Ring-LWE in Polynomial Rings

  • Léo Ducas
  • Alain Durmus
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7293)


The Ring-LWE problem, introduced by Lyubashevsky, Peikert, and Regev (Eurocrypt 2010), has been steadily finding many uses in numerous cryptographic applications. Still, the Ring-LWE problem defined in [LPR10] involves the fractional ideal R  ∨ , the dual of the ring R, which is the source of many theoretical and implementation technicalities. Until now, getting rid of R  ∨ , required some relatively complex transformation that substantially increase the magnitude of the error polynomial and the practical complexity to sample it. It is only for rings R = ℤ[X]/(X n  + 1) where n a power of 2, that this transformation is simple and benign.

In this work we show that by applying a different, and much simpler transformation, one can transfer the results from [LPR10] into an “easy-to-use” Ring-LWE setting (i.e. without the dual ring R  ∨ ), with only a very slight increase in the magnitude of the noise coefficients. Additionally, we show that creating the correct noise distribution can also be simplified by generating a Gaussian distribution over a particular extension ring of R, and then performing a reduction modulo f(X). In essence, our results show that one does not need to resort to using any algebraic structure that is more complicated than polynomial rings in order to fully utilize the hardness of the Ring-LWE problem as a building block for cryptographic applications.


Encryption Scheme Polynomial Ring Power Basis Homomorphic Encryption Fractional Ideal 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. [ACPS09]
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  2. [AG11]
    Arora, S., Ge, R.: New Algorithms for Learning in Presence of Errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. [BGV11]
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping, Cryptology ePrint Archive, Report 2011/277 (2011); To appear at ITCS 2012Google Scholar
  4. [BPR11]
    Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom Functions and Lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012); Cryptology ePrint Archive, Report 2011/401 (2011)CrossRefGoogle Scholar
  5. [BV11a]
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: FOCS (2011)Google Scholar
  6. [BV11b]
    Brakerski, Z., Vaikuntanathan, V.: Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011)Google Scholar
  7. [Con09]
    Conrad, K.: The different ideal (2009),
  8. [DPSZ11]
    Damgard, I., Pastro, V., Smart, N.P., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. Cryptology ePrint Archive, Report 2011/535 (2011)Google Scholar
  9. [Gen10]
    Gentry, C.: Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010)Google Scholar
  10. [GHS11]
    Gentry, C., Halevi, S., Smart, N.P.: Fully Homomorphic Encryption with Polylog Overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012); Cryptology ePrint Archive, Report 2011/566 (2011)CrossRefGoogle Scholar
  11. [LATV11]
    Lopez-Alt, A., Tromer, E., Vaikuntanathan, V.: Cloud-assisted multiparty computation from fully homomorphic encryption. Cryptology ePrint Archive, Report 2011/663 (2011)Google Scholar
  12. [LL96]
    Lam, T.Y., Leung, K.H.: On the cyclotomic polynomial φ pq (x). The American Mathematical Monthly 103(7), 562–564 (1996)MathSciNetzbMATHCrossRefGoogle Scholar
  13. [LM06]
    Lyubashevsky, V., Micciancio, D.: Generalized Compact Knapsacks Are Collision Resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006, Part II. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. [LPR10]
    Lyubashevsky, V., Peikert, C., Regev, O.: On Ideal Lattices and Learning with Errors over Rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. [Lyu11]
    Lyubashevsky, V.: Lattice Signatures without Trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012); Cryptology ePrint Archive, Report 2011/537 (2011)CrossRefGoogle Scholar
  16. [MP11]
    Micciancio, D., Peikert, C.: Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012); Cryptology ePrint Archive, Report 2011/501 (2011)CrossRefGoogle Scholar
  17. [SS11]
    Stehlé, D., Steinfeld, R.: Making NTRU as Secure as Worst-Case Problems Over Ideal Lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. [Ste05]
    Stein, W.: Introduction to algebraic number theory (2005),
  19. [Was97]
    Washington, L.C.: Introduction to cyclotomic fields. Graduate Texts in Mathematics, vol. 83. Springer, New York (1997)zbMATHCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Léo Ducas
    • 1
  • Alain Durmus
    • 1
  1. 1.Dépt. InformatiqueENSParisFrance

Personalised recommendations