2.1. Quantum Cryptography

2.2. Quantum Key Distribution

3.1. Code-Based Cryptosystems

3.2. Hash-Based Cryptosystems

3.3. Multivariate Cryptosystems

3.4. Lattice-Based Cryptosystems

4.1. Shortest Vector Problem (SVP)

4.2. Closest Vector Problem (CVP)

4.3. Lattice reduction

5.1. Description

• Alice chooses randomly two polynomials $f\left(x\right)\in {\mathcal{L}}_{(}d+1,d)$ and $g\left(x\right)\in {\mathcal{L}}_{(}d,d)$. These two polynomials are Alice’s private key.
• Alice computes the inverses polynomials

  $$F_q\left(x\right)=f{\left(x\right)}^{-1}\in R_q\mathrm{and}{F}_p\left(x\right)=f{\left(x\right)}^{-1}\in R_p$$

  (6)
• Alice computes $h\left(x\right)=F_q\left(x\right)★g\left(x\right)\in R_q$ and the polynomial $h\left(x\right)$ is Alice’s public key. Alice’s private key is the pair $(f\left(x\right),F_p\left(x\right))$ and by only using this key, she can decrypt messages. Otherwise, she can store , which is probably intertible $modq$ and compute $F_p\left(x\right)$ when she needs it.
  Alice publishes her key h.
• Bob wants to encrypt a message and chooses his plaintext $m\left(x\right)\in R_p$. The $m\left(x\right)$ is a polynomial with coefficients $m_i$ such that $-\frac{1}{2}p\le m_i\le \frac{1}{2}p$.
• Bob chooses a random polynomial $r\left(x\right)\in \mathcal{T}(d,d)$, which is called ephemeral key, and computes

  $$e\left(x\right)\equiv ph\left(x\right)★r\left(x\right)+m\left(x\right)(modq)$$

  (7)

  and this is the encrypted message that Bob sends to Alice.
• Alice computes

  $$a\left(x\right)\equiv f\left(x\right)★e\left(x\right)(modq)$$

  (8)
• Alice chooses the coefficients of a in the interval from $-q/2\mathrm{to}q/2$ (center lifts $a\left(x\right)$ to an element of R).
• Alice computes

  $$b\left(x\right)\equiv F_p\left(x\right)★a\left(x\right)(modp)$$

  (9)

  and she recovers the message m as if the parameters have been chosen correctly, the polynomial $b\left(x\right)$ equals to the plaintext $m\left(x\right)$.

5.2. Discrete implementation

• Assume the trusted party chooses the parametres $(N,p,q,d)=(11,3,61,2)$. As we can see $N=11$ and $p=3$ are prime numbers, $gcd(3,61)=gcd(11,2)=1$ and the condition $q>(6d+1)p$ is satisfied as it is $61>(6·2+1)3=39$.
• Alice chooses the polynomials

  $$\begin{array}{c}\hfill f\left(x\right)=x^{10}-x^8-x^6+x^4+x^2+x+1\in \mathcal{L}(3,2)\\ \hfill g\left(x\right)=x^9-x^8-x^6+x^4+x^2+1\in \mathcal{L}(2,2)\end{array}$$
  These polynomials, $f,g$ is the private key of Alice.
• Alice computes the inverses
  $F_{61}\left(x\right)=f{\left(x\right)}^{-1}mod61=$

  $$=45x^{10}+49x^9+26x^8+40x^7+53x^6+47x^5+21x^4+24x^3+60x^2+32x+31\in R_{61}$$

  $$F_3\left(x\right)=f{\left(x\right)}^{-1}=x^9+x^7+x^5+2x^4+2x^3+2x^2+x\in R_3$$
  Alice can store $(f\left(x\right),F_3\left(x\right))$ as her private key.
• Alice computes
  $h\left(x\right)=F_{61}\left(x\right)★g\left(x\right)=$

  $$=11x^{10}+49x^9+26x^8+46x^7+28x^6+53x^5+31x^4+36x^3+30x^2+5x+50$$

  and publishes her public key $h\left(x\right)$.
• Bob decides to encrypt the message $m\left(x\right)=x^7-x^4+x^3+x+1$ and uses the ephemeral key $r\left(x\right)=x^9+x^7+x^4-x^3+1$.
• Bob computes and sends to Alice the encrypted message

  $$e\left(x\right)\equiv ph\left(x\right)★r\left(x\right)+m\left(x\right)(modq)$$

  that is

  $$e\left(x\right)=11x^{10}+49x^9+52x^8+35x^7+30x^6+25x^5+35x^4+32x^3+18x^2+56x+28(mod61)$$
  .
• Alice receive the ciphertext $e\left(x\right)$ and computes
  $f\left(x\right)★e\left(x\right)=$

  $$=58x^{10}+60x^9+60x^8+4x^7+56x^5+6x^4+55x^2+3x+6\in R_{61}$$
• Therefore Alice centerlifts modulo 61 to obtain

  $$a\left(x\right)=-3x^{10}-x^9-x^8+4x^7+5x^5+6x^4-6x^2+3x+6\in R_{61}$$
• She reduces $a\left(x\right)$ modulo 3 and computes

  $$F_3\left(x\right)★a\left(x\right)=x^7+2x^4+x^3+x+1\in R_3$$

  and recovers Bob’s message $m\left(x\right)=x^7-x^4+x^3+x+1$

5.3. Security

• Brute-Force Attack. In this type of attack, are being tested all possible values of the private key until the correct one is found. Brute-force attacks are generally not practical for NTRU, as the size of the key space is very large.
• Key Recovery Attack. This type of attack relies on exploiting vulnerabilities in the key generation process of NTRU. For example, if the random number generator used to generate the private key is weak, a fraudulent user may be able to recover the private key.
• Side-channel Attack. This type of attack take advantage of the weaknesses in the implementation of NTRU, such as timing attack, power analysis attack, and fault attack. Side-channel attacks require physical access to the device running the implementation.

6.1. The Learning with Errors Problem

6.2. Description

• Choose q a prime number between $n^2$ and $2n^2$.
• Let $m=(1+ϵ)(n+1)logq$ for some arbitary constant $ϵ>0$.
• The probability distribution is chosen to be $\chi ={\mathsf{\Psi }}_{a\left(n\right)}$ for $a\left(n\right)\in O(1/\sqrt{n}logn)$

• Alice chooses uniformly at random $s\in {\mathbb{Z}}_q^n$. s is the private key.
• Alice generates a public key by choosing m vectors $a_1,a_2,...,a_m\in {\mathbb{Z}}_q^n$ independently from the uniform distribution. She also chooses elements (error offsets) $e_1,e_2,...,e_m\in {\mathbb{Z}}_q^n$ independently according to $\chi$. The public key is ${(a_i,b_i)}_{i=1}^m$, where $b_i=\langle a_i,s\rangle +e_i$.
  In matrix form, the public key is the LWE sample $(A,b=As+emodq)$, where s is the secret vector.
• Bob in order to encrypt a bit, chooses a random set S uniformly among all $2^m$ subsets of $\left[m\right]$. The encryption is $({\sum }_{i\in S}{a}_i,{\sum }_{i\in S}{b}_i)$ if the bit is 0 and $({\sum }_{i\in S}{a}_i,\lfloor \frac{q}{2}\rfloor +{\sum }_{i\in S}{b}_i)$ if the bit is 1.
  In matrix form, Bob can encrypt a bit m by calculating two LWE problems : one using A as random public element, and one using b. Bob generates his own secret vectors $s^{\prime },e^{\prime }$ and e and make the LWE samples $(A,b^{\prime }=A^T{s}^{\prime }+e^{\prime }modq)$, $(b,v^{\prime }=b^T{s}^{\prime }+e^{\prime \prime }modq)$. Bob has to add the message that wants to encrypt to one of these samples, where $v^{\prime }$ is a random integer between 0 and q. The encrypted message of Bob consists of the two samples $(A,b^{\prime }=A^T{s}^{\prime }+e^{\prime }modq)$, $(b,v^{\prime }=b^T{s}^{\prime }+e^{\prime \prime }+\frac{q}{2}mmodq)$ .
• Alice wants to decrypt Bob’s ciphertext. The decryption of a pair $(a,b)$ is 0 if $b-\langle a,s\rangle$ is closer to 0 than to $\lfloor \frac{q}{2}\rfloor$ modulo q. In other case the decryption is 1.
  In matrix form, Alice firstly calculates $\Delta v=v^{\prime }-b^{\prime T}s$. As long as $e^T{s}^{\prime }+e^{\prime \prime }-s^T{e}^{\prime }$ is small enough, Alice recovers the message as $mes=\lfloor \frac{2}{q}\Delta v\rceil$.

6.3. Discrete implementation

• Alice chooses the private key $s=[2,5,0,6]$.
• Let $m=3$ so Alice generates the public key with the aid of three vectors $a_i,i=1,2,3$ and three elements $e_i,i=1,2,3$ (error terms). She chooses : $a_1=[1,6,2,4]$ and $e_1=1$, $a_2=[0,3,5,1]$ and $e_2=0$ and $a_3=[2,1,6,3]$ and $e_3=-1$. Therefore, Alice’s public key is:

  $$\left\{\right([1,6,2,4],4),([0,3,5,1],8),([2,1,6,0],0\left)\right\}$$
• Bob wants to encrypt 0 so he takes the subset $S=\{1,2\}$. So he computes

  $$(\sum _{i\in S}{a}_i,\sum _{i\in S}{b}_i)=([1,6,2,4]+[0,3,5,1],4+8)=([1,9,7,5],12)$$
• Alice performs the decryption algorithm by computing

  $$b-\langle a,s\rangle =12-\langle [1,9,7,5],[2,5,0,6]\rangle =12-12=0$$

  and obviously the decryption is 0 since the output value is closer to 0 (in this case equal to 0) than to $\lfloor \frac{13}{2}\rfloor$ modulo 13.

6.4. Implementations and Variants

6.5. Security

• Dual Attack. This type of attack is based on the dual lattice and is most effective against LWE instances with small size of plaintext messages.
  Thus, hybrid dual attacks that are appropriate for spare and small secrets and in a hybrid attack one guesses part of the secret and performs some attacks on the remaining part [13] Since guessing reduces the dimension of the problem, the cost of the attack on the part of the secret that remains it is reduced. In addition,0 the lattice attack component can be reused for multiple guesses. The optimal attack is achieved when the cost of guessing equals to the cost of the lattice attack and we define where the lattice attack component is a primal attack as the hybrid primal attack, and respectively, the hybrid dual attack.
• Shieving Attack. This type of attack is relied on the idea of sieving, which claims to find linear combinations of the LWE samples that reveal information about the secret. Sieving attacks can be used to solve the LWE problem with fewer samples than its original complexity.
• Algebraic attack. This type of attack is based on the idea of finding algebraic relations between the LWE samples that let put secret data information. Algebraic attacks can be suitable for solving the LWE problem with fewer samples than the original complexity as well.
• Side-channel attack. This type of attack exploits weaknesses in the implementation of the LWE-based scheme, such as timing attack and others. Side-channel attacks are generally easier to mount than attacks against the LWE problem itself, but they require physical access to the device running the implementation.
• Attack that use the BKW algorithm. This is a classic attack, is considered to be sub-exponential and is most effective against small or small structured LWE instances.

7.1. Description

• The key generation algorithm K generates a lattice L by choosing a basis matrix V that is nearly orthogonal. An integer matrix U it is chosen which has determinant $det\left(U\right)=\pm 1$ and the algorithm computes $W=UV$. Then, the algorithm outputs $ek=W$ and $dk=V$.
• The encryption algorithm E receives as input an encryption key $ek=W$ and a plain message $m\in P$. It chooses a random vector $u\in {\mathbb{Z}}^n$ and a random noise vector u. Then it computes $x=uW$, $z=x+r$ and encrypts the message $w=E_s(h(x,r),m)$. It outputs the ciphertext $c=(z,w)$.
• The decryption algorithm D takes as input a decryption key $dk=V$ and a ciphertext $c=(z,w)$. It computes $x=\lfloor z{V}^{-1}\rceil V$ and $r=z-x$ and decrypts as $m=D_s(h(x,r),w)$. If $D_s$ algorithm outputs the symbol ⊥ the decryption fails and then D outputs ⊥, otherwise the algorithm outputs m.

• Alice chooses a set of linearly independent vectors $v_1,v_2,...,v_n\in {\mathbb{Z}}^n$ which form the matrix $V=[v_1,v_2,...,v_n],v_i\in {\mathbb{Z}}^n,1\le i\le n$. Alice, by calculating the Hadamard Ratio of matrix V and verifying that is not too small, checks her vector’s choice. This is Alice’s private key and we let L be the lattice generated by these vectors.
• Alice chooses an $n\times n$ unimodular matrix U with integer coefficients, that satisfies $det\left(U\right)=\pm 1$.
• Computes a bad basis $w_1,w_2,...,w_n$ for the lattice L, as the rows of $W=UV$, and this is Alice’s public key. Then, she publishes the key $w_1,w_2,...,w_n$.
• Bob chooses a plaintext that he wants to encrypt and he chooses a small vector m (e.g. a binary vector) as his plaintext. Then he chooses a small random "noise" vector r which acts as a random element and r is been chosen randomly between $-\delta$ and $\delta$, where $\delta$ is a fixed public parameter.
• Bob computes the vector $e=mW+r={\sum }_{i=1}^n{m}_i{w}_i+r=x_1{w}_1+x_2{w}_2+...+x_n{w}_n+r$ using Alice’s public key and sends the ciphertext e to Alice.
• Alice, with the aid of Babai’s algorithm, uses the basis $v_1,v_2,...,v_n$ to find vector in L that is close to e. This vector is the $a=mW$, since the "noise" vector r is small and since she uses a good basis. Then, she computes $a{W}^{-1}=mW{W}^{-1}$ ans she recovers m.

7.2. Discrete implementation

• Alice chooses a private basis $\overrightarrow{v_1}=(48,1)$ and $\overrightarrow{v_2}=(-1,48)$ that it is a good basis since $\overrightarrow{v_1}$ and $\overrightarrow{v_2}$ are orthogonal vectors, e.g. it is $\langle \overrightarrow{v_1},\overrightarrow{v_2}\rangle =0$. The rows of the matrix $V=\left(\begin{array}{cc}48& 1\\ -1& 48\end{array}\right)$ is Alice’s private key. The lattice L spanned by $\overrightarrow{v_1}$ and $\overrightarrow{v_2}$ has determinant $det\left(L\right)=2305$ and the Hadamard ratio of the basis is $\mathcal{H}=(det\left(L\right)/|\overrightarrow{v_1}\left|\right|\overrightarrow{v_2}{\left|\right)}^{1/3}\simeq 1$
• Alice chooses the unimodular matrix U that its determinant is equal to 1, such as $U=\left(\begin{array}{cc}5& 8\\ 3& 5\end{array}\right)$ with $det\left(U\right)=+1$.
• Alice computes the matrix W, such that $W=UV=\left(\begin{array}{cc}232& 389\\ 139& 243\end{array}\right)$. Its rows are Alice’s bad basis $\overrightarrow{w_1}=(232,389)$ and $\overrightarrow{w_2}=(139,243)$, since it is $cos(\overrightarrow{w_1},\overrightarrow{w_2})\simeq 0,99948$ and these vectors are nearly parallel and so they are suitable for a public key.
• It is very important the noise vector to be selected carefully and that it is not shift where the nearest point is located. For Alice’s basis that generates the lattice L, $\overrightarrow{r}$ is chosen that $|\overrightarrow{r}|<20$. So, it is choosen the vector $\overrightarrow{r}$ to be ($r_x,r_y$) with $-10\le r_x$ and $r_y\le 10$.
• Bob wants to encrypt the message $m=(35,27)$ . The message can be seen as a linear combination of the basis $\overrightarrow{w_1},\overrightarrow{w_2}$, such as $35\overrightarrow{w_1}+25\overrightarrow{w_2}$ and the noise vector $\overrightarrow{r}$ can be added.
• The corresponding ciphertext is $e=mW+r=(35,27)\left(\begin{array}{cc}232& 389\\ 139& 243\end{array}\right)+(-9,1)=(19285,17064)+(-9,1)=(19276,17065)$ and Bob sends it to Alice.
• Alice using the private basis, she applies Babai’s algorithm and finds the closest lattice point. So, she solves the equation $a_1(48,1)+a_2(-1,48)=(19276,17065)$ and finds $a_1\simeq 463.02$ and $a_2\simeq 345.8$. So, the closest lattice point is $a_1(48,1)+a_2(-1,48)=463(48,1)+346(-1,48)=(21878,17071)$ and this lattice vector is close to e.
• Alice realizes that Bob must have computed $(21878,17071)$ as a linear combination of the public basis vectors and then solving the linear combination again $m_1(232,389)+m_2(139,243)=(21878,17071)$ she finds $m_1=35$ and $m_2=27$ and recovers the message $m=(m_1,m_2)=(35,27)$.

7.3. Security

• Leak information and obtain the private key V from the public key W.
  For this type of attack, it is performed a lattice basis reduction (LLL) algorithm on the public key, the matrix W. It is possible that the output is a basis $W^{\prime }$ that is good enough to allow the efficient solution of the required closest vector instances. If the dimension of the lattice is large enough, is very difficult for this attack to succeed.
• Try to obtain information about the message from the ciphertext e, assuming that the error vector r is small.
  For this type of attack, it is useful that in the ciphertext $e=mW+r$, the error vector r is a vector with small entries. An idea is to compute $e{W}^{-1}=mW{W}^{-1}+r{W}^{-1}$ and try to deduce possible values for some entries of $r{W}^{-1}$ . For example, if the j-th column of $W^{-1}$ has particularly small norm, then one can deduce that the j-th entry of $r{W}^{-1}$ is always small and hence get an accurate estimate for the j-th entry of m. To defeat this attack one should only use some low-order bits of some entries of m to carry information, or use an appropriate randomised padding scheme
• Try to solve the Closest Vector Problem of e with respect to the lattice that is being generated by W, for example by performing the Babai’s nearest plane algorithm or the embedding technique.