Content deleted Content added
→The Key Exchange: fix maths equation. |
No edit summary |
||
Line 15:
== Introduction ==
Starting with a [[Prime number|prime]] integer q, the [[Ring Learning with Errors|Ring-LWE]] key exchange works in the [[ring of polynomials]] modulo a polynomial Φ(x) with coefficients in the field of integers mod q (i.e. the ring
a(x) = a<sub>0</sub> + a<sub>1</sub>x + a<sub>2</sub>x<sup>2</sup> + ... + a<sub>n-3</sub>x<sup>n-3</sup> + a<sub>n-2</sub>x<sup>n-2</sup> + a<sub>n-1</sub>x<sup>n-1</sup>
The coefficients of this polynomial, the a<sub>i</sub>'s, are integers mod q. The polynomial Φ(x) will be
The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm]]." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as
# Using [[Uniform distribution (discrete)|Uniform Sampling]] - The coefficients of the small polynomial are uniformly sampled from a set of small coefficients. Let b be an integer that is much less than q. If we randomly choose coefficients from the set: { -b, -b+1, -b+2. ... -2, -1, 0, 1, 2, ... , b-2, b-1, b} the polynomial will be small with respect to the bound (b). Singh suggest using b = 5.<ref name=":1" /> Thus coefficients would be chosen from the set { q-5, q-4, q-3, q-2, q-1, 0 , 1, 2, 3, 4, 5 }.
# Using [[Gaussian distribution|Discrete Gaussian]] Sampling - For an odd value for q, the coefficients are randomly chosen by sampling from the set { -(q-1)/2 to (q-1)/2 } according to a discrete Gaussian distribution with mean 0 and distribution parameter σ. The references describe in full detail how this can be accomplished. It is more complicated than uniform sampling but it allows for a proof of security of the algorithm. An overview of Gaussian sampling is found in a presentation by Peikert.<ref>{{Cite web|title = http://www.cc.gatech.edu/~cpeikert/pubs/slides-pargauss.pdf|url = http://www.cc.gatech.edu/~cpeikert/pubs/slides-pargauss.pdf|website = www.cc.gatech.edu|accessdate = 2015-05-29}}</ref>
For the rest of this article, the random small polynomials will be sampled according to a distribution which is simply specified as '''D'''. Further q will be an odd prime such that q is congruent to 1 mod 4 and 1 mod 2n. The maximum degree of the polynomials (n) will be a power of 2. This follows the work of Singh.<ref name=":1" /> Other cases for q and n are thoroughly discussed in "A Toolkit for Ring-LWE Cryptography" and in Singh's "Even More Practical Key Exchange for the Internet using Lattice Cryptography."<ref name=":2" /> <ref>{{Cite web|title = Cryptology ePrint Archive: Report 2015/1120|url = http://eprint.iacr.org/2015/1120|website = eprint.iacr.org|access-date = 2016-01-17}}</ref> and another paper by Singh. A fixed public polynomial, a(x), shared by all users of the network. It is deterministically generated from a cryptographically secure source.
Given a(x) as stated, we can randomly choose small polynomials s(x) and e(x) to be the "private key" in a public key exchange. The corresponding public key will be the polynomial t(x) = a(x)s(x) + e(x). The security of the key exchange that follows is based the difficulty of finding a pair of small polynomials s'(x) and e'(x) such that for a given t(x), a(x)s'(x) + e'(x) = t(x).
Line 70:
Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter σ is 8/sqrt(2σ) and the uniform sampling bound (b) = 5 (see Singh),<ref name=":1" /> then the probability of key agreement failure is <u>less than</u> 2<sup>−71</sup> for the 128-bit secure parameters and <u>less than</u> 2<sup>−91</sup> for the 256-bit secure parameters.
In their November 2015 paper, Alkim, Ducas, Popplemann, and Schwabe recommend the following parameters n = 1024, q =12289, and Φ(x) = x<sup>1024</sup> + 1.<ref name=":3" /> This represents a 70% reduction in public key size over the n = 1024 parameters of Singh.
== Key Exchange Security ==
| |||