Questions tagged [lattice-crypto]

Lattice-cryptography is the study and use of lattice problems applied to cryptography.

Lattice cryptography is the use of lattice problems from number theory, applied to the design of cryptographic primitives. Examples of lattice primitives are NTRU, JarJar, New Hope, and New Hope-Simple. Examples of lattice problems used in the design of these primitives are the GapCVP, GapSVP, CVP, and SVP problems. These represent search and decision forms of each problem.

570 questions
11 votes, 0 answers

Why Is SIVP a Worst-Case Problem?

I just started to study lattice cryptography. I'm now studying the worst-case to average-case reduction for SIS. In a previous question, "worst means any and average means random". And I wonder why the Shortest Independent Vectors Problem (SIVP) is the…
Jonghyun Kim
10 votes, 1 answer

Use of q-ary lattices in developing cryptosystems

Why are q-ary lattices used in most cryptosystems rather than lattices? In most of the papers q-ary lattices are used. Is there any advantage? And given $$B=(v_1,v_2,v_3,\ldots,v_n)$$ is the basis, lattice generated by B $$…
preethi
9 votes, 1 answer

Gaussian distribution in lattices

In many lattice based cryptosystems, Gaussian distribution is used. Can you explain why only Gaussian distribution is preferred?
preethi
8 votes, 1 answer

What's the purpose of the smoothing parameter in lattice-based cryptography?

I see nearly all the lattice-based crypto papers talk about the smoothing parameter $\eta$. And I believe even some parameters are chosen with respect to that. However, I do not quite understand what's the purpose of it. What's its relation to…
user4936
8 votes, 2 answers

Cardinality of the group of units in a cyclotomic ring?

In the NTRU key generation, one samples a polynomial from $K = (\mathbb Z/q\mathbb Z)[X]/(X^n+1)$ and tests if it is invertible. What are the chances of this to happen? In other words: Let $q$ be a prime and $n>4$ be a power of $2$. What is the…
Tal-Botvinnik
7 votes, 1 answer

Find collision in Ajtai's hash function using short vector

Background: What is Ajtai's hash function? Given a matrix $A \hookleftarrow U(\mathbb{Z}_q^{n \times m})$ and a column vector $\vec{m} \in \mathbb{Z}_d^m$, the hash of the message $\vec{m}$ is given by $H(\vec{m}) = A\vec{m} \bmod q$. Ajtai's…
user33284
6 votes, 3 answers

Is the HNF basis the worst basis for a lattice?

I am researching lattice problems and some methods for solving them. I read some books that mentioned Babai's algorithm for finding the Closest Vector Problem (CVP) cannot be successful with a "bad" basis for a lattice. Which begs a question: what…
Mina
6 votes, 1 answer

How to generate new LWE samples

Assume we are given a small fixed number of LWE samples with secret $s$ and error $e$, where the error distribution is taken so that the LWE problem is hard. My question: How can one further generate LWE samples (with the same secret $s$), given…
ruparunpa
5 votes, 0 answers

Relation between LPN and GAPSVP?

I have a question regarding the relationship between the (search) LPN problem and the GapSVP problem. I have read a related problem that explains the main theorem in Reg05: the GapSVP problem can be reduced to a search LWE problem (especially, the…
M.Z.
5 votes, 1 answer

What is the difference between discrete-then-gaussian and gaussian-then-discrete?

In lattice cryptography, we always face the problem of discrete Gaussian sampling. To beginners, it is a bit complex. However, Gaussian sampling from a continuous space is much easier to understand, and a lot of tools are available. Say, we can…
Licheng Wang
5 votes, 0 answers

How Babai's nearest plane algorithm solves approximate CVP

Babai's nearest plane algorithm solves approximate-CVP (Closest Vector Problem) where the approximation factor is $2(\frac{2}{\sqrt{3}})^n$. Let $b_1,...,b_n$ be a basis and $t$ be the target. This algorithm finds an integer $c$ such that the…
preethi
5 votes, 1 answer

What is a "lattice" in cryptography?

There are some questions here concerning lattice-based cryptography and this kind of cryptography seems to be especially useful if quantum computers are assumed to exist. When reading such questions I always asked myself: "What is a lattice?" And…
SEJPM
4 votes, 0 answers

LWR parameter estimation

I am trying to estimate parameters for LWR $(n,q,p)$ instance using the LWE estimator. My $q,p$ are $283,256$-bit prime numbers and I am trying to find required $n$ for 128 bit security. For this, I need to know the $\alpha$ to be used in the…
MeV
4 votes, 1 answer

Finding the basis of the transpose of a q-ary lattice

Given $q$ and a matrix $A \in \mathbb{Z}_q^{n \times m}$, the $q$-ary lattice is defined as $$\Lambda(A)=\{x \in \mathbb{Z}^m:Ax=0 \bmod q\} $$ An instance of a q-ary lattice and its short basis is computed in Generating short basis for hard random…
preethi
4 votes, 1 answer

Is there any course video for lattice cryptography?

Recently, I started doing research about lattice-based cryptography and searched on YouTube for a lot of public talks or seminars about it. But is there any course video (graduate course) related to it?
will Liu