fancy-cryptography/fancy-cryptography

Fancy cryptography in the wild 🎩

Curated list of deployments of fancy cryptography.

Cryptography counts as fancy if it uses primitives beyond symmetric ciphers, (EC)DH key agreement, digital signatures, public-key encryption such as RSA-OAEP, or KEMs, or if it uses those primitives in unusual ways, especially when it relies on properties beyond IND-CCA2.

A secondary goal of this list is to provide cryptographers with a list of schemes that still need to be upgraded to post-quantum cryptography.

💫 Contributions welcome

Large-scale mainstream deployments

  • Android Nearby Share/Quick Share.
    PAKE and various weird stuff
    Reading: TBD.
    Not fully PQ 😔.

  • Apple Homekit device enrollment
    aPAKE (SRP / SPAKE2+ (Matter))
    Reading: documentation.
    Not fully PQ 😔.

  • Apple Keychain key escrow
    aPAKE (SRP), threshold cryptography? ("majority of HSMs agrees").
    Reading: documentation.
    Not fully PQ 😔.

  • Apple Carkey
    aPAKE (SPAKE2+).
    Reading: documentation.
    Not fully PQ 😔.

  • Apple Private Relay.
    Blind signatures for anonymous tokens.
    Reading: overview.
    Not fully PQ 😔.

  • Apple Private Cloud Compute.
    Blind signatures for anonymous tokens.
    Reading: blog.
    Not fully PQ 😔.

  • Apple/Google Exposure Notifications.
    Bespoke protocol.
    Reading: overview (archive.org).
    Fully PQ 😊 (with the exception of some signatures which could easily be changed to ML-DSA).

  • Apple Live Caller ID lookup.
    PIR using FHE.
    Reading: blog
    Fully PQ 😊 (with the exception of anonymous tokens used for rate-limiting)

  • Chrome compromised passwords check.
    Private Set Intersection.
    Reading: blog.
    Not fully PQ 😔.

  • Cloudflare Geo Key Manager.
    Attribute/Identity-based encryption.
    Reading: blog.
    Not fully PQ 😔.

  • 1Password user authentication.
    aPAKE (SRP)
    Reading: blog.
    Not fully PQ 😔.

  • Mozilla Firefox telemetry.
    Oblivious HTTP, Prio privacy-preserving statistics.
    Reading: blog, prio paper, OHTTP spec, Distributed Aggregation Protocol spec.
    Not fully PQ 😔 (would be fully PQ if PQ configurations of TLS and HPKE were used).

  • Matter device enrollment
    aPAKE (SPAKE2+)
    Reading: documentation
    Not fully PQ 😔.

  • Passport chip access control
    PAKE (PACE)
    Reading: overview, spec.
    Not fully PQ 😔.

  • Facebook Messenger chat history sharing
    PAKE (CPace)
    Reading: Labyrinth (p35)
    Not fully PQ 😔.

  • Signal private group system.
    Key-verification anonymous credentials.
    Reading: blog.
    Not fully PQ 😔.

  • Signal group send endorsements.
    Anonymous endorsement tokens, similar to Privacy Pass, with blind batch issuance and homomorphic combination.
    Reading: source code.
    Not fully PQ 😔.

  • WhatsApp encrypted backups.
    aPAKE (OPAQUE) for backup key retrieval from PIN.
    Reading: presentation, Meta whitepaper, Academic paper, audit.
    Not fully PQ 😔.

  • Signal Secure Value Recovery.
    OPRF-based rate-limited key derivation for recovering account settings from a user-chosen PIN or password.
    Reading: Academic paper, Client code (HNDL secure), Server code (HNDL secure).
    Not fully PQ 😔.

  • League of Entropy (drand).
    Publicly verifiable decentralised randomness using threshold signatures and distributed key generation.
    Reading: website, docs
    Not fully PQ 😔.

  • Proton user authentication
    aPAKE (SRP)
    Reading: blog.
    Not fully PQ 😔.

  • (...)

Web3 / Blockchain

  • Zcash shielded transactions.
    zk-SNARKs, homomorphic Pedersen commitments, re-randomizable signing keys, key-private public-key encryption (see Post-Quantum Zcash presentation below for more detail).
    Reading: security analysis (with PQ notes), circuit statements, Groth16 (trusted setup), Halo2 (trustless), commitment specs, RedDSA.
    Not fully PQ 😔. Has PQ privacy when the adversary doesn't know the recipient's address; no PQ correctness.
    Future proposals:

    • Post-Quantum Zcash presentation: slides, video
    • Proposal for "quantum resilience" (draft): "This ZIP proposes a change to the construction of Orchard notes that is intended to support a smoother transition to future versions of Zcash designed to be secure against discrete-log-breaking adversaries, including adversaries using quantum computers."
  • Nillion's decentralized database (nilDB)
    Decentralized storage, Shamir secret sharing, XOR secret sharing, additive secret sharing, Paillier.
    Reading: blog, docs, code
    Fully PQ 😊 with the exception of Paillier mode.

  • Taproot (BIP 341)
    A Bitcoin public key that can also be opened as a commitment: the internal key is tweaked by a hash of the committed script tree.
    Reading: academic paper
    Not fully PQ 😔. The commitment is PQ, but the public key is not.

  • (...)

Proofs of Concept / Growing / Niche

  • Bitcoin PIPEs v2
    Witness encryption to enable covenants and ZKPs from signatures.
    Reading: Paper
    PQ? TBD ⏳.

  • Facebook secure update propagation.
    Homomorphic hashing (aka incremental hashing)
    Reading: blog, code.
    Partially PQ 🤨 (would be fully PQ with a PQ signature scheme signing the homomorphic hashes).

  • Facebook ads attribution.
    Private match and compute
    Reading: blog 1, blog 2, code.
    Not fully PQ 😔.

  • Google ads attribution.
    Private join and compute
    Reading: blog, code.
    Not fully PQ 😔.

  • Google ads attribution.
    Partially homomorphic encryption for private set intersection using Paillier
    Reading: blog, Media coverage, patent.
    Not fully PQ 😔. Paillier is not post-quantum secure.

  • IACR voting
    Mixnets
    Reading: Helios.
    PQ? TBD ⏳.

  • Proton E2EE email forwarding
    Proxy re-encryption for ECDH (X25519) in OpenPGP
    Reading: blog, paper, RFC draft.
    Not fully PQ 😔.

  • (...)

See also