Lattice Cryptography for Applied Cryptographers

A plain-language course on lattices and lattice cryptography, written for applied cryptographers, protocol engineers, and software engineers who want to understand how modern post-quantum schemes work under the hood.

The course starts with the background maths and builds up slowly: vectors, matrices, modular arithmetic, sampling, noise, lattices, SIS, LWE, rings, modules, ML-KEM, ML-DSA, and Falcon.

I hope you find it useful,
Conor

Chapters

Chapters marked Soon are still being written.

Part 1: The maths you need before lattices

Part 2: Lattices from first principles

8

What is a lattice?Soon

9

Bases: one lattice, many descriptionsSoon

10

Good bases and bad basesSoon

11

Distance, shortest vectors, and minimum distanceSoon

12

Closest points and decodingSoon

13

Fundamental regions: reducing modulo a latticeSoon

Part 3: The hard problems

14

SVP: finding the shortest vectorSoon

15

CVP and BDD: finding the nearest lattice pointSoon

16

Approximate SVP and why approximation mattersSoon

17

Why high-dimensional lattices are hardSoon

Part 4: q-ary lattices and the dual

18

Lattices defined by modular equationsSoon

19

Public matrices as lattice descriptionsSoon

20

The dual lattice, gentlySoon

Part 5: SIS, the short relation problem

21

SIS from scratchSoon

22

Why SIS is hardSoon

23

SIS as hashing, commitments, and signaturesSoon

Part 6: LWE, the noisy equation problem

24

LWE from scratchSoon

25

Search-LWE and Decision-LWESoon

26

Noise, rounding, and correctness failureSoon

27

LWE encryption by handSoon

28

Worst-case to average-case hardnessSoon

Part 7: How lattices actually break

29

How lattice attacks work at a high levelSoon

30

Lattice reduction and security estimatesSoon

31

Parameters and tradeoffsSoon

Part 8: Structure - polynomials, rings, modules

32

Why plain SIS and LWE are too largeSoon

33

Polynomials as compressed vectorsSoon

34

Polynomial multiplication as structured matrix multiplicationSoon

35

NTRU intuitionSoon

36

Ring-LWE, Ring-SIS, and module latticesSoon

37

Fast multiplication and the NTTSoon

Part 9: ML-KEM and key encapsulation

38

From encryption to KEMsSoon

39

ML-KEM under the hoodSoon

Part 10: ML-DSA and Fiat-Shamir signatures

40

What a lattice signature provesSoon

41

Fiat-Shamir signatures from lattice relationsSoon

42

Rejection sampling and leakageSoon

43

ML-DSA under the hoodSoon

Part 11: Falcon - hash-and-sign signatures

44

NTRU latticesSoon

45

Hash-and-sign and trapdoor samplingSoon

46

Gaussian sampling and Falcon under the hoodSoon

Part 12: Shipping it - implementation and migration

47

Implementation failure modesSoon

48

PQC migration and scheme selectionSoon