Lattices and Kyber PQC Presentation

  • Published 11 Oct 2024

COMMENTS • 19

  • @prmishra1 1 year ago

    @Mojtaba In slide 28 (52:00) you write m*((q+1)>>1). This will fix 0 to zero and map 1 to 7. In slide 29 also, you write if (f2[0]>(q/4)) & (f2[0]3 and f2[0]

  • @ThePaci93 1 year ago +1

    @Mojtaba Great presentation! Why at 47:29, in t's formula, didn't you compute A*s + e? You only compute t = A*s in your example. Thanks

    • @mojtababishehniasar9028 1 year ago

      Firstly, we compute A*s, and in the next step we will perform A*s + e. In that slide, the second operation is not shown. You can see the details here: ua-cam.com/video/gp7KFOs7y3g/v-deo.html 1:06:50

  • @Oliver.Rostami 1 year ago +3

    51:28 The student posed an excellent question. Nonetheless, the answer appears to be incorrect! We do not raise the size of the k to accommodate a larger message! In fact, the size of the message is 32 bytes without having a 32-byte k in CRYSTALS-Kyber!

  • @bju295 3 months ago

    Why are "rejection" and "CBD" used? Can we use only one of them to generate A and s, e? (Also, the rejection output that is used for A is assumed to be in the NTT domain. Why is that so?)

  • @arifyunandasiregar9568 1 year ago +1

    The slide at 29:43: I was figuring out the storage of M-LWE, and I think it should be O(kn) instead, considering that the whole matrix is divided into k^2 matrices, and for each divided matrix we only need to store the first column. The column length is divided by k every time it is divided, so each divided matrix, instead of needing to store an n column vector, only needs to store an n/k column vector. So the storage big-O should be O((n/k)*k^2), which should be O(kn).
    I am not sure how it will affect the computation big-O.

  • @taifour_taoutaou 1 year ago

    I'm wondering if you are going to give a presentation about attacks on Kyber.

    • @slaozeren8742 1 year ago +1

      Yeah, same. Especially side-channel attacks.

  • @haoliu70 1 year ago

    A nice presentation, would you please share the PDF file?

  • @MAJIDK-zs7bq 1 year ago

    Sir, very good presentation. Can you share the code for Kyber for this?

  • @赵赵-w4j 1 year ago +1

    Why, at 22:00, do you say that in as=t it is easy to find s, and at 22:10 say it's hard to find e in ae=t? What's the relationship between ae=t and as+e=t?

    • @mattiamirigaldi633 1 month ago

      I'm guessing it's a mistake. From my understanding, the complexity should be 2^O(m) to solve the As+e=t problem. All possible e values must be tried.

  • @vasnivebryle 8 months ago

    There is an error at slide 11. The system of equations yields result x≈0.46109, y≈-0.096502.

  • @bju295 3 months ago

    @1:23:30 How is the seed given to Keccak? Will it be randomly generated, or will it be secret?

    • @mattiamirigaldi633 1 month ago

      It is randomly generated. Once used to generate the secret key, it can be discarded.

  • @taifour_taoutaou 1 year ago

    Thank you so much.
    It's very beneficial.

  • @HoseinMohammadinia 7 months ago

    Hello Mojtaba. I was glad to see that someone of Iranian descent has produced content on the subject of cryptography.
    If there is a possibility of further conversation between us, I would be happy to have one.
    I am one of the students at Ferdowsi University of Mashhad. I am Hosein.

  • @madhavmishra6829 7 months ago

    Sir, can I get the PDF of this presentation? I'm a second-year undergraduate student, so this PDF will help me a lot.
    It would be great if you could provide me the PDF. One more thing: how can I use or implement Kyber? I'm having some difficulty because I'm trying it on Windows and the commands are for Linux and macOS.
    Your help would be great.
    Thank you.

  • @SPalC-qu6hh 16 days ago

    Such a horrible presentation tbh... In the LWE Encryption, his code did the right thing (almost), but he explained it horribly wrong. We usually send 0 for message bit 0, and send [q/2] for 1, that is actually (q-1)/2 for an odd prime q. Next, when the erroneous value comes in, it checks if it's on the upper-half or on the lower-half of the field circle. Upper-half means it is close to 0 and it decrypts 0, and lower-half means it is close to (q-1)/2 and it decrypts 1. And this is almost what his code does. But, it seems as if it's not even his own code, considering how he explained it. Now, his code sends 0 for 0 and (q+1)/2 (that is 7) for 1 (which should have been (q-1)/2, that's why I said "almost"). Now, it still works because the errors are bounded in the interval [-1,1]. If the errors were in the interval [-2,2], it would've decrypted 0 for message 1 and error 2. But this is just a minor detail as q is supposed to be a large odd prime and error values are very very small in practical scenarios.
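
Added example (not part of the video, its slides, or any comment above): the encode-by-rounding step discussed in the comments, using Kyber's own Compress/Decompress rule for one bit, with a sweep that measures how much additive noise each encoding of bit 1 tolerates. The function names, the `enc1` override and the toy modulus q = 13 (taken from "(q+1)/2 = 7") are assumptions of this example; the decoder here is Kyber's rounding rule, not the presenter's code, whose thresholds are not fully visible on this page.

```python
# Added example: 1-bit message encoding by rounding, following Kyber's
# Compress/Decompress rule for d = 1. Not the presenter's code.

KYBER_Q = 3329   # Kyber modulus
TOY_Q = 13       # toy modulus for which (q+1)/2 = 7, as in the comments

def round_half_up(num, den):
    """Nearest integer to num/den (den > 0), ties up, integers only."""
    return (2 * num + den) // (2 * den)

def encode_bit(bit, q):
    """Decompress_q(bit, 1): 0 -> 0 and 1 -> round(q/2) = (q+1)//2 for odd q."""
    return round_half_up(q * bit, 2) % q

def decode_value(v, q):
    """Compress_q(v, 1) = round(2v/q) mod 2: 1 iff v is nearer q/2 than 0."""
    return round_half_up(2 * (v % q), q) % 2

def tolerated_noise(bit, q, enc1=None):
    """Return (lo, hi): every additive noise e with lo <= e <= hi still
    decodes to `bit`. enc1 is a hypothetical override for the value sent
    for bit 1, to compare (q-1)//2 with (q+1)//2."""
    if enc1 is None:
        enc1 = encode_bit(1, q)
    base = enc1 if bit else 0
    lo = hi = 0
    while decode_value(base + lo - 1, q) == bit:
        lo -= 1
    while decode_value(base + hi + 1, q) == bit:
        hi += 1
    return lo, hi

def safe_radius(q, enc1=None):
    """Largest r such that any noise with |e| <= r decodes correctly for both bits."""
    return min(min(-lo, hi) for lo, hi in
               (tolerated_noise(b, q, enc1) for b in (0, 1)))

if __name__ == "__main__":
    for q in (TOY_Q, KYBER_Q):
        for enc1 in ((q - 1) // 2, (q + 1) // 2):
            print(q, enc1, tolerated_noise(0, q, enc1),
                  tolerated_noise(1, q, enc1), safe_radius(q, enc1))
```

Under this rounding rule the two candidate encodings of bit 1 only shift the tolerated interval by one; the symmetric margin stays just under q/4 in both cases.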