This is the upstream cryptanalysis-course reference. We use it as the spine for the weeks that reuse upstream chapters; weeks with new chapters (W1, W6, W7) have their own decks.
Slide range | Course week | How to use
Part XIII (Slides 2–15) | (already covered in half 1) | Skim or skip. Recap if students forget Shor / Grover detail.
For the new chapters in this course, open the dedicated decks: w1_pqc_landscape.html, w6_hash_based.html, w7_ntru_mv_isogeny.html.
Part XIII
The Quantum Threat
Chapters 37–39
Quantum Computing Basics Ch 37
Classical bits are 0 or 1. Qubits can exist in a superposition of both states simultaneously.
Definition — Qubit. A qubit is a unit vector in ℂ²:
|ψ〉 = α|0〉 + β|1〉 where |α|² + |β|² = 1
Measurement yields 0 with probability |α|² and 1 with probability |β|², collapsing the state.
On the Bloch sphere: \( |\psi\rangle = \cos(\theta/2)|0\rangle + e^{i\varphi}\sin(\theta/2)|1\rangle \)
Three pillars of quantum advantage:
Superposition — a qubit encodes both 0 and 1 simultaneously
Entanglement — correlations with no classical analogue; measuring one qubit instantly determines the other
Interference — amplitudes can add or cancel, amplifying correct answers
Key caveat: We cannot read out all values from a superposition. Measurement collapses the state to a single outcome. Quantum algorithm design is the art of using interference to boost the probability of the desired answer.
Chapter 37 — Quantum Computing Foundations
Quantum Gates and Circuits Ch 37
Quantum gates are unitary matrices (U†U = I), ensuring reversibility and norm preservation.
Gate | Matrix | Action
Pauli-X | [0 1; 1 0] | Bit flip: |0〉 ↔ |1〉
Pauli-Z | [1 0; 0 -1] | Phase flip: |1〉 → -|1〉
Hadamard H | (1/√2)[1 1; 1 -1] | Creates equal superposition
CNOT | 4×4 | Flips target if control is |1〉
Quantum parallelism: applying \( H^{\otimes n} \) to \( |0\rangle^{\otimes n} \) yields an equal superposition over all \( 2^n \) basis states:
\( H^{\otimes n}|0\rangle^{\otimes n} = \frac{1}{\sqrt{2^n}} \sum_{x=0}^{2^n-1} |x\rangle \)
Applying a unitary \( U_f \) evaluates f on all inputs simultaneously. But the art lies in extracting the answer via interference and measurement.
Bell state (maximally entangled): |Φ+〉 = (|00〉 + |11〉)/√2
Created by H on qubit 0, then CNOT(0,1).
Chapter 37 — Quantum Computing Foundations
Shor's Algorithm: Factoring in Polynomial Time Ch 38
Peter Shor (1994) showed that a quantum computer can factor integers in O(n³ log n) operations, where n is the number of bits.
Core Reduction. Factoring N reduces to finding the period r of \( f(x) = a^x \bmod N \) (the multiplicative order of a modulo N).
If r is even and \( a^{r/2} \not\equiv -1 \pmod N \), then \( \gcd(a^{r/2} \pm 1, N) \) gives nontrivial factors.
Success probability: For semiprimes N = pq, at least 1/2 per random choice of a. Typically 1–2 attempts suffice.
Quantum Fourier Transform (QFT):
\( \mathrm{QFT}|j\rangle = \frac{1}{\sqrt{N}} \sum_{k=0}^{N-1} \omega^{jk}|k\rangle \)
where \( \omega = e^{2\pi i/N} \). Implemented with O(n²) gates on n qubits — exponentially faster than classical FFT on the full vector.
The QFT detects periodicity in superposition: peaks at multiples of Q/r reveal the period r. Continued fractions extract the exact value.
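A worked example of the classical half of Shor's pipeline, added here and not part of the course slides: the period is found by brute force in place of the quantum order-finding step, the QFT readout is modelled as its k-th peak y = round(kQ/r), and the continued-fraction extraction plus the gcd reduction are the genuine post-processing. Function names are my own; Q is chosen with N² ≤ Q < 2N² as in the original algorithm.

```python
from math import gcd

def multiplicative_order(a, N):
    """Period r of f(x) = a^x mod N, found by brute force. This is the
    step the quantum computer performs; classically it is exponential."""
    x, r = a % N, 1
    while x != 1:
        x = (x * a) % N
        r += 1
    return r

def qft_peak(r, Q, k):
    """Most likely QFT measurement for the k-th peak: the integer closest to k*Q/r."""
    return round(k * Q / r)

def convergents(num, den):
    """Convergents p/q of the continued-fraction expansion of num/den."""
    p0, q0, p1, q1 = 0, 1, 1, 0
    while den:
        a, rem = divmod(num, den)
        p0, p1 = p1, a * p1 + p0
        q0, q1 = q1, a * q1 + q0
        yield p1, q1
        num, den = den, rem

def period_from_measurement(y, Q, a, N):
    """Recover r from y ≈ k*Q/r: the first convergent denominator d < N with
    a^d ≡ 1 (mod N) is the period (succeeds when gcd(k, r) = 1)."""
    for _, d in convergents(y, Q):
        if d >= N:
            break
        if pow(a, d, N) == 1:
            return d
    return None

def factor_from_period(N, a, r):
    """Core reduction: if r is even and a^(r/2) != -1 (mod N), then
    gcd(a^(r/2) ± 1, N) are nontrivial factors; otherwise this a fails."""
    if r is None or r % 2:
        return None
    x = pow(a, r // 2, N)
    if x == N - 1:
        return None
    p = gcd(x - 1, N)
    return None if p in (1, N) else (min(p, N // p), max(p, N // p))

def shor_toy(N, a, Q, k):
    """Whole pipeline on a toy modulus: brute-force order finding stands in
    for the quantum subroutine, the measurement is replaced by its k-th
    peak, and the classical post-processing is the real thing."""
    g = gcd(a, N)
    if g != 1:                               # a already shares a factor with N
        return (min(g, N // g), max(g, N // g))
    r_true = multiplicative_order(a, N)
    y = qft_peak(r_true, Q, k)
    return factor_from_period(N, a, period_from_measurement(y, Q, a, N))

if __name__ == "__main__":
    print(shor_toy(15, 7, 256, 3))    # (3, 5)
    print(shor_toy(21, 2, 512, 5))    # (3, 7)
    print(shor_toy(15, 14, 256, 1))   # None: a^(r/2) ≡ -1 (mod N), pick a new a
```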
Chapter 38 — Shor's Algorithm
Shor's Impact: What Breaks? Ch 38
System | Hard Problem | Quantum Attack | Status
RSA | Integer factoring | Shor: polynomial time | Broken
Diffie-Hellman | Discrete log in Z_p^* | Shor: polynomial time | Broken
ECDH / ECDSA | Elliptic curve discrete log | Shor variant: polynomial time | Broken
AES-128 | Key search (2^128) | Grover: 2^64 | Weakened
AES-256 | Key search (2^256) | Grover: 2^128 | Believed secure
SHA-256 | Preimage (2^256) | Grover: 2^128 | Believed secure
Total break, not merely weakened. Shor's algorithm does not just reduce RSA's security margin — it eliminates it entirely. A 4096-bit RSA key, classically requiring longer than the age of the universe to factor, could be broken in hours on a sufficiently large quantum computer. Estimated requirement: ~4,000 logical qubits (or ~4–12 million physical qubits with error correction) for RSA-2048.
Chapter 38 — Shor's Algorithm
Grover's Algorithm: O(√N) Search Ch 39
Lov Grover (1996): find a marked element among N items in O(√N) queries, vs. O(N) classically.
Oracle Uf (phase oracle): flips the sign of the target state.
\( U_f|x\rangle = (-1)^{f(x)}|x\rangle, \quad U_f = I - 2|x^*\rangle\langle x^*| \)
Diffusion D (inversion about the mean):
D = 2|s〉〈s| - I, where |s〉 = uniform superposition.
Geometric picture: The state lies in a 2D plane spanned by |w〉 (target) and |w⊥〉 (non-targets). Each Grover iteration rotates by 2θ toward |w〉, where sin θ = 1/√N.
Overshooting. Unlike classical search, too many iterations decrease success probability — the state rotates past the target. The oscillation follows sin²((2t+1)θ).
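Added example, not from the slides: a plain-Python statevector simulation of the Grover iteration on N = 256 that reproduces the sin²((2t+1)θ) curve and shows the overshoot when the iteration count is doubled. Function names are assumptions.

```python
import math

def grover_success_probabilities(n_bits, target, max_iters):
    """Simulate Grover on N = 2^n_bits states with a real amplitude vector.
    Oracle: flip the sign of |target>.  Diffusion: reflect every amplitude
    about the mean (D = 2|s><s| - I).  Returns P(measure target) after
    t = 0, 1, ..., max_iters iterations."""
    N = 2 ** n_bits
    amp = [1 / math.sqrt(N)] * N            # H^{⊗n}|0...0>: uniform superposition
    probs = [amp[target] ** 2]
    for _ in range(max_iters):
        amp[target] = -amp[target]           # phase oracle U_f = I - 2|w><w|
        mean = sum(amp) / N
        amp = [2 * mean - a for a in amp]    # inversion about the mean
        probs.append(amp[target] ** 2)
    return probs

def predicted_probability(N, t):
    """Closed form from the 2D picture: sin^2((2t+1)θ) with sin θ = 1/√N."""
    theta = math.asin(1 / math.sqrt(N))
    return math.sin((2 * t + 1) * theta) ** 2

def optimal_iterations(N):
    """t that brings (2t+1)θ closest to π/2: round(π/(4θ) - 1/2) ≈ (π/4)√N."""
    theta = math.asin(1 / math.sqrt(N))
    return round(math.pi / (4 * theta) - 0.5)

if __name__ == "__main__":
    t_opt = optimal_iterations(256)
    probs = grover_success_probabilities(8, 37, 2 * t_opt)
    print(f"optimal t = {t_opt}, P(success) = {probs[t_opt]:.5f}")
    print(f"after 2t = {2 * t_opt} iterations, P(success) = {probs[2 * t_opt]:.5f}")
```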
Chapter 39 — Grover's Search Algorithm
Grover’s Algorithm: Quantum Circuit Visual
Chapter 39 — Grover’s Algorithm
Grover's Effect on Symmetric Cryptography Ch 39
Grover halves the effective bit-security of symmetric ciphers and hash functions:
Cipher | Key bits | Classical | Post-Grover | Action
3DES | 168 | 168-bit | 84-bit | Retire
AES-128 | 128 | 128-bit | 64-bit | Upgrade
AES-192 | 192 | 192-bit | 96-bit | Marginal
AES-256 | 256 | 256-bit | 128-bit | Safe
ChaCha20 | 256 | 256-bit | 128-bit | Safe
Hash functions: SHA-256 preimage resistance drops from 256-bit to 128-bit (still safe). Collision resistance: birthday attack already gives 128-bit; Grover provides no further advantage for collisions.
The good news: Grover's speedup is only quadratic, not exponential. The fix is simple — double the key length. AES-256 retains 128-bit security even against quantum adversaries.
Practical caveat: Running Grover on AES-128 requires a quantum circuit implementing AES as a reversible oracle on ~2,800 logical qubits, plus ~\( 2^{64} \) sequential iterations. The actual wall-clock time may exceed classical brute force due to the slow quantum clock speed. The real concern is algorithmic improvements that combine Grover with structural attacks.
Chapter 39 — Grover's Search Algorithm
Timeline: When Will Quantum Computers Break Crypto? Ch 38–39
Resource gap. Breaking RSA-2048 requires ~4,000 logical qubits (Gidney & Ekerå 2021) or ~4–20 million physical qubits with surface-code error correction. Current processors: ~1,000 noisy physical qubits. The gap is large but closing.
"Harvest now, decrypt later." Adversaries can record encrypted traffic today and store it until a quantum computer becomes available to decrypt it. For data with a long secrecy lifetime (government, medical, financial), migration to post-quantum cryptography is already urgent.
Chapters 38–39 — Quantum Algorithms & Impact
Discussion Reflection
Should we migrate to post-quantum cryptography today?
Consider the following factors:
Data lifetime: How long must your secrets remain secret?
Migration time: How long will it take your organisation to deploy new algorithms?
Mosca's theorem: If data lifetime + migration time > time to quantum computer, you are already too late.
Risk tolerance: Can you afford the downside of being wrong about the timeline?
Performance cost: PQC algorithms have larger keys and may be slower — is this acceptable?
Parts XIII–XV — Discussion
Part XIV
Lattice-Based Cryptography
Chapter 40
Lattice Fundamentals Ch 40
Definition — Lattice. Given a basis matrix \( B \in \mathbb{R}^{n \times n} \), the lattice generated by B is:
\( L(B) = \{ Bx : x \in \mathbb{Z}^n \} \)
The set of all integer linear combinations of the basis vectors.
Key property: A lattice has infinitely many bases. Some are "good" (short, nearly orthogonal); most are "bad" (long, nearly parallel). Finding a good basis from a bad one is computationally hard.
Determinant: det(L) = |det(B)|, independent of basis choice. Governs the density of lattice points.
Minkowski's Theorem. Every n-dimensional lattice L with determinant Δ contains a nonzero vector of length at most:
\( \lambda_1(L) \le \sqrt{n} \cdot \Delta^{1/n} \)
Finding such a short vector is the Shortest Vector Problem (SVP).
Ajtai's breakthrough (1996): Average-case lattice problems are as hard as worst-case lattice problems. This gives lattice-based crypto a unique theoretical advantage — breaking the scheme on random instances implies solving every instance of a hard lattice problem.
Chapter 40 — Lattice Problems and LWE
Hard Lattice Problems Ch 40
SVP (Shortest Vector Problem). Given a lattice basis B, find the shortest nonzero lattice vector v ∈ L(B).
NP-hard to approximate within any constant factor.
CVP (Closest Vector Problem). Given a lattice basis B and a target point t, find the lattice point closest to t.
At least as hard as SVP.
LWE (Learning With Errors) — Regev 2005. Given (A, b = As + e mod q), find the secret s, where:
\( A \in \mathbb{Z}_q^{m \times n} \) is a random matrix
\( s \in \mathbb{Z}_q^n \) is the secret
\( e \in \mathbb{Z}^m \) is a small error vector (from a discrete Gaussian)
Hardness: Regev proved a (quantum) reduction from worst-case lattice problems (GapSVP) to LWE.
Why LWE? The error e is what makes LWE hard. Without it, solving As = b mod q is trivial linear algebra. With it, the problem becomes as hard as worst-case lattice problems.
Chapter 40 — Lattice Problems and LWE
Lattice: Shortest Vector Problem Visual
Shortest Vector Problem (SVP).
Given a lattice basis B, find the shortest nonzero lattice vector \( \mathbf{v} \) minimizing \( \|\mathbf{v}\| \).
LLL Algorithm (Lenstra-Lenstra-Lovász, 1982):
Finds a vector within \( 2^{(n-1)/2} \) of the shortest in polynomial time. Not exact, but good enough for some applications.
Hardness: Exact SVP is NP-hard under randomized reductions. Approximate SVP within polynomial factors is believed hard — this is the foundation of lattice-based cryptography (ML-KEM, ML-DSA).
Key idea: Bad basis → hard to find short vectors. Good basis → easy. Basis reduction algorithms trade off quality vs. time.
Chapter 37 — Lattice-Based Cryptography
The LLL Algorithm: Lattice Reduction Ch 40
The Lenstra–Lenstra–Lovász (LLL) algorithm (1982) is a polynomial-time lattice reduction algorithm.
LLL guarantee. Given an n-dimensional lattice basis, LLL outputs a reduced basis whose shortest vector satisfies:
\( \|b_1\| \le 2^{(n-1)/2} \cdot \lambda_1(L) \)
Running time: \( O(n^5 d \log^3 B) \) where B bounds the entries.
LLL finds an approximately shortest vector. The approximation factor \( 2^{(n-1)/2} \) is exponential in n — too weak for cryptographic parameters.
BKZ (Block Korkine-Zolotarev): Generalises LLL by applying SVP solvers to blocks of size β. As β increases:
Approximation quality improves (shorter vectors)
Running time increases exponentially in β
Best known: \( 2^{O(\beta)} \) time via lattice sieving
Cryptographic parameters are chosen so that BKZ with the block size β required to break the scheme would take ≥ \( 2^{128} \) operations. For ML-KEM-768, this means β ≥ 600+, which is far beyond feasibility.
Chapter 40 — Lattice Problems and LWE
ML-KEM (Kyber): NIST FIPS 203 Ch 40
ML-KEM (Module Learning With Errors Key Encapsulation Mechanism) is the primary NIST post-quantum key exchange standard.
Module-LWE. Generalises LWE to work over polynomial rings \( R_q = \mathbb{Z}_q[X]/(X^n+1) \), with module rank k:
Public key: (A, t = As + e) with \( A \in R_q^{k \times k} \), \( t \in R_q^k \)
Secret: \( s \in R_q^k \) with small coefficients
Error: \( e \in R_q^k \) with small coefficients
NTT (Number Theoretic Transform): Enables O(n log n) polynomial multiplication in Rq, making ML-KEM highly efficient.
Key encapsulation steps:
KeyGen: Sample (s, e), compute t = As + e, output pk=(A,t), sk=s
Encaps: Sample (r, e', e''), compute \( u = A^T r + e' \), \( v = t^T r + e'' + \lceil q/2 \rfloor \cdot m \). Output ciphertext (u, v) and shared key K.
Decaps: Compute \( v - s^T u \approx \lceil q/2 \rfloor \cdot m \). Recover m via rounding. Derive K.
Correctness. \( v - s^T u = \lceil q/2 \rfloor \cdot m + \) (small noise). Rounding recovers m when the noise is sufficiently small. Decryption failure probability < \( 2^{-140} \) for ML-KEM-768.
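Added example, not the standard's code: a toy Module-LWE encryption with the same algebra as the KeyGen/Encaps/Decaps steps above and the same correctness argument (the decoder recovers m while the noise term e^T r + e'' - s^T e' stays below q/4). It serves both the LWE definition earlier in this part and the ML-KEM steps here. Assumptions: schoolbook multiplication in place of the NTT, n = 8 and k = 2 in place of 256 and 3, q = 3329 as in ML-KEM, no key derivation or FO transform; function and constant names are my own.

```python
import random

Q, N, K = 3329, 8, 2         # toy sizes; real ML-KEM uses n = 256 and k = 2, 3 or 4
HALF_Q = (Q + 1) // 2        # ⌈q/2⌋ = 1665, the encoding of message bit 1

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in R_q = Z_q[X]/(X^N + 1): a term X^(i+j) with
    i + j >= N wraps around to -X^(i+j-N). ML-KEM does this via the NTT."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def vec_dot(u, v):
    """u^T v for two length-K vectors of polynomials."""
    acc = [0] * N
    for pu, pv in zip(u, v):
        acc = poly_add(acc, poly_mul(pu, pv))
    return acc

def mat_vec(A, v, transpose=False):
    """A v (or A^T v) for a K×K matrix of polynomials."""
    rows = [[A[j][i] for j in range(K)] if transpose else A[i] for i in range(K)]
    return [vec_dot(row, v) for row in rows]

def small_poly(rng, eta=2):
    """Centred binomial noise, coefficients in [-eta, eta] (ML-KEM's CBD sampler)."""
    return [(sum(rng.randint(0, 1) for _ in range(2 * eta)) - eta) % Q for _ in range(N)]

def keygen(rng):
    """KeyGen: t = As + e;  pk = (A, t), sk = s."""
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(K)] for _ in range(K)]
    s = [small_poly(rng) for _ in range(K)]
    e = [small_poly(rng) for _ in range(K)]
    t = [poly_add(p, ep) for p, ep in zip(mat_vec(A, s), e)]
    return (A, t), s

def encrypt(pk, m_bits, rng):
    """u = A^T r + e',  v = t^T r + e'' + ⌈q/2⌋·m  (one message bit per coefficient)."""
    A, t = pk
    r = [small_poly(rng) for _ in range(K)]
    e1 = [small_poly(rng) for _ in range(K)]
    u = [poly_add(p, ep) for p, ep in zip(mat_vec(A, r, transpose=True), e1)]
    v = poly_add(poly_add(vec_dot(t, r), small_poly(rng)), [HALF_Q * b for b in m_bits])
    return u, v

def decrypt(sk, ct):
    """v - s^T u = ⌈q/2⌋·m + (e^T r + e'' - s^T e'): a coefficient nearer to
    ⌈q/2⌋ than to 0 decodes as 1, which is correct while |noise| < q/4."""
    u, v = ct
    return [1 if Q // 4 < c < 3 * Q // 4 else 0 for c in poly_sub(v, vec_dot(sk, u))]

def roundtrip(seed, trials=20):
    """(all decryptions correct?, worst |noise| coefficient seen) over `trials`
    random messages; decryption is correct while the noise stays below q/4 = 832."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    ok, worst = True, 0
    for _ in range(trials):
        m = [rng.randint(0, 1) for _ in range(N)]
        u, v = encrypt(pk, m, rng)
        ok = ok and decrypt(sk, (u, v)) == m
        noise = poly_sub(poly_sub(v, vec_dot(sk, u)), [HALF_Q * b for b in m])
        worst = max(worst, *(min(c, Q - c) for c in noise))   # centred magnitude
    return ok, worst
```

With these sizes the noise is bounded by 2·k·n·η² + η = 130, so every trial decrypts correctly; at n = 256 the bound is no longer below q/4 and the failure probability must be argued statistically, as the slide does.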
Chapter 40 — Lattice Problems and LWE
Key Size Comparison: Post-Quantum vs Classical Ch 40
Scheme | Security | Public Key | Ciphertext / Sig
RSA-3072 | 128-bit (classical) | 384 B | 384 B
ECC P-256 | 128-bit (classical) | 32 B | 64 B
ML-KEM-768 | 128-bit (PQ) | 1,184 B | 1,088 B
ML-KEM-1024 | 192-bit (PQ) | 1,568 B | 1,568 B
ML-DSA-65 | 128-bit (PQ) | 1,952 B | 3,309 B
Classic McEliece | 128-bit (PQ) | 261 KB | 128 B
Trade-off. Post-quantum public keys and ciphertexts are significantly larger than ECC equivalents. ML-KEM-768 keys are ~37× larger than ECC P-256 keys. Classic McEliece keys are ~8,000× larger!
Performance is competitive. ML-KEM is actually faster than RSA and comparable to ECC in encapsulation/decapsulation time. The NTT-based arithmetic is highly efficient on modern processors. The main cost is bandwidth, not computation.
Hybrid mode (recommended): Combine ML-KEM with ECDH during the transition period. If either is broken, the other still protects the session key.
Chapter 40 — Lattice Problems and LWE
Attacking Lattice Schemes: BKZ Reduction Ch 40
Best known attacks reduce LWE to approximate SVP via BKZ lattice reduction.
BKZ-β attack pipeline:
Construct a lattice from the LWE instance
Run BKZ with block size β
Reduced basis reveals the short secret/error vector
SVP subroutines:
Enumeration: \( 2^{O(n^2)} \) time, polynomial space
Sieving: \( 2^{O(n)} \) time and \( 2^{O(n)} \) space
Best sieve: \( 2^{0.292n} \) classical, \( 2^{0.265n} \) quantum
No quantum speedup for lattice problems. Unlike factoring, no efficient quantum algorithm is known for SVP or LWE. Grover gives at most a quadratic speedup for sieving, already accounted for in parameter choices.
Chapter 40 — Lattice Problems and LWE
ML-KEM Security Estimates Ch 40
ML-KEM parameter security (NIST FIPS 203):
Parameter Set | n, k, q | Security (NIST level)
ML-KEM-512 | 256, 2, 3329 | Level 1 (~128-bit)
ML-KEM-768 | 256, 3, 3329 | Level 3 (~192-bit)
ML-KEM-1024 | 256, 4, 3329 | Level 5 (~256-bit)
Parameters are chosen conservatively: ML-KEM-768 requires BKZ block sizes costing far more than \( 2^{128} \) operations. Security margins account for potential algorithmic improvements in lattice sieving.
Chapter 40 — Lattice Problems and LWE
Part XV
Code-Based Crypto & Frontiers
Chapters 43–45
McEliece (1978): The Oldest Unbroken Public-Key Scheme Ch 43
Robert McEliece proposed his cryptosystem in 1978, just one year after RSA. It remains unbroken after 47 years.
Key idea. Disguise a decodable error-correcting code (Goppa code) as a random-looking linear code.
Private key: Goppa code with efficient decoding (Patterson's algorithm)
Public key: G' = SGP, where S is scrambling, P is permutation
Encrypt: c = mG' + e (add t random errors)
Decrypt: Use the private Goppa decoder to correct e and recover m
Security basis. Decoding a random linear code is NP-hard (Berlekamp, McEliece, van Tilborg 1978). The public key G' is indistinguishable from a random generator matrix.
Achilles' heel: key size. Classic McEliece at 128-bit PQ security requires a 261 KB public key. This has limited its practical adoption despite its excellent security track record.
NIST status: Classic McEliece advanced to Round 4 of the NIST PQC competition. Selected for future standardisation alongside the lattice-based primary standards.
Chapter 43 — Code-Based Cryptography
Error-Correcting Codes and Syndrome Decoding Ch 43
Goppa codes are a family of algebraic error-correcting codes defined over finite fields.
Binary Goppa code Γ(L, g): Given a set \( L = \{\alpha_1, \ldots, \alpha_n\} \subset \mathbb{F}_{2^m} \) and a polynomial g(x) of degree t over \( \mathbb{F}_{2^m} \), the code consists of all vectors \( c \in \mathbb{F}_2^n \) such that:
\( \sum_i \frac{c_i}{x - \alpha_i} \equiv 0 \pmod{g(x)} \)
Parameters: length n, dimension ≥ n - mt, minimum distance ≥ 2t+1.
Syndrome decoding (NP-hard). Given a parity-check matrix H and syndrome \( s = Hc^T \), find a word e of minimum weight such that \( He^T = s \).
This is the computational problem underlying McEliece security.
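Added toy McEliece, covering the key idea on the previous slide and the syndrome-decoding step here (not the course's or Classic McEliece's code): the private code is a Hamming(7,4) code, which corrects t = 1 error by a syndrome lookup, standing in for a Goppa code with Patterson's decoder; the scrambler S, permutation P, public key G' = SGP, encryption c = mG' + e and decryption through the private decoder follow the slide. Function names are assumptions.

```python
import random

# Hamming(7,4) stands in for the Goppa code: systematic generator G = [I | P]
# and parity-check matrix H = [P^T | I]; it corrects t = 1 error per word.
G = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1],
     [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0], [1, 0, 1, 1, 0, 1, 0], [0, 1, 1, 1, 0, 0, 1]]

def mat_mul(A, B):
    """Matrix product over GF(2)."""
    return [[sum(a * b for a, b in zip(row, col)) % 2 for col in zip(*B)] for row in A]

def gf2_inverse(M):
    """Gauss-Jordan inverse over GF(2); raises ValueError if M is singular."""
    n = len(M)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def syndrome(y):
    """s = H y^T; zero exactly when y is a codeword."""
    return [sum(h * yi for h, yi in zip(row, y)) % 2 for row in H]

def syndrome_decode(y):
    """Minimum-weight e with H e^T = s: for a single error, s equals the
    column of H at the error position, so a lookup over the 7 columns fixes it."""
    s = syndrome(y)
    y = y[:]
    if any(s):
        cols = [tuple(row[i] for row in H) for i in range(7)]
        y[cols.index(tuple(s))] ^= 1
    return y

def keygen(rng):
    """Private: (S^{-1}, P) plus the decoder for G.  Public: G' = S G P."""
    while True:                                   # random invertible scrambler S
        S = [[rng.randint(0, 1) for _ in range(4)] for _ in range(4)]
        try:
            S_inv = gf2_inverse(S)
            break
        except ValueError:
            continue
    perm = list(range(7))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(7)] for i in range(7)]   # x P moves x[i] to slot perm[i]
    return mat_mul(mat_mul(S, G), P), (S_inv, perm)

def encrypt(G_pub, m, rng):
    """c = m G' + e with one random error (t = 1 for the Hamming code)."""
    c = mat_mul([m], G_pub)[0]
    c[rng.randrange(7)] ^= 1
    return c

def decrypt(sk, c):
    """Undo P, correct the error with the private decoder, undo S."""
    S_inv, perm = sk
    y = [c[perm[i]] for i in range(7)]        # c P^{-1}
    mS = syndrome_decode(y)[:4]               # systematic G: first 4 bits are m S
    return mat_mul([mS], S_inv)[0]

def roundtrip(seed):
    """True if every 4-bit message survives encrypt/decrypt under a fresh key."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    msgs = [[(i >> b) & 1 for b in range(4)] for i in range(16)]
    return all(decrypt(sk, encrypt(pk, m, rng)) == m for m in msgs)
```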
Best known attacks:
Information Set Decoding (ISD): \( 2^{O(n)} \) — Lee-Brickell, Stern, BJMM algorithms
Quantum ISD: Grover-assisted variants give roughly a square-root speedup, but the problem remains hard
No known polynomial-time quantum algorithm for syndrome decoding
Chapter 43 — Code-Based Cryptography
NIST Post-Quantum Standards (2024) Ch 44
Standard | Type | Hard Problem | Family | Published
ML-KEM (FIPS 203) | Key Encapsulation | Module-LWE | Lattice | Aug 2024
ML-DSA (FIPS 204) | Digital Signature | Module-LWE + SIS | Lattice | Aug 2024
SLH-DSA (FIPS 205) | Digital Signature | Hash function security | Hash-based | Aug 2024
FN-DSA (draft) | Digital Signature | NTRU lattice | Lattice | Forthcoming
Classic McEliece | KEM | Syndrome decoding | Code-based | Round 4
Diversity by design. NIST deliberately selected algorithms from multiple families (lattice, hash-based, code-based) to hedge against a breakthrough attack on any single hard problem.
Lesson from SIKE. The isogeny-based candidate SIKE was broken in 2022 by Castryck and Decru using unexpected mathematical insights. This demonstrates that even well-studied schemes can fall — diversification is essential.
Chapter 44 — NIST Post-Quantum Standards
NIST Post-Quantum Standards 2024
Chapter 44 — NIST PQC Standards
PQC Parameter Comparison Ch 44
Algorithm | NIST Level | Public Key | Secret Key | CT / Sig | KeyGen | Encaps / Sign | Decaps / Verify
Key Encapsulation Mechanisms
ML-KEM-512 | 1 | 800 B | 1,632 B | 768 B | Fast | Fast | Fast
ML-KEM-768 | 3 | 1,184 B | 2,400 B | 1,088 B | Fast | Fast | Fast
ML-KEM-1024 | 5 | 1,568 B | 3,168 B | 1,568 B | Fast | Fast | Fast
Classic McEliece | 1–5 | 261 KB–1.3 MB | – | 128–240 B | Slow | Fast | Fast
Digital Signatures
ML-DSA-44 | 2 | 1,312 B | 2,560 B | 2,420 B | Fast | Fast | Fast
ML-DSA-65 | 3 | 1,952 B | 4,032 B | 3,309 B | Fast | Fast | Fast
ML-DSA-87 | 5 | 2,592 B | 4,896 B | 4,627 B | Fast | Fast | Fast
SLH-DSA-128s | 1 | 32 B | 64 B | 7,856 B | Slow | Slow | Fast
SLH-DSA-128f | 1 | 32 B | 64 B | 17,088 B | Moderate | Moderate | Fast
Key observation: ML-KEM and ML-DSA offer an excellent balance of security, key size, and performance. SLH-DSA has the smallest keys but the largest signatures. Classic McEliece has enormous keys but the smallest ciphertexts.
Mosca's inequality: If data_lifetime + migration_time > quantum_arrival, you are already too late to begin.
Chapter 44 — NIST Post-Quantum Standards
Migration to PQC: Phases 3–4 Ch 44
Phase 3 — Full PQC (2028–2035)
Remove classical components once PQC is battle-tested
Update certificates, protocols, hardware tokens
Re-encrypt stored data with PQC
Phase 4 — Crypto-Agility (Ongoing)
Design systems to swap algorithms without redesign
Prepare for potential breaks in PQC schemes
Monitor advances in quantum computing and cryptanalysis
The SIKE lesson (2022): Castryck and Decru broke SIKE using unexpected connections to isogeny theory. Even mature, well-studied schemes can fall overnight. Crypto-agility is not optional.
Chapter 44 — NIST Post-Quantum Standards
Course Synthesis: The Eternal Dialectic Ch 45
From Al-Kindi (850 AD) to post-quantum (2024), a single pattern recurs:
Cipher | Attack | Stronger Cipher
Monoalphabetic substitution | Frequency analysis (Al-Kindi, 850) | Polyalphabetic ciphers (Alberti, 1467)
Vigenère cipher | Kasiski / IC analysis (1863) | Rotor machines (Enigma, 1918)
Enigma | Bomba / Banburismus (Rejewski, Turing) | One-time pad (Shannon, 1949)
DES | Differential & linear cryptanalysis | AES (Rijndael, 2001)
RSA / DH / ECC | Shor's algorithm (1994) | Lattice / code-based PQC (2024)
Key insight. Every successful attack has made cryptography stronger, not weaker. Differential cryptanalysis did not destroy block ciphers — it led to AES with provable resistance. Shor's algorithm has not destroyed public-key cryptography — it has catalysed post-quantum schemes built on even harder mathematical problems.
Chapter 45 — Synthesis
Four Grand Themes of Cryptanalysis Ch 45
Theme | Era | Central Idea | Key Technique
Frequency Analysis | 850–1900 | Natural language is not uniform | Letter/digram counts, IC
Algebraic Structure | 1930–2000 | Ciphers are mathematical objects | Group theory, S-box analysis
Computational Hardness | 1976–present | Security rests on intractable problems | Factoring, DLP, lattice problems
Quantum Threats | 1994–present | Quantum computers break hardness assumptions | Shor, Grover, post-quantum design
Convergence. Modern cryptanalysis demands proficiency in all four themes simultaneously. A post-quantum implementer must understand statistical testing, algebraic structure, computational hardness reductions, and quantum algorithms.
The human element persists. Despite all mathematical advances, implementation errors (Heartbleed, BEAST, CRIME) and social engineering remain the dominant real-world attack vectors. Theory and practice must advance together.
Chapter 45 — Synthesis
The Security Landscape: Classical vs Quantum Ch 45
Problem | Classical | Quantum | Status
Integer Factoring | Sub-exponential | Polynomial (Shor) | Broken
Discrete Log (Z_p^*) | Sub-exponential | Polynomial (Shor) | Broken
Elliptic Curve DL | Exponential | Polynomial (Shor) | Broken
Lattice SVP | Exponential | Exponential | Resistant
Syndrome Decoding | Exponential | Exponential | Resistant
Hash Preimage | Exponential | Square-root speedup (Grover) | Resistant
The cliff vs the slope. Public-key schemes face a cliff-edge collapse when quantum computers arrive — their security goes from high to zero. Symmetric ciphers face a gradual slope — their security is halved, but doubling the key length restores it.
Cryptographic family health:
Lattice-based: Strong security + good performance. Primary NIST standard.
Code-based: Long track record. Large keys.
Hash-based: Minimal assumptions. Signature-only, large sigs.
Symmetric: Use AES-256. Problem solved.
Chapter 45 — Synthesis
Open Problems: Foundations & Quantum Ch 45
Foundational questions:
P vs NP: If P = NP, no computationally-secure cryptography is possible (except OTP). All modern crypto assumes P ≠ NP.
One-way functions: Do they exist? Equivalent to P ≠ NP for many purposes.
Does a quantum speedup exist for lattice SVP beyond Grover?
Can quantum algorithms break LWE directly (not via SVP)?
Quantum random oracle model: formal security in the quantum setting
Chapter 45 — Synthesis
Practical Frontiers Ch 45
Side-channel resistance: Formal verification of constant-time implementations
Crypto-agility: Protocol designs that swap algorithms without redesign
AI-assisted cryptanalysis: Machine learning for cipher analysis, protocol verification
Fully homomorphic encryption: Practical FHE from LWE (bootstrapping efficiency)
The SIKE lesson (2022). Castryck and Decru's break used unexpected connections to isogeny theory. Even mature, well-studied schemes can fall. The field must remain perpetually humble and vigilant.
Chapter 45 — Synthesis
Lessons for the Practitioner (1–3) Ch 45
1. Never rely on obscurity.
Every proprietary cipher that has been analysed has been broken. Kerckhoffs' principle (1883): the system must be secure even if everything except the key is public.
2. Understand your threat model.
Classical, quantum, and side-channel attackers require different defences. A scheme secure against classical adversaries may be completely broken by a quantum computer.
3. Crypto-agility is essential.
Systems must be designed so that algorithms can be swapped without rebuilding the architecture. The SIKE break showed that even "well-studied" schemes can fall overnight.
Chapter 45 — Synthesis
Lessons for the Practitioner (4–6) Ch 45
4. Implementation matters as much as theory.
Heartbleed, BEAST, CRIME, and ROCA were all attacks on implementations, not on the underlying mathematics. Constant-time code, formal verification, and careful engineering are essential.
5. Diversity is a defence.
Relying on a single hardness assumption is fragile. NIST's portfolio approach — lattice, hash-based, code-based — provides resilience against a breakthrough in any one family.
6. Start migrating now.
Apply Mosca's inequality. For long-lived data, the transition to PQC should already be underway. Hybrid deployment (PQC + classical) is the recommended first step.
Chapter 45 — Synthesis
Course Map: All 15 Parts Ch 45
Part | Title | Key Technique | Era
I | Foundations | Frequency analysis | 850–1900
II | Classical Polyalphabetic | Kasiski / IC methods | 1400–1920
III | Polygraphic Ciphers | Hill cipher, matrix attacks | 1929–1940
IV | Enigma | Group-theoretic cycle analysis | 1918–1945
V | Information Theory | Entropy, perfect secrecy, unicity distance | 1949–1970
VI | Linear Cryptanalysis | Linear approximations of S-boxes | 1993–2001
VII | Differential Cryptanalysis | Input difference propagation | 1990–2001
VIII | AES | Wide trail strategy, MixColumns | 1998–2001
IX | RSA | Factoring (NFS, ECM, Wiener) | 1977–2020
X | Diffie-Hellman | Index calculus, Pohlig-Hellman | 1976–2020
XI | Elliptic Curves | MOV, Smart's attack, pairings | 1985–2020
XII | Algebraic Cryptanalysis | Gröbner bases, SAT solvers | 2000–2020
XIII | Quantum Threat | Shor & Grover algorithms | 1994–2024
XIV | Lattice Cryptography | LWE, LLL/BKZ reduction | 1996–2024
XV | Code-Based & Frontiers | Syndrome decoding, PQC migration | 2017–2024
Chapter 45 — Synthesis
Course Summary
The Art and Science of Codebreaking Continues
Cryptanalysis is not merely the art of breaking ciphers. It is a discipline that compels us to think rigorously about what it means for a system to be secure — to distinguish genuine confidence from false assurance, and to remain perpetually humble before the ingenuity of future adversaries.
The journey from Al-Kindi to post-quantum cryptography is, at its deepest level, a journey in the philosophy of knowledge — what can be known, what can be hidden, and what remains forever uncertain.