Revision as of 05:18, 18 July 2016 edit Dannyniu (talk \| contribs) 356 edits →Parameter Choices: typo RWLE -> RLWE. ← Previous edit		Revision as of 11:35, 23 July 2016 edit undo Dannyniu (talk \| contribs) 356 edits →The Key Exchange: change the description based on Chris Peikert's method to the description of the general RLWE-KEX procedure. Next edit →
Line 40: # Generate two small polynomials s<sub>R</sub>(x) and e<sub>R</sub>(x) by sampling from the distribution D. # Compute '''v(x) =''' '''t<sub>I</sub>(x)·s<sub>R</sub>(x) + e<sub>R</sub>(x)''' ''Note that v(x) = a(x)s<sub>I</sub>(x)s<sub>R</sub>(x) + e<sub>I</sub>(x)s<sub>R</sub>(x) + e<sub>R</sub>(x) and that e<sub>R</sub>(x) + e<sub>I</sub>(x)s<sub>R</sub>(x) will be small because e<sub>R</sub>(x) was chosen to be small and the coefficients of e<sub>I</sub>(x)s<sub>R</sub>(x) will be bounded in their growth and still relatively small.'' # ~~The~~Depending ~~distribution~~on ofthe specific scheme used, the coefficients of '''v(x)''' ~~are~~may ~~smoothed~~be byadded ~~looping~~with ~~through~~small ~~the~~randomized ~~coefficients~~values ~~and~~to ~~randomly~~hide ~~adjusting~~skewed ~~certain values~~distribution. ~~For j = 0 to n-1:~~ # As '''v(x)''' and '''w(x)''' differ by small amount, a reconciliation information c is produced based on '''v(x)''' ~~## If v<sub>j</sub> = 0, draw a random bit (b). If b = 0 then v<sub>j</sub> = 0 otherwise v<sub>j</sub> = q-1~~ # Respondent side's key stream u is calculated, based on the reconciliation information c and the polynomial '''v(x)'''. ~~## If v<sub>j</sub> = (q-1)/4, draw a random bit (b). If b = 0 then v<sub>j</sub> = (q-1)/4 otherwise v<sub>j</sub> = (q+3)/4~~ ~~# Two n-long bit streams, cj, and uj, are formed from the coefficients of v(x), (v<sub>n-1</sub>, ... , v<sub>0</sub> ), via "Cross Rounding" and "Modular Rounding" respectively. For j = 0 to n-1:~~ ## Set c<sub>j</sub> to be the lowest bit of the [[Floor and ceiling functions\|floor]] of quotient (4v<sub>j</sub>)/q[[nearest integer function\|;]] that is <math display="inline">c_j = \lfloor 4 v_j/q \rfloor\mod 2</math> ~~## Set u<sub>j</sub> to be the lowest bit of the quotient (2v<sub>j</sub>)/q after [[Nearest integer function\|rounding]]; that is <math>u_j = \lfloor 2v_j/q\rceil\mod 2</math>~~ ~~#Form the key (k) as the concatenation of u<sub>n-1</sub>, ..., u<sub>0</sub>.~~ ~~# Form an n-long "reconciliation" bit string (c) as the concatenation of c<sub>n-1</sub>, ..., c<sub>0</sub>.~~ # Compute t<sub>R</sub>(x) = a(x)·s<sub>R</sub>(x) + e<sub>R</sub>(x). # The Respondent sends t<sub>R</sub>(x) and c to the Initiator. '''Initiators Final Steps:''' # Receive t<sub>R</sub>(x) and c from the Responder # Compute '''w(x) = t<sub>R</sub>(x)·s<sub>I</sub>(x) + e<sub>I</sub>(x)''' = a(x)s<sub>I</sub>(x)s<sub>R</sub>(x) + e<sub>R</sub>(x)s<sub>I</sub>(x) + e<sub>I</sub>(x) ''Note that while this does not equal v(x) (above) the first term in the result a(x)s<sub>I</sub>(x)s<sub>R</sub>(x) equals the first term in v(x) and the other terms are all small. The ~~following~~ reconciliation ~~steps~~method will correct (with high probability) the differences.'' ~~# An n-long bit stream (uj) is formed by looping through the coefficients of w(x) and performing "Key Reconciliation." For j = 0 to n-1:~~ ~~## If c<sub>j</sub> = 0 and -q/8 ≤ w<sub>j</sub> < 3q/8 then u<sub>j</sub> = 0 otherwise u<sub>j</sub> = 1~~ ~~## If c<sub>j</sub> = 1 and -3q/8 ≤ w<sub>j</sub> < q/8 then u<sub>j</sub> = 0 otherwise u<sub>j</sub> = 1~~ ~~# Form the key (k) as the concatenation of u<sub>n-1</sub>, ..., u<sub>0</sub>~~ If the key exchange worked properly, the initiator's string: u<sub>n-1</sub>, ..., u<sub>0</sub> and the respondent's string: u<sub>n-1</sub>, ..., u<sub>0</sub> will be the same.▼ # Initiator side's key stream is produced from the reconciliation information c and polynomial '''w(x)'''. Depending on the specifics of the parameters chosen n, q, σ, or b, there is an extremely small probability that this key exchange will fail to produce the same key. Parameters for the key exchange can be chosen to make the probability of failure in the key exchange very small; much less than the probability of undetectable garbles or device failures.▼ The methods of reconciliation and key string generation depends on the specific RLWE-KEX scheme in question. some method is based on modular arithmetic, while others may be based on high-dimension geometry. <ref name=":2"/><ref name=":3"/><ref name=":8"/> ▲If the key exchange worked properly, the initiator's string~~: u<sub>n-1</sub>, ..., u<sub>0</sub>~~ and the respondent's string~~: u<sub>n-1</sub>, ..., u<sub>0</sub>~~ will be the same. ▲Depending on the specifics of the parameters chosen ~~n, q, σ, or b~~, there is an extremely small probability that this key exchange will fail to produce the same key. Parameters for the key exchange can be chosen to make the probability of failure in the key exchange very small; much less than the probability of undetectable garbles or device failures. == Parameter Choices ==

Ring learning with errors key exchange: Difference between revisions