Optimal Key Consensus in Presence of Noise

In this work, we introduce and formalize a new primitive, referred to as key consensus (KC), and its asymmetric variant AKC, which are used to reach consensus from close values. We then reveal some inherent constraints on the relationship among bandwidth, correctness and consensus range that hold for any KC and AKC scheme; these are particularly instrumental in choosing and evaluating parameters towards different optimization or balance goals. KC and AKC are fundamental to lattice-based cryptography, in the sense that a list of cryptographic primitives based on LWE or Ring-LWE (including key exchange, public key encryption, oblivious transfer, and more) can be modularly constructed from them. As a conceptual contribution, this greatly simplifies the design and analysis of these cryptosystems in the future. Highly practical KC and AKC schemes are then designed and analyzed, within a generalized framework and with tight constraints on parameters that are almost the same as the inherent ones discovered. The structure generalization and constraint tightness allow us to choose and evaluate parameters towards an optimal balance among security, computational cost, bandwidth, consensus range, and error rate. When applied to LWE- or RLWE-based cryptosystems, generally speaking, careful parameter choices can result in (to our knowledge) state-of-the-art practical schemes for key exchange, CPA-secure public key encryption, and oblivious transfer.