Commutative property in Quotient ring does not work

Question

I was trying to implement Ring-LWE key exchange (not a real world implementation) just to see if I understood it correctly. I have been reading the theory fundamentals behind it but apparently it was not enough to make the implementation work. For my first implementation, I used the following parameters: $\mathbb{Z_{2^{23}-1}} / (x^{1024} + 1)$

The basic idea of Ring-LWE key exchange is the following:

dimension = 4 (arbitrary)

$A, S, S' = [rx^3 + rx^2 + rx + r,\\ rx^3 + rx^2 + rx + r,\\ rx^3 + rx^2 + rx + r,\\ rx^3 + rx^2 + rx + r]$ s.t. $r \in \mathbb{Z_{q}}$ (randomly generate)

$B = AS + error$, $B' = AS' + error$

$Shared key = SB' = S'B \to$ I did not use any error ($error =0$) but still shared key does not match. If there is some error (or noise) added to $B$, the we use reconciliation technique to make sure both parties achieve the same shared key.

I implemented the code (without any $error=0$ to test the commutative property):

Sage code:

from random import randint

def generate_matrix(dimention, modulus):
    array = []
    upper_limit = modulus * dimention

    for i in range(0, dimention):
        f = 0
        for j in range(0, dimention):
            f = f + (randrange(modulus, upper_limit) * x^j)

        array.append(f)

    return Matrix(array)

dimention = 128 # arbitrary
modulus = 40961
R = PolynomialRing(GF(65537), "X")
X = R.gen()
S = R.quotient(X^1024 + 1, "x")
x = S.gen()

A = generate_matrix(dimention, modulus)
Secret = generate_matrix(dimention, modulus)
Secret_ = generate_matrix(dimention, modulus)

B = A.transpose()*Secret
B_ = A.transpose()*Secret_

alice = Secret*B_
bob = Secret_*B

print alice == bob

As first I though maybe the Ring library in java is problematic , thus, I rewrite the code in sage. But still the shared key does not match. In order words, commutative property in Quotient ring does not work out.

Links:

• Implementation #1, ring library that it uses (java)
• Implementation #2 (sage)
• Parameter choices according to this
• Regev's basic reconciliation method (irrelevant to my question)

Note: I asked this question on both crypto.SE and stackoverflow but no answer so far.