Paper 2023/1839

Ring-LWE Hardness Based on Non-invertible Ideals

Charanjit S. Jutla
Chengyu Lin, Columbia University
Abstract

We extend the known pseudorandomness of Ring-LWE to be based on lattices that do not correspond to any ideal of any order in the underlying number field. In earlier works of Lyubashevsky et al (EUROCRYPT 2010) and Peikert et al (STOC 2017), the hardness of RLWE was based on ideal lattices of ring of integers of number fields, which are known to be Dedekind domains. While these works extended Regev's (STOC 2005) quantum polynomial-time reduction for LWE, thus allowing more efficient and more structured cryptosystems, the additional algebraic structure of ideals of Dedekind domains leaves open the possibility that such ideal lattices are not as hard as general lattices. In this work we show that hardness of $q$-Ring-LWE can be based on worst-case hardness of ideal lattices in arbitrary orders $O$, as long as the order $O$ satisfies the property that $\frac{1}{m}\cdot O$ contains the ring of integers, for some $m$ co-prime to $q$. The reduction requires that the noise be a factor $m$ more than the original Ring-LWE reduction. We also show that for the power-of-two cyclotomic number fields, there exist orders with $m=4$ such that non-trivial ideals of the order, which are not contained in the conductor, are non-invertible. Since the conductor itself is non-invertible, this gives a non-trivial multiplicative set that lies outside the ideal class group. Another reduction shows that hardness of $q$-Ring-LWE can be based on worst-case hardness of lattices that correspond to sum of ideal-lattices in arbitrary and different orders in the number field, as long as the (set of) orders $\{O_i\}$ satisfy the property that $\frac{1}{m}\cdot O_i$ contains the ring of integers, for some $m$ co-prime to $q$. We also show that for the power-of-two cyclotomic number fields, there exist orders $O_1, O_2$ with $m=8$ such that there are ideals $I_1, I_2$ of $O_1, O_2$ resp. with $I_1+ I_2$ not an ideal of any order in the number field.

Note: An earlier unpublished version of this paper was titled "Enhancing Ring-LWE Hardness Using Dedekind Index Theorem" and appeared on eprint as IACR Cryptol. ePrint Arch., 1631, 2022.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Preprint.
Keywords
Ring-LWEIdeal LatticesOrders in Number FieldsConductor IdealNon-invertible IdealIdeal-Class Group
Contact author(s)
csjutla @ us ibm com
linmrain @ gmail com
History
2023-12-09: last of 2 revisions
2023-11-30: received
See all versions
Short URL
https://ia.cr/2023/1839
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX 

@misc{cryptoeprint:2023/1839,
      author = {Charanjit S. Jutla and Chengyu Lin},
      title = {Ring-LWE Hardness Based on Non-invertible Ideals},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1839},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1839}},
      url = {https://eprint.iacr.org/2023/1839}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.