Talk:Post-quantum cryptography

Cryptography without/before PKC
Distinct from the research into public-key crypto, there's history and research about the practicalities of living *without* the mathematical/complexity assumptions that underlie most PKC: key negotiation including via multiple third parties, hash signatures, etc. Don't have the round tuits quite yet (and it doesn't really belong in this specific article), but throwing it out there if it piques anyone else's interest.

Rationale for no link to PQ companies.
I'm unfamiliar with how to mention a user such as 46.249.209.132; someone please modify this and help me out with a link on my user talk page.

Post-quantum cryptography (and anything with the word "quantum" in it) is at the frontier of technological advancement. Any mention of an entity that claims to specialize in such a field would be a strongly misleading and biased endorsement.

post-quantum.com may indeed be a PQ company, but Security Innovation and its subsidiaries (if I'm not mistaken) had specialized in NTRU for perhaps far longer than most other people, yet we still do not give them mention on this page. — Preceding unsigned comment added by Dannyniu (talk • contribs) 02:09, 11 September 2016 (UTC)

standardization section?
I suggest creating a section about the ongoing efforts to collect, select and/or standardize PQ primitives. There is a European group led by Tanja Lange: https://pqcrypto.eu.org/ https://www.tue.nl/en/university/news-and-press/news/23-04-2015-tanja-lange-leads-multi-million-euro-project-to-protect-data-against-quantum-computers and there is the NIST PQC project http://csrc.nist.gov/groups/ST/post-quantum-crypto/ . Maybe I can put in some work, but not anytime soon. Krisztián Pintér (talk) 22:19, 10 April 2017 (UTC)

Code-Based Cryptography variant McEliece-QC-MDPC Codes insecure
The variant of the McEliece cryptosystem using Quasi-Cyclic Moderate-Density Parity-Check codes is mentioned in this article, thereby stating that this is (still) a viable candidate for post-quantum cryptography. However, a key-recovery attack has been developed by Qian Guo, Thomas Johansson and Paul Stankovski (from Lund University in Lund, Sweden). They discuss their attack in their paper named "A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors". This variant is therefore no longer a viable candidate for post-quantum cryptography. Markovisch (talk) 05:09, 20 April 2017 (UTC)


 * This is likely better mentioned on the page for the McEliece cryptosystem. At this point "Classic McEliece" is the big target, since that is a competitor in NIST's Post-Quantum Cryptography Standardization project. 74.104.188.4 (talk) 16:01, 3 March 2018 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified one external link on Post-quantum cryptography. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20140503190338/http://eprint.iacr.org/2011/506 to https://eprint.iacr.org/2011/506

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers. — InternetArchiveBot (Report bug) 21:38, 12 January 2018 (UTC)

Appropriate capitalization?
The Post-Quantum Cryptography Standardization page has chosen to capitalize all letters, whereas this article only capitalizes the first letter. Might I suggest a common choice should be made? I'm inclined to go for all words capitalized. 74.104.188.4 (talk) 22:21, 1 March 2018 (UTC)


 * This article title definitely should not change. Wikipedia article titles that aren't proper names should not be capitalized (WP:TITLECAPS).
 * I think Post-Quantum Cryptography Standardization is also correct as it is because it is a proper name: it's the official name of a NIST project and does not refer to just any standardization of PQ crypto. -- intgr [talk] 23:12, 1 March 2018 (UTC)
 * That would seem to be an argument for renaming the Post-Quantum Cryptography Standardization article, or perhaps splitting it into two. I saw a mention of an attempt to have a standardization of this type in Europe, and an article by that name might be expected to cover any such standardization. 74.104.188.4 (talk) 23:35, 1 March 2018 (UTC)

Crypto Agility
I suggest we add a paragraph on crypto agility as an approach to getting prepared for quantum cryptography. There are quite a few publications on that, and it gives a workaround, as the "perfect" solution does not exist yet; however, infrastructure implemented today may still exist as legacy hardware and software in the post-quantum era. ScienceGuard (talk) 10:09, 20 November 2018 (UTC)

Make the "newer NTRU signature" link blue again.
A while ago, I converted that to a red link because it mistakenly pointed to the older NTRUSign page which only described the older NTRUSign algorithm. A few months ago, I added info for pqNTRUSign to NTRUSign, but I'm not sure if I've added appropriate markup to make the page recognizable to pqNTRUSign links, could somebody verify it and make the link blue again?

Dannyniu (talk) 14:35, 29 January 2019 (UTC)

B vs b in the comparison table
It is not obvious from the table whether the "B" refers to Bytes or bits. "B" is more commonly 8-bit bytes, while key lengths are more commonly expressed in bits.

Are these Bytes or bits? There's plenty of room in the table to spell out either one to avoid confusion to the non-expert reader.

BSD Daemon (talk) 20:14, 8 May 2019 (UTC)

Related sources (zkSnark)
Nicholas Spooner, UC Berkeley, nick.spooner@berkeley.edu. October 25. Waterwizardm (talk) 08:41, 9 July 2020 (UTC)

Article is contradictory
Which current algorithms are breakable by QC and which are not? The article states “all” in one sentence and “most” in another. Is the list of methods all encompassing (doubtful) or just the vulnerable ones? Jhodge3rd (talk) 04:17, 18 August 2021 (UTC)

Specifically this statement: “ As of 2021, this is not true for the most popular public-key algorithms, which can be efficiently broken by a sufficiently strong quantum computer.[citation needed] The problem with currently popular algorithms”. Should this, “The problem with currently popular algorithms”, be “The problem with SOME OF THE currently popular algorithms”? Jhodge3rd (talk) 04:24, 18 August 2021 (UTC)

Problems with initial statement
"In cryptography, post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer. As of 2021, this is not true for the most popular public-key algorithms, which can be efficiently broken by a sufficiently strong quantum computer.[citation needed]"

Citation needed indeed. This paper by DJB (PDF) from 2017 (which appears to be largely ignored by the authors of this Wikipedia page) goes into the problems of using Shor and GEECM: https://cr.yp.to/papers/pqrsa-20170419.pdf

TLDR: Everything isn't as black and white as the initial statement makes it out to be; factoring using quantum computers is harder than it looks, and there is also PQ-RSA being researched (I'm guessing by RSA). This article needs a serious rewrite.

Can new quantum computers break current cryptography?
The first sentence of the second paragraph begins: "Even though current quantum computers lack processing power to break any real cryptographic algorithm" and cites an article from 2013. Is that still correct? I know almost nothing about this topic, but this guy sure seems to think quantum computers can break most cryptography: https://www.tiktok.com/@cjtrowbridge/video/7294161171442142506

Also, should this article include the Quantum Information Science navbox template? Illinvillain (talk) 05:34, 27 October 2023 (UTC)


 * Current quantum computers are limited in size, and many known quantum algorithms are not well designed to handle how noisy the results from those computers are right now (including Grover's algorithm, which is what that video discusses. That said, people are working on this; see https://arxiv.org/abs/2202.00122, and also see any paper on quantum error correction). I'd say that this statement is still correct for now. If you want to consider the term "Q-Day", to the best of public knowledge, we're not there yet, but we're getting closer all the time.
 * Also, as someone working in the field, I would consider post-quantum cryptography to be a kind of quantum information science, but I don't know anything about how Wikipedia editors decide what navboxes are used. KJack115 (talk) 17:17, 5 March 2024 (UTC)

SIDH should no longer be mentioned
SIDH should no longer be mentioned here because it is broken on a standard single-processor computer within 21 hours. It is insecure!

Also check that the other ciphers mentioned are secure for the moment. 5.173.216.36 (talk) 15:41, 18 July 2024 (UTC)