Content deleted Content added
Improved wording |
Carvalho1988 (talk | contribs) →The Key Exchange: Clarified the key exchange. |
||
Line 34:
'''Responder's Steps:'''
# Generate two small polynomials s<sub>R</sub>(x) and e<sub>R</sub>(x) by sampling from the distribution D.
# Compute '''v(x) =''' '''t<sub>I</sub>(x)·s<sub>R</sub>(x) + e<sub>R</sub>(x)''' ''Note that
# The distribution of the coefficients of v(x) are smoothed by looping through the coefficients and randomly adjusting certain values. For j = 0 to n-1:
## If v<sub>j</sub> = 0, draw a random bit (b). If b = 0 then v<sub>j</sub> = 0 otherwise v<sub>j</sub> = q-1
Line 49:
'''Initiators Final Steps:'''
# Receive t<sub>R</sub>(x) and c from the Responder
# Compute '''w(x) = t<sub>R</sub>(x)·s<sub>I</sub>(x) + e<sub>I</sub>(x)''' = a(x)s<sub>I</sub>(x)s<sub>R</sub>(x) + e<sub>R</sub>(x)s<sub>I</sub>(x) + e<sub>I</sub>(x) ''Note that while this this does not equal v(x) (above)
# An n-long bit stream (uj) is formed by looping through the coefficients of w(x) and performing "Key Reconciliation." For j = 0 to n-1:
## If c<sub>j</sub> = 0 and -q/8 ≤ w<sub>j</sub> < 3q/8 then u<sub>j</sub> = 0 otherwise u<sub>j</sub> = 1
Line 65:
For 256 bits of security, n = 1024, q = 40961, and F(x) = x<sup>1024</sup> + 1
Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. This is generally referred to as the soundness of the If we assume that the gaussian parameter σ is 8/sqrt(2π) and the uniform sampling bound (b) = 5 (see Singh)<ref name=":1" />, then the probability of key agreement failure is <u>less than</u> 2<sup>-71</sup> for the 128-bit secure parameters and 2<sup>-91</sup> for the 256-bit secure parameters.
=== Key Exchange Security ===
| |||