Ring-LWE Cryptography for the Number Theorist

Abstract

In this paper, we survey the status of attacks on the ring and polynomial learning with errors problems (RLWE and PLWE). Recent work on the security of these problems (Eisentraeger et al., Weak Instances of PLWE. In: Proceedings of the selected areas of cryptography 2014. Lecture notes in computer science. Springer, New York, 2014; Elias Y., Lauter K., Ozman E., Stange K., Provably weak instances of ring-LWE. In: Advances in Cryptology – CRYPTO 2015. Springer, 2015 gives rise to interesting questions about number fields. We extend these attacks and survey related open problems in number theory, including spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo q.

1 Introduction

Public key cryptography relies on the existence of hard computational problems in mathematics: i.e., problems for which there are no known general polynomial-time algorithms. Hard mathematical problems related to lattices were first suggested as the basis for cryptography almost two decades ago [1, 2, 24]. While other better-known problems in public key cryptography such as factoring and the discrete logarithm problem are closely tied to computational number theory, lattice-based cryptography has seemed somewhat more distant. Recent developments, including the introduction of the ring-learning with errors problem instantiated in the ring of integers of a number field [30], have connected the area to new questions in computational number theory.

At the same time, lattice-based cryptography has seen a dramatic surge of activity. Since there are no known polynomial-time algorithms for attacking standard lattice problems on a quantum computer (in contrast to the case for widely deployed cryptographic systems such as RSA, discrete log, and elliptic curves), lattice-based cryptography is considered to be a promising cryptographic solution in a post-quantum world. One of the most exciting recent developments has been the construction of fully homomorphic encryption schemes [9–11, 18, 19] which allow meaningful operations to be performed on data without decrypting it: one can add and multiply encrypted numbers, returning the encrypted correct result, without knowledge of the plaintext or private key. The addition and multiplication of ciphertexts is possible due to the ring structure inherent in polynomial rings: these translate into AND and OR gates which can be used to build arbitrary circuits. Exciting applications include privacy problems in the health sector for electronic medical records, predictive analysis and learning from sensitive private data, and genomic computations [8, 20, 27, 28].

These new homomorphic encryption solutions are based on versions of hard “learning problems” with security reductions to and from standard lattice problems such as the shortest vector problem [36]. The idea behind the whole class of learning problems is that it is hard to “learn” a secret vector, given only sample inner products of that vector with other random vectors, provided these products are obscured by adding a small amount of Gaussian noise (“errors”).

The ring version, which we call Ring-LWE or RLWE, was introduced in [30], presenting a fundamental hardness result which can be described informally as follows: for any ring of integers R, any algorithm that solves the (search version of the) Ring-LWE problem yields a comparably efficient quantum algorithm that finds approximately shortest vectors in any ideal lattice in R.

Soon after the introduction of Ring-LWE, an efficient cryptosystem allowing for homomorphic multiplication was proposed in [9] based on a variant of the RLWE problem, the Polynomial Learning With Errors problem (here denoted PLWE). Improvements to that cryptosystem (e.g. [11, 19]) have followed in the same vein, with the same hardness assumption. The reader should note that the terminology of “Ring-LWE” vs. “Poly-LWE” is not entirely standard, and some authors use “Ring-LWE” to refer to a larger class of problems including both.

We focus in this paper on PLWE, specified by the following choices:

1. (1)

   a polynomial ring \(P_{q} = \mathbb{F}_{q}[x]/(f(x))\), with f(x) a monic irreducible polynomial of degree n over \(\mathbb{Z}\) which splits completely over \(\mathbb{F}_{q}\),

2. (2)

   a basis for the polynomial ring, which will often be taken to be a power basis in the monogenic case (in particular, the choice of a basis can be used to endow the ring with the standard inner product on the ring),

3. (3)

   and a parameter specifying the size of the Gaussian noise to be added (the size of the “error”), spherical with respect to this inner product.

We also focus on RLWE obtained from the same setup, but with the inner product instead given by the Minkowski embedding of a ring of integers of the form \(\mathbb{Z}[x]/(f(x))\). More general situations, including the case where the defining polynomial for the number ring does not split modulo q, or the case where q is composite, or the distribution is non-spherical or non-Gaussian, are considered in the cryptographic literature, but the setup above will suffice for our present purpose, which is to give a number theorist an entrée into the subject.

A key point is that for cryptographic applications, the errors must be chosen to be relatively small, to allow for correct decryption. For PLWE, “small” refers to the coefficient size (absolute value of the smallest residue), where the error is a polynomial, i.e., represented according to a polynomial basis for the ring. But to relate RLWE to other standard lattice problems, [30] considers the embedding of the ring \(\mathbb{Z}[x]/(f(x))\) into the real vector space \(\mathbb{R}^{n}\) under the Minkowski embedding (before reduction modulo q), and uses a Gaussian in \(\mathbb{R}^{n}\); this induces an entirely different distribution on the error vectors for general number rings. It was shown in [12, 30] that in the case of 2-power cyclotomic rings, the distributions are the same. However, in [15] it was shown that in general rings the distortion of the distribution is governed by the largest singular value of the change-of-basis matrix between the Minkowski and the polynomial basis. Thus the RLWE and PLWE distributions are not equivalent in general rings.

Although RLWE and PLWE for cyclotomic rings, particularly two-power cyclotomic rings, are the current candidates for practical lattice-based homomorphic encryption with ideal lattices, it will be important for a full study of their security to consider the RLWE and PLWE problems for general rings. This includes studying the two problems independently, and analysing their relationships via the distortion of distributions just mentioned. One lesson from [15] is that deviating from these recommended candidates can lead to an insecure system.

The RLWE and PLWE problems are formulated as either ‘search’ or ‘decision’ problems (see Sect. 2 below). A security reduction was presented in [30] showing that, for any cyclotomic ring R, an algorithm for the decision version of the Ring-LWE problem yields a comparably efficient algorithm for the search version of the Ring-LWE problem. This search-to-decision reduction was subsequently extended to apply to any Galois field in [14].

In [14], an attack on PLWE was presented in rings \(P_{q} = \mathbb{F}_{q}[x]/(f(x))\), where f(1) ≡ 0 (mod q). In addition, [14] gives sufficient conditions on the ring so that the ‘search-to-decision’ reduction for RLWE holds, and also that RLWE instances can be translated into PLWE instances, so that the RLWE decision problem can be reduced to the PLWE decision problem. Thus, if a number field K satisfies the following six conditions simultaneously, then the results of [14] give an attack on the search version of RLWE:

1. (1)

   \(K = \mathbb{Q}(\beta )\) is Galois of degree n.

2. (2)

   The ideal (q) splits completely in \(R = \mathcal{O}_{K}\), the ring of integers of K, and \(q \nmid [R: \mathbb{Z}[\beta ]]\).

3. (3)

   K is monogenic, i.e., is generated by β over \(\mathbb{Z}\).

4. (4)

   The transformation between the canonical embedding of K and the power basis representation of K is given by a scaled orthogonal matrix.

5. (5)

   If f is the minimal polynomial of β, then f(1) ≡ 0  (mod q).

6. (6)

   The prime q can be chosen suitably large.

The first two conditions are sufficient for the RLWE search-to-decision reduction; the next two conditions are sufficient for the RLWE-to-PLWE reduction; and the last two conditions are sufficient for the attack on PLWE. Unfortunately, it is difficult to construct number fields satisfying all six conditions simultaneously. In [14] examples of number fields were given which are vulnerable to the attack on PLWE.

In [15], the attack on PLWE was extended by weakening the conditions on f(x) and the reduction from RLWE to PLWE was extended by weakening condition (4). A large class of fields were constructed where the attack on PLWE holds and RLWE samples can be converted to PLWE samples, thus providing examples of weak instances for the RLWE problem.

Exciting number theory problems often arise from cryptographic applications. In this paper we survey and extend the attacks on the PLWE and RLWE problems and raise associated number-theoretic questions. In Sect. 2, we recall the PLWE and RLWE problems. In Sects. 3 and 4 we survey and extend the attacks on PLWE which were introduced in [14, 15]. In Sect. 5, we explain the reduction between the RLWE and PLWE problems. Finally in Sect. 6 we raise related questions in number theory; in particular, we investigate the spectral distortion of an algebraic number and its relationship to Mahler measure, the monogenic property for the ring of integers of a number field, and the size of elements of small order modulo q.

2 The Fundamental Hard Problems: PLWE and RLWE

2.1 PLWE

Take \(f(x) \in \mathbb{Z}[x]\) to be monic and irreducible of degree n. Suppose q is a prime modulo which f(x) factors completely (this is not necessary for the definition of the problem, but we will assume this throughout the paper). Write

$$\displaystyle{P:= \mathbb{Z}[x]/f(x),\quad P_{q}:= P/qP\mathop{\cong}\mathbb{F}_{q}[x]/f(x).}$$

Let \(\sigma \in \mathbb{R}^{>0}\). By a Gaussian distribution \(\mathcal{G}_{\sigma }\) of parameter σ, we mean a Gaussian of mean 0 and variance σ ² on P which is spherical with respect to the power basis 1, x, x ², …, x ⁿ⁻¹ of P. The prime q is generally assumed to be polynomial in n, sometimes as large as 2⁵⁰ but in some applications much smaller (even as small as 2¹²), and σ is taken fairly small (perhaps σ = 8), so that in practice the tails of the Gaussian will decay to negligible size well before its variable reaches size q. Since P has integer coordinates, we must ‘discretize’ the Gaussian in an appropriate fashion; the result is simply referred to as a discretized Gaussian. We will not go into the technical details in this paper, but instead refer the reader to [30].

There are two standard PLWE problems, quoted here from [9]. The difficulty involves determining a secret obscured by a small error drawn from the discretized Gaussian.

Problem 2.1 (Search PLWE Problem).

Let s(x) ∈ P _q be a secret. The search PLWE problem , is to discover s(x) given access to arbitrarily many independent samples of the form (a _i (x),b _i (x):= a _i (x)s(x) + e _i (x)) ∈ P _q × P _q , where for each i, e _i (x) is drawn from a discretized Gaussian of parameter σ, and a _i (x) is uniformly random.

The polynomial s(x) is the secret and the polynomials e _i (x) are the errors. There is a decisional version of this problem:

Problem 2.2 (Decision PLWE Problem).

Let s(x) ∈ P _q be a secret. The decision PLWE problem is to distinguish, with non-negligible advantage, between the same number of independent samples in two distributions on P _q × P _q . The first consists of samples of the form (a(x),b(x):= a(x)s(x) + e(x)) where e(x) is drawn from a discretized Gaussian distribution of parameter σ, and a(x) is uniformly random. The second consists of uniformly random and independent samples from P _q × P _q .

Search-to-decision reductions were proved for cyclotomic number fields in [30] and extended to work for Galois number fields in [14]. Of course, the phrase ‘to distinguish’ must be interpreted to mean that the distinguisher’s acceptance probabilities, given PLWE samples versus uniform samples, differ by a non-negligible amount.

2.2 RLWE

The original formulation of the hard learning problem for rings, RLWE, presented in [30], was based on the ring of integers, R, of a number field. The authors studied a general class of problems where the error distribution was allowed to vary.

Here we are concerned with only two choices of distributions. The first is to consider rings, R, which are isomorphic to a polynomial ring P, and study the PLWE problem (PLWE was stated as a “variant” of RLWE in [9, 30]). The distribution in this case is with respect to the polynomial basis of one of its polynomial representations.

The second is to choose the error according to a discretized Gaussian with respect to a special basis of the ambient space in which R was embedded via the Minkowski embedding. We will refer to this as RLWE. Therefore, in our language, when R is isomorphic to some polynomial ring P, RLWE differs from PLWE only in the error distribution.

We will state the fundamental RLWE problems and then discuss the relationship between the RLWE and PLWE problems. Let K be a number field of degree n with ring of integers R. Let R ^∨ denote the dual of R,

$$\displaystyle{R^{\vee } =\{\alpha \in K: Tr(\alpha x) \in \mathbb{Z}\mbox{ for all }x \in R\}.}$$

Let us write R _q : = R∕qR and R _q ^∨ = R ^∨∕qR ^∨. We will embed K in \(\mathbb{C}^{n}\) via the usual Minkowski embedding. The vector space \(\mathbb{C}^{n}\) is endowed with a standard inner product, and we will use the spherical Gaussian with respect to this inner product, discretized to R ^∨, as the discretized Gaussian distribution. We will refer to this as the canonical discretized Gaussian. This will not, in general, coincide with the discretized Gaussian defined in PLWE for a P≅R, and this is the fundamental difference between the two problems.

The standard RLWE problems for a canonical discretized Gaussian are as follows:

Problem 2.3 (Search RLWE Problem [30]).

Let s ∈ R _q ^∨ be a secret. The search RLWE problem is to discover s given access to arbitrarily many independent samples of the form (a,b:= as + e) where e is drawn from the canonical discretized Gaussian and a is uniformly random.

Problem 2.4 (Decision RLWE Problem [30]).

Let s ∈ R _q ^∨ be a secret. The decision RLWE problem is to distinguish with non-negligible advantage between the same number of independent samples in two distributions on R _q × R _q ^∨ . The first consists of samples of the form (a,b:= as + e) where e is drawn from the canonical discretized Gaussian and a is uniformly random, and the second consists of uniformly random and independent samples from R _q × R _q ^∨ .

An isomorphism between R and an appropriate polynomial ring P can be used to relate an instance of the RLWE problem to an instance of the PLWE problem. In particular, one requires R to be monogenic (having a power basis). Analysing the relationship between the two problems involves a close look at the change of basis under an isomorphism from R to the appropriate P. We will take up this issue in Sect. 5.

3 Summary of Attacks

In practice today, parameters for cryptosystems based on the RLWE and PLWE problems are set according to two known attacks, the distinguishing attack [31, 37] and the decoding attack [29]. These attacks work in general for learning-with-error problems and do not exploit the special structure of the ring versions of the problem. In this paper, we will focus solely on the new attacks presented in [14, 15] that exploit the special number-theoretic structure of the PLWE and RLWE rings.

The attacks presented in [14, 15] can be described in terms of the ring homomorphisms from P _q to smaller rings. As \(P_{q}\mathop{\cong}\mathbb{F}_{q}^{n}\), the only candidates are the projections to each factor:

$$\displaystyle{\pi _{\alpha }: P_{q} \rightarrow \mathbb{F}_{q},\quad p(x)\mapsto p(\alpha )}$$

for each root α of f(x). In P _q , the short vectors sampled by the Gaussian are easy to recognize since they have small coefficients. But they are hard to tease out of b(x) = a(x)s(x) + e(x) without knowledge of s(x), and the possibilities for s(x) are too many to examine exhaustively. By contrast, in a small ring like \(\mathbb{F}_{q}\), it is easy to examine the possibilities for s(α) exhaustively. And the ring homomorphism preserves the relationship of the important players: b(α) = a(α)s(α) + e(α). Hence we can loop through the possibilities for s(α), obtaining for each the putative value

$$\displaystyle{e(\alpha ) = b(\alpha ) - a(\alpha )s(\alpha ).}$$

The Decision Problem for PLWE, then, is solved as soon as we can recognize the set of e(α) that arise from the Gaussian.

Unfortunately (or fortunately), one does not expect to be able to do this in general. Heuristically, let \(\mathcal{S}\subset P_{q}\) denote the subset of polynomials that are produced by the Gaussian with non-negligible probability. In P _q , parameters are such that this is a small set. But \(\mathbb{F}_{q}\) is a much smaller ring and one expects that generically, the image of \(\mathcal{S}\) will ‘smear’ across all of \(\mathbb{F}_{q}\). Something quite special must happen if we expect the image of \(\mathcal{S}\) to remain confined to a small subset of \(\mathbb{F}_{q}\), and hence be recognizable.

That ‘something special’ is certainly possible, however: suppose that α = 1. The polynomials \(g(x) \in \mathcal{S}\) have small coefficients, and hence have small images g(1) in \(\mathbb{F}_{q}\). This is simply because n is much smaller than q, so that the sum of n small coefficients is still small modulo q. More generally, all of the attacks suggested in [14, 15] come down to considering α with certain advantageous properties, so that the image of \(\mathcal{S}\) can be recognized.

The cyclotomic cases currently under consideration for PLWE and RLWE are uniquely protected against this occurrence: α = 1 is never a root modulo q of a cyclotomic polynomial of degree > 1 when q is sufficiently large.

3.1 Attacking α = 1

The approach described above and the α = 1 attack was first presented in [14]. The details are as follows. Suppose

$$\displaystyle{f(1) \equiv 0\mbox{ mod }q.}$$

We are given access to a collection of samples (a _i (x), b _i (x)). We wish to determine if a sample is valid, of the form

$$\displaystyle{b_{i}(x) = s(x)a_{i}(x) + e_{i}(x)}$$

for e _i (x) produced by a Gaussian, or random (uniformly random). The algorithm is as follows:

Algorithm 1:

 

1. (1)

   Let the set of valid guesses be \(S = \mathbb{F}_{q}\).

2. (2)

   Loop through the available samples. For each sample:

   1. (a)

      Loop through guesses s ∈ S for the value of s(1). For each s:

      1. (i)

         Compute e _i : = b _i (1) − sa _i (1)

      2. (ii)

         If e _i is not small in absolute value¹ modulo q, then conclude that the sample cannot be valid for s with non-negligible probability, and remove s from S.

3. (3)

   If S = ∅, conclude that the sample was random. If S is non-empty, conclude that the sample is valid.

If the guess s is correct, then e _i  = e _i (1) = ∑ _j = 1 ⁿ e _ij where e _ij are chosen from a Gaussian \(\mathcal{G}_{\sigma }\) of parameter σ. It follows that e _i (1) are approximately sampled from a Gaussian \(\mathcal{G}_{\sqrt{n}\sigma }\) of parameter \(\sqrt{n}\sigma\) where n σ ² ≪ q.

3.2 Attacking α of Small Order

The following attack described and developed in [14, 15] requires α to have small order mod q. The fundamental idea is the same as for the α = 1 attack, except that to discern whether or not e _i (α) is a possible image of a Gaussian-sampled error is more complicated.

Assume that \(\alpha ^{r} \equiv 1\mod q\), then

$$\displaystyle{ e(\alpha ) =\sum _{ i=1}^{n}e_{ i}\alpha ^{i} = (e_{ r} + e_{2r} + \cdots \,) + \cdots +\alpha ^{r-1}(e_{ r-1} + e_{2r-1} + \cdots \,). }$$

If r is small enough, e(α) takes on only a small number of values modulo q. This set of values may not be easy to describe, but q is small enough that it can be enumerated and stored. The attack proceeds as for α = 1 except that to determine if a sample is potentially valid for s in step (2)(a)(ii), we compare to the stored list of possible values.

4 Attacking α of Small Residue

A third attack described in [15] is based on the size of the residue e _i (α) mod q. This is more subtle. Here, the errors e(α) may potentially take on all values modulo \(\mathbb{F}_{q}\) with non-negligible probability. But it may be possible to notice if the probability distribution across \(\mathbb{F}_{q}\) is not uniform, given enough samples.

This method of attack differs from the previous ones, but is also applicable to α = 1 and α of small order, so all cases will be treated together.

Assume that

$$\displaystyle{ f(\alpha ) \equiv 0\mod q }$$

(1)

for some α. Let E _i be the event that

$$\displaystyle{b_{i}(\alpha ) - ga_{i}(\alpha )\mod q\mbox{ is in the interval }[-q/4,q/4)}$$

for some sample i and guess g for \(s(\alpha )\mod q\). We wish to compare the probabilities

$$\displaystyle{P(E_{i}\ \vert \ \mathcal{D} = \mathcal{U})\ \ \mbox{ and}\ \ P(E_{i}\ \vert \ \mathcal{D} = \mathcal{G}_{\sigma }).}$$

Here, \(\mathcal{D} = \mathcal{U}\) refers to the situation where b _i is uniformly random, while \(\mathcal{D} = \mathcal{G}_{\sigma }\) refers to the situation where b _i is obtained as a _i s + e _i for some secret s, where e _i follows a Gaussian \(\mathcal{G}_{\sigma }\) truncated at 2σ (in practice, the Gaussian is truncated as the tails decay to negligible values). If \(\mathcal{D} = \mathcal{U}\), then b _i (α) − ga _i (α) is random modulo q for all guesses g, that is,

$$\displaystyle{P(E_{i}\ \vert \ \mathcal{D} = \mathcal{U}) = \dfrac{1} {2}.}$$

If \(\mathcal{D} = \mathcal{G}_{\sigma }\), then \(b_{i}(\alpha ) - s(\alpha )a_{i}(\alpha ) = e_{i}(\alpha )\mod q\). Indeed, the terms of b _i (α) − s(α)a _i (α) that are a multiple of f vanish at α modulo q by Assumption (1). We consider

$$\displaystyle{e_{i}(\alpha ) =\sum _{ j=0}^{n-1}e_{ ij}\alpha ^{j},}$$

where e _ij is chosen according to the distribution \(\mathcal{G}_{\sigma }\) and distinguish three cases corresponding to

1. (1)

   α = ±1

2. (2)

   α ≠ ± 1 and α has small order r modulo q

3. (3)

   α ≠ ± 1 and α is not of small order r modulo q

We will now drop the subscript i for simplicity. In Case (1), the error e(α) is distributed according to \(\mathcal{G}_{\bar{\sigma }}\) where

$$\displaystyle{\bar{\sigma }=\sigma \sqrt{n}.}$$

In Case (2), the error can be written as

$$\displaystyle{e(\alpha ) =\sum _{ i=0}^{r-1}e_{ i}\alpha ^{i} = (e_{ 0} + e_{r} + \cdots \,) +\alpha (e_{1} + e_{r+1} + \cdots \,) + \cdots +\alpha ^{r-1}(e_{ r-1} + e_{2r-1} + \cdots \,)}$$

where we assume that n is divisible by r for simplicity. For j = 0, ⋯ , r − 1, we have that

$$\displaystyle{e_{j} + e_{j+r} + \cdots + e_{j+n-r}}$$

is distributed according to \(\mathcal{G}_{\tilde{\sigma }}\) where

$$\displaystyle{\tilde{\sigma }=\sigma \sqrt{\frac{n} {r}}.}$$

As a consequence e(α) is sampled from \(\mathcal{G}_{\bar{\sigma }}\) where

$$\displaystyle{\bar{\sigma }^{2} =\sum _{ i=0}^{r-1}\tilde{\sigma }^{2}\alpha ^{2i} =\sum _{ i=0}^{r-1}\dfrac{n} {r}\sigma ^{2}\alpha ^{2i} = \dfrac{n} {r}\sigma ^{2}\dfrac{\alpha ^{2r} - 1} {\alpha ^{2} - 1}.}$$

In Case (3), the error e(α) is distributed according to \(\mathcal{G}_{\bar{\sigma }}\) where

$$\displaystyle{\bar{\sigma }^{2} =\sum _{ i=0}^{n-1}\sigma ^{2}\alpha ^{2i} =\sigma ^{2}\dfrac{\alpha ^{2n} - 1} {\alpha ^{2} - 1}.}$$

If \(\dfrac{q} {4} \geq 2\bar{\sigma }\), then errors always lie in \([-\frac{q} {4}, \frac{q} {4})\) and

$$\displaystyle{P(E_{i}\ \vert \ \mathcal{D} = \mathcal{G}_{\sigma }) = 1.}$$

Otherwise, assuming for simplicity that \(N = \dfrac{2\bar{\sigma } - q/2} {q}\) is an integer, we have

$$\displaystyle{P(E_{i}\ \vert \ \mathcal{D} = \mathcal{G}_{\sigma }) = \left (\int _{0}^{2\bar{\sigma }}\mathcal{G}_{\bar{\sigma }}\right )^{-1}\left (\int _{ 0}^{\frac{q} {4} }\mathcal{G}_{\bar{\sigma }} +\sum _{ k=0}^{N-1}\int _{\frac{3q} {4} +kq}^{\frac{5q} {4} +kq}\mathcal{G}_{\bar{\sigma }}\right ).}$$

In the situation where this value exceeds 1∕2, i.e., \(P(E_{i}\ \vert \ \mathcal{D} = \mathcal{G}_{\sigma }) = \dfrac{1} {2}+\epsilon\) with ε > 0, the following algorithm attacks PLWE. Let

$$\displaystyle{N = \left \lceil \dfrac{\ell q+\epsilon \ell} {2} \right \rceil }$$

where ℓ is the number of samples observed. For each guess g mod q, we compute \(b_{i} - ga_{i}\mod q\) for i = 1, ⋯ , ℓ. We denote by C the number of elements obtained in the interval [−q∕4, q∕4). If C < N, the algorithm outputs

$$\displaystyle{\mathcal{D} = U,}$$

otherwise, the algorithm outputs

$$\displaystyle{\mathcal{D} = \mathcal{G}_{\sigma }.}$$

In the analysis of the probability of success of the algorithm, we denote by B the binomial distribution and by F the cumulative Binomial distribution. If \(\mathcal{D} = \mathcal{U}\), the algorithm is successful with probability

$$\displaystyle{P(C < N\vert \mathcal{D} = U) = F(N - 1;\ell q, \frac{1} {2}).}$$

If \(\mathcal{D} = \mathcal{G}_{\sigma }\), we denote by C _s the number of elements of the form \(b_{i} - sa_{i}\mod q\) in the interval [−q∕4, q∕4). In this case, the algorithm is successful with probability

$$\displaystyle\begin{array}{rcl} & & P\left (C \geq N\vert \mathcal{D} = \mathcal{G}_{\sigma }\right ) =\sum _{ i=0}^{\ell}P\left (C - C_{ s} \geq N - i\right ) \times P\left (C_{s} = i\right ) {}\\ & & =\sum _{ i=0}^{\ell}\left (1 - F(N - i - 1,\ell q-\ell,1/2)\right ) \times B(i,\ell,1/2+\epsilon ) {}\\ \end{array}$$

When ε > 0, the algorithm is successful since

$$\displaystyle\begin{array}{rcl} & & \dfrac{1} {2}(P(C < N\vert \mathcal{D} = U) + P(C \geq N\vert \mathcal{D} = \mathcal{G}_{\sigma })) {}\\ & & = \dfrac{1} {2}(P(C < N\vert \mathcal{D} = U) + 1 - P(C < N\vert \mathcal{D} = \mathcal{G}_{\sigma })) {}\\ & & = \dfrac{1} {2} + \dfrac{1} {2}(P(C < N\vert \mathcal{D} = U) - P(C < N\vert \mathcal{D} = \mathcal{G}_{\sigma })) > \dfrac{1} {2} {}\\ \end{array}$$

Example 4.1.

In Case (1), when n = 2¹⁰, q ≈ 2⁵⁰, and σ = 8, we can compute ε ≈ 0. 5. Therefore, the attack is successful for any irreducible polynomial of degree 2¹⁰ and with a root 1 mod q.

In Case (2), when n = 2⁹, q ≈ 2⁵⁰, σ = 8, and α = q − 1, α has order 2 and we can compute ε ≈ 0. 002. This is particularly interesting since there is an irreducible polynomial with these properties that generates a power of 2 cyclotomic number field [15]; however, it is not the usual cyclotomic polynomial.

In Case (3), when n = 2⁶, q ≈ 2⁶⁰, σ = 8, and α = 2, computations show that ε = 0. 02. Therefore, this attack is successful for any irreducible polynomial of degree 2⁶ with a root α = 2 modulo a prime q ≈ 2⁶⁰.

5 RLWE-to-PLWE Reduction

Suppose that K is a number field, and R is its ring of integers. For technical reasons, we give a slight variant on the Minkowski embedding, which is as follows: \(\theta: K \rightarrow \mathbb{R}^{n}\)

$$\displaystyle\begin{array}{rcl} \theta (r):= (\sigma _{1}(r),\ldots,\sigma _{s_{1}}(r),& Re& (\sigma _{s_{1}+1}(r)),\ldots \ldots Re(\sigma _{s_{1}+s_{2}}(r)), {}\\ & Im& (\sigma _{s_{1}+1}(r)),\ldots,Im(\sigma _{s_{1}+s_{2}}(r))). {}\\ \end{array}$$

where the σ _i are the s ₁ + s ₂ embeddings of K, ordered so that the s ₁ real embeddings are first, and the s ₂ complex embeddings are paired so that \(\overline{\sigma _{s_{1}+k}} =\sigma _{s_{1}+s_{2}+k}\).

A spherical Gaussian of parameter σ with respect to the usual inner product on \(\mathbb{R}^{n}\) can be discretized to the canonical discretized Gaussian on R or its dual R ^∨.

Suppose R≅P for some polynomial ring P under a map α ↦ x for some root α of f(x). Suppose further that R is monogenic. Then R ^∨≅P also as R-modules (as its different ideal is principal). For RLWE, \(\mathbb{R} \otimes R^{\vee }\) is equipped with a basis b _i , i = 0, …, n − 1 with respect to which the Gaussian is spherical (the standard basis of \(\mathbb{R}^{n}\), pulled back by θ). For PLWE, \(\mathbb{R} \otimes P\) is equipped with such a basis also, i.e., the standard power basis x ⁱ, i = 0, …, n − 1. To relate the two problems, one must write down the change-of-basis matrix between them. It is the matrix

$$\displaystyle{N_{\alpha }:=\gamma M_{\alpha }^{-1}: \mathbb{R} \otimes R^{\vee }\rightarrow \mathbb{R} \otimes P}$$

where γ is such that R ^∨ = γ R, and where M _α is the matrix with columns [α ⁱ] _b (i.e., the i-th column is the element α ⁱ represented with respect to the basis b = {b _i }).

The properties of N _α determine how much the Gaussian is distorted in moving from one problem to the other. If it is not very distorted, then solving one problem may solve the other.

Details are to be found in [15], but in short, the normalized spectral norm gives a good measure of ‘distortion’. This is defined for an n × n matrix M by

$$\displaystyle{\vert \vert M\vert \vert _{2}/\mathop{\mathrm{det}}\nolimits (M)^{1/n}.}$$

6 Number-Theoretical Open Problems

In this section we will describe a number of open problems in number theory that are motivated by attacks to PLWE and RLWE, some very speculative and some more precise.

6.1 Conditions for Smearing

As described in Sect. 3, we are concerned with the map

$$\displaystyle{\pi: P_{q} \rightarrow \mathbb{F}_{q},\quad g(x)\mapsto g(\alpha ).}$$

Question 6.1.

For which subsets \(\mathcal{S}\subset P_{q}\), is the image \(\pi (\mathcal{S}) = \mathbb{F}_{q}\)?

If \(\pi (\mathcal{S}) = \mathbb{F}_{q}\), we will say that \(\mathcal{S}\) smears under π.

Partial solutions to this problem may come in a wide variety of shapes. For example, can one prove that almost all \(\mathcal{S}\) of a given size smear? Can one characterize the types of situations that lead to a negative answer (e.g. α = 1 and \(\mathcal{S}\) consisting of polynomials of small coefficients)? What if we restrict to the PLWE case, where \(\mathcal{S}\) consists of polynomials with small coefficients? Or the RLWE case, where \(\mathcal{S}\) is the image of a canonical discretized Gaussian?

6.2 The Spectral Distortion of Algebraic Numbers, and Mahler Measure

By Sect. 5, the normalized spectral norm of N _α is a property of any algebraic number α for which \(\mathbb{Z}[\alpha ]\) is a maximal order. We will therefore denote it ρ _α , and call it the spectral distortion of α. It measures the extent to which the power basis α ⁱ is distorted from the canonical basis of the associated number field. Recall from Sect. 5 that for number rings with small spectral distortion we expect to have an equivalence between the RLWE and PLWE problems. For completeness, we state a slightly more general definition, separate from its cryptographic origins, as follows:

Definition 6.2.

Let α be an algebraic number of degree n and \(K = \mathbb{Q}(\alpha )\). Let M be the matrix whose columns are given by θ(α ⁱ), where \(\theta: K \rightarrow \mathbb{R}^{n}\),

$$\displaystyle\begin{array}{rcl} \theta (r) = (\sigma _{1}(r),\ldots,\sigma _{s_{1}}(r),& Re& (\sigma _{s_{1}+1}(r)),\ldots Re(\sigma _{s_{1}+s_{2}}(r)), {}\\ & Im& (\sigma _{s_{1}+1}(r)),\ldots,Im(\sigma _{s_{1}+s_{2}}(r))) {}\\ \end{array}$$

where the σ _i are the s ₁ + s ₂ complex embeddings of K, ordered so that the s ₁ real embeddings are first, and the s ₂ complex embeddings are paired so that \(\overline{\sigma _{s_{1}+k}} =\sigma _{s_{1}+s_{2}+k}\). The spectral distortion of α is \(\vert \vert M\vert \vert _{2}/(\mathop{\mathrm{det}}\nolimits (M))^{ \frac{1} {n} }\).

Question 6.3.

What are possible spectral distortions of algebraic numbers?

It follows from the special properties of 2-power roots of unity that they have spectral distortion equal to 1. However, even other roots of unity do not have spectral distortion equal to 1 (and this is what necessitates the more elaborate RLWE-to-PLWE reduction argument given in [12] for cyclotomic rings which are not 2-power cyclotomics).

Is the spectral distortion a continuum, or is the collection of values discrete in regions of \(\mathbb{R}\)? Does this relate to Mahler measure?

The Mahler measure of a polynomial can be defined as the product of the absolute values of the roots which lie outside the unit circle in the complex plane, times the absolute value of the leading coefficient. For a polynomial

$$\displaystyle{f(x) = a(x -\alpha _{1})(x -\alpha _{2})\cdots (x -\alpha _{n})}$$

the Mahler measure is

$$\displaystyle{M(f):= \vert a\vert \prod _{\vert \alpha _{i}\vert \geq 1}\vert \alpha _{i}\vert.}$$

The Mahler measure of an algebraic number α is defined as the Mahler measure of its minimal polynomial.

Interestingly, polynomials which have small Mahler measure (all roots very close to 1 in absolute value) seem to have small spectral distortion. For example, consider “Lehmer’s polynomial”, the polynomial with the smallest known Mahler measure greater than 1:

$$\displaystyle{f(x) = x^{10} + x^{9} - x^{7} - x^{6} - x^{5} - x^{4} - x^{3} + x + 1.}$$

The Mahler measure is approximately 1. 176, and the spectral distortion for its roots is approximately 3. 214. This spectral distortion is rather small, and compares favourably, for example, with the spectral distortion for 11th roots of unity, which is approximately 2. 942. Other examples of polynomials with small Mahler measure also have small spectral distortion: f(x) = x ³ − x + 1 has Mahler measure approximately 1. 324 and spectral distortion approximately 1. 738.

To explain the phenomenon observed for polynomials with small Mahler measure and to relate the Mahler measure to the spectral norm, we need to have some estimate on the spectral norm in terms of the entries of the matrix. The entries of the matrix M are powers of the roots {α _j } of the minimal polynomial. When the Mahler measure is small, the entries of the matrix M have absolute value close to 1, since the absolute values of the roots are as close as possible to 1. To make the connection with the spectral norm more precise, [35] gives an improvement on Schur’s bound and expresses the bound on the largest singular value in terms of the entries of the matrix. Thus we can use Schur’s bound or this improvement to see that polynomials with small Mahler measure must have relatively small spectral norm.

It could also be interesting to look at other properties of M, such as the entire vector of singular values of M, its conditioning number, etc.

6.3 Galois Versus Monogenic

We say that K is monogenic if the ring of integers R of K is monogenic, i.e., a simple ring extension \(\mathbb{Z}[\beta ]\) of \(\mathbb{Z}.\) In this case, K will have an integral basis of the form {1, β, β ², …, β ⁿ⁻¹} which is called a power integral basis. In this section we will focus on properties (1) and (4) from the introduction.

Example 6.4.

The following are examples of number fields that are both Galois and monogenic:

• Cyclotomic number fields, \(K = \mathbb{Q}(\zeta _{n})\) where ζ _n is a primitive nth root of unity,

• Maximal real subfields of cyclotomic fields, \(K = \mathbb{Q}(\zeta _{n} +\zeta _{ n}^{-1})\),

• Quadratic number fields \(K = \mathbb{Q}(\sqrt{d})\).

Question 6.5.

Are there fields of cryptographic size which are Galois and monogenic, other than the cyclotomic number fields and their maximal real subfields? How can one construct such fields explicitly?

The problem of characterizing all number fields which are monogenic goes back to Hasse, however, a complete solution is not known to date. Here we will summarize some of the known related results.

Proposition 6.6 ([34]).

Let p be a prime and K a Galois extension of \(\mathbb{Q}\) of degree n. Let e be the ramification index of p and f be the inertia degree of p. If one of the conditions below is satisfied, then K is not monogenic:

• If f = 1: ep < n

• If f ≥ 2: ep ^f ≤ n + e − 1

Let K be a Galois extension of prime degree ℓ. (Such extensions are called cyclic extensions.) The following result of Gras [23] states that cyclic extensions are often non-monogenic.

Theorem 6.7 ([23]).

Any cyclic extension K of prime degree ℓ ≥ 5 is non-monogenic except for the maximal real subfield of the (2ℓ + 1)-th cyclotomic field with prime conductor 2ℓ + 1.

Theorem 6.8 ([22]).

Let n ≥ 5 be relatively prime to 2,3. There are only finitely many abelian number fields of degree n that are monogenic.

For number fields of smaller degree it may be possible to give a complete characterization. For instance, for cyclic cubic extensions K, Gras [21] and Archinard [3] gave necessary and sufficient conditions for K to be monogenic.

Even though monogenic fields are rare in the abelian case for large degree, Dummit and Kisilevsky [13] have shown that there exist infinitely many cyclic cubic fields which are monogenic. A result of Kedlaya [25] implies that there are infinitely many monogenic number fields of any given signature. In fact, we expect monogenicity frequently: if f is an irreducible polynomial with squarefree discriminant, then the number field K obtained by adjoining a root of f to \(\mathbb{Q}\) is monogenic. For polynomials of fixed degree ≥ 4 whose coefficients are chosen randomly, it is conjectured that with probability ≳ 0. 307, the root will generate the ring of integers of the associated number field [25]. However, to require K also to be Galois is much more restrictive. Moreover, for fields of cryptographic size (n ∼ 2¹⁰), the discriminant of f is too large to test whether it is squarefree. Therefore testing whether an arbitrary number field of cryptographic size is monogenic is not known to be feasible in general.

6.4 Finding Roots of Small Order Mod p

We have seen that a root of small order of f(x) modulo q provides a method of attack on the PLWE problem in the ring \(\mathbb{Z}_{q}[x]/(f(x))\). The attack is even more effective if, in addition, this root is small as a minimal residue modulo q (‘minimal’ meaning the smallest in absolute value). See Example 4.1, Case(3) in Sect. 4. Cyclotomic fields are protected against this attack by the observation that the roots of a cyclotomic polynomial modulo q are of full order n. However for ‘random’ polynomials, there is a priori no particular reason to expect roots of any particular order modulo q, or to expect the roots to be small. Motivated by these two requirements, it is natural to ask the following question:

Question 6.9.

For random polynomials f(x) and random primes q for which f(x) has a root α modulo q, what can one say about the order of α modulo q?

A special case of this question, for f monic of degree one, is to ask, for a fixed a, how often is a a primitive root modulo p? A famous conjecture of Artin states that this should happen for infinitely many p provided a is not a perfect square or − 1, and describes the density of such primes. This has been the subject of much research, and the question above is a sort of number field analogue. Some investigations in the direction of a number field analogue of Artin’s conjecture exist; for a gateway to the literature, see [33, 38].

Computationally, to locate polynomials having a small root of small order, it is easiest to start with the desired order, find a suitable q, and then build the polynomial. The algorithm is as follows:

Algorithm 2

 

Input: :

Integers r, n, q ₀ such that r > 2 represents the desired order, n ≥ 1 represents the desired degree, and q ₀ > log₂(n) represents the desired bitsize of q.

1. (1)

   Let s be the degree of the cyclotomic polynomial \(\Phi _{r}(x)\).

2. (2)

   Let a = 1 (our candidate for the element of order r mod q). Test \(\Phi _{r}(a)\) for primality. If it is a prime of approximate bitsize q ₀, let q be this prime. Otherwise, increment a and try again.

3. (3)

   Once a and q are fixed, choose a set S of n elements of \(\mathbb{Z}/q\mathbb{Z}\) that includes a and the other n − 1 smallest minimal residues (or choose any other subset of residues).

4. (4)

   Choose i = 1 and increment i until the polynomial

   $$\displaystyle{f(x) =\prod _{s\in S}(x - s) + qi}$$

   of degree n is irreducible.

Output: :

A monic irreducible polynomial \(f(x) \in \mathbb{Z}[x]\), a prime q roughly of size q ₀, such that f splits modulo q, and \(a \in \mathbb{Z}/q\mathbb{Z}\) such that f(a) ≡ 0 (mod q) and a ^r ≡ 1 (mod q).

Note that if one wishes to relax the condition that f splits modulo q, one could take f(x) = (x − a)ⁿ + q, which is irreducible, to avoid Step 4.

Using this method, it is easy to find examples of (K, q) such that f(x) has a root of small order modulo q. Among them, an example of cryptographic size is afforded by n = 2¹⁰, r = 3, a = 33554450, q = 1125901148356951 and i = 1 (the polynomial is too unwieldy to print here). Using the last two parts of the method, one can, in fact, easily construct polynomials having as roots many elements of small order modulo q.

A simpler starting point is the following second question:

Question 6.10.

What is the distribution of elements of small order among residues modulo q?

There is a significant body of research on the distribution of primitive roots (see Artin’s conjecture) and quadratic residues. More recently there have been advances on the distribution of elements of small order. For example, the number of elements of bounded size and specified order is bounded above in [7]; see also [5, 6, 26]. More useful in our present context, for the purposes of finding elements of small order, would be a guarantee that such elements exist in some small interval.

A more precise question is as follows:

Question 6.11.

What is the smallest residue modulo a prime q which has order exactly r?

Let q be a prime and r > 2. Let n _r, q represent the smallest residue modulo q which has order exactly r. A first observation is the following (which allows us to choose a more suitable starting point for a in the algorithm above).

Proposition 6.12.

Let φ(r) represent the Euler function, giving the number of positive integers less than and coprime to r. Then, if r has at most two distinct prime factors, which are odd, then

$$\displaystyle{\vert n_{r,q}\vert \geq (q/\varphi (r))^{1/\varphi (r)}}$$

Proof.

The element n _r, q is a root of the r-th cyclotomic polynomial, of degree φ(r), modulo q. Since \(\Phi _{r}(n_{r,q})\neq 0\) as an integer relation, it must be that \(\vert \Phi _{r}(n_{r,q})\vert \geq q\). It is known that under the given hypotheses on the factorization of r, the coefficients of \(\Phi _{r}\) are chosen from { ± 1, 0} [32]. Therefore \(\vert \Phi _{r}(n_{r,q})\vert \leq \varphi (r)\vert n_{r,q}^{\varphi (r)}\vert \) from which the result follows. □ 

In general, combining upper and lower bounds on n _r, q would limit the search space for an element of small order.

Remark 6.13.

1. (1)

   Other restrictions on the coefficients of \(\Phi _{r}\) give rise to similar results. To derive an asymptotic statement, one could turn to asymptotic results such as [17].

2. (2)

   The case of r = 3, the study of n _3, q gives the full story, as the cube roots of unity are of the form

   $$\displaystyle{1,n_{3,q},-n_{3,q} - 1.}$$
3. (3)

   In general, the primes q such that n _r, q  = a for a fixed a and r are among those dividing \(\Phi _{r}(a)\), hence there are finitely many.

4. (4)

   Elliott has some results on k-th power residues [16].

We will call n _r, q minimal if, in addition to being the smallest residue of order r modulo q, it also satisfies \(\Phi _{r}(n_{r,q}) = \pm q\). For non-minimal n _r, q , the lower bound in Proposition 6.12 increases. A conjecture of Bouniakowski implies that minimality happens infinitely often.

Conjecture 6.14 (Bouniakowski, [4]).

Let \(f(x) \in \mathbb{Z}[x]\) be a non-constant irreducible polynomial such that f(x) is not identically zero modulo any prime p. Then f(n) is prime for infinitely many \(n \in \mathbb{Z}\) .

Proposition 6.15.

Let r > 2. If Bouniakowski’s Conjecture holds, then there are infinitely many primes q for which n _r,q is minimal.

Proof of Proposition 6.15.

The cyclotomic polynomials for r > 1 satisfy the Bouniakowski conditions, as they are irreducible and \(\Phi _{r}(1)\not\equiv 0\ (\text{mod}\ p)\) since 1 is not of exact order r modulo any p. Hence \(\Phi _{r}(x)\) takes on infinitely many prime values; for such a prime q, the smallest such x in absolute value is n _r, q and this is minimal. □