It all Started with Compression: Another Look at Reconciliation Mechanism

Abstract

In a (Ring-)LWE-based key exchange scheme, the error reconciliation technique is usually employed to help the two parties establish the exactly same shared key. In an error reconciliation mechanism, a hint should be produced and sent by one party, which makes the key exchange scheme sequential and the two parties asymmetrical. There is an alternative approach to realize key exchange, the encryption-based key encapsulation mechanism (KEM), where a message is encrypted by one party and the other party decrypts the corresponding ciphertext to derive the shared key from the recovered message. In this paper, we try to unify the two approaches and show that the two mainstream reconciliation instantiations, Ding et. al's branch and Peikert's branch, can both be derived by just choosing a certain message in some encryption-based KEMs we constructed, in which the compressed ciphertext is just the hint and the certain message is exactly the reconciled value. This explains why reconciliation-based key exchange scheme must be sequential and have two asymmetrical parties and will bring more generalization for reconciliation mechanism. As a byproduct, a new (Ring-)LWE-based encryption structure is proposed.