One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers. Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it. Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand. The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced: Lattice-based systems: The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way. Code-based systems: McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals. Non-commutative systems: There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on. Multivariate systems: Multivariate crypto can be explained to somebody who knows Gaussian elimination. Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme. I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items. In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).

1. Klaus Schmeh
www.schmeh.org
September 12-14, 2018
How to Explain Post-
Quantum Cryptography to a
Middle School Student

2. My first
guest is ...

3. A quantum
computer! Hi!
Let me
introduce you.

4. Quantum
Computer
Based on
quantum
mechanics
Quantum bit can
have two values
at the same time
(superposition)

5. Performing
extremely many
computations in
parallel, if there is
only one result
What are you good at?
Examples:
• Find element in large set
• Find optimal solution

6. What are you not good at?
Sorting.
Because sorting
requires more than
one result.

7. What are you excellent at?
Prime factorization!

8. Prime Multiplication
1723 = ? 377 = ??
Prime Factorization
easy difficult
Prime Multiplication
is a one-way
function

9. RSA crypto system is based
on prime multiplication
1723 =
391
Alice's public keyAlice's private key
Prime numbers used in
practice have >500 digits

10. Up to a key
length of 5 bits.
Future versions will be
more powerful.
I can break RSA within
seconds.

11. Thanks for coming!

12. We need to study quantum-
proof alternatives!
RSA and some other encryption methods can
be broken by a quantum computer!

13. Six crypto system families are
believed to be quantum proof.
lattice-based
crypto
non-commutative
crypto
multivariate
crypto
code-based
crypto
hash-based
crypto
None of them is in
wide-spread use so far.
isogeny-based
crypto
I can only cover
four today.

14. US authority NIST has
started a competition! NIST post quantum competition
69 algorithms submitted
The best ones shall be
chosen until around 2023

15. And now welcome!

16. Mr. Snail!

17. Can you explain lattice-
based crypto to us?
lattice-based
crypto
I even can explain
lettuce-based
cryptography.

18. I prefer lettuce
to lattice.
Lattice pointsLattice
Lettuce field Lettuce points

19. a
b
Base vectors
d
c
Base vectors
"Good" base
(nearly orthogonal)
"Bad" base
(nearly parallel)

20. The "closest
lettuce" problem
Which lettuce point is
closest to the snail?
a
b Easy to answer, if good
base is known
d
c
Hard to answer, if only
bad base is known
Easy to answer for two-
dimensional lettuce fields
But if we deal with
250 dimensions?

21. This can be
regarded as one-
way function
Placing a snail next to
a lattuce point is easy
Finding the closest
lattuce point is difficult
(if only bad base is
available)
d
c

22. Goldreich–Goldwasser–Halevi (GGH) encryption
Let's now look at a
lettuce-based
encryption scheme!
Message
b
a
Alice's private key
good base
d
c
Alice's public key
bad base
Bob
Alice can decrypt
because she
knows good base

23. Can GGH be broken with a
quantum computer?
No.

24. Is GGH a good
scheme? No, it is broken.
But there are
other lettuce
methods.

25. For instance Learning with
Errors (LWE) methods.
At first sight, LWE
has nothing to do
with lattices ...

26. 294·x + 629·y + 321·z = 38 (mod 797)
701·x + 29·y + 91·z = 462 (mod 797)
613·x + 339·y + 201·z = 636 (mod 797)
256·x + 94·y + 115·z = 522 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 213 (mod 797)
290·x + 620·y + 201·z = 40 (mod 797)
211·x + 339·y + 381·z = 510 (mod 797)
Let's look at this
system of equations!
There are
more
equations
than
variables
It is solvable anyway: x=3,
y=7, z=6!

27. 294·x + 629·y + 321·z = 38 (mod 797)
701·x + 29·y + 91·z = 462 (mod 797)
613·x + 339·y + 201·z = 636 (mod 797)
256·x + 94·y + 115·z = 522 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 213 (mod 797)
290·x + 620·y + 201·z = 40 (mod 797)
211·x + 339·y + 381·z = 510 (mod 797)
+1
-2
+1
-1
+1
+2
Error
Let's add a few
errors to the
right side!
Errors are small!

28. 294·x + 629·y + 321·z = 38 (mod 797)
701·x + 29·y + 91·z = 462 (mod 797)
613·x + 339·y + 201·z = 636 (mod 797)
256·x + 94·y + 115·z = 522 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 213 (mod 797)
290·x + 620·y + 201·z = 40 (mod 797)
211·x + 339·y + 381·z = 510 (mod 797)
+1
-2
+1
-1
+1
+2
Can the errors be
detected without
knowing x, y, and
z?
39
460
523
212
42
511
636
477
Let's assume, only the
incorrect results are
known.
Learning with Errors (LWE) problem
Yes, but it's laborious!

29. This leads us to a
one-way function!
Adding errors to an equation system is simple Finding these errors is difficult
This can be used for asymmetric encryption!
Learning with Errors one-way function

30. 294·x + 629·y + 321·z = 39 (mod 797)
701·x + 29·y + 91·z = 460 (mod 797)
613·x + 339·y + 201·z = 636 (mod 797)
256·x + 94·y + 115·z = 523 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 212 (mod 797)
290·x + 620·y + 201·z = 42 (mod 797)
211·x + 339·y + 381·z = 511 (mod 797)
The Regev
encryption scheme
Alices public key:
Alices private Key: x=3, y=7, z=6
Bob

31. 294·x + 629·y + 321·z = 39 (mod 797)
701·x + 29·y + 91·z = 460 (mod 797)
613·x + 339·y + 201·z = 636 (mod 797)
256·x + 94·y + 115·z = 523 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 212 (mod 797)
290·x + 620·y + 201·z = 42 (mod 797)
211·x + 339·y + 381·z = 511 (mod 797)
701·x + 29·y + 91·z = 460 (mod 797)
256·x + 94·y + 115·z = 523 (mod 797)
704·x + 629·y + 322·z = 477 (mod 797)
391·x + 23·y + 743·z = 212 (mod 797)
211·x + 339·y + 381·z = 511 (mod 797)
+ + + +
+ + + +
= = = =
400·x + 791·y + 723·z = 717 (mod 797)
Bob
Alices private Key: x=3, y=7, z=6
Alices public Key:

32. If Bob wants to encrypt 0:
he adds 1 to the result
If Bob wants to encrypt 1:
he adds 399 to the result
How Bob encrypts one bit
400·x + 791·y + 723·z = 718 (mod 797) 400·x + 791·y + 723·z = 319 (mod 797)
400·x + 791·y + 723·z = 717 (mod 797)
Knows x,y and z
She can easily check if error in result
(718 or 319) is small or great
Alice
Bob
Attacker needs to solve the LWE problem
small error great error

33. Nice algorithm, but it
encrypts only one bit.
Yes, but there are more
powerful LWE schemes.

34. An what has Regev to do
with lattices?
I'll show
you.

35. An equation system
can be thought of
as lettuce field.
Each
column
is a
vector
Attacker needs to solve the closest lettuce problem
Encryption
0: snail close to lettuce
1: halfway between two lettuces
Decryption
Alice knows x, y and z
 she knows the lettuce point
 She can tell if message is 0 or 1
Message=0
Message=1

36. Are there other lettuce-
based systems? Yes, NTRU, Peikert,
New Hope, ...

37. There are many of this kind
in the competition. NIST post quantum competition
69 algorithms submitted
Lattice
27
Lettuce

38. Thanks, Mr.
Snail!

39. code-based
crypto
Our next guest is a
rocket scientist. Hi!

40. Explain what an error
correction code is!
code-based
crypto

41. 010100100101001101010101
How can we avoid
transmission errors?
Parity bits
01010011 00101000 11000101
Error detection code
1

42. 010100100101001101010101
Alternative
Transmit-three-times code
01010010 01010010 01010010
Error correction code
1

43. Transmit-three-times code
01010010 01010010 01010010
Error correction code
We need better error correction
codes than this one.
This isn't rocket
science!
Error correction code

44. 1 0 1 0 1 1 1 1 1 0 1 0 1 1
Linear error
correction code
5 bit 9 bit
1 0 1 0 1 1 1 1 0 1 0 1 1 0
Linear error
correction code
4 bit 10 bit
Maximum of errors corrected:  overhead/2
Linear error
correction codes

45. 1 0 1 0 1 1 1 1 1 0 1 0 1 1
Error correction
code
5 bit 9 bit
1 0 1 0 1
1 0 1 0 1 1 0 1
1 0 1 0 1 1 0 1
0 0 1 0 0 1 0 1
0 0 1 0 1 0 0 1
1 0 1 0 1 1 0 1
1 1 1 1 0 1 0 1 1 1=·
How a linear
error correction
code works.
59 matrix

46. Adding errors
is easy
Here is a one-
way function!
Finding these
errors is difficult
1011001010101010010101 ... 100
Error
correction
code
01001010 ... 010 0 0 1
In general, there
are exceptions

47. McEliece Crypto System
Easy error
correction code
1 0 1 0 1 1 0 1
0 0 1 0 1 1 0 0
0 0 1 0 0 1 0 1
1 0 0 0 1 0 0 0
0 0 1 1 1 1 0 1
Alices public key
Difficult error
correction code
=
0 0 1 0 1 1 0 1
1 0 1 0 1 1 0 1
0 0 1 0 0 1 0 1
1 0 1 0 1 1 0 1
1 0 1 0 1 0 0 1
Now we use this
for encryption! There are linear codes, for
which error finding is easy
Alices private key
1 0 1 0 1 1 0 1
1 0 1 0 1 1 0 1
0 0 1 0 0 1 0 1
0 0 1 0 1 0 0 1
1 0 1 0 1 1 0 1
blinding
matrix
0 0 1 0 1 1 0 1
1 0 1 1 1 1 0 1
0 1 1 0 0 1 0 1
0 0 1 0 1 0 0 1
1 0 1 0 0 1 0 0
blinding
matrix

48. Here's how
to encrypt
Ciphertext
10100110101011011101111011010011010101101110111101
Random number
010111101010110111011110110100010111101010110111011110110001101010110111011110111010101101110111101
McEliece Encryption
Difficult error
correction code
Alices public key
0 0 0 0 0111 1 1
Bob
Introduces errors
(plaintext)
1 0 1 0 1 1 0 1
1 0 1 0 1 1 0 1
0 0 1 0 0 1 0 1
0 0 1 0 1 0 0 1
1 0 1 0 1 1 0 1
Can find errors
(=plaintext) with easy
error correction code
Alice

49. overhead: 1547 bit
5413 bit
Alices Public Key
0101111010101101110111101101000101111010101101110111101100011010101..............1110111010101101110111101
6960 bit
Bob introduces 119 errors
0 0 0 0 0111 1 1
010111101010110111011110110101011011101111011000110101011011................10101101110111101
Size of public key: about 1MB
Parameters
in practice

50. NIST post quantum competition
69 algorithms submitted
Lattice
Code
27
21
Lettuce
21 algorithms in the
competition are code-based.

51. NIST post quantum competition
69 algorithms submitted
Lattice
Code
27
21
Lettuce
Thanks for coming,
Mr. rocket scientist.

52. And now, please
welcome ...

53. Mr. Rubik's
Cube.
Hi!

54. What's your post quantum
crypto method?
Non-commutative
crypto.

55. Move sequence examples
C
Let me first explain
Rubik's Cube move
sequences.
B
A

56. A
B
A+B
Move Sequence Addition
Addition means
concatenation.

57. not commutative
A+B = B+A
B+A
Move Sequence Addition
A
B
A+B
Let's do
another one.

58. Move Elimination
Let's look at
opposite moves.
A  B
opposite moves eliminate
each other

59. Move Sequence Negation
A
A-A
Move sequences
can be negated.
elimination
-A
(opposite moves, reverse order)
A-A = 0
eliminations
elimination

60. Conjugacy Problem
Difficult to solve it
Here's a one-
way function.
A: move sequence
B: move sequence
A B
=
-XX
? ? ? ???
Find X, for which X+A-X = B
Easy to set up such a problem

61. Equal
Can be used
as key
Stickel Key Exchange
Eavesdropper needs to solve
the conjugacy problem
Alice
Private key:
m, n
Bob
Private key:
r,s
m A + n B
r A + s B
K = mA+rA + sB+nB K = rA+mA + nB+sB
A quantum-
proof key
exchange
A: move sequence
B: move sequence
Similar to
Diffie-Hellman
(not quantum-
proof)

62. NIST post quantum competition
69 algorithms submitted
Lattice
Code
Non-commutative
27
21
1 Lettuce
Only one non-commutative algorithm,
but no Rubik's Cube algorithm.

63. NIST post quantum competition
69 algorithms submitted
Lattice
Code
Non-commutative
27
21
1 Lettuce
You're
welcome! Bye.
Thanks, Mr.
Rubik's Cube!

64. And now welcome
an island salesman!
Hi!
$15000

65. Tell us what
happened recently. $15000

66. Yes. But can I
look at it first?
Would you like to
buy an island?
$10000
$15000

68. Yes, I buy / No, I don't
Both can cheat!
Alice can send a yes and
later say it was a no.
The salesman can say "it was a yes",
though it was a no.

69. Yes, I buy.
Alice
No, I don't buy.
Alice
Safe 1 Safe 2
Combination safe 1
or
Combination safe 2
Alices
private
key
Alices
public
key
Alice has to reveal half of
her private key
=> She can use it only once

70. No, I don't buy.
Alice
Yes, I buy.
Alice
This scheme can also be
used in a digital way.
Hash-based signatures
One-way function
(e.g. SHA-2)
Random number 2
Random number 2
Hashing value of
random number 1
Hashing value of
random number 2
For signing a bit, Alice publishes
message 1 or message 2
Alices
private
key
Alices
public
key

71. Hash-based signaturesHash-based signatures
are quantum-proof!
Can be made more effective
However: keys are long and
can only be used once

72. NIST post quantum competition
69 algorithms submitted
Lattice
Code
Non-commutative
Hash
27
21
2 Lettuce1
Two of the algorithms in the
competition are hash-based.

73. NIST post quantum competition
69 algorithms submitted
Thanks, Mr.
salesman!
Lattice
Code
Non-commutative
Hash
27
21
2 Lettuce1

74. One more look at
the competition NIST post quantum competition
69 algorithms submitted
Lattice
Code
Multivariate
Non-commutative
Hash
Others
27
21
11
1
62
Isogeny
Lettuce

75. This was our post
quantum overview. NIST post quantum competition
69 algorithms submitted
Lattice
Code
Multivariate
Non-commutative
Hash
Others
27
21
11
1
62
I'm sure, we'll see
some of these
algorithms in practice.
Isogeny
Lettuce

76. Good-bye!