Hasso-Plattner-Institut

Quantum-Safe Cryptography (Summer Semester 2022)

Lecturers: Prof. Dr. Anja Lehmann (Cyber Security - Identity Management), Dr. Gregor Seiler (Cyber Security - Identity Management)

General Information

  • Weekly hours per semester: 2
  • ECTS: 3
  • Graded: Yes
  • Enrollment period: 01.04.2022 - 30.04.2022
  • Examination date per §9 (4) BAMA-O: 08.07.2022
  • Teaching format: Lecture (block sessions)
  • Enrollment type: Compulsory elective module
  • Language of instruction: English

Degree Programs, Module Groups & Modules

Cybersecurity MA
  • CYAD: Cyber Attack and Defense
    • HPI-CYAD-K Concepts and Methods
  • CYAD: Cyber Attack and Defense
    • HPI-CYAD-T Techniques and Tools
  • CYAD: Cyber Attack and Defense
    • HPI-CYAD-S Specialization
  • IDMG: Identity Management
    • HPI-IDMG-K Concepts and Methods
  • IDMG: Identity Management
    • HDI-IDMG-T Techniques and Tools
  • IDMG: Identity Management
    • HPI-IDMG-S Specialization
IT-Systems Engineering MA
Data Engineering MA
Digital Health MA


The course is given by Dr. Gregor Seiler (IBM Research Europe).


During this course, the participants will obtain an overview of the field of quantum-safe cryptography and gain a detailed working knowledge of the different classes of quantum-safe cryptographic schemes. In particular, their underlying mathematical problems, advantages, and limitations will be discussed.

The security of all of the currently deployed public-key schemes depends on the intractability of the integer factorization and discrete logarithm problems. While there are no known efficient classical algorithms for these problems that run on standard computers, the situation changes if one also considers so-called quantum algorithms, which require fault-tolerant quantum computers to be executed. In fact, both the integer factorization problem and the discrete logarithm problem are efficiently solvable by Shor's quantum algorithm. Fortunately, there are still significant engineering problems that need to be overcome before any organization can succeed in building the required quantum computers. On the other hand, there are no known fundamental barriers that would render the eventual availability of such quantum computers unlikely, very large resources are being spent on their development, and there has been significant progress in recent years. This is particularly relevant to public-key encryption, since the data encrypted today can be decrypted by anyone should quantum computers become available.

The subfield of cryptography concerned with research into alternative cryptographic schemes that still run on classical computers but are also secure against adversaries with access to quantum computers is called quantum-safe cryptography. There are several classes of quantum-safe schemes based on a variety of hard mathematical problems, and there will soon be standards for these schemes thanks to the PQC standardization effort by NIST that has been ongoing since 2017.


The in-person part of the course will be organized in two blocks at the beginning and end of the semester. The first block will be in the form of a lecture where the necessary mathematical prerequisites and hardness assumptions will be introduced. The main emphasis will be placed on Euclidean lattices, error-correcting codes, and isogenies between elliptic curves. Then a selection of the schemes from round 3 of the NIST PQC standardization effort and their accompanying papers will be distributed among the participants. The time between the two blocks is to be used by the participants to study their assigned paper and prepare a presentation for it. The second block will then consist of the presentations by the participants.

Moodle: https://moodle.hpi.de/course/view.php?id=309


The grades for the course will be based on the presentations and a written report to be handed in by the participants.


  • Block lectures: 22.4, 29.4, 6.5 (11:00-15:00, H2.57/58, with lunch break ~12:30-13:30)
  • Student presentations: 8.7 and 15.7 (full day, H2.57/58)