Since that paper was published, new algorithms have found currency in the community. However, the process of choosing one is a little like auditioning actors for the lead role in Hamlet. You quickly find that none are perfect and, in fact, some suffer from facial warts!
Current Candidates for Post-Quantum Asymmetric Encryption Algorithms
Several candidates are already being discussed, all of which have chosen key sizes that achieve the 128-bit level of security necessary to be quantum-safe. (Because the maths involved in each are complicated enough to boggle the mind, we won’t attempt to describe them here but provide instead the relevant Wikipedia links and wish you the best.)
NTRUEncrypt.14 One of the first post-quantum algorithms to gain notice was the NTRU (cutely pronounced “en-true”) which is based on lattice mathematics. Among its benefits are a supposedly low memory footprint and decent performance. A drawback is that a patent is involved, and history shows that open source projects tend to avoid patented algorithms.
McEliece with Goppa codes.15 One novel algorithm currently favored by some in the community is the McEliece encryption system. McEliece is the first algorithm to use randomization in the encryption process rather than in the key generation process, where most systems use it. One of its benefits is that it is faster than RSA, but its primary drawback is its huge keys. A typical RSA key is 2048 bits; a McEliece key is 512 kilobits! That’s 256 times as large!
Ring Learning with Errors. Another promising post-quantum key exchange method is Ring Learning with Errors (RLWE).16 It solves problems in field/set theory, and can also be used for homomorphic encryption,17 which is another darling at the crypto community ball. RLWE uses keys of 7,000 bits which, unlike McEliece keys, are in the same order of magnitude as today’s RSA keys.
Google actually publicly experimented with RLWE by combining a popular elliptic curve algorithm (Curve 25519) with a variant of RLWE called “New Hope.” A small fraction of Chrome browsers and Google servers (must be nice to control both sides of a TLS conversation) negotiated their key exchanges using this combined algorithm, which they dubbed CECPQ1.18 Google did not find any impediments to CECPQ1 other than an additional 1 ms delay, likely due to the larger key sizes. However, it has since ended its experiment with New Hope and is waiting for the IETF TLS committee to name a post-quantum winner.
Which is the Likely Winner?
The likely winner is an algorithm with a spectacularly bloated name: Supersingular Isogeny Diffie-Hellman (SIDH) key exchange.
SIDH has fewer warts than the other “actors” being auditioned. It:
- Uses the smallest key sizes of the candidates (3072-bit public keys)
- Can support forward secrecy
- Is free of patents19
SIDH is not perfect, though: some researchers have already been poking holes at it and have come up with some pretty disturbing attacks. The attacks can be mitigated against, but they add a whole new rash of warts.20
Related and Relevant IETF Projects
The IETF TLS working group has already started design work to fit a post-quantum algorithm into TLS. At the 93rd IETF in 2015, William Whyte proposed a hybrid handshake. Like Google’s CECPQ1, Whyte’s proposal uses a classical key exchange for half of the key, and a post-quantum key exchange for the other half. The two halves are then combined into a key derivation function to get the final master key, from which the rest of the session key data is derived.21
If it seems unlikely that any of these warty algorithms will make a good Hamlet, well, that’s okay. Many people in the crypto community are skeptical that a large-scale quantum computer is even possible. The largest number that’s been factored yet by the embryonic quantum computers is only 56,153.22 And that one was found accidentally; the researchers were only trying to factor the number 21. Twenty-one! That’s a far cry from factoring a typical RSA key.
Largest prime (accidentally) factored by quantum computers:
Representation of a sample 2048-bit RSA prime number:
So, quantum computing still has a way to go. But if it really does become a thing, we’ll be (sort of) ready for post-quantum in pretty short order, at least from a protocol point of view. Adoption will take forever though, as usual.
Get the PDF version of this report: click “Download” below.