I came across Prof. Bill Buchanan's video "Lattice Crypto: Ring LWE with Key Exchange" explaining the RLWE-KEX. I understood everything he explained until the last part, where he is talking about removing errors from the shared key using probabilistic encryption.

  • Alice has the shared key as: $\text{sh} = \mathbf{A \cdot S_b \cdot S_a} + E_b \cdot S_a$
  • Bob has the shared key as: $\text{sh} = \mathbf{A \cdot S_a \cdot S_b} + E_a \cdot S_b$

where:

  • $\text{sh}$ represents the shared key,
  • $\mathbf{A}$ represents the shared polynomial,
  • $S_a$ represents Alice's secret key,
  • $S_b$ represents Bob's secret key,
  • $E_a$ represents Alice's error,
  • $E_b$ represents Bob's error.

The bold part is the same for both parties; the italic part contains the secret of each party and the error from the other party.

My question is: how could the errors ($E_a$ and $E_b$) be removed using the probabilistic algorithm?

Maarten Bodewes
A. H

1 Answer

The $E_b \cdot S_a$ and $E_a \cdot S_b$ cannot be fully removed; however, they are polynomials with small coefficients, whereas $A \cdot S_b \cdot S_a$ is a polynomial with large coefficients. This allows both sides to possess close approximations to the coefficients of $A \cdot S_b \cdot S_a$.

By extracting only crude information about the size of a coefficient (e.g. is the coefficient between $q \over 4$ and $3q \over 4$) both sides can obtain one or two shared secret bits per coefficient with high probability.

Maarten Bodewes
Daniel S
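The rounding step described in the answer above, as an added example that is not part of the original post or the video: both parties compute their noisy value in a toy ring and keep one bit per coefficient, and the two values differ by at most $2N$ per coefficient, so the bits can only disagree for coefficients that land within $2N$ of a threshold. The ring $\mathbb{Z}_Q[x]/(x^N+1)$, the parameters `N` and `Q`, the ternary secrets and errors, and all function names are assumptions chosen for illustration and are not secure.

```python
import random

N, Q = 16, 12289   # toy ring Z_Q[x]/(x^N + 1); constructed parameters, not secure

def polymul(a, b):
    """Multiply in Z_Q[x]/(x^N + 1): x^N wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                out[k] = (out[k] + ai * bj) % Q
            else:
                out[k - N] = (out[k - N] - ai * bj) % Q
    return out

def polyadd(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def small(rng):
    """Secret/error polynomial with coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def bit(c):
    """Crude size information: 1 if Q/4 <= c < 3Q/4, else 0."""
    return 1 if Q <= 4 * c < 3 * Q else 0

def safe(c):
    """True if c is further than 2N from both thresholds Q/4 and 3Q/4."""
    return abs(4 * c - Q) > 8 * N and abs(4 * c - 3 * Q) > 8 * N

def exchange(seed):
    rng = random.Random(seed)
    A = [rng.randrange(Q) for _ in range(N)]
    s_a, e_a, s_b, e_b = (small(rng) for _ in range(4))
    pub_a = polyadd(polymul(A, s_a), e_a)   # Alice sends A*S_a + E_a
    pub_b = polyadd(polymul(A, s_b), e_b)   # Bob sends   A*S_b + E_b
    sh_a = polymul(pub_b, s_a)              # A*S_b*S_a + E_b*S_a
    sh_b = polymul(pub_a, s_b)              # A*S_a*S_b + E_a*S_b
    return sh_a, sh_b

if __name__ == "__main__":
    sh_a, sh_b = exchange(1)
    print("max |difference|:", max(abs(centered(x - y)) for x, y in zip(sh_a, sh_b)))
    print("Alice bits:", [bit(c) for c in sh_a])
    print("Bob bits:  ", [bit(c) for c in sh_b])
```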