On the tightness of the error bound in Ring-LWE

Authors

  • Wouter Castryck
  • Ilia Iliashenko
  • Frederik Vercauteren
Abstract

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the Ring Learning With Errors problem (Ring-LWE) has been widely used as a building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction to ideal lattice problems. This reduction assumes a lower bound on the width of the error distribution that is often violated in practice. In this paper we show that caution is needed when doing so, by providing, for any $\varepsilon > 0$, a family of number fields $K$ of increasing degree $n$ for which Ring-LWE can be broken easily as soon as the errors required by the reduction are scaled down by $|\Delta_K|$, with $\Delta_K$ the discriminant of $K$.

2000 Mathematics Subject Classification 11T71 (primary), 11R04, 11R11, 11R18, 11T22 (secondary). This work was supported by the European Commission through the ICT programme under contracts H2020-ICT-2014-1 644209 HEAT and H2020-ICT-2014-1 645622 PQCRYPTO.

Page 2 of 12 W. CASTRYCK, I. ILIASHENKO AND F. VERCAUTEREN

1. The Ring-LWE problem

About a decade ago Regev [18] proposed a new hard problem for use in public-key cryptography, namely the learning with errors problem (LWE), which informally stated is about solving an approximate linear system
$$A \cdot \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} \approx \begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix}$$
for an unknown secret $s = (s_1, s_2, \ldots, s_n)$ over $\mathbb{Z}/q\mathbb{Z}$, with $q$ some integer modulus. The entries of $A$ have been selected independently and uniformly at random, and the $b_i$'s carry small error terms, obtained by sampling from a fixed Gaussian centered around $0$ and reducing the outcome mod $q$. These errors are elements of $\mathbb{R}/q\mathbb{Z}$, but in practice they are rounded to the nearest element of $\mathbb{Z}/q\mathbb{Z}$. To recover $s$ uniquely, the system has to be overdetermined, i.e. $m > n$. In fact, in Regev's model an attacker is allowed to ask for new equations indefinitely, in the hope of gradually unveiling $s$: hence the terminology learning with errors.

The LWE problem is acclaimed for three reasons. Firstly, it enjoys a 'hardness proof' in the form of a reduction to worst-case instances of certain well-established lattice problems [2, 17, 18], providing security guarantees that are lacking for classical hard problems such as integer factorization or discrete logarithm computation. Secondly, it seems that LWE would remain hard in a post-quantum world, unlike the classical problems [19]. Thirdly, LWE has proven to be very versatile for use in cryptography, enabling applications that were impossible before, such as homomorphic encryption [1, 3]. Its major drawback, however, is that the key sizes of the resulting cryptosystems are impractically large: typically one needs the entire $(m \times n)$-matrix $A$. One idea to address this [3, 16] is to endow $(\mathbb{Z}/q\mathbb{Z})^n$ with a ring structure, for instance by identifying it with $\mathbb{Z}[x]/(q, f)$ for some monic degree $n$ polynomial $f \in \mathbb{Z}[x]$ (using the polynomial basis $1, x, x^2, \ldots, x^{n-1}$), and to replace $A$ by the matrix $A_a$ of multiplication by some ring element $a$. This is often referred to as Polynomial-LWE. By storing $a$ rather than $A_a$ one gains a factor $n$, thereby addressing the key size issue. But restricting to multiplication matrices comes at the cost of giving up on the randomness, thereby invalidating the mentioned hardness proof, and in fact it is possible to cook up instances of the problem having certain flaws [11, 14].

In [16] Lyubashevsky, Peikert and Regev tweaked this idea in a remarkable way by introducing Ring-LWE. To start with, one fixes a degree $n$ number field $K$ with ring of integers $R = \mathcal{O}_K$, and as before one chooses an integral modulus $q$. The central role is played by the codifferent $R^\vee$ of $K$, which is defined as the inverse (fractional) ideal of the different ideal $\partial \subset R$. Alternatively it can be viewed as the dual of $R$ with respect to the trace pairing:
$$R^\vee = \{\, x \in K \mid \mathrm{Tr}_{K/\mathbb{Q}}(xR) \subset \mathbb{Z} \,\}. \qquad (1.1)$$
The reductions of $R$ and $R^\vee$ modulo $q$ are denoted by $R_q$ and $R^\vee_q$, respectively.

The Ring-LWE problem is then about guessing a secret $s \in R^\vee_q$ from an arbitrary number of approximate equations of the form
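The Polynomial-LWE construction described in the introduction, in which the random matrix $A$ is replaced by the multiplication matrix $A_a$ of a ring element $a \in \mathbb{Z}[x]/(q, f)$, as an added worked example (this is illustration code written for this page, not code from the paper or its authors). It builds $A_a$ column by column over the basis $1, x, \ldots, x^{n-1}$, checks that the matrix view and the ring view agree, generates a sample $b = a \cdot s + e$ with a discretised Gaussian error, and recovers the error from the sample when the secret is known. The parameters $f = x^n + 1$, $n = 8$, $q = 97$ and the error width are constructed toy values chosen so the arithmetic can be inspected by hand; they carry no security.

```python
"""Poly-LWE: the multiplication matrix A_a of Z[x]/(q, f) and sample generation.

Added illustration for this page, not the paper's code. All parameters below
are constructed toy values (far too small for any real use).
"""
import random


def poly_mulmod(a, b, f, q):
    """Multiply a and b (coefficient lists, lowest degree first) in Z[x]/(q, f).

    f is monic of degree n and is given by its n + 1 coefficients, so the
    relation x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1}) is used to reduce.
    """
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # Fold every term of degree >= n back below degree n, highest degree first.
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for t in range(n):
                prod[k - n + t] = (prod[k - n + t] - c * f[t]) % q
    return prod[:n]


def mult_matrix(a, f, q):
    """Return A_a, the n x n matrix of multiplication by a over the basis
    1, x, ..., x^{n-1}: column j holds the coefficients of a * x^j mod (q, f)."""
    n = len(f) - 1
    cols = []
    for j in range(n):
        xj = [0] * n
        xj[j] = 1
        cols.append(poly_mulmod(a, xj, f, q))
    # Transpose so that row i gives the i-th output coefficient.
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def matvec(A, s, q):
    """Ordinary matrix-vector product over Z/qZ."""
    return [sum(A[i][j] * s[j] for j in range(len(s))) % q for i in range(len(A))]


def sample_error(n, sigma, q, rng):
    """Gaussian error in R/qZ, rounded to the nearest element of Z/qZ."""
    return [round(rng.gauss(0, sigma)) % q for _ in range(n)]


def poly_lwe_sample(s, f, q, sigma, rng):
    """One Poly-LWE sample (a, b) with b = a * s + e in Z[x]/(q, f)."""
    n = len(f) - 1
    a = [rng.randrange(q) for _ in range(n)]
    e = sample_error(n, sigma, q, rng)
    b = [(c + ei) % q for c, ei in zip(poly_mulmod(a, s, f, q), e)]
    return a, b, e


def centered(x, q):
    """Representative of x mod q in the interval (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def check_sample(a, b, s, f, q):
    """With the secret known, b - a * s mod q (centered) is exactly the error."""
    return [centered(bi - ci, q) for bi, ci in zip(b, poly_mulmod(a, s, f, q))]


def demo(n=8, q=97, sigma=1.0, seed=1):
    """Run one constructed Poly-LWE instance and return what it shows."""
    rng = random.Random(seed)
    f = [1] + [0] * (n - 1) + [1]          # f = x^n + 1 (constructed toy modulus)
    s = [rng.randrange(q) for _ in range(n)]
    a, b, e = poly_lwe_sample(s, f, q, sigma, rng)
    A = mult_matrix(a, f, q)
    # The matrix view and the ring view of the same product must agree.
    assert matvec(A, s, q) == poly_mulmod(a, s, f, q)
    return {
        "matrix_entries": n * n,            # what plain LWE would have to store
        "ring_entries": n,                  # what Poly-LWE stores instead: a itself
        "error": [centered(x, q) for x in e],
        "recovered": check_sample(a, b, s, f, q),
    }


if __name__ == "__main__":
    print(demo())
```

The factor-$n$ saving in the text is visible in the returned `matrix_entries` versus `ring_entries`: $A_a$ is fully determined by the $n$ coefficients of $a$. The `demo` function also performs the consistency check that $A_a \cdot s$ equals $a \cdot s$ reduced mod $(q, f)$, which is the identity that makes the replacement of $A$ by $A_a$ well defined.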

Similar resources

A New Ring-Based SPHF and PAKE Protocol On Ideal Lattices

Smooth Projective Hash Functions (SPHFs), as a specific pattern of zero knowledge proof system, are fundamental tools to build many efficient cryptographic schemes and protocols. As an application of SPHFs, the Password-Based Authenticated Key Exchange (PAKE) protocol is a well-studied area in the last few years. In 2009, Katz and Vaikuntanathan described the first lattice-based ...


Provably Weak Instances of Ring-LWE

The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been proposed as hard problems to form the basis for cryptosystems, and various security reductions to hard lattice problems have been presented. So far these problems have been stated for general (number) rings but have only been closely examined for cyclotomic number rings. In this paper, we state and examine t...


On the Hardness of LWE with Binary Error: Revisiting the Hybrid Lattice-Reduction and Meet-in-the-Middle Attack

The security of many cryptographic schemes has been based on special instances of the Learning with Errors (LWE) problem, e.g., Ring-LWE, LWE with binary secret, or LWE with ternary error. However, recent results show that some subclasses are weaker than expected. In this work we show that LWE with binary error, introduced by Micciancio and Peikert, is one such subclass. We achieve this by appl...


How (Not) to Instantiate Ring-LWE

The learning with errors over rings (Ring-LWE) problem—or more accurately, family of problems—has emerged as a promising foundation for cryptography due to its practical efficiency, conjectured quantum resistance, and provable worst-case hardness: breaking certain instantiations of Ring-LWE is at least as hard as quantumly approximating the Shortest Vector Problem on any ideal lattice in the r...


On error distributions in ring-based LWE

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus q and degree n number field K, generating ring-LWE samples can be perceiv...



Journal title:
  • IACR Cryptology ePrint Archive

Volume 2016  Issue 

Pages  -

Publication date 2016