Zero-Knowledge References

Those references are taken from ingopedia repository by ingonyama-zk at commit 3e3c4c5b2a5ecbd85eeb30829554a762d2896a8c.

Zero Knowledge

Curated Resources

• zkProof Standards - Resource
• ZK Mesh - resource
• Curated list of ZKP implementations
• Awesome - Matter labs - ZK proofs
• Awesome - Mikerah - Privacy on Blockchains
• Awesome - Worldcoin - ZK Machine Learning
• Resource: Awesome_Plonk
• ZK research 0x
• ZK canon
• Moonmath manual
• ZKP knowledge base: Delendum

Articles

• Introductory:
  • ZK Whiteboard Sessions
  • An incomplete guide to zk: why zk matters
  • Applications of ZKPs
  • PCP - Probablistically Checkable Proofs
  • ZKP beginner resources
  • ZK jargon decoder
  • Amit Sahai explaining ZK to people of all ages - video
  • An introduction to how zk snarks are possible - Vitalik
  • Using zkSnarks for privacy: Vitalik
  • ZudoKu - intuitive no-math ZK Primer using Sudokus
  • Introduction to Zk SNARKS -Decentriq
  • Zk blog
  • Zk_primer_1 M.Green
  • Zk_primer_2 M.Green
  • Interactive_proofs and Zk
  • Zk - proofs with examples
  • Merkle Trees
  • KU Lueven: Intro to ZK part 1
  • Simple intro to ZKP
  • A cambrian explosion of crypto proofs -Ben Sasson
  • Hunting of the SNARK Walton-Pocock: Part 1, Part 2,Part 3
  • On interactive proofs and ZKP - Yannik Goldgrabe
  • Exploring ZK with Groth
  • Breaking supersingular isogeny DH * Galbraith
• ZK whiteboard sessions by ZK Hack:
  • Part 1: What is a SNARK?
  • Part 2: Building a SNARK (Part I):
  • Part 3: Building a SNARK (Part 2)
  • Part 4: SNARKS vs. STARKS
  • Part 5: PLONK and Custom Gates with Adrian Hamelink
  • Part 6: Lookup Arguments for Performance Optimisation
  • Part 7: Zero Knowledge Virtual Machines (zkVM)
  • Part 8: Achieving Decentralised Private Computation
  • Part 9: Introduction to zkRollups
  • Plonk origin and roadmap
  • Part 10: Polygon zkEVM
  • Part 11: zk SWAPS
  • Part 12: zk ID - Polygon Zero
  • Part 13: Plonky2 - recursive proofs
  • Part 14: Nova - recursive snark, VDF application
• Trusted Setup:
  • Introduction -Vitalik
  • Aztec Ceremony
  • Trusted setup - Tau
  • Setup ceremonies
  • Zk snark setup phase
• Vitalik Snark tutorial:
  • Snarks 1: QAP from zero to hero
  • Snarks 2: Elliptic curve pairings
  • Snarks 3: Zk snarks
• All about STARKS:
  • Introduction
    • Stark from home
    • STARK glossary
    • Stark Thread - Eli Ben Sasson
  • Papers
    • STARK paper
    • DEEP - FRI
    • Proximity Gaps for Reed-Solomon Codes
  • Vitalik Stark tutorials:
    • Starks 1 proofs with polynomials
    • Starks 2
    • Starks 3
  • STARK Math series:
    • Journey Begins
    • Arithmetization I
    • Arithmetization II
    • Low Degree Testing
    • A framework for efficient STARKS
  • Stark 101 - hands on
  • Anatomy of a STARK
    • Part2: BrainSTARK
    • Code: Brainfuck
  • BrainSTARK
  • STARK vs SNARK
    • SNARK vs STARK vs Bulletproofs
  • STARK Week
  • EthSTARK
    • code
    • documentation
  • Recursive STARK -Avihu Levy
• Recursive Snarks:
  • Recursive SNARK -zkProof
  • Recursive SNARK - overview - Michael Straka
  • Fast Recursive arguments based on Plonk and Halo
  • Field selection for recursive SNARKS
  • ZKsnark aggregation - Delendum
• Zero Knowledge Hands-on:
  • zero knowledge with Bellman
  • Cryptohack - hands on cryptography
  • Zk hack puzzles
  • Hands on ZK - ZK learning group
  • Intro to zk: do it yourself circuits
  • Zk Sudoku - Python
  • Arnacube implementations
  • Rust Cryptographic libraries
  • DAPP fron scratch - Vivian Plasencia
  • Crrl: Cryptography research library - Thomas Pornin
  • Zordle - Zk wordle
  • Mental Poker: Part 1
  • Mental poker: Part 2
  • 0xparc learning groups - covering cricom and halo2
  • Constructing ZK SNARK circuits - DSL Zk calculator
  • Social Applied ZK projects on Ethereum
  • Uncloak courses
• Ethereum
  • vitalik blog
  • Ethereum-powered ZK-Rollups: World Beaters
  • Ethereum Crypto research
  • Ethereum - Scalability
  • Ethworks: Blockchain scaling
  • Mihailo Belijc
  • Ethereum - Proof of Efficiency: New consensus mechanism
• General
  • Digital identity in ZK
  • ZKp security in practice
  • Wei Dai - Navigating privacy in Blockchains
  • Zk lottery
  • Threshold Encryption
  • Vulnerabilities in zk systems
  • Vulnerability in Fiat-Shamir
  • Frozen heart vulnerability: Bulletproof
  • Frozen heart vulnerability: Plonk
  • Hertzbleed attack: sidechannel
    • paper
  • Stress testing Zk systems: Zk docs
  • An intuitiive understanding of cryptography
  • Zero knowledge Proof mining
  • zk ML
  • Practical Cryptography for Devs: Nakov
  • deep dive into DKG chain of snarks and arkworks
  • Decentralizing zk rollups
  • Miden VM
    • Range Checks in Miden VM
    • Miden VM program decoder
    • Memory in MidenVM
    • u32 in MidenVM
  • GKR implementaton - Justin Thaler
  • Verifiable computing stack
  • ZKp from Information theoretic Proof systems 1 - Yuval Ishai
  • ZKP from Information theoretic Proof systems 2 - Yuval Ishai
  • A cambrian explosion of ZKP's - Ben-Sasson
  • Secure computing and hardware acceleration
  • Crypto canon
  • DAO canon
  • Having a safe CEX: proof of solvency and beyond
  • What's next in ZK
• MPC
  • Yau;s garbled circuits: MPC
  • A gentle introduction to YAU's Garbled circuits
  • Setup ceremonies - Pruden & Matlala
  • Collaborative zk-Snarks
  • a Multi-Prover Zero-Knowledge Proof System
  • Trinocchio: Privacy-Preserving Outsourcing by Distributed Verifiable Computation
  • Zero-Knowledge Proofs on Secret-Shared Data via Fully Linear PCPs
  • Prio: Private, Robust, and Scalable Computation of Aggregate Statistics
  • ATLAS (Goyal, CMU) Efficient and Scalable MPC in the Honest Majority Setting
• Gaming
  • Dark Forest - the zk SNARK game
  • Cairo Games Vol2: Solns
  • Blockchain games and game mechanics
  • Crypto gaming - A practical thesis
  • The strongest Crypto gaming thesis
  • ZKP for gaming
• Comprehensive protocol books:
  • Mina Protcol
  • Halo 2 book
  • Filecoin
• ZK Rollups
  • Zk rollups an incomplete guide
  • Decentralized zk-Rollup
  • Zk rollups popular
  • Ethereum: Zk rollups
  • How ZK rollups work: Simon Brown
• ZK bridges
  • Vulnerabilities in ZK bridges
  • Primer on Cross chain bridges and how to break them: Niv Yehezkel
  • Block chain bridges: Introduction
  • Introduction to validating bridges and L2 protocols - Patrick McCory
  • zkEVMOS - Bridges and Interoperability
  • Bridging the blockchain multiverse with ZKP
  • Cross chain Futur - Delendum
  • Navigating privacy on Blockchains - Wei Dai
• Accelerating Zero Knowledge:
  • Supranational VDF's and crypto accelerators
  • Measuring Snark performance frontends-backends and future - Thaler
  • SNark security and peformance - Thaler
  • Supranational codes
  • Decentralized Speed: Advances in Zero Knowledge Proofs
  • Hardware Acceleration for Zero Knowledge Proofs
  • ZK and TLS
  • Algorithms for modern Hardware
  • learning CUDA from scratch - entropy
  • Low latency multipliers and cryptographic puzzles
  • Zprize submissions summary - entropy
    • hackmd version
• Dmitry Khovratovich notes
• MIT research site
  • Zk sharks - MIT
• How to be a Rustacean
  • Idiomatic Rust - For beauty over brawn
  • Print and keep nearby - cheats.rs
  • Turtorials
  • Benchmarking with Rust
  • Uncloak Study group

Zero Knowledge Lectures/books/videos/Schools

• Why and how Zero knowledge works
• The math behind ZkSNARK - video
• De-mystifying Zk proofs -workshop
• An evolution of ZKP - Sarah Meiklejohn
• Schools/Courses
  • BIU_Crypto_School_2019 -Zero Knowledge
  • Youtube link
  • BIU_Crypto_School_2022 - Advances in Secure computation
  • Defi MOOC
  • Zero Knowledge Proof MOOC
  • CS355:Topics in Cryptography- Stanford online
• Cryptography lectures
• Foundations of Block chains - Tim Roughgarden
• Foundations of probabilistic proofs - Alessandro Chisea
• Basics of zkSTARK and zkSNARK
• An Introduction to Secret-Sharing-Based Secure Multiparty Computation - Daniel Escudero
• Proofs Arguments and Zero Knowledge - Justin Thaler
  • This is a regularly updated book, discord zk study club from mid april.
• ZKP - Modular approach -Yuval Ishai
• A review of zk-SNARKS
• Recursive SNARKs - Stanford lecs
• All about Verifiable Delay Functions (VDF's) - VDFresearch
• Chiesea - Thesis - Recursive SNARK
• Berry Lecture Notes
• Cryptographic Protocls: lectures
• Zero Knowledge: A tutorial by Oded Goldreich
• Workshops/conferences
  • AppliedZk workshop
  • Zk summit videos
  • Zk summit 2022 slides
  • plonkathon
  • MIT IAP 2023 - Modern Zero Knowledge Cryptography
• Berkley workshop 2022

ZK protocols and implementations

• Pinocchio - 2013
• TinyRAM - 2013
• vnTinyRAM - 2014
  • Mike Hearn
• Geppetto - 2015
• Buffet - 2015
• Groth -2016
  • Code: ConSensys - gnark,Code: Arkworks
  • Groth16 Malleability - Geometry research
  • Proof of forgery
  • Groth16 aggregation proposal
  • Groth - Talk
  • Deep into bellman library - Star Li
• Ligero - 2017
• ZoKrates - 2018, Code: ZoKrates
  • Proving hash preimage with Zokrates - Decentriq
  • Efficient ECC in Zokrates- Decentriq
• xjSNARK - 2018
• vRAM - 2018
• Bulletproof - 2018
  • ZKP using Bullet proofs - Lovesh Harchandani
  • Code: Dalek
  • Code: Lovesh
  • Notes
• Hyrax - 2018
• zk-STARK -2018
  • Code: Winterfell -multi threaded zk STARK, Crate: Winterfell
  • CAIRO
  • MiniSTARK
• Sonic - 2019
  • Sonic - Benthams Gaze
• Plonk - 2019
  • Plonk high level summary
  • Talk: Ariel Gabizon
  • Talk: Zac Williamson
  • Understanding Plonk - Vitalik
  • From AIRs to RAPs - how PLONK-style arithmetization works
  • On optimizations of Plonk
  • Custom gates on plonk -Do whatever
  • Plonk Cafe
  • Plonk: Anatomy of a proof generation: Scroll
  • code: Heliaxdev, code: Kobigurkan ,code: ZKgarage, code: Dusknetwork,code: Jellyfish includes plookup ,Resource: Awesome_Plonk
  • Resource: Plonk by hand -1 Metastate
  • Resource: Plonk by hand -2 Metastate
  • Resource: Plonk by hand -3 Metastate
  • Resource: Plonk and Plookup Metastate
  • Turboplonk
  • Custom gates in plonk
  • Plonk: Thomas Piellard
  • ZKP intro to Plonk - Star Li
  • Multi set checks in Plonk and Plookup: Gabizon
  • Plonk - Kimchi: Mina Protocol
    • Kimchi
• Redshift - 2019
  • Redhsift Summary
• Spartan - 2019
  • code: Microsoft
• Halo - 2019
  • Halo - Thomas Piellard
• Aurora - 2019
  • Thesis Spooner
• MIRAGE - 2020
• Marlin - 2020
  • Code: Sciprlab-Arkworks
  • Doc: Pre lunar and not updated to Aleo/testnet3
  • Thesis
  • Eurocrypt 2020: Talk video
  • ZK summit - Talk: Pratyush
  • Sin7y tech review: blog
• Fractal -2020
  • Fractal - talk
  • code: Sciprlabs-Libiop
  • Resource: Demystifying Fractal 1 -Metastate
  • Resource:Demystifying Fractal 2 - Metastate
• Lunar - 2020 - Optimizations for Marlin.
  • ZK study club video
• SuperSonic - 2020
  • Resource: Demystifying supersonic 1 -Metastate
  • Resource: Demystifying supersonic 2- Metastate
• Virgo - 2020, code
• Plookup -2020
  • Marlin + Plookup (High-Level Summary)
  • code: Jellyfish
  • Plookup in action -Talk
  • Plonk and Plookup - Metastate
  • Plonk and Plookup - Khovratovich
  • Mina Protocol
  • AES with lookup : Daira Hopwood
  • Lookup tables - Ariel Gabizon
• Zilch - 2021, code
• Darlin - 2021,code
• Plonkup -2021
• SnarkPack -2021 Practical snark aggregation
  • Blog: efficient aggregation
  • SNark aggregation: general
• FFlonk -2021 a FFT friendly Plonk
• Brakedown - 2021
• Nova - 2021, code - Srinath Setty - Talk - Srinath Setty - Video - Nova - Entropy - IACR talk slides
• Plonky2 - 2022
  • code
  • documentation
  • Plonky: code
    • Plonky: Fast recursive arguments based on Plonk and Halo
    • Plonky: Adding zero Knowledge to Plonk and Halo
• Halo 2 - library
  • Guide to Halo2 source code
• Gemini - 2022, Arkworks
  • talk
• Caulk - 2022
  • Code
  • Caulk+
• Orion -2022
  • Code
  • IACR -talk
• Hyperplonk - 2022
  • Hyperplonk - benedikt Bunz
  • Blog- Delendum
  • Hardware friendliness of MLE-Sumcheck
  • Checking univariate identities in Linear time
• flookup: Fractional decomposition-based lookups in quasi-linear time independent of table size -2022
• Baloo: Nearly Optimal Lookup Arguments - 2022
• CQ: Cached coefficients for fast lookups 2022
  • code: Geometry
• Supernova 2022

Elliptic Curves/Polynomial Commitments/R1CS/QAP/FFT/MSM/hash functions

Finite Fields

• Number theory explained from first principles
• An introduction to the theory of finite fields
• MIT lectures -FInite Field arithmetic
• Finite field arithmetic Doche Lange
• Aztec emulated field and group operations
• Extension fields: Entropy

Polynomials

• Curious History of Schwarz-Zippel lemma

Elliptic curves

• An introduction to the Arithmetic of Elliptic curves - Comprehensive series of lectures - Pre req: Galois Theory,
• ECC cryptobook
• Cures over finite fields - Lectures
• Elliptic curves Chapter 4 Washington
• Elliptic Curves: MIT lectures
• Corbellini - ECC
• ECC primer
• Silverman - ECC talk
• Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms
• Solinas - Efficient Arithmetic on Koblitz Curves
• Koblitz curve cryptosystems
• Elliptic Curve Cryptosystems (Koblitz Curves)
• Algorithm to Find Elliptic curves with a subgroup of a given size
• Elliptic curves number theory and cryptography
• Elliptic curve Arithmetic Curve addition - Doche-Lange
• Elliptic Curve Arithmetic Exponentiation -Doche Lange
• Elliptic curves of characteristic 2 or 3 - John Cook
• Addition/Doubling formulae
• Visualize Elliptic curves
• j invariant of a curve
• subgroup checks in BLS12
• Complete addition formulae : Bernstein - Lange
• Complete addition formulae for prime order curves
  • FPGA implementation of complete formulae with Montgomery multiplier
• Survey of Elliptic curves for Proof systems
• Edwards curves
• Twisted Edwards curves
• Subgroup checks for BLS12
• Cofactor explained: Elliptic curves dirty little secret
• Pairings:
  • Pairings for beginners - Craig Costello
  • Pairings - Vitalik Buterin
  • Pairing friendly curves
  • Estimating the Bit Security of Pairing-Friendly Curves - NCCgroup
  • Pairing implementation revisited
  • Groth_Sahai proofs are not scary
  • Bilinear pairings in cryptography - Dennis Meffert
  • Pairings and poly commitments - David Wong
  • Circom pairing
    • Code
  • Pairings or bilinear maps
• Specific curves
  • BLS12-381 For The Rest Of Us
  • BN254 for the rest of us
  • Benchmarking pairing-friendly elliptic curves libraries
  • ecgfp5 - Pornin: Goldilocks
    • ed448 blog John Cook
  • A deep dive into ed25519
  • Pasta curves -Electric coin

Arithmetization

• General
  • Arithmetic Circuits: A survey
  • How to transform code into an arithmetic circuit?
  • Complexity Zoo
• R1CS constraint system
  • Daira Hopwood - Efficient R1CS circuits: Video
    • Notes
  • Quadratic Arithmetic programs R1CS 0 to H - Vitalik Buterin
  • Aleo - Basics of R1CS Zero Knowledge Proofs: How Cryptographers can prove anything
  • Alex Pinto - Constraint system for snarks
  • Alex Pinto - How to build QAP
  • Alex Pinto - Vanishing polynomial for QAP
  • QAP from zero to hero: Vitalik
  • R1CS workshop - Mir
• AIR Arithmetization
  • AIR to RAPs - Gabizon
  • AIR-Multivariate Sumcheck - W.Borgeaud

Fast Fourier Transforms on Finite Fields (NTT: Number Theoretic transform)

• FFT - Vitalik
• Reed-Solomon code: Vitalik
• FFT Notes
• The Fast Fourier Transform in a Finite Field - Pollard
• Number Theoretic Transform (NTT): Introduction
• NTT with code
• NTL: a library for NTT
• Efficient primes for NTT - Goldilocks
  • Goldilocks in nuFHE
  • Goldilocks NTT trick - Solberg
• Elliptic Curve Fast Fourier Transform (ECFFT) Part I: Fast Polynomial Algorithms over all Finite Fields: Eli Ben-Sasson et.al
  • Talk -zk study club
  • ECFFT algorithm
  • Rust Implementation -Wboregaud
  • Rust ECFFT BN254- Wboregeaud
• ECFFT-2 Ben-Sasson et.al
• FFT - Ferror Moreno thesis
• Zcash once again for FFT
• FFT for polynomial multiplication
• A quick barycentric evaluation tutorial - Vitalik
• Barycentric interpolation - Math Oxford
• Thesis: BUNTTERFLY: A Flexible Hardware Generator for the Number Theoretic Transform - Jason Vranek
• CycloneNTT

Hardware acceleration for Zero Knowledge

• PipeZK
• Cloud ZK
  • Cloud ZK - Ingonyama

Polynomial Commitment Schemes

• General
  • Overview of commitment schemes: Justin Drakes
  • Comparison of Commitment Schemes
  • Finite fields and polynomials
  • PCS multiproofs using random evaluation - Dankrad Feist
  • Schwarz - Zippel Lemma
  • Intro to Sumcheck protocol -oxsage
    • Inuition behind sumcheck - Wong
• KZG
  • KZG commitments
  • KZG - Suyash
  • Polynomial commitments - Dankrad Feist
    • How to use KZG in proofs
  • Fast KZG proofs
  • Amortized KZG - Khovratovich
    • Multiplying a vector by a Toeplitz matrix
    • PCS multiproofs - Feist
  • New sharding design with tight beacon and shard block integration - Dankrad Feist
  • Protodanksharding - FAQ Vitalik
  • Universal verification equation for data availability sampling
  • KZG friendly curves: El Housseini
  • KZG in practice: Scroll
• Vector Commitments
  • Verkle Trie - Dankrad Feist
  • Aggregatable vector sub commitments
  • Catalano-Fiore VC
• FRI Fast Reed Solomon Interactive Oracle Proofs of Proximity
  • FRI hackernoon
  • FRI properties
  • FRI erasure code fraud proof
  • Barycentric low deg check - Dankrad Feist
• Inner product Arguments (IPA)
  • Inner product arguments - Dankrad Feist

Multi Scalar Multiplications

• Fast Multi-scalar Multiplication Methods on Elliptic Curves with Precomputation Strategy Using Montgomery Trick
• Faster batch forgery identification See section 4 for MSM, bucket method
• Pippenger's exponentiation algorithm - Bernstein
• Efficient multi-exponentiation
  • implementation in Python
• A Taxonomy of Circuit Languages - Talk - Alex Ozdemir
• Multi-scalar multiplication: state of the art & new ideas with Gus Gutoski
• Improved Fast exponentiations - Bodo Moller
• Fast exponentiation with precomputation - Brickell Gordon et al
• Matter labs -ALgorithms
• Ryah Henry - Thesis
• Efficient Multi exponentiation: Bucket method - Bootle
• Hardware acceleration
  • MSM with FPGA -Connor Masterson thesis
  • PipeMSM
  • EdMSM
  • CycloneMSM

Modular arithmetic

• A Fast Large-Integer Extended GCD Algorithm and Hardware Design for Verifiable Delay Functions and Modular Inversion
• Optimized Binary GCD for Modular Inversion
• Library of Algorithms
• Modular Multiplication and Hardware implementations - Review
• Evaluation of large integer multiplications in hardware - Review
• Hardware friendly modular mult
• Montgomery REDC using positive inverse mod r

Related Math

• The Matrix cookbook
• Ideal Class Groups

Hash functions in ZK

• ZK hashes- General
  • ZKP friendly hash functions: SOK
  • Whats the deal with hashes: zk hack
• Merlin: Fiat-Shamir magic generator
• Keccak: Sponge and Duplex constructions
  • Sponge functions: paper
• POSEIDON: A New Hash Function for Zero-Knowledge Proof Systems
  • some documentation
  • Encryption With Poseidon: Dima Khovratovich
  • SAFE A tool box for Poseidon API
    • SAFE: Faster and simple hashing with ZKP
  • code: filecoin
  • code: Ingonyama (python)
  • code: snarkVM Aleo Poseidon
  • Encoding of long objects in Poseidon - Dmitry Khovratovich
  • Poseidon in Filecoin - Dmitry Khovratovich
  • Talk Grassi
  • code: Dusk network
  • code: Dust netowrk - Poseidon merkle
  • code: Triplewz - GO
  • Poseidon vs Rescye
  • Plonky2: Poseidon gate
  • Penumbra: Poseidon Decaf377
• Rescue-Prime: a Standard Specification (SoK)
  • Observations on Rescue
• MiMc
  • Mimc7 in Plonk - Custom gates
  • Mimc Roy slides
• Reinforced concrete
  • implementation
  • Plonkup reinforced concrete zkstudyclub
  • Dusk network
  • Code: Luke Pearson
• Sinsemilla: A circuit-efficient, lookup-based collision-resistant hash function
  • halo book
  • ZCash protocol specification
• Blake
  • code
• Merkle Trees
  • Merkle trees
  • Sparse Merkle trees
  • Merkle Commitment scheme
  • Merkle trees and proof of inclusion
• S box properties
• Hash to Curve
  • Hash to Curve
  • Hash to secp256k1 curve
  • Optimized BLS signatures on EVM
• Hash Bounties
  • Algebraic Hash bounties

Homomorphic Encryption

Articles

• TFHE deep dive: ZAMA AI - Ilaria Chilloti
  • Part 1: Ciphertext types
  • Part 2: Encoding and linear ops
  • part 3: key switching and levelled multiplications
  • Part 4: programmable bootstrapping
  • General
    • Survey on FHE and applications
    • Encrypted search using FHE
    • Exploring FHE: Vitalik
    • ML and FHE

HE Libraries/implementations

• Awesome FHE library list
• Microsoft SEAL
• TenSEAL - Openmined
• PySyft - Openmined
• Tfhe - torus
• Google - FHE
• IBM - FHE
• PALISADE
• Zama AI - Concrete - Rust
• Paillier - Julia
• Cupcake - Facebook Research

Accelerating FHE

• Papers
  • FPT: a Fixed-Point Accelerator for Torus Fully Homomorphic Encryption

PQC (Post Quantum Cryptography)

General

• NIST announcement for PQC algorithms
  • NIST summary