I did the same. Something that helped me get my head around it was realising that NTT is mostly a performance optimization, a bit like montgomery form in RSA. You can conceptually implement ML-KEM without it, it'll just be slower (it also won't be interoperable because the wire format involves the NTT'd form - I think, it's been a while since I looked at it in detail).
Do you have any recommendations for effective self-learning paths? I have murky old foundations in all three fields (took first year linear algebra and a variety of logic courses) so am not starting from nothing but the few times I’ve tried to jump back in I always get a bit bogged down and can’t keep with it.
Good stuff to know, just in case the life extension tech explodes and we're all alive by the time cryptographically relevant quantum computers actually hit the scene.
Yes, but it exists because it was deemed better to be cautious and implement PQC despite the uncertainty and different points of view around the time scale to have cryptographically relevant quantum computers (or, from a different point of view, precisely due to the uncertainties). Their comment was in the wrong tone, but the doubts are there. BTW, PQC can be interesting to learn regardless of the discussion around quantum computers.
"will we have a CRQC soon" is the subject of much debate but "will we have a CRQC ever" is pretty uncontroversially a possibility, and so it is worth defending against harvest-now-decrypt-later attacks in the present - which is why X25519MLKEM768 is widely deployed already.
However, the time needed to get one plays a crucial role. Governments need to protect some piece of data for a very long time, but common people are generally fine with keeping something secret for their lives' duration. I don't care if someone decrypts my laptop's SSD after I'm dead.
* [Enough Polynomials and Linear Algebra to Implement Kyber](https://words.filippo.io/kyber-math/)
* [Basic Lattice Cryptography. The concepts behind Kyber (ML-KEM) and Dilithium (ML-DSA)](https://eprint.iacr.org/2024/1287.pdf)
* [A Complete Beginner Guide to the Number Theoretic Transform (NTT)](https://eprint.iacr.org/2024/585.pdf)
Seems to me that these lattices and error-correcting codes are very close to each other, but for some reason they are discussed separately.
I'd wager that there will be some reductions between those problems - maybe I could dig more around that.
mb see https://www.amazon.com/Lattice-Coding-Signals-Networks-Quant...
https://www.reddit.com/r/VXJunkies/