Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory

by   Iván Blanco Chacón, et al.

The present survey reports on the state of the art of the different cryptographic functionalities built upon the ring learning with errors problem and its interplay with several classical problems in algebraic number theory. The survey is based to a certain extent on an invited course given by the author at the Basque Center for Applied Mathematics in September 2018.



There are no comments yet.


page 1

page 2

page 3

page 4


On Bergman's Diamond Lemma for Ring Theory

This expository paper deals with the Diamond Lemma for ring theory, whic...

Problems in group theory motivated by cryptography

This is a survey of algorithmic problems in group theory, old and new, m...

Non-Commutative Ring Learning With Errors From Cyclic Algebras

The Learning with Errors (LWE) problem is the fundamental backbone of mo...

Right Ideals of a Ring and Sublanguages of Science

Among Zellig Harris's numerous contributions to linguistics his theory o...

Algebraic Extension Ring Framework for Non-Commutative Asymmetric Cryptography

Post-Quantum Cryptography PQC attempts to find cryptographic protocols r...

The Polynomial Learning With Errors Problem and the Smearing Condition

As quantum computing advances rapidly, guaranteeing the security of cryp...

The supersingular isogeny path and endomorphism ring problems are equivalent

We prove that the path-finding problem in ℓ-isogeny graphs and the endom...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

According to MIRACL Labs, it is estimated that a quantum computer capable of breaking most of modern cryptography will be built in the next 10-15 years (20-25 years according to Microsoft Research). All of cryptography is built on supposedly hard mathematical problems, most of which, like integer factorisation or the discrete logarithm problem, become relatively easy in the context of a working quantum computer. In response to this threat there is a need to migrate from these vulnerable constructs to constructs known to remain strong even in a post-quantum world.

An example of such a hard problem is the shortest vector problem in a lattice, which is known to be NP-hard. While there already exist post-quantum solutions for much of standard cryptography, like public key encryption and digital signature, it is currently unclear how some of the more elaborate protocols, like those seeking for integrity or non-repudiation can be successfully migrated. In particular in the last 10+ years bilinear pairings on elliptic curves have opened up many new possibilities, which will unfortunately be rendered insecure in a post-quantum world. Already commercial products based on bilinear pairings have found applications in the ‘real world’, and so much work must be done to ensure that we will be able to retain this functionality into the future.

At the same time there is much fundamental work to be done on the post-quantum primitives themselves. Indeed an early decision is to choose between one or various of the following technologies, for each cryptographic feature:

  • Code based cryptography ([16]) is built on the infeasibility of syndrome decoding for general linear error-correcting codes over finite fields.

  • Multivariate based cryptography ([6]) is a scheme based on the fact that solving general systems of multivariate polynomial equations over finite fields is proved to be NP-hard.

  • Isogeny based cryptography ([9]), is a protocol for key exchange, analogous to Diffie-Hellman, but the cyclic groups present here are attached to supersingular elliptic curves defined over finite field.

  • Finally, lattice based cryptography, admits a large number of different formulations and constructions. This report focuses on one of the most promising lattice-based technologies: Ring Learning With Errors (RLWE). This scheme is based on the RLWE problem, which is based in turn on the difficulty of solving the shortest vector problem (SVP) on ideal lattices.

At the time of writing, code, lattice and multivariate-based methods seem to be the strongest contenders, as they appear to have the flexible structure needed on which to base more complex protocols. Within these three categories, the lattice-based one has by far a larger number of non-broken primitives/protocols. Lattice based cryptography has a relatively mature history, primarily due to the work done by the early proponents of the related NTRU cryptosystem ([12]). This was a patented technology which enjoyed some minor success, but never really gained traction, as when it was invented, a quantum computer still seemed very far off. Its patents have now expired.

RLWE first came to prominence with the paper by Lyubashevsky, Peikert and Regev ([14]). A key-exchange algorithm proposed by them was recently optimized and implemented by Alkim, Ducas, Pöppelmann, and Schwabe ([1]). This was then implemented by Google in a well-publicised experiment ([3]). In recent times there have been many implementation improvements, see for example the recent paper by Scott ([20]). So there can be no doubting the practicality of the technology, opinions supporting this view include those of a good number of researchers in Intel Labs and MIRACL Labs.

RLWE is built on an earlier scheme: the Learning with Errors (LWE) problem, which admits a security reduction from the SVP on arbitrary lattices, proved to be NP-hard. The disadvantage is a quadratic overhead in the key sizes, which is unfeasible in practice but is overcome in the RLWE scenario, at the cost of being backed in the SVP over just ideal lattices, which even if based on experience is widely believed to be intractable, there is no proof of it at the moment. In spite of that, RLWE variant appears to be eminently practical. While, in common with most post-quantum proposals, the key sizes are much larger than those of existing methods, they often require much less computing power. For example while an elliptic curve based cryptosystem might use keys of 256 bits, an equivalent system based on RLWE might require keys of 4096 bits, while running maybe 10-100 times faster (

[13]). These differences might be seen as balancing each other out. Likewise, 30% of the surviving proposals for the NIST are based of RLWE.

Our report is structured as follows:

In section 2 we provide a quick introduction to the different funtionalities of cryptography and introduce the main terms and facts on complexity as they show up in the literature. We provide several examples, elaborating on those presented in the course by the author.

In section 3 we expose the main concepts of lattice-based cryptography. We focus on the classical LWE, over which RLWE is built and discuss its advanteges and drawbacks.

Section 4 is an quick overview of a few key concepts in algebraic number theory: rings of integers, canonical embedding, and other topics. These pieces will make the foundations of RLWE, but the reader who is familiar with this material can safely skip it.

Section 5 introduces the RLWE problem in its various formulations and reports on several attacks to the scheme, which motivate some number theoretical problems and conjectures.

Section 6 addresses RLWE-based digital signatures and homomorphic encryption, a functionality which is gaining much interest today, since it allows to solve a good number of logistic and security problems in cloud computing and storing. We close the survey by discussing in detail some NIST figures.

A couple of remarks to end this introduction: first, by a polynomial time algorithm we mean an algorithm for which there exists a polynomial and a size function of the family of the algorithm inputs , such that the time it takes to run the algorithm on input is . Second, we will use sometimes the -notation: a function is if it is for some .

Acknowledgements: The author thanks Gary McGuire for carefully reading a preliminary version of this survey, to Mike Scott for providing most of the practical highlights on RLWE and to the Basque Center for Applied Mathematics for their invitation to give this course. Active and insightful discussion with the audience of the course, and in particular with Sebastiá Xambó set the author to write this work.

2. Post-quantum cryptography

2.1. Cryptography features

Requirements such as confidentiality and proofs of identity are crucial in electronic financial and legal transactions, while some other features like non-repudiation or operating on encrypted data (homomorphic encryption) are gaining much traction within the last few years. We examine here most of these functionalities.

The best known cryptographic problem is confidentiality. This is attained by the use of well-designed encryption/decription schemes.

To start with, we fix a finite alphabet , with some methematical structure such as an abelian group or a field (e.g. the finite field for and prime, or an elliptic curve over this field). We consider three sets (keys), (plaintexts) and (ciphertexts) with . Finally, we consider a set which parametrizes the level of security, i.e., the larger , the safer the scheme.

Definition 2.1 (Cipher schemes).

A cipher over is a family of pairs of efficiently computable functions where for each , (encryption function) and (decryption function) are such that for each key and for each plaintext , the following correctness property holds:

That is to say, decryption undoes encryption.

Efficiently computable means that both and can be computed by an algorithm which is polynomial in the security parameter , i.e., there exist polynomials only depending on the scheme, such that for each , , , and , the number of steps to compute (resp. ) is upper bounded by (resp. ). Moreover, the algorithm for can be probabilistic, while should always be deterministic.

Since in our definition both the encryption and decryption parties have the same key (i.e., the scheme is symmetric), they should agree beforehand on that key somehow. For instance, they might do it physically in a secret meeting but they can also use a digital key exchange protocol. As usual, any arbitrary legitimate sender (receiver) will be called Alice (Bob), and any arbitrary eavesdropper will be called Eve.

Definition 2.2 (Key exchange protocol).

A key exchange protocol is an efficient method for Alice and Bob to agree on a key through a (potentially non-safe) channel. One of the most famous protocols is Diffie-Hellman’s (DH), where Alice and Bob start by agreeing on a finite feld and a primitive root , made public. To agree on a private key, Alice selects an integer and Bob selects an integer . Then, Alice sends to Bob, who on receiving it, raises it to modulo , getting . Next, Bob sends to Alice, who raises it to , obtaining also , the agreed private key.

Notice that without knowledge of or , Eve cannot obtain from and in an efficient manner (on a classic computer!), the obtruction being the unfeasibility of the discrete logarithm, namely, to obtain from modulo , if is known. Nowadays, a combined usage of Diffie-Hellman (or some variant) with a suitable symmetric cipher is used in most internet protocols, like TLS or TCP/IP. A variant of DH is ECDH, where the multiplicative group is replaced by the additive group of an elliptic curve over .

Definition 2.3 (Digital signatures).

A signature scheme is a pair , where is an efficient key generating probabilistic algorithm, and is a family of pairs of polynomial-random-algorithm-computable functions (space of tags) and such that whenever (secret key) and (public key) are sampled from on security level , it is, for every message :

For a security level , is called the signature function and the verification function, which returns 1 if the signature is valid and 0 otherwise. This scheme provides a proof that the message was created by a known sender (authentication) and the sender cannot deny having sent the message (non-repudiation).

Integrated Encryption Schemes implement both encryption and authentication. Two of the most commonly used are ECIES, which operates with elliptic curves and DLIES, which operates over .

Example 2.4.

If is a cipher over , and for each , and are bijective, we can turn the cipher into a signature scheme by setting , and

Classic designs of digital signature schemes include Rabin’s algorithm, Lamport schemes and Merkle trees, as well as RSA-based protocols.

Definition 2.5 (Homomorphic encryption).

Let be a cipher over where and are abelian groups under the operations and respectively. The cipher is said to be homomorphic if for each key and plaintexts , it is

Example 2.6.

RSA encryption is homomorphic. Indeed, for an RSA integer and an exponent modulo with inverse , encryption goes as , which clearly commutes with the product modulo , but not with the sum.

When in addition, and have ring structure and encryption commutes with both ring operations, the cipher is said to be fully homomorphic (FHE). Notice that RSA is not fully homomorphic.

Homomorphic encryption allows to perform operations on the plaintext by operating directly on the ciphertexts, i.e., without decrypting first. This is relevant when the operations are outsourced and performed over a non-trustable server. Applications of homomorphic encryption include encrypted database queries, cloud computing, genetic computing, health data management or outsourced generation of blockchain addresses.

2.2. P, NP, NP-hard and NP-complete

The author has often seen that the terms intractable, unfeasible, and hard, are used in the post-quantum cryptography literature in a rather loose (at best!) manner and this may lead to believe that certain computational problems enjoy certain complexity guarantees that they simply have not. We make here precise the main terms that will appear in the problems which back lattice cryptography.

Definition 2.7 (The P and NP classes).

The P class consists of the decission problems whose solution can be found on a deterministic Turing machine in polynomial time in the input size. The NP class consists of the decission problems for which a putative solution can be checked to be a real solution or not in polynomial time on a determnistic Turing machine.

Equivalently, the NP-class consists of the decission problems such that a solution can be found in polynomial time on a non-deterministic Turing machine. A common misconception is that the NP term in NP-hard stands for non-polynomial when in fact it stands for non-deterministic polynomial acceptable problems.

Definition 2.8 (reduction).

We say that a problem A admits a reduction to a problem B if any instance of A can be transformed to an instance of B in polynomial time, namely, if solving B suffices for solving A.

Informally, NP-hard and NP-complete problems are those at least as hard as those in the NP-class, but while NP-complete problems belong to NP, NP-hard ones need not to, hence NP-hard problems can be regarded as more intractable than NP-complete ones. More precisely:

Definition 2.9.

The NP-hard class consists of those problems A such that every problem in NP can be reduced to A in polynomial time. The NP-complete class consists of those NP problems which are NP-hard.

Example 2.10.

In a major breakthrough, Agrawal, Kayal and Saxena proved that primality testing, i.e., deciding whether a positive integer is prime or not is a P problem.

More relevant to cryptographers, the celebrated Shor’s algorithm solves the factoring problem (i.e. finds the prime factorisation of a positive integer) in polynomial time on a quantum computer. This does not mean that this problem is in the P-class, as a (probabilistic) quantum algorithm is not equivalent, in general, to a Turing or sequential machine. On the other hand, the prime factorsation problem is clearly NP: checking if a putative solution (i.e. a prime decomposition) is a prime factorisation of an integer can be done in (deterministic) polynomial time. However it is not known if prime factorisation is NP-hard (and hence NP-complete). It is expected, moreover, not to be in the P class, but as pointed out before, it can be carried out, with arbitrarily high probability, on a quantum computer.

To factor a positive integer , Shor’s algorithm runs over all the integers in the range . For , if is a unit modulo , the algorithm calls a sub-routine to compute the order of modulo . With this period, the algorithm produces a non-trivial factor of .

The period-finding sub-routine is run on a quantum computer, but the use of the period to produce a factor is classical.

Example 2.11.

There is a polynomial time quantum reduction from the discrete logarithm problem (DLP) to the the order-finding problem.

Indeed, given , use the polynomial time quantum sub-routine in Shor’s algorithm to find , the order of . Second, use Shor’s algorithm to find .

Now, observe that . Thus, . Hence, it suffices to test, for , if (by the Euclidean algorithm), and in that case, also by the Euclidean algorithm, if is coprime to . If so, check if .

So, a quantum computer would render insecure protocols as RSA and Diffie-Hellman. Even more, Tate and Weil’s pairings allow to reduce ECDLP to DLP, hence, symmetric cryptography based on elliptic curves would also be broken in a post-quantum scenario. This is a reason to consider schemes which use pairing-free abelian varieties, hence other than elliptic curves. Jacobians of hyperelliptic curves are known to be good candidates but beyond genus 3, the complexity of finding explicit equations and explicit computations for the addition law render them unfeasible.

On the other hand, NP-complete problems are not expected to be solvable even in a quantum compute, hence NP-hard are neither. However, this is only conjectural.

Another well-known conjecture is whether or not. If equality held, all cryptographic (classic and postquantum) primitives based on NP-complete problems (which are, in particular, NP problems, hence P problems, by the assumed equality) would be useless. On the contrary, if, as it is widely believed, , then every NP-hard problem would be non-polynomial, hence suitable for cryptography: indeed, if is NP-hard, in case , take in . Then cannot be polynomial (otherwise, would be so).

But for the moment, lacking a proof of , all we can say is that NP-hard problems are strongly expected to be suitable for (postquantum) cryptography.

3. Lattice based cryptography

The security of lattice-based schemes relies on two NP-hard problems, which are expected to be intractable on a quantum computer, and which we explain next. By length, we mean Euclidean length, denoted . By a lattice we understand, from now on, a finitely generated additive subgroup of . When the rank of a finitely generated abelian group is , the lattice is said to have full rank.

Problem 3.1 (Svp).

Let be a full rank lattice in and denote by the length of the shortest non-zero vector. The shortest vector problem (SVP) is to determine a vector with length . For , the -approximate shortest vector problem (-SVP) is to determine a non-zero vector with length smaller than .

Problem 3.2 (Cvp).

Let be a full rank lattice in . The closest vector problem (CVP) consists in, given , to find such that

If is an arbitrary lattice, i.e., if no extra condition is imposed on it, in [2] (resp. in [15]) it is proved that CVP (resp. SVP) is NP-hard. Hence, if , these two problems cannot be solved in polynomial time, even with the aid of a quantum computer.

3.1. Learning with errors (LWE)

Let be a rational prime for which a suitable choice will be made later. A provably quantum-secure instantiation of lattice-based cryptography relies on the LWE problem, which we describe in this subsection.

Definition 3.3 (LWE-oracles).


be a discrete random variable

with values over . For , chosen uniformly at random, a LWE-oracle with respect to and , denoted , is a probabilistic algorithm which, at each execution, performs the following steps:

  • Samples a vector uniformly at random from .

  • Computes the scalar product .

  • Samples from .

  • Outputs the vector .

Definition 3.4 (The LWE problem).

Let be a discrete random variable with values in as before. The LWE problem for and is defined as follows:

  • Search version: for an element chosen uniformly at random and a LWE-oracle , if an adversary is given access to arbitrarily many samples of the LWE distribution, this adversary must recover .

  • Decisional version: for an element chosen uniformly at random and a LWE oracle , the adversary is asked to distinguish, with non-negligible advantage, between arbitrarily many samples from and the same number of samples where and are chosen independently and uniformly at random from and .

From now on, will be a discrete Gaussian variable values on , which is defined as follows: For we set . Write

and define to be the distribution on such that the probability of is

. Finally, the discrete Gaussian distribution

with values in , mean , and parameter is defined by the probability function

Some words of caution: first, the variance of

is close to , but is not exactly , in lattice-based cryptography what is relevant is the parameter , rather than the variance. Second, the discrete Gaussian over is more complicated than truncating a continuous Gaussian to its closest integer. Effective sampling from discrete Gaussian distributions is a major topic and in practical cases it is approached only by numerical approximation. The reader is referred to [7] for a formal discussion as well as for generalisations to lattices in , which will be used in next chapters.

In the Machine Learning terminology, an algorithm which solves the search version of LWE is a

training algorithm using the collection of LWE samples as a training set. On the other hand, Regev found in [18] a polynomial time quantum reduction from the SVP problem to the LWE problem. This means that a training algorithm A for the LWE problem can be turned, in polynomial time (on a quantum computer), into an algorithm B (of the same complexity as A) which solves the SVP problem. Since we have seen before that the SVP problem is NP-hard, it follows that the LWE problem is also NP-hard.

Based on this hardness guarantee, the LWE problem can be used to build the following cryptosystem:

Construction 3.5 (LWE cryptosystem, Regev ([18])).
  • Parameters: , .

  • Private key: chosen uniformly at random.

  • Public key:

    • Sample , independently and uniformly at random.

    • Sample , independently from , which is assumed here to be a discrete Gaussian of zero mean and parameter .

    • Publish .

  • Encryption: for a bit , consider it as an element of by mapping the and of to the and of . Select a random subset and map

  • Decryption: on receiving an encrypted message , compute . This equals .Hence, divide by . For suitable choice of , the remainder has absolute value below , so decrytption is just the quotient of the division of by (with huge probability).

The right choice of , and is given in the following result, whose proof is omited since it is very similar to the cryptographic scheme presented in the next subsection, whose proof we provide.

Theorem 3.6.

If , and is of the order of , then the LWE cryptosystem is correct and pseudorandom

I.e. statistically indistinguishable from a uniform distribution


As we can see, a public key for LWE has vectors in , since is of the order of , it turns out that a public key has an -size of the order . This quadratic overhead is an unfeasible constrain from a practical point of view, in particular in settings such as hand-held digital broadcasting, mobile encryption and small devices in future applications of the IoT (Internet of Things), where the hardware has a relatively small memory. A variation of the LWE problem, the ring learning with errors (RLWE) problem was introduced to tackle this quadratic overhead. The foundations of the problem require several notions from algebraic number theory, which we present next.

4. Some basics of algebraic number theory

Here we present the notions of algebraic number theory used to build the RLWE cryptosystem. Readers who are familiar with them can easily skip this section, while readers who are not are referred to [21], Chapter 2 for more details.

4.1. Algebraic number fields

A number field is a field extension of finite degree , where satisfies a relation for some irreducible polynomial , which is monic without loss of generality. The polynomial is called the minimal polynomial of , and is also the degree of . Notice that is in particular an -dimensional -vector space and the set is a -basis of called the power basis. Notice that associating with the indeterminate yields a natural isomorphism between and .

A number field of degree has exactly field embeddings (injective field homomorphisms) fixing the base field , which we denote . These embeddings map to each of the complex roots of its minimal polynomial . An embedding whose image lies in (corresponding to a real root of ) is called a real embedding; otherwise it is called a complex embedding. Since complex roots of come in conjugate pairs, so do the complex embeddings. The number of real embeddings is denoted and the number of pairs of complex embeddings is denoted , so we have . The canonical embedding is then defined as

Note that is a field homomorphism from to , where multiplication and addition in the latter are both component-wise.

4.2. Algebraic integers

An algebraic integer is an element whose minimal polynomial over has integer coefficients. For a number field of degree , let denote the set of all algebraic integers in . This set forms a ring (under addition and multiplication in ), called the ring of integers of . It happens that is a free -module of rank , i.e., it is the set of all -linear combinations of some basis of . Such a set is called an integral basis.

Example 4.1.

Let be an integer. The set of primitive -th roots of unity (those of the form , with coprime to ) forms a multiplicative group of order . The -th cyclotomic polynomial is

This is the minimal polynomial of for each , so that is an algebraic number field of degree . It can be proved ([21] Chap 3) that the ring of integers of is precisely .

Example 4.2.

Let be a square-free integer. Consider the number field . It can be shown that the ring of integers of is if and otherwise.

Definition 4.3 (The discriminant).

Let be a number field of degree n, and its ring of integers. The discriminant of , denoted is the square of the determinant of the following matrix:

where is a -basis of . Notice that since lattice base-change matrices are unimodular, the definition does not depend on the choice of the basis.

4.3. Ideals and ideal lattices

Recall that an ideal of a ring is an additive subgroup such that for each and each , it is .

For instance, for , the subring is not an ideal of the ring of integers, just a subring with finite index.

If is discrete, for an embedding , is a lattice. An ideal lattice for the pair is the image for an ideal of . When for a number field of degree , the canonical embedding provides in a natural way an ideal lattice for each ideal of . Notice that the square root of is the volume of the fundamental parallelogram of the lattice . From now on, by ideal embeddings we will mean with respect to the canonical embedding.

Notice that for the canonical embedding, multiplication and addition are preserved component-wise. For instance, for the ring , the coordinate embedding does not preserve addition and multiplication component-wise: multiplying by , for instance, is equivalent to shifting the coordinates and negate the independent term. This is one of the advantages of using the canonical embedding.

5. Ring learning with errors in its several variants

5.1. Statement of the problems

To define the ring learning with errors (RLWE) problem, let be a number field of degree and ring of integers . By using the canonical embedding we can regard it as a full rank lattice.

A closely related (and equivalent under some conditions) problem is the polynomial learning with errors problem (PLWE). To define it, we start with a monic irreducible polynomial and consider the ring . Notice that the polynomial defines a number field for each root of and all of them are -isomorphic. Moreover, the ring is a finite-index sub-order of the ring of integers . The restriction of the canonical embedding to this suborder provides also a lattice. A very common choice is , where , which is the -th cyclotomic polynomial.

Let be a rational prime which we will choose later.

Definition 5.1 (RLWE and PLWE-oracles).
  • Set and . Fix also a discrete random variable with values in . For , chosen uniformly at random, a RLWE-oracle with respect to and is a probabilistic algorithm which, at each execution performs the following steps:

    • Samples an element uniformly at random,

    • Samples an element from and computes ,

    • Outputs the pair .

  • For a monic irreducible polynomial , set and . Fix also a discrete random variable with values in . For , chosen uniformly at random, a PLWE-oracle with respect to and is a probabilistic algorithm which, does exactly the same steps as an RLWE-oracle, but with the difference that is now a quotient polynomial ring instead of the quotient of a ring of integers.

Definition 5.2 (The RLWE problem).

Set and as before. Let be a discrete random variable with values in . The RLWE-problem for is defined as follows:

  • Search version: for an element chosen uniformly at random and a RLWE-oracle , if an adversary is given access to arbitrarily many samples of the RLWE distribution, this adversary must recover .

  • Decisional version: for an element chosen uniformly at random and a RLWE-oracle , the adversary is asked to distinguish, with non-negligible advantage, between arbitrarily many samples from and the same number of samples where are chosen uniformly at randon from .

If we set instead of , we have the analogous definitions for the PLWE problem in its search and decisional versions.

Some words on the class of distributions we will use from now on. Notice that one sample is an -tuple of coordinates with values in , but it is something more than n LWE samples ( is not only an - vector space, but has also a ring structure). This is the reason why instead of taking -independent discrete -valued Gaussians, we rather use an -valued Gaussian. As in the -dimensional case, the mean will also be and the variance-covariance matrix (or rather, the multidmensional parameter) will be chosen to be diagonal (which is referred to as saying that the distribution is elliptic). This is useful when carrying out the security-reduction proofs. Moreover, it is enough for most of the proofs to assume that the diagonal elements of the covariance matrix are bounded in absolute value by , for a parameter which will be made explicit in the next theorem. Hence, from now on, we assume that is an elliptic -dimensional Gaussian of -mean and the elements of the diagonal are bounded as explained. The details are delicate and can be omited in a first study, since the aforementioned bound is what really matters for most proofs, but the reader is referred to [14], p. 19 for more information.

The next result backs the security of the decisional RLWE-problem (hence of the search RLWE-problem) in the security of the SVP over ideal lattices.

Theorem 5.3 ([14], page 19).

Let be the -th cyclotomic number field of degree and its ring of integers. Let and let , be a prime bounded by a polynomial in such that . There is a polynomial time quantum reduction from -SVP on ideal lattices of to the decisional RLWE problem for and .

The proof consists of two parts: the first is a quantum reduction from worst case approximate SVP on ideal lattices to the search version of RLWE. The reduction works in general, not for just cyclotomic number fields. It uses the iterative quantum reduction for general lattices in [18] as a black box, the main effort being the classical (non-quantum) part, which requires a careful handling of the canonical embedding and the Chinese Remainder Theorem.

The second part shows that the RLWE distribution is pseudorandom via a classical reduction from the search version, which has been shown hard in the first part. It uses the fact that the cyclotomic field is Galois and the fact that , which ensures that the ideal splits totally into ideals in .

In [17] Theorem 6.2, the authors build on the same number-theoretical kind of arguments as in [14] to prove an analogue of 5.3 for non-cyclotomic Galois number fields.

As pointed out before, for the cyclotomic number field, the ring of integers satisfies , with a primitivee -th root of unity. Since this ring is isomorphic to , with the -th cyclotomic polynomial, it easily follows that both the RLWE and PLWE problems are equivalent each other. For number fields other than cyclotomic, all we can say at the time of writing is the following:

Theorem 5.4.

There is a polynomial quantum reduction algorithm from decision (resp search) RLWE in to decision (resp. search) PLWE for , where is the splitting field of , for an infinite family of polynomials, in particular for the family where , runs over polynomials with and runs over primes such that For , the -norm is defined as , with a polynomial. Notice that there is a trivial reduction from PLWE to RLWE.

To close the picture, the following result is also true:

Theorem 5.5 ([19]).

For an arbitrary Galois number field , there is a quantum reduction algorithm from search RLWE in to decision RLWE.

5.2. The LPR (Lyubashevsky, Peikert and Regev) RLWE-cryptosystem

Both RLWE and PLWE problems can be turned into public key cryptosystems, as we show next. We will focus in the PLWE version, which is more suitable for computer implementations, i.e., we will set for a monic irreducible and a prime. Notice that the ring is, as a ring, isomorphic to for suitable depending on the splitting type of of in the corresponding ring of integers.

As said in the former subsection, the parameter of is upper bounded entry-wise by , and is chosen to be less than and as in 5.3. Take big enough so that the variance of is close enough to its parameter and such that (this will be used to grant the correctness of the cryptosystem).

Construction 5.6 (The RLWE cryptosystem).
  • Key generation: choose uniformly at random and choose sampled from and reduced modulo . The secret key will be and the public key will be the pair .

  • Encryption: take a plaintext consisting of a stream of bits and regard it as a polynomial in , mapping each bit to a coefficient, say, . Choose sampled from and reduced modulo . Set and .

  • Decryption: Perform and round the coefficients either to zero or to , whichever is closest mod .

Proposition 5.7.

The PLWE cryptosystem is correct (i.e. decryption undoes encryption) and pseudorandom.


For correctness, notice that for the chosen values of , and , with arbitrarily large probability, the value will have magnitude less than , so the bits of can be recovered by dividing by , dismissing the reminder, and decrypting, bit by bit, to this quotient.

For pseudorandomness, first note that RLWE samples are pseudorandom even when is sampled from , by a transformation to the Hermite normal form. Therefore, public keys are pseudorandom and we can replace them by a uniform pair in . The observations of a passive adversary are and which are also pseudorandom, since is also sampled from . ∎

5.3. Attacks on RLWE

A detailed report on the state of the art of attacks on the RLWE cryptosystem can be found in [8], where the authors discuss a list of open questions in algebraic number theory motivated by this cryptosystem. This interplay between applied and pure number theory constitutes a fruitful link which is expected to motivate a flow of results from each direction to the other. We present here only a few of these attacks and questions, working out some details. Within this subsection, we assume that is a number field of degree , and in the PLWE setting, that the defining polynomial splits totally over . This is unnecessary but it will simplify the exposition, while keeping the essential facts.

A first fact to mention is that at the time of writing, there is no direct attack against RLWE, i.e., without a reduction to an attack on PLWE, other than general attacks against arbitrary lattices , using bounded distance decoders. This topic is under research by the author of this survey. So, all the attacks presented here attemp at breaking PLWE first and then to reduce RLWE to PLWE.

Theorem 5.8 (Elias et al. [8]).

If satisfies the following six conditions, there is a polynomial time attack to the search version of the associated RLWE scheme:

  • is Galois of degree .

  • The ideal splits totally in .

  • is monogenic, i.e, .

  • The transformation between the canonical embedding of and the power basis representation of

    is given by a scaled orthogonal matrix.

  • If is the minimal polynomial of , then .

  • The prime can be chosen suitably large.

The first two conditions are sufficient for the RLWE search-to-decision reduction in the case where , which is implied by the third condition. The third and fourth conditions are sufficient for the RLWE-to-PLWE reduction; and the last two conditions are sufficient for the attack on PLWE. Unfortunately (for the attacker’s point of view), it is difficult to construct number fields satisfying all six conditions simultaneously.

Next, we explain the attack on PLWE if 5 and 6 hold.

Setting as usual and , fix a public key and a secret key , i.e with sampled from the discrete Gaussian and reduced modulo .

For each root of , consider the projection given by . By short vector in we refer to those with small coefficients, which in practice means that these are upper bounded, in absolute value, by . For suitable parameter, these short vectors lie inside a prescribed region with non-negligible probability and are easy to recognise. However, for a pair , it is difficult to check if it exists and a short vector such that , in which case the attacker would guess that . The reason is that there are possibilities for to test, which is prohibitive.

By contrast, in a small ring like , it is easy to examine the possibilities for exhaustively: we can loop through the possibilities for , obtaining for each the putative value . The Decision Problem for PLWE, then, is solved as soon as we can recognize the set of that arise from the Gaussian with high probability.

Again, this is difficult in general, but if 5 holds, i.e., if is a root of , the attacker has a chance:

Let us denote by the subset of polynomials that are produced by the Gaussian with non-negligible probability. This is a small set, due to the parameter choice. However, is also a much smaller set than and one expects that generically, or something very close. One says that in this case smears across all of .

But we are supposing that . The polynomials have small coefficients, and hence have small images . This is simply because is much smaller than , due to 6, so that the sum of small coefficients is still small modulo .These ideas can be turned into the following algorithm:

Algorithm 5.9.

Suppose . The input is a collection of pairs , where each sample is drawn either uniformly at random or from the PLWE distribution . The output is to decide, for each sample, from which distribution is taken, with non-negligible probability. The algorithm is as follows:

  • For to do

  • Set ; This is the first guess for , which will be updated after each iteration.

    • For each do

    • Compute ;

    • If is not small in absolute value modulo q, then conclude that the sample cannot be valid for with nonnegligible probability, and update ;

    • Next ;

  • If , conclude that the sample was random, otherwise declare the sample as valid;

  • Next i;

Remark 5.10.

Notice that in the inner loop, if the sample is valid, then , and if is the variance of (which is spherical with respect to our embedding, fixed beforehand), then, is sampled from a discrete Gaussian distribution of zero mean and parameter . The region of non-negligible probability for this Gaussian, say, makes a sensible guess for the set .

Notice that the cyclotomic cases are protected against this attack: is never a root modulo of a cyclotomic polynomial of degree greater than 1 when is sufficiently large. However, with minor modifications, it is possible to extend the former attack to the case where small order modulo . Indeed, denote by the order of modulo . For a polynomial , to decide if is sampled from a Gaussian distribution in a similar fashion as in Remark 5.10 is more complicated. However, one can still take advantage of a small , as we explain next.

For , set with . Define for and write

If is sampled from a Gaussian with variance , then each term is sampled from a 1-dmensional Gaussian of variance . This defines a smallness region to look at in order to guess tentative values of . With this observation, we can derive the following algorithm:

Algorithm 5.11.

Suppose . The input is a collection of pairs , where each sample is drawn either uniformly at random or from the PLWE distribution . The output is to decide, for each sample, from which distribution is taken, with non-negligible probability. The algorithm is as follows:

  • For to do

  • Set ;

    • For each do

    • Compute ;

    • If , then conclude that the sample cannot be valid for with nonnegligible probability, and update ;

    • Next ;

  • If , conclude that the sample was random, otherwise declare the sample as valid;

  • Next i;

5.4. Some number theoretical open questions motivated by attacks on PLWE

As seen before, being simultaneously Galois and monogenic, having as a root of the minimal polynomial modulo (or some other root of small order) and the non-smearing under the evaluation map of the set of small vecotrs in can be regarded as weakness conditions to build a RLWE-based cryptosystem. We give next a list of number theoretical problems which are motivated by the search of security in RLWE-based primitives and are still open, up to date.

Question 5.12.

Are there fields of cryptographic size (i.e. ) which are Galois and monogenic, other than the cyclotomic number fields and their maximal real subfields? How can one construct such fields explicitly? Is it possible to test algorithmically both features?

Notice that for fields of cryptographic size, the discriminant is too big to test whether or not it is square free, hence to decide if it is monogenic. An algorithmic approach which circumvects this testing is not available at the time of writing. Although for fields of small degree, a complete characterisation may be feasible (sufficient and necessary conditions for a cubic number field have been found by Gras and Archinard), the situation is much different for large degree fields. For instance, cyclic extensions tend to be non-monogenic:

Theorem 5.13.

Any cyclic extension of prime degree is non-monogenic except for the maximal real subfield of the -th cyclotomic field.

Another result in this direction is as follows:

Theorem 5.14.

Let 5 be relatively prime to . There are only finitely many abelian number fields of degree that are monogenic.

Question 5.15.

Let be a root of modulo . For which subsets it is ?

Or, at least, can one determine the conditions for non-smearing, like in the case when and is a set of small vectors in ?

Finally, as seen before, polynomials with small order roots modulo should be avoided. Again, cyclotomic polynomials are safe for attacks built on small order roots, as their roots have maximal order. The problem here is as follows:

Question 5.16.

For random polynomials and random primes for which has a root modulo , what can one say about the order of modulo ?

A special instance of this question is this famous open problem:

Problem 5.17.

For given , how often is a primitive root modulo as runs over the primes?

A conjecture by Artin states that is a primitive root modulo for infinitely many primes such that is not a perfect square or modulo . Moreover, the conjecture describes the density of such primes.

6. Beyond encryption and some NIST figures

6.1. RLWE Digital Signatures

We focus here in the most recent RLWE digital signature scheme, the GLYPH ([5] 2017), which improves an earlier scheme by Gunyesu,Lyubashevsky and Poppelman (GLP). This and other RLWE-based signatures schemes have the smallest public keys and signature sizes among postquantum digital signature schemes.

A first difference to mention here is that instead of discrete Gaussians, the coefficients of small polynomials are sampled uniformly from with . Secondly, the lengths of signatures must not exceed a prescribed parameter , regardless of the size of the message to sign. To attain this, the scheme uses a hash function , which takes arbitrary messages to bit strings of length . Third, the procedure has a sampling rejection step: if the infinity norm of a signature polynomial exceeds a fixed bound, , that polynomial will be discarded and the signing process starts again. This process will be repeated until the infinity norm of the signature polynomial is less than or equal the bound. Rejection ensures that the output signature is not exploitably correlated with the signer’s secret key values. In GLYPH, the bound, will be , where k is the number of non-zero coefficients allowed in acceptable polynomials.

Last, the maximum degree of the signature polynomials will be and therefore have coefficients. Typical values for are 512, and 1024. The coefficients of these polynomials will be taken from the field where

is an odd prime congruent to

mod . For , GLYPH sets , and . The scheme is as follows:

  • Key generation:

    • Generate two polynomials and with coefficients chosen uniformly from the set . The pair is the private key.

    • Compute , with chosen uniformly at random. The public key is .

  • Signature generation:

    • Generate two small polynomials and .

    • Compute .

    • Map into a bit string .

    • Compute . The denotes concatenation of strings.

    • Compute and .

    • While the infinity norms of or is greater than go to step 2.1.

    • The signature is the triple of . Transmit the signature along with the message . Notice that we are not discussing here signatures of encrypted messages, which is a more sophisticated cryptographic functionality.

  • Signature verification:

    • Verify that the infinity norms of and do not exceed . If not, reject the signature.

    • Compute .

    • Map into a bit string .

    • Compute .

    • If reject the signature, otherwise accept the signature as valid.

Notice that , hence if the signature is not tampered, hence the scheme is correct.

6.2. RLWE Homomorphic encryption

Although homomorphic encryption was first introduced by Rivest, Adleman and Shamir back in the 70’s, it was first constructed by Craig Gentry in 2009 in its seminal paper [10]. The possibility of cheap cloud computing and distributed storage have drastically changed how business and individuals process their data and although traditional encryption like AES are very fast, to perform even simple analytics on encrypted data requires either the cloud server to access the secret keys, leading to security concerns or to download the data, decrypt and operate, which is costly. Homomorphic encryption is the solution to this challenge.

Areas where homomorphic encryption has applications include electronic voting systems and processing or computing on encrypted or compressed health, financial or other kinds of sensitive data on external servers like cloud or distributed devices.

Homomorphic and fully homomorphic encryption(FHE) has already been introduced here in Definition 2.5, and Example 2.6 provides an example of non-fully homomorphic encryption scheme. RLWE provides a FHE scheme, as we see next.

Definition 6.1 (The BGV cryptosystem ([4])).

Denote , with the -th cyclotomic polynomial and . Consider as the space of plaintexts the ring , for fixed . The scheme is parametrized by a sequence of decreasing moduli such that and an -th level ciphertext is a vector .

  • Key generation: Chose by sampling from a discrete Gaussian such that the probability of the set is close enough to .

  • Encryption/Decryption: A plaintext is encrypted to if and only if modulo equals in with for some .

Observe that adding or multiplying two i-level ciphertexts results in an -level ciphertext, so computations over level -ciphertexts are not allowed, as they cannot be decrypted. Several recent refinements to this scheme have been proposed ([11]) and the topic is still under research.

Several open-source implementations of homomorphic encryption are available. For instance, HELib, a widely used library from IBM that implements the BGV cryptosystem, SEAL, a Microsoft version, (pronounced LOL), a Haskell library for ring-based lattice cryptography that supports FHE or PALISADE, a general lattice encryption library. it is possible to add new implementations after public review by contacting contact@HomomorphicEncryption.org. In sum, homomorphic encryption is already ripe for mainstream use but the lack of standardisation makes difficult to start using it.

6.3. NIST figures

In 2017, the American National Institute of Standards and Technology (NIST), opened an open process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. In their own words:

The question of when a large-scale quantum computer will be built is a complicated one. While in the past it was less clear that large quantum computers are a physical possibility, many scientists now believe it to be merely a significant engineering challenge. Some engineers even predict that within the next twenty or so years sufficiently large quantum computers will be built to break essentially all public key schemes currently in use. Historically, it has taken almost two decades to deploy our modern public key cryptography infrastructure. Therefore, regardless of whether we can estimate the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems to be able to resist quantum computing.

The deadline for submission was November 30, 2017. The total number of submissions (for encryption, key exchange and signatures) was 71. At the time of writing, 14 submissions have been attacked or withdrawn (due to an attack or the finding of a fatal mistake by the authors). Of the remaining 57, some of the proposals (mainly code-based ones) have merged. Taking this into account, 50 proposals remain unbroken. Some of them have been found to have non-fatal statistical attacks, which can be avoided with a right choice of parameters.

Now, of these 50 proposals: 9 are code-based, 21 are lattice-based, 2 are hash-based (and both have been found to have non-fatal attacks or there are parameter concerns), 9 are multivariate-based, 1 is a supersingular isogeny Diffie-Hellman (SIDH) key-exchange protocol, which has a potential attack. The remaining 8 submissions are hybrid or are based on problems such as random walks (1), braids (2), Chebychev polynomials (1) or hypercomplex numbers (1).

Finally, in the lattice-based category, 15 are RLWE-based. Of these 15, 2 of them are PLWE-based. For details cf. https://www.safecrypto.eu/pqclounge/


  • [1] E. Alkim, L. Ducas, T. Pöppelmann, P. Schwabe. Post-quantum key exchange: a new hope. Proceedings of the 25th USENIX Security Symposium 2016 pp 327–343.
  • [2] P. E. Boas. Another NP-Complete Problem and the Complexity of Computing Short Vectors in a Lattice. Tech. Report 81-04, Mathematische Instituut, University of Amsterdam, 1981.
  • [3] M. Braithwaite. Experimenting with post-quantum cryptography. Google Security Blog, 2016. https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
  • [4] Z. Brakersky, C. Gentry, V. Vaikuntanathan. (Leveled) Fully Homomorphic Encryption without Bootstrapping. https://people.csail.mit.edu/vinodv/6892-Fall2013/BGV.pdf
  • [5] A. Chopra. GLYPH: A New Instantiation of the GLP Digital Signature Scheme. https://eprint.iacr.org/2017/766.pdf
  • [6] J. Ding, B.Y. Yang. Multivariate public key cryptography. \(https://link.springer.com/content/pdf/10.1007/978-3-540-88702-7_{6}.pdf\)
  • [7] N.C. Dwarakanath, S. D. Galbraith. Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Preprint: https://www.math.auckland.ac.nz/ sgal018/gen-gaussians.pdf
  • [8] Y. Elias, K. Lauter, E. Ozman, K. Stange. Ring-LWE cryptography for the number theorist. In: E. Eischen, L. Long, R. Pries, K. Stange (eds) Directions in Number Theory. Association for Women in Mathematics Series, vol 3. Springer 2016.
  • [9] L. de Feo: Mathematics of isogeny based cryptography. https://arxiv.org/pdf/1711.04062.pdf
  • [10]

    C. Gentry. Fully Homomorphic Encryption Using Ideal Lattices. In the 41st ACM Symposium on Theory of Computing (STOC), 2009.

  • [11]

    S. Halevi, V. Shoup. Faster Homomorphic Linear Transformations in HElib.

  • [12] J. Hoffstein, J. Pipher, J. H. Silverman. NTRU: A ring-based public key cryptosystem. ANTS-III, pp 267-–288, 1998.
  • [13] R.Le Clercq, S. S. Roy, F. Vercauteren, I. Verbauwhede. Efficient software implementation of RLWE encryption. https://eprint.iacr.org/2014/725.pdf
  • [14] V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. In: Gilbert H. (eds) Advances in Cryptology – EUROCRYPT 2010. Lecture Notes in Computer Science, 6110. Springer.
  • [15] D. Micciancio.The shortest vector in a lattice is hard to approximate to within some constant.In Proc.39th Annual IEEE Symposium on Foundations of Computer Science, 1998.
  • [16] R. Overbeck, N. Sendrier. Code-based cryptography. In: D.J. Bernstein, J. Buchmann, E. Dahmen (eds) Post-Quantum Cryptography (2009). Springer, Berlin, Heidelberg .
  • [17] C. Peikert, O. Regev, N. Stephens-Davidowitz. Pseudorandomness of Ring-LWE for any ring and modulus. In STOC, 2017.
  • [18] O. Regev. On lattices, learning with errors, random linear codes and cryptography. J. ACM, 56 (6), 2009.
  • [19] M. Rosca, D. Stehlé, A. Wallet. On the ring-LWE and polynomial-LWE problems. In: Nielsen J., Rijmen V. (eds) Advances in Cryptology – EUROCRYPT 2018. Lecture Notes in Computer Science, vol 10820. Springer.
  • [20] M. Scott. A note on the implementation of the Number Field Transform. IMACC 2017. https://eprint.iacr.org/2017/727.pdf
  • [21] I. Stewart. Algebraic number theory and Fermat’s last theorem. AK Peters Ltd, 2002.