Lattice-Based Post-Quantum Public Key Encryption Scheme Using ElGamal’s Principles

Modern technologies like quantum and cloud computing have reshaped computing, offering immense power and scalability. While beneficial, they also challenge the security of traditional cryptographic systems. Quantum computing threatens RSA and ECC with algorithms like Shor’s algorithm, which can accelerate computations exponentially. This risks exposing these systems to attacks, necessitating quantum-resistant cryptography. Cloud computing poses data security concerns, requiring robust cryptographic mechanisms and access controls. Lattice-based cryptography, leveraging problems like the Short Integer Solution (SIS), emerges as a solution. This paper presents a novel quantum-resistant public key encryption scheme based on ElGamal and SIS, ensuring security against quantum and classical threats in modern cryptographic environments.


Introduction
Traditional encryption strategies have encountered significant limitations due to the rapid advancement in computing technologies such as quantum computing, grid computing, and cloud computing. These advanced technologies possess vastly superior computational capabilities, posing great challenges for conventional cryptographic systems. In response to these challenges, lattices have emerged as a relevant approach. In recent years, lattices have provided a rich foundation for numerous cryptographic constructions, including encryption schemes, signatures, one-way functions, collision-resistant hash functions, and key exchange protocols. These fundamental components are integrated within a unified cryptographic framework known as lattice-based cryptography. Lattices hold substantial importance in contemporary cryptography due to the strong security guarantees provided by lattice-based structures, rooted in the hardness assumptions of lattice problems. Problems like Learning With Errors (LWE) and Shortest Vector Problem (SVP) represent average-case challenges widely utilized in lattice-based systems, illustrating their resilience against advanced computing threats, including quantum and exponential attacks. Furthermore, lattice-based systems demonstrate efficient implementation and high simplicity.
Public-key encryption was first introduced by Diffie and Hellman in 1976, posing the question of establishing a cryptosystem where each recipient holds a pair of keys: a secret key (SK) and a public key (PK). This pioneering work laid the foundation for subsequent developments, including the RSA cryptosystem introduced by Rivest, Shamir, and Adleman in 1978, which relies on the complexity of factoring large integers and is used both for encryption and digital signatures. Six years later, ElGamal introduced another public key exchange framework and signature protocol based on discrete logarithms, leveraging the complexity of the Diffie-Hellman problem and the discrete logarithm problem (DLP).
However, contemporary computational technologies present new challenges to traditional cryptographic foundations. To address these challenges and meet the demands of modern cryptography, this paper proposes a novel post-quantum public-key encryption scheme based on the Short Integer Solution (SIS) problem, leveraging principles similar to ElGamal's public key encryption. The security analysis of these proposed schemes is grounded in the complexity of approximating a short integer solution, a fundamental problem in lattice-based cryptography and the basis for constructing cryptographic schemes such as Learning With Errors (LWE) and related primitives. The scheme includes a key exchange protocol based on the SIS problem, as formulated by Ajtai [1], and emphasizes simplicity in construction while considering cryptographic principles such as Chosen Ciphertext Attack (CCA) security.
The novelty of our approach lies in its integration of lattice-based operations within the framework of the classical ElGamal cryptosystem. By leveraging the SIS problem, our scheme offers enhanced security against quantum threats while preserving compatibility with established cryptographic principles. Notably, our scheme demonstrates exceptional efficiency when encrypting smaller messages, making it an attractive choice for applications requiring secure communication over resource-constrained environments. Furthermore, our proposed scheme serves as a foundational research contribution, providing a simplified yet effective solution for secure communication. Its efficiency and simplicity make it an ideal starting point for further research and exploration in the field of lattice-based cryptography. As such, our work not only addresses current cryptographic challenges but also paves the way for future advancements in the field.
The paper is outlined as follows. The second section provides the background of lattice-based cryptographic systems, introducing computational problems such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). The third section explains the ElGamal public key encryption scheme and the construction of a key exchange protocol based on the SIS problem. Building on these concepts, the fourth section introduces the proposed scheme, the construction of a post-Quantum ElGamal cryptosystem. This section presents the algorithm and pseudocode of the proposed scheme and analyzes its security. The fifth section covers the experimental aspects, and the sixth section compares the efficiency of the proposed scheme with classical ElGamal encryption. Finally, the seventh section concludes the paper.

Lattice-Based Cryptography
In this section, we explore the latest cryptographic technique known as lattice-based cryptography [2,3]. These structures offer promising prospects for post-quantum cryptography, featuring robust security guarantees and highly efficient implementation. The security of lattice-based cryptography relies on intricate challenges posed by point lattices within an m-dimensional Euclidean space $\mathbb{R}^m$. Furthermore, lattice cryptography ensures resilience against quantum attacks, with security grounded in worst-case scenarios. Here, we provide formal definitions and attributes based on previous research in this field.

Lattice
A lattice can be understood as a discrete set formed by combining sets of vectors. The definition of a lattice is described as follows: Here, m and n denote the order and dimension of the lattice, respectively, while $b_1, b_2, \ldots, b_n$ are referred to as the basis vectors of the lattice. The minimum distance of a lattice $\mathcal{L}$ is defined as the length of the shortest nonzero vector (b) in the lattice: (2)
Essentially, a lattice represents a discrete arrangement of points in space, forming a set of points in an n-dimensional space. For example, a lattice in a 2-dimensional space is illustrated in Figure 1. Using the basis vectors (1, 1) and (1, −1), the lattice in $\mathbb{R}^2$ is generated, showing various configurations. For instance, (1, 1) + (1, −1) = (2, 0) and 2(1, 1) + (1, −1) = (3, 1), resulting in different lattice points as depicted in Figure 1.
Cryptography 2024, 8, x FOR PEER REVIEW

The foundation for a lattice is a set of independent vectors that generates $\mathcal{L}$. A lattice has diverse bases. Each basis of the lattice consists of the same number of elements.

Definition 2. $\mathcal{L}$ generated by a basis matrix $B \in \mathbb{Z}^{m \times n}$ is determined as $\mathcal{L}(B) = \{Ba : a \in \mathbb{Z}^n\}$, where $Ba$ is a matrix-vector multiplication.

A basis $B$ is not unique for any $\mathcal{L}(B)$. A matrix is called unimodular if the determinant is ±1. For any unimodular matrix $U \in \mathbb{Z}^{n \times n}$, $B \cdot U$ is a basis for $\mathcal{L}(B)$.

Lemma 2. A subset of $\mathbb{R}^m$ forms a lattice if and only if it constitutes a discrete additive subgroup.

Computational Problems of Lattices
The Shortest Vector Problem (SVP) and Closest Vector Problem (CVP) are pivotal challenges within lattice theory [4,5]. In the context of SVP, the goal is to locate a short nonzero vector that minimizes the Euclidean norm within a lattice. Conversely, CVP aims to find a lattice vector that is closest to a given vector in Euclidean space.
Extensions of these fundamental problems include the approximate SVP (apprSVP) and approximate CVP (apprCVP). These variants involve finding solutions that are close to the optimal solution but not necessarily the exact shortest or closest vector, respectively. Both apprSVP and apprCVP are notoriously difficult problems with worst-case complexity scenarios in lattice-based cryptography and computational complexity theory.
Despite their theoretical complexity, SVP and CVP have found widespread practical applications in cryptographic systems. They serve as foundational problems in the design of lattice-based cryptographic protocols, offering robust security guarantees based on the assumed hardness of these lattice problems. The ability to efficiently solve or approximate SVP and CVP is crucial for evaluating the security and efficiency of lattice-based cryptographic schemes in real-world applications.

Definition 3. Shortest Vector Problem (SVP).
Given any basis matrix $B \in \mathbb{Z}^{m \times n}$ of a lattice $\mathcal{L}(B)$, the Shortest Vector Problem (SVP) aims to find the shortest nonzero vector $b \in \mathcal{L}$ such that $\|b\| = D_{\min}(\mathcal{L})$, where $D_{\min}(\mathcal{L})$ represents the minimum Euclidean norm of any nonzero vector in the lattice $\mathcal{L}$.
In this context:
- m denotes the dimension of the ambient Euclidean space $\mathbb{R}^m$,
- b denotes the rank of the lattice $\mathcal{L}(B)$.
The Shortest Vector Problem is fundamental in lattice theory and has significant applications in cryptography and computational complexity theory, where its computational hardness forms the basis for the security of lattice-based cryptographic protocols.

Definition 4. Closest Vector Problem (CVP).
Given any basis matrix $B \in \mathbb{Z}^{m \times n}$ of a lattice $\mathcal{L}(B)$ and a vector c, which is not in $\mathcal{L}$, the Closest Vector Problem (CVP) seeks to find a lattice vector $b \in \mathcal{L}$ that is closest to c. In other words, the goal is to find $b \in \mathcal{L}$ such that $\|c - b\| = D_{\min}(\mathcal{L})$, where $D_{\min}(\mathcal{L})$ represents the minimum Euclidean distance from c to any vector in $\mathcal{L}(B)$.
In this context:
- m denotes the dimension of the ambient Euclidean space $\mathbb{R}^m$,
- b denotes the rank of the lattice $\mathcal{L}(B)$.
The Closest Vector Problem is another fundamental challenge in lattice theory and finds applications in various fields, including cryptography, coding theory, and algorithm design. Its computational complexity is crucial in assessing the security and efficiency of lattice-based cryptographic algorithms and protocols.

Short Integer Solution (SIS)
The Short Integer Solution (SIS) problem is used in lattice-based cryptography constructions [6,7].
where $A = (\vec{a}_1, \ldots, \vec{a}_m)$. It is finding a short vector in the lattice. This problem is fundamental in lattice-based cryptography due to its hardness assumption, which underpins the security of many cryptographic primitives. The challenge of finding such short vectors in high-dimensional lattices forms the basis for constructing secure encryption schemes and digital signature algorithms that are resilient against quantum attacks.
The security of lattice-based cryptography relies on the difficulty of solving the SIS problem, especially in its worst-case scenario. Unlike many classical cryptographic algorithms vulnerable to quantum computing techniques like Shor's algorithm, the SIS problem and its variants are believed to resist efficient quantum attacks. This resilience makes lattice-based cryptography an attractive candidate for post-quantum cryptography, ensuring the confidentiality and integrity of digital communications in an era where quantum computers may pose a threat to traditional cryptographic systems.
Researchers continue to explore and refine lattice-based cryptographic techniques, leveraging the hardness of problems like SIS to develop robust cryptographic protocols suitable for securing sensitive data and communications across various domains, including finance, healthcare, and government sectors.
The Construction of a One-Way Hash Function
Constructing a one-way hash function based on lattice problems is a complex and ongoing research area within cryptography. While traditional hash functions like SHA-256 rely on mathematical constructs such as modular arithmetic and bitwise operations, there is growing interest in designing hash functions that leverage lattice problems due to their resistance against quantum attacks.
Lattice-based hash function design explores the hardness of specific lattice problems, notably the Learning With Errors (LWE) problem and the Short Integer Solution (SIS) problem [8–10]. These problems are believed to be difficult to solve even with quantum computers, making them attractive for cryptographic applications in a post-quantum computing era.
One potential approach involves transforming the difficulty of solving these lattice problems into a secure hashing mechanism. By encoding inputs into lattice vectors and deriving outputs based on the hardness assumptions of lattice problems, researchers aim to create hash functions that provide strong collision resistance and pre-image resistance.
The appeal of lattice-based hash functions lies in their potential to provide long-term security guarantees against emerging quantum computing threats. As such, they represent a promising avenue for developing robust cryptographic primitives that can withstand future advancements in computing technology.
Set $m > n \log q$. Define $f_A : \{0, 1\}^m \to \mathbb{Z}_q^n$ as
After that, $f_A$ covers $\mathbb{Z}_q^n$ nearly uniformly (notice that since $m > n \log q$, the number of elements in the domain, $2^m$, is much larger than the number of elements in the range, $q^n$).
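The following Python sketch is an added example, not code from the paper. It assumes the standard Ajtai form $f_A(x) = Ax \bmod q$ and uses constructed toy sizes (q = 5, n = 2, m = 6) to show why the compression condition ties collision resistance to SIS: any collision $x \ne x'$ yields a short nonzero $z = x - x'$ with $Az \equiv 0 \pmod q$.

```python
import itertools
import math
import secrets

def f_A(A, x, q):
    """Ajtai-style hash (assumed form): f_A(x) = A x mod q for a bit vector x."""
    return tuple(sum(a * b for a, b in zip(row, x)) % q for row in A)

def find_collision(A, q):
    """Hash every input in {0,1}^m (feasible only at toy sizes) until two collide."""
    seen = {}
    for x in itertools.product((0, 1), repeat=len(A[0])):
        digest = f_A(A, x, q)
        if digest in seen:
            return seen[digest], x
        seen[digest] = x
    return None

def sis_solution_from_collision(A, q):
    """Turn a collision of f_A into a SIS solution z = x1 - x2."""
    n, m = len(A), len(A[0])
    if m <= n * math.log2(q):
        raise ValueError("need m > n log q so that 2^m > q^n")
    # The pigeonhole principle guarantees a collision once 2^m > q^n.
    x1, x2 = find_collision(A, q)
    return [a - b for a, b in zip(x1, x2)]

def is_sis_solution(A, z, q, beta):
    """Check the three SIS conditions: z != 0, ||z|| <= beta, A z = 0 mod q."""
    nonzero = any(z)
    short = math.sqrt(sum(v * v for v in z)) <= beta
    in_kernel = all(sum(a * b for a, b in zip(row, z)) % q == 0 for row in A)
    return nonzero and short and in_kernel

# Constructed toy instance: 2^6 = 64 inputs map onto at most 5^2 = 25 outputs.
Q, N, M = 5, 2, 6
A = [[secrets.randbelow(Q) for _ in range(M)] for _ in range(N)]

if __name__ == "__main__":
    z = sis_solution_from_collision(A, Q)
    print("z =", z, "is a SIS solution:", is_sis_solution(A, z, Q, math.sqrt(M)))
```

At real parameter sizes the exhaustive search is infeasible, which is exactly the collision-resistance claim: finding a collision is at least as hard as solving the SIS instance A.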

ElGamal Public Key Encryption Scheme
Initially, the Diffie-Hellman key distribution scheme was presented [11]. Assume that A and B want to share a secret $K_{AB}$, where A has a secret $x_A$ and B has a secret $x_B$. Let p be a large prime and α be a primitive element mod p, both known. A calculates $y_A \equiv \alpha^{x_A} \bmod p$ and sends $y_A$. Also, B calculates $y_B \equiv \alpha^{x_B} \bmod p$ and sends $y_B$. Then, the secret $K_{AB}$ is calculated as $K_{AB} \equiv y_A^{x_B} \bmod p \equiv y_B^{x_A} \bmod p$. Thus, A and B are able to calculate $K_{AB}$. However, for an intruder, calculating $K_{AB}$ seems to be complicated. There is no definitive evidence yet that breaking the system is equivalent to computing discrete logarithms.
In any cryptographic system based on discrete logarithms, p must be chosen so that p − 1 has at least one large prime factor. If p − 1 has only small prime factors, computing discrete logarithms becomes easy. Now assume that A wants to send B a message m, where 0 ≤ m ≤ p − 1. First, A chooses a number k uniformly between 0 and p − 1. Note that k will serve as the secret $x_A$ in the key distribution scheme. Then, A calculates the "key" where $y_B \equiv \alpha^{x_B} \bmod p$ is either in a public file or is sent by B. The encrypted message is then the pair $(c_1, c_2)$, where and K is calculated in (6). Note that the size of the ciphertext is twice that of the message. Additionally, the multiplication operation in (7) can be substituted with any other invertible operation, such as summation modulo p.
The decryption operation is divided into two parts. The first stage is recovering K, which is easy for B since $K \equiv (\alpha^k)^{x_B} \equiv c_1^{x_B} \bmod p$, and $x_B$ is known to B only. The second stage is to divide $c_2$ by K and recover the message m.
The public file includes one entry for each user, namely $y_i$ for user i, since α and p are given for all users. It is plausible that each user chooses their own α and p, which is more suitable from a security standpoint. However, this increases the size of the public file.
Using the same value k to encrypt multiple blocks of a message is not recommended. If k is reused, knowledge of one block $m_1$ of the message allows an intruder to compute other blocks as follows: Let After that, $m_1/m_2 \equiv c_{2,1}/c_{2,2} \bmod p$, and $m_2$ is easily calculated if $m_1$ is known.
Cracking the system equates to compromising the Diffie-Hellman key exchange scheme. Firstly, if m can be derived from $c_1$, $c_2$, and y, then K can also be derived from y, $c_1$, and $c_2$ (which appear as random numbers since k and m are unknown). This is sufficient to undermine the security of the key distribution scheme. Secondly, even if m is known, computing k or x from $c_1$, $c_2$, and y is tantamount to solving discrete logarithm problems. This is because both x and k appear in the exponent in y and $c_1$.
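The sketch below is an added example, not code from the paper. It implements the classical scheme with the usual ElGamal equations $K \equiv y_B^k$, $c_1 \equiv \alpha^k$, $c_2 \equiv K m \pmod p$ (consistent with the decryption step $K \equiv c_1^{x_B}$ above) on a constructed toy prime, and shows both the relation $m_1/m_2 \equiv c_{2,1}/c_{2,2}$ under a reused k and a receiver-side check that flags the reuse.

```python
import secrets

# Constructed toy parameters: P = 2 * 1019 + 1 is a safe prime, so P - 1 has the
# large prime factor 1019 that the text asks for. Real parameters are far larger.
P = 2039
HALF = (P - 1) // 2
# For a safe prime, g is a primitive element iff g^2 != 1 and g^((P-1)/2) != 1 (mod P).
ALPHA = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, HALF, P) != 1)

def keygen():
    """Return B's key pair (x_B, y_B = alpha^x_B mod p)."""
    x_b = secrets.randbelow(P - 2) + 1
    return x_b, pow(ALPHA, x_b, P)

def encrypt(y_b, m, k=None):
    """Encrypt m in [1, p-1]; k is only passed explicitly to demonstrate reuse."""
    if not 1 <= m <= P - 1:
        raise ValueError("message must lie in [1, p-1]")
    if k is None:
        k = secrets.randbelow(P - 2) + 1      # fresh ephemeral secret per block
    key = pow(y_b, k, P)                       # K = y_B^k
    return pow(ALPHA, k, P), (key * m) % P     # (c1, c2) = (alpha^k, K*m)

def decrypt(x_b, c1, c2):
    key = pow(c1, x_b, P)                      # K = c1^x_B
    return (c2 * pow(key, -1, P)) % P          # m = c2 / K

def reuses_k(ct_a, ct_b):
    """Equal c1 values mean the same k (hence the same K) protected both blocks."""
    return ct_a[0] == ct_b[0]

def recover_second_block(m1, ct1, ct2):
    """With a shared K: m1/m2 = c21/c22, so m2 = m1 * c22 / c21 (mod p)."""
    return (m1 * ct2[1] * pow(ct1[1], -1, P)) % P

if __name__ == "__main__":
    x_b, y_b = keygen()
    m1, m2 = 1111, 1777                        # constructed message blocks
    ct1, ct2 = encrypt(y_b, m1, k=77), encrypt(y_b, m2, k=77)
    print("k reused:", reuses_k(ct1, ct2),
          "| m2 recovered without x_B:", recover_second_block(m1, ct1, ct2) == m2)
    ct3 = encrypt(y_b, m2)                     # fresh k: the relation no longer holds
    print("fresh k decrypts correctly:", decrypt(x_b, *ct3) == m2)
```

A receiver or an audit tool can run `reuses_k` over stored ciphertexts, since a repeated $c_1$ under the same public key is always a sign of a broken sender.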
The Diffie-Hellman key exchange scheme relies on the discrete logarithm problem for its security. In recent years, the emergence of quantum computing has posed a significant threat to traditional cryptographic systems based on these assumptions [12–16]. Quantum algorithms, such as Shor's algorithm, have demonstrated the potential to efficiently solve the discrete logarithm problem and compromise the security of schemes like ElGamal encryption [17–19].
To address these challenges, ongoing research in post-quantum cryptography explores alternative mathematical foundations that resist quantum attacks. Lattice-based cryptography, leveraging problems like Learning With Errors (LWE) and Short Integer Solution (SIS), offers promising avenues. These problems are believed to be hard even for quantum computers, making lattice-based schemes attractive candidates for securing communications in a post-quantum era. The researchers are designing quantum algorithms using these problems [20,21].
By transitioning to lattice-based cryptography and exploring other post-quantum cryptographic primitives, researchers aim to future-proof cryptographic systems against the looming threat of quantum computing capabilities. This shift underscores the importance of adapting cryptographic protocols to withstand evolving technological landscapes and ensure long-term security in digital communications.
On 5 July 2022, NIST announced the adoption of quantum-resistant algorithms for standardization as follows: For public key encryption and key establishment, NIST will adopt CRYSTALS-KYBER, a lattice-based scheme [22].
CRYSTALS-DILITHIUM is preferred for general-purpose digital signing, including future digital certificates and signed documents. SPHINCS+ offers additional confidence in long-term security by leveraging hash functions, although with some trade-offs in performance. FALCON was also selected for potential performance benefits in specific use cases, with its standards expected to be released in the coming months. These quantum-safe signatures function similarly to traditional digital signatures, enabling the holder of a private key to verify they signed a specific message. They are designed to replace traditional RSA and ECC digital signatures with algorithms resistant to quantum computing threats.
The research presented an AI-based side-channel attack on CRYSTALS-KYBER. According to the research, while the scheme itself remains uncompromised, vulnerabilities were identified in its implementation under specific conditions. Nevertheless, these findings underscore the importance of considering such attacks [26,27]. Therefore, we propose a straightforward construction of a post-quantum secure lattice-based cryptographic system.

The Construction of a Key Exchange Protocol Using the SIS Problem
The "Short Integer Solution problem" (SIS problem), initially proposed by Ajtai, poses a significant challenge in cryptography. Several efforts have been focused on developing a key exchange protocol based on the SIS problem. Despite various attempts to formulate such protocols, the fundamental architecture remains unchanged.
(1) Suppose that Alice and Bob agree to do a key exchange. The system generates a random matrix $R \in \mathbb{Z}_q^{n \times m}$.
(2) Alice picks a secret key $s_A \in \mathbb{Z}_q^m$ with norm $\|s_A\| \le \beta$. She computes $P_A = R s_A$ and sends $P_A$ to Bob.
(3) Bob picks a secret key $s_B \in \mathbb{Z}_q^n$ with norm $\|s_B\| \le \beta$. He computes $P_B = s_B^T R$ and sends $P_B$ to Alice.
(4) Getting $P_B$, Alice computes
To ensure the security of Alice's secret key through the application of the SIS problem, it is crucial to ensure that the dimension n of the lattice is significantly smaller than the ambient dimension m.
On the other hand, it is also imperative to ensure that m ≫ n when applying the Short Integer Solution problem to safeguard Bob's secret key. This ensures that both parties have more variables than equations, making it impractical to perform key exchange using the Short Integer Solution problem.

Novel Construction of Post-Quantum ElGamal Cryptosystem
Based on the key exchange described above, we offer the public key cryptosystem, which works like the classical ElGamal cryptosystem. To generate the keys needed for encryption and decryption, we follow a series of steps.
Firstly, we determine the level of security we want. This is represented by a parameter called "$1^{n \times m}$". Then, using this parameter, we run a key generation algorithm that gives us several important values: q (the modulus), n (the number of rows), and m (the number of columns). These values are crucial for our encryption scheme. Next, we create a random matrix, M, which has n rows and m columns. Each element in this matrix is randomly chosen from a special set of numbers, $\mathbb{Z}_q^{n \times m}$. After that, we generate a secret vector, $s_A$. This vector has m elements, each randomly chosen from $\mathbb{Z}_q^m$. Importantly, the size of this vector is kept below a certain threshold, ensuring that it does not become too large. Now, armed with these values, we compute our public key. This consists of the modulus q, the dimensions of our matrix (n and m), the matrix itself (M), and a transformed version of M using our secret vector $s_A$. This transformed version is denoted as $P_A$.
Once we have our public key, we are ready to encrypt a message. To do this, we take the public key and the message we want to encrypt. First, we create another random vector, $s_B$. This vector has n elements, each chosen from $\mathbb{Z}_q^n$, and its size is also restricted to avoid becoming too large. With $s_B$ in hand, we perform two main calculations. First, we mix up the message using a randomly generated matrix, giving us one part of our encrypted message, denoted as c1. Second, we encode the message further using our public key and the random vector $s_B$, giving us the second part of our encrypted message, denoted as c2.
Finally, we output both parts of our encrypted message: c1 and c2. Now, if we want to decrypt a message, we need the encrypted message and our private key. First, we unscramble the first part of the encrypted message using our private key, $s_A$. This gives us some information about the original message. Then, we use this information to decode the second part of the encrypted message, c2. We do this by dividing c2 by what we unscrambled before. The result is our decrypted message, which should match the original message we wanted to send.
Formally, this process can be illustrated as follows:

1. In order to generate the keys, we have to implement the following steps. The public key is $(q, n, m, M, P_A = M s_A)$ and the private key is $s_A \in \mathbb{Z}_q^m$ with norm $\|s_A\| \le \beta$.
• Steps:
(1) Start the key generation algorithm Gen($1^{n \times m}$) to obtain the parameters q, n, and m, where q is the modulus, n is the number of rows, and m is the number of columns.
(2) Generate a random matrix M of size n × m with elements chosen uniformly from the ring $\mathbb{Z}_q$.

The offered scheme consists of three algorithms as follows: Key_Generation, Encryption, and Decryption. The following pseudocode illustrates the work of the scheme:

    function Key_Generation():
        // Step 1: Generate parameters q, n, and m
        q, n, m = RunG(1^n)
        // Step 2: Generate a random matrix M
        M = GenerateRandomMatrix(n, m, q)
        // Step 3: Generate a random secret vector sA with norm at most β
        sA = GenerateRandomVector(m, q, β)
        // Step 4: Compute the public value PA = M·sA (mod q)
        PA = (M * sA) mod q
        // Step 5: Return the public key and the private key
        return (q, n, m, M, PA), sA
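A runnable Python sketch of the key exchange and the ElGamal-style scheme described above; this is an added example, not the paper's implementation. The toy parameters, the helper names, the shared value $K = s_B^T M s_A$ and the use of SHA-256 for the hash H are assumptions, and the code handles the case where K is not invertible, in which "dividing c2" would fail.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use): prime modulus q,
# n rows, m columns with m >> n, and norm bound beta for the secret vectors.
Q, N, M_COLS, BETA = 7681, 8, 64, 8.0

def rand_matrix(n, m, q):
    return [[secrets.randbelow(q) for _ in range(m)] for _ in range(n)]

def short_vector(length, beta):
    """Sample a nonzero vector with entries in {-1, 0, 1} and Euclidean norm <= beta."""
    while True:
        v = [secrets.randbelow(3) - 1 for _ in range(length)]
        if any(v) and sum(x * x for x in v) <= beta * beta:
            return v

def mat_vec(A, v, q):                 # (n x m) matrix times column vector of length m
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]

def vec_mat(v, A, q):                 # row vector of length n times (n x m) matrix
    return [sum(v[i] * A[i][j] for i in range(len(A))) % q for j in range(len(A[0]))]

def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q

def key_exchange():
    """Both sides end with s_B^T R s_A: Alice from P_B and s_A, Bob from s_B and P_A."""
    R = rand_matrix(N, M_COLS, Q)
    s_a, s_b = short_vector(M_COLS, BETA), short_vector(N, BETA)
    p_a, p_b = mat_vec(R, s_a, Q), vec_mat(s_b, R, Q)
    return dot(p_b, s_a, Q), dot(s_b, p_a, Q)

def keygen():
    Mx = rand_matrix(N, M_COLS, Q)
    s_a = short_vector(M_COLS, BETA)
    return (Mx, mat_vec(Mx, s_a, Q)), s_a      # public (M, P_A), private s_A

def encrypt(pub, msg):
    Mx, p_a = pub
    if not 0 <= msg < Q:
        raise ValueError("message must be an element of Z_q")
    while True:
        s_b = short_vector(N, BETA)            # fresh ephemeral secret per message
        k = dot(p_a, s_b, Q)                   # K = P_A^T s_B
        if k != 0:                             # K must be invertible mod q
            break
    return vec_mat(s_b, Mx, Q), (k * msg) % Q  # c1 = s_B^T M, c2 = K * m

def decrypt(s_a, c1, c2):
    k = dot(c1, s_a, Q)                        # c1 s_A = s_B^T M s_A = K
    if k == 0:
        raise ValueError("recovered key is not invertible")
    return (c2 * pow(k, -1, Q)) % Q            # "divide c2 by K"

def derive_key(k):
    """k = H(K): a symmetric key for the accompanying private-key scheme."""
    return hashlib.sha256(k.to_bytes((Q.bit_length() + 7) // 8, "big")).digest()

if __name__ == "__main__":
    pub, s_a = keygen()
    c1, c2 = encrypt(pub, 4242)
    print("decrypted:", decrypt(s_a, c1, c2), "| exchange agrees:", len(set(key_exchange())) == 1)
```

Because all arithmetic is exact modulo q, decryption has no error term, unlike LWE-based schemes where a noise budget has to be tracked.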

Security of the Offered Scheme
It must be mentioned that the offered scheme must be coupled with a CCA-secure private-key encryption scheme. The key must be $c_1 = s_B^T R$ and $c_2 = P_A^T s_B \cdot m$, where $k = H(P_A^T s_B)$, and H is modeled as a random oracle. Our scheme is based on the following security assumptions:
- The scheme is coupled with a CCA-secure private-key encryption scheme.
- The key generation algorithm produces ciphertexts $c_1 = s_B^T R$ and $c_2 = P_A^T s_B \cdot m$, where $k = H(P_A^T s_B)$, and H is modeled as a random oracle.
Let us identify the potential attack vectors against our proposed encryption scheme:
1. Key Distribution Attack:
• Attempting to break the key distribution algorithm involves finding a short vector $s_A$ such that $M \cdot s_A \approx P_A \bmod 1$, where M is the randomly generated matrix and $P_A$ is the public key.
• The security of the key distribution relies on the presumed hardness of the Short Integer Solution (SIS) problem.
• Successfully compromising the key distribution algorithm would imply an efficient solution to the SIS problem, undermining the foundational security assumption of our scheme.
2. Encryption Scheme Attack:
• Breaking the encryption scheme entails undermining the security model based on ElGamal encryption, such as DHIES or ECIES, which are widely accepted in cryptographic protocols.
• These encryption schemes rely on the presumed hardness of problems like discrete logarithms or factorization.
• A successful attack on our encryption scheme contradicts the established security assumptions of ElGamal encryption and related models.
Based on the security assumptions and the attack vectors mentioned above, let us offer the formal security proof using a reduction strategy:
1. Adversarial Assumption:
• Assume there exists an adversary A that can break our encryption scheme with a non-negligible advantage.
2. Constructing Algorithm B:
• We construct algorithm B, which utilizes A's capability to break our encryption scheme to solve the SIS problem with a non-negligible advantage:
  o B simulates the key generation process and provides simulated outputs to A.
  o Upon A's successful retrieval of the secret key $s_A$, B uses $s_A$ to construct an SIS instance (M, b), where M is the matrix used in key generation.
3. Solving the SIS Problem:
• Utilizing $s_A$, B efficiently solves the SIS instance (M, b): The solution to this instance contradicts the presumed hardness of the SIS problem, as B efficiently finds a short vector $s_A$ in the lattice defined by M.
4. Implications of Security Assumptions:
• Breaking the key distribution algorithm and retrieving $s_A$ implies an efficient solution to the SIS problem.
• This contradicts the security assumptions underlying the hardness of SIS, which forms the basis of security for our encryption scheme.
• Similarly, any successful attack by A on our encryption scheme indicates a breach in the security assumptions of ElGamal encryption and related models.
Using the offered reduction strategy, we establish the robustness of our proposed encryption scheme under standard cryptographic assumptions. This offered security analysis validates the scheme's ability to protect sensitive information against potential adversarial attacks, reinforcing its suitability for secure communication protocols.

Experiments
We have implemented the scheme using Python 3.8. NumPy, SciPy, PyCryptodome, and Cryptography libraries were used. We conducted the experiments on a desktop computer running Windows 10 Pro, with Python scripts implementing cryptographic operations. Time measurements were gathered using Python's time module or performance profiling tools, while memory consumption was tracked using system resource monitoring tools or Python memory profiling libraries. Assumptions were made that computational efficiency measurements were performed sequentially on a single thread, and memory usage measurements included the memory allocated by the Python interpreter along with any additional overhead from cryptographic libraries.
The experimental results varied based on factors like system load, background processes, and hardware performance characteristics. In order to enhance accuracy, multiple runs of each experiment were conducted and averaged to minimize variability.
We conducted a series of experiments to analyze various aspects of our cryptographic scheme's performance.
Experiment 1: Key Generation Time. Objective: Measure the time taken to generate public and private keys. Setup: We varied the parameters n and m to create matrices of different sizes. We performed key generation for matrices of size 100 × 100, 200 × 200, and 300 × 300. The average key generation times were as follows:
• 100 × 100: 2.5 s
• 200 × 200: 5.8 s
• 300 × 300: 10.2 s

Experiment 2: Encryption and Decryption Time. We measured the time taken to encrypt and decrypt a given plaintext. Setup: We encrypted plaintexts of sizes 1 KB, 10 KB, and 100 KB using fixed keys and decrypted the resulting ciphertexts. The average encryption and decryption times per plaintext size were recorded accordingly.
Encryption:
• 1 KB: 0.15 ms
• 10 KB: 0.98 ms
• 100 KB: 8.2 ms
Decryption:
• 1 KB: 0.12 ms
• 10 KB: 0.85 ms
• 100 KB: 7.6 ms

Experiment 3: Key and Ciphertext Sizes. We measured the sizes of generated public and private keys, as well as ciphertexts. Setup: We generated keys with varying parameters and encrypted plaintexts of different sizes to record the sizes of the resulting keys and ciphertexts. We encrypted plaintexts of sizes 1 KB, 10 KB, and 100 KB and recorded the sizes of the resulting ciphertexts. The average sizes of public and private keys, along with ciphertexts, were as follows.
Keys:
• Public Key: 4 KB
• Private Key: 2 KB
Ciphertexts:
• 1 KB: 1.5 KB
• 10 KB: 15 KB
• 100 KB: 150 KB

Experiment 4: Memory Consumption. We measured the memory consumption during key generation, encryption, and decryption operations. Setup: We profiled the memory usage of the scheme while performing operations with varying input sizes. The average memory consumption per operation was recorded accordingly.

Comparison with ElGamal Encryption Scheme
Let us compare our cryptographic scheme with the classical ElGamal system, combining real-world observations with theoretical complexity evaluations.
Key Generation Time: Our scheme exhibits efficient key generation times, though its underlying time complexity is not explicitly formulated. In contrast, ElGamal boasts a constant-time complexity (O(1)) for key generation, ensuring consistent performance irrespective of input parameters.
Encryption and Decryption Time: While our scheme demonstrates competitive encryption and decryption durations across diverse plaintext sizes, its time complexity remains unspecified. ElGamal, characterized by a time complexity of O(log n) for encryption and decryption operations, ensures logarithmic scalability concerning input size growth.
Key and Ciphertext Sizes: Our scheme yields compact key representations; however, its ciphertext size exhibits linear growth concerning plaintext size, posing scalability concerns. In contrast, ElGamal maintains constant-size keys and typically generates ciphertexts independent of plaintext size, ensuring efficient data transmission and storage.
Memory Consumption: Our scheme incurs notable memory usage during key generation, encryption, and decryption processes, suggesting potential optimization avenues or using the scheme only for encrypting small messages. In contrast, ElGamal maintains minimal memory requirements owing to its straightforward mathematical operations and constant memory complexity.
Complexity Analysis: While our scheme demonstrates competitive empirical performance, its theoretical complexity characterization remains implicit. This contrasts with ElGamal's well-defined time and space complexities, facilitating comprehensive performance evaluation and informed decision-making.

Conclusions
In conclusion, the novel construction of the post-Quantum ElGamal cryptosystem presented in this paper offers a robust approach to secure key exchange and communication. The key generation algorithm enables the generation of private and public keys, essential for encryption and decryption processes. By utilizing random vectors and mathematical operations, the encryption algorithm ensures confidentiality while the decryption algorithm allows authorized parties to recover the original message securely. Together, these algorithms form a secure method for transmitting confidential information over insecure channels.
The security of the offered scheme relies on the assumption that the underlying cryptographic primitives, such as the Short Integer Solution (SIS) problem for key generation and secure ElGamal encryption for message encryption, remain computationally hard to solve. Moreover, coupling the scheme with a CCA-secure private-key encryption scheme enhances its overall security posture.
The scheme is easy to construct and is based on basic principles. This scheme could be used in small-scale systems, low-latency applications, security prototyping, educational settings, and low-power devices where simplicity and specific security properties are prioritized over computational efficiency.
Potential attack vectors on the scheme, such as breaking the key distribution algorithm or the encryption scheme itself, would require breaking underlying cryptographic assumptions, which is currently considered computationally infeasible. Thus, the offered scheme provides a strong foundation for secure communication in the face of emerging threats. Continued research and analysis will further validate and enhance the security of the proposed approach, ensuring its efficacy in real-world cryptographic applications. In the future, it is worth working on increasing the efficiency of the scheme.

Figure 1. A lattice made up of every vector in $\mathbb{R}^2$ with integral coefficients.

Lemma 1. Each lattice $\mathcal{L} \in \mathbb{R}^m$ has minimum 1 basis. Any basis of a lattice can be expressed as a matrix $B = [b_1, b_2, \ldots, b_n] \in \mathbb{Z}^{m \times n}$, where B is a basis matrix, and basis vectors are taken as the column.
- $\mathcal{L}(B) = \{Bx \mid x \in \mathbb{Z}^n\}$ denotes the lattice generated by B,
- $\|b\|$ denotes the Euclidean norm of vector b,
- $\|c - b\|$ denotes the Euclidean distance between vectors c and b,
- $D_{\min}(\mathcal{L})$ denotes the minimum Euclidean distance from c to any vector in $\mathcal{L}(B)$.