Ring learning with errors key exchange

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Since the 1980s the security of cryptographic key exchanges and digital signatures over the Internet has been primarily based on a small number of public key algorithms. The security of these algorithms is based on a similarly small number of computationally hard problems in classical computing. These problems are the difficulty of factoring the product of two carefully chosen prime numbers, the difficulty to compute discrete logarithms in a carefully chosen finite field, and the difficulty of computing discrete logarithms in a carefully chosen elliptic curve group. These problems are very difficult to solve on a classical computer (the type of computer the world has known since the 1940s through today) but are rather easily solved by a relatively small quantum computer using only 5 to 10 thousand of bits of memory. There is optimism in the computer industry that larger scale quantum computers will be available around 2030. If a quantum computer of sufficient size were built, all of the public key algorithms based on these three classically hard problems would be insecure. This public key cryptography is used today to secure Internet websites, protect computer login information, and prevent our computers from accepting malicious software.

Cryptography that is not susceptible to attack by a quantum computer is referred to as quantum safe, or post-quantum cryptography. One class of quantum resistant cryptographic algorithms is based on a concept called "learning with errors" introduced by Oded Regev in 2005. A specialized form of Learning with errors operates within the ring of polynomials over a finite field. This specialized form is called ring learning with errors or RLWE.

There are a variety of cryptographic algorithms which work using the RLWE paradigm. There are public-key encryption algorithms, homomorphic encryption algorithms, and RLWE digital signature algorithms in addition to the public key, key exchange algorithm presented in this article

A key exchange algorithm is a type of public key algorithm which establishes a shared secret key between two communicants on a communications link. The classic example of a key exchange is the Diffie–Hellman key exchange. The exchange consists of one transmission from one end of the line and one transmission from the other end of the link. Diffie–Hellman and Elliptic Curve Diffie–Hellman are the two most popular key exchange algorithms.

The RLWE Key Exchange is designed to be a "quantum safe" replacement for the widely used Diffie–Hellman and elliptic curve Diffie–Hellman key exchanges that are used to secure the establishment of secret keys over untrusted communications channels. Like Diffie–Hellman and Elliptic Curve Diffie–Hellman, the Ring-LWE key exchange provides a cryptographic property called "forward secrecy"; the aim of which is to reduce the effectiveness of mass surveillance programs and ensure that there are no long term secret keys that can be compromised that would enable bulk decryption.

Starting with a prime integer q, the Ring-LWE key exchange works in the ring of polynomials modulo a polynomial ${\displaystyle \Phi (x)}$ with coefficients in the field of integers mod q (i.e. the ring ${\displaystyle R_{q}:=Z_{q}[x]/\Phi (x)}$). Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod ${\displaystyle \Phi (x)}$.

The idea of using LWE and Ring LWE for key exchange was first proposed and filed at the University of Cincinnati in 2011 by Jintai Ding. The idea comes from the associativity of matrix multiplications, and the errors are used to provide the security. The paper appeared in 2012 after a provisional patent application was filed in 2012. The security of the protocol is proven based on the hardness of solving the LWE problem.