**178 lattice-crypto questions.**

In the original NTRU paper: NTRU: A Ring-Based Public Key Cryptosystem, 1996, the author proposes 3 choices of implementation parameters: moderate, high and highest. Let's take moderate security level ...

I have a quadratic system of equations related to a balanced RSA modulus $n=pq$ (i.e. $\log p\approx\log q$), and I want to give an upper bound on the number of solutions. Indeed, let $p_i,q_i$ be ...

Suppose I have $A \in \mathbb{Z}_q^{n \times m},A_1 \in \mathbb{Z}_q^{n \times m},A_2 \in \mathbb{Z}_q^{n \times m}$. I am following the $\textbf{ExtBasis}$ algorithm of this (Page No. 13). I ...

In public key encryption from LWE, we do the following steps
$\textbf{PKE.KeyGen}(1^n)$ takes as input the security parameter n, samples $A \leftarrow \mathbb{Z}_p^{n \times m}$ and $\textbf{e} \...

I have two related questions:
Version 1: Let $B=\{b_1,b_2,\dots,b_n\}$ be an orthogonal basis for $R^n$. What is the associated reduced basis obtained by applying LLL algorithm to $B$?
I know how ...

This is a garage-made encryption scheme provided as cryptanalysis practice during 34C3 CTF.
The challenge is done under the following assumptions
All Mersenne twister instances are MT19937 64bit ...

How viable is lattice-based cryptography in a "practical" setting?
It has been said that lattice-based cryptography would be a "post-quantum" cryptography scheme, but is it feasibly implementable?

We have SampleLeft function in lattice trapdoors as
Algorithm $\textbf{SampleLeft}(A,M_1,T_A,u,\sigma)$:
$\textbf{Input}$: a rank $n$ matrix $A$ in $\mathbb{Z}^{n \times m}_q$ and a matrix $M_1$ in $\...

In generating an LWE sample, we do
$s\xleftarrow{\$}\mathbb{Z}_q^{n}, A \xleftarrow{\$}\mathbb{Z}_q^{n \times m}$ and $e\xleftarrow{\$}\chi^{m}$
Then we compute $b^T = s^TA + e^T$ and ...

There are many two-party or three-party key exchange protocols from lattice.
But, it seems that there is no famous multi-party key exchange protocol.
Does anyone know the relevant knowledge?
Or ...

This might be a very short very obvious answer, because I've yet to come across a question similar to mine in my searches.
Given a lattice L, with a good base B1 and a bad base B2, what stops an ...

Let's assume we have the q-ary lattice
$$ \mathcal{L}_q({\bf A})=\{ {\bf z}\in \mathbb{Z}^{n} : \exists {\bf s}\in \mathbb{Z}^{n}_{q} \ , \ {\bf z}={\bf A s}^{T} \mod q \},$$
where ${\bf A}\in \...

In paper: Practical Implementation of Ring-SIS/LWE Based Signature
and IBE, authors provided the source code for IBE.
In the Extract algorithm, they said: $a \cdot x = u \bmod p$
but I can not ...

Are there lattice-based cryptosystems based i.e., SIS (Short Integer Solutions) and LWE (Learning with Errors) blockchain solutions for a post quantum world?
Has the Unique Shortest Vector Problem (...

In LPR12, page 4 is described a ring-LWE encryption in which we are working in a ring $R = \mathbb{Z}[x]/(x^n + 1)$ for a $n$ a power of 2. The public key is of the form $(a, b= a\cdot s + e)$ where $...

I am implementing the key exchange scheme proposed by Zhang et al. on Sage. In the implementation of the scheme, they have used the two distributions $\chi_{\alpha}, \chi_{\beta}$.
How to choose $\...

Regev requires $q$ to be prime on lemma 4.2 of his paper for LWE.
Why does he require that, and how does this affect the proof of lemma 4.2?

Recently I'm studying learning with errors crypto systems and I'm running into a problem. I try to prove that the plaintext is in some specific range (for example 0~10) using zero knowledge proof.
...

I'm reading up on how post-quantum cryptography works, and stumbled upon the notion of discrete Gaussian sampling. However, I can't understand where it fits in the greater picture - currently it feels ...

The Wikipedia article on RWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply ...

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that ...

Say $L_1,L_2$ are contained in $\mathbb Z^r$ with
\begin{gather*}
\operatorname{rank}(L_1) = \operatorname{rank}(L_2) = r, \\
\gcd(\det(L_1), \det(L_2)) = 1.
\end{gather*}
How do I prove $\...

The Short integer solution problem is parameterized by four values:
$n$, the dimension of the vectors that must be added
$m$, the number of samples (dimension of the solution)
$\beta$, upper-bound ...

Short Integer Solution ($SIS_{n,m,q,\beta}$) is defined as
Given a matrix $A \in \mathbb{Z}_{q}^{n \times m}$, find a non-zero vector $x \in \mathbb{Z}^{m}$ such that $A \cdot x = 0\mod q$ and $||x|| ...

I'm trying to understand the GGH graded encoding scheme, but something there leaves me very confused and I can not figure out how to explain it:
Let $R := \mathbb{Z}[X]/(X^n+1)$, where $n$ is a power ...

There is an elaborate discussion on the breaking of TLCG on the link below, where they show how to break the generator with known parameters given the most significant bits.
Problem with LLL reduction ...

On this course, Micciancio talks about function families (functions parametrized by some value) that can be used in cryptography.
On page 2, he presents the following function family parametrized by ...

How does tail cutting and precision of discrete Gaussian sampling implementations affect LWE / Ring-LWE security? Is there a rule of thumb or guideline for choosing the tail cut and the precision for ...

In the cryptosystem based on Ring-LWE, the noise amount is measured by canonical-embedding norm.
What is the intuition behind canonical-embedding?

Recently, I started doing research about Lattice Based Cryptography, and searched on YouTube a lot of public talks or seminars about it.
But is there any course video (graduated course) related to ...

I'm a computer guy having trouble with cryptography.
I recently read the BGV Homomorphic encryption paper which was constructed under both LWE and RLWE assumptions.
I was implementing Threshold ...

I have seen very small work in multivariate RSA polynomial modular equation solutions using Coppersmith's based lattice reduction algorithm (LLL).
Is there any mechanism to solve the following type ...

In section 3.2 (page 10) of Vikram Singh's paper A practical Key Exchange for the internet using Lattice Cryptography, he gives the number of elements in each set for odd $q$. However, the results do ...

In the paper Post-quantum key exchange for the TLS protocol from the ring learning with errors problem one of the authors, Douglas Stebila, uses the FFT algorithm for polynomial multiplication but he ...

Is lattice-based cryptography still prone to side-channel attacks? What are some mitigation strategies, if any?

An answer to this question what are the NTRU keysize and application in industry? mentions that lattice cryptography has public keys and private keys of the same size. That seems like a property that ...

In the Kyber paper in section 3 about the Kyber IND-CPA Encryption there is a proof by sequence of games containing three games. I understand that in the first game hop the M-LWE advantage is used to ...

Let $\Lambda$ be an $n$-dimensional lattice and $\Lambda^*$ be its dual lattice.
For any $k \in \{1, 2, ..., n\}$, let $\lambda_k(\Lambda)$ be the $k$-th successive minimum of $\Lambda$ (analogously ...

It's easy to see that the crucial part of any lattice scheme is the added error. And different schemes seem to use different error distributions, some use Gaussian some use centered Binomial. Though, ...

I have recently started studying lattices. The book that I am following is "Complexity of lattice problem by Shafi Goldwasser and Daniele Micciancio" but it is too much inclined towards computational ...

Short Integer Solution ($SIS_\gamma^{(q,n,m,\beta)}$): Given a matrix $A\in Z_{q}^{n \times m}$, find $x \in Z^m $, such that $Ax=0\mod q$ and $||x|| \le \beta$
Is $SIS\in NP$ ?
If $SIS \in NP$, then it ...

I am studying basic lattice-based cryptography. In the course given by O. Regev, on page number 7, there is Claim 1 and Corollary 2 (Minkowski's First Theorem), both of which are difficult for me to ...

I have a list of bit vectors of the same length, and I want to find the combination of them whose bitwise-XOR sum has the smallest (non-zero) hamming weight (or just a "rather small" hamming weight).
...

For the purpose of testing algorithms for lattice basis reduction or finding short vectors, it would be useful to have examples of lattices where short vectors are hidden, that is, a nontrivial ...

Recently, the CRYSTALS lattice-based cryptographic suite has been published, which is based on "module lattices". What is Module-LWE? How is it different from Ring-LWE?

From researching post-quantum cryptographic schemes it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns ...

What is the connection between lattice based cryptography and random walk?

In LWE-based schemes the public key is generated by choosing a random matrix (or polynomial) $A$, and outputting the pair $(A, b = A\cdot s + e)$, where $s$ and $e$ are vectors/polynomials with ...

I am not understanding the following from "Lattice Cryptography for the Internet" by C. Peikert (page 9):
We remark that a work of Ding et al. DXL14 proposes a different
reconciliation method ...

I see on eprint that there are many papers suggesting ways to compute parameters for LWE. How can those be used to compute parameters for ring-LWE (assuming that known algorithms solving LWE are the ...

- post-quantum-cryptography
- lwe
- homomorphic-encryption
- key-exchange
- public-key
- cryptanalysis
- provable-security
- ntru
- ring-lwe
- number-theory
- sis
- rsa
- signature
- random-number-generator
- implementation
- randomness
- complexity
- hardness-assumptions
- trapdoor
- protocol-design
- reference-request
- modular-arithmetic
- factoring
- one-way-function
- side-channel-attack