Frontier
Cryptography

The limits of classical cryptography

RSA, Diffie-Hellman, and elliptic curve cryptography all rely on the hardness of integer factorization or discrete logarithms. These problems are believed hard for classical computers, but Shor's algorithm solves both efficiently on a quantum computer. When sufficiently large quantum computers exist, every RSA key, every ECDSA signature, and every Diffie-Hellman key exchange becomes breakable.

But the quantum threat is only part of the story. Classical cryptography gives you confidentiality and integrity, but it cannot answer deeper questions. Can you prove your age without revealing your birthdate? Can two companies compare their customer lists without sharing them? Can a cloud server process your data without ever seeing it? These questions require fundamentally new tools.

Four frontiers

This chapter introduces four families of cryptographic techniques that extend what is possible beyond the classical toolkit.

What quantum computers do differently

Classical computers use bits that are either 0 or 1. Quantum computers use qubits that can exist in a superposition of both states simultaneously. This lets quantum algorithms explore exponentially many possibilities in parallel, using interference to amplify correct answers and cancel wrong ones.

This does not make quantum computers universally faster. For most problems, they offer no advantage. But for specific problems, including the mathematical foundations of public-key cryptography, they are devastatingly efficient.

Shor's algorithm intuition

Factoring a large number $N = p \times q$is believed to be hard for classical computers. Shor's algorithm reduces factoring to finding the period of a modular exponentiation function:

A classical computer checks periods one at a time. A quantum computer uses the Quantum Fourier Transform to find the period $r$ in one shot. Once you know the period, you can compute:

This breaks RSA (factor N), Diffie-Hellman (compute discrete logs), and ECDSA (compute discrete logs on elliptic curves). Every public-key scheme from the previous chapters is vulnerable.

Harvest now, decrypt later

NIST estimates “cryptographically relevant quantum computers” could emerge within the next 10 to 20 years. But the threat is already here: adversaries can record encrypted traffic today, store it, and decrypt it when quantum computers arrive.

If the data you are protecting today must remain confidential for a decade or more (medical records, government secrets, financial data), the migration to post-quantum cryptography is already urgent.

What is a lattice?

A lattice is a set of points generated by integer combinations of basis vectors. In two dimensions, think of a grid tilted and stretched by two vectors $\mathbf{b}_1$ and $\mathbf{b}_2$. Any lattice point can be written as:

Two key problems define lattice hardness:

Learning With Errors (LWE)

LWE is the foundation of ML-KEM (formerly Kyber) and ML-DSA (formerly Dilithium), the NIST-standardized post-quantum algorithms. The idea: take a secret vector $\mathbf{s}$, compute $\mathbf{A} \cdot \mathbf{s} + \mathbf{e}$ where $\mathbf{A}$ is a public matrix and $\mathbf{e}$ is a small random error vector.

Given $\mathbf{A}$ and $\mathbf{b}$, find $\mathbf{s}$. Without the error, this is simple linear algebra. With the error, it becomes a lattice problem that no known algorithm, classical or quantum, can solve efficiently in high dimensions.

The size trade-off

Post-quantum keys are significantly larger than their classical counterparts. This is the price of quantum resistance.

The three properties

A zero-knowledge proof must satisfy three properties:

The cave analogy

Imagine a circular cave with a door in the middle that requires a secret password. The cave has two paths, A and B, that lead to opposite sides of the door.

The prover enters from a random side. The verifier, standing outside, calls out which side the prover should exit from. If the prover knows the password, they can always pass through the door and exit from the requested side. If they do not know it, they can only exit from the side they entered, giving them a 50% chance of guessing correctly each round.

After 20 rounds, the probability of a bluffer passing every challenge is less than $(1/2)^{20} \approx 0.0001\%$. The verifier becomes overwhelmingly confident the prover knows the secret, without ever learning the password.

A real protocol: Schnorr identification

The Schnorr protocol lets a prover demonstrate knowledge of a secret $x$ such that $h = g^x$ without revealing $x$.

The verifier never learns $x$. They only see $a$, $c$, and $z$, which could have been generated without knowing $x$ (this is the simulation argument that proves zero-knowledge).

What SNARK stands for

How it works (simplified)

The computation is expressed as an arithmetic circuit (additions and multiplications over a finite field). The prover commits to the circuit's wire values using polynomial commitments. The verifier checks a few evaluations to confirm the computation was done correctly.

The key insight: checking a polynomial identity at a random point is enough to confirm the entire computation, with overwhelming probability. A degree-$d$ polynomial can agree with a different polynomial at most $d$ points. A single random check catches any discrepancy.

Real-world applications

The millionaires' problem

Andrew Yao proposed this problem in 1982: two people each hold a number. They want to determine which number is larger, but neither wants to reveal their number. The classical solution is to tell a trusted third party. MPC eliminates the third party entirely.

The result sounds impossible, but it is not. Cryptographic protocols let the two parties compute the comparison collaboratively, exchanging carefully crafted messages, such that neither party ever learns the other's input. Only the final answer (who is richer) is revealed.

Secret sharing: the foundation of MPC

Shamir's secret sharing splits a secret into $n$ shares such that any $t$ shares can reconstruct the secret, but $t-1$ shares reveal nothing. The trick: encode the secret as the constant term of a random polynomial of degree $t-1$.

Each share is an evaluation of the polynomial at a distinct point: share $i$ is $p(i)$. To reconstruct, use Lagrange interpolation with $t$ points to recover $p(0) = s$:

This is information-theoretically secure: not just hard to break with limited computing power, but mathematically impossible. With fewer than $t$ shares, infinitely many polynomials fit the data, each with a different secret. No amount of computation helps.

From sharing to computing

Once inputs are secret-shared, the parties can add and multiply shares using specific protocols. Addition is trivial: each party just adds their local shares. Multiplication requires an extra communication round (using techniques like Beaver triples).

By chaining additions and multiplications, any function expressible as an arithmetic circuit can be computed on secret-shared data. The parties exchange intermediate messages, but no individual message reveals any input. Only the final result is reconstructed.

What “homomorphic” means

A function is homomorphic if it preserves structure. For encryption, this means operations on ciphertexts correspond to operations on the underlying plaintexts:

The symbols $\oplus$ and $\otimes$ denote operations on ciphertexts. When you decrypt the result, you get the same answer as if you had performed the corresponding operation on the plaintexts directly.

A simple example: additive homomorphism

In a scheme like Paillier encryption, the ciphertext of a number $m$ with randomness $r$ is:

Multiplying two ciphertexts:

Multiplication in ciphertext space corresponds to addition in plaintext space. This is additive homomorphism. You can sum encrypted votes, aggregate encrypted sensor data, or compute encrypted statistics, all without decrypting individual values.

The full picture

Post-quantum cryptography replaces the mathematical foundations threatened by quantum computers. Lattice-based schemes like ML-KEM are already being deployed in browsers and messaging apps.

Zero-knowledge proofs let you prove a statement is true without revealing anything else. From identity verification to blockchain scaling, ZKPs enable privacy and efficiency that were previously incompatible.

Secure multi-party computation lets multiple parties compute a joint result without any party revealing its input. Secret sharing is the building block; MPC protocols chain it into arbitrary computation.

Homomorphic encryption lets you compute on data you cannot see. From partially homomorphic schemes used in production today to fully homomorphic encryption pushing the boundary of what is possible.