lattice-crypto's questions - English 1answer

187 lattice-crypto questions.

In lattice cryptography it seems like giving out long vectors for a lattice that can be drawn from much shorter vectors (generating an identical lattice) is somehow useful for public-private key ...

How viable is lattice-based cryptography in a "practical" setting? It has been said that lattice-based cryptography would be a "post-quantum" cryptography scheme, but is it feasibly implementable?

Both the papers GPV'08 and MP'11 present trapdoors for lattices that allow recovering $s\in\mathbb{Z}_q^n$ and the error vector $e\in\mathbb{Z}_q^m$ when given $y=As+e$, for $A\in\mathbb{Z}_q^{m\times ...

In public key encryption from LWE, we do the following steps: $\textbf{PKE.KeyGen}(1^n)$ takes as input the security parameter $n$, samples $A \leftarrow \mathbb{Z}_p^{n \times m}$ and $\textbf{e} \...

I have two related questions: Version 1: Let $B=\{b_1,b_2,\dots,b_n\}$ be an orthogonal basis for $R^n$. What is the associated reduced basis obtained by applying LLL algorithm to $B$? I know how ...

This is a garage-made encryption scheme provided as cryptanalysis practice during 34C3 CTF. The challenge is done under the following assumptions: All Mersenne twister instances are MT19937 64bit ...

We have SampleLeft function in lattice trapdoors as Algorithm $\textbf{SampleLeft}(A,M_1,T_A,u,\sigma)$: $\textbf{Input}$: a rank $n$ matrix $A$ in $\mathbb{Z}^{n\times m}_q$ and a matrix $M_1$ in $\...

In generating an LWE sample, we do $s\xleftarrow{\$}\mathbb{Z}_q^{n}$, $A \xleftarrow{\$}\mathbb{Z}_q^{n \times m}$ and $e\xleftarrow{\$}\chi^{m}$. Then we compute $b^T = s^TA + e^T$ and ...

There are many two-party or three-party key exchange protocols from lattices. But it seems that there is no famous multi-party key exchange protocol. Does anyone know the relevant knowledge? Or ...

This might be a very short very obvious answer, because I've yet to come across a question similar to mine in my searches. Given a lattice L, with a good base B1 and a bad base B2, what stops an ...

Let's assume we have the q-ary lattice $$ \mathcal{L}_q({\bf A})=\{ {\bf z}\in \mathbb{Z}^{n} : \exists {\bf s}\in \mathbb{Z}^{n}_{q} \ , \ {\bf z}={\bf A s}^{T} \mod q \},$$ where ${\bf A}\in \...

In the paper Practical Implementation of Ring-SIS/LWE Based Signature and IBE, the authors provided the source code for IBE. In the Extract algorithm, they said: $a \cdot x = u \bmod p$ but I cannot ...

Are there lattice-based cryptosystems based i.e., SIS (Short Integer Solutions) and LWE (Learning with Errors) blockchain solutions for a post quantum world? Has the Unique Shortest Vector Problem (...

In LPR12, page 4 is described a ring-LWE encryption in which we are working in a ring $R = \mathbb{Z}[x]/(x^n + 1)$ for $n$ a power of 2. The public key is of the form $(a, b= a\cdot s + e)$ where $...

I am implementing the key exchange scheme proposed by Zhang et al. on Sage. In the implementation of the scheme, they have used the two distributions $\chi_{\alpha}, \chi_{\beta}$. How to choose $\...

Regev requires $q$ to be prime in Lemma 4.2 of his paper for LWE. Why does he require that, and how does this affect the proof of Lemma 4.2?

Recently I'm studying learning with errors crypto systems and I'm running into a problem. I try to prove that the plaintext is in some specific range (for example 0~10) using zero knowledge proof. ...

I'm reading up on how post-quantum cryptography works, and stumbled upon the notion of discrete Gaussian sampling. However, I can't understand where it fits in the greater picture - currently it feels ...

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that ...

Say $L_1,L_2$ are contained in $\mathbb Z^r$ with \begin{gather*} \operatorname{rank}(L_1) = \operatorname{rank}(L_2) = r, \\ \gcd(\det(L_1), \det(L_2)) = 1. \end{gather*} How do I prove $\...

The Short integer solution problem is parameterized by four values: $n$, the dimension of the vectors that must be added; $m$, the number of samples (dimension of the solution); $\beta$, upper-bound ...

Short Integer Solution ($SIS_{n,m,q,\beta}$) is defined as: given a matrix $A \in \mathbb{Z}_{q}^{n \times m}$, find a non-zero vector $x \in \mathbb{Z}^{m}$ such that $A \cdot x = 0 \bmod q$ and $||x|| ...

I'm trying to understand the GGH graded encoding scheme, but something there leaves me very confused and I cannot figure out how to explain it: Let $R := \mathbb{Z}[X]/(X^n+1)$, where $n$ is a power ...

There is an elaborate discussion on the breaking of TLCG on the link below, where they show how to break the generator with known parameters given the most significant bits. Problem with LLL reduction ...

On this course, Micciancio talks about function families (functions parametrized by some value) that can be used in cryptography. On page 2, he presents the following function family parametrized by ...

How does tail cutting and precision of discrete Gaussian sampling implementations affect LWE / Ring-LWE security? Is there a rule of thumb or guideline for choosing the tail cut and the precision for ...

In the cryptosystem based on Ring-LWE, the noise amount is measured by canonical-embedding norm. What is the intuition behind canonical-embedding?

Recently, I started doing research about Lattice Based Cryptography and searched on YouTube a lot of public talks or seminars about it. But is there any course video (graduated course) related to ...

I'm a computer guy having trouble with cryptography. I recently read the BGV Homomorphic encryption paper which was constructed under both LWE and RLWE assumptions. I was implementing Threshold ...

I have seen very small work in multivariate RSA polynomial modular equation solutions using Coppersmith's based lattice reduction algorithm (LLL). Is there any mechanism to solve the following type ...

In section 3.2 (page 10) of Vikram Singh's paper A practical Key Exchange for the internet using Lattice Cryptography, he gives the number of elements in each set for odd $q$. However, the results do ...

In the paper Post-quantum key exchange for the TLS protocol from the ring learning with errors problem one of the authors, Douglas Stebila, uses the FFT algorithm for polynomial multiplication but he ...

Is lattice-based cryptography still prone to side-channel attacks? What are some mitigation strategies, if any?

An answer to this question what are the NTRU keysize and application in industry? mentions that lattice cryptography has public keys and private keys of the same size. That seems like a property that ...

In the Kyber paper in section 3 about the Kyber IND-CPA Encryption there is a proof by sequence of games containing three games. I understand that in the first game hop the M-LWE advantage is used to ...

Let $\Lambda$ be an $n$-dimensional lattice and $\Lambda^*$ be its dual lattice. For any $k \in \{1, 2, ..., n\}$, let $\lambda_k(\Lambda)$ be the $k$-th successive minima of $\Lambda$ (analogously ...

It's easy to see that the crucial part of any lattice scheme is the added error. And different schemes seem to use different error distributions, some use Gaussian some use centered Binomial. Though, ...

I have recently started studying lattices. The book that I am following is "Complexity of lattice problem by Shafi Goldwasser and Daniele Micciancio" but it is too much inclined towards computational ...
