On the Ring-LWE and Polynomial-LWE problems

The Ring Learning With Errors problem (RLWE) comes in various forms. Vanilla RLWE is the decision dual-RLWE variant, consisting in distinguishing from uniform a distribution depending on a secret belonging to the dual O_K^vee of the ring of integers O_K of a specified number field K. In primal-RLWE, the secret instead belongs to O_K. Both decision dual-RLWE and primal-RLWE enjoy search counterparts. Also widely used is (search/decision) Polynomial Learning With Errors (PLWE), which is not defined using a ring of integers O_K of a number field K but a polynomial ring ZZ[x]/f for a monic irreducible f in ZZ[x]. We show that there exist reductions between all of these six problems that incur limited parameter losses. More precisely: we prove that the (decision/search) dual to primal reduction from Lyubashevsky et al. [EUROCRYPT~2010] and Peikert [SCN~2016] can be implemented with a small error rate growth for all rings (the resulting reduction is non-uniform polynomial time); we extend it to polynomial-time reductions between (decision/search) primal RLWE and PLWE that work for a family of polynomials f that is exponentially large as a function of deg f (the resulting reduction is also non-uniform polynomial time); and we exploit the recent technique from Peikert et al. [STOC~2017] to obtain a search to decision reduction for RLWE for arbitrary number fields. The reductions incur error rate increases that depend on intrinsic quantities related to K and f

On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial

Recently, Blanco-Chac\'on proved the equivalence between the Ring Learning With Errors and Polynomial Learning With Errors problems for some families of cyclotomic number fields by giving some upper bounds for the condition number $\operatorname{Cond}(V_n)$ of the Vandermonde matrix $V_n$ associated to the $n$th cyclotomic polynomial. We prove some results on the singular values of $V_n$ and, in particular, we determine $\operatorname{Cond}(V_n)$ for $n = 2^k p^\ell$, where $k, \ell \geq 0$ are integers and $p$ is an odd prime number

RLWE and PLWE over cyclotomic fields are not equivalent

We prove that the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems over the cyclotomic field $\mathbb{Q}(\zeta_n)$ are not equivalent. Precisely, we show that reducing one problem to the other increases the noise by a factor that is more than polynomial in $n$. We do so by providing a lower bound, holding for infinitely many positive integers $n$, for the condition number of the Vandermonde matrix of the $n$th cyclotomic polynomial

Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory

The present survey reports on the state of the art of the different cryptographic functionalities built upon the ring learning with errors problem and its interplay with several classical problems in algebraic number theory. The survey is based to a certain extent on an invited course given by the author at the Basque Center for Applied Mathematics in September 2018.Comment: arXiv admin note: text overlap with arXiv:1508.01375 by other authors/ comment of the author: quotation has been added to Theorem 5.

Trace-based cryptoanalysis of cyclotomic Rq,0×RqR_{q,0}\times R_q-PLWE for the non-split case

We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring $\mathbb{F}_q[x]/(\Phi_{p^k}(x))$ with $k>1$ in the case where $q\equiv 1\pmod{p}$ but $\Phi_{p^k}(x)$ is not totally split over $\mathbb{F}_q$. Our attack uses the fact that the roots of $\Phi_{p^k}(x)$ over suitable extensions of $\mathbb{F}_q$ have zero-trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.Comment: 19 pages; 1 figure; Major update to previous version due to some weaknesses detecte

Trace-based cryptanalysis of cyclotomic R_{q,0}xR_q-PLWE for the non-split case

We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring Fq[x]/(Φp k (x)) with k > 1 in the case where q ≡ 1 (mod p) but Φp k (x) is not totally split over Fq. Our attack uses the fact that the roots of Φp k (x) over suitable extensions of Fq have zero-trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.Agencia Estatal de InvestigaciónUniversidad de Alcal

Cryptanalysis of PLWE based on zero-trace quadratic roots

We extend two of the attacks on the PLWE problem presented in (Y. Elias, K. E. Lauter, E. Ozman, and K. E. Stange, Ring-LWE Cryptography for the Number Theorist, in Directions in Number Theory, E. E. Eischen, L. Long, R. Pries, and K. E. Stange, eds., vol. 3 of Association for Women in Mathematics Series, Cham, 2016, Springer International Publishing, pp. 271-290) to a ring $R_q=\mathbb{F}_q[x]/(f(x))$ where the irreducible monic polynomial $f(x)\in\mathbb{Z}[x]$ has an irreducible quadratic factor over $\mathbb{F}_q[x]$ of the form $x^2+\rho$ with $\rho$ of suitable multiplicative order in $\mathbb{F}_q$. Our attack exploits the fact that the trace of the root is zero and has overwhelming success probability as a function of the number of samples taken as input. An implementation in Maple and some examples of our attack are also provided.Comment: 18 pages. arXiv admin note: substantial text overlap with arXiv:2209.1196

RLWE/PLWE equivalence for the maximal totally real subextension of the 2rpq-th cyclotomic field

We generalise our previous work by giving a polynomial upper bound on the condition number of certain quasi-Vandermonde matrices to es tablish the equivalence between the RLWE and PLWE problems for the totally real subfield of the cyclotomic fields of conductor 2r , 2rp and 2rpq with r ≥ 1 and p, q arbitrary primes. Moreover, we give some cryptographic motivations for the study of these subfields.Agencia Estatal de Investigació