mathematics-10-02579-v2.pdf资源-CSDN文库

需积分: 5 12 浏览量 2024-09-14 11:12:00 上传评论收藏 675KB PDF 举报

资源推荐

资源详情

资源评论



 

Citation: Richter, M.; Bertram, M.;

Seidensticker, J.; Tschache, A. A

Mathematical Perspective on

Post-Quantum Cryptography.

Mathematics 2022, 10, 2579. https://

doi.org/10.3390/math10152579

Academic Editor: Angel

Martín-del-Rey

Received: 27 June 2022

Accepted: 21 July 2022

Published: 25 July 2022

Publisher’s Note: MDPI stays neutral

with regard to jurisdictional claims in

published maps and institutional afﬁl-

iations.

Licensee MDPI, Basel, Switzerland.

This article is an open access article

distributed under the terms and

conditions of the Creative Commons

Attribution (CC BY) license (https://

creativecommons.org/licenses/by/

4.0/).

mathematics

Article

A Mathematical Perspective on Post-Quantum Cryptography

Maximilian Richter

* , Magdalena Bertram

, Jasper Seidensticker

and Alexander Tschache

Secure Systems Engineering, Fraunhofer AISEC, 14199 Berlin, Germany;

magdalena.bertram@aisec.fraunhofer.de (M.B.); jasper.seidensticker@aisec.fraunhofer.de (J.S.)

Volkswagen AG, 38440 Wolfsburg, Germany; alexander.tschache@volkswagen.de

* Correspondence: maximilian.richter@aisec.fraunhofer.de

Abstract:

In 2016, the National Institute of Standards and Technology (NIST) announced an open

competition with the goal of ﬁnding and standardizing suitable algorithms for quantum-resistant

cryptography. This study presents a detailed, mathematically oriented overview of the round-three

ﬁnalists of NIST’s post-quantum cryptography standardization consisting of the lattice-based key

encapsulation mechanisms (KEMs) CRYSTALS-Kyber, NTRU and SABER; the code-based KEM

Classic McEliece; the lattice-based signature schemes CRYSTALS-Dilithium and FALCON; and the

multivariate-based signature scheme Rainbow. The above-cited algorithm descriptions are precise

technical speciﬁcations intended for cryptographic experts. Nevertheless, the documents are not

well-suited for a general interested mathematical audience. Therefore, the main focus is put on the

algorithms’ corresponding algebraic foundations, in particular LWE problems, NTRU lattices, linear

codes and multivariate equation systems with the aim of fostering a broader understanding of the

mathematical concepts behind post-quantum cryptography.

Keywords:

post-quantum cryptography; lattices; learning with errors; linear codes; multivariate

cryptography; Kyber; Saber; Dilithium; NTRU; Falcon; Classic McEliece; Rainbow; NIST

MSC: 11T71

1. Introduction

In recent years, signiﬁcant progress in researching and building quantum computers

has been made. The existence of such computers threatens the security of many modern

cryptographic systems. This affects, in particular, asymmetric cryptography, i.e., KEMs

and digital signatures. By leveraging Shor’s quantum algorithm to ﬁnd the period of a

function in a large group, a quantum computer can solve a distinct set of mathematical

problems. In particular, this includes integer factorization and the discrete logarithm, which

are the basis for a wide range of cryptographic schemes. Therefore, a fully ﬂedged quantum

computer would be able to efﬁciently break the security of many modern cryptosystems.

To defend against this threat, the need for novel mathematical problems which are resistant

to Shor’s algorithm arises. Such problems are thereby promising candidates to withstand

the superior computing possibilities of quantum computers.

In 2016, NIST announced an open competition with the goal of ﬁnding and standard-

izing suitable algorithms for quantum-resistant cryptography. The standardization effort

by NIST is aimed at KEMs and digital signatures [

]. This process is currently in its third

round of candidate selection (April 2022).

At this point, the submitted algorithms are complex technical speciﬁcations without a

presentation of the underlying mathematical fundamentals and therefore do not allow an

easy access to these novel post-quantum algorithm approaches. As some of these algorithms

will probably become widely used in industrial areas very soon, it is vital to foster a broad

understanding of these mathematical concepts. In this document, we therefore address

the described lack of educational presentation. As we do not intend to give a detailed

Mathematics 2022, 10, 2579. https://doi.org/10.3390/math10152579 https://www.mdpi.com/journal/mathematics

Mathematics 2022, 10, 2579 2 of 33

comparison of the presented methods and their performance in practice, we would like to

refer to the post-quantum database PQDB [

]. This website is an internal project within

Fraunhofer AISEC and aims to provide an up-to-date overview of implementation details

and performance measurements of post-quantum secure cryptographic schemes according

to available research.

In the following sections, the round-three ﬁnalists of NIST’s competition are presented,

and their mathematical details and properties are outlined. For a quick access to any of

these algorithms, we have structured the document in separate parts containing distinct

mathematical concepts, which thereby offer independent readability. These concepts

correspond to the algorithms’ respective algebraic foundations, which are LWE problems

as well as NTRU lattices in Section 2, linear codes in Section 3 and multivariate equation

systems in Section 4.

2. Lattice-Based Cryptography

2.1. Lattice Fundamentals

The cryptographic interest in lattices mainly arises from the fact that a given lattice

can have widely different bases. While a good basis can simplify some computational

tasks signiﬁcantly, a bad basis can make them almost impossible. In this section, we will

give a short introduction to the fundamental mathematics and the two most important

computational problems of lattices.

2.1.1. Lattices

Deﬁnition 1

(lattice, basis)

Let

B = {b

, ...,

}

be a set of linearly independent vectors of

. Then, the set of all integer linear combinations

L(B) =

(

∑

| a

∈ Z

)

⊂ R

is called a

lattice

generated by

. We furthermore refer to

, ...,

}

as a

basis

of the

lattice L.

An example of a lattice with corresponding basis is shown in Figure 1. We can

equivalently generate L via a matrix B containing the basis vectors as column vectors.

Figure 1. A 2-dimensional lattice.

Deﬁnition 2

(lattice, rank, dimension, full-rank lattice)

Let

, ...,

}

be a set of linearly

independent vectors of R

. Let B be the n × m matrix with column vectors b

, ..., b

. Then:

L(B) = {Bx | x ∈ Z

}

is called

lattice

generated by

. We call

the

rank

and

the

dimension

of the lattice.

For m equals n, the lattice is called the full-rank lattice.

Mathematics 2022, 10, 2579 5 of 33

Then, the associated equations look like:

10 · s

+ 3 · s

+ 5 · s

+ 1 · s

= 10

4 · s

+ 1 · s

+ 2 · s

= 3

3 · s

+ 1 · s

+ 5 · s

= 8

Solving this equation system can be efﬁciently realized using the Gaussian algorithm.

However, adding even only small error values e ∈ Z

to the equation system yields:

A · s + e = b ,

which renders solving the equation system and retrieving the solution vector

surprisingly

hard. This fact is founded in the relation to the hard lattice problems described above,

which is presented in a nutshell below.

Decisional LWE

The LWE problem can also be rephrased as a decision problem, usually abbreviated

dLWE. Given an LWE sample

as deﬁned above (

and

are kept secret), the task

is to guess whether the values of

have been calculated as

A · s + e

with small error

values

, or whether they have been chosen arbitrarily. Both variants are equivalently hard.

The reduction from LWE to dLWE has been proven by Regev ([

], Lemma 4.2), the inverse

reduction from dLWE to LWE is trivial.

Linking LWE to Computational Lattice Problems

Consider an LWE problem of the form:

A · s + e = b ,

where

A ∈ Z

n×m

b ∈ Z

and small vectors

s ∈ Z

e ∈ Z

. It is straightforward to solve

a concrete LWE instance by solving the closest vector problem. Observe that the closest

vector to b is almost always the lattice vector A · s with distance e.

To give an intuition of the relationship between learning with errors and the shortest

vector problem, consider the following lattice:

L = {x ∈ Z

m+n+1

| (A || I

|| (−b)) · x = 0 mod q} ,

where the ’

’ operator denotes concatenation and

denotes the

n × n

identity matrix. It

can be observed that the column vector (s, e, 1) is an element of L by verifying that



A I

−b











= A · s + e − b = b − b = 0 mod q

holds. It can be shown that the vector

, 1

)

is actually a shortest vector in

and therefore

is an SVP solution for

. This means retrieving the vector

, 1

)

directly yields the secret

as well as the error vector e and therefore solves the LWE system.

LWE-Based Encryption Schemes

This section aims to serve as a high-level introduction to LWE-based encryption

schemes, so that their basic idea can be easily understood. The following simpliﬁed

example will only be used to transmit a message consisting of a single bit, but it can be

trivially extended to transmit a bitstring of any desired length.

Consider an LWE instance

A · s + e = b

, where

A ∈ Z

n×m

is chosen uniformly random

and

s ∈ Z

and

e ∈ Z

are chosen from an error distribution, i.e., their values are rather

剩余32页未读，继续阅读

评论收藏

内容反馈

nfgo

粉丝: 704
资源: 71

mathematics-10-02579-v2.pdf

(ebook-pdf).-.mathematics.-.algebraic.geometry.(v3_geometry_math

数学软件三巨头（Matlab、Mathematica、Maple）优秀教程精选

mathematics-for-machine-learning-solutions.pdf

mathematics-09-03089-v2.pdf

Concrete.Mathematics.-.2nd.Edition.pdf

Methods of Applied Mathematics-F.B.Hildebrand-1965

Differential.Analysis.on.Complex.Manifolds.-.Wells.-.9780387738918.pdf

Algorithms and Discrete Applied Mathematics-2015.pdf

The.Mathematics.of.Physics.and.Chemistry-H..Margenau.and.G.M..Murphy

Maple.And.Mathematica.-.A.Problem.So.For.Mathematics.rar

Advanced Mathematics and Mechanics Applications Using MATLAB的全部代码

具体数学中文版Concrete Mathematics--A Foundation for Computer Science

SUMS02 Introductory Mathematics -- Algebra and Analysis, Geoff Smith (1998) .pdf

Pure Mathematics -1 Advance Level.pdf

Mathematics.for.3D.Game.Programming.and.Computer.Graphics.3rd.Edition.pdf

Advanced Engineering mathematics 10th ed-Linear Algebra. Vector Calculus.pdf

[离散数学及应用].McGraw.Hill.-.Discrete.Mathematics.and.Its.Applications,.Fourth.Edition

LaTeX公式编写参考文档-UTN28-PlainTextMath-v2.pdf

Mathematics - California Mathematics - Concepts, Skills And Problem Solving

L. Lovasz - Discrete Mathematics Lecture Notes.pdf

skript-mathe-3:蒂宾根WS1617中的Mathematics 3演讲脚本

Recursive Mathematics - Volume 1 Recursive Model Theory part3

Behavioral.Mathematics.for.Game.AI

BurpLoaderKeygen.jar.zip

最新版ISO/IEC 27001:2022、ISO 27002:2022中英文合集

最新资源