Introduction

With the predicted advent of quantum computers compromising the bulk of existing cryptographic constructions, lattice-based cryptography has emerged as a promising foundation for long-term security. In particular, the Learning with Errors (henceforth LWE) problem introduced in [42], as well as its variants over rings (RLWE) [27] and modules (MLWE) [22], provides a natural intermediate step to base cryptographic hardness on lattice short vector problems in a post-quantum setting. Indeed, second round submissions to the NIST post-quantum standardization process such as NewHope [3] and KYBER [5] rely on the hardness of LWE variants. Cryptography based on the classical LWE problem is typically somewhat impractical, in part due to large key sizes. To address this, the ring variant was introduced as a way to add extra structure to LWE, trading a potential loss of security for an increase in efficiency. MLWE generalizes ring and classical LWE, providing a smoother transition between security and efficiency than the binary choice between ring and classical LWE. The flexibility of MLWE is highly desirable in practice, as demonstrated by the third-round NIST finalists KYBER and SABER, both based on MLWE [1].

Conceptually, one may view all these problems as variations on a single problem. The (search) LWE problem tasks a solver with recovering a secret vector \({{\textbf {s}}} \in {\mathbb {Z}}_q^n\) from a collection of pairs \(({{\textbf {a}}}_i, b_i = \langle {{\textbf {a}}}_i,{{\textbf {s}}} \rangle + e_i)\), where \(\langle \cdot ,\cdot \rangle \) denotes the inner product, each \({{\textbf {a}}}_i \in {\mathbb {Z}}_q^n\) is uniformly random and the \(e_i\)’s are small random errors. In practice, we view this collection of equations in matrix–vector form:

$$\begin{aligned} A {{\textbf {s}}} + {{\textbf {e}}} = {{\textbf {b}}}, \end{aligned}$$

where all operations and entries are over \({\mathbb {Z}}_q\) and the challenge is to recover \({{\textbf {s}}}\) from \(A, {{\textbf {b}}}\). A popular ring variant replaces \(A, {{\textbf {s}}}, {{\textbf {e}}}\) with elements \(a, s, e\) of the ring \(R_q := {\mathbb {Z}}_q[x]/(x^n+1)\), requiring the solver to obtain s from samples \((a_i, a_i \cdot s + e_i)\). For power-of-two n this can be expressed in matrix–vector form by considering the matrix rot(a), the negacyclic matrix obtained from the coefficients of a. Explicitly, for \(a = a_0 +a_1 x +... +a_{n-1} x^{n-1}\) and bold faced letters denoting coefficient vectors, a sample from the RLWE distribution takes the form:

$$\begin{aligned} \begin{pmatrix} a_0 &{} -a_{n-1} &{} \dots &{} -a_{1} \\ a_1 &{} a_{0} &{} \dots &{} -a_2 \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ a_{n-1} &{} a_{n-2} &{} \dots &{} a_0 \end{pmatrix} {{\textbf {s}}} + {{\textbf {e}}} = {{\textbf {b}}} \end{aligned}$$

where once again operations and entries are over \({\mathbb {Z}}_q\). This is exactly a structured version of the classical LWE problem, where the uniformly random matrix A has been replaced by the negacyclic matrix rot(a). Of course, this should be no harder to solve, yet no substantial progress has been made in using the structure of rot(a) to solve the problem efficiently. We can extend this matrix–vector view to MLWE as well. An MLWE instance takes place in a module M of dimension d over \(R_q\), such that a solver has to recover \({{\textbf {s}}} \in M\) from a collection of pairs \(({{\textbf {a}}}_i, \langle {{\textbf {a}}}_i, {{\textbf {s}}} \rangle + e_i)\) where \({{\textbf {a}}}_i\) is a uniformly random element of M and each \(e_i\) is a small random element of \(R_q\). A collection of such pairs can be viewed as \(A{{\textbf {s}}} + {{\textbf {e}}} = {{\textbf {b}}}\), where the ambient space \({\mathbb {Z}}_q\) has been replaced by \(R_q\), e.g., with d samples:

$$\begin{aligned} \begin{pmatrix} a_{1,1} &{} a_{1,2} &{} \dots &{} a_{1,d} \\ a_{2,1} &{} a_{2,2} &{} \dots &{} a_{2,d} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ a_{d,1} &{} a_{d,2} &{} \dots &{} a_{d,d} \end{pmatrix} {{\textbf {s}}} + {{\textbf {e}}} = {{\textbf {b}}} \end{aligned}$$

where all operations are over \(R_q\) and each \(a_{i,j}\) is uniformly random. Of course, we could extend this to have operations over \({\mathbb {Z}}_q\) by applying the rot\((\cdot )\) operation coordinatewise, to obtain a structured LWE instance in dimension nd.

An advantage of these structured matrices is that they allow for streamlined storage and operations. For example, storing a uniformly random matrix A requires one to store all \(n^2\) of its entries, but rot(a) requires a factor n less memory since one need only store its first column. Equivalently, one RLWE sample generates n LWE samples while reducing the storage space and key sizes. Multiplication can also be sped up by using the Chinese Remainder Theorem (CRT) or other techniques.
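The following Python block is an added worked example, not code from the paper. It builds rot(a) for a power-of-two n, checks that \(\text {rot}(a)\,{{\textbf {s}}}\) agrees with the product \(a \cdot s\) in \(R_q\), and then applies rot(\(\cdot \)) coordinatewise to a rank-d MLWE matrix to obtain the structured LWE instance of dimension nd described above. The polynomials, secrets and modulus it uses are constructed test data; the storage saving is visible in the sizes: a rank-d MLWE matrix is determined by \(nd^2\) coefficients, whereas its rot(\(\cdot \)) image has \((nd)^2\) entries.

```python
import random
from typing import List

Poly = List[int]  # coefficients a_0, ..., a_{n-1} of a in R_q = Z_q[x]/(x^n + 1), reduced mod q


def poly_mul(a: Poly, b: Poly, q: int) -> Poly:
    """Schoolbook product in R_q: a power x^k with k >= n folds to -x^{k-n}, since x^n = -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - n] = (out[k - n] - ai * bj) % q
    return out


def rot(a: Poly, q: int) -> List[List[int]]:
    """Negacyclic matrix rot(a): column j holds the coefficients of a * x^j, so entry (i, j)
    is a_{i-j} on and below the diagonal and -a_{n+i-j} above it (only column 0 is stored)."""
    n = len(a)
    return [[a[i - j] % q if i >= j else (-a[n + i - j]) % q for j in range(n)]
            for i in range(n)]


def mat_vec(M: List[List[int]], v: List[int], q: int) -> List[int]:
    return [sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M))]


def module_mul(A: List[List[Poly]], s: List[Poly], q: int) -> List[Poly]:
    """A s over R_q for a rank-d module: b_i = sum_j a_{i,j} * s_j."""
    n = len(s[0])
    out = []
    for row in A:
        acc = [0] * n
        for a_ij, s_j in zip(row, s):
            acc = [(x + y) % q for x, y in zip(acc, poly_mul(a_ij, s_j, q))]
        out.append(acc)
    return out


def block_rot(A: List[List[Poly]], q: int) -> List[List[int]]:
    """Apply rot(.) to every entry of A: the nd x nd matrix of the structured LWE instance."""
    rows = []
    for row in A:
        blocks = [rot(a_ij, q) for a_ij in row]
        for r in range(len(blocks[0])):
            rows.append([x for blk in blocks for x in blk[r]])
    return rows


def flatten(polys: List[Poly]) -> List[int]:
    return [c for p in polys for c in p]


def structured_views_agree(n: int, d: int, q: int, seed: int = 0) -> bool:
    """On constructed random data, check rot(a) s = a * s (RLWE) and
    block_rot(A) (s_1 | ... | s_d) = A s (MLWE viewed over Z_q)."""
    rng = random.Random(seed)
    rnd = lambda: [rng.randrange(q) for _ in range(n)]
    a, s = rnd(), rnd()
    A = [[rnd() for _ in range(d)] for _ in range(d)]
    S = [rnd() for _ in range(d)]
    return (mat_vec(rot(a, q), s, q) == poly_mul(a, s, q)
            and mat_vec(block_rot(A, q), flatten(S), q) == flatten(module_mul(A, S, q)))


if __name__ == "__main__":
    print(rot([1, 2, 3, 4], 17))                 # negacyclic matrix of 1 + 2x + 3x^2 + 4x^3
    print(structured_views_agree(8, 3, 3329, 1))  # KYBER-like modulus, toy dimension
```

Note that the error term plays no role in the check: the structured matrix only replaces the product \(A{{\textbf {s}}}\), and \({{\textbf {e}}}\) is added afterwards in both views.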

This concept of improving efficiency by adding structure motivates this work; can we perform an analog of the transformation taking an LWE matrix A to an RLWE matrix rot(a) for the module M? We solve this by constructing a new variant of the LWE problem over a certain non-commutative space known as a cyclic algebra. In recent years, cyclic algebras have received significant attention in the field of coding theory (see, e.g., [25, 32, 44]) due to the particular nature of the matrix lattices they induce, and we view them as a suitable option for defining an LWE problem over a non-commutative ring. Though some efforts have been made to construct non-commutative LWE problems, for example [8, 16], the majority of non-commutative cryptography has relied on group theoretic constructions, whose underlying hard problems are often less robust than those of lattice cryptography. Somewhat informally, for a cyclic algebra \({\mathcal {A}}\) and well-chosen parameters there exists an automorphism \(\theta \) of \(R_q\) and a \(\gamma \in R_q\) such that an LWE style sample \(a \cdot s + e\) over \({\mathcal {A}}\) can be written in matrix–vector form

$$\begin{aligned} \begin{pmatrix} a_0 &{} \gamma \theta (a_{d-1}) &{} \gamma \theta ^2(a_{d-2}) &{} \ldots &{}\gamma \theta ^{d-1}(a_{1}) \\ a_1 &{} \theta (a_{0}) &{} \gamma \theta ^2(a_{d-1}) &{} \ldots &{}\gamma \theta ^{d-1}(a_{2}) \\ a_2 &{} \theta (a_{1}) &{} \theta ^2(a_{0}) &{} \ldots &{}\gamma \theta ^{d-1}(a_{3}) \\ \vdots &{} \vdots &{} \vdots &{}\ddots &{} \vdots \\ a_{d-1} &{} \theta (a_{d-2}) &{} \theta ^2(a_{d-3}) &{} \ldots &{} \theta ^{d-1}(a_{0}) \\ \end{pmatrix} {{\textbf {s}}} + {{\textbf {e}}} = {{\textbf {b}}} \end{aligned}$$

where all entries and operations are now over \(R_q\). Though more complex than the transformation taking LWE to RLWE, this fulfills our goal of providing a structured version of MLWE, since we have replaced the uniformly random matrix A over \(R_q\) with a structured matrix, which we denote \(\phi (a)\), that requires a factor of d less storage. Of course, by applying the rot\((\cdot )\) operation coordinatewise, one can extend this to a high-dimensional version of the LWE problem, now with two sets of structure lying on top of each other.

Contributions and Methodology

The main novel contribution of this work is a definition of Cyclic Algebra LWE (CLWE), together with justifications for its construction and a polynomial time reduction from short vector problems over matrix lattices induced by two-sided ideals in the maximal order of a cyclic algebra to CLWE, establishing its security on the assumption that such problems are hard. As in [27], the reduction bases the security of CLWE on short vector problems over two-sided ideal lattices in \({\mathcal {A}}\); similarly to ideal lattices in K, these have some extra underlying structure that might make computational problems easier. However, we leave the relative complexity of these problems as an open area of investigation.

CLWE represents a middle ground between RLWE and MLWE. Cyclic algebras are equipped with a proper ring multiplication which preserves the dimension of the lattice. Specifically, we consider the following advantages of our CLWE construction:

  • Efficiency. CLWE can be seen as a structured variant of MLWE. Assuming for simplicity that the public key in LWE-based schemes is a sample \((A,{{\textbf {b}}})\), a public key generated as \(A =\) rot(\(\phi (a)\)) requires only as much storage as that of an equivalent dimension RLWE public key. On the negative side, one should note that we do not know currently how to construct CLWE instances of arbitrary dimension, which might have an impact on the concrete efficiency of the schemes.

  • Security. Recent works on quantum attacks on related ideal lattice problems (e.g., [10, 14, 17, 18] amongst others) require that the underlying group, in this case the unit group of \({\mathcal {O}}_K\), is commutative, see, e.g., [20], which is untrue for a non-commutative algebra. We conjecture that the security level is higher than RLWE, but welcome further cryptanalysis. We actively avoid known attacks on previous attempts to create structured MLWE (see Sect. 3.2). We remark that solving ideal-SVP in a number field is not known to impact the security of RLWE. Moreover, there are currently no known algorithms solving RLWE faster than MLWE for similar parameter sets (either theoretically or practically). It is even known from [2] that for some specific choices of parameters, RLWE is asymptotically no easier than MLWE.

  • Decryption failure rates. The scalar multiplication of MLWE is dimension-lossy. In other words, the message space of MLWE is restricted to \(R_q\), whose dimension is smaller than that of the module lattice. It leaves less room for error correction coding in MLWE-based schemes (e.g., a KYBER instance for a key size of 256 within \(R_q\) of dimension 256). In contrast, the dimension of the message space of CLWE is that of the (non-commutative) ring, which is higher by a factor of d. Thus, it accommodates better error correction coding (see Sect. 5.2), and low decryption failure rates are desired under chosen ciphertext attacks (CCA). Even trivial repetition coding can dramatically reduce decryption failure rates (e.g., NewHope).

Our search-to-decision reduction only holds for one choice of modulus q (once the algebra has been fixed) and structured modules of constant rank d. This issue needs to be remedied in the future.

Related Work and Organization

This work is related to a number of different areas: lattice-based cryptography, information theory and number theory.

In lattice-based cryptography, an alternative construction for structured module LWE, called multivariate-RLWE, was presented in [35, 36], where they tensor product two (or more) number fields in order to provide a structured module matrix. However, an efficient implementation of [35] was attacked in [12], together with a warning about taking care when putting structure on a module. In short, [12] attacks certain instances of multivariate-RLWE by providing a homomorphism to some underlying subfield K, dramatically reducing the dimension of the lattice problem to be attacked. Fortunately for this work, a somewhat technical condition on the choice of \(\gamma \) known as the non-norm condition precludes the existence of such a homomorphism reducing the dimension of CLWE (see Sect. 3.2). It is worth pointing out that their problem has been addressed in [36], and in fact this fix looks somewhat like our non-norm condition (e.g., unlike the original version, full rank is maintained in [36]).

This paper is inspired by the abundant literature of space-time coding based on cyclic division algebras (see the monographs [9, 32] and references therein). On a high level, our construction is reminiscent of multiblock space-time codes [21, 23], with the caveat of scaling up the number of blocks to make the codes practically undecodable. In the context of space-time coding, our construction generalizes [21] and offers greater flexibility in the code parameters (the number of blocks vs. the number of antennas). Multiblock space-time codes have been used in [25] to achieve information-theoretic security over wiretap channels, as opposed to computational security in a classic cryptographic setting of this paper. There is a major difference between the roles of cyclic algebras in coding and cryptography, though: the primary concern for coding is the non-vanishing determinant (NVD), while the non-commutative ring structure becomes crucial for cryptography. For efficient multiplication of elements in a cyclic algebra, we heavily rely on the CRT technique of [33].

We present two approaches (subfields and compositum fields) to the construction of novel cyclic division algebras, which enlarge the pool of algebras and may find other applications. Specifically, our proof that the natural order of the family of cyclic division algebras constructed in Theorem 2 (including those in [21]) is in fact maximal, is an original contribution.

The rest of this paper is organized as follows. In Sect. 2 we provide necessary background material on lattices, number fields, and cyclic algebras. In Sect. 3 we provide a definition and discussion of CLWE, together with novel constructions of cyclic division algebras for the CLWE problem. In Sect. 4 we provide a reduction from structured lattice problems to search CLWE, as well as a search-worst case decision reduction for CLWE. In Sect. 5 we show a sample CLWE cryptosystem and provide an estimate of its asymptotic operation complexity. Finally, the paper is concluded in Sect. 6 with a discussion of open problems. For a smooth flow of the main text, certain proofs, sideline discussions and technical details are deferred to appendices.

Preliminaries

Lattices

A lattice is a discrete additive subgroup of a vector space V. If V has dimension n, a lattice \({\mathcal {L}}\) can be viewed as the set of all integer linear combinations of a set of linearly independent vectors \(B = \lbrace {{\textbf {b}}}_1,\ldots ,{{\textbf {b}}}_k \rbrace \) for some \(k \le n\), written \({\mathcal {L}} = {\mathcal {L}}(B) = \lbrace \sum _{i=1}^k z_i {{\textbf {b}}}_i: z_i \in {\mathbb {Z}} \rbrace \). If \(k=n\) we call the lattice full-rank, and we will only consider lattices of full rank. We can extend this notion of lattices to matrix spaces by stacking the columns of a matrix. We recall two standard lattice definitions.

Definition 1

Given a lattice \({\mathcal {L}}\) in a space V endowed with a norm \(\Vert \cdot \Vert \), the minimum distance of \({\mathcal {L}}\) is defined as \(\lambda _1 ({\mathcal {L}}) = \min _{{{\textbf {v}}} \in {\mathcal {L}} \setminus \lbrace {{\textbf {0}}} \rbrace } \Vert {{\textbf {v}}} \Vert \). Similarly, \(\lambda _n({\mathcal {L}})\) is the minimum length of a set of n linearly independent vectors of \({\mathcal {L}}\), where the length of a set of vectors \( \lbrace {{\textbf {x}}}_1,\ldots , {{\textbf {x}}}_n \rbrace \) is defined as \(\max _i(\Vert {{\textbf {x}}}_i \Vert )\).

Definition 2

Given a lattice \({\mathcal {L}} \subset V\), where V is endowed with an inner product \(\langle \cdot , \cdot \rangle \), the dual lattice \({\mathcal {L}}^*\) is defined \({\mathcal {L}}^* = \lbrace {{\textbf {v}}} \in V : \langle {\mathcal {L}} , {{\textbf {v}}} \rangle \subset {\mathbb {Z}} \rbrace \).

Gaussian Distributions

Definition 3

For a vector space V with norm \(\Vert \cdot \Vert \) and an \(r >0\), we define the Gaussian function \(\rho _r: V \rightarrow (0,1]\) by \(\rho _r({{\textbf {x}}}) = \exp (- \pi \Vert {{\textbf {x}}} \Vert ^2/r^2)\).

We can use this function to define the spherical Gaussian distribution \(D_r\) over V, which outputs \({{\textbf {v}}}\) with probability proportional to \(\rho _r({{\textbf {v}}})\). Similarly, we can sample an elliptical Gaussian \(D_{{\textbf {r}}}\) in a basis \({{\textbf {b}}}_1,\ldots ,{{\textbf {b}}}_n\) of V, for \({{\textbf {r}}} = (r_1,\ldots ,r_n)\) a vector of positive reals, by sampling \(x_1,\ldots ,x_n\) independently from the one-dimensional Gaussian distributions \(D_{r_i}\) and outputting \(\sum _{i =1}^n x_i {{\textbf {b}}}_i\).

When sampling a Gaussian over a lattice \({\mathcal {L}}\), we will use the discrete form of the Gaussian distribution. We define the distribution \(D_{{\mathcal {L}},r}\) over \({\mathcal {L}}\) by outputting \({{\textbf {x}}}\) with probability \(\frac{\rho _r({{\textbf {x}}})}{\rho _r({\mathcal {L}})}\) for each \({{\textbf {x}}} \in {\mathcal {L}}\), where \(\rho _r({\mathcal {L}}) = \sum _{{{\textbf {y}}} \in {\mathcal {L}}} \rho _r({{\textbf {y}}})\). This version of the discrete Gaussian is centered at 0, which in general need not be the case.

An important lattice quantity, known as the smoothing parameter, was introduced in [31]. The motivation for the name is provided by Lemma 1 following the definition.

Definition 4

For a lattice \({\mathcal {L}}\) and \(\varepsilon > 0\), the smoothing parameter \(\eta _\varepsilon ({\mathcal {L}})\) is defined as the smallest \(r > 0\) satisfying \(\rho _{1/r}({\mathcal {L}}^* \setminus \lbrace {{\textbf {0}}} \rbrace ) \le \varepsilon \).

The following is a special case of [31], Lemma 4.1.

Lemma 1

For a lattice \({\mathcal {L}}\) in \({\mathbb {R}}^n\), \(\varepsilon > 0, r \ge \eta _\varepsilon ({\mathcal {L}})\), and \({{\textbf {x}}} \in {\mathbb {R}}^n\), the statistical distance between \((D_r + {{\textbf {x}}}) \mod \mathcal {L}\) and the uniform distribution modulo \({\mathcal {L}}\) is bounded above by \(\varepsilon /2\). Equivalently, \(\rho _r({\mathcal {L}} + {{\textbf {x}}}) \in [\frac{1- \varepsilon }{1+ \varepsilon },1] \cdot \rho _r({\mathcal {L}})\).

We introduce well-known lemmas used to relate the smoothing parameter to standard lattice properties. The first comes from [6], the second from [40].

Lemma 2

For a lattice \({\mathcal {L}}\) of dimension n and \(c \ge 1\), it holds that \(c \sqrt{n}/ \lambda _1({\mathcal {L}}^*) \ge \eta _\varepsilon ({\mathcal {L}})\) for \(\varepsilon = \exp (-c^2n)\).

Lemma 3

For a lattice \({\mathcal {L}}\) and \(\varepsilon \in (0,1)\), it holds that \(\eta _\varepsilon ({\mathcal {L}}) \le \frac{\sqrt{\log (1/\varepsilon )/\pi }}{\lambda _1({\mathcal {L}}^*)}\).

Algebraic Number Theory

Definition 5

A number field K is a finite degree extension of the rationals \({\mathbb {Q}}\). Typically, we define a number field by adjoining some algebraic element \(\alpha \in {\mathbb {C}}\) and set \(K = {\mathbb {Q}}(\alpha )\). The degree of K refers to its degree as a field extension.

To define a cyclic algebra, we will need to take an additional extension of K. In particular, we will need the extension to be Galois over K, defined as follows.

Definition 6

Let L/K be an extension of number fields of degree d. The Galois group of L over K is the group Aut(L/K) of automorphisms of L that fix K. We say that the extension is Galois if the subfield of L fixed by Aut(L/K) is exactly K.

We define a cyclic Galois extension L/K to be a Galois extension such that the Galois group of L over K is the cyclic group generated by some element \(\theta \) of order \(d := [L:K]\). Finally, we require the ring of integers of a number field.

Definition 7

Given a number field K, its ring of integers \({\mathcal {O}}_K\) is the ring consisting of those elements of K whose minimal polynomial over \({\mathbb {Q}}\) lies in \({\mathbb {Z}}[x]\).

It is easy to check that if L/K is an extension of number fields then \({\mathcal {O}}_L \cap K = {\mathcal {O}}_K\).

The Canonical Embedding

Let \(K = {\mathbb {Q}}(\alpha )\) be a number field of degree n. It is a well-known fact that there are exactly n distinct ring embeddings \(\sigma _i : K \rightarrow {\mathbb {C}}\). These embeddings correspond to the n distinct injective ring homomorphisms mapping \(\alpha \) to the roots of its minimal polynomial f. We split these embeddings and say that there are \(r_1\) real embeddings (whose images lie in \({\mathbb {R}}\)) and \(r_2\) conjugate pairs of complex embeddings (the complex embeddings come in pairs since complex roots of f occur in conjugate pairs), such that \(r_1 + 2 r_2 = n\). The standard convention is to order the embeddings such that the \(r_1\) real embeddings come first and the complex embeddings are arranged such that \(\sigma _{r_1+ j} = \overline{\sigma _{r_1 + r_2 + j}}\) for \(1 \le j \le r_2\).

Definition 8

Let \(K = {\mathbb {Q}}(\alpha )\) be a number field of degree \(n = r_1 + 2r_2\). The canonical embedding \(\sigma \) is the ring homomorphism \(\sigma : K \rightarrow {\mathbb {R}}^{r_1} \times {\mathbb {C}}^{2 r_2}\) defined by

$$\begin{aligned} \sigma (x) = (\sigma _1(x),\ldots ,\sigma _n(x)). \end{aligned}$$

Formally, \(\sigma \) maps into the space

$$\begin{aligned} H = \lbrace (x_1,\ldots ,x_n) \in {\mathbb {R}}^{r_1} \times {\mathbb {C}}^{2 r_2} \, | \, x_{r_1 + r_2 + j} = \overline{x_{r_1 + j}} \, \, \forall 1 \le j \le r_2 \rbrace \subset {\mathbb {C}}^n, \end{aligned}$$

which is isomorphic to \({\mathbb {R}}^n\) as an inner product space.

We can equip H with the orthonormal basis \(\lbrace {{\textbf {h}}}_i \rbrace \), where \({{\textbf {h}}}_i = {{\textbf {e}}}_i\) for \(1 \le i \le r_1\) and \({{\textbf {h}}}_j = \frac{1}{\sqrt{2}}({{\textbf {e}}}_j + {{\textbf {e}}}_{j + r_2}), {{\textbf {h}}}_{j+r_2} = \frac{\sqrt{-1}}{\sqrt{2}}({{\textbf {e}}}_j - {{\textbf {e}}}_{j + r_2})\) for \(r_1 < j \le r_1+r_2\), and use the well-defined \(\ell _p\) norm induced by viewing H as a subset of \({\mathbb {C}}^n\). Observe that multiplication in K maps to coordinatewise multiplication in H. The \(\ell _2\) norm on H allows us to efficiently sample a Gaussian distribution \(D_{{\textbf {r}}}\) over K by sampling such a Gaussian coordinatewise over H, although technically this distribution is over the field tensor product \(K_{\mathbb {R}} = K \otimes _{\mathbb {Q}} {\mathbb {R}} \cong H\). Furthermore, it satisfies the property that for any \(x \in K_{\mathbb {R}}\) we have the equality of distributions \(x \cdot D_{{\textbf {r}}}\) and \(D_{{{\textbf {r}}}'}\), where \(r_i' = r_i \cdot \vert \sigma _i(x)\vert \). When we have an extension of number fields L/K, we will denote their respective canonical embeddings \(\sigma _L\) and \(\sigma _K\) as maps into \(H_L\) and \(H_K\) to avoid confusion.

Relative Embeddings

In the case of an extension L of a number field K it is sometimes more convenient to apply a different order on its embeddings induced by extending embeddings of K to those of L. Given a tower \(L/K/{\mathbb {Q}}\) where K has degree n and L has degree d over K, there are precisely n embeddings \(\sigma _1,\ldots ,\sigma _n\) of K into \({\mathbb {C}}\). Assuming \(L/{\mathbb {Q}}\) is Galois, each of these can be extended to an embedding \(\alpha _i: L \rightarrow {\mathbb {C}}\) such that \(\alpha _i \vert _K = \sigma _i\). However, these extensions are not unique, and it is easy to see that there are \([L:K] = d\) choices for each \(\alpha _i\). In particular, in the case where L/K is a cyclic extension with Galois group generated by \(\theta \) it holds that the composite automorphisms \(\alpha _i \circ \theta ^j( \cdot ), 1 \le j \le d\), run through the d choices of \(\alpha _i\). Hence, for a fixed choice of \(\alpha _1,\ldots ,\alpha _n\) the nd automorphisms of L can each be uniquely represented by some \(\alpha _i \circ \theta ^j(\cdot )\), which we denote by \(\alpha _i^j(\cdot ), 1 \le i \le n, 1\le j \le d\). Given the usual ordering of embeddings of K, this induces two systematic orderings on the embeddings of L by running through either the i or j coordinates first.

Cyclic Algebras

Definition 9

Let K be a number field with degree n, and let L be a Galois extension of K of degree d such that the Galois group of L over K is cyclic of order d, Gal\((L/K) = \langle \theta \rangle \). For nonzero \(\gamma \in K\) we define the resulting cyclic algebra

$$\begin{aligned} {\mathcal {A}} = (L/K, \theta , \gamma ) := L \oplus u L \oplus ... \oplus u^{d-1}L \end{aligned}$$

where \(\oplus \) denotes the direct sum, \(u \in {\mathcal {A}}\) is some auxiliary generating element of \({\mathcal {A}}\) satisfying the additional relations \(xu = u \theta (x), \forall x \in L\) and \(u^d = \gamma \). We will call d the degree of the algebra \({\mathcal {A}}\). We call such an algebra a division algebra if every nonzero element \(a \in {\mathcal {A}}\) has an inverse \(a^{-1} \in {\mathcal {A}}\) such that \(aa^{-1} = a^{-1}a = 1\).

The relations among K, L and \({\mathcal {A}}\) are illustrated in Fig. 1. In fact, every central simple algebra over a number field is cyclic.

Fig. 1 Structure of a cyclic algebra (figure not reproduced)

Since \(\theta \) fixes K, the center of the cyclic algebra is precisely K. Oftentimes the condition \(\gamma \in K\) is replaced by the stronger condition \(\gamma \in {\mathcal {O}}_K\), and we will use this condition in our work to guarantee the existence of a certain subring known as the natural order. Note that the division property does not hold for arbitrary \(\gamma \), and such algebras are not always easy to construct, which we will discuss later in this section.

We present a matrix representation of elements of \({\mathcal {A}}\) which proves useful for computing multiplication in cyclic algebras. We can naturally view an element \(a \in {\mathcal {A}}\) as a d-dimensional vector Vec(a) over L, in which case we can view left multiplication of elements as matrix–vector operations. This is done by defining the map \(\phi : {\mathcal {A}} \rightarrow M_{d \times d}(L)\), where for \(x = x_0 + ux_1 + ... + u^{d-1} x_{d-1} \in {\mathcal {A}}\) with each \(x_i \in L\),

$$\begin{aligned} \phi (x) = \begin{pmatrix} x_0 &{} \gamma \theta (x_{d-1}) &{} \gamma \theta ^2(x_{d-2}) &{} \ldots &{}\gamma \theta ^{d-1}(x_{1}) \\ x_1 &{} \theta (x_{0}) &{} \gamma \theta ^2(x_{d-1}) &{} \ldots &{}\gamma \theta ^{d-1}(x_{2}) \\ x_2 &{} \theta (x_{1}) &{} \theta ^2(x_{0}) &{} \ldots &{}\gamma \theta ^{d-1}(x_{3}) \\ \vdots &{} \vdots &{} \vdots &{}\ddots &{} \vdots \\ x_{d-1} &{} \theta (x_{d-2}) &{} \theta ^2(x_{d-3}) &{} \ldots &{} \theta ^{d-1}(x_{0}) \\ \end{pmatrix}. \end{aligned}$$

We call this mapping a left regular representation of \({\mathcal {A}}\), because it holds for any \(a,b \in {\mathcal {A}}\) that \(\phi (a) \text {Vec}(b) = \text {Vec}(ab)\), and that \(\phi (ab) = \phi (a) \cdot \phi (b)\). In the case where \({\mathcal {A}}\) is a division algebra it follows that each \(\phi (a)\) is an invertible matrix. Since \(\theta \) is well defined on \(L_{\mathbb {R}}\), we abuse notation and extend this map to \(\phi : \bigoplus _{i=0}^{d-1}u^i L_{\mathbb {R}} \rightarrow M_{d \times d} (L_{\mathbb {R}})\). We derive lattices from subrings of a cyclic algebra by vectorizing their images under \(\phi \).

Definition 10

Let \({\mathcal {A}} = (L/K, \theta , \gamma )\) be a cyclic division algebra. A \({\mathbb {Z}}\)-order \(\varLambda \) in \({\mathcal {A}}\) is a finitely generated \({\mathbb {Z}}\)-module such that \(\varLambda \cdot {\mathbb {Q}} = {\mathcal {A}}\) and that \(\varLambda \) is a subring of \({\mathcal {A}}\) with the same identity element as \({\mathcal {A}}\). We call \(\varLambda \) maximal if there is no \({\mathbb {Z}}\)-order \(\varGamma \) such that \(\varLambda \subsetneq \varGamma \subsetneq {\mathcal {A}}\). Here, \(\varLambda \cdot {\mathbb {Q}} = \lbrace \sum _{i=1}^m a_i q_i : a_i \in \varLambda , q_i \in {\mathbb {Q}}, m \in {\mathbb {Z}}_{\ge 1} \rbrace \).

Since we are only concerned with \({\mathbb {Z}}\)-orders in this paper, we will just refer to them as orders.

Example 1

The ring of integers \({\mathcal {O}}_K\) of a number field K is the unique maximal order of K. In the case of cyclic algebras a maximal order is not necessarily unique.

An order of particular interest that we will use in our LWE construction is known as the natural order, defined as \(\varLambda := \bigoplus _{i=0}^{d-1} u^i {\mathcal {O}}_L\). Unlike in the case of \({\mathcal {O}}_K\), this order is not necessarily maximal. (However, we are going to work with natural orders that are also maximal.) Note that in order for \(\varLambda \) to be closed under multiplication the element \(\gamma \) must lie in \({\mathcal {O}}_K\).

Non-Norm Condition

It is not a priori obvious whether well-defined cyclic division algebras or orders actually exist. As observed earlier, the existence of \(\gamma \) enforcing the division algebra condition is a key component in constructing such objects. Fortunately, it is sufficient for \(\gamma \) to satisfy the so-called non-norm condition [44].

Proposition 1

The cyclic algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\) of degree d is a division algebra if and only if none of the elements \(\gamma ^t\), \(1\le t \le d-1\), appears in \(N_{L/K}(L)\), where \(N_{L/K}\) represents the relative norm of L into K.

In other words, this condition states that the lowest power of \(\gamma \) that is the norm of some element of L is \(\gamma ^d\) (note that \(\gamma ^d = N_{L/K}(\gamma )\) is always a norm, since \(\gamma \in K\)).
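The following Python block is an added worked example, not code from the paper, serving both the matrix representation \(\phi \) of Definition 9 and the non-norm condition of Proposition 1. It instantiates the smallest interesting case, \(K = {\mathbb {Q}}\), \(L = {\mathbb {Q}}(i)\), \(\theta \) = complex conjugation (so \(d = 2\)) and a rational \(\gamma \); with \(\gamma = -1\) this is the Hamilton quaternion algebra. It implements multiplication in \({\mathcal {A}}\) directly from the relations \(xu = u\theta (x)\) and \(u^d = \gamma \), builds \(\phi (x)\) from the displayed formula, checks \(\phi (x)\text {Vec}(y) = \text {Vec}(xy)\) and \(\phi (xy) = \phi (x)\phi (y)\), and checks the non-norm condition. Because \(N_{L/K}(a + bi) = a^2 + b^2\), the condition "\(\gamma \) is not a norm" reduces for this one field to Fermat's two-squares criterion; that test is specific to \({\mathbb {Q}}(i)\) and is not a general procedure. When \(\gamma \) is a norm, \(\gamma = N(l)\), the element \(l + u\) is a zero divisor, which is the failure mode the condition rules out. The elements used are constructed test data.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import List

# Constructed worked instance (not from the paper): K = Q, L = Q(i), theta = complex
# conjugation, so d = 2 and gamma is rational.  (Q(i)/Q, theta, -1) is the Hamilton
# quaternion algebra; other values of gamma exhibit failure of the non-norm condition.
D = 2


@dataclass(frozen=True)
class Gauss:
    """Element re + im*i of L = Q(i) with rational coefficients."""
    re: Fraction
    im: Fraction

    def __add__(self, o):
        return Gauss(self.re + o.re, self.im + o.im)

    def __mul__(self, o):
        return Gauss(self.re * o.re - self.im * o.im, self.re * o.im + self.im * o.re)


def g(re, im=0) -> Gauss:
    return Gauss(Fraction(re), Fraction(im))


ZERO, ONE = g(0), g(1)
Elem = List[Gauss]  # x_0 + u x_1 + ... + u^{d-1} x_{d-1} is stored as [x_0, ..., x_{d-1}]


def theta(x: Gauss, j: int = 1) -> Gauss:
    """theta^j for theta = complex conjugation, the generator of Gal(Q(i)/Q) (order d = 2)."""
    return x if j % D == 0 else Gauss(x.re, -x.im)


def alg_mul(x: Elem, y: Elem, gamma: Fraction) -> Elem:
    """Product in A = (L/K, theta, gamma) from the relations x u = u theta(x) and u^d = gamma."""
    out = [ZERO] * D
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            term, k = theta(xi, j) * yj, i + j  # (u^i x_i)(u^j y_j) = u^{i+j} theta^j(x_i) y_j
            if k >= D:                          # u^d = gamma, and gamma is central
                term, k = term * g(gamma), k - D
            out[k] = out[k] + term
    return out


def phi(x: Elem, gamma: Fraction) -> List[List[Gauss]]:
    """Left regular representation: the d x d matrix over L displayed in the text."""
    return [[theta(x[i - j], j) if i >= j else g(gamma) * theta(x[D + i - j], j)
             for j in range(D)] for i in range(D)]


def mat_mul(A, B):
    return [[sum((A[i][k] * B[k][j] for k in range(D)), ZERO) for j in range(D)] for i in range(D)]


def mat_vec(A, v):
    return [sum((A[i][k] * v[k] for k in range(D)), ZERO) for i in range(D)]


def representation_holds(x: Elem, y: Elem, gamma: Fraction) -> bool:
    """phi(x) Vec(y) = Vec(xy) and phi(xy) = phi(x) phi(y); true for every gamma."""
    xy = alg_mul(x, y, gamma)
    return (mat_vec(phi(x, gamma), y) == xy
            and phi(xy, gamma) == mat_mul(phi(x, gamma), phi(y, gamma)))


def reduced_norm(x: Elem, gamma: Fraction) -> Fraction:
    """det phi(x) = N(x_0) - gamma N(x_1) for d = 2; it lies in K = Q and is nonzero for
    every nonzero x exactly when A is a division algebra."""
    M = phi(x, gamma)
    det = M[0][0] * M[1][1] + g(-1) * M[0][1] * M[1][0]
    assert det.im == 0
    return det.re


def is_norm_from_Qi(gamma: Fraction) -> bool:
    """gamma in N_{L/K}(L), i.e. gamma = a^2 + b^2 with a, b rational.  For gamma = p/q in
    lowest terms this holds iff gamma >= 0 and every prime that is 3 mod 4 divides p*q to
    an even power (Fermat's two-squares criterion applied to p*q = gamma * q^2)."""
    if gamma <= 0:
        return gamma == 0
    m, p = gamma.numerator * gamma.denominator, 2
    while p * p <= m:
        e = 0
        while m % p == 0:
            m, e = m // p, e + 1
        if p % 4 == 3 and e % 2 == 1:
            return False
        p += 1
    return not (m > 1 and m % 4 == 3)


def non_norm_condition(gamma: Fraction) -> bool:
    """Proposition 1 for this algebra: no gamma^t with 1 <= t <= d-1 is a norm from L."""
    return all(not is_norm_from_Qi(gamma ** t) for t in range(1, D))


def zero_divisor_pair(l: Gauss):
    """If gamma = N(l) is a norm, (l + u)(theta(l) - u) = N(l) - gamma = 0, so A is not division."""
    return [l, ONE], [theta(l), g(-1)]
```

For \(\gamma = -1\) one gets \(u^2 = -1\) and \(iu = -ui\), the quaternion relations; for \(\gamma = 5 = N(2+i)\) the pair returned by `zero_divisor_pair(g(2, 1))` multiplies to zero and \(\phi (2 + i + u)\) is singular, even though \(\phi \) is still a ring homomorphism.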

Order Ideals

Analogous to the use of \({\mathcal {O}}_K\) ideals in RLWE, we will be interested in ideals of an order \(\varLambda \) of a cyclic division algebra \({\mathcal {A}}\). Although \(\varLambda \) is a ring, it is non-commutative—thus there are three types of ideals. A left (respectively right) ideal \({\mathcal {I}}\) of \(\varLambda \) is an additive subgroup of \(\varLambda \) such that for any \(i \in {\mathcal {I}}, r \in \varLambda \), we have \(r \cdot i \in {\mathcal {I}}\) (respectively \(i \cdot r \in {\mathcal {I}}\)). A two-sided ideal of \(\varLambda \) is an additive subgroup that is closed under left and right scaling by \(\varLambda \), i.e., a right ideal that is also a left ideal. The sum and product of two ideals \({\mathcal {I}}, {\mathcal {J}}\) are defined as usual; \({\mathcal {I}} + {\mathcal {J}} = \lbrace i + j: i \in {\mathcal {I}}, j \in {\mathcal {J}} \rbrace \) and \({\mathcal {I}} \cdot {\mathcal {J}} = \lbrace \sum ^m_{l=1} i_l \cdot j_l : i_l \in {\mathcal {I}}, j_l \in {\mathcal {J}}, m \in {\mathbb {N}}\rbrace \). In the case of two-sided ideals we have the standard notion of a fractional ideal; \({\mathcal {I}}\) is a fractional ideal of \(\varLambda \) if \(c {\mathcal {I}} = {\mathcal {J}}\) for a two-sided ideal \({\mathcal {J}}\) and some nonzero \(c \in K\). In the rest of this paper, a (fractional or integral) ideal is always restricted to be two-sided, unless otherwise stated.

We remark that the structure of the collection of two-sided ideals of the natural order is not as simple as that of \({\mathcal {O}}_K\), or indeed that of an arbitrary maximal order. In a maximal order, the group of two-sided ideals is a free abelian group generated by the prime (i.e., maximal) ideals [43, Theorem 22.10], from which one can deduce the obvious definitions of inverse and coprime ideals. For a general order \(\varLambda \), we define its prime ideals as its maximal two-sided ideals, and the inverse of an ideal \({\mathcal {I}} \subset \varLambda \) is

$$\begin{aligned} {\mathcal {I}}^{-1} = \lbrace x \in {\mathcal {A}} : {\mathcal {I}} \cdot x \cdot {\mathcal {I}} \subset {\mathcal {I}} \rbrace , \end{aligned}$$

which lines up with the expected definition in the two-sided case (e.g., \({\mathcal {I}} \cdot {\mathcal {I}}^{-1} = {\mathcal {I}}^{-1} \cdot {\mathcal {I}} = \varLambda \)).

For the case of the natural order, we do not have such a well-behaved ideal group, but a nice exposition is given in [33, Sect. 3]. In particular, for a two-sided ideal \({\mathcal {I}} \subset \varLambda \), \({\mathcal {I}} \cap {\mathcal {O}}_K\) is an ideal of \({\mathcal {O}}_K\). For an ideal \({\mathcal {I}} \subset {\mathcal {O}}_K\), \(({\mathcal {I}}\cdot \varLambda ) \cap {\mathcal {O}}_K = {\mathcal {I}}\), from which it follows that this intersection map is a surjection onto the ideals of \({\mathcal {O}}_K\). However, it is not in general an injection since several ideals of \(\varLambda \) may have the same intersection with \({\mathcal {O}}_K\). Since the ideals of \(\varLambda \) do not in general form a finitely generated abelian group, we define two ideals \({\mathcal {I}}, {\mathcal {J}}\) of \(\varLambda \) to be coprime if \({\mathcal {I}} + {\mathcal {J}} = \varLambda \).

Nonetheless, since the orders to be constructed in Theorem 2 are both natural and maximal, it will always hold for a two-sided ideal \({\mathcal {I}}\) that \({\mathcal {I}} \cdot {\mathcal {I}}^{-1} = {\mathcal {I}}^{-1} \cdot {\mathcal {I}}= \varLambda \) and \(({\mathcal {I}}^{-1})^{-1} = {\mathcal {I}}\). These properties will be required in the proofs of Lemmas 6 and 7.

Some Useful Ideals

For an order \(\varLambda \) we define the codifferent ideal

$$\begin{aligned} \varLambda ^\vee = \lbrace x \in {\mathcal {A}} : \text {Tr}(x \varLambda ) \subset {\mathbb {Z}} \rbrace \end{aligned}$$

where Tr refers to the reduced trace, defined by Tr\((a) := \text {Tr}_{K/{\mathbb {Q}}}(\text {Trace}(\phi (a)))\). Similarly, for an ideal \({\mathcal {I}}\) we define the dual ideal

$$\begin{aligned} {\mathcal {I}}^\vee = \lbrace x \in {\mathcal {A}} : \text {Tr}(x{\mathcal {I}}) \subset {\mathbb {Z}}\rbrace . \end{aligned}$$

Since the matrix trace satisfies Trace(AB) = Trace(BA), this definition is two-sided. Note that the codifferent ideal and a general dual ideal may be fractional ideals rather than full ideals, and they satisfy the equality \({\mathcal {I}}^{\vee } = \varLambda ^{\vee } \cdot {\mathcal {I}}^{-1}\) for any ideal \({\mathcal {I}}\).

We will also be interested in principal ideals, but must take more care with these than in commutative settings. For a central element \(t \in K\), we can simply define \(\langle t \rangle = t \cdot \varLambda \), the set of elements of \(\varLambda \) divisible by t. However, for a general t that does not lie in the center of \(\varLambda \) we need the slightly more complex definition

$$\begin{aligned} \langle t \rangle = \left\{ \sum ^m_{i=1} r_i t s_i: r_i, s_i \in \varLambda , m \in {\mathbb {N}} \right\} , \end{aligned}$$

which is easily seen to be a two-sided ideal, and moreover the smallest one containing t.

Orders and Ideals as Lattices

Any order \(\varLambda \) of a cyclic algebra \({\mathcal {A}} = (L/K,\theta , \gamma )\) has dimension \(n d^2\) over \({\mathbb {Z}}\) and thus generates a lattice of dimension \(nd^2\) over \({\mathbb {Z}}\). We will consider the following representation of these lattices, which extends naturally to ideals of orders as well. Consider an element \(x = \bigoplus _{i = 0}^{d-1} u^i x_i \in \varLambda \). We can consider x as a vector over \(H_L\) of dimension d by \(\sigma _{\mathcal {A}}(x) := \lbrace \sigma _L(x_0), \sigma _L(x_1),\ldots ,\sigma _L(x_{d-1}) \rbrace \). Then, the collection \(\sigma _{\mathcal {A}}(\varLambda )\) forms a lattice of dimension \(nd^2\) over \({\mathbb {Z}}\). We will refer to this representation as the “module representation” and will sometimes double index the element x, denoting by \(x_{i,j}\) the embedding \(\sigma _j(x_i)\), and extend this notation in the obvious manner to the space \(\bigoplus _{i=0}^{d-1} u^iL_{\mathbb {R}}\). Though this representation is conceptually simple, we remark that it has some drawbacks in the case where \(\vert \sigma _i(\gamma ) \vert \ne 1\) for some i when considering sizes of lattice elements; we will choose \(\gamma \) carefully in our constructions to remove this issue.

As in (R)LWE, we will need to sample Gaussian distributions over our ambient space in certain norms. In the case of RLWE, the continuous Gaussians are sampled in \(K_{\mathbb {R}} \cong H\). Since a cyclic algebra \({\mathcal {A}}\) can be viewed as a d-dimensional algebra over L, we use the visualization from the previous subsection and sample our error distributions over \(\bigoplus _{i=0}^{d-1} u^iL_{\mathbb {R}}\), which as a vector space has the same structure as \({H_L}^d\). For simplicity we restrict ourselves to the case when \(\vert \sigma _i(\gamma ) \vert = 1\) for each i. Although this is a strong condition on \(\gamma \), it holds in the case where \(\gamma \) is a root of unity, which we will enforce later.

We consider the norm of an element of \({\mathcal {A}}\) to be equal to the norm of the corresponding module element in \(L^d\) of dimension \(nd^2\) used in [22], i.e., \(\Vert x \Vert = \Vert (\sigma _L(x_0), \sigma _L(x_1),\ldots ,\sigma _L(x_{d-1})) \Vert _2\) for \(x = x_0 + u x_1 + \ldots + u^{d-1} x_{d-1} \in {\mathcal {A}}\). It is straightforward to check that this is indeed a norm in the case where \(\vert \sigma _i(\gamma ) \vert = 1\) for each i, since \(\gamma \) is fixed under \(\theta \) and multiplying by \(\gamma \) does not change the norm of an entry of \(\sigma _L\). In fact, if \(\vert \sigma _i(\gamma ) \vert = 1\) for each i, \(\Vert x \Vert \) is equivalent to a representation in the Frobenius norm \(\Vert \cdot \Vert _{F}\) of matrices:

$$\begin{aligned} \Vert x \Vert ^2 = \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (x)) \Vert _{F}^2 \end{aligned}$$

where \(\sigma \), when applied to \(\phi (x)\), is a short notation of its extension to L. We have

$$\begin{aligned} \Vert xy \Vert ^2&= \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (xy)) \Vert _{F}^2 = \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (x)) \sigma (\phi (y))\Vert _{F}^2 \\&\le \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (x))\Vert _F^2 \Vert \sigma (\phi (y))\Vert _{F}^2 \\&\le \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (x))\Vert _F^2 \sum _{\sigma \in \sigma _K} \Vert \sigma (\phi (y))\Vert _{F}^2 = \Vert x \Vert ^2 \Vert y \Vert ^2 \end{aligned}$$

where the first inequality is due to the sub-multiplicativity of the Frobenius norm. In this case, the norm is therefore sub-multiplicative.

It is clear that this norm extends to any \(y \in \bigoplus _{i=0}^{d-1} u^i L_{\mathbb {R}}\) in a natural manner. Now that we have defined a norm, it is easy to define a Gaussian distribution \(D_{{{\textbf {r}}}}\) on \({\mathcal {A}}\), or its discrete analogue on \(\varLambda \) by sampling over the module \({L_{\mathbb {R}}}^d\).

The CRT

In this subsection we state the CRT for order ideals, and deduce some important consequences. We note that the following lemmas are merely adaptations of those in [27, Sect. 2.3.8] extended to the case of cyclic algebras. The first is just the CRT.

Lemma 4

Let \({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_r\) be pairwise coprime ideals of an order \(\varLambda \) of a cyclic algebra \({\mathcal {A}}\), and let \( {\mathcal {I}} = \prod _{i=1}^r {\mathcal {I}}_i\). Then, the natural map \(\varLambda \rightarrow \bigoplus _{i=1}^r (\varLambda /{\mathcal {I}}_i)\) induces an isomorphism \(\varLambda /{\mathcal {I}} \rightarrow \bigoplus _{i=1}^r (\varLambda /{\mathcal {I}}_i)\).

We call a CRT basis for a set of coprime order ideals \({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_r\) a basis \(C = \lbrace c_1,\ldots ,c_r \rbrace \) of elements of \(\varLambda \) satisfying \(c_i = 1 \mod \mathcal {I}_i, c_i = 0 \mod \mathcal {I}_j\) for \(i \ne j\).

Lemma 5

Given pairwise coprime ideals \({\mathcal {I}}_1,\ldots ,{\mathcal {I}}_r\) of an order \(\varLambda \), there is a deterministic polynomial time algorithm that outputs a CRT basis \(c_1,\ldots ,c_r \in \varLambda \) for those ideals.

The proof is the same as in the ring case [27, Lemma 2.13]. Using Lemma 5 we can efficiently invert the natural CRT isomorphism. Given \(a = (a_1,\ldots ,a_r) \in \bigoplus _{i=1}^r (\varLambda /{\mathcal {I}}_i)\), it can be easily checked that its inverse is \(b = \sum _{i=1}^r a_i c_i \mod \mathcal {I}\).

The next two lemmas will be required later to construct an efficiently invertible bijection between quotient spaces \({\mathcal {I}}/\langle q \rangle \cdot {\mathcal {I}}\) and \(\varLambda /\langle q \rangle \).

Lemma 6

Assume q is unramified in L. Let \({\mathcal {I}}\) be an ideal of the natural order \(\varLambda \) which is maximal and let \({\mathcal {J}} = q \cdot \varLambda = \langle q \rangle \cdot \varLambda \), where q is a prime integer and \(\langle q \rangle = \prod _{i=1}^r {\mathfrak {q}}_i\) is a decomposition into prime ideals in \({\mathcal {O}}_K\). Assume \(\gamma \notin {\mathfrak {q}}_i\) for each i. Then, there exists an element \(t \in {\mathcal {I}}\cap {\mathcal {O}}_K\) such that the ideal \(t \cdot {\mathcal {I}}^{-1} \subset \varLambda \) is coprime to \({\mathcal {J}}\), and we can compute such a t efficiently given \({\mathcal {I}}\) and the prime factorization of \({\mathcal {J}}\).

Remark 1

The condition on \(\gamma \) will be immaterial in our use case, since when \(\gamma \) is a unit the only \({\mathcal {O}}_K\) ideal that contains \(\gamma \) is \({\mathcal {O}}_K\) itself. Meanwhile, the unramification of q will arise (relatively) naturally in the work, so it is not really a restriction.

Proof

For an ideal \({\mathcal {I}}\) denote by \(\overline{{\mathcal {I}}}\) its intersection with K, which is a non-trivial ideal of \({\mathcal {O}}_K\) (see [33, Sect. 3]). We apply the corresponding [27, Lemma 2.14] to obtain \(t \in \overline{{\mathcal {I}}}\) such that \(t \cdot \overline{{\mathcal {I}}}^{-1}\) and \(\overline{{\mathcal {J}}}\) are coprime as ideals of \({\mathcal {O}}_K\) and \(t \in \overline{{\mathcal {I}}} \setminus \bigcup _{i=1}^r {\mathfrak {q}}_i \cdot \overline{{\mathcal {I}}}\). Assume, for a contradiction, that \(t \cdot {\mathcal {I}}^{-1} + {\mathcal {J}} \ne \varLambda \), i.e., the ideals are not coprime. Then, there is some maximal ideal \({\mathcal {M}}\) of \(\varLambda \) containing \(t \cdot {\mathcal {I}}^{-1}\) and \({\mathcal {J}}\). Since q is unramified in L and \(\gamma \notin {\mathfrak {q}}_i\), by [33, Propositions 1 and 4], this ideal must be one of the ideals \({\mathfrak {q}}_i \cdot \varLambda \) since it contains \({\mathcal {J}}\). Then \(t \cdot {\mathcal {I}}^{-1} \subset {\mathfrak {q}}_i \cdot \varLambda \) and consequently \(t \in {\mathfrak {q}}_i \cdot {\mathcal {I}}\) because \({\mathcal {I}}\cdot {\mathcal {I}}^{-1}=\varLambda \) in a maximal order. Since t and \({\mathfrak {q}}_i\) are central, it follows that \(t \in {\mathfrak {q}}_i \cdot \overline{{\mathcal {I}}}\), a contradiction. \(\square \)

The next lemma will be the one we use in our reduction. As in RLWE, in practice we are interested in the case where \({\mathcal {J}} = \langle q \rangle \) for a prime integer q and \({\mathcal {P}} = \varLambda ^\vee \). We will use the familiar notation \({\mathcal {I}}_q := {\mathcal {I}}/q \cdot {\mathcal {I}}\) for an ideal \({\mathcal {I}}\) and \(q \in {\mathbb {Z}}\) throughout the paper.

Lemma 7

Let \(\varLambda \), \(\gamma \) and q be given in Lemma 6. Let \({\mathcal {I}}, {\mathcal {J}}\) be ideals of \(\varLambda \), with \(t \in {\mathcal {I}}\cap {\mathcal {O}}_K\) chosen as above such that \( t \cdot {\mathcal {I}}^{-1}\) and \({\mathcal {J}}\) are coprime as ideals, and let \({\mathcal {P}}\) denote an arbitrary fractional ideal of \(\varLambda \). Then, the function \(\chi _t: {\mathcal {A}} \rightarrow {\mathcal {A}}\) defined as \(\chi _t(x) = t \cdot x\) induces a module isomorphism from \({\mathcal {P}}/{\mathcal {J}} \cdot {\mathcal {P}} \rightarrow {\mathcal {I}}\cdot {\mathcal {P}}/ {\mathcal {I}} \cdot {\mathcal {J}} \cdot {\mathcal {P}}\). Furthermore, in the case \({\mathcal {J}} = \langle q \rangle \) for a prime integer q we can efficiently compute the inverse.

Proof

The proof is similar to that of [27]. Since t lies in the center of \(\varLambda \), it is clear that multiplication by t induces a module homomorphism. Given the map \(\chi _t: {\mathcal {P}} \rightarrow {\mathcal {I}}\cdot {\mathcal {P}}/{\mathcal {I}} \cdot {\mathcal {J}}\cdot {\mathcal {P}}\) and \(j \in {\mathcal {J}} \cdot {\mathcal {P}}\), \(\chi _t(j) = t \cdot j \in {\mathcal {I}} \cdot {\mathcal {J}} \cdot {\mathcal {P}}\), so it is clear that \({\mathcal {J}} \cdot {\mathcal {P}}\) is in the kernel of this map. Conversely, if \(\chi _t(x) = 0\) then \(t \cdot x \in {\mathcal {I}} \cdot {\mathcal {J}} \cdot {\mathcal {P}}\), from which it follows that \({\mathcal {I}}^{-1} \cdot t \cdot x \subset {\mathcal {J}} \cdot {\mathcal {P}}\). From the definition of coprime, \(t \cdot {\mathcal {I}}^{-1} + {\mathcal {J}} = \varLambda \), from which it follows that there exists \(a \in t \cdot {\mathcal {I}}^{-1}, b \in {\mathcal {J}}\) such that \(a + b = 1\). Hence, \(x = (a+b)\cdot x = a \cdot x + b \cdot x\). Since \(a \cdot x, b \cdot x \in {\mathcal {J}} \cdot {\mathcal {P}}\), it follows that \(x \in {\mathcal {J}} \cdot {\mathcal {P}}\), from which injectivity follows immediately.

To demonstrate efficient invertibility, we must work slightly harder. Now let \( {\mathcal {J}} = \langle q \rangle \). Compute t as in Lemma 6 and observe that the bijection \(\chi _t : \varLambda _q \rightarrow {\mathcal {I}}_q\) is an additive homomorphism. Thus, it suffices to compute the inverse of all elements of a \({\mathbb {Z}}\) basis of \({\mathcal {I}}_q\), since then any element can be inverted by computing its representation in this basis and inverting that. We construct such a basis as follows. First, choose \(n^2 \cdot d^4\) elements \(x_i, i = 1,\ldots , n^2 \cdot d^4\) from \(\varLambda _q\) uniformly at random and compute \(y_i = \chi _t (x_i)\) for each i. It follows that each \(y_i\) is a uniformly random element of \({\mathcal {I}}_q\). Then, with high probability the \(y_i\)’s form a spanning set of \({\mathcal {I}}_q\) (see the following lemma), which we can reduce to a \({\mathbb {Z}}\) basis \(y_1',\ldots ,y_{n \cdot d^2}'\). This basis satisfies the desired property that each element has a known inverse. If this algorithm fails (i.e., there is no suitable basis \(y_1',\ldots ,y_{n \cdot d^2}'\)), we repeat, choosing a fresh set of elements \(x_1,\ldots ,x_{n^2 \cdot d^4}\) until we succeed. \(\square \)

Lemma 8

Given a set of \(n^2 \cdot d^4\) independent and uniformly random elements \(\varXi \subset {\mathbb {Z}}_q^{n \cdot d^2}\), the probability that \(\varXi \) contains no set of \(n \cdot d^2\) linearly independent vectors (over \({\mathbb {Z}}_q\)) is exponentially small in d.

This lemma is a straightforward adaptation of Corollary 3.16 of [42].
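The basis-inversion procedure in the proof of Lemma 7, together with the spanning-set claim of Lemma 8, can be run on a toy stand-in for \(\chi _t\). The Python below is an added example and not code from the paper: it replaces the map \(\varLambda _q \rightarrow {\mathcal {I}}_q\) by a constructed invertible \({\mathbb {Z}}_q\)-linear map on \({\mathbb {Z}}_q^k\) (with k playing the role of \(n d^2\) and a prime q), draws \(k^2\) random inputs, reduces their images to a basis while carrying the known preimages along, and inverts an arbitrary target by solving for its coordinates in that basis. All function names and parameters are the example's own.

```python
import random

def echelon_with_preimages(pairs, q):
    """Row-reduce the images y over Z_q (q prime), carrying each known preimage x along.
    Every row operation is a Z_q-linear combination of earlier rows, so for an additive
    map chi each surviving pair (y', x') still satisfies chi(x') = y'."""
    basis = []                                   # entries (pivot column, y', x')
    for y0, x0 in pairs:
        y, x = list(y0), list(x0)
        for piv, by, bx in basis:                # clear the pivots already in the basis
            c = y[piv]
            if c:
                y = [(u - c * v) % q for u, v in zip(y, by)]
                x = [(u - c * v) % q for u, v in zip(x, bx)]
        piv = next((i for i, v in enumerate(y) if v), None)
        if piv is None:
            continue                             # y was already in the span
        inv = pow(y[piv], -1, q)
        basis.append((piv, [v * inv % q for v in y], [v * inv % q for v in x]))
    return basis

def invert_via_basis(basis, y0, q):
    """Express y0 in the basis of images and return the same combination of the
    stored preimages (None if y0 lies outside the span)."""
    y, x = list(y0), [0] * len(basis[0][2])
    for piv, by, bx in basis:
        c = y[piv]
        if c:
            y = [(u - c * v) % q for u, v in zip(y, by)]
            x = [(u + c * v) % q for u, v in zip(x, bx)]
    return x if not any(y) else None

def linear_map(T, q):
    """Constructed stand-in for chi_t: x -> T x over Z_q (hypothetical, not the paper's map)."""
    return lambda x: [sum(t * v for t, v in zip(row, x)) % q for row in T]

def random_invertible(k, q, rng):
    """Random k x k matrix over Z_q, resampled until its rows have full rank."""
    while True:
        T = [[rng.randrange(q) for _ in range(k)] for _ in range(k)]
        if len(echelon_with_preimages([(row, row) for row in T], q)) == k:
            return T

def build_basis(chi, k, q, rng, attempts=20):
    """The loop of Lemma 7: draw k^2 random x_i, map them, keep a basis of the images
    with known preimages, and retry with fresh x_i if they fail to span."""
    for _ in range(attempts):
        xs = [[rng.randrange(q) for _ in range(k)] for _ in range(k * k)]
        basis = echelon_with_preimages([(chi(x), x) for x in xs], q)
        if len(basis) == k:
            return basis
    raise RuntimeError("no spanning set after %d attempts" % attempts)

def spanning_failure_rate(k, q, trials, seed):
    """Empirical form of Lemma 8: how often do k^2 uniform vectors fail to span Z_q^k?"""
    rng = random.Random(seed)
    fails = 0
    for _ in range(trials):
        vs = [[rng.randrange(q) for _ in range(k)] for _ in range(k * k)]
        if len(echelon_with_preimages([(v, v) for v in vs], q)) < k:
            fails += 1
    return fails / trials

def demo(k=6, q=13, seed=7):
    """Build the inverter for a random invertible chi and invert a random target."""
    rng = random.Random(seed)
    chi = linear_map(random_invertible(k, q, rng), q)
    basis = build_basis(chi, k, q, rng)
    y = [rng.randrange(q) for _ in range(k)]
    x = invert_via_basis(basis, y, q)
    return chi(x) == y
```

The carried-along preimage is the whole point of the construction: the reduction never needs to invert \(\chi _t\) itself, only to track which linear combination of the random inputs produced each basis vector, which is exactly what makes the map efficiently invertible once a basis of images has been found.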

Lattice Problems

Computational problems on lattices represent the foundations of the security of (R)LWE, and will do so for our Cyclic LWE as well. The standard lattice problems are as follows.

Definition 11

Let \(\Vert \cdot \Vert \) be some norm on \({\mathbb {R}}^n\) and let \(\xi \ge 1\). Then the approximate Shortest Vector Problem (\(\hbox {SVP}_\xi \)) on input a lattice \({\mathcal {L}}\) is to find some nonzero vector \({{\textbf {x}}}\) such that \(\Vert {{\textbf {x}}} \Vert \le \xi \cdot \lambda _1({\mathcal {L}})\).

Definition 12

Let \(\Vert \cdot \Vert \) be some norm on \({\mathbb {R}}^n\) and let \(\xi \ge 1\). Then the (approximate) Shortest Independent Vectors Problem (\(\hbox {SIVP}_\xi \)) on input a lattice \({\mathcal {L}}\) is to find n linearly independent nonzero vectors \({{\textbf {x}}}_1,\ldots ,{{\textbf {x}}}_n\) such that \(\max _{i}(\Vert {{\textbf {x}}}_i \Vert ) \le \xi \cdot \lambda _n({\mathcal {L}})\).

Definition 13

Let \(\Vert \cdot \Vert \) be some norm on \({\mathbb {R}}^n\), let \({\mathcal {L}}\) be a lattice, and let \(d < \lambda _1({\mathcal {L}})/2\). Then the Bounded Distance Decoding problem (\(\hbox {BDD}_{{\mathcal {L}}, d}\)) on input \({{\textbf {y}}} = {{\textbf {x}}} + {{\textbf {e}}}\) for \({{\textbf {x}}} \in {\mathcal {L}}\) and \(\Vert {{\textbf {e}}} \Vert \le d\) is to compute \({{\textbf {x}}}\), or equivalently \({{\textbf {e}}}\).

The above problems are all well investigated and believed to be sufficiently hard to base post-quantum cryptographic security on; there are no known algorithms for any of these problems (for suitable parameters) running in polynomial time in dimension n.

Unfortunately, these problems are not directly suitable for CLWE, where we will be interested in their adaptations to lattices generated by order ideals, similarly to how ideal lattices are used in the ring case. Specifically, we consider the same problems on the lattices that these ideals induce under the map \(\sigma _{\mathcal {A}}(\cdot )\). So, SVP becomes:

Definition 14

Let \({\mathcal {A}}\) be a cyclic algebra, let \({\mathcal {I}}\) be some (possibly fractional) ideal of the natural order \(\varLambda \). Then, for an approximation factor \(\xi \ge 1\), the \({\mathcal {A}}\)-\(\hbox {SVP}_\xi \) is to find a nonzero element \(a \in {\mathcal {I}}\) such that \(\vert a \vert := \Vert \sigma _{\mathcal {A}}(a) \Vert _2 \le \xi \cdot \lambda _1({\mathcal {I}})\), where as usual \(\lambda _1({\mathcal {I}})\) denotes the minimal length of nonzero elements of \({\mathcal {I}}\) in the given norm.

Remark 2

When we use these problems in our security reductions, we will assume that the ideals are in fact integral ideals (e.g., we exclude fractional ideals). Observe that this may be done without loss of generality, since solving the \({\mathcal {A}}\)-SVP problem on the fractional ideal \({\mathcal {I}}\) may be done by solving it on the integral ideal \(c {\mathcal {I}}\) (where \(c \in K\) is the element such that \(c{\mathcal {I}}\) is integral) and rescaling the solution.

Essentially we have a specialized version of the SVP problem; we must find an element of \({\mathcal {I}}\) with minimal norm (up to approximation factor) in the ideal \({\mathcal {I}}\). The extension of SIVP to \({\mathcal {A}}\)-SIVP is analogous, but since we consider our objects as \({\mathbb {Z}}\)-lattices we require the independent ‘vectors’ \(a_1,\ldots ,a_r\) to be linearly independent over \({\mathbb {Z}}\). For BDD, we need a suitable ambient space, and use the following definition.

Definition 15

Let \({\mathcal {A}}\) be a cyclic algebra, let \({\mathcal {I}}\) be some (possibly fractional) ideal of a maximal \({\mathbb {Z}}\)-order \(\varLambda \), and let \(\delta < \lambda _1({\mathcal {I}})/2\). Then the \({\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}}, \delta }\) problem, on input \(y = x + e\) for \(x \in {\mathcal {I}}\) and \(e \in \bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}}\) satisfying \(\vert e \vert \le \delta \), is to compute x.

The Learning with Errors Problem

We will briefly recall the initial Learning With Errors (LWE) problem here; in Sect. 3 we will extend it to cyclic algebras. The problem comes in two forms, search and decision, both of which are based on the LWE distribution. Let n and q be positive integers, and let \(\alpha > 0\) be some error parameter. Define \({\mathbb {T}} := {\mathbb {R}}/ {\mathbb {Z}}\), the unit torus.

Definition 16

For a secret \({{\textbf {s}}} \in {\mathbb {Z}}_q^n\), a sample \(({{\textbf {a}}}, b) \leftarrow A_{{{\textbf {s}}}, \alpha }\) is taken by sampling a uniformly random vector \({{\textbf {a}}} \in {\mathbb {Z}}_q^n\) and \(e \leftarrow D_\alpha \) and outputting \(({{\textbf {a}}},b) = ({{\textbf {a}}}, \langle {{\textbf {a}}}, {{\textbf {s}}} \rangle /q + e \mod \mathbb {Z})\).

Given the above distribution, the LWE problem comes in two forms.

Definition 17

The search LWE problem is to recover \({{\textbf {s}}}\) from a collection of samples \(A_{{{\textbf {s}}}, \alpha }\). The decision LWE problem on input a collection of samples on \({\mathbb {Z}}_q^n \times {\mathbb {T}}\) is to decide whether they are uniform samples or were taken from \(A_{{{\textbf {s}}}, \alpha }\) for some secret \({{\textbf {s}}}\), where \({{\textbf {s}}}\) is drawn uniformly at random from \({\mathbb {Z}}_q^n\).

Typically, the number of samples provided in each of these problems depends on the application. Since the decision problem has a probabilistic element, we will be interested in the advantage of the algorithms that solve it, which is defined as the difference between their acceptance probabilities on samples from an LWE distribution \(A_{{{\textbf {s}}}, \alpha }\) and on samples from the uniform distribution. In practice, the decision problem is of more interest in cryptography.

We will not define the popular extensions of these problems to number fields or modules, known as Ring-LWE and Module-LWE, but the unfamiliar reader may find details in [27] and [22], respectively, both of which we reference frequently in this work.

The CLWE Problem

In this section we present the general definition of CLWE together with justifications for choices made in the definition, as well as constructions of specific algebras to use. We will save the security properties for Sect. 4.1.

Definition 18

Let L/K be a Galois extension of number fields of dimension \([L : K] = d\), \([K: {\mathbb {Q}}] = n\) with cyclic Galois group generated by \(\theta (\cdot )\). Let \({\mathcal {A}} := (L/K, \theta , \gamma )\) be the resulting cyclic algebra with center K and invariant u with \(u^d = \gamma \in {\mathcal {O}}_K\). Let \(\varLambda \) be an order of \({\mathcal {A}}\). For an error distribution \(\psi \) over \(\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}}\), an integer modulus \(q \ge 2\), and a secret \(s \in \varLambda ^\vee _q\), a sample from the CLWE distribution \(\varPi _{q, s, \psi }\) is obtained by sampling \(a \leftarrow \varLambda _q\) uniformly at random, \(e \leftarrow \psi \), and outputting \((a,b) =(a, (a \cdot s)/q + e \mod \varLambda ^\vee ) \in (\varLambda _q, \bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}})/\varLambda ^\vee \).

Remark 3

Unlike in commutative spaces, the order of multiplication of a and s is important; our choice is \((a \cdot s)\), but similar security properties would hold if one took \((s \cdot a)\) instead. Also observe that our modulo reduction in the second coordinate of the pair is well defined, since \((a \cdot s) \in \varLambda ^\vee _q\).

As usual, the associated CLWE problem will come in search and decision variants.

Definition 19

Let \(\varPsi \) be a family of error distributions over \(\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}}\). The search CLWE problem, which we denote by \(\hbox {CLWE}_{q, s, \psi }\), is to recover s from a collection of independent samples from \(\varPi _{q,s, \psi }\) for arbitrary \(s \in \varLambda ^\vee _q\) and \(\psi \in \varPsi \).

We do not state the number of samples allowed for this (or the next) problem, as typically it depends on the application.

Definition 20

Let \(\varUpsilon \) be some distribution on a family of error distributions over \(\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}}\) and \(U_\varLambda \) denote the uniform distribution on \((\varLambda _q, (\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}})/\varLambda ^\vee )\). Then, the decision CLWE problem, written D-\(\hbox {CLWE}_{q, \varUpsilon }\), is on input a collection of independent samples from either \(\varPi _{q, s, \psi }\) for a random choice of \((s, \psi ) \leftarrow U(\varLambda ^\vee _q) \times \varUpsilon \) or from \(U_\varLambda \), to decide which is the case with non-negligible advantage.

Discussions

Relation to Module-LWE

First, we explain why we choose the order of multiplication \(a \cdot s\). As discussed in the introduction, the transformation from a (primal) RLWE sample to n related LWE samples provides our motivation. Here, one RLWE sample \(a \cdot s + e\), where \(a,s,e \in R_q \cong \frac{{\mathbb {Z}}_q[x]}{x^n+1}\), generates n LWE samples by considering the multiplication operation as \(A{{\textbf {s}}} + {{\textbf {e}}}\), where \(A :=\) rot(a) is a negacyclic matrix. For appropriate choices of error distributions, this is precisely n LWE samples with the exception that there is some structure in the matrix A. By ordering the multiplication \(a \cdot s\), we get a similar transform from CLWE to MLWE. Assuming for now that we have a discretized form of CLWE, and observing that for \(q \in {\mathbb {Z}}\) we have \(\varLambda _q \cong \bigoplus _{i=0}^{d-1} u^i {\mathcal {O}}_L/q {\mathcal {O}}_L\) (see [33]), we transform a CLWE sample \(a \cdot s + e\) into matrix–vector form to get \(\phi (a) \cdot {{\textbf {s}}} + {{\textbf {e}}}\), where \({{\textbf {s}}}\) and \({{\textbf {e}}}\) are vectors of dimension d over \({\mathcal {O}}_L/q {\mathcal {O}}_L\). Setting \(A = \phi (a)\), one can see that for appropriate choices of error distribution this is similar to d samples from the MLWE distribution with some additional structure in the matrix A, as intended.
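The RLWE-to-LWE expansion via rot(a) that motivates the ordering \(a \cdot s\) can be exercised directly. The Python below is an added example, not code from the paper: it builds rot(a) for \(R_q = {\mathbb {Z}}_q[x]/(x^n+1)\), checks that rot(a)s agrees with the polynomial product, and reads the n LWE samples of Definition 16 (here in the integer form \(b_i = \langle {{\textbf {a}}}_i, {{\textbf {s}}} \rangle + e_i \bmod q\)) off its rows. The error distribution (uniform on \(\lbrace -1, 0, 1 \rbrace \)) and the parameters are constructed for the demonstration and stand in for a discretised Gaussian.

```python
import random

def negacyclic_mul(a, b, q):
    """Coefficients of a*b in Z_q[x]/(x^n + 1); a and b are length-n coefficient lists."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] = (out[i + j] + ai * bj) % q
            else:                          # x^n = -1: wrap around with a sign flip
                out[i + j - n] = (out[i + j - n] - ai * bj) % q
    return out

def rot(a, q):
    """Negacyclic matrix of a: column j holds the coefficients of a*x^j mod (x^n + 1),
    so rot(a)*s is the coefficient vector of the product a*s."""
    n = len(a)
    return [[a[i - j] % q if i >= j else (-a[n + i - j]) % q for j in range(n)]
            for i in range(n)]

def matvec(M, v, q):
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2], used to read a small error back."""
    return x - q if x > q // 2 else x

def rlwe_sample(s, q, rng):
    """One primal RLWE sample (a, b = a*s + e) with a constructed error uniform on {-1, 0, 1}."""
    n = len(s)
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice((-1, 0, 1)) for _ in range(n)]
    b = [(c + ei) % q for c, ei in zip(negacyclic_mul(a, s, q), e)]
    return a, b, e

def lwe_samples_from_rlwe(a, b, q):
    """The n LWE samples (a_i, b_i) hidden in one RLWE sample: a_i is row i of rot(a)."""
    return list(zip(rot(a, q), b))

def residual_errors(samples, s, q):
    """b_i - <a_i, s> mod q for each expanded sample; equals e_i for a genuine sample."""
    return [centered((bi - sum(x * y for x, y in zip(ai, s))) % q, q) for ai, bi in samples]

def demo(n=8, q=257, seed=1):
    """Check rot(a)s = a*s and that the expanded rows carry exactly the original errors."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    a, b, e = rlwe_sample(s, q, rng)
    rot_agrees = matvec(rot(a, q), s, q) == negacyclic_mul(a, s, q)
    errors_recovered = residual_errors(lwe_samples_from_rlwe(a, b, q), s, q) == e
    return rot_agrees, errors_recovered
```

The structure the text refers to is visible in `rot`: the whole matrix is determined by its first column, so the n LWE samples share n rather than n² random coefficients. The CLWE-to-MLWE transform replaces rot(a) by \(\phi (a)\) and the coefficient vectors by vectors over \({\mathcal {O}}_L/q{\mathcal {O}}_L\), but the mechanism is the same.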

The Natural Order vs. Maximal Order

In this work we consider the case where the natural order \(\varLambda \) of \({\mathcal {A}}\) is also a maximal order. The benefit of using the natural order is that it is simple to construct and represent, whereas finding a maximal order is computationally slow. Additionally, the natural order is somewhat orthogonal, in the sense that it has the same span in each \(u^i\) coordinate independently of the other coordinates. This is advantageous when considering the relation to MLWE, where the module is always taken to be the full module \({\mathcal {O}}_K^d\).

As mentioned above, two-sided ideals in a maximal order form a free abelian group, which is not necessarily the case in the natural order. Further, as lattices, a maximal order gives denser (maximally so) sphere packing than the natural order, since the latter is a sublattice (of at least one maximal order). Fortunately, we will construct in Theorem 2 cyclic algebras whose natural order is also maximal, thus enjoying both the simplicity of the natural order and the convenience of a maximal order.

Example 2

The quaternion algebra over \({\mathbb {Q}}\) is defined by \({\mathbb {H}} = \left\{ x + jy: x, y \in {\mathbb {Q}}(i)\right\} \), with the usual relations \(i^2=j^2=-1\) and \(ij = -ji\). It can be seen as a cyclic division algebra \(({\mathbb {Q}}(i)/{\mathbb {Q}}, \overline{(\cdot )}, -1)\) where \(\overline{(\cdot )}\) denotes the complex conjugate and \(-1\) is a non-norm element. A quaternion has matrix representation

$$\begin{aligned} \left( \begin{array}{cc} x & -{\overline{y}} \\ y & {\overline{x}} \end{array}\right) . \end{aligned}$$

The Lipschitz integers \({\mathcal {L}} \subset {\mathbb {H}}\) form the (non-maximal) natural order \({\mathcal {L}}=\left\{ x+jy : x, y \in {\mathbb {Z}}[i]\right\} .\) The maximal Hurwitz order is given by

$$\begin{aligned} {\mathcal {H}} = \left\{ a+bi+cj+d(-1+i+j+ij)/2 : a, b, c, d \in {\mathbb {Z}}\right\} . \end{aligned}$$

It is easy to check that, as \({\mathbb {Z}}\)-lattices of dimension 4, the Lipschitz order is a sublattice of the Hurwitz order, of index 2.
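The Frobenius-norm identity and sub-multiplicativity from the subsection on orders and ideals as lattices, and the claims of Example 2, can both be checked concretely in the quaternion algebra. The following Python is an added example and not code from the paper; it assumes the multiplication rule forced by \(u \ell = \theta (\ell ) u\) and \(u^2 = \gamma = -1\) with \(u = j\) and \(\theta \) complex conjugation, and uses that \(K = {\mathbb {Q}}\) has a single embedding, so the norm reduces to \(\Vert x \Vert ^2 = \Vert \phi (x) \Vert _F^2\). Function and variable names are the example's own.

```python
from fractions import Fraction as Fr

# ---- Q(i) arithmetic: a Gaussian rational is a pair (re, im) of Fractions ----
def gadd(a, b): return (a[0] + b[0], a[1] + b[1])
def gmul(a, b): return (a[0] * b[0] - a[1] * b[1], a[0] * b[1] + a[1] * b[0])
def gneg(a): return (-a[0], -a[1])
def gconj(a): return (a[0], -a[1])           # theta = complex conjugation
def gabs2(a): return a[0] * a[0] + a[1] * a[1]
G0, G1, GI = (Fr(0), Fr(0)), (Fr(1), Fr(0)), (Fr(0), Fr(1))

# ---- quaternions: the pair (x, y) stands for x + j*y with x, y in Q(i) ----
# Multiplication is forced by j*l = conj(l)*j (u*l = theta(l)*u) and j^2 = -1 (gamma = -1):
#   (x + j y)(x' + j y') = (x x' - conj(y) y') + j (conj(x) y' + y x')
def qadd(p, q): return (gadd(p[0], q[0]), gadd(p[1], q[1]))
def qneg(p): return (gneg(p[0]), gneg(p[1]))
def qmul(p, q):
    (x, y), (xp, yp) = p, q
    return (gadd(gmul(x, xp), gneg(gmul(gconj(y), yp))),
            gadd(gmul(gconj(x), yp), gmul(y, xp)))

ONE, I, J = (G1, G0), (GI, G0), (G0, G1)
K = qmul(I, J)                                                   # ij
OMEGA = ((Fr(-1, 2), Fr(1, 2)), (Fr(1, 2), Fr(-1, 2)))           # (-1 + i + j + ij)/2

def phi(p):
    """The 2x2 matrix [[x, -conj(y)], [y, conj(x)]] of Example 2 (entries in Q(i))."""
    x, y = p
    return [[x, gneg(gconj(y))], [y, gconj(x)]]

def mmul(A, B):
    return [[gadd(gmul(A[r][0], B[0][c]), gmul(A[r][1], B[1][c]))
             for c in range(2)] for r in range(2)]

def check_relations():
    """i^2 = j^2 = -1 and ij = -ji, both in the algebra and for the matrices phi(i), phi(j)."""
    neg_one = qneg(ONE)
    in_algebra = (qmul(I, I) == neg_one and qmul(J, J) == neg_one
                  and qmul(I, J) == qneg(qmul(J, I)))
    neg_ji = [[gneg(e) for e in row] for row in mmul(phi(J), phi(I))]
    in_matrices = mmul(phi(I), phi(J)) == neg_ji
    return in_algebra and in_matrices

def phi_is_multiplicative(samples):
    """phi(pq) = phi(p) phi(q) for every pair drawn from samples."""
    return all(phi(qmul(p, q)) == mmul(phi(p), phi(q)) for p in samples for q in samples)

def norm_sq(p):
    """||p||^2 = ||phi(p)||_F^2: K = Q has one embedding, so the sum over sigma has one term."""
    return sum(gabs2(e) for row in phi(p) for e in row)

def norm_submultiplicative(samples):
    return all(norm_sq(qmul(p, q)) <= norm_sq(p) * norm_sq(q) for p in samples for q in samples)

# ---- the two orders as Z-lattices, in coordinates w.r.t. the basis 1, i, j, ij ----
def coords(p):
    (a, b), (c, d) = p          # x + j*y = a + b i + c j + d (j i), and j i = -ij
    return [a, b, c, -d]

def det(M):
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** c * M[0][c] * det([row[:c] + row[c + 1:] for row in M[1:]])
               for c in range(len(M)))

LIPSCHITZ = [ONE, I, J, K]
HURWITZ = [ONE, I, J, OMEGA]

def lipschitz_inside_hurwitz():
    """Containment reduces to ij = 1 - i - j + 2*omega, an integer combination of the Hurwitz basis."""
    rhs = qadd(qadd(ONE, qneg(qadd(I, J))), qadd(OMEGA, OMEGA))
    return rhs == K

def lipschitz_index_in_hurwitz():
    """[Hurwitz : Lipschitz] = |det(Lipschitz basis)| / |det(Hurwitz basis)|."""
    d_l = abs(det([coords(v) for v in LIPSCHITZ]))
    d_h = abs(det([coords(v) for v in HURWITZ]))
    return d_l / d_h

# constructed sample quaternions for the multiplicativity and norm checks
SAMPLES = [ONE, I, J, K, OMEGA, ((Fr(2), Fr(-3)), (Fr(1, 2), Fr(5)))]
```

Here `lipschitz_index_in_hurwitz()` returns 2, as the example states. In this algebra \(\Vert \phi (x) \Vert _F^2\) is twice the reduced norm \(\det \phi (x) = x{\overline{x}} + y{\overline{y}}\), and the determinant is multiplicative, so the sub-multiplicativity inequality holds with room to spare: \(\Vert xy \Vert ^2 = \Vert x \Vert ^2 \Vert y \Vert ^2 / 2\) exactly.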

A Pair of Number Fields

In MLWE, we are free to choose the dimension of our module over the underlying number field K. However, in the cyclic algebra case we are restricted to cases where we can find L, K and \(\gamma \) such that \({\mathcal {A}} = (L/K, \theta , \gamma )\) is well defined. From a theoretical standpoint it is not immediately clear whether we want to consider asymptotic security in terms of n or d, but following our motivation from MLWE we suggest that n is likely the suitable choice since the module dimension d is typically small in applications using MLWE, whereas the dimension of the underlying field K is large. However, there seems to be no a priori reason why with the right techniques one could not consider both n and d asymptotically; the only case a cyclic algebra precludes is high-dimensional MLWE over a low dimension number field L, because the parameter d occurs in both the module and field dimension.

Evading BCV Style Attacks

In our CLWE construction we have enforced that \(\gamma \) is selected so that \({\mathcal {A}}\) is a division algebra. We do this to avoid attacks in the style of [12] on the m-RLWE protocol. For \(m = 2\), the m-RLWE protocol of [35] can be considered as a structured variant of MLWE, where the matrix A in the operation \(A{{\textbf {s}}} + {{\textbf {e}}}\) is a negacyclic matrix over some ring \(R_q\). More explicitly, 2-RLWE considers the tensor product of two fields \(K = K_1 \otimes K_2\) and runs the LWE assumption in the ring of integers \(R_q\). The example use case given in [35] considers power-of-two cyclotomics \(K_1, K_2\) defined by the polynomials \(x^{k_1} + 1\) and \(y^{k_2} + 1\), respectively, claiming that the resulting problem in \(R_q = \frac{{\mathbb {Z}}_q[x,y]}{(x^{k_1}+1, y^{k_2} +1)}\) effectively corresponds to an RLWE problem of dimension \(k_1 \cdot k_2\) due to an obvious homomorphism between K and the two-power cyclotomic field L of degree \(k_1 \cdot k_2\). The problem also represents a structured MLWE instance over \(\frac{{\mathbb {Z}}_q[x]}{(x^{k_1}+1)}\) of dimension \(k_2\).

However, the observation of [12] is that there is a smaller field \(K'\) containing \(K_1\) such that there is a homomorphism from K into \(K'\) with a well-defined image for y. This is because the roots of distinct two-power cyclotomic polynomials are algebraically related. For example, in the case \(k_1 = 8, k_2 = 4\), it is clear that the map taking y to \(x^2\) and fixing \(K_1\) is a well-defined homomorphism from K to \(K_1\). Using this homomorphism, [12] simplifies the problem of solving one 2-RLWE instance by considering it as four RLWE instances in dimension \(k_1\) rather than one instance in dimension \(k_1 \cdot k_2\), essentially removing the module dimension \(k_2\) from the problem.

We argue that the non-norm condition of \(\gamma \) precludes the existence of a homomorphism removing the module structure by taking a well-defined cyclic algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\) to a smaller subfield containing K. We restrict our search to maximal subfields of \({\mathcal {A}}\), since any subfield is contained in at least one maximal subfield. It is a well-known result on division algebras that any maximal subfield E of \({\mathcal {A}}\) contains K and satisfies \([E:K] = d\), and that in the case of a cyclic division algebra \({\mathcal {A}}\) there is a choice of \(u' \in {\mathcal {A}}\) such that the cyclic algebra \({\mathcal {A}}' := \bigoplus _j u'^j E\) is isomorphic to \({\mathcal {A}}\) (see Sect. 15.1, Proposition a of [41]). Assume, for a contradiction, that we had such a homomorphism \(\chi : {\mathcal {A}} \rightarrow L\), where without loss of generality we assume the maximal subfield is L by the aforementioned proposition. Since L is Galois, the restriction of \(\chi \) to L is an automorphism of L. It is clear that \(\chi \) must agree on conjugates, since \(\chi (u) \cdot \chi (\ell ) = \chi (u \cdot \ell ) = \chi (\theta (\ell ) \cdot u) = \chi (u) \cdot \chi (\theta (\ell ))\) for any \(\ell \in L\). However, this contradicts \(\chi \) being injective on L and it follows that no such homomorphism exists. Hence, we conclude that the attack style of [12] does not threaten our algebraic structure.

Concrete Algebras for CLWE

In order to apply the CLWE assumption in a practical cryptosystem, one must choose a concrete algebra as an ambient space. More generally, we are interested in finding families of algebras suitable for CLWE that allow for asymptotic analysis and varied security levels. Our search for algebras is motivated by the restrictions and conditions discussed in the previous section. In particular, we are interested in cyclic division algebras satisfying the following properties:

  • The non-norm element \(\gamma \) must lie in \({\mathcal {O}}_K\) to keep the natural order closed under multiplication, and should satisfy \(\vert \gamma \vert = 1\) in order to maintain both the coordinatewise independence and sub-multiplicative properties of the norm.

  • The dimension \(n:= [K: {\mathbb {Q}}]\) of the division algebra should be large and the degree \(d:= [L:K]\) should be small. This is to maintain the analogy with structured MLWE (the degree corresponds to the module rank) and follows from the search-decision reduction, which takes time polynomial in n but not in d.

  • The base field K should be cyclotomic and q should split completely in K. This is also a result of the methodology of the search-decision reduction, which uses the well-understood factorization of \(\langle q \rangle \) in \({\mathcal {O}}_K\). In addition, since the bulk of lattice-based cryptography is done over cyclotomic fields, we consider algebras which are small extensions of these as somewhat natural. We observe that an improved proof of decision security may allow this point to be dropped, whereas the other two points feel more integral.

Although significant effort has been expended by coding theorists to construct cyclic division algebras satisfying a variety of conditions, such as in [44] or [21], we find ourselves with a fairly unique set of restrictions. In particular, for reasons relating to desired applications, the majority of algebras used in coding theory are either of small total dimension or have small \([K:{\mathbb {Q}}]\) and scale asymptotically in [L : K]. Since we are interested in scaling up K asymptotically, we will have to build novel algebras satisfying the above requirements ourselves. We will, however, make heavy use of the following theorem as an intermediate step. Here \(\zeta _m\) denotes a primitive mth root of unity where \(\varphi (m)=n\) is the degree of the base field \(K = {\mathbb {Q}}(\zeta _m)\).

Theorem 1

[21] Let \(m = p^a\) be a prime power and let \(K = {\mathbb {Q}}(\zeta _m)\). Then, there exist infinitely many cyclic Galois extensions M/K of degree m such that \(\zeta _m^i\) is not a norm of M/K for \(0<i < m\).

We remark that the theorem is effective in the sense that it provides an explicit description of M, and we provide a summary of the recipe for constructing M. The crucial aspect of its construction is that M is a subfield of some cyclotomic extension of K, \(K(\zeta _{q'})\) for a prime \(q'\), but we present its full description for completeness.

First, find some prime \(q'\) such that \(q' = 1 \mod p^a\) but \(q' \ne 1 \mod p^{a+1}\), so that \(p^a\) is the highest power of p dividing \(q'-1\). Set \(M' = K(\zeta _{q'})\) so that by coprimality \(M' = {\mathbb {Q}}(\zeta _{mq'})\). Then Gal\((M'/K)\) is a cyclic group of order \(q'-1\) generated by some automorphism \(\sigma \). Denote by M the subfield of \(M'\) fixed by \(\sigma ^m\). Then \([M:K] = m\) by the fundamental theorem of Galois theory and the extension is both cyclic and Galois. Finally, localization theory is used to show that the powers of \(\zeta _m\) are not norms in this extension. In this way, the theorem constructs M explicitly.

The part of this theorem of our interest is that it allows us to scale K asymptotically, but this comes with a drawback of very high degree M, i.e., it only permits a degree-m extension M of a degree-\(\varphi (m)\) base field K. We present a new method that uses this theorem as a starting point to construct good algebras satisfying our restrictions. More precisely, our construction will begin with Theorem 1 and then use elementary methods from Galois theory to build more favorable fields.

Constructions using Subfields

We squash the field M from Theorem 1 to a subfield L of small index over the base K satisfying the necessary properties to generate a cyclic algebra.

Theorem 2

Let \(K = {\mathbb {Q}}(\zeta _m)\), where \(\varphi (m)=n\), be a prime power cyclotomic with \(m = p^a\) for some integer a and prime p. Then, there exists a cyclic Galois extension L/K of any index d dividing m within which \(\zeta _m\) satisfies the non-norm condition.

Remark 4

Since the proof will provide an explicit description of L, the correct interpretation of this theorem is that we can construct cyclic division algebras \({\mathcal {A}} = (L/K, \theta , \gamma )\) with \(\langle \theta \rangle = \text {Gal}(L/K), \gamma = \zeta _m, K = {\mathbb {Q}}(\zeta _m),\) and [L : K] is any divisor of \(m = p^a\). Figure 2 shows all possible cases of intermediate field L between K and M.

Proof

Let \(K= {\mathbb {Q}}(\zeta _m)\) for a fixed \(m = p^a\) with prime p and integer a. Following the construction of Theorem 1 fix a cyclic Galois extension M/K of degree m such that \(\zeta _m^i\) is not a norm of an element of M into K for any \(i = 1,2,\dots , m-1\). We will choose L as a suitable intermediate extension M/L/K. Let \(\sigma \) denote the generator of Gal(M/K), an automorphism of order m. For d dividing m, \(\sigma ^{d}\) fixes an extension L of K with \([M:L] = \vert \text {Gal}(M/L) \vert = m/d\) and it follows from the tower lemma that \([L:K] = d\). We will show that L is a satisfactory extension of K.

First, since Gal(M/L) is a normal subgroup of Gal(M/K) we see that L/K is a normal, and hence Galois, extension. It follows from standard Galois Theory that

$$\begin{aligned} \text {Gal}(L/K) \cong \text {Gal}(M/K)/\text {Gal}(M/L). \end{aligned}$$

Both groups in the quotient are cyclic, and so Gal(L/K) is cyclic with some generator \(\theta \). Furthermore, this isomorphism also allows us to deduce \(\vert \text {Gal}(L/K) \vert = d\).

We’ve shown that L/K is a cyclic Galois extension of degree d; we are left to show that \(\zeta _m^i\) is not a norm for \(i =1,\dots , d-1\). Let \({\overline{M}}\) denote \(N_{M/K}(M^\times )\) and \({\overline{L}}\) denote \(N_{L/K}(L^\times )\). Say \(\zeta _m^i \in {\overline{L}}\), fixing \(x \in L\) such that \(N_{L/K}(x)= \zeta _m^i\). Now by transitivity of the norm,

$$\begin{aligned} N_{M/K}(x)&= N_{L/K}(N_{M/L}(x)) \\&= N_{L/K}(x^{m/d}) \\&= \zeta _m^{(m/d)i} \end{aligned}$$

where the second equality uses \(x \in L\) (so that \(N_{M/L}(x) = x^{[M:L]} = x^{m/d}\)) and the third uses multiplicativity of the norm. \({\overline{M}}\) does not contain any power of \(\zeta _m\) except \(\zeta _m^m = 1\) since \(\zeta _m\) is a non-norm element in M/K, so it follows that \(m \vert (m/d)i\) and so \(d \vert i\). From this we conclude that \(\zeta _m, \zeta _m^2,\dots ,\zeta _m^{d-1}\) do not lie in \({\overline{L}}\) and so \(\zeta _m\) satisfies the non-norm condition. \(\square \)

Fig. 2

Cyclic subfields between M and K from Galois correspondence. \(\langle \sigma ^i\rangle \) denotes the group generated by \(\sigma ^i\), where \(\sigma \) is the generator of Gal(M/K)

Remark 5

We presented the proof in the above form for ease of legibility, but it is straightforward to extend the argument in the final paragraph to show that \(\zeta _m^{jd+1}\) satisfies the non-norm condition for any \(j =0,1,\dots , (m/d) -1\).

This is an effective construction that allows us to build cyclic division algebras of the form \({\mathcal {A}} = (L/K, \theta , \gamma )\) where \(\vert \gamma \vert = 1\), K is an arbitrary prime power cyclotomic, and L is an extension of K with degree divisible by the prime p. For cryptographically relevant examples, we can consider degree 2 or 4 extensions of a 2-power cyclotomic or degree 3 extensions of a 3-power cyclotomic. Given the impossibility result of Appendix A and the restriction on the absolute value of \(\gamma \), we view these algebras as essentially the best possible, at least for the case where K is a prime-power cyclotomic.

As discussed in Sect. 3.1, the natural order is not necessarily a maximal order. Nevertheless, the following theorem shows that the specific family of algebras we have constructed in Theorem 2 represents a lucky case (its proof is given in Appendix B).

Theorem 3

For the family of cyclic division algebras \({\mathcal {A}}=(L/K,\theta , \zeta _m)\) constructed in Theorem 2, the natural order of \({\mathcal {A}}\) is maximal.

This makes our constructed family of algebras very attractive, as it enjoys both the simplicity of the natural order and the nice property of a maximal order.

Remark 6

In the context of multiblock space-time coding [21], the construction of Theorem 1 allows for a space-time code for m antennas and \(\varphi (m)\) blocks, i.e., a relatively small number of blocks. With our new construction, Theorem 2, any number \(\varphi (mk)\) of blocks, for \(k \in {\mathbb {N}}\) such that mk is a power of p, becomes possible. Further, using a maximal order leads to optimum coding gains; it was not realized in [21] that the natural order from Theorem 1 is actually maximal.

Constructions using Compositum Fields

The algebras with prime-power cyclotomic centers of the previous subsection use the field construction technique of Theorem 2, and as such they are restricted to algebras whose dimension N is in the form \(p^k(p-1)\) for a prime p and integer k. We present another method of constructing algebras using compositum fields that allows us to target dimensions not achievable in this setting.

This method starts from extensions which are nearly what we are looking for and applies field compositums (cf. [43, Chapter 30]). Say we have a Galois field extension \(L'/K'\) with non-norm element \(\gamma \in {\mathcal {O}}_{K'}\) whose Galois group is cyclic of degree d. Let F be some other Galois number field with \(F \cap L'= {\mathbb {Q}}\). Then Gal\((L'F/K'F) \cong \text {Gal}(L'/K')\) and \(\gamma \) is a non-norm element in \(L'F/K'F\). Relabeling this extension as L/K and letting \(\theta \) denote the cyclic generator of the Galois group gives a cyclic field extension with non-norm \(\gamma \) such that \([L:K] = d\) and \([K:{\mathbb {Q}}] = [K':{\mathbb {Q}}] \cdot [F : {\mathbb {Q}}]\). The relations among these fields are illustrated in Fig. 3a.

One can generalize this method to the case where the base field cannot be written conveniently as a compositum of two fields. Let \(L'/K'\) be a cyclic Galois extension of degree d with non-norm element \(\gamma \) and let K be another Galois number field which contains \(K'\). Then \(KL'/K\) is a cyclic Galois extension of degree k for some k dividing d, and in particular if \(K \cap L' = K'\) then \(k = d\) since the fields are linearly disjoint above \(K'\). See Fig. 3b for the relations among these fields.

Fig. 3

Constructions using field compositums: a base field K is a compositum \(K'F\), b K cannot be written as a compositum

Similar to the subfield method, we also have the following theorem for the compositum field method (the proof is given in Appendix B).

Theorem 4

Let \(K = {\mathbb {Q}}(\zeta _n)\) where \(n=p^r\) and p is prime, L/K be a finite cyclic extension of degree d with \(Gal(L/K) = \langle \theta \rangle \) and \(Gal(L/{\mathbb {Q}})\) abelian, and \(F = {\mathbb {Q}}(\zeta _{q^t})\) where \(F\cap L = {\mathbb {Q}}\). Suppose the natural order \(\varLambda \subset {\mathcal {A}}=(L/K,\theta ,\zeta _n)\) is maximal. Then, if \([F:{\mathbb {Q}}]\) and d are coprime, the natural order \(\varLambda ^\prime \) of the cyclic division algebra \({\mathcal {A}}^\prime = (LF/KF, \theta ^\prime , \zeta _n)\) is also maximal.

Sample Parameters

Now that we have discussed our techniques for constructing suitable number fields we proceed to demonstrate that these methods are able to attain cryptographically relevant dimensions. In this section, we present a small selection of proof-of-concept dimensions in Table 1, where we take our motivation for choices of dimension from KYBER and NewHope, since they are the successful second round NIST candidates whose methods are most similar to our own. Thus, we aim for dimensions in the region between 512 and 1024, the dimensions proposed for both NewHope and KYBER (which also achieves dimension 768). Of course, these schemes are restricted to having power-of-two ring dimension n and so their choices of dimension may not be optimal in general, but FrodoKEM [13], a plain LWE scheme, suggests dimensions in roughly the same range, specifically 640, 976, and 1344, so we consider dimensions in this region a sensible starting point. Corresponding to KYBER and other MLWE-based schemes we will set a small ‘module’ rank \(d:=[{\mathcal {A}}:L]\). We are constrained in our choice of fields by the fact that d appears as a square in the total dimension \(N = nd^2\), but for the most part we are able to work around this problem.

Table 1 Sample parameters of cyclic algebras

Subfields

Two-Power Cyclotomic K We begin with straightforward cases where we can apply Theorem 2 immediately to obtain fields in suitable dimensions. Let K be a two-power cyclotomic field, \(K = {\mathbb {Q}}(\zeta _{2^k})\), with dimension \(n := 2^{k-1}\). Since the rank \(d = [L:K] = [{\mathcal {A}}:L]\) is a small power of two, the dimension n of K will be dictated by the choice of module rank d. We construct rank 2 and 4 examples as follows:

  • For \(d = 2\) we have \([{\mathcal {A}}:K] = 4\), so for total dimension 1024 we set \(K = {\mathbb {Q}}(\zeta _{512})\).

  • For \(d =4\) we have \([{\mathcal {A}}:K] = 16\), so for total dimension 1024 we set \(K = {\mathbb {Q}}(\zeta _{128})\).

To obtain algebras in dimension 512, simply pick K with dimension n/2 e.g., \({\mathbb {Q}}(\zeta _{256})\) and \({\mathbb {Q}}(\zeta _{64})\), respectively. In all cases, Theorem 2 lets us pick the non-norm element \(\gamma \) as a root of unity.

Three-Power Cyclotomic K Since \(3\not \mid 1024\), one cannot achieve algebras in dimension 1024 with a 3-power cyclotomic center and instead we set about searching for algebras of nearby dimensions. Although we are unable to build fields in this case with dimension around 1024, we can get close to the more lightweight cryptographic dimension of 512 used in schemes targeting a lower security level. Recall that if \(K = {\mathbb {Q}}(\zeta _{3^k})\) then K has dimension \(n := \phi (3^k) = 2 \cdot 3^{k-1}\). Again, the module rank is a power of 3 and the choice of module rank will define the choice of n.

  • For \(d=3\) we have \([{\mathcal {A}}:K] = 9\), so for total dimension 486 we set \(K = {\mathbb {Q}}(\zeta _{81})\). The next achievable dimension is 1458, for which \(K = {\mathbb {Q}}(\zeta _{243})\).

  • For \(d = 9\) we have \([{\mathcal {A}}:K] = 81\). To achieve the same total dimensions we take small base fields \(K = {\mathbb {Q}}(\zeta _9)\) and \({\mathbb {Q}}(\zeta _{27})\), respectively.
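As an added example (not code from the paper), the following Python works through the Galois-theoretic recipe behind Theorems 1 and 2 and reproduces the subfield dimensions above: it identifies Gal\(({\mathbb {Q}}(\zeta _{mq'})/{\mathbb {Q}})\) with \(({\mathbb {Z}}/mq')^\times \), finds the prime \(q'\), a generator \(\sigma \) of Gal\((M'/K)\), and the subgroups \(\langle \sigma ^m\rangle \) and \(\langle \sigma ^d\rangle \) whose fixed fields are M and L. The non-norm property of \(\zeta _m\) is the content of the theorems and is not checked here; the function names are the example's own.

```python
"""Worked instance of the Theorem 1 / Theorem 2 recipe (added example, not the
paper's code).  Gal(Q(zeta_N)/Q) is identified with the unit group (Z/N)^x via
t -> (zeta_N -> zeta_N^t).  For N = m q' the automorphisms fixing K = Q(zeta_m)
are exactly the units t = 1 mod m: this is the cyclic group Gal(M'/K) of order
q' - 1.  Fixed fields are handled purely through the Galois correspondence
(as subgroups); the non-norm property of zeta_m is not verified here."""
from collections import namedtuple

Fields = namedtuple("Fields", "q_prime M_over_K L_over_K L_over_Q algebra_dim L_in_M")


def is_prime(n):
    """Trial division; the primes q' needed for these parameters are small."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def find_q_prime(p, a):
    """Smallest prime q' with q' = 1 mod p^a but q' != 1 mod p^(a+1),
    i.e. p^a is exactly the p-part of q' - 1 (first step of Theorem 1)."""
    m = p ** a
    q = m + 1
    while True:
        if (q - 1) % (m * p) != 0 and is_prime(q):
            return q
        q += m  # stay in the residue class q = 1 mod m


def gal_Mprime_over_K(m, qp):
    """Gal(M'/K) for M' = Q(zeta_{m q'}), as residues t mod m q' with
    t = 1 mod m and q' not dividing t.  There are exactly q' - 1 of them."""
    return [1 + m * k for k in range(qp) if (1 + m * k) % qp != 0]


def mult_order(t, modulus):
    """Order of t in (Z/modulus)^x, i.e. the order of the automorphism."""
    x, k = t % modulus, 1
    while x != 1:
        x = x * t % modulus
        k += 1
    return k


def generator_sigma(m, qp):
    """A generator sigma of the cyclic group Gal(M'/K) (order q' - 1)."""
    modulus = m * qp
    for t in gal_Mprime_over_K(m, qp):
        if mult_order(t, modulus) == qp - 1:
            return t
    raise ArithmeticError("Gal(M'/K) should be cyclic of order q' - 1")


def subgroup(gen, modulus):
    """The cyclic subgroup <gen> of (Z/modulus)^x as a frozenset."""
    elems, x = {1}, gen % modulus
    while x != 1:
        elems.add(x)
        x = x * gen % modulus
    return frozenset(elems)


def construct_fields(p, a, d):
    """Degrees of M = Fix(<sigma^m>) (Theorem 1) and L = Fix(<sigma^d>)
    (Theorem 2) over K = Q(zeta_m), m = p^a, together with the dimension
    N = [K:Q] d^2 of the algebra (L/K, theta, zeta_m)."""
    m = p ** a
    if m % d != 0:
        raise ValueError("d must divide m = p^a")
    qp = find_q_prime(p, a)
    modulus = m * qp
    sigma = generator_sigma(m, qp)
    h_M = subgroup(pow(sigma, m, modulus), modulus)  # Gal(M'/M)
    h_L = subgroup(pow(sigma, d, modulus), modulus)  # Gal(M'/L)
    phi_m = (p - 1) * p ** (a - 1)                   # [K:Q]
    l_over_k = (qp - 1) // len(h_L)                  # [M':K] / [M':L]
    return Fields(
        q_prime=qp,
        M_over_K=(qp - 1) // len(h_M),
        L_over_K=l_over_k,
        L_over_Q=phi_m * l_over_k,
        algebra_dim=phi_m * d * d,
        L_in_M=h_M <= h_L,   # larger fixing group <-> smaller field, as in Fig. 2
    )
```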

Compositum Fields

We give example algebras of dimensions 576, 768 and 1152 in Table 1, with less restrictive dimension, using field compositum techniques. We propose two alternative ways of applying the field compositum of Fig. 3a. The first uses Theorem 2 to make an algebra which already has large dimension by selecting a large center K and a small extension L, then composes a small field F onto K and L to tweak the total dimension. The second creates algebras by selecting small fields L and K using Theorem 1 and composing both with a large field F.

We begin with an example of the first method that achieves dimension 768. Let \(L'\) be a degree two extension of the field \(K' = {\mathbb {Q}}(\zeta _{64})\) chosen by Theorem 2 with non-norm root of unity \(\gamma \), so that the corresponding algebra \({\mathcal {A}}'\) has dimension 128. Compose both \(L'\) and \(K'\) with the field \(F = {\mathbb {Q}}(\zeta _9)\), denoting the compositums by L and K respectively. Then \(\gamma \) is still a non-norm element in the extension L/K, a degree two extension that is cyclic and Galois, and the algebra \({\mathcal {A}}= (L/K, \theta , \gamma )\) is a cyclic algebra of dimension \(6 \times 128 = 768\), as required. We observe that here the center K corresponds to the fields with fast operations used in [29].

Our final method, composing large degree fields onto small degree extensions, targets odd module ranks. Begin by choosing the desired module rank d as a (likely small) odd prime. Then set \(K' = {\mathbb {Q}}(\zeta _d)\) and pick \(L'\) as a cyclic Galois extension of \(K'\) in which the dth root of unity is a non-norm element using Theorem 1. Let \(F := {\mathbb {Q}}(\zeta _{2^k})\) and again let L and K denote its compositum with \(L'\) and \(K'\) respectively. Then \({\mathcal {A}} = (L/K, \theta , \gamma )\) is a cyclic algebra with \(n := [K:{\mathbb {Q}}] = (d-1)2^{k-1}\) and \(d = [L:K]\) a small prime. The form of the total dimension \(N = d^2(d-1)2^{k-1}\) constrains our choice of dimension, but for examples of cryptographically relevant sizes with \(d=3\) one can consider setting \(k =6\) or \(k=7\) to achieve dimension \(N = 576\) or \(N =1152\) respectively.

Extensions where q Splits Completely

All suggested algebras in the previous section satisfy the conditions required for our chosen norm \(\Vert \sigma _{\mathcal {A}}(x) \Vert _2\) to be well defined. In particular, they have root of unity non-norm \(\gamma \) and K is cyclotomic. Because any \(q = 1 \mod m\) splits completely in \({\mathbb {Q}}(\zeta _m)\), it is straightforward to find q which splits completely in \({\mathcal {O}}_K\).

Later in this paper, in order to enable efficient multiplication algorithms, it will be convenient to have a modulus q that splits completely into a product of prime ideals in both \({\mathcal {O}}_K\) and \({\mathcal {O}}_L\). Recall that Lemmas 6 and 7 also require q to be unramified in L. An appeal to Chebotarev’s Density Theorem suggests that a proportion of 1/d of the primes q that split completely in K also do so in L. In cases where d is small this suggests that finding such primes should not prove too arduous; but since cryptosystems require specific parameters rather than density arguments, we provide constructions satisfying the requisite conditions on q in Appendix C.

Security Proof

The ‘standard’ security reductions used in [42] and [27] first reduce certain lattice problems to search LWE and RLWE, then establish hardness of the decision problem via a search-decision reduction. This proof follows a sequence of shorter reductions as shown in Fig. 4.

Fig. 4

Reductions for LWE. The bold arrow denotes a quantum step

The reduction from the approximate SVP to the search LWE problem implies that search LWE is at least as hard as approximate SVP. It can be explained as follows: first, the approximate SVP is reduced to the problem of sampling a discrete Gaussian of narrow variance over a lattice, where intuitively sampling from a sufficiently narrow Gaussian should output a vector whose norm is reasonably short compared to the first minimum. Then, a quantum algorithm reduces the problem of sampling from a narrow Gaussian to that of solving the BDD problem on the dual lattice. Finally, a transformation maps an instance of the BDD problem to an appropriate instance of the LWE problem, reducing the BDD problem to that of search LWE.

For applications in cryptography, the hardness of the decision problem is preferred to that of the search problem. Assuming that the decision problem is hard implies that LWE samples are computationally indistinguishable from uniform, so intuitively an LWE sample can be used to hide a message m as an element of \({\mathbb {Z}}_q^n\) by adding it to b.

Using similar machinery, we reduce a BDD problem to search CLWE using the same method as in [27]. The methodology of their search-decision reduction is an adaptation of Regev’s, which relies on guessing each coordinate of the secret \({{\textbf {s}}}\) separately. The adaptation to the ring case instead guesses the value of the secret ring element s modulo a suitable collection of ideals \({\mathfrak {p}}_i\) such that guessing \(s \mod \mathfrak {p}_i {\mathcal {O}}_K^\vee \) requires only a polynomial number of guesses, from which s is recovered using the CRT. We apply a similar method in suitable subrings to deduce the hardness of our decision problem. The main technical novelty is to deal with non-commutativity in the proof.

For the remainder of this paper, we will always be working in an extension of number fields L/K, where \([L:{\mathbb {Q}}] = [L:K] \cdot [K: {\mathbb {Q}}] = d \cdot n\). Recall from the motivation of structured MLWE and the sample algebras given that in practice we seek asymptotic security in n, since the parameter d corresponds to the typically small module dimension.

Hardness of Search CLWE

In the following, let \({\mathcal {A}}\) be a cyclic division algebra over a number field L with center K and natural, maximal order \(\varLambda \) with \(\vert \gamma \vert =1\). Let \(\alpha = \alpha (n) \in (0,1)\) and \(q = q(n) \ge 2\), unramified in L, be parameters such that \(\alpha \cdot q \ge \omega (\sqrt{\log N})\). We denote by \({\mathcal {A}}\)-\(\hbox {DGS}_\xi \) the problem of sampling a discrete Gaussian \(D_{{\mathcal {I}}, \xi }\), where \({\mathcal {I}}\) is some ideal of the order \(\varLambda \). Also denote by N the total dimension of \({\mathcal {A}}\), \(N := nd^2\).

For the reduction of BDD to Search CLWE, we begin with the cyclic algebra analogy of the BDD-to-LWE samples transformation from Sect. 4 of [27]. As is standard for LWE security, we use the following ‘modulo q’ definition of BDD:

Definition 21

For any \(q \ge 2\) the \(q{\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}},\delta }\) problem is as follows: given an instance of the \({\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}}, \delta }\) problem \(y = x+e\) with solution \(x \in {\mathcal {I}}\) and error \(e \in \bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}}\) satisfying \(\Vert e \Vert _{2, \infty } \le \delta \), output \(x \mod q{\mathcal {I}}\).

We use (a special case of) Lemma 3.5 from [42], which lifts immediately since it is lattice preserving.

Lemma 9

For any \(q \ge 2\) there is a deterministic polynomial time reduction from \({\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}}, \delta }\) to \(q{\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}},\delta }\).

We now present an algorithm which transforms \(q{\mathcal {A}}\)-BDD samples to CLWE samples given some additional Gaussian samples. The algorithm is the same in spirit as Lemma 4.7 of [27], but has some technical differences induced by the structure of cyclic algebras.

Lemma 10

Let \({\mathcal {A}}\) be as above. There is a probabilistic polynomial time algorithm that on input a prime integer \(q \ge 2\), a fractional ideal \({\mathcal {I}}^\vee \subset \varLambda \), a \(q{\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}}^\vee , \alpha q \cdot \omega (\sqrt{\log (nd)})/\sqrt{2nd} \cdot r}\) instance \(y = x + e\) where \(x \in {\mathcal {I}}^\vee \), a parameter \(r \ge \sqrt{2}q \cdot \eta ({\mathcal {I}})\), and samples from the discrete Gaussian \(D_{{\mathcal {I}},r'}\) with \(r' \ge r\), outputs samples that are within negligible statistical distance of the CLWE distribution \( \varPi _{q, s, \varSigma }\) for a secret \(s = \chi _t(x \mod q {\mathcal {I}}^\vee ) \in \varLambda ^{\vee }_q\), where \(\chi _t\) is as in Lemma 7 and \(\varSigma \) is an error distribution such that in the case where \(\vert \gamma \vert = 1\) the resulting error \(e''\) has marginal distribution in its ijth coordinate that is Gaussian with parameter \(r_{i,j} \le \alpha \).

Proof

The proof will be in two parts—first, we will describe the algorithm, then we will prove correctness.

Begin by computing an element \(t \in {\mathcal {I}}\) such that \({\mathcal {I}}^{-1} \cdot \langle t \rangle \) and \(\langle q \rangle \) are coprime using Lemma 6. We can now create a sample from the CLWE distribution as follows: take an element \(z \leftarrow D_{{\mathcal {I}},r'}\) from the Gaussian samples, and compute a pair

$$\begin{aligned} (a, b) = (\chi ^{-1}_t( z \mod q{\mathcal {I}}), (z \cdot y)/q + e' \mod \varLambda ^\vee ) \in (\varLambda _q \times (\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}})/\varLambda ^\vee ) \end{aligned}$$

where \(e' \leftarrow D_{\alpha /\sqrt{2}}\).

We now claim that these samples are within negligible statistical distance of the CLWE distribution and that s is uniformly random. First we show that \(a \in \varLambda _q\) is statistically close to uniform. By assumption, \(r \ge q \cdot \eta ({\mathcal {I}})\) and so by appealing to Lemma 1 it can be seen that any value \(z \mod q {\mathcal {I}}\) is obtained with probability in the interval \([\frac{1 - \varepsilon }{1 + \varepsilon }, 1] \cdot \beta \) for some positive \(\beta \), from which it follows immediately that the statistical distance between \(z \mod q{\mathcal {I}}\) and the uniform distribution is bounded above by \(2\varepsilon \). Since \(\chi _t\) of Lemma 7 and its inverse are both bijections, we conclude that \(a = \chi _t^{-1}(z \mod q{\mathcal {I}})\) is within statistical distance \(2\varepsilon \) of the uniform distribution over \(\varLambda _q\).

Now we must show that b is in the form \((a \cdot s)/q + e''\), for some suitable error \(e''\) and a uniformly random s, where we condition on some fixed value of a. By construction,

$$\begin{aligned} b :&= (z \cdot y)/q + e' \mod \varLambda ^\vee \\&= (z \cdot x)/q + (z \cdot e)/q + e' \mod \varLambda ^\vee , \end{aligned}$$

so since \(z = t \cdot a \mod \varLambda _q^\vee \) and t lies in the center of \({\mathcal {A}}\) it follows that \((z \cdot x)/q = (a \cdot t \cdot x)/q = (a \cdot s)/q \mod \varLambda ^\vee \) for \(s := \chi _t(x \mod q {\mathcal {I}}^\vee )\). It follows that s is uniformly random over \(\varLambda ^\vee _q\) as long as x is uniform over \({\mathcal {I}}^\vee \), since \(\chi _t\) is a bijection.

Finally it is left to show that, conditioned on a fixed value of a, the marginal distribution of the ijth coordinate of the error term \( e'' = (z \cdot e)/q + e'\) is negligibly close to that specified by \(\varSigma \). We can explicitly calculate the error as

$$\begin{aligned} e'' = \sum _{i = 0}^{d-1} u^i \left( \sum _{j + k = i} \theta ^k(z_j) \cdot e_k(1-(1- \gamma ) \mathbbm {1}_{j +k \ge d})\right) + e' \end{aligned} \tag{1}$$

where the sum \(j + k\) is taken modulo d and the function \((1-(1- \gamma ) \mathbbm {1}_{j +k \ge d})\) is 1 if \(j+k < d\) and \(\gamma \) otherwise.Footnote 6 Since \(\vert \gamma \vert = 1\) and \(z \leftarrow D_{{\mathcal {I}},r}\) is spherically distributed, it follows that multiplying by \(\gamma \) and applying the permutation of j coordinates induced by \(\theta \) does not change the distribution of \(z_{i,j}\). Hence, each marginal distribution may be analyzed independently as in the case of MLWE, and the result follows using the analysis of the error from Lemma 4.15 of [22]. \(\square \)
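The product rule behind Eq. (1), as an added example that is not code from the paper: the coordinates of \(z \cdot e\) on the module representation \(\bigoplus _i u^i L\) are computed directly from \(\ell u = u\theta (\ell )\) and \(u^d = \gamma \), and the result is checked on the constructed instance \(({\mathbb {Q}}(i)/{\mathbb {Q}}, \text {conj}, -1)\), which is Hamilton's quaternion algebra with \(\gamma = -1 = \zeta _2\) of absolute value 1. Function names and the test values are the example's own.

```python
"""Multiplication in a cyclic algebra A = (L/K, theta, gamma) on the module
representation z = sum_j u^j z_j (added example, not the paper's code).
The relations l*u = u*theta(l) and u^d = gamma give the coordinate formula of
Eq. (1): the u^i coordinate of z*e is sum_{j+k = i mod d} theta^k(z_j) e_k,
multiplied by gamma exactly when j + k >= d."""


def cyclic_mul(z, e, theta, gamma):
    """Coordinates of z*e in A; z and e are lists of d elements of L,
    theta is an automorphism of L (callable), gamma a central element of K."""
    d = len(z)
    out = [0] * d
    for j in range(d):
        for k in range(d):
            # u^j z_j * u^k e_k = u^(j+k) theta^k(z_j) e_k : z_j moved past u^k
            zj = z[j]
            for _ in range(k):
                zj = theta(zj)
            term = zj * e[k]
            if j + k >= d:   # u^(j+k) = u^(j+k-d) u^d = u^(j+k-d) gamma
                term = gamma * term
            out[(j + k) % d] += term
    return out


def conj(w):
    """theta for L = Q(i): complex conjugation, the generator of Gal(Q(i)/Q)."""
    return w.conjugate()


def quat_mul(p, q):
    """Hamilton product of quaternions written as (a, b, c, d) = a + b i + c j + d k."""
    a1, b1, c1, d1 = p
    a2, b2, c2, d2 = q
    return (a1 * a2 - b1 * b2 - c1 * c2 - d1 * d2,
            a1 * b2 + b1 * a2 + c1 * d2 - d1 * c2,
            a1 * c2 - b1 * d2 + c1 * a2 + d1 * b2,
            a1 * d2 + b1 * c2 - c1 * b2 + d1 * a2)


def to_quaternion(z):
    """z_0 + u z_1 with z_0 = a + b i, z_1 = c + d i maps to a + b i + c j - d k:
    u -> j, and u*i = -i*u in A matches j*i = -i*j = -k in the quaternions."""
    return (z[0].real, z[0].imag, z[1].real, -z[1].imag)


def quaternion_check(z, e):
    """True iff the cyclic-algebra product agrees with the Hamilton product
    on the instance (Q(i)/Q, conj, -1), i.e. gamma = -1 and d = 2."""
    prod = cyclic_mul(z, e, conj, -1)
    return to_quaternion(prod) == quat_mul(to_quaternion(z), to_quaternion(e))


def products_with_u(z, theta, gamma):
    """(u*z, z*u): left multiplication by u shifts coordinates with a gamma
    twist, right multiplication also applies theta, so they differ unless
    theta fixes every z_j (non-commutativity of A)."""
    d = len(z)
    u = [0] * d
    u[1] = 1
    return cyclic_mul(u, z, theta, gamma), cyclic_mul(z, u, theta, gamma)
```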

Though we do not specify the covariance of \(\varSigma \), one can see that each entry of \(\sigma _{\mathcal {A}}(z)\) appears in \(\sigma _{\mathcal {A}}(e'')\) exactly d times, and so by symmetry each element of \(\sigma _{\mathcal {A}}(e'')\) has nonzero correlation with at most \(d^2\) other entries. Hence, a proportion of at most \(\frac{nd^4}{n^2d^4} = \frac{1}{n}\) of entries of \(\varSigma \) are nonzero. This is the family of error distributions we will claim hardness of search CLWE for; we remark that it is a Gaussian distribution whose marginals are Gaussian with variance at most \(\alpha \).

Definition 22

We define the family of error distributions \(\varSigma _\alpha \) as the set of all Gaussian distributions \(\varSigma \) over \(\bigoplus _{i=0}^{d-1} u^i L_{\mathbb {R}}\) whose marginal distribution in its (ij)th coordinate is Gaussian with parameter \(r_{i,j} \le \alpha \).

The following theorem is our analogy of Lemma 4.10 of [22].

Theorem 5

Given an oracle that solves \(\hbox {CLWE}_{q, \varSigma _{\alpha }}\) for input \(\alpha \in (0,1)\), an integer \(q \ge 2\), an ideal \({\mathcal {I}} \subset \varLambda \), a number \(r \ge \sqrt{2}q \cdot \eta _\varepsilon ({\mathcal {I}})\) satisfying \(r' := r \cdot \omega (\sqrt{\log {N}})/(\alpha q) > \sqrt{2N}/\lambda _1({\mathcal {I}}^\vee )\), and polynomially many samples from the discrete Gaussian \(D_{{\mathcal {I}},r}\) there exists an efficient quantum algorithm that outputs an independent sample from \(D_{{\mathcal {I}}, r'}\).

As usual, we obtain Theorem 5 in two steps, first the main reduction of Lemma 10, then the following quantum step adapted from [42]. We use a form of \({\mathcal {A}}-\hbox {BDD}_{{\mathcal {I}},\delta }\) from [22] where we bound the offset in the norm \(\Vert e \Vert _{2,\infty } := \max _j\sqrt{(\sum _{i = 0}^{d-1} \vert \sigma _j(e_i) \vert ^2)} \le \delta \), where \(\sigma \) denotes the canonical embedding of \({\mathcal {I}}\).

Lemma 11

There is an efficient quantum algorithm that given any \(N = n \cdot d^2\)-dimensional lattice from some ideal \({\mathcal {I}}\), a real \(\delta < \lambda _1({\mathcal {I}}^{\vee })/(2 \sqrt{2 nd})\), and an oracle that solves \({\mathcal {A}}\)-\(\hbox {BDD}_{{\mathcal {I}}^{\vee },\delta }\) with all but negligible probability, outputs an independent sample from \(D_{{\mathcal {I}}, \sqrt{d} \omega (\sqrt{\log (nd)})/\sqrt{2} \delta }\).

We can then prove Theorem 6 in the standard iterative manner; for a very large value of r, e.g., \(r \ge 2^{2N}\lambda _N({\mathcal {I}})\), start by sampling classically from \(D_{{\mathcal {I}}, r}\). Then apply the above algorithm to obtain a polynomial number of samples from \(D_{{\mathcal {I}}, r'}\). Repeating this step gives samples from progressively narrower distributions, until we arrive at the desired Gaussian parameter \(s \ge \xi \). In order to classically sample the initial collection of Gaussian samples, we use the standard Lemma 3.2 of [42] to sample \(D_{{\mathcal {I}}, r}\) on the module representation \(\bigoplus _{i=0}^{d-1} u^i L_{\mathbb {R}}\).

Theorem 6

Let \({\mathcal {A}}\) be a cyclic division algebra over a number field L with center K and natural, maximal order \(\varLambda \) with \(\vert \gamma \vert =1\). Let \(\alpha = \alpha (n) \in (0,1)\) and \(q = q(n) \ge 2\), unramified in L, be parameters such that \(\alpha \cdot q \ge \omega (\sqrt{\log N})\). Then, there is a polynomial-time quantum reduction from \({\mathcal {A}}\)-\(\hbox {DGS}_\xi \) to search \(\hbox {CLWE}_{q, \varSigma _\alpha }\) for any \(\xi = r \cdot \sqrt{d}\omega (\sqrt{\log {(d \cdot n)}})/ \alpha q\), where \(r > \sqrt{2} q \cdot \eta _\varepsilon ({\mathcal {I}})\).

From this we deduce the following corollary, similarly to [22], since the lattice structure of our algebra is merely a special case of their modules.

Corollary 1

Let \({\mathcal {A}}, \varLambda , \alpha \) and q be as above. Then, there is a polynomial-time quantum reduction from \({\mathcal {A}}\)-\(\hbox {SIVP}_\xi \) to search \(\hbox {CLWE}_{q, \varSigma _\alpha }\) for any \(\sqrt{8 Nd} \cdot \xi = (\omega (\sqrt{d n})/\alpha )\).

Search To Decision Reduction

In this subsection we will show that the hardness of decision CLWE follows from that of the search problem. Once again, we will follow a combination of the expositions of [27] and [22] for the ring and module cases, making necessary changes for the structure of cyclic algebras. We will make heavy use of the following CRT style decomposition, a rephrasing of [33, Lemma 4].

Lemma 12

Let \(\varLambda \) be the natural order of a cyclic division algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\) and let \({\mathcal {I}}\) be an ideal of \({\mathcal {O}}_K\) which splits completely in \({\mathcal {O}}_K\) as \({\mathcal {I}} = {\mathfrak {q}}_1 \cdots {\mathfrak {q}}_n\). Then, we have the isomorphism

$$\begin{aligned} \varLambda /{\mathcal {I}}\varLambda \cong {\mathcal {R}}_1 \times \cdots \times {\mathcal {R}}_n, \end{aligned}$$

where \({\mathcal {R}}_i = \bigoplus _{j=0}^{d-1} u^j ({\mathcal {O}}_L/{\mathfrak {q}}_i{\mathcal {O}}_L)\) is the ring subject to the relations \(( \ell + {\mathfrak {q}}_i {\mathcal {O}}_L)u = u(\theta (\ell ) + {\mathfrak {q}}_i {\mathcal {O}}_L)\) and \(u^d = \gamma + {\mathfrak {q}}_i\).

Of course, this is not a true CRT decomposition, because we are considering ideals of \({\mathcal {O}}_K\) rather than those of \(\varLambda \). In the case where \(\gamma \) is a unit, \(\varLambda ^\vee = \bigoplus _i u^i {\mathcal {O}}_L^\vee \) and the above lemma is also valid in the case where each instance of \({\mathcal {O}}_L\) and \(\varLambda \) are replaced with their respective duals. Also note that \(\gamma \) is a non-norm element in this lemma. The reduction from DGS to search CLWE requires \(\varLambda \) to be maximal, and currently the only known value of \(\gamma \) which makes the natural order maximal is an n-th root of unity, which is also a non-norm element. So these conditions are consistent.

As in [27], our reduction will be limited to certain choices of algebras. The above lemma considers the splitting of the ideal \({\mathcal {I}}\) as an ideal of the base field K. Setting \({\mathcal {I}} = \langle q \rangle \), the ideal generated by the modulus q, we will consider cases where q splits completely in the base field. Now consider the family of algebras \({\mathcal {A}}\) in Sect. 3.3 and let \(K = {\mathbb {Q}}(\zeta _{p^a})\) have dimension n. It follows that if \(q \equiv 1 \mod p^a\) then q splits completely into a product of prime ideals \({\mathfrak {q}}_1,\ldots ,{\mathfrak {q}}_n\) as an ideal of \({\mathcal {O}}_K\). Hence, we obtain the decomposition

$$\begin{aligned} \varLambda /q\varLambda \cong R_1 \times ... \times R_n \end{aligned}$$

where \(R_i\) is as in Lemma 12.

Also as in [27], we see no way to avoid randomizing the error distribution in the resulting decision problem. Further, we show that an oracle for D-\(\hbox {CLWE}_{q, \varUpsilon _\alpha }\) on an algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\) is also an oracle for the decision problem on any algebra \(\mathcal {A'} = (L/K, \theta , \gamma ')\) over the same number fields L, K and some other root of unity \(\gamma ' \in {\mathcal {O}}_K\). Intuitively this implies that for fixed L and K as in Sect. 3.3 the hardness of the D-CLWE problem is invariant under the choice of root of unity \(\gamma \); this invariance will be required for Lemma 15. It holds because there exist efficient, easy-to-compute isomorphisms sending \({\mathcal {A}}\) to \({\mathcal {A}}'\), which we will define shortly. The security reduction is similar in spirit to that for Ring LWE applying field automorphisms.

The main theorem of this subsection is Theorem 7 (given in the end of this subsection); we emphasize that our algorithm is only intended to be efficient in the dimension n of the base field K, since we expect to fix d as a small constant in practice. We will prove Theorem 7 in the usual manner: first we show that it is sufficient to recover the value of \(s \in \varLambda ^\vee /q\varLambda ^\vee \) in one of the rings \(R_i\) (Lemma 13). Then, we use a hybrid distribution to define a decision problem in \(R_i\), for which we demonstrate a search to decision reduction (Lemma 14). We then use a hybrid argument to conclude the proof (Lemma 16).

CLWE in \(R_i\)

In this section we will abuse notation and denote by \(s \mod R_i\) the value of \(s \in \varLambda ^\vee /q \varLambda ^\vee \) in the \(R_i\) coordinate under the isomorphism of Lemma 12.

Definition 23

The \(R_i-\hbox {CLWE}_{q, \varSigma _\alpha }\) problem is to find the value \(s \mod R_i\) given access to the CLWE distribution \(\varPi _{q,s,\varSigma }\) for some arbitrary \(\varSigma \in \varSigma _\alpha \).

In the following lemmata we make use of the automorphisms of K coordinatewise on the rings \(R_i\). Since K is a Galois extension of \({\mathbb {Q}}\) and q splits completely, it follows that the automorphisms \(\sigma _i\) of K act transitively on the ideals \({\mathfrak {q}}_i\). We demonstrate how to extend these to functions of \({\mathcal {A}}\). First, extend these automorphisms to automorphisms \(\alpha _i\) of L in some arbitrary manner. Then, we can extend these to isomorphisms \(\alpha _i : {\mathcal {A}} \rightarrow {\mathcal {A}}'\), with \(\mathcal {A'} = (L/K, \theta , \gamma ')\), which agree with \(\alpha _i\) on L and send u to \(u'\) with \(u'^d = \alpha _i(\gamma )\) and \(x u' = u' \theta (x)\) for \(x \in L\). By the construction of K from [21], \(\alpha _i(\gamma )\) is a non-norm element since it is some primitive n-th root of unity, and so it is easy to check that this \({\mathcal {A}}'\) is a well-defined division algebra and that \(\alpha _i\) is indeed an isomorphism which sends \({\mathcal {A}}\) to \({\mathcal {A}}'\). Furthermore, it fixes the family of error distributions \(\varSigma _\alpha \). This is because each component of \(z \cdot e + e'\) is defined coordinatewise over the d copies of \(L_{\mathbb {R}}\) in the module representation of \({\mathcal {A}}\), and since \(\alpha _i\), as an automorphism of L, induces the same permutation of the entries of the canonical embedding of L in each coordinate, it fixes the family of choices for each of \(z, e, e'\); hence, since \(\alpha _i\) is an isomorphism, the family of distributions \(z \cdot e + e'\) is fixed. It follows that the extended \(\alpha _i\) function maps the \(R_i\)-\(\hbox {CLWE}_{q, \varSigma _\alpha }\) problem in \({\mathcal {A}}\) to the same problem in \({\mathcal {A}}'\), and moreover that this map preserves \(\varLambda ^\vee \) and the CRT style decomposition (Lemma 12) of \(\varLambda ^\vee _q\) by sending \(R_i\) to some \(R_j\), where j depends on the choice of \(\sigma _i\). We are now ready for the first step of our reduction.

Lemma 13

There is a deterministic polynomial time reduction from \(\hbox {CLWE}_{q, \varSigma _\alpha }\) to \(R_i\)-\(\hbox {CLWE}_{q,\varSigma _\alpha }\).

Proof

Let \({\mathcal {O}}_i\) be an oracle for the \(R_i\)-\(\hbox {CLWE}_{q,\varSigma _\alpha }\) problem. Since Lemma 12 defines an isomorphism, it is sufficient to use \({\mathcal {O}}_i\) to solve the \(R_j\)-\(\hbox {CLWE}_{q,\varSigma _\alpha }\) problem for each j. Let \(\alpha _{j/i}\) be an extension of the automorphism of K mapping \({\mathfrak {q}}_j\) to \({\mathfrak {q}}_i\), which exists by transitivity. Then, given a sample \((a, b) \leftarrow \varPi _{q, s, \varSigma }\), we construct the sample \((\alpha _{j/i}(a), \alpha _{j/i}(b))\). Since \(\varLambda _q\) and \(\varLambda _q^\vee \) are fixed by each \(\alpha _{j/i}\), the resulting pair is a valid CLWE sample in \({\mathcal {A}}' = (L/K, \theta , \alpha _{j/i}(\gamma ))\); feeding these samples into \({\mathcal {O}}_i\) outputs a value \(t_j \mod R_i\).

We claim \(\alpha _{j/i}^{-1}(t_j) = s \mod R_j\). Since \(\alpha _{j/i}\) is an automorphism, each sample (a, b) is mapped to a new CLWE sample \((\alpha _{j/i}(a), \alpha _{j/i}(a \cdot s/q + e) \mod \varLambda ^\vee )\) in a new algebra \({\mathcal {A}}'\). We may write the second coordinate as \(\alpha _{j/i}(a) \cdot \alpha _{j/i}(s)/ q + \alpha _{j/i}(e) \mod \varLambda ^\vee \). Since our automorphisms fix our family of error distributions \(\varSigma _\alpha \) and map the uniform distribution to the uniform distribution, it follows that this is a valid CLWE instance with secret \(\alpha _{j/i}(s)\) and error distribution \(\varSigma '\in \varSigma _\alpha \). Hence, \({\mathcal {O}}_i\) outputs \(t = \alpha _{j/i}(s) \mod R_i\), from which we recover \(\alpha _{j/i}^{-1}(t) = s \mod R_j\), as required. \(\square \)

Hybrid CLWE and Search-Decision

For this section we must introduce the cyclic algebra analog of the Hybrid LWE distribution used in [27]; we use the decomposition into the rings \(R_i\) rather than the CRT.

Definition 24

For a secret \(s \in \varLambda _q^\vee \), distribution \(\varSigma \) over \(\bigoplus _{j} u^j L_{\mathbb {R}}\), and \(i \in [n]\), we define a sample from the distribution \(\varPi _{q,s,\varSigma }^i\) over \(\varLambda _q \times (\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}})/\varLambda ^\vee \) by taking \((a,b) \leftarrow \varPi _{q,s,\varSigma }\) and \(h \in \varLambda ^\vee _q\) which is uniformly random and independent \(\mod R_j, j \le i\) and \(0 \mod R_j, j > i\), and outputting \((a,b + h/q)\). If \(i=0\), we define \(\varPi _{q,s,\varSigma }^0 = \varPi _{q,s,\varSigma }\).

Using this distribution we define a worst-case decision problem relative to one \(R_i\) and reduce it to the search problem \(R_i\)-CLWE.

Definition 25

For \(i \in [n]\) and a family of distributions \(\varSigma _\alpha \), the W-D-\(\hbox {CLWE}^i_{q, \varSigma _\alpha }\) problem is defined as the problem of finding j given access to \(\varPi _{q,s,\varSigma }^j\) for \(j \in \lbrace i-1,i \rbrace \) and valid CLWE secret s and error distribution \(\varSigma \in \varSigma _\alpha \).

For a technical reason in the following proof, we restrict our secret s so that \(s \mod \mathcal {R}_i\) lies in a set \(G_i\) with the property that \(g \ne h \in G_i\) implies \(g-h\) is an invertible element. Applying this restriction for each i places \(s \in G\) for a set \(G = G_1 \times \dots \times G_n\) of size \(\vert G \vert = \prod _i \vert G_i \vert \). We will call such a set G a pairwise different set. We need to guarantee that there exist sufficiently large choices of G. It is not difficult to see that the maximal set sizes are \(\vert G_i \vert = q^d\) and \(\vert G \vert = q^{nd}\), because any set of matrices in \(M_{d \times d}({\mathbb {F}}_q)\) of size at least \(q^d +1\) contains two matrices with the same first row, whose difference is therefore not invertible. Constructions of such maximal sets G are given in Appendix D.

Lemma 14

Assuming constant d and \(s \in G\), there is a probabilistic polynomial-time reduction from \(R_i\)-\(\hbox {CLWE}_{q,s,\varSigma _\alpha }\) to W-D-\(\hbox {CLWE}_{q,\varSigma _\alpha }^i\) for any \(i \in [n]\).

Proof

We follow the standard search-decision methodology of guessing the value of the secret mod \(R_i\) and then modifying the samples so that the decision oracle tells us whether or not our guess was correct. Note that there are only \(|G_i|\) possible values of \(s \mod R_i\), which is bounded above by \(q^{d^2}\), polynomial in n, and so we may efficiently enumerate over the possible values.

We define the transform which takes a value \(g \in \varLambda ^\vee _q\) and maps \(\varPi _{q,s,\varSigma }\) to \(\varPi _{q,s,\varSigma }^{i-1}\) if \(g = s \mod R_i\) or \(\varPi _{q,s,\varSigma }^i\) otherwise as follows. On input a CLWE sample \((a,b) \leftarrow \varPi _{q,s,\varSigma }\), output the pair

$$\begin{aligned} (a',b') = (a + v, b+ (h+vg)/q) \in \varLambda _q \times (\bigoplus _{i = 0}^{d-1} u^i L_{{\mathbb {R}}})/\varLambda ^\vee , \end{aligned}$$

where \(v \in \varLambda _q\) is uniformly random mod \(R_i\) and \(0 \mod R_j\) for \(j \ne i\) and \(h \in \varLambda ^\vee _q\) is uniformly random and independent mod \(R_j, j < i\) and 0 on the other \(R_j\). It is clear that \(a'\) is still uniformly distributed on \(\varLambda _q\), so we are left to show \(b'\) is correctly distributed. For a fixed value of \(a'\), we write

$$\begin{aligned} b '&= b +(h +vg)/q \\&= (as + h +vg)/q + e \\&= (a's + h +v(g-s))/q + e, \end{aligned}$$

where e is still drawn from \(\varSigma \). If \(g = s \mod R_i\), then \(v(g-s) = 0 \mod R_i\), and so the distribution of the pair \((a',b')\) is precisely \(\varPi _{q,s,\varSigma }^{i-1}\). Otherwise, \(v(g-s)\) is uniformly random mod \(R_i\) by assumption on G and 0 mod the other \(R_j\), and so letting \(h' = h +v(g-s)\) we see that the distribution of \((a',b')\) is precisely \(\varPi _{q,s,\varSigma }^i\). \(\square \)

Remark 7

This is the only stage of the proof which enforces that the asymptotic complexity scales only with n and not with d, since we are forced to guess all of s mod \(R_i\) at once.

Since the above reduction is secret preserving, the required decision oracle for W-D-\(\hbox {CLWE}_{q,\varSigma _\alpha }^i\) has the additional restriction that \(s \in G\), but for the purposes of the rest of our proof it will be more convenient to have access to an oracle solving the at least as hard problem where s is arbitrary. Additionally, in practical applications we will use the decision problem for arbitrary s, so we see no benefit of the tighter reduction where s is restricted.

Worst-Case to Average-Case Decision Reduction

Now that we have removed the restriction that \(s \in G\), we are able to follow the skeleton of the RLWE search-decision reduction of [27] more liberally.

Definition 26

The error distribution \(\varUpsilon _\alpha \) on the family of possible error distributions is sampled from by choosing an error distribution \(\varSigma \leftarrow \varSigma _\alpha \) and adding it to \(D_{{\textbf {r}}}\), where each \(r_i:= \alpha ((n \cdot d^2)^{1/4} \cdot \sqrt{y_i})\) for \(y_1,\ldots ,y_{n \cdot d^2}\) sampled from \(\varGamma (2,1)\).

Definition 27

For \(i \in [n]\) and a distribution \(\varUpsilon _\alpha \) over possible error distributions, an algorithm solves the D-\(\hbox {CLWE}_{q, \varUpsilon _\alpha }^i\) problem if, with non-negligible probability over the choice of pairs \((s, \varSigma ) \leftarrow U(\varLambda _q^\vee ) \times \varUpsilon _\alpha \), it has a non-negligible difference in acceptance probability on inputs from \(\varPi _{q,s, \varSigma }^i\) and \(\varPi _{q,s,\varSigma }^{i-1}\).

This is the average case decision problem relative to \(R_i\); in our worst-case to average-case reduction we will need to randomize the choice of error distribution, which we do by sampling from \(\varUpsilon _\alpha \).

Lemma 15

For any \(\alpha > 0\) and \(i \in [n]\) there is a randomized polynomial-time reduction from W-D-\(\hbox {CLWE}_{q, \varSigma _\alpha }^i\) to D-\(\hbox {CLWE}_{q, \varUpsilon _\alpha }^i\).

Proof

Since the definition of \(\varUpsilon _\alpha \) is a distribution over the family of distributions obtained by sampling from \(\varSigma _\alpha \) and adding an elliptical Gaussian, the proof is the same as Lemma 5.12 of [27], except we replace each instance of mod \({\mathfrak {q}}_i R^\vee \) with mod \(R_i\) and each instance of \(R_q\) with \(\varLambda _q\). \(\square \)

Remark 8

This choice of \(\varUpsilon _\alpha \) means that the error covariance matrix in our decision problem is closer to diagonal than that in the corresponding search problem! In fact, if one increased the elliptical error in the decision problem, one could ‘flood out’ the non-diagonal entries of the covariance matrix, leading to elliptical error which is easier to handle in practice.

Finally, we use a hybrid argument. We must first show that \(\varPi _{q,s,\varSigma }^n\) is uniformly random given \(\varSigma \) sampled from \(\varUpsilon _\alpha \), but again this follows the same method as the ring case, except we must replace their use of Lemma 1 by [37, Lemma 2.4].

Lemma 16

Let \(\varUpsilon _\alpha \) be as above and let \(s \in \varLambda _q^\vee \). Then given an oracle \({\mathcal {O}}\) which solves the D-\(\hbox {CLWE}_{q, \varUpsilon _\alpha }\) problem there exists an efficient algorithm that solves D-\(\hbox {CLWE}_{q, \varUpsilon _\alpha }^i\) for some \(i \in [n]\) using \({\mathcal {O}}\).

Proof

The proof is identical to the ring case, Lemma 5.14 of [27], except that the indexing set \({\mathbb {Z}}_m^*\) is replaced by [n]. \(\square \)

Denote by \(\hbox {CLWE}_{q, \varSigma _\alpha ,G}\) the search CLWE problem where \(s \in G\) for arbitrary fixed \(G \subset \varLambda _q^\vee \). To sum up, we have obtained the main result of this section:

Theorem 7

Let \(\varLambda \) be the natural order of a cyclic algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\), d constant, \(q \in \) poly(n) and assume that \(\alpha \cdot q \ge \eta _\varepsilon (\varLambda ^\vee )\) for a negligible \(\varepsilon = \varepsilon (n)\). Then, there is a probabilistic reduction from \(\hbox {CLWE}_{q, \varSigma _\alpha ,G}\) for any pairwise different \(G \subset \varLambda _q^\vee \) to D-\(\hbox {CLWE}_{q ,\varUpsilon _\alpha }\) which runs in time polynomial in n.

Summary and a Remedy for Secret Space

There are certain technicalities and subtleties in our security proof, which we briefly summarize as follows.

The hardness of Search CLWE in Sect. 4.1 requires a natural order \(\varLambda \) that is maximal. Nonetheless, Lemma 10 (due to Lemmas 6 and 7) is the only stage of the proof that assumes such a natural, maximal order. An improved proof technique may be able to drop this assumption (e.g., to use the natural order). The search to decision reduction in Sect. 4.2 requires a natural order \(\varLambda \), due to the CRT decomposition of Lemma 12. A better version of CRT may extend the reduction to a maximal order. Fortunately, the orders we take from Theorem 2 are both natural and maximal, thereby meeting these requirements. The requirement of unramified q in Theorem 6 (due to Lemma 6) is minimal: for the algebras of Theorem 2, the only unsuitable primes are the p and \(q'\) used in the construction (cf. Sect. 3.3).

Lemma 14 enforces that s lies in a pairwise different set G. It is the only stage of the proof which requires such a set. We emphasize that our reduction takes the search CLWE problem where \(s \in G\) for arbitrary fixed G to the decision CLWE problem for arbitrary secret s. In other words, we claim hardness for the full decision problem, based on hardness of a restricted search problem. Also, our reduction implies that the decision problem is as hard as the search problem for the hardest choice of G. See Appendix D for more details.

Remark 9

The so-called normal form is used de facto in LWE-based cryptography. We note that the normal form reduction is agnostic to the secret space G. More precisely, the initial secret \(s \in G\) is cancelled in the transformation and replaced by a new secret \(s'\) derived from the error distribution (see Lemma 18 in Sect. 5.1). Therefore, the secret space in the normal form of CLWE is the expected space in relation to other LWE normal forms.

Even though our secret space is still exponentially large in n, it could be a concern for the security of CLWE if the above reductions were the best possible (e.g., if decision CLWE were polynomial-time equivalent to restricted search, rather than at least as hard). Fortunately, it is possible to remedy the loss of secret space by using a prime modulus q that totally ramifies in the relative extension L/K. The proofs of the following theorems are given in Appendix E.

Theorem 8

Let \({\mathcal {A}}\) be a cyclic division algebra over a number field L with center K and natural, maximal order \(\varLambda \) with \(\vert \gamma \vert =1\). Let \(\alpha = \alpha (n) \in (0,1)\) and \(q = q(n) \ge 2\) be parameters such that q is completely split in K, the ideals above q in K totally ramify in L, and \(\alpha \cdot q \ge \omega (\sqrt{\log N})\). Then, there is a polynomial-time quantum reduction from \({\mathcal {A}}\)-\(\hbox {DGS}_{{\mathcal {I}},\xi }\) to search \(\hbox {CLWE}_{q, \varSigma _\alpha }\) for any \(\xi = r \cdot \sqrt{d}\omega (\sqrt{\log {(d \cdot n)}})/ \alpha q\), where d is constant, \(r > \sqrt{2} q \cdot \eta _\varepsilon ({\mathcal {I}})\) and \({\mathcal {I}}\) and \(q\varLambda \) are coprime.

Note the DGS to search CLWE reduction requires a restriction on the ideal lattice problems that it holds for, but the search to decision part does not depend on any chosen ideal:

Theorem 9

Let \(\varLambda \) be the natural order of a cyclic division algebra \({\mathcal {A}} = (L/K, \theta , \gamma )\), d is constant, \(q \in \) poly(n) such that the ideals above q in \({\mathcal {O}}_K\) are maximally ramified in \({\mathcal {O}}_L\), and assume that \(\alpha \cdot q \ge \eta _\varepsilon (\varLambda ^\vee )\) for a negligible \(\varepsilon = \varepsilon (n)\). Then, there is a probabilistic reduction from \(\hbox {CLWE}_{q, \varSigma _\alpha }\) to D-\(\hbox {CLWE}_{q ,\varUpsilon _\alpha }\) which runs in time polynomial in n.

Explicit Primes for the Reduction

Which primes is the reduction valid for? We need \(q\in {\mathbb {Z}}\) such that q splits completely in K, say as \(q{\mathcal {O}}_K = {\mathfrak {q}}_1...{\mathfrak {q}}_g\), and that these primes are maximally ramified in L, i.e., \({\mathfrak {q}}_i{\mathcal {O}}_L = {\mathfrak {Q}}_i^{[L:K]}\).

To find such primes, we need to review how the algebras used are constructed. We set \(K = {\mathbb {Q}}(\zeta _m)\) and \(M = {\mathbb {Q}}(\zeta _{mq'})\), where \(q' \equiv 1 \mod m\) is a prime, and \(\mathrm {gcd}(m,q')=1\). For a degree d extension of K, fix an intermediate field \(K\subset L\subset M\) of the correct degree, via the generator of the Galois group of M/K. Recall that we impose \(\mathrm {gcd}(d,m)>1\).

From [45], the ramified primes of \({\mathbb {Q}}\) in M are the primes dividing \(mq'\), and the ramified primes of K in M are the primes dividing \(q'\). Since \(q'\) is prime, there is only one prime q dividing it, which is itself. To see that \(q=q'\) has the correct ramification, observe the following:

By our choice of q, it is completely split in K. If we label the ramification index e, the inertial degree f, and the number of primes q splits into by g, using the identity \([K:{\mathbb {Q}}] = e^q_{K/{\mathbb {Q}}}f^q_{K/{\mathbb {Q}}}g^q_{K/{\mathbb {Q}}}\), we know that \(g^q_{K/{\mathbb {Q}}} = [K:{\mathbb {Q}}]\), and \(f^q_{K/{\mathbb {Q}}} = e^q_{K/{\mathbb {Q}}} =1\). Moreover, q is ramified in \({\mathbb {Q}}(\zeta _{mq})\), and q does not divide m. This (with the condition on q) implies that \(f^q_{M/{\mathbb {Q}}} = 1\). Also, \(e^q_{M/{\mathbb {Q}}} = \phi (q) = q-1 = [M:K]\) and \(g^q_{M/{\mathbb {Q}}} = [K:{\mathbb {Q}}]\). Multiplicativity of the ramification index and inertial degree then gives \(e^q_{L/K} = [L:K]\), \(f^q_{L/K} = 1\) and \(g^q_{L/K} = 1\), for any intermediate field L.

This means that once an algebra is fixed, there is only one prime that the above reduction is valid for. This might seem like a significant issue; but, to construct an algebra of fixed size, there are infinitely many primes q that can be used to construct M, and thus L. This means that if we know the kind of prime we want to use before the algebra is constructed, there are in effect infinitely many primes to choose from. For example, we can consider \(K = {\mathbb {Q}}(\zeta _{128})\), and construct a degree 4 extension of K to generate an algebra of dimension 1024 over \({\mathbb {Q}}\) using the prime \(q=3457\), and the above reduction holds for those parameters.

CLWE in Cryptography

In this section we present a proof-of-concept cryptosystem using CLWE. To demonstrate our comparison against MLWE our scheme will closely resemble the typical ‘compact’ LWE cryptography schemes over modules, in particular KYBER (see [5]), although it is likely that an adaptation of Regev style encryption from [42] would suit CLWE as well.

Making CLWE Suitable for Cryptography: Normal Form

We implicitly use some standard LWE facts: firstly, we discretize our error distribution e to \(\varLambda _q^\vee \); discretizing does not reduce security since an attacker may always discretize the samples themselves. Secondly, we can ‘tweak’ the problem so that \(e,s \in \varLambda _q\). Fortunately, in the case where \(\gamma \) is a unit, \(\varLambda ^\vee = \bigoplus _i u^i {\mathcal {O}}_L^\vee \) and so this tweak is precisely multiplying on the right by the tweak factor taking \({\mathcal {O}}_L^\vee \) to \({\mathcal {O}}_L\) (see, e.g., [38]). Finally, we require hardness of a ‘normal’ form for the CLWE distribution, where s is sampled from the same distribution as the noise e.

We require two facts for our proof: firstly, given that q splits completely in K, the ring \(\varLambda _q\) is isomorphic to the direct product of n copies of the full matrix algebra \(M_{d \times d}({\mathbb {F}}_q)\), which can be seen by appealing to the CRT-style decomposition of Lemma 12 and Wedderburn’s Theorem as in [33, Propositions 1 and 4]. Secondly, we require that a non-negligible fraction in n of elements of \(\varLambda _q\) are invertible, which follows for fixed, small, d and \(q \in \text {poly}(n)\) from this direct product decomposition. Otherwise, our proof follows the outline for that of plain LWE from [4]. Given these two facts, we proceed with showing that the normal form of the CLWE distribution is as hard as the case of taking the secret uniformly at random.

Lemma 17

For a fixed d and \(q \ge (n+1)\), a non-negligible proportion of elements of \(\varLambda _q\) are invertible.

Proof

Following the decomposition of Lemma 12 and Wedderburn’s Theorem, it is sufficient to show that a non-negligible proportion of elements of

$$\begin{aligned} M_{d \times d}({\mathbb {F}}_q) \times \dots \times M_{d \times d}({\mathbb {F}}_q) \end{aligned}$$

are invertible, where there are n copies of \(M_{d \times d}({\mathbb {F}}_q)\). The proportion of invertible elements of \( M_{d \times d}({\mathbb {F}}_q)\) is precisely

$$\begin{aligned}&\dfrac{(q^d-1)(q^d - q)\dots (q^d - q^{d-1})}{q^{d^2}} \\&\quad = \left( \dfrac{q^d-1}{q^d}\right) \ldots \left( \dfrac{q^d-q^{d-1}}{q^d}\right) \\&\quad = \left( 1- \frac{1}{q^d}\right) \ldots \left( 1-\frac{1}{q}\right) \\&\quad \ge \left( 1-\frac{1}{q}\right) ^d, \end{aligned}$$

from which it follows that the total fraction of invertible elements in \(\varLambda _q\) is at least \(((1-\frac{1}{q})^d)^n\). By assumption, \(q \ge n+1\), and so \((1 -\frac{1}{q})^{nd} \ge ((1- \frac{1}{n+1})^n)^d \ge ({e^{-1}})^d = e^{-d}\), as required. \(\square \)

Remark 10

This lower bound of \(e^{-d}\) means that the normal form reduction will be asymptotic in n but only valid for fixed d. However, as d increases the proportion of invertible elements in \(\varLambda _q\) is still at least \((1- \frac{1}{q})^{nd}\), and so the reduction would be efficient in d in the case where one enforced a relation on q and d, such as \(q \ge nd + 1\), or more succinctly \(q \ge N\).

Lemma 18

There is a probabilistic polynomial time reduction from the CLWE problem with uniformly random secret s, possibly over a limited secret space G, and error distribution \(\chi \) to the CLWE problem with secret \(s' \leftarrow \chi \).

Proof

It is sufficient to show that there is an efficient transformation taking samples with secret s to samples with some new secret \(s'\) taken from \(\chi \). Sample pairs \((a,b) \leftarrow \varPi _{q,s,\chi }\) until a pair \((a_1, b_1:= a_1 \cdot s + e_1)\) such that \(a_1\) is invertible in \(\varLambda _q\) is obtained. Since a non-negligible fraction of elements of \(\varLambda _q\) are invertible by Lemma 17, this step takes only polynomial time.

Now, given a pair \((a_i,b_i) \leftarrow \varPi _{q,s,\chi }\), we obtain a sample from the CLWE distribution \(\varPi _{q,e_1,\chi }\) by outputting \(({\overline{a}}_i, {\overline{b}}_i) = (a_i a_1^{-1}, a_i a_1^{-1}b_1 - b_i)\). Since \(a_1^{-1}\) is invertible, \({\overline{a}}_i\) is uniform. Similarly,

$$\begin{aligned} a_i a_1^{-1}b_1 - b_i&= a_i a_1^{-1}(a_1 \cdot s + e_1) - (a_i \cdot s + e_i) \\&= a_i a_1^{-1}e_1 -e_i, \end{aligned}$$

and so \(({\overline{a}}_i, {\overline{b}}_i)\) is a valid CLWE sample with secret \(e_1\) and error distribution \(\chi \). Relabeling \(e_1\) as \(s'\) completes the proof. \(\square \)

Sample Cryptosystem

Our scheme is parameterized by an algebra \({\mathcal {A}} := (L/K, \theta , \gamma )\), where \({\mathcal {A}}\) is as in Sect. 3.3, an error distribution \(\varSigma \), and a prime modulus \(q \equiv 1 \mod m\) (recall \(K = {\mathbb {Q}}(\zeta _{m})\)) which is completely split in L. We will denote with bold faced letters the vector form of an element of \(\varLambda _q\), e.g., if \(a = a_0 + u a_1 +... +u^{d-1} a_{d-1}\) then \({{\textbf {a}}} = (a_0, a_1,\ldots ,a_{d-1})\). We note that \({\mathcal {O}}_L/q{\mathcal {O}}_L\) has a polynomial representation of dimension \(n \cdot d\), and so we encode our message \(\in \lbrace 0,1 \rbrace ^{n \cdot d^2}\) as an entry of \(\varLambda _q\), namely as a vector \({{\textbf {m}}}\) of d polynomials with coefficients in \(\lbrace 0,1 \rbrace \). The scheme proceeds as follows:

  • Alice generates a CLWE sample \((a,b := a \cdot s + e)\), where \(a \in \varLambda _q\) is uniformly random and \(s, e \leftarrow \varSigma \), and outputs public key \({{\textbf {a}}}, {{\textbf {b}}}\).

  • To encrypt \({{\textbf {m}}} \in \lbrace 0,1 \rbrace ^{n \cdot d^2}\), Bob samples \(t, e_1, e_2 \leftarrow \varSigma \) and outputs \({{\textbf {u}}} := \phi (a)^T {{\textbf {t}}} + {{\textbf {e}}}_1, {{\textbf {v}}} := \phi (b)^T {{\textbf {t}}} + {{\textbf {e}}}_2 + \lceil \frac{q}{2} \rfloor \cdot {{\textbf {m}}}\).

  • To decrypt, Alice computes \({{\textbf {c}}} = {{\textbf {v}}} - \phi (s)^T {{\textbf {u}}}\) and recovers each coordinate of \({{\textbf {m}}}\) by rounding the corresponding entry of \({{\textbf {c}}}\) to 0 or \(\lceil \frac{q}{2} \rfloor \) and outputting 0 or 1 respectively.
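The three steps above, as an added toy implementation that is not the paper's code. It assumes a constructed stand-in for the algebra: \({\mathcal {O}}_L/q{\mathcal {O}}_L\) is modelled by \({\mathbb {Z}}_q[x]/(x^N+1)\), \(\theta \) is the automorphism \(x \mapsto -x\), \(\gamma = x^2\) is a root of unity fixed by \(\theta \), and \(\varSigma \) is a centred binomial distribution; the matrix embedding \(\phi \) is built directly from the relations \(x u = u\theta (x)\) and \(u^d = \gamma \) of Lemma 12, and the code also checks the homomorphism property \(\phi (a \cdot s) = \phi (a)\phi (s)\) that the decryption equation relies on.

```python
# Toy instantiation of the sample CLWE scheme (added example, not the paper's code).
# Constructed assumptions: O_L/qO_L is modelled by L_q = Z_q[x]/(x^N + 1) with N a power
# of two, theta is the automorphism x -> x^THETA_K, gamma is a power of x fixed by theta
# (so it lies in the base field K), and errors come from a centred binomial distribution.
import random

Q, N, D = 3329, 16, 2          # modulus, [L:Q], d = [L:K]  (toy parameters)
THETA_K = N + 1                # theta: x -> x^(N+1) = -x, order 2, fixes K = Q(x^2)
GAMMA = [0] * N; GAMMA[2] = 1  # gamma = x^2: a root of unity in K with theta(gamma) = gamma
HALF = (Q + 1) // 2            # round(q/2), the message scaling factor

def poly_mul(f, g):
    """Multiply in Z_Q[x]/(x^N + 1) (negacyclic convolution)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] = (out[i + j] + fi * gj) % Q
            else:                                   # x^N = -1
                out[i + j - N] = (out[i + j - N] - fi * gj) % Q
    return out

def poly_add(f, g, sign=1):
    return [(a + sign * b) % Q for a, b in zip(f, g)]

def theta(f, times=1):
    """Apply x -> x^THETA_K to f 'times' times; x^e reduces to (-1)^(e // N) x^(e mod N)."""
    for _ in range(times):
        out = [0] * N
        for i, c in enumerate(f):
            e = i * THETA_K
            s = -1 if (e // N) % 2 else 1
            out[e % N] = (out[e % N] + s * c) % Q
        f = out
    return f

def phi(a):
    """Matrix embedding: column j holds the coordinates of a * u^j for a = sum_i u^i a[i].
    Uses x u^j = u^j theta^j(x) and u^D = gamma, which is central since theta(gamma) = gamma."""
    M = [[None] * D for _ in range(D)]
    for i in range(D):
        for j in range(D):
            entry = theta(a[i], j)
            if i + j >= D:
                entry = poly_mul(GAMMA, entry)
            M[(i + j) % D][j] = entry
    return M

def transpose(M):
    return [[M[j][i] for j in range(D)] for i in range(D)]

def matvec(M, v):
    """(M v)_r = sum_j M[r][j] * v[j] over L_q; matvec(phi(a), s) is the product a * s."""
    out = []
    for r in range(D):
        acc = [0] * N
        for j in range(D):
            acc = poly_add(acc, poly_mul(M[r][j], v[j]))
        out.append(acc)
    return out

def vec_add(v, w, sign=1):
    return [poly_add(f, g, sign) for f, g in zip(v, w)]

def small(rng):
    """Constructed error distribution Sigma: centred binomial coefficients in {-2, ..., 2}."""
    def cbd():
        return sum(rng.randint(0, 1) - rng.randint(0, 1) for _ in range(2))
    return [[cbd() for _ in range(N)] for _ in range(D)]

def uniform(rng):
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(D)]

def keygen(rng):
    """Alice: a uniform, s, e <- Sigma, b = a*s + e; public key (a, b), secret s."""
    a, s, e = uniform(rng), small(rng), small(rng)
    return (a, vec_add(matvec(phi(a), s), e)), s

def encrypt(pk, m, rng):
    """Bob: m is D polynomials with {0,1} coefficients (N*D bits in this toy)."""
    a, b = pk
    t, e1, e2 = small(rng), small(rng), small(rng)
    u = vec_add(matvec(transpose(phi(a)), t), e1)
    scaled = [[HALF * bit % Q for bit in row] for row in m]
    v = vec_add(vec_add(matvec(transpose(phi(b)), t), e2), scaled)
    return u, v

def decrypt(s, ct):
    """Alice: c = v - phi(s)^T u = e' + round(q/2) m; a coefficient nearer q/2 than 0 decodes to 1."""
    u, v = ct
    c = vec_add(v, matvec(transpose(phi(s)), u), -1)
    return [[1 if Q // 4 < x < 3 * Q // 4 else 0 for x in row] for row in c]

def roundtrip(seed=1):
    """Encrypt a random N*D-bit message and check that it decrypts correctly."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    m = [[rng.randint(0, 1) for _ in range(N)] for _ in range(D)]
    return decrypt(s, encrypt(pk, m, rng)) == m

def phi_respects_products(seed=2):
    """phi(a*s) y == phi(a) (phi(s) y) on random a, s, y: the homomorphism property behind
    phi(b)^T = phi(s)^T phi(a)^T + phi(e)^T, which is what makes decryption cancel a and s."""
    rng = random.Random(seed)
    a, s, y = uniform(rng), uniform(rng), uniform(rng)
    a_times_s = matvec(phi(a), s)
    return matvec(phi(a_times_s), y) == matvec(phi(a), matvec(phi(s), y))

if __name__ == "__main__":
    print("decryption correct:", roundtrip(), "| phi multiplicative:", phi_respects_products())
```

With these toy parameters every coefficient of the error term is at most 258 in absolute value, well inside the q/4 = 832 margin, so decryption never fails; a larger N or wider error distribution makes the margin the quantity to check.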

Remark 11

There are two benefits of instantiating this scheme in the cyclic algebra setting rather than over modules as in [5], both following from the matrix embedding \(\phi \). Firstly, in the module setting Alice must publish a matrix A in her key, whereas here she publishes only the vector \({{\textbf {a}}}\), since \(\phi (a)\) lets us generate the matrix from it; this saves a factor of d in the size of the public key. Secondly, by extending \({{\textbf {b}}}\) to \(\phi (b)\) we are able to increase the dimension of \({{\textbf {v}}}\), and correspondingly increase the size of the message by a factor of d.

Example 3

Recall our explicit algebras from Sect. 3.3. Without considering streamlined implementation for specific NIST submissions, we will pick toy comparison parameters for equivalent module-based systems and ring-based schemes, e.g., KYBER and NewHope. For the module case, consider a module of dimension 4 over a ring L of dimension 256, with 2-power cyclotomic base field \([K:{\mathbb {Q}}] = 64\). Our public key \(({{\textbf {a}}}, {{\textbf {b}}})\) requires storing only 8 elements of \(R_q ={\mathcal {O}}_L/q \cdot {\mathcal {O}}_L\) rather than 20 in the form \((A, {{\textbf {b}}})\). Our message consists of 1024 bits, corresponding to the total dimension of the algebra, rather than the module version's 256 bits, which corresponds to the field dimension; if the private key size is 256, our CLWE scheme allows a rate-1/4 binary error correction code, while KYBER does not. Our ciphertext sizes are the same. As far as the modulus q is concerned, we find \(q=3329\) splits completely in a quartic cyclic extension L of K, which matches the modulus q used in KYBER; meanwhile, \(q=3457\) splits completely in K but ramifies totally in another relative extension of K. Overall this represents a noteworthy gain in key and message size without loss in efficiency. For the ring case, consider an instantiation of NewHope in dimension 1024. Both public keys are in the form (a, s) and so require equivalent levels of storage (8 elements of a field of dimension 256 or 2 in dimension 1024), and the same phenomenon is true of ciphertext sizes and message length. However, a larger modulus \(q=12289\) is used in NewHope. Hence, we hope to gain in security without losing much efficiency. A limitation of our current method is that we cannot achieve rank \(d=3\), similar to the RLWE limitation over power-of-2 rings.

Before considering security and correctness we need a somewhat technical lemma allowing the use of the matrix transpose operation. Essentially, it states that if the CLWE problem is hard in an algebra \({\mathcal {A}}\), then for \(a, s, e \in \varLambda _q\), the equation \(\phi (a)^T {{\textbf {s}}} + {{\textbf {e}}}\) is a valid CLWE instance in some other algebra \({\mathcal {A}}'\) for which the CLWE problem is still hard.

Lemma 19

Let \({\mathcal {A}} = (L/K, \theta , \gamma )\), where \(\gamma \) is a unit, be a cyclic division algebra with matrix embedding \(\phi (a)\) and natural order \(\varLambda \). Then there exists another cyclic algebra \({\mathcal {A}}' = (L/K, \theta , \gamma ^{-1})\) with matrix embedding \(\phi '(a')\) and natural order \(\varLambda '\) such that for \(a \in {\mathcal {A}}\) there exists \(a' \in \varLambda '\) satisfying \(\phi (a)^T = \phi '(a')\). Moreover, \({\mathcal {A}}'\) still satisfies the division algebra condition, and \(\varLambda _q'\) and \(\varLambda _q\) are canonically isomorphic as additive groups.

Proof

The fact that \({\mathcal {A}}'\) is still a division algebra follows from the non-norm property of \(\gamma \) and the fact that \(N_{L/K}(L^\times )\) is a multiplicative group. \(\varLambda _q'\) and \(\varLambda _q\) are isomorphic as additive groups because both algebras share the same underlying fields and \(\gamma , \gamma ^{-1}\) are both units of \({\mathcal {O}}_L\). Since the first row of \(\phi (a)\) is precisely \((x_0, \gamma \theta (x_{d-1}), \gamma \theta ^2(x_{d-2}), \ldots ,\gamma \theta ^{d-1}(x_{1}))\), by setting \(a' = x_0 + u \gamma \theta (x_{d-1}) +\dots + u^{d-1} \gamma \theta ^{d-1}(x_1)\) and observing that \(\theta ^d\) is the identity it is easy to check that \(\phi (a)^T = \phi '(a')\). \(\square \)

The proofs of correctness and security are similar in spirit to those of other compact LWE schemes such as, e.g., NewHope [3] or KYBER [5]. We proceed with a somewhat informal security argument.

Lemma 20

The defined scheme is IND-CPA secure under the assumption that the decision \(\hbox {CLWE}_{q,\varUpsilon }\) problem is hard.

Proof

The goal of an IND-CPA adversary is to distinguish, with non-negligible advantage, between encryptions of two plaintexts \({{\textbf {m}}}_0, {{\textbf {m}}}_1\) of its choice. The challenger chooses \(i \in \lbrace 0,1 \rbrace \) uniformly at random and encrypts \({{\textbf {m}}}_i\) as \({{\textbf {u}}}, {{\textbf {v}}}\). By the assumption that the decision CLWE problem is hard, the adversary cannot distinguish between the case where \(b = as +e\) and the case where it is replaced by a uniform random \(b'\), so we replace b in the public key given to the adversary by \(b'\) and also use \(b'\) to compute the challenge ciphertext \({{\textbf {v}}}'\). Setting \({{\textbf {v}}}'' := {{\textbf {v}}}' - \lceil \frac{q}{2} \rfloor \cdot {{\textbf {m}}}_i\), it follows by Lemma 19 that \({{\textbf {u}}}, {{\textbf {v}}}''\) represent two samples from a valid CLWE distribution with secret \({{\textbf {t}}}\), and so the adversary cannot distinguish them from uniform with non-negligible advantage. Hence, the adversary cannot distinguish \({{\textbf {v}}}'\), and therefore \({{\textbf {v}}}\), from uniform with non-negligible advantage, and so cannot guess i with non-negligible advantage. \(\square \)

Finally, we demonstrate conditions on the error term for the scheme to be correct.

Lemma 21

The defined scheme is correct as long as the \(\ell _\infty \) norm of \({{\textbf {e}}}' =(\phi (e)^T {{\textbf {t}}} + {{\textbf {e}}}_2 - \phi (s)^T {{\textbf {e}}}_1)\) is less than \(\lceil \frac{q}{4} \rfloor \), where the \(\ell _\infty \) norm is over the vector of all polynomial coefficients of each \(u^i\) entry of \({{\textbf {e}}}'\) of dimension \(n \cdot d^2\).

Proof

To decrypt, Alice computes \({{\textbf {v}}} - \phi (s)^T {{\textbf {u}}}\) and computes \({{\textbf {m}}}\) by rounding. Since \(\phi (\cdot )\) is a homomorphism, we have

$$\begin{aligned} {{\textbf {v}}} - \phi (s)^T {{\textbf {u}}}&= \phi (b)^T {{\textbf {t}}} + {{\textbf {e}}}_2 + \left\lceil \frac{q}{2} \right\rfloor \cdot {{\textbf {m}}} - \phi (s)^T( \phi (a)^T {{\textbf {t}}} + {{\textbf {e}}}_1) \\&= \phi (e)^T {{\textbf {t}}} + {{\textbf {e}}}_2 - \phi (s)^T {{\textbf {e}}}_1 + \left\lceil \frac{q}{2} \right\rfloor \cdot {{\textbf {m}}} \\&= {{\textbf {e}}}' + \left\lceil \frac{q}{2} \right\rfloor \cdot {{\textbf {m}}}. \end{aligned}$$

from which the result follows immediately. \(\square \)

We note that the error term \({{\textbf {e}}}'\) will be unsurprising to those familiar with LWE-based cryptography. Although we do not provide concrete correctness estimations, the error parameters for our decision reduction are equivalent to those of MLWE up to some small covariance terms. We do not expect this covariance to greatly affect the distribution of the error and thus for equivalent parameter choices we expect a similarly small probability of decryption failure.
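As an added example (not the paper's code), the following Python script instantiates a toy cyclic algebra over \({\mathbb {Z}}_q\) and checks three things on concrete values: the transpose identity \(\phi (a)^T = \phi '(a')\) of Lemma 19, the homomorphism property \(\phi (as) = \phi (a)\phi (s)\) used in the proof of Lemma 21, and the error term \({{\textbf {e}}}'\) of Lemma 21 on an actual encryption. Every parameter is an assumption chosen for illustration: \(L = {\mathbb {Z}}_q[x]/(x^8+1)\) with \(q = 3329\), \(\theta : x \mapsto x^5\) (of order 4, so \(d = 4\) and \(K\) is the fixed ring spanned by \(1, x^4\), giving \(n = 2\)), \(\gamma = x^4 \in K\) (a unit; its non-norm property, i.e. the division algebra condition, is not checked), and ternary secrets and errors in place of the distribution \(\varUpsilon \). Working directly over \({\mathbb {Z}}_q\) rather than over the number field is enough for these identities, since each is a statement about matrices over \({\mathcal {O}}_L/q\).

```python
# Added example, not the paper's code: toy cyclic algebra (L/K, theta, gamma) over Z_q.
# Assumptions: L = Z_q[x]/(x^8 + 1), theta(x) = x^5 (order 4, so d = 4), K = span{1, x^4}
# (n = 2), gamma = x^4 (a unit of K; the non-norm condition is NOT checked here).
import random

q, m, k, d = 3329, 8, 5, 4                    # modulus, deg L over Z_q, theta exponent, order of theta
GAMMA = [0, 0, 0, 0, 1, 0, 0, 0]              # x^4
GAMMA_INV = [0, 0, 0, 0, q - 1, 0, 0, 0]      # -x^4, since x^4 * x^4 = x^8 = -1
HALF_Q = (q + 1) // 2                         # round(q/2)

def padd(f, g): return [(x + y) % q for x, y in zip(f, g)]
def psub(f, g): return [(x - y) % q for x, y in zip(f, g)]
def psum(ps): return [sum(c) % q for c in zip(*ps)]
def pmul(f, g):
    """Product in L = Z_q[x]/(x^m + 1)."""
    out = [0] * (2 * m)
    for i, x in enumerate(f):
        for j, y in enumerate(g):
            out[i + j] += x * y
    return [(out[i] - out[i + m]) % q for i in range(m)]
def theta(f, power=1):
    """theta^power(f)(x) = f(x^(k^power)), reduced with x^(2m) = 1 and x^m = -1."""
    out, e = [0] * m, pow(k, power, 2 * m)
    for i, x in enumerate(f):
        r = (i * e) % (2 * m)
        out[r % m] = (out[r % m] + (x if r < m else -x)) % q
    return out

def phi(a, gamma=GAMMA):
    """Left regular representation of a = sum_i u^i a_i (a_i in L): row i, column j is
    theta^j(a_{i-j}) for i >= j and gamma*theta^j(a_{d+i-j}) for i < j, so the first row
    reads (a_0, gamma theta(a_{d-1}), ..., gamma theta^{d-1}(a_1)) as in the proof of Lemma 19."""
    return [[theta(a[i - j], j) if i >= j else pmul(gamma, theta(a[d + i - j], j))
             for j in range(d)] for i in range(d)]
def transpose(M): return [[M[j][i] for j in range(d)] for i in range(d)]
def matmul(A, B): return [[psum([pmul(A[i][l], B[l][j]) for l in range(d)]) for j in range(d)] for i in range(d)]
def matvec(M, v): return [psum([pmul(M[i][j], v[j]) for j in range(d)]) for i in range(d)]
def vadd(u, v): return [padd(x, y) for x, y in zip(u, v)]
def vsub(u, v): return [psub(x, y) for x, y in zip(u, v)]

def lemma19_partner(a):
    """a' in A' = (L/K, theta, gamma^-1): a'_0 = a_0, a'_j = gamma theta^j(a_{d-j})."""
    return [a[0]] + [pmul(GAMMA, theta(a[d - j], j)) for j in range(1, d)]
def lemma19_holds(a):
    return transpose(phi(a)) == phi(lemma19_partner(a), GAMMA_INV)
def homomorphism_holds(a, b):
    """phi(a)phi(b) equals phi(c) for c read off the first column (the coefficients of a*b)."""
    P = matmul(phi(a), phi(b))
    return P == phi([P[i][0] for i in range(d)])

def rand_elem(rng, small=False):
    """Element of Lambda_q as d polynomials: uniform, or 'small' with coefficients in {-1,0,1}
    (a stand-in for the error distribution, chosen here as an assumption)."""
    return [[(rng.randrange(-1, 2) if small else rng.randrange(q)) % q for _ in range(m)] for _ in range(d)]

def keygen(rng):
    a, s, e = rand_elem(rng), rand_elem(rng, True), rand_elem(rng, True)
    b = vadd(matvec(phi(a), s), e)       # b = a*s + e: phi(a) applied to the coefficients of s
    return (a, b), (s, e)
def encrypt(pk, msg, rng):
    """msg: d binary polynomials, i.e. n*d^2 = 128 bits. Returns the ciphertext and the noise used."""
    a, b = pk
    t, e1, e2 = (rand_elem(rng, True) for _ in range(3))
    u = vadd(matvec(transpose(phi(a)), t), e1)
    v = vadd(vadd(matvec(transpose(phi(b)), t), e2), [[HALF_Q * c for c in p] for p in msg])
    return (u, v), (t, e1, e2)
def decrypt(sk, ct):
    (s, _), (u, v) = sk, ct
    w = vsub(v, matvec(transpose(phi(s)), u))                 # = e' + round(q/2) * msg, by Lemma 21
    return [[(2 * c + q // 2) // q % 2 for c in p] for p in w]  # nearest multiple of q/2, mod 2
def error_term(sk, noise):
    """e' = phi(e)^T t + e2 - phi(s)^T e1 of Lemma 21."""
    (s, e), (t, e1, e2) = sk, noise
    return vsub(vadd(matvec(transpose(phi(e)), t), e2), matvec(transpose(phi(s)), e1))
def linf(vec):
    """l_inf norm over all n*d^2 coefficients, each lifted to (-q/2, q/2]."""
    return max(abs(c - q if c > q // 2 else c) for p in vec for c in p)

def demo(seed=7):
    rng = random.Random(seed)
    a, b = rand_elem(rng), rand_elem(rng)
    pk, sk = keygen(rng)
    msg = [[rng.randrange(2) for _ in range(m)] for _ in range(d)]
    ct, noise = encrypt(pk, msg, rng)
    norm = linf(error_term(sk, noise))
    return {"lemma19": lemma19_holds(a), "homomorphism": homomorphism_holds(a, b),
            "error_linf": norm, "within_q4": norm < q // 4, "decrypts": decrypt(sk, ct) == msg}

if __name__ == "__main__":
    print(demo())
```

With ternary noise and \(\gamma \) a monomial, each coefficient of \(\phi (e)^T {{\textbf {t}}}\) and \(\phi (s)^T {{\textbf {e}}}_1\) is a sum of \(d \cdot m = 32\) products of values in \(\lbrace -1, 0, 1 \rbrace \), so \(\Vert {{\textbf {e}}}' \Vert _\infty \le 65\) here, far below \(\lceil q/4 \rfloor = 832\); the `within_q4` flag is the hypothesis of Lemma 21 and `decrypts` its conclusion. Shrinking q or widening the noise in `rand_elem` is the quickest way to watch the bound fail and decryption errors appear.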

Operational Complexity in Cyclic Algebras

In the previous subsection we showed that the CLWE problem can be used to construct a standard LWE-based cryptosystem. Assuming that parameters across all variants of the LWE assumption are roughly equivalent, the CLWE problem supports key and message sizes as advantageous as those of the RLWE problem, and better than those of the module case. Along with storage considerations, another important facet of the ambient space in LWE cryptography is the efficiency of operations. Here, we will consider the asymptotic complexity of multiplication in a cyclic algebra in order to compare it to the ring and module variants. Since in practice we consider operations modulo some prime q, addition in rings, modules, and cyclic algebras can be considered as addition in vector spaces over \({\mathbb {Z}}_q\), which has complexity dominated by that of multiplication.

Consequently, we only concern ourselves with a comparison of the cost of computing the multiplication operation \(A {{\textbf {s}}}\) in the three cases. In order to keep our comparison consistent, we let N denote the total dimension of the underlying LWE instance. In the ring case, N denotes the ring dimension; in the module case, \(N = nd\), where n denotes the ring dimension and d the module rank; in the cyclic algebra case \(N = nd^2\), where the ring dimension is nd and the algebra has ‘module’ rank d. However, since it will be important later we remark here that the cyclotomic part of the ring will be of dimension n rather than nd. The three cases can be considered as follows:

  • In the ring case, the operation \(A {{\textbf {s}}}\) over \({\mathbb {Z}}_q\) is a representation of the ring operation \(a \cdot s\) in \(R_q \cong {{\mathbb {Z}}_q[X]}/{(X^N+1)}\). Using the CRT decomposition in dimension N of [28], this operation is decomposed into coordinatewise multiplication in a vector of dimension N over \({\mathbb {Z}}_q\), following which the decomposition is reversed to recover \(a \cdot s\). The complexity of this technique is dominated by that of the CRT decomposition, which takes time \(O(N \log N)\), although the coordinatewise multiplication also requires time O(N).

  • In the module case, A is a \(d \times d\) matrix over \(R_q\). In this case, one can compute \(A {{\textbf {s}}}\) by applying the CRT in dimension n coordinatewise on A and \({{\textbf {s}}}\). This requires \(d^2+d\) applications of the CRT, for a total asymptotic complexity of \(O(d^2 n\log n) = O(Nd \log (N/d))\). Again, this hides a coordinatewise multiplication step which takes time O(Nd) in this setting.

  • In the cyclic algebra case, A is a matrix in the shape \(\phi (a)\), where \(\phi (a)\) is the left regular representation of \(a \in \varLambda _q\). We estimate the complexity of the operation \(\phi (a) \cdot {{\textbf {s}}}\) in Appendix F. Explicitly, our algorithm has complexity \(O(N \log (N/d^2)) + {\tilde{O}}(Nd^{\omega -2})\) in the case where q splits completely in L, with \(\omega \in [2, 2.373]\) denoting the exponent of matrix multiplication. The latter term corresponds to the cost of multiplication in our analog of the finite fields used in the CRT method for RLWE.

We see that, in the case of completely splitting q, cyclic algebras compare favorably with modules for multiplication in the same dimension N and when d grows to infinity, depending on the exact relationship between \(\log d^2\) and \(d^{\omega -2}\). Recall that for our reduction to hold, we require d to be constant, in which case all three complexities discussed above are the same (since the constant d will be hidden by the constant appearing in the \(O(\cdot )\)). Moreover, we currently do not know how to construct CLWE instances for arbitrary field degree and module rank, e.g., \(n = 256\) and \(d = 3\) like in Kyber.
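To make the transform counts in the ring and module cases concrete, here is an added example (not from the paper or its Appendix F) that implements the CRT decomposition of \(R_q\) as a negacyclic number-theoretic transform and counts the transforms used by the product \(A {{\textbf {s}}}\) in the module case against a schoolbook reference. The parameters are assumptions: \(n = 256\) and \(d = 3\) as in the Kyber-like shape mentioned above, but with \(q = 7681 \equiv 1 \pmod{2n}\) so that \(x^n + 1\) splits completely modulo q (Kyber's \(q = 3329\) does not); \(\psi \) is any element with \(\psi ^n = -1\), so the roots of \(x^n + 1\) are the odd powers of \(\psi \). The cyclic algebra algorithm of Appendix F is not reproduced.

```python
# Added example, not the paper's code: CRT (negacyclic NTT) multiplication in
# R_q = Z_q[x]/(x^n + 1) and its use for the module product A s, counting transforms.
# Assumptions: n = 256, d = 3, q = 7681 = 1 mod 2n so that x^n + 1 splits completely.
import random

n, d, q = 256, 3, 7681
PSI = next(g for g in range(2, q) if pow(g, n, q) == q - 1)   # primitive 2n-th root of unity
PSI_INV, OMEGA, OMEGA_INV, N_INV = pow(PSI, -1, q), PSI * PSI % q, pow(PSI * PSI, -1, q), pow(n, -1, q)
counts = {"forward": 0, "inverse": 0}

def ntt(a, w):
    """Cyclic transform A[i] = sum_j a[j] w^(ij), w a primitive len(a)-th root of unity (Cooley-Tukey)."""
    size = len(a)
    if size == 1:
        return a[:]
    even, odd = ntt(a[0::2], w * w % q), ntt(a[1::2], w * w % q)
    out, wk = [0] * size, 1
    for i in range(size // 2):
        t = wk * odd[i] % q
        out[i], out[i + size // 2] = (even[i] + t) % q, (even[i] - t) % q
        wk = wk * w % q
    return out

def crt(a):
    """CRT map R_q -> Z_q^n: evaluate a at the n roots psi^(2i+1) of x^n + 1."""
    counts["forward"] += 1
    return ntt([a[i] * pow(PSI, i, q) % q for i in range(n)], OMEGA)

def icrt(A):
    """Inverse of crt: inverse cyclic transform, then undo the twist by psi^i."""
    counts["inverse"] += 1
    a = ntt(A, OMEGA_INV)
    return [a[i] * N_INV % q * pow(PSI_INV, i, q) % q for i in range(n)]

def schoolbook(a, b):
    """Reference product in R_q in O(n^2) time."""
    out = [0] * (2 * n)
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[i + j] += x * y
    return [(out[i] - out[i + n]) % q for i in range(n)]

def ring_mul(a, b):
    """Ring case: 2 forward transforms, n coordinatewise products, 1 inverse transform."""
    A, B = crt(a), crt(b)
    return icrt([x * y % q for x, y in zip(A, B)])

def module_matvec(A, s):
    """Module case, A a d x d matrix over R_q: d^2 + d forward transforms, d^2 n coordinatewise
    products, d inverse transforms."""
    At = [[crt(p) for p in row] for row in A]
    st = [crt(p) for p in s]
    out = []
    for row in At:
        acc = [0] * n
        for Aij, sj in zip(row, st):
            acc = [(x + y * z) % q for x, y, z in zip(acc, Aij, sj)]
        out.append(icrt(acc))
    return out

def module_schoolbook(A, s):
    return [[sum(col) % q for col in zip(*[schoolbook(Aij, sj) for Aij, sj in zip(row, s)])] for row in A]

def demo(seed=1):
    """Random inputs (constructed), correctness against schoolbook, and the transform counts."""
    rng = random.Random(seed)
    rnd = lambda: [rng.randrange(q) for _ in range(n)]
    counts["forward"] = counts["inverse"] = 0
    a, b = rnd(), rnd()
    ring_ok = ring_mul(a, b) == schoolbook(a, b)
    ring_counts = dict(counts)
    counts["forward"] = counts["inverse"] = 0
    A, s = [[rnd() for _ in range(d)] for _ in range(d)], [rnd() for _ in range(d)]
    module_ok = module_matvec(A, s) == module_schoolbook(A, s)
    return {"ring_ok": ring_ok, "ring_transforms": ring_counts,
            "module_ok": module_ok, "module_transforms": dict(counts)}

if __name__ == "__main__":
    print(demo())
```

For the same total dimension \(N = nd\), the module product performs \(d^2 + d\) forward and d inverse transforms of size n, whereas the ring case performs two forward transforms and one inverse of size N, which is where the \(O(Nd \log (N/d))\) versus \(O(N \log N)\) counts above come from; the \(d^2 n = Nd\) coordinatewise multiplications are the hidden \(O(Nd)\) term.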

Conclusions and Future Work

The primary goal of this work is the introduction of the Learning with Errors problem over Cyclic Algebras, CLWE, adding to the family of available LWE assumptions for use in cryptography. To this end, the central pillars of an LWE problem are provided for the cyclic algebra case. First, in order to provide a foundation for the construction, the notion of lattices derived from two-sided ideals of the natural order of a cyclic algebra is applied in cryptography for the first time. Then, in Sect. 3, the CLWE problem is formally introduced, following which explicit algebras are provided with dimensions and structure appropriate for cryptographic use. Then, in Sect. 4, the usual LWE security reductions are established in the CLWE case, namely, samples from the CLWE distribution appear pseudorandom to an onlooker with no knowledge of the secret s. Finally, in Sect. 5, the necessary steps are taken to mold the CLWE problem into a practical format for cryptography. Normal form reduction is shown and a sample cryptosystem in this form is provided. Additionally, the complexity of operations in CLWE cryptography is compared to that of RLWE and MLWE-based schemes.

Cyclic algebras exhibit substantial novel structures within lattice-based cryptography, and discovering use cases for these previously unseen features represents an exciting area of future research. We outline a few directions of future research in the following.

From a theoretical standpoint, the most pressing question to be solved about CLWE is whether or not the search and decision problems are polynomial time equivalent, or instead whether the hardness of the decision variant can be based directly on hard lattice problems via some other technique. In this work, the effectiveness of our technique for showing the hardness of the decision problem depended on the modulus q: the case of completely split q resulted in a loss of secret space, while for the case of ramified q, which remedies this issue, we have not managed to come up with an efficient multiplication algorithm.

Another method of establishing the hardness of decision RLWE that is not shown for CLWE in this work is a direct-to-decision reduction, which more generally represents a security proof for the decision problem that holds for wider classes of cyclic division algebras than those of Sect. 4.2. The direct-to-decision reduction of [40] is the only security reduction for RLWE which establishes the hardness of the decision problem without enforcing that K is a cyclotomic field within which q splits completely, as in the search-decision reduction of [27] and the presented analog for CLWE. Dropping this restriction, and hence widening the possible choices of cyclic algebras supporting the hardness of the decision problem, would provide a larger design space for CLWE-based cryptography.

As another direction of future work, we view it as a drawback of our work that we are restricted to certain instances of cyclic algebras. Although in practice most cryptography would use a fixed choice of algebra, this restriction is an artifact of our methods and may be removable. Additionally, showing the aforementioned direct-to-decision reduction may generalize the choice of algebras.

Finally, this work is focused on the theoretical construction of a non-commutative Ring-LWE assumption, and we leave practical analysis and implementation of cryptography based on CLWE as further research.