Improving security and bandwidth efficiency of NewHope using error-correction schemes

Among many submissions to the NIST post-quantum cryptography (PQC) project, NewHope is a promising key encapsulation mechanism (KEM) based on the Ring-Learning with errors (Ring-LWE) problem. Since the most important factors to be considered for PQC are security and cost including bandwidth and time/space complexity, in this paper, by doing exact noise analysis and using Bose Chaudhuri Hocquenghem (BCH) codes, it is shown that the security and bandwidth efficiency of NewHope can be substantially improved. In detail, the decryption failure rate (DFR) of NewHope is recalculated by performing exact noise analysis, and it is shown that the DFR of NewHope has been too conservatively calculated. Since the recalculated DFR is much lower than the required $2^{-128}$, this DFR margin is exploited to improve the security up to 8.5 \% or the bandwidth efficiency up to 5.9 \% without changing the procedure of NewHope. The additive threshold encoding (ATE) used in NewHope is a simple error correcting code (ECC) robust to side channel attack, but its error-correction capability is relatively weak compared with other ECCs. Therefore, if a proper error-correction scheme is applied to NewHope, either security or bandwidth efficiency or both can be improved. Among various ECCs, BCH code has been widely studied for its application to cryptosystems due to its advantages such as no error floor problem. In this paper, the ATE and total noise channel are regarded as a super channel from an information-theoretic viewpoint. Based on this super channel analysis, various concatenated coding schemes of ATE and BCH code for NewHope have been investigated. Through numerical analysis, it is revealed that the security and bandwidth efficiency of NewHope are substantially improved by using the proposed error-correction schemes.