8

This is regarding the post-quantum key exchange protocol New-Hope (https://eprint.iacr.org/2015/1092.pdf). In the paper, we can see that the number of samples generated by the protocol is $2n$ where $n$ is $1024$, the rank of matrix $a$. Once on the server side, $b\leftarrow as+e$, and once on the client side, $u\leftarrow as'+e'$. But the authors of the paper (page 18, appendix B) say that the number of samples in each instantiation of the protocol is $5n$.

I can't understand why. Also, as far as I know, the LWE samples are related when the matrix $a$ and the secret $s$ remain the same. But in the protocol the secret changes: $s$ and $s'$.

Can someone please explain this? Thank you in advance.

Patriot
Rick

1 Answer

11

They're actually sampling $5n$ elements from $\Psi_{16}$. Perhaps Protocol 2 on page 5 shows this most clearly, where $\textbf{s}, \textbf{e} \stackrel{\$}{\leftarrow} \Psi_{16}^n$ and $\textbf{s}', \textbf{e}', \textbf{e}'' \stackrel{\$}{\leftarrow} \Psi_{16}^n$ are sampled (on line 3 on Alice's side, and line 1 on Bob's).

This probably also answers part of your follow-up question, but for completeness: the values $\textbf{s}$ and $\textbf{s}'$ are sampled independently by Alice and Bob, and are thus not at all related. The final shared secret is neither $\textbf{s}$ nor $\textbf{s}'$, but the reconciled $v$.

Joost
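The sampling described in the answer above, as an added example that is not code from the paper or from either poster: a toy run of the exchange that counts every coefficient drawn from $\Psi_{16}$ and measures how far Alice's and Bob's pre-reconciliation values differ. Assumptions: $n=64$ instead of $1024$ for speed, Python's `random` in place of a CSPRNG, $a$ drawn directly rather than expanded from a seed, reconciliation omitted, and the names `NoiseSource`, `run_exchange`, `s2`, `e2`, `e3` (standing for $\textbf{s}', \textbf{e}', \textbf{e}''$) are hypothetical.

```python
import random

Q = 12289   # NewHope modulus
K = 16      # Psi_16: centered binomial, each sample lies in [-16, 16]

class NoiseSource:
    """Draws from Psi_16 and counts how many coefficients were sampled."""
    def __init__(self, seed):
        self.rng = random.Random(seed)   # reproducible demo only, not a CSPRNG
        self.count = 0

    def poly(self, n):
        self.count += n
        return [sum(self.rng.getrandbits(1) - self.rng.getrandbits(1)
                    for _ in range(K)) for _ in range(n)]

def mul(f, g):
    """Schoolbook product in Z_Q[x]/(x^n + 1); x^n wraps around to -1."""
    n, out = len(f), [0] * len(f)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k = i + j
            if k < n:
                out[k] = (out[k] + fi * gj) % Q
            else:
                out[k - n] = (out[k - n] - fi * gj) % Q
    return out

def add(f, g):
    return [(x + y) % Q for x, y in zip(f, g)]

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def run_exchange(n=64, seed=1):
    alice, bob = NoiseSource(seed), NoiseSource(seed + 1)
    rng = random.Random(seed + 2)
    a = [rng.randrange(Q) for _ in range(n)]             # public, uniform
    s, e = alice.poly(n), alice.poly(n)                  # Alice: 2n samples
    b = add(mul(a, s), e)
    s2, e2, e3 = bob.poly(n), bob.poly(n), bob.poly(n)   # Bob: 3n samples
    u = add(mul(a, s2), e2)
    v = add(mul(b, s2), e3)          # Bob's value:   a*s*s2 + e*s2 + e3
    v_alice = mul(u, s)              # Alice's value: a*s*s2 + e2*s
    gap = max(abs(centered(x - y)) for x, y in zip(v, v_alice))
    return alice.count, bob.count, gap
```

The returned gap is the largest coefficient of $\textbf{e}\textbf{s}' + \textbf{e}'' - \textbf{e}'\textbf{s}$, the small difference that reconciliation has to absorb.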