Hi all,
If I understand it properly, in the proposal the client needs to send the whole
matrix A in the first initiation message. I draw this conclusion from the
datagram:
| a, A := NEWHOPE_KEYGEN(SEED) |
| CLIENT_HDATA := ID || Z || X || A |
| |
| --- CLIENT_HDATA --->
May I ask why? Is it because the keypair generation is modularized, and
hence a and A are connected from a protocol point of view? However, in the
original construction of New Hope, or other R-LWE-based schemes, a and A
are sampled independently, so giving out the seed of A will not leak information
on a. So how about the following:
| A := NEWHOPE_PK_KEYGEN(SEED1) |
| a := NEWHOPE_SK_KEYGEN(SEED2) |
| CLIENT_HDATA := ID || Z || X || SEED1 |
| |
| --- CLIENT_HDATA --->
This will save significant data in the first transmission: over 1 KB of A
compared to 32 bits of SEED1. The server will be able to recover A from
NEWHOPE_PK_KEYGEN, which will be a public function.
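To make the size comparison concrete, here is a small added example (my own code, not the proposal's or New Hope's reference implementation) that models both CLIENT_HDATA layouts. It assumes NewHope-style parameters n = 1024, q = 12289, a 32-byte SEED1, and a stand-in for NEWHOPE_PK_KEYGEN that expands A from SEED1 with SHAKE-128 and rejection sampling; ID, Z and X are opaque placeholders.

```python
import hashlib

# Ring parameters in the style of NewHope (n = 1024, q = 12289); assumed for this example.
N, Q = 1024, 12289
COEFF_BITS = 14                       # ceil(log2(Q)) bits per coefficient on the wire
SEED_LEN = 32                         # bytes; SEED1 is assumed to be a 32-byte seed

def expand_public_A(seed1: bytes) -> list[int]:
    """Public, deterministic expansion of A from SEED1 (a stand-in for the poster's
    NEWHOPE_PK_KEYGEN). SHAKE-128 output is read as 16-bit little-endian words; a word
    is accepted if it is below 5*Q and then reduced mod Q, so coefficients are uniform
    in [0, Q). Anyone holding SEED1 recomputes exactly the same A, so nothing about
    an independently sampled secret is revealed by publishing the seed."""
    if len(seed1) != SEED_LEN:
        raise ValueError("SEED1 must be %d bytes" % SEED_LEN)
    stream = hashlib.shake_128(seed1).digest(8 * N)   # 4096 words, ~3.75x the expected need
    coeffs = []
    for pos in range(0, len(stream), 2):
        word = int.from_bytes(stream[pos:pos + 2], "little")
        if word < 5 * Q:                               # rejection step keeps the sample uniform
            coeffs.append(word % Q)
            if len(coeffs) == N:
                return coeffs
    raise RuntimeError("SHAKE buffer exhausted (probability negligible)")

def encode_A(coeffs: list[int]) -> bytes:
    """Pack N coefficients at COEFF_BITS each: this is what shipping A itself costs."""
    acc = 0
    for i, c in enumerate(coeffs):
        acc |= c << (COEFF_BITS * i)
    return acc.to_bytes((N * COEFF_BITS + 7) // 8, "little")

def decode_A(data: bytes) -> list[int]:
    acc = int.from_bytes(data, "little")
    return [(acc >> (COEFF_BITS * i)) & ((1 << COEFF_BITS) - 1) for i in range(N)]

def client_hdata(id_: bytes, z: bytes, x: bytes, tail: bytes) -> bytes:
    """ID || Z || X || <A or SEED1>, concatenated as in the quoted datagrams."""
    return id_ + z + x + tail

def server_recover_A(hdata_seed: bytes, prefix_len: int) -> list[int]:
    """Server side of the proposed variant: strip ID||Z||X and re-expand A from SEED1."""
    return expand_public_A(hdata_seed[prefix_len:])

# Constructed sample values; ID, Z and X are opaque placeholders here.
ID, Z, X = b"client-01", bytes(32), bytes(32)
SEED1 = hashlib.sha256(b"constructed demo seed").digest()
A = expand_public_A(SEED1)
HDATA_FULL = client_hdata(ID, Z, X, encode_A(A))      # original proposal: ships A
HDATA_SEED = client_hdata(ID, Z, X, SEED1)            # variant: ships SEED1
```

With these parameters A packs to 1792 bytes against 32 bytes for SEED1, and the server's re-expansion matches the client's A bit for bit.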