Lattice-based cryptography

Lattice-based cryptography builds encryption, key exchange, and digital signatures on the presumed hardness of computational problems over lattices, high-dimensional grids of points. It is the dominant family in post-quantum cryptography: the NIST standards ML-KEM, ML-DSA, and the forthcoming FN-DSA / Falcon are all lattice schemes, chosen for their combination of speed, compact keys, and decades of cryptanalytic scrutiny.

Lattices and hard problems

A lattice is the set of all integer combinations of a basis of vectors in n-dimensional space. The core computational problems ask for short or close lattice vectors: the Shortest Vector Problem (SVP) and Closest Vector Problem (CVP). For the high dimensions used in cryptography (several hundred), the best known algorithms, classical or quantum, run in time exponential in the dimension; lattice reduction algorithms such as LLL and BKZ only find approximations. A landmark result by Ajtai connects average-case instances, the kind cryptography generates randomly, to worst-case lattice problems, giving the field an unusually strong theoretical foundation (Peikert 2015).

From LWE to deployed schemes

Modern constructions rest on the Learning With Errors problem (LWE), introduced by Oded Regev in 2005: given random linear equations perturbed by small noise, recover the secret. Solving LWE is provably as hard as approximating worst-case lattice problems (Peikert 2015). Plain LWE is inefficient, so deployed schemes use structured variants: Ring-LWE over polynomial rings, and Module-LWE, a middle ground that stacks small ring blocks and allows one optimized arithmetic core to serve all security levels. A separate lineage, the NTRU cryptosystem published in 1998, predates LWE and provides the lattice structure behind Falcon.

The three NIST algorithms map onto this foundation:

  • ML-KEM (from CRYSTALS-Kyber) is a Module-LWE key encapsulation mechanism standardized as FIPS 203, the default quantum-resistant key exchange mechanism.
  • ML-DSA (from CRYSTALS-Dilithium) is a Module-LWE and Module-SIS signature standardized as FIPS 204, the primary digital signature scheme recommendation.
  • FN-DSA (from Falcon) is a hash-and-sign scheme over NTRU lattices with notably small signatures; its standard (planned FIPS 206) remains in draft as of early 2026, partly because its floating-point Gaussian sampler is hard to implement safely.

Why lattices won the NIST competition

Lattice schemes swept the NIST selections because they sit at the practical sweet spot: no other family matched their combination of small-enough sizes and high speed.

Scheme Public key Ciphertext or signature Classical comparison
ML-KEM-768 1184 bytes 1088 bytes (ciphertext) X25519: 32 bytes each
ML-DSA-65 1952 bytes 3309 bytes (signature) Ed25519: 32 and 64 bytes
FN-DSA-512 897 bytes about 666 bytes (signature) RSA-2048: 256 byte signature

Kilobyte-scale objects fit existing protocols, unlike the hundred-kilobyte keys of code-based cryptography or the large signatures of hash-based signatures. Performance is excellent: polynomial arithmetic accelerated by the number-theoretic transform makes ML-KEM faster than the RSA operations it replaces (Kyber). ML-KEM and ML-DSA also avoid floating point and run naturally in constant time. Finally, lattices are versatile; the same foundations support fully homomorphic encryption and other advanced constructions, sustaining a large research community that continuously probes the assumptions.

Security assumptions and open questions

Lattice security is conjectural, as with all practical cryptography. Concrete parameters are set by estimating the cost of the best lattice reduction attacks (the core-SVP methodology), and those estimates have drifted modestly as algorithms improved, which is why standards carry security margins. Open questions receive sustained attention:

  • Structure. Module and ring variants add algebraic symmetry that plain LWE lacks. No attack exploiting that structure beyond generic ones is known, but the assumption is strictly stronger and less studied.
  • Quantum cryptanalysis. No quantum algorithm meaningfully outperforms classical ones on general lattice problems; there is no analog of Shor's algorithm for LWE. A 2024 preprint claimed a quantum polynomial-time algorithm for related lattice problems; a flaw was found within days and the claim was withdrawn (Chen 2024), an episode that demonstrated both the risk and the field's scrutiny.
  • Monoculture. With ML-KEM, ML-DSA, and FN-DSA all lattice-based, a single major advance would hit the entire primary standard set. NIST selected the code-based HQC and hash-based SLH-DSA as deliberate hedges, and hybrid cryptography with elliptic curves covers the transition.
  • Implementation. Side-channel resistance, masking cost, and safe handling of decryption failures remain active engineering topics, especially for FN-DSA's sampler.

None of these questions has produced an attack that threatens standardized parameters as of early 2026.

Sources

  1. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  2. FIPS 204, Module-Lattice-Based Digital Signature Standard (NIST, 2024)
  3. A Decade of Lattice Cryptography (IACR ePrint, 2015)
  4. CRYSTALS-Kyber (official site) (CRYSTALS team, 2021)
  5. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU (Falcon team, 2020)
  6. Quantum Algorithms for Lattice Problems (withdrawn claim) (IACR ePrint, 2024)
Cite this entry
"Lattice-based cryptography." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/lattice-based-cryptography@misc{pqwiki-lattice-based-cryptography, title = {Lattice-based cryptography}, howpublished = {\url{https://postquantum.wiki/lattice-based-cryptography}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }