Cryptology ePrint Archive: Report 2021/418

Ring-LWE over two-to-power cyclotomics is not hard

Hao Chen

Abstract: The Ring-LWE over two-to-power cyclotomic integer rings has been the hard computational problem for lattice cryptographic constructions. Its hardness and the conjectured hardness of approximating ideal SIVP for ideal lattices in two-to-power cyclotomic fields have been the fundamental open problems in lattice cryptography and the complexity theory of computational problems of ideal lattices. In this paper we present a general theory of sublattice attack on the Ring-LWE with not only the Gaussian error distribution but also general error distributions. By the usage of our sublattice attack we prove that the decision Ring-LWE over two-to-power cyclotomic integer rings with certain polynomially bounded modulus parameters when degrees d_n = 2^{n−1} going to the infinity can be solved by a polynomial (in d_n) time algorithm for wide error distributions with widths in the range of Peikert-Regev-Stephens-Davidowitz hardness reduction results in their STOC 2017 paper. Hence we also prove that approximating idealSIV Ppoly(dn) with some polynomial factors for ideal lattices in two-to-power cyclotomic fields can be solved within quantum polynomial time. Therefore the lattice cryptographic constructions can not be based on the ”hardness” of Ring-LWE over two-to-power cyclotomic integer rings even in the classical computational model.

Category / Keywords: public-key cryptography / Ring-LWE, Two-to-power cyclotomics, Sublattice attack

Date: received 29 Mar 2021

Contact author: chenhao at fudan edu cn,haochen@jnu edu cn

Available format(s): PDF | BibTeX Citation

Version: 20210330:062903 (All versions of this report)

Short URL: ia.cr/2021/418


[ Cryptology ePrint archive ]