I saw that NIST was considering a new breed of post-quantum PKI functions. Which would you recommend to use, if we wanted to make quantum resistant private key signing and encryption today?
For Cyph[1], we went with SPHINCS[2] for signing and a combination of McEliece (specifically McBits[3]), NTRU[4], and SIDH[5] for public key encryption.
We also considered QcBits[6] as a more space-efficient alternative to McEliece, but it just seemed too new / not well understood for our tastes, and last I saw there was a recent attack on it that hadn't been mitigated yet. Definitely keeping an eye on it for the future though.
---
1: https://www.cyph.com/castle
2: https://sphincs.cr.yp.to
3: https://tungchou.github.io/mcbits
4: https://github.com/NTRUOpenSourceProject/ntru-crypto
5: https://github.com/Microsoft/PQCrypto-SIDH
6: https://tungchou.github.io/qcbits
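The reply above says it uses several public-key mechanisms together, but not how they are combined. The example below is added here and is not Cyph's code or the poster's; it assumes the standard "KEM combiner" construction, where each mechanism encapsulates its own shared secret and a key derivation step binds all the ciphertexts and all the secrets into one session key, so the result stays secret as long as at least one of the underlying mechanisms does. The `ToyKem` class is a placeholder standing in for McEliece, NTRU and SIDH; it has no security of its own and exists only so the combiner is runnable offline.

```python
import hashlib
import hmac
import os


class ToyKem:
    """Placeholder KEM (an assumption of this example, not a real scheme).

    It mimics the keygen / encaps / decaps interface of a KEM such as McEliece,
    NTRU or SIDH so the combiner below can be exercised. It is NOT secure:
    anyone holding the public key could recompute the shared secret.
    """

    def __init__(self, name: str):
        self.name = name.encode()

    def keygen(self):
        sk = os.urandom(32)
        pk = hashlib.sha256(b"pk|" + self.name + sk).digest()
        return pk, sk

    def encaps(self, pk: bytes):
        ct = os.urandom(32)  # "ciphertext" = fresh randomness
        ss = hashlib.sha256(b"ss|" + pk + ct).digest()
        return ct, ss

    def decaps(self, sk: bytes, ct: bytes):
        pk = hashlib.sha256(b"pk|" + self.name + sk).digest()
        return hashlib.sha256(b"ss|" + pk + ct).digest()


# Three independent mechanisms, mirroring the combination named in the reply.
KEMS = [ToyKem("mceliece"), ToyKem("ntru"), ToyKem("sidh")]
LABEL = b"hybrid-pq-kem-v1"  # constructed domain-separation label


def _hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand, single block is enough for 32 bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine(secrets, ciphertexts) -> bytes:
    """Derive one session key from every shared secret.

    The salt commits to every ciphertext (length-prefixed so boundaries are
    unambiguous) and the IKM is the concatenation of all shared secrets.
    An attacker who breaks only one mechanism still lacks the other secrets
    and therefore cannot reproduce the key.
    """
    transcript = b"".join(len(c).to_bytes(2, "big") + c for c in ciphertexts)
    salt = hashlib.sha256(transcript).digest()
    return _hkdf_sha256(salt, b"".join(secrets), LABEL)


def hybrid_keygen():
    """One key pair per mechanism; returns (public keys, secret keys)."""
    pairs = [kem.keygen() for kem in KEMS]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]


def hybrid_encaps(pks):
    """Sender side: encapsulate under every public key, derive the combined key."""
    results = [kem.encaps(pk) for kem, pk in zip(KEMS, pks)]
    cts = [ct for ct, _ in results]
    secrets = [ss for _, ss in results]
    return cts, combine(secrets, cts)


def hybrid_decaps(sks, cts):
    """Receiver side: decapsulate each ciphertext, derive the same combined key."""
    secrets = [kem.decaps(sk, ct) for kem, sk, ct in zip(KEMS, sks, cts)]
    return combine(secrets, cts)


def key_with_one_secret_replaced(sks, cts, index: int) -> bytes:
    """Model a single broken mechanism: the attacker knows every secret except
    one and guesses that one. The derived key must differ from the real key."""
    secrets = [kem.decaps(sk, ct) for kem, sk, ct in zip(KEMS, sks, cts)]
    secrets[index] = os.urandom(32)
    return combine(secrets, cts)


if __name__ == "__main__":
    pks, sks = hybrid_keygen()
    cts, k_sender = hybrid_encaps(pks)
    k_receiver = hybrid_decaps(sks, cts)
    print("keys agree:", k_sender == k_receiver)
    print("one wrong secret breaks the key:",
          key_with_one_secret_replaced(sks, cts, 1) != k_sender)
```

A real deployment would swap `ToyKem` for the actual library bindings, keep the length-prefixed transcript binding, and extend the KDF input with the public keys if the protocol does not otherwise authenticate them.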