Scloud+
Unstructured-LWE KEM · ePrint 2024/1306 · FO-transformed IND-CCA2
Run a real Scloud+ key exchange in your browser — KeyGen, Encaps and Decaps over unstructured LWE with ternary secrets, BW₃₂ Barnes-Wall lattice coding, and a genuine Fujisaki-Okamoto re-encryption check.
New here? Here's the path
The sections are ordered easiest → deepest. You don't need any math background to start.
- The Big Picture — plain-English idea, no math.
- Guided Walkthrough — click through one full key exchange step by step.
- Core exhibits — LWE, ternary secrets, BW₃₂, keygen, the FO transform.
- Compare & reflect — sizes, performance, and how much it's been reviewed.
Reality Check
What This Demo Is
- A faithful-but-simplified TypeScript implementation of the ePrint 2024/1306 ideas
- Real SHAKE-256, SHA3-256 and SHA3-512 running in your browser (pure Keccak)
- A genuine KEM round-trip: KeyGen → Encaps → Decaps with a real FO re-encryption check and implicit rejection
- BW₃₂-style lattice coding with measurable error-correction radius
What This Demo Is Not
- Not constant-time — JavaScript cannot guarantee timing-safe execution
- Not audited or suitable for production key exchange
- Not a substitute for a vetted C/Rust implementation
- Not endorsed by the S-Cloud+ authors or any standards body
What the Textbook Doesn't Show
Standard LWE-KEM treatments stop at "add noise, hope it rounds away." S-Cloud+ takes a different path: Barnes-Wall BW₃₂ lattice coding provides structured error correction that doubles the tolerable noise compared to simple rounding. This is the key insight — by encoding each 5-bit message chunk into a 32-dimensional lattice point, the decoder can correct errors up to the packing radius of BW₃₂, letting the authors shrink modulus and matrix dimensions while maintaining the same security level. The result: smaller keys than FrodoKEM at comparable strength, without relying on algebraic ring structure like ML-KEM.