Three minority families and two famous 2022 breaks
Bartosz Naskręcki — UAM, Spring 2026
Why These Three? Ch 48.1
ML-KEM and ML-DSA dominate deployment. Why also study NTRU, MQ, and isogenies?
NTRU is the oldest practical PQC scheme (1996, predates LWE). Falcon (FIPS 206 draft) reuses NTRU lattices.
Multivariate is still alive: UOV is a round-2 candidate in NIST's additional-signature on-ramp, while Rainbow's 2022 break is a teaching moment in algebraic cryptanalysis.
Isogeny schemes have the smallest public keys / signatures in the entire PQC space (CSIDH, SQIsign < 1 KB).
Recurring theme. Younger mathematics + smaller cryptanalytic community = more fragility. Both Rainbow and SIDH/SIKE were broken in 2022, both within the NIST competition.
NIST's strategy of standardising multiple families (HQC, SLH-DSA) is a deliberate hedge against exactly this kind of fragility.
Chapter 48.1 — Three minority families
NTRU: The Original PQC Scheme (1996) Ch 48.2
Ring. $R = \Z[x]/(x^N - 1)$, $R_q = R / qR$, $R_p = R / pR$. Multiplication in $R$ is cyclic convolution.
Parameters. $(N, p, q)$ with $\gcd(p, q) = 1$, typically $p = 3$, $q \in \{2048, 4096\}$.
Keygen. Sample short ternary $f, g \in R$ with $f$ invertible mod $p$ and mod $q$. Compute $F_p = f^{-1} \in R_p$, $F_q = f^{-1} \in R_q$. Public key $h = p \cdot F_q \cdot g \pmod q$.
Encrypt. $c = h \cdot r + m \pmod q$ for a fresh short $r$ and a message $m \in R_p$ with ternary coefficients.
Decrypt. $a = f \cdot c = p \cdot g \cdot r + f \cdot m \pmod q$ → centre coefficients into $(-q/2, q/2]$ → reduce mod $p$ (the $p \cdot g \cdot r$ term vanishes) → multiply by $F_p$ → recover $m$.
Correctness needs every coefficient of $p \cdot g \cdot r + f \cdot m$ to sit inside $(-q/2, q/2]$; if one wraps around $q$, decryption fails, which is why a small $q$ gives a measurable failure rate.
Security ↔ finding the short pair $(f, g)$ given $h$ — a structured-lattice problem (the NTRU lattice).
NTRU Prime (Bernstein et al. 2017) ditches the cyclic ring: $R = \Z_q[x]/(x^p - x - 1)$ with $p$ prime (here $p$ is the ring degree, not the small modulus above) and $x^p - x - 1$ irreducible mod $q$, so $R$ is a field with no subfields or small automorphisms to exploit. A round-3 NIST alternate (not a finalist); lost to Kyber but lives on as a conservative variant, e.g. sntrup761 inside OpenSSH's default key exchange.
Chapter 48.2 — NTRU
Multivariate & UOV in One Slide Ch 48.4–48.5
MQ. Given $m$ multivariate quadratics $p_1, \ldots, p_m \in \F_q[x_1, \ldots, x_n]$, find $\bx \in \F_q^n$ with $p_i(\bx) = 0$ for every $i$. NP-hard.
Build secret system $\mathcal{F}$ that is easy to invert; publish $\mathcal{P} = T \circ \mathcal{F} \circ S$ where $T, S$ are secret affine bijections.
UOV (Kipnis–Patarin–Goubin 1999). Split variables into vinegar (random) + oil (solved-for). Central polynomials have no oil×oil terms, so once the vinegar values are fixed each equation is linear in the oil variables: signing is Gaussian elimination on an $m \times o$ system, retried with fresh vinegar (probability about $1/q$) when that system is singular.
Rainbow (Ding–Schmidt 2005) is a layered UOV: each layer's "oil" becomes the next layer's "vinegar". A NIST round-3 finalist for digital signatures.
February 2022: Ward Beullens posts "Breaking Rainbow Takes a Weekend on a Laptop."
Key step: for a random $x$, restrict the $m$ public equations to the kernel of the differential of the public map at $x$ (an $(n-m)$-dimensional space); with probability about $1/q$ that small system has a solution inside the second-layer oil space.
Solves it with an XL/Gröbner-basis solver; one such oil vector exposes the layer structure and the rest of the key follows by linear algebra.
Rainbow-I: claimed security $2^{128}$; Beullens' attack cost $2^{53}$ (about a weekend on a laptop).
Rainbow-III: claimed security $2^{192}$; Beullens' attack cost $2^{74}$.
Rainbow eliminated. UOV (single-layer) survives and is a round-2 candidate in NIST's additional-signature on-ramp.
Lessons. Algebraic security is fragile: one structural observation about the oil space erased 75 bits of claimed security. Public scrutiny works (the break landed during NIST review). Layered constructions can be more vulnerable than the single-layer base they are built from.
Chapter 48.6 — Beullens 2022
Supersingular Isogeny Graphs Ch 48.7
Supersingular. $E/\F_{p^2}$ is supersingular ⇔ $p$ divides the trace of Frobenius. Every supersingular $j$-invariant lies in $\F_{p^2}$ and has a model with $|E(\F_{p^2})| = (p+1)^2$ (its quadratic twist has $(p-1)^2$); SIDH uses that model so the $2^a$- and $3^b$-torsion is $\F_{p^2}$-rational when $p = 2^a 3^b f - 1$. There are about $p/12$ of them (exactly $\lfloor p/12 \rfloor$ plus 0, 1 or 2 depending on $p \bmod 12$). Isogeny. A non-constant morphism $\phi \colon E \to E'$ fixing the identity; a separable degree-$\ell$ isogeny is determined by its kernel, an order-$\ell$ subgroup of $E[\ell]$. For prime $\ell$ there are $\ell + 1$ such subgroups, so every vertex has $\ell + 1$ edges counted with multiplicity.
The graph: vertices = supersingular $j$-invariants, edges = $\ell$-isogenies. For small $\ell$ a Ramanujan expander — random walks mix in $O(\log p)$.
SIDH: Alice walks length $\sim \log p$ to $E_A$; Bob to $E_B$; both compute $E_{AB}$.
SIDH also publishes the images $\phi_A(P_B), \phi_A(Q_B)$ of Bob's torsion basis, so that Bob can push his secret kernel through Alice's isogeny. This is the trapdoor that makes the key exchange work and the exact information Castryck–Decru exploit.
[Figure: toy 2-isogeny graph, $p \approx 71$, about 6 vertices]
Chapter 48.7 — SIDH setup
Castryck–Decru 2022 — SIDH Falls Ch 48.8
July–Aug 2022: Castryck & Decru publish a polynomial-time SIDH key-recovery.
Kani (1997). Two isogenies $E \to E_1$, $E \to E_2$ of coprime degrees $d_1, d_2$ with $d_1 + d_2 = N$ determine an $(N, N)$-isogeny of principally polarised abelian surfaces out of $E_1 \times E_2$ whose codomain splits again as a product of elliptic curves; its kernel is written down from the images of $E[N]$ under the two isogenies.
Those images are exactly SIDH's auxiliary points: glue the unknown secret walk and an attacker-chosen walk of complementary degree (built from an endomorphism of the special starting curve) into one genus-2 object, and compute the $(2^a, 2^a)$-isogeny as a chain of Richelot $(2,2)$-isogenies.
Guess the first few steps of the secret walk; the chain ends in a split surface only for the right guess, so the key comes out step by step in polynomial time. The paper targets Bob's $3^b$-isogeny; the same idea applies to Alice, and Maino–Martindale and Robert soon removed the dependence on the special starting curve.
SIKEp434 (NIST level 1): key recovered in about 1 hour.
SIKEp751 (NIST level 5): key recovered in about 1 day.
SIKE withdrawn from the NIST process within weeks of the preprint.
[Figure: attack idea, two SIDH walks glued into one genus-2 surface]
Lesson: any "convenience" auxiliary output is a structural hint. Cryptosystems must publish the minimum.
Chapter 48.8 — Castryck–Decru
What Survives + Sizes vs the Standards Ch 48.8
CSIDH (2018) and SQIsign (2020) survive: no auxiliary points, so Castryck–Decru does not apply.
CSIDH-512: public key ~64 B. Note: quantum sub-exponential attack via Kuperberg's sieve.
SQIsign-I: public key ~64 B. Signatures ~200 B (smallest in PQC!).
NIST's additional-signature on-ramp is running; SQIsign (alongside UOV) advanced to its second round in 2024.
[Figure: public-key size comparison at NIST level 1, log scale. SQIsign and CSIDH have the smallest keys; Classic McEliece pays with roughly 260 KB at level 1 and over 1 MB at level 5.]
Chapter 48.8 — CSIDH & SQIsign
Lab Today Ch 48 lab
Run the toy NTRU implementation in Ch 48.2 with $N = 11$, $p = 3$, $q = 31$. Verify keygen + encrypt + decrypt round-trip.
Empirically estimate the decryption-failure rate at $q = 31, 64, 128, 256$. Plot it.
Construct the NTRU lattice $L_h = \{(u, v) \in \Z^N \times \Z^N : v = h \cdot u \pmod q\}$ (basis rows $(e_i, x^i h \bmod q)$ and $(0, q e_i)$). Check that $(f, p \cdot g)$ lies in it (because $h \cdot f = p \cdot g \pmod q$) and is short. Run LLL on a tiny instance and observe what comes back.
Run the toy UOV in Ch 48.5 over $\F_{31}$, $v = 6$, $o = 4$. Verify signing succeeds in $\le 4$ vinegar attempts.
(Sage required) Enumerate supersingular $j$-invariants over $\F_{431^2}$, plot the 2-isogeny graph, and check that its diameter is a handful of steps, consistent with $O(\log p)$ mixing (compare a second prime to see the growth).
(Project candidate) Pick a NIST-relevant scheme and write a 2-page explainer of its design choices, in your own words, for a fellow student.
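Lab tasks 1–3 and the Ch 48.2 slide, as an added worked example (new code written for these notes, not the course's toy implementation the lab refers to): keygen, encrypt and decrypt in $\Z_q[x]/(x^N - 1)$ with $N = 11$, $p = 3$; polynomial inversion by extended Euclid plus Hensel lifting for the power-of-two moduli; an empirical decryption-failure rate at $q \in \{31, 64, 128, 256\}$; and a membership check of $(f, p \cdot g)$ in the NTRU lattice $L_h$. The weight $d = 3$ of the ternary polynomials is my choice; plotting and LLL (fpylll or Sage) are left to the reader.

```python
"""Toy NTRU from Ch 48.2 at the lab's sizes: N = 11, p = 3, q in {31, 64, 128, 256}."""
import random

def poly_mul(a, b, N, q):
    """Cyclic convolution, i.e. multiplication in Z_q[x]/(x^N - 1)."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % q
    return c

def centre(a, q):
    """Lift Z_q coefficients to the centred range (-q/2, q/2]."""
    return [(c + q // 2) % q - q // 2 for c in a]

def _inv_mod_prime(f, N, r):
    """Inverse of f in F_r[x]/(x^N - 1) by extended Euclid; None if gcd(f, x^N - 1) != 1."""
    def trim(a):
        while a and a[-1] == 0:
            a.pop()
        return a
    def divmod_(a, b):
        a, quo = a[:], [0] * max(len(a) - len(b) + 1, 1)
        lead_inv = pow(b[-1], -1, r)
        while a and len(a) >= len(b):
            k, coef = len(a) - len(b), a[-1] * lead_inv % r
            quo[k] = coef
            for i, bi in enumerate(b):
                a[k + i] = (a[k + i] - coef * bi) % r
            trim(a)
        return quo, a
    m = [(-1) % r] + [0] * (N - 1) + [1]                    # x^N - 1
    r0, r1, s0, s1 = m, trim([c % r for c in f]), [], [1]     # invariant: r_i = s_i * f (mod x^N - 1)
    while r1:
        quo, rem = divmod_(r0, r1)
        prod = [0] * (len(quo) + len(s1))
        for i, qi in enumerate(quo):
            for j, sj in enumerate(s1):
                prod[i + j] = (prod[i + j] + qi * sj) % r
        width = max(len(s0), len(prod))
        s2 = [((s0[i] if i < len(s0) else 0) - (prod[i] if i < len(prod) else 0)) % r for i in range(width)]
        r0, r1, s0, s1 = r1, rem, s1, trim(s2)
    if len(r0) != 1:                                          # gcd is not a unit: f is not invertible
        return None
    inv, c = [0] * N, pow(r0[0], -1, r)
    for i, si in enumerate(s0):
        inv[i % N] = (inv[i % N] + c * si) % r
    return inv

def poly_inv(f, N, modulus):
    """Inverse in Z_modulus[x]/(x^N - 1). Assumption: modulus is prime or a power of two.
    Invert mod the prime, then Hensel-lift F <- F(2 - fF), doubling the precision each round."""
    r = 2 if modulus % 2 == 0 else modulus
    inv, prec = _inv_mod_prime(f, N, r), r
    while inv is not None and prec < modulus:
        ff = poly_mul(f, inv, N, modulus)
        two_minus_ff = [(-c) % modulus for c in ff]
        two_minus_ff[0] = (two_minus_ff[0] + 2) % modulus
        inv, prec = poly_mul(inv, two_minus_ff, N, modulus), prec * prec
    return inv

def ternary(N, ones, neg_ones):
    coeffs = [1] * ones + [-1] * neg_ones + [0] * (N - ones - neg_ones)
    random.shuffle(coeffs)
    return coeffs

def keygen(N=11, p=3, q=31, d=3):
    """Returns ((f, F_p, F_q, g), h) with h = p * F_q * g mod q."""
    while True:
        f = ternary(N, d + 1, d)                  # f(1) = 1, so f is never divisible by x - 1
        Fp, Fq = poly_inv(f, N, p), poly_inv(f, N, q)
        if Fp is not None and Fq is not None:
            break
    g = ternary(N, d, d)
    return (f, Fp, Fq, g), poly_mul([p * c for c in Fq], g, N, q)

def encrypt(h, m, N=11, p=3, q=31, d=3):
    r = ternary(N, d, d)                          # fresh short blinding polynomial
    return [(a + b) % q for a, b in zip(poly_mul(h, r, N, q), m)]

def decrypt(sk, c, N=11, p=3, q=31):
    f, Fp, _, _ = sk
    a = centre(poly_mul(f, c, N, q), q)           # = p*g*r + f*m exactly, unless a coefficient wrapped
    return centre(poly_mul(Fp, [x % p for x in a], N, p), p)

def roundtrip(N=11, p=3, q=31):
    sk, h = keygen(N, p, q)
    m = [random.randint(-1, 1) for _ in range(N)]
    return decrypt(sk, encrypt(h, m, N, p, q), N, p, q) == m

def failure_rate(N=11, p=3, q=31, trials=200):
    """Lab task 2. With d = 3 each coefficient of p*g*r + f*m is bounded by 3*6 + 7 = 25,
    so q >= 64 never fails while q = 31 (centred range [-15, 15]) visibly does."""
    return sum(not roundtrip(N, p, q) for _ in range(trials)) / trials

def in_ntru_lattice(h, u, v, N, q):
    """Lab task 3: is (u, v) in L_h = {(u, v) : v = h*u mod q}?  Since h*f = p*g mod q,
    the short vector is (f, p*g); basis rows are (e_i, x^i h mod q) and (0, q e_i)."""
    return [x % q for x in v] == poly_mul(h, u, N, q)

if __name__ == "__main__":
    sk, h = keygen()
    f, _, _, g = sk
    print("(f, p*g) in L_h:", in_ntru_lattice(h, f, [3 * c for c in g], 11, 31),
          " squared norm:", sum(c * c for c in f) + sum(9 * c * c for c in g))
    for q in (31, 64, 128, 256):
        print(f"q = {q:3d}: decryption-failure rate ~ {failure_rate(q=q):.2f}")
```

The bound in `failure_rate` is what the plot should show: a non-zero rate at $q = 31$ that drops to exactly zero from $q = 64$ on, because $25 < 32$ leaves no room for a wrap. Real parameter sets pick $q$ so that the failure probability is negligible rather than zero, since failures leak information about the secret.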
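The vinegar-then-solve signing step of Ch 48.5 at the lab's size ($\F_{31}$, $v = 6$, $o = 4$), as an added example (new code for these notes, not the course's toy UOV). It takes $T$ as the identity, which modern UOV specifications also do, because the only secret that matters is the oil subspace hidden by $S$; the target vector is passed in directly where a real scheme would hash the message. Helper names are mine.

```python
"""Toy UOV over F_31 with v = 6 vinegar and o = 4 oil variables (m = o equations)."""
import random

Q, V, O = 31, 6, 4

def mat_mul(A, B, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def mat_vec(A, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]

def transpose(A):
    return [list(col) for col in zip(*A)]

def mat_inv(M, q):
    """Gauss-Jordan inverse over F_q (q prime); None if M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [a * inv % q for a in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(a - fac * b) % q for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def quad_form(M, x, q):
    """x^T M x over F_q; M holds the coefficients of one quadratic polynomial."""
    n = len(x)
    return sum(x[i] * M[i][j] * x[j] for i in range(n) for j in range(n)) % q

def oil_block_is_zero(mats, v):
    """True iff no polynomial in `mats` has an oil x oil term (the UOV secret structure)."""
    n = len(mats[0])
    return all(M[i][j] == 0 for M in mats for i in range(v, n) for j in range(v, n))

def keygen(q=Q, v=V, o=O):
    n = v + o
    central = []                                   # secret map F: upper-triangular coefficient matrices
    for _ in range(o):
        A = [[0] * n for _ in range(n)]
        for i in range(v):                         # rows i >= v stay zero: no oil x oil terms
            for j in range(i, n):
                A[i][j] = random.randrange(q)
        central.append(A)
    while True:                                    # secret invertible change of variables S
        S = [[random.randrange(q) for _ in range(n)] for _ in range(n)]
        S_inv = mat_inv(S, q)
        if S_inv is not None:
            break
    St = transpose(S)
    public = [mat_mul(mat_mul(St, A, q), S, q) for A in central]   # P_k(x) = F_k(S x) = x^T S^T A_k S x
    return (central, S_inv), public

def sign(secret, target, q=Q, v=V, o=O, max_attempts=100):
    """Returns (signature, attempts). Each attempt fixes random vinegar, which makes every
    central polynomial affine in the oil variables, and solves that o x o linear system."""
    central, S_inv = secret
    for attempt in range(1, max_attempts + 1):
        vin = [random.randrange(q) for _ in range(v)]
        const, L = [], []
        for A in central:
            const.append(sum(vin[i] * A[i][j] * vin[j] for i in range(v) for j in range(i, v)) % q)
            L.append([sum(vin[i] * A[i][v + j] for i in range(v)) % q for j in range(o)])
        L_inv = mat_inv(L, q)
        if L_inv is None:                          # singular with probability about 1/q: new vinegar
            continue
        oil = mat_vec(L_inv, [(t - c) % q for t, c in zip(target, const)], q)
        return mat_vec(S_inv, vin + oil, q), attempt   # signature s = S^{-1}(vin, oil)
    raise RuntimeError("no invertible oil system found")

def verify(public, sig, target, q=Q):
    return [quad_form(P, sig, q) for P in public] == [t % q for t in target]

if __name__ == "__main__":
    sk, pk = keygen()
    target = [random.randrange(Q) for _ in range(O)]   # stands in for H(message)
    sig, attempts = sign(sk, target)
    print("attempts:", attempts, " verifies:", verify(pk, sig, target))
    print("secret oil block zero:", oil_block_is_zero(sk[0], V),
          " public oil block zero:", oil_block_is_zero(pk, V))
```

The two `oil_block_is_zero` calls make the trapdoor visible: the central map has an all-zero oil×oil block, the public map $S^T A_k S$ does not, and recovering the hidden oil subspace from the public matrices is exactly what the Beullens attack on the two-layer Rainbow variant manages to do.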
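Lab task 5 and the Ch 48.7 graph, as an added example in plain Python rather than Sage (new code for these notes, not from the lecture): it builds the supersingular 2-isogeny graph over $\F_{p^2}$ for a prime $p \equiv 3 \pmod 4$ by walking the classical level-2 modular polynomial $\Phi_2(X, Y)$ from $j = 1728$, which is supersingular for such $p$. Roots are found by brute force over all $p^2$ field elements, so it is meant for the toy $p = 71$; the lab's $p = 431$ takes on the order of a minute, and past that Sage is the right tool. Function names are mine.

```python
"""Supersingular 2-isogeny graph over F_{p^2} via the classical modular polynomial Phi_2 (toy sizes)."""
from collections import deque

# F_{p^2} = F_p[i]/(i^2 + 1), valid when p = 3 (mod 4); elements are pairs (a, b) meaning a + b*i.
def fp2_mul(x, y, p):
    return ((x[0] * y[0] - x[1] * y[1]) % p, (x[0] * y[1] + x[1] * y[0]) % p)

def fp2_add(x, y, p):
    return ((x[0] + y[0]) % p, (x[1] + y[1]) % p)

def fp2_scale(k, x, p):
    return (k * x[0] % p, k * x[1] % p)

def phi2_in_y(j, p):
    """Phi_2(j, Y) as a cubic in Y, coefficients [Y^3, Y^2, Y^1, Y^0] in F_{p^2}, where
    Phi_2(X,Y) = X^3 + Y^3 - X^2 Y^2 + 1488 (X^2 Y + X Y^2) - 162000 (X^2 + Y^2)
                 + 40773375 X Y + 8748000000 (X + Y) - 157464000000000."""
    one = (1, 0)
    j2 = fp2_mul(j, j, p)
    j3 = fp2_mul(j2, j, p)
    c2 = fp2_add(fp2_add(fp2_scale(-1, j2, p), fp2_scale(1488, j, p), p), fp2_scale(-162000, one, p), p)
    c1 = fp2_add(fp2_add(fp2_scale(1488, j2, p), fp2_scale(40773375, j, p), p),
                 fp2_scale(8748000000, one, p), p)
    c0 = fp2_add(fp2_add(fp2_add(j3, fp2_scale(-162000, j2, p), p), fp2_scale(8748000000, j, p), p),
                 fp2_scale(-157464000000000, one, p), p)
    return [one, c2, c1, c0]

def neighbours(j, p):
    """Distinct j-invariants 2-isogenous to j: the roots of Phi_2(j, Y) in F_{p^2}.
    All three roots (with multiplicity) lie in F_{p^2} because j is supersingular."""
    coeffs = phi2_in_y(j, p)
    roots = []
    for a in range(p):
        for b in range(p):
            y = (a, b)
            acc = coeffs[0]
            for c in coeffs[1:]:                      # Horner evaluation
                acc = fp2_add(fp2_mul(acc, y, p), c, p)
            if acc == (0, 0):
                roots.append(y)
    return roots

def isogeny_graph(p):
    """BFS from j = 1728 (supersingular when p = 3 mod 4). The 2-isogeny graph is connected,
    so this enumerates every supersingular j-invariant. Returns {j: [neighbouring j's]}."""
    if p % 4 != 3:
        raise ValueError("this toy F_{p^2} model needs p = 3 (mod 4)")
    start = (1728 % p, 0)
    adj = {start: neighbours(start, p)}
    queue = deque([start])
    while queue:
        j = queue.popleft()
        for k in adj[j]:
            if k not in adj:
                adj[k] = neighbours(k, p)
                queue.append(k)
    return adj

def diameter(adj):
    """Largest BFS distance between any two vertices (all-pairs BFS; the graph is tiny)."""
    worst = 0
    for s in adj:
        dist, queue = {s: 0}, deque([s])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        if len(dist) != len(adj):
            raise RuntimeError("graph should be connected")
        worst = max(worst, max(dist.values()))
    return worst

def expected_vertex_count(p):
    """Number of supersingular j-invariants: floor(p/12) plus 0, 1, 1, 2 for p = 1, 5, 7, 11 (mod 12)."""
    return p // 12 + {1: 0, 5: 1, 7: 1, 11: 2}[p % 12]

if __name__ == "__main__":
    p = 71
    G = isogeny_graph(p)
    print(f"p = {p}: {len(G)} vertices (formula: {expected_vertex_count(p)}), diameter {diameter(G)}")
    for j, nb in G.items():
        print("  j =", j, "->", nb)
```

Two things to look for in the output: the loop at $j = 1728$, which is the degree-2 endomorphism $1 + i$ of $y^2 = x^3 + x$ (over $\Z$, $\Phi_2(1728, Y) = (Y - 1728)(Y - 287496)^2$), and the vertex count matching the $\lfloor p/12 \rfloor$ formula, which is the check that BFS really reached the whole supersingular set. For the $O(\log p)$ claim, run two or three primes and compare the diameters; a single $p$ cannot verify an asymptotic.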
Multivariate — UOV survives, Rainbow broken (Beullens 2022, weekend on a laptop).
Isogeny — SIDH/SIKE broken (Castryck–Decru 2022, polynomial time, hours of CPU). CSIDH and SQIsign survive because they do not publish auxiliary points.
The recurring lesson: smaller, younger families with more compact public output are correspondingly more fragile to algebraic attacks.
Next Tuesday (W8): NIST PQC standards in deployment — FIPS 203/204/205, draft 206, HQC, hybrid TLS handshakes with OpenSSL + oqs-provider, CNSA 2.0 deadlines, and project presentations.