Analysis of Error Dependencies on Newhope

Abstract

Among many submissions to NIST post-quantum cryptography (PQC) project, NewHope is a promising key encapsulation mechanism (KEM) based on the Ring-Learning with errors (Ring-LWE) problem. Since NewHope is an indistinguishability (IND)-chosen ciphertext attack secure KEM by applying the Fujisaki-Okamoto transform to an IND-chosen plaintext attack secure public-key encryption, accurate calculation of decryption failure rate (DFR) is required to guarantee resilience against attacks that exploit decryption failures. However, the current upper bound (UB) on DFR of NewHope is rather loose because the compression noise, the effect of encoding/decoding of NewHope, and the approximation effect of centered binomial distribution are not fully considered. Furthermore, since NewHope is a Ring-LWE based cryptography, there is a problem of error dependency among error coefficients, which makes accurate DFR calculation difficult. In this paper, we derive much tighter UB on DFR than the current UB by using constraint relaxation and union bound. Especially, the above-mentioned factors are all considered in the derivation of new UB and the centered binomial distribution is not approximated. Since the error dependency is also considered, the new UB is much closer to the real DFR than the current UB. Furthermore, the new UB is parameterized by using Chernoff-Cramer bound to facilitate the calculation of new UB for the parameters of NewHope. Since the new UB is much lower than the DFR requirement of PQC, this DFR margin can be used to improve NewHope. As a result, the security level and bandwidth efficiency of NewHope are improved by 7.2 % and 5.9 %, respectively.