3 Ring LWE

The learning with errors (LWE) problem is to efficiently distinguish vectors created from a ‘noisy’ set of linear equations between uniformly random vectors. Given a matrix A ∈ Zm×n q and a vector v ∈ Zq , the goal is to determine whether v has been sampled uniformly at random from Zq or whether v = As+ e for some random s ∈ Zq and e ∈ χm, where χ is a small ‘noise’ distribution over Zq. Observe that this is phrased as a decision problem. The search version of LWE (to recover the vector s, given polynomially many samples of the form As + e) can be shown to be equivalent. The problem is very closely related to coding theory. If we choose the parameter q = 2, this becomes the well-studied learning parity with noise (LPN) problem, which is believed to be hard. Recovering the key from the more general LWE problem is essentially equivalent to decoding a noisy linear code, also a long established difficult problem in coding theory. However, for modern cryptographic purposes it is more important to ensure indistinguishability of encryptions rather than just security against key recovery. For this purpose it helps to look at the problem from a lattice-based perspective. The vector v = As + e can be seen as an element of the q-ary lattice Λq(A ) with a small perturbation vector added. The task here is to distinguish this from a uniformly random vector. In 2005, Regev [Reg05] formalised this relationship by giving a reduction from worst-case lattice problems to LWE (for certain parameter choices):