How (Not) to Instantiate Ring-LWE

  • Chris PeikertEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9841)


The learning with errors over rings (Ring-LWE) problem—or more accurately, family of problems—has emerged as a promising foundation for cryptography due to its practical efficiency, conjectured quantum resistance, and provable worst-case hardness: breaking certain instantiations of Ring-LWE is at least as hard as quantumly approximating the Shortest Vector Problem on any ideal lattice in the ring.

Despite this hardness guarantee, several recent works have shown that certain instantiations of Ring-LWE can be broken by relatively simple attacks. While the affected instantiations are not supported by worst-case hardness theorems (and were not ever proposed for cryptographic purposes), this state of affairs raises natural questions about what other instantiations might be vulnerable, and in particular whether certain classes of rings are inherently unsafe for Ring-LWE.

This work comprehensively reviews the known attacks on Ring-LWE and vulnerable instantiations. We give a new, unified exposition which reveals an elementary geometric reason why the attacks work, and provide rigorous analysis to explain certain phenomena that were previously only exhibited by experiments. In all cases, the insecurity of an instantiation is due to the fact that the error distribution is insufficiently “well spread” relative to the ring. In particular, the insecure instantiations use the so-called non-dual form of Ring-LWE, together with spherical error distributions that are much narrower and of a very different shape than the ones supported by hardness proofs.

On the positive side, we show that any Ring-LWE instantiation which satisfies (or only almost satisfies) the hypotheses of the “worst-case hardness of search” theorem is provably immune to broad generalizations of the above-described attacks: the running time divided by advantage is at least exponential in the degree of the ring. This holds for the ring of integers in any number field, so the rings themselves are not the source of insecurity in the vulnerable instantiations. Moreover, the hypotheses of the worst-case hardness theorem are nearly minimal ones which provide these immunity guarantees.


Error Distribution Number Field Full Version Ideal Lattice Gaussian Error 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



I thank Léo Ducas, Kristin Lauter, Vadim Lyubashevsky, Oded Regev, and Katherine Stange for many valuable discussions and comments on topics related to this work. I also thank the anonymous reviewers for helpful comments, and especially for pointing out a misinterpretation of the parameters in [14, Sect. 9].


  1. 1.
    Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time using discrete Gaussian sampling. In: STOC, pp. 733–742 (2015)Google Scholar
  2. 2.
    Ajtai, M., Kumar, R., Sivakumar, D.: A sieve algorithm for the shortest lattice vector problem. In: STOC, pp. 601–610 (2001)Google Scholar
  3. 3.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX Security Symposium (2016, to appear)Google Scholar
  4. 4.
    Alperin-Sheriff, J., Peikert, C.: Practical bootstrapping in quasilinear time. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 1–20. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. 6.
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE Symposium on Security and Privacy, pp. 553–570 (2015)Google Scholar
  8. 8.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC, pp. 575–584 (2013)Google Scholar
  9. 9.
    Castryck, W., Iliashenko, I., Vercauteren, F.: Provably weak instances of Ring-LWE revisited. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 147–167. Springer, Heidelberg (2016). doi: 10.1007/978-3-662-49890-3_6 CrossRefGoogle Scholar
  10. 10.
    Chen, H., Lauter, K., Stange, K.E.: Attacks on search RLWE. Cryptology ePrint Archive, Report 2015/971 (2015).
  11. 11.
    Chen, H., Lauter, K., Stange, K.E.: Vulnerable galois RLWE families and improved attacks. Cryptology ePrint Archive, Report 2016/193 (2016).
  12. 12.
    Crockett, E., Peikert, C.: \(\Lambda \circ \lambda \): a functional library for lattice cryptography. Cryptology ePrint Archive, Report 2015/1134 (2015).
  13. 13.
    Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 183–194. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  14. 14.
    Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of Ring-LWE. In: Gennaro, R., Robshaw, M. (eds.) Advances in Cryptology – CRYPTO 2015. LNCS, vol. 9215, pp. 63–92. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  15. 15.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  16. 16.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013). Preliminary version in Eurocrypt 2010MathSciNetCrossRefzbMATHGoogle Scholar
  17. 17.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for Ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  18. 18.
    Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. 19.
    Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004MathSciNetCrossRefzbMATHGoogle Scholar
  21. 21.
    Micciancio, D., Regev, O.: Lattice-based cryptography. Post Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. In: STOC, pp. 351–358 (2010)Google Scholar
  23. 23.
    Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: STOC, pp. 333–342 (2009)Google Scholar
  24. 24.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Heidelberg (2014)Google Scholar
  25. 25.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC 2005MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.University of MichiganAnn ArborUSA

Personalised recommendations