soft3/mudra/lattice-KEM.md

crypto/lattice-KEM

key encapsulation mechanism based on the hardness of Module-LWE (Learning With Errors) over structured lattices. the sender encapsulates a shared secret under the receiver's public key; the receiver decapsulates with the secret key. interactive — the receiver must publish a public key first.

ML-KEM (FIPS 203)

NIST standardized CRYSTALS-Kyber as ML-KEM in 2024. three parameter sets:

parameter set classical security public key ciphertext shared secret
ML-KEM-512 128 bit 800 bytes 768 bytes 32 bytes
ML-KEM-768 192 bit 1184 bytes 1088 bytes 32 bytes
ML-KEM-1024 256 bit 1568 bytes 1568 bytes 32 bytes

post-quantum secure: no known quantum algorithm solves Module-LWE efficiently.

Module-RLWE variant over Goldilocks

in cyber, the lattice KEM operates over Module-RLWE (Ring Learning With Errors) with Goldilocks field arithmetic (p = 2^64 - 2^32 + 1). the same field used by Hemera, nox, and stark verification — native arithmetic, no field conversion.

LATTICE KEM PROTOCOL
════════════════════

Setup:
  Ring R = Z_p[x] / (x^64 + 1)        cyclotomic polynomial, degree 64
  Module dimension: 4×4 over R
  Field: p = 2^64 - 2^32 + 1           Goldilocks

keygen():
  secret s ← small_distribution(R^4)
  public A ← uniform(R^{4×4})
  public b = A·s + e                    e ← error_distribution
  return (sk=s, pk=(A, b))

enc(pk, message):
  r ← small_distribution(R^4)
  ciphertext_1 = A^T · r + e'
  ciphertext_2 = b^T · r + e'' + encode(message)
  return (c1, c2)

dec(sk, c1, c2):
  message = decode(c2 - s^T · c1)
  return message

the security assumption: given A and b = A·s + e, recovering s is computationally hard. the error term e masks the secret — without it, the system would be solvable by linear algebra.

comparison with dCTIDH

property lattice KEM dCTIDH
interaction interactive (receiver publishes key first) non-interactive (NIKE)
quantum security post-quantum (Module-LWE) conjectured post-quantum (isogeny class group)
public key size 800-1568 bytes 64-256 bytes
performance fast ~5x slower
standardization NIST FIPS 203 (2024) research

lattice KEM handles the interactive case (neptune approach). dCTIDH covers non-interactive scenarios like stealth addresses and anonymous channels where no prior communication is possible.

applications in cyber

see crypto/key-exchange, crypto/encryption, crypto/quantum, cryptography

Graph