Hello everyone, my name is Katerina Sotiraki and I'm going to present the paper "Limits on the Efficiency of (Ring) LWE-based Non-Interactive Key Exchange". This is joint work with Siyao Guo, Pritish Kamath and Alon Rosen.

Let me start by reminding you of the Diffie-Hellman key exchange protocol, whose ideas lie at the foundation of public-key cryptography and which has been widely used in practice throughout the years. In this protocol we have two parties, Alice and Bob, who want to agree on a common key. In order to do so, they sample secret exponents and exchange elements of a publicly known group. Using their secret information, they can agree on a common element of the group, which is equal to g^(ab), and which is supposed to be hard to guess without the secret information.

Two decades after the introduction of this protocol, Peter Shor showed that efficient quantum algorithms could in principle break the hard problem underlying the Diffie-Hellman protocol. Since then, a lot of work has been done on constructing protocols that withstand quantum attacks. The NIST post-quantum cryptography standardization is an effort in this direction. One of the primitives included in this standardization effort is key encapsulation, and there are many proposals based on various primitives. In this talk we consider lattice-based proposals, and in particular proposals based on the learning with errors (LWE) assumption.

The variant of the learning with errors assumption that we consider is the following. Assume that we have an n-by-n matrix A over Z_q, and two vectors x and e drawn from a distribution chi, which is called the noise distribution. Commonly used noise distributions are, for instance, the discrete Gaussian. Also assume that u is a uniform vector. Then the LWE assumption states that (A, Ax + e) is indistinguishable from (A, u). So distinguishing noisy linear equations from uniform is hard.
Some parameters that will be useful for us are the following. First, the modulus q. A small modulus q implies faster protocols, which is very good in practice. However, very few constructions are known from small q. Another useful parameter is what is called the noise-to-modulus ratio, which intuitively measures how big the noise is compared to the modulus q. A large noise-to-modulus ratio gives better theoretical guarantees, but again, it is harder to construct protocols with a large noise-to-modulus ratio.

Now back to LWE-based key exchange protocols. There are two types of proposed protocols: key exchange through public-key encryption and key exchange through reconciliation. In the first case, Alice samples a public key and sends it to Bob. Then Bob picks the common secret key and sends its encryption to Alice under her public key. The common key is the key that Alice gets by decrypting Bob's message. This protocol has two main drawbacks. The first one is that it is inherently interactive. The other one is that one party, in this case Bob, completely controls the common secret key.

The other protocols are what is called key exchange through reconciliation. They were introduced by Ding, Xie and Lin and by Peikert, and they are the focus of this talk. Reconciliation protocols have the following form. Alice and Bob have a common public square matrix A. First, each one of them samples a secret vector and a noise vector. Then they exchange the corresponding LWE samples, as shown in the picture. Notice that Alice creates her LWE sample by left-multiplying A with her secret vector, whereas Bob uses right multiplication for his LWE sample. Then each party computes the approximate common secret by taking the inner product of its secret vector with the received message. This allows them to compute the quantity x1 A x2 plus noise, where the noise is different for each party.
After this first round, the parties have an approximate common key. The solution proposed by Ding, Xie and Lin and by Peikert for turning this approximate agreement into exact agreement is to add a second round of communication. The question that we investigate is whether this kind of interaction is inherent.

Note that there is indeed a non-interactive key agreement when the noise in the approximate key is very small relative to the modulus q. Remember that after the first round, the parties have x1 A x2 plus noise. If the extra noise is small, the parties can remove it by just rounding, because if the noise-to-modulus ratio is small, then the parties agree with high probability. However, this solution is not satisfying for a couple of reasons. First, in practical scenarios q has to be very small; in fact, in certain cases it can be as small as 257. Additionally, as we already said, when the noise-to-modulus ratio is small, the theoretical guarantees of our cryptographic assumptions are worse.

Our main question is the following: is it possible to have non-interactive LWE-based key exchange when q is small? Our result can be summarized in the following statement: natural ideas for achieving non-interactive key agreement in this model do not work.

As we said, in LWE-based key agreement the parties have a publicly known matrix A and exchange LWE samples in parallel. We generalize this model by allowing the parties to exchange more than one sample. So they share many matrices, say A_i, and they exchange many LWE samples, as shown in the picture. For ease of notation, we will denote this as shown on the slide by just a subscript i. Each party may then run a different reconciliation function, which we denote by REC-1 for Alice and REC-2 for Bob. In our model, the parties first exchange many LWE samples and then they locally run their reconciliation function in order to compute the common key.
In this model, we show that natural choices of reconciliation functions cannot achieve agreement. So let's start with our first impossibility result. Remember that the parties can achieve approximate agreement after only one round. An easy analysis shows that they actually achieve agreement with probability 1 minus 1/2. Thus, a natural question is whether we can amplify this agreement probability by repetition. Namely, assume that instead of just one sample, the parties exchange many samples. Then, for each of the samples, they take the inner product with the corresponding secret, as in the one-sample case. This gives many values on which they almost agree. Finally, they run a reconciliation function on these approximately equal values. The question is then: is it possible to achieve exact agreement following this methodology?

Our result says that it is not. In fact, no matter what reconciliation function the parties use, they cannot agree with probability better than 1 minus 1/2 squared. Hence, it is impossible to amplify the agreement probability by repetition.

Modelling the problem of non-interactive agreement in this way is captured by a problem studied in information theory, namely non-interactive agreement distillation. In non-interactive agreement distillation, Alice and Bob get correlated samples. Both players look at their correlated randomness, apply a function, and output a bit. Their goal is to maximize the probability that their outputs agree. In connection with this problem, the notion of maximal correlation has been introduced. It turns out that maximal correlation almost tightly captures the maximum agreement probability that the players can get. In fact, if the maximal correlation is bounded away from 1, then repetition does not help. In our case, the joint distribution of Alice and Bob is the following: Alice gets x1 A x2 plus noise, and Bob gets x1 A x2 plus another noise.
This joint distribution has a very special form, and a known result shows how to compute the maximal correlation for this special type of distribution. So we obtain our result by applying that computation and showing that the maximal correlation in this case is bounded away from 1.

So now let's move on to our second impossibility result. As we said, in the first case we assume that the inputs of the reconciliation functions are just elements of the form x1 A x2 plus noise, where the noise is different for each party. However, in reality, the reconciliation function can be any function that depends on the public matrices A_i, the secrets x_i, the noise, and the messages received. For our second result, we consider the case where at least one of the reconciliation functions is noise-ignorant, namely, it does not depend on the noise of that party. In this case, on the slide, we assume that Alice's reconciliation function is noise-ignorant, namely, it does not depend on e1. We show that if the LWE assumption holds, then it is impossible to achieve key agreement with a noise-ignorant reconciliation function.

Let's see a proof sketch of this result. Assume that Alice's reconciliation function does not depend on the noise e1, as shown on the slide. This means that it depends only on the matrices A, on the secret x1, and on the received message, which has the form A x2 plus noise. If the protocol achieves key agreement, then it must be the case that the two reconciliation functions REC-1 and REC-2 agree on the corresponding inputs. Then we slightly change the message received by Bob by adding a very small but noticeable noise w. Since Alice's reconciliation function is noise-ignorant, it must be the case that this small noise does not change Alice's output. Combining these two equations, we get that Bob's output should not change when this small noise is added.
On the other hand, if we evaluate Bob's reconciliation function on a uniform element instead of an LWE sample, then, assuming that it actually depends on the message received from Alice, we can show that adding this small noise changes Bob's output with noticeable probability. Combining these two facts, we get a distinguisher for learning with errors: if we run REC on LWE samples plus some small noise, and if we run it on uniform elements plus noise, we can see a difference.

Let me summarize our two impossibility results. In the first case, we show that repetition does not help, and in fact we have an information-theoretic impossibility. In the second case, we show that the reconciliation function cannot be noise-ignorant; this result is based on LWE. Both of our results readily extend to Ring LWE, which is the lattice-based assumption most commonly used in practice.

Apart from our two impossibility results, we also show some other connections between key agreement and other cryptographic primitives. Specifically, from known results, we know that it is possible to achieve non-interactive key agreement based on indistinguishability obfuscation and LWE. We observe that this construction can be realized in a slight generalization of our model, where the obfuscated program is public and, again, the parties only exchange LWE samples during the protocol. Hence, a general impossibility result in our model seems implausible. Additionally, a non-interactive key agreement in our model would give a direct construction of weak PRFs based on polynomial-modulus LWE.

Finally, I conclude with some open problems. The most interesting direction of this work is to find alternative protocols for non-interactive key exchange based on LWE. In particular, leakage-resilience techniques for LWE and the recent work on key-homomorphic PRFs might be useful.
On the other hand, it is also interesting to extend the impossibility results in order to get a better understanding of the difficulties of the problem. Thank you for listening to my talk.
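The following is an added, stand-alone illustration of the one-round reconciliation-style exchange described in the talk; it is not code from the talk or the paper. It builds both sides of the exchange (Alice sends x1^T A + e1, Bob sends A x2 + e2, each takes the inner product with its own secret), checks that the two approximate keys differ only by the party-specific noise term x1.e2 - e1.x2, and then uses plain rounding to the most significant bit as a stand-in reconciliation function. The parameters (n, q, a uniform noise in [-B, B] instead of a discrete Gaussian) are illustrative assumptions chosen to show the effect the talk points out: rounding gives exact agreement when the noise is tiny relative to q, and fails often when q is as small as 257.

```python
"""Toy (non-ring) LWE key exchange through reconciliation.

One round of LWE samples gives an approximate shared key; rounding only
turns it into an exact key when the noise is small relative to q.
All parameters here are illustrative choices (assumed, not from the
paper), and the sizes are far too small to be secure.
"""
import random


def sample_noise(n, bound, rng):
    # Assumed noise distribution chi: uniform integers in [-bound, bound]
    # (a stand-in for the discrete Gaussian mentioned in the talk).
    return [rng.randint(-bound, bound) for _ in range(n)]


def sample_matrix(n, q, rng):
    # Public n-by-n matrix A with uniform entries in Z_q.
    return [[rng.randrange(q) for _ in range(n)] for _ in range(n)]


def vec_mat(x, A, q):
    # x^T A mod q: Alice multiplies A on the left.
    n = len(A)
    return [sum(x[i] * A[i][j] for i in range(n)) % q for j in range(n)]


def mat_vec(A, x, q):
    # A x mod q: Bob multiplies A on the right.
    n = len(A)
    return [sum(A[i][j] * x[j] for j in range(n)) % q for i in range(n)]


def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q


def centered(v, q):
    # Representative of v mod q in the range (-q/2, q/2].
    v %= q
    return v - q if v > q // 2 else v


def one_round(n, q, bound, rng):
    """Run the single round. Returns (k1, k2): Alice's and Bob's
    approximate keys, both equal to x1^T A x2 plus party-specific noise."""
    A = sample_matrix(n, q, rng)
    x1, e1 = sample_noise(n, bound, rng), sample_noise(n, bound, rng)
    x2, e2 = sample_noise(n, bound, rng), sample_noise(n, bound, rng)
    msg1 = [(a + b) % q for a, b in zip(vec_mat(x1, A, q), e1)]  # Alice -> Bob
    msg2 = [(a + b) % q for a, b in zip(mat_vec(A, x2, q), e2)]  # Bob -> Alice
    k1 = dot(x1, msg2, q)   # = x1^T A x2 + <x1, e2>
    k2 = dot(msg1, x2, q)   # = x1^T A x2 + <e1, x2>
    return k1, k2


def noise_gap_bound(n, bound):
    # |<x1, e2> - <e1, x2>| <= 2 * n * bound^2, independent of q.
    return 2 * n * bound * bound


def max_observed_gap(n, q, bound, trials, seed=0):
    # Largest centered difference k1 - k2 seen over several runs.
    rng = random.Random(seed)
    return max(abs(centered(k1 - k2, q))
               for k1, k2 in (one_round(n, q, bound, rng) for _ in range(trials)))


def reconcile_by_rounding(k, q):
    # Stand-in REC: most significant bit of k, i.e. round(2k/q) mod 2.
    return ((2 * k + q // 2) // q) % 2


def agreement_rate(n, q, bound, trials, seed=0):
    # Fraction of runs in which rounding gives Alice and Bob the same bit.
    rng = random.Random(seed)
    agree = 0
    for _ in range(trials):
        k1, k2 = one_round(n, q, bound, rng)
        agree += reconcile_by_rounding(k1, q) == reconcile_by_rounding(k2, q)
    return agree / trials


if __name__ == "__main__":
    n, bound, trials = 16, 4, 1000
    print("noise gap bound:", noise_gap_bound(n, bound))
    print("q = 2^20 agreement:", agreement_rate(n, 2 ** 20, bound, trials, seed=7))
    print("q = 257  agreement:", agreement_rate(n, 257, bound, trials, seed=7))
```

With n = 16 and noise bound 4, the gap between the two approximate keys is at most 512 regardless of q, so with q = 2^20 the rounding boundaries are almost never crossed and the parties agree in essentially every run, whereas with q = 257 the same gap is larger than q/2 and a noticeable fraction of runs end in disagreement. This is exactly the regime the talk is concerned with: rounding is a valid reconciliation function only when q is large relative to the noise.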