
What is your favorite post-quantum encryption approach?

I think lattice-based ones will eventually be broken by a quantum algorithm. I am fully on board with Lamport signatures and SPHINCS+.



In Cyph, I went with Kyber (lattice-based) combined with HQC (code-based) for encryption. NTRU Prime also may be a good option if Kyber is ever broken in a way that doesn't fundamentally break all lattice crypto.

For signing, I treat Dilithium (lattice-based) as "standard security" and SPHINCS+ (hash-based) as "high security". In particular, the former is used for end user public keys and certificates, while the latter is used for code signing where the larger public key and signature sizes are less of an issue.

In all cases, I wouldn't use PQC without combining it with classical crypto, in Cyph's case X25519/Ed25519. Otherwise you run the risk of a situation like SIDH/SIKE where future cryptanalysis of a particular PQC algorithm finds that it isn't even classically secure, and then you're hosed in the present.


> In all cases, I wouldn't use PQC without combining it with classical crypto

With hash-based signatures, hybridization isn't required. They are the most powerful signature scheme approach by far. The security assumption hash-based signatures rely on is also shared with every other signature scheme (hashes are what are signed). Other schemes come with additional assumptions.

It's unfortunate that hash-based public key exchange is not practical. Merkle Puzzles require 2^n data exchange for 2^2n security.

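The hash-based signature idea the two posts above are arguing about, as an added worked example (this is not code from the original thread, from Cyph, or from any SPHINCS+ implementation): a Lamport one-time signature over SHA-256. It makes concrete what "the only assumption is the hash function" means, and also why the key is strictly one-time: every signature leaks half of the secret preimages, and signing enough distinct messages under one key lets an attacker assemble a valid signature on a message of their choosing. SPHINCS+ exists precisely to turn a one-time scheme into a many-time one. The message strings and the `forge_after_reuse` helper are constructed for this illustration.

```python
"""Lamport one-time signature scheme over SHA-256.

Added example for this thread, not code from the original posts or from Cyph.
It shows what "security rests only on the hash function" means concretely,
and why a Lamport key must never sign twice.
"""
import hashlib
import secrets

N = 32        # bytes per secret preimage
BITS = 256    # one preimage pair per bit of the SHA-256 message digest


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    for byte in _h(message):
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def keygen():
    """sk: 256 pairs of random preimages; pk: the hash of each preimage."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(_h(x0), _h(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, message: bytes):
    """For digest bit i, reveal preimage sk[i][0] if the bit is 0, else sk[i][1]."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    """Hash each revealed preimage and compare with the public-key half it claims."""
    if len(sig) != BITS:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_digest_bits(message)))


def learn_from(known, message: bytes, sig):
    """Attacker's view: every signature leaks one preimage per bit position."""
    for i, bit in enumerate(_digest_bits(message)):
        known[i][bit] = sig[i]
    return known


def forge(known, target: bytes):
    """Return a signature on `target` if every needed preimage has leaked, else None."""
    sig = []
    for i, bit in enumerate(_digest_bits(target)):
        if bit not in known[i]:
            return None
        sig.append(known[i][bit])
    return sig


def forge_after_reuse(sk, pk, target: bytes, max_signatures: int = 64):
    """Key-reuse attack: the signer signs distinct messages with one key until
    the attacker has collected every preimage needed to sign `target`.
    Returns (number of signatures observed, forged signature)."""
    known = [dict() for _ in range(BITS)]
    for k in range(1, max_signatures + 1):
        msg = b"release-notes-v%d" % k          # constructed sample messages
        learn_from(known, msg, sign(sk, msg))   # attacker observes each signature
        forged = forge(known, target)
        if forged is not None and verify(pk, target, forged):
            return k, forged
    return None, None


if __name__ == "__main__":
    sk, pk = keygen()
    print("valid:", verify(pk, b"hello", sign(sk, b"hello")))
    k, forged = forge_after_reuse(sk, pk, b"malicious-update")
    print("forged after %s signatures: %s" % (k, verify(pk, b"malicious-update", forged)))
```

Note how little the verifier needs: 256 hash evaluations and comparisons against a public key made of nothing but hash outputs, which is why hash-based signatures carry no assumption beyond the hash that every other scheme already relies on. The price is size (a 256-preimage signature of 32 bytes each is 8 KB here, and the key grows in proportion) and one-time use: after a single signature only one preimage per position is public, but after roughly a dozen signatures on unrelated messages the attacker typically holds both preimages at every position and can sign anything.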

That's fair. I'd basically agree, which is why I decided not to hybridize SPHINCS+ with Dilithium as I did with the two post-quantum encryption algorithms.

Having said that, while SPHINCS+ seems highly likely to be safe (particularly as far as PQC goes), it isn't impossible that someone finds a flaw in e.g. the construction used to implement statelessness. It's probably fine on its own, and stacking it with something like RSA is maybe more trouble than it's worth, but there's also very little downside to hybridizing with Ed25519 given its overhead relative to SPHINCS+; 64 bytes on top of a ~30 KB signature is practically a rounding error.

(Also, small correction to my last comment: only the SPHINCS+ signatures are large, not the public keys.)
