Migrating Applications to Post-Quantum Cryptography: Beyond Algorithm Replacement
Alexandre Augusto Giron 1,2,a
1 Graduate Program in Computer Science – Federal University of Santa Catarina, Florianópolis-SC, Brazil
2 Federal University of Technology – Parana (UTFPR), Brazil
Keywords: Post-Quantum Cryptography (PQC), Hybrid PQC, Network Security.
Abstract: Post-Quantum Cryptography (PQC) defines cryptographic algorithms designed to resist the advent of the quantum computer. Most public-key cryptosystems today are vulnerable to quantum attackers, so a global-scale transition to PQC is expected. As a result, several entities foment efforts in PQC standardization, research, development, creation of Work Groups (WGs), and issuing adoption recommendations. However, there is a long road to broad PQC adoption in practice. This position paper describes why migrating to PQC is necessary and gathers evidence that the “hybrid mode” can help the migration process. Finally, it stresses that there are risks yet to be considered by the literature. Quantum-safe protocols are being evaluated, but more attention (and awareness) is needed for the software and protocols at the application layer. Lastly, this position paper gives further recommendations for a smoother PQC migration.
1 INTRODUCTION
The Internet Society (IS) (Society, 2023) is a global initiative that often expresses the benefits of an open, accessible, cryptographically secure Internet. IS strives against opposition trying to weaken cryptography mechanisms on the Internet. Weakening the most effective protection mechanism would leave applications and systems vulnerable to an adverse scenario, such as mass surveillance. Therefore, web applications exchanging data through the Internet require robust security protocols. Otherwise, they are susceptible to eavesdroppers, depending on how the applications implement cryptography mechanisms. Strong cryptography is the mechanism that prevents attackers from disclosing and modifying transmitted data. Although strong cryptography is not permitted everywhere, fortunately, most cryptography schemes today give Internet users sufficient security guarantees.
However, since Shor’s algorithm, widely used Public-Key Cryptosystems are vulnerable to the Cryptographically Relevant Quantum Computer (CRQC) (Mosca and Piani, 2022). In the somewhat-near future, experts predict the CRQC’s capability of breaking current cryptography schemes. As a result, vulnerable schemes leave the Internet insecure against such a quantum attacker. Regarding the attacker’s capabilities, Bindel et al. (Bindel et al., 2019) define the record-now-decrypt-later attack, in which the attack starts today (or has already started) by secretly capturing data in transit and storing it for decryption when a CRQC is available. Such a threat is worrisome and limits confidentiality on the Internet.
a https://orcid.org/0000-0001-7668-7505
Researchers started addressing this issue with the so-called Post-Quantum Cryptography (PQC) (Bernstein and Lange, 2017). Also called quantum-safe or quantum-resistant, PQC is built on mathematical problems with no efficient solution by either quantum or classical computation. The purpose of PQC is to protect users of today’s computers against attackers with quantum algorithm capabilities. Therefore, PQC enables solving the quantum threat by replacing vulnerable algorithms, thus protecting users even before the CRQC arrives.
Although it looks like a simple substitution, the PQC migration is considered to be complex, non-trivial and time-consuming (Kampanakis and Lepoint, 2023). The main reasons include the widespread usage of public-key cryptography, complex characteristics of Public-Key Infrastructures (PKIs), hardware support requirements, compliance with regulations, and, more specifically, the confidence in the security of PQC schemes. PQC schemes do not have the same scrutiny and study level as classical schemes. In the same comparison, PQC schemes can significantly increase byte cost requirements.
Giron, A.
Migrating Applications to Post-Quantum Cryptography: Beyond Algorithm Replacement.
DOI: 10.5220/0012138800003555
In Proceedings of the 20th International Conference on Security and Cryptography (SECRYPT 2023), pages 857-862
ISBN: 978-989-758-666-8; ISSN: 2184-7711
Copyright © 2023 by SCITEPRESS Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)
At the time of this writing, several research efforts address the PQC migration challenges (Paquin et al., 2020; Sikeridis et al., 2020). The NIST PQC standardization process is considered a leading effort, with plans to give PQC standards by 2024 (NIST, 2016). In addition, Working Groups (WGs) were created to study PQC in different Internet-related protocols, such as Transport Layer Security (TLS) and Certificate Management Protocol (CMP). However, as time passes, PQC migration needs additional attention and increased urgency. While the migration urgency is increased due to the record-now-decrypt-later threat, the time required to change several network protocols and implementations also contributes to this urgency.
Avoiding abrupt changes is ideal since confidence in PQC security has yet to be fully established. Therefore, experts recommend the “hybrid mode” for the PQC migration, where classical cryptography schemes are combined with PQC (Bindel et al., 2019). This combination is performed to keep security as long as one of the combined parts is secure. Using hybrids as the PQC migration strategy gives more time to assess PQC security and performance impacts before replacing classical schemes.
In this context, this work discusses PQC migration strategies, including the hybrid mode, emphasizing the challenges and research gaps for PQC adoption. The contributions of this paper are:
• it emphasizes why carefully adopting PQC is necessary, discussing quantum threats and known hybrid mode strategies;
• it discusses challenges for further research, considering different PQC adoption approaches for applications;
• it gives insight into the lack of PQC awareness in application-layer protocols and applications, showing that, otherwise, the migration strategy can fail to mitigate quantum threats; and
• it gives takeaways for readers with PQC adoption recommendations, inviting further engagement regarding quantum threat awareness.
The text is organized as follows. Section 2 discusses the need for PQC migration. Section 3 shows the recommended strategies and challenges for migrating. Section 4 argues about additional risks in applications yet to be fully considered by the literature. Lastly, Section 5 gives final remarks and takeaways.
2 WHY MIGRATE TO PQC?
Considering that public-key cryptosystems are often used for authentication, non-repudiation, and Key Exchange (KEX), when vulnerable, they allow the following attacks:
• Impersonation: having access to the victim’s private key sk in a digital signature system, the attacker can impersonate by signing messages with sk. If the private key of a web server is compromised, the attacker can create a “fake” server, and then every user will think that their connection is legitimate. The server’s impersonation allows further attacks, such as disclosing user data and communications.
• Violate confidentiality: having access to the private key in a KEX process, the attacker obtains knowledge of symmetric encryption keys used in the user’s communication. Therefore, the attacker can disclose the contents of the encrypted traffic.
In theory, a CRQC executes the Shor algorithm and gives the capability to a quantum attacker to recover a private key from the victim’s public key. As of today, there is no publicly-known CRQC available. So, public-key cryptosystems used for authentication cannot be exploited for impersonation until a CRQC arrives. Experts estimate that a CRQC will eventually be available, so such cryptosystems will have to be replaced (Mosca and Piani, 2022). Given the complexity related to authentication on the Internet, such as X.509 PKIs and the uncertainty of when a CRQC will be operational, applications and systems must be prepared in advance to prevent impersonations by quantum attackers.
With regard to KEX mechanisms, the quantum threat imposes additional concerns. KEX helps applications provide confidentiality with symmetric encryption. For example, a typical KEX is the Elliptic-Curve Diffie-Hellman (ECDH), where the parties’ public keys are exchanged in the communication channel. This exchange generates a shared secret that is later used for deriving symmetric encryption keys. However, a quantum attacker could capture the whole KEX process and obtain the private keys from the exchanged public keys, thus allowing the attacker to generate the same symmetric keys. Therefore, attackers can exploit KEX mechanisms vulnerable to quantum computers to break confidentiality.
Vulnerable KEX mechanisms are worrisome because they are susceptible to a record-now-decrypt-later attack. Given that KEX is widely used in network protocols, such as TLS and SSH, quantum computers threaten the confidentiality of today’s communications. Besides, Grover’s quantum algorithm is another threat to confidentiality (Bernstein and Lange, 2017). It weakens symmetric encryption algorithms by offering a quadratic speedup over (classical) structured search in a brute-force attack. However, experts say Grover’s algorithm is difficult to apply in practice. Additionally, a simple mitigation to Grover would be to double the security parameters (such as key length) of symmetric primitives, keeping the original security expectation.
The immediate solution to the quantum threat is a replacement of vulnerable algorithms by PQC. Sometimes called “PQC Drop-in replacement” or “PQC-only deployment”, the vulnerable KEX and authentication mechanisms are replaced solely by PQC alternatives. Applications equipped with PQC can resist quantum threats, but there are still threats imposed by classical computation. For example, Rainbow was a promising PQC algorithm candidate, but now it is considered vulnerable to classical attacks (Beullens, 2022). Therefore, migrating to PQC must be handled with care. In other words, a drop-in replacement of PQC should be done after the confidence in its security is well established. Instead, the hybrid mode is recommended for an early (and smoother) adoption.
3 FIRST STEP: HYBRIDS
Hybrid PQC is an approach to adopting PQC in implementations that supports Post-Quantum Cryptography (PQC) but maintains compatibility with the classical cryptography algorithms. Hence, the security of the construction holds as long as at least one algorithm remains unbroken. In practice, hybrids are being proposed as follows:
• Concatenation of KEX objects (Stebila et al., 2020): two (or more) KEX mechanisms execute in parallel, but the exchanged public keys (or ciphertexts) of the KEX parties are concatenated before sending. Each KEX will produce a shared secret, and these secrets are concatenated prior to symmetric key-derivation. In this way, symmetric keys are produced with seeds from a classical and a PQC algorithm. An attacker would need to break each KEX to obtain the symmetric keys.
• Dual signatures: For authentication with digital signatures, the same data can be signed twice but using different signing keys (a PQC and a classical one). The verifier checks the two signatures for authenticating the data. Legacy implementations can be compatible but will check only the classical signature. Regarding the PKI for authentication, there are three possibilities (Ounsworth, 2023): (i) Composite hybrid, simple to implement in practice, where two (or more) cryptographic objects are concatenated, such as two signatures or two public keys; (ii) “Catalyst Hybrid”, where the PQC algorithm objects are added through X.509 extensions, but using them as non-critical extensions to avoid damaging legacy implementations; and (iii) Parallel PKIs, where the implementation deals with a second and post-quantum PKI. Adding a second PKI probably results in a new set of certificates to be handled by the implementation (called certification paths or certificate chains).
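The concatenation approach from the first item above, as an added example (not code from the paper or from any library it cites). It assumes a raw 64-byte P-256 public key and the Kyber sizes listed in Table 2, an HKDF-SHA256 combiner, and hypothetical function names; random bytes stand in for real ECDH and KEM outputs.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Assumed component sizes in bytes, taken from Table 2 of the paper:
# raw P-256 public key (64) and Kyber public key / ciphertext (800 / 768).
CLASSICAL_LEN = 64
KYBER_PK_LEN = 800
KYBER_CT_LEN = 768
SECRET_LEN = 32  # P-256 ECDH and Kyber both yield 32-byte shared secrets


def concat_share(classical: bytes, pq: bytes, pq_len: int) -> bytes:
    """Concatenate the classical and PQC objects into one hybrid key share."""
    if len(classical) != CLASSICAL_LEN or len(pq) != pq_len:
        raise ValueError("component has unexpected length")
    return classical + pq


def split_share(share: bytes, pq_len: int) -> Tuple[bytes, bytes]:
    """Split a received share. Fixed lengths make the boundary unambiguous,
    so truncated or padded input is rejected instead of mis-parsed."""
    if len(share) != CLASSICAL_LEN + pq_len:
        raise ValueError("hybrid share has wrong total length")
    return share[:CLASSICAL_LEN], share[CLASSICAL_LEN:]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF with SHA-256 (RFC 5869): extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive the symmetric key from both shared secrets, concatenated.
    Binding the exchanged shares via `info` is an assumption of this example."""
    if len(ss_classical) != SECRET_LEN or len(ss_pq) != SECRET_LEN:
        raise ValueError("shared secret has unexpected length")
    info = b"hybrid-kex-example" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(ss_classical + ss_pq, b"", info, 32)


def demo() -> dict:
    # Constructed stand-ins: random bytes replace real ECDH/Kyber outputs.
    client = concat_share(os.urandom(64), os.urandom(KYBER_PK_LEN), KYBER_PK_LEN)
    server = concat_share(os.urandom(64), os.urandom(KYBER_CT_LEN), KYBER_CT_LEN)
    ss_ecdh, ss_kem = os.urandom(32), os.urandom(32)
    transcript = client + server
    key = hybrid_key(ss_ecdh, ss_kem, transcript)
    return {
        "client_share_len": len(client),
        "server_share_len": len(server),
        "deterministic": key == hybrid_key(ss_ecdh, ss_kem, transcript),
        # Knowing only one of the two secrets does not yield the session key.
        "ecdh_alone_differs": key != hybrid_key(ss_ecdh, bytes(32), transcript),
        "kem_alone_differs": key != hybrid_key(bytes(32), ss_kem, transcript),
    }


if __name__ == "__main__":
    print(demo())
```
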
The Open Quantum Safe (OQS) Project (Stebila and Mosca, 2016) is a notable effort to provide a cryptographic library for use by the community. In addition, OQS provides example implementations and programming language bindings for broad adoption. In their implementations, the hybrid mode is recommended. Other implementations, such as Bouncy Castle (Factor, 2023), CIRCL (Faz-Hernández and Kwiatkowski, 2019), and OpenSSH (OpenSSH, 2022), provide hybrid modes for KEX operations. Table 1 summarizes implementations and applications using hybrid modes. The industry’s interest in hybrid modes is evident, considering the Google, Cisco, and Cloudflare experiments (Braithwaite, 2016; Westerbaan, 2021; Kampanakis, 2020), and Internet Engineering Task Force standardization drafts (Stebila et al., 2020). They focus on the hybrid KEX for PQC adoption.
Several reports suggest small performance penalties when comparing hybrids to PQC-only replacements (Paquin et al., 2020). For example, Sikeridis et al. (Sikeridis et al., 2020) experimented with hybrids in TLS and SSH protocols. Their work shows that the average latency of hybrids is less than 2% compared to PQ-only instances. Combining efficient elliptic curve operations with the PQC alternatives in a hybrid mode results in a good performance, considering computation time and byte costs.
Unfortunately, PQC significantly increases the sizes of cryptographic objects, such as public keys and signatures. Building a hybrid instance requires adding at least one PQC algorithm (called ingredient) to the classical scheme, so it increases the number of cryptographic objects being transmitted between parties, and it requires a cryptographic combiner that has to combine the algorithms securely (i.e., keeping the security properties of the combined ingredients) (Bindel et al., 2019).
Table 1: Popular cryptographic implementations and their PQC support features (if present).
| Implementation | Release Version | PQC Support? | Hybrid mode? |
|----------------|-----------------|--------------|--------------|
| OQS-OpenSSL    | 1.1.1           |              | Present      |
| OpenSSL        | 3.1.0           |              | Not present  |
| OpenSSH        | 9.0             |              | Default      |
| Bouncy Castle  | 1.73            |              | Present      |
| Wolf SSL       | 5.6.0           |              | Present      |
| Mbed TLS       | v3.4.0          |              | Not present  |
| CIRCL          | v1.3.2          |              | Present      |
There are general challenges in adopting PQC in practice. For example, some PQC schemes need state management (e.g., control of how many signatures can be performed). Other schemes must deal with decryption failure and error sampling mechanisms. From a high-level perspective, some protocols and systems lack crypto-agility, with hard-coded parameters. Few cryptographic libraries support PQC (Table 1), but they must be integrated into existing software.
The NIST PQC standardization process can help developers concerning which PQC algorithms they can use in their applications (NIST, 2016). For Key-Encapsulation Mechanisms (KEMs), NIST announced Kyber as a primary choice for KEM to be standardized by 2024. For Digital Signatures, NIST announced Dilithium as a primary choice but added Falcon and Sphincs+ as alternatives. Table 2 allows comparing sizes of selected PQC algorithms and classical algorithms. Notably, other organizations are also putting effort into PQC: the standards being proposed by the IETF and the recommendations issued by European agencies such as ENISA, ETSI, BSI, and ANSSI (Ounsworth, 2023). Besides, NIST has recently started a migration project to help the PQC adoption awareness (NIST, 2023). Except for NSA, most agencies recommend or allow the hybrid mode.
Decreasing cryptographic payloads is beneficial for the performance of network applications. Still, the increased-size challenge remains open. For example, the NIST PQC process has an open call for new signature schemes with smaller sizes. Although hybrids share the same problem, Table 2 shows that adding the size of classical schemes to PQC does not increase the overall size significantly.
In summary, this paper takes a position in favour of a hybrid strategy for the PQC migration for the following reasons. First, a non-disruptive transition to PQC: the negotiation process should allow backward compatibility to avoid denying access to services, depending on internal policies. Secondly, the confidence in traditional cryptography: algorithms such as RSA and DH have been studied for many years. Some PQC algorithms and their cryptographic assumptions are more recent compared to others. Users may have more confidence in traditional cryptography regarding its security. Third, for regulatory and compliance requirements: government and industry use cases of cryptography may have to obey specific regulations or compliance with published standards. Lastly, the level of scrutiny of implementations: the wide variety of available cryptographic implementations indicates that this scrutiny can take many years. Similarly to the algorithms scrutiny time, the implementations also need scrutiny time to increase the confidence in PQC usage in practice.
Table 2: Comparison of classical and some PQC schemes (at level 1) selected by the NIST process. Type stands for (S)ignature or (K)EM/KEX.
| Algorithm Name | Public Key size (bytes) | Ciphertext or Signature size | Type | Quantum-safe? |
|----------------|-------------------------|------------------------------|------|---------------|
| NIST P256      | 64                      | 64                           | K    |               |
| Kyber          | 800                     | 768                          | K    |               |
| ECDSA          | 64                      | 64                           | S    |               |
| Falcon         | 897                     | 690                          | S    |               |
| Dilithium      | 1312                    | 2420                         | S    |               |
| Sphincs+       | 32                      | 7856                         | S    |               |
4 APPLICATION-LEVEL RISKS
In preparation for the PQC migration, awareness of the quantum threats is essential. Given the urgency of record-now-decrypt-later attacks, this need requires increased attention.
Although deploying hybrids is recommended, this work argues that it may not be enough for quantum-safe protection from the application’s perspective. The main reason is the sensitive data that some applications have to manage. Such sensitive data could be further exploited by quantum attackers, even if the application has already migrated to PQC.
Due to the record-now-decrypt-later attack, long-term confidential information can be exploited after an application’s PQC migration. For a complete migration to the post-quantum era, PQC algorithm replacement might not suffice if confidential (or long-term) user data can allow future interactions with the application. As a result, applications must manage user data considering what knowledge quantum adversaries can get. A “quantum risk assessment process” should include policies and security measures to protect against the quantum threat.
Considering concrete examples, in this case, application-layer protocols and software, Table 3 summarizes the risks under the record-now-decrypt-later attack. Each application requires a confidential channel, often provided by TLS. Since secure channel providers can be vulnerable to quantum threats, applications exchanging confidential data face different risks. Having these concrete examples, this position paper emphasizes that applications need PQC algorithms and risk analysis for the PQC migration.
Table 3: Application-layer risks under a record-now-decrypt-later threat (not exhaustive).
| Application-layer Protocol/Utility | Specification | Secure Channel Provider | Sensitive Information | Risk Description |
|---|---|---|---|---|
| Basic HTTP Authentication | RFC 7617 | TLS | User Credentials | Exchanged long-term credentials can allow access to server’s resources after breaking TLS with a quantum computer |
| OAuth 2.0 | RFC 6749 | TLS | Refresh token | RFC leaves to implementations to explicitly define expiration time; an example of refresh token expiration time is one year (Restrepo, 2022). Attackers could obtain valid tokens exchanged with classical TLS. |
| OIDC/OAuth 2.0 | (Sakimura et al., 2023) | TLS | ID Token, Refresh tokens | Similar to OAuth 2.0 (already pointed out by (Schardong et al., 2022)) |
| Kerberos V5 (with kinit) | RFC 4120, RFC 4556 | N/A | Renewal Ticket | In theory, ticket-granting tickets exchanged with classical cryptography combined with a long-lifetime ticket renewal policy (from 0 to 99,999 days) (Long et al., 2023) could be exploited by a quantum attacker. |
| Email Protocols | RFC 8314 | TLS | User Credentials | RFC 8314 recommends TLS for IMAP, SMTP and other email protocols. Quantum attackers could exploit long-term user credentials exchanged with TLS. |
| WebRTC | (W3C, 2023) | DTLS | Authentication password | WebRTC specifies different authentication methods; if long-term passwords are used, a quantum attacker could recover the password after breaking the DTLS session. |
| Rsync over SSH | (Tridgell et al., 2022) | SSH | Server password | Rsync allows sharing files over SSH for security. A quantum attacker could decrypt SSH tunnels and recover exchanged rsync passwords. |
Notably, updating application-layer protocols to PQC can require a significant effort. However, the efforts are increased when dealing with the risks shown in Table 3. Therefore, each application protocol might need specific analysis and further changes for complete protection. Examples include limiting authorizations and access token duration time, enforcing a policy for long-term confidential data usage, and revoking past actions performed with classical cryptography. The main drawback is that developing such measures in the application increases the PQC migration efforts (and time).
Using SSH as an example, Table 1 showed that OpenSSH already deployed PQC in hybrid mode, thus mitigating quantum attacks. Even so, quantum attackers could exploit applications on top of OpenSSH if (a) the application has not yet updated OpenSSH and the quantum attacker has captured the encrypted communication data; or (b) the application has updated but the user data (e.g., passwords) have a long-term lifetime, so past communications that exchanged them keep the record-now-decrypt-later attack valid for further exploitation. Although OpenSSH already supports hybrid, researchers noted the absence of a PQC working group (WG) for SSH (Kampanakis and Lepoint, 2023). This work corroborates this need but expands it to application-layer protocols like those presented in Table 3.
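The risk analysis argued for in this section, sketched as an added example (not part of the paper): it flags secrets that fall under cases (a) and (b) above, and secrets whose lifetime exceeds a policy limit. The inventory, the record layout, the 30-day limit and the function names are constructed assumptions; the two hybrid KEX names are real identifiers but not a complete list.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Key-exchange names treated as hybrid PQC: the OpenSSH 9.0 default KEX and
# a TLS 1.3 hybrid group. Illustrative assumption, not an exhaustive set.
HYBRID_KEX = {
    "sntrup761x25519-sha512@openssh.com",
    "X25519Kyber768Draft00",
}


@dataclass(frozen=True)
class Secret:
    secret_id: str
    kind: str
    issued_on: date
    expires_on: Optional[date]  # None: never expires (typical password)


@dataclass(frozen=True)
class Exchange:
    secret_id: str
    sent_on: date
    kex: str  # key exchange negotiated by the channel that carried the secret


def still_valid(secret: Secret, today: date) -> bool:
    return secret.expires_on is None or secret.expires_on > today


def exposed_secrets(secrets: List[Secret], exchanges: List[Exchange],
                    today: date) -> List[str]:
    """Secrets that crossed a classical-only channel at least once and still
    work. One recorded classical session is enough, even if every later
    exchange used a hybrid KEX (case b)."""
    classical = {e.secret_id for e in exchanges if e.kex not in HYBRID_KEX}
    return sorted(s.secret_id for s in secrets
                  if s.secret_id in classical and still_valid(s, today))


def overlong_secrets(secrets: List[Secret], today: date,
                     max_days: int) -> List[str]:
    """Valid secrets with no expiry or a lifetime above the policy limit."""
    found = []
    for s in secrets:
        if not still_valid(s, today):
            continue
        if s.expires_on is None or (s.expires_on - s.issued_on).days > max_days:
            found.append(s.secret_id)
    return sorted(found)


# Constructed sample inventory (all identifiers and dates are made up).
TODAY = date(2023, 7, 1)
SECRETS = [
    Secret("rsync-pw-backup", "password", date(2020, 1, 10), None),
    Secret("oauth-refresh-17", "refresh_token", date(2023, 2, 1), date(2024, 2, 1)),
    Secret("oauth-refresh-03", "refresh_token", date(2021, 5, 1), date(2022, 5, 1)),
    Secret("imap-pw-alice", "password", date(2023, 6, 10), None),
    Secret("svc-token-9", "access_token", date(2023, 6, 28), date(2023, 7, 5)),
]
EXCHANGES = [
    Exchange("rsync-pw-backup", date(2022, 3, 1), "curve25519-sha256"),
    Exchange("rsync-pw-backup", date(2023, 6, 1), "sntrup761x25519-sha512@openssh.com"),
    Exchange("oauth-refresh-17", date(2023, 2, 1), "x25519"),
    Exchange("oauth-refresh-03", date(2021, 5, 1), "x25519"),
    Exchange("imap-pw-alice", date(2023, 6, 10), "X25519Kyber768Draft00"),
    Exchange("svc-token-9", date(2023, 6, 28), "X25519Kyber768Draft00"),
]

if __name__ == "__main__":
    print("rotate or revoke:", exposed_secrets(SECRETS, EXCHANGES, TODAY))
    print("shorten lifetime:", overlong_secrets(SECRETS, TODAY, max_days=30))
```

Secrets in the first list need rotation or revocation regardless of the current channel; the second list shows where shorter lifetimes would limit what a recorded session is worth later.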
5 TAKEAWAYS
In summary, this position paper discussed the need for migrating applications to PQC. It emphasized hybrids as the recommended mechanism for an easier transition. Additional risks were discussed when applications had already migrated to PQC. In such a case, this work showed that applications would require specific risk analysis and implement security measures for complete protection against quantum threats.
Given the PQC migration challenges, this position paper issues the following takeaways.
• Consider hybrids as the recommended PQC migration strategy, given the favourable scenario regarding performance comparisons and security confidence in PQC. Remember that adopting PQC is still challenging for some applications, e.g., due to increased sizes.
• Take a specific approach for analyzing what the best option for PQC migration is. Note that it does not only need a PQC algorithm selection that best suits the application’s needs. The PQC migration strategy should include risk analyses related to long-term confidential data and other information that quantum-capable attackers could exploit.
• Call for improving participation in PQC adoption Work Groups (WG), also creating new WGs, aiming at increasing the awareness of the quantum threats for general applications. Such WGs would foment new risk analyses for other protocols, such as the application-layer protocols that were not yet analyzed elsewhere.
Hybrid modes for the post-quantum transition may be a temporary approach. However, this does not necessarily mean that it will be a short period. On the contrary, Hybrid PQC can be present in network communications for an extended period, for as long as needed to gain full confidence in PQC security. Additionally, the awareness of the effects of quantum threats and how to mitigate them helps to build a secure post-quantum world.
ACKNOWLEDGEMENTS
The author would like to thank Ricardo Custódio, the Federal University of Technology - Parana (UTFPR/Brazil), and the Technology Innovation Institute (TII/UAE) for their support.
REFERENCES
Bernstein, D. J. and Lange, T. (2017). Post-quantum cryptography. Nature, 549(7671):188–194.
Beullens, W. (2022). Breaking rainbow takes a weekend on a laptop. Cryptology ePrint Archive, Paper 2022/214. https://eprint.iacr.org/2022/214.
Bindel, N., Brendel, J., Fischlin, M., Goncalves, B., and Stebila, D. (2019). Hybrid key encapsulation mechanisms and authenticated key exchange. In Ding, J. and Steinwandt, R., editors, Post-Quantum Cryptography, pages 206–226, Cham. Springer International Publishing.
Braithwaite, M. (2016). Experimenting with post-quantum cryptography. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html.
Factor, K. (2023). Post-quantum hybrid cryptography in Bouncy Castle. https://doc.primekey.com/bouncycastle/post-quantum-hybrid-cryptography-in-bouncy-castle.
Faz-Hernández, A. and Kwiatkowski, K. (2019). Introducing CIRCL: An Advanced Cryptographic Library. Cloudflare. Available at https://github.com/cloudflare/circl. v1.3.2 Accessed Jan, 2023.
Kampanakis, P. (2020). Post-quantum tls 1.3 and ssh performance (preliminary results). https://blogs.cisco.com/security/tls-ssh-performance-pq-kem-auth.
Kampanakis, P. and Lepoint, T. (2023). Vision paper: Do we need to change some things? In Günther, F. and Hesse, J., editors, Security Standardisation Research, pages 78–102, Cham. Springer Nature Switzerland.
Long, L., Mandalika, S., Simpson, D., Gorzelany, A. M., Hall, J., Bichsel, A., and Pamnani, V. (2023). Maximum lifetime for user ticket renewal. https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.
Mosca, M. and Piani, M. (2022). Quantum threat timeline report 2022. Available at: https://globalriskinstitute.org/publication/2022-quantum-threat-timeline-report/. Accessed on 20.02.2023.
NIST (2016). Post-quantum cryptography. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography.
NIST (2023). Migration to post-quantum cryptography. https://www.nccoe.nist.gov/crypto-agility-considerations-migrating-post-quantum-cryptographic-algorithms.
OpenSSH (2022). Openssh 9.0 release notes. https://www.openssh.com/txt/release-9.0.
Ounsworth, M. (2023). PQC at the IETF. https://pkic.org/events/2023/post-quantum-cryptography-conference/pkic-pqcc-pqc-at-ietf-mike-ounsworth-entrust.pdf.
Paquin, C., Stebila, D., and Tamvada, G. (2020). Benchmarking post-quantum cryptography in tls. In Ding, J. and Tillich, J.-P., editors, Post-Quantum Cryptography, pages 72–91, Cham. Springer International Publishing.
Restrepo, R. (2022). Oauth 2.0 refresh token best practices. https://stateful.com/blog/oauth-refresh-token-best-practices.
Sakimura, N., Bradley, J., Jones, M. B., de Medeiros, B., and Mortimore, C. (2023). OpenID Connect Core 1.0. Available at https://openid.net/specs/openid-connect-core-1_0.html. Accessed March, 2023.
Schardong, F., Giron, A. A., Müller, F. L., and Custódio, R. (2022). Post-quantum electronic identity: Adapting openid connect and oauth 2.0 to the post-quantum era. In Beresford, A. R., Patra, A., and Bellini, E., editors, Cryptology and Network Security, pages 371–390, Cham. Springer International Publishing.
Sikeridis, D., Kampanakis, P., and Devetsikiotis, M. (2020). Assessing the overhead of post-quantum cryptography in tls 1.3 and ssh. In Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies, pages 149–156, New York, NY, USA. Association for Computing Machinery.
Society, I. (2023). Internet Society. https://www.internetsociety.org/.
Stebila, D., Fluhrer, S., and Gueron, S. (2020). Hybrid key exchange in TLS 1.3. http://tools.ietf.org/html/draft-ietf-tls-hybrid-design-00. Internet-Draft.
Stebila, D. and Mosca, M. (2016). Post-quantum key exchange for the internet and the open quantum safe project. In International Conference on Selected Areas in Cryptography, pages 14–37. Springer.
Tridgell, A., Mackerras, P., and Davison, W. (2022). rsync - a fast, versatile, remote (and local) file-copying tool. Available at https://download.samba.org/pub/rsync/rsync.1. Accessed Apr, 2023.
W3C, W. (2023). WebRTC: Real-Time Communication in Browsers. Available at https://www.w3.org/TR/webrtc/. Accessed March, 2023.
Westerbaan, B. (2021). Sizing up post-quantum signatures. https://blog.cloudflare.com/sizing-up-post-quantum-signatures/.