Tight Bound on NewHope Failure Probability

Abstract

<monospace>NewHope</monospace> Key Encapsulation Mechanism (KEM) has been presented at USENIX 2016 by Alkim <i>et al.</i> and was one of the lattice-based candidates to the post-quantum standardization initiated by the NIST. However, despite the relative simplicity of the protocol, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work we refine this analysis to get a tight upper-bound on this probability which happens to be much lower than what was originally evaluated. As a consequence, we propose a set of alternative parameters, increasing the security and the compactness of the scheme. However using a smaller modulus prevent the use of a full NTT algorithm to perform multiplications of elements in dimension 512 or 1024. Nonetheless, similarly to previous works, we combine different multiplication algorithms and show that our new parameters are competitive on a constant time vectorized implementation. Our most compact parameters bring a speed-up of <inline-formula><tex-math notation="LaTeX">$17\%$</tex-math></inline-formula> (resp. <inline-formula><tex-math notation="LaTeX">$11\%$</tex-math></inline-formula> ) in performance but allow to gain more than <inline-formula><tex-math notation="LaTeX">$19\%$</tex-math></inline-formula> over the bandwidth requirements and to increase the security of <inline-formula><tex-math notation="LaTeX">$10\%$</tex-math></inline-formula> (resp. <inline-formula><tex-math notation="LaTeX">$7\%$</tex-math></inline-formula> ) in dimension 512 (resp. 1024).