Module-LWE-Based Key Exchange Protocol Using Error Reconciliation Mechanism

Jia, Wenjuan; Xue, Guanhao; Wang, Baocang; Hu, Yupu

doi:https://doi.org/10.1155/2022/8299232

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest References Copyright Related Articles

Research Article | Open Access

Volume 2022 | Article ID 8299232 | https://doi.org/10.1155/2022/8299232

Module-LWE-Based Key Exchange Protocol Using Error Reconciliation Mechanism

Wenjuan Jia,¹Guanhao Xue,¹Baocang Wang,²and Yupu Hu²

Academic Editor: Rongmao Chen

Received03 Oct 2021

Accepted23 Dec 2021

Published01 Feb 2022

Abstract

Lattice-based key exchange protocols have attracted tremendous attention for its post-quantum security. In this work, we construct a Module-LWE-based key exchange protocol using Peikert’s error reconciliation mechanism. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96-byte, i.e., 3.2%6.1%, under the different parameter sets, and without reducing the post-quantum security levels. Moreover, our key exchange protocol slightly reduces the probability of session key agreement failure and the time consumed by modular multiplication of numbers and ring elements by approximately 30%. Thus, the key exchange protocol in this paper is more suitable for the lightweight communication systems.

1. Introduction

Key exchange protocol, which enables secure communications over an untrusted network by deriving and distributing shared keys between two or more parties, is one of the most fundamental cryptographic primitives and is widely applied in modern Internet protocols such as TLS [1] and SSL [2]. However, Shor [3] discovered an efficient quantum solving algorithm for the integer factorization and discrete logarithm problems in 1994, which would render number-theoretic cryptosystems insecure if large-scale quantum computers become available. With the rapid developments of quantum technology and quantum computer, we are getting closer to the quantum crisis of current public key cryptosystems. Therefore, it is urgent to propose post-quantum cryptographic schemes, such as public key encryptions (PKE), signatures, and key exchanges, that can resist quantum computer attacks. Lattice-based cryptography is one of the main directions in this field and has become the most promising post-quantum cryptography (PQC) candidate for standardization.

Lattice-based key exchange protocols are generally constructed using the learning with errors (LWE) problem and its variants. In 2005, Regev [4, 5] introduced the LWE problem and showed that solving the LWE problem with a Gaussian error distribution is at least as hard as quantumly solving the approximates shortest vector problem (GapSVP) and shortest independent vector problem (SIVP) on lattices in the worst case. Later, Peikert [6] gave a classical reduction from the approximate GapSVP (and its variants) to the search version of LWE, but with somewhat worse parameters.

Although LWE provides provably secure cryptosystems, most LWE-based schemes are inefficient which motivates the research around more efficient LWE variants. These variants improve the asymptotic and practical efficiency by considering the ring of integers of a number field [7, 8], a ring of polynomials [9], or a module over a number field [10, 11]. Lyubashevsky et al. [7] introduced the ring learning with errors (Ring-LWE) problem and proved its hardness is related to the hardness of the lattice problems based on ideal lattices. Later, the module learning with errors (Module-LWE) problem was introduced by Langlois and Stele [11] in 2015, and Module-LWE comes with the hardness guarantees given by lattice problems based on module lattices. Since the algebraic structures of module lattices are more complicated than ideal lattices, Module-LWE might be able to provide a better level of security than Ring-LWE, while still providing performance advantages over LWE. In this paper, we focus on the key exchange protocols based on Module-LWE, as Module-LWE provides a nice security-efficiency trade-off by bridging LWE and Ring-LWE.

Lattice-based key exchange protocols generally include two types of protocols constructed using error reconciliation mechanism or key encapsulation mechanism (KEM). Most LWE-based (and its variants) key exchange protocols are constructed using error reconciliation mechanism, such as Ding’s key exchange [12], BCNS [13], NewHope [14], Frodo [15], etc. Ding et al. [12] proposed an LWE-based Diffie-Hellman-like key exchange protocol and gave its security proof in 2012. Later, for Peikert’s tweaked version [16] of Ding’s key exchange protocol [12], Bos et al. [13] presented a concrete instantiation whose security is based on Ring-LWE problem and gave an implementation integrated into OpenSSL, with the affirmed goal of providing post-quantum security for TLS. Unfortunately, the performance of BCNS seems quite disappointing. In 2015, Alkim et al. [14] improved and generalized Peikert’s error reconciliation mechanism [16] using an analog error-correction approach and presented an unauthenticated key exchange protocol that solved the performance and security issues in BCNS [13]. Subsequently, Bos et al. [15] proposed the Frodo protocol based on similar ideas to the LWE-based protocol in [12], but as in the Ring-LWE-based key exchange protocols BCNS [13] and NewHope [14], Bos et al. incorporated and extended Peikert’s error reconciliation mechanism [16] and further modified the protocol to save bandwidth.

Key exchange protocols constructed using KEM include NewHope-simple [17] and Kyber.KE [18], etc. Most of the exiting lattice-based key exchange protocols are constructed using KEM for its simplicity and modularity, although it will cause more communication cost. Alkim et al. [17] introduced NewHope-simple in 2016, which is a variant of the NewHope [14]. The main advantage of NewHope-simple over NewHope is simplicity; in particular, NewHope-simple avoids the error reconciliation mechanism. In 2018, Bos et al. [18] presented Kyber.KE that was constructed using a IND-CCA-secure KEM, and the security of Kyber.KE is based on the hardness of Module-LWE in the classical and quantum random oracle models. Recently, Xue et al. [19] presented an authentication key exchange (AKE) protocol following a generic construction with a KEM and a signature scheme in 2021. Compared with the Kyber.AKE [18], Xue’s AKE protocol reduced the communication overhead under the same post-quantum security levels.

In this work, we propose a key exchange protocol constructed using error reconciliation mechanism, its security based on the hardness of Module-LWE problem. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 3.2%6.1%, under the same post-quantum security levels and different parameter sets, and the time consumed by modular multiplication of ring elements and numbers by approximately 30%. Secondly, the number of the most time-consuming operations (such as discrete binomial sampling and modular multiplication of ring elements) is reduced in our key exchange protocol since the reencryption is not used. Thus, our key exchange protocol is more suitable for lightweight communication protocol, such as Internet of Vehicles environment and smart home terminals. Thirdly, our protocol slightly reduces the probability of the agreement failure for the compression algorithm used is less than that in Kyber.KE. Moreover, the key exchange protocol proposed in this paper is relatively symmetric: the process of the protocol is symmetric, and the computational as well as communication costs of two parties are nearly the same. Finally, our key exchange protocol inherits the parameter sets of Kyber.KE, which lead to the same post-quantum security strength, and the computational efficiency is almost the same as Kyber.KE according to the performance analysis.

Section 2 gives the necessary preliminaries and definitions. Then, Section 3 describes our key exchange protocol, analyzes the correctness and security, and gives parameter sets and its performance. Finally, Section 4 makes a conclusion of our work.

2. Preliminaries

Denote the security parameter by , and the negligible function by . Let be a prime, be a power of two, positive integer be the rank of Module-LWE, and . We write for the set of integers, for the set of rational numbers, and for the set of reals. Let , , and . We use bold lowercase letters for column vectors, bold uppercase letters for matrices, and for the transpose of vectors/matrices. Denote probability distributions by calligraphic letters , and discrete set by uppercase letters . We write to denote sampling from the distribution , and to denote that is chosen uniformly at random from a set . For an even (resp., odd) positive integer , we define to be unique element in the range (resp., such that , and to be unique element in the range such that . Assume that is an extendable output function, that is, a function on bit strings in which the output can be extended to any desired length. Let (resp., ); i.e., if function takes as input, then its output is according to distribution (resp., uniformly over a set ).

2.1. Module-LWE Problem and Compression Algorithm

The Module-LWE problem was first defined by Brakerski et al. [10] and studied in detail by Langlois and Stehlé [11]. Let be a number field of degree , and be the ring of integers of . Let , , and . We refer the reader to [20] and [11, 21–24] for the thorough introduction to algebraic number theory. Let be a distribution on .

The search Module-LWE problem is to find given , where , , and , whereas the decision variant of the Module-LWE problem asks to distinguish the distribution from uniform distribution , where , , , and .

It can be shown that the normal form of the above problems where the secret distribution is a discretized version of the error distribution is no easier than the case where the secret is chosen uniformly at random. When the error distribution is a Gaussian distribution of parameter or a centered binomial distribution of parameter , we write . We denote by the advantage of the adversary in solving the search Module-LWE problem, and by the advantage of the distinguisher in distinguishing between the two distributions of the decision Module-LWE problem. More precisely, the Module-LWE problem is defined as follows.

Definition 1. Let be a modulus, be the number of samples, be the rank of Module-LWE, and be the degree of modular polynomial. Let be a distribution on .
We say that the search problem is hard, if it holds for every PPT adversary thatwhere , , and .
We say that the decision problem is hard, if it holds for every PPT distinguisher thatwhere , , , and .

Let integer ; the central binomial distribution is defined as follows: randomly choosing samples from , and output . For , means that each of its coefficients is sampling from independently. Next, we review the compression algorithm in [18].

Definition 2. Let be an integer and be a modulus. The compression algorithm consists of two functions: and . These two functions are defined as follows:

If or is used with vector , then the function is applied to each coefficient individually.

2.2. Error Reconciliation Mechanism

When constructing key exchange protocol using LWE problem and its variants, a serious matter is that there usually are errors in the protocol, which leads to similar values instead of the same values. These errors are significant to the post-quantum security and should be handled since the key exchange protocol requires communication parties get common session key. The error reconciliation mechanism, first introduced by Ding et al. [12], is the key technique to deal with errors. It mainly include Ding’s error reconciliation mechanism [12], Peikert’s error reconciliation mechanism (and its multibit variant) [16], and lattice decoding [14] so far. Peikert’s error reconciliation mechanism is widely used because of its simplicity and efficiency, such as BCNS [13] and Frodo [15], and the detailed process of reconciliation mechanism and its correctness is described in [16]. Next, we recall Peikert’s reconciliation mechanism.

Defining for , for an integer that divides (typically ), the modular rounding function is defined by . Defining , , and . The cross-rounding function is defined by , and the reconciliation function is defined by if ; otherwise , where .

Both modular rounding and cross-rounding functions are extended to polynomials coefficientwise. Lemma 1 shows that the modular rounding of a uniform random element is uniform random in given cross-rounding of ; i.e., hides . Lemma 2 shows that one can recover from an element close to an element , given only and the cross-rounding .

Lemma 1 (see [16], Claim 3.1). For even , if is uniformly random, then is uniformly random given .

Lemma 2 (see [16], Claim 3.2). For even , if for some and , then .

When modulus is odd, it is necessary to work in rather than to avoid bias in the derived bits. Since we use odd in this paper, we need to introduce the randomized doubling function from [16]. The randomized doubling function is defined by , where is sampled from with probabilities and . The randomized doubling function is extended to polynomials by applying it to each of ’s coefficients.

Lemma 3 shows that, for a uniform random element , the modular rounding of is uniform random in given cross-rounding ; i.e., hides . Moreover, if are close, then so are ; i.e., if for some , then we have . Thus, one can recover of a random element from an element close to and the cross-rounding , as described by Lemma 4.

Lemma 3 (see [16], Claim 3.3). For odd , if is uniformly random and , then is uniformly random given .

Lemma 4 (see [16], Section 3.2). For odd , let ; if for some and , then .

3. Key Exchange Protocol

In this section, we propose a Module-LWE-based unauthenticated key exchange protocol using Peikert’s error reconciliation mechanism, which is a variant of Kyber.KE [18]. We first describe the concrete process of the key exchange protocol and then prove its correctness and security. Finally, we give the parameter sets and analyze the performance of our key exchange protocol, including communication cost and computation overhead.

3.1. Key Exchange Protocol Using Peikert’s Error Reconciliation Mechanism

We present a Module-LWE-based key exchange protocol using Peikert’s error reconciliation mechanism, instead of using IND-CCA-secure KEM as in Krber.KE [18]. In particular, Alice (initiator) sends to Bob (responder) in both our key exchange protocol and Kyber.KE, where is the output of the compression function. However, Bob sends to Alice in the second round of our key exchange protocol, where is the output of the compression function and is the output of the cross-rounding function. But Bob sends to Alice in the second round of Kyber.KE, where both and are the output of the compression function and is a 256-bit random bit string. The specific description of the protocol is shown in Figure 1.

Compared with Kyber.KE [18], our key exchange protocol has the following differences.

3.1.1. Our Key Exchange Protocol Is Relatively Symmetric and Reduces the Communication Cost in the Second Round

The Kyber.KE is asymmetric: Alice generates key pair and sends public key to the Bob, then Bob encrypts random session key with public key and sends the ciphertext back to Alice, and finally Alice decrypts the received ciphertext to get the session key. It is known from [18] that the communication costs in the first and second rounds of Kyber.KE are not equal. However, the communication costs of both rounds are equal in our key exchange protocol, and we reduce the communication cost in the second round. See Section 3.4 for detailed analysis.

3.1.2. Our Key Exchange Protocol Slightly Reduces the Probability of Session Key Agreement Failure

The Kyber.KE always compresses public key and ciphertext using compression algorithm; this is done not only to save communication traffic but also to ensure correctness. Generally, the least significant bits are discarded and the other bits are retained using the compression function. Thus, the probability of the session key agreement failure can be effectively reduced without using the compression algorithm or reducing the number of times of the compression algorithm is used. In Kyber.KE, the compression algorithm will add an extra error term on sent messages, which means the encoded messages are not uniformly at random and then may leak some information. However, the ideal situation (no compression algorithm is used) and the real situation are indistinguishable under certain parameter sets according to the analysis of [18]. Compared with Kyber.KE, our key exchange protocol reduces the number of the compression functions used by 4 times and the decompression functions used by 2 times; thus it can slightly reduce the probability of session key agreement failure of the key exchange protocol. If the compression algorithm is not used, it will not affect the correctness of the protocol but increase the additional communication traffic. Therefore, we still use the compression algorithm and prove that it has no effect on the correctness and security of the protocol in Sections 3.2 and 3.3.

3.2. Correctness

This section gives the correctness proof of our Module-LWE-based key exchange protocol. According to Section 2.2, when is odd, there will be an additional randomized doubling function in Peikert’s error reconciliation mechanism, and it maps to .

Assume that the tiny error between and after using compression algorithm is ; i.e.,

Similarly, suppose that for .

Thus the difference between and is

Peikert’s error reconciliation mechanism shows that the error tolerance range is when is odd. Therefore, the output of reconciliation function is if the difference between and satisfies . Then the inequation above turns toi.e.,

Compared with the correctness proof in Kyber.KE, inequation (1) is almost the same. Thus, we have that the probability that inequation (1) holds is no less than by choosing appropriate parameter sets, which means that the probability of session key agreement failure is less than .

Note that there is a slight difference between inequation (1) and the inequation in Kyber.KE [18], because is not compressed in our key exchange protocol; i.e., the error term of is missed in inequation (1). Even though the norm of is relatively small, it increases the probability of session key agreement failure in Kyber.KE under the same parameter sets. In other words, the probability of session key agreement failure in our key exchange protocol is smaller than that in Kyber.KE.

3.3. Security Proof

This section gives the security proof of our key exchange protocol by designing a sequence of games. The Module-LWE-based key exchange protocol described in Figure 1 is constructed using Peikert’s error reconciliation mechanism; its security relies on the hardness of Module-LWE problem. One can prove that the generated session key is undistinguishable from equal-length random bit string.

Theorem 1. Let be an odd prime, be public parameters, and be the parameter of binomial distribution. Then the key exchange protocol described in Figure 1 is secure, provided that the decision Module-LWE problem is hard. More precisely, if is an distinguisher for , thenwhere is an adversary for the key exchange protocol described in Figure 1.

Proof. Let be the bit guessed by adversary, and an adversary for the key exchange protocol described in Figure 1. Consider the following sequence of games. Game 0. This is the original game, where the messages are honestly generated according to the description in Figure 1. Our goal is to bound . Note that, in Game 0, the Module-LWE samples are , , and .

Game 1. In this game, assume that is chosen uniformly at random from ; i.e., is chosen uniformly at random from instead of a Module-LWE sample. In Game 1, the Module-LWE samples are and . By the assumption that the decision Module-LWE problem is hard, we know that Game 0 and Game 1 are computationally indistinguishable. In other words, there exists a Module-LWE distinguisher with the same running times as that of , such that .

Game 2. In this game, assume that is chosen uniformly at random from ; i.e., both and are chosen uniformly at random from and , respectively. By the assumption that the decision Module-LWE problem is hard, we know that Game 1 and Game 2 are computationally indistinguishable. In other words, there exists a Module-LWE distinguisher with the same running times as that of , such that .

In Game 2, since is uniformly random and , according to Lemma 3 in Section 2.2, we know that real session key is uniformly random in given . Therefore, .

Collecting the probabilities yields the required bound.

3.4. Parameter Sets and Performance

In this section, we give the parameter sets of the protocol described in Figure 1 and analysis of their performance. Based on the analysis of Section 3.1, the parameter sets of Kyber.KE can perfectly satisfy the correctness of our key exchange protocol. The parameter sets of the protocol described in Figure 1 and their performance are listed in Table 1, where “Alice Bob” (resp. “Bob Alice”) denotes the communication cost in the first (resp., second) round.

It is known that Alice sends to Bob in both the key exchange protocol described in Figure 1 and Kyber.KE [18]. However, Bob sends to Alice in the second round of the key exchange protocol described in Figure 1 and sends in Kyber.KE. We take the parameter set “Default” as an example to calculate the reduced communication cost in the key exchange protocol described in Figure 1. Both in our key exchange protocol and in Kyber.KE, is a vector of three polynomials with 256 11-bit coefficients. In Kyber.KE, is a polynomial with 256 3-bit coefficients and is a 256-bit random string; i.e., bytes are required to store and . But in our key exchange protocol, each coefficient of is in ; then the cross-rounding function takes as input and outputs a 256-bit (32-byte) string . According to the analysis above, our key exchange protocol reduces the total communication cost by 96-byte, i.e., 4.2%. Note that no matter which parameter sets we choose, the total communication cost reduced is invariant. Therefore, compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 3.2%6.1% for different parameter sets.

In terms of computational efficient, the number of the most time-consuming operations, such as discrete binomial sampling and modular multiplication of ring elements, used in our key exchange protocol is less than that in Kyber.KE, since our key exchange protocol does not use the reencryption. In relatively time-consuming operations, we mainly talk about the modular multiplication of ring elements and numbers. Note that the randomized doubling function, cross-rounding function, modular rounding function, and compression algorithm are all modular multiplications of ring elements and numbers. Moreover, the time consumed by these operations is the same for vectors of the same dimension. In particular, Kyber.KE includes 6 compression functions and 4 decompress functions, whereas our key exchange protocol includes 2 compression functions, 2 decompress functions, 1 randomized doubling function, 1 cross-rounding function, and 1 modular rounding function. Therefore, compared with Kyber.KE, our key exchange protocol reduces the time consumed by modular multiplication of numbers and ring elements by approximately 30%, and the only difference between two protocols is that some operations are transferred from the initiator to the responder.

From the aspect of security, both our key exchange protocol and Kyber.KE are based on Module-LWE problem, and the scale of the problem is equal. Thus the security strength of our key exchange protocol is the same as that of Kyber.KE.

Table 1 shows that the communication costs of both rounds are equal, which means our key exchange protocol is a Diffie-Hellman-like symmetric key exchange protocol. Since symmetric key exchange protocols can ensure that the computation and communication costs of the two parties are roughly the same instead of occupying the computing resources of one party, it is more suitable to be deployed among users of the same level, such as the Internet of Vehicles (IOV) environment.

4. Conclusion

In this paper, we propose a Module-LWE-based key exchange protocol using Peikert’s error reconciliation mechanism. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 3.2%6.1%, under the same post-quantum security levels and different parameter sets. Furthermore, our key exchange protocol slightly reduces the probability of session key agreement failure due to the reduction in the use of compression algorithms, has the less number of the most time-consuming operations (such as discrete binomial sampling and modular multiplication of ring elements) since the reencryption is not used, and reduces the time consumed by modular multiplication of numbers and ring elements by approximately 30%. Unlike the protocol using the KEM, our key exchange protocol is a Diffie-Hellman-like symmetric protocol, which means the computation and communication costs of the two parties are roughly the same. With the advantages and properties above, our key exchange protocol is more suitable for the lightweight communication protocol, such as deployed in the IOV environment and smart home terminals.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

T. Dierks and E. Rescorla, “The transport layer security (tls) protocol version 1.2,” RFC, vol. 5246, pp. 1–104, 2008.
View at: Google Scholar
A. O. Freier, P. L. Karlton, and P. C. Kocher, “The secure sockets layer (ssl) protocol version 3.0,” RFC, vol. 6101, pp. 1–67, 2011.
View at: Google Scholar
P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134, Santa Fe, NM, USA, November 1994.
View at: Publisher Site | Google Scholar
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pp. 84–93, STOC’05, Baltimore, MD, USA, May 2005.
View at: Google Scholar
O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” Journal of the ACM, vol. 56, no. 6, pp. 1–40, 2009.
View at: Publisher Site | Google Scholar
C. Peikert, “Public-key cryptosystems from the worst-case shortest vector problem: extended abstract,” in Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pp. 333–342, STOC’09, Bethesda, MD, USA, May 2009.
View at: Google Scholar
V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” in Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol. 6110, pp. 1–23, Monaco, France, May 2010.
View at: Publisher Site | Google Scholar
M. Rosca, D. Stehlé, and A. Wallet, “On the ring-LWE and polynomial-LWE problems,” in Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, vol. 10820, pp. 146–173, EUROCRYPT’18, Tel Aviv, Israel, April 2018.
View at: Publisher Site | Google Scholar
D. Stehlé, R. Steinfeld, K. Tanaka, and K. Xagawa, “Efficient public key encryption based on ideal lattices,” in Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security, vol. 5912, pp. 617–635, Tokyo, Japan, December 2009.
View at: Publisher Site | Google Scholar
Z. Brakerski, C. Gentry, and V. Vaikuntanathan, “Fully homomorphic encryption without bootstrapping,” pp. 309–325, 2012, https://eprint.iacr.org/2011/277.
View at: Google Scholar
A. Langlois and D. Stehlé, “Worst-case to average-case reductions for module lattices,” Designs, Codes and Cryptography, vol. 75, no. 3, pp. 565–599, 2015.
View at: Publisher Site | Google Scholar
J. Ding, X. Xie, and X. Lin, “A simple provably secure key exchange scheme based on the learning with errors problem,” IACR Cryptology ePrint Archive, vol. 2012, 2688 pages, 2012.
View at: Google Scholar
J. Bos, C. Costello, M. Naehrig, and D. Stebila, “Post-quantum key exchange for the TLS protocol from the ring learning with errors problem,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 553–570, San Jose, CA, USA, May 2015.
View at: Publisher Site | Google Scholar
E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “Post-quantum key exchange—a new hope,” in Proceedings of the 25th USENIX Security Symposium, pp. 327–343, Austin, TX, USA, August 2016.
View at: Google Scholar
J. Bos, C. Costello, L. Ducas et al., “Take off the ring! Practical, quantum-secure key exchange from LWE,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1006–1018, Vienna, Austria, October 2016.
View at: Google Scholar
C. Peikert, “Lattice cryptography for the internet,” in Proceedings of the International Workshop on Post-Quantum Cryptography, vol. 8772, pp. 197–219, Waterloo, Canada, October 2014.
View at: Publisher Site | Google Scholar
E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe, “NEWHOPE without reconciliation,” IACR Cryptology ePrint Archive, vol. 2016, 1157 pages, 2016.
View at: Google Scholar
J. Bos, L. Ducas, E. Kiltz et al., “CRYSTALS-Kyber: a CCA-secure module-lattice-based KEM,” in Proceedings of the IEEE European Symposium on Security and Privacy, pp. 353–367, London, UK, April 2018.
View at: Publisher Site | Google Scholar
G. Xue, B. Wang, Q. Qu, and W. Zhang, “Efficient lattice‐based authenticated key exchange based on key encapsulation mechanism and signature,” IET Information Security, vol. 15, no. 1, pp. 107–116, 2021.
View at: Publisher Site | Google Scholar
R. A. Mollin, Algebraic Number Theory, Chapman and Hall/CRC Press, New York, NY, USA, 2nd edition, 2011.
M. R. Albrecht and A. Deo, “Large modulus ring-LWE >= module-LWE,” in Proceedings of the 23th International Conference on the Theory and Applications of Cryptology and Information Security, vol. 10624, pp. 267–296, Hong Kong, China, January 2017.
View at: Publisher Site | Google Scholar
K. Boudgoust, C. Jeudy, A. Roux-Langlois, and W. Wen, “Towards classical hardness of module-LWE: the linear rank case,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, vol. 12492, pp. 289–317, Daejeon, Republic of Korea, December 2020.
View at: Publisher Site | Google Scholar
K. Boudgoust, C. Jeudy, A. Roux-Langlois, and W. Wen, “On the hardness of module-LWE with binary secret,” in Topics in Cryptology-CT-RSA 2021, K. G. Paterson, Ed., vol. 12704, pp. 503–526, Springer, New York, NY, USA, 2021.
View at: Publisher Site | Google Scholar
H. Lin, Y. Wang, and M. Wang, “Hardness of Module-Lwe and Ring-Lwe on General Entropic Distributions,” IACR Cryptology ePrint Archive, vol. 2020, 1238 pages, 2020.
View at: Google Scholar

Copyright

Copyright © 2022 Wenjuan Jia et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

915

Downloads

727

Citations