Lattice Cryptography for Applied Cryptographers
A plain-language course on lattices and lattice cryptography, written for applied cryptographers, protocol engineers, and software engineers who want to understand how modern post-quantum schemes work under the hood.
The course starts with the background maths and builds up slowly: vectors, matrices, modular arithmetic, sampling, noise, lattices, SIS, LWE, rings, modules, ML-KEM, ML-DSA, and Falcon.
I hope you find it useful,
Conor
Chapters
Chapters marked Soon are still being written.
Part 1: The maths you need before lattices
Part 2: Lattices from first principles
9
Bases: one lattice, many descriptionsSoon
10
Good bases and bad basesSoon
11
Distance, shortest vectors, and minimum distanceSoon
12
Closest points and decodingSoon
13
Fundamental regions: reducing modulo a latticeSoon
Part 3: The hard problems
14
SVP: finding the shortest vectorSoon
15
CVP and BDD: finding the nearest lattice pointSoon
16
Approximate SVP and why approximation mattersSoon
17
Why high-dimensional lattices are hardSoon
Part 4: q-ary lattices and the dual
18
Lattices defined by modular equationsSoon
19
Public matrices as lattice descriptionsSoon
20
The dual lattice, gentlySoon
Part 5: SIS, the short relation problem
23
SIS as hashing, commitments, and signaturesSoon
Part 6: LWE, the noisy equation problem
25
Search-LWE and Decision-LWESoon
26
Noise, rounding, and correctness failureSoon
27
LWE encryption by handSoon
28
Worst-case to average-case hardnessSoon
Part 7: How lattices actually break
29
How lattice attacks work at a high levelSoon
30
Lattice reduction and security estimatesSoon
31
Parameters and tradeoffsSoon
Part 8: Structure - polynomials, rings, modules
32
Why plain SIS and LWE are too largeSoon
33
Polynomials as compressed vectorsSoon
34
Polynomial multiplication as structured matrix multiplicationSoon
36
Ring-LWE, Ring-SIS, and module latticesSoon
37
Fast multiplication and the NTTSoon
Part 9: ML-KEM and key encapsulation
38
From encryption to KEMsSoon
39
ML-KEM under the hoodSoon
Part 10: ML-DSA and Fiat-Shamir signatures
40
What a lattice signature provesSoon
41
Fiat-Shamir signatures from lattice relationsSoon
42
Rejection sampling and leakageSoon
43
ML-DSA under the hoodSoon
Part 11: Falcon - hash-and-sign signatures
45
Hash-and-sign and trapdoor samplingSoon
46
Gaussian sampling and Falcon under the hoodSoon
Part 12: Shipping it - implementation and migration
47
Implementation failure modesSoon
48
PQC migration and scheme selectionSoon