Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE

Lattice-based cryptography offers some of the most attractive primitives believed to be resistant to quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key exchange protocols based on hard problems in ideal lattices, mainly based on the Ring Learning With Errors (R-LWE) problem. While ideal lattices facilitate major efficiency and storage benefits over their nonideal counterparts, the additional ring structure that enables these advantages also raises concerns about the assumed difficulty of the underlying problems. Thus, a question of significant interest to cryptographers, and especially to those currently placing bets on primitives that will withstand quantum adversaries, is how much of an advantage the additional ring structure actually gives in practice. Despite conventional wisdom that generic lattices might be too slow and unwieldy, we demonstrate that LWE-based key exchange is quite practical: our constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7×, but remain under 12 KiB in each direction. Our protocol is competitive when used for serving web pages over TLS; when partnered with ECDSA signatures, latencies increase by less than a factor of 1.6×, and (even under heavy load) server throughput only decreases by factors of 1.5× and 1.2× when serving typical 1 KiB and 100 KiB pages, respectively. To achieve these practical results, our protocol takes advantage of several innovations. These include techniques to optimize communication bandwidth, dynamic generation of public parameters (which also offers additional security against backdoors), carefully chosen error distributions, and tight security parameters

The Structure of the Atypical Killer Cell Immunoglobulin-like Receptor, KIR2DL4

The engagement of Natural Killer (NK) cell Immunoglobulin-Like Receptors (KIRs) with their target ligands, Human Leukocyte Antigen (HLA) molecules, is a critical component of innate immunity. Structurally, KIRs typically have either two (D1-D2) or three (D0-D1-D2) extracellular immunoglobulin domains, with the D1 and D2 domain recognizing the α1 and α2 helices of HLA respectively, while the D0 domain of the KIR3DLs binds a loop region flanking the α1 helix of the HLA molecule. KIR2DL4 is distinct from other KIRs (except KIR2DL5) in that it does not contain a D1 domain and instead has a D0-D2 arrangement. Functionally, KIR2DL4 is also atypical in that, unlike all other KIRs, KIR2DL4 has both activating and inhibitory signaling domains. Here, we determined the 2.8 Å crystal structure of the extracellular domains of KIR2DL4. Structurally, KIR2DL4 is reminiscent of other KIR2DL receptors, with the D0 and D2 adopting the C2-type immunoglobulin fold arranged with an acute elbow angle. However, KIR2DL4 self-associated via the D0 domain in a concentration-dependent manner and was observed as a tetramer in the crystal lattice, by size-exclusion chromatography, dynamic light scattering, analytical ultra-centrifugation and small-angle X-ray scattering experiments. The assignment of residues in the D0 domain to forming the KIR2DL4 tetramer precludes an interaction with HLA akin to that observed for KIR3DL1. Accordingly, no interaction was observed to HLA by direct binding studies. Our data suggest that the unique functional properties of KIR2DL4 may be mediated by self-association of the receptor