20
Advanced Topics

Post-Quantum Cryptography

Cryptography is built on computational problems that are believed to be hard, like breaking a candidate PRP, factoring large integers, calculating discrete logarithms in elliptic curves, to name a few. But quantum computers can solve some problems faster than classical computers; they change the landscape of hard problems. It is therefore important to understand their consequences on cryptography.

Quantum vs. post-quantum: There are two ways quantum computers can affect cryptography:

  • We can imagine designing and deploying new cryptography that requires a quantum computer. Think of Alice and Bob sending entangled photons to each other. This kind of cryptography is called quantum cryptography; it is extremely limited and requires specialized hardware.

  • We can imagine cryptography that runs on traditional, classical computers, but is designed to be secure even against adversaries who have access to a quantum computer. This kind of cryptography is called post-quantum cryptography.

This chapter discusses only post-quantum cryptography.

Urgency: Scalable quantum computers that pose a serious threat to cryptography do not yet exist, and may not exist for many decades. Still, they are plausible enough to warrant serious attention now, because data encrypted and stored today could be decrypted by a future quantum adversary.

Fortunately, paranoia is a virtue in cryptography, and cryptographers like to prepare for the worst-case scenario. Since 2017, NIST has been organizing a process to develop and select new post-quantum cryptographic standards. In 2022, four algorithms (one KEM and three signature schemes) were chosen as future standards. Section 20.3 describes some greatly simplified aspects of the winning KEM design.

20.1. Capabilities of quantum computing

Which problems are easier to solve on a quantum computer? This section summarizes known results that are relevant to cryptography. I will not attempt to describe how quantum computers work, or how these algorithms work; that is well beyond the scope of this book.

20.1.1. Attacking symmetric-key cryptography

Quantum computers can speed up brute-force searches from 2n2^n time to 2n/22^{n/2} time, using a method called Grover's algorithm:

Claim 20.1.1 (Grover's algorithm)

Let F:{0,1}n{0,1}F : \bits^n \to \bits be a function. There is a quantum algorithm, called Grover's algorithm, that makes only O(2n/2)O(2^{n/2}) quantum evaluations of FF and outputs a value X{0,1}nX \in \bits^n such that F(X)=1F(X) = 1, if any such XX exists.

You can think of Grover's algorithm as a faster method for finding needles in haystacks. The haystack is {0,1}n\bits^n, and the needle is the special input XX that causes FF to output 1. Grover's algorithm can be used to attack symmetric-key cryptography by applying it to a suitable needle-identification function FF.

For example, a quantum computer can break an SKE scheme in the following way: First, obtain a few ciphertexts with known plaintexts:

C1=Enc(K,M1);C2=Enc(K,M2);Cm=Enc(K,Mm); \ctxt_1 = \Enc(\key,\ptxt_1); \quad \ctxt_2 = \Enc(\key,\ptxt_2); \quad \ldots \quad \ctxt_m = \Enc(\key,\ptxt_m);

There need to be enough samples mm so that, with high probability, only one value of K\key is consistent with them all. Usually a very small value of mm is sufficient. Next, define the following function FF:

F(K)F(\key):
for i=1i=1 to mm:
// Ci,Mi\ctxt_i, \ptxt_i hard coded constants:
if Dec(K,Ci)Mi\Dec(\key,\ctxt_i) \ne \ptxt_i:
return 0\bit0
return 1\bit1

This function checks whether a candidate K\key is consistent with all of the (Mi,Ci)(\ptxt_i,\ctxt_i) pairs, which are hard-coded as constants into the algorithm's description. By design, there is likely only one value of K\key that causes FF to output 1, and Grover's algorithm can find it in time O(2λ/2)O(2^{\secpar/2}).

Grover's algorithm speeds up brute-force attacks, but they remain exponential-time. Additionally, Grover's algorithm is inherently sequential — it cannot be obviously parallelized like a classical brute-force search. The threat of Grover's algorithm can be neutralized by simply doubling the length of the keys. To ensure that quantum brute-force attacks require 2λ2^\secpar effort, we can choose keys that are 2λ2\secpar bits long. Of course, this defense helps only if brute-force attacks are the best possible attack. For many symmetric-key primitives, this is assumed to be case; however, it is not true for asymmetric-key primitives.

20.1.2. Breaking asymmetric-key cryptography

In 1994, Peter Shor struck fear into the hearts of cryptographers everywhere by demonstrating that quantum computers could break most asymmetric-key cryptography in polynomial time:

Claim 20.1.2 (Shor's algorithm)

There are quantum algorithms for the following tasks, whose running time is polynomial in kk:

  • Factoring kk-bit numbers.

  • Solving the discrete logarithm problem in any cyclic group of order <2k{} < 2^k, even groups based on elliptic curves.

Both algorithms use a common approach called Shor's algorithm.

All of the public-key cryptography that you've seen so far relies on either the hardness of factoring (as in RSA) or the discrete logarithm problem (as in Diffie-Hellman, El Gamal, Schnorr signatures). A quantum computer of reasonable size could break all of these schemes. New techniques are needed for post-quantum secure public-key cryptography.

20.2. The learning-with-errors problem

If you were asked to solve for the unknown sis_i's in the following system of equations, your task would be relatively easy:

3=s1+2s22s3+6s51=4s1+3s24s33s4+6s54=s1s2+4s3+3s43s51=s1s2+2s3+3s4+s55=4s1+5s2+5s3+3s4+s5 \begin{array}{rrrrrr} 3 = & {} s_1 & {}+ 2 s_2 & {}- 2 s_3 & {} & {}+ 6 s_5 \\ 1 = & {} 4 s_1 & {}+ 3 s_2 & {}- 4 s_3 & {}- 3 s_4 & {}+ 6 s_5 \\ 4 = & {} - s_1 & {} - s_2 & {}+ 4 s_3 & {}+ 3 s_4 & {}- 3 s_5 \\ 1 = & {} s_1 & {} - s_2 & {}+ 2 s_3 & {}+ 3 s_4 & {}+ s_5 \\ 5 = & {} 4 s_1 & {}+ 5 s_2 & {}+ 5 s_3 & {}+ 3 s_4 & {}+ s_5 \end{array}

You can write these as a single matrix equation, then solve it by inverting the square matrix that appears:

[31415]=[1220643436114331123145531][s1s2s3s4s5]\begin{aligned} \begin{bmatrix}3 \\ 1 \\ 4 \\ 1 \\ 5\end{bmatrix} = \left[\begin{array}{rrrrr} 1 & 2 & -2 & 0 & 6 \\ 4 & 3 & -4 & -3 & 6 \\ -1 & -1 & 4 & 3 & -3 \\ 1 & -1 & 2 & 3 & 1 \\ 4 & 5 & 5 & 3 & 1 \end{array}\right] \begin{bmatrix} s_1 \\ s_2 \\ s_3 \\ s_4 \\ s_5 \end{bmatrix}\end{aligned}

This problem is not made any harder by increasing the number of constraints (the height of this matrix), although in this case not every left-hand-side will have a solution. These systems of linear equations can also be solved modulo q\qmod, as long as the matrix is invertible mod q\qmod.

Now suppose you are asked to solve a system of approximate equations:

2s1+2s22s3+6s574s1+3s24s33s4+6s51s1s2+4s3+3s43s58s1s2+2s3+3s4+s524s1+5s2+5s3+3s4+s582s1+s3s4+2s5 \begin{array}{rrrrrr} 2 \hl{\approx} & {} s_1 & {}+ 2 s_2 & {}- 2 s_3 & {} & {}+ 6 s_5 \\ 7 \hl{\approx} & {} 4 s_1 & {}+ 3 s_2 & {}- 4 s_3 & {}- 3 s_4 & {}+ 6 s_5 \\ 1 \hl{\approx} & {} - s_1 & {} - s_2 & {}+ 4 s_3 & {}+ 3 s_4 & {}- 3 s_5 \\ 8 \hl{\approx} & {} s_1 & {} - s_2 & {}+ 2 s_3 & {}+ 3 s_4 & {}+ s_5 \\ 2 \hl{\approx} & {} 4 s_1 & {}+ 5 s_2 & {}+ 5 s_3 & {}+ 3 s_4 & {}+ s_5 \\ 8 \hl{\approx} & {} 2 s_1 & & {}+ s_3 & {}- s_4 & {}+ 2 s_5 \\ \vdots \phantom{\approx} & \vdots & \vdots & \vdots & \vdots & \vdots \end{array}

Here, \approx means that the two sides differ by only a very small amount – say, {1,0,1}\{-1,0,1\}. Such a system of approximate equations is much harder to solve.

We can rewrite these approximate equations as exact equations by introducing an error vector:

[271828]=[122064343611433112314553120112][s1s2s3s4s5]+[e1e2e3e4e5e6] \begin{bmatrix}2 \\ 7 \\ 1 \\ 8 \\ 2 \\ 8 \\ \vdots \end{bmatrix} = \left[\begin{array}{rrrrr} 1 & 2 & -2 & 0 & 6 \\ 4 & 3 & -4 & -3 & 6 \\ -1 & -1 & 4 & 3 & -3 \\ 1 & -1 & 2 & 3 & 1 \\ 4 & 5 & 5 & 3 & 1 \\ 2 & 0 & 1 & -1 & 2 \\ \vdots & \vdots & \vdots & \vdots & \vdots \end{array}\right] \begin{bmatrix} s_1 \\ s_2 \\ s_3 \\ s_4 \\ s_5 \end{bmatrix} \hl{ + \begin{bmatrix} e_1 \\ e_2 \\ e_3 \\ e_4 \\ e_5 \\ e_6 \\ \vdots \end{bmatrix}}

Here, the error vector is e=(e1,e2,e3,)\vec{e} = (e_1, e_2, e_3, \ldots), whose entries are known to be “small” (say, from {1,0,+1}\{-1,0,+1\}) but are otherwise unknown.

Equations like the one above are useful for cryptography because of the following dichotomy:

  • When the number of approximate equations is high (the matrix is tall), there is generally at most one possible solution in the unknown sis_i's and eie_i's.

  • On the other hand, it appears to be very hard to find that solution or to even determine whether one exists. All known algorithms for this problem, even quantum algorithms, require exponential time.

Linear algebra

This chapter uses linear algebra; for a review, see section A.6. Matrices are written as capital bold letters: M\mat M. Vectors are written as lowercase: x\vec x. All vectors are column vectors by default, and made into row vectors by taking their transpose x\vec x^\top.

Learning With Errors: Learning with errors (LWE) is a cryptographic problem based on approximate linear equations of this kind. An adversary is given a matrix M\mat M and a vector x=Ms+e\vec x = \mat M \vec s + \vec e, where s\vec s is sampled uniformly and e\vec e is sampled from a distribution of “small” values. All arithmetic is performed modulo q\qmod.

An output of this LWE process is “close” (within a small error vector) of a vector of the form Ms\mat M \vec s. If M\mat M is much taller than it is wide, not every x\vec x is close to a vector of the form Ms\mat M \vec s, so not every x\vec x is a possible LWE output. However, it is believed to be hard to determine whether a x\vec x has this property. Thus, the LWE assumption is that x\vec x is indistinguishable from a uniformly distributed vector.

The vector e\vec e in LWE is called the noise vector. Each component of e\vec e is sampled independently from a distribution on “small” values, so we call vectors from this distribution “short.” Since we are working mod q\qmod, instead of thinking about “small” values, think “close to 0,” in either direction. For example, q1\qmod-1 is “small” because q11\qmod-1 \equiv -1. In general, for the purposes of LWE it is helpful to think of Zq\Z_\qmod not as {0,1,,q1}\{0,1, \ldots, \qmod-1\} but as {q12,,0,,q12}\{ -\lfloor \frac{\qmod-1}2 \rfloor, \ldots, 0, \ldots, \lceil \frac{\qmod-1}2 \rceil \}.

The LWE problem is not particularly sensitive to the precise distribution of noise elements; two common choices are a [discretized] Gaussian distribution (normal distribution) and a uniform distribution over {c,,c}\{-c, \ldots, c\} for some small cc.

Definition 20.2.1 (Learning with errors)

Consider the following parameters:

  • nn: the length of the secret (width of matrix).

  • mm: the number of approximate equalities (height of matrix).

  • q\qmod: the modulus.

  • E\mathcal{E}: the distribution over noise elements.

The learning with errors (LWE) assumption is that the following libraries are indistinguishable, even to quantum adversaries:

Llwe-realn,m,q\lib{lwe-real}^{n,m,\qmod}
lwe.sample()\subname{lwe.sample}(\,):
M(Zq)m×n\mat{M} \gets (\Z_\qmod)^{m \times n}
s(Zq)n\vec{s} \gets (\Z_\qmod)^{n}
eEm\vec{e} \gets \mathcal{E}^m
x=Ms+e\vec{x} = \mat{M} \cdot \vec{s} + \vec{e}
return (M,x)(\mat{M},\vec{x})
\indist
Llwe-randn,m,q\lib{lwe-rand}^{n,m,\qmod}
lwe.sample()\subname{lwe.sample}(\,):
M(Zq)m×n\mat{M} \gets (\Z_\qmod)^{m \times n}
x(Zq)m\vec{x} \gets (\Z_\qmod)^{m}
return (M,x)(\mat{M},\vec{x})
(,+)(,) \left(\, \mytallmatrix{M}\,, \mytallmatrix{M}\, \mycolvec{s} + \mytallcolvec{e-shaded} \,\right) \indist \left(\,\mytallmatrix{M}\,, \mytallcolvec{x} \,\right)

Why “learning” with errors? The secret vector s\vec s defines a function mms\vec m \mapsto \vec m^\top \vec s. The adversary learns input/output samples of this function, one for each row of M\mat M and x\vec x, but with added errors/noise.

LWE Security and Parameters: The security of LWE depends on a reasonable choice of the parameters listed above. The choice of these parameters is not as straightforward as it is for, say, RSA. There is not a one-size-fits-all recommendation, because different LWE-based constructions require matrices of different sizes, and are affected differently by the LWE noise. However, the following suggestions can give you a rough sense for the size of the numbers involved, for basic applications of LWE:

  • The secret length nn should be the security parameter λ\secpar.

  • The modulus q\qmod should be approximately λ2\secpar^2.

  • The noise distribution E\mathcal E should produce outputs bounded in magnitude by approximately λ\sqrt{\secpar}.

Using these parameters, the LWE assumption is believed to hold for any parameter mm (polynomial in the security parameter), even against quantum adversaries!

LWE With Short Secrets: The primary secret s\vec s in LWE is a uniformly sampled vector. Interestingly, the hardness of LWE does not change if s\vec s is instead sampled from the noise distribution:

Claim 20.2.2 (LWE with short secrets)

If the LWE assumption is true, then it is also true (with mostly the same parameters) when the secret s\vec s is sampled from the noise distribution. That is, the following two libraries are indistinguishable:

Llwe*-realn,m,q\lib{lwe*-real}^{n,m,\qmod}
lwe.sample()\subname{lwe.sample}^*(\,):
M(Zq)m×n\mat M \gets (\Z_\qmod)^{m \times n}
sEn\vec s \gets \hl{\mathcal{E}^n}
eEm\vec e \gets \mathcal{E}^m
x=Ms+e\vec x = \mat{M} \vec{s} + \vec{e}
return (M,x)(\mat M,\vec x)
\indist
Llwe*-randn,m,q\lib{lwe*-rand}^{n,m,\qmod}
lwe.sample()\subname{lwe.sample}^*(\,):
M(Zq)m×n\mat M \gets (\Z_\qmod)^{m \times n}
x(Zq)m\vec x \gets (\Z_\qmod)^{m}
return (M,x)(\mat M,\vec x)
Proof:

Consider the following library L\L^*. It first obtains a standard LWE sample (generated with a uniform secret vector) of dimension (n+m)×n(n+m) \times n, from an external subroutine that we will write as lwe.samplen+m\subname{lwe.sample}_{n+m}. It uses this LWE sample to generate a new sample of dimension m×nm \times n as follows:

L\L^*
lwe.sample()\subname{lwe.sample}^*(\,):
([M1M2],[x1x2]):=lwe.samplen+m(),\left(\begin{bmatrix} \mat M_1 \\ \mat M_2 \end{bmatrix}, \begin{bmatrix} \vec x_1 \\ \vec x_2 \end{bmatrix}\right) := \subname{lwe.sample}_{n+m}(),
where M1,x1\mat M_1,\vec x_1 have height nn and M2,x2\mat M_2,\vec x_2 have height mm
// M1\mat M_1 is a square matrix
M:=M2(M1)1\mat M^* := - \mat M_2 (\mat M_1)^{-1}
x:=Mx1+x2\vec x^* := \mat M^* \vec x_1 + \vec x_2
return (M,x)(\mat M^*, \vec x^*)

This library contains one (intentional) bug: Its behavior is undefined when M1\mat M_1 is not an invertible matrix. For now, let's continue as if M1\mat M_1 is always invertible; then at the end of the proof we will discuss how to be more careful about this step.

With this L\L^* in mind, we will show that:

Llwe*-real(1)LLlwe-real(2)LLlwe-rand(3)Llwe*-rand. \lib{lwe*-real} \overset{(1)}\equiv \L^* \link \lib{lwe-real} \overset{(2)}\indist \L^* \link \lib{lwe-rand} \overset{(3)}\equiv \lib{lwe*-rand}.

Step (2) follows directly from the standard LWE assumption, so we focus on steps (1) and (3). First, no matter which Llwe-*\lib{lwe-*} library L\L^* is linked to, M2\mat M_2 is distributed uniformly and independent of M1\mat M_1, causing M\mat M^* to be distributed uniformly.

When L\L^* is linked to Llwe-real\lib{lwe-real}, the output of lwe.samplen+m\subname{lwe.sample}_{n+m} has the following structure:

x1=M1s+e1,x2=M2s+e2,\begin{aligned} \vec x_1 &= \mat M_1 \vec s + \vec e_1, \\ \vec x_2 &= \mat M_2 \vec s + \vec e_2,\end{aligned}

where e1,e2\vec e_1, \vec e_2 are sampled from the noise distribution. Then:

x=(M2(M1)1)M(M1s+e1)x1+(M2s+e2)x2=M2s+Me1+M2s+e2=Me1+e2.\begin{aligned} \vec x^* &= \overbrace{\bigl( -\mat M_2 \cdot (\mat M_1)^{-1} \bigr)}^{\mat M^*} \overbrace{\bigl( \mat M_1 \vec s + \vec e_1 \bigr)}^{\vec x_1} + \overbrace{\bigl( \mat M_2 \vec s + \vec e_2 \bigr)}^{\vec x_2} \\ &= \hl{{-\mat M_2 \vec s}} + \mat M^* \vec e_1 + \hl{\mat M_2 \vec s} + \vec e_2 \\ &= \mat M^* \vec e_1 + \vec e_2.\end{aligned}

So (M,x)(\mat M^*,\vec x^*) has the structure of an LWE output, where e1\vec e_1 — which is sampled from the noise distribution — now plays the role of the LWE secret. Since e1\vec e_1 and e2\vec e_2 are independent of each other and of M\mat M^*, the output of lwe.sample\subname{lwe.sample}^* exactly matches that of Llwe*-real\lib{lwe*-real} and we have (1).

When L\L^* is linked to Llwe-rand\lib{lwe-rand}, x2\vec x_2 is distributed uniformly and independent of M\mat M^*. Hence, x=Mx1+x2\vec x^* = \mat M^* \vec x_1 + \vec x_2 acts like a variant of OTP using vector addition, where x2\vec x_2 plays the role of OTP key. So x\vec x^* is distributed uniformly, and the output of lwe.sample\subname{lwe.sample}^* matches that of Llwe*-rand\lib{lwe*-rand} and we have (3).

When M1\mat M_1 is sampled uniformly, it is indeed highly likely to be invertible. Unfortunately, the probability that M1\mat M_1 fails to be invertible is not negligible. To deal with this problem, we change how L\L^* generates M1\mat M_1. Instead of taking nn rows directly from the LWE sample, take a collection of 2n2n rows (requiring a standard LWE sample of dimension (2n+m)×n(2n+m)\times n now), then throw away any of these rows that are linearly dependent of the ones above it. It can be shown that, except with negligible probability, this process results in nn rows remaining—in other words, an invertible n×nn \times n matrix.

20.3. Key exchange from LWE

In this section we discuss how LWE can be used for key exchange. The goal is not to show a realistic protocol (as you will see, the protocol we construct is impractical), but rather to merely provide some basic intuition for applying LWE to public-key cryptography.

Big Picture: Inspired By Diffie-Hellman: The heart of Diffie-Hellman KE is that there are two ways to compute the expression gabg^{ab}:

gab=(ga)b=(gb)a. g^{ab} = (g^a)^b = (g^b)^a.

Additionally, Alice can send gag^a, and Bob can send gbg^b, because these values “hide” aa and bb from an eavesdropper in some way.

LWE-based key exchange is motivated by two different ways to compute a vector-matrix-vector product:

=()=() \myrowvec{a} \,\mymatrix{G}\, \mycolvec{b} = \left(\, \myrowvec{a}\, \mymatrix{G} \,\right) \mycolvec{b} = \myrowvec{a} \left(\, \mymatrix{G}\, \mycolvec{b} \,\right)

Here, G\mat G is a public matrix, and a\vec a and b\vec b are vectors, so that the product aGb\vec a^\top \mat G \vec b a single scalar. The names are chosen to be suggestive of Diffie-Hellman. Suppose Alice and Bob sample secret vectors a\vec a and b\vec b, then Alice sends aG\vec a^\top \mat G and Bob sends Gb\mat G \vec b. Both users could compute the common value aGb\vec a^\top \mat G \vec b in their own way, using the observation above. Would the resulting KE protocol be secure?

Unfortunately not: The protocol messages aG\vec a^\top \mat G and Gb\mat G \vec b do not hide the secret vectors a\vec a and b\vec b in the same way that gag^a and gbg^b hide exponents aa and bb in DHKE. However, the LWE assumption suggests that Alice and Bob can hide a\vec a and b\vec b by adding noise!

Adding noise: If both Alice and Bob add standard LWE noise to their protocol messages, we obtain the following KE protocol:

“Short” vectors sampled from the noise distribution are drawn here as shaded boxes. Thanks to lemma 20.2.2, it is safe for both users to sample their secret LWE vectors (a\vec a and b\vec b) from the noise distribution. We use this fact later.

The two protocol messages each have the form of an LWE vector, which suggests that they hide a\vec a and b\vec b. Keep in mind that Alice's protocol message is simply the transpose of a standard LWE vector (using G\mat G^\top as the LWE matrix):

aG+e1=(Ga+e1). \vec a^\top \mat G + \vec e_1^\top = \left(\mat G^\top \vec a + \vec e_1 \right)^\top.

Although noise is vital for security, it undermines the agreement aspect of key exchange. Alice will compute output:

ay=a(Gb+e2)=aGb+ae2, \vec a^\top \vec y = \vec a^\top \left( \mat G \vec b + \vec e_2 \right) = \vec a^\top G \vec b + \vec a^\top \vec e_2,

whereas Bob will compute output:

xb=(aG+e1)b=aGb+e1b. \vec x^\top \vec b = \left( \vec a^\top \mat G + \vec e_1^\top \right) \vec b = \vec a^\top G \vec b + \vec e_1^\top \vec b.

Their outputs differ by an error amount:

ϵ=ae2e1b. \epsilon = \left| \vec a^\top \vec e_2 - \vec e_1^\top \vec b \right|.

Each vector in this expression (a\vec a, b\vec b, e1\vec e_1, e2\vec e_2) is a short vector, sampled from the noise distribution. It is possible to choose secure parameters for the noise distribution, to ensure that ϵ\epsilon is sufficiently small: Say, Pr[ϵ>q/4]\PR{ \epsilon > q/4 } is negligible. The quantitative analysis is tedious, and beyond the scope of this book. But the conclusion is that Alice and Bob compute values that may not be identical, but are certainly close.

Reconciliation: Alice and Bob now hold values in Zq\Z_q that are within distance q/4q/4. You can visualize the situation as follows, where we list the elements of Zq\Z_q in a circle, like the face of a clock.

Call Alice's value K\key and Bob's K\key'. In the diagram above, Alice doesn't know Bob's K\key' but she knows that it is always in the shaded region.

To convert their approximately equal values into truly equal values, Alice can uniformly sample a bit α\alpha and send the message R=K+αq/2%qR = K + \alpha \lfloor q/2 \rfloor \pct q to Bob. In other words, if α=0\alpha=0, then Alice sends KK, which is very close to Bob's KK'; If α=1\alpha=1 then Alice sends a value that is diametrically opposite KK in the Zq\Z_q circle, and therefore more than q/4q/4 away from Bob's KK'. Bob can easily distinguish these two cases, and thereby learn α\alpha. Finally, Alice and Bob can agree on a common value! But an eavesdropper will not learn α\alpha because, as we will show, KK is pseudorandom to an eavesdropper, and acts as a one-time pad to mask α\alpha.

Careful readers will have noticed that Alice and Bob have gone to all this work only to agree on a single bit! This is true, and this is what makes the protocol impractical. In principle, Alice and Bob could run λ\secpar parallel instances of this protocol, to agree on a λ\secpar-bit key, but this would be incredibly expensive. Real-world LWE-based KE protocols are much more efficient, and we will briefly discuss them later. Still, they are based on the core ideas from this simplified protocol.

The protocol that results from this discussion is presented below. For reasons that shall become clear in the security analysis, Alice must add a noise term to her value of KK.

Construction 20.3.1 (Simple LWE-based key exchange)

Let n=mn=m, qq, and E\mathcal E be suitable LWE parameters. A key exchange protocol based on LWE is the following:

Of course, the final two protocol messages (from Alice to Bob) can be sent together as a single message.

The matrix G\mat G can be sampled by one of the users and included in the first protocol message. Alternatively, it can be global, and reused across several instances of the protocol, as long as it has been sampled uniformly.

Claim 20.3.2 (Passive security of LWE-based key exchange)

Construction 20.3.1 is a passively secure KE protocol if the LWE assumption holds.

Proof:

Hybrid Sequence:
The starting point is Lke-real\lib{ke-real}, which outputs the protocol transcript (G,x,y,R)(\mat G, \vec x, \vec y, R) and corresponding output key α\alpha.
We can apply the LWE assumption to replace y\vec y with a uniformly sampled vector. The standard three-hop maneuver is not shown.
Both x\vec x and KK are computed in a similar way: a multiplication (on the left) by a\vec a^\top, followed by an addition of a noise term. We can therefore write both x\vec x and KK in terms of a single matrix expression, by appending y\vec y to the LWE matrix G\mat G and ee to the noise vector e1\vec e_1.
Now (x,K)(\vec x, K) are computed as (the transpose of) an LWE sample, using a uniformly sampled (n+1)×n(n+1) \times n LWE matrix [Gy][\mat G \mid \vec y]. We can therefore apply the LWE assumption to replace these values with uniform ones.
Now KK is distributed uniformly and used only to compute RR. Thus, RR is a ciphertext in the OTP variant that uses addition mod q\qmod, so it is distributed uniformly. The result of this change is Lke-rand\lib{ke-rand}, which completes the proof.
Lke-real\lib{ke-real}
G(Zq)n×n\mat G \gets (\Z_\qmod)^{n \times n}
aEn\vec a \gets \mathcal E^n
e1En\vec e_1^\top \gets \mathcal E^n
x:=aG+e1\vec x^\top := \vec a^\top \mat G + \vec e_1^\top
bEn\vec b \gets \mathcal E^n
e2En\vec e_2 \gets \mathcal E^n
y:=Gb+e2\vec y := \mat G \vec b + \vec e_2
eEe \gets \mathcal E
K:=ay+eK := \vec a^\top \vec y + e
α{0,1}\alpha \gets \bits
RR
:=K+αq/2%q{}:= K + \alpha\lfloor \qmod/2 \rfloor \pct \qmod
Zq{}\gets \Z_\qmod
ke.eavesdrop( ):
return (G,x,y,R,α)(\mat G, \vec x, \vec y, R, \alpha)

LWE-based key exchange in practice: This KE protocol has been presented as a glimpse into the general techniques of post-quantum cryptography. As you saw, it is far from practical and requires considerable effort to agree on just a single bit.

In 2024, NIST standardized a new post-quantum PKE/KEM scheme called ML-KEM. It is based on the LWE approach described in this chapter but offers better performance through a few techniques:

  • Our simple KE protocol has throughput of one bit because it is based on a vector-matrix-vector multiplication expression that results in a single scalar value. However, it is also possible to design a KE protocol based on matrix-matrix-matrix multiplication, which will allow Alice and Bob to (approximately) agree on an entire matrix of values. Exercises 20.4 and 20.7 give a roadmap to such a construction.

  • Standard LWE involves a uniformly chosen matrix, but there exist LWE variants in which the matrix has some additional algebraic structure. For example, in the ring LWE variant, the matrix is not arbitrary but is built from n×nn \times n blocks, where each block has the special form:

    [a1a2a3anana1a2an1an1ana1an2a2a3a4a1] \begin{bmatrix} a_1 & a_2 & a_3 & \cdots & a_n \\ -a_n & a_1 & a_2 & \cdots & a_{n-1} \\ -a_{n-1} & -a_n & a_1 & \cdots & a_{n-2} \\ & \vdots & & \ddots & \vdots \\ -a_2 & -a_3 & -a_4 & \cdots & a_1 \end{bmatrix}

    Matrices of this form offer a few benefits: First, each n×nn \times n block is entirely determined by its first row, meaning that it is nn times cheaper to communicate these kinds of matrices in a protocol. Second, there are more efficient algorithms for multiplying these special kinds of matrices.

Exercises

  1. Explain how to break a PRG G:{0,1}λ{0,1}λ+G : \bits^\secpar \to \bits^{\secpar+\ell} in time O(2λ/2)O(2^{\secpar/2}) on a quantum computer. Clearly describe an attack and analyze its distinguishing advantage.

  2. This exercise develops a quantum algorithm for finding collisions in a hash function.

    1. Using an analysis similar to lemma 4.5.5, show that the following program has at least a 50 percent chance of outputting collision\texttt{collision} when m=2n/3m = 2^{n/3}:

      for i=1i=1 to mm:
      X{0,1}nX \gets \bits^n
      if XXX \in \mathcal{X}:
      output collision\texttt{collision}
      X:=X{X}\mathcal{X} := \mathcal{X} \cup \{X\}
      for i=1i=1 to m2m^2:
      Y{0,1}nY \gets \bits^n
      if YXY \in \mathcal{X}:
      output collision\texttt{collision}
      output fail\texttt{fail}
    2. Let H\ro be a random oracle with nn output bits. We will write inputs to H\ro as integers rather than strings. Consider the following quantum algorithm for finding a collision in H\ro. What is the probability that it successfully finds a collision, and what is its running time?

      m:=2n/3m := 2^{n/3}
      for i=1i=1 to mm:
      X:=H(i)X := \ro(i)
      if P[X]P[X] defined:
      output “collision\texttt{collision}: ii and P[X]P[X]
      P[X]:=iP[X] := i
      // define the following function FF, whose
      // input domain is {m+1,,m+m2}\{ m+1, \ldots, m+m^2 \},
      // that has P[]P[\cdot] (from above) hard-coded:
      F(i)F(i):
      Y:=H(i)Y := \ro(i)
      if P[Y]P[Y] defined: return 1\bit1
      else: return 0\bit0
      use Grover's algorithm to find ii^* such that F(i)=1F(i^*) = 1
      if Grover's algorithm fails: output fail\texttt{fail}
      otherwise: output “collision\texttt{collision}: ii^* and P[H(i)]P[\ro(i^*)]
  3. Let n,m,qn,m,\qmod be parameters for the LWE problem. Suppose for the sake of simplicity that the error distribution E\mathcal E outputs values from the range {d,,d}\{-d, \ldots, d\}.

    1. With these parameters, how many outputs are possible from lwe.sample in Llwe-realn,m,q\lib{lwe-real}^{n,m,\qmod}? (definition 20.2.1)

    2. With these parameters, how many outputs are possible from lwe.sample in Llwe-randn,m,q\lib{lwe-rand}^{n,m,\qmod}?

    3. Suppose we use the suggested parameters n=λn = \secpar, q=λ2\qmod = \secpar^2, and d=λd = \sqrt{\secpar}. How do your answers to (a) and (b) scale with mm and λ\secpar, especially when mm is much larger than nn?

  4. In this exercise, we extend LWE secrets from vectors to matrices. Prove that if the LWE assumption is true for parameters n,m,qn,m,\qmod, then for any parameter \ell the following two libraries are indistinguishable:

    Llwe-multi-realn,m,,q\lib{lwe-multi-real}^{n,m,\ell,\qmod}
    lwe.multi.sample()\subname{lwe.multi.sample}(\,):
    M(Zq)m×n\mat{M} \gets (\Z_\qmod)^{m \times n}
    S(Zq)n×\mat{S} \gets (\Z_\qmod)^{n \times \ell}
    EEm×\mat{E} \gets \mathcal{E}^{m \times \ell}
    X=MS+E\mat{X} = \mat{M} \cdot \mat{S} + \mat{E}
    return (M,X)(\mat{M},\mat{X})
    \indist
    Llwe-multi-randn,m,,q\lib{lwe-multi-rand}^{n,m,\ell,\qmod}
    lwe.multi.sample()\subname{lwe.multi.sample}(\,):
    M(Zq)m×n\mat{M} \gets (\Z_\qmod)^{m \times n}
    X(Zq)m×\mat{X} \gets (\Z_\qmod)^{m \times \ell}
    return (M,X)(\mat{M},\mat{X})
  5. Formally show that the warmup protocol shown in the first figure in section 20.3 is not a passively secure KE protocol.

  6. In construction 20.3.1, Alice and Bob exchange a single scalar R=K+αq/2R = K + \alpha \lfloor q/2 \rfloor that helps them agree on an output bit α\alpha . Consider the following approach that works when qq is a multiple of 4, and the noise (difference between KK and KK') is bounded by q/8q/8. Alice sends a only single bit, indicating whether her value of KK is in the shaded region below; both users output a bit indicating whether Alice's KK is left or right of the dashed line.

    1. Explain/prove why the bit sent by Alice leaks nothing about the output bit.

    2. Explain how Bob can output the same secret bit as Alice.

  7. Using exercise 20.4 as inspiration, design a KE protocol in which the two parties agree on n2n^2 bits, after exchanging O(n2)O(n^2) elements of Zq\Z_q (nn is the LWE parameter). Prove that your protocol is secure.

  8. Propose a PKE scheme based on construction 20.3.1 and prove that it is CPA-secure under the LWE assumption. Your scheme can support single-bit plaintexts.

  9. \star There are variants of LWE that are unconditionally secure. For example, if the matrix is sufficiently wide (n2mlogqn \ge 2m \log q) and the secret vector is sampled not from (Zq)n(\Z_q)^n but from {0,1}n\{0,1\}^n, then the resulting LWE variant is secure, without any noise! In other words, the following two libraries are indistinguishable:

    Llhl-realn,m,q\lib{lhl-real}^{n,m,q}
    lwe.sample()\subname{lwe.sample}(\,):
    M(Zq)m×n\mat M \gets (\Z_q)^{m \times n}
    s{0,1}n\vec s \gets \hl{\{0,1\}^n}
    x=Ms\vec x = \mat{M} \vec{s}
    return (M,x)(\mat M,\vec x)
    \indist
    Llhl-randn,m,q\lib{lhl-rand}^{n,m,q}
    lwe.sample()\subname{lwe.sample}(\,):
    M(Zq)m×n\mat M \gets (\Z_q)^{m \times n}
    x(Zq)m\vec x \gets (\Z_q)^{m}
    return (M,x)(\mat M,\vec x)

    In section 20.3 we develop a KE protocol starting from the idea that (aG)b=a(Gb)(\vec a^\top \mat G) \vec b = \vec a^\top (\mat G \vec b), but where both users add LWE noise to their vectors.

    1. Design a KE protocol in which one participant adds noise, but the other uses this noiseless LWE variant. Identify the error term (difference between users' approximately-equal Zq\Z_q values), and prove that your protocol is secure.

    2. Propose two different PKE schemes based on this KE protocol, and prove that they are CPA-secure. The participants in the KE protocol have asymmetric roles, and the two PKE schemes arise by assigning different participants to the roles of ciphertext and public key.

Chapter Notes

For an accessible and nontechnical summary of limitations of quantum (not post-quantum) cryptography, see the recent report from several European government agencies [103].

Grover's algorithm is named for its creator, Lov Grover [117]. The collision-finding algorithm in exercise 20.2 is due to Brassard, Høyer, and Tapp [54]. There is debate as to whether this quantum algorithm could ever be more efficient than the classical birthday attack (see Bernstein [36]).

Shor's algorithm is named after its creator, Peter Shor [202].

The learning with errors assumption was introduced by Regev [188]. Claim 20.2.2 is due to Applebaum, Cash, Peikert, and Sahai [6]. For a comprehensive overview of LWE and lattice-based cryptography in general, see the retrospective article by Peikert [179].

The ML-KEM standard is based on the Kyber KEM, of Avanzi, Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, Schwabe, Seiler, and Stehlé [8].

Construction 20.3.1 is based on the PKE schemes of Lyubashevsky, Palacio, and Segev [151] and Lindner and Peikert [148]. The two approaches suggested in exercise 20.9 give rise to well-known PKE schemes: the one proposed by Regev in the paper that introduced the LWE assumption [188] and the “dual-Regev” scheme proposed by Gentry, Peikert, and Vaikuntanathan [109]. These use a noiseless variant of LWE based on a result called the leftover hash lemma, which is due to Impagliazzo and Zuckerman [125]. The noise-reconciliation method of exercise 20.6 is due to Peikert [178].

  1. Previous Chapter19. Zero-Knowledge Proofs