Improving post-quantum cryptography through cryptanalysis

semanticscholar(2020)

Abstract
Large quantum computers pose a threat to our public-key cryptographic infrastructure. The possible responses are:

1. Do nothing; accept the fact that quantum computers might be used to break widely deployed protocols.
2. Mitigate the threat by switching entirely to symmetric-key protocols.
3. Mitigate the threat by switching to different public-key protocols.

Each user of public-key cryptography will make one of these choices, and we should not expect consensus. Some users will do nothing—perhaps because they view the threat as being too remote. And some users will find that they never needed public-key cryptography in the first place. The work that I present here is for people who need public-key cryptography and want to switch to new protocols. Each of the three articles raises the security estimate of a cryptosystem by showing that some attack is less effective than was previously believed. Each article thereby reduces the cost of using a protocol by letting the user choose smaller (or more efficient) parameters at a fixed level of security.

In Part 1, I present joint work with Samuel Jaques in which we revise security estimates for the Supersingular Isogeny Key Exchange (SIKE) protocol. We show that known quantum claw-finding algorithms do not outperform classical claw-finding algorithms. This allows us to recommend 434-bit primes for use in SIKE at the same security level at which 503-bit primes had previously been recommended.

In Part 2, I present joint work with Martin Albrecht, Vlad Gheorghiu, and Eamonn Postlethwaite that examines the impact of quantum search on sieving algorithms for the shortest vector problem. Cryptographers commonly assume that the cost of solving the shortest vector problem in dimension d is 2^{0.265d + o(d)} quantumly and 2^{0.292d + o(d)} classically. These are upper bounds based on a near neighbor search algorithm due to Becker–Ducas–Gama–Laarhoven. Naively, one might think that d must be at least 483 (≈ 128/0.265) to avoid attacks that cost fewer than 2^{128} operations. Our analysis accounts for terms in the o(1) that were previously ignored. In a realistic model of quantum computation, we find that applying the Becker–Ducas–Gama–Laarhoven algorithm in dimension d > 376 will cost more than 2^{128} operations. We also find reason to believe that the classical algorithm will outperform the quantum algorithm in dimensions d < 288.