Module-LWE-Based Key Exchange Protocol Using Error Reconciliation Mechanism

Lattice-based key exchange protocols have attracted tremendous attention for their post-quantum security. In this work, we construct a Module-LWE-based key exchange protocol using Peikert's error reconciliation mechanism. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 3.2% ∼ 6.1% under the different parameter sets, without reducing the post-quantum security levels. Moreover, our key exchange protocol slightly reduces the probability of session key agreement failure and reduces the time consumed by modular multiplication of numbers and ring elements by approximately 30%. Thus, the key exchange protocol in this paper is more suitable for lightweight communication systems.


Introduction
A key exchange protocol, which enables secure communication over an untrusted network by deriving and distributing shared keys between two or more parties, is one of the most fundamental cryptographic primitives and is widely applied in modern Internet protocols such as TLS [1] and SSL [2]. However, in 1994 Shor [3] discovered an efficient quantum algorithm for the integer factorization and discrete logarithm problems, which would render number-theoretic cryptosystems insecure if large-scale quantum computers become available. With the rapid development of quantum technology and quantum computers, we are getting closer to the quantum crisis of current public key cryptosystems. Therefore, it is urgent to propose post-quantum cryptographic schemes, such as public key encryption (PKE), signatures, and key exchange, that can resist quantum computer attacks. Lattice-based cryptography is one of the main directions in this field and has become the most promising post-quantum cryptography (PQC) candidate for standardization.
Lattice-based key exchange protocols are generally constructed using the learning with errors (LWE) problem and its variants. In 2005, Regev [4,5] introduced the LWE problem and showed that solving the LWE problem with a Gaussian error distribution is at least as hard as quantumly solving the approximate shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP) on lattices in the worst case. Later, Peikert [6] gave a classical reduction from the approximate GapSVP (and its variants) to the search version of LWE, but with somewhat worse parameters.
Although LWE provides provably secure cryptosystems, most LWE-based schemes are inefficient, which motivates research into more efficient LWE variants. These variants improve the asymptotic and practical efficiency by considering the ring of integers of a number field [7,8], a ring of polynomials [9], or a module over a number field [10,11]. Lyubashevsky et al. [7] introduced the ring learning with errors (Ring-LWE) problem and proved that its hardness is related to the hardness of lattice problems on ideal lattices. Later, the module learning with errors (Module-LWE) problem was introduced by Langlois and Stehlé [11] in 2015, and Module-LWE comes with hardness guarantees given by lattice problems on module lattices. Since the algebraic structure of module lattices is more complicated than that of ideal lattices, Module-LWE might be able to provide a better level of security than Ring-LWE, while still providing performance advantages over LWE. In this paper, we focus on key exchange protocols based on Module-LWE, as Module-LWE provides a nice security-efficiency trade-off by bridging LWE and Ring-LWE.
Lattice-based key exchange protocols generally fall into two types, constructed using either an error reconciliation mechanism or a key encapsulation mechanism (KEM). Most key exchange protocols based on LWE and its variants are constructed using an error reconciliation mechanism, such as Ding's key exchange [12], BCNS [13], NewHope [14], Frodo [15], etc. Ding et al. [12] proposed an LWE-based Diffie-Hellman-like key exchange protocol and gave its security proof in 2012. Later, for Peikert's tweaked version [16] of Ding's key exchange protocol [12], Bos et al. [13] presented a concrete instantiation whose security is based on the Ring-LWE problem and gave an implementation integrated into OpenSSL, with the affirmed goal of providing post-quantum security for TLS. Unfortunately, the performance of BCNS seems quite disappointing. In 2015, Alkim et al. [14] improved and generalized Peikert's error reconciliation mechanism [16] using an analog error-correction approach and presented an unauthenticated key exchange protocol that solved the performance and security issues in BCNS [13]. Subsequently, Bos et al. [15] proposed the Frodo protocol based on ideas similar to the LWE-based protocol in [12], but, as in the Ring-LWE-based key exchange protocols BCNS [13] and NewHope [14], Bos et al. incorporated and extended Peikert's error reconciliation mechanism [16] and further modified the protocol to save bandwidth.
Key exchange protocols constructed using a KEM include NewHope-simple [17] and Kyber.KE [18], etc. Most of the existing lattice-based key exchange protocols are constructed using a KEM for its simplicity and modularity, although it incurs more communication cost. Alkim et al. [17] introduced NewHope-simple in 2016, which is a variant of NewHope [14]. The main advantage of NewHope-simple over NewHope is simplicity; in particular, NewHope-simple avoids the error reconciliation mechanism. In 2018, Bos et al. [18] presented Kyber.KE, which is constructed using an IND-CCA-secure KEM, and the security of Kyber.KE is based on the hardness of Module-LWE in the classical and quantum random oracle models. Recently, in 2021, Xue et al. [19] presented an authenticated key exchange (AKE) protocol following a generic construction from a KEM and a signature scheme. Compared with Kyber.AKE [18], Xue's AKE protocol reduces the communication overhead under the same post-quantum security levels.
In this work, we propose a key exchange protocol constructed using an error reconciliation mechanism, whose security is based on the hardness of the Module-LWE problem. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 3.2% ∼ 6.1%, under the same post-quantum security levels and different parameter sets, and reduces the time consumed by modular multiplication of ring elements and numbers by approximately 30%. Secondly, the number of the most time-consuming operations (such as discrete binomial sampling and modular multiplication of ring elements) is reduced in our key exchange protocol since re-encryption is not used. Thus, our key exchange protocol is more suitable for lightweight communication protocols, such as the Internet of Vehicles environment and smart home terminals. Thirdly, our protocol slightly reduces the probability of agreement failure because the compression algorithm is used fewer times than in Kyber.KE. Moreover, the key exchange protocol proposed in this paper is relatively symmetric: the process of the protocol is symmetric, and the computational as well as communication costs of the two parties are nearly the same. Finally, our key exchange protocol inherits the parameter sets of Kyber.KE, which lead to the same post-quantum security strength, and its computational efficiency is almost the same as Kyber.KE according to the performance analysis.
Section 2 gives the necessary preliminaries and definitions. Then, Section 3 describes our key exchange protocol, analyzes its correctness and security, and gives the parameter sets and their performance. Finally, Section 4 concludes our work.

Preliminaries
Denote the security parameter by λ, and the negligible function by negl(λ) ∈ λ^{−ω(1)}. Let q be a prime, n be a power of two, the positive integer k be the rank of Module-LWE, and q ≡ 1 mod 2n. We write Z for the set of integers, Q for the set of rational numbers, and R for the set of reals. Let . We use bold lowercase letters a for column vectors, bold uppercase letters A for matrices, and (·)^T for the transpose of vectors/matrices. Denote probability distributions by calligraphic letters S, and discrete sets by uppercase letters S. We write x ← S to denote sampling x from the distribution S, and x ← S to denote that x is chosen uniformly at random from a set S. For an even (resp., odd) positive integer p, we define x′ = x mod± p to be the unique element x′ in the range −p/2 < x′ ≤ p/2 (resp., −(p−1)/2 ≤ x′ ≤ (p−1)/2) such that x′ ≡ x mod p, and x′ = x mod+ p to be the unique element x′ in the range 0 ≤ x′ < p such that x′ ≡ x mod p. Assume that Sample(·) is an extendable output function, that is, a function on bit strings whose output can be extended to any desired length. Let y ∼ S = Sample(x) (resp., y ∼ S = Sample(x)); i.e., if the function Sample(·) takes x as input, then its output y is distributed according to S (resp., uniformly over a set S).

Module-LWE Problem and Compression Algorithm.
The Module-LWE problem was first defined by Brakerski et al. [10] and studied in detail by Langlois and Stehlé [11]. Let K be a number field of degree n, and R be the ring of integers of K. Let K_R := K ⊗_Q R, T_R := K_R/R, and T_{qR} := K_R/qR. We refer the reader to [20] and [11, 21–24] for a thorough introduction to algebraic number theory. Let χ be a distribution on K_R. The search Module-LWE problem MLWE_{q,k,m,n,χ} is to find s ∈ (R_q)^k given (A, b := As + e), where A ← (R_q)^{m×k}, s ← (R_q)^k, and e ← χ^m, whereas the decision variant dMLWE_{q,k,m,n,χ} asks to distinguish the distribution (A, b := As + e) from the uniform distribution (A, u), where A ← (R_q)^{m×k}, s ← (R_q)^k, e ← χ^m, and u ← (T_{qR})^m.
It can be shown that the normal form of the above problems, where the secret distribution is a discretized version of the error distribution, is no easier than the case where the secret is chosen uniformly at random. When the error distribution χ is a Gaussian distribution of parameter η > 0 or a centered binomial distribution of parameter η > 0, we write MLWE_{q,k,m,n,η} (dMLWE_{q,k,m,n,η}). We denote by Adv^{MLWE}_{q,k,m,n,χ}[A] the advantage of the adversary A in solving the search Module-LWE problem, and by Adv^{dMLWE}_{q,k,m,n,χ}[D] the advantage of the distinguisher D in distinguishing between the two distributions of the decision Module-LWE problem. More precisely, the Module-LWE problem is defined as follows.
Definition 1. Let q ≥ 2 be a modulus, m = poly(λ) be the number of samples, k > 0 be the rank of Module-LWE, and n = poly(λ) be the degree of the modular polynomial. Let χ be a distribution on K_R.
We say that the search problem MLWE_{q,k,m,n,χ} is hard if it holds for every PPT adversary A that where A ← (R_q)^{m×k}, s ← (R_q)^k, and e ← χ^m. We say that the decision problem dMLWE_{q,k,m,n,χ} is hard if it holds for every PPT distinguisher D that where
Let η > 0 be an integer; the centered binomial distribution β_η is defined as follows: randomly choosing samples ( For v ∈ R, v ← β_η means that each of its coefficients is sampled from β_η independently.
Next, we review the compression algorithm in [18].
Definition 2. Let 0 < d < ⌈log(q)⌉ be an integer and q > 0 be a modulus. The compression algorithm consists of two functions: Compress_q(·, d) and Decompress_q(·, d).
These two functions are defined as follows: If Compress_q(·, d) or Decompress_q(·, d) is used with a vector v ∈ (R_q)^k, then the function is applied to each coefficient individually.

Error Reconciliation Mechanism.
When constructing a key exchange protocol from the LWE problem and its variants, a serious issue is that errors are usually present in the protocol, which leads the two parties to similar values instead of the same values.
These errors are significant to the post-quantum security and must be handled, since the key exchange protocol requires that the communicating parties obtain a common session key.
The error reconciliation mechanism, first introduced by Ding et al. [12], is the key technique for dealing with these errors. The main variants so far are Ding's error reconciliation mechanism [12], Peikert's error reconciliation mechanism (and its multibit variant) [16], and D_4 lattice decoding [14]. Peikert's error reconciliation mechanism is widely used, for example in BCNS [13] and Frodo [15], because of its simplicity and efficiency; the detailed reconciliation process and its correctness are described in [16]. Next, we recall Peikert's reconciliation mechanism.
When the modulus q is odd, it is necessary to work in Z_{2q} rather than Z_q to avoid bias in the derived bits. Since we use an odd q in this paper, we need to introduce the randomized doubling function from [16]. The randomized doubling function dbl(·): The randomized doubling function is extended to polynomials f ∈ R_q by applying it to each of f's coefficients.
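Peikert's mechanism as the protocol uses it (Bob derives a cross-rounding hint c and a key bit from his doubled value, Alice runs rec on her own doubled value with that hint), as an added Python example that is not part of the paper: it implements dbl, ⟨·⟩_{2q,2}, ⌈·⌉_{2q,2} and rec for odd q from Peikert's definitions [16], checks exhaustively how large a difference between Alice's and Bob's values can be tolerated, and confirms the Lemma 3 property that the key bit is unbiased given c. The modulus q = 7681 and the small test modulus 97 are assumed values, not taken from the page.

```python
"""Peikert's reconciliation over Z_2q for odd q: constructed example, not the paper's code."""
from typing import Optional
import secrets

Q = 7681  # assumed odd modulus; the paper inherits Kyber.KE's parameters without restating q


def dbl(v: int, q: int, e: Optional[int] = None) -> int:
    """Randomized doubling Z_q -> Z_2q: vbar = 2v - e with e in {-1, 0, 1} w.p. 1/4, 1/2, 1/4.
    e can be fixed by the caller so the exhaustive checks below cover every coin outcome."""
    if e is None:
        e = secrets.randbelow(2) - secrets.randbelow(2)  # difference of two fair bits
    return (2 * v - e) % (2 * q)


def modular_round(vbar: int, q: int) -> int:
    """Key bit ⌈vbar⌉_{2q,2} = round(vbar / q) mod 2 (which half of Z_2q vbar lies in)."""
    return ((2 * vbar + q) // (2 * q)) % 2


def cross_round(vbar: int, q: int) -> int:
    """Hint bit ⟨vbar⟩_{2q,2} = floor(2 * vbar / q) mod 2 (which quarter vbar lies in)."""
    return ((2 * vbar) // q) % 2


def rec(w: int, c: int, q: int) -> int:
    """rec(w, c) = 0 if w lies in I_c + E (mod 2q), else 1, with Peikert's sets for modulus 2q:
    I_0 = {0, ..., (q-1)/2}, I_1 = {-(q-1)/2, ..., -1}, E = [-q/4, q/4) ∩ Z."""
    half, quarter = (q - 1) // 2, q // 4
    lo, hi = (0, half) if c == 0 else (-half, -1)
    lo, hi = lo - quarter, hi + quarter  # the interval I_c + E
    return 0 if (w - lo) % (2 * q) <= hi - lo else 1


def responder(v: int, q: int, e: Optional[int] = None) -> tuple:
    """Bob: from his ring value v derive the hint c (sent to Alice) and the key bit k (kept)."""
    vbar = dbl(v, q, e)
    return cross_round(vbar, q), modular_round(vbar, q)


def initiator(w: int, c: int, q: int) -> int:
    """Alice: reconcile her approximation w of v (doubled into Z_2q) using Bob's hint c."""
    return rec((2 * w) % (2 * q), c, q)


def agrees_for_all(q: int, d: int) -> bool:
    """True iff every v in Z_q and every doubling coin e reconcile when Alice holds w = v + d."""
    for v in range(q):
        for e in (-1, 0, 1):
            c, k = responder(v, q, e)
            if initiator((v + d) % q, c, q) != k:
                return False
    return True


def max_tolerated_error(q: int) -> int:
    """Largest t such that agreement holds for every |d| <= t (exhaustive; use a small q)."""
    t = 0
    while agrees_for_all(q, t + 1) and agrees_for_all(q, -(t + 1)):
        t += 1
    return t


def key_bit_counts_given_hint(q: int) -> dict:
    """Lemma 3 check: weight (v, e) by the dbl coin probabilities (1, 2, 1 out of 4) and count
    key bits per hint value; with dbl both key bits are equally likely given either hint."""
    counts = {0: [0, 0], 1: [0, 0]}
    for v in range(q):
        for e, weight in ((-1, 1), (0, 2), (1, 1)):
            c, k = responder(v, q, e)
            counts[c][k] += weight
    return counts


if __name__ == "__main__":
    v = secrets.randbelow(Q)
    c, k = responder(v, Q)
    print(k == initiator((v + 7) % Q, c, Q), max_tolerated_error(97), key_bit_counts_given_hint(97))
```

With these definitions the tolerated difference |w − v| is determined by 2d + e having to fall inside E, so for q = 7681 every d with |d| ≤ 959 reconciles for all v and both coin outcomes, while d = 960 does not.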

Key Exchange Protocol
In this section, we propose a Module-LWE-based unauthenticated key exchange protocol using Peikert's error reconciliation mechanism, which is a variant of Kyber.KE [18]. We first describe the concrete process of the key exchange protocol and then prove its correctness and security. Finally, we give the parameter sets and analyze the performance of our key exchange protocol, including communication cost and computation overhead.

Key Exchange Protocol Using Peikert's Error Reconciliation
Mechanism. We present a Module-LWE-based key exchange protocol using Peikert's error reconciliation mechanism instead of the IND-CCA-secure KEM used in Kyber.KE [18]. In particular, Alice (initiator) sends (b, ρ) to Bob (responder) in both our key exchange protocol and Kyber.KE, where b is the output of the compression function. However, in the second round of our key exchange protocol Bob sends (u, c) to Alice, where u is the output of the compression function and c is the output of the cross-rounding function, whereas in the second round of Kyber.KE Bob sends (u, v, d) to Alice, where both u and v are outputs of the compression function and d is a 256-bit random bit string. The specific description of the protocol is shown in Figure 1.
Compared with Kyber.KE [18], our key exchange protocol has the following differences.

Our Key Exchange Protocol Is Relatively Symmetric and Reduces the Communication Cost in the Second Round.
Kyber.KE is asymmetric: Alice generates a key pair and sends the public key to Bob, then Bob encrypts a random session key with the public key and sends the ciphertext back to Alice, and finally Alice decrypts the received ciphertext to obtain the session key. It is known from [18] that the communication costs in the first and second rounds of Kyber.KE are not equal. In our key exchange protocol, however, the communication costs of both rounds are equal, and we reduce the communication cost in the second round. See Section 3.4 for a detailed analysis.

Our Key Exchange Protocol Slightly Reduces the Probability of Session Key Agreement Failure.
Kyber.KE always compresses the public key and ciphertext using the compression algorithm; this is done not only to save communication traffic but also to ensure correctness. Generally, the compression function discards the least significant bits and retains the other bits. Thus, the probability of session key agreement failure can be effectively reduced by not using the compression algorithm, or by reducing the number of times it is used. In Kyber.KE, the compression algorithm adds an extra error term to the sent messages, which means the encoded messages are not uniformly random and may therefore leak some information. However, the ideal situation (no compression algorithm is used) and the real situation are indistinguishable under certain parameter sets according to the analysis in [18]. Compared with Kyber.KE, our key exchange protocol uses the compression function 4 fewer times and the decompression function 2 fewer times; thus it slightly reduces the probability of session key agreement failure. If the compression algorithm were not used at all, it would not affect the correctness of the protocol but would increase communication traffic. Therefore, we still use the compression algorithm and prove that it has no effect on the correctness and security of the protocol in Sections 3.2 and 3.3.

Correctness.
This section gives the correctness proof of our Module-LWE-based key exchange protocol. According to Section 2.2, when q is odd there is an additional randomized doubling function dbl(·) in Peikert's error reconciliation mechanism, which maps x ∈ Z_q to Assume that the tiny error between b ∈ R_q^k and b′ after applying the compression algorithm is Peikert's error reconciliation mechanism shows that the error tolerance range is ⌊q/2⌋ when q is odd. Therefore, the output of the reconciliation function is i.e., Compared with the correctness proof in Kyber.KE, inequality (1) is almost the same. Thus, the probability that inequality (1) holds is no less than 1 − 2^{−128} for appropriate parameter sets, which means that the probability of session key agreement failure is less than 2^{−128}.
Note that there is a slight difference between inequality (1) and the corresponding inequality in Kyber.KE [18], because v is not compressed in our key exchange protocol; i.e., the error term c_v of v is absent from inequality (1). Even though the norm of c_v is relatively small, it increases the probability of session key agreement failure in Kyber.KE under the same parameter sets. In other words, the probability of session key agreement failure in our key exchange protocol is smaller than that in Kyber.KE.

Security Proof.
This section gives the security proof of our key exchange protocol by designing a sequence of games.
The Module-LWE-based key exchange protocol described in Figure 1 is constructed using Peikert's error reconciliation mechanism; its security relies on the hardness of the Module-LWE problem. One can prove that the generated session key is indistinguishable from an equal-length random bit string.
Theorem 1. Let q be an odd prime, n, k be public parameters, and η be the parameter of the binomial distribution. Then the key exchange protocol described in Figure 1 is secure, provided that the decision Module-LWE problem dMLWE_{q,k,k+1,n,η} is hard. More precisely, if D is a distinguisher for dMLWE_{q,k,k+1,n,η}, then Adv^{KE}_{q,k,k,n,η}(A) ≤ 2 · Adv^{dMLWE}_{q,k,k+1,n,η}(D), where A is an adversary for the key exchange protocol described in Figure 1.
Proof. Let b* be the bit guessed by the adversary, and A an adversary for the key exchange protocol described in Figure 1. Consider the following sequence of games.
Game 0. This is the original game, where the messages are honestly generated according to the description in Figure 1. distinguisher D with the same running times as that of A, .
Game 2. In this game, assume that (u_0, v) is chosen uniformly at random from R_q^k × R_q; i.e., both (A^T, u_0) and (b′^T, v) are chosen uniformly at random from R_q^{k×k} × R_q^k and R_q^k × R_q, respectively. By the assumption that the decision Module-LWE problem dMLWE_{q,k,k+1,n,η} is hard, we know that Game 1 and Game 2 are computationally indistinguishable. In other words, there exists a Module-LWE distinguisher D with the same running times as that of A, . In Game 2, since v ∈ R_q is uniformly random and v̄ := dbl(v), according to Lemma 3 in Section 2.2 we know that the real session key k := ⌈v̄⌉_{2q,2} is uniformly random in {0,1}^n given c := ⟨v̄⟩_{2q,2}. Therefore, Collecting the probabilities yields the required bound.

Parameter Sets and Performance.
In this section, we give the parameter sets of the protocol described in Figure 1 and analyze their performance. Based on the analysis in Section 3.1, the parameter sets of Kyber.KE perfectly satisfy the correctness of our key exchange protocol. The parameter sets of the protocol described in Figure 1 and their performance are listed in Table 1, where "Alice ⟶ Bob" (resp., "Bob ⟶ Alice") denotes the communication cost in the first (resp., second) round. Alice sends (b, ρ) to Bob in both the key exchange protocol described in Figure 1 and Kyber.KE [18]. However, in the second round Bob sends (u, c) to Alice in the key exchange protocol described in Figure 1 and (u, v, d) in Kyber.KE. We take the parameter set "Default" as an example to calculate the communication cost saved by the key exchange protocol described in Figure 1. In both our key exchange protocol and Kyber.KE, u is a vector of three polynomials with 256 11-bit coefficients. In Kyber.KE, v is a polynomial with 256 3-bit coefficients and d is a 256-bit random string; i.e., 32 × 3 + 32 = 128 bytes are required to store v and d. In our key exchange protocol, each coefficient of v̄ = dbl(v) ∈ R_{2q} lies in Z_{2q}; the cross-rounding function then takes v̄ as input and outputs a 256-bit (32-byte) string c. According to the analysis above, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 4.2%. Note that no matter which parameter set we choose, the total communication cost saved is invariant. Therefore, compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 3.2% ∼ 6.1% for the different parameter sets.
In terms of computational efficiency, the number of the most time-consuming operations, such as discrete binomial sampling and modular multiplication of ring elements, used in our key exchange protocol is less than that in Kyber.KE, since our key exchange protocol does not use re-encryption. Among the relatively time-consuming operations, we mainly consider the modular multiplication of ring elements and numbers. Note that the randomized doubling function, cross-rounding function, modular rounding function, and compression algorithm all consist of modular multiplications of ring elements and numbers. Moreover, the time consumed by these operations is the same for vectors of the same dimension. In particular, Kyber.KE includes 6 compression functions and 4 decompression functions, whereas our key exchange protocol includes 2 compression functions, 2 decompression functions, 1 randomized doubling function, 1 cross-rounding function, and 1 modular rounding function. Therefore, compared with Kyber.KE, our key exchange protocol reduces the time consumed by modular multiplication of numbers and ring elements by approximately 30%, and the only other difference between the two protocols is that some operations are transferred from the initiator to the responder.
From the security aspect, both our key exchange protocol and Kyber.KE are based on the Module-LWE problem, and the scale of the problem is equal. Thus the security strength of our key exchange protocol is the same as that of Kyber.KE. Table 1 shows that the communication costs of both rounds are equal, which means our key exchange protocol is a Diffie-Hellman-like symmetric key exchange protocol. Since symmetric key exchange protocols ensure that the computation and communication costs of the two parties are roughly the same, instead of occupying the computing resources of one party, such a protocol is more suitable for deployment among users of the same level, such as in the Internet of Vehicles (IOV) environment.

Conclusion
In this paper, we propose a Module-LWE-based key exchange protocol using Peikert's error reconciliation mechanism. Compared with Kyber.KE, our key exchange protocol reduces the total communication cost by 96 bytes, i.e., 3.2% ∼ 6.1%, under the same post-quantum security levels and different parameter sets. Furthermore, our key exchange protocol slightly reduces the probability of session key agreement failure due to the reduced use of the compression algorithm, uses fewer of the most time-consuming operations (such as discrete binomial sampling and modular multiplication of ring elements) since re-encryption is not used, and reduces the time consumed by modular multiplication of numbers and ring elements by approximately 30%. Unlike protocols using a KEM, our key exchange protocol is a Diffie-Hellman-like symmetric protocol, which means the computation and communication costs of the two parties are roughly the same. With the advantages and properties above, our key exchange protocol is more suitable for lightweight communication protocols, such as those deployed in the IOV environment and smart home terminals.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.