Parts XII–XV:
Algebraic, Quantum &
Post-Quantum Cryptography

Bartosz Naskręcki

Elements of Cryptanalysis • Adam Mickiewicz University

Chapters 34–45

Part XII

Algebraic Cryptanalysis — Chapters 34–36

Chapter 34

Gröbner Bases

Polynomial System Solving

Definition — Gröbner Basis
A Gröbner basis \(G\) of an ideal \(I \subseteq k[x_1,\ldots,x_n]\) w.r.t. a monomial ordering satisfies: \[ \langle \mathrm{LT}(G) \rangle = \langle \mathrm{LT}(I) \rangle \] Computed via Buchberger’s algorithm using S-polynomials and reduction.
Cryptanalytic Application
Express a block cipher as a system of multivariate polynomial equations over \(\mathbb{F}_2\). If the Gröbner basis can be computed, the key is recovered — but worst-case doubly exponential.
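A worked example added to this summary (not the course's own code): a minimal Buchberger implementation over GF(2) with lex order, applied to a constructed 3-bit toy cipher c = chi(p XOR k), where chi is the Keccak-style nonlinear map. With the field equations k_i^2 + k_i added, the reduced lex Gröbner basis from a single plaintext/ciphertext pair collapses to {k_i + a_i}, which reads off the key. The cipher, the variable names and every helper are assumptions of this example; only the algorithm is the textbook one.

```python
# Added example: Buchberger's algorithm over GF(2) on a constructed toy cipher.
# Not code from the lecture or from any library; the cipher, names and helpers
# are this example's own. Polynomials are frozensets of monomials (coefficients
# in GF(2), so addition is symmetric difference); monomials are exponent tuples,
# and Python's tuple comparison gives lex order with k0 > k1 > k2.

N = 3                                            # number of key-bit variables
ONE = frozenset([(0,) * N])                       # the constant polynomial 1

def var(i):
    return frozenset([tuple(int(j == i) for j in range(N))])

def mono_mul(a, b):
    return tuple(x + y for x, y in zip(a, b))

def mul(f, g):
    """Polynomial product; equal terms cancel in pairs over GF(2)."""
    r = frozenset()
    for a in f:
        r ^= frozenset(mono_mul(a, t) for t in g)
    return r

def lt(f):
    return max(f)                                 # leading term under lex

def divides(m, t):
    return all(x <= y for x, y in zip(m, t))

def reduce_poly(f, G):
    """Multivariate division: fully reduced remainder of f modulo the list G."""
    r, p = frozenset(), f
    while p:
        t = lt(p)
        for g in G:
            if divides(lt(g), t):
                q = tuple(y - x for x, y in zip(lt(g), t))
                p ^= frozenset(mono_mul(q, m) for m in g)
                break
        else:                                     # t irreducible: move it to r
            r ^= frozenset([t])
            p ^= frozenset([t])
    return r

def spoly(f, g):
    """S-polynomial: cancel the leading terms via their least common multiple."""
    L = tuple(max(x, y) for x, y in zip(lt(f), lt(g)))
    qf = tuple(y - x for x, y in zip(lt(f), L))
    qg = tuple(y - x for x, y in zip(lt(g), L))
    return frozenset(mono_mul(qf, m) for m in f) ^ frozenset(mono_mul(qg, m) for m in g)

def groebner(F):
    """Buchberger: add reduced S-polynomials until all of them reduce to 0,
    then return the reduced Groebner basis."""
    G = [f for f in F if f]
    pairs = [(i, j) for i in range(len(G)) for j in range(i)]
    while pairs:
        i, j = pairs.pop()
        s = reduce_poly(spoly(G[i], G[j]), G)
        if s:
            pairs.extend((len(G), k) for k in range(len(G)))
            G.append(s)
    minimal = []                                  # drop redundant leading terms
    for g in sorted(set(G), key=lt):
        if not any(divides(lt(h), lt(g)) for h in minimal):
            minimal.append(g)
    return [reduce_poly(g, [h for h in minimal if h is not g]) for g in minimal]

def toy_encrypt(key, pt):
    """Constructed toy cipher: c = chi(p XOR k), chi(u)_i = u_i + (1 + u_{i+1}) u_{i+2}."""
    u = [k ^ p for k, p in zip(key, pt)]
    return tuple(u[i] ^ ((1 ^ u[(i + 1) % N]) & u[(i + 2) % N]) for i in range(N))

def key_equations(pt, ct):
    """The same cipher as polynomials in the unknown key bits, for one (pt, ct) pair."""
    const = lambda bit: ONE if bit else frozenset()
    u = [var(i) ^ const(pt[i]) for i in range(N)]
    eqs = [u[i] ^ mul(ONE ^ u[(i + 1) % N], u[(i + 2) % N]) ^ const(ct[i]) for i in range(N)]
    eqs += [mul(var(i), var(i)) ^ var(i) for i in range(N)]   # field equations k_i^2 = k_i
    return eqs

def recover_key(pt, ct):
    """Read the key off the reduced lex basis, which is {k_i + a_i} for a unique solution."""
    basis = groebner(key_equations(pt, ct))
    key = []
    for i in range(N):
        g = next(g for g in basis if lt(g) == next(iter(var(i))))
        key.append(int((0,) * N in g))
    return tuple(key)
```

Because chi is a bijection on 3 bits, one known pair determines the key, so the ideal is maximal and its reduced basis is the three linear polynomials; the doubly exponential worst case mentioned above is what keeps this from scaling to 128 variables.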

Chapter 35

Algebraic Analysis of S-Boxes

S-Box as Polynomial System

AES S-Box Equations
The AES S-box \(S: \mathrm{GF}(2^8) \to \mathrm{GF}(2^8)\) satisfies: \[ S(x) = A \cdot x^{254} + c \quad \text{in } \mathrm{GF}(2^8) \] (since \(x^{-1} = x^{254}\) in \(\mathrm{GF}(2^8)\))

This yields 39 quadratic equations in 16 binary variables per S-box.

Full AES System
AES-128: \(\sim 8000\) quadratic equations in \(\sim 1600\) binary variables. Solving this would break AES — but current Gröbner basis algorithms cannot handle this scale.
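The count of 39 can be checked directly. The following example, added here and not part of the lecture, builds the AES S-box from the formula above (x^254 followed by the affine map) and then counts linearly independent quadratic relations between the 8 input bits and 8 output bits: evaluate all 137 monomials of degree at most 2 on every (x, S(x)) pair, and the relations are the null space of that 256 x 137 matrix over GF(2). Function names and the pure-Python GF(2^8) arithmetic are this example's own.

```python
# Added example (not from the lecture): build the AES S-box and count its
# quadratic relations by Gaussian elimination over GF(2).
from itertools import combinations

def gf_mul(a, b):
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def aes_sbox(x):
    """S(x) = A . x^254 + 0x63: inversion (0 maps to 0) then the GF(2)-affine map."""
    b = gf_pow(x, 254)
    rot = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63

def count_quadratic_equations(sbox, n=8):
    """Dimension of the space of relations sum c_m m(x, y) = 0 holding for all x,
    over the monomials 1, z_i, z_i z_j with z = (input bits, output bits)."""
    nz = 2 * n
    monomials = [()] + [(i,) for i in range(nz)] + list(combinations(range(nz), 2))
    rows = []
    for x in range(1 << n):
        y = sbox(x)
        z = [(x >> i) & 1 for i in range(n)] + [(y >> i) & 1 for i in range(n)]
        v = 0
        for col, m in enumerate(monomials):
            if all(z[i] for i in m):           # the empty product is 1
                v |= 1 << col
        rows.append(v)
    # rank over GF(2): each row is a bitmask, reduce on the highest set bit
    pivots = {}
    for v in rows:
        while v:
            h = v.bit_length() - 1
            if h in pivots:
                v ^= pivots[h]
            else:
                pivots[h] = v
                break
    return len(monomials) - len(pivots)   # null space = relations among monomials
```

The rank comes out as 98, so 137 - 98 = 39 relations hold for every input, which is the figure quoted above; this is the overdefined system that XL/XSL-style attacks try to exploit.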

Chapter 36

Algebraic Attacks

XL, XSL & Cube Attacks

XL Algorithm
Multiply equations by all monomials up to degree \(D\), then linearize. Complexity: \(O(n^D)\). Effective when \(D\) is small.
Cube Attack (Dinur-Shamir)
Treat cipher as multivariate polynomial; sum over “cube” variables to extract linear equations in key bits. Black-box approach.
Current Status
  • No algebraic attack breaks full AES
  • Cube attacks break reduced-round variants (e.g., Trivium to 799/1152 rounds)
  • Algebraic techniques complement differential/linear methods
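The cube attack procedure, as an example added to this summary (not the lecture's code): f below is a constructed toy output bit in three public IV bits and three key bits. Summing f over a cube of IV bits leaves its superpoly; the offline phase models each superpoly as an affine function of the key (and rejects cubes whose superpoly is nonlinear), and the online phase obtains each superpoly's value with chosen-IV queries only, giving linear equations that Gaussian elimination solves. The function f, the cubes and all helper names are assumptions of the example.

```python
# Added example: a cube attack on a constructed toy Boolean function. Not code
# from the lecture; f, the cube choices and the helper names are this example's
# own, only the sum-over-cube / linearity-test / solve procedure is Dinur-Shamir's.
from itertools import product

NV, NK = 3, 3                                  # public IV bits and secret key bits

def f(v, k):
    """Toy 'cipher' output bit as a polynomial in IV bits v and key bits k."""
    v0, v1, v2 = v
    k0, k1, k2 = k
    return ((v0 & v1 & k0) ^ (v0 & v1 & v2) ^ (v0 & v1 & k1) ^ (v1 & v2 & k2)
            ^ (v0 & k0 & k1) ^ (v2 & k0) ^ v2 ^ k1)

def cube_sum(cube, k):
    """Sum f over all 2^|cube| assignments of the cube IV bits (others fixed to 0)."""
    total = 0
    for bits in product((0, 1), repeat=len(cube)):
        v = [0] * NV
        for i, b in zip(cube, bits):
            v[i] = b
        total ^= f(v, k)
    return total

def superpoly(cube):
    """Offline phase: model the superpoly p_I(k) as c0 + sum a_i k_i using keys the
    attacker chooses. Returns (coefficients, c0), or None if p_I is not affine."""
    zero = [0] * NK
    c0 = cube_sum(cube, zero)
    coeffs = []
    for i in range(NK):
        e = zero[:]
        e[i] = 1
        coeffs.append(cube_sum(cube, e) ^ c0)
    # NK is tiny, so the affine model is checked on every key; with a real cipher
    # this would be a randomized BLR linearity test on sampled keys instead
    for k in product((0, 1), repeat=NK):
        if cube_sum(cube, k) != c0 ^ (sum(a & b for a, b in zip(coeffs, k)) % 2):
            return None
    return coeffs, c0

def solve_gf2(rows):
    """Gauss-Jordan over GF(2) on rows (coeffs, rhs); unique solution or None."""
    M = [coeffs[:] + [rhs] for coeffs, rhs in rows]
    for c in range(NK):
        piv = next((r for r in range(c, len(M)) if M[r][c]), None)
        if piv is None:
            return None                        # underdetermined: need more cubes
        M[c], M[piv] = M[piv], M[c]
        for r in range(len(M)):
            if r != c and M[r][c]:
                M[r] = [x ^ y for x, y in zip(M[r], M[c])]
    return tuple(M[c][NK] for c in range(NK))

def recover_key(cubes, secret):
    """Online phase: only chosen-IV queries against the unknown key are made."""
    rows = []
    for cube in cubes:
        model = superpoly(cube)
        if model is None:
            continue                           # nonlinear superpoly: discard cube
        coeffs, c0 = model
        rows.append((coeffs, cube_sum(cube, secret) ^ c0))
    return solve_gf2(rows)
```

The cube (v0) alone has superpoly k0 k1, so it is discarded; the cubes (v0, v1), (v1, v2) and (v2) yield k0 + k1, k2 and k0 + 1 respectively, which is enough to solve for the three key bits. The attack's black-box nature is visible in the code: f is only ever called, never inspected.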

Part XIII

The Quantum Threat — Chapters 37–39

Chapter 37

Quantum Computing Foundations

Qubits & Quantum Gates

Qubit State
\[ |\psi\rangle = \alpha|0\rangle + \beta|1\rangle, \quad |\alpha|^2 + |\beta|^2 = 1 \] \(n\) qubits: superposition of \(2^n\) basis states simultaneously.
Key Gates
  • Hadamard: \(H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)\) — creates superposition
  • CNOT: \(|a,b\rangle \to |a, a \oplus b\rangle\) — entanglement
  • Phase: \(|x\rangle \to e^{i\phi}|x\rangle\) — phase kickback

Chapter 38

Shor's Algorithm

Quantum Factoring & DLP

Shor’s Algorithm (1994)
Factors \(n\) in \(O((\log n)^3)\) on a quantum computer.
  1. Reduce factoring to order-finding: find \(r\) such that \(a^r \equiv 1 \pmod{n}\)
  2. Use Quantum Fourier Transform to find \(r\) efficiently
  3. If \(r\) is even: \(\gcd(a^{r/2} \pm 1, n)\) gives a factor
Impact on Cryptography
  RSA           | Broken (factoring)
  DH / ElGamal  | Broken (DLP)
  ECC           | Broken (ECDLP)
  AES-256       | Reduced to 128-bit (Grover)
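The classical parts of the three steps above, as an example added here (not the lecture's code): step 1 and step 3 are exactly the reduction from factoring to order-finding and the gcd computation; step 2, where the quantum Fourier transform finds r, is replaced by brute-force order finding, which is exponential and only viable for tiny n. Function names are this example's own.

```python
# Added example (not from the lecture): Shor's reduction with the quantum
# order-finding step replaced by a classical brute-force stand-in.
from math import gcd
from random import randrange

def find_order(a, n):
    """Smallest r >= 1 with a^r = 1 (mod n); requires gcd(a, n) = 1.
    This is the step the QFT performs in polynomial time; here it is brute force."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_factor(n, a):
    """Return a nontrivial factor of n derived from base a, or None if a is unlucky."""
    g = gcd(a, n)
    if g != 1:
        return g                          # a already shares a factor with n
    r = find_order(a, n)
    if r % 2:
        return None                       # odd order: no square root of 1 to use
    y = pow(a, r // 2, n)                 # y^2 = 1 (mod n), y != 1 since r is minimal
    if y == n - 1:
        return None                       # y = -1 gives only the trivial factor
    return gcd(y - 1, n)                  # y != +-1, so this factor is nontrivial

def shor(n, attempts=50):
    """Repeat with random bases; a constant fraction of bases succeeds."""
    for _ in range(attempts):
        f = shor_factor(n, randrange(2, n))
        if f and 1 < f < n:
            return f
    return None
```

For n = 15 and a = 7 the order is 4, 7^2 = 4 (mod 15), and gcd(4 - 1, 15) = 3; a = 14 fails because 14 = -1 (mod 15). The polynomial cost quoted above rests entirely on the quantum replacement of find_order.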

Chapter 39

Grover's Algorithm

Quantum Search

Grover’s Algorithm (1996)
Searches an unstructured database of \(N\) items in \(O(\sqrt{N})\) queries. \[ |\psi\rangle \xrightarrow{O(\sqrt{N}) \text{ iterations}} |\text{target}\rangle \] Each iteration: Oracle \(\to\) Diffusion (inversion about the mean).
Impact on Symmetric Crypto
  • AES-128: effectively 64-bit security ⇒ not sufficient
  • AES-256: effectively 128-bit security ⇒ quantum-safe
  • SHA-256 preimage: \(2^{128}\) quantum queries

Mitigation: double key lengths for symmetric primitives.
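A classical state-vector simulation of Grover's search, added as an example for this chapter and for the gates of Chapter 37 (not the lecture's code): the Hadamard and CNOT gates act on a list of 2^n amplitudes, the uniform superposition is built from H on every qubit, and each Grover iteration is the oracle's phase flip followed by inversion about the mean. Storing 2^n amplitudes is exactly why such a simulation cannot scale; it only makes the O(sqrt N) amplitude amplification visible. Function names and the qubit-ordering convention are this example's own.

```python
# Added example (not from the lecture): state-vector simulation of the Chapter 37
# gates and of Grover's algorithm. Qubit q is bit q of the basis-state index.
import math

def hadamard(state, q):
    """Apply H to qubit q of a 2^n amplitude vector."""
    out = state[:]
    bit = 1 << q
    s = 1 / math.sqrt(2)
    for i in range(len(state)):
        if not i & bit:
            a, b = state[i], state[i | bit]
            out[i], out[i | bit] = s * (a + b), s * (a - b)
    return out

def cnot(state, control, target):
    """|a, b> -> |a, a XOR b>: swap amplitudes of the target when control is 1."""
    out = state[:]
    for i in range(len(state)):
        if i & (1 << control):
            out[i ^ (1 << target)] = state[i]
    return out

def uniform_superposition(n):
    state = [0.0] * (1 << n)
    state[0] = 1.0                                  # |00...0>
    for q in range(n):
        state = hadamard(state, q)                  # H on every qubit
    return state

def grover(n, target, iterations=None):
    """Return the amplitudes after floor(pi/4 * sqrt N) Grover iterations."""
    N = 1 << n
    if iterations is None:
        iterations = math.floor(math.pi / 4 * math.sqrt(N))
    state = uniform_superposition(n)
    for _ in range(iterations):
        state[target] = -state[target]              # oracle: phase flip on the target
        mean = sum(state) / N
        state = [2 * mean - a for a in state]       # diffusion: inversion about the mean
    return state

def success_probability(n, target):
    """Probability that measuring the final state yields the target."""
    return grover(n, target)[target] ** 2
```

With n = 3 (N = 8) two iterations already give a measurement probability of about 0.945 for the marked item; with n = 10, 25 iterations suffice, against 512 expected classical probes. H on qubit 0 followed by CNOT(0, 1) produces the Bell state (|00> + |11>)/sqrt 2, the entanglement the gate list above refers to.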

Part XIV

Lattice-Based Cryptography — Chapters 40–42

Chapter 40

Lattice Problems

SVP, CVP & Hardness

Definition — Lattice
\(\mathcal{L}(B) = \{Bx : x \in \mathbb{Z}^n\}\) for basis matrix \(B \in \mathbb{R}^{m \times n}\).
Hard Problems
SVP: Find the shortest nonzero vector. CVP: Find the closest lattice point to a target. Both are NP-hard (under randomized reductions).
LLL Algorithm
Finds a vector within \(2^{(n-1)/2}\) of optimal in polynomial time \(O(n^6 \log^3 B)\). Practical for \(n \leq 500\); exact SVP remains exponential.

Chapter 41

LWE & ML-KEM (Kyber)

Learning With Errors

LWE Problem
Given \((A, b = As + e \bmod q)\) where \(s\) is secret, \(e\) is small noise: distinguish \(b\) from uniform. Worst-case hard if approximate SVP is hard.
ML-KEM (FIPS 203, formerly Kyber)
NIST’s primary post-quantum KEM standard.
  • Module-LWE over \(R_q = \mathbb{Z}_q[x]/(x^{256}+1)\)
  • ML-KEM-768: 128-bit security, 1184-byte public key
  • Encapsulation: \(\sim\)1 ms on modern hardware
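To see how the LWE problem turns into encryption, here is a Regev-style public-key scheme over plain LWE, added as an example for this summary; it is not ML-KEM (which works over Module-LWE in R_q and adds a KEM wrapper with compression) and not the course's code. The public key is an LWE instance (A, b); encryption adds up a random subset of the samples and hides one bit in the top half of the modulus; decryption recovers bit * q/2 plus the accumulated noise r.e, which must stay below q/4. The toy parameters, names and uniform noise are this example's assumptions.

```python
# Added example: Regev-style encryption from plain LWE (not ML-KEM and not the
# lecture's code). Toy parameters: the worst-case noise M * BOUND = 256 is below
# q/4 = 1023, so decryption never fails; a larger BOUND would make it fail.
import random

N, M, Q, BOUND = 16, 64, 4093, 4     # dimension, samples, modulus, max |e_i|

def keygen():
    s = [random.randrange(Q) for _ in range(N)]                      # secret
    A = [[random.randrange(Q) for _ in range(N)] for _ in range(M)]  # uniform
    e = [random.randint(-BOUND, BOUND) for _ in range(M)]            # small noise
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % Q for row, ei in zip(A, e)]
    return s, (A, b)                     # public key is the LWE instance (A, b)

def encrypt(pk, bit):
    """Pick a random subset r of samples: u = r A, v = r b + bit * q/2 (mod q)."""
    A, b = pk
    r = [random.randint(0, 1) for _ in range(M)]
    u = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    v = (sum(r[i] * b[i] for i in range(M)) + bit * (Q // 2)) % Q
    return u, v

def decrypt(s, ct):
    """v - <u, s> = bit * q/2 + r.e (mod q); decide by which half it lands in."""
    u, v = ct
    d = (v - sum(x * y for x, y in zip(u, s))) % Q
    return int(Q // 4 < d < 3 * Q // 4)

def noise_budget():
    """Worst-case |r.e| and the q/4 limit it must stay under for correctness."""
    return M * BOUND, Q // 4

def roundtrip(bits):
    """Encrypt and decrypt a list of bits under a fresh key pair."""
    s, pk = keygen()
    return [decrypt(s, encrypt(pk, b)) for b in bits]
```

The security of the scheme is the LWE assumption stated above: without s, (A, b) and the ciphertext look uniform. The correctness bound is the same tension ML-KEM's parameters balance: more noise means harder LWE but a higher decryption-failure rate.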

Chapter 42

Lattice Attacks

Attacking Lattice Schemes

BKZ Algorithm
Block Korkine-Zolotarev: iteratively applies SVP oracles on blocks of size \(\beta\). Quality: \(\|b_1\| \leq \beta^{n/(2\beta)} \cdot \det(\mathcal{L})^{1/n}\). Cost grows exponentially in \(\beta\): \(\sim 2^{0.292\beta}\) (sieving).
  ML-KEM level | \(n\)  | BKZ \(\beta\) | Cost
  ML-KEM-512   | 512  | ~406  | \(\sim 2^{118}\)
  ML-KEM-768   | 768  | ~625  | \(\sim 2^{183}\)
  ML-KEM-1024  | 1024 | ~856  | \(\sim 2^{250}\)

Part XV

Code-Based Crypto & Frontiers — Chapters 43–45

Chapter 43

McEliece Cryptosystem

Code-Based Public-Key Encryption

McEliece (1978)
  • Private key: Goppa code generator matrix \(G\), scrambler \(S\), permutation \(P\)
  • Public key: \(\hat{G} = SGP\) (looks like a random code)
  • Encrypt: \(c = m\hat{G} + e\) where \(\mathrm{wt}(e) \leq t\)
  • Decrypt: use Goppa decoding to correct errors
Security
Based on hardness of decoding random linear codes (NP-hard). Drawback: large public keys (\(\sim\)1 MB for 128-bit security).
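The four bullet points above as running code, added as an example for this summary (not the lecture's or any library's code): the binary Goppa code is replaced by the Hamming(7,4) code, which corrects t = 1 error by syndrome decoding, so that the whole scheme fits in a few lines. S is a random invertible 4x4 matrix over GF(2), P a random 7x7 permutation, and the public key S G P hides the code's structure; decryption undoes P, corrects the error, and undoes S. The matrices, names and helpers are this example's own; real parameters use codes with thousands of columns, which is where the large public keys come from.

```python
# Added example (not from the lecture): McEliece with the Hamming(7,4) code as a
# stand-in for the Goppa code. All arithmetic is over GF(2).
import random

G = [[1, 0, 0, 0, 1, 1, 0],              # systematic generator: [I_4 | P]
     [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1],
     [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0],              # parity check: [P^T | I_3]
     [1, 0, 1, 1, 0, 1, 0],
     [0, 1, 1, 1, 0, 0, 1]]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def inverse_gf2(M):
    """Gauss-Jordan inverse over GF(2), or None if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        for r in range(n):
            if r != c and aug[r][c]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def keygen():
    while True:                                   # random S until it is invertible
        S = [[random.randint(0, 1) for _ in range(4)] for _ in range(4)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(7))
    random.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]
    P_inv = [list(col) for col in zip(*P)]        # a permutation matrix: P^-1 = P^T
    G_pub = matmul(matmul(S, G), P)               # public key: looks like a random code
    return G_pub, (S_inv, P_inv)

def encrypt(G_pub, m):
    """c = m G_pub + e with wt(e) = t = 1."""
    e = [0] * 7
    e[random.randrange(7)] = 1
    return [(x + y) % 2 for x, y in zip(matmul([m], G_pub)[0], e)]

def decode_hamming(word):
    """Syndrome decoding: H c^T equals the column of H at the error position."""
    syn = [sum(h * c for h, c in zip(row, word)) % 2 for row in H]
    if any(syn):
        pos = next(j for j in range(7) if [row[j] for row in H] == syn)
        word = word[:]
        word[pos] ^= 1
    return word

def decrypt(sk, c):
    S_inv, P_inv = sk
    c_perm = matmul([c], P_inv)[0]                # undo P: now m S G + e'
    codeword = decode_hamming(c_perm)             # correct e' (Goppa decoding stand-in)
    mS = codeword[:4]                             # G is systematic: first 4 bits are m S
    return matmul([mS], S_inv)[0]                 # undo S
```

Without the private structure, decrypting means decoding a seemingly random code, the NP-hard problem the security argument above rests on; with it, decoding is the trivial syndrome lookup shown here.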

Chapter 44

NIST PQC Standards

Post-Quantum Standardization

  Standard | Type      | Basis      | FIPS
  ML-KEM   | KEM       | Module-LWE | 203
  ML-DSA   | Signature | Module-LWE | 204
  SLH-DSA  | Signature | Hash-based | 205
Migration Timeline
  • 2024: FIPS standards published
  • 2025–2030: Hybrid deployments (classical + PQC)
  • 2030+: Full PQC transition mandated by NIST/NSA
  • Threat: “harvest now, decrypt later” attacks on long-lived secrets

Chapter 45

Synthesis & Future Directions

The Evolution of Cryptanalysis

Historical Arc
  • 800s: Al-Kindi — frequency analysis
  • 1863: Kasiski — polyalphabetic attacks
  • 1932: Rejewski — Enigma
  • 1949: Shannon — information theory
  • 1990: Biham-Shamir — differential
  • 1994: Matsui/Shor — linear/quantum
  • 2024: NIST PQC standards
Open Frontiers
  • Isogeny-based crypto (SIKE broken, CSIDH alive)
  • Fully homomorphic encryption
  • Multi-party computation
  • AI-assisted cryptanalysis
  • Quantum error correction timelines

Parts XII–XV: Summary

  Ch | Topic               | Key Result
  34 | Gröbner bases       | Buchberger’s algorithm; polynomial system solving
  35 | Algebraic S-boxes   | AES S-box: 39 quadratic equations per S-box
  36 | Algebraic attacks   | XL, cube attacks; no break on full AES
  37 | Quantum foundations | Qubits, superposition, entanglement
  38 | Shor’s algorithm    | Poly-time factoring/DLP ⇒ RSA/ECC broken
  39 | Grover’s algorithm  | \(\sqrt{N}\) search ⇒ double symmetric key lengths
  40 | Lattice problems    | SVP/CVP NP-hard; LLL approximation
  41 | LWE & ML-KEM        | FIPS 203 standard; module-LWE
  42 | Lattice attacks     | BKZ cost \(\sim 2^{0.292\beta}\)
  43 | McEliece            | Code-based PKE; large keys but unbroken
  44 | NIST PQC            | ML-KEM, ML-DSA, SLH-DSA standardized
  45 | Synthesis           | 1200 years: Al-Kindi to post-quantum

End of Parts XII–XV