# Quantum-safe cryptography

# Table of Contents

1. [Introduction](#introduction)  
2. [Introduction to Quantum-safe Cryptography](#introduction-to-quantum-safe-cryptography)  
3. [Quantum Algorithms and Impacts to Cryptography](#quantum-algorithms-and-impacts-to-cryptography)  
4. [Basic Principles of Quantum-safe Cryptography](#basic-principles-of-quantum-safe-cryptography)  
   - [Computational Complexity](#computational-complexity)  
   - [Average vs Worst-case Hardness](#average-vs-worst-case-hardness)  
   - [Mathematical Structures](#mathematical-structures)  
5. [NIST Standardization of Quantum-safe Cryptography](#nist-standardization-of-quantum-safe-cryptography)  
   - [Finalists of the First NIST Quantum-safe Cryptography Standardization Effort](#finalists-of-the-first-nist-quantum-safe-cryptography-standardization-effort)  
6. [Lattice-based Cryptography](#lattice-based-cryptography)  
   - [Lattices](#lattices)  
   - [The Shortest Vector Problem](#the-shortest-vector-problem)  
   - [The Closest Vector Problem](#the-closest-vector-problem)  
   - [The Bounded Distance Decoding Problem](#the-bounded-distance-decoding-problem)  
   - [The Learning with Errors Problem](#the-learning-with-errors-problem)  
   - [Encryption Using the Learning with Errors Cryptosystem](#encryption-using-the-learning-with-errors-cryptosystem)  
   - [Illustration of LWE Encryption in Python](#illustration-of-lwe-encryption-in-python)  
   - [Module-LWE and the CRYSTALS Suite](#module-lwe-and-the-crystals-suite)  
   - [Key Encapsulation Mechanisms and CRYSTALS-Kyber](#key-encapsulation-mechanisms-and-crystals-kyber)  
   - [IND-CPA and IND-CCA Security in Lattice-based Cryptography](#ind-cpa-and-ind-cca-security-in-lattice-based-cryptography)  
7. [Hybrid Cryptography](#hybrid-cryptography)  
8. [Summary](#summary)


## Introduction
In this lesson we will look at how moving to quantum-safe cryptography can protect data today against the threat of quantum algorithms that could break it's protection in future .

By the end of the lesson we will have covered:

- What quantum-safe cryptography is
- Standardization efforts including NIST competitions
- Mathematical basis of some new algorithms such as Lattices and Learning with Errors
- Some Python code examples demonstrating how new mathematic challenges can be used for encryption
- A look at some specific quantum-safe algorithms including those in the CRYSTALS suite
- Hybrid cryptography

## Introduction to Quantum-safe Cryptography

Since quantum computers represent a distinct and potentially more powerful paradigm for computing than the classical computers in use today, cryptographic security needs to be reassessed for a world where quantum computers may proliferate, enabling new cryptographic attacks that would not be possible using classical computers.

These attacks may occur in future on data that is being transmitted or stored now known as harvest now, decrypt later, so it is not sufficient to wait until the required systems are available, but to make changes now.

The field of quantum-safe cryptography (QSC) encompasses efforts to identify and develop cryptographic schemes that can withstand attacks both from quantum and classical computing systems. This is also sometimes called quantum-resistant, or post-quantum cryptography.

In earlier lessons, we discussed some of the potential security risks that the development of general-purpose quantum computers poses to a number of traditional cryptographic primitives such as symmetric key algorithms, cryptographic hash functions, and asymmetric key algorithms. Additionally, we mentioned cryptographically relevant quantum algorithms and the protocols they impact.

We see that the most significant impacts of quantum algorithms occur in the context of asymmetric key cryptography, where Shor's algorithm offers a polynomial-time solution to the prime factoring and discrete logarithm problems. Therefore, asymmetric cryptosystems based on factoring and discrete logarithms need to be replaced by new quantum-safe cryptography schemes.

This is in contrast to the symmetric key and cryptographic hashing protocols impacted by the Grover and BHT algorithms, where the quantum speedups are not super-polynomial. Therefore, in this latter case, existing algorithms such as AES and SHA-256 can be fortified at least in the medium term by ensuring sufficiently long key and hash lengths.


## Quantum Algorithms and Impacts to Cryptography

| **Quantum Algorithm** | **Functionality**      | **Security Strength** ($n$ = number of bits) | **Impacted Cryptographic Protocols**                   | **Mitigation**            |
|------------------------|------------------------|---------------------------------------------|--------------------------------------------------------|---------------------------|
| Shor                   | factoring              | $poly(n)$                                   | RSA                                                    | Migrate to QSC            |
| Shor                   | discrete logarithm     | $poly(n)$                                   | Diffie–Hellman, DSA, Elliptic Curve Cryptography       | Migrate to QSC            |
| Grover                 | key search             | $2^{n/2}$                                   | Symmetric key algorithms (e.g., AES)                   | Sufficient key length     |
| Grover                 | pre-image attack       | $2^{n/2}$                                   | Hash functions (e.g., SHA-256)                         | Sufficient hash length    |
| BHT                    | collision attack       | $2^{n/3}$ or $2^{n/5}$                       | Hash functions (e.g., SHA-256)                         | Sufficient hash length    |



## Basic Principles of Quantum-safe Cryptography


### Computational Complexity

In cryptography, the computational complexity class NP (non-deterministic polynomial time) plays an important role. This class consists of decision problems for which proposed solutions can be verified in polynomial time using a deterministic Turing machine (DTM). The importance of NP stems from the fact that it is conjectured to consist of many computational problems that cannot be solved efficiently by both classical and quantum computers.

The first generation of successful asymmetric key cryptosystems developed in the 1970s based their security on mathematical problems such as prime factorization and discrete logarithms that are now conjectured to belong to the NP-intermediate subclass of NP. This subclass consists of problems that are believed not to have polynomial-time solutions on DTMs but at the same time are also not as hard as the hardest problems in NP.

The latter belong to the subclass NP-complete. Following Shor's algorithm in the 1990s, it became clear that at least some NP-intermediate problems are amenable to efficient solutions on quantum computers that are not DTMs.

Therefore, modern quantum-safe cryptography schemes are based on NP-complete problems or related NP-hard problems, which currently are not known to be solvable efficiently even on quantum computers.


### Average vs Worst-case Hardness

While there are many known NP-hard problems, not every such problem is suitable as a basis for cryptographic security. In this context, the notion of average-case hardness is useful for cryptography. A problem is average-case hard if most instances of the problem drawn randomly from some distribution are hard, whereas a problem is worst-case hard if it is hard only on some isolated worst-case instances. Quantum-safe cryptologists therefore search for mathematical problems that satisfy the assumption of average-case hardness and employ theoretical tools such as worst-case to average-case reductions to identify suitable protocols whose security and efficiency can be guaranteed.


### Mathematical Structures

Cryptologists have put forth a number of different mathematical structures that satisfy the necessary hardness requirements as potential candidates for quantum-safe migration of asymmetric key cryptosystems. Some well-known families include:

1. **Lattice-based cryptography**: This class of algorithms relies on the hardness of problems such as the shortest vector problem (SVP) and the closest vector problem (CVP) in lattice structures. Notable lattice-based schemes include NTRU and Learning with Errors (LWE).

2. **Code-based cryptography**: This type of cryptography is based on the difficulty of decoding a general linear code. The most notable example is the McEliece cryptosystem.

3. **Multivariate cryptography**: These systems involve equations of multiple variables over a finite field. A well-known system in this category is the HFE (Hidden Field Equations) scheme.

4. **Hash-based cryptography**: These are cryptographic systems that use only cryptographic hash functions. They are often used for digital signatures, like the Merkle signature scheme.

5. **Isogeny-based cryptography**: These systems are based on the difficulty of certain problems in the algebraic structure of elliptic curves. Supersingular Isogeny Diffie-Hellman (SIDH) is an example.


## NIST Standardization of Quantum-safe Cryptography

Recognizing the potential impact of quantum computing on current cryptographic systems, NIST initiated a program to standardize quantum-safe cryptographic algorithms in 2016 using a process similar to the one NIST followed to standardize the Advanced Encryption Standard (AES) in the early 2000s. In an open and transparent process involving security domain stakeholders, several QSC candidates were submitted for evaluation, and following a six-year review process, NIST announced a list of four finalists to become a part of NIST’s quantum-safe cryptographic standard.


### Finalists of the First NIST Quantum-safe Cryptography Standardization Effort

| **QSC Algorithm**     | **Cryptographic family** | **Application**                         |
|-----------------------|--------------------------|------------------------------------------|
| CRYSTALS-Kyber        | Lattice-based            | Key encapsulation mechanism              |
| CRYSTALS-Dilithium    | Lattice-based            | Digital signatures                       |
| FALCON                | Lattice-based            | Lightweight digital signatures           |
| SPHINCS+              | Hash-based               | Digital signatures                       |

Of the four NIST finalists, three are lattice-based and one, **SPHINCS+**, is hash-based. The Kyber and Dilithium algorithms, part of the [CRYSTALS cryptographic suite](https://csrc.nist.gov/projects/post-quantum-cryptography), were selected to be general-purpose protocols for key encapsulation and digital signatures, respectively. **FALCON** was recommended for applications requiring smaller digital signatures than those provided by Dilithium. **SPHINCS+** meanwhile was primarily chosen as a backup option to the lattice-based approaches, as it uses a different mathematical structure. Lattice-based cryptography therefore seems well-positioned to form the basis for the first-generation of QSC standards.

In August 2023, [NIST published three draft standards](https://csrc.nist.gov/news/2023/three-draft-fips-for-post-quantum-cryptography) for comments – which include the algorithms above:

- [FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard](https://csrc.nist.gov/pubs/fips/203/final)
- [FIPS 204, Module-Lattice-Based Digital Signature Standard](https://csrc.nist.gov/pubs/fips/204/final)
- [FIPS 205, Stateless Hash-Based Digital Signature Standard](https://csrc.nist.gov/pubs/fips/205/final)



## Lattice-based Cryptography

As the name suggests, lattice-based cryptography (LBC) is based on the hardness of certain problems defined on mathematical structures called lattices.

Of fundamental importance are two computational problems on lattices, namely the shortest vector problem and the learning with errors problem, which we discuss below after some preliminary definitions.




### Lattices

We can think of what a lattice is in the world around us. The Eiffel Tower (Paris), or Birds-nest stadium (Beijing). Those structures have many linked elements which can be thought of as a series of points joined together along straight lines.

Diamonds are another form of lattice. There is a clear, repeating structure of Carbon atoms. They are then effectively joined together by atomic bonds; and this structure that is formed is what gives diamond its unique properties. However, different crystal structures can have very different layouts (can be thought of as our lattice structure), and therefore ends up with distinct features. Hence, lattices serve as the foundational mathematical framework that dictates the unique traits of different structures which we use in cryptography.

In simple mathematical terms, a lattice can be thought of as a collection of regularly spaced points that repeat at fixed intervals. To describe how these points are positioned relative to each other, we use vectors. The specific arrangement of these vectors, which defines the layout of the lattice, is referred to as the **basis**.

Imagine you have a box of toy construction bricks, and you want to build various objects with the same set of pieces. Each unique object you create requires a specific arrangement, and the way you choose and arrange the bricks serves as the basis for constructing different objects. If you change the selection or arrangement of bricks, you get a different object with distinct characteristics.

Similarly, in a lattice, the **basis** is like the set of atomic building blocks that define the lattice's structure. Depending on how you arrange these building blocks (atoms or points) in the lattice, you can create various lattice structures with different properties. Just as changing the toy construction brick pieces changes the object you build, altering the basis changes the lattice's characteristics and properties.

It's important to note that lattices are not limited to two or three dimensions; they can extend to higher dimensions, and in fields like cryptography, they may involve 1000s or more dimensions.

### ▼ Mathematical description of lattices

- Given $n$ linearly independent vectors $\mathcal{A} = \{\mathbf{v}_1, \ldots, \mathbf{v}_n \mid \mathbf{v}_i \in \mathbb{R}^m\}$, the lattice $\mathcal{L}$ generated by $\mathcal{A}$ is the set of integer linear combinations $\mathcal{L} = \left\{ \sum_i c_i \mathbf{v}_i \mid c_i \in \mathbb{Z} \right\}$.

- A basis $B$ of a lattice $\mathcal{L}$ is any set of linearly independent vectors $B = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ that spans the lattice i.e., $\mathcal{L}(B) = \left\{ \sum_i z_i \mathbf{b}_i \mid z_i \in \mathbb{Z} \right\}$.

- Importantly, the basis for a given lattice is not unique. Two different basis sets $B, B'$ can describe the same lattice.

Not every basis is unique — it may just be a different perspective on the same structure.

This leads to an important concept in lattice-based cryptography, that of **lattice-basis reduction**. This is the process of taking a given lattice and attempting to find a *good basis* comprising short, nearly orthogonal vectors.


![Lattice-reduction-wiki.png](attachment:Lattice-reduction-wiki.png)

*Figure 1. Lattice-basis reduction in two dimensions from a “bad” basis $\{\mathbf{v}_1, \mathbf{v}_2\}$ to a “good” basis $\{\mathbf{u}_1, \mathbf{u}_2\}$*

Lattice-basis reductions can be performed in polynomial-time using the **Lenstra–Lenstra–Lovász** algorithm (LLL).




### The Shortest Vector Problem


### The shortest vector problem

The **shortest vector problem** (SVP) is the challenge of finding the shortest distance, i.e. vector, between any two points in the lattice.

#### ▼ Mathematical description of the SVP

Given a lattice $\mathcal{L}$ embedded in a vector space $\mathcal{V}$ with norm $\mathcal{N}$, the [SVP]25 asks for the shortest non-zero vector in $\mathcal{L}$ as measured by $\mathcal{N}$, that is, find a vector $v$ such that its length $\|v\|_{\mathcal{N}} = \min_{v \in \mathcal{L} \setminus \{0\}} \|v'\|_{\mathcal{N}} = \lambda(\mathcal{L})$.

![SVP.png](attachment:SVP.png)

Figure 2. The SVP on a lattice specified by basis vectors {b1, b2}: The red vector is the shortest vector

Miklós Ajtai has shown that the shortest vector problem is NP-hardReference: M.Ajtai,“Generating hard instances of lattice problems”, New York, NY,USA: Association for Computing Machinery, Jul. 1996, pp. 99–108.link in the worst case for certain random lattices, even when lattice-basis reduction to a good basis is possible.

Ajtai also demonstrated that there exists a worst-case to average-case reduction for the shortest vector problem, laying the foundation for its use in cryptography.

### The Closest Vector Problem

In the closest vector problem (CVP) we are looking to find the closest point on the lattice to the origin, or location given.

The CVP is also known to be NP-hard.

![CVP.png](attachment:CVP.png)

*Figure 3. The CVP on a lattice specified by basis vectors $\{\mathbf{b}_1, \mathbf{b}_2\}$: The red point represents the closest lattice vector to the given external vector shown in green that is not on the lattice.*

The **shortest vector problem** is a special case of the **closest vector problem**.


### ▼ Mathematical description of CVP

A lattice $\mathcal{L}$ embedded in a vector space $\mathcal{V}$ with metric $M$ is given, along with a vector $v \in \mathcal{V}$ but not necessarily in $\mathcal{L}$. The task then is to find the vector $u$ in $\mathcal{L}$ closest to $v$ as measured by $M$ i.e., $d_M(u, v) = \min_{w' \in \mathcal{L}} d_M(w', v)$ where $d_M$ is the distance function of the metric $M$.



### The Bounded Distance Decoding Problem

Very similar to the CVP is the **bounded distance decoding** (BDD) problem.

In this case we know that the origin supplied is close to the lattice, but not *how* close, i.e. **bounded**.

#### ▼ Mathematical description of the BDD problem

It is additionally specified that the external vector $v$ is at most within a distance $\sigma \lambda(\mathcal{L})$, where $\lambda(\mathcal{L})$ is the length of the shortest vector in the lattice and $\sigma$ is a small parameter.


### The Learning with Errors Problem


The **learning with errors** problem $\text{LWE}_{\chi, q}$ with modulus $q$ and error distribution $\chi$ is:

Given access only to polynomially many samples $(\mathbf{a}, t)$ of choice from Alice's distribution $\mathcal{A}_{s, \chi}$, "learn" and output the secret vector $s \in \mathbb{Z}_q^n$.

- Let $\mathbb{Z}_q$ be the ring of integers modulo $q$.
- Let $\mathbb{Z}_q^n$ be the set of $n$-dimensional vectors over $\mathbb{Z}_q$.
- An adversary — say, Alice — chooses a fixed vector $s \in \mathbb{Z}_q^n$ and keeps it a secret.
- Alice also specifies $\chi$, a fixed "error" probability distribution over $\mathbb{Z}_q$.
- Using the above ingredients, she constructs a distribution $\mathcal{A}_{s,\chi}$ on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ as follows:
  1. From the uniform distribution over $\mathbb{Z}_q^n$, Alice chooses a vector $\mathbf{a} \in \mathbb{Z}_q^n$.
  2. From the given distribution $\chi$, she picks a number $\varepsilon \in \mathbb{Z}_q$.
  3. She then evaluates $t = \langle \mathbf{a}, s \rangle + \varepsilon$, where $\langle \mathbf{a}, s \rangle = \sum a_i s_i$ is the standard inner product on $\mathbb{Z}_q^n$ and the addition is in $\mathbb{Z}_q$.
  4. Alice outputs $(\mathbf{a}, t)$.

Note the errors introduced: $\varepsilon$ drawn from $\chi$.

Early developments in the LWE problem employed the one-dimensional discrete Gaussian distribution on $\mathbb{Z}_q$ as the error distribution.

The remarkable feature of the LWE problem is that without the errors, it reduces to a set of linear equations that can be easily solved using a technique like Gaussian elimination.

However, the inclusion of a suitable error distribution renders it an NP-hard problem.

### Encryption Using the Learning with Errors Cryptosystem

The LWE problem discussed above leads to a public key cryptosystem introduced by Regev.

The exact process will be covered in the Python example below.

---

### ▼ Mathematics of key generation, encryption, and decryption

**Parameters**: The cryptosystem is characterized by the vector dimension or security parameter $n$, modulus $q$, number of LWE samples $N$, and error distribution $\chi$. Typical choices that guarantee both security and correctness are:

- $q$ is a prime between $n^2$ and $2n^2$
- $N = 1.1 \cdot n \log q$
- $\chi = \Psi_\alpha$, with $\alpha = 1/(\sqrt{n \log^2 n})$, where $\Psi_\alpha$ is obtained by sampling the normal distribution $\mathcal{N}(0, \alpha^2 / (2\pi))$ and reducing the result modulo 1

**Private key**: The private key is the secret vector $s \in \mathbb{Z}_q^n$.

**Public key**: Choose $N$ samples $(\mathbf{a}_i, b_i)_{i=1}^N$ from the LWE distribution $\mathcal{A}_{s,\chi}$.

---

### Encryption:

- Encryption utilizes the public key and is carried out bit by bit.
- For each bit of the message, randomly choose a binary vector $r \in \{0, 1\}^N$.
  - If the message bit is 0, the encryption is $\left( \sum_i a_i r_i, \sum_i b_i r_i \right)$.
  - If the message bit is 1, the encryption is $\left( \sum_i a_i r_i, \left\lfloor \frac{q}{2} \right\rfloor + \sum_i b_i r_i \right)$.

---

### Decryption:

- The decryption utilizes the private key $s$.
- The pair $(\mathbf{a}, b)$ decrypts to 0 if $b - \langle \mathbf{a} \cdot s \rangle$ is closer to 0 than $\left\lfloor \frac{q}{2} \right\rfloor$ modulo $q$, else it decrypts to 1.

---

### Security

The security of the LWE public key cryptosystem was analyzed by Regev:

1. Firstly, it was shown that recovering the error/noise vector $e = [e_1, ..., e_N] \leftarrow \chi^N$ involved in the construction of the public key is as hard as the bounded distance decoding (BDD) problem, which, as noted above, is believed to be NP-hard. This establishes the correspondence between LWE and explicit lattice problems.

2. Secondly, security against chosen plain text attacks (CPA) is based on the observation that an algorithm for distinguishing between encryptions of 0 and 1 in the above cryptosystem can also distinguish between the distribution $\mathcal{A}_{s,\chi}$ and the uniform distribution over $\mathbb{Z}_q^n \times \mathbb{Z}_q$, which would imply a solution of LWE itself.



### Illustration of LWE Encryption in Python

The following simple example shows the use of **LWE** for encryption and decryption. Bob will send an encrypted message to Alice.

First, Alice and Bob agree on the **problem parameters**. These are explained in detail in the maths section above, but in summary we require $n$, $q$, $N$, $\chi$.

We start with some of the basic parameters:

- $N$ represents the number of samples
- $q$ is a modulus
- $n$ is known as the security parameter, or vector dimension

These parameters are all crucial inputs when using the encryption scheme.


In [4]:
import numpy as np
from matplotlib import pyplot as plt
n=8
q=127
N=int(1.1*n*np.log(q))
sigma=1.0
print(f"n={n},q={q},N={N},sigma={sigma}")

n=8,q=127,N=42,sigma=1.0


We also need a way of introducing errors.

Here $\chi$ represents the errors we want to introduce — we use a discrete Gaussian distribution on $\mathbb{Z}_q$, characterized by mean 0 and standard deviation $\sigma$.

This definition of the errors to introduce is also public.

So in Python, we need a simple function that approximates random error/noise contributions $\varepsilon$ drawn from a discrete Gaussian distribution $\chi$ with standard deviation $\sigma$.

Some example values are printed so that you can see the distribution around 0.


In [5]:
def chi(stdev, modulus):
    return round((np.random.randn() * stdev**2))%modulus

# print some examples
sd=2
m=1000
for x in range(10):
  print("chi = ",chi(sd,m))

chi =  2
chi =  3
chi =  997
chi =  0
chi =  1
chi =  3
chi =  0
chi =  996
chi =  9
chi =  995


Next, Alice needs to generate her key pair.

She sets up her private key by choosing n values between 0 and q

In [6]:
#Alice's private key
alice_private_key = np.random.randint(0, high=q, size=n)
print(f"Alice's private key: {alice_private_key}")

Alice's private key: [  6  33  22 115 103  83  60  42]


Alice now sets up her **public key**, by choosing random vectors, which are then combined with the generated errors.

### ▼ Mathematics
More precisely, she needs to generate the sample $A_{s,\chi}$.

Accordingly, she randomly chooses vectors $\mathbf{a} \in \mathbb{Z}_q^n$ and errors $\varepsilon$ from $\chi$ to construct $N$ samples $(\mathbf{a}, b)$.


In [7]:
#Alice's Public Key
alice_public_key = []

# N is the number of values we want in the key
for i in range(N):
    # Get n random values between 0 and <q
    a = np.random.randint(0, high=q, size=n)
    # get an error to introduce
    epsilon = chi(sigma, q)
    #  calculate dot product (ie like array multiplication)
    b = (np.dot(a, alice_private_key) + epsilon) % q
    # value to be added to the key -
    sample = (a, b)
    alice_public_key.append(sample)
    
print(f"Alice's public key: {alice_public_key}")

Alice's public key: [(array([ 25, 104, 110,  89,   5,  26,  71,  45]), np.int64(41)), (array([82, 20, 21, 87, 67, 82,  0, 59]), np.int64(119)), (array([41, 38, 30, 90, 41, 86, 89, 20]), np.int64(80)), (array([ 43, 109,  16,  21,  63,  49,   6,  21]), np.int64(6)), (array([ 28,  36,  20, 102,   9,   3,  84,  62]), np.int64(122)), (array([ 83,  26,  99,   0,  46,  33, 112, 113]), np.int64(125)), (array([  9,  47,  50, 118,   1, 120,  72,  46]), np.int64(79)), (array([108,  87,  29,  39,  87, 116, 102,  70]), np.int64(97)), (array([ 78,   4, 124,  56,  36,  34,  88,  28]), np.int64(20)), (array([  0,  20,  49,  74, 107,  57,  33, 107]), np.int64(87)), (array([110,  49,  19,  25, 115, 108,  73,  85]), np.int64(37)), (array([97, 14, 60, 18, 40, 33, 11,  4]), np.int64(55)), (array([  6,  20, 109, 124, 114, 108,  77, 117]), np.int64(95)), (array([ 18,  89, 111,  72,  23,  90,  75,  20]), np.int64(118)), (array([  1, 118,  99,  45,  83,  24, 114,  56]), np.int64(0)), (array([104,   4,  86,  68

Alice can now share her public key.

Bob can now use this to send Alice an encrypted message.

Bob's message is a single bit.

In [8]:
#Encryption
bob_message_bit = 1
print(f"Bob's message bit={bob_message_bit}")

Bob's message bit=1


To encrypt the message, Bob needs to select an arbitrary number of samples at random from Alice's public key to form the ciphertext.

For this, he creates a mask, a random binary vector r of length N

In [9]:
# a list of N values between 0 and <2 - ie 0 or 1
r = np.random.randint(0, 2, N)
print(r)

[0 1 1 1 1 1 0 0 0 0 0 0 1 1 1 0 0 0 0 0 1 1 0 0 0 1 1 0 1 0 0 1 0 1 1 0 0
 0 1 0 0 0]


In [10]:
# We now take this mask and apply it to the relevant entry in Alice's public key, calculating a sum of the values found.
sum_ai=np.zeros(n, dtype=int)
sum_bi=0

for i in range(N):
    sum_ai = sum_ai + r[i] * alice_public_key[i][0]
    sum_bi = sum_bi + r[i] * alice_public_key[i][1]
sum_ai = [ x % q for x in sum_ai ]
# sum_bi = sum_bi 
ciphertext = (sum_ai, (bob_message_bit*int(np.floor(q/2))+sum_bi)%q)
print(f"ciphertext is: {ciphertext}")

ciphertext is: ([np.int64(70), np.int64(42), np.int64(34), np.int64(18), np.int64(66), np.int64(66), np.int64(88), np.int64(57)], np.int64(7))


In [11]:
# Finally, Bob broadcasts the ciphertext, which Alice can decrypt using her private key.
#Decryption
adots = np.dot(ciphertext[0], alice_private_key) % q
b_adots = (ciphertext[1] - adots) % q

decrypted_message_bit = round((2*b_adots)/q) % 2

print(f"original message bit={bob_message_bit}, decrypted message bit={decrypted_message_bit}")

assert bob_message_bit == decrypted_message_bit

original message bit=1, decrypted message bit=1


Since this protocol works bit by bit for encrypting longer bit strings, we simply repeat the operations in a loop. The following shows a scenario where Bob wishes to transfer 16 encrypted bits.

In [12]:
bob_message_bits = np.random.randint(0, 2, 16)
print(f"Bob's message bits are : {bob_message_bits}")
decrypted_bits = []

for ib in range(len(bob_message_bits)):
    bob_message_bit = bob_message_bits[ib]

    r = np.random.randint(0, 2, N)
    
    sum_ai=np.zeros(n, dtype=int)
    sum_bi=0
    for i in range(N):
        sum_ai = sum_ai + r[i] * alice_public_key[i][0]
        sum_bi = sum_bi + r[i] * alice_public_key[i][1]
    sum_ai = [ x % q for x in sum_ai ]

    ciphertext = (sum_ai, (bob_message_bit*int(np.floor(q/2))+sum_bi)%q)

    adots = np.dot(ciphertext[0], alice_private_key) % q
    b_adots = (ciphertext[1] - adots) % q

    decrypted_message_bit = round((2*b_adots)/q) % 2
    assert decrypted_message_bit == bob_message_bit

    decrypted_bits.append(decrypted_message_bit)
    
print(f"Decrypted message bits = {np.array(decrypted_bits)}")

Bob's message bits are : [1 0 0 0 0 1 1 1 1 1 1 0 1 1 0 0]
Decrypted message bits = [1 0 0 0 0 1 1 1 1 1 1 0 1 1 0 0]


### Module-LWE and the CRYSTALS Suite

The learning with errors (LWE) problem, introduced in a simplified form above and generally valid on arbitrary lattices, has been extended to algebraic rings within the so-called Ring-LWE framework primarily to improve the efficiency of resulting cryptosystems. However, the extra algebraic structure of Ring-LWE may be potentially exploitable, even though no such exploits are currently known.

Two of the four finalists in NIST's QSC standardization process — namely, the CRYSTALS-Kyber key encapsulation mechanism (KEM) and the CRYSTALS-Dilithium digital signature protocol — are based on structures known as module lattices and the related Module-LWE.

We refer interested readers to specialized courses on these topics for the mathematical details but note here that Module-LWE is seen as a compromise between LWE and Ring-LWE. It provides more efficiency than LWE (though less than Ring-LWE) but also gives a higher level of security assurance than Ring-LWE because it does not rely as heavily on the algebraic structure of the problem.

### Key Encapsulation Mechanisms and CRYSTALS-Kyber

> NOTE: This example requires some additional local installation, and currently cannot be run on this site. You can review the output below, or alternatively copy the cells to a suitable local environment if you wish to run these examples

Here we make use of the algorithms provided by the liboqs open source project which provides a libraries for prototyping and experimenting with quantum-safe cryptography. Refer to the links below to setup and test, and then run these examples in your local Python environment.

- Python Library: This provides the Python language binding for liboqs - https://github.com/open-quantum-safe/liboqs-Python
- liboqs implementation: This is required by the Python library, and provides the actual algorithm implementations and must be built - https://github.com/open-quantum-safe/liboqs

Alice wishes to create and securely communicate a shared secret to Bob using a quantum-safe encryption approach. She will use the `Kyber512` KEM algorithm provided by liboqs.

We begin by importing relevant Python modules :


In [None]:
import warnings
warnings.filterwarnings('ignore')
import oqs
from pprint import pprint

In [None]:
kems = oqs.get_enabled_kem_mechanisms()
pprint(kems, compact=True)

We see that one of the options in the list is `Kyber512` which we will employ in this example. Key exchange using Kyber involves three simple steps namely

1. Key generation
2. Encapsulation
3. Decapsulation

In the key generation step, the recepient Bob, needs to generate an asymmetric key pair using `Kyber512` and broadcast his public key.

In [None]:
kemalg = "Kyber512"
bob = oqs.KeyEncapsulation(kemalg)
bob_public_key = bob.generate_keypair()

Next in the encapsulation step, upon receiving Bob's public key, Alice generates both the shared secret and it's corresponding ciphertext using Kyber512 and Bob's public key. The ciphertext which encapsulates the shared secret is then broadcasted to Bob.

In [None]:
alice = oqs.KeyEncapsulation(kemalg)
ciphertext, shared_secret_alice = alice.encap_secret(bob_public_key)

In [None]:
# Finally, in the decapsulation step, Bob uses his private key to recover the shared secret from the ciphertext.
shared_secret_bob = bob.decap_secret(ciphertext)
print("\nShared secretes coincide:", shared_secret_bob == shared_secret_alice)

Note that in contrast to key exchange using RSA, no extraneous padding or key derivation functions are involved here. Kyber's design as a KEM allows for a very minimal user interface while providing the gold standard IND-CCA2 security for key exchange.

### IND-CPA and IND-CCA Security in Lattice-based Cryptography

In the lesson on Symmetric Key Cryptography, we introduced the notion of **semantic security** or **IND-CPA security** which refers to **indistinguishability under chosen-plaintext attack**.

Traditional cryptosystems whether symmetric (such as AES) or asymmetric (such as RSA) use deterministic functions to implement encryption operations. This means that a given plaintext, combined with a given encryption key will always encrypt to the same ciphertext. Such deterministic cryptosystems are vulnerable to **chosen plaintext attack** whereby an adversary is able to extract information by requesting encryptions of arbitrary plaintexts of their choice from the deterministic encryption function.

To achieve IND-CPA security in this context, **additional randomness** is introduced at encryption time either through *initialization vectors* or *padding*. For instance AES is only IND-CPA secure when used in  
Cipher Block Chaining (CBC) or Galois/Counter Mode (GCM) modes of operation that use random initialization vectors. Similarly with RSA, **OAEP padding** is needed to ensure IND-CPA security.

In contrast, lattice-based schemes for encryption are inherently randomized due to the problem definition itself. In particular, in the LWE based encryption scheme outlined above, there are two distinct elements of randomness:

- **(1)** The error (or noise) $\varepsilon$ drawn from the distribution $\chi$  
- **(2)** The random binary vectors $\mathbf{r} \in \{0,1\}^N$ used for encrypting each bit in the message.

The errors $\varepsilon$ contribute to the security of the public key, ensuring that it's computationally hard to deduce the secret key $\mathbf{s}$. The random binary vectors $\mathbf{r}$ on the other hand provide the essential randomness needed for making repeated encryptions of the same plaintext bit non-deterministic. Thus LWE based schemes are considered IND-CPA secure without the need for external mechanisms such as padding.

Modern cryptosystems aim to achieve so called **IND-CCA** security which stands for **indistinguishability under chosen-ciphertext attack**. In this setting the adversary has the ability to obtain decryptions of a non-trivial set of ciphertexts of their choosing with the aim of extracting information to subsequently break the cryptosystem. A scheme is IND-CCA secure if, even with this capability, the adversary cannot do better than random guessing when trying to distinguish encrypted messages. IND-CCA is a stronger security notion than IND-CPA and subsumes it.

Quantum safe KEMs such as **Kyber** are designed to be IND-CCA secure. This is achieved in two steps:

1. An IND-CPA secure public key encryption (PKE) scheme is defined. In the case of Kyber such a PKE is based on **Module-LWE**.

2. A variant of the Fujisaki-Okamoto transform (FO) is applied to obtain a CCA-secure KEM. The FO transformation is a generic method to convert encryption schemes that are IND-CPA secure into ones that are IND-CCA secure. For details we refer readers to the [original papers](https://eprint.iacr.org/2017/634.pdf).

For more information on the security features of **Kyber** and **Dilithium**, as well as reference implementations in various programming languages, you are encouraged to consult the [CRYSTALS suite documentation](https://pq-crystals.org/).



## Hybrid Cryptography

Hybrid cryptography refers to using quantum-safe public-key algorithms are combined with traditional public key algorithms (like RSA or elliptic curves) such that the solution is at least no less secure than existing traditional cryptography.

This can help address 2 issues:

1. Existing standards may mandate specific algorithms to be used for encryption, or that such algorithms are in some way approved. To add quantum safety, encryption could first be done using the regular algorithm, but then further protected by a quantum-safe algorithm, whilst still meeting required standards.

2. Quantum algorithms are new, and further analysis is needed to ensure they are indeed safe and correct. For example one of the initial algorithms shortlisted by NIST was subsequently cracked and proven to be insecure. To mitigate this risk, encryption can be done both using a standard, well-reviewed, secure (apart from quantum!) algorithm, in addition to a post-quantum algorithm.


## Summary

The migration to quantum-safe cryptography (QSC) of asymmetric key cryptosystems is necessitated by the expected advent of quantum computers that can break traditional asymmetric key algorithms predicated on the classical hardness of NP-intermediate problems. QSC is conjectured to be robust to quantum attacks because its security is based on NP-hard problems, which generally cannot be efficiently solved even with quantum computers.

In this context, hard problems rooted in the theory of mathematical lattices such as the learning with errors (LWE) problem have emerged as leading contenders for QSC standardization. In particular, the CRYSTALS-Kyber and CRYSTALS-Dilithium algorithms, based on modular lattices, are well positioned as near-term alternatives to popular asymmetric key protocols like RSA, Elliptic Curve, Diffie-Hellman, and DSA.

As we navigate the complex landscape of quantum-safe cryptography, embracing these innovative solutions will be pivotal in upholding the integrity and confidentiality of our digital interactions in the quantum era.