Professional Documents
Culture Documents
A Brief Introduction To Lattice-Based Cryptography
A Brief Introduction To Lattice-Based Cryptography
A Brief Introduction To Lattice-Based Cryptography
lattice-based cryptography
Douglas Stebila
PMAMC&OC • 2023-03-09
Outline
1. Background: Why post-quantum?
2. Learning with errors problems
3. Public key encryption from LWE
4. Difficulty of LWE and lattice problems
5. Standardization of post-quantum
cryptography
2
1. Background
Why post-quantum?
3
4
5
6
Public-key Symmetric
cryptography cryptography
Elliptic curve
AES AES GCM
RSA signatures Diffie–Hellman
encryption integrity
key exchange
7
RSA digital signatures
Key generation Signing Verification
• Pick large random To sign message 𝑚 using Get a trusted copy of the
primes 𝑝, 𝑞 ≈ 2!"#$ secret key 𝑛, 𝑑: signer’s public key 𝑛, 𝑒
• Compute • Signature:
𝑛 = 𝑝𝑞, 𝜎 = 𝐻(𝑚)( mod 𝑛 To verify message m
𝜙 𝑛 = 𝑝−1 𝑞−1 against signature 𝜎 and
• Pick 𝑒 ∈ ℤ∗% public key 𝑛, 𝑒
• Compute • Check if
𝑑 = 𝑒 '! mod 𝜙 𝑛 𝜎 ) = 𝐻 𝑚 mod 𝑛
• Public key: 𝑛, 𝑒 Hard to forge signatures
• Secret key: 𝑛, 𝑑 if factoring is hard*
8
Diffie–Hellman key exchange
Public parameters: g is a generator of an abelian group of prime order q
Alice Bob
x ∈R ℤq y ∈R ℤq
X⟵g x send X ⟶ Y⟵g y
⟵ send Y
k⟵ Y x = g xy
Hard to compute shared k⟵ X y = g xy
secret if discrete
logarithms are hard*
9
Theorem (Shor, 1984):
There exists a polynomial-
time quantum algorithm that
can factor and compute
discrete logarithms.
10
Ba
se
com d on
put diffic
Public-key no in u Symmetric
t q logari g disc lty of
uan thm ret
cryptography tum s – e cryptography
res
ista
Based on nt!
difficulty of
Elliptic curve
factoring large AES AES GCM
numbers – RSA signatures Diffie–Hellman
encryption integrity
not quantum key exchange
resistant!
11
Post-quantum cryptography
a.k.a. quantum-resistant algorithms
13
Solving systems of linear equations
secret
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13
4 1 11 10 4
5 5 9 5 8
× =
3 9 0 10 1
1 3 3 2 10
12 7 3 4 4
6 5 11 4 12
3 3 5 0 9
4 1 11 10 6 4
5 5 9 5 9 8
× =
3 9 0 10 11 1
1 3 3 2 11 g 10
u s in
s olv ed n
12 7 3 4 Ea s ily in a t io 4
a n e lim
i
6 5 11 4 Gauss TH 136) 12
(MA
3 3 5 0 9
4 1 11 10 6 0 4
5 5 9 5 9 -1 7
× + =
3 9 0 10 11 1 2
1 3 3 2 11 1 11
12 7 3 4 1 5
6 5 11 4 0 12
3 3 5 0 -1 8
16
Learning with errors problem
[Regev 2005]
random secret small noise
Z7⇥4
13 Z4⇥1
13 Z7⇥1
13 Z7⇥1
13
4 1 11 10 4
5 5 9 5 7
× + =
3 9 0 10 2
1 3 3 2 11
12 7 3 4 5
6 5 11 4 12
3 3 5 0 8
4 1 11 10 4
5 5 9 5 7
× + =
3 9 0 10 2
1 3 3 2 11
12 7 3 4 5
6 5 11 4 12
3 3 5 0 8
8
4 1 11 10
5 5 9 5
2738 3842 3345 2979 …
3 9 0 10
2896 595 3607
1 3 3 2
640 377 1575
12 7 3 4
2760
6 5 11 4
…
3 3 5 0
640 × 8 × 15 bits = 9.4 KiB
23
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13
11 10 4 1
1 11 10 4
4 1 11 10
10 4 1 11
11 10 4 1
24
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13
25
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
random
Z7⇥4
13
26
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
Z13 [x]/hx4 + 1i
= 10 + 5x + 10x2 + 7x3
27
Ring learning with errors problem
[Lyubashevsky, Peikert, Regev 2010]
Z13 [x]/hx4 + 1i
× secret
+ small noise
= 10 + 5x + 10x2 + 7x3
4 1 11 10 4 1
5 5 9 5 7 2
× = b·cp : Zq ! Zp :
3 9 0 10 2 Divide Zq into 0
1 3 3 2 11 p equal intervals 3
and map x to the
12 7 3 4 5 1
<latexit sha1_base64="HraJN0mZnCuaEia75KToZCIuiQ0=">AAAExXicjVNdb9MwFE23MkaBscEjLxYNEkKlasb3pKEJeNjjkCibmKvKcZzUqmN7ttO1ZBF/h7/Ev+E67aDtXvBDcn18zsm9N9exFty6Xu93Y2OzeWvr9vad1t1793ce7O49/GZVYSjrUyWUOYuJZYJL1nfcCXamDSN5LNhpPP7kz08nzFiu5Fc302yQk0zylFPiABru/sJScZkw6VCIRSqUMgjTRDmETb0banSAcE7cKI7L79XwAmGnlgEdwjlufeYTnjAwWaKGiEtPxq1Qh4hdFER4hJkJEdbDRCYoJxqF0xAB0Y2YR30+U6RSxJ39yx/utnvdXr3QzSBaBO1gsU6Ge5tbOFG0yKE2Koi151FPu0FJjONUsKqFC8s0oWOSsXMIJcmZHZR1Syv0FJAEpdCNVEFvanRZUZLc+hPbgcCX7N92lscg9Vu7au/Sd4OSS104JuncPS1EXTP8FJRww6gTMwgINRwSRHREDKFQ+4pTmRmiR5xOV9IvY6XGjsR2Fc0L4bhRl1VrBXZ8/GNO9JHgsSFmBm0Bpu3EQMqMKmRiO5QI2tHKcj8qXGadhFFl6sGxy3FXQ8GGaUGoZ9kR0WwtFZ2lWijn0esQPg/NzkF7GHXf+BwluwQgh6EoccacNVVZ4gMsWOrq7PDIgh97Xr54qV2FDeGWxWpadl/DtgyxhdZpt3i6mWA4DCt8UFWr1k4tjP/TYO2rPBst0rnhDJ2szqNBWaeMBZGZgIHuoHbkn3Pp1ZpmzNw/zdU6G3L0JmuafDaBcYEyamHMMi7LGKbO8GlVyxmwroEKbk60fk9uBv397vtu9GW/ffRxcYW2g8fBk+BZEAVvg6PgODgJ+gFt7DReNQ4bH5rHTdl0zcmcutFYaB4FK6v58w9CPqE5</latexit>
index of its interval
6 5 11 4 12 4
3 3 5 0 8 2
30
3. Public key encryption
from learning with errors
31
Public Key Encryption: Overview
•Alice creates a private key / public key pair
•Anyone can encrypt messages for Alice based on
her public key, but only Alice can decrypt those
messages
32
Public Key Encryption: Algorithms
KeyGen() Generates a
private key sk and
→ (sk, pk) a public key pk.
Encrypt a message
Encrypt(pk, m) m using public key
→c pk to obtain
ciphertext c.
Decrypt a
Decrypt(sk, c) ciphertext c using
→m private key sk to
obtain message m.
33
Public key encryption from LWE
Key generation
Secret key
A s + e = b
Public key
Ciphertext
Receiver's public key
q
s' b + e'' = v' v' + m = c
2
q round
b' s = v c – v ≈ m m
2
Secret key
≈ s' A s ≈ s' A s
=> Can decrypt as long as noise terms are small with high probability
37
Security of public key encryption
Theorem:
If the decision learning with errors problem is hard,
then this public key encryption scheme is
semantically secure against chosen plaintext
attacks.
39
Hardness of decision LWE – "lattice-based"
average-case
decision LWE
40
Lattices
Let B = {b1 , bn } ✓ Zn⇥n
q be a set of linearly independent basis vectors for Z n
q.
Define the corresponding lattice
( n )
X
L = L(B) = zi b i : zi 2 Z .
i=1
41
Lattices
Discrete additive
subgroup of Zn
Equivalently,
integer linear
combinations
of a basis
Two n ⇥ n matrices B and B 0 generate the same lattice L if and only if B and
<latexit sha1_base64="WIQP5rMtQrdoT856R/8A06IofF8=">AAADDnicbVE9jxMxEPUuX0f4ClDSjMgiKNAqe0hAg3QKDQXFIV3uTkqiaOKdJNbZ3pXtJYmi1LTHn6FDtPwFfgsUzCYpyIWRLD/NzPM8vxmVWvnQbv+K4mvXb9y8dXC7cefuvfsPmg8fnfqicpK6stCFOx+hJ60sdYMKms5LR2hGms5GF+/r+tlncl4V9iQsShoYnFg1VhIDp4bN331bKJuTDY2TWQGJhX5QhjzYBAwGpyTjpJMA2pzv5wlMyJLDQBCmBB4NgcYQuA+SPjOmEvXy4yoBNV5zCqsXNd55Ax2BI+ZRDqMFIFRWmSKvNLrN1PlLUCmldTe8gw50E5hNiVkJI+WZsa90DjMVpqBsoAk54C85xeV6aE6BnFEWbWCVpYEsSaExbLbaaXsdsA+yLWiJbRwPm3/6eSErw09Ljd73snYZBkt0/H1Nq0a/8lSivMAJ9RhaNscPluslreAZZ3IYF44Py1hn/2Us0Xi/MCPurG30V2t18n+1XhXGbwdLZcsqkJWbQeNKQyig3jjkypEMvIVcoXSKtYKcokPJnuxOmW+k7uTIVkYFMqvaruyqOfvg9DDNXqevPh22jjpb4w7EE/FUvBCZeCOOxAdxLLpCRhh9iS6jr/Fl/C3+Hv/YtMbRlvNY7ET88y8wDPD8</latexit>
44
Shortest vector problem
Given some
basis for the
lattice, find
the shortest
non-zero
lattice point.
poly(n)
Theorem. [Reg05] For any modulus q 2p and any discretized Gaussian
error distribution of parameter ↵q 2 n where 0 < ↵ < 1, solving the
decision LWE problem for (n, q, U , ) with at most m = poly(n) samples is
at least as hard as quantumly solving GapSVP and SIVP on arbitrary n-
dimensional lattices for some = Õ(n/↵).
49
Solving the (approximate) shortest vector problem
The complexity of GapSVP depends heavily on how and n relate, and get
harder for smaller .
51
Standardizing post-quantum cryptography
“IAD will initiate a
transition to quantum
resistant algorithms in
the not too distant
future.”
– NSA Information
Assurance Directorate,
Aug. 2015
52
Primary goals for post-quantum crypto
53
Families of post-quantum cryptography
Hash- & symmetric-based Code-based Multivariate quadratic
• Can only be used to make • Long-studied cryptosystems with • Variety of systems with various
signatures, not public key moderately high confidence for levels of confidence and trade-offs
encryption some code families • Substantial break of Rainbow
• Very high confidence in hash- • Challenges in communication algorithm in Round 3
based signatures, but large sizes
signatures required for many
signature-systems
54
NIST Post-quantum Crypto Project timeline
Call for PQ Submission Round 2 Round 3 Round 3 Draft Final
proposals deadline deadline deadline selection standards standard
Dec. 2016 Nov. 2017 Mar. 2019 Oct. 2020 Jul. 2022 2022–2023 2024?
Round 1: Round 2: Round 3: Selection:
69 schemes 26 schemes Finalists: • 3 signatures Round 4
1/3 signatures 9 signatures • 3 signatures • 1 PKE deadline
2/3 PKE 17 PKE • 4 PKE
Alternates:
• 3 signatures
x1
x6 x6 • 5 PKE
Oct. 2022
Round 4: x1
x4 • 4 3 PKEs
Additional signatures
deadline
Jun. 2023
http://www.nist.gov/pqcrypto 55
NIST Round 3 selections and Round 4
Selections Round 4
Key encapsulation Key encapsulation
mechanisms mechanisms
• Lattice-based: Kyber • Code-based: BIKE,
Classic McEliece, HQC
• Isogeny-based: SIKE
Signatures
• Lattice-based: Dilithium, Signatures
Falcon
• Call for additional signature
• Hash-based: SPHINCS+ schemes
56
Paths to standardization and adoption
NIST round 3 NIST draft FIPS
NIST
selection standard standard
Internet Engineering
Task Force (IETF)
CFRG
CFRG
standard
58
Will we be ready in time?
Quantum threat
survey 50%
Selection Final likelihood
standard
quantum computer
Quantum threat
survey 50%
SHA-2 PQ Final likelihood
standardized standard
60
Trade-offs with post-quantum crypto
Confidence in quantum-resistance
Pick ~2
Fast computation Small communication
61
Trade-offs with post-quantum crypto
RSA and elliptic Lattice-based Hash-based
curves cryptography signatures
62
Addressing the challenges of using PQ crypto
Lack of
confidence in
security
Slow
Make better PQ crypto
computation
Large
communication
63
Addressing the challenges of using PQ crypto
Lack of
"Hybrid": Use multiple
confidence in algorithms
security
64
Hybrid approach: use traditional and
post-quantum simultaneously such that
successful attack needs to break both
post-
traditional hybrid
quantum
65
Wrapping up
66
Post-quantum crypto at University of Waterloo
Main research areas: Involved in several NIST candidates:
• Design of post-quantum cryptosystems • Winner:
• Cryptanalysis of post-quantum problems on • CRYSTALS-Kyber (module learning with
classical or quantum computers errors)
• Efficient implementations of post-quantum • Round 3 alternates:
cryptography
• FrodoKEM (learning with errors)
• Adapting network protocols to post-quantum • NTRU (also lattice based)
algorithms
• SIKE (isogenies on elliptic curves)
67
https://openquantumsafe.org/ • https://github.com/open-quantum-safe/
Open Quantum Safe Project
Led by University of
Waterloo
Apache curl, Open
nginx Chromium
Use in applications httpd links VPN Industry partners:
• Amazon Web
Services
Language • Cisco
Integration into forks OpenSSL Open SDKs
BoringSSL • evolutionQ
of widely used open- S/MIME, TLS 1.3, X.509 C#, C++, Go,
OpenSSL 3 provider SSH Java, Python, • IBM Research
source projects Rust • Microsoft Research
Slides at https://www.douglas.stebila.ca/research/presentations/ 70
Appendix
71
Module learning with errors problem
random secret small noise
ha, si + e
<latexit sha1_base64="xIH0VPEHH+N4oiXKEChDUznXuPs=">AAAESHicjVPNbhMxEHabUkr5S+HIZUWChGiIskX8VUKq4MKxSIRW6kaV15ndWPHalj3bJrj7EDwNVzjzBDwGJ8QN72ZbuukFS+v9/Hm+8Xg8E2vBLQ4GP1dWW2vX1q9v3Ni8eev2nbvtrXufrMoNgyFTQpnDmFoQXMIQOQo41AZoFgs4iKfvyv2DEzCWK/kR5xpGGU0lTzij6Knj9nY3ElSmAoIIYYZx4mjRu8C2iMxidzuA7nG7M+gPqhFcBWENOqQe+8dbrfVorFiegUQmqLVH4UDjyFGDnAkoNqPcgqZsSlM48lDSDOzIVbcqgkeeGQeJMv6TGFTsZYWjmS13bM+DjOKk/Nt5FntpubRN95i8GjkudY4g2cJ7kosAVVDmJRhzAwzF3APKDPcBBmxCDWXos9c4NjVUTzibNcJ3sVJTpLFtslkukBt1Wmw2aOTTzwvDEgkeG2rmPi3e0vZib5Qalcux7TEqWE8ry8vX4jLtjYEpU72dvYz72l/YgBaUlVZ2QjUshaLTRAuFJXsO/fE+2ZnXvgn7L8oYJZx6IqNy7KIU0JrCuWg3EpBgFV00sd4fPHFPn2ksi4NbiNXM9Z/7petG1qdOYz3jXEDU7RbRblE0XaOqHf+ng6VTeTqpw7ni2WeyOApHrgr5orR7QScs54X0bEkzBfynOVu2rjtgSZPNT3y5+GtUwhhSLl3sq87wWVHJwVudE4XvnHC5T66C4U7/dT/8sNPZe1u30AZ5QB6SxyQkL8keeU/2yZAw8oV8Jd/I99aP1q/W79afhenqSq25TxpjbfUvOT55Jw==</latexit>
bha, sicp
<latexit sha1_base64="zr47yLw25KSUIVNCNoXMELyM+Zo=">AAAEVnicjVNdb9MwFPXW7oPxsQ4eeYlokRAKVTPExyYhTfDC45Aom7RUlePepFad2LJvthYvv4Vfwys879eAk2Zj6V7wg3N8fM719c11pAQ3OBhcra232hubW9v3du4/ePhot7P3+JuRuWYwZFJIfRpRA4JnMESOAk6VBppGAk6i2ady/+QctOEy+4oLBaOUJhmPOaPoqHHnoBeKWEipvVDQLBHghQhzjGJLC/8GmyLU9a6u1GPVG3e6g/6gGt5dENSgS+pxPN5rbYYTyfIUMmSCGnMWDBSOLNXImYBiJ8wNKMpmNIEzBzOaghnZ6o6F99wxEy92icYyQ69ibzssTU25Y3wHUorT8msWaeSs5dI0w2P8fmR5pnKEjC2jx7nwUHpllbwJ18BQLBygTHOXoMemVFOGrpaNYxNN1ZSzeSN9G0k5QxqZJpvmArmWF8VOg0Y++74UlkjwSFO9cGVxSuNHTpRomWcT4zMqmK+k4eW/41niT4BJXf1Jcxv3lbuwBiUoK1VmShWspKKSWAmJJXsN3fGu2Knzfgj6b8scM7hwREqziQ0TQKMLa8PDUECMVXbh1Lh48NK+eq2wbBFuIJJz23/jlrYXGlc6hfWMCwFhr1eEh0XRDI2yDvyfAVZO5cm0TudOZFfJ4iwY2Srlmwb3vW5Qzkvr5YpnBvjPc7mqrt/BiiddnLt2cdeojBEkPLOR6zrN50VlB6e6Jgr3coLVd3IXDPf7B/3gy3736GP9hLbJU/KMvCABeUeOyGdyTIaEkR/kJ/lFfreuWn/aG+2tpXR9rfY8IY3R7vwF13l9zg==</latexit>
https://eprint.iacr.org/2013/098, https://eprint.iacr.org/2015/769.pdf 74
NTRU problem
For an invertible s 2 Rq⇤ and a distribution on R, define the NTRU distri-
<latexit sha1_base64="FeeMshmowo5yoehahXJagnMDOLQ=">AAAEhXicbZPfT9RAEMfLcQpWUdBHXyZSAxo879Cg8UWiRn0iSDgguZ7Hdju9bmh3y+4WuFz6f+r/Yoyz90M4YNOHyfza73xmGxWZMLbZ/D1Xm6/fubuweM+//2Dp4aPllccHRpWaY5urTOmjiBnMhMS2FTbDo0Ijy6MMD6OTzy5+eIbaCCX37aDAbs76UiSCM0uu3krtNJRKyBil9b8qDUyCkFRgBXWAwEAoJOz1Tn++DCgWA4OYRGkRla4egpCnIgBn7QUbEGNCOsCmCKHFCxslw539vfZMTQXBTm9oNlxlFYBVEI0rZhrblFlQpS1KayDA1/+FBHCeoiZpdEWGiWVaq3MYyWjAku+HkeibE1H4l3NNpXxx6sSofWeiC7lwaKDQiubNq26j8r+JM3QUYixw1AAMy4sMSQfries6kGANJhkgzOUUSLA4VzoWsu+mREFD6g9ACrEv5BBlmaNmFis/FBbzWSwJ7cKoHEETdZVnA+CpMqQruEJiPREXdI3LZVk2lfliA5Se9HRcS9q30vks39HGqMeGH9KQV8W4NJJcCpPSiIKnbirXh9Mza9wKeD+lFPoYHB9PYVPQDOC0VFZQSrW2NmXc6C2vNhvN0YGbRmtirHqTs9tb/hPGipNAaXnGjOm0moXtDhk9Up45fKXBgvET1scOmZLlaLrD0b9RwXPyjBElilY58l6tGLLcmEEeUWbObGqux5zztlintMn77lBIeqEo+fiipMzcqt2PRrg1ckuLiwXjmp4dpxUyzbil33Hmloux1BmfW4jbYOUTrtZ1ODeNg81Ga6vx5sfm6vanCbhF76n3zFv3Wt47b9v77u16bY/XftX+zi/ML9YX6q/qb+tb49Ta3KTmiTdz6h//AduSeq8=</latexit>
e/s
ha, si + e
<latexit sha1_base64="xIH0VPEHH+N4oiXKEChDUznXuPs=">AAAESHicjVPNbhMxEHabUkr5S+HIZUWChGiIskX8VUKq4MKxSIRW6kaV15ndWPHalj3bJrj7EDwNVzjzBDwGJ8QN72ZbuukFS+v9/Hm+8Xg8E2vBLQ4GP1dWW2vX1q9v3Ni8eev2nbvtrXufrMoNgyFTQpnDmFoQXMIQOQo41AZoFgs4iKfvyv2DEzCWK/kR5xpGGU0lTzij6Knj9nY3ElSmAoIIYYZx4mjRu8C2iMxidzuA7nG7M+gPqhFcBWENOqQe+8dbrfVorFiegUQmqLVH4UDjyFGDnAkoNqPcgqZsSlM48lDSDOzIVbcqgkeeGQeJMv6TGFTsZYWjmS13bM+DjOKk/Nt5FntpubRN95i8GjkudY4g2cJ7kosAVVDmJRhzAwzF3APKDPcBBmxCDWXos9c4NjVUTzibNcJ3sVJTpLFtslkukBt1Wmw2aOTTzwvDEgkeG2rmPi3e0vZib5Qalcux7TEqWE8ry8vX4jLtjYEpU72dvYz72l/YgBaUlVZ2QjUshaLTRAuFJXsO/fE+2ZnXvgn7L8oYJZx6IqNy7KIU0JrCuWg3EpBgFV00sd4fPHFPn2ksi4NbiNXM9Z/7petG1qdOYz3jXEDU7RbRblE0XaOqHf+ng6VTeTqpw7ni2WeyOApHrgr5orR7QScs54X0bEkzBfynOVu2rjtgSZPNT3y5+GtUwhhSLl3sq87wWVHJwVudE4XvnHC5T66C4U7/dT/8sNPZe1u30AZ5QB6SxyQkL8keeU/2yZAw8oV8Jd/I99aP1q/W79afhenqSq25TxpjbfUvOT55Jw==</latexit>
it is lower triangular and its largest entry in each row is on the diagonal.
Fact. The HNF H of an integer matrix A is unique, and there is an n ⇥ n
unimodular matrix U such that H = AU .
77
Closest vector problem
Given some
basis for the
lattice and a
target point in
the space,
find the closest
lattice point.
79
Strategies for solving LWE
SIS strategy BDD strategy Direct strategy
Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 80
Short integer solution strategy [APS S4.1]
Solve decision LWE by finding a short vector ~v such that h~v , ~ai = 0.
<latexit sha1_base64="bAVgi3QOlqlYxapkiUDS+STEoTI=">AAAD2XicbVLJbhNBEJ3YLInZEjhyKZEgBclYdiIWISGFICRQfAgExxEeK6rpqfG00ouZ7nEwlg/cEFe+iY/gXzhQM3YgJvTp6b2u7VVFQyWdbzZ/LlWqly5fubq8Urt2/cbNW6trtw+dzTNBHWGVzY4idKSkoY6XXtHRMCPUkaJudPKy0Lsjypy05r0fD6mvcWBkIgV6po7Xln6ExkoTk/G1A6tGBDEJWXyHdvcVRGNIWJVmAAgutZmHEQlvM9gIGUxG0w1wuUjBp+iZU2gGimCu1WcApxBmM+E5NDcatdpKGNFAmon0pOVnmjJRQNhVua7DHiqUdeiic5RpNIBqYDPpUw29F/sHEB48amz1n4GwOpIGuRuJCjT51MZnmdrovRQEGcW5KEb9G7rNoR1HoC588bacdmFQB5KFlMAJVBRDnHOts9DNdrtdh929Dw+4Lpn43EBvEjglOEXji7SutNYRZuwVG1uHnDso05bcwz+u08dcjriS4fRc+WzGQjplC8pMxTrOr6lRO15dbzaa5YOLoDUH68H87R+v/gpjK3LNexeKje61mkPfn2DGcynuP+T+hihOcEA9hgY1uf6kvLcp3GcmhoSvILE8X8mej5igdm6sI/6p0afuX60g/6f1cp887U+kGeaeDZgVSnJVOFgcL8Qy46WoMQMUfBFSgEgxQ+H5xBeqfJq1usCRyXWxoGlhV+tfcy6Cw61G63Fj++3W+s7u3Ljl4G5wL9gMWsGTYCd4HewHnUBU6pV3lV4lrPaqX6pfq99mXytL85g7wcKrfv8NYTs7rA==</latexit>
• Lattice reduction [APS §5.3]: Use lattice reduction to find short vectors
in the scaled dual lattice (LLL, BKZ)
Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 81
Bounded distance decoding strategy [APS S4.2]
Solve search LWE by finding a short e such that h~a, ~xi = b e for some unknown
<latexit sha1_base64="GZdEKGR9xIoqjJrCbMsPUCzF82Y=">AAAD7HicbVJNbxNBDN0mfLThq4UjF4sWwaGNkkIBISFKKRISPQRCW6RuVM1OnN1RZj3LzGzbEOVfcENc+U3wXzjgSdJCWubksZ/t52cnhVbONxq/5irVS5evXJ1fqF27fuPmrcWl23vOlFbirjTa2E+JcKgV4a5XXuOnwqLIE437Sf91iO8foXXK0Ec/KLCTi5RUT0nh2XW4NPczJqOoi+RrbaOPEBwKKzPY2X8DyQB6HFOUggCXGethBVfAlRz3meBfrAWlGiE+QjkUo9WJcTKC2E4CLyCBNeCknrHgTI5QUp/MMXHuBLpSr9UW4gRTRUPlMVdfcMSOYMKWSIR64ICYEzoPBbdDEDo1VvksP4XtMElCu7bWQtVHZjmDd6uwtb0dhkEqc7TjyeHgVasNcXuj/rhzWuYDdksZhg1wb5ip+lwitPdaf9EbnedQOoR3gkgQU8M8we5YItNjUXAsnBbeK4mgiMsIyFSaoYWuypHCJoQ+QxzzHCAIRFFYU1glPG/A21L60uJqKEgsW9hLGXhgPa1z/9DutIINrMNIPAZS90zDw8XlRr0xfnDRaE6N5Wj6WoeLv+OukawQeamFcwfNRuE7Q2G5jeadxDx3IWRfpHjAJokcXWc4PsER3GdPd7zkniEPY++/GUOROzfIE0bmwmfufCw4/xc7KH3vWWeoqCg9kpw06pU67CfcM4tqUXo9YENIvgolQWbCCun56me6nEyozvjCRQTBRjWWq3lenIvG3nq9+aT+6P368ubWVLj56G50L3oYNaOn0Wb0NmpFu5GsvKxghSqmStWv1W/V7xNoZW6acyeaedUffwAUCUKv</latexit>
~x.
Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 82
Direct strategy [APS S4.3]
Solve search LWE by finding an ~s0 such that h~a, ~s0 i is close to b.
<latexit sha1_base64="J12eyrr/8a+MHyRj5IC8o6ADlak=">AAADjHicbZJPb9NAEMWdhEIboH/gyGVEg+BAo6SFgkBILajAgUNQSFspjqrxZpysut61dtehIcoH5cQX4cDYSUnTdk9P82b9Zn7eKFXS+Ubjd6lcubNy997qWvX+g4frG5tbj46dyaygjjDK2NMIHSmpqeOlV3SaWsIkUnQSnX/K/ZMRWSeN/uHHKfUSHGgZS4GeS2dbpYtQG6n7pH21bdSIwBFaMYRvJ0cQjSFmT+oBoIZaOCIxcdPnNXAZd/ghei4q1ANFUJg4fQmXXRDawqmBdCCUcQTeQC2q1atrYUQDqSfSUyJ/0ZQLuYSjiyFmzsvFFN3DVhvC9ut6s/fuFjs2FghZCJOkRvMSYOL/g9YgJ9MHo3lWArKW2/vM1Mooy9evXwYfsoM7O19oEbjPga4AguDGLu/iTzMrZk3OsdI7OXS0kBo11iaRqBz8lH54ZQB0RbQ1xnMW6f5i57PN7Ua9URy4KZpzsR3MT+ts82/YNyJLeEuh0Llus5H63gStl0LxB8PMUYriHAfUZakxIdebFE9kCs+ynETOKzZMqahevTHBxLlxEnFngn7ornt58Tavm/n4bW8idZp50mIWFGcq/9f5e2PeloRXYxYorORZQQzRovD8KpdSLmajLtVIZ0lOrMDVvA7npjjerTf363vfd7cPPs7BrQZPgqfBi6AZvAkOgq9BK+gEovSnvFJeL29U1iuvKu8rH2at5dL8zuNg6VQ+/wO8Sh8x</latexit>
Albrecht, Player, Scott. Journal of Mathematical Cryptology 2015. Cryptology ePrint archive 2015/046. 83
Picking concrete parameters
• Competing requirements:
• Want small dimension (to reduce communication)
• Want large dimension (to make problem harder)
• Want small noise (to reduce probability of error)
• Want large noise (to make problem harder)
• Want small modulus (to make problem harder and save
communication)
• Want large modulus (to reduce probability of error)
• Picking concrete parameters is tricky
• Lots to consider and state of art is advancing
• Costing quantum attacks is subtle
• See NTRU and Kyber NIST submissions for worked examples
https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions 84