Advertisement

Provably Weak Instances of Ring-LWE

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9215)

Abstract

The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been proposed as hard problems to form the basis for cryptosystems, and various security reductions to hard lattice problems have been presented. So far these problems have been stated for general (number) rings but have only been closely examined for cyclotomic number rings. In this paper, we state and examine the Ring-LWE problem for general number rings and demonstrate provably weak instances of the Decision Ring-LWE problem. We construct an explicit family of number fields for which we have an efficient attack. We demonstrate the attack in both theory and practice, providing code and running times for the attack. The attack runs in time linear in q, where q is the modulus.

Our attack is based on the attack on Poly-LWE which was presented in [EHL]. We extend the EHL-attack to apply to a larger class of number fields, and show how it applies to attack Ring-LWE for a heuristically large class of fields. Certain Ring-LWE instances can be transformed into Poly-LWE instances without distorting the error too much, and thus provide the first weak instances of the Ring-LWE problem. We also provide additional examples of fields which are vulnerable to our attacks on Poly-LWE, including power-of-2 cyclotomic fields, presented using the minimal polynomial of \(\zeta _{2^n} \pm 1\).

Keywords

Weak Instance Number Field Cyclotomic Field Cryptographic Size Spectral Norm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Lattice-based cryptography has become a very hot research topic recently with the emergence of new applications to homomorphic encryption. The hardness of the Ring-LWE problem was related to various well-known hard lattice problems [R, MR09, MR04, LPR, BL+], and the hardness of the Poly-LWE problem was reduced to Ring-LWE in [LPR, DD]. The hardness of the Poly-LWE problem is used as the basis of security for numerous cryptosystems, including [BV, BGV, GHS]. The hardness of Ring-LWE was also shown [SS] to form a basis for the proof of security of a variant of NTRU [HPS, IEEE].

In [EHL], the first weaknesses in the Poly-LWE problem were discovered for classes of number fields satisfying certain properties. In addition, a list of properties of number fields were identified which are sufficient to guarantee a reduction between the Ring-LWE and the Poly-LWE problems, and a search-to-decision reduction for Ring-LWE. Unfortunately, in [EHL], no number fields were found which satisfied both the conditions for the attack and for the reductions. Thus [EHL] produced only examples of number fields which were weak instances for Poly-LWE.

The contributions of this paper at a high level are as follows: In Sect. 3 we strengthen and extend the attacks presented in [EHL] in several significant ways. In Sect. 4, most importantly, we show how the attacks can be applied also to the Ring-LWE problem. In Sect. 5, we construct an explicit family of number fields for which we have an efficient attack on the Decision Ring-LWE Problem. This represents the first successful attacks on the Decision Ring-LWE problem for number fields with special properties. For Galois number fields, we also know that an attack on the decision problem gives an attack on the search version of Ring-LWE [EHL]. In addition, in Sect. 9, we present the first successful implementation of the EHL attack at cryptographic sizes and attack both Ring-LWE and Poly-LWE instances. For example for \(n=1024\) and \(q=2^{31}-1\), the attack runs in about 13 hours. Code for the attack is given in Appendix A. In Sect. 6 we give a more general construction of number fields such that heuristically a large percentage of them will be vulnerable to the attacks on Ring-LWE.

In more detail, we consider rings of integers in number fields \(K=\mathbb {Q}[x]/(f(x))\) of degree n, modulo a large prime number q, and we give attacks on Poly-LWE which work when f(x) has a root of small order modulo q. The possibility of such an attack was mentioned in [EHL] but not explored further. In Sects. 3.1 and 3.2, we give two algorithms for this attack, and in Sects. 7 and 7.3 we give many examples of number fields and moduli, some of cryptographic size, which are vulnerable to this attack. The most significant consequence of the attack is the construction of the number fields which are weak for the Ring-LWE problem (Sect. 6).

To understand the vulnerability of Ring-LWE to these attacks, we state and examine the Ring-LWE problem for general number rings and demonstrate provably weak instances of Ring-LWE. We demonstrate the attack in both theory and practice for an explicit family of number fields, providing code and running times for the attack. The attack runs in time linear in q, where q is the modulus. The essential point is that Ring-LWE instances can be mapped into Poly-LWE instances, and if the map does not distort the error too much, then the instances may be vulnerable to attacks on Poly-LWE. The distortion is governed by the spectral norm of the map, and we compute the spectral norm for the explicit family we construct in Sect. 5 and analyze when the attack will succeed. For the provably weak family which we construct, the feasibility of the attack depends on the ratio of \(\sqrt{q}/n\). We prove that the attack succeeds when \(\sqrt{q}/n\) is above a certain bound, but in practice we find that we can attack instances where the ratio is almost 100 times smaller than that bound. Even for Ring-LWE examples which are not taken from the provably weak family, we were able to attack in practice relatively generic instances of number fields where the spectral norm was small enough (see Sect. 9).

We investigate cyclotomic fields (even 2-power cyclotomic fields) given by an alternate minimal polynomial, which are weak instances of Poly-LWE for that choice of polynomial basis. Section 7.3 contains numerous examples of 2-power cyclotomic fields which are vulnerable to attack when instantiated using an alternative polynomial basis, thus showing the heavy dependence in the hardness of these lattice-based problems on the choice of polynomial basis. In addition, we analyze the case of cyclotomic fields to understand their potential vulnerability to these lines of attack and we explain why cyclotomic fields are immune to attacks based on roots of small order (Sect. 8). Finally, we provide code in the form of simple routines in SAGE to implement the attacks and algorithms given in this paper and demonstrate successful attacks with running times (Sect. 9).

As a consequence of our results, one can conclude that the hardness of Ring-LWE is both dependent on special properties of the number field and sensitive to the particular choice of q, and some choices may be significantly weaker than others. In addition, for applications to cryptography, since our attacks on Poly-LWE run in time roughly O(q) and may be applicable to a wide range of fields, including even 2-power cyclotomic fields with a bad choice of polynomial basis, these attacks should be taken into consideration when selecting parameters for Poly-LWE-based systems such as [BV, BGV] and other variants. For many important applications to homomorphic encryption (see for example [GLN, BLN]), these attacks will not be relevant, since the modulus q is chosen large enough to allow for significant error growth in computation, and would typically be of size 128 bits up to 512 bits. For that range, the attacks presented in this paper would not run. However, in other applications of Ring-LWE to key exchange for the TLS protocol [BCNS], parameters for achieving 128-bit security are suggested where \(n=2^{10}\) and \(q=2^{32}-1\), with \(\sigma \approx 3\), and these parameters would certainly be vulnerable to our attacks for weak choices of fields and q.

2 Background on Poly-LWE

Let f(x) be a monic irreducible polynomial in \(\mathbb {Z}[x]\) of degree n, and let q be a prime such that f(x) factors completely modulo q. Let \(P = \mathbb {Z}[x]/f(x)\) and let \(P_q = P/qP = \mathbb {F}_q[x]/f(x)\). Let \(\sigma \in \mathbb {R}^{>0}\). The uniform distribution on \(P \simeq \mathbb {Z}^n\) will be denoted \(\mathcal {U}\). By Gaussian distribution of parameter \(\sigma \) we refer to a discrete Gaussian distribution of mean 0 and variance \(\sigma ^2\) on P, spherical with respect to the power basis. This will be denoted \(\mathcal {G}_\sigma \). It is important to our analysis that we assume that in practice, elements are sampled from Gaussians of parameter \(\sigma \) truncated at width \(2 \sigma \).

There are two standard Poly-LWE problems. Our attack solves the decision variant, but it also provides information about the secret.

Problem 1

(Decision Poly-LWE Problem). Let \(s(x) \in P\) be a secret. The decision Poly-LWE problem is to distinguish, with non-negligible advantage, between the same number of independent samples in two distributions on \(P\times P\). The first consists of samples of the form \((a(x), b(x) := a(x) s(x) + e(x) )\) where e(x) is drawn from a discrete Gaussian distribution of parameter \(\sigma \), and a(x) is uniformly random. The second consists of uniformly random and independent samples from \(P \times P\).

Problem 2

(Search Poly-LWE Problem). Let \(s(x) \in P\) be a secret. The search Poly-LWE problem, is to discover s given access to arbitrarily many independent samples of the form \((a(x), b(x) := a(x)s(x) + e(x))\) where e(x) is drawn from a Discrete Gaussian of parameter \(\sigma \), and a(x) is uniformly random.

The polynomial s(x) is called the secret and the polynomials \(e_i(x)\) are called the errors.

2.1 Parameter Selection

The selection of parameters for security is not yet a well-explored topic. Generally parameter recommendations for Poly-LWE and Ring-LWE are just based on the recommendations for general LWE, ignoring the extra ring structure e.g. [PG, RV+, BCNS]. Sample concrete parameter choices have been suggested, where w is the width of the Gaussian error distribution (precisely, \(w = \sqrt{2\pi } \sigma \)):
  1. 1.

    \(P_{LP1} = (n,q,w) = (192, 4093, 8.87)\), \(P_{LP2} = (256, 4093, 8.35)\), \(P_{LP3} = (320, 4093, 8.00)\) for low, medium and high security, recommended by Lindner and Peikert in [LP];

     
  2. 2.

    \(P_{GF} = (n,q,w) = (512, 12289,12.18)\) for high security used in [GF+];

     
  3. 3.

    \(P_{BCNS} = (n,q,w) = (1024, 2^{31}-1, 3.192)\) suggested in [BCNS] for the TLS protocol. Here, \(q = 2^{32}-1\) was actually suggested but it is not prime. Here, the authors remark that q is taken to be large for correctness but could potentially be decreased.

     

3 Attacks on Poly-LWE

The attack we are concerned with is quite simple. It proceeds in four stages:
  1. 1.

    Transfer the problem to \(\mathbb {F}_q\) via a ring homomorphism \(\phi : P_q \rightarrow \mathbb {F}_q\).

     
  2. 2.

    Loop through guesses for the possible images \(\phi (s(x))\) of the secret.

     
  3. 3.

    Obtain the values \(\phi (e_i(x))\) under the assumption that the guess at hand is correct.

     
  4. 4.

    Examine the distribution of the \(\phi (e_i(x))\) to determine if it is Gaussian or uniform.

     

If f is assumed to have a root \(\alpha \equiv 1 \mod q\) or \(\alpha \) of small order modulo q, then this attack is due to Eisentraeger-Hallgren-Lauter [EHL].

The first part is to transfer the problem to \(\mathbb {F}_q\). Write \(f(x) = \prod _{i=1}^n (x-\alpha _i)\) for the factorization of f(x) over \(\mathbb {F}_q\) which is possible by assumption. By the Chinese remainder theorem, if f has no double roots, then
$$ P_q \simeq \prod _{i=1}^n \mathbb {F}_q[x]/(x-\alpha _i) \simeq \mathbb {F}_q^n $$
There are n ring homomorphisms
$$ \phi : P_q \rightarrow \mathbb {F}_q[x]/(x-\alpha _i) \simeq \mathbb {F}_q, \quad g(x) \mapsto g(\alpha _i). $$
Fix one of these, by specifying a root \(\alpha = \alpha _i\) of f(x) in \(\mathbb {F}_q\). Apply the homomorphism to the coordinates of the \(\ell \) samples \((a_i(x), b_i(x))\), obtaining \((a_i(\alpha ), b_i(\alpha ))_{i=1,\ldots , \ell }\).
Next, loop through all \(g \in \mathbb {F}_q\). Each value g is to be considered a guess for the value of \(s(\alpha )\). For each guess g, assuming that it is a correct guess and \(g=s(\alpha )\), then
$$ e_i(\alpha ) = b_i(\alpha ) - a_i(\alpha )g = b_i(\alpha ) - a_i(\alpha )s(\alpha ). $$
In the case that the samples were LWE samples and the guess was correct, then this produces a collection \((e_i(\alpha ))\) of images of errors chosen according to some distribution. If the distributions \(\phi (\mathcal {U})\) and \(\phi (\mathcal {G}_{\sigma })\) are distinguishable, then we can determine whether the distribution was uniform or Gaussian. Note that \(\phi (\mathcal {U})\) will of course be uniform on \(\mathbb {F}_q\). If our guess is incorrect, or if the samples are not LWE samples, then the distribution will appear uniform.

Therefore, after looping through all guesses, if all the distributions appeared uniform, then conclude that the samples were not LWE samples; whereas if one of the guesses worked for all samples and always yielded an error distribution which appeared Gaussian, assume that particular g was a correct guess. In the latter case this also yields one piece of information about the secret: \(g=s(\alpha ) \mod q\).

The attack will succeed whenever
  1. 1.

    q is small enough to allow looping through \(\mathbb {F}_q\),

     
  2. 2.

    \(\phi (\mathcal {U})\) and \(\phi (\mathcal {G}_{\sigma })\) are distinguishable.

     

Our analysis hinges on the difficulty of distinguishing \(\phi (\mathcal {U})\) from \(\phi (\mathcal {G}_{\sigma })\), as a function of the parameters \(\sigma \), n, \(\ell \), q, and f. Distinguishability becomes easier when \(\sigma \) is smaller (so \(\mathcal {U}\) and \(\mathcal {G}_{\sigma }\) are farther apart to begin with), n is smaller and q is larger (since then less information is lost in the map \(\phi \)), and \(\ell \) is larger (since there are more samples to test the distributions). The dependence on f comes primarily as a function of its roots \(\alpha _i\) modulo q, which may have properties that make distinguishing easier.

Ideally, for higher security, one will choose parameters that make distinguishing nearly impossible, i.e. such that \(\phi (\mathcal {G}_{\sigma })\) appears very close to uniform modulo q.

Example

([EHL]). We illustrate the attack in the simplest case \(\alpha =1\). Assume \(f(1) \equiv 0 \hbox { mod } q\), and consider the distinguishability of the two distributions \(\phi ({\mathcal U})\) and \(\phi ({\mathcal G}_\sigma )\). Given \((a_i(x), b_i(x))\), make a guess \(g\in \mathbb {F}_q\) for the value of s(1) and compute \(b_i(1)-g\cdot a_i(1)\). If \(b_i \) is uniform, then \(b_i(1)-g \cdot a_i(1)\) is uniform for all g. If \(b_i=a_i s +e_i\), then there is a guess g for which \(b_i(1)-ga_i(1)=e_i(1)\) where \(e_i(x)=\sum _{j=1}^n e_{ij}x^j\) and \(g=s(1)\). Since \(e_i(1) = \sum _{j=1}^n e_{ij}\), where \(e_{ij}\) are chosen from \(\mathcal {G}_{\sigma }\), it follows that \(e_i(1)\) are sampled from \({\mathcal G}_{\sqrt{n}\sigma }\) where \(n\sigma ^2<< q\). The attack can be described loosely as follows: for each sample, test each guess g in \(\mathbb {F}_q\) to see if \(b_i(1)-g \cdot a_i(1)\) is small modulo q, and only keep those guesses which pass the test. Repeat with the next sample and continue to keep only the guesses which pass.

3.1 Attack Based on a Small Set of Error Values Modulo q

In this section, we assume that there exists a root \(\alpha \) of f such that \(\alpha \) has small order r modulo q, that is \(\alpha ^r \equiv 1 \mod q\). Then
$$\begin{aligned} e(\alpha )= \sum _{i=0}^{n-1} e_i \alpha ^i = (e_0 + e_r+e_{2r}+ \cdots ) + \alpha (e_1+e_{r+1}+\cdots ) + \cdots + \alpha ^{r-1}(e_{r-1}+e_{2r-1}+\cdots ). \end{aligned}$$
(1)
If r is small enough, then \(e(\alpha )\) takes on only a small number of values modulo q. If so, then we can efficiently distinguish whether a value modulo q belongs to that subset.

Let S be the set of possible values of \(e(\alpha )\) modulo q. We assume for simplicity that n is divisible by r. Then the coefficients \(e_j+e_{j+r}+\cdots + e_{n-r+j}\) of (1) fall into a subset of \(\mathbb {Z}/q\mathbb {Z}\) of size at most \(4\sigma n/r\). We sum over r terms, hence, \(|S| = (4\sigma n/r )^r\) residues modulo q. For \(r=2\), this becomes \((2n\sigma )^2\).

The attack described below succeeds with high probability if \(|S| << q\), that is
$$\begin{aligned} (4\sigma n /r)^r << q. \end{aligned}$$

Proposition 1

Assume that
$$\begin{aligned} (4\sigma n /r)^r < q. \end{aligned}$$
(2)
Algorithm 1 terminates in time at most \(\widetilde{O}(\ell q + n q)\), where the \(\widetilde{O}\) notation hides the log(q) factors and the implied constant depends upon r. Furthermore, if the algorithm returns NOT PLWE, then the samples were not valid Poly-LWE samples. If it outputs anything other than NOT PLWE, then the samples are valid Poly-LWE samples with probability \(1-(\frac{\#S}{q})^\ell \). In particular, this probability tends to 1 as \(\ell \) grows.

Proof

As discussed above, there are at most q possible values for the elements of S under the assumption (2). To compute each one takes n additions per coefficient (of which there are r), combined with an additional r multiplications and r additions. (Here we have assumed the \(\alpha ^i\) have been computed; this takes r multiplications.) Each addition or multiplication takes time at most \(\log q\). Therefore, computing S takes time at most \(\widetilde{O}(qnr)\). For sorting, it is best to sort as S is computed; placing each element correctly takes \(\log q\) time.

The principal double loop takes time at most \(\widetilde{O}(\ell q)\). If \(b(\alpha )\) and \(a(\alpha )\) are precomputed, then for each guess g, the computation of \(b(\alpha )- g a(\alpha )\) only costs one multiplication and one subtraction modulo q (i.e. \(2\log q\)) while it requires only \(\log q\) bit comparisons to decide whether this is in the set S.

In Step 4, for later samples, only guesses which were successful in the previous samples (i.e. gave a value which was in the set S) are considered. For a sample chosen uniformly at random, one expects the number of successful guesses to be roughly \(\frac{\#S}{q}\). Thus for the second sample, we repeat the above test for only \((\#S)\) guesses. At the \(\ell ^{th}\) sample, retaining only guesses which were successful for all previous samples, we expect to test only \((\frac{\#S}{q})^\ell q\) guesses, which very quickly goes to zero. Hence, if we examine \(\ell \) samples, our tolerance for false positives is proportional to \((\frac{\#S}{q})^\ell \).

3.2 Attack Based on the Size of the Error Values

In this section, we describe the most general \(\phi : P_q \rightarrow \mathbb {F}_q\) attack on the Poly-LWE problem, one which can be carried out in any situation. The rub is that the probability of success will be vanishingly small unless we are in a very special situation. Therefore our analysis actually bolsters the security of Poly-LWE.

Suppose that \(f(\alpha ) \equiv 0 \mod q\). Let \(E_i\) be the event that \(b_i(\alpha )-ga_i(\alpha ) \mod q\) is in the interval \([-q/4, q/4)\) for some sample i and guess g for \(s(\alpha ) \mod q\). The main idea is to compare \(P(E_i\mid \mathcal {D}=\mathcal {U})\) and \(P(E_i\ | \ \mathcal {D} = \mathcal {G}_{\sigma }).\) If \(\mathcal {D} = \mathcal {U}\), then \(b_i(\alpha )-ga_i(\alpha )\) is random modulo q for all guesses g, that is, \(P(E_i \ | \ \mathcal {D} = \mathcal {U}) =\frac{1}{2}.\) If \(\mathcal {D} = \mathcal {G}_{\sigma }\), then \(b_i(\alpha )-s(\alpha )a_i(\alpha )=e_i(\alpha ) \mod q\). We consider
$$e_i(\alpha )=\sum _{j=0}^{n-1} e_{ij} \alpha ^j,$$
where \(e_{ij}\) is chosen according to the distribution \(\mathcal {G}_{\sigma }\) (truncated at \(2\sigma \)) and distinguish two cases:
  1. 1.

    \(\alpha = \pm 1\)

     
  2. 2.

    \(\alpha \ne \pm 1\) and \(\alpha \) has small order \(r\ge 3\) modulo q

     
Case 1 (\(\alpha = \pm 1\)).
The error \(e_i( \alpha )\) is chosen according to the distribution \(\mathcal {G}_{ \sigma \sqrt{n} }\) truncated at \(2 \sigma \sqrt{n}\). Hence
$$ -2 \sigma \sqrt{n}\le e_i( \alpha ) \le 2 \sigma \sqrt{n}.$$
Therefore, assuming that
$$2 \sigma \sqrt{n} < \dfrac{q}{4},$$
we obtain \(P(E_i \ | \ \mathcal {D} = \mathcal {G}_{\sigma })=1\) for \(g=s(\alpha )\). Hence \(\mathcal {U}\) and \(\mathcal {G}_\sigma \) are distinguishable.

Case 2 (\(\alpha \ne \pm 1\) and \(\alpha \) has small order \(r\ge 3\) modulo q).

The error can be written as
$$e(\alpha )= \sum _{i=0}^{r-1} e_i \alpha ^i = (e_{0}+e_{r}+ \cdots ) + \alpha (e_1+e_{r+1}+\cdots ) + \cdots + \alpha ^{r-1}(e_{r-1}+e_{2r-1}+\cdots )$$
where we assume that n is divisible by r for simplicity. For \(j=0, \cdots ,r -1,\) we have that \( e_j + e_{ j+r } + \cdots + e_{ j+ n-r } \) is chosen according to the distribution \( \mathcal {G}_{\sqrt{\frac{n}{r}} \sigma }\). As a consequence \(e(\alpha )\) is sampled from \(\mathcal {G}_{ \bar{\sigma } }\) where
$$\bar{\sigma }^2 = \sum _{i=0}^{r-1} \dfrac{n}{r} \sigma ^2 \alpha ^{2i} = \dfrac{n}{r} \sigma ^2 \dfrac{\alpha ^{2r}-1}{\alpha ^2-1}.$$
Hence
$$ -2 \dfrac{\sqrt{n}}{\sqrt{r}} \sigma \dfrac{\sqrt{\alpha ^{2r}-1}}{\sqrt{\alpha ^2-1}} \le e( \alpha ) \le 2 \dfrac{\sqrt{n}}{\sqrt{r}} \sigma \dfrac{\sqrt{\alpha ^{2r}-1}}{\sqrt{\alpha ^2-1}} .$$
Therefore, assuming that
$$\begin{aligned} 2 \dfrac{\sqrt{n}}{\sqrt{r}} \sigma \dfrac{\sqrt{\alpha ^{2r}-1}}{\sqrt{\alpha ^2-1}} < \dfrac{q}{4}, \end{aligned}$$
(3)
we obtain \(P(E_i \ | \ \mathcal {D} = \mathcal {G}_{\sigma })=1\) for \(g=s(\alpha )\), and uniform and Gaussian are distinguishable. Note that Hypothesis (2) implies in particular that \(\alpha ^r >q\).

In each of the two cases, we have given conditions on the size of \(\sigma \) under which \(\mathcal {U}\) and \(\mathcal {G}_\sigma \) are distinguishable and an attack is likely to succeed. We now elaborate on the algorithm that would be used.

We denote by \(\ell \) the number of samples observed. For each guess g mod q, we compute \(b_i - g a_i\) for \(i=1, \ldots , \ell \). If there is a guess g mod q for which the event \(E_i\) occurs for all \(i=1, \ldots ,\ell \), then the algorithm returns the guess if it is unique and INSUFFICIENT SAMPLES otherwise; the samples are likely valid Poly-LWE samples. Otherwise, it reports that they are certainly not valid Poly-LWE samples.

Proposition 2

Assume that we are in one of the following cases:
  1. 1.
    \(\alpha = \pm 1\) and
    $$\begin{aligned} 8\sigma \sqrt{n} < q. \end{aligned}$$
     
  2. 2.
    \(\alpha \) has small order \(r\ge 3\) modulo q, and
    $$ 8 \sigma \dfrac{\sqrt{n}}{\sqrt{r}} \dfrac{\sqrt{\alpha ^{2r}-1}}{\sqrt{\alpha ^2-1}} < q. $$
     

Then Algorithm 2 terminates in time at most \(\widetilde{O}(\ell q)\), where the implied constant is absolute. Furthermore, if the algorithm returns NOT PLWE, then the samples were not valid Poly-LWE samples. If it outputs anything other than NOT PLWE, then the samples are valid Poly-LWE samples with probability at least \(1-(\frac{1}{2})^\ell \).

Proof

The proof is as in Proposition 1, without the first few steps.

We remark that Propositions and Algorithms 1 and 2 overlap in some cases. For \(\alpha =\pm 1\), Algorithm 2 is more applicable (i.e. more parameter choices are susceptible), while for \(\alpha \) of other small orders, Algorithm 1 is more applicable.

4 Moving the Attack from Poly-LWE to Ring-LWE

We use the term Poly-LWE to refer to LWE problems generated by working in a polynomial ring, and reserve the term Ring-LWE for LWE problems generated by working with the canonical embedding of a number field as in [LPR, LPR13]. In the previous sections we have expanded upon Eisenträger, Hallgren and Lauter’s observation that for certain distributions on certain lattices given by Poly-LWE, the ring structure presents a weakness. We will now consider whether it is possible to expand that analysis to LWE instances created through Ring-LWE for number fields besides cyclotomic ones.

In particular, the necessary ingredient is that the distribution be such that under the ring homomorphisms of Sect. 3, the image of the errors is a ‘small’ subset of \(\mathbb {Z}/q\mathbb {Z}\), either the error values themselves are small, or they form a small, identifiable subset of \(\mathbb {Z}/q\mathbb {Z}\). Assuming a spherical Gaussian in the canonical embedding of R or \(R^\vee \), we describe a class of number fields for which this weakness occurs. A similar analysis would apply without the assumption that the distribution is spherical in the canonical embedding.

Here, we setup the key players (a number field and its canonical embedding, etc.) for general number fields so that these definitions specialize to those in [LPR13]. There are some choices inherent in our setup: it may be possible to generalize Ring-LWE to number fields in several different ways. We consider the two most natural ways.

4.1 The Canonical Embedding

Let K be a number field of degree n with ring of integers R whose dual is \(R^\vee \). We will embed the field K in \(\mathbb {R}^n\). Note that our setup is essentially that of [DD], rather than [LPR13], but the difference is notational.

Let \(\sigma _1, \ldots , \sigma _n\) be the n embeddings of K, ordered so that \(\sigma _1\) through \(\sigma _{s_1}\) are the \(s_1\) real embeddings, and the remaining \(n-s_1 = 2s_2\) complex embeddings are paired in such a way that \(\overline{\sigma _{s_1+k}} = \sigma _{s_1+s_2+k}\) for \(k=1, \ldots , s_2\) (i.e. list \(s_2\) non-pairwise-conjugate embeddings and then list their conjugates following that).

Define a map \(\theta : K \rightarrow \mathbb {R}^n\) given by
$$ \theta (r) = (\sigma _1(r), \ldots , \sigma _{s_1}(r), Re(\sigma _{s_1+1}(r)), \ldots , Re(\sigma _{s_1 + s_2}(r)), Im(\sigma _{s_1 + 1}(r)), \ldots , Im(\sigma _{s_1+s_2}(r)) ). $$
The image of K is the \(\mathbb {Q}\)-span of \(\theta (\omega _i)\) for any basis \(\omega _i\) for K over \(\mathbb {Q}\). This is not the usual Minkowski embedding, but it has the virtues that (1) the codomain is a real, not complex, vector space; and (2) the spherical or elliptical Gaussians used as error distributions in [LPR13] are, in our setup, spherical or elliptical with respect to the usual inner product. We denote the usual inner product by \(\langle \cdot , \cdot \rangle \) and the corresponding length by \(|x| = \sqrt{\langle x, x \rangle }\). It is related to the trace pairing on K, i.e. \(\langle \theta (r), \theta (s) \rangle = {\text {Tr}}(r\overline{s})\).

Then R and \(R^\vee \) form lattices in \(\mathbb {R}^n\).

4.2 Spherical Gaussians and Error Distributions

We define a Ring-LWE error distribution to be a spherical Gaussian distribution in \(\mathbb {R}^n\). That is, for a parameter \(\sigma > 0\), define the continuous Gaussian distribution function \(D_\sigma : \mathbb {R}^n \rightarrow (0,1]\) by
$$ D_\sigma (x) := (\sqrt{2\pi }\sigma )^{-n}{\text {exp}}\left( - |x|^2 / (2\sigma ^2) \right) . $$
This gives a distribution \(\varPsi \) on \(K \otimes \mathbb {R}\), via the isomorphism \(\theta \) to \(\mathbb {R}^n\). By approximating \(K \otimes \mathbb {R}\) by K to sufficient precision, this gives a distribution on K.

From this distribution we can generate the Ring-LWE error distribution on R, respectively \(R^\vee \), by taking a valid discretization \(\lfloor \varPsi \rceil _{R}\), respectively \(\lfloor \varPsi \rceil _{R^\vee }\), in the sense of [LPR13]. Now we have at hand a lattice, R, respectively \(R^\vee \), and a distribution on that lattice. The parameters (particularly \(\sigma \)) are generally advised to be chosen so that this instance of LWE is secure against general attacks on LWE (which do not depend on the extra structure endowed by the number theory).

4.3 The Ring-LWE Problems

Write \(R_q := R/qR\) and \(R_q^\vee = R^\vee /qR^\vee \). The standard Ring-LWE problems are as follows, where K is taken to be a cyclotomic field [LPR, LPR13].

Definition 1

(Ring-LWE Average-Case Decision [LPR]). Let \(s \in R_q^\vee \) be a secret. The average-case decision Ring-LWE problem, is to distinguish with non-negligible advantage between the same number of independent samples in two distributions on \(R_q \times R_q^\vee \). The first consists of samples of the form \((a, b:=as +e )\) where e is drawn from \(\chi := \lfloor \varPsi \rceil _{R^\vee }\) and a is uniformly random, and the second consists of uniformly random and independent samples from \(R_q \times R_q^\vee \).

Definition 2

(Ring-LWE Search [LPR]). Let \(s \in R_q^\vee \) be a secret. The search Ring-LWE problem, is to discover s given access to arbitrarily many independent samples of the form \((a, b:=as +e )\) where e is drawn from \(\chi := \lfloor \varPsi \rceil _{R^\vee }\) and a is uniformly random.

In proposing general number field Ring-LWE, one of two avenues may be taken:
  1. 1.

    preserve these definitions exactly as they are stated, or

     
  2. 2.

    eliminate the duals, i.e. replace every instance of \(R^\vee \) with R in the definitions above.

     

To distinguish these two possible definitions, we will refer to dual Ring-LWE and non-dual Ring-LWE. Lyubashevsky, Peikert and Regev remark that for cyclotomic fields, dual and non-dual Ring-LWE lead to computationally equivalent problems [LPR, Sect. 3.3]. They go on to say that over cyclotomics, for implementation and efficiency reasons, dual Ring-LWE is superior.

Generalising dual Ring-LWE to general number fields is the most naive approach, but it presents the problem that working with the dual in a general number field may be difficult. Still, it is possible there are families of accessible number fields for which this may be the desired avenue.

We will analyse the effect of the Poly-LWE vulnerability on both of these candidate definitions. In fact, the analysis will highlight some potential differences in their security, already hinted at in the discussion in [LPR, Sect. 3.3].

4.4 Isomorphisms from \(\theta (R)\) to a Polynomial Ring

Suppose K is a monogenic number field, meaning that R is isomorphic to a polynomial ring \(P = \mathbb {Z}[X]/f(X)\) for some monic irreducible polynomial f (f is a monogenic polynomial). In this case, we obtain \(R = \gamma R^\vee \), for some \(\gamma \in R\) (here, \(\gamma \) is a generator of the different ideal), so that \(\theta (R^\vee )\) and \(\theta (R)\) are related by a linear transformation. Thus a (dual or non-dual) Ring-LWE problem concerning the lattice \(\theta (R)\) or \(\theta (R^\vee )\) can be restated as a Poly-LWE problem concerning P.

Let \(\alpha \) be a root of f. Then R is isomorphic to P, via \(\alpha \mapsto X\). An integral basis for R is \(1, \alpha , \alpha ^2, \ldots , \alpha ^{n-1}\). An integral basis for \(R^\vee \) is \( \gamma ^{-1}, \gamma ^{-1}\alpha , \gamma ^{-1}\alpha ^2, \ldots , \gamma ^{-1}\alpha ^{n-1}\). Let \(M_\alpha \) be the matrix whose columns are \(\{ \theta (\alpha ^i) \}\). Let \(M^\vee _\alpha \) be the matrix whose columns are \(\{ \theta (\gamma ^{-1}\alpha ^i) \}\). If \({\mathbf v}\) is a vector of coefficients representing some \(\beta \in K\) in terms of the basis \(\{ \alpha ^i \}\) for \(K/\mathbb {Q}\), then \(\theta (\beta ) = M_\alpha {\mathbf v}\). In other words, \(M_\alpha : P \rightarrow \theta (R)\) is an isomorphism (where P is represented as vectors of coefficients). Similarly, \(M^\vee _\alpha : P \rightarrow \theta (R^\vee )\) is an isomorphism.

4.5 The Spectral Norm

Given an \(n \times n\) matrix M, its spectral norm \(\rho = ||M||_2\) is the \(\ell _2\) norm on its \(n^2\) entries. This is equal to the largest singular value of M. This is also equal to the largest radius of the image of a unit ball under M. This last interpretation allows one to bound the image of a spherical Gaussian distribution of parameter \(\sigma \) on the domain of M by another of parameter \(\rho \sigma \) on the codomain of M (in the sense that the image of the ball of radius \(\sigma \) will map into a ball of radius \(\rho \sigma \) after application of M).

The normalized spectral norm of M is defined to be \(\rho ' = ||M||_2/\det (M)^{1/n}\). The condition number of M is \(k(M) = ||M||_2||M^{-1}||_2\).

4.6 Moving the Attack from Poly-LWE to Ring-LWE

Via the isomorphism \(M:=M_\alpha ^{-1}\) (respectively \(M:=(M^\vee _\alpha )^{-1}\)), an instance of the non-dual (respectively dual) Ring-LWE problem gives an instance of the Poly-LWE problem in which the error distribution is the image of the error distribution in \(\theta (R)\) (respectively \(\theta (R^\vee )\)). In general, this may be an elliptic Gaussian distorted by the isomorphism. If the distortion is not too large, then it may be bounded by a spherical Gaussian which is not too large. In that case, a solution to the Poly-LWE problem with the new spherical Gaussian error distribution may be possible. If so, it will yield a solution to the original Ring-LWE problem.

This is essentially the same reduction described in [EHL]. However, those authors assume that the isomorphism is an orthogonal linear map; we are loosening this condition. The essential question in this loosening is how much the Gaussian distorts under the isomorphism. Our contribution is an analysis of the particular basis change.

This distortion is governed by the spectral norm \(\rho \) of M. If the continuous Gaussian in \(\mathbb {R}^n\) is of parameter \(\sigma \) (with respect to the standard basis of \(\mathbb {R}^n\)), then the new spherical Gaussian bounding its image is of parameter \(\rho \sigma \) with respect to P (in terms of the coefficient representation). The appropriate analysis for discrete Gaussians is slightly more subtle. Loosely speaking, we find that a Ring-LWE instance is weak if the following three things occur:
  1. 1.

    K is monogenic.

     
  2. 2.

    f satisfies \(f(1) \equiv 0 \pmod q\).

     
  3. 3.

    \(\rho \) and \(\sigma \) are sufficiently small.

     

The first condition guarantees the existence of appropriate isomorphisms to a polynomial ring; the second and third are required for the Poly-LWE attack to apply. The purpose of the third requirement is that the discrete Gaussian distribution in \(\mathbb {R}^n\) transfers to give vectors e(x) in the polynomial ring having the property that e(1) lies in the range \([-q/4,q/4)\) except with negligible probability; this allows Algorithm 2 and the conclusions of Proposition 2 to apply.

Let us now state our main result.

Theorem 1

Let K be a number field such that \(K = \mathbb {Q}(\beta )\), and the ring of integers of K is equal to \(\mathbb {Z}[\beta ]\). Let f be the minimal polynomial of \(\beta \) and suppose q is a prime such that f has root 1 modulo q. Finally, suppose that the spectral norm \(\rho \) of \(M_\beta ^{-1}\) satisfies
$$ \rho < \frac{q}{4\sqrt{2\pi }\sigma {n}}. $$
Then the non-dual Ring-LWE decision problem for \(K, q, \sigma \) can be solved in time \(\widetilde{O}(\ell q)\) with probability \(1 - 2^{-\ell }\), using a dataset of \(\ell \) samples.

Proof

Sampling a discrete Gaussian with parameter \(\sigma \) results in vectors of norm at most \(\sqrt{2\pi }\sigma \sqrt{n}\) except with probability at most \(2^{-2n}\) [LPR13, Lemma 2.8]. Considering the latter to be negligible, then we can expect error vectors to satisfy \(|| \mathbf {v} ||_2 < \sqrt{2\pi }\sigma \sqrt{n}\) and their images in the polynomial ring to satsify
$$ |e(1)| = || e(x) ||_1 < \sqrt{n}|| e(x) ||_2 < \sqrt{n} \rho \sqrt{2\pi }\sigma \sqrt{n} = \rho \sqrt{2\pi }\sigma n. $$
Therefore, if
$$ \rho \sqrt{2\pi }\sigma n < q/4, $$
then we may apply the attack of Sect. 3.2 that assumes \(f(1)\equiv 0 \pmod q\) and that error vectors lie in \([-q/4,q/4)\).

In what follows, we find a family of polynomials satisfying the conditions of the theorem, and give heuristic arguments that such families are in fact very common. The other cases (other than \(\alpha =1\)) appear out-of-reach for now, simply because the bounds on \(\rho \) are much more difficult to attain. We will not examine them closely.

4.7 Choice of \(\sigma \)

The parameters of Sect. 2.1 are used in implementations where the Gaussian is taken over \((\mathbb {Z}/q\mathbb {Z})^n\), and security depends upon the proportion of this space included in the ‘bell,’ meaning, it depends upon the ratio \(q/\sigma \). In the case of Poly-LWE, sampling is done on the coefficients, which are effectively living in the space \((\mathbb {Z}/q\mathbb {Z})^n\), so this is appropriate. However, in Ring-LWE, the embedding \(\theta (R)\) in \(\mathbb {R}^n\) may be very sparse (i.e. \(\theta (R^\vee )\) may be very dense). Still, the security will hinge upon the proportion of \(\theta (R)/q\theta (R)\) that is contained in the bell. We have not seen a discussion of security parameters for Ring-LWE in the literature, and so we propose that the appropriate meaning of the width of the Gaussian, w, in this case is
$$\begin{aligned} w := \sqrt{2\pi } \sigma ' := \sqrt{2\pi } \sigma {\det (M_\alpha )}^{1/n}, \end{aligned}$$
(4)
where \(\sigma '\) is defined by the above equality. The reason for this choice is that \(\theta (R)\) has covolume \(\det (M_\alpha )\); a very sparse lattice (corresponding to large determinant) needs a correspondingly large \(\sigma \) so that the same proportion of its vectors lie in the bell.
If \(\rho \) represents the spectral norm of \(M_\alpha ^{-1}\) (which has determinant \(\det (M_\alpha )^{-1}\)), then
$$ \rho ' := \rho \; {\det (M_\alpha )}^{1/n} $$
is the normalized spectral norm. Therefore \(\rho /\sigma = \rho '/\sigma '\). Hence the bound of Theorem 1 becomes
$$\begin{aligned} \rho ' < \frac{q}{4 w {n}}. \end{aligned}$$
(5)

5 Provably Weak Ring-LWE Number Fields

Consider the family of polynomials
$$ f_{n,q}(x) = x^{n} + q-1 $$
for q a prime. These satisfy \(f(1) \equiv 0 \pmod q\). By the Eisenstein criterion, they are irreducible whenever \(q-1\) has a prime factor that appears to exponent 1. These polynomials have discriminant [M] given by
$$ (-1)^{\frac{n^2-n}{2}}n^n(q-1)^{n-1}. $$

Proposition 3

Let n be power of a prime \(\ell \). If \(q-1\) is squarefree and \(\ell ^2 \not \mid ((1-q)^n-(1-q))\) then the polynomials \(f_{n,q}\) are monogenic.

Proof

This is a result of Gassert in [G, Theorem 5.1.4]. As stated, Theorem 5.1.4 of [G] requires \(\ell \) to be an odd prime. However, for the monogenicity portion of the conclusion, the proof goes through for \(p=2\).

Proposition 4

Suppose that \(f_{n,q}\) is irreducible, and the associated number field has \(r_2\) complex embeddings. Then \(r_2 = n/2\) or \((n-1)/2\) (whichever is an integer), and the normalized spectral norm of \(M_\alpha ^{-1}\) is exactly
$$ 2^{-r_2/n}\sqrt{(q-1)^{1-\frac{1}{n}}}. $$

Proof

Let a be a positive real n-th root of \(q-1\). Then the roots of the polynomial are exactly \(a \zeta _{2n}^j\) for j odd such that \(1 \le j < 2n\). The embeddings take \(a\zeta _{2n}\) to each of the other roots. There is \(r_1=1\) real embedding if n is odd (otherwise \(r_1=0\)), and the rest are \(r_2\) complex conjugate pairs, so that \(n = r_1 + 2r_2\). Then the dot product of the r-th and s-th columns of \(M_\alpha ^{-1}\) is
$$ \sum _{k=0}^{n-1} a^{r+s}\zeta _{2n}^{(r-s)(2k+1)} = 0 $$
Therefore, the columns of the matrix are orthogonal to one another. Hence, the matrix is diagonalizeable, and its eigenvalues are the lengths of its column vectors, which is for the r-th column,
$$ \left( \sum _{k=0}^{n-1} || a^r \zeta _{2n}^{2k+1} ||^2 \right) ^{1/2} = \sqrt{n}a^r $$
Therefore the smallest singular value of \(M_\alpha \) is \(\sqrt{n}\) and the largest is \(\sqrt{n}a^{n-1}\). Correspondingly, the largest singular values of \(M_\alpha ^{-1}\) is \(1/\sqrt{n}\).
A standard result of number theory relates the determinant of \(M_\alpha \) to the discriminant of K via
$$ {\text {det}}(M_\alpha ) = 2^{-r_2}\sqrt{{\text {disc}}(f_{n,q})}, $$
where \(r_2 \le \frac{n}{2}\) is the number of complex embeddings of K. Combining the smallest singular value with this determinant (the discriminant is given explicitly at the beginning of this section) gives the result.

Theorem 2

Suppose q is prime, n is an integer and \(f = f_{n,q}\) satisfies
  1. 1.

    n is a power of the prime \(\ell \),

     
  2. 2.

    \(q-1\) is squarefree,

     
  3. 3.

    \(\ell ^2 \not \mid ((1-q)^n-(1-q))\),

     
  4. 4.
    we have \(\tau > 1\), where
    $$ \tau := \frac{ q }{2\sqrt{2} w n(q-1)^{\frac{1}{2}-\frac{1}{2n}}}. $$
     

Then the non-dual Ring-LWE decision problem for f and w (defined by (4)) can be solved in time \(\widetilde{O}(\ell q)\) with probability \(1 - 2^{-\ell }\), using a dataset of \(\ell \) samples.

Proof

Under the stated conditions, f has a root 1 modulo q, and therefore Poly-LWE is vulnerable to the attack specified in Algorithm 2. The other properties guarantee the applicability of Theorem 1 via Propositions 3 and 4.

Under the assumption that \(q-1\) is infinitely often squarefree, this provides a family of examples which are susceptible to attack (taking, for example, n as an appropriate power of 2; note that in this case item (3) is automatic).

Interestingly, their susceptibility increases as q increases relative to n. It is the ratio \(\sqrt{q}/n\), rather than their overall size, which controls the vulnerability (at least as long as q is small enough to run a loop through the residues modulo q).

The quantity \(\tau \) can be considered a measure of security against this attack; it should be small to indicate higher security. For the various parameters indicated in Sect. 2.1, the value of \(\tau \) is:

Parameters

\(P_{LP1}\)

\(P_{LP2}\)

\(P_{LP3}\)

\(P_{GF}\)

\(P_{BCNS}\)

\(\tau \)

0.0136

0.0108

0.0090

0.0063

5.0654

The bound on \(\tau \) in Theorem 1 is stronger than what is required in practice for the attack to succeed. In particular, the spectral norm of the transformation \(M_\alpha ^{-1}\) does not accurately reflect the average behaviour; it is worst case. As n increases, it is increasingly unlikely that error samples happen to lie in just the right direction from the origin to be inflated by the full spectral norm. Furthermore, we assumed in the analysis of Theorem 1 an overly generous bound on the error vectors.

The proof is in the pudding: in Sect. 9 we have successfully attacked parameters for which \(\tau < 0.02\), including \(P_{LP1}\).

6 Heuristics on the Prevalence of Weak Ring-LWE Number Fields

In this section, we argue that many examples satisfying Theorem 1 are very likely to exist. In fact, each of the individual conditions is fairly easy to attain. We will see in what follows that given a random monogenic number field, there is with significant probability at least one prime q for which Ring-LWE is vulnerable (i.e. the bound (5) is attained) for parameters comparable to those of \(P_{BNCS}\). Note that in this parameter range, the spectral norm is expensive to compute directly.

6.1 Monogenicity

Monogenic fields are expected to be quite common in the following sense. If f of degree \(n \ge 4\) is taken to be a random polynomial (i.e. its coefficients are chosen randomly), then it is conjecturally expected that with probability \(\gtrsim 0.307\), P will be the ring of integers of a number field [K]. In particular, if f has squarefree discriminant, this will certainly happen. Furthermore, cyclotomic fields are monogenic, as are the families described in the last section.

However, at degrees \(n \sim 2^{10}\), the discriminant of f is too large to test for squarefreeness, so testing for monogenicity may not be feasible. Kedlaya has developed a method for constructing examples of arbitrary degree [K].

6.2 Examples, \(n = 2^{10}\), \(q \sim 2^{32}\)

Consider the following examples:
$$\begin{aligned} f(x) = x^{1024} + (2^{31}+14)x + 2^{31},&\quad q = 4294967311, \\ f(x) = x^{1024} + (2^{31}+2^{30}+22)x + (2^{31}+2^{30}),&\quad q = 6442450967, \\ f(x) = x^{1024} + (2^{31}+2^{30}+29)x + (2^{31}+2^{30}+5),&\quad q = 6442450979. \end{aligned}$$
These examples are discussed at greater length in Sect. 7.2, where the method for constructing them is explained. In each case, \(f(1) \equiv 0 \pmod q\).

In this size range, we were not able to compute the spectral norm of K directly in a reasonable amount of time. In the next few sections we will make persuasive heuristic arguments that it can be expected to have \(\rho '\) well within the required bound (5), i.e. \(\rho ' < 2^{17}\). That is, we expect these examples and others like them to be vulnerable.

6.3 Heuristics for the Spectral Norm

To find large q requires taking more complex polynomials f, which in turn may inflate the spectral norm, so the complexity of f must be balanced.

One approach is to consider polynomials of the form \(f(x) = x^n + ax + b\). Let us recall a standard result of number theory. For a number field K with \(r_1\) real embeddings and \(r_2\) conjugate pairs of complex embeddings, the determinant of the canonical embedding is \(\sqrt{\varDelta _K}2^{-r_2}\). Therefore, if \(\varDelta _K > 2^{2r_2}\) (call this Assumption A), we obtain \(\det (M_f) > 1\). Then \(|| M_f ||_2 > 1\). We are interested in the spectral norm of the inverse:
$$ ||M_f^{-1}||_2 \le k(M_f)/||M_f||_2 \le k(M_f), $$
where \(k(M_f)\) represents the condition number of \(M_f\). Now,
$$ \rho ' = ||M_f^{-1}||_2\det (M_f)^{1/n}. $$
As mentioned above, \(\det (M_f)\) is given in terms of \(\varDelta _K\). Under the assumption that \(\mathbb {Z}[X]/f(X)\) is indeed a ring of integers, \(\varDelta _K = {\text {Disc}}(f)\) (call this Assumption B). By [M],
$$ {\text {Disc}}(f) = (n-1)^{n-1}a^n + (-1)^{n-1}n^n(b+1)^{n-1}. $$
It is evident that by judicious choice of a and b, it is possible to obtain a range of discriminant sizes. We can expect there to be plenty of examples in the range \( n^2 < \varDelta _K < n^3\) (in this range, Assumption A is satisfied). Then we obtain
$$ \rho ' \le 2 k(M_f). $$
The condition number of \(M_f\) is hard to access theoretically, but heuristically, for random perturbations of any fixed matrix, most perturbations are well-conditioned (having small condition number) [TV]. The matrix \(M_f\) is a perturbation of \(M_p\) for \(p = x^n+1\). The extent of this perturbation can be bounded in terms of the coefficients a and b, since the perturbation is controlled by the perturbation in the roots of the polynomial. It is a now-standard result in numerical analysis, due to Wilkinson, that roots may be ill-conditioned in this sense, but the condition number can be bounded in terms of the coefficients a and b. This implies that, heuristically, \(k(M_f)\) is likely to be small quite frequently.

In conclusion, we expect to find that many f(x) will have \(\rho '\) quite small.

6.4 Experimental Evidence for the Spectral Norm

We only ran experiments in a small range due to limitations of our Sage implementation [S]. The polynomials \(x^{32}+ax+b\), \(-60 \le a,b \le 60\) were plotted on a \(\max \{a,b\}\)-by-\(\rho '\) plane. The result is as follows:

There are some examples with quite high \(\rho '\), but the majority cluster low. The grey line is \(y=\sqrt{x}\). Therefore, we may conjecture based on this experiment, that we may expect to find plenty of f satisfying \(\rho ' < \sqrt{\max \{a,b\}}\).

Experimentally, we may guess that the examples of Sect. 6.2, for which \(n = 2^{10}\) and \(\max \{a,b\} \le 2^{30}\), will frequently satisfy \(\rho ' < 2^{15}\), which is the range required by Theorem 1. (Note that the coefficients cannot be taken smaller if f is to have root 1 modulo a prime \(q \sim 2^{31}\).)

7 Weak Poly-LWE Number Fields

7.1 Finding f and q with Roots of Small Order

It is relatively easy to generate polynomials f and primes q for which f has a root of given order modulo q. There are two approaches: given f, find suitable q; and given q, find suitable f. Since there are other conditions one may require for other reasons (particularly on f), we focus on the first of these.

Given f, in order to find q such that f has a root of small order (this includes the cases \(\alpha = \pm 1\)), the following algorithm can be applied.

It is also possible to generate examples by first choosing q and searching for appropriate f. For example, taking \(f(x) = \varPhi _m(x)g(x) + q\) where g(x) is monic of degree \(m-n\) suffices. Both methods can be adapted to find f having any specified root modulo q.

7.2 Examples, \(n \sim 2^{10}\), \(q \sim 2^{32}\)

For the range \(n \sim 2^{10}\), we hope to find \(q \sim 2^{32}\). Examples were found by applying Algorithm 3 to polynomials f(x) of the form \(x^n + ax + b\) for ab chosen from a likely range. Examples are copious and not difficult to find (see Appendix A.2 for code).

Case \(\alpha =1\) . A few typical examples of irreducible f with 1 as a root modulo q are:
$$\begin{aligned} f(x) = x^{1024} + (2^{31}+14)x + 2^{31},&\quad q = 4294967311, \\ f(x) = x^{1024} + (2^{31}+2^{30}+22)x + (2^{31}+2^{30}),&\quad q = 6442450967, \\ f(x) = x^{1024} + (2^{31}+2^{30}+29)x + (2^{31}+2^{30}+5),&\quad q = 6442450979. \end{aligned}$$
These examples satisfy condition 1 of Proposition 2 with \(\sigma =3\), hence are vulnerable.
Case \(\alpha = -1\) . Here is an irreducible f with root \(-1\):
$$\begin{aligned} f(x) = x^{1024} + (2^{31}+9)x - (2^{31}+7),&\quad q = 4294967311 \sim 2^{32}. \end{aligned}$$
This example similarly satisfies condition 1 of Proposition 2 and so is vulnerable.
Case \(\alpha \) Small Order. Here is an irreducible f with a root of order 3:
$$\begin{aligned} f(x) = x^{1024} + (2^{16}+2)x - 2^{16},&\quad q = 1099514773507 \sim 2^{40}. \end{aligned}$$
This example has \(q \sim 2^{40}\); taking this larger q allows us to satisfy (2) of Proposition 1 and hence it is vulnerable to Algorithm 1.

7.3 Examples of Weak Poly-LWE Number Fields with Additional Properties

In this section we will give examples of number fields \(K = \mathbb {Q}[x]/(f(x))\) which are vulnerable to our attack on Poly-LWE. They will be vulnerable by satisfying one of the following two possible conditions:
  • R \(f(1) \equiv 0 \; \pmod q\).

  • R \(^{\varvec{\prime }}\) f has a root of small order modulo q.

We must also require:
  • Q The prime q can be chosen suitably large.

The examples we consider are cyclotomic fields and therefore Galois and monogenic. One should note that guaranteeing these two conditions together is nontrivial in general. In addition to these, there are additional conditions for the attack explained in [EHL]. The desirable conditions are:
  • G K is Galois.

  • M K is monogenic.

  • S The ideal (q) splits completely in the ring of integers R of K, and \(q \not \mid [R:\mathbb Z[\beta ]]\).

  • O The transformation between the canonical embedding of K and the power basis representation of K is given by a scaled orthogonal matrix.

Conditions G and S are needed for the Search-to-Decision reduction and Conditions M and O are needed for the Ring-LWE to Poly-LWE reduction in [EHL].

Note that checking the splitting condition for fields of cryptographic size is not computationally feasible in general. However, we are able to give a sufficient condition for certain splittings which is quite fast to check.

Proposition 5

Using the notation as above, if \(f(2) \equiv 0 \mod q\) then q splits in R.

Proof

Since \(2^{2^{k-1}} \equiv -1 \pmod q,\) it follows that \((2^\alpha )^{2^{k-1}}\equiv (-1)^\alpha \equiv -1 \pmod q\) for all odd \(\alpha \) in \(\mathbb Z\). We’ll show that \(2,2^3, 2^5, \ldots , 2^m\) where \(m=2^k-1\) are all distinct mod q, hence showing that f(x) has \(2^{k-1}\) distinct roots mod q i.e. f(x) splits mod q. Assume that \(2^i \equiv 2^j \pmod q\) for some \(1\le i< j \le 2^k-1\). Then \(2^{j-i} \equiv 1 \pmod q\), which means that the order of 2 modulo q divides \(j-i\). However, by the fact below (Lemma 1), the order of 2 mod q is \(2^k\), which is a contradiction since \(j-i< 2^k.\)

Lemma 1

Let q be a prime such that \(2^{2^{k-1}} \equiv -1 \pmod q\) for some integer k. Then the order of 2 modulo q is \(2^k\).

Proof

Let a be the order of 2 modulo q. By assumption \((2^{2^{k-1}})^2 \equiv 2^{2^k} \equiv 1 \pmod q.\) Then \(a | 2^k\) i.e. \(a=2^\alpha \) for some \(\alpha \le k.\) Say \(\alpha \le k-1.\) Then \(1=(2^{2^\alpha })^{2^{k-1-\alpha }}= 2^{2^{k-1}} \equiv -1 \pmod q\), a contradiction.

The converse of Proposition 5 does not hold. For instance, let K be the splitting field of the polynomial \(x^{8}+1\) and \(q=401\). Then q splits in R. However \(f(2)=257 \not \equiv 0 \pmod q\).

We now present a family of examples for which \(\alpha =-1\) is a root of f of order two. Conditions G, M, S, R\(^\prime \) (order 2) and Q are all satisfied. The field K is the cyclotomic number field of degree \(\phi (2^k)=2^{k-1}\), but instead of the cyclotomic polynomial we take the minimal polynomial of \(\zeta _{2^k} + 1.\) In each case, q is obtained by factoring \(2^{2^{k-1}}+1\) for various values of k and splitting is verified using Proposition 5.

k

2

3

4

5

6

7

7

8

8

q

5

17

257

65537\(\sim 2^{16}\)

6700417 \(\sim 2^{22}\)

274177 \(\sim 2^{18}\)

\(q_5\sim 2^{45}\)

\(q_6\sim 2^{55}\)

\(q_1\sim 2^{72}\)

k

9

9

10

10

10

11

11

11

q

\(q_7\sim 2^{50}\)

\(q_2 \sim 2^{205}\)

2424833\(\sim 2^{21}\)

\(q_3\sim 2^{162}\)

\(q_4 \sim 2^{328}\)

\(q_8\sim 2^{25} \)

\(q_9\sim 2^{32}\)

\(q_{10} \sim 2^{131}\)

Several of these examples are of cryptographic size1., i.e. the field has degree \(2^{10}\) and the prime is of size \(\sim 2^{32}\) or greater. These provide examples which are weak against our Poly-LWE attack, by Proposition 2.

8 Cyclotomic (in)vulnerability

One of our principal observations is that the cyclotomic fields, used for Ring-LWE, are uniquely protected against the attacks presented in this paper. The next proposition states that the polynomial ring of the m-th cyclotomic polynomial \(\varPhi _m\) will never be vulnerable to the attack based on a root of small order.

Proposition 6

The roots of \(\varPhi _m\) have order m modulo every split prime q.

Proof

Consider the field \(\mathbb {F}_q\), q prime. Since \(\mathbb {F}_q\) is perfect, the cyclotomic polynomial \(\varPhi _m(x)\) has \(\phi (m)\) roots in an extension of \(\mathbb {F}_q\). This polynomial has no common factor with \(x^k-1\) for \(k < m\). However, it divides \(x^m-1\). Therefore its roots have order dividing m, but not less than m. That is, its roots are all of order exactly m in the field in which they live. Now, if we further assume that \(\varPhi _m(x)\) splits modulo q, then its \(\phi (m)\) roots are all elements of order m modulo q, so in particular, \(m \mid q-1\). The roots of \(\varPhi _m(x)\) are all elements of \(\mathbb {Z}/q\mathbb {Z}\) of order exactly m.

The question remains whether there is another polynomial representation for the ring of cyclotomic integers for which f does have a root of small order. This may in fact be the case, but the error distribution is transformed under the isomorphism to this new basis, so this does not guarantee a weakness in Poly-LWE for \(\varPhi _m\).

However, it is not necessary to search for all such representations to rule out the possibility that this provides an attack. The ring \(R_q \cong \mathbb {F}_q^n\) has exactly \(n = \phi (m)\) homomorphisms to \(\mathbb {Z}/q\mathbb {Z}\). If \(R_q\) can be represented as \((\mathbb {Z}/q\mathbb {Z})[X]/f(X)\) with \(f(\alpha )=0\), then the map \(R_q \rightarrow \mathbb {Z}/q\mathbb {Z}\) is given by \(p \mapsto p(\alpha )\) is one of these n maps. It suffices to write down these n maps (in terms of any representation!) and verify that the errors map to all of \(\mathbb {Z}/q\mathbb {Z}\) instead of a small subset. It is a special property of the cyclotomics that these n homomorphisms coincide. Thus we are reduced to the case above.

9 Successfully Coded Attacks

The following table documents Ring-LWE and Poly-LWE parameters that were successfully attacked on a Thinkpad X220 laptop with Sage Mathematics Software [S], together with approximate timings. For code, see Appendix A. The first row indicates that cryptographic size is attackable in Poly-LWE. The second row indicates that a generic example attackable by Poly-LWE is also susceptible to Ring-LWE (see Sect. 6). We were unable to test the Ring-LWE attack for \(n>256\) only because Sage’s built-in Discrete Gaussian Sampler was not capable of initializing (thus we were unable to produce samples to test). The last two rows illustrate the \(\tau \) of Theorem 1 that is required for security in practice (approximately \(\tau < 0.013\) instead of \(\tau < 1\) in theory). In the Ring-LWE rows, parameters were chosen to illustrate the boundary of feasibility for a fixed n. Since the feasibility of the attack depends on the ratio \(\sqrt{q}/n\), there is no reason to think larger n are invulnerable (provided q also grows), but we were unable to produce samples to test against. The Poly-LWE example illustrates that runtime for large q is feasible (runtimes for Poly-LWE and Ring-LWE are the same; it is only the samples which differ).

Case

f

q

w

\(\tau \)

\(\begin{array}{c} \text {Samples per run} \end{array}\)

\(\begin{array}{c} \text {Successful runs} \end{array}\)

\(\begin{array}{c} \text {Time per run} \end{array}\)

Poly-LWE

\(x^{1024}+2^{31}-2\)

\(2^{31}-1\)

3.192

N/A

40

1 of 1

13.5 hrs

Ring-LWE

\(\begin{array}{c} x^{128}+524288x +524285 \end{array}\)

524287

8.00

N/A

20

8 of 10

24 sec

Ring-LWE

\(x^{192}+4092\)

4093

8.87

0.0136

20

1 of 10

25 sec

Ring-LWE

\(x^{256}+8189\)

8190

8.35

0.0152

20

2 of 10

44 sec

Footnotes

  1. 1.

    \(q_1= 5704689200685129054721, q_2= 9346163971535797776916355819960689658 4051237541638188580280321,\) \(q_3=7455602825647884208337395736200454918783366342657, q_5= 67280421310721, q_6= 59649589127497217\) \(q_4= 74164006262753080152478714190193747405994078109751902390582131614441 5759504705008092818711693940737\) \(q_7=1238926361552897, q_8=45592577, q_9=6487031809, q_{10}=46597757852200185 43264560743076778192897\)

Notes

Acknowledgments

The authors are indebted to the organizers of the research conference Women in Numbers 3 (Rachel Pries, Ling Long and the fourth author), as well as to the Banff International Research Station, for bringing together this collaboration. The authors would also like to thank Martin Albrecht for help with Sage.

References

  1. IEEE.
    P1363.1: Standard Specifications for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices, December 2008. http://grouper.ieee.org/groups/1363/
  2. BCNS.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 36th IEEE Symposium on Security and Privacy 2015 (2015). http://eprint.iacr.org/2014/599.pdf
  3. BLN.
    Bos, J.W., Lauter, K., Naehrig, M.: Private predictive analysis on encrypted medical data. J. Biomed. Inform. 54, 234–243 (2014)CrossRefGoogle Scholar
  4. BL+.
    Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC 2013 Proceedings of the 2013 ACM Symposium on Theory of Computing, pp. 575–584. ACM, New York (2013)Google Scholar
  5. BV.
    Brakerski, Z., Vaikuntanathan, V.: Fully homomorphic encryption from ring-LWE and security for key dependent messages. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 505–524. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  6. BGV.
    Brakerski, Z., Gentry, C., Vaikuntanathan, V.: Fully homomorphic encryption without bootstrapping. ACM Trans. Comput. Theor. 6(3), 36 (2014). Article No 13MathSciNetCrossRefGoogle Scholar
  7. DD.
    Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  8. EHL.
    Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 183–194. Springer, Heidelberg (2014) Google Scholar
  9. G.
    Gassert, T.A.: Prime decomposition in iterated towers and discriminant formulae. Ph.D. thesis, University of Massachusetts, Amherst (2014)Google Scholar
  10. GF+.
    Göttert, N., Feller, T., Schneider, M., Buchmann, J., Huss, S.: On the design of hardware building blocks for modern lattice-based encryption schemes. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 512–529. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  11. GHS.
    Gentry, C., Halevi, S., Smart, N.P.: Fully homomorphic encryption with polylog overhead. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 465–482. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  12. GLN.
    Graepel, T., Lauter, K., Naehrig, M.: ML confidential: machine learning on encrypted data. In: Kwon, T., Lee, M.-K., Kwon, D. (eds.) ICISC 2012. LNCS, vol. 7839, pp. 1–21. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  13. HPS.
    Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  14. K.
    Kedlaya, K.: A construction of polynomials with squarefree discriminants. Proc. Am. Math. Soc. 140, 3025–3033 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  15. LP.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  16. LPR.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  17. LPR13.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  18. M.
    Masser, D.W.: 3136. The discriminants of special equations. Math. Gaz. 50(372), 158–160 (1966)CrossRefGoogle Scholar
  19. MR04.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS 2004MathSciNetCrossRefzbMATHGoogle Scholar
  20. MR09.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  21. PG.
    Pöppelmann, T., Güneysu, T.: Towards practical lattice-based public-key encryption on reconfigurable hardware. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 68–86. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  22. R.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version STOC 2005MathSciNetCrossRefGoogle Scholar
  23. RV+.
    Roy, S.S., Vercauteren, F., Mentens, N., Chen, D.D., Verbauwhede, I.: Compact ring-LWE cryptoprocessor. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 371–391. Springer, Heidelberg (2014) Google Scholar
  24. S.
    Stein, W.A., et al.: Sage Mathematics Software (Version 6.4.1), The Sage Development Team (2014). http://www.sagemath.org
  25. SS.
    Stehlé, D., Steinfeld, R.: Making \(\mathtt{{NTRU}}\)Encrypt and \(\mathtt{{NTRU}}\)Sign as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  26. TV.
    Tao, T., Vu, V.: Smooth analysis of the condition number and the least singular value. Math. Comput. 79(272), 2333–2352 (2010)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Department of Mathematics and StatisticsMcGill UniversityMontrealCanada
  2. 2.Microsoft ResearchOne Microsoft WayRedmondUSA
  3. 3.Department of Mathematics, Faculty of Arts and ScienceBogazici UniversityBebek-IstanbulTurkey
  4. 4.Department of MathematicsUniversity of ColoradoBoulderUSA

Personalised recommendations