{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,18]],"date-time":"2026-04-18T17:47:32Z","timestamp":1776534452307,"version":"3.51.2"},"reference-count":67,"publisher":"Springer Science and Business Media LLC","issue":"7671","license":[{"start":{"date-parts":[[2017,9,1]],"date-time":"2017-09-01T00:00:00Z","timestamp":1504224000000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Nature"],"published-print":{"date-parts":[[2017,9]]},"DOI":"10.1038\/nature23461","type":"journal-article","created":{"date-parts":[[2017,9,12]],"date-time":"2017-09-12T16:12:17Z","timestamp":1505232737000},"page":"188-194","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":735,"title":["Post-quantum cryptography"],"prefix":"10.1038","volume":"549","author":[{"given":"Daniel J.","family":"Bernstein","sequence":"first","affiliation":[]},{"given":"Tanja","family":"Lange","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,9,14]]},"reference":[{"key":"BFnature23461_CR1","doi-asserted-by":"publisher","first-page":"120","DOI":"10.1145\/359340.359342","volume":"21","author":"RL Rivest","year":"1978","unstructured":"Rivest, R. L., Shamir, A. & Adleman, L. M. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120\u2013126 (1978)","journal-title":"Commun. ACM"},{"key":"BFnature23461_CR2","doi-asserted-by":"crossref","unstructured":"Shor, P. W. Algorithms for quantum computation: discrete logarithms and factoring. In Proc. 35th Ann. Symp. on Foundations of Computer Science (FOCS \u201994) 124\u2013134 (IEEE, 1994)","DOI":"10.1109\/SFCS.1994.365700"},{"key":"BFnature23461_CR3","first-page":"175","volume":"3","author":"S Beauregard","year":"2003","unstructured":"Beauregard, S. Circuit for Shor\u2019s algorithm using 2n + 3 qubits. Quantum Inf. Comput. 3, 175\u2013185 (2003)","journal-title":"Quantum Inf. Comput."},{"key":"BFnature23461_CR4","doi-asserted-by":"crossref","unstructured":"Miller, V. S. Use of elliptic curves in cryptography. In Advances in Cryptology, Proc. CRYPTO \u201985 (ed. Williams, H. C.) 417\u2013426 (Springer, 1985)","DOI":"10.1007\/3-540-39799-X_31"},{"key":"BFnature23461_CR5","doi-asserted-by":"publisher","first-page":"203","DOI":"10.1090\/S0025-5718-1987-0866109-5","volume":"48","author":"N Koblitz","year":"1987","unstructured":"Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 48, 203\u2013209 (1987)","journal-title":"Math. Comput."},{"key":"BFnature23461_CR6","doi-asserted-by":"publisher","unstructured":"Campbell, E. T., Terhal, B. M. & Vuillot, C. Roads towards fault-tolerant universal quantum computation. Nature http:\/\/dx.doi.org\/10.1038\/nature23460 (2017)","DOI":"10.1038\/nature23460"},{"key":"BFnature23461_CR7","doi-asserted-by":"crossref","unstructured":"Grover, L. K. A fast quantum mechanical algorithm for database search. In Proc. 28th Ann. ACM Symp. on Theory of Computing (ed. Miller, G. L. ) 212\u2013219 (ACM, 1996)","DOI":"10.1145\/237814.237866"},{"key":"BFnature23461_CR8","doi-asserted-by":"crossref","unstructured":"Daemen, J. & Rijmen, V. The Design of Rijndael: AES\u2014The Advanced Encryption Standard (Springer, 2002)","DOI":"10.1007\/978-3-662-04722-4"},{"key":"BFnature23461_CR9","doi-asserted-by":"crossref","unstructured":"Grassl, M., Langenberg, B., Roetteler, M. & Steinwandt, R. Applying Grover\u2019s algorithm to AES: quantum resource estimates. In Post-Quantum Cryptography, Proc. 7th International Workshop (PQCRYPTO 2016) (ed. Takagi, T. ) 29\u201343 (Springer, 2016)","DOI":"10.1007\/978-3-319-29360-8_3"},{"key":"BFnature23461_CR10","unstructured":"Rostovtsev, A. & Stolbunov, A. Public-key cryptosystem based on isogenies. Preprint at https:\/\/eprint.iacr.org\/2006\/145 (2006)"},{"key":"BFnature23461_CR11","unstructured":"Couveignes, J.-M. Hard homogeneous spaces (2006). Preprint at https:\/\/eprint.iacr.org\/2006\/291"},{"key":"BFnature23461_CR12","doi-asserted-by":"crossref","unstructured":"Jao, D. & de Feo, L. Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In Post-Quantum Cryptography, Proc. 4th International Workshop (PQCRYPTO 2011) (ed. Yang, B.-Y. ) 19\u201334 (Springer, 2011)","DOI":"10.1007\/978-3-642-25405-5_2"},{"key":"BFnature23461_CR13","doi-asserted-by":"publisher","first-page":"170","DOI":"10.1137\/S0097539703436345","volume":"35","author":"G Kuperberg","year":"2005","unstructured":"Kuperberg, G. A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput. 35, 170\u2013188 (2005)","journal-title":"SIAM J. Comput."},{"key":"BFnature23461_CR14","unstructured":"McEliece, R. J. A Public-Key Cryptosystem based on Algebraic Coding Theory. Deep Space Network Progress Report 42\u201344 http:\/\/ipnpr.jpl.nasa.gov\/progress_report2\/42-44\/44N.PDF (1978)"},{"key":"BFnature23461_CR15","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J., Lange, T. & Peters, C. Attacking and defending the McEliece cryptosystem. In Post-Quantum Cryptography, Proc. 2nd International Workshop (PQCRYPTO 2008) (eds Buchmann, J. A. & Ding, J. ) 31\u201346 (Springer, 2008)","DOI":"10.1007\/978-3-540-88403-3_3"},{"key":"BFnature23461_CR16","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J. Grover vs. McEliece. In Post-Quantum Cryptography, Proc. 3rd International Workshop (PQCRYPTO 2010) (ed. Sendrier, N. ) 73\u201380 (Springer, 2010)","DOI":"10.1007\/978-3-642-12929-2_6"},{"key":"BFnature23461_CR17","first-page":"159","volume":"15","author":"H Niederreiter","year":"1986","unstructured":"Niederreiter, H. Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inform. 15, 159\u2013166 (1986)","journal-title":"Control Inform."},{"key":"BFnature23461_CR18","doi-asserted-by":"crossref","unstructured":"Hoffstein, J., Pipher, J. & Silverman, J. H. NTRU: a ring-based public key cryptosystem. In Algorithmic Number Theory, Proc. 3rd International Symp. (ANTS-III) (ed. Buhler, J. ) 267\u2013288 (Springer, 1998)","DOI":"10.1007\/BFb0054868"},{"issue":"43","key":"BFnature23461_CR19","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2535925","volume":"60","author":"V Lyubashevsky","year":"2013","unstructured":"Lyubashevsky, V., Peikert, C. & Regev, O. On ideal lattices and learning with errors over rings. J. ACM 60, 43:1\u201343:35 (2013)","journal-title":"J. ACM"},{"key":"BFnature23461_CR20","unstructured":"Campbell, P., Groves, M. & Shepherd, D. Soliloquy: a cautionary tale. http:\/\/docbox.etsi.org\/Workshop\/2014\/201410_CRYPTO\/S07_Systems_and_Attacks\/S07_Groves_Annex.pdf (2014)"},{"key":"BFnature23461_CR21","doi-asserted-by":"crossref","unstructured":"Biasse, J.-F. & Song, F. Efficient quantum algorithms for computing class groups and solving the principal ideal problem in arbitrary degree number fields. In Proc. 27th Ann. ACM-SIAM Symp. on Discrete Algorithms (SODA 2016) (ed. Krauthgamer, R. ) 893\u2013902 (SIAM, 2016). An extension of Shor\u2019s algorithm breaks some lattice-based systems","DOI":"10.1137\/1.9781611974331.ch64"},{"key":"BFnature23461_CR22","doi-asserted-by":"crossref","unstructured":"Cramer, R., Ducas, L. & Wesolowski, B. Short Stickelberger class relations and application to Ideal-SVP. In Advances in Cryptology, Proc. Ann. International Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2017) 324\u2013348 (Springer, 2017)","DOI":"10.1007\/978-3-319-56620-7_12"},{"key":"BFnature23461_CR23","unstructured":"Bernstein, D. J. A subfield-logarithm attack against ideal lattices. The cr.yp.to blog https:\/\/blog.cr.yp.to\/20140213-ideal.html (2014)"},{"key":"BFnature23461_CR24","unstructured":"Bernstein, D. J., Chuengsatiansup, C., Lange, T. & van Vredendaal, C. NTRU Prime. Preprint at https:\/\/eprint.iacr.org\/2016\/461 (2016)"},{"key":"BFnature23461_CR25","doi-asserted-by":"crossref","unstructured":"Laarhoven, T. Sieving for shortest vectors in lattices using angular locality-sensitive hashing. In Advances in Cryptology, Proc. 35th Ann. Cryptology Conf. (CRYPTO 2015) (eds Gennaro, R. & Robshaw, M. ) 3\u201322 (Springer, 2015)","DOI":"10.1007\/978-3-662-47989-6_1"},{"key":"BFnature23461_CR26","doi-asserted-by":"crossref","unstructured":"Laarhoven, T. & de Weger, B. Faster sieving for shortest lattice vectors using spherical locality-sensitive hashing. In Progress in Cryptology, Proc. 4th International Conf. on Cryptology and Information Security in Latin America (LATINCRYPT 2015) (eds Lauter, K. E. & Rodr\u00edguez-Henr\u00edquez, F. ) 101\u2013118 (Springer, 2015)","DOI":"10.1007\/978-3-319-22174-8_6"},{"key":"BFnature23461_CR27","doi-asserted-by":"crossref","unstructured":"Becker, A., Ducas, L., Gama, N. & Laarhoven, T. New directions in nearest neighbor searching with applications to lattice sieving. In Proc. 27th Ann. ACM-SIAM Symp. on Discrete Algorithms (SODA 2016) (ed. Krauthgamer, R. ) 10\u201324 (SIAM, 2016)","DOI":"10.1137\/1.9781611974331.ch2"},{"issue":"34","key":"BFnature23461_CR28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1568318.1568324","volume":"56","author":"O Regev","year":"2009","unstructured":"Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56, 34:1\u201334:40 (2009)","journal-title":"J. ACM"},{"key":"BFnature23461_CR29","doi-asserted-by":"crossref","unstructured":"Goldreich, O., Goldwasser, S. & Halevi, S. Public-key cryptosystems from lattice reduction problems. In Advances in Cryptology, Proc. 17th Ann. International Cryptology Conf. (CRYPTO\u201997) (ed. Kaliski, B. S. Jr ) 112\u2013131 (Springer, 1997)","DOI":"10.1007\/BFb0052231"},{"key":"BFnature23461_CR30","doi-asserted-by":"crossref","unstructured":"Hoffstein, J., Pipher, J. & Silverman, J. H. NSS: an NTRU lattice-based signature scheme. In Advances in Cryptology, Proc. International Conf. on the Theory and Application of Cryptographic Techniques (EUROCRYPT 2001) (ed. Pfitzmann, B. ) 211\u2013228 (Springer, 2001)","DOI":"10.1007\/3-540-44987-6_14"},{"key":"BFnature23461_CR31","doi-asserted-by":"crossref","unstructured":"Hoffstein, J., Howgrave-Graham, N., Pipher, J., Silverman, J. H. & Whyte, W. NTRUSIGN: digital signatures using the NTRU lattice. In Topics in Cryptology, Proc. Cryptographers\u2019 Track at the RSA Conf. 2003 (CT-RSA 2003) (ed. Joye, M. ) 122\u2013140 (Springer, 2003)","DOI":"10.1007\/3-540-36563-X_9"},{"key":"BFnature23461_CR32","doi-asserted-by":"crossref","unstructured":"Nguyen, P. Q. & Regev, O. Learning a parallelepiped: cryptanalysis of GGH and NTRU signatures. In Advances in Cryptology, Proc. 25th Ann. International Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2006) (ed. Vaudenay, S. ) 271\u2013288 (Springer, 2006)","DOI":"10.1007\/11761679_17"},{"key":"BFnature23461_CR33","doi-asserted-by":"crossref","unstructured":"Ducas, L. & Nguyen, P. Q. Learning a zonotope and more: cryptanalysis of NTRUSign countermeasures. In Advances in Cryptology, Proc. 18th International Conf. on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2012) (eds Wang, X. & Sako, K. ) 433\u2013450 (Springer, 2012)","DOI":"10.1007\/978-3-642-34961-4_27"},{"key":"BFnature23461_CR34","doi-asserted-by":"crossref","unstructured":"Lyubashevsky, V. Lattice signatures without trapdoors. In Advances in Cryptology, Proc. 31st Ann. International Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2012) (eds Pointcheval, D. & Johansson, T. ) 738\u2013755 (Springer, 2012)","DOI":"10.1007\/978-3-642-29011-4_43"},{"key":"BFnature23461_CR35","doi-asserted-by":"crossref","unstructured":"Ducas, L., Durmus, A., Lepoint, T. & Lyubashevsky, V. Lattice signatures and bimodal Gaussians. In Advances in Cryptology, Proc. 33rd Ann. Cryptology Conf. (CRYPTO 2013) (eds Canetti, R. & Garay, J. A. ) 40\u201356 (Springer, 2013)","DOI":"10.1007\/978-3-642-40041-4_3"},{"key":"BFnature23461_CR36","doi-asserted-by":"crossref","unstructured":"Groot Bruinderink, L., H\u00fclsing, A., Lange, T. & Yarom, Y. Flush, Gauss, and reload: a cache attack on the BLISS lattice-based signature scheme. In Cryptographic Hardware and Embedded Systems, Proc. 18th International Conf. (CHES 2016) (eds Gierlichs, B. & Poschmann, A. Y. ) 323\u2013345 (Springer, 2016). First successful side-channel attacks against lattice-based signatures","DOI":"10.1007\/978-3-662-53140-2_16"},{"key":"BFnature23461_CR37","doi-asserted-by":"crossref","unstructured":"Matsumoto, T. & Imai, H. Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. In Advances in Cryptology, Proc. Workshop on the Theory and Application of Cryptographic Techniques (EUROCRYPT\u201988) (ed. G\u00fcnther, C. G. ) 419\u2013453 (Springer, 1988)","DOI":"10.1007\/3-540-45961-8_39"},{"key":"BFnature23461_CR38","doi-asserted-by":"publisher","first-page":"248","DOI":"10.1007\/3-540-44750-4_20","volume-title":"Advances in Cryptology \u2014 CRYPT0\u2019 95","author":"Jacques Patarin","year":"1995","unstructured":"Patarin, J. Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt\u201988. In Advances in Cryptology, Proc. 15th Ann. International Cryptology Conf. (CRYPTO\u201995) (ed. Coppersmith, D. ) 248\u2013261 (Springer, 1995)"},{"key":"BFnature23461_CR39","doi-asserted-by":"crossref","unstructured":"Patarin, J. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): two new families of asymmetric algorithms. In Advances in Cryptology, Proc. International Conf. on the Theory and Application of Cryptographic Techniques (EUROCRYPT\u201996) (ed. Maurer, U. M. ) 33\u201348 (Springer, 1996)","DOI":"10.1007\/3-540-68339-9_4"},{"key":"BFnature23461_CR40","doi-asserted-by":"crossref","unstructured":"Petzoldt, A., Chen, M.-S., Yang, B.-Y., Tao, C. & Ding, J. Design principles for HFEv-based multivariate signature schemes. In Advances in Cryptology, Proc. 21st International Conf. on the Theory and Application of Cryptology and Information Security (ASIACRYPT 2015) (eds Iwata, T. & Cheon, J. H.) 311\u2013334 (Springer, 2015).Optimizes conservative multivariate-quadratic signatures","DOI":"10.1007\/978-3-662-48797-6_14"},{"key":"BFnature23461_CR41","unstructured":"Lamport, L. Constructing Digital Signatures from a One Way Function. Technical Report No. SRI-CSL-98 (SRI International Computer Science Laboratory, 1979); available at http:\/\/lamport.azurewebsites.net\/pubs\/pubs.html#dig-sig"},{"key":"BFnature23461_CR42","doi-asserted-by":"publisher","first-page":"644","DOI":"10.1109\/TIT.1976.1055638","volume":"22","author":"W Diffie","year":"1976","unstructured":"Diffie, W. & Hellman, M. E. New directions in cryptography. IEEE Trans. Inf. Theory 22, 644\u2013654 (1976)","journal-title":"IEEE Trans. Inf. Theory"},{"key":"BFnature23461_CR43","unstructured":"Merkle, R. C. Secrecy, Authentication, and Public Key Systems. PhD thesis, Stanford Univ., http:\/\/www.merkle.com\/papers\/Thesis1979.pdf (1979)"},{"key":"BFnature23461_CR44","doi-asserted-by":"crossref","unstructured":"Merkle, R. C. A certified digital signature. In Advances in Cryptology, Proc. 9th Ann. International Cryptology Conf. (CRYPTO \u201989) (ed. Brassard, G. ) 218\u2013238 (Springer, 1989)","DOI":"10.1007\/0-387-34805-0_21"},{"key":"BFnature23461_CR45","doi-asserted-by":"crossref","unstructured":"Dods, C., Smart, N. P. & Stam, M. Hash based digital signature schemes. In Cryptography and Coding, Proc. 10th IMA International Conf. (ed. Smart, N. P. ) 96\u2013115 (Springer, 2005)","DOI":"10.1007\/11586821_8"},{"key":"BFnature23461_CR46","doi-asserted-by":"crossref","unstructured":"H\u00fclsing, A. W-OTS+\u2014shorter signatures for hash-based signature schemes. In Progress in Cryptology, Proc. 6th International Conf. on Cryptology in Africa (AFRICACRYPT 2013) (eds Youssef, A., Nitaj, A. & Hassanien, A. E. ) 173\u2013188 (Springer, 2013)","DOI":"10.1007\/978-3-642-38553-7_10"},{"key":"BFnature23461_CR47","doi-asserted-by":"crossref","unstructured":"Buchmann, J. A., Dahmen, E. & H\u00fclsing, A. XMSS\u2014a practical forward secure signature scheme based on minimal security assumptions. In Post-Quantum Cryptography, Proc. 4th International Workshop (PQCRYPTO 2011) (ed. Yang, B.-Y. ) 117\u2013129 (Springer, 2011).Conservative stateful hash-based signatures are small and fast","DOI":"10.1007\/978-3-642-25405-5_8"},{"key":"BFnature23461_CR48","doi-asserted-by":"crossref","unstructured":"H\u00fclsing, A., Rausch, L. & Buchmann, J. A. Optimal parameters for XMSSMT. In Security Engineering and Intelligence Informatics, Proc. CD-ARES 2013 Workshops: MoCrySEn and SeCIHD (eds Cuzzocrea, A. et al.) 194\u2013208 (Springer, 2013)","DOI":"10.1007\/978-3-642-40588-4_14"},{"key":"BFnature23461_CR49","unstructured":"Langley, A. Hash based signatures. Imperial Violet https:\/\/www.imperialviolet.org\/2013\/07\/18\/hashsig.html (2013)"},{"key":"BFnature23461_CR50","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J. et al. SPHINCS: practical stateless hash-based signatures. In Advances in Cryptology, Proc. 34th Ann. International Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2015) (eds Oswald, E. & Fischlin, M.) 368\u2013397 (Springer, 2015). Conservative stateless hash-based signatures are practical","DOI":"10.1007\/978-3-662-46800-5_15"},{"key":"BFnature23461_CR51","doi-asserted-by":"publisher","first-page":"104","DOI":"10.1007\/3-540-68697-5_9","volume-title":"Advances in Cryptology \u2014 CRYPTO \u201996","author":"Paul C. Kocher","year":"1996","unstructured":"Kocher, P. C. Timing attacks on implementations of Diffie\u2013Hellman, RSA, DSS, and other systems. In Advances in Cryptology, Proc. 16th Ann. International Cryptology Conf. (CRYPTO \u201996) (ed. Koblitz, N. ) 104\u2013113 (Springer, 1996)"},{"key":"BFnature23461_CR52","doi-asserted-by":"crossref","unstructured":"Kocher, P. C., Jaffe, J. & Jun, B. Differential power analysis. In Advances in Cryptology, Proc. 19th Ann. International Cryptology Conf. (CRYPTO \u201999) (ed. Wiener, M. J. ) 388\u2013397 (Springer, 1999)","DOI":"10.1007\/3-540-48405-1_25"},{"key":"BFnature23461_CR53","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J., Chou, T. & Schwabe, P. McBits: fast constant-time code-based cryptography. In Cryptographic Hardware and Embedded Systems, Proc. 15th International Workshop (CHES 2013) (eds Bertoni, G. & Coron, J.-S. ) 250\u2013272 (Springer, 2013). Conservative code-based encryption is faster than ECC","DOI":"10.1007\/978-3-642-40349-1_15"},{"key":"BFnature23461_CR54","unstructured":"PQCRYPTO Project. Initial Recommendations of Long-Term Secure Post-Quantum Systems. https:\/\/pqcrypto.eu.org\/docs\/initial-recommendations.pdf (2015)"},{"key":"BFnature23461_CR55","unstructured":"Braithwaite, M. Experimenting with post-quantum cryptography. Google Security Blog. https:\/\/security.googleblog.com\/2016\/07\/experimenting-with-post-quantum.html (2016)"},{"key":"BFnature23461_CR56","unstructured":"Alkim, E., Ducas, L., P\u00f6ppelmann, T. & Schwabe, P. Post-quantum key exchange\u2014a new hope. In 25th USENIX Security Symp. (USENIX Security 16) (eds Holz, T. & Savage, S.) 327\u2013343 (USENIX Association, 2016)"},{"key":"BFnature23461_CR57","unstructured":"Langley, A. CECPQ1 results. Imperial Violet https:\/\/www.imperialviolet.org\/2016\/11\/28\/cecpq1.html (2016)"},{"key":"BFnature23461_CR58","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J. The Salsa20 family of stream ciphers. In New Stream Cipher Designs: The eSTREAM Finalists (eds Robshaw, M. J. B. & Billet, O. ) 84\u201397 (Springer, 2008)","DOI":"10.1007\/978-3-540-68351-3_8"},{"key":"BFnature23461_CR59","doi-asserted-by":"crossref","unstructured":"McGrew, D. A. & Viega, J. The security and performance of the Galois\/counter mode (GCM) of operation. In Progress in Cryptology, Proc. 5th International Conf. on Cryptology in India (INDOCRYPT 2004) (eds Canteaut, A. & Viswanathan, K. ) 343\u2013355 (Springer, 2004)","DOI":"10.1007\/978-3-540-30556-9_27"},{"key":"BFnature23461_CR60","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J. The Poly1305-AES message-authentication code. In Fast Software Encryption, Proc. 12th International Workshop (FSE 2005) (eds Gilbert, H. & Handschuh, H. ) 32\u201349 (Springer, 2005)","DOI":"10.1007\/11502760_3"},{"key":"BFnature23461_CR61","unstructured":"NIST Information Technology Laboratory. Secure Hash Standard (SHS). Federal Information Processing Standards Publication 180-4, http:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.180\u20134.pdf (NIST, 2012)"},{"key":"BFnature23461_CR62","doi-asserted-by":"crossref","unstructured":"Bertoni, G., Daemen, J., Peeters, M. & Assche, G. V. Keccak. In Advances in Cryptology, Proc. 32nd Ann. International Conf. on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2013) (eds Johansson, T. & Nguyen, P. Q. ) 313\u2013314 (Springer, 2013)","DOI":"10.1007\/978-3-642-38348-9_19"},{"key":"BFnature23461_CR63","doi-asserted-by":"crossref","unstructured":"ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology, Proc. CRYPTO \u201984 (eds Blakley, G. R. & Chaum, D. ) 10\u201318 (Springer, 1984)","DOI":"10.1007\/3-540-39568-7_2"},{"key":"BFnature23461_CR64","doi-asserted-by":"crossref","unstructured":"Schnorr, C.-P. Efficient identification and signatures for smart cards. In Advances in Cryptology, Proc. 9th Ann. International Cryptology Conf. (CRYPTO \u201989) (ed. Brassard, G. ) 239\u2013252 (Springer, 1989)","DOI":"10.1007\/0-387-34805-0_22"},{"key":"BFnature23461_CR65","doi-asserted-by":"crossref","unstructured":"Bernstein, D. J. Curve25519: new Diffie\u2013Hellman speed records. In Public Key Cryptography, Proc. 9th International Conf. on Theory and Practice of Public-Key Cryptography (PKC 2006) (eds Yung, M. et al.) 207\u2013228 (Springer, 2006)","DOI":"10.1007\/11745853_14"},{"key":"BFnature23461_CR66","doi-asserted-by":"publisher","first-page":"36","DOI":"10.1007\/s102070100002","volume":"1","author":"D Johnson","year":"2001","unstructured":"Johnson, D., Menezes, A. & Vanstone, S. A. The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec. 1, 36\u201363 (2001)","journal-title":"J. Inf. Sec."},{"key":"BFnature23461_CR67","doi-asserted-by":"publisher","first-page":"77","DOI":"10.1007\/s13389-012-0027-1","volume":"2","author":"DJ Bernstein","year":"2012","unstructured":"Bernstein, D. J., Duif, N., Lange, T., Schwabe, P. & Yang, B.-Y. High-speed high-security signatures. J. Cryptographic Eng. 2, 77\u201389 (2012)","journal-title":"J. Cryptographic Eng."}],"container-title":["Nature"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.nature.com\/articles\/nature23461.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/www.nature.com\/articles\/nature23461","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/www.nature.com\/doifinder\/10.1038\/nature23461","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"},{"URL":"http:\/\/www.nature.com\/articles\/nature23461.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,25]],"date-time":"2025-06-25T18:17:42Z","timestamp":1750875462000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.nature.com\/articles\/nature23461"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,9]]},"references-count":67,"journal-issue":{"issue":"7671","published-print":{"date-parts":[[2017,9]]}},"alternative-id":["BFnature23461"],"URL":"https:\/\/doi.org\/10.1038\/nature23461","relation":{},"ISSN":["0028-0836","1476-4687"],"issn-type":[{"value":"0028-0836","type":"print"},{"value":"1476-4687","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,9]]},"assertion":[{"value":"28 February 2017","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 June 2017","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"14 September 2017","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare no competing financial interests.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}]}}