Cryptology ePrint Archive: Report 2015/106

Provably weak instances of Ring-LWE

Yara Elias and Kristin E. Lauter and Ekin Ozman and Katherine E. Stange

Abstract: The ring and polynomial learning with errors problems (Ring-LWE and Poly-LWE) have been proposed as hard problems to form the basis for cryptosystems, and various security reductions to hard lattice problems have been presented. So far these problems have been stated for general (number) rings but have only been closely examined for cyclotomic number rings. In this paper, we state and examine the Ring-LWE problem for general number rings and demonstrate provably weak instances of Ring-LWE. We construct an explicit family of number fields for which we have an efficient attack. We demonstrate the attack in both theory and practice, providing code and running times for the attack. The attack runs in time linear in q, where q is the modulus.

Our attack is based on the attack on Poly-LWE which was presented in [EHL]. We extend the EHL-attack to apply to a larger class of number fields, and show how it applies to attack Ring-LWE for a heuristically large class of fields. Certain Ring-LWE instances can be transformed into Poly-LWE instances without distorting the error too much, and thus provide the first weak instances of the Ring-LWE problem. We also provide additional examples of fields which are vulnerable to our attacks on Poly-LWE, including power-of-2 cyclotomic fields, presented using the minimal polynomial of $\zeta_{2^n} \pm 1$.

Category / Keywords: public-key cryptography / attack, ring-lwe, learning with errors, poly-lwe, lattice-based cryptography, number theory

Original Publication (with minor differences): IACR-CRYPTO-2015

Date: received 12 Feb 2015, last revised 21 Sep 2015

Contact author: klauter at microsoft com

Available format(s): PDF | BibTeX Citation

Version: 20150922:012723 (All versions of this report)

Short URL: ia.cr/2015/106

Discussion forum: Show discussion | Start new discussion