Post Quantum Cryptography

Transitioning to a Quantum-Resistant Public Key Infrastructure unforgeability, non-separability
A Note on Hybrid Signature Schemes defines weak separability, strong separability, backwards/forwards compatibility, simultaneous verification, hybrid generality

RFC 9180 - Hybrid Public Key Encryption ❗!important
An Analysis of Hybrid Public Key Encryption

Algorithms

Post-Quantum Cryptography | CSRC

Lattice-based cryptography - Wikiwand
Multivariate cryptography - Wikiwand
Hash-based cryptography - Wikiwand
Code-based cryptography
Isogeny-based cryptography
Symmetric key quantum resistance

CRYSTALS hard problems over module lattices, learning with errors (LWE)

Standardized Algorithms

Federal Register :: Announcing Issuance of Federal Information Processing Standards (FIPS) FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard, FIPS 204, Module-Lattice-Based Digital Signature Standard, and FIPS 205, Stateless Hash-Based Digital Signature Standard comments for the standards

Post-Quantum signatures zoo
Kyber and Dilithium – Cryptography 101 with Alfred Menezes

FIPS 203: ML-KEM

FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard
hard problems over module lattices, LWE
originally Kyber
pqcrystals-kyber library is also replaced by ml-kem
almost drop in replacement for ECDH
ECDH is a NIKE (Non-Interactive Key Exchange) whereas ML-KEM is a KEM

what is Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM) - Phind
In-Depth Overview of FIPS 203: The Module-Lattice-Based Key-Encapsulation Mechanism Standard | Encryption Consulting
An Overview about FIPS 203: Module-Lattice-based Key-Encapsulation-Mechanism - HackMD

FIPS 204: ML-DSA

FIPS 204 Module-Lattice-Based Digital Signature Standard
hard problems over module lattices, LWE
originally Dilithium
pqcrystals-dilithium library is also replaced by ml-dsa
almost drop-in replacement for RSA and ECDSA
outperforms SLH-DSA in both signature generation and validation time, as well as in signature size

what is Module-Lattice-Based Digital Signature Standard (ML-DSA) - Phind
In-Depth Overview of FIPS 204: Module-Lattice-Based Digital Signature Standard

HashML-DSA considered harmful – Key Material
Address external mu and PH modes · Issue #131 · lamps-wg/draft-composite-sigs
Don't use a prehashed version of ML-DSA · Issue #54 · chipsalliance/adams-bridge

FIPS 205: SLH-DSA

FIPS 205 Stateless Hash-Based Digital Signature Standard
stateless signature, hash-based
originally SPHINCS+
has limit on the max number of signatures per signing key (e.g. 2^64)
smaller key sizes, strong cryptographic assurances
long-lived TLS sessions

what is Stateless Hash-Based Digital Signature Standard (SLH-DSA) - Phind
In-Depth Overview of FIPS 205: Stateless Hash-Based Digital Signature Standard
On Protecting SPHINCS+ Against Fault Attacks | IACR Transactions on Cryptographic Hardware and Embedded Systems
draft-ietf-lamps-cms-sphincs-plus-19 overview of SLH-DSA

SPHINCS-α: A Compact Stateless Hash-Based Signature Scheme

FIPS 206: FN-DSA (not final)

FFT (Fast-Fourier transform) over NTRU-Lattice-Based Digital Signature Algorithm
stateless signature, NTRU lattice, requires floating point when signing
originally Falcon
https://csrc.nist.gov/csrc/media/Presentations/2024/falcon/images-media/prest-falcon-pqc2024.pdf

Stateful Signature

SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes | CSRC

state is considered a part of private key, use of HSM is mandated
RFC 8391 - XMSS: eXtended Merkle Signature Scheme hash-based signatures
XMSS/xmss-reference: Repository for the XMSS reference code, accompanying RFC 8391, XMSS: eXtended Merkle Signature Scheme

RFC 8554 - Leighton-Micali Hash-Based Signatures LMS, hash-based signatures
cisco/hash-sigs: A full-featured implementation of of the LMS and HSS Hash Based Signature Schemes from draft-mcgrew-hash-sigs-07.

Post-Quantum Readiness
RFC 8708 - Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryptographic Message Syntax (CMS)

Research

Public Key Encryption + Key encapsulation mechanism
BIKE - Bit Flipping Key Encapsulation QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check)
Classic McEliece: Intro binary Goppa codes, very large (268kB) public key, very small ciphertexts (128 bytes)
NTS-KEM merged with Classic McEliece
FrodoKEM LWE
HQC Syndrome decoding of structure codes (Hamming Quasi-Cyclic)
NTRU Prime: Intro NTRU lattice
SIKE – Supersingular Isogeny Key Encapsulation isogeny-based, 💀pawned do not use

Stateless Signature
CROSS crypto random linear code
MAYO structured multivariable quadratic equations, balanced signature (321/180 bytes) and public key (1.1/5.4kB) sizes
Hawk NTRU lattice
PQCRainbow structured multivariable quadratic equations, 💀pawned do not use

BIKE - Bit Flipping Key Encapsulation
awslabs/bike-kem: Additional implementation of BIKE (Bit Flipping Key Encapsulation)
Bit Flipping Key Encapsulation for the Post-Quantum Era | IEEE Journals & Magazine | IEEE Xplore

draft-wiggers-hbs-state-02

Chinese Algorithms
Aigis密钥封装算法多平台高效实现与优化 Aigis-enc (KEM)
基于模格的密钥封装方案的比较分析与优化 KEM
Analysis on Aigis-Enc: asymmetrical and symmetrical.pdf
Analysis of Key Reuse for Aigis-Enc Scheme
紧凑的Aigis-sig数字签名方案软硬件协同实现方法-【维普期刊官网】- 中文期刊服务平台
 Aitps：基于非对称模格问题的两方协同签名方案

Adoption

Apple's New iMessage, Signal, & Post-Quantum Crypto | CSA
Blog - iMessage with PQ3: The new state of the art in quantum-secure messaging at scale - Apple Security Research
Signal >> Blog >> Quantum Resistance and the Signal Protocol

cloudflare/go: Go with Cloudflare experimental patches

PQC Key Exchange adoption

IPSec, VPN

RFC 9180 - Hybrid Public Key Encryption
RFC 9370 - Multiple Key Exchanges in the Internet Key Exchange Protocol Version 2 (IKEv2) allows for PQC protocol

Quantum Security Made Easy with RFC 8784 Standard | Palo Alto Networks intermediate solution using preshared keys IDs, hiding the DH parameters
Palo Alto Networks Extends Support for Quantum Safe VPN with RFC 9242, RFC 9370 Standards, and Hybrid KEYs | Palo Alto Networks

PQC Certs X.509 adoption

draft-ietf-lamps-pq-composite-sigs - Composite ML-DSA for use in X.509 Public Key Infrastructure and CMS ❗!important, used by draft-reddy-tls-composite-mldsa, replaced draft-ounsworth-pq-composite-kem
RFC 9881 - Internet X.509 Public Key Infrastructure -- Algorithm Identifiers for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA) used by draft-ietf-tls-mldsa
RFC 9802 - Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure
draft-ietf-lamps-x509-slhdsa - Internet X.509 Public Key Infrastructure: Algorithm Identifiers for SLH-DSA used by draft-reddy-tls-slhdsa

draft-davidben-tls-merkle-tree-certs - Merkle Tree Certificates
davidben/merkle-tree-certs

draft-truskovsky-lamps-pq-hybrid-x509 expired, does not present a generic encoding
ITU-T Recommendation database 2019 version allows two keys to be placed in a certificate but only one used at a time

RFC 9882 - Use of the ML-DSA Signature Algorithm in the Cryptographic Message Syntax (CMS)

draft-uri-lake-pquake - PQuAKE - Post-Quantum Authenticated Key Exchange expired, integration to IKEv2
draft-ietf-lamps-pq-composite-kem - Composite ML-KEM for use in X.509 Public Key Infrastructure and CMS
RFC 9629 - Using Key Encapsulation Mechanism (KEM) Algorithms in the Cryptographic Message Syntax (CMS)

Key Factor's EJBCA
Hybrid CA
Creating a Hybrid CA
Post-Quantum Cryptography Keys and Signatures

Preparing for a Quantum World: Examining the Migration Path of Hybrid Certificates | Keyfactor
Quantum-Safe Certificates – What Are They and What Do They Want From Us? | Keyfactor
EJBCA Enterprise | PKI by Keyfactor

Roadmap Request: Post Quantum Cryptography - Feature Requests - Let's Encrypt Community Support PKI is of lower priority (can only be broken live, no store now, decrypt later issue), requires HSM, CA/Browser Forum Baseline Requirements
Preparing for quantum safe crypto systems - Feature Requests - Let's Encrypt Community Support
Mixed Certificate Chains for the Transition to Post-Quantum Authentication in TLS 1.3
CA/Browser Forum - Certificate Issuers, Certificate Consumers, and Interested Parties Working to Secure the Web

DigiCert Labs | DigiCert
IETF-Hackathon/pqc-certificates: Post-quantum cryptography certificates

PQC SSH adoption

TLS | Open Quantum Safe OpenSSL provider for OpenSSH

draft-ietf-sshm-ntruprime-ssh - Secure Shell (SSH) Key Exchange Method Using Hybrid Streamlined NTRU Prime sntrup761 and X25519 with SHA-512: sntrup761x25519-sha512 added in v9.0
draft-ietf-sshm-mlkem-hybrid-kex - PQ/T Hybrid Key Exchange in SSH
open-quantum-safe/oqs-provider: OpenSSL 3 provider containing post-quantum algorithms limitation: CMS not working for < 3.2, TLS working for < 3.2

draft-kampanakis-curdle-ssh-pq-ke - PQ/T Hybrid Key Exchange in SSH obsolete
open-quantum-safe/openssh: Fork of OpenSSH that includes prototype quantum-resistant key exchange and authentication in SSH based on liboqs. PROJECT INACTIVE. CONTRIBUTORS WANTED. OpenSSH v9.7_p1, based on kampanakis-curdle-ssh-pq-ke and liboqs based on OpenSSL 1.1.1 (pre-provider)
open-quantum-safe/libssh: [DEPRECATED — See notice in README.md] Fork of libssh that includes prototype quantum-resistant algorithms based on liboqs. works with OQS-OpenSSH above

Quantum Computing & Post-Quantum Algorithms why hybrid

PQC TLS adoption

tldr.fail
Post Quantum Cryptography (PQC): You May Already Be Using It! - DomainTools | Start Here. Know Now. 2024-10

Post-Quantum Key Agreement at Cloudflare Modern browsers support X25519MLKEM768 in TLS
Post Quantum Cryptography: A short update. | LinkedIn 2024-12

This document models key agreement as key encapsulation mechanisms (KEMs), which consist of three algorithms:

KeyGen() -> (pk, sk): A probabilistic key generation algorithm, which generates a public key pk and a secret key sk.
Encaps(pk) -> (ct, ss): A probabilistic encapsulation algorithm, which takes as input a public key pk and outputs a ciphertext ct and shared secret ss.
Decaps(sk, ct) -> ss: A decapsulation algorithm, which takes as input a secret key sk and ciphertext ct and outputs a shared secret ss, or in some cases a distinguished error value.