SSL seminar by Peter Schwabe (Radboud University, Nijmegen)
Date: Monday, 19 February 2018
The transition to post-quantum cryptography
In 1994, Shor presented an algorithm that can efficiently break all cryptographic key-agreement protocols, public-key encryption schemes, and digital signatures that are in wide use today. The catch with this algorithm is that it requires a large universal quantum computer to run, and up until today no such computer exists. However, massive amounts of money are being invested into building such a computer, and it seems quite plausible that these efforts will succeed within the next 2 or 3 decades. This “quantum threat” to today’s cryptography means that we will have to transition to so-called post-quantum cryptography, i.e., primitives that also resist attacks by large quantum computers. This need has also been recognized by the US National Institute of Standards and Technology (NIST), which started a multi-year program to identify suitable candidate algorithms and eventually standardize them. In the first part of my talk I will give a bit of an overview of the space of proposals in this project. In the second part of the talk I will raise the question of whether the transition to post-quantum cryptography should use post-quantum primitives as drop-in replacements for the primitives that are currently in use. I will give several examples that show why this is at best sub-optimal and why we should start re-thinking cryptographic protocols and systems today, to achieve much better performance and security for post-quantum crypto.