**187 lattice-crypto questions.**

In lattice cryptography it seems like giving out long vectors for a lattice that can be drawn from much shorter vectors (generating an identical lattice) is somehow useful for public-private key ...

How viable is lattice-based cryptography in a "practical" setting?
It has been said that lattice-based cryptography would be a "post-quantum" cryptography scheme, but is it feasibly implementable?

Both the papers GPV'08 and MP'11 present trapdoors for lattices that allow one to recover $s\in\mathbb{Z}_q^n$ and the error vector $e\in\mathbb{Z}_q^m$ when given $y=As+e$, for $A\in\mathbb{Z}_q^{m\times ...

In public key encryption from LWE, we do the following steps
$\textbf{PKE.KeyGen}(1^n)$ takes as input the security parameter $n$, samples $A \leftarrow \mathbb{Z}_p^{n \times m}$ and $\textbf{e} \...

I have two related questions:
Version 1: Let $B=\{b_1,b_2,\dots,b_n\}$ be an orthogonal basis for $R^n$. What is the associated reduced basis obtained by applying LLL algorithm to $B$?
I know how ...

This is a garage-made encryption scheme provided as cryptanalysis practice during the 34C3 CTF.
The challenge is done under the following assumptions:
All Mersenne twister instances are MT19937 64-bit ...

We have SampleLeft function in lattice trapdoors as
Algorithm $\textbf{SampleLeft}(A,M_1,T_A,u,\sigma)$:
$\textbf{Input}$: a rank $n$ matrix $A$ in $\mathbb{Z}^{n \times m}_q$ and a matrix $M_1$ in $\...

In generating an LWE sample, we do
$s \xleftarrow{\$} \mathbb{Z}_q^{n}$, $A \xleftarrow{\$} \mathbb{Z}_q^{n \times m}$ and $e \xleftarrow{\$} \chi^{m}$.
Then we compute $b^T = s^T A + e^T$ and ...

There are many two-party or three-party key exchange protocols from lattices.
But, it seems that there is no famous multi-party key exchange protocol.
Does anyone know the relevant knowledge?
Or ...

This might be a very short very obvious answer, because I've yet to come across a question similar to mine in my searches.
Given a lattice $L$, with a good basis $B_1$ and a bad basis $B_2$, what stops an ...

Let's assume we have the q-ary lattice
$$ \mathcal{L}_q({\bf A})=\{ {\bf z}\in \mathbb{Z}^{n} : \exists {\bf s}\in \mathbb{Z}^{n}_{q} \ , \ {\bf z}={\bf A s}^{T} \mod q \},$$
where ${\bf A}\in \...

In the paper Practical Implementation of Ring-SIS/LWE Based Signature and IBE, the authors provided the source code for IBE.
In the Extract algorithm, they said: $a \cdot x = u \bmod p$,
but I cannot ...

Are there lattice-based (i.e., SIS (Short Integer Solutions) and LWE (Learning with Errors) based) blockchain solutions for a post-quantum world?
Has the Unique Shortest Vector Problem (...

In LPR12, page 4, a ring-LWE encryption is described in which we are working in a ring $R = \mathbb{Z}[x]/(x^n + 1)$ for $n$ a power of 2. The public key is of the form $(a, b= a\cdot s + e)$ where $...

I am implementing the key exchange scheme proposed by Zhang et al. in Sage. In the implementation of the scheme, they have used the two distributions $\chi_{\alpha}, \chi_{\beta}$.
How to choose $\...

Regev requires $q$ to be prime in Lemma 4.2 of his paper for LWE.
Why does he require that, and how does this affect the proof of Lemma 4.2?

Recently I'm studying learning with errors cryptosystems and I'm running into a problem. I try to prove that the plaintext is in some specific range (for example 0 to 10) using a zero knowledge proof.
...

I'm reading up on how post-quantum cryptography works, and stumbled upon the notion of discrete Gaussian sampling. However, I can't understand where it fits in the greater picture - currently it feels ...

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that ...

Say $L_1,L_2$ are contained in $\mathbb Z^r$ with
\begin{gather*}
\operatorname{rank}(L_1) = \operatorname{rank}(L_2) = r, \\
\gcd(\det(L_1), \det(L_2)) = 1.
\end{gather*}
How do I prove $\...

The Short Integer Solution problem is parameterized by four values:
- $n$, the dimension of the vectors that must be added
- $m$, the number of samples (dimension of the solution)
- $\beta$, upper-bound ...

Short Integer Solution ($SIS_{n,m,q,\beta}$) is defined as
Given a matrix $A \in \mathbb{Z}_{q}^{n \times m}$, find a non-zero vector $x \in \mathbb{Z}^{m}$ such that $A \cdot x = 0\mod q$ and $||x|| ...

I'm trying to understand the GGH graded encoding scheme, but something there leaves me very confused and I cannot figure out how to explain it:
Let $R := \mathbb{Z}[X]/(X^n+1)$, where $n$ is a power ...

There is an elaborate discussion on the breaking of TLCG on the link below, where they show how to break the generator with known parameters given the most significant bits.
Problem with LLL reduction ...

In this course, Micciancio talks about function families (functions parametrized by some value) that can be used in cryptography.
On page 2, he presents the following function family parametrized by ...

How does tail cutting and precision of discrete Gaussian sampling implementations affect LWE / Ring-LWE security? Is there a rule of thumb or guideline for choosing the tail cut and the precision for ...

In the cryptosystem based on Ring-LWE, the noise amount is measured by canonical-embedding norm.
What is the intuition behind canonical-embedding?

Recently, I started doing research about Lattice Based Cryptography, and searched on YouTube for a lot of public talks or seminars about it.
But is there any course video (graduate course) related to ...

I'm a computer guy having trouble with cryptography.
I recently read the BGV Homomorphic encryption paper which was constructed under both LWE and RLWE assumptions.
I was implementing Threshold ...

I have seen very little work on multivariate RSA polynomial modular equation solutions using Coppersmith-based lattice reduction algorithms (LLL).
Is there any mechanism to solve the following type ...

In section 3.2 (page 10) of Vikram Singh's paper A practical Key Exchange for the internet using Lattice Cryptography, he gives the number of elements in each set for odd $q$. However, the results do ...

In the paper Post-quantum key exchange for the TLS protocol from the ring learning with errors problem one of the authors, Douglas Stebila, uses the FFT algorithm for polynomial multiplication but he ...

Is lattice-based cryptography still prone to side channel attacks? What are some mitigation strategies, if any?

An answer to this question what are the NTRU keysize and application in industry? mentions that lattice cryptography has public keys and private keys of the same size. That seems like a property that ...

In the Kyber paper in section 3 about the Kyber IND-CPA Encryption there is a proof by sequence of games containing three games. I understand that in the first game hop the M-LWE advantage is used to ...

Let $\Lambda$ be an $n$-dimensional lattice and $\Lambda^*$ be its dual lattice.
For any $k \in \{1, 2, ..., n\}$, let $\lambda_k(\Lambda)$ be the $k$-th successive minima of $\Lambda$ (analogously ...

It's easy to see that the crucial part of any lattice scheme is the added error. And different schemes seem to use different error distributions, some use Gaussian some use centered Binomial. Though, ...

I have recently started studying lattices. The book that I am following is "Complexity of Lattice Problems" by Shafi Goldwasser and Daniele Micciancio, but it is too much inclined towards computational ...

- post-quantum-cryptography
- lwe
- homomorphic-encryption
- key-exchange
- public-key
- cryptanalysis
- provable-security
- ring-lwe
- ntru
- signature
- number-theory
- trapdoor
- sis
- rsa
- random-number-generator
- implementation
- randomness
- complexity
- side-channel-attack
- hardness-assumptions
- encryption
- protocol-design
- reference-request
- dsa
- modular-arithmetic
