Improved key-reconciliation method

In [1], Peikert proposed efficient and practical lattice-based protocols for key transport, encryption and authenticated key exchange. One of the main technical innovations of [1] is a reconciliation technique that allows two parties who ”approximately agree” on a secret value to reach exact agreement, a setting common to essentially all lattice-based encryption schemes. In [1], this reconciliation technique was described for reaching agreement on a single bit. Peikert’s reconciliation technique has been extended in [2], allowing for agreement on more than one bit. In both cases, only one reconciliation bit is required to reach exact agreement. As symmetric keys typically require many bits, say 128 or more, the parties compute multiple secret values, and reach exact agreement on each of those values individually. In this paper, we propose a reconciliation method that sends more than one reconciliation bit. In this way, the parties can agree on the same number of bits as with Peikert’s method with less stringent conditions on ”how approximate” the approximate agreement must be. Allowing for less stringent conditions on the approximate agreement improves security of the system. Alternatively, with virtually the same approximation requirements (i.e., with virtually the same security guarantees), an instance of our method allows the two parties to agree on one a secret value that is one bit longer than with the method from [2]. We numerically illustrate the advantages of our method with the impact to the recommended schemes in [2].