fancy-cryptography/fancy-cryptography

Fancy cryptography in the wild 🎩

Curated list of deployments of fancy cryptography.

Cryptography counts as fancy if it uses primitives beyond symmetric ciphers, (EC)DH as key agreement, digital signatures, public key encryption such as RSA-OAEP, or KEMs, or uses those primitives in unusual ways, especially if it relies on properties beyond IND-CCA2.

A secondary goal of this list is to provide cryptographers with a list of schemes that still need to be upgraded to post-quantum cryptography.

💫 Contributions welcome

Large-scale mainstream deployments

  • Android Nearby Share/Quick Share.
    PAKE and various weird stuff
    Reading: TBD.
    Fully PQ: 😔.

  • Apple HomeKit device enrollment.
    aPAKE (SRP).
    Reading: documentation.
    Fully PQ: 😔.

  • Apple Keychain key escrow
    aPAKE (SRP), threshold cryptography? ("majority of HSMs agrees").
    Reading: documentation.
    Fully PQ: 😔.

  • Apple Carkey
    aPAKE (SPAKE2+).
    Reading: documentation.
    Fully PQ: 😔.

  • Apple Private Relay.
    Blind signatures for anonymous tokens.
    Reading: overview.
    Fully PQ: 😔.

  • Apple Private Cloud Compute.
    Blind signatures for anonymous tokens.
    Reading: blog.
    Fully PQ: 😔.

  • Apple/Google Exposure Notifications.
    Bespoke protocol.
    Reading: overview.
    Fully PQ: 😊 (with the exception of some signatures which could easily be changed to ML-DSA).

  • Chrome compromised passwords check.
    Private Set Intersection.
    Reading: blog.
    Fully PQ: 😔.

  • Cloudflare Geo Key Manager.
    Attribute/Identity-based encryption.
    Reading: blog.
    Fully PQ: 😔.

  • 1Password user authentication.
    aPAKE (SRP).
    Reading: blog.
    Fully PQ: 😔.

  • Mozilla Firefox telemetry.
    Oblivious HTTP, Prio privacy-preserving statistics.
    Reading: blog, prio paper, OHTTP spec, Distributed Aggregation Protocol spec.
    Fully PQ: 😔 (if PQ configurations of TLS and HPKE are used).

  • Passport chip access control
    PAKE (PACE)
    Reading: overview, spec.
    Fully PQ: 😔.

  • Facebook Messenger chat history sharing
    PAKE (CPace)
    Reading: Labyrinth (p35)
    Fully PQ: 😔.

  • Signal private group system.
    Key-verification anonymous credentials.
    Reading: blog.
    Fully PQ: 😔.

  • WhatsApp encrypted backups.
    aPAKE (OPAQUE) for backup key retrieval from PIN.
    Reading: presentation, Meta whitepaper, academic paper, audit.
    Fully PQ: 😔.

  • (...)

Web3 / Blockchain

Proofs of Concept / Growing / Niche

  • Facebook secure update propagation.
    Homomorphic hashing (aka incremental hashing).
    Reading: blog, code.
    Fully PQ: 🤨 potentially with a PQ-signature scheme signing homomorphic hashes

  • Facebook ads attribution.
    Private match and compute.
    Reading: blog, code.
    Fully PQ: 😔.

  • Google ads attribution.
    Private join and compute.
    Reading: blog, code.
    Fully PQ: 😔.

  • Google ads attribution.
    Partially homomorphic encryption for private set intersection using Paillier.
    Reading: blog, media coverage, patent.
    Fully PQ: 😔. Paillier is not post-quantum secure.

  • IACR voting.
    Mixnets.
    Reading: Helios.
    Fully PQ: TBD.

  • (...)

See also