# Lattice-based cryptography

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions are currently important candidates for post-quantum cryptography. Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems — which could, theoretically, be defeated using Shor's algorithm on a quantum computer — some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

## History

In 1996, Miklós Ajtai introduced the first lattice-based cryptographic construction whose security could be based on the hardness of well-studied lattice problems,[1] and Cynthia Dwork showed that a certain average-case lattice problem, known as Short Integer Solutions (SIS), is at least as hard to solve as a worst-case lattice problem.[2] She then showed a cryptographic hash function whose security is equivalent to the computational hardness of SIS.

In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced a lattice-based public-key encryption scheme, known as NTRU.[3] However, their scheme is not known to be at least as hard as solving a worst-case lattice problem.

The first lattice-based public-key encryption scheme whose security was proven under worst-case hardness assumptions was introduced by Oded Regev in 2005,[4] together with the Learning with Errors problem (LWE). Since then, much follow-up work has focused on improving Regev's security proof[5][6] and improving the efficiency of the original scheme.[7][8][9][10] Much more work has been devoted to constructing additional cryptographic primitives based on LWE and related problems. For example, in 2009, Craig Gentry introduced the first fully homomorphic encryption scheme, which was based on a lattice problem.[11]

## Mathematical background

In linear algebra, a lattice ${\displaystyle L\subset \mathbb {R} ^{n}}$ is the set of all integer linear combinations of vectors from a basis ${\displaystyle \{\mathbf {b} _{1},\ldots ,\mathbf {b} _{n}\}}$ of ${\displaystyle \mathbb {R} ^{n}}$. In other words, ${\displaystyle L={\Big \{}\sum a_{i}\mathbf {b} _{i}\ :\ a_{i}\in \mathbb {Z} {\Big \}}\;.}$ For example, ${\displaystyle \mathbb {Z} ^{n}}$ is a lattice, generated by the standard basis for ${\displaystyle \mathbb {R} ^{n}}$. Crucially, the basis for a lattice is not unique. For example, the vectors ${\displaystyle (3,1,4)}$, ${\displaystyle (1,5,9)}$, and ${\displaystyle (2,-1,0)}$ form an alternative basis for ${\displaystyle \mathbb {Z} ^{3}}$.

The most important lattice-based computational problem is the Shortest Vector Problem (SVP or sometimes GapSVP), which asks us to approximate the minimal Euclidean length of a non-zero lattice vector. This problem is thought to be hard to solve efficiently, even with approximation factors that are polynomial in ${\displaystyle n}$, and even with a quantum computer. Many (though not all) lattice-based cryptographic constructions are known to be secure if SVP is in fact hard in this regime.

## Selected lattice-based schemes

This section presents selected lattice-based schemes, grouped by primitive.

### Encryption

Selected schemes for the purpose of encryption:

### Homomorphic encryption

Selected schemes for the purpose of homomorphic encryption:

• Gentry's original scheme.[11]
• Brakerski and Vaikuntanathan.[13][14]

### Hash functions

Selected schemes for the purpose of hashing:

### Key exchange

Selected schemes for the purpose of key exchange, also called key establishment, key encapsulation and key encapsulation mechanism (KEM):

• CRYSTALS-Kyber,[17] which is built upon module learning with errors (module-LWE). Kyber was selected for standardization by the NIST.[18]
• FrodoKEM,[19][20] a scheme based on the learning with errors (LWE) problem. FrodoKEM joined the standardization call conducted by the National Institute of Standards and Technology (NIST),[18] and lived up to the 3rd round of the process. It was then discarded due to low performance reasons. In October, 2022, the Twitter account associated to cryptologist Daniel J. Bernstein posted security issues in frodokem640.[21]
• NewHope is based on the ring learning with errors (RLWE) problem.[22]
• NTRU Prime.[23]
• Peikert's work, which is based on the ring learning with errors (RLWE) problem.[8]
• Saber,[24] which is based on the module learning with rounding (module-LWR) problem.

### Signing

This section listsa selection of lattice-based schemes for the purpose of digital signatures.

• CRYSTALS-Dilithium,[25][26] which is built upon module learning with errors (module-LWE) and module short integer solution (module-SIS). Dilithium was selected for standardization by the NIST.[18] According to a message from Ray Perlner, writing on behalf of the NIST PQC team, the NIST module-LWE signing standard is to be based on version 3.1 of the Dilithium specification.
• Falcon, which is built upon short integer solution (SIS) over NTRU. Falcon was selected for standardization by the NIST.[27][18]
• GGH signature scheme.
• Güneysu, Lyubashevsky, and Pöppelmann's work, which is based on ring learning with errors (RLWE).[28]

#### CRYSTALS-Dilithium

CRYSTALS-Dilithium or simply Dilithium [25][26] is built upon module-LWE and module-SIS. Dilithium was selected for standardization by the NIST.[18] According to a message from Ray Perlner, writing on behalf of the NIST PQC team, the NIST module-LWE signing standard is to be based on version 3.1 of the Dilithium specification. NIST's changes on Dilithium 3.1 intend to support additional randomness in signing (hedged signing) and other improvements.[31]

In August 2023, NIST published FIPS 204 (Initial Public Draft), and started calling Dilithium as Module-Lattice-Based Digital Signature Algorithm (ML-DSA).[32]

## Security

Lattice-based cryptographic constructions hold a great promise for public-key post-quantum cryptography.[33] Indeed, the main alternative forms of public-key cryptography are schemes based on the hardness of factoring and related problems and schemes based on the hardness of the discrete logarithm and related problems. However, both factoring and the discrete logarithm are known to be solvable in polynomial time on a quantum computer.[34] Furthermore, algorithms for factorization tend to yield algorithms for discrete logarithm, and vice versa. This further motivates the study of constructions based on alternative assumptions, such as the hardness of lattice problems.

Many lattice-based cryptographic schemes are known to be secure assuming the worst-case hardness of certain lattice problems.[1][4][5] I.e., if there exists an algorithm that can efficiently break the cryptographic scheme with non-negligible probability, then there exists an efficient algorithm that solves a certain lattice problem on any input. In contrast, cryptographic schemes based on, e.g., factoring would be broken if factoring was easy "on an average input,'' even if factoring was in fact hard in the worst case. However, for the more efficient and practical lattice-based constructions (such as schemes based on NTRU and even schemes based on LWE with more aggressive parameters), such worst-case hardness results are not known. For some schemes, worst-case hardness results are known only for certain structured lattices[7] or not at all.

## Functionality

For many cryptographic primitives, the only known constructions are based on lattices or closely related objects. These primitives include fully homomorphic encryption,[11] indistinguishability obfuscation,[35] cryptographic multilinear maps, and functional encryption.[35]

## References

1. ^ a b Ajtai, Miklós (1996). "Generating Hard Instances of Lattice Problems". Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing. pp. 99–108. CiteSeerX 10.1.1.40.2489. doi:10.1145/237814.237838. ISBN 978-0-89791-785-8. S2CID 6864824.
2. ^ Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence
3. ^ Hoffstein, Jeffrey; Pipher, Jill; Silverman, Joseph H. (1998). "NTRU: A ring-based public key cryptosystem". Algorithmic Number Theory. Lecture Notes in Computer Science. Vol. 1423. pp. 267–288. CiteSeerX 10.1.1.25.8422. doi:10.1007/bfb0054868. ISBN 978-3-540-64657-0.
4. ^ a b Regev, Oded (2005-01-01). "On lattices, learning with errors, random linear codes, and cryptography". Proceedings of the thirty-seventh annual ACM symposium on Theory of computing - STOC '05. ACM. pp. 84–93. CiteSeerX 10.1.1.110.4776. doi:10.1145/1060590.1060603. ISBN 978-1581139600. S2CID 53223958.
5. ^ a b Peikert, Chris (2009-01-01). "Public-key cryptosystems from the worst-case shortest vector problem". Proceedings of the 41st annual ACM symposium on Symposium on theory of computing - STOC '09. ACM. pp. 333–342. CiteSeerX 10.1.1.168.270. doi:10.1145/1536414.1536461. ISBN 9781605585062. S2CID 1864880.
6. ^ Brakerski, Zvika; Langlois, Adeline; Peikert, Chris; Regev, Oded; Stehlé, Damien (2013-01-01). "Classical hardness of learning with errors". Proceedings of the 45th annual ACM symposium on Symposium on theory of computing - STOC '13. ACM. pp. 575–584. arXiv:1306.0281. doi:10.1145/2488608.2488680. ISBN 9781450320290. S2CID 6005009.
7. ^ a b Lyubashevsky, Vadim; Peikert, Chris; Regev, Oded (2010-05-30). "On Ideal Lattices and Learning with Errors over Rings". Advances in Cryptology – EUROCRYPT 2010. Lecture Notes in Computer Science. Vol. 6110. pp. 1–23. CiteSeerX 10.1.1.352.8218. doi:10.1007/978-3-642-13190-5_1. ISBN 978-3-642-13189-9.
8. ^ a b Peikert, Chris (2014-07-16). "Lattice cryptography for the Internet" (PDF). IACR. Retrieved 2017-01-11.
9. ^ Alkim, Erdem; Ducas, Léo; Pöppelmann, Thomas; Schwabe, Peter (2015-01-01). "Post-quantum key exchange – a new hope". Cryptology ePrint Archive.
10. ^ Bos, Joppe; Costello, Craig; Ducas, Léo; Mironov, Ilya; Naehrig, Michael; Nikolaenko, Valeria; Raghunathan, Ananth; Stebila, Douglas (2016-01-01). "Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE". Cryptology ePrint Archive.
11. ^ a b c Gentry, Craig (2009-01-01). A Fully Homomorphic Encryption Scheme (Thesis). Stanford, CA, USA: Stanford University.
12. ^ NGUYEN, Phon. Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from crypto ’97. In Crypto ’99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pages 288–304, London, UK, 1999. Springer-Verlag.
13. ^ Brakerski, Zvika; Vaikuntanathan, Vinod (2011). "Efficient Fully Homomorphic Encryption from (Standard) LWE". Cryptology ePrint Archive.
14. ^ Brakerski, Zvika; Vaikuntanathan, Vinod (2013). "Lattice-Based FHE as Secure as PKE". Cryptology ePrint Archive.
15. ^ "LASH: A Lattice Based Hash Function". Archived from the original on October 16, 2008. Retrieved 2008-07-31.
16. ^ Contini, Scott; Matusiewicz, Krystian; Pieprzyk, Josef; Steinfeld, Ron; Guo, Jian; Ling, San; Wang, Huaxiong (2008). "Cryptanalysis of LASH" (PDF). Fast Software Encryption. Lecture Notes in Computer Science. Vol. 5086. pp. 207–223. doi:10.1007/978-3-540-71039-4_13. ISBN 978-3-540-71038-7. S2CID 6207514.
17. ^ AVANZI, R. et al. CRYSTALS-KYBER Algorithm Specifications And Supporting Documentation. CRYSTALS Team, 2021. Available from the Internet on <https: //www.pq-crystals.org/>, accessed on November 4th, 2022.
18. CSRC, National Institute of Standards and Technology. Post-Quantum Cryptography. 2019. Available from the Internet on <https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/>, accessed in November 2nd, 2022.
19. ^ FrodoKEM team. FrodoKEM. 2022. Available from the Internet on <https://frodokem.org/>, accessed on November 2nd, 2022.
20. ^ ALKIM, E. et al. FrodoKEM learning with errors key encapsulation algorithm specifications and supporting documentation. 2020. Available from the Internet on <https://frodokem.org/files/FrodoKEM-specification-20200930.pdf>, accessed in November 1st, 2022
21. ^ BERNSTEIN, Daniel J. FrodoKEM documentation claims that "the FrodoKEM parameter sets comfortably match their target security levels with a large margin". Warning: That's not true. Send 2^40 ciphertexts to a frodokem640 public key; one of them will be decrypted by a large-scale attack feasible today. 2022. Available from the Internet on <https://twitter.com/hashbreaker/status/1587184970258255872>, accessed in November 2nd, 2022.
22. ^ SCHWABE, Peter et al. NewHope's Web site. 2022. Available from the Internet on <https://newhopecrypto.org/>, accessed in December 6th, 2022.
23. ^ BERNSTEIN, Daniel J. et al., NTRU Prime: round 3. 2020. Available from the Internet on <https://ntruprime.cr.yp.to/>, accessed in November 8th, 2022.
24. ^ D'ANVERS, Jan-Pieter, KARMAKAR, Angshuman, ROY, Sujoy Sinha, and VERCAUTEREN, Frederik. Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. 2018. Available from Internet on <https://eprint.iacr.org/2018/230>, accessed in November 5th, 2022.
25. ^ a b BAI, S. et al. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (Version 3.1). CRYSTALS Team, 2021. Available from the Internet on <https://www.pq-crystals.org/>, accessed in November 2nd, 2021.
26. ^ a b SEILER, Gregor et al. pq-crystals/dilithium (Dilithium at GitHub), 2022. Available from the Internet on <https://github.com/pq-crystals/dilithium>, accessed in December 29th, 2022.
27. ^ FOUQUE, Pierre-Alain et al. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU. 2020. Available from the Internet on <https://falcon-sign.info/>, accessed in November 8th, 2020.
28. ^ Güneysu, Tim; Lyubashevsky, Vadim; Pöppelmann, Thomas (2012). "Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems" (PDF). Cryptographic Hardware and Embedded Systems – CHES 2012. Lecture Notes in Computer Science. Vol. 7428. IACR. pp. 530–547. doi:10.1007/978-3-642-33027-8_31. ISBN 978-3-642-33026-1. Retrieved 2017-01-11.
29. ^ ESPITAU, Thomas et al. MITAKA: A Simpler, Parallelizable, Maskable Variant of Falcon. 2021.
30. ^ ALKIM, E. et al. The Lattice-Based Digital Signature Scheme qTESLA. IACR, 2019. Cryptology ePrint Archive, Report 2019/085. Available from Internet on <https://eprint.iacr.org/2019/085>, accessed in NOVEMBER 1st, 2022.
31. ^ PERLNER,Ray A.. Planned changes to the Dilithium spec. April 20th, 2023. Google Groups. Available from the Internet on <https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/3pBJsYjfRw4/m/GjJ2icQkAQAJ>, accessed in June 14th, 2023.
32. ^ RAIMONDO, Gina M., and LOCASCIO, Laurie E., FIPS 204 (Draft) Federal Information Processing Standards Publication – Module-Lattice-Based Digital Signature Standard. August 24, 2023. Information Technology Laboratory, National Institute of Standards and Technology. Gaithersburg, MD, United States of America. DOI 10.6028/NIST.FIPS.204.ipd. Available from the Internet on <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf>, accessed in September 2nd, 2023.
33. ^ Micciancio, Daniele; Regev, Oded (2008-07-22). "Lattice-based cryptography" (PDF). Nyu.edu. Retrieved 2017-01-11.
34. ^ Shor, Peter W. (1997-10-01). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509. arXiv:quant-ph/9508027. doi:10.1137/S0097539795293172. ISSN 0097-5397. S2CID 2337707.
35. ^ a b Garg, Sanjam; Gentry, Craig; Halevi, Shai; Raykova, Mariana; Sahai, Amit; Waters, Brent (2013-01-01). "Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits". Cryptology ePrint Archive. CiteSeerX 10.1.1.400.6501.

## Bibliography

• Oded Goldreich, Shafi Goldwasser, and Shai Halevi. "Public-key cryptosystems from lattice reduction problems". In Crypto ’97: Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, pages 112–131, London, UK, 1997. Springer-Verlag.
• Oded Regev. Lattice-based cryptography. In Advances in cryptology (CRYPTO), pages 131–141, 2006.