# NewHope

In cryptography, NewHope is a key-agreement protocol by Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe that is designed to resist quantum computer attacks.[1][2]

NewHope is based on a mathematical problem known as Ring learning with errors (RLWE) that is believed to be difficult to solve. NewHope has been selected as a round-two contestant in the NIST Post-Quantum Cryptography Standardization competition,[3] and was used in Google's CECPQ1 experiment as a quantum-secure algorithm, alongside the classical X25519 algorithm.[4][5]

## Design choices

The designers of NewHope made several choices in developing the algorithm:[6]

• Binomial Sampling: Although sampling to high-quality discrete Gaussian distribution is important in post-quantum lattice-based compact signature scheme such as Falcon (GPV-style Hash-and-Sign paradigm) and BLISS (GLP-style Fiat-Shamir paradigm) to prevent signature from leaking information about the private key, it's otherwise not so essential to key exchange schemes. The author chose to sample error vectors from binomial distribution.
• Error Reconciliation: What distinguishes NewHope from its predecessors is its method for error reconciliation. Previous ring learning with error key exchange schemes correct errors one coefficient at a time, whereas NewHope corrects errors 2 or 4 coefficients at a time based on high-dimension geometry. This allows for lower decryption failure rate and higher security.
• Base Vector Generation: The authors of NewHope proposed deriving the base "generator" vector (commonly denoted as A or ${\displaystyle a}$) from the output of the XOF function SHAKE-128 in order to prevent "back-doored" values from being used, as may happen with traditional Diffie-Hellman through Logjam attack.
• Security Levels: In the early versions of the papers describing NewHope, authors proposed using 1024-degree polynomial for 128-bit "post-quantum" security level, and a 512-degree polynomial as "toy" instance for cryptanalysis challenge.[7] In the version submitted to NIST, the 512-degree version is codified to provide 128-bit "classical" security level.