Skip to main content

The MLWE Equation

The Official Problem Statement

The Simple Story

Here's the formal problem statement (in plain terms!):

Given:

  • A multiplication table (matrix A\mathbf{A})
  • A result vector (t\mathbf{t})

Find:

  • A secret vector (s\mathbf{s})
  • An error vector (e\mathbf{e})

Such that: As+e=t\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{t}

Where:

  • s=Bob’s secret (what we’re hiding)\mathbf{s} = \text{Bob's secret (what we're hiding)}
  • e=Random fog (confuses Eve)\mathbf{e} = \text{Random fog (confuses Eve)}
  • t=Fogged result (what Eve sees)\mathbf{t} = \text{Fogged result (what Eve sees)}

Problem: Two unknowns (s\mathbf{s} and e\mathbf{e}), one equation! Too many solutions!

Secret: Choose just one pair (s\mathbf{s}, e\mathbf{e}) that produces t\mathbf{t}. That's the MLWE problem.

Mental Model

Hold this picture in your head:

The MLWE Problem:

Given:
  ┌───┬───┬───┐
  │ A │ B │ C │ ← Matrix 𝐀
  ├───┼───┼───┤
  │ D │ E │ F │
  ├───┼───┼───┤
  │ G │ H │ I │
  └───┴───┴───┘

And vector:
  ┌───┐
  │ J │ ← Vector 𝐭
  └───┘

Find:
  ┌───┐
  │ s │ ← Vector 𝐬 (secret)
  ├───┤
  │ e │ ← Vector 𝐞 (error)
  └───┘ 

Such that:
  𝐀·𝐬 + 𝐞 = 𝐭

In other words:

What secret s\mathbf{s} and error e\mathbf{e} multiply with A\mathbf{A} to produce t\mathbf{t}?

This is exactly "Finding the Closest Point on a Lattice"! (SVP - Shortest Vector Problem)

See It Happen

Let's see what Eve and Bob do:

Try It Yourself

Question 1: Given A=[3,5]\mathbf{A} = [3, 5], t=[10]\mathbf{t} = [10], find all (s\mathbf{s}, e\mathbf{e}) pairs such that As+e=t\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{t}

Show Answer

Equation: 3s+e=103s + e = 10

Try different values:

sse=103se = 10 - 3sReasonable?
010✗ Too large
17✗ Too large
24✗ Too large
31Reasonable!
4-2Reasonable!

But we don't know what "reasonable" means! Could be (ss, ee) = (5, -5), (6, -8), etc.

Many possibilities!

Question 2: If error must be between -2 and +2, which values of ss work with A=[3]\mathbf{A} = [3], t=[10]\mathbf{t} = [10]?

Show Answer

Equation: 3s+e=103s + e = 10

Error e[2,1,0,1,2]e \in [-2, -1, 0, 1, 2]

Try each:

  • e=2e = -2: 3s=12s=43s = 12 \rightarrow s = 4
  • e=1e = -1: 3s=11s=3.673s = 11 \rightarrow s = 3.67 ✗ (not integer)
  • e=0e = 0: 3s=10s=3.333s = 10 \rightarrow s = 3.33 ✗ (not integer)
  • e=+1e = +1: 3s=9s=33s = 9 \rightarrow s = 3
  • e=+2e = +2: 3s=8s=2.673s = 8 \rightarrow s = 2.67 ✗ (not integer)

Valid solutions: (s=4s=4, e=2e=-2) or (s=3s=3, e=+1e=+1)

Which one is the "true" secret? We don't know!

Question 3: Why does this become much harder with multiple equations? (ML-KEM has k=3k=3 equations)

Show Answer

With 3 equations:

[A11A12A13A21A22A23A31A32A33][s0s1s2]+[e0e1e2]=[t0t1t2]\begin{bmatrix} A_{11} & A_{12} & A_{13} \\ A_{21} & A_{22} & A_{23} \\ A_{31} & A_{32} & A_{33} \end{bmatrix} \begin{bmatrix} s_0 \\ s_1 \\ s_2 \end{bmatrix} + \begin{bmatrix} e_0 \\ e_1 \\ e_2 \end{bmatrix} = \begin{bmatrix} t_0 \\ t_1 \\ t_2 \end{bmatrix}

Now we must find:

  • s=(s0,s1,s2)\mathbf{s} = (s_0, s_1, s_2) - 3 unknowns
  • e=(e0,e1,e2)\mathbf{e} = (e_0, e_1, e_2) - 3 unknowns

Total: 6 unknowns! But we still only know A\mathbf{A} and t\mathbf{t}!

Each unknown can take ~5 possible values (error -2 to +2)

Total possibilities: ~5^6 = 15,625

Much harder! (In real ML-KEM: 5^256 ≈ 10^178)

The Math

MLWE Problem Statement

Module-Learning With Errors (MLWE): Given ARqk×k\mathbf{A} \in R_q^{k \times k} and tRqk\mathbf{t} \in R_q^k, find s,eRqk\mathbf{s}, \mathbf{e} \in R_q^k such that:

As+e=t\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{t}

Where:

  • Rq=Zq[x]/(x256+1)R_q = \mathbb{Z}_q[x]/(x^{256} + 1) (polynomial ring, coefficients 0 to 3328)
  • k=3k = 3 for ML-KEM768 (matrix size)
  • sχη1k\mathbf{s} \leftarrow \chi_{\eta_1}^k (secret from small error distribution)
  • eχη2k\mathbf{e} \leftarrow \chi_{\eta_2}^k (error from small error distribution)

In words:

Find a polynomial vector s\mathbf{s} that, when multiplied by matrix A\mathbf{A}, and added to a small error polynomial vector e\mathbf{e}, produces result t\mathbf{t}

Security Reduction

The beauty of MLWE is its security reduction to SVP:

Theorem: If you can solve MLWE efficiently → You can solve SVP → Break lattice problems

Since SVP has no known efficient algorithm (40+ years of research), MLWE is believed hard!

Quantum resistance: No known quantum algorithm better than Grover's speedup (square root)

MLWE Parameters (ML-KEM768)

ParameterSymbolValueMeaning
Polynomial degreenn256Each polynomial: 256 coefficients
Coefficient modulusqq3329Coefficients: 0 to 3328
Matrix sizekk3Matrix: 3×3 = 9 polynomials
Error param 1η1\eta_12Key generation error (-2 to +2)
Error param 2η2\eta_22Encapsulation error (-2 to +2)

Result:

  • Each entry = polynomial with 256 coefficients
  • Matrix A\mathbf{A} = 9 polynomials = 2,304 coefficients total
  • Each coefficient values: 0, 1, 2, ..., 3328

Total possibilities:

  • Each coefficient: 3,329 values
  • Matrix: 3,329^2,304 ≈ 10^10,000 astronomically large!
  • Even with error distribution: Still huge search space!

Why We Care

MLWE in ML-KEM Key Generation

Bob's key generation algorithm:

t=As+e(modq)\mathbf{t} = \mathbf{A}\mathbf{s} + \mathbf{e} \pmod{q}

Alice receives: (A,t)(\mathbf{A}, \mathbf{t}) (public key)

Alice's encapsulation:

  • Uses A\mathbf{A} and t\mathbf{t}
  • Derives shared secret
  • Sends ciphertext (c1,c2)(\mathbf{c}_1, \mathbf{c}_2)

Bob's decapsulation:

  • Has s\mathbf{s} (private key)
  • Can recover e\mathbf{e} from t\mathbf{t}
  • Derives same shared secret!

Eve's problem: Find s\mathbf{s} given (A,t)(\mathbf{A}, \mathbf{t}) → Equivalent to MLWE → Hard!

MLWE vs LWE

LWE (Learning With Errors): As+e=b\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{b}

With:

  • AZqm×n\mathbf{A} \in \mathbb{Z}_q^{m \times n} (regular matrix)
  • sZqn\mathbf{s} \in \mathbb{Z}_q^n (vector of integers)
  • eZqm\mathbf{e} \in \mathbb{Z}_q^m (error vector)

MLWE (Module-LWE): As+e=t\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{t}

With:

  • ARqk×k\mathbf{A} \in R_q^{k \times k} (matrix of polynomials)
  • sRqk\mathbf{s} \in R_q^k (vector of polynomials)
  • eRqk\mathbf{e} \in R_q^k (error of polynomials)

Why MLWE: Faster operations, smaller keys, NTT enabled!

Quick Check

Can you state the MLWE problem?

Try saying this out loud:

"MLWE is: Given matrix 𝐀 and result 𝐭, find secret vector 𝐬 and error vector 𝐞 such that 𝐀·𝐬 + 𝐞 = 𝐭. The problem is there are too many (𝐬, 𝐞) pairs possible, making it hard to find the true secret!"

Can you work with polynomial MLWE?

Try this simplified examples:

Given:

  • Matrix A=[[x+1],[x1]]\mathbf{A} = [[x+1], [x-1]]
  • Matrix t=[x2+x]\mathbf{t} = [x² + x]

Goal: Find s\mathbf{s} and e\mathbf{e} such that As+e=t\mathbf{A} \cdot \mathbf{s} + \mathbf{e} = \mathbf{t}

Let s=[x]\mathbf{s} = [x] (single entry) Then As=[(x+1)x,(x1)x]=[x2+x,x2x]\mathbf{A} \cdot \mathbf{s} = [(x+1)x, (x-1)x] = [x² + x, x² - x]

We want this plus e\mathbf{e} to equal [x2+x,x2+x][x² + x, x² + x]

So e\mathbf{e} must satisfy: [x2+x,x2x]+e=[x2+x,x2+x][x² + x, x² - x] + \mathbf{e} = [x² + x, x² + x]

Thus: e=[0,(x2+x)(x2x)]=[0,2x]\mathbf{e} = [0, (x² + x) - (x² - x)] = [0, 2x]

One solution: s=[x]\mathbf{s} = [x], e=[0,2x]\mathbf{e} = [0, 2x]

But there are many more!

Key Takeaways

MLWE equation = As+e=t\mathbf{A}\mathbf{s} + \mathbf{e} = \mathbf{t} (two unknowns!) Given to attacker = A\mathbf{A} and t\mathbf{t} (public key) Eve's problem = Find s\mathbf{s} and e\mathbf{e} → Too many possibilities Bob's advantage = Has s\mathbf{s} (secret) → Can recover Security reduction = MLWE solves SVP → SVP is hard → MLWE is hard MLWE for ML-KEM = t=As+e\mathbf{t} = \mathbf{A}\mathbf{s} + \mathbf{e} in polynomial ring R3329R_{3329} Parameters = n=256n=256, q=3329q=3329, k=3k=3, η=2\eta=2 (256-bit security)