RLWE and PLWE over cyclotomic fields are not equivalent

We prove that the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems over the cyclotomic field $\mathbb{Q}(\zeta_n)$ are not equivalent. Precisely, we show that reducing one problem to the other increases the noise by a factor that is more than polynomial in $n$. We do so by providing a lower bound, holding for infinitely many positive integers $n$, for the condition number of the Vandermonde matrix of the $n$th cyclotomic polynomial.


Introduction
Since the theoretical results of Ajtai [1], lattice-based cryptography has gained increasing interest. Indeed, numerous lattice-based encryption and digital signature schemes, with performance comparable or even superior to that of their number-theoretic counterparts, have been proposed [2,10,13,16]. In particular, because of their presumed resistance against quantum attacks, lattice-based proposals are the most numerous in the final phase of the NIST post-quantum standardization process, with finalist candidates in both key encapsulation [3,5,11] and digital signature schemes [4,15].
The main building block of lattice-based cryptographic schemes is the Learning With Errors (LWE) problem [19], which, roughly speaking, consists of retrieving a secret vector $\mathbf{s} \in \mathbb{Z}_q^n$ from a noisy random sample of matrix products. On the one hand, LWE-based encryption schemes enjoy good computational efficiency and solid theoretical security bases. On the other hand, they require the ciphertexts or the public keys to be nearly quadratic in the security parameter. To overcome this inefficiency, algebraic variants of the LWE problem have been introduced, which consider the problem no longer over $\mathbb{Z}_q$ but over the quotient ring $\mathbb{Z}_q[X]/(f)$, where $f \in \mathbb{Z}_q[X]$ is a monic irreducible polynomial. The variant known as Polynomial-LWE (PLWE) was first proposed using power-of-two degree cyclotomic polynomials [22]. Later, Lyubashevsky, Peikert, and Regev [18] introduced the Ring-LWE (RLWE) variant over the ring of integers $\mathcal{O}_K$ of a number field $K = \mathbb{Q}(\theta)$ (for surveys on RLWE, see [7,14]).
The main advantage of RLWE (and of later generalizations such as Module-LWE [17]) is the provable-security link with hard computational problems over (ideal) lattices, as for plain LWE. Nevertheless, most of the concrete constructions of lattice-based schemes, while enjoying the security proofs of RLWE, are expressed in the simpler formalism of PLWE. The latter is in fact preferable in implementations, where the modular arithmetic between polynomials can be implemented efficiently. For these reasons, it is interesting to study for which families of polynomials $f$ the RLWE and PLWE problems are equivalent, that is, every solution of the first problem can be turned in polynomial time into a solution of the second problem, and vice versa, incurring a noise increase that is polynomial in the degree of $f$. More precisely, let $K = \mathbb{Q}(\theta)$ be a monogenic number field of degree $m$, and let $f \in \mathbb{Z}[X]$ be the minimal polynomial of $\theta$, so that $\mathcal{O}_K \cong \mathbb{Z}[X]/(f)$. The geometric notion of short element derives from a choice of a norm on $K$ by embedding the number field in $\mathbb{C}^m$. On the one hand, RLWE makes use of the canonical embedding (or Minkowski embedding) $\sigma$ from $K$ to $\mathbb{C}^m$, where $\sigma_i(\theta)$ ($i = 1, \ldots, m$) are the Galois conjugates of $\theta$. On the other hand, PLWE makes use of the coefficient embedding, which maps each $x \in \mathcal{O}_K$ to the vector $(x_0, \ldots, x_{m-1}) \in \mathbb{Z}^m$ of its coefficients with respect to the power basis $1, \theta, \ldots, \theta^{m-1}$. As a linear map, the canonical embedding $\sigma$ has a matrix representation $V \in \mathbb{C}^{m \times m}$, so that, for each $x \in \mathcal{O}_K$, we have $\sigma(x) = V \cdot (x_0, \ldots, x_{m-1})^{\mathsf{T}}$. For the equivalence between RLWE and PLWE, it is important to determine whether, when $x$ is small, $\sigma(x)$ is small too, and vice versa. This is quantified by $V$ having a small condition number $\operatorname{Cond}(V) := \|V\|\,\|V^{-1}\|$, where $\|V\| := \sqrt{\operatorname{Tr}(V^* V)}$ is the Frobenius norm of $V$ and $V^*$ is the conjugate transpose of $V$. Precisely, for the equivalence of the RLWE and PLWE problems it must be $\operatorname{Cond}(V) = O(m^r)$ for some constant $r > 0$ depending only on the family of polynomials $f$. An important case is that of cyclotomic fields. When $K = \mathbb{Q}(\zeta_n)$ is the $n$th cyclotomic field, $V_n := V$ is the Vandermonde matrix of the $n$th cyclotomic polynomial $\Phi_n(X)$, that is, the Vandermonde matrix of its roots $\zeta_{n,0}, \ldots, \zeta_{n,m-1}$, the primitive $n$th roots of unity, where $m = \varphi(n)$ is the Euler totient function of $n$. Note that $\Phi_n(X)$ has degree $m$. If $n$ is a power of $2$, then it is easy to show that $V_n$ is a scaled isometry, so that $\operatorname{Cond}(V_n) = m$ and consequently RLWE and PLWE are equivalent. Blanco-Chacón [6] (see also [8,9]) proved that $\operatorname{Cond}(V_n) = O(n^{r_k})$, where $r_k > 0$ is a constant depending only on the number $k$ of distinct prime factors of $n$. Therefore, RLWE and PLWE restricted to the positive integers $n$ with a bounded number of prime factors are equivalent. Furthermore, in a previous work [12], the authors gave an explicit formula for the condition number of $V_n$ when $n$ is a prime power or a power of $2$ times an odd prime power. Our main result is the following.
Theorem 1.1. There exist infinitely many positive integers $n$ such that $\operatorname{Cond}(V_n) > \exp\big(n^{\log 2 / \log\log n}\big) / \sqrt{n}$. In particular, for every fixed $r > 0$, we have that $\operatorname{Cond}(V_n) \neq O(n^r)$. As a consequence of Theorem 1.1 and the previous considerations, one immediately gets the following corollary. Corollary. RLWE and PLWE over the cyclotomic fields $\mathbb{Q}(\zeta_n)$ are not equivalent: reducing one problem to the other increases the noise by a factor that is more than polynomial in $n$.
It might be interesting to determine the maximal order of $\operatorname{Cond}(V_n)$ and, in particular, whether the lower bound of Theorem 1.1 can be improved significantly. For a plot of the values of $\operatorname{Cond}(V_n)$ up to $n = 10000$, see Figure 1. The library used for the calculation of $\operatorname{Cond}(V_n)$ is available in [21].

Proof of Theorem 1.1
Throughout this section, let $n$ be a positive integer and put $m := \varphi(n)$. We write $\mathrm{Id}_k$ for the $k \times k$ identity matrix, and we count rows and columns starting from $0$, so that the first row or column is the $0$th. Furthermore, let $W_n$ be the $m \times mn$ matrix obtained by "continuing" $V_n$ to the right.
Lemma 2.1. We have $W_n W_n^* = mn\,\mathrm{Id}_m$. Proof. The scalar product of the $i$th row of $W_n$ and the $j$th column of $W_n^*$ is equal to where we used the formula for the sum of a geometric progression. The claim follows.
Let $a_n(j)$ denote the coefficient of $X^j$ in the $n$th cyclotomic polynomial $\Phi_n(X)$, that is, The study of the coefficients of the cyclotomic polynomials has a very long history, which goes back at least to Gauss. For a survey, see [20]. Let $A(n)$ be the maximum of the absolute values of $a_n(0), \ldots, a_n(m-1)$. We need the following result of Vaughan [23].
Theorem 2.2. We have $A(n) > \exp\big(n^{\log 2 / \log\log n}\big)$ for infinitely many positive integers $n$.
Let $C_n$ be the companion matrix of $\Phi_n(X)$, which is the $m \times m$ matrix defined as , and let $S_n$ be the $m \times mn$ matrix obtained by the juxtaposition of the first $n$ powers of $C_n^m$. Lemma 2.3. We have for every integer $j \geq 0$. Consequently, we have that (1) for every integer $j \geq 0$. Therefore, by juxtaposition of (1) for $j = 0, m, 2m, \ldots, (n-1)m$, we obtain that $W_n = V_n S_n$. The claim follows.
Lemma 2.4. We have Proof. From Lemma 2.1 and Lemma 2.3, it follows that . Moreover, by the definition of $S_n$, we have that and the claim follows.
Lemma 2.5. Let $k$ be a positive integer and let Then, for every integer $j \in$ Proof. Actually, a stronger claim holds: for every integer $j \in [1, k]$, the $0$th, $1$st, $\ldots$, $(k-j)$th columns of $C^j$ are equal to the $(j-1)$th, $j$th, $\ldots$, $(k-1)$th columns of $C$, respectively. This follows easily by induction on $j$.
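As an added numerical check of the objects used in this section (this is not code from the paper or from the library [21]), the following stand-alone Python script constructs $V_n$, $W_n$, $C_n$ and $S_n$ from scratch and tests Lemma 2.1, Lemma 2.3 and Lemma 2.5 for small $n$. It assumes the conventions fixed above: rows of $V_n$ indexed by the primitive $n$th roots of unity with $(i,j)$ entry $\zeta_{n,i}^{\,j}$, $W_n$ the same rows continued to $mn$ columns, $C_n$ the companion matrix with ones on the subdiagonal and $-a_n(0), \ldots, -a_n(m-1)$ in its last column (so that the column statement of Lemma 2.5 holds), $S_n = [\mathrm{Id}_m \mid C_n^m \mid \cdots \mid C_n^{(n-1)m}]$, and the Frobenius norm throughout. It also checks a consequence we derive here from Lemma 2.1 and Lemma 2.3 rather than quote from the text: since $W_n = V_n S_n$ and $W_n W_n^* = mn\,\mathrm{Id}_m$, one gets $S_n S_n^* = mn\,(V_n^* V_n)^{-1}$, hence $\|V_n^{-1}\|^2 = \|S_n\|^2/(mn)$, and as $\|V_n\| = m$ this gives $\operatorname{Cond}(V_n) = \sqrt{m/n}\,\|S_n\|$; with Lemma 2.5 applied to the block $C_n^m$ this yields $\operatorname{Cond}(V_n) \geq A(n)/\sqrt{n}$, the shape of the bound used at the end of the proof. The inputs ($n = 12, 15, 16, 105$) are constructed for illustration.

```python
"""Checks on the Vandermonde matrix V_n of Phi_n(X); pure Python.  Assumed conventions:
V_n[i][j] = zeta_i^j over the primitive n-th roots zeta_i, W_n = V_n continued to m*n
columns, C_n = companion matrix of Phi_n (coefficients in the last column),
S_n = [Id | C_n^m | ... | C_n^((n-1)m)], Frobenius norm everywhere."""
import cmath
import math
from functools import lru_cache

def _poly_divide_exact(num, den):
    """Exact integer polynomial division (coefficients low-degree first, den monic)."""
    num, quot = list(num), [0] * (len(num) - len(den) + 1)
    for k in range(len(quot) - 1, -1, -1):
        quot[k] = c = num[k + len(den) - 1]      # leading coefficient still left
        for i, dc in enumerate(den):
            num[k + i] -= c * dc
    assert not any(num), "division was not exact"
    return quot

@lru_cache(maxsize=None)
def cyclotomic_coeffs(n):
    """(a_n(0), ..., a_n(m)) obtained from X^n - 1 = prod_{d | n} Phi_d(X)."""
    poly = [-1] + [0] * (n - 1) + [1]
    for d in (d for d in range(1, n) if n % d == 0):
        poly = _poly_divide_exact(poly, cyclotomic_coeffs(d))
    return tuple(poly)

def vandermonde(n, ncols=None):
    """V_n (ncols = m, the default) or W_n (ncols = m * n)."""
    roots = [cmath.exp(2j * math.pi * k / n) for k in range(n) if math.gcd(k, n) == 1]
    return [[z ** j for j in range(ncols or len(roots))] for z in roots]

def companion(n):
    """C_n: column t of C_n^j is the coefficient vector of X^(t+j) mod Phi_n."""
    a = cyclotomic_coeffs(n)
    m = len(a) - 1
    return [[(1 if i == j + 1 else 0) if j < m - 1 else -a[i] for j in range(m)] for i in range(m)]

def matmul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def matpow(A, e):
    """A^e by repeated squaring (exact on integer matrices)."""
    R = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    while e:
        if e & 1:
            R = matmul(R, A)
        A, e = matmul(A, A), e >> 1
    return R

def s_matrix(n):
    """S_n: juxtaposition of the first n powers of C_n^m (an m x mn matrix)."""
    C = companion(n)
    Cm, blocks, P = matpow(C, len(C)), [], matpow(C, 0)
    for _ in range(n):
        blocks.append(P)
        P = matmul(P, Cm)
    return [sum((blk[i] for blk in blocks), []) for i in range(len(C))]

def frobenius(A):
    return math.sqrt(sum(abs(x) ** 2 for row in A for x in row))

def inverse(A):
    """Gauss-Jordan inverse with partial pivoting over the complex numbers."""
    m = len(A)
    M = [[complex(x) for x in A[i]] + [complex(i == j) for j in range(m)] for i in range(m)]
    for c in range(m):
        piv = max(range(c, m), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        p = M[c][c]
        M[c] = [x / p for x in M[c]]
        for r in range(m):
            if r != c:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[m:] for row in M]

def cond(A):
    """Cond(A) = ||A|| ||A^-1|| in the Frobenius norm."""
    return frobenius(A) * frobenius(inverse(A))

def check_lemmas(n):
    """Largest deviations from Lemma 2.1 (W W* = mn Id) and Lemma 2.3 (W = V S), truth of
    Lemma 2.5 for j = 1..m, and Cond(V_n) next to the derived value sqrt(m/n) ||S_n||."""
    V, C, S = vandermonde(n), companion(n), s_matrix(n)
    m = len(V)
    W = vandermonde(n, m * n)
    WW, VS = matmul(W, [[W[i][j].conjugate() for i in range(m)] for j in range(m * n)]), matmul(V, S)
    col = lambda M, c: [row[c] for row in M]
    return {"m": m, "cond": cond(V), "cond_via_S": math.sqrt(m / n) * frobenius(S),
            "dev_lemma21": max(abs(WW[i][j] - m * n * (i == j)) for i in range(m) for j in range(m)),
            "dev_lemma23": max(abs(W[i][j] - VS[i][j]) for i in range(m) for j in range(m * n)),
            "lemma25": all(col(matpow(C, j), t) == col(C, t + j - 1)
                           for j in range(1, m + 1) for t in range(m - j + 1))}

def cond_and_bound(n):
    """Cond(V_n) next to m and A(n)/sqrt(n); avoids S_n, so it stays cheap for larger n."""
    V, A = vandermonde(n), max(abs(c) for c in cyclotomic_coeffs(n)[:-1])
    return {"m": len(V), "A": A, "cond": cond(V), "bound": A / math.sqrt(n)}

if __name__ == "__main__":
    print({n: check_lemmas(n) for n in (12, 15, 16)})
    print(cond_and_bound(105))   # n = 105: first cyclotomic polynomial with a coefficient of modulus 2
```

For $n = 16$ the script returns $\operatorname{Cond}(V_{16}) = 8 = m$, as expected for the power-of-two case; for $n = 105$ it exhibits $A(105) = 2$, so the bound $A(n)/\sqrt{n}$ is far below the trivial $\operatorname{Cond}(V_n) \geq m$ for such small $n$, which is why Theorem 1.1 needs the integers $n$ of Theorem 2.2.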
We are ready to prove Theorem 1.1. From Lemma 2.4 and Lemma 2.5, it follows that In turn, this implies that As a consequence, Theorem 2.2 yields that $\operatorname{Cond}(V_n) > \exp\big(n^{\log 2 / \log\log n}\big) / \sqrt{n}$ for infinitely many positive integers $n$. Therefore, for every fixed $r > 0$, we have that $\limsup_{n \to +\infty} \operatorname{Cond}(V_n) / n^r = +\infty$, so that $\operatorname{Cond}(V_n) \neq O(n^r)$. The proof is complete.

Acknowledgements.
The authors are members of CrypTO, the group of Cryptography and Number Theory of Politecnico di Torino. A. J. Di Scala and C. Sanna are members of GNSAGA of INdAM. A. J. Di Scala is a member of DISMA, Dipartimento di Eccellenza MIUR 2018-2022. E. Signorini is a cryptographer at Telsy S.p.A.

Figure 1. The condition number of $V_n$ for squarefree $n$, $1 < n < 10000$. The data are partitioned according to the number $\omega(n)$ of prime factors of $n$.