# Quantum-Safe Cryptography

Quantum computers are a new and potentially more powerful way of computing compared to the classical computers we use today. This means we need to reassess cryptographic security, as it may not be enough to protect against new cryptographic attacks that could be possible with quantum computers. This is important to consider in a world where quantum computers may become more widespread.

These attacks can be used in the data that is being transmitted now, this is known as harvest now and decrypt later. This means that is not sufficient to wait until quantum computing becomes a problem, but to prevent it now.

Quantum-safe cryptographic schemes are being developed to withstand attacks from both classical and quantum computers. Below is a table resuming the quantum algorithms used to impact asymmetric, symmetric and hash cryptographic algorithms and the possible mitigations.

| Quantum Algorithm | Functionality      | [Security Strength]security (n = number of bits) | Impacted Cryptographic Algorithms                 | Mitigation             |
|-------------------|--------------------|-----------------------------------------------------|--------------------------------------------------|------------------------|
| Shor              | factoring          | poly(n)                                             | RSA                                              | Migrate to QSC         |
| Shor              | discrete logarithm | poly(n)                                             | Diffie-Hellman, DSA, Elliptic Curve Cryptography | Migrate to QSC         |
| Grover            | key search         | 2^(n/2)                                             | Symmetric key algorithms (e.g., AES)             | Sufficient key length  |
| Grover            | pre-image attack   | 2^(n/2)                                             | Hash functions (e.g., SHA-256)                   | Sufficient hash length |
| BHT               | collision attack   | 2^(r/3) ou 2^(2n/5)                                 | Hash functions (e.g., SHA-256)                   | Sufficient hash length |ngth |t hash length

As we can see the most impacted system of cryptography is asymmetric cryptography. The proposed mitigation is to change to Quantum-safe cryptography (QSC) algorithms.


## Computational Complexity

In cryptography, the computational complexity class NP (non-deterministic polynomial time) plays an important role. Its a core concept in the field of computational complexity. It helps in classifying problems based on the computational effort required to verify solutions, and it poses deep questions about what can be efficiently computed. This class consists of decision problems for which proposed solutions can be verified in polynomial time using a deterministic Turing machine (DTM). The importance of NP stems from the fact that it is conjectured to consist of many computational problems that cannot be solved efficiently by both classical and quantum computers.

The first generation of successful asymmetric key cryptosystems developed in the 1970s based their security on mathematical problems such as prime factorization and discrete logarithms that are now conjectured to belong to the NP-intermediate subclass of NP. This subclass consists of problems that are believed not to have polynomial-time solutions on DTMs but at the same time are also not as hard as the hardest problems in NP.

The latter belongs to the subclass NP-complete. Following Shor's algorithm in the 1990s, it became clear that at least some NP-intermediate problems are amenable to efficient solutions on quantum computers that are not DTMs. 
Therefore, modern quantum-safe cryptography schemes are based on NP-complete problems or relatde[NP-hrd6 problems, which currently are not known to be solvable efficiently even on quantum computes.r



## Average vs worst-case hardness

While there are many known NP-hard problems, not every such problem is suitable as a basis for cryptographic security. In this context, the notion of average-case hardness is useful for cryptography. A problem is average-case hard if most instances of the problem drawn randomly from some distribution are hard, whereas a problem is worst-case hard if it is hard only on some isolated worst-case instances.

Quantum-safe cryptologists therefore search for mathematical problems that are average-case hardness and employ theoretical tools such as worst-case to average-case reductions to identify suitable protocols whose security and efficiency can be guaranteed.

## Mathematical Structures

Mathematicians have developed some mathematical structures to use in the quantum-safe migration of asymmetric encryption. All these structures meet the requirement of hardness. Here is a list of some well-known structures:

- Lattice-based cryptography - This class of algorithms relies on the hardness of problems such as the shortest vector problem (SVP) and the closest vector problem (CVP) in lattice structures. Notable lattice-based schemes include NTRU and Learning with Errors (LWE).
- Code-based cryptography - This type of cryptography is based on the difficulty of decoding a general linear code. The most notable example is the McEliece cryptosystem.
- Multivariate cryptography - These systems involve equations of multiple variables over a finite field. A well-known system in this category is the HFE (Hidden Field Equations) scheme.
- Hash-based cryptography - These are cryptographic systems that use only cryptographic hash functions. They are often used for digital signatures, like the Merkle signature scheme.
- Isogeny-based cryptography - These systems are based on the difficulty of certain problems in the algebraic structure of ellipic curves. 


##  NIST and Quantum-Safe Cryptography

Recognizing the potential impact of quantum computing on current cryptographic systems, NIST initiated a program to standardize quantum-safe cryptographic algorithms in 2016. Following a six-year review process, NIST announced in 2022 a list of four finalists to become a part of NIST’s quantum-safe cryptographic standard.


| QSC Algorithm      | Cryptographic family | Application                    |
|--------------------|----------------------|--------------------------------|
| CRYSTALS-Kyber     | Lattice-based        | Key encapsulation mechanism    |
| CRYSTALS-Dilithium | Lattice-based        | Digital signatures             |
| FALCON             | Lattice-based        | Lightweight digital signatures |
| SPHINCS+           | Hash-based           | Digital Signatures         


Of the four NIST finalists, three are lattice-based and one, SPHINCS+, is hash-bgth |

## Lattice-based Cryptography

As the name suggests, lattice-based cryptography (LBC) is based on the hardness of certain problems defined on mathematical structures called lattices. Of fundamental importance are two computational problems on lattices, namely the shortest vector problem and the learning with errors problem.

### Lattices
In simple mathematical terms, a lattice can be thought of as a collection of regularly spaced points that repeat at fixed intervals. To describe how these points are positioned relative to each other, we use vectors. The specific arrangement of these vectors, which defines the layout of the lattice, is referred to as the basis.

Imagine you have a box of toy construction bricks, and you want to build various objects with the same set of pieces. Each unique object you create requires a specific arrangement, and the way you choose and arrange the bricks serves as the basis for constructing different objects. If you change the selection or arrangement of bricks, you get a different object with distinct characteristics. It's important to note that lattices are not limited to two or three dimensions; they can extend to higher dimensions, and in fields like cryptography, they may involve 1000s or more dimensions.

Not every basis is unique - it may just be a different perspective of the same structure.

This leads to an important concept in lattice mathematics, thatf  [lattice-basis reducon23. This is the process of taking a given integer lattice and attempting to find a good basis comprising short, nearly orthogonal vector

![image.png | 500](attachment:40434f57-0bcb-433f-b932-518d8f02e0c2.png)

Lattice-basis reduction in two dimensions from a "bad" basis {v1, v2} to a "good basis" {u1, u2}

Lattice-basis reductions can be performed in polynomial-time usinge h [Lenstra–Lenstra–Lovász algohm (LLL).LLL
### Shortest-Vector Problem (SVP)
The shortest vector problem (SVP) is the challenge of finding the shortest distance, i.e. vector, between any two points in the lattice. Miklós Ajtai has shown that the shortest vector problem is NP-hard in the worst case for certain random lattices, even when lattice-basis reduction to a good basis is possible.

### Closest-Vector Problem (CVP)
In the closest vector problem (CVP) we are looking to find the closest point on the lattice to the origin, or location given. 
The CVP is also known to be NPd.-har

### The Bounded Distance Decoding problem (BDD)
In this ,case we know that the origin supplied is close to the lattice, but not how c.
dd.
d

### The learning with errors problem (LWE)
The learning with errors problem is based on the mathematics of lattices combined with the idea of introducing errors into an equation. 
As is the case with any mathematical basis for cryptographic algorithms we can easily introduce noise as we make a series of calculations, but trying to find the inverse is very dift.ficul

The remarkable feature of the LWE problem is that without the errors, it reduces to a set of linear equations that can be easily solved using a technique like Gaussian elimination. 
However, the inclusion of a suitable error distribution renders it an NP-hard m.proble

### Pratical Application of LWE encryption using python
Bob will send an encrypted message to  First, they will need to agree on the problem parameters. The parameters are and chi,q,N,X.
- n is known as the security parameter, vector dimension.
- q is a modulus
- N represents the number of samples
- chi are errors to be introduced

These parameters are all public information in pri.p..)
s.


In [35]:
import numpy as np
from matplotlib import pyplot as plt
n=8
q=127
N=int(1.1*n*np.log(q))
sigma=1.0
print(f"n={n},q={q},N={N},sigma={sigma}")

n=8,q=127,N=42,sigma=1.0


To define chi we create a function that approximates random error/noise contributions epsilon drawn from a discrete Gaussian distribution chi with standard deviation sigma.

In [36]:
def chi(stdev, modulus):
    return round((np.random.randn() * stdev**2))%modulus

Next step is to Alice generate a key pair. Let's start with the private key by choosing n values between 0 and q.

In [37]:
#Alice's private key
alice_private_key = np.random.randint(0, high=q, size=n)
#print(f"Alice's private key: {alice_private_key}")

Alice now sets up her public key, by choosing random vectors, which are then combined with the generated errors.

In [38]:
#Alice's Public Key
alice_public_key = []

# N is the number of values we want in the key
for i in range(N):
    # Get n random values between 0 and <q
    a = np.random.randint(0, high=q, size=n)
    # get an error to introduce
    epsilon = chi(sigma, q)
    #  calculate dot product (ie like array multiplication)
    b = (np.dot(a, alice_private_key) + epsilon) % q
    # value to be added to the key -
    sample = (a, b)
    alice_public_key.append(sample)
    
#print(f"Alice's public key: {alice_public_key}")

Alice can now share her public key. 
Bob can now seu Alice's public key to send her an necrypted message 
Bob will send Alice a 1 bit message..

In [30]:
#Bob's Message
bob_message_bit = 1

To encrypt the message with Alice's public key, he will need to choose an arbitrare number of samples ar random from her public key. 
For this, he creates a mask, a random binary vector r of N length.

In [10]:
r = np.random.randint(0, 2, N)

We will now apply this mask to the entries of Alice's public key.

In [15]:
#Encryption
sum_ai=np.zeros(n, dtype=int)
sum_bi=0

for i in range(N):
    sum_ai = sum_ai + r[i] * alice_public_key[i][0]
    sum_bi = sum_bi + r[i] * alice_public_key[i][1]
sum_ai = [ x % q for x in sum_ai ]

ciphertext = (sum_ai, (bob_message_bit*int(np.floor(q/2))+sum_bi)%q)
print(f"ciphertext is: {ciphertext}")

ciphertext is: ([19, 35, 14, 104, 3, 107, 85, 104], 38)


Finally, Bob sends the ciphertext to Alice. Alice can now use her private key to decrypt Bob's message.

In [12]:
#Decryption
adots = np.dot(ciphertext[0], alice_private_key) % q
b_adots = (ciphertext[1] - adots) % q

decrypted_message_bit = round((2*b_adots)/q) % 2

print(f"original message bit={bob_message_bit}, decrypted message bit={decrypted_message_bit}")

assert bob_message_bit == decrypted_message_bit

original message bit=1, decrypted message bit=1


The code shown before only sent 1 bit of information. Lets change the code a little bit to be able to send ascii messages (> 1 bit).


In [40]:
bob_message = "hello world!"
bob_message_bits_temp = ''.join(format(ord(i), '08b') for i in bob_message)
bob_message_bits = []
for x in bob_message_bits_temp:
    bob_message_bits.append(int(x))

print(f"Bob's message is = {bob_message}")
decrypted_bits = []

for ib in range(len(bob_message_bits)):
    #Encryption
    bob_message_bit = bob_message_bits[ib]

    r = np.random.randint(0, 2, N)
    
    sum_ai=np.zeros(n, dtype=int)
    sum_bi=0
    for i in range(N):
        sum_ai = sum_ai + r[i] * alice_public_key[i][0]
        sum_bi = sum_bi + r[i] * alice_public_key[i][1]
    sum_ai = [ x % q for x in sum_ai ]

    ciphertext = (sum_ai, (bob_message_bit*int(np.floor(q/2))+sum_bi)%q)

    # Decryptiom
    adots = np.dot(ciphertext[0], alice_private_key) % q
    b_adots = (ciphertext[1] - adots) % q

    decrypted_message_bit = round((2*b_adots)/q) % 2
    assert decrypted_message_bit == bob_message_bit

    decrypted_bits.append(decrypted_message_bit)
    
chunks = [decrypted_bits[i:i+8] for i in range(0, len(decrypted_bits), 8)]

# Convert each chunk to decimal and then to ASCII
ascii_characters = [chr(int(''.join(map(str, chunk)), 2)) for chunk in chunks]

# Join the ASCII characters to get the final string
resulting_string = ''.join(ascii_characters)

print(f"Decrypted message = {resulting_string}")

Bob's message is = hello world!
Decrypted message = hello world!


## Python Library liboqs

This Python library can be used for prototyping and experimenting with quantum-safe cryptography. To use this python library we first need to follow the tutorial: https://github.com/open-quantum-safe/liboqs-Python

The creator of this library does not recommend using it in production environments.

We can import the module by using `import oqs`. The other modules are strictly for outputting appearance reasons.

In [1]:
import warnings
warnings.filterwarnings('ignore')
import oqs
from pprint import pprint

The library liboqs provides many KEM and digital signature implementations. In cryptographic protocols, a key encapsulation mechanism (KEM) is used to secure symmetric key material for transmission using asymmetric algorithms. A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. 


### KEM - Key Encapsulation Mechanism
To list all the available KEM algorithms use the following command:

In [3]:
kems = oqs.get_enabled_kem_mechanisms()
pprint(kems, compact=True)

['BIKE-L1', 'BIKE-L3', 'BIKE-L5', 'Classic-McEliece-348864',
 'Classic-McEliece-348864f', 'Classic-McEliece-460896',
 'Classic-McEliece-460896f', 'Classic-McEliece-6688128',
 'Classic-McEliece-6688128f', 'Classic-McEliece-6960119',
 'Classic-McEliece-6960119f', 'Classic-McEliece-8192128',
 'Classic-McEliece-8192128f', 'HQC-128', 'HQC-192', 'HQC-256', 'Kyber512',
 'Kyber768', 'Kyber1024', 'sntrup761', 'FrodoKEM-640-AES', 'FrodoKEM-640-SHAKE',
 'FrodoKEM-976-AES', 'FrodoKEM-976-SHAKE', 'FrodoKEM-1344-AES',
 'FrodoKEM-1344-SHAKE']


Looking at the list we see the `Kyber512` algorithm one of the finalist in the NIST post-quantum cryptography project. We will use this algorithm for the KEM implementation.

In [4]:
kemalg = "Kyber512"
bob = oqs.KeyEncapsulation(kemalg)
alice = oqs.KeyEncapsulation(kemalg)

The next step is to generate the keypair in Bob's end. Alice will be the sender and Bob the receiver. 

In [5]:
bob_public_key = bob.generate_keypair() # only the public key will be stored in a variable

Now that we have Bob's public key we can encrypt the secret.

In [23]:
ciphertext, shared_secret_alice = alice.encap_secret(bob_public_key)

We have the ciphertext, now Bob needs to decrypt the ciphertext with his private key.

In [24]:
shared_secret_bob = bob.decap_secret(ciphertext)
print("\nShared secretes coincide:", shared_secret_bob == shared_secret_alice)


Shared secretes coincide: True


We have successfully implement KEM, with a post-quantum cryptography algorithm, in python using the liboqs. 

### Digital Signature

To list all the available digital signature algorithms use the following command:

In [26]:
sigs = oqs.get_enabled_sig_mechanisms()
pprint(sigs, compact=True)

['Dilithium2', 'Dilithium3', 'Dilithium5', 'Falcon-512', 'Falcon-1024',
 'SPHINCS+-SHA2-128f-simple', 'SPHINCS+-SHA2-128s-simple',
 'SPHINCS+-SHA2-192f-simple', 'SPHINCS+-SHA2-192s-simple',
 'SPHINCS+-SHA2-256f-simple', 'SPHINCS+-SHA2-256s-simple',
 'SPHINCS+-SHAKE-128f-simple', 'SPHINCS+-SHAKE-128s-simple',
 'SPHINCS+-SHAKE-192f-simple', 'SPHINCS+-SHAKE-192s-simple',
 'SPHINCS+-SHAKE-256f-simple', 'SPHINCS+-SHAKE-256s-simple']


We will use the algorithm Dilithium5, one of the finalists from the NIST post-quantum cryptography project.

In [34]:
sigalg = "Dilithium5"
bob = oqs.Signature(sigalg)
alice = oqs.Signature(sigalg)

bob_public_key = bob.generate_keypair() # only the public key will be stored in a variable

message = b"hello world"

signed_ciphertext = bob.sign(message) # sign the message with Bob's private key.

alice.verify(message, signed_ciphertext,bob_public_key) # verify the signature with Bob's public key. C

True

If the result is True, it means that the message was digitally signed by Bob.