S-Cloud+ Vault Explorer
Interactive demonstration of the S-Cloud+ Vault, a secure container for encrypted payloads using lattice-based Key Encapsulation (ePrint 2024/1306, Wang et al., Tsinghua University / Huawei). It features BW₃₂ Barnes-Wall lattice coding, ternary secrets, and FO-transformed IND-CCA2 security.
Reality Check
What this project demonstrates
- Client-side encryption model
- Secure container concept
- Key derivation → encryption flow
What this project simplifies
- No secure enclave / HSM
- No hardened authentication layer
- No malicious client defense
What this project is NOT
- Not production-ready secure storage
- Not resistant to XSS or a compromised browser
- Not a substitute for audited systems
Security Model
- Encryption algorithm: AES-256-GCM (or as implemented in S-Cloud+)
- Key derivation: Argon2id (or as implemented in S-Cloud+)
- Key location: Client-side only; never leaves the device
- Remote storage: Only ciphertext is intended to be stored remotely
Threats Considered
- Data-at-rest exposure
- Network interception
Threats NOT Covered
- Malicious browser environment
- Keylogging
- XSS / injected scripts
Reality Check
What This Demo Is
- A faithful TypeScript port of ePrint 2024/1306 parameters and algorithms
- Real SHAKE-128/256 and SHA3-256 running in your browser (pure Keccak)
- Full KEM round-trip: KeyGen → Encaps → Decaps with implicit rejection
- BW₃₂ lattice coding with measurable error-correction radius
What This Demo Is Not
- Not constant-time — JavaScript cannot guarantee timing-safe execution
- Not audited or suitable for production key exchange
- Not a substitute for a vetted C/Rust implementation
- Not endorsed by the S-Cloud+ authors or any standards body
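The Decaps-with-implicit-rejection step of the round-trip listed above, as an added example that is not code from this demo or from the S-Cloud+ authors: an FO wrapper around a toy Diffie-Hellman PKE that stands in for the lattice PKE. The group parameters, the "coins"/"key"/"rej" domain labels and all function names are assumptions made for illustration.

```javascript
// Added example: FO transform with implicit rejection around a toy PKE.
// The PKE is a small Diffie-Hellman stand-in, NOT S-Cloud+'s lattice scheme and NOT secure.
const nodeCrypto = typeof require === "function"   // loads under CommonJS or ESM
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const P = 2n ** 61n - 1n, G = 3n;                  // toy group parameters (assumed)
const shake = (len, ...parts) => {                 // SHAKE-256 over concatenated parts
  const h = nodeCrypto.createHash("shake256", { outputLength: len });
  for (const p of parts) h.update(p);
  return h.digest();
};
const toInt = (buf) => BigInt("0x0" + buf.toString("hex"));
const toBuf = (n) => Buffer.from(n.toString(16).padStart(16, "0"), "hex");
const xor = (a, b) => Buffer.from(Array.from(a, (v, i) => v ^ b[i]));
function modpow(b, e, m) {
  let r = 1n;
  for (b %= m; e > 0n; e >>= 1n, b = (b * b) % m) if (e & 1n) r = (r * b) % m;
  return r;
}

// Deterministic PKE: all randomness comes from `coins`, so Decaps can re-encrypt.
function pkeEnc(pk, m, coins) {
  const r = toInt(coins) % (P - 1n);
  return Buffer.concat([toBuf(modpow(G, r, P)), xor(m, shake(32, toBuf(modpow(pk, r, P))))]);
}
function pkeDec(sk, c) {
  const u = toInt(c.subarray(0, 8)) % P;
  return xor(c.subarray(8), shake(32, toBuf(modpow(u, sk, P))));
}
const coinsFor = (pk, m) => shake(32, "coins", toBuf(pk), m);

function keyGen() {
  const sk = (toInt(nodeCrypto.randomBytes(32)) % (P - 2n)) + 1n;
  return { pk: modpow(G, sk, P), sk, z: nodeCrypto.randomBytes(32) }; // z: rejection secret
}
function encaps(pk) {
  const m = nodeCrypto.randomBytes(32);
  const c = pkeEnc(pk, m, coinsFor(pk, m));
  return { c, key: shake(32, "key", m, c) };
}
function decaps({ pk, sk, z }, c) {
  const m2 = pkeDec(sk, c);
  const c2 = pkeEnc(pk, m2, coinsFor(pk, m2));     // re-encryption check
  const ok = c.length === c2.length && nodeCrypto.timingSafeEqual(c, c2);
  const accept = shake(32, "key", m2, c), reject = shake(32, "rej", z, c);
  return ok ? accept : reject;                     // no error path for the caller to observe
}
```

A tampered or truncated ciphertext yields a 32-byte key derived from z and the ciphertext instead of an error, so the caller gets no decryption-failure signal. The final select is still not constant-time in JavaScript, in line with the limitation listed above.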
What the Textbook Doesn't Show
Standard LWE-KEM treatments stop at "add noise, hope it rounds away." S-Cloud+ takes a different path: Barnes-Wall BW₃₂ lattice coding provides structured error correction that doubles the tolerable noise compared to simple rounding. This is the key insight: by encoding each 5-bit message chunk into a 32-dimensional lattice point, the decoder can correct errors up to the packing radius of BW₃₂, letting the authors shrink the modulus and matrix dimensions while maintaining the same security level. The result is smaller keys than FrodoKEM at comparable strength, without relying on the algebraic ring structure that ML-KEM uses.