Content deleted Content added
m Section heading change: Parameter Choices → Parameter choices using a script |
Added math notation Tags: nowiki added Visual edit |
||
Line 15:
== Introduction ==
Starting with a [[Prime number|prime]] integer q, the [[Ring Learning with Errors|Ring-LWE]] key exchange works in the [[ring of polynomials]] modulo a polynomial
In 2014, Peikert<ref>{{Cite journal|last=Peikert|first=Chris|date=2014-01-01|title=Lattice Cryptography for the Internet|url=http://eprint.iacr.org/2014/070|journal=|volume=|issue=|doi=|pmid=|access-date=|via=}}</ref> presented a key transport scheme based on Ring-LWE. For somewhat greater than 128 [[bits of security]], Singh presents a set of parameters which have 6956-bit public keys for the Peikert's scheme.<ref name=":1">{{Cite journal|last=Singh|first=Vikram|date=2015|title=A Practical Key Exchange for the Internet using Lattice Cryptography|url=http://eprint.iacr.org/2015/138}}</ref> The corresponding private key would be roughly 14000 bits. An RLWE version of the classic MQV variant of a Diffie-Hellman key exchange was later published by Zhang et al. in 2014. The security of both key exchanges is directly related to the problem of finding approximate short vectors in an ideal lattice.This article will closely follow the RLWE work of Ding in "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem".<ref name=":0">{{Cite book|url=https://eprint.iacr.org/2012/688.pdf|title=A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem|last=Ding|first=Jintai|last2=Xie|first2=Xiang|last3=Lin|first3=Xiaodong|publisher=|year=2012|isbn=|___location=|pages=|via=}}</ref> For this presentation a typical polynomial is expressed as:
Line 21:
a(x) = a<sub>0</sub> + a<sub>1</sub>x + a<sub>2</sub>x<sup>2</sup> + ... + a<sub>n-3</sub>x<sup>n-3</sup> + a<sub>n-2</sub>x<sup>n-2</sup> + a<sub>n-1</sub>x<sup>n-1</sup>
The coefficients of this polynomial, the a<sub>i</sub>'s, are integers mod q. The polynomial
The RLWE-KEX uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm]]." The infinity norm for a polynomial is simply the value of the largest coefficient of the polynomial when the coefficients are considered as integers in Z rather than <math>Zq</math>(i.e.from the set {-(q-1)/2,..., 0, ... (q-1)/2} ). The algorithm's security depends on an ability to generate random polynomials which are small with respect to the infinity norm. This is done simply by randomly generating the coefficients for a polynomial (s<sub>n-1</sub>, ..., s<sub>0</sub>) which are guaranteed or very likely to be small. There are two common ways to do this:
Line 31:
== The Key Exchange ==
The key exchange will take place between two devices. There will be an initiator for the key exchange designated as (I) and a respondent designated as (R). Both I and R know q, n, a(x), and have the ability to generate small polynomials according to the distribution <math>\chi_\alpha</math> with parameter <math>\alpha</math>. The distribution <math>\chi_\alpha</math> is usually the discrete gaussian distribution on the ring R<sub>q</sub> = <math>Zq</math>[x]/
The key exchange begins with the initiator (I) doing the following:
Line 71:
== Parameter choices ==
The RWLE-KEX exchange presented above worked in the Ring of Polynomials of degree n-1 or less mod a polynomial
For 128 bits of security, n = 512, q = 25601, and
For 256 bits of security, n = 1024, q = 40961, and
Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter σ is 8/sqrt(2π) and the uniform sampling bound (b) = 5 (see Singh),<ref name=":1" /> then the probability of key agreement failure is <u>less than</u> 2<sup>−71</sup> for the 128-bit secure parameters and <u>less than</u> 2<sup>−91</sup> for the 256-bit secure parameters.
In their November 2015 paper, Alkim, Ducas, Popplemann, and Schwabe recommend the following parameters n = 1024, q =12289, and
| url = http://www.ringlwe.info/parameters-for-rlwe.html
| title = Parameters for RLWE
| |||