Large Modulus Ring-LWE $$\ge $$ Module-LWE

Albrecht, Martin R.; Deo, Amit

doi:10.1007/978-3-319-70694-8_10

Large Modulus Ring-LWE $\ge $ Module-LWE

Martin R. Albrecht¹⁵ &
Amit Deo¹⁵

Conference paper
First Online: 30 November 2017

5250 Accesses
31 Citations

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10624))

Abstract

We present a reduction from the module learning with errors problem (MLWE) in dimension $d$ and with modulus $q$ to the ring learning with errors problem (RLWE) with modulus $q^{d}$. Our reduction increases the LWE error rate $\alpha $ by a quadratic factor in the ring dimension $n$ and a square root in the module rank $d$ for power-of-two cyclotomics. Since, on the other hand, MLWE is at least as hard as RLWE, we conclude that the two problems are polynomial-time equivalent. As a corollary, we obtain that the RLWE instance described above is equivalent to solving lattice problems on module lattices. We also present a self reduction for RLWE in power-of-two cyclotomic rings that halves the dimension and squares the modulus while increasing the error rate by a similar factor as our MLWE to RLWE reduction. Our results suggest that when discussing hardness to drop the RLWE/MLWE distinction in favour of distinguishing problems by the module rank required to solve them.

The research of Albrecht was supported by EPSRC grant “Bit Security of Learning with Errors for Post-Quantum Cryptography and Fully Homomorphic Encryption” (EP/P009417/1). The research of Deo was supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).

You have full access to this open access chapter, Download conference paper PDF

1 Introduction

Lattice-based cryptography has emerged as a central area of research in the pursuit of designing quantum-safe primitives and advanced cryptographic constructions. For example, lattice-based schemes have been proposed for public-key encryption [Reg09, LP11], key exchange protocols [LP11, ADPS16, BCD+16], digital signatures [BG14, DDLL13], identity-based encryption [GPV08, DLP14] and fully homomorphic encryption schemes [Gen09, BGV12, GSW13].

A fundamental problem in lattice-based cryptography is the Learning with Errors problem (LWE) [Reg05]. For a given dimension $n$, modulus $q$ and error distribution $\chi $, samples of the LWE distribution in normal-form are constructed as $(\mathbf a , b = \frac{1}{q} \langle \mathbf a , \mathbf s \rangle + e \bmod 1)$, where $\mathbf a \in \mathbb {Z}_q^n$ is chosen uniformly at random and all components of the secret $\mathbf s \in \mathbb {Z}_{q}^n$ and e are drawn from the distribution $\chi $. Distinguishing the LWE distribution from uniform is known as the decision LWE problem, whereas finding the secret $\mathbf s $ is known as the search LWE problem.

The seminal work of Regev [Reg05] establishes reductions from standard problems such as finding short vectors in general lattices to LWE, suggesting that LWE is indeed a difficult problem to solve. In particular, the ability to solve LWE in dimension n implies an efficient algorithm to find somewhat short vectors in any n-dimensional lattice. The concrete and asymptotic hardness of LWE has recently been surveyed in [APS15, HKM17]. Although LWE has proven to be a versatile ingredient for cryptography, it suffers from large key sizes (quadratic in the dimension) which motivated the development of more efficient LWE variants.

The Ring Learning with Errors problem (RLWE) was introduced in [LPR10]. RLWE can be seen as a specialisation of LWE where n-dimensional vectors are replaced by polynomials of degree smaller than n. Informally, for RLWE we first choose a ring R of dimension n, modulus q and error distribution $\chi $ over a related space of dimension n denoted $K_\mathbb {R}$. Then, to sample the RLWE distribution, we sample $a \in R/qR$ uniformly, a secret polynomial s in a suitable space and error e according to $\chi $. We then output $(a, b = \frac{1}{q} a \cdot s + e \bmod {R}^{\vee })$ as the RLWE sample where ${R}^{\vee } $ denotes the dual of the ring R. A complete and more precise definition is given in Sect. 2.3. Similar to the case of plain LWE, the decision problem is to distinguish the RLWE distribution from uniform and the search problem is to find the secret s. As alluded to above, the RLWE problem generally offers an increase in efficiency over plain LWE. Intuitively, this can be seen by considering each RLWE sample as a structured set of n LWE samples.

It has been shown that RLWE is at least as hard as standard lattice problems on ideal lattices [LPR10, PRSD17]. However, these ideal lattice problems have received much less attention than their analogues on general lattices. Furthermore, some problems that are presumed hard on general lattices such as GapSVP are actually easy on ideal lattices and a recent series of works [CGS14, CDPR16, CDW17] showed that finding short vectors in ideal lattices is potentially easier on a quantum computer than in the general case. More precisely, the length of the short vectors found in quantum polynomial time are a sub-exponential multiple of the length of the shortest vector in the lattice. Currently, it is not known how to efficiently find such vectors in general lattices efficiently. However, the vectors that can be found in quantum polynomial time are mainly of theoretical interest since they are still too long to affect current RLWE-based cryptography. Another important caveat to note is that if there was a way to find even shorter vectors in ideal lattices, RLWE could still prove to be a difficult problem. This is due to the fact that RLWE has not been proven to be equivalent to finding short vectors in ideal lattices, i.e. the problem might be strictly harder.

It is worth noting that the reductions from lattice problems to LWE resp. RLWE [Reg05, LPR10, PRSD17] mentioned above have no dependency on q apart from the requirement that q must exceed some lower bound that depends on the dimension and error distribution. In these reductions, the class of lattices is simply defined by the dimension in plain LWE and the ring in the case of RLWE. Similarly, the approximation factors defining the lattice problems are also independent of q.

This interpretation of known hardness results is inconsistent with the current state-of-the-art cryptanalytic techniques for solving LWE. The cost of all known strategies scales with q [HKM17].

Indeed, for LWE it is well-known [BLP+13] that we can trade the size of the fundamental security parameter $n$ and the modulus $q$ without affecting security, as long as $n \log q$ remains constant. Furthermore, in the case of plain LWE we can choose $n$ freely, reducing our dependence on large $q$ to increase security. However, in the case of RLWE the analogue reduction to [BLP+13] is not known and the choice of ring $R$ — and hence the dimension $n$ — can lead to practical implementation advantages and a simpler interpretation of formally defined RLWE (see Sect. 3.1). Typically, a power-of-two cyclotomic ring is used, i.e. a ring isomorphic to $\mathbb {Z}[X]/\left\langle X^{n}+1\right\rangle $ with $n = 2^k$. In addition to its simplicity, this choice also improves performance due to its amenability to FFT-based algorithms. In fact, power-of-two cyclotomic rings have proven extremely popular in the literature and dominate the design space, e.g. [LMPR08, Gen10, BGV12, DDLL13, BCNS15, ADPS16]. However, as stressed in [LPR13], “powers of two are sparsely distributed, and the desired concrete security level for an application may call for a ring dimension much smaller than the next-largest power of two. So restricting to powers of two could lead to key sizes and runtimes that are at least twice as large as necessary.” Alternatively, if an implementation wishes to support intermediate field sizes, a new implementation of multiplication in the intermediate ring is required to achieve comparable performance.

The Module Learning with Errors problem (MLWE) [BGV12, LS15] was proposed to address shortcomings in both LWE and RLWE by interpolating between the two. It will be defined formally in Sect. 2. For now, one way to informally view the MLWE problem is to take the RLWE problem and replace the single ring elements (a and s) with module elements over the same ring. Using this intuition, RLWE can be seen as MLWE with module rank 1.

As expected, MLWE comes with hardness guarantees given by lattice problems based on a certain class of lattices. In this case, the lattices are generated by modules as opposed to ideals in the RLWE case and in contrast to RLWE, it has been shown that MLWE is equivalent to natural hard problems over these lattices. Indeed, solving the approximate shortest vector problem on module lattices for polynomial approximation factors would permit solving MLWE (and thus RLWE) efficiently. We note that this reduction, too, only has a mild dependency on $q$. Furthermore, MLWE has been suggested as an interesting option to hedge against potential attacks exploiting the algebraic structure of RLWE [CDW17]. Thus, MLWE might be able to offer a better level of security than RLWE, while still offering performance advantages over plain LWE.

An example illustrating the flexibility of MLWE is given by the CRYSTALS suite [BDK+17, DLL+17], where MLWE is used to build both key encapsulation and signature schemes. The advantage of using modules when implementing such systems is that the concrete-security/efficiency trade-off is highly tunable. Remembering that working in power-of-two dimensional rings enables efficient implementations, we can fix our ring and then change the rank of the module as desired. For example, suppose we were working in a module over a ring of dimension $n = 256$, then we can increase the effective dimension from 1024 to 1280 by simply increasing the rank of the module. This effective dimension would not be attainable using power-of-two dimensional rings in RLWE. Thus, MLWE promises to adjust the security level with much greater granularity than efficient RLWE instantiations and implementations for one security level can easily be extended to other security levels.

Contributions. After some preliminaries in Sect. 2, our main contribution is a reduction from MLWE in dimension $d$ over some general ring $R/qR$ to RLWE in $R/q^{d}R$. This was posed as an open problem in [LS15]. Our solution is given in Theorem 1 and Corollary 1. In Sect. 3.1, we carry out a tighter analysis of the reduction for power-of-two cyclotomic rings. It turns out that for the decision variants, we cannot obtain satisfactory bounds for our reduction to preserve non-negligible advantage unless we allow for super polynomial q and absolute noise in addition to negligible noise rate. We address this problem in Sect. 4 by considering the search variants. An instantiation of Corollary 3 for power-of-two cyclotomic rings is the following:

Corollary

There exists an efficient reduction from search MLWE in modulus q, rank d and error rate $\alpha $ to search RLWE in modulus $q^d$ and error rate $\alpha \cdot n^2 \sqrt{d}$.

In essence, this says that RLWE with modulus $q^d$ is at least as hard as MLWE with modulus q and module rank d in the same ring. More generally, Corollary 3 shows that there is a freedom to trade between the rank of module and the modulus as long as we hold $d \log q = d' \log q'$ fixed for cyclotomic power-of-two rings. This means that for any decrease in d, we can always balance this off by increasing q exponentially without loss of security.

Our reduction is an application of the main result of Brakerski et al. [BLP+13] in the context of MLWE. In its simplest form, the reduction proceeds from the observation that for $\mathbf a , \mathbf s \in \mathbb {Z}_{q}^{d}$ with $\mathbf s $ small it holds that

$$\begin{aligned} q^{d-1} \cdot \left\langle \mathbf a ,\mathbf s \right\rangle \approx \left( \sum _{i=0}^{d-1} q^{i} \cdot a_{i}\right) \cdot \left( \sum _{i=0}^{d-1} q^{d-i-1} \cdot s_{i}\right) \bmod q^{d} = \tilde{a} \cdot \tilde{s} \bmod q^{d}. \end{aligned}$$

It should be noted that we incur an extra factor of $n^{3/2}\,d^{1/2}$ in error rate expansion when comparing our results to those in [BLP+13]. The extra factor of $n^{3/2}$ arises since we need to drown an (unknown) discrete Gaussian over an (unknown) lattice determined by the secret of the input MLWE instance. Naturally, the factor of d accounts for summing Gaussians when compressing the MLWE sample in rank d into a RLWE sample.

The error distribution of the output in our reduction is an ellipsoidal Gaussian (with bounded widths) as opposed to a spherical one. This type of error distribution appears in the standard hardness result for RLWE [LPR10] and should not be considered unusual. However, we also describe how to perform a reduction from search MLWE to spherical error search RLWE using Rényi divergence arguments (see Sect. 4.1). This is a tool that has recently received attention in lattice-based cryptography because it allows to tighten security reductions for search (and some decisional) problems [LSS14, BLL+15, BGM+16, LLM+16].

In Sect. 5, we present self-reductions from power-of-two RLWE in dimension $n$ and modulus $q$ to RLWE in dimension $n/2$ and modulus $q^{2}$ following the same strategy. Here, the error rate typically expands from $\alpha $ to $\tilde{\mathcal {O}}(\alpha \cdot n^{9/4})$ if we have access to $\mathcal {O}(1)$ samples and wish to preserve a non-negligible success probability.

Finally, in Appendix A, we show how to achieve the same flexibility as MLWE-based constructions for public-key encryption by explicitly only considering RLWE elements but relying on a MLWE/large modulus RLWE assumption resp. relying on the leftover hash lemma.

Interpretation. Our reduction along with the standard hardness results for MLWE [LS15] implies that RLWE with modulus $q^d$ and error rate $\alpha $ is at least as hard as solving the approximate lattice problem Module-SIVP over power-of-two cyclotomic rings. The approximation factor in this case is $\gamma = \tilde{\mathcal {O}}(n^{5/2}\,d^{1/2})$. As there are also converse reductions from RLWE to Module-SIVP e.g. the dual attack [MR09] which requires finding short vectors in a module lattice, these observations imply RLWE is equivalent to Module-SIVP. Previous hardness results only stated that RLWE is at least as hard as Ideal-SIVP [LPR10].^{Footnote 1} We note, though, that it is not known if Module-SIVP is strictly harder than Ideal-SIVP.

Our results suggest that the distinction between MLWE and RLWE does not yield a hardness hierarchy. There are two different interpretations of this implication. The first and perhaps suspicious conclusion is that MLWE should not be used to hedge against powerful algorithms solving RLWE for any modulus. However, such an algorithm would essentially solve RLWE over any power-of-two cyclotomic field by our reduction in Sect. 5. Furthermore, as already mentioned in [BLP+13], an adversary solving our output RLWE instance with modulus $q^d$ and any dimension n implies an adversary that can solve the standard LWE problem in dimension d and modulus q given n samples. While such an adversary cannot be ruled out in principle, it cannot be enabled by the algebraic structure of RLWE or ideal lattices. However, we note that this line of argument is less powerful when restricting to small constant d.

On the other hand, assuming that such a powerful adversary does not exist, an alternative interpretation is that our results suggest that the difficulty of solving RLWE increases with the size of the modulus when keeping dimension $n$ and noise rate $\alpha $ (roughly) constant. This interpretation is consistent with cryptanalytic results as the best, known algorithms for solving LWE depend on $q$ [APS15, HKM17] and the analogous result for LWE in [BLP+13]. Indeed, our output RLWE instance in modulus $q^d$ has noise of size at least $q^{d/2}$. Thus, our RLWE output instances cannot be solved by finding short vectors in lattices of module rank 2 using standard primal or dual attacks in contrast to typical RLWE instances used in the literature. This augments standard reductions from RLWE resp. MLWE to Ideal-SIVP resp. Module-SIVP [Reg05, LPR10, LS15] which do not by themselves suggest that the problem becomes harder with increasing $q$.

2 Preliminaries

An n-dimensional lattice is a discrete subgroup of $\mathbb {R}^n$. Any lattice $\varLambda $ can be seen as the set of all integer linear combinations of a set of basis vectors . That is, $\varLambda :=\left\{ \sum _{i=1}^j z_i \mathbf b _i :z_i \in \mathbb {Z}^n for i = 1, \dots , j \right\} $. The lattices we will be considering will have full rank i.e. $j=n$. We use the matrix $\mathbf B = [\mathbf b _1, \dots , \mathbf b _n]$ to denote a basis. $\tilde{\mathbf{B }}$ is used to denote the Gram-Schmidt orthogonalisation of columns in $\mathbf B $ (from left to right) and $\Vert \mathbf B \Vert $ is the length of the longest vector (in Euclidean norm) of the basis given by $\mathbf B $. Additionally, for any $\mathbf x \in \mathbb {R}^n$, we write $\Vert \mathbf x \Vert $ to denote the standard Euclidean norm of $\mathbf x $. The dual of a lattice $\varLambda $ is defined as $\varLambda ^* = \{ \mathbf x \in span (\varLambda ) : \forall \ \mathbf y \in \varLambda , \left\langle \mathbf x ,\mathbf y \right\rangle \in \mathbb {Z}\}$ where $\left\langle \cdot , \cdot \right\rangle $ is an inner product.

Given a matrix $\mathbf M \in \mathbb {C}^{m \times n}$, the singular values of $\mathbf M $ are defined to be the positive square roots of the eigenvalues of $\mathbf M ^{\dagger }\mathbf M $ where $\mathbf M ^{\dagger }$ denotes the conjugate transpose of $\mathbf M $. The matrix $\mathbf M ^{\dagger }\mathbf M $ takes a diagonal form in some orthonormal basis of $\mathbb {R}^n$ since it is self-adjoint. We write $\sigma _i(\mathbf M )$ for the $i$th singular value of $\mathbf M $ where $\sigma _1(\mathbf M ) \ge \cdots \ge \sigma _n(\mathbf M )$. We also denote the identity matrix in n dimensions using $\mathbb {I} _n$. In addition to the conjugate transpose denoted by ${(\cdot )}^\dagger $, the transpose of a matrix or vector will be denoted by ${(\cdot )}^T$. The complex conjugate of $z \in \mathbb {C}$ will be written as $\bar{z}$.

The uniform probability distribution over some finite set $\mathcal {S}$ will be denoted $U(\mathcal {S})$. If s is sampled from a distribution D, we write . Also, we let denote the act of sampling each component $s_i$ according to $D$ independently. We also write ${{\mathrm{Supp}}}(D)$ to mean the support of the distribution D. Note that we use standard big-$\mathcal {O}$ notation where $\tilde{\mathcal {O}}$ hides logarithmic factors.

For any algebraic number field K, an element $x \in K$ is said to be integral if it is a root of some monic polymonial with integer coefficients. The set of all integral elements forms the ring of integers of K denoted by $\mathcal {O}_K$. We also denote isomorphisms via the symbol $\simeq $.

2.1 Coefficient Embeddings

Let $K := \mathbb {Q}(\zeta )$ be an algebraic number field of degree n where $\zeta \in \mathbb {C}$ is an algebraic number. Then for any $s \in K$, we can write $s = \sum _{i=0}^{n-1} s_i\cdot \zeta ^i$ where $s_i \in \mathbb {Q}$. We can embed this field element into $\mathbb {R}^n$ by associating it with its vector of coefficients $s_{vec}$. Therefore, for any $s \in K$ we have $s_{vec} = {(s_0, \dots , s_{n-1})}^T$.

We can also represent multiplication by $s \in K$ in this coefficient embedding using matrices. The appropriate matrix will be denoted by $ rot (s) \in \mathbb {R}^{n\times n}$. In particular, for $r,s,t \in K$ with $r = st$, we have that $r_{vec} = rot (s) \cdot t_{vec}$. Note that the matrix $ rot (s)$ must be invertible with inverse $ rot (s^{-1})$ for $s \ne 0$. The explicit form of $ rot (s)$ depends on the particular field K. In the case where K is a cyclotomic power-of-two field, i.e. $K = \mathbb {Q}[X]/\left\langle X^n + 1 \right\rangle $ for power-of-two n, we have

(1)

2.2 Canonical Embeddings

We will often use canonical embeddings to endow field elements with a geometry. A number field $K(\zeta )$ has $n = r_1 + 2r_2$ field homomorphisms $\sigma _i : K \rightarrow \mathbb {C}$ fixing each element of $\mathbb {Q}$. Let $\sigma _1, \dots , \sigma _{r_1}$ be the real embeddings and $\sigma _{r_1+1}, \dots , \sigma _{r_1 + 2r_2}$ be complex. The complex embeddings come in conjugate pairs, so we have $\sigma _{i} = \overline{\sigma _{i+r_2}}$ for $i = r_1+1, \dots , r_1+r_2$ if we use an appropriate ordering of the embeddings. Define

$$\begin{aligned} H :=\{ \mathbf x \in \mathbb {R}^{r_1} \times \mathbb {C}^{2r_2} : x_{i} = \overline{x_{i+r_2}}, i = r_1+1, \dots , r_1+r_2 \}. \end{aligned}$$

and let ${(\mathbf e _i)}_{i=1}^n$ be the (orthonormal) basis assumed in the above definition of H. We can easily change to the basis ${(\mathbf h _i)}_{i=1}^n$ defined by

$\mathbf h _i = \mathbf e _i$ for $i = 1, \dots , r_1$
$\mathbf h _i = \frac{1}{\sqrt{2}} (\mathbf e _i + \mathbf e _{i+r_2})$ for $i = r_1+1, \dots , r_1+r_2$
$\mathbf h _i = \frac{\sqrt{-1}}{2} (\mathbf e _i - \mathbf e _{i+r_2})$ for $i = r_1+r_2+1, \dots , r_1+2r_2$

to see that $H \simeq \mathbb {R}^n$ as an inner product space. The canonical embedding is defined as $\sigma _C: K \rightarrow \mathbb {R}^{r_1} \times \mathbb {C}^{2r_2}$ where

$$\begin{aligned} \sigma _C(x) :=(\sigma _1(x), \dots , \sigma _n(x)). \end{aligned}$$

The image of any field element under the canonical embedding lies in the space H, so we can always represent $\sigma _C(x)$ via the real vector $\sigma _H(x) \in \mathbb {R}^n$ through the change of basis described above. So for any $x \in K$, $\sigma _H(x) = U_H^{\dagger } \cdot \sigma _C(x)$ where the unitary matrix is given by

$$\begin{aligned} U_H= \left[ \begin{array}{ccc} \mathbb {I} _{r_1} &{}0 &{}0 \\ 0 &{} \frac{1}{\sqrt{2}}\mathbb {I} _{r_2} &{} \frac{i}{\sqrt{2}}\mathbb {I} _{r_2} \\ 0 &{} \frac{1}{\sqrt{2}}\mathbb {I} _{r_2} &{} \frac{-i}{\sqrt{2}}\mathbb {I} _{r_2} \\ \end{array} \right] \in \mathbb {C}^{n \times n}. \end{aligned}$$

(2)

Addition and multiplication of field elements is carried out component-wise in the canonical embedding, i.e. for any $x,y \in K$, $\sigma _C{(xy)}_i = \sigma _C{(x)}_i \cdot \sigma _C{(y)}_i$ and $\sigma _C(x+y) = \sigma _C(x) + \sigma _C(y)$. Multiplication is not component-wise for $\sigma _H$. Specifically, in the basis ${(\mathbf e _i)}_{i=1}^n$, we have that multiplication by $x \in K$ can be written as left multiplication by the matrix $X_{ij} = \sigma _i(x) \delta _{ij}$ where $\delta _{ij}$ is the Kronecker delta. Therefore, in the basis ${(\mathbf h _{i})}_{i=1}^n$, the corresponding matrix is $X_H = U_H^{\dagger } X U_H \in \mathbb {R}^{n \times n}$ which is not diagonal in general. However, for any $X_H$, we have $X_H\cdot X_H^T = X_H \cdot X_H^{\dagger } = U_H^{\dagger } X X^{\dagger } U_H$. Explicitly, ${(X_H \cdot X_H^T)}_{ij} = |\sigma _i(x)|^2 \delta _{ij}$ i.e. $X_H \cdot X_H^T$ is a diagonal matrix. Likewise for $X_H^T \cdot X_H$. Therefore, the singular values of $X_H$ are precisely given by $|\sigma _i(x)|$ for $i = 1, \dots , n$.

Remark 1

We use $\sigma _i(\cdot )$ to denote both singular values and embeddings of field elements. If the argument is a matrix, it should be assumed that we are referring to singular values. Otherwise, $\sigma _i(\cdot )$ denotes a field embedding.

For a ring R contained in field K, we define the canonical embedding of the module $R^d$ into the space $H^d$ in the obvious way, i.e. by embedding each component of $R^d$ into H separately. Furthermore, if we have a matrix of ring elements $\mathbf G \in R^{d' \times d}$ for integers d and $d'$, we denote the action of $\mathbf G $ on $R^d$ in canonical space $H^d$ as $\mathbf G _H \in \mathbb {R}^{nd' \times nd}$. It is well-known that the dimension of $\mathcal {O}_K$ as a $\mathbb {Z}$-module is equal to the degree of K over $\mathbb {Q}$, meaning that the lattice $\sigma _H(R)$ is of full rank.

2.3 Ring-LWE and Module-LWE

Let R be some ring with field of fractions K and dual $ {R}^{\vee } := \{ x \in K : {{\mathrm{Tr}}}(xR) \subseteq \mathbb {Z}\} $. Also let $ K_{\mathbb {R}} = K \otimes _{\mathbb {Q}} \mathbb {R}$ and define $\mathbb {T} _{{R}^{\vee }} := K_{\mathbb {R}}/{R}^{\vee } $. Note that distributions over $K_\mathbb {R}$ are sampled by choosing an element of the space H (as defined in Sect. 2.2) according to the distribution and mapping back to $K_\mathbb {R}$ via the isomorphism $H \simeq K_\mathbb {R}$. For example, sampling the Gaussian distribution $D_\alpha $ over $K_\mathbb {R}$ is done by sampling $D_\alpha $ over $H \simeq \mathbb {R}^n$ and then mapping back to $K_\mathbb {R}$. In all definitions below, let $\varPsi $ be a family of distributions over $K_\mathbb {R}$ and D be a distribution over ${R}_q^{\vee } $ where ${R}_q^{\vee } := {R}^{\vee }/(q{R}^{\vee })$ and $R_q := R/(qR)$.

Definition 1 (RLWE Distribution)

For $s \in {R}_q^{\vee } $ and error distribution $\psi $ over $K_\mathbb {R}$, we sample the ring learning with errors (RLWE) distribution $A^{(R)}_{q, s, \psi }$ over $R_q \times \mathbb {T} _{{R}^{\vee }}$ by outputting $(a, \frac{1}{q}(a\cdot s) + e \bmod {R}^{\vee })$, where and .

Definition 2 (Decision/Search RLWE problem)

The decision ring learning with errors problem $RLWE^{(R)}_{m, q, \varPsi }(D)$ entails distinguishing m samples of $U(R_q \times \mathbb {T}_{{R}^{\vee }})$ from $A^{(R)}_{q, s, \psi }$ where and $\psi $ is an arbitrary distribution in $\varPsi $.

The search variant s-$RLWE^{(R)}_{m, q, \varPsi }(D)$ entails obtaining the secret .

Definition 3 (MLWE Distribution)

Let $M :=R^d$. For $\mathbf s \in {({R}_q^{\vee })}^d$ and an error distribution $\psi $ over $K_\mathbb {R}$, we sample the module learning with error distribution $A^{(M)}_{d, q, \mathbf s , \psi }$ over ${(R_q)}^d \times \mathbb {T} _{{R}^{\vee }}$ by outputting $(\mathbf a , \frac{1}{q}\left\langle \mathbf a , \mathbf s \right\rangle + e \bmod {R}^{\vee })$ where and .

Definition 4 (Decision/Search MLWE problem)

Let $M=R^d$. The decision module learning with errors problem $MLWE^{(M)}_{m, q, \varPsi }(D)$ entails distinguishing m samples of $U({(R_q)}^d \times \mathbb {T} _{{R}^{\vee }})$ from $A^{(M)}_{q, \mathbf s , \psi }$ where and $\psi $ is an arbitrary distribution in $\varPsi $.

The search variant s-$MLWE^{(M)}_{m, q, \varPsi }(D)$ entails obtaining the secret element .

When $\varPsi = \{ \psi \}$, we replace $\varPsi $ by $\psi $ in all of the definitions above. It can be shown that the normal form of the above problems where the secret distribution is a discretized version of the error distribution is at least as hard as the case where the secret is uniformly distributed. Therefore, it is customary to assume the normal form when discussing hardness.

2.4 Statistical Distance and Rényi Divergence

Definition 5 (Statistical Distance)

Let P and Q be distributions over some discrete domain X. The statistical distance between P and Q is defined as $ \varDelta (P,Q) := \sum _{i \in X} | P(i) - Q(i) | / 2$. For continuous distributions, replace the sum by an appropriate integral.

Claim

If P and Q are two probability distributions such that $ P(i) \ge (1 - \epsilon ) Q(i)$ for all i, then $ \varDelta (P,Q) \le \epsilon $.

We will also make use of the Rényi divergence as an alternative to the statistical distance to measure the similarity between two distributions.

Definition 6

(Rényi Divergence) For any distributions P and Q such that ${{\mathrm{Supp}}}(P) \subseteq {{\mathrm{Supp}}}(Q)$, the Rényi divergence of P and Q of order $a \in [1, \infty ]$ is given by

$$\begin{aligned} R_{a}\left( P\vert \vert Q\right) ={\left\{ \begin{array}{ll} \exp \left( \sum _{x \in \text {Supp}(P)} P(x) \log \frac{P(x)}{Q(x)} \right) &{} \text { for } a=1,\\ { \left( \sum _{x \in \text {Supp}(P)} \frac{{P(x)}^a}{{Q(x)}^{a-1}} \right) } ^{\frac{1}{a-1}} &{}\text { for }a\in (1, \infty ),\\ \max _{x \in \text {Supp}(P)} \frac{P(x)}{Q(x)} &{} \text { for } a = \infty . \end{array}\right. } \end{aligned}$$

For the case where P and Q are continuous distributions, we replace the sums by integrals and let P(x) and Q(x) denote probability densities. We also give a collection of well-known results on the Rényi divergence (cf. [LSS14]), many of which can be seen as multiplicative analogues of standard results for statistical distance. The proof of this lemma is given in [vEH14, LSS14].

Lemma 1 (Useful facts on Rényi divergence)

Let $a \in [1, +\infty ]$. Also let P and Q be distributions such that $\text {Supp}(P) \subseteq \text {Supp}(Q)$. Then we have:

Increasing Function of the Order: The function $a \mapsto R_{a}\left( P\vert \vert Q\right) $ is non-decreasing, continuous and tends to $R_{\infty }\left( P \vert \vert Q\right) $ as $a \rightarrow \infty $.
Log Positivity: $R_{a}\left( P\vert \vert Q\right) \ge R_{a}\left( P\vert \vert P\right) = 1$.
Data Processing Inequality: $R_{a}\left( P^f\vert \vert Q^f\right) \le R_{a}\left( P\vert \vert Q\right) $ for any function f where $P^f$ and $Q^f$ denote the distributions induced by performing the function f on a sample from P and Q respectively.
Multiplicativity: Let P and Q be distributions on a pair of random variables $(Y_1, Y_2)$. Let $P_{2\vert 1}(\cdot \vert y_1)$ and $Q_{2\vert 1}(\cdot \vert y_1)$ denote the distributions of $Y_2$ under P and Q respectively given that $Y_1 = y_1$. Also, for $i \in \{1,2\}$ denote the marginal distribution of $Y_i$ under P resp. Q as $P_i$ resp. $Q_i$. Then
- $R_{a}\left( P\vert \vert Q\right) = R_{a}\left( P_1\vert \vert Q_1\right) \cdot R_{a}\left( P_2\vert \vert Q_2\right) $.
- $R_{a}\left( P\vert \vert Q\right) = R_{\infty }\left( P_1 \vert \vert Q_1\right) \cdot \max _{y_1 \in \text {Supp}(P_1)}R_{a}\left( P_{2\vert 1}(\cdot \vert y_1)\vert \vert Q_{2\vert 1}(\cdot \vert y_1)\right) $.
Probability Preservation: Let $E \subseteq \text {Supp}(Q)$ be an arbitrary event. If $a \in (1, \infty )$, then $Q(E) \ge {P(E)}^{\frac{a}{a-1}}/R_{a}\left( P\vert \vert Q\right) $. Furthermore, we have $Q(E) \ge P(E)/R_{\infty }\left( P \vert \vert Q\right) $.
Weak Triangle Inequality: Let $P_1, P_2$ and $P_3$ be three probability distributions such that $\text {Supp}(P_1) \subseteq \text {Supp}(P_2) \subseteq \text {Supp}(P_3)$. Then
$$\begin{aligned} R_{a}\left( P_1\vert \vert P_3\right) \le {\left\{ \begin{array}{ll} R_{a}\left( P_1\vert \vert P_2\right) \cdot R_{\infty }\left( P_2 \vert \vert P_3\right) , \\ R_{\infty }\left( P_1 \vert \vert P_2\right) ^{\frac{a}{a-1}} \cdot R_{a}\left( P_2\vert \vert P_3\right) \text { if } a \in (1, +\infty ). \end{array}\right. } \end{aligned}$$

2.5 Gaussian Measures

Definition 7 (Continuous Gaussian distribution)

The Gaussian function of parameter r and centre c is defined as

$$\begin{aligned} \rho _{r, c} (x) = \exp \left( -\pi {(x-c)}^2 / r^2\right) \end{aligned}$$

and the Gaussian distribution $ D_{r, c} $ is the probability distribution whose probability density function is given by $ \frac{1}{r} \rho _{r,c}$.

Definition 8 (Multivariate Gaussian distribution)

Let $\varSigma = S^{T}S$ for some rank-n matrix $S \in \mathbb {R}^{m \times n}$. The multivariate Gaussian function with covariance matrix $\varSigma $ centred on $\mathbf c \in \mathbb {R}^n$ is defined as

$$\begin{aligned} \rho _{S, \mathbf c }(\mathbf x ) = \exp \left( -\pi {(\mathbf x - \mathbf c )}^T {(S^{T}S)}^{-1} (\mathbf x -\mathbf c ) \right) \end{aligned}$$

and the corresponding multivariate Gaussian distribution denoted $D_{S,\mathbf c }$ is defined by the density function $\frac{1}{\sqrt{\det (\varSigma )}} \rho _{S,\mathbf c }$.

Note that if the centre c is omitted, it should be assumed that $c = 0$. If the covariance matrix is diagonal, we describe it using the vector of its diagonal entries. For example, suppose that ${(S^{T}S)}_{ij} = {(s_i)}^2 \delta _{ij}$ and let $\mathbf s = {(s_1, \dots s_{n})}^T$. Then we would write $D_\mathbf{s }$ to denote the centred Gaussian distribution $D_S$.

We are often interested in families of Gaussian distributions. For $\alpha > 0$, we write $\varPsi _{\le \alpha }$ to denote the set of Gaussian distributions with diagonal covariance matrix of parameter $\mathbf r $ satisfying $r_i \le \alpha $ for all i.

We also have discrete Gaussian distributions i.e. normalised distributions defined over some discrete set (typically lattices or lattice cosets). The notation for a discrete Gaussian over some n-dimensional lattice $\varLambda $ and coset vector $\mathbf u \in \mathbb {R}^n$ with parameter r is $D_{\varLambda + \mathbf u , r}$. This distribution has probability mass function $\frac{1}{\rho _r(\varLambda + \mathbf u )}\rho _r$ where $\rho _r(\varLambda +\mathbf u ) = \sum _\mathbf{x \in \varLambda +\mathbf u }\rho _r(\mathbf x )$. It was shown in [GPV08] that we can efficiently sample from a (not too narrow) discrete Gaussian over a lattice to within negligible statistical distance. It was further shown that we can actually sample the discrete Gaussian precisely in [BLP+13]. This result is given below as Lemma 2.

Lemma 2

(Lemma 2.3 in [BLP+13], Sampling discrete Gaussians). There is a probabilistic polynomial-time algorithm that, given a basis $\mathbf B $ of an n-dimensional lattice $\varLambda = \mathcal {L}(\mathbf B )$, $\mathbf c \in \mathbb {R}^n$ and parameter $r \ge \Vert \tilde{\mathbf{B }}\Vert \cdot \sqrt{ \ln (2n + 4) / \pi }$ outputs a sample distributed according to $D_{\varLambda + \mathbf c , r}$.

Next we define the smoothing parameter of a lattice followed by a collection of lemmas that we will make use of.

Definition 9

(Smoothing parameter). For a lattice $\varLambda $ and any $\epsilon >0$, the smoothing parameter $\eta _{\epsilon }(\varLambda )$ is defined as the smallest $s\!>\!0$ s.t. .

Lemma 3

(Lemma 3.1 in [GPV08], Upper bound on smoothing parameter). For any $\epsilon > 0$ and n-dimensional lattice $\varLambda $ with basis $\mathbf B $,

$$\begin{aligned} \eta _{\epsilon } (\varLambda ) \le \Vert \tilde{\mathbf{B }}\Vert \sqrt{\ln (2n(1 + 1/\epsilon )) / \pi }. \end{aligned}$$

Lemma 4

(Claim 3.8 in [Reg09], Sums of Gaussians over cosets). For any n-dimensional lattice $\varLambda $, $\epsilon > 0$, $r \ge \eta _{\epsilon } (\varLambda )$ and $\mathbf c \in \mathbb {R}^n$, we have

$$\begin{aligned} \rho _r (\varLambda + \mathbf c ) \in \left[ \frac{1-\epsilon }{1+\epsilon }, 1 \right] \cdot \rho _r (\varLambda ). \end{aligned}$$

The claim $R_{\infty }\left( D_\mathbf{t } \vert \vert Y\right) \le \frac{1+\epsilon }{1-\epsilon }$ in the lemma below follows immediately from the proof given in [LS15].

Lemma 5

(Adapted from Lemma 7 in [LS15], Drowning ellipsoidal discrete Gaussians). Let $\varLambda $ be an n-dimensional lattice, $\mathbf u \in \mathbb {R}^n$, $\mathbf r \in {(R^+)}^n$, $\sigma > 0$ and $t_i = \sqrt{r_i^2 + \sigma ^2}$ for all i. Assume that $\min _i r_i \sigma / t_i \ge \eta _{\epsilon }(\varLambda )$ for some $\epsilon \in (0, 1/2)$. Consider the continuous distribution Y on $\mathbb {R}^n$ obtained by sampling from $D_{\varLambda + \mathbf u , \mathbf r }$ and then adding a vector from $D_{\sigma }$. Then we have $\varDelta (Y, D_\mathbf{t } ) \le 4 \epsilon $ and $R_{\infty }\left( D_\mathbf{t } \vert \vert Y\right) \le \frac{1+\epsilon }{1-\epsilon }$.

In the lemma below, ring elements are sampled in the coefficient embedding.

Lemma 6

(Adapted from Lemma 4.1 in [SS13], Upper bound on least singular value). Let n be a power of two and $R = \mathbb {Z}[X]/\left\langle X^n+1 \right\rangle $. Then for any $\delta \in (0,1)$, $t \ge \sqrt{2\pi }$ and $\sigma \ge \frac{t}{\sqrt{2\pi }} \cdot \eta _{\delta }(\mathbb {Z}^n)$, we have

3 Reduction for General Rings

In this section, we show how to reduce an MLWE instance in module rank d and modulus q to an MLWE instance in rank $d'$ and modulus $q'$. The particular case where $d'=1$ yields a reduction from MLWE to RLWE. We start by describing the high-level intuition behind the reduction for the case $d'=1$ and where the modulus goes from q to $q^d$. In this case, our strategy is to map $(\mathbf a , \mathbf s ) \in {(R_q)}^d \times {({R}_q^{\vee })}^d$ to $(\tilde{a}, \tilde{s}) \in R_q \times {R}^{\vee } _{q'}$ aiming to satisfy the approximate equation

$$\begin{aligned} \frac{1}{q} \left\langle \mathbf a , \mathbf s \right\rangle \approx \frac{1}{q^d} (\tilde{a} \cdot \tilde{s}) \bmod {R}^{\vee }. \end{aligned}$$

(3)

We then map from b to $\tilde{b} \approx b \bmod {R}^{\vee } $. For $q = \varOmega ( poly (n))$, if we take $\tilde{s} = {(q^{d-1}, \dots , 1)}^T \cdot \mathbf s $ and $\tilde{a} = {(1, \dots , q^{d-1})}^T \cdot \mathbf a $, we obtain

$$\begin{aligned} \begin{aligned} \frac{1}{q^d} (\tilde{a} \cdot \tilde{s})&= \frac{1}{q} \left\langle \mathbf a , \mathbf s \right\rangle + \frac{1}{q^2} (\dots ) + \frac{1}{q^3} (\dots ) + \ldots \bmod R\\&\approx \frac{1}{q} \left\langle \mathbf a , \mathbf s \right\rangle \bmod R. \end{aligned} \end{aligned}$$

(4)

This mapping satisfies the requirement but leads to a narrow, yet non-standard error distribution. The reduction in Theorem 1 is a generalisation of the above idea. Specifically, take $\mathbf G \in {(R)}^{d' \times d}$ and $\tilde{\mathbf{s }} = \mathbf G \cdot \mathbf s \bmod {(q'R)}^{d'}$. Then we simply require that

$$\begin{aligned} \frac{1}{q'} \sum _{i=1}^{d'} \sum _{j=1}^d \tilde{a}_i g_{ij} s_j \approx \frac{1}{q} \sum _{j=1}^d a_j s_j \bmod {R}^{\vee }. \end{aligned}$$

(5)

This requirement can be satisfied if we choose $\tilde{\mathbf{a }}$ such that

$$\begin{aligned} \frac{1}{q'} \sum _{i=1}^{d'} \tilde{a}_i g_{ij} \approx \frac{1}{q} a_j \bmod R \end{aligned}$$

(6)

for $j = 1, \dots , d$. To carry out this strategy, we will sample $\tilde{\mathbf{a }}$ over an appropriate lattice defined by $\mathbf G $ in the canonical embedding. The main challenge in applying this strategy is that we want the error in the new MLWE sample to follow a standard error distribution, i.e. a continuous Gaussian.

Theorem 1

Let R be the ring of integers of some algebraic number field K of degree n, let d, $d'$, q, $q'$ be integers, $\epsilon \in (0, 1/2)$, and $\mathbf G \in R^{d' \times d}$. Also, fix $\mathbf s = (s_1, \dots , s_d) \in {({R}_q^{\vee })}^d$. Further, let $\mathbf B _{\varLambda }$ be some known basis of the lattice $\varLambda = \frac{1}{q'} \mathbf G _H^T R^{d'} + R^d$ (in the canonical embedding), $\mathbf B _R$ be some known basis of R in H and

$$\begin{aligned} r \ge \max {\left\{ \begin{array}{ll} \Vert \tilde{\mathbf{B }}_{\varLambda }\Vert \ \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \\ \frac{1}{q}\ \Vert \tilde{\mathbf{B }}_R\Vert \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \\ \frac{1}{q} \max _i \Vert \tilde{\mathbf{B }}_{s_{i}R}\Vert \cdot \frac{1}{\min _k |\sigma _k(s_i)|}\cdot \sqrt{2 \ln (2n(1+1/\epsilon )) / \pi }\end{array}\right. } \end{aligned}$$

where $\mathbf B _{s_{i}R}$ is a basis of $s_{i}R$ in the canonical embedding. There exists an efficient probabilistic mapping $\mathcal {F}: {(R_q)}^d \times \mathbb {T} _{{R}^{\vee }} \longrightarrow {(R_{q'})}^{d'} \times \mathbb {T} _{{R}^{\vee }}$ such that:

1.
The output distribution given uniform input $\mathcal {F}(U({(R_q)}^d \times \mathbb {T} _{{R}^{\vee }}))$ is within statistical distance $4\epsilon $ of the uniform distribution over ${(R_{q'})}^{d'} \times \mathbb {T} _{{R}^{\vee }}$.
2.
Let $M = R^d$, $M' = R^{d'}$ and define $B :=\max _{i,j}{|\sigma _i(s_j)|}$. The distribution of $\mathcal {F}(A^{(M)}_{q, \mathbf s , D_{\alpha }})$ is within statistical distance $(4d+6) \epsilon $ of $A^{(M')}_{q', \mathbf Gs , D_{\varvec{\alpha }'}}$ where ${(\varvec{\alpha }')}_i^2 = \alpha ^2 + r^2(\beta ^2 + \sum _{j=1}^{d} |\sigma _i(s_j)|^2)$ and $\beta $ satisfies $\beta ^2 \ge B^2 d$.

Proof

We use the canonical embedding on each component of $R^d$ individually, e.g. $\mathbf a _{H} = (\sigma _{H}(a_1), \dots , \sigma _H({a_{d}})) \in H^d \simeq \mathbb {R}^{nd}$ and similarly for other module elements. We will also refer to the canonical embedding of R as simply R to ease notation. Suppose we are given $(\mathbf a , b) \in {(R_q)}^d \times \mathbb {T} _{{R}^{\vee }}$. The mapping $\mathcal {F}$ is performed as follows:

1.
Sample $\mathbf f \leftarrow D_{\varLambda - \frac{1}{q} \mathbf a _H , r}$. Note that the parameter r is large enough so that we can sample the discrete Gaussian efficiently by Lemma 2.
2.
Let $\mathbf v = \frac{1}{q} \mathbf a _H + \mathbf f \in \varLambda /R^{d}$ and set $\mathbf x \in {(R_{q'})}^{d'}$ to be a random solution of $\frac{1}{q'} \mathbf G _H^T \mathbf x = \mathbf v \bmod R^d$. Then set $\tilde{\mathbf{a }} \in M'$ to be the unique element of $M'$ such that $\tilde{\mathbf{a }}_{H} = \mathbf x $.
3.
Sample $\tilde{e}$ from the distribution $D_{r\beta }$ over $K_\mathbb {R}\simeq H$ for some $\beta > B\sqrt{d}$ and set $\tilde{b} = b+\tilde{e}$.
4.
Finally, output $(\tilde{\mathbf{a }}, \tilde{b}) \in {(R_{q'})}^{d'} \times \mathbb {T} _{{R}^{\vee }}$.

Distribution of $\tilde{a}$ . Suppose that $\mathbf a \in {(R_q)}^d$ was drawn uniformly at random. Step 2 of the reduction can be performed by adding a random element of the basis of solutions to $\frac{1}{q'} \mathbf G _H^T \mathbf y = 0 \bmod R^d$ to a particular solution of $\frac{1}{q'} \mathbf G _H^T \mathbf x = \mathbf v \bmod R^d$. In order to show that $\tilde{\mathbf{a }}$ is nearly uniform random, we will show that the vector $\mathbf x $ is nearly uniform random over the set ${(R_{q'})}^{d'}$. Note that every $\mathbf x \in {(R_{q'})}^{d'}$ is a solution to $\frac{1}{q'} \mathbf G _H^T \mathbf x = \mathbf v \bmod R^d$ for some $\mathbf v $ and the number of solutions to this equation in ${(R_{q'})}^{d'}$ for each $\mathbf v $ is the same. Thus, proving that $\mathbf v $ is almost uniform suffices. Observe that $r \ge \eta _\epsilon (\varLambda )$. Therefore, Lemma 4 tells us that for any particular $\bar{\mathbf{a }} \in {(R_q)}^d$ and $\bar{\mathbf{f }} \in \varLambda - \frac{1}{q} \bar{\mathbf{a }}_H$, we have

$$\begin{aligned} \begin{aligned} \Pr [\mathbf a = \bar{\mathbf{a }} \wedge \mathbf f = \bar{\mathbf{f }}]&= q^{-nd} \cdot \rho _r(\bar{\mathbf{f }}) / \rho _r( \varLambda - \frac{1}{q} \bar{\mathbf{a }}_H) \\&= \frac{q^{-nd}}{\rho _r(\varLambda )} \cdot \frac{\rho _r(\varLambda )}{\rho _r(\varLambda - \frac{1}{q} \bar{\mathbf{a }}_H)} \cdot \rho _r(\bar{\mathbf{f }})\\&\in C \cdot \left[ 1, \frac{1+\epsilon }{1-\epsilon } \right] \cdot \rho _r(\bar{\mathbf{f }}) \end{aligned} \end{aligned}$$

(7)

where $C := q^{-nd}/\rho _r(\varLambda )$ is a constant. By summing this equation over appropriate values of $\bar{\mathbf{a }}$ and $\bar{\mathbf{f }}$, Lemma 4 tells us that for any coset $\bar{\mathbf{v }} \in \varLambda /R^{d}$,

$$\begin{aligned} \begin{aligned} \Pr [\mathbf v = \bar{\mathbf{v }}]&\in C \cdot \left[ 1, \frac{1+\epsilon }{1-\epsilon }\right] \cdot \rho _r(q^{-1}R^{d} + \bar{\mathbf{v }})\\&\in C \cdot \rho _r(q^{-1}R^{d}) \cdot \left[ 1, \frac{1+\epsilon }{1-\epsilon }\right] \cdot \frac{\rho _r(q^{-1}R^{d} + \bar{\mathbf{v }})}{\rho _r(q^{-1}R^{d})}\\&\in C' \cdot \left[ \frac{1-\epsilon }{1+\epsilon }, \frac{1+\epsilon }{1-\epsilon }\right] \end{aligned} \end{aligned}$$

(8)

where $C' := C \rho _r(q^{-1}R^d)$. Note that we may apply Lemma 4 here since we know that $r \ge \eta _{\epsilon } ({(q)}^{-1} R^{d})$ by Lemma 3. This allows us to conclude that the distribution of $\mathbf v $ is within statistical distance $1 - {[(1-\epsilon ) / (1+\epsilon )]}^2 \le 4 \epsilon $ of the uniform distribution. This means that $\mathbf x $ is uniformly random over ${(R_{q'})}^{d'}$ to within statistical distance $4 \epsilon $ implying that $\tilde{\mathbf{a }}$ is uniform random over ${(R_{q'})}^{d'}$ to within statistical distance $4 \epsilon $. It is also clear that $\tilde{b}$ is exactly uniform random given that b is uniform random. This proves the first claim (uniform-to-uniform).

Distribution of −f . In our analysis of the resulting error, it will be useful to understand the distribution of the vector $-\mathbf f $ for fixed $\tilde{\mathbf{a }}$ (and thus fixed $\mathbf v = \bar{\mathbf{v }}$). Note that fixing a value $\mathbf f = \bar{\mathbf{f }}$ fixes $\frac{1}{q} \mathbf a = \bar{\mathbf{v }} - \bar{\mathbf{f }} \bmod R^d$. By summing over all appropriate values of $\mathbf f $ in Eq. 7, one can show that the distribution of $-\mathbf f $ for any fixed $\tilde{\mathbf{a }}$ is within statistical distance $1 - (1-\epsilon )(1+\epsilon ) \le 2 \epsilon $ of $D_{\frac{1}{q} R^{d} - \bar{\mathbf{v }}, r}$. Distribution of the error. Suppose we are given the MLWE sample $(\mathbf a , b = \frac{1}{q} \left\langle \mathbf a , \mathbf s \right\rangle + e) \in {(R_q)}^d \times \mathbb {T} _{{R}^{\vee }}$ where $e \in K_\mathbb {R}$ is drawn from $D_{\alpha }$. We have already shown that our map outputs $\tilde{\mathbf{a }} \in {(R_{q'})}^{d'}$ that is almost uniformly random. Now we condition on a fixed $\tilde{\mathbf{a }} = \bar{\tilde{\mathbf{a }}}$ and analyse the distribution of

$$\begin{aligned} (\tilde{b} - \frac{1}{q'} \left\langle \bar{\tilde{\mathbf{a }}} \cdot \tilde{\mathbf{s }} \right\rangle ) \bmod {R}^{\vee }. \end{aligned}$$

(9)

Let $\mathbf f _i \in \mathbb {R}^n$ be the vector consisting of the $i^{th}$ block of n entries of $\mathbf f \in \mathbb {R}^{nd}$ for $i=1,\dots ,d$. Using the fact that $\tilde{\mathbf{s }} = \mathbf G \mathbf s $ and that ${R}^{\vee } $ is closed under multiplication by elements of R, we can rewrite this as

$$\begin{aligned} (\tilde{b} - \frac{1}{q'} \left\langle \bar{\tilde{\mathbf{a }}} \cdot \tilde{\mathbf{s }} \right\rangle ) = \sum _{i=1}^d s_i \cdot \sigma _H^{-1}(-\mathbf f _i) + \tilde{e} + e \bmod {R}^{\vee }. \end{aligned}$$

(10)

In fact, we want to analyse the RHS of the above equation in canonically embedded space. To do so, define the invertible matrix $S_{i,H} :=U_H S_i U_H^{\dagger } \in \mathbb {R}^{n \times n}$ where $U_H$ is given in Eq. (2) and $S_i$ is the diagonal matrix with the field embeddings of $s_i$ along the diagonal i.e. ${[S_i]}_{jk} = \sigma _j(s_i) \delta _{jk}$. Note that $S_{i,H}$ is the matrix representing multiplication by s in the basis ${(\mathbf h _i)}_{i=1}^n$ of H. Therefore, in canonical space, the error is given by

$$\begin{aligned} \sum _{i=1}^d S_{i,H} \cdot (-\mathbf f _i) + \sigma _H(\tilde{e}) + \sigma _H(e) \bmod {R}^{\vee } \end{aligned}$$

(11)

where $\sigma _H(\tilde{e})$ and $\sigma _H(e)$ are distributed as $D_{r\beta }$ and $D_{\alpha }$ respectively. Also, letting $\bar{\mathbf{v }}_i$ denote the $i^{th}$ block of n coordinates of $\bar{\mathbf{v }}$, we know that $-\mathbf f _i$ is almost distributed as $D_{\frac{1}{q}R - \bar{\mathbf{v }}_i,r}$. It then follows that $S_{i,H}\cdot (-\mathbf f _i)$ is close in distribution to $D_{\frac{1}{q}S_{i,H} \cdot R - S_{i,H}\cdot \bar{\mathbf{v }}_i, r{(S_{i,H})}^T}$ i.e. an ellipsoidal discrete Gaussian. In fact the covariance matrix $r^2 S_{i,H}S_{i,H}^T$ is diagonal with respect to our basis ${(\mathbf h _i)}_{i=1}^n$ of $\mathbb {R}^n$ (see Sect. 2.2) with eigenvalues given by $r^2 |\sigma _j(s_i)|^2$ for $j=1, \dots , n$. Note that we can conceptualise $\sigma _H(\tilde{e})$ as $\sum _{i=1}^d \tilde{e}^{(i)}$ where each $\tilde{e}^{(i)}$ is distributed as a continuous spherical Gaussian in $\mathbb {R}^n$ with parameter $\gamma _i \ge rB$. Recalling that $-\mathbf f $ is distributed as $D_{\frac{1}{q}R^d - \bar{\mathbf{v }}, r}$ to within statistical distance $2\epsilon $, we can now apply Lemma 5 d times to conclude that

$$\begin{aligned} \sum _{i=1}^d S_{i,H}\cdot (-\mathbf f _i) + \sigma _H(\tilde{e}) = \sum _{i=1}^d S_{i,H}\cdot (-\mathbf f _i)+\tilde{e}^{(i)} \end{aligned}$$

(12)

is distributed as the continuous Gaussian with a diagonal covariance matrix to within statistical distance $2\epsilon + 4d\epsilon $. In particular, the diagonal entries of the convariance matrix are given by $r^2 \left( \beta ^2 + \sum _{j=1}^d |\sigma _i(s_j)|^2 \right) $ for $i=1, \dots , n$. Considering the original error term $\sigma _H(e)$ that follows the distribution $D_{\alpha }$ completes the proof. $\square $

Remark 2

It is permissible to take $B:=\min _{i,j} |\sigma _j(s_i)|$ in the above theorem. However, this will not save us any asymptotic factors in the output error distribution so we use $B:=\max _{i,j} |\sigma _j(s_i)|$ to allow for cleaner looking bounds.

The following corollary specialises to a map from MLWE in module rank $d$ to $d/k$ and from modulus $q$ to $q^{k}$ for general rings. Taking $k=d$ constitutes a reduction from MLWE to RLWE. Note that the new secret distribution is non-standard in general, but we can always use the usual re-randomizing process to obtain a uniform secret. We also highlight the fact that the lower bound on r is not particularly tight due to a loose upper bound on the quantities $\Vert \tilde{\mathbf{B }}_{s_{i}R}\Vert $. This issue is addressed for power-of-two cyclotomics in Sect. 3.1. In fact, for a general cyclotomic ring R, it holds that $\Vert \mathbf B _{s_{i}R}\Vert = \Vert \sigma _H(s_i)\Vert $.

Corollary 1

Let R be a ring with basis $\mathbf B _R$ in the canonical embedding and $\chi $ be a distribution satisfying

for some $(B, \delta )$ and $(B', \delta ')$. Also let $\alpha > 0$ and take any $\epsilon \in (0, 1/2)$. For any $k>1$ that divides d and

$$\begin{aligned} r \ge \max {\left\{ \begin{array}{ll} \frac{1}{q}\ \Vert \tilde{\mathbf{B }}_{R}\Vert \ \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \\ \frac{1}{q}\ B'\ \Vert \tilde{\mathbf{B }}_R\Vert \ \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \end{array}\right. }, \end{aligned}$$

there is an efficient reduction from $MLWE^{(R^d)}_{m, q, \varPsi _{\le \alpha }}(\chi ^d)$ to $MLWE^{(R^{d/k})}_{m, q^k, \varPsi _{\le \alpha '}}(\mathbf G \cdot \chi ^d)$ for $\mathbf G = \mathbb {I} _{d/k} \otimes (1, q, \dots , q^{k-1}) \in R^{d/k \times d}$ and

$$\begin{aligned} {(\alpha ')}^2 \ge \alpha ^2 + 2r^2 B^2 d. \end{aligned}$$

Moreover, this reduction reduces the advantage by at most $[1-{(1-\delta - \delta ')}^d] + (4d+10) \epsilon m$.

Proof

We run the reduction from Theorem 1, taking $q' = q^k$, $\beta ^2 \ge B^2d$ and $\mathbf G \in R^{d/k \times d}$ as in the corollary statement. First, note that $\Vert \tilde{\mathbf{B }}_{s_{i}R}\Vert \le \max _j |\sigma _j(s_i)|\cdot \Vert \tilde{\mathbf{B }}_R\Vert $ by considering multiplication in the canonical embedding and Lemma 2 from [ABB10]. In the coefficient embedding, we have that $\mathbf G = \mathbb {I} _{d/k} \otimes (1, q, \dots , q^{k-1}) \otimes \mathbb {I} _n$ and the lattice of interest is $\frac{1}{q^k} \mathbf G ^T \mathbb {Z}^{nd/k} + \mathbb {Z}^{nd}$ with basis $\mathbf B = \mathbb {I} _{d/k} \otimes \mathbf Q \otimes \mathbb {I} _n$ where

To move from the coefficient embedding to the canonical embedding, we simply multiply by the matrix $\mathbf B _{R^d} := \mathbb {I} _d \otimes \mathbf B _R$. Therefore, in the canonical embedding, the basis is given by $\mathbf B _\varLambda = \mathbb {I} _{d/k} \otimes \mathbf Q \otimes \mathbf B _R$. Orthogonalising from left to right, we can see that $\Vert \tilde{\mathbf{B }}_\varLambda \Vert $ is precisely $\frac{1}{q} \Vert \tilde{\mathbf{B }}_R\Vert $.

Let E be the event that $\max _i |\sigma _i(s)| \le B$ and F be the event $\max _{i,j} \frac{|\sigma _i(s)|}{|\sigma _j(s)|} \le B'$ where . The fact that $P(E \cap F) = P(E) + P(F) - P(E \cup F) \ge P(E) + P(F) - 1 \ge 1- \delta -\delta '$ implies the result. $\square $

3.1 Power-of-Two Cyclotomic Rings

We now give a more specific account of Theorem 1 in the case where R for power-of-two is a cyclotomic ring, i.e. $R = \mathbb {Z}[X]/\left\langle X^n+1 \right\rangle $ for power-of-two n. We will also be considering discrete Gaussian secret distributions and normal form MLWE. The corollary given in this section is almost identical to Corollary 1 apart from the definition of the pairs $(B, \delta )$ and $(B', \delta ')$. This change makes the corollary amenable to known results for discrete Gaussian secret distributions.

It can be shown that the map taking the canonical embedding to the coefficient embedding is a scaled isometry with scaling factor $1/\sqrt{n}$. In particular, the canonical to coefficient embedding map sends a spherical Gaussian r to $r/\sqrt{n}$. Furthermore, the dual ring is given by ${R}^{\vee } := \frac{1}{n} \cdot R$ and takes the simple form of $\frac{1}{n} \mathbb {Z}^n$ in the coefficient embedding.

Let $\tau >0$. We will be considering the case where the secret s is drawn from $D_{{R}^{\vee }, \tau }$ (and then reduced modulo $q{R}^{\vee } $). In the coefficient embedding, this is equivalent to drawing the secret from the distribution $D_{\frac{1}{n}\mathbb {Z}^n, \tau /\sqrt{n}}$.

Let $S_H$ be the matrix of multiplication by s in the canonical embedding. For cyclotomic power-of-two rings, there is a simple relationship between components of the canonical embedding $\sigma _i(s)$ and the singular values of the matrix $ rot (s)$. Let $\mathbf B _R = \sqrt{n} \cdot U$ denote the scaled isometry mapping from coefficient space to canonical space where U is unitary. Then we have ${S_H}^T{S_H} = U^{-1} \cdot rot (s)^T rot (s) \cdot U$. Since ${S_H}^T{S_H}$ is diagonal with elements given by $|\sigma _i(s)|^2$, the eigenvalues of $ rot (s)^T rot (s)$ are exactly these diagonal elements. This implies $|\sigma _i(s)|$ are exactly the singular values of $ rot (s)$. We will use this fact in the next claim.

Lemma 7

Let $R = \mathbb {Z}[X]/ \left\langle X^n+1 \right\rangle $ for some power-of-two n. Then for any $\delta \in (0,1)$, $t \ge \sqrt{2\pi }$ and $\tau \ge \frac{t}{\sqrt{2\pi n}} \cdot \eta _{\delta }(\mathbb {Z}^n)$, we have

Proof

Let $b = ns$. The distribution of b is $D_{\mathbb {Z}^n, \tau \sqrt{n}}$. Let $\sigma _n( rot (b))$ denote the least singular value of $ rot (b)$. Now we can write

where the inequality comes from Lemma 6. $\square $

In the proof of the following lemma, we will say that a distribution D over $\mathbb {Z}^n$ is $(B,\delta )$-bounded for real numbers $B, \delta >0$ if .

Lemma 8

Let $R = \mathbb {Z}[X]/ \left\langle X^n+1 \right\rangle $ for some power-of-two n. Then for any $\delta \in (0,1)$ and $\tau \ge 0$,

for some universal constant $C>0$. We also have that

Proof

Take $B>0$ and let $b=ns$. We have

As mentioned in [BLP+13], we know that $D_{\mathbb {Z}^n, r}$ is $(Cr\sqrt{n\log (n/\delta )}, \delta )$-bounded for some universal constant $C>0$ by taking a union bound over the n coordinates. Furthermore, an application of Lemma 1.5 in [Ban93] implies that $D_{\mathbb {Z}^n, r}$ is $(r\sqrt{n}, 2^{-n})$-bounded. Applying these results completes the proof. $\square $

Corollary 2

Let $R = \mathbb {Z}[X]/\left\langle X^n+1 \right\rangle $ for power-of-two n and $\chi $ be a distribution over ${R}^{\vee } $ satisfying

for some $(B_1, \delta _1)$ and $(B_2, \delta _2)$. Also let $\alpha > 0$ and take any $\epsilon \in (0, 1/2)$. For any $k>1$ that divides d,

$$\begin{aligned} r \ge \left( \frac{\max \{\sqrt{n}, B_1B_2\}}{q}\right) \ \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi }, \end{aligned}$$

there is an efficient reduction from $MLWE^{(R^d)}_{m, q, \varPsi _{\le \alpha }}(\chi ^d)$ to $MLWE^{(R^{d/k})}_{m, q^k, \varPsi _{\le \alpha '}}(\mathbf G \cdot \chi ^d)$ for $\mathbf G = \mathbb {I} _{d/k} \otimes (1, q, \dots , q^{k-1}) \in R^{d/k \times d}$ and

$$\begin{aligned} {(\alpha ')}^2 \ge \alpha ^2 + 2r^2 B_1^2 d. \end{aligned}$$

Moreover, this reduction reduces the advantage by at most $[1-{(1-\delta _1 - \delta _2)}^d] + (4d+10) \epsilon m$.

Proof

We apply Theorem 1 taking $\beta ^2 \ge B_1^2d$. For power-of-two cyclotomic rings, $\Vert \mathbf B _{s_{i}R}\Vert = \Vert \sigma _H(s)\Vert $. Furthermore, if $B_1 \ge \Vert \sigma _H(s)\Vert $, then it is guaranteed that $B_1 \ge \max _i |\sigma _i(s)|$. The rest of the proof is the same as in Corollary 1. $\square $

To put the above corollary into context, we now discuss the pairs $(B_1, \delta _1)$ and $(B_2, \delta _2)$ when the secret distribution $\chi $ is $D_{{R}^{\vee }, \tau }$. From Lemma 8, for any $\delta _1 \in (0,1)$, we have $B_1 = \mathcal {O}(\tau \sqrt{n\log (n/\delta _1)})$. Next, for any $\delta _2 \in (0,1)$, we fix the parameter $\delta $ from Lemma 7 (e.g. $\delta =1/2$) and take t from Lemma 7 proportional to $n/\delta _2$. Then, as long as $\tau \ge \mathcal {O}(\sqrt{n\log (n)}/\delta _2)$, we can take $B_2 = \mathcal {O}(n/(\tau \delta _2 ))$. To summarize, we may take:

$B_1 = \mathcal {O}(\tau \sqrt{n\log (n/\delta _1)})$ for arbitrary $\tau >0$ and $\delta _1 \in (0,1)$
$B_2 = \tilde{\mathcal {O}}\left( \frac{n}{\tau \delta _2}\right) $ for $\tau \ge \mathcal {O}(\sqrt{n\log (n)}/\delta _2)$ and any $\delta _2 \in (0,1)$
$B_1B_2 = \tilde{\mathcal {O}}\left( \frac{n\sqrt{n\log (n/\delta _1)}}{\delta _2}\right) $ for $\tau \ge \mathcal {O}(\sqrt{n\log (n)}/\delta _2)$ and any $\delta _1, \delta _2 \in (0,1)$.

In an ideal setting, we would like to conclude that a probabilistic polynomial-time (PPT) algorithm that solves RLWE with non-negligible advantage implies a PPT algorithm capable of solving MLWE with non-negligible advantage. In order to achieve this, it is necessary that the loss in advantage incurred by any reduction should be negligible in the security parameter $\lambda $. Therefore, we would require that $\delta _1, \delta _2$ and $\epsilon $ all be negligible in the corollaries above. The requirement that $\delta _2$ be negligible is particularly troublesome since this implies that $B_1$ and $B_2$ are super-polynomial in $\lambda $ if we want to use the results above. This would mean that the resulting error in our reduction would also be super-polynomial. In particular, the case of normal form MLWE where $\tau = \alpha q$ ($=\textsf {poly}(n)$) is not covered by the analysis given in the case that $\delta _2$ is negligible. This issue will be addressed in Sect. 4 where we show that taking $\delta _2 = \mathcal {O}(1/d)$ suffices when considering search variants.

Yet, the analysis given so far remains relevant for sufficiently good algorithms for solving RLWE. For example, given access to an algorithm solving decision RLWE with advantage $1/\mathsf {poly}(\lambda )$, it would be adequate to consider $\delta _1, \delta _2$ and $\epsilon $ as $1/\mathsf {poly}(\lambda )$. These choices lead to a reduction from MLWE to RLWE (with polynomial noise) with $1/\mathsf {poly}(\lambda )$ loss in advantage which is acceptable given a sufficiently effective algorithm for solving RLWE.

4 Search Reductions Using Rényi Divergence

Given our analysis of the reduction explicited in Theorem 1, it is fairly straight-forward to obtain analogous results based on Rényi divergence. We will show that our reduction can be used to solve search MLWE with non-negligible probability given an algorithm for solving search RLWE with non-negligible success probability. Note that this result could potentially be derived from statistical distance arguments, but we choose to use the Rényi divergence because it later allows us to reduce to a strictly spherical error distribution while increasing the width of the resulting error distribution only by small powers of n. In contrast, statistical distance arguments require the drowning noise to increase by super-polynomial factors. This is because we require negligible statistical distances to target distributions whereas we only require that Rényi divergences are $\mathcal {O}(1)$ to obtain meaningful results.

Theorem 2

Let R be the ring of integers of some algebraic number field K of degree n, d, $d'$, q, $q'$ be integers, $\epsilon \in (0, 1/2)$, and $\mathbf G \in R^{d' \times d}$. Also, fix $\mathbf s = (s_1, \dots , s_d) \in {({R}_q^{\vee })}^d$. Further, let $\mathbf B _{\varLambda }$ be some known basis of the lattice $\varLambda = \frac{1}{q'} \mathbf G _H^T R^{d'} + R^d$ (in the canonical embedding), $\mathbf B _R$ be some known basis of R in H and

$$\begin{aligned} r \ge \max {\left\{ \begin{array}{ll} \Vert \tilde{\mathbf{B }}_{\varLambda }\Vert \ \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \\ \frac{1}{q}\ \Vert \tilde{\mathbf{B }}_R\Vert \cdot \sqrt{2 \ln (2nd(1+1/\epsilon )) / \pi } \\ \frac{1}{q} \Vert \tilde{\mathbf{B }}_{s_{i}R}\Vert \cdot \frac{1}{\min _k |\sigma _k(s_i)|}\cdot \sqrt{2 \ln (2n(1+1/\epsilon )) / \pi }\end{array}\right. } \end{aligned}$$

where $\mathbf B _{s_{i}R}$ is a basis of $s_{i}R$ in the canonical embedding. Let $M = R^d$, $M' = R^{d'}$ and define $B :=\max _{i,j}{|\sigma _i(s_j)|}$. There exists an efficient probabilistic mapping $\mathcal {F}: {(R_q)}^d \times \mathbb {T} _{{R}^{\vee }} \longrightarrow {(R_{q'})}^{d'} \times \mathbb {T} _{{R}^{\vee }}$ such that

$$\begin{aligned} R_{\infty }\left( A^{(M')}_{q', \mathbf Gs , D_{\varvec{\alpha }'}} \vert \vert \mathcal {F}(A^{(M)}_{q, \mathbf s , D_{\alpha }})\right) \le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^{d+3} \end{aligned}$$

where ${(\varvec{\alpha }')}_i^2 = \alpha ^2 + r^2(\beta ^2 + \sum _{j=1}^{d} |\sigma _i(s_j)|^2)$ and $\beta $ satisfies $\beta ^2 \ge B^2 d$.

Proof

We take the mapping $\mathcal {F}$ described in the proof of Theorem 1 and adopt the same notation. Recall that $(\tilde{\mathbf{a }}, \tilde{b})$ denotes the output of $\mathcal {F}$. Denote the distribution of interest $\mathcal {F}(A^{(M)}_{q, \mathbf s , D_{\alpha }})$ as $\tilde{A}^{(M')}_{q', \mathbf Gs , \tilde{D}}$ i.e. the distribution of $(\tilde{\mathbf{a }}, \tilde{b})$ given that $(\mathbf a ,b)$ follows the distribution $A^{(M)}_{q, \mathbf s , D_{\alpha }}$.

Distribution of $\tilde{\varvec{a}}$ . Let $K_{sol}$ denote the number of solutions to the equation $\frac{1}{q'}\mathbf G _H^T\mathbf x = \mathbf v \bmod R^{d}$ and $K_v$ the number of possible vectors $\mathbf v $. Recall that $K_{sol}$ is constant in $\mathbf v $. For any $\bar{\tilde{\mathbf{a }}} \in R_{q'}^{d'}$, we have (from Eq. (8)) that

$$\begin{aligned} \Pr [\tilde{\mathbf{a }} = \bar{\tilde{\mathbf{a }}}]&= \sum _{\bar{\mathbf{v }} \in \varLambda /\mathbb {Z}^{nd}} \Pr [\tilde{\mathbf{a }} = \bar{\tilde{\mathbf{a }}} \vert \mathbf v = \bar{\mathbf{v }}] \cdot \Pr [\mathbf v = \bar{\mathbf{v }}]\\&\ge C' \cdot \left( \frac{1-\epsilon }{1+\epsilon } \right) \frac{1}{K_{sol}} \ge {\left( \frac{1-\epsilon }{1+\epsilon } \right) }^2 \cdot \frac{1}{K_{sol} K_v}. \end{aligned}$$

Note that picking $\tilde{\mathbf{a }}$ at random is identical to choosing $\mathbf v $ at random followed by picking a uniformly random solution to $\frac{1}{q'}\mathbf G _H^T\mathbf x = \mathbf v \bmod R^{d}$. Therefore, the distribution of $\tilde{\mathbf{a }}$ which we denote by $D^{(\tilde{\mathbf{a }})}$ satisfies

$$\begin{aligned} R_{\infty }\left( U(R_{q'}^{d'}) \vert \vert D^{(\tilde{\mathbf{a }})}\right) \le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2. \end{aligned}$$

(13)

Distribution of −f . Previously, we concluded that the distribution of $-\mathbf f $ was close in statistical distance to $D_{\frac{1}{q}R^{d} - \bar{\mathbf{v }}, r}$ conditioned on some fixed $\tilde{\mathbf{a }}$. Once again, summing over appropriate values of $\mathbf f $ in Eq. (7) tells us that

$$\begin{aligned} \Pr [-\mathbf f = \bar{\mathbf{f }} | \tilde{\mathbf{a }} = \bar{\tilde{\mathbf{a }}}] \ge C\cdot \rho _r(\bar{\mathbf{f }}) \ge \frac{1-\epsilon }{1+\epsilon } \cdot \frac{\rho _r(\bar{\mathbf{f }})}{\rho _r(\frac{1}{q}R^{d} - \bar{\mathbf{v }})}. \end{aligned}$$

Therefore, writing $D^{(-\mathbf f )}$ as the distribution of $-\mathbf f $, we see that

$$\begin{aligned} R_{\infty }\left( D_{\frac{1}{q}R^{d} - \bar{\mathbf{v }}, r} \vert \vert D^{(-\mathbf f )}\right) \le \frac{1+\epsilon }{1-\epsilon }. \end{aligned}$$

Distribution of the error term. We now analyse the distribution of the error term given in Eq. (10). Let $\mathbf f _i$ denote the $i^{th}$ block of n consecutive coordinates of $\mathbf f \in \mathbb {R}^{nd}$ Once again, we split the RHS of this error term and analyse it as $\sum _{i=1}^{d} \left( S_{i,H}^T\cdot (-\mathbf f _i) + \tilde{e}^{(i)} \right) + e$ where each $\tilde{e}^{(i)}$ is sampled independently from a continuous Gaussian on $\mathbb {R}^n$ with parameter $\gamma _i \ge rB$. Let $D^{(i)}$ denote the distribution of $\left( S_{i,H}^T\cdot (-\mathbf f _i) + \tilde{e}^{(i)} \right) $. We now use the data-processing inequality with the function $(-\mathbf f , \tilde{e}^{(1)}, \dots , \tilde{e}^{(d)}) \longmapsto (S_{1,H}^T\cdot (-\mathbf f _1) + \tilde{e}^{(1)}, \dots , S_{d,H}^T\cdot (-\mathbf f _d) + \tilde{e}^{(d)})$. For $i = 1, \dots , d$, define $Y^{(i)}$ as the distribution obtained by sampling from $D_{\frac{1}{q}S_{i,H}R+S_{i,H}\cdot \bar{\mathbf{v }}_i, r(S_{i,H}^T)}$ and then adding a vector sampled from $D_{\gamma _i}$. Note that $Y^{(i)}$ is the distribution of $\mathbf S _i^T\cdot (-\mathbf f _i) + \tilde{e}^{(i)}$ in the case that the distribution of $-\mathbf f $ is exactly $D_{\frac{1}{q}R^{d} - \bar{\mathbf{v }},r}$. Let $D_{\gamma } = D_{\gamma _1} \times \cdots \times D_{\gamma _d}$. The data-processing inequality for Rényi divergence implies that

$$\begin{aligned} R_{\infty }\left( Y^{(1)} \times \cdots \times Y^{(d)} \vert \vert D^{(1)} \times \cdots \times D^{(d)}\right)&\le R_{\infty }\left( D_{\frac{1}{q}R^{d} - \bar{\mathbf{v }}, r} \times D_{\gamma } \vert \vert D^{(-\mathbf f )} \times D_{\gamma }\right) \\&\le \frac{1+\epsilon }{1-\epsilon }. \end{aligned}$$

Now we apply Lemma 5 by recalling that the covariance matrix $S_{i,H}^{T}S_{i,H}$ is diagonal with elements $|\sigma _j(s_i)|$ for $j = 1, \dots n$. This allows us to conclude that for $i = 1, \dots , d$,

$$\begin{aligned} R_{\infty }\left( D_{{(\gamma _i^2 + r^2S_{i,H}^{T}S_{i,H})}^{1/2}} \vert \vert Y^{(i)}\right) \le \frac{1+\epsilon }{1-\epsilon }. \end{aligned}$$

By first applying the data-processing inequality to the function that sums the samples and then considering the triangle inequality and independence, the above equation implies that

$$\begin{aligned} R_{\infty }\left( D_{{(\alpha ^2 + r^2\beta ^2 + r^2 \sum _{i=1}^d S_{i,H}^{T}S_{i,H})}^{1/2}} \vert \vert \tilde{D}\right)&\le \frac{1+\epsilon }{1-\epsilon } \cdot \prod _{i=1}^d R_{\infty }\left( D_{{(\gamma ^2 + r^2S_{i,H}^{T}S_{i,H})}^{1/2}} \vert \vert Y^{(i)}\right) \nonumber \\&\le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^{d+1} \end{aligned}$$

(14)

where $\tilde{D}$ is the distribution of the RHS of Eq. (10) (i.e. the sum of the distributions $D^{(i)}$).

Distribution of the reduction’s output. We now complete the proof by combining the results above.

$$\begin{aligned} R_{\infty }\left( A^{(M')}_{q', \mathbf Gs , D_{\varvec{\alpha }'}} \vert \vert \tilde{A}^{(M')}_{q', \mathbf Gs , \tilde{D}}\right)&\le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2 \cdot R_{\infty }\left( D_{\varvec{\alpha }'} \vert \vert \tilde{D}\right) \\&\le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2 \cdot {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^{d+1} \end{aligned}$$

where the first inequality comes from the multiplicative property of Rényi divergence along with the inequality in (13) and the second comes from the weak triangle inequality along with (14). $\square $

Corollary 3

For power-of-two n, let $R = \mathbb {Z}[X]/\left\langle X^n+1 \right\rangle $, m be a positive integer and $\chi $ be a distribution over ${R}^{\vee } $ satisfying

for some $(B_1, \delta _1)$ and $(B_2, \delta _2)$. Also let $\alpha > 0$. For any $k>1$ that divides $d>1$ and

$$\begin{aligned} r \ge \left( \frac{\max \{\sqrt{n}, B_1B_2\}}{q}\right) \ \cdot \sqrt{2 \ln (2nd(1+m(d+3))) / \pi }, \end{aligned}$$

there exists an efficient reduction from search $MLWE^{(R^d)}_{m, q, \varPsi _{\le \alpha }}(\chi ^d)$ to search $MLWE^{(R^{d/k})}_{m, q^k, \varPsi _{\le \alpha '}}(U({R}_q^{\vee }))$ for

$$\begin{aligned} {(\alpha ')}^2 \ge \alpha ^2 + 2r^2 B_1^2 d. \end{aligned}$$

In particular, if there is an algorithm solving search $MLWE^{(R^{d/k})}_{m, q^k, \varPsi _{\le \alpha '}}(U({R}_q^{\vee }))$ with success probability p, then for search $MLWE^{(R^d)}_{m, q, \varPsi _{\le \alpha }}(\chi ^d)$ an algorithm exists which succeeds with probability at least ${[1-(\delta _1 + \delta _2)]}^d \cdot p/8$.

Proof

We use the reduction and analysis from Theorem 2 with $\beta ^2 \ge B_1^2d$ and $\mathbf G = I_{d/k} \otimes (1, q, \dots , q^{k-1}) \in R^{d/k \times d}$ followed by a standard re-randomization of the resulting secret. Since we sample d such ring elements, we are in the realm of Theorem 2 with probability at least ${(1-(\delta _1 + \delta _2))}^d$. Since we have m samples, we must raise the Rényi divergence in Theorem 2 to the $m^{th}$ power. Taking $\epsilon = \frac{1}{m(d+3)}$ ensures that ${\left( \frac{1+\epsilon }{1-\epsilon } \right) }^{(d+3)m} \le 8$. The result now follows from the probability preservation property of the Rényi divergence and the fact that we can reverse the mapping between secrets. $\square $

The results of this section are far more satisfying than the analysis given in the previous section when analysing a secret distribution of the form $D_{{R}^{\vee }, \tau }$. Let us assume that the probability of success p of an algorithm for solving RLWE is non-negligible. Then all we require is that $\delta _1, \delta _2 = O(1/d)$ in order to solve the search MLWE with non-negligible success probability. Therefore, we may take $B_1 = \tilde{\mathcal {O}}(\tau \sqrt{n})$ and $B_2 = \mathcal {O}(dn/\tau )$ for this secret distribution as long as $\tau \ge \tilde{\mathcal {O}}(d\sqrt{n})$. In this case, we have $\alpha ' = \tilde{\mathcal {O}}(\tau n^2 \sqrt{d}/q)$. This simplifies to $\alpha ' = \tilde{\mathcal {O}}(\alpha n^{2} \sqrt{d})$ when considering the normal form of MLWE where $\tau = \alpha q$. Therefore, we see that even for typical error and secret distributions with polynomial standard deviations, search MLWE is not qualitatively harder than search RLWE with larger modulus, i.e. an efficient algorithm for the latter implies an efficient algorithm for the former.

4.1 Strictly Spherical Error Distributions

We will now present a lemma that allows us to reduce from MLWE to RLWE with a spherical error distribution.

Lemma 9

For integers m, n, let $\mathbf M \in \mathbb {R}^{m \times n}$ be a matrix with non-zero singular values $\sigma _i$ for $i = 1, \dots , n$ and take $\beta ^2 \ge \sigma _1^2$. Then

$R_{2}\left( D_{r\beta }\vert \vert D_{r{(\beta ^2\mathbb {I} + \mathbf M ^T\mathbf M )}^{1/2}}\right) \le {\left( 1 + \frac{\sigma _1^4}{\beta ^4} \right) }^{n/2}$,
$R_{\infty }\left( D_{r\beta } \vert \vert D_{r{(\beta ^2\mathbb {I} + \mathbf M ^T\mathbf M )}^{1/2}}\right) \le {\left( 1 + \frac{\sigma _1^2}{\beta ^2} \right) }^{n/2}$.

We can now extend Theorem 2 to get a spherical output error distribution by applying the above Lemma to the final result along with the triangle inequality. In particular, the Rényi divergences given in Theorem 2 increase by factors of ${\left( 1+ \frac{d^4\max _{i,j}|\sigma _j(s_i)|^4}{\beta ^4}\right) }^{n/2}$ and ${\left( 1+ \frac{d^2\max _{i,j}|\sigma _j(s_i)|^2}{\beta ^2}\right) }^{n/2}$ for orders 2 and $\infty $ respectively. Therefore, when applying the theorem to m MLWE samples, we require that $\beta $ increase by factors of ${(mn)}^{1/4}$ for order 2 and ${(mn)}^{1/2}$ for infinite order to ensure $\mathcal {O}(1)$ Rényi divergences. These ideas will be concretised in the proof of Theorem 3 in the next section.

5 Reducing RLWE in (n, q) to $(n/2, q^2)$

Throughout this entire section, we assume that n is a power of two. The reduction strategy is to represent polynomial multiplications in ring dimension n using $n \times n$ matrices by working in the coefficient embedding. The reduction follows the same blueprint as in Sect. 3 apart from the fact that we are no longer working exclusively in the canonical embedding. Since we are considering power-of-two cyclotomic rings, polynomial multiplication is always represented by a matrix of the form given in Eq. (1). Going from ring dimension n to n / 2 just halves the dimension of these matrices. For clarity, we adopt the notation $R_{n,q} = \mathbb {Z}_q[X] / \left\langle X^n+1\right\rangle $ and $R_{n} = \mathbb {Z}[X] / \left\langle X^{n} + 1\right\rangle $.

Our aim is to reduce RLWE in dimension and modulus (n, q) to RLWE in $(n/2, q^2)$ via some mapping: $a \in R_{n,q} \longmapsto \tilde{a} \in R_{n/2,q^2}$, $b \in \mathbb {T} _{{R_{n}}^{\vee }} \longmapsto \tilde{b} \in \mathbb {T} _{{R_{n/2}}^{\vee }}$, $s \in {R_{n,q}}^{\vee } \longmapsto \tilde{s} \in {R_{n/2,q^2}}^{\vee } $. We can start by defining a relationship between $ rot (s)$ and $ rot (\tilde{s})$. In order to make clear the distinction between the two rings, we denote $n \times n$ matrices associated with multiplications in $R_{n,q}$ by writing the subscript n, q. Given $\mathbf G , \mathbf H \in \mathbb {Z}^{n/2 \times n}$, the linear relationship will be defined via the equation

$$\begin{aligned} rot (\tilde{s})_{n/2, q^2} = 2 \cdot \mathbf H \cdot rot (s)_{n,q} \cdot \mathbf G ^T. \end{aligned}$$

(15)

Note that the factor of 2 is present to account for the fact that the new secret should be in the dual ring ${R_{n/2, q^2}}^{\vee } = \frac{2}{n}R$ and the matrix $\mathbf H $ ensures that we end up with a square matrix $ rot (\tilde{s})_{n/2,q^2}$. We also need to be careful that $\mathbf G $ and $\mathbf H $ are chosen so the matrix $ rot (\tilde{s})_{n/2,q^2}$ has the correct form. Define the map between b and $\tilde{b}$ (up to some Gaussian error) as

$$\begin{aligned} \tilde{b}_{vec} \approx 2\mathbf H \cdot b_{vec}. \end{aligned}$$

In order for the reduction to work, we require that $\tilde{b} \approx \tilde{a} \cdot \tilde{s} / q^2 \bmod {R_{n/2}}^{\vee } $ i.e.

$$\begin{aligned} 2 \cdot \mathbf H \cdot rot (s)_{n,q} \cdot \frac{1}{q} a_{vec} \approx 2 \cdot \mathbf H \cdot rot (s)_{n,q} \cdot \mathbf G ^T \cdot \frac{1}{q^2} \tilde{a}_{vec} \bmod {2/n}. \end{aligned}$$

It is easy to see that we can satisfy this requirement by choosing $\tilde{a}$ such that

$$\begin{aligned} \frac{1}{q} a_{vec}^T = \frac{1}{q^2} \mathbf G ^T \cdot \tilde{a}_{vec}^T \bmod 1. \end{aligned}$$

Explicit forms for our choice of $\mathbf G $ and $\mathbf H $ are

$$\begin{aligned} \mathbf G&= \mathbb {I} _{n/2} \otimes (1,q) \in \mathbb {Z}^{n/2 \times n}, \end{aligned}$$

(16)

$$\begin{aligned} \mathbf H&= \mathbb {I} _{n/2} \otimes (1,0) \in \mathbb {Z}^{n/2 \times n}. \end{aligned}$$

(17)

Claim

Take $\mathbf G $ and $\mathbf H $ as above. Then $ rot (\tilde{s})_{n/2,q^2}$ is of the correct form (i.e. represents multiplication by some polynomial in $(R_{n/2, q^2})$).

Proof

We can write simple explicit forms ${(\mathbf G ^T)}_{kl} = \delta _{k, 2l-1} + q\delta _{k, 2l}$ and ${(\mathbf H )}_{ij} = \delta _{2i-1, j}$. Then the matrix multiplication $\mathbf H \cdot rot (s)_{n,q}\cdot \mathbf G ^T$ yields ${( rot (\tilde{s})_{n/2,q^2})}_{il} = {( rot (s)_{n,q})}_{2i-1, 2l-1} + {(q rot (s)_{n,q})}_{2i-1, 2l}$ which is of the correct form. $\square $

Note that the mapping between secrets is

$$\begin{aligned} s = \sum _{i=0}^{n-1} s_i \cdot X^i \longmapsto \tilde{s} = (s_0 -qs_{n-1}) + \sum _{i=1}^{n/2-1} \left( s_{2i} + qs_{2i-1} \right) \cdot X^i. \end{aligned}$$

(18)

Now the proof of correctness for this reduction is essentially the same as Theorem 2 with a few alterations. One of the more important changes is that we use Lemma 9 and target a spherical error. We do this to ensure that multiplication by $\mathbf H $ leads to a Gaussian with parameters that we can easily bound.

Theorem 3

Let n be a power of two, q be an integer, fix $s \in {R_{n,q}}^{\vee } $ and

$$\begin{aligned} r \ge \frac{1}{q} \cdot \max \left\{ 1,\frac{\Vert s_{vec}\Vert }{\sigma _n( rot (s))}\right\} \cdot \sqrt{2\ln (2n(1 + 1/\epsilon ))/\pi }. \end{aligned}$$

Further, let $\sigma _1 :=\sigma _1( rot (s))$ and $\beta \ge 2\sigma _1\sqrt{n}$.

For any $\alpha > 0$, there exists an efficient mapping $\mathcal {F}: R_{n,q} \times \mathbb {T} _{{R_{n,q}}^{\vee }} \rightarrow R_{n/2,q} \times \mathbb {T} _{{R_{n/2, q^2}}^{\vee }}$ such that

$R_{2}\left( A^{R_{n/2}}_{q^2, \tilde{s}, D_{\alpha '}}\vert \vert \mathcal {F}(A^{R_{n}}_{q, s, D_{\alpha }})\right) \le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^4 \cdot {\left( 1 + \frac{16n^2\sigma _1^4}{\beta ^4} \right) }^{n/2}$,
$R_{\infty }\left( A^{R_{n/2}}_{q^2, \tilde{s}, D_{\alpha '}} \vert \vert \mathcal {F}(A^{R_{n}}_{q, s, D_{\alpha }})\right) \le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^4 \cdot {\left( 1 + \frac{4n\sigma _1^2}{\beta ^2} \right) }^{n/2}$

where $\tilde{s}$ is given in Eq. (18) and ${(\alpha ')}^2 = 4\alpha ^2 + r^2\beta ^2$.

Proof

Suppose we are given $(a, b) \in R_{n,q} \times \mathbb {T} _{{R_{n,q}}^{\vee }}$ and take $\mathbf G , \mathbf H \in \mathbb {Z}^{n/2 \times n}$ as in Eqs. (16) and (17) respectively. The mapping $\mathcal {F}$ is performed as follows:

1.
Sample $\mathbf f \leftarrow D_{\varLambda - \frac{1}{q} a_{vec} , r}$ over the lattice $\varLambda = \frac{1}{q^2} \mathbf G ^T \mathbb {Z}^{n/2} + \mathbb {Z}^{n}$. Note that the parameter r is large enough so we can sample the discrete Gaussian efficiently by Lemma 2 since $\Vert \tilde{\mathbf{B }}_\varLambda \Vert = q^{-1}$.
2.
Let $\mathbf v = \frac{1}{q} a_{vec} + \mathbf f \in \varLambda /\mathbb {Z}^{n}$ and set $\mathbf x $ to be a random solution of $\frac{1}{q^2} \mathbf G ^T \mathbf x = \mathbf v \bmod 1$. Then set $\tilde{a} \in R_{n/2, q^2}$ to be the unique polynomial such that $\tilde{a}_{vec} = \mathbf x $.
3.
Sample $\tilde{e}$ from the distribution $D_{r\beta }$ over $K_\mathbb {R}\simeq H \simeq \mathbb {R}^{n/2}$ and set $\tilde{b} = 2\mathbf H \cdot b+\tilde{e} \in \mathbb {T} _{{R_{n/2, q^2}}^{\vee }}$.
4.
Finally, output $(\tilde{a}, \tilde{b}) \in (R_{n/2, q^2}) \times \mathbb {T} _{{R_{n/2, q^2}}^{\vee }}$.

Distribution of $\tilde{a}$ : We can precisely repeat the argument given in the proof of Theorem 2 after noting that $r \ge \eta _{\epsilon }(\varLambda )$ and $r \ge \eta _{\epsilon }(q^{-1}\mathbb {Z}^n)$. The only conceptual difference is that we are now working in the coefficient embedding. Denoting the distribution of $\tilde{a}$ given uniform a by $D^{(\tilde{a})}$, we find that

$$\begin{aligned} R_{\infty }\left( U(R_{n/2, q^2}) \vert \vert D^{(\tilde{a})}\right) \le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2. \end{aligned}$$

(19)

Distribution of the error: We now condition on fixed $\tilde{a} = \bar{\tilde{a}}$ and set $\bar{\mathbf{v }} = \mathbf G ^T \bar{\tilde{a}}_{vec}$. Denoting the distribution of $-\mathbf f $ as $D^{(-\mathbf f )}$ we also have that

$$\begin{aligned} R_{\infty }\left( D_{\frac{1}{q}\mathbb {Z}^n - \bar{\mathbf{v }}, r} \vert \vert D^{(-\mathbf f )}\right) \le \left( \frac{1+\epsilon }{1-\epsilon } \right) . \end{aligned}$$

All that remains is to analyse the distribution of

$$\begin{aligned} \left( \tilde{b} - \frac{1}{q^2} \tilde{a} \cdot \tilde{s}\right) _{vec}&= 2 \mathbf H \cdot rot (s) \cdot (-\mathbf f ) + 2\mathbf H \cdot e_{vec} + \tilde{e}_{vec} \bmod 2/n \end{aligned}$$

(20)

$$\begin{aligned}&=2\mathbf H \cdot \left( rot (s) \cdot (-\mathbf f ) + e_{vec} + \tilde{e}_{vec}^*\right) \bmod 2/n \end{aligned}$$

(21)

where $\tilde{e}_{vec}^*$ (resp. $e_{vec}$) is drawn from the spherical distribution $D_{r\beta /(2\sqrt{n})}$ (resp. $D_{\alpha /\sqrt{n}}$). Note that the $\sqrt{n}$ factors take into account that we are working in the coefficient embedding.

The distribution of $ rot (s) \cdot D_{\frac{1}{q}\mathbb {Z}^n - \bar{\mathbf{v }}, r}$ is $D_{\frac{1}{q} rot (s)\mathbb {Z}^n - rot (s)\bar{\mathbf{v }}, r\cdot rot (s)^T}$. By working in the orthogonal basis where the covariance matrix $ rot (s)^T rot (s)$ is diagonal, we can apply Lemma 5. We also apply the data-processing inequality on $(-\mathbf f , \tilde{e}_{vec}^*) \longmapsto - rot (s) \cdot \mathbf f + \tilde{e}_{vec}^*$ along with the triangle inequality to obtain

$$\begin{aligned} R_{\infty }\left( D_{err} \vert \vert D^{(- rot (s) \cdot \mathbf f + \tilde{e}_{vec}^*)}\right) \le \left( \frac{1+\epsilon }{1-\epsilon } \right) \cdot \left( \frac{1+\epsilon }{1-\epsilon } \right) , \end{aligned}$$

(22)

where $D_{err}$ is a continuous Gaussian distribution with covariance $\varSigma = r^2(\frac{\beta ^2}{4n} \mathbb {I} + rot (s)^T rot (s))$ and $D^{(- rot (s) \cdot \mathbf f + \tilde{e}_{vec}^*)}$ is the exact distribution of $- rot (s) \cdot \mathbf f + \tilde{e}_{vec}^*$.

Distance to spherical error: We now apply Lemma 9 to find that

$$\begin{aligned} R_{2}\left( D_{r\beta /(2\sqrt{n})}\vert \vert D_{err}\right)&\le {\left( 1 + \frac{16n^2\sigma _1^4}{\beta ^4} \right) }^{n/2},\\ R_{\infty }\left( D_{r\beta /(2\sqrt{n})} \vert \vert D_{err}\right)&\le {\left( 1 + \frac{4n\sigma _1^2}{\beta ^2} \right) }^{n/2}. \end{aligned}$$

Finally, using the weak triangle inequality with intermediate distribution $2\mathbf H \cdot D_{err}$ and the data-processing inequality, we obtain

$$\begin{aligned} R_{2}\left( 2\mathbf H \cdot D_{{({(r\beta )}^2/(4n) + \alpha ^2/n)}^{1/2}}\vert \vert D^{(RHS)}\right)&\le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2 \cdot {\left( 1 + \frac{16n^2\sigma _1^4}{\beta ^4} \right) }^{n/2},\\ R_{\infty }\left( 2\mathbf H \cdot D_{{({(r\beta )}^2/(4n) + \alpha ^2/n)}^{1/2}} \vert \vert D^{(RHS)}\right)&\le {\left( \frac{1+\epsilon }{1-\epsilon } \right) }^2 \cdot {\left( 1 + \frac{4n\sigma _1^2}{\beta ^2} \right) }^{n/2} \end{aligned}$$

where $D^{(RHS)}$ is the distribution of the RHS in Eq. (20).

Distribution of the reduction output: We conclude by combining the above results in the same way as in the proof of Theorem 2. We must also scale up by a factor of $\sqrt{n}$ to account for the fact that we have been working in the coefficient embedding. $\square $

Corollary 4

Let n be a power of two and $\chi $ be a distribution over ${R}^{\vee } _n$ satisfying

for some $(B_1, \delta _1)$ and $(B_2, \delta _2)$. Also, let $\alpha >0$ and $\epsilon \in (0,1/2)$. For any

$$\begin{aligned} r \ge \frac{1}{q} \cdot \max \{1, B_1B_2\} \cdot \sqrt{2\ln (2n(4m+1))/\pi }, \end{aligned}$$

let ${(\alpha '_c)}^2 = 4\alpha ^2 + 4r^2 B_1^2 {(mn)}^{2c}$. Suppose there exists an algorithm solving search $RLWE^{(R_{n/2})}_{m, q^2, D_{\alpha '_c}}(U({R}^{\vee } _{n/2,q^2}))$ for $c = 1/4$ (resp. $c=1/2$) with success probability $p_{1/4}$ (resp. $p_{1/2}$). Then there exists algorithms solving $RLWE^{(R_{n})}_{m,q,D_{\alpha }}(\chi )$ with success probabilities at least $(1-(\delta _1 + \delta _2))\frac{p_{1/4}^2}{8e^{1/2}}$ and $(1-(\delta _1 + \delta _2))\frac{p_{1/2}}{8e^{1/2}}$.

Proof

We will be applying the reduction in Theorem 3 with $\epsilon = 1/(4m)$ along with a re-randomizing of the secret. We take $\beta = 2B_1 {(mn)}^c$ in the theorem. Recall that for power-of-two cyclotomic rings, we have $\Vert \sigma _H(s)\Vert =\sqrt{n}\Vert s_{vec}\Vert $, $\min _j |\sigma _j(s)| = \sigma _n( rot (s))$ and $\max _j |\sigma _j(s)| = \sigma _1( rot (s))$. This means that we are able to apply the reduction and analysis of Theorem 3 with probability at least $1-(\delta _1 + \delta _2)$. Since we have m samples, we need to raise the Rényi divergences to the $m^{th}$ power. Therefore, in the case that $c=1/4$ (resp. $c=1/2$), we have that the Rényi divergence of order 2 (resp. order $\infty $) is upper bounded by $8 \cdot e^{1/2}$. Note that the reduction defines a reversible map between the secrets. Therefore, the result is obtained by running the reduction, re-randomizing the secret, solving the resulting search RLWE instance and then mapping back to the original secret. $\square $

Typically, we would have access to $m=\mathcal {O}(1)$ RLWE samples. Considering the normal form of RLWE with secret distribution $D_{{R}^{\vee }, \alpha q}$, we can take the parameters $B_1$ and $B_2$ to be $\tilde{\mathcal {O}}(\alpha q \sqrt{n})$ and $\tilde{\mathcal {O}}(n/(\alpha q))$ respectively. Therefore, the above corollary says that if we can solve RLWE in dimension n / 2, modulus $q^2$ and error rate $\alpha \cdot n^{9/4}$ with non-negligible probability in polynomial time, then we can also solve RLWE with dimension n, modulus q and error rate $\alpha $ is polynomial time with non-negligible probability.

Notes

1.
Except for RLWE instances with modulus $q^{n}$ which are known to be as hard as LWE in dimension $n$ and modulus $q$ [BLP+13].

References

Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert [Gil10], pp. 553–572
Google Scholar
Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - a new hope. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, pp. 327–343. USENIX Association (2016)
Google Scholar
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9(3), 169–203 (2015)
Article MathSciNet MATH Google Scholar
Banaszczyk, W.: New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296(1), 625–635 (1993)
Article MathSciNet MATH Google Scholar
Bos, J.W., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! Practical, quantum-secure key exchange from LWE. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 16: 23rd Conference on Computer and Communications Security, pp. 1006–1018. ACM Press, October 2016
Google Scholar
Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: 2015 IEEE Symposium on Security and Privacy, pp. 553–570. IEEE Computer Society Press, May 2015
Google Scholar
Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V., Schanck, J.M., Schwabe, P., Stehlé, D.: CRYSTALS - kyber: a CCA-secure module-lattice-based KEM. Cryptology ePrint Archive, Report 2017/634 (2017). http://eprint.iacr.org/2017/634
Bai, S., Galbraith, S.D.: An improved compression technique for signatures based on learning with errors. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 28–47. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_2
Chapter Google Scholar
Bogdanov, A., Guo, S., Masny, D., Richelson, S., Rosen, A.: On the hardness of learning with rounding over small modulus. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 209–224. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_9
Chapter Google Scholar
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: Goldwasser, S. (ed.) ITCS 2012: 3rd Innovations in Theoretical Computer Science, pp. 309–325. Association for Computing Machinery, January 2012
Google Scholar
Bai, S., Langlois, A., Lepoint, T., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 3–24. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_1
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 575–584. ACM Press, June 2013
Google Scholar
Cramer, R., Ducas, L., Peikert, C., Regev, O.: Recovering short generators of principal ideals in cyclotomic rings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 559–585. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_20
Chapter Google Scholar
Cramer, R., Ducas, L., Wesolowski, B.: Short stickelberger class relations and application to ideal-SVP. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 324–348. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56620-7_12
Chapter Google Scholar
Canetti, R., Garay, J.A. (eds.): CRYPTO 2013. LNCS, vol. 8042. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4
MATH Google Scholar
Campbell, P., Groves, M., Shepherd, D.: Soliloquy: a cautionary tale. In: ETSI 2nd Quantum-Safe Crypto Workshop, pp. 1–9 (2014)
Google Scholar
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti and Garay [CG13], pp. 40–56
Google Scholar
Ducas, L., Lepoint, T., Lyubashevsky, V., Schwabe, P., Seiler, G., Stehle, D.: CRYSTALS - Dilithium: digital signatures from module lattices. Cryptology ePrint Archive, Report 2017/633 (2017). http://eprint.iacr.org/2017/633
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 22–41. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_2
Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 169-178. ACM Press, May/June 2009
Google Scholar
Gentry, C.: Toward basing fully homomorphic encryption on worst-case hardness. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 116–137. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_7
Chapter Google Scholar
Gilbert, H. (ed.): EUROCRYPT 2010. LNCS, vol. 6110. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5
MATH Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM Press, May 2008
Google Scholar
Gentry, C., Sahai, A., Waters, B.: Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based. In: Canetti and Garay [CG13], pp. 75–92
Google Scholar
Herold, G., Kirshanova, E., May, A.: On the asymptotic complexity of solving LWE. Des. Codes Crypt. 1–29 (2017). https://link.springer.com/journal/10623/onlineFirst/page/6
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Chapter Google Scholar
Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4
Chapter Google Scholar
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_21
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert [Gil10], pp. 1–23
Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Chapter Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)
Article MathSciNet MATH Google Scholar
Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_14
Chapter Google Scholar
Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-540-88702-7_5
Chapter Google Scholar
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC 2017 (2017)
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th Annual ACM Symposium on Theory of Computing, pp. 84–93. ACM Press, May 2005
Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009). Article no. 34
Article MathSciNet MATH Google Scholar
Stehlé, D., Steinfeld, R.: Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive, Report 2013/004 (2013). http://eprint.iacr.org/2013/004
van Erven, T., Harremos, P.: Rényi divergence and kullback-leibler divergence. IEEE Trans. Inf. Theory 60(7), 3797–3820 (2014)
Article MATH Google Scholar

Download references

Acknowledgements

We thank Adeline Roux-Langlois and Léo Ducas for helpful discussions on an earlier draft of this work. We also thank our anonymous referees for their feedback.

Author information

Authors and Affiliations

Information Security Group, Royal Holloway, University of London, London, UK
Martin R. Albrecht & Amit Deo

Authors

Martin R. Albrecht
View author publications
You can also search for this author in PubMed Google Scholar
Amit Deo
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Martin R. Albrecht or Amit Deo .

Editor information

Editors and Affiliations

The University of Tokyo, Tokyo, Japan
Tsuyoshi Takagi
Nanyang Technological University, Singapore, Singapore
Thomas Peyrin

A Design Space for RLWE Public-Key Encryption

Recall the simple public-key encryption scheme from [LPR10] which serves as the blueprint for many subsequent constructions. The scheme publishes a public-key $(a,b = a\cdot s + e)$, where both $s$ and $e$ are small elements from the ring of integers of a power-of-two cyclotomic field. Encryption of some polynomial $m$ with $\{0,1\}$ coefficients is then performed by sampling short $r,e_{1},e_{2}$ and outputting:

$$\begin{aligned} \big (u,\, v\big ) = \big (a\cdot r + e_{1},\quad b\cdot r + e_{2} + \lfloor q/2 \rfloor \cdot m \bmod q\big ). \end{aligned}$$

The decryption algorithm computes

$$\begin{aligned} u\cdot s - v = (a\cdot r + e_{1})\cdot s - (a \cdot s + e) \cdot r - e_{2} - \lfloor q/2 \rfloor \cdot m. \end{aligned}$$

Let $\sigma $ be the norm of $s,e, r,e_{1},e_{2}$. Clearly, the final message will have noise of norm $\ge \sigma ^{2}$. Thus to ensure correct decryption, $q$ has a quadratic dependency on $\sigma $. As a consequence, in this construction, increasing $\sigma $ and $q$ can only reduce security by increasing the gap between noise and modulus.

However, this issue can be avoided and is avoided in MLWE-based constructions by picking some $\sigma ' < \sigma $ at the cost of publishing more samples in the public key. For example, if $d=2$ the public key becomes

$$\begin{aligned} \left( (a',b'),\, (a'',b'') \right) = \left( (a', a'\cdot s + e'),\, (a'', a''\cdot s + e'')\right) , \end{aligned}$$

where $s,e'e,''$ have norm $\sigma $. Encryption of some $\{0,1\}$ polynomial $m$ is then performed by sampling short $r',r'',e_{1},\,e_{2}$ with norm $\sigma '$ and outputting

$$\begin{aligned} \left( u,\, v\right) = \left( a'\cdot r' + a''\cdot r'' + e_{1},\quad b'\cdot r' + b''\cdot r'' + e_{2} + \lfloor q/2 \rfloor \cdot m \bmod q\right) . \end{aligned}$$

The decryption algorithm computes

$$\begin{aligned} u\cdot s - v = (a'\cdot r' + a''\cdot r'' + e_{1})\cdot s - (a'\cdot s + e')\cdot r' - (a''\cdot s + e'')\cdot r'' - e_{2} - \lfloor q/2 \rfloor \cdot m. \end{aligned}$$

The security of the public key reduces to the hardness of RLWE in dimension $n$ with modulus $q$ and noise size $\sigma $ as before. The security of encryptions reduces to the hardness of MLWE in dimension $d=2$ over ring dimension $n$, modulus $q$ and noise size $\sigma '$, i.e. the level of security is maintained for $\sigma '<\sigma $ by increasing the dimension. While we still require $q>\sigma \cdot \sigma '$, the size of $\sigma '$ can be reduced at the cost of increasing $d$ resp. by relying on RLWE with modulus $q^{d}$. Finally, note that we may think of Regev’s original encryption scheme [Reg09] as one extreme corner of this design space (for LWE) with $d=2\,n \log q$, where $r',r''$ are binary and where $e_{1},e_{2}=0,0$. That is, in the construction above, we can replace the Module-LWE assumption by the leftover hash lemma if $d$ is sufficiently big.

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Albrecht, M.R., Deo, A. (2017). Large Modulus Ring-LWE $\ge $ Module-LWE. In: Takagi, T., Peyrin, T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Lecture Notes in Computer Science(), vol 10624. Springer, Cham. https://doi.org/10.1007/978-3-319-70694-8_10

Download citation

DOI: https://doi.org/10.1007/978-3-319-70694-8_10
Published: 30 November 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-70693-1
Online ISBN: 978-3-319-70694-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Abstract

1 Introduction

Corollary

2 Preliminaries

2.1 Coefficient Embeddings

2.2 Canonical Embeddings

Remark 1

2.3 Ring-LWE and Module-LWE

Definition 1 (RLWE Distribution)

Definition 2 (Decision/Search RLWE problem)

Definition 3 (MLWE Distribution)

Definition 4 (Decision/Search MLWE problem)

2.4 Statistical Distance and Rényi Divergence

Definition 5 (Statistical Distance)

Claim

Definition 6

Lemma 1 (Useful facts on Rényi divergence)

2.5 Gaussian Measures

Definition 7 (Continuous Gaussian distribution)

Definition 8 (Multivariate Gaussian distribution)

Lemma 2

Definition 9

Lemma 3

Lemma 4

Lemma 5

Lemma 6

3 Reduction for General Rings

Theorem 1

Proof

Remark 2

Corollary 1

Proof

3.1 Power-of-Two Cyclotomic Rings

Lemma 7

Proof

Lemma 8

Proof

Corollary 2

Proof

4 Search Reductions Using Rényi Divergence

Theorem 2

Proof

Corollary 3

Proof

4.1 Strictly Spherical Error Distributions

Lemma 9

5 Reducing RLWE in (n, q) to \((n/2, q^2)\)

Claim

Proof

Theorem 3

Proof

Corollary 4

Proof

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

A Design Space for RLWE Public-Key Encryption

A Design Space for RLWE Public-Key Encryption

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation