Keywords: Quantum-resistivity, Post-quantum cryptography, Quantum attacks, Quantum algorithms, Quantum computing

I. Introduction

Cryptography is the science of secret writing. Since its inception, cryptography has evolved from ensuring secret communication for military purposes to develop secure systems that will be used by ordinary people all across the globe [1]. Cryptosystems are developed based on the computation problems which are hard to solve which in turn ensures security of the system [1]. These problems are either proved or conjectured to be inefficiently solvable on classical computers. However, a small class of these problems can be solved efficiently on a quantum computer [2]. Most of these problems are number theoretic on which quantum computers are generally efficient e.g. prime factorization of a number, discrete logarithm problem etc., due to Shor’s algorithms [3], [4]. Prevalent Cryptosystems of classical world such as RSA (Rivest, Shamir, Adleman), DSA (Digital Signature Algorithm) and ECC (Elliptic-Curve-based Cryptosystems) are based on these numeric computing problems, will be easily broken with the advent of large scale quantum computers [5]. Hence, three classifications of cryptosystems exist as per today’s need: Pre-quantum cryptography, Quantum cryptography, and Post-quantum cryptography.

Pre-quantum cryptography is a class of those ciphers both symmetric-key and asymmetric-key which are inefficient to break using a classical computer but are easily breakable on quantum computers. These ciphers such as RSA and Diffie-Hellman can resist an attack executed from a classical computer but cannot resist quantum attacks; attacks carried out using a quantum computer. Quantum algorithms which are used for such attacks are based on Shor’s algorithm, Grover’s algorithm, Simon’s algorithm, and Ambainis’ algorithm [3], [4], [6]–[8]. Overview of these algorithms and the problems which they can solve are presented in section II to understand how well established pre-quantum cryptosystems are broken. Quantum cryptography is about using quantum mechanical effects to achieve cryptographic tasks such key distribution, oblivious transfer et cetera [9]. Whereas, Post-quantum cryptography is the study and design of those cryptographic algorithms that are resistant to both classical and quantum attacks [2]. Even large Quantum computers cannot break these cryptosystems [2]. Similar to Pre-quantum cryptography, there are two types of Post-quantum cryptographic algorithms. These are: post-quantum symmetric cryptography and post-quantum asymmetric cryptography [2]. Further classifying symmetric cryptography gives two categories of symmetric ciphers: Block and Stream ciphers. Quantum resistivity of symmetric cryptosystems is explained next in section III. Quantum-resistive asymmetric cryptography is classified based on the classes of mathematical problems for which no quantum solution is known [2] and are explained in section IV. Section V summarizes the investigation. For this paper, we use a set of standard cryptographic and mathematical notations listed and explained in Table 1.

Table 1. Notations and Terminology used

Notations Terminology

Plaintext alphabet

Ciphertext alphabet

Set of all strings over

Set of all strings over

Plaintext/Message space where

Ciphertext space where

(Encryption) key space

(Decryption) key space

A valid plaintext/message

A valid plaintext/message

A valid ciphertext

A valid ciphertext

a valid key or

Public encryption key

Private decryption key

-bits of key

Encryption algorithm/function defined as

Encryption algorithm with rounds

Decryption algorithm/function defined as

Decryption algorithm with rounds

Key generation algorithm

encrypts message using key to generate ciphertext

decrypts ciphertext using key to generate message

Difference between messages and

Collection of different ‘s

Difference between ciphertext and

Collection of different ‘s

Bob Sender of encrypted message

Alice Receiver of encrypted message

II. Computing problems and Quantum solutions

Security of RSA, DSA, and ECC depends on prime factorization problem and discrete logarithm problem [10]. These are the most studied number theory problems for which no efficient (polynomial-time) algorithms are known on classical computers [11]. However, on a quantum computer these problems can be solved in polynomial-time [3] which shows that quantum computers can perform some tasks efficiently which are not feasible to carry out on a classical computer.

For solving computing problems, there are two classes for designing quantum algorithms. The first class is based on the quantum Fourier transform (QFT) [12]. Shor’s and Simon’s algorithms are an example of this class. Second, quantum algorithms which are based on Grover’s quantum search algorithm [6].

1. Quantum algorithms based on QFT

Definition 1. Discrete Fourier Transform (DFT): It is defined by a matrix equation , where is the column vector of complex numbers, , , … , , which acts as an input, is an matrix whose each element is defined as and the produced output is , where each , for , is evaluated as shown in (1).

(1)

Definition 2. Quantum Fourier Transform: This transformation is exactly same as DFT but it is performed on orthonormal basis , , … , which acts as a linear operator to get vectors i.e. applying QFT on gives as shown in (2).

(2)

To solve a problem in mathematics or computer science, the problem is generally transformed or reduced into some other problem for which solution is known. One of these problems is Discrete Fourier Transform (DFT) as defined in Definition 1 [13]. Best known classical solution takes time of to solve DFT. For quantum computers, there exist a quantum version of DFT called quantum Fourier transform (QFT). QFT, mentioned in Definition 2, is defined as Fourier transform of quantum mechanical amplitudes; this can be efficiently performed on a quantum computer [14], [15], proposed by Vazirani et al. in [12]. This quantum algorithm takes time of . However, there is no speed up when classical task of computing Fourier transforms of classical data is performed [14]. But it is applied to solve phase estimation problem, mentioned in Definition 3 [14], [16], [17], of estimating the phase when a unitary operator is applied to transform one of its eigenvectors i.e. operates on -qubits and holds, estimate the approximated value of . Quantum solution of phase estimation problem is then used to solve another problem called order-finding problem which is explained in Definition 4. Since, order-finding and factoring problems are equivalent to each other; the factoring problem is reduced to order-finding. Based on this approach, Peter Shor presented Quantum algorithms for prime factorization and discrete logarithm problems [3].

Definition 3. Phase Estimation Problem: For a given unitary operator having an eigenvector with corresponding eigenvalue as given by (3), where is unknown. The problem is to estimate accurately.

(3)

Definition 4. Order finding problem (OFP): Given two integers and , find the least such that (4) holds. is called the order of .

(4)

In RSA, two large prime numbers and are multiplied to generate the public key . The security of RSA relies on the ability of factoring this number [3]. The longer it takes to factor , the more secure RSA will be. The best known classical solution uses number field sieve method which has asymptotic running time of for some constant [18], [19]. This complexity is exponential in the size of number to be factored, so factoring is generally considered to be an inefficient problem on a classical computer. However, Shor’s factoring algorithm on a quantum computer can find the factors of a number in time complexity of , along with polynomial of amount of post-processing time required by classical computer to translate the output of quantum computer into factors of , and also has space complexity of [3]. It works by finding the period of the function for a randomly selected integer from interval . After identifying , .the greatest common divisor of and gives the factors of ; detailed description of this algorithm can be found at [3], [14]. Impressive improvements in quantum factoring algorithm have been proposed by Daniel et al. in [20].

The discrete logarithm problem, on which ECC is based, is explained in definition 5. This problem can be solved on a classical computer using a variant of number field sieve based factoring algorithm, having the optimal time complexity of which is of the sub-exponential order [21]. This problem is also solvable on a quantum computer in polynomial time complexity requiring two modular exponentiations and two quantum Fourier transformations [3]. Detailed descriptions of the Shor’s algorithms are presented in [3], [14], [22], [23], [24].

Definition 5. Discrete Logarithm problem (DLP): Given a multiplicative cyclic group modulo a prime , and a generator of the group, the problem is to find an integer with such that (5) is satisfied.

(5)

Simon in 1997 [7] proposed a problem, formally defined in Definition 6 [7], [25], and gave its quantum solution to explain that quantum computers are exponentially more efficient than bounded-error randomized classical algorithms. This problem on classical computer is solved by searching for collisions i.e. finding and such that and . The time-complexity of best solution on a classical computer comes out to be . The Simon’s quantum solution provides an exponential speed-up over classical computers and has polynomial-time complexity of when these collisions occur with some hidden periodicity [7]. The algorithm uses queries to find with high probability [26].

Definition 6. Simon’s Problem (SP): Given a function , where and are integers, and it is guaranteed that either is injective (one-to-one), or there exists such that for any , . If is injective then , as for to hold. In the second case, when , the goal is to determine .

The algorithm repeats a quantum subroutine of fixed number of steps for times. The subroutine stars with two -qubit register, both set to quantum state . Hadamard transform is applied to the first register to obtain the quantum superposition . The function is the black-box to which this quantum state is sent as a query to get the quantum state . Measuring second register yields with the first register collapsing to the quantum state . On the first register, Hadamard transform is applied again which gives the quantum state . First register is measured which yields a vector such that . Since this subroutine is repeated times, independent vectors are obtained such that each vector is orthogonal to i.e. , with high probability, and with these linearly independent vectors, is recovered classically [7], [25]-[27].

2. Grover’s quantum search

Searching is of utmost importance, not only in theoretical and practical computer science but also in those areas where alternative probable solutions are available. Search problem is formally described in Definition 7. Searching is applied in the cases where way of finding a solution by either mathematically, algorithmically, systematically, methodically or procedurally is not known. It is considered as a brute-force approach since all elements of a set are checked, the set is called search space; here it is considered as solution space since each element in it can be a solution to some instance of the same problem. To find the particular solution, complete solution space or a partial solution space is searched where each of the available choices are evaluated for correctness. The partial solution space is found often heuristically. If a choice solves the problem, that choice is one of the solutions or the only solution to an instance of the problem. For the same problem with different parameters solutions varies, however solution space remains more or less same and maybe unordered.

Definition 7. Search Problem: Given a function and a search space of elements indexed from to . The function defines the search problem i.e. the elements to be searched that satisfies certain properties, results when is the desired element and when is not the required element, with .

Considering elements in the unordered solution space, and searching for an element that satisfies certain set of properties and is unique then to solve this problem classical computing algorithm has time complexity of [6]. Each of the possible alternatives of the solution space is evaluated for correctness. When such an alternative is found, it is considered as a solution. Generally, average and worst case are considered which gives the time complexity of for both, since a large fraction of elements has to be examined [6]. This solution space can be evaluated faster using quantum computers. One of these algorithms is Grover’s search algorithm which gives a quadratic speed-up over classical solutions. It is proved to be optimal searching algorithm on quantum computers [28].

Grover’s search algorithm is widely applicable but lacks from exponential speed-up as compared to Shor’s algorithm and Simon’s algorithm, which makes it third most important quantum algorithm. Consider the size of search space of with element indexing from to , the algorithm starts in -qubit state set to and then to get a uniform superposition , with the Hadamard transformation is applied. On this superposition, a unitary operation is applied for times; this unitary operation first rotates the phase by radians if needed and then a diffusion transform is applied which is defined by a matrix as: if & . The final step is to measure the resulting state [6], [29], [30]. This algorithm is found to be optimal quantum searching procedure [28]. It is generalized by Biron et al. [30] so that it can be used to examine any search space.

III. Post-quantum symmetric cryptography

In Symmetric-key cryptography, a key called private key is known only to the communicating parties. Both and algorithms uses the same key. algorithm is used by Bob to encrypt plaintext with key to generate ciphertext , Alice runs on with the same key to get . Security of the symmetric cryptography depends on the secrecy of private key which is shared only between communicating parties. This raises the concern of securely sharing the key among communicating parties which can be done by arranging a physical meeting among parties. However, it is not possible all the time for communicating parties to meet except in some cases such as in military setups. Common solution requires another secure channel which involves asymmetric cryptography or trusted third party to share the key among primary communicating parties.

Symmetric-key cryptography can be classified in two categories: Block ciphers and Stream ciphers. Block ciphers are those encryption schemes in which a variable length message is broken into pieces of fixed length called blocks. Then each block is encrypted using algorithm with a private key . If the block is small than the required length, it is padded with some predefined sequence of bits to make it of the required length. It is also possible to embed the key in the and algorithms, then the encryption scheme is considered keyless. In stream ciphers, a continuous stream of plaintext bits or characters is continuously encrypted using a corresponding stream of pseudo-random bits or characters generated with the help of some pseudo-random number, bit, or character generator function. The way of generating keys independently of plaintext and ciphertext, make these ciphers synchronous. Another way of generating keys is self-synchronizing, in which stream of key is generated using some linear or non-linear relationship between previous bits or characters of ciphertext, plaintext, or both.

The security of symmetric cryptography relies completely on the challenging task of cryptanalysis unlike the security of asymmetric cryptography which depends on the hardness of some mathematical problem [4]. Symmetric cryptosystems are proved perfectly secure when the probability distribution of , and is uniform. In other words, the algorithms , and ensure uniform distribution for the output generated by them. For symmetric cryptography, there exist an exhaustive toolset for classical cryptanalysis using which complexity of breaking a cipher is identified. Using classical computers, the most effective attacks of block and stream ciphers that can be executed are differential cryptanalysis, linear cryptanalysis, slide attack, algebraic attacks, integral cryptanalysis, exhaustive key search etc. [31], [32]. However, these best classical cryptanalysis techniques do not necessarily lead to the best quantum version of attack [4].

As shown in section II, Grover’s search algorithm has quadratic speed-up over its classical counterpart algorithms. For searching in an unsorted database of size , classical solutions require time whereas, using Grover’s search algorithm the time required is . It can be applied to exhaustively search the key used for encryption from key space . If each is of bits then the size of is . Since, Grover’s algorithm have quadratic gain over classical methods to search in , the corresponding classical security level will be of the key space of size on a quantum computer. In other words, security level on quantum computer will be equivalent to classical security level of the key length , which means that the key length is reduced to half. So, to break a symmetric cipher using brute-force key search on a quantum computer requires the time complexity of where is the length of the key. To ensure the same level of security against a quantum computer as of classical computers, the length of key must be doubled or the size of key space must be squared. However, if qubit operations are not small enough and fast enough then implementing Grover’s algorithm will be useless on scalable quantum computers as the quantum overhead increases. If qubit operations are small and fast only then Grover’s algorithm will be a threat to many cryptographic systems [4], [10].

In the work of Kaplan et al. presented in [4], a combination of Grover’s search and Ambainis’ algorithm are combined to perform better cryptanalysis on symmetric cryptosystems, and also quantified differential cryptanalytic [33], truncated differential cryptanalytic [34], and linear cryptanalytic attacks. The quantum version of two same types, Differential distinguisher and Last-rounds attack, of both Differential and Truncated differential cryptanalytic techniques were proposed. It also proposed that a quantum adversary, adversary having access to a quantum computer for cryptanalysis, can use it in two ways for Last-rounds attack of both differential and truncated differential, and only one way for Differential Distinguisher. Also, linear cryptanalytic approach was also developed to work in two ways.

In the first model for Last-rounds attack of simple differential cryptanalysis, an adversary makes use of semi-quantum approach. Here, the data is acquired using classical methods and then the quantum operations are performed on it. After identifying all the pairs of plaintext having a difference of which generates an output difference of , a quantum algorithm is used to generate partial keys, then the attacker runs Grover search algorithm to recover the remaining bits of the key. This is called semi-quantum last-rounds attack. It has quadratic gain in terms of time complexity to perform the attack but restricts from improving the data complexity. For Last-rounds attack of truncated differential cryptanalysis, the procedure only differs in the first step. Instead of finding all the plaintext pairs having a fixed input difference, , and a fixed generated output, , a set of differences are considered for both input and output. The attack in the semi-quantum generates a list of pairs with input differences in set , which is a classical step. The second step filters the list of plaintext to keep only the pairs of message such that , where is the set of output differences. Finally, a quantum search algorithm is run on the filtered pairs along with the checking procedure to generate the partial key with bits, and then searching exhaustively for the remaining part [4].

In the second model, Differential distinguisher and Last-rounds attack works in a fully-quantum approach. The problem with the semi-quantum model of Last-rounds attack was the large Data complexity. Since the classical queries were made to the encryption oracle, it resulted in twice as much of the data required for executing it as compared to the fully-quantum approach. The Last-rounds attack of simple differential works in two steps: setup phase and checking phase. In the setup phase, the Grover search algorithm is run to find a message in the set such that . Then in the checking phase, all possible partial keys are generated and are completed using Grover search by checking for the key’s correctness. Same attack of truncated differential technique, queries the cryptographic oracle each time it is needed to sample a specific element. The use of structures made of lists makes it challenging to query the oracle for all elements at once and hence this is done when required. When all the pairs with the difference in with a single structure, , are found then the attack runs a Grover search over the set . The checking procedure is same as the Fully-quantum Last-rounds attack of simple differential. It generates all possible partial keys for a given pair of inputs and then completes them and returns a pair . The final step runs a modified checking procedure in Grover search once more to return the key given the pair [4].

Differential distinguisher runs in fully-quantum model. Differential distinguisher of simple differential cryptanalysis make quantum queries to encryption oracle that is queries set in quantum superposition state are made. The queries find the marked element by applying the Grover search algorithm. If any such marked element is found then the algorithm outputs “concrete” and otherwise, “random.” If the output is “concrete” then it can lead to a key-recovery attack such as Last-Rounds attack and if the output is “random” then key-recovery attacks cannot speed-up. Similar to simple differential version of Differential distinguisher, in truncated differential Ambainis’ algorithm is used for element distinctness to find for collisions inside the structures. First, a structure is found from a set of structures using Grover search that it contains a pair such that , where using Ambainis’ algorithm for the checking phase [4]. These attacks where are developed in the sense of performing linear cryptanalysis using semi-quantum and fully-quantum model. And the same results were inferred; it was found that the fully-quantum model provides quadratic gain over corresponding classical attacks [4].

When the quantum version of these attacks studied and performed as presented in [4], it was found that smaller keys for cryptosystems might resist some quantum attacks like truncated differential attacks. Cryptanalytic attacks on semi-quantum model have little gain over classical model when the block length of the cipher is same as of its key size. However, the gain is significant and similar to fully-quantum model for the ciphers requiring longer keys e.g. AES-256. This is meaningful, as in the post-quantum symmetric primitive it is recommended to use longer keys, the attacks can also be performed in these cases. It was also found that some best attack might change and not remain best when quantified to run on quantum machine and suggested that Fully-quantum model is much more powerful than semi-quantum model.

There also exists a family of classical cryptanalysis techniques when quantized, gains an exponential speed-up for some symmetric cryptosystems and modes of operations using a variant of Simon’s algorithm which reduces the time complexity of finding the key by brute-force search carried out using Grover’s search to the time complexity of , where is the number of bits in a block of a cipher along with a key of the same length [25]. This work presented by Kaplan et al. in [25] suggested that doubling the key length is not sufficient to restore security of any symmetric cryptosystem against quantum adversaries. The proposed attack strategy developed using Simon’s algorithm starts with encryption oracle and a Simon’s function that satisfies Simon’s promise with two extra properties: superposition queries can be made to and sufficient knowledge of is needed to break cryptographic scheme. This attack works corresponding to classical collision attack, is usually the difference in the internal state of processed pair of messages , i.e. [25]. The important part of this attack scheme is the construction of Simon’s function and is proposed in [25].

Simon’s algorithm is of significance in quantum cryptanalysis. By quantization of classical cryptanalysis techniques called slide attacks [36] using Simon’s algorithm, it provides an exponential speed-up [25]. The quantified slide attack [25] works only on those ciphers having its rounds vulnerable to known-plaintext attacks. The quantum step of this attack identifies all the slid-pairs and then the second step performs exhaustive key search using quantum search [25]. This attack was successful in breaking TREYFER cipher, requiring data complexity of and a time complexity of which an exponential speed-up compared to the classical time complexity of . Table 2 lists symmetric ciphers and modes of operations that can be successfully attacked by quantum adversaries.

Table 2. Symmetric cryptosystems and quantum security

Ciphers Quantum Attack

DES Grover’s search

AES-128 Grover’s search

AES-256 Truncated Differential attacks

LAC Differential attacks

KLEIN-64 Not broken but broken in classical world

KLEIN-96 Broken by fully-quantum attacks

CBC-MAC Forgery attack using Simon’s algorithm

PMAC Recovery and Forgery attacks

GMAC Forgery attacks

GCM Forgery attacks

OCB Forgery attacks

IV. Post-quantum asymmetric cryptography

Asymmetric cryptosystems uses a pair of keys, one key is used to encrypt the message by Bob and another key is used by Alice to decrypt the message. The owner of this key-pair is Alice who keeps the private key , and shares public key with everyone. Anyone who wishes to send a message to Alice will encrypt it using Alice’s public key and then the received message will be decrypted by Alice using her private key . Generally, a large message can’t be communicated using these cryptosystems and hence these are used mainly for key-sharing and digital signatures.

In Section II, quantum algorithms were explained to show that some mathematically inefficient problems of classical world such as Prime-factorization and Discrete logarithm can easily be solved on quantum computers. RSA, ECC and other asymmetric ciphers based on these problems will be broken in the quantum era. This raises the concern of finding problems which can act as one-way trapdoor function (OWTF) and can be proved quantum-resistive i.e. no quantum solution exists for these problems, will help building cryptosystems of quantum world. The problems which are studied to have no quantum solution so far are used and categorize asymmetric cryptography in following classes: Hash-based [37], Code-based [38], Lattice-based [39], Multivariate-quadratic-equation-based [40], Ring-Learning With Errors (LWE) based [41], Rank-based [42] cryptography.

Hash-based cryptosystems were first developed by R. Merkle [37] and are used only for the task of digital signatures. Schemes of this class cannot be used for asymmetric encryption. Some of the signature schemes based on this approach are Lamport-Diffie one-time signature scheme (LD-OTS) [43], Winternitz one-time signature scheme (W-OTS) [44], W-OTS+ [45] etc. These schemes are one-time signature scheme which means that using one pair of public-private keys only one message can be signed; to sign another message a new key-pair needs to be generated. To solve this problem, a scheme was proposed by Merkle [44] which pre-generate -pairs of key and then using -public keys, a single public key is generated whereas private keys are used to sign different messages. Hash-based cryptosystems’ security depends on the collision resistance property on quantum computer of hash function used.

The remaining classes of post-quantum asymmetric encryption schemes are based on some NP-hard problems for which no quantum solution is known. Code-based cryptography depends on the hardness of solving syndrome decoding problem, which is a problem of finding the nearest codeword to a vector when given a linear code and the syndrome of a vector [38]. McEliece cryptosystem is an example of this class [38] which requires finding a Hidden Goppa code (HGC).

Lattice-based ciphers are formulated on the mathematical problem of finding Shortest-Vector (SVP) for a given lattice basis which is formally explained in Definition 8 [39]. There exist Closest Vector problem (CVP) and Shortest Independent Vectors problem (SIVP) which are variants of SVP and are reduced to it. Solution to any of these problems will break lattice-based cryptography [2]. Several ciphers based on this class are explained in [39]. It is the most preferred class for developing new ciphers because the key-size is comparatively small, requires lesser computation while running encrypting and decrypting routines, and has better security proofs [46].

Definition 8. Shortest-Vector problem (SVP): A lattice is defined on a set of linearly independent vectors, , in such that . The lattice is the set of all integer combinations of vectors of as shown in (6). The problem is to find the shortest non-zero vector in .

(6)

Another NP-Complete problem which is used for building encrypting and signing algorithms is Multivariate-quadratic-equation ( ) problem explained in Definition 9 [40], [47]. Cryptosystems based on this problem have better computational time compared to RSA and ECC but it suffers from larger key-sizes which is almost 20 times larger than RSA.

Definition 9. Multivariate-quadratic-equation problem ( ): Given a system of quadratic equations with variables in . Find a solution of the system.

Another important mathematical problem for constructing asymmetric cryptosystems is based on Learning With Errors (LWE) problem [41]. Construction using this problems generally leads to larger key sizes but a variant of it Ring-LWE (R-LWE) reduces the size of keys while maintaining same level of security [48]. It is equally preferred as Lattice-based constructions and is proved to be equally difficult as Lattice problem GapSVP a variant of SVP [41], [49]. It is computationally efficient same as Lattice-based and have similar key sizes. R-LWE can be stated in two different ways: R-LWE search problem and R-LWE decision problem, defined in Definition 10 [48].

Definition 10. Ring-Learning With Errors (R-LWE): Given an irreducible polynomial of degree for some positive integer , define the ring of integer polynomials modulo . Consider the ring , every polynomial in has degree at most and coefficients . The secret is an element of and the error distribution is a centered Discrete Gaussian. An R-LWE sample is a pair with is uniformly random and . The distribution consisting of such samples is the R-LWE distribution . Then the R-LWE Decision problem and R-LWE Search problem are defined as,

a) R-LWE Decision Problem: Given independent samples in , determine whether they were drawn from the uniform distribution over or from .

b) R-LWE Search Problem: Given independent samples from the R-LWE distribution , find .

Rank-based cryptography first proposed by Gaborit et al. [42] in 2015 and also presented an encryption scheme. It is based on a problem of Rank syndrome decoding problem explained in Definition 11. So far, it is a better class for building asymmetric cryptosystems because it needs smaller keys and generally have better computational time for encryption and decryption [42].

Definition 11. Rank Syndrome Decoding problem (RSD): Let be a matrix over with , and an integer. The problem is to find such that and holds.

Table 3 lists the mathematical problems which are assumed to have no efficient solution on quantum computers so far and also lists the problems which have efficient quantum solution. Some of these problems are not explained here as of their lesser importance in cryptography. And for some of the listed problems, only special instances of these problems are used to build quantum-resistive cryptosystems while more general instances can be solved on both classical and quantum computers.

Table 3. Mathematical problems for asymmetric ciphers

Mathematical Problems Quantum Solution Known?

Prime Factorization (e.g. RSA) YES

Discrete Logarithm (e.g. ECC) YES

SVP NO

HGC NO

NO

Isomorphism of Polynomials NO

R-LWE problem NO

RSD NO

Subset-Sum problem NO

Conjugacy search problem NO

V. Conclusion

In this paper, quantum-resistivity of both symmetric and asymmetric cryptography was studied. The investigation shows that both classes of cryptographic ciphers remain vulnerable in the quantum world. Symmetric ciphers which were previously assumed to be secure against quantum adversaries by just doubling the key-length are found to be breakable using quantum variants of Differential, Truncated differential, Linear, and other cryptanalytic attacks based on Simon’s algorithm.

Several mathematically inefficient problems of classical world such as prime factorization can be solved efficiently on a quantum computer. Many asymmetric cryptosystems designed on these problems are broken in quantum world, while other problems which are inefficient on both classical and quantum computer does not helps in building a cryptosystem that can remain computationally efficient for encryption and decryption along with smaller key sizes. This shows that research is needed in asymmetric cryptography.

There is a need of symmetric and asymmetric ciphers that remains secure in both classical and quantum era including computational efficiency for encryption and decryption algorithms with smaller key-sizes.

References

[1] J. Katz and Y. Lindell, “Introduction to Modern Cryptography: Principles and Protocols,” Boca Raton, FL, USA: Chapman and Hall/CRC Press, 2007.

[2] D. J. Bernstein et al., “Post-Quantum Cryptography,” Berlin, Germany: Springer-Verlag Berlin Heidelberg, 2009.

[3] P. W. Shor, “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer,” SIAM Journal on Computing, vol. 26, no. 5, 1997, pp. 1484-1509.

[4] M. Kaplan et al., “Quantum Differential and Linear Cryptanalysis,” IACR Transactions on Symmetric Cryptology, 2016, pp. 71-94.

[5] M. Möller and C. Vuik, “On the impact of quantum computing technology on future developments in high-performance scientific computing,” Ethics and Information Technology, 2017, pp. 1-17.

[6] L. K. Grover, “A fast quantum mechanical algorithm for database search,” ACM Symposium on the Theory of Computing, 1996, pp. 212-219.

[7] D. R. Simon “On the Power of Quantum Computation,” SIAM Journal on Computing, vol. 26, no. 5, 2006, pp. 1474-1483.

[8] A. Ambainis, “Quantum walk algorithm for element distinctness,” SIAM Journal on Computing, vol. 37, no. 1, 2007, pp. 210-239.

[9] A. Broadbent and C. Schaffner, “Quantum cryptography beyond quantum key distribution,” Design, Codes and Cryptography, vol. 78, no.1, 2016, pp. 351-382.

[10] D. J. Bernstein and T. Lange, “Post-quantum cryptography — dealing with the fallout of physics success,” Cryptology ePrint Archive Report 2017/314, 2017.

[11] C. Pomerance, “Fast, Rigorous Factorization and Discrete Logarithm Algorithms,” Discrete Algorithms and Complexity, Proceedings of the Japan-US Joint Seminar, Kyoto, Japan, June 1986, Academic Press, pp. 119-143.

[12] E. Bernstein and U. Vazirani, “Quantum complexity theory,” Proceedings of the 25th Annual ACM Symposium on Theory of Computing, 1993, pp. 11-20.

[13] J. D. Bruce, “Discrete Fourier Transforms, Linear Filters, and Spectrum Weighting,” IEEE Transactions on Audio and Electroacoustics, vol. 16, no. 4, 1968, pp. 495-499.

[14] M. A. Nielsen and I. L. Chuang “Quantum Computation and Quantum Information 10th Edition,” New York, USA: Cambridge University Press, 2010.

[15] D. Coppersmith, “An approximate Fourier transform useful in quantum factoring,” IBM Research, USA, Report RC 19642, 1994.

[16] K. M. Svore, M. B. Hastings, and M. Freedman, “Faster phase estimation,” Quantum Information & Computation, vol. 14, no. 3-4, 2014, pp. 306-328.

[17] A. Kitaev, “Quantum measurements and the Abelian Stabilizer Problem,” Electronic Colloquium on Computational Complexity (ECCC), arXiv:quant-ph/9511026, 1996.

[18] K. Lenstra et al., “The number field sieve,” Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, ACM, New York, 1990, pp. 564-572.

[19] K. Lenstra and H. W. Lenstra Jr., “The Development of the Number Field Sieve,” Lecture Notes in Mathematics, Springer, vol. 1554, 1993.

[20] D. J. Bernstein et al., “Post-quantum RSA,” Cryptology ePrint Archive, Report 2017/351, 2017.

[21] D. M. Gordon, “Discrete logarithm in GF(p) using the number field sieve,” SIAM Journal on Discrete Mathematics, vol. 6, no. 1, 1993, pp. 124-139.

[22] E. Rieffel and W. Polak, “Quantum Computing – A Gentle Introduction (Scientific and Engineering Computation)” Cambridge, London, England: The MIT Press, 2011.

[23] H. Zhu, “Survey of Computational Assumptions Used in Cryptography Broken or Not by Shor’s Algorithm,” Master in Science thesis, McGill University, Canada, 2001.

[24] M. S. Brown, “Classical Cryptosystems In A Quantum Setting,” Master of Mathematics thesis, University of Waterloo, Canada, 2008.

[25] M. Kaplan et al., “Breaking Symmetric Cryptosystems using Quantum Period Finding,” Advances in Cryptology – CRYPTO 2016, 2016, pp. 207-237.

[26] A. Montanaro and R. de Wolf, “A Survey of Quantum Property Testing,” arXiv:1310.2035, 2014.

[27] R. de Wolf, “Quantum Computing: Lecture Notes,” http://homepages.cwi.nl/~rdewolf/qcnotes.pdf, 2013.

[28] C. Zalka, “Grover’s quantum searching algorithm is optimal,” Physical Review A, vol. 60, no. 4, 1999, pp. 2746-2751.

[29] L. K. Grover, “Quantum Mechanics helps in searching for a needle in a haystack,” Physical Review Letters 79, 1997, pp. 325-328.

[30] D. Biron et al., “Generalized Grover Search Algorithm for Arbitrary Initial Amplitude Distribution,” Proceedings of the First NASA International Conference on Quantum Computation and Quantum Communications, 1998, pp. 140-147.

[31] G. Banegas, “Attacks in Stream Ciphers: ASurvey,” International Association for Cryptologic Research, http://eprint.iacr.org/2014/677.pdf, 2014.

[32] D. Khovratovich, “Methods of Symmetric Cryptanalysis,” Microsoft Research, USA, TechReport MSR-TR-2011-80, 2011.

[33] E. Biham and A. Shamir, “Differential cryptanalysis of des-like cryptosystems,” Advances in Cryptology – CRYPTO’90, 10th Annual International Cryptology Conference, Santa Barbara, California, USA, 1990.

[34] L. R. Knudsen, “Truncated and higher order differentials,” Fast Software Encryption: Second International Workshop, Belgium, 1994, pp. 196-211.

[35] Mitsuru Matsui, “Linear cryptanalysis method for DES cipher,” Advances in Cryptology – EUROCRYPT’93, 1993, pp. 386-397.

[36] A. Biryukov and D. Wagner, “Slide attacks,” Fast Software Encryption, 6th International Workshop, FSE’99, Italy, 1999, Lecture Notes in Computer Science, vol. 1636, pp. 245-259.

[37] R. C. Merkle, “A certified digital signature,” Advances in Cryptology, CRYPTO’89 Proceedings, LNCS 435, Springer, 1989, pp. 218-238.

[38] R. McEliece, “A public key cryptosystem based on algebraic coding theory,” DSN progress report 42-44, 1978, pp. 114-116.

[39] C. Peikert, “A Decade of Lattice Cryptography,” Foundation and Trends in Theoretical Computer Science, vol. 10, no. 4, 2016, pp. 283-424.

[40] T. Matsumoto and H. Imai, “Public quadratic polynomial-tuples for efficient signature verification and message-encryption,” Advances in Cryptology, EUROCRYPT’88, 1988, pp. 419-545.

[41] O. Regev, “On Lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM (JACM), vol. 56, no. 6, 2009, pp. 1-40.

[42] P. Gaborit et al., “Rank based cryptography: a credible post-quantum alternative to classical cryptography,” NIST Workshop on Cybersecurity in Post-Quantum World 2015, 2015.

[43] L. Lamport, “Constructing digital signatures from a one way function,” TechReport SRI-CSL-98, SRI International Computational Laboratory, 1979.

[44] R. C. Merkle, “A Digital Signature Based on a Conventional Encryption Function,” CRYPTO’87, 1987, pp. 369-378.

[45] A. Hülsing, “W-OTS+ – Shorter Signatures for Hash-Based Signature Schemes,” Progress in Cryptology – AFRICACRYPT 2013, 2013, pp. 173-188.

[46] S. Bai et al., “Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather than the Statistical Distance,” Advances in Cryptology – ASIACRYPT 2015, 2015, pp. 3-24.

[47] C. Wolf, “Multivariate Quadratic Polynomials in Public Key Cryptography,” Ph.D. thesis, Katholieke Universiteit Leuven, Leuven-Heverlee, 2005.

[48] L. De Meyer, “Security of LWE-based cryptosystems,” Master of Science thesis, Katholieke Universiteit Leuven, 2014-15.

[49] C. Peikert, “Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem: extended abstract,” STOC’99, Proceedings of the forty-first annual ACM symposium on Theory of computing, USA, 2009, pp. 333-342.