Analysis of Error Dependencies on NewHope

Among the many submissions to the NIST post-quantum cryptography (PQC) project, NewHope is a promising key encapsulation mechanism (KEM) based on the Ring-Learning with Errors (Ring-LWE) problem. NewHope is an indistinguishability (IND)-chosen ciphertext attack secure KEM obtained by applying the Fujisaki-Okamoto transform to an IND-chosen plaintext attack secure public-key encryption scheme, so an accurate calculation of the decryption failure rate (DFR) is required to guarantee resilience against attacks that exploit decryption failures. However, the current upper bound (UB) on the DFR of NewHope is rather loose because the compression noise, the effect of encoding/decoding of NewHope, and the approximation effect of the centered binomial distribution are not fully considered. Furthermore, since NewHope is a Ring-LWE based cryptosystem, there is a problem of error dependency among error coefficients, which makes accurate DFR calculation difficult. In this paper, we derive a much tighter UB on the DFR than the current UB by using constraint relaxation and the union bound. In particular, the above-mentioned factors are all considered in the derivation of the new UB, and the centered binomial distribution is not approximated. Since the error dependency is also considered, the new UB is much closer to the real DFR than the current UB. Furthermore, the new UB is parameterized by using the Chernoff-Cramer bound to facilitate its calculation for the parameters of NewHope. Since the new UB is much lower than the DFR requirement of PQC, this DFR margin can be used to improve NewHope. As a result, the security level and bandwidth efficiency of NewHope are improved by 7.2 % and 5.9 %, respectively.


Introduction
Current public-key algorithms based on integer factorization, discrete logarithm, and elliptic curve discrete logarithm problems (e.g., RSA and elliptic curve cryptography) have been unlikely to be broken by currently available technology. However, with the advent of quantum computing technology such as Shor's quantum algorithm for integer factorization, current public-key algorithms can be easily broken. For that reason, in order to avoid such security problems in future systems, new public-key algorithms called post-quantum cryptography (PQC) should be developed to replace the existing public-key algorithms. Therefore, the National Institute of Standards and Technology (NIST) has recently begun a PQC project to identify and evaluate post-quantum public-key algorithms secure against quantum computing [1]. Among the various PQC candidates, lattice-based cryptosystems have become one of the most promising candidate algorithms for post-quantum key exchange. Lattice-based cryptosystems have been developed based on worst-case assumptions about lattice problems that are believed to be resistant to quantum computing.
Among various lattice problems, the learning with errors (LWE) problem introduced by Regev in 2005 [2] has been widely analyzed and used. Furthermore, the Ring-LWE problem presented by Lyubashevsky, Peikert, and Regev in 2010 [3], which improves the computational and implementation efficiency of LWE, has also been widely used [4], [5], [6], [7], [8]. NewHope, proposed by Alkim, Ducas, Pöppelmann, and Schwabe [9], [10], is one of the various cryptosystems based on Ring-LWE. NewHope has attracted a lot of attention [11], [12], [13] and it was verified in an experiment by Google [14]. The key reasons that NewHope attracts so much attention are the use of a simple and practical noise distribution, a centered binomial distribution, and a proper choice of ring parameters for better performance and security.
NewHope is an indistinguishability (IND)-chosen ciphertext attack (CCA) secure key encapsulation mechanism (KEM) that exchanges the shared secret key based on the IND-chosen plaintext attack (CPA) secure public-key encryption (PKE). Note that the IND-CPA secure PKE can be transformed into the IND-CCA secure KEM using the Fujisaki-Okamoto (FO) transform [15]. The IND-CCA secure KEM obtained by applying the FO transform to an IND-CPA secure PKE requires a very low decryption failure rate (DFR) because an attacker can exploit the decryption failure [15], [16]. Therefore, the DFR in NewHope should be lower than $2^{-128}$ to ensure resilience against attacks that exploit decryption failures. Note that, as in Frodo [5] and Kyber [6], this study aims to achieve a DFR lower than $2^{-140}$ to allow enough margin in NewHope. In [4], [9], an upper bound on the DFR of NewHope is derived, but this upper bound is rather loose because the compression noise, the effect of encoding/decoding of NewHope, and the approximation effect of the centered binomial distribution are not fully considered. Furthermore, according to [20], [21], accurate calculation of the DFR is difficult because there is a problem of error dependency in Ring-LWE based cryptosystems. However, the DFR of an IND-CCA secure KEM obtained by applying the FO transform to an IND-CPA secure PKE must be calculated as accurately as possible because the DFR is closely related to the security.
In this paper, an upper bound on the DFR, which is much closer to the real DFR than the previous upper bound derived in [4], [9], is derived by considering the above-ignored factors. Also, the centered binomial distribution is not approximated by the subgaussian distribution. In particular, the new upper bound on the DFR considers the error dependency among error coefficients by using constraint relaxation, which is an approximation of a difficult problem by a nearby problem that is easier to solve, and the union bound. Furthermore, the new upper bound is parameterized by using the Chernoff-Cramer (CC) bound in order to facilitate calculation of the new upper bound for the parameters of NewHope. Since the new upper bound on the DFR is much lower than the DFR requirement of PQC, this DFR margin is used to improve the security and the bandwidth efficiency, that is, to reduce the ciphertext size.
Contributions. The contributions of this paper are divided into three categories.
(1) Understanding NewHope as a Digital Communication System. NewHope can be understood as a digital communication system. Bob and Alice are transmitter and receiver, respectively, and the 256-bit shared secret key is a message bit stream. The difference between the encoding output v and the received signal v distorted by many factors can be modeled as a digital communication channel. We analyze all the noise sources of this channel and numerically calculate the noise distribution of NewHope. Also, we analyze the encoding/decoding of additive threshold encoding (ATE) in NewHope, which is an error-correcting code (ECC) for NewHope.
(2) DFR Analysis of NewHope by Considering Error Dependency. The previous upper bound on the DFR of NewHope [4], [9] is loosely derived because the compression noise, the effect of encoding/decoding of ATE in NewHope, the effect of error dependency among error coefficients, and the approximation effect of the centered binomial distribution are not fully considered. However, we derive an upper bound on the DFR that is much closer to the real DFR than the previous upper bound by considering the above factors ignored in the derivation of the previous upper bound [4], [9]. Also, the exact centered binomial distribution is used for deriving the upper bound on the DFR without approximating it by the subgaussian distribution. As a result, a new upper bound on the DFR is derived, which is less than $2^{-418}$ for n = 1024 and $2^{-399}$ for n = 512. Note that the previous upper bound on the DFR is less than $2^{-216}$ for n = 1024 and $2^{-213}$ for n = 512.
(3) Improvement of Security and Bandwidth Efficiency of NewHope by Using the New DFR Margin. Since the new upper bound on the DFR is much lower than the required $2^{-128}$, this DFR margin can be exploited to improve the security level by 7.2 % or the bandwidth efficiency by 5.9 % without changing the procedures of NewHope.

Parameters
There are three important parameters in NewHope: n, q, and k.
- n: the dimension n = 512 or 1024 for NewHope guarantees the security properties of Ring-LWE and enables an efficient number theoretic transform (NTT) [18].
- q: the modulus q = 12289 is determined to support security and an efficient NTT, and it is closely related to the bandwidth.
- k: the noise parameter k = 8 is the parameter of the centered binomial distribution, which determines the noise strength and hence directly affects the security and the DFR [4].

Notations
- $R_q = \mathbb{Z}_q[x]/(X^n + 1)$: the ring of integer polynomials modulo $X^n + 1$ where each coefficient is reduced modulo $q$.
- $a \xleftarrow{\$} \chi$: the sampling of $a \in R_q$ following the probability distribution $\chi$ over $R_q$.
- $\psi_k$: the centered binomial distribution with parameter $k$, which is practically realized by , where $b_i$ and $b'_i$ are uniformly and independently sampled from {0, 1}. The variance of $\psi_k$ is $k/2$ [4].
- a • b: the coefficient-wise product of polynomials a and b.

NewHope Protocol
NewHope is a lattice-based KEM for Alice (Server) and Bob (Client) to share a 256-bit secret key with each other. The protocol of NewHope is briefly explained based on Fig. 1 as follows, where the functions are the same ones as defined in [4].
Step 1) $seed \xleftarrow{\$} \{0, 1, \ldots, 255\}^{32}$ denotes a uniform sampling of 32 byte arrays (corresponding to 256 bits) with 32 integer elements selected between 0 and 255 by using a random number generator. Then SHAKE256(l, d), a strong hash function [19], takes an integer l that specifies the number of output bytes and a byte array d as its input. In NewHope, z ← SHAKE256(64, seed) denotes that 32 byte arrays (seed) are hashed to generate 64 pseudorandom byte arrays (z) with 64 integer elements uniformly selected between 0 and 255. Then GenA expands 32 pseudorandom byte arrays z[0 : 31] using the SHAKE128 hash function [19] to generate the polynomial $\hat{a} \in R_q$, where z[0 : 31] is the first 32 byte arrays of z. Since $\hat{a}$ is generated from the seed sampled following a uniform distribution, the coefficients of $\hat{a}$ also follow a uniform distribution on $[0, q - 1]$.
Step 4) A 256-bit shared secret key (µ) is created and encoded by the ATE encoder to generate a 1024-symbol codeword v.
Step 5) Generate a ciphertext $(\hat{u}, v')$ by using the public key components b, $\hat{a}$, the various errors t, $e'$, $e''$ and v.
Step 6) To efficiently reduce bandwidth, compression is performed on the coefficients of $v'$ to generate the polynomial h, and then the ciphertext polynomials $(\hat{u}, h)$ are transformed into the byte arrays c by using EncodeC(), and c is transmitted to Alice. Alice performs decompression on ĥ to restore $v'$. However, this decompressed polynomial $v'_{decomp}$ is different from $v'$ generated in Step 5, due to the loss from compression and decompression. Alice creates v by using the received ciphertext c and sk generated in Step 2. Each coefficient of v is a sum of the corresponding coefficients of v and errors. Note that v is not a polynomial used in NewHope, but it is added in Fig. 1 for easy explanation of the results in this paper.
Step 7) The 256-bit shared secret key (µ) is recovered (or decrypted) from the coefficients of v by performing the decoding of ATE.
3 Understanding NewHope as a Digital Communication System

NewHope as a Digital Communication System
In order to facilitate analysis of the DFR of NewHope, it is much more convenient to understand the protocol of NewHope as a digital communication system. For NewHope, the mapping $\mathbb{Z}_2^{256} \to \mathbb{Z}_2^{n}$ and the mapping $\mathbb{Z}^{n} \to \mathbb{Z}_2^{256}$ through ATE, $n = 512$ or $n = 1024$, can be regarded as encoding and decoding of ECC, respectively. Also, the mapping $\mathbb{Z}_2^{n} \to R_q$ and $R_q \to \mathbb{Z}^{n}$ through ATE can be regarded as modulation and demodulation, respectively. Then NewHope can be understood as a digital communication system as follows.
Bob and Alice are transmitter and receiver, respectively, and the 256-bit shared secret key (µ) is a message bit stream. Also, the process of transmitting and receiving messages (Steps 4, 5, 6, and 7) can be viewed as a digital communication channel. In more detail, the transmitter (Bob) generates a 256-bit message bit stream, encodes this message into an n-bit codeword, modulates each codeword bit to a symbol of $\mathbb{Z}_q$, and transmits the resulting signal (Step 4). At the receiver (Alice), the signal received through the noisy channel is demodulated and decoded (Step 7). For NewHope, the process of adding the compression noise and the difference noise generated in Steps 5 and 6 can be regarded as a noisy communication channel. This overall process in Steps 4-7 can be described as a digital communication system shown in Fig. 2.
In Fig. 2, $\mu_{enc}$ is the encoded signal of µ obtained by applying the encoding of ATE, and $n_t$ represents the overall noise generated in Steps 5 and 6, which is called the total noise $n_t$. After interpreting NewHope as a digital communication system, the DFR in NewHope is equivalent to the block error rate $\Pr(\mu \neq \mu')$ in a digital communication system. Therefore, in order to calculate a tight upper bound on the DFR of NewHope, exact analysis of the encoding/modulation and decoding/demodulation of NewHope and of the noisy channel is required. In the following subsection 3.2, each operation in Fig. 2 is explained in detail and analyzed. The encoding of ATE is performed such that one message bit $\mu_i$ is repeated m times, and the modulation of ATE is a mapping of each bit to an element of $\mathbb{Z}_q$ (usually either 0 or $q/2$) as the coefficients of v. Note that the m repetitions are the same operation as the encoding of an m-repetition code. The demodulation of ATE is to calculate the absolute value of the difference between the received erroneous symbol $v_i$ and $q/2$ over the integer domain $\mathbb{Z}$. The decoding of ATE is to sum up the four absolute values corresponding to the same $\mu_{enc,i}$, $\mu_{enc,i+256}$, $\mu_{enc,i+512}$, $\mu_{enc,i+768}$ to generate $\mu_{s,i}$ and compare it with the threshold $m \cdot q/4$ to determine if the estimate $\mu'_i$ of $\mu_i$ is 0 or 1 as follows.
Analysis of Difference Noise, Compression Noise, and Total Noise of NewHope
Total noise $n_t$ is defined as the noise contained in the received signal v except the transmitted signal v. The ith coefficient $n_{t,i}$ of the total noise polynomial $n_t$ contained in the polynomial v in Step 6 is expressed as follows.
where $(\cdot)_i$ denotes the ith coefficient of the given polynomial,
To analyze the compression noise $n_{c,i}$, we first need to investigate the coefficient of the polynomial $v' = ass' + es' + e''$ being compressed, where the coefficients of $s$, $s'$, $e$, and $e''$ follow the predetermined centered binomial distribution. However, since the coefficients of polynomial $a$ follow a uniform distribution, the coefficient of the compressed polynomial $h$ will eventually follow a uniform distribution. A compression of $v'$ is performed by applying $\lfloor v'_i \cdot r/q \rceil$ to the coefficients $v'_i$ of $v'$ to generate the coefficient $h_i$ of $h$, where $\lfloor \cdot \rceil$ is a rounding function that rounds to the closest integer, $r$ denotes the compression rate on $v'$, and $r = 8$ for NewHope. Then the range of the compressed coefficients $h_i$ of $h$ is changed from $[0, q - 1]$ to $[0, r - 1]$ so that the number of bits required to store a coefficient is reduced from 14 bits ($= \lceil \log_2 q \rceil$) for $v'$ to 3 bits ($= \lceil \log_2 r \rceil$) for NewHope with $r = 8$. Note that the smaller the value of $r$ is, the more compression is performed. A decompression is performed by applying $\lfloor h_i \cdot q/r \rceil$ to each of the coefficients of $h$. Then the coefficient takes a value from $0, \lfloor q/r \rceil, \lfloor 2q/r \rceil, \ldots, \lfloor (r - 1) \cdot q/r \rceil$. This compression and decompression are illustrated in Fig. 4, where the coefficients $v'_i$ of $v'$ from different patterns (or ranges) are mapped to different $v'_{decomp,i}$ values through compression and decompression. In the end, compression and decompression can be seen as a rounding operation. Therefore, the compression noise is inevitably generated with the maximum magnitude $q/2r$, and the distribution $\Pr_{n_c}(x)$ of the compression noise is derived as follows:
To analyze the difference noise $n_{d,i} = (es' - e's + e'')_i$, we use the fact that the coefficients of $e$, $e'$, $e''$, $s$, and $s'$ are independent and identically distributed (i.i.d.) following the same centered binomial distribution. In order to derive the distribution of the coefficient $n_{d,i}$ of $n_d$, a number of convolution operations are required because it is a sum of many i.i.d. random variables, each of which is obtained by multiplying two i.i.d. random variables following the centered binomial distribution. However, since it is difficult to calculate the multiple convolutions of the above distribution in closed form, the distribution of the difference noise is numerically calculated [13].
Total noise is a sum of compression noise and difference noise, which are independently generated. Thus, the distribution of total noise is obtained by performing convolution of the distributions of compression noise and difference noise as shown in Fig. 5. However, due to the error dependency among the total noise coefficients $n_{t,i}$, the distribution of only one total noise coefficient cannot be used to calculate the accurate DFR or derive a better upper bound on the DFR [20], [21].
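The channel described above (ATE encoding and decoding, compression, difference noise and total noise) can be run end to end. The following is an added example, not code from the paper or from the NewHope reference implementation; it assumes the NewHope specification's naming (Alice holds s, e; Bob holds s', e', e'', written `s1`, `e1`, `e2`), uses schoolbook multiplication in place of the NTT, and defaults to n = 512 to keep the run short.

```python
import random

Q, K, R = 12289, 8, 8   # modulus, noise parameter, compression rate (from the page)

def sample_psi(rng, n, k=K):
    """n coefficients from the centered binomial distribution psi_k."""
    return [sum(rng.getrandbits(1) - rng.getrandbits(1) for _ in range(k))
            for _ in range(n)]

def polymul(a, b, q=Q):
    """Product in Z_q[x]/(x^n + 1): terms wrapping past x^n change sign."""
    n = len(a)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] += ai * bj
            else:
                res[i + j - n] -= ai * bj
    return [c % q for c in res]

def add(x, y, q=Q):
    return [(xi + yi) % q for xi, yi in zip(x, y)]

def sub(x, y, q=Q):
    return [(xi - yi) % q for xi, yi in zip(x, y)]

def centered(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= q
    return x - q if x > q // 2 else x

def ate_encode(bits, n, q=Q):
    """Repeat each of the 256 bits m = n/256 times; map 0 -> 0, 1 -> floor(q/2)."""
    return [bits[i % 256] * (q // 2) for i in range(n)]

def ate_decode(v, q=Q):
    """Sum |v_i - floor(q/2)| over the m copies of a bit; below m*q/4 means 1."""
    m = len(v) // 256
    out = []
    for i in range(256):
        dist = sum(abs(v[i + 256 * j] % q - q // 2) for j in range(m))
        out.append(1 if 4 * dist < m * q else 0)
    return out

def compress(x, q=Q, r=R):
    """round(x * r / q) mod r, in integer arithmetic."""
    return ((x * r + q // 2) // q) % r

def decompress(h, q=Q, r=R):
    """round(h * q / r), in integer arithmetic."""
    return (h * q + r // 2) // r

def run_channel(seed, n=512):
    """One encryption/decryption; returns the message, its estimate and the noises."""
    rng = random.Random(seed)                       # constructed, reproducible input
    a = [rng.randrange(Q) for _ in range(n)]
    s, e = sample_psi(rng, n), sample_psi(rng, n)            # Alice: s, e
    s1, e1, e2 = (sample_psi(rng, n) for _ in range(3))      # Bob: s', e', e''
    mu = [rng.getrandbits(1) for _ in range(256)]
    b = add(polymul(a, s), e)                                # public key b = a s + e
    u = add(polymul(a, s1), e1)                              # u = a s' + e'
    v = ate_encode(mu, n)
    v1 = add(add(polymul(b, s1), e2), v)                     # v' = b s' + e'' + v
    v1_dec = [decompress(compress(c)) for c in v1]           # what Alice restores
    received = sub(v1_dec, polymul(u, s))                    # v + total noise
    n_c = [centered(d - c) for d, c in zip(v1_dec, v1)]      # compression noise
    n_d = add(sub(polymul(e, s1), polymul(e1, s)), e2)       # e s' - e' s + e''
    n_t = [centered(x - y) for x, y in zip(received, v)]     # total noise
    return {"mu": mu, "decoded": ate_decode(received), "n_c": n_c,
            "n_d": [centered(c) for c in n_d], "n_t": n_t}

if __name__ == "__main__":
    out = run_channel(seed=1)
    print("decrypted correctly:", out["decoded"] == out["mu"])
    print("max |n_c|:", max(abs(c) for c in out["n_c"]),
          " max |n_t|:", max(abs(c) for c in out["n_t"]))
```

Every coefficient of `n_t` equals `n_d + n_c` modulo q, and the coefficients of `n_d` share the same secrets, which is the dependency the bound in the next section has to account for.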

New Upper Bound on DFR of NewHope
In this paper, a new upper bound on the DFR of NewHope, which is much tighter than the upper bound given in [4], [9], is derived by considering the total noise in section 3 and the centered binomial distribution without doing subgaussian approximation. More importantly, the error dependency is considered in deriving an upper bound on the DFR by using constraint relaxation, which is an approximation of a difficult problem by a nearby problem that is easier to solve, and the union bound.
A new upper bound on the DFR of NewHope is derived by considering two types of error dependency as shown in Fig. 6. The first analysis of BER is performed on the output bit of one ATE decoder to derive an upper bound on the BER $\Pr(\mu_i \neq \mu'_i)$. In this case, the error dependencies among the four input values are considered. Note that analysis of one ATE decoder is good enough because all 256 ATE decoders are statistically identical. The second analysis is performed on the 256 output bits $\mu'_i$ of the ATE decoders in NewHope to derive an upper bound on the DFR $\Pr(\mu \neq \mu')$ of NewHope. In this case, the error dependencies among the 256 bits $\mu'_i$ are considered.
Fig. 5: Distributions of total noise, compression noise, and difference noise of NewHope (These distributions are symmetric with respect to $q/2$ where q = 12289).
Proposed Upper Bound on BER of NewHope
Suppose that $\Pr(\mu_i = 0) = \Pr(\mu_i = 1) = 1/2$, then the BER is the average of two conditional probabilities depending on $\mu_i$.
Since $\Pr(\mu_i \neq \mu'_i \mid \mu_i = 0)$ and $\Pr(\mu_i \neq \mu'_i \mid \mu_i = 1)$ are statistically identical, we analyze the BER given $\mu_i = 1$. Then the total noise given $\mu_i = 1$ is defined by $n^{\mu_i=1}_{t,i} = (n_{t,i} + \mu_{enc,i}) \bmod q$. Note that 0 and 1 of $\mathbb{Z}_2$ are mapped into 0 and $q/2$ of $\mathbb{Z}_q$, respectively. The output $\mu_{s,i}$ of decoding/demodulation of NewHope, which is defined in section 3.2, is determined by four dependent coefficients of v given $\mu_i = 1$ as follows: where $\mu_{s,i} \in \mathbb{Z}$.
In NewHope, most operations are performed over $R_q = \mathbb{Z}_q[x]/(X^n + 1)$, but for the convenience of analysis, we consider the two domains $\mathbb{Z}$ and $\mathbb{Z}_q$, and express the polynomials $e$, $s$, $e'$, $s'$, $e''$, and $n_c$ in $R_q = \mathbb{Z}_q[x]/(X^n + 1)$ by the vectors $e$, $s$, $e'$, $s'$, $e''$, and $n_c$ in $\mathbb{Z}^{n \times 1}$. Then, it is clear that $e, s, e', s', e'' \in \mathbb{Z}^{n \times 1}$ are the random vectors following the centered binomial distribution with the parameter k = 8 and $n_c \in \mathbb{Z}^{n \times 1}$ is the random vector following the uniform distribution over the support $[-\frac{q}{2}, \frac{q}{2}]$. To express the product of two polynomials over $R_q = \mathbb{Z}_q[x]/(X^n + 1)$ as an operation • for the corresponding vectors over $\mathbb{Z}^{n \times 1}$, we define a new operation , which is called cyclic shift product, as follows: where sign(x) = 1 when x ≥ 0, otherwise sign( where $(\cdot)^T$ denotes the transpose of vector. Using the newly defined vectors $e$, $s$, $e'$, $s'$, $e''$, $n_c$ and operation , ATE $\mu_{s,i}$ in (5) can be expressed as: where $n^*_{t,i} = (e\, s')_i - (e'\, s)_i + e''_i + n_{c,i}$, and $\alpha_i$ is an integer making $n^*_{t,i}$ be in $[0, q - 1]$ such that $n^{\mu_i=1}_{t,i} = n^*_{t,i} - \alpha_i q + q/2$ and $|\alpha_i| \le (2nk^2 + k + (q - 1)/r)/q$. For example, if $|n^*_{t,i}| \le q/2$, then $\alpha_i = 0$. Finally, under the condition that an all-one message bit is transmitted, the event of bit error is equivalent to the following inequality.
where $2q - 2$ is the maximum value of $|n^*_{t,i+256l} - q\alpha_{i+256l}|$. In order to find the support satisfying (8), some sets and vectors should be defined. Let $\Omega = \mathrm{supp}(e, s, e', s', e'', n_c)$ = {e, s, e , s , e , n c |e, s, e , s , e ∈ where k is the centered binomial parameter, r is the compression rate such that $\Pr(\Omega) = 1$ and let the bit error support
Since (8) is the sum of four absolute values, it can be divided into 16 cases, and the new vector $y^i \in \{-1, 1\}^{4 \times 1}$, whose jth element $y^i_j$ is $-\mathrm{sign}(i \bmod 2^j - 2^{j-1})$ for $i = 0, 1, \ldots, 15$, is used for dividing into 16 cases. For example, $y^0 = (1, 1, 1, 1)$ and $y^7 = (1, -1, -1, -1)$. Then, by using $y^j \in \{-1, 1\}^{4 \times 1}$, the set $\Omega_j$ that satisfies each of the 16 cases of (8) can be defined as follows: where the details of $\Omega_j$ are shown in Table 1. The sets $\Omega_0, \Omega_1, \ldots, \Omega_{15}$ are clearly disjoint sets such that $\Omega = \cup_{i=0}^{15} \Omega_i$, and then the absolute operator in (8) can be replaced with $y^k$ by $\Omega_k$ as follows: The bit error support $E$ can be partitioned into 16 supports $E_0, E_1, \ldots, E_{15}$ by using the support $\Omega_k$ as follows: It is obvious that $E_j \subseteq \Omega_j$ for $j = 0, 1, \ldots, 15$, and Also, $E_k$ is expressed using $\Omega_k$ as follows: For the convenience of explanation, the inequality in (12) is expressed by using the new variable $\beta = -1, 0, \ldots, q - 2$ as follows: where $A_i = \sum_{l=0}^{3} \alpha_{i+256l}\, y^k_l$ and $A_i$ is fully determined by $n^*_{t,i}$, $n^*_{t,i+256}$, $n^*_{t,i+512}$, and $n^*_{t,i+768}$, and $|A_i| < 4\alpha_{max}$ where $\alpha_{max} = (2nk^2 + k + (q - 1)/r)/q$. There are two constraints in (13): $A_i$ is a finite integer, and $\sum_{l=0}^{3} n^*_{t,i+256l}$ and $\beta$ are congruent modulo q. Thus, $E_k$ can be expressed as a union of supports satisfying the two constraints as follows: where $A_{min} = -4\alpha_{max}$ and $A_{max} = 4\alpha_{max}$.
In order to calculate the BER, the occurring probability $\Pr(E)$ of the bit error support $E$ should be calculated. As mentioned above, since the bit error support $E$ can be disjointly partitioned, $\Pr(E) = \sum_{i=0}^{15} \Pr(E_i)$. If $E_0$ is first considered, it can be expressed as the union of different supports as follows: where $E_{0,j \neq 1}$ = j:j ≠ 1
Next, in order to derive the upper bound of the occurring probability of $E_0$, the upper bound of the occurring probability of each support $E_{0,j \neq 1}$ and $E_{0,j=1}$ is derived by using the following Theorems 1 and 2.
In the equation $n_{t,i,\mu_i=1} = n^*_{t,i} - \alpha_i q + q/2$, since $\alpha_i$ makes $n_{t,i,\mu_i=1}$ be in $[0, q - 1]$ and the message is $q/2$, $\alpha_i = 0$ if and only if $-q/2 \le n^*_{t,i} \le q/2$. Conversely, . Then, we can relax the constraint $\{\Omega \mid \sum_{l=0}^{3} n^*_{t,i+256l} = jq + \beta\}$ and make the superset whose occurring probability is greater than or equal to that of the original set $E_{0,j \neq 1}$ as follows: The occurring probability of $E_{0,j \neq 1}$ is bounded by using the union bound.

Theorem 2
The occurring probability of $E_{0,j=1}$ is at most Pr(q−1 ≤
Proof. If $A_i = 0$, then $E_{0,j=1}$ can be relaxed by eliminating the constraints { 0 ∈ Ω 0 |A i = 0} as follows: Therefore, $\Pr(E_{0,j=1}) \le$ Pr(q − 1 ≤
It is clear that each partial inner product has a similar structure and hence, we define a new random variable $W_j$, Note that both $(e'\, s)$ and $(e\, s')$ are decomposed into $n/4$ i.i.d. random variables $W_j$, and therefore a total of $n/2$ i.i.d. random variables $W_j$ are obtained to produce
In conclusion, by using Theorems 1 and 2 and the union bound, the occurring probability of $E_0$ is upper bounded as follows:
Next, in order to calculate the BER, $\Pr(E_1), \Pr(E_2), \ldots, \Pr(E_{15})$ should be calculated, and they can be calculated by using Theorem 4 as follows.
Proof. Recall that the 16 vectors $y^0, y^1, \ldots, y^{15}$ determine the signs of four noise elements such as $\pm n^*_{t,i}$, $\pm n^*_{t,i+256}$, $\pm n^*_{t,i+512}$ and $\pm n^*_{t,i+768}$, and four coefficients such as $\pm\alpha_i$, $\pm\alpha_{i+256}$, $\pm\alpha_{i+512}$, and $\pm\alpha_{i+768}$. As in the proof of Theorem 1, the superset of $E_{k,j \neq 1}$ is found. | is greater than q/2 . Clearly, $\Pr(E_{k,j \neq 1})$, $\forall k = 1, 2, \ldots, 15$ is upper bounded in the same way as $\Pr(E_{0,j \neq 1})$ by using the union bound as follows: Also, Theorem 2 is applied to the other $\Pr(E_{k,j=1})$, $\forall k = 1, 2, \ldots, 15$ as follows: Therefore, we obtain the upper bound on $\Pr(E_{k,j=1})$ as follows: Since expectation of $W_j$ for j = 0, 1, 16) consist of sum of product of i.i.d. e and s whose means are zero, the expectation of $W_j$ is zero. This fact guarantees that for any $y^j$, the distributions of $\sum_{l=0}^{3} n^*_{t,i+256l}\, y^k_l$ are statistically identical and therefore the upper bounds on $\Pr(E_1), \Pr(E_2), \ldots, \Pr(E_{15})$ are the same as that on $\Pr(E_0)$. In summary, by using Theorems 1, 2, 3, and 4, the upper bound on $\Pr(E)$, which is the BER of NewHope, is derived by using the union bound as follows: $\Pr(E_j)$
Derivation of Upper Bound on DFR of NewHope
By using the $\Pr(E)$ in (17), the DFR can be easily upper bounded by using the union bound.
Theorem 5
The DFR $\Pr(\mu \neq \mu')$ of NewHope is upper bounded as $\Pr(\mu \neq \mu') \le \sum_{i=0}^{255} \Pr(\mu_i \neq \mu'_i)$.
Proof. Since the DFR is the probability of the union of all bit error events, the DFR is upper bounded by the sum of the BERs by using the union bound.
Each BER is identical so that the upper bound on the DFR is expressed as:
Parametrization of the Proposed Upper Bound on DFR of NewHope
The computational complexity of deriving the distribution of ). Therefore, as k increases, the proposed upper bound cannot be easily computed. For this reason, the proposed upper bound on the DFR of NewHope is parametrized for easy calculation by using the CC bound, at the cost of some tightness.
Theorem 6 (Chernoff-Cramer bound)
Let $\Phi$ be a distribution over $\mathbb{R}$ and let $\chi_1, \ldots, \chi_n$ be i.i.d. random variables of $\Phi$, with average µ. Then, for any t such that
The proposed upper bound has two occurring probabilities $\Pr(|n^*_{t,i+l}| > q/2)$ and Pr(q (18) and the CC bound can be applied to each of those probabilities. In order to apply the CC bound to $\Pr(|n^*_{t,i+l}| > q/2)$, we need to calculate the moment generating function (MGF) of the product of two centered binomial random variables. Suppose that $X$ and $Y$ follow the binomial distribution with parameter $2k$, and $X_c$ and $Y_c$ follow the centered binomial distribution with parameter $k$. Then Since $n^*_{t,i}$ is the sum of many products of two independent random variables drawn from the centered binomial distribution, the CC bound can be applied as follows: sign(i − j) e j s (i−j) mod n − e j s (i−j) mod n Although the MGF of , where $W_j$ is in (16). For the convenience of analysis, the new variable $W$ is defined as: By using ] in (19), Even if the computational complexity of $M_{\Phi_W}$ is $O(k^8)$, by using $\cosh^{2k}(t) \le e^{kt^2}$ and the new random variable Z = (s 0 + s , the upper bound of $M_{\Phi_W}$ can be derived, which has the complexity $O(k^4)$ as follows: Then, by using CC bound and in (22), Pr(q Finally, a simplified upper bound on the DFR of NewHope is derived as follows:
Verification of the proposed upper bounds on DFR of NewHope
We compare the proposed upper bound in (18) and the simplified upper bound using the CC bound in (23) with the current upper bound on the DFR of NewHope [4], [9] for various k. Note that the current upper bound on the DFR of NewHope [4], [9] is only provided when k = 8. Additionally, we compare the proposed upper bound with the DFR derived by assuming no error dependency as in [13]. For ease of expression, we will use "Proposed upper bound" to denote the upper bound derived in (18), "CC upper bound" to denote the simplified upper bound using the CC bound in (23), "Current upper bound" to denote the current upper bound on the DFR of NewHope [4], [9], "No error dependency" to denote the DFR values calculated by assuming no error dependency as in [13], and "Monte Carlo" to denote the DFR values obtained by performing Monte Carlo simulation of the NewHope protocol.
Fig. 8 compares the various upper bounds on the DFR of NewHope for various noise parameters k for n = 1024. First of all, it is confirmed that the two proposed upper bounds improve the upper bound by more than fifty orders of magnitude compared to the current upper bound for k = 8. If we compare the proposed upper bound and the CC upper bound, we can see that the CC bound is looser, as expected. Nevertheless, since the computational complexity of the proposed upper bound substantially increases as k increases, the proposed upper bound is difficult to calculate when k is large. However, the CC upper bound can be calculated for most k because it is parameterized for easy calculation. In Fig. 8, Monte Carlo is the DFR value obtained by performing Monte Carlo simulation of the NewHope protocol. Therefore, this DFR value reflects the error dependency, but this simulation is only possible for the higher noise case (i.e., larger k values). If we compare Monte Carlo with no error dependency, it is confirmed that the Monte Carlo DFR values are slightly larger than the no error dependency values. The reason for this is that NewHope uses an error correction code called ATE [20], and therefore the DFR performance is degraded due to error dependency. Also, according to the argument in [20], since NewHope uses ATE as an ECC, the no error dependency estimate becomes too optimistic. Fig. 8 shows that as k increases, the proposed upper bound and no error dependency become almost identical. Therefore, it is guaranteed that the proposed upper bound is a fairly tight upper bound, especially for large k.
Fig. 9 compares the various upper bounds on the DFR of NewHope for various noise parameters k for n = 512. First of all, it is confirmed that the two proposed upper bounds improve the upper bound by more than forty orders of magnitude compared to the current upper bound for k = 8. Unlike the case of n = 1024, the proposed upper bound can be calculated for most k when n = 512. Thus, when n = 512, we can calculate tight upper bound values for most k.
In conclusion, when n = 1024 and n = 512, it is confirmed that the proposed upper bound is fairly tight. Figs. 8 and 9 show that when the noise parameter k is 8, the proposed upper bound on the DFR of NewHope is much smaller than the DFR requirement of PQC. Therefore, by utilizing this new DFR margin, the security and bandwidth efficiency of NewHope can be improved, which will be verified in the next section.
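One way to evaluate a Chernoff-Cramer bound for the single-coefficient probability Pr(|n*_{t,i}| > q/2) named in the parametrization above, using the exact MGF of a product of two centered binomial variables. This is an added example, not the paper's formula (23) or its code; it assumes that the 2n products inside one coefficient are independent, that the compression noise is independent of the difference noise as the text states, and it searches t on a grid whose `t_max` and `steps` are choices made here.

```python
import math

Q, K, R = 12289, 8, 8   # modulus, noise parameter, compression rate (from the page)

def psi_pmf(k=K):
    """Exact pmf of the centered binomial psi_k = Binomial(2k, 1/2) - k."""
    return {x - k: math.comb(2 * k, x) / 4 ** k for x in range(2 * k + 1)}

def product_pmf(k=K):
    """Exact pmf of X*Y for independent X, Y ~ psi_k (no subgaussian approximation)."""
    p, out = psi_pmf(k), {}
    for x, px in p.items():
        for y, py in p.items():
            out[x * y] = out.get(x * y, 0.0) + px * py
    return out

def compression_noise_pmf(q=Q, r=R):
    """pmf of decompress(compress(x)) - x, centered mod q, for uniform x in Z_q."""
    out = {}
    for x in range(q):
        h = ((x * r + q // 2) // q) % r          # round(x * r / q) mod r
        d = ((h * q + r // 2) // r - x) % q      # round(h * q / r) - x
        d = d - q if d > q // 2 else d
        out[d] = out.get(d, 0.0) + 1.0 / q
    return out

def log_mgf(pmf, t):
    """ln E[exp(t X)] for a finite pmf."""
    return math.log(sum(p * math.exp(t * x) for x, p in pmf.items()))

def cc_tail_log2(n, k=K, q=Q, r=R, t_max=0.4, steps=200):
    """log2 of a Chernoff-Cramer bound on Pr(|n*_{t,i}| > q/2) for one coefficient.

    n*_{t,i} is modelled as 2n independent products of psi_k variables,
    plus one psi_k variable (e''_i), plus the compression noise n_{c,i}.
    """
    prod, psi, nc = product_pmf(k), psi_pmf(k), compression_noise_pmf(q, r)
    best = 0.0                                   # t = 0 gives the trivial bound
    for step in range(1, steps + 1):
        t = t_max * step / steps
        # n_c is not exactly symmetric, so take the worse of its two tails.
        nc_term = max(log_mgf(nc, t), log_mgf(nc, -t))
        expo = 2 * n * log_mgf(prod, t) + log_mgf(psi, t) + nc_term - t * q / 2
        best = min(best, expo)
    return (best + math.log(2)) / math.log(2)    # factor 2 covers both tails

if __name__ == "__main__":
    for n in (512, 1024):
        print(f"n = {n}: log2 Pr(|n*_t,i| > q/2) <= {cc_tail_log2(n):.1f}")
```

The result bounds one coefficient only; turning it into a BER or DFR bound still needs the treatment of dependent coefficients developed in the section above.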

Improved Security and Bandwidth Efficiency of NewHope Based on New Upper Bound on DFR

Improved Security
Since there exists a trade-off relation between the security level and the DFR, it is necessary to properly select the noise parameter k of the centered binomial distribution such that the security level and the DFR are appropriately determined to meet the requirements. Since it is confirmed by the new upper bound on the DFR that NewHope is designed to have an unnecessarily low DFR, the security level can be further improved by using the new DFR margin, which is the difference between the new upper bound and the required DFR.
Table 2 shows the improved security levels, which are calculated as the cost of the primal attack and the cost of the dual attack [22] on NewHope. It is possible to improve the security level by 7.2 % (n = 1024, k = and 8.9 % (n = 512, k = 14) while guaranteeing the required DFR of $2^{-140}$ compared with the current NewHope. Note that such a security level improvement does not require much increase of time/space complexity in NewHope because it only changes the noise parameter k without any additional procedure. Therefore, this improvement of security can be easily applied to NewHope.

Improved Bandwidth Efficiency
The bandwidth efficiency of NewHope can also be improved by utilizing the new DFR margin. An improvement of bandwidth efficiency is achieved by reducing (that is, compressing further) the ciphertext size, which, however, increases the compression noise, resulting in DFR degradation. Even with such increased compression noise, both the improvement of bandwidth efficiency and the required DFR of $2^{-140}$ can be achieved by utilizing the new DFR margin.
Table 3 shows the improved bandwidth efficiency of NewHope achieved by additional ciphertext compression.It is possible to improve the bandwidth efficiency by 5.9 % by changing the compression rate on v from 8 (3 bits per coefficient) to 4 (2 bits per coefficient) and the security level by 2.5 % by changing the noise parameter from 8 to 10 for n = 1024.Similarly, it is possible to improve the bandwidth efficiency by 5.9 % and the security level by 1.9 % by changing the noise parameter from 8 to 9 for n = 512.The improvement of the security and bandwidth efficiency requires little change in the protocol of NewHope, so that this improvement can be easily applied to NewHope.

Closeness of Centered Binomial Distribution and the Corresponding Rounded Gaussian Distribution for Various k
The properties of the rounded Gaussian distribution ξ are a key factor in the worst-case to average-case reduction for Ring-LWE. However, since very high-precision and high-complexity sampling is required for the rounded Gaussian distribution, NewHope uses the centered binomial distribution $\psi_k$ for practical sampling without having a rigorous security proof. It is generally accepted that the closer the centered binomial distribution and the rounded Gaussian distribution are to each other, the more secure NewHope is regarded to be. The closeness of two distributions can be measured through many methods. Among them, Rényi divergence is a well-known method, which is parameterized by a real a > 1 and defined for two distributions P and Q as follows [23], [24].
We define $\xi_k$ to be the rounded Gaussian distribution with the variance $\sigma^2 = k/2$, which is the distribution of $\lfloor \sqrt{k/2} \cdot x \rceil$ where x follows the standard normal distribution. Fig. 10 shows the Rényi divergence (a = 9 is used as in [4]) of the centered binomial distribution $\psi_k$ and the rounded Gaussian distribution $\xi_k$ with the same variance k/2. It is clear that the Rényi divergence decreases as
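As an added illustration (not code from the paper), the following Python sketch computes the Rényi divergence of order a = 9 between the centered binomial distribution and the rounded Gaussian distribution of the same variance k/2. It assumes the standard definition used in the lattice literature, R_a(P‖Q) = (Σ_{x∈Supp(P)} P(x)^a / Q(x)^(a−1))^(1/(a−1)), and that the rounded Gaussian is sqrt(k/2)·x rounded to the nearest integer; all function names are illustrative.

```python
import math

def centered_binomial_pmf(k):
    """psi_k: sum of k differences of two fair bits; support -k..k, variance k/2."""
    total = 2 ** (2 * k)
    return {x: math.comb(2 * k, k + x) / total for x in range(-k, k + 1)}

def rounded_gaussian_pmf(k, z):
    """xi_k at integer z: probability that sqrt(k/2)*x rounds to z, x ~ N(0, 1).

    Assumption: rounding is to the nearest integer, so the mass at z is the
    Gaussian probability of the interval [z - 1/2, z + 1/2].
    """
    scale = math.sqrt(k / 2) * math.sqrt(2)  # sigma * sqrt(2), the erf/erfc scale
    z = abs(z)                               # the distribution is symmetric
    if z == 0:
        return math.erf(0.5 / scale)
    # erfc keeps precision in the tails, where a difference of CDFs would cancel
    return 0.5 * (math.erfc((z - 0.5) / scale) - math.erfc((z + 0.5) / scale))

def renyi_divergence(k, a=9):
    """R_a(psi_k || xi_k), summed over the support of psi_k (assumed definition)."""
    acc = 0.0
    for x, p in centered_binomial_pmf(k).items():
        q = rounded_gaussian_pmf(k, x)
        acc += p * (p / q) ** (a - 1)        # equals p^a / q^(a-1), avoids underflow
    return acc ** (1.0 / (a - 1))

if __name__ == "__main__":
    # Candidate noise parameters mentioned on this page, plus k = 16 for reference
    for k in (8, 9, 10, 14, 16):
        print(f"k = {k:2d}   R_9(psi_k || xi_k) = {renyi_divergence(k):.6f}")
```

A value closer to 1 means the two distributions are closer, so the printed column shows directly how a change of k affects the closeness that the security argument relies on.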

Conclusions
Since NewHope is an IND-CCA secure KEM by applying the FO transform to an IND-CPA secure PKE, accurate DFR calculation is required to guarantee resilience against attacks that exploit decryption failures. However, the upper bound on DFR of NewHope derived in [4], [9] is rather loose because the compression noise and the effect of encoding/decoding of ATE in NewHope are not fully considered. Also, the centered binomial distribution is approximated by a subgaussian distribution. Furthermore, since NewHope is a Ring-LWE based cryptosystem, there is a problem of error dependency among error coefficients, which makes accurate DFR calculation difficult.
In this paper, an upper bound on DFR, which is much closer to the real DFR than the previous upper bound on DFR derived in [4], [9], is derived by considering the factors ignored above. Also, the centered binomial distribution is not approximated by the subgaussian distribution. In particular, the new upper bound on DFR considers the error dependency among error coefficients by using constraint relaxation and the union bound. Furthermore, the new upper bound on DFR is parameterized by using the CC bound in order to facilitate calculation of the new upper bound on DFR for the parameters of NewHope.
Since the new upper bound on DFR of NewHope is much lower than the DFR requirement of PQC, this DFR margin can be used to improve the security and bandwidth efficiency. As a result, the security level of NewHope is improved by 7.2%, or the bandwidth efficiency is improved by 5.9%. This improvement in the security and bandwidth efficiency can be easily achieved in NewHope because there is little change in the time/space complexity of NewHope.

3.2 Analysis of Encoding/Modulation and Decoding/Demodulation and Channel Noise of NewHope
Analysis of Encoding/Modulation and Decoding/Demodulation of NewHope: ATE
In NewHope, ATE is used to encode and modulate a message bit $\mu_i$, and decode and demodulate an erroneous message bit $v_i$. Note that ATE performs both encoding/decoding as an ECC and modulation/demodulation. The encoding/modulation and decoding/demodulation procedures of ATE with m repetitions are shown in Fig. 3 where m = 4 for n = 1024 and m = 4 for n = 512 [17].

Fig. 6: Two types of error dependency in the demodulation and decode of NewHope.

Fig. 10: Rényi divergence of the centered binomial distribution $\psi_k$ and the rounded Gaussian distribution $\xi_k$ with the same variance k/2 according to k (a = 9).
and $\alpha_{i+768}$ is not zero. The fact implies at least one among |n *

Table 2: Improved security level of NewHope based on new DFR margin (the noise parameter of current NewHope is k = 8 and the required DFR is $2^{-140}$).

Table 3: Improved bandwidth efficiency of NewHope based on new DFR margin (the noise parameter and compression rate of current NewHope are k = 8 and r = 8, respectively, and the required DFR is $2^{-140}$).