A brief introduction to

lattice-based cryptography
Douglas Stebila

PMAMC&OC • 2023-03-09
 Outline
1. Background: Why post-quantum?
2. Learning with errors problems
3. Public key encryption from LWE
4. Difficulty of LWE and lattice problems
5. Standardization of post-quantum
cryptography

2
 1. Background
Why post-quantum?

3
4
5
6
 Public-key Symmetric
cryptography cryptography

Elliptic curve
AES AES GCM
RSA signatures Diffie–Hellman
encryption integrity
key exchange
7
 RSA digital signatures
Key generation Signing Verification
• Pick large random To sign message 𝑚 using Get a trusted copy of the
primes 𝑝, 𝑞 ≈ 2!"#$ secret key 𝑛, 𝑑: signer’s public key 𝑛, 𝑒
• Compute • Signature:
𝑛 = 𝑝𝑞, 𝜎 = 𝐻(𝑚)( mod 𝑛 To verify message m
𝜙 𝑛 = 𝑝−1 𝑞−1 against signature 𝜎 and
• Pick 𝑒 ∈ ℤ∗% public key 𝑛, 𝑒
• Compute • Check if
𝑑 = 𝑒 '! mod 𝜙 𝑛 𝜎 ) = 𝐻 𝑚 mod 𝑛
• Public key: 𝑛, 𝑒 Hard to forge signatures
• Secret key: 𝑛, 𝑑 if factoring is hard*

8
 Diffie–Hellman key exchange
Public parameters: g is a generator of an abelian group of prime order q

Alice Bob
x ∈R ℤq y ∈R ℤq
X⟵g x send X ⟶ Y⟵g y

⟵ send Y
k⟵ Y x = g xy
Hard to compute shared k⟵ X y = g xy
secret if discrete
logarithms are hard*
9
Theorem (Shor, 1984):
There exists a polynomial-
time quantum algorithm that
can factor and compute
discrete logarithms.
10
 Ba
se
com d on
put diffic
Public-key no in u Symmetric
t q logari g disc lty of
uan thm ret
cryptography tum s – e cryptography
res
ista
Based on nt!
difficulty of
Elliptic curve
factoring large AES AES GCM
numbers – RSA signatures Diffie–Hellman
encryption integrity
not quantum key exchange
resistant!
11
 Post-quantum cryptography
a.k.a. quantum-resistant algorithms

Cryptography based on computational

assumptions believed to be resistant to attacks
by quantum computers

Uses only classical (non-quantum) operations to

implement
12
2. Learning with errors problems

13
Solving systems of linear equations
secret
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13

4 1 11 10 4
5 5 9 5 8
× =
3 9 0 10 1
1 3 3 2 10
12 7 3 4 4
6 5 11 4 12
3 3 5 0 9

Linear system problem: given blue, find red 14

Solving systems of linear equations
secret
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13

4 1 11 10 6 4
5 5 9 5 9 8
× =
3 9 0 10 11 1
1 3 3 2 11 g 10
u s in
s olv ed n
12 7 3 4 Ea s ily in a t io 4
a n e lim
i
6 5 11 4 Gauss TH 136) 12
(MA
3 3 5 0 9

Linear system problem: given blue, find red 15

 Learning with errors problem
[Regev 2005]
random secret small noise
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13 Z7⇥1
13

4 1 11 10 6 0 4
5 5 9 5 9 -1 7
× + =
3 9 0 10 11 1 2
1 3 3 2 11 1 11
12 7 3 4 1 5
6 5 11 4 0 12
3 3 5 0 -1 8

16
 Learning with errors problem
[Regev 2005]
random secret small noise
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13 Z7⇥1
13

4 1 11 10 4
5 5 9 5 7
× + =
3 9 0 10 2
1 3 3 2 11
12 7 3 4 5
6 5 11 4 12
3 3 5 0 8

Search LWE problem: given blue, find red 17

 Decision learning with errors problem
random secret small noise looks random
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13 Z7⇥1
13

4 1 11 10 4
5 5 9 5 7
× + =
3 9 0 10 2
1 3 3 2 11
12 7 3 4 5
6 5 11 4 12
3 3 5 0 8

Decision LWE problem: given blue, distinguish green from random 19

 Search-decision equivalence
•Easy fact: If the search LWE problem is easy,
then the decision LWE problem is easy.

•Fact: If the decision LWE problem is easy, then

the search LWE problem is easy.
• Requires nq calls to decision oracle
• Intuition: test each value for the first component of the
secret, then move on to the next one, and so on.
[Regev STOC 2005] 20
 Choice of error distribution
• Usually a discrete Gaussian distribution of width ↵ < 1
for error rate s = ↵q

• Define the Gaussian function

2 2
⇢s (x) = exp( ⇡kxk /s )

• The continuous Gaussian distribution has probability

density function Z
f (x) = ⇢s (x)/ ⇢s (z)dz = ⇢s (x)/sn
Rn
21
 Short secrets
•The secret distribution s was originally taken to
be the uniform distribution

•Short secrets: use s = e

•There's a tight reduction showing that LWE with
short secrets is hard if LWE with uniform secrets is
hard.

[Applebaum et al., CRYPTO 2009] 22

Toy example versus real-world example
Z7⇥4
13 Z640⇥8
215
<latexit sha1_base64="4Sm8rRYeGBxy2Gxpb+U2b2rlg04=">AAADtHicZVJNbxMxEHWzfJTwlcKRy6oBiUMUZavSlgNSBReORSK0IptGtjPZWPHalu1tG1zf+TVc4a/wb7A3qeimlnb37fN74/HMEMWZsYPB361Wcu/+g4fbj9qPnzx99ryz8+KbkZWmMKSSS31GsAHOBAwtsxzOlAZcEg6nZPEp7p9egDZMiq92qWBc4kKwGaPYBmrS2c1LbOeEuO/+3B3sD9LcshJMeuQnbu/cZe+8n3S6g/6gXuldkK1BF63XyWSn5fKppFUJwlKOjRllA2XHDmvLKAffzisDCtMFLmAUoMDhxLGrL+PTN4GZpjOpwyNsWrO3HQ6XJu6YXgAx+fg1y5IEa/w1zfB2djR2TKjKgqCr6LOKp1amsRzplGmgli8DwFSzkGBK51hjakPRGscWGqs5o1eN9B2RcmExMU22rLhlWl76doO2bPFjJYyIM6KxXoayBKXpkSAqtKzE1PQo5rSnpGGxSUwUvSlQqeuWmdu4r8KFNSiOaVSZOVawkYoqZopLG9kbGI4PxS6D90PWP4g5CrgMRInF1OUFWKO9y40NETRwl7/2K9b7pjKk70fZ2OUcZjbnWBQc0ryXdrP4zjUr5vZ6w7MA+99zvanOdR1kw1MuL0KPwmzURgIFE46EVmt25Ws7BNUNEcc12xzOu2C413/fz75k3eOP67ndRq/QLnqLMnSIjtFndIKGiKKf6Bf6jf4kh8k4oQmspK2tteclaqxE/AMfHD2s</latexit>
sha1_base64="v7bbGwjnwQ/nTorcM9qCD0a2++0=">AAADtHicZVLLbhMxFHUTHiW8UliyGTUgdRFFmaq0ZYEUwYZlkQityKSR7dxMrHhsy/a0Da73fAY/AFv4FX6Br8CetKKTWpqZM8fn3Ht9r4nizNh+/89Go3nn7r37mw9aDx89fvK0vfXss5GlpjCkkkt9QrABzgQMLbMcTpQGXBAOx2TxPu4fn4E2TIpPdqlgXOBcsBmj2AZq0t7OCmznhLgv/tTt7/WTzLICTHLoJ2731KWvvZ+0O/1ev1rJbZBegc5g58ff7wiho8lWw2VTScsChKUcGzNK+8qOHdaWUQ6+lZUGFKYLnMMoQIFDxrGrDuOTV4GZJjOpwyNsUrE3HQ4XJu6YbgCx+Pg1y4IEa/w19fB2djh2TKjSgqCr6LOSJ1YmsR3JlGmgli8DwFSzUGBC51hjakPTamlzjdWc0Yta+Y5IubCYmDpblNwyLc99q0Zbtvi6EkbEGdFYL0NbgtJ0SRDlWpZiaroUc9pV0rA4JCby7hSo1NXIzE3cU+HAGhTHNKrMHCtYK0XlM8Wljew1DOlDs4vgfZv29mONAs4DUWAxdVkO1mjvMmNDBA3cZS/9ivW+rgzl+1E6dhmHmc04FjmHJOsmnTS+M83yub1c8yzA/vdcrqszXQVZ8xTLszCjcDcqI4GcCUfCqDW78JUdguqaiNc1Xb+ct8Fwt/eml35MO4N3aLU20Qu0jXZQig7QAH1AR2iIKPqGfqJf6HfzoDlu0iaspI2NK89zVFtN8Q8C70BL</latexit>
sha1_base64="5mYPGkXL37U9d2YHSJODuak0GuA=">AAADtHicZVJNbxMxEHWbAiV8pXDksmqoVKQoylbQlgNSBBeORSK0IptGtjPZWPHalu1tG1zf+S8IrvBX+Av8CuxNK7qppd19+/zezHjGRHFmbK/3Z229sXHn7r3N+80HDx89ftLaevrZyFJTGFDJpT4h2ABnAgaWWQ4nSgMuCIdjMn8f94/PQBsmxSe7UDAqcC7YlFFsAzVubWcFtjNC3Bd/6vZf9ZLMsgJMcujHbu/Upa+9H7favW6vWsltkF6Bdn/3x9/vGzsvj8Zb6y6bSFoWICzl2Jhh2lN25LC2jHLwzaw0oDCd4xyGAQocMo5cdRif7ARmkkylDo+wScXedDhcmLhjOgHE4uPXLAoSrPHX1MPb6eHIMaFKC4Iuo09LnliZxHYkE6aBWr4IAFPNQoEJnWGNqQ1Nq6XNNVYzRi9q5Tsi5dxiYupsUXLLtDz3zRpt2fzrUhgRZ0RjvQhtCUrTIUGUa1mKielQzGlHScPikJjIOxOgUlcjMzdxV4UDa1Ac06gyM6xgpRSVTxWXNrLXMKQPzS6C923a3Y81CjgPRIHFxGU5WKO9y4wNETRwl73wS9b7ujKU74fpyGUcpjbjWOQckqyTtNP4zjTLZ/ZyxTMH+99zuarOdBVkxVMszsKMwt2ojARyJhwJo9bswld2CKprIl7XdPVy3gaDve6bbvoxbfffoeXaRM/RNtpFKTpAffQBHaEBougb+ol+od+Ng8aoQRuwlK6vXXmeodpqiH8ZkkCo</latexit>

8
4 1 11 10
5 5 9 5
2738 3842 3345 2979 …
3 9 0 10
2896 595 3607
1 3 3 2
640 377 1575
12 7 3 4
2760
6 5 11 4
…
3 3 5 0
640 × 8 × 15 bits = 9.4 KiB
23
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13

4 1 11 10 Each row is the cyclic

10 4 1 11 shift of the row above

11 10 4 1
1 11 10 4
4 1 11 10
10 4 1 11
11 10 4 1

24
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13

4 1 11 10 Each row is the cyclic

3 4 1 11 shift of the row above
…
2 3 4 1 with a special wrapping rule:
12 2 3 4 x wraps to –x mod 13.
9 12 2 3
10 9 12 2
11 10 9 12

25
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13

4 1 11 10 Each row is the cyclic

shift of the row above
…
with a special wrapping rule:
x wraps to –x mod 13.

So I only need to tell you the first row.

26
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
Z13 [x]/hx4 + 1i

4 + 1x + 11x2 + 10x3 random

× 6 + 9x + 11x2 + 11x3 secret

+ 0 – 1x + 1x2 + 1x3 small noise

= 10 + 5x + 10x2 + 7x3

27
 Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
Z13 [x]/hx4 + 1i

4 + 1x + 11x2 + 10x3 random

× secret

+ small noise

= 10 + 5x + 10x2 + 7x3

Search ring-LWE problem: given blue, find red 28

Learning with rounding problem
random secret
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13 Z7⇥1
5
<latexit sha1_base64="a89XLJGtgI1q+yaZQIWphXeMEBI=">AAAEOHicjVNNb9MwGPYWGGN8bIPjLhEtEkKlaobGYBLSBBeOQ6JsYi6V7b5NrTq2ZTvbipcDv4YrnPklHDkhrvwCnDQTS3fBUpzHr9/n8ePXNtWCW9fr/Vhajq5dX7mxenPt1u07d9c3Nu+9tyo3DPpMCWWOKLEguIS+407AkTZAMirgkE5fl/OHJ2AsV/Kdm2kYZCSVfMwZcSE03Nhq44y4CaX+QzHc+eh3Y+x4BjZOivZwo9Xr9qoWXwVJDVqobgfDzWgFjxTLM5COCWLtcdLTbuCJcZwJKNZwbkETNiUpHAcoSVhp4KtdFPHDEBnFY2XCJ11cRS8zPMlsOWM7AZSmy7+dZTRQy6Ftyrvx84HnUucOJJurj3MROxWXdYhH3ABzYhYAYYYHgzGbEEOYC9VqLJsaoiecnTXse6rU1BFqm9EsF44bdVqsNcKOTz/NE0skODXEzEJZQqbt0JCUGpXLke0wIlhHK8vL0+Ey7YyAKVOdlb2Muzps2IAWhJVZdkI0LFjR6VgL5croBQzLh2Jngfsy6T4rPUo4DYGMyJHHKThrCu/xHhYwdpU7PLFBDx77J0+1K7Ah3AJVZ767E4a+jW0onXZ172YCcLtd4L2iaEo7VQv/p8DCqjyd1HauKIdKFsfJwFeWsSAyFRDjTtxKyn5OPV/gTMH945wvZgePpcgCJ5udhOsStlERKaRcehpuneFnRUWHkHURKMLLSRbfyVXQ3+6+6CZvt1v7r+ontIq20AP0CCVoF+2jN+gA9RFDn9EX9BV9i75HP6Nf0e956vJSzbmPGi368xeJy3M8</latexit>

4 1 11 10 4 1
5 5 9 5 7 2
× = b·cp : Zq ! Zp :
3 9 0 10 2 Divide Zq into 0
1 3 3 2 11 p equal intervals 3
and map x to the
12 7 3 4 5 1
<latexit sha1_base64="HraJN0mZnCuaEia75KToZCIuiQ0=">AAAExXicjVNdb9MwFE23MkaBscEjLxYNEkKlasb3pKEJeNjjkCibmKvKcZzUqmN7ttO1ZBF/h7/Ev+E67aDtXvBDcn18zsm9N9exFty6Xu93Y2OzeWvr9vad1t1793ce7O49/GZVYSjrUyWUOYuJZYJL1nfcCXamDSN5LNhpPP7kz08nzFiu5Fc302yQk0zylFPiABru/sJScZkw6VCIRSqUMgjTRDmETb0banSAcE7cKI7L79XwAmGnlgEdwjlufeYTnjAwWaKGiEtPxq1Qh4hdFER4hJkJEdbDRCYoJxqF0xAB0Y2YR30+U6RSxJ39yx/utnvdXr3QzSBaBO1gsU6Ge5tbOFG0yKE2Koi151FPu0FJjONUsKqFC8s0oWOSsXMIJcmZHZR1Syv0FJAEpdCNVEFvanRZUZLc+hPbgcCX7N92lscg9Vu7au/Sd4OSS104JuncPS1EXTP8FJRww6gTMwgINRwSRHREDKFQ+4pTmRmiR5xOV9IvY6XGjsR2Fc0L4bhRl1VrBXZ8/GNO9JHgsSFmBm0Bpu3EQMqMKmRiO5QI2tHKcj8qXGadhFFl6sGxy3FXQ8GGaUGoZ9kR0WwtFZ2lWijn0esQPg/NzkF7GHXf+BwluwQgh6EoccacNVVZ4gMsWOrq7PDIgh97Xr54qV2FDeGWxWpadl/DtgyxhdZpt3i6mWA4DCt8UFWr1k4tjP/TYO2rPBst0rnhDJ2szqNBWaeMBZGZgIHuoHbkn3Pp1ZpmzNw/zdU6G3L0JmuafDaBcYEyamHMMi7LGKbO8GlVyxmwroEKbk60fk9uBv397vtu9GW/ffRxcYW2g8fBk+BZEAVvg6PgODgJ+gFt7DReNQ4bH5rHTdl0zcmcutFYaB4FK6v58w9CPqE5</latexit>
index of its interval
6 5 11 4 12 4
3 3 5 0 8 2

Search LWR problem: given blue, find red

[Banerjee, Peikert, Rosen EUROCRYPT 2012] 29
 Problems
Learning with errors
Module-LWE Search With uniform secrets
Ring-LWE
Learning with rounding Decision With short secrets
NTRU problem

30
 3. Public key encryption
from learning with errors

31
 Public Key Encryption: Overview
•Alice creates a private key / public key pair
•Anyone can encrypt messages for Alice based on
her public key, but only Alice can decrypt those
messages

•Goal: Provide confidentiality

32
Public Key Encryption: Algorithms
KeyGen() Generates a
private key sk and
→ (sk, pk) a public key pk.

Encrypt a message
Encrypt(pk, m) m using public key
→c pk to obtain
ciphertext c.

Decrypt a
Decrypt(sk, c) ciphertext c using
→m private key sk to
obtain message m.
33
 Public key encryption from LWE
Key generation
Secret key

A s + e = b

Public key

[Lindner, Peikert. CT-RSA 2011] 34

 Public key encryption from LWE
Encryption
s' A + e' = b'

Ciphertext
Receiver's public key

q
s' b + e'' = v' v' + m = c
2

Shared secret mask

[Lindner, Peikert. CT-RSA 2011] 35
 Public key encryption from LWE
Decryption v' +
q
m = c
2
Ciphertext

q round
b' s = v c – v ≈ m m
2

Almost the same shared secret mask

as the sender used

Secret key

[Lindner, Peikert. CT-RSA 2011] 36

 Approximately equal shared secret
The sender uses The receiver uses

v' = s' (A s + e) + e'' v = (s' A + e') s

= s' A s + (s' e + e'') = s' A s + (e' s)

≈ s' A s ≈ s' A s
=> Can decrypt as long as noise terms are small with high probability
37
 Security of public key encryption
Theorem:
If the decision learning with errors problem is hard,
then this public key encryption scheme is
semantically secure against chosen plaintext
attacks.

•Is the decision learning with errors problem hard?

Lindner, Peikert; CT-RSA 2011 38

 4. Difficulty of LWE
Lattice problems

39
Hardness of decision LWE – "lattice-based"

worst-case gap shortest

vector problem (GapSVP)

poly-time [Regev05, BLPRS13]

average-case
decision LWE

40
 Lattices
Let B = {b1 , bn } ✓ Zn⇥n
q be a set of linearly independent basis vectors for Z n
q.
Define the corresponding lattice
( n )
X
L = L(B) = zi b i : zi 2 Z .
i=1

(In other words, a lattice is a set of integer linear combinations.)

Define the minimum distance of a lattice as

1 (L) = min kvk .

v2L\{0}

41
 Lattices

Discrete additive
subgroup of Zn

Equivalently,
integer linear
combinations
of a basis

Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf 42

 Lattices

There are many

bases for the
same lattice –
some short and
orthogonalish,
some long and
acute.

Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf 43

 Equivalence of bases

Two n ⇥ n matrices B and B 0 generate the same lattice L if and only if B and
<latexit sha1_base64="WIQP5rMtQrdoT856R/8A06IofF8=">AAADDnicbVE9jxMxEPUuX0f4ClDSjMgiKNAqe0hAg3QKDQXFIV3uTkqiaOKdJNbZ3pXtJYmi1LTHn6FDtPwFfgsUzCYpyIWRLD/NzPM8vxmVWvnQbv+K4mvXb9y8dXC7cefuvfsPmg8fnfqicpK6stCFOx+hJ60sdYMKms5LR2hGms5GF+/r+tlncl4V9iQsShoYnFg1VhIDp4bN331bKJuTDY2TWQGJhX5QhjzYBAwGpyTjpJMA2pzv5wlMyJLDQBCmBB4NgcYQuA+SPjOmEvXy4yoBNV5zCqsXNd55Ax2BI+ZRDqMFIFRWmSKvNLrN1PlLUCmldTe8gw50E5hNiVkJI+WZsa90DjMVpqBsoAk54C85xeV6aE6BnFEWbWCVpYEsSaExbLbaaXsdsA+yLWiJbRwPm3/6eSErw09Ljd73snYZBkt0/H1Nq0a/8lSivMAJ9RhaNscPluslreAZZ3IYF44Py1hn/2Us0Xi/MCPurG30V2t18n+1XhXGbwdLZcsqkJWbQeNKQyig3jjkypEMvIVcoXSKtYKcokPJnuxOmW+k7uTIVkYFMqvaruyqOfvg9DDNXqevPh22jjpb4w7EE/FUvBCZeCOOxAdxLLpCRhh9iS6jr/Fl/C3+Hv/YtMbRlvNY7ET88y8wDPD8</latexit>

B 0 are related by a unimodular matrix, i.e. B 0 = BU where U is a n ⇥ n matrix

with integer entries and determinant ±1.

44
 Shortest vector problem

Given some
basis for the
lattice, find
the shortest
non-zero
lattice point.

Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf 45

 Shortest vector problems
• Shortest vector problem (SVP): Given a basis B for L, find a vector
<latexit sha1_base64="EuuDhnVwgHPNNsOGcwEyZDZG/n0=">AAAGPHicpVRNb9NAEHUhgVK+WjhyGVEjpVKJ4iIBqlRUCqIgcSgq/ZDqyNqsJ8mq9traXadpXf8Gfg3X8ju4c0NcOXFg7JjSJG3VghXF49lZz3tvnrcVB0KbRuPrxJWrleq165M3pm7eun3n7vTMvU0dJYrjBo+CSG23mMZASNwwwgS4HStkYSvArdbuq3x9q4dKi0h+NPsxNkPWkaItODOU8mYqNbeFHSFTYTAUB5hNuXkErsG+abXT9W6kDGoDPeQmUhCriF4dQs12Q2a6mio21zJ7bjGDVdFDCQwIjtBgr9jQpg2DOs6C9H1mz0NbSJ9qyrfZLgVpLwNXSDhZCDrhXTBdZqjmEI7LDmEJ3IDo+cxzaid2zNn1EeQvY8LaF1SCoC/EwnM7LAxZQeaN6FPn4hlegGPX4VL8ZCQfH6CK/oOoGyCUAFzuR+aivF8jF/m4gV1KgFUWD2mQLY5pAIy42YrixgX1gL0uKgQUhu60dCqDgqmyITqnojOihSKpfTSoQvI9dREkIoGgNsDpayB061GIRoSYJ2mFftqQEj7sEZicxVI+1bPcTlPEGOlPnueZd/9qGgYBM0ZwPMM++dfMVLA/hENj7pG0tIjnzINLUuj5P6bxpDvip5D1PQF/bVU+nGUsOWYs6nx8MHjTs416o7hgPHDKYNYqrzVv+hfh40lI2HnAtN5xGrFppkwR8SA/aBKNMeO7rIM7FEpGw2qmxZGWwSPK+IVW7Yi4F9mTO1IWar0ftqiymMboWp48bW0nMe3nzVTIODEo+aBROwnARJCfj+ALRfMm6X3BuBKEFXiXKcbJbMNd+gOoQzmUSZgLlk2RXM6oOOPB5kLdeVp/8mFhdnmlFG7SemA9tGqWYz2zlq231pq1YfHKp8rnylHlS/Wo+q36vfpjUHplotxz3xq6qj9/A4AHE1w=</latexit>

~v 2 L such that k~v k = 1 (L).

• Approximate shortest vector problem (SVP ): Fix > 1. Given a
basis B for L, find a non-zero vector ~v 2 L such that k~v k  · 1 (L).

• Decision approximate shortest vector problem (GapSVP ): Fix

> 1 and r > 0. Given a basis B for L where either 1 (L)  r or
1 (L) · r, determine which is the case. Sometimes this is stated with
r = 1.
• Shortest independent vector problem (SIVP ): Fix > 1. Given a
basis B for a lattice L, find a linearly independent set {~v1 , . . . , ~vn } such
that maxi k~vi k  · n (L).
46
 Relations among lattice problems

Almost all problems reduce to

<latexit sha1_base64="cXV64QAGCmU94cNEWWsj6jPFGFo=">AAADcXicdVJLb9NAELYTHiU8msIJcRm1QUKiipIgAeJUQEJwC4KkleIoWq/Hyar7MLvjqpHlf8ef4C9wLUcOrJ1IJH3saTTzfd/MfDtxJoWjXu9X2Gjeun3n7s691v0HDx/ttvcej53JLccRN9LYk5g5lELjiARJPMksMhVLPI5PP1b14zO0Thj9nZYZThWba5EKzsinZnvhNNJG6AQ1taIY50IXSmiRsTmWxUDosvVeKuMImJSQWeN1lQOLSc4RyEAnUowWLi2+jYflLJozpVinC/DJWMBzpjKJhxugLxuotYq7UeYdML0EhbQwCdCCETgjzzyhmkVoR0xXdJNeTwfONMQIucOk6lGTb+JtDnYIeVYRGEjjahwtEFLGyS9Vs9wPS4UuO16trrk8dtyKjLqtCHXy38JZ+6DX7dUPrgb9dXAQrN9w1v4bJYbnyv8Hl8y5Sb+X0bRglgSXWLYiv03G+KkXn/hQM4VuWtR3UMLzetXUT5kaTVBnNxkFU84tVeyR9d6Xa1Xyutokp/TttBA6ywk1XzVKc1mZVB0VJMIiJ7n0AfM++FmBL5j1jvnT2+pyvhp1K4c6V4JQlS1vV/+yOVeD8aDbf9199XVwcPRhbdxO8CzYD14E/eBNcBR8DobBKODhz/B3eBH+aVw0nzahub+CNsI150mw9Zov/wE9xR0G</latexit>

SVP . For example, SIVP re-

duces to SVP : any method that
solves all instances of SVP can
be used to solve instances of
SIVP
p , up to a loss of the factor
of n in the subscript.

Laarhoven, van de Pol, and de Weger, Cryptology ePrint Archive 2012/533 47

 Regev's reduction: LWE to shortest vector

poly(n)
Theorem. [Reg05] For any modulus q  2p and any discretized Gaussian
error distribution of parameter ↵q 2 n where 0 < ↵ < 1, solving the
decision LWE problem for (n, q, U , ) with at most m = poly(n) samples is
at least as hard as quantumly solving GapSVP and SIVP on arbitrary n-
dimensional lattices for some = Õ(n/↵).

The polynomial-time reduction is extremely non-tight: approximately O(n13 ).

[Regev; STOC 2005] 48

 Finding short vectors in lattices
LLL basis reduction algorithm Block Korkine Zolotarev (BKZ) algorithm

• Finds a basis close to • Trade-off between

Gram–Schmidt
• Polynomial runtime (in
dimension), but basis
quality (shortness /
orthogonality) is poor
runtime and basis
quality
• In practice the best
algorithm for
cryptographically
relevant scenarios

49
Solving the (approximate) shortest vector problem
The complexity of GapSVP depends heavily on how and n relate, and get
harder for smaller .

Algorithm Time Approx. factor

LLL algorithm poly(n) 2⌦(n log log n/ log n)
various 2⌦(n log n) poly(n)
various 2⌦(n) time and space poly(n)
˜
Sch87 2⌦(n/k) 2k
p
NP \ co-NP n
NP-hard no(1)

In cryptography, we tend to use ⇡ n.

50
5. Standardization of PQ cryptography

51
Standardizing post-quantum cryptography
“IAD will initiate a
transition to quantum
resistant algorithms in
the not too distant
future.”

– NSA Information
Assurance Directorate,
Aug. 2015

Aug. 2015 (Jan. 2016)

52
 Primary goals for post-quantum crypto

Confidentiality in the public Authentication & integrity in

key setting the public key setting

• Public key encryption • Digital signature schemes

schemes
• Alternatively: key encapsulation mechanisms
• KEMs are a generalization of two-party
Diffie–Hellman-style key exchange
• Easy to convert KEM into PKE and vice
versa

53
 Families of post-quantum cryptography
Hash- & symmetric-based Code-based Multivariate quadratic
• Can only be used to make • Long-studied cryptosystems with • Variety of systems with various
signatures, not public key moderately high confidence for levels of confidence and trade-offs
encryption some code families • Substantial break of Rainbow
• Very high confidence in hash- • Challenges in communication algorithm in Round 3
based signatures, but large sizes
signatures required for many
signature-systems

Lattice-based Elliptic curve isogenies

• High level of academic interest in
this field, flexible constructions
• Can achieve reasonable
communication sizes
• Newest mathematical construction
• Small communication, slower
computation
• Substantial break of SIKE in
Round 4

54
NIST Post-quantum Crypto Project timeline
Call for PQ Submission Round 2 Round 3 Round 3 Draft Final
proposals deadline deadline deadline selection standards standard

Dec. 2016 Nov. 2017 Mar. 2019 Oct. 2020 Jul. 2022 2022–2023 2024?
Round 1: Round 2: Round 3: Selection:
69 schemes 26 schemes Finalists: • 3 signatures Round 4
1/3 signatures 9 signatures • 3 signatures • 1 PKE deadline
2/3 PKE 17 PKE • 4 PKE
Alternates:
• 3 signatures
x1
x6 x6 • 5 PKE
Oct. 2022
Round 4: x1
x4 • 4 3 PKEs

Additional signatures
deadline

Jun. 2023
http://www.nist.gov/pqcrypto 55
 NIST Round 3 selections and Round 4
Selections Round 4
Key encapsulation Key encapsulation
mechanisms mechanisms
• Lattice-based: Kyber • Code-based: BIKE,
Classic McEliece, HQC
• Isogeny-based: SIKE
Signatures
• Lattice-based: Dilithium, Signatures
Falcon
• Call for additional signature
• Hash-based: SPHINCS+ schemes
56
 Paths to standardization and adoption
NIST round 3 NIST draft FIPS
NIST
selection standard standard

Internet Engineering
Task Force (IETF)
CFRG
CFRG
standard

TLS working TLS PQ

group standard

LAMPS X.509 X.509 PQ

working group standard

Early Preliminary Standard FIPS-certified

Implementers
prototypes adoption adoption adoption

Certificate CA/B Forum

Deployment
authorities guidelines

58
 Will we be ready in time?
Quantum threat
survey 50%
Selection Final likelihood
standard

2022 2024? 2027 2032 2036

Harvest and decrypt: Mosca – 1/7 chance

of breaking RSA-2048

record encrypted communication Mosca – 1/2 chance

now, decrypt it once you have a of breaking RSA-2048

quantum computer

[Mosca] IEEE Security & Privacy 16(5):38–41, Sep/Oct 2018. https://doi.org/10.1109/MSP.2018.3761723

[Quantum threat] https://evolutionq.com/quantum-threat-timeline-2021.html 59
 Timeline to replace cryptographic algorithms
First full
collision
SHA-1 SHA-1 for SHA-1
standardized weakened

Quantum threat
survey 50%
SHA-2 PQ Final likelihood
standardized standard

1995 2001 2005 Jan. Aug. 2024? 2027 2032 2036

2017 2017

Mosca – 1/7 chance

of breaking RSA-2048
Browsers stop accepting
SHA-1 certificates
Mosca – 1/2 chance
of breaking RSA-2048
16 years

60
 Trade-offs with post-quantum crypto
Confidence in quantum-resistance

Pick ~2
Fast computation Small communication
61
 Trade-offs with post-quantum crypto
RSA and elliptic Lattice-based Hash-based
curves cryptography signatures

Confidence in Confidence in Confidence in

quantum- quantum- quantum-
resistance resistance resistance

Fast Small Fast Small Fast Small

computation communication computation communication computation communication

TLS handshake: TLS handshake: TLS handshake:

1.3 KB 11.2 KB 24.6 KB

62
Addressing the challenges of using PQ crypto
Lack of
confidence in
security

Slow
Make better PQ crypto
computation

Large
communication
63
Addressing the challenges of using PQ crypto
Lack of
"Hybrid": Use multiple
confidence in algorithms
security

Actually not too bad; research

Slow on algorithmic optimizations;
computation general CPU improvements

Change how security and

Large network protocols use PQ
communication crypto

64
 Hybrid approach: use traditional and
post-quantum simultaneously such that
successful attack needs to break both

post-
traditional hybrid
quantum

65
Wrapping up

66
 Post-quantum crypto at University of Waterloo
Main research areas:
• Design of post-quantum cryptosystems
• Cryptanalysis of post-quantum problems on
classical or quantum computers
• Efficient implementations of post-quantum
cryptography
• Adapting network protocols to post-quantum
algorithms
Main mathematical problems:
• Isogeny-based
• Lattice-based (learning with errors, NTRU)
Involved in several NIST candidates:
• Winner:
• CRYSTALS-Kyber (module learning with
errors)
• Round 3 alternates:
• FrodoKEM (learning with errors)
• NTRU (also lattice based)
• SIKE (isogenies on elliptic curves)
Lead the Open Quantum Safe open-
source software project
67
https://openquantumsafe.org/ • https://github.com/open-quantum-safe/
 Open Quantum Safe Project
Led by University of
Waterloo
Apache curl, Open
nginx Chromium
Use in applications httpd links VPN Industry partners:
• Amazon Web
Services
Language • Cisco
Integration into forks OpenSSL Open SDKs
BoringSSL • evolutionQ
of widely used open- S/MIME, TLS 1.3, X.509 C#, C++, Go,
OpenSSL 3 provider SSH Java, Python, • IBM Research
source projects Rust • Microsoft Research

C language library, Additional contributors:

common API
• x86/x64 (Linux,
liboqs • Senetas
• PQClean project
• Individuals
Mac, Windows)
• ARM (Android, Financial support:
Linux) key exchange / KEMs signatures • AWS
• Canadian Centre
for Cyber Security
• Cisco
lattice- multi-variate hash-based • NLNet
isogenies code-based
based polynomial / symmetric • NSERC
• Unitary Fund
https://openquantumsafe.org/ • https://github.com/open-quantum-safe/ • Verisign
 Where to learn more
NIST Post-Quantum
Crypto Standardiation
https://nist.gov/pqcrypto
Quantum threat timeline
https://globalriskinstitute.org/publication
s/quantum-threat-timeline/
Open Quantum Safe
project
https://openquantumsafe.org
https://github.com/open-quantum-safe/
Slides at https://www.douglas.stebila.ca/research/presentations/
Background on post-quantum CO 485 Mathematics of
crypto
• Post-Quantum Cryptography, by Bernstein,
Public Key Cryptography
Buchmann, Dahmen (2009)
https://link.springer.com/book/10.1007/978-3- • Includes lattice-based
540-88702-7 cryptography and isogeny-based
• EU Overview Report (Feb 2021) cryptography
https://www.enisa.europa.eu/publications/post
-quantum-cryptography-current-state-and-
quantum-mitigation
CO 487 Applied
Lattice-based crypto
Cryptography
• Mathematics of Public Key Cryptography, by
Steven Galbraith (2012)
https://www.math.auckland.ac.nz/~sgal018/cr
• Includes lattice-based
ypto-book/crypto-book.html cryptography and cryptographic
• A Decade of Lattice Cryptography, by Chris protocols
Peikert (2017)
https://web.eecs.umich.edu/~cpeikert/pubs/lat
tice-survey.pdf
• On the concrete hardness of learning with
errors, by Albrecht, Player, Scott (2015)
https://eprint.iacr.org/2015/046
70
Appendix

71
Module learning with errors problem
random secret small noise

p11 p12 p13 p14

p21 p22 p23 p24
× + =
p31 p32 p33 p34
p41 p42 p43 p44
p51 p52 p53 p54

every matrix entry is a polynomial in Zq [x]/(xn + 1)

<latexit sha1_base64="YTkiMAzOXx7l5pyunVed5kJncfU=">AAAEXHicjVNdb9MwFPW2boyNwQYSL7xYtEgDutIM8TUJMcELj0OibKIplePeplYd29jO1pDl5/BreIUHnvgr3KSdWLsXLCU5Pr7n+vg6NzJSON9u/15aXqmtrl1bv76xeWPr5q3tndufnE4thw7XUtuTiDmQQkHHCy/hxFhgSSThOBq/K9ePT8E6odVHnxnoJSxWYig480j1t98ArmY0Yd6KCQXlcSIcZdRomSmdCCapULQRYsQoivLPRf9rd9J7sjv5oh4HDxv97Xq71a4GvQqCGaiT2Tjq76yshQPN0wT34pI51w3axvdyZr3gEoqNMHVgGB+zGLoIFUvA9fLqpAV9gMyADrXFR3lasZcVOUtcueKaCErL5ddlSYTScurm0/vhy14ulEk9KD7NPkwl9ZqWtaIDYYF7mSFg3Ao0SPmIWcY9VnRu29gyMxJ8Mmc/j7Qeexa5eTZJpRdWnxUbc7QX42/TwBJJEVlmMywLRrpmhEGx1akauCZnkjeNdqK8QaHi5gC4ttV9usu4ZfDAFoxkvIxyI2ZgwYqJh0ZqX7IXELfHYieofR20npceFZwhkTA1yMMYvLNFnocHoYShr9yFI4f54FG+99T4IrRMOIj0JG89w2neCB2WzvjZ22cSwkajCA+KYj6117PE/5lgYVcRj2Z2rmTGShbdoJdXlkPJVCyBhk1aD8r3VHq+oBmD/6c5X4xGj2WSBU2SneLvgseohBHEQuXRtLOKSg4YdUEU2DnBYp9cBZ391qtW8GG/fvh21kLr5B65T3ZJQF6QQ/KeHJEO4eQ7+UF+kl8rf2qrtc3a1jR0eWmmuUPmRu3uX0JdfeI=</latexit>

Search Module-LWE problem: given blue, find red

[Langlois & Stehlé, https://eprint.iacr.org/2012/090, DCC 2015] 72
 Ring-LWE versus Module-LWE
Ring-LWE Module-LWE
4 1 11 10
3 4 1 11
2 3 4 1
12 2 3 4
9 12 2 3
10 9 12 2
11 10 9 12

Figure from https://eprint.iacr.org/2012/090.pdf 73

 Learning with Rounding
Learning with Errors Learning with Rounding
• Noise comes from adding an • Noise comes from rounding to a
explicit (Gaussian) error term smaller interval

ha, si + e
<latexit sha1_base64="xIH0VPEHH+N4oiXKEChDUznXuPs=">AAAESHicjVPNbhMxEHabUkr5S+HIZUWChGiIskX8VUKq4MKxSIRW6kaV15ndWPHalj3bJrj7EDwNVzjzBDwGJ8QN72ZbuukFS+v9/Hm+8Xg8E2vBLQ4GP1dWW2vX1q9v3Ni8eev2nbvtrXufrMoNgyFTQpnDmFoQXMIQOQo41AZoFgs4iKfvyv2DEzCWK/kR5xpGGU0lTzij6Knj9nY3ElSmAoIIYYZx4mjRu8C2iMxidzuA7nG7M+gPqhFcBWENOqQe+8dbrfVorFiegUQmqLVH4UDjyFGDnAkoNqPcgqZsSlM48lDSDOzIVbcqgkeeGQeJMv6TGFTsZYWjmS13bM+DjOKk/Nt5FntpubRN95i8GjkudY4g2cJ7kosAVVDmJRhzAwzF3APKDPcBBmxCDWXos9c4NjVUTzibNcJ3sVJTpLFtslkukBt1Wmw2aOTTzwvDEgkeG2rmPi3e0vZib5Qalcux7TEqWE8ry8vX4jLtjYEpU72dvYz72l/YgBaUlVZ2QjUshaLTRAuFJXsO/fE+2ZnXvgn7L8oYJZx6IqNy7KIU0JrCuWg3EpBgFV00sd4fPHFPn2ksi4NbiNXM9Z/7petG1qdOYz3jXEDU7RbRblE0XaOqHf+ng6VTeTqpw7ni2WeyOApHrgr5orR7QScs54X0bEkzBfynOVu2rjtgSZPNT3y5+GtUwhhSLl3sq87wWVHJwVudE4XvnHC5T66C4U7/dT/8sNPZe1u30AZ5QB6SxyQkL8keeU/2yZAw8oV8Jd/I99aP1q/W79afhenqSq25TxpjbfUvOT55Jw==</latexit>
bha, sicp
<latexit sha1_base64="zr47yLw25KSUIVNCNoXMELyM+Zo=">AAAEVnicjVNdb9MwFPXW7oPxsQ4eeYlokRAKVTPExyYhTfDC45Aom7RUlePepFad2LJvthYvv4Vfwys879eAk2Zj6V7wg3N8fM719c11pAQ3OBhcra232hubW9v3du4/ePhot7P3+JuRuWYwZFJIfRpRA4JnMESOAk6VBppGAk6i2ady/+QctOEy+4oLBaOUJhmPOaPoqHHnoBeKWEipvVDQLBHghQhzjGJLC/8GmyLU9a6u1GPVG3e6g/6gGt5dENSgS+pxPN5rbYYTyfIUMmSCGnMWDBSOLNXImYBiJ8wNKMpmNIEzBzOaghnZ6o6F99wxEy92icYyQ69ibzssTU25Y3wHUorT8msWaeSs5dI0w2P8fmR5pnKEjC2jx7nwUHpllbwJ18BQLBygTHOXoMemVFOGrpaNYxNN1ZSzeSN9G0k5QxqZJpvmArmWF8VOg0Y++74UlkjwSFO9cGVxSuNHTpRomWcT4zMqmK+k4eW/41niT4BJXf1Jcxv3lbuwBiUoK1VmShWspKKSWAmJJXsN3fGu2Knzfgj6b8scM7hwREqziQ0TQKMLa8PDUECMVXbh1Lh48NK+eq2wbBFuIJJz23/jlrYXGlc6hfWMCwFhr1eEh0XRDI2yDvyfAVZO5cm0TudOZFfJ4iwY2Srlmwb3vW5Qzkvr5YpnBvjPc7mqrt/BiiddnLt2cdeojBEkPLOR6zrN50VlB6e6Jgr3coLVd3IXDPf7B/3gy3736GP9hLbJU/KMvCABeUeOyGdyTIaEkR/kJ/lFfreuWn/aG+2tpXR9rfY8IY3R7vwF13l9zg==</latexit>

• Shown to be as hard as LWE when

modulus/error ratio satisfies certain
bounds

https://eprint.iacr.org/2013/098, https://eprint.iacr.org/2015/769.pdf 74
 NTRU problem
For an invertible s 2 Rq⇤ and a distribution on R, define the NTRU distri-
<latexit sha1_base64="FeeMshmowo5yoehahXJagnMDOLQ=">AAAEhXicbZPfT9RAEMfLcQpWUdBHXyZSAxo879Cg8UWiRn0iSDgguZ7Hdju9bmh3y+4WuFz6f+r/Yoyz90M4YNOHyfza73xmGxWZMLbZ/D1Xm6/fubuweM+//2Dp4aPllccHRpWaY5urTOmjiBnMhMS2FTbDo0Ijy6MMD6OTzy5+eIbaCCX37aDAbs76UiSCM0uu3krtNJRKyBil9b8qDUyCkFRgBXWAwEAoJOz1Tn++DCgWA4OYRGkRla4egpCnIgBn7QUbEGNCOsCmCKHFCxslw539vfZMTQXBTm9oNlxlFYBVEI0rZhrblFlQpS1KayDA1/+FBHCeoiZpdEWGiWVaq3MYyWjAku+HkeibE1H4l3NNpXxx6sSofWeiC7lwaKDQiubNq26j8r+JM3QUYixw1AAMy4sMSQfries6kGANJhkgzOUUSLA4VzoWsu+mREFD6g9ACrEv5BBlmaNmFis/FBbzWSwJ7cKoHEETdZVnA+CpMqQruEJiPREXdI3LZVk2lfliA5Se9HRcS9q30vks39HGqMeGH9KQV8W4NJJcCpPSiIKnbirXh9Mza9wKeD+lFPoYHB9PYVPQDOC0VFZQSrW2NmXc6C2vNhvN0YGbRmtirHqTs9tb/hPGipNAaXnGjOm0moXtDhk9Up45fKXBgvET1scOmZLlaLrD0b9RwXPyjBElilY58l6tGLLcmEEeUWbObGqux5zztlintMn77lBIeqEo+fiipMzcqt2PRrg1ckuLiwXjmp4dpxUyzbil33Hmloux1BmfW4jbYOUTrtZ1ODeNg81Ga6vx5sfm6vanCbhF76n3zFv3Wt47b9v77u16bY/XftX+zi/ML9YX6q/qb+tb49Ta3KTmiTdz6h//AduSeq8=</latexit>

bution Ns, to be the distribution that outputs e/s 2 Rq where e .

Definition [NTRU decision problem]. Given independent samples ai 2 Rq

where every sample is distributed according to either:

1. Ns, for some randomly chosen s 2 Rq (fixed for all samples), or

2. the uniform distribution on Rq ,
distinguish which is the case.

This is a “noisy quotient” problem.

[Hoffstein, Pipher, Silverman ANTS 1998] 75
 NTRU
Learning with Errors NTRU
• Noisy product • Noisy quotient <latexit sha1_base64="D4DXA1EmiyWi2CAVe3NG0wP45NY=">AAACFHicbVDLTgIxFO3gC/GFunTTSExc4Ywh6pLoxiVGeSQwIZ1yBxrazqTtGMmET3CLP+POuHXvv7iwwCwEPEmTk3PuzT09QcyZNq777eTW1jc2t/LbhZ3dvf2D4uFRQ0eJolCnEY9UKyAaOJNQN8xwaMUKiAg4NIPh3dRvPoPSLJJPZhSDL0hfspBRYqz0CBe6Wyy5ZXcGvEq8jJRQhlq3+NPpRTQRIA3lROu258bGT4kyjHIYFzqJhpjQIelD21JJBGg/nUUd4zOr9HAYKfukwTP170ZKhNYjEdhJQcxAL3tT8T+vnZjwxk+ZjBMDks4PhQnHJsLTf+MeU0ANH1lCqGI2K6YDogg1tp2FKy/zqAsayEQwA2JcsHV5y+WsksZl2bsqVx4qpeptVlwenaBTdI48dI2q6B7VUB1R1EevaILenInz7nw4n/PRnJPtHKMFOF+/mLGfjQ==</latexit>

e/s
ha, si + e
<latexit sha1_base64="xIH0VPEHH+N4oiXKEChDUznXuPs=">AAAESHicjVPNbhMxEHabUkr5S+HIZUWChGiIskX8VUKq4MKxSIRW6kaV15ndWPHalj3bJrj7EDwNVzjzBDwGJ8QN72ZbuukFS+v9/Hm+8Xg8E2vBLQ4GP1dWW2vX1q9v3Ni8eev2nbvtrXufrMoNgyFTQpnDmFoQXMIQOQo41AZoFgs4iKfvyv2DEzCWK/kR5xpGGU0lTzij6Knj9nY3ElSmAoIIYYZx4mjRu8C2iMxidzuA7nG7M+gPqhFcBWENOqQe+8dbrfVorFiegUQmqLVH4UDjyFGDnAkoNqPcgqZsSlM48lDSDOzIVbcqgkeeGQeJMv6TGFTsZYWjmS13bM+DjOKk/Nt5FntpubRN95i8GjkudY4g2cJ7kosAVVDmJRhzAwzF3APKDPcBBmxCDWXos9c4NjVUTzibNcJ3sVJTpLFtslkukBt1Wmw2aOTTzwvDEgkeG2rmPi3e0vZib5Qalcux7TEqWE8ry8vX4jLtjYEpU72dvYz72l/YgBaUlVZ2QjUshaLTRAuFJXsO/fE+2ZnXvgn7L8oYJZx6IqNy7KIU0JrCuWg3EpBgFV00sd4fPHFPn2ksi4NbiNXM9Z/7petG1qdOYz3jXEDU7RbRblE0XaOqHf+ng6VTeTqpw7ni2WeyOApHrgr5orR7QScs54X0bEkzBfynOVu2rjtgSZPNT3y5+GtUwhhSLl3sq87wWVHJwVudE4XvnHC5T66C4U7/dT/8sNPZe1u30AZ5QB6SxyQkL8keeU/2yZAw8oV8Jd/I99aP1q/W79afhenqSq25TxpjbfUvOT55Jw==</latexit>

• Actually predates LWE

[Hoffstein, Pipher, Silverman ANTS 1998] 76

 Hermite normal form

Definition. An m ⇥ n matrix A is in Hermite normal form if (informally)

<latexit sha1_base64="J9Y1qJW6XWMQYnfNZtr0R8mLabM=">AAADaXicbVJbaxNREN5tvLTrpa2+iL4MZoUKEpIK6ovQqJQ8SYWmLTShnJydTQ45l/WcWZsQ8s/8I776Wn+CD86mKTStB5Ydvplv5pvLoNAqULP5K16r3bl77/76RvLg4aPHm1vbT46CK73ErnTa+ZOBCKiVxS4p0nhSeBRmoPF4MP5c+Y9/oA/K2UOaFtg3YmhVrqQghs62427POmUztJT0CCc0yGdfMFdWVf7GHNoWUgM9UgYD2BSMIK8mkLZTUAGUhStWB71RhGCdN0JDzr85qBx2lM0XkJ6+BkUVS7tz9MB5hB2WWngQNmMXO4QfYiBgNX5aJUchR+DdecVyFmiEkCkxdFboRpL0DGZhrIrkdg/7QhKrP2RC5+s+pJ0UXM51OCnhkKuv9lFa9b3ENwshXMRjBXJ0aq+1zkHGZQvBV+xuCqFkiTQSxEXgI7S7aWMjOduqNxvNxYPbRmtp1KPlOzjb+tvLnCwN9yC1COG01SyoPxOelNQ4T3plwELIsRjiKZtWsKb+bLH/ObxiJKsmzp8lWKDXGTNhQpiaAUey8FG46avA//lOS8o/9GfKFiWhlZeF8lIDOaiOiXfhUZKeVkuRnk9GghwJz7Pnk1upMrmUuoKhLauLMfNqXK2bw7ltHO02Wu8ab7/t1vc+LQe3Hr2IXkY7USt6H+1Fnegg6kYy/hn/ji/iP2sXte3as9rzy9C1eMl5Gq28Wv0fjvoThg==</latexit>

it is lower triangular and its largest entry in each row is on the diagonal.
Fact. The HNF H of an integer matrix A is unique, and there is an n ⇥ n
unimodular matrix U such that H = AU .

77
 Closest vector problem

Given some
basis for the
lattice and a
target point in
the space,
find the closest
lattice point.

Diagram from http://www.cs.bris.ac.uk/pgrad/csjhvdp/files/bkz.pdf 78

 Closest vector problems

• Closest vector problem (CVP): Given a basis B for L and a vector

<latexit sha1_base64="yxeVMmjlKSA1RnEcH7YvTCfQ5TQ=">AAAEi3iclVNLT9tAEDZJ2tK0UGiPvYyKKwWpDTFIbYU4oEAfhx5A4iXhNFqvx/GK9dr1rhOo8Q/tpb+kh46d8EiAQ/c0mvlm5ptvZr1ECm06nd9ztXrj0eMn80+bz54vLL5YWn55pOMs5XjIYxmnJx7TKIXCQyOMxJMkRRZ5Eo+9s50yfjzEVItYHZiLBHsRGygRCM4MufrLtZHr4UCoXBiMxC8smm5pgWvw3HhBviNjjdrAELmJU0jSmCpH0LLdiJlQE+Bor7BXNwv4KoaogAGxERrsrg0BJYxxnMn8e2EDUz4hJrXsEbhCQQXwvHy/+BHZ7yAQUxiXjHxY3CCvSumMh2BCZghzCRVsVMB7uE64tIF4REKJiMn2zFjdOFM++uCTwkxxBB957As1uGfC7u5u0XeZTEJWDfpFnIPdgS0Y+8hw1lz9MzX5emG34QEhGEhmjKBW/ynJrUlNiCmWU90US2KhzLVMNoyECR9UBFyJV6xdSUfis77TukVn9WoB1wVpnmazdRBS06ovrRuEmohWkSI36gS5YFJeAC/vBUw8S7G92nRR+Tdn1l9a6bQ71YO7hjMxVqzJ2+sv/XX9mGcRKsMl0/rU6SSml7OUmsjybjONCeNnbICnZCoWoe7l1Q8p4C15/GoPQUx6Vd7bGTmLtL6IPEJWW5+Nlc77YqeZCT71cqGSzKDi40ZBJksFyu9GB5bSakkYXzCeCuIKPGQp44Y+5VSX8zHVKR+qLCoVq+RyZsW5axytt50P7Y399ZXt7kS4eeu19cZqWY710dq2vll71qHFa3/qjfpCfbGx0NhobDa2xtDa3CTnlTX1Gp//AcLudn4=</latexit>

w 2 Qm , find a vector ~v 2 L such that kw~ ~v k is minimal.

p
• Bounded distance decoding problem (BDD↵ ): Fix 0 < ↵ < 1/ 2.
Given a basis B for a lattice L and a vector w 2 Qm such that there is a
lattice point ~v with kw
~ ~v k  ↵ 1 (L), find ~v .
(This is a CVP instance that is especially close to a lattice point.)

79
Strategies for solving LWE
SIS strategy BDD strategy Direct strategy

•See Albrecht, Player, Scott for a good survey

Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 80
 Short integer solution strategy [APS S4.1]

Solve decision LWE by finding a short vector ~v such that h~v , ~ai = 0.
<latexit sha1_base64="bAVgi3QOlqlYxapkiUDS+STEoTI=">AAAD2XicbVLJbhNBEJ3YLInZEjhyKZEgBclYdiIWISGFICRQfAgExxEeK6rpqfG00ouZ7nEwlg/cEFe+iY/gXzhQM3YgJvTp6b2u7VVFQyWdbzZ/LlWqly5fubq8Urt2/cbNW6trtw+dzTNBHWGVzY4idKSkoY6XXtHRMCPUkaJudPKy0Lsjypy05r0fD6mvcWBkIgV6po7Xln6ExkoTk/G1A6tGBDEJWXyHdvcVRGNIWJVmAAgutZmHEQlvM9gIGUxG0w1wuUjBp+iZU2gGimCu1WcApxBmM+E5NDcatdpKGNFAmon0pOVnmjJRQNhVua7DHiqUdeiic5RpNIBqYDPpUw29F/sHEB48amz1n4GwOpIGuRuJCjT51MZnmdrovRQEGcW5KEb9G7rNoR1HoC588bacdmFQB5KFlMAJVBRDnHOts9DNdrtdh929Dw+4Lpn43EBvEjglOEXji7SutNYRZuwVG1uHnDso05bcwz+u08dcjriS4fRc+WzGQjplC8pMxTrOr6lRO15dbzaa5YOLoDUH68H87R+v/gpjK3LNexeKje61mkPfn2DGcynuP+T+hihOcEA9hgY1uf6kvLcp3GcmhoSvILE8X8mej5igdm6sI/6p0afuX60g/6f1cp887U+kGeaeDZgVSnJVOFgcL8Qy46WoMQMUfBFSgEgxQ+H5xBeqfJq1usCRyXWxoGlhV+tfcy6Cw61G63Fj++3W+s7u3Ljl4G5wL9gMWsGTYCd4HewHnUBU6pV3lV4lrPaqX6pfq99mXytL85g7wcKrfv8NYTs7rA==</latexit>

• Blum, Kalai, Wasserman algorithm [APS §5.2]: combinatorial method

• Lattice reduction [APS §5.3]: Use lattice reduction to find short vectors
in the scaled dual lattice (LLL, BKZ)

If we want to solve search LWE, use the search-decision equivalence in combi-

nation with solving decision LWE.

Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 81
 Bounded distance decoding strategy [APS S4.2]

Solve search LWE by finding a short e such that h~a, ~xi = b e for some unknown
<latexit sha1_base64="GZdEKGR9xIoqjJrCbMsPUCzF82Y=">AAAD7HicbVJNbxNBDN0mfLThq4UjF4sWwaGNkkIBISFKKRISPQRCW6RuVM1OnN1RZj3LzGzbEOVfcENc+U3wXzjgSdJCWubksZ/t52cnhVbONxq/5irVS5evXJ1fqF27fuPmrcWl23vOlFbirjTa2E+JcKgV4a5XXuOnwqLIE437Sf91iO8foXXK0Ec/KLCTi5RUT0nh2XW4NPczJqOoi+RrbaOPEBwKKzPY2X8DyQB6HFOUggCXGethBVfAlRz3meBfrAWlGiE+QjkUo9WJcTKC2E4CLyCBNeCknrHgTI5QUp/MMXHuBLpSr9UW4gRTRUPlMVdfcMSOYMKWSIR64ICYEzoPBbdDEDo1VvksP4XtMElCu7bWQtVHZjmDd6uwtb0dhkEqc7TjyeHgVasNcXuj/rhzWuYDdksZhg1wb5ip+lwitPdaf9EbnedQOoR3gkgQU8M8we5YItNjUXAsnBbeK4mgiMsIyFSaoYWuypHCJoQ+QxzzHCAIRFFYU1glPG/A21L60uJqKEgsW9hLGXhgPa1z/9DutIINrMNIPAZS90zDw8XlRr0xfnDRaE6N5Wj6WoeLv+OukawQeamFcwfNRuE7Q2G5jeadxDx3IWRfpHjAJokcXWc4PsER3GdPd7zkniEPY++/GUOROzfIE0bmwmfufCw4/xc7KH3vWWeoqCg9kpw06pU67CfcM4tqUXo9YENIvgolQWbCCun56me6nEyozvjCRQTBRjWWq3lenIvG3nq9+aT+6P368ubWVLj56G50L3oYNaOn0Wb0NmpFu5GsvKxghSqmStWv1W/V7xNoZW6acyeaedUffwAUCUKv</latexit>

~x.

• Babai’s nearest plane algorithm

• Lindner–Peikert nearest planes, BDD by enumeration [APS §5.4]
• Reducing BDD to unique SVP [APS §5.5]: use Kannan’s embedding of
the LWE lattice into a higher dimensional lattice with an appropriate
structure, then solve uSVP e.g. using lattice reduction

Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 82
 Direct strategy [APS S4.3]

Solve search LWE by finding an ~s0 such that h~a, ~s0 i is close to b.
<latexit sha1_base64="J12eyrr/8a+MHyRj5IC8o6ADlak=">AAADjHicbZJPb9NAEMWdhEIboH/gyGVEg+BAo6SFgkBILajAgUNQSFspjqrxZpysut61dtehIcoH5cQX4cDYSUnTdk9P82b9Zn7eKFXS+Ubjd6lcubNy997qWvX+g4frG5tbj46dyaygjjDK2NMIHSmpqeOlV3SaWsIkUnQSnX/K/ZMRWSeN/uHHKfUSHGgZS4GeS2dbpYtQG6n7pH21bdSIwBFaMYRvJ0cQjSFmT+oBoIZaOCIxcdPnNXAZd/ghei4q1ANFUJg4fQmXXRDawqmBdCCUcQTeQC2q1atrYUQDqSfSUyJ/0ZQLuYSjiyFmzsvFFN3DVhvC9ut6s/fuFjs2FghZCJOkRvMSYOL/g9YgJ9MHo3lWArKW2/vM1Mooy9evXwYfsoM7O19oEbjPga4AguDGLu/iTzMrZk3OsdI7OXS0kBo11iaRqBz8lH54ZQB0RbQ1xnMW6f5i57PN7Ua9URy4KZpzsR3MT+ts82/YNyJLeEuh0Llus5H63gStl0LxB8PMUYriHAfUZakxIdebFE9kCs+ynETOKzZMqahevTHBxLlxEnFngn7ornt58Tavm/n4bW8idZp50mIWFGcq/9f5e2PeloRXYxYorORZQQzRovD8KpdSLmajLtVIZ0lOrMDVvA7npjjerTf363vfd7cPPs7BrQZPgqfBi6AZvAkOgq9BK+gEovSnvFJeL29U1iuvKu8rH2at5dL8zuNg6VQ+/wO8Sh8x</latexit>

• Exhaustive search [APS §5.1]: Exhaustive search for each component of ~s

based on the error distribution.
• Arora–Ge [APS §5.6]: solve a system of noiseless non-linear polynomials
with ~s as the root

Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 83
Picking concrete parameters
• Competing requirements:
• Want small dimension (to reduce communication)
• Want large dimension (to make problem harder)
• Want small noise (to reduce probability of error)
• Want large noise (to make problem harder)
• Want small modulus (to make problem harder and save
communication)
• Want large modulus (to reduce probability of error)
• Picking concrete parameters is tricky
• Lots to consider and state of art is advancing
• Costing quantum attacks is subtle
• See NTRU and Kyber NIST submissions for worked examples
https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions 84