{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,5]],"date-time":"2026-02-05T07:22:08Z","timestamp":1770276128932,"version":"3.49.0"},"reference-count":164,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T00:00:00Z","timestamp":1609545600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"DSO","award":["DSOCL19218"],"award-info":[{"award-number":["DSOCL19218"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:p>Public-key cryptography is an indispensable component used in almost all of our present-day digital infrastructure. However, most if not all of it is predominantly built upon hardness guarantees of number theoretic problems that can be broken by large-scale quantum computers in the future. Sensing the imminent threat from continued advances in quantum computing, NIST has recently initiated a global-level standardization process for quantum resistant public-key cryptographic primitives such as public-key encryption, digital signatures, and key encapsulation mechanisms. While the process received proposals from various categories of post-quantum cryptography, lattice-based cryptography features most prominently among all the submissions. Lattice-based cryptography offers a very attractive alternative to traditional public-key cryptography mainly due to the variety of lattice-based schemes offering varying flavors of security and efficiency guarantees. 
In this article, we survey the evolution of lattice-based key-sharing schemes (public-key encryption and key encapsulation schemes) and cover various aspects ranging from theoretical security guarantees, general algorithmic frameworks, practical implementation aspects, and physical attack security, with special focus on lattice-based key-sharing schemes competing in the NIST\u2019s standardization process.<\/jats:p>","DOI":"10.1145\/3422178","type":"journal-article","created":{"date-parts":[[2021,1,2]],"date-time":"2021-01-02T17:08:21Z","timestamp":1609607301000},"page":"1-39","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Lattice-based Key-sharing Schemes"],"prefix":"10.1145","volume":"54","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0201-3705","authenticated-orcid":false,"given":"Prasanna","family":"Ravi","sequence":"first","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"James","family":"Howe","sequence":"additional","affiliation":[{"name":"PQShield, UK"}]},{"given":"Anupam","family":"Chattopadhyay","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]},{"given":"Shivam","family":"Bhasin","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2021,1,2]]},"reference":[{"key":"e_1_2_2_1_1","volume-title":"The Transport Layer Security (TLS) Protocol Version 1.3 draft-ietf-tls-tls13-07.","author":"Rescorla Eric"},{"key":"e_1_2_2_2_1","volume-title":"The Transport Layer Security (TLS) Protocol Version 1.3 draft-ietf-tls-tls13-13.","author":"Rescorla Eric"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2746539.2746606"},{"key":"e_1_2_2_4_1","volume-title":"Proceedings of the 28th Annual ACM Symposium on Theory of Computing. 
ACM, 99--108","author":"Ajtai Mikl\u00f3s","year":"1996"},{"key":"e_1_2_2_5_1","volume-title":"Rene Peralta et\u00a0al","author":"Alagic Gorjan","year":"2019"},{"key":"e_1_2_2_6_1","volume-title":"NTRU} schemes! In Proceedings of the International Conference on Security and Cryptography for Networks","author":"Albrecht Martin R."},{"key":"e_1_2_2_7_1","unstructured":"Erdem Alkim Roberto Avanzi Joppe W. Bos Leo Ducas Antonio de la Piedra Thomas Poppelmann Peter Schwabe and Douglas Stebila [n.d.]. NewHope (Version 1.1): Algorithm\u00a0specifications and supporting documentation. Retrieved from https:\/\/newhopecrypto.org\/data\/NewHope_2020_04_10.pdf."},{"key":"e_1_2_2_8_1","unstructured":"Erdem Alkim Joppe W. Bos Leo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan and Douglas Stebila [n.d.]. Frodo: Algorithm\u00a0specifications and supporting documentation. Retrieved from https:\/\/frodokem.org\/files\/FrodoKEM-specification-20200325.pdf."},{"key":"e_1_2_2_9_1","unstructured":"Erdem Alkim L\u00e9o Ducas Thomas P\u00f6ppelmann and Peter Schwabe. 2016. Newhope without reconciliation. IACR ePrint. 
Retrieved from https:\/\/eprint.iacr.org\/2016\/1157."},{"key":"e_1_2_2_10_1","volume-title":"Proceedings of the USENIX Security Symposium. 327--343","author":"Alkim Erdem","year":"2016"},{"key":"e_1_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-49445-6_19"},{"key":"e_1_2_2_12_1","unstructured":"Roberto Avanzi Joppe Bos Leo Ducas Eike Kiltz Tancrede Lepoint Vadim Lyubashevsky John Schanck Peter Schwabe Gregor Seiler and Damien Stehl\u00e9 [n.d.]. CRYSTALS-Kyber (version 2.0) - Algorithm\u00a0specifications and supporting documentation. Retrieved from https:\/\/pq-crystals.org\/kyber\/data\/kyber-specification-round2.pdf."},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2018.8342207"},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2013.6581570"},{"key":"e_1_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2018.8383894"},{"key":"e_1_2_2_16_1","unstructured":"Hayo Baan Sauvik Bhattacharya Scott Fluhrer Oscar Garcia-Morchon Garcia-Morchon Thijs Laarhoven Rachel Player Ronald Rietman Markku-Juhani O. Saarinen Ludo Tolhuizen Jos\u2019e Luis Torre-Arce and Zhenfei Zhang. [n.d.]. Round5: Algorithm\u00a0specifications and supporting documentation. 
Retrieved from https:\/\/round5.org\/doc\/Round5_Submission042020.pdf."},{"key":"e_1_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-17656-3_26"},{"key":"e_1_2_2_18_1","volume-title":"Woodbury","author":"Bailey Daniel V.","year":"2001"},{"key":"e_1_2_2_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-29011-4_42"},{"key":"e_1_2_2_20_1","volume-title":"Chandrakasan","author":"Banerjee Utsav","year":"2019"},{"key":"e_1_2_2_21_1","volume-title":"Proceedings of the Conference on the Theory and Application of Cryptographic Techniques. Springer, 311--323","author":"Barrett Paul","year":"1986"},{"key":"e_1_2_2_22_1","unstructured":"Kanad Basu Deepraj Soni Mohammed Nabeel and Ramesh Karri. 2019. NIST post-quantum cryptography-A hardware evaluation study. IACR ePrint Archive. https:\/\/eprint.iacr.org\/2019\/047."},{"key":"e_1_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-12612-4_14"},{"key":"e_1_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1007\/11745853_14"},{"key":"e_1_2_2_25_1","unstructured":"Daniel J. Bernstein Chitchanok Chuengsatiansup Tanja Lange and Christine van Vredendaal. [n.d.]. NTRU Prime: Algorithm\u00a0specifications and supporting documentation. Retrieved from https:\/\/ntruprime.cr.yp.to\/nist\/ntruprime-20190330.pdf."},{"key":"e_1_2_2_26_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 235--260","author":"Bernstein Daniel J.","year":"2017"},{"key":"e_1_2_2_27_1","unstructured":"Daniel J. 
Bernstein Tanja Lange and Dan Page. [n.d.]. eBATS. ECRYPT Benchmarking of Asymmetric Systems: Performing Benchmarks (technical report)."},{"key":"e_1_2_2_28_1","volume-title":"Bernstein and Edoardo Persichetti","author":"Daniel","year":"2018"},{"key":"e_1_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2019.i3.340-398"},{"key":"e_1_2_2_30_1","series-title":"Round 2","volume-title":"Keccak specifications. Submission to NIST","author":"Bertoni Guido","year":"2009"},{"key":"e_1_2_2_31_1","volume-title":"spKEX: An optimized lattice-based key exchange. IACR EPrint Archive","author":"Bhattacharya Sauvik","year":"2017"},{"key":"e_1_2_2_32_1","unstructured":"David Blackman and Sebastiano Vigna. 2018. Scrambled linear pseudorandom number generators. Retrieved from https:\/\/arXiv:1805.01407."},{"key":"e_1_2_2_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978425"},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978425"},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2018.00032"},{"key":"e_1_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.40"},{"key":"e_1_2_2_37_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer.","author":"Bos Joppe W.","year":"2018"},{"key":"e_1_2_2_38_1","unstructured":"Joppe W. Bos Simon Friedberger Marco Martinoli Elisabeth Oswald and Martijn Stam. 2018. Fly you fool! 
Faster Frodo for the ARM Cortex-M4.IACR ePrint Archive. Retrieved from https:\/\/eprint.iacr.org\/2018\/1116."},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-23696-0_11"},{"key":"e_1_2_2_40_1","volume-title":"Experimenting with post-quantum cryptography. Google Security Blog 7","author":"Braithwaite Matt","year":"2016"},{"key":"e_1_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/2633600"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2488608.2488680"},{"key":"e_1_2_2_43_1","unstructured":"Jacqueline Brendel Marc Fischlin Felix G\u00fcnther Christian Janson and Douglas Stebila. 2019. Challenges in proving post-quantum key exchanges based on key encapsulation mechanisms."},{"key":"e_1_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53140-2_16"},{"key":"e_1_2_2_45_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 402--417","author":"Buchmann Johannes","year":"2013"},{"key":"e_1_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2899007.2899011"},{"key":"e_1_2_2_47_1","unstructured":"CESG. 2016. Quantum Key Distribution. Retrieved from https:\/\/www.cesg.gov.uk\/white-papers\/quantum-key-distribution."},{"key":"e_1_2_2_48_1","unstructured":"Cong Chen Oussama Danba Jeffrey Hoffstein Andreas H\u00fclsing Joost Rijneveld John M Schanck Peter Schwabe William Whyte and Zhenfei Zhang. [n.d.]. NTRU: Algorithm\u00a0specifications and supporting documentation. 
Retrieved from https:\/\/ntru.org\/f\/ntru-20190330.pdf."},{"key":"e_1_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/TCSI.2014.2350431"},{"key":"e_1_2_2_50_1","volume-title":"Proceedings of the International Conference on Information Security and Cryptology. Springer, 51--74","author":"Cheon Jung Hee","year":"2016"},{"key":"e_1_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1964.1053699"},{"key":"e_1_2_2_52_1","unstructured":"CNSS. 2015. Use of Public Standards for the Secure Sharing of Information Among National Security Systems. Committee on National Security Systems: CNSS Advisory Memorandum Information Assurance 02-15."},{"key":"e_1_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1090\/S0025-5718-1965-0178586-1"},{"key":"e_1_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-69053-0_5"},{"key":"e_1_2_2_55_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-56620-7_12"},{"key":"e_1_2_2_56_1","unstructured":"Jan-Pieter D\u2019Anvers Angshuman Karmakar Sujoy Sinha Roy and Frederik Vercauteren. [n.d.]. Saber: Algorithm\u00a0specifications and supporting documentation (round 2). 
Retrieved from https:\/\/www.esat.kuleuven.be\/cosic\/pqcrypto\/saber\/resources.html."},{"key":"e_1_2_2_57_1","volume-title":"On the impact of decryption failures on the security of LWE\/LWR based schemes. IACR ePrint Archive","author":"D\u2019Anvers Jan-Pieter","year":"2018"},{"key":"e_1_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.7873\/DATE.2015.0378"},{"key":"e_1_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICC.2017.7996806"},{"key":"e_1_2_2_60_1","unstructured":"Jintai Ding Chi Cheng and Yue Qin. 2019. A simple key reuse attack on LWE and ring LWE encryption schemes as key encapsulation mechanisms (KEMs). IACR ePrint Archive. Retrieved from https:\/\/eprint.iacr.org\/2019\/271."},{"key":"e_1_2_2_61_1","volume-title":"Proceedings of the Australasian Conference on Information Security and Privacy. Springer, 467--486","author":"Ding Jintai"},{"key":"e_1_2_2_62_1","unstructured":"Jintai Ding Xiang Xie and Xiaodong Lin. 2012. A simple provably secure key-exchange scheme based on the learning with errors problem. IACR EPrint Archive. Retrieved from https:\/\/eprint.iacr.org\/2012\/688."},{"key":"e_1_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-40041-4_3"},{"key":"e_1_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338467.3358948"},{"key":"e_1_2_2_65_1","unstructured":"Thomas Espitau Pierre-Alain Fouque Beno\u00eet G\u00e9rard and Mehdi Tibouchi. 2016. Loop abort faults on lattice-based Fiat-Shamir 8 Hash\u2019n sign signatures. IACR ePrint Archive. 
Retrieved from https:\/\/eprint.iacr.org\/2016\/449."},{"key":"e_1_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134028"},{"key":"e_1_2_2_67_1","volume-title":"Duc Tri Nguyen, and Kris Gaj","author":"Dang Viet Ba","year":"2008"},{"key":"e_1_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-25510-7_2"},{"key":"e_1_2_2_69_1","volume-title":"Cryptanalysis of ring-LWE based key exchange with key share reuse. IACR ePrint Archive","author":"Fluhrer Scott R.","year":"2016"},{"key":"e_1_2_2_70_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 369--390","author":"Fritzmann Tim","year":"2018"},{"key":"e_1_2_2_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/HST.2019.8741027"},{"key":"e_1_2_2_72_1","doi-asserted-by":"publisher","DOI":"10.23919\/DATE.2019.8715173"},{"key":"e_1_2_2_73_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-48405-1_34"},{"key":"e_1_2_2_74_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1962.1057683"},{"key":"e_1_2_2_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/1374376.1374407"},{"key":"e_1_2_2_76_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-15-0758-8_9"},{"key":"e_1_2_2_77_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-47560-8_12"},{"key":"e_1_2_2_78_1","unstructured":"Mike Hamburg. [n.d.]. ThreeBears: Algorithm\u00a0specifications and supporting documentation. 
Retrieved from https:\/\/www.shiftleft.org\/papers\/threebears\/threebears-july2019.pdf."},{"key":"e_1_2_2_79_1","volume-title":"NTRU: A ring-based public key cryptosystem. Algor. Number Theory","author":"Hoffstein Jeffrey","year":"1998"},{"key":"e_1_2_2_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS.2019.8702794"},{"key":"e_1_2_2_81_1","volume-title":"On practical discrete Gaussian samplers for lattice-based cryptography","author":"Howe James","year":"2016"},{"key":"e_1_2_2_82_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897937.2898037"},{"key":"e_1_2_2_83_1","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2018.i3.372-393"},{"key":"e_1_2_2_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/2724713"},{"key":"e_1_2_2_85_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74143-5_9"},{"key":"e_1_2_2_86_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-45146-4_14"},{"key":"e_1_2_2_87_1","volume-title":"NAEP: Provable security in the presence of decryption failures. IACR ePrint Archive.","author":"Howgrave-Graham Nick","year":"2003"},{"key":"e_1_2_2_88_1","first-page":"123","article-title":"Power analysis on NTRU prime","volume":"2020","author":"Huang Wei-Lun","year":"2020","journal-title":"IACR Trans. Cryptogr. Hardware Embed. 
Syst."},{"key":"e_1_2_2_89_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_12"},{"key":"e_1_2_2_90_1","volume-title":"Somitra Kumar Sanadhya, and Anupam Chattopadhyay","author":"Jati Arpan","year":"2019"},{"key":"e_1_2_2_91_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-44598-6_2"},{"key":"e_1_2_2_92_1","doi-asserted-by":"publisher","DOI":"10.1109\/12.403725"},{"key":"e_1_2_2_93_1","doi-asserted-by":"publisher","DOI":"10.1587\/transfun.E94.A.1156"},{"key":"e_1_2_2_94_1","volume-title":"Proceedings of the International Conference on Microelectronics (ICM\u201909)","author":"Kamal Abdel Alim"},{"key":"e_1_2_2_95_1","doi-asserted-by":"publisher","DOI":"10.1007\/s13389-013-0061-7"},{"key":"e_1_2_2_96_1","volume-title":"Two post-quantum signature use-cases: Non-issues, challenges and potential solutions. IACR ePrint Archive","author":"Kampanakis Panos","year":"2019"},{"key":"e_1_2_2_97_1","doi-asserted-by":"crossref","unstructured":"Matthias J. Kannwischer Joost Rijneveld and Peter Schwabe. 2018. Faster multiplication in Z2m [x] on cortex-M4 to speed up NIST PQC candidates. IACR ePrint Archive. Retrieved from https:\/\/eprint.iacr.org\/2018\/1018","DOI":"10.1007\/978-3-030-21568-2_14"},{"key":"e_1_2_2_98_1","unstructured":"Matthias J. Kannwischer Joost Rijneveld Peter Schwabe and Ko Stoffelen. 2019. pqm4: Testing and benchmarking NIST PQC on ARM Cortex-M4. 
Retrieved from https:\/\/github.com\/mupq\/pqm4\/tree\/c32bcd017b202d418c9135e2df77be73a69044a0."},{"key":"e_1_2_2_99_1","first-page":"595","article-title":"Multiplication of multidigit numbers on automata","volume":"7","author":"Karatsuba Anatolii","year":"1963","journal-title":"Sov. Phys. Dokl."},{"key":"e_1_2_2_100_1","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2018.i3.243-266"},{"key":"e_1_2_2_101_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-56620-7_1"},{"key":"e_1_2_2_102_1","volume-title":"The Art of Computer Programming: Sorting and Searching","author":"Knuth Donald Ervin"},{"key":"e_1_2_2_103_1","volume-title":"Yao","author":"Knuth Donald E.","year":"1976"},{"key":"e_1_2_2_104_1","volume-title":"Post-quantum key exchange on FPGAs. IACR ePrint Archive","author":"Kuo Po-Chun","year":"2017"},{"key":"e_1_2_2_105_1","unstructured":"Adam Langley. [n.d.]. Post-quantum confidentiality for TLS. Retrieved from https:\/\/www.imperialviolet.org\/2018\/04\/11\/pqconftls.html."},{"key":"e_1_2_2_106_1","unstructured":"Adam Langley. [n.d.]. Real-world measurements of structured-lattices and supersingular isogenies in TLS. 
Retrieved from https:\/\/www.imperialviolet.org\/."},{"key":"e_1_2_2_107_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10623-014-9938-4"},{"key":"e_1_2_2_108_1","volume-title":"Jeong Eun Song, and Kunsoo Park.","author":"Lee Mun-Kyu","year":"2007"},{"key":"e_1_2_2_109_1","doi-asserted-by":"publisher","DOI":"10.1587\/transfun.E93.A.153"},{"key":"e_1_2_2_110_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF01457454"},{"key":"e_1_2_2_111_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-19074-2_21"},{"key":"e_1_2_2_112_1","volume-title":"Proceedings of the IEEE 58th International Midwest Symposium on Circuits and Systems (MWSCAS\u201915)","author":"Liu Bingxin","year":"2015"},{"key":"e_1_2_2_113_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS.2016.7527455"},{"key":"e_1_2_2_114_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-06734-6_14"},{"key":"e_1_2_2_115_1","volume-title":"LAC: Practical ring-LWE based public-key encryption with byte-level modulus. IACR ePrint Archive","author":"Lu Xianhui","year":"2018"},{"key":"e_1_2_2_116_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-13190-5_1"},{"key":"e_1_2_2_117_1","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2019.i3.180-201"},{"key":"e_1_2_2_118_1","volume-title":"Public Key Cryptography","author":"Micciancio Daniele"},{"key":"e_1_2_2_119_1","doi-asserted-by":"publisher","DOI":"10.1038\/543171a"},{"key":"e_1_2_2_120_1","volume-title":"Modular multiplication without trial division. Math. Comput. 44, 170","author":"Montgomery Peter L","year":"1985"},{"key":"e_1_2_2_121_1","unstructured":"Michele Mosca and Douglas Stebila. 2017. Open quantum safe. Software for Prototyping Quantum-resistant Cryptography. 
Open Quantum Safe."},{"key":"e_1_2_2_122_1","doi-asserted-by":"publisher","DOI":"10.1145\/3292548"},{"key":"e_1_2_2_123_1","volume-title":"Nguyen and David Pointcheval","author":"Phong","year":"2002"},{"key":"e_1_2_2_124_1","unstructured":"NIST. 2016. Post-Quantum Crypto Project. Retrieved from http:\/\/csrc.nist.gov\/groups\/ST\/post-quantum-crypto\/."},{"key":"e_1_2_2_125_1","volume-title":"Proceedings of the Conference on Progress in Cryptology (LATINCRYPT\u201917)","author":"Oder Tobias","year":"2017"},{"key":"e_1_2_2_126_1","doi-asserted-by":"publisher","DOI":"10.46586\/tches.v2018.i1.142-174"},{"key":"e_1_2_2_127_1","volume-title":"Benchmarking post-quantum cryptography in TLS. IACR ePrint Archive","author":"Paquin Christian","year":"2019"},{"key":"e_1_2_2_128_1","doi-asserted-by":"publisher","DOI":"10.1016\/0004-3702(86)90072-X"},{"key":"e_1_2_2_129_1","volume-title":"Electr. Colloq. Comput. Complex. 15","author":"Peikert Chris","year":"2008"},{"key":"e_1_2_2_130_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14623-7_5"},{"key":"e_1_2_2_131_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11659-4_12"},{"key":"e_1_2_2_132_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-30530-7_7"},{"key":"e_1_2_2_133_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33481-8_8"},{"key":"e_1_2_2_134_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCAS.2014.6865754"},{"key":"e_1_2_2_135_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-22174-8_19"},{"key":"e_1_2_2_136_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66787-4_25"},{"key":"e_1_2_2_137_1","volume-title":"A complete and optimized key mismatch attack on NIST candidate NewHope. 
IACR ePrint Archive","author":"Qin Yue","year":"2019"},{"key":"e_1_2_2_138_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-16350-1_13"},{"key":"e_1_2_2_139_1","volume-title":"Anupam Chattopadhyay, and Shivam Bhasin.","author":"Ravi Prasanna","year":"2019"},{"key":"e_1_2_2_140_1","doi-asserted-by":"publisher","DOI":"10.1145\/1568318.1568324"},{"key":"e_1_2_2_141_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-29360-8_15"},{"key":"e_1_2_2_142_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-48324-4_34"},{"key":"e_1_2_2_143_1","unstructured":"Sujoy Sinha Roy Oscar Reparaz Frederik Vercauteren and Ingrid Verbauwhede. 2014. Compact and side channel secure discrete Gaussian sampling. IACR ePrint Archive. Retrieved from https:\/\/eprint.iacr.org\/2014\/591."},{"key":"e_1_2_2_144_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44709-3_21"},{"key":"e_1_2_2_145_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 383--401","author":"Roy Sujoy Sinha","year":"2013"},{"key":"e_1_2_2_146_1","volume-title":"Exploring NIST LWC\/PQC Synergy R5Sneik: How SNEIK 1.1 algorithms were designed to support round5. IACR ePrint Archive","author":"Saarinen Markku-Juhani O.","year":"2019"},{"key":"e_1_2_2_147_1","volume-title":"Arithmetic coding and blinding countermeasures for ring-LWE. IACR ePrint Archive","author":"Saarinen Markku-Juhani O.","year":"2016"},{"key":"e_1_2_2_148_1","volume-title":"Proceedings of the International Conference on Selected Areas in Cryptography. Springer, 192--212","author":"Saarinen Markku-Juhani O.","year":"2017"},{"key":"e_1_2_2_149_1","volume-title":"Proceedings of the International Conference on Smart Card Research and Advanced Applications. 
Springer, 95--110","author":"Saarinen Markku-Juhani O.","year":"2018"},{"key":"e_1_2_2_150_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-78372-7_17"},{"key":"e_1_2_2_151_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-16350-1_14"},{"key":"e_1_2_2_152_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF01581144"},{"key":"e_1_2_2_153_1","volume-title":"Faster AVX2 optimized NTT multiplication for Ring-LWE lattice cryptography. IACR ePrint Archive","author":"Seiler Gregor","year":"2018"},{"key":"e_1_2_2_154_1","doi-asserted-by":"publisher","DOI":"10.1109\/SFCS.1994.365700"},{"key":"e_1_2_2_156_1","doi-asserted-by":"publisher","DOI":"10.1109\/CICC.2018.8357070"},{"key":"e_1_2_2_157_1","unstructured":"Douglas Stebila Michele Mosca Christian Paquin Dimitris Sikeridis and Goutam Tamvada. [n.d.]. OQS-OpenSSL_1_1_1-Fork of OpenSSL by OpenOQS project. Retrieved from https:\/\/github.com\/open-quantum-safe\/openssl."},{"key":"e_1_2_2_158_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-20465-4_4"},{"key":"e_1_2_2_159_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-53644-5_8"},{"key":"e_1_2_2_160_1","volume-title":"Improved key-reconciliation method. 
IACR ePrint Archive","author":"Tolhuizen Ludo","year":"2017"},{"key":"e_1_2_2_161_1","first-page":"714","article-title":"The complexity of a scheme of functional elements realizing the multiplication of integers","volume":"3","author":"Toom Andrei L.","year":"1963","journal-title":"Soviet Mathematics Doklady"},{"key":"e_1_2_2_162_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178291.3178294"},{"key":"e_1_2_2_163_1","volume-title":"Hirschhorn","author":"Whyte William","year":"2008"},{"key":"e_1_2_2_164_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.micpro.2013.04.008"},{"key":"e_1_2_2_165_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-35423-7_27"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3422178","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3422178","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:03:21Z","timestamp":1750197801000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3422178"}},"subtitle":["A Survey"],"short-title":[],"issued":{"date-parts":[[2021,1,2]]},"references-count":164,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1145\/3422178"],"URL":"https:\/\/doi.org\/10.1145\/3422178","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,1,2]]},"assertion":[{"value":"2018-01-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-08-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication 
History"}},{"value":"2021-01-02","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}