At the moment, communication between electronic systems is secured by means of cryptography to achieve confidentiality, integrity and authenticity, in other words, to make sure that no third party can learn anything about the content of the data, modify the data unnoticed, or fake the origin of the data. Most applications require a mix of different cryptosystems to achieve this, and almost all of them use at least one component based on number-theoretic assumptions related to integer factorization or computing discrete logarithms in finite groups. A major problem is that Peter Shor developed a polynomial-time quantum algorithm that factors integers and computes discrete logarithms. The only reason we can still rely on methods based on these problems for security is that Shor's algorithm requires a sufficiently large quantum computer, and such a computer does not exist yet.
However, progress in theoretical and applied physics is bringing such a computer within reach in the next decade or two. The US National Academy of Sciences published a report stating that, while experts do not expect a quantum computer large enough to threaten encryption within the next ten years, they caution that it is high time to switch systems to cryptography based on different mathematical assumptions that are not broken by quantum computers. Post-quantum cryptography is cryptography designed under the assumption that the attacker has a large quantum computer.
In line with this urgency, the US National Institute of Standards and Technology, NIST, is hosting a public competition to select standards for post-quantum cryptography. NIST is looking for encryption and signature algorithms, the fundamental building blocks of public-key cryptography. This competition is currently in its third round; 15 of the initial 69 candidates are still in the race, and most of them are holding up well in terms of security. With so much attention and so many algorithms to choose from, should one not expect that all problems are solved? First of all, the post-quantum systems rest on different assumptions and thus require different computations to be performed. Typically they operate on keys, ciphertexts and signatures that are larger than those of currently deployed systems, which can cause trouble with the bandwidth available for input or output. Furthermore, real-world applications need to combine these building blocks into a larger sequence of operations, typically called a cryptographic protocol, and often enough require special properties of the building blocks. While these requirements are challenging for notebooks, smartphones, desktop computers and internet servers, they pose a significant burden on small computing devices, so-called embedded devices, that are built into today's technology such as cars, refrigerators and industrial appliances.
This means that there is a lot of work to be done, and it cannot be done by a single group. It needs contributions from designers of post-quantum systems, from scientists building larger protocols, from researchers working on efficient and secure implementations, and from industry and affiliated researchers who provide use cases, constraints and challenges from real-world applications. The goal of the workshop is to bring together researchers working in these four areas to jointly tackle the problems of post-quantum cryptography for applications in embedded devices.
A first workshop on this topic was scheduled for October 2020 and took place online due to the travel and meeting restrictions in force at the time. The 2022 workshop aims to continue and intensify the fruitful collaborations resulting from the first workshop and to extend them to new topics and projects. The most important outcome of the workshop will be the initiation and solidification of collaborations between industry, as one of the users of post-quantum cryptography, and the researchers who develop and implement post-quantum cryptography. This will make it possible to communicate further requirements from industrial use cases, as well as the limitations of existing proposals. To disseminate the outcome of these discussions more widely, the organizers will prepare a position paper. The paper will summarize the industry requirements and the shortcomings of existing post-quantum cryptography solutions for embedded devices, based on the discussions at the workshop. In the longer run, we expect several scientific publications to result from the workshop as a result of the collaborations initiated in the working groups.