### 2 Original NTRU : How to calculate the size of private key?

In the original NTRU paper: NTRU: A Ring-Based Public Key Cryptosystem, 1996, the author proposes 3 choices of implementation parameters: moderate, high and highest. Let's take moderate security level ...

### 1 Counting the number of binary solutions of quadratic system

I have a quadratic system of equations related to a balanced RSA modulus $n=pq$ (i.e. $\log p\approx\log q$), and I want to give an upper bound on the number of solutions. Indeed, let $p_i,q_i$ be ...

### 1 Extending the basis

0 answers, 19 views lattice-crypto trapdoor
Suppose I have $A \in \mathbb{Z}_q^{n \times m},A_1 \in \mathbb{Z}_q^{n \times m},A_2 \in \mathbb{Z}_q^{n \times m}$. I am following the $\textbf{ExtBasis}$ algorithm of this (Page No. 13). I ...

### 3 Encoding of the message in Regev encryption

1 answers, 39 views lattice-crypto lwe

### 2 A query on Learning with errors(LWE) problem

1 answers, 77 views lattice-crypto lwe

### About practical implementation of Ring-SIS/LWE Based Signature and IBE

0 answers, 46 views implementation lattice-crypto
In paper: Practical Implementation of Ring-SIS/LWE Based Signature and IBE, authors provided the source code for IBE. In the Extract algorithm, they said: $a \cdot x = u \bmod p$ but I can not ...

### -1 Lattice-based cryptosystems for blockchain/ledger?

Are there lattice-based cryptosystems based i.e., SIS (Short Integer Solutions) and LWE (Learning with Errors) blockchain solutions for a post quantum world? Has the Unique Shortest Vector Problem (...

### 1 Efficiently sampling the error (noise) distribution in ring-LWE

0 answers, 28 views lattice-crypto ring-lwe

### 4 Decision-LWE to Search-LWE

1 answers, 79 views lattice-crypto lwe
Regev requires $q$ to be prime in lemma 4.2 of his paper for LWE. Why does he require that and how does this affect the proof of lemma 4.2?

### 1 Can zero knowledge proof and zero knowledge proof of knowledge transfer to each other?

2 answers, 193 views zero-knowledge-proofs lattice-crypto
Recently I'm studying learning with errors cryptosystems and I'm running into a problem. I try to prove that the plaintext is in some specific range (for example 0~10) using zero knowledge proof. ...

### 2 Discrete Gaussian Sampling role in Lattice-Based Crypto?

I'm reading up on how post-quantum cryptography works, and stumbled upon the notion of discrete Gaussian sampling. However, I can't understand where it fits in the greater picture - currently it feels ...

### 19 Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply ...

### 19 Quantum complexity of LWE

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that ...

### 2 Dividing elements in $R_q$ by $z$ in Garg-Gentry-Halevi (GGH) Graded Encoding Scheme

I'm trying to understand the GGH graded encoding scheme, but something there leaves me very confused and I can not figure out how to explain it: Let $R := \mathbb{Z}[X]/(X^n+1)$, where $n$ is a power ...

### 2 Breaking Truncated Linear Congruential Generator with known parameters

1 answers, 174 views cryptanalysis lattice-crypto
There is an elaborate discussion on the breaking of TLCG on the link below, where they show how to break the generator with known parameters given the most significant bits. Problem with LLL reduction ...

### 1 Function families from lattices

1 answers, 57 views lattice-crypto one-way-function
On this course, Micciancio talks about function families (functions parametrized by some value) that can be used in cryptography. On page 2, he presents the following function family parametrized by ...

### 3 Effect of tail cutting and precision of discrete Gaussian sampling on LWE / Ring-LWE security

How does tail cutting and precision of discrete Gaussian sampling implementations affect LWE / Ring-LWE security? Is there a rule of thumb or guideline for choosing the tail cut and the precision for ...

### What is the intuition of canonical-embedding in homomorphic encryption based on RingLWE?

1 answers, 207 views homomorphic-encryption lattice-crypto
In the cryptosystem based on Ring-LWE, the noise amount is measured by canonical-embedding norm. What is the intuition behind canonical-embedding?

### 3 Is there any course video for lattice cryptography? [closed]

Recently, I started doing research about Lattice Based Cryptography, and searched on YouTube a lot of public talks or seminars about it. But is there any course video (graduated course) related to ...

### 1 Is it secure using LWE-based cryptosystem under RLWE-based parameters?

I'm a computer guy having trouble with cryptography. I recently read the BGV Homomorphic encryption paper which was constructed under both LWE and RLWE assumptions. I was implementing Threshold ...

### Lattice Reduction Method to solve multivariate equation

0 answers, 45 views public-key lattice-crypto
I have seen very small work in multivariate RSA polynomial modular equation solutions using Coppersmith's based lattice reduction algorithm (LLL). Is there any mechanism to solve the following type ...

### 1 Practical Key exchange for Internet

1 answers, 53 views lattice-crypto ring-lwe
In section 3.2 (page 10) of Vikram Singh's paper A practical Key Exchange for the internet using Lattice Cryptography, he gives the number of elements in each set for odd $q$. However, the results do ...

### 5 R-LWE key exchange why using FFT instead of Karatsuba

3 answers, 302 views key-exchange lattice-crypto
In the paper Post-quantum key exchange for the TLS protocol from the ring learning with errors problem one of the authors, Douglas Stebila, uses the FFT algorithm for polynomial multiplication but he ...

### 4 Lattice-based cryptography prone to side channel attacks?

Is lattice-based cryptography still prone to side channel attacks? What are some mitigation strategies, if any?

### Lattice cryptography, key size of public and private key?

An answer to this question what are the NTRU keysize and application in industry? mentions that lattice cryptography has public keys and private keys of the same size. That seems like a property that ...

### 1 Why do the game-hops in Kyber and related papers contain 2 steps at a time?

0 answers, 29 views provable-security lattice-crypto
In the Kyber paper in section 3 about the Kyber IND-CPA Encryption there is a proof by sequence of games containing three games. I understand that in the first game hop the M-LWE advantage is used to ...

### 4 Relation between k-th shortest vector of a lattice and (n-k+1)-th shortest of its dual

Let $\Lambda$ be an $n$-dimensional lattice and $\Lambda^*$ be its dual lattice. For any $k \in \{1, 2, ..., n\}$, let $\lambda_k(\Lambda)$ be the $k$-th successive minima of $\Lambda$ (analogously ...

### 3 How does error distribution affect security in lattices?

It's easy to see that the crucial part of any lattice scheme is the added error. And different schemes seem to use different error distributions, some use Gaussian some use centered Binomial. Though, ...

### -1 A good book on lattices [closed]

I have recently started studying lattices. The book that I am following is "Complexity of lattice problem by Shafi Goldwasser and Daniele Micciancio" but it is too much inclined towards computational ...

### 1 Hardness of $SIS$ and its reduction to an NP-complete problem

Short Integer Solution ($SIS_\gamma^{(q,n,m,\beta)}$): Given a matrix $A\in Z_{q}^{n\times m}$, find $x \in Z^m$, such that $Ax=0 \bmod q$ and $||x|| \le \beta$. Is $SIS\in NP$? If $SIS \in NP$, then it ...

### 3 Minkowski's theorem in lattice-based cryptography

I am studying basic lattice-based cryptography. In the course given by O. Regev, on page number 7, there is Claim 1 and Corollary 2 (Minkowski's First Theorem), both of which are difficult for me to ...

### XORing bitstrings to get small hamming weight using lattice SVP algo

I have a list of bit vectors of the same length, and I want to find the combination of them whose bitwise-XOR sum has the smallest (non-zero) hamming weight (or just a "rather small" hamming weight). ...

### 2 Lattices with hidden short vectors and an algorithm for a special case of the SVP

0 answers, 54 views implementation lattice-crypto
For the purpose of testing algorithms for lattice basis reduction or finding short vectors, it would be useful to have examples of lattices where short vectors are hidden, that is, a nontrivial ...

### 4 What is the difference between Module-LWE and Ring-LWE?

Recently, the CRYSTALS lattice-based cryptographic suite has been published, which is based on "module lattices". What is Module-LWE? How is it different from Ring-LWE?

### 8 Potential Flaws With Lattice Based Cryptography?

From researching post-quantum cryptographic schemes it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns ...

### Is there a connection between lattice based cryptography and random walk on a lattice?

What is the connection between lattice based cryptography and random walk?

### 3 Why don't we use an Extendable Output Function to efficiently store the public key of Regev's LWE-based encryption scheme over standard lattices?

In LWE-based schemes the public key is generated by choosing a random matrix (or polynomial) $A$, and outputting the pair $(A, b = A\cdot s + e)$, where $s$ and $e$ are vectors/polynomials with ...

### 5 Why does the protocol of Ding et al. produce biased bits and does it relate to passive security?

1 answers, 173 views protocol-design lattice-crypto
I am not understanding the following from "Lattice Cryptography for the Internet" by C. Peikert (pages 9): We remark that a work of Ding et al. DXL14 proposes a different reconciliation method ...