The lecture “Post-Quantum (Lattice-based) Cryptography” introduces the framework of lattice-based cryptography, its common tools and concepts, and important constructions of advanced cryptographic primitives. The central hardness assumptions underlying lattice-based cryptography are believed to be intractable even for quantum algorithms, and as such provide a foundation for post-quantum security. Beyond that, lattice-based cryptography enables a wealth of constructions of theoretical and practical interest.

The content of the lecture depends on the chosen focus, and includes:
- The hardness assumptions SIS (“short integer solutions”) and LWE (“learning with errors”), and their relation of average hardness to worst-case hardness of lattice problems.
- Lattice trapdoors and discrete Gaussian sampling, as well as related techniques.
- Signature schemes based on SIS and/or LWE, from lattice trapdoors and/or rejection sampling.
- Encryption schemes based on LWE, including advanced encryption schemes such as:
  - Fully-homomorphic encryption;
  - Identity-based encryption or attribute-based encryption.
- (Algebraically) structured lattices and related assumptions.