
Lattice-based Post Quantum Cryptography using Variations of Learning with Error (LWE)

Abstract. Before the advent of quantum computing, public key cryptography techniques such as RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC) showed their importance. Whereas the discrete logarithm problem underpins the security of DH and ECC, the factorization problem serves as the foundation for RSA security. Solving these problems with the computing resources available today is thought to be challenging. Nonetheless, a quantum computer would have little trouble solving them. This prompts the pursuit of alternative cryptographic algorithms that remain viable in the era of quantum computing. The algorithms need to be efficient, and secure enough that not even a quantum computer should be able to break them. Many candidates are lattice-based algorithms. Most lattice-based algorithms are securely implemented with the help of Learning with Error (LWE). Much research has been done to explain how lattice-based cryptography operates using LWE. This paper provides a basic yet detailed explanation of LWE variations. The potential attacks and defenses are also discussed.

Keywords: Public Key Cryptography, Post Quantum Cryptography, Lattice-Based Cryptography, Learning with Error, Attack on Lattice-Based Cryptography

1 Introduction

Adversaries intercept and store encrypted information such as account details and passwords. This encrypted information is of no use to them at the moment. One of the popular public key cryptography algorithms is RSA, whose security depends on the factorization problem. Even with the most efficient known factoring algorithm, the General Number Field Sieve, running on a supercomputer, factoring a product of two huge primes would take around 16 million years. However, within 10 to 20 years, this information could be decrypted in a minute once a quantum computer becomes accessible. This procedure is known as Store Now, Decrypt Later (SNDL), and it works because today's information will still be valuable in a decade: industrial and pharmaceutical research and top-secret government intelligence, for example. Everyone is aware of this threat.

The National Security Administration says that a sufficiently large quantum computer, if built, could undermine all widely deployed public key algorithms. Even though sufficiently powerful quantum computers are still years away, they are already a threat because of SNDL, which is why the US Congress recently passed legislation mandating that all agencies start transitioning now to new cryptographic methods that cannot be broken by quantum computers.

In 1994, Peter Shor [1] and Don Coppersmith [2] discovered how to calculate the factors of an RSA public modulus using a quantum Fourier transform. It operates like a conventional Fourier transform: applied to a periodic signal, it returns the signal's frequencies. The steps to determine the prime factors p and q of an RSA public modulus N are as follows.

1. Take any number g such that GCD(g, N) = 1.
2. Find the number of times (the exponent r) that g must be multiplied by itself to get one more than a multiple of N (Eq. 1).
3. Using that exponent r, calculate two new integers that most likely share factors with N (Eq. 2).
4. Lastly, identify the factors shared between those numbers and N using Euclid's algorithm; this should yield p and q.

The steps above do not require a quantum computer or a supercomputer to run; the point is that, on a quantum computer, this method executes faster than any other method does on a classical computer.

$$g^{r} = mN + 1 \qquad (1)$$

$$\left(g^{r/2} + 1\right)\left(g^{r/2} - 1\right) = mN \qquad (2)$$

These two terms (Eq. 2) most likely share factors with N. Any large product of two prime numbers can be factored by a quantum computer because g can be thought of as a generator of a cycle, which produces a periodic sequence. The qubits are divided into two sets at the start of the procedure. Five years later, the projected number of physical qubits needed to crack RSA encryption had decreased from one billion in 2012 to 230 million. Following additional technological advances in 2019, that estimate fell to barely 20 million physical qubits.
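The four steps above, carried out classically on toy moduli as an added example (this is not code from the paper): the period r of Eq. 1 is found by brute force, which is exactly the part Shor's algorithm replaces with the quantum Fourier transform, and the two gcds of Eq. 2 are then taken. The code also handles the two cases the steps gloss over, where a particular g yields only trivial factors. Function names and the moduli 15, 21 and 35 are my own choices.

```python
from math import gcd

def find_period(g, N):
    """Smallest r >= 1 with g^r = mN + 1, i.e. g^r ≡ 1 (mod N) (Eq. 1).
    Found here by brute force, the step the quantum Fourier transform speeds up;
    classically it can take up to N multiplications, so only toy moduli are practical."""
    if gcd(g, N) != 1:
        raise ValueError("g must satisfy GCD(g, N) = 1")
    r, x = 1, g % N
    while x != 1:
        x = (x * g) % N
        r += 1
    return r

def factor_from_period(g, N):
    """Steps 2-4 for one choice of g: get r, then GCD(g^(r/2) + 1, N) and
    GCD(g^(r/2) - 1, N) (Eq. 2). Returns (p, q), or None when this g only gives
    trivial factors: r is odd (g^(r/2) is not an integer power) or g^(r/2) ≡ -1 (mod N),
    in which case one gcd is N itself and the other is 1."""
    r = find_period(g, N)
    if r % 2 == 1:
        return None
    half = pow(g, r // 2, N)
    if half == N - 1:
        return None
    p, q = gcd(half + 1, N), gcd(half - 1, N)
    if p in (1, N) or q in (1, N):
        return None
    return tuple(sorted((p, q)))

def factor(N):
    """Try candidate g values in turn until one of them splits N."""
    for g in range(2, N):
        d = gcd(g, N)
        if d != 1:
            return tuple(sorted((d, N // d)))   # g already shares a factor with N
        result = factor_from_period(g, N)
        if result is not None:
            return result
    return None

if __name__ == "__main__":
    print(find_period(7, 15))            # 4: 7^4 = 2401 = 160*15 + 1
    print(factor_from_period(7, 15))     # (3, 5) from gcd(7^2 + 1, 15), gcd(7^2 - 1, 15)
    print(factor_from_period(14, 15))    # None: 14 ≡ -1 (mod 15) gives only trivial factors
    print(factor(35))                    # (5, 7)
```

For g = 14 and N = 15 the period is 2 and g^(r/2) = 14 ≡ -1, so Eq. 2 degenerates to 15 · 13 and Euclid returns 15 and 1; a real run of the algorithm just picks another g, which is what `factor` does.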

In 2016, NIST issued a call for proposals for new cryptographic algorithms resistant to quantum computing. 82 distinct submissions were received from cryptographers worldwide, and after thorough testing, some of them were found to be broken. On July 5th, 2022, NIST announced the inclusion of 4 of them in its Post-Quantum Cryptography (PQC) standard. The mathematics of lattices provides the foundation for 3 of those 4 algorithms.

2 PQC: The Theoretical Basis

2.1 Lattice-Based Cryptography and its alternative

The most widely used algorithm for cryptography under investigation for PQC is Lattice-Based
Cryptography (LBC). The three categories of lattice-based systems include lattice-based
signature schemes (Falcon, Rainbow, Dilithium), lattice-based encryption (Learning with
Errors—LWE, Ring-LWE, NTRU), and lattice-based key exchanges (Kyber, Frodo). Numerous
lattice-based systems have been suggested and implemented in hardware and have been the
subject of substantial research [3, 4]. Remarkably, lattice-based systems comprise up to three of
the four contenders chosen for standardization by NIST. However, with the advent of quantum
computers and their new attack vectors, hash-based digital signatures attracted more academic
attention [5, 6, 7]. Code-based cryptography refers to safe encryption techniques that use error-
correcting codes as their foundation [4, 8]. Despite the algorithm's early proposal, security
remains assured, even in the face of quantum attacks. As a result, NIST decided to consider this
approach for the fourth round. Using multivariable polynomials over a finite field for asymmetric
encryption is known as multivariable cryptography. The multivariable polynomial problem is
appropriate for PQC since it is non-deterministic polynomial-time (NP)-complete. Isogeny of the
Elliptic Curves technique has been studied [3, 9], but it was attacked, and as a result, it was
removed from the list of possible algorithms for the fourth round.

2.2 What is Lattice?

A lattice is shown as points in two dimensions in Fig. 1. The origin O and the basis vectors {b1, b2} (or, equivalently, {b3, b4}) define the lattice. Each lattice point is an integer linear combination of the basis vectors; for instance, V = −2b1 + b2. Take the two vectors b1 and b2. By adding together different integer combinations of these vectors, say three times b1 plus one time b2 (3b1 + b2), you reach different points. The set of all points you can reach by combining this basis is the lattice. Now consider a point P and find the combination of b1 and b2 that brings us closest to P (Fig. 2). It takes us negative three times b1 and positive four times b2 to get to the closest lattice point (3b1 − 4b2).

Fig. 1. Lattice with a good basis and a bad basis

Fig. 2. Closest point with a good basis

Fig. 3. Closest point with a bad basis

Now take b3 and b4. This bad basis generates the same lattice. Finding the combination of b3 and b4 that reaches the lattice point closest to P (Fig. 3) has become a lot harder. Why is that? Each time we take a step, we try to get closer in some direction, but with this basis, each step in the right direction with one vector throws us off in another direction. That is why these vectors are much harder to work with. In the end, it takes us seven times b3 and negative six times b4 to get to the closest lattice point (7b3 − 10b4).

Two NP-hard classical problems in LBC are as follows:

• Shortest Vector Problem (SVP): finding a lattice's shortest non-zero vector is hard. The graph's shortest vector is denoted by s. There exist certain conditions under which the SVP is NP-hard.
• Closest Vector Problem (CVP): given a lattice and a target vector V, find the lattice vector closest to V. For example, z is the closest vector to t.

As the number of dimensions increases, the number of lattice points increases. Solving the closest vector problem in three dimensions is simple for an ordinary computer. One hundred dimensions ought to be doable. However, a thousand dimensions can be employed in proposed encryption systems. If you make a correct step in one of those dimensions, you might make a wrong one in the other 999. You lose everything else while winning some. With that many dimensions, it becomes practically impossible to determine the closest point, even with the most powerful computers, unless you know a suitable collection of vectors.

So how can encryption and decryption be performed? Let us use the two-dimensional example above. Each person has a good set of vectors that describes a lattice, but they keep these vectors secret and share their lattice publicly only through a set of vectors that is hard to work with (the bad vectors). Now, if the sender wants to send someone a message, the sender picks a point on the receiver's lattice; say this point corresponds to the number x. So if the sender wants to send the number seven, the sender takes the corresponding point and then adds some random noise or error to it, so the message that is sent is not precisely at that lattice point but close to it. To decode the message, the receiver must figure out which lattice point is closest to the message point. This is extremely hard to do in a thousand dimensions unless one has the good set of vectors, which the receiver does. So it is easy for the receiver, who has the good vectors, but hard for everyone else. And as far as we know, this problem is extremely difficult to solve for both classical and quantum computers.
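A two-dimensional version of the scheme just described, as an added example that is not part of the paper and uses a constructed lattice rather than the vectors of Figs. 1 to 3. It builds a good basis and a bad basis of the same lattice, performs the closest-vector step with Babai's round-off algorithm (my choice of method; the text does not name one), and shows that rounding lands on the right lattice point with the good basis and on a wrong one with the bad basis; `encrypt` and `decrypt` then follow the sender and receiver roles in the text. All names and numeric values are assumptions.

```python
from fractions import Fraction

# Constructed 2-D lattice (not the paper's figures). GOOD_BASIS is short and nearly
# orthogonal; BAD_BASIS spans the same lattice because it is derived from it by a
# unimodular (determinant 1) integer change of basis.
GOOD_BASIS = ((3, 1), (1, 3))
UNIMODULAR = ((1, 3), (2, 7))          # det = 1*7 - 3*2 = 1

def combine(basis, coeffs):
    """coeffs[0]*b1 + coeffs[1]*b2 for a basis given as two row vectors."""
    (b1, b2), (c1, c2) = basis, coeffs
    return (c1 * b1[0] + c2 * b2[0], c1 * b1[1] + c2 * b2[1])

def change_basis(basis, u):
    """Each row of u gives one new basis vector as a combination of the old ones."""
    return tuple(combine(basis, row) for row in u)

BAD_BASIS = change_basis(GOOD_BASIS, UNIMODULAR)   # ((6, 10), (13, 23))

def coordinates(basis, t):
    """Exact real coordinates (x1, x2) with t = x1*b1 + x2*b2 (2-D only)."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    t0, t1 = Fraction(t[0]), Fraction(t[1])
    return ((t0 * d - c * t1) / det, (a * t1 - b * t0) / det)

def babai_round(basis, t):
    """Babai's round-off: express t in the basis, round each coordinate to the
    nearest integer and return that lattice point. With a good basis this is the
    closest lattice point for small offsets; with a bad basis the rounding error
    in one coordinate is amplified by the long, skewed basis vectors."""
    x = coordinates(basis, t)
    return combine(basis, (round(x[0]), round(x[1])))

def dist2(p, q):
    """Squared Euclidean distance."""
    return (p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2

def encrypt(public_basis, message, noise):
    """Sender: the message is a pair of integer coefficients in the public (bad)
    basis; the ciphertext is that lattice point plus a small noise offset."""
    point = combine(public_basis, message)
    return (point[0] + noise[0], point[1] + noise[1])

def decrypt(private_basis, public_basis, ciphertext):
    """Receiver: snap to the closest lattice point using the private (good) basis,
    then read that point's integer coordinates in the public basis."""
    point = babai_round(private_basis, ciphertext)
    m = coordinates(public_basis, point)
    assert m[0].denominator == 1 and m[1].denominator == 1   # it is a lattice point
    return (int(m[0]), int(m[1]))

# Constructed demo values: message (2, -1), noise (0.3, -0.4).
MESSAGE = (2, -1)
NOISE = (Fraction(3, 10), Fraction(-2, 5))
CIPHERTEXT = encrypt(BAD_BASIS, MESSAGE, NOISE)   # lattice point (-1, -3) plus noise

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("good-basis round-off:", babai_round(GOOD_BASIS, CIPHERTEXT))   # (-1, -3)
    print("bad-basis round-off: ", babai_round(BAD_BASIS, CIPHERTEXT))    # (-2, -6)
    print("decrypted:", decrypt(GOOD_BASIS, BAD_BASIS, CIPHERTEXT))        # (2, -1)
```

Anyone can compute the lattice point from the public basis, which is why the sender can encrypt; only the round-off with the good basis recovers it from the noisy point, and the same unimodular trick that hides the good basis in two dimensions is what makes the thousand-dimensional case hard for everyone except the key holder.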

3 Literature Review

Considerable research has been done recently on quantum computers, which use quantum
mechanical phenomena to solve mathematical puzzles that are challenging or unsolvable for
traditional computers. In addition to outlining NIST's initial plan for moving further in this area,
the Internal Report of NIST discusses the current understanding of it and the status of quantum
computing and PQC. The study highlights agencies' need to concentrate on crypto agility and
acknowledges the difficulty of implementing new cryptographic infrastructures [5, 4].

[10] examines 14 real-world applications from the Internet, workplace, critical infrastructure, and
financial sectors that use digital signatures. They assess the applications' signing requirements
against NIST candidate methods for the PQC Standardization phase three, in addition to
comprehending the usage of digital signing. This is accomplished using a suggested framework
in which they create a feasibility matrix by mapping each algorithm's applicability against the
needs of the applications.

Although encryption, digital signatures, key exchange, and homomorphic encryption offer
assurances in theory, their implementation on modern computing platforms necessitates
deliberate decision-making and compromises to handle the variety of platforms. The study [9]
examines the current state of LBC algorithms, recent fundamental ideas for lattice applications
in computer security, difficulties in implementing lattices in hardware and software, and new
requirements for their acceptance. The survey aims to provide helpful background information
on mathematics.

The [11] study aims to compare the hardware of the NIST PQC competition contestants. To do
this, they convert the high-level C specifications of selected PQC candidates into ASIC and
FPGA implementations using a hardware design approach called High-Level Synthesis (HLS).

IoT and Networking

[12] adapt some PQCs that may be useful for Internet of Things (IoT) devices to function with
existing cryptography software. They measure their performance to derive recommendations for
the optimal choice of hardware applications with limited resources. Their findings demonstrate
that many of these algorithms may be effectively implemented in IoT hardware, offering
sufficient defense against future attacks by quantum computers. Certain mathematical operations
not significantly accelerated by quantum algorithms have been identified in this field of study,
and cryptographic systems have been developed based on those discoveries [7].

Quantum computing has many uses in 5G and beyond networks. Due to its exponential data
processing speed, it can handle a wide range of scientific and business difficulties. [13] presents
a thorough overview of the main uses of quantum computing, including optimization, quantum
simulation, and unstructured search. Additionally, it can enhance the accuracy and speed of
several current technologies, such as machine learning.

Quantum Key Distribution (QKD), a crucial component of quantum cryptography, establishes and distributes symmetric cryptographic keys between two geographically separated users by utilizing the laws of quantum physics. QKD creates cryptographic keys that are resistant to eavesdropping and are information-theoretically safe. [14] provides an overview of the security problems and strategies related to network protocols, interfaces, and management organizations in 5G networks. They start by going over the foundations of QKD and talk about how QKD networks are made and used. They provide an overview of QKD network architecture, including its elements and standards. They next go over a synopsis of QKD and post-quantum key distribution strategies, as well as methods for integrating them into already-in-use security frameworks like VPNs (IPsec and MACsec).

Because PQC protects against quantum attacks, it is crucial for the IoT. [15] provides a thorough
review of the literature on PQC for IoT networks, outlining the difficulties and future perspectives
for the field's development. This effort focuses on PQC, which is helpful for devices with
resource constraints. Additionally, a survey of those quantum attacks is conducted, which can be
applied to both conventional and lightweight cryptographic primitives.

[16] thoroughly analyzes the threats of quantum computing assaults, possible countermeasures,
and unmet difficulties facing DER networks. First, the cyber-physical DER systems' new security
flaws and attack vectors from quantum computing attacks are investigated. Additionally, this
study assesses security tactics against quantum attacks. It presents two possible protection
strategies, QKD and PQC, which can be used with DER networks. Lastly, unexplored research
directions and difficulties for the next generation of quantum-safe DER are explored.

PQC apps should primarily focus on domains closely related to human life, including automotive
communications. The purpose of the survey [17] is to offer recommendations for post-quantum
candidates that are most suited to different device needs. It also offers effective and physically
secure implementations that can be integrated into current embedded applications with the same
ease as standard PKC.

Blockchain

The most important techniques and methods that have advanced quantum computing and the
many types of post-quantum cryptosystems are briefly discussed in [18]. Their work also serves
as a reference for comprehending the foundations of blockchain technology and the current
security measures. In light of quantum risks, they offer an analysis of the most significant
cryptocurrencies ranked by market capitalization (MC), and they conclude with a study of
proposed post-quantum blockchain (PQB) schemes.

In order to secure blockchain technologies, [19] examines the state of the art in PQC and how
Distributed Ledger Technology (DLT) and blockchains can use them. Additionally, the most
pertinent PQB systems and their primary difficulties are examined. Moreover, a comprehensive
analysis is presented of the traits and efficacy of the most promising post-quantum digital
signature and public-key encryption systems for blockchains. Therefore, the goal of this work is
to give upcoming blockchain researchers and developers a comprehensive overview and practical
guidance on PQB security.

Key distribution

Security protocols for quantum key distribution have been demonstrated where every device operates flawlessly in terms of technology and protocol functionality. The primary obstacles in quantum communication are the secret key rate, QKD device size, cost, and distance. [20] conducts a thorough analysis of various facets of PQC, device-independent cryptography techniques, secure multiparty communication protocols, quantum secure direct communication, semi-quantum key distribution, and non-deterministic quantum key distribution protocols. They also talked about various experiments done in the field of quantum cryptography, as well as threats and difficulties associated with the paradigm change from classical to quantum encryption.

Although QKD is the most well-known example of this field, numerous other applications exist,
including delegated quantum computation, quantum money, randomness creation, and secure
two and multi-party computation. The study [21, 22] of quantum adversaries' constraints and
difficulties, such as the impossibility of quantum bit commitment, the difficulty of quantum
rewinding, and the creation of quantum security models for classical primitives, is another aspect
of quantum cryptography. They examine the field of theoretical quantum cryptography,
especially for cryptographers unfamiliar with the quantum world, focusing on the constructions
and constraints outside of QKD.

When incorporating QKD into security infrastructures, it is crucial to consider how QKD can be
integrated with other cryptographic primitives. [23] aims to support such an analysis, focusing
mostly on European research findings. First, they compare and contrast the characteristics of the
primary establishing methods that are now in use, QKD included. Next, they examine two general
scenarios: first, employing QKD in a network with multiple users to provide any-to-any key setup
service, and second, using QKD as a key renewal approach for a symmetric cipher over a point-
to-point link. They review the limitations and possible benefits of applying QKD in certain
situations.

[24] undertakes a comprehensive analysis of PQC algorithms via the lens of conventional
cryptography. Initially, the notion and historical context of PQC are presented. Next, a study is
conducted on the Kyber post-quantum encryption algorithm. Lastly, a summary of this
developing discipline's successes, challenges, and unresolved issues is provided, along with some
future projections.

With an emphasis on secure key generation and storage in addition to secure execution, the [25]
study seeks to raise awareness of the significance of physical security. More precisely, the
potential for side-channel analysis in the quantum realm is explored and contrasted with attacks
carried out in the classical realm. In addition, to better understand their features, advantages, and
drawbacks, suggestions for quantum random number generation and quantum physically
unclonable functions are contrasted to their classical counterparts and further studied.

4 Learning With Errors (LWE) Algorithms

The Learning with Errors (LWE) cryptosystem is crucial for PQC, as it provides cryptographic methods resistant to attacks from quantum computers. Its foundation is the eponymous LWE problem, a key problem in LBC. The security of many cryptographic protocols rests on the assumption that solving LWE is computationally hard on both classical and quantum computers. This makes LWE-based schemes resistant to powerful quantum algorithms such as Shor's. To provide security assurances in a post-quantum setting, several cryptographic primitives essential for post-quantum security, including encryption and digital signature schemes, exploit the difficulty of solving LWE. These schemes are efficient and practical, and they have been thoroughly examined to ensure they are secure and viable.

4.1 Definition

Given a uniformly random matrix $A \in \mathbb{Z}_q^{m \times n}$, a secret vector $s \in \mathbb{Z}_q^n$, and an error vector $e \in \mathbb{Z}_q^m$ with small entries, the (decision) LWE task is to distinguish the distribution of $(A,\, A s + e)$ from the uniform distribution over $\mathbb{Z}_q^{m \times n} \times \mathbb{Z}_q^m$.

4.2 Variants and Extensions

Ring-LWE [26]: This variant leverages the structure of polynomial rings to achieve more efficient algorithms and compact key sizes. It involves the same kind of equations as LWE but defined over polynomial rings $\mathbb{Z}_q[x]/(f(x))$.

Module-LWE [27]: This variant generalizes LWE and Ring-LWE by considering module structures over polynomial rings. It strikes a balance between LWE's flexibility and Ring-LWE's efficiency.

4.3 Cryptographic Schemes Based on LWE and Its Variants

4.3.1 Encryption Schemes

Regev's Cryptosystem [28]: An LWE-based public key encryption scheme providing semantic
security under the assumption that LWE is hard.

FHE Schemes: Fully Homomorphic Encryption (FHE) schemes, such as those by Gentry, Sahai,
and Waters [29], and Brakerski and Vaikuntanathan [30], utilize LWE to perform computations
on encrypted data without decrypting it first.

4.3.2 Digital Signatures

BLISS [31]: The BLISS (Bimodal Lattice Signature Scheme) uses Ring-LWE to create efficient
and secure digital signatures.

Dilithium: Dilithium is part of the NIST PQC standardization process. It is based on Module
LWE and offers robust security and efficiency.

4.3.3 Key Exchange and Identification

NewHope [32]: An efficient key exchange protocol based on Ring-LWE; it was used in Google's experimental post-quantum key exchange in TLS.

FrodoKEM [33]: A key encapsulation mechanism based directly on LWE without relying on
structured lattices, providing conservative security assurances.

4.4 Hardness Assumptions and Security

Worst-Case to Average-Case Reductions: Regev [28] shows that LWE's security relies on
reductions from worst-case lattice problems. This provides strong evidence for its hardness under
quantum attacks.

Quantum Security: The conjectured hardness of lattice problems under quantum attacks makes
LWE-based schemes attractive for PQC.

4.5 Efficiency and Practical Implementations

Performance Improvements: Over the years, numerous works have improved the efficiency of
LWE-based schemes through better algorithms, parameter selection, and implementation
techniques. For example, optimizations in polynomial arithmetic have significantly boosted the
performance of Ring-LWE-based schemes.

Implementation Projects: Libraries like PALISADE, Lattigo, and Microsoft SEAL have been
developed to efficiently implement lattice-based cryptographic primitives.

The LWE problem involves solving a system of linear equations perturbed by minor errors. The
security of LWE-based cryptographic schemes relies on the difficulty of solving these noisy
equations.

Algorithm 1 – Learning with Error (LWE)

Setup
1. Choose a prime modulus $q$. (Example: $q = 11$)
2. Choose a dimension $n$. (Example: $n = 3$)
3. Choose a secret vector $s \in \mathbb{Z}_q^n$. (Example: $s = (3, 5, 7)$)
4. Define a small error distribution $\chi$ over $\mathbb{Z}_q$. (Example: sample small integers like −1, 0, 1, 2)
Generate LWE sample
5. Choose a random vector $a \in \mathbb{Z}_q^n$. (Example: $a = (2, 3, 5)$)
6. Sample a small error $e$ from the error distribution $\chi$. (Example: $e = 2$)
7. Compute $b = a \cdot s + e \bmod q$. (Example: $b = (2 \cdot 3) + (3 \cdot 5) + (5 \cdot 7) + 2 = 6 + 15 + 35 + 2 = 58$, and $58 \bmod 11 = 3$)
Output
8. The LWE sample is the pair $(a, b)$. (Example: $(a, b) = ((2, 3, 5), 3)$)

Ring-LWE operates over polynomial rings, offering improved efficiency compared to LWE.

Algorithm 2 – Ring Learning with Error (R-LWE)

Setup
1. Choose a prime modulus $q$. (Example: $q = 17$)
2. Define a polynomial ring $R = \mathbb{Z}[x]/(f(x))$, where $f(x)$ is a cyclotomic polynomial. (Example: $R = \mathbb{Z}[x]/(x^2 + 1)$)
3. Choose a secret polynomial $s \in R_q$. (Example: $s(x) = 3 + 5x$)
4. Define a small error distribution $\chi$ over $R$. (Example: sample small integers like −1, 0, 1, 2 as coefficients)
Generate R-LWE sample
5. Choose a random polynomial $a \in R_q$. (Example: $a(x) = 2 + x$)
6. Sample a small error polynomial $e(x)$ from the error distribution $\chi$. (Example: $e(x) = 1$)
7. Compute $b(x) = a(x) \cdot s(x) + e(x) \bmod (f(x), q)$. (Example: $b(x) = (2 + x)(3 + 5x) + 1 = 6 + 10x + 3x + 5x^2 + 1 = 6 + 13x - 5 + 1 = 2 + 13x$, using $x^2 \equiv -1$)
Output
8. The Ring-LWE sample is the pair $(a(x), b(x))$. (Example: $(a(x), b(x)) = (2 + x,\, 2 + 13x)$)

Module-LWE generalizes LWE and Ring-LWE, combining the benefits of both.

Algorithm 3 – Module Learning with Error (M-LWE)

Setup
1. Choose a prime modulus $q$. (Example: $q = 17$)
2. Define a polynomial ring $R = \mathbb{Z}[x]/(f(x))$, where $f(x)$ is a cyclotomic polynomial. (Example: $R = \mathbb{Z}[x]/(x^2 + 1)$)
3. Choose a rank $k$ for the module. (Example: $k = 2$)
4. Choose a secret vector of polynomials $s \in R_q^k$. (Example: $s(x) = (3 + x,\, 5 + 2x)$)
5. Define a small error distribution $\chi$ over $R$. (Example: sample small integers like −1, 0, 1, 2 as coefficients)
Generate M-LWE sample
6. Choose a random vector of polynomials $a \in R_q^k$. (Example: $a(x) = (2 + 3x,\, 1 + 4x)$)
7. Sample a small error polynomial $e(x)$ from the error distribution $\chi$. (Example: $e(x) = (1,\, x)$)
8. Compute $b(x) = a(x) \cdot s(x) + e(x) \bmod (f(x), q)$. (Example, one component per error term:
$b_1(x) = (2 + 3x)(3 + x) + (1 + 4x)(5 + 2x) + 1 = (6 + 2x + 9x + 3x^2) + (5 + 2x + 20x + 8x^2) + 1 = 6 + 11x - 3 + 5 + 22x - 8 + 1 = 1 + 33x \equiv 1 + 16x \pmod{17}$;
$b_2(x) = (2 + 3x)(5 + 2x) + (1 + 4x)(3 + x) + x = (10 + 4x + 15x + 6x^2) + (3 + x + 12x + 4x^2) + x = 10 + 19x - 6 + 3 + 13x - 4 + x = 3 + 33x \equiv 3 + 16x \pmod{17}$)
Output
9. The Module-LWE sample is the pair $(a(x), b(x))$. (Example: $(a(x), b(x)) = ((2 + 3x,\, 1 + 4x),\, (1 + 16x,\, 3 + 16x))$)

Module-LWE is a generalization of Ring-LWE, i.e., if you can solve Module-LWE, then you can
also solve Ring-LWE. More specifically, Ring-LWE is Module-LWE with a module of rank 1.
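Algorithms 1 to 3 in working form, as an added example that is not code from the paper: the functions reproduce the paper's numbers (b = 3, b(x) = 2 + 13x, and (1 + 16x, 3 + 16x)) and generalize them to any dimension n, rank k and number of samples m over $\mathbb{Z}_q[x]/(x^n + 1)$, so the same code also produces the matrix A of the decision-LWE definition in Section 4.1 (each row is one sample). Function names are my own. Reading the paper's two outputs b1, b2 as the rows of a 2×2 polynomial matrix with rows (a1, a2) and (a2, a1) is an assumption made here to reproduce them; in general A is any m×k matrix of random polynomials.

```python
import random

def lwe_sample(q, s, a, e):
    """Algorithm 1: b = <a, s> + e mod q for integer vectors a, s in Z_q^n."""
    assert len(a) == len(s)
    return (sum(ai * si for ai, si in zip(a, s)) + e) % q

def poly_add(f, g, q):
    """Coefficient-wise addition mod q; polynomials are coefficient lists, lowest degree first."""
    return [(x + y) % q for x, y in zip(f, g)]

def poly_mul(f, g, q):
    """Multiplication in Z_q[x]/(x^n + 1) for coefficient lists of length n.
    Products that reach degree n wrap around with a sign flip because x^n ≡ -1
    (for n = 2 this is the paper's x^2 ≡ -1 step)."""
    n = len(f)
    res = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                res[i + j] += fi * gj
            else:
                res[i + j - n] -= fi * gj
    return [c % q for c in res]

def rlwe_sample(q, s, a, e):
    """Algorithm 2: b(x) = a(x)*s(x) + e(x) mod (x^n + 1, q)."""
    return poly_add(poly_mul(a, s, q), e, q)

def mlwe_sample(q, s, A, e):
    """Algorithm 3 generalised: A is an m x k matrix of polynomials, s a length-k vector
    of polynomials, e a length-m vector of small polynomials;
    b_i(x) = sum_j A[i][j](x) * s_j(x) + e_i(x)."""
    n = len(s[0])
    out = []
    for row, ei in zip(A, e):
        acc = [0] * n
        for aij, sj in zip(row, s):
            acc = poly_add(acc, poly_mul(aij, sj, q), q)
        out.append(poly_add(acc, ei, q))
    return out

def random_mlwe_sample(q, n, k, m, eta=2, rng=random.SystemRandom()):
    """Draw a fresh instance: A uniform mod q, s and e with small coefficients in
    [-eta, eta] (the small-integer error distribution chi of step 5). Returns
    (s, A, e, b); (A, b) is the public part, s the secret."""
    small = lambda: [rng.randint(-eta, eta) for _ in range(n)]
    s = [small() for _ in range(k)]
    A = [[[rng.randrange(q) for _ in range(n)] for _ in range(k)] for _ in range(m)]
    e = [small() for _ in range(m)]
    return s, A, e, mlwe_sample(q, s, A, e)

if __name__ == "__main__":
    # The paper's worked values (Algorithms 1-3).
    print(lwe_sample(11, (3, 5, 7), (2, 3, 5), 2))                  # 3
    print(rlwe_sample(17, [3, 5], [2, 1], [1, 0]))                  # [2, 13]  -> 2 + 13x
    A = [[[2, 3], [1, 4]], [[1, 4], [2, 3]]]                        # rows (a1, a2) and (a2, a1)
    print(mlwe_sample(17, [[3, 1], [5, 2]], A, [[1, 0], [0, 1]]))   # [[1, 16], [3, 16]]
    # A Kyber-sized shape (n = 256, k = 3) with random data, just to show the generalisation.
    s, A, e, b = random_mlwe_sample(3329, 256, 3, 3)
    print(len(b), len(b[0]))                                        # 3 256
```

Without e, `lwe_sample` rows would be plain linear equations in s and Gaussian elimination mod q would recover s from n of them; it is only the small error added in step 7 that turns the system into the noisy one whose hardness the schemes rely on. The schoolbook `poly_mul` is O(n^2); the O(n log n) figure in Table 2 assumes an NTT-based multiplication, which is the optimisation the text mentions for Ring-LWE.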

One reason for preferring M-LWE has nothing to do with security directly but rather with the efficiency of running the algorithms and scaling them. If you want to increase the level of security in R-LWE, you have to increase the polynomial size. In M-LWE, you only need to increase the size of the matrices, and the polynomials remain the same. This allows you to optimize the polynomial arithmetic for one specific size, and even to build custom hardware for that polynomial size. Conversely, the matrix operations are always the same calculations, just more of them as the matrices grow, so a parallel implementation lets them run faster. A comparative analysis based on dimension, key sizes, and efficiency is given in Table 1. Time and space complexities are given in Table 2.

This makes it easier to adopt M-LWE and allows for better performance, especially with varying
levels of security.

Table 1. Comparative analysis of LWE variations.

LWE
  Dimension: larger dimensions (e.g., 500-1000)
  Key sizes: larger public key sizes due to the necessity of storing multiple vectors
  Efficiency: higher computational and storage overhead

R-LWE
  Dimension: needs the polynomial structure; typical n is around 1024
  Key sizes: smaller key sizes due to the compact polynomial representation
  Efficiency: more efficient computations and storage due to ring operations

M-LWE
  Dimension: n around 512, but involves an additional rank parameter k
  Key sizes: intermediate key sizes, benefiting from both polynomial structure and module flexibility
  Efficiency: balances the efficiency of Ring-LWE with additional flexibility when choosing parameters

Table 2. Time and space complexities of LWE variations.

Type     Time complexity    Space complexity
LWE      $O(n^2)$           $O(n^2)$
R-LWE    $O(n \log n)$      $O(n)$
M-LWE    $O(k^2 n)$         $O(k^2 n)$

5 Attacks on Lattice-Based Cryptography

NIST standardization of PQC candidates should consider practicality in addition to security, such as examining the ability to withstand attacks and creating defences against Side Channel Attacks (SCA) [34], [35], [36]. The physical security concerns of lattice-based designs have not been well studied. Schemes whose performance is greatly hindered by any attempt to resist side-channel attacks are less attractive than those that can resist side-channel attacks at a low cost.

Timing attacks exploit variations in execution time, such as differences between the execution durations of different instructions, conditional branching, and cache memory hits or misses. Countermeasures for timing attacks on LBC include guaranteeing a fixed number of calls to each function, regardless of the secret values; guaranteeing consistent timings for all function executions (NTT, Gaussian samplers); and repeatedly and randomly shuffling sampler outputs. Employing various convolution settings in conjunction with several sampling and shuffling phases is advised to guarantee sufficient protection.
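An added example (not code from the paper or from any library) showing the shape of two of the countermeasures listed above: a secret-dependent early-exit comparison beside a fixed-work one, and an error sampler that always consumes the same number of random bits and makes a fixed number of calls, followed by a random shuffle of its outputs. The sampler draws from a centered binomial distribution, my choice of small-integer distribution rather than the paper's Gaussian; names and parameters are assumptions, and a Python interpreter gives no real constant-time guarantee, so what the code demonstrates is the control-flow structure that a C or hardware implementation would need.

```python
import secrets

def leaky_equal(a, b):
    """Early-exit comparison: the loop stops at the first differing element, so the
    running time reveals the length of the common prefix. This is the pattern the
    countermeasures above are meant to eliminate."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True

def ct_equal(a, b):
    """Same result, but a fixed amount of work: every element is visited and the
    differences are OR-ed together, so no branch depends on the data values."""
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0

def cbd_sample(eta, randbits=secrets.randbits):
    """Centered binomial sample in [-eta, eta] built from exactly 2*eta random bits:
    (sum of the first eta bits) - (sum of the next eta bits). Unlike a rejection
    sampler, the randomness consumed and the work done never depend on the value
    produced, so every call takes the same time."""
    bits = randbits(2 * eta)
    plus = sum((bits >> i) & 1 for i in range(eta))
    minus = sum((bits >> i) & 1 for i in range(eta, 2 * eta))
    return plus - minus

def sample_error_vector(n, eta, randbits=secrets.randbits):
    """n error coefficients from exactly n sampler calls, then a Fisher-Yates
    shuffle so that the order in which values were drawn (which a timing trace
    might partially reveal) is decoupled from their final positions."""
    v = [cbd_sample(eta, randbits) for _ in range(n)]
    for i in range(n - 1, 0, -1):
        j = randbits(32) % (i + 1)   # illustration only; modulo bias is ignored here
        v[i], v[j] = v[j], v[i]
    return v

if __name__ == "__main__":
    print(ct_equal([1, 2, 3], [1, 2, 3]), ct_equal([1, 2, 3], [1, 2, 4]))   # True False
    print(sample_error_vector(8, 2))   # eight coefficients in [-2, 2], e.g. [1, 0, -2, 0, 1, -1, 0, 2]
```

The `randbits` parameter exists so the sampler can be driven by a fixed bit source in a test; in use it stays at `secrets.randbits`. The fixed number of calls and fixed bit consumption are what make "a fixed number of calls to each function, regardless of the secret values" hold for the sampler, and the shuffle is the "randomly jumbling sampler outputs" step.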

Power Analysis Attacks on LBC [37], [38] can retrieve confidential information by correlating a
device's power leakage and the secret values processed during algorithm execution.

Fault Attacks on LBC [39], [40], and [42] entail intentionally introducing a fault into a system that performs cryptographic computations.

• How: by changing the supply voltage, the system clock speed, or the ambient temperature.
• Why: to learn more about the secret key from the faulty behavior.

6 Conclusion and Future Work

The foundation of LBC is the LWE problem and its variants, which present a viable route toward
safe cryptographic solutions in a post-quantum environment. Research is still expanding upon
the underlying work, advancing theoretical comprehension and real-world applications. As the
area develops, lattice-based techniques are expected to be crucial in protecting digital
communications against the arrival of quantum computing. Larger dimensions are typically
needed for LWE, which also increases key sizes and computational overhead. Using polynomial
rings, Ring-LWE lessens these requirements and increases its computational and spatial
efficiency. A compromise is provided by Module-LWE, which combines the efficiency and compactness of Ring-LWE with the extra flexibility and efficiency improvements from module structures.

In contrast to conventional encryption methods such as RSA and ECC, LBC requires a larger
public key. Thus, much effort is being made to decrease the key size. The greater key size results
in longer encryption, decryption, key distribution, and key generation. There is, therefore, room
to improve each of these.

References

1. Shor, Peter W. “Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer.” SIAM Journal on Computing, vol. 26, no. 5, Oct. 1997, pp. 1484–509. https://doi.org/10.1137/S0097539795293172.
2. Silverman, Joseph H., editor. Cryptography and Lattices: International Conference, CaLC 2001, Providence, RI, USA, March 29–30, 2001, Revised Papers. Springer Berlin Heidelberg, 2001. https://doi.org/10.1007/3-540-44670-2.
3. Elkhatib, Rami, et al. “Accelerated RISC-V for Post-Quantum SIKE.” IEEE Transactions on Circuits and Systems I: Regular Papers, vol. 69, no. 6, June 2022, pp. 2490–501. https://doi.org/10.1109/TCSI.2022.3162626.
4. Nejatollahi, Hamid, et al. “Post-Quantum Lattice-Based Cryptography Implementations: A Survey.” ACM Computing Surveys, vol. 51, no. 6, Nov. 2019, pp. 1–41. https://doi.org/10.1145/3292548.
5. Chen, L., Jordan, S., Liu, Y.-K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D. (2016). Report on Post-Quantum Cryptography. National Institute of Standards and Technology, Gaithersburg, MD, NIST Internal Report (NISTIR) 8105. https://doi.org/10.6028/NIST.IR.8105.
6. Potii, Oleksandr, et al. “Post Quantum Hash Based Digital Signatures Comparative Analysis. Features of Their Implementation and Using in Public Key Infrastructure.” 2017 4th International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T), IEEE, 2017, pp. 105–09. https://doi.org/10.1109/INFOCOMMST.2017.8246360.
7. Bernstein, D. J., Lange, T. “Post-quantum cryptography.” Nature, vol. 549, no. 7671, 13 Sep. 2017, pp. 188–194. https://doi.org/10.1038/nature23461.
8. Kuo, Yao-Ming, et al. “RISC-V Galois Field ISA Extension for Non-Binary Error-Correction Codes and Classical and Post-Quantum Cryptography.” IEEE Transactions on Computers, 2022, pp. 1–1. https://doi.org/10.1109/TC.2022.3174587.
9. Balamurugan, C., Singh, K., Ganesan, G., & Rajarajan, M. (2021). Code-based post-quantum cryptography.
10. Tan, T. G., Szalachowski, P., & Zhou, J. (2022). Challenges of post-quantum digital signing in real-world applications: A survey. International Journal of Information Security, 21(4), 937–952.
11. Basu, K., Soni, D., Nabeel, M., & Karri, R. (2019). NIST post-quantum cryptography: A hardware evaluation study. Cryptology ePrint Archive.
12. Septien-Hernandez, J. A., Arellano-Vazquez, M., Contreras-Cruz, M. A., & Ramirez-Paredes, J. P. (2022). A Comparative Study of Post-Quantum Cryptosystems for Internet-of-Things Applications. Sensors (Basel), 22(2), 489. https://doi.org/10.3390/s22020489. PMID: 35062450; PMCID: PMC8779321.
13. Chamola, V., Jolfaei, A., Chanana, V., Parashari, P., & Hassija, V. (2021). Information security in the post quantum era for 5G and beyond networks: Threats to existing cryptography, and post-quantum cryptography. Computer Communications, 176, 99–118.
14. Mehic, M., Michalek, L., Dervisevic, E., Burdiak, P., Plakalovic, M., Rozhon, J., ... &
Voznak, M. (2023). Quantum cryptography in 5g networks: A comprehensive overview.
IEEE Communications Surveys & Tutorials.
15. Securing the future internet of things with post-quantum cryptography, Adarsh Kumar, Carlo
Ottaviani, Sukhpal Singh Gill, Rajkumar Buyya, First published: 09 December 2021,
https://doi.org/10.1002/spy2.200
16. Ahn, J., Kwon, H. Y., Ahn, B., Park, K., Kim, T., Lee, M. K., ... & Chung, J. (2022). Toward
quantum secured distributed energy resources: Adoption of post-quantum cryptography (pqc)
and quantum key distribution (qkd). Energies, 15(3), 714.)
17. K. -A. Shim, "A Survey on Post-Quantum Public-Key Signature Schemes for Secure
Vehicular Communications," in IEEE Transactions on Intelligent Transportation Systems,
vol. 23, no. 9, pp. 14025-14042, Sept. 2022, doi: 10.1109/TITS.2021.3131668.
18. Andrada-Teodora Ciulei, Marian-Codrin Cretu, Emil Simion: Preparation for Post-Quantum
era: a survey about blockchain schemes from a post-quantum perspective. IACR Cryptol.
ePrint Arch. 2022: 26 (2022)
19. T. M. Fernández-Caramès and P. Fraga-Lamas, "Towards Post-Quantum Blockchain: A
Review on Blockchain Cryptography Resistant to Quantum Computing Attacks," in IEEE
Access, vol. 8, pp. 21091-21116, 2020, doi: 10.1109/ACCESS.2020.2968985.
20. Kumar, A., Garhwal, S. State-of-the-Art Survey of Quantum Cryptography. Arch Computat
Methods Eng 28, 3831–3868 (2021). https://doi.org/10.1007/s11831-021-09561-2
21. Broadbent, A., & Schaffner, C. (2016). Quantum cryptography beyond quantum key
distribution. Designs, Codes and Cryptography, 78, 351-382.
22. Broadbent, A., & Schaffner, C. (2016). Quantum cryptography beyond quantum key
distribution. Designs, Codes and Cryptography, 78, 351-382.
23. Alléaume, R., Branciard, C., Bouda, J., Debuisschert, T., Dianati, M., Gisin, N., ... &
Zeilinger, A. (2014). Using quantum key distribution for cryptographic purposes: a
survey. Theoretical Computer Science, 560, 62-81.
24. Li S, Chen Y, Chen L, Liao J, Kuang C, Li K, Liang W, Xiong N. Post-Quantum Security:
Opportunities and Challenges. Sensors (Basel). 2023 Oct 26;23(21):8744. doi:
10.3390/s23218744. PMID: 37960442; PMCID: PMC10648643.
25. Chowdhury, S., Covic, A., Acharya, R. Y., Dupee, S., Ganji, F., & Forte, D. (2021). Physical
security in the post-quantum era: A survey on side-channel analysis, random number
generators, and physically unclonable functions. Journal of Cryptographic Engineering, 1-37.
26. Lyubashevsky, V., Peikert, C., & Regev, O. (2010). On ideal lattices and learning with errors
over rings. Journal of the ACM (JACM), 60(6), 1-35.
15

27. Langlois, A., & Stehlé, D. (2015). Worst-case to average-case reductions for module
lattices. Designs, Codes and Cryptography, 75(3), 565-599.
28. Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography.
Journal of the ACM (JACM), 56(6), 1-40.
29. Gentry, C., Sahai, A., & Waters, B. (2013). Homomorphic encryption from learning with
errors: Conceptually-simpler, asymptotically-faster, attribute-based. CRYPTO.
30. Brakerski, Z., & Vaikuntanathan, V. (2014). Efficient fully homomorphic encryption from
(standard) LWE. SIAM Journal on Computing, 43(2), 831-871.
31. Ducas, L., Durmus, A., Lepoint, T., & Lyubashevsky, V. (2013). Lattice signatures and
bimodal Gaussians. CRYPTO.
32. Alkim, E., Ducas, L., Pöppelmann, T., & Schwabe, P. (2016). Post-quantum key exchange -
a new hope. USENIX Security Symposium.
33. Bos, Joppe & Bronchain, Olivier & Custers, Frank & Renes, Joost & Verbakel, Denise &
Vredendaal, Christine. (2023). Enabling FrodoKEM on Embedded Devices. IACR
Transactions on Cryptographic Hardware and Embedded Systems. 74-96.
10.46586/tches.v2023.i3.74-96.
34. Albrecht, M. R., Player, R., & Scott, S. (2016). On the concrete hardness of Learning with
Errors. Journal of Mathematical Cryptology, 9(3), 169-203.
35. Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, Gauss, and Reload – A
Cache Attack on the BLISS Lattice-Based Signature Scheme. In: Gierlichs, B. and
Poschmann, A.Y. (eds.) Cryptographic Hardware and Embedded Systems – CHES 2016. pp.
323–345. Springer, Berlin, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-
2_16.
36. Pessl, P.: Analyzing the Shuffling Side-Channel Countermeasure for Lattice-Based
Signatures. In: Dunkelman, O. and Sanadhya, S.K. (eds.) Progress in Cryptology –
INDOCRYPT 2016. pp. 153–170. Springer International Publishing, Cham (2016).
https://doi.org/10.1007/978-3-319-49890-4_9.
37. Primas, R., Pessl, P., Mangard, S.: Single-Trace Side-Channel Attacks on Masked Lattice-
Based Encryption. In: Fischer, W. and Homma, N. (eds.) Cryptographic Hardware and
Embedded Systems – CHES 2017. pp. 513–533. Springer International Publishing, Cham
(2017). https://doi.org/10.1007/978-3-319-66787-4_25.
38. Lee, M.-K., Song, J.E., Choi, D., Han, D.-G.: Countermeasures against Power Analysis
Attacks for the NTRU Public Key Cryptosystem. IEICE Trans. Fundamentals. E93-A, 153–
163 (2010). https://doi.org/10.1587/transfun.E93.A.153.
39. Kamal, A.A., Youssef, A.: Fault Analysis of the NTRUEncrypt Cryptosystem. IEICE Trans.
Fundamentals. E94-A, 1156–1158 (2011). https://doi.org/10.1587/transfun.E94.A.1156.
40. Kamal, A.A., Youssef, A.M.: Fault analysis of the NTRUSign digital signature scheme.
Cryptogr. Commun. 4, 131–144 (2012). https://doi.org/10.1007/s12095-011-0061-3.
41. Espitau, T., Fouque, P.-A., Gérard, B., Tibouchi, M.: Loop-Abort Faults on Lattice-Based
Fiat-Shamir and Hash-and-Sign Signatures. In: Avanzi, R. and Heys, H. (eds.) Selected Areas
in Cryptography – SAC 2016. pp. 140–158. Springer International Publishing, Cham (2017).
https://doi.org/10.1007/978-3-319-69453-5_8.
42. Bindel, N., Buchmann, J., Krämer, J.: Lattice-Based Signature Schemes and Their Sensitivity
to Fault Attacks. In: 2016 Workshop on Fault Diagnosis and Tolerance in Cryptography
(FDTC). pp. 63–77 (2016). https://doi.org/10.1109/FDTC.2016.11

You might also like