One day, quantum computers will become a reality. When that day comes, RSA, Elliptic Curves and many other fundamental cryptographic primitives will become obsolete. Post-Quantum Cryptography offers secure alternatives and we can help you get ready.
Related technology
Fully Homomorphic Encryption
Meet the Holy Grail of cryptography.
Fully homomorphic encryption is the ultimate cryptographic tool to build more secure cloud computing services that respect everybody's privacy. It allows data to be shared confidentially, and the encrypted data can then be processed without ever needing to decrypt or reveal it.
Our CEO is the main editor of the upcoming standard ISO/IEC 18033-6 on partially homomorphic encryption.
Homomorphic encryption is the future, and we can help you get there!
Related service
Cryptographic Protocols
Security by design is not an abstract concept.
Beware of alleged "military grade secure" products. It is one thing to use AES-256 or RSA-4096; using them correctly is a different kettle of fish.
We can help you build innovative products that require any standard or advanced cryptographic tools, such as elliptic curves, identity-based encryption, anonymous signatures, e-cash, DRM, Pay-TV and many others.
Related research projects
HEAT
Using Fully Homomorphic Encryption in Practice.
The HEAT project will develop advanced cryptographic technologies using Fully Homomorphic Encryption to process sensitive information in encrypted form, without needing to compromise on the privacy and security of the citizens and organizations that provide the input data.
CRYPTOCOMP
A crypto-calculus platform for the Cloud.
The principle of cloud computing is to allow users to outsource computation resources to the cloud by allowing a remote service to execute, in their name, some procedures on their private data. While many commercial services are growing fast, to this day, all require the client to place total trust in the service regarding the confidentiality of their data. The aim of CRYPTOCOMP is to develop an efficient cloud-based crypto-calculus platform which, using the latest advances in Fully Homomorphic Encryption, would make it impossible for the cloud service to learn anything whatsoever about the user's data, while still executing the procedures as intended.
Traditional computers work with bits, simple binary values equal to 0 or 1. Quantum computers, on the other hand, work with qubits, quantum bits that can be a superposition of both 0 and 1 at the same time. Additional properties, such as the possibility of computing with entangled qubits, allow quantum computers to run specific algorithms that could not run on traditional computers.
A majority of modern cryptographic primitives rely on two problems: integer factorization and discrete logarithm. Both these problems happen to be efficiently solvable using a large enough quantum computer. Luckily, such large quantum computers do not exist yet. Still, most experts agree that at one point in the future, maybe in 5 years, 15 years, or more, they will exist. When that day comes, all security products will need to shift to so-called Post-Quantum Cryptographic primitives.
Many hard problems have been proposed for post-quantum cryptography, but the most trustworthy solutions can be grouped in three families:
 Code-based cryptography
 Lattice cryptography
 Multivariate cryptography
CryptoExperts’ team includes experts in each of these specific research topics, so we can tell you exactly which solution best fits your post-quantum cryptographic needs.
CODE-BASED CRYPTOGRAPHY
Code-based cryptography encompasses all cryptographic constructions relying on hard problems from the theory of error-correcting codes. The oldest member of this family is the McEliece cryptosystem, dating back to 1978, relying on the hardness of decoding in a random binary code. Since then, many other constructions have been proposed, offering a wide range of functionalities: public key encryption, short digital signatures, zero-knowledge authentication, provably secure PRNG, cryptographic hashing, etc.
On top of being post-quantum, code-based cryptosystems have the following traits:
 they work over small binary fields, so no need for an arithmetic coprocessor
 public key encryption or signature verification is very lightweight, requiring only a few hundred binary XORs
 most code-based systems require storing a large random-looking binary matrix, so they are probably not the best candidate for the most memory-constrained environments
LATTICE CRYPTOGRAPHY
Lattice cryptography is algorithmically simple and highly parallelizable. Also, it is very versatile: besides the classical functionalities (key exchange, signature, encryption), it can be used to build powerful cryptographic features such as fully homomorphic encryption, allowing any untrusted environment to perform computations over encrypted data (fully homomorphic encryption is one of CryptoExperts’ core technologies: check it out!). Finally, lattice cryptography features a very strong security guarantee: choosing any random parameters provably yields a system as secure as possible.
On top of being post-quantum, lattice cryptosystems have the following traits:
 some lattice systems are standardized (IEEE P1363 and X9.98 standards), and very efficient
 signatures in lattice cryptography are faster than with elliptic curves and RSA
 most systems have small parameters (about the size of RSA parameters and less), making them suitable for constrained environments
MULTIVARIATE CRYPTOGRAPHY
Public-Key Multivariate Cryptography is a part of public-key cryptography in which the public key is given as a set of polynomials in several variables, of small degree over a small finite field. Among the most famous multivariate public-key schemes are C*, HFE, UOV and Rainbow. Multivariate schemes make it possible to obtain signature schemes which provide short signatures. For instance, the QUARTZ algorithm allows messages to be signed with approximately 100-bit-long signatures. Multivariate cryptography also makes it possible to design signature schemes in which the verification of the signature is very fast. High performance can also often be reached for the signature phase, so that digital signature schemes can be implemented cheaply on ASICs. Another advantage of multivariate schemes is their flexibility in the design of various schemes, with ad-hoc properties.
On top of being post-quantum, multivariate cryptosystems have the following traits:
 they work over small binary fields, so no need for an arithmetic coprocessor
 public key encryption or signature verification is very lightweight, requiring only a few hundred binary operations
 most multivariate systems require storing a large random-looking matrix, so they are probably not the best candidate for the most memory-constrained environments
Related publications

NFLlib: NTT-based Fast Lattice Library. In CT-RSA 2016, 2016.

Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In ASIACRYPT (1) 2015, 2015. Best Paper Award

🇫🇷 Quatre millions d'échanges de clés par seconde. In SSTIC 2015, 2015.

Lattice Signatures and Bimodal Gaussians. In CRYPTO (1) 2013, pp. 40-56, 2013.

A family of weak keys in HFE and the corresponding practical key-recovery. In J. Mathematical Cryptology, 2012.

Parallel-CFS - Strengthening the CFS McEliece-Based Signature Scheme. In Selected Areas in Cryptography 2010, pp. 159-170, 2010.

Security Bounds for the Design of Code-Based Cryptosystems. In ASIACRYPT 2009, pp. 88-105, 2009.

SHA-3 Proposal: FSB. In Submission to the NIST SHA-3 competition, 2008.

Toward a Rigorous Variation of Coppersmith's Algorithm on Three Variables. In EUROCRYPT 2007, pp. 361-378, 2007.

When Stream Cipher Analysis Meets Public-Key Cryptography. In Selected Areas in Cryptography 2006, pp. 266-284, 2006.

Inverting HFE Is Quasipolynomial. In CRYPTO 2006, pp. 345-356, 2006.

A Family of Fast Syndrome Based Cryptographic Hash Functions. In Mycrypt 2005, pp. 64-83, 2005.

A Public Key Encryption Scheme Based on the Polynomial Reconstruction Problem. In EUROCRYPT 2003, pp. 229-240, 2003.

Algebraic Cryptanalysis of Hidden Field Equation (HFE) Cryptosystems Using Gröbner Bases. In CRYPTO 2003, pp. 44-60, 2003.

Solving Underdefined Systems of Multivariate Quadratic Equations. In Public Key Cryptography 2002, pp. 211-227, 2002.

FLASH, a Fast Multivariate Signature Algorithm. In CT-RSA 2001, pp. 298-307, 2001.

How to Achieve a McEliece-Based Digital Signature Scheme. In ASIACRYPT 2001, pp. 157-174, 2001.

QUARTZ, 128-Bit Long Digital Signatures. In CT-RSA 2001, pp. 282-297, 2001.

A Chosen-Ciphertext Attack against NTRU. In CRYPTO 2000, pp. 20-35, 2000.

Cryptanalysis of the TTM Cryptosystem. In ASIACRYPT 2000, pp. 44-57, 2000.

Unbalanced Oil and Vinegar Signature Schemes. In EUROCRYPT 1999, pp. 206-222, 1999.

Lattice Reduction: A Toolbox for the Cryptanalyst. In J. Cryptology, 1998.

C*-+ and HM: Variations Around Two Schemes of T. Matsumoto and H. Imai. In ASIACRYPT 1998, pp. 35-49, 1998.

Improved Algorithms for Isomorphisms of Polynomials. In EUROCRYPT 1998, pp. 184-200, 1998.

Trapdoor one-way permutations and multivariate polynomials. In ICICS 1997, pp. 356-368, 1997.