Middle-Product Learning with Errors

  • Miruna Roşca
  • Amin Sakzad
  • Damien Stehlé
  • Ron Steinfeld
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10403)


We introduce a new variant \(\mathsf {MP}\text {-}\mathsf {LWE}\) of the Learning With Errors problem (\(\mathsf {LWE}\)) making use of the Middle Product between polynomials modulo an integer q. We exhibit a reduction from the Polynomial-\(\mathsf {LWE}\) problem (\(\mathsf {PLWE}\)) parametrized by a polynomial f, to \(\mathsf {MP}\text {-}\mathsf {LWE}\) which is defined independently of any such f. The reduction only requires f to be monic with constant coefficient coprime with q. It incurs a noise growth proportional to the so-called expansion factor of f. We also describe a public-key encryption scheme with quasi-optimal asymptotic efficiency (the bit-sizes of the keys and the run-times of all involved algorithms are quasi-linear in the security parameter), which is secure against chosen plaintext attacks under the \(\mathsf {MP}\text {-}\mathsf {LWE}\) hardness assumption. The scheme is hence secure under the assumption that \(\mathsf {PLWE}\) is hard for at least one polynomial f of degree n among a family of f’s which is exponential in n.
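An added example, not taken from the paper: a toy Python sketch of the middle product (the middle d coefficients of a polynomial product, reduced mod q) and of one sample of the form b = a ⊙_d s + e. It goes slightly beyond the abstract by also checking the composition identity r ⊙_d (a ⊙_{d+k} s) = (r·a) ⊙_d s, which follows from comparing coefficients. All function names, the toy parameters and the bounded uniform noise are assumptions made for illustration, not the paper's parameter or distribution choices.

```python
import random

def poly_mul(a, b, q):
    """Schoolbook product of coefficient lists (lowest degree first) mod q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out

def middle_product(a, b, d, q):
    """Return the middle d coefficients of a*b mod q.

    Requires len(a) + len(b) - 1 == d + 2k: the k lowest and k highest
    coefficients of the full product are discarded.
    """
    extra = len(a) + len(b) - 1 - d
    if extra < 0 or extra % 2:
        raise ValueError("len(a) + len(b) - 1 must equal d + 2k for some k >= 0")
    k = extra // 2
    return poly_mul(a, b, q)[k:k + d]

def mp_lwe_sample(s, n, d, q, rng, noise_bound=1):
    """One toy sample (a, b, e) with b = a (.)_d s + e mod q.

    Assumption: e is uniform in [-noise_bound, noise_bound], a stand-in
    for a small-noise distribution, not the paper's choice.
    """
    if len(s) != n + d - 1:
        raise ValueError("secret must have n + d - 1 coefficients")
    a = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-noise_bound, noise_bound) for _ in range(d)]
    b = [(m + err) % q for m, err in zip(middle_product(a, s, d, q), e)]
    return a, b, e

def composition_holds(r, a, s, d, q):
    """Check r (.)_d (a (.)_{d+k} s) == (r*a) (.)_d s, where len(r) = k + 1."""
    k = len(r) - 1
    inner = middle_product(a, s, d + k, q)
    return middle_product(r, inner, d, q) == middle_product(poly_mul(r, a, q), s, d, q)

if __name__ == "__main__":
    rng = random.Random(2017)            # constructed toy parameters below
    n, d, k, q = 4, 3, 2, 97
    s = [rng.randrange(q) for _ in range(n + d + k - 1)]
    a, b, e = mp_lwe_sample(s[:n + d - 1], n, d, q, rng)
    print("a =", a, "b =", b)
    r = [rng.randrange(q) for _ in range(k + 1)]
    print("composition identity holds:", composition_holds(r, a, s, d, q))
```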


Keywords: \(\mathsf {LWE}\), \(\mathsf {PLWE}\), Public-key encryption



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  • Miruna Roşca (1, 2)
  • Amin Sakzad (3)
  • Damien Stehlé (1)
  • Ron Steinfeld (3)

  1. ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
  2. Bitdefender, Bucharest, Romania
  3. Faculty of Information Technology, Monash University, Melbourne, Australia
