Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [lattice-crypto]

Lattice-cryptography is the study and use of lattice problems applied to cryptography.

Lattice cryptography is the use of lattice problems from number theory, applied to the design of cryptographic primitives. Examples of lattice primitives are NTRU, JarJar, New Hope, and New Hope-Simple. Examples of lattice problems used in the design of these primitives are the GapCVP, GapSVP, CVP, and SVP problems. These represent search and decision forms of each problem.

684 questions
62
votes
4 answers

Polynomial-time Quantum Algorithms for Lattice Problems

A new paper, by Yilei Chen, whose title is Quantum Algorithms for Lattice Problems (https://eprint.iacr.org/2024/555) appeared on eprint and it claims to solve hard lattice problems, such as the approximate (gap) shortest vector problem…
Hilder Vitor Lima Pereira
  • 7,476
  • 1
  • 25
  • 45
33
votes
3 answers

New quantum attack on lattices (or Shor strikes again)?

Lior Eldar and Peter W. Shor published a paper on arXiv.org in which they present a new quantum algorithm against a variant of BDD. They claim that their new algorithm can efficiently solve the following problem: Given a lattice $L$, a vector $v$,…
mephisto
  • 2,968
  • 20
  • 29
31
votes
1 answer

Uniform vs discrete Gaussian sampling in Ring learning with errors

The Wikipedia article on RLWE mentions two methods of sampling "small" polynomials namely uniform sampling and discrete Gaussian sampling. Uniform sampling is clearly the simplest, involving simply uniformly selecting the coefficients from the set…
Morty
  • 639
  • 4
  • 13
25
votes
3 answers

What does the work "An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor" mean?

In An Efficient Quantum Algorithm for Lattice Problems Achieving Subexponential Approximation Factor, the author claims they give a polynomial-time quantum algorithm for solving the Bounded Distance Decoding problem with a subexponential…
Eric_Qin
  • 807
  • 7
  • 13
21
votes
1 answer

Quantum complexity of LWE

As per my understanding, LWE is quantum secure because there is no known quantum algorithm to solve LWE in polynomial time. Due to the reductions given by Regev et al., if there is any algorithm that solves LWE in polynomial time, it will imply that…
Rick
  • 1,305
  • 8
  • 17
19
votes
1 answer

What are the benefits of lattice based cryptography?

Previously we visited the benefits of elliptic curves for cryptography. Lattice based cryptography is starting to become quite popular in academia. The primary benefit of lattice based crypto is the resistance to quantum algorithms. Are there other…
mikeazo
  • 39,117
  • 9
  • 118
  • 183
18
votes
2 answers

Why is Approximate GCD a hard problem?

There are many Fully Homomorphic Encryption over the Integers schemes whose security is based on the intractability of the Approximate GCD (AGCD) problem. The paper Algorithms for the Approximate Common Divisor Problem surveys several lattice…
robertkin
  • 448
  • 3
  • 11
17
votes
4 answers

Kyber and Dilithium explained to primary school students?

Kyber and Dilithium are post-quantum cryptographic designs, but the resources are hard to understand. Is it possible to explain those ciphers to children?
Flan1335
  • 381
  • 2
  • 6
16
votes
0 answers

Given a 'good' basis for a lattice, how can we solve the CVP?

I'm doing a little bit of reading about lattices. I read that if we can find a 'short' basis for our given lattice, we can solve CVP and SVP very efficiently. However, the paper didn't describe an algorithm. Can anyone briefly describe an algorithm…
pg1989
  • 4,736
  • 25
  • 43
15
votes
1 answer

Is lattice-based cryptography practical?

How viable is lattice-based cryptography in a "practical" setting? It has been said that lattice-based cryptography would be a "post-quantum" cryptography scheme, but is it feasibly implementable?
Steven Sagona
  • 323
  • 1
  • 13
15
votes
1 answer

Impact of Ryan and Heninger's CRYPTO 2023 paper on post quantum cryptosystems

From Schneier's blog, which seems to have been written in response to a somewhat recent Quanta magazine article: The winner of the Best Paper Award at CRYPTO this year (2023) was a significant improvement to lattice-based cryptanalysis. So the…
kodlu
  • 25,146
  • 2
  • 30
  • 63
14
votes
5 answers

Why is lattice-based cryptography believed to be hard against quantum computer?

Why is lattice-based cryptography believed to be hard against quantum computer? Learning With Errors(LWE) problem (reduction to SVP) is just one example. Can you provide some intuition of the hardness?
mallea
  • 1,715
  • 1
  • 12
  • 23
14
votes
3 answers

Why are only lattice problems used in cryptography?

There are thousands of NP-hard problems out there. Why have only lattice problems been applied to cryptography?
Little Nan
  • 239
  • 1
  • 3
13
votes
0 answers

Potential Flaws With Lattice Based Cryptography?

From researching post-quantum cryptographic schemes it seems hash-based and lattice-based algorithms are the most promising (MQ-based seem to be covered by patents and have more potential unknowns which could be used to exploit them.) Hash-based…
CoryG
  • 589
  • 3
  • 11
13
votes
2 answers

What does "Worst-case hardness" mean in lattice-based cryptography?

In the wiki page of Lattice-based Cryptography the "Worst-case hardness" is defined as below: Worst-case hardness of lattice problems means that breaking the cryptographic construction (even with some small non-negligible probability) is provably…
Habib
  • 961
  • 8
  • 23
1
2 3
45 46