Selected Areas in Cryptology - Spring 2022

Part I

Announcements Exam Literature Topics Course notes Old exams

This first part is taught by
Tanja Lange
Coding Theory and Cryptology
Eindhoven Institute for the Protection of Information
Department of Mathematics and Computer Science
Technische Universiteit Eindhoven
P.O. Box 513
5600 MB Eindhoven

The easiest ways to reach Tanja is by e-mail: The MasterMath semester starts on February 7, 2022 and the lectures for this course are on Thursdays in the mornings, hence the first session is on February 10.
The second part will be taught by Bart Mennink.

We will cover only the very basics of quantum algorithms. I recommend you take Ronald de Wolf's Quantum Computing course (also MasterMath) for much more information. Videos are already posted for that course.

Details are filled in as time permits. The official home page is here.
The official time slot is Thursday 10:15 - 13:00. Because of the pandemic situation I will run this first part online, using the inverted classroom method. Hence, for the first part the lectures are replaced by pre-recorded videos, see below, slides and recommendations for further reading. All material is already provided and we will go through it in the order in which it is listed. For each week I will specify which videos I expect you to have watched. We will have an interactive part, also online, in the form of instruction/discussion sessions where I provide exercises for you to solve live and to test your understanding from the video and material. This interactive session runs 11:00 - 12:00, with an option for extension by up to 60 min if there are more questions.

The goal of this course is to provide insight into cryptography secure against quantum computers (post-quantum cryptography) as well as various methods for the mathematical cryptanalysis of cryptographic systems

Cryptology deals with mathematical techniques for design and analysis of algorithms and protocols for digital security in the presence of malicious adversaries. For example, encryption and digital signatures are used to construct private and authentic communication channels, which are instrumental to secure Internet transactions.
This course in cryptology consists of two main topics:
This first part focuses on post-quantum cryptography dealing with cryptographic systems that are secure even given the existence of quantum computers and the second part focuses on cryptanalysis, the analysis of the security of cryptographic systems.
After a general introduction to cryptography (the constructive side of cryptology) and cryptanalysis the course introduces the main contenders for secure systems: lattice-based encryption, code-based encryption, hash-based signatures, and multivariate-quadratic-based signatures. These systems are examples of public-key systems and this is the main area affected by quantum computers; symmetric-key systems, such as hash functions and block and stream ciphers) are used as building blocks inside them and for the transmission of data in bulk.
The second part of the course will center around those symmetric-key cryptosystems. The course covers a description of the basic security properties and designs of such systems (such as authenticated schemes, encryption schemes, and primitives). It is demonstrated how security is argued generically and under which security assumptions. Finally, it is discussed how cryptographic primitives are designed that are supposed to meet these security assumptions.


The first session will take place on 10 Feb, starting at 11:00.


Details of the exam format depend on the number of students taking the course for credits and the pandemic situation.

See below for old exams to practice.


There are a few books covering topics we touch in class but there is no 'textbook' that covers everything. For further reading on the individual topics see below.
It is not necessary to purchase any book to follow the course.


This first part covers the following topics:


This video motivates the topic of post-quantum cryptography

See also the slides.

If you are taking this course without having prior knowledge in cryptology, please watch the following videos as preparation:

These videos were prepared for a bachelor course on cryptography. If you want to see more, check out the YouTube channel for it and its course page

Quantum computing

This video shows how period finding can be used to break RSA.

See also the slides.

This video shows how to represent qubits using normal bits. This representation can be used to verify algorithms and will be used in the following videos.

See also the slides.

Watch this video

to learn about quantum gates and basic circuits. See also the slides.

This video covers Simon's algorithm.

See also the slides.

Finally we cover Grover's algorithm,

see also the slides.

Further reading:

Code-based crypto

This video explains basic notions of coding-theory and the McEliece scheme.

See also the slides.

This video covers Niederreiter's version, statements about their equivalence, and attacks on the schoolbook versions.

See also the slides.
If the security notions on the last slide do not make sense to you, watch the last video in the introduction section.

This video defines binary Goppa codes and how to use them in code-based crypto

See also the slides.

This video proves two bounds on the minimum distance of Goppa codes and shows how to decode.

See also the slides.

This video covers information-set decoding, which are generic attacks on code-based cryptography.

See also the slides.

This last video covers quantum attacks on code-based cryptography

See also the slides.

We didn't do the running time analysis for Leon or Stern. I gave some motivation why the improvements are improvements but didn't trace all the binomial coefficients. Here is a taste of this. I will denote the binomial coefficient n choose k by C(n,k) to save my sanity in typing this.
There are n choose t ways the t error positions can be distributed over the n positions. When we select the n-k columns to make a left-right split and to transform the right hand side into the identity matrix we determine, whether step 2 can be successful. On that level, the likelihood of a selection to work changes from C(k,p)*C(n-k,t-p)/C(n,t) for Lee-Brickel to C(k,p)*C(n-k-z,t-p)/C(n,t) for Leon (because there are p columns chosen out of the k columns on the left, and t-p of those on the right; for Leon in addition we insist on having z positions to be zero in return for a cheaper step). For Stern the probability is (C(k/2,p))^2*C(n-k-z,t-2p)/C(n,t). Take a look at the original Stern paper or our paper reporting on our 2008 attack.

Further reading

Hash-based signatures

This video introduces hash-based signatures and shows how to sign messages with up to 4 bits.

See also the slides.

This video introduces Lamport and Winternitz one-time signatures.

See also the slides.

In this video we generalize from one-time signatures to schemes that can sign a fixed number of messages and cover general stateful hash-based signatures.

See also the slides.

The fourth video covers stateless hash-based signatures

See also the slides.

The fifth video describes some ingredients to few-times signates and defines r-subset resilience.

See also the slides.

You can find the python code snippets from the slides here.

Andreas Hülsing gave a lecture on hash-based signatures in the 2019 edition of this course and covered also security reductions. His slides available.
Further reading/watching:

Isogeny-based crypto

The first video recalls some background on elliptic curves.

See also the slides.
I fixed the definitions of discriminant and j-invariant.

The second video recalls the Diffie-Hellman key-exchange and presents exponentiation as a walk on graphs, We will see similar walks for isogenies soon. For the graphs that multiply by G^2, g^4, and g^8 I assume that those values are precomputed. So, you can change the DH parameters to G, g, g^2, g^4, g^8, so have those as part of the system.

See also the slides.

This video gets to isogenies and shows how one can use the isogeny graph to get a DH-like structure.

See also the slides.

This video got a bit too long, but covers all the remaining math background that we need.

See also the slides.
To give proper credit:
Tate's theorem says that two curves over a field Fq are isogenous if and only if they have the same number of points,

This video gives the full description of the CSIDH system. You need the previous video to really understand why this works, but you can also watch this one first for motivation.

See also the slides.

SIDH is a different system based on isogenies. It is a bit harder to understand but we now have all material necessary to do so.

See also the slides.

Further reading/watching:

Lattice-based crypto

This video introduces lattices and shows the LLL algorithm to reduce lattices bases.

See also the slides.

Better lattice attacks are the topic of this video.

See also the slides.

The Goldreich, Goldwasser, Halevi systems have the advantage that you can see lattices at work. Note that the signature system is not secure, and this talks shows why.

I used slides by Thijs Laarhoven for this video.

NTRU is one of the oldest lattice-based encryption systems and one of the finalists in the NIST competition

See also the slides.
Note, I fixed a sign error in the definition of R_q.

This video discussed attacks on NTRU.

See also the slides.

The 6th and last video discusses reaction attacks on NTRU.

See also the slides.

Further reading:

Multi-variate-quadratics-based crypto

This video defines how multivariate systems work and what the hard problem is.

See also the slides.

This video explains the Sakumoto–Shirai–Hiwatari identification scheme which is the basis of MQDSS.

iee also the slides.

This video explains how one can hide structure in the system of multivariate equations.

See also the slides.
I know that this video has terrible quality, haven't been able to fix it.

Further reading:

Class notes and links to videos

To appear during the course.

10 Feb 2022
Please watch the introduction to post-quantum cryptography as well as Shor vs. RSA in preparation for the live session. The third video for today is Quantum computing for cryptographers I. This year the semester has one lecture less. I will skip the rest of the quantum computing videos, but feel free to ask questions about those, too.

If you are taking this course without background in cryptography, please see the extra videos in the Introduction section.

For this session we'll use a big-blue button server. Please see the Zulip chat for the link.

Here is the exercise sheet for the live session

17 Feb 2022
Please watch the first 5 videos on code-based crypto in preparation for today's session. This time we will meet on wonder, please see the Zulip chat for the URL.
Here is the exercise sheet for the live session.

24 Feb 2022
Please watch video IV on quantum computig (Grover's algorithm), video VI on quantum-attacks on code-based cryptography, and the first 3 videos (I-III) on hash-based signatures in preparation.

Here is the exercise sheet for the live session.

03 Mar 2022
The topics for this week are hash-based signatures and isogeny-based cryptography. I'm still working on recording a 5th vidoe on hash-basehd signatures. Please watch the remaiing video on hash-based signatures and the first 3 videos on isogeny-based cryptography.

Here is the exercise sheet for the live session.

10 Mar 2022
Please watch the remaining 3 videos on isogeny-based crypto (IV-VI) and the first video on lattice-based crypto.

Here is the exercise sheet for the live session.

17 Mar 2022
The topic today is lattice-based cryptography. Please watch the first five lectures (I-V) on this topic, i.e., the one from last week and 4 more..

Here is the exercise sheet for the live session.

24 Mar 2022
The topics today are lattice-based cryptography and multivariate quadratic systems. Please watch the remaining video (VI) on lattice-based crypto and the three videos on multivariate-quadratic signatures.
This is the last session on post-quantum crypto in this course, next week Bart Mennink will continue.

Here is the exercise sheet for the live session.

Old exams

Here are some test exercises.

The exercises for the first exam 2015 are here. I will not make solutions available for my part but you can email me what you think is the correct solution and I'll give you feedback.

The exercises for the second exam 2015 are here.

The exercises for the first exam 2017 are here.

The exercises for the second exam 2017 are here.

The exercises for the first exam 2019 are here.