I recently did some work as a side project for company called Patero that involved creating quantum hardened prototype of one of their products. This post discusses how to secure state-of-the-art cryptographic protocols against attacks from (future) quantum computers. It starts off with an introduction to how crypto protocols in general are constructed, to serve as an introduction for those of us who haven’t done much crypto work in the past. Either watch the video (EN/DE) or read the post below for a text version.

最近，我作为Patero公司的附属项目做了一些工作，其中涉及为其产品之一创建量子硬化原型。 这篇文章讨论了如何保护最新的加密协议免受来自(未来)量子计算机的攻击。 它首先介绍了一般如何构造加密协议，以作为过去对我们没有做太多加密工作的人们的介绍。 观看视频( EN / DE )或阅读下面的文章以获取文本版本。

In addition to my role at Adobe, I also do occasional freelance work as a software engineer focusing on rust/c++/embedded and cryptographic work. One of the clients I usually do work for is Patero, who are working on integrating quantum hardened secure communication modules in mobile devices, IoT, and critical infrastructure. One of their projects is an end-to-end encrypted, hardware-based cryptography module for securing mobile calls and communications in general even in the face of a compromised operating system. To further this project I was asked to create a quantum hardened version of this chip for evaluation purposes; first identifying those parts of their cryptographic protocol¹ that would break when quantum computer based attacks become feasible and finding solutions to harden the protocol against such attacks. This blog post discusses the general approach usually taken when hardening modern crypto protocols.

除了在Adobe担任职务外，我还偶尔担任软件工程师的自由职业者，重点是rust / c ++ / embedded和cryptographic。 我通常为之工作的客户之一是Patero，他正在致力于将量子硬化安全通信模块集成到移动设备，物联网和关键基础设施中。 他们的项目之一是端到端的，基于硬件的加密模块，即使在操作系统受到威胁的情况下，也可以总体上保护移动电话和通信的安全。 为了促进这个项目，我被要求为评估目的创建该芯片的量子硬化版本。 首先确定其密码协议¹的那些部分，这些部分在基于量子计算机的攻击变得可行时会破坏，并找到解决方案以加强协议以抵抗此类攻击。 这篇博客文章讨论了强化现代加密协议时通常采用的一般方法。

To be clear here, this post is about Quantum Hardening also known as Post Quantum Cryptography; that is the study of how to secure the sort of crypto protocols used in normal machines against cryptanalysis (attacks) using quantum computers. This post is not about Quantum Computing (the study of how to use quantum computers to solve problems) and it is not about Quantum Cryptography (the study of using quantum effects to do cryptography).

在这里要清楚，这篇文章是关于量子硬化的，也被称为量子量子密码学 。 这是关于如何使用量子计算机保护普通机器中使用的那种加密协议免遭密码分析(攻击)的研究。 这篇文章不是关于量子计算 (如何使用量子计算机解决问题的研究)，也不是关于量子密码术 (使用量子效应进行密码学的研究)。

The first part of this post is dedicated to revisiting some cryptography fundamentals the basic make up of modern day crypto protocols so even readers less familiar with the subject can take away something from this post. Jump down to Quantum Attacks: Grover’s algorithm if you are already familiar with the inner workings of modern cryptographic transport protocols.

这篇文章的第一部分致力于重温一些现代密码协议基本构成的密码学基础，因此，即使是对这一主题不太熟悉的读者也可以从这篇文章中受益。 如果您已经熟悉现代密码传输协议的内部工作原理，请跳到“ 量子攻击：Grover算法” 。

简介：如何快速进行量子硬化 (Summary: How to quantum harden in a hurry)

The availability of practical quantum computers would render all commonly used asymmetric cryptography used today insecure. Since pretty much all modern day cryptographic protocols (like HTTPS, TLS⁵, or SSH⁶) rely on asymmetric crypto as a vital component, these protocols will also become insecure. Symmetric cryptography is also affected but doubling key sizes provides an easy fix. Updating asymmetric crypto to be secure again will require the introduction of entirely new cryptographic primitives.

实用的量子计算机的可用性将使当今使用的所有常用非对称密码学变得不安全。 由于几乎所有现代加密协议(例如HTTPS，TLS⁵或SSH⁶)都依赖非对称加密作为重要组成部分，因此这些协议也将变得不安全。 对称加密也受到影响，但是加倍密钥大小可以轻松解决。 要再次更新非对称密码以确保安全，将需要引入全新的密码原语。

This is not a large problem now, because quantum computers are currently impractical, but their technology may advance in the coming years or decades enough to make quantum computer based attacks feasible; we should prepare for this point in time soon and some data needs to remain securely encrypted over the next decades, which is why quantum hardened cryptography is starting to become an important subject.

现在这不是一个大问题，因为量子计算机目前尚不可行，但它们的技术可能在未来几年或几十年中发展到足以使基于量子计算机的攻击成为可能。 我们应该为这一时间点做好准备，并且在接下来的几十年中需要对一些数据进行安全加密，这就是为什么量子硬化密码学开始成为重要课题的原因。

The process to develop post quantum cryptography is currently ongoing. For key exchanges, Classic McElice is a robust choice, but its memory requirements are prohibitive for many platforms. Failing that FrodoKEM is not a terrible choice. Post quantum signature schemes are not as relevant because they are only relevant to thwart online attacks (and for those you need a quantum computer now). Still Sphincs+ is probably not a particularly bad choice, but again the memory requirements are pretty tough to meet.

当前正在开发后量子密码术的过程。 对于密钥交换，Classic McElice是一个可靠的选择，但是它的内存要求在许多平台上都无法满足。 拒绝FrodoKEM并不是一个糟糕的选择。 后量子签名方案并不重要，因为它们仅与阻止在线攻击相关(对于那些现在需要量子计算机的攻击)。 仍然Sphincs +可能不是一个特别糟糕的选择，但是再次很难满足内存要求。

Any post quantum crypto primitive is currently suspect and should not be used on it’s own; there is significant risk the key exchange or signature scheme could be insecure against classical computers, meaning that you would be worse off than with state of the art protocols using such a primitive. Quantum hardened algorithms should only be used together with classical, well analyzed primitives. Employ robust combiners for this purpose. Open Quantum Safe is probably not a bad source of implementations for post quantum primitives.

当前，任何后量子密码基元都值得怀疑，不应单独使用。 密钥交换或签名方案可能对传统计算机不安全，存在很大的风险，这意味着与使用此类原语的最新协议相比 ，您的处境更糟 。 量子硬化算法仅应与经过充分分析的经典图元一起使用。 为此，请使用强大的组合器 。 Open Quantum Safe可能不是后期量子图元实现的不错来源。

Post Quantum Crypto should be limited to research and evaluation use cases at the moment except in very special circumstances. Even though redundant constructions using robust combiners are probably safe, the act of updating protocols, changing implementations may introduce implementation errors, side channels, or operational problems which can easily render your crypto system as a whole insecure. Even if extremely stringent measures are taken to publicly vet the resulting protocol and implementation, this risk persists.

除非常特殊的情况外，Post Quantum Crypto目前应仅限于研究和评估用例。 尽管使用健壮的组合器的冗余结构可能是安全的，但更新协议，更改实现的行为可能会引入实现错误， 侧边通道 或操作问题，这些问题很容易使您的加密系统整体上变得不安全。 即使采取了极其严格的措施公开审查所产生的协议和实施，这种风险仍然存在。

什么是加密 (What is crypto)

On a basic level, the goal of cryptography is the protection of private messages sent over public channels from interception by a third party. In the slide shown above, Alice would like to send a message (“I like your cat ears!”) to Berta; since this message is confidential, she would like to cryptographically protect the message.

从根本上讲，加密的目标是保护通过公共渠道发送的私人消息不受第三方的拦截。 在上面显示的幻灯片中，爱丽丝想向Berta发送一条消息(“我喜欢你的猫耳朵！”)； 由于此消息是机密信息，因此她想用密码保护该消息。

Other use cases have even more stringent requirements: imagine sending a message requesting a wire transfer via online banking; you would not want an adversary to be able to send a transfer in your name or modify the message in somehow. This is why all crypto protocols should fulfill all three properties: Confidentiality (only recipient can read it), Authentication (only you can send), as well as Data Integrity (message cannot be changed).

其他用例则有更严格的要求：想象一下通过网上银行发送一条消息，要求电汇； 您不希望对手能够以您的名义发送转帐或以某种方式修改消息。 这就是为什么所有加密协议都应具有所有三个属性的原因：机密性(只有收件人可以读取它)，身份验证(只有您可以发送)以及数据完整性(消息不能更改)。

古代密码：旋转密码 (Archaic Ciphers: Rotation Cipher)

Modern cryptographic ciphers can be quite hard to understand, so in order to illustrate how basic encryption works, we will take a look at some historical ciphers. The first cipher I would like to introduce is the Caesar Cipher; called that because Julius Caesar was one of the users of this cipher. Before we can encrypt some text using this cipher, we first have to assign a number to each letter of our alphabet and choose a key. Then we simply add the key to each character or subtract it to decrypt our cipher text.

现代加密密码可能很难理解，因此，为了说明基本加密的工作原理，我们将介绍一些历史密码。 我要介绍的第一个密码是凯撒密码； 之所以这样称呼，是因为Julius Caesar是这种密码的使用者之一。 在使用此密码加密某些文本之前，我们首先必须为字母的每个字母分配一个数字并选择一个密钥。 然后，我们只需将密钥添加到每个字符或减去密钥即可解密密文。

Using 4 as our key we get the following conversion table:

使用4作为键，我们得到以下转换表：

space/0 → d/4a/1 → e/5b/2 → f/6...x/24 → a/1y/25 → b/2z/26 → c/2

Our text “i like your cat ears” turns into “mdpmoidbsyvdgexdievw”, which cannot be red without decryption.

我们的文字“我喜欢你的猫耳朵”变成了“ mdpmoidbsyvdgexdievw”，如果不解密，它就不会变成红色。

So how hard is breaking this cipher? Not very hard as it turns out: There is one kind of attack that can always be performed; just try every one of our 27 possible keys until you find one that works. This is called a brute force attack and works well for any cipher whose key space (that is the number of possible keys) is very small; other, more advanced ciphers with a very large key space require more sophisticated sorts of attack.

那么破解这个密码有多难呢？ 事实并非很困难：总是可以执行一种攻击。 只需尝试使用我们27种可能的钥匙中的每一种，直到找到可用的钥匙。 这称为蛮力攻击，对于密钥空间(即可能的密钥数量)很小的任何密码都适用。 其他，具有很大密钥空间的更高级密码需要更复杂的攻击。

古代密码：替代密码 (Archaic Ciphers: Substitution Cipher)

Substitution ciphers fit that bill; similar to how a rotation cipher works, one character maps to another random character from our alphabet. Basically instead of rotating our alphabet by a fixed offset, we shuffle it. This makes rotation ciphers a specific case of substitution ciphers.

替代密码适合该法案； 与旋转密码的工作原理类似，一个字符映射到我们字母表中的另一个随机字符。 基本上，我们不对字母旋转固定的偏移量，而是对其进行随机排列。 这使得旋转密码成为替换密码的特定情况。

alphabet: " abcdefghijklmnopqrstuvwxyz"key:      "jxngzdtlciu wemkavbfsoqprhy"plaintext:  "i like your cat ears"ciphertext: "ijwi djhkobjgxsjdxbf"

Shuffling our alphabet yields a much larger key space; 27! (that is 27 factorial, 27*26*25*…*1) to be precise or roughly 10²⁸ (a 10 with 28 zeroes) keys, which is far too many keys for us to try each one. Even one or many computers can not try this many keys, so attacking this cipher will require a more advanced attack: Notice how our cipher text contains the letter J a lot? We can use that and infer that J must map to a particularly common character — space in our case. By using statistical analysis – that measuring the frequency of each character in our cipher text – we can simply look up which character is this frequent in the English language and break the cipher this way. This works because vowels for instance appear much more frequently than consonants.

改组我们的字母会产生更大的键空间； 27！ (即27个阶乘，即27 * 26 * 25 * ... * 1)精确到大约10²⁸(10个具有28个零的键)，对于我们每个键来说，这太多了。 甚至一台或多台计算机也无法尝试这么多密钥，因此攻击此密码将需要更高级的攻击：请注意，我们的密码文本中如何包含字母J很多？ 我们可以用它来推断J必须映射到一个特别常见的字符-在我们的例子中是空格。 通过使用统计分析(测量密文中每个字符的频率)，我们可以简单地查找英语中哪个字符经常出现，并以此方式破解密文。 之所以可行，是因为例如元音比辅音更频繁地出现。

古代密码：换位密码 (Archaic Ciphers: Transposition Cipher)

Finally, let’s look at a slightly different sort of cipher; while substitution ciphers shuffle our alphabet, a transposition cipher shuffles the actual text turning the cipher text into an anagram of the plain text.

最后，让我们看一下稍有不同的密码。 替换密码会打乱我们的字母，而换位密码会打乱实际的文本，从而将密码文本变成纯文本的字谜。

key: 31542plaintext: HELLOciphertext: EOHLL

Unlike with our previous cipher the problem with this cipher is immediately visible: “eohll” being an anagram of “hello” is pretty obvious. This problem gets worse when the key is used multiple times.

与我们以前的密码不同，此密码的问题是显而易见的：“ eohll”作为“ hello”的字谜非常明显。 当多次使用密钥时，此问题会变得更加严重。

现代密码：AES (Modern Cipher: AES)

Having looked at some archaic examples of ciphers, let’s now jump into the 21st century and take a look at an example of a modern cipher. The Advanced Encryption Standard is widely used today (although there are alternatives). there is a good chance this website was transferred to you via an AES encrypted channel. It is a block cipher; meaning the data is chopped into fixed size segments which are separately encrypted. All operations used by the cipher are reversible, so to decrypt the data, all operations are applied in reverse.

看了一些古老的密码示例之后，现在让我们进入21世纪，看看现代密码的示例。 今天，高级加密标准已被广泛使用(尽管有替代方法 )。 此网站很有可能是通过AES加密通道转移给您的。 这是分组密码； 意味着数据被切成固定大小的段，分别进行加密。 密码使用的所有操作都是可逆的，因此要解密数据，所有操作都将反向应用。

Internally, AES uses a Substitution-Permutation-Network. The big round plus with a circle you can see is an XOR operation; this is similar to the rotation cipher (rotation or modular addition in binary is just xor), except that every bit of data is rotated with a single bit from the key. The boxes labeled S represent substitution steps; here four bit long words of data are replaced according to a built in lookup table. Finally the step labeled P is a transposition step; here the results of the substitution are shuffled according to a predefined pattern.

在内部，AES使用Substitution-Permutation-Network 。 大圆加一个圆圈可以看到是XOR运算； 这类似于旋转密码(旋转或二进制中的模加法只是异或)，不同的是，数据的每一位都用密钥中的一位进行旋转。 标有S的方框表示取代步骤； 这里，根据内置的查找表替换了四位长的数据字。 最后，标记为P的步骤是转置步骤。 在此，替换的结果根据预定义的模式进行混排。

Only the xor step actually combines the data with the key; the substitution and permuatation steps are not really encryption steps per say since their “keys” are known to any attackers. Instead they basically scramble the data, ensuring that each bit in the cipher text is influenced by every bit of plain text and key. Applying these three steps multiple times effectively obscures the relationship between ciphertex, key and plaintext, to the point that statistical methods cannot be used to uncover their relationship. Every bit of the output depends on every bit of the input and every bit of the key; changing just one bit in the input or key should change roughly 50% of the output bits.

实际上，“异或”步骤实际上是将数据与键合并； 可以说替换和渗透步骤并不是真正的加密步骤，因为攻击者都知道它们的“密钥”。 相反，它们基本上是对数据进行加密，以确保密文的每一位都受到纯文本和密钥的每一位的影响。 多次应用这三个步骤有效地模糊了密文，密钥和明文之间的关系，以至于无法使用统计方法来揭示它们之间的关系。 输出的每一位都取决于输入的每一位和键的每一位。 仅更改输入或键中的一位，应更改大约50％的输出位。

Note that we left out a lot of the steps required to really make a secure block cipher; e.g. one problem with the above description is that the same input block and key will produce the same output. This is unacceptable since this would allow attackers to detect when two blocks are the same, there are solutions to this problem but we won’t go into detail here.

请注意，我们省略了真正制作安全分组密码所需的许多步骤。 例如，上面描述的一个问题是相同的输入块和键将产生相同的输出。 这是不可接受的，因为这将使攻击者能够检测到两个块何时相同 ，对此问题有解决方案，但我们在此不做详细介绍。

Now since we have a cipher that is actually secure, we can start to encrypt something, we just need a key! So, Alice does create a key and transmits it to Berta over a secure channel. Our key exchange here is really the most important part; if the key is intercepted all our efforts will be wasted. The adversary will be able to decrypt all past, present, and future messages transmitted using this key. Once the key has been exchanged however, we can start sending data, securely, over untrusted channels.

现在，由于我们拥有的密码实际上是安全的，因此我们可以开始加密某些东西，我们只需要一个密钥！ 因此，爱丽丝确实创建了密钥，并通过安全通道将其传输到Berta。 我们在这里的密钥交换确实是最重要的部分。 如果钥匙被截取，我们的所有努力都将浪费掉。 对手将能够解密使用此密钥传输的所有过去，现在和将来的消息。 但是，一旦交换了密钥，我们就可以开始通过不可信的通道安全地发送数据。

消息验证码 (Message Authentication Codes)

There is one — actually there are many — problems with the protocol above, however one particularly bad one is that the protocol is not authenticated; meaning, that while an attacker could never correctly encrypt data (they would need the key), they could flip bits in the ciphertext or even send entirely random data and Berta would not automatically notice.

上面的协议有一个-实际上有很多-问题，但是一个特别糟糕的问题是该协议未通过身份验证； 意思是，尽管攻击者永远无法正确加密数据(他们需要密钥)，但他们可能会翻转密文中的位，甚至发送完全随机的数据，而Berta不会自动注意到。

To remedy this problem, a message authentication code is used; the authentication tag generated by this function is a bit of redundant data, added to the message to prevent tampering. This tag can only be generated by someone who knows the symmetric key, so an attacker could only guess at the correct code.

为了解决这个问题，使用了消息认证代码。 此功能生成的身份验证标签是一些冗余数据，已添加到消息中以防止篡改。 该标签只能由知道对称密钥的人生成，因此攻击者只能猜测正确的代码。

Our protocol is still almost the same as it was before: having exchanged a shared key, Alice can now start encrypting data. She uses the shared key to encrypt our message. Before sending it, she also uses the message authentication code to generate a short authentication tag over the cipher text using the key. Both the cipher text as well as the message authentication code are sent to Berta who checks the auth tag by generating an auth tag of her own and comparing the one sent along with the message. Having successfully established that the message is authentic, she continues to decrypt the data as before.

我们的协议与以前几乎相同：交换了共享密钥后，Alice现在可以开始加密数据了。 她使用共享密钥来加密我们的消息。 在发送之前，她还使用消息身份验证代码使用密钥在密文上生成一个简短的身份验证标签。 密文和消息身份验证代码都发送到Berta，后者通过生成自己的auth标记并比较与消息一起发送的auth标记来检查auth标记。 成功确定消息是真实的后，她继续像以前一样解密数据。

关键派生功能 (Key derivation Functions)

We now have achieved authenticated encryption; our crypto system is secure as long as the shared key is exchanged securely.

现在，我们已经完成了认证加密； 只要安全地交换共享密钥，我们的加密系统就是安全的。

That is all well and good, however secure key transmission is actually not that easy to achieve. Sounds easy enough, but in practice it usually the key consists of around one hundred completely random characters; ciphers need high quality keys to function properly. A short key, or a key that has obvious patterns in it will not do. Hardly any messenger would be able to remember such a random figure; you could write it down, but then you may loose the piece of paper so this is not a good solution either.

一切都很好，但是安全密钥传输实际上并不是那么容易实现。 听起来很容易，但是实际上它通常由大约一百个完全随机的字符组成； 密码需要高质量的密钥才能正常运行。 短键或具有明显样式的键都不会起作用。 几乎任何使者都无法记住这种随机数字； 您可以将其写下来，但是然后您可以松开纸片，因此这也不是一个好的解决方案。

Luckily, key derivation functions can at least help us lessen that problem; basically a key derivation function can take a string of random data and bring it into the format of a high quality key, provided of course that the input actually contains enough random information. The output will have the needed length, it will look random² and when used with a password, it should be slow to compute, just to thwart attacks testing lot’s of commonly used passwords.

幸运的是，密钥派生功能至少可以帮助我们减轻该问题； 基本上，密钥派生函数可以获取一串随机数据，并将其转换为高质量密钥的格式，当然前提是输入实际上包含足够的随机信息。 输出将具有所需的长度，看起来是随机的²，并且与密码一起使用时，它的计算速度应该很慢，只是为了阻止攻击测试很多常用密码。

Key derivation functions really provide flexibility; you could choose a long sentence as your key (easier for your messenger to remember) or you could sent multiple keys and combine them using the KDF; as long as one key was not intercepted, the generated key will still be secure.

关键派生功能确实提供了灵活性。 您可以选择一个长句子作为密钥(使信使更容易记住)，也可以发送多个密钥并使用KDF进行组合； 只要未截获一个密钥，生成的密钥仍将是安全的。

To integrate this key derivation function in our protocol, Alice chooses a password instead of the key itself and transmits it to Berta. Both parties run the key derivation function to generate the actual key and can now transmit data as they did in the previous two protocols.

为了将此密钥派生功能集成到我们的协议中，Alice选择了一个密码而不是密钥本身，并将其发送给Berta。 双方都运行密钥派生功能以生成实际密钥，并且现在可以像在前两个协议中一样传输数据。

Using a key derivation function drastically simplifies key transmission, without actually solving our core problem: We still need to transmit our keys via a secure channel. Creating a secure channel is really hard; the entire point of this exercise is to create a secure channel, so wouldn’t it be nice to be able to sidestep this problem? Luckily, there is a solution and that solution is called asymmetric cryptography.

使用密钥派生功能可以极大地简化密钥传输，而无需真正解决我们的核心问题：我们仍然需要通过安全通道传输密钥。 创建一个安全的渠道真的很困难。 整个练习的重点是创建一个安全的渠道，所以能够回避这个问题不是很好吗？ 幸运的是，有一个解决方案，该解决方案称为非对称密码术。

非对称密码 (Asymmetric Cryptography)

While in symmetric crypto there is just one key that is shared between both our parties, in asymmetric crypto there is two keys; one that can be absolutely public³ and one that is to be kept absolutely private; not even shared with your communication partner. The public key can be used by anyone to encrypt data they would like to transmit to you, while only you could decrypt the data again. There also is a corresponding signature scheme that can be used to proof that you are really the sender of some data; only you can sign a message using the private signature key, but anyone can validate the signature against your public key (notice to how this is somewhat similar in purpose to an authentication tag).

在对称加密中，只有双方共享一个密钥，而在非对称加密中，则有两个密钥。 一种可以绝对公开³，另一种可以绝对保密。 甚至没有与您的交流伙伴共享。 任何人都可以使用公共密钥来加密他们想要传输给您的数据，而只有您可以再次解密数据。 还有一个相应的签名方案，可以用来证明您确实是某些数据的发送者。 只有您可以使用私钥签名对消息进行签名，但是任何人都可以根据您的公钥来验证签名(请注意，这在某种程度上与身份验证标签有点类似)。

In practice, when sending a message, you would encrypt using the recipients public key and sign using your own secret key and since public key crypto is actually a bit inefficient, you would generate a random shared key, encrypt and authenticate the data using that and finally encrypt and sign the symmetric key using asymmetric cryptography.

实际上，在发送消息时，您将使用收件人的公钥进行加密，并使用自己的私钥进行签名，并且由于公钥加密实际上效率不高，因此您将生成一个随机的共享密钥，并使用该密钥对数据进行加密和身份验证。最后使用非对称密码对对称密钥进行加密和签名。

Combining asymmetric and symmetric crypto in such a way to gain both — the performance of symmetric cryptography and the flexibility of public key cryptography — is called Hybrid Cryptography. When asymmetric encryption is used to encrypt a shared key for further encryption, this is called a Key Encapsulation Method.

将非对称和对称密码以一种既获得对称密码学性能又具有公开密钥密码学灵活性的方式相结合的方式称为混合密码学 。 当使用非对称加密来加密共享密钥以进行进一步加密时，这称为“ 密钥封装方法” 。

Diffie Hellmann密钥交换 (Diffie Hellmann Key Exchange)

Most cryptographic connections today are online — meaning it is possible to quickly send messages back and forth. Key encapsulation can be used to exchange the keys for such a connection, however there is a better way: The Diffie Hellmann Key Exchange; this is a function that produces a shared key directly using my own private key and your public key. To execute the key exchange, both parties generate a random key pair and transmit their public key before executing the Diffie Hellman function. That’s it. Just two packets to transmit and the secret never actually has to be transmitted over the wire.

如今，大多数密码连接都是在线的-这意味着可以快速地来回发送消息。 密钥封装可用于交换此类连接的密钥，但是有更好的方法：Diffie Hellmann密钥交换； 这是一个直接使用我自己的私钥和您的公钥生成共享密钥的函数。 为了执行密钥交换，双方在执行Diffie Hellman函数之前会生成一个随机密钥对并传输其公共密钥。 而已。 仅需传输两个数据包，而秘密实际上就不必通过电线传输。

放在一起：现代加密协议 (Putting it together: Modern day Crypto protocols)

Now, using both symmetric and asymmetric cryptography we can build a cryptographic protocol like this:

现在，通过使用对称和非对称密码，我们可以构建如下的密码协议：

1. Alice and Berta generate random Diffie Hellmann key pairs, and exchange their public keys and generate a secret using those keys.
   Alice和Berta生成随机的Diffie Hellmann密钥对，并交换它们的公共密钥并使用这些密钥生成秘密。
2. They establish each others authenticity; often this involves using a digital signature scheme, although different ways to achieve this exist.
   他们彼此建立了真实性； 尽管存在实现此目的的不同方法，但这通常涉及使用数字签名方案。
3. They use a key derivation function to generate a good key using the secret they just exchanged.
   他们使用密钥派生功能，使用刚刚交换的秘密来生成一个好的密钥。
4. They use the key to encrypt data.
   他们使用密钥来加密数据。
5. And a message authentication code to make sure the data is not tampered with.
   还有一个消息验证码，以确保数据不会被篡改。

That’s it. This is pretty much how state-of-the-art cryptographic protocols work; there is a good chance your browser is used something like this to download this blog post.

而已。 这就是最先进的加密协议的工作方式。 您的浏览器很有可能会使用类似的方式下载此博客文章。

量子攻击：Grover算法 (Quantum Attacks: Grover’s algorithm)

There are two ways that quantum computers can attack modern cryptography; the first and less important of the two is grovers algorithm. As we discussed before, there is one attack that works on every cryptographic method: A “brute force” attack which is just a fancy word for trying every possible key until you find one that works. In computer science this is known as a “linear search” — the most basic search algorithm. Given a million possible keys it would take five hundred thousand tries on average to find the correct one; the formula is just N/2 where N is the number of keys.

量子计算机可以通过两种方式攻击现代加密技术： 两者中的第一个和次要的是grovers算法。 正如我们之前讨论的那样，每种加密方法都可以使用一种攻击：“强力”攻击，这只是尝试所有可能的密钥，直到找到有效的密钥的幻想词。 在计算机科学中，这被称为“线性搜索”-最基本的搜索算法。 给定一百万种可能的密钥，平均需要五十万次尝试才能找到正确的密钥。 公式仅为N / 2，其中N是键的数量。

Grover’s algorithm is the generic quantum search; this takes (don’t ask me how) just a thousand tries for a million possible keys: While the generic classical search takes N/2 tries, quantum search just takes sqrt(2) attempts on average, so it is much faster, or one thousand tries given a million possible keys. Luckily, we can just double our key size from six decimal places to twelve (or from 128 bits to 256 bits for actual cryptographic algorithms) to achieve the same security level as before.

格罗弗的算法是通用量子搜索。 这只需要花一千次尝试(不要问我如何)来获得一百万个可能的密钥：虽然通用经典搜索需要N / 2次尝试，但量子搜索平均只需花费sqrt(2)次尝试，因此速度更快，或者一千次尝试给出了一百万个可能的密钥。 幸运的是，我们可以将密钥大小从六位小数翻倍到十二位(对于实际的加密算法，则从128位到256位)增加一倍，以达到与以前相同的安全级别。

So while Grover’s algorithm can be used against any cryptographic algorithm, there is a relatively easy fix.

因此，尽管可以将Grover算法用于任何密码算法，但存在相对容易的解决方法。

量子攻击：Shor算法 (Quantum Attacks: Shor’s algorithm)

Shor’s algorithm presents a bigger problem; pretty much all asymmetric cryptography⁴ used today is either based on the Discrete Logarithm Problem or the difficulty of factorizing integers. Both problems can be solved very efficiently using Shor’s algorithm.

Shor的算法提出了一个更大的问题。 今天使用的几乎所有非对称密码学都是基于离散对数问题或因数分解的困难。 使用Shor算法可以非常有效地解决这两个问题。

This means: Our handshake is broken; it is entirely insecure against attacks from quantum computers. This is why it is commonly said that quantum computers break all modern crypto; the symmetric part is fine, but if the handshake is insecure the symmetric key will be known so the protocol is insecure as a whole

这意味着：我们的握手中断了； 它完全不受来自量子计算机的攻击。 这就是为什么人们通常说量子计算机打破了所有现代加密货币的原因。 对称部分很好，但是如果握手不安全，则对称密钥是已知的，因此协议整体上都是不安全的

量子攻击：它们可行吗？ (Quantum Attacks: Are they feasible?)

Now, this sounds really bad until you remember that practical quantum computers simply do not exist at the moment. They are really expensive, need to be cooled using cryogenics and just have on the order of 50 to 60 quantum bits; you would need thousands of quantum bits to even attempt breaking modern crypto. Attacking modern crypto with ENIAC (a very early computer) seems more feasible than using quantum computer at this time.

现在，这听起来真的很糟糕，直到您还记得目前根本不存在实用的量子计算机。 它们确实很昂贵，需要使用低温冷却器进行冷却，并且只有50到60个量子比特。 您将需要成千上万个量子位来尝试破坏现代加密货币。 使用ENIAC (一种非常早期的计算机)攻击现代加密货币似乎比此时使用量子计算机更为可行。

However, there is a good chance practical quantum computers will arrive in the next decades, so it is good to be prepared. Besides, in addition to all the cat videos, there is some data stored and transmitted now that we would like to remain secure in thirty to forty years; think financial or medical records. An attacker could simply commit all data they can get their hands on to cold storage and wait until quantum computers are advanced enough to decrypt it; a concept that is called “store now break later”. To thwart this, we should really start to use post quantum crypto as soon as possible.

但是，实用的量子计算机很有可能在未来几十年内问世，因此做好准备的准备很好。 此外，除了所有的猫录像带外，现在我们还希望存储和传输一些数据，我们希望在三十到四十年内保持安全； 考虑财务或医疗记录。 攻击者只需将他们可以使用的所有数据提交到冷存储中，然后等到量子计算机先进到足以解密它即可。 这个概念称为“稍后存储立即休息”。 为了阻止这种情况，我们真的应该尽快开始使用后量子加密。

量子硬化：目前处于早期测试阶段 (Quantum Hardening: Currently in early alpha)

To this end, the National Institute of Standards and Technology — the same organization that standardized SHA, AES, and RSA — has organized a competition to find suitable post quantum crypto algorithms. The competition started 2017 and is expected to take half a decade more. In the beginning around 90 candidates made submissions, but a lot of them were discovered to be insecure in the first couple of hours after submission. Some similar ones have also been merged, but 26 are left and are now candidates in round two of the competition; you can follow the progress here.

为此，美国国家标准技术研究院(对SHA，AES和RSA进行标准化的组织)组织了一场竞赛，以寻找合适的后量子密码算法。 比赛于2017年开始，预计将持续半年。 在开始的时候，大约有90名候选人提交了意见书，但是在提交后的最初几个小时内，许多人被发现不安全。 一些相似的也已经合并，但是剩下的26个已经成为第二轮比赛的候选人。 您可以在此处关注进度。

The new primitives include signature schemes as well as key encapsulation methods and a single example SIKE of a replacement for Diffie Hellmann style key exchanges. They are based on problems like Learning With Errors, Elliptic Curve Isogeny, or the difficulty of decoding Error Correction Codes (as if I knew what the first two meant).

新的原语包括签名方案以及密钥封装方法，以及替代Diffie Hellmann样式密钥交换的单个示例SIKE 。 它们基于诸如“学习错误”，“椭圆曲线同质性”或解码“纠错码”的困难(好像我知道前两个含义)之类的问题。

Experimental implementations of NewHope, NTRU, and SIKE were created for TLS⁵ and used in the Chrome browser and some servers with good results. BSI (the German equivalent of the American NIST) recommends using FrodoKEM or ClassicMcElice if you so choose to use quantum hardened key exchanges. Post Quantum Signature Schemes haven’t received as much attention because they are not quite as relevant for protection from “save now, decrypt later” style attacks. They protect from man in the middle attacks which have to be performed live — just at the time the connection is being created.

为TLS⁵创建了NewHope，NTRU和SIKE的实验性实现 ，并在Chrome浏览器和某些服务器中使用，效果良好。 如果您选择使用量子强化密钥交换，则BSI(相当于美国NIST的德语版本) 建议使用FrodoKEM或ClassicMcElice。 量子后签名方案并未引起人们的广泛关注，因为它们与保护“立即保存，以后解密”式攻击的意义不大。 它们在中间攻击中受到保护，而中间攻击必须实时进行，即在建立连接时。

强大的组合器 (Robust Combiners)

Post quantum crypto primitives are new and shiny; with crypto as with databases this is a bad thing. It means we can not really trust these algorithms’ security as there is still a good chance some of these will turn out to be insecure in future cryptanalytic works. If we were to rely on them alone, our cryptographic protocol may not only be susceptible to quantum attacks but to classical attacks as well. This would be a total failure.

后量子密码原语是新的和有光泽的。 加密与数据库一样，这是一件坏事。 这意味着我们不能真正相信这些算法的安全性，因为在将来的密码分析工作中仍有很大一部分机会会变得不安全。 如果我们仅依靠它们，那么我们的密码协议可能不仅容易受到量子攻击，而且也容易受到经典攻击。 这将完全失败。

Optimally we would find some way to combine state-of-the-art asymmetric cryptographic primitives with post quantum ones, similar to how we combined symmetric and asymmetric cryptography to get the best from both worlds. There is a way and the study of how to do this securely is called “Robust Combiners”; enter the term in the search engine of your choice and you will find that there are a lot of constructions that are unsafe — proven to be bad. One of the few things that has been show to work as a robust combiner is the concatenation combiner: Simply perform both key exchanges and concatenate the secrets they produce. You will end up with a secret twice the size, which is not really a problem because we just use it as the input for our key derivation function anyways. Combining signature schemes is trivial because we can just use both; test each signature and if one of the tests fails, consider the signature to be invalid.

最佳地，我们将找到一种将最新的非对称密码原语与后量子密码原语相结合的方法，类似于我们将对称密码学与非对称密码原语相结合以从两个领域中获得最大收益的方式。 有一种方法，关于如何安全地执行此操作的研究称为“鲁棒合并器”； 在您选择的搜索引擎中输入术语，您会发现许多不安全的构造—证明是不好的。 可以用作健壮的组合器的几件事情之一是串联组合器：只需执行密钥交换并串联它们产生的秘密即可。 您最终将得到一个两倍大小的秘密，这并不是一个真正的问题，因为无论如何我们只是将其用作密钥派生函数的输入。 组合签名方案是微不足道的，因为我们可以同时使用两者。 测试每个签名，如果其中一项测试失败，则认为签名无效。

放在一起：量子强化加密协议的组成 (Putting it together: The make up of a quantum hardened crypto protocol)

Now, finally, we can actually come up with a quantum hardened cryptographic protocol: Perform two key exchanges — one post quantum key exchange and one legacy key exchange; and concat their secrets. Perform two authentication steps; again, one quantum hardened and one legacy authentication. Use your key derivation function to format the combined secrets and start encrypting data. That’s it.

现在，最后，我们实际上可以提出一种量子强化的加密协议：执行两次密钥交换-一个进行量子密钥交换，然后进行遗留密钥交换； 并掩饰他们的秘密。 执行两个认证步骤； 再次，一个量子硬化和一个传统认证。 使用密钥派生功能来格式化组合的机密并开始加密数据。 而已。

选择原语和实现 (Choosing primitives and implementations)

Should you ever be given the challenge to quantum harden a protocol, you will find yourself trying to decide which cipher to use. Unfortunately, there is no straight answer to this question yet; the jury is still out on which post quantum primitives will turn out to be secure and which ones have vital flaws. If you had to choose, Classic McEleice is based on a crypto system invented in 1979 that has been analyzed pretty extensively. It is probably secure, but its key sizes are huge, too huge to fit into the memory of the chip I was programming. If memory is not a giant constraint for your application, use Classic McEleice. FrodoKEM is not as well analyzed, but probably not a terrible choice either and it’s keys are still large, but not prohibitively so at least for the chip I was using. Sphincs+ is probably not a terribly choice for a post quantum signature algorithm, but its signatures are around 40Kb large, so probably too large for a lot of platforms especially when trying to establish a chain of trust.

如果您面临对量子加密协议进行挑战的挑战，您将发现自己试图决定使用哪种密码。 不幸的是，这个问题尚无直接答案。 关于哪些后量子原语将被证明是安全的，以及哪些具有重大缺陷尚无定论。 如果必须选择，Classic McEleice基于1979年发明的加密系统 ，已经对其进行了广泛的分析。 它可能很安全，但是它的密钥大小很大，太大而无法放入我正在编程的芯片的内存中。 如果内存不是您的应用程序的主要限制，请使用Classic McEleice。 FrodoKEM的分析还不够好，但选择也不是一个糟糕的选择，它的密钥仍然很大，但至少不是我所使用的芯片那么高。 对于后量子签名算法，Sphincs +可能不是一个可怕的选择，但是它的签名大约40Kb大，因此对于许多平台而言可能太大，尤其是在尝试建立信任链时 。

As for implementations, libsodium is what you should use in most applications for pre quantum algorithms and symmetric crypto. It provides a very small, secure set of cryptographic functions and follows usable security API design practices which make it comparatively hard to create unsafe constructions. There are alternatives implementing a wider array of cryptographic primitives, but often these include unsafe primitives or ones which are only secure when used in very specific ways. A limited set of choices can be a good thing.

至于实现， libsodium是您在大多数应用中应使用的预量子算法和对称加密算法。 它提供了一个非常小的，安全的密码功能集，并遵循可用的安全API设计实践，这使得创建不安全的构造相对困难。 有一些替代方法可以实现更广泛的加密原语，但是通常这些替代方法包括不安全的原语或仅在以非常特定的方式使用时才是安全的原语。 有限的选择集可能是一件好事。

Finally, there are a couple of libraries that implement post quantum crypto primitives; these implementations are of course not as tried and true as libsodium, but they do follow similar API design guides. There is Open Quantum Safe which is a good default choice as a source of post quantum crypto algorithms. PQClean provides a lot of the implementations used in OQS; I ended up using this one just because I had an easier time compiling it for my platform. mupq implements variants of post quantum primitives optimized for Arm M4; I could have used this, I ended up not using this simply because speed wasn’t an issue at all for my platform, memory was the primary constraint.

最后，有几个实现后量子密码基元的库； 这些实现当然不像libsodium那样真实可靠，但是它们确实遵循类似的API设计指南。 有Open Quantum Safe ，它是后量子密码算法的一个很好的默认选择。 PQClean提供了OQS中使用的许多实现。 我之所以最终使用该程序，是因为我可以更轻松地为自己的平台编译它。 mupq实现了为Arm M4优化的后量子图元的变体； 我本可以使用它，但我之所以最终不使用它，仅仅是因为速度对于我的平台根本不是问题，内存是主要约束。

[1]: https://en.wikipedia.org/wiki/Cryptographic_protocol; this is the sort of technology used to encrypt live connections; TLS — the protocoll your browser is using to fetch this blog post — is an example of such a protocol.

[1]： https ： //en.wikipedia.org/wiki/Cryptographic_protocol ； 这是一种用于加密实时连接的技术； TLS(您的浏览器用来获取此博客文章的协议)是这种协议的示例。

[2]: On average — there must be a 50% probability for each bit to be one or zero.

[2]：平均—每个位必须为50或1的概率为零。

[3]: Download my public key from my web serverhttps://cupdev.net/keys/7EA37614E956818EBFEA76526739B1556DBB745A.asc or from the key servers: `gpg — search-key 7EA37614E956818EBFEA76526739B1556DBB745A`

[3]：从我的Web服务器https://cupdev.net/keys/7EA37614E956818EBFEA76526739B1556DBB745A.asc或从以下关键服务器下载我的公钥：gpg-搜索键7EA37614E956818EBFEA76526739B1556DBB745A`

[4]: This includes RSA, DSA, Diffie-Hellman and all Elliptic Curve Cryptography

[4]：包括RSA，DSA，Diffie-Hellman和所有椭圆曲线密码术

[5]: Transport Layer Security, your browser is using this to encrypt the connection with the blog’s HTTP server.

[5]：传输层安全性，您的浏览器正在使用它来加密与博客的HTTP服务器的连接。

[6]: Secure Shell; the most widely used protocol for administrating servers on the internet.

[6]：安全壳； 用于管理Internet上服务器的最广泛使用的协议。