In order to deal with the Quantum Computing changes to mathematical difficulty, new cryptography needed to be researched and implemented. The performance and size of the new, larger, safer cryptography needed to be a careful balance in order to meet the practical needs of classical computers for SSL, websites, high speed networks, embedded systems and blockchain.
Post-Quantum Cryptography has been held as a NIST competition since 2016 with 86+ main submissions and 4 rounds of analysis. Additional schemes have been proposed but did not go through rigorous evaluation. There are 4 types of post-quantum cryptography, but each type comes with caveats. There is no universally acceptable, widely applicable functional cryptography scheme.
Lattice-based systems include Learning With Errors (LWE) and Ring Learning with Errors (RLWE or ringLWE). This includes NTRU variations and BLISS signature types. These systems have been studied for decades without anyone finding a feasible attack. The FALCON+ scheme is built on top of a lattice, but has additional parameters that cause concern because the implementation must be extremely specific to be safe.
Code-based cryptography includes error-correction codes such as the McEliece signature has been evaluated and considered secure for over 40 years. Variants that attempt to reduce the key size and complexity have been demonstrated to be weak, so the implementation needs to be specific and sufficiently complex.
Symmetric keys systems such as AES, CHACHA and SALSA2012 rely upon a piece of secret information to remain secure. Grover based attacks are inexpensive against such schemes, but depend on sufficient Quantum Memory to be effective. The faster a quantum system is, the less effective memory is available. As mass production of quantum systems increases to scale, the availability of Quantum Memory will increase. Symmetric key systems may need to adapt but these are typically used ephemerally with new keys generated every few minutes to limit the scope of any attack. A hard commitment to a single symmetric key (xx.network) should be evaluated with extreme concern.
Hash based systems such as SHA256 and Blake2 are the most commonly attacked and well studied systems. Bitcoin mining is essentially generating hash collisions at different difficulty rates which coincide with the difficulty of mining a block. The classical attacks come in different variations, from collision to target, preimage, birthday attack and many other variations. Depending on the specific goal alters the cost of the attack. XMSS, WOTS+ and SPHINCS are added as post-quantum systems for establishing SSL connections. As with most systems, care must be taken around implementations because implementations outside of specification will introduce weaknesses. Lamport Signatures are very widely regarded as a secure post quantum method, but the keys which generate the hashes must be rotated after 2-4 uses because some parts of the key are leaked through each use.
Rainbow and other multivariate systems were broken in specific implementations and attacks were created in the generic form. These systems are not recommended at this time due to the speed of their attack by both classical and quantum systems, and should be specifically avoided. Candidates for the NIST PQ competition were completely broken in both specific and general cases. While patents on some of these systems may exist, the lawyers at the patent office are not a replacement for mathematician cryptographers.
Supersingular elliptic curve isogeny key exchange (SIKE) and supersingular isogeny Diffie-Hellman (SIDH) systems were spectacularly broken during the competition. Many mathematicians studying the problem space were surprised by a geometry based attack against the curve isogeny, which was demonstrated with sample code to recover the private targets. The SIKE/SIDH schemes are always unsafe, and the authors have left warnings in public to advise other people about a path that should not be followed. Some news and review sources (wiki) have not updated their information accurately.
QEVM uses NIST-PQ approved cryptography in order to ensure that the systems remain secure for the foreseeable future. The successful attacks against SIKE/SIDH and Rainbow schemes have left many people uncertain about Lattice based cryptography. It is possible that Lattice based cryptography will be attacked in the distant future by quantum computers approximately the size of the moon. The “Shortest Vector Problem” is harder than NP-complete problems. The “best algorithm” requires super-exponential time and polynomial increasing memory.
In order to be adaptive against future attacks, multiple key systems requiring all NIST-PQ to be compromised are being proposed. A system that is only secure as the weakest link should be avoided. It is possible but expensive to implement a full “all methods must be compromised” variation, and even more expensive computationally for a blockchain system. However, we can implement multiple systems and choose which key systems are to be used in config files, allowing for rapid migration in the future.