Keywords

1 Introduction

1.1 The Post-quantum World

Key exchange is a very important cryptographic primitive which allows communicating parties to agree on same keys over insecure network. In 1976, the first key exchange primitive – Diffie-Hellman key exchange protocol was proposed in [20]. This ground-breaking work is a key part of public key cryptography and it inspires cryptographers to build new public key cryptosystems and key exchange protocols. With properly chosen parameters and implementations, Diffie-Hellman key exchange and its variants are hard to break with current computing resources.

However, such cryptosystems are no longer secure against sufficiently large quantum computers. In 1994, Shor proposed a quantum algorithm which can solve discrete logarithm problem (DLP) and integer factorization problem (IFP) on a quantum computer [32] in polynomial time. Therefore, if a sufficient large quantum computer is built, Shor’s algorithm is expected to break cryptosystems which are constructed based on DLP, IFP and their elliptic curve variants etc., including RSA, DSA, ElGamal etc. It is vital to develop secure and practical post-quantum alternatives for the upcoming post-quantum world.

During recent years, various works are focusing on the lattice-based Ring Learning With Errors (RLWE) problem [25], which is the ring variant of Learning With Errors (LWE) problem [27]. They enjoy high efficiency as well as strong security, making them very promising towards the post-quantum world.

In 2015, NSA announced that it is planning the transition to quantum-resistant cryptography suites in near future. In 2016, NIST formally published calls for new post-quantum cryptography algorithms [19]. This stresses importance and urgency to develop post-quantum alternatives for near future. NIST focused on three primitives: public key encryption, digital signature and key establishment.

1.2 Quantum-Resistant RLWE+Rounding Key Exchange with One Sample

The first complete key exchange solution appeared in the LWE & RLWE-based key exchange protocols proposed by Ding et al. in 2012 [21]. There are various similar works that construct LWE/RLWE-based key exchange protocols, including BCNS [14], NewHope [6], Frodo [13], NewHope-Simple [5], HILA5 [28], Kyber [15] etc. Also there are various new protocols in NIST’s round 1 submissions [19].

[11] proposed the Learning With Rounding (LWR) problem, which can reduce communication cost of LWE problem through rounding. Since rounding and recovering algorithms generate deterministic errors, [11] suggests that error term in LWE problem can be discarded with properly chosen parameters. Till now, concrete security of LWR and its ring variant – RLWR problem is not well understood. In LWR and RLWR, “error” on the term \(\mathbf {a}\cdot \mathbf {s}\) is only generated by deterministic rounding and recovering algorithm, and this brings security concerns over LWR and RLWR problems. This is also the reason why we prefer the“RLWE+Rounding” approach, instead of using RLWR directly.

Inspired by the notion of RLWR and RLWE-based key exchange, we introduce a new rounding technique dedicated to our key exchange design to reduce the communication cost and increase the security simultaneously. Unlike LWR/RLWR-based cryptosystems, we keep the freshly generated and secret error term \(2\mathbf {e}\) in our RLWE instance \(\mathbf {a}\cdot \mathbf {s}+2\mathbf {e}\), then we apply our new rounding technique. We call this a RLWE+Rounding sample. By designing new rounding and recovering techniques, we reduce communication cost substantially and further improve the practical efficiency of our key exchange protocol. Moreover, it actually adds larger perturbation – “error” on \(\mathbf {a}\cdot \mathbf {s}\) compared to standard RLWE instance, which helps to improve security of our protocol even further.

In addition, we give two flexible parameter choices and implementation that ensure low key exchange failure probability and cover security of AES-128/192/256 using our new security analysis technique for only one sample case.

1.3 Parameter Settings for ONE-Sample RLWE Case

It is very clear that for an RLWE-based ephemeral key exchange, an attack can only get one sample. And each RLWE sample can be expanded to n LWE samples by rotating elements in the convolution polynomial ring. Recently a work of [29] developed techniques in solving standard LWE instances with a restricted number of samples. However, it is not adapted in practical security analysis of RLWE key exchanges directly. Especially we can not adopt the LWE-estimator [4] directly because of the perturbations from the rounding/recovering functions in our key exchange scheme. We developed the security analysis of the dual embedding attack (we call “SIS attack” in this work) on solving ONE-sample RLWE case.

Further, in Table 1 we show the complexity of solving the standard LWE instance using SIS attack given n and 2n samples. We use Regev’s parameter settings \((n,\alpha =\frac{1}{\sqrt{2\pi n}\log ^2 n}, q\approx n^2)\) in the original LWE paper [27]. We estimate the hardness of standard LWE for \(n=\{128,512,1024,2048\}\) using the LWE-estimator [4] and restrict the number of given samples to n and 2n. From the table we can see that the gap of complexities is distinctly larger with n increasing. Note that the n and 2n samples here can be seen as extracted from ONE-sample RLWE case and TWO-samples RLWE case respectively. Hence for the security analysis of RLWE instance, the available number of samples may lead a big gap for high dimensions.

Table 1. Hardness estimation for restricted number of LWE samples with Regev’s parameter settings from LWE-estimator.
Full size table

1.4 Contribution

In this paper, we introduce an appropriate method to estimate the security of only one RLWE sample. Complexity of various practical attacks on having only one sample and multiple samples are very different. We discuss such differences carefully. We apply the one sample model to construct an ephemeral-only RLWE-based key exchange protocol. Our construction is an ephemeral RLWE+Rounding variant of the classic Diffie-Hellman key exchange protocol, which can be regarded as a direct drop-in replacement for current widely-deployed Diffie-Hellman key exchange protocol and its variants. We use the new RLWE+Rounding technique instead of RLWR to improve the security of our scheme and reduce communication cost simultaneously. We note that multiple key reuse attacks targeting RLWE-based key exchange protocols do not work for our protocol. Moreover, we study the practical SIS attack on the only one-sample RLWE case. We give secure parameter settings for AES-128/192/256 security levels, which are based on the progressive BKZ simulator as a practical reference and using the sieving-BKZ estimation as a lower bound, taking the impact of exponential memory requirement of sieving subroutine into account. We present protocol specifications, parameter choices, security analysis and performance analysis of our protocol.

Advantages. Here we briefly summarize advantages of our construction as follows: (1) one RLWE sample and flexible parameter choices. Attackers can only use one RLWE sample for lattice attacks since our construction is an ephemeral-only key exchange; (2) reduced Communication Cost. Our rounding technique gives at least 10% smaller communication cost compared with similar RLWE-based ones at similar security level; (3) longer Final Shared Keys. Our protocol generates a 512 or 1024 bits key, while most similar works generate 256-bit key. We believe long shared key is extremely important for real-world applications, e.g. the master key in TLS protocol is 384 bits; (4) forward Secure. Our protocol is an ephemeral Diffie-Hellman-like schemes instead of KEM, where in practice, the latter approach reuses public key. If the secret key is leaked, then all previous captured traffic can be decrypted.

2 Ephemeral-Only RLWE+Rounding Key Exchange

2.1 Preliminaries

Let \(R_q=\mathbb {Z}_q[x]/f(x)\) be the quotient ring of integer polynomials with \(f(x)=x^n+1\), q a prime number, and n a number as a power of 2. A polynomial \(\mathbf {a}\) in \(R_q\) is represented as \(\mathbf {a}=a_1+a_2x+\cdots +a_{n}x^{n-1}\). Coefficients of a polynomial \(\mathbf {a}\) can also denoted by a vector \(\mathbf {a} = (a_1,...,a_{n})\).

Let \(\varLambda \) be a discrete subset of \(\mathbb {Z}^n\). For any vector \(\mathbf c \in \mathbb {R}^n\) and any positive parameter \(\sigma >0\), let \(\rho _{\sigma ,\mathbf c }(\mathbf x )=e^{-\pi \Vert \mathbf x -\mathbf c \Vert ^2/\sigma ^2}\) be the Gaussian function on \(\mathbb {R}^n\) with the center \(\mathbf c \) and the parameter \(\sigma \). Denote \(\rho _{\sigma ,\mathbf c }(\varLambda )=\sum _{x\in \varLambda }\rho _{\sigma , \mathbf c (x)}\) be the discrete integral of \(\rho _{\sigma ,\mathbf c }\) over \(\varLambda \), and \(D_{\varLambda ,\sigma ,\mathbf c }\) be the discrete Gaussian distribution over \(\varLambda \) with the center \(\mathbf c \) and the parameter \(\sigma \). For all \(\mathbf y \in \varLambda \), we have \(D_{\varLambda ,\sigma ,\mathbf c }(\mathbf y )=\frac{\rho _{\sigma ,\mathbf c }(\mathbf y )}{\rho _{\sigma ,\mathbf c }(\varLambda )}\). In this paper, we fix \(\varLambda \) to be \(\mathbb {Z}^n\) and \(\mathbf c \) to be zero vector. For ease of notation, we denote \(D_{\mathbb {Z}^n,\sigma ,0}\) as \(D_{\mathbb {Z}^n,\sigma }\). Let U[ab] be the uniform distribution over discrete set {\(a,a+1,\cdots ,b-1,b\)} over integers. Let \(\xleftarrow {\$}\chi \) denote a random sampling according to the distribution \(\chi \). Here we represent \(\mathbb {Z}_q\) as \(\{-\frac{q-1}{2},\cdots ,\frac{q-1}{2}\}\). However, on occasion, we treat elements in \(\mathbb {Z}_q\) as elements in \(\{0,\cdots ,q-1\}\) for convenience, but we will remark the switch clearly.

Let \(||\cdot ||_1\) be the \(l_1\)-norm, \(||\cdot ||_2\) be the \(l_2\)-norm, \(||\cdot ||_\infty \) be the \(l_\infty \)-norm. Let \(\lfloor x\rfloor \) be the floor function which outputs the greatest integer that is less than or equal to x, \(\lceil x\rceil \) be ceiling function which outputs the least integer that is greater than or equal to x, \(\lfloor x\rceil \) be the rounding function which rounds x to nearest integer. Let “\(a\Vert b\)” denotes the concatenation of a and b. Function \(\log \) denotes the natural logarithm, \(\log _2\) denotes logarithm with base 2.

First we recall and introduce useful lemmas.

Lemma 1

([34], Lemma 2.5). For \(\sigma >0\), \(r\ge 1/\sqrt{2\pi }\), .    \(\square \)

Lemma 2

For \(\mathbf {a},\mathbf {b}\in R_q\), \(\Vert \mathbf {a}\cdot \mathbf {b}\Vert _\infty \le \Vert \mathbf {a}\Vert _2\cdot \Vert \mathbf {b}\Vert _2\).

Proof

Denote the coefficient vector of polynomial \(\mathbf {a}(x)=a_1+a_2x+a_3x^2+\cdots +a_{n-1}x^{n-2}+a_{n}x^{n-1}\in R_q\) as \((a_1, a_2, a_3, \cdots , a_{n-1}, a_{n})\).

For \(\mathbf {c}=\mathbf {a}\cdot \mathbf {b}\in R_q\), \(c_{n}\) equals the inner product of \((a_1,a_2,\cdots ,a_{n-1},a_{n})\) and \((b_{n},b_{n-1},\cdots ,b_2,b_1)\). Similar computations can be applied to coefficients \(c_{n-1},\cdots ,c_2,c_1\) as well. By applying Cauchy-Schwarz inequality and property of norm (i.e. for any vector \(\mathbf x \), \(\Vert \mathbf x \Vert _\infty \le \Vert \mathbf x \Vert _2\le \Vert \mathbf x \Vert _1\)), we have \(\Vert \mathbf {c}\Vert _\infty \le \Vert \mathbf {a}\Vert _2\cdot \Vert \mathbf {b}\Vert _2\).    \(\square \)

2.2 Core Functions

In this section, we define several functions which are crucial to construct our RLWE-based key exchange protocols.

Hint Function. Hint functions \(\sigma _0(x)\), \(\sigma _1(x)\) from \(\mathbb {Z}_q\) to \(\{0,1\}\) are defined as:

\(\sigma _0(x)={\left\{ \begin{array}{ll} 0, x\in [-\lfloor \frac{q}{4}\rfloor , \lfloor \frac{q}{4}\rfloor ] \\ 1, otherwise \end{array}\right. } \), \(\sigma _1(x)={\left\{ \begin{array}{ll} 0, x\in [-\lfloor \frac{q}{4}\rfloor +1, \lfloor \frac{q}{4}\rfloor +1] \\ 1, otherwise \end{array}\right. } \)

Signal Function. A signal function Sig() is defined as:

For any \(y\in \mathbb {Z}_q\), Sig\((y)=\sigma _b(y)\), where \(b\overset{\$}{\leftarrow }\{0,1\}\). If Sig\((y)=1\), we say y is in the outer region, otherwise y is in the inner region.

Signal function is defined for an integer \(x\in \mathbb {Z}_q\). Signal function for \(\mathbf {a}\in R_q\) is computed by applying Sig() for each coefficient \(a_i\in \mathbb {Z}_q\). In this document, we use the same notation “Sig()” for both signal functions over \(\mathbb {Z}_q\) and \(R_q\).

Reconciliation Function. Mod\(_2()\) is a deterministic function with error tolerance \(\delta \). Mod\(_2()\) is defined as: for any x in \(\mathbb {Z}_q\) and \(w=\text {Sig}(x)\), Mod\(_2(x,w)=(x+w\cdot \frac{q-1}{2}\mod q)\mod 2\). Here we treat elements in \(\mathbb {Z}_q\) as elements in \(\mathbb {Z}\) before we perform the modulo 2 operation.

We define the error tolerance \(\delta \), as the largest integer such that for any \(x, y\in \mathbb {Z}_q\), if \(\Vert x-y\Vert _\infty \le \delta \), then Mod\(_2(x,w)=\) Mod\(_2(y,w)\), where \(w=\) Sig(y). Error tolerance \(\delta \) is \(\frac{q}{4}-2\), which is the key to ensure correctness of key exchange over RLWE with overwhelming probability.

Reconciliation function is defined for an integer \(x\in \mathbb {Z}_q\). The function for \(\mathbf {a}\in R_q\) is computed by applying Mod\(_2\)() for each coefficient \(a_i\in \mathbb {Z}_q\). We use the same notation “Mod\(_2\)()” for reconciliation functions over \(\mathbb {Z}_q\) and \(R_q\).

Lemma 3

Let \(q>8\) be an odd integer. Function Mod\(_2()\) as defined above is a robust extractor with respect to signal function Sig() with error tolerance \(\delta =\frac{q}{4}-2\).

For concrete proofs of Lemma 3, please refer to [21].

Rounding Function. For \(x\in \mathbb {Z}_q\), \(q>p>0\) be integers. x is a coefficient of polynomial in \(R_q\), qp are parameters of our protocol.

For the convenience of notation, we change the representation of \(x\in \{-\frac{q-1}{2},\cdots ,\frac{q-1}{2}\}\) to \(x\in \{0,\cdots ,q-1\}\) before Round() runs. Function Round(xpq) is defined in Algorithm 1.

figure a

Rounding function is defined for an integer \(x\in \mathbb {Z}_q\). Rounding function for \(\mathbf {a}\in R_q\) is computed by applying Round() for each coefficient \(a_i\in \mathbb {Z}_q\) of \(\mathbf {a}\in R_q\). In this document, we use the same notation Round() for both rounding functions over \(\mathbb {Z}_q\) and \(R_q\).

Recovering Function. Recover() is a deterministic function. \(q>p>0\) be integers. \(x'\) is one coefficient of rounded polynomial, qp are parameters of our protocol. Function Recover\((x',p,q)\) is defined in Algorithm 2.

figure b

In order to be consistent with theoretical analysis, we change representation of \(x''\in \{0,\cdots ,q-1\}\) to \(x''\in \{-\frac{q-1}{2},\cdots ,\frac{q-1}{2}\}\) after Recover() runs.

Recovering function is defined for an integer \(x'\). Recovering function for vector \(\mathbf {a}\) is computed by applying Recover() for each coefficient \(a_i\) in vector \(\mathbf {a}\). In this document, we use the same notation “Recover()” for both recovering functions over integer \(x'\) and vector \(\mathbf {a}\).

Lemma 4

For parameter p and q, let \(t={\lceil \log _2{q}\rceil -\lceil \log _2{p}\rceil }\), \(\mathbf x =(x_1,x_2,\cdots ,x_{n})\) be a vector whose each coefficient is uniformly random sampled integer in \(\mathbb {Z}_q\), \(\mathbf x' \) be a vector whose each coefficient \(x_i'=\) Recover(Round(\(x_i,p,q\)),pq). Let \(\mathbf d =\mathbf x-x' \) be a vector whose each coefficient \(d_i=x_i-x_i'\) (\(i\in [1,n]\)). Then \(d_i\) is an even number with possible values in set \(\{-2^{t},-2^{t}+2,\cdots ,2^{t}-2\}\). \(\Pr [d_i=-2^{t}]=\Pr [d_i=-2^{t}+2]=\cdots =\Pr [d_i=2^{t}-2]=\frac{1}{2^t}\)     \(\square \)

Note that our rounding and recovering algorithm is very different from Kyber [15]. Our algorithms round and recover integers with same parity in order to meet the need of our reconciliation mechanism, while Kyber directly rounds and recovers to nearest integer with same or different parity.

A Derivation Function. In each key exchange execution, we use a 128-bit seed to generate fresh \(\mathbf {a}\). Set seed to pseudorandom number generator. Each coefficient \(a_i\in \mathbb {Z}_q\) (\(i\in [1,n]\)) of \(\mathbf {a}\in R_q\) is derived as follows:

figure c

2.3 Protocol Specification

In this section, we present our RLWE-based key exchange protocol.

2.3.1 Specification. We give the description of key exchange between party i and party j. In our protocol, users share following parameters: \(n, \sigma , q, p\). The protocol is illustrated in Fig. 1.

  • Initiate. Party i instantiates key exchange by generating 128-bit random seed, computes fresh \(\mathbf {a}=\text {Derive\_a}(seed)\) and public key \(\mathbf {p_i}=\mathbf {a}\cdot \mathbf {s_i}+2\mathbf {e_i}\in R_q\), where \(\mathbf {s_i}\) and \(\mathbf {e_i}\) are sampled from \(D_{\mathbb {Z}^n,\sigma }\). Round \(\mathbf {p_i}\) as \(\mathbf {p_i'}=\) Round\((\mathbf {p_i},p,q)\), send \(\mathbf {p_i'}\) and seed to party j.

  • Response. Party j computes fresh \(\mathbf {a}=\text {Derive\_a}(seed)\), public key \(\mathbf {p_j}=\mathbf {a}\cdot \mathbf {s_j}+2\mathbf {e_j}\in R_q\), where \(\mathbf {s_j}\) and \(\mathbf {e_j}\) are sampled from \(D_{\mathbb {Z}^n,\sigma }\). Round \(\mathbf {p_j}\) as \(\mathbf {p_j'}=\) Round\((\mathbf {p_j},p,q)\). Recover public key received from party i as \(\mathbf {p_i''}=\) Recover\((\mathbf {p_i'},p,q)\). Computes key exchange material \(\mathbf {k_j}=\mathbf {p_i''}\cdot \mathbf {s_j}\in R_q\), signal value \(w_j=\) Sig\((\mathbf {k_j})\) and final shared key \(sk_j=\) Mod\(_2(\mathbf {k_j},w_j)\). Send \(\mathbf {p_j'}\) and \(w_j\) to party i.

  • Finish. Party i recovers public key received from party j as \(\mathbf {p_j''}=\) Recover\((\mathbf {p_j'},p,q)\). Compute key exchange material \(\mathbf {k_i}=\mathbf {p_j''}\cdot \mathbf {s_i}\in R_q\) and final shared key \(sk_i=\) Mod\(_2(\mathbf {k_i},w_j)\).

Fig. 1.
figure 1

The proposed RLWE key exchange protocol

Full size image

2.3.2 Correctness. With above protocol, we have

(1)
(2)

\(\mathbf {k_i-k_j}=2(\mathbf {e_js_i-e_is_j})+(\mathbf {d_js_i-d_is_j})\). In order to achieve key exchange with overwhelming success probability, \(\Vert \mathbf {k_i-k_j}\Vert _\infty \le \) error tolerance \(\delta \) of error reconciliation mechanism, i.e. \(\Vert \mathbf {k_i-k_j}\Vert _\infty \le \frac{q}{4}-2\). Since the elements in \(\mathbf d_i\) and \(\mathbf d_j\) are all even, we have

(3)

where \(\mathbf {s,e}\in R_q\xleftarrow {\$} D_{\mathbb {Z}^n,\sigma }\). Definition of \(\mathbf {d'}\) is consistent with Lemma 4.

With Lemmas 1 and 2, we have \(4\Vert \mathbf {se}\Vert _\infty \le 4\Vert \mathbf {s}\Vert _2\cdot \Vert \mathbf {e}\Vert _2\le 4{(r\sigma \sqrt{n})}^2=4r^2\sigma ^2n\), where \(r\ge 1/\sqrt{2\pi }\) is defined in Lemma 1 and n is the degree of polynomial. With Lemma 4, we have \(2\Vert \mathbf {d's}\Vert _\infty \le 2\Vert \mathbf {d'}\Vert _2\cdot \Vert \mathbf {s}\Vert _2=2\Vert \mathbf {d'}\Vert _2\cdot r\sigma \sqrt{n}\). Recall that error tolerance \(\delta =\frac{q}{4}-2\). Therefore as long as \(q\ge 4\cdot [2+(4r^2\sigma ^2n)+(2\Vert \mathbf {d'}\Vert _2\cdot r\sigma \sqrt{n})]\), key exchange failure probability is estimated to be \((\sqrt{2\pi er^2}\cdot e^{-\pi r^2})^n\).

2.3.3 Parameter Choice.

Parameter choices covering security of AES-128/192/256 are given in Table 2.

Table 2. Our parameter choice
Full size table

Note that for parameter choice \((n, \sigma , q, p)=(1024, 2.6, 120833, 7552)\), it is enough to cover security of AES-128/192/256. We will elaborate this in Sect. 3.4. Modulus \(q=120833\) can instantiate NTT efficiently as \(q\equiv 1\mod 2n\). A failed key exchange implies that at least one bit in \(sk_i\) and \(sk_j\) mismatches.

For Lemma 4 and above parameter choices, let \(t={\lceil \log _2{q}\rceil -\lceil \log _2{p}\rceil }\). We have \(\Pr [d_i=-2^{t}]=\Pr [d_i=-2^{t}+2]=\cdots =\Pr [d_i=2^{t}-2]=\frac{1}{2^t}\). Therefore, \(n=512, t=4\), \(\Vert d\Vert _2=32\sqrt{43}\), \(n=1024, t=4\), \(\Vert d\Vert _2=32\sqrt{86}\).

2.4 Passive Security

We define the passive security of our Diffie-Hellman-like ephemeral-only RLWE-based key exchange protocol in Sect. 2.3. Notations are consistent with Sect. 2.3. We start with the security of our key exchange protocol without rounding and recovering public key. Our proof refers to the methodology in [13]. Then we discuss the hardness of our protocol.

Definition 1

We say a key exchange protocol is secure under passive adversary, if for any PPT adversary the advantage is negligible.

Note that even if the secret information is involved in signal function computation, intuitively it is infeasible for adversary \(\mathcal {A}\) to recover secret from the binary signal \(w_j\). Thus the signal \(w_j\) can not be seen as a RLWE sample from the perspective of both security proof and real attacks (on key exchange itself and RLWE problem) in our setting, i.e. keys from key exchange execution are not reused.

Intuitively, any probabilistic polynomial time (PPT) adversary should not distinguish a real shared key (\(sk \in \{0,1\}^n\)) from a random one (\({ rand} \overset{\$}{\leftarrow } \{0,1\}^n\)) even if he gets the transcripts (public key and signal value) of the protocol. We define the advantage of an passive adversary \(\mathcal {A}\) as:

$$\mathbf{Adv }_{\mathcal {A}}=\left| \Pr (\mathcal {A}(\mathbf {a,p_i,p_j},w_j,sk)=1) - \Pr (\mathcal {A}(\mathbf {a,p_i,p_j},w_j,{ rand})=1)\right| .$$

Then we want the adversary to distinguish the final shared key \(sk\in \{0,1\}^n\) from uniformly random one (\({ rand} \overset{\$}{\leftarrow } \{0,1\}^n\)) within negligible probability.

Lemma 5

For any odd \(q>2\), if x is uniformly random in \(\mathbb {Z}_q\), then Mod\(_2(x,w)\) is uniformly random conditioned on signal \(w\in \{0,1\}\).

Please refer to [21] for concrete proofs of Lemma 5. In addition, we give the following lemma for the security proof of our protocol.

Lemma 6

\(\mathbf {k_j}\) can be seen as a RLWE sample in the security proof, when \(\mathbf {p_i}\) is computed as RLWE instance.

Proof

Due to the proposition of multiplication distribution, the multiplication of two Gaussians is itself a Gaussian [16]. In our protocol, both \(\mathbf s\) and \(\mathbf e\) are sampled from Gaussian distribution \(D_{\mathbb Z^n,\sigma }\) with small standard deviation. Hence the secret polynomial can be computed as \(\mathbf {k_j}=\mathbf {p_i\cdot s_j}=\mathbf {a\cdot s_i\cdot s_j} + 2\mathbf {s_j\cdot e_i}\). Since \(\mathbf {s_j}\) and \(\mathbf {e_i}\) are sampled from \(D_{\mathbb Z^n,\sigma }\), due to the proposition that the product of two Gaussian PDFs is proportional to Gaussian PDF with a standard deviation that is the square root of half of the denominator, i.e. \(\sigma _{\mathbf {s_j\cdot e_i}}= \sqrt{\frac{\sigma _{\mathbf {s_j}}^2\cdot \sigma _{\mathbf {e_i}}^2}{\sigma _{\mathbf {s_j}}^2+ \sigma _{\mathbf {e_i}}^2}}=\frac{\sqrt{2}}{2}\sigma \). If we denote by \(\mathbf {a'=a\cdot s_i}\), \(\mathbf {e_i'=s_j\cdot e_i}\), we can get a RLWE instance \((\mathbf {a',e_i'})\) with parameters \((n,q,\sigma _{\mathbf {e_i'}})\). Namely, \(\mathbf {k_j}\) can be seen as an RLWE instance with parameters \((n,q,\frac{\sqrt{2}}{2}\sigma )\) if \(\mathbf {p_i}\) is RLWE itself.

In the following Theorem and its proof, we rewrite \(\mathbf {k_j}\) as \(\mathbf {k_j}=\mathbf {a'\cdot s_j} + 2\mathbf {e_i'}\) for the sake of convenience. As discussed above that essentially \(\mathbf {k_j}\) can not be used as an RLWE instance in real attack since the secret key can not be recovered from the published signal \(\omega _j\).     \(\square \)

Theorem 1

The construction above is secure against passive PPT adversaries, if the pseudorandom function Derive_a() is secure and the decision RLWE hardness assumption holds.

Proof

Theorem 1 can be stated in this way: Let \(n,q,\sigma \) be parameters in our proposed key exchange protocol and let \(D_{\mathbb Z^n,\sigma }\) be the Gaussian distribution defined in Sect. 2.1. If the pseudorandom function \(Derive\_a()\) is secure against PPT adversary \(\mathcal {B}_0\) and the decision RLWE problem is hard for \((n,q,\sigma )\), then the key exchange protocol in Fig. 1 guarantees keys indistinguishable from uniform random. Namely,

$$\begin{aligned} \mathbf{Adv}_{\mathcal {A}} \le \mathbf{Adv}_{Derive\_a}(\mathcal {B}_0) + \mathbf{Adv}_{n,q,D_{\mathbb {Z}^n,\frac{\sqrt{2}}{2}\sigma }}(\mathcal {A}\circ \mathcal {B}_1) + \mathbf{Adv}_{n,q,D_{\mathbb {Z}^n,\sigma }}(\mathcal {A}\circ \mathcal {B}_2). \end{aligned}$$
(4)

holds where \(\mathcal {B}_1\) and \(\mathcal {B}_2\) are assumed PPT adversaries who can distinguish the RLWE samples from uniform random.

We prove the security by a sequence of games and lemmas. Let \(S_i\) be the challenge where the adversary guesses b in game i. The first game Game\(_0\) is the real game which the adversary gets all of the original published information, while in the last game Game\(_4\) the adversary gets uniformly random parameters without RLWE information. We show that the views of Game\(_0\) and Game\(_4\) are computational indistinguishable for any PPT adversaries, under the decision RLWE hardness assumption.

Game\(_0\). This is the original game between the protocol challenger and the passive adversary \(\mathcal {A}\). That is, the adversary obtains \(\mathbf {a,p_i,p_j},w_j,\mathbf k_b\), where \(\mathbf {p_i=a\cdot s_i}+2\mathbf {e_i}\) and \(\mathbf {p_j=a\cdot s_j}+2\mathbf {e_j}\). Then \(\mathcal {A}\) outputs a guess \(b^\prime \). Note that there are three RLWE pairs in Game\(_0\): \((\mathbf a, \mathbf {p_i})\) with secret vector \(\mathbf {s_i}\), and \((\mathbf a, \mathbf {p_j})\) and \((\mathbf a', \mathbf {k_j})\) both with secret vector \(\mathbf {s_j}\). Here we can rewrite \(\mathbf{Adv}_{\mathcal {A}}\) as

$$\begin{aligned} \mathbf{Adv}_{\mathcal {A}}=\left| \Pr (S_0)-1/2\right| . \end{aligned}$$
(5)

Game\(_1\). This game is identical to Game\(_0\) except that instead of generating \(\mathbf a\) pseudorandomly from seed using function Derive_a(), the challenger samples \(\mathbf a\) uniformly at random.

Lemma 7

Any PPT passive adversary cannot distinguish Game\(_0\) and Game\(_1\), if the assumption holds that the pseudorandom function Derive_a() is secure.

Proof

It is obvious that the two games are indistinguishable under our assumption that the pseudorandom function Derive_a() is secure, i.e.

$$\begin{aligned} \left| \Pr (S_0)-\Pr (S_1)\right| \le \mathbf{Adv}_{Derive\_a}(\mathcal {B}_0). \end{aligned}$$
(6)

    \(\square \)

Game\(_2\). This game is identical to Game\(_1\) except that instead of setting \(\mathbf {p_i=a\cdot s_i}+2\mathbf {e_i}\), the challenger sets \(\mathbf {p_i=r_i}\), where \(\mathbf {r_i}\overset{\$}{\leftarrow }R_q\).

Lemma 8

Any PPT passive adversary cannot distinguish Game\(_1\) and Game\(_2\), if the decision RLWE assumption holds.

That is to say, in Game\(_1\), the challenge \((\mathbf a, \mathbf {p_i})\) is sampled honestly from RLWE oracle. In Game\(_2\), \((\mathbf a, \mathbf {p_i})\) is uniformly sampled from \(R_q\times R_q\) at random. These two distributions are computationally indistinguishable under the assumption that the decision RLWE problem is hard for parameter set \((n,q,\sigma )\).

Proof

We prove the lemma by showing that if there exists an adversary \(\mathcal {A}\) who can distinguish Game\(_1\) and Game\(_2\), then we can construct another adversary \(\mathcal {B}_1\) to distinguish the RLWE samples from uniform random. \(\mathcal {B}_1\) works as follows. Once obtaining challenges \((\mathbf {a, b_i})\in R_q\times R_q\) from the RLWE oracle, where \(\mathbf {b_i}\) is either \(\mathbf {a\cdot s_i}+2\mathbf {e_i}\) or random \(\mathbf {r_i}\) in \(R_q\), \(\mathcal {B}_1\) samples \(\mathbf {s_j}\xleftarrow {\$} D_{\mathbb Z^n,\sigma }\) and sets \(\mathbf {k_j=b_i\cdot s_j}\). \(\mathcal {B}_1\) also computes \(\mathbf {p_j=a\cdot s_j}+2\mathbf {e_j}\). Finally \(\mathcal {B}_1\) sends \((\mathbf {a, p_i=b_i, p_j}, w_j, \mathbf {k_j})\) to \(\mathcal {A}\). \(\mathcal {B}_1\) outputs whatever \(\mathcal {A}\) outputs. We note that \(\mathcal {B}_1\) can compute \(w_j\) by himself. If \(\mathbf {b_i}\) is an RLWE sample, then what \(\mathcal {A}\) obtains are exactly the same as in Game\(_1\), if \(\mathbf {b_i}\) is uniformly random in \(R_q\), then what \(\mathcal {A}\) obtains are exactly the same as in Game\(_2\). This implies that if \(\mathcal {A}\) can distinguish Game\(_1\) and Game\(_2\) with noticeable advantage, then \(\mathcal {B}\) can distinguish RLWE samples from uniformly random with the same advantage. Simultaneously, the adversary \(\mathcal {B}_1\) sets \(\mathbf {k_j=u_j}\) by \(\mathbf {u_j=b_i\cdot s_j}\), where \(\mathbf {b_i}\) is either sampled from RLWE or uniformly random \(\mathbf {r_i}\) in \(R_q\).

Intuitively it leads to \(\mathbf {u_j=b_i\cdot s_j}\) is RLWE or uniformly random \(\mathbf {r_j}\), according to the analysis under Lemma 6. Hence indeed what \(\mathcal {B}_1\) sends to \(\mathcal {A}\) can be rewritten as \((\mathbf {a, p_i=b_i, p_j}, w_j, \mathbf {k_j=u_j})\) to \(\mathcal {A}\). Thus we have two RLWE samples \((\mathbf {a,p_i=b_i})\) and \((\mathbf {a',k_j=u_j})\) in Game\(_2\) where under the RLWE assumption, RLWE sample \((\mathbf {a,p_i})\) with \(D_{\mathbb Z^n,\sigma }\) is indistinguishable with random sample \((\mathbf {a,r_i})\), and RLWE sample \((\mathbf {a',k_j})\) with \(D_{\mathbb Z^n,\frac{\sqrt{2}}{2}\sigma }\) is indistinguishable with \((\mathbf {p_i,r_j})\) respectively. This finishes the proof and simultaneously we can get the following inequation:

$$\begin{aligned} \left| \Pr (S_1)-\Pr (S_2)\right| \le \mathbf{Adv}_{n,q,D_{\mathbb {Z}^n,\frac{\sqrt{2}}{2}\sigma }}(\mathcal {A}\circ \mathcal {B}_1). \end{aligned}$$
(7)

    \(\square \)

Game\(_3\). This game is identical to Game\(_2\) except that instead of setting \(\mathbf {p_j=a\cdot s_j}+2\mathbf {e_j}\), the challenger sets \(\mathbf {p_j=r_j}\), where \(\mathbf {r_j}\overset{\$}{\leftarrow }R_q\).

Lemma 9

Any PPT passive adversary cannot distinguish Game\(_2\) and Game\(_3\), if the decision RLWE assumption holds.

Proof

The proof for Lemma 9 is analogous to the proof for Lemma 8, i.e. we should show if there exists an adversary \(\mathcal {A}\) who can distinguish Game\(_2\) and Game\(_3\), then we can construct another adversary \(\mathcal {B}_2\) to distinguish the RLWE samples from uniform random. \(\mathcal {B}_2\) works as follows. Once obtaining challenges \((\mathbf a, \mathbf {b_j})\) where \(\mathbf {b_j}\) is either RLWE instance or random \(\mathbf {r_j}\) in \(R_q\), \(\mathcal {B}_2\) sets \(\mathbf {p_j}=\mathbf {b_j}\). Finally \(\mathcal {B}_2\) sends \((\mathbf {a, p_i, p_j=b_j}, w_j, \mathbf {k_j})\) to \(\mathcal {A}\). \(\mathcal {B}_2\) outputs whatever \(\mathcal {A}\) outputs. Hence we have

$$\begin{aligned} \left| \Pr (S_2)-\Pr (S_3)\right| \le \mathbf{Adv}_{n,q,D_{\mathbb {Z}^n,\sigma }}(\mathcal {A}\circ \mathcal {B}_2). \end{aligned}$$
(8)

    \(\square \)

Furthermore, in Game\(_3\), the adversary is given \((\mathbf a, \mathbf {b_j})\) which is either sampled uniformly at random. However, when \(\mathbf {p_i}\) is uniformly sampled, elements of \(\mathbf {k_j=p_i\cdot s_j}\in R_q\) is also uniformly distributed. Thus the elements in \(w_j\) can be seen uniformly distributed owing to the construction of signal function. Due to Lemma 5, \(sk_j\) computed by the reconciliation function from \(\mathbf {k_j}\) and \(w_j\) is also distributed uniformly at random. Namely, there is no RLWE information in Game\(_3\) so the adversary can not distinguish the key is generated from the key exchange protocol or just uniformly sampled. Hence, we have the following equation in Game\(_3\).

$$\begin{aligned} \left| \Pr (S_3)\right| =1/2. \end{aligned}$$
(9)

Consequently, we can get in Eq. (4) (and finish the proof for Theorem 1) by combining the formulas from (5) to (9).     \(\square \)

Now we deal with the security regarding to rounding and recovering \(\mathbf {a\cdot s}+2\mathbf {e}\) in the next lemma.

Lemma 10

For following two key exchange protocols:

  1. 1.

    \(\mathbf {p_i=a\cdot s_i}+2\mathbf {e_i, p_j=a\cdot s_j}+2\mathbf {e_j, k_i=p_j\cdot s_i, k_j=p_i\cdot s_j}, w_j=\text {Sig}(\mathbf {k_j}), sk_i=\text {Mod}_2(\mathbf {k_i},w_j), sk_j=\text {Mod}_2(\mathbf {k_j},w_j)\)

  2. 2.

    \(\mathbf {p_i=a\cdot s_i}+2\mathbf {e_i, p_j=a\cdot s_j}+2\mathbf {e_j, p_i'}=\text {Round}(\mathbf {p_i},p,q), \mathbf {p_i''}=\text {Recover}(\mathbf {p_i'},p,q),\mathbf {p_j'}=\text {Round}(\mathbf {p_j},p,q), \mathbf {p_j''}=\text {Recover}(\mathbf {p_j'},p,q), \mathbf {k_i=p_j''\cdot s_i, k_j=p_i''\cdot s_j}, w_j=\text {Sig}(\mathbf {k_j}), sk_i=\text {Mod}_2(\mathbf {k_i},w_j), sk_j=\text {Mod}_2(\mathbf {k_j},w_j)\)

The hardness of computing final shared key of second protocol is at least as hard as computing final shared key of first protocol.

Proof

With publicly known algorithm Round() and Recover(), publicly known parameters and public terms \(\mathbf {p_i',p_j'}\), any adversary can compute \(\mathbf {p_i''\approx p_i}\) and \(\mathbf {p_j''\approx p_j}\). However, \(\mathbf {p_i''\ne p_i}\), \(\mathbf {p_j''\ne p_j}\), Round() and Recover() function generate additional errors, which makes recovering private key \(\mathbf {s_i}\) or \(\mathbf {s_j}\) using transcripts from our key exchange at least no easier than using \(\mathbf {p_i, p_j}\) or \(\mathbf {k_i, k_j}\) to solve RLWE problem.     \(\square \)

3 Estimating Security of One RLWE Sample

Before showing the analysis in this section, we stress that only ONE sample can be used in the real attack for our ephemeral protocol settings. It is infeasible for attacker to recover secret key or apply lattice attacks given the binary signal vector from our ephemeral key exchange. Hence the signal w can not be used as another RLWE sample in the real attack (and also the security proof in Sect. 2.4).

3.1 Prerequisites

Lattice Theory. A lattice L is defined as an infinite space expanded by basis \(\mathbf B=\{\mathbf{b}_1,\dots ,\mathbf{b}_n\}\), where \(\mathbf{b}_i \) \( (i=1,\dots ,n)\) are a set of linearly independent vectors in \(\mathbb {R}^m\). Here n is the dimension of L. The n-dimensional volume of L is denoted by Vol(L), which is computed by the determinant of basis B, i.e. Vol(L) = det(B). We denote \(V_n(R)=R^n\cdot \frac{\pi ^{n/2}}{\varGamma (n/2+1)}\) as the volume of n-dimensional Euclidean ball of radius R.

Ring LWE (RLWE) Problem. Let \(m \ge 1\) be a power of 2 and \(q \ge 2\) be an integer, let \(R_q = \mathbb Z_q[x]/\mathrm \Phi _m(x)\), where \(\mathrm \Phi _{m}(x) = x^{n} + 1\) is the m-th cyclotomic polynomial with \(n=m/2\). Let \(\chi \) be a \(\beta \)-bounded distribution. For secret polynomial \(\mathbf {s}\xleftarrow {\$}\chi \) and error polynomial \(\mathbf {e}\xleftarrow {\$}\chi \), choosing \(\mathbf {a}\in R_q\) uniformly random, output \((\mathbf {a, b=a\cdot s+e}\in R_q)\). Search version of RLWE problem is: for \(\mathbf {s}\xleftarrow {\$}\chi \), given poly(n) number of samples of \((\mathbf {a, b = a\cdot s + e})\in (R_q,R_q)\), find \(\mathbf {s}\) (and \(\mathbf {e}\) simultaneously).

Proposition. Let \(\mathbf {z} = \text {Recover}(\text {Round}(\mathbf {a \cdot s+2e},p,q),p,q)=\mathbf {as+2e+d}= \mathbf {as+2f} \in R_q\), where \(\mathbf {s, e}\xleftarrow {\$} D_{\mathbb {Z}^n,\sigma }\) and \(2\mathbf {f}=2\mathbf {e}+\mathbf {d}\) (elements in \(\mathbf d\) are even). Hence we can regard \(\mathbf {f}\) as error term \(\mathbf {e}\) in the definition of RLWE above. The attack on our protocol is given \(\mathbf {z}\) and \(\mathbf {a}\), output private key \(\mathbf {s}\). This problem is equivalent to:

$$\begin{aligned}&\mathbf {z} = \mathbf {a \cdot s} + 2\mathbf {f} \mod q\\\Leftrightarrow & {} 2^{-1}\mathbf {z} = 2^{-1}\mathbf {a \cdot s + f} \mod q\\\Leftrightarrow & {} \mathbf {z'' = a'' \cdot s + f} \mod q \end{aligned}$$

Standard deviation of term \(\mathbf {f}\) is denoted as \(\sigma _{f}\). Note that \(\sigma _f\) is different from \(\sigma \) notation in Sect. 2.1 as f no longer follows discrete Gaussian distribution (histogram shows similar shape as Gaussian distribution), therefore \(\sigma _f\) is computed as the square root of variance.

Shortest Vector Problem. Given an input basis \(B=(\mathbf{b}_1,\dots ,\mathbf{b}_n)\) of a lattice L, Shortest Vector Problem (SVP) is to find a non-zero shortest vector in L. We introduce the following two variants of the SVP to be used in this section.

Short Integer Solution Problem. Given an integer q and a matrix \(\mathbf A\in {\mathbb Z_q^{n\times m}}\), Short Integer Solution problem (SIS) is to compute a short vector \(\mathbf y\in \mathcal {B}\) s.t. \(\mathbf {Ay\equiv 0} \mod q\), where \(\mathcal {B}\) is a set of short vectors with some norm bound.

Unique Shortest Vector Problem. Unique SVP problem (uSVP) is for a given lattice L which satisfies \(\lambda _1(L)\ll \lambda _2(L)\), find the shortest vector in L. Here \(\lambda _i(L)\) means the length of i-th linear independent shortest vector for \(i=1,2\).

Root Hermite Factor. To evaluate the performance of lattice algorithms for solving SVP, we use the root Hermite Factor (rHF) defined in [22] as:

$$\begin{aligned} \delta =\mathrm{rHF}(\mathbf{b}_1,\dots ,\mathbf{b}_n)=(\Vert \mathbf{b}_1\Vert _2/\mathrm{Vol}(L)^{1/n})^{1/n}. \end{aligned}$$

Geometric Series Assumption (GSA). The Geometric Series Assumption [31] indicates the quality of an LLL-type reduced basis. It says \(l_2\) norm of GSO vectors \(\Vert \mathbf{b}_i^*\Vert \) in the reduced basis decrease geometrically with a constant r as \({\Vert \mathbf{b}_i^*\Vert _2}^2/{\Vert \mathbf{b}_1\Vert _2}^2=r^{i-1}\) (\(i=1,\dots ,n\) and \(r \in [3/4,1)\)).

Lattice Algorithms. There are some lattice algorithms such as BKZ and sieving to solve SVP and its variants. BKZ algorithm was originally proposed in [30], which computes basis that are almost \(\beta \)-reduced, namely the projected lengths of each basis vectors are the shortest ones in the relative \(\beta \)-sized local blocks. BKZ algorithm runs in exponential time and there are some efficient improvements for BKZ algorithms [18, 38]. In 2016, Aono et al. proposed a precise simulator to estimate runtime of progressive BKZ algorithm (pBKZ), which processes given basis by increasing block size with some strategy [8]. When dimension n is large (\(n \ge 100\)), runtime TimeBKZ\((n,\beta _t)\) of pBKZ with target blocksize \(\beta _t\) is estimated by Eq. (18) in [8]. Further details may be found in [8] and a reference implementation is freely available at [9].

In 2001, Ajtai et al. proposed a sieving algorithm to solve SVP, which requires a runtime of \(2^{0.52n+o(n)}\) in n dimension lattice and simultaneously requires exponential storage of \(2^{0.2n+o(n)}\) [1]. According to recent research results, for a n-dimensional lattice L and fixed blocksize \(\beta \) in BKZ, the runtime of sieving algorithm can be estimated in \(2^{0.292\beta +o(\beta )}\) clock cycles for a \(\beta \)-dimensional subroutine [4], and totally BKZ-\(\beta \) costs \(8n\cdot 2^{0.292\beta +16.4}\) operations [12]. The phase transition of time cost and memory cost is considered in our work. Namely, we assume that practically the exponential large memory \((\beta \cdot 2^{0.292*\beta +o(\beta )})\) cost of sieve will increase the computation cost by at least one magnitude \(({\mathrm x}10)\).

3.2 Algorithms for Solving RLWE

In this work we use the adapted SIS attack algorithm on solving RLWE, which is an adaptation of the dual-embedding method mentioned in [29] and [10]. Note that the SIS attack with “rescaling technique” is also called as “Bai-Galbraith’s” embedding attack in [3], which is developed by Bai and Galbraith to improve the attack on binary LWE in [10]. In the adapted SIS algorithm, we do not introduce the rescaling technique but just enlarge the lattice dimension. There are also some analysis to the embedding attack and its variants in previous articles [35,36,37, 39].

3.3 Significance of Number of Samples in Practical Attack

At first we claim that because of the setting of our key exchange protocol: only one RLWE instance \((\mathbf {a, b = a \cdot s + e}\ \mathrm {mod}\ q)\in (R_q,R_q)\) is given, Kannan’s embedding technique [23] and Liu-Nguyen’s decoding attack [24] cannot be adopted since the lattice \(L_{(\mathbf A, q)}=\{\mathbf {v}\in \mathbb Z^m_q \ | \ \mathbf {v \equiv Ax}\ (\mathrm {mod}\ q), \mathbf x\in D_{\sigma }^n\}\) is trivial when \(m\le n\). Therefore our estimator should be different from some other key exchange schemes as NewHope [6] and Albrecht’s estimator [3] etc. which regard RLWE and normal LWE problem as having the same difficulty without considering the number of available RLWE samples. From the discussion in Sect. 1.3 and the estimations in Table 1, we observe that there is a big gap of hardness estimations between ONE-sample RLWE and multiple-samples RLWE. Note that indeed the lowest number m of required LWE samples from the 2016 estimate (Section 3.4) are as follows: m is 576 for \((n,q,\sigma _f)=(512, 120833, 4.92)\) and m is 1097 for \((n,q,\sigma _f)=(1024, 120833, 4.72)\). Therefore, the optimal number in the 2016 estimate can be obtained only from “more than one RLWE samples” \((m=576> n=512\ \mathrm{and\ } m=1097 > n=1024)\). Hence in practical attack, we can get only one n-dimensional RLWE instance, which can be amplified to \(2n+1\) without changing the distribution of error vectors. Therefore the lattice dimension of solving RLWE in our case is \(d=2n+1\).

3.4 Our Simulator

At AsiaCrypt 2017 [3], Albrecht et al. re-estimated the hardness of LWE problem using Kannan’s embedding and Bai-Gal’s embedding respectively under estimation in NewHope [6] (denoted as “2016 estimate”). 2016 estimate states that if the Gaussian Heuristic and the GSA [31] hold for BKZ-\(\beta \) reduced basis and

$$\begin{aligned} \sqrt{\beta /d}\cdot \Vert (\mathbf e | 1)\Vert _2 \approx \sqrt{\beta }\sigma \le \delta ^{2\beta -d}\cdot \mathrm {Vol}(L_{(\mathbf A, q)})^{1/d}. \end{aligned}$$
(10)

Then error \(\mathbf e\) can be found by BKZ-\(\beta \) with root Hermite Factor \(\delta \). In our case, we assume \(\mathbf f\) is the Gaussian distributed error vector plus the uniformly distributed perturbation sampled from a bounded set due to Rounding-Recovering functions and \((\mathbf s | \mathbf f | 1)\) is the target vector in our attack. So there is a gap between the distribution of \(\mathbf f\) and the Gaussian distribution. However, given a same standard deviation \(\sigma _f\), the expected length of vectors sampled from the hybrid distribution is bigger than the one sampled from Gaussian distribution on average, by a simple computation using the center limit theorem. Hence in our estimation we assume \(\mathbf f\) is Gaussian distributed. We adapt the left side of the inequality (10) as \(\sqrt{\beta /d}\cdot \Vert (\mathbf s | \mathbf f | 1)\Vert _2 \approx \sqrt{\beta \cdot ({\sigma _e}^2 + {\sigma _f}^2)}\). For BKZ reduction runtime estimation, we will give the result of progressive BKZ and Albrecht’s BKZ with sieving estimator.

Step 1. A short vector \(\Vert \mathbf {b}_1\Vert _2=\delta ^d\cdot \mathrm {det}(\mathbf B)\) is assumed to be inside of the BKZ-\(\beta \) reduced basis \(\mathbf B \) of dimension d [17], where the root Hermite Factor is

$$\begin{aligned} \delta = (((\pi \beta )^{1/\beta }\beta )/(2\pi e))^{\frac{1}{2(\beta -1)}}. \end{aligned}$$
(11)

Since \(\sigma _f\) can be experimentally derived from \(\sigma _e\), we can compute lower bound of \(\sigma _f\) in RLWE\((n,q,\sigma _f)\) which covers security of AES-128/192/256 using Eqs. (11) and (12). Note that f no longer follows discrete Gaussian distribution (histogram shows similar shape as Gaussian distribution). Therefore we take a heuristic approach to estimate \(\sigma _f\).

In our case, \(d=2n+1\) is the dimension of lattice and also \(\mathrm {Vol}(L_{(\mathbf A, q)}) = q^n\). Therefore we can pre-compute the expected root Hermite factor \(\delta \) for \(\beta =10,\cdots ,n\) and adapt inequality (10) to

$$\begin{aligned} \sqrt{\beta \cdot ({\sigma _e}^2 + {\sigma _f}^2)} \le \delta ^{2\beta -2n-1}\cdot q^{n/(2n+1)}. \end{aligned}$$
(12)

To compute the target \(\beta \) in the progressive BKZ simulator, we use the correspondence between \(\delta \) and the GSA constant r: Given a d-dimensional basis, in order to use progressive BKZ simulator, we need target \(\beta _t\) for our parameter choice. At this stage, we can get the target GSA constant \(r_t=\delta ^{-4d/(d-1)}\). Therefore we can compute the terminating blocksize \(\beta _t\) in progressive BKZ corresponding to \(r_t\) by equations (10) and (11) given in [8].

Step 2. We compute the complexity of BKZ-\(\beta \) with sieving SVP oracle estimated as \(8d\cdot 2^{0.292\beta +16.4}\) double precision floating point operations [2, 12]. we translate this to complexity of bit unit by \(T_{sieving-BKZ} = 8d\cdot 2^{0.292\beta +16.4} \cdot 64 \ \ (\mathrm{bits}).\)

Simultaneously, \(T_{BKZ}\) can also be replaced by progressive BKZ simulator explained in Sect. 3.1. We run the progressive BKZ simulator for both \(n=512\) and \(n=1024\) cases. Considering the number of iterations for each fixed blocksize in BKZ, we get following two fitting functions to estimate the runtime of two cases respectively.

$$\begin{aligned} \log _2(Time_{pBKZ}(secs))= \left\{ \begin{array}{ll} 0.003924\cdot \beta ^2 - 0.568\cdot \beta + 41.93 &{} (n=512)\\ 0.004212\cdot \beta ^2 - 0.6886\cdot \beta + 55.49 &{} (n=1024) \end{array} \right. \end{aligned}$$
(13)

Then we compute the complexity of bit unit by \(T_{pBKZ} = Time_{pBKZ}\times 2.7\times 10^9\times 64 \ \ (\mathrm{bits}).\) on our Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz server.

We generate 1,000 and 2,000 \(\mathbf {as}+2\mathbf e\) samples for parameter choice \((n, \sigma , q, p)=(1024, 2.6, 120833, 7552)\) and \((n, \sigma , q, p)=(512, 4.19, 120833, 7552)\). For each sample, we apply Round() and Recover() functions, giving us

$$ \mathbf z=\mathrm {Recover(Round}(\mathbf a\cdot \mathbf s+2\mathbf e,p,q),p,q)=\mathbf a\cdot \mathbf s+2\mathbf f. $$

With \(\frac{\mathbf {z-as}}{2}=\mathbf f\), we compute standard deviation \(\sigma _f\). Results are given in Table 3, where the parameter settings can ensure \(2^{-60}\) failure probability.

Table 3. Our simulation data and parameter settings covering security of AES-128/192/256
Full size table

Due to the uncertainty simulation for runtime with large dimension and large \(\beta \) (>1000 and >200 respectively), we are not sure about the simulation results for our key exchange protocol. We will leave it as future work. However, our parameter choices can cover results from pBKZ simulator. Therefore we show results from pBKZ simulator in Table 3 as well.

The 2016 estimate for AES-128 and AES-192/256 security gives 142.27 and 279.05 bit operations respectively. Practically the exponential memory’s access of sieving algorithm will increase the computation cost by at least one magnitude \(({\mathrm x}10)\), therefore we conclude that our parameter choices with \(n=512\) can achieve at least 145.59 bits security, \(n=1024\) can achieve at least 282.37 bits security. With results given in Table 3, we claim that parameter choices given in Table 2 cover security of AES-128/192/256.

Furthermore, Aono et al. proposed a method to compute the lower bound N on the cost of extreme-pruning enumeration algorithm, for a certain pruning success probability \(\alpha '\) to find a shortest vector, which bases on a simulated HKZ-reduced basis [7]. We use the formula (17) in [7] and set \(\alpha '=1\). Analogous to the sieving-BKZ model in 2016 estimate, we compute the complexity of BKZ with enumeration subroutine by \(T_{enum-BKZ} = 8d\cdot N\ (\mathrm{bits})\). When we compute \(T_{enum-BKZ}\) using the blocksizes 366 and 831 given in Table 3, we get 194 bit security and 596 bit security respectively. It means that our parameter settings are safe under the BKZ with enumeration subroutine model.

4 Implementation and Performance

In this section, we introduce our implementation and performance of our key exchange scheme in Sect. 2.3. Note that in our implementation, a number in \(\mathbb {Z}_q\) is represented as \([0,q-1]\). One can convert the regions defined for hint and signal functions from \(\{-\frac{q-1}{2},\cdots ,\frac{q-1}{2}\}\) to corresponding regions in \([0,q-1]\).

We use Victor Shoup’s NTL library [33] in our implementation, where the fast Number Theoretic Transformation (NTT) technique with adapted butterfly operation is applied, for doing polynomial operations as multiplication, division, GCD, factoring and so on. Simultaneously, we use the Discrete Gaussian Sampler (DGS) based on Cumulative Distribution Table (CDT) in [26].

4.1 Experimental Results

Our implementation uses C++ language. We run 100,000 times experiments for each parameter choice on a computer with Intel Xeon E5-2697 v2 @ 2.70 GHz CPU, running CentOS Linux release 7.4.1708, g++ version 6.3.0. We evaluate the average runtime for discrete Gaussian sampling (TimeDGS), polynomial multiplication (TimePM), key generation (TimeKeyPair), party i timing (Time\(P_i\)) and party j timing (Time\(P_j\)) respectively. We show the experimental results in Table 4 with two decimal precision.

Table 4. Runtime (millisecond) of our implementation
Full size table

Rounding, recovering and error reconciliation are extremely efficient. Most expensive ones are discrete Gaussian sampling and polynomial multiplication.

4.2 Communication Cost Comparison

We show the communication cost of our work with several similar RLWE-based key exchange or KEM protocols in Table 5. Our construction has smallest communication cost compared with rest of the RLWE-based protocols. Thus, we believe that our construction provides better trade-off between security and communication cost.

Table 5. Communication cost comparison between several Diffie-Hellman-like key exchange and KEM constructions from RLWE problem
Full size table

5 Conclusion

It is crucial to build secure and practical post-quantum cryptography primitives for the upcoming post-quantum world. We believe that our new ephemeral-only Diffie-Hellman-like RLWE+Rounding key exchange gives a new solution. We also apply a proper approach to estimate the security of only one RLWE sample, which is closely related to our key exchange protocol design. We also take the overwhelming memory requirement of sieving algorithm into consideration. Our elegant and simple design gives better security and smaller communication cost.