On the Hardness of Ring/Module/Polynomial LWR Problems

The Learning with Rounding (LWR) problem is an important variant of the Learning with Errors (LWE) problem. Recently, Liu et al. proposed a comprehensive study of LWR problems defined over algebraic number fields in CRYPTO 2020. However, their search-to-decision reductions of LWR problems depend heavily on the existence of the socalled Normal Integral Basis (NIB). Meanwhile, the aesthetic deficiency is a lack of discussions of choices of secret s, and one may could not show the worst-case hardness of decision LWR problems strictly even for fields with NIB. In this paper, we give a more refined analysis of reductions between different LWR problems. Our contributions are summarized as follows: (1) We give a search-to-decision reduction of ring/module LWR problems defined over any number field K = Q[x]/(Φ(x)) which is Galois over Q with suitable parameters, regardless of the existence of NIB. (2) To the best of our knowledge, we give the first reduction from search ring/module LWE problems to corresponding search/decision LWR problems. Hence, combining known hardness results of LWE problems, we could reduce worst-case ideal/module lattices problems to search/decsion LWR problems strictly. (3) For the first time, we show the worst-case hardness of search/decision polynomial LWR problems defined over polynomial rings Zq[x]/(Φ(x)) with comparable small parameters, which could be regarded as a theoretical support for some ring/module LWR based crypto-systems, e.g. the NIST Round 3 candidate Saber. As a finish, we also give some hardness results of middle product polynomial LWR problems.

[1]  Chris Peikert,et al.  A Decade of Lattice Cryptography , 2016, Found. Trends Theor. Comput. Sci..

[2]  Chris Peikert,et al.  Pseudorandomness of ring-LWE for any ring and modulus , 2017, STOC.

[3]  Martin R. Albrecht,et al.  On the concrete hardness of Learning with Errors , 2015, J. Math. Cryptol..

[4]  Marco Chiani,et al.  New exponential bounds and approximations for the computation of error probability in fading channels , 2003, IEEE Trans. Wirel. Commun..

[5]  Chris Peikert,et al.  Algebraically Structured LWE, Revisited , 2019, IACR Cryptol. ePrint Arch..

[6]  Chris Peikert,et al.  A Toolkit for Ring-LWE Cryptography , 2013, IACR Cryptol. ePrint Arch..

[7]  Frederik Vercauteren,et al.  Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM , 2018, IACR Cryptol. ePrint Arch..

[8]  Damien Stehlé,et al.  On the Ring-LWE and Polynomial-LWE problems , 2018, IACR Cryptol. ePrint Arch..

[9]  Zhedong Wang,et al.  Almost Tight Security in Lattices with Polynomial Moduli - PRF, IBE, All-but-many LTF, and More , 2020, Public Key Cryptography.

[10]  Yang Wang,et al.  Provably Secure NTRUEncrypt over Any Cyclotomic Field , 2018, SAC.

[11]  Abhishek Banerjee,et al.  Pseudorandom Functions and Lattices , 2012, EUROCRYPT.

[12]  Yang Wang,et al.  Module-LWE versus Ring-LWE, Revisited , 2019, IACR Cryptol. ePrint Arch..

[13]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[14]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[15]  Feng-Hao Liu,et al.  Rounding in the Rings , 2020, CRYPTO.

[16]  Long Chen,et al.  On the Hardness of the Computational Ring-LWR Problem and its Applications , 2018, IACR Cryptol. ePrint Arch..

[17]  Abhishek Banerjee,et al.  New and Improved Key-Homomorphic Pseudorandom Functions , 2014, CRYPTO.

[18]  Zvika Brakerski,et al.  Hardness of LWE on General Entropic Distributions , 2020, IACR Cryptol. ePrint Arch..

[19]  Peter W. Shor,et al.  Algorithms for quantum computation: discrete logarithms and factoring , 1994, Proceedings 35th Annual Symposium on Foundations of Computer Science.

[20]  Damien Stehlé,et al.  CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM , 2017, 2018 IEEE European Symposium on Security and Privacy (EuroS&P).

[21]  Daniel Apon,et al.  Dimension-Preserving Reductions from LWE to LWR , 2016, IACR Cryptol. ePrint Arch..

[22]  Damien Stehlé,et al.  CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme , 2018, IACR Trans. Cryptogr. Hardw. Embed. Syst..

[23]  Silas Richelson,et al.  On the Hardness of Learning with Rounding over Small Modulus , 2016, TCC.

[24]  Henri Cohen,et al.  A course in computational algebraic number theory , 1993, Graduate texts in mathematics.

[25]  Martin R. Albrecht,et al.  Large Modulus Ring-LWE ≥ Module-LWE , 2017, ASIACRYPT.

[26]  Damien Stehlé,et al.  Worst-case to average-case reductions for module lattices , 2014, Designs, Codes and Cryptography.

[27]  Óscar García-Morchón,et al.  Round5: Compact and Fast Post-Quantum Public-Key Encryption , 2019, IACR Cryptol. ePrint Arch..

[28]  Ron Steinfeld,et al.  Middle-Product Learning with Errors , 2017, CRYPTO.