MasterMath course

Selected Areas in Cryptology - Part 1

Spring 2024


Monika Trimoska
m [dot] trimoska [at] tue [dot] nl

Aim of the course

After a brief introduction to cryptography (the constructive side of cryptology) and cryptanalysis, the first part of the course introduces the main contenders for post-quantum systems based on error-correcting codes, hash functions, isogenies, lattices, or systems of multivariate equations. For each of these five families, we will first look into the underlying hard problems, and then at a specific digital signature scheme, as an example of how we use the hardness of these problems to build cryptographic systems. Digital signatures are part of public-key cryptography and this is the main area affected by quantum computers; symmetric-key systems (such as hash functions and block and stream ciphers) are used as building blocks inside them and for the transmission of data in bulk. The second part of the course will center around those symmetric-key cryptosystems, and will be taught by Bart Mennink.

General info

  • The lectures start on February 8 and take place every Thursday, 10:00 - 12:45 (Week 6-21).
  • Utrecht University, room BBG 005.
  • There are 7 lectures in Part 1.
  • The recordings of the lectures can be found at ; Password: t7i8
  • There is an assignment sheet for each lecture. The assignments are not evaluated, but you can send your solutions (any number of exercices) to get feedback.
  • The lectures are divided in two parts: 1.5 hours of lecture followed by 45 minute tutorial session (plus breaks).
  • The tutorial session in week $i$ is dedicated to answering your questions from assignment $(i-1)$.
  • Some of the exercices are about experimenting with the mathematical objects that are studied via a computer algebra system. You can submit those for feedback in either SageMath or Magma, according to your preference. For a quick intro to SageMath, see here.

Course materials

♦ Lecture 1
Algebraic cryptanalysis: MQ solving
[recording: Lecture 1 (1/3) SAC (s24), Lecture 1 (2/3) SAC (s24), Lecture 1 (3/3) SAC (s24)]
[slides intro, handout]
[slides, handout]
[demo script]

♦ Lecture 2
Multivariate cryptography: trapdoor constructions; UOV
[recording: Lecture 2 (1/2) SAC (s24), Lecture 2 (2/2) SAC (s24)]
[slides, handout]
[demo script]

♦ Lecture 3
Code-based cryptography I: equivalence problems; the Fiat-Shamir construction
[recording: Lecture 3 (1/2) SAC (s24), Lecture 3 (2/2) SAC (s24)]
[slides, handout]

♦ Lecture 4
Code-based cryptography II: information set decoding; the MPC-in-the-Head construction (moved to next lecture)
[recording: Lecture 4 (1/2) SAC (s24), Lecture 4 (2/2) SAC (s24)]
[slides, handout]

♦ Lecture 5
the MPC-in-the-Head construction
[recording: Lecture 8 (1/2) SAC (s24), Lecture 8 (2/2) SAC (s24)]
We did not cover Hash-based signatures. If you'd like to learn about SPHINCS+, there is a very nice lecture by Andreas Hülsing at this PQCrypto summer school. Tanja Lange is also covering Hash-based signatures in her PQC lecture series.

♦ Lecture 6
Isogeny-based cryptography: CSIDH
[recording: Lecture 11 (1/3) SAC (s24), Lecture 11 (2/3) SAC (s24), Lecture 11 (3/3) SAC (s24)]
[slides, handout]

♦ Lecture 7
Lattice-based cryptography
[recording: Lecture 12 (1/2) SAC (s24), Lecture 12 (2/2) SAC (s24)]

Other resources

I need a refresher on: I'd like to know more/work on:
  • [references for further reading will be posted here]


The exam is planned for June 13, 2024, and the retake for July 4, 2024. The exam will be a written or an oral exam, depending on the number of students. The final decision will be made in April.
The assignments are not included in the grade, but feedback will be given if submitted.

Created with ♥, and Manim.