1 Introduction

Most public-key cryptosystems currently in use, based on the hardness of solving (elliptic curve) discrete logarithm or factoring large integers, will be broken, if large-scale quantum computers are ever built. The arrival of such quantum computers is now believed by many scientists to be merely a significant engineering challenge, and is estimated to be within the next two decades or so. Historically, it has taken almost two decades to deploy the modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we should begin now to prepare our information security systems to be able to resist quantum computing. In addition, for the content we want to protect over a period of 15 years or longer, it becomes necessary to switch to post-quantum cryptography today. In the majority of contexts, ephemeral key establishment (KE), which plays a central role in modern cryptography, is among the most critical asymmetric primitives to upgrade to post-quantum security.

Lattice-based cryptography is one of the promising mathematical approaches to achieving security resistant to quantum attacks. For cryptographic usage, compared with the classic hard lattice problems such as SVP and CVP, the learning with errors (LWE) problem is proven to be much more versatile [Reg09]. One of the main technical contributions in recent years on achieving practical key establishment based on LWE and its variants is the improvement and generalization of the key reconciliation mechanisms [Reg09, DXL12, LPR10, LP10]. But the key reconciliation mechanisms were only previously used and analyzed, for both KE and PKE, in a non-black-box way. This means, for new key reconciliation mechanisms developed in the future to be used for constructing lattice-based cryptosystems, we need to analyze their security from scratch. Moreover, for the various parameters involved in key reconciliation, the bounds on what could or couldn’t be achieved are unclear. As a consequence, we lack basic criteria to evaluate various reconciliation mechanisms and to indicate whether they can be further improved.

Abstraction/generalization is fundamental to natural science (mathematics, physics), and is particularly important to cryptography. For example, in the area of signature, Schnorr signature is generalized via Fiat-Shamir transformation [FS86], with abstraction of \(\varSigma \)-protocol [CDS94]. The similar abstraction and generalization also plays a fundamental role in CCA-secure PKE, and in many more areas of modern cryptography. Abstraction and generalization is particularly helpful and expected for lattice-based cryptography, as they are usually less easy to understand and evaluate, and are related to the ongoing NIST post-quantum cryptography standardization [NIST].

1.1 Our Contributions

In this work, we abstract the key ingredients in previous key establishment and PKE schemes based on LWE and its variants, by introducing and formalizing the building tool, referred to as key consensus (KC) and its asymmetric variant AKC. KC and AKC allow two communicating parties to reach consensus from close values obtained by some secure information exchange, such as exchanging their LWE samples. We then discover upper bounds on parameters for any KC and AKC. As a conceptual contribution, this simplifies the design and analysis of these cryptosystems in the future. We then design and analyze both generic and highly practical KC and AKC schemes, which are referred to as symmetric key consensus with noise (OKCN) and asymmetric key consensus with noise (AKCN) respectively for presentation simplicity.

We propose the first construction of key establishment merely based on the LWR problem with concrete analysis and evaluation, to the best of our knowledge. We use the randomness lifting technique to present a unified protocol structure that can be instantiated with either KC or AKC. We provide an analysis breaking the correlation between the rounded deterministic noise and the secret, and design an algorithm to calculate the error probability numerically. When applied to LWE-based key establishment, OKCN and AKCN can result in more practical or well-balanced schemes, compared to the related LWE-based protocols in the literature. The protocols developed in this work are implemented. The code and scripts, together with those for evaluating concrete security and failure rates, are (anonymously) available from Github http://github.com/OKCN.

1.2 Related Work

AKC (resp., KC) was pioneered by the works on lattice-based PKE [LP10, LPR10] (resp., the work on key establishment [DXL12]). LWR-based key establishment was pioneered by the Lizard protocol [CKLS16]. The Lizard protocol is AKC-based, and is based on (special variants of) both LWE and LWR. To the best our knowledge, key establishment protocol merely from the LWR problem was first achieved in an early version of our work [JZ16].Footnote 1 The works [BBG+17, DKRV17, BGL+18] considered AKC-based key transport protocols from some variants of LWR (some of which use sparse-ternary secret keys), and show that randomness lifting is not necessary for AKC-based protocol from LWR. But these protocols do not support KC-based instantiations. We remark that, for the recommended parameters in all the works, randomness lifting corresponds to uniform sampling from \([-2^k, 2^k-1]\) for some positive integer k, which is fast and easy.

2 Preliminaries

A string or value \(\alpha \) means a binary one, and \(|\alpha |\) is its binary length. For any real number x, \(\lfloor x \rfloor \) denotes the largest integer that less than or equal to x, and \(\lfloor x \rceil = \lfloor x + 1/2 \rfloor \). For any positive integers a and b, denote by \(\mathsf {lcm}(a, b)\) the least common multiple of them. For any \(i,j\in \mathbb {Z}\) such that \(i<j\), denote by [ij] the set of integers \(\{i,i+1,\cdots , j-1,j\}\). For any positive integer t, we let \(\mathbb {Z}_t\) denote \(\mathbb {Z} / t\mathbb {Z}\). The elements of \(\mathbb {Z}_t\) are represented, by default, as \([0, t-1]\). Nevertheless, sometimes, \(\mathbb {Z}_t\) is explicitly specified to be represented as \(\left[ -\lfloor (t-1)/2\rfloor , \lfloor t/2\rfloor \right] \).

If S is a finite set then |S| is its cardinality, and \(x\leftarrow S\) is the operation of picking an element uniformly at random from \(\mathcal {S}\). For two sets \(A,B\subseteq \mathbb {Z}_q\), define \(A+B\triangleq \{a+b|a\in A, b\in B\}\). For an addictive group \((G, +)\), an element \(x \in G\) and a subset \(S \subseteq G\), denote by \(x + S\) the set containing \(x + s\) for all \(s \in S\). For a set S, denote by \(\mathcal {U}(S)\) the uniform distribution over S. For any discrete random variable X over \(\mathbb {R}\), denote \(\mathsf {Supp}(X) = \{x \in \mathbb {R} \mid \Pr [X = x] > 0\}\).

We use standard notations and conventions below for writing probabilistic algorithms, experiments and interactive protocols. If \(\mathcal {D}\) denotes a probability distribution, \(x\leftarrow \mathcal {D}\) is the operation of picking an element according to \(\mathcal {D}\). If \(\alpha \) is neither an algorithm nor a set then \(x\leftarrow \alpha \) is a simple assignment statement. If A is a probabilistic algorithm, then \(A(x_1, x_2, \cdots ; r)\) is the result of running A on inputs \(x_1, x_2, \cdots \) and coins r. We let \(y\leftarrow A(x_1, x_2, \cdots )\) denote the experiment of picking r at random and letting y be \(A(x_1, x_2, \cdots ; r)\). By \(\Pr [R_1; \cdots ; R_n: E]\) we denote the probability of event E, after the ordered execution of random processes \(R_1, \cdots , R_n\).

2.1 The LWE and LWR Problems

Given positive continuous \(\alpha > 0\), define the real Gaussian function \(\rho _{\alpha }(x) \triangleq \exp (-x^2 / 2\alpha ^2) / \sqrt{2\pi \alpha ^2}\) for \(x \in \mathbb {R}\). Let \(D_{\mathbb {Z}, \alpha }\) denote the one-dimensional discrete Gaussian distribution over \(\mathbb {Z}\), which is determined by its probability density function \(D_{\mathbb {Z}, \alpha } (x) \triangleq \rho _{\alpha } (x) / \rho _{\alpha }(\mathbb {Z}), x\in \mathbb {Z}\). Finally, let \(D_{\mathbb {Z}^n, \alpha }\) denote the n-dimensional spherical discrete Gaussian distribution over \(\mathbb {Z}^n\), where each coordinate is drawn independently from \(D_{\mathbb {Z}, \alpha }\).

Given positive integers n and q that are both polynomials in the security parameter \(\lambda \), an integer vector \(\mathbf {s} \in \mathbb {Z}_q^n\), and a probability distribution \(\chi \) on \(\mathbb {Z}_q\), let \(A_{q, \mathbf {s}, \chi }\) be the distribution over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\) obtained by choosing \(\mathbf {a} \in \mathbb {Z}_q^n\) uniformly at random, and an error term \(e\leftarrow \chi \), and outputting the pair \((\mathbf {a}, b = \mathbf {a}^T \mathbf {s} + e) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\). The error distribution \(\chi \) is typically taken to be the discrete Gaussian probability distribution \(D_{\mathbb {Z}, \alpha }\) defined previously; However, as suggested in [BCD+16], other alternative distributions of \(\chi \) can be taken. Briefly speaking, the (decisional) learning with errors (LWE) assumption [Reg09] says that, for sufficiently large security parameter \(\lambda \), no probabilistic polynomial-time (PT) algorithm can distinguish, with non-negligible probability, \(A_{q, \mathbf {s}, \chi }\) from the uniform distribution over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\). This holds even if \(\mathcal {A}\) sees polynomially many samples, and even if the secret vector \(\mathbf {s}\) is drawn randomly from \(\chi ^n\) [ACPS09].

The LWR problem [BPR12] is a “decarbonized” variant of the LWE problem. Let \(\mathcal {D}\) be some distribution over \(\mathbb {Z}_q^n\), and \(\mathbf {s} \leftarrow \mathcal {D}\). For integers \(q \ge p \ge 2\) and any \(x\in \mathbb {Z}_q\), denote

$$\begin{aligned} \lfloor x \rceil _p=\lfloor \frac{p}{q}x \rceil . \end{aligned}$$
(1)

Then, for positive integers n and \(q \ge p \ge 2\), the LWR distribution \(A_{n, q, p}(\mathbf {s})\) over \(\mathbb {Z}_q^n \times \mathbb {Z}_p\) is obtained by sampling \(\mathbf {a}\) from \(\mathbb {Z}_q^n\) uniformly at random, and outputting \(\left( \mathbf {a}, \left\lfloor \mathbf {a}^T \mathbf {s} \right\rceil _p \right) \in \mathbb {Z}_q^n \times \mathbb {Z}_p\). Briefly speaking, the (decisional) LWR assumption says that, for sufficiently large security parameter, no PT algorithm \(\mathcal {A}\) can distinguish, with non-negligible probability, the distribution \(A_{n, q, p}(\mathbf {s})\) from the distribution \((\mathbf {a} \leftarrow \mathbb {Z}_q^n, \lfloor u \rceil _p)\) where \(u \leftarrow \mathbb {Z}_q\). This holds even if \(\mathcal {A}\) sees polynomially many samples. An efficient reduction from the LWE problem to the LWR problem, for super-polynomial large q, is provided in [BPR12]. Let B denote the bound for any component in the secret \(\mathbf {s}\). It is recently shown that, when \(q \ge 2mBp\) (equivalently, \(m\le q/2Bp\)), the LWE problem can be reduced to the (decisional) LWR assumption with m independently random samples [BGM+16]. Moreover, the reduction from LWE to LWR is actually independent of the distribution of the secret \(\mathbf {s}\).

3 Key Consensus with Noise

Before presenting the definition of key consensus (KC) scheme, we first introduce a new function \(|\cdot |_t\) relative to arbitrary positive integer \(t\ge 1\): \(|x|_{t} = \min \{x \bmod t, t - x \bmod t\}, \quad \forall x\in \mathbb {Z},\) where the result of modular operation is represented in \(\{0,...,(t-1)\}\). For instance, \(|-1|_t = \min \{-1 \mod t, (t+1) \mod t\}=\min \{t-1, 1\}=1\). In the following description, we use \(|\sigma _1-\sigma _2|_q\) to measure the distance between two elements \(\sigma _1,\sigma _2\in \mathbb {Z}_q\).

Definition 1

A KC scheme \(KC=(\textsf {params}, \textsf {Con}, \textsf {Rec})\) is specified as follows.

  • \(\textsf {params}=(q,m,g,d,aux)\) denotes the system parameters, where qmgd are positive integers satisfying \(2\le m,g\le q, 0\le d\le \lfloor \frac{q}{2}\rfloor \), and aux denotes some auxiliary values that are usually determined by (qmgd) and could be set to be a special symbol \(\emptyset \) indicating “empty”.

  • \(({k_1, v}) \leftarrow \textsf {Con}(\sigma _1, {\textsf {params}})\): On input of \((\sigma _1\in \mathbb {Z}_q,\textsf {params})\), the probabilistic polynomial-time conciliation algorithm \(\textsf {Con}\) outputs \((k_1,v)\), where \(k_1 \in \mathbb {Z}_m\) is the shared-key, and \(v \in \mathbb {Z}_g\) is a hint signal that will be publicly delivered to the communicating peer to help the two parties reach consensus.

  • \(k_2 \leftarrow \textsf {Rec}(\sigma _2, v, \textsf {params})\): On input of \((\sigma _2\in \mathbb {Z}_q,v,\textsf {params})\), the deterministic polynomial-time reconciliation algorithm \(\textsf {Rec}\) outputs \(k_2 \in \mathbb {Z}_m\).

  • Correctness: A KC scheme is correct, if for any \(\sigma _1,\sigma _2\in \mathbb {Z}_q\) such that \(|\sigma _1-\sigma _2|_q \le d\), \((k_1, v) \leftarrow \mathsf {Con}(\sigma _1, \mathsf {params})\) and \(k_2 \leftarrow \mathsf {Rec}(\sigma _2, v, \mathsf {params})\), it holds \(k_1=k_2\).

  • Security: A KC scheme is secure, if \(k_1\) and v are independent, and \(k_1\) is uniformly distributed over \(\mathbb {Z}_m\), whenever \(\sigma _1 \leftarrow \mathbb {Z}_q\) and \(k_1\) is the output of \(\mathsf {Con}(\sigma _1, \mathsf {params})\). The probability is taken over the sampling of \(\sigma _1\) and the random coins used by Con.

3.1 Efficiency Upper Bound of KC

The following theorem reveals an upper bound on the parameters q (dominating security and efficiency), m (parameterizing range of consensus key), g (parameterizing bandwidth), and d (parameterizing error rate), which allows us to take balance on these parameters according to different priorities. Due to space limitation, the proof is given in the full version [JZ16].

Theorem 1

If \(KC=(\mathsf {params}, \mathsf {Con}, \mathsf {Rec})\) is a correct and secure key consensus scheme, and \(\mathsf {params} = (q, m, g, d, aux)\), then \(2md \le q\left( 1 - \frac{1}{g}\right) \).

3.2 Construction and Analysis of OKCN

The key consensus scheme, named symmetric key consensus with noise (OKCN)”, is presented in Algorithm 1. The following fact is direct from the definition of \(|\cdot |_t\).

figure a

Fact 1

For any \(x,y,t,l\in \mathbb {Z}\) where \(t\ge 1\) and \(l\ge 0\), if \(|x - y|_q \le l\), then there exists \(\theta \in \mathbb {Z}\) and \(\delta \in [-l, l]\) such that \(x=y+\theta t+\delta \).

Theorem 2

Suppose that the system parameters satisfy \((2d + 1)m < q\left( 1 - \frac{1}{g}\right) \) where \(m\ge 2\) and \(g \ge 2\). Then, the OKCN scheme is correct.

Proof

Suppose \(|\sigma _1 - \sigma _2|_q \le d\). By Fact 1, there exist \(\theta \in \mathbb {Z}\) and \(\delta \in [-d,d]\) such that \(\sigma _2=\sigma _1 + \theta q + \delta \). From line 4 and 6 in Algorithm 1, we know that there is a \(\theta ^\prime \in \mathbb {Z}\), such that \(\alpha \sigma _1 + e + \theta ^\prime q^\prime = \sigma _A = k_1 \beta + v'\). And from the definition of \(\alpha , \beta \), we have \(\alpha /\beta = m / q\). Taking these into the formula of \(k_2\) in \(\textsf {Rec}\) (line 11 in Algorithm 1), we have

$$\begin{aligned} k_2&= \lfloor \alpha \sigma _2 / \beta - (v + 1/2)/g \rceil \bmod m \end{aligned}$$
(2)
$$\begin{aligned}&= \lfloor \alpha (\theta q + \sigma _1 + \delta ) / \beta - (v + 1/2)/g \rceil \bmod m \end{aligned}$$
(3)
$$\begin{aligned}&= \left\lfloor m (\theta -\theta ^\prime ) + \frac{1}{\beta } (k_1\beta + v' - e) + \frac{\alpha \delta }{\beta }- \frac{1}{g}(v + 1/2)\right\rceil \bmod m \end{aligned}$$
(4)
$$\begin{aligned}&= \left\lfloor k_1 + \left( \frac{v'}{\beta } - \frac{v + 1/2}{g}\right) - \frac{e}{\beta } + \frac{\alpha \delta }{\beta } \right\rceil \bmod m \end{aligned}$$
(5)

Notice that \(|v'/\beta - (v + 1/2)/g| = |v'g - \beta (v + 1/2)|/\beta g \le 1/2g\). So

$$\begin{aligned} \left| \left( \frac{v'}{\beta } - \frac{v + 1/2}{g}\right) - \frac{e}{\beta } + \frac{\alpha \delta }{\beta } \right| \le \frac{1}{2g} + \frac{\alpha }{\beta }(d + 1/2). \end{aligned}$$

From the assumed condition \((2d+1)m<q(1-\frac{1}{g})\), we get that the right-hand side is strictly smaller than 1 / 2; Consequently, after the rounding, \(k_2=k_1\).     \(\square \)

Theorem 3

OKCN is secure. Specifically, when \(\sigma _1\leftarrow \mathbb {Z}_q\), \(k_1\) and v are independent, and \(k_1\) is uniform over \(\mathbb {Z}_m\), where the probability is taken over the sampling of \(\sigma _1\) and the random coins used by \(\textsf {Con}\).

figure b

Proof

Recall that \(q'=\mathsf {lcm}(q,m),\alpha =q'/q,\beta =q'/m\). We first demonstrate that \(\sigma _A\) is subject to uniform distribution over \(\mathbb {Z}_{q'}\). Consider the map \(f: \mathbb {Z}_{q} \times \mathbb {Z}_{\alpha } \rightarrow \mathbb {Z}_{q'}\); \(f(\sigma , e) = (\alpha \sigma + e) \bmod q'\), where the elements in \(\mathbb {Z}_q\) and \(\mathbb {Z}_{\alpha }\) are represented in the same way as specified in Algorithm 1. It is easy to check that f is an one-to-one map. Since \(\sigma _1\leftarrow \mathbb {Z}_q\) and \(e\leftarrow \mathbb {Z}_\alpha \) are subject to uniform distributions, and they are independent, \(\sigma _A = (\alpha \sigma _1 + e) \bmod q' = f(\sigma _1,e)\) is also subject to uniform distribution over \(\mathbb {Z}_{q'}\).

In the similar way, defining \(f':\mathbb {Z}_{m} \times \mathbb {Z}_{\beta } \rightarrow \mathbb {Z}_{q'}\) such that \(f'(k_1, v') = \beta k_1 + v'\), then \(f'\) is obviously a one-to-one map. From line 6 of Algorithm 1, \(f'(k_1, v') = \sigma _A\). As \(\sigma _A\) is distributed uniformly over \(\mathbb {Z}_{q'}\), \((k_1, v')\) is uniformly distributed over \(\mathbb {Z}_m \times \mathbb {Z}_{\beta }\), and so \(k_1\) and \(v'\) are independent. As v only depends on \(v'\), \(k_1\) and v are independent.     \(\square \)

Special Parameters, and Performance Speeding-Up. The first and the second line of Con (line 3 and 4 in Algorithm 1) play the role in transforming a uniform distribution over \(\mathbb {Z}_q\) to a uniform distribution over \(\mathbb {Z}_{q'}\). If one chooses qgm to be power of 2, i.e., \(q = 2^{\bar{q}},g = 2^{\bar{g}},m = 2^{\bar{m}}\) where \(\bar{q},\bar{g},\bar{m}\in \mathbb {Z}\), then such transformation is not necessary, and the random noise e used in calculating \(\sigma _A\) in Algorithm 1 is avoided. If we take \(\bar{g} + \bar{m} = \bar{q}\), it can be further simplified into the variant depicted in Algorithm 2, with the constraint on parameters is further relaxed.

Corollary 1

If mg are power of 2, \(q=m \cdot g\), and \(2md < q\), then the KC scheme described in Algorithm 2 is correct and secure. Notice that the constraint on parameters is further simplified to \(2md < q\) in this case.

To the best of our knowledge, OKCN is the first multi-bit reconciliation mechanism, and the first that can be instantiated to tightly match the upper-bound proved in Theorem 1.

4 Asymmetric Key Consensus with Noise

Definition 2

 An asymmetric key consensus scheme \(AKC=(\textsf {params},\textsf {Con}, \textsf {Rec})\) is specified as follows:

  • \(\textsf {params}=(q, m, g, d, aux)\) denotes the system parameters, where q, \(2\le m,g\le q, 1\le d\le \lfloor \frac{q}{2}\rfloor \) are positive integers, and aux denotes some auxiliary values that are usually determined by (qmgd) and could be set to be empty.

  • \(v \leftarrow \textsf {Con}(\sigma _1, k_1, \textsf {params})\): On input of \((\sigma _1 \in \mathbb {Z}_q, k_1 \in \mathbb {Z}_m, \textsf {params})\), the probabilistic polynomial-time conciliation algorithm \(\textsf {Con}\) outputs the public hint signal \(v\in \mathbb {Z}_g\).

  • \(k_2 \leftarrow \textsf {Rec}(\sigma _2, v, \textsf {params})\): On input of \((\sigma _2, v, \textsf {params})\), the deterministic polynomial-time algorithm \(\textsf {Rec}\) outputs \(k_2 \in \mathbb {Z}_m\).

  • Correctness: An AKC scheme is correct, if for any \(\sigma _1,\sigma _2\in \mathbb {Z}_q\) such that \(|\sigma _1-\sigma _2|_q \le d\), and \(v \leftarrow \mathsf {Con}(\sigma _1, k_1, \mathsf {params}), k_2\leftarrow \mathsf {Rec}(\sigma _2, v, \mathsf {params})\), it holds \(k_1 = k_2\).

  • Security: An AKC scheme is secure, if v is independent of \(k_1\) whenever \(\sigma _1\) is uniformly distributed over \(\mathbb {Z}_q\), and v is the output of \(\mathsf {Con}(\sigma _1, k_1, \mathsf {params})\). Specifically, for arbitrary \(\tilde{v}\in \mathbb {Z}_g\) and arbitrary \(\tilde{k}_1,\tilde{k}^\prime _1\in \mathbb {Z}_m\), it holds that \(\Pr [v=\tilde{v}|k_1=\tilde{k}_1]=\Pr [v=\tilde{v}|k_1=\tilde{k}^\prime _1]\), where the probability is taken over \(\sigma _1\leftarrow \mathbb {Z}_q\) and the random coins used by Con.

Theorem 4

Let AKC be an asymmetric key consensus scheme with \(\mathsf {params} = (q, m, d, g, aux)\). If AKC is correct and secure, then \(2md \le q\left( 1 - \frac{m}{g}\right) \).

The proof of Theorem 4 is given in the full version [JZ16]. Comparing the formula \(2md \le q(1 - m/g)\) in Theorem 4 with the formula \(2md \le q(1 - 1/g)\) in Theorem 1, we see that the only difference is a factor m in g. This indicates that, on the same values of (qmd), an AKC scheme has to use a bigger bandwidth parameter g compared to KC.

4.1 Construction and Analysis of AKCN

The AKCN scheme, referred to as asymmetric key consensus with noise, is depicted in Algorithm 3. For AKCN, we can offline compute and store \(k_1\) and \(g \lfloor k_1 q/m \rceil \) in order to accelerate online performance.

figure c

The design of AKCN was guided by, and motivated for, the upper-bound for AKC proved in this work. In designing AKCN, we combine all the existing optimizations in the literature in order to almost meet the upperbound proved in Theorem 4. AKCN is a generalization of the basic reconciliation mechanisms proposed in [LPR10, LP10], and its design was also inspired by the design of our OKCN and the works [BPR12, PG13]. But AKCN and the underlying reconciliation mechanism of [PG13] could be viewed as incomparable in general. In particular, the reconciliation mechanisms proposed in [LPR10, LP10] correspond to the special case of AKCN when \(g=q\) and \(m=2\). Note that, with AKCN, we use Eq. 1 described in the definition of LWR [BPR12], which may also be derived implicitly from [Pei09].

Theorem 5

Suppose the parameters of AKCN satisfy \((2d + 1)m < q\left( 1 - \frac{m}{g}\right) \). Then, the AKCN scheme described in Algorithm 3 is correct.

Proof

From the formula generating v, we know that there exist \(\varepsilon _1, \varepsilon _2 \in \mathbb {R}\) and \(\theta \in \mathbb {Z}\), where \(|\varepsilon _1| \le 1/2\) and \(|\varepsilon _2| \le 1/2\), such that

$$\begin{aligned} v = \frac{g}{q}\left( \sigma _1 + \left( \frac{k_1q}{m} + \varepsilon _1 \right) \right) + \varepsilon _2 + \theta g \end{aligned}$$

Taking this into the formula computing \(k_2\) in Rec, we have

$$\begin{aligned} k_2&= \left\lfloor m(v / g - \sigma _2 / q) \right\rceil \bmod m \\&= \left\lfloor m \left( \frac{1}{q}(\sigma _1 + k_1 q / m + \varepsilon _1) + \frac{\varepsilon _2}{g} + \theta - \frac{\sigma _2}{q}\right) \right\rceil \bmod m\\&= \left\lfloor k_1 + \frac{m}{q}\left( \sigma _1 - \sigma _2 \right) + \frac{m}{q} \varepsilon _1 + \frac{m}{g} \varepsilon _2 \right\rceil \bmod m \end{aligned}$$

By Fact 1 (page 6), there exist \(\theta ' \in \mathbb {Z}\) and \(\delta \in [-d, d]\) such that \(\sigma _1 = \sigma _2 + \theta ' q + \delta \). Hence,

$$\begin{aligned} k_2 = \left\lfloor k_1 + \frac{m}{q} \delta + \frac{m}{q} \varepsilon _1 + \frac{m}{g} \varepsilon _2 \right\rceil \bmod m \end{aligned}$$

Since \(|m\delta / q + m \varepsilon _1/q + m \varepsilon _2 / g| \le md/q + m/2q + m/2g < 1/2\), \(k_1 = k_2\).     \(\square \)

Theorem 6

The AKCN scheme is secure. Specifically, v is independent of \(k_1\) when \(\sigma _1\leftarrow \mathbb {Z}_q\).

Proof

For arbitrary \(\tilde{v}\in \mathbb {Z}_g\) and arbitrary \(\tilde{k}_1,\tilde{k}^\prime _1\in \mathbb {Z}_m\), we prove that \(\Pr [v=\tilde{v}|k_1=\tilde{k}_1]=\Pr [v=\tilde{v}|k_1=\tilde{k}^\prime _1]\) when \(\sigma _1\leftarrow \mathbb {Z}_q\).

For any \((\tilde{k}, \tilde{v})\) in \(\mathbb {Z}_m \times \mathbb {Z}_g\), the event \((v =\tilde{v} \mid k_1 = \tilde{k})\) is equivalent to the event that there exists \(\sigma _1 \in \mathbb {Z}_q\) such that \(\tilde{v} = \lfloor g(\sigma _1 + \lfloor \tilde{k} q / m \rceil )/q \rceil \bmod g\). Note that \(\sigma _1 \in \mathbb {Z}_q\) satisfies \(\tilde{v} = \lfloor g(\sigma _1 + \lfloor \tilde{k} q / m \rceil )/q \rceil \bmod g\), if and only if there exist \(\varepsilon \in (-1/2, 1/2]\) and \(\theta \in \mathbb {Z}\) such that \(\tilde{v} = g(\sigma _1 + \lfloor \tilde{k} q / m \rceil ) / q + \varepsilon - \theta g\). That is, \(\sigma _1 = (q (\tilde{v} - \varepsilon ) / g - \lfloor \tilde{k} q / m\rceil ) \bmod q\), for some \(\varepsilon \in (-1/2, 1/2]\). Let \(\varSigma (\tilde{v}, \tilde{k}) = \{\sigma _1 \in \mathbb {Z}_q \mid \exists \varepsilon \in (-1/2, 1/2] \ s.t. \ \sigma _1 = (q (\tilde{v} - \varepsilon ) / g - \lfloor \tilde{k} q / m\rceil ) \bmod q \}\). Defining the map \(\phi : \varSigma (\tilde{v}, 0) \rightarrow \varSigma (\tilde{v}, \tilde{k})\), by setting \(\phi (x) = \left( x - \lfloor \tilde{k} q / m \rceil \right) \bmod q\). Then \(\phi \) is obviously a one-to-one map. Hence, the cardinality of \(\varSigma (\tilde{v}, \tilde{k})\) is irrelevant to \(\tilde{k}\). Specifically, for arbitrary \(\tilde{v}\in \mathbb {Z}_g\) and arbitrary \(\tilde{k}_1,\tilde{k}^\prime _1\in \mathbb {Z}_m\), it holds that \(\left| \varSigma (\tilde{v}, \tilde{k}_1)\right| =\left| \varSigma (\tilde{v}, \tilde{k}^\prime _1)\right| =\left| \varSigma (\tilde{v}, 0)\right| \).

Now, for arbitrary \(\tilde{v}\in \mathbb {Z}_g\) and arbitrary \(\tilde{k}\in \mathbb {Z}_m\), when \(\sigma _1\leftarrow \mathbb {Z}_q\) we have that \(\Pr [v = \tilde{v} \mid k_1 = \tilde{k}] = \Pr \left[ \sigma _1 \in \varSigma (\tilde{v}, \tilde{k}) \mid k_1 = \tilde{k}\right] =|\varSigma (\tilde{v}, \tilde{k})| / q = |\varSigma (\tilde{v}, 0)|/q\). The right-hand side only depends on \(\tilde{v}\), and so v is independent of \(k_1\).     \(\square \)

4.2 Discussions on KC vs. AKC

Key establishment (KE) schemes based upon KC and AKC have different performances and features.

  • KC-based KE corresponds to Diffie-Hellman key establishment in the lattice world, while AKC-based to El Gamal key transport.

  • When deploying AKC-based KE in practice, if the randomness used by the responder (e.g., a low-power device like smart card) is poor, it will significantly ruin the session-key security. Or, if the responder is just lazy (or for economic reasons), who may re-use session-keys across multiple sessions, as demonstrated with some deployed TLS implementations in reality. In comparison, with KC-based KE, the two players play a symmetric role in generating the session-key, and thus the damage caused by poor randomness can be alleviated. In addition, symmetry is usually a desirable feature for cryptographic schemes in practice.

  • On the same parameters (qmg) (which imply the same bandwidth), OKCN-based KE has lower error probability than AKCN-based. Or, on the same parameters (qmd) (which imply the same error probability), OKCN-based KE has smaller bandwidth than AKCN-based. This comparison is enabled by the upper-bounds on these parameters proved in Theorems 1 and 4.

  • KC-based KE is more versatile, in the sense that it can also be straightforwardly adapted into a key transport protocol or a CPA-secure PKE scheme. Moreover, in another work [CGZ18], we show that the deterministic version of OKCN is also a fundamental building tool for lattice-based signature.

  • KC-based KE is more appropriate for incorporating into the existing standards like IKE and TLS that are based on Diffie-Hellman via the SIGMA mechanism [Kra03]. We note that key transport is explicitly abandoned with TLS1.3.

  • For the parameters proposed in this work, OKCN is actually (slightly) more efficient than AKCN.

For the above reasons, we focus more on KC-based key establishment (specifically, key exchange) than AKC-based in this work. Still, we aim for a unified protocol structure that can be instantiated with either KC or AKC, in order to simplify system complexity.

Fig. 1.
figure 1

LWR-based key establishment from KC, where \(\mathbf {K}_1,\mathbf {K}_2\in \mathbb {Z}_m^{l_A\times l_B}\) and \(|{\mathbf {K}_1}|=|{\mathbf {K}_2}|=l_A\,l_B|m|\).

Full size image

5 LWR-Based Key Establishment

The KC-based key establishment (KE) from the LWR problem is depicted in Fig. 1. Denote by \((n, l_A, l_B, q, p, KC, \chi )\) the system parameters, where p|q, and p and q are chosen to be power of 2. Let \(KC = (\mathsf {params} = (p, m, g, d, aux), \mathsf {Con}, \mathsf {Rec})\) be a correct and secure key consensus scheme, \(\chi \) be a small noise distribution over \(\mathbb {Z}_q\), and \(\mathsf {Gen}\) be a pseudo-random generator (PRG) generating the matrix \(\mathbf {A}\) from a small seed. In the actual implementation, we use OKCN-simple as the underlying KC mechanism. For presentation simplicity, we assume \(\mathbf {A}\in \mathbb {Z}_q^{n\times n}\) to be square matrix. The length of the random seed, i.e., \(\kappa \), is typically set to be 256. The actual session-key is derived from \(\mathbf {K}_1\) and \(\mathbf {K}_2\) via some key derivation function KDF. For presentation simplicity, the functions Con and Rec are applied to matrices, meaning that they are applied to each of the coordinates respectively. For presentation simplicity, we describe the LWR-based key establishment protocol from any KC scheme. But it can be trivially adapted to work on any correct and secure AKC scheme. In this case, the responder user Bob simply chooses \(\mathbf {K}_2\leftarrow \mathbb {Z}_m^{l_A\times l_B}\), and the output of \(\textsf {Con}(\varvec{\varSigma }_2, \mathbf {K}_2, \textsf {params})\) is simply defined to be \(\mathbf {V}\). The security proof of the LWR-based KE protocol is analogous to that in [Pei14, BCD+16], and is given in the full version.

5.1 Analysis of Correctness and Failure Rate

For any integer x, let \(\{x\}_p\) denote \(x - \frac{q}{p} \lfloor x \rceil _p\), where \(\lfloor x \rceil _p=\lfloor \frac{p}{q}x \rceil \). Then, for any integer x, \(\{x\}_p \in [-q/2p, q/2p-1]\), hence \(\{x\}_p\) can be naturally regarded as an element in \(\mathbb {Z}_{q/p}\). In fact, \(\{x\}_p\) is equal to \(x \bmod q/p\), where the result is represented in \([-q/2p, q/2p-1]\). When the notation \(\{\cdot \}_p\) is applied to a matrix, it means \(\{\cdot \}_p\) applies to every element of the matrix respectively.

We have \(\varvec{\varSigma }_2 = \mathbf {Y}_1^T \mathbf {X}_2 + \lfloor \varvec{\varepsilon }^T \mathbf {X}_2 \rceil _p = \lfloor \mathbf {A} \mathbf {X}_1 \rceil _p^T \mathbf {X}_2 + \lfloor \varvec{\varepsilon }^T \mathbf {X}_2 \rceil _p = \frac{p}{q} (\mathbf {A} \mathbf {X}_1 - \{\mathbf {A} \mathbf {X}_1\}_p)^T \mathbf {X}_2 + \lfloor \varvec{\varepsilon }^T \mathbf {X}_2 \rceil _p\). And \(\varvec{\varSigma }_1 = \mathbf {X}_1^T \mathbf {Y}_2 = \mathbf {X}_1^T \lfloor \mathbf {A}^T \mathbf {X}_2 \rceil _p = \frac{p}{q} (\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 - \mathbf {X}_1^T \{\mathbf {A}^T \mathbf {X}_2\}_p)\). Hence,

$$\begin{aligned} \varvec{\varSigma }_2 - \varvec{\varSigma }_1&= \frac{p}{q}(\mathbf {X}_1^T \{\mathbf {A}^T \mathbf {X}_2\}_p - \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2) + \lfloor \mathbf {\varepsilon }^T \mathbf {X}_2 \rceil _p \mod p \\&= \left\lfloor \frac{p}{q}(\mathbf {X}_1^T \{\mathbf {A}^T \mathbf {X}_2\}_p - \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 + \mathbf {\varepsilon }^T \mathbf {X}_2 )\right\rceil \mod p \end{aligned}$$

The general idea is that \(\mathbf {X}_1, \mathbf {X}_2, \varvec{\varepsilon }, \{\mathbf {A}^T \mathbf {X}_2\}_p\) and \(\{\mathbf {A} \mathbf {X}_1\}_p\) are small enough, so that \(\varvec{\varSigma }_1\) and \(\varvec{\varSigma }_2\) are close. If \(|\varvec{\varSigma }_1 - \varvec{\varSigma }_2|_p \le d\), the correctness of the underlying KC guarantees \(\mathbf {K}_1 = \mathbf {K}_2\). For given concrete parameters, we numerically derive the probability of \(|\varvec{\varSigma }_2 - \varvec{\varSigma }_1|_p > d\) by numerically calculating the distribution of \(\mathbf {X}_1^T \{\mathbf {A}^T \mathbf {X}_2\}_p - (\{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varepsilon ^T\mathbf {X}_2)\) for the case of \(l_A = l_B = 1\), then applying the union bound. The independency between variables indicated by the following Theorem 7 can greatly simplify the calculation.

Let \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) denote the event that there exist invertible elements of ring \(\mathbb {Z}_{q/p}\) in both vectors \(\mathbf {X}_1\) and \(\mathbf {X}_2\). We claim that \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) happens with overwhelming probability. This claim follows from . In our application, \(\Pr [x \leftarrow \chi : x \textsf { is non-invertible}]\) is far from one, hence, \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) holds with overwhelming probability.

Lemma 1

Consider the case of \(l_A = l_B = 1\). For any \(a \in \mathbb {Z}_{q/p}, \mathbf {x} \in \mathbb {Z}^n_{q/p}\), denote \(S_{\mathbf {x}, a} = \{\mathbf {y} \in \mathbb {Z}_{q/p}^n \mid \mathbf {x}^T \mathbf {y} \bmod (q/p) = a\}\). For any fixed \(a \in \mathbb {Z}_{q/p}\), conditioned on \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) and \(\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a\), the random vectors \(\{\mathbf {A}^T \mathbf {X}_2\}_p\) and \(\{\mathbf {A} \mathbf {X}_1\}_p\) are independent, and are subjected to uniform distribution over \(S_{\mathbf {X}_1, a}, S_{\mathbf {X}_2, a}\) respectively.

Proof

Under the condition of \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\), for any fixed \(\mathbf {X}_1\) and \(\mathbf {X}_2\), define the map \(\phi _{\mathbf {X}_1, \mathbf {X}_2}\): \(\mathbb {Z}_q^{n \times n} \rightarrow \mathbb {Z}_{q/p}^n \times \mathbb {Z}_{q/p}^n\), such that \(\mathbf {A} \mapsto (\{\mathbf {A} \mathbf {X}_1\}_p, \{\mathbf {A}^T \mathbf {X}_2\}_p)\).

We shall prove that the image of \(\phi _{\mathbf {X}_1, \mathbf {X}_2}\) is \(S = \{(\mathbf {y}_1, \mathbf {y}_2) \in \mathbb {Z}_{q/p}^n \times \mathbb {Z}_{q/p}^n \mid \mathbf {X}_2^T \mathbf {y}_1 = \mathbf {X}_1^T \mathbf {y}_2 \mod (q/p) \}\). Denote \(\mathbf {X}_1 = (x_1, \mathbf {X}_1'^T)^T\) and \(\mathbf {y}_2 = (y_2, \mathbf {y}_2'^T)^T\). Without loss of generality, we assume \(x_1\) is invertible in the ring \(\mathbb {Z}_{q/p}\). For any \((\mathbf {y}_1, \mathbf {y}_2) \in S\), we need to find an \(\mathbf {A}\) such that \(\phi _{\mathbf {X}_1, \mathbf {X}_2}(\mathbf {A}) = (\mathbf {y}_1, \mathbf {y}_2)\).

From the condition \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\), we know that there exists an \(\mathbf {A}' \in \mathbb {Z}^{(n-1) \times n}\) such that \(\{\mathbf {A}' \mathbf {X}_2\}_p = \mathbf {y}_2'\). Then, we let \(\mathbf {a}_1 = x_1^{-1} (\mathbf {y}_1 - \mathbf {A}'^T \mathbf {X}_1') \bmod (q/p)\), and \(\mathbf {A} = (\mathbf {a}_1, \mathbf {A}'^T)\). Now we check that \(\phi _{\mathbf {X}_1, \mathbf {X}_2}(\mathbf {A}) = (\mathbf {y}_1, \mathbf {y}_2)\).

$$\begin{aligned} \{\mathbf {A} \mathbf {X}_1\}_p&= \left\{ \begin{pmatrix} \mathbf {a}_1&\mathbf {A}'^T \end{pmatrix} \begin{pmatrix} x_1 \\ \mathbf {x}_1' \end{pmatrix}\right\} _p = \{ x_1 \mathbf {a}_1 + \mathbf {A}'^T \mathbf {X}_1' \}_p = \mathbf {y}_1 \\ \{\mathbf {A}^T \mathbf {X}_2\}_p&= \left\{ \begin{pmatrix} \mathbf {a}_1^T \\ \mathbf {A}' \end{pmatrix} \mathbf {X}_2 \right\} _p = \left\{ \begin{pmatrix} \mathbf {a}_1^T \mathbf {X}_2 \\ \mathbf {A}' \mathbf {X}_2 \end{pmatrix} \right\} _p = \left\{ \begin{pmatrix} x_1^{-1}(\mathbf {y}_1^T - \mathbf {X}_1'^T \mathbf {A}) \mathbf {X}_2 \\ \mathbf {A}' \mathbf {X}_2 \end{pmatrix} \right\} _p \\&= \left\{ \begin{pmatrix} x_1^{-1}(\mathbf {X}_1^T \mathbf {y}_2 - \mathbf {X}_1'^T \mathbf {y}_2') \\ \mathbf {y}_2' \end{pmatrix} \right\} _p = \left\{ \begin{pmatrix} y_2 \\ \mathbf {y}_2' \end{pmatrix} \right\} _p = \mathbf {y}_2 \end{aligned}$$

Hence, if we treat \(\mathbb {Z}_q^{n \times n}\) and S as \(\mathbb {Z}\)-modules, then \(\phi _{\mathbf {X}_1, \mathbf {X}_2}: \mathbb {Z}_q^{n \times n} \rightarrow S\) is a surjective homomorphism. Then, for any fixed \((\mathbf {X}_1, \mathbf {X}_2)\), \((\{\mathbf {A} \mathbf {X}_1\}_p, \{\mathbf {A}^T \mathbf {X}_2\}_p)\) is uniformly distributed over S. This completes the proof.     \(\square \)

Theorem 7

Under the condition \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\), the following two distributions are identical:

  • \((a, \mathbf {X}_1, \mathbf {X}_2, \{\mathbf {A} \mathbf {X}_1\}_p, \{\mathbf {A}^T \mathbf {X}_2\}_p)\), where \(\mathbf {A} \leftarrow \mathbb {Z}_q^{n \times n}\), \(\mathbf {X}_1 \leftarrow \chi ^{n}\), \(\mathbf {X}_2 \leftarrow \chi ^{n}\), and \(a = \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q / p)\).

  • \((a, \mathbf {X}_1, \mathbf {X}_2, \mathbf {y}_1, \mathbf {y}_2)\), where \(a \leftarrow \mathbb {Z}_{q/p}, \mathbf {X}_1 \leftarrow \chi ^{n}\), \(\mathbf {X}_2 \leftarrow \chi ^{n}\), \(\mathbf {y}_1 \leftarrow S_{\mathbf {X}_2, a}\), and \(\mathbf {y}_2 \leftarrow S_{\mathbf {X}_1, a}\).

Proof

For any \(\tilde{a}\in \mathbb {Z}_{q/p}\), \(\tilde{\mathbf {X}}_1, \tilde{\mathbf {X}}_2 \in \mathsf {Supp} (\chi ^{n})\), \(\tilde{\mathbf {y}}_1, \tilde{\mathbf {y}}_2\in \mathbb {Z}_{q/p}^n\), we have

$$\begin{aligned}&\Pr [a = \tilde{a}, \mathbf {X}_1 = \tilde{\mathbf {X}}_1, \mathbf {X}_2 = \tilde{\mathbf {X}}_2, \{\mathbf {A} \mathbf {X}_1\}_p = \tilde{\mathbf {y}}_1, \{\mathbf {A}^T \mathbf {X}_2\}_p = \tilde{\mathbf {y}}_2 \mid \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)] \\ =&\Pr [ \{\mathbf {A} \mathbf {X}_1\}_p = \tilde{\mathbf {y}}_1, \{\mathbf {A}^T \mathbf {X}_2\}_p = \tilde{\mathbf {y}}_2 \mid a = \tilde{a}, \mathbf {X}_1 = \tilde{\mathbf {X}}_1, \mathbf {X}_2 = \tilde{\mathbf {X}}_2, \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2) ] \\&\Pr [a = \tilde{a}, \mathbf {X}_1 = \tilde{\mathbf {X}}_1, \mathbf {X}_2 = \tilde{\mathbf {X}}_2 \mid \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2) ] \end{aligned}$$

From Lemma 1, the first term equals to \(\Pr [\mathbf {y}_1 \leftarrow S_{\tilde{\mathbf {X}}_2, \tilde{a}}; \mathbf {y}_2 \leftarrow S_{\tilde{\mathbf {X}}_1, \tilde{a}}: \mathbf {y}_1 = \tilde{\mathbf {y}}_1, \mathbf {y}_2 = \tilde{\mathbf {y}}_2 \mid a = \tilde{a}, \mathbf {X}_1 = \tilde{\mathbf {X}}_1, \mathbf {X}_2 = \tilde{\mathbf {X}}_2, \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)]\).

For the second term, we shall prove that a is independent of \((\mathbf {X}_1, \mathbf {X}_2)\), and is uniformly distributed over \(\mathbb {Z}_{q/p}\). Under the condition of \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\), the map \(\mathbb {Z}_q^{n \times n} \rightarrow \mathbb {Z}_{q/p}\), such that \(\mathbf {A} \mapsto \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p)\), is a surjective homomorphism between the two \(\mathbb {Z}\)-modules. Then, \(\Pr [a = \tilde{a} \mid \mathbf {X}_1 = \tilde{\mathbf {X}}_1, \mathbf {X}_2 = \tilde{\mathbf {X}}_2, \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)] = p/q\). Hence, under the condition of \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\), a is independent of \((\mathbf {X}_1, \mathbf {X}_2)\), and is distributed uniformly at random. So the two ways of sampling result in the same distribution.     \(\square \)

We design and implement the following algorithm to numerically calculate the distribution of \(\varvec{\varSigma }_2 - \varvec{\varSigma }_1\) efficiently. For any \(c_1, c_2 \in \mathbb {Z}_q, a \in \mathbb {Z}_{q/p}\), we numerically calculate \(\Pr [ \mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p = c_1]\) and \(\Pr [ \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2, \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]\), then derive the distribution of \(\mathbf {\varSigma }_2 - \mathbf {\varSigma }_1\).

As \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) occurs with overwhelming probability, for any event E, we have \(|\Pr [E] - \Pr [E | \mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)]| < negl\). For simplicity, we ignore the effect of \(\mathsf {Inv}(\mathbf {X}_1, \mathbf {X}_2)\) in the following calculations. By Theorem 7, \(\Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p = c_1] = \Pr [\mathbf {X}_1 \leftarrow \chi ^n, \mathbf {y}_2 \leftarrow \mathbb {Z}_{q/p}^n; \mathbf {X}_1^T \mathbf {y}_2 = c_1]\). This probability can be numerically calculated by computer programs. The probability \(\Pr [ \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2, \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]\) can also be calculated by the similar way. Then, for arbitrary \(c\in \mathbb {Z}_q\),

$$\begin{aligned}&\Pr [\mathbf {\varSigma }_1 - \mathbf {\varSigma }_2 = c] = \Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p - \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 + \varvec{\varepsilon }^T \mathbf {X}_2 = c] \\ =&\sum _{\begin{array}{c} c_1 - c_2 = c \\ a \in \mathbb {Z}_{q/p} \end{array}} \begin{array}{c} \Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p = c_1, \{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2 \mid \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a] \cdot \\ \Pr [\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a] \end{array} \\ =&\sum _{\begin{array}{c} c_1 - c_2 = c \\ a \in \mathbb {Z}_{q/p} \end{array}} \begin{array}{c} \Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p = c_1 \mid \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a ] \cdot \\ \Pr [\{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2 \mid \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a] \Pr [\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a] \end{array} \\ =&\!\!\sum _{\begin{array}{c} a \in \mathbb {Z}_{q/p} \\ c_1 - c_2 = c \end{array}} \!\!\frac{\Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p\! =\! c_1, c_1 \bmod (q/p)\! =\! a] \Pr [\{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2, \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]}{\Pr [\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]} \\ =&\sum _{\begin{array}{c} a \in \mathbb {Z}_{q/p} \\ c_1 - c_2 = c \\ c_1 \bmod (q/p) = a \end{array}} \frac{\Pr [\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p = c_1] \Pr [\{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2 = c_2, \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]}{\Pr [\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a]} \end{aligned}$$

By Theorem 7, conditioned on \(\mathsf {Inv(\mathbf {X}_1, \mathbf {X}_2)}\) and \(\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 \bmod (q/p) = a\), \(\mathbf {X}_1^T\{\mathbf {A}^T \mathbf {X}_2\}_p\) is independent of \(\{\mathbf {A} \mathbf {X}_1\}_p^T \mathbf {X}_2 - \varvec{\varepsilon }^T \mathbf {X}_2\), which implies the second equality. The scripts are available from http://github.com/OKCN.

5.2 Parameter Selection and Evaluation

It is suggested in [ADPS16, BCD+16] that rounded Gaussian distribution can be replaced by discrete distribution that is very close to rounded Gaussian in the sense of Rényi divergence [BLL+15] (Table 1).

Table 1. Discrete distributions of every component in the LWR secret. We choose the standard variances “var.” large enough to prevent potential combinational attacks.
Full size table
Table 2. Parameters for LWR-Based key establishment with OKCN-simple. “bw.” refers to the bandwidth in kilo-bytes.“err.” refers to the overall error rate that is calculated by the algorithm developed in Sect. 5.1. “\(|\mathbf {K}|\)” refers to the length of consensus bits.
Full size table

Security Estimation. The dual attack tries to distinguish the distribution of LWE samples and the uniform distribution. Suppose \((\mathbf {A}, \mathbf {b} = \mathbf {A} \mathbf {s} + \mathbf {e}) \in \mathbb {Z}_q^{m \times n} \times \mathbb {Z}_q^m\) is an LWE sample, where \(\mathbf {s}\) and \(\mathbf {e}\) are drawn from discrete Gaussian of variance \(\sigma _s^2\) and \(\sigma _e^2\) respectively. Then we choose a positive real \(c \in \mathbb {R}, 0 < c \le q\), and construct \(L_c(\mathbf {A}) = \{ (\mathbf {x}, \mathbf {y}/c) \in \mathbb {Z}^m \times (\mathbb {Z}/c)^n \mid \mathbf {x}^T \mathbf {A} = \mathbf {y}^T \mod q \}\), which is a lattice with dimension \(m + n\) and determinant \((q/c)^n\). For a short vector \((\mathbf {x}, \mathbf {y}) \in L_c(\mathbf {A})\) found by the BKZ algorithm, we have \(\mathbf {x}^T \mathbf {b} = \mathbf {x}^T (\mathbf {A} \mathbf {s} + \mathbf {e}) = c \cdot \mathbf {y}^T \mathbf {s} + \mathbf {x}^T \mathbf {e} \mod q\). If \((\mathbf {A}, \mathbf {b})\) is an LWE sample, the distribution of the right-hand side will be very close to a Gaussian of standard deviation \(\sqrt{c^2 \Vert \mathbf {y}\Vert ^2 \sigma _s^2 + \Vert \mathbf {x}\Vert ^2 \sigma _e^2}\), otherwise the distribution will be uniform. \(\Vert (\mathbf {x}, \mathbf {y})\Vert \) is about \(\delta _0^{m + n} (q/c)^{\frac{n}{m + n}}\), where \(\delta _0\) is the root Hermite factor. We heuristically assume that \(\Vert \mathbf {x}\Vert = \sqrt{\frac{m}{m + n}} \left\| (\mathbf {x}, \mathbf {y})\right\| \), and \(\Vert \mathbf {y}\Vert = \sqrt{\frac{n}{m + n}} \left\| (\mathbf {x}, \mathbf {y})\right\| \). Then we can choose \(c = \sigma _e/\sigma _s\) that minimizes the standard deviation of \(\mathbf {x}^T \mathbf {b}\). The advantage of distinguishing \(\mathbf {x}^T \mathbf {b}\) from uniform distribution is \(\varepsilon = 4 \exp (-2\pi ^2 \tau ^2)\), where \(\tau = \sqrt{c^2 \Vert \mathbf {y}\Vert ^2 \sigma _s^2 + \Vert \mathbf {x}\Vert ^2 \sigma _e^2} / q\). This attack must be repeated \(R = \max \{1, 1/(2^{0.2075b} \varepsilon ^2)\}\) times to be successful.

The primal attack reduces the LWE problem to the unique-SVP problem. Let \(\varLambda _{w}(\mathbf {A}) = \{(\mathbf {x}, \mathbf {y}, z) \in \mathbb {Z}^n \times (\mathbb {Z}^m / w) \times \mathbb {Z} \mid \mathbf {A} \mathbf {x} + w \mathbf {y} = z \mathbf {b} \mod q \}\), and a vector \(\mathbf {v}= (\mathbf {s}, \mathbf {e}/w, 1) \in \varLambda _{w}(\mathbf {A})\). \(\varLambda _{w}(\mathbf {A})\) is a lattice of \(d = m + n + 1\) dimensions, and its determinant is \((q/w)^m\). From geometry series assumption, we can derive \(\Vert \mathbf {b}_i^*\Vert \approx \delta _0^{d - 2i - 1} \det (\varLambda _w(\mathbf {A}))^{1/d}\). We heuristically assume that the length of projection of \(\mathbf {v}\) onto the vector space spanned by the last b Gram-Schmidt vectors is about \(\sqrt{\frac{b}{d}} \left\| (\mathbf {s}, \mathbf {e}/w, 1)\right\| \approx \sqrt{\frac{b}{d} \left( n \sigma _s^2 + m \sigma _e^2 / w^2 + 1\right) }\). If this length is shorter than \(\Vert \mathbf {b}_{d - b}^*\Vert \), this attack can be successful. Hence, the successful condition is \(\sqrt{\frac{b}{d} \left( n \sigma _s^2 + m \sigma _e^2 / w^2 + 1\right) } \le \delta _0^{2b - d - 1} \left( \frac{q}{w}\right) ^{m/d}\). We know that the optimal w balancing the secret \(\mathbf {s}\) and the noise \(\mathbf {e}\) is about \(\sigma _e / \sigma _s\).

We aim at providing parameter sets for long term security, and estimate the concrete security in a more conservative way than [APS15] from the defender’s point of view. We first consider the attacks of LWE whose secret and noise have different variances. Then, we treat the LWR problem as a special LWE problem whose noise is uniformly distributed over \([-q/2p, q/2p - 1]\). In our security estimation, we simply ignore the difference between the discrete distribution and the rounded Gaussian, on the following grounds: the dual attack and the primal attack only concern about the standard deviation, and the Rényi divergence between the two distributions is very small (Table 3).

Table 3. Security estimation of the parameters described in Table 2. “C, Q, P” stand for “Classical, Quantum, Plausible” respectively.
Full size table
Fig. 2.
figure 2

LWE-based key establishment from KC and AKC, where \(\mathbf {K}_1,\mathbf {K}_2\in \mathbb {Z}_m^{l_A\times l_B}\) and \(|{\mathbf {K}_1}|=|{\mathbf {K}_2}|=l_A\,l_B|m|\). \(\mathbf {1}\) refers to the matrix which every elements are 1.

Full size image

6 LWE-Based Key Establishment

In this section, following the protocol structure in [Pei14, ADPS16, BCD+16], we present the applications of OKCN and AKCN to key establishment protocols based on LWE. Denote by \((\lambda , n, q, \chi , KC, l_A, l_B, t)\) the underlying parameters, where \(\lambda \) is the security parameter, \(q \ge 2\), n, \(l_A\) and \(l_B\) are positive integers that are polynomial in \(\lambda \) (for protocol symmetry, \(l_A\) and \(l_B\) are usually set to be equal and are actually small constant). To save bandwidth, we cut off t least significant bits of \(\mathbf {Y}_2\) before sending it to Alice.

Let \(KC=(\textsf {params}, \textsf {Con}, \textsf {Rec})\) be a correct and secure KC scheme, where \(\textsf {params}\) is set to be (qgmd). The KC-based key establishment protocol from LWE is depicted in Fig. 2, and the actual session-key is derived from \(\mathbf {K}_1\) and \(\mathbf {K}_2\) via some key derivation function KDF. There, for presentation simplicity, the Con and Rec functions are applied to matrices, meaning they are applied to each of the coordinates separately. Note that \(2^t \mathbf {Y}_2' + 2^{t-1} \mathbf {1}\) is an approximation of \(\mathbf {Y}_2\), so we have \(\varvec{\varSigma }_1 \approx \mathbf {X}_1^T \mathbf {Y}_2 = \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 + \mathbf {X}_1^T \mathbf {E}_2\), \(\varvec{\varSigma }_2 = \mathbf {Y}_1^T \mathbf {X}_2 + \mathbf {E}_{\sigma } = \mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2 + \mathbf {E}_1^T \mathbf {X}_2 + \mathbf {E}_{\sigma }\). As we choose \(\mathbf {X}_1, \mathbf {X}_2, \mathbf {E}_1, \mathbf {E}_2, \mathbf {E}_{\sigma }\) according to a small noise distribution \(\chi \), the main part of \(\varvec{\varSigma }_1\) and that of \(\varvec{\varSigma }_2\) are the same \(\mathbf {X}_1^T \mathbf {A}^T \mathbf {X}_2\). Hence, the corresponding coordinates of \(\varvec{\varSigma }_1\) and \(\varvec{\varSigma }_2\) are close in the sense of \(|\cdot |_q\), from which some key consensus can be reached. The failure probability depends upon the number of bits we cut t, the underlying distribution \(\chi \) and the distance parameter d, which will be analyzed in detail in subsequent sections. In the following security definition and analysis, we simply assume that the output of the PRG \(\textsf {Gen}\) is truly random. For presentation simplicity, we have described the LWE-based key establishment protocol from a KC scheme. But it can be straightforwardly adapted to work on any correct and secure AKC scheme, as clarified in Sect. 5.

6.1 Noise Distributions and Correctness

For a correct KC with parameter d, if the distance of corresponding elements of \(\varvec{\varSigma }_1\) and \(\varvec{\varSigma }_2\) is less than d in the sense of \(|\cdot |_q\), then the scheme depicted in Fig. 2 is correct. Denote \(\varepsilon (\mathbf {Y}_2) = 2^t \lfloor \mathbf {Y}_2/2^t \rfloor + 2^{t-1} \mathbf {1} - \mathbf {Y}_2\). Then

$$\begin{aligned} \varvec{\varSigma }_1 - \varvec{\varSigma }_2&= \mathbf {X}_1^T(2^t \mathbf {Y}_2' + 2^{t-1} \mathbf {1}) - \mathbf {Y}_1^T \mathbf {X}_2 - \mathbf {E}_{\sigma } \\&= \mathbf {X}_1^T(\mathbf {Y}_2 + \varepsilon (\mathbf {Y}_2)) - \mathbf {Y}_1^T \mathbf {X}_2 - \mathbf {E}_{\sigma } \\&= \mathbf {X}_1^T(\mathbf {A}^T \mathbf {X}_2 + \mathbf {E}_2 + \varepsilon (\mathbf {Y}_2)) - (\mathbf {A} \mathbf {X}_1 + \mathbf {E}_1)^T \mathbf {X}_2 - \mathbf {E}_{\sigma } \\&= \mathbf {X}_1^T (\mathbf {E}_2 + \varepsilon (\mathbf {Y}_2)) - \mathbf {E}_1^T \mathbf {X}_2 - \mathbf {E}_{\sigma } \end{aligned}$$

We consider each pair of elements in matrix \(\varvec{\varSigma }_1, \varvec{\varSigma }_2\) separately, then derive the overall error rate by union bound. Now, we only need to consider the case \(l_A = l_B = 1\). In this case, \(\mathbf {X}_i, \mathbf {E}_i, \mathbf {Y}_i, (i = 1, 2)\) are column vectors in \(\mathbb {Z}_q^n\), and \(\mathbf {E}_{\sigma } \in \mathbb {Z}_q\).

If \(\mathbf {Y}_2\) is independent of \((\mathbf {X}_2, \mathbf {E}_2)\), then we can directly calculate the distribution of \(\varvec{\sigma }_1 - \varvec{\sigma }_2\). But now \(\mathbf {Y}_2\) depends on \((\mathbf {X}_2, \mathbf {E}_2)\). To overcome this difficulty, we show that \(\mathbf {Y}_2\) is independent of \((\mathbf {X}_2, \mathbf {E}_2)\) under a condition of \(\mathbf {X}_2\) that happens with very high probability.

Proposition 1

For any positive integer qn, and a column vector \(\mathbf {s} \in \mathbb {Z}_q^n\), let \(\phi _{\mathbf {s}}\) denote the map \(\mathbb {Z}_q^n \rightarrow \mathbb {Z}_q: \phi _{\mathbf {s}}(\mathbf {x}) = \mathbf {x}^T \mathbf {s}\). If there exits a coordinate of \(\mathbf {s}\) which is not zero divisor in ring \(\mathbb {Z}_q\), then map \(\phi _{\mathbf {s}}\) is surjective.

For a column vector \(\mathbf {s}\) composed by random variables, denote by \(F(\mathbf {s})\) the event that \(\phi _{\mathbf {s}}\) is surjective. The following proposition gives a lower bound of probability of \(F(\mathbf {s})\), where \(\mathbf {s} \leftarrow \chi ^{n}\). In our application, this lower bound is very close to 1.

Proposition 2

Let \(p_0\) be the probability that e is a zero divisor in ring \(\mathbb {Z}_q\), where e is subject to \(\chi \). Then \(\Pr [\mathbf {s} \leftarrow \chi ^{n}: F(\mathbf {s})] \ge 1 - p_0^n\)

Theorem 8

If \(\mathbf {s}, \mathbf {e} \leftarrow \chi ^{n}, \mathbf {A} \leftarrow \mathbb {Z}_q^{n \times n}, \mathbf {y} = \mathbf {A} \mathbf {s} + \mathbf {e} \in \mathbb {Z}_q^n\), then under the condition \(F(\mathbf {s})\), \(\mathbf {y}\) is independent of \((\mathbf {s}, \mathbf {e})\), and is uniformly distributed over \(\mathbb {Z}_q^{n}\).

Proof

For all \(\tilde{\mathbf {y}}, \tilde{\mathbf {s}}, \tilde{\mathbf {e}}\), \(\Pr [\mathbf {y} = \tilde{\mathbf {y}} \mid \mathbf {s} = \tilde{\mathbf {s}}, \mathbf {e} = \tilde{\mathbf {e}}, F(\mathbf {s})] = \Pr [\mathbf {A}\tilde{\mathbf {s}} = \tilde{\mathbf {y}} - \tilde{\mathbf {e}} \mid \mathbf {s} = \tilde{\mathbf {s}}, \mathbf {e} = \tilde{\mathbf {e}}, F(\mathbf {s})]\). Let \(\mathbf {A} = (\mathbf {a}_1, \mathbf {a}_2, \dots , \mathbf {a}_n)^T, \tilde{\mathbf {y}} - \tilde{\mathbf {e}} = (c_1, c_2, \dots , c_n)^T\), where \(\mathbf {a}_i \in \mathbb {Z}_q^n\), and \(c_i \in \mathbb {Z}_q\), for every \(1 \le i \le n\). Since \(\phi _{\mathbf {s}}\) is surjective, the number of possible choices of \(\mathbf {a}_i\), satisfying \(\mathbf {a}_i^T \cdot \tilde{\mathbf {s}} = c_i\), is \(|\text {Ker} \phi _{\mathbf {s}}| = q^{n - 1}\). Hence, \(\Pr [\mathbf {A}\tilde{\mathbf {s}} = \tilde{\mathbf {y}} - \tilde{\mathbf {e}} \mid \mathbf {s} = \tilde{\mathbf {s}}, \mathbf {e} = \tilde{\mathbf {e}}, F(\mathbf {s})] = (q^{n-1})^n/q^{n^2} = 1/q^n\). Since the right-hand side is the constant \(1/q^{n}\), the distribution of \(\mathbf {y}\) is uniform over \(\mathbb {Z}_q^{n}\), and is irrelevant of \((\mathbf {s}, \mathbf {e})\).     \(\square \)

We now begin to analyze the error rate of the scheme presented in Fig. 2.

Denote by E the event \(|\mathbf {X}_1^T (\mathbf {E}_2 + \varepsilon (\mathbf {Y}_2)) - \mathbf {E}_1^T \mathbf {X}_2 - \mathbf {E}_{\sigma }|_q > d\). Then \(\Pr [E] = \Pr [E | F(\mathbf {S})]\,\Pr [F(\mathbf {S})] + \Pr [E | \lnot F(\mathbf {S})]\,\Pr [\lnot F(\mathbf {S})]\). From Theorem 8, we replace \(\mathbf {Y}_2 = \mathbf {A}^T \mathbf {X}_2 + \mathbf {E}_2\) in the event \(E | F(\mathbf {S})\) with uniformly distributed \(\mathbf {Y}_2\). Then,

$$\begin{aligned} \Pr [E]&= \Pr [\mathbf {Y}_2 \leftarrow \mathbb {Z}_q^{n}: E | F(\mathbf {S})]\,\Pr [F(\mathbf {S})] + \Pr [E | \lnot F(\mathbf {S})]\,\Pr [\lnot F(\mathbf {S})] \\&= \Pr [\mathbf {Y}_2 \leftarrow \mathbb {Z}_q^{n}: E | F(\mathbf {S})]\,\Pr [F(\mathbf {S})] + \Pr [\mathbf {Y}_2 \leftarrow \mathbb {Z}_q^{n}: E | \lnot F(\mathbf {S})]\,\Pr [\lnot F(\mathbf {S})] \\&\quad +\Pr [E | \lnot F(\mathbf {S})]\,\Pr [\lnot F(\mathbf {S})] - \Pr [\mathbf {Y}_2 \leftarrow \mathbb {Z}_q^{n}: E | \lnot F(\mathbf {S})]\,\Pr [\lnot F(\mathbf {S})] \\&= \Pr [\mathbf {Y}_2 \leftarrow \mathbb {Z}_q^{n}: E] + \varepsilon \end{aligned}$$

where \(|\varepsilon | \le \Pr [\lnot F(\mathbf {S})]\). In our application, \(p_0\) is far from 1, and n is very large, by Theorem 2, \(\varepsilon \) is very small, so we simply ignore \(\varepsilon \). If \(\mathbf {Y}_2\) is uniformly distributed, then \(\varepsilon (\mathbf {Y}_2)\) is a centered uniform distribution. Then, the distribution of \(\mathbf {X}_1^T (\mathbf {E}_2 + \varepsilon (\mathbf {Y}_2)) - \mathbf {E}_1^T \mathbf {X}_2 - \mathbf {E}_{\sigma }\) can be directly computed by programs.

Discrete Distributions. In this work, for LWE-based key establishment, we use the following discrete distributions, which are specified in Table 4, where “bits” refers to the number of bits required to sample the distribution and “var.” means the standard variation of the Gaussian distribution approximated.

Table 4. Discrete distributions proposed in this work, and their Rényi divergences.
Full size table

Instantiations, and Comparisons with Frodo. For “OKCN simple” proposed in Algorithm 2, it achieves a tight parameter constraint, specifically, \(2md<q\). In comparison, the parameter constraint achieved by Frodo is \(4md<q\). As we shall see, such a difference is one source that allows us to achieve better trade-offs among error probability, security, (computational and bandwidth) efficiency, and consensus range. In particular, it allows us to use q that is one bit shorter than that used in Frodo. Beyond saving bandwidth, employing a one-bit shorter q also much improves the computational efficiency (as the matrix \(\mathbf {A}\) becomes shorter, and consequently the cost of generating \(\mathbf {A}\) and the related matrix operations are more efficient), and can render stronger security levels simultaneously. Here, we briefly highlight one performance comparison: OKCN-T2 (resp., Frodo-recommended) has 18.58kB (resp., 22.57kB) bandwidth, 887.15kB (resp., 1060.32kB) matrix \(\mathbf {A}\), at least 134-bit (resp., 130-bit) quantum security, and error rate \(2^{-39}\) (resp., \(2^{-38.9})\) (Table 5).

Table 5. Parameters proposed for OKCN-LWE with t least significant bits cut off.
Full size table

6.2 CCA-Secure AKCN-LWE, and Comparison with FrodoKEM

FrodoKEM [FrodoKEM] in submission to NIST PQC standardization is AKC-based and is a CCA-secure key encapsulation mechanism (KEM). The underlying AKC mechanism of FrodoKEM corresponds to the special case of AKCN for the parameters \(\mathsf {params}=(q,m,g,d)\) where \(g=q\) and \(m=4\) or \(m=8\). In addition, FrodoKEM chooses \(t_2=0\), i.e., without compression of \(\mathbf {Y}_2\). This means that, on the same parameters, AKCN-LWE outperforms FrodoKEM in bandwidth. We also note that the discrete distributions proposed by FrodoKEM, referred to as \(\chi _{\textsf {Frodo-}640}\) and \(\chi _{\textsf {Frodo-}976}\), are different from those of KC-based Frodo [BCD+16]. By replacing the underlying AKC mechanism of FrodoKEM with our AKCN, we get an AKCN-based CCA-secure KEM scheme. Two set of parameters for our AKCN-based CCA-secure KEM, referred to as AKCN-640 and AKCN-976 respectively, are briefly summaried in Table 6.

Table 6. Brief comparison between CCA-secure AKCN-LWE and FrodoKEM. The ciphertext size is the total length of bytes sent by Bob. For AKCN-640, its ciphertext is \(7\%\) smaller than Frodo-640. While its error probability is larger than Frodo-640, it’s still under \(2^{-130}\) that is sufficiently smaller for 103-bit pq-security. For AKCN-976, its ciphertext is \(12.8\%\) smaller than Frodo-976, and its error probability is still under \(2^{-160}\) that is sufficiently smaller for 150-bit pq-security.
Full size table