Provably Weak Instances of Ring-LWE Revisited
In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve non-dual decision RLWE given 20 samples, with a success rate ranging from 10 % to 80 %. In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100 %. Moreover our attack works for every modulus \(q'\) instead of the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra suffices to recover the secret. But enlarging the error paremeters makes the largest errors wrap around, thereby turning the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev.
This work was supported by the European Commission through the ICT programme under contract H2020-ICT-2014-1 644209 HEAT and contract H2020-ICT-2014-1 645622 PQCRYPTO. We would like to thank Ron Steinfeld and the anonymous referees for their valuable comments.
- 3.Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Symposium on Theory of Computing Conference, STOC 2013, pp. 575–584. ACM (2013)Google Scholar
- 11.Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: Symposium on Theory of Computing, STOC 2009, pp. 333–342. ACM (2009)Google Scholar
- 12.Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Symposium on Theory of Computing, pp. 84–93. ACM (2005)Google Scholar