Skip to content

Scloud+

Unstructured-LWE KEM · ePrint 2024/1306 · FO-transformed IND-CCA2

Run a real Scloud+ key exchange in your browser — KeyGen, Encaps and Decaps over unstructured LWE with ternary secrets, BW₃₂ Barnes-Wall lattice coding, and a genuine Fujisaki-Okamoto re-encryption check.

New here? Here's the path

The sections are ordered easiest → deepest. You don't need any math background to start.

  1. The Big Picture — plain-English idea, no math.
  2. Guided Walkthrough — click through one full key exchange step by step.
  3. Core exhibits — LWE, ternary secrets, BW₃₂, keygen, the FO transform.
  4. Compare & reflect — sizes, performance, and how much it's been reviewed.

Reality Check

What This Demo Is

  • A faithful-but-simplified TypeScript implementation of the ePrint 2024/1306 ideas
  • Real SHAKE-256, SHA3-256 and SHA3-512 running in your browser (pure Keccak)
  • A genuine KEM round-trip: KeyGen → Encaps → Decaps with a real FO re-encryption check and implicit rejection
  • BW₃₂-style lattice coding with measurable error-correction radius

What This Demo Is Not

  • Not constant-time — JavaScript cannot guarantee timing-safe execution
  • Not audited or suitable for production key exchange
  • Not a substitute for a vetted C/Rust implementation
  • Not endorsed by the S-Cloud+ authors or any standards body

What the Textbook Doesn't Show

Standard LWE-KEM treatments stop at "add noise, hope it rounds away." S-Cloud+ takes a different path: Barnes-Wall BW₃₂ lattice coding provides structured error correction that doubles the tolerable noise compared to simple rounding. This is the key insight — by encoding each 5-bit message chunk into a 32-dimensional lattice point, the decoder can correct errors up to the packing radius of BW₃₂, letting the authors shrink modulus and matrix dimensions while maintaining the same security level. The result: smaller keys than FrodoKEM at comparable strength, without relying on algebraic ring structure like ML-KEM.