Quantum-Safeness of WSO2 Products
- Frank Leymann
- Technical Fellow - WSO2
Introduction
We begin with a very brief overview of the underpinnings of quantum computing and the notion of quantum algorithms. Next we show the threats to today’s cryptographic protocols that originate from quantum algorithms.
Quantum Computing
Quantum computers realize a compute paradigm very different from the classical one we are used to [1]: first and foremost, the information unit of a quantum computer is the qubit (“quantum bit”), which is a so-called superposition of 0 and 1, i.e., a qubit is in a sense both 0 and 1 at the same time, each of the two values weighted by a probability amplitude that determines which value is observed when the qubit is read out. Before it is read, a qubit has a continuum of possible states (superpositions): this is one of the origins of the power of a quantum computer.
Figure 1: Comparing a Bit and a Qubit
In Figure 1, a bit is depicted on the right side (part (a)): it has two possible values. A qubit q is shown on the left side (part (b)): it is a point on a sphere (called the Bloch sphere), and any point on the sphere is a possible state of a qubit. Note that the classical values “0” and “1” are written as |0> and |1> to signal that these are not classical values but quantum states. See [1] for more details.
Like a classical register is a series of bits, a quantum register is a collection of qubits. But while a classical register always holds a single value, a quantum register of n qubits is a superposition of 2^n values (namely |00…0>, |00…1>, …, |11…1>). For example, if n = 50 (today, some commercially available quantum computers have a hundred or even several hundred qubits) the register is in a superposition of 2^50 ≈ 10^15 values (remember: 10^15 corresponds to the prefix “peta”!). An operation of a quantum computer manipulates all of these values in a single step. This so-called quantum parallelism is the next source of the power of a quantum computer. Note, however, that reading the register out yields just one of these values: a quantum algorithm has to arrange the computation so that the wanted value is read out with high probability.
Finally, a phenomenon called entanglement is the most important basis for the power of a quantum computer. Very roughly, if a quantum register is entangled, its qubits can no longer be described independently of each other, so manipulating one of them affects the joint state of the whole register. The importance of entanglement follows from a theorem showing that a quantum algorithm achieving an exponential speedup over a classical algorithm must exploit entanglement [1]. A quantum algorithm is an algorithm that manipulates quantum registers by means of quantum operations (see next section).
Quantum Algorithms
In essence, a quantum operation on a single qubit simply rotates this qubit on the Bloch sphere. Such an individual operation is referred to as a (quantum) gate. A quantum algorithm is a collection of gates that manipulate a quantum register. The corresponding ordered collection of gates is called a (quantum) circuit. Such a circuit begins its manipulation on an initial state of a quantum register and produces the final result state. This result state is (most often) measured, i.e., turned into classical information.
Figure 2: Structure of a Quantum Circuit
Figure 2 depicts a quantum circuit. The horizontal lines represent the qubits of the quantum register, and a black box represents a gate. Two categories of gates suffice to build any circuit [1]: gates that manipulate a single qubit, and one gate (the controlled NOT gate) that manipulates two qubits jointly. The final steps of the circuit are measurements of individual qubits.
There is a plethora of quantum algorithms known. One of the early and famous ones is Grover’s algorithm, which performs an unstructured search with a quadratic speedup over the best classical algorithm [2]. Unstructured search is used to solve a number of problems, so these problems benefit from the speedup. Another important quantum algorithm (Quantum Phase Estimation) determines eigenvalues with an exponential speedup; this also has many applications, e.g. in machine learning and in solving systems of linear equations. For a collection of quantum algorithms see [3]. However, the most famous quantum algorithm is Shor’s algorithm [1],[2]: it offers an exponential speedup in factoring integers and in computing discrete logarithms, which breaks today’s public-key infrastructure (see next section).
The algorithms mentioned above require fault-tolerant quantum computers, i.e., quantum computers whose qubits are stable and whose gates are essentially error free. But today’s quantum computers are error prone: their qubits lose their information after a short period of time, and gates show tiny errors that pile up. Such machines are called NISQ machines [4]: noisy (N), intermediate-scale (IS), i.e., with too few qubits, quantum (Q) computers. NISQ machines pose many restrictions on the algorithms that can be executed on them successfully [5]. In particular, Shor’s algorithm at cryptographically relevant problem sizes cannot be executed on them. But error rates are falling fast and qubit counts are growing [6]. Thus, cryptographically relevant quantum computers (CRQCs) are expected within the foreseeable future.
Quantum Threats on Current Cryptographic Protocols
Peter Shor’s invention of a quantum algorithm that computes the prime factors of an integer with an exponential speedup over the best classical algorithm known today [7] was a major breakthrough in quantum computing. Shor’s algorithm requires on the order of 10,000 error-corrected qubits (which can be realized with a few hundred thousand noisy qubits in recent estimates; the estimate in [9] still needed 20 million) and more than 10^9 operations with very small error rates: its execution requires a quantum computer that was far out of reach at the time the algorithm was invented. But in the meantime, such machines are expected in the foreseeable future [6].
When such a powerful quantum computer is available, all cryptographic protocols based on factorization, like RSA [8], can be broken. For example, RSA-2048 could be cracked within hours [9], whereas the best classical algorithms would need far longer than the age of the universe. As a consequence, the corresponding public-key protocols will no longer be secure, and data encrypted under them (or under session keys established with them) will no longer be confidential.
Also, Shor’s algorithm has a variant that efficiently computes so-called discrete logarithms, i.e., it also breaks elliptic curve cryptography (ECC), whose security is based on the hardness of computing discrete logarithms. ECC was adopted because it offers the same classical security level as factorization-based protocols with much shorter keys. In fact, breaking ECC on a quantum computer needs fewer quantum resources than breaking RSA at a comparable classical security level [10].
Thus, asymmetric cryptography is significantly threatened by quantum computing. Symmetric cryptographic protocols are threatened too, but to a much smaller degree: in principle, a symmetric cipher can be broken by a brute-force attack [11], even on classical computers, and such an attack is an unstructured search. Grover’s algorithm provides only a quadratic speedup over classical search: a brute-force attack on a k-bit key takes about 2^(k/2) quantum operations instead of 2^k classical ones. This means that a chosen security level of a symmetric protocol is maintained against a quantum adversary by doubling the key size (e.g. AES-256 where AES-128 sufficed classically): symmetric protocols are quantum-safe in the sense that the quantum threat is countered by larger keys. Note that there are arguments that, under practical assumptions about the cost and depth of quantum circuits, less than doubling the key size suffices [12].
Post-Quantum Cryptography
The threat to cryptographic protocols posed by quantum algorithms was recognized by the National Institute of Standards and Technology (NIST) in 2016 [17]. NIST started an effort to identify cryptographic protocols that, as far as is known today, can be cracked neither by classical nor by quantum algorithms. The main kind of algorithms identified are based on lattices and module lattices (see sections below). Open source implementations presented in this chapter have been provided by an industry group. These implementations can be used to build quantum-safe applications, as sketched below. For extended details on the content of this chapter see [13].
Lattice-Based Cryptography
Very vaguely, a lattice is a grid of points that is periodically arranged in space (see Figure 3). Mathematically, a lattice is the set of all integer linear combinations of a basis, i.e., of a set of linearly independent vectors. In Figure 3 two bases are shown: the blue one and the red one. As can be seen, one and the same lattice has many different bases that span it.
Figure 3: A Lattice With a Good Basis (blue) and a Bad Basis (red)
A basis of short, pairwise nearly orthogonal vectors is a good basis (e.g. the blue one in Figure 3); a basis of long vectors with small angles between them is a bad basis. Lattice-based cryptographic schemes define a lattice; a good basis becomes the private key and a bad basis becomes the public key. A bad basis is obtained from a good one by multiplying with an integer matrix of determinant ±1 (a unimodular matrix), which leaves the lattice unchanged but makes the basis vectors long and skewed. The schemes rest on the fact that certain computations, such as finding the lattice point closest to a given point, are intractable with a bad basis but efficient with a good one.
Encryption based on lattices, for example, works in principle as follows (for the details refer to [14]): the message m to be encrypted is mapped to a tuple of integers (e.g. by a table that assigns an integer to each character). These integers are used as the coefficients of a linear combination of the vectors of the bad basis: as a result, the message is transformed into a lattice point. Next, a randomly chosen “small” error vector is added to this lattice point, yielding a point outside of the lattice: this point is the encrypted message. Decrypting means determining the lattice point closest to the ciphertext point, a computation that is hard with the bad basis (the public key) but easy with the good basis (the private key) [15]. Once the closest point has been found, it is expressed as a linear combination of the vectors of the bad basis again, and its coefficients are the integers of the original message (the coefficients obtained with respect to the good basis are converted with the secret change-of-basis matrix).
Computing the lattice point closest to an arbitrary given point (the closest vector problem, CVP) is NP-hard in its exact form [16], i.e., it is a really hard problem. Two caveats matter for cryptography: NP-hardness is a worst-case statement, whereas a cryptosystem needs the problem to be hard on average for the keys it actually generates; and practical schemes rely on approximate variants of such problems in specially structured lattices. It is generally believed (but: see next section!) that the corresponding computations can be performed efficiently neither by a classical nor by a quantum algorithm. As a consequence, lattice-based cryptography is assumed to be quantum-safe, i.e., cryptographic protocols based on these lattice problems are not expected to be broken by quantum or classical computers; this is an assumption backed by analysis, not a theorem.
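The encryption sketch above can be run end to end in two dimensions. The following is an added, constructed toy (a GGH-style scheme; it is not code from this white paper, from [14], or from any WSO2 product, and the bases, the unimodular matrix and the message are chosen for illustration): the good basis is the private key, the bad basis derived from it by a unimodular transform is the public key, encryption adds a small error to a lattice point, and decryption uses Babai’s rounding with the good basis. Running the same rounding with the bad basis lands on the wrong lattice point. In two dimensions the good basis can of course be recovered by lattice reduction; real schemes work in hundreds of dimensions, which is what makes the problem hard.

```python
from fractions import Fraction

# Constructed toy: two-dimensional GGH-style lattice encryption.
# Bases are tuples of row vectors.
GOOD_BASIS = ((5, 1), (-1, 5))        # short, orthogonal vectors: the private key
# An integer matrix with determinant 1 (unimodular) maps the good basis to a bad
# one spanning exactly the same lattice: the public key.
UNIMODULAR = ((3, 4), (2, 3))


def det2(m):
    (a, b), (c, d) = m
    return a * d - b * c


def combine(basis, coeffs):
    """Return x*b1 + y*b2 for basis (b1, b2) and coefficients (x, y)."""
    (x, y), ((a, b), (c, d)) = coeffs, basis
    return (x * a + y * c, x * b + y * d)


def coordinates(basis, point):
    """Exact coefficients (x, y) with point = x*b1 + y*b2 (Cramer's rule)."""
    (a, b), (c, d) = basis
    px, py = point
    det = det2(basis)
    return (Fraction(px * d - py * c, det), Fraction(a * py - b * px, det))


def make_public_basis(good_basis, unimodular):
    """Bad basis = unimodular * good basis; det +-1 keeps the lattice unchanged."""
    assert det2(unimodular) in (1, -1), "transform must be unimodular"
    return tuple(combine(good_basis, row) for row in unimodular)


def closest_vector(basis, target):
    """Babai's rounding: express target in the basis and round each coordinate.
    This finds the nearest lattice point for small errors only when the basis
    is short and nearly orthogonal, i.e. only with the good basis."""
    x, y = coordinates(basis, target)
    return combine(basis, (round(x), round(y)))


def encrypt(public_basis, message, error):
    """message: pair of integers used as coefficients of the public basis;
    error: small integer vector that pushes the point off the lattice."""
    lattice_point = combine(public_basis, message)
    return (lattice_point[0] + error[0], lattice_point[1] + error[1])


def decrypt(private_basis, public_basis, ciphertext):
    """Find the nearest lattice point with the private basis, then read the
    message off as that point's coefficients in the public basis."""
    nearest = closest_vector(private_basis, ciphertext)
    x, y = coordinates(public_basis, nearest)
    assert x.denominator == 1 and y.denominator == 1, "not a lattice point"
    return (int(x), int(y))


BAD_BASIS = make_public_basis(GOOD_BASIS, UNIMODULAR)   # ((11, 23), (7, 17))

if __name__ == "__main__":
    msg = (3, -2)
    ct = encrypt(BAD_BASIS, msg, error=(1, -1))
    print("ciphertext:", ct)                                            # (20, 34)
    print("decryption with good basis:", decrypt(GOOD_BASIS, BAD_BASIS, ct))  # (3, -2)
    # An attacker holding only the public (bad) basis and applying the same
    # rounding step lands on the wrong lattice point:
    print("rounding with bad basis:", decrypt(BAD_BASIS, BAD_BASIS, ct))      # (4, -3)
```

The error vector must be small relative to the good basis: with the basis above, any error whose components are in {-1, 0, 1} still rounds to the correct lattice point, which is the “small vector” condition of the sketch.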
NIST Activities
Identifying quantum-safe algorithms and standardizing them is referred to as the post-quantum cryptography (PQC) effort. The National Institute of Standards and Technology (NIST) is running such an effort in several rounds [17]: in each round, algorithms are submitted to NIST and evaluated as to whether they can really be considered quantum-safe; those that pass are kept as candidates for the next round, and finally some of them are standardized. The current round is the fourth round (see [18] and [19] for information on the individual rounds).
It is important to note that the resulting standards are considered quantum-safe on the basis of current knowledge. There is no guarantee that they really are, because that would require a formal proof for mathematically extremely hard problems [20]. For example, an attack on SIKE, one of the fourth-round candidates, was published shortly after its selection was announced, and it had to be withdrawn [21].
This emphasizes the importance of what is called crypto-agility [22]: a quantum-safe cryptographic infrastructure must be built so that implementations of algorithms that have been broken can be switched off and, where possible, replaced by implementations of algorithms that have not been broken. This is why several algorithms considered quantum-safe are being standardized rather than a single one.
Module-Lattice-Based Cryptography
The main candidates identified by NIST for standardization are lattice-based algorithms. Mathematically, these algorithms use lattices that go beyond what we sketched above: instead of living in a vector space, the lattice points are contained in a so-called module. A module is defined in full analogy to a vector space, but instead of the elements of a field (like the real or complex numbers) the scalars come from a ring. A ring is nearly a field, except that its elements in general have no multiplicative inverse, i.e., there is no 1/x for an element x. For example, the integers form a ring: for an integer z (z ≠ 0, 1, -1) the fraction 1/z is not an integer; otherwise, addition and multiplication of integers work as usual.
Not only numbers form rings: for example, the set of polynomials in a variable X with coefficients in a ring R forms another ring, denoted by R[X]. As a reminder, a polynomial has the following structure:
Polynomials can be added and multiplied, i.e., from this perspective they behave just like numbers. Modules over such polynomial rings (with the polynomials reduced modulo a fixed polynomial so that their degree stays bounded) are the basis for the lattices (consequently called module lattices) used by the two schemes Kyber [23] and Dilithium [24], which NIST has standardized as ML-KEM and ML-DSA (see the FIPS standards cited below). These module-lattice-based protocols are considered quantum-safe, i.e., neither classical nor quantum algorithms are known that break them. Kyber is a key encapsulation mechanism (KEM): the sender uses the recipient’s public key to produce a ciphertext together with a shared secret, and the recipient recovers that secret with its private key; in TLS it plays the role that (elliptic-curve) Diffie-Hellman plays today (see below). Dilithium is a digital signature scheme, like the algorithms of the Digital Signature Standard [25].
Open Source Implementations
Implementations of the main standards produced by NIST’s post-quantum cryptography effort are available as open source software. This software is maintained by a group of companies and universities called the Post-Quantum Cryptography Alliance (PQCA) [26]. The alliance runs a project referred to as Open Quantum Safe (OQS) [27] with two streams of work: the first provides an open source C library named liboqs [28] implementing several quantum-safe algorithms, in particular ML-KEM (Kyber) and ML-DSA (Dilithium); the second integrates these implementations into communication stacks such as TLS and SSH (e.g. as a provider for OpenSSL).
Sample Application: TLS
Transport Layer Security (TLS) is a protocol for the secure exchange of data over the internet. When a client initiates its communication with a server, a public-key mechanism is used to agree on a symmetric key. This symmetric key (more precisely, keys derived from it) protects the messages exchanged for the whole session. In the simplest form (see Figure 4) the client generates a random number that directly serves as the shared secret and sends it encrypted under the server’s public key (RSA key transport); a corresponding plugin provides the random number generator for this purpose. As an alternative, the Diffie-Hellman key exchange mechanism is used in TLS to agree on the shared secret; TLS 1.3 has dropped RSA key transport and only uses (elliptic-curve) Diffie-Hellman with ephemeral keys.
Figure 4: Use of Plugins in TLS & HTTPS
To become quantum-safe, a TLS stack can negotiate a Kyber-based (ML-KEM) key exchange, in practice the hybrid X25519+Kyber768 group described below, so that the session keys can no longer be recovered with Shor’s algorithm. In turn, HTTPS (i.e., HTTP on top of TLS) inherits this protection. Note that the authentication of the server still relies on classical certificate signatures: this is acceptable against “Harvest Now, Decrypt Later” attacks on recorded traffic, but not against an active attacker equipped with a future quantum computer (see the remarks on digital signatures below).
Call to Action: Migration to PQC
In this section we motivate why an organization should set up an effort to understand the cryptographic threat implied by quantum computers and to set up a plan when and how to build on quantum-safe cryptography.
Harvest Now, Decrypt Later
A potential adversary may capture encrypted data today, store it, and decrypt it later by means of a quantum computer. This threat is referred to as “Harvest Now, Decrypt Later” [29], sometimes also as “Store Now, Decrypt Later”. Obviously, not only corporate data is threatened but also data of government organizations. To address this threat, the US government, for example, enacted the Quantum Computing Cybersecurity Preparedness Act [30] to help agencies migrate to post-quantum cryptography.
To defeat this threat a strategy is needed: familiarity with quantum computing in general is recommendable; understanding how quantum algorithms threaten existing cryptographic infrastructures is a must; an inventory of one’s own use of vulnerable cryptography is key; gaining experience with implementations of post-quantum algorithms is important; and finally, the migration to a quantum-safe infrastructure must be planned.
The timeline of this effort can be roughly assessed based on the inequality explained next.
Mosca’s Inequality
Most organizations have data that must be protected against unauthorized access for a certain period of time. Let this time be TProtect (Figure 5). To ensure that this data is still secure once quantum computers are powerful enough to break today’s encryption, an organization must migrate to a quantum-safe crypto infrastructure. This migration takes time, referred to as TMigration in Figure 5; obviously, this time depends on the resources an organization spends on the effort. The time until quantum computers exist that can break today’s cryptographic protocols is denoted by TCollapse.
Figure 5: Mosca’s Inequality
Data produced right after the migration has completed, i.e., at time TMigration, must be kept confidential for TProtect, so it must not be breakable by a quantum computer before TMigration + TProtect. If TCollapse comes earlier, unauthorized access to this data is possible. As a consequence, an organization is in trouble if TMigration + TProtect > TCollapse: this is Mosca’s inequality [31]. It determines when an organization must begin migrating to a quantum-safe infrastructure. Note that data encrypted before the migration completes is exposed as well if an adversary has recorded it: this is exactly the “Harvest Now, Decrypt Later” scenario above.
The organization controls the migration time TMigration and has its own requirements on TProtect, i.e., TMigration + TProtect is organization specific. But TCollapse is outside the organization’s control: it depends on the progress of the vendors of quantum computers. Let’s assume that a quantum computer that can break today’s cryptographic protocols is available in 10 years, i.e., TCollapse = 10. If the organization needs to protect its data for 10 years (TProtect = 10), then TMigration + 10 > 10 holds for any migration time greater than zero, i.e., the migration must begin immediately and enough resources must be spent to keep the migration time as short as possible.
Quantum Safe WSO2
In response to the escalating challenges posed by advances in quantum computing that threaten existing cryptographic systems, we have initiated a strategic transition to incorporate PQC into all applicable WSO2 products. This proactive shift is meant to keep our security measures ahead of the threat, safeguarding our clients’ data with quantum-resistant cryptography.
The migration to PQC in WSO2 products is being done in a series of phases. In the first phase, we focus on delivering Quantum Safe Ballerina and WSO2 Identity Server. The sections below discuss the upgrades and post-quantum security aspects of these products.
Ballerina
As one of the world’s first programming languages to have inbuilt quantum safe mechanisms, Ballerina now supports quantum-secured communications and provides language support for implementing your own PQC use cases.
Service to Service Communication
Ballerina supports service-to-service communication over various protocols, including HTTPS, MQTT, gRPC, and GraphQL, all of which run over TLS. TLS controls how data is protected in transit: the data itself is encrypted with symmetric session keys, but those keys are established with a public-key step (RSA key transport or Diffie-Hellman over elliptic curves) that Shor’s algorithm can break. A recorded TLS session can therefore be decrypted once a CRQC exists, which is exactly the “Harvest Now, Decrypt Later” threat.
With the latest release, Ballerina Swan Lake Update 9 [32], Ballerina service-to-service communication can be made quantum safe. To guard against quantum threats while retaining the trusted security of classical cryptography, we have integrated built-in support for the X25519+Kyber768 hybrid key agreement [33] (the TLS 1.3 named group X25519Kyber768Draft00) in all inbound and outbound communications. The resulting shared secret depends on both an X25519 exchange and a Kyber768 encapsulation, so an attacker has to break both. This means that TLS 1.3 communication between Ballerina services (as well as with external parties supporting X25519+Kyber768) is post-quantum secured. Figure 6 shows the different types of TLS communications supported by Ballerina components. Both traditional and quantum-safe TLS are supported. Ballerina servers and clients can be configured to prefer the hybrid group and fall back to a classical group if the other party does not support it; in TLS 1.3 this fallback is part of the normal negotiation of supported groups, so a practitioner should confirm which group was actually negotiated (e.g. by inspecting the handshake in a packet capture) rather than relying on configuration alone.
Figure 6: Supported TLS communications in Ballerina components
Language level support for post-quantum algorithms
With Ballerina Swan Lake Update 9 [32], support for post-quantum secure end-to-end encryption and post-quantum secure digital signatures has been added. We support the NIST round-3 finalists Kyber and Dilithium in the form in which NIST has now standardized them as FIPS (Federal Information Processing Standards) [34]:
- ML-KEM-768/Kyber-768 (FIPS 203 [35])
- ML-DSA-65/Dilithium-3 (FIPS 204 [36])
By integrating native support for these post-quantum algorithms, we have opened up new possibilities for developers within Ballerina. In addition to production-grade functionality, the platform also serves as a crypto playground for experimenting with these advances in post-quantum cryptography. Developers can explore PQC, test various use cases, and implement their own quantum-secure applications using the Ballerina Crypto module [37].
Additionally, the Crypto module provides combined algorithms that pair traditional methods with post-quantum techniques. The post-quantum algorithms (Q) should be used in conjunction with classical algorithms (C) until they have accumulated the cryptanalytic track record and industry trust that the classical ones have. The algorithms can be applied in parallel (C + Q) or sequentially (C.Q) to produce a result that is at least as secure as the classical algorithm alone. In Swan Lake Update 9, we added a C + Q key encapsulation mechanism and a C + Q hybrid public-key encryption (HPKE) scheme. HPKE combines a KEM, a key derivation function and a symmetric cipher: the KEM establishes a shared secret under the recipient’s public key, the KDF derives a symmetric key from it, and that key encrypts the actual data, which removes the input-length limitation of asymmetric encryption. The following algorithms are included in the new Ballerina Crypto module [37]:
- RSA-KEM-ML-KEM-768 key encapsulation mechanism (RSA + ML-KEM) [38]
- ML-KEM-768 hybrid public-key encryption (ML-KEM + HKDF-SHA256 + AES) [39]
- RSA-KEM-ML-KEM-768 hybrid public-key encryption (RSA + ML-KEM + HKDF-SHA256 + AES) [40]
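The parallel (C + Q) combination and the KEM + HKDF-SHA256 step of HPKE both come down to one key-derivation step that takes the outputs of the component KEMs. This page does not specify the combiner used inside the Ballerina functions listed above, so the following is an added illustration, not Ballerina’s code: it implements HKDF-SHA256 (RFC 5869) with the Python standard library, checks it against the first test vector of that RFC, and derives a 32-byte key from a classical and a post-quantum shared secret while binding both ciphertexts into the derivation context. The shared secrets and ciphertexts are constructed stand-ins for what RSA-KEM and ML-KEM-768 encapsulation would return; the label and the length-prefixed layout are my choices for the example. (The TLS hybrid X25519Kyber768 instead concatenates the two shared secrets and hands them to the TLS key schedule.)

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size   # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated."""
    assert 0 < length <= 255 * HASH_LEN
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def _lv(data: bytes) -> bytes:
    """Length-prefix a field so that concatenated fields cannot be re-split ambiguously."""
    return len(data).to_bytes(4, "big") + data


def combine_kem_secrets(ss_classical: bytes, ct_classical: bytes,
                        ss_pq: bytes, ct_pq: bytes,
                        label: bytes = b"hybrid-kem-demo") -> bytes:
    """Parallel (C + Q) combiner, an assumed construction for this example:
    both shared secrets feed the HKDF input keying material and both
    ciphertexts are bound into the context. The derived key stays secret as
    long as either KEM is unbroken, and a ciphertext of one component cannot
    be swapped for another without changing the key."""
    ikm = _lv(ss_classical) + _lv(ss_pq)
    info = _lv(label) + _lv(ct_classical) + _lv(ct_pq)
    return hkdf(ikm, b"", info, 32)


def rfc5869_test_case_1() -> str:
    """Reproduce RFC 5869 Test Case 1 (SHA-256) and return the OKM as hex."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    return hkdf(ikm, salt, info, 42).hex()


# Constructed stand-ins for the outputs of a classical KEM (RSA-KEM) and of
# ML-KEM-768; in a real deployment they come from the encapsulate() calls.
SS_RSA = hashlib.sha256(b"constructed RSA-KEM shared secret").digest()
CT_RSA = hashlib.sha256(b"constructed RSA-KEM ciphertext").digest()
SS_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 shared secret").digest()
CT_MLKEM = hashlib.sha256(b"constructed ML-KEM-768 ciphertext").digest()


def demo_key() -> bytes:
    """The hybrid key both parties derive from the constructed KEM outputs."""
    return combine_kem_secrets(SS_RSA, CT_RSA, SS_MLKEM, CT_MLKEM)


if __name__ == "__main__":
    print("RFC 5869 TC1 OKM:", rfc5869_test_case_1())
    print("hybrid key:", demo_key().hex())
    # An attacker who has broken RSA with Shor's algorithm knows SS_RSA but
    # not SS_MLKEM, and therefore does not obtain the key:
    attacker = combine_kem_secrets(SS_RSA, CT_RSA, b"\x00" * 32, CT_MLKEM)
    print("attacker without ML-KEM secret recovers key:", attacker == demo_key())
```

The 32-byte output is what the symmetric stage of an HPKE-style construction (HKDF-SHA256 + AES in the Ballerina functions above) would consume as its data-encryption key; the example stops at the derived key because the point of the passage is how the classical and post-quantum parts are combined.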
By leveraging the strengths of both worlds, you can create robust encryption solutions that offer protection for your data.
WSO2 Identity Server
WSO2 Identity Server is WSO2’s IAM product and the starting point of our PQC effort. Our work to incorporate PQC mechanisms into WSO2 Identity Server covers the following security use cases in the product.
HTTPS communication
Similar to Ballerina’s approach, we integrated a post-quantum key encapsulation mechanism [41] alongside a traditional key exchange algorithm [42] into WSO2 Identity Server to enhance the security of TLS communications. WSO2 Identity Server 7.0 comes with a quantum-secure TLS mode which can be enabled when required. Those who prioritize this additional protection can enable the mode to use post-quantum secure TLS with both classical X25519 and post-quantum Kyber [23] for inbound communication. The mode is activated via a script which installs the additional libraries that provide quantum-safe HTTPS support [43].
For outbound HTTPS communication, the development effort to upgrade the network clients within the WSO2 Identity Server that initiate network requests with external entities is still underway. This feature is expected in a future release of WSO2 Identity Server.
Encryption for Storage
Ever since the release of WSO2 Identity Server 5.11.0, the default internal encryption scheme has been AES-128 symmetric encryption, which is considered quantum safe in the sense explained above [44],[45]: Grover’s algorithm reduces its effective strength against a quantum adversary from 128 to roughly 64 bits in the idealized model, which is NIST’s lowest post-quantum security category. Recent research indicates that this first level of security in AES may become vulnerable to quantum attacks [46]. To improve security, the next release of WSO2 Identity Server will support AES-256, and a tool will be provided to facilitate migration to this stronger setting.
Additionally, the RSA encryption currently used for encrypting configuration secrets will be replaced with AES-256 symmetric encryption in the upcoming WSO2 Identity Server release.
E2E Encryption
End-to-end encryption (E2E encryption) is a method of secure communication in which data remains inaccessible to third parties as it is transferred between systems. Data is asymmetrically encrypted within WSO2 Identity Server and only the recipient is able to decrypt it, ensuring that no intermediary can access the sensitive information.
To guard against future quantum threats, we are moving towards post-quantum secure asymmetric encryption. Given that quantum-safe algorithms have not yet gained widespread industry trust, we use them alongside established classical methods. We are implementing the FIPS-standardized ML-KEM (Kyber) algorithm, which is well suited to post-quantum security and combines efficiently with block ciphers [47]. In contrast, traditional asymmetric algorithms like RSA and ECC offer no protection against quantum attacks and, when used for bulk data, have performance limitations compared to block ciphers [48].
Hence, we are implementing a Hybrid Public Key Encryption (HPKE) algorithm using both classical and post-quantum algorithms for asymmetric encryption use cases. HPKE is a cryptographic protocol that combines asymmetric and symmetric algorithms in a single transaction for key encapsulation and data encryption respectively.
The WSO2 Identity Server will eventually incorporate post-quantum secure HPKE for use cases such as token encryption and event payload encryption. This feature is currently under development and will be released in a future release of WSO2 Identity Server.
Hashing
Hashing of all sensitive data in WSO2 Identity Server is done with the SHA-256 algorithm by default, which is considered post-quantum secure: Grover’s algorithm reduces the cost of a preimage search from 2^256 to about 2^128 operations, and quantum collision attacks are known only for reduced-round variants [49],[50]. However, similar to the concerns about AES-128, SHA-256 may come under further quantum pressure in the future, so a migration scheme for hashed sensitive information will be implemented in due time. Additionally, even security-non-intensive use cases will be migrated to SHA-256 hashing, ensuring a consistent approach across all data processing activities.
Digital signatures
Digital signatures provide integrity and non-repudiation in digital communications, which is crucial for ensuring data authenticity and preventing denial of involvement. Signatures become forgeable once a CRQC exists, but a signature that has already been verified cannot be exploited retroactively by recording it, so they are not exposed to “Harvest Now, Decrypt Later”; the exception is signatures that must still be verified far in the future (e.g. long-term archives). Therefore, we will shift our focus to post-quantum secure digital signatures once the previous use cases have been secured.
WSO2 API Manager
The WSO2 API Manager will also inherit post-quantum features from the WSO2 Identity Server to address future quantum threats. The next release of the WSO2 API Manager will include enhancements such as post-quantum secure inbound HTTPS communication and updated encryption for configuration secrets.
WSO2 PQC Roadmap
In the fourth quarter of 2024, our efforts will be concentrated on advancing PQC (Post-Quantum Cryptography) capabilities. We will integrate PQC algorithm support specifically for outbound communications and end-to-end encryption within the WSO2 Identity Server.
Looking beyond Q4 2024, we plan to extend the implementation of PQC applications across other WSO2 products, including Micro Integrator (MI), WSO2 API Manager (APIM), Asgardeo, Open Banking (OB), and Choreo.
References
- Nielsen, M. A.; Chuang, I. L.: Quantum Computation and Quantum Information. Cambridge University Press (2016).
- Rieffel, E.; Polak, W.: Quantum Computing: A Gentle Introduction. The MIT Press (2011).
- The Quantum Algorithm Zoo. https://quantumalgorithmzoo.org/
- Preskill, J.: Quantum Computing in the NISQ era and beyond. Quantum 2, 79 (2018).
- Leymann, F.; Barzen, J.: The bitter truth about gate-based quantum algorithms in the NISQ era. Quantum Science and Technology, IOP Publishing (2020).
- Scholten, T. L.; Williams, C. J.; Moody, D.; Mosca, M.; Hurley, W.; Zeng, W. J.; Troyer, M.; Gambetta, J. M.: Assessing the Benefits and Risks of Quantum Computers. arXiv:2401.16317v2 (2024).
- Shor, P. W.: Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 26(5) (1997).
- Rivest, R.; Shamir, A.; Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Comm. ACM 21(2) (1978).
- Gidney, C.; Ekerå, M.: How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum 5, 433 (2021).
- Roetteler, M.; Naehrig, M.; Svore, K. M.; Lauter, K.: Quantum resource estimates for computing elliptic curve discrete logarithms. https://arxiv.org/abs/1706.06752 (2017).
- Bernstein, D. J.: Understanding brute force. Semantic Scholar CorpusID:14001363 (2005).
- Fluhrer, S.: Reassessing Grover’s Algorithm. Cryptology ePrint Archive, Paper 2017/811 (2017).
- Barzen, J.; Leymann, F.: Post-Quantum Security: Origin, Fundamentals, and Adoption. https://arxiv.org/abs/2405.11885 (2024).
- Micciancio, D.; Regev, O.: Lattice-based Cryptography. In: Bernstein, D. J.; Buchmann, J.; Dahmen, E. (eds.): Post-Quantum Cryptography. Springer (2009).
- Zheng, Z.: Modern Cryptography, Volume 1. Springer (2022).
- Manohar, N.: Hardness of Lattice Problems for Use in Cryptography. Harvard University, Cambridge, Massachusetts (2016).
- Chen, L.; Jordan, S.; Liu, Y.; Moody, D.; Peralta, R.; Perlner, R.; Smith-Tone, D.: Report on Post-Quantum Cryptography. NISTIR 8105 (2016).
- Post-Quantum Cryptography. NIST CSRC. https://csrc.nist.gov/projects/post-quantum-cryptography
- NIST Post-Quantum Cryptography Standardization. Wikipedia. https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_Standardization
- NTRU Prime Risk-Management Team: Risks of lattice KEMs. NTRU Prime (2021).
- SIKE, once a post-quantum encryption contender, is KO’d in NIST smackdown. Ars Technica (2022). https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
- Macaulay, T.; Henderson, R.: Cryptographic Agility in Practice. InfoSec Global.
- Kyber. https://pq-crystals.org/kyber/index.shtml
- Dilithium. https://pq-crystals.org/dilithium/index.shtml
- National Institute of Standards and Technology: FIPS 186-5 Digital Signature Standard (DSS). https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf (2023).
- Post-Quantum Cryptography Alliance. https://pqca.org
- Open Quantum Safe. https://openquantumsafe.org
- liboqs | Open Quantum Safe. https://openquantumsafe.org/liboqs/
- Harvest Now, Decrypt Later. Qrypt. https://www.qrypt.com/resources/harvest-now-decrypt-later/
- Quantum Computing Cybersecurity Preparedness Act, H.R. 7535, 117th Congress (2022). https://www.govinfo.gov/app/details/BILLS-117hr7535enr/
- Mosca, M.; Piani, M.: Quantum Threat Timeline Report. Global Risk Institute (2023).
- Ballerina Swan Lake Update 9 release notes. https://ballerina.io/downloads/swan-lake-release-notes/swan-lake-2201.9.0
- Westerbaan, B.; Stebila, D.: X25519Kyber768Draft00 hybrid post-quantum key agreement. IETF Internet-Draft draft-tls-westerbaan-xyber768d00 (2024). https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00
- NIST Releases First 3 Finalized Post-Quantum Encryption Standards (2024). https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
- National Institute of Standards and Technology: FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.pdf (2024).
- National Institute of Standards and Technology: FIPS 204 Module-Lattice-Based Digital Signature Standard. https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf (2024).
- Ballerina crypto module (v2.7.2). Ballerina Central. https://central.ballerina.io/ballerina/crypto/2.7.2
- Ballerina crypto module: encapsulateRsaKemMlKem768. https://central.ballerina.io/ballerina/crypto/latest#encapsulateRsaKemMlKem768
- Ballerina crypto module: encryptMlKem768Hpke. https://central.ballerina.io/ballerina/crypto/latest#encryptMlKem768Hpke
- Ballerina crypto module: encryptRsaKemMlKem768Hpke. https://central.ballerina.io/ballerina/crypto/latest#encryptRsaKemMlKem768Hpke
- Key encapsulation mechanism. Wikipedia. https://en.wikipedia.org/wiki/Key_encapsulation_mechanism
- Key exchange. Wikipedia. https://en.wikipedia.org/wiki/Key_exchange
- Configure post-quantum TLS. WSO2 Identity Server documentation. https://is.docs.wso2.com/en/latest/deploy/security/configure-post-quantum-tls/#enable-post-quantum-tls
- Bonnetain, X.; Naya-Plasencia, M.; Schrottenloher, A.: Quantum Security Analysis of AES. HAL (2019).
- Baksi, A.; Jang, K.: Quantum Analysis of AES. In: Computer Architecture and Design Methodologies, pp. 51–90 (2024).
- Wang, Z.; Wei, S.; Long, G.; Hanzo, L.: Variational quantum attacks threaten advanced encryption standard based symmetric cryptography. Science China Information Sciences 65(10) (2022).
- American Binary: Kyber Drive: The World’s First & Only Lattice-Based Post-Quantum Disk Encryption Solution. https://www.ambit.inc/pdf/KyberDrive.pdf (2023).
- Singh, S.; Khan, A. K.; Singh, S. R.: Performance evaluation of RSA and elliptic curve cryptography. IEEE (2016).
- Fernández-Caramés, T.; Fraga-Lamas, P.: Towards Post-Quantum Blockchain: A Review on Blockchain Cryptography Resistant to Quantum Computing Attacks. IEEE (2022).
- Hosoyamada, A.; Sasaki, Y.: Quantum collision attacks on reduced SHA-256 and SHA-512. Lecture Notes in Computer Science, pp. 616–646 (2021).