Content deleted Content added
mNo edit summary |
→Parameter choices: Adding info about the NewHope variant. |
||
Line 79:
Because the key exchange uses random sampling and fixed bounds there is a small probability that the key exchange will fail to produce the same key for the initiator and responder. If we assume that the Gaussian parameter ''σ'' is 8/√(2{{pi}}) and the uniform sampling bound (''b'') = 5 (see Singh),<ref name=":1" /> then the probability of key agreement failure is <u>less than</u> 2<sup>−71</sup> for the 128-bit secure parameters and <u>less than</u> 2<sup>−91</sup> for the 256-bit secure parameters.
In their November 2015 paper, Alkim, Ducas, Popplemann, and Schwabe recommend the following parameters n = 1024, q =12289, and <math>\Phi(x)</math> = x<sup>1024</sup> + 1.<ref name=":3" /> This represents a 70% reduction in public key size over the n = 1024 parameters of Singh, and was submitted to NIST's [[Post-Quantum Cryptography Standardization]] project under the name [[NewHope]]. A listing of a number of different parameter choices for key exchanges using the Ring Learning with Errors problem are given at this link ([http://www.ringlwe.info/parameters-for-rlwe.html click here]).<ref>{{Cite web
| url = http://www.ringlwe.info/parameters-for-rlwe.html
| title = Parameters for RLWE
| |||