EUROCRYPT 2018: Advances in Cryptology – EUROCRYPT 2018 pp 146-173

# On the Ring-LWE and Polynomial-LWE Problems

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)

## Abstract

The Ring Learning With Errors problem ($$\mathsf {RLWE}$$) comes in various forms. Vanilla $$\mathsf {RLWE}$$ is the decision dual-$$\mathsf {RLWE}$$ variant, consisting in distinguishing from uniform a distribution depending on a secret belonging to the dual $$\mathcal {O}_K^{\vee }$$ of the ring of integers $$\mathcal {O}_K$$ of a specified number field K. In primal-$$\mathsf {RLWE}$$, the secret instead belongs to $$\mathcal {O}_K$$. Both decision dual-$$\mathsf {RLWE}$$ and primal-$$\mathsf {RLWE}$$ enjoy search counterparts. Also widely used is (search/decision) Polynomial Learning With Errors ($$\mathsf {PLWE}$$), which is not defined using a ring of integers $$\mathcal {O}_K$$ of a number field K but a polynomial ring $$\mathbb {Z}[x]/f$$ for a monic irreducible $$f \in \mathbb {Z}[x]$$. We show that there exist reductions between all of these six problems that incur limited parameter losses. More precisely: we prove that the (decision/search) dual to primal reduction from Lyubashevsky et al. [EUROCRYPT 2010] and Peikert [SCN 2016] can be implemented with a small error rate growth for all rings (the resulting reduction is non-uniform polynomial time); we extend it to polynomial-time reductions between (decision/search) primal $$\mathsf {RLWE}$$ and $$\mathsf {PLWE}$$ that work for a family of polynomials f that is exponentially large as a function of $$\deg f$$ (the resulting reduction is also non-uniform polynomial time); and we exploit the recent technique from Peikert et al. [STOC 2017] to obtain a search to decision reduction for $$\mathsf {RLWE}$$ for arbitrary number fields. The reductions incur error rate increases that depend on intrinsic quantities related to K and f.

## Notes

### Acknowledgments

We thank Karim Belabas, Guillaume Hanrot, Alice Pellet-Mary, Bruno Salvy and Elias Tsigaridas for helpful discussions. This work has been supported in part by ERC Starting Grant ERC-2013-StG-335086-LATTAC, by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and by BPI-France in the context of the national project RISQ (P141580).

## References

Albrecht, M.R., Deo, A.: Large modulus ring-LWE $$\ge$$ module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017).
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX (2016)
3. [BBdV+17]
Bauch, J., Bernstein, D.J., de Valence, H., Lange, T., van Vredendaal, C.: Short generators without quantum computers: the case of multiquadratics. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 27–59. Springer, Cham (2017).
4. [BCLvV16]
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime (2016). http://eprint.iacr.org/2016/461
5. [BDK+18]
Bos, J.W., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: EuroS&P (2018)
6. [BLP+13]
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC (2013)
7. [CDPR16]
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016).
8. [CDW17]
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017).
9. [CGS14]
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop (2014). http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf
10. [CIV16a]
Castryck, W., Iliashenko, I., Vercauteren, F.: On the tightness of the error bound in Ring-LWE. LMS J. Comput. Math. 130–145 (2016)
11. [CIV16b]
Castryck, W., Iliashenko, I., Vercauteren, F.: Provably weak instances of ring-LWE revisited. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 147–167. Springer, Heidelberg (2016).
12. [CLS17]
Chen, H., Lauter, K., Stange, K.E.: Attacks on search RLWE. SIAM J. Appl. Algebra Geom. (SIAGA) 1, 665–682 (2017)
13. [CLS16]
Chen, H., Lauter, K., Stange, K.E.: Vulnerable Galois RLWE families and improved attacks. In: Proceedings of SAC. Springer (2016)
14. [Cona]
15. [Conb]
16. [Con95]
Conway, J.B.: Functions of One Complex Variable. Springer, New York (1995).
17. [DD12]
Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012).
18. [DLL+18]
Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: digital signatures from module lattices. In: TCHES (2018)
19. [EHL14]
Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: SAC (2014)
20. [ELOS15]
Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 63–92. Springer, Heidelberg (2015).
21. [GHPS12]
Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Ring switching in BGV-style homomorphic encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 19–37. Springer, Heidelberg (2012).
22. [GPV08]
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
23. [HHPW10]
Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 349–390. Springer, Heidelberg (2010).
24. [LPR10]
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. JACM 60(6), 43 (2013)
25. [LPR13]
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013).
26. [LS15]
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
27. [Lyu16]
Lyubashevsky, V.: Digital signatures based on the hardness of ideal lattice problems in all rings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 196–214. Springer, Heidelberg (2016).
28. [MR04]
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. In: Proceedings of FOCS, pp. 371–381. IEEE (2004)
29. [Pei16]
Peikert, C.: How (not) to instantiate ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016).
30. [PR06]
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006).
31. [PR07]
Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: STOC (2007)
32. [PRS17]
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: STOC (2017)
33. [Reg05]
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
Roşca, M., Sakzad, A., Stehlé, D., Steinfeld, R.: Middle-product learning with errors. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 283–297. Springer, Cham (2017).
35. [SE94]
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
36. [SS11]
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011).
37. [SS13]
Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure standard worst-case problems over ideal lattices (2013). http://perso.ens-lyon.fr/damien.stehle/NTRU.html
38. [SSTX09]
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009).
39. [Ste17]
Stevenhagen, P.: Lecture notes on number rings (2017). http://websites.math.leidenuniv.nl/algebra/ant.pdf

© International Association for Cryptologic Research 2018

## Authors and Affiliations

• Miruna Rosca (1, 2)
• Damien Stehlé (1)
• Alexandre Wallet (1)

1. ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
2. Bitdefender, Bucharest, Romania