Lab

Learning With Errors (LWE)

Interactive demo of the Learning With Errors problem: why a small error turns an easy linear system into the hard problem behind ML-KEM and part of the module-lattice signature story.

Educational demo - don't copy/paste into production

All cryptography runs locally in your browser. Keys and plaintext never leave your device, but this is still a simplified demo.

JavaScript Required

The LWE Explorer requires JavaScript to run in your browser. Please enable JavaScript to use this tool.

What this is

ML-KEM is built on Module-LWE, and ML-DSA uses related module-lattice assumptions, including an LWE-shaped noisy-linear-equation problem. You are given many noisy linear equations b = A·s + e (mod q) and asked to recover the secret s. Without the error e this is high-school algebra. The small error is the entire difficulty.

The two views

Solve: elimination amplifies the error into noise.
Search: the secret is a needle in a qⁿ haystack.
Both stay easy here only because n and q are tiny.

Dimension

Modulus

Mode

Noise width: +/- 1

Reveal secret & error

The public samples

Each row is one equation. Cells are colored by magnitude in balanced form (calm = small, red = large). With reveal on you can see b = ⟨a,s⟩ + e.

No error: elimination recovers the secret instantly. Now raise the noise slider.

Why the error changes everything

Without noise: trivial

Set the noise to zero. Pick n equations, invert the matrix mod q, and read off the secret. Gaussian elimination solves it in a blink. Public-key crypto cannot live here, because anyone can do the same.

With noise: elimination self-destructs

Add a tiny error and solve again. Elimination multiplies rows by constants mod q, and those multipliers turn an error of ±1 into a value spread across all of Z_q. The recovered secret is garbage. The structure that made it easy is exactly what the noise destroys.

Search is the honest route

The only reliable way back is to look for the secret whose equations all have small residuals. In the heatmap the true secret is the one low-residual spot in a field of noise. Here you can scan all qⁿ candidates. At n = 768 over q = 3329 (real ML-KEM), that space is astronomically large.

It is a lattice problem

The rows of A define a lattice, and b sits close to the lattice point given by the secret. Recovering s is Bounded Distance Decoding: the Closest Vector Problem you can drag in the Lattices tab, lifted into high dimension over a finite field.

From this demo to module-lattice PQC

Module-LWE

ML-KEM does not use plain LWE. It uses Module-LWE, where the entries are small polynomials instead of single numbers. It is the same shape, b = A·s + e, with extra structure that shrinks key sizes and speeds up the math, while keeping the hardness.

Real parameters

ML-KEM uses q = 3329 with rank up to 4 over degree-256 polynomials, so the effective dimension is in the high hundreds. The error is a small centered binomial. Those choices put the closest-vector search far out of reach of both classical and quantum computers.

Why quantum does not help

Shor breaks RSA because factoring hides a periodic structure. LWE has no such structure for a quantum Fourier transform to expose. The best quantum attacks only speed up the search modestly, which is why module-lattice assumptions anchor the post-quantum standards.

Try it next door

Once the geometry clicks, the ML-KEM tab runs the standardized Module-LWE KEM. The ML-DSA tab shows the related module-lattice signature construction.

Challenge 1: Break it, then watch it heal

Do this: In Solve mode, drag the noise slider to 0. The recovered secret matches the true secret exactly.

Now: Nudge the noise to +/- 1. The same secret and matrix, but the recovered answer is suddenly wrong. Look at how big the error became after elimination.

Challenge 2: Find the needle

Do this: Switch to Search mode with n = 2. One cell glows green: the secret. Click it to confirm every residual is small.

Now: Click a nearby dark cell. Its residuals jump to random size. That sharp contrast is what hides the secret, and it only sharpens as the dimension grows.

Challenge 3: Feel the blow-up

Do this: In Search mode, switch n from 2 to 3 and read the search-space size in the readout. Going from q² to q³ multiplies it by q.

Real ML-KEM lives at effective dimension in the hundreds. Each extra dimension multiplies the haystack again.

Security model

Everything runs in your browser with no network calls. All arithmetic (modular inverse, Gaussian elimination, residual search) is plain JavaScript over a small prime. These are teaching parameters and are not secure; the standardized schemes use module-lattice problems in high dimension.