Lattice Cryptography for Applied Cryptographers

A plain-language course on lattices and lattice cryptography, written for applied cryptographers, protocol engineers, and software engineers who want to understand how modern post-quantum schemes work under the hood.

The course starts with the background maths and builds up slowly: vectors, matrices, modular arithmetic, sampling, noise, lattices, SIS, LWE, rings, modules, ML-KEM, ML-DSA, and Falcon.

I hope you find it useful,
Conor

Chapters

Chapters marked Soon are still being written.

Part 1: The tools you need before lattices

1

Getting Started

2

Vectors, length, and "short" things

3

Dot products, matrices, and many equations at once

4

Modular arithmetic and wraparoundSoon

5

Sampling, randomness, and noiseSoon

Part 2: Lattices from first principles

6

What is a lattice?Soon

7

Bases: one lattice, many descriptionsSoon

8

Good bases and bad basesSoon

9

Distance, shortest vectors, and minimum distanceSoon

10

Closest points and decodingSoon

11

Fundamental regions: reducing modulo a latticeSoon

12

The dual lattice, gentlySoon

Part 3: The hard problems

13

SVP: finding the shortest vectorSoon

14

Approximate SVP and why approximation mattersSoon

15

CVP and BDD: finding the nearest lattice pointSoon

16

Why high-dimensional lattices are hardSoon

Part 4: q-ary lattices, the bridge into real crypto

17

Lattices defined by modular equationsSoon

18

Public matrices as lattice descriptionsSoon

Part 5: SIS, the short relation problem

19

SIS from scratchSoon

20

Why SIS is hardSoon

21

SIS as hashing, commitments, and signaturesSoon

Part 6: LWE, the noisy equation problem

22

LWE from scratchSoon

23

Search-LWE and Decision-LWESoon

24

LWE encryption by handSoon

25

Noise, rounding, and correctness failureSoon

26

Worst-case to average-case hardnessSoon

Part 7: Rings and modules

27

Why plain SIS and LWE are too largeSoon

28

Polynomials as compressed vectorsSoon

29

Polynomial multiplication as structured matrix multiplicationSoon

30

Ring-LWE, Ring-SIS, and module latticesSoon

Part 8: ML-KEM and key encapsulation

31

From encryption to KEMsSoon

32

ML-KEM under the hoodSoon

Part 9: ML-DSA and lattice signatures

33

What a lattice signature provesSoon

34

Fiat-Shamir signatures from lattice relationsSoon

35

Rejection sampling and leakageSoon

36

ML-DSA under the hoodSoon

Part 10: Falcon and NTRU

37

NTRU intuitionSoon

38

NTRU latticesSoon

39

Hash-and-sign and trapdoor samplingSoon

40

Gaussian sampling and Falcon under the hoodSoon

Part 11: Attacks, parameters, and implementation

41

How lattice attacks work at a high levelSoon

42

Lattice reduction and security estimatesSoon

43

Parameters and tradeoffsSoon

44

Implementation failure modesSoon

45

PQC migration and scheme selectionSoon