Week 1 • Chapter 46

Post-Quantum Cryptography

The landscape, the threat, and the knapsack warm-up

Bartosz Naskręcki — UAM, Spring 2026

The Quantum Threat in One Slide Ch 46.1

Every public-key primitive in widespread use today rests on either integer factorisation or discrete logarithm:

  • RSA, RSA-PSS, RSA-OAEP — factoring
  • Diffie–Hellman, ECDH, X25519 — DLP
  • DSA, ECDSA, Ed25519 — DLP
Shor (1994): a fault-tolerant quantum computer factors and computes discrete logs in polynomial time. The entire list above falls in one stroke.

Symmetric crypto is barely affected: Grover's algorithm gives only a quadratic speed-up, halving the effective key length. AES-256 still has ~128 quantum bits of security.

Hash functions are similarly only halved: collision-resistance drops from $n/2$ to $n/3$ via BHT, preimage from $n$ to $n/2$ via Grover.

Public-key infrastructure must move. Symmetric and hash primitives merely need bigger parameters.
Chapter 46 — Why Post-Quantum, Why Now

Harvest Now, Decrypt Later Ch 46.1

The migration deadline is not the day the quantum computer arrives.

It is some number of years before that day, equal to the data's required confidentiality lifetime.

Threat model. A passive adversary captures encrypted traffic today and stores it. When a sufficiently large quantum computer exists in 2030 / 2035 / 2040, they decrypt yesterday's traffic.

Concrete domains where this matters now: medical records, diplomatic cables, intellectual property, long-term financial contracts.

NSA CNSA 2.0 (2022, updated 2024):

Use case                     PQC by
Software/firmware signing    2025
TLS / IPsec                  2030
Full transition              2033

EU agencies (BSI, ANSSI, ENISA) advocate hybrid deployment first — classical KEM + PQC KEM concatenated — as defence-in-depth during the transition.

Chapter 46 — Migration timelines

The Five PQC Families Ch 46.2

Family        Hard problem                  NIST standard?                                              Where in this course
Lattice       LWE / Module-LWE / NTRU       ML-KEM (FIPS 203), ML-DSA (FIPS 204), Falcon (draft 206)    W2–W4
Code-based    Decoding random linear codes  Classic McEliece (R4), HQC (selected 2025)                  W5
Hash-based    Collision/preimage of $H$     SLH-DSA (FIPS 205), XMSS/LMS (RFC 8391/8554)                W6
Multivariate  Solving MQ over $\F_q$        None standardised; Rainbow broken 2022                      W7
Isogeny       Supersingular isogeny walks   None standardised; SIKE broken 2022                         W7
Diversity matters. ML-KEM and ML-DSA both rest on Module-LWE. NIST deliberately standardised at least one alternative-family scheme per role: HQC as alternative KEM, SLH-DSA as alternative signature.
Chapter 46 — The five families

NIST PQC Competition Timeline Ch 46.3

  • 2016 — call for proposals
  • 2017 — 69 submissions
  • 2019 — Round 2: 26 candidates
  • 2020 — Round 3: 7 finalists + 8 alternates
  • 2022 — selections; Rainbow and SIKE broken
  • 2024 — FIPS 203/204/205
  • 2025 — HQC
  • 2026? — FN-DSA
Phases: submission & rounds → finalists & standardisation → deployment + ongoing.
Lesson: the competition format works. Two round-3 finalists (Rainbow, SIKE) were broken during public review — before standardisation.
Chapter 46.3 — The competition

Part 2 of today

The Knapsack Warm-up

Subset-sum, Merkle–Hellman, and the first cautionary tale

Subset-Sum / 0-1 Knapsack Ch 46.4

Subset-Sum. Given positive integers $a_1, \ldots, a_n$ and a target $S$, find $\bx \in \{0,1\}^n$ with \[ \sum_{i=1}^n x_i a_i \;=\; S. \]
Karp (1972). The decision version is NP-complete.

The temptation: build a public-key cryptosystem where ciphertext is the sum and plaintext is the bit-vector. Encryption is trivial, decryption inherits NP-hardness.

The catch. NP-hardness is a worst-case statement. We need every random instance hard, not just some adversarial one. A trapdoor that makes decryption easy for the recipient may make the public sequence non-random in a way an attacker can exploit.
Chapter 46.4 — Subset-sum

Superincreasing Knapsacks Are Easy Ch 46.5

Superincreasing. A sequence $w_1, \ldots, w_n$ is superincreasing if \[ w_k \;\gt\; \sum_{i=1}^{k-1} w_i \quad \text{for all } k \ge 2. \]

Subset-sum is solved by greedy in $O(n)$: from $w_n$ down to $w_1$, take $w_k$ if $w_k \le$ remaining.

Example $w = (2,3,8,17,31,65,130,258)$, $S = 157$ → $\bx = (1,0,1,1,0,0,1,0)$.

wₖ    vs S     action          S after
258   > 157    skip            157
130   ≤ 157    take, x₇ = 1     27
 65   > 27     skip             27
 31   > 27     skip             27
 17   ≤ 27     take, x₄ = 1     10
  8   ≤ 10     take, x₃ = 1      2
  3   > 2      skip              2
  2   ≤ 2      take, x₁ = 1      0 ✓
Chapter 46.5 — The trapdoor

The Merkle–Hellman Trick (1978) Ch 46.6

Setup. Pick a superincreasing $w_1, \ldots, w_n$ (secret). Pick a modulus $m \gt \sum_i w_i$ and multiplier $r$ coprime to $m$ (secret).
Public key. $a_i = r \cdot w_i \bmod m$ — no longer superincreasing, looks random mod $m$.
Encrypt. $S = \sum_i x_i a_i$ (integer sum, not modular).
Decrypt. $S' = r^{-1} S \bmod m = \sum_i x_i w_i$ (because $\sum_i w_i \lt m$). Greedy recovers $\bx$.
The modular twist disguises the easy-instance superincreasing structure. To everyone without $r$, the public sequence looks like a hard random knapsack. To you, it is the easy one in disguise.
Chapter 46.6 — Merkle–Hellman

Why It Broke: Shamir 1984 + LLL 1985 Ch 46.7

Shamir 1984. A polynomial-time attack that does not solve general subset-sum — it exploits the modular-linear-image structure of the public key. The continued-fraction expansion of $a_i / m$ leaks the secret multiplier.

Lesson 1: structured trapdoors leak structure.

Lagarias–Odlyzko 1985. Low-density subset-sum (density $d = n / \log_2 \max a_i \lesssim 0.94$) is broken by lattice reduction:

  1. Build a special lattice in which a short vector encodes $\bx$.
  2. Run LLL.
  3. The shortest vector reveals the bit-vector.
Lesson 2: when in doubt, throw LLL at it.
These two attacks are the bridge to Week 2: LLL is the workhorse algorithm that breaks the knapsack and reduces lattice bases for cryptanalysis of every modern lattice scheme.
Chapter 46.7 — Two attacks, one bridge

Lab Today — What You Will Build Ch 46 lab

  1. Set up your Python environment: pip install numpy matplotlib sympy jupyter.
  2. Implement the superincreasing greedy decoder. Verify it on the toy example from these slides.
  3. Build merkle_hellman_keygen, encrypt, decrypt. Verify a round-trip on an 8-byte plaintext.
  4. Compute the density of your generated keys for $n = 8, 16, 32, 64$. Where does the Lagarias–Odlyzko attack threshold ($d \approx 0.94$) sit relative to your defaults?
  5. Generate a deliberately low-density $n = 32$ key (modulus $\approx 2^{128}$) and dump (public_key, ciphertext) to pk_w1.json. Save this file.
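Steps 2–4 in one file, added here as an example rather than the course's reference solution: the greedy decoder from slide 46.5, the Merkle–Hellman keygen/encrypt/decrypt from slide 46.6, and the density of slide 46.7. The gap_bits knob in merkle_hellman_keygen and the byte-to-bit packing in the demo are my assumptions; the pk_w1.json dump of step 5 is left to you.

```python
import secrets
from math import gcd, log2

def greedy_superincreasing(w, s):
    """Greedy subset-sum decoder for a superincreasing w (the 46.5 table):
    scan from w_n down to w_1 and take w_k whenever it still fits."""
    x = [0] * len(w)
    for k in range(len(w) - 1, -1, -1):
        if w[k] <= s:
            x[k], s = 1, s - w[k]
    if s != 0:
        raise ValueError("target is not a subset-sum of w")
    return x

def merkle_hellman_keygen(n, gap_bits=8):
    """gap_bits is an assumed tuning knob: each w_k exceeds the running sum by a random
    amount below 2**gap_bits, so m lands near 2**(n + gap_bits) and d near n/(n + gap_bits)."""
    w, total = [], 0
    for _ in range(n):
        w_k = total + 1 + secrets.randbelow(1 << gap_bits)  # strictly superincreasing
        w.append(w_k)
        total += w_k
    m = total + 1 + secrets.randbelow(total)               # modulus m > sum(w)
    r = 2 + secrets.randbelow(m - 2)
    while gcd(r, m) != 1:                                  # multiplier must be invertible mod m
        r = 2 + secrets.randbelow(m - 2)
    a = [(r * w_k) % m for w_k in w]                       # public key: no longer superincreasing
    return a, (w, r, m)

def encrypt(a, x):
    """Ciphertext is the plain integer sum of the selected public weights."""
    return sum(a_i for a_i, x_i in zip(a, x) if x_i)

def decrypt(sk, c):
    """Strip the modular disguise with r^-1 mod m, then greedy-decode the easy instance."""
    w, r, m = sk
    return greedy_superincreasing(w, (pow(r, -1, m) * c) % m)

def density(a):
    """Knapsack density d = n / log2(max a_i), the Lagarias-Odlyzko figure of merit."""
    return len(a) / log2(max(a))

if __name__ == "__main__":
    a, sk = merkle_hellman_keygen(64)                      # 64 bits: the lab's 8-byte plaintext
    x = [(b >> i) & 1 for b in b"knapsack" for i in range(8)]   # constructed plaintext bits
    print("round trip ok:", decrypt(sk, encrypt(a, x)) == x)
    for n in (8, 16, 32, 64):                              # step 4: all defaults sit below 0.94
        print(n, round(density(merkle_hellman_keygen(n)[0]), 3))
    print("n=32, gap_bits=96:", round(density(merkle_hellman_keygen(32, 96)[0]), 3))  # step 5: m near 2**128
```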
Next Tuesday (W2) we will read your pk_w1.json, build the Lagarias–Odlyzko lattice, run LLL, and recover the plaintext bit-vector. Bring your file.
Chapter 46 — Lab handover

Recap & What's Next

  1. Quantum-resistant crypto is needed now because of harvest-now-decrypt-later.
  2. Five families: lattice (W2–4), code (W5), hash (W6), multivariate & isogeny (W7), then standards & deployment (W8).
  3. NP-hardness alone is not enough. Merkle–Hellman demonstrates this: the trapdoor leaks structure (Shamir) and the public sequence is a low-density knapsack (Lagarias–Odlyzko).
  4. LLL is the bridge to next week: it breaks the knapsack and attacks lattice schemes.
  5. Crypto-agility — the ability to swap algorithms cheaply — matters as much as any one algorithm choice.
Read upstream Ch 40 (lattice problems & LLL) before next Tuesday. The lab will assume you know what a Gram–Schmidt orthogonalisation is.