[Cryptography] Where to Find PQC Crypto Libraries?

Jeff Burdges burdges at gnunet.org
Sun Aug 7 05:35:12 EDT 2016


On Sat, 2016-08-06 at 16:50 -0700, Lucky Green wrote:
> Is anyone here aware of cryptographic libraries that implement the
> various PQC algorithms, ideally with test vectors?
> 
> Even http://www.pqcrypto.org/ does not seem to have a link to library
> implementations.

There are links to C implementations of New Hope, SPHINCS, and TESLA
at: https://cryptojedi.org/crypto/index.shtml
New Hope is probably what you want right now anyways.

I'd think a single library cannot really provide algorithm agility right
now because the underlying algorithms remain too different and you
really might want to change algorithms down the road.  Post-quantum
cryptography is very much a research topic with basic questions like
authentication, chosen ciphertext vs plaintext security, etc. remaining
problematic.  In fact, there are attacks where malicious key exchanges
allow attackers to extract private key material, so keys can usually
only be ephemeral, or maybe require some sort of validation.

Jeff

p.s.  I'll attempt to summarize my understanding of the state of various
post-quantum primitives with some form of implementation:

SPHINCS - Hash-based signature algorithm.  Very good security
properties, long term keys okay.  Key sizes around 1kb, or maybe better,
but signatures are 40kb, so not usable for most applications.

TESLA - I haven't read the paper yet.

McBits - McEliece style public-key encryption.  1mb public keys!  Adds
64kb to encrypted messages.  I dunno if keys need to be ephemeral, etc.,
so read the paper.  Ask the authors about the code's status.

NTRU - Public-key lattice-based encryption.  Public keys are a few kb.
Aging now, but never subjected to enough cryptanalysis due to the patent,
so maybe claims about threat model get confusing.  Considered weaker than
more modern lattice-based schemes.
https://github.com/NTRUOpenSourceProject

NTRU' - Avoids the NTRU patent, and improves in many ways, but many people
feel it suffers from many problems of NTRU, and big arguments about
parameter choices.  Ask authors about the code's status maybe.

New Hope - Ring-LWE-based key exchange.  2 kb public keys.  Acceptable
speed.  Ephemeral keys only.  This is what everyone is using right
now.

MS SIDH - SIDH key exchange - Around 600 byte public key.  At least 300
times slower than curve25519, much more if you try to use key
validation.  Very new, so even the authors say not to use it for
anything serious yet.*
http://www.microsoft.com/en-us/research/project/sidh-library/

Also, there was an interesting paper on an LWE key exchange scheme
without ring structure recently, presumably their code is not production
ready, and their key sizes are much bigger than New Hope.  Yet, one
could imagine that a few years will see this growing into schemes that
seem more secure than Ring-LWE schemes like New Hope for applications
that can afford to pay more in key size. 

* I personally like SIDH long-term.  Amongst other reasons, it appears
you must do computations in a huge mathematical object to break it,
possibly adding an additional hurdle for quantum computers.  Yet, I've
never seen anyone make space complexity claims about attempts to break
it, so maybe that's just wrong.
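Added illustration (editor's own toy code, not from the post above nor from any of the libraries it links): the "LWE key exchange scheme without ring structure" mentioned in the message has the same shape as Regev/Frodo-style encryption, and the small program below walks through one such exchange with matrices instead of ring elements. All parameters (Q, N, NBAR), the uniform error distribution and the random public matrix are constructed for readability and give no real security; they are chosen only so that the worst-case noise stays below Q/4 and decoding is provably exact. Note that Alice's key pair lives only inside `run_exchange` and is discarded afterwards, matching the "ephemeral keys only" caveat the post attaches to lattice key exchanges.

```python
# Toy plain-LWE (Regev/Frodo-style) key encapsulation, added by the editor
# as an illustration. Parameters and the error distribution are constructed
# and deliberately tiny; this is NOT secure and mirrors no real library.
import hashlib
import secrets

Q = 1 << 15      # modulus (toy choice)
N = 128          # LWE dimension (toy; real schemes use several hundred)
NBAR = 8         # 8x8 = 64 shared bits per exchange
ERR = 2          # toy error bound: coefficients drawn uniformly from [-ERR, ERR]


def small():
    """Sample one 'small' secret/error coefficient (constructed toy distribution)."""
    return secrets.randbelow(2 * ERR + 1) - ERR


def matrix(rows, cols, sampler):
    return [[sampler() for _ in range(cols)] for _ in range(rows)]


def matmul(x, y):
    cols = len(y[0])
    return [[sum(xi[k] * y[k][j] for k in range(len(y))) % Q for j in range(cols)]
            for xi in x]


def matadd(x, y):
    return [[(a + b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def matsub(x, y):
    return [[(a - b) % Q for a, b in zip(rx, ry)] for rx, ry in zip(x, y)]


def public_matrix():
    """Public uniform N x N matrix A (real schemes expand it from a seed)."""
    return matrix(N, N, lambda: secrets.randbelow(Q))


def keygen(a):
    """Alice: ephemeral secret S and public B = A*S + E."""
    s = matrix(N, NBAR, small)
    e = matrix(N, NBAR, small)
    return s, matadd(matmul(a, s), e)


def encaps(a, b):
    """Bob: pick 64 random bits and hide them in V = S'*B + E'' shifted by Q/2 per bit."""
    bits = [secrets.randbelow(2) for _ in range(NBAR * NBAR)]
    s2 = matrix(NBAR, N, small)
    e2 = matrix(NBAR, N, small)
    e3 = matrix(NBAR, NBAR, small)
    b2 = matadd(matmul(s2, a), e2)        # Bob's public value B' = S'*A + E'
    v = matadd(matmul(s2, b), e3)         # V = S'*B + E'' ~= S'*A*S + small noise
    enc = [[bits[i * NBAR + j] * (Q // 2) for j in range(NBAR)] for i in range(NBAR)]
    return b2, matadd(v, enc), derive(bits)


def decaps(s, b2, c):
    """Alice: C - B'*S = encoded bits + small noise; round each entry to 0 or Q/2."""
    d = matsub(c, matmul(b2, s))
    bits = [1 if Q // 4 <= x < 3 * Q // 4 else 0 for row in d for x in row]
    return derive(bits)


def derive(bits):
    """Hash the agreed 64 bits into a session key (hex string)."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def noise_bound():
    """Worst-case |S'*E + E'' - E'*S| entry; decoding is exact whenever this is < Q/4."""
    return 2 * N * ERR * ERR + ERR


def run_exchange():
    """One complete exchange; both key pairs are fresh and discarded afterwards."""
    a = public_matrix()
    s, b = keygen(a)
    b2, c, bob_key = encaps(a, b)
    alice_key = decaps(s, b2, c)
    return alice_key, bob_key


if __name__ == "__main__":
    k1, k2 = run_exchange()
    print("shared keys match:", k1 == k2)
```

The size trade-off the post alludes to is visible directly: Alice's public value B is an N x NBAR matrix of 15-bit entries, so even at these toy dimensions it is far larger than the ~2 kb the post quotes for New Hope, which is exactly the price paid for dropping the ring structure.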

