A Mathematical Perspective on Post-Quantum Cryptography

: In 2016, the National Institute of Standards and Technology (NIST) announced an open competition with the goal of ﬁnding and standardizing suitable algorithms for quantum-resistant cryptography. This study presents a detailed, mathematically oriented overview of the round-three ﬁnalists of NIST’s post-quantum cryptography standardization consisting of the lattice-based key encapsulation mechanisms (KEMs) CRYSTALS-Kyber, NTRU and SABER; the code-based KEM Classic McEliece; the lattice-based signature schemes CRYSTALS-Dilithium and FALCON; and the multivariate-based signature scheme Rainbow. The above-cited algorithm descriptions are precise technical speciﬁcations intended for cryptographic experts. Nevertheless, the documents are not well-suited for a general interested mathematical audience. Therefore, the main focus is put on the algorithms’ corresponding algebraic foundations, in particular LWE problems, NTRU lattices, linear codes and multivariate equation systems with the aim of fostering a broader understanding of the mathematical concepts behind post-quantum cryptography.


Introduction
In recent years, significant progress in researching and building quantum computers has been made. The existence of such computers threatens the security of many modern cryptographic systems. This affects, in particular, asymmetric cryptography, i.e., KEMs and digital signatures. By leveraging Shor's quantum algorithm to find the period of a function in a large group, a quantum computer can solve a distinct set of mathematical problems. In particular, this includes integer factorization and the discrete logarithm, which are the basis for a wide range of cryptographic schemes. Therefore, a fully fledged quantum computer would be able to efficiently break the security of many modern cryptosystems. To defend against this threat, the need for novel mathematical problems which are resistant to Shor's algorithm arises. Such problems are thereby promising candidates to withstand the superior computing possibilities of quantum computers.
In 2016, NIST announced an open competition with the goal of finding and standardizing suitable algorithms for quantum-resistant cryptography. The standardization effort by NIST is aimed at KEMs and digital signatures [1]. This process is currently in its third round of candidate selection (April 2022).
At this point, the submitted algorithms are complex technical specifications without a presentation of the underlying mathematical fundamentals and therefore do not allow an easy access to these novel post-quantum algorithm approaches. As some of these algorithms will probably become widely used in industrial areas very soon, it is vital to foster a broad understanding of these mathematical concepts. In this document, we therefore address the described lack of educational presentation. As we do not intend to give a detailed comparison of the presented methods and their performance in practice, we would like to refer to the post-quantum database PQDB [2]. This website is an internal project within Fraunhofer AISEC and aims to provide an up-to-date overview of implementation details and performance measurements of post-quantum secure cryptographic schemes according to available research.
In the following sections, the round-three finalists of NIST's competition are presented, and their mathematical details and properties are outlined. For a quick access to any of these algorithms, we have structured the document in separate parts containing distinct mathematical concepts, which thereby offer independent readability. These concepts correspond to the algorithms' respective algebraic foundations, which are LWE problems as well as NTRU lattices in Section 2, linear codes in Section 3 and multivariate equation systems in Section 4.

Lattice Fundamentals
The cryptographic interest in lattices mainly arises from the fact that a given lattice L can have widely different bases. While a good basis can simplify some computational tasks significantly, a bad basis can make them almost impossible. In this section, we will give a short introduction to the fundamental mathematics and the two most important computational problems of lattices. An example of a lattice with corresponding basis is shown in Figure 1. We can equivalently generate L via a matrix B containing the basis vectors as column vectors. Definition 2 (lattice, rank, dimension, full-rank lattice). Let {b 1 , b 2 , ..., b m } be a set of linearly independent vectors of R n . Let B be the n × m matrix with column vectors b 1 , ..., b m . Then: is called lattice in R n generated by B. We call m the rank and n the dimension of the lattice. For m equals n, the lattice is called the full-rank lattice.
Observe that the basis underlying a lattice L is not unique. Observe that the lattice generated by the vectors 0 1 , 1 0 is Z 2 , the set of all integer points. Z 2 is also generated by the vectors 2 1 , 1 1 . Figure 2 also illustrates this fact. On the other hand, n linearly independent vectors in Z n are not necessarily a basis of Z n . As an example, observe that the modified vectors from the example above 2 0 , 1 1 do not form a basis of Z 2 .

Computational Lattice Problems
The particular structure of lattices allows them to have special mathematical properties. The following computations can be efficiently evaluated using linear algebra algorithms: • Let g 1 , ..., g k ∈ R n be a set of vectors generating the lattice L. Calculate a basis b 1 , ..., b m ∈ R n of L. • Let L be a lattice. Evaluate whether a given vector c is an element of L.
Other computational lattice problems appear to be generally hard and are -as indicated in the introduction -even believed to be resistant against Shor's algorithm. Therefore, they are interesting candidates for usage in post-quantum-cryptography. These problems are presented in the following.

Shortest Vector Problem
Let L be a lattice with some basis B ∈ R n×m and · some norm. Let λ(L) be the length of the shortest nonzero vector in L. The task of finding l ∈ L such that l = λ(L), i.e., finding any shortest vector of L, is called the shortest vector problem (SVP). Figure 3 illustrates such a shortest vector in a lattice.

Closest Vector Problem
Let L be a lattice with some basis B ∈ R n×m and · some norm. Given q ∈ R n , the task of finding l ∈ L such that l − q is minimal, i.e., find the lattice vector l closest to a given arbitrary vector, is called the closest vector problem (CVP). Figure 4 illustrates a random point with its corresponding closest lattice vector.  Let Z q = Z/qZ be the ring of integers modulo q. We can naturally form a linear equation system For example, consider the following system: Then, the associated equations look like: Solving this equation system can be efficiently realized using the Gaussian algorithm. However, adding even only small error values e ∈ Z n q to the equation system yields: which renders solving the equation system and retrieving the solution vector s surprisingly hard. This fact is founded in the relation to the hard lattice problems described above, which is presented in a nutshell below.

Decisional LWE
The LWE problem can also be rephrased as a decision problem, usually abbreviated dLWE. Given an LWE sample (A, b) as defined above (s and e are kept secret), the task is to guess whether the values of b have been calculated as A · s + e with small error values e, or whether they have been chosen arbitrarily. Both variants are equivalently hard. The reduction from LWE to dLWE has been proven by Regev ([3], Lemma 4.2), the inverse reduction from dLWE to LWE is trivial.

Linking LWE to Computational Lattice Problems
Consider an LWE problem of the form: where A ∈ Z n×m q , b ∈ Z n q and small vectors s ∈ Z m q , e ∈ Z n q . It is straightforward to solve a concrete LWE instance by solving the closest vector problem. Observe that the closest vector to b is almost always the lattice vector A · s with distance e.
To give an intuition of the relationship between learning with errors and the shortest vector problem, consider the following lattice: where the '||' operator denotes concatenation and I n denotes the n × n identity matrix. It can be observed that the column vector (s, e, 1) is an element of L by verifying that It can be shown that the vector (s, e, 1) is actually a shortest vector in L and therefore is an SVP solution for L. This means retrieving the vector (s, e, 1) directly yields the secret s as well as the error vector e and therefore solves the LWE system.

LWE-Based Encryption Schemes
This section aims to serve as a high-level introduction to LWE-based encryption schemes, so that their basic idea can be easily understood. The following simplified example will only be used to transmit a message consisting of a single bit, but it can be trivially extended to transmit a bitstring of any desired length.
Consider an LWE instance A · s + e = b, where A ∈ Z n×m q is chosen uniformly random and s ∈ Z m q and e ∈ Z n q are chosen from an error distribution, i.e., their values are rather small. Let us assume the values A and b are public while the corresponding values s and e are kept secret. The LWE problem then states that it is hard to calculate s or e.
To build the actual encryption scheme, we will randomly sample the additional values r ∈ Z n q as well as errors e 1 ∈ Z m q and e 2 ∈ Z q . With that, we construct the equation system: which can be equivalently represented as: in a compact form. It is then easy to see that this is also another instance of the LWE problem. With knowledge of (A, b, u, v), it is hard to calculate any of the other values. Furthermore, the decisional LWE problem states that it is even hard to differentiate between the values u, v calculated in the method described above and u, v with some arbitrary value v . This is a core part of our encryption system.
For now, let us assume we would just send (u, v) back to the recipient, who (knowing s) could then calculate the value s T · u = s T · (A T · r + e 1 ). Taking into account that the error values are relatively small, we observe that s T · u ≈ s T · A T · r and also that This means we have found a way to indirectly transmit about the same value in two separate ways, and we have done so unnoticed by a third person: without knowledge of s, it cannot be deduced how close exactly these values are to each other (dLWE assumption).
The trick is to hide the message in one of these values. When the message is 0, we will just transmit v = v. However, in case it is 1, we will transmit v = v + q/2 (remember that we are operating on Z q , so this is the value "opposite" to 0). The receiver can then calculate µ = v − s T · u. If µ is close to zero (mod q), the message was 0; if it is closer to q/2, the message was 1.
Let us summarize the process more formally. Let round n (·) denote rounding to the nearest multiple of n. For a one-bit message encoded as µ ∈ {0, q/2 }, the ciphertext is from which the receiver can calculate: = round q/2 ((As + e) T r + e 2 + µ − s T A T r − s T e 1 ) = round q/2 ((As) T r + e T r + e 2 + µ − (As) T r − s T e 1 ) = round q/2 (µ + e T r + e 2 − s T e 1 ) = µ.
For the last equality to hold (and thus, the decryption to succeed), we need the overall effect of the error term (e T r + e 2 − s T e 1 ) to stay below q/4. In practice, all candidate schemes use an error distribution and a modulus q where this is not always the case in order to have reasonable ciphertext sizes. The failure probability in all cases is extremely small, so it is usually negligible in practice. However, care must be taken that attackers cannot learn anything about the secret key by intentionally crafting ciphertexts that cause decryption failures.

Flavors of LWE: Ring-LWE and Module-LWE
The sample cryptosystem described above can be trivially extended to encapsulate bitstrings of a fixed length by running the same protocol times in parallel. In contrast to the flavors described below, this approach is called Plain LWE (note that even though Z q is a ring, the term Ring-LWE refers to another approach, see below). A production-ready scheme that uses Plain LWE is Frodo [4]. Because of its simplicity it is considered to have the least potential for attacks. However, this is paid for by communication costs about 15 times higher than with Ring-LWE or Module-LWE. The comparison of Frodo's public key and ciphertext size to the respective sizes of Kyber and Saber shows this fact. Because of the relatively bad performance, it is not among the NIST standardization finalists (but included as an alternate candidate) and is thus not included in this report. Other variants of LWE can be created by exchanging the underlying algebraic structure. Various flavors have been researched, and we will detail the relevant ones in the following.
Ring-LWE was first proposed by Vadim Lyubashevsky, Chris Peikert and Oded Regev in 2010 [5]. Calculations take place in a polynomial ring R q := Z q [x]/ f (x) for some polynomial f (x). Therefore, polynomial multiplication is used instead of matrix multiplication.
Module-LWE is a variant that further improves Ring-LWE and was proposed by Adeline Langlois and Damien Stehlé in 2012 [6]. It uses the exact same structure as the sample system detailed above, but the scalars are replaced by ring elements of R q , as defined in the previous paragraph. Consequently, vectors become elements of so-called modules, which are a generalization of vector spaces over rings, hence the name (see Table 1 for a comparison).
Most early practical implementations of LWE-based cryptography, such as the NewHope scheme [7], use Ring-LWE. However, it was shown that Ring-LWE possibly provides more attack surface, so that a Ring-LWE scheme is at most as secure as an equally parameterized Module-LWE scheme [8]. For that reason, NIST has decided not to consider Ring-LWE schemes in the third round.

Learning with Rounding
The learning with rounding (LWR) problem is a variant of the LWE problem. Consider a single line of the LWE problem As + e = b, where A ∈ Z n×m q is chosen uniformly and s ∈ Z m q and e ∈ Z n q from a small error distribution, i.e., (As) k + e k = (a k1 · s 1 + ... + a km · s m ) + e k = b k .
Instead of sampling and adding a random small error e k , noise is added to the equation by simple rounding. In this case, that means defining a rounding function · p : Z q → Z p for some p < q dividing Z q into p roughly same-sized intervals and mapping an element in Z q to the index of its corresponding interval. For example, when p and q are both powers of 2, rounding simplifies to mapping an element to its log 2 (p) most significant bits.
This rounding function can be extended to vectors in Z n q by component-wise rounding, i.e., rounding each (As) k separately. Counter-intuitively, although the noise in LWR is deterministically computed, it is computationally as difficult as solving LWE, i.e., deriving s from A and A · s p is hard [9]. Just as in the LWE case, variants of LWR can be created by exchanging the underlying structure. For example, the scheme Saber uses Module-LWR.

Kyber
Kyber [10] is a CCA-secure KEM derived from a CPA-secure public-key encryption (PKE) scheme based on Module-LWE. For n, q ∈ N, the underlying ring is R q = Z q [X] / (X n + 1), i.e., the ring of polynomials up to degree n − 1 with coefficients in Z q . The corresponding module is R k q with rank k ∈ N. The following primitives are required: a noise space B, where sampling a value from B yields a random small integer value in the range {−4, ..., 4}. Additionally, for the KEM construction, secure hash functions H 1 , H 2 and a secure key derivation function KDF are required.
Internally, the plaintext encrypted by Kyber is a ring element r ∈ R q . Therefore, the input bitstring m ∈ {0, 1} 256 is converted to a ring element r = toRing(m), i.e., a polynomial, as follows: It can already be observed that even after having added a vector with small coefficients the original polynomial can easily be reconstructed. The reverse operation f romRing reconstructs a bitstring from a given ring element through coefficient-wise division by q 2 and subsequent rounding. The Kyber specification introduces encoding and compression functions, which we have simplified to the toRing and f romRing functions to increase readability and understanding.
Analogously to the general LWE-based encryption scheme described in Section 2.2, the Kyber key generation (Algorithm 1) instantiates a particular LWE problem, As + e = b, by generating coefficients A for the linear equation system and sampling a solution vector s as well as an error vector e. Algorithm 1 Kyber PKE Key Generation: keyGen. Input: none 1.
Generate A ∈ R k×k q 2. Sample s ∈ R k q with coefficients from B 3.
Sample e ∈ R k q with coefficients from B 4.
Calculate b = As + e Output: public key pk = (A, b), secret key s The solution vector s functions as the secret key, while A and the vector b = As + e are used as the public key. Calculating s from the public key would be identical to solving an instance of the LWE problem.
The Kyber PKE encryption (Algorithm 2) looks similar to the LWE-based encryption scheme introduced in Section 2.2 expanded to a Module-LWE setting.
Sample r ∈ R k q with coefficients from B 2.
Sample e 1 ∈ R k q with coefficients from B 3.
Sample e 2 ∈ R q with coefficients from B 4.
Calculate u = A T r + e 1 5. Calculate With knowledge of the secret value s, the reconstruction of the message m is possible through the corresponding Kyber PKE decryption routine (Algorithm 3).

Algorithm 3 Kyber PKE Decryption: dec
Applying the operation f romRing(m * ) reconstructs the original m with very high probability. Indeed, the Kyber encryption scheme is a probabilistic algorithm returning the original message m with very high probability (see Table 2 for concrete failure probability values), depending on the amount of noise within the sampled vectors.
To construct a CCA-secure KEM from the given PKE, a variant of the Fujisaki-Okamoto transformation (FO-transformation) is used. Fujisaki and Okamoto [11] presented the first generic transformation from asymmetric and symmetric encryption schemes to a secure hybrid encryption scheme. Later, Hofheinz, Hövelmanns and Kiltz [12] extended the work of Fujisaki and Okamoto and presented a generic transformation toolkit, including a transformation of a PKE scheme into a secure KEM. Algorithm 4 shows the Kyber KEM key generation.
Generate (pk, s) = PKE.keyGen() Output: public key pk, secret key sk = (s, σ) In the KEM encapsulation (Algorithm 5), observe that the value r is used in the underlying PKE as a seed for the generation of the otherwise random values during encryption. Although a deterministic public key encryption algorithm is usually not desirable, for a KEM, the receiver needs to be able to repeat the encryption procedure in the same way as the sender. We denote the deterministic version of the encryption routine with given seed r by PKE.enc r (pk, m). Furthermore, the message m is hashed before being fed to the PKE encryption routine.
Calculate K = KDF(K || H 2 (c)) Output: encapsulation c, shared secret K The decapsulation routine (Algorithm 6) calculates the required values analogously to the encapsulation routine.

1.
Calculate To gain some intuition of how ciphertext validation in Kyber works, have a look at the decryption process as described in detail in Section 2.2. In the Kyber PKE scheme, the message m is embedded within the difference of the vectors v and s T u, i.e., where e, e 1 , e 2 are random error vectors. There are a lot of different combinations of values of these error terms that all correspond to the same m. In the KEM, however, the randomness becomes deterministic by deriving it from a chosen r, so there is a unique set of values (e, e 1 , e 2 ) for each m. This property establishes the required CCA-security of the KEM. When an adversary sends a random ciphertext to the decapsulation routine, it will always decipher to a message m, but the probability that the adversary has chosen the specific ciphertext (generated by the correct "random" terms) corresponding to m is negligible.
The Kyber instances with their corresponding parameter choices are shown in Table 2.

Saber
Saber [13] is a CCA-secure KEM derived from a CPA-secure PKE based on Module-LWR. For n, q ∈ N, the underlying ring is R q = Z q [X]/(X n + 1), i.e., the ring of polynomials up to degree n − 1 with coefficients in Z q . The corresponding module is R k q with rank k ∈ N.
The following primitives are required: a noise space B, where sampling a value from B yields a random small integer value in the range {−5, ..., 5}. Additionally, for the KEM construction, secure hash functions H 1 , H 2 , H 3 and a secure key derivation function KDF are required.
Saber's rounding function does not strictly round down, as we have seen in the general case of LWR in Section 2.2; instead, it rounds to the median of each of the p intervals. (This is basically just the most naive approach for rounding.) This is implemented by adding half of the interval's length h ≈ q 2p and subsequently rounding down, i.e., To implement that efficiently, Saber only uses powers of 2 for the parameters q and p. This simplifies rounding to an addition followed by a bitwise shift.
Like Kyber, the Saber PKE (Algorithms 7-9) is based on the classic LWE-based encryption scheme introduced in Section 2.2. However, error addition is replaced by rounding. This is the only difference to the Kyber PKE presented in Section 2.2.2.
Generate A ∈ R k×k q 2. Sample s ∈ R k q with coefficients from B 3.
Calculate b = As p Output: public key pk = (A, b), secret key s Algorithm 8 Saber PKE Encryption: enc Sample r ∈ R k q with coefficients from B 2.
Calculate u = A T r p 3. Calculate Analogously to Kyber, to construct a CCA-secure KEM from the given PKE, a variant of the FO-transformation is used. In fact, the key generation algorithm (Algorithm 10) is completely identical.
Generate (pk, s) = PKE.keyGen() Output: public key pk, secret key sk = (s, σ) Again, the KEM construction (Algorithms 11 and 12) is very similar to Kyber. The only structural difference is the absent additional hash function used on the message m.
Input: public key pk, secret key sk = (s, σ), encapsulation c 1. Calculate The Saber instances with their corresponding parameter choices are shown in Table 3.

Dilithium
Dilithium [14] is a signature scheme based on Module-LWE. For n, q ∈ N, the underlying ring is R q = Z q [X] / (X n + 1), i.e., the ring of polynomials up to degree n − 1 with coefficients in Z q . The corresponding module is R l q with rank l ∈ N. Additionally, Dilithium requires a secure hash function H.
The key generation (Algorithm 13) is almost identical to Kyber's key generation. An LWE instance is generated, i.e., a matrix A ∈ R k×l q with k ∈ N, a secret vector s ∈ R l q and an error term e ∈ R k q . As usual, A and b are public, while s is kept private.
Sample s ∈ R l q with small coefficients 3.
Sample e ∈ R k q with small coefficients 4.
Calculate b = As + e Output: public key pk = (A, b), secret key s Dilithium's signing process (Algorithm 14) is probabilistic. In the first step, a random vector y ∈ R l q is sampled. As we will see in the verification process, to achieve correctness, we will use the rounded version of Ay by means of a function round(). This function takes a given vector of polynomials and rounds each coefficient of every polynomial. The signature is formed by calculating a pair (z, c), where c is formed by hashing the message m and the value round(Ay). The hash function H maps an input to a polynomial with coefficients in {−1, 0, 1}.
Due to the fact that z depending on the secret key, s potentially leads to serious security issues, and z is not output directly. Instead, in order to remove the statistical dependencies between z and s, Dilithium follows a so-called rejection sampling approach. For the details of rejection sampling, we refer to [15,16]. In case z is rendered invalid ('rejected'), the algorithm restarts from step 1.

Algorithm 14 Dilithium Signature generation.
Input: public key pk = (A, b), secret key s, message m ∈ {0, 1} Until z is valid: Sample y ∈ R l q with small coefficients 2.
Calculate z = y + cs Output: signature σ = (z, c) Given a correct signature σ, it is possible to recover w using the following calculation: To indeed recover w, the last step requires round(Ay − ce) = round(Ay). Since c and e both have small coefficients, their product ce does not influence the outcome of the rounding. In order to verify the signature, we can use a recovered w to recalculate c = H(m || w ) and compare it to the provided signature value c (Algorithm 15). Observe that if z has not been calculated by using the secret key s, i.e., by z = y + cs, the terms Acs would not cancel in the equation above leading to an incorrect w = w. Hence, the value c would be incorrect as well leading to a rejection of the provided signature.
The Dilithium instances with their corresponding parameter choices are shown in Table 4. NTRU is a lattice-based cryptosystem, which was first developed by Hoffstein, Pipher and Silverman in 1996. It originates from the two well-known schemes NTRUEncrypt and NTRUSign. For its abbreviation, "NTRU", one can find multiple explanation attempts, for example: n-th degree truncated polynomial ring or 'number theorists r us'. As the former indicates, NTRU's operations take place in the ring of truncated polynomials R q = Z q [X]/(X n − 1), where n and q are two positive coprime integers and Z q = Z/qZ denotes the ring of integers modulo q. Therefore, R q is the ring of all polynomials of degree < n with coefficients in Z q . Similar to RSA, where it cannot be proven that breaking RSA is as hard as integer factorization, the security of NTRU underlies just a hardness assumption. Let the notation R ≡ denote congruence in the ring R. The so-called NTRU assumption states that the following task is difficult to solve: Given h ∈ R q , find ternary polynomials f , g ∈ Z 3 [X]/(X n − 1) (a ternary polynomial has coefficients in Z 3 ) such that Later, we will see that this can actually be solved as a shortest vector problem.

NTRU-Based Encryption Schemes
This section will provide an overview of the main theory used to build NTRU cryptosystems. To build a cryptosystem around the NTRU assumption, we need two primes, n and p, as well as an integer, q, which is coprime to both. Furthermore, p is significantly smaller than q; in our case, we always have p = 3. These integers will define the rings in which the operations take place.
In the first step, we sample two ternary polynomials f , g ∈ R 3 , where f needs to be invertible in R 3 and R q . Then, we need to calculate said inverses: While f q is used to calculate the public key: f and f 3 serve as the secret key. It is now easy to see that deriving the secret key from the public key provides a solution to the NTRU assumption.
To now encrypt a message m ∈ R 3 , we need another random ternary polynomial r ∈ R 3 and calculate the ciphertext as: The r ensures that encryption is not deterministic, while multiplication by 3 enables correct decryption, as we are about to see.
The decryption process then consists of two steps. First, we calculate: The second step is calculated in R 3 , which ensures that the first term of a vanishes. Multiplying by f 3 then leads to the original message m: The attentive reader might ask why the condition p q is obligatory, and indeed, this is not clearly evident. The problem lies in the transition between R q and R p . It is vital for flawless decryption that a = p · r · g + f · m does not only hold true in R q but also in Z[X].
To be more precise, if the coefficients of p · r · g + f · m become a reduced mod q, a reduction mod p would not yield m.
In conclusion, the correctness is assured if this calculation yields a polynomial of degree < n and coefficients < q. Since r, g, f , m ∈ R p have small coefficients, it is sufficient to require p q. Another observable fact is that the decryption process also establishes the possibility to obtain the message m without the knowledge of f . Indeed (according to the NTRU assumption), it is sufficient for an adversary to find any ternary polynomialf such that f · h is again ternary modulo q, since this still ensures thatf · c does not become reduced modulo q and the subsequent reduction modulo p would yield m. The authors showed in [17] that in all likelihood the only polynomials with this property are just rotations of f (i.e., polynomials obtained by cyclically rotating the coefficients of f ).

Linking NTRU to Computational Lattice Problems
To get an idea of the connection between lattices and NTRU, consider the lattice: consisting of every possible solution for a fixed NTRU assumption given h ∈ R q .
In the following, all calculations are reduced modulo (X n − 1), and we therefore write u · h = v mod q. To find a basis of L, observe that every (u, v) ∈ L equivalently fulfills: for some k ∈ R q . This can be rewritten as: h i x i and k = ∑ n−1 i=0 k i x i , this can be transformed into: Defining M h as the bottom-left quadrant, it is easy to see that the matrix I n 0 n M h q · I n defines a basis of the lattice L. It is obvious that ( f , g) ∈ L, and since f , g ∈ R 3 , it is also a rather short vector. Furthermore, it can be shown that with overwhelming probability ( f , g) is indeed the shortest vector of L. Therefore, being able to solve an SVP also enables finding the secret key of any NTRU cryptosystem.

NTRU
Even though the NIST round three submission of NTRU [18] is mainly based on the generic NTRU encryption scheme we have just seen, it contains a few major differences that need further explanation. The most obvious change regards the underlying polynomial rings. Before, we just considered the two truncated polynomial rings R q = Z q [X]/(X n − 1) and R p = Z p [X]/(X n − 1) that were both generated by (X n − 1). Instead, we consider polynomial rings that are generated by the three polynomials To differentiate the corresponding rings, we introduce the following notation: For example, the formerly used R 3 is now denoted as R The key generation (Algorithm 16) mainly consists of the same steps as in the generic NTRU construction. The difference is that sampling and operations take place in different rings and spaces. Note that g is always a multiple of φ 1 . Other than that, the step of calculating the inverse h q is added. All these modifications aim to add another layer of security against forging ciphertexts, as we will see in the decryption step.

6.
Calculate Output: public key h, secret key sk = ( f , f p , h q ) The encryption process (Algorithm 17) only differs in using a lift-function on the message m before encryption. Let (m · φ −1 1 ) R φn 3 denote a calculation within the ring R φ n 3 , then: It is easy to see that Li f t(m) R φn 3 ≡ m. Now, as a consequence of g andm being multiples of φ 1 , the same is true for c.
Sample r ∈ R φ n 3

Calculate c
The decryption differs the most compared to the general NTRU construction and therefore requires further explanation. In case of a correctly encrypted message m, deciphering takes place in steps 2 and 3. It is not obvious that the calculation in step 2 still yields the same result as in the general NTRU scheme since f q is the inverse in R φ n q and not in R Using the fact that g is a multiple of φ 1 and f q is the inverse of f in R φ n q , we can equivalently say (1) Step 2 then resolves to Finally, we can obtain m in step 3 since f 3 is indeed the inverse in the considered ring R φ n 3 by calculating The first term vanishes since it is a multiple of 3, and as seen before,m = Li f t(m) The decryption (Algorithm 18) contains a built-in validation process, which justifies the additional steps. As shown later, this enables the construction of a KEM that avoids re-encryption (in contrast to classic FO-transformation).
The first step validates whether or not c is a multiple of φ 1 , which is true for any correctly generated ciphertext, as seen before. In order to verify that r is correctly sampled from R φ n 3 (step 6 and 7) , step 4 and 5 retrieve r using c, Li f t(m) and h q . If any of the validation steps fail, the procedure returns the error vector (0, 0, 1); otherwise, (r, m, 0) is returned.
Sample σ ∈ {0, 1} 256 Output: public key h, secret key sk = ( f , f p , h q , σ) Encapsulation (Algorithm 20) consists of three steps: Random sampling r, m ∈ R φ n 3 , generating the ciphertext using PKE.enc() and calculating the shared secret K as the hash of r and m with some cryptographic hash function H 1 .

Algorithm 20 NTRU KEM Encapsulation.
Input: public key h
K = H 1 (r || m) Output: encapsulation c, shared secret K Decapsulation (Algorithm 21) starts with the decryption of c using PKE.dec(). Next, two hashes are calculated, the correct one as a hash of r and m and a decoy as a hash of the sampled values s and c with some cryptographic hash function H 2 . In case of valid decryption, the former is returned; otherwise, the decoy value is returned.
else set K = k 2 Output: shared secret K The NTRU submission recommends two different families of parameter sets, which are referred to as NTRU-HRSS and NTRU-HPS. The explanations of this section regard NTRU-HRSS, but the details of both can be found in the algorithm specification [18].

Falcon
Falcon [19] is a signature scheme based on the Gentry-Peikert-Vaikuntanathan (GPV) signature scheme using the NTRU structure [20]. On a very high level, the underlying idea of the GPV framework is as follows. The public key is a full-rank matrix A ∈ Z n×m q (with m > n) generating a lattice L, while the secret key is a matrix B ∈ Z m×m q generating a corresponding lattice L ⊥ q . The lattices L and L ⊥ q are orthogonal modulo q, meaning that ∀x ∈ L, y ∈ L ⊥ q : x, y = 0 mod q.
Equivalently, the rows of A and B are pairwise orthogonal, i.e., B · A t = 0 mod q. Given a hash H(m) of some arbitrary message m and a hash-function H that maps onto L, a valid signature s has to fulfill two properties:
s < β for some boundary β, i.e., s has to be short.
A solution s satisfying the first property can be easily computed using standard linear algebra; however, additionally considering the second property, finding a valid s is much harder. These requirements are almost identical to the short integer solution problem (SIS), the only difference being that an SIS solution s fulfills A · s = 0 mod q instead. The SIS problem is average-case-hard and reducible to SVP [21].
However, with knowledge of the secret matrix B, a valid signature s can be efficiently computed. The first step is to find any solution s to the first requirement A · s = H(m). Afterwards, a sufficiently close vector v in the orthogonal lattice L ⊥ q needs to be found. Knowing B, this can be achieved using an efficient CVP approximation algorithm such as Babai's Algorithm [22] satisfying s − v < β.
Finally, s = s − v forms a valid signature since A · s = A · s − A · v = H(m) − 0 due to v being orthogonal to the rows of A.
The overall framework of Falcon is quite similar to GPV and uses the basic idea of the NTRU scheme to generate the required lattices. Similar to NTRU, Falcon's operations take place in the ring of truncated polynomials R q = Z q [X]/(X n + 1), where n and q are two positive coprime integers and Z q = Z/qZ denotes the ring of integers modulo q. Therefore, R q is the ring of all polynomials of degree < n with coefficients in Z q .
For the key generation (Algorithm 22) a set of four polynomials f , g ∈ R q and F, G ∈ R = Z[x]/(X n + 1) that fulfills is needed. Afterwards, analogously to NTRU, we calculate h = g · f −1 ∈ R q . From these polynomials, we can generate the public key matrix A ∈ Z n×2n q and the secret key matrix B ∈ Z 2n×2n where every polynomial is represented as its corresponding matrix (see Section 2.3.1 for notation details). It is easy to check that
Find F, G ∈ R such that f · G − g · F = q mod (X n + 1) 3.
Calculate h = g · f −1 Output: public key h, secret key sk = ( f , g, F, G) To make a Falcon signature probabilistic, a random r ∈ {0, 1} 320 is sampled and used to generate the hash c = H(r || m) with some cryptographic hash function H. Due to the construction of A = 1 h , finding an s satisfying property 1 is easy. Since holds, we can always use s = (c, 0) . As described above, we are looking for a vector v ∈ L ⊥ q close to s . Falcon does that using a variant of Babai's algorithm [23]. Then, the difference s − v satisfies properties 1 and 2 and forms a valid signature (Algorithm 23).
To increase security, only the second component of s = (s 1 , is transmitted, which is already sufficient to verify the validity of s. Due to we can see that s 1 just represents a shift by a small constant.
Set s = (c, 0) 4. Find Analogously to the signature generation, for verification (Algorithm 24), the message m is hashed together with the provided r. Assuming s 2 was correctly generated, the missing value s 1 can be calculated by and is declared valid if it is sufficiently small, i.e., (s 1 , s 2 ) < β.
Algorithm 24 Falcon Verification. Calculate The Falcon instances with their corresponding parameter choices are shown in Table 5.

Linear Code Fundamentals
Error-correcting codes are a standard approach to detect and correct communication errors that might happen due to noise during transmission. This technique can be applied to the construction of cryptographic systems where errors are intentionally inserted and can only be corrected by the intended receiver.

Linear Codes
Definition 3 (hamming weight, hamming distance). For a given vector x = (x 1 , . . . , x n ) ∈ F n 2 , we call x i the hamming weight of x. Note that this simply counts the number of entries equal to 1. Given another vector y = (y 1 , . . . , y n ) ∈ F n 2 , we call the hamming distance, which denotes the number of bits in which x and y differ.
Definition 4 (inear code). Let C be a linear subspace of the vector space F n 2 with dimension k. Furthermore, let d = min be the minimum distance of two distinct elements of C. C is called linear code or, equivalently, (n, k, d)-code. The elements of C are called codewords.
Elements of an (n, k, d)-code C are binary vectors of length n. However, since C has dimension k, only k entries can be arbitrarily chosen, and this choice already defines the remaining n − k entries. This means we end up with vectors of length n containing only k bits of non-redundant information. Therefore, it is possible to represent C as the span of k linear independent codewords c 1 , . . . , c k ∈ C, i.e., where G ∈ F n×k 2 with codewords c 1 , . . . , c k as columns. G is called generator matrix of C. We can transform G to its standard form (this definition deviates a little from standard literature; however, it is more useful in the context of Classic McEliece). G = (T || I k ) , where I k is the k × k identity matrix and T ∈ F Given a generator matrix G = (T || I k ) in standard form, there is a neat way to check whether a given word c ∈ F n 2 is a valid codeword, i.e., an element of C. Let H = (I n−k || −T) ∈ F (n−k)×n 2 and c ∈ F n 2 be a valid codeword, i.e., c = G · x for some x ∈ F k 2 . Then, Therefore, a linear code C can equivalently be defined via its parity check matrix H since C is exactly the kernel of the map H, so C = {x ∈ F n 2 | H · x = 0}. This also motivates the following definition.
Definition 5 (syndrome). Let C be a linear code with parity check matrix H and x ∈ F n 2 be a vector. We call H · x ∈ F n−k 2 the syndrome of x.

Binary Goppa Codes
A traditional and well-studied family of linear codes are the so-called binary Goppa codes [24]. They were proposed for cryptography in 1978 due to their good security properties and fast decoding capabilities [25].
Definition 6 (binary Goppa code, support, Goppa polynomial). Let F 2 m be a finite field for some m ∈ N and g(x) ∈ F 2 m [x] be an irreducible polynomial of degree t < 2 m . Let L = (α 1 , α 2 , . . . , α n ) be a sequence of n distinct elements of F 2 m which are not roots of g(x). Then, we define a binary Goppa code Γ(g, L) by We call L support and g(x) Goppa polynomial.
While we will not delve into the mathematical structure behind binary Goppa codes, it is important to highlight that a given Goppa code depends on its Goppa polynomial and its support. In order to derive the parity check matrix of a given Goppa code Γ(g, L), we defineÎ to be the inverse of x − α i reduced modulo g(x) for i ∈ {1, ..., n}. Note that the condition of α 1 , . . . , α n not being roots of g ensures that the inverses 1 x−α 1 , . . . , 1 x−α n exist since, otherwise, x − α i would divide g.
SinceÎ i (x, α i ) is already reduced modulo g(x) and the addition of polynomials with the same degree cannot increase their degree, we can rewrite the defining condition of Γ(g, L) in the following way: Again, we can rewrite the condition as: From this equation, one can easily derive the parity check matrixĤ for Γ(g, L): The inverses inĤ can then be calculated using n executions of the extended euclidean algorithm (EEA). Applying EEA directly to any (x − α i ) and g(x) = ∑ t i=0 g i · x i would lead to a simpler version ofĤ: The details of the derivation can be found in [26]. In Classic McEliece, we will always consider a binary version of the parity check matrixĤ ∈ F t×n 2 m . That means that all elements in F 2 m are converted to a column vector representing their binary form of length m. We call the resulting matrix H ∈ F mt×n 2 the binary parity check matrix. Theorem 1. Let Γ(g, L) be an (n, k, d) binary Goppa code, where g ∈ F 2 m [x] has degree t. Then, we can lower-bound the dimension k by k ≥ n − mt and the minimum distance d by d ≥ 2t + 1.
Since H is an mt × n matrix, the corresponding generator matrix G has dimension n × k with k ≥ n − mt. The derivation of the lower bound for the minimum distance is not easy to see; that is why we refer to [27] for a detailed proof.

Computational Linear Code Problems
Analogously to lattices, there exist various code-based calculation problems which are considered to be computationally hard and are therefore suitable for cryptographic algorithms.
Given a linear (n, k, d)-code C ⊂ F n 2 with a random parity-check matrix H ∈ F (n−k)×n 2 and q ∈ F n 2 , the task of finding the closest codeword c ∈ C to q, i.e., the codeword c which minimizes dist(q, c), is computationally hard and is called a syndrome decoding problem.
Due to its structured parity-check matrix, the hardness of the syndrome decoding problem cannot directly be applied to Goppa codes. However, research indicates that distinguishing a Goppa parity-check matrix from a parity-check matrix of a random code is difficult. The parity-check matrixĤ introduced in Equation (3) gives an intuition of that fact. Observe, that each entry is a polynomial inverse depending on a random Goppa support and a random Goppa polynomial. This Goppa code indistinguishability assumption is the basis for the Classic McEliece cryptosystem, which we will discuss in the following section.

Classic McEliece
Classic McEliece [28] is a CCA-secure key encapsulation mechanism based on a version of the Niederreiter encryption scheme. A message is represented as an error vector e whose syndrome, i.e., the parity check matrix (public key) applied on e, is used as encryption.
Knowing the structure (secret key) of the underlying code, the receiver is able to restore the error vector e from the syndrome using a syndrome decoding algorithm [29].
The Classic McEliece scheme uses binary Goppa codes, which form linear (n, k, d)codes. During key generation (Algorithm 25), Classic McEliece generates a random binary Goppa code Γ(g, L). As described above, the code Γ(g, L) consists of a Goppa polynomial The idea of Classic McEliece encryption (Algorithm 26) is to send the syndrome H(c + e) of an erroneous codeword c ∈ Γ(g, L) with error e ∈ F n 2 . We can observe that H(c + e) is independent of the concrete codeword c, because H(c + e) = Hc + He = He holds for all codewords. Therefore, we drop c and just calculate He. The value e serves as message, and we require it to have weight t, which is defined to be the largest value possible while also guaranteeing correct decryption. Therefore, the size of the message space is ( n t ). Using the provided parity-check matrix H, the corresponding syndrome He is calculated and sent to the receiver.

Algorithm 26 Classic McEliece PKE Encryption: enc.
Input: public key H ∈ F mt×n 2 , message e ∈ F n 2 with weight t 1.
Compute C = He ∈ F n−k 2 Output: ciphertext C Knowing the structure of the Goppa code, i.e., the secret Goppa polynomial g and support (α 1 , . . . , α n ), the receiver is able to reconstruct e from the provided syndrome C = He. In order to do that, the given syndrome C ∈ F n−k 2 is extended to the column vector C = (C, 0, . . . , 0) ∈ F n 2 by appending k zeros. We first observe that H(C + e) = H((He, 0, . . . , 0) + e) = H(He, 0, . . . , 0) + He = He + He = 0 Note that H(He, 0, . . . , 0) = He holds because H is in standard form, i.e., H = (I n−k || −T) for some matrix T. The equation above implies that c = C + e is a codeword in our Goppa code Γ(g, L). Furthermore, we know there can only be one codeword in Γ(g, L) with distance ≤ t to C since, due to Theorem 1, Goppa codewords have a minimum distance of 2t + 1 (see Figure 5). Since e has weight t, the codeword C + e is the unique codeword with distance ≤ t to C . Having the secret Goppa parameters, the receiver is able to use a syndrome-decoding algorithm, e.g., Patterson's Algorithm [30], to find the closest codeword to C , obtaining c = C + e. Then, simple addition yields e = C + c. These steps are summarized in Algorithm 27. Note that general syndrome decoding is difficult, as seen in Section 3.1. Therefore, a third party without knowledge of the secret Goppa parameters is not able to perform this decryption step.
Find the unique codeword c ∈ Γ(g, L) that is at distance ≤ t from C . If there is no such codeword, return ⊥ 3.
If weight(e) = t or C = He, return ⊥ Output: message e Classic McEliece KEM key generation (Algorithm 28) samples an additional value σ ∈ F n 2 . Despite that, the key generation is identical to the key generation of the PKE.

Multivariate Cryptography
Multivariate cryptography uses multivariate polynomials, i.e., polynomials in multiple variables, for the construction of key pairs. Its security is based on the assumption that solving a set of multivariate quadratic polynomial equations over a finite field is computationally hard.

Multivariate Polynomial Functions
Definition 7 (multivariate quadratic polynomial function). Let F be a field. A function f : F n → F is called multivariate function. Let p be a polynomial in the variables x 1 , . . . , x n ∈ F. If f can be represented as p(x 1 , . . . , x n ), f is called multivariate polynomial function (for finite F, this is possible for any function). If f only contains terms of degree two or less, f is called multivariate quadratic polynomial function.
To give an example, the function can be interpreted as a function P : F n → F k by component-wise application and is called polynomial map.

MQ Problem
Let F be a finite field. Let p 1 , . . . , p k : F n → F be multivariate quadratic polynomial functions. Finding a solution s ∈ F n to the system of equations is called an MQ (multivariate quadratic) problem [32]. This problem has been proven to be computationally hard.

Multivariate Signature Schemes
Multivariate public-key cryptosystems (MPKC) are constructions where polynomial maps are used to represent public and private keys. However, MPKC constructions are mainly used as digital signature schemes and are not suited for encryption purposes [33].
Let F be a finite field. The main idea of generating a signature s ∈ F n to a given message m ∈ F k is to calculate one of possibly many pre-images of the image m under a polynomial map P. This is equivalent to finding a solution s to the system of equations where P = (p 1 , . . . , p k ) and m = (m 1 , . . . , m k ). P is called a public map and represents the public key. We can design an MPKC scheme in a way that allows finding pre-images under a public map without directly solving the MQ problem. Usually, this mechanism involves some polynomial map F : F n → F k , which we call the central map. We hide F by applying the following compositions involving the two affine maps S : F n → F n and T : F k → F k . The resulting function P = T • F • S : F n → F k is the public key to the corresponding secret key (T , F , S). In general, the central map F requires efficient computation of pre-images. The affine maps S and T have to be invertible; therefore, they need to be of full rank. As mentioned above, a signature s for a given message m is a pre-image of m under P. With knowledge of the decomposition P = T • F • S, s can be computed by calculating the pre-image of T −1 (m) under F and subsequent application of S −1 . To verify a signature s for a message m, we simply need to verify whether m = P (s) holds. Note that there could exist multiple valid signatures for a given message m.
The key component of an MPKC is the design of the central map F . Without prior knowledge of the secret key (T , F , S), an attacker cannot distinguish the public map from a randomly generated polynomial map. The complexity of a direct attack is therefore reduced to the difficulty of the MQ problem. However, observe that the security assumption of this system is stronger than in the case of the MQ problem due to possible efficient attacks against the central map F . There exists an alternative approach for breaking an MPKC without trying to directly attack the public map. The idea is to find two alternative affine maps that suffice the same criteria of transforming the central map F into P. Thus, the cryptosystem can be broken by finding alternative private keys which correspond to the same public map. In this context, we need to define a new problem called the IP problem (Isomorphism of Polynomials) [32].

IP Problem
Let P, F be two polynomial maps from F n to F k with: Assuming two invertible affine transformations S : F n → F n and T : F k → F k with P = T • F • S exist, finding S and T is called an IP problem, which is also computationally hard [34]. Solving the IP problem could possibly break an MPKC by finding alternative secret affine functions to a given public map and an arbitrarily chosen central map.

Rainbow
The Rainbow signature scheme [35] is closely related to arguably the most common multivariate-based signature scheme, namely, Unbalanced Oil and Vinegar (UOV). In order to understand Rainbow, we first need to properly introduce UOV.
The basic idea of UOV consists of dividing the set of variables of the central map F into two disjoint subsets, which we refer to as oil and vinegar variables. The most important property is that the quadratic polynomials of F are not allowed to contain cross-terms between two oil variables. UOV has the general advantage of offering fast computations of both public and private keys, as well as a simple structure. A major disadvantage lies in the comparably large key sizes.
The UOV scheme is an MPKC scheme, as described in . . , f k . We restrict those to their homogeneous forms, i.e., omitting constant and linear terms. Then, each f r has the form: where x 1 , . . . , x v and x v+1 , . . . x n correspond to the vinegar variables and oil variables, respectively. A central map F is generated by randomly assigning values to the coefficients ij from F. The affine transformations S and T are also sampled by randomly assigning their coefficients, which is repeated if they turn out not to be invertible. The calculation of pre-images under F works as follows: • We randomly assign values to the vinegar variables x 1 , . . . , x v (highlighted in red), thus reducing the product between two vinegar variables to constants and the product of an oil and a vinegar variable to a linear term: This results in a linear system of k equations in n − v = k variables, namely, x v+1 , . . . , x n . By applying Gaussian elimination, we solve this system and thereby derive the remaining oil values x v+1 , . . . , x n . In case the system does not have a solution, we repeat the previous step by sampling some other random values for the vinegar variables.
As mentioned in Section 4.1, this MPKC construction is designed in a way that makes it hard to find pre-images under a given public map P; however, knowing the secret decomposition P = T • F • S enables an efficient computation of pre-images, i.e., signature generation.
Rainbow generalizes the UOV concept. The Rainbow signature scheme consists of two layers of Oil-Vinegar polynomials, where the second layer includes all variables from the first layer, i.e., the set of vinegar variables from layer two contains all variables of layer one.
A concrete Rainbow instance is defined by an initializing number v 1 of vinegar variables for layer one and the number of oil variables for layers one and two, i.e., This construction improves the ratio between the signature size and the message size from v+o o in the UOV case to v 1 +o 1 +o 2 o 1 +o 2 in the two-layer Rainbow case due to v 1 < v, i.e., signatures are relatively smaller (in practice, this amounts to an about 26% reduction [36]). Due to the reduced number of coefficients needed in the first layer, this also results in a smaller private key. Recent attacks have shown this construction to be vulnerable resulting in a loss of these efficiency gains, see Section 4.2.1.
To generate a concrete key pair (Algorithm 31), the following maps are sampled: ij are randomly chosen from F. • Two secret randomly chosen invertible affine maps T : F k → F k and S : F n → F n . Their coefficients are randomly sampled from F which is repeated if the maps turn out not to be invertible. • The public key P = T • F • S : F n → F k .

Algorithm 31
Rainbow Key Generation. Input: none 1. Sample S ∈ F n → F n 2.
Sample F ∈ F n → F k 3.
Sample T ∈ F k → F k 4.
Calculate P = T · F · S ∈ F n → F k Output: public key P, secret key sk = (T , F , S) In case one of the linear systems has no solution, we start from the beginning by choosing other random values for the vinegar variables of the first layer.
A valid signature of a message m under P can be computed by hashing and subsequently finding pre-images under the secret maps T , F and S (Algorithm 32).
Find pre-image u −1 of u under F 4.
Calculate s = S −1 (u −1 ) Output: signature s Let m ∈ {0, 1} be a message and s ∈ F n a signature. The signature s is accepted if H(m) = P (s) holds; otherwise, it is rejected (Algorithm 33).
Calculate m H = H(m) Output: valid if m H = m H , else invalid The Rainbow instances with their corresponding parameter choices are shown in Table 7.  [37] in February 2022 has shown a considerable improvement in previously known attacks against Rainbow. The main enhancement arises from the combination of a previously developed rectangular MinRank attack [38] and an improved guessing technique. In order to resist this attack, the Rainbow parameters would be required to even exceed the length of the standard (and better-understood) UOV approach. This essentially renders the preferred usage of Rainbow over UOV questionable since the performance gain is rather small compared to the additional complexity of the scheme.
Funding: This research work was funded by Volkswagen AG as part of a joint project.
Institutional Review Board Statement: Not applicable.