Provably Weak Instances of Ring-LWE Revisited

  • Wouter CastryckEmail author
  • Ilia Iliashenko
  • Frederik Vercauteren
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9665)


In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10 % to 80 %. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100 %. Moreover our attack works for every modulus \(q'\) instead of the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error paremeters makes the largest errors wrap around, thereby turning the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.



This work was supported by the European Commission through the ICT programme under contract H2020-ICT-2014-1 644209 HEAT and contract H2020-ICT-2014-1 645622 PQCRYPTO. We would like to thank Ron Steinfeld and the anonymous referees for their valuable comments.


  1. 1.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  2. 2.
    Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory, London (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 575–584. ACM (2013)Google Scholar
  4. 4.
    Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  5. 5.
    Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 183–194. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  6. 6.
    Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO, Part I. LNCS, vol. 9215, pp. 63–92. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  7. 7.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  8. 8.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  10. 10.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Symposium on Theory of Computing, STOC 2009, pp. 333–342. ACM (2009)Google Scholar
  12. 12.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Symposium on Theory of Computing, pp. 84–93. ACM (2005)Google Scholar
  13. 13.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34 (2009)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Wouter Castryck
    • 1
    • 2
    Email author
  • Ilia Iliashenko
    • 1
  • Frederik Vercauteren
    • 1
  1. 1.KU Leuven ESAT/COSIC and iMindsLeuven-HeverleeBelgium
  2. 2.Vakgroep WiskundeUniversiteit GentGhentBelgium

Personalised recommendations