On the Ring-LWE and Polynomial-LWE Problems

Rosca, Miruna; Stehlé, Damien; Wallet, Alexandre

doi:10.1007/978-3-319-78381-9_6

Miruna Rosca^15,16,
Damien Stehlé¹⁵ &
Alexandre Wallet¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10820))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

4404 Accesses
40 Citations

Abstract

The Ring Learning With Errors problem ($\mathsf {RLWE}$) comes in various forms. Vanilla $\mathsf {RLWE}$ is the decision dual-$\mathsf {RLWE}$ variant, consisting in distinguishing from uniform a distribution depending on a secret belonging to the dual $\mathcal {O}_K^{\vee }$ of the ring of integers $\mathcal {O}_K$ of a specified number field K. In primal-$\mathsf {RLWE}$, the secret instead belongs to $\mathcal {O}_K$. Both decision dual-$\mathsf {RLWE}$ and primal-$\mathsf {RLWE}$ enjoy search counterparts. Also widely used is (search/decision) Polynomial Learning With Errors ($\mathsf {PLWE}$), which is not defined using a ring of integers $\mathcal {O}_K$ of a number field K but a polynomial ring $\mathbb {Z}[x]/f$ for a monic irreducible $f \in \mathbb {Z}[x]$. We show that there exist reductions between all of these six problems that incur limited parameter losses. More precisely: we prove that the (decision/search) dual to primal reduction from Lyubashevsky et al. [EUROCRYPT 2010] and Peikert [SCN 2016] can be implemented with a small error rate growth for all rings (the resulting reduction is non-uniform polynomial time); we extend it to polynomial-time reductions between (decision/search) primal $\mathsf {RLWE}$ and $\mathsf {PLWE}$ that work for a family of polynomials f that is exponentially large as a function of $\deg f$ (the resulting reduction is also non-uniform polynomial time); and we exploit the recent technique from Peikert et al. [STOC 2017] to obtain a search to decision reduction for $\mathsf {RLWE}$ for arbitrary number fields. The reductions incur error rate increases that depend on intrinsic quantities related to K and f.

You have full access to this open access chapter, Download conference paper PDF

RLWE and PLWE over cyclotomic fields are not equivalent

Article Open access 30 April 2022

Lossiness and Entropic Hardness for Ring-LWE

Ring-LWE Cryptography for the Number Theorist

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Different shades of $\mathsf {RLWE}$. Ring Learning With Errors ($\mathsf {RLWE}$) was introduced by Lyubashevsky et al. in [LPR10], as a means of speeding up cryptographic constructions based on the Learning With Errors problem ($\mathsf {LWE}$) [Reg05]. Let K be a number field, $\mathcal {O}_K$ its ring of integers and $q \ge 2$ a rational integer. The search variant of $\mathsf {RLWE}$ with parameters K and q consists in recovering a secret $s \in \mathcal {O}_K^{\vee } / q \mathcal {O}_K^{\vee }$ with $\mathcal {O}_K^{\vee }$ denoting the dual of $\mathcal {O}_K$, from arbitrarily many samples $(a_i, a_i \cdot s + e_i)$. Here each $a_i$ is uniformly sampled in $\mathcal {O}_K/ q \mathcal {O}_K$ and each $e_i$ is a small random element of $K_{\mathbb {R}} := K \otimes _{\mathbb {Q}} \mathbb {R}$. The noise term $e_i$ is sampled such that its Minkowski embedding vector follows a Gaussian distribution with a small covariance matrix (relative to $q\mathcal {O}_K^\vee $). The decision variant consists in distinguishing arbitrarily many such pairs for a common s chosen uniformly in $\mathcal {O}_K^{\vee } / q \mathcal {O}_K^{\vee }$, from uniform samples in $\mathcal {O}_K/ q \mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^{\vee }$. More formal definitions are provided in Sect. 2, but these suffice for describing our contributions.

Lyubashevsky et al. backed in [LPR10] the conjectured hardness of $\mathsf {RLWE}$ with a quantum polynomial-time reduction from the (worst-case) Approximate Shortest Vector Problem ($\mathsf {ApproxSVP}$) restricted to the class of Euclidean lattices corresponding to ideals of $\mathcal {O}_K$, with geometry inherited from the Minkowski embeddings. They showed its usefulness by describing a public-key encryption with quasi-optimal efficiency: the bit-sizes of the keys and the run-times of all involved algorithms are quasi-linear in the security parameter. A central technical contribution was a reduction from search $\mathsf {RLWE}$ to decision $\mathsf {RLWE}$, when K is cyclotomic, and decision $\mathsf {RLWE}$ for cyclotomic fields is now pervasive in lattice-based cryptography, including in practice [ADPS16, BDK+18, DLL+18]. The search-to-decision reduction from [LPR10] was later extended to the case of general Galois rings in [EHL14, CLS17].

Prior to $\mathsf {RLWE}$, Stehlé et al. [SSTX09] introduced what is now referred to as Polynomial Ring Learning With Errors ($\mathsf {PLWE}$), for cyclotomic polynomials of degree a power of 2. $\mathsf {PLWE}$ is parametrized by a monic irreducible $f \in \mathbb {Z}[x]$ and an integer $q \ge 2$, and consists in recovering a secret $s \in \mathbb {Z}_q[x]/f$ from arbitrarily many samples $(a_i, a_i \cdot s + e_i)$ where each $a_i$ is uniformly sampled in $\mathbb {Z}_q[x]/f$ and each $e_i$ is a small random element of $\mathbb {R}[x]/f$. The decision variant consists in distinguishing arbitrarily many such samples for a common s sampled uniformly in $\mathbb {Z}_q[x]/f$, from uniform samples. Here the noise term $e_i$ is sampled such that its coefficient vector follows a Gaussian distribution with a small covariance matrix. Stehlé et al. gave a reduction from the restriction of $\mathsf {ApproxSVP}$ to the class of lattices corresponding to ideals of $\mathbb {Z}[x]/f$, to search $\mathsf {PLWE}$, for f a power-of-2 cyclotomic polynomial.

Finally, a variant of $\mathsf {RLWE}$ with $s \in \mathcal {O}_K/ q \mathcal {O}_K$ rather than $\mathcal {O}_K^\vee / q \mathcal {O}_K^\vee $ was also considered (see, e.g., [DD12] among others), to avoid the complication of having to deal with the dual $\mathcal {O}_K^\vee $ of $\mathcal {O}_K$. In the rest of this paper, we will refer to the latter as primal-$\mathsf {RLWE}$ and to standard $\mathsf {RLWE}$ as dual-$\mathsf {RLWE}$.

The case of cyclotomics. Even though [LPR10] defined $\mathsf {RLWE}$ for arbitrary number fields, the problem was mostly studied in the literature for K cyclotomic. This specialization had three justifications:

it leads to very efficient cryptographic primitives, in particular if q totally splits over K;
the hardness result from [LPR10] holds for cyclotomics;
no particular weakness was known for these fields.

Among cyclotomics, those of order a power of 2 are a popular choice. In the case of a field K defined by the cyclotomic polynomial f, we have that $\mathcal {O}_K= \mathbb {Z}[\alpha ]$ for $\alpha $ a root of f. Further, in the case of power-of-2 cyclotomics, mapping the coefficient vector of a polynomial in $\mathbb {Z}[x]/f$ to its Minkowski embedding is a scaled isometry. This makes primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$ collapse into a single problem. Still in the case of power-of-2 cyclotomics, the dual $\mathcal {O}_K^\vee $ is a scaling of $\mathcal {O}_K$, implying that dual and primal-$\mathsf {RLWE}$ are equivalent. Apart from the monogenicity property, these facts do not hold for all cyclotomics. Nevertheless, Ducas and Durmus [DD12] showed it is still possible to reduce dual-$\mathsf {RLWE}$ to primal-$\mathsf {RLWE}$.

Looking at other fields. The $\mathsf {RLWE}$ hardness proof holds with respect to a fixed field: the reduction in [LPR10] maps $\mathsf {ApproxSVP}$ for lattices corresponding to $\mathcal {O}_K$-ideals with small approximation factors, to decision/search dual-$\mathsf {RLWE}$ on K. Apart from the very specific case of field extensions [GHPS12], hardness on K seems unrelated to hardness on another field $K'$. One may then wonder if $\mathsf {RLWE}$ is easier for some fields. The attacks presented in [EHL14, ELOS15, CLS17, CLS16] were used to identify weak generating polynomials f of a number field K, but they only work for error distributions with small width relative to the geometry of the corresponding ring [CIV16b, CIV16a, Pei16]. At this occasion, the relationships between the $\mathsf {RLWE}$ and $\mathsf {PLWE}$ variants were more closely investigated.

Building upon [CGS14, CDPR16], Cramer et al. [CDW17] gave a quantum polynomial-time $\mathsf {ApproxSVP}$ algorithm for ideals of $\mathcal {O}_K$ when K is a cyclotomic field of prime-power conductor, when the $\mathsf {ApproxSVP}$ approximation factor is $2^{\widetilde{O}(\sqrt{\deg K})}$. For general lattices, the best known algorithm [SE94] runs in time $2^{\widetilde{O}(\sqrt{n})}$ for such an approximation factor, where n is the lattice dimension (here $n = \deg K$). We note that the result from [CGS14, CDPR16] was partly extended in [BBdV+17] to principal ideals generated by a short element in a completely different family of fields. These results show that all fields are not equal in terms of $\mathsf {ApproxSVP}$ hardness (unless they turn out to be all weak!). So far, there is no such result for $\mathsf {RLWE}$.

On the constructive front, Bernstein et al. [BCLvV16] showed that some non-cyclotomic polynomials f also enjoy practical arithmetic over $\mathbb {Z}_q[x]/f$ and lead to efficient cryptographic design (though the concrete scheme relies on the presumed hardness of another problem than $\mathsf {RLWE}$).

Hedging against the weak field risk. Two recent works propose complementary approaches to hedge against the risk of a weakness of $\mathsf {RLWE}$ for specific fields. First, in [PRS17], Peikert et al. give a new (quantum) reduction from $\mathsf {ApproxSVP}$ for $\mathcal {O}_K$-ideals to decision dual-$\mathsf {RLWE}$ for the corresponding field K. All fields support a (quantum) reduction from $\mathsf {ApproxSVP}$, and hence, from this respect, one is not restricted to cyclotomics. Second, following an analogous result by Lyubashevsky for the Small Integer Solution problem [Lyu16], Roşca et al. [RSSS17] introduced the Middle-Product LWE problem and showed that it is at least as hard as $\mathsf {PLWE}$ for any f in an exponentially large family of f’s (as a function of their degree). Neither result is fully satisfactory. In the first case, it could be that $\mathsf {ApproxSVP}$ is easy for lattices corresponding to ideals of $\mathcal {O}_K$ for any K: this would make the result vacuous. In the second case, the result of [RSSS17] focuses on $\mathsf {PLWE}$ rather than the more studied $\mathsf {RLWE}$ problem.

Our results. The focus on the $\mathsf {RLWE}$ hardness for non-cyclotomic fields makes the discrepancies between the $\mathsf {RLWE}$ and $\mathsf {PLWE}$ variants more critical. In this article, we show that the six problems considered above — dual-$\mathsf {RLWE}$, primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$, all in both decision and search forms — reduce to one another in polynomial time with limited error rate increases, for huge classes of rings. More precisely, these reductions are obtained with the following three results.

We show that for every field K, it is possible to implement the reduction from decision (resp. search) dual-$\mathsf {RLWE}$ to decision (resp. search) primal-$\mathsf {RLWE}$ from [LPR10, Le. 2.15] and [Pei16, Se. 2.3.2], with a limited error growth. Note that there exists a trivial converse reduction from primal-$\mathsf {RLWE}$ to dual-$\mathsf {RLWE}$.
We show that the reduction mentioned above can be extended to a reduction from decision (resp. search) primal-$\mathsf {RLWE}$ in K to decision (resp. search) $\mathsf {PLWE}$ for f, where K is the field generated by the polynomial f. The analysis is significantly more involved. It requires the introduction of the so-called conductor ideal, to handle the transformation from the ideal $\mathcal {O}_K$ to the order $\mathbb {Z}[x]/f$, and upper bounds on the condition number of the map that sends the coefficient embeddings to the Minkowski embeddings, to show that the noise increases are limited. Our conditioning upper bound is polynomial in n only for limited (but still huge) classes of polynomials that include those of the form $x^n + x \cdot P(x) - a$, with $\deg P < n/2$ and a prime that is ${\ge }25\cdot \Vert P\Vert _1^2$ and ${\le }\mathrm {poly}(n)$. A trivial converse reduction goes through for the same f’s.
We exploit the recent technique from [PRS17] to obtain a search to decision reduction for dual-$\mathsf {RLWE}$.

Concretely, the error rate increases are polynomial in $n=\deg K$, the root discriminant $|\varDelta _K|^{1/n}$ and, for the reduction to $\mathsf {PLWE}$, in the root algebraic norm $\mathcal {N} (\mathcal {C}_{\mathbb {Z}[\alpha ]})^{1/n}$ of the conductor ideal $\mathcal {C}_{\mathbb {Z}[\alpha ]}$ of $\mathbb {Z}[\alpha ]$, where $\alpha $ is a root of f defining K. We note that in many cases of interest, all these quantities are polynomially bounded in n. To enjoy these limited error rate growths, the first two reductions require knowledge of specific data related to K, namely, a short element (with respect to the Minkowski embeddings) in the different ideal $(\mathcal {O}_K^\vee )^{-1}$ and a short element in $\mathcal {C}_{\mathbb {Z}[\alpha ]}$. In general, these are hard to compute.

Techniques. The first reduction is derived from [LPR10, Le. 2.15] and [Pei16, Se. 2.3.2]: if it satisfies some arithmetic properties, a multiplication by an element $t \in \mathcal {O}_K$ induces an $\mathcal {O}_K$-module isomorphism from $\mathcal {O}_K^{\vee }/q \mathcal {O}_K^{\vee }$ to $\mathcal {O}_K/q \mathcal {O}_K$. For the reduction to be meaningful, we need t to have small Minkowski embeddings. We prove the existence of such a small t satisfying the appropriate arithmetic conditions, by generalizing the inclusion-exclusion technique developed in [SS13] to study the key generation algorithm of the NTRU signature scheme [HHPW10].

The Lyubashevsky et al. bijection works with $\mathcal {O}_K^{\vee }$ and $\mathcal {O}_K$ replaced by arbitrary ideals of K, but this does not provide a bijection from $\mathcal {O}_K/q \mathcal {O}_K$ to $\mathbb {Z}[\alpha ]/ q \mathbb {Z}[\alpha ]$, as $\mathbb {Z}[\alpha ]$ may only be an order of $\mathcal {O}_K$ (and not necessarily an ideal). We circumvent this difficulty by using the conductor ideal of $\mathbb {Z}[\alpha ]$. Intuitively, the conductor ideal describes the relationship between $\mathcal {O}_K$ and $\mathbb {Z}[\alpha ]$. As far as we are aware, this is the first time the conductor ideal is used in the $\mathsf {RLWE}$ context. This bijection and the existence of an appropriate multiplier t as above provide a (non-uniform) reduction from primal-$\mathsf {RLWE}$ to a variant of $\mathsf {PLWE}$ for which the noise terms have small Minkowski embeddings (instead of small polynomial coefficients).

We show that for many number fields, the linear map between polynomial coefficients and Minkowski embeddings has a condition number that is polynomially bounded in n, i.e., the map has bounded distortion and behaves not too noticeably differently from a scaling. This implies that the latter reduction is also a reduction from primal-$\mathsf {RLWE}$ to standard $\mathsf {PLWE}$ for these rings. We were able to show condition number bounds that are polynomial in n only for restricted families of polynomials f, yet exponentially large as n increases. These include in particular those of the form mentioned above. Note that the primality condition on the constant coefficient is used only to ensure that f is irreducible and hence defines a number field. For these f’s, we use Rouché’s theorem to prove that the roots are close to the scaled n-th roots of unity $(a^{1/n} \cdot \alpha _n^k)_{0 \le k < n}$, and then that f “behaves” as $x^n-a$ in terms of geometric distortion.

Our search-to-decision reduction for dual-$\mathsf {RLWE}$ relies on techniques developed in [PRS17]. In that article, Peikert et al. consider the following ‘oracle hidden center’ problem (OHCP). In this problem, we are given access to an oracle $\mathcal {O}$ taking as inputs a vector ${\varvec{z}} \in \mathbb {R}^k$ and a scalar $t \in \mathbb {R}^{\ge 0}$, and outputting a bit. The probability that the oracle outputs 1 (over its internal randomness) is assumed to depend only on $\exp (t) \cdot \Vert {\varvec{z}} - {\varvec{x}}\Vert $, for some vector ${\varvec{x}}$. The goal is to recover $\mathcal {O}$’s center ${\varvec{x}}$. On the one hand, Peikert et al. give a polynomial-time algorithm for this problem, assuming the oracle is ‘well-behaved’ ([PRS17, Prop. 4.4]). On the other hand, they show how to map a Bounded Distance Decoding (BDD) instance to such an OHCP instance if they have access to Gaussian samples in the dual of the BDD lattice, where the engine of the oracle is the decision dual-$\mathsf {RLWE}$ oracle [PRS17, Se. 6.1]. We construct the OHCP instance from the decision $\mathsf {RLWE}$ oracle in a different manner. We use our input search dual-$\mathsf {RLWE}$ samples and take small Gaussian combinations of them. By re-randomizing the secret and adding some noise, we can obtain arbitrarily many dual-$\mathsf {RLWE}$ samples. Subtracting from the input samples well-chosen $z_i$’s in $K_{\mathbb {R}}$ and setting the standard deviation of the Gaussian combination appropriately leads to a valid OHCP instance. The main technical hurdle is to show that a Gaussian combination of elements of $\mathcal {O}_K^{\vee }/q \mathcal {O}_K^{\vee }$ is close to uniform. For this, we generalize a ring Leftover Hash Lemma proved for specific pairs $(\mathcal {O}_K,q)$ in [SS11].

Related works. The reductions studied in this work can be combined with those from $\mathsf {ApproxSVP}$ for $\mathcal {O}_K$-ideals to dual-$\mathsf {RLWE}$ [LPR10, PRS17]. Recently, Albrecht and Deo [AD17] built upon [BLP+13] to obtain a reduction from Module-$\mathsf {LWE}$ to $\mathsf {RLWE}$. This can be both combined with our reductions and the quantum reductions from $\mathsf {ApproxSVP}$ for $\mathcal {O}_K$-modules to Module-$\mathsf {LWE}$^{Footnote 1} [LS15, PRS17]. Downstream, the reductions can be combined with the reduction from $\mathsf {PLWE}$ to Middle-Product $\mathsf {LWE}$ from [RSSS17]. The latter was showed to involve an error rate growth that is linearly bounded by the so-called the expansion factor of f: it turns out that those f’s for which we could bound the condition number of the Minkowski map by a polynomial function of $\deg f$ also have polynomially bounded expansion factor. These reductions and those considered in the present work are pictorially described in Fig. 1.

The ideal-changing scaling element t and the distortion of the Minkowski map were closely studied in [CIV16b, CIV16a, Pei16] for a few precise polynomials and fields. We use the same objects, but provide bounds that work for all (or many) fields.

Impact. As it is standard for the hardness foundations of lattice-based cryptography, our reductions should not be considered for setting practical parameters. They should rather be viewed as a strong evidence that the six problems under scope are essentially equivalent and do not suffer from a design flaw (unless they all do). We hope they will prove useful towards understanding the plausibility of weak fields for $\mathsf {RLWE}$.

Our first result shows that there exists a way of reducing dual-$\mathsf {RLWE}$ to primal-$\mathsf {RLWE}$ while controlling the noise growth. Even though the reduction is non-uniform, it gives evidence that these problems are qualitatively equivalent. Our second result shows that $\mathsf {RLWE}$ and $\mathsf {PLWE}$ are essentially equivalent for a large class of polynomials/fields. In particular, the transformation map between the Minkowski embeddings and the coefficient embeddings has a bounded distortion. Finally, our search to decision fills an important gap. On the one hand, it precludes the possibility that search $\mathsf {RLWE}$ could be harder than decision $\mathsf {RLWE}$. On the other hand, it gives further evidence of the decision $\mathsf {RLWE}$ hardness. In [PRS17], the authors give a reduction from $\mathsf {ApproxSVP}$ for $\mathcal {O}_K$-ideals to decision $\mathsf {RLWE}$. But in the current state of affairs, $\mathsf {ApproxSVP}$ for this special class of lattices seems easier than $\mathsf {RLWE}$, at least for some parameters. Indeed, Cramer et al. [CDW17] gave quantum algorithms that outperform generic lattice algorithms for some range of approximation factors in the context of ideal lattices. On the opposite, $\mathsf {RLWE}$ is qualitatively equivalent to $\mathsf {ApproxSVP}$ for $\mathcal {O}_K$-modules [LS15, AD17].

As the studied problems reduce to one another, one may then wonder which one to use for cryptographic design. Using dual-$\mathsf {RLWE}$ requires knowledge of $\mathcal {O}_K$, which is notoriously hard to compute for an arbitrary field K. This may look as an incentive to use the corresponding $\mathsf {PLWE}$ problem instead, as it does not require the knowledge of $\mathcal {O}_K$. Yet, for it to be useful in cryptographic design, one must be able to decode the noise from its representative modulo a scaled version of the lattice corresponding to $\mathbb {Z}[\alpha ]$. This seems to require the knowledge of a good basis of that lattice, which may not be easy to obtain either, depending on the considered polynomial f.

Notations. If D is a distribution, we write $x \hookleftarrow D$ to say that we sample x from D. If $D_1, D_2$ are continuous distributions over the same measurable set $\varOmega $, we let $\varDelta (D_1,D_2) = \int _\varOmega |D_1(x) - D_2(x)| \mathrm {d}x$ denote their statistical distance. Similarly, we let $R(D_1 \Vert D_2) = \int _\varOmega D_1(x)^2/D_2(x) \mathrm {d}x$ denote their Rényi divergence. If E is a set of finite measure, we let U(E) denote the uniform distribution over E. For a matrix $V=(v_{ij})$, we let $\Vert V\Vert =\sqrt{ \sum _{1\le i,j\le n} |v_{ij}|^2 }$ denote its Frobenius norm.

This is the proceedings’ version. The full version contains additional appendices and it is available on the IACR eprint archive.

2 Preliminaries

In this section, we give some background on algebraic number theory used in lattice-based cryptography, recall properties of Euclidean lattices, and state the precise definitions of the $\mathsf {RLWE}$ variants we will consider. More details on standard tools of algebraic number theory can be found in the full version. Useful references include [Ste17, Cona].

2.1 Some Algebraic Number Theory

Rings and ideals in number fields. In this article, we call any subring of K a number ring. For a number ring R, an (integral) R-ideal is an additive subgroup $I\subseteq R$ which is closed by multiplication in R, i.e., such that $IR=I$. A more compact definition is to say that I is an R-module. If $a_1, \ldots , a_k$ are elements in R, we let $\langle a_1,\ldots , a_k\rangle =a_1R+\ldots +a_kR$ and call it the ideal generated by the $a_i$’s. The product of two ideals I, J is the ideal generated by all elements xy with $x \in I$ and $y \in J$. The sum, product and intersection of two R-ideals are again R-ideals.

Two integral R-ideals I, J are said to be coprime if $I+J=R$, and, in this case, we have $I\cap J=IJ$. Any non-zero ideal in a number ring has finite index, i.e., the quotient ring R/I is always finite when I is a non-zero R-ideal. An R-ideal $\mathfrak {p}$ is said to be prime if whenever $\mathfrak {p}=IJ$ for some R-ideals I, J, then either $I=\mathfrak {p}$ or $J=\mathfrak {p}$. In a number ring, any prime ideal $\mathfrak {p}$ is maximal [Ste17, p. 19], i.e., R is the only R-ideal containing it. It also means that the quotient ring $R/\mathfrak {p}$ is a finite field. It is well-known that any $\mathcal {O}_K$-ideal admits a unique factorization into prime $\mathcal {O}_K$-ideals, i.e., it can be written $I=\mathfrak {p}_1^{e_1}\cdots \mathfrak {p}_k^{e_k}$ with all $\mathfrak {p}_i$’s distinct prime ideals. It fails to hold in general number rings and orders, but we describe later in Lemma 2.1 how the result can be extended in certain cases.

A fractional R-ideal I is an R-module such that $xI\subseteq R$ for some $x\in K^\times $. An integral ideal is a fractional ideal, and so are the sum, the product and the intersection of two fractional ideals. A fractional R-ideal I is said to be invertible if there exists a fractional R-ideal J such that $IJ=R$. In this case, the (unique) inverse is the integral ideal $I^{-1}=\lbrace x \in K: xI\subseteq R \rbrace $. Any $\mathcal {O}_K$-ideal is invertible, but it is again false for a general number ring.

The algebraic norm of a non-zero integral R-ideal I is defined as $\mathcal N_R(I)=\left| R/I\right| $, and we will omit the subscript when $R=\mathcal {O}_K$. It satisfies $\mathcal N_R(IJ)=\mathcal N_R(I)\mathcal N_R(J)$ for every R-ideals I, J.

The dual of a fractional R-ideal I is $I^\vee =\{\alpha \in K: \text{ Tr }(\alpha I)\subseteq \mathbb {Z}\}$, which is also a fractional R-ideal. We always have $II^\vee = R^\vee $, so that $I^\vee =I^{-1}R^\vee $ when I is invertible. We also have $I^{\vee \vee }=I$ for any R-ideal I.

A particularly interesting dual is $\mathcal {O}_K^\vee $, whose inverse $(\mathcal {O}_K^\vee )^{-1}$ is called the different ideal. The different ideal is an integral ideal, whose norm $\varDelta _K = \mathcal N ((\mathcal {O}_K^\vee )^{-1})$ is called the discriminant of the number field. We note that, for every f defining K, the field discriminant $\varDelta _K$ is a factor of the discriminant of f. The latter is denoted $\varDelta _f$ and is defined as $\varDelta _f =\prod _{i\ne j}(\alpha _i-\alpha _j)$, where $\alpha _1,\ldots ,\alpha _n$ are the roots of f. This provides an upper bound on $\varDelta _K$ in terms of the defining polynomial f.

Orders in number fields. An order $\mathcal {O}$ in K is a number ring which is a finite index subring of $\mathcal {O}_K$. In particular, the ring of integers $\mathcal {O}_K$ is the maximal order in K. Number rings such as $\mathbb {Z}[\alpha ]$, with $\alpha $ a root of a defining polynomial f, are of particular interest. The conductor of an order $\mathcal {O}$ is defined as the set $\mathcal C_{\mathcal O} = \lbrace x \in K: x\mathcal {O}_K\subseteq \mathcal O \rbrace $. It is contained in $\mathcal {O}$, and it is both an $\mathcal {O}$-ideal and an $\mathcal {O}_K$-ideal: it is in fact the largest ideal with this property. It is never empty, as it contains the index $[\mathcal {O}_K:\mathcal {O}]$.

If it is coprime with the conductor, an ideal in $\mathcal {O}_K$ can be naturally considered as an ideal in $\mathcal {O}$, and reciprocally. This is made precise in the following lemma.

Lemma 2.1

([Cona, Th. 3.8]). Let $\mathcal {O}$ be an order in K.

1.
Let I be an $\mathcal {O}_K$-ideal coprime to $\mathcal {C}_{\mathcal {O}}$. Then $I\cap \mathcal {O}$ is an $\mathcal {O}$-ideal coprime to $\mathcal {C}_{\mathcal {O}}$ and the natural map $\mathcal {O}/I\cap \mathcal {O}\longrightarrow \mathcal {O}_K/I$ is a ring isomorphism.
2.
Let J be an $\mathcal {O}$-ideal coprime to $\mathcal {C}_{\mathcal {O}}$. Then $J\mathcal {O}_K$ is an $\mathcal {O}_K$-ideal coprime to $\mathcal {C}_{\mathcal {O}}$ and the natural map $\mathcal {O}/J \longrightarrow \mathcal {O}_K/J\mathcal {O}_K$ is a ring isomorphism.
3.
The set of $\mathcal {O}_K$-ideals coprime to $\mathcal {C}_{\mathcal {O}}$ and the set of $\mathcal {O}$-ideals coprime to $\mathcal {C}_{\mathcal {O}}$ are in multiplicative bijection by $I\longmapsto I\cap \mathcal {O}$ and $J\longmapsto J\mathcal {O}_K$.

The above description does not tell how to “invert” the isomorphisms. This can be done by a combination of the following lemmas and passing through the conductor, as we will show in the next section.

Lemma 2.2

Let $\mathcal {O}$ be an order in K and I an $\mathcal {O}_K$-ideal coprime to the conductor $\mathcal {C}_{\mathcal {O}}$. Then the inclusions $\mathcal {C}_{\mathcal {O}}\subseteq \mathcal {O}$ and $\mathcal {C}_{\mathcal {O}}\subseteq \mathcal {O}_K$ induce isomorphisms $\mathcal {C}_{\mathcal {O}}/I\cap \mathcal {C}_{\mathcal {O}}\simeq \mathcal {O}/I\cap \mathcal {O}$ and $\mathcal {C}_{\mathcal {O}}/I\cap \mathcal {C}_{\mathcal {O}}\simeq \mathcal {O}_K/I$.

Proof

By assumption we have $\mathcal {C}_{\mathcal {O}}+I=\mathcal {O}_K$, so that the homomorphism $\mathcal {C}_{\mathcal {O}} \rightarrow \mathcal {O}_K/I$ is surjective. By Lemma 2.1, the set $I\cap \mathcal {O}$ is an $\mathcal {O}$-ideal coprime to $\mathcal {C}_{\mathcal {O}}$ so that $\mathcal {C}_{\mathcal {O}} + I\cap \mathcal {O}=\mathcal {O}$. This implies that the homomorphism $\mathcal {C}_{\mathcal {O}} \rightarrow \mathcal {O}/I\cap \mathcal {O}$ is surjective too. Both homomorphisms have kernel $I\cap \mathcal {C}_{\mathcal {O}}$. $\square $

Lemma 2.3

([Cona, Cor. 3.10]). Let $\mathcal {O}$ be an order in K and $\beta \in \mathcal {O}$ such that $\beta \mathcal {O}_K$ is coprime to $\mathcal {C}_{\mathcal {O}}$. Then $\beta \mathcal {O}_K\cap \mathcal {O}=\beta \mathcal {O}$.

Quotients of ideals. We will use the following result.

Lemma 2.4

([LPR10, Le. 2.14]). Let I and J two $\mathcal {O}_K$-ideals. Let $t\in I$ such that the ideals $t\cdot I^{-1}$ and J are coprime and let $\mathcal {M}$ be any fractional $\mathcal {O}_K$-ideal. Then the function $\theta _t:\mathcal {M}\rightarrow \mathcal {M}$ defined as $\theta _t(x)=t\cdot x$ induces an $\mathcal {O}_K$-module isomorphism from $\mathcal {M}/J\mathcal {M}$ to $I\mathcal {M}/IJ\mathcal {M}$.

The authors of [LPR10] also gave an explicit way to obtain a suitable t by solving a set of conditions stemming from the Chinese Remainder Theorem. However, this construction does not give good control on the magnitudes of the Minkowski embeddings of t.

2.2 Lattices

For the remainder of this article, a lattice is defined as a full-rank discrete additive subgroup of an $\mathbb {R}$-vector space V which is a Cartesian power $H^m$ (for $m\ge 1$) of $H := \{ {\varvec{x}} \in \mathbb {R}^{s_1}\times \mathbb {C}^{2s_2}: \forall i \le s_2: x_{s_1+s_2+i} = \overline{x_{s_1+i}}\}$. This space H is sometimes called the “canonical” space. A given lattice $\mathcal L$ can be thought as the set of $\mathbb {Z}$-linear combinations $({\varvec{b}}_i)_i$ of some linearly independent vectors of V. These vectors are said to form a lattice basis, and we define the lattice determinant as $\det \mathcal L = (\det (\langle {\varvec{b}}_i, {\varvec{b}}_j \rangle )_{i,j})^{1/2}$ (it does not depend on the choice of the basis of $\mathcal L$). For $v\in V$, let $\Vert v\Vert =(\sum _{i\le \dim V} |v_i|^2)^{1/2}$ denote the standard Hermitian norm on V and $\Vert v\Vert _\infty = \max _{i\le \dim V} |v_i|$ denote the infinity norm. The minimum $\lambda _1(\mathcal L)$ is the Hermitian norm of a shortest non-zero element in $\mathcal L$. We define $\lambda _1^\infty (\mathcal L)$ similarly. If $\mathcal L$ is a lattice, then we define its dual as $\mathcal L^* = \{{\varvec{y}} \in V: {\varvec{y}}^T \mathcal {L} \subseteq \mathbb {Z}\}$.

Ideal lattices. While it is possible to associate lattices with fractional ideals of a number ring, we will not need it. Any fractional $\mathcal {O}_K$-ideal I is a free $\mathbb {Z}$-module of rank $n= \deg (K)$, i.e., it can be written as $\mathbb {Z}u_1+\cdots +\mathbb {Z}u_n$ for some $u_i$’s in K. Its canonical embedding $\sigma (I)$ is a lattice of dimension n in the $\mathbb {R}$-vector space $H \subseteq \mathbb {R}^{s_1}\times \mathbb {C}^{2s_2}$. Such a lattice is called an ideal lattice (for $\mathcal {O}_K$). For the sake of readability, we will abuse notations and often identify I and $\sigma (I)$. It is possible to look at the coefficient embedding of such lattices as well, but we will not need it in this work. The lattice corresponding to $I^{\vee }$ is $\overline{I^*}$. The discriminant of K satisfies $\varDelta _K = (\det \mathcal {O}_K)^2$. In the following lemma, the upper bounds follow from Minkowski’s theorem whereas the lower bounds are a consequence of the algebraic structure underlying ideal lattices.

Lemma 2.5

(Adapted from [PR07, Se. 6.1]). Let K be a number field of degree n. For any fractional $\mathcal {O}_K$-ideal I, we have:

$$ \begin{array}{ccccc} \sqrt{n} \cdot \mathcal N(I)^{1/n} &{}\le &{} \lambda _1(I) &{}\le &{} \sqrt{n} \cdot (\mathcal N(I) \sqrt{\varDelta _K})^{1/n}, \\ \mathcal N(I)^{1/n} &{}\le &{} \lambda _1^{\infty }(I) &{}\le &{} (\mathcal N(I) \sqrt{\varDelta _K})^{1/n}. \end{array} $$

Gaussians. It is standard practice in the $\mathsf {RLWE}$ setting to consider Gaussian distributions with diagonal covariance matrices. In this work, we will be interested in the behavior of samples after linear transformations that are not necessarily diagonal. As the resulting covariance matrix may not be diagonal, we adopt a more general framework. Let $\varvec{\Sigma } \succ 0$, i.e., a symmetric positive definite matrix. We define the Gaussian function on $\mathbb {R}^n$ of covariance matrix $\varvec{\Sigma }$ as $\rho _{\varvec{\Sigma }}(\mathbf{x}):=\exp (-\pi \cdot \mathbf{x}^T\varvec{\Sigma }^{-1} \mathbf{x})$ for every vector $\mathbf{x}\in \mathbb {R}^n$. The Gaussian distribution $D_{\varvec{\Sigma }}$ is the probability distribution whose density is proportional to $\rho _{\varvec{\Sigma }}$. When $\varvec{\Sigma } = \mathrm {diag}(r_i^2)_i$ for some ${\varvec{r}}\in \mathbb {R}^n$, we write $\rho _{{\varvec{r}}}$ and $D_{{\varvec{r}}}$, respectively.

Let $({\varvec{e}}_i)_{i\le n}$ be the canonical basis of $\mathbb {C}^n$. We define ${\varvec{h}}_i = {\varvec{e}}_i$ for $i\le s_1$, and ${\varvec{h}}_{s_1+i} = ({\varvec{e}}_{s_1+i}+{\varvec{e}}_{s_1+s_2+i})/\sqrt{2}$ and ${\varvec{h}}_{s_1+s_2+i} = ({\varvec{e}}_{s_1+i}-{\varvec{e}}_{s_1+s_2+i})/\sqrt{-2}$ for $i \le s_2$. The ${\varvec{h}}_i$’s form an orthonormal $\mathbb {R}$-basis of H. We define the Gaussian distribution $D_{\varvec{\Sigma }}^H$ as the distribution obtained by sampling $x\hookleftarrow D_{\varvec{\Sigma }}$ and returning $\sum _i x_i {\varvec{h}}_i$. We will repeatedly use the observation that if ${\varvec{x}}$ is sampled from $D_{\varvec{\Sigma }}^H$ and t belongs to $K_{\mathbb {R}}$, then $t \cdot {\varvec{x}}$ is distributed as $D_{\varvec{\Sigma }'}^H$ with $\varvec{\Sigma }'=\mathrm {diag}(|\sigma _i(t)|)\cdot \varvec{\Sigma }\cdot \mathrm {diag}(|\sigma _i(t)|)$.

For a lattice $\mathcal L$ over $V = H^m$ (for some $m \ge 1$) and a coset ${\varvec{c}} \in V/\mathcal {L}$, we let $D_{\mathcal L + {\varvec{c}}, r}$ denote the discretization of $D_{r\mathbf{I}}^H$ over $\mathcal L + {\varvec{c}}$ (we omit the subscript for $D_{\mathcal L + {\varvec{c}}, r}$ as all our lattices are over Cartesian powers of H). For $\varepsilon >0$, we define the smoothing parameter $\eta _{\varepsilon } (\mathcal L)$ as the smallest $r>0$ such that $\rho _{(1/r) \mathbf{I}} (\mathcal L^* \setminus {\varvec{0}}) \le \varepsilon $. We have the following upper bounds.

Lemma 2.6

([MR04, Le. 3.3]). For any lattice $\mathcal L$ over $H^m$ and $\varepsilon \in (0,1)$, we have $\eta _\varepsilon (\mathcal L)\le \sqrt{\log (2mn (1+1/\varepsilon ))/\pi }/\lambda _1^\infty (\mathcal L^*)$.

Lemma 2.7

(Adapted from [PR07, Le. 6.5]). For any $\mathcal {O}_K$-ideal I and $\varepsilon \in (0,1)$, we have $\eta _\varepsilon (I)\le \sqrt{\log (2n(1+1/\varepsilon )) / (\pi n)} \cdot ({\mathcal N}(I) \varDelta _K)^{1/n}$.

The following are standard applications of the smoothing parameter.

Lemma 2.8

([GPV08, Cor. 2.8]). Let $\mathcal {L}'\subseteq \mathcal {L}$ be full-rank lattices, $\varepsilon \in (0,1/2)$ and $r\ge \eta _\varepsilon (\mathcal {L}')$. Then $\varDelta (D_{\mathcal {L},r} \bmod \mathcal {L}', U(\mathcal {L}/\mathcal {L}')) \le 2 \varepsilon $.

Lemma 2.9

([PR06, Le. 2.11]). Let $\mathcal {L}$ be an n-dimensional lattice, $\varepsilon \in (0,1/3)$ and $r\ge 4\eta _\varepsilon (\mathcal {L})$. Then $D_{\mathcal {L},r} ({\varvec{0}}) \le 2^{-2n+1}$.

Lemma 2.10

(Adapted from [MR04, Le. 4.4]). Let $\mathcal {L}$ be an n-dimensional lattice, $\varepsilon \in (0,1/3)$ and $r \ge \eta _\varepsilon (\mathcal {L})$. Then $\Pr _{{\varvec{x}} \hookleftarrow D_{\mathcal {L}, r}}[ \Vert {\varvec{x}}\Vert \ge 2r \sqrt{n}] \le 2^{-2n}$.

2.3 Computational Problems

We now formally define the computational problems we will study.

Definition 2.11

($\mathsf {RLWE}$ and $\mathsf {PLWE}$ distributions). Let K a degree n number field defined by f, $\mathcal {O}_K$ its ring of integers, $\varvec{\Sigma } \succ 0$ and $q\ge 2$.

For $s \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $, we define the dual-$\mathsf {RLWE}$ distribution $\mathcal {A}_{s,\varvec{\Sigma }}^\vee $ as the distribution over $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^\vee $ obtained by sampling $a\hookleftarrow U(\mathcal {O}_K/q\mathcal {O}_K)$, $e\hookleftarrow D_{\varvec{\Sigma }}^H$ and returning the pair $(a,a\cdot s+e)$.

For $s \in \mathcal {O}_K/q\mathcal {O}_K$, we define the primal-$\mathsf {RLWE}$ distribution $\mathcal {A}_{s,\varvec{\Sigma }}$ as the distribution over $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K$ obtained by sampling $a\hookleftarrow U(\mathcal {O}_K/q\mathcal {O}_K)$, $e\hookleftarrow D_{\varvec{\Sigma }}^H$ and returning the pair $(a,a\cdot s+e)$.

For $s \in \mathbb {Z}_q[x]/f$, we define the $\mathsf {PLWE}$ distribution $\mathcal {B}_{s,\varvec{\Sigma }}$ as the distribution over $\mathbb {Z}_q[x]/f \times \mathbb {R}_q[x]/f$ obtained by sampling $a\hookleftarrow U(\mathbb {Z}_q[x]/f)$, $e\hookleftarrow D_{\varvec{\mathsf {\Sigma }}}$ and returning the pair $(a,a\cdot s+e)$ (with $\mathbb {R}_q = \mathbb {R}/q\mathbb {Z}$).

In the definition above, we identified the support H of $D_{\varvec{\Sigma }}^H$ with $K_{\mathbb {R}}$, and the support $\mathbb {R}^n$ of $D_{\varvec{\Sigma }}$ with $\mathbb {R}[x]/f$. Note that sampling from $\mathcal {A}_{s,\varvec{\Sigma }}^\vee $ and $\mathcal {A}_{s,\varvec{\Sigma }}$ seems to require the knowledge of a basis of $\mathcal {O}_K$. It is not known to be computable in polynomial-time from a defining polynomial f of an arbitrary K. In this article, we assume that a basis of $\mathcal {O}_K$ is known.

Definition 2.12

(The $\mathsf {RLWE}$ and $\mathsf {PLWE}$ problems). We use the same notations as above. Further, we let $\mathcal {E}_{\succ }$ be a subset of $\varSigma \succ 0$ and $D_{\succ }$ be a distribution over $\varSigma \succ 0$.

Search dual-$\mathsf {RLWE}_{q,\mathcal {E}_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$) consists in finding s from a sampler from $\mathcal {A}_{s,\varvec{\Sigma }}^\vee $ (resp. $\mathcal {A}_{s,\varvec{\Sigma }}$ and $\mathcal {B}_{s,\varvec{\Sigma }}$), where $s \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ (resp. $s \in \mathcal {O}_K/q\mathcal {O}_K$ and $s \in \mathbb {Z}_q[x]/f$) and $\varvec{\Sigma } \in \mathcal {E}_{\succ }$ are arbitrary.

Decision dual-$\mathsf {RLWE}_{q,D_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$) consists in distinguishing between a sampler from $\mathcal {A}_{s,\varvec{\Sigma }}^\vee $ (resp. $\mathcal {A}_{s,\varvec{\Sigma }}$ and $\mathcal {B}_{s,\varvec{\Sigma }}$) and a uniform sampler over $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^\vee $ (resp. $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K$ and $\mathbb {Z}_q[x]/f \times \mathbb {R}_q[x]/f$), with non-negligible probability over $s \hookleftarrow \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ (resp. $s \in \mathcal {O}_K/q\mathcal {O}_K$ and $s \in \mathbb {Z}_q[x]/f$) and $\varvec{\Sigma } \hookleftarrow D_{\succ }$.

The problems above are in fact defined for sequences of number fields of growing degrees n such that the bit-size of the problem description grows at most polynomially in n. The run-times, success probabilities and distinguishing advantages of the algorithms solving the problems are considered asymptotically as functions of n.

The following reduction from dual-$\mathsf {RLWE}$ to primal-$\mathsf {RLWE}$ is a consequence of Lemma 2.4. A proof is given in the full version.

Theorem 2.13

(Adapted from [Pei16, Se. 2.3.2]). Let $\varvec{\Sigma } \succ 0$ and $s \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $. Let $t \in (\mathcal {O}_K^\vee )^{-1}$ such that $t (\mathcal {O}_K^\vee )+q\mathcal {O}_K=\mathcal {O}_K$. Then the map $(a, b) \mapsto (a, t \cdot b)$ transforms $\mathcal A_{s,\varvec{\Sigma }}^\vee $ to $\mathcal A_{t\cdot s, \varvec{\Sigma }'}$ and $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^\vee )$ into $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K)$, with $\varvec{\Sigma }'=\mathrm {diag}(|\sigma _i(t)|)\cdot \varvec{\Sigma }\cdot \mathrm {diag}(|\sigma _i(t)|)$. The natural inclusion $\mathcal {O}_K\rightarrow \mathcal {O}_K^\vee $ induces a map that transforms $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K)$ to $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^\vee )$, and $\mathcal A_{s, \varvec{\Sigma }}$ to $\mathcal A_{s, \varvec{\Sigma }}^\vee $.

We will consider variants of the decision problems for which the distinguishing must occur for all $s \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ (resp. $s \in \mathcal {O}_K/q\mathcal {O}_K$ and $s \in \mathbb {Z}_q[x]/f$) and all $\varvec{\Sigma }\succ 0$ rather than with non-negligible probability over s. We call this variant worst-case decision dual-$\mathsf {RLWE}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$). Under some conditions on $D_{\succ }$ and $\mathcal {E}_{\succ }$, these variants are computationally equivalent.

Lemma 2.14

(Adapted from [LPR10, Se. 5.2]). We use the same notations as above. If $\Pr _{\varvec{\Sigma } \hookleftarrow D_{\succ }}[\varvec{\Sigma } \notin \mathcal {E}_{\succ }] \le 2^{-n}$, then decision dual-$\mathsf {RLWE}_{q,D_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$) reduces to worst-case decision dual-$\mathsf {RLWE}_{q, \mathcal {E}_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$).

Assume further that $D_{\succ }$ can be sampled from in polynomial-time. If $\max _{\varvec{\Sigma } \in \mathcal {E}_{\succ }} R( D_{\succ } \Vert D_{\succ }+\varvec{\Sigma }) \le \mathrm {poly}(n)$, then worst-case decision dual-$\mathsf {RLWE}_{q, \mathcal {E}_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$) reduces to decision dual-$\mathsf {RLWE}_{q,D_{\succ }}$ (resp. primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$).

Note that it is permissible to use the Rényi divergence here even though we are considering decision problems. Indeed, the argument is applied to the random choice of the noise distribution and not to the distinguishing advantage. The same argument has been previously used in [LPR10, Se. 5.2].

Proof

The first statement is direct. We prove the second statement only for dual-$\mathsf {RLWE}$, as the proofs for primal-$\mathsf {RLWE}$ and $\mathsf {PLWE}$ are direct adaptations. Assume we are given a sampler that outputs $(a_i,b_i)$ with $a_i\hookleftarrow U(\mathcal {O}_K/q\mathcal {O}_K)$ and $b_i$ either uniform in $K_{\mathbb {R}}/q\mathcal {O}_K^\vee $ or of the form $b_i = a_i s + e_i$ with $s \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ and $e_i \hookleftarrow D_{\varvec{\Sigma }}^H$. The reduction proceeds by sampling $s' \hookleftarrow U(\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee )$ and $\varvec{\Sigma }' \hookleftarrow D_{\succ }$, and mapping all input $(a_i,b_i)$’s to $(a_i', b_i') = (a_i, b_i + a_i s' + e_i')$ with $e_i' \hookleftarrow D_{\varvec{\Sigma }'}^H$. This transformation maps the uniform distribution to itself, and $\mathcal {A}_{s,\varvec{\Sigma }}^\vee $ to $\mathcal {A}_{s+s',\varvec{\Sigma }''}^\vee $ with $\varvec{\Sigma }''_{ij} = \varvec{\Sigma }_{ij} + \varvec{\Sigma }'_{ij}$ for all i, j. If the success probability (success being enjoying a non-negligible distinguishing advantage) over the error parameter sampled from $D_{\succ }$ is non-negligible, then so is it for the error parameter sampled $ D_{\succ }+\varvec{\Sigma }$, as, by assumption, the Rényi divergence $R( D_{\succ } \Vert D_{\succ }+\varvec{\Sigma })$ is polynomially bounded. $\square $

Many choices of $ D_{\succ }$ and $\mathcal {E}_{\succ }$ satisfy the conditions of Lemma 2.14. The following is inspired from [LPR10, Se. 5.2]. We define the distribution $\mathcal {E}_{\succ }$ as follows, for an arbitrary r: Let $s_{ij} = r^2 (1+n x_{ij})$ for all $i>j$, $s_{ii} = r^2 (1+n^3 x_{ii})$ for all i and $s_{ij} = s_{ji}$ for all $i<j$, where the $x_{ij}$’s are independent samples from the $\varGamma (2,1)$ distribution (of density function $x \mapsto x\exp (-x)$); the output matrix is $(s_{ij})_{ij}$. Note that it is symmetric and strictly diagonally dominant (and hence $\succ 0$) with probability $1 -2^{-\varOmega (n)}$. Then the set of all $\varSigma \succ 0$ with coefficients of magnitudes ${\le }r^2n^4$ satisfies the first condition of Lemma 2.14, and the set of all $\varSigma \succ 0$ with coefficients of magnitudes ${\le }r^2$ satisfies the second condition of Lemma 2.14. We can hence switch from one variant to the other while incurring an error rate increase that is ${\le }\mathrm {poly}(n)$.

3 Controlling Noise Growth in Dual to Primal Reduction

The reduction of Theorem 2.13 is built upon the existence of t as in Lemma 2.4. While this existence is guaranteed constructively by [LPR10], the size is not controlled by the construction. Another t that satisfies the conditions is $t = f'(\alpha )$, where $f'$ is the derivative of f defining $K = \mathbb {Q}[\alpha ]$. Indeed, from [Conb, Rem. 4.5], we know that $f'(\alpha )\in (\mathcal {O}_K^\vee )^{-1}$. However, the noise growth incurred by multiplication by $f'(\alpha )$ may be rather large in general: we have $N(f'(\alpha ))=\varDelta _f=[\mathcal {O}_K:\mathbb {Z}[\alpha ]]^2\cdot \mathcal {N}((\mathcal {O}_K^\vee )^{-1})$.

In this section, we give a probabilistic proof that adequate t’s with controlled size can be found by Gaussian sampling.

Let I and J be integral ideals of $\mathcal {O}_K$. Theorem 3.1 below states that a Gaussian sample t in I is such that $t\cdot I^{-1}+J=\mathcal {O}_K$ with non-negligible probability. The main technical hurdle is to show that the sample is not trapped in $IJ'$ with $J'$ a non-trivial factor of J. We handle this probability in different ways depending on the algebraic norm of $J'$, extending an idea used in [SS13, Se. 4].

For small-norm factors $J'$ of J, the Gaussian folded modulo $IJ'$ is essentially uniform over $I/IJ'$, by Lemma 2.8. This requires the standard deviation parameter s to be above the smoothing parameter of $IJ'$. We use the smoothing parameter bound from Lemma 2.7.
For large-norm factors $J'$, we argue that the non-zero points of $IJ'$ are very unlikely to be hit, thanks to the Gaussian tail bound given in Lemma 2.10 and the fact that the lattice minimum of $IJ'$ is large, by Lemma 2.5.
For middle-norm factors $J'$, neither of the arguments above applies. Instead, we bound the probability that t belongs to $IJ'$ by the probability that t belongs to $IJ''$, where $J''$ is a non-trivial factor of $J'$, and use the first argument above. The factor $J''$ must be significantly denser than $J'$ so that we have smoothing. But it should also be significantly sparser than $\mathcal {O}_K$ so that the upper bound is not too large.

Setting the standard deviation parameter of the discrete Gaussian so that at least one of the three arguments above applies is non-trivial. In particular, this highly depends on how the ideal J factors into primes (whether the pieces are numerous, balanced, unbalanced, etc.). The choice we make below works in all cases while still providing a reasonably readable proof and still being sufficient for our needs, from an asymptotic perspective. In many cases, better choices can be made. If J is prime, we can take a very small s and use only the second argument. If all factors of J are small, there is good enough ‘granularity’ in the factorization to use the third argument, and again s can be chosen very small.

Theorem 3.1

Let I and J be integral $\mathcal {O}_K$-ideals, and write $J=\mathfrak {p}_1^{e_1}\ldots \mathfrak {p}_k^{e_k}$ for some prime ideals $\mathfrak {p}_i$. We sort the $\mathfrak {p}_i$’s by non-decreasing algebraic norms. Assume that we can take $\delta \in [\frac{4n+\log _2 \varDelta _K}{\log _2 \mathcal N(J)}, 1]$.^{Footnote 2} We define:

$$s={\left\{ \begin{array}{ll}\left( \mathcal N(J)^{1/2}\mathcal N(I)\varDelta _K\right) ^{1/n}~~~~~\text {if}~~~\mathcal N(\mathfrak {p}_k)\ge \mathcal N(J)^{1/2+\delta },\\ \left( \mathcal N(J)^{1/2+2\delta }\mathcal N(I)\varDelta _K\right) ^{1/n}~\text {else}. \end{array}\right. }$$

Then we have

Proof

We bound the probability P of the negation, from above. We have

We rewrite it as $P = P_1 + P_2$ with

We have $P_1 \le 1- (1-1/\mathcal N(\mathfrak {p}_1))^k \le k/\mathcal N(\mathfrak {p}_1)$. Our task is now to bound $P_2$.

Assume first that $\mathcal N(\mathfrak {p}_k) \ge \mathcal N(J)^{1/2+\delta }$. This implies that $\prod _{i\in S} \mathcal N(\mathfrak {p}_i) \le \mathcal N(J)^{1/2-\delta }$ for all $S\subseteq [k]$ not containing k. By Lemma 2.7, we have $s\ge \eta _\varepsilon (I\prod _{i\in S}\mathfrak {p}_i)$ for all such S’s, with $\varepsilon = 2^{-2n}$. We “smooth” out those ideals, i.e., we use Lemma 2.8 to obtain, for all $S\subseteq [k]\setminus \lbrace k\rbrace $:

Now if S is a subset containing k, then we have $\mathcal {N}(\prod _{i\in S}\mathfrak {p}_i) \ge \mathcal N(J)^{1/2+\delta }$. By Lemma 2.5, we have $\lambda _1(I\prod _{i\in S}\mathfrak {p}_i)\ge \sqrt{n} \cdot \mathcal N(I)^{1/n}\mathcal N(J)^{(1/2 + \delta )/n}$. On the other hand, by Lemma 2.10, we have $\Pr _{t\hookleftarrow D_{I,s}}[ \Vert t\Vert \ge 2 s\sqrt{n} ]\le 2^{-2n}$. Thanks to our choice of s, the assumption on $\delta $ and Lemma 2.9, we obtain

This allows us to bound $P_2$ as follows:

$$ P_2 \le 2^k \cdot \left( \varepsilon + 2^{-2n+2} + \mathcal N(J)^{-(1/2+\delta )} \right) . $$

By assumption on $\delta $, we have $\mathcal N(J) \ge 2^{2n}$ and $P_2 \le 2^{-n+3}$. This completes the proof for the large $\mathcal N(\mathfrak {p}_k)$ case.

Now, assume that $\mathcal N(\mathfrak {p}_k) < \mathcal N(J)^{1/2+2\delta }$. Then, as above, the definition of s implies that, for any $S\subseteq [k]$ with $\mathcal N(\prod _{i\in S} \mathfrak {p}_i)\le \mathcal N(J)^{1/2+\delta }$, we have $| \Pr [ t\in I\prod _{i\in S} \mathfrak {p}_i] - 1/\prod _{i\in S}\mathcal N(\mathfrak {p}_i)| \le 2^{-2n+1}$. Also as above, if we have $\mathcal N(\prod _{i\in S} \mathfrak {p}_i)\ge \mathcal N(J)^{1/2+3\delta }$, then $\lambda _1(I\prod _{i\in S}\mathfrak {p}_i)$ is too large for a non-zero element of $I\prod _{i\in S}\mathfrak {p}_i$ to be hit with significant probability. Assume finally that

$$ \mathcal N(J)^{1/2+2\delta } \le \mathcal N(\prod _{i\in S} \mathfrak {p}_i)\le \mathcal N(J)^{1/2+3\delta }. $$

As $\mathcal N(\mathfrak {p}_k) < \mathcal N(J)^{1/2+\delta }$, there exists $S' \subseteq S$ such that

$$ \mathcal N(J)^{\delta } \le \mathcal N(\prod _{i\in S'} \mathfrak {p}_i)\le \mathcal N(J)^{1/2+2\delta }. $$

By inclusion, we have that $\Pr [ t\in I\prod _{i\in S} \mathfrak {p}_i] \le \Pr [ t\in I\prod _{i\in S'} \mathfrak {p}_i]$. Now, as the norm of $\prod _{i\in S'} \mathfrak {p}_i$ is small enough, we can use the smoothing argument above to claim that

By assumption on $\delta $, the latter is ${\le }2^{-n+2}$. Collecting terms allows to complete the proof. $\square $

The next corollary shows that the needed t can be found with non-negligible probability.

Corollary 3.2

Let I be an integral $\mathcal {O}_K$-ideal. Let $q \ge \max (2n,2^{16} \cdot \varDelta _K^{8/n})$ be a prime rational integer and $\mathfrak {p}_k$ a prime factor of $q \mathcal {O}_K$ with largest norm. We define:

$$s={\left\{ \begin{array}{ll} q^{1/2} \cdot \left( \mathcal N(I)\varDelta _K\right) ^{1/n}~\text {if}~~~\mathcal N(\mathfrak {p}_k)\ge q^{(5/8) \cdot n},\\ q^{3/4} \cdot \left( \mathcal N(I)\varDelta _K\right) ^{1/n}~\text {else}. \end{array}\right. }$$

Then, for sufficiently large n, we have

Proof

The result follows from applying Theorem 3.1 with $J = q \mathcal {O}_K$ and $\delta = 1/8$. The first lower bound on q ensures that $k/ \mathcal N(\mathfrak {p}_1) \le 1/2$, where $k \le n$ denotes the number of prime factors of $q \mathcal {O}_K$ and $\mathfrak {p}_1$ denotes a factor with smallest algebraic norm. The second lower bound on q ensures that we can indeed set $\delta = 1/8$. $\square $

We insist again on the fact that the required lower bounds on s can be much improved under specific assumptions on the factorization of q. For example, one could choose a q such that all the factors of $q\mathcal {O}_K$ have large norms, by sampling q randomly and checking its primality and the factorization of the defining polynomial f modulo q. In that case, the factors $q^{1/2}$ and $q^{3/4}$ can be decreased drastically.

We note that if the noise increase incurred by a reduction from an LWE-type problem to another is bounded as $n^c_1 \cdot q^c_2$ for some $c_1 <1$ and some $c_2 >0$, then one may set the working modulus q so that the starting LWE problem has a sufficient amount of noise to not be trivially easy to solve, and the ending LWE problem has not enough noise to be information-theoretically impossible to solve (else the reduction would be vacuous). Indeed, it suffices to set q sufficiently larger than $n^{c_1/(1-c_2)}$.

4 From Primal-$\mathsf {RLWE}$ to $\mathsf {PLWE}$

The goal of this section is to describe a reduction from primal-$\mathsf {RLWE}$ to $\mathsf {PLWE}$. As an intermediate step, we first consider a reduction from primal-$\mathsf {RLWE}$ to a variant $\mathsf {PLWE}^\sigma $ of $\mathsf {PLWE}$ where the noise is small with respect to the Minkowski embedding rather than the coefficient embedding. Then, we assess the noise distortion when looking at its Minkowski embedding versus its coefficient embedding.

If $K=\mathbb {Q}[x]/f$ for some $f=\prod _{j\le n}(x-\alpha _j)$, the associated Vandermonde matrix $V_f$ has jth row $(1, \alpha _j, \cdots , \alpha _j^{n-1})$ and corresponds to the linear map between the coefficient and Minkowski embedding spaces. Thus a good approximation of the distortion is given by the condition number $\mathrm{Cond}(V_f)=s_n/s_1$, where the $s_i$’s refer to the largest/smallest singular values of $V_f$. As we also have $\mathrm{Cond}(V_f)=\Vert V_f\Vert \cdot \Vert V_f^{-1}\Vert $, these matrix norms also quantify how much $V_f$ distorts the space. For a restricted, yet exponentially large, family of polynomials defining number fields, we show that both $\Vert V_f\Vert $ and $\Vert V_f^{-1}\Vert $ are polynomially bounded.

To do this, we start from $f_{n,a}=x^n-a$ whose distortion is easily computable. Then we add a “small perturbation” to this polynomial. Intuitively, the roots of the resulting polynomial should not move much, so that the norms of the “perturbed” Vandermonde matrices should be essentially the same. We formalize this intuition in Sect. 4.2 and locate the roots of the perturbed polynomial using Rouché’s theorem.

Mapping a sample of $\mathsf {PLWE}^\sigma $ to a sample of the corresponding $\mathsf {PLWE}$ simply consists in changing the geometry of the noise distribution. A noise distribution with covariance matrix $\mathbf{\Sigma }$ in the Minkowski embedding corresponds to a noise distribution of covariance matrice $(V_f^{-1})^{T}\mathbf{\Sigma }V_f^{-1}$ in the coefficient space. The converse is also true, replacing $V_f^{-1}$ by $V_f$. Moreover, the noise growths incurred by the reductions remain limited whenever $\Vert V_f\Vert $ and $\Vert V_f^{-1}\Vert $ are small.

Overall, reductions between primal-$\mathsf {RLWE}$ to $\mathsf {PLWE}$ can be obtained by combining Theorems 4.2 and 4.7 below (with Lemma 2.14 to randomize the noise distributions).

4.1 Reducing Primal-$\mathsf {RLWE}$ to $\mathsf {PLWE}^\sigma $

We keep the notations of the previous section, and let $\mathbb {Z}[x]/(f)=\mathcal {O}$.

Definition 4.1

(The $\mathsf {PLWE}^\sigma $ problem). Let also $\mathbf{\Sigma }$ be a positive definite matrix, and $q\ge 2$. For $s \in \mathcal {O}/q\mathcal {O}$, we define the $\mathsf {PLWE}^{\sigma }$ distribution $\mathcal {B}_{s,\mathbf{\Sigma }}^{\sigma }$ as the distribution over $\mathcal {O}/q\mathcal {O}\times K_{\mathbb {R}}/q\mathcal {O}$ obtained by sampling $a\hookleftarrow U(\mathcal {O}/q\mathcal {O})$, $e\hookleftarrow D_{\mathbf{\Sigma }}^H$ and returning the pair $(a,a\cdot s+e)$

Let $ D_{\succ }$ be a distribution over $\varSigma \succ 0$. Decision $\mathsf {PLWE}^{\sigma }$ consists in distinguishing between a sampler from $\mathcal {B}_{s,\mathbf{\Sigma }}^{\sigma }$ and a uniform sampler over $\mathcal {O}/q\mathcal {O}\times K_{\mathbb {R}}/q\mathcal {O}$, with non-negligible probability over $s\hookleftarrow \mathcal {O}/q\mathcal {O}$ and $\mathbf{\Sigma }\hookleftarrow D_{\succ }$.

Theorem 4.2

Assume that $q\mathcal {O}_K+ \mathcal {C}_{\mathcal {O}}=\mathcal {O}_K$. Let $\mathbf{\Sigma }$ be a positive definite matrix and $s \in \mathcal {O}_K/q\mathcal {O}_K$. Let $t\in \mathcal {C}_{\mathcal {O}}$ such that $t\mathcal {C}_{\mathcal {O}}^{-1}+q\mathcal {O}_K=\mathcal {O}_K$. Then the map $(a, b) \mapsto (t \cdot a, t^2 \cdot b)$ transforms $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K)$ to $U(\mathcal {O}/q\mathcal {O}\times K_{\mathbb {R}}/q\mathcal {O})$ and $\mathcal A_{s,\mathbf{\Sigma }}$ to $\mathcal B_{t\cdot s, \mathbf{\Sigma }'}^\sigma $, where the new covariance is $\mathbf{\Sigma }'=\mathrm {diag}(|\sigma (t_i)|^2) \cdot \mathbf{\Sigma }\cdot \mathrm {diag}(|\sigma _i(t)|^2)$.

Let $\mathcal B_{s,\varvec{\Sigma }}^\sigma $ be a $\mathsf {PLWE}^\sigma $ distribution. The natural inclusion $\mathcal {O}\rightarrow \mathcal {O}_K$ induces a map that transforms $U(\mathcal {O}/q\mathcal {O}\times K_{\mathbb {R}}/q\mathcal {O})$ to $U(\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K)$ and $\mathcal B_{s,\mathbf{\Sigma }}^\sigma $ to $\mathcal A_{s, \mathbf{\Sigma }}$.

Proof

Let $(a,b=a\cdot s+e)$ be distributed as $\mathcal A_{s,\mathbf{\Sigma }}$. Let $a'=t \cdot a$ and $b'=t^2 \cdot b=a'\cdot (t \cdot s)+e'$, with $e'=t^2 \cdot e$. Then $a'$ is uniformly distributed in $\mathcal {C}_{\mathcal {O}}/q\mathcal {C}_{\mathcal {O}}$ by applying Lemma 2.4 for $I=\mathcal {C}_{\mathcal {O}}$, $J=q\mathcal {O}_K$ and $\mathcal {M}=\mathcal {O}_K$. It is also uniformly distributed in $\mathcal {O}/q\mathcal {O}$ by combining Lemmas 2.2 and 2.3. The noise follows the claimed distribution, see the observation in Sect. 2.2. The fact that $t \cdot s \in \mathcal {O}/q\mathcal {O}$ completes the proof that $\mathcal A_{s,\mathbf{\Sigma }}$ is mapped to $\mathcal B_{t \cdot s, \mathbf{\Sigma }'}^\sigma $.

Now, let (a, b) be uniform in $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K$. We already know that $a'$ is uniformly distributed in $\mathcal {O}/q\mathcal {O}$. Let us now consider the distribution of $b'$. Thanks to the assumption on $q\mathcal {O}_K$, we also have $t^2\mathcal {C}_{\mathcal {O}}^{-1}+q\mathcal {O}_K=\mathcal {O}_K$. Therefore, by Lemma 2.4, multiplication by $t^2$ induces an isomorphism $\mathcal {O}_K/q\mathcal {O}_K\simeq \mathcal {C}_{\mathcal {O}}/q\mathcal {C}_{\mathcal {O}}$, and hence, by Lemmas 2.2 and 2.3, an isomorphism $\mathcal {O}_K/q\mathcal {O}_K\simeq \mathcal {O}/q\mathcal {O}$. This gives the first reduction.

We now turn to the converse reduction. By coprimality and Lemmas 2.2 and 2.4, we have $|\mathcal {O}/q\mathcal {O}|=|\mathcal {O}_K/q\mathcal {O}_K|$. This implies that any (a, b) uniform in $\mathcal {O}/q\mathcal {O}\times K_{\mathbb {R}}/q\mathcal {O}$ is also uniform in $\mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K$. The inclusion $\mathcal {O}\subseteq \mathcal {O}_K$ allows to conclude. $\square $

As Theorem 2.13, Theorem 4.2 relies on a the existence of a good multiplier. Writing $K=\mathbb {Q}[x]/(f)=\mathbb {Q}[\alpha ]$ and $\mathcal {O}=\mathbb {Z}[\alpha ]$, the element $f'(\alpha )$ again satisfies the constraints. Indeed, we know that $\mathcal {O}^\vee =\frac{1}{f'(\alpha )}\mathcal {O}$ (see [Conb, Th. 3.7]), and we have the inclusion $\mathcal {O}_K\subseteq \mathcal {O}^\vee $. Multiplying by $f'(\alpha )$, we obtain $ f'(\alpha )\mathcal {O}_K\subseteq \mathcal {O}.$ By definition, this means that $f'(\alpha ) \in \mathcal {C}_{\mathcal {O}}$, as claimed. While a large $f'(\alpha )$ would mean a large noise growth in the primal-$\mathsf {RLWE}$ to $\mathsf {PLWE}^\sigma $ reduction, we described in Sect. 3 how to find a smaller adequate multiplier if needed.

We have $\mathcal {N}(f'(\alpha ))=[\mathcal {O}_K:\mathbb {Z}[\alpha ]]^2\cdot \varDelta _K$, and, from [Ste17, p. 48], the prime factors of $[\mathcal {O}_K:\mathbb {Z}[\alpha ]]$ are exactly those of $\mathcal N(\mathcal {C}_{\mathcal {O}})$. Provided the valuations are not too high, there should be smaller elements in $\mathcal {C}_{\mathcal {O}}$ than $f'(\alpha )$. We provide in the full version concrete examples of number fields with defining polynomials f such that the norm of $f'(\alpha )$ is considerably larger than both the norms of $\mathcal {C}_{\mathcal {O}}$ and $(\mathcal {O}_K^\vee )^{-1}$.

4.2 Distortion Between Embeddings

To bound the norms of a Vandermonde matrix associated to a polynomial and its inverse, we study the magnitude of the roots and their pairwise distances. It is known that $\Vert V\Vert ^2=\text{ Tr }(V^*V)$, where $*$ denotes the transpose-conjugate operator. For Vandermonde matrices, this gives

$$\begin{aligned} \Vert V_f\Vert ^2 =\sum _{j \in [n]} \sum _{k \in [n]} |\alpha _j|^{2(k-1)}, \end{aligned}$$

(1)

which can be handled when the magnitudes of the $\alpha _j$’s are known. The entries of $V_{f}^{-1}=(w_{ij})$ have well-known expressions as:

$$\begin{aligned} w_{ij} = (-1)^{n-i}\dfrac{ e_{n-i}({\overline{\varvec{\alpha }}^j}) }{ \prod \limits _{k\ne j}(\alpha _j-\alpha _k) }, \end{aligned}$$

(2)

where $e_0= 1$, $e_{j}$ for $j >0$ stands for the elementary symmetric polynomial of total degree j in $n-1$ variables, and ${\overline{\varvec{\alpha }}}^j=(\alpha _1,\cdots , \alpha _{j-1},\alpha _{j+1},\cdots , \alpha _n)$, the vector of all roots but $\alpha _j$. We have the following useful relations with the symmetric functions $E_i$ of all the roots (for all j):

$$\begin{aligned} {\left\{ \begin{array}{ll}E_1(\varvec{\alpha }) =&{} \alpha _j + e_1({\overline{\varvec{\alpha }}}^j),\\ E_i(\varvec{\alpha }) =&{} \alpha _je_{i-1}({\overline{\varvec{\alpha }}}^j) + e_i({\overline{\varvec{\alpha }}}^j)~\text {for}~2\le i\le n-1,\\ E_n(\varvec{\alpha }) =&{} \alpha _je_{n-1}({\overline{\varvec{\alpha }}}^j). \end{array}\right. } \end{aligned}$$

(3)

Combining (3) with Vieta’s formulas, bounds on the magnitudes of the roots leads to bounds on the numerators of the $w_{ij}$’s. The denominators encode the separation of the roots, and deriving a precise lower bound turns out to be the main difficulty. By differentiating $f(x)=\prod _{j\in [n]} (x-\alpha _j)$, we note that $\prod _{k\ne j} |\alpha _j-\alpha _k|=|f'(\alpha _j)|$.

A family of polynomials with easily computable distortion. We first introduce a family of polynomials for which $\Vert V_f\Vert $ and $\Vert V_f^{-1}\Vert $ are both simple to estimate. For $n\ge 2$ and $a\ge 1$, we define $f_{n,a}=x^n-a$. The roots can be written^{Footnote 3} as $\alpha _j=a^{1/n}\mathrm {e}^{2\mathsf {i}\pi \frac{j}{n} }$, for $0\le j< n$. As these are scalings of the roots of unity, both their magnitude and separation are well-understood. With (1), we obtain $\Vert V_{f_{n,a}}\Vert \le na^{\frac{n-1}{n}} \le na$.

For any j, we readily compute $|f_{n,a}'(\alpha _j)|=na^{\frac{n-1}{n}}$. Using (3), we observe that $|e_i(\overline{\varvec{\alpha }}^j)|=|\alpha _j|^i$ for $1\le i< n$. We obtain that the row norm of $V_{f_{n,a}}^{-1}$ is given by its first row as

$$ \sum _{j\in [n]} |w_{1j}| = \dfrac{1}{na^{\frac{n-1}{n}}}\cdot \sum _{j\in [n]} |\alpha _j|^{n-1} = 1,$$

from which it follows that $\Vert V_{f_{n,a}}^{-1}\Vert \le \sqrt{n}$.

Small perturbations of $f_{n,a}$. Let $P(x)=\sum _{1 \le j \le \rho \cdot n} p_j x^j$ for some constant $\rho \in (0,1)$, where the $p_j$’s are a priori complex numbers. Locating the roots of $g_{n,a}=f_{n,a} + P$ is our first step towards estimating $\Vert V_{g_{n,a}}\Vert $ and $\Vert V_{g_{n,a}}^{-1}\Vert $. We will use the following version of Rouché’s theorem.

Theorem 4.3

(Rouché, adapted from [Con95, pp. 125–126]). Let f, P be complex polynomials, and let D be a disk in the complex plane. If for any z on the boundary $\partial D$ we have $|P(z)|< |f(z)|$, then f and $f+P$ have the same number of zeros inside D, where each zero is counted as many times as its multiplicity.

The lemma below allows to determine sufficient conditions on the parameters such that the assumptions of Theorem 4.3 hold. We consider small disks $D_k=D(\alpha _k, 1/n)$ of radius 1/n around the roots $\alpha _1, \cdots , \alpha _n$ of $f_{n,a}$, and we let $\partial D_k$ denote their respective boundaries. We let $\Vert P\Vert _1=\sum _j |p_j|$ denote the 1-norm of P.

Lemma 4.4

We have, for all $k\le n$ and $z\in \partial D_k$:

$$ |P(z)| \le (a\mathrm {e})^{\rho }\cdot \Vert P\Vert _1 \ ~{and}~ \ |f_{n,a}(z)| \ge a \left( 1-\cos (a^{-1/n}) - \frac{2 \mathrm {e}^{a^{-1/n}}}{n a^{2/n}}\right) . $$

Proof

Write $z=\alpha _k+\frac{\mathrm {e}^{\mathsf {i}t}}{n}$ for some $t\in [0,2\pi )$. We have $|z| \le a^{1/n}+1/n$, and hence $|z|^{\rho n}\le a^{\rho }\left( 1+\frac{1}{na^{1/n}}\right) ^{\rho n}$. The first claim follows from the inequality $|P(z)|\le \max (1, |z|^{\rho n})\cdot \Vert P\Vert _1$.

Next, we have $|f_{n,a}(z)|= a |(1+\frac{\mathrm {e}^{\mathsf {i}t'}}{na^{1/n}})^n - 1|$, where $t'=t-2k\pi /n$. W.l.o.g., we assume that $k=0$. Let $\mathrm{Log}$ denote the complex logarithm, defined on $\mathbb {C}\setminus \mathbb {R}^-$. Since the power series $\sum _{k\ge 1} (-1)^{k-1} u^k /k$ converges to $\mathrm{Log}(1+u)$ on the unit disk, we have $\mathrm{Log}(1+\frac{\mathrm {e}^{\mathsf {i}t}}{na^{1/n}})=\frac{\mathrm {e}^{\mathsf {i}t}}{na^{1/n}} + \delta $, for some $\delta $ satisfying $|\delta | \le |u| \cdot \sum _{k\ge 1} |u|^k/(k+1) \le |u|^2$ for $u = \frac{\mathrm {e}^{\mathsf {i}t}}{na^{1/n}}$ (note that it has modulus $\le 1/n \le 1/2$). Similarly, we can write $\exp (n\delta )=1+\varepsilon $ for some $\varepsilon $ satisfying $|\varepsilon | \le 2 n |\delta | \le 2/(na^{2/n})$. We hence have:

with $A=\exp (\mathrm {e}^{\mathsf {i}t} a^{-1/n})$. Elementary calculus leads to the inequalities $|A-1|>1-\cos (a^{-1/n})$ and $|A|\le \mathrm {e}^{a^{-1/n}}$ for all $t\in [0,2\pi )$. Details can be found in the full version. The second claim follows. $\square $

We note that when $a = 2^{o(n)}$ and n is sufficiently large, then the lower bound on $|f_{n,a}(z)|$ may be replaced by $|f_{n,a}(z)|>a/3$. To use Rouché’s theorem, it is then enough that $a, \rho $ and $\Vert P\Vert _1$ satisfy $ a > (3\mathrm {e}^\rho \Vert P\Vert _1)^{\frac{1}{1-\rho }}. $ We can now derive upper bounds on the norms of $V_{g_{n,a}}$ and its inverse.

Lemma 4.5

For any $a> (\Vert P\Vert _1\cdot C^{-1}\cdot \mathrm {e}^\rho )^{\frac{1}{1-\rho }}$ with $C=|1-\cos (a^{-1/n})-\frac{2\mathrm {e}^{a^{-1/n}}}{na^{2/n}}|$, we have:

$$ \Vert V_{g_{n,a}}\Vert \le an\mathrm {e}\ ~\text { and }~ \ \Vert V_{g_{n,a}}^{-1}\Vert \le n^{5/2} (\Vert P\Vert _1+1)a^{1/n}\mathrm {e}^2. $$

Proof

Let $\alpha _j=a^{1/n}\mathrm {e}^{2\mathsf {i}\pi j/n}$ be the roots of $f_{n,a}$ (for $0\le j <n$). Thanks to the assumptions and Lemma 4.4, Theorem 4.3 allows us to locate the roots $(\beta _j)_{0 \le j < n}$ of $g_{n,a}$ within distance 1/n from the $\alpha _j$’s. Up to renumbering, we have $|\alpha _j-\beta _j|\le 1/n$ for all j. In particular, this implies that $|\beta _j|\le a^{1/n}+1/n$ for all j. The first claim follows from (1).

Another consequence is that any power less than n of any $|\beta _j|$ is $\le a \mathrm {e}$. We start the estimation of $\Vert V_{g_{n,a}}^{-1}\Vert $ by considering the numerators in (2). Let $k_0 = 1+ \lfloor n(1-\rho ) \rfloor $. For any $k< k_0$, we know that $E_k({\varvec{\beta }})=0$. Using (3), we obtain $|e_k(\overline{\varvec{\beta }}^j)|=|\beta _j|^k \le a\mathrm {e}$ for $k<k_0$ and that $e_{k_0-1}(\overline{\varvec{\beta }}^j)=(-1)^{k_0-1}\beta _j^{k_0-1}$. Then (3) gives $E_{k_0}(\varvec{\beta })=(-1)^{k_0}p_{n-k_0} = (-1)^{k_0-1}\beta _j^{k_0}+e_{k_0}(\overline{\varvec{\beta }}^j)$, which implies that $|e_{k_0}(\overline{\varvec{\beta }}^j)|\le |\beta _j|^{k_0}+|p_{n-k_0}|$. By induction, we obtain, for all $k< n-k_0$:

$$\begin{aligned} |e_{k_0+k}(\overline{\varvec{\beta }}^j)|\le&~|p_{n-k_0-k}|+|p_{n-k_0-k+1}\beta _j|+\cdots +|p_{n-k_0}\beta _j^k|+|\beta _j|^{k_0+k}\\ \le&~(\Vert P\Vert _1+1)\max (1, |\beta _j|^n), \end{aligned}$$

so that $|e_k(\overline{\varvec{\beta }}^j)|\le (\Vert P\Vert _1+1)a\mathrm {e}$ for $k\ge 1$.

We now derive a lower bound on the denominators in (2). The separation of the $\beta _j$’s is close to that of the $\alpha _j$’s. Concretely: $|\beta _j-\beta _k| \ge |\alpha _j - \alpha _k | - 2/n$ for all j, k. Therefore, we have $\prod _{k\ne j}|\beta _j -\beta _k| \ge \prod _{k\ne j} (|\alpha _j-\alpha _k|-2/n)$. Using the identity $|\alpha _j-\alpha _k|=2a^{1/n}\sin (|k-j|\pi /n)$ and elementary calculus, we obtain $\prod _{k\ne j} |\beta _j -\beta _k| \ge a^{\frac{n-1}{n}}/(n\mathrm {e})$. Details can be found in the full version. Thus any coefficient $w_{ij}$ of $V_{g_{n,a}}^{-1}$ satisfies $|w_{ij}|\le n(\Vert P\Vert _1+1)a^{1/n}\mathrm {e}^2$. The claim follows from equivalence between the row and Frobenius norms. $\square $

We now assume that the $p_j$’s and a are integers. The following lemma states that, for a prime and sufficiently large, the polynomial $g_{n,a}$ is irreducible, and thus defines a number field.

Lemma 4.6

Assume that P is an integer polynomial. For any prime $a > \Vert P\Vert _1+1$, the polynomial $g_{n,a}$ is irreducible over $\mathbb {Q}$.

Proof

Let $\beta $ be a root of $g_{n,a}$. Then we have $a=|\beta ^n+P(\beta )|\le |\beta |^n+\Vert P\Vert _1\max (1,|\beta |^n)$. The assumption on a implies that $|\beta |>1$. In other words, all the roots of $g_{n,a}$ have a magnitude ${>}1$. Now, assume by contradiction that $g_{n,a}=h_1h_2$ for some rational polynomials $h_1, h_2$. Since $g_{n,a}$ is monic, it is primitive and we can choose $h_1,h_2$ as integer polynomials. The product of their constant coefficients is then the prime a. Hence the constant coefficient of $h_1$ or $h_2$ is $\pm 1$, which contradicts the fact that the roots of $g_{n,a}$ have magnitude ${>}1$. $\square $

Overall, we have proved the following result.

Theorem 4.7

Let $\rho \in (0,1)$ and $p_j \in \mathbb {Z}$ for $1\le j \le \rho \cdot n$. Then for $a \ge (3 \mathrm {e}^\rho \Vert P\Vert _1)^{1/(1-\rho )}$ smaller than $2^{o(n)}$ and prime, and n sufficiently large, the polynomial $g_{n,a} = x^n + \sum _{1 \le j \le \rho \cdot n} p_j x^j + a$ is irreducible over $\mathbb {Q}$ and satisfies:

$$ \Vert V_{g_{n,a}}\Vert \le an\mathrm {e}\ ~\text {and}~ \ \Vert V_{g_{n,a}}^{-1}\Vert \le n^{5/2} (\Vert P\Vert _1+1)a^{1/n} \mathrm {e}^2. $$

In particular, if a and $\Vert P\Vert _1$ are polynomial in n, then both $\Vert V_{g_{n,a}}\Vert $ and $\Vert V_{g_{n,a}}^{-1}\Vert $ are polynomial in n.

In the full version of this article, we give another family of well-behaved polynomials.

5 Search to Decision Dual-$\mathsf {RLWE}$

The reduction relies on the recent technique of [PRS17]. To leverage it, we use a generalized Leftover Hash Lemma over rings. The proof generalizes a technique used in [SS11] to the case where the irreducible factors of the defining polynomial (of K) reduced modulo q do not share the same degree. Alternatively, a generalization of the regularity lemma from [LPR13, Se. 7] to arbitrary number fields could be used. Such a generalization may go through and improve our results a little.

5.1 A Ring-Based Leftover Hash Lemma

Let $m\ge 2$. We identify any rank m $\mathcal {O}_K$-module $M \subseteq K^m$ with the lattice $\sigma (M) \subseteq H^m$. For such modules, the dual may be defined as

$$ \widehat{M}=\lbrace \mathbf {t} \in K^m\,:\,\forall \, \mathbf {x}\in M, \text{ Tr }(\langle \mathbf t ,\mathbf x \rangle ) \in \mathbb {Z}\rbrace . $$

Here $\langle \cdot , \cdot \rangle $ is the K-bilinear map defined by $\langle \mathbf x ,\mathbf y \rangle =\sum _{i=1}^m x_iy_i$. We have $\sigma (\widehat{M})=\overline{\sigma (M)^*}$ in $H^m$. For some $q \ge 2$ and a fixed $\mathbf {a}\in (\mathcal {O}_K/q\mathcal {O}_K)^m$, we focus on the modules:

$$ L(\mathbf {a}) = \frac{\mathbf {a}}{q}\mathcal {O}_K^{\vee } + (\mathcal {O}_K^\vee )^m ~~ \text {and} ~~ \mathbf {a}^{\perp } = \lbrace \mathbf {t} \in \mathcal {O}_K^m~:~\langle \mathbf {t},\mathbf {a} \rangle = 0\bmod q\mathcal {O}_K\rbrace . $$

To prove our Leftover Hash Lemma variant, the main argument relies on an estimation of $\lambda _1^{\infty }(\widehat{\mathbf {a}^\perp })$, which is obtained by combining the following two lemmas. The first one was stated in [LS15, Se. 5] without a proof, for the case of cyclotomic fields (this restriction is unnecessary). We give a proof of the general case in the full version of this article.

Lemma 5.1

Let $q \ge 2$ and $\mathbf {a}\in (\mathcal {O}_K/q\mathcal {O}_K)^m$. Then we have $\widehat{\mathbf {a}^{\perp }} = L(\mathbf {a})$.

We now obtain a probabilistic lower bound on $\lambda _1^{\infty }(\widehat{\mathbf {a}^{\perp }})=\lambda _1^\infty (L(\mathbf {a}))$. In full generality, it should depend on the ramification of the selected prime integer q, i.e., the exponents appearing in the factorization of $q\mathcal {O}_K$ in prime ideals. It is a classical fact that the ramified prime integers are exactly the primes dividing the discriminant of the field, so that there are only finitely many such q’s. Moreover, it is always possible to use modulus switching techniques [BLP+13, LS15] if q ramifies. Therefore, we consider only the non-ramified case.

Lemma 5.2

Let $q \ge 2$ a prime that does not divide $\varDelta _K$. For any $m\ge 2$ and $\delta >0$, and except with a probability $\le 2^{3n(m+1)}q^{-mn\delta }$ over the uniform choice of ${\varvec{a}} \in ((\mathcal {O}_K/q\mathcal {O}_K)^\times )^m$, we have:

$$\lambda _1^{\infty }(L(\mathbf {a})) \ge \varDelta _K^{-1/n}\cdot q^{-\frac{1}{m}-\delta }.$$

Proof

Thanks to the assumption on q, we can write $q \mathcal {O}_K=\mathfrak {p}_1 \ldots \mathfrak {p}_k$ for distinct prime ideals $\mathfrak {p}_i$. By Lemma 2.4 and the Chinese Remainder Theorem, we have $\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee \simeq \mathcal {O}_K/q\mathcal {O}_K\simeq \bigoplus _{i=1}^k \mathbb {F}_{q^{d_i}}$, where $q^{d_i} = \mathcal {N}(\mathfrak {p}_i)$.

Let $\mathbf {a}=(a_1,\cdots , a_m)$ sampled uniformly in $((\mathcal {O}_K/q\mathcal {O}_K)^{\times })^m$. Fix some bound $B>0$ and let $p_B$ be the probability that $qL(\mathbf {a})=\mathbf {a}\mathcal {O}_K^\vee +q(\mathcal {O}_K^\vee )^m$ contains a $\mathbf {t}=(t_1,\cdots , t_m)$ such that $0< \Vert \mathbf {t}\Vert _{\infty } < B$. Our goal is to bound $p_B$ from above. By the union bound, we have that

$$p_B\le \sum _{s\in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee } \ \sum _{\begin{array}{c} \mathbf {t} \in (\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee )^m \\ 0<\Vert \mathbf {t}\Vert _\infty < B \end{array}} p(\mathbf {t}, s),$$

with $p(\mathbf {t}, s) = \Pr _{\mathbf {a}}[\forall \, j, t_j=a_js\bmod q\mathcal {O}_K^\vee ]$ for any s and ${\varvec{t}}$ over $\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $. By independance of the $a_j$’s, we can write $p(\mathbf {t},s)=\prod _{j \in [m]} p(t_j,s)$ with $p(t_j,s)=\Pr _{a_j}[t_j=a_js \bmod q\mathcal {O}_K^\vee ]$. As $\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ and $\mathcal {O}_K/q\mathcal {O}_K$ are isomorphic, estimating this probability amounts to studying the solutions in $(\mathcal {O}_K/q\mathcal {O}_K)^{\times }$ of the equation $t=as \bmod q\mathcal {O}_K$, for all $t,s \in \mathcal {O}_K/q\mathcal {O}_K$.

Note that if there is an i such that $t =0 \bmod \mathfrak {p}_i$ and $s \ne 0\bmod \mathfrak {p}_i$, or vice-versa, then there is no solution, so that $p(t,s)=0$. Now, assume that s and t are 0 modulo the same $\mathfrak {p}_i$’s. Let $S\subseteq [k]$ denote the set of their indices, and let $d_S$ be such that $q^{d_S}=\mathcal {N}(\prod _{i \in S} \mathfrak {p}_i)$. On the one hand, for all $i\in [k]\setminus S$, both t and s are invertible modulo $\mathfrak {p}_i$ so there is exactly one solution modulo those i’s. On the other hand, for all $i\in S$, all the elements of $\mathbb {F}_{q^{d_i}}^{\times }$ are solutions. This gives $\prod _{i\in S}(q^{d_i}-1)$ possibilities out of the $\prod _{i}(q^{d_i}-1)$ elements of $(\mathcal {O}_K/q\mathcal {O}_K)^{\times }$. Overall, we obtain that $p(t,s)=\prod _{i\in [k]\setminus S} (q^{d_i}-1)^{-1}$. Hence, for $\mathbf {t}$ with coordinates $t_j$ such that s and all $t_j$’s are 0 modulo the same $\mathfrak {p}_i$’s, we have:

$$p(\mathbf {t}, s) =q^{-m(n-d_S)}\prod _{i\in [k]\setminus S}(1-\frac{1}{q^{d_i}})^{-m}\le q^{-m(n-d_S)}\cdot 2^{mk},$$

the last inequality coming from the fact that $1-1/q^{d_i}\ge 1/2$ for all i.

Let $\tau $ denote the isomorphism mapping $\mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ to $\mathcal {O}_K/q\mathcal {O}_K$. The probability to bound is now

$$ p_B \le 2^{mk}\cdot \sum _{S\subseteq [k]} \ \sum _{\begin{array}{c} \tau (s)\in \mathcal {O}_K/q\mathcal {O}_K\\ \forall i \in S: \mathfrak {p}_i\,\vert \, \tau (s) \end{array}} \ \sum _{\begin{array}{c} \tau (\mathbf {t}) \in (\mathcal {O}_K/q\mathcal {O}_K)^m\\ 0< \Vert \mathbf {t}\Vert _\infty < B\\ \forall \, j, \forall i \in S: \mathfrak {p}_i\,\vert \, \tau (t_j) \end{array}} q^{-m(n-d_S)}.$$

For any $r>0$, we let $\mathcal B(r)$ denote the (open) ball in H of center 0 and radius r, with respect to the infinity norm. Such a ball has a volume $\text{ Vol }(\mathcal B(r))=(2r)^n$. For any $S\subseteq [k]$, we define $N(B,S)=|\mathcal B(B) \cap \mathcal L(\tau ^{-1}(\prod _{i \in S} \mathfrak {p}_i))|-1$. Since there are $2^{k}$ subsets in [k] and $q^{n-d_S}$ elements $\tau (s) \in \mathcal {O}_K/q\mathcal {O}_K$ such that $\mathfrak {p}_i | s$ for all $i \in S$, we have

$$\begin{aligned} p_B \le 2^{k(m+1)} \cdot \max _{S\subseteq [k]} \frac{N(B,S)^m}{q^{(n-d_S)(m-1)}}. \end{aligned}$$

(4)

We now give an upper bound for N(B, S), from which we will obtain the result. Let $I_S=\prod _{i \in S} \mathfrak {p}_i$ and $\lambda _S=\lambda _1^{\infty }(\tau ^{-1}(I_S))$. Observe that any two distinct balls of radius $\lambda _S/2$ and centered around elements of $\mathcal B(B)\cap \mathcal L(\tau ^{-1}(I_S))$ do not intersect. Moreover, all of them are contained in $\mathcal B(B+\lambda _S/2)$. This implies that

$$ N(B,S) \le \frac{\text{ Vol }(\mathcal B(B+\lambda _S/2))}{\text{ Vol }(\mathcal B(\lambda _S/2))}=\left( \frac{2B}{\lambda _S}+1\right) ^n.$$

It remains to give a lower bound on $\lambda _S$. As $\tau ^{-1}(I_S)=I_S\mathcal {O}_K^\vee $, we have $\mathcal N(\tau ^{-1}(I_S))=q^{d_S}/\varDelta _K$. With Lemma 2.5, this gives $\varDelta _K^{-1/n}q^{d_S/n}\le \lambda _S$. If we set $B=\varDelta _K^{-1/n}q^\beta $, then $n\beta <d_S$ leads to $N(B,S)=0$ and $n\beta \ge d_S$ implies the upper bound $N(B,S)\le 2^{2n}q^{n\beta -d_S}$. With (4), this gives

$$ p_B \le 2^{(m+1)(k+2n)} \cdot \max _{\begin{array}{c} S\subseteq [k]\\ d_S\le n\beta \end{array}} q^{m(\beta -1)n+(n-d_S)}. $$

The maximum is reached for $d_S=0$ (i.e., when $S=\emptyset $). In this case, the exponent of q is $-mn\delta $ for $\beta =1-\frac{1}{m}-\delta $. We obtain that $\lambda _1^\infty (qL(\mathbf {a}))\ge \varDelta _K^{-1/n}q^{1-\frac{1}{m}-\delta }$ except with probability ${\le }2^{3n(m+1)}q^{-mn\delta }$. $\square $

We are now ready to state the variant of the Leftover Hash Lemma.

Theorem 5.3

Let $q\ge 2$ prime that does not divide $\varDelta _K$. Let $\delta >0, \varepsilon \in (0,1/2)$ and $m\ge 2$. For a given $\mathbf {a}$ in $((\mathcal {O}_K/q\mathcal {O}_K)^\times )^m$, let $U_\mathbf{a }$ be the distribution of $\sum _{i\le m}t_ia_i$ where the vector ${\varvec{t}}=(t_1,\cdots , t_m)$ is sampled from $D_{\mathcal {O}_K,s}$ with $s\ge \sqrt{\log (2mn(1+1/\varepsilon ))/\pi }\cdot \varDelta _K^{1/n}q^{1/m+\delta }$. Then, except for $\le 2^{3n(m+1)}q^{-mn\delta }$ of $\mathbf {a}$’s, the distance to uniformity of $U_{\mathbf {a}}$ is ${\le }2\varepsilon $.

Proof

First we note that the map $\mathbf {t}\mapsto \sum _{i\le m} t_ia_i$ is a well-defined surjective $\mathcal {O}_K$-module homomorphism from $\mathcal {O}_K^m$ to $\mathcal {O}_K/q\mathcal {O}_K$, with kernel $\mathbf {a}^\perp $. The distance to uniformity of $U_{\mathbf {a}}$ is hence the same as the distance to uniformity of $\mathbf {t} \bmod \mathbf {a}^\perp $. By Lemma 2.8, the claim follows whenever $s \ge \eta _\varepsilon (\mathbf {a}^{\perp })$. By Lemma 2.6, t it suffices to find an appropriate lower bound on $\lambda _1^\infty (L(\mathbf {a}))$. Lemma 5.2 allows to complete the proof. $\square $

Corollary 5.4

(Leftover Hash lemma). If $\mathbf {t}$ is sampled from $D_{\mathcal {O}_K,s}$ with $s\ge \sqrt{\log (2mn(1+1/\epsilon ))/\pi }\cdot \varDelta _K^{1/n}q^{1/m+\delta }$, and the $a_i$’s are sampled from $U((\mathcal {O}_K/q\mathcal {O}_K)^\times )$, then:

$$\begin{aligned} \varDelta&\biggl [ \biggl (a_1, \cdots , a_m, \sum _{i\le m}t_ia_i\biggr ), U\biggl ( ( (\mathcal {O}_K/q\mathcal {O}_K)^\times )^m \times \mathcal {O}_K/q\mathcal {O}_K\biggr ) \biggr ] \\&\le 2\varepsilon + 2^{3n(m+1)} \cdot q^{-mn\delta }. \end{aligned}$$

5.2 Search $\mathsf {RLWE}$ to Decision $\mathsf {RLWE}$

We now give the reduction from search to decision. As all proofs can be done similarly, we focus on the dual-$\mathsf {RLWE}$ version of the problems. For the sake of simplicity, we consider only the case of diagonal covariance matrices. The proof readily extends to general covariance matrices. To obtain the reduction, we need to generate suitable new samples from a starting set of samples from search dual-$\mathsf {RLWE}$.

The lemma below is adapted from [LS15, Le. 4.15]. We will use it to analyze the error distribution we get when generating new samples.

Lemma 5.5

Let $\alpha >0$, $\mathcal L$ a rank-m $\mathcal {O}_K$-module, $\varepsilon \in (0,1/2)$, a vector $\mathbf {t}\in D_{\mathcal L+\mathbf {c},\mathbf {r}}$ for some $\mathbf c \in H^m$, and $e^\prime \in K_{\mathbb {R}}$ chosen according to $D_{\alpha }^H$. If $r_i\ge \eta _\varepsilon (\mathcal L)$ and $\frac{\alpha }{\delta _i} \ge \eta _\varepsilon (\mathcal L)$ for all i, then $\varDelta (\langle \mathbf {t},\mathbf {e} \rangle +e^\prime , D_{\mathbf {x}}^H)\le 4\varepsilon $ with $x_i=\sqrt{(r_i\delta _i)^2+\alpha ^2}$ and $\delta _i=(\sum _{k\in [m]} |\sigma _i(e_k)|^2)^{1/2}$ for all i.

We can now give a reduction from search dual-$\mathsf {RLWE}$ to worst-case decision dual-$\mathsf {RLWE}$. It may be combined with the worst-case decision dual-$\mathsf {RLWE}$ to decision dual-$\mathsf {RLWE}$ from Lemma 2.14.

Theorem 5.6

Let ${{\varvec{r}}}\in (\mathbb {R}^{\ge 0})^n$ be such that $r_i=r_{i+s_2}$ for any $i>s_1$ and $r_i\le r$ for some $r>0$. Let $d=\sqrt{n}\cdot \varDelta _K^{1/n}q^{1/m+1/n}$, and consider ${\varSigma }=\{{\varvec{{r}}}^\prime \,:\, r_i'\le \sqrt{d^2\cdot r^2\cdot m+d^2}\}$. Then there exists a probabilistic polynomial-time reduction from search dual-$\mathsf {RLWE}_{q, D_\mathbf{r }}$ with $m \le q/(2n)$ input samples to worst-case decision dual-$\mathsf {RLWE}_{q,{\varSigma }}$.

Proof

We have m samples $(a_i,b_i=a_is+e_i)\in \mathcal {O}_K/q\mathcal {O}_K\times K_{\mathbb {R}}/q\mathcal {O}_K^\vee $ from the dual-$\mathsf {RLWE}$ distribution $\mathcal A_{s,\mathbf r }^\vee $, for a uniform $s\in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $ that we want to find. This is equivalent to finding the error term $\mathbf {e}=(e_1,\ldots ,e_m)$. By assumption on m, the $a_i$’s are all invertible with non-negligible probability. If it is not the case, the reduction aborts. From now on, we hence assume that they are uniformly distributed in $(\mathcal {O}_K/q\mathcal {O}_K)^\times $.

We use the same technique as in [PRS17], in that we find the ith embeddings $\sigma _i(e_1),\ldots ,\sigma _i(e_m)$ of the error terms by constructing an m-dimensional instance of the Oracle Hidden Center Problem (OHCP). The only difference consists in the way we create the samples that we give to the decision oracle. The reduction uses the dual-$\mathsf {RLWE}$ decision oracle to build the oracles $\mathcal {O}_i:\mathbb {R}^m\times \mathbb {R}^{\ge 0}\rightarrow \{0,1\}$ for $i\le s_1$ and $\mathcal {O}_i:\mathbb {C}^m\times \mathbb {R}^{\ge 0}\rightarrow \{0,1\}$ for $s_1< i \le s_1+s_2$.

For $i\le s_1$, we define $k_i:\mathbb {R}\rightarrow K_{\mathbb {R}}$ as $k_i(x)=\sigma ^{-1}(x\cdot \mathbf {v}_i)$ and for $s_1 < i\le s_1+s_2$, we define $k_i:\mathbb {C}\rightarrow K_{\mathbb {R}}$ as $k_i(x)=\sigma ^{-1}(x\cdot \mathbf {v}_i+\overline{x}\cdot {\mathbf {v}_{i+s_2}})$, where the $\mathbf {v}_i$’s form the canonical basis of H.

On input $(z_1,\ldots ,z_m, \alpha )$, oracle $\mathcal {O}_i$ will output 1 with probability depending on $\exp (\alpha ) \Vert \mathbf {e}-\overline{\mathbf {z}}\Vert $, where $\overline{\mathbf {z}}=(k_i(z_1),\ldots ,k_i(z_m))$. It works as follows. It first chooses a uniform $s^\prime \in \mathcal {O}_K^\vee /q\mathcal {O}_K^\vee $. On input $(z_1,\ldots ,z_m, \alpha )$, it samples $\mathbf {t}=(t_1,\ldots ,t_m)\in \mathcal {O}_K^m$ Gaussian with parameter $\exp (\alpha )\cdot \sqrt{n}\cdot \varDelta _K^{1/n}q^{1/m+1/n}$ and some $e^\prime $ from $D_d$. The oracle then creates $(a^\prime ,b^\prime )=(\langle \mathbf t , \mathbf a \rangle ,\langle \mathbf t , \mathbf b -\bar{\mathbf{z }} \rangle +a's'+e')$, where $\mathbf b =(b_1,\cdots , b_m)$.

By Corollary 5.4, the distribution of $(\mathbf a , \langle \mathbf t , \mathbf a \rangle )$ is exponentially close to $U( ((\mathcal {O}_K/q\mathcal {O}_K)^\times )^m \times \mathcal {O}_K/q\mathcal {O}_K)$. Since $b_j=a_js+e_j$ for all j, we get $b^\prime =a^\prime (s+s^\prime )+\langle \mathbf t , \mathbf e - \bar{\mathbf{z }} \rangle +e^\prime $, so oracle $\mathcal {O}_i$ creates $\mathsf {RLWE}$ samples for a uniformly distributed $s+s^\prime $, provided the error term follows a suitable distribution. We let $\delta _\ell =(\sum _{j\in [m]}\sigma _\ell (e_j-k_i(z_j))|^2)^{1/2}$ for $\ell \le n$. In particular, we have $\delta _i=\Vert \sigma _i(e_1)-z_1,\ldots ,\sigma _i(e_m)-z_m\Vert $. Let us now study the distribution of the error term $\langle \mathbf {t},\mathbf {e}-\overline{\mathbf {z}} \rangle +e'$. We can see that once the value of $\langle \mathbf t , \mathbf a \rangle =c$ and the $a_i$’s are known, one can write $\mathbf {t}=(ca_1^{-1},0,\ldots ,0)+(-a_1^{-1}\sum _{i\ge 2} t_ia_i,t_2,\ldots ,t_m)$, where the second vector belongs to $\mathbf {a}^\perp $. This means that the actual support of $\mathbf {t}$ is a shift of the $\mathbf {a}^\perp $ lattice by the vector $(ca_1^{-1},0,\ldots ,0)$. Using Lemma 5.5, we get that the distribution of the error is $D_{\mathbf {x}}^H$ where $x_j=\sqrt{\exp ^2(\alpha )\cdot d^2\cdot \delta _j^2+d^2}$.

Let $\mathcal {S}_{i,(z_1,\ldots ,z_m,\alpha )}$ be the samples obtained by applying the procedure above many times. Oracle $\mathcal {O}_i$ calls the dual-$\mathsf {RLWE}$ decision oracle with these and outputs 1 if and only if the latter accepts. With non-negligible probability over the choice of the initial errors, the distribution of the samples we get when we call the oracle $\mathcal {O}_i$ on $(\mathbf {0},0)$ belongs to the set $\varSigma $. One can now show that using the same technique as in [PRS17], it is possible to recover good approximations of the vector $(\sigma _i(e_1),\ldots ,\sigma _i(e_m))$. By substracting them from the initial search samples, rounding and then taking the inverses of the $a_i$’s, we obtain s. $\square $

Notes

1.
The reduction from [LS15] is limited to cyclotomic fields, but [PRS17] readily extends to module lattices.
2.
The parameter $\delta $ should be thought as near 0. It can actually be chosen such if $\mathcal {N}(J)$ is sufficiently large.
3.
For the rest of this section, ‘$\mathsf {i}$’ will refer to the imaginary unit.

References

Albrecht, M.R., Deo, A.: Large modulus ring-LWE $\ge $ module-LWE. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 267–296. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_10
Chapter Google Scholar
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: USENIX (2016)
Google Scholar
Bauch, J., Bernstein, D.J., de Valence, H., Lange, T., van Vredendaal, C.: Short generators without quantum computers: the case of multiquadratics. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 27–59. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_2
Chapter Google Scholar
Bernstein, D.J., Chuengsatiansup, C., Lange, T., van Vredendaal, C.: NTRU Prime (2016). http://eprint.iacr.org/2016/461
Bos, J.W., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. In: EuroS&P (2018)
Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC (2013)
Google Scholar
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Chapter Google Scholar
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Chapter Google Scholar
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop (2014). http://docbox.etsi.org/Workshop/2014/201410_CRYPTO/S07_Systems_and_Attacks/S07_Groves_Annex.pdf
Castryck, W., Iliashenko, I., Vercauteren, F.: On the tightness of the error bound in Ring-LWE. LMS J. Comput. Math. 130–145 (2016)
Google Scholar
Castryck, W., Iliashenko, I., Vercauteren, F.: Provably weak instances of ring-LWE revisited. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 147–167. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_6
Chapter Google Scholar
Chen, H., Lauter, K., Stange, K.E.: Attacks on search RLWE. SIAM J. Appl. Algebra Geom. (SIAGA) 1, 665–682 (2017)
Article MATH Google Scholar
Chen, H., Lauter, K., Stange, K.E.: Vulnerable Galois RLWE families and improved attacks. In: Proceedings of SAC. Springer (2016)
Google Scholar
Conrad, K.: The conductor ideal. http://www.math.uconn.edu/~kconrad/blurbs/gradnumthy/conductor.pdf
Conrad, K.: The different ideal. http://www.math.uconn.edu/~kconrad/blurbs/gradnumthy/different.pdf
Conway, J.B.: Functions of One Complex Variable. Springer, New York (1995). https://doi.org/10.1007/978-1-4612-6313-5
Book MATH Google Scholar
Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_3
Chapter Google Scholar
Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehlé, D.: CRYSTALS - Dilithium: digital signatures from module lattices. In: TCHES (2018)
Google Scholar
Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: SAC (2014)
Google Scholar
Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 63–92. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_4
Chapter Google Scholar
Gentry, C., Halevi, S., Peikert, C., Smart, N.P.: Ring switching in BGV-style homomorphic encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 19–37. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_2
Chapter Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC (2008)
Google Scholar
Hoffstein, J., Howgrave-Graham, N., Pipher, J., Whyte, W.: Practical lattice-based cryptography: NTRUEncrypt and NTRUSign. In: Nguyen, P., Vallée, B. (eds.) The LLL Algorithm. Information Security and Cryptography, pp. 349–390. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-02295-1_11
Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. JACM 60(6), 43 (2013)
Article MathSciNet MATH Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Chapter Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. 75(3), 565–599 (2015)
Article MathSciNet MATH Google Scholar
Lyubashevsky, V.: Digital signatures based on the hardness of ideal lattice problems in all rings. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 196–214. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_7
Chapter Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measure. In: Proceedings of FOCS, pp. 371–381. IEEE (2004)
Google Scholar
Peikert, C.: How (not) to instantiate ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_22
Google Scholar
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Chapter Google Scholar
Peikert, C., Rosen, A.: Lattices that admit logarithmic worst-case to average-case connection factors. In: STOC (2007)
Google Scholar
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of Ring-LWE for any ring and modulus. In: STOC (2017)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009)
Article MathSciNet MATH Google Scholar
Roşca, M., Sakzad, A., Stehlé, D., Steinfeld, R.: Middle-product learning with errors. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 283–297. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_10
Chapter Google Scholar
Schnorr, C.-P., Euchner, M.: Lattice basis reduction: improved practical algorithms and solving subset sum problems. Math. Program. 66, 181–199 (1994)
Article MathSciNet MATH Google Scholar
Stehlé, D., Steinfeld, R.: Making NTRU as secure as worst-case problems over ideal lattices. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 27–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_4
Chapter Google Scholar
Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure standard worst-case problems over ideal lattices (2013). http://perso.ens-lyon.fr/damien.stehle/NTRU.html
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_36
Chapter Google Scholar
Stevenhagen, P.: Lecture notes on number rings (2017). http://websites.math.leidenuniv.nl/algebra/ant.pdf

Download references

Acknowledgments

We thank Karim Belabas, Guillaume Hanrot, Alice Pellet--Mary, Bruno Salvy and Elias Tsigaridas for helpful discussions. This work has been supported in part by ERC Starting Grant ERC-2013-StG-335086-LATTAC, by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701) and by BPI-France in the context of the national project RISQ (P141580).

Author information

Authors and Affiliations

ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
Miruna Rosca, Damien Stehlé & Alexandre Wallet
Bitdefender, Bucharest, Romania
Miruna Rosca

Authors

Miruna Rosca
View author publications
You can also search for this author in PubMed Google Scholar
Damien Stehlé
View author publications
You can also search for this author in PubMed Google Scholar
Alexandre Wallet
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alexandre Wallet .

Editor information

Editors and Affiliations

Aarhus University, Aarhus, Denmark
Jesper Buus Nielsen
University of Leuven, Leuven, Belgium
Vincent Rijmen

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Rosca, M., Stehlé, D., Wallet, A. (2018). On the Ring-LWE and Polynomial-LWE Problems. In: Nielsen, J., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2018. EUROCRYPT 2018. Lecture Notes in Computer Science(), vol 10820. Springer, Cham. https://doi.org/10.1007/978-3-319-78381-9_6

Download citation

DOI: https://doi.org/10.1007/978-3-319-78381-9_6
Published: 31 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78380-2
Online ISBN: 978-3-319-78381-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

On the Ring-LWE and Polynomial-LWE Problems

Abstract

Similar content being viewed by others

RLWE and PLWE over cyclotomic fields are not equivalent

Lossiness and Entropic Hardness for Ring-LWE

Ring-LWE Cryptography for the Number Theorist

Keywords

1 Introduction

2 Preliminaries

2.1 Some Algebraic Number Theory

Lemma 2.1

Lemma 2.2

Proof

Lemma 2.3

Lemma 2.4

2.2 Lattices

Lemma 2.5

Lemma 2.6

Lemma 2.7

Lemma 2.8

Lemma 2.9

Lemma 2.10

2.3 Computational Problems

Definition 2.11

Definition 2.12

Theorem 2.13

Lemma 2.14

Proof

3 Controlling Noise Growth in Dual to Primal Reduction

Theorem 3.1

Proof

Corollary 3.2

Proof

4 From Primal-\(\mathsf {RLWE}\) to \(\mathsf {PLWE}\)

4.1 Reducing Primal-\(\mathsf {RLWE}\) to \(\mathsf {PLWE}^\sigma \)

Definition 4.1

Theorem 4.2

Proof

4.2 Distortion Between Embeddings

Theorem 4.3

Lemma 4.4

Proof

Lemma 4.5

Proof

Lemma 4.6

Proof

Theorem 4.7

5 Search to Decision Dual-\(\mathsf {RLWE}\)

5.1 A Ring-Based Leftover Hash Lemma

Lemma 5.1

Lemma 5.2

Proof

Theorem 5.3

Proof

Corollary 5.4

5.2 Search \(\mathsf {RLWE}\) to Decision \(\mathsf {RLWE}\)

Lemma 5.5

Theorem 5.6

Proof

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation