Commit a27829be authored by Alex Wiesmaier's avatar Alex Wiesmaier
Browse files

new copy of CMA

parent 2bcf8207
Pipeline #69610 passed with stages
in 17 seconds
# Cryptographic Migration & Agility
An open community site for sharing any relevant research, findings, and solutions on PQC migration and cryptographic agility.
An open community site for sharing any relevant research, findings, or solutions related to PQC migration and cryptographic agility.
- [About Cryptographic Migration and Agility](#about-cryptographic-migration-and-agility)
- [Our Research Group](#our-research-group)
......@@ -12,7 +12,7 @@ An open community site for sharing any relevant research, findings, and solution
- [Hardware Performance](#hardware-performance)
- [Network Performacne](#network-performacne)
- [Security Considerations](#security-considerations)
- [Algorithm, Parameter Selection and Tradeoffs](#algorithm-parameter-selection-and-Tradeoffs)
- [Algorithm, Parameter Selection and Tradeoffs](#algorithm-parameter-selection-and-tradeoffs)
- [Cryptanalysis](#cryptanalysis)
- [Side-Channel Attacks](#side-channel-attacks)
- [Algorithm Migration Process](#algorithm-migration-process)
......@@ -24,12 +24,9 @@ An open community site for sharing any relevant research, findings, and solution
- [Testing](#testing)
- [Incentives and Best Practices](#incentives-and-best-practices)
- [Frontiers of Cryptography](#frontiers-of-cryptography)
- [Open Issues](#open-issues)
- [Standards](#standards)
- [Projects and Initiatives](#projects-and-initiatives)
- [Cryptographic Libraries and Interfaces](#cryptographic-libraries-and-interfaces)
- [References](#references)
- [To Add](#to-add)
- [Contributing](#contributing)
---
......@@ -40,9 +37,9 @@ Post-quantum cryptographic schemes have been under development for several years
---
## Our Research Group
This site was initiated by the [Applied Cyber-Security](https://fbi.h-da.de/forschung/arbeitsgruppen/applied-cyber-security-darmstadt) research group of [Darmstadt University of Applied Sciences](https://h-da.de/) - [Department of Computer Science](https://fbi.h-da.de/), in cooperation with the [Athene](https://www.athene-center.de/forschung/forschungsbereiche/post-quantum-cryptography-7) group.
This site was initiated by the research groups [Applied Cyber-Security](https://fbi.h-da.de/forschung/arbeitsgruppen/applied-cyber-security-darmstadt) and [User Centered Security](https://fbi.h-da.de/index.php?id=764) of [Darmstadt University of Applied Sciences](https://h-da.de/), funded by [ATHENE National Research Center for Applied Cybersecurity](https://www.athene-center.de).
Our research group deals with the challenges of said migration, and searches for answers to the open questions in this field. We build upon our findings and analysis towards finding suitable solutions for achieving said migration and establishing crypto-agility in IT-systems. Our goal is to develop such solutions through design, strategies, frameworks and interfaces.
Our project team deals with the challenges of PQC migration, and searches for answers to the open questions in this field. We build upon our findings and analysis towards finding suitable solutions for achieving said migration and establishing crypto-agility in IT-systems. Our goal is to develop such solutions through design, strategies, frameworks and interfaces.
On the one hand we conduct research on the newest findings regarding cryptographic measures and their development state. This research is managed and updated continuously through a community-based website that will further gather the newest developments regarding PQC research. On the other hand, we Contribute to cutting edge post quantum cryptography technologies and it's applications, as we transform our theoretical and scientific findings into practical solutions, such as our recently developed cryptographic API (eUCRITE). Further, we intend to start the development of an automated tool for the detection of cryptographic components in IT-systems, that could simplify the migration in networks and IT-infrastructures through analyzing and identifying the existing cryptographic measures.
......@@ -51,132 +48,225 @@ On the one hand we conduct research on the newest findings regarding cryptograph
## Related Work
A collection of survey papers and references dealing with general challenges and recommendations regarding the migration to post-quantum cryptography and cryptographic agility.
*Some references do not include a direct hyperlink to their corresponding original sources. A full citation can however be found in the [references](#references) section. All references are listed in their order of appearance in this document.*
*A full reference list can be found in the [references](#references) section. All references are listed in alphabetical order.*
- [Identifying Research Challenges in Post Quantum Cryptography Migration and Cryptographic Agility](http://arxiv.org/abs/1909.07353): A wide range of topics and challenges at a high abstraction level grouped into categories of PQC migration and crypto-agility [OPp19](#[OPp19]).
- [Our Paper] [paper](#paper)
- [NCCoE Crypto-Agility](https://www.nccoe.nist.gov/projects/building-blocks/post-quantum-cryptography): Considerations for Migrating to Post-Quantum Cryptographic Algorithms [nccoe](#nccoe).
- [Practical Post-Quantum Cryptography](https://www.sit.fraunhofer.de/fileadmin/dokumente/studien_und_technical_reports/Practical.PostQuantum.Cryptography_WP_FraunhoferSIT.pdf?_=1503992279): White paper from the Fraunhofer Institute for Secure Information Technology SIT addressing challenges of PQC migration and comparison of PQC algorithms [sit](#sit).
- [From Pre-Quantum to Post-Quantum in IoT](#references): Challenges for PQC in IoT and comparison of the performance of PQC algorithms [FC20](#[FC20]).
- [Biggest Failures in IT Security](#references): A variety of problems in achieving IT security and possible strategies to solve them [AVVY19](#[AVVY19]).
- [Getting Ready for Post-Quantum Cryptography](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.05262020-draft.pdf): Challenges associated with adoption and use of post-quantum cryptographic algorithms.
- [Migration zu Post-Quanten-Kryptografie](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie.html): Recommendations for action on migration to PQC by the BSI (German Federal Office for Information Security).
- [Quantencomputerresistente Kryptografie: Aktuelle Aktivitäten und Fragestellungen](#references): A brief evaluation of the current state of both post-quantum and quantum cryptography.
- [Quantum Safe Cryptography and Security: An introduction, benefits, enablers and challenges](https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf): Important use cases for cryptography and potential migration strategies to transition to post-quantum cryptography.
- [Getting Ready for Post-Quantum Cryptography](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf): Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms [BPS20](#[BPS20]).
- [Practical Post-Quantum Cryptography](https://www.sit.fraunhofer.de/fileadmin/dokumente/studien_und_technical_reports/Practical.PostQuantum.Cryptography_WP_FraunhoferSIT.pdf?_=1503992279): White paper from the Fraunhofer Institute for Secure Information Technology SIT addressing challenges of PQC migration and comparison of PQC algorithms [NIWA17](#[NIWA17]).
- [From Pre-Quantum to Post-Quantum IoT Security](https://ieeexplore.ieee.org/document/8932459): Challenges for PQC in IoT and comparison of the performance of PQC algorithms [FC20](#[FC20]).
- [Biggest Failures in IT Security](https://drops.dagstuhl.de/opus/volltexte/2020/11981/pdf/dagrep_v009_i011_p001_19451.pdf): A variety of problems in achieving IT security and possible strategies to solve them [AVVY19](#[AVVY19]).
- [Getting Ready for Post-Quantum Cryptography](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.05262020-draft.pdf): Challenges associated with adoption and use of post-quantum cryptographic algorithms [BPS20](#[BPS20]).
- [Migration zu Post-Quanten-Kryptografie](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie.html): Recommendations for action on migration to PQC by the BSI (German Federal Office for Information Security) [BSI20](#[BSI20]).
- [Quantencomputerresistente Kryptografie: Aktuelle Aktivitäten und Fragestellungen](https://www.secumedia-shop.net/Deutschland-Digital-Sicher-30-Jahre-BSI): A brief evaluation of the current state of both post-quantum and quantum cryptography [HLL+21](#[HLL+21]).
- [Quantum Safe Cryptography and Security: An introduction, benefits, enablers and challenges](https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf): Important use cases for cryptography and potential migration strategies to transition to post-quantum cryptography [CCD+15](#[CCD+15]).
---
## State of Migration
#### PQC Algorithms
The current state of PQC is represented by the ongoing [NIST PQC standardization process](https://www.nist.gov/pqcrypto)
- [Report on post-quantum cryptography](https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf) [CJL+ 16](#[CJL+ 16]).
- [Status report on the first round](https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8240.pdf) [AASA+ 19](#[AASA+ 19]).
- [ Status report on the second round](https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf) [MAA+ 20](#[MAA+ 20]).
- [Report on post-quantum cryptography](https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf) [CJL+16](#[CJL+16]).
- [Status report on the first round](https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8240.pdf) [AASA+19](#[AASA+19]).
- [ Status report on the second round](https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf) [MAA+20](#[MAA+20]).
**NIST PQC candidate algorithms:**
| Algorithm | Description | Type | NIST Round |
|-------------------------------------|-------------|------|------------|
| [BIKE](https://bikesuite.org/) | Bit flipping key encapsulation based on QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check) [ABB+ 20](#[ABB+ 20]) | Public-key Encryption and Key-establishment | Round Three Alternative |
| [CRYSTALS-Dilithium](https://pq-crystals.org/dilithium/) | Digital signature scheme based on the hardness of lattice problems over module lattices | Digital Signature | Round 3 Finalist |
| [Falcon](https://falcon-sign.info/) | Lattice-based signature scheme based on the short integer solution problem (SIS) over NTRU lattices [FHK+ 20](#[FHK+ 20]) | Digital Signature | Round 3 Finalist |
| [FrodoKEM](https://frodokem.org/)| Key encapsulation from generic lattices | Public-key Encryption and Key-establishment | Round Three Alternative |
| [GeMSS](https://www-polsys.lip6.fr/Links/NIST/GeMSS.html) | Multivariate signature scheme producing small signatures [CFP+ 19](#[CFP+ 19]) | Digital Signature | Round Three Alternative |
| [HQC](http://pqc-hqc.org/) | Hamming quasi-cyclic code-based public key encryption scheme | Public-key Encryption and Key-establishment | Round Three Alternative |
| [KYBER](https://pq-crystals.org/kyber/) | IND-CCA2-secure key-encapsulation mechanism (KEM) based on hard problems over module lattices [ABD+ 21](#[ABD+ 21])| Public-key Encryption and Key-establishment | Round 3 Finalist |
| [Classic McEliece](https://classic.mceliece.org/) | Code-based public-key cryptosystem based on random binary Goppa codes | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [NTRU](https://ntru.org/) | Public-key cryptosystem based on lattice-based cryptography | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [NTRU-Prime](https://ntruprime.cr.yp.to/) | Small lattice-based key-encapsulation mechanism (KEM) | Public-key Encryption and Key-establishment | Round 3 Alternative |
| [Picnic](https://microsoft.github.io/Picnic/) | Digital signature algorithems based on the zero-knowledge proof system and symmetric key primitives | Digital Signature | Round 3 Alternative |
| [Rainbow](https://www.pqcrainbow.org/)| Public key cryptosystem based on the hardness of solving a set of random multivariate quadratic systems | Digital Signature | Round 3 Finalist |
| [SABER](https://www.esat.kuleuven.be/cosic/pqcrypto/saber/) | IND-CCA2-secure Key Encapsulation Mechanism (KEM) based on the hardness of the Module Learning With Rounding problem (MLWR) | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [SIKE](https://sike.org/)| Isogeny-based key encapsulation suite based on pseudo-random walks in supersingular isogeny graphs | Public-key Encryption and Key-establishment | Round 3 Alternative |
| [SPHINCS+](https://sphincs.org/) | A stateless hash-based signature scheme | Digital Signature | Round 3 Alternative |
| [BIKE](https://bikesuite.org/) | Bit flipping key encapsulation based on QC-MDPC (Quasi-Cyclic Moderate Density Parity-Check) [ABB+20](#[ABB+20]) | Public-key Encryption and Key-establishment | Round Three Alternative |
| [CRYSTALS-Dilithium](https://pq-crystals.org/dilithium/) | Digital signature scheme based on the hardness of lattice problems over module lattices [DKL+21](#[DKL+21]) | Digital Signature | Round 3 Finalist |
| [Falcon](https://falcon-sign.info/) | Lattice-based signature scheme based on the short integer solution problem (SIS) over NTRU lattices [FHK+20](#[FHK+20]) | Digital Signature | Round 3 Finalist |
| [FrodoKEM](https://frodokem.org/)| Key encapsulation from generic lattices [NAB+20](#[NAB+20]) | Public-key Encryption and Key-establishment | Round Three Alternative |
| [GeMSS](https://www-polsys.lip6.fr/Links/NIST/GeMSS.html) | Multivariate signature scheme producing small signatures [CFP+19](#[CFP+19]) | Digital Signature | Round Three Alternative |
| [HQC](http://pqc-hqc.org/) | Hamming quasi-cyclic code-based public key encryption scheme [MAB+20](#[MAB+20]) | Public-key Encryption and Key-establishment | Round Three Alternative |
| [KYBER](https://pq-crystals.org/kyber/) | IND-CCA2-secure key-encapsulation mechanism (KEM) based on hard problems over module lattices [ABD+21](#[ABD+21])| Public-key Encryption and Key-establishment | Round 3 Finalist |
| [Classic McEliece](https://classic.mceliece.org/) | Code-based public-key cryptosystem based on random binary Goppa codes [CCU+20](#[CCU+20]) | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [NTRU](https://ntru.org/) | Public-key cryptosystem based on lattice-based cryptography [CDH+19](#[CDH+19]) | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [NTRU-Prime](https://ntruprime.cr.yp.to/) | Small lattice-based key-encapsulation mechanism (KEM) [BBC+20](#[BBC+20]) | Public-key Encryption and Key-establishment | Round 3 Alternative |
| [Picnic](https://microsoft.github.io/Picnic/) | Digital signature algorithems based on the zero-knowledge proof system and symmetric key primitives [CDG+17](#[CDG+17]) | Digital Signature | Round 3 Alternative |
| [Rainbow](https://www.pqcrainbow.org/)| Public key cryptosystem based on the hardness of solving a set of random multivariate quadratic systems [DS05](#[DS05]) | Digital Signature | Round 3 Finalist |
| [SABER](https://www.esat.kuleuven.be/cosic/pqcrypto/saber/) | IND-CCA2-secure Key Encapsulation Mechanism (KEM) based on the hardness of the Module Learning With Rounding problem (MLWR) [DKR+19](#[DKR+19]) | Public-key Encryption and Key-establishment | Round 3 Finalist |
| [SIKE](https://sike.org/)| Isogeny-based key encapsulation suite based on pseudo-random walks in supersingular isogeny graphs [CCH+20](#[CCH+20]) | Public-key Encryption and Key-establishment | Round 3 Alternative |
| [SPHINCS+](https://sphincs.org/) | A stateless hash-based signature scheme [BHK+19](#[BHK+19]) | Digital Signature | Round 3 Alternative |
||
| [NewHope](https://newhopecrypto.org/) | Key-exchange protocol based on the Ring-Learning-with-Errors (Ring-LWE) problem | Public-key Encryption and Key-establishment | Round Two |
| [qTESLA](https://qtesla.org/) | Signature schemes based on the hardness of the decisional Ring Learning With Errors (R-LWE) problem | Digital Signature | Round Two |
| [NewHope](https://newhopecrypto.org/) | Key-exchange protocol based on the Ring-Learning-with-Errors (Ring-LWE) problem [ADPS16](#[ADPS16]) | Public-key Encryption and Key-establishment | Round Two |
| [qTESLA](https://qtesla.org/) | Signature schemes based on the hardness of the decisional Ring Learning With Errors (R-LWE) problem [ABB+20](#[ABB+20]) | Digital Signature | Round Two |
---
#### Performance Considerations
Evaluation of the performance of PQC algorithms in various facets, classified into thethree subcategories: *Algorithm Performance, Network Performance, and Hardware Performance*
###### Algorithm Performance
- Lattice-based evaluation on chosen hardware:
- [On Feasibility of Post-Quantum Cryptography on Small Devices](#references)
- [Towards Practical Deployment of Post-quantum Cryptography on Constrained Platforms and Hardware-Accelerated Platforms](#references)
- Improvements to CRYSTALS-KYBER:
- [Performance Optimization of Lattice Post-Quantum Cryptographic Algorithms on Many-Core Processors](#references)
- [Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4](#references)
- PQC evaluation on chosen hardware:
- [On Feasibility of Post-Quantum Cryptography on Small Devices](https://www.sciencedirect.com/science/article/pii/S2405896318308474) Experimental post-quantum cryptography implementations on small devices with different platforms [MPD+18](#[MPD+18])
- [Towards Practical Deployment of Post-quantum Cryptography on Constrained Platforms and Hardware-Accelerated Platforms](https://link.springer.com/chapter/10.1007/978-3-030-41025-4_8) Evaluation of the NIST candidates regarding their suitability for the implementation on special hardware platforms [MRD+20](#[MRD+20])
- Improvements to PQC algorithms:
- [Performance Optimization of Lattice Post-Quantum Cryptographic Algorithms on Many-Core Processors](https://ieeexplore.ieee.org/abstract/document/9238630?casa_token=j7T_SBR8ECgAAAAA:Skx0Ze-JY3YP5CSLn20TOmrWviAP_-aUZ0b9W_gpR5fDpO8AWLigR52JC4qZVPTbLlIzv-3p2g) 52% and 83% improvement in performance for the CRYSTALS-Kyber KEM SHA3 variant and AES variant through Vectorization [KKP20](#[KKP20])
- [Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4](http://link.springer.com/10.1007/978-3-030-23696-0_11) Optimized software implementation of Kyber for the ARM Cortex-M4 microcontroller [BKS19](#[BKS19])
- Lattice-based vs. Isogeny-based:
- [Towards Post-Quantum Security for Cyber-PhysicalSystems: Integrating PQC into Industrial M2M Communication](#references)
- [Incorporating Post-Quantum Cryptographyin a Microservice Environment](#references)
- [Towards Post-Quantum Security for Cyber-Physical Systems: Integrating PQC into Industrial M2M Communication](https://link.springer.com/chapter/10.1007/978-3-030-59013-0_15) Two solutions for the integration of PQ primitives into the industrial protocol Open Platform Communications Unified Architecture (OPC UA) [PASC20](#[PASC20])
- [Incorporating Post-Quantum Cryptographyin a Microservice Environment](https://homepages.staff.os3.nl/~delaat/rp/2019-2020/p13/report.pdf) On the practical feasibility of using PQCin a microservice architecture [WvdG20](#[WvdG20])
- PQC in IoT:
- [From Pre-Quantum to Post-Quantum IoT Security: A Survey on Quantum-Resistant Cryptosystems for the Internet of Things](#references)
- [From Pre-Quantum to Post-Quantum IoT Security: A Survey on Quantum-Resistant Cryptosystems for the Internet of Things](https://ieeexplore.ieee.org/abstract/document/8932459) A wide view of post-quantum IoT security and give useful guidelines [FC20](#[FC20])
###### Hardware Performance
- CRYSTALS-Dilithium and qTesla:
- [NIST Post-Quantum Cryptography - A Hardware Evaluation Study](https://eprint.iacr.org/2019/047)
- [NIST Post-Quantum Cryptography - A Hardware Evaluation Study](https://eprint.iacr.org/2019/047) A hardware-based comparison of the NIST PQC candidates [BSNK19](#[BSNK19])
- Performance critial use cases:
- [Ultra-Fast Modular Multiplication Implementation for Isogeny-Based Post-Quantum Cryptography](#references)
- [Ultra-Fast Modular Multiplication Implementation for Isogeny-Based Post-Quantum Cryptography](https://ieeexplore.ieee.org/document/9020384) Improved unconventional-radix finite-field multiplication (IFFM) algorithm reducing computational complexity by about 20% [TLW19](#[TLW19])
- FPGA performance benefits:
- [Implementation and benchmarking of round 2 candidates in the NIST post-quantum cryptography standardization process using hardware and software/hardware co-design approaches](#references)
- [Post-Quantum Cryptography on FPGA Based on Isogenies on Elliptic Curves](#references)
- [Post-Quantum Secure Boot](#references)
- [Implementation and benchmarking of round 2 candidates in the NIST post-quantum cryptography standardization process using hardware and software/hardware co-design approaches](https://cryptography.gmu.edu/athena/PQC/GMU_PQC_2020_SW_HW.pdf) Methodology for implementing and benchmarking PQC candidates usingboth hardware and software/hardware co-design approaches [DFA+20](#[DFA+20])
- [Post-Quantum Cryptography on FPGA Based on Isogenies on Elliptic Curves](https://ieeexplore.ieee.org/abstract/document/7725935) Isogeny-based schemes can be implemented with high efficiency on reconfigurable hardware [KAMJ17](#[KAMJ17])
- [Post-Quantum Secure Boot](https://ieeexplore.ieee.org/document/9116252) Post-quantum secure boot solution implemented fully as hardware for reasons of security and performance [KGC+20](#[KGC+20])
- Hardware Security Modules (HSMs):
- [Post-Quantum Secure Architectures for Automotive Hardware Secure Modules](https://eprint.iacr.org/2020/026.pdf) Building a post-quantum secure automotive HSM is feasible and can meet the hard requirements imposed by a modern vehicle ECU [WaSt20](#[WaSt20])
###### Network Performacne
- Measurments and benchmarks:
- [Benchmarking Post-Quantum Cryptography in TLS](https://eprint.iacr.org/2019/1447)
- [Real-world measurements of structured-lattices and supersingular isogenies in TLS](https://www.imperialviolet.org/2019/10/30/pqsivssl.html)
- [Measuring TLS key exchange with post-quantum KEM](https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/kwiatkowski-measuring-tls.pdf)
- [Post-Quantum Authentication in TLS 1.3: A Performance Study](http://eprint.iacr.org/2020/071)
- [Benchmarking Post-Quantum Cryptography in TLS](https://eprint.iacr.org/2019/1447) Packet loss rates above 3–5% start to have a significantimpact on post-quantum algorithms that fragment across many packets [PST19](#[PST19])
- [Real-world measurements of structured-lattices and supersingular isogenies in TLS](https://www.imperialviolet.org/2019/10/30/pqsivssl.html) Computational advantages of structured lattices make them a more attractive choice for post-quantum confidentiality [Lang19](#[Lang19])
- [Measuring TLS key exchange with post-quantum KEM](https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/kwiatkowski-measuring-tls.pdf) [KSL+19](#[KSL+19])
- [Post-Quantum Authentication in TLS 1.3: A Performance Study](http://eprint.iacr.org/2020/071) Detailed performance evaluation of the NIST signature algorithm candidates and imposed latency on TLS 1.3 [SKD20](#[SKD20])
- TLS, DTLS, IKEv2 and QUIC PQC integrations:
- [The TLS Post-Quantum Experiment](https://blog.cloudflare.com/the-tls-post-quantum-experiment/)
- [Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyberand SPHINCS+ with Mbed TLS](#references)
- [The Viability of Post-quantum X.509 Certificates](https://eprint.iacr.org/2018/063)
- [Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project](#references)
- [The TLS Post-Quantum Experiment](https://blog.cloudflare.com/the-tls-post-quantum-experiment/) Evaluating the performance and feasibility of deployment in TLS of two post-quantum key agreement ciphers [KwVa19](#[KwVa19])
- [Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyberand SPHINCS+ with Mbed TLS](https://dl.acm.org/doi/abs/10.1145/3320269.3384725) Post-quantum key establishment with Kyber performs well in TLS on embedded devices compared to ECC variants [BSKNS20](#[BSKNS20])
- [The Viability of Post-quantum X.509 Certificates](https://eprint.iacr.org/2018/063) Signature schemes standardized in NIST PQ Project can work with X.509certs in a post-quantum Internet [KPDG18](#[KPDG18])
- [Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project](https://link.springer.com/chapter/10.1007%2F978-3-319-69453-5_2) [StMo16](#[StMo16])
- VPN evaluations:
- [Two PQ Signature Use-cases: Non-issues,challenges and potential solutions](https://eprint.iacr.org/2019/1276)
- [Two PQ Signature Use-cases: Non-issues, challenges and potential solutions](https://eprint.iacr.org/2019/1276) Dilithium and Falcon are the best available options but come with an impact on TLS performance [KaSi19](#[KaSi19])
#### Security Considerations
###### Algorithm, Parameter Selection and Tradeoffs
- Key/sig. size problematic for protocols:
- [The Viability of Post-quantum X.509 Certificates](http://google.com): Very interesting Paper!. [KPDG18](#[KPDG18])
- [The Viability of Post-quantum X.509 Certificates](https://eprint.iacr.org/2018/063.pdf): Present suitable parameters for software signature use cases and good signature candidates for TLS 1.3 authentication. [KPDG18](#[KPDG18])
- [Towards post-quantum security for cyber-physical systems: Integrating PQC into industrial m2m communication](http://link.springer.com/10.1007/978-3-030-59013-0_15): Tradeoffs in security: big key/certificate sizes results in problems and difficulties for various protocols.[PS20](#[PS20])
###### Cryptanalysis
- PQC schemes broken by cryptanalysis:
- [Cryptanalysis of the Lifted Unbalanced Oil Vinegar Signature Scheme](https://eprint.iacr.org/2019/1490.pdf): A new type of attack called Subfield Differential Attack (SDA) on Lifted Unbalanced Oil and Vinegar (LUOV) [DDS+20](#[DDS+20])
- [Quantum cryptanalysis on some generalized Feistel schemes](https://eprint.iacr.org/2017/1249.pdf): Quantum distinguishers to introduce generic quantum key-recovery attacks [DLW19](#[DLW19])
- [A reaction attack against cryptosystems based on LRPC codes.](https://eprint.iacr.org/2019/845.pdf): Analyze cryptosystems based on Low-Rank Parity-Check (LRPC) codes. [SSPB19](#[SSPB19])
- New security assessment methods:
- [Quantum Cryptanalysis in the RAM Model: Claw-Finding Attacks on SIKE.](https://eprint.iacr.org/2019/103.pdf): New models of computation which allow a direct comparison between classical and quantum algorithms [JS19](#[JS19])
- [A classification of differential invariants for multivariate post-quantum cryptosystems](http://link.springer.com/10.1007/978-3-642-38616-9_11): Present an extension of a recent measure of security against a differential adversary. The technique assures security against any first-order differential invariant adversary. [PST13](#[PST13])
- Code-based PQC algorithms for PRNG:
- [Testing of Code-Based Pseudorandom Number Generators for Post-Quantum Application](https://www.researchgate.net/publication/342456148_Testing_of_Code-Based_Pseudorandom_Number_Generators_for_Post-Quantum_Application): Code-based pseudorandom generator, improvement of Fischer-Stern generator [KKS+20](#[KKS+20])
###### Side-Channel Attacks
- Side-Channel Attacks:
- [Physical security in the post-quantum era: A survey on side-channel analysis, random number generators, and physically unclonable functions](https://arxiv.org/abs/2005.04344): Overview of several PQC-related side-channel attacks[CCA+21](#[CCA+21])
- Minimize attack vectors:
- [Physical protection of lattice-based cryptography: Challenges and solutions](https://pure.qub.ac.uk/files/156772945/paper.pdf): Attack and countermeasure for gaussian sampler of lattice-based schemes. [KOV+18](#[KOV+18])
- [A side-channel resistant implementation of saber](https://eprint.iacr.org/2020/733.pdf): State of the art in terms of side channel attacks against lattice based cryptosystems and their respective countermeasures. [VBDK+20](#[VBDK+20])
- [Side-Channel Analysis and Countermeasure Design on ARM-based Quantum-Resistant SIKE](https://ieeexplore.ieee.org/document/9181442): Side-Channel resistant implementation of saber, using masking as a countermeasure [ZYD+20](#[ZYD+20])
- Successfull attack on Himq-3:
- [A complete cryptanalysis of the post-quantum multivariate signature scheme himq-3](https://link.springer.com/chapter/10.1007%2F978-3-030-61078-4_24): Singularity Attack: Successfully breaks signatures of the multivarite public key scheme Himq-3 [DDW20](#[DDW20])
#### Algorithm Migration Process
###### Hybrid and Combiner Approach
- [X.509-Compliant Hybrid Certificates for the Post-Quantum Transition](http://tubiblio.ulb.tu-darmstadt.de/115809/)
- Hybrid TLS & SSH Implementation:
- [Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH](https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/stebila-prototyping-post-quantum.pdf): Hybrid approach: Two or more independent algorithms chosen from both post-quantum, and classical schemes [CPS19](#[CPS19])
- [Zur Integration von Post-Quantum Verfahren in bestehende Softwarepodukte](https://arxiv.org/pdf/2102.00157v1): Field report on the integration of thePQC methods McEliece and SPHINCS+ based on the eUCRITE API [ZWH21](#[ZWH21])
- Hybrid Lattice-Based:
- [ImperialViolet - CECPQ1 results](https://www.imperialviolet.org/2016/11/28/cecpq1.html): Successful experiment using hybrid approach, no network problems and a median connection latency increase of one millisecond [A. 16](#[A.16])
- [Experimenting with Post-Quantum Cryptography](https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html): Same experiment, see above [Bra16](#[Bra16])
- [Towards post-quantum security for cyber-physical systems: Integrating PQC into industrial m2m communication](http://link.springer.com/10.1007/978-3-030-59013-0_15): Tradeoffs in security: big key/certificate sizes results in problems and difficulties for various protocols.[PS20](#[PS20])
- [Incorporating post-quantum cryptography in a microservice environment](https://homepages.staff.os3.nl/~delaat/rp/2019-2020/p13/report.pdf): Post-Quantum algorithms perform on a similar level to classical ones. The most feasible algorithms are lattice-based. [WvdG20](#[WvdG20])
- Hybrid PQ CECPQ2(b) & X25519:
- [The TLS Post-Quantum Experiment](https://blog.cloudflare.com/the-tls-post-quantum-experiment/): Experiment between google and cloudflare comparing three groups using post-quantum CECPQ2, CECPQ2b or non-post-quantum X25519.[KV19](#[KV19])
- Hybrid Certificates:
- [X.509-Compliant Hybrid Certificates for the Post-Quantum Transition](http://tubiblio.ulb.tu-darmstadt.de/115809/): Parallel usage of two independent cryptographic schemes within public key infrastructures enabling a stepwise transition to post-quantum secureand hybrid algorithms [BBG+19](#[BBG+19])
#### Automation and Frameworks
- RFC6916 PKIs Process Formalization:
- [Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI)](https://tools.ietf.org/html/rfc6916): RFC6916 formalizes the Migration Process for algorithm suites in the Resource Public Key Infrastructure [GKT13](#[GKT13])
- Muckle Protocol Security Analysis:
- [Many a Mickle Makes a Muckle: A Framework for Provably Quantum-Secure Hybrid Key Exchange](https://eprint.iacr.org/2020/099.pdf): Framework for the security analysis of hybrid authenticated key exchange protocols and Introduction of the Muckle protocol [DHP20](#[DHP20])
#### New Standards
- NIST Report on Round 3 Finalists:
- [Status report on the second round of the NIST post-quantum cryptography standardization process](https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf): Third round finalists for public-key encryption / key-establishment algorithms and digital signatures [MAA+20](#[MAA+20])
- Review of NIST Candidates:
- [Standardisierung von post-quanten-kryptografie und empfehlungen des bsi](https://www.bsi.bund.de/DE/Service-Navi/Veranstaltungen/Deutscher-IT-Sicherheitskongress-30-Jahre-BSI/deutscher-it-sicherheitskongress-30-jahre-bsi_node.html): Overview of the current state of standardization of post Quantum cryptography with respect to the BSI recommendations. [HKW21](#[HKW21])
- Open Quantum Project:
- [Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project](https://eprint.iacr.org/2016/1017.pdf): Open Quantum Project, libqos library: exemplary cryptographic applications like OpenSSL. Comparing NIST Round 2 PQC candidate implementations using OpenSSL [SM16](#[SM16])
- DNSSEC PQC Draft:
- [Retrofitting post-quantum cryptography in internet protocols: a case study of DNSSEC](https://dl.acm.org/doi/10.1145/3431832.3431838): Evaluate three PQC-Algorithms that are suitable for DNSSEC within certain constraints [MdJvH+20](#[MdJvH+20])
- Decentralized Cert. Management:
- [Next-generation web public-key infrastructure technologies](https://eprints.qut.edu.au/128643): New decentralized approach to certificate management based on generic blockchains (DPKIT), compatible with existing PKIs. [HM19](#[HM19])
---
## State of Agility
Aspects regarding the notion of cryptographic agility and discussion of open issues
#### Modalities
#### Development Considerations
#### Testing
#### Incentives and Best Practices
#### Frontiers of Cryptography
- New agile protocols:
- [Security Agility Solution Independent of the Underlaying Protocol Architecture](https://www.semanticscholar.org/paper/Security-Agility-Solution-Independent-of-the-Vasic-Mikuc/489054a1f28eb26b1baa1a9f0caff2306c821695) The agilecryptographic negotiation protocol (ACNP) proposed in this paper repre-sents a layer-agnostic, robust solution that can be deployed for providingcryptographic agility and greatly improve security. [VM12](#[VM12])
- [Stateful Hash-based Digital Signature Schemes for Bitcoin Cryptocurrency](https://ieeexplore.ieee.org/document/9043192) This research work presents basic analysis and the background understanding of Stateful Hash-based Signature Schemes, particularly the Lamport One-Time Signature Scheme, Winternitz One-Time Signature Scheme, and the Merkle Signature Scheme. [NWAO19](#[NWAO19])
- Enhance existing protocols for use with PQC
- [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility](https://tools.ietf.org/html/rfc8636.html) This document updates the Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) standard (RFC 4556) to remove protocol structures tied to specific cryptographic algorithms. [AZCH19](#[AZCH19])
- [The Secure Socket API: TLS as an Operating System Service](https://www.usenix.org/conference/usenixsecurity18/presentation/oneill) We explore the use of the standard POSIX socket API as a vehicle for a simplified TLS API, while also giving administrators the ability to control applications and tailor TLS configuration to their needs. [OHW+18](#[OHW+18])
- Enhance existing infrastructure for PQC
- [Algorithm Agility – Discussion on TPM 2.0 ECC Functionalities](https://link.springer.com/chapter/10.1007%2F978-3-319-49100-4_6) In this paper, we review all the TPM 2.0 ECC functionalities, and discuss on whether the existing TPM commands can be used to implement new cryptographic algorithms which have not yet been addressed in the specification. [CU16](#[CU16])
- [Fail-Safe-Konzept für Public-Key-Infrastrukturen](https://tuprints.ulb.tu-darmstadt.de/246/) In dieser Dissertation wird ein Fail-Safe-Konzept für Public-Key-Infrastrukturen vorgestellt. [Mas02](#[Mas02])
- [Public Key Infrastructure and Crypto Agility Concept for Intelligent Transportation Systems](http://www.thinkmind.org/index.php?view=article&articleid=vehicular_2015_1_30_30028) This paper proposes a multi-domain PKI architecture for intelligent transportation systems, which considers the necessities of road infrastructure authorities and vehicle manufacturers, today. [UWK15](#[UWK15])
- Draft for composite keys and signatures
- [Composite Keys and Signatures For Use In Internet PKI](https://tools.ietf.org/id/draft-ounsworth-pq-composite-sigs-01.html) This document defines the structures CompositePublicKey, CompositeSignatureValue, and CompositeParams, which are sequences of the respective structure for each component algorithm. [OP20](#[OP20])
---
#### Development Considerations
- eUCRITE API
- [Security Issues on the CNG Cryptography Library (Cryptography API: Next Generation)](https://ieeexplore.ieee.org/document/6603762) This paper introduces structure, features, and programming techniques of CNG, which was released as a substitute of the previous CAPI (Cryptography API) library from Microsoft.
- [Zur Benutzbarkeit und Verwendung von API-Dokumentationen](https://dl.gi.de/handle/20.500.12116/33515) Showcases requirements for a good security API. [HZHW20](#[HZHW20])
- Research on CA mechanism
- [On the importance of cryptographic agility for industrial automation](https://www.degruyter.com/document/doi/10.1515/auto-2019-0019/html) This work motivates cryptographic agility by discussing the threat of quantum computers to moderncryptography. [PN19](#[PN19])
- CA as design principle
- [PQFabric: A Permissioned Blockchain Secure from Both Classical and Quantum Attacks](https://arxiv.org/abs/2010.06571) Proposes a redesign of Fabric's credential-management procedures and related specifications in order to incorporate hybrid digital signatures, protecting against both classical and quantum attacks using one classical and one quantum-safe signature. [HPDM20](#[HPDM20])
- [Public Key Infrastructure and Crypto Agility Concept for Intelligent Transportation Systems](http://www.thinkmind.org/index.php?view=article&articleid=vehicular_2015_1_30_30028) This paper proposes a multi-domain PKI architecture for intelligent transportation systems, which considers the necessities of road infrastructure authorities and vehicle manufacturers, today. [UWK15](#[UWK15])
- Eval crypto libs
- [Comparing the Usability of Cryptographic APIs](https://ieeexplore.ieee.org/document/7958576) This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them. [ABF+ 17](#[ABF+ 17])
- Eval code examples for crypto libs
- [Usability and Security Effects of Code Examples on Crypto APIs](https://ieeexplore.ieee.org/document/8514203) Platform for cryptographic code examples that improves the usability and security of created applications by non security experts. [MW18](#[MW18])
- [Fluid Intelligence Doesn't Matter! Effects of Code Examples on the Usability of Crypto APIs](https://arxiv.org/abs/2004.03973) Researches whether similarity and Gf also have an effect in the context of using cryptographic APIs.[MW20](#[MW20])
- Eval docum. system for crypto libs
- [Zur Benutzbarkeit und Verwendung von API-Dokumentationen](https://dl.gi.de/handle/20.500.12116/33515) Showcases requirements for a good security API. [HZHW20](#[HZHW20])
## Open issues
#### Testing
- Algorithm relations for better test coverage
- [Systematic Testing of Post-Quantum Cryptographic Implementations Using Metamorphic Testing](https://ieeexplore.ieee.org/document/8785645) Investigates the effectiveness of a systematic testing approach for discovering bugs in highly complex cryptographic algorithm implementations. [PRKK19](#[PRKK19])
---
#### Incentives and Best Practices
- Ranking by best practice as incentive
- [Biggest Failures in Security](https://drops.dagstuhl.de/opus/volltexte/2020/11981/) Tries to identify the "biggest failures" in security and to get a comprehensive understanding on their overall impact on security. [AVVY19](#[AVVY19])
- Best practice for agility in protocols
- [Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms](https://tools.ietf.org/html/rfc7696) Provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to-implement algorithm suite to another over time. [Hou15](#[Hou15])
- Building blocks of crypto-agility
- [On the importance of cryptographic agility for industrial automation](https://www.degruyter.com/document/doi/10.1515/auto-2019-0019/html) This work motivates cryptographic agility by discussing the threat of quantum computers to moderncryptography. [PN19](#[PN19])
## Standards
- [NIST PQC Standardization Process](https://csrc.nist.gov/projects/post-quantum-cryptography)
#### Frontiers of Cryptography
- Blockchains difficult
- [Stateful Hash-based Digital Signature Schemes for Bitcoin Cryptocurrency](https://ieeexplore.ieee.org/document/9043192) This research work presents basic analysis and the background understanding of Stateful Hash-based Signature Schemes, particularly the Lamport One-Time Signature Scheme, Winternitz One-Time Signature Scheme, and the Merkle Signature Scheme. [NWAO19](#[NWAO19])
- Satellites difficult
- [Quantum Resistant Authentication Algorithms for Satellite-Based Augmentation Systems](https://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Neish_2018_IONITM_QuantumResistantAuthenticationUpdated.pdf) Introduces the cryptographic primitives necessary to understand the vulnerabilities in modern day cryptography due to quantum computing and investigates the use of TESLA and EC-Schnorr algorithms in broadcast systems. [NWE19](#[NWE19])
- Cryptographic primitives handable
- [Cryptographic Agility and its Relation to Circular Encryption](https://eprint.iacr.org/2010/117) Researches whether wPRFs (weak-PRFs) are agile and whether every secure (IND-R) encryption scheme is secure when encrypting cycles. [ABBC10](#[ABBC10])
---
## Projects and Initiatives
- [Open Quantum Safe](https://openquantumsafe.org/)
- [Open Quantum Safe](https://openquantumsafe.org/):
An open-source project that aims to support the development and prototyping of quantum-resistant cryptography.
- [Quantum RISC](https://www.quantumrisc.de/)
- [Quantum RISC](https://www.quantumrisc.de/):
Next Generation Cryptography for Embedded Systems.
- [Eclipse CogniCrypt]( https://www.eclipse.org/cognicrypt/)
- [Eclipse CogniCrypt]( https://www.eclipse.org/cognicrypt/):
Secure Integration of Cryptographic Software.
- [BSI-Project: Secure Implementation of a Universal Crypto Library](https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Kryptografie/Kryptobibliothek-Botan/kryptobibliothek-botan_node.html) More information (in German language) can be found in the [project summary](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Projektzusammenfassung_Botan.pdf)
---
......@@ -193,64 +283,114 @@ Lightweight crypto library for constrained environments.
- [WASI Cryptography APIs](https://github.com/WebAssembly/wasi-crypto):
Development of cryptography API proposals for the WASI Subgroup of the [WebAssembly Community Group](https://www.w3.org/community/webassembly/)
- [Botan: Crypto and TLS for Modern C++](https://botan.randombit.net/) A C++ cryptographic library implementing a range of practical systems, such as TLS protocol, X.509 certificates, modern AEAD ciphers, PKCS#11 and TPM hardware support, password hashing, and post quantum crypto schemes. Several other language bindings are available, including Python. Versions of Botan that are approved by the BSI can be found on the [Github repository](https://github.com/Rohde-Schwarz/botan)
- [eUCRITE API](https://use-a-pqclib.h-da.io/eucrite-documentation/):
PQC library interface, that provides quantum-resistant cryptographic schemes in abstract manner. It provides not only PQC-based encryption, but also signature schemes. The end-user has the choice between three different security levels based on the strenght and performance of the chosen algorithems. This abstraction aims at supporting crypt-agility and is expected to make using PQC-schemes easier. Collaborations on our cryptographic API, and a special update mechanism for said API are also under development.
---
## References
##### Related Work
- [A.16] <a name="[A.16]">[A. Langley. ImperialViolet - CECPQ1 results, 2016.](https://www.imperialviolet.org/2016/11/28/cecpq1.html)</a>
- [AASA+19] <a name="[AASA+19]">[G. Alagic, J. Alperin-Sheriff, D. Apon, D. Cooper, Q. Dang, Y. Liu, C. Miller, D.Moody, R. Peralta, et al.2019.Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce,National Institute of Standards and Technology](https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8240.pdf)</a>
- [ABB+20] <a name="[ABB+20]">[E. Alkim, P. S. L. M. Barreto, N. Bindel, J. Krämer, P. Longa, and J. E. Ricardini. The lattice-based digital signature scheme qtesla. In M. Conti, J. Zhou, E. Casalicchio, and A. Spognardi, editors, Applied Cryptography and Network Security, pages 441–460. Springer International Publishing, 2020](https://eprint.iacr.org/2019/085.pdf)</a>
- [ABB+20] <a name="[ABB+20]">[N. Aragon, P. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J. C. Deneuville, P. Gaborit, S. Gueron, T. Guneysu, C. A. Melchor, et al.2020. BIKE: bit flipping key encapsulation (22 Oct 2020)](https://bikesuite.org/files/v4.1/BIKE_Spec.2020.10.22.1.pdf)</a>
- [ABBC10] <a name="[ABBC10]">[T. Acar, M. Belenkiy, M. Bellare, and D. Cash. Cryptographic agility and its relation to circular encryption. 2010.](https://eprint.iacr.org/2010/117)</a>
- [ABD+21] <a name="[ABD+21]">[R. Avanzi, J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck,P. Schwabe, G. Seiler, and D. Stehlé. 2021. CRYSTALS-Kyber algorithm specifi-cations and supporting documentation (version 3.01).NIST PQC Round 3(31Jan 2021)](https://pq-crystals.org/kyber/data/kyber-specification-round3-20210131.pdf)</a>
- [ABF+ 17] <a name="[ABF+ 17]">[Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M. L. Mazurek, and C. Stransky. Comparing the Usability of Cryptographic APIs. In 2017 IEEE Symposium on Security and Privacy (SP), pages 154–171, San Jose, CA, USA, May 2017. IEEE, doi:10.1109/SP.2017.52](http://ieeexplore.ieee.org/document/7958576/)</a>
- [ADPS16] <a name="[ADPS16]">[E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange—a new hope. In 25Th {USENIX } security symposium ( {USENIX } security 16), pages 327–343, 2016](https://eprint.iacr.org/2015/1092.pdf)</a>
- [AVVY19] <a name="[AVVY19]">[F. Armknecht, I. Verbauwhede, M. Volkamer, and M. Yung, editors. Biggest Failures in Security, volume 9 of Dagstuhl Reports. Dagstuhl Publishing, Nov. 2019.](https://drops.dagstuhl.de/opus/volltexte/2020/11981/)</a>
- [AZCH19] <a name="[AZCH19]">[L. Hornquist Astrand, L. Zhu, M. Cullen, and G. Hudson. Public key cryptography for initial authentication in kerberos (PKINIT) algorithm agility. 2019. RFC 8636.](https://tools.ietf.org/html/rfc8636.html)</a>
- [BBC+20] <a name="[BBC+20]">[D. Bernstein, B. Brumley, M. Chen, C. Chuengsatiansup, T. Lange, A. Marotzke, N. Tuveri, C. van Vredendaal, and B. Yang. Ntru prime: round 3 20201007. 2020](https://ntruprime.cr.yp.to/nist/ntruprime-20201007.pdf)</a>
- [BBG+19] <a name="[BBG+19]">Bindel, N., Braun, J., Gladiator, L., Stöckert, T., & Wirth, J. (2019). X. 509-compliant hybrid certificates for the post-quantum transition. Journal of Open Source Software, 4(40), 1606(https://joss.theoj.org/papers/10.21105/joss.01606)</a>
- [BHK+19] <a name="[BHK+19]">[D. J. Bernstein, A. Hülsing, S. Kölbl, R. Niederhagen, J. Rijneveld, and P. Schwabe. The sphincs+ signature framework. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, page 2129–2146, New York, NY, USA, 2019. Association for Computing Machinery. doi:10.1145/3319535.3363229](https://eprint.iacr.org/2019/1086.pdf)</a>
- [BKS19] <a name="[BKS19]">L. Botros, M. J. Kannwischer, and P. Schwabe. Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4. In J. Buchmann and T. Nitaj, A.and Rachidi, editors, Progress in Cryptology – AFRICACRYPT 2019, volume 11627, pages 209–228. Springer International Publishing, Cham, 2019. Series Title: Lecture Notes in Computer Science. [URL:](http://link.springer.com/10.1007/978-3-030-23696-0_11) doi:10.1007/978-3-030-23696-0_11</a>
- [BPS20] <a name="[BPS20]">[W. Barker, W. Polk, and M. Souppaya. 2020. Getting Ready for Post-Quantum Cryptography: Explore Challenges Associated with Adoption and Use of Post-Quantum Cryptographic Algorithms. preprint.](https://doi.org/10.6028/NIST.CSWP.05262020-draft)</a>
- [Bra16] <a name="[Bra16]">[M. Braithwaite. Experimenting with post-quantum cryptography, 2016.](https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html)</a>
- [BSI20] <a name="[BSI20]">[BSI. 2020. Migration zu Post-Quanten-Kryptografie.](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie.html)</a>
- [BSKNS20] <a name="[BSKNS20]">[K. Bürstinghaus-Steinbach, C. Krauß, R. Niederhagen, and M. Schneider. 2020.Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyberand SPHINCS+ with Mbed TLS. InProceedings of the 15th ACM Asia Conferenceon Computer and Communications Security (ASIA CCS ’20). Association forComputing Machinery, 841–852](https://dl.acm.org/doi/abs/10.1145/3320269.3384725)</a>
- [BSNK19] <a name="[BSNK19]">[K. Basu, D. Soni, M. Nabeel, and R. Karri. 2019. NIST Post-Quantum Cryptography - A Hardware Evaluation Study](https://eprint.iacr.org/2019/047)</a>
- [CCA+21] <a name="[CCA+21]">[S. Chowdhury, A. Covic, R. Y. Acharya, S. Dupee, and D. Ganji, F.and Forte. Physical security in the post-quantum era: A survey on side-channel analysis, random number generators, and physi- cally unclonable functions. Journal of Cryptographic Engineering, February 2021.](https://arxiv.org/abs/2005.04344)</a>
- [CCD+15] <a name="[CCD+15]">[M. Campagna, L. Chen, O. Dagdelen, J. Ding, J Fernick, N. Gisin, D. Hayford, T. Jennewein, N. Lütkenhaus, and M. Mosca. 2015.Quantum SafeCryptography and Security: An introduction, benefits, enablers and chal-lenges.European Telecommunications Standards InstituteETSI White Paper,8 (June 2015), 1–64.](https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf)</a>
- [CCH+20] <a name="[CCH+20]">[M. Campagna, C. Costello, B. Hess, A. Jalali, B. Koziel, B. LaMacchia, P. Longa, M. Naehrig, J. Renes, D. Urbanik, et al. Supersingular isogeny key encapsulation. 2020](https://sike.org/files/SIDH-spec.pdf)</a>
- [CCU+20] <a name="[CCU+20]">[T. Chou, C. Cid, S. UiB, J. Gilcher, T. Lange, V. Maram, R. Misoczki, R. Niederhagen, K. G Paterson, Edoardo P., et al. Classic mceliece: conservative code-based cryptography 10 october 2020. 2020](https://classic.mceliece.org/nist/mceliece-20201010.pdf)</a>
- [CDG+17] <a name="[CDG+17]">[Chase, M., Derler, D., Goldfeder, S., Orlandi, C., Ramacher, S., Rechberger, C., ... & Zaverucha, G. (2017, October). Post-quantum zero-knowledge and signatures from symmetric-key primitives. In Proceedings of the 2017 acm sigsac conference on computer and communications security (pp. 1825-1842)](https://eprint.iacr.org/2017/279.pdf)</a>
- [CDH+19] <a name="[CDH+19]">[C. Chen, O. Danba, J. Hoffstein, A. Hülsing, J. Rijneveld, J. M Schanck, P. Schwabe, W. Whyte, and Z. Zhang. Ntru algorithm specifications and supporting documentation. Round-3 submission to the NIST PQC project, March 2019](https://ntru.org/f/ntru-20190330.pdf)</a>
- [CFP+19] <a name="[CFP+19]">[Casanova, J. C. Faugere, G. M. R. J. Patarin, L. Perret, and J. Ryckeghem.2019. GeMSS: a great multivariate short signature.Submission to NIST PQCcompetition Round-2(2019)](https://www-polsys.lip6.fr/Links/NIST/GeMSS_specification.pdf)</a>
- [CJL+16] <a name="[CJL+16]">[L. Chen, S. Jordan, Y. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone.2016.Report on post-quantum cryptography. Vol. 12. US Department of Com-merce, National Institute of Standards and Technology](https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf)</a>
- [CPS19] <a name="[CPS19]">[E. Crockett, C. Paquin, and D. Stebila. Prototyping post-quantum and hybrid key exchange and authentication in TLS and SSH. 2019.](https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/stebila-prototyping-post-quantum.pdf)</a>
- [CU16] <a name="[CU16]">[L. Chen and R. Urian. Algorithm agility – discussion on TPM 2.0 ECC functionalities. In L. Chen, D. McGrew, and C. Mitchell, editors, Security Standardisation Research, volume 10074, pages 141–159. Springer Inter-national Publishing, 2016](http://link.springer.com/10.1007/978-3-319-49100-4_6.)</a>
- [DDS+20] <a name="[DDS+20]">[J. Ding, J. Deaton, K. Schmidt, Vishakha, and Z. Zhang. Cryptanalysis of the Lifted Unbalanced Oil Vinegar Signature Scheme. In D. Micciancio and T. Ristenpart, editors, Advances in Cryptology – CRYPTO 2020, pages 279–298, Cham, 2020. Springer International Publishing.](https://eprint.iacr.org/2019/1490.pdf)</a>
- [DDW20] <a name ="[DDW20]">[Z. Ding, J.and Zhang, J. Deaton, and L. Wang. A complete crypt- analysis of the post-quantum multivariate signature scheme himq- 3. In International Conference on Information and Communica- tions Security, pages 422–440. Springer, 2020.](https://link.springer.com/chapter/10.1007%2F978-3-030-61078-4_24)</a>
- [DFA+20] <a name="[DFA+20]">[V. Ba Dang, F. Farahmand, M. Andrzejczak, K. Mohajerani, D. T. Nguyen, andK. Gaj. 2020. Implementation and benchmarking of round 2 candidates in the nist post-quantum cryptography standardization process using hardware andsoftware/hardware co-design approaches.Cryptology ePrint Archive: Report2020/795(2020)](https://cryptography.gmu.edu/athena/PQC/GMU_PQC_2020_SW_HW.pdf)</a>
- [DHP20] <a name="[DHP20]">[B. Dowling, T. Brandt Hansen, and K. G. Paterson. Many a Mickle Makes a Muckle: A Framework for Provably Quantum-Secure Hybrid Key Exchange. In PQCrypto 2020, 2020.](https://eprint.iacr.org/2020/099.pdf)</a>
- [DKL+21] <a name="[DKL+21]">[L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, and D.Stehlé. 2021. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation.Round-3 submission to the NIST PQC project(8 Feb 2021)](https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf)</a>
- [DKR+19] <a name="[DKR+19]">[J. D’Anvers, A. Karmakar, S. Roy, F. Vercauteren, J. Mera, A. Bass, and M. Beirendonck. Saber: Mod-lwr based kem: Round 3 submission. In NIST Post-Quantum Cryptography Standardization: Round 3, 2019](https://www.esat.kuleuven.be/cosic/pqcrypto/saber/files/saberspecround3.pdf)</a>
- [DLW19] <a name="[DLW19]">[X. Dong, Z. Li, and X. Wang. Quantum cryptanalysis on some generalized Feistel schemes. Science China Information Sciences, 62(2):22501, February 2019.](https://eprint.iacr.org/2017/1249.pdf)</a>
- [DS05] <a name="[DS05]">[J. Ding and D. Schmidt. Rainbow, a new multivariable polynomial signature scheme. In International Conference on Applied Cryptography and Network Security, pages 164–175. Springer, 2005](https://link.springer.com/chapter/10.1007/11496137_12)</a>
- [FC20] <a name="[FC20]">[Tiago M. Fernández-C. 2020. From Pre-Quantum to Post-Quantum IoT Security:A Survey on Quantum-Resistant Cryptosystems for the Internet of Things.IEEEInternet of Things Journal7, 7 (2020), 6457–6480](https://ieeexplore.ieee.org/document/8932459)</a>
- [FHK+20] <a name="[FHK+20]">[P. A. Fouque, J. Hoffstein, P. Kirchner, V. Lyubashevsky, T. Pornin, T. Prest, T.Ricosset, G. Seiler, W. Whyte, and Z. Zhang. 2020. Falcon: Fast-fourier lattice-based compact signatures over NTRU specifications v1. 2.NIST Post-Quantum Cryptography Standardization Round3 (2020)](https://falcon-sign.info/falcon.pdf)</a>
- [GKT13] <a name="[GKT13]">[R. Gagliano, S. Kent, and S. Turner. Algorithm Agility Procedure for the Resource Public Key Infrastructure (RPKI). Request for Comments. 2013. RFC 6916.](https://tools.ietf.org/html/rfc6916)</a>
- [GoKa15] <a name="[GoKa15]">[Ghosh, S., & Kate, A. (2015, June). Post-quantum forward-secure onion routing. In International Conference on Applied Cryptography and Network Security (pp. 263-286). Springer, Cham](https://ieeexplore.ieee.org/abstract/document/9363165)</a>
- [HKW21] <a name="[HKW21]">H. Hagemeier, S. Kousidis, and T. Wunderer. Standardisierung von post-quanten-kryptografie und empfehlungen des bsi. In German Federal Office for Information Security (BSI), editor, Tagungsband zum 17. Deutschen IT-Sicherheitskongress, page 382–294. SecuMedia Verlag, Ingelheim, Germany, Feb 2021. [No direct link available] </a>
- [HLL+21] <a name="[HLL+21]">[T. Hemmert, M. Lochter, D. Loebenberger, M. Margraf, S. Reinhardt, and G.Sigl. 2021. Quantencomputerresistente Kryptografie: Aktuelle Aktivitäten und Fragestellungen. InTagungsband zum 17. Deutschen IT-Sicherheitskongress, German Federal Office for Information Security (BSI) (Ed.). SecuMedia Verlag,Ingelheim, Germany, 367–380](https://www.secumedia-shop.net/Deutschland-Digital-Sicher-30-Jahre-BSI)</a>
- [HM19] <a name="[HM19]">[S. Udyani H. Mudiyanselage. Next-generation web public-key infrastructure technologies, 2019. doi:10.5204/thesis.eprints.128643.](https://eprints.qut.edu.au/128643)</a>
- [Hou15] <a name="[Hou15]">[R. Housley. Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms. RFC 7696, 2015.](https://tools.ietf.org/html/rfc7696)</a>
- [HPDM20] <a name="[HPDM20]">[A. Holcomb, G. C. C. F. Pereira, B. Das, and M. Mosca. PQFabric: A Permissioned Blockchain Secure from Both Classical and Quantum Attacks. arXiv:2010.06571](https://arxiv.org/abs/2010.06571)</a>
- [HZHW20] <a name="[HZHW20]">[R. Huesmann, A. Zeier, A. Heinemann, and A. Wiesmaier. Zur Benutzbarkeit und Verwendung von API-Dokumentationen. In Christian Hansen, Andreas Nürnberger, and Bernhard Preim, editors, Mensch und Computer 2020 - Workshopband, Bonn, 2020. Gesellschaft für Informatik e.V. doi:10.18420/muc2020-ws119-002.](https://dl.gi.de/handle/20.500.12116/33515)
- [JS19] <a name="[JS19]">[S. Jaques and J. M. Schanck. Quantum Cryptanalysis in the RAM Model: Claw-Finding Attacks on SIKE. In A. Boldyreva and D. Micciancio, editors, Advances in Cryptology – CRYPTO 2019, volume 11692, pages 32–61. Springer International Publish- ing, 2019.](https://eprint.iacr.org/2019/103.pdf)</a>
- [KAMJ17] <a name="[KAMJ17]">[B. Koziel, R. Azarderakhsh, M. Mozaffari Kermani, and D. Jao. 2017. Post-Quantum Cryptography on FPGA Based on Isogenies on Elliptic Curves.IEEETransactions on Circuits and Systems I: Regular Papers64, 1 (Jan. 2017), 86–99](https://ieeexplore.ieee.org/abstract/document/7725935)</a>
- [KaSi19] <a name="[KaSi19]">[P. Kampanakis and D. Sikeridis. 2019.Two PQ Signature Use-cases: Non-issues, challenges and potential solutions. Technical Report 1276](https://eprint.iacr.org/2019/1276)</a>
- [KGC+20] <a name="[KGC+20]">[V. B. Y. Kumar, N. Gupta, A. Chattopadhyay, M. Kasper, C. Krauß, and R. Nieder-hagen. 2020. Post-Quantum Secure Boot. In2020 Design, Automation Test inEurope Conference Exhibition (DATE). 1582–1585 doi:10.23919/DATE48585.2020.9116252](https://ieeexplore.ieee.org/document/9116252)</a>
- [KKP20] <a name="[KKP20]">[S. Koteshwara, M. Kumar, and P. Pattnaik. 2020. Performance Optimization of Lattice Post-Quantum Cryptographic Algorithms on Many-Core Processors.In2020 IEEE International Symposium on Performance Analysis of Systems andSoftware (ISPASS). 223–225](https://ieeexplore.ieee.org/abstract/document/9238630)</a>
- [KKS+20] <a name="[KKS+20]">[A. Kuznetsov, A. Kiian, O. Smirnov, A. Cherep, M. Kanabekova, and I. Chepurko. Testing of Code-Based Pseudorandom Num- ber Generators for Post-Quantum Application. In 2020 IEEE 11th International Conference on Dependable Systems, Services and Technologies (DESSERT), pages 172–177, 2020.](https://www.researchgate.net/publication/342456148_Testing_of_Code-Based_Pseudorandom_Number_Generators_for_Post-Quantum_Application)</a>
- [KOV+18] <a name="[KOV+18]">[A. Khalid, T. Oder, F. Valencia, M. O’ Neill, T. Güneysu, and F. Regazzoni. Physical protection of lattice-based cryptography: Challenges and solutions. In Proceedings of the 2018 on Great Lakes Symposium on VLSI, pages 365–370. ACM, 2018.](https://pure.qub.ac.uk/files/156772945/paper.pdf)</a>
- [KPDG18] <a name="[KPDG18]">[P. Kampanakis, P. Panburana, E. Daw, and D. Van Geest. 2018. The Viability of Post-quantum X.509 Certificates.IACR Cryptol. ePrint Arch.2018 (2018)](http://eprint.iacr.org/2018/063)</a>
- [KSL+19] <a name="[KSL+19]">[K. Kwiatkowski, N. Sullivan, A. Langley, D. Levin, and A. Mislove. 2019. Measuring TLS key exchange with post-quantum KEM. InWorkshop Record of the SecondPQC Standardization Conference](https://csrc.nist.gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/kwiatkowski-measuring-tls.pdf)</a>
- [KV19] <a name="[KV19]">[K. Kwiatkowski and L. Valenta. The TLS Post-Quantum Experiment, October 2019.](https://blog.cloudflare.com/the-tls-post-quantum-experiment/)</a>
- [KwVa19] <a name="[KwVa19]">[K. Kwiatkowski and L. Valenta. 2019. The TLS Post-Quantum Experiment](https://blog.cloudflare.com/the-tls-post-quantum-experiment/)</a>
- [Lang19] <a name="[Lang19]">[A. Langley. 2019. Real-world measurements of structured-lattices and supersin-gular isogenies in TLS](https://www.imperialviolet.org/2019/10/30/pqsivssl.html)</a>
- [LLP+ 13] <a name="[LLP+ 13]">[K. Lee, Y. Lee, J. Park, K. Yim, and I. You. Security issues on the cng cryptography library (cryptography api: Next generation). In Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2013 Seventh International Conference on, pages 709–713. IEEE, 2013.](https://ieeexplore.ieee.org/document/6603762)</a>
- [MAA+20] <a name="[MAA+20]">[D. Moody, G. Alagic, D. C Apon, D. A. Cooper, Q. H. Dang, J. M. Kelsey, Y.Liu, C. A. Miller, R. C. Peralta, R. A. Perlner, A. Y. Robinson, D. C. Smith-Tone,and J. Alperin-Sheriff. 2020. Status report on the second round of the NISTpost-quantum cryptography standardization process.](https://doi.org/10.6028/NIST.IR.8309)</a>
- [MAB+20] <a name="[MAB+20]">[C. Aguilar Melchor, N. Aragon, S. Bettaieb, L. Bidoux, O. Blazy, J. C. Deneuville, P. Gaborit, E. Persichetti, G. Zémor, and I. C. Bourges. Hamming quasi-cyclic (hqc). NIST PQC Round, 3, 2020](https://pqc-hqc.org/doc/hqc-specification_2020-10-01.pdf)</a>
- [Mas02] <a name="[Mas02]">[S. Maseberg. Fail-Safe-Konzept für Public-Key-Infrastrukturen. PhDthesis, 2002.](http://tuprints.ulb.tu-darmstadt.de/246/)</a>
- [MdJvH+20] <a name="[MdJvH+20]">[M. Müller, J. de Jong, M. van Heesch, B. Overeinder, and R. van Rijswijk-Deij. Retrofitting post-quantum cryptography in internet protocols: a case study of DNSSEC. 50(4):49–57, 2020. doi:10.1145/3431832.3431838.](https://dl.acm.org/doi/10.1145/3431832.3431838)</a>
- [MPD+18] <a name="[MPD+18]">[L. Malina, L. Popelova, P. Dzurenda, J. Hajny, and Z. Martinasek. 2018. On Feasibility of Post-Quantum Cryptography on Small Devices (15th IFAC Conference on Programmable Devices and Embedded Systems PDeS 2018), Vol. 51. 462–467](https://www.sciencedirect.com/science/article/pii/S2405896318308474)</a>
- [MRD+20] <a name="[MRD+20]">[L. Malina, S. Ricci, P. Dzurenda, D. Smekal, J. Hajny, and T. Gerlich. 2020. Towards Practical Deployment of Post-quantum Cryptography on Constrained Platforms and Hardware-Accelerated Platforms. In Innovative Security Solutions for Information Technology and Communications. Springer International Publishing, 109–124](https://link.springer.com/chapter/10.1007/978-3-030-41025-4_8)</a>
- [MW18] <a name="[MW18]">[K. Mindermann and S. Wagner. Usability and Security Effects of Code Examples on Crypto APIs. In 2018 16th Annual Conference on Privacy, Security and Trust (PST), pages 1–2. IEEE, August 2018.](https://ieeexplore.ieee.org/document/8514203)</a>
- [MW20] <a name="[MW20]">[K. Mindermann and S. Wagner. 2020. Fluid Intelligence Doesn’t Matter! Effectsof Code Examples on the Usability of Crypto APIs. In2020 IEEE/ACM 42ndInternational Conference on Software Engineering: Companion Proceedings (ICSE-Companion). 306–307.](https://arxiv.org/abs/2004.03973)</a>
- [NAB+20] <a name="[NAB+20]">[M. Naehrig, E. Alkim, J. W Bos, L. Ducas, K. Easterbrook, B. LaMacchia, P. Longa,I. Mironov, V. Nikolaenko, C. Peikert, et al.2020. Frodokem learning with errorskey encapsulation.NIST PQC Round3 (2020)](https://frodokem.org/files/FrodoKEM-specification-20171130.pdf)</a>
- [NIWA17] <a name="[NIWA17]">[Niederhagen, R., & Waidner, M. (2017). Practical Post-Quantum Cryptography. Fraunhofer White Paper, vol. ISSN, 2192-8169](https://www.sit.fraunhofer.de/fileadmin/dokumente/studien_und_technical_reports/Practical.PostQuantum.Cryptography_WP_FraunhoferSIT.pdf?_=1503992279)</a>
- [NWAO19] <a name="[NWAO19]">[M. D. Noel, O. V. Waziri, M. S. Abdulhamid, and A. J. Ojeniyi. Stateful hash-based digital signature schemes for bitcoin cryptocurrency. In 2019 15th International Conference on Electronics, Computer and Computation (ICECCO), pages 1–6, 2019.](https://ieeexplore.ieee.org/document/9043192/)</a>
- [NWE19] <a name="[NWE19]">[A. Neish, T. Walter, and P. Enge. Quantum-resistant authentication algorithms for satellite-based augmentation systems. Navigation, 66(1):199–209, 2019.](https://web.stanford.edu/group/scpnt/gpslab/pubs/papers/Neish_2018_IONITM_QuantumResistantAuthenticationUpdated.pdf)</a>
- [OHW+18] <a name="[OHW+18]">[M. O’Neill, S. Heidbrink, J. Whitehead, T. Perdue, L. Dickinson, T. Collett, N. Bonner, K. Seamons, and D. Zappala. The Secure Socket API: TLS as an Operating System Service. In 27th USENIX Security Symposium (USENIX Security 18), pages 799–816. USENIX Association, 2018.](https://www.usenix.org/conference/usenixsecurity18/presentation/oneill)</a>
- [OP20] <a name="[OP20]">[M. Ounsworth and M. Pala. Composite Keys and Signatures For Use In Internet PKI. Internet-Draft-ounsworth-pq-composite-sigs-03, Internet Engineering Task Force, July 2020. Backup Publisher: Internet Engineering Task Force Num Pages: 18](https://tools.ietf.org/id/draft-ounsworth-pq-composite-sigs-01.html)</a>
- [OPp19] <a name="[OPp19]">[D. Ott, C. Peikert, and participants. 2019. Identifying Research Challengesin Post Quantum Cryptography Migration and Cryptographic Agility. (Sept.2019).](https://cra.org/crn/2019/10/research-challenges-in-post-quantum-cryptography-migration-and-cryptographic-agility/)</a>
- Our paper <a name="paper">Our Paper</a>
- [NCCoE] <a name="nccoe">[NCCoE](https://www.nccoe.nist.gov/projects/building-blocks/post-quantum-cryptography)</a>
- SIT <a name="sit">[Frauenhofer SIT](https://www.sit.fraunhofer.de/fileadmin/dokumente/studien_und_technical_reports/Practical.PostQuantum.Cryptography_WP_FraunhoferSIT.pdf?_=1503992279)</a>
- [FC20] <a name="[FC20]">Tiago M. Fernández-C. 2020. From Pre-Quantum to Post-Quantum IoT Security:A Survey on Quantum-Resistant Cryptosystems for the Internet of Things.IEEEInternet of Things Journal7, 7 (2020), 6457–6480</a>
- [AVVY19] <a name="[AVVY19]">F. Armknecht, I. Verbauwhede, M. Volkamer, and M. Yung (Eds.). 2019.Biggest Failures in Security. Dagstuhl Reports, Vol. 9. Dagstuhl Publishing</a>
- [XXX] <a name="[XXX]">[W. Barker, W. Polk, and M. Souppaya. 2020. Getting Ready for Post-QuantumCryptography:: Explore Challenges Associated with Adoption and Use of Post-Quantum Cryptographic Algorithms. preprint.](https://doi.org/10.6028/NIST.CSWP.05262020-draft)</a>
- [XXX] <a name="[XXX]">[BSI. 2020. Migration zu Post-Quanten-Kryptografie.](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten-Kryptografie.html)</a>
- [XXX] <a name="[XXX]">T. Hemmert, M. Lochter, D. Loebenberger, M. Margraf, S. Reinhardt, and G.Sigl. 2021. Quantencomputerresistente Kryptografie: Aktuelle Aktivitäten undFragestellungen. InTagungsband zum 17. Deutschen IT-Sicherheitskongress, Ger-man Federal Office for Information Security (BSI) (Ed.). SecuMedia Verlag,Ingelheim, Germany, 367–380</a>
- [XXX] <a name="[XXX]">[M. Campagna, L. Chen, O. Dagdelen, J. Ding, J Fernick, N. Gisin, D. Hay-ford, T. Jennewein, N. Lütkenhaus, and M. Mosca. 2015.Quantum SafeCryptography and Security: An introduction, benefits, enablers and chal-lenges.European Telecommunications Standards InstituteETSI White Paper,8 (June 2015), 1–64.](https://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf)</a>
---
##### PQC Algorithms
- [CJL+ 16] <a name="[CJL+ 16]">L. Chen, S. Jordan, Y. Liu, D. Moody, R. Peralta, R. Perlner, and D. Smith-Tone.2016.Report on post-quantum cryptography. Vol. 12. US Department of Com-merce, National Institute of Standards and Technology</a>
- [AASA+ 19] <a name="[AASA+ 19]">G. Alagic, J. Alperin-Sheriff, D. Apon, D. Cooper, Q. Dang, Y. Liu, C. Miller, D.Moody, R. Peralta, et al.2019.Status report on the first round of the NIST post-quantum cryptography standardization process. US Department of Commerce,National Institute of Standards and Technology</a>
- [MAA+ 20] <a name="[MAA+ 20]">[D. Moody, G. Alagic, D. C Apon, D. A. Cooper, Q. H. Dang, J. M. Kelsey, Y.Liu, C. A. Miller, R. C. Peralta, R. A. Perlner, A. Y. Robinson, D. C. Smith-Tone,and J. Alperin-Sheriff. 2020. Status report on the second round of the NISTpost-quantum cryptography standardization process.](https://doi.org/10.6028/NIST.IR.8309)</a>
---
- [ABB+ 20] <a name="[ABB+ 20]">N. Aragon, P. Barreto, S. Bettaieb, L. Bidoux, O. Blazy, J. C. Deneuville, P. Ga-borit, S. Gueron, T. Guneysu, C. A. Melchor, et al.2020. BIKE: bit flipping keyencapsulation. (22 Oct 2020)</a>
- [XXX] <a name="[XXX]">L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, P. Schwabe, G. Seiler, and D.Stehlé. 2021. CRYSTALS-Dilithium Algorithm Specifications and SupportingDocumentation.Round-3 submission to the NIST PQC project(8 Feb 2021)</a>
- [FHK+ 20] <a name="[FHK+ 20]">P. A. Fouque, J. Hoffstein, P. Kirchner, V. Lyubashevsky, T. Pornin, T. Prest, T.Ricosset, G. Seiler, W. Whyte, and Z. Zhang. 2020. Falcon: Fast-fourier lattice-based compact signatures over NTRU specifications v1. 2.NIST Post-QuantumCryptography Standardization Round3 (2020).</a>
- [XXX] <a name="[XXX]">M. Naehrig, E. Alkim, J. W Bos, L. Ducas, K. Easterbrook, B. LaMacchia, P. Longa,I. Mironov, V. Nikolaenko, C. Peikert, et al.2020. Frodokem learning with errorskey encapsulation.NIST PQC Round3 (2020).</a>
- [CFP+ 19] <a name="[CFP+ 19]"> Casanova, J. C. Faugere, G. M. R. J. Patarin, L. Perret, and J. Ryckeghem.2019. GeMSS: a great multivariate short signature.Submission to NIST PQCcompetition Round-2(2019)</a>
- [ABD+ 21] <a name="[ABD+ 21]"> R. Avanzi, J. Bos, L. Ducas, E. Kiltz, T. Lepoint, V. Lyubashevsky, J. M. Schanck,P. Schwabe, G. Seiler, and D. Stehlé. 2021. CRYSTALS-Kyber algorithm specifi-cations and supporting documentation (version 3.01).NIST PQC Round 3(31Jan 2021)</a>
##### Performance Considerations
- S. Koteshwara, M. Kumar, and P. Pattnaik. 2020. Performance Optimization of Lattice Post-Quantum Cryptographic Algorithms on Many-Core Processors.In2020 IEEE International Symposium on Performance Analysis of Systems andSoftware (ISPASS). 223–225
- L. Botros, M. J. Kannwischer, and P. Schwabe. 2019. Memory-Efficient High-Speed Implementation of Kyber on Cortex-M4. InProgress in Cryptology –AFRICACRYPT 2019, J. Buchmann and T. Nitaj, A.and Rachidi (Eds.). Vol. 11627.Springer International Publishing, 209–228
- S. Paul and P. Scheible. 2020. Towards Post-Quantum Security for Cyber-PhysicalSystems: Integrating PQC into Industrial M2M Communication. InComputerSecurity – ESORICS 2020. Vol. 12309. Springer International Publishing, 295–316
- D. Weller and R. van der Gaag. 2020. Incorporating post-quantum cryptographyin a microservice environment. (2020), 36
- Tiago M. Fernández-C. 2020. From Pre-Quantum to Post-Quantum IoT Security:A Survey on Quantum-Resistant Cryptosystems for the Internet of Things.IEEEInternet of Things Journal7, 7 (2020), 6457–6480
- L. Malina, L. Popelova, P. Dzurenda, J. Hajny, and Z. Martinasek. 2018. On Fea-sibility of Post-Quantum Cryptography on Small Devices(15th IFAC Conferenceon Programmable Devices and Embedded Systems PDeS 2018), Vol. 51. 462–467
- L. Malina, S. Ricci, P. Dzurenda, D. Smekal, J. Hajny, and T. Gerlich. 2020. To-wards Practical Deployment of Post-quantum Cryptography on ConstrainedPlatforms and Hardware-Accelerated Platforms. InInnovative Security Solu-tions for Information Technology and Communications. Springer InternationalPublishing, 109–124
---
- K. Basu, D. Soni, M. Nabeel, and R. Karri. 2019. NIST Post-Quantum Cryptogra-phy - A Hardware Evaluation Study. https://eprint.iacr.org/2019/047
- J. Tian, J. Lin, and Z. Wang. 2019. Ultra-Fast Modular Multiplication Implementa-tion for Isogeny-Based Post-Quantum Cryptography. In2019 IEEE InternationalWorkshop on Signal Processing Systems (SiPS). 97–102
- V. Ba Dang, F. Farahmand, M. Andrzejczak, K. Mohajerani, D. T. Nguyen, andK. Gaj. 2020. Implementation and benchmarking of round 2 candidates in thenist post-quantum cryptography standardization process using hardware andsoftware/hardware co-design approaches.Cryptology ePrint Archive: Report2020/795(2020)
- B. Koziel, R. Azarderakhsh, M. Mozaffari Kermani, and D. Jao. 2017. Post-Quantum Cryptography on FPGA Based on Isogenies on Elliptic Curves.IEEETransactions on Circuits and Systems I: Regular Papers64, 1 (Jan. 2017), 86–99
- V. B. Y. Kumar, N. Gupta, A. Chattopadhyay, M. Kasper, C. Krauß, and R. Nieder-hagen. 2020. Post-Quantum Secure Boot. In2020 Design, Automation Test inEurope Conference Exhibition (DATE). 1582–1585
---
- C. Paquin, D. Stebila, and G. Tamvada. 2019.Benchmarking Post-QuantumCryptography in TLS. Technical Report 1447. http://eprint.iacr.org/2019/1447
- A. Langley. 2019. Real-world measurements of structured-lattices and supersin-gular isogenies in TLS. https://www.imperialviolet.org/2019/10/30/pqsivssl.html
- K. Kwiatkowski, N. Sullivan, A. Langley, D. Levin, and A. Mislove. 2019. Measur-ing TLS key exchange with post-quantum KEM. InWorkshop Record of the SecondPQC Standardization Conference. https://csrc. nist. gov/CSRC/media/Events/Second-PQC-Standardization-Conference/documents/accepted-papers/kwiatkowski-measuring-tls. pdf
- D. Sikeridis, P. Kampanakis, and M. Devetsikiotis. 2020.Post-Quantum Au-thentication in TLS 1.3: A Performance Study. Technical Report 071.http://eprint.iacr.org/2020/071
- K. Kwiatkowski and L. Valenta. 2019. The TLS Post-Quantum Experiment.https://blog.cloudflare.com/the-tls-post-quantum-experiment/
- K. Bürstinghaus-Steinbach, C. Krauß, R. Niederhagen, and M. Schneider. 2020.Post-Quantum TLS on Embedded Systems: Integrating and Evaluating Kyberand SPHINCS+ with Mbed TLS. InProceedings of the 15th ACM Asia Conferenceon Computer and Communications Security (ASIA CCS ’20). Association forComputing Machinery, 841–852
- P. Kampanakis, P. Panburana, E. Daw, and D. Van Geest. 2018. The Viabilityof Post-quantum X.509 Certificates.IACR Cryptol. ePrint Arch.2018 (2018).http://eprint.iacr.org/2018/063
- D. Stebila and M. Mosca. 2016. Post-quantum Key Exchange for the Internetand the Open Quantum Safe Project. InSelected Areas in Cryptography – SAC2016, R. Avanzi and H. Heys (Eds.). Springer International Publishing, 14–37.https://doi.org/10.1007/978-3-319-69453-5_2
- P. Kampanakis and D. Sikeridis. 2019.Two PQ Signature Use-cases: Non-issues,challenges and potential solutions. Technical Report 1276. https://eprint.iacr.org/2019/1276
- [PASC20] <a name="[PASC20]">[S. Paul and P. Scheible. 2020. Towards Post-Quantum Security for Cyber-Physical Systems: Integrating PQC into Industrial M2M Communication. InComputerSecurity – ESORICS 2020. Vol. 12309. Springer International Publishing, 295–316](https://link.springer.com/chapter/10.1007/978-3-030-59013-0_15)</a>
- [PN19] <a name="[PN19]">[S. Paul and M. Niethammer. On the importance of cryptographic agility for industrial automation. at - Automatisierungstechnik, 67(5):402–416, May 2019, doi:10.1515/auto-2019-0019](http://www.degruyter.com/view/j/auto.2019.67.issue-5/auto-2019-0019/auto-2019-0019.xml)</a>.
- [PRKK19] <a name="[PRKK19]">[S. Pugh, M. S. Raunak, D. R. Kuhn, and R. Kacker. Systematic Testing of Post-Quantum Cryptographic Implementations Using Metamorphic Testing. In 2019 IEEE/ACM 4th International Workshop on Metamorphic Testing (MET), pages 2–8, Montreal, QC, Canada, May 2019. IEEE, doi:10.1109/MET.2019.00009.](https://ieeexplore.ieee.org/document/8785645/)</a>
- [PS20] <a name="[PS20]">[S. Paul and P. Scheible. Towards post-quantum security for cyber-physical systems: Integrating PQC into industrial m2m communica tion. In L. Chen, N. Li, K. Liang, and S. Schneider, editors, Computer Security – ESORICS 2020, volume 12309, pages 295–316. Springer In ternational Publishing, 2020. Series Title: Lecture Notes in Computer Science. doi:10.1007/978-3-030-59013-0\_15.](http://link.springer.com/10.1007/978-3-030-59013-0_15)</a>
- [PST13] <a name="[PST13]">[R. Perlner and D. Smith-Tone. A classification of differential invariants for multivariate post-quantum cryptosystems. In P. Gaborit, editor, Post- Quantum Cryptography, volume 7932, pages 165–173. Springer Berlin Heidelberg, 2013. Series Title: Lecture Notes in Computer Science. doi:10.1007/ 978-3-642-38616-9_11](http://link.springer.com/10.1007/978-3-642-38616-9_11)</a>
- [PST19] <a name="[PST19]">[C. Paquin, D. Stebila, and G. Tamvada. 2019.Benchmarking Post-QuantumCryptography in TLS. Technical Report 1447] (http://eprint.iacr.org/2019/1447)</a>
- [SKD20] <a name="[SKD20]">[D. Sikeridis, P. Kampanakis, and M. Devetsikiotis. 2020. Post-Quantum Authentication in TLS 1.3: A Performance Study. Technical Report 071](http://eprint.iacr.org/2020/071)</a>
- [SM16] <a name="[SM16]">[D. Stebila and M. Mosca. Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project. In R. Avanzi and H. Heys, editors, Selected Areas in Cryptography – SAC 2016, Lecture Notes in Computer Science, pages 14–37, Cham, 2016. Springer International Publishing. doi:10.1007/978-3-319-69453-5\_2.](https://eprint.iacr.org/2016/1017.pdf)</a>
- [SSPB19] <a name="[SSPB19]">[S. Samardjiska, P. Santini, E. Persichetti, and G. Banegas. A reaction attack against cryptosystems based on LRPC codes. In P. Schwabe and N. Thériault, editors, Progress in Cryptology – LATINCRYPT 2019, pages 197–216. Springer International Pub- lishing, 2019.](https://eprint.iacr.org/2019/845.pdf)</a>
- [StMo16] <a name="[StMo16]">[D. Stebila and M. Mosca. 2016. Post-quantum Key Exchange for the Internet and the Open Quantum Safe Project. In Selected Areas in Cryptography – SAC2016, R. Avanzi and H. Heys (Eds.). Springer International Publishing, 14–37](https://doi.org/10.1007/978-3-319-69453-5_2)</a>
- [TLW19] <a name="[BSNK19]">[J. Tian, J. Lin, and Z. Wang. 2019. Ultra-Fast Modular Multiplication Implementa-tion for Isogeny-Based Post-Quantum Cryptography. In2019 IEEE InternationalWorkshop on Signal Processing Systems (SiPS). 97–102 doi:10.1109/SiPS47522.2019.9020384](https://ieeexplore.ieee.org/document/9020384)</a>
- [TRH+20] <a name="[TRH+20]">[Tujner, Z., Rooijakkers, T., van Heesch, M., & Önen, M. (2020). QSOR: Quantum-Safe Onion Routing. arXiv preprint arXiv:2001.03418](https://arxiv.org/abs/2001.03418)</a>
- [UWK15] <a name="[UWK15]">[M. Ullmann, C. Wieschebrink, and D. Kügler. Public key infrastructure and crypto agility concept for intelligent transportation systems. In Sulc, Noll (Eds.): VEHICULAR 2015: The Fourth International Conference on Advances in Vehicular Systems, Technologies and Applications. October 11-16, 2015, St. Julians, Malta, pages 14 – 19, 2015.](http://www.thinkmind.org/index.php?view=article&articleid=vehicular_2015_1_30_30028.)</a>
- [VBDK+20] <a name="[VBDK+20]">[M. Van Beirendonck, J. P. D’Anvers, A. Karmakar, J. Balasch, and I. Verbauwhede. A side-channel resistant implementation of saber. IACR Cryptol. ePrint Arch, 733, 2020.](https://eprint.iacr.org/2020/733.pdf)</a>
- [VM12] <a name="[VM12]">[V. Vasić and M. Mikuc. Security Agility Solution Independent of the Underlaying Protocol Architecture. In AT, 918 of CEUR Workshop Proceedings, pages 128–137. CEUR-WS.org, 2012.](https://www.semanticscholar.org/paper/Security-Agility-Solution-Independent-of-the-Vasic-Mikuc/489054a1f28eb26b1baa1a9f0caff2306c821695.)</a>
- [WaSt20] <a name="[WaSt20]">[Wang, W., & Stöttinger, M. (2020). Post-Quantum Secure Architectures for Automotive Hardware Secure Modules. IACR Cryptol. ePrint Arch., 2020, 26](https://eprint.iacr.org/2020/026.pdf)</a>
- [WvdG20] <a name="[WvdG20]">[D. Weller and R. van der Gaag. 2020. Incorporating post-quantum cryptographyin a microservice environment. (2020), 36](https://homepages.staff.os3.nl/~delaat/rp/2019-2020/p13/report.pdf)</a>
- [Zei20] <a name="[Zei20]">[A. Zeier. 08.12.2020. eucrite 1.0 API.](https://use-a-pqclib.h-da.io/eucrite-documentation/)</a>
- [ZWH21] <a name="[ZWH21]">[A. Zeier, A. Wiesmaier, and A. Heinemann. Zur Integration von Post-Quantum Verfahren in bestehende Softwarepodukte. In German Federal Office for Information Security (BSI), editor, Tagungsband zum 17. Deutschen IT-Sicherheitskongress, pages 381 – 391. SecuMedia Verlag, Ingelheim, Germany, March 2021.](https://arxiv.org/pdf/2102.00157v1)</a>
- [ZYD+20] <a name="[ZYD+20]">[F. Zhang, B. Yang, X. Dong, S. Guilley, Z. Liu, W. He, F. Zhang, and K. Ren. Side-Channel Analysis and Countermeasure Design on ARM- based Quantum-Resistant SIKE. IEEE Transactions on Computers, pages 1–1, 2020. Conference Name: IEEE Transactions on Computers. doi: 10.1109/TC.2020.3020407.](https://ieeexplore.ieee.org/document/9181442)</a>
##### Algorithm & Parameter Selection
- [KPDG18] <a name="[KPDG18]">[P. Kampanakis, P. Panburana, E. Daw, and D. Van Geest. The Viability of Post-quantum X.509 Certificates. IACR Cryptol. ePrint Arch., 2018, 2018.](https://google.de)</a>
---
## Contributing
Your contributions are always welcome! Please take a look at the [contribution guidelines](Contribution Guidlines.md) first.
For any questions, inquiries or feedback you can contact us via e-mail at: [nouri.alnahawi@h-da.de](mailto:nouri.alnahawi@h-da.de)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment