Post-Quantum Cryptography - Round One

See also round 2 and round 3.


After NIST's post-quantum cryptography call for proposals, we have quite a few submissions for round 1.

With almost 70 entries, and considering these are all (almost) completely new algorithms, it's hard to say which are going to be favorites. However, based on no science but the names alone, I do have a few favorites.

The first one is a nod to Star Trek in the form of CRYSTALS-DILITHIUM. It is a lattice-based scheme with a slight performance advantage over other proposals. Sadly, it uses CryptoJedi as hosting for its white paper, which I believe constitutes a forbidden mixing of religions.

Further into Jedi territory, there is the NewHope algorithm. As is unfortunately the case with many proposals, there is no website for it, but there is a white paper. It is again a lattice-based algorithm, with a focus on forward secrecy. Not too bad, and I would say quite a favorite considering it's already present in Chrome.

One I like is NTRU Prime. It is (again) lattice-based, but it takes special care to avoid issues other lattice systems might have - the most important being constant-time execution, to make classic side-channel attacks more difficult.
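To make the constant-time point concrete, here is an added illustration in C. It is example code written for this post, not code from NTRU Prime or any other submission, and the sample byte arrays are constructed values. It contrasts an early-exit comparison, whose running time depends on where two secret values first differ, with a comparison and a conditional select that touch every byte and contain no secret-dependent branch (the shape a KEM decapsulation wants when choosing between a real and a fallback shared secret).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values (not from any submission): B equals A,
 * C differs from A at index 1, D differs from A only at the last byte. */
static const uint8_t SAMPLE_A[8] = {0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static const uint8_t SAMPLE_B[8] = {0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static const uint8_t SAMPLE_C[8] = {0x10, 0xFF, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88};
static const uint8_t SAMPLE_D[8] = {0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x00};

/* The pattern to avoid: returns at the first differing byte, so the number
 * of iterations (and the running time) depends on where the secret inputs
 * diverge. Returns the number of bytes inspected before deciding. */
size_t early_exit_steps(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return i + 1;
        }
    }
    return n;
}

/* Constant-time equality: every byte is visited, differences are OR-ed
 * into an accumulator, and the final 0/1 is computed arithmetically
 * rather than with a secret-dependent branch. Returns 1 if equal, else 0. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* diff == 0 makes (diff - 1) wrap to 0xFFFFFFFF, whose top bit is 1;
     * any nonzero diff gives a value below 2^31, whose top bit is 0. */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Constant-time byte select: returns x when pick_x is 1, y when it is 0,
 * using an all-ones/all-zeros mask instead of an if/else. */
uint8_t select_byte_constant_time(uint8_t x, uint8_t y, int pick_x) {
    uint8_t mask = (uint8_t)(0u - (unsigned)(pick_x & 1)); /* 0xFF or 0x00 */
    return (uint8_t)((x & mask) | (y & (uint8_t)~mask));
}

/* Array form of the select: out = pick_x ? x : y, byte by byte, branch-free. */
void select_constant_time(uint8_t *out, const uint8_t *x, const uint8_t *y,
                          size_t n, int pick_x) {
    size_t i;
    for (i = 0; i < n; i++) {
        out[i] = select_byte_constant_time(x[i], y[i], pick_x);
    }
}

/* Demo helper: select between SAMPLE_A and SAMPLE_C, then report (1/0)
 * whether the output equals the operand that should have been chosen.
 * The ternary here is on public demo data, not on a secret. */
int demo_select_matches(int pick_x) {
    uint8_t out[8];
    const uint8_t *expected = pick_x ? SAMPLE_A : SAMPLE_C;
    select_constant_time(out, SAMPLE_A, SAMPLE_C, 8, pick_x);
    return compare_constant_time(out, expected, 8);
}

int main(void) {
    printf("early exit, mismatch at index 1: %zu bytes inspected\n",
           early_exit_steps(SAMPLE_A, SAMPLE_C, 8));
    printf("early exit, mismatch at index 7: %zu bytes inspected\n",
           early_exit_steps(SAMPLE_A, SAMPLE_D, 8));
    printf("constant-time A==B: %d, A==C: %d, A==D: %d\n",
           compare_constant_time(SAMPLE_A, SAMPLE_B, 8),
           compare_constant_time(SAMPLE_A, SAMPLE_C, 8),
           compare_constant_time(SAMPLE_A, SAMPLE_D, 8));
    printf("select pick_x=1 ok: %d, pick_x=0 ok: %d\n",
           demo_select_matches(1), demo_select_matches(0));
    return 0;
}
```

The early-exit version inspects 2 bytes for a mismatch at index 1 and 8 for one at index 7, which is exactly the timing signal the branch-free versions remove. One caveat practitioners know well: writing C this way is necessary but not sufficient, because an optimizing compiler may reintroduce a branch, so serious implementations also inspect the generated assembly or measure with a timing-leak tool.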

Another one to check out might be Falcon. It is again lattice-based, but with special care given to a small memory footprint and stellar performance.

If lattice-based does not work out, my money is on the DAGS algorithm, which uses quasi-dyadic codes. Its small key size compared to other code-based candidates, and the possibility of an asymmetric key exchange where you get to fine-tune the load on the server as compared to the client, make it ideal for IoT applications (often both energy- and performance-deprived).

Lastly, RLCE-KEM seems interesting, as its RLCE-based encryption gives high performance - even when compared to traditional algorithms. It is a bit of a finicky algorithm, especially when it comes to padding, but its speed might make it worth it.

It is way too early to make serious predictions, but I personally really like the thought that went into DAGS. It seems to be something that could work nicely for both current and post-quantum scenarios. And the fine-tuning of the server/client work ratio seems to be god-given for battery-operated devices. Of course, with great flexibility comes great responsibility, and (generally speaking) more flexible algorithms make security downgrades a bit more of a risk.

We shall see what round 2 brings next year. :)