Today's public-key cryptography rests on two problems: factoring large numbers (RSA) and the discrete logarithm (elliptic-curve and classic Diffie-Hellman systems). Both are hard for ordinary computers. Both are easy for a sufficiently large quantum computer running Shor's algorithm. That's the entire reason post-quantum cryptography exists — and lattices are why we have an answer.
What is a lattice?
Start simple. Take two vectors in a plane and consider every point you can reach by adding integer multiples of them: zero of the first plus three of the second, minus-two of the first plus one of the second, and so on. The set of all those reachable points is a lattice — a regular, infinitely repeating grid. The two vectors you started with are a basis.
Now scale that picture up: instead of two vectors in a plane, use hundreds or a thousand vectors in a space of hundreds or a thousand dimensions. The lattice is still "all integer combinations of the basis vectors," but our visual intuition collapses completely. And that collapse is exactly where the cryptography lives.
The hard problems
Two questions about lattices look trivial in two dimensions and become intractable in high dimensions:
- Shortest Vector Problem (SVP): find the shortest non-zero vector in the lattice — the grid point closest to the origin.
- Closest Vector Problem (CVP): given an arbitrary point in space (not necessarily on the lattice), find the lattice point nearest to it.
Here's the crucial wrinkle: the difficulty depends entirely on which basis you're handed. The same lattice can be described by a "good" basis (short, nearly perpendicular vectors) that makes these problems easy, or a "bad" basis (long, skewed vectors) that makes them hopelessly hard — even though both describe the identical grid of points. Cryptography hides a good basis as the private key and publishes a bad one as the public key.
Shor's algorithm is a specialized tool for problems with hidden periodic structure — factoring and discrete logs fit that mold perfectly. Lattice problems don't expose that kind of structure, and despite decades of effort no quantum algorithm gives more than a modest speedup. That's the bet: not "quantum can't help" as a proven law, but "we have no idea how it would, after years of trying."
Learning With Errors: the workhorse
Most modern lattice schemes don't phrase themselves directly in terms of SVP. They use a problem called Learning With Errors (LWE), introduced by Oded Regev in 2005, which turns out to be equivalent in hardness to worst-case lattice problems.
The idea is disarmingly concrete. Imagine a system of linear equations with a secret vector s:
Solve for s given many equations of the form
(a₁s₁ + a₂s₂ + … + aₙsₙ) ≈ b (mod q) Each equation is correct — except for a small, deliberate error
If those equations were exact, a first-year linear-algebra student could solve them with Gaussian elimination in minutes. The whole trick is the word "approximately." Each equation has a small random error added to it. That noise is just large enough to make elimination explode — errors compound catastrophically as you combine equations — yet small enough that someone holding the secret can still decrypt cleanly. The gap between "decodable with the key" and "noise-locked without it" is the security.
Making it practical: rings and modules
Plain LWE is secure but bulky — keys and ciphertexts are large matrices. To make it usable, researchers added algebraic structure. Ring-LWE represents vectors as polynomials, which lets a single polynomial stand in for a whole matrix and shrinks key sizes dramatically. Module-LWE is the middle ground — a few polynomials arranged in a small matrix — trading a little efficiency for a more conservative security margin. This is the variant most of the standardized schemes chose.
Separately, the NTRU family (dating to 1996) reached similar lattice-based security through a different polynomial construction, and was one of the earliest practical lattice cryptosystems.
The standards that shipped
In 2024 NIST finalized its first post-quantum standards, and lattices dominated the lineup:
| Standard | Purpose | Foundation |
|---|---|---|
| ML-KEM (FIPS 203) from CRYSTALS-Kyber |
Key encapsulation — establishing a shared secret | Module-LWE |
| ML-DSA (FIPS 204) from CRYSTALS-Dilithium |
Digital signatures | Module lattices |
| SLH-DSA (FIPS 205) from SPHINCS+ |
Digital signatures (backup) | Hash-based, not lattice |
The inclusion of hash-based SLH-DSA is deliberate diversification — if a future break is found in lattice assumptions, the world still has a signature scheme resting on completely different math (the same family we cover in hash-based signatures). A lattice-based signature scheme derived from Falcon is also expected to round out the set.
The trade-offs
Lattice cryptography is not free. Its keys and ciphertexts are substantially larger than the elliptic-curve equivalents they replace — kilobytes where ECC used dozens of bytes. That matters for constrained protocols, TLS handshakes, and bandwidth-sensitive systems. The computation itself is fast, often faster than RSA, but the size inflation is real and is why deployments are arriving as hybrid schemes that run a classical and a post-quantum algorithm side by side, secure as long as either one holds.
The reason for hybrids isn't doubt about the quantum threat — it's humility about young assumptions. Lattice hardness has held up well, but it hasn't faced the decades of attack that factoring has. Running both means a surprise in either foundation doesn't sink the connection.
Why this matters now
The threat isn't only future. "Harvest now, decrypt later" is a live strategy: an adversary can record encrypted traffic today and decrypt it once a capable quantum computer exists. Anything that must stay confidential for a decade or more — medical records, state secrets, source code, long-lived identities — is already exposed if it's protected only by classical cryptography. That's why the migration started before the quantum computers did.
Lattices won this round not because they're elegant — high-dimensional geometry rarely is — but because they offer something rare: efficient cryptography whose security reduces to a problem that has resisted both classical and quantum attack for decades. The internet's next layer of trust is being built on the simple, stubborn difficulty of finding your way around a grid you can't see.