Lattice-based cryptography


Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions underlie several post-quantum cryptography standards. Unlike the more widely used public-key schemes such as RSA, Diffie-Hellman or elliptic-curve cryptosystems, which could in principle be broken by running Shor's algorithm on a large enough quantum computer, some lattice-based constructions appear to resist attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently. In 2024, NIST issued the Module-Lattice-Based Digital Signature Standard for post-quantum cryptography.

History

In 1996, Miklós Ajtai introduced the first lattice-based cryptographic construction whose security could be based on the hardness of well-studied lattice problems, and Cynthia Dwork showed that a certain average-case lattice problem, known as short integer solutions (SIS), is at least as hard to solve as a worst-case lattice problem. She then exhibited a cryptographic hash function whose security is equivalent to the computational hardness of SIS. In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced a lattice-based public-key encryption scheme known as NTRU. However, breaking their scheme is not known to be at least as hard as solving a worst-case lattice problem. The first lattice-based public-key encryption scheme whose security was proven under worst-case hardness assumptions was introduced by Oded Regev in 2005, together with the learning with errors problem (LWE). Since then, much follow-up work has focused on tightening Regev's security proof and improving the efficiency of the original scheme, and much more work has been devoted to constructing additional cryptographic primitives based on LWE and related problems. For example, in 2009, Craig Gentry introduced the first fully homomorphic encryption scheme, which was based on a lattice problem.

Mathematical background

In linear algebra, a lattice is the set of all integer linear combinations of a basis, that is, of a set of linearly independent vectors in n-dimensional real space. For example, the set of all integer vectors in n dimensions is a lattice, generated by the standard basis. Crucially, the basis for a lattice is not unique. For example, the vectors (3, 1, 4), (1, 5, 9), and (2, -1, 0) form an alternative basis for the three-dimensional integer lattice: the matrix with these rows has determinant 1, so its inverse is also an integer matrix and every integer vector is an integer combination of the three. The most important lattice-based computational problem is the shortest vector problem (SVP, or GapSVP in its decision/approximation form), which asks us to approximate the minimal Euclidean length of a non-zero lattice vector. This problem is thought to be hard to solve efficiently, even for approximation factors polynomial in n, and even on a quantum computer. Many (though not all) lattice-based cryptographic constructions are known to be secure if SVP is in fact hard in this regime.
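As an added example (my own code, not part of the original article), the following Python checks the two claims above with exact rational arithmetic: that the vectors (3, 1, 4), (1, 5, 9), (2, -1, 0) generate the same lattice as the standard basis, and that the short vectors are still present in that lattice but require large coefficients when expressed in the "long" basis, which is exactly what makes SVP non-trivial once the basis is not the obvious one. The helper names, the coefficient bound used in the brute-force search, and the counterexample basis are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import product

# Constructed sample bases (rows are basis vectors); ALTERNATIVE is the one quoted in the text.
STANDARD = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
ALTERNATIVE = [[3, 1, 4], [1, 5, 9], [2, -1, 0]]


def det(matrix):
    """Exact determinant by Gaussian elimination over the rationals (int if integral)."""
    a = [[Fraction(x) for x in row] for row in matrix]
    n = len(a)
    d = Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            return 0
        if pivot != col:
            a[col], a[pivot] = a[pivot], a[col]
            d = -d  # a row swap flips the sign
        d *= a[col][col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
    return int(d) if d.denominator == 1 else d


def solve_linear(A, b):
    """Solve A x = b exactly by Gauss-Jordan elimination; None if A is singular."""
    n = len(A)
    m = [[Fraction(x) for x in row] + [Fraction(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        m[col] = [x / p for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [row[n] for row in m]


def coefficients(basis, target):
    """Integer coefficients c with sum(c_i * basis[i]) == target, or None if target
    is not a lattice point of this basis (i.e. some coefficient is non-integral)."""
    A = [list(col) for col in zip(*basis)]  # transpose: columns are the basis vectors
    x = solve_linear(A, target)
    if x is None or any(c.denominator != 1 for c in x):
        return None
    return [int(c) for c in x]


def same_lattice(b1, b2):
    """Two full-rank bases generate the same lattice iff each one's vectors lie in the other's lattice."""
    return (all(coefficients(b1, v) is not None for v in b2)
            and all(coefficients(b2, v) is not None for v in b1))


def shortest_vector_bruteforce(basis, bound):
    """Exhaustive SVP: try every coefficient vector in [-bound, bound]^n and return
    (squared length, vector, coefficients) of the shortest non-zero lattice vector found."""
    n = len(basis)
    dim = len(basis[0])
    best = None
    for coeffs in product(range(-bound, bound + 1), repeat=n):
        if not any(coeffs):
            continue
        v = [sum(c * basis[i][j] for i, c in enumerate(coeffs)) for j in range(dim)]
        norm2 = sum(x * x for x in v)
        if best is None or norm2 < best[0]:
            best = (norm2, v, coeffs)
    return best


if __name__ == "__main__":
    print("det(ALTERNATIVE) =", det(ALTERNATIVE))
    print("same lattice as Z^3:", same_lattice(STANDARD, ALTERNATIVE))
    print("(1,0,0) in ALTERNATIVE coordinates:", coefficients(ALTERNATIVE, [1, 0, 0]))
    for bound in (1, 3, 11):
        print(f"shortest vector with |coeff| <= {bound}:", shortest_vector_bruteforce(ALTERNATIVE, bound))
```

With coefficients limited to the range [-1, 1] the search only finds (2, -1, 0), of squared length 5; the unit vector (1, 0, 0) needs coefficients (9, -4, -11). Exhaustive search is of course exponential in the dimension, and in cryptographic dimensions the best known tools (LLL/BKZ lattice reduction) only find approximately short vectors, which is the source of the hardness assumption the text refers to.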

Selected lattice-based schemes

This section presents selected lattice-based schemes, grouped by primitive.

Encryption

Selected schemes for the purpose of encryption:

Homomorphic encryption

Selected schemes for the purpose of homomorphic encryption:

Hash functions

Selected lattice-based cryptographic schemes for the purpose of hashing:

Key exchange

Selected schemes for the purpose of key exchange, also called key establishment, or, when one party encapsulates a fresh key under the other's public key, a key encapsulation mechanism (KEM):

Signing

This section lists a selection of lattice-based schemes for the purpose of digital signatures.

CRYSTALS-Dilithium

CRYSTALS-Dilithium, or simply Dilithium, is built upon module-LWE and module-SIS. Dilithium was selected by NIST as the basis for a digital signature standard. According to a message from Ray Perlner, writing on behalf of the NIST PQC team, the NIST module-LWE signing standard is to be based on version 3.1 of the Dilithium specification. NIST's changes relative to Dilithium 3.1 add support for additional randomness in signing (hedged signing), among other improvements. Dilithium was one of the digital signature schemes selected by NIST in July 2022 in its post-quantum cryptography process, alongside Falcon, which is also lattice-based, and SPHINCS⁺, which is based on hash functions rather than lattices. In August 2023, NIST published FIPS 204 (Initial Public Draft) and began referring to Dilithium as the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). As of October 2023, ML-DSA was being implemented as a part of Libgcrypt, according to Falco Strenzke.

Security

Lattice-based cryptographic constructions hold great promise for public-key post-quantum cryptography. The main alternative forms of public-key cryptography are schemes based on the hardness of factoring and related problems, and schemes based on the hardness of the discrete logarithm and related problems. Both factoring and the discrete logarithm problem, however, are known to be solvable in polynomial time on a quantum computer. Furthermore, algorithms for factorization tend to yield algorithms for discrete logarithm, and conversely. This further motivates the study of constructions based on alternative assumptions, such as the hardness of lattice problems.

Many lattice-based cryptographic schemes are known to be secure assuming the worst-case hardness of certain lattice problems. That is, if there exists an algorithm that can efficiently break the cryptographic scheme with non-negligible probability, then there exists an efficient algorithm that solves a certain lattice problem on every input. However, for the practical lattice-based constructions (such as schemes based on NTRU, and even schemes based on LWE with efficient parameters), meaningful reduction-based guarantees of security are not known. Assessments of the security levels provided by reduction arguments from hard problems, based on recommended parameter sizes, standard estimates of the computational complexity of the hard problems, and detailed examination of the steps in the reductions, are called concrete security and sometimes practice-oriented provable security. Authors who have investigated concrete security for lattice-based cryptosystems have found that the provable security results for such systems do not provide any meaningful concrete security for practical values of the parameters. In practice, parameters for deployed schemes are therefore chosen by directly estimating the cost of the best known attacks (lattice reduction and its variants) against the specific instance, not by instantiating the reductions.
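As an added illustration of the LWE-based schemes discussed above (my own code, not the article's and not any standardized scheme), here is a toy Regev-style bit encryption in Python. The public key is a batch of LWE samples (A, b = A·s + e mod q) and a ciphertext is the sum of a random subset of them; decryption works because the accumulated error stays below q/4. The block also shows why the error term matters: with e = 0 the public key is an ordinary linear system over Z_q and Gauss-Jordan elimination recovers the secret outright, while with noise the same elimination returns something unrelated to s. The parameters N, M, Q and the error distribution are assumptions chosen for readability; at this size the instance is trivially breakable by lattice reduction, which is the point of the concrete-security discussion above.

```python
import random

# Toy parameters (assumption for illustration only; deployed schemes use
# dimensions in the hundreds and carefully tuned error distributions).
N = 16    # dimension of the secret s
M = 40    # number of LWE samples published in the public key
Q = 257   # prime modulus; the error sum at decryption must stay below Q // 4


def keygen(rng, noise=True):
    """Return ((A, b), s) with b = A*s + e mod Q; e is in {-1,0,1}^M, or all-zero if noise=False."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    e = [rng.choice((-1, 0, 1)) if noise else 0 for _ in range(M)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % Q for row, err in zip(A, e)]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Regev-style encryption of one bit: add up a random subset of the public samples
    and shift the scalar part by Q//2 when bit == 1."""
    A, b = pk
    subset = [i for i in range(M) if rng.random() < 0.5]
    u = [sum(A[i][j] for i in subset) % Q for j in range(N)]
    v = (sum(b[i] for i in subset) + bit * (Q // 2)) % Q
    return u, v


def decrypt(sk, ct):
    """v - <u, s> = bit*(Q//2) + (sum of at most M errors of magnitude <= 1) mod Q,
    so the residue is within M < Q//4 of 0 for bit 0 and of Q//2 for bit 1."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, sk))) % Q
    return 0 if min(d, Q - d) < Q // 4 else 1


def roundtrip_ok(seed):
    """Encrypt and decrypt both bit values under a fresh key; True if both come back."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return all(decrypt(sk, encrypt(pk, bit, rng)) == bit for bit in (0, 1))


def solve_mod_q(A, b):
    """Gauss-Jordan elimination over Z_Q. For an exact system A*s = b this returns s
    (None if rank < N). For a noisy b it still returns a vector, but not the secret."""
    rows = [list(r) + [rhs] for r, rhs in zip(A, b)]
    piv = 0
    for col in range(N):
        p = next((r for r in range(piv, len(rows)) if rows[r][col] % Q), None)
        if p is None:
            return None
        rows[piv], rows[p] = rows[p], rows[piv]
        inv = pow(rows[piv][col], -1, Q)          # modular inverse, Q is prime
        rows[piv] = [(x * inv) % Q for x in rows[piv]]
        for r in range(len(rows)):
            if r != piv and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % Q for x, y in zip(rows[r], rows[piv])]
        piv += 1
    return [rows[i][N] for i in range(N)]


def linear_algebra_recovers_secret(seed, noise):
    """Does plain linear algebra over Z_Q recover s from the public key?"""
    rng = random.Random(seed)
    (A, b), s = keygen(rng, noise=noise)
    return solve_mod_q(A, b) == s


if __name__ == "__main__":
    print("round trip for seeds 0..4:", all(roundtrip_ok(seed) for seed in range(5)))
    print("linear algebra recovers s without noise:", linear_algebra_recovers_secret(0, noise=False))
    print("linear algebra recovers s with noise:   ", linear_algebra_recovers_secret(0, noise=True))
```

The correctness argument is in the `decrypt` docstring: the error budget is M < Q//4, so decryption never fails at these parameters. What the noise buys is visible in `linear_algebra_recovers_secret`: the same 40 samples that are a trivial linear system at e = 0 become an LWE instance once e is non-zero, and the only known generic attacks then go through lattice reduction on a lattice built from A, whose cost at real parameter sizes is what the concrete-security estimates quantify.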

Functionality

For many cryptographic primitives, the only known constructions, or the only practical ones, are based on lattices or closely related objects. These primitives include fully homomorphic encryption, indistinguishability obfuscation, cryptographic multilinear maps, and functional encryption.

This article is derived from Wikipedia and licensed under CC BY-SA 4.0.
