Post-Quantum Cryptography

(Learning with errOrs based encryption with chosen ciphertexT secUrity for poSt quantum era)

What's LOTUS?

LOTUS is a lattice-based cryptosystem developed by NICT. LOTUS consists of LOTUS-PKE for public key encryption and LOTUS-KEM for key encapsulation. LOTUS aims at providing post-quantum security, meaning it may remain secure against large-scale quantum computers. Some highlighted properties of LOTUS are as follows:
  • Its security relies on the standard Learning With Errors (LWE) assumption.
  • It targets IND-CCA2 security, even with 256-bit security level (the highest security level in NIST PQC project).
  • It is based on a long line of research.


  • December 27, 2017. Initial website is up.
  • January 04, 2018. Update the implementation code to clean the message buffer in the case of decryption failure. We thank Tancrède Lepoint for pointing out the issue.
  • October 15, 2018. LOTUS implementation codes are released under the MIT license.


LOTUS Team: lotus-inquiry(at)nict(dot)go(dot)jp

Le Trieu Phong
Takuya Hayashi
Yoshinori Aono
Shiho Moriai

Security Fundamentals Laboratory

Cybersecurity Research Institute

National Institute of Information and Communications Technology (NICT), Japan

Copyright (c) National Institute of Information and Communications Technology. All Rights Reserved.