Paper 2021/277

On the Integer Polynomial Learning with Errors Problem

Julien Devevey, Amin Sakzad, Damien Stehlé, and Ron Steinfeld

Abstract

Several recent proposals of efficient public-key encryption are based on variants of the polynomial learning with errors problem (${\mathsf{PLWE}}^f$) in which the underlying polynomial ring ${\mathbb{Z}}_q[x]/f$ \ is replaced with the (related) modular integer ring ${\mathbb{Z}}_{f(q)}$; the corresponding problem is known as Integer Polynomial Learning with Errors ($$). Cryptosystems based on $$ and its variants can exploit optimised big-integer arithmetic to achieve good practical performance, as exhibited by the $$ cryptosystem. Unfortunately, the average-case hardness of $$ and its relation to more established lattice problems have to date remained unclear. We describe the first polynomial-time average-case reductions for the search variant of $$, proving its computational equivalence with the search variant of its counterpart problem $$. Our reductions apply to a large class of defining polynomials $$. To obtain our results, we employ a careful adaptation of Rényi divergence analysis techniques to bound the impact of the integer ring arithmetic carries on the error distributions. As an application, we present a deterministic public-key cryptosystem over integer rings. Our cryptosystem, which resembles $$, enjoys one-way (OW-CPA) security provably based on the search variant of $$.