Quantum Cryptanalysis

Motivation

Quantum cryptanalysis is at the crossroad between quantum computing and cryptography, and this Dagstuhl Seminar aims to study quantum attacks against cryptographic solutions that are deployed or considered for standardization. Apart from algorithmic insights, we are interested in software tools that support the quantum cryptanalyst in optimizing and quantifying (quantum) resources. We plan to explore the security of symmetric and asymmetric cryptographic solutions against quantum attacks.

The seminar is a sequel to Dagstuhl Seminars Nº 11381, Nº 13371, Nº 15371, Nº 17401, and Nº 19421 with the same title. This sixth installment of the Quantum Cryptanalysis series intends to focus on deployed schemes and more mature post-quantum cryptographic schemes, such as Round 3 candidates in NIST’s standardization effort. The envisioned emphasis is on quantum cryptanalysis, which includes learning about software tools to improve cost analyses.

For the technical program, we are particularly interested in

1. Quantum algorithmic innovations to attack cryptographic building blocks.
   How can we levarage quantum algorithms to improve cryptanalytic capabilities, and how can we optimize the best available cryptanalytic results in meaningful quantum attack models? We want to fully leverage state-of-the-art quantum computing.
2. Techniques and software tools to optimize and quantify resources for such attacks.
   Can we establish reasonably precise quantum resource counts for cryptanalytic attacks, especially for problem instances and parameter choices that are actually deployed or considered for standardization for future deployment?

Quantum attacks against today’s RSA or elliptic-curve based cryptography, and against AES are naturally part of this conversation. This is needed to have reliable estimates for when a transition to new algorithms is needed. We are no less interested in quantum attacks on mature post-quantum proposals, so that standardized parameters can stand the test of time without impeding on performance more than necessary.

Complementing theoretical investigations, we are interested in presentations on existing tools to analyze quantum algorithms/circuits in software. The composition of the seminar group should help to identify which tools/features cryptanalysts are lacking most to reliably quantify the cost of advanced quantum cryptanalytic attacks.

As in the past, the seminar brings together researchers who work in the field of quantum computing with experts in classical cryptography, taking into account the latest advances in both fields, and we aim at a group composition with about 50% of the participants having strong roots in each of these two fields.