Whitepaper Post-Quantum

Quantum compung is increasingly seen as a threat to communica- ons security: rapid progress towards realizing praccal quantum computers has drawn aenon to the long understood potenal of such machines to break fundamentals of contemporary cryptogra- phic infrastructure. While this potenal is so far firmly theorecal, the cryptography community is preparing for this possibility by de- veloping Post-Quantum Cryptography (PQC), that is, cryptography resisng the increased capabilies of quantum computers.

In this white paper, we explore the background, impact, and ur- gency of this threat, and summarize the cryptographic schemes be- ing evaluated. We also provide recommendaons on what steps should be taken today to be prepared for the changes to come, and discuss how Arm is approaching PQC.

In two technical appendices, the interested reader learns about how quantum computers could break RSA and ECC and gets an overview of the main ideas behind lace-based cryptography, a promising candidate for quantum safe cryptography.

Short on me? See → What to do now? for concrete guidance.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Pre-sharedPre-shared How cryptography confidentialconfidential datadata d_@A~X45!d_@A~X45! secures today’s network traffic – A primer Insecure Channel Secure Channel Symmetric Secure Channel Tounderstand the impact of quantum compung on cryp- pqc is real Cryptography 8d#5a!dX?)^ tography, it is useful to have an overview of the different kinds of cryptography mainly used to secure today’s net- Figure 1: Symmetric Cryptography as a black box trans- work traffic. This secon provides a short summary. forming an insecure channel into a secure channel on the basis of pre-shared confidenal data. Secure communicaon over insecure links

The breadth of today’s connecvity technologies (such as BLE, Cellular, WiFi) allows communicaon to happen Historically, secure communicaon could only be es- almost everywhere, between everyone and everything. tablished via symmetric cryptography, that is, on the ba- However, while these technologies provide channels for sis of a pre-shared secret piece of informaon which the the exchange of informaon, those channels are a priori communicang pares had exchanged upfront. The pri- insecure – that is, they lack some or all of the following mary problem with this approach, of course, is the need properes: to establish the shared symmetric key in the first place.

• Confidenality: Nobody except the designated com- municang pares can infer anything about the infor- Public Key Cryptography 1 maon that is being exchanged. Public Key Cryptography3 builds secure channels without • Integrity: Informaon cannot be modified in transit any confidenality assumpon (such as the existence of without the modificaon being detected. a pre-shared symmetric key).

• Authencaon: The pares know whom they talk to. Pre-sharedPre-shared authenticauthentic datadata If we call a channel with the above properes secure, the problem thus arises to find construcons for secure chan- nels from the insecure links provided by the various con- Insecure Channel necvity technologies. Cryptography can be viewed as Public key Authenticated Channel offering tools for a variety of such construcons2, as we pqc is real signatures pqc is real will recall now. Figure 2: Public Key Signatures as a black box transform- Symmetric Cryptography ing an insecure channel into an authencated channel on the basis of pre-shared authenc data. Symmetric cryptography builds secure channels from the assumpon of a single piece of pre-shared confidenal informaon, the symmetric key: • Signature schemes such as RSA-PSS, ECDSA or EdDSA • Symmetric ciphers such as AES or ChaCha construct construct authencated and integrity protected chan- confidenal channels from a symmetric key. nels from a piece of authenc public data associated • Message authencaon codes (MACs) such as the hash- with each communicang party, called the public key. based HMAC or the cipher-based CMAC construct au- • Key establishment protocols such as (EC)DHE construct thencated and integrity protected channels from a shared confidenal data from authencated and in- symmetric key. tegrity protected channels. • Finally, combined Authencated encrypon schemes Note that it is highly remarkable that such construcons such as AES-GCM or ChaCha/Poly establish secure chan- exist in the first place: for example, a key establishment nels from a symmetric key. protocol resembles a magic conversaon by which the two communicang pares agree on something that a 1 Except for a bound on the amount of informaon that has been passive listener cannot figure out. communicated. 2 This is also called Construcve Cryptography [Mau12]. 3Public Key Cryptography is also called asymmetric cryptography.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Pre-sharedPre-shared

y authenticauthentic datadata Authenticated Channel Confidential data h Key Confidential data p a pqc is real 8d#5a!dX?)^8d#5a!dX?)^ r establishment g o t p y r C

y

e Insecure Channel Public Key Authenticated Channel Key K

Figure 3: Key Establishment as a black box transforming c pqc is real Signatures pqc is real establishment i l b u

an authencated channel into shared confidenal data. P

Confidential data

y Confidential data

h d_@A~X45! p d_@A~X45! a r

The means to reliably distribute public keys is the pub- g o t p y

lic key infrastructure (PKI). The most prevailing PKI are r C

c i

X.509 cerficate chains, which bootstrap public key dis- r t

e Insecure Channel Secure Channel Symmetric Secure Channel m Secure Channel tribuon using signatures and a small number of public pqc is real 8d#5a!dX?)^

m Cryptography 8d#5a!dX?)^ y keys distributed out-of-band. S

Pung it together: TLS and friends Figure 4: Combining public key cryptography and asym- metric cryptography to establish secure communicaon Combining the construcons that symmetric and public channels from insecure ones. key cryptography provide, one arrives at the following two-step scheme for establishing secure communicaon channels over insecure links: and trust in its validity derives from me and effort spent on them, while a formal proof of their hardness is consid- • An inial authencaon and key establishment phase ered infeasible. For example, schemes from the RSA fam- based on public key cryptography authencates one ily rely on the hardness of integer factorizaon for which or both pares in the communicaon and establishes no polynomial me algorithm is known. a shared secret between them. It is common for cryptographic schemes to have a fi- • The actual communicaon happens in the bulk en- nite lifeme due to gradually decreasing praccal secu- crypon phase, where the established symmetric key rity resulng from advances in algorithmic research and is used to construct a secure channel using symmet- increased computaonal power: ric cryptography. • The hash funcon SHA-1 was standardized in 1995, a theorecal collision aack was found in 2004 and For example, this approach is taken by the popular finally put to pracce with increased compute power Transport Layer Security (TLS) protocol, and following TLS in 2017. terminology the inial key establishment phase is oen called handshake. In this language, the above two-step • Increasingly large RSA Factoring Challenges are be- 4 approach essenally says: Shake hands first, then talk. ing solved (the latest one being the factorizaon of an 829-bit modulus in February 2020) raising the (How) Do we know it is secure? bar for what is considered to be a safe use of RSA.

Cryptographic schemes are not usually proved secure in This gradual degradaon of security is somewhat expected absolute terms. Instead, modern cryptography develops and can somemes, as in the example of RSA, be counter- precise noons of security and uses those noons to for- acted by increased key sizes of the underlying schemes. mally reason how the claimed security of a parcular scheme The impact of quantum compung on cryptography, follows from an underlying hardness assumpon. Such however, is of a different nature: the reason why the em- hardness assumpon is usually the statement that a par- pirical evidence of security is crumbling with the advent cular computaonal problem cannot be solved efficiently, of quantum compung is that the laer introduces en-

4 rely new computaonal capabilies that haven’t been In addion to signatures and key establishment, there are also considered by classical algorithmic research, and whose public key encrypon schemes such as RSA-OAEP which could theo- recally be used to protect the actual traffic, but their inferior perfor- limits are hence sll to be understood. mance compared to symmetric primives renders this approach im- praccal. Instead, where sll in use, public key encrypon realizes the key establishment phase in the above hybrid strategy, with one party choosing a secret and sending it to the peer aer encrypon with the peer’s public key. This approach, however, comes at the danger of the sending side choosing insufficiently random secrets, and is nowa- days mostly replaced by Key Encapsulaon Mechanisms (KEM), which combine random key generaon and public-key encrypon into a sin- gle primive.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. For the interested reader, Appendix A: How quantum How quantum computers threaten RSA & ECC provides a high-level de- scripon of the quantum computaonal model and an compung impacts outline of how Shor’s algorithm breaks RSA and (EC)DHE. cryptography The impact on symmetric cryptography

A new computaonal model The impact of quantum compung on symmetric crypto- graphy appears to be less crical: Quantum compung uses phenomena from quantum phy- Grover’s search algorithm [Gro96] is a quantum al- sics to perform computaon, and the quantum computa- gorithm performing an unstructured search over n ob- onal model is an abstracon of the state and capabilies √ jects in n steps – a quadrac speedup over the clas- of such quantum computaons which allows us to ignore sically opmal n steps for a full traversal. This implies the physical details and their realizability – in the same that brute force aacks to cryptographic schemes, such way as, for example, the model of Turing machines pro- as searching through an enre key space, are potenally vides a way to study classical computaon independently quadracally faster on a quantum computer than on a from its physical realizaon. This opens a new field of classical computer. As a consequence, key sizes might quantum algorithmic research, and specifically the ques- need to be doubled in the presence of quantum com- on arises to what extent the quantum computaonal puters, for example by using AES-256 in place of AES- model allows for algorithms solving problems in fewer 128. Beyond that, however, the techniques established operaons than classical algorithms. to construct symmetric ciphers appear to remain valid even in the fact of quantum compung. The same ap- The impact on public key cryptography plies to the security of hash funcons: there are quantum algorithms for collision search which are potenally poly- In 1994, Peter Shor [Sho94] discovered that the quantum nomially faster than classical algorithms, but the schemes computaonal model allows for the construcon of an and techniques themselves appear to remain valid. efficient algorithm for integer factorizaon, a highly re- markable insight for mulple reasons: Summary • Theorecally, it demonstrated the superiority of quan- tum compung by exhibing a problem for which no Today’s network communicaon is secured through the efficient classical algorithm is known but which a hy- combined use of public key cryptography and symmetric pothecal quantum computer can solve efficiently. cryptography: the former establishes authencaon and shared secrets, the laer performs the bulk encrypon. • Praccally, it is remarkable that the problem demon- Quantum compung threatens the main public key strated to be amenable to significant speedup on a cryptosystems in use today (RSA and ECC), while it seems quantum computer happens to be the problem un- that it will affect symmetric cryptography (such as AES or derlying the widely used RSA cryptosystems. the SHA) only in a minor way. Assuming that praccal quantum computers can be Moreover, Shor also exhibited an efficient quantum algo- built – the feasibility of which we will talk about below rithm for the problem underlying the – it will therefore be necessary to find and deploy cryp- popular (EC)DHE key exchange mechanisms. tosystems for authencaon and key establishment that As a result, Shor’s algorithms therefore demonstrate withstand the quantum computaonal model. The de- that the most popular public key cryptosystems which velopment of such “quantum safe” cryptography is called our ability to establish secure communicaon channels Post-Quantum Cryptography (PQC). relies upon, are no longer secure within the hypothecal model of quantum compung. This discovery triggered Post-Quantum Cryptography vs. interest in quantum algorithms and the queson of what it takes to actually build a quantum computer. Quantum-Cryptography It is important to note that increasing key sizes, which Post-Quantum Cryptography is to be disnguished from can be an acceptable response to gradual degradaon of Quantum Cryptography, which concerns cryptographic al- praccal security due to increased compute power, does gorithms which make use of quantum phenomena. Post- not apply to make RSA and (EC)DHE quantum safe: Shor’s Quantum Cryptography, in turn, is concerned with algo- algorithm puts those problems in a different complexity rithms that run on a classical computer and cannot be class altogether, and keys scaled to accommodate for this broken even with a quantum computer. We will not dis- 5 would render the schemes impraccal. cuss quantum-cryptography in this paper. The study of 5This was entertainingly demonstrated by the pqRSA (post-quan- quantum algorithms aacking cryptographic schemes is tum RSA) proposal, which uses mul-GB keys. called quantum cryptanalysis.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Concretely, quantum compung puts the security of (When) Does it maer? today’s prominent key establishment mechanisms RSA and Today’s public key cryptography will need replacing in the (EC)DHE at risk. Those schemes must therefore be re- face of praccal quantum compung. But when do we placed as soon as the data they protect is required to be need to act, and will we be ready? Answering these ques- confidenal for longer than the minimal feasible me for ons mainly depends on three factors: quantum compung to become praccal. We will look into this in Praccality of quantum compung below. • The characteriscs of the system to be protected. Confidenality of data at rest • The progress towards praccal quantum compung. In addion to the security of ephemeral encrypon used • The development of Post-Quantum Cryptography. in protocols such as TLS, we have to consider the confi- The present secon describes each aspect in more detail, denality of encrypted data at rest. Such data will usu- but here is the boom line, in terms of confidenality: ally be encrypted with a symmetric encrypon scheme Suppose we require confidenality of our data for c such as AES, and as discussed in The impact on symmetric years and that quantum computers may break RSA/ECC cryptography, those schemes are currently expected to in q years. If c > q, we’re in trouble today. Otherwise, remain suitable in principle in the face of quantum com- we need to transion to PQC within the next q − c years. pung, but may require an increase of key sizes. So, if s is the me it takes to bring PQC to life, we are in Confidenality of encrypted data at rest is thus at risk trouble if s > q − c. Or, in the words of Michele Mosca: if both (a) and either (b.1) or (b.2) hold in the following: c + s > q If , then worry. (a) An aacker has gained access to the encrypted data So, should we worry? The confidenality requirement itself (for example, through a data breach) or inter- c q s depends on the data, and esmates for and are hard cepted a non quantum safe channel through which to obtain – we’ll go into details below. However, cau- the encrypted data was communicated (for exam- c = 20 ous esmates such as (data confidenality for ple, an RSA/ECC based TLS communicaon between 20 s = 10 years) and (PQC standardizaon and deploy- systems storing the encrypted data). ment in 10 years) show that even with q = 30 (quantum computers breaking RSA and ECC in 30 years) it’s me to (b.1) The aacker has also intercepted a non quantum think about and prepare the transion to PQC now. safe channel establishing or communicang the sym- metric key protecng the encrypted data at rest. What are you protecng? (b.2) The symmetric encrypon scheme uses key sizes Confidenality of data in transit which could make it vulnerable to polynomially im- proved quantum algorithms such as Grover’s algo- Data sent over an encrypted channel may be intercepted, rithm – for example, AES-128. stored and retroacvely decrypted if key material is later exposed through informaon leakage or through the ad- Prevenng (b.1) is an instance of protecng data in vent of an effecve aack against the underlying cryp- transit: at some point before the lifeme of the data at tographic scheme. Confidenality is therefore at risk as rest surpasses the me towards praccal quantum at- soon as an aack against the underlying cryptography is tacks, it needs to be re-encrypted with a key that is estab- conceivable within the meframe during which the data lished and communicated solely through quantum safe needs to stay confidenal. cryptographic mechanisms. This also prevents (b.2) if the It is important to understand that prevenng such a re-established keys are sufficiently long. Note that in this breach of confidenality requires changing cryptographic approach, the encrypted data chunks themselves need systems ahead of me, well before they can actually be not be considered confidenal.6 praccally aacked. Data access Example: Suppose a system uses a security protocol run over an insecure channel, such as TLS over the inter- An authencaon mechanism may fail to provide access net. Assume that the data has to remain confidenal control in the future if key material is exposed or if an at- for 20 years, and that a praccal threat to the proto- tack against the underlying primive is found. Concretely, col or the underlying cryptography is conceivable in 25 6An alternave approach is to treat the encrypted data itself years. Then the system needs to be upgraded no later as confidenal and only exchange it either out of band or through than 5 years in the future to maintain confidenality of through quantum safe channels. In this case, it is sufficient to re- the data it will handle at that point. If the data has to encrypt the data with a key established and communicated through quantum safe mechanisms at any point prior to quantum compung remain confidenal for more than 25 years, it is at risk praccally threatening today’s public key cryptography. today and systems should be upgraded immediately.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. quantum compung threatens today’s prominent signa- Ulmately, there are too many technical, economi- ture schemes RSA and (EC)DSA, so it must be ensured cal and polical unknowns to allow for an accurate pre- that those schemes are no longer in use when quantum dicon of when we might see quantum computers ca- compung has become praccal. pable of running Shor’s algorithm, but esmates range To migate the threat to authencaon, authenca- from 10 years in the worst case to 30 years or more in on soware should be kept upgradable to allow replace- the best case. While this might seem far away, it is im- ment once praccal aacks become available. portant to realize that dimensions of the same order of Note that in contrast to the threat to confidenality, magnitude apply to the confidenality requirements of it is not necessary to upgrade the soware ahead of me. data and communicaons – as discussed in the previous However, where soware upgrades are not possible, a secon What are you protecng? – and to the develop- quantum safe authencaon mechanism needs to be de- ment and transioning to Post-Quantum Cryptography– ployed today. as we’ll discuss in the next secon. We highly recommend [NM19] for further reading. Example: Consider a long-lived IoT device. To allow soware to be patched over me the system allows Availability of quantum safe cryptography remote firmware upgrade. The firmware itself has to be signed by the vendor to be accepted by the device, Given a system’s security requirements, as well as a guess and special firmware verificaon code is responsible for for when quantum compung could break RSA/ECC, we checking the validity of the signature. If this firmware infer when Post-Quantum Cryptography needs to be avail- verificaon code itself is immutable, a quantum safe sig- able and put in place. For example, if we predict a quan- nature mechanism needs to be deployed today. Secon tum computer running Shor’s algorithm in 30 years, and Problem: Firmware updates elaborates on this. we would like our data to remain confidenal for 25 years, Post-Quantum Cryptography should be made available in the next 5 years. But what does availability entail? Praccality of quantum compung Bringing cryptography to life Quantum compung received widespread aenon when Google [Aru+19] announced quantum supremacy: they Introducing cryptographic change is a long-lived and mul- built a 54-qubit quantum computer capable of perform- faceted process, encompassing at least the following: ing an arficial computaonal task in 200s for which it (a) Cryptographic research was argued that no available classical computer would be (b) Standardizaon able to solve it in less than 10,000 years. (c) Development of secure implementaons While quantum supremacy was an important mile- (d) Plaorm development (e.g. accelerators or ISA) stone, today’s quantum computers are sll far away from (e) Integraon into exisng infrastructure being able to break RSA or ECC. Specifically, from an en- (f) Public Awareness gineering perspecve, the following problems need to be (g) Educaon overcome to reach the point where quantum computers (h) Deployment can run complex quantum algorithms such as Shor’s: What’s more, most of those aspects mulply with the (a) Controlling a larger number of physical qubits. number of proposals for “quantum safe” cryptography, of (b) Controlling errors accumulated during operaon via which there are dozens, as we will see. In other words: quantum error correcon, ideally giving rise to error- developing and transioning to PQC is a lot of work. free logical qubits built from a set of physical qubits. In order to guide and structure these parallel streams of research on Post-Quantum Cryptography and narrow (c) Providing quantum random access memory (QRAM) down the range of PQC primives, standards bodies have for intermediate results and for efficient conversion launched various projects, working groups and compe- of classical data into quantum states. ons around PQC, the most prominent of which is the NIST PQC project which we will look into next. Solving those challenges is going to be a very expensive, mul-year process, funding and enthusiasm for which will NIST PQC project also depend on when “praccal” quantum supremacy will demonstrate that quantum compung can solve compu- Overview taonal problems of commercial value. Interesngly, the In December 2016, the US Naonal Instute of Standards very transion to Post-Quantum Cryptography might be and Technology (NIST) iniated the PQC project guiding a weakening force in the development of quantum com- the development, evaluaon and standardizaon of pub- pung which PQC protects against. lic key cryptography secure in the advent of quantum com- puters. We will refer to this process as the NIST PQC

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. project. The goal is the standardizaon of a set of quan- prevent those devices from being compromised when quan- tum safe key encapsulaon and signature schemes. tum computers become a reality, a quantum safe signa- ture mechanism should be used for firmware updates. Background Luckily, while general-purpose quantum safe signa- ture schemes are sll in development under the NIST PQC NIST has a history of conducng processes leading to the project, the infrequent use of firmware signatures allows standardizaon of cryptography: examples are the stan- us to consider the use of a restricted but more mature dardizaon of the Rijndael block cipher as AES in 2001 class of signature schemes called stateful signatures. and the standardizaon of the Keccak hash funcon as SHA-3 in 2015. NIST currently also runs the Lightweight The project Cryptography compeon as well as The NIST hash-based signatures project described below. NIST runs the Stateful Hash-based Signatures project, the goal of which is to standardize one or more stateful hash- Timeline based signature schemes. Those are very mature signa- ture schemes, but they come with two severe limitaons: The meline for the NIST PQC project is as follows: • The private key evolves with every signature, and ac- ✓ Call for proposals: Dec ’16 - Nov ’17 cidental duplicated use of the same private key breaks ✓ Round 1: Dec ’17 - Jan ’19, 69 complete submissions. the security of the scheme. ✓ Round 2: Jan’ 19 - Jul ’20, 26 candidates remaining. • They are finite-use: aer a pre-defined number of signatures and associated private key evoluons, the – Round 3: Since July 2020, 15 candidates remaining, 7 private key becomes unusable. “finalists”, and 8 “alternate candidates”. ⇒ Dra standards from finalists track available: ’22-’23. While those properes render stateful hash-based signa- tures unsuitable for many domains – and exclude them ⇒ Round 4: TBD, focusing on “alternate” track from being considered in the NIST PQC project – they are ⇒ Potenal amendment of standard: TBD potenally acceptable in the aforemenoned use cases.

Current status and expected outcome Expected Outcome On July 22nd 2020, NIST announced the 15 candidates It is strongly expected that the project will result in the for Round 3 of the NIST PQC project. They’re split in two standardizaon of two schemes called LMS and XMSS, separate tracks: a ’finalists’ track comprising 7 schemes and NIST has already published a dra standard. – 4 key encapsulaon mechanisms and 3 signature sche- mes – and an ’alternate’ track comprising 8 schemes – 5 The NIST PQC project is only the beginning key encapsulaon mechanisms and 3 signature schemes. At the end of Round 3, NIST expects to standardize A standard is only one step in the transion towards PQC: one or two KEMs and one or two signature schemes from hardware and soware implementaons need to be pro- the finalists track. The candidates from the alternate track vided, integraon of PQC into standards such as TLS and will be subject to further analysis in a fourth round, and X.509 developed and implemented, tests run at various may be added to the standard at a later point. scales. Then, with sufficient public awareness of the need Considering the impact of previous projects, e.g. the for PQC, it will gradually find its way into mainstream use. standardizaon of AES and SHA-3, it is expected that the The potenal duraon of this process should not be outcome of the NIST PQC project will have a major impact underesmated: for example, ECC was proposed in 1984, on which PQC schemes will find their way into widespread standardized as a standalone primive in 1999 and 2000, use. integrated into TLS in 2006, and despite smaller keys and lower computaonal complexity than RSA, it took over The NIST hash-based signatures project a decade for it to become widely supported and used. Even today, the majority of server cerficates on the in- Problem: Firmware updates ternet use RSA signatures. A more encouraging exam- ple is TLS 1.3, which was standardized in 2018 and as of As explained in Secon What are you protecng?, there August 2020 is already supported by 32% of major web is potenal need to use PQC today when deploying long- servers7. In contrast to ECC and TLS 1.3, though, PQC lived systems that cannot be updated. affects performance in a negave way (see Resource us- One important example of long-lived immutable au- age: No “one size fits all”), which will likely slow down its thencaon arises in the deployment of IoT devices with adopon further. firmware update mechanisms: in this context, the firm- ware verificaon code itself might not be updatable. To 7Source: SSL Pulse

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Libraries for PQC The 15 candidates remaining in Round 3 of the NIST PQC project cover all of those categories, but only the There are a number of libraries to choose from when bench- categories marked with an ∗ are represented by candi- marking and tesng PQC primives, including: dates in the finalist track of Round 3 — see Figure 5. • libpqcrypto consolidates implementaons from NIST As can be seen, 5 of the 7 finalists of the NIST PQC PQC submissions, providing a unified API and tesng project are based on structured laces, and it is con- framework. It is part of the PQCRYPTO project. sidered highly likely that at least one structured-lace based key encapsulaon mechanism and one structured- • OpenQuantumSafe (OQS) provides both a PQC library lace based signature scheme will be standardized at the libOQS and an integraon of the supported PQC prim- end of Round 3. ives into OpenSSL and OpenSSH.

• pqm4 is a PQC library for Cortex-M4, including a test- Isogeny-based

Code-based Unstructured lattices ing and benchmarking framework for the STM32F4 1 Discovery board. It too is part of the PQCRYPTO project. 3 1

1 • The SUPERCOP benchmarking framework contains nu- merous opmized implementaons of PQC primives. 1

Multivariate 2 This list is for convenience of the reader only and is 5 6 not an endorsement by Arm. Structured lattices 2

Symmetric Taxonomy of

Post-Quantum Figure 5: Categorizaon of remaining candidates of Round 3 of the NIST PQC project. Outer circle: Finalist Cryptography + Alternate track. Inner circle: Finalist track only. Note the dominance of Structured Laces. In this secon, we give an overview over the main classes of cryptographic primives that have been suggested for Post-Quantum Cryptography. The purpose is solely to Maturity give the reader an impression of the varied landscape of PQC and it is not assumed that the names of the different Most PQC families are new in the praccal sense that classes mean anything to the reader. Readers interested they are not currently in widespread use, nor do they in some technical content will find a short introducon to rest on the same foundaons as today’s prevalent cryp- the ideas behind lace-based cryptography in Appendix tography — the only excepon is public key cryptogra- B: An introducon to lace-based cryptography. phy based on symmetric primives, such as hash-based signatures. Theorecally, however, they all predate the Overview increased focus on Post-Quantum Cryptography as trig- gered by the NIST PQC project by mulple years: While numerous proposals for quantum safe public key cryptography have been brought forward during the NIST • Code-based cryptography goes back to McEliece’s work PQC project, promising candidates can roughly be cate- in 1978 [McE78], using so-called Goppa-codes. It is gorized as follows: considered secure but has not found widespread use

∗ because of its large keys. The use of quasi-cyclic codes • Lace-based cryptography to reduce key sizes was first considered in 2005 [Gab05]. – Unstructured • Hash-based signatures (which falls under the last cat- – Structured∗ egory) go back to Lamport-Diffie and Merkle in 1979 ∗ [Lam79; Mer79], and they are aracve since their se- • Code-based cryptography ∗ curity is based on the existence of secure hash func- – Goppa-codes ons alone. – Quasi-Cyclic codes • “Unstructured” lace-based cryptography has its roots • Supersingular ellipc curve cryptography in a seminal paper by Ajtai in 1996 [Ajt96]. The famous • Mulvariate cryptography∗ “learning with errors” (LWE) problem, which lies at the • Public-key cryptography from symmetric primives heart of many lace-based PQC schemes, was intro- duced by Regev in 2005 [Reg09].

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. • The more efficient sibling of unstructured laces are CC20] or X.509 [Kam+18; Bin+17; Tru+18] are in acve so-called “structured” laces. The NTRU family of cryp- development. tographic schemes was introduced in 1996, while the number-theorec “ring learning with errors” (RLWE) [LPR13] variant of the LWE problem was first consid- ered for cryptographic purposes in 2010. The increased 104 efficiency of structured lace based schemes comes at the cost of a less well studied hardness assumpon, and quantum algorithmic progress has been made in this field recently [CDW16], sending a note of cauon. 103

• Supersingular ellipc curve cryptography is a relavely Quasi-Cyclic codes young field: the use of supersingular ellipc curves for Ciphertext (Bytes) Goppa codes Unstructured lattices cryptography was first proposed in 2011 [JD11]. 102 Structured lattices Isogenies • Mulvariate cryptography was first proposed by Mat- RSA (not PQ-safe) sumoto and Imai in 1988 [MI88], and the main ideas ECC (not PQ-safe) 102 103 104 105 106 underlying some of the NIST PQC candidates in this Public key (Bytes) field were developed in the late 1990’s. Figure 6: Public key size and Encapsulated Secret size for The ideas behind many PQC schemes are therefore Key Encapsulaon Mechanisms from Round 3 of the NIST not new. Most concrete instanaons proposed for the PQC project. Filled markers represent the finalist track. NIST PQC project, however, are young, and carefully re- viewing parameters and security arguments for each can- didate is a me and resource consuming collaborave un- dertaking. During the two completed rounds of the NIST Resource usage: No ``one size fits all'' PQC project, the review process has uncovered numer- ous issues in proposed PQC schemes, and it may well con- In this secon we survey the performance characteriscs nue to do so in the remainder of the NIST PQC project. of the PQC families menoned above. The takeaway is Beyond the abstract security of cryptographic sche- that there are no candidates for PQC which come close to mes, quesons of implementaon security arise, for ex- current public key cryptography in terms of both size of ample: Which schemes lend themselves to side-channel cryptographic material and performance. Instead, each resistant (for example, constant-me) implementaons? family has its strength and weaknesses, making it more What are potenal pialls? How can we test or verify suitable for some applicaons, and less so for others. the correctness of an implementaon? Answering those As a reference, we consider RSA and ECC: RSA-2048 quesons is essenal for the development of trustwor- uses keys and ciphertexts/signatures of size 256B, while thy PQC implementaons and an acve area of research. for Curve25519 and Ed25519 they are as small as 32B. See e.g. [PQC19] for an interesng discussion. Moreover, opmized implementaons allow for the use Unl the review process has led to sufficient confi- of ECC on microcontrollers which are constrained both in dence in a set of PQC schemes and their implementa- terms of their memory and computaonal abilies. ons, the use of Post-Quantum Cryptography today has Now to the numbers for PQC: Figures 6, 7, 8, 9, 10 to be approached with great cauon. give an impression of the resource characteriscs for the Key Encapsulaon and Signature schemes considered in Hybrid modes the two tracks of Round 3 of the NIST PQC project, grouped by the family of schemes.9,10 Where long-lived data requires protecon by quantum safe cryptographic mechanisms today or in the near fu- Note: The numbers underlying those graphs are for one ture, so-called hybrid schemes should be used. Those specific plaorm. Moreover, NIST PQC candidates are hybrids combine a classical scheme like ECC with one or evolving over me, both in terms of their specificaon more conjecturally quantum safe PQC schemes and are and in terms of opmized implementaons for various therefore expected to be at least as secure as the chosen plaorms. Different plaorms and/or beer (future) 8 classical scheme. implementaons will likely lead to improvements. Various standards for the integraon of such hybrid modes into security protocols such as TLS [CC20; SFG20; 9Source: SUPERCOP benchmarking framework, version supercop-20200702, machine aarch64; A53 (410fd034); 8Germany’s Federal Office for Informaon Security has re- 2018 Broadcom BCM2837B0; 4 x 1400MHz; pi3bplus. cently recommended the use of hybrid modes with the mature 10The logical size of cryptographic material is not necessarily a but resource-expensive schemes McEliece (Round 3 finalist) and lower bound on an implementaon’s RAM usage, since it might be FrodoKEM (Round 3 alternate) where quantum safe cryptography is possible to process data gradually. For example, it has been demon- required already today [BSI20]. strated that the SPHINCS signature scheme can be implemented using 16kB of RAM despite signatures being 41kB in size [HRS15].

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Quasi-Cyclic codes Quasi-Cyclic codes Goppa codes Goppa codes Unstructured lattices Unstructured lattices 5 10 Structured lattices 108 Structured lattices Isogenies Isogenies RSA (not PQ-safe) RSA (not PQ-safe) ECC (not PQ-safe) ECC (not PQ-safe) 104 107

103 Secret Key (Bytes) 106 Encapsulation (Cycles)

102 105

102 103 104 105 106 105 106 107 108 109 1010 Public key (Bytes) Key generation (Cycles)

Figure 7: Public key size and Secret key size for Key En- Figure 9: Cycles for Key Generaon and Key Encapsula- capsulaon Mechanisms from Round 3 of the NIST PQC on for Key Encapsulaon Mechanisms from Round 3 of project. Filled markers represent the finalist track. the NIST PQC project, measured on a Cortex-A53. Filled markers represent the finalist track.

Structured lattices Hash-based signatures 106 ECC (not PQ-safe) Multivariate 1010

105 109

104 108

Signature (Bytes) 103 107 Sign (Cycles)

106 102 Structured lattices Hash-based signatures 105 101 ECC (not PQ-safe) 101 102 103 104 105 106 Multivariate Public Key (Bytes) 104 104 105 106 107 108 109 1010 Keygen (Cycles) Figure 8: Public Key Size and Signature size for Signature schemes from Round 3 of the NIST PQC project. Filled Figure 10: Cycles for Key Generaon and Signing for Sig- markers represent the finalist track. nature schemes from Round 3 of the NIST PQC project, measured on a Cortex-A53. Filled markers represent the finalist track. The following rough observaons can be made:

• Isogeny-based cryptography comes closest to RSA/ECC penales of around an order of magnitude compared in terms of the size of cryptographic material, with key to their structured siblings. and ciphertext size of around 400B for SIKE-p503. Its • Hash-based signatures schemes have small public keys, weakness is the large computaonal complexity. but comparavely large signatures. • Code-based schemes oen have large public keys (most- ly between 10kB and 1MB), but score with smaller pri- We conclude that for every metric there are candi- vate keys or ciphertexts. For example, the McEliece dates performing well in that metric, but that no candi- schemes have short 128B ciphertexts, while schemes date PQC scheme comes close to the characteriscs of based on quasi-cyclic codes have short private keys. classical public key cryptography in all of them. • Most mulvariate signatures have large public keys (be- Judging resource characteriscs only, structured lat- tween 10kB and 1MB) but offer very small signatures. ces appear to hit a sweet spot: their computaonal com- • Structured Laces have given rise to a large number plexity is in the range of ECC, and keys of a few kB are of PQC proposals with acceptable performance char- likely praccal for most plaorms, despite being more acteriscs in any metric. than an order of magnitude larger than those of ECC. • Candidates based on unstructured laces pay for their stronger mathemacal foundaons with performance

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. What to do now? Step 3: Overprovision resources Crypto-agility is only useful if your system is able to ac- Quantum compung threatens the public key cryptosys- commodate future cryptographic primives. As we have tems in use today, and a variety of proposals for quantum seen in Resource usage: No “one size fits all”, PQC is more safe cryptography are being developed and scrunized resource hungry than classical crypto, so it is important to under the guidance of the NIST PQC project. However, overprovision systems with sufficient resources so they dra standards are not expected before 2022/2023, and can host whatever PQC scheme(s) prevail. while candidates have been narrowed down significantly It is likely that Round 3 of the NIST PQC project will for Round 3 of the NIST PQC project, one cannot yet pre- lead to the standardizaon of structured lace schemes: dict which precise schemes will ulmately prevail. other Round 3 finalists have large public keys which limit In this state of uncertainty, it is premature to deploy their uses, while NIST aims to offer schemes that cover a systems stacally bound to the use of a parcular PQC wide range of applicaons. Schemes based on structured primive: doing so not only introduces the risk of the sys- laces have similar performance to ECC, and keys of a tem failing to meet its security goal due to advances in few kB seem acceptable even on smaller systems: cryptanalysis, but also endangers interoperability if the chosen scheme does not prevail. Recommendaon: At the least, we recommend sys- tems be overprovisioned to be able to host the Round Recommendaon: 3 finalists based on structured laces. Do not rely on pre-standardized cryptography. However, as menoned before, schemes based on Step 1: Know your data structured laces pay for their comparably small key sizes with their reliance on assumpons whose hardness on a Define and track which data needs protecng and for how quantum computer is not yet well understood, and for long it has to stay confidenal. Understand which sys- which recent progress has been made. tems are involved in generang, processing and commu- nicang the data, and esmate those systems’ lifemes. Recommendaon: Where possible, we recommend Finally, assess which key establishment, encrypon and systems be overprovisioned to also be able to host al- authencaon schemes protect against unsolicited access, ternate track candidates of Round 3 of the NIST PQC and esmate their lifeme. project, in parcular as the unstructured lace key en- The availability of such data and algorithm ’expiraon capsulaon scheme FrodoKEM or the hash-based sig- labels’ can then be used to implement security infrastruc- nature scheme SPHINCS+. ture which ensures that data is protected by cryptogra- phic mechanisms that are expected to be secure for the Step 4: Use stateful hash-based signatures lifeme of the data. As a result, systems would in parc- for immutable authencaon ular: Use the stateful hash-based signatures LMS/XMSS for au- • Switch to quantum safe schemes for the establish- thencaon mechanisms that cannot be updated, such ment of keys used to secure the communicaon of as immutable firmware verificaon code. See Problem: confidenal data, before the lifeme of the data sur- Firmware updates. passes the me towards praccal quantum aacks. • Switch to quantum safe authencaon schemes be- Step 5: Trial the use of PQC fore classical authencaon schemes become vulner- able to praccal quantum aacks. Assess crypto-agility and the ability to run various PQC primives, as well as security infrastructure such as TLS • Re-encrypt encrypted data at rest with a fresh key es- building on them, in a test environment. tablished and communicated through quantum safe Hybrid modes are potenally even suitable for in-field schemes, before the lifeme of the data surpasses use.11 However, don’t forget about implementaon se- the me towards praccal quantum aacks. curity when using hybrid implementaons and ensure that the underlying classical implementaon is well-established See What are you protecng? for more informaon. and considered secure. See Libraries for PQC for references. Step 2: Crypto-agility

Ensure that security infrastructure supports changing the available cryptographic schemes and their assessment of security. For example, designers of IoT systems should 11A well-known example for such a test are Google’s and Cloud- ensure that devices support remote firmware upgrades. flare’s experiments trialling the use of hybrid modes in TLS.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Problem (RSA factoring problem). Given the product n = What is Arm doing? p · q of two large primes p, q, find p, q. Arm is following the numerous aspects of research on Problem (Discrete Logarithm Problem — DLP). Given a PQC and the NIST PQC project very closely. Moreover, group G and elements g, h ∈ G with h = ga for some Arm is acvely working on the following topics: a ∈ Z, find such an a.

• Arm is contribung to the development of the lace- Classically, the group G is either a subgroup of the based CRYSTALS-Kyber key encapsulaon scheme, which mulplicave group of a prime field Fp, or a subgroup of reached the finalist track of Round 3 of the NIST PQC the group of points on an ellipc curve. project. Arm is also involved in NewHope, which reached The main observaon is that both the RSA factoring Round 2 of the NIST PQC project. and the DLP problem can be reduced to finding the peri- odicity of a known funcon: • Arm is working to ensure that promising PQC sche- mes work well on Arm technology. Observaon. The Discrete Logarithm Problem for (G, g, h) reduces to finding the periodicity of the funcon • Arm is exploring support for PQC in the Mbed TLS se- curity soware stack, with emphasis on usability on α β fG,g,h :(α, β) 7−→ g /h : Z × Z → G. resource constrained IoT devices. Namely, for h = gγ the periodicity of f is (γ, 1): • Arm is invesgang PQC within the context of the PSA G,g,h Cerfied security framework and open security stan- α+γ β+1 fG,g,h((α, β) + (γ, 1)) = g /h dards such as the IETF working group for Soware α β · γ Updates for Internet of Things (SUIT). = g /h g /h = fG,g,h(α, β). For more informaon, contact [email protected]. Observaon. The RSA factoring problem reduces to find- ing the periodicity of the funcon

e Appendix A: How fn,x : e 7−→ x : Z → Z/nZ quantum computers for x ∈ Z/nZ with gcd(x, n) = 1.

Here is the argument in a nutshell: If fn,x is d-periodic threaten RSA & ECC and 1 ≠ x ∈ Z/nZ with gcd(x, n) = 1, we have

In this secon, we give an overview of how the quan- d 1 = fn,x(0) = fn,x(0 + d) = x . tum computaonal model allows for the construcon of polynomial-me algorithms breaking RSA and ECC. Now, for 75% of all x, all such d will be even — we omit The exposion is occasionally deliberately imprecise the proof here — so going through d, d/2, d/4, ... we at the benefit of brevity and intuion, and the goal is that then find f s.t. y := xf ≠ 1 and y2 = x2f = 1. In other the reader will get an impression of the main ideas and words, y2 − 1 = (y − 1)(y + 1) is a mulple of n, and for share our fascinaon for the field. We refer to [NC11; 50% of choices of x this will give away the factorizaon NM19] for more informaon. of n via p = gcd(y  1, n) or q = gcd(y  1, n) — again We assume familiarity with and readiness for some we omit the details. mathemacal notaon, as well as familiarity with the no- Abstracng from both observaons, we therefore gain on of a group. Z/nZ denotes the ring of integers mod- interest in understanding the following problem: ulo n, where addion and mulplicaon are computed modulo n: for example, 3 · 5 = 15 = 2 in Z/13Z, or Problem (Hidden Subgroup Problem). Assume that we f : G → X 3 · 5 = 15 = 0 in Z/15Z. Fp is another name for Z/pZ are given a funcon from some abelian group ⊆ in case p is a prime. G to a set X, and that there is a subgroup H G such that f is H-periodic, i.e. f(x + t) = f(x) if and only if ∈ The hidden subgroup problem t H. The hidden subgroup problem is to find H. The above observaons can therefore be restated as Both RSA and the discrete logarithm problem can be re- saying that the RSA factoring and the DLP problem can be duced to special cases of what is called the hidden sub- reduced to the hidden subgroup problem for G = Z and group problem, and Shor’s algorithm provides a strategy G = Z × Z, respecvely. for solving the laer. We begin by recalling the RSA and We next explain how the hidden subgroup problem discrete logarithm problems. can be approached in the quantum computaonal model.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. The state space of quantum compung |011⟩ |111⟩ |011⟩ |111⟩ |010⟩ |110⟩ |010⟩ |110⟩ The unit of informaon in classical compung is the bit, which can have value 0 or 1 — in other words, the state |001⟩ |101⟩ |001⟩ |101⟩ space of a single bit is {0, 1}. Similarly, the state space of |000⟩ |100⟩ |000⟩ |100⟩ n bits is {0, 1}n, with each bit being either 0 or 1. In (universal) quantum compung, in turn, the basic 3 unit of informaon is the qubit. In contrast to a bit which Figure 11: 3-qubit states as subsets of the cube {0, 1} . is either in state 0 or in state 1, a qubit is in state 0 or 1 Le: pure. Right: non-pure/entangled/in superposion only with some probability — as a simplified model, one |(00, 11)⟩ |(10, 11)⟩ |(01, 11)⟩ |(11, 11)⟩ |(00, 11)⟩ |(01, 11)⟩ |(10, 11)⟩ |(11, 11)⟩ can think of the state space of a single qubit as the set {0, 1} of probability distribuons on . The classical states |(00, 01)⟩ |(10, 01)⟩ |(01, 01)⟩ |(11, 01)⟩ |(00, 10)⟩ |(01, 10)⟩ |(10, 10)⟩ |(11, 10)⟩ 0 or 1 can be viewed as “pure” qubit states where the qubit is certainly in state 0 or 1, respecvely, but equally |(00, 10)⟩ |(10, 10)⟩ |(01, 10)⟩ |(11, 10)⟩ |(00, 01)⟩ |(01, 01)⟩ |(10, 01)⟩ |(11, 01)⟩ a qubit might be 0/1 with probability 75%/25% — those states are said to be a superposion of the classical states. |(00, 00)⟩ |(10, 00)⟩ |(01, 00)⟩ |(11, 00)⟩ |(00, 00)⟩ |(01, 00)⟩ |(10, 00)⟩ |(11, 00)⟩ Similarly, a configuraon of n qubits can be in any clas- sical/pure state x ∈ {0, 1}n with some probability, and a simplified model for the state space of n qubits is thus Figure 12: 4-qubit states as subsets of the 4 × 4-square n ∼ the space of probability distribuons on {0, 1} .12 {0, 1}4 = {0, 1, 2, 3}2. Le: Uniform subset with equal The actual state space model for a qubit adds a phase probability for all points. Right: Non-uniform distribuon. shi to the probabilisc model: for a single qubit, the state is not a pair (p0, p1) of probabilies for state 0 and only individual points what gives quantum compung its 1, respecvely, but a pair of complex numbers (α0, α1) ∈ 2 2 2 power. H := C such that |α0| + |α1| = 1, and the pi are re- 2 13 Finally, a qubit can be measured. Measurement ran- covered as |αi| . The usual notaon is α0|0⟩ + α1|1⟩ domly collapses a qubit into one of the pure states |0⟩ with |0⟩ = (1, 0) and |1⟩ = (0, 1). Similarly,∑ the state or |1⟩, with the probabilies for each represented by the space for n qubits is a linear combinaon ∈{ }n αx|x⟩ ∑ x 0,1 qubit state itself. For example, on measurement, the qubit such that |α |2 = 1, and the underlying probabilies x x 3 |0⟩ + 4 |1⟩ would collapse to |0⟩ with probability 9 = |α |2 n 5 5 25 are recovered as x . Valid state transions between - 36% and to |1⟩ with probability 16 = 64%. qubit states are modeled as length-preserving (unitary) 25 linear maps.14 A summary of the various views on classical and quan- The HSP on a Quantum Computer tum state spaces is given in Figure 16. The blueprint to approach the hidden subgroup problem For the rest of this chapter, we will geometrically de- in the quantum computaonal model is remarkably sim- pict qubits by displaying pure states as points and super- ple and we will describe it in this secon. posions as sets of colored points. For example, the state Assume the context of the HSP: f : G → X is a of three qubits can be interpreted as a subset of cube of funcon with periodicity H ⊆ G, and we would like to unit length as depicted in Figure 11, or the state of four find H. Recall that f having periodicity H means that for qubits can be interpreted as a subset of a square of length x, t ∈ G we have f(x + t) = f(x) precisely if t ∈ H. 4 as depicted in Figure 12. In general, roughly speaking an enre subset of a k-dimensional object with l bits pre- cision in each dimension can be represented by a single Step 1: Uniform superposion over domain kl-qubit configuraon. It is this ability to represent enre We start with a qubit state represenng G uniformly. That subsets where classical compung allows us to represent is, each x ∈ G occurs equally likely with probability 1/|G|. 15 12Already in this simplified probabilisc model one can observe The state is depicted on the le in Figure 13. the important property of quantum entanglement: describing the state of n+m qubits is not equivalent to individually describing an n- Step 2: Compute f in a separate register qubit and an m-qubit state. In probabilisc terms, the states that can be decomposed in this way correspond to probability distribuon on In the second step, we ’tag’ each x with its image f(x) { }n+m 0, 1 where the first n and last m coordinates are independent, under f. This is, we apply x 7→ (x, f(x)) to the uniform but not every distribuon on {0, 1}n+m has this property. 13The state space of just a single qubit is of remarkable complexity state constructed in the previous step. This state is de- 16 and beauty: it is a 3-dimensional sphere, and ignoring phase shis picted on the right in Figure 13. reduces it to the 2-dimensional Bloch sphere by means of the Hopf ∑ 15 √1 |x⟩. Algebraically, this is the state | | fibraon. G x∈G 14 ∑ The complex-linear model allows us to observe another impor- 16 √1 |x⟩|f(x)⟩. Algebraically, this is | | tant property, namely no-cloning: the cloning map x 7→ x⊗x : H → G x∈G H ⊗ H is not linear.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Step 5: Measure & Repeat At this point, we have constructed the superposion over the periodicity subgroup H that we are trying to deter- mine. Measuring this state gives a single random ele- ment of H. Repeang Steps 1-5 produces arbitrarily many elements of H.

Keeping it honest

Figure 13: Le: Uniform superposion of domain G. The previous secons have swept many important details Right: Applying x 7→ (x, f(x)) ’tagging’ each point with under the rug, and readers interested in a more precise its image under f. Different colors represent different val- treatment may consult e.g. [RP11, Chapter 8] or [NC11, ues under f. Chapter 5.3]. Most importantly, implemenng the blue- print above in the case of RSA requires the knowledge of e a finite quoent Z/LZ s.t. the map fn,x : e 7−→ x : Z → Z/nZ is well-defined on Z/LZ, but it can be seen that this is as hard as the original problem. Instead, one chooses a sufficiently large L and observes that, albeit no longer exact, the blueprint sll allows us to extract the desired periodicity with sufficiently high probability. Figure 14: Various level-sets of periodic funcon af- ter measuring value-register in uniform superposion of (x, f(x)). Appendix B: An

Step 3: Measure the tag to obtain level-set introducon to Given the superposion over (x, f(x)), we now ’mea- lace-based sure’ the qubits describing the value f(x). This collapses the superposion of all (x, f(x)) to a superposion of those (x, f(x)) where f(x) is a random but fixed value in cryptography the image of f. That is, we obtain a random, non-empty In this appendix, we give a brief introducon to some −1 level-set f (f(x)) = x + H for some x ∈ G. Some of ideas behind lace-based cryptography. We begin with those states are depicted in Figure 14.17 a gentle and hopefully intuive journey from the classi- cal Caesar and Vigenère ciphers to the main idea behind Step 4: The Quantum Fourier Transform symmetric encrypon based on the fundamental learn- ing with errors (LWE) problem. We will then explain that At this point, we have constructed the superposion of this scheme is a homomorphic encrypon scheme and a random level set x + H. Those level sets are all H- how this property allows to construct a public key encryp- periodic in the sense that shiing them by t ∈ H does on scheme from it. In the final, slightly more technical not change them — this is depicted by the dashed arrows secons, we explain the relaon between LWE and classi- in Figure 14 — and the goal is to extract this periodicity. cal lace problems, which is a main source of confidence Extracon of periodicity is a job for the Fourier Trans- in the hardness of LWE, and hence the security of lace form, offering conversion between me to frequency do- based cryptography. mains, the numerous applicaons of which the reader In addion to modular arithmec in Z/nZ already might have come across before – as a nice example, see used Appendix A: How quantum computers threaten RSA the Tide-predicng machine. In the context of quantum & ECC, we assume that the reader is familiar with basic compung, it is a parcular powerful tool since the Fourier noons from linear algebra such as vectors, matrices, and Transform can be implemented in polylogarithmic me scalar products. RLWE will be explained at an intuive on a quantum computer — this is known as the Quan- level only, and beyond the noon a polynomial ring, no tum Fourier Transform (QFT). knowledge of number theory is necessary. We are oming the details here as they would go be- yond the scope of this arcle, but the interested reader is encouraged to look into [RP11, Chapter 7.8] or [NC11, Chapter 5] for details. ∑ 17 √1 |x + t⟩|f(x)⟩ x ∈ G Algebraically, this is | | for some . H t∈H

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. From the Caesar cipher to weak pseudo- Symmetric encrypon from weak PRFs random funcons While the above sounds — and, taken literally, is indeed Caesar and Vigenère — very naïve, it is at heart a sound procedure: A key k defines a secret funcon Fk, and encrypon The reader will undoubtedly have come across the fa- enck(m) := (h, m + Fk(h)) consists in choosing a ran- mous Caesar cipher: a plaintext is encrypted by shiing dom hint h and masking the message m with the fresh each leer a fixed number of posions. For example, ’passphrase’ Fk(h). In our example, k is the secret book, h is a page number, Fk(h) is the lookup of the inial let- pqcisreal ters on page h in book k, and + is Caesar shiing. De- ↓ Shi by 6 crypon is simply given by deck(h, c) := c − Fk(h). vwioyxkgr Intuively, this procedure is safe if the mask Fk(h) appears random, assuming the hints h are chosen ran- Of course, this is easily reversed. A slightly beer ap- domly. And indeed, the above is an informal descripon proach is the Vigenère cipher, which uses different yet of a well-known construcon of a symmetric encrypon repeang shis depending on which leer is being en- scheme from a weak pseudo-random funcon.18 crypted and encodes those shis in a passphrase: For example, the passphrase pqcisreal corresponds to the Definion. A weak pseudo-random funcon (weak PRF) {F } ∈K repeated shi sequence 15,16,2,8,18,17,4,0,11, giving is a family of funcons k k indexed by a key-space K such that an aacker cannot disnguish the stream shorsalgorithmbreaksrsaonaquantumcomputer h1,Fk(h1), h2,Fk(h2), . . . , k, hi randomly chosen ↓ pqcisreal from truly random data. hxqzkrpgzgyvpesvelzitasfrabjqpbmdgoxekvmj

This is beer than the Caesar cipher, but there are many Weak PRFs and Block Ciphers problems remaining: Weak PRFs are called ’weak’ since they are a relaxed vari- • Knowing any pair of corresponding plaintext and ci- ant of the definion of a pseudo-random funcon (PRF), phertext reveals the passphrase and allows an aacker where an aacker can choose the arguments hi to query to decrypt any other message protected by the same Fk on freely and adapvely, and on the basis of which passphrase. they should decide whether they are querying one of the Fk, or rather a random funcon. • The repeve nature of the shis allows us to recover The most popular examples of PRFs are block ciphers, the plaintext by analyzing leer frequencies. which are PRFs where all Fk are efficiently inverble. The most popular example of a block cipher in turn is the Ad- • Human readable passphrases are prone to brute force vanced Encrypon Standard AES. aack. Praccally relevant block ciphers oen have an ad- hoc construcon and heurisc, informal arguments of se- Alice goes to the library curity. Block ciphers with formal proofs (or rather, reduc- All of the above problems with the Vigenère cipher could ons) of security do exist, but are not usually of praccal be fixed by choosing fresh and truly random passphrases significance. As we shall see, lace-based cryptography with every encrypon and by spling the plaintext into opens the door to construcons of (weak) PRFs and their chunks as large as the passphrase. Those changes, how- associated cryptographic schemes which are both prov- ever, would render the scheme impraccal because all ably secure and of acceptable performance. those passphrases would need to be pre-agreed. An alternave is to sck with one passphrase per en- The LWE problem crypon, but to dynamically derive those passphrases from a public hint and some shared secret: for example, each Weak PRFs from Linear Algebra? passphrase could be the first word on a random page in At the heart of lace-based cryptography is the following a secret book both sides have agreed upon upfront, the extremely simple funcon family from linear algebra: hint to which would be the page number. Or, to avoid { } brute forcing the passphrase, as well as to harden the re- Definion. The funcon family Fs is indexed by vectors covery of the book from the knowledge of which words s of a fixed length, and defined by ∑ appear on which pages, one could form the passphrases ⊤ Fs(t) := st = siti, from the first leers of the words on the chosen page. i 18The momentarily considered approach of choosing for every en- crypon a truly random passphrase of the same size as the message to be encrypted, is nothing but the famous one-me pad.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. where t is another vector of the same length as s. But now a problem becomes apparent which the aen- ve reader will likely have spoed much earlier: our mask- This family {Fk} is not a weak PRF, since each Fs is 19 generang funcon Fs is not determinisc , and depend- linear while a randomly chosen funcon likely is not, so ing on our choice of ε — for example, we could pick ε = a an aacker can easily disnguish Fk from a random func- or ε = b — the result of the encrypon will be different. on by performing a linearity check. Concretely, the decrypon roune evaluates Fs(t) itself Somewhat surprisingly, adding noise/errors converts and might pick a different noise ε′, leading to {Fk} into what does seem to be a weak PRF: ′ dec (enc (ℓ)) = ℓ + (ε − ε ). Definion (Informal). Let s be a secret vector, and s s

⊤ This term equals ℓ in average, but may slightly deviate F (t) := st + ε, ε small fresh random error term. s from it each me. The learning with errors problem (LWE) [Reg09] asks us To summarize: on the one hand, the addion of noise to disnguish is essenal to make LWE hard. On the other hand, it pre- vents instanaon of the transformaon of weak PRFs t1,Fs(t1), t2,Fs(t2), . . . , s, ti random into symmetric ciphers as-is. We will study ways around this problem in the next secon. from truly random data. How to handle the noise? More precisely, the LWE problem LWEq,α is stated for vectors over Z/qZ for some q, and the noise ε is chosen There are mulple ways to handle non-determinism in from a discrete Gaussian distribuon with standard devi- the mask-generang funcon Fs. aon αq and mean 0. We refer to [Reg09] for the details, which are not relevant for our purpose. Method 1: Error correcng codes per leer Example: The simplest example of the LWE problem is Recall that encrypng and decrypng leads to the case where q = 2, where s, t are bitvectors and ′ decs(encs(ℓ)) = ℓ + (ε − ε ), Fs(t) = (s1 AND t1) XOR ... XOR (sn AND tn) XOR ε. so we only recover the leer ℓ approximately, up to a This is called the Learning Parity with Noise problem. small le/right shi. However, if we do not allow any let- ter ℓ as the plaintext, but restrict to a subset of leers at The reader is invited to pause and reflect on the re- sufficient distance, we are able to remove the noise ε−ε′ markable simplicity of the above candidate weak PRF, be- aer decrypon. Z Z ing ’just’ randomized linear algebra over /q . For example, if we only allow the noise ε to be a ≜ 0 or b ≜ 1, then decs(encs(ℓ)) differs from ℓ by at most Symmetric Encrypon from LWE: A first try one shi to the le or right, and restricng ℓ to the let- ters a, d, g, j, m, p, s, v allows to remove the decrypon We leave the queson of hardness of LWE aside for now noise: we would e.g. ’round down’ n to m, or ’round up’ u and consider how to instanate the construcon of a sym- to v. Of course, with growing noise we need to widen the metric encrypon scheme from a weak PRF using LWE. distances between leers, too, but the idea of essenally For concreteness, we consider q = 26 and idenfy applying an error correcng code in the plaintext alpha- Z/26Z = {a, b, c, . . . , x, y, z} as in the Caesar and Vi- bet stays the same. For example, if we would allow the genère ciphers — with respect to this idenficaon, Cae- noise ε to shi up to 6 leers we would need to restrict sar shiing is just addion modulo 26. The secret key s the plaintext leers to just ℓ ∈ {a, n} to be able to re- as well as the ’hint’ t are fixed-size vectors of leers, say move the noise. [p,q,c,i,s,r,e,a,l] [j,u,s,t,a,h,i,n,t] This idea appears in [GGH97] (based on [AD97]) and s = ≜ , t = ≜ . [15,16,2,8,18,17,4,0,11] [9,20,18,19,0,7,8,13,19] in [Reg04], and is used in the first LWE-based encrypon scheme by Regev [Reg09]. It also underlies the NIST PQC To encrypt a leer ℓ, we pick a small random noise term Round 3 Finalist CRYSTALS-Kyber: the ciphertext alphabet ≜ ε biased towards a 0, and compute is a large Z/qZ, while the plaintext alphabet is reduced to just {0, q } ⊂ Z/qZ, allowing for a large noise term ε enc (ℓ) 2 s which in turn hardens the underlying LWE problem. That ⊤ = st + ε + ℓ is, the plaintext is broken down into bits, and each indi- ⊤ q [p,q,c,i,s,r,e,a,l] [j,u,s,t,a,h,i,n,t] vidual bit is represented as either 0 or 2 and encrypted = ≜ · ≜ + ε + ℓ ⊤ under the LWE procedure. [15,16,2,8,18,17,4,0,11] [9,20,18,19,0,7,8,13,19] 1003 19 = ≜ + ε + ℓ = p + ε + ℓ. This is called a randomized weak PRF in the literature [App+09]. p

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Note that the width of the noise is a tradeoff between the sum of the two ciphertexts efficiency and security: the larger the noise, the harder ⊤ (at least intuively) the LWE problem. However, at the c1 + c2 = (t1 + t2, s(t1 + t2) + ε1 + ε2 + (ℓ1 + ℓ2)), same me a large noise requires a larger gap between ℓ + ℓ the allowed plaintext leers, and hence implies a larger is a valid encrypon of the sum 1 2 of the two plain- ε + ε plaintext to ciphertext expansion factor. texts — at least if the noise 1 2 is not too large. This extends to arbitrary sums and, more generally, Method 2: Leave gaps in the noise linear combinaons of more than two ciphertexts, as long The previous approach uses small noise terms and spreads as the coefficients of those combinaons are small enough out plaintext leers. Dually, we can use small plaintext to keep the noise value within its bounds — we do not 0 leers and spread out the noise terms instead: For exam- go into details. Considering encrypons of as a special ple, we could choose the noise ε from {a, d, g, j, m, p, s, v} case, we in parcular obtain: { } and the plaintext leer ℓ from a, b, c . Observaon. Small linear combinaons of encrypons of This approach is popular in the context of fully homo- 0 are again encrypons of 0. morphic encrypon [Gen09; BV11; BGV11]. We will also need the following: Method 3: Error correcng codes per word Observaon. (0, ℓ) is a valid LWE-encrypon of ℓ, ob- Error correcon at the level of individual leers requires tained by choosing 0 for both the hint t and the noise ε. a sufficiently large alphabet Z/qZ. In parcular, it does not work in the Learning Parity with Noise case q = 2. In- Encrypon which supports computaons on encryp- stead, one can apply error correcon at the level of words ted data which have a controlled effect on the underlying by approximately decrypng a sequence of leers and plaintexts is called homomorphic encrypon. If arbitrary then using an error correcng code at the level of such plaintext computaons can be performed on the corre- words. This idea was implemented in [GRS08]. sponding ciphertexts, the scheme is called fully homo- morphic. The above observaon can therefore be phrased as saying that LWE-based encrypon is naturally “addi- Method 4: Remove the noise - Learning with Rounding vely homomorphic” — and in fact, one can even con- One way to look at adding small amount of noise to a struct fully homomorphic encrypon based on LWE. mask is that it hides low bits, and the same could be achieved Depending on how one looks at it, homomorphic en- by removing those low-bits instead of randomizing them. crypon is either a defect or a feature: it is a defect in This is the idea of the Learning with Rounding (LWR) prob- the sense that it makes the scheme malleable — if you lem [BPR11], which replaces the randomized weak PRF do online banking, you would not want an aacker to be ⊤ ⌊ st⊤ ⌉ Fs(t) := st + ε by Fs(t) := r , where r measures able to fiddle with the encrypted transfer request to turn how many low-bits should be omied from st⊤. a $1,000 into a $1,000,000. On the other hand, it is a This approach is natural and brings us back to the feature in the sense that it allows one to offload compu- world of determinisc weak PRFs. It is at the heart of the taon to untrusted third pares. NIST PQC Round 3 Finalist SABER. Fully homomorphic encrypon is a fascinang field, but out of scope of this paper, so we will not go further Public Key Encrypon from LWE into it here. Suffice to say that apart from the dominance of (structured) lace-based cryptography in the Round 3 So far, we have only considered symmetric encrypon Finalist Track of the NIST PQC project, its use for fully ho- schemes based on the LWE problem, but — as detailed in momorphic encrypon is yet another reason why lace- The impact on symmetric cryptography — it is public key based cryptography is here to stay. cryptography that is threatened by quantum computers. In this secon we outline how LWE can be used as the Encrypons of 0 as public keys basis for a public key encrypon scheme. In the last secon we have seen that:

Homomorphic Encrypon • For any plaintext leer ℓ, the sum of (0, ℓ) and an ar- The LWE-based symmetric encrypon scheme has some bitrary encrypon of 0 is an encrypon of ℓ. remarkable properes: • ’Small’ linear combinaons of encrypons of 0 are Observaon. For encrypons of plaintexts ℓ1 and ℓ2, again encrypons of 0.

⊤ c1 := encs(ℓ1) = (t1, st1 + ε1 + ℓ1) This leads to the following idea of turning LWE into a ⊤ public key cryptosystem: c2 := encs(ℓ2) = (t2, st2 + ε2 + ℓ2),

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. n×m • As a public key, publish a set {ci} of encrypons of 0. Problem. Given a random matrix A ∈ (Z/qZ) with m ≫ n, the Short Integer Soluon (SIS) [Ajt96] problem • To encrypt ℓ, form a fresh encrypon of 0 via a ran- ⊤ asks us to find ’small’ vectors t ∈ (Z/qZ)m s.t. At = 0. dom ’small’ linear combinaon cfresh of the ci. The ⊤ encrypon of ℓ is (0, ℓ) + cfresh. Note that finding a small t with At = 0 is the same as finding collisions for the map • Decrypon is unchanged: given (t, c), the receiver ⊤ computes the mask Fs(t) = st + ε and removes t7→At⊤ {t ∈ (Z/qZ)m small} −−−−→ (Z/qZ)n. (∗) the noise from c − Fs(t) to recover the plaintext (the noise ε can in fact be chosen to be 0 here). Not only is this a remarkably simple candidate for a Note that decrypon does not involve the public key, collision-resistant funcon family, but note also that it is ⊤ ⊤ nor does it require recovery of the coefficients used to ’almost’ addively homomorphic — that is, At0 +At1 = ⊤ combine the ci. Indeed, as we shall see below, the laer A(t0 + t1) — with the caveat that the addion of ele- is a hard problem. ments of the le hand side of (∗) is only a parally de- fined operaon due to the smallness constraint. Some notaon This ’almost homomorphic’ one-way funcon turns out to be a powerful replacement for the classical ho- At this point it’s useful to introduce some common nota- momorphic one-way funcon e 7→ ge defining the Dis- on, simplifying subsequent discussions and helping the crete Logarithm Problem: For example, the “Fiat-Shamir reader interested in further literature study. ⊤ with Abort” [Lyu09] approach to lace signature sche- Each encrypon ci of 0 is of the form (ti, sti + ε), so mes used in the Round 3 Finalist CRYSTALS-Dilithium es- { } the public key ci can be expressed in matrix form as senally arises from the classical scheme 7→ e 7→ ⊤ pk = (A, b := sA + ε), by replacing e g with t At . ⊤ where A = [t1 . . . tn] and ε = [ε1 . . . εm]. The en- Hardness of LWE and laces crypon of a leer ℓ is then given by ⊤ ⊤ enc(A,b)(l) = (Aλ , bλ + ℓ), We have not touched on two obvious quesons: for a ’small’ random λ, and decrypon is given by • What evidence do we have that LWE/SIS are hard? − ⊤ decs(h, c) = decode(c sh ), • Why is this appendix called “Anintroducon to lace- where decode removes the noise as one of the ways dis- based cryptography” — where are the laces? cussed in How to handle the noise?. This is the way LWE-based cryptosystems are usually Laces and lace problems presented in the literature. An n-dimensional lace is a discrete subgroup Λ of Rn As a sanity check, let us ask: can an aacker learn Z { ⊤ } which spans it. Equivalently, it is the set of -linear com- anything about s from the public key (ti, sti + εi) ? n binaons of a basis {b1, . . . , bn} of R . Figure 15 shows No, since the very LWE assumpon says that the laer is an example of a two-dimensional lace together with indisnguishable from truly random data. one possible choice of basis. Two things can already be observed in that picture: The Short Integer Soluon problem Observaon. The lace generated by a basis can contain The reader might wonder: given a public key (A, b) and vectors that are shorter than the basis: in the figure, the an encrypon (Aλ⊤, bλ⊤ + ℓ) of some leer ℓ, can’t we shortest vector 3b − 2b is shorter than both b and b . recover λ⊤ from Aλ⊤ by linear algebra, and thereby de- 1 2 1 2 ⊤ duce also the mask bλ and finally ℓ? Observaon. The lace point closest to a vector given as The hidden complexity here is that while linear alge- an R-linear combinaon of a lace basis is not linked to ⊤ ⊤ bra allows us to find some vector µ s.t. Aµ = Aλ , we the basis coefficients in an obvious way: in the figure, the need a small one: assuming only Aµ⊤ = Aλ⊤, the real ≈ 2 − lace point closest to v 3 b1 is 2b1 b2. mask bλ⊤ and the candidate mask bµ⊤ differ by Those observaons are at the heart of the following ⊤ − ⊤ ⊤ ⊤ − ⊤ − ⊤ bλ bµ = sAλ + ελ sAµ εµ two central algorithmic problems about laces: = ε(µ − λ)⊤, Problem. Given Λ, the shortest vector problem (SVP) asks which is only within the allowed (and removable) range us to find the shortest non-zero vector in Λ. of noise provided that µ is a small vector. LWE-based public key encrypon — in fact, the LWE Problem. Given Λ, the closest vector problem (CVP) asks problem itself — therefore rests on the following prob- us to find the lace point closest to a given vector. lem:

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. n Suppose Λ ⊂ R is a lace with basis {b1, . . . , bn}, n and v ∈ R is a vector close to the lace point s1b1 + ... + snbn, si ∈ Z. We want to find s = [s1 . . . sn]. b 2 To reduce the problem to LWE, we use the following

b “measurement approach”: we pick an arbitrary “coordi- 1 n nate∑ funcon” φ : R → R and consider φ(v). Since ≈ 2 v 3 b1 ≈ v i sibi, we should also have 2b1 − b2 ∑ ⊤ φ(v) ≈ siφ(bi) = s · [φ(b1) . . . φ(bn)] . (∗) 3b1 − 2b2 i Doesn’t this look like a sample from the mask-generang ⊤ funcon Fs(t) := st + ε underlying LWE? If we gen- Figure 15: A 2-dimensional lace generated by {b1, b2}. erate a large number of those samples and invoke the assumed LWE-solver, we should be able to find s. Ul- mately, this idea turns out to be fruiul, but to make Both problems are usually formulated as a connu- it work, numerous technical obstacles have to be over- ous spectrum of decision problems indexed by an approx- come. For the benefit of the reader interested in diving imaon factor: for Gap-SVP , we are given (Λ, d) and into the details, we briefly sketch those obstacles. γ Z/qZ q need to decide if the length of the shortest vector in Λ is Firstly, LWE lives over for some , and in par- φ(b ) ∈ Z φ : Rn → R smaller than d or larger than γd; the problem Gap-CVP cular, we need i . The set of γ φ(b ) ∈ Z φ(Λ) ⊂ Z is defined similarly. sasfying i — or, equivalently, — is Λ Λ∗ Gap-SVP and Gap-CVP get easier with larger ap- called the dual lace of , and denoted . Moreover, γ γ ∈ Rn ∈ R γ for an arbitrary v , we have φ(v) , and we need proximaon factor . In the extreme cases, the LLL al- Z gorithm (a lace reducon technique) solves Gap-SVP to discreze it to a value in . γ φ in polynomial me, for an approximaon factor γ which Secondly, how do we choose from the dual lace Λ∗ is exponenal in the lace-dimension n, e.g. γ = 2n. At ? There are opposing constraints: on the one hand, [φ(b ) . . . φ(b )] ∈ (Z/qZ)n the other end of the spectrum, it is known that Gap-SVP we need 1 n to be uniformly γ q φ is NP-hard for any constant γ. The middle ground of a γ random modulo , which suggests choosing from a suf- Λ∗ which is polynomial in n is what many LWE-based cryp- ficiently wide distribuon on . On the other hand, the φ ∗ φ tosystems relate to. longer , the larger the error in ( ), and hence should See [AR05] for a graph illustrang the hardness of lat- be kept small. The soluon turns out to be to choose φ Λ∗ ce problems as the approximaon factor varies. from a suitable Gaussian distribuon on . The con- strucon of such samples is a difficult problem in itself, and two approaches are described in [Reg10, Proposion From LWE to laces 2.1]. We do not go into further details here. The fundamental result about the hardness of LWE is the Thirdly and finally, there’s a correlaon between φ ∗ following relaon to Gap-SVPγ. Recall that LWEq,α asks and the noise in ( ), while LWE requires hint and noise us to disnguish samples st⊤ + ε from random, where generaon to be independent. This needs to be fixed by s ∈ (Z/qZ)n is secret and fixed, t ∈ (Z/qZ)n is uni- ’smoothing’ the noise by adding Gaussian noise to φ(v). formly random, and the noise ε ∈ Z/qZ is chosen from Working out the details here is rather technical, but a discrete Gaussian distribuon of standard deviaon αq. we hope that we could convince the reader that the un- derlying idea behind the reducon is quite natural. Theorem 1 (Informal). There is an efficient quantum re- α ducon from Gap-SVPO˜(n/√α) to LWEq,α, provided and Efficiency consideraons q aren’t too small: αq > 2 n. The inefficiency of plain LWE For example, if q = n2 and α = 1/n, we see that an efficient quantum algorithm LWEn2,1/n yields an ef- Let us get a rough esmate of the efficiency of the above ficient quantum algorithm for Gap-SVPO˜(n2) with poly- LWE-based public key cryptosystem, assuming hint and nomial approximaon factor, and no such algorithm is secret vectors of length n. The expansion from plaintext known. Note how an increased width α of the noise in to ciphertext is determined by three factors: LWE leads to a beer approximaon factor in Gap-SVP. • The mask generaon hint, a vector in (Z/qZ)n.

Main idea • The mask itself, an element of Z/qZ.

At the heart of the reducon is a quite intuive idea to • The size Σ of the plaintext alphabet. use LWE to solve instances of the closest vector problem:

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. ≈ This gives an expansion factor of (n+1) log2(q)/ log2(Σ). Example: Let us consider the parameters used by the ≈ The secret key has size n log2(q) bits. RLWE-based scheme NewHope, a popular NIST PQC Round 2 candidate. It uses q = 12289 and encrypts the Example: Let us consider the parameters used by plaintext bit-wise (Σ = 1), which would give an expan- FrodoKEM, a NIST PQC Round 3 Alternate Track can- sion factor of 28 and e.g. a 28·32 = 896 byte ciphertext didate, and moreover the only candidate remaining for a 256-bit plaintext, if the RLWE blueprint was used whose security is based on unstructured laces. We unmodified. The actual numbers for NewHope differ will see that the result would be of limited praccal slightly since the each plaintext bit is masked two (for use, and indeed FrodoKEM applies some modificaons NewHope-512) or four (for NewHope-1024) mes, and to the LWE-encrypon blueprint to improve efficiency, NewHope applies some ciphertext compression, giving which we will discuss aerwards. ciphertext sizes of 1088B and 2176B. FrodoKEM provides three choices for (Σ, q, n), namely (4, 215, 640), (8, 216, 976), and (16, 216, 1344). If those parameters were used for plain LWE encrypon, Choice of rings the ciphertext overhead would be ≈ 650 bytes per bit, RLWE is oen used over polynomial rings Z[X]/(P (X)), leading e.g. to ciphertexts of ≈ 83kB for the encrypon where P (X) is an irreducible polynomial. The choice of k of a randomly chosen 128-bit secret — too much for the 2k+1-th cyclotomic polynomial P (X) = X2 + 1 general purpose use. In contrast, the secret keys have a is parcularly popular and used in the NIST PQC Round 3 ≈ smaller size, from 1.2kB for the first parameter set to Finalists CRYSTALS-Kyber, CRYSTALS-Dilithium and SABER. ≈ 2.6kB for the third parameter set. More generally, RLWE is studied for rings of integers in number fields. One idea to improve efficiency of plain LWE is to bal- The choice of Z[X]/(Xn + 1) with n a power of 2 is ance the sizes of secret key and cipher text: for key gener- aracve for performance: for a prime q with 2n|q−1 (as aon, we generate mulple independent secret key vec- is the case for CRYSTALS-Kyber and CRYSTALS-Dilithium, s , . . . , s h tors 1 m, and during encrypon, a single hint is but not for SABER), the Number Theorec Transform al- used to generate masks F (h),...,F (h) for all of the s1 sm lows us to represent elements (Z/qZ)[X]/(Xn + 1) in a s i. This reduces the plaintext to ciphertext expansion by way that mulplicaon has complexity which is linear in m the factor , but increases the secret key length by the n, as opposed to the quadrac complexity of naïve poly- same amount. This approach is e.g. applied in FrodoKEM nomial mulplicaon. with m = 8, leading to ciphertext lengths between 10kB and 20kB and secret keys between ≈ 10kB and ≈ 21kB Security of RLWE (excluding the public key). The reducon of SVP to LWE carries over to RLWE. How- Ring Learning With Errors ever, in contrast to LWE, it does not target SVP for general laces, but only laces which are contained within the One major reason for the large key sizes in plain LWE is chosen ring — so-called ideal laces, examples of the Z/qZ the fact that generang a single scalar mask in re- “structured” laces giving the field its name20,21. quires the choice and transmission of a mask generang The reducon of Ideal-SVP to RLWE gives a less sas- hint vector, since mask generaon involves the scalar prod- factory lower bound on the hardness of RLWE than the F (t) = st⊤ + ε uct s . At the same me, the only struc- one we obtain for LWE: generally, since SVP for struc- tural property of the scalar product that we actually used tured laces is less studied than for general laces, and in the construcon of LWE-based encrypon was its bi- specifically, since recently [CDW16] a polynomial quan- F (t) = s • linearity: any mask generaon of the form s tum algorithm was found for Ideal-SVP √ . No such t+ε • exp( n) with bilinear would yield a candidate cryptosystem algorithm is known for general laces, so there is — at (though the queson of security will very much depend least in asymptocal terms — a gap between the hard- • on the specific choice of ). ness of lace problems for unstructured and structures Those consideraons movated the study of the Ring laces that was not expected at first. Learning With Errors (RLWE) problem, in which the (di- mension reducing) scalar product in the mask genera- Further variants of (R)LWE on funcon of LWE is replaced by a (dimension preserv- ing) mulplicaon (more precisely, a ring structure) on Numerous other choices of bilinear maps • for the mask (Z/qZ)n. As a result, the mask itself is an n-dimensional generaon have been studied: For example, as an “in- vector which can be used to mask n plaintext leers, and terpolaon” between LWE (using vectors with scalar en- so the plaintext to ciphertext expansion factor drops from 20The term “structured” lace can also refer to laces obtained (n + 1) log2(q)/Σ to 2 log2(q)/Σ. from other algebraic variants of LWE, see Further variants of (R)LWE. 21The “measurement approach” from Main idea goes through for RLWE in an analogous fashion, provided it is formulated in the right generality — see [LPR13].

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. tries) and RLWE (using ring elements) one can consider Module-LWE (MLWE), where the mask generang hints are vectors with ring entries. We recommend [PP19] for a survey and general treatment of those approaches.

Concrete security of (R)LWE

While the reducons from (Ideal-)SVP to (R)LWE give con- fidence in the asymptoc complexity of (R)LWE, they do not provide concrete security guarantees for specific cryp- tosystems and parameter choices. While those could be obtained by esmang the complexity of the reducon itself as well as the complexity of (Ideal-)SVP,the concrete security for lace cryptosystems is usually directly es- mated in terms of concrete cryptanalysis using known lat- ce algorithms. The interested reader can find more in- formaon on the Esmate all the {LWE,NTRU} schemes!.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. Classical Quantum Model Probabilisc view Algebraic view { }  Probability space on 0, 1     ≤ ≤    0 p, q 1 α, β ∈ C Single p · 0 + q · 1 · | ⟩ · | ⟩ {0, 1}   α 0 + β 1  unit p + q = 1 |α|2 + |β|2 = 1

Convex combinaons of ’pure’ states C-linear combinaons of ’pure’ states Probability space on {0, 1}n    

 ≤ ≤   ∈ C  ∑ 0 px 1 ∑ αx Mulple { }n p ∑ α |x⟩ ∑ 0, 1  xx  x 2  ∈{ }n px = 1   |αx| = 1  units x 0,1 x∈{0,1}n x∈{0,1}n x∈{0,1}n

Convex combinaons of ’pure’ states C-linear combinaons of ’pure’ states

Figure 16: State spaces in classical and quantum compung

References [AD97] Miklós Ajtai and Cynthia Dwork. “A Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence”. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on Theory of Compung. STOC ’97. El Paso, Texas, USA: Associaon for Compung Machinery, 1997, pp. 284–293. : 0897918886. : 10.1145/258533. 258604. : https://doi.org/10.1145/258533.258604. [Ajt96] M. Ajtai. “Generang Hard Instances of Lace Problems (Extended Abstract)”. In: Proceedings of the Twenty- eighth Annual ACM Symposium on Theory of Compung. STOC ’96. ACM, 1996, pp. 99–108. [App+09] Benny Applebaum et al. “Fast Cryptographic Primives and Circular-Secure Encrypon Based on Hard Learn- ing Problems”.In: Advances in Cryptology - CRYPTO 2009. Ed. by Shai Halevi. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 595–618. : 978-3-642-03356-8. [AR05] Dorit Aharonov and Oded Regev. “Lace Problems in NP ∩ CoNP”. In: J. ACM 52.5 (Sept. 2005), pp. 749– 765. : 0004-5411. : 10.1145/1089023.1089025. : https://doi.org/10.1145/1089023. 1089025. [Aru+19] Frank Arute et al. “Quantum Supremacy using a Programmable Superconducng Processor”. In: Nature 574 (2019), pp. 505–510. : https://www.nature.com/articles/s41586-019-1666-5. [BGV11] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. Fully Homomorphic Encrypon without Bootstrap- ping. Cryptology ePrint Archive, Report 2011/277. 2011. [Bin+17] Nina Bindel et al. Transioning to a Quantum-Resistant Public Key Infrastructure. Cryptology ePrint Archive, Report 2017/460. 2017. [BPR11] Abhishek Banerjee, Chris Peikert, and Alon Rosen. Pseudorandom Funcons and Laces. Cryptology ePrint Archive, Report 2011/401. 2011. [BSI20] Federal Office for Informaon Security Germany (BSI). Migraon zu Post-Quanten-Kryptografie. Tech. rep. 2020. : https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Krypto/Post-Quanten- Kryptografie.pdf. [BV11] Zvika Brakerski and Vinod Vaikuntanathan. Efficient Fully Homomorphic Encrypon from (Standard) LWE. Cryp- tology ePrint Archive, Report 2011/344. 2011. [CC20] Ma Campagna and Eric Crocke. Hybrid Post-Quantum Key Encapsulaon Methods (PQ KEM) for Transport Layer Security 1.2 (TLS). Internet-Dra dra-campagna-tls-bike-sike-hybrid-03. IETF Secretariat, Mar. 2020. : https://tools.ietf.org/html/draft-campagna-tls-bike-sike-hybrid-03.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. [CDW16] Ronald Cramer, Léo Ducas, and Benjamin Wesolowski. Short Sckelberger Class Relaons and applicaon to Ideal-SVP. Cryptology ePrint Archive, Report 2016/885. 2016. [Gab05] Philippe Gaborit. “Shorter keys for code-based cryptography”. In: (Jan. 2005). [Gen09] Craig Gentry. “A Fully Homomorphic Encrypon Scheme”.PhD thesis. Stanford, CA, USA, 2009. : 9781109444506. [GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. “Eliminang Decrypon Errors in the Ajtai-Dwork Cryp- tosystem”. In: Advances in Cryptology - CRYPTO ’97, 17th Annual Internaonal Cryptology Conference, Santa Barbara, California, USA, August 17-21, 1997, Proceedings. Vol. 1294. Lecture Notes in Computer Science. Springer, 1997, pp. 105–111. : 10.1007/BFb0052230. [Gro96] Lov K. Grover. “A Fast Quantum Mechanical Algorithm for Database Search”. In: Proceedings of the Twenty- eighth Annual ACM Symposium on Theory of Compung. STOC ’96. ACM, 1996. [GRS08] Henri Gilbert, Mahew J. B. Robshaw, and Yannick Seurin. “How to Encrypt with the LPN Problem”. In: Au- tomata, Languages and Programming. Ed. by Luca Aceto et al. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 679–690. : 978-3-540-70583-3. [HRS15] Andreas Hülsing, Joost Rijneveld, and Peter Schwabe. ARMed SPHINCS – Compung a 41KB signature in 16KB of RAM. Cryptology ePrint Archive, Report 2015/1042. 2015. [JD11] David Jao and Luca De Feo. “Towards Quantum-resistant Cryptosystems from Supersingular Ellipc Curve Isogenies”. In: Proceedings of the 4th Internaonal Conference on Post-Quantum Cryptography. PQCrypto’11. 2011. [Kam+18] Panos Kampanakis et al. The Viability of Post-quantum X.509 Cerficates. Cryptology ePrint Archive, Report 2018/063. 2018. [Lam79] Leslie Lamport. Construcng Digital Signatures from a One Way Funcon. Tech. rep. CSL-98. Oct. 1979. : https : / / www . microsoft . com / en - us / research / publication / constructing - digital - signatures-one-way-function/. [LPR13] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. “On Ideal Laces and Learning with Errors over Rings”. In: J. ACM 60.6 (Nov. 2013). [Lyu09] Vadim Lyubashevsky. “Fiat-Shamir with Aborts: Applicaons to Lace and Factoring-Based Signatures”. In: Advances in Cryptology – ASIACRYPT 2009. Ed. by Mitsuru Matsui. Berlin, Heidelberg: Springer Berlin Heidel- berg, 2009, pp. 598–616. : 978-3-642-10366-7. [Mau12] Ueli Maurer. “Construcve Cryptography – A New Paradigm for Security Definions and Proofs”. In: The- ory of Security and Applicaons. Ed. by Sebasan Mödersheim and Catuscia Palamidessi. Berlin, Heidelberg: Springer Berlin Heidelberg, 2012, pp. 33–56. [McE78] R. J. McEliece. A Public-Key Cryptosystem Based On Algebraic Coding Theory. The Deep Space Network Progress Report. 1978. [Mer79] Ralph Charles Merkle. “Secrecy, Authencaon, and Public Key Systems.” PhD thesis. 1979. [MI88] Tsutomu Matsumoto and Hideki Imai. “Public Quadrac Polynomial-Tuples for Efficient Signature-Verificaon and Message-Encrypon”. In: Advances in Cryptology — EUROCRYPT ’88. Ed. by D. Barstow et al. Berlin, Hei- delberg: Springer Berlin Heidelberg, 1988, pp. 419–453. : 978-3-540-45961-3. [NC11] Michael A. Nielsen and Isaac L. Chuang. Quantum Computaon and Quantum Informaon: 10th Anniversary Edion. 10th. USA: Cambridge University Press, 2011. : 1107002176. [NM19] Engineering Naonal Academies of Sciences and Medicine. Quantum Compung: Progress and Prospects. Ed. by Emily Grumbling and Mark Horowitz. Washington, DC: The Naonal Academies Press, 2019. : 978- 0-309-47969-1. : 10 . 17226 / 25196. : https : / / www . nap . edu / catalog / 25196 / quantum - computing-progress-and-prospects. [PP19] Chris Peikert and Zachary Pepin. Algebraically Structured LWE, Revisited. Cryptology ePrint Archive, Report 2019/878. https://eprint.iacr.org/2019/878. 2019. [PQC19] PQC mailing list. “Footguns as an axis for security analysis”. In: 2019. : https://groups.google.com/ a/list.nist.gov/forum/#!topic/pqc-forum/l2iYk-8sGnI. [Reg04] Oded Regev. “New Lace-Based Cryptographic Construcons”.In: J. ACM 51.6 (Nov. 2004), pp. 899–942. : 0004-5411. : 10.1145/1039488.1039490. : https://doi.org/10.1145/1039488.1039490.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved. [Reg09] Oded Regev. “On Laces, Learning with Errors, Random Linear Codes, and Cryptography”. In: J. ACM 56.6 (Sept. 2009). : 0004-5411. : 10.1145/1568318.1568324. : https://doi.org/10.1145/ 1568318.1568324. [Reg10] Oded Regev. “The Learning with Errors Problem (Invited Survey)”.In: Proceedings of the 2010 IEEE 25th Annual Conference on Computaonal Complexity. CCC ’10. USA: IEEE Computer Society, 2010, pp. 191–204. : 9780769540603. : 10.1109/CCC.2010.26. : https://doi.org/10.1109/CCC.2010.26. [RP11] Eleanor Rieffel and Wolfgang Polak. Quantum compung. Scienfic and Engineering Computaon. A gentle introducon. MIT Press, Cambridge, MA, 2011, pp. xiv+372. : 978-0-262-01506-6. [SFG20] Douglas Steblia, Sco Fluhrer,and Shay Gueron. Hybrid key exchange in TLS 1.3. Internet-Dra dra-stebila-tls- hybrid-design-03. IETF Secretariat, Feb. 2020. : https://tools.ietf.org/html/draft-stebila- tls-hybrid-design-03. [Sho94] P. W. Shor. “Algorithms for Quantum Computaon: Discrete Logarithms and Factoring”. In: Proceedings of the 35th Annual Symposium on Foundaons of Computer Science. SFCS ’94. IEEE Computer Society, 1994, pp. 124–134. [Tru+18] Alexander Truskovsky et al. Mulple Public-Key Algorithm X.509 Cerficates. Internet-Dra dra-truskovsky- lamps-pq-hybrid-x509-01. IETF Secretariat, Aug. 2018. : http://www.ietf.org/internet-drafts/ draft-truskovsky-lamps-pq-hybrid-x509-01.txt.

Copyright ©2020 Arm Limited (or its affiliates). All rights reserved.