The Learning With Errors problem
Classical public-key cryptography — RSA, ECDH, ECDSA — derives its security from problems that quantum computers can solve efficiently. Shor's algorithm factors large integers and computes discrete logarithms in polynomial time. A sufficiently large cryptographically-relevant quantum computer breaks RSA and ECC completely.
Lattice cryptography is built on a different mathematical foundation. The Learning With Errors (LWE) problem, introduced by Oded Regev in 2005, is believed to be hard for both classical and quantum computers. The reduction is clean: solving LWE is provably as hard as solving worst-case lattice problems in n-dimensional space — problems for which no polynomial-time algorithm is known, classically or quantumly.
LWE is defined as follows. Given a matrix A drawn uniformly at random over Z_q, a secret vector s, and an error vector e whose entries are small and drawn from a discrete Gaussian distribution, the attacker is given (A, b = As + e) and must recover s. Without e, recovering s is ordinary linear algebra over Z_q; the error term is what makes the problem computationally intractable at practical parameter sizes, including for quantum algorithms. Grover's algorithm provides only a quadratic speedup on unstructured search and does not meaningfully affect lattice hardness.
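The following toy instance is an added illustration, not code from the original page or from CQ1: it builds (A, b = As + e) at small, insecure parameters and shows that Gaussian elimination over Z_q recovers s when e = 0 but fails once the error term is present. The bounded-uniform noise is a stand-in for the discrete Gaussian, and q = 97 is chosen only so the arithmetic stays readable.

```python
import random


def gen_lwe_instance(n, m, q, noise_bound, seed, noisy=True):
    """Toy LWE instance: A is m x n uniform over Z_q, s is a secret in Z_q^n,
    e has small entries (bounded uniform stands in for a discrete Gaussian).
    Returns (A, b, s, e) with b = A s + e mod q."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-noise_bound, noise_bound) if noisy else 0 for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % q for row, err in zip(A, e)]
    return A, b, s, e


def solve_linear_mod_q(A, b, q):
    """Gauss-Jordan elimination over Z_q (q prime). Returns the unique solution
    of A s = b, or None when the system is underdetermined or inconsistent."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]  # augmented matrix [A | b]
    for col in range(n):
        # pick a pivot row for this column among the rows not yet used
        piv = next((r for r in range(col, m) if M[r][col] % q), None)
        if piv is None:
            return None  # rank deficient: no unique solution
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)  # modular inverse, needs Python 3.8+
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(m):
            if r != col and M[r][col] % q:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    # any leftover row must have reduced to 0 = 0, otherwise b is not in span(A)
    if any(M[r][n] % q for r in range(n, m)):
        return None
    return [M[i][n] for i in range(n)]


def demo(seed=1):
    """Same A and s, once without and once with the error term e."""
    n, m, q = 8, 12, 97
    A, b, s, _ = gen_lwe_instance(n, m, q, 3, seed, noisy=False)
    exact_ok = solve_linear_mod_q(A, b, q) == s   # plain linear algebra works
    A, b, s, _ = gen_lwe_instance(n, m, q, 3, seed)
    noisy_ok = solve_linear_mod_q(A, b, q) == s   # overdetermined noisy system fails
    return exact_ok, noisy_ok
```

With m > n the noisy system is almost surely inconsistent, which is the point: an attacker who ignores e gets nothing, and at real parameter sizes no known algorithm does better.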
The harvest now, decrypt later threat
Adversaries with long-horizon objectives are recording TLS-encrypted financial traffic today. When a cryptographically-relevant quantum computer becomes available — estimated 2030–2035 by NSA and NIST timelines — the recorded ciphertext becomes readable. Transaction records, customer data, and inter-bank communications captured today are at risk. Post-quantum key exchange must be in production before that window closes, not after.
CRYSTALS-Kyber-1024 (NIST FIPS 203 / ML-KEM)
Kyber is a key encapsulation mechanism (KEM) built on Module-LWE (MLWE) — a structured version of LWE that uses polynomial rings over Z_q, giving it a significant efficiency advantage over plain LWE at equivalent security levels. Kyber was selected as the only KEM in NIST's post-quantum standardization process, finalized as FIPS 203 (ML-KEM) in August 2024.
CQ1 implements Kyber-1024, the highest parameter set, targeting NIST Security Level 5 — equivalent classical bit-security of 256 bits. This is appropriate for financial key exchange where long-term confidentiality is required. Key sizes are larger than ECC equivalents: a Kyber-1024 public key is 1,568 bytes; a classical ECDH P-256 key is 65 bytes. The tradeoff is explicitly designed in — quantum resistance requires larger algebraic structures. CQ1's FPGA pipeline handles the NTT (Number Theoretic Transform) operations at hardware speed, absorbing the key-size overhead without throughput penalty.
CRYSTALS-Dilithium-3 (NIST FIPS 204 / ML-DSA)
Dilithium is a digital signature scheme based on Module-LWE and Module-SIS (Short Integer Solution). It was standardized as FIPS 204 (ML-DSA) simultaneously with Kyber. Dilithium-3 targets NIST Security Level 3 — approximately 192-bit classical equivalent. CQ1 executes both the signing and verification operations in FPGA fabric.
For financial institutions, Dilithium-3 replaces ECDSA in certificate signing, transaction attestation, and inter-bank message authentication. A Dilithium-3 signature is 3,293 bytes — larger than an ECDSA P-256 signature (64 bytes), but CQ1 sustains >12,000 signing ops/sec at <1.2ms P99 latency, making the size increase operationally transparent at current transaction volumes.
Why hardware execution matters for PQC
Post-quantum algorithms have a larger attack surface in software than classical algorithms. The NTT operations central to both Kyber and Dilithium are vulnerable to cache-timing attacks and power-analysis attacks when running on shared-memory CPUs. NIST's Known Answer Tests check functional correctness, not leakage: a software implementation that passes them can still be broken by side-channel observation in data center environments.
CQ1's FPGA execution is physically isolated. The NTT runs on dedicated fabric with no shared memory bus, deterministic execution time, and active power-line filtering. This is not an incremental improvement — it is a different security model. The same cryptographic boundary that meets FIPS 140-3 Level 3 physical requirements is the boundary inside which PQC key operations execute.