Post-quantum cryptography for long-term security

Online banking, e-commerce, telemedicine, mobile communication, and cloud computing depend fundamentally on the security of the underlying cryptographic algorithms. Public-key algorithms are particularly crucial since they provide digital signatures and establish secure communication without requiring in-person meetings.

Essentially all applications today are based on RSA or on the discrete-logarithm problem in finite fields or on elliptic curves. Cryptographers optimize parameter choices and implementation details for these systems and build protocols on top of these systems; cryptanalysts fine-tune attacks and establish exact security levels for these systems. Alternative systems are far less visible in research and unheard of in practice.

It might seem that having three systems offers enough variation, but these systems are all broken as soon as large quantum computers are built. The EU and governments around the world are investing heavily in building quantum computers; society needs to be prepared for the consequences, including cryptanalytic attacks accelerated by these computers. Long-term confidential documents such as patient health-care records and state secrets have to guarantee security for many years, but information encrypted today using RSA or elliptic curves and stored until quantum computers are available will then be as easy to decipher as Enigma-encrypted messages are today.

PQCRYPTO will allow users to switch to post-quantum cryptography: cryptographic systems that are not merely secure for today but that will also remain secure long-term against attacks by quantum computers. PQCRYPTO will design a portfolio of high-security post-quantum public-key systems, and will improve the speed of these systems, adapting to the different performance challenges of mobile devices, the cloud, and the Internet of Things. PQCRYPTO will provide efficient implementations of high-security post-quantum cryptography for a broad spectrum of real-world applications.

There is a high urgency to get post-quantum systems deployed. Companies and institutions need solutions. However, the most thoroughly researched systems do not satisfy the efficiency and practicality requirements to be large-scale drop-in replacements for currently deployed systems.

The PQCRYPTO project has included several directions of research:
* Analyzing the security of recent systems, including quantum cryptanalysis.
* Understanding the implementation complexity of the surviving systems.
* Improving existing constructions in terms of efficiency and security.
* Developing side-channel attacks and countermeasures for post-quantum systems.
* Building new signature and encryption systems.
* Understanding application requirements and developing suitable solutions.

This approach has led to a large number of publications in excellent conferences and journals, providing broad visibility and dissemination of the PQCRYPTO results.

PQCRYPTO also reached visibility by giving presentations, including several invited ones, to scientists, industry representatives and the general public. For standardization, PQCRYPTO raised awareness and motivated standardization bodies to see the need for dedicated standards in post-quantum cryptography and to start activities in this direction.

PQCRYPTO research has shown that some systems are less secure than generally assumed. These negative results protect users from weaknesses in deployed systems. As an example, PQCRYPTO developed a successful side-channel attack against published software for a lattice-based signature system. Luckily for users, only a few people were using that particular system.

On the constructive side, the biggest news so far is that Google is carrying out a successful large-scale multiple-month experiment using a PQCRYPTO encryption system, the high-speed high-security New Hope lattice-based cryptosystem. This experiment is using New Hope to protect a fraction of connections between Chrome and Google's servers, and has shown that the system is efficient enough in terms of bandwidth and computation requirements that it can be used today in the real world.

The wider implications of the project reach into every area of societal communication protected by cryptography. Post-quantum cryptography needs to be universally deployed before attackers have large quantum computers. Often information needs to remain confidential for years, creating even higher urgency.