Algebraically Structured LWE, Revisited

Part of the Lecture Notes in Computer Science book series (LNCS, volume 11891)

Abstract

In recent years, there has been a proliferation of algebraically structured Learning With Errors (LWE) variants, including Ring-LWE, Module-LWE, Polynomial-LWE, Order-LWE, and Middle-Product LWE, and a web of reductions to support their hardness, both among these problems themselves and from related worst-case problems on structured lattices. However, these reductions are often difficult to interpret and use, due to the complexity of their parameters and analysis, and most especially their (frequently large) blowup and distortion of the error distributions.

In this paper we unify and simplify this line of work. First, we give a general framework that encompasses all proposed LWE variants (over commutative base rings), and in particular unifies all prior “algebraic” LWE variants defined over number fields. We then use this framework to give much simpler, more general, and tighter reductions from Ring-LWE to other algebraic LWE variants, including Module-LWE, Order-LWE, and Middle-Product LWE. In particular, all of our reductions have easy-to-analyze and frequently small error expansion; in some cases they even leave the error unchanged. A main message of our work is that it is straightforward to use the hardness of the original Ring-LWE problem as a foundation for the hardness of all other algebraic LWE problems defined over number fields, via simple and rather tight reductions.

This material is based upon work supported by the National Science Foundation under Award CNS-1606362. The views expressed are those of the authors and do not necessarily reflect the official policy or position of the National Science Foundation.


Notes

  1.

    We caution that \({\mathcal {O}}^\mathcal {L}\) is not “monotonic” in \(\mathcal {L}\) under set inclusion, i.e., \(\mathcal {L}' \subseteq \mathcal {L}\) does not imply any inclusion relationship between \({\mathcal {O}}^{\mathcal {L}'}\) and \({\mathcal {O}}^{\mathcal {L}}\), in either direction. In particular, \(\mathcal {L}\) and \(c\mathcal {L}\) have the same coefficient ring for any integer \(c > 1\), but there can exist \(\mathcal {L}'\) with \(c\mathcal {L}\subsetneq \mathcal {L}' \subsetneq \mathcal {L}\) that has a different coefficient ring.

  2.

    For example, consider the ring of integers \({\mathcal {O}}_K\) where \(K = \mathbb {Q}(\alpha )\) for \(\alpha ^3-\alpha ^2-2\alpha -8=0\). In a classical result, Dedekind showed that this order is non-monogenic, but it has \(\vec {p} = (t, tx, tx^{2})\) as a basis, where \(x=(\alpha ^{2}-\alpha -2)/4\) and \(t=1-2x\). We caution that \(x \not \in {\mathcal {O}}_{K}\), so this is actually not a tweaked power basis according to our definition, but it still suffices for a special case of our reduction that does not extend \(\vec {p}\) by more powers of x.

  3.

    Note that the covariance of \(D_{\sqrt{\varSigma }}\) is actually \(\varSigma /(2\pi )\), due to the normalization factor in the definition of \(\rho _{\sqrt{\varSigma }}\).

  4.

    Recall that a matrix H is Hankel if each entry \(H_{jk}\) is determined by \(j+k\) (equivalently, it is an “upside down” Toeplitz matrix). So, an \(n \times d\) Hankel matrix is defined by an \((n+d-1)\)-dimensional vector whose ith entry defines the entries \(H_{jk}\) for \(i=j+k\).

  5.

    This can also be seen by using one of the characterizations of algebraic integers, that x is an algebraic integer if and only if \(x\mathcal {L}\subseteq \mathcal {L}\) for some nonzero finitely generated \(\mathbb {Z}\)-module \(\mathcal {L}\subseteq \mathbb {C}\).

Author information

Corresponding author

Correspondence to Chris Peikert.

Copyright information

© 2019 International Association for Cryptologic Research

Cite this paper

Peikert, C., Pepin, Z. (2019). Algebraically Structured LWE, Revisited. In: Hofheinz, D., Rosen, A. (eds) Theory of Cryptography. TCC 2019. Lecture Notes in Computer Science, vol 11891. Springer, Cham. https://doi.org/10.1007/978-3-030-36030-6_1

  • DOI: https://doi.org/10.1007/978-3-030-36030-6_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-36029-0

  • Online ISBN: 978-3-030-36030-6

  • eBook Packages: Computer Science, Computer Science (R0)