In this work we revisit their instantiation and stand-alone implementation. Specifically, we propose new parameters and a better suited error distribution, analyze the scheme's hardness against attacks by quantum computers in a conservative way, introduce a new and more efficient error-reconciliation mechanism, and propose a defense against backdoors and all-for-the-price-of-one attacks. By these measures and for the same lattice dimension, we more than double the security parameter, halve the communication overhead, and speed up computation by more than a factor of 8 in a portable C implementation and by more than a factor of 27 in an optimized implementation targeting current Intel CPUs. These speedups are achieved with comprehensive protection against timing attacks.
Category / Keywords: public-key cryptography / Post-quantum key exchange, Ring-LWE, high-speed software, vectorization
Original Publication (with minor differences): USENIX Security 2016
Date: received 10 Nov 2015, last revised 12 Dec 2017
Contact author: newhope at cryptojedi org
Note: Fixes an off-by-one error in the definition of the binomial distribution.
Version: 20171212:132212
Short URL: ia.cr/2015/1092
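As an added illustration, not code from the paper or its authors, of the centered binomial error distribution that the abstract calls the "better suited error distribution" and that the revision note refers to: the sampler below draws one coefficient from ψ_k as a sum of exactly k bit pairs (b_i − b'_i), and the exact probability mass function lets a reader check the sampler's support and variance. The parameter value k = 16 is an assumption used here for concreteness and is not stated on this page.

```python
import secrets
from math import comb

K = 16  # assumed parameter for psi_k (not stated on this page)


def sample_centered_binomial(k: int = K, randbits=secrets.randbits) -> int:
    """Draw one coefficient from the centered binomial distribution psi_k.

    Exactly k pairs of uniform bits are used (2k bits in total, neither
    k-1 nor k+1 pairs): the result is popcount(a) - popcount(b), which
    lies in [-k, k] with mean 0 and variance k/2.
    """
    a = randbits(k)
    b = randbits(k)
    # Popcount via bin().count is fine for illustration; a production
    # sampler must count bits in constant time to avoid timing leaks.
    return bin(a).count("1") - bin(b).count("1")


def psi_pmf(k: int = K) -> dict:
    """Exact pmf of psi_k: Pr[x] = C(2k, k + x) / 2^(2k) for x in [-k, k].

    A - B with A, B ~ Bin(k, 1/2) has the same law as Bin(2k, 1/2) shifted
    by -k, because k - B is again Bin(k, 1/2) and independent of A.
    """
    return {x: comb(2 * k, k + x) / 4 ** k for x in range(-k, k + 1)}


def psi_variance(k: int = K) -> float:
    """Variance of psi_k computed from the exact pmf; equals k / 2."""
    return sum(x * x * p for x, p in psi_pmf(k).items())


def empirical_in_support(n: int = 1000, k: int = K) -> bool:
    """Check that n fresh samples all fall inside [-k, k]."""
    return all(-k <= sample_centered_binomial(k) <= k for _ in range(n))
```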