Quantum Computers, Shor’s Algorithm, and Post-Quantum Cryptography

Want to know how quantum computers really work? And why they can crack our best encryption systems? And how we might combat this? In this post, which is from a paper I wrote for a cybersecurity class where I went a bit above and beyond the assignment, I will go over these things. This post is long, but if you are interested in this, you might find it rewarding.

The paper this is copied from is here: https://authortomharper.com/wp-content/uploads/2023/01/Thomas-Harper-Project-IAAS221.pdf

The PDF version of this article contains the three appendixes (on quantum gates, mathematical background on algebraic structures such as rings, and quantum computer hardware and how it works) and two glossaries (one on notation and one on definitions) that will be referenced throughout this post, so if you would like more, then click the above link. Also, the PDF in the above link looks nicer, so it might be worthwhile reading that instead of this post, but if you’re the type that doesn’t like clicking links then this post is here for you.

I’ve copied the full reference section to the bottom of this post in case you’re interested in further reading.

Also, let me know in the comments if there are any formatting issues on this post. I copy-pasted from the PDF file and some of the subscripts and superscripts may have screwed up (I think I fixed them all, but I may have missed some).

First a bit of levity (and actually a decent introduction to how quantum computers actually work):

Now onto the main event.

Abstract

Encryption is necessary to ensure the security of online communications. Many different methods of encryption are available. The Rivest–Shamir–Adleman (RSA) cryptosystem is a commonly used public-key cryptosystem that uses prime factorization with large numbers. This is known as a one-way function (OWF), since it is much easier to multiply two very large prime numbers than to factor the product of those numbers using conventional computers. Quantum computers will be able to perform the factoring much faster than conventional computers, thereby making the RSA cryptosystem insecure. An algorithm, known as Shor’s algorithm, has already been discovered that will be able to crack RSA encryption once quantum computing hardware is sufficiently developed. It is therefore important to formulate methods of post-quantum cryptography (PQC) to ensure the security of RSA encryption before quantum computers become widely operational. Since 2016 the National Institute of Standards and Technology (NIST) has been running a competition in which teams attempt to formulate PQC systems. As of 2022, there are four contenders remaining. All four use some form of lattice-based cryptography, which is thought to be safe even from quantum computers. No known conventional nor quantum algorithm yet exists that can crack lattice-based cryptosystems in less than polynomial time, making them NP-hard even for non-deterministic computers. As such, lattice-based cryptography is a good candidate for PQC.
Keywords: modulus, RSA cryptosystem, qubit, Shor’s algorithm, post-quantum cryptography, lattice-based cryptography

Cryptography

For as long as humans had need of information security, they have used cryptography (alternatively, cryptology). The threat posed by those who might exploit information, such as in politics, diplomacy, or war, necessitated various methods of concealing that information. The ancient Greeks, for instance, are thought to have used what is called a scytale, which is a ribbon containing letters that can wrap helically around an object of a particular diameter (Djekic, 2013). When wrapped around the object, the letters align so as to formulate words.

Later inventions include substitution cyphers, such as the one purportedly used by Julius Caesar (hence the moniker Caesar cypher) that rotates the letters by a certain amount around the alphabet (Luciano, 1987). In such a scheme, the sender and receiver would know how much the letters are rotated and could therefore quickly decipher the message. The rotation measure, then, would be the secret key shared symmetrically between the sender and receiver.

A Caesar cypher would not be terribly difficult for an eavesdropper to crack, if they knew about how the cypher works. Other forms of substitution cypher can be used, which do not simply rotate around the alphabet, but make rotations of rotations or more randomly substitute each letter, thereby making a brute force approach to cracking it much more difficult. This is where modern cryptography, invented by 8th and 9th century Arab scholars, took off (Khan D. , 1996; Singh, 1999). For instance, the frequency analysis of Al-Kindi (Alkindus) in his ca. 850 C.E. treatise Deciphering Cryptographic Messages examined a message for how often certain letters show up and then compared that to how often letters show up in natural writing, thereby giving a good estimate of the substitution scheme being used (Al-Kadit, 1992; Al-Tayeb, 2003).

As cryptography grows in sophistication, so do techniques for breaking the cryptosystem. This was never clearer than during World War II, when both sides, particularly the Allies, poured a great deal of effort in breaking the cryptosystems of enemy communications. The work in Bletchley Park is renowned in practically mythological proportions among cryptanalysts and computer scientists, not only for how much determination was put into cracking the German Lorenz and Enigma codes (Turing, 1942), and the security measures employed, dubbed Ultra (Hinsley, 1993), to ensure the enemy did not suspect they were being eavesdropped upon, but also as the impetus for the invention of modern computers. Alan Turing, the father of modern computers, worked at Bletchley Park, and his work there motivated the invention of the lauded Turing machine, the template for modern computer programs (Turing, 1986; Turing, 2004).

The first Data Encryption Standard (DES) for cryptography using computers was put forth by IBM in the 1970’s and accepted by NIST in 1977 (NIST, 1977). It has since been superseded multiple times (NIST, 1988; NIST, 1993; NIST, 1999) and then by Advanced Encryption Standard (AES) (Nechvatal, 2001; NIST, 2001). At the same time as the first DES, the Diffie-Hellman key exchange system and RSA cryptosystem came out in 1976 and 1977 respectively (Diffie & Hellman, 1976; Rivest, 1978; Singh, 1999). The sophistication of these cryptosystems is motivated by what is sometimes called Kerchkoffs’s Principle (named after Auguste Kerckhoffs who proposed it in 1883) or Shannon’s Maxim (put forth by Claude Shannon, regarded as the father of information theory, in the mid-20th century) (Kerckhoffs, 1883; Shannon, 1949; Khan D. , 1996). This is a precautionary principle that says one should always assume that an eavesdropper is capable of immediately understanding your cryptosystem. Or, put more pithily: “the enemy knows the system being used” (Shannon, 1949, p. 662). This principle is to ensure that the users of a cryptosystem are not overconfident that nobody could be listening in on communications, as is famously what happened with the Axis powers in World War II.

Abiding by this principle is why, although quantum computer technology is still in its infancy (Benioff, 1980; Feynman R. P., 1982; Feynman R. P., 1986), there has been a lot of emphasis put on coming up with cryptosystems that are secure against quantum computers (NIST, 2022a).

The primary advantage of quantum computing is the speed with which it can handle certain types of problems, able to arrive at solutions exponentially quicker than conventional computers (Feynman R. P., 1986; Nielsen & Chuang, 2000; Hidary, 2019). As a result, quantum computing promises both great benefits to scientific and technological progress, but it also poses many potential hazards. Quantum computing technology is rapidly developing (Arute, 2019; Chan, 2019; HPC Wire, 2022; Rolston-Duce, 2022) (Figure 1), and as such, if cryptography is to remain secure, it will need to do two things:

• Use cryptographic algorithms that cannot be cracked by an eavesdropper using a quantum computer (or conventional computer) in any practical amount of time. In other words, it must be secure.
• Be able to be decrypted by the legitimate senders and receivers who possess the relevant keys fast enough to be practical as a cryptosystem. In other words, it must be practicable.

In what follows, I will discuss why our current cryptosystems are insecure against quantum computing by examining the popular RSA cryptosystem and how Shor’s algorithm used on a quantum computer can break RSA. Then I will discuss the potential solutions to this problem in the NIST competition for what is known as post-quantum cryptography (PQC).

RSA Encryption

Current cryptosystems are predicated on the idea of one-way functions (OWF), which are easy to compute in one direction but extremely difficult to do the inverse calculation (Goldreich, 2001). One way in which quantum computing poses a risk is that its ability to rapidly compute difficult problems, such as the inverse of OWF’s, stands to make our current methods of encryption obsolete (Mermin, 2006; Houston-Edwards, 2017b). A popular method of OWF encryption is what is known as public-key cryptography (Rivest, 1978; Stallings, 1990). In public-key cryptography, a public key is shared between two people, say Alice and Bob, who want to pass messages to one another. The public key is set by Alice, who also has a private key that is kept secret. Bob can then encrypt his message with Alice’s public key and send it to her. Anyone else who intercepts the message will not be able to decrypt it since it requires both the public and private keys to decrypt. When Alice receives it, however, she can decrypt the message using her private key.

A common public-key cryptosystem is the RSA (Rivest–Shamir–Adleman) cryptosystem (Rivest, 1978), which uses prime factorization with very large numbers as its OWF. This is done in the following way (Houston-Edwards, 2017a; Houston-Edwards, 2017b). We have our two people, Alice and Bob, where Bob wants to send a secure message to Alice. As discussed, in order to do this, Bob must have the public key set by Alice. The public key consists of two numbers denoted n and e. The number  is the product of two large primes p and q such that

This number n will be used as the modulus for Alice’s public key. The modulus is a concept in modular arithmetic, which is essentially cyclical arithmetic, like on a clock. A clock is a mod 12 system. What this means is, say it is 2 o’clock. What time will it be after nine hours? It will be

That is the same as in normal arithmetic. But what about if it is 2 o’clock and then eleven hours pass? Then we will have

We have cycled back around and started over from one. This cyclical behavior works for any modulus, where, for instance, if we have a mod 5 the cycle goes from 0 to 4 (it is usually standard to begin from 0 instead of 1) and so

The same would work for any modulus  so that

In our modular arithmetic, we can still do multiplication and exponentiation. So, for instance, in our  system, we can do

And for xk = y mod N with N = 5

An interesting property with prime numbers is that if we have the greatest common divisor of x and N, denoted g.c.d.(x,N) = 1, then x and N are said to be coprime or relatively prime. If we choose an x and N that are coprime, then when we raise x to successive positive integer powers k we get a repeating pattern. If we use, say, x = 2 and N = 7 we get Table 1.

In general, we have that if 𝑥 and 𝑁 are coprime, then this will work for all

Observe that in the example in Table 1 we have the repeating pattern of 2, 4, 1, with a period of three. Importantly, it is also the case that the last number in the period will always be 1 when 𝑥 and 𝑁 are coprime. The length of the period 𝑟 will be a signature of the particular 𝑥 and 𝑁 such that

For now, this appears an interesting curiosity, but it will become important later when I cover Shor’s algorithm (Shor, 1994). Let us get back to Alice and Bob sending encrypted messages using the RSA cryptosystem. I said Alice generated a number 𝑛 which was obtained from 𝑛 = 𝑝𝑞 and will be used as the modulus for her encryption. First, she needs a number 𝑒 which falls between 1 and 𝜆(𝑛)

Where 𝑒 and 𝜆(𝑛) are coprime, i.e., the greatest common divisor g.c.d.(𝑒,𝜆(𝑛)) = 1. The number 𝜆(𝑛) is called the Carmichael’s totient function (Carmichael, 1910) and is the smallest positive integer 𝑚 such that

Meaning that am and 1 congruent modulo 𝑛 and that 𝑎 and 𝑛 are coprime, which means that

And g.c.d.(𝑎,𝑛) = 1. As an example, we have for 𝑛 = 5 that 𝜆(𝑛) = 𝑚 ⟶ 𝜆(5) = 4 since the set of numbers 𝑎 that are coprime with 5 is 𝑎∈{1,2,3,4} and

If we had 𝑚 = 3 or 𝑚 = 2 then it would not satisfy the (mod 5) criteria, and so 𝑚 = 4 is the smallest positive integer that satisfies am ≡ 1 (mod 𝑛) for 𝑛 = 5. Alice now has the public key of 𝑛 and 𝑒, but still needs something for a private key. This is denoted as 𝑑 and is calculated as

In other words, it is the modular multiplicative inverse of 𝑒 modulo 𝜆(𝑛), which means that

Which gives us

Now, after all this, Alice has 𝑛 and 𝑒 as her public key (think 𝑒 for encryption), and 𝑑 and the private key (think 𝑑 for decryption). And so, when Bob wants to send an encrypted message 𝑀 to Alice, he can use Alice’s public key (𝑒,𝑛) and, using Optimal Asymmetric Encryption Padding (OAEP) (Bellare M. a., 1995; RSA Laboratories, 1999) to turn his message 𝑀 into an integer 𝑚, and then encrypt it

And then Alice, upon receiving the ciphertext 𝑐 can decrypt it with her private key 𝑑 to retrieve the integer 𝑚

As a simple example, we can use the prime numbers

Giving us 𝑛 of

And then 𝜆(𝑛) is the lowest common multiple (l.c.m.) of one less than our our prime numbers, i.e., 𝑝 − 1 and 𝑞 − 1, and is

We then find an 𝑒 that is both less than and coprime to 12, which can be any number between 1 and 12 that does not have a common divisor other than 1 with 12. It is often best to use a prime number, since then we already know that it is only divisible by 1, meaning we only need to show that 𝜆(35) = 12 is not divisible by our 𝑒. It is also possible to simply use 𝜆(35) − 1 which for us is 11, which also happens to be prime (this may not always occur). We can thus use

We then must find the modular multiplicative inverse of 𝑒, which in this case also happens to be

Since

Where we end up with a remainder of 1 after division by the modulus

The public key is then (𝑒,𝑛) = (11, 35) and the message is

And the private key of 𝑑 = 11 gives the decryption

Say we want to encrypt the number 𝑚 = 23, we then do

And then to decrypt we do

Which gives us back our original number.

In practice, Alice would use prime numbers 𝑝 and 𝑞 that are much larger, making prime factorization of 𝑛 extremely difficult, i.e., much more difficult than the prime factorization of 35 into 5 and 7. It is the difficulty of prime factorization that makes decryption without both the public and private keys exceedingly difficult for a conventional computer using brute force algorithms.

Quantum Computation

Since 2015, the National Institute of Standards and Technology (NIST) has recommended that the modulus for the RSA key length be 2048 bits (Barker & Dang, 2015), which is a number with some 617 digits. The record for cracking an RSA key was set in 2020, with a key length of 829 bits, a 250-digit number, which took 2700 core-years using Intel Xeon and the general number field sieve algorithm (Zimmermann, 2020; Lenstra, 1993). Using a conventional computer, cracking a 2048-bit RSA key could take millions of years using the general number field sieve algorithm, and much longer using brute force tactics.

Quantum computers, on the other hand, can make such computations much faster. In quantum computing, instead of using 0 and 1 as the states of the logic gate, it uses a unit vector in complex 2D Hilbert space (Hilbert D. R., 2009; Hilbert D. R., 1928). This can be given in Dirac bra-ket notation (Dirac, 1939; Dirac, 1958) as a linear combination of states as follows

Where the coefficients 𝛼,𝛽∈ℂ and are normalized so that 𝛼𝛼* + 𝛽𝛽* = 1 (where the superscript * indicates complex conjugate) and the ket vectors |0⟩ and |1⟩ are orthonormal bases such that

This vector can be represented as in Figure 2 in what is called a Bloch sphere (Bloch, Nuclear Induction, 1946; Feynman R. P., 1957; Bloch & Rabi, 1945; Stroud, 1972), with

The e is a phase factor which does not affect the global probability amplitude (see Appendix C for how this is carried out on an actual quantum computer). And so, the Bloch spheres for the zero-superposition and uniform superposition would look like Figure 3.

.

To perform the computations, the quantum computer uses the superposition of the quantum system, called a qubit (portmanteau of quantum bit). This is done essentially by preparing the quantum system in a superposition of all states and then using a quantum algorithm to destructively interfere with “incorrect” states (i.e., states that represent the incorrect solution to the problem) until only the state representing the correct solution remains (Figure 4).

We can think of it like this. If we want to find a factor of 𝑛 with a conventional computer, we could use a brute force method. This means that our computer would see if 2 divides 𝑛, and if that does not work, it would then check if 3 divides 𝑛, and if that does not work, it would check if 4 divides 𝑛, and so on up to 𝑛 − 1 or whenever the computer found a number that divided 𝑛.

We could instead have multiple computers, perhaps even up to 𝑛 − 1 computers, working in parallel, each one checking to see if its single assigned number divides 𝑛. This obviously becomes extremely computationally expensive when we have 𝑛 with 600+ digits, since there are not enough computers in the universe to do this.

Enter the quantum computer. Since a qubit is a linear combination of multiple states, it can essentially hold all the possible solutions for factors of 𝑛 all at once (Houston-Edwards, 2017b).

Where each |𝑝 = 𝑖⟩ is a possible factor for 𝑛 = 𝑝𝑞. The problem is that when we measure our system, there is a 1/𝑛 chance of randomly getting one of the states, making it no better (and perhaps worse) than the brute force method with conventional computers. This means we need some way of amplifying the |𝑝 = 𝑖⟩ that has the correct value for 𝑖 while removing those states that do not have the correct value for 𝑖. Doing this will use what is called the quantum Fourier transform (QFT) which will be discussed later (Coppersmith, 1994).

A single qubit is not enough for most quantum calculations, and so quantum entanglement is exploited to generate a much larger space of possible quantum states (Bernhardt, 2019; Qiskit, 2022a). Effectively what this means is that we cannot differentiate the state of one quantum system from another (the state is described by a single Hamiltonian), and so for two particles that we can call particle 𝐴 and particle 𝐵 we get the entangled quantum state denoted by |𝐴⟩⨂|𝐵⟩ where ⨂ is the tensor product of our two Hilbert spaces HA and HB. More explicitly, this gives us

Where a0, a1, b0, b1 are probability amplitudes. When we “FOIL” it out we get

We can set the probability amplitude products equal to a single letter

As before, we have that 𝑝𝑝* + 𝑞𝑞* + 𝑟𝑟* + 𝑠𝑠* = 1. But we also have that if the two particles are not entangled, then 𝑝𝑠 = 𝑞𝑟, but if they are entangled, then 𝑝𝑠 ≠ 𝑞𝑟 since 𝑞|0⟩A|1⟩B + 𝑟|1⟩A|0⟩B represents that the particles cannot be differentiated from each other (i.e., it could be that particle 𝐴 is in state |0⟩ and particle 𝐵 is in state |1⟩, or it could be the other way around).

With two particles 𝐴 and 𝐵, they each have their own 2D Hilbert space HA and HB, so the tensor product of these two spaces is a 4D space with the basis

Giving the 4×4 identity matrix

We can make the Controlled NOT (CNOT) quantum gate (equivalent of exclusive OR gate, i.e., XOR gate, see Appendix A for more on quantum gates) (Barenco, 1995; Nielsen & Chuang, 2000) by switching the last two columns

What this allows us to do is entangle an unentangled pair of electrons |𝐴⟩ and |𝐵⟩. If we have our unentangled pair of electrons as

Where now we see that 𝑝𝑠 ≠ 𝑞𝑟, meaning our particles are entangled.

Entanglement increases the number of particles in a quantum register and allows for a greater number of possible states of the system (IBM, 2022). For instance, if our register has three entangled particles, then we have (Qiskit, 2022a)

And in general, for 𝑛 qubits in the quantum register there will be 2n probability amplitudes.

The same method of destructive interference discussed above is used on the register, but it allows for computations on problems containing much more information. Think of it like this: a conventional computer with 64-bits can perform computations with larger numbers than a 32-bit conventional computer, so a 2-qubit quantum computer would be able to perform computations on larger numbers than a 1-qubit quantum computer. Quantum computations make quantum computers significantly faster at solving certain kinds of problems than conventional computers (Figure 5). This means that once quantum computers are sufficiently advanced (Arute, 2019), the use of algorithms like that of Peter Shor (Shor, 1994; Mermin, 2006) will make RSA (Rivest–Shamir–Adleman) cryptosystems (Rivest, 1978) insecure. This is because quantum computers can solve the prime factorization with many fewer operations than conventional computers.

Shor’s Algorithm

Here is how Shor’s algorithm works (Houston-Edwards, 2017b; Mermin, 2006; Qiskit, 2022c). Say Bob wants to send an encrypted message to Alice. To do this, Alice shares her public key with Bob, which contains the modulus 𝑛, as discussed above. Since this is part of the public key, a hacker Eve can gain access to it. Because Alice and Bob are using the RSA cryptosystem, Eve knows that their 𝑛 is equal to the product of two prime numbers 𝑝 and 𝑞 such that

The first thing Eve will do is pick a number 1 < 𝑎 < 𝑛 that is coprime to 𝑛, meaning that the greatest common divisor is 1, i.e., g.c.d.(𝑎,𝑛) = 1. This can be done using the Euclidean algorithm (Khan S. , 2013; Zhou, 2010). If Eve finds that g.c.d.(𝑎,𝑛) > 1 then 𝑎 is a factor of 𝑛 and Eve has succeeded. However, if g.c.d.(𝑎,𝑛) = 1 then Eve will need to do more work.

The next step is to compute the period 𝑟 of 𝑎 mod 𝑛. Remember, the period is how many times the computation is repeated before the remainder gets back to one, i.e., that ar = 1 mod 𝑛. Let us say, for instance, that we have 𝑛 = 35 and we use 𝑎 = 8, since those are coprime. We find that

And so, Eve finds that the period is 𝑟 = 4. Eve will need to have 𝑟 be even for this to work out, and so if 𝑟 ends up being odd, Eve will have to go back and pick a different 𝑎. In this case, Eve was lucky the first time and got an even number 𝑟. The reason for this is because we will need to factor out 𝑎𝑟 and so will need ar/2 to proceed. Eve will also need to know that

If this is not satisfied, Eve will again have to go back and pick a different 𝑎. Next, Eve can use the fact that she knows

Which means that ar − 1 is a multiple of 𝑛 such that

Eve can then factor ar − 1 to obtain

And use that 𝑛 = 𝑝𝑞 to get

Which tells Eve that 𝑝 divides one of the two parentheses in the numerator and 𝑞 divides the other one. The reason we needed ar/2 + 1 ≢ 0 mod 𝑛 was to ensure that 𝑝 divides only one of them and 𝑞 divides only one of them. In other words, Eve can safely say that

Using the example of 𝑛 = 35 and 𝑎 = 8 we have that

And so

With 7 and 5 being the two prime numbers that multiply together to get 35.

In practice, if Eve is using a conventional computer, she will find that obtaining the period 𝑟 is computationally extremely difficult and time consuming. But if Eve has a quantum computer, she will be able to find 𝑟 much faster. This is where Shor’s algorithm really comes into play.

As discussed earlier, when using a quantum computer, the different potential factors of 𝑛 are represented in the superpositions of the qubits. When measuring the system there will be an equal probability of finding one of the states. As such, there needs to be a way of amplifying the components of the superpositions representing the correct factors of 𝑛 and reducing those that are incorrect factors. This is done using the quantum Fourier transform (QFT) (Coppersmith, 1994; Qiskit, 2022b).

To understand QFT we first need to discuss the Hadamard gate (Sylvester, 1867; Hadamard, 1893), which is a 1-qubit QFT (Appendix A). Earlier I described the CNOT gate, which is a type of quantum gate. The Hadamard gate is another quantum gate and is represented by the matrix

What the Hadamard gate does is switch from the 𝑧-basis to the 𝑥-basis on the Bloch sphere (Figure 6). Recall that the 𝑥-basis represented the phase (Figure 3). This means, similar to a typical Fourier transform, it is transforming from one domain to another, in this case from what is called the counting basis (or the 𝑧-basis) into the Fourier basis (or the 𝑥-basis).

The QFT works much the same way, except now it is doing it with multiple qubits, which cannot really be illustrated with a Bloch sphere. The QFT is given by (Qiskit, 2022b)

Where 𝜙k are our vector components in the Fourier basis, 𝜓j are our vector components in the counting basis, and ei2π(jk)/N indicates a number of phase shifts. We can look at how this works for the Hadamard gate for a single qubit |Ψ⟩ = 𝛼|0⟩ + 𝛽|1⟩ where 𝜓0 = 𝛼, and 𝜓1 = 𝛽, and 𝑁 = 2 so that

Which is the same as using the Hadamard operator

For larger systems, just a single Hadamard gate will not suffice, and so we also need the phase gate, called the controlled rotation or CROT, which is

Which gives the QFT in general for 𝑁 = 2n as

Where we can see that |0⟩ does not change but |1⟩ is rotated (counterclockwise) around the 𝑧-axis.

Now, with these rotations, we can exploit the roots of unity found in complex analysis (Figure 7). While in the Fourier basis, for each qubit in our register, we rotate the vector once, with each qubit rotating by an angle determined by the roots of unity. For instance, if we have four qubits, one will remain where it is (𝑁 = 1), one will oscillate back and forth (𝑁 = 2), one will make rotations of 120° (𝑁 = 3), and the last will make rotations of 90° (𝑁 = 4). It does one of these rotations for each of the terms of our linear combination (i.e., each component of our superposition). When it lands on the final member of the period, i.e., 𝑎k ≡ 1 mod 𝑛, we stop and measure which direction the vector is pointing (i.e., what the phase is). Whichever root of unity is equal to the period 𝑟 will be the one that does not end up back at the starting point when a period is over.

As an example, let us look at 𝑎 = 2 and 𝑛 = 7. For this, our superposition will be

This is a simple case, so we know that the period will repeat 2,4,1 over and over again, giving us 𝑟 = 3. But let us look at it with our algorithm. With the 𝑁 = 2, 3, 4 roots of unity (skipping the trivial case of 𝑁 = 1) we find that the 𝑁 = 2 and 𝑁 = 4 cancel out while the 𝑁 = 3 amplifies because they point in the same direction (Figure 8).

For 𝑎k mod 7 all rotations around the roots of unity will cancel out except for 𝑁 = 3, which will be amplified, telling us that our period is 𝑟 = 3. Now, equipped with the period, our hacker Eve would be able to discover (𝑎r/2 − 1)(𝑎r/2 + 1) = 𝑘𝑝𝑞 and obtain 𝑝 and 𝑞.

Lattice-Based Cryptography

Once quantum computer technology arrives at the point where it is able to run Shor’s algorithm, the RSA cryptosystem will be insecure (Shor, 1994; Mermin, 2006; IBM Quantum, 2022; Qiskit, 2022c). This demands the development of new cryptosystems to protect against these vulnerabilities. The National Institute of Standards and Technology (NIST) has been running a competition in which groups come up with post-quantum cryptography (PQC) algorithms, such as the McEliece cryptosystem (McEliece, 1978) and Lattice based cryptography (Ajtai M. , 1996; Ajtai M. a., 1997; Regev, 2005; Hoffstein, 1998; Kwiatkowski, 2019). As of 2022, there are four selected algorithms still in the running (NIST, 2022a).

Lattice based cryptography uses the fact that finding the smallest non-zero vector in an 𝑛-dimensional lattice is extremely difficult, even for a quantum computer (Regev, 2005). This is known as the SVP or the Shortest Vector Problem (van Emde Boas, 1981; Manohar, 2016; Nguyen, 2010). See Appendix B for a more in-depth review of the mathematical background, but I will explain it here briefly. Say we have a vector space 𝑉 with the Euclidean norm ℓ2 and a basis in ℝm that is

With our basis 𝑏1, 𝑏2,…, 𝑏n in 𝑚 dimensions such that

And 𝑚 ≥ 𝑛. For our purposes we can use the case where 𝑚 = 𝑛 and therefore [𝑏1, 𝑏2,…, 𝑏n] is a square matrix that we can write as

Where ℝn×n is the set of all real-numbered 𝑛×𝑛 matrices. Our lattice is then

And so, a lattice would be

Which is the points in 2D Euclidean space ℝ2 with integer coordinates, which have basis

Which would give us the same lattice (Figure 9). Indeed, it is the case that every lattice with a rank of 𝑛 ≥ 2 can have infinitely many bases (Nguyen, 2010; Manohar, 2016).

The bases are found when the fundamental parallelepiped 𝒫(𝐆) and the lattice Λ only have an intersection at the point zero

Since zero is the only coordinate in 𝒫(𝐆) that is an integer.

A basis must satisfy two properties: they must be vectors that are (1) linearly independent and (2) span the entire space. (1) means that each basis cannot use any of the other bases to describe them, and (2) means that any point in the space (i.e., the lattice) must be able to be described using the basis (there are no points in the lattice that cannot be described by linear combinations of the bases). What we might think of as the natural basis is the one that uses the shortest distances, like those shown on the left side in Figure 9. But it would not be invalid to use a basis that is 𝑏1 = (2  0)T and 𝑏2 = (0  2)T, or, indeed, as shown on the right side of Figure 9, we could alternatively have used

What we then want to do is find the smallest non-zero vector, which is denoted as 𝜆1(Λ) where this is the shortest in what is called the successive minima of the lattice 𝜆i(Λ). To find this, we take an open ball 𝐵r(𝑝) at a point 𝑝 (usually at 𝑝 = 0) and then find 𝑥 such that

Where 𝑟 is the radius of the open ball 𝐵r(𝑝). The successive minima are defined so that

What this means is that each successive 𝜆i(Λ) must be the next larger open ball to include lattice points in the next dimension. For instance, if we have a 2D rectangular lattice (Figure 10), then 𝜆1(Λ) is the smallest open ball that includes the next nearest lattice point, and 𝜆2(Λ) is the radius of the next larger open ball that includes the nearest lattice point in a second dimension.

At first the SVP may appear to be an easy problem. However, if this is done in many dimensions, even on the order of hundreds of dimensions, and using long bases instead of short, then the problem becomes an NP-hard problem, requiring greater than 𝑂(𝑛2) time to compute (Papadimitriou, 1993; Sipser, 2014; van Leeuwen, 1994; Peikert, 2009). Indeed, there is no known way to solve it quickly, even with a quantum computer, which makes the SVP a good candidate as a secure cryptosystem.

There are three variants of what is called the closest vector problem (CVP). These are known as the decisional, optimization, and search CVP, which are defined in the following ways.

The most common types of lattice problems are the shortest vector problem using the decisional variant, which is called GAPSVP, and the shortest independent vectors problem, or SIVP. There are also the generalized independent vectors problem (GIVP) and the discrete Gaussian sampling problem (DGS). The definitions of these are

In general, we have that the probability at some point 𝐱 in the lattice is

Where 𝑐 = 0 at the origin. And the distribution for some set 𝐴 is

From this, the definition of 𝐷A,k (the general form of 𝐷ℒ,𝑟) is

Post-Quantum Cryptosystem Competition at NIST

The selected PQC from NIST, (Table 2) use lattice-based cryptosystems (NIST, 2022a).

CRYSTALS-KYBER (Cryptographic Suite for Algebraic Lattices)

For the sake of brevity, I will focus only on the CRYSTALS-KYBER system, primarily pulling from (Botros, 2019) and (Avanzi, 2021).

Using modular learning with errors (MLWE), the public key consists of a 𝑘×𝑘 matrix 𝐀̂ (where 𝐀̂ is a matrix 𝐀 after use of a number-theoretic transform (NTT)) with polynomial elements from the modulo 𝑞 ring ℛq=ℤq[𝑥]/(𝑥n + 1) (see Appendix B). The CRYSTALS-KYBER system in particular uses the prime number 𝑞 = 3329 and order 𝑛 = 256 such that

In learning with errors (LWE) (Regev, 2005; Stehlé, 2009; Langlois, 2012; Lyubashevsky V. C., 2013; Bonnoron, 2017; Chen H. L., 2020; Albrecht, 2021; Boudgoust, 2022) we are given an 𝑛-dimensional lattice where we need to find linearly independent vectors s1, s2, s3, …, 𝑠n that minimize max(i)‖𝑠i‖. This is often made simpler by requiring that max(i)‖𝑠i‖ is within an approximation factor 𝛾(𝑛) ≥ 1 off from the real vector 𝐬. To find max(i)‖𝑠i‖ using LWE we are given positive integers 𝑛 and 𝑞 (lattice dimensions and modulus, respectively) with a probability density function 𝜒 over the interval 𝕋=ℝℤ⁄≅[0,1) and then must find the vector 𝐬 using random 𝑎∈ℤnq and 𝜀∈𝕋 (uniformly sampled) such that we have the equations

Where, given many (𝑎i,𝑏i) and an error 0 ≤ 𝜀 < 1, the vector 𝐬 must be calculated. When we have that 𝜀 = 0 this is a standard Gaussian elimination problem and takes 𝑛 equations to find a single 𝑠i, corresponding to a single bit of our message. When instead we have 𝜀 > 0 then it requires 2n equations and 𝑂(2n) time to obtain the first bit of the message. We can use instead matrices such that 𝑎ij∈𝐀 and 𝑏ij∈(1/q)𝐀𝒔+𝒆 where 𝐀∈ℤqm×m. For the CRYSTALS-KYBER system, the 𝐬 vector that we are trying to find (i.e., the shortest vector) and 𝐞, the error, are 𝑘-dimensional vectors so that 𝐛 = (1/𝑞)〈𝐀̂,𝐬〉+𝐞.

The number-theoretic transform (NTT) (Toom, 1963; Cook, 1969) is done in order to perform more efficient multiplications in ℛq=ℤq[𝑥](𝑥n + 1). NTT is a generalization of the fast Fourier transform (Cooley & Tukey, 1965). Briefly, it works as follows. If we have a polynomial 𝑓(𝑥) = Σi=0n-1 fixi∈ℛq then the NTT is

With 𝜔 = 3844 and 𝜓 = √𝜔 = 62 and each 𝑓i randomly sampled from a centered binomial distribution 𝐵𝜂 with 𝜂 = 2 or 𝜂 = 3 such that {0,1}2𝜂∈𝐵𝜂 (see Glossary: Notation and Parameters). The inverse is

For instance, using the polynomial (𝑥256 + 1) we can factor it into 128 degree 2 polynomials modulo 𝑞 like

Where 𝜁 are the 256 roots of unity. And so, the NTT of 𝑓∈ℛq is

This makes the multiplication of two polynomials 𝑓,𝑔∈ℛq much more efficient using

Key construction is done in two steps. The first step (Figure 11) generates a chosen-ciphertext attacks (CCA) secure key encapsulation mechanism (KEM).

This is done similar to (Lyubashevsky V. C., 2013), but instead of ℤq uses a polynomial ring ℤq[𝑥]/〈𝑓(𝑥)〉 like in (Hoffstein, 1998). It also utilizes a method made by (Alkim, 2015) to generate a public matrix (Figure 12).

The second step (Figure 13) is to generate the Kyber.CCAKEM IND-CCA2-secure KEM (indistinguishability against chosen-ciphertext attacks (IND-CCA) KEM) (Rackoff, 1992) using a variation of the Fujisaki–Okamoto transform (Fujisaki, 2013; Hofheinz, 2017).

The Fujisaki–Okamoto transform converts asymmetric or symmetric encryption schemes into a stronger hybrid encryption scheme, i.e., strong in the sense of indistinguishability against adaptive chosen-ciphertext attacks (IND-CCA) in the random oracle model (Bellare & Rogaway, 1993).

Conclusions

As it stands, online banking, email, e-commerce, Transport Layer Security (TLS), and Virtual Private Networks (VPN) use what is called the public key infrastructure (PKI) (Copeland, 2021). To decrypt such messages, a person or business requires a private key in addition to the public key. Without the private key, the time it would take to break the encryption would be hundreds or even thousands of years. With quantum computers, a potential eavesdropper will not require the private key to be able to break the encryption in as short as eight hours (Ryan-Mosley, 2019).

As a result, post-quantum cryptography will be important in many arenas, such as in the realms of the military (Parker, 2021), national security (DHS, 2022), diplomacy (Shafeeq, 2022), and business (IBM, 2018; Buchholz, 2021). Indeed, in July of 2022, NIST already selected twelve businesses to begin using their post-quantum cryptosystems (NIST, 2022b) (Figure 14). Further, there are startups that are attempting to come up with their own methods of post-quantum cryptography (StartUs Insights, 2020; Tracxn, 2022).

Changing to PQC will not be an easy process (Chen L. , 2017; Barker W. W., 2021). For one, in the currently developing PQC’s, the key sizes can still be quite large, making them unsuitable for many uses. Similarly, decryption can still be computationally burdensome. Indeed, the NIST white paper (Barker W. W., 2021) says

On the other hand, existing protocols might need to be modified to handle larger signatures or key sizes (e.g., using message segmentation). Implementations of new applications will need to accommodate the demands of post-quantum cryptography and allow the new schemes to adapt to them. In fact, post-quantum cryptographic requirements may actually shape some future application standards.

These new PQC algorithms will also mean replacing cryptographic libraries, validation tools, hardware, operating systems, and procedures used by administrators and users alike. There will need to be new documentation for standards and procedures of installation, maintenance, and administration. Further, businesses and other organizations will need to catalogue where cryptography is implemented and for what reason, but most IT and information security do not keep records of every system using cryptography. As such, these organizations will need to come up with protocols and methods for identifying where and how these cryptosystems are employed, and then coming up with a means for prioritizing which systems need to be replaced with PQC’s.

The NIST white paper (Barker W. W., 2021) says that identifying where PQC should be implemented will require

• Outreach to SDOs to raise awareness of necessary algorithm and dependent protocol changes (e.g., Internet Engineering Task Force [IETF], International Organization for Standardization/International Electrotechnical Commission [ISO/IEC], American National Standards Institute/International Committee for Information Technology Standards [ANSI/INCITS], Trusted Computing Group [TCG])
• Discovery of all instances where Federal Information Processing Standards and NIST Special Publication 800-series documents will need to be updated or replaced
• Identification of automated discovery tools to assist organizations in identifying where and how public-key cryptography is being used in their systems
• Development of an inventory of where and for what public-key cryptography is being used in enterprises

Regardless of these difficulties, it is necessary that PQC measures be formulated and implemented. Estimates for when quantum computers will reach a level of advancement sufficient to reliably crack current encryption schemes range anywhere between five years and twenty years (Shankland, 2021). As a result, the pains of migrating to PQC will likely be much less than the pain of not migrating to PQC. Neglecting to do this could potentially result in a wild-west-like anarchy of hacks and leaks of personal and vital information from individuals and organizations alike.

The topic of quantum computers and post-quantum cryptography is much larger than this report could ever hope to fully cover. Here I have discussed only a single current public key cryptosystem, namely RSA, and only took a cursory look at a single one of the numerous PQC’s being developed to supersede our current cryptosystems, namely CRYSTALS-KYBER. And even there I hardly did justice to the sophistication and complexity of the PQC. Yet I hope this report has at least indicated at how serious the issue is, and at how difficult it may be to fully implement a regime of post-quantum cryptography.

References

Ajtai, M. (1996). Generating Hard Instances of Lattice Problems. Electron. Colloquium Comput. Complex.,
3., 99108. doi:10.1145/237814.237838

Ajtai, M. a. (1997). A PublicKey Cryptosystem with WorstCase/AverageCase Equivalence. Electronic

Albrecht, M. &. (2021). Lattice Attacks on NTRU and LWE: A History of Refinements. Cryptology ePrint

Alexander, T. N.A. (2020). Qiskit pulse: programming quantum computers through the cloud with pulses. Quantum Science and Technology, 59565/aba404

AlKadit, I. A. (1992). The origins of cryptology: The Arab contributions. Cryptologia, 97126. doi:10.1080/0161119291866801

Alkim, E. L. (2015). Postquantum key exchange a new hope. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2015/1092

AlTayeb, T. (2003, June 9). AlKindi, Cryptography, Code Breaking and Ciphers. Retrieved November 8, 2022, from Muslim Heritage: https://muslimheritage.com/alkindicryptography/

Anderson, P. W., & Rowell, &. J. (1963). Probable Observation of the Josephson Tunnel Effect. Phys. Rev. Lett., 230232. doi:10.1103/PhysRevLett.10.230

Arute, F. e. (2019). Quantum Supremacy Using a Programmable Superconducting Processor. Nature, pages 505510. doi:https://doi.org/10.1038/s4158601916665

Avanzi, R. B. (2021). CRYSTALSKyber Algorithm Specifications And Supporting Documentation.

Bacon, D. (2001). Decoherence, control, and symmetry in quantum computers. University of California, Berkeley. Retrieved from https://arxiv.org/abs/quantph/0305025

Bai, S. a. (2013). An improved compression technique for signatures based on learning with errors. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2013/838

Bardin, J. C. (2020a, August). Quantum Computing. pp. 2444. Retrieved from https://par.nsf.gov/servlets/purl/10195986

Bardin, J. C. (2020b). Microwaves in Quantum Computing. IEEE Journal of Microwaves, 403427. doi:10.1109/JMW.2020.3034071

Barenco, A. B. (1995). Elementary gates for quantum computation. Physical Review, 34573467.

Barends, R. K. (2013). Coherent Josephson Qubit Suitable for Scalable Quantum Integrated Circuits. Physical Review Letters, 080502. doi:10.1103/PhysRevLett.111.080502

Barker, E. a. (2015). Recommendation for Key Management Part 3: ApplicationSpecific Key Management Guidance. Gaithersburg: National Institute of Standards and Technology U.S. Department of Commerce. doi:http://dx.doi.org/10.6028/NIST.SP.80057pt3r1

Barker, W. W. (2021). Getting Ready for PostQuantum Cryptography: Exploring Challenges Associated with Adopting and Using PostQuantum Cryptographic Algorithms. NIST. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf

Bauch, J.D. (2014). Lattices over polynomial Rings and Applications to Function Fields. Arxiv. Retrieved e/10803/283357/jdb1de1.pdf?sequence=1

Bellare, M. a. (1995). Optimal Asymmetric Encryption How to encrypt with RSA. Lecture Notes in Computer Science. Retrieved from https://cseweb.ucsd.edu/~mihir/papers/oaep.pdf

Bellare, M., & Rogaway, P. (1993). Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. CM Conference on Computer and Communications Security, (pp. 6273). Retrieved

Benioff, P. (1980). The computer as a physical system: A microscopic quantum mechanical Hamiltonian model of computers as represented by Turing machines. Journal of Statistical Physics, 563591. doi:10.1007/bf01011339

Bernhardt, C. (2019). Quantum Computing for Everyone. Cambridge: Massachusetts Institute of Technology.

Bernstein, D. J. (2019a). Decisional secondpreimage resistance: When does SPR imply PRE? Retrieved

Bloch, F. (1946). Nuclear Induction. Physical Review, 460474. doi:10.1103/PhysRev.70.460

Bloch, F. a. (1945). Atoms in Variable Magnetic Fields. Rev. Mod. Phys., 237244. doi:10.1103/RevModPhys.17.237

Bogdanov, A. a. (2007). Pseudorandom bits for polynomials. 8th Annual IEEE Symposium on Foundations of Computer Science (FOCS’07), (pp. 4151). doi:10.1109/FOCS.2007.42

Bonnoron, G. &. (2017). A note on RingLWE security in the case of Fully Homomorphic Encryption. Lecture Notes in Computer Science (pp. 2743). Springer, Cham. 3319716671_2

Bose, S. N. (1924). Plancks Gesetz und Lichtquantenhypothese. Zeitschrift für Physik, 178181. doi:10.1007/BF01327326

Botros, L. M. (2019). MemoryEfficient HighSpeed Implementation of Kyber on CortexM4. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2019/489

Bouchiat, V. D. (1998). Quantum Coherence with a Single Cooper Pair. Physica Scripta, 165170. f

Boudgoust, K. C.L. (2022). On the Hardness of Module Learning With Errors with Short Distributions. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2022/472

Carmichael, R. (1910). Note on a new number theory function. Bulletin of the American Mathematical Society, 16, 232238. doi:10.1090/S000299041910018929

Chen, H. L. (2020). On the Concrete Security of LWE with Small Secret. Cryptology ePrint Archive. Retrieve

Chen, L. (2017). Cryptography Standards in Quantum Time: New Wine: New Wine in an Old Wineskin? IEEE Security & Privacy, 51

Cirac, J. I. (1995). Quantum Computations with Cold Trapped Ions. Phys. Rev. Lett., 40914094. doi:10.1103/PhysRevLett.74.4091

Combescot, R. (2022). Superconductivity: An Introduction. Cambridge University Press. Retrieved from https://www.amazon.com/SuperconductivityIntroductionRolandCombescot/dp/110842841X/

Cook, S. A. (1969). On the Minimum Computation Time of Functions. Transactions of the American Mathematical Society, 291314. doi:10.1090/S00029947196902492128

Cooley, J. W., & Tukey, a. J. (1965). An algorithm for the machine calculation of complex Fourier series. Mathematics of Computation, 29730. doi:10.2307/2003354

Cooper, L. N. (1956). Bound Electron Pairs in a Degenerate Fermi Gas. Phys. Rev., 11891190. doi:10.1103/PhysRev.104.1189

Copeland, W. F. (2021, October 6). Quantum computing will break today’s encryption standards here’s what to do about it. Retrieved November 6, 2022, from Verizon: https://www.verizon.com/about/news/quantumcomputingencryptionstandards

Coppersmith, D. (1994). An approximate Fourier transform useful in quantum factoring. Yorktown Heights: IBM Research Division. Retrieved from https://arxiv.org/pdf/quantph/0201067.pdf

Cory, D. G. (1997). Ensemble quantum computing by NMR spectroscopy. Proceedings of the National Academy of Sciences of the United States of America, 16341639.

Cross, A. W. (2019). Validating quantum computers using randomized model circuits. Phys. Rev., 100(3), 032328. doi:10.1103/PhysRevA.100.032328

Diffie, M., & Hellman, M. (1976). New directions in cryptography. EEE Transactions on Information Theory, 644654. doi:10.1109/TIT.1976.1055638

Dilmegani, C. (2021, April 18). Quantum Hardware Components, Interfaces & Challenges. Retrieved November 6, 2022, from AI Multiple: https://research.aimultiple.com/quantumcomputinghardware/

Dirac, P. (1939). A new notation for quantum mechanics. Mathematical Proceedings of the Cambridge Philosophical Society, 416418. doi:10.1017/S0305004100021162

Dirac, P. (1958). The Principles of Quantum Mechanics (4 ed.). Clarendon Press.

Djekic, M. (2013, November 25). A Scytale Cryptography of the Ancient Sparta. Retrieved November 8, 2022, from Australian Science: http://ozscience.com/technology/ascytalecryptographyoftheancientsparta/

Ducas, L. A. (2013). Lattice Signatures and Bimodal Gaussians. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2013/383

Einstein, A. (1924). Quantentheorie des einatomigen idealen Gases. Königliche Preußische Akademie der Wissenschaften, 261267. Retrieved from https://www.unimuenster.de/imperia/md/content/physik_ap/demokritov/mbecfornonphysicists/einstein_1924_1925.pdf

Feynman, R. P. (1957). Geometrical Representation of the Schrödinger Equation for Solving Maser Problems. Journal of Applied Physics

Feynman, R. P. (1982). Simulating Physics with Computers. International Journal of Theoretical Physics, 467488. doi:10.1007/BF02650179

Feynman, R. P. (1986). Quantum mechanical computers. Foundations of Physics, 507531. doi:10.1007/bf01886518

Fouque, P.A. J. (2020). Falcon: FastFourier Latticebased Compact Signatures over NTRU.

Friis, N. O. (2018). Observation of Entangled States of a Fully Controlled 20Qubit System. Physical Review, 021012. doi:10.1103/PhysRevX.8.021012

Fujisaki, E. O. (2013). Secure Integration of Asymmetric and Symmetric Encryption Schemes. J Cryptol, 80101. doi:https://doi.org/10.1007/s0014501191141

Gambetta, J. &. (2019, March 4). Cramming More Power Into a Quantum Device. Retrieved November 7, 2022, from IBM Research Blog: https://www.ibm.com/blogs/research/2019/03/powerquantumdevice/

Gentry, C. C. (2007). How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2007/432

Goldreich, O. (2001). Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press. Retrieved from https://www.amazon.com/FoundationsCryptographyBasicToolsVol/dp/0521791723/

Graham, T. S. (2022). Demonstration of multiqubit entanglement and algorithms on a programmable neutral atom quantum computer. Nature, 457462. doi:https://doi.org/10.1038/s41586022046036

Grumbling, E. a. (2019). Quantum Computing: Progress and Prospects. Washington, DC: National Academy of Sciences. doi:https://doi.org/10.17226/25196

Hadamard, J. (1893). Résolution d’une question relative aux déterminants. Bulletin des Sciences Mathématiques, 240146.

Hendrickx, N. W. (2020). A singlehole spin qubit. Nature Communications. 020172117

Hendrickx, N. W. (2021). An array of four germanium qubits. Nature. 021011166

Henriet, L. L.O. (2020). Quantum Computing with Neutral Atoms. Quantum. Retrieved from https://arxiv.org/pdf/2006.12326.pdf

Hidary, J. (2019). Quantum computing: an applied approach. Springer. Retrieved from https://www.amazon.com/QuantumComputingApproachJackHidary/dp/3030239217

Hilbert, D. R. (1928). Über die Grundlagen der Quantenmechanik. Mathematische Annalen, 130. doi:10.1007/BF01451579

Hilbert, D. R. (2009). David Hilbert’s Lectures on the Foundations of Physics 19151927. (U. M.J. Tilman Sauer (Editor), Ed.) Springer. Retrieved from https://www.amazon.com/HilbertsLecturesFoundationsPhysics19151927/dp/354020606X

Hinsley, F. H. (1993). Codebreakers: The inside story of Bletchley Park. Oxford: Oxford University Press. Retrieved from https://www.amazon.com/CodebreakersInsideStoryBletchleyPark/dp/0192801325/

Hoffstein, J. P. (1998). NTRU: A ringbased public key cryptosystem. Algorithmic Number Theory (pp. 267288). Springer, Berlin, Heidelberg. doi:https://doi.org/10.1007/BFb0054868

Hofheinz, D. K. (2017). A Modular Analysis of the FujisakiOkamoto Transformation. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2017/604

Houck, A. A. (2009). Life after charge noise: recent results with transmon qubits. Quantum Information Processing, 105115. doi:10.1007/s1112800901006

HPC Wire. (2022, September 27). Quantinuum Sets New Record with Highest Ever Quantum Volume. Retrieved November 14, 2022, from HPC Wire: https://www.hpcwire.com/offthewire/quantinuumsetsnewrecordwithhighesteverquantumvolume/

Hülsing, A. (2017, December 4). SPHINCS+ The smaller SPHINCS. Retrieved from Andreas Hülsing: https://huelsing.net/wordpress/?p=558

Hülsing, A. J. (2017). NTRUHRSSKEM lgorithm Specifications And Supporting Documentation. Retrieved f20171130.pdf

IBM Quantum. (2022, October 20). Shor’s algorithm. Retrieved from IBM Quantum Composer: https://quantumcomputing.ibm.com/composer/docs/iqx/guide/shorsalgorithm

Intel. (2015, September 3). Intel Invests US\$50 Million to Advance Quantum Computing. Retrieved November 7, 2022, from Intel: https://newsroom.intel.com/newsreleases/intelinvestsus50milliontoadvancequantumcomputing/

Jenkins, A. J. (2022). Ytterbium NuclearSpin Qubits in an Optical Tweezer Array. Physical Review, 021027. doi:10.1103/PhysRevX.12.021027

Jiang, H. Z. (2017). INDCCAsecure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited. Cryptology ePrint Archive. doi:10.1007/9783319968780_4

Josephson, B. D. (1962). Possible new effects in superconductive tunnelling. Phys. Lett., 251253. doi:10.1016/00319163(62)913690

Josephson, B. D. (1974, March). The discovery of tunnelling supercurrents. Bulletin of the European Physical Society, 5, pp. 251254. Retrieved from https://www.europhysicsnews.org/articles/epn/pdf/1974/03/epn19740503p1.pdf

Kerckhoffs, A. (1883). La cryptographie militaire. Journal des sciences militaires, 583. Retrieved from https://www.petitcolas.net/kerckhoffs/crypto_militaire_1_b.pdf

Khan, D. (1996). The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet. Scribner. Retrieved from https://www.amazon.com/CodebreakersComprehensiveHistoryCommunicationInternet/dp/0684831309

science/cryptography/modarithmetic/a/theeuclideanalgorithm

Khan, T. M., & RoblesKelly, &. A. (2020). Machine Learning: Quantum vs Classical. IEEE Access, 8, 219275219294. doi:10.1109/ACCESS.2020.3041719

Kwiatkowski, K. (2019, June 20). Towards PostQuantum Cryptography in TLS. Retrieved November 6, 2022, from The Cloudflare Blog: https://blog.cloudflare.com/towardspostquantumcryptographyintls/

Langlois, A. &. (2012). WorstCase to AverageCase Reductions for Module Lattices. Cryptology ePrint Archive. Retrieved from https://eprint.iacr.org/2012/090

Le Bellac, M. (2006). A Short Introduction to Quantum Information and Quantum Computation. Cambridge University Press. Retrieved from https://www.amazon.com/ShortIntroductionQuantumInformationComputation/dp/0521860563/

Lenstra, A. K. (1993). The Development of the Number Field Sieve (1 ed.). Heidelberg: SpringerVerlag.

Loss, D. a. (1998). Quantum computation with quantum dots. Physical Review, 57, 120126. doi:10.1103/PhysRevA.57.120

Luciano, D. &. (1987). Cryptology: From Caesar Ciphers to PublicKey Cryptosystems. The College Mathematics Journal, 217. doi:10.2307/2686311

Lyubashevsky, V. (2009). FiatShamir with Aborts: Applications to Lattice and FactoringBased Signatures. Lecture Notes in Computer Science. 5912, pp. 598616. Springer. doi:https://doi.org/10.1007/9783642103667_35

Lyubashevsky, V. C. (2013). On Ideal Lattices and Learning with Errors over Rings. Association for Computing MachineryAssociation for Computing Machinery. doi:10.1145/2535925

Manohar, N. (2016, March 21). Hardness of Lattice Problems for Use in Cryptography. Cambridge: the School of Engineering and Applied Sciences Harvard University. Retrieved from https://web.cs.ucla.edu/~nmanohar/nmanohar_files/UndergradThesis.pdf

Manucharyan VE, K. J. (2009). Fluxonium: single cooperpair circuit free of charge offsets. Science, 113116. doi:10.1126/science.1175552. PMID: 19797655

Martinez, J. (2022). Decoherence and Quantum Error Correction for Quantum Computing and Communications. doi:10.15581/10171/63013

McEliece, R. J. (1978). A PublicKey Cryptosystem Based on Algebraic Coding Theory. DSN Progress Report, 114116. Retrieved from https://tmo.jpl.nasa.gov/progress_report2/4244/44N.PDF

Mermin, D. (2006, March 28). Breaking RSA Encryption with a Quantum Computer: Shor’s Factoring Algorithm. Physics 481681 Lecture Notes. Cornell University. Retrieved from https://web.archive.org/web/20121115112940/http://people.ccmr.cornell.edu/~mermin/qcomp/chap3.pdf

Metcalfe, M., Boaknin, E., Manucharyan, V., Vijay, R., Siddiqi, I., Rigetti, C., . . . Devoret, M. H. (2007). Measuring the decoherence of a quantronium qubit with the cavity bifurcation amplifier. Physical Review B., 174516. doi:10.1103/PhysRevB.76.174516

Middleton, C. (2021, March 5). What’s under the hood of a quantum computer? Retrieved November 6, 2022, from Physics Today: https://physicstoday.scitation.org/do/10.1063/PT.6.1.20210305a/full/

MorenoPineda, E. C. (2017). Molecular Spin Qudits for Quantum Algorithms. Chemical Society Reviews. doi:10.1039/C5CS00933B

Nakamura, Y. Y. (1999). Coherent control of macroscopic quantum states in a singleCooperpair box. Nature, 786788. doi:https://doi.org/10.1038/19718

Nayuki. (2022, September 11). Numbertheoretic transform (integer DFT). Retrieved from Project Nayuki: https://www.nayuki.io/page/numbertheoretictransformintegerdft

Nechvatal, J. E. (2001). Report on the Development of the Advanced Encryption Standard (AES). Journal of Research of the National Institute of Standards and Technology, 106, 511577. Retrieved from https://nvlpubs.nist.gov/nistpubs/jres/106/3/j63nec.pdf

Nguyen, P. Q. (2010). Hermite’s Constant and Lattice Algorithms. In The LLL Algorithm: Survey and Applications (pp. 1969). Heidelberg: Springer. doi:https://doi.org/10.1007/9783642022951

Nielsen, M. A. (2011). Quantum Computation and Quantum Information: 10th Anniversary Edition. Cambridge University Press. Retrieved from https://www.amazon.com/QuantumComputationInformation10thAnniversary/dp/1107002176

Nielsen, M. A., & Chuang, I. (2000). Quantum Computation and Quantum Information. Cambridge: Cambridge University Press.

NIST. (1977). Data Encryption Standard. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/fips/46/archive/19770115/documents/NBS.FIPS.46.pdf

NIST. (1988). Data Encryption Standard. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/CSRC/media/Publications/fips/46/1/archive/19880122/documents/NBS.FIPS.461.pdf

NIST. (1993). Data Encryption Standard. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/publications/detail/fips/46/2/archive/19931230

NIST. (1999). Data Encryption Standard. National Institute of Standards and Technology. Retrieved from https://csrc.nist.gov/publications/detail/fips/46/3/archive/19991025

NIST. (2001). Announcing the Advanced Encryption Standard (AES). National Institute of Standards and Technology. Federal Information Processing Standards Publication 197. Retrieved from https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf

NIST. (2022a, July 5). Projects: Post Quantum Cryptography. Retrieved from National Institute of Standards and Technology: https://csrc.nist.gov/Projects/postquantumcryptography

NIST. (2022b, July 15). NCCoE Announces Technology Collaborators for the Migration to PostQuantum Cryptography Projec. Retrieved November 6, 2022, from National Cybersecurity Center of

Olson, B. J. (2014). Circulant Matrices and Their Application to Vibration Analysis. Applied Mechanics Reviews

Papadimitriou, C. (1993). Computational Complexity. Pearson.

Parker, E. (2021). Commercial and Military Applications and Timelines for Quantum Technology. RAND Corporation. doi:https://doi.org/10.7249/RRA14824

Peikert, C. (2009). PublicKey Cryptosystems from the WorstCase Shortest Vector Problem. Proceedings of the FortyFirst Annual ACM Symposium on Theory of Computing (pp. 333342). Bethesda: Association for Computing Machinery. doi:10.1145/1536414.1536461

Piot, N. B.U. (2022). A single hole spin with enhanced coherence in natural silicon. Nature Nanotechnology, 10721077. doi:https://doi.org/10.1038/s4156502201196z

Qiskit. (2022a, 10 20). Quantum computing in a nutshell. Retrieved from Qiskit: https://qiskit.org/documentation/qc_intro.html

Rackoff, C. &. (1992). NonInteractive ZeroKnowledge Proof of Knowledge and Chosen Ciphertext Attack. Lecture Notes in Computer Science (pp. 433444). Heidelberg: Springer. 540467661_35

Ramanandan, S. P. (2022). Coherent Hole Transport in Selective Area Grown Ge Nanowire Networks. Nano Letters, 42694275. doi:https://doi.org/10.1021/acs.nanolett.2c00358

Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography. Proceedings of the thirtyseventh annual ACM symposium on Theory of computing (STOC ’05) (pp. 8493). New York: Association for Computing Machinery. doi:10.1145/1060590

Regev, O. (2005). On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. Proceedings of the thirtyseventh annual ACM symposium on Theory of computing (pp. 8493). New York: Association for Computing Machinery. doi:10.1145/1060590.1060603

Rivest, R. A. (1978). A Method for Obtaining Digital Signatures and PublicKey Cryptosystems. Communications of the ACM, 120126. doi:10.1145/359340.359342

RolstonDuce, K. (2022, April 14). Quantinuum Announces Quantum Volume 4096 Achievement. Retrieved November 14, 2022, from Quantinuum: https://www.quantinuum.com/pressrelease/quantinuumannouncesquantumvolume4096achievement#

Roth, T. E. (2021). An Introduction to the Transmon Qubit for Electromagnetic Engineers. IEEE Antennas and Propagation Magazine, 214. doi:10.1109/MAP.2022.3176593

RyanMosley, T. J. (2019, May 30). How a quantum computer could break 2048bit RSA encryption in 8 hours. Retrieved November 6, 2022, from MIT Technology Review: https://www.technologyreview.com/2019/05/30/65724/howaquantumcomputercouldbreak2048bitrsaencryptionin8hours/

Saki, A. A. (2019). Study of Decoherence in Quantum Computers: A CircuitDesign Perspective. Retrieved

Schneiderman, J. F. (2007). Quasiparticle Poisoning and Quantum Coherence in a Differential Charge Qubit. Retrieved from https://arxiv.org/abs/0705.0695

Schreyvogel, C. P. (2015). Active charge state control of single NV centres in diamond by inplane AlSchottky junctions. Scientific reports, 12160. doi:https://doi.org/10.1038/srep12160

Shafeeq, M. (2022, August 31). Emerging Potential of Quantum Computing. Retrieved from Modern potentialofquantumcomputing/

Shankland, S. (2021, May 24). Quantum computers could crack today’s encrypted messages. That’s a problem. Retrieved November 6, 2022, from CNET: https://www.cnet.com/tech/computing/quantumcomputerscouldcracktodaysencryptedmessagesthatsaproblem/

Shannon, C. E. (1949). Communication Theory of Secrecy Systems. The Bell System Technical Journal, 28, 656715. doi:10.1002/j.15387305.1949.tb00928.x

Shor, P. W. (1994). Algorithms for Quantum Computation: DIscrete Logarithms and Factoring. IEEE Computer Society, 124134. doi:10.1109/SFCS.1994.365700

Shuo Ma, A. P. (2022). Universal Gate Operations on Nuclear Spin Qubits in an Optical Tweezer Array of Yb171 Atoms. Physical Review, 021028. doi:10.1103/PhysRevX.12.021028

Singh, S. (1999). The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Anchor. Retrieved from https://www.amazon.com/CodeBookScienceSecrecyCryptography/dp/0385495323/

Sipser, M. (2014). Introduction to the Theory of Computation (3 ed.). Cengage.

SmithGoodson, P. (2019, November 23). Quantum Volume: A Yardstick To Measure The Performance Of Quantum Computers. Retrieved November 14, 2022, from Forbes: https://www.forbes.com/sites/moorinsights/2019/11/23/quantumvolumeayardsticktomeasurethepowerofquantumcomputers/?sh=3cc5f8dd5bf4

Stallings, W. (1990). Cryptography and Network Security: Principles and Practice. Prentice Hall.

StartUs Insights. (2020, June). 5 Top Emerging Quantum Cryptography Solutions. Retrieved from StartUs Insights: https://www.startusinsights.com/innovatorsguide/5topemergingquantumcryptographysolutions/

Stehlé, D. R. (2009). Efficient Public Key Encryption Based on Ideal Lattices. Lecture Notes in Computer Science (pp. 617635). Tokyo: Springer. doi:10.1007/9783642103667_36

Stroud, C. R. (1972). Superradiant Effects in Systems of TwoLevel Atoms. Phys. Rev., 10941104. 094

Sylvester, J. (1867). Thoughts on inverse orthogonal matrices, simultaneous sign successions, and tessellated pavements in two or more colours, with applications to Newton’s rule, ornamental tilework, and the theory of numbers. Philosophical Magazine, 461475.

Toom, A. (1963). The Complexity of a Scheme of Functional Elements Realizing the Multiplication of Integers. Soviet MathematicsDoklady, 714716. Retrieved from http://toomandre.com/myarticles/engmat/MULTE.PDF

Tracxn. (2022, October 12). Top Quantum Computing in Cybersecurity Startups. Retrieved from Tracxn: https://tracxn.com/d/trendingthemes/StartupsinQuantumComputinginCybersecurity

Turing, A. M. (1942). Turing’s Treatise on the Enigma. Retrieved from https://www.archives.gov/files/press/pressreleases/2015/images/turingenigmatreatise.pdf

Turing, A. M. (1986). A.M. Turing’s ACE report of 1946. In A.M. Turing’s ACE report of 1946 and other papers. Retrieved from https://mitpress.mit.edu/9780262031141/amturingsacereportof1946andotherpapers/

Turing, A. M. (2004). Intelligent machinery. In B. Copeland (Ed.), The Essential Turing: Seminal Writings in Computing, Logic, Philosophy, Artificial Intelligence, and Artificial Life plus The Secrets of Enigma (pp. 395432). Clarendon Press. Retrieved from https://www.amazon.com/EssentialTuringPhilosophyArtificialIntelligence/dp/0198250800/

van Emde Boas, P. (1981). Another NPcomplete problem and the complexity of computing short vectors in a lattice. Amsterdam: University of Amsterdam, Department of Mathematics.

van Leeuwen, J. (1994). Handbook of Theoretical Computer Science. The MIT Press. Retrieved from https://www.amazon.com/HandbookTheoreticalComputerScienceVol/dp/0262720205

Vandersypen, L. M. (2019). Quantum computing with semiconductor spins. Physics Today, 3845.

Wang, K. X. (2022). Ultrafast coherent control of a hole spin qubit in a germanium quantum dot. Nature Communications021278807

Wang, R. D. (2019). Gate Tunable Hole Charge Qubit Formed in a Ge/Si Nanowire Double Quantum Dot Coupled to Microwave Photons. Nano Letters, 10521060.

Watzinger, H. J.J. (2018). A germanium hole spin qubit. Nature Communications. doi:10.1038/s41467018064184

Wie, C.R. (2020). TwoQubit Bloch Sphere. Physics, 383396.

Wolfowicz, G. &. (2016). Pulse Techniques for Quantum Information Processing. eMagRes, 5, 15151528. doi:10.1002/9780470034590.emrstm1521

Zhou, J. J. (2010). Extended Euclid algorithm and its application in RSA. The 2nd International Conference on Information Science and Engineering, (pp. 20792081). doi:10.1109/ICISE.2010.5691644

Zimmermann, P. (2020, February 28). Factorization of RSA250. Universite de Lorraine, Nancy. Retrieved bin/wa.exe?A2=NMBRTHRY;dc42ccd1.2002