Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Reference toSyena=Garuda=a Bird-likeHindu divinityin India
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.: ...Garuda in India
≤100≤100≤100 B.C.E.: Greek legend of Icarus
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus
559559559: Manned kiteglide off a tower inChina
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus
559559559: Manned kiteglide off a tower inChina
March 10, 1912:
First bombingmission, duringItalo-Turkish War
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight insteam-poweredaluminummonoplane inFrance
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight insteam-poweredaluminummonoplane inFrance
1914-1918:
WWI
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
Nuclear Energy
1789: Martin Klaprothdiscovers uranium
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
Nuclear Energy
1789: Martin Klaprothdiscovers uranium
1905: Einstein’s paperputting forthmass=energy
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
Nuclear Energy
1789: Martin Klaprothdiscovers uranium
1905: Einstein’s paperputting forthmass=energy
1939: Otto Frischconfirms energy releasefrom fission
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
Nuclear Energy
1789: Martin Klaprothdiscovers uranium
1905: Einstein’s paperputting forthmass=energy
1939: Otto Frischconfirms energy releasefrom fission
July 16, 1945: Firstfission explosion
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
...Garuda in India
≤100≤100≤100 B.C.E.:
Greek legend ofIcarus...
187418741874: Felix duTemple makesshort flight...
1914-1918:
WWI
1920: NationalAir Mail begins
Nuclear Energy
1789: Martin Klaprothdiscovers uranium
1905: Einstein’s paperputting forthmass=energy
1939: Otto Frischconfirms energy releasefrom fission
July 16, 1945: Firstfission explosion
December 1951: Firstnuclear reactor, byArgonne National Labs,in Idaho
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914-1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
≤ 1500≤ 1500≤ 1500B.C.E.:
Encryptedrecipe on claytablets inMesopotamia
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914-1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
≤ 1500≤ 1500≤ 1500B.C.E.:
Encryptedrecipe on claytablets inMesopotamia
≤ 1865≤ 1865≤ 1865:Ciphers in USCivil War
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914-1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
≤ 1500≤ 1500≤ 1500B.C.E.:
Encryptedrecipe on claytablets inMesopotamia
≤ 1865≤ 1865≤ 1865:Ciphers in USCivil War
1920− 19451920− 19451920− 1945:Enigmainvented byGermans thenused in WWII
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914-1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
≤ 1500≤ 1500≤ 1500B.C.E.:
Mesopotamia...
≤ 1865≤ 1865≤ 1865:Ciphers in USCivil War
1920− 19451920− 19451920− 1945:Enigmainvented byGermans thenused in WWII
197619761976 & 197819781978:DH and RSAinvented
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914–1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
...≤ 1945≤ 1945≤ 1945...
≤ 1973≤ 1973≤ 1973–’747474: RSAand DH actually
invented at GCHQ!
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914–1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
...≤ 1945≤ 1945≤ 1945...
≤ 1973≤ 1973≤ 1973–’747474: RSAand DH actually
invented at GCHQ!
199419941994: Peter Shorfinds quantumalgorithm that, intheory, easilybreaks DH andRSA.
J. Maurice Rojas Notes on Post-Quantum
Historical Context...
Flight
≤150≤150≤150 B.C.E.:
Garuda...
≤100≤100≤100 B.C.E.:
Icarus...
187418741874: duTemple’sflight...
1914–1918:
WWI
1920: AirMail begins
Nuclear Energy
1789:
uranium
1905:
Einstein’spaper...
1939: Frischconfirmsfission...
1945: Fissionexplosion
1951: Firstreactor
Cryptology
...≤ 1945≤ 1945≤ 1945...
≤ 1973≤ 1973≤ 1973–’747474: RSAand DH actually
invented at GCHQ!
199419941994: Peter Shorfinds quantumalgorithm that, intheory, easilybreaks DH andRSA.
199819981998: GCHQ:“Yeah, we didinvent RSA andDH...”
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.
3 RSA is based on the “hardness” of Integer Factoring:
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.
3 RSA is based on the “hardness” of Integer Factoring: Giventhat n is a product of two distinct primes, find the primes!
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.
3 RSA is based on the “hardness” of Integer Factoring: Giventhat n is a product of two distinct primes, find the primes!
4 As far as we know (on the outside), there are no practicalquantum computers... Unless you count D-Wave’s128-“qubit” computer which costs $10M...
J. Maurice Rojas Notes on Post-Quantum
What are DH and RSA? Who Cares?
1 DH and RSA are methods for sharing encryption keys, nowused in routers and internet servers everywhere...
2 DH is based on the Discrete Log Problem: Given a, g, p∈N,find x∈{0, . . . , p− 1} with gx=a mod p.
3 RSA is based on the “hardness” of Integer Factoring: Giventhat n is a product of two distinct primes, find the primes!
4 As far as we know (on the outside), there are no practicalquantum computers... Unless you count D-Wave’s128-“qubit” computer which costs $10M...
5 So what?
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
Not so fast...
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
Not so fast... What about archival data?
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
Not so fast... What about archival data? e.g., medical records
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
Not so fast... What about archival data? e.g., medical records,contracts, etc...
J. Maurice Rojas Notes on Post-Quantum
Why Cares if Quantum Computing Comes?
As we’ve already seen from the 25 year lag of “inside” discoverydisclosure (and the some recent controversial leaks), “inside”completion of a quantum computer is likely to remain hidden,be it by NSA or Google or IBM or Siemens or Sony or Dubai...
“OK, so I’ll stop using public-key crypto now...”
Not so fast... What about archival data? e.g., medical records,contracts, etc...
Experts say we could have an honest, working quantumcomputer within 15 years...
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
Examples
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
Examples
• Inverting an n× n matrix takes O(n3) arithmetic operations(or O(n2.3727) if you’re really clever).
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
Examples
• Inverting an n× n matrix takes O(n3) arithmetic operations(or O(n2.3727) if you’re really clever).
• Factoring an N -digit integer takes 2O(N1/3(lgN)2/3) seconds onour best (classical) computers.
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
Examples
• Inverting an n× n matrix takes O(n3) arithmetic operations(or O(n2.3727) if you’re really clever).
• Factoring an N -digit integer takes 2O(N1/3(lgN)2/3) seconds onour best (classical) computers.
But what about N=200, say?
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=O(g) ⇐⇒ thereare constants C,M>0 with |f(x)|≤Mg(x) for all x≥C. ⋄
Examples
• Inverting an n× n matrix takes O(n3) arithmetic operations(or O(n2.3727) if you’re really clever).
• Factoring an N -digit integer takes 2O(N1/3(lgN)2/3) seconds onour best (classical) computers.
But what about N=200, say? Or N=500?
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
• A 1978 cryptosystem of McEliece
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
• A 1978 cryptosystem of McEliece (quantum-resistant so far!)
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
• A 1978 cryptosystem of McEliece (quantum-resistant so far!)needs a key-size of b2+o(1) to force breakage to take ≥2b
seconds.
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
• A 1978 cryptosystem of McEliece (quantum-resistant so far!)needs a key-size of b2+o(1) to force breakage to take ≥2b
seconds.
• RSA needs a key-size of 0.016...b3/(lg b)2 to force breakage totake ≥2b seconds (on a classical computer).
J. Maurice Rojas Notes on Post-Quantum
Complexity Theory vs. Practical Complexity
Definition
We say two functions f, g : N −→ R satisfy f=o(g) ⇐⇒limx→+∞
f(x)g(x) =0. ⋄
Examples
• Shor’s Algorithm can factor N -digit RSA integers withinN2+o(1) seconds, on a quantum computer with N1+o(1)
qubits.
• A 1978 cryptosystem of McEliece (quantum-resistant so far!)needs a key-size of b2+o(1) to force breakage to take ≥2b
seconds.
• RSA needs a key-size of 0.016...b3/(lg b)2 to force breakage totake ≥2b seconds (on a classical computer).
But the devil is in the constants!: real-world security needsaround b=128 =⇒ thousands of bits for RSA but millions ofbits for McEliece [Bernstein, 2009]!
J. Maurice Rojas Notes on Post-Quantum
Moral: Deep Understanding Needed!
• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!
J. Maurice Rojas Notes on Post-Quantum
Moral: Deep Understanding Needed!
• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.
J. Maurice Rojas Notes on Post-Quantum
Moral: Deep Understanding Needed!
• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.Example: The Closest Vector Problem (CVP) is: Given
vectors v1, . . . , vN ∈Zn and a target vector t∈Qn, find theclosest integer linear combination α1v1 + · · ·+ αnvn to t.
J. Maurice Rojas Notes on Post-Quantum
Moral: Deep Understanding Needed!
• If we are to maintain our comfortable lives (with reasonableprivacy), we need to get work now on improving alternativecryptosystems!• A particularly promising vein of quantum-resistantcryptosystems come from lattice vector problems: thesecryptosystems are closely related to NP-hard problems thathave good average-case behavior: average instances are provablyalmost as hard as worst-case instances.Example: The Closest Vector Problem (CVP) is: Given
vectors v1, . . . , vN ∈Zn and a target vector t∈Qn, find theclosest integer linear combination α1v1 + · · ·+ αnvn to t.
• Solving CVP, even within a factor of√n, in time polynomial
in n would imply P=NP, i.e., you would simultaneously solvenumerous other important problems in polynomial-time (andwin $1M)!
J. Maurice Rojas Notes on Post-Quantum
♥♥♥ Thank you for your attention.
See:• Bernstein, Buchmann, Dahmen’s 2009 Springer book onPost-Quantum Cryptography
• Web-sites of Dan Bernstein and Tanja Lange• Blog of Scott Aaronson• Math 470• Math 415• Math 427...
...and www.math.tamu.edu/~rojas for further info onalgorithmic algebraic geometry.
J. Maurice Rojas Notes on Post-Quantum