Write a proposal for a post-quantum lattice KEX
As part of #24985 (moved), we'll need a solid, reviewed proposal for which post-quantum key exchange we intend concretely to use.
My current idea for the key exchange is to use q=12289 and n=1024 (the lattice parameters from NewHope and other designs), along with the constant-time sampling protections I devised while working on prop#270, ripping out the Voronoi-cell based reconciliation mechanism and instead using a variant of the XE5 reconciliation from the NIST HILA5 submission (possibly tuning down the failure probability by increasing the noise, which raises the security level, since our key exchange is interactive and thus we don't care about having the 2^-128 failure probability which allows HILA5 to be used for public key encryption schemes).
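Added example, not part of the ticket and not the proposal's code: a toy ring-LWE exchange at q=12289, n=1024 that counts how many coefficients of the two parties' approximate shared values round to different bits before any reconciliation, at two noise widths. The binomial sampler (not constant-time), the widths 16 and 64, the plain one-bit rounding used in place of XE5, and all function names are assumptions made for illustration.

```python
import random

Q, N = 12289, 1024  # lattice parameters named in the ticket

def noise(rng, k):
    """Centered binomial sample per coefficient (variance k/2).
    Illustrative only: not constant-time, and random.Random is not a CSPRNG."""
    ones = lambda: bin(rng.getrandbits(k)).count("1")
    return [(ones() - ones()) % Q for _ in range(N)]

def mul(a, b):
    """Product in Z_Q[x]/(x^N + 1) via Kronecker substitution.
    6-byte slots suffice: each product coefficient is below N*Q^2 < 2^48."""
    pack = lambda p: int.from_bytes(b"".join(c.to_bytes(6, "little") for c in p), "little")
    raw = (pack(a) * pack(b)).to_bytes(12 * N, "little")
    t = [int.from_bytes(raw[6 * i:6 * i + 6], "little") for i in range(2 * N)]
    return [(t[i] - t[i + N]) % Q for i in range(N)]  # fold with x^N = -1

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def raw_mismatches(k, seed):
    """Run one exchange; return how many of the N rounded bits differ."""
    rng = random.Random(seed)  # constructed, reproducible sample input
    a = [rng.randrange(Q) for _ in range(N)]       # public ring element
    s, e = noise(rng, k), noise(rng, k)            # Alice's secret and error
    s2, e2, e3 = noise(rng, k), noise(rng, k), noise(rng, k)  # Bob's
    b = add(mul(a, s), e)                          # Alice -> Bob
    u = add(mul(a, s2), e2)                        # Bob -> Alice
    v_bob = add(mul(b, s2), e3)                    # = a*s*s2 + e*s2 + e3
    v_alice = mul(u, s)                            # = a*s*s2 + e2*s
    bit = lambda c: 1 if Q // 4 <= c < 3 * Q // 4 else 0
    return sum(bit(x) != bit(y) for x, y in zip(v_alice, v_bob))

if __name__ == "__main__":
    for k in (16, 64):
        print(f"k={k}: {raw_mismatches(k, seed=1)} of {N} raw bits differ")
```

The nonzero counts are the raw disagreement that a reconciliation or error-correction step has to absorb, and they grow with the noise width.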