% !!!IMPORTANT NOTE: Please read carefully all information including those preceded by % sign %Before you compile the tex file please download the class file AIMS.cls from the following URL link to the %local folder where your tex file resides. http://aimsciences.org/journals/tex-sample/AIMS.cls. \documentclass{aims} \usepackage{amsmath} \usepackage{paralist} \usepackage{graphics} %% add this and next lines if pictures should be in esp format \usepackage{epsfig} %For pictures: screened artwork should be set up with an 85 or 100 line screen \usepackage{graphicx} \usepackage{epstopdf}%This is to transfer .eps figure to .pdf figure; please compile your paper using PDFLeTex or PDFTeXify. \usepackage[colorlinks=true]{hyperref} % Warning: when you first run your tex file, some errors might occur, % please just press enter key to end the compilation process, then it will be fine if you run your tex file again. % Note that it is highly recommended by AIMS to use this package. \hypersetup{urlcolor=blue, citecolor=red} %\usepackage{hyperref} \textheight=8.2 true in \textwidth=5.0 true in \topmargin 30pt \setcounter{page}{1} % The next 5 line will be entered by an editorial staff. \def\currentvolume{X} \def\currentissue{X} \def\currentyear{200X} \def\currentmonth{XX} \def\ppages{X--XX} \def\DOI{10.3934/xx.xx.xx.xx} % Please minimize the usage of "newtheorem", "newcommand", and use % equation numbers only situation when they provide essential convenience % Try to avoid defining your own macros \newtheorem{theorem}{Theorem}[section] \newtheorem{corollary}{Corollary} \newtheorem*{main}{Main Theorem} \newtheorem{lemma}[theorem]{Lemma} \newtheorem{proposition}{Proposition} \newtheorem{conjecture}{Conjecture} \newtheorem*{problem}{Problem} \theoremstyle{definition} \newtheorem{definition}[theorem]{Definition} \newtheorem{remark}{Remark} \newtheorem*{notation}{Notation} \newcommand{\ep}{\varepsilon} \newcommand{\eps}[1]{{#1}_{\varepsilon}} %% Place the running title of the paper with 40 letters or less in [] %% and the full title of the paper in { }. \title[Cryptography in the Quantum Era] %Use the shortened version of the full title {New Mission and Opportunity for Mathematics Researchers: Cryptography in the Quantum Era} % Place all authors' names in [ ] shown as running head, Leave { } empty % Please use `and' to connect the last two names if applicable % Use FirstNameInitial. MiddleNameInitial. LastName, or only last names of authors if there are too many authors \author[Lidong Chen and Dustin Moody]{} % It is required to enter 2010 MSC. \subjclass{Primary: 11T71, 14G50; Secondary: 94A60.} % Please provide minimum 5 keywords. \keywords{Post-quantum cryptography, public-key cryptography, mathematical research, standarization, quantum-safe, quantum resistant.} % Email address of each of all authors is required. % You may list email addresses of all other authors, separately. \email{lily.chen@nist.gov} \email{dustin.moody@nist.gov} % Put your short thanks below. For long thanks/acknowlegements, %please go to the last acknowlegments section. %\thanks{The first author is supported by NSF grant xx-xxxx} % Add corresponding author at the footnote of the first page if it is necessary. % Plase add $^*$ adjacent to the corresponding author's name on the first page. % The example shown in this template is if the first author is the corresponding author. \thanks{$^*$ Corresponding author: } \begin{document} \maketitle % Enter the first author's name and address: \centerline{\scshape Lidong Chen$^*$ and Dustin Moody} \medskip {\footnotesize % please put the address of the first author \centerline{Computer Security Division} \centerline{ National Institute of Standards and Technology} \centerline{ Gaithersburg, MD 20899, USA} } % Do not forget to end the {\footnotesize by the sign } %\medskip % %% Enter the first author's name and address: %\centerline{\scshape Dustin Moody} %\medskip %{\footnotesize %% please put the address of the first author % \centerline{Computer Security Division} % \centerline{ National Institute of Standards and Technology} % \centerline{ Gaithersburg, MD 20899, USA} %} % Do not forget to end the {\footnotesize by the sign } \bigskip % The name of the associate editor will be entered by an editorial staff % "Communicated by the associate editor name" is not needed for special issue. \centerline{(Communicated by the associate editor name)} %The abstract of your paper \begin{abstract} This article introduces the NIST post-quantum cryptography standardization process. We highlight the challenges, discuss the mathematical problems in the proposed post-quantum cryptographic algorithms and the opportunities for mathematics researchers to contribute. \end{abstract} %The title of your section 1 \section{Public-Key Cryptography and Quantum Challenges} Since its invention in 1976, public-key cryptography has greatly rejuvenated many areas of mathematics, such as number theory and finite fields for their applications in cryptography. Today, the most widely deployed public key cryptography schemes (RSA encryption, RSA signatures, Diffie-Hellman key agreement, Elliptic Curve Digital Signature Algorithms) are either based on the hardness of integer factorization or the discrete logarithm problem. By hardness we mean no polynomial time algorithms have been found to solve the problems. Since the 1990s, the National Institute of Standards and Technology (NIST) has published public-key cryptography standards through Federal Information Processing Standards (FIPS) 186 \cite{ref1} for signatures and NIST Special Publications (SP) 800-56A and 800-56B \cite{ref2,ref3} for key establishment. These standards have been widely implemented in communication networks and digital devices, which have served as the cornerstone of cybersecurity. The hardness of the integer factorization and discrete logarithm problems is believed to provide sufficient security for applications utilizing classical computing technology. However, Peter Shor’s astounding results \cite{ref4} show that with quantum computers, factorization and discrete logarithms can be solved in polynomial time. That is, the arrival of quantum computers will fatally shake the security of all widely deployed public-key cryptographic schemes. Besides public-key cryptography, NIST cryptographic standards also cover symmetric-key based cryptographic algorithms such as block ciphers \cite{ref5} and message authentication codes \cite{ref6}. For symmetric-key based cryptosystems, there is also an impact on security as a result of quantum computers. Using Grover’s algorithm \cite{ref7}, there is a square root speed up which reduces the key search complexity from $2^n$ to $2^{n/2}$ for a block cipher with an $n$-bit key. The quantum impact on symmetric-key based cryptography can be handled by simply increasing the key size, until a quantum complexity of $2^{n/2}$ is considered infeasible to launch an attack. In this article, we therefore focus our discussion on public-key cryptography. In dealing with the quantum challenge, a first question is whether there are any problems which remain hard, even in the face of quantum computers. And if yes, then whether a cryptographic mechanism can be built whose security is based on both the classical and quantum hardness of the problem. We will discuss these problems in the next section. \section{Post-Quantum Cryptography} In fact, even though the most widely deployed public-key cryptographic mechanisms are either based on the integer factorization or discrete logarithm problem, they are certainly not the only hard problems upon which public-key cryptosystems have been based. Even in the 1970s, other public-key cryptography mechanisms were proposed with different security assumptions. One example is the McEliece cryptosystem \cite{ref8}. It is based on the hardness of decoding a general linear code, which is classically known to be hard and seems immune to Shor’s quantum attack. The original algorithm used binary Goppa codes, and it never gained much acceptance in the cryptographic community for its overly large size of public keys. At the time when public-key cryptography was first deployed, the computing capacity and communication bandwidth were far more limited in comparison with today’s technology. In addition, there were other systems, like the knapsack cryptosystem \cite{ref9}, which were not adopted due to security flaws. In 1996, the NTRU cryptosystem \cite{ref10} was proposed by three mathematicians from Brown University based on certain hard problems involving lattices. NTRU included both an encryption and digital signature mechanism, a feature shared by the popular RSA cryptosystem in which encryption and signatures use the same operations. Even though the original NTRU signature mechanism was broken \cite{ref11}, its encryption algorithm is still believed to be secure (even against quantum attacks). Ever since it was known that large-scale quantum computers would threaten our currently deployed public-key cryptosystems, researchers have looked for schemes which can resist both classical and quantum attacks. This field has come to be known as post-quantum cryptography, also known as quantum-resistant or quantum-safe cryptography. Over the past decade, post-quantum cryptography has become arguably the most active area in cryptography. It has attracted researchers in mathematics, computer science, and quantum information among other areas. Hundreds of papers are presented, published, and released each year. To design new cryptographic algorithms which are able to resist quantum computers, researchers first look for hard mathematical problems upon which cryptographic mechanisms can be built. Besides the previously mentioned hard problems involving lattices and coding, other problems and structures have been explored. For example, solving a non-linear system of multivariate polynomial equations or recovering an unknown isogeny between a pair of supersingular elliptic curves. While historically many public-key cryptographic systems have relied on using an algebraic or number theoretical problem, so called hash-based signatures use the one-wayness of cryptographic hash functions \cite{ref12}. This idea was proposed in the 1970s to build one-time signatures. The concept was later extended to more general signature schemes known as stateful hash-based signatures. The internal state must be carefully managed to ensure that each private key can be used only once to generate a signature. More recently, stateless hash-based signatures have been proposed, which do not require managing the state at all. Among these various categories, some are relatively new while others are based on ideas known for many years. Research in these areas has involved establishing security based on several different assumptions, as well as optimizing for efficiency by including more algebraic structure in an effort to reduce parameter sizes. Informally, when we say the security of a cryptographic mechanism $\mathcal{A}$ is based on a certain hard problem $\mathcal{B}$, we mean there is a reduction proof which shows that breaking the mechanism $\mathcal{A}$ implies finding an efficient algorithm to solve the problem $\mathcal{B}$. Here “breaking” means an algorithm violates some pre-defined security definition, such as being secure against chosen ciphertext attacks for public-key encryption algorithms. To prove a mechanism quantum secure, it must be understood what is meant by the statement that a problem is “quantum hard”. It usually just means that nobody has found a quantum algorithm to efficiently solve it (i.e. in polynomial time). We note that Shor’s algorithm is not a generic black-box approach. That is, it exploits some of the structure inherent in the factorization and discrete logarithm problems, and cannot be trivially applied to other problems. Even though it is believed that there are no polynomial time quantum algorithms to solve NP-complete problems \cite{ref13}, most of the assumptions used in post-quantum cryptography are variations of hard problems which have not been proven to be NP-hard. The theory to support the security of post-quantum cryptography algorithms is far from being perfect, which leaves a large space for researchers to explore. When a cryptographic algorithm is actually implemented in an application, the practical security is even more complicated. Over the past few decades, we have observed countless failures showing that security flaws can be exploited in many ways. For example, an improper padding method can leak information about the private key. As another example, it has been demonstrated that carefully observing resource consumption or timing information can lead to side-channel attacks. Most post-quantum cryptography mechanisms presented in the literature are relatively new, and numerous details must be investigated before they can be safely adopted for practical applications. Besides security, a second factor to determine whether a cryptographic algorithm can be used in a given application environment is its efficiency. Performance is not only counted by an algorithm’s processing speed but also the memory requirement: key sizes, data expansion rate (i.e. ciphertext size), signature size etc. For a post-quantum cryptography mechanism, many elements, such as incorporating algebraic structure and the selection of concrete parameters, can impact the performance. For example, schemes based on more structured assumptions tend to have smaller keys. However, those assumptions are frequently not proven to be equivalent to the corresponding generic assumptions. Designers are faced with the dilemma of taking a conservative approach in regards to security or a more aggressive approach which optimizes performance. As we can see, there are a considerable number of topics in post-quantum cryptography which need to be explored by researchers and it will likely take many years to get some of the most important questions answered. However, with the significant progress being made in building quantum computers, it is more and more urgent to replace the currently deployed public-key cryptography tools with quantum-resistant counterparts. It usually takes several years to develop standards, besides who can say how many years for industry to make a migration to new cryptographic mechanisms. In the next section, we will introduce NIST’s initiative in regard to the standardization of post-quantum cryptography. \section{NIST's Standardization Approach} NIST started to develop cryptographic standards in the 1970s, with the first cryptographic standard the Data Encryption Standard (DES) \cite{ref14}. At that time, confidentiality was the most critical objective for information security. When the security of DES was not sufficient any more \cite{ref15}, NIST initiated a competition from 1997 to 2000 to select a new block cipher for standardization. The competition was open to researchers worldwide to submit their designs for block ciphers. The Advanced Encryption Standard (AES) was selected among 15 second round candidates and published in FIPS 197. Today, AES has been implemented in almost every piece of communication equipment and digital device. Another essential cryptographic primitive is a hash function. Hash functions are used for digital signatures, message authentication codes, key derivation functions and many other cryptographic purposes. The SHA-1 and SHA-2 hash function families are specified in FIPS 180-4 \cite{ref17}. In 2005, the first practical attack on SHA-1 was presented. To make sure the hash function standards could provide sufficient security, in 2007 NIST organized a competition through which NIST selected the SHA-3 family of hash functions. SHA-3 was standardized in FIPS 202 \cite{ref16}, to complement the SHA-2 family of hash functions. Both the AES and SHA-3 competitions were very successful and cryptographic competitions became a well-accepted procedure to select major cryptographic primitives for standardization. A natural question is whether a competition would be a good approach in selecting post-quantum cryptography mechanisms for standardization. To answer this question, we need to understand the scope of post-quantum cryptography standardization. NIST public-key cryptography standards cover only the most essential functions: public-key encryption, key agreement, and digital signature. Thus first and foremost, the scope for post-quantum cryptography standardization is to find quantum-resistant replacements for these three main functions. The three different functions are in contrast to previous competitions which were looking at only one functinality (block cipher or hash function). Second, post-quantum cryptography is a new and active area. The understanding of both the security and performance, as we discussed in the previous section, is far from being complete. Thus, narrowing down a candidate pool of algorithms may not precisely reflect a fair comparison among the candidates. Studying the literature, it is easily observed that each post-quantum mechanism seems to have both advantages and also inescapable disadvantages, which may make it hard to find a perfect winner for each cryptographic function. Also, to protect against potential attacks against schemes which may not have been thoroughly scrutinized enough, more than one candidate may be needed for each function to satisfy the requirements of different applications. The procedure is full of uncertainty and demands extraordinary collaboration among researchers. The competitive atmosphere may not be conducive to helping standardize the best designed mechanisms. Nonetheless, NIST announced its plan of initiating post-quantum cryptography standards through a competition-like process at the PQCrypto 2016 conference \cite{ref18}. The announcement clearly indicated that the algorithms to be standardized would be solicited through a call for proposals worldwide. In the procedure of developing submission criteria, NIST released draft acceptability requirements and evaluation criteria for public comments before the final announcement \cite{ref19}. Many of the comments NIST received very much reflected the major challenges which we will discuss throughout the rest of this section. For post-quantum cryptography, the uncertainty of quantum security measurement is probably the most vexing problem. In today’s cryptographic standards, classical security is specified by the complexity of the best-known algorithms in solving the underlying hard problem. For example, for the RSA cryptosystem, the security strength is measured by the complexity of the best factorization algorithm in regard to the binary length of the public key parameter $n$. In contrast, the security of post-quantum cryptographic mechanisms is based on various hard problems under the consideration of both classical and quantum computers. When using classical methods, one may or may not be able to use the quantum Grover’s algorithm to speed up the computation. Furthermore, the quantum security requirements must be based on certain assumptions on future quantum computers including memory spaces and circuit depth. There does not seem to be a straightforward way to set requirements on security strength with a number of bits as NIST has done for classical security strengths. As a result, NIST included five security categories in the final call for proposals. In each of the categories as shown in Table 1, classical and quantum security were related to the hardness of breaking a NIST standardized block cipher or hash function. The theory of security proofs in cryptography has advanced significantly in the past 20 years. During this time when we are looking for quantum-resistant cryptography mechanisms, security proofs with a standard definition have become part of the general approach for the assessment of a new cryptographic algorithms. The NIST call for proposals encourages security proofs against well accepted security definitions. It requires “semantically secure” encryption or key encapsulation with respect to adaptive chosen ciphertext attack (IND-CCA2) and existentially unforgeable digital signatures with respect to an adaptive chosen message attack (EUF-CMA). The notion of secure against chosen plaintext attack (CPA) can be used for encryption or key establishment if it is to be employed in a purely ephemeral-key protocol. \begin{table}[h!] \begin{center} \caption{Security Categories} \label{tab:table1} \begin{tabular}{|c| l |} \hline \textbf{Categories} & \multicolumn{1}{c}{\textbf{Security Description}} \\ \hline \textbf{I} & At least as hard to break as AES128 (exhaustive key search) \\ \hline \textbf{II} & At least as hard to break as SHA256 (collision search)\\ \hline \textbf{III} & At least as hard to break as AES192 (exhaustive key search) \\ \hline \textbf{IV} & At least as hard to break as SHA384 (collision search)\\ \hline \textbf{V} & At least as hard to break as AES256 (exhaustive key search) \\ \hline \end{tabular} \end{center} \end{table} Post-quantum cryptography mechanisms must also deal with many issues which haven’t occurred in the current widely used public-key cryptography standards. For example, decryption failure happens in some post-quantum encryption mechanisms. Even though it usually only happens with a very small probability, it needs to be checked that it does not introduce any security flaws when instantiated in any particular protocol. As another example, some encryption mechanisms have security vulnerabilities if a public key is re-used more than one time, and so cannot be used in applications which have static keys. An increasingly important security feature is protection against side-channel attacks. Certain countermeasures can be applied to resist side-channel attacks, but may have a significant impact on the efficiency. The NIST call for proposals states the desire of optimized methods in addressing side-channel attacks, including choosing algorithms with constant-time implementation. The procedure of developing the NIST requirements and criteria engaged the research community to work together. Many details, which had not been investigated before, emerged and needed to be considered and clarified. While the community pursued consensus, frequently there were several different opinions presented. \section{Analysis and Evaluation} By the deadline for submission at the end of November 2017, NIST received a total of 82 submissions with design team members from 25 countries on 6 continents. After checking for “complete and proper” submissions against the published requirements, 69 were accepted as the first-round candidates, which were announced in December 2017. The candidates were publicly posted on the NIST website. Cryptographers immediately busied themselves in the security analysis of the submitted candidates. Within two months, 5 candidates were acknowledged as broken and withdrew from the process. Several other candidates had been attacked to various degrees. The 64 remaining first-round candidates were distributed into the major categories as indicated in Table 2. \begin{table}[h!] \begin{center} \caption{Distribution of First Round Candidates} \label{tab:table2} \begin{tabular}{| l| c | c | c |} \hline & \textbf{Signature} & \textbf{Encryption/KEM} & \textbf{Overall} \\ \hline \textbf{Lattice-based} & 5 & 21 & 26 \\ \hline \textbf{Code-based} & 2 & 17 & 19 \\ \hline \textbf{Multivariate} & 7 & 2 & 9 \\ \hline \textbf{Symmetric/Hash-based} & 3 & 0 & 3 \\ \hline \textbf{Other} & 2 & 5 & 7 \\ \hline & & & \\ \hline \textbf{Total} & 19 & 45 & 64 \\ \hline \end{tabular} \end{center} \end{table} NIST held the first NIST Post-Quantum Cryptography Standardization Conference in April 2018 \cite{ref20}. There were 52 presentations covering 60 of the submitted algorithms. Each team presented design rationale with highlights on their advantages, shortcomings, and differences with the other submissions. The analysis and evaluation of the first-round candidates greatly promoted research in the field, bringing about numerous results published in the literature. Researchers also submitted analysis and evaluation on candidates through publicly-shared official comments on the NIST website. More than three hundred comments were received on 51 of the first-round candidates in the first year. Many of the public comments pointed out errors in security proofs. Some others requested clarifications on definitions and specification details. A security assessment is the most important and challenging task for the first-round candidates. The security analyses have been conducted from different angles by the various submission teams. Confidence is built on those candidates which are not only proved to be secure, but also continue to stand after withstanding attacks. As could be expected, security flaws or weaknesses were found for some candidates, which may bring the underlying security assumptions into question or fall short of NIST’s required security levels. The former can doom an algorithm, while the latter may be fixable through a careful selection of updated parameters and key sizes. Even though cost and performance were not the primary focus points for the first-round evaluation, the candidates were considered for their feasibility to be used in existing applications. Some of the main features considered include computational efficiency and the memory requirements in each of the operations (key generation, encryption/decryption, signature generation/verification), as well as the size of public keys, ciphertexts, and signatures. For each of the candidate algorithms, the designers must carefully consider tradeoffs between security and performance, which is a difficult decision. One example, which may be of interest for the mathematics community, is among the category of lattice algorithms based on the Learning With Errors (LWE) problem. Using structured lattices defined using cyclotomic rings can improve efficiency, resulting in much smaller public key sizes. However, the Ring-LWE versions of the lattice problems have not be been proven to be equivalent to the generic LWE lattice problems. As a result, some design team submitted two versions of their algorithm. One is based on the generic LWE, while the other is based on Ring-LWE. Does the extra structure provide avenues for attack? There is much for the research community to explore. After over a year of analysis and evaluation, in January 2019 NIST announced 26 of the submissions as second-round candidates. The selection of the second-round candidates was based on taking into account of the security, cost and performance, and implementation characteristics of each submitted algorithm. At this stage of standardization, algorithm diversity is important to ensure research continues on a variety of fronts since different categories can complement each other. The distribution of the second-round candidates in each category is shown in Table 3. \begin{table}[h!] \begin{center} \caption{Distribution of Second Round Candidates} \label{tab:table3} \begin{tabular}{| l| c | c | c |} \hline & \textbf{Signature} & \textbf{Encryption/KEM} & \textbf{Overall} \\ \hline \textbf{Lattice-based} & 3 & 9 & 12 \\ \hline \textbf{Code-based} & 0 & 7 & 7 \\ \hline \textbf{Multivariate} & 4 & 0 & 4 \\ \hline \textbf{Symmetric/Hash-based} & 2 & 0 & 2 \\ \hline \textbf{Other} & 0 & 1 & 1 \\ \hline & & & \\ \hline \textbf{Total} & 9 & 17 & 26 \\ \hline \end{tabular} \end{center} \end{table} \section{Opportunities for Mathematics Researchers} The NIST post-quantum cryptography standardization process is a multi-year project. The second round is planned to take 12-18 months for the community and submission teams to evaluate and fine tune the candidates. NIST may further narrow down the candidates to a third round or may select directly among the second-round candidates for standardization. NIST is expected to release the post-quantum cryptography standards sometime around the year 2022 or 2023. As discussed above, to study quantum-resistant cryptosystems many mathematics problems need to be considered. Submissions to the NIST process came from several different families: lattices, codes, multivariate quadratic equations, isogenies of elliptic curves, and even braid groups. This presents a great opportunity to the mathematics research community. Even though some of these families and their related problems are not new, their properties are not well enough understood yet. In order to have confidence in any cryptosystem, we need to know it has been thoroughly analyzed for potential classical and quantum attacks. These attacks frequently exploit some property or structure of the underlying mathematical framework. For example, isogeny-based post-quantum systems were first proposed using ordinary elliptic curves. After a few years, a quantum attack was discovered which used the fact that the endomorphism ring of ordinary elliptic curves is abelian. Thereafter, isogeny-based schemes began using supersingular elliptic curves (whose endomorphism ring is non-abelian). There are many unanswered questions pertaining to post-quantum cryptography. When using different algebraic or geometric structures to construct similar cryptosystems, how can their security strength be measured and compared? Can we prove security based on hard, well-studied problems? Why is there a gap between theory and practice in some of the best known attacks (particularly in lattices)? Is it possible to make key sizes of code-based schemes smaller by using more structured codes without compromising security? We will gain more confidence if mathematicians dive deeper into these problems. There is no doubt that a strong mathematical background can help to investigate these problems in a way that people without such a background cannot. Unfortunately, there are not enough mathematicians and experts in these areas who are studying the cryptographic implications of their work. We also note that among the first-round candidates, there were some submissions based on hard problems outside of the three main categories of lattices, codes, and multivariate (see Table 2). These tended to come from areas which have not been very well explored before. Some of these attempts appear to be promising, while others were flawed. Designing a cryptographic algorithm is a very complex venture. It demands knowledge in multiple science and engineering fields. Collaboration is very important. Therefore, this also provides mathematicians an opportunity to work with researchers in other disciplines. In summary, NIST PQC standardization opens up a broader research space for mathematicians. Researchers are highly encouraged to be involved and to explore new research topics through developing cryptographic standards for the upcoming quantum era. Details about the NIST post-quantum cryptography standardization project can be found at \url{www.nist.gov/pqcrypto}. %%For acknowledgements section, please don't number the section, please begin it with \section*{Acknowledgements} %\section*{Acknowledgments} We would like to thank you for \textbf{following %the instructions above} very closely in advance. It will definitely %save us lot of time and expedite the process of your paper's %publication. % You may incorporate your references as follows in your main tex file. % Using BibTex is not recommended but can be handled. \begin{thebibliography}{99} %\bibitem{A11} % \newblock FirstNameInitial. MiddleNameInitial. LastName, % first name middle initial. and then last name. Only the first character in the paper title is capitalized. % \newblock Title of the paper, % \newblock \emph{Name of the Journal}, \textbf{Volume} (Year), StaringPage--EndingPage. % No author names: \bibitem{ref13} \newblock S. Aaronson, \newblock The limits of quantum computers, \newblock \emph{Scientific American} \textbf{298}, \newblock (2008), 62--69. \bibitem{ref9} \newblock L. Adleman, \newblock On breaking the titrated Merkle-Hellman public-key cryptosystem, \newblock in \emph{Advances in Cryptology: Crypto '82}, \newblock Springer (1982), 303--308. \bibitem{ref19} \newblock \emph{Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms}, \newblock Federal Register \textbf{81}, December 20, 2016. 92787--92788, \newblock Available at \url{https://federalregister.gov/a/2016-30615}. \bibitem{ref15} \newblock E. Biham and A. Shamir, \newblock Differential cryptanalysis of DES-like cryptosystems \newblock \emph{J. of Cryptology} \textbf{4} (1), (1991), 3--72. \bibitem{ref12} \newblock J. Buchmann, E. Dahmen, and M. Szydlo, \newblock Hash-based digital signature schemes \newblock in: \emph{Post-Quantum Cryptography} (eds. D.J. Bernstein, J. Buchmann, E. Dahmen) \newblock Springer, Heidelberg (2009), 35--93. \bibitem{ref11} \newblock G. Gentry and M. Szydlo, \newblock Cryptanalysis of the revised NTRU signature scheme \newblock in \emph{Proceedings of Eurocrypt 2002}, Lect. Notes in Comput. Sci. \textbf{2332}, \newblock Springer (2002), 299--320. \bibitem{ref7} \newblock L. K. Grover, \newblock A fast quantum mechanical algorithm for database search, \newblock \emph{Proceedings of the 28th Annual ACM Symposium on Theory of Computation}, (1996), 212--219. \bibitem{ref10} \newblock J. Hoffstein, J. Pipher, and J.H. Silverman, \newblock NTRU: a ring-based public key cryptosystem \newblock in \emph{Proceedings of ANTS '98} (ed. J. Buhler), Lect. Notes in Comput. Sci. \textbf{423} \newblock Springer (1998), 267--288. \bibitem{ref8} \newblock R. McEliece, \newblock A public-key cryptosystem based on algebraic coding theory, \newblock \emph{DSN Progress Report}, Jet Propulsion Laboratory, Pasadena, CA (1978), 42-44. \newblock Available at \url{ttp://ipnpr.jpl.nasa.gov/progressreport2/42-44/ 44N.pdf}. \bibitem{ref18} \newblock D. Moody, \newblock \emph{Post-Quantum Cryptography Standardization: Announcement and outline of NIST's Call for Submissions}, \newblock PQCrypto 2016, Fukuoka, Japan, February 24-26, 2016, \newblock Available at \url{https://csrc.nist.gov/Presentations/2016/Announcement-and-outline-of-NIST-s-Call-for-Submis}. \bibitem{ref2} \newblock NIST Special Publication (SP) 800-56A Revision 3, \newblock \emph{Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography}, \newblock National Institute of Standards and Technology, Gaithersburg, Maryland, \newblock April 2018, 141pp. Available from: \url{https://doi.org/10.6028/NIST.SP.800-56Ar3} \bibitem{ref3} \newblock NIST Special Publication (SP) 800-56B Revision 1, \newblock \emph{Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography}, \newblock National Institute of Standards and Technology, Gaithersburg, Maryland, \newblock September 2014, 121pp. Available from: \url{https://doi.org/10.6028/NIST.SP.800-56Br1} \bibitem{ref4} \newblock P. Shor, \newblock Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, \newblock \emph{SIAM J. Comput.}, \textbf{26} (5) (1997), 1484--1509. \newblock Available at \url{http://dx.doi.org/10.1137/s0036144598347011}. \bibitem{ref14} \newblock U.S. Department of Commerce, \newblock \emph{Data Encryption Standard (DSS)}, Federal Information Processing Standards (FIPS) Publication 46-3, \newblock October 1999, 22 pp. Available from: \url{https://csrc.nist.gov/CSRC/media/Publications/fips/46/3/archive/1999-10-25/documents/fips46-3.pdf}. \bibitem{ref17} \newblock U.S. Department of Commerce, \newblock \emph{Secure Hash Standard (SHS)}, Federal Information Processing Standards (FIPS) Publication 180-4, \newblock August 2015, 31 pp. Available from: \url{https://doi.org/10.6028/NIST.FIPS.180-4}. \bibitem{ref1} \newblock U.S. Department of Commerce, \newblock \emph{Digital Signature Standard (DSS)}, Federal Information Processing Standards (FIPS) Publication 186-4, \newblock July 2003, 121 pp. Available from: \url{https://doi.org/10.6028/NIST.FIPS.186-4}. \bibitem{ref5} \newblock U.S. Department of Commerce, \newblock \emph{Advanced Encryption Standard (AES)}, Federal Information Processing Standards (FIPS) Publication 197, \newblock November 2001, 47 pp. Available from: \url{https://doi.org/10.6028/NIST.FIPS.197}. \bibitem{ref6} \newblock U.S. Department of Commerce, \newblock \emph{The Keyed-Hash Message Authentication Code (HMAC)}, Federal Information Processing Standards (FIPS) Publication 198-1, \newblock July 2008, 7 pp. Available from: \url{https://doi.org/10.6028/NIST.FIPS.198-1}. \bibitem{ref16} \newblock U.S. Department of Commerce, \newblock \emph{SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions}, Federal Information Processing Standards (FIPS) Publication 202, \newblock August 2015, 29 pp. Available from: \url{https://doi.org/10.6028/NIST.FIPS.202}. \bibitem{ref20} \newblock 1st NIST PQC Standardization Conference, \newblock Ft. Lauderdale, FL, April 11-13, 2018, \newblock Available at \url{https://csrc.nist.gov/Events/2018/First-PQC-Standardization-Conference}. \end{thebibliography} \medskip % The data information below will be filled by AIMS editorial staff Received xxxx 20xx; revised xxxx 20xx. \medskip \end{document}