
Dr. Matthias J. Kannwischer

Director, Cryptography Laboratory

Dr. Matthias J. Kannwischer specializes in research on quantum-safe cryptography. He received his PhD in applied post-quantum cryptography from Radboud University in the Netherlands, supervised by Peter Schwabe and Professor Bo-Yin Yang (楊柏因) of Academia Sinica.

Before joining Chelpis Quantum Corp QSMC, he was a postdoctoral researcher at Academia Sinica in Taipei, and before that a doctoral student at the Max Planck Institute for Security and Privacy in Germany and at Radboud University in the Netherlands. He is a co-submitter of UOV and MAYO and the maintainer of the pqm4 post-quantum software framework.



Quantum-Safe Cryptography


Researchers at Chelpis have many years of experience in cryptographic implementations. Since the early days of the NIST post-quantum cryptography competition, they have been creating and maintaining open-source projects including pqm4 and PQClean, the latter being used in various other projects including liboqs and the Signal messenger. Recently, Chelpis researchers have joined the Post-Quantum Cryptography Alliance (PQCA), a Linux Foundation project for production-grade open-source post-quantum cryptography. As part of PQCA, Chelpis sits on the technical steering committee of the Post-Quantum Code Package (PQCP) and maintains and develops two libraries targeting 32-bit microcontrollers and 64-bit Arm CPUs (e.g., smartphones, Arm-based servers, and Apple processors).

UOV Signatures

While the first round of post-quantum cryptography standards is expected to be published in 2024, these standards do not meet the requirements of all applications. In particular, their large signature sizes may make it impossible to migrate certain applications to these post-quantum signature schemes. To address this need, NIST has initiated an additional signature competition aiming to standardize signature schemes with small signatures and fast verification. Chelpis researchers are part of the submission teams of two signature schemes sent to NIST for standardization: UOV and MAYO. Both are currently being evaluated by NIST and the cryptography community. UOV was proposed in 1995 and has withstood all attempts to break it. With modern parameters selected for optimal performance, UOV achieves signatures as small as 128 bytes with public keys of 44 kilobytes. For applications that do not have to transmit the public key (often), this is a vast advantage over 2420-byte ML-DSA signatures and 666-byte FN-DSA signatures. Furthermore, UOV outperforms ML-DSA signing and verification times on certain CPUs.

MAYO Signatures

The MAYO signature scheme was proposed in 2021 by Beullens, building on the construction of UOV but achieving much smaller public keys by introducing additional structure into the construction of the public map. Chelpis researchers have joined forces with Beullens and submitted MAYO to NIST for standardization. At security level one, MAYO achieves signatures of 321 bytes with public keys of 1168 bytes and hence outperforms every other post-quantum signature scheme in terms of combined public key and signature size. It is best suited for applications that need to transmit both public keys and signatures frequently (e.g., TLS). Compared to ML-DSA's 2420-byte signatures and 1312-byte public keys, MAYO has significant advantages for these applications. Furthermore, MAYO achieves faster signing and verification times than ML-DSA on certain CPUs.

Formosa: Formally-verified Open Source Cryptography

While research on high-assurance, high-speed cryptographic software has received significant attention from the research community in recent years, its practical deployment is lagging behind. Large-scale deployment requires cryptographic software libraries that come with a complete set of primitives, perform at high speed, and provide a high level of assurance. Ideally, this software should come with formal guarantees about security and correctness. While past research papers have provided various artifacts covering some pieces of formally verified cryptographic functionality, to this day there exists no library that provides a complete enough set of features to serve as a drop-in replacement for any of the non-verified libraries. Chelpis researchers are contributing to the European-led project Formosa Crypto (Formally-verified open-source amazing Cryptography), which aims at exactly this: producing cryptographic software that comes with computer-verifiable proofs, enabling much higher assurance regarding the security and correctness of the implementations.
