1 Introduction

The well-known public key system \(\mathsf {NTRU}\) was created and refined by Hoffstein, Pipher and Silverman in [17, 18]. The \(\mathsf {NTRU}\) encryption scheme, \(\mathsf {NTRUEncrypt}\), is one of the fastest known lattice-based cryptosystems and is regarded as an alternative to RSA and ECC because of its potential to resist attacks by quantum computers. The underlying problem of \(\mathsf {NTRUEncrypt}\) has been used to design various cryptographic primitives, including digital signatures [16], identity-based encryption [8] and multilinear maps [11, 23]. In the course of assessing the security of \(\mathsf {NTRU}\), Coppersmith and Shamir first claimed in [5] that breaking \(\mathsf {NTRU}\) can be converted into solving hard problems on the so-called \(\mathsf {NTRU}\) lattice. Since then, a long line of cryptanalyses [1, 2, 4, 9, 10, 12, 15, 19, 21, 22, 29, 34] has produced security estimates for \(\mathsf {NTRU}\) and its variants, and \(\mathsf {NTRU}\) is still considered secure in practice.

The Learning With Errors problem (\(\mathsf {LWE} \)), introduced by Regev in 2005 [32], was shown to be as hard as certain lattice problems in the worst case. The Ring Learning With Errors problem (\(\mathsf {RLWE} \)), proposed by Lyubashevsky, Peikert and Regev [25], is an algebraic variant of \(\mathsf {LWE} \) whose hardness is guaranteed by hard problems over ideal lattices. Owing to its better compactness and efficiency compared with \(\mathsf {LWE} \), \(\mathsf {RLWE} \) has served as the foundation of new cryptographic applications. In a celebrated paper [33], Stehlé and Steinfeld first modified \(\mathsf {NTRUEncrypt}\) by incorporating \(\mathsf {RLWE} \) and proved that the security of \(\mathsf {NTRU}\) follows by a reduction from \(\mathsf {RLWE} \), provided that a suitable set of parameters is used; this is the first sound theoretical basis for the security of \(\mathsf {NTRU}\) in the asymptotic sense. It is worth noting that several novel ideas and powerful techniques were developed in [33]. One remarkable contribution is to show that, for n a power of 2 and private keys f, g sampled under suitable conditions and parameters from the ring \(\mathbb {Z}[X]/(X^n+1)\), the public key \(h=\frac{f}{g}\) is close in statistical distance to a uniformly sampled element. Building on the provably secure \(\mathsf {NTRU}\) scheme, further cryptographic primitives have been obtained, such as fully homomorphic encryption [3, 24] and proxy re-encryption [30].

In most known ring-based cryptosystems, rings of the form \(\mathbb {Z}[X]/(X^{2^m}+1)\) are the preferred choice. This family of rings has some nice algebraic features, and various results on it have already been established. However, these rings are very scarce, which limits the choice of rings. Another family of rings, the prime cyclotomic rings of the form \(\mathcal R=\mathbb {Z}[X]/(X^{n-1}+\cdots +X+1)\) with n prime, is also of particular interest in many respects, especially in the context of \(\mathsf {RLWE} \) and \(\mathsf {NTRU}\). As a large subring, this ring is much closer to the original \(\mathsf {NTRU}\) ring. We also note that a class of subfield attacks [1] has recently been proposed that affects the asymptotic security of \(\mathsf {NTRU}\) for large moduli q. The subfield attack does not apply to the setting of [33], but it is still meaningful to consider \(\mathsf {NTRU}\) over fields with no subfields of the desired relative degree. In this sense, prime cyclotomic rings seem a good choice with the potential to counter the subfield attack. Establishing \(\mathsf {IND\text {-}CPA}\) (indistinguishability under chosen-plaintext attack) security results with respect to this class of rings is thus an important topic. Indeed, as stated in [33], the results for \(\mathbb {Z}[X]/(X^{2^m}+1)\) are likely to hold in more general cases, including that of prime cyclotomic rings. However, to the best of our knowledge, no actual discussion of this issue can be found in the literature.

Our Contribution. The main purpose of this paper is to study the provable security of \(\mathsf {NTRU}\) in a modified setting with respect to prime cyclotomic rings. We show that results similar to those of [33] still hold over prime cyclotomic rings. Consequently, to instantiate a provably secure \(\mathsf {NTRU}\), the density of usable cyclotomic polynomial degrees \(n < N\) is increased from \(\varTheta \left( \frac{\log N}{N}\right) \) to \(\varTheta \left( \frac{1}{\log N}\right) \). Even though some of the main ideas of [33] are applicable in our discussion, many technical differences also need to be taken care of. Furthermore, some new results on prime cyclotomic rings developed here might be of general interest. We believe that these results could be used to design more applications based on prime cyclotomic rings.

Organization. We start in Sect. 2 with some notations and basic facts that will be useful to our discussion. We develop and prove a series of relevant results over prime cyclotomic rings in Sect. 3. Section 4 describes a modified \(\mathsf {NTRUEncrypt}\) over prime cyclotomic rings and a reduction to its \(\mathsf {IND\text {-}CPA}\) security from \(\mathsf {RLWE} \), which has been proven hard under worst-case assumptions on ideal lattices. We conclude in Sect. 5. A couple of results have proofs similar to those in [33]; for completeness, these proofs are included in Appendices A, B and C.

2 Preliminaries

Lattice. A lattice \(\mathcal {L}\) is a discrete subgroup of \(\mathbb {R}^m\) and is represented by a basis, i.e. there is a set of linearly independent vectors \(\mathbf {b}_1,\cdots ,\mathbf {b}_n \in \mathbb {R}^m\) such that \(\mathcal {L}= {\{}{\sum _i x_i\mathbf {b}_i | x_i\in \mathbb {Z}}{\}}\). The integer m is the dimension and the integer n is the rank of \(\mathcal {L}\). A lattice is full-rank if its rank equals its dimension. The first minimum \(\lambda _1(\mathcal {L})\) (resp. \(\lambda _1^{\infty }(\mathcal {L})\)) is the minimum of the Euclidean (resp. \(\ell _\infty \)) norm over all non-zero vectors of the lattice \(\mathcal {L}\). More generally, the k-th minimum \(\lambda _k(\mathcal {L})\) for \(k\le n\) is the smallest r such that there are at least k linearly independent vectors of \(\mathcal {L}\) whose norms are not greater than r. Given a basis \(\mathbf {B}= (\mathbf {b}_1,\cdots ,\mathbf {b}_n)\) of a full-rank lattice \(\mathcal {L}\), the set \(\mathcal {P}(\mathbf {B}) = {\{}{\sum _i c_i\mathbf {b}_i | c_i\in [0,1)}{\}}\) is the fundamental parallelepiped of \(\mathbf {B}\), whose volume \(|\det (\mathbf {B})|\) is an invariant of \(\mathcal {L}\), called the volume of \(\mathcal {L}\) and denoted by \(\det (\mathcal {L})\). The dual lattice of \(\mathcal {L}\) is the lattice \(\widehat{\mathcal {L}} = {\{}{\mathbf {c}\in \mathbb {R}^m | \forall i, \langle \mathbf {c},\mathbf {b}_i\rangle \in \mathbb {Z}}{\}}\) of the same dimension and rank as \(\mathcal {L}\).

Given a ring \(\mathcal R\) with an additive isomorphism \(\theta \) mapping \(\mathcal R\) to the lattice \(\theta (\mathcal R)\) in an inner product space, and an ideal I of \(\mathcal R\), we call the sublattice \(\theta (I)\) an ideal lattice. Due to their smaller space requirement and faster operations, ideal lattices have been a popular choice for most lattice-based cryptosystems. More importantly, the hardness of the classical lattice problems \(\mathsf {SVP}\) (Shortest Vector Problem) and \(\gamma \)-\(\mathsf {SVP}\) (Approximate Shortest Vector Problem with approximation factor \(\gamma \)) does not seem to decrease substantially when restricted to ideal lattices (except perhaps for very large approximation factors [6]). Thus, it is believed that the worst-case hardness of \(\gamma \)-\(\mathsf {SVP}\) over ideal lattices, denoted by \(\gamma \)-Ideal-\(\mathsf {SVP}\), holds against subexponential quantum attacks for any \(\gamma \le {{\mathrm{poly}}}(n)\).

Probability and Statistics. Let D be a distribution over a discrete domain E. We write to represent the random variable z that is sampled from the distribution D, and denote by D(x) the probability that z evaluates to \(x \in E\). We denote by U(E) the uniform distribution over a finite domain E. For two distributions \(D_1, D_2\) over the same discrete domain E, their statistical distance is \(\varDelta (D_1;D_2) = \frac{1}{2}\sum _{x\in E}|D_1(x)-D_2(x)|\). Two distributions \(D_1,D_2\) are said to be statistically close with respect to n if their statistical distance satisfies \(\varDelta (D_1;D_2)=o(n^{-c})\) for every constant \(c>0\).

Gaussian Measures. We denote by \(\rho _{r,\mathbf {c}}(\mathbf {x})\) the n-dimensional Gaussian function with center \(\mathbf {c}\in \mathbb {R}^n\) and width r, i.e. \(\rho _{r,\mathbf {c}}(\mathbf {x}) = \exp \left( -\frac{\pi \Vert \mathbf {x}-\mathbf {c}\Vert ^2}{r^2}\right) \). When the center is \(\mathbf {0}\), the Gaussian function is simply written as \(\rho _{r}(\mathbf {x})\). For a subset \(S\) of \(\mathbb {R}^n\), we denote by \(\rho _{r,\mathbf {c}}(S)\) (resp. \(\rho _{r}(S)\)) the sum \(\sum _{\mathbf {x}\in S}\rho _{r,\mathbf {c}}(\mathbf {x})\) (resp. \(\sum _{\mathbf {x}\in S}\rho _{r}(\mathbf {x})\)). Let \(D_{\mathcal {L},r,\mathbf {c}}\) be the discrete Gaussian distribution over a lattice \(\mathcal {L}\) with center \(\mathbf {c}\) and width r; the probability of a vector \(\mathbf {x}\in \mathcal {L}\) under this distribution is \(D_{\mathcal {L},r,\mathbf {c}}(\mathbf {x}) = \frac{\rho _{r,\mathbf {c}}(\mathbf {x})}{\rho _{r,\mathbf {c}}(\mathcal {L})}\). For \(\delta > 0\), the smoothing parameter \(\eta _\delta (\mathcal {L})\) is the smallest \(r > 0\) such that \(\rho _{1/r}(\widehat{\mathcal {L}}) \le 1+\delta \). The smoothing parameter can be bounded in terms of some lattice quantities. The following lemmata will be useful in our discussion.

Lemma 1

([28], Lemma 3.3). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). Then \(\eta _\delta (\mathcal {L}) \le \sqrt{\frac{\ln (2n(1+1/\delta ))}{\pi }}\cdot \lambda _n(\mathcal {L})\).

Lemma 2

([31], Lemma 3.5). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). Then \(\eta _\delta (\mathcal {L}) \le \frac{\sqrt{\ln (2n(1+1/\delta ))/\pi }}{ \lambda _1^{\infty }\left( \widehat{\mathcal {L}}\right) }\).

Lemma 3

([28], Lemma 4.4). Let \(\mathcal {L}\subseteq \mathbb {R}^n\) be a full-rank lattice and \(\delta \in (0,1)\). For \(\mathbf {c}\in \mathbb {R}^n\) and \(r \ge \eta _\delta (\mathcal {L})\), we have .

Lemma 4

([28], Corollary 2.8). Let \(\mathcal {L}' \subseteq \mathcal {L}\subseteq \mathbb {R}^n\) be full-rank lattices and \(\delta \in (0,\frac{1}{2})\). For \(\mathbf {c}\in \mathbb {R}^n\) and \(r \ge \eta _\delta (\mathcal {L}')\), we have \(\varDelta (D_{\mathcal {L},r,\mathbf {c}} \bmod \mathcal {L}'; U(\mathcal {L}/\mathcal {L}')) \le 2\delta \).

Lemma 5

([28], Theorem 4.1). There exists a polynomial-time algorithm that, given a basis \((\mathbf {b}_1,\cdots ,\mathbf {b}_n)\) of a lattice \(\mathcal {L}\subseteq \mathbb {Z}^n\), a parameter \(r = \omega (\sqrt{\log n})\max \Vert \mathbf {b}_i\Vert \) and \(\mathbf {c}\in \mathbb {R}^n\), outputs samples from a distribution statistically close to \(D_{\mathcal {L},r,\mathbf {c}}\) with respect to n.

Furthermore, we denote by \(\psi _r\) the Gaussian distribution with mean 0 and width r over \(\mathbb {R}\) and by \(\psi _r^n\) the spherical Gaussian distribution over \(\mathbb {R}^n\) of the vector \((v_1,\cdots ,v_n)\) in which each \(v_i\) is drawn from \(\psi _r\) independently. In this paper, we shall restrict \(\psi _r\) over \(\mathbb {Q}\) rather than \(\mathbb {R}\). As explained in [7], this will only lead to a negligible impact on our results.

Cyclotomic Ring. Let \(\xi _n\) be a primitive n-th complex root of unity and \(\varPhi _n(X)\) the n-th cyclotomic polynomial. It is known that \(\varPhi _n(X) \in \mathbb {Z}[X]\) and is of degree \(\varphi (n)\), the totient of n. The roots of \(\varPhi _n(X)\) form the set \({\{}{\xi _n^i | i \in \mathbb {Z}_n^*}{\}}\). In this paper, we will be working with a cyclotomic ring of the form \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any prime n, if a prime q satisfies \(q = 1 \bmod n\), then \(\varPhi _n(X)\) splits into \(n-1\) distinct linear factors modulo q. Given n, the existence of infinitely many such primes is guaranteed by Dirichlet’s theorem on arithmetic progressions. Furthermore, by Linnik’s theorem, the smallest such q can be bounded by \({{\mathrm{poly}}}(n)\) (a more precise bound \(O(n^{5.2})\) has been proven in [36]). Another important class of rings involved in our discussion is the family of rings of the form \(\mathcal R_q = \mathcal R/q\mathcal R\). As indicated earlier, our main focus will be prime cyclotomic rings, i.e. those rings associated with the polynomials \(\varPhi _n(X) = X^{n-1} + X^{n-2} + \cdots + 1\) with n a prime.

Given a positive integer n, we define the polynomial \(\varTheta _n(X)\) to be \(X^n-1\) if n is odd, and \(X^{\frac{n}{2}}+1\) if n is even. It is easy to see that there is a natural ring extension \(\mathcal R'=\mathbb {Z}[X]/\varTheta _n(X)\) of the cyclotomic ring \(\mathcal R=\mathbb {Z}[X]/\varPhi _n(X)\). In particular, when \(n>1\) is a power of 2, \(\mathcal R= \mathcal R'\); when n is a prime, the relation \(\varTheta _n(X) = \varPhi _n(X)\cdot (X-1)\) implies a ring isomorphism \(\mathcal R' \simeq \mathcal R\times \mathbb {Z}\) by the Chinese Remainder Theorem.

Hardness of RLWE. The “pure” Ring Learning With Errors problem (\(\mathsf {RLWE} \)) introduced in [25] involves the dual of the ring. For the ring \(\mathbb {Z}[X]/(X^{2^m}+1)\), the dual is just a scaling of the ring itself. Therefore, many \(\mathsf {RLWE} \) instances are established over such rings to avoid the dual. In [7], Ducas and Durmus proposed an “easy-to-use” \(\mathsf {RLWE} \) setting and instantiated \(\mathsf {RLWE} \) over prime cyclotomic rings. In this paper, we follow the setting of [7].

Definition 1

( \(\mathsf {RLWE} \) error distribution in [7]). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Given \(\psi \) a distribution over \(\mathbb {Q}[X]/\varTheta _n(X)\), we define \(\overline{\psi }\) as the distribution over \(\mathcal R\) obtained by \(e = {\lfloor }e' \bmod \varPhi _n(X){\rceil } \in \mathcal R\) with . Here we denote by \({\lfloor }f{\rceil }\) the polynomial whose coefficients are derived by rounding coefficients of f to the nearest integers.

Definition 2

( \(\mathsf {RLWE} \) distribution in [7]). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\) and \(\mathcal R_q = \mathcal R/q\mathcal R\). For \(s \in \mathcal R_q\) and \(\psi \) a distribution over \(\mathbb {Q}[X]/\varTheta _n(X)\), we define \(A_{s,\psi }\) as the distribution over \(\mathcal R_q \times \mathcal R_q\) obtained by sampling the pair \((a, as+e)\) where and \(e \hookleftarrow \overline{\psi }\).

Definition 3

(\(\mathsf {RLWE}_{q,\psi ,k}\)). Let \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\) and \(\mathcal R_q = \mathcal R/q\mathcal R\). The problem \(\mathsf {RLWE}_{q,\psi ,k}\) in the ring \(\mathcal R\) is defined as follows. Given k samples drawn from \(A_{s,\psi }\) where and k samples from \(U(\mathcal R_q \times \mathcal R_q)\), distinguish them with an advantage \(1/{{\mathrm{poly}}}(n)\).
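As an added illustration of Definitions 1 and 2 (this is example code written for this page, not code from [7] or from the paper), the following Python sketch samples the error \(e = {\lfloor }e' \bmod \varPhi _n(X){\rceil }\) with \(e'\) drawn coefficient-wise from \(\psi _r^n\) over \(\mathbb {Q}[X]/(X^n-1)\) (recall \(\varTheta _n(X) = X^n-1\) for odd prime n), and then forms one sample \((a, as+e)\) over \(\mathcal R_q\). The toy parameters n = 7 and q = 29 (so that \(q = 1 \bmod 2n\)), the width r, the rounding convention, and the choice to draw s from the error distribution (the \(\mathsf {RLWE} ^{\times }_{HNF}\) variant described at the end of this section) are assumptions of the example; the Gaussian of width r is implemented with standard deviation \(r/\sqrt{2\pi }\), which matches \(\rho _r(x) = \exp (-\pi x^2/r^2)\). All function names are the example's own.

```python
import math
import random


def reduce_mod_phi(c, n):
    """Reduce a polynomial of degree < n (an element of Q[X]/(X^n - 1), n prime)
    modulo Φ_n(X) = X^{n-1} + ... + 1, using X^{n-1} = -(X^{n-2} + ... + X + 1).
    Returns the n-1 coefficients of the result."""
    c = list(c) + [0] * (n - len(c))
    return [c[i] - c[n - 1] for i in range(n - 1)]


def mul_mod_q(f, g, n, q):
    """Product in R_q = Z_q[X]/Φ_n(X): multiply modulo X^n - 1 first
    (Φ_n divides X^n - 1), then reduce modulo Φ_n and modulo q."""
    h = [0] * n
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % n] += fi * gj
    return [x % q for x in reduce_mod_phi(h, n)]


def sample_error(n, r, rng):
    """Definition 1 with ψ = ψ_r^n: draw e' with n independent Gaussian coefficients
    of width r over Q[X]/(X^n - 1) (standard deviation r/sqrt(2π) corresponds to
    ρ_r(x) = exp(-πx²/r²)), reduce modulo Φ_n, then round coefficient-wise.
    Rounding as floor(x + 1/2) is this example's convention for ⌊·⌉ (assumption)."""
    e_prime = [rng.gauss(0.0, r / math.sqrt(2 * math.pi)) for _ in range(n)]
    return [math.floor(x + 0.5) for x in reduce_mod_phi(e_prime, n)]


def rlwe_sample(n, q, r, s, rng):
    """Definition 2: one pair (a, a·s + e) from A_{s,ψ} with a uniform in R_q."""
    a = [rng.randrange(q) for _ in range(n - 1)]
    e = sample_error(n, r, rng)
    b = [(x + y) % q for x, y in zip(mul_mod_q(a, s, n, q), e)]
    return a, b, e


def rlwe_demo(n, q, r, seed):
    """Draws s from the error distribution (the HNF variant), produces one sample
    and confirms that b - a·s recovers e modulo q. Returns (a, b, e, s, ok)."""
    if q % (2 * n) != 1:
        raise ValueError("Theorem 1 needs a prime q with q = 1 (mod 2n)")
    rng = random.Random(seed)
    s = [x % q for x in sample_error(n, r, rng)]
    a, b, e = rlwe_sample(n, q, r, s, rng)
    a_s = mul_mod_q(a, s, n, q)
    ok = all((bi - ci) % q == ei % q for bi, ci, ei in zip(b, a_s, e))
    return a, b, e, s, ok


if __name__ == "__main__":
    # Toy parameters (constructed): n = 7 is prime and q = 29 = 1 (mod 14).
    a, b, e, s, ok = rlwe_demo(7, 29, 3.0, seed=1)
    print("a =", a, "\nb =", b, "\ne =", e, "\nconsistent:", ok)
```

The order of operations in `sample_error` is the point of Definition 1: the continuous sample lives in the extension ring \(\mathbb {Q}[X]/(X^n-1)\) with n coefficients, the reduction modulo \(\varPhi _n\) subtracts the top coefficient from the other n-1, and only then is each coefficient rounded; the rounded error therefore has correlated coefficients, which is why the paper treats \(\overline{\psi }\) rather than a plain discrete Gaussian over \(\mathcal R\).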

The following theorem indicates that \(\mathsf {RLWE} \) under the above settings is hard based on the worst-case hardness of \(\gamma \)-Ideal-\(\mathsf {SVP}\). The ideal lattices we discuss here are with respect to the so-called canonical embedding, i.e. \(\theta (f) = (f(\xi _n^i))_{i\in \mathbb {Z}_n^*}\).

Theorem 1

([7], Theorem 2). Let n be an odd prime, and let \(\mathcal R_q\) be the ring \(\mathbb {Z}_q[X]/\varPhi _n(X)\) where q is a prime congruent to 1 modulo 2n. Also, let \(\alpha \in (0,1)\) be a real number such that \(\alpha q > \omega (\sqrt{\log n})\). There exists a randomized quantum reduction from \(\gamma \)-Ideal-\(\mathsf {SVP}\) on ideal lattices in \(\mathbb {Z}[X]/\varPhi _n(X)\) to \(\mathsf {RLWE}_{q,\psi _t^{n},k}\) for \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\) (with \(\gamma = \tilde{O}\left( \frac{\sqrt{n}}{\alpha }\right) \)) that runs in time \(O(q\cdot {{\mathrm{poly}}}(n))\).

Let \(\mathcal R_q^{\times }\) be the set of all invertible elements of \(\mathcal R_q\). By restricting \(A_{s,\psi }\) to \(\mathcal R_q^{\times } \times \mathcal R_q\), we obtain a modified \(\mathsf {RLWE} \) distribution, which we denote by \(A_{s,\psi }^{\times }\). Replacing \(A_{s,\psi }\) and \(U(\mathcal R_q \times \mathcal R_q)\) by \(A_{s,\psi }^{\times }\) and \(U(\mathcal R_q^{\times } \times \mathcal R_q)\) respectively, we get a variant of \(\mathsf {RLWE} \), which is denoted by \(\mathsf {RLWE} ^{\times }\). When \(q = \varOmega (n)\), the invertible elements account for a non-negligible fraction of \(\mathcal R_q\). Thus \(\mathsf {RLWE} ^{\times }\) remains hard. Furthermore, as explained in [33], the nonce s in \(A_{s,\psi }^{\times }\) can be sampled from \(\psi \) without incurring any security loss. We denote this variant of \(\mathsf {RLWE} ^{\times }\) by \(\mathsf {RLWE} ^{\times }_{HNF}\).

3 New Results on Prime Cyclotomic Rings

In this section, we report on a series of results on prime cyclotomic rings. Some of them are adapted from corresponding conclusions in [33], but the modifications are not trivial, given the differences between cyclotomic rings of prime order and those of power-of-2 order. First, we present several notations and basic properties for prime cyclotomic rings.

3.1 Notations and Properties

Let n be a prime and \(\mathcal R\) be the ring \(\mathbb {Z}[X]/\varPhi _n(X)=\mathbb {Z}[X]/(X^{n-1}+\cdots +1)\). For any \(f \in \mathcal R\), we call a vector \((f_0,\cdots ,f_{n-2})\in \mathbb {Z}^{n-1}\) the coefficient vector of f if \(f = \sum _{i=0}^{n-2}f_iX^i\). For any \(\mathbf {s}= (s_1, \cdots , s_m) \in \mathcal R^m\), we view \(\mathbf {s}\) as an \(m(n-1)\)-dimensional vector in \(\mathbb {Z}^{m(n-1)}\) by the coefficient embedding. Given \(\mathbf {s},\mathbf {t}\in \mathcal R^m\), their Euclidean inner product is denoted by \(\langle \mathbf {s}, \mathbf {t}\rangle \). To get a clean expression of \(\langle \mathbf {s}, \mathbf {t}\rangle \) as a coefficient of a polynomial related to \(\mathbf {s}\) and \(\mathbf {t}\), we introduce two operations on \(f \in \mathcal R\) as follows.

For \(f \in \mathcal R\) with coefficient vector \((f_0,\cdots ,f_{n-2})\), we define \(f^{\smallsmile }\) to be the polynomial \(\sum _{i=0}^{n-2}(\sum _{j=i}^{n-2}f_j)X^i\) and \(f^{\smallfrown }\) to be the polynomial \(\sum _{i=0}^{n-3}(f_i - f_{i+1})X^i + f_{n-2}X^{n-2}\). One important consequence is that, regarding \(\smallsmile \) and \(\smallfrown \) as two functions over \(\mathcal R\), these operations are inverse to each other, namely:

Proposition 1

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\), then

$$\begin{aligned} \forall f \in \mathcal R, (f^{\smallsmile })^{\smallfrown } = (f^{\smallfrown })^{\smallsmile } = f. \end{aligned}$$

Proof

Let \((g_0,\cdots ,g_{n-2})\) and \((h_0,\cdots ,h_{n-2})\) be the coefficient vectors of the polynomials \(f^{\smallsmile }\) and \(f^{\smallfrown }\) respectively. According to the definitions of these two operations, we have

$$\begin{aligned} g_i = \sum _{j=i}^{n-2}f_j \text { for } i \in {\{}{0,\cdots ,n-2}{\}} \end{aligned}$$

and

$$\begin{aligned} h_i = f_i - f_{i+1} \text { for } i < n-2\ \ \ \ \text {and}\ \ \ \ h_{n-2} = f_{n-2}. \end{aligned}$$

Then a straightforward computation shows that

$$\begin{aligned} g_i - g_{i+1} = f_i \text { for } i < n-2\ \ \ \ \text {and}\ \ \ \ g_{n-2} = f_{n-2} \end{aligned}$$

and

$$\begin{aligned} \sum _{j=i}^{n-2} h_j = f_i \text { for } i \in {\{}{0,\cdots ,n-2}{\}}. \end{aligned}$$

Thus we conclude that \(g^{\smallfrown } = h^{\smallsmile } = f\), i.e. \((f^{\smallsmile })^{\smallfrown } = (f^{\smallfrown })^{\smallsmile } = f\).     \(\square \)

The following lemma manifests an expression of the Euclidean inner product of two elements in \(\mathcal R\).

Lemma 6

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Denote by \(X^{-1}\) the inverse of X. Let \(f \in \mathcal R\) have coefficient vector \((f_0,\cdots ,f_{n-2})\) and \(g \in \mathcal R\) have coefficient vector \((g_0,\cdots ,g_{n-2})\). Then

$$\begin{aligned} \sum _{i=0}^{n-2}f_ig_i = \text {the constant coefficient of the polynomial}\ f(X)g^{\smallsmile }(X^{-1}). \end{aligned}$$

Proof

Let \((g'_0,\cdots ,g'_{n-2})\) be the coefficient vector of the polynomial \(g^{\smallsmile }\). Notice that the term \(X^n\) is equivalent to the identity element of \(\mathcal R\). Hence \(X^{-1}\) is equivalent to \(X^{n-1}\) when it comes to the algebraic computations over \(\mathcal R\). Then we have

$$\begin{aligned} f(X)g^{\smallsmile }(X^{-1}) = f(X)g^{\smallsmile }(X^{n-1})= \sum _{i,j\in {\{}{0,\cdots ,n-2}{\}}} f_ig'_j X^{i+(n-1)j}. \end{aligned}$$

The constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) is only contributed by the term \(X^{i+(n-1)j}\) with \(i+(n-1)j = 0,n-1\bmod n\), i.e. \(i=j\text { or }j-1\). Note that \(X^{n-1}=-(X^{n-2}+\cdots +1)\), thus the constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) equals \(\sum _{i=0}^{n-2}f_ig'_i - \sum _{i=0}^{n-3}f_ig'_{i+1} = \sum _{i=0}^{n-3}f_i(g'_{i}-g'_{i+1}) + f_{n-2}g'_{n-2}\). The terms \(\{g'_{i}-g'_{i+1}\}_{i=0}^{n-3}\) and \(g'_{n-2}\) are the coefficients of the polynomial \((g^{\smallsmile })^{\smallfrown } = g\). Consequently, the constant coefficient of \(f(X)g^{\smallsmile }(X^{-1})\) equals \(\sum _{i=0}^{n-2}f_ig_i\).     \(\square \)

Corollary 1

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(\mathbf {s}= (s_1, \cdots , s_m) \in \mathcal R^m\) and \(\mathbf {t}= (t_1, \cdots , t_m) \in \mathcal R^m\), we have

$$\begin{aligned} \langle \mathbf {s}, \mathbf {t}\rangle = \text {the constant coefficient of the polynomial}\ \sum _{i=1}^{m}s_i(X)t_i^{\smallsmile }(X^{-1}). \end{aligned}$$

Remark

For the ring \(\mathbb {Z}[X]/(X^n+1)\), the Euclidean inner product of any two elements f and g equals the constant coefficient of the polynomial \(f(X)g(X^{-1})\), which is simpler than the case in our discussion. The rather involved expression of Euclidean inner product contributes to a sequence of technical differences compared to that in [33].

Now we introduce several norms and demonstrate some relations among them. For any \(t \in \mathcal R\), we define its \(\mathrm {T}_2\)-norm by \(\mathrm {T}_2(t)^2 = \sum _{i=1}^{n-1} |t(\xi _n^i)|^2\) and its algebraic norm by \({{\mathrm{N}}}(t) = \prod _{i=1}^{n-1} |t(\xi _n^i)|\). We also define the polynomial norm \(\Vert t\Vert \) as the Euclidean norm of the coefficient vector of t.

Lemma 7

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(t \in \mathcal R\), we have

$$\begin{aligned} {{\mathrm{N}}}(t)^{\frac{2}{n-1}} \le \frac{1}{n-1} \mathrm {T}_2(t)^2 \ \ \ \text {and} \ \ \ \Vert t\Vert ^2 = \frac{\mathrm {T}_2(t)^2 + t(1)^2}{n} \ge \frac{\mathrm {T}_2(t)^2}{n}. \end{aligned}$$

Proof

The first inequality follows directly from the arithmetic-geometric mean inequality. Since \(\Vert t\Vert ^2 = \frac{\sum _{i=0}^{n-1}|t(\xi _n^i)|^2}{n} = \frac{\mathrm {T}_2(t)^2 + t(1)^2}{n}\) is Parseval’s identity [35], the second one follows immediately, as \(t(1)^2 \ge 0\).     \(\square \)

Moreover, we present the following result to illustrate that the product of two polynomials in \(\mathcal R\) is of well-bounded norm.

Lemma 8

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any \(f, g \in \mathcal R\), we have

$$\begin{aligned} \Vert f g\Vert _\infty \le 2\Vert f\Vert \Vert g\Vert \ \ \ \text {and} \ \ \ \Vert f g\Vert \le 2\sqrt{n-1}\Vert f\Vert \Vert g\Vert . \end{aligned}$$

Proof

Let \(\mathcal R' = \mathbb {Z}[X]/(X^n-1)\) and let \(f', g'\in \mathcal R'\) be the polynomials with the same coefficients as f and g respectively, i.e. their coefficients of \(X^{n-1}\) are 0. Let \(h' = \sum _{i=0}^{n-1}h_i'X^i\) be the product of \(f'\) and \(g'\) in \(\mathcal R'\), where \(h_i' \in \mathbb {Z}\) for \(i \in {\{}{0,\cdots ,n-1}{\}}\). Let \(h = f\cdot g \in \mathcal R\). Since \(\varPhi _n(X)\) is a factor of \(X^n-1\), we know that \(h' \bmod \varPhi _n(X) = h \in \mathcal R\), i.e. \(h = h' \bmod \varPhi _n(X) = \sum _{i=0}^{n-2} (h_i'-h_{n-1}')X^i\).

Let \((f_0,\cdots ,f_{n-2})\) and \((g_0,\cdots ,g_{n-2})\) be the coefficient vectors of f and g. We also set \(f_{n-1} = g_{n-1} = 0\). For any \(i \in \{0,\cdots ,n-1\}\), we have \(h_i' = \sum _{j=0}^{n-1}{f_jg_{(i-j)\bmod n}}\). By Cauchy-Schwarz inequality, we know that \(|h_i'| \le \Vert f\Vert \Vert g\Vert \). Therefore

$$\begin{aligned} \Vert h\Vert _{\infty } = \max _{0\le i \le n-2}|h_i'-h_{n-1}'| \le \max _{0\le i \le n-2}(|h_i'|+|h_{n-1}'|) \le 2\Vert f\Vert \Vert g\Vert . \end{aligned}$$

By equivalence of norms, we conclude that \(\Vert h\Vert \le \sqrt{n-1} \Vert h\Vert _{\infty } \le 2\sqrt{n-1}\Vert f\Vert \Vert g\Vert \).    \(\square \)

Remark

The second inequality shows that the multiplicative expansion factor of \(\mathcal R\), which is \(\gamma _{\times }(\mathcal R) = \max _{f,g\in \mathcal R} \frac{\Vert fg\Vert }{\Vert f\Vert \Vert g\Vert }\), is at most \(2\sqrt{n-1}\). This is comparable, in the asymptotic sense, to that of power-of-2 cyclotomic rings, as the expansion factor of the ring \(\mathbb {Z}[X]/(X^n+1)\) is exactly \(\sqrt{n}\) (see [13]).

3.2 Duality Results for Module Lattices

In [33], Stehlé and Steinfeld reveal a nice duality between two module lattices for the n-th cyclotomic ring with n a power of 2. However, that duality cannot simply be generalized to the case of prime cyclotomic rings. Next, we propose a new duality relationship between two module lattices for a prime cyclotomic ring.

To begin with, we introduce a few families of \(\mathcal R\)-modules. Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). We denote by \({\{}{\phi _i}{\}}_{i=1,\cdots ,n-1}\) all roots of \(\varPhi _n(X)\) modulo q. Note that if \(\phi \) is a root of \(\varPhi _n(X)\) modulo q, then so is \(\phi ^{-1} \bmod q\). By the Chinese Remainder Theorem, we see that

$$\begin{aligned} \mathcal R_q \simeq \mathbb {Z}_q[X]/(X-\phi _1) \times \cdots \times \mathbb {Z}_q[X]/(X-\phi _{n-1}) \simeq (\mathbb {Z}_q)^{n-1}. \end{aligned}$$

From this, we see that each ideal of \(\mathcal R_q\) is of the form \(\prod _{i\in S}(X-\phi _i)\cdot \mathcal R_q\) with \(S\subseteq {\{}{1,\cdots ,n-1}{\}}\), and we denote it by \(I_S\). Let \(\mathcal R_q^{\times }\) be the set of all invertible elements of \(\mathcal R_q\). Given \(\mathbf {a}\in \mathcal R_q^m\), we define two \(\mathcal R\)-modules \(\mathbf {a}^{\perp }(I_S)\) and \(\mathcal {L}(\mathbf {a}, I_S)\) in exactly the same manner as in [33]:

$$\begin{aligned} \mathbf {a}^{\perp }(I_S) := \left\{ (t_1, \cdots , t_m) \in \mathcal R^m | \ \ \forall i, (t_i\bmod q) \in I_S\ \text { and }\ \sum _{i=1}^{m} t_ia_i = 0\bmod q\right\} , \end{aligned}$$
$$\begin{aligned} \mathcal {L}(\mathbf {a}, I_S) := \left\{ (t_1, \cdots , t_m) \in \mathcal R^m | \ \ \exists s \in \mathcal R_q, \forall i, (t_i\bmod q)=a_i\cdot s\bmod I_S\right\} . \end{aligned}$$

Then we can define a new \(\mathcal R\)-module \(\mathcal {L}^{^{\smallfrown }}(\mathbf {a}, I_S)\) to be

$$\begin{aligned} \mathcal {L}^{^{\smallfrown }}(\mathbf {a}, I_S) := \left\{ (t_1, \cdots , t_m) \in \mathcal R^m | (t_1^{\smallsmile },\cdots ,t_m^{\smallsmile }) \in \mathcal {L}(\mathbf {a}, I_S)\right\} . \end{aligned}$$

Module lattices \(\mathbf {a}^{\perp }(I_S)\) and \(\mathcal {L}^{^{\smallfrown }}(\mathbf {a}, I_S)\) can be related by duality argument. More precisely,

Lemma 9

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Given \(S\subseteq {\{}{1,\cdots , n-1}{\}}\) and \(\mathbf {a}\in \mathcal R_q^m\), let \(\mathbf {a}^{\times } \in \mathcal R_q^m\) be defined by \(a_i^{\times } = a_i(X^{-1})\) and \(I_{\bar{S}}^{\times }\) be the ideal \(\prod _{i\in \bar{S}}(X-\phi _i^{-1})\cdot \mathcal R_q\) where \(\bar{S}\) is the complement of \(S\). Then (considering both sets as \(m(n-1)\)-dimensional lattices by identifying \(\mathcal R\) with \(\mathbb {Z}^{n-1}\))

$$\begin{aligned} \widehat{\mathbf {a}^{\perp }(I_{S})} = \frac{1}{q}\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times }). \end{aligned}$$

Proof

Firstly, we prove that \(\frac{1}{q}\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times }) \subseteq \widehat{\mathbf {a}^{\perp }(I_{S})}\). For any \(\mathbf {t}= (t_1,\cdots ,t_m) \in \mathbf {a}^{\perp }(I_{S})\) and \(\mathbf {t}' = (t'_1,\cdots , t'_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), Corollary 1 says that their inner product \(\langle \mathbf {t},\mathbf {t}'\rangle \) equals the constant coefficient of the polynomial \(\sum _{i=1}^{m}t_i(X)t'^{\smallsmile }_i(X^{-1})\). According to the definition of \(\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) and Proposition 1, there exists \(s \in \mathcal R_q\) such that \((t'^{\smallsmile }_i\bmod q) = a_i^{\times }\cdot s + b'_i\) for some \(b'_i \in I_{\bar{S}}^{\times }\). Then we get

$$\begin{aligned} \sum _{i=1}^{m}t_i(X)t'^{\smallsmile }_i(X^{-1}) = s(X^{-1})\cdot \sum _{i=1}^{m}t_i(X)a_i(X) + \sum _{i=1}^{m}t_i(X)b'_i(X^{-1}) \bmod q. \end{aligned}$$

Both sums on the right-hand side evaluate to 0 in \(\mathcal R_q\), which means that \(\langle \mathbf {t},\mathbf {t}'\rangle = 0 \bmod q\). This finishes the proof of the first inclusion.

Secondly, it suffices to prove that \(\widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })} \subseteq \frac{1}{q}\mathbf {a}^{\perp }(I_{S})\). For any \(\mathbf {t}\in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) and \(\mathbf {t}' \in \widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })}\), the constant coefficient of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1}) = \langle \mathbf {t}',\mathbf {t}\rangle \) is an integer by duality. Notice that if \((t_1,\cdots ,t_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), then \(\left( (t_1^{\smallsmile }\cdot X^k)^{\smallfrown },\cdots , (t_m^{\smallsmile }\cdot X^k)^{\smallfrown }\right) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\). Thus, for \(k \in {\{}{1,\cdots ,n-2}{\}}\), the constant coefficient of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1})X^{-k}\) is also an integer, which implies that all coefficients of \(\sum _{i=1}^{m}t'_i(X) t_i^{\smallsmile }(X^{-1})\) are integers. For any \((t_1, \cdots , t_m) \in \widehat{\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })}\), we deduce from the fact \((q^{\smallfrown },0,\cdots ,0) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\) that \(qt_1 \in \mathbb {Z}^{n-1}\). Let \(\nu _{I_{\bar{S}}^{\times }}\) be the polynomial \(\prod _{i \in \bar{S}}(X-\phi _i^{-1})\). Since \(\left( \nu ^{\smallfrown }_{I_{\bar{S}}^{\times }}, 0, \cdots , 0\right) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\), we obtain \(qt_1(X) \cdot \nu _{I_{\bar{S}}^{\times }}(X^{-1}) = 0 \bmod \mathcal R_q\), which means \((qt_1 \bmod q) \in I_{S}\). For the same reason, we have \((qt_i \bmod q) \in I_{S}\) for any \(i \in {\{}{1,\cdots ,m}{\}}\). 
If we set \(s = 1\), then \((a^{\times \smallfrown }_1,\cdots ,a^{\times \smallfrown }_m) \in \mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\). It shows that the polynomial \(\sum _{i=1}^{m}\left( qt_i(X)a_i(X)\right) = q\sum _{i=1}^{m}\left( t_i(X)a_i^{\times }(X^{-1})\right) = 0 \bmod q\). Combining the fact that \((qt_i \bmod q)\in I_{S}\), we conclude that \(q(t_1,\cdots ,t_m) \in \mathbf {a}^{\perp }(I_{S})\). The proof is completed.     \(\square \)

Remark

The above duality result differs from the one proven in [33] because the inner product has a more involved form. We follow the original ideas of [33] but add details to handle the technical differences.

3.3 On the Absence of Unusually Short Vector in \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\)

We now show that for , the first minimum of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) for the \(\ell _\infty \) norm is overwhelmingly unlikely to be unusually small. First we observe that the lattice \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) is obtained from the lattice \(\mathcal {L}(\mathbf {a}, I_{S})\) by a linear transformation. To describe it, we define a matrix \(\mathbf {H}\in \mathbb {Z}^{m(n-1) \times m(n-1)}\) as

$$\begin{aligned} \mathbf {H}= \left( \begin{array}{ccccc} 1 & & & & \\ -1 & 1 & & & \\ & -1 & \ddots & & \\ & & \ddots & 1 & \\ & & & -1 & 1 \\ \end{array} \right) \otimes \mathbf {Id}_{m}, \end{aligned}$$

where \(\mathbf {Id}_{m}\) is the m-dimensional identity matrix. Let \(\mathbf {B}\in \mathbb {Z}^{m(n-1)\times m(n-1)}\) be a basis of \(\mathcal {L}(\mathbf {a}, I_{S})\) whose rows are the basis vectors; then \(\mathbf {B}' = \mathbf {B}\cdot \mathbf {H}\) is a basis of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\). Since \(\det \mathbf {H} = 1\), the lattices \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) and \(\mathcal {L}(\mathbf {a}, I_{S})\) have the same volume, i.e. \(\det \left( \mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\right) = \det \left( \mathcal {L}(\mathbf {a}, I_{S})\right) = q^{(m-1)|S|}\); the last equality holds because there are \(q^{m(n-1-|S|)+|S|}\) points of \(\mathcal {L}(\mathbf {a}, I_{S})\) in the cube \([0, q-1]^{m(n-1)}\). Moreover, the first minima of these two lattices are not expected to differ significantly. Hence we first present a result on \(\mathcal {L}(\mathbf {a}, I_{S})\), which is the prime cyclotomic analogue of Lemma 8 in [33].

Lemma 10

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2\) and \(\epsilon > 0\), set

$$\begin{aligned} \beta := 1- \frac{1}{m} + \frac{1-\sqrt{1+4m(m-1)\left( 1-\frac{|S|}{n-1}\right) +4m\epsilon }}{2m} \ge 1- \frac{1}{m} - \epsilon - (m-1)\left( 1-\frac{|S|}{n-1}\right) \!, \end{aligned}$$

then we have \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) \ge \frac{1}{\sqrt{n}}q^{\beta }\) with probability \(\ge 1-\frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) over the uniformly random choice of \(\mathbf {a}\) in \((\mathcal R_q^{\times })^m\).

Remark

The above lemma can be shown by following the original idea, with some slight modifications to the inequalities relating different norms in prime cyclotomic rings. For completeness, we give a proof in Appendix A. Note that our statement of the lemma is essentially the same as Lemma 8 of [33]; this is primarily because the Euclidean and algebraic norms are related in a simple way in both prime and power-of-2 cyclotomic rings.

Next, we shall show that the first minimum \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S}))\) is at most \(\frac{n}{2}\) times that of \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\).

Lemma 11

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Then, for any \(\mathbf {a}\in (\mathcal R_q^{\times })^m\) and \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), we have

$$\begin{aligned} \lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) \le \frac{n-1}{2}\lambda _1^{\infty }(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})). \end{aligned}$$

Proof

We first show that \(\Vert X^{\frac{n-1}{2}}t^{\smallsmile }\Vert _{\infty } \le \frac{n-1}{2}\Vert t\Vert _{\infty }\) for any \(t\in \mathcal R\). Let \((t_0,\cdots ,t_{n-2})\) be the coefficient vector of t. We denote by \((t_0^{\smallsmile },\cdots ,t_{n-2}^{\smallsmile })\) and \((t_0',\cdots ,t_{n-2}')\) the coefficient vectors of the polynomials \(t^{\smallsmile }\) and \(X^{\frac{n-1}{2}}t^{\smallsmile }\), then:

From \(t_i^{\smallsmile } = \sum _{j=i}^{n-2}t_j\), we get

Notice that each \(t_i'\) is a sum of consecutive \(t_j\)’s of length at most \(\frac{n-1}{2}\), thus \(\Vert X^{\frac{n-1}{2}}t^{\smallsmile }\Vert _{\infty } = \max _{i}{|t_i'|} \le \frac{n-1}{2}\max _{i}{|t_i|}=\frac{n-1}{2}\Vert t\Vert _{\infty }\) holds.

For any \(\mathbf {s}= (s_1,\cdots , s_m) \in \mathcal {L}^\smallfrown (\mathbf {a}, I_{S})\), the vector \(\mathbf {s}^\smallsmile = (s_1^\smallsmile ,\cdots ,s_m^\smallsmile )\) belongs to \(\mathcal {L}(\mathbf {a}, I_{S})\) and thus the vector \(\mathbf {s}' = \left( X^{\frac{n-1}{2}}s_1^\smallsmile ,\cdots ,X^{\frac{n-1}{2}}s_m^\smallsmile \right) \) is also in \(\mathcal {L}(\mathbf {a}, I_{S})\). Then

$$\begin{aligned} \Vert \mathbf {s}'\Vert _{\infty } = \max _i{\Vert X^{\frac{n-1}{2}}s_i^\smallsmile \Vert _{\infty }} \le \frac{n-1}{2}\max _i{\Vert s_i\Vert _{\infty }} = \frac{n-1}{2}\Vert \mathbf {s}\Vert _{\infty }. \end{aligned}$$

Since for any \(\mathbf {r}\in \mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) there exists a unique \(\mathbf {s}\in \mathcal {L}(\mathbf {a}, I_{S})\) such that \(\mathbf {r}= \mathbf {s}^{\smallfrown }\), we conclude that \(\lambda _1^{\infty }(\mathcal {L}(\mathbf {a}, I_{S})) \le \frac{n-1}{2}\lambda _1^{\infty }(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S}))\).     \(\square \)

Lemmata 10 and 11 lead to the following result on \(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})\) immediately.

Lemma 12

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2\) and \(\epsilon > 0\), set

$$\begin{aligned} \beta := 1- \frac{1}{m} + \frac{1-\sqrt{1+4m(m-1)\left( 1-\frac{|S|}{n-1}\right) +4m\epsilon }}{2m} \ge 1- \frac{1}{m} - \epsilon - (m-1)\left( 1-\frac{|S|}{n-1}\right) \!, \end{aligned}$$

then we have \(\lambda _1^{\infty }(\mathcal {L}^{\smallfrown }(\mathbf {a}, I_{S})) \ge \frac{2}{(n-1)\sqrt{n}}q^{\beta }\) with probability \(\ge 1-\frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) over the uniformly random choice of \(\mathbf {a}\) in \((\mathcal R_q^{\times })^m\).

3.4 Results on Regularity

Let \(\mathbb {D}_{\chi }\) be the distribution of the tuple \((a_1,\cdots ,a_m, \sum _{i=1}^m{t_ia_i}) \in (\mathcal R_q^{\times })^m \times \mathcal R_q\) with \(a_i\)’s being independent and uniformly random in \(\mathcal R_q^{\times }\) and \(t_i\)’s being sampled from the distribution \(\chi \) over \(\mathcal R_q\). We call the statistical distance between \(\mathbb {D}_{\chi }\) and the uniform distribution over \((\mathcal R_q^{\times })^m \times \mathcal R_q\) the regularity of the generalized knapsack function \((t_1,\cdots ,t_m) \mapsto \sum _{i=1}^m{t_ia_i}\). In [27], Micciancio gave some results on regularity for general finite rings and constructed a class of one-way functions. In [33], an improved result was claimed for the ring \(\mathbb {Z}[X]/(X^n+1)\) with n a power of 2 and a Gaussian distribution \(\chi \).

We now derive the regularity result for prime cyclotomic rings. It provides a security foundation for further cryptographic primitives based on prime cyclotomic rings. In the remainder of the paper, we concentrate on the \(\mathsf {NTRU}\) application, which corresponds to the case \(m = 2\).

Lemma 13

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(S\subseteq {\{}{1,\cdots , n-1}{\}}\), \(m \ge 2, \epsilon > 0, \delta \in (0,\frac{1}{2})\), \(\mathbf {c}\in \mathbb {R}^{m(n-1)}\) and , with \(r \ge \frac{n-1}{2}\sqrt{\frac{n\ln (2m(n-1)(1+1/\delta ))}{\pi }}\cdot q^{\frac{1}{m}+(m-1)\frac{|S|}{n-1}+\epsilon }\). Then for all except a fraction \(\le \frac{2^{n-1}}{(q-1)^{\epsilon (n-1)}}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), we have

$$\begin{aligned} \varDelta \left( \mathbf {t}\bmod \mathbf {a}^{\perp }(I_{S}); U(\mathbb {Z}^{m(n-1)}/\mathbf {a}^{\perp }(I_{S}))\right) \le 2\delta . \end{aligned}$$

In particular, for all except a fraction \(\le 2^{n-1}(q-1)^{-\epsilon (n-1)}\) of \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), we have

$$\begin{aligned} \left| D_{\mathbb {Z}^{m(n-1)},r,\mathbf {c}}(\mathbf {a}^{\perp }(I_{S})) - q^{-(n-1)-(m-1)|S|}\right| \le 2\delta . \end{aligned}$$

Proof

By combining Lemmata 2, 4, 9 and 12, the first part follows. For \(\mathbf {a}\in (\mathcal R_q^{\times })^m\), the lattice \(\mathbf {a}^{\perp }(I_{S})\) is of the volume \(\det \left( \mathbf {a}^{\perp }(I_{S})\right) = \det \left( \frac{1}{q}\mathcal {L}^{\smallfrown }(\mathbf {a}^{\times }, I_{\bar{S}}^{\times })\right) ^{-1} = q^{m(n-1)}/q^{(m-1)(n-1-|S|)} = q^{n-1+(m-1)|S|}\). Notice that \(|\mathbb {Z}^{m(n-1)}/\mathbf {a}^{\perp }(I_{S})| = \det \left( \mathbf {a}^{\perp }(I_{S})\right) \), thus we complete the proof of the second part.     \(\square \)

Remark

Our regularity result is stated under the coefficient embedding. We have also considered the canonical embedding and generalized some results of [26]. In the latter case, for \(\delta = q^{-\epsilon n}\) with \(\epsilon \in (0,1)\), the polynomial factor in the lower bound on the required width is reduced from \(O(n^{2})\) in Lemma 13 to \(O(n^{1.5})\), and the exponent can also be slightly smaller. However, our key result, Theorem 2 in the next section, requires the parameter \(\delta \) in Lemma 13 to be very small. Under the canonical embedding and with \(\delta =q^{-n-\epsilon n}\), a comparable result is not currently available. Thus we only work with the coefficient embedding in this paper and leave the corresponding results to future work.

3.5 Bounded Gap of Ideal Lattices

Let \(I\) be an ideal of the n-th cyclotomic ring and \(\mathcal {L}_I\) be the ideal lattice corresponding to \(I\) (under the coefficient embedding). For the case that n is a power of 2, one has \(\lambda _{\varphi (n)}(\mathcal {L}_I) = \lambda _1(\mathcal {L}_I)\). For n being a prime, however, we do not know whether this nice property holds or not, but we are able to show that the gap between \(\lambda _{n-1}(\mathcal {L}_I)\) and \(\lambda _1(\mathcal {L}_I)\) is bounded by \(\sqrt{n}\).

Lemma 14

Let n be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For any non-zero ideal \(I\) of \(\mathcal R\), we have:

$$\begin{aligned} \lambda _{n-1}(\mathcal {L}_{I}) \le \sqrt{n} \cdot \lambda _1(\mathcal {L}_{I}). \end{aligned}$$

Proof

Let \(\mathbf {a}= (a_0,\cdots ,a_{n-2})\) be a non-zero shortest vector of \(\mathcal {L}_{I}\) and \(a \in \mathcal R\) be the polynomial of coefficient vector \(\mathbf {a}\). Then the polynomial \(X^k\cdot a\) also induces a vector of \(\mathcal {L}_{I}\) denoted by \(\mathbf {a}^{(k)}=\left( a^{(k)}_0,\cdots ,a^{(k)}_{n-2}\right) \). For any \(k \in {\{}{1,\cdots ,n-2}{\}}\), the coordinates of \(\mathbf {a}^{(k)}\) can be represented by the \(a_i\)’s as follows:

$$\begin{aligned}a^{(k)}_i= {\left\{ \begin{array}{ll} a_{n-k+i}-a_{n-1-k}, & i < k-1\\ -a_{n-1-k}, & i=k-1 \\ a_{i-k}-a_{n-1-k}, & i>k-1\end{array}\right. }. \end{aligned}$$

Then, we have

$$\begin{aligned} \Vert \mathbf {a}^{(k)}\Vert&= \sqrt{\sum _{i=0}^{n-2}a_i^2 - 2a_{n-1-k}(\sum _{i \ne n-1-k} a_i) + (n-2)a_{n-1-k}^2}\\&\le \sqrt{\sum _{i=0}^{n-2}a_i^2 + (n-1)a_{n-1-k}^2 + (\sum _{i \ne n-1-k} a_i)^2}\\&\le \sqrt{\sum _{i=0}^{n-2}a_i^2 + (n-1)a_{n-1-k}^2 + (n-2)(\sum _{i \ne n-1-k} a_i^2)}\\&\le \sqrt{n} \cdot \Vert \mathbf {a}\Vert . \end{aligned}$$

All these \(\mathbf {a}^{(k)}\)’s together with \(\mathbf {a}\) are linearly independent, since multiplication by the non-zero element a is injective on \(\mathcal R\) (\(\varPhi _n(X)\) is irreducible over \(\mathbb {Q}\)) and \(1, X, \cdots , X^{n-2}\) are linearly independent. We conclude that \(\lambda _{n-1}(\mathcal {L}_{I}) \le \sqrt{n} \cdot \lambda _1(\mathcal {L}_{I})\).     \(\square \)
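The following added Python example (not code from the paper) makes the constructions in the proofs of Lemma 11 and Lemma 14 concrete for \(n = 7\): the suffix-sum map \(t \mapsto t^{\smallsmile }\) and its inverse \(t \mapsto t^{\smallfrown }\) (multiplication of the coefficient row vector by the matrix \(\mathbf {H}\) of Sect. 3.3; both maps are taken as assumptions from the relations displayed there), the vector \(X^{\frac{n-1}{2}}t^{\smallsmile }\) whose \(\ell _\infty \) norm is bounded in the proof of Lemma 11, and the rotations \(\mathbf {a}^{(k)}\) of the proof of Lemma 14 with their closed-form coordinates, norm bound and linear independence checked exactly over \(\mathbb {Q}\). The sample vectors are constructed for the example.

```python
"""Added illustration of the proofs of Lemma 11 and Lemma 14 (not the paper's code).
Elements of Z[X]/Phi_n(X) are length-(n-1) coefficient lists (1, X, ..., X^{n-2}).
The maps smallsmile (suffix sums) and smallfrown (row vector times H) are assumed
from the relations displayed in Sect. 3.3 of the paper."""
from fractions import Fraction
import math


def rotate(a, k):
    """Coefficients of X^k * a mod Phi_n: cyclic shift by k modulo X^n - 1 (with
    a_{n-1} = 0), then subtract the X^{n-1} coefficient from every entry."""
    n = len(a) + 1
    c = [0] * n
    for i, ai in enumerate(a):
        c[(i + k) % n] = ai
    return [c[i] - c[n - 1] for i in range(n - 1)]


def rotate_closed_form(a, k):
    """The explicit coordinates a^(k)_i of X^k * a given in the proof of Lemma 14."""
    n, pivot = len(a) + 1, a[len(a) - k]          # pivot = a_{n-1-k}
    return [(a[n - k + i] - pivot) if i < k - 1 else
            (-pivot if i == k - 1 else a[i - k] - pivot) for i in range(n - 1)]


def smallsmile(t):
    """t_i^smallsmile = sum_{j >= i} t_j (proof of Lemma 11)."""
    return [sum(t[i:]) for i in range(len(t))]


def smallfrown(t):
    """Inverse map t_i - t_{i+1} with t_{n-1} = 0, i.e. the row vector t * H."""
    return [t[i] - (t[i + 1] if i + 1 < len(t) else 0) for i in range(len(t))]


def rotated_smallsmile(t):
    """X^{(n-1)/2} * t^smallsmile, the vector bounded in the proof of Lemma 11."""
    return rotate(smallsmile(t), len(t) // 2)


def inf_norm(v):
    return max(abs(x) for x in v)


def rank_over_q(rows):
    """Rank of an integer matrix by exact Gaussian elimination over Q."""
    m, rank = [[Fraction(x) for x in r] for r in rows], 0
    for col in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][col] != 0), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        for r in range(len(m)):
            if r != rank and m[r][col] != 0:
                factor = m[r][col] / m[rank][col]
                m[r] = [x - factor * y for x, y in zip(m[r], m[rank])]
        rank += 1
    return rank


def lemma14_check(a):
    """For non-zero a: the n-1 vectors a, a^(1), ..., a^(n-2) agree with the closed
    form, are linearly independent, and satisfy ||a^(k)|| <= sqrt(n) ||a||.
    Returns (closed form matches, rank, largest norm ratio ||a^(k)|| / ||a||)."""
    n = len(a) + 1
    vecs = [list(a)] + [rotate(a, k) for k in range(1, n - 1)]
    matches = all(rotate(a, k) == rotate_closed_form(a, k) for k in range(1, n - 1))
    norm = lambda v: math.sqrt(sum(x * x for x in v))
    return matches, rank_over_q(vecs), max(norm(v) for v in vecs) / norm(a)


def lemma11_check(t):
    """||X^{(n-1)/2} t^smallsmile||_inf / ||t||_inf, bounded by (n-1)/2 in Lemma 11's proof."""
    return inf_norm(rotated_smallsmile(t)) / inf_norm(t)
```

For the constructed vector \(t = (3,-1,4,1,-5,9)\) the rotated suffix-sum vector is \((-1,4,-5,6,3,4)\): every entry is a signed sum of at most \((n-1)/2 = 3\) consecutive \(t_j\)'s, exactly as the proof of Lemma 11 states. For \(\mathbf {a} = (1,-1,0,2,0,1)\), `lemma14_check` confirms that the six rotations have rank 6 and that none is longer than \(\sqrt{7}\,\Vert \mathbf {a}\Vert \).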

Returning to the ring \(\mathcal R_q\) and combining Lemma 14 with Minkowski’s theorem, we obtain the following corollary.

Corollary 2

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(S\subseteq {\{}{1,\cdots , n-1}{\}}\) and denote by \(\mathcal {L}_{I_S}\) the lattice generated by the ideal \(\langle q,\prod _{i\in S}(X-\phi _i)\rangle \). Then

$$\begin{aligned} \lambda _{n-1}(\mathcal {L}_{I_S}) \le \sqrt{n} \cdot \lambda _1(\mathcal {L}_{I_S}) \le n\cdot q^{\frac{|S|}{n-1}}. \end{aligned}$$

4 Revised \(\mathsf {NTRUEncrypt}\) over Prime Cyclotomic Rings

In this section, we describe a variant of \(\mathsf {NTRUEncrypt}\) over prime cyclotomic rings with provable security under a worst-case hardness assumption. The revised \(\mathsf {NTRUEncrypt}\) is determined by the parameters \(n, q, p, r, \alpha , k\) and denoted by \(\mathsf {NTRUEncrypt}\) \((n,q,p,r,\alpha ,k)\). First, we choose a prime \(n \ge 7\) and let \(\mathcal R\) be the ring \(\mathbb {Z}[X]/\varPhi _n(X)\). Then we pick a prime \(q = 1 \bmod n\) so that \(\varPhi _n(X) = \prod _{i=1}^{n-1}(X-\phi _i) \bmod q\) with distinct \(\phi _i\)’s, and let \(\mathcal R_q = \mathcal R/q\mathcal R\). The parameter \(p \in \mathcal R_q^{\times }\) is chosen to be of small norm, such as \(p=2,3\) or \(p=X+2\). The parameter r is the width of the discrete Gaussian distribution used for key generation. The parameters \(\alpha \) and k are used for \(\mathsf {RLWE} \) error generation. We list below the three main components of \(\mathsf {NTRUEncrypt}\) \((n,q,p,r,\alpha ,k)\):

  • Key Generation. Sample \(f'\) from \(D_{\mathbb {Z}^{n-1},r}\); if \(f = pf'+1 \bmod q \notin \mathcal R_q^{\times }\), resample. Sample g from \(D_{\mathbb {Z}^{n-1},r}\); if \(g \bmod q\notin \mathcal R_q^{\times }\), resample. Then return private key \(sk = f \in \mathcal R_q^{\times }\) with \(f = 1 \bmod p\) and public key \(pk = h = pg/f \in \mathcal R_q^{\times }\).

  • Encryption. Given message \(M \in \mathcal R/p\mathcal R\), let \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\), set and return ciphertext \(C = hs + pe + M \in \mathcal R_q\).

  • Decryption. Given ciphertext C and private key f, compute \(C' = f\cdot \, C \bmod q\) and return \(C' \bmod p\).
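As an added worked example (not the paper's own code), here is a toy instance of the three components above in Python. It assumes the small parameters \(n = 7\), \(q = 2003\) (a prime with \(q = 1 \bmod 7\), so \(\varPhi _7(X)\) splits modulo q) and \(p = 3\), and it replaces both the discrete Gaussian \(D_{\mathbb {Z}^{n-1},r}\) of key generation and the rounded \(\mathsf {RLWE} \) error distribution of encryption by a truncated discrete Gaussian drawn by rejection sampling. These parameters lie far below the bounds required by the theorems of this section; they serve only to make the arithmetic in \(\mathcal R_q\), the inversion of f and g, and the correctness of decryption concrete.

```python
"""Toy NTRUEncrypt(n, q, p, r, alpha, k) over Z[X]/Phi_n(X), n prime. Added example code,
not the paper's implementation. Ring elements are length-(n-1) integer lists holding the
coefficients of 1, X, ..., X^{n-2}, the representatives modulo Phi_n = 1 + X + ... + X^{n-1}."""
import math
import random

# Assumed toy parameters: n = 7, q = 2003 (prime, q = 1 mod 7, so Phi_7 splits mod q), p = 3.
# They sit far below the paper's requirements on r and q; WIDTH/TAIL define the truncated
# Gaussian used for f', g, s and e (a simplification of the paper's samplers).
N, Q, P = 7, 2003, 3
WIDTH, TAIL = 1.5, 2


def centered(x, m):
    return ((x + m // 2) % m) - m // 2        # representative in [-(m-1)/2, (m-1)/2], m odd


def ring_mul(a, b, n=N):
    """Product in Z[X]/Phi_n(X): cyclic convolution mod X^n - 1, then X^{n-1} = -(1+...+X^{n-2})."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return [c[i] - c[n - 1] for i in range(n - 1)]


def mul_mod_q(a, b, q=Q):
    return [centered(x, q) for x in ring_mul(a, b)]


def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a


def _poly_divmod(a, b, q):
    """Quotient and remainder in F_q[X]; polynomials are low-to-high coefficient lists."""
    a, b = _trim([x % q for x in a]), _trim([x % q for x in b])
    quot, inv_lead = [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], -1, q)
    while len(a) >= len(b):
        coef, shift = a[-1] * inv_lead % q, len(a) - len(b)
        quot[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % q
        _trim(a)
    return _trim(quot), a


def ring_inverse(a, q=Q, n=N):
    """Inverse of a in R_q = F_q[X]/Phi_n(X) by extended Euclid; None if a is not a unit."""
    phi = [1] * n
    r0, r1 = phi[:], _trim([x % q for x in a])
    s0, s1 = [], [1]                          # invariant: s_i * a = r_i (mod Phi_n, q)
    while r1:
        quot, rem = _poly_divmod(r0, r1, q)
        diff = [0] * max(len(s0), len(quot) + len(s1))
        for i, x in enumerate(s0):
            diff[i] += x
        for i, qi in enumerate(quot):
            for j, sj in enumerate(s1):
                diff[i + j] -= qi * sj
        r0, r1, s0, s1 = r1, rem, s1, _trim([x % q for x in diff])
    if len(r0) != 1:                          # gcd(a, Phi_n) has positive degree
        return None
    _, u = _poly_divmod([x * pow(r0[0], -1, q) for x in s0], phi, q)
    return [centered(x, q) for x in u] + [0] * (n - 1 - len(u))


def sample_small(rng, width=WIDTH, tail=TAIL, n=N):
    """Truncated discrete Gaussian on Z^{n-1}: weight exp(-pi x^2/width^2) on [-tail, tail]."""
    out = []
    while len(out) < n - 1:
        x = rng.randint(-tail, tail)
        if rng.random() < math.exp(-math.pi * x * x / width ** 2):
            out.append(x)
    return out


def keygen(rng):
    """Key Generation: resample f = p f' + 1 and g until both are units of R_q; h = p g / f."""
    while True:
        f = [P * x for x in sample_small(rng)]
        f[0] += 1                             # f = 1 mod p
        f_inv = ring_inverse(f)
        if f_inv is not None:
            break
    while True:
        g = sample_small(rng)
        if ring_inverse(g) is not None:
            break
    return f, g, mul_mod_q([P * x for x in g], f_inv)


def encrypt(rng, h, msg):
    """Encryption: C = h s + p e + M in R_q, with s, e from the truncated Gaussian."""
    s, e = sample_small(rng), sample_small(rng)
    hs = ring_mul(h, s)
    return [centered(hs[i] + P * e[i] + msg[i], Q) for i in range(N - 1)]


def decrypt(f, ctxt):
    """Decryption: C' = f C mod q (centred), then mod p. With the truncations above
    ||p g s + p f e + f M||_inf <= 732 < q/2, so C' = p g s + p f e + f M over Z and
    C' mod p = f M mod p = M because f = 1 mod p."""
    return [centered(x, P) for x in mul_mod_q(f, ctxt)]


def roundtrip(seed=2024):
    """Keys, a random M in R/pR (coefficients in {-1,0,1}), its decryption, and h f = p g."""
    rng = random.Random(seed)
    f, g, h = keygen(rng)
    msg = [centered(rng.randint(0, P - 1), P) for _ in range(N - 1)]
    key_ok = mul_mod_q(f, h) == [centered(P * x, Q) for x in g]
    return msg, decrypt(f, encrypt(rng, h, msg)), key_ok
```

Calling `roundtrip()` returns the message, its decryption and a flag confirming \(fh = pg\) in \(\mathcal R_q\). The step that differs from the classical ring \(\mathbb {Z}[X]/(X^n-1)\) is the reduction in `ring_mul`: after the cyclic convolution, the coefficient of \(X^{n-1}\) is subtracted from all others, so a product's \(\ell _\infty \) norm can grow by a factor of \(2(n-1)\) rather than n; the bound quoted in `decrypt` accounts for that.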

Next we explain when and why the scheme works and how to assess its security.

4.1 Key Generation

In the above key generation algorithm, we generate the polynomials f and g with a discrete Gaussian sampler. Lemma 5 provides a sampler whose output distribution is within exponentially small statistical distance of a given discrete Gaussian. The conditions in our results are in fact more demanding than those in Lemma 5. Ignoring this negligible impact, we assume that we have a polynomial-time perfect discrete Gaussian sampler.

To ensure that both f and g are invertible modulo q, we may need to resample a number of times. The following result shows that the key generation algorithm terminates in expected polynomial time for suitably chosen parameters.

Lemma 15

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Let q be a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). For any \(\delta \in (0,1/2)\), let \(r \ge n\sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\cdot q^{1/(n-1)}\). Then

holds for \(a \in \mathcal R\) and \(p \in \mathcal R_q^{\times }\).

Proof

It suffices to bound the probability that \(p\cdot f' + a\) belongs to \(I:= \langle q,X-\phi _k\rangle \) by \((1/q+2\delta )\) for any \(k \le n-1\). First we have \(\lambda _{n-1}(\mathcal {L}_{I}) \le nq^{\frac{1}{n-1}}\) by Corollary 2 since the ideal I corresponds to \(I_{\{k\}}\). This, together with Lemma 1, implies that \(r \ge \eta _{\delta }(\mathcal {L}_{I})\). Applying Lemma 4, we have that the probability of \(p\cdot f' + a = 0 \bmod I\) does not exceed \(1/q+2\delta \).     \(\square \)

Next, we claim that the norms of f and g are small with overwhelming probability.

Lemma 16

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(r \ge n\sqrt{\frac{2\ln (6(n-1))}{\pi }}\cdot q^{1/(n-1)}\). The secret key polynomials f, g satisfy, with probability \(\ge 1-2^{-n+4}\),

$$\begin{aligned} \Vert f\Vert \le 2n\Vert p\Vert r \quad \text {and} \quad \Vert g\Vert \le \sqrt{n-1}r. \end{aligned}$$

If \(\deg p = 0\), then \(\Vert f\Vert \le 2\sqrt{n-1} \cdot \Vert p\Vert r\) with probability \(\ge 1-2^{-n+4}\).

Proof

Setting \(\delta = \frac{1}{10(n-1)-1}\), we get \(r \ge \sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\) from the assumption. Applying Lemma 1 to \(\mathbb {Z}^{n-1}\), we know that \(r \ge \eta _\delta (\mathbb {Z}^{n-1})\). Therefore, we can use Lemma 3 to get

Since \(r \ge n\sqrt{\frac{\ln (2(n-1)(1+1/\delta ))}{\pi }}\cdot q^{1/(n-1)}\), Lemma 15 yields

This means that the norm of the key polynomial g is less than \(r\sqrt{n-1}\) with probability \(\ge \) \(1-2^{4-n}\). The same argument holds true for the polynomial \(f'\) such that \(f = p\cdot f'+1\).

If \(\deg p = 0\), we have \(\Vert f\Vert \le 1 + \Vert p\Vert \Vert f'\Vert \le 2\Vert p\Vert r\sqrt{n-1}\) with probability \(\ge \) \(1-2^{4-n}\). For general cases, applying Lemma 8, we know that \(\Vert f\Vert \le 1 + \Vert p\Vert \Vert f'\Vert \le 1 + 2(n-1)\Vert p\Vert r \le 2n \cdot \Vert p\Vert r\) with probability \(\ge \) \(1-2^{4-n}\).     \(\square \)

We are also able to prove that the public key h, the ratio of pg and \(f=pf'+1\), is close to uniform for suitably chosen r, in the same way as shown in [33]. We denote by \(D^{\times }_{r,z}\) the discrete Gaussian \(D_{\mathbb {Z}^{n-1},r}\) restricted to \(\mathcal R_q^{\times } + z\).

Theorem 2

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(0< \epsilon < \frac{1}{2}\) and \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+2\epsilon }\). Then

$$\begin{aligned} \varDelta \left( \frac{y_1+p\cdot D^{\times }_{r,z_1}}{y_2+p\cdot D^{\times }_{r,z_2}} \bmod q; U(\mathcal R^{\times }_q)\right) \le \frac{2^{3(n-1)}}{q^{{\lfloor }\epsilon (n-1){\rfloor }}} \end{aligned}$$

for \(p \in \mathcal R_q^{\times }\), \(y_i \in \mathcal R_q\) and \(z_i = -y_ip^{-1} \bmod q \) for \(i \in {\{}{1,2}{\}}\).

Remark

Our proof follows essentially the same approach as in [33]. For completeness, we include it in Appendix B. This result provides a new instance of Decisional Small Polynomial Ratio (\(\mathsf {DSPR}\)) assumption introduced in [24].

4.2 Decryption

Just as in the classical \(\mathsf {NTRUEncrypt}\), the correctness of decryption rests on the fact that a polynomial of \(\ell _\infty \) norm \(< q/2\) is unchanged by reduction modulo q. In our decryption procedure, we have \(C' = f\cdot C = pgs+pfe+fM \bmod q\). When \(\Vert pgs+pfe+fM\Vert _{\infty }<\frac{q}{2}\), \(C'\) is exactly \(pgs+pfe+fM\), and hence \(C'\bmod p = fM\bmod p = M\) since \(f = 1 \bmod p\), i.e. decryption succeeds. We now confirm that, for a proper choice of parameters, the \(\ell _\infty \) norms of pgs, pfe and fM are each small enough (e.g., less than \(\frac{q}{6}\)) with high probability, which ensures successful decryption.

We first show that a polynomial drawn from the \(\mathsf {RLWE} \) error distribution has a relatively small norm with high probability.

Lemma 17

Let \(n \ge 7\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). For \(t > 1\) and \(u > 0\), we have

Proof

We will need the following inequality in our proof:

$$\begin{aligned} {\lfloor }x{\rceil }^2 \le \frac{1}{4\epsilon } + \frac{1}{1-\epsilon }x^2. \end{aligned}$$

In fact, for \(x \in \mathbb {R}\), we have \(({\lfloor }x{\rceil }-x)^2 \le \frac{1}{4}\). For any \(\epsilon \in (0,1)\), we have \({\lfloor }x{\rceil }^2 \le \frac{1}{4} - x^2 + 2{\lfloor }x{\rceil }x \le \frac{1}{4} - x^2 + \frac{1}{1-\epsilon }x^2+(1-\epsilon ){\lfloor }x{\rceil }^2 = \frac{1}{4} + \frac{\epsilon }{1-\epsilon }x^2+(1-\epsilon ){\lfloor }x{\rceil }^2\). A routine computation leads to the result.
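The routine computation, carried through here as an added step with the same \(\epsilon \) (it is not written out in the original): the cross term \(2{\lfloor }x{\rceil }x\) is bounded by a weighted AM-GM inequality, and the \((1-\epsilon ){\lfloor }x{\rceil }^2\) term is moved to the left-hand side.

$$\begin{aligned} 2{\lfloor }x{\rceil }x &\le \frac{1}{1-\epsilon }x^2 + (1-\epsilon ){\lfloor }x{\rceil }^2 \quad \text {since}\quad 0 \le \left( \frac{x}{\sqrt{1-\epsilon }} - \sqrt{1-\epsilon }\,{\lfloor }x{\rceil }\right) ^2, \\ \epsilon {\lfloor }x{\rceil }^2 &= {\lfloor }x{\rceil }^2 - (1-\epsilon ){\lfloor }x{\rceil }^2 \le \frac{1}{4} + \frac{\epsilon }{1-\epsilon }x^2, \\ {\lfloor }x{\rceil }^2 &\le \frac{1}{4\epsilon } + \frac{1}{1-\epsilon }x^2. \end{aligned}$$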

Let \(\mathbf {b}= {\lfloor }\mathbf {b}' \bmod \varPhi _n(X){\rceil } \in \mathcal R\) with . Let vector \(\mathbf {v}= \frac{1}{t}(b_0,\cdots ,b_{n-1})\) where \((b_0,\cdots ,b_{n-1})\) is the coefficient vector of \(\mathbf {b}'\). Then we obtain

$$\begin{aligned} \Vert \mathbf {b}\Vert ^2&\le \frac{1}{1-\epsilon }\sum _{i=0}^{n-2}(b_i-b_{n-1})^2 + \frac{n-1}{4\epsilon } = \frac{t^2}{1-\epsilon }\Vert \mathbf {M}\mathbf {v}\Vert ^2 + \frac{n-1}{4\epsilon }, \end{aligned}$$

where

$$\mathbf {M}= \left( \begin{array}{ccccc} 1 & & & & -1 \\ & 1 & & & -1 \\ & & \ddots & & \vdots \\ & & & 1 & -1\\ & & & & 0 \\ \end{array} \right) \in \mathbb {R}^{n\times n}.$$

Let \(\varSigma = \mathbf {M}^{\top }\mathbf {M}\), we have

$$\varSigma = \left( \begin{array}{ccccc} 1 & & & & -1 \\ & 1 & & & -1 \\ & & \ddots & & \vdots \\ & & & 1 & -1\\ -1 & -1 & \cdots & -1 & (n-1) \\ \end{array} \right) \in \mathbb {R}^{n\times n}.$$

In our estimation, we need traces \(\mathbf {tr}(\varSigma )\), \(\mathbf {tr}(\varSigma ^2)\) and the operator norm \(\Vert \varSigma \Vert \). It is easy to check that \(\mathbf {tr}(\varSigma )=2(n-1), \ \mathbf {tr}(\varSigma ^2)=(n-1)(n+2)\). It can be calculated that the characteristic polynomial of \(\varSigma \) is \(\lambda (\lambda -1)^{n-2}(\lambda -n)\), so n is the largest eigenvalue of \(\varSigma \) and hence \(\Vert \varSigma \Vert =n\).

All coordinates of \(\mathbf {b}'\) follow the distribution \(\psi _t\) independently, so the coordinates of \(\mathbf {v}\) are independent standard Gaussians. As shown in [20], the following tail bound for \(\Vert \mathbf {M}\mathbf {v}\Vert ^2\) holds:

$$\begin{aligned}&\Pr \left( \Vert \mathbf {M}\mathbf {v}\Vert ^2> 2(n-1)+2\sqrt{(n-1)(n+2)u}+2nu\right) \\ =&\Pr \left( \Vert \mathbf {M}\mathbf {v}\Vert ^2 > \mathbf {tr}\left( \varSigma \right) +2\sqrt{\mathbf {tr}\left( {\varSigma }^2\right) u}+2\Vert \varSigma \Vert u\right) \le \exp (-u).\\ \end{aligned}$$

Let

$$\epsilon = \left( 1+\sqrt{\frac{4t^2\left( 2(n-1)+2\sqrt{(n-1)(n+2)u}+2nu\right) }{n-1}}\right) ^{-1}\in (0,1)$$

and

$$A = \sqrt{\frac{2(n-1)+2\sqrt{(n-1)(n+2)u}+2nu}{1-\epsilon } + \frac{n-1}{4t^2\epsilon }}.$$

Then it can be verified that

$$A = \sqrt{2(n-1)+2\sqrt{(n-1)(n+2)u}+2nu} + \sqrt{\frac{n-1}{4t^2}} < \sqrt{2n}(\sqrt{u}+2),$$

thus we have

    \(\square \)

Setting u in Lemma 17 to \(\mathrm {\varTheta }(\log ^{1+\kappa } n)\) and applying Lemmata 8 and 16, we are able to get the following:

Lemma 18

In \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\), let \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}>1\). Then for \(\kappa > 0\), we have

$$\begin{aligned} \Vert pgs\Vert _\infty ,\Vert pfe\Vert _\infty \le 8\sqrt{2}n^{2}\mathbf {\varTheta }\left( \log ^{\frac{1+\kappa }{2}}n\right) \Vert p\Vert ^2 r t \end{aligned}$$

with probability at least \( 1-n^{-\mathrm {\varTheta }\left( \log ^\kappa n\right) }\).

Furthermore, if \(\deg p = 0\), then

$$\Vert pgs\Vert _\infty ,\Vert pfe\Vert _\infty \le 4\sqrt{2}n\mathbf {\varTheta }\left( \log ^{\frac{1+\kappa }{2}}n\right) \Vert p\Vert ^2 r t$$

with probability at least \( 1-n^{-\mathrm {\varTheta }\left( \log ^\kappa n\right) }\).

It is also desirable that fM has small norm. Indeed, we can prove:

Lemma 19

In \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\), we have

  1. \(\Vert M\Vert \le (n-1)\Vert p\Vert .\)

  2. \(\Vert fM\Vert _\infty \le 4n^{2}\Vert p\Vert ^2r\) with probability at least \( 1-2^{-n+4}\).

Furthermore, if \(\deg p = 0\), we have \(\Vert M\Vert \le \frac{\sqrt{n-1}}{2}\Vert p\Vert \) holds, and with probability at least \( 1-2^{-n+4}\), \(\Vert fM\Vert _\infty \le 2n\Vert p\Vert ^2r\) holds.

Proof

By reducing modulo the \(pX^i\)’s, we can write M as \(\sum _{i=0}^{n-2}\epsilon _ipX^i\) with \( -1/2 < \epsilon _i \le 1/2\). Using Lemma 8, we have

$$\begin{aligned} \Vert M\Vert \le 2\sqrt{n-1}\Vert \sum _{i=0}^{n-2}\epsilon _iX^i\Vert \Vert p\Vert \le (n-1)\Vert p\Vert . \end{aligned}$$

For the case \(\deg p = 0\), we have \(\Vert M\Vert = \Vert p\Vert \cdot \Vert \sum _{i=0}^{n-2}\epsilon _iX^i\Vert \le \frac{\sqrt{n-1}}{2}\Vert p\Vert \). Then, combining Lemmata 8 and 16 with the above result, the proof is completed.     \(\square \)

Overall, we obtain a set of parameters for which \(\mathsf {NTRUEncrypt}\) decrypts correctly with high probability.

Theorem 3

If \(\omega \left( n^{2}\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) (resp. \(\omega \left( n\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) if \(\deg p = 0\)) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} > 1\), then the decryption algorithm of \(\mathsf {NTRUEncrypt}\) recovers M with probability \(1-n^{-\omega (1)}\) over the choice of \(s, e, f, g\).

4.3 Security Reduction and Parameters

In a manner similar to [33], we establish a security reduction for \(\mathsf {NTRUEncrypt}\) from the decisional \(\mathsf {RLWE} ^{\times }_{HNF}\). The key technical idea is that a valid public key and ciphertext pair \((h=pa, C = pb+M = hs+pe+M)\) can be produced from a pair \((a, b = as+e)\) sampled from the \(\mathsf {RLWE} \) distribution. The proof of Lemma 20 is given in Appendix C.

Lemma 20

Let \(n \ge 8\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q > 8n\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(\mathcal R_q = \mathcal R/q\mathcal R\). Let \(\epsilon , \delta > 0\), \(p \in \mathcal R_q^{\times }\), \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\), and \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\). If there exists an \(\mathsf {IND\text {-}CPA}\) attack against the variant of \(\mathsf {NTRUEncrypt}\) that runs in time T and has success probability \(1/2+\delta \), then there exists an algorithm solving \(\mathsf {RLWE} \) \(_{q,\psi ,k}\) with \(\psi = \overline{\psi _{t}^{n}}\) that runs in time \(T' = T+O(kn)\) and has success probability \(\frac{1}{2}+\delta '\) where \(\delta ' = \frac{\delta }{2} - q^{-\varOmega (n)}\).

Now we integrate all the above results and discuss the parameter requirements. To ensure the uniformity of public keys, the parameters r, n and q should satisfy the condition of Theorem 2, i.e. \(r \ge (n-1)^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+2\epsilon }\) for \(0< \epsilon < \frac{1}{2}\). To ensure a high probability of successful decryption, we need \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} > 1\) and \(\omega \left( n^{2}\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) (resp. \(\omega \left( n\log ^{0.5}n \right) \Vert p\Vert ^2rt/q < 1\) if \(\deg p = 0\)) as stated in Theorem 3. To satisfy the condition of \(\mathsf {RLWE} \) (Theorem 1), we require \(\alpha q > \omega (\sqrt{\log n})\). From these requirements, to obtain a variant of \(\mathsf {NTRUEncrypt}\) with provable security against \(\mathsf {IND\text {-}CPA}\) attacks, we may set the main parameters as follows.

  • \(q = {{\mathrm{poly}}}(n)\), \(\epsilon \in \left( 0,\frac{1}{2}\right) \), and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{4.75}\log ^{1.5} n \Vert p\Vert ^2\right) \),

  • \(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\),

  • \(k = O(1)\), \(\alpha q = \varOmega (\log ^{0.75} n)\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} = \varOmega (n^{0.75}\log ^{0.5}n)\).

If p is set to be an integer (i.e. \(\deg p = 0\)), which is the most common choice in the \(\mathsf {NTRUEncrypt}\) scheme, the parameters may be relaxed:

  • \(q = {{\mathrm{poly}}}(n)\), \(\epsilon \in \left( 0,\frac{1}{2}\right) \), and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{3.75}\log ^{1.5} n \Vert p\Vert ^2\right) \),

  • \(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\),

  • \(k = O(1)\), \(\alpha q = \varOmega (\log ^{0.75} n)\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4} = \varOmega (n^{0.75}\log ^{0.5}n)\).

Combining with Theorem 1, we have obtained our main result.

Theorem 4

Let \(n \ge 8\) be a prime and \(\mathcal R= \mathbb {Z}[X]/\varPhi _n(X)\). Suppose \(q = {{\mathrm{poly}}}(n)\) is a prime such that \(\varPhi _{n}(X)\) splits into \(n-1\) distinct linear factors modulo q and \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{4.75}\log ^{1.5} n \Vert p\Vert ^2\right) \) (resp. \(q^{\frac{1}{2}-\epsilon } = \omega \left( n^{3.75}\log ^{1.5} n \Vert p\Vert ^2\right) \), if \(\deg p = 0\)), for arbitrary \(\epsilon \in \left( 0,\frac{1}{2}\right) \) and \(p \in \mathcal R_q^{\times }\). Let \(r = n^2\sqrt{\ln (8nq)}\cdot q^{\frac{1}{2}+\epsilon }\) and \(t = \sqrt{n}\alpha q\left( \frac{(n-1)k}{\log ((n-1)k)}\right) ^{1/4}\) where \(k = O(1)\) and \(\alpha q = \varOmega (\log ^{0.75} n)\). If there exists an \(\mathsf {IND\text {-}CPA}\) attack against the variant of \(\mathsf {NTRUEncrypt}\) \((n, q, p, r, \alpha , k)\) that runs in time \({{\mathrm{poly}}}(n)\) and has success probability \(\frac{1}{2}+\frac{1}{{{\mathrm{poly}}}(n)}\), then there exists a \({{\mathrm{poly}}}(n)\)-time algorithm solving \(\gamma \)-Ideal-\(\mathsf {SVP}\) on ideal lattices in \(\mathbb {Z}[X]/\varPhi _n(X)\) with \(\gamma = O\left( \sqrt{n} q/\log ^{0.75} n\right) \). Moreover, the decryption success probability exceeds \(1-n^{-\omega (1)}\) over the choice of the encryption randomness.

In the modified \(\mathsf {NTRUEncrypt}\), the parameter r is \(\tilde{\varOmega }(n^2\cdot q^{\frac{1}{2}+\epsilon })\), whereas that in [33] is \(\tilde{\varOmega }(n\cdot q^{\frac{1}{2}+\epsilon })\). Note that the term \(q^{\frac{1}{2}+\epsilon }\) is much greater than its polynomial coefficient \(n^2\) or n; in this sense, our result is close to that for power-of-2 cyclotomic rings. By setting \(\epsilon = o(1)\) and p to be of degree 0, the smallest modulus q and the approximation factor \(\gamma \) reach \(\tilde{\varOmega }(n^{7.5})\) and \(\tilde{\varOmega }(n^{8})\) respectively. These compare to \(\tilde{\varOmega }(n^{5})\) and \(\tilde{\varOmega }(n^{5.5})\) for \(\mathsf {NTRUEncrypt}\) over power-of-2 cyclotomic rings.

5 Conclusion and Future Work

In this paper, we extended the provable security of an \(\mathsf {NTRU}\) variant, originally proposed by Stehlé and Steinfeld for power-of-2 cyclotomic rings, to the family of prime cyclotomic rings. As this class of rings is closer to the original \(\mathsf {NTRU}\) rings, the results here may bring a new security estimation for the original \(\mathsf {NTRU}\) settings. We also developed a series of tools for prime cyclotomic rings that provide a foundation to generalize more cryptosystems to this class of rings. These tools might be of some independent interest.

We present a theoretical construction with suggested parameters in the asymptotic sense. There is a body of cryptanalytic work aimed at \(\mathsf {NTRU}\), such as the hybrid attack [19], the subfield attack [1] and the straightforward attack [22]; a detailed analysis of our \(\mathsf {NTRU}\) variant against these attacks deserves careful consideration. Furthermore, arithmetic over the rings \(\mathbb {Z}[X]/(X^n\pm 1)\) is still more efficient than over prime cyclotomic rings, and further investigation of the relation between the prime cyclotomic ring and the \(\mathsf {NTRU}\) ring may improve the efficiency of related cryptosystems. We leave these to future work.

As shown in [25, 26], canonical embedding provides a neat description of the geometry of cyclotomic rings, which may lead to more compact and general results. To get similar conclusions with respect to the canonical embedding, we need to develop more powerful tools and that is left as a future investigation.

The ideal lattices (under the coefficient embedding) over prime cyclotomic rings are not (anti-)circulant, so studying the gap between their successive minima could be useful in cryptanalysis. Another interesting problem is a finer estimate of the Euclidean norm of elements in an ideal of the prime cyclotomic ring, as it would help to reduce some complexity estimates.