The Ring-LWE Problem in Lattice-Based Cryptography: The Case of Twisted Embeddings

Abstract

Several works have characterized weak instances of the Ring-LWE problem by exploring vulnerabilities arising from the use of algebraic structures. Although these weak instances are not addressed by worst-case hardness theorems, enabling other ring instantiations enlarges the scope of possible applications and favors the diversification of security assumptions. In this work, we extend the Ring-LWE problem in lattice-based cryptography to include algebraic lattices, realized through twisted embeddings. We define the class of problems Twisted Ring-LWE, which replaces the canonical embedding by an extended form. By doing so, we allow the Ring-LWE problem to be used over maximal real subfields of cyclotomic number fields. We prove that Twisted Ring-LWE is secure by providing a security reduction from Ring-LWE to Twisted Ring-LWE in both search and decision forms. It is also shown that the twist factor does not affect the asymptotic approximation factors in the worst-case to average-case reductions. Thus, Twisted Ring-LWE maintains the consolidated hardness guarantee of Ring-LWE and increases the existing scope of algebraic lattices that can be considered for cryptographic applications. Additionally, we expand on the results of Ducas and Durmus (Public-Key Cryptography, 2012) on spherical Gaussian distributions to the proposed class of lattices under certain restrictions. As a result, sampling from a spherical Gaussian distribution can be done directly in the respective number field while maintaining its format and standard deviation when seen in ${\mathbb{Z}}^n$ via twisted embeddings.

1. Introduction

Lattice-based cryptography comprehends the class of cryptosystems whose security is based on the conjectured intractability of hard lattice problems such as the Shortest Independent Vectors Problem (SIVP), the Shortest Vector Problem (SVP), and the Closest Vector Problem (CVP) [1,2]. The main computational problem in the foundation of most modern lattice-based cryptosystems is Learning with Errors (LWE) [3]. Since its introduction in the cryptographic realm in 2005, algebraically structured variants have been proposed, such as Learning with Errors over Rings [4], denoted Ring-LWE, and Module-LWE [5,6,7], among others [8].

Although the Ring-LWE hardness results hold for any number field [4,9], its most used instantiation in lattice-based cryptosystems is over power-of-two cyclotomic number fields, as evidenced by the finalists of NIST’s Post-Quantum Cryptography standardization effort [10]. This choice of a number field is particularly interesting because its ring of integers is isomorphic to the polynomial ring $R=\mathbb{Z}\left[x\right]/(x^n+1)$, for n a power of two. The fact that $x^n+1$ is maximally sparse allows efficient polynomial multiplication using the number-theoretic transform combined with the negacyclic convolution. In addition to that, the transformation from the ring R to its dual, denoted $R^{\vee }$, is a simple scaling of the form $R=m{R}^{\vee }$, allowing applications to work directly on R, with no loss in their underlying worst-case hardness guarantees [4].

Another advantage of power-of-two cyclotomic number fields is that the sampling of error terms can be performed directly in the ring R considering a power basis, since the transformation to the associated vector subspace H isomorphic to ${\mathbb{R}}^n$ is just a rigid rotation followed by scaling. For other choices of cyclotomic fields, sampling from a spherical Gaussian distribution can be done in an extended ring and performing a reduction modulo the cyclotomic polynomial ${\Phi }_m\left(x\right)$, which leads to the desired spherical distribution in the canonical embedding [11]. For general number fields, the best option in terms of security still is a sampling from an error distribution in H and computing the inverse transformation with respect to the canonical embedding [4,12].

There are several works in the literature exploring properties of number fields used in the foundation of some cryptosystems based on ideal lattices. An example is a quantum polynomial-time algorithm to find a small generator of a principal ideal in the ring of algebraic integers of cyclotomic rings [13], which applies to a few schemes including the fully-homomorphic encryption scheme of Smart and Vercauteren [14]. Moreover, a sequence of works has characterized weak instances of Ring-LWE and Poly-LWE problems and proposed attacks using special properties for specific parameters [15,16,17,18,19,20,21,22,23,24]. Another motivation for searching for alternative number fields is the inflexibility of system parameters that grow as a power-of-two. In such cryptosystems, when it is required to increase the security level, it may be necessary to increase the lattice dimension which implies doubling its size. However, a more suitable dimension could be a value much smaller than the next power of two. In fact, a ring dimension ranging from 700 to 800 suffices for 128-bit security [25].

Although these weak instances are not addressed by worst-case hardness theorems [26], new proposals adopting non-conventional rings have emerged as alternatives, thus favoring the diversification of security assumptions. For NTRU-based schemes, examples are the NTTRU [27], the third-round NTRU submission [28] in the NIST Post-Quantum Cryptography contest [10], and NTRU Prime [29]. For Ring-LWE, the instantiations have been restricted to cyclotomic number fields. Lyubashevsky, Peikert, and Regev introduced a toolkit with techniques for secure implementation of Ring-LWE primitives over any cyclotomic number field [12], allowing applications to work on cyclotomic rings with non-power-of-two dimension. Later on, this toolkit was implemented in software in two distinct libraries [30,31]. An alternative instantiation could be the adoption of the polynomial ring $\mathbb{Z}\left[x\right]/(x^p-x-1)$ for p prime, which was proposed for NTRU Prime [29], and suggested for the Ring-LWE setting [32]. In this sense, we conjecture whether the Ring-LWE problem could be parameterized by number fields other than the cyclotomic for cryptographic applications.

1.1. Contributions

In this context, we extend the Ring-LWE class of problems to embrace more general algebraic constructions of lattices which allow additional factors on the embedding coordinates. We replace the canonical embedding by twisted embeddings. Since the canonical embedding is a special case of twisted embeddings, this replacement maintains the consolidated results for Ring-LWE. Twisted embeddings have been useful in coding theory, since they allow the construction of algebraic lattices with improved properties for Rayleigh fading channels, providing high density, maximum diversity, and great minimum product distance [33,34,35].

We extend the Ring-LWE problem by replacing the canonical embedding with twisted embeddings on both the search and decision variants. As a result, we obtain the Twisted Ring-LWE problem, in which the error terms are sampled in the space H isomorphic to ${\mathbb{R}}^n$ under the inner product induced by a twisted embedding. We show that Twisted Ring-LWE is at least as secure as Ring-LWE through a security reduction from Ring-LWE to Twisted Ring-LWE. We also recomputed the approximation factors in the worst-case to average-case reductions from hard lattice problems taking into account the new twist factor.

As a result, algebraic constructions from coding theory via twisted embeddings can also be used in cryptographic applications based on the Ring-LWE problem. In this work, we focused our attention on the algebraic construction of rotated ${\mathbb{Z}}^n$-lattices via twisted embeddings. Ducas and Durmus [11] showed that a spherical Gaussian distribution in the ring $\mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$, where ${\Theta }_m\left(x\right)=x^m-1$ if m is odd, and ${\Theta }_m\left(x\right)=x^{\frac{m}{2}}+1$ if m is even, corresponds to a distribution with the same format in the space H, but linearly wider in the ring dimension. This occurs because the lattice obtained from the ring $\mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$ is a rotated ${\mathbb{Z}}^n$-lattice in the canonical embedding. The same holds for the ring of integers of a power-of-two cyclotomic number field. Thus, we generalize this result of Ducas and Durmus by showing that if the parameter ring leads to a rotated ${\mathbb{Z}}^n$-lattice under twisted embeddings, then both the format and the standard deviation of a spherical Gaussian distribution in $K_{\mathbb{R}}$ is preserved when seen in H. Examples of ideal lattices equivalent to ${\mathbb{Z}}^n$ are those obtained from power-of-two cyclotomic number fields [36], and their maximal real subfields [37], and the maximal real subfields of p-th cyclotomic number fields. Since power-of-two cyclotomic rings have been widely used in cryptographic applications, we consider parameterizing the Ring-LWE problem with the ring of integers of the maximal real subfield of a cyclotomic number field. We discuss the limitations of using maximal real subfields in a public-key encryption scheme [12] using the polynomial representation in terms of the arithmetic operations and the expansion factor of the defining polynomial. However, we argue that these limitations could be circumvented by using the coefficient vector representation, as done in [12]. Finally, we also argue that twisted embeddings can be used as a tool to connect Ring-LWE instances over distinct rings, which may lead to a response to the open question left by Peikert, Regev, and Stephens-Davidowitz [9]. In fact, if the parameter rings generate the same algebraic lattice in the space H, their Ring-LWE instances can be efficiently converted between themselves.

1.2. Organization

This paper is organized as follows. Section 2 is devoted to the introduction of concepts and results on lattices and algebraic number theory to be used throughout the paper. In particular, Section 2.4 presents the original statement of the Ring-LWE problem in its search and decision variants, and also the computational problems which form the foundation of the (Ring)-LWE hardness.

Section 3 introduces the twisted embeddings and generalizes the class of Ring-LWE problems by adopting twisted embeddings. We prove that multiplying the coordinates of vectors in the canonical representation by a twisting factor does not affect the hardness of Ring-LWE. This is shown via a reduction from both search and decision versions of Ring-LWE to their corresponding twisted forms. Moreover, we compute the new approximation factors for the reduction from SIVP to DGS (Discrete Gaussian Sampling problem), and also for the reduction from DGS to Ring-LWE. Since the new approximation factors are simply multiplied by a scalar associated with the lattice dimension n, the asymptotic factors are not affected by the change of embeddings.

Section 4 extends to a more general class of number fields the results of Ducas and Durmus on spherical Gaussian sampling [11]. We show that correct noise sampling can be performed directly in the field representation of lattices equivalent to ${\mathbb{Z}}^n$ without any increase in the standard deviation. Section 4.1 discusses the practical impacts of instantiating the Ring-LWE problem over the ring of integers of the maximal real cyclotomic number field $\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$, where $p\ge 5$ is a prime number. We analyze the main computational operations in the compact public-key cryptosystem of Lyubashevsky, Peikert, and Regev [12], and also the format of the ring’s defining polynomial in terms of the expansion factor. Finally, Section 5 discuss our results and highlight future research directions on the practical aspects of the Twisted Ring-LWE problem.

2. Preliminaries on Lattices and Algebraic Number Theory

In this section, we introduce concepts, results and notation to be used throughout the paper. For a positive integer number m, denote by $\left[m\right]$ the set $\{1,2,\dots ,m\}$. For $1\le p<\infty$, the ${\ell }_p$-norm of a vector $\mathbf{a}$ in ${\mathbb{R}}^n$ or ${\mathbb{C}}^n$ is ${\parallel \mathbf{a}\parallel }_p={\left({\sum }_{i=1}^n{\left|a_i\right|}^p\right)}^{1/p}$, and the ${\ell }_{\infty }$-norm is ${\parallel \mathbf{a}\parallel }_{\infty }={max}_{i\in \left[n\right]}\left|a_i\right|$.

2.1. The Space H

Frequently, lattices are defined in the Euclidean space ${\mathbb{R}}^n$. However, in the Ring-LWE context [4,9], it is more convenient to define lattices in a specific subspace of ${\mathbb{C}}^n$ isometric to ${\mathbb{R}}^n$: the space H.

Definition 1

(Space H). Let $s_1$ and $s_2$ be non-negative integer numbers such that $n=s_1+2s_2>0$. The subspace $H\subseteq {\mathbb{C}}^n$is defined as

$$H=\left\{\left(a_1,a_2,\dots ,a_n\right)\in {\mathbb{R}}^{s_1}\times {\mathbb{C}}^{2s_2}:a_{j+s_1+s_2}=\overline{a_{j+s_1}},\forall j\in \left[s_2\right]\right\}.$$

We consider H endowed with the inner product obtained as a restriction of the standard inner product of ${\mathbb{C}}^n$:

$${\langle \mathbf{a},\mathbf{b}\rangle }_H:=\sum _{i\in \left[n\right]}{a}_i\overline{b_i}=\sum _{i\in \left[s_1\right]}{a}_i{b}_i+\sum _{j\in \left[s_2\right]}\left(a_{j+s_1}{b}_{j+s_1+s_2}+a_{j+s_1+s_2}{b}_{j+s_1}\right)\in \mathbb{R}.$$

The norm (usually ${\ell }_2$-norm) of $\mathbf{a}=(a_1,a_2,\dots ,a_n)\in H$ is defined as $\parallel \mathbf{a}\parallel =\sqrt{{\langle \mathbf{a},\mathbf{a}\rangle }_H}$.

For $i\in \left[n\right]$, denote by ${\mathbf{u}}_i$ the vector with all zero coordinates except for the i-th position, which is equal to one. We consider $\{{\mathbf{u}}_1,{\mathbf{u}}_2,\dots ,{\mathbf{u}}_n\}$ the canonical basis of ${\mathbb{R}}^n$ (over $\mathbb{R}$) and ${\mathbb{C}}^n$ (over $\mathbb{C}$). An orthonormal basis for H can be defined in terms of the canonical basis of ${\mathbb{C}}^n$:

Definition 2

(Canonical basis of H). Let $s_1$ and $s_2$ be non-negative integer numbers such that $n=s_1+2s_2>0$. For $i\in \left[s_1\right]$, define ${\mathbf{h}}_i={\mathbf{u}}_i$. For $i\in \left[s_2\right]$, define ${\mathbf{h}}_{i+s_1}=\frac{1}{\sqrt{2}}\left({\mathbf{u}}_{i+s_1}+{\mathbf{u}}_{i+s_1+s_2}\right)$ and ${\mathbf{h}}_{i+s_1+s_2}=\frac{i}{\sqrt{2}}({\mathbf{u}}_{i+s_1}-{\mathbf{u}}_{i+s_1+s_2})$. Then, the set $\mathcal{B}=\{{\mathbf{h}}_1,{\mathbf{h}}_2,\dots ,{\mathbf{h}}_n\}$ is an orthonormal basis of H, which we call the canonical basis of H as an n-dimensional $\mathbb{R}$-vector space.

Notice that any vector $\mathbf{a}=(a_1,a_2,\dots ,a_n)\in H\subseteq {\mathbb{C}}^n$ can be written as an $\mathbb{R}$-linear combination of the vectors of the canonical basis $\mathcal{B}$ of H as

$$\mathbf{a}=\sum _{i\in \left[s_1\right]}{a}_i{\mathbf{h}}_i+\sum _{i\in \left[s_2\right]}\sqrt{2}\Re \left(a_{i+s_1}\right){\mathbf{h}}_{i+s_1}+\sum _{i\in \left[s_2\right]}\sqrt{2}\Im \left(a_{i+s_1}\right){\mathbf{h}}_{i+s_1+s_2},$$

where $\Re (·)$ and $\Im (·)$ denote the real and imaginary parts of a complex number, respectively.

The linear map $\kappa \left({\sum }_{i\in \left[n\right]}{b}_i{\mathbf{h}}_i\right):={\sum }_{i\in \left[n\right]}{b}_i{\mathbf{u}}_i$, with $b_i\in \mathbb{R}$, defines an isomorphism between the $\mathbb{R}$-vector spaces H and ${\mathbb{R}}^n$, such that ${\langle \mathbf{a},\mathbf{b}\rangle }_H=\langle \kappa \left(\mathbf{a}\right),\kappa \left(\mathbf{b}\right)\rangle$, where $\langle ·,·\rangle$ denotes the standard inner product in ${\mathbb{R}}^n$. Then, it follows that H and ${\mathbb{R}}^n$ are isometric, that is, H is an Euclidean space, as defined next. In particular, the norm of an element $\mathbf{a}\in H$ coincides with the usual norm (${\ell }_2$-norm) of $\kappa \left(\mathbf{a}\right)\in {\mathbb{R}}^n$, that is, $\parallel \mathbf{a}\parallel ={\parallel \kappa \left(\mathbf{a}\right)\parallel }_2$.

2.2. Lattices in Euclidean Vector Spaces

An Euclidean vector space $(E,{\langle ·,·\rangle }_E)$ is an n-dimensional $\mathbb{R}$-vector space E with an inner product ${\langle ·,·\rangle }_E$, which is isometric to ${\mathbb{R}}^n$ with the standard inner product. Consider an orthonormal basis $\mathcal{B}\left(E\right)=\{{\mathbf{e}}_1,{\mathbf{e}}_2,\dots ,{\mathbf{e}}_n\}$ of E.

A set $\Lambda \subset E$ is said to be a full-rank lattice (or simply lattice), if $\Lambda$ is a discrete additive subgroup of E with rank n. Equivalently, $\Lambda \subset E$ is a lattice if there exists a set of linearly independent vectors $\mathbf{B}=\{{\mathbf{v}}_1,{\mathbf{v}}_2,\dots ,{\mathbf{v}}_n\}\subset E$ such that

$$\Lambda =\Lambda \left(\mathbf{B}\right)=\left\{\sum _{i\in \left[n\right]}{a}_i{\mathbf{v}}_i:a_i\in \mathbb{Z}\right\}.$$

The set $\mathbf{B}$ is called a basis (or a $\mathbb{Z}$-basis) of $\Lambda$. For each ${\mathbf{v}}_j\in \mathbf{B}$, it can be written in terms of the orthonormal basis $\mathcal{B}\left(E\right)$ as ${\mathbf{v}}_j={\sum }_{i\in \left[n\right]}{v}_{ij}{\mathbf{e}}_i$ for $v_{ij}\in \mathbb{R}$.

The minimum distance of a lattice $\Lambda$ in the ${\ell }_p$-norm, denoted ${\lambda }_1^{\left(p\right)}(\Lambda )$, is the length of a shortest nonzero lattice vector, that is, ${\lambda }_1^{\left(p\right)}(\Lambda )={min}_{\mathbf{0}\ne \mathbf{x}\in \Lambda }{\parallel \mathbf{x}\parallel }_p$. Similarly, for any $k\le n$, the k-th successive minimum of a lattice $\Lambda$, denoted ${\lambda }_k^{\left(p\right)}(\Lambda )$, is the smallest $\widehat{r}>0$ such that $\Lambda$ contains at least k linearly independent vectors of norm at most $\widehat{r}$.

The matrix $\mathbf{M}={\left[v_{ij}\right]}_{n\times n}$, for which the j-th column is given by the coefficients of ${\mathbf{v}}_j$ written in the orthonormal basis $\mathcal{B}\left(E\right)$, is called a generator matrix of $\Lambda$. Two basis generate the same lattice if and only if the associated generator matrices $\mathbf{M}$ and ${\mathbf{M}}^{\prime }$ are related as ${\mathbf{M}}^{\prime }=\mathbf{M}\mathbf{U}$, where $\mathbf{U}$ is unimodular (has integer entries and $det\left(\mathbf{U}\right)=\pm 1$). The matrix $\mathbf{G}={\mathbf{M}}^t\mathbf{M}$ is called the Gram matrix of $\Lambda$ with respect to $\mathbf{M}$. Since the basis $\mathcal{B}\left(E\right)$ of the Euclidean vector space is orthonormal, then $\mathbf{G}={\left[{\langle {\mathbf{v}}_i,{\mathbf{v}}_j\rangle }_E\right]}_{n\times n}$. The determinant of $\mathbf{G}$ is called the determinant of $\Lambda$ and is denoted by $det(\Lambda )$. Clearly, $det(\Lambda )=det{\left(\mathbf{M}\right)}^2$ does not depend of a particular basis of $\Lambda$.

The dual lattice of $\Lambda$ is the lattice ${\Lambda }^{*}=\{\mathbf{a}\in E:{\langle \mathbf{a},\mathbf{b}\rangle }_E\in \mathbb{Z},\forall \mathbf{b}\in \Lambda \}$ and has generator matrix ${\left({\mathbf{M}}^t\right)}^{-1}$. It is known that ${\left({\Lambda }^{*}\right)}^{*}=\Lambda$ and if $\Lambda$ has generator matrix $\mathbf{M}$, then ${\left({\mathbf{M}}^t\right)}^{-1}$ is a generator matrix for ${\Lambda }^{*}$ and therefore $det\left({\Lambda }^{*}\right)=det{(\Lambda )}^{-1}$.

A lattice $\Lambda \subset E$ is called integral if ${\langle \mathbf{a},\mathbf{b}\rangle }_E\in \mathbb{Z}$ for all $\mathbf{a},\mathbf{b}\in \Lambda$. Equivalently, $\Lambda$ is an integral lattice if and only if $\Lambda \subset {\Lambda }^{*}\subset \left(\Lambda /det(\Lambda )\right)$. An integral lattice is called unimodular, or self-dual, if $det(\Lambda )=1$ or, equivalently, if $\Lambda ={\Lambda }^{*}$.

Two lattices $\Lambda$ and ${\Lambda }^{\prime }$ are said to be equivalent if one can be obtained from the other through a rotation, a reflection, or a change of scale. We denote this equivalence by $\Lambda \simeq {\Lambda }^{\prime }$. Two Gram matrices $\mathbf{G}$ and ${\mathbf{G}}^{\prime }$ of two equivalent lattices $\Lambda$ and ${\Lambda }^{\prime }$, respectively, are related as ${\mathbf{G}}^{\prime }=c^2{\mathbf{U}}^t\mathbf{G}\mathbf{U}$, where $c\ne 0$ is a real constant and $\mathbf{U}$ is unimodular.

We say that a lattice $\Lambda$ in $(E,{\langle ·,·\rangle }_E)$ is orthogonal if it has a basis $\mathbf{B}=\{{\mathbf{v}}_1,{\mathbf{v}}_2,\dots ,{\mathbf{v}}_n\}$ such that $\langle {\mathbf{v}}_i,{\mathbf{v}}_j\rangle =0$ if $i\ne j$, for all $i,j\in \left[n\right]$. This means that $\Lambda$ has a diagonal Gram matrix. Moreover, if the basis $\mathbf{B}$ satisfies $\langle {\mathbf{v}}_i,{\mathbf{v}}_j\rangle =0$ if $i\ne j$ and $\langle {\mathbf{v}}_i,{\mathbf{v}}_j\rangle =c$ if $i=j$, for all $i,j\in \left[n\right]$ and $c\in \mathbb{R}$, then $\Lambda$ is equivalent to the ${\mathbb{Z}}^n$-lattice. In this case, $\Lambda$ has a Gram matrix $\mathbf{G}=c{\mathbf{Id}}_n$. In particular, when $c=1$, we say that $\Lambda$ is an orthonormal lattice.

Gaussian Measures

For $r>0$, define the Gaussian function ${\rho }_{r,\mathbf{c}}:H\to (0,1]$ centered at $\mathbf{c}$ as

$${\rho }_{r,\mathbf{c}}\left(\mathbf{a}\right)={exp(-\pi \parallel \mathbf{a}-\mathbf{c}\parallel }^2/r^2).$$

(1)

The subscript $\mathbf{c}$ is taken to be $\mathbf{0}$ when omitted. By normalizing this function, we obtain the continuous Gaussian probability distribution $D_r$ of width r, whose density is given by $r^{-n}·{\rho }_r\left(\mathbf{x}\right)$.

We extend this definition to elliptical Gaussian distributions in ${\left\{{\mathbf{h}}_i\right\}}_{i\in \left[n\right]}$ (the canonical basis of H) as follows. Let $\mathbf{r}=(r_1,\dots ,r_n)\in {\left({\mathbb{R}}^{+}\right)}^n$ be a vector of positive real numbers such that $r_{j+s_1+s_2}=r_{j+s_1}$ for each $j\in \left[s_2\right]$. Then, a sample from the n-dimensional distribution $D_{\mathbf{r}}$ is given by ${\sum }_{i\in \left[n\right]}{x}_i{\mathbf{h}}_i$, where the $x_i$ are chosen independently from the (one-dimensional) Gaussian distribution $D_{r_i}$ over $\mathbb{R}$.

The smoothing parameter is a lattice parameter defining the width beyond which a discrete Gaussian starts to behave similarly to a continuous distribution [38]. It is related to the minimum distance and the successive minimum of a lattice and it will be used to derive the approximation factors in the worst-case to average-case reduction for to the Twisted Ring-LWE problem. The Gaussian mass of a coset $\mathbf{c}+\Lambda$ is defined as ${\rho }_r(\mathbf{c}+\Lambda )={\sum }_{\mathbf{x}\in \mathbf{c}+\Lambda }{\rho }_r\left(\mathbf{x}\right)$.

Definition 3

(Smoothing parameter). For an n-dimensional lattice Λ and positive real $ϵ>0$, the smoothing parameter ${\eta }_{ϵ}(\Lambda )$ is the smallest r such that ${\rho }_{1/r}({\Lambda }^{*}\backslash \left\{\mathbf{0}\right\})\le ϵ$.

For any $\mathbf{c}\in {\mathbb{R}}^n$, real $r>0$, and an arbitrary lattice $\Lambda$ with dimension n, normalizing the Gaussian function ${\rho }_{r,\mathbf{c}}\left(\mathbf{a}\right)$ gives the discrete Gaussian distribution over $\Lambda$ as

$$D_{\Lambda ,r,\mathbf{c}}\left(\mathbf{a}\right)=\frac{{\rho }_{r,\mathbf{c}}\left(\mathbf{a}\right)}{{\rho }_{r,\mathbf{c}}(\Lambda )},$$

for all $\mathbf{a}\in \Lambda$.

2.3. Algebraic Number Theory

In this section, we summarize concepts and results from algebraic number theory, presenting as an example the case of cyclotomic number fields and their maximal real subfields. Details can be found in [39,40].

An (algebraic) number field K is a finite extension of the field $\mathbb{Q}$. This means that $\mathbb{Q}\subset K$ and K is a $\mathbb{Q}$-vector space with finite dimension. The degree of K, denoted $[K:\mathbb{Q}]$, is the dimension of the $\mathbb{Q}$-vector space K. In general, if K and L are number fields such that $K\subset L$, the symbol $[L:K]$ is defined to be the integer number $[L:\mathbb{Q}]/[K:\mathbb{Q}]$ and is called the degree of the extension $L/K$.

By the Primitive Element Theorem, there exists an element $\theta \in K$ such that $K=\mathbb{Q}\left(\theta \right)$, which is equivalent to say that $\{1,\theta ,{\theta }^2,\dots ,{\theta }^{n-1}\}$, with $n=[K:\mathbb{Q}]$, is a power basis of K over $\mathbb{Q}$. Also, if $p\left(x\right)$ is the minimal polynomial of $\theta$ over $\mathbb{Q}$, then K is isomorphic to $\mathbb{Q}\left[x\right]/\left(p\right(x\left)\right)$ and $K=\mathbb{Q}\left({\theta }^{\prime }\right)$ for some root ${\theta }^{\prime }$ of $p\left(x\right)$. The roots of $p\left(x\right)$ are called the conjugates of $\theta$.

Example 1

(Cyclotomic number field). A number field of particular interest is $\mathbb{Q}\left({\zeta }_m\right)$, the m-th cyclotomic field, where ${\zeta }_m=exp(2\pi i/m)$ is a primitive m-th root of unity for any integer number $m\ge 1$. The degree of $\mathbb{Q}\left({\zeta }_m\right)$ is $\phi \left(m\right)$, where $\phi (·)$ denotes Euler’s totient function. The minimal polynomial of ${\zeta }_m$, called the m-th cyclotomic polynomial, is ${\Phi }_m\left(x\right)={\prod }_{k\in {\mathbb{Z}}_m^{*}}(x-{\zeta }_m^k)$, where ${\mathbb{Z}}_m^{*}$ denotes the group of invertible elements in ${\mathbb{Z}}_m$.

Example 2

(Maximal real subfield). For $m\not\equiv 2(mod4)$, $m>1$, the number field $\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})\subset \mathbb{R}\cap \mathbb{Q}\left({\zeta }_m\right)$ is the maximal real subfield of $\mathbb{Q}\left({\zeta }_m\right)$ and has degree $\phi \left(m\right)/2$.

Let K be a number field. A map $\overline{}:K\to K$ is called an involution of K if $\overline{a+b}=\overline{a}+\overline{b}$, $\overline{a·b}=\overline{a}·\overline{b}$, and $\overline{\overline{a}}=a$, for all $a,b\in K$. If $K=\mathbb{C}$, the complex conjugation is an example of involution. If $K=\mathbb{Q}\left({\zeta }_m\right)$ is a cyclotomic number field, then $\overline{{\zeta }_m}={\zeta }_m^{-1}$ is the same involution given by the complex conjugation. In this work, whenever the cyclotomic number field is used, we implicitly assume this involution. For the maximal real subfield $\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})$, we consider the involution given by the identity map.

The subfield $F=\{a\in K\mid \overline{a}=a\}$, called the fixed field by involution of K, satisfies $[K:F]\le 2$. When $[K:F]=1$ (or $F=K$), we say that the involution is trivial (it is the identity); otherwise, the involution is said to be non-trivial. If $K=\mathbb{Q}\left({\zeta }_m\right)$, the fixed field by the involution $\overline{{\zeta }_m}={\zeta }_m^{-1}$ of K is its maximal real subfield [36].

2.3.1. Field Monomorphisms

Let K be a number field of degree n. There are exactly n distinct monomorphisms (of fields) from K to $\mathbb{C}$. These monomorphisms are $\mathbb{Q}$-monomorphisms. If $K=\mathbb{Q}\left(\theta \right)$ and $p\left(x\right)$ is the minimal polynomial of $\theta$, these monomorphisms can be defined as ${\sigma }_i\left(\theta \right)={\theta }_i$ for $i\in \left[n\right]$, where ${\theta }_i$ are all the distinct roots of $p\left(x\right)$.

A monomorphism ${\sigma }_i:K\to \mathbb{C}$ is said to be real if ${\sigma }_i\left(K\right)\subset \mathbb{R}$. Otherwise, it is said to be complex. If ${\sigma }_i$ is a complex monomorphism, then $\overline{{\sigma }_i}$ is another complex monomorphism defined by $\overline{{\sigma }_i}\left(a\right)=\overline{{\sigma }_i\left(a\right)}$. So, we can write the degree n as $n=s_1+2s_2$, where $s_1\ge 0$ is the number of real monomorphisms and $2s_2\ge 0$ is the number of complex monomorphisms from K to $\mathbb{C}$. The canonical embedding from K into the subspace H is the homomorphism

$$\sigma \left(a\right)=\left({\sigma }_1\left(a\right),{\sigma }_2\left(a\right),\dots ,{\sigma }_n\left(a\right)\right).$$

Its image is a lattice, used in the Ring-LWE problem [4,9].

The pair $(s_1,s_2)$ is called the signature of K. We say that K is totally real when $s_2=0$, and that K is totally complex when $s_1=0$. The number field K is said to be a CM-field if it is totally complex and has degree two over its fixed field by the involution F [36].

Any cyclotomic number field $K=\mathbb{Q}\left({\zeta }_m\right)$, with $m\ge 3$, is totally complex. Their monomorphisms are defined as ${\sigma }_i\left({\zeta }_m\right)={\zeta }_m^i$ for each $i\in \left[m\right]$ such that $gcd(i,m)=1$. In turn, any maximal real cyclotomic subfield $\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})$ is totally real. Their monomorphisms are defined as ${\sigma }_i({\zeta }_m+{\zeta }_m^{-1})={\zeta }_m^i+{\zeta }_m^{-i}$ for each $i\in \left[⌊m/2⌋\right]$ such that $gcd(i,m)=1$. Note that $\mathbb{Q}\left({\zeta }_m\right)$ is a CM-field once $\mathbb{Q}\left({\zeta }_m\right)$ is a totally complex field of degree two over $\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})$.

The number field K is said to be a Galois number field if, for every $x\in K$, the minimal polynomial of x over $\mathbb{Q}$ has all its roots in K. In this case, the set of automorphisms $\sigma :K\to K$, where $\sigma \left(a\right)=a$ for all $a\in \mathbb{Q}$, constitutes a group under the composition, called Galois group of K over $\mathbb{Q}$ and denoted by $Gal(K/\mathbb{Q})$. If $K\subset \mathbb{C}$ is a Galois number field, then the monomorphisms from K to $\mathbb{C}$ are exactly the elements of $Gal(K/\mathbb{Q})$. An important fact is that any Galois number field is totally real or totally complex. Cyclotomic number fields and their maximal real subfields are Galois number fields. Specifically, the set $Gal(\mathbb{Q}\left({\zeta }_m\right)/\mathbb{Q})$ is isomorphic to ${\mathbb{Z}}_m^{*}$ and $Gal(\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})/\mathbb{Q})$ is isomorphic to ${\mathbb{Z}}_m^{*}/\{\pm 1\}$.

2.3.2. Ring of Integers and Its Ideals

Let K be a Galois number field. For every $a\in K$, the trace and norm of any element $a\in K$ can be defined, respectively, as

$${Tr}_K\left(a\right)=\sum _{\sigma \in Gal(K/\mathbb{Q})}\sigma \left(a\right)\mathrm{and}{N}_K\left(a\right)=\prod _{\sigma \in Gal(K/\mathbb{Q})}\sigma \left(a\right).$$

For all $a\in K$, ${Tr}_K\left(a\right)$ and $N_K\left(a\right)$ are elements of $\mathbb{Q}$.

The set of all elements in a number field K that are the root of a monic polynomial in $\mathbb{Z}\left[x\right]$ is a ring called the ring of integers of K, denoted by ${\mathcal{O}}_K$. If K is a number field of degree n, its ring of integers has a $\mathbb{Z}$-basis with n elements, which is called an integral basis of K. If $a\in {\mathcal{O}}_K$, then ${Tr}_K\left(a\right)$ and $N_K\left(a\right)$ are elements of $\mathbb{Z}$.

If $\mathcal{I}$ is a nonzero (integral) ideal of ${\mathcal{O}}_K$, then $\mathcal{I}$ has a $\mathbb{Z}$-basis with n elements. The same holds if $\mathcal{I}$ is a fractional ideal of K, which is a subset of K satisfying the condition that $d\mathcal{I}\subset {\mathcal{O}}_K$ is an integral ideal for some element $d\in {\mathcal{O}}_K$. Note that every integral ideal is also fractional ($d=1$). Also, any $\mathbb{Z}$-basis of some nonzero fractional ideal of K, including its ring of integers, is a $\mathbb{Q}$-basis of K. If $K=\mathbb{Q}\left({\zeta }_m\right)$ is the m-th cyclotomic number field, then ${\mathcal{O}}_K=\mathbb{Z}\left[{\zeta }_m\right]$, which is the set of all $\mathbb{Z}$-linear combinations of powers of ${\zeta }_m$. Similarly, the ring of integers of $\mathbb{Q}({\zeta }_m+{\zeta }_m^{-1})$ is $\mathbb{Z}[{\zeta }_m+{\zeta }_m^{-1}]$. In general, the ring of integers of a number field $K=\mathbb{Q}\left(\theta \right)$ does not have the form $\mathbb{Z}\left[\theta \right]$. When this is the case, we say that K is a monogenic number field.

The fractional ideal ${\mathcal{D}}_K^{-1}=\{a\in K:{Tr}_K\left(a{\mathcal{O}}_K\right)\subset \mathbb{Z}\}$ is the codifferent ideal, that is, the dual ideal of the ring of integers. Frequently, the codifferent ideal is also denoted by ${\mathcal{O}}_K^{\vee }$. Note that ${\mathcal{O}}_K\subset {\mathcal{D}}_K^{-1}$. If ${\mathcal{O}}_K=\mathbb{Z}\left[\theta \right]$ for some $\theta \in K$, then ${\mathcal{O}}_K^{\vee }={\left(p^{\prime }\left(\theta \right)\right)}^{-1}{\mathcal{O}}_K$, where $p^{\prime }\left(x\right)$ is the derivative of the minimal polynomial $p\left(x\right)$ of $\theta$ [41] (Section 13.2, J). The inverse ideal of the codifferent, that is, ${\mathcal{D}}_K={\left({\mathcal{D}}_K^{-1}\right)}^{-1}$, is an ideal of ${\mathcal{O}}_K$ called different of K. In general, the dual ideal of any fractional ideal $\mathcal{I}$ of K is the fractional ideal ${\mathcal{I}}^{\vee }$ of K, defined as

$${\mathcal{I}}^{\vee }:=\{a\in K:{Tr}_K\left(a\mathcal{I}\right)\subset \mathbb{Z}\}={\mathcal{I}}^{-1}·{\mathcal{O}}_K^{\vee }.$$

If $\mathcal{I}$ is a nonzero fractional ideal of ${\mathcal{O}}_K$, the norm of $\mathcal{I}$ is $N\left(\mathcal{I}\right)=|{\mathcal{O}}_K/\mathcal{I}|$ (the cardinality of the quotient of additive groups). If $\mathcal{I}$ and $\mathcal{J}$ are ideals of ${\mathcal{O}}_K$, then $N\left(\mathcal{I}\mathcal{J}\right)=N\left(\mathcal{I}\right)N\left(\mathcal{J}\right)$, where $\mathcal{I}\mathcal{J}$ denotes the product of $\mathcal{I}\mathrm{and}\mathcal{J}$, that is, the set all finite sums of products ab for $a\in \mathcal{I}$ and $b\in \mathcal{J}$. If $\mathcal{I}$ is a principal ideal generated by some $a\in K$, then $N\left(\mathcal{I}\right)=|N_K\left(a\right)|$.

2.4. The Ring-LWE Problem

In the following definitions, a lattice $\Lambda$ is usually represented by a basis $\mathbf{B}$ and, in the context of algebraic lattices, $\Lambda$ can be seen as a fractional ideal $\mathcal{I}$ of an arbitrary number field K via canonical embedding.

Firstly, we define the computational problems which form the foundation of the (Ring)-LWE hardness, namely the decision version of the Shortest Vector Problem (GapSVP), the Shortest Independent Vectors Problem (SIVP), and the Discrete Gaussian Sampling (DGS) problem, which is denoted K-DGS when the underlying lattice is taken over a number field K [4].

Definition 4

(GapSVP${}_{\gamma }$). For an approximation factor $\gamma =\gamma \left(n\right)\ge 1$, the GapSVP${}_{\gamma }$ is: given a lattice Λ and length $d>0$, output YES if ${\lambda }_1(\Lambda )\le d$ and NO if ${\lambda }_1(\Lambda )>\gamma d$.

Definition 5

(SIVP${}_{\gamma }$). For an approximation factor $\gamma =\gamma \left(n\right)\ge 1$, the SIVP${}_{\gamma }$ is: given a lattice Λ, output n linearly independent lattice vectors of length at most $\gamma \left(n\right)·{\lambda }_n(\Lambda )$.

By seeing a fractional ideal $\mathcal{I}$ of an arbitrary number field K as a lattice using the canonical embedding, let $D_{\mathcal{I},r}$ denote the discrete Gaussian distribution of width r over $\mathcal{I}$ in the field tensor product $K_{\mathbb{R}}=K{\otimes }_{\mathbb{Q}}\mathbb{R}$, which is isomorphic to the space H.

Definition 6

(K-DGS${}_{\gamma }$). For a function γ that maps lattices to nonnegative reals, the K-DGS${}_{\gamma }$ problem is: given an ideal $\mathcal{I}$ in K and a parameter $r\ge \gamma =\gamma \left(\mathcal{I}\right)$, output an independent sample from a distribution that is within negligible distance of $D_{\mathcal{I},r}$.

Alternatively, for the purpose of the worst-case to average-case reduction for (Ring-)LWE, the DGS problem can be stated as follows: given an n-dimensional lattice $\Lambda$ and a number $r\ge \sqrt{2n}·{\eta }_{ϵ}(\Lambda )/\alpha$, output a sample from $D_{\Lambda ,r}$.

In order to define the Ring-LWE distribution and the computational problems associated with it, let K be a number field with ring of integers $R={\mathcal{O}}_K$. Recall that $R^{\vee }$ is the (fractional) codifferent ideal of K, and let $\mathbb{T}=K_{\mathbb{R}}/R^{\vee }$. Let $q\ge 2$ be a (rational) integer modulus and, for any fractional ideal $\mathcal{I}$ of K, let ${\mathcal{I}}_q=\mathcal{I}/q\mathcal{I}$.

Definition 7

([4] Ring-LWE distribution). For $s\in R_q^{\vee }$ (the “secret”) and an error distribution ψ over $K_{\mathbb{R}}$, a sample from the Ring-LWE distribution ${\mathcal{A}}_{s,\psi }$ over $R_q\times \mathbb{T}$ is generated by choosing $a\leftarrow R_q$ uniformly at random, choosing $e\leftarrow \psi$, and outputting $(a,b=(a·s)/q+emod{R}^{\vee })$.

Definition 8

([4] Ring-LWE, search). Let Ψ be a family of distributions over $K_{\mathbb{R}}$. The search version of the Ring-LWE problem, denoted R-LWE${}_{q,\Psi }$, is defined as follows: given access to arbitrarily many independent samples from ${\mathcal{A}}_{s,\psi }$, for some arbitrary $s\in R_q^{\vee }$ and $\psi \in \Psi$, find s.

Definition 9

([4,9] Ring-LWE, average-case decision). Let Υ be a distribution over a family of error distributions, each over $K_{\mathbb{R}}$. The average-case Ring-LWE decision problem, denoted R-LWE${}_{q,{\rm Y}}$, is to distinguish (with non-negligible advantage) between independent samples from ${\mathcal{A}}_{s,\psi }$ for a random choice of $(s,\psi )\leftarrow U\left(R_q^{\vee }\right)\times {\rm Y}$, and the same number of uniformly random and independent samples from $R_q\times \mathbb{T}$.

3. The Twisted Ring-LWE

Firstly, we collect important results on algebraic lattices obtained through twisted embeddings. Then, we present the class of problems Twisted Ring-LWE, which is the main contribution of this work. The hardness of Twisted Ring-LWE is demonstrated by security reductions from the original Ring-LWE problem. Also, we recompute the approximation factors in the worst-case to average reduction from the SIVP problem, considering the twist factor defining the twisted embedding.

3.1. Twisted Embeddings

In this section consider the following setting. Let K be an algebraic number field with degree n, signature $(s_1,s_2)$, and $\overline{}$ a fixed involution. Consider F to be the fixed field by the involution of K. Let ${\sigma }_i$ be the real monomorphisms for $i\in \left[s_1\right]$, and ${\sigma }_{i+s_1}$ be the complex monomorphisms for $i\in \left[2s_2\right]$ from K to $\mathbb{C}$, where ${\sigma }_{i+s_1+s_2}=\overline{{\sigma }_{i+s_1}}$ for all $i\in \left[s_2\right]$. The twisted embeddings defined next are a generalization of the canonical embedding [36]. An element $\tau \in K$ is said to be totally positive if $\tau \in F$ and ${\tau }_i={\sigma }_i\left(\tau \right)$ is a positive real number for all $i\in \left[n\right]$.

Definition 10

(Twisted embeddings). For any totally positive $\tau \in F$, the τ-twisted embedding (or simply twisted embedding) is the homomorphism ${\sigma }_{\tau }:K\to H$, defined as

$$\begin{array}{cc}\hfill {\sigma }_{\tau }\left(a\right)=& (\sqrt{{\tau }_1}{\sigma }_1\left(a\right),\dots ,\sqrt{{\tau }_{s_1}}{\sigma }_{s_1}\left(a\right),\hfill \\ \hfill & \sqrt{{\tau }_{1+s_1}}{\sigma }_{1+s_1}\left(a\right),\dots ,\sqrt{{\tau }_{2s_2+s_1}}{\sigma }_{2s_2+s_1}\left(a\right)).\hfill \end{array}$$

Since $\tau =1$ in F is totally positive, then ${\sigma }_1=\sigma$, which means that twisted embeddings are generalizations of the canonical embedding. Twisted embeddings provide a way to obtain a variety of lattices in $H\simeq {\mathbb{R}}^n$ in addition to the ones obtained via canonical embedding, as a consequence of Proposition 1 [36].

Proposition 1

([36]). If M is a free $\mathbb{Z}$-module of rank n in K (particularly, if M is the ring of integers of K or any fractional ideal of K), then ${\sigma }_{\tau }\left(M\right)$ is a full-rank lattice in H.

Twisted embeddings can be extended from K to $K_{\mathbb{R}}$ as follows. For any totally positive element $\tau \in F$, the $\mathbb{R}$-vector space ${\sigma }_{\tau }\left(K_{\mathbb{R}}\right)$ is isomorphic to $H\simeq {\mathbb{R}}^n$. If $\mathcal{B}$ is a $\mathbb{Q}$-basis of the number field K, then $\mathcal{B}$ is an $\mathbb{R}$-basis of $K_{\mathbb{R}}$. So, for all totally positive $\tau \in F$, ${\sigma }_{\tau }\left(\mathcal{B}\right)$ is an $\mathbb{R}$-basis of H.

Consider the natural extension of the trace function ${Tr}_K:K\to \mathbb{Q}$ to ${Tr}_K:K_{\mathbb{R}}\to \mathbb{R}$. For any totally positive $\tau \in F$, we can define an inner product in $K_{\mathbb{R}}$ as

$${\langle a,b\rangle }_{\tau }:={\langle {\sigma }_{\tau }\left(a\right),{\sigma }_{\tau }\left(b\right)\rangle }_H={Tr}_K\left(\tau a\overline{b}\right),a,b\in K_{\mathbb{R}}.$$

(2)

By considering the inner product ${\langle ·,·\rangle }_{\tau }$, the $\mathbb{R}$-vector space $K_{\mathbb{R}}$ is an Euclidean vector space of dimension n isometric to both $(H,{\langle ·,·\rangle }_H)$ and $({\mathbb{R}}^n,\langle ·,·\rangle )$.

For each $a\in K_{\mathbb{R}}$, the ${\ell }_p$-norms of a under the canonical embedding are simply ${\parallel a\parallel }_p={\parallel \sigma \left(a\right)\parallel }_p={\left({\sum }_{i\in \left[n\right]}{\left|{\sigma }_i\left(a\right)\right|}^p\right)}^{1/p}$ for $p<\infty$, and ${max}_{i\in \left[n\right]}\left|{\sigma }_i\left(a\right)\right|$ for $p=\infty$. Similarly, the ${\ell }_p$-norms induced from ${\mathbb{C}}^n$ under twisted embeddings are defined as

$${\parallel a\parallel }_{p,\tau }:={\parallel {\sigma }_{\tau }\left(a\right)\parallel }_p={\left(\sum _{i\in \left[n\right]}{\left|\sqrt{{\tau }_i}{\sigma }_i\left(a\right)\right|}^p\right)}^{1/p}$$

for $p<\infty$, and the ${\ell }_{\infty }$-norm is

$${\parallel a\parallel }_{\infty ,\tau }:={\parallel {\sigma }_{\tau }\left(a\right)\parallel }_{\infty }=\underset{i\in \left[n\right]}{max}\left|\sqrt{{\tau }_i}{\sigma }_i\left(a\right)\right|,$$

where ${\tau }_i={\sigma }_i\left(\tau \right)$ for a totally positive element $\tau \in F$. Thus, any free $\mathbb{Z}$-module M of rank n can be seen as a full-rank lattice directly in the Euclidean vector space ($K_{\mathbb{R}}$,${\langle ·,·\rangle }_{\tau }$), although the image of ${\sigma }_{\tau }\left(M\right)$ is frequently considered as in $(H,{\langle ·,·\rangle }_H)$.

Using the fact that ${\sigma }_{\tau }(a·b)=\sigma \left(a\right)\odot {\sigma }_{\tau }\left(b\right)={\sigma }_{\tau }\left(a\right)\odot \sigma \left(b\right)$ for any $a,b\in K_{\mathbb{R}}$, where ⊙ is the component-wise multiplication in the space H, it follows that

$${\parallel a·b\parallel }_{p,\tau }\le {\parallel a\parallel }_{\infty }{\parallel b\parallel }_{p,\tau }{\mathrm{and}\parallel a·b\parallel }_{p,\tau }\le {\parallel a\parallel }_p{\parallel b\parallel }_{\infty ,\tau }.$$

(3)

Notice that, since multiplication of elements in $K_{\mathbb{R}}$ is mapped to coordinate-wise multiplication in H, we have that for any element $a\in K_{\mathbb{R}}$, the distribution of $a·D_{\mathbf{r}}$ is $D_{{\mathbf{r}}^{\prime }}$, where $r_i^{\prime }=r_i·\left|\sqrt{{\tau }_i}{\sigma }_i\left(a\right)\right|$ for $i\in \left[n\right]$. Because of the induced norms from $\mathbb{C}$, which maps elements of K to H, an elliptical distribution defined in the space H can be seen as a distribution directly over $K_{\mathbb{R}}$. For practical applications, sampling from an error distribution in $K_{\mathbb{R}}$ is done by generating the error in H and mapping it to its corresponding element in $K_{\mathbb{R}}$, via twisted embeddings. However, in some special cases, an error can be efficiently sampled directly in $K_{\mathbb{R}}$ without requiring the computation of the inverse of the Vandermonde matrix with respect to ${\sigma }_{\tau }$ [11].

Since $K_{\mathbb{R}}\simeq {\mathbb{R}}^n$ under twisted embeddings, it follows that $K_{\mathbb{R}}$ admits an orthonormal basis. Thus, for any $\mathbb{Z}$-basis $\mathcal{B}=\{v_1,v_2,\dots ,v_n\}$ of the free $\mathbb{Z}$-module M of rank n in K, the matrix ${\left[{\langle v_i,v_j\rangle }_{\tau }\right]}_{n\times n}$ is a Gram matrix of the lattice M in ($K_{\mathbb{R}}$,${\langle ·,·\rangle }_{\tau }$), which coincides with the Gram matrix of ${\sigma }_{\tau }\left(M\right)$ in $(H,{\langle ·,·\rangle }_H)$ with respect to the basis $\{{\sigma }_{\tau }\left(v_1\right),{\sigma }_{\tau }\left(v_2\right),\dots ,{\sigma }_{\tau }\left(v_n\right)\}$. It should be clear that, for different totally positive elements, the lattices obtained from M may not be equivalent, as can be seen below.

Example 3.

Let $K=\mathbb{Q}\left(\sqrt{3}\right)=\{a+b\sqrt{3}:a,b\in \mathbb{Q}\}$ be a totally real number field with degree two. It follows that the fixed field by the usual involution is $F=K$. For any totally positive element $\tau \in F$, consider the lattice $M_{\tau }={\mathcal{O}}_K=\mathbb{Z}\left[\sqrt{3}\right]$ in the inner product space $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$. The set $\{1,\sqrt{3}\}$ is a $\mathbb{Z}$-basis of $M_{\tau }$ and the Gram matrix of the lattice $M_{\tau }$ is given by

$${\mathbf{G}}_{\tau }=\left[\begin{array}{cc}{Tr}_K\left(\tau \right)& {Tr}_K\left(\tau \sqrt{3}\right)\\ {Tr}_K\left(\tau \sqrt{3}\right)& {Tr}_K\left(3\tau \right)\end{array}\right].$$

(4)

For example, for $\tau =1$ and $\tau =2+\sqrt{3}$, the Gram matrices are given by:

$${\mathbf{G}}_1=\left[\begin{array}{cc}2& 0\\ 0& 6\end{array}\right]\mathrm{and}{\mathbf{G}}_{2+\sqrt{3}}=\left[\begin{array}{cc}4& 6\\ 6& 12\end{array}\right].$$

(5)

Suppose that these two lattices are equivalent. Then, there exists a square matrix $\mathbf{U}$ with integer entries and determinant $\pm 1$, and a real number $k\ne 0$ such that ${\mathbf{G}}_{2+\sqrt{3}}=k^2{\mathbf{U}}^t{\mathbf{G}}_1\mathbf{U}$. Since the determinant of both matrices in (5) is equal to 12, then $k=\pm 1$. Now, consider $\mathbf{U}$ to be a matrix for which the rows are given by the vectors $(a,b)\in {\mathbb{Z}}^2$ and $(c,d)\in {\mathbb{Z}}^2$. So, the system of equations ${\mathbf{G}}_{2+\sqrt{3}}={\mathbf{U}}^t{\mathbf{G}}_1\mathbf{U}$ has no solution $(a,b,c,d)\in {\mathbb{Z}}^4$ because the equation $2=a^2+3c^2$, provided by the first entry, has no solution $(a,c)\in {\mathbb{Z}}^2$. This gives a contradiction. Therefore, the lattices given by the same module $M={\mathcal{O}}_K$ in the two different inner product spaces $(K_{\mathbb{R}},{\langle ·,·\rangle }_1)$ and $(K_{\mathbb{R}},{\langle ·,·\rangle }_{2+\sqrt{3}})$ are not equivalent.

Any full-rank lattice M in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ is said to be an algebraic lattice. If $M=\mathcal{I}$ is a fractional ideal in K and the lattice $\mathcal{I}$ is integral (that is, ${\langle a,b\rangle }_{\tau }\in \mathbb{Z}$ for all $a,b\in \mathcal{I}$), then $\mathcal{I}$ can be called an ideal lattice in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$. Since ${\langle a,b\rangle }_{\tau }={Tr}_K\left(\tau a\overline{b}\right)$, an ideal $\mathcal{I}$ of K constitutes an ideal lattice in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ if and only if $\tau \mathcal{I}\overline{\mathcal{I}}\subset {\mathcal{D}}_K^{-1}$ ($={\mathcal{O}}_K^{\vee }$). Ideal lattices can be obtained if and only if K is either a totally real number field or a CM-field. In particular, ideal lattices can be obtained via cyclotomic number fields and their maximal real subfields.

Let $\mathcal{I}$ be a fractional ideal of K. It is known that $\sigma \left({\mathcal{I}}^{\vee }\right)=\overline{\sigma {\left(\mathcal{I}\right)}^{*}}$ in H under the canonical embedding. However, the same does not hold for twisted embeddings in general, as can be inferred from Proposition 2.

Proposition 2.

Let $\tau \in F$ be a totally positive element and let $\mathcal{I}$ a fractional ideal of K. Then, in the Euclidean vector space $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, it follows that:

(i) 

${\mathcal{I}}^{*}={\tau }^{-1}{\overline{\mathcal{I}}}^{\vee }$; and

(ii) 

$\mathcal{I}$ is an unimodular (self-dual) lattice in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ if and only if $\tau \mathcal{I}\overline{\mathcal{I}}={\mathcal{D}}_K^{-1}$.

Proof. 

By definition, $a\in {\mathcal{I}}^{*}$ if and only if ${Tr}_K\left(\tau a\overline{\mathcal{I}}\right)\subset \mathbb{Z}$, which occurs if and only if $\tau a\in {\overline{\mathcal{I}}}^{\vee }$, which is equivalent to $a\in {\tau }^{-1}{\overline{\mathcal{I}}}^{\vee }$. This proves $\left(i\right)$. Secondly, $\mathcal{I}$ is unimodular when $\mathcal{I}$ is integral and $\mathcal{I}={\mathcal{I}}^{*}$. The lattice $\mathcal{I}$ is integral if and only if $\tau \mathcal{I}{\overline{\mathcal{I}}}^{-1}\subset {\mathcal{D}}_K^{-1}$. In turn, by $\left(i\right)$, $\mathcal{I}={\mathcal{I}}^{*}$ if and only if $\mathcal{I}={\tau }^{-1}{\overline{\mathcal{I}}}^{\vee }={\tau }^{-1}{\overline{\mathcal{I}}}^{-1}{\mathcal{D}}_K^{-1}$, which is equivalent to $\tau \mathcal{I}\overline{\mathcal{I}}={\mathcal{D}}_K^{-1}$. Therefore, $\mathcal{I}$ is unimodular if and only if $\tau \mathcal{I}\overline{\mathcal{I}}={\mathcal{D}}_K^{-1}$.    □

3.2. The Twisted Ring-LWE Problem

In this section, we propose an extended version of the Ring-LWE problem, adopting twisted embeddings rather than the canonical embedding. We refer to this new class of problems as Twisted Ring-LWE, or simply Ring-LWE${}^{\tau }$. We also prove that solving the Twisted Ring-LWE problem is at least as hard as solving the original Ring-LWE problem [4], providing a polynomial-time reduction from Ring-LWE to Twisted Ring-LWE.

In the Ring-LWE distribution, the error e is randomized by a distribution $\psi$ over the space $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau =1})$. In this sense, an error in $K_{\mathbb{R}}$ can be seen as the inverse image of a sample from the distribution $\psi$ in $H\simeq {\mathbb{R}}^n$ via the canonical embedding. In our general case, we consider K a number field with an involution, F its associated fixed field, $\tau \in F$ a totally positive element, and ${\sigma }_{\tau }$ the twisted embedding. The error e is randomized by a distribution $\psi$ over $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$. In the following, it is assumed $q\ge 2$ is an integer number, $R:={\mathcal{O}}_K$, and ${\mathcal{I}}_q:=\mathcal{I}/q\mathcal{I}$ for any fractional ideal $\mathcal{I}$ of K.

Definition 11

(Twisted Ring-LWE distribution). For a totally positive element $\tau \in F$, let ${\psi }_{\tau }$ denote an error distribution over the inner product ${\langle ·,·\rangle }_{\tau }$ and $s\in R_q^{\vee }$ (the “secret”) be an uniformly randomized element. The Twisted Ring-LWE distribution${\mathcal{A}}_{s,{\psi }_{\tau }}$ produces samples of the form

$$(a,b=a·s+emodq{R}^{\vee })\in R_q\times K_{\mathbb{R}}/q{R}^{\vee },$$

(6)

where a is uniformly randomized in $R_q$ and the error e is randomized by ${\psi }_{\tau }$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$.

Analogously to Ring-LWE [4], which is defined in the space $K_{\mathbb{R}}$ provided with the inner product associated to the canonical embedding, we can define both search and decision problems in the space $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ as follows. We strictly follow the search problem as defined by Lyubashevsky et al. [4] and the decision problem which was further defined by Peikert et al. [9].

Definition 12.

For a positive real $\alpha >0$, the family ${\Psi }_{\le \alpha }^{\left(\tau \right)}$ is the set of all elliptical Gaussian distributions $D_{\mathbf{r}}$ over $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, where each parameter $r_i\le \alpha$.

Definition 13

(Ring-LWE${}^{\tau }$, search). Let ${\Psi }^{\left(\tau \right)}$ be a family of distributions over the inner product space ($K_{\mathbb{R}}$,${\langle ·,·\rangle }_{\tau }$). The search version of the Ring-LWE${}^{\tau }$ problem is defined as follows: given access to arbitrarily many independent samples from $A_{s,{\psi }_{\tau }}$ for some arbitrary $s\in R_q^{\vee }$ and ${\psi }_{\tau }\in {\Psi }^{\left(\tau \right)}$, find s.

Definition 14.

Fix an arbitrary $f\left(n\right)=\omega \left(\sqrt{logn}\right)$. For $\alpha >0$, a distribution sampled from ${{\rm Y}}_{\alpha }^{\left(\tau \right)}$ is an elliptical Gaussian $D_{\mathbf{r}}$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, where $\mathbf{r}$ is sampled as follows: for $i\in \left[s_1\right]$, sample $x_i\leftarrow D_1$ and set $r_i^2={\alpha }^2(x_i^2+f^2\left(n\right))/2$. For $i=s_1+1,\dots ,s_1+s_2$, sample $x_i,y_i\leftarrow D_{1/\sqrt{2}}$ and set $r_i^2=r_{i+s}^2=\alpha (x_i^2+y_i^2+f^2\left(n\right))/2$.

Notice that, in Definition 14, sampling $x_i\leftarrow D_1$ for $i\in \left[s_1\right]$ and $x_i,y_i\leftarrow D_{1/\sqrt{2}}$ for $i=s_1+1,\dots ,s_1+s_2$ is done according to the Gaussian function given in Equation (1), using the norm induced by the corresponding twisted embedding.

Definition 15

(Ring-LWE${}^{\tau }$, average-case decision). Let ${{\rm Y}}^{\left(\tau \right)}$ be a distribution over a family of error distributions, each in the inner product space ($K_{\mathbb{R}}$,${\langle ·,·\rangle }_{\tau }$). The average-case decision version of the Ring-LWE${}^{\tau }$ problem is to distinguish, with non-negligible advantage, between arbitrarily many independent samples from ${\mathcal{A}}_{s,{\psi }_{\tau }}$, for a random choice of $(s,{\psi }_{\tau })\leftarrow U\left(R_q^{\vee }\right)\times {{\rm Y}}^{\left(\tau \right)}$, and the same number of uniformly random and independent samples from $R_q\times K_{\mathbb{R}}/R^{\vee }$.

Generally speaking, the Twisted Ring-LWE distribution and both search and decision variants of Twisted Ring-LWE collapse to their original definitions in the Ring-LWE problem when $\tau =1$.

3.3. Hardness of Twisted Ring-LWE

In this section we provide evidence of the hardness of the Ring-LWE${}^{\tau }$ class of problems. Firstly, we provide reductions from the Ring-LWE problem to the Ring-LWE${}^{\tau }$ problem. By doing so, the Ring-LWE${}^{\tau }$ problem is proven to be at least as hard as NP-hard lattice problems. It occurs that these are indeed self reductions, in the sense that they preserve the secret term $s\in R_q^{\vee }$, only distorting the error distribution over $K_{\mathbb{R}}$.

We recall that the reduction to the search version of Ring-LWE is defined over a set of elliptical Gaussian distributions over $K_{\mathbb{R}}$ (Definition 12).

Theorem 1.

Let K be an arbitrary number field and $\tau \in F$ be totally positive. Let $(s,\psi )$ be randomly chosen from $(U\left(R_q^{\vee }\right)\times \Psi )$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau =1})$. Then there is a polynomial-time reduction from Ring-LWE${}_{q,\psi }$ to Ring-LWE${}_{q,{\psi }_{\tau }}^{\tau }$.

Proof. 

We assume the existence of an oracle for Ring-LWE${}^{\tau }$ that, given a set of independent samples from ${\mathcal{A}}_{s,{\psi }_{\tau }}$, for some arbitrary $s\in R_q^{\vee }$ and ${\psi }_{\tau }\in {\Psi }^{\left(\tau \right)}$, recovers the secret term s. Given a set of independent samples from the Ring-LWE distribution ${\mathcal{A}}_{s,\psi }$, solving the search version of Ring-LWE amounts to finding the secret s. In order to evoke the Ring-LWE${}^{\tau }$ oracle to solve Ring-LWE, we must ensure that the error terms from the input samples follow a Gaussian distribution ${\psi }_{\tau }\in {\Psi }^{\left(\tau \right)}$. Let the input samples from ${\mathcal{A}}_{s,\psi }$ be represented as

$$(a_i,b_i=a_i·s+e_{i}modq{R}^{\vee })\in R_q\times \mathbb{T},$$

where $e_i\stackrel{\psi }{\leftarrow }{K}_{\mathbb{R}}$. Thus, we use the fact that $e_i={\sigma }^{-1}\left({\tilde{\mathbf{e}}}_i\right)$, for some ${\tilde{\mathbf{e}}}_i$ obtained from the Gaussian distribution $\psi$ over H. The Ring-LWE${}^{\tau }$ samples are obtained by first computing the corresponding representatives of each pair $(a_i,b_i)$ in H as

$$\begin{array}{cc}\hfill \left\{\left(\sigma \left(a_i\right),\sigma \left(b_i\right)\right)\right\}& =\left\{\left(\sigma \left(a_i\right),\sigma \left(a_i\right)·\sigma \left(s\right)+{\tilde{\mathbf{e}}}_i\right)\right\}.\hfill \end{array}$$

By applying the inverse transformation ${\sigma }_{\tau }^{-1}$, we obtain that

$$\begin{array}{cc}\hfill \left\{\left({\sigma }_{\tau }^{-1}\left(\sigma \left(a_i\right)\right),{\sigma }_{\tau }^{-1}\left(\sigma \left(b_i\right)\right)\right)\right\}& =\left\{\left({\sigma }_{\tau }^{-1}\left(\sigma \left(a_i\right)\right),{\sigma }_{\tau }^{-1}\left(\sigma \left(a_i\right)\right)·s+{\sigma }_{\tau }^{-1}\left({\tilde{\mathbf{e}}}_i\right)\right)\right\}.\hfill \end{array}$$

(7)

Notice that s was unchanged by the transformations, so it is a randomized element over $R_q^{\vee }$. Because $a_i$ was sampled according to a uniform distribution over $R_q$ and both $\sigma$ and ${\sigma }_{\tau }^{-1}$ transformations are injective, ${\sigma }_{\tau }^{-1}\left(\sigma \left(a_i\right)\right)$ is also uniform in $R_q$. And, finally, since $e_i^{\prime }={\sigma }_{\tau }^{-1}\left({\tilde{\mathbf{e}}}_i\right)$ is randomized by ${\psi }_{\tau }$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, the set of samples in (7) follows the distribution ${\mathcal{A}}_{s,{\psi }^{\tau }}$. Given the set of samples (7) as input for the Ring-LWE${}^{\tau }$ solver, it finds the secret s. Then, mapping the solution to the Ring-LWE instance of the Ring-LWE${}^{\tau }$ solution is done by the identity transformation. Since the computation of the transformations $\sigma$ and ${\sigma }_{\tau }^{-1}$ can be seen as vector-matrix multiplications, the reduction costs $O\left(n^2\right)$ operations. Thus, the given reduction from Ring-LWE to Ring-LWE${}^{\tau }$ runs in polynomial time. This concludes the proof.    □

Theorem 2.

Let K be an arbitrary number field and $\tau \in F$ be a totally positive element. Let $(s,\psi )$ be randomly chosen from $(U\left(R_q^{\vee }\right)\times {\rm Y})$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau =1})$. There is a polynomial-time reduction from Ring-LWE${}_{q,{\rm Y}}$ to Ring-LWE${}_{q,{{\rm Y}}^{\left(\tau \right)}}^{\tau }$.

Proof. 

Given a set of m pairs of the form $(a_i,b_i)\in R_q\times \mathbb{T}$, each drawn either from ${\mathcal{A}}_{s,\psi }$ or from a uniform distribution over $R_q\times \mathbb{T}$, we prove that the (decision) Ring-LWE problem can be solved using only an oracle for (decision) Ring-LWE${}^{\tau }$ and a polynomial-time function for mapping the input instances. As in the reduction for the search variant, we apply the transformations $\sigma$ and ${\sigma }_{\tau }^{-1}$, in this order, to each pair $(a_i,b_i)\in R_q\times \mathbb{T}$. As a result, those pairs drawn from $(U\left(R_q\right),U\left(\mathbb{T}\right))$ are still uniformly distributed over $R_q\times \mathbb{T}$, since both $\sigma$ and ${\sigma }_{\tau }^{-1}$ are injective maps. On the other hand, the pairs drawn from ${\mathcal{A}}_{q,\psi }$ now follow the Ring-LWE${}^{\tau }$ distribution ${\mathcal{A}}_{q,{\psi }_{\tau }}$. Thus, given an algorithm that solves (decision) Ring-LWE${}^{\tau }$, it distinguishes in two different sets the $m/2$ samples drawn from ${\mathcal{A}}_{q,{\psi }_{\tau }}$ and those $m/2$ uniformly distributed. Since mapping Ring-LWE to Ring-LWE${}^{\tau }$ instances preserves distributions, the solution for (decision) Ring-LWE problem is done by an identity transformation. Finally, the computation of the transformations $\sigma$ and ${\sigma }_{\tau }^{-1}$ costs $O\left(n^2\right)$ operations; thus, the reduction runs in polynomial time. This concludes the proof.    □

3.4. Computing the Approximation Factors

Throughout this section, consider an arbitrary number field K of degree n with ring of integers $R={\mathcal{O}}_K$, and $\mathcal{I}$ a fractional ideal in K. Concerning the canonical embedding, a twisted embedding modifies the representatives of a fractional ideal $\mathcal{I}$ when seen as a lattice ${\sigma }_{\tau }\left(\mathcal{I}\right)$ in H. Thus, since we use lattice measures such as the minimum distance and the successive minima in the security reductions, we analyze the effect of redefining the inner product in the Ring-LWE security reductions.

By strictly following the setting of Lyubashevsky et al. [4], we start by deriving upper bounds for the smoothing parameter concerning the ${\ell }_p$-norm under twisted embeddings. From the inequalities in (3), we are able to relate the ${\ell }_p$-norm under twisted embeddings with the infinity norm under the canonical embedding as

$${\parallel a\parallel }_{\infty }\ge \frac{{\parallel a\parallel }_{p,\tau }}{{\left({\sum }_{i\in \left[n\right]}{\tau }_i^{p/2}\right)}^{\frac{1}{p}}}.$$

We can also relate ${\ell }_p$-norms under both embeddings in H as

$$\frac{1}{{max}_{i\in \left[n\right]}{\tau }_i}·{\parallel a\parallel }_{p,\tau }\le {\parallel a\parallel }_p\le \frac{1}{{min}_{i\in \left[n\right]}{\tau }_i}·{\parallel a\parallel }_{p,\tau }.$$

Using the above inequalities, Lemmas 1 and 2 present upper bounds for the smoothing parameter associated with twisted embeddings, which are a straightforward adaptation of Lemmas 2.7 and 3.5 from [42]. Notice that, when $\tau =1$, these upper bounds are exactly the same as presented in [42]. Consider that ${\lambda }_n^{(p,\tau )}(\Lambda )$ and ${\lambda }_1^{(p,\tau )}(\Lambda )$ denotes the k-th successive minimum and the minimum distance of a lattice $\Lambda$ in the ${\ell }_p$-norm, respectively, under a $\tau$-twisted embedding.

Lemma 1.

Let K be an arbitrary number field with fixed field by the involution F and $\tau \in F$ totally positive. For any $p\in [2,\infty ]$, any n-dimensional lattice Λ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, and any $ϵ>0$,

$${\eta }_{ϵ}(\Lambda )\le {\lambda }_n^{(p,\tau )}(\Lambda )·\frac{n^{1/2-1/p}}{{min}_{i\in \left[n\right]}{\tau }_i}·\sqrt{log\left(2n\right(1+1/ϵ\left)\right)/\pi }.$$

In particular, for any $\omega \left(\sqrt{logn}\right)$ function, there is a negligible function $ϵ\left(n\right)$ for which

$${\eta }_{ϵ}(\Lambda )\le {\lambda }_n^{(p,\tau )}(\Lambda )·\frac{n^{1/2-1/p}}{{min}_{i\in \left[n\right]}{\tau }_i}·\omega \left(\sqrt{logn}\right).$$

Lemma 2.

Let K be an arbitrary number field with fixed field by the involution F and $\tau \in F$ totally positive. For any $p\in [1,\infty ]$, any n-dimensional lattice Λ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, and any $ϵ>0$,

$${\eta }_{ϵ}(\Lambda )\le \frac{{max}_{i\in \left[n\right]}{\tau }_i·n^{1/p}·\sqrt{log\left(2n\right(1+1/ϵ\left)\right)/\pi }}{{\lambda }_1^{(p,\tau )}\left({\Lambda }^{*}\right)}.$$

In particular, for any $\omega \left(\sqrt{logn}\right)$ function, there is a negligible function $ϵ\left(n\right)$ such that

$${\eta }_{ϵ}(\Lambda )\le \underset{i\in \left[n\right]}{max}{\tau }_i·n^{1/p}·\omega \left(\sqrt{logn}\right)/{\lambda }_1^{(p,\tau )}\left({\Lambda }^{*}\right).$$

The (search) Ring-LWE hardness consists in two reductions: $\left(i\right)$ a worst-case to average-case reduction from DGS to Ring-LWE (Theorem 3); and $\left(ii\right)$ a reduction from the Generalized Independent Vectors Problem (GIVP), which is a generalization of SIVP, to DGS (Lemma 3).

Theorem 3

([4] (Theorem 4.1)). Let K be an arbitrary number field of degree n with ring of integers $R={\mathcal{O}}_K$, and $\mathcal{I}$ a fractional ideal in K. Let $\alpha =\alpha \left(n\right)>0$, and let $q=q\left(n\right)\ge 2$ be such that $\alpha q\ge 2·\omega \left(\sqrt{logn}\right)$. For some negligible $ϵ=ϵ\left(n\right)$, there is a probabilistic polynomial-time quantum reduction from K-DGS${}_{\gamma }$ to R-LWE${}_{q,{\Psi }_{\le \alpha }}$, where

$$\gamma =max\left\{{\eta }_{ϵ}\left(\mathcal{I}\right)·(\sqrt{2}/\alpha )·\omega \left(\sqrt{logn}\right),\sqrt{2n}/{\lambda }_1\left({\mathcal{I}}^{\vee }\right)\right\}.$$

Lemma 3

([3] (Lemma 3.17)). For any $ϵ=ϵ\left(n\right)\le \frac{1}{10}$ and any $\phi (\Lambda )\ge \sqrt{2}{\eta }_{ϵ}(\Lambda )$, there is a polynomial time reduction from GIVP${}_{2\sqrt{n}\phi }$ to DGS${}_{\phi }$.

Thus, we use the inequalities for the smoothing parameter ${\eta }_{ϵ}$ derived in Lemmas 1 and 2 to recompute the approximation factors in Theorem 3 and Lemma 3. We start by computing the approximated factor $\gamma$ from Theorem 3. As long as $\alpha <\sqrt{logn/n}$, it follows that the K-DGS${}_{\gamma }$ parameter is

$$\gamma ={\eta }_{ϵ}\left(\mathcal{I}\right)·(\sqrt{2}/\alpha )·\omega \left(\sqrt{logn}\right)={\eta }_{ϵ}\left(\mathcal{I}\right)·\tilde{O}(1/\alpha ).$$

Using the inequality ${\eta }_{ϵ}\left(\mathcal{I}\right)\le {\lambda }_n^{(p,\tau )}(\Lambda )·\frac{n^{1/2-1/p}}{{min}_{i\in \left[n\right]}{\tau }_i}·\omega \left(\sqrt{logn}\right)$ from Lemma 1, we obtain that the parameter $\phi$ in Lemma 3 is

$$\phi \le {\lambda }_n^{(p,\tau )}(\Lambda )·\frac{n^{1/2-1/p}}{{min}_{i\in \left[n\right]}{\tau }_i}·\omega \left(\sqrt{logn}\right)·\tilde{O}(1/\alpha ).$$

Now, using the above inequality for $\phi$, we define the upper bound for the GIVP parameter to be $\mu$, for which

$$\mu =2\sqrt{n}\phi \le 2\sqrt{n}·{\lambda }_n^{(p,\tau )}(\Lambda )·\frac{n^{1/2-1/p}}{{min}_{i\in \left[n\right]}{\tau }_i}·\omega \left(\sqrt{logn}\right)·\tilde{O}(1/\alpha ).$$

Remark 1.

Notice that, regardless of the ${\ell }_p$-norm, $\mu =\tilde{O}(\sqrt{n}/\alpha )$. Since $\tilde{O}(\sqrt{n}/\alpha )$ is the approximation factor for the search version of the Ring-LWE problem [4] (Section 4), we conclude that the approximation factors remain unchanged with respect to the change of embeddings due to the asymptotic notation. Moreover, since the twisting factor is constant concerning the number field degree n, the approximation factors for the decision version of the Twisted Ring-LWE problem also remain unchanged.

4. Applications of the Twisted Ring-LWE

In this section, we discuss how to extend to a more general class of number fields the results of Ducas and Durmus for sampling from a spherical Gaussian distribution [11], focusing on the algebraic realization of ${\mathbb{Z}}^n$-lattices.

Durmus and Ducas proved a special case when a spherical Gaussian distribution with width s in the power basis corresponds to a spherical Gaussian distribution with width $s\sqrt{m^{\prime }}$ over the space H (Theorem 4) [11]. In order to sample directly over the cyclotomic ring $\mathbb{Q}\left[x\right]/\left({\Phi }_m\left(x\right)\right)$, leading to the correct distribution in the embedding representation, they sample the error polynomial in the ring $\mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$, where ${\Theta }_m\left(x\right)=x^m-1$ if m is odd, and ${\Theta }_m\left(x\right)=x^{\frac{m}{2}}+1$ if m is even. Then, the reduction modulo ${\Phi }_m$ leads to the correct distribution under the canonical embedding. This method avoids resorting to complex embeddings and the inverse of the Vandermonde matrix.

In the statement of Theorem 4, let $m^{\prime }=m$ if m is odd and $m^{\prime }=m/2$ if m is even. Also, let $\beta$ represent the polynomial reduction from $\mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$ to $\mathbb{Q}\left[x\right]/\left({\Phi }_m\left(x\right)\right)$, and let the linear operator $\mathbf{T}:H\to H$ with matrix in the canonical basis of H be:

$$\mathbf{T}=\frac{1}{\sqrt{2}}\left(\begin{array}{cc}{\mathbf{Id}}_{\varphi \left(m\right)/2}& i{\mathbf{Id}}_{\varphi \left(m\right)/2}\\ {\mathbf{Id}}_{\varphi \left(m\right)/2}& -i{\mathbf{Id}}_{\varphi \left(m\right)/2}\end{array}\right),\mathrm{with}i=\sqrt{-1}.$$

(8)

Theorem 4

([11] (Theorem 5)). Let $v\in \mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$ be a random variable distributed as ${\psi }_s^{m^{\prime }}$ in the power basis. Then, the distribution of $({\mathbf{T}}^{-1}\circ \sigma \circ \beta )\left(v\right)$, seen in the canonical basis of H, is the spherical Gaussian ${\psi }_{s\sqrt{m^{\prime }}}^{\varphi \left(m\right)}$.

The shape of the distribution is preserved because the transformation ${\mathbf{T}}^{-1}\circ \sigma$ is, in fact, a scaled-orthogonal map from the power basis of $\mathbb{Q}\left[x\right]/\left({\Phi }_m\left(x\right)\right)$ to the space H, where ${\mathbf{T}}^{-1}$ is Hermitian (${\mathbf{T}}^{-1}={\overline{\mathbf{T}}}^t$). The proof for Theorem 4 reduces to proving that $\mathbf{M}\in {\mathbb{C}}^{\varphi \left(m\right)\times m^{\prime }}$, the matrix representing the linear map $\gamma$ from the power basis of $\mathbb{Z}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$ to the canonical basis of ${\mathbb{C}}^{\varphi \left(m\right)}$ satisfies $\mathbf{C}=\mathbf{M}{\overline{\mathbf{M}}}^t=m^{\prime }{\mathbf{Id}}_{\varphi \left(m\right)}$. The coefficients of $\mathbf{M}$ are given by $m_{i,j}={\sigma }_j\left(x^i\right)={\zeta }_m^{ij}$. Then, for all $i,j\in {\mathbb{Z}}_m^{*}$, we have that

$$c_{i,j}=\sum _{k\in \left[m^{\prime }\right]}{\zeta }_m^{ik}\overline{{\zeta }_m^{jk}}=\sum _{k\in \left[m^{\prime }\right]}{\left({\zeta }_m^{i-j}\right)}^k=\left\{\begin{array}{cc}{m}^{\prime }\hfill & \mathrm{if}i=j,\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Thus, $\mathbf{E}={\mathbf{T}}^{-1}\mathbf{M}=\overline{\mathbf{E}}$, so $\mathbf{E}{\mathbf{E}}^t=\mathbf{E}{\overline{\mathbf{E}}}^t={\mathbf{T}}^{-1}\mathbf{M}{\overline{\mathbf{M}}}^t\mathbf{T}=m^{\prime }{\mathbf{Id}}_{\varphi \left(m\right)}$. This last equation implies that, if a random variable $v\in \mathbb{Q}\left[x\right]/\left({\Theta }_m\left(x\right)\right)$ has covariance matrix $s^2{\mathbf{Id}}_{m^{\prime }}$, then the covariance matrix of $({\mathbf{T}}^{-1}\circ \gamma )\left(v\right)$ is $s^2\mathbf{E}{\mathbf{Id}}_{m^{\prime }}{\overline{\mathbf{E}}}^t=s^2{m}^{\prime }{\mathbf{Id}}_{\varphi \left(m\right)}$, and the distribution of $({\mathbf{T}}^{-1}\circ \gamma )\left(v\right)$ is the spherical Gaussian ${\psi }_{s\sqrt{m^{\prime }}}^{\varphi \left(m\right)}$.

In the following, we discuss how the shape of spherical Gaussian distributions may be preserved when seen in the space H for special algebraic constructions under twisted embeddings. Following Ducas and Durmus’ approach, we are interested in lattices equivalent to ${\mathbb{Z}}^n$, whose Gram matrices have the form $c{\mathbf{Id}}_n$ for $c\in \mathbb{R}$. In this sense, the matrix mapping elements of $K_{\mathbb{R}}$ to the space H is a scaled-orthogonal map [11]. It follows that any algebraic realization of the ${\mathbb{Z}}^n$-lattice preserves the shape of an error distribution over $K_{\mathbb{R}}$ when seen as in H.

In Theorem 5, we prove that fractional ideals realizing lattices equivalent to ${\mathbb{Z}}^n$ in an orthonormal basis, which are the special case when the Gram matrix is simply ${\mathbf{Id}}_n$, preserve both format and standard deviation of spherical Gaussian distributions. We recall that ideal lattices can be obtained if and only if K is a totally real number field, or if K is a CM-field [36].

Theorem 5.

Let K be a number field with an involution and F its associated fixed field. Consider $\tau \in F$ totally positive and $\mathcal{I}\subset {\mathcal{O}}_K$ a fractional ideal such that $\mathcal{I}$ is an ideal lattice in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$. If $\mathcal{I}$ is a lattice equivalent to ${\mathbb{Z}}^n$, then both the shape and the standard deviation of a spherical Gaussian distribution in an orthonormal basis of $\mathcal{I}\subset K_{\mathbb{R}}$ are preserved when seen in the canonical basis of the space H (via the twisted embedding ${\sigma }_{\tau }$).

Proof. 

Let n be the degree of K and let $v\in \mathcal{I}$ be a random variable over the spherical Gaussian distribution with covariance matrix $s^2{\mathbf{Id}}_n$ in an orthonormal $\mathbb{Z}$-basis of $\mathcal{I}$, for some real number s. Since the twisted embedding ${\sigma }_{\tau }:K_{\mathbb{R}}\to H$ is a linear transformation, the covariance matrix of ${\sigma }_{\tau }\left(v\right)$ in the canonical basis of H is $\mathbf{E}{s}^2{\mathbf{Id}}_n{\mathbf{E}}^t$, where $\mathbf{E}={\mathbf{T}}^{-1}\mathbf{M}$, with $\mathbf{T}$ as in (8) and $\mathbf{M}$ is the generator matrix of ${\sigma }_{\tau }\left(\mathcal{I}\right)$. Since $\mathbf{M}{\mathbf{M}}^t={\mathbf{M}}^t\mathbf{M}={\mathbf{Id}}_n$, and because $\mathbf{M}{\mathbf{M}}^t$ is the Gram matrix of the ${\mathbb{Z}}^n$-equivalent lattice $\mathcal{I}$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$, the covariance matrix of ${\sigma }_{\tau }\left(v\right)$ is

$$\mathbf{E}{s}^2{\mathbf{Id}}_n{\mathbf{E}}^t={\mathbf{T}}^{-1}\mathbf{M}{s}^2{\mathbf{Id}}_n{\mathbf{M}}^t\mathbf{T}=s^2{\mathbf{Id}}_n,$$

which proves that ${\sigma }_{\tau }\left(v\right)$ is randomized in the spherical Gaussian distribution over the canonical basis of H with the same standard deviation as v over $K_{\mathbb{R}}$ in the orthonormal basis of $\mathcal{I}$. This concludes the proof.    □

Examples of ideal lattices equivalent to ${\mathbb{Z}}^n$ are those obtained from cyclotomic number fields $\mathbb{Q}\left({\zeta }_{2^k}\right)$ [36], and their maximal real subfields [37], and the maximal real subfields $\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ for any prime $p\ge 5$ [43]. The case of the power-of-two cyclotomic number fields were previously addressed by Lyubashevsky et al. [4], and Ducas and Durmus [11]. In the following, we discuss the family of lattices equivalent to ${\mathbb{Z}}^n$ built on $\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$, for any $p\ge 5$ prime.

Let $p\ge 5$ be a prime number, $n=(p-1)/2$, and $\zeta ={\zeta }_p=exp(-2i\pi /p)$. The cyclotomic construction of the ${\mathbb{Z}}^n$-lattice (Proposition 3) is on the ring of integers of the maximal real subfield of a cyclotomic number field, denoted $\mathbb{Q}(\zeta +{\zeta }^{-1})$, whose integral basis is $\mathcal{C}=\{e_j={\zeta }^j+{\zeta }^{-j}\mid 1\le j\le n\}$.

Proposition 3

([44] (Proposition 1)). Let $p\ge 5$ be a prime number, and let $K=\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ and $\tau =\frac{1}{p}(1-{\zeta }_p)(1-{\zeta }_p^{-1})$. Then ${\mathcal{O}}_K$ in $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ is a lattice equivalent to ${\mathbb{Z}}^n$ with basis ${\mathcal{C}}^{\prime }=\{e_1^{\prime },\dots ,e_n^{\prime }\mid e_n^{\prime }=e_n\mathrm{and}{e}_j^{\prime }=e_j+e_{j+1}^{\prime }\}$, where $\mathcal{C}=\{e_1,\dots ,e_n\}$ is an integral basis of K.

The generator matrix of the ${\mathbb{Z}}^n$-lattice in $H={\mathbb{R}}^n$ (this is an equality because K is totally real), realized in Proposition 3, is given by

$$\mathbf{M}=\mathbf{D}{\mathbf{M}}^{\prime }\mathbf{U},$$

(9)

where $\mathbf{D}=diag{\left[\sqrt{\frac{{\sigma }_k\left(\tau \right)}{p}}\right]}_{n\times n}$, ${\mathbf{M}}^{\prime }={\left[{\sigma }_i({\zeta }^j+{\zeta }^{-j})\right]}_{i,j\in \left[n\right]\times \left[n\right]}$ and

$$\mathbf{U}={\left[\begin{array}{cccccc}1& 0& 0& \cdots & 0& 0\\ 1& 1& 0& \cdots & 0& 0\\ 1& 1& 1& \cdots & 0& 0\\ ⋮& ⋮& ⋮& \ddots & ⋮& ⋮\\ 1& 1& 1& \cdots & 1& 1\end{array}\right]}_{n\times n}.$$

As an immediate consequence of Theorem 5, in Corollary 1 we prove that the construction for the ${\mathbb{Z}}^n$-lattice mentioned above, in fact does not change the shape of the error distribution and, more importantly, the standard deviation is the same when the distribution is seen over H.

Corollary 1.

Let $K=\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ for $p\ge 5$ prime and let $v\in {\mathcal{O}}_K$ be a random variable distributed as ${\psi }_s^n$ in the basis ${\mathcal{C}}^{\prime }$. Then, the distribution of $({\mathbf{T}}^{-1}\circ {\sigma }_{\tau })\left(v\right)$ for $\tau =\frac{1}{p}(1-{\zeta }_p)(1-{\zeta }_p^{-1})$, seen in the canonical basis of H, is the spherical Gaussian ${\psi }_s^n$.

Proof. 

In the realization of the ${\mathbb{Z}}^n$-lattice (Proposition 3), the matrix representing the linear map ${\sigma }_{\tau }$ from the basis ${\mathcal{C}}^{\prime }$ of ${\mathcal{O}}_K$ to the canonical basis of ${\mathbb{R}}^n$ is given by $\mathbf{M}$ (9). Since ${\mathcal{O}}_K$ is a lattice equivalent to ${\mathbb{Z}}^n$ in the basis ${\mathcal{C}}^{\prime }$, the result follows immediately from Theorem 5. This concludes the proof.    □

4.1. Practical Impacts on a Public-Key Cryptosystem

In this section, we use the fact that $K=\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ is a subfield of $\mathbb{Q}\left({\zeta }_p\right)$, for p prime, to analyze the practical impacts of instantiating the Ring-LWE problem over the ring of integers of K in the compact public-key cryptosystem of Lyubashevsky, Peikert, and Regev [12] (Section 8.2).

The public-key cryptosystem presented below is parameterized by an m-th cyclotomic ring R and two coprime integers $p^{\prime }$ and q. The message space is defined as $R_{p^{\prime }}$ and it is required that q be coprime with every odd prime dividing m. Consider that ${\psi }_{\tau }$ is an error distribution over $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ and $\lfloor ·\rceil$ denotes a valid discretization to (cosets) of $R^{\vee }$ or $p^{\prime }{R}^{\vee }$. Also, $\widehat{m}=m/2$ if m is even, otherwise $\widehat{m}=m$. Finally, for any $\overline{a}\in {\mathbb{Z}}_q$, let $〚\overline{a}〛$ denote the unique representative $a\in (\overline{a}+q\mathbb{Z})\cap [-q/2,q/2)$, which is entry-wise extended to polynomials.

• Gen: choose a uniformly random $a\in R_q$. Choose $x\leftarrow {\lfloor {\psi }_{\tau }\rceil }_{R^{\vee }}$ and $e\leftarrow {\lfloor p^{\prime }·{\psi }_{\tau }\rceil }_{p^{\prime }{R}^{\vee }}$. Output $(a,b=\widehat{m}(a·x+e)modqR)\in R_q\times R_q$ as the public key, and x as the secret key.
• Enc${}_{(a,b)}(\mu \in R_{p^{\prime }})$: choose $z\leftarrow {\lfloor {\psi }_{\tau }\rceil }_{R^{\vee }},e^{\prime }\leftarrow {\lfloor p^{\prime }·{\psi }_{\tau }\rceil }_{p^{\prime }{R}^{\vee }}$, and $e^{\prime \prime }\leftarrow {\lfloor p^{\prime }·{\psi }_{\tau }\rceil }_{t^{-1}\mu +p^{\prime }{R}^{\vee }}$. Let $u=\widehat{m}(a·z+e^{\prime })modqR$ and $v=z·b+e^{\prime \prime }\in R_q^{\vee }$. Output $(u,v)\in R_q\times R_q^{\vee }$.
• Dec${}_x(u,v)$: compute $v-u·xmodq{R}^{\vee }$, and decode it to $d=〚v-u·x〛\in R^{\vee }$. Output $\mu =t·dmod{p}^{\prime }R$.

In such an encryption scheme, the most computationally expensive operations are given by the error sampling and the discretization of the error terms, and the polynomial multiplication. As proved in Corollary 1, when R is the ring of integers of $\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$, the sampling of error terms can be performed directly over $(K_{\mathbb{R}},{\langle ·,·\rangle }_{\tau })$ in the orthonormal basis ${\mathcal{C}}^{\prime }$ while preserving the spherical format and the standard deviation with respect to the corresponding distribution in H. In this case, the error sampling is similar to that performed when K is a cyclotomic field with dimension a power of two, where the spherical format is preserved but the standard deviation increases by $m^{\prime }$. Because of that, any algorithm for one-dimensional discrete Gaussian sampling can be used in our instantiation, including those already adopted in the power-of-two cyclotomic case. The efficiency of discrete sampling when $K=\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ is emphasized by the fact that the discretization in ${\mathbb{Z}}^n$-lattices is simply a coordinate-wise rounding to the nearest integer.

In Ring-LWE cryptosystems, arithmetic operations such as addition and multiplication are performed in the polynomial representation of the ring of integers. The ring of integers of the maximal real subfield $\mathbb{Q}({\zeta }_p+{\zeta }_p^{-1})$ is $\mathbb{Z}[{\zeta }_p+{\zeta }_p^{-1}]$. Thus, associating ${\zeta }_p+{\zeta }_p^{-1}$ with indeterminate x yields an isomorphism between $\mathbb{Z}[{\zeta }_p+{\zeta }_p^{-1}]$ and $\mathbb{Z}\left[x\right]/\left({\Psi }_p\left(x\right)\right)$, where ${\Psi }_p\left(x\right)$ is the minimal polynomial of ${\zeta }_p+{\zeta }_p^{-1}$. This would require a change of basis from ${\mathcal{C}}^{\prime }$, the basis used for error sampling, to the power basis $\{{({\zeta }_p+{\zeta }_p^{-1})}^j\mid 0\le j<n\}$. The coefficients of the defining polynomial ${\Psi }_p\left(x\right)$ vary according to the choice of p. Aranés and Arenas provided a closed formula for the coefficients of ${\Psi }_{p^{\upsilon }}\left(x\right)$ for p prime and $\upsilon \ge 1$ (Theorem 7). Consider that, for strictly positives r and k, $A_r\left(k\right)$ are the determinants of order k, defined in Theorem 6. For details, we refer the reader to [45].

Theorem 6

([45] (Theorem 1)). For any strictly positive integers r and k, we have that

$$A_r\left(k\right)=\left(\genfrac{}{}{0pt}{}{r+k-2}{k}\right)+\left(\genfrac{}{}{0pt}{}{r+k-3}{k-1}\right),$$

where $\left(\genfrac{}{}{0pt}{}{n}{k}\right)$ denotes the binomial coefficient $\frac{n!}{k!(n-k)!}$.

Theorem 7

([45] (Theorem 2)). The coefficients $a_j$ of the polynomial ${\Psi }_{p^{\upsilon }}\left(x\right)$ are given by the following formulae. If p is odd,

$$a_j=\left\{\begin{array}{cc}0,\hfill & \mathit{if}j>m-p^{\upsilon -1};\hfill \\ {\displaystyle \sum _{\begin{array}{c}k=1\\ k\equiv 1(mod2)\end{array}}^{\left[\frac{m-j}{p^{\upsilon -1}}\right]}}{(-1)}^{(m-j-k{p}^{\upsilon -1})/2}{A}_{j+2}\left(\frac{m-j-k{p}^{\upsilon -1}}{2}\right),\hfill & \mathit{if}m+j\equiv 1(mod2);\hfill \\ {(-1)}^{\frac{m-j}{2}}{\displaystyle \sum _{k=0}^{\left[\frac{m-j}{2p^{\upsilon -1}}\right]}}{(-1)}^k{A}_{j+2}\left(\frac{m-j}{2}-k{p}^{\upsilon -1}\right),\hfill & \mathit{if}m+j\equiv 0(mod2);\hfill \end{array}\right.$$

and in the case $p=2$, $\upsilon \ge 3$:

$$a_j=\left\{\begin{array}{cc}{(-1)}^{\frac{m-j}{2}}{A}_{j+2}\left(\frac{m-j}{2}\right),\hfill & ifjiseven;\hfill \\ 0,\hfill & otherwise.\hfill \end{array}\right.$$

Notice that, in our case, $\upsilon =1$; thus, all coefficients are always non-zero. For example, when $p=31$, we have that $n=15$ and the defining polynomial ${\Psi }_p\left(x\right)$ is

$$\begin{array}{cc}\hfill {\Psi }_{31}\left(x\right)& =x^{15}+x^{14}-14x^{13}-13x^{12}+78x^{11}+66x^{10}-220x^9-165x^8\hfill \\ \hfill & +330x^7+210x^6-252x^5-126x^4+84x^3+28x^2-8x-1,\hfill \end{array}$$

which is very dense and the coefficients are not restricted to the set $\{0,1\}$. However, depending on the choice of value for the coefficient’s modulus q, the defining polynomial may have a complete factorization modulo q, which allows algorithms based on the Chinese Remainder Theorem (CRT) for efficient polynomial multiplication. For example, for $p=31$ and $q=61$, the defining polynomial factors in 15 distinct degree-one polynomials as follows:

$$\begin{array}{c}{\Psi }_{31}\left(x\right)\mathrm{mod}61=(x+5)(x+6)(x+15)(x+16)(x+21)(x+22)(x+24)(x+27)\hfill \\ \hfill (x+29)(x+36)(x+38)(x+41)(x+48)(x+49)(x+51).\end{array}$$

(10)

Thus, $f\left(x\right)={\Psi }_{31}\left(x\right)$ can be factored as $f\left(x\right)={\prod }_{i\in \left[k\right]}{f}_i\left(x\right)(modq)$, where $f_i\left(x\right)$ are polynomials of small degree. The multiplication $a·b$ modulo $f\left(x\right)$ is done by computing $a_i=amod{f}_i\left(x\right)$ and $b_i=bmod{f}_i\left(x\right)$, for $i\in \left[k\right]$, computing the component-wise multiplication $\left(a_i{b}_i\right)$ and, finally, using the inverse operation to obtain the polynomial c such that $cmod{f}_i\left(x\right)=a_i{b}_{i}mod{f}_i\left(x\right)$, as discussed by Lyubashevsky and Seiler [27]. Although the asymptotic cost of an algorithm based on this technique is $O(nlogn)$, the hidden constants may be large due to the increased number of reductions modulo q in comparison with CRT-based algorithms for power-of-two cyclotomic number fields [27,46]. Another important aspect of the defining polynomial is captured by the expansion factor, a property introduced by Lyubashevsky and Micciancio [47]. The expansion factor of a polynomial f is

$$EF(f,k)=\underset{g\in \mathbb{Z}\left[x\right],deg\left(g\right)\le k(deg(f)-1)}{max}{\parallel g\parallel }_f/{\parallel g\parallel }_{\infty },$$

where ${\parallel g\parallel }_f$ is the norm of the polynomial g after reduction modulo f. By computing the expansion factor of ${\Psi }_p\left(x\right)$, we can measure the increase in magnitude of the maximum coefficient of ${\parallel g\parallel }_{{\Psi }_p\left(x\right)}$. Also, the expansion factor helps us in choosing a value for q such that the coefficients do not wrap around after arithmetic operations, avoiding the occurrence of decryption errors.

In order to analyze the expansion factor of ${\Psi }_p\left(x\right)$, we compare it with $x^n+1$, the defining polynomial of cyclotomic polynomial rings with dimension a power of two, which is widely adopted in practical applications. For that, we recall Lemma 4, which defines an upper bound for the magnitude of the coefficients of a polynomial $g\in \mathbb{Z}\left[x\right]$ after a reduction modulo f.

Lemma 4.

If g is a polynomial in $\mathbb{Z}\left[x\right]$ and f is a monic polynomial in $\mathbb{Z}\left[x\right]$ such that $deg\left(g\right)\ge deg\left(f\right)$, then ${\parallel g\parallel }_f\le {\parallel g\parallel }_{\infty }{\left({2\parallel f\parallel }_{\infty }\right)}^{deg\left(g\right)-deg\left(f\right)+1}$.

For the case $f\left(x\right)={\Psi }_p\left(x\right)$, it is sufficient to analyze the value of ${\parallel f\parallel }_{\infty }$. Firstly, for $f\left(x\right)=x^n+1$, we have that ${\parallel f\parallel }_{\infty }=1$. On the other hand, when $f\left(x\right)={\Psi }_p\left(x\right)$, ${\parallel f\parallel }_{\infty }$ assumes the maximum value of $a_j$ according to Theorem 7. For example, for $p=31$, ${\parallel f\parallel }_{\infty }=330$, leading to an exponential growth of coefficients, which is roughly ${330}^{deg\left(g\right)-deg\left(f\right)+1}$ times bigger with respect to the case when $f\left(x\right)=x^{16}+1$. Such growth of coefficients require an increased value for the choice of the modulus q in order to avoid the coefficients to wrap around after polynomial operations. This also leads to an increase in the length of system parameters and memory/bandwidth requirement for transmission of public parameters.

In the positive direction, since the dimension of K does not increase as a power-of-two, one may want to find a ring instantiation that closely achieves a target security level. For example, to obtain a ring dimension between 700 and 800, the required for achieving 128-bit security [27], possible choices for the value of p ranges from the 223-th to the 252-th prime number, comprehending 29 possible choices.

In a nutshell, we have discussed some practical impacts of instantiating the Twisted Ring-LWE problem when K is the maximal real subfield of a cyclotomic number field, whose dimension is $n=(p-1)/2$ for any prime $p\ge 5$. The increased cost in arithmetic operations is inherent to this particular instantiation and field representation, but the same cannot be said about all algebraic constructions which lead to lattices equivalent to ${\mathbb{Z}}^n$. This is reinforced by the fact that the ring of integers of power-of-two cyclotomic number fields also leads to lattices equivalent to ${\mathbb{Z}}^n$ and, yet, it allows for very efficient algorithms for arithmetic operations in the power basis representation. Thus, in Section 5, we briefly discuss on an alternative field representation when K is the maximal real subfield of a cyclotomic number field. Moreover, we present future research possibilities related to the Twisted Ring-LWE problem.

5. Discussion

In this paper, we introduce an extension to the Ring-LWE class of problems, namely The Twisted Ring-LWE Problem [4,9]. The Ring-LWE problem uses the canonical embedding to map some underlying ring to a lattice in ${\mathbb{R}}^n$. By doing so, we can define geometric norms and error distributions on the tensor field $K_{\mathbb{R}}$, which is isomorphic to ${\mathbb{R}}^n$. The Twisted Ring-LWE problem is obtained by adopting twisted embeddings [36] rather than the canonical embedding, which is a specialization of twisted embeddings. We prove that the Twisted Ring-LWE Problem is as secure as the original Ring-LWE Problem by providing a security reduction from both variants of Ring-LWE to their twisted forms.

As a result, we broaden the scope of number of algebraic lattices that can be used for lattice-based cryptosystems, including those algebraic constructions of lattices that allow additional factors on the embedding coordinates. This type of construction has been useful in coding theory, since they allow the construction of algebraic lattices with improved properties for Rayleigh fading channels, providing high density, maximum diversity, and great minimum product distance [33,34,35]. Notice that these constructions cannot be obtained via canonical embedding. We took as an example the construction of rotated ${\mathbb{Z}}^n$-lattices. We prove that we can perform efficient and secure sampling from spherical Gaussian distributions in $K_{\mathbb{R}}$, if the parameter ring leads to a rotated ${\mathbb{Z}}^n$-lattice in the space H via twisted embeddings. This generalizes the results of Ducas and Durmus in Theorem 5 [11] and the power-of-two cyclotomic case.

An example of a construction of the ${\mathbb{Z}}^n$-lattice via twisted embeddings is from maximal real subfields of both power-of-two and p-th cyclotomic number fields. We analyze instantiating the Ring-LWE problem using maximal real subfields of p-th cyclotomic number fields in a public-key encryption scheme [12]. By doing so, we can instantiate the Ring-LWE problem in a dimension close to 700 to achieve 128-bit security [25] and provide variability of security assumptions, avoiding the use of the widely adopted power-of-two cyclotomic number field. However, representing the field elements as residue polynomials modulo the defining polynomial is of limited interest, since the coefficients’ modulus may become very large to avoid the occurrence of decryption errors. This occurs because the expansion factor of the defining polynomial of maximal real subfields of p-th cyclotomic number fields grows exponentially.

Future Work

Lyubashevsky, Peikert, and Regev [12] suggested representing the field elements as coefficient vectors in an integral basis apart from the power basis. By taking the underlying ring as the ring of integers of the maximal real subfield of a cyclotomic number field on an orthonormal basis, we can perform efficient Gaussian sampling with hardness guarantee, as discussed in Section 4. Moreover, we can perform efficient ring arithmetic by taking the ring representatives under the twisted embedding, in which both addition and multiplication are taken component-wise. Although the change of representation may need floating-point arithmetic, one may explore lattice basis symmetries to accelerate the computation of the twisted embedding or find a basis more suitable for arithmetic operations. In addition to that, all algorithmic tasks can be performed directly in the space H, without resorting to change of representation from $K_{\mathbb{R}}$. We leave as future work a full analysis and the software implementation of the instantiation of the Twisted Ring-LWE Problem in a cryptosystem adopting the coefficient vector representation.

We also leave as future work detailing how to connect Twisted Ring-LWE instantiations over different number fields, if the ring of integers of both number fields leads to equivalent lattices under twisted embeddings. By doing so, we can connect an instance on a power-of-two cyclotomic number field to an instance of a maximal real subfield as both rings of integers lead to a construction of the ${\mathbb{Z}}^n$-lattice. This may lead to a response to the open question left by Peikert, Regev, and Stephens-Davidowitz [9]. As a consequence, we may be able to explore algebraic properties inherent to maximal real subfields helping to assert the concrete hardness of power-of-two cyclotomic number fields.