Some Notes on Post-Quantum Cryptanalysis

Abstract: Cryptography as it is used today relies on a foundational level on the assumption that either the Integer Factoring Problem (IFP) or the Discrete Logarithm Problem (DLP) is computationally intractable. In the 1990s Peter Shor developed a quantum algorithm that solves both problems in polynomial time. Since then alternative foundational mathematical problems to replace IFP and DLP have been suggested. This area of research is called post-quantum cryptology.

To remedy the threat of quantum computers the National Institute of Standards and Technology (NIST) has organized a competition to develop schemes for post-quantum encryption and digital signatures. For both categories lattice-based cryptography candidates dominate. The second most promising type of candidate for encryption is code-based cryptography.

The lattice-based candidates are based on the difficulty of either the Learning With Errors problem (LWE) or the Nth Degree Truncated Polynomial problem (NTRU), of which LWE is the focus of this thesis. The difficulty of both these problems in turn relies on the difficulty of variations of the Shortest Vector Problem (SVP). Code-based cryptography is based on the difficulty of decoding random linear codes.

The main focus of this thesis is on solving the LWE problem using the Blum-Kalai-Wasserman algorithm (BKW). We have the following improvements of the algorithm.

1. We combined BKW with state-of-the-art lattice sieving methods to improve the complexity of the algorithm. We also elaborate on the similarities and differences between BKW and lattice sieving, two approaches that on a shallow level look very different.
2. We developed a new binary approach for the distinguishing phase of the BKW algorithm and showed that it performs favorably compared to previous distinguishers.
3. We investigated the Fast Fourier Transform (FFT) approach for the distinguishing part of BKW, showing that it performs better than theory predicts and identically with the optimal distinguisher. We showed that we could improve its performance by limiting the number of hypotheses being tested.
4. We introduced practical improvements of the algorithm such as non-integral step sizes, a file-based sample storage solution and an implementation of the algorithm.

We also improved the classical state-of-the-art approaches for k-sieving (lattice sieving where k vectors are combined at a time) by using quantum algorithms. At the cost of a small increase in time complexity we managed to drastically decrease the space requirement compared to the state-of-the-art quantum algorithm for solving the SVP.

Finally, we developed an algorithm for decoding linear codes where the noise is Gaussian instead of binary. We showed how code-based schemes with Gaussian noise are easily broken. We also found other applications for the algorithm in side-channel attacks and in coding theory.
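As an added illustration (not code from the dissertation), the following Python models the two BKW phases the abstract refers to: a reduction phase that cancels coordinates of a by subtracting colliding samples, and an FFT-style distinguisher that scores every hypothesis for the remaining secret coordinate. The modulus q = 101, dimension n = 4, ternary error distribution and the secret are constructed toy values chosen so the example runs in well under a second.

```python
import cmath
import random

Q = 101  # modulus; constructed toy parameter, far smaller than any real LWE instance
N = 4    # dimension of the secret; constructed toy parameter


def lwe_samples(secret, count, rng):
    """Generate LWE samples (a, b) with b = <a, s> + e (mod Q) and e drawn from {-1, 0, 1}."""
    out = []
    for _ in range(count):
        a = [rng.randrange(Q) for _ in range(N)]
        e = rng.choice((-1, 0, 1))
        out.append((a, (sum(x * y for x, y in zip(a, secret)) + e) % Q))
    return out


def bkw_reduce(samples, positions):
    """BKW reduction: for each position i, pair samples whose a[i] agree and subtract them.
    Coordinate i of every surviving sample becomes 0; the noise of a survivor is e1 - e2,
    so each round doubles the noise variance while roughly halving the sample count."""
    for i in positions:
        waiting, reduced = {}, []
        for a, b in samples:
            if a[i] in waiting:
                a2, b2 = waiting.pop(a[i])
                reduced.append(([(x - y) % Q for x, y in zip(a, a2)], (b - b2) % Q))
            else:
                waiting[a[i]] = (a, b)
        samples = reduced
    return samples


def dft_distinguish(samples, pos):
    """FFT-style distinguisher over one surviving coordinate: score each hypothesis g for s[pos]
    by |sum_j exp(2*pi*i*(b_j - a_j[pos]*g)/Q)|. For the right g the residues are the small
    accumulated noise, so the unit vectors align; for wrong g they cancel like a random walk."""
    def score(g):
        return abs(sum(cmath.exp(2j * cmath.pi * ((b - a[pos] * g) % Q) / Q) for a, b in samples))
    return max(range(Q), key=score)


def recover_last_coordinate(secret, num_samples=4000, seed=1):
    """Simulate the attack end to end: reduce away coordinates 0..N-2, then distinguish s[N-1]."""
    rng = random.Random(seed)
    reduced = bkw_reduce(lwe_samples(secret, num_samples, rng), range(N - 1))
    return dft_distinguish(reduced, N - 1)


if __name__ == "__main__":
    s = [17, 42, 3, 88]  # constructed secret
    print("recovered s[3] =", recover_last_coordinate(s), "(true value 88)")
```

Restricting the range of g scored in dft_distinguish is the "limiting the number of hypotheses" idea mentioned in item 3 of the abstract.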
