Security Analysis

An honest, detailed evaluation of the hybrid ECDH + LWE scheme's security properties, assumptions, limitations, and comparison with alternatives.

Estimated Security Parameters

Classical Security

Gauge (0 to 256 bits): ~128 bits (ECDH P-256)

Against classical computers running the best known attacks (Pohlig-Hellman, Pollard's rho for ECDLP; lattice reduction for LWE).

Post-Quantum Security

Gauge (0 to 256 bits): ~128 bits (LWE-Kyber)

Against quantum computers running the best known quantum algorithms (Grover + BKZ). ECDH is broken by Shor's; LWE resists all known quantum attacks.

Hybrid Security

Gauge (0 to 256 bits): max(ECDH, LWE)

At least as secure as the stronger of the two components. Any attacker, classical or quantum, must break both ECDH and LWE to recover the hybrid key.

Security Assumptions

Assumption: Given curve $E$ over $\mathbb{F}_p$, generator $G$, and point $Q = kG$, computing $k$ is hard.

$$\text{ECDLP: Given } (E, G, Q = kG), \text{ find } k$$

$$\text{Best classical: } O(\sqrt{p}) \text{ (Pollard's rho)} \approx 2^{128} \text{ for P-256}$$

$$\text{Quantum (Shor's): } O((\log p)^3) \text{ — polynomial! Breaks P-256}$$

⚠️ Quantum Vulnerability

Shor's algorithm (1994) can solve ECDLP in polynomial time on a quantum computer. A 4096-qubit fault-tolerant quantum computer could break P-256 in hours. Timeline estimates: 2030-2040 for cryptographically relevant quantum computers.

Assumption: Given $(\mathbf{A}, \mathbf{b} = \mathbf{As} + \mathbf{e})$, finding $\mathbf{s}$ is computationally hard.

$$\text{LWE}_{n,q,\chi}: \text{Given } (\mathbf{A}, \mathbf{As+e}), \text{ find } \mathbf{s}$$

$$\text{Best classical: } 2^{O(\sqrt{n \log(q/\sigma)^2})} \text{ (BKZ lattice reduction)}$$

$$\text{Best quantum: Similar — no polynomial quantum algorithm known}$$

Hardness reduction: Regev showed LWE is at least as hard as worst-case SIVP (Shortest Independent Vector Problem) — a notoriously hard lattice problem. If you could solve LWE, you'd solve SIVP for all lattices.

✓ Quantum Resistance

No polynomial-time quantum algorithm for LWE is known. Grover's search gives only a quadratic speedup (halves the bit-security), which is compensated by choosing slightly larger parameters.

Assuming the LWE and ECDH key exchanges succeed in establishing a shared key, AES-256-GCM provides:

  • Confidentiality: AES-256 is secure against all known classical and quantum attacks (Grover halves key strength to 128 bits — still secure).
  • Authenticity: GCM provides a 128-bit authentication tag that detects any tampering.
  • Integrity: Decryption fails (throws OperationError) if the ciphertext or tag is modified.

$$\text{AES-256 quantum security: } 2^{128} \text{ (Grover's gives } 2^{128} \text{, not } 2^{256} \text{)}$$

Algorithm Comparison

Property                 ECDH (P-256)      Plain LWE             Kyber-512        Hybrid (Ours)
Classical security       128 bits          128+ bits             ~100 bits        128+ bits
Quantum security         Broken (Shor)     128+ bits             ~100 bits        128+ bits
Deployment history       20+ years         Theoretical           NIST 2024        Both combined
Key generation speed     Very fast         Moderate              Fast (NTT)       Both combined
Public key size          64 bytes          Large (n²)            800 bytes        Both combined
Quantum attack exists?   Yes (Shor)        No known              No known         Must break both
NIST standardized        Yes (P-256)       No                    Yes (ML-KEM)     Both components
Used in this demo        ✓ Real (P-256)    ✓ Simplified (n=4)    Structure only   ✓ Full hybrid

What If One Algorithm Is Broken?

Scenario 1: Quantum Computer Breaks ECDH

⚛️

A large-scale fault-tolerant quantum computer runs Shor's algorithm and recovers Alice's ECDH private key from her public key.

The attacker now knows $K_{ECDH}$. But to decrypt the file, they need:

$K_{hybrid} = \text{SHA-256}(\underbrace{K_{ECDH}}_{\text{known}} \| \underbrace{K_{LWE}}_{\text{still secret!}})$
✓

Data remains safe. LWE is still secure. The hybrid key is computationally indistinguishable from random without both components.

Scenario 2: New Attack on LWE

🔬

A breakthrough algorithm (classical or quantum) efficiently solves LWE, recovering the LWE secret from the public key.

The attacker now knows $K_{LWE}$. But to decrypt the file, they need:

$K_{hybrid} = \text{SHA-256}(\underbrace{K_{ECDH}}_{\text{still secret!}} \| \underbrace{K_{LWE}}_{\text{known}})$
✓

Data remains safe. ECDH is still secure classically. The SHA-256 hash prevents recovery of the hybrid key from only one of its two inputs.

Demo Limitations

🔮 Simplified LWE Parameters

n=4, q=97 provides zero real security. A 4×4 linear system with noisy data can be solved by brute force in milliseconds. This is for demonstration only. Real Kyber uses n=256, q=3329.

Demo only — not for production

🔑 No Key Storage / Transport

The hybrid key exists only in the browser's memory during this session. In a real system, you'd need a secure out-of-band channel to transmit the key, or a Public Key Infrastructure (PKI) to handle key agreements.

🌐 No Network Transfer

The "file transfer" in this demo is: encrypt → download → re-upload → decrypt. A real system would need secure networking (TLS with PQ extensions), certificate validation, and authentication.

📱 Browser Security Boundary

All crypto runs in the browser's JS runtime. A real system would use hardware security modules (HSMs) or secure enclaves for key storage. Browser-based crypto is fine for demos but has side-channel risks.