Large parts of the cryptography in use today, namely
key-agreement protocols and digital signatures based on the
hardness of factoring large integers or solving the
discrete-logarithm problem, are not secure against attackers
equipped with a large universal quantum computer. It is not
clear when such a large quantum computer will be built, but
continuous progress by various labs around the world suggests
that it may well be less than two decades until today's
cryptography becomes insecure.

To address this issue, NIST started a public competition to
identify suitable replacements for today's cryptosystems. In
my talk, I will describe two of these systems: the
key-encapsulation mechanism Kyber and the digital signature
scheme Dilithium. Both schemes are based on the hardness of
solving problems in module lattices, and together they form the
"Cryptographic Suite for Algebraic Lattices -- CRYSTALS".