Practical Post-Quantum Cryptography

Joost Rijneveld

On November 20th 2019, I will be defending my PhD thesis on practical post-quantum cryptography. This thesis is a collection of the work I have done at Radboud University between 2015 and 2019, under the supervision of Peter Schwabe and in collaboration with a wide range of coauthors.

The work consists of three separate chapters, discussing (specific schemes and optimization targets within the realms of) hash-based signatures, MQ-based signatures and lattice-based KEMs. While 'post-quantum cryptography' is the obvious commonality, the real focus of this work is on cryptographic engineering, and most of my contributions involve software optimization.

A digital version of the thesis is available here. Please let me know if you want to receive a physical copy — they will also be available at my defense.

Software availability

The list below mirrors the software availability and data management listing in Section 1.3.1. The links will be updated to point to the latest version of the respective software. Unless explicitly stated otherwise, all software has been placed in the public domain to the extent possible under law, and all copyright and related rights have been waived by applying the CC0 1.0 Public Domain Dedication waiver. Software accompanying a publication is implicitly coauthored by all authors.

Getting started on STM32
Examples that demonstrate how to get started with programming STM32 Discovery boards, as well as wrappers around basic firmware functionality. See Section 2.4.2.
Merkle tree traversal algorithms
Python reimplementations of the Merkle tree traversal algorithms described in [BDS09]. See Section 3.2.5.
The XMSS reference code
The implementation accompanying the informational RFC 8391, specifying WOTS+, XMSS, and XMSS^MT. It includes an implementation of the BDS tree traversal algorithm. This implementation was coauthored with Andreas Hülsing. See Sections 3.3.5 and 3.2.5.
The XMSS-T code
The implementation of XMSS-T, leading to the XMSS reference code. It contains tweaks that allow for comparison to SPHINCS-256 and to XMSS at lowered security levels, and accompanied the paper Mitigating Multi-Target Attacks in Hash-based Signatures [HRS16b]. See Section 3.3.3.
XMSS^MT on the Java Card
An implementation of the XMSS^MT scheme for the Java Card platform. It accompanied the paper Is Java Card ready for hash-based signatures? [LPR+18]. See Section 3.4.
The ARMed SPHINCS code
A modified version of the SPHINCS reference implementation and the XMSS^MT reference implementation, targeting the Cortex-M3. It accompanied the paper ARMed SPHINCS – Computing a 41 KB signature in 16 KB of RAM [HRS16a]. See Section 3.6.
The ChaCha permutation for the Cortex-M
An ARMv7E-M assembly implementation of the πChaCha permutation function. This implementation was initially used in ARMed SPHINCS [HRS16a]. See Section 3.6.
A reimplementation of SPHINCS-256 in Python, aimed to provide a highly flexible framework for experimenting and comparison.
The SPHINCS+ reference code
The reference implementation of SPHINCS+, accompanying the SPHINCS+ submission to NIST’s Post-Quantum Cryptography Standardization project [BDE+17]. See Section 3.7.
Python bindings for the SPHINCS+ reference code, originally written for integration into The Update Framework. Also available on PyPI as pyspx.
The MQDSS code
The reference and AVX2-optimized implementation of MQDSS, accompanying the paper From 5-pass MQ-based identification to MQ-based signatures [CHR+16], and the software as part of the MQDSS submission to NIST’s Post-Quantum Cryptography Standardization project. See Section 4.5.
The SOFIA code
The reference and optimized code accompanying the paper SOFIA: MQ-based signatures in the QROM [CHR+18]. See Section 4.8.
The NTRU-HRSS code
The AVX2-optimized implementation of NTRU-HRSS, accompanying the paper High-speed key encapsulation from NTRU [HRS+17a], and the updated software as part of the NTRU-HRSS submission to NIST’s Post-Quantum Cryptography Standardization project. See Sections 5.1 and 5.2.
Bit permutations
Simulator for a subset of x86-64 with AVX2 extensions, used to construct efficient permutations on bit sequences for NTRU-HRSS [HRS+17a].
A library and benchmarking and testing framework for post-quantum cryptography on the Cortex-M4, coauthored with Matthias Kannwischer, Peter Schwabe, and Ko Stoffelen. See also [KRS+19b].
The ℤ_{2^m}[x] code
Code generation scripts for polynomial multiplication, accompanying the paper Faster multiplication in ℤ_{2^m}[x] on Cortex-M4 to speed up NIST PQC candidates [KRS19]. See Section 5.4.
A testing framework and collection effort of clean implementations of post-quantum cryptography, coauthored with Matthias Kannwischer, Peter Schwabe, Douglas Stebila, and Thom Wiggers. See also [KRS+19a].