http://scrumy.com/PostQuantum

1. A comprehensive list of attacks against Public-Key Algorithms (RSA, ECC, Knapsack, ElGamal, ...) and their applications (Padding, Encrypt-then-Sign vs. Sign-then-Encrypt, ...):
   * Side-channel attacks
     * Timing
     * Power
     * Response
     * Error-messages
   * Known-plaintext
   * Chosen-plaintext
   * Withholding of information
   * Encrypt-then-Sign vs. Sign-then-Encrypt
   * Prime-Factorisation
   * Random number generator leaks
   * Non-deterministic (random) signatures leaking private key bits
   * Specific algorithmic problems
     * RSA
       * Low exponent (3) attacks
       * Too short keylength
     * Knapsack
     * ...
   https://github.com/iSECPartners/LibTech-Auditing-Cheatsheet#appendix-b-cryptographic-attacks-cheat-sheet

2. IETF-Draft
   * AdditionalPublicKeys
   * New ciphersuites for NTRU
   * PASS-sign
   * NKE
   * NTRU-MLS

3. NTRU security handbook, NTRU-MLS security handbook

4. PASS-sign security handbook

5. Deployment Timeline

6. OpenSSL implementation

7. Timbuktu audit

8. Interoperability Tests

9. Wireshark patches to analyze NTRU keys, certs, NTRU-TLS, NTRU-MLS, PASSsign, Additional-Public-Keys, AdditionalSignatures

10. Getting the crypto primitives into the crypto libraries and getting the APIs extended
    * OpenSSL
    * NSS (Firefox+Thunderbird, ...)
    * CryptoAPI

11. Finding a post-quantum replacement for SRP

12. Implementation of Diffie-Hellman key exchange between TLS-client and TLS-server for Perfect Forward Secrecy
    For this piece, I think we need to extend TLS (new ciphersuite like DHPQ+...) and have it implemented by the TLS clients and by the TLS servers. The CAs are not part of that game; this could be done independently of them, I think.

13. OpenPGP implementation

14. OpenPGP standardisation

15. NTRU importer for Visualisation in Blender

16. DH-Replacement Try#1:
    Lars Luthman wrote: Any public key encryption algorithm can be used for key exchange; the trivial generic method is to have each party generate a random bit string, encrypt it to the other party's key, send it, receive the other encrypted bit string, decrypt it, and compute the master secret as a hash of the XOR of both bit strings. Forward secrecy simply means that you generate a new keypair for every exchange.
    Try this with PASSsign

17. DH-Replacement Try#2: https://eprint.iacr.org/2013/718.pdf
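The generic "PKE as key exchange" construction quoted in item 16, worked through end to end as an added example; this is not code from the board, from Lars Luthman, or from any of the NTRU/PASS-sign projects listed above. It assumes textbook RSA as a stand-in for whichever public-key scheme is finally chosen, 256-bit demo primes (far too small for real use, chosen so pure-Python key generation stays fast), SHA-256 as the hash, and the names `Party`, `contribution_for`, `derive_master_secret` and `run_exchange` are this example's own. Each `Party` generates a fresh keypair for the exchange, which is what gives the forward-secrecy property described in the quote.

```python
import hashlib
import secrets

# Demo-sized parameters (assumption: 256-bit primes keep pure-Python keygen
# fast; a 512-bit modulus is far too small for any real deployment).
PRIME_BITS = 256
NONCE_BYTES = 32          # 256-bit random contribution, always < the modulus


def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)       # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime with the top bit set, so the modulus has full size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair():
    """Fresh textbook-RSA keypair. Generated per exchange -> forward secrecy."""
    e = 65537
    while True:
        p, q = gen_prime(PRIME_BITS), gen_prime(PRIME_BITS)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:                       # need gcd(e, phi) == 1
            continue
        n = p * q
        return (n, e), (n, pow(e, -1, phi))


def pke_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def pke_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


class Party:
    """One side of the exchange: ephemeral keypair plus a random bit string."""

    def __init__(self):
        self.pub, self._priv = gen_keypair()
        self._nonce = secrets.token_bytes(NONCE_BYTES)

    def contribution_for(self, peer_pub):
        """Encrypt my random bit string to the peer's public key."""
        return pke_encrypt(peer_pub, int.from_bytes(self._nonce, "big"))

    def derive_master_secret(self, peer_ciphertext):
        """Decrypt the peer's bit string, XOR with mine, hash the result."""
        peer_nonce = pke_decrypt(self._priv, peer_ciphertext).to_bytes(NONCE_BYTES, "big")
        mixed = bytes(a ^ b for a, b in zip(self._nonce, peer_nonce))
        return hashlib.sha256(mixed).digest()


def run_exchange():
    """Run one full exchange; returns (alice_secret, bob_secret), which must match."""
    alice, bob = Party(), Party()
    ct_to_bob = alice.contribution_for(bob.pub)      # Alice -> Bob
    ct_to_alice = bob.contribution_for(alice.pub)    # Bob -> Alice
    return alice.derive_master_secret(ct_to_alice), bob.derive_master_secret(ct_to_bob)


if __name__ == "__main__":
    ka, kb = run_exchange()
    print("secrets match:", ka == kb)
```

Two things this toy deliberately leaves out, both of which item 1 on this board flags as attack surface: the RSA here is unpadded (a real build would use a padded encryption or a KEM interface of the chosen scheme), and the public keys are exchanged with no authentication, so an active attacker in the middle could run two separate exchanges; in TLS that binding comes from the certificate chain, which is why item 12 notes the CAs are not needed for the key-exchange part itself.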