← Back to Topic Graph View All Domains

Questions: Lattice-Based Cryptography

5 questions to test your understanding

Score: 0 / 5
Question 1 Short Answer

Classical cryptography (RSA, DH) relies on average-case hardness assumptions that have no connection to worst-case complexity. Lattice cryptography has worst-case to average-case reductions. Why is this a significant theoretical advantage?

Think about your answer, then reveal below.
Question 2 Multiple Choice

The Shortest Vector Problem (SVP) asks for the shortest nonzero vector in a lattice. The best known algorithms for exact SVP run in time 2^{O(n)}, while the best approximation algorithms achieve factors of 2^{O(n log log n / log n)}. What does this imply for parameter selection in lattice crypto?

ALattice parameters must be larger than RSA parameters for equivalent security
BThe dimension n of the lattice is the primary security parameter. Since the best known attacks are exponential in n (no sub-exponential algorithm like GNFS for factoring), moderate dimensions (n = 512 to 1024) suffice for 128-bit security. This is more efficient than RSA (which needs 3072+ bits) because lattice problems scale better with the security parameter
CLattice crypto requires quantum computers for key generation
DSVP difficulty means lattice schemes are unconditionally secure
Question 3 True / False

The Short Integer Solution (SIS) problem asks: given a random matrix A in Z_q^{n x m}, find a short nonzero vector x such that Ax = 0 mod q. This is the basis for lattice-based hash functions and signatures.

TTrue
FFalse
Question 4 Multiple Choice

All NIST post-quantum standards are based on lattice problems. Why did lattices dominate over code-based, multivariate, and isogeny-based alternatives?

ALattice problems are the only problems believed to be quantum-resistant
BLattices offer the best combination of: theoretical foundations (worst-case hardness), versatility (supporting encryption, signatures, FHE, ZK proofs), efficiency (moderate key sizes, fast operations), and maturity (decades of cryptanalysis). Code-based schemes have large keys, multivariate schemes have large signatures, and isogeny-based schemes were catastrophically broken (SIDH, 2022)
CNIST mandated lattice-based algorithms for regulatory reasons
DLattice problems have been proven hard, unlike alternatives
Question 5 Short Answer

A lattice in R^n is generated by a 'good' basis (short, nearly orthogonal vectors) or a 'bad' basis (long, nearly parallel vectors). Both generate the same lattice. Why is the gap between good and bad bases useful for cryptography?

Think about your answer, then reveal below.