For 256 bits of security, n = 1024, q = 40961, and F(x) = x<sup>1024</sup> + 1
TheseBased on the BKZ 2.0 lattice reduction approach, these choices of parameters will provide greater than 128 or 256 bits of security, respectively. <ref>{{Cite Ifbook|title we= assumeBKZ that2.0: theBetter gaussianLattice parameterSecurity σEstimates|url is= 8http:/sqrt(2π)/link.springer.com/chapter/10.1007/978-3-642-25385-0_1|publisher and= theSpringer uniformBerlin samplingHeidelberg|date bound= (b)2011|isbn = 5(see978-3-642-25384-3|pages Singh)<ref name=": 1"-20|series />,= Lecture thenNotes thein probabilityComputer ofScience|language key= agreementen|first failure= isYuanmi|last <u>less= than</u>Chen|first2 2<sup>-71</sup>= forPhong theQ.|last2 128= Nguyen|editor-bitfirst secure= parametersDong and 2<sup>Hoon|editor-91</sup>last for= theLee|editor-first2 256= Xiaoyun|editor-bitlast2 secure= parameters.Wang}}</ref>
If we assume that the gaussian parameter σ is 8/sqrt(2π) and the uniform sampling bound (b) = 5(see Singh)<ref name=":1" />, then the probability of key agreement failure is <u>less than</u> 2<sup>-71</sup> for the 128-bit secure parameters and 2<sup>-91</sup> for the 256-bit secure parameters.
