On the Hardness of the Computational Ring-LWR Problem and Its Applications

Chen, Long; Zhang, Zhenfeng; Zhang, Zhenfei

doi:10.1007/978-3-030-03326-2_15

Long Chen^15,16,
Zhenfeng Zhang^15,17 &
Zhenfei Zhang¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11272))

Included in the following conference series:

International Conference on the Theory and Application of Cryptology and Information Security

1908 Accesses
4 Citations

Abstract

In this paper, we propose a new assumption, the Computational Learning With Rounding over rings, which is inspired by the computational Diffie-Hellman problem. Assuming the hardness of R-LWE, we prove this problem is hard when the secret is small, uniform and invertible. From a theoretical point of view, we give examples of a key exchange scheme and a public key encryption scheme, and prove the worst-case hardness for both schemes with the help of a random oracle. Our result improves both speed, as a result of not requiring Gaussian secret or noise, and size, as a result of rounding. In practice, our result suggests that decisional R-LWR based schemes, such as Saber, Round2 and Lizard, which are among the most efficient solutions to the NIST post-quantum cryptography competition, stem from a provable secure design. There are no hardness results on the decisional R-LWR with polynomial modulus prior to this work, to the best of our knowledge.

You have full access to this open access chapter, Download conference paper PDF

Ring-LWE: Applications to Cryptography and Their Efficient Realization

Round5: Compact and Fast Post-quantum Public-Key Encryption

Lossiness and Entropic Hardness for Ring-LWE

1 Introduction

Organizations and research groups are looking for candidate algorithms to replace RSA and ECC based schemes [48, 49] due to the threat of quantum computers [58]. Among all candidates, lattice based solutions seem to offer the most promising solutions. One of the fundamental features enabled by the Learning With Errors (LWE) [39, 57]/the Small Integer Solution (SIS) [1, 45] family of problems, is that the average-case security of the cryptosystem stems from the worst-case hardness of well studied lattice problems [2, 16, 39, 45, 51, 55, 57].

The celebrated work of worst-case/average-case reductions was firstly presented in [51, 57] for LWE and in [39] for R-LWE. In both cases, the errors follow a rounded Gaussian distribution. Albeit great improvements in a sequence of work [3, 13, 28,29,30, 35, 47, 52, 56], Gaussian sampling is still the most intricate part to implementing (R-)LWE based schemes.

An average-case/worse-case reduction without Gaussian sampling is a long standing problem. It has been studied by a series of works from different angles [9, 12, 26, 43, 44]. Generally, there are two ways to solve this problem. One may either reduce LWE to LWE with uniform/binary errors [9, 26, 43, 44], or reduce LWE to the Learning With Rounding (LWR) problem [4, 5, 10, 12]. Here the (R-)LWR problem, introduced in [10], is a variant of (R-)LWE where random errors are replaced by a deterministic rounding function. Interestingly, there exists a reduction from LWE with uniform errors to LWR [12] that indicates a connection between the aforementioned two solutions.

In addition to avoiding Gaussian sampling, it is also common to resort to a ring setting [39, 41, 55]. However, the above methods are no longer applicable, since the reductions from generic LWE to “binary LWE” in [9, 26, 43, 44] all rely on a search-to-decision reduction from [43]. How to carry over this reduction to the ring setting is still an open problem. Moreover, there is no reduction from R-LWE to the decisional version of R-LWR when the modulus is polynomial, to our best knowledge.^{Footnote 1}

Another obstacle of deploying (R-)LWE based cryptosystems is that the sizes of public keys and the ciphertexts are significantly larger than those of RSA and ECC [13]. One direction to lower the size of public keys/ciphertexts, is to choose a smaller modulus q. However, a smaller q leads to a higher (and sometime non-negligible) decryption error rate. In some cases, this may result in an invalidation of a security proof. For example, in [3], the failure probability is around $2^{-61}$ for a security level of 128. The security proof in [3, 13, 14] only provides an indistinguishability between a session key derived by Bob and a uniformly random string. Now that Alice and Bob may derive different session keys with a non-negligible probability, it is also essential to prove the pseudorandomness of Alice’s key. This is not captured by the existing proofs. In addition, many schemes rely on the Fujisaki-Okamoto transformation [33] to achieve CCA-2 security. This also requires a negligible failure probability [36]. In history we have seen non-negligible failure lead to attacks, such as [37].

A trivial solution to decryption errors is to perform key validation. This, however, needs additional round trips for the protocol. An alternative solution is to further tuning the parameters. For example, to use a narrower secret/error. However, the worst-case hardness theorems for R-LWE [39, 55] require the widths of the error distributions to exceed certain $\varOmega (\sqrt{n}) $ bounds, where n is the degree of the secret polynomial. On the other hand, if the errors are smaller than $\sqrt{n}$, LWE can be solved in polynomial time using the Arora-Ge’s algorithm [7] with $m = O (n^2)$ samples. There is a natural extension of this attack to R-LWE by viewing each R-LWE instance as n LWE samples. In general, as pointed out in [54], error distributions that are too far from the provably hard ones shall not be used, to avoid weak instances of the R-LWE problem [17, 18, 31, 32].

Due to its great simplicity and efficiency, R-LWR based constructions, namely, Saber [24], Round2 [8], Lizard [21], Round5 [11] and OKCN [38], are among the most promising candidates to the NIST post-quantum cryptography competition [48]. See [42] for a comparison of performance versus security among all lattice based candidates. Specifically,Saber [24] provides a decisional module-LWR based KEM,to which R-LWR can be viewed as a special case. The KEM and PKE algorithms in Round2 [8] may be based on either decisional LWR or decisional R-LWR, while the algorithms in the ring version of Lizard [21] is based on both of decisional R-LWE and decisional R-LWR. Thus, the hardness of R-LWR is a long await result in the community, to show that those three schemes indeed stem from a provable secure design.

1.1 Our Contributions

In the literature, there exists a reduction from search R-LWE to search R-LWR [12], using the tool of Rényi Divergence (RD). However, it is hard to instantiate a scheme directly from this result since cryptosystems are usually based on decisional problems. On the other hand, it seems very difficult to provide a reduction from decisional R-LWE to decisional R-LWR when the modulus is polynomial, due to the limitation of RD in dealing with decisional problems [9].

To bridge this gap, we propose a new assumption, the Computational Learning With Rounding over rings (R-CLWR) in this paper, in analogy to the Computational Diffie-Hellman (CDH) assumption. Next, we provide a reduction from decisional R-LWE to R-CLWR when the secret of the R-LWE instances is uniform from the set of all invertible elements whose coefficients lie in a small interval $[-\beta ,\beta ]^n$ for some integer $\beta <q$. Combining the existing average-case/worst-case reduction for R-LWE [39, 55], we prove that the R-CLWR problem is hard, assuming the hardness of some worst-case lattice problems.

Applications. We give two applications of R-CLWR, a public key encryption (PKE) scheme in Sect. 5 and a Diffie-Hellman type key exchange scheme in Sect. 6. Asymptotically speaking, our scheme improves a classical R-LWE based solutions in two ways:

1.
we allow for smaller size of public keys/ciphertexts as a result of rounding;
2.
we remove the cumbersome Gaussian samplings.

We remark that it is hard to find overlaps between the concrete world and the asymptotic world. In practice, most of the NIST submissions and other schemes [3, 13, 14] only consider the best known cryptanalytic attacks [20, 42] and ignore the average-case/worst-case proof. For the same reason, none of the Ring-LWE/LWR based NIST candidates sample errors from rounded Gaussian. Our result is asymptotic. Thus, we do not provide a direct comparison between our scheme and the NIST submissions in this paper. Instead, we give asymptotic parameters for both R-LWE scheme and our R-CLWR based scheme for a fair comparison. In addition, we also assume that the decryption failure probability needs to be exponentially small within this asymptotic world.

	R-LWE	R-CLWR
Samples - KeyGen	2	1
Samples - Encrypt	3	1
Sampler	Gaussian	Uniform & Invertible
Modulus	$\varOmega (n^{5.5}\log ^{0.5} n)$	$\varOmega (n^{3.75}\log ^{0.25} n)$

A R-LWE based scheme needs to proceed two Gaussian samplings during key generation and three Gaussian samplings during encryption. The modulus of the public key and the ciphertext is $q=\varOmega (n^{5.5}\log ^{0.5} n)$.
A R-CLWR based scheme needs to proceed one sampling during the key generation and one sampling during the encryption. The sampling procedure is to simply draw an element from a small interval and output when it is invertible, The modulus of the public key and the ciphertext is $p=\varOmega (n^{3.75}\log ^{0.25} n)$.

To show the power of our result, we give security proofs for a variant of Saber and Round2, as well as Lizard, based on the R-CLWR assumption. Nonetheless, since the worst-case connection does not imply definite security for any concrete choice of parameters, our proofs will be based on asymptotic simplifications of their original algorithms.

Technique Overview. The notion of R-CLWR is inspired by the following observation. Decisional Diffie-Hellman (DDH) based schemes, such as ElGamal [34], are provable secure under the CDH assumption and the random oracle model (ROM). There, instead of distinguishing the ciphertexts of different plaintexts, the adversary needs to find a pre-image of the hash function using the public key and ciphertexts. Therefore, with the help of ROM, one converts the underlying decisional problem into a computational problem. At a high level, we apply same methodology to lattice based cryptography and reduce the security of the cryptosystem (a decisional problem) to a computational problem. In doing so, we are able to utilize the tool of RD. A similar idea is also used in the secure analysis of Newhope [3].

To present the R-CLWR problem, first, let us present a set of interactive experiments between a challenger $\mathcal {C}$ and an adversary $\mathcal {A}$. There exist a source $\mathcal {S}$ where the $\mathcal {C}$ gets all its input from. For simplicity, assuming all sources $\mathcal {S}$ can be partitioned in two parts: a variable part var that is different for distinct sources, and a constant part con that remains the same for all sources. We view the challenger as a function that takes inputs $X\leftarrow var$ and $aux\leftarrow con$, and outputs two quantities, Input and Target (from $\mathcal {A}$’s point of view).

Next, we are ready to describe a computational assumption based on the above experiments. Suppose there are two experiments, namely, $\mathsf {Exp}_1$ and $\mathsf {Exp}_2$. In $\mathsf {Exp}_1$, $X_1$ contains a set of R-LWR samples that are sampled from $var_1$. In $\mathsf {Exp}_2$, $X_2$ contains a set of uniform samples from $var_2$. Assuming all the rest variables in those experiments remain identical (i.e., $\mathcal A$ and $\mathcal C$), if the success probability in $\mathsf {Exp}_2$ is negligible for any adversary, then, that in $\mathsf {Exp}_1$ will also be negligible. Intuitively, this definition captures that, assuming all rest variables remain the same, $\mathcal A$ cannot learn more information from R-LWR samples than from uniform samples.

In what it follows, we provide definitions for the R-CLWR assumption (Definition 7) and the R-CRLWE assumption (Definition 8), along with the following reductions:

$$\begin{aligned} {\textsf {R-LWE}}~\text {(decisional)}\Longrightarrow {\textsf {R-CRLWE}} \Longrightarrow {\textsf {R-CLWR}}. \end{aligned}$$

As stated earlier, the first “$\Longrightarrow $” allows us to convert a decisional problem into a computational problem, so that RD becomes applicable to the second “$\Longrightarrow $”. Then, the key becomes to show that RD between an R-LWR sample $\left( a,\lfloor as\rfloor _p\right) $ and a rounded R-LWE sample $(a,\lfloor as+e\rfloor _p)$ is small. A natural way to obtain this result is to extend the estimation of [12] to meet the requirement of the average-case/worst-case reduction for R-LWE [39, 55]. We highlight the challenge for this task at a high level. For R-LWE, [12] requires the error distribution to be bounded, the coefficients to be independent, and the secret to be invertible over the ring. By contrast, in the first “$\Longrightarrow $” the worst case hardness results [39, 55] require the error to follow rounded Gaussian over the H space (see Sect. 2) where the secret is not necessarily invertible unless the ring $R_q$ is also a finite field. This rules out common rings such as $x^n+1$ with n a power of 2. We solve this issue with rejection sampling arguments. We will provide more details in Sect. 4.

It is also worth pointing out that conversions between R-LWE instances and R-LWR instances are not straightforward. For simplicity, let $(a,as+e)\in R_q^2$ be an R-LWE instance, and $(a',\lfloor a's'\rfloor _p)\in R_q\times R_p$ be an R-LWR instance. Notice that a and $as+e$ are both in $R_q$, while $\lfloor a's'\rfloor _p$ is in $R_p$. In a security proof, we need to replace $as+e$ with a random element u, and pass u to the next R-LWE instance as a public input. In comparison, for R-LWR, $\lfloor as\rfloor _p$ is in $R_p$ instead of $R_q$; and it will not be a valid public input to the next R-LWR instance, unless we change the modulus for the hardness assumption from q to p. This is indeed an issue for Round2 [8], whose proof only works when q dividable by p. We solve this problem by introducing a new probabilistic function $\textsc {Inv}(\cdot )$ in this paper that “lifts” an $R_p$ element back to $R_q$. Particularly, we have $\lfloor {\textsc {Inv}}(\lfloor a\rfloor _p)\rfloor _p=\lfloor a\rfloor _p$ and ${\textsc {Inv}}(\lfloor a\rfloor _p)$ is uniform in $R_q$ when a is uniform in $R_q$. Note that q is not required to be dividable by p. This allows for NTT friendly prime q-s for efficient implementations. We will provide details in Sect. 5.

2 Preliminaries

For a set S and a probability distribution $\chi $ over S, denote by $x\leftarrow _\$ \chi $ sampling $x \in S$ according to $\chi $. When $\chi $ is a uniform distribution over S, denote by $x\leftarrow _\$ \mathcal {U}(S)$ to sample x uniformly at random from S. For simplicity, we sometimes write it as $x \leftarrow _\$ S$. Additionally, we use $\mathcal {U}(\lfloor \mathbb {Z}_q\rfloor _p)$ to denote the distribution of $\lfloor x \rfloor _p$ where $x \leftarrow _\$ \mathcal {U}(\mathbb {Z}_q)$.

2.1 The Rounding Function

For any integer modulus $q\ge 2$, $\mathbb {Z}_q$ denotes the quotient ring of integers modulo q. We define a (floor) rounding function $\lfloor \cdot \rfloor _p:\mathbb {Z}_q\rightarrow \mathbb {Z}_p$ as $\lfloor x\rfloor _p = \lfloor (p/q)\cdot \bar{x}\rfloor \bmod p$, where $q\ge p\ge 2$ will be apparent from the context, $\bar{x}$ is an integer congruent to $x\bmod q$. We extend $ \lfloor \cdot \rfloor _p$ componentwise to vectors and matrices over $\mathbb {Z}_q$, and coefficient-wise (with respect to the “power basis”) to the quotient ring $R_q$. Note that in [4, 10, 12], LWR is defined with the function $\lfloor \cdot \rceil _p$, while it can be extended directly to $\lfloor \cdot \rfloor _p$ with a similar definition while preserving the proof. We opt to use $\lfloor \cdot \rfloor _p$ for the following reason: in the implementation when q and p are both powers of some common base b (e.g., 2), $\lfloor \cdot \rfloor _p$ is equivalent to dropping the least-significant digit(s) in base b. Moreover, $\lfloor x \rfloor _p$ is uniformly random in $\mathbb {Z}_p$ if x is uniformly random in $\mathbb {Z}_q$ when p divides q.

2.2 Rényi Divergence

In [9], Bai et al. show that Rényi divergence (RD) is a powerful tool to improve or generalize security reductions in lattice-based cryptography. The formal definition is shown below.

Definition 1

(Rényi divergence). Let $\mathcal {P}$, $\mathcal {Q}$ be two distributions s.t. $Supp(\mathcal {P})\subseteq Supp(\mathcal {Q})$. For $a \in (1, +\infty )$, the Rényi divergence of order a is defined by

$$\mathsf{RD}_a(\mathcal {P}\Vert \mathcal {Q})=\left( \sum _{x\in Supp(\mathcal {P})} \left( \mathcal {P}(x)^a /{\mathcal {Q}(x)^{a-1}}\right) \right) ^{\frac{1}{a-1}}.$$

Specifically, the Rényi divergence of order $+\infty $ is given by

$$\mathsf{RD}_{\infty }(\mathcal {P}\Vert \mathcal {Q}) = \max _{x\in Supp(\mathcal {P})} \left( \mathcal {P}(x)/\mathcal {Q}(x)\right) .$$

The Rényi divergence has following useful properties.

Lemma 1

([9]). For two distributions $\mathcal {P}$, $\mathcal {Q}$ and two families of distributions $(\mathcal {P}_i)_i$, $(\mathcal {Q}_i)_i$, the Rényi divergence verifies the following properties:

Data processing inequality. For any function f, $RD_a(\mathcal {P}_f \Vert \mathcal {Q}_f) \le RD_a(\mathcal {P}\Vert \mathcal {Q})$.
Multiplicativity. $RD_a(\prod _i \mathcal {P}_i\Vert \prod _i \mathcal {Q}_i) = \prod _i RD_a(\mathcal {P}_i\Vert \mathcal {Q}_i)$.
Probability preservation. For any event $E \subseteq Supp(\mathcal {Q}) $ and $a\in (1, +\infty )$,
$$\mathcal {Q}(E) \ge \mathcal {P}(E)^{a/(a-1)}/RD_a(\mathcal {P}\Vert \mathcal {Q}),$$

$$\mathcal {Q}(E) \ge \mathcal {P}(E)/RD_\infty (\mathcal {P}\Vert \mathcal {Q}).$$

2.3 Lattice and Algebra

Now we are ready to present a few well-known results related to lattice based cryptography. For more details, see [39, 40, 46, 54, 55].

Lattice. A (full-rank) lattice is a set of the form $L =\sum _{i\le n} \mathbb {Z}\mathbf {b}_i$, where $\mathbf {b}_i$’s are linearly independent vectors in $\mathbb {R}^n$. The integer n is called the lattice dimension, and the $\mathbf b _i$’s are called a basis of L. The first minimum $\lambda _1(L)$ (resp. $\lambda _1^\infty (L)$) is the Euclidean (resp. infinity) norm of any shortest non-zero vector of L. If $\mathfrak {B} = (\mathbf {b}_i)_i$ is a basis matrix of L, the fundamental parallelepiped of $\mathfrak {B}$ is the set $P(\mathfrak {B}) = \left\{ \sum _{i\le n} c_i \mathbf {b}_i:c_i \in [0,1)\right\} $. The volume $|\det (\mathfrak {B})|$ of $P(\mathfrak {B})$ is an invariant of the lattice L, denoted by $\det (L)$. Minkowski’s theorem states that $\lambda _1 (L) \le \sqrt{n}(\det L)^{1/n}$. The k-th successive minima $\lambda _k(L)$ for any $k \le n$ is defined as the smallest r such that L contains at least k linearly independent non-zero vectors of norm $\le r $. The dual lattice of L is defined as $L^* = \{\mathbf {c}\in \mathbb {R}^n : \forall i, \langle \mathbf {c}, \mathbf {b}_i \rangle \in \mathbb {Z}\}$.

H Space. We follow the framework of [39] by working over the H Space to deal with ideal lattices. Recall that $H\subseteq \mathbb {R}^{s_1}\times \mathbb {C}^{s_2}$ is defined as

$$H := {(x_1, \ldots , x_n) \in \mathbb {R}^{s_1} \times \mathbb {C}^{2s_2}: x_{s_1+s_2+j} = \overline{x_{s_1+j}},\; \forall j \in {1, \ldots , s_2}}$$

for some nonnegative integers $s_1$, $s_2$ with $n = s_1 + 2s_2$. As shown in [39], H is isomorphic to $\mathbb {R}^n$.

Let $f(x)\in \mathbb {Q}[x]$ be a (monic) polynomial of degree n that is irreducible over $\mathbb {R}$, and $\zeta $ be a root of f(x) such that $f(\zeta )=0$. A number field is then a field extension $K=\mathbb {Q}(\zeta )$ obtained by adjoining an element $\zeta $ to the rationals. There exists an isomorphism between $K \cong \mathbb {Q}[X]/(f(X))$, given by $\zeta \mapsto X$. Hence, elements in K can be represented with polynomials, using the power basis $\{1,\zeta ,\ldots ,\zeta ^{n-1}\}$.

The Ring of Integers of a cyclotomic number field, denoted by R, is the set of all algebraic integers in the number field K. Hence, $R \subset K$ forms a ring under the same operations in K. In addition $\mathbb {Z}[\zeta ]\cong \mathbb {Z}[X]/f(X)$ under the above isomorphism. In other words, the power basis $\{1,\zeta ,\ldots ,\zeta ^{n-1}\}$ for R has a $\mathbb {Z}$-basis. Looking ahead, we will use $R_q=R/qR$ to denote the localisation of R, for some modulus q. When dealing with $R_q$, we assume that the coefficients are in $[-q/2,q/2)$ (except for $R_2$ where the coefficients are in $\{0,1\}$).

Canonical Embedding. For a given f, there are n none-necessarily distinct roots or power basis. This allows us to define n embeddings $\sigma _i : K \rightarrow \mathbb {C}$ by sending $\zeta $ to one of the roots of f. The canonical embedding $ \sigma : K \rightarrow \mathbb {C}^n$ is the concatenation of all the embeddings for n, i.e. $\sigma (a) =(\sigma _ i (a))_{ i\in n}, a \in K$. Let $\mathbf {R}$ be an $n \times n$ Vandermonde matrix

$$\mathbf {R}=\left( \begin{array}{cccc} 1, &{} \sigma _ 1 (\zeta ) , &{} \ldots ,&{} \sigma _ 1^{n-1} (\zeta ) \\ \vdots &{} &{} &{} \vdots \\ 1, &{} \sigma _ n (\zeta ), &{} \ldots ,&{} \sigma _ n^{n-1} (\zeta ) \\ \end{array} \right) .$$

Then $\sigma (a) =\mathbf {R}\mathbf {a}$, where $\mathbf {a}$ is the vector of the coefficients of the polynomial a.

The trace and norm are the sum and product, respectively, of the canonical embeddings: $ Tr(x) = \sum _{i\in [n]}{\sigma _i(x)} \text { and } \mathcal {N}(x) = \prod _{i\in [n]} \sigma _i(x)$. The norm of an ideal I is its index as an additive subgroup of R, i.e., $\mathcal {N}(I) = |R/I|$.

In addition, with a proper indexation, the image H of $\sigma $ is the $\mathbb {Q}$ vector space generated by the columns of $\sqrt{2}\cdot \mathbf {T}$ where:

$$ \mathbf {T}=\frac{1}{\sqrt{2}}\left( \begin{array}{cc} \mathbf {I}_{\phi (m)/2} &{} i \mathbf {I}_{\phi (m)/2} \\ \mathbf {I}_{\phi (m)/2} &{} -i \mathbf {I}_{\phi (m)/2} \end{array}\right) $$

with $i=\sqrt{-1}$ and $\mathbf {I}$ is the identity matrix. In other words, for any element $x \in \mathbb {Q}(\zeta )$, there exists a vector $\mathbf {v} \in \mathbb {Q}^n$ such that $\sigma (x)=\mathbf {R}\mathbf {x} = \sqrt{2}\mathbf {T}\mathbf {v}$, and vice versa. For the rest of the paper, we will refer to the column vectors of $\mathbf {T}$ as the canonical basis for the embedding space H.

Defining

$$\begin{aligned} \mathbf {B}:= 1/\sqrt{2}\cdot \mathbf {T}^{-1}\mathbf {R} \end{aligned}$$

(1)

the transformation matrix from the canonical basis to the power basis, then, for any $a \in \mathbb {Q}(\zeta )$, there exists a corresponding vector $\mathbf {v} = \mathbf {B}\mathbf {a}$ where $\mathbf {a}$ is the vector form of a. It is straightforward to see that $\mathbf {B}$ is invertible since both $\mathbf {R}$ and $\mathbf {T}$ are nonsingular. Hence we also have $\mathbf {v}=\mathbf {B}^{-1}\mathbf {x}$. This allows us to bound the norm of $\mathbf {v}$ in functions of $\mathbf {x}$. According to the results in the functional analysis^{Footnote 2}, there are positive constants $c_1$ and $c_2$ such that

$$\begin{aligned} c_1\Vert \mathbf {x}\Vert \le \Vert \mathbf {B}^{-1}\mathbf {x}\Vert \le c_2\Vert \mathbf {x}\Vert \end{aligned}$$

(2)

for any $\mathbf {x}$. The absolute values of $c_1$ and $c_2$ depends solely on $\mathbf {B}$ which is only determined by the ring R, and $c_1^n\le \det (\mathbf {B}^{-1})\le c_2^n$.

For cyclotomic rings $\mathbb {Z}[x]/(x^n+1)$ where n is a power of 2, we have $c_1=c_2$ since $\mathbf {B}$ is an orthogonal matrix [27]. Estimating the asymptotic bounds for other rings is still an open problem, although it was shown in [23], that even if $c_1$ and $c_2$ were not bounded by some constant, they seems to grow very slowly in n. Hence in this paper, we assume that

$$\begin{aligned} c_2\le \left( 1+1/n\right) ^{\tau _1} c_1 \end{aligned}$$

(3)

for some constant $\tau _1$, $c_1$ and $c_2$.

The Ideal Lattice. We follow [39] by viewing an ideal I in R as a lattices with a $\mathbb {Z}$-basis $U = \{u_1, . . . , u_n\}$, under the canonical embedding $\sigma $. Correspondingly, denote the volume $vol(I) := vol(\sigma (I))$ of an ideal, the minimum distance $\lambda _1 (I) := \lambda _1 (\sigma (I))$, etc.

The (absolute) discriminant $\varDelta _K = vol(R)^2$ of a number field K is the squared volume of its ring of integers $R = O_K $, viewed as a lattice; equivalently,

$$\varDelta _K = |\det (Tr(u_i \cdot u_ j ))| = |\det (\mathbf {U}^*\cdot \mathbf {U})|$$

where $\mathbf {U}= \sigma (U)$ for an arbitrary $\mathbb {Z} $-basis $U= (u_1 ,\ldots ,u_ n) $ of R. A useful dimension-normalized quantity is the root discriminant $\delta _K:=\sqrt{\varDelta _K}^{1/n}=vol(R)^{1/n} $ (sometimes also denoted $\delta _R$). It is a measurement of the “sparsity” of the algebraic integers in K. It follows directly from the definition that $vol(I) = \mathcal {N}(I) \cdot \sqrt{ \varDelta _K }$ for any fractional ideal I in K. The following standard fact is an immediate consequence of Minkowski’s first theorem (for the upper bound) and the arithmetic mean-geometric mean inequality (for the lower bound).

Lemma 2

([54]). For any fractional ideal I in a number field K of degree n,

$$\sqrt{n}\cdot \mathcal {N}(I)^{ 1/n}\le \lambda _1(I) \le \sqrt{n}\cdot \mathcal {N}(I)^{ 1/n}\cdot \delta _K .$$

Dual Lattice. For any lattice L in K (i.e., for the $\mathbb {Z}$-span of any $\mathbb {Q}$-basis of K), its dual is defined as $L^\vee = \{x \in K : Tr(xL) \in \mathbb { Z}\}.$ Recall that the ring of integers of $\mathbb {Q}( \zeta )$ is $\mathbb {Z}[\zeta ] :=\mathbb {Z}[X]/(f )$. Let $I^\vee \subset K $ be the dual fractional ideal of I. Under the canonical embedding, $I^\vee $ embeds as the complex conjugate of the (usual defined) dual lattice of I, i.e., $\sigma (I^\vee ) = \overline{\sigma (I)^*}$. Specifically, the dual (or co-different ideal) of $\mathbb {Z}[\zeta ]$, denoted by $\mathbb {Z}[\zeta ] ^\vee $, is the fractional ideal $ \frac{1}{f'(\zeta )}\mathbb {Z}[\zeta ]$, where $f'$ is the derivative of f [22]. That is, given a vector $\mathbf {a}$ corresponding to $a\in R^\vee $, we can injectively map a to $b={f'(\zeta )} a\in R$ though a linear transformation $ \mathbf {D}\mathbf {a}= \mathbf {b}$. Similar to matrix $\mathbf {B}$, here, the matrix $\mathbf {D}$ is determined by the ring R, and there exist constants $c_3$ and $c_4$ such that

$$\begin{aligned} c_3\Vert \mathbf {x}\Vert \le \Vert \mathbf {D}^{-1}\mathbf {x}\Vert \le c_4\Vert \mathbf {x}\Vert \end{aligned}$$

(4)

for any $\mathbf {x}$. Again, it is an open problem to give asymptotical bounds for $c_3$ and $c_4$, except for the case of cyclotomic ring $\mathbb {Z}[x]/(x^n+1)$ with n is a power of 2, where $c_3=c_4=1/n$. Therefore, for the rest of rings, we assume that

$$\begin{aligned} c_4\le \left( 1+1/n\right) ^{\tau _2} c_3 \end{aligned}$$

(5)

for some constant $\tau _2$, $c_3$ and $c_4$.

For a function $\mathcal {F}$ that maps lattices to non-negative reals, the bounded distance decoding problem (BDD) over H is defined as given a lattice $L\subset H$, a distance bound $d \le \mathcal {F}(L)$, and a coset $\mathbf {e} + L$ where $\Vert \mathbf {e}\Vert \le d$, find $\mathbf {e}$.

2.4 Gaussian Distribution

For $\alpha > 0$, the continuous Gaussian distribution $D_\alpha ^H$ of parameter (or width) $\alpha $ over H is defined to by a probability density function $f(\mathbf {x})=\frac{1}{\alpha ^n}\rho _\alpha (\mathbf {x}) =\frac{1}{\alpha ^n}\exp \left( -\pi \frac{\left\langle \mathbf {x},\mathbf {x}\right\rangle }{\alpha ^2}\right) $. This naturally induce a distribution over the field tensor product $K_\mathbb {R}=K\otimes _{\mathbb {Q}}\mathbb {R}$ with respect to the canonical basis. When converting to the power basis, the random vector $\mathbf {y}=\mathbf {B}\mathbf {x}$ follows a probability density function $f'(\mathbf {y}) =\frac{1}{\alpha ^n\sqrt{\mathbf {\Sigma }}}\exp \left( -\pi \frac{ \mathbf {y}^T\mathbf {\Sigma }^{-1}\mathbf {y}}{\alpha ^2}\right) $, where $\mathbf {\Sigma }=\mathbf {B}\mathbf {B}^T$ for $\mathbf {B}$ defined in (1). The rounded Gaussian, denoted by $\bar{D}_\alpha ^H$, is the distribution $\lfloor x\rceil \bmod q\in R_q$ where $x\leftarrow D_\alpha ^H$ and the rounding is performed over the power basis.

Next we recall an important definition, the smoothing parameter [46], and its various related lattice quantities.

Definition 2

For a lattice L and positive real $\varepsilon > 0 $, the smoothing parameter $\eta _\varepsilon (L)$ is defined to be the smallest r such that $\rho _{1/r}\left( L^* /\{0\}\right) \le \varepsilon $.

Lemma 3

([46]). For any n-dimensional lattice L, we have $\eta _{ 2 ^{-2n}} (L) \le \sqrt{n}/\lambda _1 (L^*),$ and $\eta _\varepsilon (L) \le \sqrt{\ln (n/\varepsilon )}\lambda _n (L) $ for all $0< \varepsilon < 1$.

Lemma 4

([46]). For any lattice L, $\varepsilon > 0 $, $r \ge \eta _\varepsilon (L)$, and $\mathbf {c} \in H$, the statistical distance between $(D_r + \mathbf {c}) \bmod L$ and uniform distribution modulo L is at most $\varepsilon $.

The next lemma describes the tail cutting property of a Gaussian distribution.

Lemma 5

(Tail Cutting). A one-dimensional Gaussian $D_\alpha $ over $\mathbb {R}$ satisfies the tail bound $\Pr _{ x\leftarrow D_\alpha }\left[ |x|\ge B\right] \le 2 \exp (-\pi (B/\alpha )^2)$ for any $B \ge 0$. Particularly, if $B>\sqrt{n}\alpha $ for some integer n, $\Pr _{ x\leftarrow D_\alpha }\left[ |x|\ge B\right] $ is exponentially small in n.

2.5 The Learning with Errors Problem over the Ring

The first hardness result for decisional R-LWE problem is for cyclotomic fields [39, 40], assuming that the BDD problem is hard. In [55], the result is extended to any ring, with the help of a discrete Gaussian sampling problem.

Let K be some number field of dimension n. Let $R = \mathcal {O}_K$ be its ring of integers which embeds as a lattice. $R^\vee \subset K $ is the dual fractional ideal of R. For simplicity and convenience for our applications, we present the problem in its discretized, “normal” form [6], where the secret are drawn from the same distribution with the error. See [40, 41, 54] for more general forms.

Definition 3

( R-LWE Distribution). For an $s\in R_q^\vee $ and a distribution $\chi $ over the field tensor product $K_\mathbb {R}=K\otimes _{\mathbb {Q}}\mathbb {R}$, a sample from the R-LWE distribution $\mathcal {O}_{s,\chi }$ over $R_q \times K_\mathbb {R}/qR^\vee $ is generated by choosing $a\leftarrow R_q$ uniformly at random, choosing $e\leftarrow \chi $, and outputting $(a,b = a\cdot s + e)$.

Definition 4

( R-LWE Average-Case Decisional Problem). The decision version of the R-LWE problem, denoted by R-$\textsf {DLWE}_{q,\chi ',\chi }$, is to distinguish with non-negligible advantage between independent samples from $\mathcal {O}_{s,\chi }$ for some s chosen from $\chi '$, and the same number of uniformly random and independent samples from $R_q \times K_\mathbb {R}/qR^\vee $.

The claim that R-$\textsf {DLWE}_{q,\chi ',\chi }$ is hard for any probabilistic polynomial time distinguisher $\mathcal {A}$ is equivalent to the following statement: Let $\Pr (\mathcal {A}^{\mathcal {O}_{ \chi ,s}}=1)=p_0(s)$ and $\Pr (\mathcal {A}^{\mathcal {U}(R_q \times R_q)}=1)=p_1$. Denote by $S_\varepsilon $ the set where for any elements $s\in S$, $|p_0(s)-p_1|>\varepsilon $ except for some negligible $\varepsilon $. Then there is a negligible $\delta $ such that $\Pr \left( s\in S |s\leftarrow \chi '\right) <\delta .$

Theorem 1

([40, 41]). Let K be the m-th cyclotomic number field with dimension $n = \psi (m)$ and $R =\mathcal {O}_K$ be its ring of integers. Let $\xi = \xi (n) > 0$, and let $q = q(n) \ge 2$, $q = 1 \bmod m$ be a poly(n)-bounded prime such that $\xi q \ge \omega ( \sqrt{\log n})$. Then there is a polynomial-time quantum reduction from $\tilde{O}(\sqrt{n}/\xi )$-approximate SIVP (or SVP) on ideal lattices in K to the problem of solving R-$\textsf {DLWE}_{q,D_{\alpha }}$, given $l-1$ samples, where $\alpha = q\xi \cdot (nl/ log(nl))^{1/4}$.

The theorem above captures reductions from ideal lattice GapSVP (GapSIVP) to R-LWE. To guarantee an average-case/worst-case reduction as in [40], the error distribution $\chi $ needs to be a continuous Gaussian distribution $D_\alpha ^H$ over H. In practice, it is more convenient to work with a discretized “non-dual” form of R-LWE [27], where the secret and the error are both in $R_q$ instead of $R_q^\vee $. Accordingly, samples will be of the form $\left( a_i,b_i=s\cdot a_i+e_i \bmod qR\right) \in R_q\times R_q.$ To achieve so, we multiply the error distribution by $t=f'( \zeta )$, then discretize it by rounding each coefficient in the power basis to the nearest integer. Consequently, the error distribution becomes $\overline{t\cdot D_\alpha ^H}$ over R. In the paper we adapt the “normal” form R-LWE [6], i.e., the secret is also drawn from the distribution $\overline{t\cdot D_\alpha ^H}$.

3 Warm up

Our computational assumption is defined by the success probability among multiple experiments, where each experiment is a sequence of interactions between a challenger $\mathcal {C}$ and an adversary $\mathcal {A}$ as defined in Definition 5. In addition, we use a third party, the Source, denoted by $\mathcal {S}$, who is responsible for generating the samples for $\mathcal {C}$, as illustrated in Fig. 1.

Definition 5

($\mathsf {Exp}(\mathcal {C}, \mathcal {A})$). The experiment is defined as a sequence of interactions as follows:

1.
$\mathcal {S}$ samples from var and con to obtain a sample (X, aux), and sends it to $\mathcal {C}$;
2.
$\mathcal {C}$ computes $(\mathsf{Input},\mathsf{Target})\leftarrow \mathcal {C}(X,aux)$, and sends $\mathsf{Input}$ to the $\mathcal {A}$;
3.
$\mathcal {A}$ replies with a guess $\mathsf{Output}$.

The adversary wins the experiment if $\mathsf{Target}= \mathsf{Output}$.

We claim that the success probability of $\mathcal {A}$ will depend on three factors: (a), the distribution of the source var; (b) the distribution of the Target; and (c) the connection between Input and Target, i.e., the combination of $\mathcal {C}$ and $\mathcal {A}$. Our goal is to ensure that, for variance $\mathsf {Exp}_i$, the success probability of $\mathcal {A}_i$ will only depend on the distribution of the source $\mathcal {S}_i$. To achieve so, we use a same challenger $\mathcal {C}$ and adversary $\mathcal {A}$ pair throughout the experiments.

As a result, those experiments will reveal the impact of different $\mathcal {S}$-s on $\mathcal {A}$’s success probability. If $\mathcal {A}$ successfully guesses an $\mathsf{Output}$ for an $X_i$, we can deduce that $\mathcal {C}$ leaks enough information about $\mathcal {S}$ for the adversary to compute $\mathsf{Target}$. Thus, for two sources $\mathcal {S}_1$ and $\mathcal {S}_2$, our definition captures that, no matter what information is leaked through $\mathcal {C}$, if an adversary cannot compute $\mathsf{Target}$ from $X_1$ for source $\mathcal {S}_1$, then it cannot compute $\mathsf{Target}$ from $X_2$ for source $\mathcal {S}_2$. That is, the adversary cannot learn more information from $\mathcal {S}_1$ than from $\mathcal {S}_2$ for a fixed $\mathcal {C}$.

Then, for any PPT challenger $\mathcal {C}$, if the success probability of any adversary $\mathcal {A}$ in $\mathsf {Exp}_1$ of Table 1 is negligible, so does $\mathcal {A}$ in $\mathsf {Exp}_2$.

Table 1. $\mathsf {Exp}_1$ v.s. $\mathsf {Exp}_2$

Full size table

To show that the above model is useful in a security proof, let us present a proof of an (informal) Diffie-Hellman version of the assumption within the above model. Looking ahead, we will use a similar approach to proof R-CLWR.

Definition 6

(The Diffie-Hellman analogue to our assumption). Let $\mathbb {G}$ be a group. Let $\mathcal {Z}_{s}$ be the distribution of $(a,b)=(g,g^s)$ where $g\leftarrow _\$\mathbb {G}$ is a randomly chosen group element and s is an randomly chosen and fixed index. Accordingly, let $\mathcal {U}$ be the distribution of $(a,b)=(g, u)$ where $g,u\leftarrow _\$ \mathbb {G}$. Let $var_1$ denote the distribution $\mathcal {Z}_{s}^l$ and $var_2$ denote the distribution $\mathcal {U}^l$. Let con be an arbitrary distribution over $\{0,1\}^*$ which is independent of $var_1$ and $var_2$. For a fixed PPT challenger $\mathcal {C}$, $\mathring{P}_{\mathcal {C}}(\mathcal {A})$ is the probability for a PPT adversary $\mathcal {A}$ to win the $\mathsf {Exp}_1(\mathcal {C},\mathcal {A})$ with $\mathcal {S}_1$ in Table 1, while $\mathring{Q}_{\mathcal {C}}(\mathcal {A})$ is that for $\mathcal {A}$ to the $\mathsf {Exp}_2(\mathcal {C},\mathcal {A})$ with $\mathcal {S}_2$. Then, if $\mathring{Q}_{\mathcal {C}}$ is negligible for any PPT adversary $\mathcal {A}$, so is $\mathring{P}_{\mathcal {C}}$.

We claim that this assumption implies the $\mathsf{CDH}$ assumption. Recall that $\mathsf{CDH}$ says that given $g^x$ and $g^y$ for a randomly chosen element g, no PPT adversary is able to compute $g^{xy}$. Slightly different with the traditional $\mathsf{CDH}$ assumption, here we require g is randomly chosen from a cyclic group instead of a fixed element. So $ g, g^x, g^y g^{xy}$ all can be as distributions. We sketch a reduction through the following games.

Game 1. The Input for $\mathcal {A}$ is $(g^x,g^y)$, and the Target is $g^{xy}$.
Game 2. The Input for $\mathcal {A}$ is $(u,g^y)$ for some random u, and the Target is $u^y$.
Game 3. The Input for $\mathcal {A}$ is (u, v) for some random u and v, and the Target is w for some random w.

Observe that, in Game 3, u, v and w are independent, therefore the success probability of the adversary will be $1/\left| \mathbb {G}\right| $, which is negligible.

In the rest of the reduction, we will firstly proof the success probability of the adversary in Game 2 is also negligible. To meet the notation, we set $var_1$ to be the distribution of $((a_1,b_1), (a_2,b_2))$ for $(a_1,b_1)=(g,g^y)$ and $(a_2,b_2)=(u,u^y)$, and $var_2$ to be that for $(a_1,b_1)=(g,v)$ and $(a_2,b_2)=(u,w)$. Set con to be dummy. $\mathcal {C}$ is then defined as given $X=((a_1,b_1), (a_2,b_2))$, compute $\mathsf{Input}=(a_2, b_1)$ and $\mathsf{Target}= b_2$. As per Definition 6, if the success probability of $\mathsf {Exp}_2$ in Table 2 is negligible, so is that of $\mathsf {Exp}_1$. Therefore, the success probability of the adversary in Game 2 is negligible.

Table 2. Reduction between Game 2 and 3

Full size table

Table 3. Reduction between Game 1 and 2

Full size table

Then we will proof the success probability of the adversary in Game 1 is also negligible. Let con be the distribution of choosing an arbitrary index y; $var_1$ be the distribution of $(a_1,b_1)$ for $(a_1,b_1)=(g,g^x)$; and $var_2$ be that for $(a_1,b_1)=(g,v)$. Accordingly, $\mathcal {C}$ is defined as given $X = ((a_1,b_1), y)$ and computes $\mathsf{Input}=(b_1, a_1^y)$ and $\mathsf{Target}= b_1^y$. As per Definition 6, if the success probability of $\mathsf {Exp}_2$ in Table 3 is negligible, so is that of $\mathsf {Exp}_1$. Therefore, the success probability of the adversary in Game 1 is negligible.

In the next section, we will give more details on how to instantiate the framework as per Definition 6 where the underlying discrete log problem is replaced by a lattice problem.

4 The Computational Ring-LWR Assumption

For simplicity, we make use of the following additional notations. We refer to a uniformly distribution over $[-\beta , \beta ]$ as $U_\beta $. Accordingly, denote by $U_\beta ^n$ the distribution over $R_q$ where each coefficient is no greater than $\beta $. For a distribution $\chi $ over K, we say $\bar{\chi }$ is the discretization distribution over R, which is obtained by rounding each coefficient in the power basis to the nearest integer. For a distribution $\chi '$ over R, denote by $(\chi ')^\times $ the distribution of the output of the following process: sample an element $a\leftarrow \chi '$, output a if a is invertible; repeat until an output is obtained.

Now we are ready to give a formal definition of the R-CLWR assumption. This definition, as hinted in previous section, allows us to prove that an adversary cannot learn more information from R-CLWR sample inputs than from uniform inputs. Our definition follows the framework of the Table 1. The only variation here is on the definitions of $var_1$ and $var_2$.

Definition 7

(Computational Ring-LWR Assumption). Let q, p and l be positive integers. Fix an s that is chosen from a distribution $\chi $ over R. Denote by $\mathcal {X}_{s}$ the distribution of $(a, \lfloor as\rfloor _p)$ where $a\leftarrow _\$ R_q$; and denote by $\mathcal {U}$ the distribution of $(a, \lfloor b\rfloor _p)$ where $a,b \leftarrow _\$ R_q$. Let $\mathcal {S}_i = (var_i, con)$, where $var_1$ denotes the distribution $\mathcal {X}_{s}^l$; $var_2$ denote the distribution $\mathcal {U}^l$; and con is an arbitrary distribution over $\{0,1\}^*$ which is independent from $var_1$ and $var_2$. For a fixed PPT challenger $\mathcal {C}$, let $P_{\mathcal {C},\mathcal {A}}(\chi )$ be the probability for a PPT adversary $\mathcal {A}$ to win $\mathsf {Exp}_1(\mathcal {C}, \mathcal {A})$ with $\mathcal {S}_1$, while $Q_{\mathcal {C},\mathcal {A}}$ be that for $\mathcal {A}$ to win $\mathsf {Exp}_2(\mathcal {C}, \mathcal {A})$ with $\mathcal {S}_2$.

The computational ring-LWR assumption with regard to a secret distribution $\chi $, denoted by R-$\textsf {CLWR}_{p,q,l,\chi }$, or R-$\textsf {CLWR}_{\chi }$ for short, is that for any challenger $\mathcal {C}$, if $Q_{\mathcal {C},\mathcal {A}}$ is negligible for any PPT adversary $\mathcal {A}$, so is $P_{\mathcal {C},\mathcal {A}}$.

Correspondingly, we also define the computational rounded learning with errors over the ring (R-CRLWE) assumption. Notice its difference from a computational LWE over the ring assumption, which, by the analogy to R-CLWR, replaces R-LWR samples ($\lfloor as\rfloor _p$) with R-LWE samples ($as+e$). By contrast, in R-CRLWE, one replaces R-LWR samples with rounded R-LWE samples ($\lfloor as+e\rfloor _p$).

Definition 8

(Computational Ring-RLWE Assumption). Let q, p, l, s, $\chi $ and $\mathcal {U}$ be the same as Definition 7. Denote by $\mathcal {Y}_{s,\chi '}$ the distribution of $(a,{\lfloor as+e\rfloor _p})$ where $a\leftarrow _\$ R_q$ and $e\leftarrow \chi '$ over R. Let $\mathcal {S}_i = (var_i, con)$, where $var_1$ denotes the distribution $\mathcal {Y}_{s,\chi '}^l$; $var_2$ denotes the distribution $\mathcal {U}^l$; con denotes an arbitrary distribution over $\{0,1\}^*$ which is independent of $S_1$ and $S_2$. For a fixed PPT challenger $\mathcal {C}$, let $P'_{\mathcal {C},\mathcal {A}}(\chi ,\chi ')$ be the probability for a PPT adversary $\mathcal {A}$ to $\mathsf {Exp}_1(\mathcal {C}, \mathcal {A})$ with $\mathcal {S}_1$, while $Q_{\mathcal {C},\mathcal {A}}$ to be that for $\mathcal {A}$ to win $\mathsf {Exp}_2(\mathcal {C}, \mathcal {A})$ with $\mathcal {S}_2$.

The computational ring-RLWE assumption with a secret distribution $\chi $ and an error distribution $\chi '$, denoted by R-$\textsf {CRLWE}_{p,q,l,\chi ,\chi '}$ or R-$\textsf {CRLWE}_{\chi ,\chi '}$ for short, is that for any challenger $\mathcal {C}$, if $Q_{\mathcal {C},\mathcal {A}}$ is negligible for any PPT adversary $\mathcal {A}$, so is $P'_{\mathcal {C},\mathcal {A}}(\chi ,\chi ')$.

This definition suggests that the adversary cannot learn more information from R-CRLWE inputs than from uniform inputs. Next, we show that the R-CLWR assumption holds for uniform secrets, assuming the hardness of the decisional R-LWE assumption. Formally, we will have the following theorem.

Theorem 2

(Main Theorem). Following the notions in Definitions 7 and 8. For any ring R satisfying (3) and (5), the largest degree of the irreducible factors modulo integer q of the polynomial f is less than $k_q$. If l is a constant, ${\alpha }\ge {c_2c_4}\sqrt{n\ln (2n)}q^{k_q/n} \cdot \delta _K$, $\beta =\varOmega (nl\alpha )$ and $q/p=\varOmega (nl\alpha / c_2 c_4)$, there is a reduction from the decisional ring-LWE assumption R-$\textsf {LWE}_{q,\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ to the computational ring-LWR assumption R-$\textsf {CLWR}_{p,q,l,(U_{\beta }^n)^\times }$ (Fig. 2).

Combing with the worst-case/average-case reduction in Theorem 1, the hardness of our R-CLWR problem will be based on the worse-case hardness of lattice problems. It is worth pointing out that, the majority of practical cryptosystems uses a cyclotomic ring $R=\mathbb {Z}[x]/(x^n+1)$ where n is a power of 2. For this ring, we have the following result.

Corollary 1

Following the same notations. For $R=\mathbb {Z}[x]/(x^n+1)$ where n is a power of 2, if l is a constant, ${\alpha }\ge 2\sqrt{n\ln (2n)}\cdot q^{2/n}$, $\beta =\varOmega (nl\alpha )$ and $q/p=\varOmega (n^2l\alpha )$, there is a reduction from the decisional ring-LWE assumption R-$\textsf {LWE}_{q,\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ to the computational ring-LWR assumption R-$\textsf {CLWR}_{p,q,l,(U_{\beta }^n)^\times }.$

4.1 From R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }$ to R-$\textsf {CLWR}_{(U_{\beta }^n)^\times }$

We begin with proving the following lemma which shows the RD between the two distributions on $\mathbb {Z}$, namely $U_{\beta }$ and $U_\beta +\bar{D}_\alpha $, is bounded by $1+1/n$.

Lemma 6

Following the same notion. In addition, let $U_\beta $ be a uniform distribution from $[-\beta ,\beta ]$ over $\mathbb {Z}$ where $\beta >\alpha $. Let the distribution $\psi =\bar{D}_\alpha +U_\beta $. Then ${\mathsf{RD}_2\left( U_\beta \parallel \psi \right) }\le 1+\frac{\alpha }{c\beta } $ where $c=\frac{(1-\exp \left( -\pi \right) )^2}{2}\approx 0.4577$. Specifically, when $\beta >n\alpha /c$, ${\mathsf{RD}_2\left( U_\beta \parallel \psi \right) }<1+1/n.$

Proof

Please see the full version [19].

With Lemma 6, we are ready to proof the first reduction.

Lemma 7

Following the same notation, if $\beta =\varOmega (nl\alpha )$, $P_{\mathcal {C},\mathcal {A}}(U_{\beta }^n)\le 2 P_{\mathcal {C}}(U_\beta ^n+\bar{D}_\alpha ^n).$ Hence there is a reduction from R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }$ to R-$\textsf {CLWR}_{(U_{\beta }^n)^\times }$.

Proof

Note that $P_{\mathcal {C},\mathcal {A}}((U_\beta ^n)^\times )\le P_{\mathcal {C},\mathcal {A}}((U_\beta ^n+\bar{D}_\alpha ^n)^\times ) \cdot \mathsf{RD}_2\left( U_{\beta }\Vert U_\beta +\bar{D}_\alpha \right) ^{nl}.$ Lemma 6 says $\mathsf{RD}_2\left( U_{\beta }\Vert U_\beta +\bar{D}_\alpha \right) ^{nl}\le 2$ when $\beta =\varOmega (nl\alpha )$. On the other hand, assuming the hardness of R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_\alpha ^n)^\times }$, we have that for any challenger $\mathcal {C}$, $P_{\mathcal {C},\mathcal {A}}((U_\beta ^n+\bar{D}_\alpha ^n)^\times )$ is negligible when $Q_{\mathcal {C},\mathcal {A}}$ is negligible. By the above result, $P_{\mathcal {C},\mathcal {A}}((U_\beta ^n)^\times )$ is also negligible. So the assumption R-$\textsf {CLWR}_{(U_\beta ^n)^\times }$ holds. $\square $

4.2 From R-$\textsf {CRLWE}_{(U_\beta ^n+\bar{D}^n_{\alpha '})^\times ,\bar{D}^n_{\alpha '}}$ to R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }$

The following lemma is adapted from [12] with a slight modification on the noise distribution. We provide a proof for completeness.

Lemma 8

([12]). Assume $B < q/2p$. For every unit $s \in R_q$ and noise distribution $\chi $ that is balanced over $R_q$ and each coefficient is bounded by B with probability larger than $\delta $, we have $\mathsf{RD}_2(\mathcal {X}_s\Vert \mathcal { Y}_s )\le (1 + 2pB/q )^n/\delta ^n$ where $\mathcal {X}_s$ is the random variable $(a,\lfloor a\cdot s \rfloor _p)$ and $\mathcal {Y}_s$ is the random variable $(a, \lfloor a\cdot s+ e \rfloor _p)$ with $a\leftarrow R_q$ and $e\leftarrow \chi $.

Proof

By the definition,

$$\begin{aligned} RD_2(X_s\Vert Y_s)&= E_{a\leftarrow R_q}\frac{ Pr(X_s = (a, \lfloor a \cdot s \rfloor _p))}{Pr(Y_s = (a, \lfloor a \cdot s+e \rfloor _p))}\\&= E_{a\leftarrow R_q} \frac{1}{\Pr _{e\leftarrow \chi }\left( \lfloor a\cdot s + e \rfloor _p= \lfloor a \cdot s \rfloor _p\right) }. \end{aligned} $$

We define the set $border_{p,q}(B)=\left\{ x\in \mathbb {Z}_q:\left| x-\frac{q}{p}\lfloor x\rfloor _p \right| <B\right\} $. For a ring element $ a\in R_q $, we use $a_i$ to denote the ith coefficient in the power basis. For fixed s and for any $t\in [n]$, we define the set

$$BAD_{s,t}=\left\{ a\in R_q:\left| \{i\in [n],(a\cdot s)_i\in border_{p,q}(B)\}\right| =t \right\} .$$

These are candidate a-s for which $a \cdot s$ has exactly t coefficients which are dangerously close to the rounding boundary. Fix an arbitrary t and $a \in BAD_{s,t}$. For any $i \in [n]$ such that $(a\cdot s)_i \notin border_{p,q}(B)$, $\Pr _{e_i}[\lfloor (as)_i + e_i \rfloor _p = \lfloor (as)_i\rfloor _p]\ge \delta .$ For any $i \in [n]$ such that $(a\cdot s)_i \in border_{p,q}(B)$, we still have $\lfloor (a \cdot s)_i + e_i\rfloor _p = \lfloor (a\cdot s)_i\rfloor _p$ as long as $e_i \in [-B,\ldots ,0].$ By the assumption on the noise distribution, we have $\Pr _{e_i}[\lfloor (a\cdot s)_i + e_i\rfloor _p = \lfloor (a \cdot s)_i\rfloor _p] \ge 1/2.$ Because e is independent over all coefficients and a has exactly t coefficients in $border_{p,q}(B)$, $\Pr _{e\leftarrow \chi }\left( \lfloor a\cdot s + e \rfloor _p = \lfloor a\cdot s \rfloor _p\right) \ge \frac{1}{2^t}\delta ^{n-t}\ge \frac{1}{2^t}\delta ^{n}.$

Since s is a unit in $R_q$, $a\cdot s$ will be uniform over $R_q$ and

$$\Pr \left[ a \in BAD_{s,t}\right] \le {n\atopwithdelims ()t}\left( 1-\frac{|border_{p,q}(B)|}{q}\right) ^ {n-t }\left( \frac{ |border_{p,q}(B)|}{q}\right) ^t.$$

Conditioning on the event $a\in BAD_{s,t}$, we conclude

$$ \mathsf{RD}_2(X_s\Vert Y_s) \le \delta ^{-n}\sum ^n_{t=0}2^t \cdot \Pr [a\in BAD_{s,t}] = \delta ^{-n} \left( 1 + \frac{|border_{p,q}(B)|}{q}\right) ^n.$$

$\square $

Lemma 9

Adopt the same notions and symbols in Definitions 7 and 8. If $p>\frac{q\sqrt{\pi }}{2nl\alpha \sqrt{\ln (2nl)}},$ we have $P_{\mathcal {C},\mathcal {A}}(U_\beta ^n+\bar{D}_\alpha ^n)^\times \le e^2 P'_{\mathcal {C},\mathcal {A}}(U_\beta ^n+\bar{D}_\alpha ^n)^\times .$ Hence there is a reduction from R-$\textsf {CRLWE}_{(U_\beta ^n+\bar{D}^n_{\alpha '})^\times ,\bar{D}^n_{\alpha '}}$ to R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }$.

Proof

We have $P_{\mathcal {C},\mathcal {A}}(U_\beta ^n+\bar{D}_\alpha ^n)\le P'_{\mathcal {C},\mathcal {A}}(U_\beta ^n+\bar{D}_\alpha ^n)\cdot RD_2(\mathcal {X}_s\Vert \mathcal { Y}_s )^{l}.$ Note that a one-dimensional Gaussian $D_\alpha $ over $\mathbb {R}$ satisfies the tail bound $\Pr _{ x\leftarrow D_\alpha }\left[ |x|\ge B\right] \le 2 \exp (-\pi (B/\alpha )^2)$ for any $B \ge 0$. We set $B=\sqrt{\frac{\ln (2nl)}{\pi }}\alpha $, so $2 \exp (-\pi (B/\alpha )^2)\le 1/nl$ and $\delta \ge 1-\frac{1}{nl}$. Also we set $p>q/2nlB$, then we have

$$\begin{aligned} \begin{aligned} \mathsf{RD}_2(\mathcal {X}_s\Vert \mathcal { Y}_s )^{l}&\le (1 + 2pB/q )^{nl}/\delta ^{nl} \le \frac{(1 + 1/nl )^{nl}}{(1-1/nl)^{nl}}\le e^2 \end{aligned} \end{aligned}$$

(6)

Assuming R-$\textsf {CRLWE}_{\left( U_\beta ^n+\bar{D}_{\alpha '}^n\right) ^\times , \bar{D}_{\alpha '}^n }$ assumption holds, then for any $\mathcal {C}$ and $\mathcal {A}$, $P'_{\mathcal {C},\mathcal {A}}\left( (U_\beta ^n+\bar{D}_{\alpha '}^n)^\times , \bar{D}_{\alpha '}^n\right) $ is negligible so long as $Q_{\mathcal {C},\mathcal {A}}$ is negligible. By the result of (6), $P_{\mathcal {C},\mathcal {A}}(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times $ is also negligible. This proves the R-$\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }$ assumption. $\square $

4.3 From R-$\textsf {CRLWE}_{\left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {CRLWE}_{\left( U_\beta ^n+\bar{D}_{\alpha '}^n\right) ^\times ,\bar{D}_{\alpha '}^n}$

Lemma 10

Following the same notations. Additionally, let $\overline{t\cdot D^H_\alpha }$ be the discretization of $t\cdot D_{\alpha }^H$, where $D_{\alpha }^H$ is the continuous Gaussian with width $\alpha $ over the H space. $\bar{D}^n_{\alpha '}$ is the discretization of the continuous Gaussian with width $\alpha $ according to the power basis. $\mathcal {Y}'_{\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ is the random variable $(a, \lfloor a\cdot s+ e \rfloor _p)$ with $a\leftarrow _\$ R_q$ and $s,e\leftarrow \overline{t\cdot D^H_\alpha }$, and $\mathcal {Y}'_{\bar{D}^n_{\alpha '},\bar{D}^n_{\alpha '}}$ is the random variable $(a, \lfloor a\cdot s+ e\rfloor _p)$ with $a\leftarrow _\$ R_q$ and $s,e\leftarrow \bar{D}^n_{\alpha '}$. For any ring R satisfying (3) and (5), when $\alpha /c_1c_3\le \alpha '\le \left( 1+\frac{1}{n}\right) ^{\tau _1+\tau _2}\alpha /c_2c_4,$ we have $\mathsf{RD}_\infty \left( \mathcal {Y}'_{\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}\Vert \mathcal {Y}'_{\bar{D}^n_{\alpha '},\bar{D}^n_{\alpha '}}\right) \le e^{\tau _1+\tau _2}.$

Proof

According to the data processing inequality of Rényi divergence, it is sufficient to show $\mathsf{RD}_\infty \left( D_{\alpha }^n\Vert t\cdot D_{\alpha }^H\right) \le e^{\tau _1+\tau _2}$. So we need to prove for all $\mathbf {x}\in \mathbb {R}^n$, ${\rho (\mathbf {x})}/{\rho '(\mathbf {x})}\le e^{\tau _1+\tau _2}$. Recall that $t\cdot D_{\alpha }^H$ has the probability density function over the power basis $\rho (\mathbf {x}) =({\alpha ^n\det (\mathbf {D})\det (\mathbf {B})})^{-1}$ $\exp \left( -\pi { \mathbf {x}^T\left( \mathbf {D}^{-1}\right) ^T\mathbf {\Sigma }^{-1}\mathbf {D}^{-1}\mathbf {x}}/{\alpha ^2}\right) ,$ and $D_{\alpha }^n$ has the probability density function over the power basis $\rho '(\mathbf {x}) ={\alpha '^{-n}}\exp \left( -\pi { \mathbf {x}^T\mathbf {x}}/{\alpha '^2}\right) .$ Hence,

$$\frac{\rho (\mathbf {x})}{\rho '(\mathbf {x})} =\frac{\alpha '^n}{\alpha ^n\det (\mathbf {D})\det (\mathbf {B})}\exp \left( \pi \left( \frac{ \mathbf {x}^T\mathbf {x}}{\alpha '^2}-\frac{ \mathbf {x}^T\left( \mathbf {D}^{-1}\right) ^T\mathbf {\Sigma }^{-1}\mathbf {D}^{-1}\mathbf {x}}{\alpha ^2}\right) \right) .$$

According to (2) and (4), $\mathbf {\Sigma }=\mathbf {B}^T\mathbf {B}$, $\Vert \mathbf {D}^{-1}\mathbf {x}\Vert \ge c_1\Vert \mathbf {x}\Vert $ for any $\mathbf {x} \in \mathbb {R}^n$ and $\Vert \mathbf {B}^{-1}\mathbf {y}\Vert \ge c_3\Vert \mathbf {y}\Vert $ for any $\mathbf {y} \in \mathbb {R}^n$. If $\alpha '\ge \alpha /c_1c_3$, we have $\frac{\mathbf {x}^T\left( \mathbf {D}^{-1}\right) ^T\mathbf {\Sigma }^{-1}\mathbf {D}^{-1}\mathbf {x}}{\alpha ^2}\ge \frac{ c_1^2 c_3^2 \mathbf {x}^T\mathbf {x}}{\alpha ^2}\ge \frac{ \mathbf {x}^T\mathbf {x}}{\alpha '^2}.$ Therefore,

$$ \frac{\rho (\mathbf {x})}{\rho '(\mathbf {x})} \le \frac{\alpha '^n}{\alpha ^n\det (\mathbf {D})\det (\mathbf {B})}\le e^{\tau _1+\tau _2} $$

when $\alpha ' \le \left( 1+\frac{1}{n}\right) ^{\tau _1+\tau _2}\alpha c_2c_4\le \left( 1+\frac{1}{n}\right) ^{\tau _1+\tau _2}\alpha |\det (\mathbf {D})|^{1/n}|\det (\mathbf {B})|^{1/n}$. According to (3) and (5), we have $c_2\le \left( 1+\frac{1}{n}\right) ^{\tau _1}c_1$ and $c_3\le \left( 1+\frac{1}{n}\right) ^{\tau _2}c_4$. Therefore there must exist at least an $\alpha '$ that satisfies $\alpha /c_1c_3\le \alpha '\le \left( 1+\frac{1}{n}\right) ^{\tau _1+\tau _2}\alpha /c_2c_4.$ $\square $

Lemma 11

Adopt the same notions and symbols as above. For any ring R satisfying (3) and (5), when $\alpha /c_1c_3\le \alpha '\le \left( 1+{1}/{n}\right) ^{\tau _1+\tau _2}\alpha / c_2c_4$, we have $P'_{\mathcal {C},\mathcal {A}}\left( \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times , \overline{t\cdot D^H_\alpha }\right) \le e^{l(\tau _1+\tau _2)} P'_{\mathcal {C},\mathcal {A}}\left( \left( U_\beta ^n+\bar{D}_\alpha ^n\right) ^\times , \bar{D}_\alpha ^n\right) .$ Hence there is a reduction from R-$\textsf {CRLWE}_{\left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {CRLWE}_{\left( U_\beta ^n+\bar{D}_{\alpha '}^n\right) ^\times ,\bar{D}_{\alpha '}^n}$.

4.4 From R-$\textsf {LWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {CRLWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}$

Lemma 12

Adopt the same notions and symbols in Definitions 7 and 8. Assume the advantage of any probabilistic polynomial time algorithm to solve the decisional R-LWE problem R-$\textsf {LWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}$ is less than $\varepsilon $, then we have $\left| P'_{\mathcal {C},\mathcal {A}}\left( \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }\right) -Q_{\mathcal {C},\mathcal {A}}\right| < \varepsilon $ for any PPT adversary $\mathcal {A}$.

Proof

We construct an adversary $\mathcal {B}$ who breaks the decisional R-LWE problem as follows. At the high level, $\mathcal {B}$ will play the role as the challenger $\mathcal {C}$ in the experiment. Given samples $(x_1,y_1),\ldots ,(x_{l},y_{l})$, the algorithm $\mathcal {B}$ sets $a_i=x_i$ and $b_i=\lfloor y_i\rfloor _p$ for $i\leqslant l$, and $X = (a_1,b_1),\ldots ,(a_{l},b_{l}) $. Since $\mathcal {B}$ can obtain all the view of any challenger $\mathcal {C}$, $\mathcal {B}$ can simulate all the behaviors of $\mathcal {C}$ and compute the corresponding $\mathsf{Input}$ and $\mathsf{Target}$. $\mathcal {B}$ also check whether the $\mathsf{Output}$ of $\mathcal {A}$ equals the $\mathsf{Target}$. If the check is passed, $\mathcal {B}$ outputs 1; otherwise it outputs 0.

When $(x_1,y_1),\ldots ,(x_{l},y_{l})$ are R-LWE samples,

$$\Pr (\mathcal {B}\left( (x_1,y_1),\ldots ,(x_{l},y_{l})\right) =1)=P'_{\mathcal {C},\mathcal {A}}\left( \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }\right) ;$$

by contrast, when $(x_1,y_1),\ldots ,(x_{l},y_{l})$ are uniform samples,

$$\Pr \left( \mathcal {B}\left( (x_1,y_1),\ldots ,(x_{l},y_{l})\right) =1\right) =Q_{\mathcal {C},\mathcal {A}}$$

for adversary $\mathcal {A}$. Thus, assuming the hardness of decisional ring-LWE, we have $\left| P'_{\mathcal {C},\mathcal {A}}\left( \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }\right) -Q_{\mathcal {C},\mathcal {A}}\right| < \varepsilon $ for negligible $\varepsilon $.

$\square $

4.5 From R-$\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {LWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}$

Lemma 13

Let $D_{\hat{\alpha }}^n$ be a continuous Gaussian with width $\hat{\alpha }$ and $ D^H_{\alpha }$ be a continuous Gaussian over H with width $\alpha $. Let $t=f'(\zeta )$. If the assumption (3) and (5) holds, when $\frac{\alpha }{\left( 1+{1}/{n}\right) ^{\tau _1+\tau _2}c_1c_3}\le \hat{ \alpha }\le \frac{\alpha }{c_2 c_4},$ we have $RD_\infty (D_{\hat{\alpha }}^n| t\cdot D^H_{\alpha })\le e^{\tau _1+\tau _2}.$

The proof is similar to Lemma 10. We omit the details and recommend readers to refer the full version [19].

Lemma 14

Let $D_{\hat{\alpha }}^n$ be a continuous Gaussian distribution over $K_\mathbb {R}$ where $K\cong \mathbb {Q}[X]/(f(X))$. The largest degree of the irreducible factors modulo integer q of the polynomial f is less than $k_q$. Let $\hat{\alpha } \ge \sqrt{n\ln (n/\varepsilon )}q^{k_q/n} \cdot \delta _K$ and $\beta $ is any positive integer. If $a\leftarrow U_\beta ^n+ \overline{D_{\hat{\alpha }}^n}$, the probability of that a is invertible is larger than $1-q^{-k_q}-\varepsilon $.

Proof

Our goal is to bound the probability that a is in $\mathcal {I}:=\langle q,\phi \rangle $ by $q^{-n/k_q}+\varepsilon $, for any $k\le k_q$, when $a\leftarrow U_\beta ^n+\overline{D_{\hat{\alpha }}^n}$. Specifically, denote $a:=a_1+a_2$ where $a_1\leftarrow U_\beta ^n$ and $a_2\leftarrow \overline{D_{\hat{\alpha }}^n}$. We have $\mathcal {N}(\mathcal {I})\ge q^{k_q}$. By Minkowski’s theorem, this implies $\lambda _1(\mathcal {I})\le \sqrt{n} q^{k_q/n}$. Since $\mathcal {I}$ is an ideal of R, we have $\lambda _n(\mathcal {I})=\lambda _1(\mathcal {I})$. Then, in Lemma 2, we have $ \lambda _n(\mathcal {I})\le \sqrt{n} q^{k_q/n} \cdot \delta _K$, and in Lemma 3, we have $\eta _\varepsilon (\mathcal {I}) \le \sqrt{\ln (n/\varepsilon )}\lambda _n (\mathcal {I})\le \sqrt{n\ln (n/\varepsilon )}q^{k_q/n} \cdot \delta _K$. In addition, Lemma 4 shows that the statistical distance between $b\bmod \mathcal {I}$ and a uniform distribution modulo $\mathcal {I}$ is less than $\varepsilon $ for $b\leftarrow D_{\hat{\alpha }}^n$. Since $a_1=\lfloor b \rceil \in R$ and $\mathcal {I}\subseteq R$, $a_1$ will be uniform in $R\bmod \mathcal {I}$ with a statistical distance $\varepsilon $. This implies that $a=a_1+a_2$ is uniform in $R\bmod \mathcal {I}$ with statistical distance $\varepsilon $. So we have $a=0\bmod \mathcal {I}$ with probability less than $q^{-k_q}+\varepsilon $. When we set $\varepsilon =1/2$, we get the desired result. $\square $

Lemma 15

Following the above notations. For any ring R satisfying (3) and (5), when $ {\alpha }\ge c_2c_4\sqrt{n\ln (2n)}q^{2/n} \cdot \delta _K$, there is a reduction from R-$\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {LWE}_{\left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }}$.

Proof

Let $\Pr (\mathcal {A}^{\mathcal {O}_{ \chi ,s}}=1)=p_0(s)$, $\Pr (\mathcal {A}^{\mathcal {U}(R_q \times R_q)}=1)=p_1$ and the set $S_\varepsilon $ denote the all s that $|p_0(s)-p_1|>\varepsilon $ for any non-negligible $\varepsilon $, then we have

$$\begin{aligned}&\Pr \left( s\in S_\varepsilon |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) \\ =&\Pr \left( s\in S_\varepsilon |s\leftarrow \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times \right) \Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) \\ +&\Pr \left( s\in S_\varepsilon |s\leftarrow U_\beta ^n+\bar{D}^H_\alpha \text {and output when { s} not invertible}\right) \\&\Pr \left( s \text { is not invertible}|s\leftarrow U_\beta ^n+\bar{D}^H_\alpha \right) \\ \ge&\Pr \left( s\in S_\varepsilon |s\leftarrow \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times \right) \Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) .\end{aligned} $$

Next, Lemma 13 says for $\frac{\alpha }{\left( 1+1/n\right) ^{\tau _1+\tau _2}c_1c_3}\le \hat{ \alpha }\le \frac{\alpha }{c_2 c_4}$,

$$\begin{aligned} \Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right)&\ge \frac{\Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{ D^n_{\hat{\alpha }}}\right) }{RD_\infty (D_{\hat{\alpha }}^n\parallel t\cdot D^H_{\alpha })}\\&\ge \frac{\Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{ D^n_{\hat{\alpha }}}\right) }{\exp (\tau _1+\tau _2)} \end{aligned} $$

In addition, in Lemma 14 we have proved $\Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{ D^n_{\hat{\alpha }}}\right) $ is non-negligible for $\hat{\alpha }\ge \sqrt{n\ln (n/\varepsilon )}q^{k_q/n} \cdot \delta _K$. So $\Pr \left( s\in R_q^\times |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) $ is also non-negligible. This implies $\Pr \left( s\in S |s\leftarrow U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) $ is non-negligible as long as $\Pr \left( s\in S |s\leftarrow \left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times \right) $ is also non-negligible, i.e. an adversary can solve R-$\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ so long as it can solve R-$\textsf {LWE}_{\left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }}$. $\square $

4.6 From R-$\textsf {LWE}_{\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}$ to R-$\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t \cdot D^H_\alpha }}$

Lemma 16

Let $\psi =\overline{t \cdot D_\alpha ^H}+U_\beta ^n$ be a distribution. If there is a PPT algorithm $\mathcal {A}'$ that distinguishes $\mathcal {O}_{s, \chi }$ from $\mathcal {U}$ within m queries for $s\leftarrow \psi $, then there is a PPT algorithm $\mathcal {A}$ which distinguishes $\mathcal {O}_{s,\chi }$ from $\mathcal {U}$ within m queries for $s\leftarrow \overline{t \cdot D_\alpha ^H}$.

Proof

Given m elements $(a_i ,b_i) \in R_q\times R_q$, drawn from either $\left( \mathcal {O}_{s,\bar{D}_\alpha }\right) ^m$ for $s\leftarrow \overline{t \cdot D_\alpha ^H}$, or $\left( \mathcal {U}(R_q \times R_q)\right) ^m$, the reduction algorithm chooses $s'\leftarrow U_\beta ^n$ and outputs m elements $(a_i,b_i+a_is') \in R_q\times R_q$. Obviously, when $(a_i ,b_i)$ are drawn from $\mathcal {O}_{s,\bar{D}_\alpha }$, $(a_i ,b_i+a_is')$ are drawn from $\mathcal {O}_{s+s',\bar{D}_\alpha }$ and the distribution of $s+s'$ will be $\psi =\overline{t \cdot D_\alpha ^H}+U_\beta ^n$. When $(a_i ,b_i)$ are all drawn from $\mathcal {U}(R_q \times R_q)$, $(a_i ,b_i+a_is')$ are also drawn from $\mathcal {U}(R_q \times R_q)$. $\square $

5 Application I: A Public Key Encryption

In this section, we will provide an IND-CPA secure PKE scheme based on the R-CLWR assumption. Our scheme improves R-LWE based schemes in both time and space efficiency. At a high level, our scheme uses the standard KEM-DEM approach, where the KEM, similar to that of [53], stems from an IND-CPA secure scheme.

5.1 Reconciliation Mechanism

Reconciliation was firstly proposed by [25], and has a few variants, for example, [3, 53]. In this paper, for the ease of presentation, we will follow the work of [53].

Let us define the reconciliation rounding function as $ {\left[ \cdot \right] _{{2},q}}:x \rightarrow \left\lfloor {{\frac{2}{q}}\cdot x} \right\rfloor \bmod 2$, and the reconciliation cross-rounding function as ${\left\langle \cdot \right\rangle _{{2},q}}:x \rightarrow \left\lfloor {\frac{4}{q}}\cdot x \right\rfloor \bmod 2$. Then the algorithm Rec will be defined as follows. On input and $z \in \left\{ {0,1} \right\} $, ${\textsc {Rec}}(y,z)$ outputs ${\left[ x \right] _{{2},q}}$, where x is the closest element to y such that ${\left\langle x \right\rangle _{{2},q}} = z$. First, when q is even, we have following results.

Lemma 17

If $x\in \mathbb {Z}_q$ is uniformly random, ${\left[ x \right] _{{2},q}}$ is uniformly random given ${\left\langle x \right\rangle _{{2},q}}$.

Lemma 18

If $|x-y|<q/8$, then we have ${\textsc {Rec}}(y,\left\langle x \right\rangle _{{2},q})={\left[ x \right] _{{2},q}}$.

On the other hand, when the modulus q is odd, we make use of a randomized doubling function: let ${\textsc {Dbl}}: \mathbb {Z}_q \rightarrow \mathbb {Z}_{2q}, x \mapsto {\textsc {Dbl}}(x) = 2x-e$, where e is sampled from $\{-1,0,1\}$ with probabilities $p_{-1} = p_1 = 1/4 $ and $p_0 = 1/2$. We have two similar lemmas.

Lemma 19

For odd q, if $x\in \mathbb {Z}_q$ is uniformly random and $\bar{x} \leftarrow _\$ {\textsc {Dbl}}(x)$, then $\left[ \bar{x } \right] _{2,2q}$ is uniformly random given $\left\langle \bar{x} \right\rangle _{2,2q}$.

Lemma 20

For odd q, let $|x-y|<q/8$ for $x,y\in \mathbb {Z}_q$. Let $\bar{x} = {\textsc {Dbl}}(x)$. Then ${\textsc {Rec}}\left( y,\left\langle \bar{x } \right\rangle _{2,2q}\right) ={\left[ \bar{x } \right] _{{2},2q}}$.

Moreover, the above reconciliation mechanism can be extended coefficient-wise to $R_q$ with respect to the power basis.

5.2 PKE Schemes

Before describing our R-CLWR based PKE, let us recall a variant of the R-LWE based scheme in [53]. This scheme slightly differentiate from [53] in that the element a in a public key is derived from a PRNG which can be modeled as a random oracle. This modification is adopted by many (R-)LWE based schemes such as [3, 13, 15]. For simplicity, we choose the ring $R=\mathbb {Z}[x]/(x^n+1)$ where n is a power of 2. Here q is odd, since Theorem 1 requires a prime q.

Ring-LWE Based PKE. Let $\mathcal {H}:\{0,1\}^n \rightarrow \{0,1\}^k$ be a hash function for integer k. $\mathcal {G}:\{0,1\}^{k'} \rightarrow R_q$ be a pusedorandom generator. The R-LWE based scheme consists of the following three algorithms.

RLWE.KeyGen($1^\lambda $): Given the security parameter $\lambda $, choose $seed\leftarrow \{0,1\}^{k'}$, $a=\mathcal {G}(seed)\in R_q$ and $s,e_1\leftarrow \overline{t\cdot D_\alpha ^H}$. Output $\left( seed,b=sa+e_1 \right) \in \{0,1\}^{k'}\times R_q$ as the public key and s as the secret key.
RLWE.Encryption($pk=(seed,b)$, $m\in \{0,1\}^k$): Given the message m, choose $r,e_2,e_3\leftarrow \overline{t\cdot D_\alpha ^H}$. Compute $\hat{v}=br+e_2$ and $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$. Also compute $a=\mathcal {G}(seed)$, $u=ra+e_3$ and $w=\mathcal {H}\left( [{\textsc {Dbl}}(\hat{v})]_{{2},2q}\right) \oplus m$. The ciphertext is $ct=\left( u,v,w \right) \in R_q\times \{0,1\}^n \times \{0,1\}^k$.
RLWE.Decryption($ct=\left( u,v,w \right) $, $sk=s$): Compute $v'= su$ and output $m'=w\oplus \mathcal {H}({\textsc {Rec}}(v',v))$.

Correctness. In fact, $\begin{aligned} \hat{v}=br+e_2=(as+e_1)r+e_2=asr+(e_1r+e_2) \end{aligned} $ and $v'= su=(ar+e_3)s=asr+se_3.$ Suppose each coefficient of $e_1,e_2,e_3,r,s$ is bounded by B with overwhelming probability, we have $\left| e_2r+e_1\right| \le nB^2+B$ and $|se_3|\le nB^2$. To ensure correctness, we need to make sure $|\hat{v}-v'|<q/8$, hence we require

$$\begin{aligned} 2nB^2+B<q/8. \end{aligned}$$

(7)

Ring-CLWR Based PKE. Next, we describe the R-CLWR version of the above scheme. Firstly, as mentioned in the Sect. 1.1, we make use of a probabilistic function ${\textsc {Inv}}(\cdot ) :\mathbb {Z}_p\rightarrow \mathbb {Z}_q$ that takes $x\in \mathbb {Z}_p$ as input and uniform randomly chooses an element from the set $\{u\in \mathbb {Z}_q|{\lfloor u\rfloor _p=x}\}$ as the output. Apparently, we have $\lfloor {\textsc {Inv}}(\lfloor x\rfloor _p)\rfloor _p=\lfloor x\rfloor _p$ and ${\textsc {Inv}}(\lfloor x\rfloor _p)$ is uniform in $\mathbb {Z}_q$ when x is uniform in $\mathbb {Z}_q$. We extend ${\textsc {Inv}}(\cdot )$ coefficient-wisely to $R_q$ with respect to the power basis. Also note that both ${\textsc {Inv}}(\cdot )$ and its extension to $R_q$ are polynomial time algorithms. so long as p, q and n are of polynomial size.

RCLWR.KeyGen($1^\lambda $): Given the security parameter $\lambda $, choose a $seed\leftarrow \{0,1\}^{k'}$ and $a=\mathcal {G}(seed)\in R_q$. Then, sample s from $(U_\beta ^n)^\times $ by repeating $s\leftarrow U_\beta ^n $ until s is invertible. Output $\left( seed,b=\lfloor sa \rfloor _p\right) $ as the public key and s as the secret key.
RCLWR.Encryption($pk=(seed,b)$, $m\in \{0,1\}^k$): Given a message m, sample r from $(U_\beta ^n)^\times $ by repeating $r\leftarrow U_\beta ^n $ until r is invertible. Compute $\bar{v}=\lfloor {\textsc {Inv}}(b)r \rfloor _p$, $\hat{v}={\textsc {Inv}}(\bar{v})$ and $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$. Also compute $a=\mathcal {G}(seed)$, $u=\lfloor ra\rfloor _p$ and $w=\mathcal {H}\left( [{\textsc {Dbl}}(\hat{v})]_{{2},2q}\right) \oplus m$. The ciphertext is $ct=\left( u,v,w \right) \in R_p\times \{0,1\}^n \times \{0,1\}^k$.
RCLWR.Decryption($ct=\left( u,v,w \right) $, $sk=s$): Compute $v'= s{\textsc {Inv}}(u)$ and output $m'=w\oplus \mathcal {H}({\textsc {Rec}}(v',v))$.

Correctness. To show the correctness of the scheme, we need to make sure $|\hat{v}-v'|<q/4$. Specifically, we have

$$\begin{aligned} \hat{v}={\textsc {Inv}}(\bar{v})={\textsc {Inv}}(b)r+e_1=(as+e_2)r+e_1=asr+(e_2r+e_1) \end{aligned} $$

and

$$v'= s{\textsc {Inv}}(u)=(ar+e_3)s=asr+se_3.$$

$$\begin{aligned} 2n\beta q/p+q/p<q/8. \end{aligned}$$

(8)

5.3 Security Proof

In this subsection, we prove the IND-CPA security of the above PKE based on R-CLWR assumption as per Definition 7.

First, we will reduce the IND-CPA security to searching the pre-image of a hash function $\mathcal {H}$ through the following Game.

1.
The challenger $\mathcal {C}$ gives the adversary $\mathcal {A}$ the public key pk.
2.
$\mathcal {A}$ chooses two messages $m_0$ and $m_1$ and gives them to the challenger.
3.
$\mathcal {C}$ chooses a random bit b and gives $\mathcal {A}$ a ciphertext $ct_b$ that encrypts $m_b$.
4.
The adversary $\mathcal {A}$ outputs a bit $b'$ as a guess of b.

Since $\mathcal {H}$ is modeled as a random oracle, the adversary $\mathcal {A}$ will successfully guess the bit b with probability 1 / 2, unless he has previously queried the value $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$ corresponding to the challenge ciphertext to the random oracle. Therefore, we can construct an adversary $\mathcal {A}'$ from $\mathcal {A}$, which, upon inputting the public key pk and $(u,v)\in R_p\times \{0,1\}^n$, outputs the value $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$. In a bit more details, when $\mathcal {A}'$ receives pk and $(u,v)\in R_p\times \{0,1\}^n$, it returns pk to $\mathcal {A}$. When $\mathcal {A}$ generates the message pair $(m_0, m_1)$, $\mathcal {A}'$ chooses $r\leftarrow \{0,1\}^n$, $b\leftarrow \{0,1\}$ and sends $\mathcal {A}$ the ciphertexts $(u,v,m_b\oplus r)$. In the meantime, $\mathcal {A}'$ answers the $\mathcal {H}$ queries of $\mathcal {A}$ by keeping a random oracle table. Since we have assumed that $\mathcal {A}$ successfully guesses the bit b with a non-negligible advantage, the value of $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$ must be queried by $\mathcal {A}$ with a non-negligible probability. Consequently, $\mathcal {A}'$ can successfully output the value $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$ with a non-negligible probability.

Next, we will show that the success probability of $\mathcal {A}'$ is negligible under the R-CLWR assumption. Specifically, we can construct following games.

Game 1. Choose $a \leftarrow R_q$ and $s,r\leftarrow (U_\beta ^n)^\times $. $b=\lfloor sa \rfloor _p$, $\bar{v}=\lfloor {\textsc {Inv}}(b)r \rfloor _p$, $\hat{v}={\textsc {Inv}}(\bar{v})$, $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$ and $u=\lfloor ra\rfloor _p$. $\mathcal {A}'$ is given (u, v) and its target is to compute $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$.
Game 2. Choose $a \leftarrow R_q$ and $s,r\leftarrow (U_\beta ^n)^\times $. $b\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$, $\bar{v}=\lfloor {\textsc {Inv}}(b)r \rfloor _p$, $\hat{v}={\textsc {Inv}}(\bar{v})$, $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$ and $u=\lfloor ra\rfloor _p$. $\mathcal {A}'$ is given (u, v) and its target is to compute $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$.
Game 3. Choose $a \leftarrow R_q$ and $s,r\leftarrow (U_\beta ^n)^\times $. $c\leftarrow R_q$, $\bar{v}=\lfloor cr \rfloor _p$, $\hat{v}={\textsc {Inv}}(\bar{v})$, $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$ and $u=\lfloor ra\rfloor _p$. $\mathcal {A}'$ is given (u, v) and its target is to compute $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$.
Game 4. Choose $a \leftarrow R_q$ and $s,r\leftarrow (U_\beta ^n)^\times $. $c\leftarrow R_q$, $\bar{v}\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$, $\hat{v}={\textsc {Inv}}(\bar{v})$, $v=\langle {\textsc {Dbl}}(\hat{v})\rangle _{{2},2q}$ and $u\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$. $\mathcal {A}'$ is given (u, v) and its target is to compute $[{\textsc {Dbl}}(\hat{v})]_{{2},2q}$.

Firstly, we define $var_1$,$var_2$, con and $\mathcal {C}$ as follows. We set con as the distribution of choosing r from $(U_\beta ^n)^\times $. Let $var_1$ be the distribution of (a, b) where $b=\lfloor sa \rfloor _p$ and $var_2$ be the distribution of (a, b) where $b\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$. The challenger $\mathcal {C}$ computes $\mathsf{Input}=\left( \lfloor ra\rfloor _p,\langle {\textsc {Dbl}}({\textsc {Inv}}(\lfloor {\textsc {Inv}}(b)r \rfloor _p))\rangle _{{2},2q}\right) =(u,v)$ and $\mathsf{Target}=[ {\textsc {Dbl}}({\textsc {Inv}}(\lfloor {\textsc {Inv}}(b)r \rfloor _p))]_{{2},2q}.$ According to the R-CLWR assumption, if the success probability for any $\mathcal {A}$ is negligible when $b\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$,that is also negligible when (a, b) is an R-LWR instance. Therefore, the success probability of Game 1 is negligible if that of Game 2 is negligible.

Secondly, the success probability of Game 2 and that of Game 3 are same, since ${\textsc {Inv}}(b)$ is uniform in $R_q$ for $b\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$, and the views and the goals of the adversary in both games remain the same.

Thirdly, we define $var_1$, $var_2$, con and $\mathcal {C}$ as follows. We set con to be dummy. Let $var_1$ be the distribution of $((c,\bar{v}),(a,u))$ where $\bar{v}=\lfloor cr \rfloor _p$ and $u=\lfloor ra\rfloor _p$, while $S_2$ to be the distribution of $((c,\bar{v}),(a,u))$ where $\bar{v},u\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$. The challenger $\mathcal {C}$ computes the $\mathsf{Input}= (u,\langle {\textsc {Dbl}}( {\textsc {Inv}}(\bar{v}))\rangle _{{2},2q})=(u,v)$ and $\mathsf{Target}=[ {\textsc {Dbl}}( {\textsc {Inv}}(\bar{v}))]_{{2},2q}.$

According to the R-CLWR assumption, if the success probability for any $\mathcal {A}$ is negligible when $\bar{v},u\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$, then that is also negligible when $((c,\bar{v}),(a,u))$ is an R-LWR instance. Therefore, the success probability of Game 3 is negligible if that of Game 4 is negligible.

Finally, u and $\bar{v}$ are independent in Game 4. Since $\bar{v}\leftarrow \mathcal {U}(\lfloor R_q \rfloor _p)$, ${\textsc {Inv}}(\bar{v})$ is uniform in $R_q$. According to Lemma 19, $[ {\textsc {Dbl}}( {\textsc {Inv}}(\bar{v}))]_{{2},2q}$ is uniformly random given $\langle {\textsc {Dbl}}( {\textsc {Inv}}(\bar{v}))\rangle _{{2},2q}$, so the success probability of Game 4 is negligible.

Combining all above analyses, we conclude that the success probability of $\mathcal {A}'$ in Game 1 is negligible under the R-CLWR assumption. In other words, the R-CLWR based PKE scheme is IND-CPA secure.

5.4 Parameters and Comparisons

Time Complexity. As discussed in the introduction, the sampling subroutine is usually the most intricate part during the implementations. In an R-LWE based scheme, one needs to produce two samplings during the key generation and three samplings during the encryption. In comparison, in an R-CLWR based scheme, one only needs to proceed a single sampling for each key generation and encryption. Moreover, an R-LWE based scheme needs to sample from rounded Gaussian, while we can simply sample uniformly from a small interval and reject when it is non-invertible for an R-CLWR based scheme.

In terms of efficiency, we believe that our sampling subroutine will be much more efficient for the following reasons. First, it allows us to save a huge amount of entropy in practice. Secondly, and more importantly, a single sampling routing becomes more efficient in our case as we only require uniform sampling.

Nonetheless one may be concerned that the overall improvement may not be as much due to the required rejection sampling. Here, we give two arguments. Firstly, the total number of samples required to generate a valid one will be small according to Hoeffding’s inequality. This is shown in Lemma 21. In the meantime, the invertibitiy check for a ring element can be carried out efficiently through the extended GCD algorithm.

Lemma 21

Let $D_\alpha ^n$ be a continuous Gaussian distribution over $K_\mathbb {R}$ where $K\cong \mathbb {Q}[X]/(f(X))$. The largest degree of the irreducible factors modulo integer q of the polynomial f is less than $k_q$. Let $\hat{\alpha } \ge \sqrt{n\ln (n/\varepsilon )}q^{k_q/n} \cdot \delta _K$ and $\beta >3 n\hat{\alpha }$. If $b\leftarrow U_\beta ^n$, the probability of that b is invertible is larger than $1-2q^{-k_q}-2\varepsilon $.

Proof

According to Lemma 14, when $a\leftarrow U_\beta ^n+ \overline{D_{\hat{\alpha }}^n}$, the probability of that a is non-invertible is smaller than $q^{-k_q}+\varepsilon $. According to Lemma 6, $\mathsf{RD}_2(U_\beta ^n\parallel U_\beta ^n+\overline{D_{\hat{\alpha }}^n})=\mathsf{RD}_2(U_\beta \parallel U_\beta +\overline{D_{\hat{\alpha }}})^n\le 2. $ So

$$\Pr (b \text { is non-inv})\le \Pr (a \text { is non-inv}) \cdot \mathsf{RD}_2\left( U_\beta ^n\parallel U_\beta ^n+\overline{D_{\hat{\alpha }}^n}\right) \le 2q^{-k_q}+2\varepsilon .\quad $$

$\square $

Space Complexity.Next, we will choose the parameters for these two schemes to deliver a fair comparison. As motivated in the introduction, we aim to keep decryption failure probability less than $O(1/e^{n})$.

For the R-LWE based scheme, as per average-case/worst-case reduction in Theorem 3, $\alpha =\varOmega (n^{1/4}\log ^{1/4} n)$. Since $R=\mathbb {Z}[x]/(x^n+1)$, we have $c_1=c_2=1/\sqrt{n}$, $c_3=c_4=1/n$. Since $t=n\cdot \zeta ^{n-1}$, each coefficient of the error from $\overline{t\cdot D_\alpha ^H}$ is one-dimensional rounded Gaussian with width $\alpha '=n^{1.5 }\alpha $, which is smaller than $B=\varOmega (n^{0.5}\alpha ')=\varOmega (n^{0.5}\alpha /c_2c_4)=\varOmega (n^{2.25}\log ^{1/4} n)$ with probability $1-O(e^{-n})$. To make sure that (7) holds with probability $1-O(e^{-n})$, we must choose $q=\varOmega (n^{5.5}\log ^{0.5} n)$. If we set $q=n^{5.5}\log ^{0.5} n$, the public key has size of $k'+n\log (q)=k'+2.75\cdot n\log n$ and the ciphertext has size of $k+n+n\log (q)=k+n+2.75\cdot n\log n$.

For the R-CLWR based scheme with uniform secret, according to the reductions, $\beta =\varOmega (n\alpha ')=\varOmega (n^{2.75}\log ^{1/4} n)$ and $q/p=\varOmega (n^{2.75}\log ^{0.75} n)$. To make sure that (8) holds with overwhelming probability, we can choose $q=n^{6.5}\log n$ and $p=n^{3.75}\log ^{1/4} n$. That results in the public key of size $k'+n\log (p)=k'+0.9375\cdot n\log n$ and the ciphertext of size $k+n+n\log (p)=k+n+0.9375\cdot n\log n$.

6 Application II: Diffie-Hellman Type Key Exchange

For completeness, we also describe a key exchange protocol based on R-CLWR with binary secret. The protocol is described in Table 4. Alice and Bob previously share the public ring element $a\in R_q$. For every new exchange instance, Alice and Bob generate their secret ring elements $s,s'$ respectively, which are uniformly over $(U_\beta ^n)^\times $. $\kappa $ and $\kappa '$ are the session key which are finally acquired by Alice and Bob respectively.

Table 4. A key exchange protocol based on R-CLWR.

Full size table

The security proof is similar to the PKE scheme in Sect. 5, since the pusedo-randomness of $\kappa '$ can be reduced from the computational problem that $\mathcal {A}'$ inputs $(b,b',c)$ and outputs $km'$. So the proof is similar to the PKE scheme.

7 Application III: New Proofs for Variant Schemes

In this section, we will prove the IND-CPA security of a variant of Saber and Round2, under the R-CLWR assumption, for proper parameters and distributions. Below we give an asymptotic simplification of their algorithms. There are two differences between the scheme to be presented and Saber/Round2. First, our scheme does not encrypt the message m directly, instead, we encrypt a bit string g and mask m by a one-time pad. Second, during the encryption, we lifted b to $R_q$ before multiplying it by r and rounding. These two modifications make the scheme suitable for our computational assumption.

Theorem 3

The simplified Round2 and Saber scheme is IND-CPA secure under the R-CLWR assumption R-$\textsf {CLWR}_{p,q,1,\chi }$ and R-$\textsf {CLWR}_{p,q,2,\chi '}$ under the random oracle model.

The proof is similar to Subsect. 5.3, and please refer to the full version [19].

Similarly, we can prove the IND-CPA security of the PKE scheme of the ring version of Lizard under R-LWE and R-CLWR, for proper parameters and distributions. We also need an asymptotic simplification of the algorithm that is similar to the scheme in previous subsection.

Theorem 4

The simplified Lizard scheme is IND-CPA secure under the ring-CLWR assumption R-$\textsf {LWE}_{q,\chi }$ and R-$\textsf {CLWR}_{p,q,2,\chi '}$ in the random oracle model.

The proof can be found in the full version [19].

8 Conclusion

The learning with rounding over the ring problem is the most practical variants within the (R-)LWX family of problems. However, it is yet still unclear on how to build a proof for polynomial modulus and uniform secret. In this paper, we take an alternative approach by proposing the computational learning with rounding problem over the ring and show that variance practical schemes, including those that are among most practical solutions in NIST PQC competitions, can be derived from this provable secure framework.

Notes

1.
[10] proved hardness of decisional Ring-LWR for super-polynomial q is as secure as decisional Ring-LWE for super-polynomial q. However, the hardness of decisional Ring-LWE for super-polynomial q is not well understood yet.
2.
The following statement can be found in most functional analysis textbooks. Here we refer to [50] Corollary 2.3.1.: Let X, Y be two Banach space, if $T:X\rightarrow Y$ is a one-to-one onto bounded linear operator, there are two positive numbers $a,b>0$, such that $a\Vert x\Vert \le \Vert Tx\Vert \le b\Vert x\Vert , \; \;\;\forall x\in X.$

References

Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 99–108 (1996)
Google Scholar
Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, 4–6 May 1997, pp. 284–293 (1997)
Google Scholar
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: 25th USENIX Security Symposium, USENIX Security 2016, Austin, TX, USA, 10–12 August 2016, pp. 327–343 (2016)
Google Scholar
Alperin-Sheriff, J., Apon, D.: Dimension-preserving reductions from LWE to LWR. IACR Cryptology ePrint Archive 2016:589 (2016)
Google Scholar
Alwen, J., Krenn, S., Pietrzak, K., Wichs, D.: Learning with rounding, revisited. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 57–74. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_4
Chapter Google Scholar
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Chapter Google Scholar
Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34
Chapter Google Scholar
Baan, H.: Round2: KEM and PKE based on GLWR. Cryptology ePrint Archive, Report 2017/1183 (2017). https://eprint.iacr.org/2017/1183
Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_1
Chapter MATH Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_42
Chapter Google Scholar
Bhattacharya, S.: Round5: compact and fast post-quantum public-key encryption. Submitted for publication, August 2018
Google Scholar
Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016, Part I. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9
Chapter MATH Google Scholar
Bos, J.W., et al.: Take off the ring! practical, quantum-secure key exchange from LWE. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 1006–1018 (2016)
Google Scholar
Bos, J. W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, 17–21 May 2015, pp. 553–570 (2015)
Google Scholar
Bos, J.W., et al.: CRYSTALS - Kyber: a CCA-secure module-lattice-based KEM. IACR Cryptology ePrint Archive 2017:634 (2017)
Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In Symposium on Theory of Computing Conference, STOC 2013, Palo Alto, CA, USA, 1–4 June 2013, pp. 575–584 (2013)
Google Scholar
Chen, H., Lauter, K.E., Stange, K.E.: Attacks on search RLWE. IACR Cryptology ePrint Archive 2015:971 (2015)
Google Scholar
Chen, H., Lauter, K.E., Stange, K.E.: Vulnerable galois RLWE families and improved attacks. IACR Cryptology ePrint Archive 2016:193 (2016)
Google Scholar
Chen, L., Zhang, Z., Zhang, Z.: On the hardness of the computational Ring-LWR problem and its applications. Cryptology ePrint Archive, Report 2018/536 (2018). https://eprint.iacr.org/2018/536
Chen, Y., Nguyen, P.Q.: BKZ 2.0: better lattice security estimates. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_1
Chapter Google Scholar
Cheon, J. H., Kim, D., Lee, J., Song, Y.: Lizard: Cut off the tail! Practical post-quantum public-key encryption from LWE and LWR. IACR Cryptology ePrint Archive, 2016:1126 (2016)
Google Scholar
Conrad, K.: The different ideal. Expository papers/Lecture notes (2009). http://www.math.uconn.edu/kconrad/blurbs/gradnumthy/different.pdf
Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_38
Chapter Google Scholar
D’Anvers, J.-P., Karmakar, A., Sinha Roy, S., Vercauteren, F.: Saber: module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. In: Joux, A., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2018. LNCS, vol. 10831, pp. 282–305. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89339-6_16
Chapter Google Scholar
Ding, J.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR Cryptology ePrint Archive 2012:688 (2012)
Google Scholar
Döttling, N., Müller-Quade, J.: Lossy codes and a new variant of the learning-with-errors problem. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 18–34. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_2
Chapter Google Scholar
Ducas, L., Durmus, A.: Ring-LWE in polynomial rings. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 34–51. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_3
Chapter Google Scholar
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Chapter Google Scholar
Ducas, L., Nguyen, P.Q.: Faster Gaussian lattice sampling using lazy floating-point arithmetic. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 415–432. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_26
Chapter Google Scholar
Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)
Article MathSciNet Google Scholar
Eisenträger, K., Hallgren, S., Lauter, K.: Weak instances of PLWE. In: Joux, A., Youssef, A. (eds.) SAC 2014. LNCS, vol. 8781, pp. 183–194. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-13051-4_11
Chapter Google Scholar
Elias, Y., Lauter, K.E., Ozman, E., Stange, K.E.: Provably weak instances of ring-LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 63–92. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_4
Chapter Google Scholar
Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_34
Chapter Google Scholar
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_2
Chapter Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Hofheinz, D., Hövelmanns, K., Kiltz, E.: A modular analysis of the Fujisaki-Okamoto transformation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 341–371. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_12
Chapter MATH Google Scholar
Howgrave-Graham, N., et al.: The impact of decryption failures on the security of NTRU encryption. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 226–246. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_14
Chapter Google Scholar
Jin, Z., Zhao, Y.: Optimal key consensus in presence of noise. arXiv preprint arXiv:1611.06150 (2016)
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM (JACM) 60(6), 43 (2013)
Article MathSciNet Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Chapter Google Scholar
Deo, A., et al.: Estimate all the LWE, NTRU schemes! https://estimate-all-the-lwe-ntru-schemes.github.io/docs/. Accessed 4 May 2018
Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_26
Chapter Google Scholar
Micciancio, D., Peikert, C.: Hardness of SIS and LWE with small parameters. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 21–39. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_2
Chapter Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Symposium on Foundations of Computer Science (FOCS 2004), 17–19 October 2004, Rome, Italy, Proceedings, pp. 372–381 (2004)
Google Scholar
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Article MathSciNet Google Scholar
Micciancio, D., Walter, M.: Gaussian sampling over the integers: Efficient, generic, constant-time. IACR Cryptology ePrint Archive 2017:259 (2017)
Google Scholar
NIST. Post-Quantum Cryptography - Round 1 Submissions. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions
NSA. Information Assurance. https://www.nsa.gov/what-we-do/information-assurance/
Peide, L.: Functional Analysis Foundation. Wuhan University Press (2001)
Google Scholar
Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 333–342. ACM (2009)
Google Scholar
Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
Chapter Google Scholar
Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12
Chapter MATH Google Scholar
Peikert, C.: How (Not) to instantiate Ring-LWE. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 411–430. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_22
Chapter Google Scholar
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, Montreal, QC, Canada, 19–23 June 2017, pp. 461–473 (2017)
Google Scholar
Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: CHES, pp. 353–370 (2014)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)
Google Scholar
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. 41(2), 1484–1509 (1996)
MathSciNet MATH Google Scholar

Download references

Acknowledgements

The authors would like to thank Jiang Zhang, Jeffrey Hoffstein and Yunlei Zhao for thoughtful discussions. Also we would like to thank the anonymous reviewers for their valuable comments. This work is supported by the National Key Research and Development Program of China (No. 2017YFB0802000), the National Natural Science Foundation of China (No. U1536205).

Author information

Authors and Affiliations

TCA Laboratory, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing, China
Long Chen & Zhenfeng Zhang
New Jersey Institute of Technology, Newark, USA
Long Chen
University of Chinese Academy of Sciences, Beijing, China
Zhenfeng Zhang
OnBoard Security Inc., Wilmington, USA
Zhenfei Zhang

Authors

Long Chen
View author publications
You can also search for this author in PubMed Google Scholar
Zhenfeng Zhang
View author publications
You can also search for this author in PubMed Google Scholar
Zhenfei Zhang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zhenfeng Zhang .

Editor information

Editors and Affiliations

Nanyang Technological University, Singapore, Singapore
Thomas Peyrin
University of Auckland, Auckland, New Zealand
Steven Galbraith

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Chen, L., Zhang, Z., Zhang, Z. (2018). On the Hardness of the Computational Ring-LWR Problem and Its Applications. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11272. Springer, Cham. https://doi.org/10.1007/978-3-030-03326-2_15

Download citation

DOI: https://doi.org/10.1007/978-3-030-03326-2_15
Published: 27 October 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03325-5
Online ISBN: 978-3-030-03326-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

On the Hardness of the Computational Ring-LWR Problem and Its Applications

Abstract

Similar content being viewed by others

Ring-LWE: Applications to Cryptography and Their Efficient Realization

Round5: Compact and Fast Post-quantum Public-Key Encryption

Lossiness and Entropic Hardness for Ring-LWE

1 Introduction

1.1 Our Contributions

2 Preliminaries

2.1 The Rounding Function

2.2 Rényi Divergence

Definition 1

Lemma 1

2.3 Lattice and Algebra

Lemma 2

2.4 Gaussian Distribution

Definition 2

Lemma 3

Lemma 4

Lemma 5

2.5 The Learning with Errors Problem over the Ring

Definition 3

Definition 4

Theorem 1

3 Warm up

Definition 5

Definition 6

4 The Computational Ring-LWR Assumption

Definition 7

Definition 8

Theorem 2

Corollary 1

4.1 From R-\(\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }\) to R-\(\textsf {CLWR}_{(U_{\beta }^n)^\times }\)

Lemma 6

Proof

Lemma 7

Proof

4.2 From R-\(\textsf {CRLWE}_{(U_\beta ^n+\bar{D}^n_{\alpha '})^\times ,\bar{D}^n_{\alpha '}}\) to R-\(\textsf {CLWR}_{(U_\beta ^n+\bar{D}_{\alpha '}^n)^\times }\)

Lemma 8

Proof

Lemma 9

Proof

4.3 From R-\(\textsf {CRLWE}_{\left( U_\beta ^n+\overline{t\cdot D^H_\alpha }\right) ^\times ,\overline{t\cdot D^H_\alpha }}\) to R-\(\textsf {CRLWE}_{\left( U_\beta ^n+\bar{D}_{\alpha '}^n\right) ^\times ,\bar{D}_{\alpha '}^n}\)

Lemma 10

Proof

Lemma 11

4.4 From R-\(\textsf {LWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}\) to R-\(\textsf {CRLWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}\)

Lemma 12

Proof

4.5 From R-\(\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}\) to R-\(\textsf {LWE}_{(U_\beta ^n+\overline{t\cdot D^H_\alpha })^\times ,\overline{t\cdot D^H_\alpha }}\)

Lemma 13

Lemma 14

Proof

Lemma 15

Proof

4.6 From R-\(\textsf {LWE}_{\overline{t\cdot D^H_\alpha },\overline{t\cdot D^H_\alpha }}\) to R-\(\textsf {LWE}_{U_\beta ^n+\overline{t\cdot D^H_\alpha },\overline{t \cdot D^H_\alpha }}\)

Lemma 16

Proof

5 Application I: A Public Key Encryption

5.1 Reconciliation Mechanism

Lemma 17

Lemma 18

Lemma 19

Lemma 20

5.2 PKE Schemes

5.3 Security Proof

5.4 Parameters and Comparisons

Lemma 21

Proof

6 Application II: Diffie-Hellman Type Key Exchange

7 Application III: New Proofs for Variant Schemes

Theorem 3

Theorem 4

8 Conclusion

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author