
International Journal of Applied Engineering Research, ISSN 0973-4562, Volume 14, Number 11 (2019), pp. 2608-2615
© Research India Publications. http://www.ripublication.com

A Survey on Post-Quantum Cryptography for Constrained Devices

Kumar Sekhar Roy and Hemanta Kumar Kalita

Abstract

The rise of quantum computers in recent years has given a major setback to classical and widely used cryptography schemes such as the RSA (Rivest-Shamir-Adleman) algorithm and ECC (Elliptic Curve Cryptography). RSA and ECC depend on the integer factorization problem and the discrete logarithm problem respectively, both of which can be solved efficiently by a quantum computer of sufficient size running Shor's algorithm. Cryptography schemes that are hard to break on both classical and quantum computers therefore need to be evaluated. In this paper we provide a rigorous survey of post-quantum cryptography schemes and emphasise their applicability to providing security in constrained devices. We give a detailed overview of the schemes that could replace RSA and ECC for security in constrained devices.

Keywords: PQC (Post-Quantum Cryptography), IoT (Internet of Things), RSA (Rivest-Shamir-Adleman) algorithm, ECC (Elliptic Curve Cryptography), Ring-LWE (Learning with Errors over rings), AES (Advanced Encryption Standard), constrained devices.

1 INTRODUCTION

The arrival of quantum computers has raised an immediate need for viable replacements of classical and widely used cryptography schemes that depend on the integer factorization problem and the discrete logarithm problem, such as RSA and ECC. Quantum computers were largely theoretical until 2015, when NASA and Google publicly demonstrated a D-Wave quantum annealer; quantum annealers are not general-purpose quantum computers and cannot run Shor's algorithm, but there have been several advances in the field since then. Quantum computers differ from traditional binary electronic computers in several aspects. Conventional digital computation uses data in the form of definite binary digits, each of which is in one of the states 0 or 1, whereas quantum computation uses quantum bits (qubits), which can be in a superposition of states, i.e. there is no definite state. This gives quantum computers an advantage over classical computers for certain kinds of computation that are infeasible on classical machines. One such algorithm is Shor's algorithm, proposed by Peter Shor in his paper "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer" [1]. Shor's algorithm solves the integer factorization problem used by RSA and the discrete logarithm problem used by ECC in polynomial time on a sufficiently large quantum computer, which makes cryptosystems based on these two problems obsolete. These advances have raised a genuine need to develop cryptosystems that can serve as viable replacements for the traditionally used cryptosystems vulnerable to quantum computer based attacks. Since the arrival of IoT, the cyber security scenario has shifted towards security schemes that are lightweight in terms of computational complexity, power consumption, memory consumption etc. These schemes also need to be secure against all known attacks. Most of the recently proposed schemes for constrained devices use RSA or ECC.

Table 1: Post-quantum cryptography

Sl no. | Family | Algorithm
1 | Lattice based cryptography | NTRU, Ring-LWE, BLISS
2 | Multivariate cryptography | Rainbow
3 | Hash based cryptography | Lamport signature, Merkle signature
4 | Code based cryptography | McEliece, Niederreiter

As mentioned earlier, these schemes are not secure against attacks by quantum computers. In our research we therefore evaluate the cryptosystems that are not vulnerable to quantum computer based attacks, popularly known as post-quantum cryptography. We evaluate the post-quantum cryptographic algorithms following the suggestions made in the Report on Post-Quantum Cryptography by NIST [3].

2 LITERATURE REVIEW

NIST as well as several authors have suggested several post-quantum cryptosystems that could replace RSA and ECC [6] [3] [7]. In this section we explore and critically review these cryptosystems.

Kumar Sekhar Roy and Hemant Kumar Kalita are with the Department of Information Technology,
North Eastern Hill University, Shillong, Meghalaya, 793022, India.


2.1 Multivariate cryptography

These schemes are based on multivariate polynomials over a finite field F, defined either over the ground field or over an extension field. Solving a system of such polynomials (the MQ problem) is NP-hard (NP-complete in its decision version), so multivariate schemes are strong contenders for post-quantum cryptography. Multivariate cryptography has one very important advantage: it produces very short signatures [19], which serve the purpose of authentication in small devices.

2.1.1 Rainbow

J. Ding and D. Schmidt in 2005 proposed a new multivariate signature scheme called Rainbow [2]; more specifically, the scheme builds on the Oil and Vinegar schemes [4] [5].

The scheme uses the following principle. Let K be a finite field, K = GF(2^8), and let S be the set {1, ..., n}. Let v1, ..., v(u+1), u ≥ 1, be integers with 0 < v1 < v2 < ... < vu < v(u+1) = n. Define the sets S_i = {1, ..., v_i} for i = 1, ..., u, and let o_i = v(i+1) − v_i and O_i = {v_i + 1, ..., v(i+1)} (i = 1, ..., u). Then |S_i| = v_i and |O_i| = o_i. For k = v1 + 1, ..., n, multivariate quadratic polynomials f_k in the n variables x1, ..., xn are defined as Oil and Vinegar polynomials, where l is the unique integer such that k ∈ O_l: the x_i with i ∈ S_l are the Vinegar variables and the x_j with j ∈ O_l are the Oil variables (Oil variables are never multiplied with each other). The map F(x) = (f(v1+1)(x), ..., f_n(x)) can be inverted as follows. First, x1, ..., x(v1) are chosen at random. This gives a system of o1 linear equations (given by the polynomials f_k, k ∈ O_1) in the o1 unknowns x(v1+1), ..., x(v2), which is solved by Gaussian elimination. The values x_i (i ∈ O_1) are then substituted into the polynomials f_k(x) (k > v2), which yields a system of o2 linear equations (given by the polynomials f_k, k ∈ O_2) in the o2 unknowns x_i (i ∈ O_2). Repeating this process gives values for all variables x_i (i = 1, ..., n).

Key generation:
1) The private key consists of two invertible affine maps L1: K^m → K^m and L2: K^n → K^n and the map F = (f(v1+1)(x), ..., f_n(x)).
2) Here m = n − v1 is the number of components of F.
3) The public key consists of the field K and the composed map P(x) = L1 ∘ F ∘ L2(x): K^n → K^m.

Signature:
1) To sign a document d, we use a hash function h: K* → K^m to compute the value h = h(d) ∈ K^m.
2) Then we compute recursively x = L1^(-1)(h), y = F^(-1)(x) and z = L2^(-1)(y).
3) The signature of the document is z ∈ K^n.
4) Here F^(-1)(x) means finding one (of the possibly many) pre-images of x.

Signature verification:
1) To verify a signature z, compute h' = P(z).
2) Compute the hash value h = h(d) of the document.
3) If h' = h holds, the signature is accepted, otherwise it is rejected.

2.2 Lattice based cryptography

Lattices are geometric objects that have evolved into a major player in cryptography. No sub-exponential classical or quantum attacks are known against the lattice problems on which these schemes rest. Hard mathematical problems related to lattices were first suggested as the basis for cryptography about two decades ago. Lattices themselves were first studied by mathematicians such as Joseph Louis Lagrange and Carl Friedrich Gauss, but Miklós Ajtai first showed, in a seminal result, how to build a cryptosystem on them [8]. A lattice L is a discrete set of points in the n-dimensional Euclidean space R^n with a strong periodicity property.

A basis of L is a set of linearly independent vectors such that every element of L is uniquely represented as an integer linear combination of them. Each lattice has infinitely many different bases when n is at least 2. All lattices in R^n have infinitely many elements, whereas in cryptography the ciphertext, public key and private key must be chosen from a finite space (bit strings of some fixed length), which is why lattice-based schemes work with vectors reduced modulo an integer q.

2.2.1 NTRU

The first version of the system was developed by the mathematicians Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman [20] in 1996 and was called NTRU. In our survey we consider the latest variant of NTRU, NTRU Prime [23], proposed by Bernstein et al. in 2016. They argue that their variant is stronger than the original NTRU because it removes unnecessary algebraic structure: it works in the ring R = Z[x]/(x^p − x − 1) with p prime, and R/3 and R/q below denote this ring with coefficients reduced modulo 3 and modulo q. An element of R is small if all its coefficients lie in {−1, 0, 1}, and t-small if it is small with exactly 2t non-zero coefficients. The algorithm is as follows.

Key generation:
The receiver generates a public key as follows:
1) Generate a uniform random small element g ∈ R. Repeat this step until g is invertible in R/3.
2) Generate a uniform random t-small element f ∈ R. (Note that f is nonzero and hence invertible in R/q, since t ≥ 1.)
3) Compute h = g/(3f) in R/q. (By assumption q is a prime larger than 3, so 3 is invertible in R/q, so 3f is invertible in R/q.)
4) Encode h as a string h'. The public key is h'.
5) Save the following secrets: f in R, and 1/g in R/3.

Encryption:
The sender generates a ciphertext as follows:
1) Decode the public key h', obtaining h ∈ R/q.
2) Generate a uniform random t-small element r ∈ R.
3) Compute hr ∈ R/q.


4) Round each coefficient of hr, viewed as an integer between −(q − 1)/2 and (q − 1)/2, to the nearest multiple of 3, producing c ∈ R. (If q ∈ 1 + 3Z, as in the case study q = 9829, then each coefficient of c is in {−(q − 1)/2, ..., −6, −3, 0, 3, 6, ..., (q − 1)/2}. If q ∈ 2 + 3Z then each coefficient of c is in {−(q + 1)/2, ..., −6, −3, 0, 3, 6, ..., (q + 1)/2}.)
5) Encode c as a string c'.
6) Hash r, obtaining a left half C ("key confirmation") and a right half K.
7) The ciphertext is the concatenation Cc'. The session key is K.

Decryption:
The receiver decapsulates a ciphertext Cc' as follows:
1) Decode c', obtaining c ∈ R.
2) Multiply by 3f in R/q.
3) View each coefficient of 3fc in R/q as an integer between −(q − 1)/2 and (q − 1)/2, and then reduce modulo 3, obtaining a polynomial e in R/3.
4) Multiply by 1/g in R/3.
5) Lift e/g in R/3 to a small polynomial r' ∈ R.
6) Compute c'', C', K' from r' as in encryption.
7) If r' is t-small, c'' = c' and C' = C, then output K'. Otherwise output False.

If Cc' is a legitimate ciphertext then c was obtained by rounding the coefficients of hr to the nearest multiples of 3, i.e. c = m + hr in R/q, where m is small.

In 2007 Nick Howgrave-Graham, in his paper "A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU" [11], performed an attack that first applies lattice reduction and then a meet-in-the-middle search. This attack is faster than Odlyzko's meet-in-the-middle attack [27], and the author presents it as an improvement on the attack of Coppersmith and Shamir [21], presented in 1997, which used only lattice reduction. The author suggests that for NTRU to remain secure the private vector must be thickened, or a trinary vector used, which makes the meet-in-the-middle attack substantially harder without increasing the parameter N by much. NTRU Prime was published much later (2016) than these attacks, and there is not enough evidence that they carry over to NTRU Prime.

2.2.2 Ring-LWE

Ring-LWE, more properly called Learning with Errors over Rings, is the learning with errors (LWE) problem specialised to polynomial rings over finite fields [24]. It is built on the arithmetic of polynomials with coefficients chosen from a finite field. The hardness of the RLWE problem reduces to the (approximate) Shortest Vector Problem (SVP) in ideal lattices, which is the important feature of basing cryptography on the ring learning with errors problem. Ring-LWE can be used for several purposes such as key exchange, digital signatures and homomorphic encryption. We evaluate an instance of a Ring-LWE digital signature scheme by Lyubashevsky et al. [13].

Public key generation:
An entity wishing to sign messages generates its public key through the following steps:
1) Create two small polynomials p0(x) and p1(x) with coefficients selected uniformly from the set {−1, 0, 1}.
2) Calculate t(x) = a(x)·p0(x) + p1(x).
3) Hand out t(x) as the entity's public key.
The polynomials p0(x) and p1(x) serve as the private key and t(x) is the public key. The security of this signature scheme is based on the following problem: given a polynomial t(x), find small polynomials f1(x) and f2(x) such that a(x)·f1(x) + f2(x) = t(x).

Signature generation:
1) Create two small polynomials d0(x) and d1(x) with coefficients chosen from the set {−b, ..., 0, ..., b}.
2) Calculate w(x) = a(x)·d0(x) + d1(x).
3) Transform w(x) into a bit string ω.
4) Calculate c(x) = POLYHASH(ω | m). (This is a polynomial with k non-zero coefficients; "|" denotes concatenation of strings.)
5) Calculate s0(x) = p0(x)·c(x) + d0(x).
6) Calculate s1(x) = p1(x)·c(x) + d1(x).
7) Unless the infinity norms of s0(x) and s1(x) are both ≤ β, go to step 1. (This is the rejection sampling step: it prevents the distribution of the signature from leaking the private key.)
8) The signature is the triple of polynomials c(x), s0(x) and s1(x).
9) Transmit the message along with c(x), s0(x) and s1(x) to the verifier.

Signature verification:
To verify a message m, given as a bit string, the verifier must possess the signer's public key t(x), the signature (c(x), s0(x), s1(x)) and the message m. The verifier does the following:
1) Verify that the infinity norms of s0(x) and s1(x) are ≤ β; if not, reject the signature.
2) Calculate w'(x) = a(x)·s0(x) + s1(x) − t(x)·c(x).
3) Transform w'(x) into a bit string ω'.
4) Calculate c'(x) = POLYHASH(ω' | m).
5) If c'(x) ≠ c(x) discard the signature, otherwise accept the signature as valid.

In our survey we also came across an efficient implementation of Ring-LWE encryption by R. de Clercq et al. [15]. The algorithm is as follows.

Key generation:
1) Two polynomials r1 and r2 are sampled from χσ using a discrete Gaussian sampler.
2) r1' ← NTT(r1)
3) r2' ← NTT(r2)


4) p' ← r1' − a' ∗ r2'
The public key is (a', p'); the secret values generated in steps 1 to 3 are kept as the private key.

Encryption:
1) The input message m is encoded to a polynomial m' ∈ Rq.
2) Error polynomials e1, e2, e3 ∈ Rq are generated from χσ using a discrete Gaussian sampler.
3) e1' ← NTT(e1)
4) e2' ← NTT(e2)
5) (c1', c2') ← (a' ∗ e1' + e2', p' ∗ e1' + NTT(e3 + m'))

Decryption:
1) The inverse NTT is applied, m' = INTT(·), and the original message m is recovered from m' using a decoder. They use the parameter sets (n, q, σ) from [9].

Park et al. [12] in 2016 proposed a Simple Power Analysis (SPA) attack on the unprotected Ring-LWE scheme proposed by Roy et al. [14]. This Ring-LWE variant also uses the NTT and an 8-bit implementation. They showed that their attack recovers the secret using ⌈log2 q⌉ executions. Although the attack was not performed on the algorithm proposed by R. de Clercq et al., the two have quite a few similarities. Further research is required to analyse Ring-LWE implementations.

2.2.3 BLISS

Léo Ducas, Alain Durmus, Tancrède Lepoint and Vadim Lyubashevsky, in their 2013 paper "Lattice Signatures and Bimodal Gaussians", proposed the Bimodal Lattice Signature Scheme (BLISS) [10]. BLISS became very popular as it claimed better computational efficiency, smaller signature size and higher security. It attracted the attention of several research groups, including NIST, which proposed further refinement of the algorithm.

The algorithm is as follows:

Signature:
The input is a message m, the public key A, the secret key S and the standard deviation σ ∈ R.
1) y ← D_σ^m
2) c ← H(Ay mod 2q, m)
3) Select a random bit b ∈ {0, 1}
4) z ← y + (−1)^b Sc
5) Output (z, c) with probability 1/(M exp(−||Sc||²/(2σ²)) cosh(⟨z, Sc⟩/σ²)), otherwise restart.

Verification:
The input is a message m, the public key A and the signature (z, c).
1) If ||z|| > B2 then reject.
2) If ||z||∞ ≥ q/4 then reject.
3) Accept iff c = H(Az + qc mod 2q, m).

Bindel et al. analysed BLISS, Ring-TESLA and the GLP signature scheme with respect to several fault attacks [22]. The authors found that each of the three signature schemes is vulnerable to at least 9 of the 15 attacks they performed. Although Ring-TESLA and GLP (the scheme of [13] described above) are not analysed further here, BLISS, when attacked with first-order fault attacks (randomisation, skipping and zeroing), was found vulnerable to 7 different fault attacks. The authors also provided reasonable countermeasures against these attacks.

2.3 Hash based cryptography

In 1979 Ralph Merkle, in his paper titled "Secrecy, Authentication and Public Key Systems", proposed the first hash-based digital signature scheme [28]. A lot of research has been done on it since then. These schemes depend only on the security of one-way hash functions. Although a hash-based key pair has the particular disadvantage of being able to produce only a fixed number of signatures, hash-based schemes provide long-term security against the known quantum algorithms [29]. In 1990 Merkle published the Merkle signature scheme, which converts any one-time signature scheme into a multi-time one [17]; Merkle used the Lamport-Diffie one-time signature. The algorithms are as follows.

2.3.1 Merkle Signature

Key generation:
1) Generate the public keys Xi and private keys Yi of 2^n one-time signature key pairs.
2) For each public key Xi, 1 ≤ i ≤ 2^n, calculate the hash value hi = H(Xi). With these hash values hi build a hash tree.
3) Each node of the tree is denoted a(i,j), where i denotes the height of the node and j its left-to-right position.
4) In the Merkle tree the hash values hi are the leaves of a binary tree, so hi = a(0,i).
5) Each inner node of the tree is the hash value of the concatenation of its two children.
6) A tree with 2^n leaves and 2^(n+1) − 1 nodes is built. The root of the tree, a(n,0), is the public key pub of the Merkle signature scheme.

Signature:
To sign a message M with the Merkle signature scheme:
1) The leaf of the hash tree corresponding to the one-time public key Xi is a(0,i) = H(Xi).
2) Identify the path in the hash tree from a(0,i) to the root.
3) The path A consists of n + 1 nodes A0, ..., An, with A0 = a(0,i) being the leaf and An = a(n,0) = pub being the root of the tree.
4) To compute the path A, every child of the nodes A1, ..., An is needed.
5) To compute the next node A(i+1) of the path A, both children of A(i+1) are needed; therefore the sibling node of Ai is required.


6) Call this sibling auth_i, so that A(i+1) = H(Ai || auth_i), with the two children concatenated in their left-to-right order.
7) Therefore n nodes auth_0, ..., auth_(n−1) are needed to compute every node of the path A.
8) Compute and save these nodes auth_0, ..., auth_(n−1). These nodes, plus the one-time signature sig0 of M (and, in practice, the index i of the leaf used, which tells the verifier on which side each auth node is concatenated), form the signature sig = (sig0 || auth0 || auth1 || ... || auth_(n−1)) of the Merkle signature scheme.

Verification:
1) The receiver knows the public key pub, the message M and the signature sig = (sig0 || auth0 || auth1 || ... || auth_(n−1)).
2) The receiver verifies the one-time signature sig0 of the message M.
3) If sig0 is a valid signature of M, the receiver computes A0 = H(Xi) by hashing the public key of the one-time signature.
4) For j = 1, ..., n the nodes Aj of the path A are computed with Aj = H(A(j−1) || auth_(j−1)).
5) If An equals the public key pub of the Merkle signature scheme, the signature is valid.

In 2005 Coronado García, in the paper "On the security and the efficiency of the Merkle signature scheme", made a thorough analysis of the Merkle signature [31]. He proved that the Merkle signature is unforgeable under adaptive chosen message attack, and proposed an improved variant with forward security, unlimited keys and low power consumption.

Buchmann et al. presented XMSS (eXtended Merkle Signature Scheme), which uses the collision-resilient version of the Winternitz one-time signature scheme (WOTS) [25] together with the collision-resilient hash tree construction [26] and adds two different kinds of pseudorandom key generation. There are several other variants of the Merkle signature scheme [36] [37].

2.3.2 Lamport Signature

The Lamport signature is a one-time signature scheme that uses a secure cryptographic hash function to create a digital signature [38]. Although a key pair can be used to sign only one message, this limit can be extended using the Merkle tree construction presented in the previous section.

Key:
1) Let k be a positive integer and let P = {0,1}^k be the set of messages.
2) Let f: Y → Z be a one-way function.
3) For 1 ≤ i ≤ k and j ∈ {0,1} the signer chooses y(i,j) ∈ Y at random and computes z(i,j) = f(y(i,j)).
4) The private key K consists of the 2k values y(i,j). The public key consists of the 2k values z(i,j).

Signature:
1) Let m = m1 ... mk ∈ {0,1}^k be a message.
2) The signature of the message is sig(m1 ... mk) = (y(1,m1), ..., y(k,mk)) = (s1, ..., sk).

Verification:
The verifier validates a signature by checking that f(si) = z(i,mi) for all 1 ≤ i ≤ k.

2.4 Code based cryptography

2.4.1 McEliece

In 1978 Robert McEliece developed an asymmetric encryption system that uses randomisation during encryption [32]. The McEliece cryptosystem has several advantages and is a viable replacement for traditionally used cryptosystems. It is faster than most cryptosystems but uses large matrices as its public and private keys. It is based on the NP-hard problem of decoding general linear codes.

Key generation:
1) Generate a binary (n, k)-linear code C capable of correcting t errors. This code must possess an efficient decoding algorithm; generate a k × n generator matrix G for the code C.
2) Choose a random k × k binary nonsingular matrix S.
3) Choose a random n × n permutation matrix P.
4) Calculate the k × n matrix Ĝ = SGP.
5) The public key is (Ĝ, t); the private key is (S, G, P).

Message encryption:
1) Encode the message m as a binary string of length k.
2) Calculate the vector c0 = mĜ.
3) Select a random n-bit vector z containing exactly t ones (a vector of length n and weight t).
4) The ciphertext is c = c0 + z.

Message decryption:
1) Calculate the inverse of P (i.e. P^(-1)).
2) Calculate ĉ = cP^(-1).
3) Decode ĉ to m̂ using the decoding algorithm for the code C.
4) Compute m = m̂S^(-1).

Bernstein et al. in 2008 recovered a plaintext from a ciphertext of the original McEliece parameters by decoding 50 errors in a [1024, 524] code [18]. They also proposed viable countermeasures in the form of larger parameters.

2.4.2 Niederreiter cryptosystem

The Niederreiter cryptosystem is quite similar to the McEliece cryptosystem; the primary difference is that Niederreiter works with the parity-check matrix of a (Goppa) code, so the ciphertext is a syndrome and the message is an error pattern.

Key generation:
1) Generate a binary (n, k)-linear Goppa code G capable of correcting t errors. This code possesses an efficient decoding algorithm.
2) Select an (n − k) × n parity check matrix H for the code G.
3) Generate a random (n − k) × (n − k) binary nonsingular matrix S.
4) Generate a random n × n permutation matrix P.
5) Calculate the (n − k) × n matrix Hpub = SHP.
6) The public key is (Hpub, t); the private key is (S, H, P).


Message encryption:
1) Encode the message m as a binary string of length n and weight at most t.
2) Generate the ciphertext c = Hpub m^T.

Message decryption:
1) Calculate S^(-1)c = HPm^T.
2) Recover Pm^T by applying the syndrome decoding algorithm for G.
3) Recover the message via m^T = P^(-1)Pm^T.

Avanzi et al. provided a survey of several possible side-channel attacks on the McEliece and Niederreiter schemes, along with their countermeasures [33].

3 CONCLUSION

In our survey we have analysed several post-quantum cryptography schemes and provided in Table 2 a comparison based on the implementations reported by several authors. The comparison table shows that lattice-based cryptography schemes, even when implemented on a constrained microcontroller, show good promise, as they take the least time for several operations and consume the least memory. However, further rigorous analysis is required before it can be stated definitively that lattice-based cryptography is the best among post-quantum cryptography. Future work will include rigorous implementation and analysis of post-quantum cryptography algorithms in software simulation as well as on constrained devices.

Table 2: A theoretic comparison of several post-quantum cryptosystems (values as reported by the cited implementations; where a row has fewer entries than columns, the entries are listed in the order given)

Columns: BLISS [34] (128-bit security) | Ring-LWE [35] (more than 156-bit security) | NTRU (80-bit security) | Lamport | Lamport with Merkle | Rainbow [39] (80-bit security) | McEliece | Niederreiter [40] (80-bit security)

Public key (KB): 7 | 2 | ~10 | 0.08 | 132.7 | 500 | ~74.032
Private key (KB): 2 | 2 | ~10 | ~250 | 95.4 | 1000 | ~4.096
Signature size: 7.680 | 6.32
Signature time: 329 ms | 257.1 ms
Verification time: 88 ms | 288.0 ms
Encryption time: 68 ms | 1.6 ms/op
Decryption time: 18.8 ms | 180 ms/op
Possible attacks:
Platform: Atmel ATxmega128A1 | Atmel ATxmega128A1 | PC (not specified) | PC (not specified) | PC (not specified) | Atmel ATxmega128A1 | PC (not specified) | ATxmega256A1
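The Rainbow key generation, signing and verification procedure of Section 2.1.1, as an added example that is not part of the original paper or of the Rainbow authors' code. It assumes a toy instance: the prime field GF(257) in place of the paper's GF(2^8) (so that field inversion is a modular exponentiation), two layers with v1 = o1 = o2 = 2 (n = 6 variables, m = 4 polynomials), and SHA-256 truncated to m bytes as the hash h: K* → K^m. The private key stores the inverse affine maps, so signing only needs the layer-by-layer Gaussian elimination described above; the public key is the composed map expanded into explicit quadratic polynomials, which is what a verifier actually evaluates. All names are this example's own.

```python
import hashlib, math, random
from functools import reduce
# Toy Rainbow parameters (assumed): prime field GF(257) in place of the paper's GF(2^8), so that
# field inversion is pow(a, P - 2, P); two layers with v1 = o1 = o2 = 2, hence n = 6 and m = 4.
P = 257
V1, O1, O2 = 2, 2, 2
N, M = V1 + O1 + O2, O1 + O2
LAYERS = [(list(range(V1)), list(range(V1, V1 + O1))),       # layer 1: (S_1, O_1)
          (list(range(V1 + O1)), list(range(V1 + O1, N)))]   # layer 2: (S_2, O_2)

def solve(A, b):  # Gaussian elimination over GF(P): x with A x = b, or None if A is singular
    n, T = len(A), [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if T[r][col]), None)
        if piv is None:
            return None
        T[col], T[piv] = T[piv], T[col]
        inv = pow(T[col][col], P - 2, P)
        T[col] = [v * inv % P for v in T[col]]
        for r in range(n):
            if r != col and T[r][col]:
                T[r] = [(v - T[r][col] * w) % P for v, w in zip(T[r], T[col])]
    return [T[i][n] for i in range(n)]

def affine(A, c, x):  # x -> A x + c over GF(P)
    return [(sum(a * v for a, v in zip(row, x)) + ci) % P for row, ci in zip(A, c)]

def rand_affine(n):  # random invertible affine map L = (A, c) and its inverse (A^-1, -A^-1 c)
    while True:
        A = [[random.randrange(P) for _ in range(n)] for _ in range(n)]
        cols = [solve(A, [int(i == j) for i in range(n)]) for j in range(n)]  # columns of A^-1
        if None not in cols:
            c, Ainv = [random.randrange(P) for _ in range(n)], [[cols[j][i] for j in range(n)] for i in range(n)]
            return (A, c), (Ainv, [(-v) % P for v in affine(Ainv, [0] * n, c)])

# A polynomial is {monomial: coeff}; a monomial is a sorted tuple of variable indices of length
# 0 (constant), 1 (linear) or 2 (quadratic).
def padd(f, g):
    h = dict(f)
    for k, c in g.items():
        h[k] = (h.get(k, 0) + c) % P
    return h

def pmul(f, g):
    h = {}
    for (kf, cf), (kg, cg) in ((u, w) for u in f.items() for w in g.items()):
        k = tuple(sorted(kf + kg))
        h[k] = (h.get(k, 0) + cf * cg) % P
    return h

def rand_central():  # layer-l polynomial: Vinegar*Vinegar and Vinegar*Oil terms, never Oil*Oil
    return [{(): random.randrange(P), **{(i,): random.randrange(P) for i in vin + oil},
             **{tuple(sorted((i, j))): random.randrange(P) for i in vin for j in vin + oil}}
            for vin, oil in LAYERS for _ in oil]

def invert_central(F, y):  # one pre-image of y: random Vinegar, then one linear solve per layer
    x, k0 = [random.randrange(P) for _ in range(V1)] + [None] * (N - V1), 0
    for vin, oil in LAYERS:
        A, b = [[0] * len(oil) for _ in oil], []
        for r, f in enumerate(F[k0:k0 + len(oil)]):
            const = 0
            for key, c in f.items():
                c = c * math.prod(x[i] for i in key if i in vin) % P  # Vinegar part is known
                oils = [i for i in key if i in oil]
                if oils:
                    A[r][oil.index(oils[0])] = (A[r][oil.index(oils[0])] + c) % P
                else:
                    const = (const + c) % P
            b.append((y[k0 + r] - const) % P)
        sol = solve(A, b)
        if sol is None:
            return None  # singular layer system: the caller retries with fresh Vinegar values
        x[oil[0]:oil[0] + len(oil)] = sol
        k0 += len(oil)
    return x

def keygen():  # private key (L1^-1, F, L2^-1); public key P = L1 o F o L2 as m explicit quadratics
    F, (L1, L1inv), (L2, L2inv) = rand_central(), rand_affine(M), rand_affine(N)
    lin = [padd({(j,): L2[0][i][j] for j in range(N)}, {(): L2[1][i]}) for i in range(N)]  # x = L2(z)
    G = [reduce(padd, (reduce(pmul, (lin[i] for i in key), {(): c}) for key, c in f.items()), {})
         for f in F]                                                                    # F(L2(z))
    pub = [{(): L1[1][k]} for k in range(M)]                                            # L1(F(L2(z)))
    for k in range(M):
        for j in range(M):
            pub[k] = padd(pub[k], {key: c * L1[0][k][j] % P for key, c in G[j].items()})
    return pub, (L1inv, F, L2inv)

def hash_to_field(msg):  # h: K* -> K^m; SHA-256 bytes lie in 0..255, a subset of GF(257)
    return list(hashlib.sha256(msg).digest()[:M])

def sign(sk, msg):
    L1inv, F, L2inv = sk
    x = affine(*L1inv, hash_to_field(msg))               # x = L1^-1(h)
    while (y := invert_central(F, x)) is None:             # y = F^-1(x), one of possibly many
        pass
    return affine(*L2inv, y)                               # z = L2^-1(y) is the signature

def verify(pub, msg, z):  # accept iff P(z) = h(msg)
    return [sum(c * math.prod(z[i] for i in k) for k, c in p.items()) % P for p in pub] == hash_to_field(msg)
```

Calling `pub, sk = keygen()` followed by `z = sign(sk, b"document")` and `verify(pub, b"document", z)` exercises the whole chain; the signature is only n field elements, which is the short-signature property the section mentions, while the public key already holds m·(n² + 3n + 2)/2 coefficients at this toy size and grows quadratically with n.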
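The Ring-LWE encryption of de Clercq et al. described in Section 2.2.2, as an added example that is not the authors' code. It assumes the ring R_q = Z_q[x]/(x^n + 1) with q = 7681 and σ = 11.31/√(2π) from the parameter set of [9], but n = 64 rather than 256 so that schoolbook multiplication is fast enough without the NTT (the NTT is a speed optimisation and does not change the algebra), and it assumes, from the decryption identity worked out in the comments, that the secret kept from key generation is r2. The discrete Gaussian sampler is a floating-point rounding sampler chosen for brevity and is not constant-time; the SPA attack of Park et al. [12] is exactly the kind of leakage a hardened sampler must avoid. The names are this example's own.

```python
import random

# Parameters assumed for this example: q and sigma from the (n, q, sigma) set of [9], but n = 64
# instead of 256 so that schoolbook polynomial multiplication stays fast without an NTT.
N, Q = 64, 7681
SIGMA = 11.31 / (2 * 3.141592653589793) ** 0.5   # about 4.51

def gauss_poly():
    """Discrete Gaussian sampler chi_sigma by rounding a continuous sample. Not constant-time:
    a real implementation needs a hardened sampler (cf. the SPA attack of Park et al. [12])."""
    return [round(random.gauss(0, SIGMA)) % Q for _ in range(N)]

def polymul(a, b):  # schoolbook multiplication in R_q = Z_q[x]/(x^n + 1), i.e. x^n = -1
    c = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] += ai * bj
    return [(c[i] - c[i + N]) % Q for i in range(N)]

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def encode(bits):  # message bit 1 -> q/2, bit 0 -> 0
    return [(Q // 2) * bit for bit in bits]

def decode(poly):  # a coefficient closer to q/2 than to 0 (mod q) decodes to 1
    return [1 if Q // 4 < c <= 3 * Q // 4 else 0 for c in poly]

def keygen():
    a = [random.randrange(Q) for _ in range(N)]      # public uniform ring element a
    r1, r2 = gauss_poly(), gauss_poly()              # step 1: r1, r2 <- chi_sigma
    p = sub(r1, polymul(a, r2))                      # step 4: p = r1 - a*r2
    return (a, p), r2                                # public key (a, p); secret r2 (assumption)

def encrypt(pk, bits):
    a, p = pk
    e1, e2, e3 = gauss_poly(), gauss_poly(), gauss_poly()
    c1 = add(polymul(a, e1), e2)                     # c1 = a*e1 + e2
    c2 = add(polymul(p, e1), add(e3, encode(bits)))  # c2 = p*e1 + e3 + m'
    return c1, c2

def decrypt(sk, ct):
    c1, c2 = ct
    # c1*r2 + c2 = a e1 r2 + e2 r2 + (r1 - a r2) e1 + e3 + m' = r1 e1 + e2 r2 + e3 + m',
    # so the decoder sees m' plus a noise term that must stay below q/4 in absolute value.
    return decode(add(polymul(c1, sk), c2))

def noise_margin(sk, ct, bits):
    """Largest |noise| coefficient seen by the decoder; decryption fails once it reaches q/4."""
    d = sub(add(polymul(ct[0], sk), ct[1]), encode(bits))
    return max(min(c, Q - c) for c in d)
```

With these parameters the noise has a standard deviation of a few hundred against a threshold of q/4 = 1920, so decryption failures are astronomically rare; with the paper's n = 256 the same σ gives a noticeably larger noise term, which is why the parameter sets of [9] balance n, q and σ against a target failure probability rather than choosing them independently.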
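The signature scheme of Lyubashevsky et al. [13] from Section 2.2.2 (key generation, signing with rejection sampling, verification), as an added example that is not the authors' code. Assumptions: the ring Z_q[x]/(x^n + 1) with q = 8383489 and b = 2^14 as in the GLP-I parameter set, but n = 64 rather than 512 so that schoolbook multiplication suffices; k = 8 non-zero coefficients in c(x); β = b − k, which is what makes the accepted s0, s1 uniformly distributed in [−β, β] independently of the secret; and POLYHASH built from SHA-256. The fault attacks of Bindel et al. [22] discussed after BLISS target exactly the rejection step (skipping it, or zeroing d0 and d1), so the example keeps the norm check in both signer and verifier. Names are this example's own.

```python
import hashlib
import random

# Toy parameters (assumed): q and b as in GLP-I, n = 64 instead of 512, k = 8 non-zero
# coefficients in c(x), and beta = b - k so that accepted signatures are uniform in [-beta, beta]
# whatever the secret key is.
N, Q, B, K = 64, 8383489, 1 << 14, 8
BETA = B - K

def polymul(a, b):  # schoolbook multiplication in Z_q[x]/(x^n + 1), i.e. x^n = -1
    c = [0] * (2 * N)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] += ai * bj
    return [(c[i] - c[i + N]) % Q for i in range(N)]

def center(v):  # representative of v mod q in (-q/2, q/2]
    v %= Q
    return v - Q if v > Q // 2 else v

def polyhash(w, m):
    """POLYHASH(omega | m): a polynomial with exactly k coefficients in {-1, +1}, derived from
    the bit string omega of w (4 bytes per coefficient) concatenated with the message m."""
    omega = b"".join(v.to_bytes(4, "big") for v in w)
    seed = hashlib.sha256(omega + b"|" + m).digest()
    c, ctr = [0] * N, 0
    while sum(1 for v in c if v) < K:
        d = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
        pos = int.from_bytes(d[:2], "big") % N
        if c[pos] == 0:
            c[pos] = 1 if d[2] & 1 else -1
    return c

def keygen():
    a = [random.randrange(Q) for _ in range(N)]                   # public ring element a(x)
    p0 = [random.randint(-1, 1) for _ in range(N)]                # private key: small p0, p1
    p1 = [random.randint(-1, 1) for _ in range(N)]
    t = [(x + y) % Q for x, y in zip(polymul(a, p0), p1)]         # t = a*p0 + p1
    return (a, t), (p0, p1)

def sign(pk, sk, m):
    a, _ = pk
    p0, p1 = sk
    while True:
        d0 = [random.randint(-B, B) for _ in range(N)]            # masking polynomials
        d1 = [random.randint(-B, B) for _ in range(N)]
        w = [(x + y) % Q for x, y in zip(polymul(a, d0), d1)]     # w = a*d0 + d1
        c = polyhash(w, m)
        s0 = [center(x) + y for x, y in zip(polymul(p0, c), d0)]  # s0 = p0*c + d0 over Z
        s1 = [center(x) + y for x, y in zip(polymul(p1, c), d1)]  # s1 = p1*c + d1 over Z
        if max(map(abs, s0 + s1)) <= BETA:                        # rejection sampling step
            return c, s0, s1

def verify(pk, m, sig):
    a, t = pk
    c, s0, s1 = sig
    if max(map(abs, s0 + s1)) > BETA:                             # norm check first
        return False
    w = [(x + y - z) % Q for x, y, z in zip(polymul(a, s0), s1, polymul(t, c))]  # a*s0 + s1 - t*c
    return polyhash(w, m) == c
```

Correctness follows from a·s0 + s1 − t·c = a(p0·c + d0) + (p1·c + d1) − (a·p0 + p1)·c = a·d0 + d1 = w, so the verifier recomputes the same c; with these parameters roughly 6 % of signing attempts are rejected, which is the price paid for the signature distribution being independent of p0 and p1.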
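The Lamport one-time signature of Section 2.3.2 and the Merkle tree of Section 2.3.1 that turns it into a 2^n-time scheme, as one added example that is not the paper's code. Assumptions: f = H = SHA-256, k = 256 with messages hashed before signing, and a signature that carries the leaf index i and the one-time public key Xi alongside sig0 and auth_0, ..., auth_(n−1) (the verifier needs Xi to recompute a(0,i) = H(Xi) and i to know on which side each auth node is concatenated). The signer state refuses to reuse a leaf, since a second Lamport signature with the same key reveals further private values. Names are this example's own.

```python
import hashlib
import secrets

K = 256  # Lamport parameter k: messages are hashed to k bits before signing (assumption)

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(msg):  # m = m_1 ... m_k: the k bits of H(msg)
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(K)]

def lamport_keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(K)]  # y_{i,j}
    pk = [[H(y) for y in pair] for pair in sk]                             # z_{i,j} = f(y_{i,j})
    return sk, pk

def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]                    # s_i = y_{i,m_i}

def lamport_verify(pk, msg, sig):
    return len(sig) == K and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def pk_bytes(pk):  # X_i as a byte string, to be hashed into the leaf h_i = H(X_i)
    return b"".join(z for pair in pk for z in pair)

def merkle_keygen(n):
    """2^n one-time key pairs; levels[0] are the leaves a_{0,j}, levels[n][0] = a_{n,0} = pub."""
    ots = [lamport_keygen() for _ in range(1 << n)]
    levels = [[H(pk_bytes(pk)) for _, pk in ots]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[j], prev[j + 1]) for j in range(0, len(prev), 2)])
    return {"ots": ots, "levels": levels, "next": 0}, levels[-1][0]

def merkle_sign(state, msg):
    leaf = state["next"]
    if leaf >= len(state["ots"]):
        raise ValueError("all one-time keys used; reusing a Lamport key leaks the private key")
    state["next"] = leaf + 1                     # never sign twice with the same leaf
    sk, pk = state["ots"][leaf]
    auth, i = [], leaf
    for level in state["levels"][:-1]:
        auth.append(level[i ^ 1])                # auth_j: sibling of the path node at height j
        i >>= 1
    return leaf, lamport_sign(sk, msg), pk, auth

def merkle_verify(pub, msg, sig):
    leaf, sig0, pk, auth = sig
    if not lamport_verify(pk, msg, sig0):
        return False
    node, i = H(pk_bytes(pk)), leaf              # A_0 = H(X_i)
    for a in auth:                               # A_{j+1} = H(left child || right child)
        node = H(node, a) if i % 2 == 0 else H(a, node)
        i >>= 1
    return node == pub

def keys_left(state):
    return len(state["ots"]) - state["next"]
```

The state counter is the security-critical part on a constrained device: it must survive power loss and must never be rolled back (for example by restoring an old flash image), because two Lamport signatures under the same leaf expose both y(i,0) and y(i,1) for every bit position where the two hashed messages differ.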
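The McEliece and Niederreiter procedures of Sections 2.4.1 and 2.4.2 on one small code, as one added example that is not the paper's or McEliece's code. It assumes the binary Hamming [7, 4] code (n = 7, k = 4, t = 1), whose syndrome decoder is a lookup on the columns of H; a deployable system uses a binary Goppa code with n in the thousands, since a Hamming code is far too small to hide anything, but the matrix manipulations are identical. Permutation matrices are inverted by transposition. Names are this example's own.

```python
import random

# Binary Hamming [7,4] code (assumption: a toy code with t = 1; real systems use Goppa codes).
G = [[1, 0, 0, 0, 1, 1, 0],   # k x n generator matrix in systematic form G = [I_4 | A]
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],   # (n-k) x n parity-check matrix H = [A^T | I_3], so H G^T = 0
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]
N, K, T = 7, 4, 1

def matmul(A, B):  # matrix product over GF(2)
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def gf2_inv(A):  # inverse of a square binary matrix by Gauss-Jordan elimination, None if singular
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col and M[r][col]:
                M[r] = [x ^ y for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]

def rand_nonsingular(n):
    while True:
        S = [[random.randrange(2) for _ in range(n)] for _ in range(n)]
        if gf2_inv(S) is not None:
            return S

def rand_permutation(n):
    perm = random.sample(range(n), n)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

def syndrome_decode(s):
    """Hamming decoder: a non-zero syndrome equals the column of H at the single error position."""
    e = [0] * N
    if any(s):
        e[transpose(H).index(s)] = 1
    return e

# --- McEliece: public generator matrix, ciphertext = codeword + random error ---
def mceliece_keygen():
    S, P = rand_nonsingular(K), rand_permutation(N)
    return (matmul(matmul(S, G), P), T), (S, P)         # public (G^ = SGP, t); private (S, G, P)

def mceliece_encrypt(pk, m):
    Ghat, t = pk
    z = [0] * N
    for i in random.sample(range(N), t):                 # random error vector of weight t
        z[i] = 1
    return [a ^ b for a, b in zip(matmul([m], Ghat)[0], z)]   # c = m G^ + z

def mceliece_decrypt(sk, c):
    S, P = sk
    chat = matmul([c], transpose(P))[0]                  # c P^-1 (P^-1 = P^T for a permutation)
    s = matmul([chat], transpose(H))[0]                  # syndrome of c^ = (mS)G + zP^-1
    codeword = [a ^ b for a, b in zip(chat, syndrome_decode(s))]
    mhat = codeword[:K]                                  # G is systematic: m^ = first k bits
    return matmul([mhat], gf2_inv(S))[0]                 # m = m^ S^-1

# --- Niederreiter: public parity-check matrix, ciphertext = syndrome of the message ---
def niederreiter_keygen():
    S, P = rand_nonsingular(N - K), rand_permutation(N)
    return (matmul(matmul(S, H), P), T), (S, P)         # public (Hpub = SHP, t); private (S, H, P)

def niederreiter_encrypt(pk, e):
    Hpub, t = pk
    if sum(e) > t:
        raise ValueError("the message must be an error pattern of weight at most t")
    return [row[0] for row in matmul(Hpub, transpose([e]))]   # c = Hpub e^T

def niederreiter_decrypt(sk, c):
    S, P = sk
    s = [row[0] for row in matmul(gf2_inv(S), transpose([c]))]  # S^-1 c = H (P e^T)
    pe = syndrome_decode(s)                                      # syndrome decoding gives P e^T
    return [row[0] for row in matmul(transpose(P), transpose([pe]))]  # e^T = P^-1 (P e^T)
```

The Niederreiter ciphertext is only n − k bits against n bits for McEliece, and its public key is the (n − k) × n matrix Hpub rather than the k × n matrix Ĝ, which is the trade-off behind the key and ciphertext sizes reported for [40] in Table 2; both systems share the decoder, so the side-channel concerns surveyed in [33] apply to both.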

REFERENCES

[1] Shor, Peter W. "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer." SIAM Journal on Computing 26, no. 5 (1997): 1484-1509.
[2] Ding, Jintai, and Dieter Schmidt. "Rainbow, a new multivariable polynomial signature scheme." International Conference on Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2005.
[3] Alkim, Erdem, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. "Post-quantum Key Exchange: A New Hope." In USENIX Security Symposium, pp. 327-343. 2016.
[4] Kipnis, Aviad, Jacques Patarin, and Louis Goubin. "Unbalanced oil and vinegar signature schemes." International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 1999.
[5] Patarin, Jacques. "Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms." International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 1996.
[6] Cheng, Chi, Rongxing Lu, Albrecht Petzoldt, and Tsuyoshi Takagi. "Securing the Internet of Things in a Quantum World." IEEE Communications Magazine 55, no. 2 (2017): 116-120.
[7] Takagi, Tsuyoshi, ed. Post-Quantum Cryptography: 7th International Workshop, PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, Proceedings. Vol. 9606. Springer, 2016.
[8] Ajtai, Miklós. "Generating hard instances of lattice problems." Proceedings of the twenty-eighth annual ACM symposium on Theory of computing. ACM, 1996.
[9] Göttert, Norman, et al. "On the design of hardware building blocks for modern lattice-based encryption schemes." International Workshop on Cryptographic Hardware and Embedded Systems. Springer Berlin Heidelberg, 2012.
[10] Ducas, Léo, et al. "Lattice signatures and bimodal Gaussians." Advances in Cryptology - CRYPTO 2013. Springer Berlin Heidelberg, 2013. 40-56.
[11] Howgrave-Graham, Nick. "A hybrid lattice-reduction and meet-in-the-middle attack against NTRU." Annual International Cryptology Conference. Springer Berlin Heidelberg, 2007.
[12] Park, Aesun, and Dong-Guk Han. "Chosen ciphertext Simple Power Analysis on software 8-bit implementation of ring-LWE encryption." Hardware-Oriented Security and Trust (AsianHOST), IEEE Asian. IEEE, 2016.
[13] Güneysu, Tim, Vadim Lyubashevsky, and Thomas Pöppelmann. "Practical lattice-based cryptography: A signature scheme for embedded systems." International Workshop on Cryptographic Hardware and Embedded Systems. Springer Berlin Heidelberg, 2012.
[14] Roy, Sujoy Sinha, et al. "Compact ring-LWE cryptoprocessor." International Workshop on Cryptographic Hardware and Embedded Systems. Springer Berlin Heidelberg, 2014.
[15] De Clercq, Ruan, et al. "Efficient software implementation of ring-LWE encryption." Design, Automation and Test in Europe Conference and Exhibition (DATE), 2015. IEEE, 2015.
[16] Merkle, Ralph C. "Secrecy, authentication, and public key systems." (1979).
[17] Merkle, Ralph C. "A certified digital signature." In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, LNCS volume 435. Springer-Verlag Berlin Heidelberg, 1990.
[18] Bernstein, Daniel J., Tanja Lange, and Christiane Peters. "Attacking and defending the McEliece cryptosystem." International Workshop on Post-Quantum Cryptography. Springer Berlin Heidelberg, 2008.
[19] Mohamed, Mohamed Saied Emam, and Albrecht Petzoldt. "The Shortest Signatures Ever." In Progress in Cryptology - INDOCRYPT 2016: 17th International Conference on Cryptology in India, Kolkata, India, December 11-14, 2016, Proceedings 17, pp. 61-77. Springer International Publishing, 2016.
[20] Hoffstein, Jeffrey, Jill Pipher, and Joseph Silverman. "NTRU: A ring-based public key cryptosystem." Algorithmic Number Theory (1998): 267-288.
[21] Coppersmith, Don, and Adi Shamir. "Lattice attacks on NTRU." International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 1997.
[22] Bindel, Nina, Johannes Buchmann, and Juliane Krämer. "Lattice-based signature schemes and their sensitivity to fault attacks." Fault Diagnosis and Tolerance in Cryptography (FDTC), 2016 Workshop on. IEEE, 2016.
[23] Bernstein, Daniel J., et al. "NTRU Prime." IACR Cryptology ePrint Archive 2016 (2016): 461.
[24] Lyubashevsky, Vadim, Chris Peikert, and Oded Regev. "On ideal lattices and learning with errors over rings." Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer Berlin Heidelberg, 2010.
[25] Buchmann, Johannes, Erik Dahmen, Sarah Ereth, Andreas Hülsing, and Markus Rückert. "On the security of the Winternitz one-time signature scheme." In A. Nitaj and D. Pointcheval, editors, Africacrypt 2011, volume 6737 of LNCS, pages 363-378. Springer Berlin / Heidelberg, 2011.
[26] Dahmen, Erik, Katsuyuki Okeya, Tsuyoshi Takagi, and Camille Vuillaume. "Digital signatures out of second-preimage resistant hash functions." In Johannes Buchmann and Jintai Ding, editors, Post-Quantum Cryptography 2008, volume 5299 of LNCS, pages 109-123. Springer, 2008.
[27] Howgrave-Graham, Nick, Joseph H. Silverman, and William Whyte. "A Meet-in-the-Middle Attack on an NTRU Private Key." Technical report, NTRU Cryptosystems, June 2003.
[28] Merkle, Ralph C. "Secrecy, authentication, and public key systems." (1979).
[29] Augot, Daniel, Lejla Batina, et al. "Initial recommendations of long-term secure post-quantum systems." Technical report, 2015.
[30] Kopka, H., and P. W. Daly. A Guide to LaTeX, 3rd ed. Harlow, England: Addison-Wesley, 1999.
[31] García, L. C. Coronado. "On the security and the efficiency of the Merkle signature scheme." Technical Report 2005/192, Cryptology ePrint Archive, 2005. Available at http://eprint.iacr.org/2005/192.
[32] McEliece, Robert J. "A public-key cryptosystem based on algebraic coding theory." DSN Progress Report 42-44 (1978): 114-116.
[33] Avanzi, Roberto, et al. "Side-channel attacks on the McEliece and Niederreiter public-key cryptosystems." Journal of Cryptographic Engineering 1.4 (2011): 271-281.
[34] Oder, Tobias, Thomas Pöppelmann, and Tim Güneysu. "Beyond ECDSA and RSA: Lattice-based digital signatures on constrained devices." Proceedings of the 51st Annual Design Automation Conference. ACM, 2014.
[35] Pöppelmann, Thomas, Tobias Oder, and Tim Güneysu. "High-performance ideal lattice-based cryptography on 8-bit ATxmega microcontrollers." International Conference on Cryptology and Information Security in Latin America. Springer International Publishing, 2015.
[36] Buchmann, Johannes, Erik Dahmen, and Andreas Hülsing. "XMSS - a practical forward secure signature scheme based on minimal security assumptions." In Bo-Yin Yang, editor, Post-Quantum Cryptography 2011, volume 7071 of LNCS, pages 117-129. Springer Berlin / Heidelberg, 2011.
[37] Hülsing, Andreas, Joost Rijneveld, and Fang Song. "Mitigating multi-target attacks in hash-based signatures." Public-Key Cryptography - PKC 2016. Springer Berlin Heidelberg, 2016. 387-416.
[38] Lamport, Leslie. Constructing digital signatures from a one-way function. Vol. 238. Palo Alto: Technical Report CSL-98, SRI International, 1979.
[39] Czypek, Peter, Stefan Heyse, and Enrico Thomae. "Efficient implementations of MQPKS on constrained devices." International Workshop on Cryptographic Hardware and Embedded Systems. Springer Berlin Heidelberg, 2012.
[40] Heyse, Stefan. "Low-Reiter: Niederreiter encryption scheme for embedded microcontrollers." International Workshop on Post-Quantum Cryptography. Springer Berlin Heidelberg, 2010.
