Curated list of deployments of fancy cryptography.
Cryptography counts as fancy if it uses primitives beyond symmetric ciphers, (EC)DH as key agreement, digital signatures, public key encryption such as RSA-OAEP, or KEMs, or uses those primitives in unusual ways, especially if it relies on properties beyond IND-CCA2.
A secondary goal of this list is to provide cryptographers with a list of schemes that still need to be upgraded to post-quantum cryptography.
- Android Nearby Share/Quick Share.
  PAKE and various weird stuff.
  Reading: TBD.
  Fully PQ: 😔.
- Apple HomeKit device enrollment.
  aPAKE (SRP).
  Reading: documentation.
  Fully PQ: 😔.
- Apple Keychain key escrow.
  aPAKE (SRP), threshold cryptography? ("majority of HSMs agrees").
  Reading: documentation.
  Fully PQ: 😔.
- Apple CarKey.
  aPAKE (SPAKE2+).
  Reading: documentation.
  Fully PQ: 😔.
- Apple Private Relay.
  Blind signatures for anonymous tokens.
  Reading: overview.
  Fully PQ: 😔.
- Apple Private Cloud Compute.
  Blind signatures for anonymous tokens.
  Reading: blog.
  Fully PQ: 😔.
- Apple/Google Exposure Notifications.
  Bespoke protocol.
  Reading: overview.
  Fully PQ: 😊 (with the exception of some signatures which could easily be changed to ML-DSA).
- Chrome compromised passwords check.
  Private Set Intersection.
  Reading: blog.
  Fully PQ: 😔.
- Cloudflare Geo Key Manager.
  Attribute/Identity-based encryption.
  Reading: blog.
  Fully PQ: 😔.
- 1Password user authentication.
  aPAKE (SRP).
  Reading: blog.
  Fully PQ: 😔.
- Mozilla Firefox telemetry.
  Oblivious HTTP, Prio privacy-preserving statistics.
  Reading: blog, Prio paper, OHTTP spec, Distributed Aggregation Protocol spec.
  Fully PQ: 😔 (if PQ configurations of TLS and HPKE are used).
- Passport chip access control.
  PAKE (PACE).
  Reading: overview, spec.
  Fully PQ: 😔.
- Facebook Messenger chat history sharing.
  PAKE (CPace).
  Reading: Labyrinth (p. 35).
  Fully PQ: 😔.
- Signal private group system.
  Keyed-verification anonymous credentials.
  Reading: blog.
  Fully PQ: 😔.
- WhatsApp encrypted backups.
  aPAKE (OPAQUE) for backup key retrieval from PIN.
  Reading: presentation, Meta whitepaper, academic paper, audit.
  Fully PQ: 😔.
(...)

- Zcash shielded transactions.
  zk-SNARKs, homomorphic Pedersen commitments, re-randomizable signing keys.
  Reading: security analysis (with PQ notes), circuit statements, Groth16 (trusted setup), Halo2 (trustless), commitment specs, RedDSA.
  Fully PQ: 😔. Has PQ privacy when the adversary doesn't know the recipient's address; no PQ correctness.

(...)

- Facebook secure update propagation.
  Homomorphic hashing (aka incremental hashing).
  Reading: blog, code.
  Fully PQ: 🤨, potentially with a PQ signature scheme signing homomorphic hashes.
- Facebook ads attribution.
  Private match and compute.
  Reading: blog, code.
  Fully PQ: 😔.
- Google ads attribution.
  Private join and compute.
  Reading: blog, code.
  Fully PQ: 😔.
- Google ads attribution.
  Partially homomorphic encryption for private set intersection using Paillier.
  Reading: blog, media coverage, patent.
  Fully PQ: 😔. Paillier is not post-quantum secure.
- IACR voting.
  Mixnets.
  Reading: Helios.
  Fully PQ: TBD.

(...)