A Tutorial Introduction To Lattice-Based Cryptography and Homomorphic Encryption
Michael Purcell
School of Computing
Australian National University
Canberra, ACT, 2600
[email protected]
A PREPRINT - SEPTEMBER 29, 2022
Contents
1 Introduction 5
1.1 Motivations 5
1.2 Tutorial organisation 6
1.3 A simple lattice-based encryption scheme 7
3 Cryptography Basics 15
3.1 Computational security 15
3.2 Private and public encryptions 15
3.3 Security definitions 16
4 Lattice Theory 18
4.1 Lattice basics 18
4.2 Dual lattice 22
4.3 Some lattice problems 23
4.4 Ajtai’s worst-case to average-case reduction 26
4.5 An application of SIS: Collision resistant hash functions 28
10 Homomorphic Encryption 75
10.1 Basic definitions 75
10.2 Gentry’s original FHE using squashing and bootstrapping 76
10.3 BV∗: SHE by relinearization 78
10.4 BV: Leveled FHE by dimension-modulus reduction 83
10.4.1 Modulus reduction to reduce ciphertext size 83
10.4.2 The BV scheme 84
10.4.3 BV is bootstrappable 85
10.5 Additional tools for computational efficiency 86
10.5.1 Noise management by modulus switching 86
E Notation 138
References 141
1 Introduction
1.1 Motivations
Why study Lattice-based Cryptography? There are a few ways to answer this question.
1. It is useful to have cryptosystems that are based on a variety of hard computational problems so that the different cryptosystems are not all vulnerable in the same way.
2. The computational aspects of lattice-based cryptosystems are usually simple to understand and fairly easy to implement in practice.
3. Lattice-based cryptosystems have lower encryption/decryption computational complexities compared to popular cryptosystems that are based on the integer factorisation or the discrete logarithm problems.
4. Lattice-based cryptosystems enjoy strong worst-case hardness security proofs based on approximate versions of known NP-hard lattice problems.
5. Lattice-based cryptosystems are believed to be good candidates for post-quantum cryptography, since there are currently no known quantum algorithms for solving lattice problems that perform significantly better than the best-known classical (non-quantum) algorithms, unlike for integer factorisation and (elliptic curve) discrete logarithm problems.
6. Last but not least, interesting structures in lattice problems have led to significant advances in Homomorphic Encryption, a new research area with wide-ranging applications.
Let’s look at that fourth point in more detail.
Note first that the discrete logarithm and integer factorisation problem classes, which underlie several well-known cryptosystems, are only known to be in NP; they are not known to be NP-complete or NP-hard. The way we understand their complexity is by looking at the average run-time complexity of the current best-known (non-polynomial) algorithms for those two problem classes on randomly generated problem instances. Using that heuristic complexity measure, we can show that
1. there are special instances of those problems that can be solved in polynomial time but, in general, both problems can be solved only in sub-exponential time; and
2. on average, most of the discrete logarithm and integer factorisation problem instances are as hard as each other.
So we believe these two problems to be average-case hard problem classes, but we cannot yet prove that. Interestingly, we know there are quantum algorithms that can solve these two problems efficiently (Bernstein et al., 2009).
The above then raises the question of whether we can design cryptosystems based on known NP-hard or worst-case hard problem classes. In constructing a (public-key) cryptosystem using a problem class ACH with average-case hardness, like Integer Factorisation or Discrete Logarithm, it is sufficient to show that generating a key pair (at random) and solving for the private key corresponds to a problem instance I ∈ ACH; we then rely on average-case hardness to say that I is hard to solve with good probability. But in constructing a (public-key) cryptosystem using a problem class WCH with only known worst-case complexity, we need to do a bit more work: it is not sufficient to generate a key pair (at random) and show that solving for the private key is a problem instance I ∈ WCH; we need to actually show that I is one of the hard, or worst, cases in WCH.
In other words, to build a cryptosystem based on a worst-case hard problem class, we do not just
need to know that hard instances exist, but we need a way to explicitly generate the hard problem
instances. And that is an issue because we do not know how to do that for most worst-case hard
problem classes. But this is what makes lattice problems interesting: we know how to generate, through
reductions, the worst-case problem instances of approximation versions of NP-hard lattice problems
and build efficient cryptosystems based on them. In practice, this means breaking these cryptosystems,
even with some small non-negligible probability, is provably as hard as solving the underlying lattice
problem approximately to within a polynomial factor in polynomial time.
How hard are these approximation lattice problems? In most cases, the underlying lattice problem is the Shortest Vector Problem (SVP), and the approximation version is called the GapSVP_λ problem for an approximation factor λ. These gap lattice problems are known to be NP-hard only for small approximation factors like $n^{O(1/\log n)}$. We also know that these gap lattice problems are not NP-hard for approximation factors above $\sqrt{n/\log n}$, unless the polynomial time hierarchy collapses. See Micciancio and Goldwasser (2002); Khot (2005, 2010) for surveys of these results. The best-known algorithm for solving these gap lattice problems to within a poly(n) factor has time complexity $2^{O(n)}$ (Ajtai et al., 2001), which leads us to the following conjecture that underlies the security of lattice-based cryptography:
The target audiences are students, practitioners and researchers who want to learn the “core curriculum”
of lattice-based cryptography and homomorphic encryption from a single source.
In writing the tutorial, we have benefited from peer-reviewed published papers as well as much less formal explanatory material in the form of lecture notes and blog articles. We are not always careful and comprehensive in citing the latter class of material, and we apologise in advance for errors of omission.
The tutorial can be divided into three parts in pedagogical order as follows. Each part will be presented
with definitions, examples, discussions around the intuitions of abstract concepts and more importantly
corresponding computer code to help develop the understanding.
After brief introductions to the basics of Computational Complexity Theory in Section 2 and Cryp-
tography in Section 3, the first part of the tutorial focuses on the LWE problem, a foundational hard
lattice problem. This part begins with some Lattice Theory in Section 4, followed by material on
Discrete Gaussian Distributions in Section 5. The LWE problem is then described in some detail in
Section 6, including hardness proofs.
The second part discusses the Ring LWE (RLWE) problem, which is a generalization of LWE from the integer domain to an algebraic number field domain that allows more computationally efficient cryptosystems to be built. As LWE does not straightforwardly generalize to its ring version, some required background knowledge will be presented with intuition, examples and computer code, including cyclotomic polynomials and their Galois groups in Section 7 and algebraic number theory in Section 8. (For readers that require a more extensive background, the appendix covers Abstract Algebra, Galois Theory and Algebraic Number Theory in significantly more detail.) The RLWE problem is described in some detail in Section 9, including hardness proofs. (A mindmap is given in Appendix D to help readers navigate and remember the many components of RLWE proofs.)
Having introduced the LWE and RLWE problems, the final part of the tutorial (Section 10) shows how efficient homomorphic encryption (HE) schemes can be developed based on the LWE and RLWE problems. These schemes are both similar to and different from Gentry’s original fully HE scheme. The similarity is in designing a somewhat HE scheme first, then using bootstrapping to achieve fully HE. The difference is that they avoid Gentry’s “squashing” technique and instead use the algebraic properties of (R)LWE instances to make the somewhat HE schemes bootstrappable.
Before diving into the technical details of lattice-based cryptosystems and homomorphic encryption
schemes, we describe a simple public-key encryption scheme introduced by Regev (2009) to illustrate
the connection between the scheme’s security and lattice problems. This scheme is based on the learning
with errors (LWE) problem, see Section 6 for details. Its simplicity inspired subsequent developments
in homomorphic encryption schemes that are based on lattices, and is a fundamental building block in
many such schemes.
Note that in this example Z_q is the collection of integers in the range [−q/2, q/2) rather than its standard usage for representing the ring Z/qZ, and [x]_q is the reduction of x into Z_q such that [x]_q = x mod q. We use boldface to denote vectors and matrices. When working with matrices, all vectors are by default considered as column vectors. Vector multiplications are denoted by a · b, whilst matrix and scalar multiplications are denoted without the “dot” in the middle. For simplicity, we use [b | −A] to denote the action of appending the column vector b to the front of the matrix −A. The parameters n, q, N, χ correspond to the vector dimension, the plaintext modulus, the number of LWE samples, and the noise distribution over Z_q, respectively. In particular, χ is chosen such that $\Pr\left(|\mathbf{e}\cdot\mathbf{r}| < \tfrac{q}{2}\cdot\tfrac{1}{2}\right) > 1 - \mathrm{negl}(n)$ for a random binary vector r ∈ {0, 1}^N. The scheme is summarized as follows, but in an alternative format to be consistent with the later homomorphic encryption schemes that will be presented in Section 10.
The purpose of the binary vector r is to randomize the use of the public key so that it is impossible to derive m from the ciphertext c. To demonstrate how decryption works, the ciphertext can be re-written as
$$\mathbf{c} = \left[\, \mathbf{b}^T\mathbf{r} + \left\lfloor \tfrac{q}{2} \right\rfloor m \;\middle|\; -\mathbf{A}^T\mathbf{r} \,\right]_q,$$
which implies
$$[\mathbf{c}\cdot\mathbf{s}]_q = \left[\mathbf{b}^T\mathbf{r} + \left\lfloor \tfrac{q}{2}\right\rfloor m - \mathbf{t}^T\mathbf{A}^T\mathbf{r}\right]_q = \left[(\mathbf{t}^T\mathbf{A}^T + \mathbf{e}^T)\mathbf{r} + \left\lfloor \tfrac{q}{2}\right\rfloor m - \mathbf{t}^T\mathbf{A}^T\mathbf{r}\right]_q = \left[\mathbf{e}^T\mathbf{r} + \left\lfloor \tfrac{q}{2}\right\rfloor m\right]_q .$$
Because $\Pr\left(|\mathbf{e}^T\mathbf{r}| < \tfrac{q}{2}\cdot\tfrac{1}{2}\right) > 1 - \mathrm{negl}(n)$, we have (with overwhelming probability)
$$[\mathbf{c}\cdot\mathbf{s}]_q \in \frac{q}{2}\cdot\begin{cases} (-1/2,\, 1/2) & \text{if } m = 0; \\ [-1,\, -1/2) \cup (1/2,\, 1) & \text{if } m = 1. \end{cases}$$
Notice that if b′ = At then an attacker who knows A and b′ could recover the secret t by solving a system of linear equations. The security of the system therefore depends on the presence of the noise vector e.
If an attacker knows b instead of b′, then the attack described above will not work. If, however, such an attacker could recover the noise vector e, then they could use that information to compute b′. They could then recover t as described above. Recovering e is an instance of a well-known lattice problem called the bounded distance decoding (BDD) problem. So, an attacker that can solve the BDD problem could recover the secret t. In other words, recovering t is “no harder” than solving the BDD problem.
Conversely, Regev showed that the BDD problem is “no harder” than recovering t. That is, an attacker who could recover t given A and b could solve the BDD problem as well. This result implies that if the BDD problem is hard, then attacking the cryptosystem is hard as well. This kind of result is called a reduction. Crucially, the BDD problem is believed to be hard. So, Regev’s result constitutes a proof of security for the LWE-based cryptosystem described above.
Figure 1: A Sage implementation of the simple lattice-based encryption system described above.
Note: This implementation is not suitable for use in real-world applications.
#!/usr/bin/env sage
from sage.stats.distributions import discrete_gaussian_integer as dgi

# Sample N noise values from a discrete Gaussian over Z, mapped into R = Z/qZ
def sample_noise(N, R):
    D = dgi.DiscreteGaussianDistributionIntegerSampler(sigma=1.0)
    return vector([R(D()) for i in range(N)])

# Define parameters
q = 655360001   # modulus
n = 1000        # secret dimension
N = 500         # number of LWE samples
R = Integers(q)
Q = Rationals()
Z2 = Integers(2)

# Generate keys: public key [b | -A] with b = A t + e, secret key s = (1, t)
t = vector([R.random_element() for i in range(n)])
A = random_matrix(R, N, n)
e = sample_noise(N, R)
b = A * t + e
public_key = b.column().augment(-A)
secret_key = vector([R(1)] + t.list())

# Encrypt Message: c = r [b | -A] + (floor(q/2) m, 0, ..., 0)
message = R(randrange(2))
m_vec = vector([message] + [R(0) for i in range(n)])
r = vector(R, [randrange(2) for i in range(N)])
ciphertext = r * public_key + (q // 2) * m_vec

# Decrypt Message: [c . s]_q = e^T r + floor(q/2) m, so scale by 2/q and round
temp = (2/q) * Q(ciphertext * secret_key)
decrypted_message = R(Z2(temp.round()))

# Verification
print(decrypted_message == message)
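The same scheme in plain Python without Sage, added here as an example and not taken from the tutorial or its Sage listing. It follows the derivation above exactly: public key [b | −A] with b = At + e, secret key s = (1, t), ciphertext c = [bᵀr + ⌊q/2⌋m | −Aᵀr]_q, and decryption by checking whether [c · s]_q lies within q/4 of zero. It also exposes the noise term eᵀr for each encryption so the bound the correctness argument relies on can be inspected. The modulus, dimensions and rounded-Gaussian sampler are constructed assumptions chosen so the script runs in well under a second; they provide no real security.

```python
import random

# Added example, not the tutorial's code: the LWE public-key scheme of Section 1.3
# in plain Python. Parameters are constructed for a fast demo and are far too small
# to be secure.
Q = 65537          # modulus q (hypothetical demo value)
DIM = 64           # secret dimension n
SAMPLES = 200      # number of LWE samples N
SIGMA = 1.0        # std. dev. of the rounded-Gaussian noise (assumption)


def center(x, q=Q):
    """The tutorial's [x]_q: the representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x > (q - 1) // 2 else x


def sample_noise(count, rng):
    """Rounded Gaussian noise, standing in for Sage's discrete Gaussian sampler."""
    return [int(round(rng.gauss(0.0, SIGMA))) % Q for _ in range(count)]


def keygen(rng):
    """Return ((b, A), s, e): public key [b | -A] with b = A t + e, secret s = (1, t)."""
    t = [rng.randrange(Q) for _ in range(DIM)]
    A = [[rng.randrange(Q) for _ in range(DIM)] for _ in range(SAMPLES)]  # N x n
    e = sample_noise(SAMPLES, rng)
    b = [(sum(A[i][j] * t[j] for j in range(DIM)) + e[i]) % Q for i in range(SAMPLES)]
    return (b, A), [1] + t, e


def encrypt(pk, m, rng):
    """c = [ b^T r + floor(q/2) m | -A^T r ]_q for a fresh binary r. Returns (c, r)."""
    b, A = pk
    r = [rng.randrange(2) for _ in range(SAMPLES)]
    c0 = (sum(b[i] * r[i] for i in range(SAMPLES)) + (Q // 2) * m) % Q
    rest = [(-sum(A[i][j] * r[i] for i in range(SAMPLES))) % Q for j in range(DIM)]
    return [c0] + rest, r


def decrypt(sk, c):
    """[c . s]_q = e^T r + floor(q/2) m, which is within q/4 of 0 exactly when m = 0."""
    v = center(sum(ci * si for ci, si in zip(c, sk)))
    return 0 if abs(v) < Q / 4 else 1


def noise_term(e, r):
    """The e^T r term decryption must absorb, centred into [-q/2, q/2)."""
    return center(sum(ei * ri for ei, ri in zip(e, r)))


def demo(seed=0, messages=(0, 1, 1, 0)):
    """Encrypt and decrypt each message; return a list of (m, decrypted m, e^T r)."""
    rng = random.Random(seed)
    pk, sk, e = keygen(rng)
    out = []
    for m in messages:
        c, r = encrypt(pk, m, rng)
        out.append((m, decrypt(sk, c), noise_term(e, r)))
    return out


if __name__ == "__main__":
    for m, m_dec, er in demo():
        print(f"m={m} decrypted={m_dec} e.r={er} (bound q/4={Q // 4})")
```

Each printed line shows that the noise term eᵀr is tiny compared with q/4, which is why the sign test in decrypt() recovers m. Setting the noise to zero would give exactly the b′ = At case discussed above, where the public key is a plain linear system in t.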
The following concepts are introduced under the assumption that a general purpose computer is of the
form of a Turing machine. The primary reference of this subsection is Sipser (2013)’s book Introduction
to the Theory of Computation, Third Edition.
A language (or decision problem) is a set of strings that are decidable by a Turing machine. We use Σ to denote the alphabet and Σ* to denote the set of all strings over the alphabet Σ of all lengths. A special case is when Σ = {0, 1} and Σ* = {0, 1}* is the set of all strings of 0s and 1s of all lengths. In this case, a language A = {x ∈ {0, 1}* | f(x) = 1}, where f : {0, 1}* → {0, 1} is a Boolean function.
Let M be a deterministic Turing machine that halts on all inputs. We measure the time complexity or running time of M by the function t : N → N, where t(n) is the maximum number of steps that M takes on any input of length n. Generally speaking, t(n) can be any function of n and the exact number of steps may be difficult to calculate, so we often just analyse t(n)’s asymptotic behaviour by taking its leading term, denoted by O(t(n)). We also relax its codomain by letting t : N → R+ be a non-negative real valued function.
It is worth mentioning that when analysing the time complexity of a function, we often consider its time complexity in the worst case, i.e., the longest running time over all inputs of a particular length n. At the end of this chapter, we will emphasize the importance of worst-case complexity in the proofs of security of modern cryptosystems. We will sketch how this was achieved by Ajtai through an average-case to worst-case reduction.
Definition 2.1.1. The time complexity class, TIME(t(n)), is defined as the set of all languages that are decidable by a Turing machine in time O(t(n)).
Obviously, t can be any function, e.g., logarithmic, polynomial, exponential, etc. In practice, polynomial differences in running time are considered to be much better than exponential differences due to the super fast growth rate of the latter. For this reason, we separate languages into different classes according to their worst-case running time on a deterministic single-tape Turing machine.
Definition 2.1.2. P is the class of languages that are decidable in polynomial time by a deterministic single-tape Turing machine, i.e.,
$$P = \bigcup_{k \in \mathbb{N}} \mathrm{TIME}(n^k).$$
Some problems are computationally hard, so they cannot be decided by a deterministic single-tape Turing machine in polynomial time. But given a possible solution, we can sometimes efficiently verify whether or not the solution is genuine. The length of the solution has to be polynomial in the length of the input string, for otherwise the verification process cannot be done efficiently. Based on the ability to verify efficiently, we can define the complexity class NP.
Definition 2.1.3. NP is the class of languages that can be verified in polynomial time.
Sometimes, a problem can be solved by reducing it to another problem whose solution can be found more easily, provided the reduction between the two problems is efficient. For example, a polynomial time reduction is often acceptable.
Definition 2.1.4. A language A is polynomial time reducible to another language B, written as A ≤_P B, if a polynomial time computable function f : Σ* → Σ* exists where, for every w,
w ∈ A ⟺ f(w) ∈ B.
Essentially, we are saying that NP-complete is the set of the hardest problems in NP. There are, however, hard problems that are not in NP, such as optimization problems. Given a solution of an optimization problem, it is often not trivial to verify that the solution is optimal among all the answers, so problems of this type are not polynomial time verifiable and hence not in NP. For these problems, we can define a complexity class similar to NP-complete but without requiring their solutions to be polynomially checkable.
Definition 2.1.6. A language is NP-hard if every problem in NP is polynomial time reducible to it.
The two terms NP-complete and NP-hard are sometimes used interchangeably because an optimization problem can also be formulated as a decision problem. For example, instead of asking for the shortest route in the travelling salesman problem, we can ask whether there exists a route that is shorter than a threshold.
Many optimization problems are NP-hard, which means there is no polynomial time solution under the assumption P ≠ NP. Hence, when an answer for an NP-hard problem is needed, the fallback is to use an approximation algorithm to compute a near-optimal solution that is within an acceptable range. For an NP-hard problem, it is sometimes easier to build a cryptosystem based on its approximation version rather than on the NP-hard problem itself. For this reason, cryptographers are concerned about whether or not an optimization problem is hard to approximate within a certain range. This brings us to the study of the hardness of approximation, or inapproximability, in the next subsection.
An optimization problem aims at finding the optimum result of a computational problem. This optimum result can be either the maximum or the minimum of some value. Throughout this section, we focus on minimization problems only. The same results also hold for maximization problems.¹ In the previous section, we said an optimization problem can be made into a decision problem by comparing the solution with a threshold. More formally, it is defined as follows.
Definition 2.2.1. An NP-optimization (NPO) problem is an optimization problem such that
For a minimization problem in NPO, its decision version asks “Is OPT(x) ≤ q?”, where OPT(x) is the unknown optimal solution (or its cost; we use the two interchangeably) to the instance x. For example, in the maximum clique problem, an instance is a graph, an optimal solution is a maximum clique in the given graph and its cost is the clique size. Given an NPO problem, its decision version is an NP problem, so NPO is the analogue of NP for optimization problems. On the other hand, PO (P-optimization) is the set of optimization problems whose decision versions are in P, such as finding the shortest path.
¹ Lecture 18: Gap Inapproximability, 6.892 Algorithmic Lower Bounds: Fun with Hardness Proofs (Spring 2019), Erik Demaine, available at http://courses.csail.mit.edu/6.892/spring19/lectures/L18.html
Definition 2.2.2. An algorithm ALG for a minimization problem is called a c-approximation algorithm for c ≥ 1 if for all instances x, it satisfies
$$\frac{\mathrm{cost}(ALG(x))}{\mathrm{cost}(OPT(x))} \le c. \tag{1}$$
The ratio c is not necessarily a constant; it can be any function of the input size, i.e., c = f(n) for an arbitrary function f(·). Practically, we prefer a near-optimal solution ALG(x) such that the ratio c is as small as possible, or at least does not grow quickly in the input size. This, however, may not be possible for some problems such as the maximum clique problem, whose best possible ratio is $O(n^{1-\epsilon})$ for small ε > 0. From a provable security perspective, the smaller the ratio c is, the harder the c-approximation problem is. This leads to a cryptosystem with higher security because it requires more time and computational resources for an attacker to break the system.
For a given c = f(n), there are different ways of proving that c-approximating a problem is hard. One way is by proving that a c-gap problem is hard, which is in direct analogy to the c-approximation problem at hand. This way, if the gap problem is hard, then the c-approximation problem is also hard.
Definition 2.2.3. For a minimization problem, a c-gap problem (where c > 1) distinguishes two cases for the optimal solution OPT(x) of an instance x and a given k as follows:
The value k is a given input. For example, in the c-gap version of the shortest vector problem, we can set k = λ₁(L), the length of the shortest vector in a given lattice L. Intuitively, a c-gap problem is a decision problem where the unknown optimal solution OPT of the corresponding optimization problem is mapped to one side or the other of a gap. It differs from a plain decision problem in that there is a gap between k and c · k.
The connection between c-gap and c-approximation problems is that if a c-gap problem is proved to be hard, then the corresponding c-approximation problem is also hard. In other words, there is a reduction from a c-gap problem to a c-approximation problem. The proof is straightforward. Assume the problem can be c-approximated in polynomial time by an algorithm A, so for an input x we have OPT(x) ≤ A(x) ≤ c · OPT(x). If x is a YES instance of the gap problem, then
$$OPT(x) \le k \implies A(x) \le c \cdot OPT(x) \le c \cdot k.$$
If x is a NO instance, then
$$OPT(x) > c \cdot k \implies A(x) \ge OPT(x) > c \cdot k.$$
Either way the instance x can be distinguished easily using the decision procedure A(x) ≤ c · k.
Gap and approximation lattice problems are the foundation of provable security for lattice-based cryptosystems. We will see more of these problems in Section 4 and some of their cryptographic applications in the hardness proofs of the short integer solution problem, the learning with errors problem and the ring learning with errors problem.
So far, we have introduced the time complexity classes P and NP in the worst-case scenario, that is, the longest running time over all inputs at a given input length. A problem that is hard to solve in polynomial time in the worst case is known as worst-case hard. There is another related concept called average-case hardness, which is stronger than worst-case hardness in the sense that the former implies the latter but not vice versa. To finish this section, we briefly discuss the critical role of average-case hard problems for cryptography and how they can be constructed by a worst-case to average-case reduction, as first achieved by Ajtai (1996).
Without going into the details, we state some remarks about average-case problems to help the reader get an intuitive understanding of them. More discussion of these problems can be found in Chapter 18 of Arora and Barak (2009). First, an average-case problem consists of a decision problem and a probability distribution from which inputs can be sampled in polynomial time. Such a problem is called a distributional problem. This is different from a worst-case decision problem, where all inputs are considered when determining its hardness. Second, the first remark entails that average-case complexity is defined with respect to a specific distribution over the inputs. This suggests that a problem may be difficult with one distribution but easy with another. For example, integer factorization may be difficult for large prime numbers, but easy for small integers. Hence, which probability distribution is used is crucial for the hardness of the integer factorization problem. Finally, average-case complexity has its own complexity classes distP and distNP, which are the average-case analogues of P and NP, respectively.
To prove a cryptosystem is computationally secure, one could build an efficient reduction from a known worst-case problem to it, so that if the cryptosystem can be attacked successfully, such an attack provides a solution to the worst-case problem. However, knowing only that the underlying problem is worst-case hard is not sufficient to build a secure cryptosystem in the real world, because many of the system’s instances may correspond to easy instances of the worst-case problem, which can be solved efficiently.
For this reason, the ideal situation is when a cryptosystem’s security is based on an average-case problem and the exact distribution from which to sample hard instances is known. But this is hard to achieve. It is more difficult to prove that a certain distribution generates only hard instances, because this would imply the problem is also worst-case hard. An alternative is to construct an average-case problem such that its instances correspond to the hard instances of a worst-case problem. This is known as a worst-case to average-case reduction. A visual representation of this type of construction is illustrated in Figure 2. In this figure, a random cryptographic instance corresponds to an average-case instance. By construction, it is almost always true that an average-case instance links to a hard instance of some worst-case problem. This reduction implies that if the worst-case problem is known or believed (with high confidence) to be hard, then the cryptosystem is guaranteed to be secure with high probability.
Figure 2: Reductions from cryptosystem instances x₁, …, x_l to average-case instances a₁, …, a_m and on to worst-case instances w₁, …, w_n.
The work by Ajtai served exactly this purpose by introducing the short integer solution (SIS) problem and proving that SIS is an average-case problem with polynomial time reductions from three worst-case lattice problems to it. This work is known as the first worst-case to average-case reduction. The significant implication of Ajtai’s work in cryptography is that it laid the foundation for the security of modern cryptosystems to be based on worst-case problems (via average-case problems). More importantly, this work sparked a number of important follow-up works, including the learning with errors and ring learning with errors problems, that advanced lattice-based cryptography to a new era.
3 Cryptography Basics
The history of cryptography dates back to the pre-computer era, but with the same goal as today’s, that is, securely sharing secret information between parties over public communication channels. A simple but motivating example is shown next: a shift cipher encryption technique used by Julius Caesar (during 81–45 BC) to communicate securely with his troops on battlefields (Hoffstein et al., 2008).
jsjrdkfqqnslgfhpgwjfpymwtzlmnrrnsjsyqzhnzx
enemyfallingbackbreakthroughimminentlucius
As the name of the technique suggests, each letter in the plaintext (below the horizontal line) was shifted by a pre-determined number of places along a fixed direction in the alphabet. This transforms it into a ciphertext (above the horizontal line) that no longer reveals the original information.
Back then, Caesar’s method was still able to protect his secret messages to the troops from eavesdroppers effectively. But with the help of today’s multi-core GHz processors that handle billions of instructions per second, this encryption method will fail within seconds. The example motivates the need to design more complex ciphers that are hard to decrypt, where the hardness should be both measurable and tunable by some parameters in order to cope with the increasing computing resources of potential attackers.
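The shift cipher above, together with the exhaustive key search that the paragraph says defeats it within seconds, as an added Python example that is not part of the tutorial. The ciphertext is the one quoted above. The search tries every one of the 26 possible shifts and keeps the candidates containing a crib word; the crib "enemy" is an assumption about what such a dispatch would contain, and the shift amount is recovered by the search rather than supplied. The point it illustrates is the one the text makes next: a key space of 26 is a fixed, tiny "security parameter" that no amount of cleverness in the cipher makes up for.

```python
import string

# Added example, not from the tutorial: Caesar's shift cipher and exhaustive search
# over its 26 keys. CIPHERTEXT is the message quoted in the tutorial; the crib word
# used below is an assumption about the dispatch's content.
ALPHABET = string.ascii_lowercase
CIPHERTEXT = "jsjrdkfqqnslgfhpgwjfpymwtzlmnrrnsjsyqzhnzx"


def shift(text, k):
    """Shift every lowercase letter k places forward (mod 26); other characters pass through."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + k) % 26] if ch in ALPHABET else ch for ch in text
    )


def encrypt(plaintext, k):
    """Caesar encryption: shift forward by the key k."""
    return shift(plaintext, k)


def decrypt(ciphertext, k):
    """Caesar decryption: shift back by the key k."""
    return shift(ciphertext, -k)


def exhaustive_search(ciphertext, crib):
    """Try all 26 shifts; return [(k, candidate plaintext)] for candidates containing the crib."""
    hits = []
    for k in range(26):
        candidate = decrypt(ciphertext, k)
        if crib in candidate:
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    for k, candidate in exhaustive_search(CIPHERTEXT, "enemy"):
        print(f"shift={k}: {candidate}")
```

Only one of the 26 candidates contains the crib, so the search returns the shift of 5 and the plaintext from the tutorial; the work done is 26 decryptions of a 42-character string, which is why a fixed key space this small cannot be "tuned" against an attacker's resources.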
With the help of mathematics and computer science, in particular probability theory and computational complexity theory, the safety of modern encryption methods can be captured by computational security, a security notion which allows an attacker to succeed in guessing the secret message with a measurable chance and computational effort such as running time. A frequently used approach to realize this security notion is to parameterize the probability of success and the algorithmic running time of an attack by an integer-valued security parameter. This is called the “asymptotic approach” and is discussed in more detail in Chapter 3 of Katz and Lindell (2014). Some of the following results are also taken from that chapter, but presented in a different order and notation to ensure consistency within this tutorial paper.
Under the notion of computational security, one can draw the connection between an encryption scheme and a computational problem that has been proved (or is believed with high confidence) to be hard to solve within a practical time. A famous example is that the security of the RSA encryption scheme relies on the large integer factorization problem, which is presumed (without an actual proof) to be hard to solve by an efficient non-quantum algorithm. The RSA problem is to solve for the unknown x in the equation x^e = c mod N.² The problem is easy when N is prime, so it comes down to a primality test of N.
The security parameter described above, sometimes denoted by n (or λ or κ), reflects the input size of the underlying hard computational problem. The larger the security parameter, the larger the input size, so the problem is more difficult to solve in a practical time frame, which ensures the encryption scheme is less likely to be attacked successfully. In the RSA scheme, the security parameter is the bit length n of the modulus N. The larger n is, the more difficult it is to factor N in order to solve the RSA problem efficiently. By convention, the security parameter n is often supplied to a scheme in the unary format 1^n, i.e., by repeating the digit 1 n times.
Now that we have discussed the security parameter, we formally introduce two types of encryption schemes, namely the private (or symmetric) and public (or asymmetric) key encryption schemes. The two types are similar in the sense that they both consist of three sub-steps for key generation, encryption and decryption. The main difference is that private key encryption uses only one key for both encryption and decryption (hence the name symmetric), whilst public key encryption uses one key for each purpose.
Definition 3.2.1. Define the following three polynomial time algorithms:
2
Throughout the paper, we use = instead of ≡ to denote the congruent modulo relation in order to be consistent
with most others in the field. This is also noted in the Notation table in Appendix E.
• Key generation: A probabilistic algorithm that generates a key k ← Keygen(1n ) for encryption
and decryption, where |k| > n.
• Encryption: A probabilistic algorithm that encrypts the plaintext m ∈ {0, 1}∗ to a ciphertext
c ← Enc(k, m) using the key.
• Decryption: A deterministic algorithm that decrypts the ciphertext with the key to get the
plaintext m ← Dec(k, c).
The collection (Keygen, Enc, Dec) forms a private key encryption scheme if for all n, k, m, it satisfies
m ← Dec(k, Enc(k, m)).
Definition 3.2.2. Define the following three polynomial time algorithms:
• Key generation: A probabilistic algorithm that generates a pair of keys (pk, sk) ← Keygen(1n ),
where pk is the public key for encryption and sk is the secret key for decryption and both have
sizes larger than n.
• Encryption: A probabilistic algorithm that encrypts the plaintext m ∈ {0, 1}∗ to a ciphertext
c ← Enc(pk, m) using the public key.
• Decryption: A deterministic algorithm that decrypts the ciphertext using the secret key to get
m ← Dec(sk, c).
The collection (Keygen, Enc, Dec) forms a public key encryption scheme if for all n, (pk, sk), m, it
satisfies m ← Dec(sk, Enc(pk, m)).
Generally speaking, public key encryption uses longer keys, because one of the keys is public and the
secret key must be hard to recover from it. This in turn makes it slower than private key encryption. It
is, however, more convenient in settings where private key encryption would be impractical: when no
secure channel is available for sharing the key, or when the key needs to be changed constantly for
different parties. Regardless, the requirement for the keys (in both private and public key encryption)
to be at least n bits long ensures that the security parameter is a lower bound on the key length, so that
a brute-force search over the key space takes time exponential in n.
As n directly reflects the security of an encryption scheme, it is convenient to parameterize an
attacker's running time and probability of success by n. More specifically, the running time is the
time taken by a randomized algorithm to attack the scheme. For practical purposes, this is required to
be polynomial in n, denoted by poly(n). From the designer's point of view, an encryption scheme is
only considered secure if the probability of success is very small and decreases as n grows. A function
that captures these two characteristics is called a negligible function.
Definition 3.3.1. A function µ : N → R is negligible if for every positive integer c there exists an
integer N_c such that for all n > N_c we have |µ(n)| < n^{−c}.
An example is the negative exponential function µ(n) = 2^{−n}. For c = 6, the threshold N_c = 30
satisfies the above condition: 2^{−n} < n^{−6} for all n > 30 (at n = 30 the two sides are about
9.3 · 10^{−10} and 1.4 · 10^{−9}, and 2^{−n} shrinks faster than n^{−6} from there on).
When a function is not defined explicitly, we use negl(n) to indicate that it is negligible. Another
characteristic that makes a negligible function a suitable candidate for measuring an attacker's probability
of success is that it stays negligible after being multiplied by a polynomial function of n, that is,
|poly(n)| · negl(n) is also negligible (Proposition 3.6 (Katz and Lindell, 2014)). This assures that if an
attacker has a negligible probability of success, the chance stays extremely small even if the same attack
is repeated a polynomial number of times (in n).
An example (Example 3.2 (Katz and Lindell, 2014)) illustrating this negligible probability and the
running time is an adversary whose probability of success is 2^{40} · 2^{−n} when running an attacking
algorithm for n^3 minutes. If the security parameter is set to n = 40, the adversary only needs to run the
attack for 40^3 minutes, roughly 44 days, to break the system with probability 2^{40} · 2^{−40} = 1. But
if the security parameter is set to n = 500, the adversary's chance of breaking the system is 2^{−460},
which is essentially 0, even though the attack now runs for 500^3 minutes, roughly 237 years.
Definition 3.3.2. An encryption scheme is secure if any probabilistic polynomial time (PPT) adversary
has only a negligible probability of success in breaking the scheme.
Here, probabilistic refers to the attack being a randomized algorithm. Randomized algorithms are at
least as powerful as deterministic ones (an algorithm may simply ignore its random coins), so allowing
randomness only strengthens the adversary, and hence the definition.
So far, we have implicitly discussed the notion of security (or breaking an encryption scheme)
without formally defining the meaning of it. The concrete security definition that is most relevant to this
tutorial paper is semantic security. Below we give a formal definition of it and an equivalent definition,
called indistinguishability which is easier to work with in practice. Both definitions can be defined for
either private or public key encryptions, with the difference being a public key is also given for the
public key encryption case.
At a high level, semantic security means given a ciphertext that encrypts one of two messages, a
PPT adversary has no better chance than random guessing that the ciphertext is an encryption of one
message or the other.
Definition 3.3.3 (Semantic security). A (public or private key) encryption scheme Π is semantically
secure if for every PPT adversary A, there is another PPT adversary A' such that their chances of
guessing the plaintext m are almost identical, even though A' is only given the length of m. That is,
letting c ← Enc(k, m),
|Pr[A(1^n, c) = m] − Pr[A'(1^n, |m|) = m]| ≤ negl(n).
It is convenient to consider the attack model as a distinguisher (i.e., a PPT algorithm) that tries
to exhibit the non-randomness from the ciphertexts in order to associate a ciphertext with a particular
plaintext. If the adversary’s chance of success is better than random, then the encryption scheme is
vulnerable to attacks. The process of guessing the source of a given ciphertext can be formalized as an
adversarial indistinguishability experiment (Section 3.2.1 (Katz and Lindell, 2014)). Given a PPT
adversary A and a (public or private) encryption scheme Π, the experiment outputs IndisExpA,Π (n) = 1
for a successful guess of the source plaintext.
Definition 3.3.4 (Indistinguishable). A (private or public key) encryption scheme Π is indistinguishable
if it satisfies
Pr[IndisExp_{A,Π}(n) = 1] ≤ 1/2 + negl(n)
for every PPT adversary A and security parameter n.
The following theorem states the equivalent relationship between semantic security and indistin-
guishability. The same equivalent relation can also be proved under the public key encryption setting.3
Theorem 3.3.5 (Theorem 3.13 (Katz and Lindell, 2014)). A private key encryption scheme is indistin-
guishable in the presence of an eavesdropper if and only if it is semantically secure in the presence of
an eavesdropper.
Both semantic security and indistinguishability discussed above are in the presence of an eavesdropper,
who passively receives/intercepts a ciphertext and tries to guess the corresponding plaintext. In the
case of public key encryption, the adversary has access to the public key and the encryption method, so
it is possible for the adversary to compare the intercepted ciphertext with ciphertexts it produces itself,
and use this information to increase its probability of successfully guessing the plaintext. By assuming
the adversary has oracle access to the encryption algorithm, which allows repeated interactions, this
attack model applies to both public and private key encryption (Section 3.4.2 (Katz and Lindell, 2014)).
The security notion defined under such a chosen-plaintext attack (CPA) model is called CPA security
and is a stronger security definition than the previous one, which is defined in the presence of an
eavesdropper only. Note that CPA security forces encryption to be probabilistic: if Enc were
deterministic, the adversary could encrypt both candidate plaintexts itself and compare the results with
the challenge ciphertext. Similarly, semantic security and indistinguishability can also be defined under
chosen-plaintext attack, and an equivalence can be established between semantic security under CPA
and IND-CPA. This stronger level of security is useful when introducing homomorphic encryption.
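The following Python program is an added illustration of the chosen-plaintext model just described; it is not part of this tutorial's material. It runs the indistinguishability experiment with an encryption oracle against two constructed toy private-key schemes: a deterministic one (c = m ⊕ PRF_k(0)) and a randomized one (c = (r, m ⊕ PRF_k(r)) with a fresh r), using HMAC-SHA256 as the PRF. The schemes, the two plaintexts, the "compare with a self-made ciphertext" adversary and the key length n = 128 are assumptions of the example.

```python
"""IND-CPA indistinguishability experiment run against two toy private-key
schemes: a deterministic one (which the oracle-comparison adversary breaks with
probability 1) and a randomized one built from HMAC-SHA256 used as a PRF.
Added example; the schemes and the adversary are constructed for illustration
and are not taken from the tutorial."""
import hashlib
import hmac
import os
import random

BLOCK = 16  # plaintext length in bytes handled by both toy schemes


def keygen(n: int = 128) -> bytes:
    """Keygen(1^n): a uniformly random key of n bits (n = 128 here, an assumption)."""
    return os.urandom(n // 8)


def _prf(k: bytes, x: bytes) -> bytes:
    """HMAC-SHA256 truncated to one block, used as the pseudorandom function."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Scheme 1: deterministic "encryption" c = m XOR PRF_k(0). No randomness, so
# identical plaintexts always produce identical ciphertexts.
def det_enc(k: bytes, m: bytes) -> bytes:
    return _xor(m, _prf(k, b"\x00" * BLOCK))


def det_dec(k: bytes, c: bytes) -> bytes:
    return det_enc(k, c)  # XOR with the same pad inverts itself


# Scheme 2: randomized encryption c = (r, m XOR PRF_k(r)) with a fresh random r.
def rnd_enc(k: bytes, m: bytes) -> bytes:
    r = os.urandom(BLOCK)
    return r + _xor(m, _prf(k, r))


def rnd_dec(k: bytes, c: bytes) -> bytes:
    r, body = c[:BLOCK], c[BLOCK:]
    return _xor(body, _prf(k, r))


def compare_adversary(enc_oracle, m0: bytes, m1: bytes, c: bytes) -> int:
    """The CPA adversary from the text: re-encrypt m0 through the oracle and
    compare with the challenge ciphertext. Guess bit 0 on a match, else 1."""
    return 0 if enc_oracle(m0) == c else 1


def ind_cpa_experiment(enc, adversary, rng: random.Random) -> int:
    """One run of IndisExp_{A,Pi}(n): returns 1 iff the adversary guesses b."""
    k = keygen()

    def enc_oracle(m: bytes) -> bytes:  # the adversary never sees k, only this
        return enc(k, m)

    m0, m1 = b"attack at dawn!!", b"attack at dusk!!"  # constructed, equal length
    b = rng.randrange(2)
    c = enc_oracle(m1 if b else m0)
    return int(adversary(enc_oracle, m0, m1, c) == b)


def success_rate(enc, adversary, trials: int = 400, seed: int = 7) -> float:
    """Fraction of experiments the adversary wins (seeded, so reproducible)."""
    rng = random.Random(seed)
    wins = sum(ind_cpa_experiment(enc, adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("deterministic scheme, adversary wins:", success_rate(det_enc, compare_adversary))
    print("randomized scheme,   adversary wins:", success_rate(rnd_enc, compare_adversary))
```

Against the deterministic scheme the oracle query reproduces the challenge ciphertext exactly, so the adversary wins every run; against the randomized scheme the same adversary never sees a match and is reduced to guessing, so its measured rate sits near 1/2.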
3
See a proof in Lecture 9: Public Key Encryption of the course CS 276 – Cryptography (Oct 1, 2014) at UC
Berkeley by the instructor Sanjam Garg.
4 Lattice Theory
4.1 Lattice basics
Lattices are useful mathematical tools for connecting different areas of mathematics, computer science
and cryptography. They are widely used in cryptanalysis and for building secure cryptosystems. In this
section, we introduce the basics of lattices in the general setting R^n. In addition, we introduce dual
lattices and some computational lattice problems that are commonly used to achieve provable security of
lattice-based hard problems and cryptosystems. At the end of this section, we sketch Ajtai (1996)'s
polynomial time worst-case-to-average-case reduction, to reinforce our understanding of lattices as well
as to appreciate the great breakthrough in provable security of lattice-based cryptography, even against
quantum computing in some cases. Although we introduce lattices in the most general setting, the
results also hold for special lattices such as the ideal lattices of the ring learning with errors problem.
Intuitively, a lattice is similar to a vector space except that it is a discrete set of points: only integer
combinations of the basis vectors are included, so the lattice points are separated from one another
rather than filling the space as the vectors of a real vector space do. For example, Figure 3 is a lattice
in R^2. More formally, we have the following definition.
Definition 4.1.1 (Lattice). Let v1, ..., vn ∈ R^m be a set of linearly independent vectors. The lattice L
generated by v1, ..., vn is the set of integer linear combinations of v1, ..., vn. That is,
L = {a1 v1 + ··· + an vn | a1, ..., an ∈ Z}.
Here, the difference from vector spaces is that the coefficients in the linear combination are integers.
The integers m and n are the dimension and rank of the lattice respectively. If m = n, then L is a
full-rank lattice. In most cases, we work with full-rank lattices.
It follows from the definition that a lattice is closed under addition. Hence, we can say that an n-
dimensional lattice is a discrete additive subgroup of R^n. It is isomorphic to the additive group Z^n.
That is,
(L, +) ≅ (Z^n, +) ⊊ (R^n, +).
It is often convenient to work with lattices whose coordinates are integers. These are called integer
lattices or integral lattices. For example, the set of even integers forms an integer lattice, but the set
of odd integers does not because it is not closed under addition.
Figure 3: A lattice in R^2 with basis B = {b1, b2} and the fundamental domain F of that basis (shaded grey).
Basis A basis of a lattice L is a set of linearly independent vectors B = {b1 , . . . , bn } that spans the
lattice, that is,
L(B) = {z1 b1 + · · · + zn bn | zi ∈ Z}.
For example, the vectors {b1 , b2 } form a basis of the lattice in Figure 3.
In what follows, we will frequently appeal to properties of a class of matrices known as unimodular
matrices. Unimodular matrices can be used to translate between different lattice bases. They are also
used, sometimes implicitly, when performing important lattice operations such as lattice basis reduction.
Figure 4: The same lattice L with a different basis B' = {b'1, b'2} and its fundamental domain F', where
B' = AB for the unimodular change-of-basis matrix
A = \begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix}.
Definition 4.1.2 (Unimodular matrix). A matrix A ∈ Z^{n×n} is unimodular if it has a multiplicative
inverse in Z^{n×n}. That is, A ∈ Z^{n×n} is unimodular if and only if A^{−1} ∈ Z^{n×n}. Equivalently,
a matrix A ∈ Z^{n×n} is unimodular if and only if |det(A)| = 1.
Similar to a vector space, a lattice does not need to have a unique basis. The following proposition
establishes the fact that one basis can be transformed to another via multiplication by the matrix A
provided that A is a unimodular matrix.
Proposition 4.1.3. If B and B' are two basis matrices, then L(B) = L(B') if and only if B' = AB for
some unimodular matrix A.
Proof. Suppose that B' = AB for some unimodular matrix A. Then, by definition, both A and A^{−1}
have integer entries. Every row of B' = AB is an integer combination of the rows of B, so
L(B') ⊂ L(B); and every row of B = A^{−1}B' is an integer combination of the rows of B', so
L(B) ⊂ L(B'). Now suppose that L(B) = L(B'). Then there exist integer square matrices
A, A' ∈ Z^{n×n} such that B' = AB and B = A'B'. Therefore we have B = A'AB, or equivalently
(I − A'A)B = 0. Because the rows of B are linearly independent, B is invertible, so A'A = I. Taking
determinants gives det(A') · det(A) = 1 with both factors integers, hence |det(A)| = 1 and A is
unimodular.
For example, the vectors {b'1, b'2} in Figure 4 form a different basis for the lattice in Figure 3, with
the relation B' = AB, where the change-of-basis matrix
A = \begin{pmatrix} 1 & 1 \\ 1 & 2 \end{pmatrix}
is unimodular.
An important concept of a lattice is the fundamental domain. It is closely related to the sparsity of a
lattice as can be seen from the following definition.
Definition 4.1.4 (Fundamental domain). Let L be an n-dimensional lattice with a basis {v1, ..., vn}.
The fundamental domain (or fundamental parallelepiped) of L with respect to this basis is the region
F(v1, ..., vn) = {t1 v1 + ··· + tn vn | ti ∈ [0, 1)}.
The lattice L and the given basis in Figure 3 has the fundamental domain coloured in grey. It is the
convex region that is surrounded by the given basis vectors and the nearby lattice points.
Definition 4.1.5 (Determinant). Let L be an n-dimensional lattice with a fundamental domain F. Then
the n-dimensional volume of F is called the determinant of L, denoted by det(L).
Given a basis {v1, ..., vn} of an n-dimensional lattice L, we can write each basis vector
vi = (vi1, ..., vin) as a vector of its coordinates. Then we have a basis matrix whose rows are the basis
vectors,
B = \begin{pmatrix} v_{11} & \cdots & v_{1n} \\ \vdots & \ddots & \vdots \\ v_{n1} & \cdots & v_{nn} \end{pmatrix}. (2)
In cryptography, we are interested in full-rank lattices, whose determinant can be easily calculated using
a basis matrix as stated in the next proposition.
Proposition 4.1.6. If L is an n-dimensional full-rank lattice with a basis {v1 , . . . , vn } and an associated
fundamental domain F = F (v1 , . . . , vn ), then the volume of F (or determinant of L) is equal to the
absolute value of the determinant of the basis matrix B, that is,
det(L) = V ol(F ) = | det B|.
Although the fundamental domain may have a different shape under another choice of a basis, it can
be proved that area (or volume) stays unchanged. This gives rise to the determinant of a lattice which is
an invariant quantity under the choice of a fundamental domain.
Corollary 4.1.7 (Invariant determinant). The determinant of a lattice is invariant under the choice of a
basis for L.
Proof. Let L be a lattice and let B and B 0 be the basis matrices for two different bases for L. There
exists a unimodular matrix A such that B 0 = AB. Consequently, we have
| det(B 0 )| = | det(AB)| = | det(A)| · | det(B)| = | det(B)|.
So, we have | det(L)| = | det(B 0 )| = | det(B)|.
Example 4.1.8. Let L be a 3-dimensional lattice with a basis
{v1 = (2, 1, 3), v2 = (1, 2, 0), v3 = (2, −3, −5)}.
Then a basis matrix is
B = \begin{pmatrix} 2 & 1 & 3 \\ 1 & 2 & 0 \\ 2 & -3 & -5 \end{pmatrix}. (3)
The determinant of the lattice is det(L) = |det(B)| = |−36| = 36.
Geometrically, this also makes sense. By definition, each fundamental domain contains exactly one
lattice vector (in Figure 3 and 4 the origin). Consider fundamental domains that are centered on lattice
points rather than having lattice points at one corner. That is, consider
F̃ (v1 , v2 , . . . , vn ) = {t1 v1 + t2 v2 + . . . + tn vn | ti ∈ [−1/2, 1/2)}.
Take a large ball centered at the origin and notice that, because each fundamental domain contains
exactly one lattice point, the volume of the ball is approximately equal to the number of lattice points in
the ball multiplied by the volume of the fundamental domain. More precisely, we have
\lim_{r \to \infty} \frac{\mathrm{Vol}(B_r(0))}{|B_r(0) \cap L|} = \mathrm{Vol}\big(\tilde{F}(v_1, v_2, \ldots, v_n)\big) = \det(L).
By definition, choosing a different basis doesn’t change the lattice. So, the volume of the fundamental
domain, and therefore the determinant of the lattice, is a property of the lattice and does not depend on
the basis used to represent that lattice.
Two remarks. First, the translates of a fundamental domain by lattice vectors are pairwise disjoint, and
their union covers the whole space spanned by L. Second, since a fundamental domain also covers real
vectors that are not in L, each real vector can be written uniquely as a lattice vector plus a real vector
in the fundamental domain. These are captured in the following proposition. For the proof, see
Proposition 6.18 of Hoffstein et al. (2008).
Proposition 4.1.9. Let L be an n-dimensional lattice in R^n with a fundamental domain F. Then every
vector w ∈ R^n can be written as
w = v + t (4)
for a unique lattice vector v ∈ L and a unique real vector t ∈ F.
Equivalently, the union of the translated fundamental domains covers the span of the lattice basis
vectors, i.e.,
span(L) = ⋃_{v ∈ L} (F + v).
20
A PREPRINT - S EPTEMBER 29, 2022
Another useful interpretation of Equation 4 is that for any vector w ∈ R^n, there is a unique real
vector t ∈ F in the fundamental domain such that w − t ∈ L(B) is a lattice vector. In other words,
given an arbitrary vector w ∈ R^n in the span, we can efficiently reduce it to a vector t ∈ F in the
fundamental domain by taking w modulo the basis (or modulo the fundamental domain, as some
authors say). More precisely, for a basis {v1, ..., vn} of L ⊂ R^n, the basis is also a basis of the
span R^n, so we have w = α1 v1 + ··· + αn vn for coefficients α1, ..., αn ∈ R. Each coefficient can be
written as αi = ai + ti with ai = ⌊αi⌋ ∈ Z and ti ∈ [0, 1). This implies the real vector can be
rewritten as w = (a1 v1 + ··· + an vn) + (t1 v1 + ··· + tn vn) = v + t, where the first pair of
parentheses is a lattice vector v and the second is a real vector t within the fundamental domain. From
this, we can compute t = w − v. Writing the basis vectors as the columns of B, so that the coefficient
vector is α = B^{−1}w, this gives the formula
w mod B = w − B⌊B^{−1}w⌋, (5)
where ⌊·⌋ is applied coordinate-wise. For example, consider the 2-dimensional lattice L ⊂ R^2 with
the basis matrix
B = \begin{pmatrix} 3 & 0 \\ 0 & 2 \end{pmatrix}
and the real vector w = (2, 3).
The shortest vector problem (formally defined in Section 4.3) is to find a shortest non-zero vector
in a given lattice. For a lattice L, λ1(L) denotes the length of such a vector, so λ1(L) is the length
of a solution to the shortest vector problem for that lattice.
The shortest vector problem can be generalized to the problem of finding the i-th successive minimum.
The i-th successive minimum is the minimum length r such that the lattice contains i linearly independent
vectors of length at most r. This can also be defined in terms of the dimension of the space spanned by
the intersection of L with a zero-centered closed ball B̄(0, r) of radius r.
Definition 4.1.11 (Successive minima). Given a lattice L, the i-th successive minimum of L is defined as
λi(L) = min{r | dim(span(L ∩ B̄(0, r))) ≥ i},
where B̄(0, r) = {x ∈ R^n | ||x|| ≤ r} is the closed ball of radius r around 0.
For example, if the lattice is L = Z^n, then all n successive minima are equal to 1: λ1 = ··· = λn = 1.
The length of a shortest vector is the special case i = 1 of the successive minima. We will see the
successive minima again when introducing the shortest independent vectors problem (SIVP), a
generalization of the shortest vector problem, in Section 4.3.
Notice that a set of vectors that achieves the successive minima of a lattice is not necessarily a
basis for that lattice. Consider the following example, which is derived from the work of Korkine and
Zolotareff (1873) and was presented in its current form in Nguyen and Vallée (2010). Let
B = \begin{pmatrix} 2 & 0 & 0 & 0 & 1 \\ 0 & 2 & 0 & 0 & 1 \\ 0 & 0 & 2 & 0 & 1 \\ 0 & 0 & 0 & 2 & 1 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix},
with the basis vectors as the columns of B. Notice that 2e5 ∈ L(B) and that ||v|| ≥ 2 for all
v ∈ L(B) \ {0}: a lattice vector whose last coordinate is odd has all five coordinates odd, and one
whose last coordinate is even has all coordinates even. So λi(L(B)) = 2 for 1 ≤ i ≤ 5. If we let
B̃ = \begin{pmatrix} 2 & 0 & 0 & 0 & 0 \\ 0 & 2 & 0 & 0 & 0 \\ 0 & 0 & 2 & 0 & 0 \\ 0 & 0 & 0 & 2 & 0 \\ 0 & 0 & 0 & 0 & 2 \end{pmatrix},
then we have L(B̃) ⊂ L(B) and det(B̃) = 32. On the other hand, we see that det(B) = 16. Therefore,
B̃ cannot be a basis for L(B); it generates a sublattice of index 32/16 = 2. In fact, it can be shown
that no basis of L(B) realizes all of the successive minima of L(B).
In this subsection, we introduce dual lattices. This is a useful concept that will be used in several
places, such as defining the smoothing parameter for the discrete Gaussian distribution and in the
hardness proof of the ring learning with errors problem. It is important to develop a geometric intuition
of the relationship between a lattice and its dual.
The dual (sometimes also called reciprocal) of a lattice is the set of vectors in the span of the lattice
(e.g., the span is R^n if the lattice is Z^n) whose inner products with all lattice vectors are integers.
Definition 4.2.1 (Dual lattice). Given a full-rank lattice L, its dual lattice is defined as
L* = {y ∈ span(L) | ∀x ∈ L, x · y ∈ Z}.
For example, the dual lattice of Z^n is Z^n and the dual lattice of 2Z^n is ½Z^n, as shown in Figure 6.
An important observation is that the denser a lattice is, the sparser its dual is, and vice versa: more
lattice vectors impose more integrality constraints on the dual. Most importantly, it can be verified that
the dual of a lattice is also a lattice.
Proposition 4.2.2. If L is a lattice then L∗ is a lattice.
Proof. It suffices to show that L∗ is closed under subtraction. That is, to show that if x, y ∈ L∗ then
x − y ∈ L∗ . This follows from the linearity of the inner product. More explicitly, for every z ∈ L we
have (x − y) · z = x · z − y · z. Because x · z ∈ Z and y · z ∈ Z, we have (x − y) · z ∈ Z. The result
then follows from the definition of L∗ .
Figure 5: A lattice L = 2Z^2 (black points) and its dual L* = ½Z^2 (blue points). The basis of L is
B = {b1 = (2, 0), b2 = (0, 2)} and the dual basis of L* is D = {d1 = (½, 0), d2 = (0, ½)}.
Given a lattice L, it is natural to ask if we can find a basis for L∗ . This leads us to define the dual
basis of a lattice.
Definition 4.2.3 (Dual basis). For a lattice L and a basis B = (b1, ..., bn) ∈ R^{m×n}, the dual basis
D = (d1, ..., dn) ∈ R^{m×n} is defined as the unique basis that satisfies
The first condition says both bases span the same vector space. The second condition implies that
bi · dj = δij = 1 if i = j and 0 otherwise. Abusing notation, we use B to denote both the basis of a
lattice and the basis matrix. If L is a full-rank lattice (i.e., m = n), then the basis matrix B is invertible,
so the dual basis matrix can be expressed as D = (B T )−1 = (B −1 )T .
Proposition 4.2.4. If L is a lattice with basis B, then the dual basis is a basis for L∗ .
Proof. This follows immediately from the definition of the dual lattice and the linearity of the inner
product.
Having established that the dual of a lattice is itself a lattice, we can ask what we get if we repeat the
process and compute the dual of the dual lattice.
Proposition 4.2.5. For any lattice L, we have (L∗ )∗ = L.
Proof. If B is a basis for a full-rank lattice L, then a dual basis is D = (B T )−1 . Then the dual basis
of D is (DT )−1 that is equal to B. The same argument works for rank-deficient lattices, but with slight
variation because their bases are non-square matrices.
Proposition 4.2.6. For any lattice L, we have det(L*) = 1/det(L).
Although a lattice and its dual are both lattices, they are fundamentally different objects. The dual
of a lattice can be thought as functions that are applied to the lattice such that the inner products of the
lattice vectors and each dual vector are integers.
Here is a geometric interpretation of a lattice and its dual. For each lattice vector v, its inner products
with the dual vectors are integers, and different dual vectors may give different integers. So v partitions
the dual lattice into parallel non-overlapping hyperplanes perpendicular to v, one for each value of
the inner product: the hyperplane {y | v · y = k} for each integer k. Elements in the same hyperplane
have the same inner product with the lattice vector v, so they form an equivalence class. Alternatively,
we can say v partitions the dual lattice into a set of equivalence classes. Figure 6 gives two examples of
how a lattice vector v ∈ L = 2Z^2 partitions the dual lattice L* = ½Z^2. In addition, the distance
between two neighbouring hyperplanes is the inverse of the vector length, 1/||v||.
Example 4.2.7. When L = 2Z and L* = ½Z, the dual vector v = ½ partitions L into |2Z| hyperplanes
(single points, in dimension one), each containing exactly one element of L, and neighbouring
hyperplanes are distance 1/||v|| = 2 apart.
When L = 2Z^2 and L* = ½Z^2, the vector v = (2, 0) partitions the dual lattice into hyperplanes
as shown in Figure 6a, where the hyperplanes are the vertical lines perpendicular to the lattice
vector v. The distance between neighbouring hyperplanes is 1/||v|| = 1/2, so the dual is denser than
L. If v = (2, 2), the dual is partitioned into hyperplanes as shown in Figure 6b. The distance between
neighbouring hyperplanes is 1/||v|| = 1/(2√2).
Having briefly introduced lattices and some related concepts, we are ready to define some computational
lattice problems in this subsection. The two best known are the shortest vector problem and the
closest vector problem. These two are search problems, because the aim is to find a shortest or closest
lattice vector. Few cryptosystems, however, are based on these two problems directly. Instead, most
cryptosystems are based on their decision versions or relaxed approximation variants. Below, we state
the two well known lattice problems and some variants.
Figure 6: For a given lattice vector v ∈ L = 2Z^2, the dual lattice L* = ½Z^2 can be partitioned into
parallel non-overlapping hyperplanes (lines) perpendicular to v. Elements in the same hyperplane have
the same dot product with v, so they form an equivalence class. (a) The partition for the lattice vector
v = (2, 0); the hyperplanes are vertical lines. (b) The partition for the lattice vector v = (2, 2).
SVP is hard to solve in high-dimensional lattices. An important variant of SVP is finding a set of
short linearly independent lattice vectors, as stated below.
A special case of CVP is the bounded distance decoding (BDD) problem, which is used in the hardness
proof of the learning with errors problem (Regev, 2009). The name reflects that the problem is to
"decode" a given vector in R^n. The extra condition that makes it a special case of CVP is that the given
non-lattice vector is within a bounded distance of the lattice.
An alternative way of defining BDD is to find the lattice vector x ∈ L given the instance y =
x + e ∈ R^n, where e is often interpreted as noise with norm ||e|| ≤ α λ1(L).
As discussed in Section 2.2, knowing c-gap problems are hard implies the corresponding c-
approximate problems are also hard. But c-approximations are often used to prove some problems
are hard to solve (e.g., SIS) because it is relatively easier to build reductions from them. Below we state
the gap/approximate variants of the standard lattice problems. Let γ(n) : N → N be a gap function in
the input size such that γ(n) ≥ 1, for example γ(n) is a polynomial of n.
Figure 7: Reductions to the SIS problem from hard lattice problems (SVPγ, USVPγ and SBPγ): SVPγ
and USVPγ reduce to SBPγ, which reduces to the intermediate lattice problem, the γ-approximation of
the shortest independent vectors problem (SIVPγ), which in turn reduces to SIS.
To finish off this section, we present a high level overview of Ajtai's worst-case to average-case
reduction. As briefly explained in Section 2.3, such a reduction allows one to build cryptosystems
based on an average-case hard problem, so that users can rest assured that their random encryption
instances are secure with high confidence.
Ajtai's proof is based on three well-studied lattice problems, SVPγ, USVPγ and SBPγ. The second
problem is a variant of SVP that finds the unique shortest non-zero vector in the lattice L(B), i.e.,
find the non-zero vector v ∈ L(B) such that ||v|| = λ1(L(B)) and such that if w ∈ L(B) satisfies
||w|| ≤ n^c ||v|| then w is parallel to v. The third problem is to find a shortest basis {b1, ..., bn} of a
given lattice, where the length of a basis is defined as max_{i=1}^n ||bi||. All three problems are used in
their gap (or approximation) versions.
The average-case hard problem constructed by Ajtai is known as the short integer solution (SIS)
problem. Let ai ∈ Z_q^n be a length-n vector with entries taken uniformly from Z_q. Let A = [a1 | ··· |
am] be the n × m matrix whose columns are the m random vectors ai. (Typically m > n, so the columns
cannot be linearly independent over Z_q; the hardness comes from the norm bound below, not from the
linear algebra.) The SIS problem is to find a non-zero vector x ∈ Z^m such that
• ||x|| ≤ β and
• Ax = 0 ∈ Z_q^n, i.e., x1 a1 + ··· + xm am = 0 mod q.
Notice that the norm bound exists to ensure the problem is not easily solvable by, for example, Gaussian
elimination. It must satisfy β < q to exclude the trivial solution x = (q, 0, ..., 0). Moreover, β and m
must be large enough to allow a solution to exist. A sufficient condition guaranteeing a solution is
given in the subsequent work of Micciancio and Regev (2007). See Section 4 of Peikert (2016) for more
detailed insights.
Lemma 4.4.1 (Lemma 5.2 of Micciancio and Regev (2007)). For any q, A and β ≥ √m · q^{n/m}, the SIS
instance (q, A, β) admits a solution.
Proof. The proof uses the pigeonhole principle. Consider all vectors x = (x1, ..., xm) with each
xi ∈ {0, 1, ..., ⌊q^{n/m}⌋}. There are (⌊q^{n/m}⌋ + 1)^m > (q^{n/m})^m = q^n such vectors, more than the
size of the codomain Z_q^n of the map x ↦ Ax mod q. Hence, there must exist two distinct vectors x1
and x2 of this form such that Ax1 = Ax2 mod q. This entails Ax' = 0 mod q for x' = x1 − x2 ≠ 0.
Each coordinate of x' is at most q^{n/m} in absolute value, so its norm satisfies
||x'|| ≤ √(m · q^{2n/m}) = √m · q^{n/m}.
Hence there always exists a solution of at most this norm.
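The following Python program is an added illustration of the SIS problem and of the pigeonhole argument of Lemma 4.4.1; it is not code from the tutorial. It builds a small random instance A over Z_q (the parameters n = 2, m = 6, q = 5 and the seeded random generator are assumptions), enumerates the vectors in {0, ..., ⌊q^{n/m}⌋}^m until two of them collide under x ↦ Ax mod q, and returns their difference as a solution within the bound β = √m · q^{n/m}. It also shows why the text insists on β < q: with β = q the trivial vector (q, 0, ..., 0) would pass as a solution.

```python
"""Short integer solution (SIS) on toy parameters, with the pigeonhole argument
of Lemma 4.4.1 made constructive (added illustration, not the tutorial's code;
the parameters and the seeded random A are assumptions). With t = floor(q^(n/m))
there are (t+1)^m > q^n vectors in {0,...,t}^m, more than the q^n possible
values of A x mod q, so two of them collide and their difference is a non-zero
x' with A x' = 0 mod q and ||x'|| <= sqrt(m) * q^(n/m)."""
import random
from itertools import product
from math import floor, sqrt


def sis_instance(n, m, q, seed=1):
    """A uniformly random n x m matrix over Z_q (seeded so runs are reproducible)."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def matvec_mod(A, x, q):
    """A x mod q as a tuple of n residues."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def norm(x):
    return sqrt(sum(v * v for v in x))


def norm_bound(n, m, q):
    """The beta of Lemma 4.4.1 that guarantees a solution: sqrt(m) * q^(n/m)."""
    return sqrt(m) * q ** (n / m)


def is_sis_solution(A, x, q, beta):
    """Non-zero integer x with A x = 0 mod q and ||x|| <= beta."""
    return any(x) and matvec_mod(A, x, q) == (0,) * len(A) and norm(x) <= beta


def solve_sis_pigeonhole(A, q):
    """Walk through {0,...,t}^m until two vectors share A x mod q; return their
    difference. Exponential in m, so a proof of existence, not an attack."""
    n, m = len(A), len(A[0])
    t = floor(q ** (n / m))
    seen = {}
    for x in product(range(t + 1), repeat=m):
        y = matvec_mod(A, x, q)
        if y in seen:
            return [a - b for a, b in zip(x, seen[y])]
        seen[y] = x
    raise RuntimeError("unreachable: (t+1)^m > q^n forces a collision")


if __name__ == "__main__":
    n, m, q = 2, 6, 5  # assumed toy parameters
    A = sis_instance(n, m, q)
    x = solve_sis_pigeonhole(A, q)
    beta = norm_bound(n, m, q)
    print("A x mod q =", matvec_mod(A, x, q), "; x =", x, "; ||x|| =", round(norm(x), 3))
    print("valid for beta =", round(beta, 3), ":", is_sis_solution(A, x, q, beta))
    # The trivial x = (q, 0, ..., 0) only counts when beta >= q, which is why beta < q.
    trivial = [q] + [0] * (m - 1)
    print("trivial solution accepted with beta < q:", is_sis_solution(A, trivial, q, beta))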
The structure of the reduction is shown in Figure 7. The essential part of the proof is a polynomial-
time reduction from the lattice problem SBPγ to SIS. The other two lattice problems can be reduced to
SBPγ (see Ajtai (1996), Appendix).
To simplify the reduction, note SBPγ is related to SIVPγ because given a set of linearly independent
lattice vectors r1, ..., rn ∈ L, a basis {s1, ..., sn} of L can be constructed in polynomial time such
that max_{i=1}^n ||si|| ≤ n · max_{i=1}^n ||ri||. Hence, the task becomes reducing the lattice problem SIVPγ to
SIS, where the approximation factor γ = n^{c3 − 1} is polynomial in n. This is also a well accepted hard
lattice problem (Micciancio and Regev, 2009).
SIVPγ to SIS. The reduction starts by assuming there is a probabilistic polynomial time (PPT) algorithm A
that solves SIS with non-negligible probability.⁴ The next step is to transform a hard SIVPγ instance into
a random SIS instance and show that if such an SIS solver A exists, it gives rise to a PPT algorithm B
that solves SIVPγ for a polynomial factor. This solution then transforms into a solution for SBPγ, as
well as for SVPγ and USVPγ.
For simplicity, denote M = max_i ||ai|| and bl(L) the length of a shortest basis. The key to
guaranteeing M < n^{c3 − 1} bl(L) is to iteratively shorten the longer vectors by half, to length at most
M/2. Repeating this step at most log2 M times, we get vectors of the desired length. Each iteration of
this process is as follows:
1. Construct a near-cubical parallelepiped: Starting from the lattice vectors a1, ..., an, construct
other lattice vectors f1, ..., fn that are nearly pairwise orthogonal and of similar length, subject to the
constraint max_{i=1}^n ||fi|| ≤ n^3 M. The reason is to form a parallelepiped W = P(f1, ..., fn) that is
almost a hypercube, as shown for a 2-dimensional lattice in Figure 8. This step was proved in Lemma 3
of Ajtai (1996).
2. Induce a near-uniform SIS instance: We then evenly cut W into q^n small non-overlapping
parallelepipeds of the form
w_j = \Big(\sum_{i=1}^{n} \frac{t_i^j}{q} f_i\Big) + \frac{1}{q} W, where t_i^j ∈ [0, q) is an integer.
Now sample m random lattice vectors from L, then reduce them modulo W to ensure they are within
the bigger parallelepiped. Denote these reduced vectors by ξ1, ..., ξm. If ξk lies in the smaller
parallelepiped w_j, then take (t_1^j, ..., t_n^j) as the k-th column of a matrix A. The claim is that each of
the w_j's is selected with almost equal probability, so we obtain a random n × m matrix A. The key
intuition is that for a short basis of L, if W intersects a translate of the fundamental domain formed by
the short basis, then W contains a large proportion of that translated fundamental domain. This property
remains true for an arbitrary translation and scaling of W of the form u + (1/q)W for a vector u ∈ R^n.
With this property, if W is cut evenly into small non-overlapping regions, then random lattice vectors
within W induce a near-uniform distribution over the pieces w_j. This implies that the matrix A is a
random instance of SIS. This step was proved in Lemma 8 of Ajtai (1996).
3. Halve the vector length: Now give the matrix A to the PPT algorithm A to obtain an SIS solution
(h1, ..., hm) ∈ Z^m. It remains to prove that the vector u = \sum_{i=1}^{m} h_i ξ_i is non-zero and only
half the size of the starting vectors, i.e., ||u|| ≤ M/2. This step was proved in Lemma 13 of Ajtai (1996).
In order to motivate subsequent works inspired by SIS, we make two remarks about the above
reduction. First, the polynomial approximation factors in the lattice problems are large enough to raise
a minor security concern for SIS-based encryption schemes, because the larger the factor is, the easier
the problems could be. As analysed in Cai and Nerurkar (1997), a typical factor size is larger than $n^8$.
In a following section, we will introdu ce the discrete Gaussian technique to reduce these factors down
to $\tilde O(n)$ in the SIS hardness proof. Second, the public key size required by an SIS-based cryptosystem is
$\tilde O(n^4)$, which is quite inefficient for practical purposes. This will be dramatically improved by developing
different average-case problems, as we will see in the learning with errors and ring learning with errors
problems.

⁴ Ajtai related SIS with finding a short vector in a q-ary lattice $L_q^\perp(A) = \{x \mid Ax = 0 \bmod q\}$. His reduction
starts with assuming $\mathcal{A}$ is a PPT algorithm to find a short lattice vector in a given $L_q^\perp(A)$. For the purpose of
sketching the main steps of the proof, it is not necessary to relate SIS with the q-ary lattice problem.

Figure 8: In a lattice $L = \mathbb{Z}^2$, the near cubic parallelepiped $W$ formed by the large independent vectors
$\{f_1, f_2\}$. It is divided into $q^2$ smaller pieces, each of which is hit with equal probability by random
lattice vectors reduced within $W$.
SIS has been used as the foundation of one-way functions and hash functions (Lyubashevsky et al.,
2010).
A hash function maps inputs of arbitrary length and compresses them into short fixed-length outputs
known as digests.
Definition 4.5.1 (Hash function). A (keyed) hash function with output length $l$ is a pair of probabilistic polynomial-time
algorithms $(\mathrm{Gen}, H)$ satisfying the following:
• The algorithm $\mathrm{Gen}(1^n) \to s$ generates a key $s$ from the security parameter $1^n$.
• For a string $x \in \{0, 1\}^*$ of arbitrary length, the algorithm $H$ outputs a string $H^s(x) \in \{0, 1\}^{l(n)}$.
Hash functions are mainly of interest when the outputs are shorter than the inputs, for
both computational and storage efficiency. In such a case, a hash function's domain is larger than its
range, which implies the possibility of two distinct inputs being mapped to the same output. We
often say that the two distinct inputs collide, and the scenario is called a collision.
For a hash function $\Pi = (\mathrm{Gen}, H)$, an adversary $\mathcal{A}$ and the security parameter $n$, we can define the
collision-finding experiment $\mathrm{Hash\text{-}coll}_{\mathcal{A},\Pi}(n)$ as:
1. Run the algorithm $\mathrm{Gen}(1^n) \to s$.
2. The adversary $\mathcal{A}$ is given the key $s$.
3. The adversary produces two strings $x$ and $x'$.
4. $\mathrm{Hash\text{-}coll}_{\mathcal{A},\Pi}(n) = 1$ if $x \ne x'$ and $H^s(x) = H^s(x')$, and $0$ otherwise.
A cryptographic hash function requires that the chance of finding a collision be negligible, which is
defined more formally as follows.
Definition 4.5.2 (Collision resistant). A hash function $\Pi = (\mathrm{Gen}, H)$ is collision resistant if for any probabilistic
polynomial time adversary $\mathcal{A}$, it satisfies
$$\Pr[\mathrm{Hash\text{-}coll}_{\mathcal{A},\Pi}(n) = 1] \le \mathrm{negl}(n).$$
From Ajtai's SIS problem and the worst-case-to-average-case reduction, one can easily build a collision
resistant hash function where the key is the matrix $A \in \mathbb{Z}_q^{n \times m}$ and the hash function is given by
$$f_A : \{0, \ldots, d-1\}^m \to \mathbb{Z}_q^n, \qquad f_A(x) = Ax \bmod q.$$
If there is a collision $f_A(x) = f_A(x')$ between distinct inputs $x$ and $x'$, then $A(x - x') = 0$ and
$x - x' \in L_q^\perp(A)$. Furthermore, because each element of $x - x'$ is in the set $\{-1, 0, 1\}$, we see that
$x - x'$ is a short vector. Hence, an efficient algorithm that produces collisions for this hash function
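As an added worked example (not code from the paper), the following Python instantiates $f_A$ with constructed toy parameters, finds a collision by exhaustively enumerating the tiny input space, and checks that $x - x'$ is a short non-zero vector of $L_q^\perp(A)$, i.e. an SIS solution. The parameter values, the seed and all function names are assumptions; $d = 2$ is chosen so that the difference has entries in $\{-1, 0, 1\}$ as in the text.

```python
import itertools
import random
from typing import Dict, List, Optional, Tuple

# Constructed toy parameters (not from the paper): n rows, m columns, modulus q, input alphabet {0, ..., d-1}.
# Since d^m = 64 > q^n = 25, the pigeonhole principle guarantees that a collision exists.
N, M, Q, D = 2, 6, 5, 2

Matrix = List[List[int]]
Digest = Tuple[int, ...]


def keygen(n: int, m: int, q: int, seed: int) -> Matrix:
    """Gen: the key is a uniformly random n x m matrix A over Z_q."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]


def hash_sis(A: Matrix, x: List[int], q: int) -> Digest:
    """f_A(x) = A x mod q (Python's % keeps every coordinate in [0, q), also for negative inputs)."""
    return tuple(sum(a_ij * x_j for a_ij, x_j in zip(row, x)) % q for row in A)


def find_collision(A: Matrix, q: int, m: int, d: int) -> Optional[Tuple[List[int], List[int]]]:
    """Hash every x in {0, ..., d-1}^m until two distinct inputs share a digest.
    Feasible only because the toy parameters are tiny; it exists to exhibit the reduction below."""
    seen: Dict[Digest, List[int]] = {}
    for x_tuple in itertools.product(range(d), repeat=m):
        x = list(x_tuple)
        digest = hash_sis(A, x, q)
        if digest in seen:
            return seen[digest], x
        seen[digest] = x
    return None


def collision_to_sis_solution(A: Matrix, x1: List[int], x2: List[int], q: int, d: int):
    """A collision (x1, x2) yields z = x1 - x2 with A z = 0 mod q, i.e. z in L_q^perp(A), and
    |z_i| <= d - 1, so z is a short non-zero SIS solution (norm bound beta = (d - 1) sqrt(m))."""
    z = [u - w for u, w in zip(x1, x2)]
    in_kernel = all(c == 0 for c in hash_sis(A, z, q))
    short_nonzero = all(abs(c) <= d - 1 for c in z) and any(c != 0 for c in z)
    return z, in_kernel, short_nonzero


if __name__ == "__main__":
    A = keygen(N, M, Q, seed=1)
    x1, x2 = find_collision(A, Q, M, D)
    z, in_kernel, short_nonzero = collision_to_sis_solution(A, x1, x2, Q, D)
    print("collision:", x1, x2, "-> SIS solution", z, in_kernel, short_nonzero)
```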
We start by reviewing some terms and intuitions about the better-understood continuous Gaussian distribution.
A Gaussian function is a continuous function of the form
$$f(x) = a \cdot \exp\left(-\frac{(x - c)^2}{2\sigma^2}\right).$$
The most common Gaussian function is the probability density function (PDF) of the Gaussian distribution.
For simplicity, we work with the case when $a = 1$, so we can define the Gaussian measure in $\mathbb{R}$ as
$$\rho_{\sigma,c}(x) = \exp\left(-\frac{(x - c)^2}{2\sigma^2}\right).$$
Another algebraic expression of the Gaussian measure uses a scale parameter $s = \sqrt{2\pi}\,\sigma$. Substituting
for $\sigma$ in the above equation and generalizing the Gaussian measure to the higher dimensional space $\mathbb{R}^n$,
we get
$$\rho_{s,c}(x) = \exp\left(-\frac{\pi \|x - c\|^2}{s^2}\right). \tag{6}$$
Integrating the measure over $\mathbb{R}^n$, the total measure is⁵
$$\int_{x \in \mathbb{R}^n} \rho_{s,c}(x)\, dx = s^n,$$
hence we can define the $n$-dimensional (continuous) Gaussian probability density function (Gaussian PDF) as
$$D_{s,c}(x) = \frac{\rho_{s,c}(x)}{s^n}. \tag{7}$$
This is the $n$-dimensional Gaussian PDF that we know from probability theory, but presented in a non-standard way.
Equation (6) and Equation (7) would still make sense if $x$ is a non-continuous lattice vector. Since a
lattice $L$ is a countable set, the total Gaussian measure over $L$ and the "discretized" density function are
$$\rho_{s,c}(L) = \sum_{x \in L} \rho_{s,c}(x), \qquad D_{s,c}(L) = \frac{\rho_{s,c}(L)}{s^n}.$$
Hence, we can define the discrete Gaussian distribution over the lattice $L$ for all lattice vectors $x \in L$ as
$$D_{L,s,c}(x) = \frac{D_{s,c}(x)}{D_{s,c}(L)} = \frac{\rho_{s,c}(x)}{\rho_{s,c}(L)}.$$
The discrete Gaussian distribution is commonly used nowadays to introduce randomness in the proofs
of lattice problems and lattice-based cryptosystems. Unlike a uniform distribution over a space (e.g.,
the way uniformity was proved in Ajtai's $\mathrm{SIVP}_\gamma$ to SIS reduction), a Gaussian distribution does not have
sharp boundaries, which is useful when smoothing a distribution over a space. More precisely, given
a Gaussian distribution $\rho_{s,c}$ whose center is a lattice point (i.e., $c \in L$), if random samples from
this distribution are taken modulo the lattice fundamental domain, the resulting samples will induce a
distribution within the fundamental domain. Whether or not such a distribution is close to the uniform
distribution depends on the scale $s$ of the Gaussian distribution. Obviously, the larger $s$ is, the closer the
induced distribution is to uniform.

⁵ The total measure is not 1 because the coefficient $a$ in the Gaussian function is ignored.
To give a quantitative threshold on how large $s$ needs to be, Micciancio and Regev introduced the
smoothing parameter. As the name suggests, the purpose of this parameter is to measure the minimum
Gaussian noise magnitude, so that if the noise is added to a lattice $\mathbb{Z}^n$, the lattice is "blurred" into almost a
uniform distribution over $\mathbb{R}^n$ (formally stated in Lemma 5.1.4). For the rest of this section, we assume
$\varepsilon(n) > 0$ (or just $\varepsilon > 0$ if the context is clear) is a negligible function of the space dimension $n$.
Definition 5.1.1 (Smoothing parameter). The smoothing parameter of an $n$-dimensional lattice $L$, denoted $\eta_\varepsilon(L)$, is the smallest
scale $s$ such that the Gaussian measure gives almost all weight to the origin in the dual lattice, that
is, $\rho_{1/s}(L^* \setminus \{0\}) \le \varepsilon$.
The parameter is defined in terms of the dual lattice. A possible reason is that the dual lattice also
appears in the Poisson summation formula (Lemma 2.8 of Micciancio and Regev (2007)), which is a key tool
to prove some properties of the discrete Gaussian distribution, for example, Lemma 5.1.4.
Next, we relate the smoothing parameter to two standard lattice quantities. These relations tie the
smoothing parameter, and hence the discrete Gaussian, to lattice problems and lattice-based cryptosystems.
The proofs of these lemmas can be found in the reference paper.
Lemma 5.1.2 (Relation to $\lambda_1(L^*)$; Lemma 3.2 of Micciancio and Regev (2007)). The smoothing parameter of an $n$-dimensional
lattice $L$ satisfies $\eta_\varepsilon(L) \le \sqrt{n}/\lambda_1(L^*)$, where $\varepsilon = 2^{-n}$.
The key to proving this lemma is to assume the discrete Gaussian scale satisfies $s > \sqrt{n}/\lambda_1(L^*)$, so
that removing a closed ball of radius $\sqrt{n}/s$ from the dual lattice is the same as removing only the zero vector,
that is, $L^* \setminus (\sqrt{n}/s)\mathcal{B} = L^* \setminus \{0\}$. This assumption on the scale also inversely relates the smoothing
parameter to the shortest vector in the dual lattice as stated in the lemma. The factor $\sqrt{n}$ comes from
Equation (5) in Lemma 2.10 of Micciancio and Regev (2007).
To intuitively understand the inverse relation between $\eta_\varepsilon(L)$ and $\lambda_1(L^*)$, the definition of the smoothing
parameter suggests that the parameter is to give almost all weight to the lattice origin, so the longer
the dual's shortest vector is, the smaller $\eta_\varepsilon(L)$ needs to be. This also connects $\eta_\varepsilon(L)$ with the shortest
vector in the original lattice $L$: since $\lambda_1(L)$ is in an inverse relation with $\lambda_1(L^*)$, the smoothing
parameter is related to $\lambda_1(L)$.
Lemma 5.1.3 (Relation to $\lambda_n(L)$; Lemma 3.3 of Micciancio and Regev (2007)). The smoothing parameter of an $n$-dimensional
lattice $L$ satisfies
$$\eta_\varepsilon(L) \le \sqrt{\frac{\ln(2n(1 + 1/\varepsilon))}{\pi}} \cdot \lambda_n(L).$$
We finish this subsection by stating two key properties of the discrete Gaussian distribution. These
properties make the discrete Gaussian extremely useful when proving the hardness of lattice-based problems
and building lattice-based cryptosystems.
Recall that any vector $t \in \mathbb{R}^n$ in the span of a lattice $L$ is uniquely identified by a lattice vector
$v$ and a (translation of a) vector $w \in F$ in the lattice fundamental domain $F$. This gives rise to a way of
reducing an arbitrary vector in $\mathbb{R}^n$ to a vector within $F$ by taking $w = t \bmod F$, the vector reduced modulo the
fundamental domain. The next lemma addresses the near uniformity of the distribution over $F$ induced
by applying this modulo operation.
Lemma 5.1.4 (Near uniformity; Lemma 4.1 of Micciancio and Regev (2007)). Let $L$ be an $n$-dimensional lattice and $D_{s,c}$
be a Gaussian distribution with arbitrary scale $s \ge \eta_\varepsilon(L)$ and center $c \in \mathbb{R}^n$. Then the statistical distance
between $D_{s,c} \bmod F$ and a uniform distribution $U(F)$ over the fundamental domain $F$ is
$$\Delta(D_{s,c} \bmod F,\; U(F)) \le \frac{\varepsilon}{2}.$$
The uniform distribution over $F$ has PDF $U(F) = 1/\mathrm{vol}(F) = \det(L^*)$, so the proof in Micciancio
and Regev (2007) employs the Poisson summation formula to rewrite the discrete Gaussian in terms
of $\det(L^*)$ too, so that this term cancels when computing the statistical distance. As discussed
before, this lemma motivates the definition of the smoothing parameter, which is a useful criterion when
drawing uniform samples in the fundamental domain from a discrete Gaussian distribution.
The next lemma proves that the discrete and continuous Gaussian distributions share similar characteristics
when the scale of the discrete Gaussian is sufficiently large.
Lemma 5.1.5 (Similar to continuous Gaussian; Lemma 4.3 of Micciancio and Regev (2007)). Let $D_{L,s,c}$ be a discrete Gaussian
distribution over an $n$-dimensional lattice $L$ with arbitrary scale $s \ge 2\eta_\varepsilon(L)$ and center $c \in \mathbb{R}^n$. For
$0 < \varepsilon < 1$, the following are satisfied:
$$\left\| \mathbb{E}_{x \sim D_{L,s,c}}[x - c] \right\|^2 \le \left(\frac{\varepsilon}{1 - \varepsilon}\right)^2 s^2 n,$$
$$\mathbb{E}_{x \sim D_{L,s,c}}\left[ \|x - c\|^2 \right] \le \left(\frac{1}{2\pi} + \frac{\varepsilon}{1 - \varepsilon}\right) s^2 n.$$
In this subsection, we revisit the hardness proof of Ajtai's short integer solution (SIS) problem, but use
the discrete Gaussian tool as an important technique to reduce the gaps of the hard lattice problems.
Recall that SIS is parameterized by a modulus $q$, the number of linearly independent vectors $m$ and a
norm bound $\beta$. These parameters are often considered as functions of the security parameter $n$. The
purpose of SIS is to find a short integer vector $x \in \mathbb{Z}^m$ such that
• $\|x\| \le \beta$ and
• $Ax = 0 \in \mathbb{Z}_q^n$ for an arbitrary integer matrix $A \in \mathbb{Z}_q^{n \times m}$.
As stated in Lemma 4.4.1 and Lemma 5.2 in Micciancio and Regev (2007), the norm bound of $x$ needs
to satisfy $\beta(n) \ge \sqrt{m}\, q^{n/m}$ in order to guarantee an SIS solution.
The overall proof strategy in Micciancio and Regev is similar to Ajtai's: it introduces an intermediate
lattice problem, incremental guaranteed distance decoding, for a simple reduction to SIS. The
standard lattice problems can be reduced to this intermediate problem, but this is not covered in this section
because the focus is the discrete Gaussian sampling technique. This intermediate problem differs from
the bounded distance decoding (BDD) problem (Section 4) in the sense that it finds a lattice vector
within a bounded distance to the target, not necessarily the closest to the target, which in BDD is given
close to the lattice.
Definition 5.2.1. Given a basis $B$ of an $n$-dimensional lattice $L$, a set of linearly independent lattice
vectors $S \subseteq L$, a target vector $t \in \mathbb{R}^n$ and a real $r > \gamma(n)\lambda_n(B)$, the incremental guaranteed distance
decoding (INCGDD) problem outputs a lattice vector $v \in L$ such that $\|v - t\| \le (\|S\|/g) + r$.
The norm $\|S\|$ of the set is the length of the longest lattice vector in $S$. The additional parameter
$r$ is needed to guarantee that a solution exists for certain settings of $S$ and $g$, as illustrated by the example
in Micciancio and Regev (2007). If $S$ is the basis of $\mathbb{Z}^n$ and $g = 4$, there is no solution $v$ to the target
$t = (1/2, \ldots, 1/2)$ satisfying $\|v - t\| \le \|S\|/g = 1/4$, since the closest lattice vector is at distance
$\sqrt{n}/2$. Hence, if $\gamma(n) = \sqrt{n}/2$ and $\phi(B) = \lambda_n(B)$, then $r > \sqrt{n}/2 \cdot \lambda_n(B) = \sqrt{n}/2$ and this guarantees
a solution $v$ for which the distance bound $1/4 + \sqrt{n}/2$ is met. Unless otherwise mentioned, the rest of this
section assumes $\phi(B) = \lambda_n(B)$.
Recall $P(B)$ is the fundamental domain (or parallelepiped) of the lattice $L(B)$. This is generalized
to the half-open parallelepiped $P(S) = \{\sum_{i=1}^n x_i s_i \mid x_i \in [0, 1)\}$ generated by the set of linearly
independent vectors $S = \{s_1, \ldots, s_n\}$.
The next lemma presents a sampling technique to produce uniformly random vectors within a lattice's
fundamental domain as well as Gaussian lattice vectors. This sampling procedure is the core
technique to reduce INCGDD to SIS, as shall be seen later. The intuition of this sampling technique
is really simple. It is based on the observation that every vector in $\mathbb{R}^n$ can be uniquely identified by
a lattice vector plus a small "noise" vector in the shifted fundamental domain. Hence, we generate a
Gaussian sample in $\mathbb{R}^n$, then split it into the "noise" vector and the lattice vector. The former is almost
uniformly distributed in the fundamental domain and the latter follows a discrete Gaussian whose
center is shifted by the "noise" vector.
Lemma 5.2.2 (Lemma 5.7 of Micciancio and Regev (2007)). Given an $n$-dimensional lattice $L(B)$, a
vector $t \in \mathbb{R}^n$ and a scale $s \ge \eta_\varepsilon(L)$ for some $\varepsilon > 0$, there is a PPT sampling algorithm $\mathcal{S}(B, t, s)$ that
outputs a pair $(c, y) \in P(B) \times L(B)$ such that
• $c$ is nearly (with statistical distance at most $\varepsilon/2$) uniformly distributed over $P(B)$,
• for any vector $\hat c \in P(B)$, conditioned on $c = \hat c$, $y \sim D_{L,s,t+\hat c}$.
Proof. The sampling procedure S simply generates a continuous Gaussian sample r ← Ds,t . This
sample is then reduced to within the fundamental domain by c = −r mod P (B). Since the Gaussian
scale is at least as large as the smoothing parameter, it implies that this sample is nearly uniformly
random by Lemma 5.1.4.
Let y = r + c. Since c = −r mod P (B), it implies r = v − c, where v ∈ L(B) is a lattice vector.
Hence, y is a lattice vector. For any ĉ ∈ P (B), the new sample r + ĉ ∼ Ds,t+ĉ is still Gaussian with a
shifted center. Since y = r + c, the condition c = ĉ is the same as saying y = r + ĉ is a lattice vector.
Therefore, the distribution of y conditioning on y being a lattice vector (equivalently c = ĉ) is just the
discrete Gaussian distribution DL,s,t+ĉ .
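As an added example (not the paper's code) serving both Lemma 5.1.4 and Lemma 5.2.2, the Python below implements the sampler $\mathcal{S}(B, t, s)$ for a constructed 2-dimensional lattice: it draws $r \leftarrow D_{s,t}$, sets $c = -r \bmod P(B)$ and $y = r + c$, checks that $y$ always lands in $L(B)$, and estimates the statistical distance between the law of $c$ and $U(P(B))$ by binning, once for a scale above the smoothing parameter and once far below it. The basis, scales, sample count, grid size and function names are assumptions.

```python
import math
import random
from typing import List, Tuple

Vec = Tuple[float, float]
Mat = List[List[float]]

# Constructed 2-D lattice L(B) (not from the paper) with basis columns b1 = (2, 0) and b2 = (1, 3).
B: Mat = [[2.0, 1.0],
          [0.0, 3.0]]


def mat_vec(M: Mat, v: Vec) -> Vec:
    return (M[0][0] * v[0] + M[0][1] * v[1], M[1][0] * v[0] + M[1][1] * v[1])


def inverse_2x2(M: Mat) -> Mat:
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    return [[M[1][1] / det, -M[0][1] / det], [-M[1][0] / det, M[0][0] / det]]


def reduce_mod_parallelepiped(basis: Mat, v: Vec) -> Vec:
    """v mod P(B): write v = B u and keep only the fractional part of u, so the result lies in P(B)."""
    u = mat_vec(inverse_2x2(basis), v)
    frac = (u[0] - math.floor(u[0]), u[1] - math.floor(u[1]))
    return mat_vec(basis, frac)


def continuous_gaussian(rng: random.Random, s: float, t: Vec) -> Vec:
    """r <- D_{s,t}: density proportional to exp(-pi ||x - t||^2 / s^2), i.e. per-coordinate std s / sqrt(2 pi)."""
    sigma = s / math.sqrt(2.0 * math.pi)
    return (rng.gauss(t[0], sigma), rng.gauss(t[1], sigma))


def sampler_S(rng: random.Random, basis: Mat, t: Vec, s: float) -> Tuple[Vec, Vec]:
    """The procedure S(B, t, s) of Lemma 5.2.2: c = -r mod P(B) and y = r + c."""
    r = continuous_gaussian(rng, s, t)
    c = reduce_mod_parallelepiped(basis, (-r[0], -r[1]))
    y = (r[0] + c[0], r[1] + c[1])
    return c, y


def is_lattice_vector(basis: Mat, y: Vec, tol: float = 1e-6) -> bool:
    """y is in L(B) iff its coordinates in the basis are integers."""
    u = mat_vec(inverse_2x2(basis), y)
    return all(abs(ui - round(ui)) < tol for ui in u)


def distance_from_uniform(basis: Mat, t: Vec, s: float, n_samples: int = 4000, k: int = 4, seed: int = 7) -> float:
    """Empirical statistical distance between the law of c and U(P(B)) (Lemma 5.1.4), estimated by
    binning the basis coordinates u = B^{-1} c in [0, 1)^2 into a k x k grid. Also verifies y in L(B)."""
    rng = random.Random(seed)
    counts = [0] * (k * k)
    b_inv = inverse_2x2(basis)
    for _ in range(n_samples):
        c, y = sampler_S(rng, basis, t, s)
        if not is_lattice_vector(basis, y):
            raise AssertionError("y = r + c left the lattice")
        u = mat_vec(b_inv, c)
        i = min(max(int(u[0] * k), 0), k - 1)
        j = min(max(int(u[1] * k), 0), k - 1)
        counts[i * k + j] += 1
    return 0.5 * sum(abs(cnt / n_samples - 1.0 / (k * k)) for cnt in counts)


if __name__ == "__main__":
    t = (0.3, 0.7)
    # Lemma 5.1.3 gives eta_eps(L) <= ~1.63 * lambda_2(L) <= 1.63 * sqrt(10) ~ 5.2 for eps = 2^-10 (assumed eps).
    print("s = 8.0 (above the smoothing parameter):", distance_from_uniform(B, t, 8.0))
    print("s = 0.3 (far below it):                 ", distance_from_uniform(B, t, 0.3))
```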
From the outputs of the sampling procedure, one is able to build a random matrix $A$ to call the
SIS oracle to produce a short non-zero integer vector $x$ that is an SIS solution. More importantly, $x$ is
used to produce a lattice vector $s$ that is the solution of the INCGDD problem. Let the $n \times m$ matrix
$C = [c_1, \ldots, c_m] \in P(B)^m$ be the output of running the sampling procedure $m$ times, where each $c_i$
is one part of the pair $(c_i, y_i) \leftarrow \mathcal{S}(B, t, s)$.
Lemma 5.2.3 (Lemma 5.8 of Micciancio and Regev (2007)). Given an $n$-dimensional lattice $L(B)$, a
full-rank sublattice $S \subseteq L(B)$, the sampling output $C = [c_1, \ldots, c_m]$ and an integer $q$, there is a PPT
algorithm $\mathcal{A}^{\mathcal{F}}(B, S, C, q)$ that makes a single call to the SIS oracle $z \leftarrow \mathcal{F}(A)$ to produce a vector
$x \in \mathbb{R}^n$ such that
• $A$ is uniformly random,
• $x \in L(B)$ is a lattice vector,
• $\|x - Cz\| \le \sqrt{mn}\,\|S\|\,\|z\|/q$.
Recall that a strong motivation to study the discrete Gaussian distribution is to simplify Ajtai's SIS
reduction. The following proof indeed gives a simpler way of building a random matrix $A$ for the SIS
oracle.
Since $v_i$ and $c_i$ are all uniformly random, so is their modulo sum $w_i$. The first two steps create
uniformly distributed samples within the parallelepiped $P(S)$. They are much simpler than the procedure
in Ajtai's reduction, which has to start with a larger parallelepiped to ensure near orthogonality, a
key step to generate uniform samples from the smaller parallelepiped. From here, it is not hard to see that $A$
is uniform too.
Step 2 suggests that $W = V + C$, so $C - W = -V$ contains only lattice vectors. Given that $z$ is an SIS
solution, $SAz/q = kS$ for an integer vector $k$. Hence, $x = -Vz + kS$ is also a lattice vector in $L(B)$.
We skip the last part of the proof, which can be found in Micciancio and Regev (2007).
We finish this section by stating the final reduction theorem without proving it. The proof of this
theorem is nothing but calling the two procedures above to produce an INCGDD solution, and a justification
that the chance of producing a solution is non-negligible.
Theorem 5.2.4. For any $g(n) > 0$, polynomially bounded functions $m(n)$, $\beta(n) = n^{O(1)}$, negligible
function $\varepsilon(n) = n^{-\omega(1)}$, and $q(n) > g(n)\, n \sqrt{m(n)}\, \beta(n)$, there is a PPT reduction from $\mathrm{INCGDD}^{\eta}_{\gamma,g}$
for $\gamma(n) = \beta(n)\sqrt{n}$ to $\mathrm{SIS}_{q,m,\beta}$, so that if there is a solution to a random SIS instance then it solves
INCGDD in the worst case with a non-negligible probability.
$$\begin{bmatrix} 1 & 3 & 1 & 9 \\ 0 & -2 & -2 & -8 \\ 0 & 2 & 2 & 8 \end{bmatrix} \;\to\; \begin{bmatrix} 1 & 3 & 1 & 9 \\ 0 & -2 & -2 & -8 \\ 0 & 0 & 0 & 0 \end{bmatrix} \;\to\; \begin{bmatrix} 1 & 0 & -2 & 3 \\ 0 & 1 & 1 & 4 \\ 0 & 0 & 0 & 0 \end{bmatrix}$$
The LWE problem, however, introduces noise (or errors) into the linear equations, making the above
problem significantly harder. More precisely, Gaussian elimination involves linear combinations of
rows. This process may amplify the noise so that the resulting rows no longer carry the original
information that is embedded in the equations.
We introduce and recall some notation before going into the main content of this section. Denote
$\mathbb{Z}/q\mathbb{Z}$ by $\mathbb{Z}_q$ and let $\mathbb{Z}_q^n = \{(a_1, \ldots, a_n) \mid a_i \in \mathbb{Z}_q\}$ be its $n$-dimensional generalization. The notation
$x \leftarrow \mathbb{Z}_q^n$ indicates $x$ is uniformly sampled from $\mathbb{Z}_q^n$. Let $\mathbb{T} = \mathbb{R}/\mathbb{Z} = [0, 1)$ be $\mathbb{R} \bmod 1$.
In regards to errors in the LWE samples, we use $\phi$ and $\chi$ to denote the error distributions over $\mathbb{T}$
and $\mathbb{Z}_q$, respectively. In the hardness proof, Regev (2009) set the error distribution $\phi = \Psi_\alpha$, which can
be obtained by sampling from a continuous Gaussian with mean $0$ and standard deviation $\alpha/\sqrt{2\pi}$ (or scale
$\alpha$) and reducing the outputs modulo $1$. But in practice, these errors are discretized for convenience by
multiplying samples from $\Psi_\alpha$ by $q$ and rounding to the nearest integer modulo $q$. This gives rise to the
discretized error distribution $\bar\Psi_\alpha$ over $\mathbb{Z}_q$.
Throughout his work, Regev proved the hardness result of LWE based on the continuous error distribution
$\Psi_\alpha$ and only used the discretized error $\bar\Psi_\alpha$ when presenting a secure LWE-based cryptosystem.
⁶ $\tilde O(\cdot)$ is a variation of the $O(\cdot)$ notation that ignores logarithmic terms: $\tilde O(g(n)) = O(g(n) \log^k n)$ for some
$k$. This time complexity class is known as quasilinear time and sometimes expressed as $O(n^{1+\varepsilon})$ for an $\varepsilon > 0$.
In fact, both error distributions entail the same hardness of the LWE problem, as emphasized by Lemma
4.3 of Regev (2009). For simplicity, we present the LWE problem and its hardness proof based on the
discretized error distribution $\chi = \bar\Psi_\alpha$ over $\mathbb{Z}_q$; the reader should keep in mind that the original proofs were
based on the continuous error distribution $\phi = \Psi_\alpha$ over $\mathbb{T} = \mathbb{R}/\mathbb{Z} = [0, 1)$.
Definition 6.1.1 (LWE distribution). Given the following parameters, a fixed $s \in \mathbb{Z}_q^n$ and an error distribution $\chi$ over $\mathbb{Z}_q$,
the LWE distribution $A_{s,\chi}$ over $\mathbb{Z}_q^n \times \mathbb{Z}_q$ is obtained by these steps:
1. Sample $a \leftarrow \mathbb{Z}_q^n$ uniformly at random.
2. Sample an error $e \leftarrow \chi$.
3. Output the pair $(a,\; b = a \cdot s + e \bmod q)$.
The integer q which controls the size of the ring Zq is often a large integer and a function of n, but
it does not need to be a prime number for the hardness proof of the LWE search problem. It is only
required to be a prime when reducing the search to decision LWE, in which the ring Zq needs to be a
field to build the connection between the two problems as we will see next.
It has been demonstrated that solving a system of exact linear equations can be done efficiently with
Gaussian elimination, but solving a system of noisy linear equations is conjectured to be hard.⁷ This
motivates the search version of the LWE problem stated next. For simplicity, we denote by $(A, b) \in
\mathbb{Z}_q^{n \times N} \times \mathbb{Z}_q^N$ the $N$ samples generated from an LWE distribution.
Definition 6.1.2. Given the parameter $q$ and the error distribution $\chi$ over $\mathbb{Z}_q$, the search version of the
LWE (or just LWE) problem, denoted by $\mathrm{LWE}_{q,\chi}$, is to compute the secret key $s$ given samples $(A, b)$
from the LWE distribution $A_{s,\chi}$.
Although all hardness proofs were done on search LWE, the decision version is what is often used
to build secure cryptosystems upon.
Definition 6.1.3. Given the parameter $q$ and the error distribution $\chi$ over $\mathbb{Z}_q$, the decision version of
the LWE (or DLWE) problem, denoted by $\mathrm{DLWE}_{q,\chi}$, is to distinguish between the LWE samples $(A, b)$
and uniformly random samples $(A, u)$ over $\mathbb{Z}_q^{n \times N} \times \mathbb{Z}_q^N$.
Search to decision. An efficient reduction from LWE to DLWE can be constructed so that if there is a solution for
DLWE, there is a solution for LWE. The reduction applies the same procedure to guess (at most
$\mathrm{poly}(n)$ times) each element $s_i$ of the secret key $s$. To guess the first element $s_1$, we generate a random
$r \in \mathbb{Z}_q$ and add it to the first element of each column vector $a_i \in \mathbb{Z}_q^n$, so we get the new random column
vectors
$$\tilde a_i = a_i + (r, 0, \ldots, 0) \in \mathbb{Z}_q^n.$$
To utilize the DLWE oracle, we output the pair
$$(\tilde a_i,\; b_i + r \cdot k \bmod q) \tag{8}$$
for each $k \in \mathbb{Z}_q$. If $k$ is the correct guess of the first secret vector component, i.e., $k = s_1$, then
$b_i + r \cdot k = \tilde a_i \cdot s + e_i \pmod q$, so the corresponding pair in Equation (8) looks like $(\tilde a_i, \tilde a_i \cdot s + e_i)$,
which follows the LWE distribution. If $k \ne s_1$, then the corresponding pair is uniform in the domain
$\mathbb{Z}_q^n \times \mathbb{Z}_q$, provided $q$ is prime to make $\mathbb{Z}_q$ a field so that the product $r \cdot k$ can map to each field element with
equal chance. Applying the DLWE oracle to distinguish the LWE pair from the uniform pair yields the
correct guess of $s_1$. We thus have a simple reduction from LWE to DLWE.
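As an added illustration (not from the paper) of the reduction just described, the Python below builds LWE samples for constructed toy parameters ($n = 3$, prime $q = 7$, error uniform on $\{-1, 0, 1\}$ standing in for $\bar\Psi_\alpha$), plays the DLWE oracle by brute force over all $q^n$ candidate secrets (feasible only at this size), and recovers $s$ by the guess-and-shift procedure of Equation (8) with a fresh $r_i$ per sample. It goes beyond the text in that the same step is run for every coordinate of $s$, not only $s_1$. Names and parameter values are assumptions.

```python
import itertools
import random
from typing import List, Tuple

# Constructed toy parameters (not from the paper). q is prime so that Z_q is a field, as the reduction needs.
N_DIM, Q, N_SAMPLES = 3, 7, 24
ERROR_SUPPORT = (-1, 0, 1)   # chi: uniform on {-1, 0, 1}, a stand-in for the discretized Gaussian

Sample = Tuple[Tuple[int, ...], int]   # (a, b) with a in Z_q^n and b in Z_q


def inner(a, s, q: int) -> int:
    return sum(ai * si for ai, si in zip(a, s)) % q


def centered(v: int, q: int) -> int:
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v


def lwe_samples(rng: random.Random, s, n_samples: int, q: int = Q) -> List[Sample]:
    """Draw (a, a.s + e mod q) from the LWE distribution A_{s,chi}."""
    out = []
    for _ in range(n_samples):
        a = tuple(rng.randrange(q) for _ in range(len(s)))
        e = rng.choice(ERROR_SUPPORT)
        out.append((a, (inner(a, s, q) + e) % q))
    return out


def dlwe_oracle_bruteforce(samples: List[Sample], q: int = Q, n: int = N_DIM) -> bool:
    """Toy DLWE oracle: answer 'LWE' iff some secret s' explains every sample with an error in the support
    of chi. Uniformly random pairs pass only with probability about q^n * (3/q)^N, negligible at this size."""
    for s_cand in itertools.product(range(q), repeat=n):
        if all(centered(b - inner(a, s_cand, q), q) in ERROR_SUPPORT for a, b in samples):
            return True
    return False


def recover_coordinate(rng: random.Random, samples: List[Sample], j: int, q: int = Q) -> int:
    """Search-to-decision step for coordinate j (j = 0 is s_1 in Equation (8)): shift a_i[j] by a fresh
    random r_i and b_i by r_i * k. Only k = s_j leaves the pairs LWE-distributed; for any other k the term
    r_i (k - s_j) is uniform over the field Z_q, so b_i becomes uniform and the oracle rejects."""
    n = len(samples[0][0])
    rs = [rng.randrange(q) for _ in samples]
    for k in range(q):
        shifted = []
        for (a, b), r in zip(samples, rs):
            a_t = list(a)
            a_t[j] = (a_t[j] + r) % q
            shifted.append((tuple(a_t), (b + r * k) % q))
        if dlwe_oracle_bruteforce(shifted, q, n):
            return k
    raise ValueError("no guess accepted: samples are not LWE-distributed for this oracle")


def recover_secret(rng: random.Random, samples: List[Sample], q: int = Q) -> Tuple[int, ...]:
    n = len(samples[0][0])
    return tuple(recover_coordinate(rng, samples, j, q) for j in range(n))


if __name__ == "__main__":
    rng = random.Random(3)
    secret = (4, 1, 6)
    samples = lwe_samples(rng, secret, N_SAMPLES)
    print("recovered:", recover_secret(rng, samples), "true secret:", secret)
```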
Before going forward, it should be made clear that there are different variants of LWE from three
different perspectives: decision or search, discrete or continuous error distribution, and average-case
or worst-case. We have explicitly discussed the first two perspectives above. The last one suggests
that the LWE distribution and LWE problem can be defined either for all secrets $s$ or for a uniformly
random $s$. The next lemma shows a reduction from the search, continuous error, worst-case LWE to
decision, discrete error, average-case LWE.

⁷ Another way of seeing the hardness of this problem is that LWE is a generalization of the Learning Parity
with Noise problem (Pietrzak, 2012), in which $q = 2$ and the error distribution $\chi$ is a Bernoulli distribution with
$p(1) = \varepsilon$ and $p(0) = 1 - \varepsilon$. This problem is believed to be hard too.
Lemma 6.1.4. Let $q = \mathrm{poly}(n)$ be a prime integer, $\phi$ be an error distribution over $\mathbb{T}$ and $\bar\phi$ be its
discretization over $\mathbb{Z}_q$. Assume there is a $\mathrm{DLWE}_{q,\bar\phi}$ oracle that distinguishes the LWE distribution $A_{s,\bar\phi}$
from the uniform distribution for a non-negligible fraction of $s$; then there is an efficient algorithm that
solves $\mathrm{LWE}_{q,\phi}$ for all $s$.
To keep things simple in this paper, we illustrate the hardness proof in terms of the search, discrete
error, worst-case LWE problem. The only difference from the original proof is the discretized error
distribution rather than a continuous one.
Theorem 6.2.1 (Theorem 1.1 of Regev (2009)). Let $n, p$ be integers and $\alpha \in (0, 1)$ be such that $\alpha p > 2n$.
If there exists an efficient algorithm that solves $\mathrm{LWE}_{p,\bar\Psi_\alpha}$ then there exists an efficient quantum
algorithm that approximates the decision version of the shortest vector problem (GAPSVP) and the
shortest independent vectors problem (SIVP) to within $\tilde O(n/\alpha)$ in the worst case.
The major steps of the hardness proof of the LWE problem, as outlined by Regev, are sketched in
Figure 9. In the box, there is a classical (i.e., non-quantum) reduction from BDD to LWE, which suggests
LWE is hard. The more preferable reduction is from the more standard (and well studied) lattice
problem GAPSVP, but it involves both quantum and classical reductions. The focus of this subsection is
the classical reduction in the box. For details of the other steps, the reader is referred to the original paper
(Regev, 2009).
As it is often convenient to build a cryptosystem based on DLWE and there is an efficient reduction
from LWE to DLWE, if there is a solution to the cryptosystem, such a solution can be used to solve
LWE. This in turn can solve the worst-case GAPSVP (and SIVP) using a quantum algorithm, which
is conjectured with high confidence to be difficult. Note that assuming these lattice problems are hard
for quantum algorithms is a stronger assumption than assuming they are hard for classical algorithms,
since quantum algorithms are obviously more difficult to realize. Peikert (2009) proposed a classical reduction that
can replace the quantum step in this proof, but at the cost of basing hardness on a non-standard
variant of the lattice problems, or on a large modulus $q$, which weakens a cryptosystem's security in inverse
proportion to the size of $q$.
Figure 9: Reductions to the LWE decision problem. If DGS can be solved for a small scale $r$ close to
its lower bound $\sqrt{2n}\,\eta_\varepsilon(L)/\alpha$, then both lattice problems can be solved with close to optimal solutions.
The key to solving DGS for small $r$ is to iteratively apply a subroutine to gradually reduce the scale. The
subroutine supplies discrete Gaussian samples to an LWE oracle to classically solve BDD, the result of
which is then used by a quantum algorithm to produce shorter discrete Gaussian samples.
Theorem 6.2.2 (Theorem 3.1 of Regev (2009)). Let $\varepsilon = \varepsilon(n)$ be some negligible function of $n$. Also,
let $p = p(n)$ be some integer and $\alpha = \alpha(n) \in (0, 1)$ be such that $\alpha p > 2n$. Assume that we have
access to an oracle $W$ that solves $\mathrm{LWE}_{p,\Psi_\alpha}$ given a polynomial number of samples. Then there exists
an efficient quantum algorithm for $\mathrm{DGS}_{\sqrt{2n}\,\eta_\varepsilon(L)/\alpha}$.
DGS problem. The Discrete Gaussian Sampling (DGS) problem is defined as generating a lattice vector in $L$
according to a discrete Gaussian distribution $D_{L,r}$ over $L$ with scale $r \ge \sqrt{2n}\,\eta_\varepsilon(L)/\alpha$, which is larger
than the lattice's smoothing parameter $\eta_\varepsilon(L)$. For the sake of explaining only the BDD to LWE reduction,
we accept (without proof) that $\mathrm{GAPSVP}_\gamma$ and $\mathrm{SIVP}_\gamma$ are more likely to be solved if DGS can be
performed with as small a scale $r$ as possible. Hence, it is sufficient to show that one can run DGS with
a small $r$. It turns out that this can be achieved by using an LWE oracle and an iterative step which
involves the use of classical and quantum algorithms (in the box of Figure 9) in order to produce samples
from a discrete Gaussian distribution with small $r$. More specifically, starting from $n^c$ samples of a
discrete Gaussian distribution $D_{L,r}$ where $r$ is large, the iterative step is able to produce $n^c$ samples from
a narrower Gaussian distribution $D_{L,r'}$ where $r' < r/2$. This step is repeated a polynomial number of
times so that the last step produces samples from a Gaussian $D_{L,r'}$ whose width $r' \ge \sqrt{2n}\,\eta_\varepsilon(L)/\alpha$
reaches its lower bound. One part of the iterative step requires an LWE oracle and an efficient DGS
algorithm for $r > 2^{2n}\lambda_n(L)$ to solve the intermediate problem using a classical algorithm. The
intermediate problem is CVP for a given vector that has bounded norm, which is also known as the Bounded
Distance Decoding (BDD) problem. The efficient DGS algorithm for large scale is proved plausible
by the Bootstrapping Lemma 3.2 of Regev (2009). The other part of the iterative step is a quantum
algorithm that uses the solution of the intermediate problem to solve DGS for a narrower distribution
whose scale is at most half of the previous one. The quantum part is out of the scope of this material, hence is
not included.
The classical step was demonstrated using the special lattice $L = \mathbb{Z}^n$ in a follow-up paper (Proposition
2.1 of Regev (2010)). Although the original reduction in Regev (2009) involves working in the dual
lattice $L^*$, the lattice and its dual are identical when $L = \mathbb{Z}^n$. Note that since BDD can be solved easily in
$\mathbb{Z}^n$ (without the LWE oracle), this restricted context is for demonstration purposes only and does not
guarantee LWE hardness.
Proposition 6.2.3 (BDD to LWE). Let $q \ge 2$ be an integer and $\alpha \in (0, 1)$ be a real number. Assume there is an LWE
oracle for the modulus $q$ and error distribution $\Psi_\alpha$. Then, given as input an $n$-dimensional lattice $L$,
a sufficient polynomial number of samples from the discrete Gaussian distribution $D_{L^*,r}$ and a BDD
instance $x = v + e \in \mathbb{R}^n$ such that $\|e\| \le \alpha q/(\sqrt{2}\,r)$, there is a polynomial time algorithm that finds the
It is worth mentioning that the scale $\alpha$ of the error distribution $\Psi_\alpha$ for LWE is restricted to $(0, 1)$
in order to ensure the Gaussian error distribution is still distinguishable from the uniform distribution
once reduced to within a smaller region. In fact, as long as $\alpha < \eta_\varepsilon(L)$, the Gaussian error is still
distinguishable. This implies that it is sufficient to have $\alpha \in (0, O(\sqrt{\log n}))$, because the smoothing
parameter $\eta_\varepsilon(L) \le O(\sqrt{\log n}) \cdot \lambda_n(L)$ by Lemma 5.1.3 and the $n$-th successive minimum $\lambda_n(\mathbb{Z}^n) = 1$.
Sketch of proof. To utilize the LWE oracle, we wish to construct random LWE samples from the given
BDD instance $x$ such that its closest lattice vector $v \in L$ is the secret vector $s \in \mathbb{Z}_q^n$ for the LWE
distribution. Hence, the problem becomes producing from the given BDD instance sufficient LWE
samples in the domain $\mathbb{Z}_q^n \times \mathbb{Z}_q$.
To do so, we need help from the given discrete Gaussian samples. The rationale is that such a
discrete Gaussian sample behaves like a random element in a smaller domain after modulo reduction.
Furthermore, it is still normally distributed after multiplying with a random continuous element. So by
manipulating this discrete Gaussian element, it outputs an LWE sample that can be used by the oracle.
More precisely, sample $y$ according to the discrete Gaussian distribution $D_{\mathbb{Z}^n,r}$ over $\mathbb{Z}^n$ with a relatively
large scale $r$, then output the pair
$$(a = y \bmod q,\; b = \lfloor \langle y, x \rangle \rceil \bmod q) \in \mathbb{Z}_q^n \times \mathbb{Z}_q. \tag{9}$$
To see why the pair is in the LWE domain, we notice first that $r$ being large ensures that $y$ is almost uniformly
distributed in $\mathbb{Z}_q^n$ after reduction. This is consistent with the distribution of LWE's first component.
Expressing y in terms of a and q, we get y = qZn + a. Substitute y and x into Equation 9, we get
b = bhqZn , vi + bha, vi + hy, eie mod q
= bha, vi + hy, eie mod q.
The first term is an integer, so rounding is ignored. For the second
√ term, since y ∈ DZ ,r its expected
n
√
norm is roughly ||y|| ≤ nr. In addition, given ||e|| ≤ αq/ 2r, then by Corollary 3.10 of Regev
38
A PREPRINT - S EPTEMBER 29, 2022
(2009), the second term isp almost normally distributed with norm approximately at most αq n/2 and
p
then reduced to roughly α n/2, which is consistent with the error distribution Ψα for the LWE oracle.
Therefore, the pair (a, b) follows the LWE distribution and hence can be used by the oracle to recover
the secret key s.
Since s = v mod q, the LWE oracle and the modulo operation reveal the least significant digits of
v in base q. Next, we update the non-lattice vector from x to (x − s)/q ∈ R^n, which gets rid of the least
significant digits of x, and employ the above BDD to LWE process to search for the next set of least
significant digits in base q of the new secret vector (v − s)/q mod q ∈ L. Iterating this process enough
times, we recover the entire closest lattice vector v ∈ L to the given BDD instance x.
Two remarks about the proof. First, to completely hide the discreteness of y by additive noise,
additional Gaussian noise needs to be added to b, as shown in Equation 12 of Regev (2009). Second, the
assumed LWE oracle may only work for a noise distribution of a certain magnitude. However, the noise
magnitude ⟨y, e⟩ is strongly related to the distance e = x − v from the given vector to the lattice. The
way to address this potential issue is by adding to the second element b in Equation 9 an extra noise
whose magnitude can be varied to ensure the LWE oracle works (Lemma 3.7 (Regev, 2009)). We will
see in Section 9 that this becomes a challenge in the ring-LWE problem, in which a vector of Gaussian
noises is added rather than a single noise, whose effect on the result is much easier to control.
The last paragraph of the above proof is formalized in the next lemma for general lattices. It gives
rise to a reduction from CVP_{L,d} to CVP^{(q)}_{L,d}. The latter problem is to find the closest lattice vector reduced
modulo q. That is, for a given vector x = v + e ∈ R^n with ||e|| ≤ d, find the coefficient vector
L^{-1} v mod q ∈ Z_q^n. Here, the notation L is used in a non-standard way to denote the basis matrix,
where the columns of L are the basis vectors v_1, ..., v_n, so L^{-1} is the inverse of the basis matrix.
Lemma 6.2.4 (Lemma 3.5 (Regev, 2009)). Given a lattice L, an integer p ≥ 2 and a CVP^{(p)}_{L,d} oracle
for d < λ_1(L)/2, there is an efficient algorithm that solves CVP_{L,d}.
Proof. The lemma can be proved using the same digit-by-digit iterating strategy as in the special case
L = Z^n in the above proof. Let x = v + e ∈ R^n be a BDD instance. Create a sequence of vectors
x_1 = x, x_2, .... Starting from x_1, use the CVP^{(p)}_{L,d} oracle to find the coefficient vector a_1 = L^{-1} v_1 mod p
of x_1's closest lattice vector v_1, and update the vector by
x_{i+1} = (x_i − L(a_i mod p))/p,
where L(a_i mod p) denotes the lattice vector corresponding to a_i mod p, the least significant digit of the
coefficient vector in base p. Substituting x_i = v_i + e_i into the above equation, we get
x_{i+1} = (v_i − L(a_i mod p))/p + e_i/p,
where the error is reduced by a factor of p in the updated instance. Repeating this process n times, we get
a BDD instance x_{n+1} with much smaller error ||e_{n+1}|| ≤ d/p^n. Unlike in the special case where the
process is repeated to solve all digits of the vector, it is sufficient to get down to an x_{n+1} that is very close to
the lattice, then use an algorithm (e.g., the nearest plane algorithm (Babai, 1986)) to solve for its closest
lattice vector a_{n+1}. Working backwards to add the solved digits to a_{n+1}, we obtain a solution a_1 for the
given BDD instance x_1.
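The digit-peeling loop of Lemma 6.2.4, as an added worked example that is not code from the tutorial: the reduction holds only a poor basis B of a 2-dimensional integer lattice plus a CVP^{(p)} oracle, and the oracle is simulated with a second, good basis G of the same lattice, knowledge the reduction itself never touches. The final nearest-plane call is replaced by Babai's simpler rounding step, and the number of rounds is chosen so that the shrunken error makes rounding in the poor basis succeed (more than the n rounds the lemma counts, since no basis reduction is done here); all names and the lattice are constructed for this example.

```python
from fractions import Fraction
from typing import Callable, List

Vec = List[Fraction]
Mat = List[List[Fraction]]  # basis vectors are the COLUMNS, as in the tutorial's L notation


def lattice_vector(B: Mat, a: List[int]) -> Vec:
    """L(a) = sum_j a_j * b_j for the column basis B."""
    return [sum(B[i][j] * a[j] for j in range(len(a))) for i in range(len(B))]


def solve(B: Mat, x: Vec) -> Vec:
    """Exact B^{-1} x by Gauss-Jordan elimination over the rationals."""
    n = len(B)
    M = [list(B[i]) + [x[i]] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [v * inv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def babai_round(B: Mat, x: Vec) -> List[int]:
    """Babai's rounding step: round the coefficient vector B^{-1} x (stand-in for nearest plane)."""
    return [round(c) for c in solve(B, x)]


def simulated_cvp_mod_oracle(G: Mat, B: Mat, p: int) -> Callable[[Vec], List[int]]:
    """Simulated CVP^{(p)}_{L,d} oracle: solve CVP outright with the good basis G, then return
    the closest vector's coefficient vector in basis B reduced modulo p.
    It stands in for the oracle the lemma assumes; the reduction never sees G."""
    def oracle(x: Vec) -> List[int]:
        v = lattice_vector(G, babai_round(G, x))   # closest lattice vector to x
        coeff = solve(B, v)                         # L^{-1} v, an integer vector
        assert all(c.denominator == 1 for c in coeff)
        return [int(c) % p for c in coeff]
    return oracle


def reduce_cvp_to_cvp_mod(B: Mat, x: Vec, p: int, oracle, rounds: int) -> List[int]:
    """Lemma 6.2.4: peel one base-p digit of the coefficient vector per round,
    x_{i+1} = (x_i - L(a_i mod p)) / p, shrinking the error by p each time; then solve the
    final instance by rounding and recombine a_i = (a_i mod p) + p * a_{i+1}."""
    digits = []
    xi = list(x)
    for _ in range(rounds):
        ai = oracle(xi)                             # a_i = L^{-1} v_i mod p
        digits.append(ai)
        lv = lattice_vector(B, ai)
        xi = [(xc - lc) / p for xc, lc in zip(xi, lv)]
    a = babai_round(B, xi)                          # coefficients of the last instance's closest vector
    for ai in reversed(digits):
        a = [d + p * c for d, c in zip(ai, a)]
    return a


# Constructed example. G is a good basis; B = G * [[1, 20], [0, 1]] is a poor basis of the SAME
# lattice (unimodular change of basis), so Babai rounding in B fails on x itself.
G: Mat = [[Fraction(3), Fraction(1)], [Fraction(1), Fraction(4)]]     # columns (3,1), (1,4)
B: Mat = [[Fraction(3), Fraction(61)], [Fraction(1), Fraction(24)]]   # columns (3,1), (61,24)
A_TRUE = [-5, 2]                                    # hidden coefficient vector of v in basis B
V_TRUE = lattice_vector(B, A_TRUE)                  # v = (107, 43)
X = [V_TRUE[0] + Fraction(3, 5), V_TRUE[1] - Fraction(4, 5)]  # x = v + e, ||e|| = 1 < lambda_1/2
P = 2
ROUNDS = 4                                          # error 1/2^4 is small enough for rounding in B


def demo() -> dict:
    oracle = simulated_cvp_mod_oracle(G, B, P)
    return {
        "naive_rounding_in_B": babai_round(B, X),                      # wrong: [1, 2]
        "recovered": reduce_cvp_to_cvp_mod(B, X, P, oracle, ROUNDS),   # [-5, 2]
    }


if __name__ == "__main__":
    print(demo())
```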
To finish off this section, we state the LWE-based encryption scheme that was proposed by Regev.
Later, this scheme became a popular building block for LWE-based homomorphic encryption schemes,
as we will see in Section 10 (especially in the second generation of homomorphic encryption schemes).
The scheme is parameterized by n, N, q and χ, which correspond to the dimension (or security
parameter), sample size, modulus and noise distribution over Z_q, the same as the setting for the
LWE distribution. The parameters need to be set to appropriate values to ensure the system is correct,
secure and efficiently computable. An example setting in Regev (2009) is taking a prime number
q ∈ [n^2, 2n^2], N = (1 + ε)(n + 1) log q for an arbitrary constant ε > 0, and χ = Ψ̄_{α(n)}, where the
scale α(n) = 1/(√n log^2 n).
Correctness. For the correct choices of the parameters, it can be proved (Lemma 5.1 and Claim 5.2 (Regev, 2009))
that there is only a negligible chance that the norm of the accumulated error Σ_{i∈S} e_i, with each e_i sampled
from χ, is greater than ⌊q/2⌋/2. Hence, when decrypting the ciphertext of 0, the scheme gives c_2 − s · c_1 = Σ_{i∈S} e_i, whose
norm |Σ_{i∈S} e_i| < ⌊q/2⌋/2, which implies the result is closer to 0 than to ⌊q/2⌋. By the same argument,
the decryption of the ciphertext of 1 is also correct.
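Regev's scheme as the correctness paragraph describes it (public key (A, b = As + e) of N samples, encryption by a random subset S of the samples, decryption of c_2 − ⟨s, c_1⟩ against the ⌊q/2⌋ threshold), as an added toy implementation that is not the tutorial's code. The parameter shape follows the text (prime q, N = (1 + ε)(n + 1) log q), but q is enlarged beyond [n^2, 2n^2] and Ψ̄_α is replaced by a bounded {−1, 0, 1} noise, so that the worst-case error sum stays below ⌊q/2⌋/2 and every decryption is correct, rather than correct with overwhelming probability as Lemma 5.1 gives; the seeds and sizes are constructed for this example.

```python
import math
import random

# Toy parameters in the shape the tutorial gives: dimension n, N = (1+eps)(n+1) log q samples,
# prime modulus q, noise chi. q is enlarged (not in [n^2, 2n^2]) and chi is a bounded uniform
# {-1, 0, 1} stand-in for Psi-bar_alpha, so the WORST-CASE error sum N * 1 is below floor(q/2)/2.
n, q, eps = 8, 521, 0.5
N = math.ceil((1 + eps) * (n + 1) * math.log2(q))    # 122
assert N * 1 < (q // 2) / 2                            # 122 < 130: decryption always correct


def noise(rng):
    return rng.choice((-1, 0, 1))


def keygen(rng):
    """Secret s in Z_q^n; public key (A, b = A s + e mod q) made of N LWE samples."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(N)]
    e = [noise(rng) for _ in range(N)]
    b = [(sum(a_j * s_j for a_j, s_j in zip(row, s)) + e_i) % q for row, e_i in zip(A, e)]
    return s, (A, b), e        # e is returned only so the demo can check the error identity


def encrypt(pk, bit, rng):
    """Random subset S of the samples; c1 = sum_{i in S} a_i, c2 = sum_{i in S} b_i + bit*floor(q/2)."""
    A, b = pk
    S = [i for i in range(N) if rng.random() < 0.5]
    c1 = [sum(A[i][j] for i in S) % q for j in range(n)]
    c2 = (sum(b[i] for i in S) + bit * (q // 2)) % q
    return (c1, c2), S         # S is returned only for the demo; a real encryptor discards it


def centred(r):
    """Representative of r mod q in (-q/2, q/2]."""
    r %= q
    return r - q if r > q // 2 else r


def decide(r):
    """Decryption rule of the text: 0 if r is closer to 0 than to floor(q/2) (mod q), else 1."""
    r %= q
    dist0 = min(r, q - r)
    d = abs(r - q // 2)
    dist1 = min(d, q - d)
    return 0 if dist0 < dist1 else 1


def decrypt(s, ct):
    c1, c2 = ct
    return decide(c2 - sum(s_j * c_j for s_j, c_j in zip(s, c1)))


def error_identity_holds(seed=3):
    """For a ciphertext of 0, c2 - <s, c1> mod q is exactly sum_{i in S} e_i, the identity
    the correctness argument relies on."""
    rng = random.Random(seed)
    s, pk, e = keygen(rng)
    (c1, c2), S = encrypt(pk, 0, rng)
    lhs = centred(c2 - sum(s_j * c_j for s_j, c_j in zip(s, c1)))
    return lhs == sum(e[i] for i in S)


def roundtrips_ok(trials=40, seed=1):
    """Encrypt and decrypt both bits under fresh keys; True iff every decryption is right."""
    rng = random.Random(seed)
    for _ in range(trials):
        s, pk, _ = keygen(rng)
        for bit in (0, 1):
            ct, _ = encrypt(pk, bit, rng)
            if decrypt(s, ct) != bit:
                return False
    return True


if __name__ == "__main__":
    print("N =", N, "error identity:", error_identity_holds(), "roundtrips:", roundtrips_ok())
```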
Security. The semantic security of the cryptosystem is based on the hardness of the DLWE problem. If there is
a PPT distinguisher that can tell apart the encryptions of 0 and 1, then we can build another distinguisher
that tells apart the LWE distribution from the uniform distribution for a non-negligible fraction of all
secret keys s (Lemma 5.4 (Regev, 2009)). More specifically, assuming W is a distinguisher between
the encryptions of 0 and 1, that is, |p_0(W) − p_1(W)| ≥ 1/n^c for some constant c > 0, then it is possible
to build another distinguisher W' such that |p_0(W') − p_u(W')| ≥ 1/(2n^c). By the above remark, it is
sufficient to prove a DLWE distinguisher for a non-negligible fraction of s. Define a set Y = {s |
|p_0(s) − p_u(s)| ≥ 1/(4n^c)}. Construct a distinguisher Z that estimates p_0((A, b)) and p_u((A, b)) up to an
additive error 1/(64n^c) by applying W a polynomial number of times. Then Z accepts if the two estimates
Cyclotomic polynomials are polynomials whose roots are the primitive roots of unity. To make this
precise, we first define roots of unity.
Definition 7.1.1 (Roots of unity). For any positive integer n, the n-th roots of unity are the (complex) solutions to the
equation x^n = 1, and there are n solutions to the equation.
Theorem 7.1.2. Let n be a positive integer and define ζ_n = e^{2πi/n}. Then the set of all n-th roots of
unity is given by
{ζ_n^k | k = 0, 1, ..., n − 1}. (10)
Figure 10: The 3rd roots of unity ζ^0 = 1, ζ^1 = −1/2 + i√3/2 and ζ^2 = −1/2 − i√3/2.
We sometimes drop the subscript to simplify the notation to ζ^k if the context is clear.
In general, the equation x^n = 1 can be defined over different fields. In the real field R, the only
possible roots of unity are ±1. In the complex field C, the nth roots of unity form a cyclic group under
multiplication. The generator is e^{2πi/n} and the group order is n, as shown in Theorem 7.1.2. In a finite
field, for example F_7 = Z/7Z = {0, 1, 2, 3, 4, 5, 6}, the 3rd roots of unity are {1, 2, 4}, because these
are the only numbers equal to 1 modulo 7 when raised to the third power.
Definition 7.1.4 (Primitive root). An n-th root of unity r is called primitive if it is not a d-th root of unity for any integer
d smaller than n; i.e., r^n = 1 and r^d ≠ 1 for d < n.
Geometrically, r is primitive if it is a vertex of a regular polygon that lies on the unit circle, but not
a vertex of a smaller regular polygon that lies on the unit circle.
Example 7.1.5. 1 is not primitive. The two real roots ±1 of the 4th roots of unity are not primitive,
because they are also the 2nd roots of unity. Both complex roots of the 3rd roots of unity are primitive.
The primitive 6th roots of unity are shown in Figure 11.
Figure 11: The 6th roots of unity ζ^0 = 1, ζ^1 = 1/2 + i√3/2, ζ^2 = −1/2 + i√3/2, ζ^3 = −1, ζ^4 = −1/2 −
i√3/2, ζ^5 = 1/2 − i√3/2. The primitive roots are ζ^1, ζ^5, coloured in green. ζ^0, ζ^2, ζ^4 are not
primitive because they are also the 3rd roots of unity. ζ^0, ζ^3 are not primitive because they are also the
2nd roots of unity.
The following theorem provides an easy way to find the n-th primitive roots of unity.
Theorem 7.1.6. The n-th primitive roots of unity are {ζ_n^k | 1 ≤ k ≤ n − 1 and gcd(k, n) = 1}.
If n is prime, then all the n-th roots of unity except 1 are primitive. It follows from Theorem 7.1.6
that the number of n-th primitive roots of unity is equal to the number of natural numbers smaller than
n that are coprime with n, which is also known as Euler's totient function
ϕ(n) = |{k | 1 ≤ k ≤ n − 1 and gcd(k, n) = 1}|.
For example, there are four 12th primitive roots of unity {ζ, ζ^5, ζ^7, ζ^11}.
We now have the necessary components to formally define cyclotomic polynomials.
Definition 7.1.7 (Cyclotomic polynomial). The n-th cyclotomic polynomial Φ_n(x) is the polynomial whose roots are the n-th
primitive roots of unity. That is,
Φ_n(x) = ∏_{1 ≤ k < n, gcd(k,n) = 1} (x − ζ_n^k),
where ζ_n^k = e^{2kπi/n} is an nth root of unity (as before in Theorem 7.1.2).
Example 7.1.8. The first few cyclotomic polynomials and their roots are listed in Table 1. For n = 4,
the 4th cyclotomic polynomial is Φ_4(x) = (x − i)(x + i) = x^2 + 1, because the 4th roots of unity are
{±1, ±i} and the primitive roots are ±i.
In lattice-based cryptography, we are only interested in some special forms of cyclotomic polynomials,
as they make certain proofs feasible and computations easier. Next, we introduce two special
cases.
Remark 7.1.9. If n is prime, then the n-th cyclotomic polynomial is given by
Φ_n(x) = x^{n−1} + x^{n−2} + ··· + 1 = Σ_{t=0}^{n−1} x^t.

n   Φ_n(x)                                roots
1   x − 1                                 1
2   x + 1                                 ζ^1 = −1
3   x^2 + x + 1                           ζ^1, ζ^2
4   x^2 + 1                               ζ^1 = i, ζ^3 = −i
5   x^4 + x^3 + x^2 + x + 1               ζ^1, ζ^2, ζ^3, ζ^4
6   x^2 − x + 1                           ζ^1, ζ^5
7   x^6 + x^5 + x^4 + x^3 + x^2 + x + 1   ζ^1, ζ^2, ζ^3, ζ^4, ζ^5, ζ^6
8   x^4 + 1                               ζ^1, ζ^3, ζ^5, ζ^7
Table 1: First few cyclotomic polynomials

The second equality is because d | n splits [1, n] into mutually exclusive subsets. The third equality
uses the definition of cyclotomic polynomial. The last equality is because the sets of integers {n/d} and
{d}, as d ranges over the divisors of n, are identical.
Equation (11) says that a number is an n-th root of unity if and only if it is a d-th primitive root of
unity for some natural number d that divides n.
Example 7.1.10. The 6th roots of unity are shown in Figure 11. ζ^0 = 1 is the 1st primitive root. ζ^3
is the 2nd primitive root. ζ^2 and ζ^4 are the 3rd primitive roots. ζ^1 and ζ^5 are the 6th primitive roots.
Hence, the product of these four cyclotomic polynomials is a polynomial whose roots are the 6th roots
of unity, i.e., Φ_1(x)Φ_2(x)Φ_3(x)Φ_6(x) = x^6 − 1.
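The two descriptions of Φ_n on this page, the product over primitive roots (Definition 7.1.7) and the identity x^n − 1 = ∏_{d|n} Φ_d(x) behind Example 7.1.10, carried out in code as an added example that is not from the tutorial: one function builds Φ_n by dividing x^n − 1 by the Φ_d of the proper divisors, the other multiplies out (x − ζ_n^k) over C, and the two must agree on every row of Table 1 and beyond. Polynomials are integer coefficient lists, lowest degree first; all function names are mine.

```python
import cmath
import math
from math import gcd
from typing import List

Poly = List[int]   # coefficients, lowest degree first: [c0, c1, ...] = c0 + c1 x + ...


def trim(p: Poly) -> Poly:
    """Drop trailing zero coefficients (keep [0] for the zero polynomial)."""
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def poly_divmod(num: Poly, den: Poly):
    """Long division of integer polynomials by a MONIC divisor (every Phi_d is monic)."""
    num = list(num)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = num[i + len(den) - 1]
        quot[i] = coef
        for j, dj in enumerate(den):
            num[i + j] -= coef * dj
    return quot, trim(num)


def primitive_exponents(n: int) -> List[int]:
    """Theorem 7.1.6: zeta_n^k is primitive iff gcd(k, n) = 1 (for n = 1 the 1st root is zeta^0 = 1)."""
    if n == 1:
        return [0]
    return [k for k in range(1, n) if gcd(k, n) == 1]


def euler_phi(n: int) -> int:
    return len(primitive_exponents(n))


def cyclotomic(n: int) -> Poly:
    """Phi_n via x^n - 1 = prod_{d | n} Phi_d(x): divide x^n - 1 by every Phi_d with d | n, d < n."""
    num = [-1] + [0] * (n - 1) + [1]                  # x^n - 1
    for d in range(1, n):
        if n % d == 0:
            num, rem = poly_divmod(num, cyclotomic(d))
            assert rem == [0], "x^n - 1 must be divisible by Phi_d for d | n"
    return num


def cyclotomic_from_roots(n: int) -> Poly:
    """Definition 7.1.7 directly: product over primitive k of (x - zeta_n^k) in C, rounded to integers."""
    poly = [1 + 0j]
    for k in primitive_exponents(n):
        zeta_k = cmath.exp(2j * math.pi * k / n)
        poly = poly_mul(poly, [-zeta_k, 1 + 0j])
    return [round(c.real) for c in poly]


def product_of_cyclotomics(divisors) -> Poly:
    """prod_{d in divisors} Phi_d; with all d | n this gives x^n - 1 (Example 7.1.10 for n = 6)."""
    acc = [1]
    for d in divisors:
        acc = poly_mul(acc, cyclotomic(d))
    return acc


def show(p: Poly) -> str:
    """Render [c0, c1, ...] as a polynomial string, highest degree first."""
    out = ""
    for k in range(len(p) - 1, -1, -1):
        c = p[k]
        if c == 0:
            continue
        sign = "-" if c < 0 else "+"
        body = "" if k == 0 else ("x" if k == 1 else f"x^{k}")
        coef = str(abs(c)) if (abs(c) != 1 or k == 0) else ""
        out += f" {sign} {coef}{body}"
    out = out.strip()
    if out.startswith("+ "):
        return out[2:]
    if out.startswith("- "):
        return "-" + out[2:]
    return out or "0"


if __name__ == "__main__":
    for n in range(1, 13):    # Table 1 and beyond; both constructions must agree
        assert cyclotomic(n) == cyclotomic_from_roots(n)
        print(f"Phi_{n}(x) = {show(cyclotomic(n))}   (degree {euler_phi(n)})")
    print("Phi_1 Phi_2 Phi_3 Phi_6 =", show(product_of_cyclotomics([1, 2, 3, 6])))
```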
This theorem implies that cyclotomic polynomials are irreducible over the field of rationals Q. As
we will see in Section 9, ring LWE is defined with respect to the quotient ring of polynomials Z[x] by
the ideal generated by a cyclotomic polynomial. Theorem 7.1.12, together with the First Isomorphism
Theorem (Theorem A.2.19), gives the following characterisation of these quotient rings.
Theorem 7.1.13. For all m ∈ N, we have
Z[x]/(Φ_m(x)) ≅ Z[ζ_m].
Galois theory associates to every polynomial a group, called the Galois group of the polynomial, that
holds useful algebraic information about the roots of the polynomial and can be used to answer important
questions about the polynomial. In this subsection, we use Galois theory to study the roots of
cyclotomic polynomials and the symmetric structure in their permutations, which will turn out to be useful
in the RLWE hardness proof. We start with a simple example to motivate the discussion.
Example 7.2.1. Consider a quadratic polynomial with roots r and s:
f(x) = x^2 + bx + c. (12)
The polynomial can be written in the alternative form (x − r)(x − s), which expands to
x^2 − (r + s)x + rs.
Equating coefficients with (12), we get
−b = r + s, (13)
c = rs. (14)
To express r and s in terms of b and c, we can first square (13) to obtain
b^2 = (r + s)^2 = r^2 + 2rs + s^2.
Subtracting 4c from both sides then yields
b^2 − 4c = r^2 − 2rs + s^2 = (r − s)^2.
Taking square roots, we now get
r − s = √(b^2 − 4c), (15)
s − r = −√(b^2 − 4c). (16)
Adding (13) to (15) and (16) now gives the familiar quadratic formula
r = (−b + √(b^2 − 4c))/2 and s = (−b − √(b^2 − 4c))/2.
Equations (13) and (14) and their equivalents for arbitrary higher-degree polynomials are called the
elementary symmetric polynomials (of the roots). For another example, a cubic polynomial x^3 + bx^2 +
cx + d with roots r, s, t has the following elementary symmetric polynomials:
−b = r + s + t,
c = rs + rt + st,
−d = rst.
The high-level steps outlined briefly in Example 7.2.1, codified properly in Galois theory, can be used
to answer the question of whether the roots of an arbitrary polynomial f can be expressed in terms of its
coefficients: start with the elementary symmetric polynomials of f and then systematically simplify the
formulas by breaking the symmetries in them. We are thus led to the following definition of the splitting
field of a polynomial, which contains the elementary symmetric polynomials and other polynomials of
(subsets of) the roots that can be obtained from them.
Definition 7.2.2 (Splitting field). Let f be a polynomial with rational coefficients. The splitting field K of f is the
smallest field that contains the roots of f. (K is called the splitting field because we can split f into
linear factors in K. Also, by the properties of a field, K can be understood as the set of multi-variate
polynomial expressions in the roots of f with rational coefficients.)
The symmetric polynomials in the splitting field for a polynomial f are exactly those that are invariant
under permutations of the roots of f, and these permutations can be obtained via automorphisms.
Definition 7.2.3 (Automorphism). An automorphism α of the splitting field K of a polynomial f is a bijection from K to
K such that
α(a + b) = α(a) + α(b),
α(ab) = α(a)α(b).
Note that for all a ∈ K that are rational numbers, α(a) = a by the properties of α. It then follows that
for all polynomials Q(r_1, ..., r_n) ∈ K, where each r_i is a root of f, we have
α(Q(r_1, ..., r_n)) = Q(α(r_1), ..., α(r_n)).
Now consider f(r_i), which is in K because it is a polynomial in a root of f. Since
f(α(r_i)) = α(f(r_i)) = α(0) = 0,
we can see that an automorphism always sends a root of f to another root of f; further, given that automorphisms
are bijections, each automorphism can be identified with a permutation of the roots of f.
A collection of permutations is a group if it is closed under composition of permutations. Since
automorphisms compose, the set of permutations of the roots of a polynomial f that correspond to
an automorphism is a group, called the Galois group of the polynomial f, or equivalently the Galois
group Gal(K(ζ)/K) of the field extension K(ζ)/K, where the cyclotomic extension K(ζ) is the
splitting field of f.
For most polynomials f, every permutation of the roots induces an automorphism, so the Galois
group of f is the set of all permutations of the roots. But for some polynomials, the Galois group is a
strict subset of the permutations of the roots because some permutations do not induce an automorphism.
This is the case for cyclotomic polynomials.
Let G be the Galois group of the n-th cyclotomic polynomial, where n is prime. The roots of the
polynomial are {ζ, ζ^2, ..., ζ^{n−1}}. Each α ∈ G maps ζ by α(ζ) = ζ^a for some a ∈ {1, ..., n − 1}.
Since
α(ζ^k) = α(ζ)^k = ζ^{ak},
the number a completely determines where all the other roots go. In general, the Galois group of
a polynomial can permute the roots arbitrarily, but the Galois group of a cyclotomic polynomial only
allows permutations of the form
Example 7.2.4. For n = 5, these are the only permutations induced by automorphisms:
(ζ^1, ζ^2, ζ^3, ζ^4) for a = 1,
(ζ^2, ζ^4, ζ^1, ζ^3) for a = 2,
(ζ^3, ζ^1, ζ^4, ζ^2) for a = 3,
(ζ^4, ζ^3, ζ^2, ζ^1) for a = 4.
The above chain of reasoning can be more formally stated in the following theorem, where (Z/nZ)^*
is the multiplicative group of integers modulo n.
Theorem 7.2.5 (Injective homomorphism). The mapping
ω : Gal(K(ζ_n)/K) → (Z/nZ)^*,
ω(σ) = a_σ mod n,
where a_σ is given by σ(ζ) = ζ^{a_σ} for all n-th roots of unity ζ, is an injective group homomorphism.
Proof. For any automorphisms σ, τ ∈ Gal(K(ζ_n)/K), a primitive root ζ_n ∈ μ_n satisfies στ(ζ_n) =
σ(ζ_n^{a_τ}) = ζ_n^{a_σ a_τ} by applying the automorphisms one after the other. In addition, the two automorphisms
give another automorphism in the Galois group by composition, so στ(ζ_n) = ζ_n^{a_{στ}}. Hence, we have
ζ_n^{a_σ a_τ} = ζ_n^{a_{στ}}. This implies a_σ a_τ = a_{στ} mod n, because ζ_n has order n. Therefore, we have ω(στ) =
a_{στ} = a_σ a_τ mod n = ω(σ)ω(τ), which entails that ω is a homomorphism. The injectivity is not difficult to
see either.
We know the group (Z/nZ)^* is abelian. The map ω embeds the Galois groups of cyclotomic
extensions into this abelian group, so the Galois group is also abelian. For a general base field K, the
group homomorphism need not be surjective. There are two special cases, K = Q and K = F_p for a
prime p, that are of most interest for building lattice cryptosystems. We will look at the property of the
map ω in each special case one by one.
Theorem 7.2.6 (Isomorphism when K = Q). The Galois group of the cyclotomic extension Q(ζ_n) is isomorphic to the multiplicative
group of integers modulo n. That is,
Gal(Q(ζ_n)/Q) ≅ (Z/nZ)^*.
Each automorphism σ ∈ Gal(Q(ζ_n)/Q) is mapped to the equivalence class [i] of an integer i ∈ (Z/nZ)^*
if and only if σ(ζ_n) = ζ_n^i.
The automorphisms in the Galois group are functions on the roots of unity. We can think of the
equivalence class [i] as a function too, given by [i] : ζ ↦ ζ^i for all roots ζ ∈ μ_n. The theorem says each
automorphism in the Galois group is uniquely mapped to an integer in the multiplicative group (or a
function). Theorem 7.2.6 is useful for proving the pseudorandomness of the ring LWE distribution, as
we will see in a later section.
Observe that the order of the Galois group is equal to the degree of the Galois extension over Q,
which is equal to the degree ϕ(n) of the n-th cyclotomic polynomial. The order of the multiplicative
group is equal to the number of integers in [0, n − 1] that are coprime with n. The two numbers are
obviously equal.
When K is a field with non-zero prime characteristic char(K) = p (e.g., K = Fp ), as is often
the case in cryptography, the homomorphism ω is not necessarily surjective. Theorem 7.2.7 caters for
this case. For our purpose, we are primarily interested in the cyclotomic polynomials Φd (x) where
gcd(d, p) = 1.
Theorem 7.2.7 (Image of Galois group when K = F_p). Let F_q be a finite field of prime power order q with gcd(q, n) = 1. The Galois group
of the cyclotomic extension F_q(ζ_n) of the finite field is mapped by the homomorphism ω to the cyclic group
⟨q mod n⟩ in (Z/nZ)^*. That is,
ω(Gal(F_q(ζ_n)/F_q)) = ⟨q mod n⟩ ⊆ (Z/nZ)^*.
In particular, the dimension of the cyclotomic extension is the order of q modulo n.
Theorem 7.2.8 (Power map). For a prime p and prime power q = p^n, the pth power map ω_p : x ↦ x^p on F_q
generates the Galois group Gal(F_q(ζ_n)/F_q).
Proof. (of Theorem 7.2.7 for the special case when q = p for a prime p) Theorem 7.2.8 implies that
the Galois group Gal(F_q(ζ_n)/F_q) is generated by the pth power map ω_p : x ↦ x^p for all x ∈ F_q(ζ_n).
In addition, by Theorem 7.2.5 the group homomorphism ω associates to ω_p a non-negative integer
a mod n such that ω_p(ζ) = ζ^a for all nth roots of unity ζ ∈ μ_n. This entails ζ^p = ζ^a, which is
true if a = p mod n. Hence, the homomorphism ω maps the pth power map ω_p in the Galois group
to p mod n in the group (Z/nZ)^*. Since Gal(F_q(ζ_n)/F_q) = ⟨ω_p⟩, its image is the cyclic group
⟨p mod n⟩ ⊆ (Z/nZ)^*.
The assumption char(F_q) = p implies the polynomial x^n − 1 is separable in F_q[x], so F_q(ζ_n) is
a Galois extension given that it is also the splitting field of x^n − 1. Hence, we have [F_q(ζ_n) : F_q] =
|Gal(F_q(ζ_n)/F_q)| = |⟨p mod n⟩|, which is the order of p modulo n.
Knowing cyclotomic polynomials are irreducible over Q, we would like to know whether they are
also irreducible in a finite field F_q of prime power order q. This brings out the following theorem and
corollary. Denote by Φ̄_n(x) the polynomial obtained by reducing the coefficients of Φ_n(x) modulo q.
Theorem 7.2.9 (Factor Φ_n(x) in F_q). Let q be a prime power and gcd(q, n) = 1. The monic irreducible factors of the polynomial
Φ̄_n(x) ∈ F_q[x] are distinct and each has a degree equal to the order of q modulo n.
Corollary 7.2.10. The polynomial Φ̄_n(x) is irreducible in F_q[x] if gcd(q, n) = 1 and ⟨q mod n⟩ =
(Z/nZ)^*. That is, q mod n is a generator of the group (Z/nZ)^*.
Example 7.2.11. For n = 5, the polynomial
Φ̄_5(x) = x^4 + x^3 + x^2 + x + 1
can be factored in F_11 as
(x − 3)(x − 4)(x − 5)(x − 9)
because the order of 11 modulo 5 is 1. Similarly, it can be factored in F_19 as
(x^2 + 5x + 1)(x^2 + 15x + 1)
because the order of 19 modulo 5 is 2. Finally, it stays irreducible in F_3 as
x^4 + x^3 + x^2 + x + 1
because the order of 3 modulo 5 is 4. The last case is an example of the corollary: 3 mod 5 generates the
group (Z/5Z)^*, i.e., ⟨3 mod 5⟩ = (Z/5Z)^*. More details on the derivation of these factorizations
can be found in Example 8.1.26.
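Theorem 7.2.9 and Example 7.2.11 carried out in code, as an added example that is not part of the tutorial: the order of q modulo n fixes the degree of every irreducible factor of Φ̄_5 over F_q, the orbits of k ↦ qk on the primitive exponents show which roots ζ^k fall into one factor, and trial division over all monic polynomials of that degree recovers the three factorizations on the page. `phi_prime` is the all-ones polynomial of Remark 7.1.9; everything else, names included, is constructed here.

```python
import itertools
from math import gcd
from typing import List, Tuple

Poly = List[int]   # coefficients mod q, lowest degree first


def trim(p: Poly) -> Poly:
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p


def mult_order(q: int, n: int) -> int:
    """Order of q modulo n, i.e. the size of the cyclic group <q mod n> in (Z/nZ)^*."""
    assert gcd(q, n) == 1
    m, acc = 1, q % n
    while acc != 1:
        acc = (acc * q) % n
        m += 1
    return m


def frobenius_orbits(n: int, q: int) -> List[List[int]]:
    """Orbits of k -> q*k mod n on the exponents of the primitive n-th roots of unity.
    Each orbit is one irreducible factor of Phi_n over F_q (its roots are zeta^k, k in the orbit)."""
    seen, orbits = set(), []
    for k in range(1, n):
        if gcd(k, n) != 1 or k in seen:
            continue
        orb, j = [], k
        while j not in seen:
            orb.append(j)
            seen.add(j)
            j = (j * q) % n
        orbits.append(orb)
    return orbits


def divmod_mod_q(num: Poly, den: Poly, q: int):
    """Long division in F_q[x] by a MONIC divisor."""
    num = [c % q for c in num]
    if len(num) < len(den):
        return [0], trim(num)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = num[i + len(den) - 1]
        quot[i] = coef
        for j, dj in enumerate(den):
            num[i + j] = (num[i + j] - coef * dj) % q
    return quot, trim(num)


def poly_mul_mod_q(a: Poly, b: Poly, q: int) -> Poly:
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def phi_prime(n: int) -> Poly:
    """Remark 7.1.9: for prime n, Phi_n(x) = x^{n-1} + ... + x + 1."""
    return [1] * n


def factor_cyclotomic_mod_q(phi: Poly, n: int, q: int) -> Tuple[int, List[Poly]]:
    """Theorem 7.2.9: every monic irreducible factor of Phi_n over F_q has degree m = ord(q mod n).
    Find them by trial division with all monic polynomials of degree m (fine for small q and m)."""
    m = mult_order(q, n)
    remaining = [c % q for c in phi]
    if len(remaining) - 1 == m:               # Corollary 7.2.10: q mod n generates, Phi_n irreducible
        return m, [remaining]
    factors = []
    for low in itertools.product(range(q), repeat=m):
        cand = list(low) + [1]                # monic candidate of degree m
        quot, rem = divmod_mod_q(remaining, cand, q)
        if rem == [0]:
            factors.append(cand)
            remaining = quot
            if len(remaining) == 1:
                break
    return m, factors


def roots_if_split(factors: List[Poly], q: int) -> List[int]:
    """When the factors are linear x + c, return the roots -c mod q."""
    return sorted((-f[0]) % q for f in factors if len(f) == 2)


if __name__ == "__main__":
    phi5 = phi_prime(5)
    for q in (11, 19, 3):                     # the three fields of Example 7.2.11
        m, fs = factor_cyclotomic_mod_q(phi5, 5, q)
        print(f"F_{q}: ord(q mod 5) = {m}, orbits {frobenius_orbits(5, q)}, factors {fs}")
```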
This section introduces some of the results in Algebraic Number Theory that will be needed in the
hardness proof of the ring LWE (RLWE) problem. In RLWE, proofs and computations are conducted
in number fields and rings of integers, which are generalizations of the rational field Q and integers
Z. However, unlike elements in Z that can be uniquely factorized, which is an essential property that
guarantees the validity of some hard computational problems such as integer factorization, elements of
rings of integers are not necessarily uniquely factorizable in general. Instead we need to work with sets
of elements that possess such unique factorization. As we will see in this section, the ideals of these
rings of integers are natural candidates for this purpose and we will state some useful properties of the
ideals. In particular, the connection with lattice theory comes from a natural mapping between these
ideals of a ring of integers to full-ranked lattices that we call ideal lattices.
Algebraic Number Theory is a deep and interesting area and we do not attempt to cover all important
results in this compact section. Instead, we cover only those mathematical results that are directly
relevant to the future sections. Additional results that may assist the reader to better understand the
main content are kept in the appendix. This section is organized as follows:
1. First, we familiarize the reader with algebraic number fields, their rings of integers and the ideals of
the ring of integers, including the generalized fractional ideals. The most important observation
is that a fractional ideal can be uniquely factorized into prime ideals. This plays a significant
part when employing the Chinese Remainder Theorem (CRT) for number fields.
2. Second, to build the geometric interpretation of these algebraic objects, we introduce the canonical
embedding, which maps fractional ideals to special lattices called ideal lattices. The embedding
allows us to talk about geometric quantities of algebraic objects and enables certain
features of ideal lattices that are convenient for the RLWE proofs and computations.
3. Finally, we go through dual lattices in number fields and relate them to fractional ideals.
It is worth noting that many of the concepts covered in this section are used primarily for the analysis
of the hardness results of the RLWE problem. As such, some readers may find it useful to first skim
this section quickly to identify key concepts, and only come back for details as they work through Section
9. The only computations that are explicitly needed in RLWE-based cryptosystems are Fast Fourier
Transform operations to transform polynomials between their natural and canonical embeddings.
We have seen the LWE problem, which was defined in the integer domain Z and proved to be hard by
reductions from hard lattice problems in R^n. The drawback of LWE is the large public key,
which is a matrix of m independent column vectors of length n. The RLWE problem (as will be introduced
in Section 9) is defined in a more general domain, called the ring of integers. It greatly reduces the
public key size by defining the problem in a domain with additional algebraic structure.
Recall that an algebraic number (integer) is a complex number that is a root of a non-zero polynomial
with rational (integer) coefficients. For example, √(1/2) and √2 are roots of the polynomials x^2 − 1/2
and x^2 − 2 respectively, so the former is an algebraic number and the latter is an algebraic integer.
Algebraic numbers and algebraic integers generalize rational numbers and rational integers by forming
the notions of number field and ring of integers, just like the rational field Q and the integer ring Z.
Definition 8.1.1 (Number field). An algebraic number field (or simply number field) is a finite extension of the field of
rationals by algebraic numbers, i.e., Q(r_1, ..., r_n), where r_1, ..., r_n are algebraic numbers.
In the special case when the element ζ_n adjoined to Q is an nth root of unity, which is also an algebraic
number, the number field Q(ζ_n) is also known as the nth cyclotomic (number) field. This is the
working domain for reducing the RLWE search problem to the decision problem. In a number field K, the set of
all algebraic integers forms a ring under the usual addition and multiplication operations in K. This
ring is the generalization of the ring of rational integers.
Definition 8.1.2 (Ring of integers). The ring of integers of an algebraic number field K, denoted by O_K, is the set of all
algebraic integers that lie in the field K.
Some examples of a number field and its ring of integers are the basic Q and Z, the quadratic
field Q(√2) and Z[√2], and the nth cyclotomic field Q(ζ_n) and Z[ζ_n]. In general, determining the ring of
integers is a difficult problem, except for special cases; see Theorem C.1.6 in Appendix C.
Since Z is contained in O_K, it is easy to see O_K is also a Z-module. In addition, O_K is a free
Z-module, as there always exists a Z-basis B = {b_1, ..., b_n} ⊆ O_K such that every element r ∈ O_K
can be written as r = Σ_{i=1}^n a_i b_i, where a_i ∈ Z. The basis B is called an integral basis of the number
field K and its ring of integers O_K. If the basis can be written as {1, r, ..., r^{n−1}}, the powers of an
element r ∈ K, then it is called a power basis. A field K always has a power basis by the Primitive
Element Theorem (Appendix C, Theorem C.1.2). If K = Q(ζ_m) is a cyclotomic field, the power basis
{1, ζ_m, ..., ζ_m^{ϕ(m)−1}} is also an integral basis of O_K.
As O_K is commutative, we do not differentiate left and right ideals. The definition intentionally
excludes the zero ideal {0} in order to simplify the work of defining ideal division later. Since O_K has
a Z-basis, each of its ideals has a Z-basis too, which entails the ideal is a free Z-module too. As we will
see later, this basis will be mapped to a basis of an ideal lattice by canonical embeddings.
Recall that if I and J are ideals then the set sum I + J = {x + y | x ∈ I, y ∈ J} is also an ideal.
The set product S = {xy | x ∈ I, y ∈ J}, however, may not be an ideal because it is not necessarily
closed under addition. For this reason, the product of two ideals I and J is defined as the set of all
finite sums of products of two ideal elements (the ideal product):
IJ := {Σ_{i=1}^n a_i b_i | a_i ∈ I and b_i ∈ J, n ∈ N}.
By grouping all finite sums of products, the set is closed under addition. Furthermore, it is closed under
multiplication by O_K, so the product defined above is also an ideal. Since O_K is commutative,
ideal multiplication is commutative too.
Example 8.1.4. Given the ring of integers O_K = Z and two ideals I = 2Z = {2, 4, 6, 8, ...} and
J = 3Z = {3, 6, 9, 12, ...}, their product is IJ = {2 · 3, 2 · 6, 2 · 3 + 2 · 6, ...}.
Since the zero ideal is excluded from the ideal definition, it is convenient to define ideal division.
The intuition is the same as non-zero integer division.
Definition 8.1.5 (Ideal division). Let I and J be two ideals of O_K. We say J divides I, denoted J | I, if there is another
ideal M ⊆ O_K such that I = JM.
The following theorem gives a more intuitive way of thinking about ideal division by relating division
with containment.
Theorem 8.1.6. Let I and J be two ideals of O_K. Then J | I if and only if I ⊆ J.
By this lemma and Theorem 8.1.6, we can define a prime ideal in analogy to a prime number.
Definition 8.1.8 (Prime ideal). A proper ideal I ⊊ O_K is prime if whenever I | JK, either I | J or I | K.
Principal ideals and maximal ideals are defined in the same way as in general rings. An important
observation is that in O_K, prime ideals are also maximal.
Lemma 8.1.9. All prime ideals in O_K are maximal.
The proof relies on the results that the quotient of a commutative ring by a prime ideal gives an
integral domain, and the quotient by a maximal ideal gives a field. See Lemma C.2.8 in Appendix C.
The importance of this lemma is that when working in O_K/I, the quotient ring by a prime ideal I is a
field, as implied by Proposition A.2.17 in Appendix A.
The most important result of this subsection, which is also one of the main theorems in Algebraic
Number Theory, is that ideals of O_K can be uniquely factorized into prime ideals. Alternatively, we say
the ideals of O_K form a unique factorization domain.
Definition 8.1.10. An integral domain D is a unique factorization domain (UFD) if every non-zero
non-unit element x ∈ D can be written as a product
x = p1 · · · pn
of finitely many irreducible elements pi ∈ D uniquely up to reordering of the irreducible elements.
We know Z is a UFD, because every integer can be uniquely factored into a product of prime numbers.
But the extension Z[√−5] is not a UFD, because not every element has a unique factorization; for
example 6 = 2 · 3 = (1 + √−5)(1 − √−5), which can be factored in two ways. To avoid such issues,
we do not work with the individual elements in O_K, but study the ideals of O_K, which do form a UFD
because O_K is a Dedekind domain. (See Appendix C for more detail about Dedekind domains.)
Theorem 8.1.11 (UFD). For an algebraic number field K, every proper ideal I of O_K admits a unique factorization
I = q_1 ··· q_k (17)
into prime ideals q_i of O_K.
Example 8.1.12. When working in the 5th cyclotomic field K = F_11(ζ_5) and O_K = Z_11[ζ_5], the ideal
I = (11) of O_K can be uniquely factorized into the product of these four prime ideals:
(11) = (11, ζ_5 − 3)(11, ζ_5 − 9)(11, ζ_5 − 5)(11, ζ_5 − 4).
The detailed derivation is given in Example 8.1.26.
The usefulness of UFD in our context is that it gives a unique isomorphism between a quotient ring
OK /I and its Chinese Remainder Theorem (CRT) representation. To generalize CRT to the ring of
integers OK , we first define coprime ideals in OK . Since ideals in OK can be uniquely factorized, it
makes sense to talk about coprimality. The standard definition is similar to coprime integers, which do
not share a common divisor.
Definition 8.1.13. Let I and J be integral ideals of OK. Their greatest common divisor (GCD) is gcd(I, J) = I + J.
Definition 8.1.14. Two ideals I and J in OK are coprime if I + J = OK.
In other words, two integral ideals are coprime if their sum is the entire ring of integers. For example,
the integral ideals (2) and (3) in Z are coprime because (2) + (3) = (1) = Z. But the integral ideals
(2) and (4) are not coprime because (2) + (4) = (2) ≠ Z.
Theorem 8.1.15. Let $I_1, \ldots, I_k$ be pairwise coprime ideals in a ring of integers OK and $I = \prod_{i=1}^{k} I_i$. Then the map
$$\mathcal{O}_K \to \mathcal{O}_K/I_1 \times \cdots \times \mathcal{O}_K/I_k$$
induces an isomorphism
$$\mathcal{O}_K/I \cong \mathcal{O}_K/I_1 \times \cdots \times \mathcal{O}_K/I_k.$$
The core element of the proof of CRT in OK is to show that the kernel of the map is $I_1 \cap \cdots \cap I_k$, which is identical to $\prod_{i=1}^{k} I_i$ under the assumption that the ideals are pairwise coprime. The result then follows from the First Isomorphism Theorem.
Given an integral ideal J ⊆ OK and an invertible element x ∈ K, the corresponding fractional ideal I can be expressed as
$$I = x^{-1} J := \{x^{-1} a \mid a \in J\} \subseteq K.$$
From this expression, it is clearer that the non-zero element d ∈ K in the above definitions is for cancelling the denominator x of elements in the fractional ideal. When x = 1, the integral ideals of OK, including OK itself, are all fractional ideals. This is also why fractional ideals are generalizations of them. Since an integral ideal is a free Z-module and a fractional ideal is related to an integral ideal by an invertible element, it follows that a fractional ideal is a free Z-module too, with a Z-basis.
It can be seen that a fractional ideal is closed under addition and under multiplication by the elements in OK, but it is NOT an ideal of OK, because it is not necessarily a subset of OK. Nor is it an ideal of the number field K, because a field has only zero and itself as ideals.
Example 8.1.17. Let K = Q and OK = Z. Given the integral ideal 5Z and x = 4 ∈ Q, whose inverse is $\frac{1}{4}$, the corresponding fractional ideal in Q is $\frac{5}{4}\mathbb{Z}$.
The product of two fractional ideals can be defined analogously to the product of two integral ideals. That is, for fractional ideals I and J,
$$IJ := \left\{ \sum_{i=1}^{n} a_i b_i \;\middle|\; a_i \in I \text{ and } b_i \in J,\ n \in \mathbb{N} \right\}.$$
It is also easy to check that the product of two fractional ideals is still a fractional ideal.
The fractional ideals in a number field K form a multiplicative group. To see this, we have demon-
strated that they are closed under multiplication and the unit ideal (1) = OK is the multiplicative
identity in the group. It remains to show that every fractional ideal has an inverse in the group. This is
done via the following two lemmas. The first lemma states that every prime ideal of OK has an inverse.
The second lemma states that every non-zero integral ideal of OK has an inverse, which uses the result
of the first lemma and the fact that every prime ideal in OK is also maximal. See Appendix C for the
proofs of these two lemmas.
Lemma 8.1.18. If P is a prime ideal in OK, then P has an inverse $P^{-1} = \{a \in K \mid aP \subseteq \mathcal{O}_K\}$ that is a fractional ideal.
Lemma 8.1.19. Every non-zero integral ideal of OK has an inverse.
The two lemmas combined prove that a fractional ideal has an inverse. For more detail of the proof, see Theorem 3.1.8 of Stein (2012). To be more precise, the inverse of a fractional ideal I has the form
$$I^{-1} = \{x \in K \mid xI \subseteq \mathcal{O}_K\}. \tag{19}$$
In the special case when the product of two fractional ideals is a principal fractional ideal IJ = (x), the inverse has the form $I^{-1} = \frac{1}{x} J$.
Theorem 8.1.20. The set of fractional ideals in a number field K is an abelian group under multiplication with the identity element OK.
A key result of this subsection is that a fractional ideal can also be uniquely factorized into a product
of prime ideals.
Theorem 8.1.21. Let K be a number field. If I is a fractional ideal in K, then there exist prime ideals $\mathfrak{p}_1, \ldots, \mathfrak{p}_n$ and $\mathfrak{q}_1, \ldots, \mathfrak{q}_m$ in OK, unique up to ordering, such that
$$I = (\mathfrak{p}_1 \cdots \mathfrak{p}_n)(\mathfrak{q}_1 \cdots \mathfrak{q}_m)^{-1}.$$
The theorem follows from the fact that a fractional ideal has the form $I = \frac{1}{a} J$, where J is an integral ideal and a ∈ OK. Since both J and (a) are integral ideals of OK, Theorem 8.1.11 implies they have unique prime ideal factorizations.
We state here two technical lemmas that will be needed in the RLWE result. The first lemma shows
that given two ideals I, J ⊆ R of a Dedekind domain R (e.g., a ring of integers OK of a number field K
is a Dedekind domain), it is possible to construct another ideal that is coprime with either one of them.
Lemma 8.1.24 (Lemma 5.2.2 (Stein, 2012), Lemma 2.1.4 (Lyubashevsky et al., 2010)). If I and J are non-zero integral ideals of a Dedekind domain R, then there exists an element t ∈ I such that $(t)I^{-1} \subseteq R$ is an integral ideal coprime to J.
Proof. Let $\mathfrak{p}_1, \ldots, \mathfrak{p}_r$ be the prime factors of the ideal J. We create an ideal coprime to J as follows. Let $e_i$ be the largest power of $\mathfrak{p}_i$ such that $\mathfrak{p}_i^{e_i} \mid I$, for all i ∈ [1, r]. As $\mathfrak{p}_i$ is a prime ideal, $\mathfrak{p}_i^{e_i+1} \subsetneq \mathfrak{p}_i^{e_i}$, so there exists an element $t_i \in \mathfrak{p}_i^{e_i}$ that is not in $\mathfrak{p}_i^{e_i+1}$. By construction, we know the ideals $\mathfrak{p}_1^{e_1+1}, \ldots, \mathfrak{p}_r^{e_r+1}, I/\prod_{i=1}^{r} \mathfrak{p}_i^{e_i}$ are pairwise coprime, so by the Chinese Remainder Theorem there is an element t ∈ R such that $t \equiv t_i \bmod \mathfrak{p}_i^{e_i+1}$ for all i and $t \equiv 0 \bmod I/\prod_{i=1}^{r} \mathfrak{p}_i^{e_i}$. Since $t_i \in \mathfrak{p}_i^{e_i}$, it entails $t \equiv 0 \bmod \mathfrak{p}_i^{e_i}$ for all i ∈ [1, r], so t ∈ I as in the lemma.
To prove $(t)I^{-1}$ is coprime to J, it suffices to show that none of J's prime divisors can divide it. Suppose $\mathfrak{p}_i \mid (t)I^{-1}$; then $\mathfrak{p}_i I \mid (t)$. The assumption $\mathfrak{p}_i^{e_i} \mid I$ implies that $\mathfrak{p}_i^{e_i+1} \mid (t)$, so $(t) \subseteq \mathfrak{p}_i^{e_i+1}$. This contradicts the above that $t \equiv t_i \bmod \mathfrak{p}_i^{e_i+1}$ with $t_i \notin \mathfrak{p}_i^{e_i+1}$. So the two are coprime.
The element t ∈ I can be efficiently computed using CRT in OK. Hence, given two ideals in R, we can efficiently construct another one that is coprime to either of them. The next lemma is essential in the reduction from the K-BDD problem to RLWE.
Lemma 8.1.25 (Lemma 5.2.4 (Stein, 2012), Lemma 2.1.5 (Lyubashevsky et al., 2010)). Let I and J be ideals in a Dedekind domain R and M be a fractional ideal in the number field K. Then there is an isomorphism
$$M/JM \cong IM/IJM.$$
Proof. Given ideals I, J ⊆ R, by Lemma 8.1.24 we have that $(t)I^{-1} \subseteq R$ is coprime to J for an element t ∈ I. Then we can define a map
$$\theta_t : K \to K, \qquad u \mapsto tu.$$
In the hardness proof of RLWE, as will be shown in Section 9, we can use Lemma 8.1.25 to show that for $R = \mathbb{Z}[x]/(\Phi_m(x))$, an ideal I and a prime integer q,
$$R/(q)R \cong I/(q)I, \qquad I^\vee/(q)I^\vee \cong R^\vee/(q)R^\vee,$$
where $R^\vee$ denotes the dual of R that we will define later in Section 8.3.
We end this subsection by looking at the (unique) factorisation of the ideal (q) in the ring of integers $R_q = \mathbb{Z}_q[x]/(\Phi_m(x))$. Since q is prime,[8] the principal ideal generated by it can be split into prime ideals $\mathfrak{q}_i$ as follows:
$$(q) = \prod_{i=1}^{n/(ef)} \mathfrak{q}_i^{\,e} = \prod_{i=1}^{n/(ef)} (q, F_i(\zeta_m))^{e},$$
where n = ϕ(m), e = ϕ(q') is the Euler totient function of q', the largest power of q that divides m, f is the multiplicative order of q modulo m/q', i.e., $q^f \equiv 1 \bmod (m/q')$, and each $\mathfrak{q}_i$ is generated by two elements, the prime number q and the monic irreducible factor $F_i(x)$ of the cyclotomic polynomial $\Phi_m(x) = \prod_i (F_i(x))^{e}$ when splitting over $\mathbb{Z}_q[x]$ (see Theorem 7.2.9). For details, see Chapter 4 of Stein (2012).
Example 8.1.26. For m = 5, the 5th cyclotomic polynomial is
$$\Phi_5(x) = x^4 + x^3 + x^2 + x + 1,$$
so n = 4 and K = Q(ζ5) is the 4-dimensional cyclotomic field. Let q = 19; then $q' = 19^0 = 1$ is the largest power of q that divides 5. So e = ϕ(1) = 1 and the multiplicative order of 19 mod (5/1) is f = 2. Assuming we are given how the cyclotomic polynomial splits in $\mathbb{Z}_{19}[x]$, i.e.,
$$\Phi_5(x) = x^4 + x^3 + x^2 + x + 1 = (x^2 + 5x + 1)(x^2 + 15x + 1),$$
then we can split the ideal into prime ideals in the ring of integers R = Z[ζ5] as
$$(q) = \mathfrak{q}_1 \mathfrak{q}_2 \implies (19) = (19, \zeta_5^2 + 5\zeta_5 + 1)(19, \zeta_5^2 + 15\zeta_5 + 1).$$
[8] Note this also works if $q = p^k$ is a prime power coprime with m.
Note the index i is not any integer between 1 and m, but those coprime with m. So for the above example, when $q = 11 \equiv 1 \bmod 5$, the polynomial splits in $\mathbb{Z}_{11}[x]$ as
$$\Phi_5(x) = (x - 3)(x - 9)(x - 5)(x - 4),$$
where each of 3, 9, 5, 4 is a primitive 5th root of unity in $\mathbb{Z}_{11}$, generated by the 1st, 2nd, 3rd and 4th power of 3 mod 11. So the ideal splits as
$$(q) = \mathfrak{q}_1 \mathfrak{q}_2 \mathfrak{q}_3 \mathfrak{q}_4 \implies (11) = (11, \zeta_5 - 3)(11, \zeta_5 - 9)(11, \zeta_5 - 5)(11, \zeta_5 - 4).$$
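The splitting of (q) in Z[ζ_m] and the CRT isomorphism of Theorem 8.1.15, worked through for Example 8.1.26 as an added example (not the tutorial's own code): it computes the parameters (e, f, n/(ef)) from the formula above, multiplies the given factors of Φ_5 back together modulo 19 and 11, finds the primitive 5th roots of unity modulo 11, and checks that multiplication in Z_11[x]/(Φ_5) is component-wise in the CRT image. Φ_m is only constructed here for prime m, an assumption of this example, and polynomials are coefficient lists with the constant term first.

```python
from math import gcd
from typing import List, Tuple

# Added example, not from the tutorial.  Splitting of (q) in Z[zeta_m] for a
# prime m, following the formula (q) = prod q_i^e with g = n/(ef) prime ideals,
# plus the CRT picture R_q = prod Z_q[x]/(q, x - r_i) when q = 1 (mod m).


def euler_phi(k: int) -> int:
    return sum(1 for a in range(1, k + 1) if gcd(a, k) == 1)


def mult_order(a: int, modulus: int) -> int:
    """Smallest f >= 1 with a^f = 1 (mod modulus); needs gcd(a, modulus) = 1."""
    if modulus == 1:
        return 1
    f, x = 1, a % modulus
    while x != 1:
        x = (x * a) % modulus
        f += 1
    return f


def splitting_parameters(m: int, q: int) -> Tuple[int, int, int]:
    """(e, f, g): (q) = q_1^e ... q_g^e with g = n/(ef), n = phi(m), where
    q' is the largest power of q dividing m, e = phi(q') and f is the
    multiplicative order of q modulo m/q'."""
    n = euler_phi(m)
    q_prime = 1
    while m % (q_prime * q) == 0:
        q_prime *= q
    e = euler_phi(q_prime)
    f = mult_order(q, m // q_prime)
    return e, f, n // (e * f)


def phi_prime(p: int) -> List[int]:
    """Phi_p(x) = 1 + x + ... + x^(p-1) for a prime p (constructed helper)."""
    return [1] * p


def poly_mul_mod(a: List[int], b: List[int], q: int) -> List[int]:
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def poly_rem(a: List[int], modulus: List[int], q: int) -> List[int]:
    """Remainder of a modulo a monic polynomial, coefficients in Z_q."""
    r = [c % q for c in a]
    d = len(modulus) - 1
    for i in range(len(r) - 1, d - 1, -1):
        coef = r[i]
        if coef:
            for j in range(d + 1):
                r[i - d + j] = (r[i - d + j] - coef * modulus[j]) % q
    return (r + [0] * d)[:d]


def poly_eval(a: List[int], x: int, q: int) -> int:
    acc = 0
    for c in reversed(a):
        acc = (acc * x + c) % q
    return acc


def is_phi_factorisation(factors: List[List[int]], p: int, q: int) -> bool:
    """True if the product of the given factors equals Phi_p in Z_q[x]."""
    prod = [1]
    for fac in factors:
        prod = poly_mul_mod(prod, fac, q)
    return prod == [c % q for c in phi_prime(p)]


def primitive_roots_mod(m: int, q: int) -> List[int]:
    """Roots of Phi_m in Z_q: the elements of multiplicative order exactly m.
    Non-empty exactly when q = 1 (mod m), i.e. when (q) splits completely."""
    return [r for r in range(1, q) if mult_order(r, q) == m]


def crt_image(a: List[int], p: int, q: int) -> List[int]:
    """Image of a in prod_i Z_q[x]/(q, x - r_i) = Z_q^g (Theorem 8.1.15):
    reducing modulo the prime ideal (q, x - r_i) is evaluation at r_i."""
    return [poly_eval(a, r, q) for r in primitive_roots_mod(p, q)]


def crt_respects_product(a: List[int], b: List[int], p: int, q: int) -> bool:
    """Multiplication in Z_q[x]/(Phi_p) is component-wise in the CRT image."""
    ab = poly_rem(poly_mul_mod(a, b, q), phi_prime(p), q)
    lhs = crt_image(ab, p, q)
    rhs = [(x * y) % q for x, y in zip(crt_image(a, p, q), crt_image(b, p, q))]
    return lhs == rhs
```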
Similar to LWE, the RLWE problem’s hardness is also based on hard lattice problems, except these
are special lattices called ideal lattices. In this subsection, we will study how algebraic objects such
as ring of integers and its ideals are mapped to full-ranked lattices via embeddings. The embedding
we will build is from a number field K to the n-dimensional Euclidean space Rn or a space H that is
isomorphic to Rn. As OK and its ideals are additive groups, our embedding must preserve the additive group structure of these objects.
As a degree n polynomial can be uniquely identified by its coefficients, our naive choice of embedding is to send a polynomial $f = a_0 + a_1 x + \cdots + a_{n-1} x^{n-1}$ to its coefficient vector $(a_0, a_1, \ldots, a_{n-1}) \in \mathbb{R}^n$. This coefficient embedding is clearly an additive ring homomorphism and
hence satisfies our basic requirements. Furthermore, it is related by a linear transformation to the canon-
ical embedding that will be introduced next. However, the RLWE’s proof and computations do not use
the coefficient embedding. We list some reasons here and leave the details to Section 9.
• Firstly, when working with cyclotomic fields, the canonical embedding makes both polynomial
addition and multiplication efficient component-wise operations (under the point-value repre-
sentation). These operations have simple geometric interpretations that lead to tight bounds.
• Secondly, in the coefficient embedding, specifying the error distribution in RLWE, which is
an n-dimensional Gaussian, requires an n-by-n covariance matrix in general. With the canon-
ical embedding, the error distribution in RLWE takes the simple form of a product of one-
dimensional Gaussians. This dramatically decreases the number of parameters that need to be
taken care of when working with RLWE.
• Finally, the canonical embedding makes the Galois automorphisms simply permutations of
the embedded vector components. This is important for the reduction from decision to search
RLWE, and is not possible with the coefficient embedding.
conjugate pairs. Let $s_1$ be the number of real embeddings and $s_2$ be the number of conjugate pairs of complex embeddings; then the total number of embeddings is $n = s_1 + 2s_2$. Let $\{\sigma_i\}_{i=1}^{s_1}$ be the real and $\{\sigma_j\}_{j=s_1+1}^{n}$ be the complex embeddings, where $\sigma_{s_1+j} = \overline{\sigma_{s_1+s_2+j}}$ are in the same conjugate pair for each $j \in [1, \ldots, s_2]$; then we have the following definition of a canonical embedding.
Definition 8.2.1. A canonical embedding σ of an n-dimensional number field K is defined as
$$\sigma : K \to \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} \subseteq \mathbb{C}^{s_1} \times \mathbb{C}^{2s_2} \cong \mathbb{C}^n,$$
$$r \mapsto (\sigma_1(r), \ldots, \sigma_{s_1}(r), \sigma_{s_1+1}(r), \ldots, \sigma_{s_1+2s_2}(r)). \tag{20}$$
By this definition, the canonical embedding maps a number field to an n-dimensional space, named the canonical space, which is expressed as
$$H = \left\{(x_1, \ldots, x_n) \in \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} \;\middle|\; x_{s_1+j} = \overline{x_{s_1+s_2+j}} \text{ for all } j \in [s_2]\right\}.$$
Intuitively, one can think of the canonical embedding as sending each element r ∈ K (i.e., a polynomial) to a coordinate (i.e., a length n vector) in the canonical space, whose components are the values of r at the roots of f.
The canonical space H can be shown to be isomorphic to $\mathbb{R}^n$ by establishing a one-to-one correspondence between the standard basis of $\mathbb{R}^n$ and a basis of H given by the row vectors of the following matrix[9]
$$B = \begin{pmatrix} I_{s_1 \times s_1} & 0 & 0 \\ 0 & I_{s_2 \times s_2} & i\, I_{s_2 \times s_2} \\ 0 & I_{s_2 \times s_2} & -i\, I_{s_2 \times s_2} \end{pmatrix}. \tag{21}$$
Here are some examples to illustrate canonical embedding, canonical space and its basis.
Example 8.2.2. When $K = \mathbb{Q}(\sqrt{2})$ is a quadratic field, the minimal polynomial of $\sqrt{2}$ is $x^2 - 2$, which has two roots $\pm\sqrt{2}$. The canonical embedding consists of two real embeddings only and is defined as
$$\sigma(\sqrt{2}) = (\sqrt{2}, -\sqrt{2}).$$
The basis of the canonical space H is
$$B = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}.$$
Given the integral basis $\{1, \sqrt{2}\}$ of K, the basis vectors are mapped to the canonical space H and can be written in terms of the basis of H as real vectors
$$\tau(1) = (1, 1), \qquad \tau(\sqrt{2}) = (\sqrt{2}, -\sqrt{2}),$$
which form a Z-basis of the image $\sigma(\mathcal{O}_K)$, that is, $\sigma(\mathcal{O}_K) = \{a(1, 1) + b(\sqrt{2}, -\sqrt{2}) \mid a, b \in \mathbb{Z}\}$.
Example 8.2.3. When $K = \mathbb{Q}(\zeta_8)$ is the 8th cyclotomic field, the 8th primitive root of unity is $\zeta_8 = \frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}$ and its minimal polynomial is the 8th cyclotomic polynomial $\Phi_8(x) = x^4 + 1$. The roots of $\Phi_8(x)$ are
$$\zeta_8 = \frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}, \quad \zeta_8^3 = -\frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}, \quad \zeta_8^5 = -\frac{\sqrt{2}}{2} - i\frac{\sqrt{2}}{2}, \quad \zeta_8^7 = \frac{\sqrt{2}}{2} - i\frac{\sqrt{2}}{2}.$$
[9] Note in Lyubashevsky et al. (2010), the row vectors are multiplied by $\frac{1}{\sqrt{2}}$ to make them an orthonormal basis, so B is a unitary matrix (i.e., $BB^* = I$, where $B^*$ is B's conjugate transpose).
The canonical embedding consists of exactly four complex embeddings, i.e., $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4)$,
$$\sigma_1\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = \tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}, \qquad \sigma_2\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = -\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2},$$
$$\sigma_3\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = \tfrac{\sqrt{2}}{2} - i\tfrac{\sqrt{2}}{2}, \qquad \sigma_4\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = -\tfrac{\sqrt{2}}{2} - i\tfrac{\sqrt{2}}{2},$$
where $\sigma_1 = \overline{\sigma_3}$ and $\sigma_2 = \overline{\sigma_4}$ are in conjugate pairs. The basis of the canonical space H is
$$B = \begin{pmatrix} 1 & 0 & i & 0 \\ 0 & 1 & 0 & i \\ 1 & 0 & -i & 0 \\ 0 & 1 & 0 & -i \end{pmatrix}.$$
By Equation 21, the canonical embedding of the primitive element $\zeta_8$ can be written in terms of this basis as the real vector
$$\tau\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = (\mathrm{Re}(\sigma_1), \mathrm{Re}(\sigma_2), \mathrm{Im}(\sigma_1), \mathrm{Im}(\sigma_2)) = \left(\tfrac{\sqrt{2}}{2}, -\tfrac{\sqrt{2}}{2}, \tfrac{\sqrt{2}}{2}, \tfrac{\sqrt{2}}{2}\right).$$
By multiplying each row of B with this vector, we get back the canonical embedding $\sigma = (\sigma_1, \sigma_2, \sigma_3, \sigma_4)$.
The canonical embedding allows us to talk about the geometric norm of an algebraic element x ∈ K. More precisely, we can define the $L_p$-norm of x by looking at the $L_p$-norm of its image σ(x) embedded into the real space $\mathbb{R}^n$:
$$\|x\|_p = \|\sigma(x)\|_p = \begin{cases} \left(\sum_{i \in [n]} |\sigma_i(x)|^p\right)^{1/p} & \text{if } p < \infty, \\ \max_{i \in [n]} |\sigma_i(x)| & \text{if } p = \infty. \end{cases} \tag{22}$$
In the next example, we illustrate the Lp -norm of a root of unity in a cyclotomic field.
Example 8.2.4. Let $K = \mathbb{Q}(\zeta_n)$ be the nth cyclotomic field and σ : K → H be its canonical embedding. The cyclotomic polynomial $\Phi_n(x)$ is the minimal polynomial of $\zeta_n$ and it has only complex roots for n ≥ 3, as the two real roots are non-primitive. Since the Galois group $\mathrm{Gal}(K/\mathbb{Q}) \cong (\mathbb{Z}/n\mathbb{Z})^*$ is isomorphic to the multiplicative group (Theorem 7.2.6), the complex embeddings are given by $\sigma_i(\zeta_n) = \zeta_n^i$ for $i \in (\mathbb{Z}/n\mathbb{Z})^*$ and $n = 2s_2 = |(\mathbb{Z}/n\mathbb{Z})^*|$. Since the primitive roots of unity are closed under $\sigma_i$, the magnitude $|\sigma_i(\zeta_n^j)| = 1$. So the $L_p$-norm of an nth root of unity is $\|\zeta_n^j\|_p = n^{1/p}$ for p < ∞ and $\|\zeta_n^j\|_\infty = 1$.
We have shown that the canonical embedding σ sends a number field to a space isomorphic to Rn .
When restricted to the ring of integers OK that is closed under addition, we would like to see what σ
does to preserve the discreteness and the additive group structure of OK . The following theorem states
that the canonical embedding maps OK to a full-rank lattice.
Theorem 8.2.5. Let K be an n-dimensional number field; then $\sigma(\mathcal{O}_K)$ is a full-rank lattice in $\mathbb{R}^n$.
Proof. Let $\{e_1, \ldots, e_n\}$ be an integral basis of OK; then every element x ∈ OK can be written as $x = \sum_{i=1}^{n} z_i e_i$, where $z_i \in \mathbb{Z}$. The embedding of x can then be written as $\sigma(x) = \sum_{i=1}^{n} z_i \sigma(e_i)$, where the coefficients are fixed because σ fixes Q. Hence, σ(OK) is also a Z-module generated by $\{\sigma(e_1), \ldots, \sigma(e_n)\}$.
By definition, a lattice is a free Z-module. If we can show $\{\sigma(e_1), \ldots, \sigma(e_n)\}$ is a basis of σ(OK), then σ(OK) is a free Z-module. To do so, write each $\sigma(e_i)$ in terms of the canonical space basis according to Equation 21 as a real vector, so we have the following basis matrix for σ(OK):
$$N^T = \begin{pmatrix} \sigma_1(e_1) & \cdots & \sigma_{s_1}(e_1) & \mathrm{Re}(\sigma_{s_1+1}(e_1)) & \cdots & \mathrm{Re}(\sigma_{s_1+s_2}(e_1)) & \mathrm{Im}(\sigma_{s_1+1}(e_1)) & \cdots & \mathrm{Im}(\sigma_{s_1+s_2}(e_1)) \\ \vdots & & \vdots & \vdots & & \vdots & \vdots & & \vdots \\ \sigma_1(e_n) & \cdots & \sigma_{s_1}(e_n) & \mathrm{Re}(\sigma_{s_1+1}(e_n)) & \cdots & \mathrm{Re}(\sigma_{s_1+s_2}(e_n)) & \mathrm{Im}(\sigma_{s_1+1}(e_n)) & \cdots & \mathrm{Im}(\sigma_{s_1+s_2}(e_n)) \end{pmatrix}.$$
Then show that the matrix has a non-zero determinant, and consequently the rows are independent. By Equation 20 of the canonical embedding, we can write the images of the integral basis $\{e_1, \ldots, e_n\}$ under the canonical embedding as the matrix
$$M^T = \begin{pmatrix} \sigma_1(e_1) & \cdots & \sigma_{s_1}(e_1) & \sigma_{s_1+1}(e_1) & \overline{\sigma_{s_1+1}(e_1)} & \cdots & \sigma_{s_1+s_2}(e_1) & \overline{\sigma_{s_1+s_2}(e_1)} \\ \vdots & & \vdots & \vdots & \vdots & & \vdots & \vdots \\ \sigma_1(e_n) & \cdots & \sigma_{s_1}(e_n) & \sigma_{s_1+1}(e_n) & \overline{\sigma_{s_1+1}(e_n)} & \cdots & \sigma_{s_1+s_2}(e_n) & \overline{\sigma_{s_1+s_2}(e_n)} \end{pmatrix}.$$
The two matrices are of the same dimension and their determinants are related by
$$\det N = \frac{1}{2^{s_2}} \det M, \tag{23}$$
so it remains to show $\det M \neq 0$. If a rational matrix A changes a basis of K to another basis by
$$e'_j = \sum_k A_{kj} e_k,$$
then the above matrix M is also changed to a new matrix $M' = MA$. We know K always has a power basis $\{1, r, \ldots, r^{n-1}\}$ (Theorem C.1.2), and the matrix $M^T$ in terms of the power basis is a Vandermonde matrix with a non-zero determinant, as the powers of r are all distinct. Then we can conclude that the above matrix M has non-zero determinant and so does the matrix N.
An important corollary of Theorem 8.2.5 is that every fractional ideal of K is also mapped to a full-rank lattice.
Corollary 8.2.6. If I is a fractional ideal in an n-dimensional number field K, then σ(I) is a full-rank lattice in $\mathbb{R}^n$.
As mentioned earlier, the canonical embedding allows polynomial addition and multiplication to be done component-wise efficiently, which is a convenient feature for both the reduction from search to decision RLWE and polynomial computations. We explain next why such a nice feature comes with the canonical embedding. We know a polynomial can be uniquely represented by both the coefficient and point-value representations, and the latter allows us to multiply two polynomials component-wise (Cormen et al., 2001). To allow an efficient $O(n \log n)$ transformation between the two representations, we should evaluate a degree n polynomial at the n-th roots of unity, which is essentially what the fast Fourier transform (FFT) does. We know both the n-th cyclotomic field K and its ring of integers OK have a power basis $B = \{1, \zeta_n, \ldots, \zeta_n^{\varphi(n)-1}\}$, which consists of the n-th roots of unity just as we need. We can use the power basis to build a Vandermonde matrix $M^T$. Since K can also be interpreted as a polynomial ring quotient by the ideal (f), an element a ∈ K can be viewed as $a(x) = \sum_{i=0}^{n-1} a_i x^i$ and its image under the embedding is $\sigma_i(a(x)) = a(\sigma_i(x))$. Hence, each embedding $\sigma_i(a(x))$ is equivalent to evaluating a(x) at $\sigma_i(x)$. Therefore, we have
$$M^T \cdot (a_0, \ldots, a_{n-1})^T = \sigma(a) = B \cdot (\tau(a))^T.$$
Therefore, for a polynomial a ∈ OK, its image σ(a) (or τ(a) in terms of the basis B) is precisely its point-value representation evaluated at the n-th roots of unity.
In short, when using the canonical embedding, the image of K is a lattice with a power basis
consisting of the primitive roots of unity. Since each element in K is also a polynomial, when converting
to the point-value representation, the primitive roots of unity are the precise points that are needed.
So adding or multiplying two polynomials in the point-value representation is equivalent to adding or
multiplying two elements σ(K) w.r.t. the power basis.
through some geometric quantities of I (i.e., its ideal lattice σ(I)) including its determinant and mini-
mum distance. The results in this subsection are directly related to the gap (or approximation) factors
of hard ideal lattice problems.
To begin with, we first state the main result that is directly relevant to the RLWE’s hardness proof.
Recall that the minimum distance λ1 (L) of a lattice L is the length of the shortest non-zero vector in L,
where the length is measured by Lp -norm as defined in Equation 22.
Lemma 8.2.7. Let I be a fractional ideal in an n-dimensional number field K; then its minimum distance measured by the $L_p$-norm satisfies
$$n^{1/p} \cdot N(I)^{1/n} \le \lambda_1(I) \le n^{1/p} \cdot N(I)^{1/n} \cdot \sqrt{\Delta_K}^{\,1/n}. \tag{24}$$
Here, N(I) is the norm of the fractional ideal and $\Delta_K$ is the discriminant of the number field K. We will introduce these concepts next, which not only helps to understand the lemma, but gives insights about the algebraic structures of OK and its ideals under the canonical embedding.
Given a subgroup H of G, Lagrange's Theorem says that the order of G satisfies $|G| = |G : H| \cdot |H|$, where |G : H| is the index of H, which counts the number of cosets of H in G. If H is a normal subgroup, then the index equals the order of the quotient group G/H. Since an ideal I of OK is an additive normal subgroup and it has a geometric interpretation due to the canonical embedding, we relate its index to the norm as follows.
Definition 8.2.8. Let I be a non-zero ideal of OK. The norm of I, denoted by N(I), is the index of I as a subgroup of OK, i.e., $N(I) = |\mathcal{O}_K / I|$.
As for the norm of number field elements (Appendix C), the norm of ideals is also multiplicative. That is, N(IJ) = N(I)N(J). If I = J/d is a fractional ideal in K with the integral ideal J, then its norm is
$$N(I) = N(dI)/|N(d)|. \tag{25}$$
Example 8.2.9. When OK = Z, the integral ideal J = 5Z and the fractional ideal $I = J/4 = \frac{5}{4}\mathbb{Z}$, the norm is $N(I) = N(J)/|N(4)| = 5/4$.
For the fractional ideal I and the integral ideal dI with d ∈ OK, we have dx ∈ dI for any non-zero x ∈ I. Hence, when viewed as subgroups, their indices satisfy $[\mathcal{O}_K : (dx)] \ge [\mathcal{O}_K : dI]$, and it follows that $N(dx) \ge N(dI)$. By Equation 25 and the multiplicativity of the norm, we have $N(x) \ge N(I)$ for any non-zero x ∈ I. Combining this with Equation 22 of the $L_p$-norm, we can prove the lower bound of $\lambda_1(I)$. The upper bound is proved by the discriminant of K and Minkowski's First Theorem (Theorem C.4.2; see also Lemma 6.1 of Peikert and Rosen (2007) for the proof of the upper bound).
The discriminant of a number field, loosely speaking, measures the size of the ring of integers OK. Without loss of generality, for the basis elements $e_1, \ldots, e_n$ of K, define the n by n matrix
$$M = \begin{pmatrix} \sigma_1(e_1) & \sigma_1(e_2) & \cdots & \sigma_1(e_n) \\ \sigma_2(e_1) & \sigma_2(e_2) & \cdots & \sigma_2(e_n) \\ \vdots & \vdots & \ddots & \vdots \\ \sigma_n(e_1) & \sigma_n(e_2) & \cdots & \sigma_n(e_n) \end{pmatrix},$$
where $\sigma = (\sigma_1, \ldots, \sigma_n)$ is the canonical embedding of K. By the same argument as in the proof of Theorem 8.2.5, we know the determinant of M is non-zero. We know this matrix is related to the basis matrix N of the ideal lattice and their determinants satisfy Equation 23. This matrix looks just like the basis matrix for a lattice that was introduced in Section 4. Now we are ready to define the discriminant of K.
Definition 8.2.10. Let K be an n-dimensional number field with an integral basis $\{e_1, \ldots, e_n\}$. The discriminant of K is
$$\Delta_K = \mathrm{disc}_{K/\mathbb{Q}}(e_1, \ldots, e_n) = \det(M)^2.$$
An important property of number field discriminant is that it is invariant under the choice of an
integral basis. This can be seen from the following lemma and corollary.
Lemma 8.2.11. Suppose $x_1, \ldots, x_n, y_1, \ldots, y_n \in K$ are elements in the number field and they are related by a transformation matrix A; then
$$\mathrm{disc}_{K/\mathbb{Q}}(x_1, \ldots, x_n) = \det(A)^2 \, \mathrm{disc}_{K/\mathbb{Q}}(y_1, \ldots, y_n).$$
Since the change of integral basis matrix A is a unimodular matrix, i.e., det A = ±1, we conclude that the discriminant is an invariant quantity.
Corollary 8.2.12. Suppose $\{e_1, \ldots, e_n\}$ and $\{e'_1, \ldots, e'_n\}$ are both integral bases of the number field K; then
$$\mathrm{disc}_{K/\mathbb{Q}}(e_1, \ldots, e_n) = \mathrm{disc}_{K/\mathbb{Q}}(e'_1, \ldots, e'_n).$$
We finish this subsection by making some observations about $\Delta_K$. First, the determinant of the basis matrix M is equivalent to the volume of the fundamental domain of σ(OK). This entails that the absolute[10] discriminant of K measures the geometric sparsity of OK. Larger $|\Delta_K|$ implies larger det M, so the sparser the ideal lattice is.
Second, Equation 23 says $|\det N| = \frac{1}{2^{s_2}} |\det M|$. Since N is the basis matrix of the ideal lattice σ(OK), by the definition of the field discriminant, this equation implies
$$\det(\sigma(\mathcal{O}_K)) = \frac{1}{2^{s_2}} \sqrt{|\Delta_K|}. \tag{26}$$
Finally, an integral ideal I is an additive subgroup of OK, so Lagrange's Theorem entails $|\mathcal{O}_K| = |\mathcal{O}_K : I| \cdot |I|$. The canonical embedding σ is an isomorphism between OK and I and the corresponding ideal lattices. Moreover, I being a subgroup is sparser than OK when mapped by σ, so it has a larger determinant. Hence, we have
$$\det(\sigma(I)) = [\sigma(\mathcal{O}_K) : \sigma(I)] \det(\sigma(\mathcal{O}_K)) = N(I) \det(\sigma(\mathcal{O}_K)) = \frac{1}{2^{s_2}} N(I) \sqrt{|\Delta_K|}. \tag{27}$$
Equation 27 also holds for a fractional ideal J = I/d. Substituting the integral ideal I = dJ into the equation incurs a factor d on both sides, because det(σ(dJ)) = d det(σ(J)) and N(dJ) = N(d)N(J) = dN(J).
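The objects of this subsection for the field of Example 8.2.3, computed numerically as an added example (not the tutorial's own code): the canonical embedding σ and its real coordinates τ with respect to B, the L_p-norm of Equation 22, component-wise multiplication against the nega-cyclic product in Z[x]/(x^4 + 1), the discriminant of Definition 8.2.10, and the determinant relation of Equation 26. It assumes the embedding order σ1(ζ8) = ζ8, σ2(ζ8) = ζ8^3 used in Example 8.2.3 and represents field elements by their coefficients in the power basis.

```python
import cmath
import math
from typing import List

# Added example, not from the tutorial: the canonical embedding of
# K = Q(zeta_8), O_K = Z[zeta_8], f(x) = x^4 + 1 (s1 = 0, s2 = 2, n = 4),
# computed in floating point.  Elements of K are coefficient lists in the
# power basis {1, zeta, zeta^2, zeta^3}; results are compared with a tolerance.

N = 4
ZETA = cmath.exp(2j * math.pi / 8)
HALF_SQRT2 = math.sqrt(2) / 2
# Embedding order of Example 8.2.3: sigma_1(zeta) = zeta, sigma_2(zeta) = zeta^3,
# then the conjugates sigma_3 = conj(sigma_1) and sigma_4 = conj(sigma_2).
SIGMA_OF_ZETA = [ZETA, ZETA ** 3, ZETA ** 7, ZETA ** 5]
# Basis of the canonical space H (Equation 21 with s1 = 0, s2 = 2).
B = [[1, 0, 1j, 0], [0, 1, 0, 1j], [1, 0, -1j, 0], [0, 1, 0, -1j]]
POWER_BASIS = [[1 if i == j else 0 for i in range(N)] for j in range(N)]

def evaluate(a: List[complex], x: complex) -> complex:
    """Horner evaluation of a(x) = a_0 + a_1 x + ... + a_{n-1} x^{n-1}."""
    acc = 0j
    for c in reversed(a):
        acc = acc * x + c
    return acc

def sigma(a: List[complex]) -> List[complex]:
    """Canonical embedding (Equation 20): sigma_i(a) = a(sigma_i(zeta))."""
    return [evaluate(a, r) for r in SIGMA_OF_ZETA]

def tau(a: List[complex]) -> List[float]:
    """Real coordinates of sigma(a) w.r.t. B: (Re s1, Re s2, Im s1, Im s2)."""
    s = sigma(a)
    return [s[0].real, s[1].real, s[0].imag, s[1].imag]

def b_times(v: List[float]) -> List[complex]:
    """Applying B to the real coordinates recovers sigma(a)."""
    return [sum(B[i][j] * v[j] for j in range(N)) for i in range(N)]

def lp_norm(a: List[complex], p: float) -> float:
    """L_p-norm of a field element through its embedding (Equation 22)."""
    s = sigma(a)
    if p == math.inf:
        return max(abs(z) for z in s)
    return sum(abs(z) ** p for z in s) ** (1.0 / p)

def negacyclic_mul(a: List[int], b: List[int]) -> List[int]:
    """Product in Z[x]/(x^n + 1): a wrap past degree n-1 picks up a sign."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j >= N:
                out[i + j - N] -= ai * bj
            else:
                out[i + j] += ai * bj
    return out

def multiply_by_x(a: List[int], rounds: int) -> List[int]:
    """The nega-cyclic action a -> a * x applied `rounds` times."""
    for _ in range(rounds):
        a = negacyclic_mul(a, [0, 1, 0, 0])
    return a

def det(matrix: List[List[complex]]) -> complex:
    """Determinant by Gaussian elimination with partial pivoting."""
    m = [list(row) for row in matrix]
    n, d = len(m), 1 + 0j
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            return 0j
        if piv != col:
            m[col], m[piv] = m[piv], m[col]
            d = -d
        d *= m[col][col]
        for r in range(col + 1, n):
            fac = m[r][col] / m[col][col]
            for c in range(col, n):
                m[r][c] -= fac * m[col][c]
    return d

def discriminant() -> complex:
    """Delta_K = det(M)^2 with M_{ij} = sigma_i(e_j) (Definition 8.2.10)."""
    M = [[sigma(e)[i] for e in POWER_BASIS] for i in range(N)]
    return det(M) ** 2

def lattice_determinant() -> float:
    """det(sigma(O_K)) = |det N|, the rows of N^T being tau(e_j)."""
    return abs(det([tau(e) for e in POWER_BASIS]))

def equation_26_holds() -> bool:
    """det(sigma(O_K)) = 2^{-s2} sqrt(|Delta_K|) with s2 = 2."""
    return abs(lattice_determinant() - math.sqrt(abs(discriminant())) / 4) < 1e-9

def close(u, v, tol: float = 1e-9) -> bool:
    return len(u) == len(v) and all(abs(x - y) < tol for x, y in zip(u, v))
```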
In the previous subsection, we built a connection between a number field K and its image H = σ(K) under the canonical embedding σ and showed that $H \cong \mathbb{R}^n$. In this subsection, we discuss how dual lattices in K are defined. The motivation is to understand the structure of dual lattices of an ideal lattice σ(I). The notion of dual appears in crucial parts of the development of lattice-based cryptography, including the definition of smoothing parameters of a lattice (Definition 5.1.1) and the general definition of the RLWE distribution (Definition 9.2.1).
Definition 8.3.1. A lattice in an n-dimensional number field K is the Z-span of a Q-basis of K.
For lattices in $\mathbb{R}^n$, the dot product is an obvious metric between two geometric vectors. For lattices in a number field, we need a more general inner product that can be obtained through the trace operator.
Definition 8.3.2. Given a canonical embedding of a number field K
$$\sigma : K \to \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2}, \qquad \alpha \mapsto (\sigma_1(\alpha), \ldots, \sigma_n(\alpha)),$$
the trace of an element α ∈ K is defined as
$$\mathrm{Tr}_{K/\mathbb{Q}} : K \to \mathbb{Q}, \qquad \mathrm{Tr}_{K/\mathbb{Q}}(\alpha) = \sum_{i=1}^{n} \sigma_i(\alpha).$$
[10] Although it is defined as the square of a matrix determinant, the discriminant can be negative as the matrix entries can be complex numbers.
Definition 8.3.3. Let L be a lattice in a number field K. Its dual lattice is
$$L^\vee = \{x \in K \mid \mathrm{Tr}_{K/\mathbb{Q}}(xL) \subseteq \mathbb{Z}\}.$$
Example 8.3.4. The lattice L = Z[i] in the number field K = Q(i) has a basis B = {1, i}. The dual lattice is $L^\vee = \frac{1}{2}\mathbb{Z}[i]$ with a basis $B^\vee = \{\frac{1}{2}, \frac{i}{2}\}$.
The dual of a number field lattice is also a lattice. Here are some properties of the dual in $\mathbb{R}^n$ that also hold for the dual in number fields.
Corollary 8.3.5. For lattices in a number field K, the following hold:
1. $L^{\vee\vee} = L$,
2. $L_1 \subseteq L_2 \iff L_2^\vee \subseteq L_1^\vee$,
3. $(\alpha L)^\vee = \frac{1}{\alpha} L^\vee$, for an invertible element α ∈ K.
The following theorem relates the dual lattice to differentiation and provides an easier way of computing the dual basis and dual lattice from a given lattice.
Theorem 8.3.6. Let K = Q(α) be an n-dimensional number field with a power basis $\{1, \alpha, \ldots, \alpha^{n-1}\}$ and $f(x) \in \mathbb{Q}[x]$ be the minimal polynomial of the element α, which can be expressed as
$$f(x) = (x - \alpha)(c_0 + c_1 x + \cdots + c_{n-1} x^{n-1}).$$
Then the dual basis to the power basis relative to the trace product is $\left\{\frac{c_0}{f'(\alpha)}, \ldots, \frac{c_{n-1}}{f'(\alpha)}\right\}$. In particular, if K = Q(α) and the primitive element α ∈ OK is an algebraic integer, then the lattice $L = \mathbb{Z}[\alpha] = \mathbb{Z} + \mathbb{Z}\alpha + \cdots + \mathbb{Z}\alpha^{n-1}$ and its dual are related by the first derivative of the minimal polynomial, that is,
$$L^\vee = \frac{1}{f'(\alpha)} L.$$
Example 8.3.7. An important application of this theorem in RLWE is when $K = \mathbb{Q}(\zeta_m)$ is the m-th cyclotomic number field, where $m = 2n = 2^k > 1$ is a power of 2. Let the lattice $L = \mathcal{O}_K = \mathbb{Z}[\zeta_m]$. The minimal polynomial of $\zeta_m$ is $f(x) = x^n + 1$, whose derivative is $f'(x) = n x^{n-1}$. By Theorem 8.3.6,
$$L^\vee = (\mathbb{Z}[\zeta_m])^\vee = \frac{1}{f'(\zeta_m)} \mathbb{Z}[\zeta_m] = \frac{1}{n \zeta_m^{n-1}} \mathbb{Z}[\zeta_m] = \frac{1}{n} \zeta_m^{n+1} \mathbb{Z}[\zeta_m] = \frac{1}{n} L.$$
The second last equality is because the roots of unity form a cyclic group, so $\zeta_m^{-(n-1)} = \zeta_m^{n+1}$.
This example shows an essential property of cyclotomic number fields when choosing appropriate
parameter settings. It says the ideal lattice σ(OK ) and its dual are related by only a scaling factor, so
there is no difference working in either domain when defining the RLWE problem. We will see more
detail in the next section.
We further study the ideal lattice OK in a general number field. By definition, the dual of OK is
$$\mathcal{O}_K^\vee = \{x \in K \mid \mathrm{Tr}_{K/\mathbb{Q}}(x\mathcal{O}_K) \subseteq \mathbb{Z}\}.$$
Since each element in OK is an algebraic integer, it has an integer trace.[11] So on the one hand, $\mathcal{O}_K \subseteq \mathcal{O}_K^\vee$. On the other hand, not all elements with integer traces are in $\mathcal{O}_K^\vee$. The next theorem shows that these elements need to form a fractional ideal.
Theorem 8.3.8. The dual lattice $\mathcal{O}_K^\vee$ is the largest fractional ideal in K whose elements have integer traces.
Theorem 8.3.9. For a fractional ideal I in K, its dual lattice is a fractional ideal satisfying the equation
$$I^\vee = I^{-1} \mathcal{O}_K^\vee.$$
[11] This can be verified by taking the power basis $\{1, r, \ldots, r^{n-1}\}$ of K, which is also a Z-basis of OK. Each x ∈ OK can be written as $x = c_0 + c_1 r + \cdots + c_{n-1} r^{n-1}$. By definition, only $\mathrm{Tr}(c_0) \in \mathbb{Z}$ and the rest are 0.
We have seen the inverse of a fractional ideal in Equation 19; it is tempting to see whether the inverse of the dual $\mathcal{O}_K^\vee$ (which is also a fractional ideal) is in any way special. By the definition of the fractional ideal inverse (Equation 19), we have
$$(\mathcal{O}_K)^{-1} = \{x \in K \mid x\mathcal{O}_K \subseteq \mathcal{O}_K\} = \mathcal{O}_K,$$
$$(\mathcal{O}_K^\vee)^{-1} = \{x \in K \mid x\mathcal{O}_K^\vee \subseteq \mathcal{O}_K\}.$$
Since $\mathcal{O}_K \subseteq \mathcal{O}_K^\vee$, their inverses satisfy $(\mathcal{O}_K^\vee)^{-1} \subseteq \mathcal{O}_K$. Unlike the dual, which is a fractional ideal and not necessarily within OK, this inclusion makes $(\mathcal{O}_K^\vee)^{-1}$ an integral ideal, which is also called the different ideal. For example, let K = Q(i) and OK = Z[i]. The dual ideal is $\mathcal{O}_K^\vee = \mathbb{Z}[i]^\vee = \frac{1}{2}\mathbb{Z}[i]$, so the different ideal is $\mathcal{D}_K = (\frac{1}{2}\mathbb{Z}[i])^{-1} = 2\mathbb{Z}[i]$.
In the special case when OK has a power basis, Theorem 8.3.6 can also be expressed in terms of the different ideal, because
$$\mathcal{O}_K^\vee = \frac{1}{f'} \mathcal{O}_K \implies f' \mathcal{O}_K = (\mathcal{O}_K^\vee)^{-1} \implies (f') = \mathcal{D}_K.$$
When $f = x^n + 1$, the last equality implies $\mathcal{D}_K = n\mathcal{O}_K$. See Theorem C.5.11 in Appendix C for formal statements of these results.
Lemma 8.3.10. For $m = 2n = 2^k \ge 2$ a power of 2, let $K = \mathbb{Q}(\zeta_m)$ be the mth cyclotomic number field and $\mathcal{O}_K = \mathbb{Z}[\zeta_m]$ be its ring of integers. The different ideal satisfies $\mathcal{D}_K = n\mathcal{O}_K$.
This lemma plays an important role in RLWE in the special case where the number field is an m-th cyclotomic field. It implies that the ring of integers and its dual are equivalent up to a scaling factor, $n^{-1}\mathcal{O}_K = \mathcal{O}_K^\vee$. Hence, the secret polynomial s and the random polynomial a can both be sampled from the same domain $R_q$, unlike in the general context, where the preference is to leave $s \in R_q^\vee$ in the dual.
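The dual of Definition 8.3.3 computed exactly for the power-of-two cyclotomic rings of Example 8.3.7 and Lemma 8.3.10, as an added example (not the tutorial's own code): it builds the trace form on the power basis of Z[ζ_m], inverts it to get the dual basis, and checks that the dual is (1/n)Z[ζ_m], that f'(ζ_m) = nζ_m^{n-1} carries the dual back into the ring (so D_K = nO_K), and that Example 8.3.4 (n = 2, Z[i]) comes out as (1/2)Z[i]. It assumes the closed form Tr(ζ_m^k) ∈ {n, -n, 0} for these rings and represents field elements as lists of n Fractions modulo x^n + 1.

```python
from fractions import Fraction
from typing import List

# Added example, not from the tutorial: exact computation of O_K^vee for
# O_K = Z[zeta_m], m = 2n a power of two, from the trace form on the power
# basis {1, zeta, ..., zeta^{n-1}}.  Elements of K = Q(zeta_m) are lists of
# n Fractions modulo x^n + 1.

Elem = List[Fraction]

def trace_of_power(k: int, n: int) -> int:
    """Tr_{K/Q}(zeta^k): the n embeddings send zeta to zeta^j for odd j, so
    the trace is n for k = 0, -n for k = n (mod 2n) and 0 otherwise."""
    k %= 2 * n
    if k == 0:
        return n
    if k == n:
        return -n
    return 0

def trace(a: Elem, n: int) -> Fraction:
    return sum((a[k] * trace_of_power(k, n) for k in range(n)), Fraction(0))

def power(k: int, n: int) -> Elem:
    """Coefficient vector of zeta^k (k may be negative), using zeta^n = -1."""
    k %= 2 * n
    sign, k = (1, k) if k < n else (-1, k - n)
    v = [Fraction(0)] * n
    v[k] = Fraction(sign)
    return v

def mul(a: Elem, b: Elem, n: int) -> Elem:
    """Nega-cyclic product in Q[x]/(x^n + 1)."""
    out = [Fraction(0)] * n
    for i in range(n):
        for j in range(n):
            if i + j >= n:
                out[i + j - n] -= a[i] * b[j]
            else:
                out[i + j] += a[i] * b[j]
    return out

def invert(matrix: List[List[Fraction]]) -> List[List[Fraction]]:
    """Gauss-Jordan inverse over the rationals (matrix assumed invertible)."""
    n = len(matrix)
    aug = [list(row) + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col] != 0)
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                fac = aug[r][col]
                aug[r] = [x - fac * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def dual_basis(n: int) -> List[Elem]:
    """Basis {d_j} of O_K^vee with Tr(d_j * zeta^k) = [j == k].
    With T_{jk} = Tr(zeta^j zeta^k), d_j = sum_i (T^{-1})_{ij} zeta^i."""
    T = [[Fraction(trace_of_power(j + k, n)) for k in range(n)] for j in range(n)]
    Tinv = invert(T)
    return [[Tinv[i][j] for i in range(n)] for j in range(n)]

def scaled_dual_basis(n: int) -> List[List[int]]:
    """n * d_j as integer coefficient vectors (exact for these rings)."""
    return [[int(c * n) for c in d] for d in dual_basis(n)]

def in_dual(x: Elem, n: int) -> bool:
    """Membership test for O_K^vee (Definition 8.3.3): Tr(x * O_K) in Z."""
    return all(trace(mul(x, power(k, n), n), n).denominator == 1
               for k in range(n))

def in_dual_scaled(numerators: List[int], denominator: int, n: int) -> bool:
    """in_dual for the element (1/denominator) * sum numerators[k] zeta^k."""
    return in_dual([Fraction(c, denominator) for c in numerators], n)

def dual_is_scaled_ring(n: int) -> bool:
    """Checks d_j = zeta^{-j} / n for all j, i.e. O_K^vee = (1/n) Z[zeta]."""
    return all(d == [c / n for c in power(-j, n)]
               for j, d in enumerate(dual_basis(n)))

def different_is_n_times_ring(n: int) -> bool:
    """f'(zeta) = n zeta^{n-1} times every dual basis vector is integral,
    so (f'(zeta)) O_K^vee = O_K and D_K = (f'(zeta)) = (n) as zeta is a unit."""
    f_prime = [c * n for c in power(n - 1, n)]
    return all(all(c.denominator == 1 for c in mul(f_prime, d, n))
               for d in dual_basis(n))
```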
[Figure 12: the coefficient vector (1, 2, 3, 4) is sent by successive multiplications by x to (−4, 1, 2, 3), (−3, −4, 1, 2) and (−2, −3, −4, 1).]
Figure 12: Let $R = \mathbb{Z}[x]/(x^4 + 1)$. Given the polynomial $a = 1 + 2x + 3x^2 + 4x^3$, the nega-cyclic action is equivalent to multiplying a by x, which yields $a \star x = x + 2x^2 + 3x^3 + 4x^4 = -4 + x + 2x^2 + 3x^3$. After n = 4 rounds of anti-cyclic actions, we get back to −a.
We first re-define some lattice problems in terms of an ideal lattice in a number field which is going to
be our working domain for the following proofs. Recall that the canonical embedding enables us to talk
about geometric norms of number field elements by mapping them to elements in the canonical space
which is isomorphic to $\mathbb{R}^n$. Hence, we can define the $L_p$-norm of an element x ∈ K as
$$\|x\|_p = \|\sigma(x)\|_p = \begin{cases} \left(\sum_{i \in [n]} |\sigma_i(x)|^p\right)^{1/p} & \text{if } p < \infty, \\ \max_{i \in [n]} |\sigma_i(x)| & \text{if } p = \infty. \end{cases}$$
With geometric norm, it makes sense to compare the lengths of two elements in a number field.
In this subsection, we define RLWE distribution in a (general) number field. The definition is similar
to the LWE distribution definition, but with different domains for random samples and noise elements.
With this definition, it is sufficient to prove the hardness of the (search) RLWE problem by drawing
deductions from some ideal lattice problems introduced in the preceding subsection. The more special-
ized RLWE definition in a cyclotomic number field will be introduced in a later subsection in order to
reduce the search to decision RLWE, which is more convenient to support the security of an encryption
scheme. That being said, it may be useful to jump to the start of Section 9.4 to see a concrete example
of the ring R = Z[x]/(xn + 1) in order to have a more intuitive understanding of this domain before
moving forward.
When presenting the generalized definition, Lyubashevsky et al. (2010) used the notation $K_\mathbb{C} = K \otimes_\mathbb{Q} \mathbb{C}$ to represent the tensor product between the number field $K$ and $\mathbb{C}$. This tensor product $K_\mathbb{C}$ is where the RLWE errors are sampled from, according to a certain error distribution $\psi$. For an $n$-dimensional separable (Definition B.1.25) number field $K = \mathbb{Q}(\alpha)$ and the minimal polynomial $f(x) \in \mathbb{Q}[x]$ of the primitive element $\alpha$, we have the following isomorphisms. The first isomorphism is by the definition of a number field and the second is by the definition of the tensor product (see Page 21 of Milne (2020)):
$$K \otimes_\mathbb{Q} \mathbb{C} \cong (\mathbb{Q}[x]/(f(x))) \otimes_\mathbb{Q} \mathbb{C} \cong \mathbb{C}[x]/(f(x)).$$
It is often convenient to think of $K_\mathbb{C}$ as the canonical space $H$. This is because the minimal polynomial $f(x) = f_1(x) \cdots f_n(x)$ splits into irreducible factors over the complex numbers $\mathbb{C}$, so we have an isomorphism between $K_\mathbb{C}$ and the canonical space $H$ by the Chinese Remainder Theorem, because the principal ideals $(f_i(x))$ are pairwise coprime:
$$K_\mathbb{C} = K \otimes_\mathbb{Q} \mathbb{C} \cong \prod_{i=1}^{n} \mathbb{C}[x]/(f_i(x)) = H.$$
The RLWE errors are sampled from $K_\mathbb{C}$ and then reduced modulo $R^\vee$ to bring them within the dual lattice. For a number field $K$ and its ring of integers $R = O_K$, let $R_q = R/qR$, $R_q^\vee = R^\vee/qR^\vee$ and $\mathbb{T} = K_\mathbb{C}/R^\vee$ (a high-dimensional torus). The following RLWE definition generalizes Definition 9.4.1 to an arbitrary number field.
We use f ? g to denote polynomial multiplication in order to distinguish it from vector dot product.
From Section 8.2.1, we know that polynomial addition and multiplication can be done efficiently under
the canonical embedding.
Definition (RLWE distribution). For a fixed $s \in R_q^\vee$ and an error distribution $\psi$ over $K_\mathbb{C}$, the RLWE distribution $A_{s,\psi}$ over $R_q \times \mathbb{T}$ is the distribution obtained by repeating these steps:
• sample an element $a \leftarrow R_q$,
• sample a noise element $\epsilon \leftarrow \psi$ over $K_\mathbb{C} \cong H$,
• compute the polynomial $b = (s \star a)/q + \epsilon \bmod R^\vee$,
• output $(a, b)$.
As will be seen later, Definition 9.4.1 in a cyclotomic field is a special case of the above. Although in this general setting $a$ and $s$ are taken from $R_q$ and its dual $R_q^\vee$ respectively, when $K$ is a cyclotomic field with the cyclotomic polynomial $\Phi_m(x)$ where $m$ is a power of 2, it has been shown in Example 8.3.7 that
$$R = nR^\vee. \tag{29}$$
Hence, it makes no difference that $s$ and $a$ are sampled from different domains in the cyclotomic field case. This relationship between $R$ and $R^\vee$ is essential when reducing search to decision RLWE.
The error distribution ψ above is not a 1-dimensional Gaussian distribution any more. Unlike in the
LWE case where the 1-dimensional error is added to the dot product a · s, in RLWE the n-dimensional
error is added to the resulting polynomial a ? s. Depending on how a polynomial is represented, the
number of parameters in the high-dimensional error distribution varies. In the coefficient representation,
the n-dimensional Gaussian error distribution is parameterized by the n × n covariance matrix. In
contrast, in the canonical embedding representation, the same Gaussian distribution $D_r$ is the product of $n$ independent 1-dimensional Gaussians with either the same or different scales $r = (r_1, \dots, r_n)$. (This is another justification for using the canonical embedding in RLWE.) When $r$ is a constant vector, $D_r$ is called a spherical Gaussian distribution; otherwise it is called an elliptical Gaussian distribution.
A further point about the high-dimensional error distribution concerns the reduction from ideal lattice problems to RLWE. As remarked after the LWE hardness proof, in order to employ the assumed LWE oracle to solve BDD, one may need to adjust the magnitude of the embedded random noise to meet the oracle's requirement. In LWE this is relatively easy: add extra controlled noise until the magnitude the LWE oracle expects is reached. In the RLWE case, however, there is no straightforward error adjustment that hits the target high-dimensional error distribution of the RLWE oracle, so the proof has to assume that the RLWE oracle works for a whole family of error distributions, defined next.
Definition 9.2.2 ($\Psi_{\le\alpha}$ family). For $\alpha > 0$, the set $\Psi_{\le\alpha}$ consists of all elliptical Gaussian distributions $D_r$ over $K_\mathbb{C}$ such that each $D_{r_i}$ has scale $r_i \le \alpha$.
With this family of error distributions, we can define the search RLWE problem as follows.
Definition 9.2.3 (Search RLWE). Given the parameter $q$ and the family of error distributions $\Psi_{\le\alpha}$, the search RLWE problem, denoted by RLWE$_{q,\Psi_{\le\alpha}}$, is to compute the secret key $s$ given samples $\{(a, b)\}$ from the RLWE distribution $A_{s,\psi}$ for an arbitrary $s \in R_q^\vee$ and $\psi \in \Psi_{\le\alpha}$.
The decision RLWE is an average-case problem for a random secret key and a random error distribution. The distribution for the secret key $s$ is uniform over the dual lattice $R^\vee$. The distribution $\Upsilon_\alpha$ over the elliptical Gaussian error distributions $\Psi_{\le\alpha}$ is chosen to be a Gamma distribution with shape 2 and scale 1 [12]. Since the reduction from search to decision RLWE can only be made possible in cyclotomic number fields, we define $\Upsilon_\alpha$ specifically in these cyclotomic fields. Recall that for $m = 2n = 2^k > 2$, the canonical embedding for a cyclotomic number field $K = \mathbb{Q}(\zeta_m)$ consists only of $n$ complex embeddings, which come in $n/2$ conjugate pairs $\overline{\sigma_i} = \sigma_{i+n/2}$ for $i \in [1, n/2]$, so the scale parameters that correspond to a conjugate pair can be set identical. This gives rise to the next definition of the distribution $\Upsilon_\alpha$.
[12] Lyubashevsky et al. (2010) emphasized that any efficiently samplable continuous distribution can be used, e.g., a Gaussian distribution.
Since the mean of $\Gamma(2, 1)$ is 2, by the above definition of $\Upsilon_\alpha$ we have $\|r_i\| \approx O(\alpha n^{1/4})$. Recall that in the proof of LWE hardness, we discussed the upper bound of the scale parameter $\alpha$ in the Gaussian error distribution $\Psi_\alpha$ in order for $\Psi_\alpha$ to be distinguishable from the uniform distribution once reduced by $\bmod\ \mathbb{Z}_p^n$. The same argument carries over to the RLWE problem: $\psi \bmod R^\vee$ and the uniform distribution over $\mathbb{T} = K_\mathbb{C}/R^\vee$ should be distinguishable, for otherwise decision RLWE is unsolvable. The difference is in the $n$th successive minimum $\lambda_n(R)$. When $K$ is a cyclotomic number field, it has a power basis $\{1, \zeta, \dots, \zeta^{n-1}\}$, which is also a basis of $R$. Under the canonical embedding, each element $\zeta^k$ in the power basis is mapped to an element $(\sigma_1(\zeta^k), \dots, \sigma_n(\zeta^k))$ in the canonical space, where each $\sigma_i$ maps $\zeta^k$ to a different element of the power basis (a root of unity), so $|\sigma_i(\zeta^k)| = 1$. Hence, the Euclidean norm of the image of $\zeta^k$ under the canonical embedding is $\sqrt{n}$ and $\lambda_n(R) = \sqrt{n}$. This implies that the $n$th successive minimum $\lambda_n(R^\vee) = 1/\sqrt{n}$, and hence the upper bound of $\alpha$ in RLWE is $\alpha \le O(\sqrt{\log n / n})$ by Lemma 5.1.3, which is smaller than $O(\sqrt{\log n})$ in LWE.
We now state the main theorem of decision RLWE in the context of the cyclotomic field $K = \mathbb{Q}(\zeta_m) = \mathbb{Q}[x]/(x^n + 1)$, where its ring of integers is $R = O_K = \mathbb{Z}[x]/(x^n + 1)$.
Theorem 9.2.6 (SVP, SIVP to RDLWE). Let $K$ be defined as above, $\alpha < \sqrt{\log n / n}$ and $q = q(n) \ge 2$ be a prime such that $q = 1 \bmod m$ and $\alpha q \ge \omega(\log n)$. There is a polynomial time quantum reduction from the ideal lattice $\tilde{O}(\sqrt{n}/\alpha)$-SIVP (or SVP) problem to
• RDLWE$_{q,\Upsilon_\alpha}$, or
• RDLWE$_{q,D_\xi}$ given only $l$ samples, where $\xi = \alpha(nl/\log(nl))^{1/4}$ is the scale parameter for the spherical Gaussian error distribution.
The first reduction is to decision RLWE with a random elliptical Gaussian error distribution, whilst the second is to decision RLWE with a fixed spherical Gaussian error distribution but given only a small number of samples. We will make clear the connection between these two problems in a later subsection.
The threshold $\alpha$ for the Gaussian distribution's scales is upper bounded to guarantee the solvability of decision RLWE. At the same time, the scales must also be sufficiently large to guarantee that the sampled Gaussian noise, once reduced to a smaller domain, is almost uniformly distributed. See Section 4 of Lyubashevsky et al. (2010) for an additional explanation of the choice of $\alpha$.
Similar to the (search) LWE hardness proof, the hardness of (search) RLWE relies on reductions from the hard ideal lattice problems K-SVP$_\gamma$ and K-SIVP$_\gamma$, through the intermediate K-DGS problem. We omit the reductions from the two ideal lattice problems to K-DGS and focus only on the classical part of the quantum reduction to RLWE. The following theorem states a quantum reduction, which can be separated into a quantum and a classical step. We emphasize again that the context of this reduction is arbitrary number fields (not necessarily cyclotomic).
In contrast to the small o notation (i.e., $f(n) = o(g(n))$), which indicates an upper bound on a function's growth, the small omega notation (i.e., $f(n) = \omega(g(n))$) indicates a lower bound on the function's growth. More precisely, $f(n) = \omega(g(n))$ if for all $k > 0$ there exists a threshold $n_0$ such that for all $n > n_0$, $|f(n)| > k|g(n)|$. Throughout the proof, $\omega(\sqrt{\log n})$ is used to denote a function that grows asymptotically faster than $\sqrt{\log n}$.
[Figure 13: the reduction chain, with one quantum step and classical steps, ending at RLWE$_{q,\Psi_{\le\alpha}}$]
Theorem 9.3.1 (K-DGS to RLWE). Let $\alpha = \alpha(n) > 0$ and $q = q(n) \ge 2$ such that $\alpha q \ge 2\omega(\sqrt{\log n})$. There is a PPT quantum reduction from K-DGS$_\gamma$ to RLWE$_{q,\Psi_{\le\alpha}}$, where
$$\gamma = \max\left\{\eta_\epsilon(I)\,(\sqrt{2}/\alpha)\,\omega(\sqrt{\log n}),\ \sqrt{2n}/\lambda_1(I^\vee)\right\}. \tag{30}$$
Given $\alpha < \sqrt{\log n / n}$ as stated in Theorem 9.2.6 and the smoothing parameter $\eta_\epsilon(I) > 1/\lambda_1(I^\vee)$ by Claim 2.13 of Regev (2009), it always holds that $\gamma = \eta_\epsilon(I)(\sqrt{2}/\alpha)\,\omega(\sqrt{\log n})$ in the above theorem.
Again, the motivation behind the theorem is to obtain discrete Gaussian samples over an ideal lattice
I (in K) with scale s as close to the lower bound γ as possible, so that certain standard ideal lattice
problems can be solved with the help of these short discrete Gaussian samples. The feasibility of
obtaining short samples can be proved using almost the same strategy as that in the BDD to LWE
reduction. Recall that the BDD to LWE reduction gives rise to an iterative strategy to reduce the discrete
Gaussian sample norms. In the RLWE setting, this means (as shown in Figure 13) to solve the K-BDD
problem with an RLWE oracle and some discrete Gaussian samples with scale r, then feed the K-BDD
output to a quantum algorithm to produce new discrete Gaussian samples with scaler0 < r/2 half of the
previous norms. We ignore the quantum step of the reduction (Lemma 4.4 (Lyubashevsky et al., 2010)).
The classical part is stated in the next lemma.
Lemma 9.3.2 (K-BDD to RLWE; Lemma 4.3 of Lyubashevsky et al. (2010)). Let $\alpha = \alpha(n) > 0$ and $q = q(n) \ge 2$ be an integer with known factorization. Let $I$ be a fractional ideal of a number field $K$ and $r \ge \sqrt{2}\,q\,\eta_\epsilon(I)$ for some negligible $\epsilon = \epsilon(n)$. Given a discrete Gaussian oracle for $D_{I,r}$, there is a PPT reduction from K-BDD$_d$ in the dual lattice $I^\vee$, where $d = \alpha q/(\sqrt{2}\,r)$, to RLWE$_{q,\Psi_{\le\alpha}}$.
To solve the K-BDD problem for an element in the ideal lattice I of K, the same bit-by-bit strategy
as in Lemma 6.2.4 can be applied. That is, find a solution in the scaled ideal lattice qI and then iteratively
build a solution in I from the least to the most significant bit in the base q. Since Lemma 6.2.4 was
proved for general lattices, it also holds for ideal lattices without re-proving. The K-BDD problem in a
scaled ideal lattice qI is called q-BDD. Hence, it remains to prove a solution for q-BDD with the help
of an RLWE oracle and discrete Gaussian samples.
Lemma 9.3.3 ($q$-BDD to RLWE). Assume there is an oracle for RLWE$_{q,\Psi_{\le\alpha}}$ and a discrete Gaussian oracle for generating samples from $D_{I,r}$ where $r \ge \sqrt{2}\,q\,\eta_\epsilon(I)$. Given a K-BDD$_{I^\vee,d}$ instance $y = x + e$, where $x \in I^\vee$ and $\|e\|_\infty \le d$, there is a polynomial time algorithm that solves $q$-BDD$_{I^\vee,d}$, that is, finds $x \bmod qI^\vee$.
The proof of this lemma follows a similar strategy as that of Proposition 6.2.3. That is, construct
RLWE samples for the oracle using the given K-BDD instance y and the discrete Gaussian samples
over I. The proof, however, is more involved, because the solution of K-BDD is in I ∨ and discrete
Gaussian noise elements are sampled from I, whilst the RLWE oracle works in Rq and its dual. Hence,
it is necessary to be able to transform elements between these domains without losing their structures.
To achieve this, we re-state the following two important results that have been proved in Section 8.1.3,
but in the context of a number field K and its ring of integers OK .
Lemma 9.3.4. If I and J are non-zero integral ideals of R = OK , then there exists an element t ∈ I
such that (t)I −1 ⊆ R is an integral ideal coprime to J.
Lemma 9.3.5. Let $I$ and $J$ be ideals in $R = O_K$ and $M$ be a fractional ideal in the number field $K$. Then there is an isomorphism
$$M/JM \cong IM/IJM.$$
To make the proof work, we focus only on special cases of Lemma 9.3.5. More precisely, let $J = (q)$ and let $M = R$ be the ring of integers itself or $M = I^\vee$ be the dual ideal. Given the prime factors of the integer $q$, say $q = ab$ where $a, b \in \mathbb{Z}$ are primes, the principal ideal can be written as $(q) = (a)(b)$, the product of prime ideals in $\mathbb{Z}$. Using a prime ideal factorization technique (briefly discussed in the next subsection), we can find the prime factors of $(a)$ and $(b)$ in $R$, hence those of $(q)$. It then follows from Lemma 9.3.4 that there is an element $t \in I$ with which to construct an ideal $(t)I^{-1}$ coprime to $J = (q)$ (see the proofs of these lemmas in Section 8.1; also see the proof of Lemma 5.2.2 of Stein (2012) to see why we need to know the prime factors of the ideal $J$). Then the map
$$\theta_t : K \to K, \qquad u \mapsto ut$$
induces two important isomorphisms
$$R_q = R/(q)R \cong IR/I(q)R = I_q \tag{31}$$
$$I_q^\vee = I^\vee/(q)I^\vee \cong II^\vee/I(q)I^\vee = II^{-1}R^\vee/I(q)I^{-1}R^\vee = R^\vee/(q)R^\vee = R_q^\vee . \tag{32}$$
Both isomorphisms in Equations (31) and (32) are precisely what we need in order to prove Lemma 9.3.3. Below we state the process to build the reduction. To construct $A_{s,\psi}$ samples from $y \in K$, repeat the following steps:
1. Compute the element $t \in I$ such that $(t)I^{-1}$ and $(q)$ are coprime by Lemma 9.3.4. Define the function $\theta_t(x) = xt$, which yields the two isomorphisms $R_q \cong I_q$ and $I_q^\vee \cong R_q^\vee$.
2. Sample $z \leftarrow D_{I,r}$ using the discrete Gaussian oracle, and compute $a = \theta_t^{-1}(z \bmod qI) \in R_q$.
3. Sample $e' \leftarrow D_{\alpha/\sqrt{2}}$, a continuous Gaussian noise, and compute $b = ((z \bmod qI) \star y)/q + e' \bmod R^\vee$.
4. Output the pair $(a, b)$.
Once the RLWE oracle is given the samples $\{(a, b)\}$, it produces the secret key $s \in R_q^\vee$, and we output $x \bmod qI^\vee = \theta_t^{-1}(s) \in I_q^\vee$.
We now prove that $\{(a, b)\}$ are nearly genuine samples from the $A_{s,\psi}$ distribution, hence the RLWE oracle produces a result for the $q$-BDD problem. The proof is structured as follows: first, show that $a$ is distributed uniformly in $R_q$ and that $b$ has the form $b = (a \star s)/q + \epsilon \bmod R^\vee$; then show that the secret key in RLWE gives rise to the solution $\theta_t^{-1}(s) = x \bmod qI^\vee$.
Proof. Since $z$ is sampled from the discrete Gaussian distribution $D_{I,r}$ with a large scale $r \ge \sqrt{2}\,q\,\eta_\epsilon(I)$, when reduced modulo $qI$ the reduced sample is almost uniformly distributed within $I_q$, and hence its image $a$ under the isomorphism $\theta_t^{-1}$ is also uniformly distributed within $R_q$.
For the second component, we can re-write it as
$$\begin{aligned} b &= ((z \bmod qI) \star y)/q + e' \bmod R^\vee \\ &= ((z \bmod qI) \star (x + e))/q + e' \bmod R^\vee \\ &= ((z \bmod qI) \star x)/q + ((z \bmod qI)/q) \star e + e' \bmod R^\vee . \end{aligned}$$
The key is to show that the first term is identical to $(a \star s)/q \bmod R^\vee$ and that the second and third terms combined are within negligible distance of the elliptical Gaussian $D_r$ over $K_\mathbb{C}$.
Given $z \bmod qI = \theta_t(a) = a \star t \bmod qI$, we have
$$\begin{aligned} & \theta_t(a) - a \star t = 0 \bmod qI \\ \Longrightarrow\ & \theta_t(a) - a \star t \in qI \\ \Longrightarrow\ & (\theta_t(a) - a \star t) \star x \in qII^\vee = qII^{-1}R^\vee = qR^\vee \\ \Longrightarrow\ & \theta_t(a) \star x = a \star t \star x \bmod qR^\vee . \end{aligned}$$
It follows from this and $\theta_t(x \bmod qI^\vee) = s$ that
$$\begin{aligned} (z \bmod qI) \star x &= \theta_t(a) \star x = a \star t \star x \bmod qR^\vee = a \star s \bmod qR^\vee \\ \Longrightarrow\ ((z \bmod qI) \star x)/q &= (a \star s)/q \bmod R^\vee . \end{aligned}$$
Therefore, we have proved that
$$b = (a \star s)/q + ((z \bmod qI)/q) \star e + e' \bmod R^\vee .$$
It remains to show that the other terms combined are close to the elliptical Gaussian $D_r$ over $K_\mathbb{C}$. We skip this step, which is proved in Lemma 4.8 of Lyubashevsky et al. (2010).
We have shown that the samples $\{(a, b)\}$ follow the RLWE distribution and hence are legitimate inputs for the RLWE oracle. Since the oracle outputs the secret key $s \in R_q^\vee$, by the induced isomorphism $\theta_t^{-1} : R_q^\vee \to I_q^\vee$ we have found $\theta_t^{-1}(s) = x \bmod qI^\vee$, the least significant digit of the K-BDD solution $x \in I^\vee$.
To recap, we have shown in this subsection a polynomial time classical reduction from K-BDD to the search RLWE problem. In order for the reduction to work, we need to know the prime factorization of the integer $q = q(n) \ge 2$. The number field $K$ need not be cyclotomic, so the result holds in general number fields.
In this subsection, we will re-state the RLWE problem in a special number field, i.e., the cyclotomic
field, which is the most common setting for RLWE-based cryptosystems. It is the working domain for
the search to decision reduction of the RLWE problem.
Recall the mth cyclotomic polynomial Φm (x) is the polynomial whose roots are the primitive mth
roots of unity. As we have seen in Remark 7.1.9, when m = 2n = 2k ≥ 2 is a positive power of
2, the corresponding cyclotomic polynomial has the simple algebraic form Φm (x) = xn + 1. Using
this cyclotomic polynomial, we can define $R = \mathbb{Z}[x]/(\Phi_m(x))$ to be the ring of integer coefficient polynomials modulo (the principal ideal generated by) $\Phi_m(x)$. This is the primary domain where RLWE is defined in the special case. There are two ways to interpret the ring $R$, stated below.
1. $R = \mathbb{Z}[x]/(x^n + 1)$ is a quotient ring where every polynomial in $R$ has integer coefficients and degree less than $n$.
2. $R = \mathbb{Z}[x]/(\Phi_m(x))$ is isomorphic to $\mathbb{Z}[\zeta_m]$, the ring of integers $O_K$ for the $m$-th cyclotomic field $K = \mathbb{Q}(\zeta_m)$. This interpretation is supported by Theorem 8.1.23. The choices of $m$ and $n$ are motivated by Lemma 8.3.10, which relates $O_K$ and its dual by a scaling factor, i.e., $O_K^\vee = n^{-1}O_K$. This simplifies the RLWE definition by allowing the secret polynomial $s$ to be sampled from the same domain as the public polynomial $a$, as in Definition 9.4.1.
The first interpretation is the natural one, but the second is more useful when proving hardness results for RLWE. We have already covered some important properties of $O_K$, such as that its fractional ideals form a unique factorisation domain, and its geometric interpretation under the canonical embedding.
To work in a finite domain, some elements in the following RLWE definition are taken from R
modulo a prime q, that is, Rq = Zq [x]/(Φm (x)), where the polynomial coefficients are in Zq . This
turns Rq into a field of order q n because each coefficient has q choices and there are n coefficients, see
Theorem B.1.11 for more details.
Recall that the reduction from search to decision LWE in Section 6.1 used a simple argument by guess-
ing each vector component of the secret key s using the decision LWE oracle. We plan to use the same
strategy to reduce the search to decision RLWE problem by calling the decision oracle to solve the
RLWE problem component by component. Also recall that the connection between a number field and
its geometrical embedding is via the canonical embedding (Section 8.2.1). The canonical embedding is
chosen over the coefficient embedding for several reasons, including the equivalence between number
field element multiplications and embedded canonical vectors’ component-wise multiplications.
A consequence of the component-wise operations is that a change in a single component of the secret polynomial $s$ leads to a change in a single component of the polynomial $b$, and vice versa. This is in contrast to the LWE case, where $b = s \cdot a + \epsilon$ involves the vector dot product, so a change in $s$ is not associated with a single component change in $b$, and vice versa. This raises the question of whether or not an RLWE oracle that is limited to discovering a single component of the secret vector is able to discover the entire $s$.
Hence, we need a way to leverage that oracle-distinguishable component to guess the value of all
the other components of the secret s, by using the automorphisms of the underlying cyclotomic field to
‘shuffle’ the components (Section 7.2). In addition, in shuffling the components and adding a guess for
each component of the secret s, we need to make sure
• a new sample $(a', b')$ presented to the decision RLWE oracle, obtained by transforming a given RLWE sample $(a, b)$, is close to a sample from an RLWE distribution when the guess is correct, and close to a sample from the uniform distribution when the guess is incorrect;
• the noise in the transformed $b'$ value stays in the noise distribution family $\Psi_{\le\alpha}$.
Below, we state the main theorem of this subsection. Its proof is divided into several parts in the rest of
this subsection. For details of these proofs, see Section 5 of Lyubashevsky et al. (2010).
Theorem 9.5.1. Let $R$ be the ring of integers of a cyclotomic field $K$ and $q = q(n) = 1 \bmod m$ be a prime such that $\alpha q \ge \eta_\epsilon(R^\vee)$ for some negligible $\epsilon = \epsilon(n)$. There is a randomized polynomial time reduction from the search problem RLWE$_{q,\Psi_{\le\alpha}}$ to the average-case decision problem RDLWE$_{q,\Upsilon_\alpha}$.
The search to decision RLWE reduction is achieved by a combination of four separate reductions
as shown in Figure 14. The first reduction is from RLWE to component-wise RLWE in the canonical
representation. The second reduction is from a component-wise search oracle to a worst-case decision
oracle. The third reduction is between a worst-case and average-case decision oracle. And the last
reduction guarantees that given an overall decision oracle it also works for a particular component.
[Figure 14: the four reductions from RLWE$_{q,\Psi_{\le\alpha}}$ to DRLWE$_{q,\Upsilon_\alpha}$]
Given a prime $q$ satisfying $q = 1 \bmod m$, the ideal $(q)$ in $R_q = \mathbb{Z}_q[x]/(\Phi_m(x))$ factors into $\varphi(m)$ distinct prime ideals: $(q) = \prod_{i \in \mathbb{Z}_m^*} q_i$. (See Example 8.1.26 for more details.) Further, by Lemmas 9.3.4, 9.3.5 and (18), there is an efficiently computable isomorphism between $R_q^\vee$ and $\bigoplus_{i \in \mathbb{Z}_m^*} (R^\vee/q_i R^\vee)$. Given that we are going to guess the secret key $s$ one component at a time in the canonical representation, this gives rise to the restricted RLWE definition.
Definition 9.5.2 ($q_i$-RLWE). Given
• an oracle that generates samples from the RLWE distribution $A_{s,\psi}$, for an arbitrary $s \in R_q^\vee$ and $\psi \in \Psi_{\le\alpha}$, and
• a prime ideal $q_i$ in the factorisation of $(q)$,
the $q_i$-RLWE$_{q,\Psi_{\le\alpha}}$ problem is to find $s \bmod q_i R^\vee$.
An important observation is that each prime ideal $q_i$ is mapped by the automorphisms in the Galois group to a different prime ideal. Recall that the key result (Theorem 7.2.6) in Section 7.2 states that the Galois group of a cyclotomic field $K = \mathbb{Q}(\zeta_m)$ is isomorphic to the integer multiplicative group, i.e.,
$$\mathrm{Gal}(K/\mathbb{Q}) \cong (\mathbb{Z}/m\mathbb{Z})^* .$$
If we think of each $i \in (\mathbb{Z}/m\mathbb{Z})^*$ as a function on the roots of unity given by $i : \zeta_m \mapsto \zeta_m^i$, then each automorphism $\tau$ in the Galois group is uniquely matched with a multiplicative integer $i$ if and only if $\tau(\zeta_m) = \zeta_m^i$.
All of this comes down to the observation that each automorphism $\tau \in \mathrm{Gal}(K/\mathbb{Q})$ maps the ring of integers $R$ to itself and its dual $R^\vee = \frac{1}{n}R$ to itself. More importantly, we have the next lemma.
It enables us to transfer between different prime ideals $q_i$ and $q_j$; that is, the Galois automorphisms act transitively on the prime ideals $q_j$. This helps with solving all components of the secret key $s$ in the CRT basis using a particular $q_i$-RLWE oracle. In other words, once we have an oracle for a single CRT component, we can use this oracle to solve for all the other components too.
Lemma 9.5.3 ($\tau_k(q_i) = q_{i/k}$). Let $\tau_k \in \mathrm{Gal}(K/\mathbb{Q})$ be an automorphism; then we have $\tau_k(q_i) = q_{i/k}$ for any $i, k \in \mathbb{Z}_m^*$.
For the proof of this lemma, see Lemma 2.16 of Lyubashevsky et al. (2010). Since a cyclotomic field is also a Galois extension field, for a more general result see Theorem 9.2.2 of Stein (2012), where $K$ is a Galois extension of $\mathbb{Q}$.
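A concrete toy instance of this factorisation and of Lemma 9.5.3, as an added example (written for this page; not code from Lyubashevsky et al. or the tutorial): for $n = 8$, $m = 2n = 16$ and the prime $q = 97 = 1 \bmod 16$, the $n$ prime ideals are $q_i = (q, x - \omega^i)$ for odd $i$, with $\omega$ a primitive 16th root of unity mod $q$; reducing $a \in R_q$ modulo $q_i$ is evaluation at $\omega^i$, and $\tau_k : x \mapsto x^k$ permutes these CRT components. The parameter choice and the evaluation-at-roots view of the components are assumptions of this example.

```python
# Added example (not from the tutorial): CRT components of R_q = Z_q[x]/(x^n + 1)
# and the Galois action on them, for the toy parameters n = 8, m = 2n = 16, q = 97.
# Polynomials are coefficient lists of length n with entries in [0, q).

def root_of_minus_one(n, q):
    """Smallest w with w^n = -1 mod q, i.e. a primitive 2n-th root of unity
    (n a power of two, q = 1 mod 2n).  The roots of x^n + 1 mod q are w^i, i odd."""
    for w in range(2, q):
        if pow(w, n, q) == q - 1:
            return w
    raise ValueError("no 2n-th root of unity: q must be 1 mod 2n")

def poly_mul_plain(a, b, q):
    """Ordinary (unreduced) product of two polynomials over Z_q."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return res

def factor_x_n_plus_1(n, q, w):
    """Multiplies out prod_{i odd} (x - w^i); the result equals x^n + 1 mod q,
    which is the statement (q) = prod_i q_i with q_i = (q, x - w^i), i in Z_{2n}^*."""
    prod = [1]
    for i in range(1, 2 * n, 2):
        prod = poly_mul_plain(prod, [(-pow(w, i, q)) % q, 1], q)
    return prod

def crt_components(a, n, q, w):
    """a mod q_i for each i in Z_{2n}^*: evaluation of a at w^i
    (one CRT component, i.e. one slot of the canonical representation)."""
    return {i: sum(c * pow(w, i * j, q) for j, c in enumerate(a)) % q
            for i in range(1, 2 * n, 2)}

def galois_automorphism(a, k, n, q):
    """tau_k : x -> x^k (k odd) on R_q, reduced with x^n = -1 (so x^{2n} = 1)."""
    res = [0] * n
    for j, c in enumerate(a):
        e = (j * k) % (2 * n)
        if e < n:
            res[e] += c
        else:
            res[e - n] -= c
    return [c % q for c in res]

def components_permuted_by_tau(a, k, n, q, w):
    """Checks (tau_k a) mod q_i == a mod q_{ik} for every i, which is
    tau_k(q_i) = q_{i/k} of Lemma 9.5.3 read in evaluation form."""
    before = crt_components(a, n, q, w)
    after = crt_components(galois_automorphism(a, k, n, q), n, q, w)
    return all(after[i] == before[(i * k) % (2 * n)] for i in before)

if __name__ == "__main__":
    n, q = 8, 97
    w = root_of_minus_one(n, q)
    print("omega =", w, "; x^n + 1 =", factor_x_n_plus_1(n, q, w))
    print(components_permuted_by_tau([1, 2, 3, 4, 5, 6, 7, 8], 3, n, q, w))
```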
We have shown that both $R$ and $R^\vee$ are closed under Galois automorphisms. To transfer an RLWE sample $(a, b)$ using an automorphism, we also need to make sure that the family $\Psi_{\le\alpha}$ of elliptical Gaussian distributions is closed under Galois automorphisms. This can be easily seen from the next lemma.
Lemma 9.5.4 ($\Psi_{\le\alpha}$ is closed under $\tau$). For any $\alpha > 0$, the family $\Psi_{\le\alpha}$ of elliptical Gaussian distributions is closed under Galois automorphisms of $K$; that is, for any $\tau \in \mathrm{Gal}(K/\mathbb{Q})$ and any $\psi \in \Psi_{\le\alpha}$, we have $\tau(\psi) \in \Psi_{\le\alpha}$.
Proof. Given an $n$-dimensional $K = \mathbb{Q}(\zeta)$, it has a power basis $\{1, \zeta, \dots, \zeta^{n-1}\}$. We know each Galois automorphism of $K$ maps $\zeta$ to a different root of unity. Under the canonical embedding, this automorphism permutes the components of $\zeta$, and so it permutes the components of any element in $K$. Since each $D_r \in \Psi_{\le\alpha}$ is a distribution over the space $K_\mathbb{C}$ that is isomorphic to the canonical space, $\tau(D_r)$ is still over the same space but with possibly a reordering of the scale vector $r$. Hence, $\tau(D_r) \in \Psi_{\le\alpha}$.
Proof. Assume there is a $q_i$-RLWE$_{q,\Psi_{\le\alpha}}$ oracle that solves $s \bmod q_i R^\vee$ from $A_{s,\psi}$ samples $\{(a, b)\} \subseteq R_q \times \mathbb{T}$ for arbitrary $s \in R_q^\vee$ and $\psi \in \Psi_{\le\alpha}$. We want to show that this oracle works for all CRT components, i.e., it solves $s \bmod q_j R^\vee$ for all $j \in \mathbb{Z}_m^*$.
Let $k \in \mathbb{Z}_m^*$ be such that $i = j/k$; then the automorphism $\tau_k \in \mathrm{Gal}(K/\mathbb{Q})$ maps an RLWE sample
$$(a, b) \mapsto \tau_k((a, b)) = (\tau_k(a), \tau_k(b)) = (\tau_k(a), \tau_k((a \star s)/q + \epsilon)).$$
Since $R$, $R^\vee$ and $\Psi_{\le\alpha}$ are closed under automorphisms, the transformed sample $\tau_k((a, b))$ is also in the domain $R_q \times \mathbb{T}$ and, most importantly, distributed according to $A_{\tau_k(s),\tau_k(\psi)}$. In addition, the prime ideal is mapped by $\tau_k(q_j) = q_{j/k} = q_i$, so we can use the $q_i$-RLWE$_{q,\Psi_{\le\alpha}}$ oracle to solve $\tau_k(s) \bmod q_i R^\vee$ from the transformed RLWE samples, because it works for an arbitrary secret key and error distribution. By taking the inverse of the automorphism $\tau_k$, we get an answer for the CRT component $\bmod\ q_j R^\vee$, that is,
$$\tau_k^{-1}(\tau_k(s) \bmod q_i R^\vee) \mapsto s \bmod \tau_k^{-1}(q_i)\,\tau_k^{-1}(R^\vee) = s \bmod q_j R^\vee .$$
Since this works for every $j \in \mathbb{Z}_m^*$, we get all the CRT components. Since all the prime ideals $q_i$ are also coprime and their product is the ideal $(q)$, by the CRT we have an induced isomorphism
$$R/(q) \cong \bigoplus_i (R/q_i) \;\Longrightarrow\; R/qR \cong \bigoplus_i (R/q_i R) \;\Longrightarrow\; R^\vee/qR^\vee \cong \bigoplus_i (R^\vee/q_i R^\vee),$$
where the last step is by the fact that $R^\vee = (1/n)R$. Therefore, according to this isomorphism, we can compute the entire secret $s \in R_q^\vee$.
As we recover the secret key component by component in the CRT representation, we add an extra
piece of information to an RLWE sample, not only at the component of interest, but all the components
before it. This gives rise to a new “hybrid” distribution as defined next and is used for the rest of the
proof of Theorem 9.5.1.
Definition 9.5.6 (Hybrid distribution). For a given RLWE distribution $A_{s,\psi}$ and an integer $i \in \mathbb{Z}_m^*$ in the multiplicative group, the hybrid RLWE distribution $A^i_{s,\psi}$ over $R_q^\vee \times \mathbb{T}$ is obtained by the following steps:
Note both indices $i$ and $j$ are integers coprime with $m$. Denote by $i^-$ the largest integer in $\mathbb{Z}_m^*$ that is smaller than $i$. By convention, denote $1^-$ to be 0 and $A^{1^-}_{s,\psi} = A^0_{s,\psi} = A_{s,\psi}$, the original RLWE distribution.
Definition 9.5.7 (WDRLWE$^i_{q,\Psi_{\le\alpha}}$). For $i \in \mathbb{Z}_m^*$, the worst-case decision RLWE relative to $q_i$ problem, denoted WDRLWE$^i_{q,\Psi_{\le\alpha}}$, is to distinguish between the hybrid RLWE distributions $A^{i^-}_{s,\psi}$ and $A^i_{s,\psi}$ for arbitrary $s \in R_q^\vee$ and $\psi \in \Psi_{\le\alpha}$.
Now we state and prove the second reduction. It works in a similar fashion as the search to decision
LWE reduction. That is, modify the original RLWE samples by adding an extra piece of information,
which incorporates the guess of one particular CRT component s mod qi R∨ .
Lemma 9.5.8. For any $i \in \mathbb{Z}_m^*$, there is a PPT reduction from $q_i$-RLWE$_{q,\Psi_{\le\alpha}}$ to WDRLWE$^i_{q,\Psi_{\le\alpha}}$.
Proof. Given an RLWE sample $(a, b) \leftarrow A_{s,\psi}$, we can construct a hybrid RLWE sample $(a, b + h/q) \in A^{i^-}_{s,\psi}$ by taking $h \leftarrow R_q^\vee$ such that $h \bmod q_j R^\vee$ is uniformly random and independent for $j \le i^-$ and
We omit the worst-case to average-case decision RLWE relative to qi reduction because the proof
uses mostly probability tools, but only state the average-case definition and the reduction lemma.
Definition 9.5.9. For $i \in \mathbb{Z}_m^*$ and a distribution $\Upsilon_\alpha$ over $\Psi_{\le\alpha}$, the average-case decision RLWE relative to $q_i$ problem, denoted DRLWE$^i_{q,\Upsilon_\alpha}$, is to distinguish with non-negligible probability the hybrid RLWE distributions $A^{i^-}_{s,\psi}$ and $A^i_{s,\psi}$ over the random choice $(s, \psi) \leftarrow U(R_q^\vee) \times \Upsilon_\alpha$.
Lemma 9.5.10. For any $\alpha > 0$ and every $i \in \mathbb{Z}_m^*$, there is a randomized polynomial time reduction from WDRLWE$^i_{q,\Psi_{\le\alpha}}$ to DRLWE$^i_{q,\Upsilon_\alpha}$.
Finally, the proof of Theorem 9.5.1 comes down to the last step, which shows that given a decision RLWE oracle, it solves the decision problem relative to $q_i$. This relies on the fact that the hybrid distribution $A^{m-1}_{s,\psi}$ is within negligible distance of the uniform distribution over the same domain.
Lemma 9.5.11. Let $\alpha \ge \eta_\epsilon(R^\vee)/q$ for some $\epsilon > 0$. For any $s \in R_q^\vee$ and error distribution $\psi \in \Psi_{\le\alpha}$ sampled according to the distribution $\Upsilon_\alpha$, the hybrid RLWE distribution $A^{m-1}_{s,\psi}$ is within statistical distance $\epsilon/2$ of the uniform distribution over $R_q \times \mathbb{T}$.
With this lemma, we are able to prove the final step as given next.
Lemma 9.5.12. There is a polynomial time reduction from DRLWE$^i_{q,\Upsilon_\alpha}$ to DRLWE$_{q,\Upsilon_\alpha}$ for some $i \in \mathbb{Z}_m^*$.
Proof. Given Lemma 9.5.11, it is not difficult to see that this lemma follows. We know $A^0_{s,\psi} = A_{s,\psi}$ is the RLWE distribution and $A^{m-1}_{s,\psi}$ is nearly uniform, so the DRLWE$_{q,\Upsilon_\alpha}$ oracle can distinguish the two; this is an easy task for the oracle.
If we bring the two distributions closer, say for $i \in \mathbb{Z}_m^*$ starting with $i = 1$, we ask the oracle to distinguish the two hybrid distributions $A^{i^-}_{s,\psi}$ and $A^i_{s,\psi}$. Intuitively, both distributions are close to the RLWE distribution for small $i$ and to the uniform distribution for large $i$, so the oracle will not distinguish them. But there must be an index $i$ at which $A^{i^-}_{s,\psi}$ is closer to the RLWE distribution and $A^i_{s,\psi}$ is closer to the uniform distribution, so the oracle can easily distinguish them. This index $i \in \mathbb{Z}_m^*$ is what is used in all the previous reduction steps that we have discussed.
To end this section, we state a simple RLWE-based public-key encryption scheme presented by Lyubashevsky et al. (2010).
Let $R = \mathbb{Z}[x]/(x^n + 1)$, where $n$ is taken to be a power of 2 to make the modulus polynomial cyclotomic, hence $R$ the ring of integers of a cyclotomic field. This is the domain for the secret key and noise polynomials, which are sampled according to a specific distribution $\chi$. The public key and ciphertexts are restricted to the domain $R_q = \mathbb{Z}_q[x]/(x^n + 1)$. The scheme is presented as follows, with slight modifications to be consistent with the BFV scheme that will be presented in the next section.
Decryption works if the parameters are properly set and the polynomials sampled from $R$ have small coefficients (according to the distribution $\chi$), because
$$u + v \cdot s = \lfloor q/2 \rfloor \cdot m + (e \cdot r + e_1 + e_2 \cdot s) \bmod q. \tag{33}$$
If those polynomials had large coefficients, the noise term after the multiplications would neither stay small modulo $q$ nor round to 0.
As for its security, the public key $(b, a)$ is an RLWE sample with the secret $s$, so it is pseudo-random, which implies there is no way to recover $s$, because that requires a solution to the search RLWE problem. In terms of semantic security (Definition 3.3.3), the pairs $(b, u - \lfloor q/2 \rceil \cdot m \bmod q)$ and $(a, v)$ are also RLWE samples with the corresponding secret $r$, so the ciphertext $c$ is pseudo-random too, which implies semantic security.
Public key: Sample random polynomials $a \leftarrow R_q$ and $e \leftarrow \chi$ and output the public key $(b = -[a \cdot s + e]_q,\ a)$.
Figure 15: A Sage implementation of the RLWE-based encryption scheme described above.
Note: This implementation is not suitable for use in real-world applications.
#!/usr/bin/env sage
import sage.stats.distributions.discrete_gaussian_integer as dgi

# Sample a polynomial in P with n small coefficients (discrete Gaussian, sigma = 1);
# this is the distribution chi used for the secret key and all noise terms
def sample_noise(n, P):
    D = dgi.DiscreteGaussianDistributionIntegerSampler(sigma=1.0)
    return P([D() for i in range(n)])

# Define parameters: R_q = Z_q[x]/(x^n + 1) with n a power of 2
q = 655360001
n = 2^10
R = PolynomialRing(Integers(q), name="x")
x = R.gen()
P = QuotientRing(R, x^n + 1)
Q = PolynomialRing(Rationals(), name="y")
Z2 = Integers(2)

# Generate keys: (b, a) is an RLWE sample under the secret key, hence pseudorandom
secret_key = sample_noise(n, P)
e = sample_noise(n, P)
a = P.random_element()
b = -(a*secret_key) + e
public_key = (b,a)

# Encrypt Message: binary coefficients, scaled by floor(q/2)
message = P([randrange(0,2) for i in range(n)])
r = sample_noise(n, P)
e1 = sample_noise(n, P)
e2 = sample_noise(n, P)
u = b*r + e1 + (q//2)*message
v = a*r + e2
ciphertext = (u,v)

# Decrypt Message: u + v*s = floor(q/2)*m + (e*r + e1 + e2*s), see Equation (33).
# Scaling each coefficient by 2/q and rounding sends the small noise to 0 (or to 2
# when the noise wrapped around to just below q) and floor(q/2) to 1, so reducing
# modulo 2 recovers the message bits.
w1 = u + v*secret_key
w2 = (2/q) * Q([ZZ(c) for c in w1.list()])
decrypted_message = P([Z2(c.round()).lift() for c in w2.list()])

# Verification
print(decrypted_message == message)
10 Homomorphic Encryption
Shortly after the RSA encryption scheme (Rivest et al., 1978b) was released, Rivest et al. (1978a) raised the question of whether it is possible to perform arithmetic operations (e.g., addition and multiplication) on encrypted data without the secret key, such that the results decrypt to what the same operations would have produced on the unencrypted data. An encryption scheme possessing such a property is called a homomorphic encryption scheme.
We formally define here the sub-routines of a public key homomorphic encryption (HE) scheme. Similar
to non-HE schemes, an HE scheme also has a key generation process, an encryption process, and a
decryption process. The difference is that an HE scheme consists of an extra evaluation process that
evaluates a function, which is often expressed as an arithmetic circuit on the ciphertexts, and produces
an “evaluated ciphertext”.
Definition 10.1.1. A homomorphic encryption scheme is a four-tuple of PPT algorithms
HE = (HE.Keygen, HE.Enc, HE.Eval, HE.Dec)
that takes the security parameter $\lambda$ as input. Each of the PPT algorithms is defined as follows:
• Setup: Given the security parameter $\lambda$, generate a parameter set params $= (n, q, N, \chi) \leftarrow$ HE.Setup$(1^\lambda)$ for the following steps.
• Key generation: Given the parameters generated above, the algorithm produces $(pk, sk, evk) \leftarrow$ HE.Keygen(params), a set of keys consisting of a public key, a secret key and an evaluation key.
• Encryption: The algorithm takes the public key and a plaintext $m$ (i.e., the secret message) and produces a ciphertext $c \leftarrow$ HE.Enc$(pk, m, n, q, N)$.
• Evaluation: Given the evaluation key, the function to evaluate $f : \{0,1\}^l \to \{0,1\}$ and a set of ciphertexts, the algorithm produces an evaluated ciphertext $c_f \leftarrow$ HE.Eval$(evk, f, c_1, \dots, c_l)$.
• Decryption: The algorithm decrypts the evaluated ciphertext using the secret key to find the corresponding plaintext $m_f \leftarrow$ HE.Dec$(sk, c_f)$.
This is a basic form of an HE scheme. A more complicated scheme may take extra input parameters for additional purposes, such as reducing the ciphertext noise magnitude.
The plaintext $m_f$ corresponds to the output of $f$ when applied to the plaintexts directly. If the decrypted ciphertext after evaluation does not match $m_f$, the HE scheme is considered unsuccessful. More formally, let $m_1$ and $m_2$ be two plaintexts, and let $pk$ and $sk$ be the public key and secret key for encryption and decryption, respectively. A homomorphic encryption scheme satisfies the property that for an operation $\circ$ in the plaintext space there is a corresponding operation $\bullet$ in the ciphertext space such that
\[ \mathrm{Dec}(sk, \mathrm{Enc}(pk, m_1) \bullet \mathrm{Enc}(pk, m_2)) = m_1 \circ m_2. \tag{34} \]
Most HE schemes have the same operations in both the plaintext and ciphertext spaces. That is, additions of ciphertexts decrypt to additions of plaintexts, and similarly for multiplications.
The name “homomorphic” is likely taken from the concept of a homomorphism in mathematics, which is a structure-preserving map between two algebraic structures. The analogy here is that the decryption function is a homomorphism from the ciphertext space to the plaintext space that preserves the corresponding operations in the two spaces, as stated in Equation (34).
It is important to note that the encryption function is not homomorphic, that is,
\[ \mathrm{Enc}(pk, m_1) \bullet \mathrm{Enc}(pk, m_2) \neq \mathrm{Enc}(pk, m_1 \circ m_2), \]
because encryption in HE is non-deterministic in order to satisfy semantic security (Definition 3.3.3). Recall that semantic security assures that, given a ciphertext $c$ that encrypts one of two messages $m_1$ and $m_2$, it is impossible for a PPT attacker to guess the source message from $c$ with a better chance than random guessing.
Example 10.1.2. The RSA encryption system, without message padding, is a homomorphic encryption system for multiplication. (Of course, without message padding, the RSA system is not semantically secure.)
Example 10.1.3. Here is a simple homomorphic encryption system given by Brakerski and Vaikuntanathan (2014). Let $s \in \mathbb{Z}_q^n$ be the secret key. The private message $m \in \{0,1\}$ is encrypted by
\[ c = (a,\ b = a \cdot s + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q, \]
where $e$ is a random noise of small magnitude. The decryption of this ciphertext with the secret key is done by
\[ m = ((b - a \cdot s) \bmod q) \bmod 2, \]
provided $e$ is small enough to ensure $b - a \cdot s = 2e + m$ is within $\mathbb{Z}_q$. Given two ciphertexts $c_1$ and $c_2$ that respectively encrypt the messages $m_1$ and $m_2$ as above, their sum can be easily computed by the bilinearity of the dot product, so
\[ c_1 + c_2 = (a_1 + a_2,\ b_1 + b_2) = (a_1 + a_2,\ (a_1 + a_2) \cdot s + 2(e_1 + e_2) + (m_1 + m_2)). \]
Decryption proceeds as before and produces the sum of the two messages $m_1 + m_2$, so the scheme is additively homomorphic. The scheme can also be shown to be multiplicatively homomorphic.
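As an added illustration (example code written for this edit, not from the paper or from Brakerski and Vaikuntanathan), the following Python implements Example 10.1.3 with the noise $e$ drawn uniformly from a small interval (an assumption; the text only requires small magnitude) and toy parameters $q = 101$, $n = 8$. It adds ciphertexts while tracking the exact accumulated noise $\sum_i (m_i + 2e_i)$, and finds the first number of additions at which that noise leaves the symmetric range of $\mathbb{Z}_q$ and decryption breaks, which is the noise ceiling discussed next.

```python
import random

def center(x, q):
    """Representative of x mod q in the symmetric range [-q/2, q/2]: the accumulated
    noise must land here, otherwise the wrap-around modulo q flips the parity bit."""
    x %= q
    return x - q if x > q // 2 else x

def keygen(n, q):
    """Secret key s uniform in Z_q^n, as in Example 10.1.3."""
    return [random.randrange(q) for _ in range(n)]

def encrypt(s, m, q, bound):
    """c = (a, b = a.s + 2e + m) with e uniform in [-bound, bound] (constructed noise
    distribution). Also returns the exact integer m + 2e so the noise can be tracked."""
    a = [random.randrange(q) for _ in s]
    e = random.randint(-bound, bound)
    b = (sum(ai * si for ai, si in zip(a, s)) + 2 * e + m) % q
    return (a, b), m + 2 * e

def decrypt(s, c, q):
    """m = ((b - a.s) mod q) mod 2; correct only while b - a.s = m + 2e is in the symmetric range."""
    a, b = c
    return center(b - sum(ai * si for ai, si in zip(a, s)), q) % 2

def add(c1, c2, q):
    """Coordinate-wise sum (a1 + a2, b1 + b2): encrypts m1 + m2 with noise 2(e1 + e2)."""
    (a1, b1), (a2, b2) = c1, c2
    return [(x + y) % q for x, y in zip(a1, a2)], (b1 + b2) % q

def homomorphic_sum(s, bits, q, bound):
    """Encrypt each bit, add all ciphertexts, decrypt. Returns (decrypted parity,
    expected parity, whether the exact accumulated noise is still below the ceiling q/2)."""
    acc, total = None, 0
    for m in bits:
        c, noise = encrypt(s, m, q, bound)
        acc = c if acc is None else add(acc, c, q)
        total += noise
    return decrypt(s, acc, q), sum(bits) % 2, abs(total) <= q // 2

def first_failure(s, q, bound):
    """Add one encryption of 1 to itself until decryption breaks. Returns (k, v): k is the
    first number of copies that decrypts wrongly and v = 1 + 2e is the per-copy noise,
    so the accumulated noise is k*v. At k = q the sum is 0 mod q, so a failure always exists."""
    c, v = encrypt(s, 1, q, bound)
    acc = c
    for k in range(2, q + 1):
        acc = add(acc, c, q)
        if decrypt(s, acc, q) != k % 2:
            return k, v
    return None

def demo(seed=7, q=101, n=8, bound=2):
    """Seeded run: sums of k ones for k = 1..10 (noise at most 10*5 = 50 = q//2, so all
    correct), then the first k at which repeated addition overflows the noise ceiling."""
    random.seed(seed)
    s = keygen(n, q)
    sums = [homomorphic_sum(s, [1] * k, q, bound) for k in range(1, 11)]
    return sums, first_failure(s, q, bound)

if __name__ == "__main__":
    sums, failure = demo()
    print(sums)
    print("first failing number of additions and per-copy noise:", failure)
```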
In many homomorphic encryption systems, the ciphertext noise increases after each homomorphic evaluation operation, and if the overall noise exceeds a threshold called the noise ceiling (e.g., the modulus $q$ in the above example), decryption can fail to output the correct result. Given a noise ceiling and the noise bound (on which the noise distribution is supported), the number of homomorphic evaluations that can be performed on the ciphertexts is usually restricted. The breakthrough made by Gentry (2009) enables an unlimited number of homomorphic evaluations on ciphertexts using squashing and bootstrapping, which are described in the next subsection. Below, we list a few commonly mentioned HE categories, grouped by the class of arithmetic circuits they can evaluate.
• Partially HE (PHE) - Schemes that can evaluate circuits containing only one type of arithmetic
gates, that is, either addition or multiplication, for unbounded circuit depth.
• Leveled HE (LHE) - Schemes that can evaluate circuits containing both addition and multipli-
cation gates, but only for a pre-determined multiplication depth L.
• Somewhat HE (SHE) - Schemes that can evaluate a subset of circuits containing both addition
and multiplication gates, whose complexity grows with the circuit depth. SHE is more general
than LHE. Examples include Gentry (2009, 2010).
• Leveled Fully HE - Almost identical to leveled HE, except these schemes can evaluate all
circuits of depth L. Examples include Brakerski and Vaikuntanathan (2014); Brakerski et al.
(2014); Brakerski (2012).
• Fully HE (FHE) - Schemes that can evaluate all circuits containing both addition and multi-
plication gates for unbounded circuit depth. Examples include Gentry (2009) and Brakerski
and Vaikuntanathan (2014); Brakerski et al. (2014); Brakerski (2012) under the weak circular
security, which guarantees security when using only one pair of secret and public keys.
As discussed above, noise growth needs to be well controlled during homomorphic evaluations in order to guarantee correct decryption. Under such a constraint, a scheme can only perform a certain number of arithmetic operations on ciphertexts, unless the ciphertext noise can be repeatedly reduced after evaluations. An obvious noise elimination method is ciphertext decryption, which completely clears the noise embedded in the ciphertext. So the question is how to utilize a scheme’s own decryption circuit to reduce noise growth and carry on with more homomorphic evaluations.
Gentry’s original construction to achieve FHE consists of three components. The first component is
a SHE scheme that can handle both addition and multiplication for a non-trivial but limited number of
steps. The second component is a squashing process to make the SHE scheme’s decryption step easier in
order to permit bootstrapping. The third component is the actual bootstrapping process that enables the
evaluation of the scheme’s own decryption circuit, plus an extra evaluation step. The key observation here is that during bootstrapping, a ciphertext is doubly encrypted and decrypted only from the inner layer. This is then followed by a single arithmetic step on the (singly encrypted) ciphertexts. The three components put together give a scheme whose ciphertext noise can be reduced before running the next arithmetic step, which consequently leads to FHE. A formal definition of bootstrappable is stated next.
Definition 10.2.1. A scheme is $\mathcal{C}$-homomorphic if it can evaluate any circuit in the class $\mathcal{C}$.
Definition 10.2.2. Let HE be a $\mathcal{C}$-homomorphic scheme and let $f^{c_1,c_2}_{\mathrm{add}}(s)$ and $f^{c_1,c_2}_{\mathrm{mult}}(s)$ be two decryption functions augmented by an addition and a multiplication, respectively. Then HE is bootstrappable if $\{f^{c_1,c_2}_{\mathrm{add}}(s),\ f^{c_1,c_2}_{\mathrm{mult}}(s)\}_{c_1,c_2} \subseteq \mathcal{C}$, that is, the two augmented decryption functions are in the class.
The definition suggests that decryption needs to be simple enough that not only is it in $\mathcal{C}$, but it can also be followed by an arithmetic operation to allow further evaluation. To ensure this, Gentry added a “hint” to the ciphertext to make decryption simpler. This process is later known as squashing. Next, we restate the simple concrete HE scheme by Dijk et al. (2010) that was also used by Gentry (2010) to illustrate the squashing and bootstrapping concepts.
Set the parameters N = λ, P = λ2 and Q = λ5 for the given security parameter λ. The (secret
key) encryption scheme consists of the following steps:
However, it is not bootstrappable due to the complexity of the decryption step. More precisely, the decryption function $(c \bmod p) \bmod 2$ is equivalent to $\mathrm{LSB}(c)\ \mathrm{XOR}\ \mathrm{LSB}(\lfloor c/p \rceil)$, where LSB is the least significant bit. The most time-consuming step in the decryption function is the multiplication of two large numbers, $c \cdot (1/p)$. To simplify this multiplication, Gentry’s idea is to replace $c \cdot (1/p)$ by a sum over a small set of numbers, which is known as the sparse subset sum problem (SSSP). This sum is the “hint” to decryption that reduces its running time and consequently permits bootstrapping. The modified scheme is as follows:
• Key generation: First, generate $(pk, sk) \leftarrow \mathrm{Keygen}(\lambda)$, where $sk = p$ is the odd integer. Then generate a real vector $y \in [0, 2)^{\beta}$ such that there exists a subset of indices $S \subseteq \{1, \dots, \beta\}$ of size $\alpha$ with $\sum_{i \in S} y_i \approx 1/p \pmod 2$, which approximates the original secret key $sk$. Finally, output the keys $(pk^*, sk^*)$, where $pk^* = (pk, y)$ and $sk^* = S$. When $\alpha$ and $\beta$ are set properly, given the set $y$ and $1/p$, it is hard to find the subset of indices $S$, which is the new secret key $sk^*$. So the “hint” is added to the public key.
• Encryption: First, compute $c \leftarrow \mathrm{Enc}(pk, m)$. Then compute $z_i = c \cdot y_i$. Finally, output $c^* = (c, z)$.
• Decryption: Run $\mathrm{LSB}(c)\ \mathrm{XOR}\ \mathrm{LSB}(\lfloor c/p \rceil)$, where we approximate $c/p$ by $\lfloor \sum_{i \in S} z_i \rceil$. From the key generation step, we know that $\sum_{i \in S} z_i = \sum_{i \in S} c \cdot y_i = c \cdot \sum_{i \in S} y_i \approx c \cdot (1/p) \pmod 2$. The summation is over a small subset and is relatively easier to compute than the multiplication of two long numbers.
This revised scheme is also both additively and multiplicatively homomorphic, which is achieved by extracting the ciphertext $c$ from $c^*$ and then applying the addition and multiplication operations as in the original scheme. The cost of squashing the decryption is the scheme’s security, which is now also based on the hardness assumption of SSSP, in addition to the scheme’s original security assumption. In other words, the attacker is also given the encryption of the secret key under the corresponding public key. This situation is properly dealt with by the additional security assumption stated next, which is necessarily assumed when pursuing FHE.
Definition 10.2.3. A public key encryption scheme is weak circular secure if it is CPA secure even in
the presence of the encryption of the secret key bits.
It is worth keeping in mind that this concrete scheme is only a simplified illustration of Gentry’s
original SHE construction based on ideal lattices (Gentry, 2009). Besides his breakthrough to achieve
FHE using squashing and bootstrapping, Gentry’s work also inspired a great number of subsequent
developments in FHE, especially those that tried to improve efficiency without using squashing and
bootstrapping. In the next few subsections, we will see a sequence of such works.
We will cover the body of work in Brakerski and Vaikuntanathan (2014); Brakerski et al. (2014); Brakerski (2012); Fan and Vercauteren (2012) that was inspired by Regev (2009)’s scheme. These second-generation homomorphic encryption schemes are more efficient than Gentry’s original construction and are also based on standard lattice problems via the learning with errors problem.
The first work in this line of research is Brakerski and Vaikuntanathan (2014). Without using bootstrapping, Brakerski and Vaikuntanathan were able to construct an SHE scheme BV* (see footnote 13) that can perform a non-trivial number of homomorphic evaluations. With an additional dimension-modulus reduction step, described in Section 10.4, the scheme’s efficiency can be further improved to achieve leveled FHE without using Gentry (2010)’s squashing idea, which needs an extra hardness assumption to guarantee a scheme’s security.
The scheme is similar to Regev’s scheme, which we describe in Section 1.3, but with minor changes
and an evaluation key specifically for homomorphic multiplications. Given the security parameter λ,
BV∗ produces the parameters
Key generation
The important part of the key generation, which does not appear in Regev’s scheme, is the generation of the evaluation key for relinearization, a term that will be explained in detail next. First, run Regev’s secret key generation to produce a sequence of secret vectors
\[ s_0, \dots, s_L \leftarrow \mathrm{BV}^*.\mathrm{SecretKeygen}(n, q), \quad \text{where } s_i = (1, t_i) \text{ and } t_i \leftarrow \mathbb{Z}_q^n,\ \forall i \in [0, L]. \]
Each of the $L$ secret keys will then be embedded in the evaluation key that is used for relinearizing quadratic terms that appear during homomorphic multiplications. In particular, the evaluation key is a
[13] We name the scheme after the authors’ surname initials.
Decryption
The decryption is also identical to Regev.Dec$(sk, c)$, but the rounding operation is omitted because of the setting $t = q$, so the noise can be eliminated by taking modulo 2. To decrypt the ciphertext $c_L = ([P^T r + m]_q, L)$, which has gone through the complete circuit, the algorithm computes
\[ \big[[c \cdot s_L]_q\big]_2 \leftarrow \mathrm{BV}^*.\mathrm{Dec}(s_L, c, q). \]
Substituting terms into the dot product, we get
\[ [c \cdot s_L]_q = \big[(b^T r + m) - t_L^T A^T r\big]_q = \big[m + 2e^T r\big]_q. \]
As long as the noise is well controlled such that the whole term m + 2eT r is within the symmetric range
Zq , the decryption process will output the correct message m, after taking modulo 2 to get rid of the
noise. Note the fresh ciphertext is encrypted under s0 , but after it has gone through L multiplications, it
becomes a ciphertext encrypted under sL , which explains why we have tL in the second equality in the
above derivation.
Homomorphic evaluation
The function $f : \{0,1\}^t \to \{0,1\}$ to be evaluated is represented as a binary arithmetic circuit. As multiplications incur most of the noise and a ciphertext carries a tag to track the multiplicative depth, it is convenient to construct the circuit with arbitrary fan-in for addition “+” and fan-in 2 for multiplication “×”. Furthermore, its layers are organized so that each contains only one type of arithmetic operation; that is, no layer contains both addition and multiplication gates. Finally, the circuit is assumed to have multiplicative depth exactly $L$ (see footnote 14).
For notational convenience, denote $f_c(x) := [c \cdot x]_q$, so that evaluating the function at $x = s$ is equivalent to decrypting the ciphertext under the secret key. The evaluation algorithm $\mathrm{BV}^*.\mathrm{Eval}(evk, f, c_1, \dots, c_t)$ is defined separately for addition and multiplication, as done next. The key thing to note is that the ciphertext, after going through each circuit gate, should satisfy the invariant property
\[ f_c(x) := [c \cdot x]_q = [m + 2e]_q \tag{36} \]
for some noise term $e$ that is not so large that the whole term exceeds the range $\mathbb{Z}_q$. If it is beyond the range, there is no guarantee that the noise can be eliminated by taking modulo 2. If the invariant property is maintained through all circuit gates, the final evaluated output can then be decrypted to the correct message. Therefore, checking that the evaluations are homomorphic reduces to checking that the invariant property holds throughout the arithmetic circuit.
To check that $c^l_{add}$ satisfies the invariant Equation (36), we show that the decryption of the additive ciphertext equals the sum of the messages. That is,
\[
\begin{aligned}
f_{c_{add}}(s_l) &= [c_{add} \cdot s_l]_q \\
&= [(c_1 + \cdots + c_t) \cdot s_l]_q \\
&= \big[[c_1 \cdot s_l]_q + \cdots + [c_t \cdot s_l]_q\big]_q \\
&= [f_{c_1}(s_l) + \cdots + f_{c_t}(s_l)]_q \\
&= \big[(m_1 + \cdots + m_t) + \underbrace{2(e_1 + \cdots + e_t)}_{\text{noise}}\big]_q.
\end{aligned}
\]
So long as the aggregated noise is well controlled such that the entire term is still within $\mathbb{Z}_q$, the decryption step will output the correct summed message after a further reduction modulo 2.
Homomorphic multiplication  The homomorphic multiplication algorithm involves the important relinearization step, which reduces a quadratic function to a linear one by approximation. To prove that multiplication is also homomorphic, we need to define $c_{mult}$ and prove that $f_{c_{mult}}(x) = [f_{c_1}(x) \cdot f_{c_2}(x)]_q$, just as in the homomorphic addition case. The trouble is that when multiplying two functions of $x[i]$, it
[14] This circuit construction equalizes the number of multiplications and the multiplicative depth $L$. But in practice, what matters most to the noise growth is the degree of the function being evaluated, not the number of multiplications. For example, both functions $f(a, b, c) = a \cdot b + b \cdot c$ and $g(a, b, c) = a \cdot b \cdot c$ contain two multiplications, but $g$ is a degree-three polynomial, hence incurs more noise after being evaluated.
becomes a quadratic function of $x[i]$. More precisely, writing $f_c(x) = [\sum_{i=0}^{n} h_i \cdot x[i]]_q$ as a function of $x[i]$, where the coefficient set $(h_0, \dots, h_n)$ is the ciphertext $c$, we have
\[ [f_{c_1}(x) \cdot f_{c_2}(x)]_q = \Big[\Big(\sum_{i=0}^{n} h_i \cdot x[i]\Big)\Big(\sum_{j=0}^{n} h_j \cdot x[j]\Big)\Big]_q = \Big[\sum_{i,j=0}^{n} h_{i,j} \cdot x[i] \cdot x[j]\Big]_q. \tag{38} \]
The number of coefficients, which is essentially the ciphertext size, has gone up to approximately $n^2/2$, compared to $n + 1$ coefficients in the previous linear function.
Relinearization  One solution is to approximate the quadratic function by a linear function, a step known as relinearization. It means the quadratic terms will be replaced by their linear approximations, with proper protections such as “encrypting” $s_l[i] \cdot s_l[j]$ under a new secret key to make it a fresh linear ciphertext. More precisely, let the new secret key be $\dot s = (1, \dot t)$ and the corresponding public key be $\dot P$, then call the previous encryption subroutine to get the “ciphertext”
\[ \dot c_{i,j} \leftarrow \mathrm{BV}^*.\mathrm{Enc}(\dot P, s_l[i] \cdot s_l[j], n, q, N, l), \quad \text{where} \quad \dot c_{i,j} = \big[\dot t^T (A^T r) + s_l[i] \cdot s_l[j] + 2e^T r \ \big|\ {-A^T r}\big]_q. \]
The ciphertext can also be decrypted by taking the dot product with the new secret vector, so we get
\[ f_{\dot c_{i,j}}(\dot s) = [\dot c_{i,j} \cdot \dot s]_q = \big[\cancel{\dot t^T (A^T r)} + s_l[i] \cdot s_l[j] + 2e^T r - \cancel{(A^T r) \cdot \dot t}\big]_q. \]
If the noise $2e^T r$ has small magnitude, the quadratic term $[s_l[i] \cdot s_l[j]]_q \approx [\dot c_{i,j} \cdot \dot s]_q$ can be well approximated by the dot product. So the evaluation of Equation (38) at $x = s_l$ becomes a linear function of the new secret vector $\dot s$, as shown below:
\[ [f_{c_1}(s_l) \cdot f_{c_2}(s_l)]_q = \Big[\sum_{i,j=0}^{n} h_{i,j} \cdot s_l[i] \cdot s_l[j]\Big]_q \approx \Big[\sum_{i,j=0}^{n} h_{i,j} \cdot (\dot c_{i,j} \cdot \dot s)\Big]_q = \Big[\sum_{k=0}^{n} \dot h_k \cdot \dot s[k]\Big]_q, \]
with only $(n + 1)$ coefficients, a considerable reduction from its original quadratic form.
To further guarantee an accurate approximation of the quadratic function, it is necessary to keep each coefficient $h_{i,j}$ as small as possible, so that if $[s_l[i] \cdot s_l[j]]_q \approx [\dot c_{i,j} \cdot \dot s]_q$ holds with small error, then the error stays small when multiplying each side by the coefficient: $[h_{i,j} \cdot s_l[i] \cdot s_l[j]]_q \approx [h_{i,j} \cdot \dot c_{i,j} \cdot \dot s]_q$. To achieve this, write the coefficient $h_{i,j}$ in its binary form
\[ h_{i,j} = \sum_{\tau=0}^{\lfloor \log q \rfloor} 2^\tau \cdot h_{i,j,\tau} \bmod q = \Big[\sum_{\tau=0}^{\lfloor \log q \rfloor} 2^\tau \cdot h_{i,j,\tau}\Big]_q, \]
where each $h_{i,j,\tau} \in \{0,1\}$ and $\lfloor \log q \rfloor$ is the maximum bit length minus 1 for samples in $\mathbb{Z}_q$. The second equality is satisfied by the definition of $[\cdot]_q$, in which $[x]_q = x \bmod q$. Substituting this into the ciphertext multiplication, the LHS of the above approximation becomes
\[ [f_{c_1}(s_l) \cdot f_{c_2}(s_l)]_q = \Big[\sum_{\substack{0 \le i,j \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,j,\tau} \cdot (2^\tau \cdot s_l[i] \cdot s_l[j])\Big]_q. \tag{39} \]
By now, it should be clear why the evaluation key was set up in that particular form. With this approximation, when evaluating Equation (39) at $x = s_l$, it follows that
\[ [f_{c_1}(s_l) \cdot f_{c_2}(s_l)]_q = \Big[\sum_{\substack{0 \le i,j \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,j,\tau} \cdot (2^\tau \cdot s_l[i] \cdot s_l[j])\Big]_q \approx \Big[\sum_{\substack{0 \le i,j \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,j,\tau} \cdot (b_{l+1,i,j,\tau} - a_{l+1,i,j,\tau} \cdot s_{l+1})\Big]_q. \tag{40} \]
We are now ready to define the multiplicative ciphertext for the inputs $c^l_1$ and $c^l_2$ as follows:
\[ c^{l+1}_{mult} = (c_{mult}, l + 1) \leftarrow \mathrm{BV}^*.\mathrm{Mult}(evk = \Psi, c^l_1, c^l_2, q), \]
where
\[ c_{mult} = \Big(\Big[\sum_{\substack{0 \le i,j \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,j,\tau} \cdot b_{l+1,i,j,\tau}\Big]_q,\ \Big[\sum_{\substack{0 \le i,j \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,j,\tau} \cdot a_{l+1,i,j,\tau}\Big]_q\Big) \in \mathbb{Z}_q^{n+1}. \tag{41} \]
To verify that $c_{mult}$ satisfies the invariant property in Equation (36), we work through the following derivation, where every sum runs over $0 \le i,j \le n$ and $0 \le \tau \le \lfloor \log q \rfloor$:
\[
\begin{aligned}
[c_{mult} \cdot s_{l+1}]_q
&= \Big[\sum h_{i,j,\tau} \cdot b_{l+1,i,j,\tau} - \sum h_{i,j,\tau} \cdot a_{l+1,i,j,\tau} \cdot s_{l+1}\Big]_q \\
&= \Big[\sum h_{i,j,\tau} \cdot (b_{l+1,i,j,\tau} - a_{l+1,i,j,\tau} \cdot s_{l+1})\Big]_q \\
&= \Big[\sum h_{i,j,\tau} \cdot (2e_{l+1,i,j,\tau} + 2^\tau \cdot s_l[i] \cdot s_l[j])\Big]_q \\
&= \Big[f_{c_1}(s_l) \times f_{c_2}(s_l) + \sum h_{i,j,\tau} \cdot 2e_{l+1,i,j,\tau}\Big]_q \\
&= \Big[(m_1 + 2e_1) \times (m_2 + 2e_2) + \sum h_{i,j,\tau} \cdot 2e_{l+1,i,j,\tau}\Big]_q \\
&= \Big[m_1 \times m_2 + 2\underbrace{\big(m_1 \cdot e_2 + m_2 \cdot e_1 + 2e_1 \cdot e_2 + \sum h_{i,j,\tau} \cdot e_{l+1,i,j,\tau}\big)}_{\text{noise}}\Big]_q. \qquad (42)
\end{aligned}
\]
Therefore, to guarantee that decryption correctly produces $m_1 \times m_2$, it is necessary to keep the noise small enough that the whole term in Equation (42) stays within $\mathbb{Z}_q$.
The BV* scheme presented above (with relinearization) produces a ciphertext $c$ in the domain $\mathbb{Z}_q^{(n+1)}$, with maximum bit length $(n + 1) \log q$, which is considered quite large for large values of $n$ and $q$. To reduce it, and consequently reduce the decryption complexity so as to make the scheme bootstrappable (without the need for squashing), Brakerski and Vaikuntanathan (2014) perform a dimension-modulus reduction at the completion of the homomorphic evaluations. This reduction step was later used in Brakerski et al. (2014) and Brakerski (2012) to achieve leveled FHE without bootstrapping. Below, we discuss dimension-modulus reduction and how it helps to reduce the ciphertext bit length.
Proof. By definition of the modulo operation, there exists a unique integer $k$ such that $[c \cdot s]_q = c \cdot s - kq \in [-q/2, q/2)$. Using the integer $k$, we can define a noise term
\[ e_p = c' \cdot s - kp \in \mathbb{Z}. \]
Taking modulo $p$, the noise satisfies $e_p = [c' \cdot s]_p \bmod p$. If we can show $e_p = [c' \cdot s]_p$ without taking modulo $p$, it then follows that
\[ [c' \cdot s]_p = e_p = c' \cdot s - kp \equiv c \cdot s - kq = [c \cdot s]_q \pmod 2. \]
To show $e_p = [c' \cdot s]_p$, it is sufficient to prove that its norm satisfies $\|e_p\| < p/2$. Rewrite the noise as
\[ e_p = c' \cdot s + \frac{p}{q} \cdot (-kq) = c' \cdot s + \frac{p}{q} \cdot ([c \cdot s]_q - c \cdot s) = \frac{p}{q} \cdot [c \cdot s]_q + \Big(c' - \frac{p}{q} \cdot c\Big) \cdot s. \]
We can show its norm satisfies
\[
\begin{aligned}
\|e_p\| &= \Big\|\frac{p}{q} \cdot [c \cdot s]_q + \Big(c' - \frac{p}{q} \cdot c\Big) \cdot s\Big\| \\
&\le \frac{p}{q} \cdot \|[c \cdot s]_q\| + \Big\|\Big(c' - \frac{p}{q} \cdot c\Big) \cdot s\Big\| \\
&\le \frac{p}{q} \cdot \|[c \cdot s]_q\| + \sum_{i=1}^{n} \Big\|c'[i] - \frac{p}{q} \cdot c[i]\Big\| \cdot \|s[i]\| \\
&\le \frac{p}{q} \cdot \|[c \cdot s]_q\| + \sum_{i=1}^{n} 1 \cdot \|s[i]\| \\
&\le \frac{p}{q} \cdot \|[c \cdot s]_q\| + \|s\| \\
&< p/2.
\end{aligned}
\]
The last inequality follows from the assumption on the vector $s$ stated in the Lemma’s premises. The third-last inequality follows because $c'$ is close to $(p/q) \cdot c$ and they are congruent modulo 2, so each element differs by at most 1.
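Added example (written for this edit, not the paper’s code) of the modulus switching step the lemma analyses: each coordinate of $c$ is scaled by $p/q$ and rounded to the nearest integer of the same parity, so $c' \equiv c \pmod 2$ and $|c'[i] - (p/q) c[i]| \le 1$, and the noise bound $\|e_p\| \le (p/q)\|[c \cdot s]_q\| + \|s\|$ is checked numerically. It assumes a short ternary secret $s = (1, t)$ (standing in for the lemma’s premise on $\|s\|$), the ciphertext convention $c \cdot s = m + 2e \pmod q$, and constructed odd moduli $q = 1000003$ and $p = 1009$.

```python
import random

def center(x, q):
    """Symmetric representative of x mod q, i.e. [x]_q in the paper's notation."""
    x %= q
    return x - q if x > q // 2 else x

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def small_secret(n, bound=1):
    """s = (1, t) with small t: the lemma bounds the switched noise by ||s||, so the
    secret must be short (a constructed ternary secret stands in for chi-hat)."""
    return [1] + [random.randint(-bound, bound) for _ in range(n)]

def encrypt(s, m, q, noise_bound):
    """c = (b, -a) with b = a.t + 2e + m, so c.s = m + 2e (mod q); coordinates kept in [0, q)
    because the parity condition c' = c (mod 2) refers to these integer representatives."""
    t = s[1:]
    a = [random.randrange(q) for _ in t]
    b = (dot(a, t) + 2 * random.randint(-noise_bound, noise_bound) + m) % q
    return [b] + [(-ai) % q for ai in a]

def decrypt(s, c, q):
    return center(dot(c, s), q) % 2

def modulus_switch(c, q, p):
    """c' = closest integer vector to (p/q) c with c'[i] = c[i] (mod 2).  Integers of a
    fixed parity are spaced by 2, so the chosen c'[i] is within 1 of (p/q) c[i]."""
    out = []
    for ci in c:
        f = (p * ci) // q
        cands = [x for x in (f - 1, f, f + 1, f + 2) if x % 2 == ci % 2]
        out.append(min(cands, key=lambda x: abs(p * ci - q * x)))
    return out

def switch_and_check(s, c, q, p):
    """Return ([c.s]_q, [c'.s]_p, decryption under p, whether the lemma's bound holds)."""
    e_q = center(dot(c, s), q)            # m + 2e, the noise under the large modulus
    c2 = modulus_switch(c, q, p)
    e_p = center(dot(c2, s), p)           # the noise e_p from the proof, under p
    norm1 = sum(abs(si) for si in s)
    # |e_p| <= (p/q) |[c.s]_q| + ||s||, written with integers only (multiply by q)
    within_bound = abs(e_p) * q <= p * abs(e_q) + norm1 * q
    return e_q, e_p, decrypt(s, c2, p), within_bound

def demo(seed=3, n=8, q=1000003, p=1009, noise_bound=50000):
    """Seeded run for both message bits with noise of size up to about q/10: after the
    switch to p the noise shrinks by roughly p/q while the parity, hence m, survives."""
    random.seed(seed)
    s = small_secret(n)
    return [(m,) + switch_and_check(s, encrypt(s, m, q, noise_bound), q, p) for m in (0, 1)]

if __name__ == "__main__":
    for m, e_q, e_p, dec, ok in demo():
        print(f"m={m}  noise mod q={e_q}  noise mod p={e_p}  decrypted={dec}  bound ok={ok}")
```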
Encryption and decryption  The encryption and decryption steps are identical to those of BV*, but with a different decryption parameter (the modulus $p$):
\[ c^l = \big(c = [P^T r + m]_q,\ l\big) \leftarrow \mathrm{BV}.\mathrm{Enc}(P, m, n, q, N), \]
\[ m = \big[[\hat c \cdot (1, \hat s)]_p\big]_2 \leftarrow \mathrm{BV}.\mathrm{Dec}(\hat s, \hat c, p). \]
Dimension-modulus reduction  By Lemma 10.4.3, modulus reduction is a valid step that guarantees correct decryption. In Brakerski and Vaikuntanathan (2014), the modulus reduction is made possible by multiplying the decryption-equivalent function $f_c(x) = c \cdot x$ by the factor $p/q$ to scale its coefficients down into the new domain, giving a new decryption-equivalent function
\[ \phi(x) = \Big[\frac{p}{q} \cdot \frac{q + 1}{2} \cdot (c \cdot x)\Big]_p = \Big[\sum_{i=0}^{n} h_i \cdot \frac{p}{q} \cdot x[i]\Big]_p, \]
where the coefficients $h_i$ are those of $\frac{q+1}{2} \cdot c$. The term $(q + 1)/2$ is the inverse of 2 modulo $q$. It is useful for getting rid of the coefficient in front of the encrypted message $m$.
The reduction of ciphertext dimension is achieved by approximating the longer vector $x$ by a shorter one. It follows the same approximation strategy as for the quadratic terms in BV*. The first step is to write $h_i$ in binary form to keep the approximation error small. The function then becomes
\[ \phi(x) = \Big[\sum_{\substack{0 \le i \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,\tau} \cdot \Big(\frac{p}{q} \cdot 2^\tau \cdot x[i]\Big)\Big]_p. \]
The term inside the bracket now looks like part of $\hat b_{i,\tau}$ in the evaluation key $\hat\psi_{i,\tau}$, so the function can be approximated using the second half of the evaluation key as
\[ \phi(x) \approx \Big[\sum_{\substack{0 \le i \le n \\ 0 \le \tau \le \lfloor \log q \rfloor}} h_{i,\tau} \cdot \big(\hat b_{i,\tau} - \hat a_{i,\tau} \cdot \hat s\big)\Big]_p. \]
10.4.3 BV is bootstrappable
To see that BV is bootstrappable and hence can be made fully HE within a pre-determined level (i.e., leveled FHE), we introduce the function class Arith$[L, T]$, which consists of arithmetic circuits over the message space $\{0,1\}$ with only addition and multiplication gates, such that each circuit has $2L + 1$ layers, where the odd layers contain only addition gates with fan-in $T$ and the even layers contain only multiplication gates with fan-in 2. The following theorem states that BV and BV* are capable of evaluating arithmetic circuits of a certain size.
Theorem 10.4.4 (Theorem 4.3 of Brakerski and Vaikuntanathan (2014)). Let $n = n(\lambda) \ge 5$ be a polynomial in the security parameter, $q \ge 2^{n^\epsilon} \ge 3$ be an odd modulus for $\epsilon \in (0,1)$, $\chi$ be an $n$-bounded distribution and $N = (n + 1) \log q + 2\lambda$. Furthermore, let $k = \lambda$, $p = 16nk \log(2q)$ be odd and $\hat\chi$ be a $k$-bounded distribution. Then BV* and BV are both Arith$[L = \Omega(\epsilon \log n), T = \sqrt{q}]$-homomorphic.
As it was further proved in Lemma 4.6 of Brakerski and Vaikuntanathan (2014) that BV’s decryption is a circuit with fan-in 2 and $O(\log k + \log \log p)$ depth, the decryption circuit is in Arith$[O(\log k), 1]$, even with an augmented addition or multiplication gate. Hence, as long as the parameter $n$ is made sufficiently large, the decryption circuit is included in the class Arith$[L = \Omega(\epsilon \log n), T = \sqrt{q}]$, which implies that the encryption scheme BV is bootstrappable and can be made leveled FHE. The generation of the relinearization key requires the circuit’s maximum level to be pre-specified, which constrains the scheme from getting to (non-leveled) FHE. This can be avoided by assuming weak circular security, which reduces the relinearization key to just one pair of keys and hence removes the prerequisite that $L$ be pre-determined.
BitDecomp$_q(x)$  Let $x = (x_1, \dots, x_n) \in \mathbb{Z}^n$ and $l = \lceil \log q \rceil$. Each $x_i \bmod q$ can be written in binary representation (from least significant bit to most significant bit) as follows:
\[ x_1 = (x_{1,0}, \dots, x_{1,l-1}), \quad \dots, \quad x_n = (x_{n,0}, \dots, x_{n,l-1}). \]
Let $w_i = (x_{1,i}, \dots, x_{n,i})$ be the vector of $i$-th bits. The bit decomposition function is defined as
\[ \mathrm{BitDecomp}_q(x) \to (w_0, \dots, w_{l-1}). \]
The $w_i$’s so constructed satisfy $x = \sum_{i=0}^{l-1} 2^i \cdot w_i \bmod q$.
For example, consider the case $x = (1, 3) \in \mathbb{Z}^2$, $q = 4$ and $l = \lceil \log 4 \rceil = 2$. The decomposed vectors are $w_0 = (1, 1)$ and $w_1 = (0, 1)$, and they satisfy
\[ \sum_{i=0}^{1} 2^i \cdot w_i = 1 \cdot (1, 1) + 2 \cdot (0, 1) = (1, 3) = x \bmod 4. \]
So $\mathrm{BitDecomp}_q(x) = (1, 1, 0, 1) \in \{0,1\}^4$.
PowersOfTwo$_q(y)$  Let $y \in \mathbb{Z}^n$. The powers-of-two function produces a vector by multiplying $y$ by $2^i$ modulo $q$ for each $i \in [0, l - 1]$. That is,
\[ \mathrm{PowersOfTwo}_q(y) \to [(y,\ y \cdot 2,\ \dots,\ y \cdot 2^{l-1})]_q \in \mathbb{Z}_q^{nl}. \]
If $y = (3, 2)$, then $\mathrm{PowersOfTwo}_4(y) = (3, 2, 2, 0)$.
It is not hard to see the next equality: the dot product of the two vectors is congruent to the dot product of the two functions modulo $q$, that is, $\langle \mathrm{BitDecomp}_q(x), \mathrm{PowersOfTwo}_q(y) \rangle \equiv \langle x, y \rangle \pmod q$, which then gives equality of the two dot products in the range $\mathbb{Z}_q$.
SwitchKeyGen$_{q,\chi}(s_1, s_2)$  This function encrypts the value of $\mathrm{PowersOfTwo}_q(s_1)$ under the secret key $s_2 = (1, t_2)$. The steps are as follows. Sample a matrix $A_{s_1:s_2} \leftarrow \mathbb{Z}_q^{N_1 \times n_2}$ and a noise vector $e_{s_1:s_2} \leftarrow \chi^{N_1}$. Then compute
\[ b_{s_1:s_2} = [A_{s_1:s_2} t_2 + e_{s_1:s_2} + \mathrm{PowersOfTwo}_q(s_1)]_q \in \mathbb{Z}_q^{N_1}, \]
and output $P_{s_1:s_2} = (b_{s_1:s_2} \mid -A_{s_1:s_2})$, so that $P_{s_1:s_2} s_2 = b_{s_1:s_2} - A_{s_1:s_2} t_2$.
SwitchKey$_q(P_{s_1:s_2}, c_{s_1})$  To transform a ciphertext $c_{s_1} \in \mathbb{Z}_q^{n_1+1}$ to a new one encrypted under the secret key $s_2$, compute
\[ c_{s_2} = [\mathrm{BitDecomp}_q(c_{s_1})^T P_{s_1:s_2}]_q \in \mathbb{Z}_q^{n_2+1}. \]
To verify that this transformation preserves the secret message (as proved by Lemma 3 of Brakerski et al. (2014)), we see that for $s_i = (1, t_i)$
\[
\begin{aligned}
[c_{s_2} \cdot s_2]_q &= \big[[\mathrm{BitDecomp}_q(c_{s_1})^T P_{s_1:s_2}]_q \cdot s_2\big]_q \\
&= [\mathrm{BitDecomp}_q(c_{s_1})^T (P_{s_1:s_2} s_2)]_q \\
&= [\mathrm{BitDecomp}_q(c_{s_1})^T (b_{s_1:s_2} - A_{s_1:s_2} \cdot t_2)]_q \\
&= [\mathrm{BitDecomp}_q(c_{s_1})^T (e_{s_1:s_2} + \mathrm{PowersOfTwo}_q(s_1))]_q \\
&= [\mathrm{BitDecomp}_q(c_{s_1}) \cdot e_{s_1:s_2} + \mathrm{BitDecomp}_q(c_{s_1}) \cdot \mathrm{PowersOfTwo}_q(s_1)]_q \\
&= [c_{s_1} \cdot s_1 + \underbrace{\mathrm{BitDecomp}_q(c_{s_1}) \cdot e_{s_1:s_2}}_{\text{error}}]_q.
\end{aligned}
\]
The error is of small magnitude because $\mathrm{BitDecomp}_q(c_{s_1})$ is a binary vector. This also reveals the motivation for defining the vector decomposition procedure.
The security of the key switching procedure needs both functions to be secure. The second function SwitchKey$_q(P_{s_1:s_2}, c_{s_1})$ is obviously semantically secure, because its output is a transformation of the original ciphertext, which is encrypted by a semantically secure procedure; if it were not semantically secure, it would give a PPT algorithm to solve the LWE problem. The first function’s output is the auxiliary information $P_{s_1:s_2}$, so its security means this output must be computationally indistinguishable from a uniform matrix sampled from the same domain $\mathbb{Z}_q^{N_1 \times (n_2 + 1)}$. This again relies on the result that DLWE is hard to solve. See Lemma 3.6 of Brakerski (2012) or Lemma 4 of Brakerski et al. (2014) for a more formal statement of the security of SwitchKeyGen$_{q,\chi}(s_1, s_2)$.
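The following Python is an added example (written for this edit, not the paper’s code nor the BV or BGV authors’ code) that implements BitDecomp$_q$, PowersOfTwo$_q$, SwitchKeyGen and SwitchKey as defined above and checks the dot-product identity on the page’s $q = 4$ values. It then uses a key-switching key for the secret $s \otimes s$ to relinearize a tensored ciphertext $c_1 \otimes c_2$, which is the BV* homomorphic multiplication of Section 10.3 (Equations 39 to 42) expressed through these two functions. Assumptions: $N_1 = (n_1 + 1)\lceil \log q \rceil$, noise of the form $2e$ with $e$ uniform in a small interval so the LSB encoding $c \cdot s = m + 2e$ is preserved, the ciphertext layout $c = (b, -a)$ for $s = (1, t)$, and toy values $q = 65537$, $n = 4$.

```python
import random

def center(x, q):
    """Symmetric representative of x mod q, so small signed noise is recovered exactly."""
    x %= q
    return x - q if x > q // 2 else x

def dot(u, v, q):
    return sum(a * b for a, b in zip(u, v)) % q

def bit_decomp(x, q):
    """BitDecomp_q(x) = (w_0, ..., w_{l-1}): w_i collects the i-th bit of every coordinate."""
    nbits = (q - 1).bit_length()                       # l = ceil(log2 q)
    return [((xi % q) >> i) & 1 for i in range(nbits) for xi in x]

def powers_of_two(y, q):
    """PowersOfTwo_q(y) = [(y, 2y, ..., 2^{l-1} y)]_q, ordered to pair with bit_decomp."""
    nbits = (q - 1).bit_length()
    return [(yi << i) % q for i in range(nbits) for yi in y]

def secret_keygen(n, q):
    """Regev-style secret s = (1, t) with t uniform in Z_q^n."""
    return [1] + [random.randrange(q) for _ in range(n)]

def encrypt(s, m, q, bound=3):
    """Symmetric encryption of a bit: c = (b, -a) with b = a.t + 2e + m, so c.s = m + 2e.
    The noise e is uniform in [-bound, bound], a constructed stand-in for chi."""
    t = s[1:]
    a = [random.randrange(q) for _ in t]
    b = (dot(a, t, q) + 2 * random.randint(-bound, bound) + m) % q
    return [b] + [(-ai) % q for ai in a]

def decrypt(s, c, q):
    return center(dot(c, s, q), q) % 2

def switch_key_gen(s1, s2, q, bound=3):
    """SwitchKeyGen: encrypt PowersOfTwo_q(s1) under s2 = (1, t2).  Row k of P is
    (b_k, -a_k) with b_k = a_k.t2 + 2e_k + PowersOfTwo_q(s1)[k], so row_k . s2 = 2e_k + 2^i s1[j]
    (noise doubled to keep the LSB encoding; assumption of this example)."""
    t2 = s2[1:]
    P = []
    for v in powers_of_two(s1, q):
        a = [random.randrange(q) for _ in t2]
        b = (dot(a, t2, q) + 2 * random.randint(-bound, bound) + v) % q
        P.append([b] + [(-ai) % q for ai in a])
    return P

def switch_key(P, c1, q):
    """SwitchKey: c2 = BitDecomp_q(c1)^T P mod q, the same bit now encrypted under s2.
    c2.s2 = c1.s1 + 2 <BitDecomp_q(c1), e>, and the second term is small because the
    decomposition is a 0/1 vector."""
    d = bit_decomp(c1, q)
    return [sum(dk * row[j] for dk, row in zip(d, P)) % q for j in range(len(P[0]))]

def tensor(u, v, q):
    """u (x) v flattened to u[i]*v[j]; <c1 (x) c2, s (x) s> = <c1, s> <c2, s>."""
    return [(ui * vj) % q for ui in u for vj in v]

def relinearized_product(c1, c2, P, q):
    """Homomorphic multiplication: the tensored ciphertext decrypts under s (x) s to
    (m1 + 2e1)(m2 + 2e2); key switching brings it back to n + 1 coordinates under s_new."""
    return switch_key(P, tensor(c1, c2, q), q)

def demo(seed=1, n=4, q=65537):
    """Seeded run over all bit pairs; returns (m1, m2, decrypted product, |noise| after switching)."""
    random.seed(seed)
    s, s_new = secret_keygen(n, q), secret_keygen(n, q)
    P = switch_key_gen(tensor(s, s, q), s_new, q)      # relinearization key: s (x) s -> s_new
    out = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(s, m1, q), encrypt(s, m2, q)
            c_mult = relinearized_product(c1, c2, P, q)
            noise = abs(center(dot(c_mult, s_new, q), q))
            out.append((m1, m2, decrypt(s_new, c_mult, q), noise))
    return out

if __name__ == "__main__":
    for m1, m2, prod, noise in demo():
        print(f"{m1} * {m2} -> {prod}   noise after relinearization: {noise}")
```

With $(n+1)^2 \lceil \log q \rceil = 425$ key rows and $|e| \le 3$, the noise after switching is at most $49 + 2 \cdot 3 \cdot 425 = 2599$, far below $q/2$, which is why every product decrypts correctly.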
As mentioned above, the BGV scheme can be made leveled FHE without using the computationally expensive bootstrapping step. This is achieved by iteratively refreshing an evaluated (especially multiplicative) ciphertext by modulus switching. The BGV scheme also uses Regev’s encryption scheme as its building block. Its security assumption, however, is based on the hardness of either LWE or RLWE. The two problems are summarized as General LWE (GLWE), with a binary indicator where $b = 0$ indicates LWE and $b = 1$ indicates RLWE. For this reason, the encryption scheme needs a slightly different parameter set params $= (n, d, q, N, \chi)$ to incorporate the RLWE problem, where $d$ corresponds to the quotient polynomial degree in RLWE.
Below we present each step of the BGV scheme, after a brief note on tensor products.
Tensor product. For $n$-dimensional vectors $x$ and $y$, their tensor product $x \otimes y$ is an $n \times n$ matrix, or equivalently an $n^2$-dimensional vector, whose entries have the form $x[i] \cdot y[j]$. For example, for the vectors $x = (x_1, x_2)$ and $y = (y_1, y_2)$, their tensor product is the $2 \times 2$ matrix
\[
x \otimes y = \begin{pmatrix} x_1 y_1 & x_1 y_2 \\ x_2 y_1 & x_2 y_2 \end{pmatrix}.
\]
The tensor product appears in ciphertext multiplication, whose result is a function of the entries $x[i] \cdot y[j]$. A property of the tensor product that will be useful later is
\[
\langle x \otimes y, v \otimes w \rangle = \langle x, v \rangle \cdot \langle y, w \rangle .
\]
This relation is particularly useful when decrypting a tensored ciphertext with a tensored secret key, $\langle c_1 \otimes c_2, s_1 \otimes s_2 \rangle = \langle c_1, s_1 \rangle \cdot \langle c_2, s_2 \rangle$, so the two decryptions can be carried out separately.
Setup. Given the security parameter $\lambda$, the multiplicative depth $L$ of the arithmetic circuit and the GLWE indicator $b \in \{0, 1\}$, the scheme starts by choosing parameter values that make the corresponding GLWE problem $2^\lambda$-secure. It also fixes an extra parameter $\mu = \mu(\lambda, L, b) = \Theta(\log \lambda + \log L)$ that determines the size of the moduli. More precisely, for each level $j \in \{L, L-1, \ldots, 0\}$ the Setup step generates a parameter set
\[
\mathit{params}_j \leftarrow \mathrm{BGV.Setup}(1^\lambda, 1^{(j+1)\cdot\mu}, b),
\]
which includes a ladder of moduli $q_L, \ldots, q_0$ whose sizes decrease from $(L+1)\cdot\mu$ bits to $\mu$ bits. These moduli are used in modulus switching to manage ciphertext noise.
Key generation. For $j = L$ down to $0$, generate a sequence of secret vectors as the BGV secret key:
\[
sk = \{s_L, \ldots, s_0\} \leftarrow \mathrm{BGV.SecretKeygen}(\{n_j, q_j\}_j),
\]
where $s_j = (1, t_j)$ with $t_j \leftarrow \mathbb{Z}_{q_j}^{n_j}$ for LWE and $t_j \leftarrow \chi^{n_j}$ from the domain $R_{q_j}^{n_j}$ for RLWE.
These secret vectors are used in key switching, where a ciphertext is transformed into another ciphertext under a different secret key. To allow key switching, compute the tensor product of each $s_j$ with itself,
\[
s'_j = s_j \otimes s_j .
\]
For all $j \in [L-1, 0]$, "encrypt" the tensor product $s'_{j+1}$ under the next secret vector $s_j$ by running the key switching sub-routine, producing the auxiliary information
\[
\tau_{s'_{j+1} \to s_j} \leftarrow \mathrm{SwitchKeyGen}(s'_{j+1}, s_j).
\]
Finally, use Regev's public key generation step to produce a sequence of random matrices as part of the BGV public key,
\[
P_j = [b_j \mid -A_j] \leftarrow \mathrm{BGV.PublicKeygen}(s_j = (1, t_j), N, \chi, \mathit{params}_j), \quad \text{for all } j \in [L, 0],
\]
where $A_j \leftarrow \mathbb{Z}_{q_j}^{N \times n_j}$ and $b_j = [A_j t_j + 2e]_{q_j}$ for a random noise vector $e \leftarrow \chi^N$.
In summary, the public key of the BGV scheme is
\[
pk = \{P_L, \ldots, P_0, \tau_{s'_L \to s_{L-1}}, \ldots, \tau_{s'_1 \to s_0}\} \leftarrow \mathrm{BGV.PublicKeygen}(sk, \mathit{params}).
\]
Encryption. The encryption of a message $m \in \{0, 1\}$ is identical to Regev's encryption: generate a random vector $r \leftarrow \{0, 1\}^N$ and compute the ciphertext
\[
c = \big[P_L^T r + m\big]_{q_L} \leftarrow \mathrm{BGV.Enc}(P_L, m, n_L, q_L, N),
\]
with $m$ added to the first coordinate, the one that pairs with the leading $1$ of $s_L = (1, t_L)$.
Decryption. The decryption of a ciphertext encrypted under the secret key $s_j$ is also identical to Regev's decryption:
\[
\Big[[c \cdot s_j]_{q_j}\Big]_2 \leftarrow \mathrm{BGV.Dec}(s_j, c, q_j).
\]
Homomorphic evaluation. Given two ciphertexts $c_1$ and $c_2$ encrypted under the same secret key $s_j$, homomorphic addition and multiplication produce the evaluated ciphertexts
\[
c_{add} = c_1 + c_2, \qquad c_{mult} = c_1 \cdot c_2,
\]
where addition is performed component-wise as in Equation (37) and multiplication is the expansion of the ciphertext product as in Equation (38). Both evaluated ciphertexts are coefficient vectors of linear equations over the tensor product $x \otimes x$, so they are decrypted with the secret key $s'_j = s_j \otimes s_j$.
Refresh. The key component of BGV is the refresh step, performed after each homomorphic evaluation. It contains two sub-routines.
1. Switch key: the first sub-routine transforms a ciphertext into another ciphertext that encrypts the same message under a different secret key. Denote by $c^{s'_j}_{q_j} \in \{c_{add}, c_{mult}\}$ a ciphertext encrypted under the secret key $s'_j$; then
\[
c^{s_{j-1}}_{q_j} \leftarrow \mathrm{SwitchKey}_{q_j}\big(\tau_{s'_j \to s_{j-1}}, c^{s'_j}_{q_j}\big).
\]
2. Switch modulus: the second sub-routine reduces the ciphertext modulus in order to widen the gap between the noise ceiling and the ciphertext noise, while reducing both values at the same time. It runs the scale function to produce
\[
c^{s_{j-1}}_{q_{j-1}} \leftarrow \mathrm{Scale}\big(c^{s_{j-1}}_{q_j}, q_j, q_{j-1}, 2\big).
\]
The BGV scheme is simpler than BV in the sense that it does not relinearize quadratic ciphertexts. In addition, the scheme is a leveled FHE scheme with no bootstrapping, and its hardness is based on GLWE. The correctness of BGV is proved separately for each step by Lemmas 6, 7, 8, 9 and 10 of Brakerski et al. (2014), respectively. Most of the hard work for these correctness proofs has already been done in the correctness proofs of the building-block encryption scheme and of the modulus switching and key switching routines. The intuition is identical to the correctness of the previous schemes: so long as the noise is well controlled and does not wrap around the modulus $q_j$ (the noise ceiling), decryption produces the correct message. Section 5.4 of Brakerski et al. (2014) shows that the parameters of BGV can be set to guarantee this.
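The two Refresh sub-routines above, key switching and modulus switching, worked through in plain Python on toy LWE parameters. This is an added example, not code from the tutorial or from Brakerski et al. (2014). It assumes: symmetric Regev-style encryption of a single bit with the message in the low-order position and even noise, $[c \cdot s]_q = m + 2e$, matching $b_j = [A_j t_j + 2e]_{q_j}$ above; ternary secrets $t$, so that the $\ell_1(s)$ term of modulus switching stays small (the page makes the analogous choice $t_j \leftarrow \chi^{n_j}$ for RLWE); uniform noise in $[-4, 4]$ in place of a discrete Gaussian; and the illustrative values $n = 4$, $q = 2^{20} + 7$, $q' = 2^{12} + 3$, all far below any real security level. The function names (`bit_decomp`, `switch_key_gen`, `scale`, `refresh_demo`) are this example's own.

```python
import random
from fractions import Fraction

def sym_mod(x, q):
    """Symmetric representative of x mod q, in (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def bit_decomp(c, q):
    """BitDecomp_q: expand each coordinate (reduced into [0, q)) into its bits, LSB first."""
    ell = q.bit_length()
    return [((x % q) >> j) & 1 for x in c for j in range(ell)]

def powers_of_two(s, q):
    """PowersOfTwo_q: replace each coordinate s_i by (s_i, 2 s_i, ..., 2^(ell-1) s_i) mod q."""
    ell = q.bit_length()
    return [(x << j) % q for x in s for j in range(ell)]

def keygen(rng, n, secret_bound=1):
    """s = (1, t) with small t (assumption: a small secret keeps the l1(s) term of Scale tiny)."""
    return [1] + [rng.randint(-secret_bound, secret_bound) for _ in range(n)]

def encrypt(rng, s, m, q, noise_bound):
    """Symmetric Regev-style encryption of a bit with [c . s]_q = m + 2e (noise kept even)."""
    a = [rng.randrange(q) for _ in range(len(s) - 1)]
    e = rng.randint(-noise_bound, noise_bound)
    return [(dot(a, s[1:]) + 2 * e + m) % q] + [(-x) % q for x in a]

def decrypt(s, c, q):
    return sym_mod(dot(c, s), q) % 2

def noise(s, c, q):
    return abs(sym_mod(dot(c, s), q))

def switch_key_gen(rng, s1, s2, q, noise_bound):
    """P = [b | -A] with b = A t2 + 2e + PowersOfTwo_q(s1): row i encrypts one 2^j s1_i under s2."""
    n2 = len(s2) - 1
    P = []
    for target in powers_of_two(s1, q):
        a = [rng.randrange(q) for _ in range(n2)]
        e = rng.randint(-noise_bound, noise_bound)
        P.append([(dot(a, s2[1:]) + 2 * e + target) % q] + [(-x) % q for x in a])
    return P

def switch_key(P, c1, q):
    """c2 = BitDecomp_q(c1)^T P, a ciphertext of the same bit under s2."""
    d = bit_decomp(c1, q)
    return [sum(di * row[j] for di, row in zip(d, P)) % q for j in range(len(P[0]))]

def scale(c, q, q_new, r=2):
    """Scale(c, q, q', r): nearest integer vector to (q'/q) c that is congruent to c mod r."""
    out = []
    for x in c:
        x = sym_mod(x, q)
        exact = Fraction(x * q_new, q)
        y = round(exact)
        if (y - x) % r:                       # wrong residue: step toward the exact value
            y += 1 if exact > y else -1
        out.append(y % q_new)
    return out

def refresh_demo(seed=0, n=4, q=2**20 + 7, q_new=2**12 + 3, noise_bound=4):
    """Encrypt under s1, key-switch to s2, modulus-switch q -> q_new; report bits and noise."""
    rng = random.Random(seed)
    s1, s2 = keygen(rng, n), keygen(rng, n)
    P = switch_key_gen(rng, s1, s2, q, noise_bound)
    results = []
    for m in (0, 1):
        c1 = encrypt(rng, s1, m, q, noise_bound)
        c2 = switch_key(P, c1, q)     # same bit under s2; noise grows by 2<BitDecomp(c1), e>
        c3 = scale(c2, q, q_new)      # same bit modulo q_new; noise shrinks by about q_new/q
        results.append({"m": m,
                        "dec": (decrypt(s1, c1, q), decrypt(s2, c2, q), decrypt(s2, c3, q_new)),
                        "noise": (noise(s1, c1, q), noise(s2, c2, q), noise(s2, c3, q_new))})
    return results

if __name__ == "__main__":
    for r in refresh_demo():
        print(r)
```

Running `refresh_demo()` shows the noise of the switched ciphertext growing by at most $2 \cdot \ell_1(e_{s_1:s_2})$ under $s_2$ and then shrinking to a handful of units after scaling to $q'$, while the decrypted bit is unchanged at every stage. The parity fix in `scale` keeps $c' \equiv c \pmod 2$ coordinate-wise; with $q$ and $q'$ both odd, this is exactly what preserves the parity of $[c \cdot s]$ across the modulus change.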
In addition to removing the dependence on bootstrapping, BGV can also reduce per-gate computation by basing its security on the RLWE problem. Per-gate computation is measured as the ratio of the time taken to compute on ciphertexts to the time taken to compute on plaintexts. For security parameter $\lambda$ and circuit multiplicative depth $L$, the per-gate computation $\tilde{\Omega}(\lambda^4)$ of BV is reduced to $\tilde{O}(\lambda \cdot L^3)$ in BGV, and can be further reduced to $\tilde{O}(\lambda^2)$ when bootstrapping is used as an optimisation technique.
As a further simplification and improvement of their previous works, Brakerski (2012) proposed an encryption scheme that works with a single fixed modulus $q$ and instead scales the ciphertext down by a factor of $q$ at each multiplication. We call this scheme B after the sole author's surname initial. The name "scale invariant" indicates that the scheme does not step down through a ladder of moduli as BGV does. Given a ciphertext $c \in \mathbb{Z}_q^n$, the fractional ciphertext $\hat{c} = c/q$ has entries in the symmetric range $[-1/2, 1/2)$. The benefits of working with fractional ciphertexts are threefold. First, it simplifies the scheme by not having a series of moduli and switching between them iteratively. Second, it makes the evaluation noise grow only linearly in the noise distribution bound $B$, and consequently requires a smaller noise ceiling $q$ to guarantee decryption. For this reason, fractional ciphertexts appear only in homomorphic multiplications. Finally, on the security side, this work enables a classical reduction from the $\mathrm{GapSVP}_{n^{O(\log n)}}$ problem, with a quasi-polynomial approximation factor. This improves on Peikert (2009), in which a classical reduction for the same modulus size $q \approx 2^{n/2}$ can only be built from $\mathrm{GapSVP}_{2^{\Omega(n)}}$, an exponential factor that makes the lattice problem easy and hence unusable by HE schemes that want to rely on a classical reduction from lattice problems.
We now state the procedures of B, which uses the same building blocks as the previous schemes.
Setup. The parameters are the same as in BV. That is, there is a pre-determined depth $L = L(n)$ for the arithmetic circuits to be evaluated and a parameter set $\mathit{params} = (n, q, N, \chi)$.
Key generation. In this scheme, fresh ciphertexts enter the circuit at level $0$ and fully evaluated ciphertexts are produced at level $L$. Sample a sequence of secret vectors
\[
s_0, \ldots, s_L \leftarrow \mathrm{B.SecretKeygen}(n, q),
\]
where $s_i = (1, t_i)$ with a random vector $t_i \leftarrow \mathbb{Z}_q^n$. Generate a public key as usual by
\[
P_0 = [b \mid -A] \leftarrow \mathrm{B.PublicKeygen}(t_0, \mathit{params}),
\]
where $A \leftarrow \mathbb{Z}_q^{N \times n}$ and $b = [A t_0 + e]_q$ for a random noise vector $e \leftarrow \chi^N$. Furthermore, to allow key switching during homomorphic evaluation, first compute for each $i \in [1, L]$ the tensor product of the bit decomposition of $s_{i-1}$ with itself,
\[
\tilde{s}_{i-1} = \mathrm{BitDecomp}(s_{i-1}) \otimes \mathrm{BitDecomp}(s_{i-1}),
\]
then compute the auxiliary information
\[
P_{(i-1):i} \leftarrow \mathrm{SwitchKeyGen}(\tilde{s}_{i-1}, s_i).
\]
The final output of the key generation process is
\[
(pk, sk, evk) \leftarrow \mathrm{B.Keygen}(\mathit{params}), \quad \text{where } pk = P_0,\ sk = s_L,\ evk = \{P_{(i-1):i}\}_{i \in [1, L]}.
\]
Encryption and decryption. The two processes are identical to Regev's encryption and decryption, respectively. That is,
\[
c = \Big[P_0^T r + \Big\lfloor \frac{q}{2} \Big\rfloor \cdot m\Big]_q \leftarrow \mathrm{B.Enc}(P_0, m, n, q, N), \qquad
m = \Big[\Big\lfloor \frac{2}{q} \cdot [c \cdot s_L]_q \Big\rceil\Big]_2 \leftarrow \mathrm{B.Dec}(s_L, c, q).
\]
Homomorphic evaluation. Addition and multiplication are defined separately, but both follow a two-step process. The first step produces an intermediate ciphertext in the powers-of-two format:
\[
\tilde{c}_{add} = \mathrm{PowersOfTwo}(c_1 + c_2) \otimes \mathrm{PowersOfTwo}((1, 0, \ldots, 0)), \qquad
\tilde{c}_{mult} = \Big\lfloor \frac{2}{q} \cdot \mathrm{PowersOfTwo}(c_1) \otimes \mathrm{PowersOfTwo}(c_2) \Big\rceil .
\]
The tensor product with a dummy vector in the additive ciphertext ensures correct decryption when taking the dot product with the corresponding secret vector in the following key switching step. At gate $i$, the input ciphertexts are decryptable by $s_{i-1}$, so these intermediate tensored ciphertexts are decryptable by the tensored secret vector $\tilde{s}_{i-1}$. The second step transforms an intermediate ciphertext into a ciphertext (no longer in tensor product format) under the new secret vector $s_i$. That is, for $\tilde{c} \in \{\tilde{c}_{add}, \tilde{c}_{mult}\}$, compute
\[
c = \mathrm{SwitchKey}(P_{(i-1):i}, \tilde{c}).
\]
This completes the scheme, which, as claimed, is a simpler construction than the previous HE schemes. The homomorphic properties and security can be proved similarly to the previous schemes; see Theorem 4.2 and Lemma 4.1 of Brakerski (2012). Furthermore, the scheme is a leveled FHE scheme without bootstrapping and can be made non-leveled by assuming weak circular security (Corollary 4.5 of Brakerski (2012)), as in the BV scheme.
We finish this section by introducing the BFV scheme (Fan and Vercauteren, 2012), whose security is based solely on the RLWE problem. Despite its similarity to the aforementioned schemes, it made HE practical by explicitly stating the parameters needed to achieve a given security level. We will therefore emphasise the analysis of the noise bounds of the ciphertexts output by the different subroutines, rather than presenting the homomorphic operations, most of which have already been discussed in the preceding subsections.
BFV is built upon the RLWE-based encryption scheme LPR (Lyubashevsky et al., 2010) stated at the end of the previous section. Its plaintext space is generalised from $R_2$ in the simplified scheme to $R_t$, which also means the scaling factor is now $\Delta = \lfloor q/t \rfloor$ rather than $\lfloor q/2 \rfloor$. Besides that, the underlying domain $R_q = \mathbb{Z}_q[x]/(\Phi_m(x))$ is generalised to an arbitrary $m$-th cyclotomic ring for a suitable modulus $q$ and cyclotomic polynomial $\Phi_m(x)$, although the preferred choice is still $\Phi_m(x) = x^n + 1$ with $m$ a power of $2$ and $n = m/2$.
A technical term that often appears in the analysis of BFV's noise bounds is the expansion factor. When multiplying two polynomials $a = a_0 + a_1 x + \cdots + a_d x^d$ and $b = b_0 + b_1 x + \cdots + b_d x^d$, the coefficient of $x^i$ in $a \cdot b$ [15] can be much larger than $a_i \cdot b_i$, because several pairs of terms contribute to degree $i$ (and, after reduction modulo $\Phi_m(x)$, higher-degree terms wrap around). For this reason, we define the expansion factor of the polynomial ring as
\[
\delta_R = \max\{\, \|a \cdot b\| / (\|a\| \cdot \|b\|) \mid a, b \in R \,\},
\]
where $\|a\| = \max_i |a_i|$ is the largest coefficient of the polynomial in absolute value. For $R = \mathbb{Z}[x]/(x^n + 1)$ one has $\delta_R = n$. It is worth mentioning that the expansion factor appears only when analysing noise bounds in the polynomial (coefficient) embedding, not in the canonical embedding, in which multiplication is element-wise.
Let $c_i = (u_i, v_i)$ be a ciphertext. Decryption works by first computing
\[
[f_{c_i}(s)]_q = [u_i + v_i \cdot s]_q \tag{43}
\]
\[
= \Delta \cdot m_i + e'_i, \tag{44}
\]
where $e'_i = e \cdot r + e_1 + e_2 \cdot s$ as shown in Equation (33), followed by multiplication by the fraction $t/q$, rounding, and reduction modulo $t$, that is,
\[
\mathrm{Dec}(s, c_i) = \Big[\Big\lfloor \frac{t \cdot [f_{c_i}(s)]_q}{q} \Big\rceil\Big]_t .
\]
After multiplying by $t/q$, the coefficient $t/q \cdot \Delta$ rounds to $1$ and $t/q \cdot \text{noise}$ rounds to $0$, so decryption is guaranteed correct after taking the final $[\cdot]_t$. Notice that homomorphic addition only incurs an extra additive noise term of size at most a factor of $t$, because $\|r_t\| \leq 1$ and $r_t(q) = q \bmod t < t$ by construction. The incurred noise is usually much smaller than the noise ceiling $q$.
Homomorphic multiplication. Similar to the previous schemes, much of the effort in BFV's construction deals with relinearization after homomorphic multiplication. The noise growth after a ciphertext multiplication is bounded by a multiplicative factor of $2 \cdot t \cdot \delta_R^2 \cdot \|s\|$, which is better than quadratic growth (Lemma 2 of Fan and Vercauteren (2012)).
It takes several steps to see how this noise bound is obtained. We know from the previous sections that a direct ciphertext multiplication produces a quadratic function in $s$:
\[
f_{c_1}(s) \cdot f_{c_2}(s) = h_0 + h_1 \cdot s + h_2 \cdot s^2, \quad \text{where } h_0 = u_1 \cdot u_2,\ h_1 = u_1 \cdot v_2 + u_2 \cdot v_1,\ h_2 = v_1 \cdot v_2 . \tag{45}
\]
Looking at Equation (44), it is not hard to see that the product $f_{c_1}(s) \cdot f_{c_2}(s)$ contains a term $\Delta^2 \cdot m_1 \cdot m_2$ and several other terms with $q$ as part of their coefficients. To bring the message term back to $\Delta \cdot m_1 \cdot m_2$ so that decryption works, one option is to multiply by $1/\Delta$. But this causes a rounding problem in the terms that contain $q$: since $\Delta = \lfloor q/t \rfloor$, the quotient $q/\Delta$ is not always exactly $t$. For example, with $q = 17$ we have $\Delta = 8$ and $q/\Delta = 2.125$ when $t = 2$, but $\Delta = 3$ and $q/\Delta \approx 5.67$ when $t = 5$; the latter creates a rounding error that becomes problematic in subsequent steps.
Hence, the alternative is to multiply all the terms by $t/q$ and then round. This is straightforward for the terms with $q$ in their coefficients. For the message term it gives $(t/q \cdot \Delta) \cdot (\Delta \cdot m_1 \cdot m_2)$, and since $t \cdot \Delta = q - r_t(q)$ with $0 \leq r_t(q) < t \leq q$, the factor $t/q \cdot \Delta = 1 - r_t(q)/q$ lies in $(0, 1]$ and equals $1$ exactly when $t$ divides $q$. Hence, multiplying Equation (45) by this fraction, we get
\[
\frac{t}{q} \cdot f_{c_1}(s) \cdot f_{c_2}(s) = \frac{t}{q} \cdot (h_0 + h_1 \cdot s + h_2 \cdot s^2).
\]
As shown above, the coefficients need to be rounded to get the ciphertext back on track for decryption, so the above equation can be re-written as
\[
\begin{aligned}
\frac{t}{q} \cdot f_{c_1}(s) \cdot f_{c_2}(s)
&= \Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil + \Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil \cdot s + \Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil \cdot s^2
 + \Big(\frac{t}{q} \cdot h_0 - \Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil\Big) \\
&\quad + \Big(\frac{t}{q} \cdot h_1 - \Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil\Big) \cdot s
 + \Big(\frac{t}{q} \cdot h_2 - \Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil\Big) \cdot s^2 \\
&= \Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil + \Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil \cdot s + \Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil \cdot s^2 + r_a .
\end{aligned} \tag{46}
\]
The three rounded "coefficients" make up the multiplicative ciphertext
\[
c_{mult} = (h_0, h_1, h_2) := \Big( \Big[\Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil\Big]_q,\ \Big[\Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil\Big]_q,\ \Big[\Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil\Big]_q \Big) \leftarrow \mathrm{BFV.Mult}(c_1, c_2).
\]
Since each rounding error is at most $1/2$ per integer coefficient, the approximation error satisfies
\[
\|r_a\| < \frac{1}{2} + \frac{1}{2} \cdot \|s\| \cdot \delta_R + \frac{1}{2} \cdot \|s\|^2 \cdot \delta_R^2 .
\]
The bound can be loosened to $\|r_a\| < \frac{1}{2} \cdot (1 + \|s\| \cdot \delta_R)^2$ for use in the homomorphic multiplication noise analysis that follows.
By moving the approximation error $r_a$ to the left-hand side of Equation (46) and reducing both sides modulo $q$, we get
\[
\Big[\frac{t}{q} \cdot f_{c_1}(s) \cdot f_{c_2}(s) - r_a\Big]_q = \Big[\Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil + \Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil \cdot s + \Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil \cdot s^2\Big]_q . \tag{47}
\]
To derive the multiplication noise bound, we write out all the terms of $f_{c_1}(s) \cdot f_{c_2}(s)$ using Equation (44), with $f_{c_i}(s) = \Delta \cdot m_i + e'_i + q \cdot r_{q,i}$ before reduction modulo $q$:
\[
\begin{aligned}
f_{c_1}(s) \cdot f_{c_2}(s) &= (\Delta \cdot m_1 + e'_1 + q \cdot r_{q,1}) \cdot (\Delta \cdot m_2 + e'_2 + q \cdot r_{q,2}) \\
&= \Delta^2 \cdot m_1 \cdot m_2 + \Delta \cdot (m_1 \cdot e'_2 + m_2 \cdot e'_1) + \Delta \cdot q \cdot (m_1 \cdot r_{q,2} + m_2 \cdot r_{q,1}) \\
&\quad + q \cdot (r_{q,1} \cdot e'_2 + r_{q,2} \cdot e'_1) + q^2 \cdot r_{q,1} \cdot r_{q,2} + e'_1 \cdot e'_2 .
\end{aligned}
\]
[15] We also use boldface to represent polynomials and $\cdot$ to represent polynomial multiplication.
As in homomorphic addition, we want to express the product of the messages in the plaintext space $R_t$, so we write $m_1 \cdot m_2 = [m_1 \cdot m_2]_t + t \cdot r_t$, where $\|r_t\| < t \cdot \delta_R / 4$. Multiplying the above equation by $t/q$ on both sides, we get
\[
\begin{aligned}
\frac{t}{q} \cdot f_{c_1}(s) \cdot f_{c_2}(s) &= \frac{t \cdot \Delta^2}{q} \cdot ([m_1 \cdot m_2]_t + t \cdot r_t) + \frac{t \cdot \Delta}{q} \cdot (m_1 \cdot e'_2 + m_2 \cdot e'_1) \\
&\quad + t \cdot \Delta \cdot (m_1 \cdot r_{q,2} + m_2 \cdot r_{q,1}) + t \cdot (r_{q,1} \cdot e'_2 + r_{q,2} \cdot e'_1) \\
&\quad + t \cdot q \cdot r_{q,1} \cdot r_{q,2} + \frac{t}{q} \cdot e'_1 \cdot e'_2 .
\end{aligned}
\]
Since this will be reduced modulo $q$ as in Equation (47) and then rounded, it is convenient to split it into terms with and without integer coefficients. To do so, substitute $t \cdot \Delta = q - r_t(q)$ into the above equation and write $e'_1 \cdot e'_2 = \Delta \cdot r_\Delta + [e'_1 \cdot e'_2]_\Delta$ (division with remainder by $\Delta$). After re-arranging the terms, we get
\[
\begin{aligned}
\frac{t}{q} \cdot f_{c_1}(s) \cdot f_{c_2}(s) &= \Delta \cdot [m_1 \cdot m_2]_t + (m_1 \cdot e'_2 + m_2 \cdot e'_1) + (q - r_t(q)) \cdot (r_t + m_1 \cdot r_{q,2} + m_2 \cdot r_{q,1}) \\
&\quad + t \cdot (r_{q,1} \cdot e'_2 + r_{q,2} \cdot e'_1) + q \cdot t \cdot r_{q,1} \cdot r_{q,2} + r_\Delta \\
&\quad + \underbrace{\frac{t}{q} \cdot [e'_1 \cdot e'_2]_\Delta - \frac{r_t(q)}{q} \cdot \big(\Delta \cdot m_1 \cdot m_2 + (m_1 \cdot e'_2 + m_2 \cdot e'_1) + r_\Delta\big)}_{r_r} .
\end{aligned}
\]
All the terms except $r_r$ have integer coefficients, so they are not affected by rounding. Substituting this into Equation (47), we get
\[
\begin{aligned}
\Big[\Big\lfloor \frac{t}{q} \cdot h_0 \Big\rceil + \Big\lfloor \frac{t}{q} \cdot h_1 \Big\rceil \cdot s + \Big\lfloor \frac{t}{q} \cdot h_2 \Big\rceil \cdot s^2\Big]_q
&= \Delta \cdot [m_1 \cdot m_2]_t + (m_1 \cdot e'_2 + m_2 \cdot e'_1) - r_t(q) \cdot (r_t + m_1 \cdot r_{q,2} + m_2 \cdot r_{q,1}) \\
&\quad + t \cdot (r_{q,1} \cdot e'_2 + r_{q,2} \cdot e'_1) + (r_r - r_a) \\
&= \Delta \cdot [m_1 \cdot m_2]_t + e'_3 .
\end{aligned}
\]
Using the bounds proved above, and writing $E$ for a bound on the noise of the two input ciphertexts ($\|e'_1\|, \|e'_2\| < E$), it can be shown that
\[
\|e'_3\| < 2 \cdot \delta_R \cdot t \cdot E \cdot (\delta_R \cdot \|s\| + 1) + 2 \cdot t^2 \cdot \delta_R^2 \cdot (\|s\| + 1)^2 ,
\]
whose dependence on the input noise $E$ is dominated by the factor $2 \cdot t \cdot \delta_R^2 \cdot \|s\|$, matching the multiplicative noise growth stated above.
Relinearization. As discussed for BV's relinearization, the problem with the direct multiplicative ciphertext is that its length grows from $2$ to $3$ "coefficients". To overcome this, Fan and Vercauteren (2012) presented two methods to relinearize the ciphertext into only two new coefficients plus a small noise:
\[
\big[h_0 + h_1 \cdot s + h_2 \cdot s^2\big]_q = \big[h'_0 + h'_1 \cdot s + \mathit{err}\big]_q .
\]
Relinearization version 1. The first method, similar to the relinearization process in the BV scheme, produces a relinearization key $\{rlk_\tau\}$,
\[
rlk_\tau = \Big( b_\tau = \big[-(a_\tau \cdot s + e_\tau) + T^\tau \cdot s^2\big]_q,\ a_\tau \Big),
\]
that looks almost like the evaluation key in BV, except that the coefficient $h_2$ is written in $T$-ary representation,
\[
h_2 = \sum_{\tau = 0}^{l} T^\tau \cdot h_2^{(\tau)} \bmod q,
\]
where $l = \lfloor \log_T q \rfloor$ and $h_2^{(\tau)} \in R_T$. The polynomials are sampled as $a_\tau \leftarrow R_q$ and $e_\tau \leftarrow \chi$. The purpose of expressing $h_2$ in $T$-ary representation is to reduce the amplification of the ciphertext noise after multiplication. The same idea was discussed in Section 10.3, which used $T = 2$ to minimise the relinearization noise for BV.
The main difference from the aforementioned schemes is that $s^2$ is encrypted under the public key component $a_\tau$ of the same $(pk, sk)$ pair, whereas in the BV scheme, for example, each quadratic secret key is encrypted under the next public key. So for this relinearization step to be secure, the weak circular security assumption (Definition 10.2.3) is needed. This is also why BFV uses only a single secret key and a single public key instead of a series of keys.
Given the relinearization key $\{rlk_\tau = (b_\tau, a_\tau) \mid \tau \in [0, l]\}$, the two new coefficients are set to
\[
h'_0 = \Big[h_0 + \sum_{\tau = 0}^{l} b_\tau \cdot h_2^{(\tau)}\Big]_q \quad \text{and} \quad h'_1 = \Big[h_1 + \sum_{\tau = 0}^{l} a_\tau \cdot h_2^{(\tau)}\Big]_q ,
\]
where the coefficients of the relinearization noise are bounded by $\|\mathit{err}_1\| \leq (l + 1) \cdot T \cdot B \cdot \delta_R / 2$. So the larger $T$ is, the larger the error will be. However, $T$ should not be set too small either: the relinearization key then has many components ($l + 1 = \lfloor \log_T q \rfloor + 1$ of them), and the relinearization noise only needs to be comparable to the noise already incurred by one ciphertext multiplication.
Relinearization version 2. The second method relies on the noise reduction effect of modulus reduction shown in Section 10.4.2. The motivation is still to approximate a quadratic ciphertext by a linear one, but without slicing the coefficient $h_2$ into many pieces, which potentially increases relinearization space and time. The idea is to encrypt a scaled quadratic secret key $p \cdot s^2$ in the larger domain $\mathbb{Z}_{p \cdot q}$ for an integer $p$, then scale it back down to $\mathbb{Z}_q$ by dividing by $p$. More precisely, sample $a \leftarrow R_{p \cdot q}$ and $e \leftarrow \chi'$ from a different noise distribution, then output the relinearization key
\[
rlk = \Big( b = \big[-(a \cdot s + e) + p \cdot s^2\big]_{p \cdot q},\ a \Big).
\]
Given this relinearization key, the two new coefficients are constructed by
\[
h'_0 = \Big[h_0 + \Big\lfloor \frac{h_2 \cdot b}{p} \Big\rceil\Big]_q \quad \text{and} \quad h'_1 = \Big[h_1 + \Big\lfloor \frac{h_2 \cdot a}{p} \Big\rceil\Big]_q .
\]
Again, to make sure these new coefficients lead to correct decryption, we compute (writing $b = -(a \cdot s + e) + p \cdot s^2 + p \cdot q \cdot r_{pq}$ over the integers)
\[
\begin{aligned}
[h'_0 + h'_1 \cdot s]_q &= \Big[h_0 + h_1 \cdot s + \Big\lfloor \frac{h_2 \cdot b}{p} \Big\rceil + \Big\lfloor \frac{h_2 \cdot a}{p} \Big\rceil \cdot s\Big]_q \\
&= \Big[h_0 + h_1 \cdot s + \frac{h_2 \cdot b}{p} + \frac{h_2 \cdot a}{p} \cdot s
 + \Big(\Big\lfloor \frac{h_2 \cdot b}{p} \Big\rceil - \frac{h_2 \cdot b}{p}\Big) + \Big(\Big\lfloor \frac{h_2 \cdot a}{p} \Big\rceil - \frac{h_2 \cdot a}{p}\Big) \cdot s\Big]_q \\
&= \Big[h_0 + h_1 \cdot s + \frac{h_2 \cdot (-(a \cdot s + e) + p \cdot s^2 + p \cdot q \cdot r_{pq} + a \cdot s)}{p}
 + \Big(\Big\lfloor \frac{h_2 \cdot b}{p} \Big\rceil - \frac{h_2 \cdot b}{p}\Big) + \Big(\Big\lfloor \frac{h_2 \cdot a}{p} \Big\rceil - \frac{h_2 \cdot a}{p}\Big) \cdot s\Big]_q \\
&= \Big[h_0 + h_1 \cdot s + h_2 \cdot s^2
 + \underbrace{\frac{-h_2 \cdot e}{p} + \Big(\Big\lfloor \frac{h_2 \cdot b}{p} \Big\rceil - \frac{h_2 \cdot b}{p}\Big) + \Big(\Big\lfloor \frac{h_2 \cdot a}{p} \Big\rceil - \frac{h_2 \cdot a}{p}\Big) \cdot s}_{\mathit{err}_2}\Big]_q ,
\end{aligned}
\]
where the term $h_2 \cdot q \cdot r_{pq}$ is an integer multiple of $q$ and vanishes modulo $q$. So the second relinearization generates noise of magnitude
\[
\|\mathit{err}_2\| < \frac{q \cdot B \cdot \delta_R}{p} + \frac{1}{2} + \frac{1}{2} \cdot \|s\| \cdot \delta_R .
\]
The combined noise magnitudes of homomorphic addition and multiplication, each followed by a relinearization step, are stated in Lemma 3 of Fan and Vercauteren (2012). Given that the relinearization noise can be managed by setting the parameters $T$ (version 1) and $p$ (version 2) appropriately, Theorem 1 of Fan and Vercauteren (2012) gives the maximum multiplicative depth of the evaluated circuit in terms of the other parameter values.
Finally, the scheme can be made bootstrappable by simplifying the decryption algorithm. The simplification is done before the scheme evaluates its own decryption, by switching from the original modulus $q$ to a smaller modulus $q' = 2^n$, scaling the ciphertext $(u, v)$ to
\[
u' = \Big\lfloor \frac{2^n}{q} \cdot u \Big\rceil \quad \text{and} \quad v' = \Big\lfloor \frac{2^n}{q} \cdot v \Big\rceil .
\]
The reason is that with $q' = 2^n$ and $t = 2^{n-k}$, we get $\Delta = \lfloor q'/t \rfloor = 2^k$, so in the decryption step $t/q' \cdot [f_c(s)]_{q'}$ becomes $1/\Delta \cdot [f_c(s)]_{q'}$, and division by a power of two is efficient (Section 5.2 of Fan and Vercauteren (2012)).
Below, we summarise the BFV scheme and provide an implementation in Sage.
Public key: sample random polynomials $a \leftarrow R_q$ and $e \leftarrow \chi$ and output the public key
\[
\big(b = -[a \cdot s + e]_q,\ a\big).
\]
To end this section, we provide some closing thoughts on the development of HE and refer the reader to some recent works in the field.
First of all, the LWE- and RLWE-based HE schemes presented in this section are natural extensions of the building-block encryption schemes Regev (Section 1.3) and LPR (Section 9.6). They inherit and preserve the additive and multiplicative homomorphic properties of these building-block encryption schemes. The reason addition and multiplication are preserved is that, in all these encryption schemes, the ciphertext is constructed from the plaintext and the LWE / RLWE samples using simple linear algebra operations. Take the LPR encryption scheme as an example. Its ciphertext $(u, v)$ is created by computing
\[
u = b \cdot r + e_1 + \lfloor q/2 \rfloor \cdot m \bmod q, \qquad v = a \cdot r + e_2 \bmod q .
\]
The pair consisting of $u$ without the message part and $v$ is an RLWE sample.
Secondly, the schemes presented here follow just one narrow path of HE development, also referred to as the second generation of HE in Halevi (2017). However, the simplicity of not needing bootstrapping to reach FHE within a pre-determined multiplicative depth has led to several practical implementations, including standalone open-source libraries such as Microsoft SEAL, IBM HElib [16], PALISADE [17] and NFLlib [18], and open-source R and Python libraries such as HomomorphicEncryption (Aslett et al., 2015), pyFHE (Erabelli, 2020) and PySEAL [19]. Although the documentation of some of these libraries recommends parameter choices that achieve efficient HE for certain security levels, for standardised HE schemes, parameter definitions and parameter selection the reader is referred to the Homomorphic Encryption Standard (Albrecht et al., 2018).
Thirdly, although HE continues to attract tremendous attention among researchers and practitioners
alike, its adoption in secure data computation is still not a mainstream affair. There are at least a few
reasons for this.
• An important issue is the high space requirements for storing and processing the ciphertexts,
which can be large even under the relatively efficient RLWE-based schemes. To encrypt even
binary plaintexts, the ciphertext space Zq or Rq = Z[x]/(Φ(x)) needs to be large enough to
allow a decent number of homomorphic multiplications. The ciphertext space size is directly
influenced by the modulus q, which then affects the bit length of ciphertexts. Under reasonable
security parameters, the ciphertext size can be up to 100 times larger than the plaintext.
• A direct consequence of large ciphertexts is longer ciphertext computations, which is another
limitation of HE’s practicality.
• An inherent limitation of HE is that conditional statements like if x then y else z and
while x do y cannot be evaluated easily in encrypted space. In the if x then y else z case, we
cannot simplify the statement to either y or z in the encrypted space because while we can
compute the encrypted value of x, we cannot know what it is. Similarly, the while x do y
statement cannot be executed in encrypted space because we cannot know when to stop. This
limitation is inherited from the semantic security property of HE and cannot be solved within
an HE scheme itself, although one can sometimes use secure multi-party computation tech-
niques in combination with HE to evaluate these conditionals; see, for example, Chialva and
Dooms (2018).
• Many other common operations cannot be done efficiently or purely in HE. For example, comparisons like $x = y$ or $x < y$ can usually only be evaluated by turning $x$ and $y$ into suitable binary representations that are then processed using logic gates evaluated in HE. Integer division in particular has proved difficult, and known schemes such as those in Veugen (2014) require two-party protocols.
Although there are now several significant niche applications of HE, all the above limitations make it challenging to run many existing algorithms on homomorphically encrypted data, sometimes turning linear-time algorithms into high-degree polynomial-time ones.
An early paper by Naehrig et al. (2011) discussed some concrete application scenarios for which somewhat homomorphic encryption schemes are sufficient, and argued experimentally that the then newly developed scheme BV (Brakerski, 2012) was an efficient candidate. A decade later, numerous contributions have advanced the development of HE schemes, including reductions in computational cost and ciphertext expansion, and support for arithmetic over encrypted real and complex numbers. Besides these performance improvements, there has been an increasing trend, alongside the explosion of other areas of computer science (e.g., machine learning and artificial intelligence), of applying HE in its current state, especially in combination with optimised data processing techniques (e.g., single instruction, multiple data, SIMD) or other cryptographic primitives, which markedly reduce HE's computational overhead.
[16] https://github.com/homenc/HElib
[17] https://palisade-crypto.org/
[18] https://github.com/CryptoExperts/FV-NFLlib
[19] https://github.com/Lab41/PySEAL
Some examples of more recent applications include the combination of HE with secure multiparty computation to achieve efficient (lower communication overhead) and secure arithmetic circuit computation (Damgård et al., 2012); with batching, hashing, modulus switching and other data-processing optimisations for efficient private set intersection where one set is significantly smaller than the other (Chen et al., 2017); and prediction on homomorphically encrypted data using neural networks, with encoding and parallel computing techniques based on the Chinese Remainder Theorem (Gilad-Bachrach et al., 2016). More HE applications in training machine learning models (e.g., logistic regression, decision trees, naive Bayes) or applying them to homomorphically encrypted data are surveyed in Wood et al. (2020).
We present an implementation of the BFV cryptosystem in Sage. Note that this implementation is intended for pedagogical purposes and is not suitable for use in real-world applications.

import sage.stats.distributions.discrete_gaussian_integer as dgi

# Parameters. The values of n, q and t below are illustrative choices only,
# far too small for any real security level.
n = 16                 # ring degree, R = Z[x]/(x^n + 1)
q = 2^40 - 87          # ciphertext modulus
t = 257                # plaintext modulus
P = PolynomialRing(ZZ, 'x')
x = P.gen()
f = x^n + 1
R = QuotientRing(P, f)
sigma = 1.0
D = dgi.DiscreteGaussianDistributionIntegerSampler(sigma=sigma)
parameters = (q, n, t, R, D)

def symmetrize(a, b):
    '''
    Convert the integer coefficients of a in R to the symmetric
    representation of elements in Z/bZ, i.e. reduce them into [-b/2, b/2).
    '''
    coeffs = [c % b for c in a.lift().list()]
    coeffs = [c - b if c >= b / 2 else c for c in coeffs]
    return R(coeffs)

def sample_e(n, D):
    '''Noise polynomial: n coefficients drawn from the discrete Gaussian D.'''
    return R([D() for _ in range(n)])

def sample_2(n):
    '''Small polynomial with n uniformly random coefficients in {0, 1}.'''
    return R([randint(0, 1) for _ in range(n)])

def sample_r(n):
    '''Uniformly random element of R_q: n coefficients uniform in [0, q).'''
    return R([randint(0, q - 1) for _ in range(n)])
Usage Example Here we demonstrate how to generate keys, encrypt a random message, and decrypt
the resulting ciphertext. We verify that D(E(m, kp ), ks ) = m for a given public key kp , secret key ks ,
and a random message m.
print(symmetrize(message, t) == decrypted_message)
Usage Example We verify that if m1 and m2 are random messages and ci = E(mi , kp ), then
D(f (c1 , c2 ), ks ) = m1 + m2 .
def multiply_ciphertexts(c1,c2,parameters):
’’’
Compute product of two ciphertexts in the ciphertext domain.
10.10.8 Relinearization
We implement relinearization version 2 described above to relinearize the product of two ciphertexts. The relinearization operation is defined in terms of both the parameters used for the basic BFV cryptographic operations described above and two additional parameters: a second (large) prime number p and a second noise distribution D2.
p = 655360001
sigma2 = 2.0
D2 = dgi.DiscreteGaussianDistributionIntegerSampler(sigma=sigma2)
We define a function that generates the relinearization key kr and another function L that applies kr
to convert a three-coefficient ciphertext product into a two-coefficient ciphertext that can be decrypted.
def relinearize(ciphertext_product,
                relinearization_key,
                parameters):
    '''
    Relinearization version 2: fold the s^2 component hh2 of a
    three-component product back into two components, using the key
    (b, a) that encrypts p*s^2 modulo p*q, and divide by p.
    '''
    q, n, t, R, D = parameters
    hh0, hh1, hh2 = ciphertext_product
    b, a = relinearization_key
    u = hh0 + multiply_round(hh2*b, 1/p, parameters)   # [hh0 + round(hh2*b/p)]_q
    v = hh1 + multiply_round(hh2*a, 1/p, parameters)   # [hh1 + round(hh2*a/p)]_q
    return (symmetrize(u, q), symmetrize(v, q))

relinearization_key = generate_relinearization_key(secret_key,
                                                   parameters,
                                                   p,
                                                   D2)
ciphertext_product = multiply_ciphertexts(ciphertext_1,
                                          ciphertext_2,
                                          parameters)
relinearized_ciphertext = relinearize(ciphertext_product,
                                      relinearization_key,
                                      parameters)
decrypted_message = decrypt(relinearized_ciphertext,
                            secret_key,
                            parameters)
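The Sage listing above is incomplete on this page (the key generation, `multiply_ciphertexts` and `multiply_round` bodies are missing). As an added, self-contained reference for the BFV operations analysed in this section (not code from the tutorial or from Fan and Vercauteren), the following pure-Python implementation carries out key generation, LPR-style encryption, decryption, addition, the $t/q$-scaled multiplication of Equation (46) and relinearization version 2, and measures the noise $e$ in $[u + v \cdot s]_q = \Delta \cdot m + e$ before and after each multiplication. Assumptions: $R = \mathbb{Z}[x]/(x^{16} + 1)$, $q = 2^{60} - 93$, $t = 257$, $p = 2^{130}$ (chosen for illustration, not for security), a ternary secret and ternary $u$, and the noise distribution $\chi$ replaced by uniform integers in $[-8, 8]$; all names in the block are this example's own.

```python
import random

N_DEG = 16          # n: degree of x^n + 1, so the expansion factor delta_R is n
Q = 2**60 - 93      # q: ciphertext modulus (assumed value, not from the tutorial)
T = 257             # t: plaintext modulus (assumed value)
DELTA = Q // T      # Delta = floor(q / t)
B_NOISE = 8         # chi replaced by uniform integers in [-B, B] (assumption)
P_RELIN = 2**130    # p for relinearization version 2, p >> q (assumed value)

def sym_mod(x, m):
    """Symmetric representative of x mod m, in (-m/2, m/2]."""
    r = x % m
    return r - m if r > m // 2 else r

def poly_mod(a, m):
    return [sym_mod(c, m) for c in a]

def poly_add(a, b):
    return [c + d for c, d in zip(a, b)]

def poly_mul(a, b):
    """Product in Z[x]/(x^n + 1): x^n wraps around to -1 (negacyclic convolution)."""
    res = [0] * N_DEG
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N_DEG:
                res[i + j] += ai * bj
            else:
                res[i + j - N_DEG] -= ai * bj
    return res

def round_div(a, d):
    """Coefficient-wise nearest integer to a/d for d > 0, in exact integer arithmetic."""
    return [(2 * c + d) // (2 * d) for c in a]

def sample_small(rng, bound):
    return [rng.randint(-bound, bound) for _ in range(N_DEG)]

def sample_uniform(rng, m):
    return [rng.randrange(m) for _ in range(N_DEG)]

def keygen(rng):
    """sk = s (ternary), pk = (b, a) with b = -[a s + e]_q,
    rlk = (b', a') with b' = [-(a' s + e') + p s^2]_{pq} (relinearization version 2)."""
    s = sample_small(rng, 1)
    a = sample_uniform(rng, Q)
    b = poly_mod([-c for c in poly_add(poly_mul(a, s), sample_small(rng, B_NOISE))], Q)
    a2 = sample_uniform(rng, P_RELIN * Q)
    minus_as_e = [-c for c in poly_add(poly_mul(a2, s), sample_small(rng, B_NOISE))]
    b2 = poly_mod(poly_add(minus_as_e, [P_RELIN * c for c in poly_mul(s, s)]), P_RELIN * Q)
    return s, (b, a), (b2, a2)

def encrypt(rng, pk, m):
    """LPR-style: (c0, c1) = ([b u + e1 + Delta m]_q, [a u + e2]_q) with u ternary."""
    b, a = pk
    u = sample_small(rng, 1)
    c0 = poly_add(poly_add(poly_mul(b, u), sample_small(rng, B_NOISE)), [DELTA * c for c in m])
    c1 = poly_add(poly_mul(a, u), sample_small(rng, B_NOISE))
    return (poly_mod(c0, Q), poly_mod(c1, Q))

def phase(sk, ct):
    """[c0 + c1 s]_q = Delta m + e, the quantity that decryption rounds (Equation 44)."""
    return poly_mod(poly_add(ct[0], poly_mul(ct[1], sk)), Q)

def decrypt(sk, ct):
    """[round(t/q * [c0 + c1 s]_q)]_t."""
    return [c % T for c in round_div([T * c for c in phase(sk, ct)], Q)]

def noise(sk, ct, m):
    """Infinity norm of e in [c0 + c1 s]_q = Delta m + e; decryption needs it below Delta/2."""
    return max(abs(c) for c in poly_mod(poly_add(phase(sk, ct), [-DELTA * c for c in m]), Q))

def add(ct1, ct2):
    return tuple(poly_mod(poly_add(x, y), Q) for x, y in zip(ct1, ct2))

def mul(ct1, ct2):
    """Equation (46): ([round(t/q h0)]_q, [round(t/q h1)]_q, [round(t/q h2)]_q), products over Z."""
    h0 = poly_mul(ct1[0], ct2[0])
    h1 = poly_add(poly_mul(ct1[0], ct2[1]), poly_mul(ct1[1], ct2[0]))
    h2 = poly_mul(ct1[1], ct2[1])
    return tuple(poly_mod(round_div([T * c for c in h], Q), Q) for h in (h0, h1, h2))

def relinearize(rlk, ct3):
    """Version 2: h0' = [h0 + round(h2 b'/p)]_q, h1' = [h1 + round(h2 a'/p)]_q."""
    b2, a2 = rlk
    h0, h1, h2 = ct3
    return (poly_mod(poly_add(h0, round_div(poly_mul(h2, b2), P_RELIN)), Q),
            poly_mod(poly_add(h1, round_div(poly_mul(h2, a2), P_RELIN)), Q))

def plain_mul(m1, m2):
    return [c % T for c in poly_mul(m1, m2)]

def demo(seed=0):
    """Encrypt three random plaintexts; evaluate m1 + m2 and (m1 m2) m3 with relinearization."""
    rng = random.Random(seed)
    sk, pk, rlk = keygen(rng)
    m1, m2, m3 = (sample_uniform(rng, T) for _ in range(3))
    c1, c2, c3 = (encrypt(rng, pk, m) for m in (m1, m2, m3))
    c12 = relinearize(rlk, mul(c1, c2))
    c123 = relinearize(rlk, mul(c12, c3))
    m12, m123 = plain_mul(m1, m2), plain_mul(plain_mul(m1, m2), m3)
    return {"sum_ok": decrypt(sk, add(c1, c2)) == [(x + y) % T for x, y in zip(m1, m2)],
            "prod_ok": decrypt(sk, c12) == m12, "depth2_ok": decrypt(sk, c123) == m123,
            "noise_fresh": noise(sk, c1, m1), "noise_prod": noise(sk, c12, m12),
            "noise_depth2": noise(sk, c123, m123), "ceiling": DELTA // 2}

if __name__ == "__main__":
    print(demo())
```

`demo()` reports that one multiplication followed by a second one still decrypts correctly with these parameters, and the `noise_*` fields make the growth from Lemma 2 concrete: the fresh noise is at most $\delta_R \cdot B \cdot (\|u\| + \|s\|) + B = 264$, each multiplication multiplies it by roughly $2 \cdot t \cdot \delta_R^2 \cdot \|s\|$, and decryption fails once the noise reaches $\Delta/2$, which, by the bound, a third level would exceed.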
A Abstract Algebra
This section introduces the basics of abstract algebra, including groups, rings, modules, fields and ideals. The material covered is standard in algebra textbooks such as Artin (1991). For students who want to learn how to think about abstract algebra, we recommend Alcock (2021).
There are at least two motivations to study group theory for lattice-based cryptography. First, more advanced algebraic structures such as rings and fields are built upon the concept of a group. Second, it provides a different view of lattices, which are additive subgroups of $\mathbb{R}^n$.
Definition A.1.1 (Group). A group $G = (S, \cdot)$ is a set of elements together with a binary operator "$\cdot$" such that the four group axioms (closure, associativity, existence of an identity, existence of inverses) hold.
A group is an abstract algebraic structure. Elements of $S$ can be integers, fractions, matrices, functions, etc. The group operator can be addition, multiplication, matrix multiplication, function composition, etc. The pair forms a group as long as the four group axioms are satisfied.
When dealing with binary operators, one often wonders whether or not the same result will be
produced if the order of the two inputs is switched. That is, does x · y = y · x for all x, y ∈ S? For
some groups this is true, but not in general. For example, the condition is true for the additive group of
integers (Z, +), but not for the multiplicative group of n × n integer matrices (M, ×). Such a property is
called abelian or commutative.
Definition A.1.2. A group (G, ·) is abelian (or commutative) if x · y = y · x for all x, y ∈ G.
In cryptography, we almost always work with abelian groups such as the integer group or the poly-
nomial group.
The number of elements in a group can be finite or infinite. For groups with finitely many elements,
we can define the group order and element order as follows.
Definition A.1.3. The order of a group G is the number of elements in G.
Definition A.1.4. For an element a in a group (G, ·), if there exists a positive integer k such that
$\underbrace{a \cdot a \cdots a}_{k} = e$, where e is the group identity, then the element a has order k. If no such integer k exists, then a
has infinite order.
Orders of groups and group elements are useful when working with finite groups. Every non-zero
element in (Z, +) has infinite order. Let Z/3Z = {0, 1, 2} be the group of integers modulo 3. The order
of the group (Z/3Z, +) is 3. The orders of the elements 0, 1, 2 are 1, 3, 3, respectively.
Some important examples of groups are:
• Symmetric group Sn : the set of all permutations of the indices [n] := {1, . . . , n}. The group
has order |Sn | = n!.
• Cyclic group: a group that is generated by a single element. For example, (Z, +) is an infinite
cyclic group that is generated by 1. Another example is (Z/nZ, +), which is a finite cyclic
group of order n that is generated by 1. The element g ∈ G that generates the entire group G
is called a generator. The common notation is G = ⟨g⟩, or G = Cn if G has finite order n.
• Dihedral group Dn: the group of symmetries - reflection f and rotation r - of a regular n-gon.
For example, D4 = {e, f, r, r^2, r^3, fr, fr^2, fr^3}. The group operation is function composi-
tion.
• Klein four group K4 or V4: a group of 4 elements in which each non-identity element has
order 2 and the composition of two non-identity elements produces the third one. The Klein
four group is isomorphic to the product of two cyclic groups of order 2, i.e., V4 ≅ C2 × C2.
Definition A.1.5. Let (G, ·) be a group. A subset H of G is a subgroup of (G, ·) if H forms a group
with G’s operator.
Sometimes we omit the group operator for simplicity. An important type of subgroup is the normal
subgroup.
Definition A.1.6. Let G be a group. A subgroup N of G is normal if N is invariant under group
conjugation. That is, for all elements g ∈ G and all elements h ∈ N, we have g^{−1} h g ∈ N.
The notation for normal subgroups is H ◁ G (or H ⊴ G). Normal subgroups are important because
they partition a group G into cosets, giving the quotient group or factor group, which is important toward
learning quotient rings. In addition, quotient groups regroup elements into non-overlapping classes,
which may help to reveal underlying structures of the original group that are difficult to see without
this grouping.
To introduce quotient groups, we first introduce equivalence relations, based on which group ele-
ments are put together.
Definition A.1.7. A binary relation ∼ on a set S is said to be an equivalence relation if it satisfies the
following axioms for all a, b, c ∈ S:
• reflexive: a ∼ a,
• symmetric: a ∼ b if and only if b ∼ a,
• transitive: if a ∼ b and b ∼ c, then a ∼ c.
Definition A.1.8. Given a subgroup H of G, we can define a left coset of H in G as the set of elements
obtained by applying a fixed element of G (under the group operation) on the left of H. That is, for each
element g ∈ G, the left coset of H is
gH = {gh | h ∈ H}.
The right coset is defined analogously. Let G = (Z, +) and H = (2Z, +). The left cosets of H in
G are 0 + 2Z and 1 + 2Z, because any additional cosets constructed from the other elements of G will be
identical to these two. We denote the cosets by 0̄ and 1̄, respectively.
Each coset is an equivalence class with the equivalence relation “belong to the same coset”. This
can be checked easily. For elements a, b ∈ G, they belong to the same coset (i.e., aH = bH) if and
only if b^{−1} a ∈ H. Given a normal subgroup H ◁ G, it divides G into several equal-sized equivalence
classes.
Definition A.1.9. The quotient group of G by a normal subgroup H ◁ G, denoted by G/H, is the set
of cosets of H in G.
An important observation is that the set of cosets forms a group with the group operation in G. The
identity element in the quotient group is precisely the normal subgroup H. That is why G/H is called
a quotient GROUP. For example, the set {0̄, 1̄} and addition form a group, in which 0̄ is the identity. It
can be checked that the normal subgroup assumption is necessary because it ensures the set of cosets
forms a group. This is not always true if H is just an ordinary subgroup of G.
Given a subgroup H of G, all cosets of H have the same size, so we have a quantity, namely the
index of H in G, denoted by |G : H|, that is defined as the number of cosets of H in G. If H is a
normal subgroup of G, then the index |G : H| = |G/H| is equal to the order of the quotient group.
We sometimes have a function f that acts on a group (G, ·) by mapping elements of G to another set H.
In that case, we would like to know whether or not the same group structure is preserved in H by the
function f. Such a function is formally defined as a group homomorphism.
Definition A.1.10. A homomorphism from a group (G, ·) to a group (H, ∗) is a function f : G → H
such that for all elements a, b ∈ G it holds that
f(a · b) = f(a) ∗ f(b).
In other words, the relationship between two elements in G is mapped to the relationship
between the two corresponding elements in H. There are different types of group homomorphisms, de-
pending on the function type and the function’s codomain. The two important group homomorphisms
are isomorphisms and automorphisms.
Definition A.1.11. A homomorphism is called an isomorphism if it is bijective.
If there is an isomorphism between two groups (G, ·) and (H, ∗), then they are isomorphic, which is
denoted by (G, ·) ≅ (H, ∗). Isomorphisms are important because they tell you when two groups are
structurally identical. In addition, knowing one group will tell you everything about the other. An example of a
group isomorphism is f : (R, +) → (R+, ×) given by the function f(x) = e^x. A special case of
isomorphism is between a group and itself, which we will see when introducing Galois theory.
Definition A.1.12. A homomorphism is called an automorphism if it is an isomorphism such that the
domain and codomain are the same. That is, an isomorphism f : G → G.
Unlike groups, rings are algebraic structures associated with two binary operators, addition and multipli-
cation, such that the ring axioms are satisfied.
Definition A.2.1. A ring R = (S, +, ×) is a set with two operations, namely addition and multiplica-
tion, such that the following ring axioms are satisfied:
• (S, +) is an abelian group under addition,
• (S, ×) is closed under multiplication, associative and contains the unique multiplicative iden-
tity 1,
• multiplication is distributive with respect to addition, i.e., a × (b + c) = a × b + a × c for all
a, b, c ∈ S.
A ring R is commutative (called commutative ring) if multiplication is also commutative in R.
For example, the set of integers forms a commutative ring with integer addition and multiplication.
However, none of the integers except 1 has a multiplicative inverse in the integer set. The set of n × n
(real or integer) matrices forms a non-commutative ring with matrix addition and multiplication. Not
all matrices have inverses. An important ring in lattice-based cryptography is the ring of polynomials
or polynomial ring Q[x] or Z[x] with polynomial addition and multiplication as the ring operations.
Again, not all polynomials in the ring Q[x] and Z[x] have inverses in the same ring.
The pair (S, ×) in a ring R almost forms a multiplicative group, but it lacks multiplicative inverses
in general. Without multiplicative inverses (of non-zero elements), division cannot be carried out in
rings. For this purpose, we introduce division rings.
Definition A.2.2. A unit in a ring R is any element that has a multiplicative inverse in R.
For example, 1 is the only unit in the ring of integers. But 1, 2 are both units in the ring (Z3 , +, ×).
Definition A.2.3. A division ring is a ring R in which every non-zero element is a unit. That is, every
non-zero element has a multiplicative inverse in R.
In a division ring, the pair (S, ×) forms a multiplicative group, but not necessarily an abelian one. If it is
abelian, the ring is a field, which will be introduced in the next subsection. Similar to a group and its
subgroups, subrings can be defined with respect to a ring.
Definition A.2.4. Let (R, +, ×) be a ring. A subset S ⊂ R is a subring if (S, +, ×) forms a ring with
the ring’s addition and multiplication.
The concept of a vector space can be generalized to a module which is defined similarly, but over a
ring instead of a field. The main difference is that every element in a field has a multiplicative inverse, so
a vector in a vector space can be scaled up or down by a scalar and its multiplicative inverse. However,
not every element in a ring has a multiplicative inverse, so an element in a module cannot always be
scaled up and down.
Definition A.2.5. Let R be a ring with multiplicative identity 1. A left R-module M consists
of an abelian group (M, +) and an operation · : R × M → M such that for all r, s ∈ R and x, y ∈ M,
the following are satisfied:
• r · (x + y) = r · x + r · y
• (r + s) · x = r · x + s · x
• (rs) · x = r · (s · x)
• 1 · x = x
The concept of a right R-module is defined similarly. The distinction between a left and a right
module arises from the fact that the underlying ring R is not necessarily commutative. In general, unless
mentioned otherwise, a module always means a left module. A Z-module is a module over the
integer ring Z. It is both a left and a right module, as Z is commutative. In Section 9, we will talk
about the ring of integers of a number field. Without stating the proper definition here, the ring of
integers is the ring of all algebraic integers in a number field, where an algebraic integer is a root of
a polynomial with integer coefficients. It is not hard to see that the ring of integers forms an abelian group
under addition, as the sum of two algebraic integers is still an algebraic integer. For specific purposes,
we often say the ring of integers is also a Z-module, as the above conditions are all satisfied.
Definition A.2.6. Suppose M is a left R-module and N is a subgroup of M . Then N is an R-submodule
(or just submodule) if for any n ∈ N and any r ∈ R, we have r · n ∈ N .
The definition of a submodule is similar to that of a subspace of a vector space, where the subspace is closed
under addition and scalar multiplication. An important type of module is called a free module.
Definition A.2.7. A free module is a module that has a basis.
Here a basis is a set of linearly independent vectors that generates M . That is, every element of M
can be written as a linear combination of the set of linearly independent vectors, where the coefficients
are taken from the underlying ring R. So a free Z-module is a module with a basis such that every
element in the module is an integer combination of the basis.
Ideals
Similar to a normal subgroup, an ideal can partition a ring into cosets which form a ring with fewer
elements, known as the quotient ring. As noted, not all subgroups can partition a group into a quotient
group. Similarly, an ideal must have some special properties in order to construct a quotient ring.
First, since a ring is an additive group with an extra operation, an ideal of the ring should be a normal
subgroup under addition (in fact, being a subgroup is enough, as a ring is an abelian group under addition,
which implies normality), so an ideal must be closed under addition. Second, for cosets to be closed
under multiplication, ideals must be closed under multiplication by any ring element. More specifically,
an ideal I partitions a ring R into a set of equivalence classes, each denoted by [a] := a + I = {a + r |
r ∈ I}. Since we want this set of equivalence classes to form a ring, it must satisfy
• [a] + [b] = (a + I) + (b + I) = (a + b) + (I + I) = (a + b) + I = [a + b]
• [a][b] = (a + I)(b + I) = ab + aI + bI + II = ab + I = [ab].
So we can see that ideals have to satisfy at least three criteria. First, closure under addition by itself.
Second, closure under multiplication by itself. Third, closure under multiplication by all elements in the ring.
Note that the third criterion includes the second, so only two criteria need to be checked. The formal
definition of an ideal is stated below.
Definition A.2.8. For an arbitrary ring (R, +, ×), the subset I ⊂ R is a left ideal of the ring if it
satisfies:
• (I, +) is an additive subgroup of the group (R, +),
• I is closed under left multiplication by all elements of R. That is, for every r ∈ R and every
x ∈ I, their product rx ∈ I.
A right ideal is defined analogously. If I is both a left and a right ideal, then it is a two-sided ideal of
the ring. Again, since most rings considered in cryptography are commutative, we do not distinguish left
and right ideals. Throughout, we use the term ideal for a two-sided ideal unless mentioned otherwise.
For example, the set of even integers forms an ideal in the integer ring, because even integers are closed
under addition and any integer multiplied by an even integer is still even.
Note that although an ideal is closed under addition and multiplication, it is not a ring because it
does not necessarily have a multiplicative identity, which is required by our definition of rings.
The quotient ring R/I has the additive identity 0̄ = 0 + I (similar to a normal subgroup being the
identity of the quotient group) and the multiplicative identity 1̄ = 1 + I.
Some ideals have additional properties that can make the corresponding quotient rings special. Be-
low we introduce three special ideals.
A prime ideal can be thought of as a generalization of a prime number. Recall that if p is a prime
number and p | ab for integers a and b, then either p | a or p | b.
Definition A.2.10. An ideal P of a ring R is prime if it satisfies the following two properties:
• P ≠ R,
• for any two elements a, b ∈ R, if their product ab ∈ P, then either a ∈ P or b ∈ P.
The set of even integers in the ring of integers is a prime ideal. To see why prime ideals are important,
we introduce the concept of integral domains that are defined upon commutative rings.
Definition A.2.11. An integral domain is a non-zero commutative ring in which the product of two
non-zero elements is non-zero.
Integral domains are generalizations of the rings of integers of algebraic number fields that will be
discussed in a later section. Integral domains provide a natural setting to study division, because they
allow the cancellation of a non-zero factor a in an equation like ab = ac.
Proposition A.2.12. If I ⊊ R is a prime ideal, then the quotient ring R/I is an integral domain.
Proof. I being a prime ideal implies that no two elements that are not in I can be multiplied to an
element in I. Since I is the additive identity in the quotient ring R/I, it is the zero element in the
quotient ring. This implies that no two non-zero elements (i.e., elements not in 0̄) can be multiplied to
a zero element (i.e., an element in 0̄).
For example, 12Z is not a prime ideal, so the quotient ring Z/12Z is not an integral domain because
3 · 4 = 12 = 0 mod 12. But Z/5Z is an integral domain. Another example is the ring of polynomials
whose coefficients come from an integral domain.
Proposition A.2.13. If R is an integral domain, then the ring of polynomials R[x] is also an integral
domain.
Proof. Since R is an integral domain, the product of the leading coefficients of two non-zero polynomials is also
non-zero, so R[x] is an integral domain.
Definition A.2.14. An ideal in a ring R is principal if it can be generated by a single element of R
through multiplication by every element of R.
For example, 2Z is a principal ideal in the integer ring, because it can be generated by multiplying 2 by
every element of Z.
Definition A.2.15. A principal ideal domain (PID) is an integral domain in which every ideal is prin-
cipal.
As will be explained in detail later, fields are commutative division rings that possess nice properties
for building cryptosystems. Given a ring R, one can construct a field by taking the quotient ring with a
maximal ideal of R.
Definition A.2.16. A maximal ideal in a ring is an ideal that is maximal among all the proper ideals
of the ring.
In other words, if I is a maximal ideal in a ring R, then I is contained in only two ideals of R, i.e., I
itself and the entire ring R. An important observation is that every maximal ideal is a prime ideal. This
can be easily seen if we define the divisibility of ideals.
Proposition A.2.17. If I is a maximal ideal of a commutative ring R, then the quotient ring R/I is a
field.
Proof. (Sketch) I being a prime ideal is not sufficient to construct a field, because the quotient ring
R/I may have a proper ideal that is not the trivial ideal. That is, there may be an ideal I′ in R/I that is
not equal to {0} or R/I. Hence, multiplying an element in I′ by an element not in I′ will only get
to elements in I′. This implies that not all non-zero elements in R/I have multiplicative inverses.
The quotient ring R/I constructed using a maximal ideal is called a residue field.
Another concept that will be mentioned later and could help in understanding the structure of fields is
the characteristic of a ring. If it helps, the characteristic of a ring can be thought of as the cyclic period of
the ring. For example, the ring Z/4Z has characteristic 4, which is the ring's cyclic period.
Definition A.2.18. The characteristic of a ring R, denoted by char(R), is the smallest number of times
that the ring’s multiplicative identity 1 can be added to itself to get the additive identity 0. If the ring’s
multiplicative identity can never be summed to get 0, then the ring has characteristic zero.
The characteristic of a ring R may also be taken as the smallest positive integer n such that
$\underbrace{a + \cdots + a}_{n} = 0$ for every element a ∈ R (if the characteristic exists). For example, the character-
istic of Z3 is 3 because 1 + 1 + 1 = 3 = 0 mod 3 or 2 + 2 + 2 = 6 = 0 mod 3. We will talk more
about the characteristics of fields in the following subsection.
The First Isomorphism Theorem for rings is the fundamental method for identifying quotient rings.
In the following, a ring homomorphism is defined analogously to a group homomorphism, and the kernel of a
map ϕ : R → S is the subset of R that maps to the zero element in S: ker(ϕ) = {r ∈ R : ϕ(r) = 0}.
Theorem A.2.19 (First Isomorphism Theorem). Let R and S be rings and let ϕ : R → S be a ring homomorphism. Then
1. the kernel of ϕ is an ideal of R;
2. the image of ϕ is a subring of S; and
3. R/ker(ϕ) is isomorphic to the image of ϕ.
A field is a commutative division ring. That is, a field is a ring in which (S∗, ×) is an abelian group under
multiplication, where S∗ := S \ {0} is the set of non-zero elements. More formally, we have the next
definition.
Definition A.3.1. A field F = (S, +, ×) is a set with two binary operators, addition and multiplication,
such that the following field axioms are satisfied:
Proof. If R is a field, then every non-zero element has a multiplicative inverse. If I is a non-zero ideal
of R and a ∈ I, then a^{−1} a = 1 ∈ I. So I = R. If R has no proper non-zero ideal, then the ideal I = R
is a principal ideal. That is, I = (a) for some a ≠ 0. Hence, there must exist an element b ∈ R such that
ab = 1. Hence, R is a field.
This proposition implies an important property of a field: its only ideals are the zero ideal and the
field itself.
One type of field that is essential in cryptography is the finite field. These are fields with finitely
many elements. The number of elements in a finite field is the order of the field (just like the order of a
group). For example, Z2 = {0, 1} is a finite field of order 2.
The field characteristic is an important concept that can be used to decide the separability of extension
fields. We will see more about the connection between field characteristic and separability in a later
section.
Lemma A.3.4. The characteristic of any field is either 0 or a prime number.
Proof. Let n be the characteristic of the field F. It is easy to see that n ≠ 1, because a field is not a
trivial ring, so 1 ≠ 0. Assume n = pq is a composite number, where 1 < p, q < n. This implies that
$\underbrace{(1 + \cdots + 1)}_{p}\,\underbrace{(1 + \cdots + 1)}_{q} = \underbrace{1 + \cdots + 1}_{n} = 0$. Hence, we have pq = 0, which contradicts the fact
that the field is also an integral domain.
Corollary A.3.5. This lemma implies that the characteristic of any finite field is a prime number.
Corollary A.3.6. The characteristic of a subfield is the same as the characteristic of the field.
Theorem A.3.7. In a field of characteristic p where p is prime, the only p-th root of unity is 1.
In a field of prime characteristic p, we have x^p − 1 = (x − 1)^p because after expanding (x − 1)^p, all
terms except x^p and (−1)^p have coefficients that are multiples of p, which vanish when taking modulo p.
Hence, solving x^p − 1 = 0 is equivalent to solving (x − 1)^p = 0, whose only solution is x = 1.
So far in this section, we have introduced the concepts of groups, rings, fields and other related
concepts. These will serve as a foundation for studying the Galois theory and algebraic number theory.
B Galois Theory
In the previous section, we introduced some basics of group, ring and field theory. We start
this section by introducing field extensions, which are fundamental to understanding number fields. All things
lead to the Galois group in the end, which is interesting in itself and also gives insights into the cyclotomic
number fields that are widely used across recent lattice-based cryptography and homomorphic encryption
developments.
The concept of field extensions is fundamental in solving polynomials, especially polynomials with
rational coefficients, denoted by Q[x]. The first attempt to solve these polynomials is to find their roots
in the field of rationals Q. For some rational (coefficient) polynomials, however, their roots only exist
beyond Q. For example, the polynomial x^2 − 2 has two irrational roots ±√2. For this reason, we need
to construct a field that is larger than Q so that it includes all roots of the polynomial x^2 − 2, but not so
large that it includes many unnecessary values. To achieve this goal, we first define extension fields.
Definition B.1.1. If a field F is contained in a field E, then E is called an extension field of F .
An extension E is finite if its degree is finite. Otherwise, it is infinite. There are at least two ways
of counting the dimension of an extension. One way is through the degree of the minimal polynomial
of a primitive element that generates the extension. This will be discussed in more detail in subsequent
subsections.
The other way of counting the dimension of the extension field is by counting the number of linearly
independent vectors in its basis (same as for vector spaces in linear algebra). Hence, one could specify
a basis of the extension over the base field in order to get the degree of the extension. For example, the
degrees [Q(√2) : Q] = 2, [Q(√2, √3) : Q] = 4, [C : R] = 2 because the corresponding bases for each
extension field are {1, √2}, {1, √2, √3, √6}, {1, i}, respectively.
Similar to Lagrange’s theorem in group theory, the degrees of extensions follow the “Tower Law”.
Proposition B.1.3. (The Tower Law) If L/M and M/K are field extensions (finite or infinite), then the
degrees of the extensions satisfy
[L : K] = [L : M ][M : K].
Intuitively, L forms an M-vector space and M forms a K-vector space, so L also forms a K-vector
space. Each dimension of L over M is again an [M : K]-dimensional vector space over K.
The following subsections introduce some special types of field extensions that eventually lead to
Galois extensions and Galois groups.
Proof. Let E be an extension over F with a finite degree [E : F] = n. For an element x ∈ E, the
elements 1, x, x^2, . . . , x^n ∈ E because E is a field. These n + 1 elements are also in the n-dimensional
vector space over F, so they must be linearly dependent. Hence, there exists a set of coefficients
{a0, . . . , an}, not all zero, such that a0 + a1 x + a2 x^2 + · · · + an x^n = 0. This implies that x is algebraic.
Definition B.1.8. A field F is algebraically closed if for any polynomial f(x) ∈ F[x], all of its roots
are in the field F.
Obviously Q and R are not algebraically closed, but C is. This is the Fundamental Theorem of
Algebra. It implies that all polynomials can be completely solved or factored into linear factors in the
complex field C.
As mentioned earlier, given a field extension Q(r)/Q, another way of identifying the degree of
the extension is by identifying the degree of the minimal polynomial of r over Q. To finish off this
subsection, we define what minimal polynomial is.
Definition B.1.9. A polynomial f(x) ∈ F[x] is reducible over the field F if it can be factored into
polynomials with smaller degrees. Otherwise, it is irreducible.
Example B.1.10. Given the following polynomials over the field of rationals Q:
f1(x) = x^2 + 4x + 4 = (x + 2)(x + 2),
f2(x) = x^2 − 4 = (x + 2)(x − 2),
f3(x) = 9x^2 − 3 = (3x + √3)(3x − √3),
f4(x) = x^2 + 1 = (x + i)(x − i),
the polynomials f1 (x) and f2 (x) are reducible over Q whilst the other two are irreducible over Q.
The polynomials f3 (x) and f4 (x) are reducible over R and C, respectively. The polynomial f4 (x) is
irreducible over R.
Theorem B.1.11. Let p be a prime and f(x) ∈ Fp[x] be a monic irreducible polynomial of degree n.
The quotient ring Fp[x]/f(x) is a field of order p^n. (Each polynomial in Fp[x]/f(x) has coefficients
taken from the field Fp and the polynomial degree is at most n − 1.)
Proof. Each coset in the quotient ring Fp[x]/f(x) has the form a0 + a1 x + · · · + a_{n−1} x^{n−1}, where
ai ∈ Fp. So there are p^n different cosets. Since the polynomial f(x) is irreducible, the quotient ring
is also a field.
Definition B.1.12. Let E/F be a field extension. If r is algebraic over F, its minimal polynomial over
F is the irreducible monic polynomial f(x) ∈ F[x] of the least degree satisfying f(r) = 0.
It is necessary for r to be algebraic, for otherwise it is not a root of any polynomial in F [x].
Note that the minimal polynomial of an algebraic number over a base field is unique up to scalar multi-
plication. A simple argument is as follows. Let Jr = {f(x) ∈ F[x] | f(r) = 0} be the set of all
polynomials in F[x] that have r as a root; then Jr is an ideal of the polynomial ring F[x] (easy to verify).
Let p, q ∈ Jr be two monic polynomials of least degree n > 0, then p − q ∈ Jr because Jr is an ideal.
Also p − q has degree less than n because p, q are monic. This contradicts p, q being least-degree
polynomials in Jr, unless p = q.
For different base fields, the minimal polynomial of a number could be different. Here is an example.
Given the field extension R/Q, the minimal polynomial of √2 over Q is x^2 − 2 because this polynomial
is monic, irreducible and has the least degree over the base field Q where √2 is a root. However, in the
field extension R/R, the minimal polynomial for √2 is x − √2.
The degree of an extension E = F(r) is the degree of the minimal polynomial of r over F. This is
formally proved by Theorem B.1.14 in the next subsection. In the above example, the degree [Q(√2) :
Q] = 2, because the minimal polynomial of √2 over Q is x^2 − 2.
The simple extension F (r) is the smallest extension over F that contains F and r. The number r
can be either transcendental or algebraic, but we are only interested in algebraic simple extensions.
In the previous section, we mentioned that if r is an algebraic number over the base field F then
its unique minimal polynomial p(x) always exists. In addition, since p(x) is irreducible over F, the
principal ideal ⟨p(x)⟩ is also maximal in F[x]. This gives us a way of building the extension field F(r)
from the polynomial ring F[x] using the principal ideal by Proposition A.2.17, as stated in the following
theorem.
Theorem B.1.14. Let E/F be a field extension and r ∈ E be an algebraic number over F with minimal
polynomial p(x) ∈ F[x] of degree n, then
1. F(r) ≅ F[x]/⟨p(x)⟩.
Theorem B.1.20. A finite algebraic extension E over F is normal if and only if it is the splitting field
of some polynomial f(x) ∈ F[x].
The theorem implies that if E is the splitting field of one polynomial over F , then it is the splitting
field of every other polynomial over F with one root in E.
Proof. Let K be the splitting field of f(x) and let r ∈ K be a root of f(x). Then rewrite the polynomial as
f(x) = (x − r)^m g(x)
with m ≥ 1 and g(r) ≠ 0. Taking the formal derivative, we get
f′(x) = m(x − r)^{m−1} g(x) + (x − r)^m g′(x) = (x − r)^{m−1} [m g(x) + (x − r) g′(x)].
Evaluating the second factor m g(x) + (x − r) g′(x) at r gives m g(r) + 0 = 0 ⟺ m = 0, because
g(r) ≠ 0.
If f(x) is separable, by definition m = 1 and f′(x) = g(x) + (x − r) g′(x). So f′(r) ≠ 0 and neither
of the two factors of f(x) divides f′(x). This implies they are coprime.
If f(x) is not separable, then m > 1 and f′(r) = 0. Hence, x − r is a common factor of f and f′,
so they are not coprime.
Example B.1.24. In the examples above, f(x) = x^2 − 2 is separable, because its formal derivative
f′(x) = (x^2 − 2)′ = 2x and gcd(f, f′) = 1. If f(x) = (x^2 − 1)^2, then its formal derivative
f′(x) = ((x^2 − 1)^2)′ = 4x(x^2 − 1) and gcd(f, f′) = x^2 − 1, so the polynomial (x^2 − 1)^2 is not
separable.
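The two tests above, the field property of Theorem B.1.11 and the separability test of Example B.1.24, carried out by computer, as an added example that is not part of the tutorial: a small polynomial arithmetic over F_p (the tutorial's separability examples are over Q; working over F_p is this example's choice), a quotient ring F_p[x]/⟨f⟩ whose elements are enumerated and tested for inverses, and gcd(f, f′) via the formal derivative. All function names are this example's own.

```python
# Added example, not from the tutorial: arithmetic in F_p[x] and in the quotient
# ring F_p[x]/<f(x)>, to check Theorem B.1.11 (the quotient is a field of order
# p^n exactly when f is irreducible of degree n) and the separability test of
# Example B.1.24 (gcd(f, f') = 1, with f' the formal derivative), here over F_p.
# A polynomial is a list of coefficients in F_p, lowest degree first; [] is 0.
from itertools import product


def trim(a):
    """Drop leading zero coefficients so that len(a) - 1 is the degree."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a


def mul(a, b, p):
    """Product of two polynomials with coefficients reduced mod p."""
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)


def divmod_poly(a, f, p):
    """Long division in F_p[x]: returns (q, r) with a = q*f + r and deg r < deg f."""
    a, f = trim(a), trim(f)
    inv_lead = pow(f[-1], -1, p)          # inverse of the leading coefficient (Python 3.8+)
    q = [0] * max(len(a) - len(f) + 1, 1)
    while len(a) >= len(f):
        shift = len(a) - len(f)
        coef = (a[-1] * inv_lead) % p
        q[shift] = coef
        sub = [0] * shift + [(coef * c) % p for c in f]   # same length as a
        a = trim([(x - y) % p for x, y in zip(a, sub)])
    return trim(q), a


def gcd_poly(a, b, p):
    """Monic gcd by the Euclidean algorithm; [1] means the inputs are coprime."""
    a, b = trim(a), trim(b)
    while b:
        a, b = b, divmod_poly(a, b, p)[1]
    if a:
        inv = pow(a[-1], -1, p)
        a = [(c * inv) % p for c in a]
    return a


def derivative(f, p):
    """Formal derivative: the coefficient of x^(i-1) is i * a_i, reduced mod p."""
    return trim([(i * c) % p for i, c in enumerate(f)][1:])


def is_separable(f, p):
    """f is separable iff it shares no factor with its formal derivative."""
    return gcd_poly(f, derivative(f, p), p) == [1]


def quotient_elements(f, p):
    """All p^n residue classes of F_p[x]/<f>, each as its reduced representative."""
    n = len(trim(f)) - 1
    return [trim(c) for c in product(range(p), repeat=n)]


def inverse_mod(a, f, p):
    """Brute-force search for b with a*b = 1 in F_p[x]/<f>; None if a is not a unit."""
    for b in quotient_elements(f, p):
        if divmod_poly(mul(a, b, p), f, p)[1] == [1]:
            return b
    return None


def is_field(f, p):
    """Theorem B.1.11 in practice: the quotient is a field iff every nonzero class is a unit."""
    return all(inverse_mod(a, f, p) is not None for a in quotient_elements(f, p) if a)


def zero_divisors(f, p):
    """A pair of nonzero classes whose product is 0 in F_p[x]/<f>, or None."""
    nonzero = [a for a in quotient_elements(f, p) if a]
    for a in nonzero:
        for b in nonzero:
            if divmod_poly(mul(a, b, p), f, p)[1] == []:
                return a, b
    return None


if __name__ == "__main__":
    # x^2 + x + 1 is irreducible over F_2, so the quotient is the field F_4.
    print(len(quotient_elements([1, 1, 1], 2)), is_field([1, 1, 1], 2))
    # x^2 + 1 = (x + 1)^2 over F_2: reducible and inseparable (its derivative is 0).
    print(is_field([1, 0, 1], 2), is_separable([1, 0, 1], 2), zero_divisors([1, 0, 1], 2))
    # x^2 - 1 = (x - 1)(x + 1) over F_3: separable, yet the quotient has zero divisors.
    print(is_separable([2, 0, 1], 3), zero_divisors([2, 0, 1], 3))
```

The last case shows that separability and irreducibility are independent: x^2 − 1 over F_3 is separable but its quotient ring is not a field, while x^2 + 1 over F_3 is irreducible and gives the field F_9.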
Definition B.1.25. An algebraic extension E over F is separable if for every element α ∈ E, its
minimal polynomial over F is separable.
The Fundamental Theorem of Galois Theory states a correspondence between intermediate field
extensions and subgroups of a Galois group. Hence, we would like to know the separability of the
intermediate field extensions between a base field and a separable extension.
Theorem B.1.26. Given field extensions L/M/K. If L/K is separable, then the intermediate exten-
sions L/M and M/K are also separable.
In the previous section, we stated that a field characteristic is either 0 or a prime. The following
results connect the characteristic of the field over which a polynomial is defined to the polynomial's separability.
Theorem B.1.27. Every irreducible polynomial over a field of characteristic zero is separable, and
hence every algebraic extension is separable.
[20] The formal derivative is similar to the derivative in calculus, but for elements of a polynomial ring.
Proof. Let E/F be a field extension with char(F) = 0, and let f(x) ∈ F[x] be the minimal polynomial of α ∈ E over F. Assume f(x) is not separable. That is, without loss of generality, there is a root β with multiplicity 2. Then f(β) = 0 and its formal derivative f'(β) = 0, because f(x) has a factor $(x - \beta)^2$, which becomes $2(x - \beta)$ in f'(x).
However, f'(x) is not the zero polynomial (its coefficients are not all zero), because it is over a field of characteristic zero. The fact that f(x) is a minimal polynomial implies it is irreducible, and since f'(x) has lower degree than f(x), it follows that gcd(f, f') = 1. Hence, there are a, b ∈ F[x] such that a f(x) + b f'(x) = 1. Substituting x = β, we get 0 = 1, a contradiction, so f(x) cannot be non-separable. Hence, every irreducible polynomial over F is separable. This implies every algebraic extension is separable, and every finite extension is also separable because every finite extension is algebraic by Proposition B.1.7.
In the preceding subsections, we have defined different types of field extensions: finite, algebraic, simple, normal and separable. This section will connect some of these extensions to an important kind of field extension, called a Galois extension, and will define the Galois groups of Galois extensions.
Group action. To start with, we introduce group actions on a set. One way to define a group action on a set is by the following definition.
Definition B.2.1. A group (G, ∗) acts on a set S if there is a map
µ:G×S →S
such that
• for all s ∈ S, we have µ(e, s) = s,
• for all x, y ∈ G and s ∈ S, we have µ(x ∗ y, s) = µ(x, µ(y, s)).
For simplicity, we write µ(x, s) as x(s). Another way of defining a group action is by a group homomorphism.
Definition B.2.2. A group G acts on a set S if there is a homomorphism
$$\phi : G \to \mathrm{Sym}(S)$$
from the group to the symmetric group (or the permutation group Perm(S)) of S.
In this case, we say φ is the group action of G on S. Each element of G is mapped to a certain permutation of the set S by the action. For example, when the dihedral group
$$D_4 = \langle r, f \rangle = \{e, r, r^2, r^3, f, fr, fr^2, fr^3\}$$
acts on itself, each element in $D_4$ is mapped to a certain permutation of the set $S = D_4$. For example, the rotation r and the reflection f correspond to the following permutations of $D_4$:
$$r : \{e, r, r^2, r^3, f, fr, fr^2, fr^3\} \mapsto \{r, r^2, r^3, e, rf = fr^3, rfr = f, rfr^2 = fr, rfr^3 = fr^2\},$$
$$f : \{e, r, r^2, r^3, f, fr, fr^2, fr^3\} \mapsto \{f, fr, fr^2, fr^3, e, r, r^2, r^3\}.$$
The action of $D_4$ only gives rise to certain permutations of $D_4$. In other words, $D_4$ has 8 elements while the symmetric group has size $|\mathrm{Perm}(D_4)| = 8!$; the homomorphism φ is injective, which we call faithful, as stated next.
Definition B.2.3 (Faithful action). A group action φ of G on a set S is faithful if φ is injective. That is, for every two distinct elements g, h ∈ G, there exists an element s ∈ S such that g(s) ≠ h(s).
If a group action is faithful, then we can think of the group G as embedded in the permutation group of S, as in the above example of $D_4$, where each element of $G = D_4$ corresponds to a certain permutation of the set $S = D_4$.
Similarly, we can define an action of a group G on a ring R (or a field F). The difference is that a ring has more algebraic structure than a set, so simple permutations of the ring elements do not necessarily preserve the ring structure. For this reason, we replace permutations by automorphisms, which are bijective ring homomorphisms from R to itself. Let Aut(R) be the automorphism group of R.
Definition B.2.4. An action of a group G on a ring R is a group homomorphism
φ : G → Aut(R).
Fixed field. Some elements in the ring R or field F stay invariant under the action. They make up the fixed field.
Definition B.2.5. Given a field extension E/F and a group action of G on E, the fixed field of E under the action of G,
$$E^G = \{a \in E \mid g(a) = a,\ \forall g \in G\},$$
is the set of elements in the extension field that are fixed point-wise by every automorphism g ∈ G.
Definition B.2.6 (Automorphism group). Let E/F be a field extension. The automorphism group of the field extension
$$\mathrm{Aut}(E/F) = \{\alpha \in \mathrm{Aut}(E) \mid \alpha(x) = x,\ \forall x \in F\} = \{\alpha \in \mathrm{Aut}(E) \mid \alpha|_F = \mathrm{Id}_F\}$$
is the set of automorphisms of E that fix F.
The automorphism group is a group with function composition as the group operator. It is a subgroup
of the group of automorphisms of E, i.e., Aut(E/F ) ⊆ Aut(E). Now, we are ready to define the Galois
group of a field extension.
Definition B.2.7 (Galois group). The Galois group of a field extension E/F, denoted by Gal(E/F), is the automorphism group of the field extension. That is,
$$\mathrm{Gal}(E/F) := \mathrm{Aut}(E/F) = \{\alpha \in \mathrm{Aut}(E) \mid \alpha|_F = \mathrm{Id}_F\}.$$
By definition, the Galois group is a subset of the automorphism group or permutation group (or
symmetric group) of the extension E.
As explained in the previous section, an extension field can be viewed as a vector space over the base field, so when working with Galois groups, instead of tracking where every element of the extension is mapped, it is convenient to know where the basis vectors are mapped by the automorphisms. Let us work through some simple examples.
Example B.2.8. Let the field extension be $\mathbb{Q}(\sqrt{2})/\mathbb{Q}$. It is a 2-dimensional $\mathbb{Q}$-vector space with a basis $\{1, \sqrt{2}\}$. The Galois group must fix the base field, so it contains the identity map I. In addition, it should contain another automorphism σ that maps $\sqrt{2}$ to another element a in the extension while fixing $\mathbb{Q}$. Since σ is an automorphism, it must satisfy
$$a^2 = \sigma(\sqrt{2})^2 = \sigma((\sqrt{2})^2) = \sigma(2) = 2.$$
So whatever $\sigma(\sqrt{2}) = a$ is, it must satisfy $a^2 - 2 = 0$ in the extension, which means $a = \pm\sqrt{2}$. Since the identity map is already included, it entails $\sigma(\sqrt{2}) = -\sqrt{2}$. Hence, the Galois group $\mathrm{Gal}(\mathbb{Q}(\sqrt{2})/\mathbb{Q}) = \{I, \sigma : \sqrt{2} \mapsto -\sqrt{2}\} \cong C_2$, which is isomorphic to the cyclic group of order 2.
Example B.2.9. Let the field extension be $\mathbb{Q}(\sqrt{2}, i)/\mathbb{Q}$. This is a 4-dimensional $\mathbb{Q}$-vector space with a basis $\{1, \sqrt{2}, i, \sqrt{2}i\}$. The minimal polynomials over $\mathbb{Q}$ for $\sqrt{2}$ and i are $x^2 - 2$ and $x^2 + 1$, respectively. The Galois group of the field extension contains all the automorphisms that fix $\mathbb{Q}$ while permuting the roots of each minimal polynomial. That is, it contains a map τ that permutes $\{\sqrt{2}, -\sqrt{2}\}$ and a map σ that permutes $\{i, -i\}$. We can identify these automorphisms as shown in Table 2. The Galois group is isomorphic to the Klein four-group $V_4 = C_2 \times C_2$.
        √2     1     i     √2 i
I       √2     1     i     √2 i
σ       √2     1    −i    −√2 i
τ      −√2     1     i    −√2 i
στ     −√2     1    −i     √2 i
Table 2: The Galois group of the extension Q(√2, i)/Q. It is isomorphic to the Klein four-group V4 = C2 × C2.
It is important to note that not all automorphisms (or permutations) that fix the base field are in the Galois group. From the above two examples, we can see that the Galois group only contains those automorphisms that permute roots of the same minimal polynomial while fixing the base field. In Example B.2.9, $\sqrt{2}$ and $-\sqrt{2}$ come from the minimal polynomial $x^2 - 2$ over $\mathbb{Q}$, and i and −i come from the minimal polynomial $x^2 + 1$ over $\mathbb{Q}$. Let us take a look at a counterexample.
Example B.2.10. Let the field extension be $\mathbb{Q}(\sqrt{2}, \sqrt{3})/\mathbb{Q}$. The permutation $\phi : \sqrt{2} \mapsto \sqrt{3}$ is not in the Galois group. Assuming it is, then $\phi(\sqrt{2}) = \sqrt{3}$ implies $\phi(\sqrt{2})^2 = 3$. By the definition of a homomorphism, $\phi(\sqrt{2})^2 = \phi((\sqrt{2})^2) = \phi(2) = 2$ because φ fixes $\mathbb{Q}$. This implies 2 = 3, a contradiction.
Example B.2.11. A slightly more complicated example is the field extension $\mathbb{Q}(\sqrt[4]{2}, i)/\mathbb{Q}$. The roots $\sqrt[4]{2}$ and i have the minimal polynomials $x^4 - 2$ and $x^2 + 1$ over $\mathbb{Q}$, respectively. The polynomial $x^4 - 2$ has four roots $\pm\sqrt[4]{2}$ and $\pm i\sqrt[4]{2}$. The polynomial $x^2 + 1$ has two roots $\pm i$. The Galois group should contain automorphisms that permute the roots of each polynomial. The process of finding the automorphisms is more or less trial and error.21 Let
$$\sigma(\sqrt[4]{2}) = i\sqrt[4]{2} \text{ and } \sigma(i) = i, \qquad \tau(i) = -i \text{ and } \tau(\sqrt[4]{2}) = \sqrt[4]{2}.$$
Then we have
$$\sigma^2(\sqrt[4]{2}) = -\sqrt[4]{2} \text{ and } \sigma^2(i) = i,$$
$$\sigma^3(\sqrt[4]{2}) = -i\sqrt[4]{2} \text{ and } \sigma^3(i) = i,$$
$$\sigma^4(\sqrt[4]{2}) = \sqrt[4]{2} \text{ and } \sigma^4(i) = i,$$
$$\tau^2(i) = i \text{ and } \tau^2(\sqrt[4]{2}) = \sqrt[4]{2}.$$
So the orders of σ and τ in the Galois group are 4 and 2, respectively. Hence, the Galois group is
$$\{I, \sigma, \sigma^2, \sigma^3, \tau, \sigma\tau, \sigma^2\tau, \sigma^3\tau\}.$$
Combining the definitions of fixed field and Galois group, we know that for a field extension E/F, the fixed field of the Galois group should at least contain the base field F, because all automorphisms in the Galois group fix F, though they may fix more than F. Hence, we can define what it means for a field extension to be Galois.
Definition B.2.12 (Galois extension). A field extension E/F is a Galois extension if the fixed field of the Galois group Gal(E/F) is exactly F. That is, $E^{\mathrm{Gal}(E/F)} = F$.
In other words, the Galois group has to fix exactly the base field, nothing more and nothing less. An important theorem that characterizes Galois extensions using the previously defined extension types is the following.
Theorem B.2.13 (Normal and separable ⟹ Galois). An algebraic field extension is a Galois extension if it is normal and separable.
This theorem says that for an algebraic field extension to be a Galois extension, any polynomial that
has a root in the extension must have all its roots in the extension and these roots must be all distinct. The
requirement of being normal and separable is a sufficient condition for a field extension to be Galois.
21 Perhaps there are better ways of finding the Galois group, but they are not in the scope of this material.
Example B.2.14. The Galois group $\mathrm{Gal}(\mathbb{Q}(\sqrt[3]{2})/\mathbb{Q}) = \{I\}$ contains only the identity map. If $\phi(\sqrt[3]{2}) = a$ is another automorphism, then it must satisfy $a^3 - 2 = 0$. So φ must map $\sqrt[3]{2}$ to a root of the minimal polynomial $x^3 - 2$ in the extension. But the only root that is in the extension is $\sqrt[3]{2}$, because the other two roots are complex. So φ is the identity map. Given that the Galois group contains only the identity map, the fixed field is $\mathbb{Q}(\sqrt[3]{2})$, not $\mathbb{Q}$, so the field extension is not Galois. By Theorem B.2.13, the extension is not both normal and separable. In fact, this is the case, because the extension does not contain the two complex roots of the minimal polynomial $x^3 - 2$.
The example suggests that a field extension can have a Galois group without necessarily being a Galois extension.
Since a Galois extension is normal and separable, we would expect the number of automorphisms
in the Galois group to be related to the number of roots of a minimal polynomial. The next lemma
connects the number of automorphisms in the Galois group to the degree of a Galois extension.
Lemma B.2.15. If a finite field extension E/F is Galois, then the number of elements in the Galois
group is the degree of the field extension. That is, |Gal(E/F )| = [E : F ].
For example, the field extension $\mathbb{Q}(\sqrt{2}, i)/\mathbb{Q}$ has degree 4 (as it is a 4-dimensional vector space over $\mathbb{Q}$) and there are 4 automorphisms in the Galois group, as listed in Table 2.
The next theorem is the most important theorem in Galois Theory. It builds a connection between subgroups of a Galois group and field extensions of a base field. The theorem is important in the sense that it provides a way of understanding field extensions from the perspective of groups, which are relatively well studied. In its most basic form, it states that if L/M/K is a finite Galois extension, then there is a one-to-one correspondence between the intermediate extensions and the subgroups of the Galois group Gal(L/K). The next theorem explicitly defines what this one-to-one correspondence between the two different algebraic structures means.
[Figure 16: A finite Galois extension and the corresponding Galois groups. (a) A finite Galois extension L ⊇ M ⊇ K. (b) Subgroups of the Galois group $G_K = \mathrm{Gal}(L/K)$, with $G_L \subseteq G_M \subseteq G_K$.]
Theorem B.2.16 (Fundamental Theorem of Galois Theory). Suppose L/M/K is a finite Galois extension with the corresponding Galois group $G_K = \mathrm{Gal}(L/K)$.
3. The intermediate field extension M/K is Galois if and only if $G_M \trianglelefteq G_K$ is a normal subgroup. In this case, the corresponding Galois group is given by
$$\mathrm{Gal}(M/K) \cong G_K / G_M.$$
The first point of the theorem says that if M is an intermediate extension between L and K, then M corresponds to the set of automorphisms of L that fix M. If M = K, then M corresponds to the set of automorphisms of L that fix K, which is the entire Gal(L/K). If M = L, then M corresponds to the set of automorphisms of L that fix L, which is just the identity map.
The second point says the degree of the M-vector space L equals the number of automorphisms of L that fix M. If M = K or M = L, then the degrees are $[L : M] = [L : K] = |G_K| = |\mathrm{Gal}(L/K)|$ or $[L : M] = [L : L] = |G_L| = 1$, respectively. Combining the two equalities, we get $[L : M][M : K] = |G_K| = [L : K]$, which is consistent with the Tower Law in Proposition B.1.3.
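As an added example (not code from the tutorial), the following Python models the fields Q(√2, i) of Example B.2.9 and Q(⁴√2, i) of Example B.2.11 on their monomial bases, generates the Galois group from σ and τ, and checks Definition B.2.12 together with the second point of the theorem: the fixed field of the whole group has degree 1 over Q (it is exactly Q, so the extensions are Galois), while the fixed field of the subgroup ⟨σ⟩ has degree [L : Q]/|⟨σ⟩|. The class and function names are constructed for this example.

```python
from fractions import Fraction

class TwoGeneratorField:
    # Constructed model of Q(theta, i) with theta**k = 2 and i**2 = -1; an element
    # is a dict {(a, b): Fraction} for a sum of c * theta**a * i**b (a < k, b < 2).
    def __init__(self, k):
        self.k = k
        self.basis = [(a, b) for a in range(k) for b in range(2)]
        self.theta, self.i = {(1, 0): Fraction(1)}, {(0, 1): Fraction(1)}

    def add(self, x, y):
        z = {m: x.get(m, Fraction(0)) + y.get(m, Fraction(0)) for m in set(x) | set(y)}
        return {m: c for m, c in z.items() if c != 0}

    def mul(self, x, y):
        z = {}
        for (a, b), c1 in x.items():
            for (c, d), c2 in y.items():
                # reduce the exponents with theta**k = 2 and i**2 = -1
                coeff = c1 * c2 * (2 if a + c >= self.k else 1) * (-1 if b + d >= 2 else 1)
                m = ((a + c) % self.k, (b + d) % 2)
                z[m] = z.get(m, Fraction(0)) + coeff
        return {m: c for m, c in z.items() if c != 0}

    def scale(self, x, c):
        return {m: Fraction(c) * v for m, v in x.items()}

    # A Q-automorphism is the pair (image of theta, image of i): as a ring
    # homomorphism fixing Q it is determined on every element by these two.
    def apply(self, auto, x):
        img_theta, img_i = auto
        out = {}
        for (a, b), c in x.items():
            term = {(0, 0): Fraction(c)}
            for factor in [img_theta] * a + [img_i] * b:
                term = self.mul(term, factor)
            out = self.add(out, term)
        return out

    def compose(self, f, g):  # f after g, again as a pair of images
        return (self.apply(f, g[0]), self.apply(f, g[1]))

    def generate(self, gens):
        # closure of the generators under composition, starting at the identity
        identity = (self.theta, self.i)
        group, frontier = {key(identity): identity}, [identity]
        while frontier:
            nxt = []
            for g in frontier:
                for s in gens:
                    h = self.compose(s, g)
                    if key(h) not in group:
                        group[key(h)] = h
                        nxt.append(h)
            frontier = nxt
        return list(group.values())

    def fixed_field_degree(self, group):
        # dim_Q of E^G = {x : g(x) = x for all g}: the averaging map x -> sum_g g(x)
        # has exactly the fixed subspace as its image, so its rank is that degree.
        rows = []
        for m in self.basis:
            avg = {}
            for g in group:
                avg = self.add(avg, self.apply(g, {m: Fraction(1)}))
            rows.append([avg.get(b, Fraction(0)) for b in self.basis])
        return rank(rows)

def key(auto):  # hashable form of an automorphism (pair of images)
    return tuple(tuple(sorted(x.items())) for x in auto)

def rank(rows):
    # rank over Q by Gaussian elimination on rows of Fractions
    rows, r = [list(v) for v in rows], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                f = rows[i][c] / rows[r][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def galois_data(F, sigma, tau):
    G = F.generate([sigma, tau])
    return {"order": len(G),                                    # |Gal(E/Q)|
            "ord_sigma": len(F.generate([sigma])), "ord_tau": len(F.generate([tau])),
            "fixed_degree": F.fixed_field_degree(G),            # 1 iff E/Q is Galois
            "fixed_degree_sigma": F.fixed_field_degree(F.generate([sigma]))}  # [E^<sigma> : Q]

def example_B_2_9():  # Q(sqrt2, i): sigma: i -> -i, tau: sqrt2 -> -sqrt2 (Table 2)
    F = TwoGeneratorField(2)
    return galois_data(F, (F.theta, F.scale(F.i, -1)), (F.scale(F.theta, -1), F.i))

def example_B_2_11():  # Q(2**(1/4), i): sigma: theta -> i*theta, i -> i; tau: i -> -i
    F = TwoGeneratorField(4)
    return galois_data(F, (F.mul(F.i, F.theta), F.i), (F.theta, F.scale(F.i, -1)))
```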
[Figure 17: A finite Galois extension $\mathbb{Q}(\omega, \theta)/\mathbb{Q}$ and the corresponding Galois groups, where $\omega = -\tfrac{1}{2} + i\tfrac{\sqrt{3}}{2}$ and $\theta = \sqrt[3]{2}$. Each structure is a lattice and there is a one-to-one correspondence between them. (a) The finite Galois extension and the intermediate extensions, from $\mathbb{Q}(\omega, \theta)$ at the top down to $\mathbb{Q}$ at the bottom. (b) The subgroups of the Galois group $\mathrm{Gal}(\mathbb{Q}(\omega, \theta)/\mathbb{Q})$, from $\{I\}$ at the top down to $\{I, \sigma, \sigma^2, \tau, \sigma\tau, \sigma^2\tau\}$ at the bottom.]
Example B.2.17. Let the field extension be $\mathbb{Q}(\theta, \omega)/\mathbb{Q}$, where $\theta = \sqrt[3]{2}$ and $\omega = -\tfrac{1}{2} \pm i\tfrac{\sqrt{3}}{2}$. The extension is a 6-dimensional $\mathbb{Q}$-vector space with a basis $\{1, \theta, \theta^2, \omega, \theta\omega, \theta^2\omega\}$. Define the automorphisms
Recall that an algebraic number (integer) is a complex number that is a root of a non-zero polynomial
with rational (integer) coefficients. Below we define algebraic number fields, which are special cases of
extension fields where the base field is the rationals Q.
Definition C.1.1 (Number field). An algebraic number field (or simply number field) is a finite extension of the field of rationals by algebraic numbers, i.e., $\mathbb{Q}(r_1, \ldots, r_n)$, where $r_1, \ldots, r_n$ are algebraic numbers.
Cyclotomic field. An nth root of unity $\zeta_n$ is an algebraic number, so the cyclotomic extension $\mathbb{Q}(\zeta_n)$ is also a number field, which is called the nth cyclotomic number field (or nth cyclotomic field).
Power basis. A number field $K = \mathbb{Q}(r)$ forms a vector space over the base field $\mathbb{Q}$ with the basis $\{1, r, \ldots, r^{n-1}\}$, which is called the power basis of K because it is formed by the powers of a number r. By the Primitive Element Theorem, it is always possible to get a power basis for a number field.
Theorem C.1.2 (Primitive element theorem). If K is an extension field of $\mathbb{Q}$ and it has finite degree $[K : \mathbb{Q}] < \infty$, then K has a primitive element r such that $r \notin \mathbb{Q}$ and $K = \mathbb{Q}(r)$.
Example C.1.3. The number field $K = \mathbb{Q}(\sqrt{2})$ is a degree 2 $\mathbb{Q}$-vector space. It has a primitive element $\sqrt{2}$ and a basis $\{1, \sqrt{2}\}$.
The number field $K = \mathbb{Q}(\sqrt[3]{2})$ has degree 3. It has a primitive element $\sqrt[3]{2}$ and a basis $\{1, \sqrt[3]{2}, \sqrt[3]{4}\}$.
The number field $K = \mathbb{Q}(\sqrt{2}, \sqrt{3})$ has degree 4. It has a primitive element $r = \sqrt{2} + \sqrt{3}$, so $K = \mathbb{Q}(\sqrt{2}, \sqrt{3}) = \mathbb{Q}(\sqrt{2} + \sqrt{3})$. It has a power basis $\{1, r, r^2, r^3\} = \{1, \sqrt{2} + \sqrt{3}, 5 + 2\sqrt{6}, 11\sqrt{2} + 9\sqrt{3}\}$. To see this is a basis, we know from field extension theory that $\{1, \sqrt{2}, \sqrt{3}, \sqrt{6}\}$ is a basis of K. This basis can be expressed in terms of linear combinations of the power basis.
For a number field K, the set of all algebraic integers forms a ring under the usual addition and
multiplication operations in K (exercise). This set generalizes the set of rational integers Z. It is
particularly important for the RLWE problem.
Definition C.1.4 (Ring of integers). The ring of integers of an algebraic number field K, denoted by $O_K$, is the set of all algebraic integers that lie in the field K.
For example, the set Z of rational integers is the ring of integers of the number field Q, i.e., Z = OQ .
$O_K$ is an integral domain. Recall that an integral domain is a non-zero commutative ring in which the product of two non-zero elements is non-zero. $\mathbb{Z}$ is an integral domain, and so is its generalization $O_K$, because $O_K \subseteq K$ lies in a number field, which is an integral domain. In general, determining the ring of integers of a number field is a difficult problem, unless the number field is quadratic, that is, a $\mathbb{Q}$-vector space of degree 2, as stated in the next theorem.
Definition C.1.5 (Squarefree). A number is squarefree if its prime decomposition contains no repeated factors.
All prime numbers are squarefree. Some composite numbers are squarefree and some are not. For example, 4 is not squarefree, but 6 is.
Theorem C.1.6 ($O_K$ in a quadratic K). Let K be a quadratic number field and m be the unique squarefree integer such that $K = \mathbb{Q}(\sqrt{m})$. Then the set $O_K$ of algebraic integers in K is given by
$$O_K = \begin{cases} \mathbb{Z} + \mathbb{Z}\sqrt{m}, & \text{if } m \not\equiv 1 \pmod 4, \\ \mathbb{Z} + \mathbb{Z}\,\frac{1 + \sqrt{m}}{2}, & \text{if } m \equiv 1 \pmod 4. \end{cases}$$
For example, if $K = \mathbb{Q}(\sqrt{-7})$ then $O_K = \mathbb{Z} + \mathbb{Z}\,\frac{1 + \sqrt{-7}}{2}$. If $K = \mathbb{Q}(\sqrt{-5})$ then $O_K = \mathbb{Z} + \mathbb{Z}\sqrt{-5}$.
$O_K$ is a free $\mathbb{Z}$-module. Since the set of rational integers $\mathbb{Z} \subseteq O_K$ is always contained in the ring of integers of a number field K (of degree n), this makes $O_K$ a $\mathbb{Z}$-module. Recall that a module is a generalization of a vector space where scalar multiplications are defined in a ring rather than a field. In fact, $O_K$ is a free $\mathbb{Z}$-module, which means it has a basis $B = \{b_1, \ldots, b_n\} \subseteq O_K$ such that every element in $O_K$ can be written as an integer linear combination of the basis. The basis is called a $\mathbb{Z}$-basis of $O_K$. It is also a $\mathbb{Q}$-basis of K, because every element $r \in K$ can be written as a linear combination $r = \sum_{i=1}^{n} a_i b_i$, where $a_i \in \mathbb{Q}$.
Integral basis. More importantly, the basis B is called an integral basis of the number field K (and of the ring of integers $O_K$, as used by Ben Green). Note that although the ring of integers $O_K$ always has a basis, it does NOT always have a power basis. A special case is when K is a cyclotomic number field. In this case, the power basis of K is also an integral basis of K (or $O_K$).
The essential connection between OK and lattices is by relating the number field K to the n-
dimensional Euclidean space Rn . This is done via an embedding of K to a space H that is isomorphic to
Rn . Suppose K is a number field with degree [K : Q] = n, then we have n field embeddings (i.e., field
or injective ring homomorphisms) σi : K → C such that the base field Q is fixed by the embeddings.
For a primitive element r in K but not in Q, i.e., K = Q(r), each embedding σi : K → C is given by
the map from r to a root of r’s minimal polynomial f (x) ∈ Q[x]. The following proposition states that
there are n distinct such embeddings from K to C.
Proposition C.1.7. Let K be an algebraic number field of degree n. Then there are precisely n distinct
field embeddings from K to C.
Real and complex embeddings. The embeddings $\{\sigma_i\}_{i \in [n]}$ map the primitive element r to different roots of r's minimal polynomial f(x), which is a collection of real and complex numbers. Hence, we can distinguish these embeddings as real and complex embeddings. If $\sigma_i(K) \subseteq \mathbb{R}$ (or $\sigma_i(r) \in \mathbb{R}$) then it is a real embedding, otherwise it is a complex embedding. By the Complex Conjugate Root Theorem22, the images of the complex embeddings are in conjugate pairs, so we only need to keep half of the complex embeddings and split each of them into real and imaginary parts. Let $s_1$ be the number of real embeddings and $s_2$ be the number of conjugate pairs of complex embeddings; then the total number of embeddings is $n = s_1 + 2s_2$. In addition, let $\{\sigma_i\}_{i \in [s_1]}$ be the real embeddings, $\{\sigma_j\}_{j \in [s_1 + 1, n]}$ be the complex embeddings and $\sigma_{s_1 + j} = \overline{\sigma_{s_1 + s_2 + j}}$ be the conjugate pairs for $j \in [s_2]$; then we have the following definition of a canonical embedding of an algebraic number field.
Definition C.1.8 (Canonical embedding). A canonical embedding (or Minkowski embedding) σ of an algebraic number field K of degree n to the n-dimensional complex space $\mathbb{C}^n$ is defined as
$$\sigma : K \to \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} \subseteq \mathbb{C}^n, \qquad r \mapsto (\sigma_1(r), \ldots, \sigma_{s_1}(r), \sigma_{s_1+1}(r), \ldots, \sigma_n(r)).$$
τ embedding. As mentioned above, the complex embeddings are in conjugate pairs, so it is not necessary to keep both complex embeddings in a conjugate pair. This gives rise to a different (and more practical) embedding
$$\tau : K \to V, \qquad r \mapsto (\sigma_1(r), \ldots, \sigma_{s_1}(r), \sigma_{s_1+1}(r), \ldots, \sigma_{s_1+s_2}(r)),$$
where for each $i \in [s_1 + 1, s_1 + s_2]$, $\sigma_i$ is separated into its real and imaginary parts as $\sigma_i(r) = (\mathrm{Re}(\sigma_i(r)), \mathrm{Im}(\sigma_i(r)))$, so the image of this embedding can be explicitly written out as
$$\tau(r) = (\sigma_1(r), \ldots, \sigma_{s_1}(r), \mathrm{Re}(\sigma_{s_1+1}(r)), \mathrm{Im}(\sigma_{s_1+1}(r)), \ldots, \mathrm{Re}(\sigma_{s_1+s_2}(r)), \mathrm{Im}(\sigma_{s_1+s_2}(r))). \quad (48)$$
Canonical space. The canonical embedding maps a number field to an n-dimensional space, named the canonical space (or Minkowski space), which can be expressed as
$$H = \{(x_1, \ldots, x_n) \in \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2} \mid x_{s_1+j} = \overline{x_{s_1+s_2+j}},\ \forall j \in [s_2]\} \subseteq \mathbb{C}^n.$$
The canonical space H can be verified to be isomorphic to $\mathbb{R}^n$ using the following steps. We can establish a one-to-one correspondence between the standard basis of $\mathbb{C}^n$ and an orthonormal basis of H. In detail, let $\{e_i\}_{i \in [n]}$ be the standard basis of $\mathbb{C}^n$, where in each $e_i$ the ith component is 1 and the rest are zero. Then we can build a basis $\{b_i\}_{i \in [n]}$ for H such that
22 The complex roots of a polynomial with real coefficients come in conjugate pairs.
Similarly, we can prove that the space V, to which K is mapped by the embedding τ, is also isomorphic to $\mathbb{R}^n$.
In the next example, we will look at the canonical embedding of a cyclotomic number field and construct a basis of the canonical space by using the above rules.
Example C.1.9. Let $K = \mathbb{Q}(\zeta_8)$ be a cyclotomic number field, where $\zeta_8 = \frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}$ is a primitive 8th root of unity. The minimal polynomial of $\zeta_8$ is the 8th cyclotomic polynomial $\Phi_8(x) = x^4 + 1$ with degree $\varphi(8) = 4$, whose roots are the primitive 8th roots
$$\zeta_8 = \frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}, \quad \zeta_8^3 = -\frac{\sqrt{2}}{2} + i\frac{\sqrt{2}}{2}, \quad \zeta_8^5 = -\frac{\sqrt{2}}{2} - i\frac{\sqrt{2}}{2}, \quad \zeta_8^7 = \frac{\sqrt{2}}{2} - i\frac{\sqrt{2}}{2}.$$
The degree of the cyclotomic field is n = 4, so all 4 embeddings $\sigma_i : K \to \mathbb{C}$ are complex, that is, $s_1 = 0$ and $s_2 = 2$. The four complex embeddings are
$$\sigma_1\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = \tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}, \qquad \sigma_2\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = -\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2},$$
$$\sigma_3\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = \tfrac{\sqrt{2}}{2} - i\tfrac{\sqrt{2}}{2}, \qquad \sigma_4\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = -\tfrac{\sqrt{2}}{2} - i\tfrac{\sqrt{2}}{2},$$
where $\sigma_1, \sigma_3$ and $\sigma_2, \sigma_4$ are conjugate pairs. So the embedding by Equation (48) is
$$\tau\!\left(\tfrac{\sqrt{2}}{2} + i\tfrac{\sqrt{2}}{2}\right) = \left(\tfrac{\sqrt{2}}{2},\ \tfrac{\sqrt{2}}{2},\ -\tfrac{\sqrt{2}}{2},\ \tfrac{\sqrt{2}}{2}\right).$$
Now that we know a number field K is mapped to a canonical space that is isomorphic to $\mathbb{R}^n$, we can define the notion of a geometric norm on the number field K just as we did in $\mathbb{R}^n$.
$L_p$-norm. For any element x ∈ K, the $L_p$-norm of x is defined as
$$\|x\|_p = \|\sigma(x)\|_p = \begin{cases} \left(\sum_{i \in [n]} |\sigma_i(x)|^p\right)^{1/p} & \text{if } p < \infty, \\ \max_{i \in [n]} |\sigma_i(x)| & \text{if } p = \infty. \end{cases}$$
Example C.1.10. We use this example to illustrate the $L_p$-norm of a root of unity in a cyclotomic number field.
Let $\sigma : K = \mathbb{Q}(\zeta_n) \to H$ be the canonical embedding for the nth cyclotomic field. The minimal polynomial of $\zeta_n$ is the nth cyclotomic polynomial $\Phi_n(x)$, which has only complex roots for n ≥ 3, because the two real roots of unity are not primitive. The complex embeddings are given by $\sigma_i(\zeta_n) = \zeta_n^i$, where $i \in (\mathbb{Z}/n\mathbb{Z})^*$, so $n = 2s_2 = |(\mathbb{Z}/n\mathbb{Z})^*|$.
For any nth root of unity $\zeta_n^j \in K$, an embedding $\sigma_i(\zeta_n^j)$ is still a root of unity and hence has magnitude 1. So the $L_p$-norm of an nth root of unity is $\|\zeta_n^j\|_p = n^{1/p}$ for $p < \infty$ and $\|\zeta_n^j\|_\infty = 1$.
We have specified the canonical embedding of a number field to a space that is isomorphic to Rn .
What we are really interested in is how the ring of integers is mapped by the embedding. The follow-
ing theorem states that the canonical embedding maps OK to a full-rank lattice. Towards the end of
this section, we will discuss the minimum distance (or the shortest vector) of this lattice and how the
determinant of this lattice σ(OK ) is related to a quantity of the number field, called the discriminant.
Theorem C.1.11 ($\tau(O_K)$ is a lattice). Let K be an n-dimensional number field and $\tau : K \to V \cong \mathbb{R}^n$ be the embedding of K as defined in Equation (48); then τ maps the ring of integers $O_K$ to a full-rank lattice in $\mathbb{R}^n$.
$$N^T = \begin{pmatrix} \vdots & & \vdots & \vdots & \vdots & & \vdots & \vdots \\ \sigma_1(e_n) & \cdots & \sigma_{r_1}(e_n) & \mathrm{Re}(\sigma_{r_1+1}(e_n)) & \mathrm{Im}(\sigma_{r_1+1}(e_n)) & \cdots & \mathrm{Re}(\sigma_{r_1+r_2}(e_n)) & \mathrm{Im}(\sigma_{r_1+r_2}(e_n)) \end{pmatrix}$$
It can be proved that det N is related to det M, where M is a matrix defined by using the canonical embedding σ of K. In addition, $\det M \neq 0$, so $\det N \neq 0$. The details are skipped. See the proof of Lemma 10.6.1 on page 65 of Ben Green's book or the proof of Proposition 4.26 on page 80 of Milne's book.
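As an added example (not code from the tutorial), the following Python computes the canonical embedding σ, the embedding τ of Equation (48), the $L_p$-norm of Example C.1.10 and the lattice basis of Theorem C.1.11 for a cyclotomic field $\mathbb{Q}(\zeta_n)$ represented on its power basis. It assumes n ≥ 3, so that all embeddings are complex, and uses the fact stated above that the power basis is an integral basis in the cyclotomic case; the function names are constructed.

```python
import cmath
from math import gcd

def units_mod(n):
    # (Z/nZ)^*: the exponents i for which zeta_n**i is again a primitive n-th root
    return [i for i in range(1, n) if gcd(i, n) == 1]

def canonical_embedding(n, coeffs):
    # sigma(x) for x = sum_k coeffs[k] * zeta_n**k on the power basis: one complex
    # embedding zeta_n -> zeta_n**i per unit i (all of them complex for n >= 3)
    zeta = cmath.exp(2j * cmath.pi / n)
    return [sum(c * zeta ** (i * k) for k, c in enumerate(coeffs)) for i in units_mod(n)]

def tau_embedding(n, coeffs):
    # Equation (48): keep one embedding from each conjugate pair (i and n - i are
    # conjugate because zeta**(n-i) = conj(zeta**i)) and split it into Re, Im
    zeta = cmath.exp(2j * cmath.pi / n)
    out = []
    for i in units_mod(n):
        if i < n - i:
            z = sum(c * zeta ** (i * k) for k, c in enumerate(coeffs))
            out += [z.real, z.imag]
    return out

def lp_norm(n, coeffs, p):
    # ||x||_p = ||sigma(x)||_p as defined above; p may be float("inf")
    mags = [abs(z) for z in canonical_embedding(n, coeffs)]
    return max(mags) if p == float("inf") else sum(v ** p for v in mags) ** (1 / p)

def lattice_basis(n):
    # rows tau(zeta_n**k): the power basis is an integral basis of the cyclotomic O_K,
    # so these rows generate the lattice tau(O_K) of Theorem C.1.11
    deg = len(units_mod(n))
    return [tau_embedding(n, [int(j == k) for j in range(deg)]) for k in range(deg)]

def det(m):
    # determinant by Gaussian elimination with partial pivoting (floats)
    a, size, d = [row[:] for row in m], len(m), 1.0
    for c in range(size):
        p = max(range(c, size), key=lambda r: abs(a[r][c]))
        if abs(a[p][c]) < 1e-12:
            return 0.0
        if p != c:
            a[c], a[p] = a[p], a[c]
            d = -d
        d *= a[c][c]
        for r in range(c + 1, size):
            f = a[r][c] / a[c][c]
            a[r] = [x - f * y for x, y in zip(a[r], a[c])]
    return d
```

For n = 8 the row tau_embedding(8, [0, 1, 0, 0]) reproduces the vector of Example C.1.9, and det(lattice_basis(8)) is non-zero, so the four rows span a full-rank lattice.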
The ring of integers $O_K$ in a number field carries a lot of similarities to $\mathbb{Z}$, but it lacks an important property, that of being a unique factorization domain.
Definition C.2.1 (UFD). An integral domain D is a unique factorization domain (UFD) if every non-zero non-unit element x ∈ D can be written as a product
$$x = p_1 \cdots p_n$$
of $0 < n < \infty$ irreducible elements $p_i \in D$, uniquely up to reordering of the irreducible elements.
Dedekind domain. A Dedekind domain is an integral domain in which every non-zero proper ideal factors into a product of prime ideals. The ring of integers $O_K$ is just a special case of a Dedekind domain, as we will see at the end of this subsection once we have stated that the integral ideals of $O_K$ form a UFD. In addition, we introduce fractional ideals of $O_K$ and prove that they form a multiplicative group under ideal multiplication.
The RLWE problem is constructed based on ideal lattices, which are the images of the canonical
embedding of integral (or fractional) ideals of OK (Proposition 3.5.1 (Mukherjee, 2016), Proposition
4.26 of J. S. Milne’s book Algebraic Number Theory). Since integral and fractional ideals are related by
an algebraic integer d ∈ OK (which is considered as the denominator), RLWE can be defined in either
setting.
Since $O_K$ is commutative, we do not distinguish between left and right ideals. The above definition is consistent with ideals in ordinary rings, except that the zero ideal {0} is excluded in order to define ideal division later. Since $O_K$ has a $\mathbb{Z}$-basis, its integral ideals have a $\mathbb{Z}$-basis too. In other words, every non-zero integral ideal of $O_K$ is a free $\mathbb{Z}$-module.
Principal ideal. We can define a principal ideal in a similar way, as an ideal that is generated by a single element via multiplication with all elements in $O_K$. That is, the principal ideal generated by an element $x \in O_K$ is
$$(x) := \{\alpha x \mid \alpha \in O_K\}.$$
Given elements $x_1, \ldots, x_r \in O_K$, the ideal generated by the $x_i$'s is
$$(x_1, \ldots, x_r) := \Big\{\sum_{i \in [r]} \alpha_i x_i \;\Big|\; \alpha_i \in O_K\Big\},$$
the set of linear combinations of the $x_i$'s, where the coefficients are taken from $O_K$.
Ideal sum. We can also define some basic operations on ideals. If I and J are both integral ideals of $O_K$, their sum is defined as
$$I + J := \{x + y \mid x \in I \text{ and } y \in J\},$$
which is still an ideal in $O_K$.23 The sum ideal does not respect the additive structure on $O_K$. For example, if I = J = (1), then $I + J = (1) \neq (1 + 1) = (2)$. The sum of two ideals is not so important; what matters more for what follows is the product of two ideals.
Ideal product. One might think that the product set $S = \{xy \mid x \in I \text{ and } y \in J\}$ is also an ideal, just like the sum, but it is not, because it may not be closed under addition. For this reason, the product of two ideals I and J is defined as
$$IJ := \Big\{\sum_{i \in [r]} a_i b_i \;\Big|\; a_i \in I \text{ and } b_i \in J\Big\}.$$
It consists of all finite sums of products of two ideal elements.24 By grouping all finite sums of products, the set is closed under addition. Closure under multiplication by elements in $O_K$ can be easily checked. Since $O_K$ is commutative, ideal multiplication is commutative too.
Example C.2.3. Given the ring of integers $O_K = \mathbb{Z}$ and two of its ideals $I = 2\mathbb{Z} = \{2, 4, 6, 8, \ldots\}$ and $J = 3\mathbb{Z} = \{3, 6, 9, 12, \ldots\}$, their ideal product is $IJ = \{2 \cdot 3,\ 2 \cdot 6,\ 2 \cdot 3 + 2 \cdot 6,\ \ldots\}$.
23 It can be proved that I + J and (I ∪ J) are equivalent.
24 Again, it can be proved that IJ and (IJ) are equivalent.
Having defined ideal multiplication, it is natural to also define ideal division, given that, by definition, the ideals of $O_K$ do not include the zero ideal.
Definition C.2.4 (Ideal division). Let I and J be two ideals of $O_K$. We say J divides I, denoted $J \mid I$, if there is an ideal $M \subseteq O_K$ such that I = JM.
The following theorem gives a more intuitive way of thinking about ideal division by relating division with containment.
Theorem C.2.5 (Divisibility ⟺ containment). Let I and J be two ideals of $O_K$. Then $J \mid I$ if and only if $I \subseteq J$.
Divisibility implies containment, because if $J \mid I$ then $I = JM \subseteq J$, so $I \subseteq J$. The converse may not be true in general, but it is certainly true when the ideals are in the ring of integers. Next, we define prime ideals in $O_K$, in the same way as prime ideals are defined in rings.
Definition C.2.6 (Prime ideal). An ideal I of $O_K$ is prime if
1. $I \neq O_K$ and
2. if $xy \in I$, then either $x \in I$ or $y \in I$.
The next lemma gives an equivalent definition of prime ideals in terms of other ideals in OK .
Lemma C.2.7. An ideal I of OK is prime if and only if for ideals J and K of OK , whenever JK ⊆ I,
either J ⊆ I or K ⊆ I.
By the equivalence between division and containment, a prime ideal I can be more intuitively defined as a proper ideal such that whenever $I \mid JK$, either $I \mid J$ or $I \mid K$. This is consistent with how prime numbers are defined in $\mathbb{Z}$.
An important observation is that in $O_K$, prime ideals are also maximal. So we do not introduce maximal ideals separately. Recall that a maximal ideal in a ring is an ideal that is contained in exactly two ideals, i.e., itself and the entire ring.
Lemma C.2.8 (Prime is maximal). In $O_K$, all prime ideals are maximal.
The proof relies on the results that a commutative ring quotiented by a prime ideal gives an integral domain, and quotiented by a maximal ideal gives a field.
Proof. If I is a prime ideal of $O_K$, then $O_K/I$ is an integral domain. In addition, this integral domain is finite. This implies that every non-zero x in the integral domain satisfies $x^n = 1$ for some n, so $x \cdot x^{n-1} = 1$. Hence, every non-zero element in the integral domain has an inverse, which means the quotient ring $O_K/I$ is a field. Therefore, I is maximal.
An important property of the ideals of $O_K$ is that they can be uniquely factorized into irreducible factors, in this case prime ideals. This is one of the main theorems in a course on Algebraic Number Theory. Note that it is not always true that $O_K$ is a unique factorization domain. As we have seen, a counterexample is $K = \mathbb{Q}(\sqrt{-5})$ with $O_K = \mathbb{Z}[\sqrt{-5}]$, in which $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$.25
Theorem C.2.9 (Ideals($O_K$) is a UFD). For an algebraic number field K, every non-zero proper ideal I of $O_K$ admits a unique factorization
$$I = P_1 \cdots P_k$$
into prime ideals $P_i$ of $O_K$.
will then refine this definition in a number field. Let R be an integral domain, and recall that a field of fractions of R is
$$\mathrm{Frac}(R) = \{(p, q) \in R \times (R \setminus \{0\}) \mid (p, q) \sim (r, s) \iff ps = qr\}.$$
It is clear that Frac(R) is an R-module and it contains R. Given an R-module M, recall that a submodule N of M is a subgroup of M that is closed under scalar multiplication by elements in R, that is, $ar \in N$ for any $a \in N$ and any $r \in R$. Now, we can define a fractional ideal of an integral domain.
Definition C.2.10 (Fractional ideal). Let R be an integral domain and Q = Frac(R) be its field of fractions. A fractional ideal I of R is an R-submodule of Q such that there exists a non-zero element d ∈ R satisfying $dI \subseteq R$.
That I is an R-submodule of Q means that I is an (additive) subgroup of Q that is closed under multiplication by all elements in R. The existence of d ∈ R can be thought of as cancelling the denominator of I, which is also why d needs to be non-zero. Combined with I being a submodule, we get that $dI \subseteq R$ is an integral ideal. As we will explain later, a fractional ideal is neither an ideal of $O_K$ nor of K, so some prefer to call them "fractional ideals in K" while others refer to them as "fractional ideals of $O_K$". For simplicity, we sometimes refer to them just as fractional ideals without mentioning $O_K$ or K.
We further refine the definition for our purpose. In the context of a number field, $O_K$ is an integral domain and $K = \mathrm{Frac}(O_K)$ is its field of fractions. By the above definition, a fractional ideal $I$ is an $O_K$-submodule of $K$ such that there exists a non-zero element $d \in O_K$ satisfying $dI \subseteq O_K$. Alternatively, we can just say that $dI$ is an integral ideal, which implies it is closed under addition and under multiplication by the ring elements, which is equivalent to being a submodule.
Definition C.2.11. Let $K$ be a number field and $O_K$ its ring of integers. A fractional ideal $I$ of $O_K$ is a set such that $dI \subseteq O_K$ is an integral ideal for some non-zero $d \in O_K$.
Alternatively, given an integral ideal $J \subseteq O_K$ and an element $x \in K^\times$ (that is, an invertible element of $K$), the corresponding fractional ideal $I$ can be expressed as
$$I = x^{-1} J := \{x^{-1} a \mid a \in J\} \subseteq K.$$
From this expression it is clearer that the non-zero element $d$ in the above definitions cancels the denominator $x$ in this expression. Note that $x$ is taken in $K$ rather than $O_K$ because it needs to be invertible.
Since a non-zero integral ideal is a free $\mathbb{Z}$-module and a fractional ideal is related to an integral ideal by an invertible element, it follows that a fractional ideal is a free $\mathbb{Z}$-module too. So it has a $\mathbb{Z}$-basis.
Note that a fractional ideal is not an ideal of $R$ (unless it is contained in $R$), because it is not necessarily a subset of the integral domain $R$. For example, as we will see in the following example, $\frac{4}{5}\mathbb{Z} \not\subseteq O_K$ is a fractional ideal of $O_K$. Nor is it an ideal of the field of fractions $\mathrm{Frac}(R)$, because
Example C.2.14. In the number field $K = \mathbb{Q}$, let $P = (2) = 2\mathbb{Z}$ be a prime ideal in $O_K = \mathbb{Z}$. Then its inverse $P^{-1} = \frac{1}{2}\mathbb{Z}$ is a fractional ideal of $\mathbb{Z}$.
Since a fractional ideal and the corresponding integral ideal can be obtained from each other, we can express a fractional ideal as $I = yJ$ for an integral ideal $J$ and an invertible element $y = x^{-1}$. To prove that $I$ has an inverse $(yJ)^{-1}$, it suffices to show that the integral ideal $J$ has an inverse, because the principal ideal $(y)$ has the inverse $(1/y)$.
Lemma C.2.15. Every non-zero integral ideal of $O_K$ has an inverse.
Proof. We prove this by contradiction. Assume that not every non-zero integral ideal of $O_K$ has an inverse, and let $I$ be a maximal non-zero integral ideal of $O_K$ that has no inverse. Let $P$ be a prime ideal of $O_K$ with $I \subseteq P$. Multiplying both sides by $P^{-1}$, we get $I \subseteq P^{-1}I \subseteq P^{-1}P = O_K$. The key here is to show that $I \neq P^{-1}I$. Since $I$ is an integral ideal of $O_K$, the equality would hold if $P^{-1} \subseteq O_K$, because an ideal is closed under multiplication by ring elements. But we already know from the above lemma that the inverse of a prime ideal is a fractional ideal of $O_K$ that is not contained in the ring, so $O_K \subsetneq P^{-1}$. Hence the equality cannot hold; that is, we must have $I \subsetneq P^{-1}I \subseteq P^{-1}P = O_K$. Since $I$ is a maximal integral ideal of $O_K$ that does not have an inverse, the ideal $P^{-1}I$ must have an inverse $J$ such that $(P^{-1}I)J = O_K$, so $(P^{-1}J)I = O_K$ and $P^{-1}J$ is an inverse of $I$.
The two lemmas together prove that a fractional ideal has an inverse. See the proof of Theorem 3.1.8 on page 46 of William Stein's Algebraic Number Theory for more detail. To be more precise, the inverse of a fractional ideal $I$ has the form
$$I^{-1} = \{x \in K \mid xI \subseteq O_K\}. \quad (49)$$
Given fractional ideals $I$ and $J$, if $IJ = (x)$ is a principal fractional ideal$^{26}$, then the inverse of $I$ is $I^{-1} = \frac{1}{x} J$. It can be proved that this inverse is also a fractional ideal and that it is unique for the given fractional ideal $I$. See Conrad's lecture notes on "Ideal Factorization" (Definition 2.5, Theorem 2.7 and Theorem 4.1).
Theorem C.2.16. The set of fractional ideals of the ring of integers $O_K$ of a number field $K$ is an abelian group under multiplication with identity element $O_K$.
The same theorem is also stated as Theorem 8.3.4 in Alaca and Williams (2004). Since fractional ideals include integral ideals, these two theorems are identical.
Theorem C.2.17. Let $K$ be an algebraic number field and $O_K$ the ring of integers of $K$. Then the set of all non-zero integral and fractional ideals of $O_K$ forms an abelian group with resp
ect to multiplication.
Finally, we come to another important result of this section, which states that a fractional ideal can be uniquely factored into a product of prime ideals.
Theorem C.2.18. If $I$ is a fractional ideal of $O_K$ then there exist prime ideals $P_1, \ldots, P_n$ and $Q_1, \ldots, Q_m$, unique up to order, such that
$$I = (P_1 \cdots P_n)(Q_1 \cdots Q_m)^{-1}.$$
The theorem follows from the fact that a fractional ideal has the form $I = J/a$, where $J$ is an integral ideal and $a \in O_K$. Since both $J$ and $(a)$ are ideals of $O_K$, Theorem C.2.9 implies that they have unique prime ideal factorizations, so the theorem holds.
$^{26}$ Since both $I$ and $J$ are fractional ideals, their product is also a fractional ideal, which is not necessarily an integral ideal, so it is named a principal fractional ideal to differentiate it from a principal ideal.
In other words, two integral ideals are coprime if their sum is the entire ring of integers. For example, the integral ideals $(2)$ and $(3)$ in $\mathbb{Z}$ are coprime because $(2) + (3) = (1) = \mathbb{Z}$. But the integral ideals $(2)$ and $(4)$ are not coprime because $(2) + (4) = (2) \neq \mathbb{Z}$.
Now that we have defined coprime ideals in $O_K$, we can state the Chinese Remainder Theorem in Dedekind domains.
Theorem C.2.22. Let $D$ be a Dedekind domain.
1. Let $P_1, \ldots, P_k$ be distinct prime ideals in $D$ and $b_1, \ldots, b_k$ be positive integers. Let $\alpha_1, \ldots, \alpha_k$ be elements of $D$. Then there exists an $\alpha \in D$ such that for all $i \in [1, k]$, $\alpha = \alpha_i \bmod P_i^{b_i}$.
2. Let $I_1, \ldots, I_k$ be pairwise coprime ideals of $D$ and $\alpha_1, \ldots, \alpha_k$ be elements of $D$. Then there exists an $\alpha \in D$ such that for all $i \in [1, k]$, $\alpha = \alpha_i \bmod I_i$.
Another way of stating the second point above, similar to the CRT in rings, is the next theorem.
Theorem C.2.23. Let $I_1, \ldots, I_k$ be pairwise coprime ideals in a Dedekind domain $D$ and $I = \prod_{i=1}^k I_i$. Then the map
$$D \to D/I_1 \times \cdots \times D/I_k$$
induces an isomorphism
$$D/I \cong D/I_1 \times \cdots \times D/I_k.$$
To prove the CRT in $O_K$, first prove that the map is surjective. Then prove that the kernel of the map is $I_1 \cap \cdots \cap I_k$, which can be shown to be identical to $\prod_{i=1}^k I_i$ under the assumption that the ideals are pairwise coprime. The result then follows from the First Isomorphism Theorem.
The connection of this subsection to the RLWE result lies in the following two lemmas. The first lemma shows that given two ideals $I, J \subseteq R$ of a Dedekind domain $R$ (i.e., a ring of integers $O_K$ of a number field $K$), it is possible to construct another ideal that is coprime to either one of them.
Lemma C.2.24. If $I$ and $J$ are non-zero integral ideals of a Dedekind domain $R$, then there exists an element $a \in I$ such that $(a)I^{-1} \subseteq R$ is an integral ideal coprime to $J$.
Proof. Since $a \in I$, the principal ideal $(a) \subseteq I$. By Theorem C.2.5, we have $I \mid (a)$, that is, there is an ideal $M \subseteq R$ such that $IM = (a)$, so $M = (a)I^{-1} \subseteq R$ is an ideal of $R$. We skip the proof of coprimality; see Lemma 5.5.2 of Stein (2012).
The element $a \in I$ can be computed efficiently using the CRT in $O_K$. Hence, given two ideals in $R$, we can efficiently construct another one that is coprime to either one of them. This corresponds to Lemma 2.14 of Lyubashevsky et al. (2010). The next lemma is essential in the reduction from the $K$-BDD problem to RLWE.
Lemma C.2.25. Let $I$ and $J$ be ideals in a Dedekind domain $R$ and $M$ be a fractional ideal in the number field $K$. Then there is an isomorphism
$$M/JM \cong IM/IJM.$$
is injective.
Second, show that the map is surjective. That is, for any $v \in IM$, its reduction $v \bmod IJM$ has a preimage in $M/JM$. Since $tI^{-1}$ and $J$ are coprime, by the CRT we can compute an element $c \in tI^{-1}$ such that $c = 1 \bmod J$. Let $a = cv \in tM$; then $a - v = cv - v = v(c - 1) \in IJM$. Let $w = a/t \in M$; then $\theta_t(w) = t(a/t) = a = v \bmod IJM$. Hence, for an arbitrary element $v \in IM$, the preimage of $v \bmod IJM$ is $w \bmod JM$.
In the hardness proof of RLWE, as will be shown in the next section, we let $M = R$ or $M = I^\vee = I^{-1}R^\vee$ and $J = (q)$ for a prime integer $q$; then the isomorphism becomes
$$R/(q)R \cong I/(q)I \quad \text{or} \quad I^\vee/(q)I^\vee \cong R^\vee/(q)R^\vee.$$
As we have built a connection between a number field and a Euclidean space, we can relate more features of a Euclidean space to those of a number field. In this subsection, we introduce two quantities, trace and norm, of elements in a number field. These quantities are useful for calculating the discriminant and determinant of elements in a number field. Recall that for a linear transformation $\phi : V \to V$ from a vector space $V$ to itself, we can write $\phi$ in its matrix representation $[\phi]$ by applying $\phi$ to a basis of $V$. That is, for each $e_j \in \{e_i\}_{i \in [n]}$ in a basis of $V$, $\phi(e_j) = \sum_{i \in [n]} a_{ij} e_i$ is a linear combination of the basis, so $[\phi] = (a_{ij})$ is the coefficient matrix. With this matrix representation of the linear map, we can define its trace and determinant as in linear algebra.
Example C.3.1. Let $\phi : \mathbb{C} \to \mathbb{C}$ be complex conjugation. Take the basis $\{1, i\}$ for the complex space $\mathbb{C}$. Applying complex conjugation to this basis, we get
$$\phi(1) = 1 + 0 \cdot i, \qquad \phi(i) = 0 \cdot 1 + (-1) \cdot i.$$
So the matrix representation of complex conjugation is $[\phi] = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$. Each column $j$ consists of the coefficients of $\phi(e_j)$.
Since a number field K is a Q-vector space, we can speak of linear transformations on K too. For
any element α ∈ K, we can define a map mα (x) = αx as a multiplication by α for all x ∈ K. It is
easy to see that mα is also a linear map from K to itself, so there is a matrix representation of this linear
map mα .
Example C.3.2. Let $K = \mathbb{Q}(\sqrt{2})$ be a number field with basis $\{1, \sqrt{2}\}$. For $a, b \in \mathbb{Q}$, we have an element $\alpha = a + b\sqrt{2} \in K$ and its associated linear map $m_\alpha$. Applying this map to the basis of $K$, we get
$$m_\alpha(1) = a \cdot 1 + b \cdot \sqrt{2}, \qquad m_\alpha(\sqrt{2}) = 2b \cdot 1 + a \cdot \sqrt{2}.$$
So the matrix representation of the linear map is $[m_\alpha] = \begin{pmatrix} a & 2b \\ b & a \end{pmatrix}$.
Now, we can define the trace and norm on a number field, which will appear in the RLWE problem.
Definition C.3.3. The trace and norm of an element $\alpha$ in a number field $K$ are defined as
$$\mathrm{Tr}_{K/\mathbb{Q}} : K \to \mathbb{Q}, \quad \mathrm{Tr}_{K/\mathbb{Q}}(\alpha) = \mathrm{Tr}([m_\alpha]) \in \mathbb{Q},$$
$$N_{K/\mathbb{Q}} : K \to \mathbb{Q}, \quad N_{K/\mathbb{Q}}(\alpha) = \det([m_\alpha]) \in \mathbb{Q}.$$
Example C.3.4. In the above example, the trace and norm of $\alpha$ are the trace and determinant of the matrix representation of $m_\alpha$, i.e., $2a$ and $a^2 - 2b^2$, respectively.
It is also possible to define trace and norm using the canonical embedding that was introduced in the previous section. This is due to the following theorem, which states a connection between these two quantities and the automorphisms in the Galois group of a general field extension.
Theorem C.3.5. If $E/F$ is a finite Galois extension, then the trace and norm of an element $\alpha \in E$ are
$$\mathrm{Tr}_{E/F}(\alpha) = \sum_{\sigma \in \mathrm{Gal}(E/F)} \sigma(\alpha), \qquad N_{E/F}(\alpha) = \prod_{\sigma \in \mathrm{Gal}(E/F)} \sigma(\alpha).$$
The intuition is that when the extension field $E$ is Galois, each $\sigma(\alpha)$ for $\sigma$ in the Galois group is an eigenvalue of the linear transformation $m_\alpha$. Recall from linear algebra that the trace and determinant of a square matrix are the sum and product of its eigenvalues, respectively. The connection with the canonical embedding is due to the following two observations:
This gives rise to the following definitions of the trace and norm of an element in a number field in terms of the canonical embedding, which appear in some books too.
Definition C.3.6. Given the canonical embedding of a number field $K$
$$\sigma : K \to \mathbb{R}^{s_1} \times \mathbb{C}^{2s_2}, \qquad \alpha \mapsto (\sigma_1(\alpha), \ldots, \sigma_n(\alpha)),$$
the trace and norm of an element $\alpha \in K$ are defined as
$$\mathrm{Tr}_{K/\mathbb{Q}} : K \to \mathbb{Q}, \quad \mathrm{Tr}_{K/\mathbb{Q}}(\alpha) = \sum_{i \in [n]} \sigma_i(\alpha),$$
$$N_{K/\mathbb{Q}} : K \to \mathbb{Q}, \quad N_{K/\mathbb{Q}}(\alpha) = \prod_{i \in [n]} \sigma_i(\alpha).$$
Example C.3.7. In the same example where $K = \mathbb{Q}(\sqrt{2})$ and $\alpha = a + b\sqrt{2}$, the minimal polynomial of $\alpha$ over $\mathbb{Q}$ is $f(x) = \left(\frac{x - a}{b}\right)^2 - 2$, which has the two roots $a \pm b\sqrt{2}$. So the canonical embedding $\sigma$ of $K$ maps $\alpha$ to each of these two roots. Hence, the trace of $\alpha$ is $\mathrm{Tr}(\alpha) = (a + b\sqrt{2}) + (a - b\sqrt{2}) = 2a$ and the norm is $N(\alpha) = (a + b\sqrt{2})(a - b\sqrt{2}) = a^2 - 2b^2$, which are consistent with the results in the above example.
Both definitions imply that the trace is additive and the norm is multiplicative, that is, $\mathrm{Tr}(x + y) = \mathrm{Tr}(x) + \mathrm{Tr}(y)$ and $N(xy) = N(x)N(y)$. In addition, Definition C.3.6 entails that
$$\mathrm{Tr}(xy) = \sum_{i} \sigma_i(xy) = \sum_{i} \sigma_i(x)\sigma_i(y) = \langle \sigma(x), \sigma(y) \rangle. \quad (50)$$
The second equality is due to the fact that each $\sigma_i$ is a homomorphism. The last equality is by definition of the inner product between complex vectors.
To start off this section, we state below some results in order to give some insight into the motivation for studying how the ring of integers and its ideals are embedded in $\mathbb{R}^n$.
Proposition C.4.1. Let $K$ be a number field and $I$ be an integral ideal of $O_K$. Then there is some element $x \in I$ such that $|N_{K/\mathbb{Q}}(x)| \leq M_K N(I)$.
Here, $M_K$ is the Minkowski constant defined as $M_K = \left(\frac{4}{\pi}\right)^{r_2} \frac{n!}{n^n} \sqrt{|\Delta_K|}$, where $n$ is the degree of $K$ and also the number of embeddings of $K$, with $n = r_1 + 2r_2$ for $r_1$ real embeddings and $r_2$ pairs of complex embeddings. $\Delta_K$ is the discriminant of the number field $K$, which will be introduced later.
Theorem C.4.2 (Minkowski's first theorem). Let $L$ be an $n$-dimensional lattice and $B \subseteq \mathbb{R}^n$ be a centrally symmetric, compact, convex body. Suppose $\mathrm{Vol}(B) \geq 2^n \det(L)$; then $B$ contains a non-zero lattice vector of $L$.
The proof of Proposition C.4.1 uses results from lattice theory, in particular Theorem C.4.2. Given that the canonical embedding $\sigma$ maps $K$ to a space isomorphic to $\mathbb{R}^n$, the first step is to prove that $O_K$ is associated with a lattice in $\mathbb{R}^n$, and so are the ideals of $O_K$. It is then left to prove that the lattice associated with an ideal intersects a bounded convex body in $\mathbb{R}^n$ by Theorem C.4.2, provided certain parameter conditions are satisfied. The first step is our focus in this section, so we do not discuss the second step.
Recall that the canonical embedding $\sigma : K \to H \cong \mathbb{R}^n$ gives rise to another embedding $\tau : K \to V \cong \mathbb{R}^n$ as defined in Equation 48, which maps the ring of integers $O_K$ to a full-rank lattice as stated in Theorem C.1.11. This implies that the embedding $\tau$ maps a fractional (integral) ideal of $O_K$ to a full-rank lattice too.$^{28}$ We give such a lattice a name.
Definition C.4.3. The embedding $\tau : K \to V$ maps a fractional ideal of the ring of integers $O_K$ to a full-rank lattice, called an ideal lattice.
For the interest of building lattice-based cryptosystems, we study ideal lattices and their determi-
nants. But for a general case, we state the next theorem.
Theorem C.4.4. Let $\tau : K \to V$ be the embedding of the $n$-dimensional number field $K$ as defined in Equation 48. Then $\tau(O_K)$ is a full-rank ideal lattice in $\mathbb{R}^n$ and its determinant satisfies
$$\det(\tau(O_K)) = \frac{1}{2^{r_2}} \sqrt{|\Delta_K|}.$$
Since we have proved in Theorem C.1.11 that $\tau(O_K)$ is a full-rank lattice in $\mathbb{R}^n$, it remains to compute its determinant. There are two new quantities in the theorem that have not been introduced: the discriminant $\Delta_K$ of the number field $K$ and the norm $N(I)$ of an ideal $I \subseteq O_K$. So we delay the proof till the end of this subsection.
Recall from Section 4 that an $n$-dimensional lattice $L$ is similar to the vector space $\mathbb{R}^n$ but with only discrete vectors. It is isomorphic to the group $(\mathbb{Z}^n, +)$. It shares many properties with $\mathbb{R}^n$, such as having a basis $\{v_1, \ldots, v_n\}$. The determinant of a lattice is the volume of the fundamental domain spanned by its basis. This gives rise to the following equality
$$\det(L) = \mathrm{Vol}(F) = |\det(B)|,$$
where $F$ is the fundamental domain and $B$ is a basis matrix of $L$. A useful observation is that the determinant is invariant under the choice of basis, because any two bases of $L$ are related by a unimodular matrix.
Let $K$ be an algebraic number field of degree $n$ and $\sigma_i : K \to \mathbb{C}$ be a field homomorphism for each $i \in [n]$. For elements $x_1, \ldots, x_n \in K$, define the $n \times n$ matrix $M$ by $M_{ij} = \sigma_i(x_j)$, that is,
$$M = \begin{pmatrix} \sigma_1(x_1) & \sigma_1(x_2) & \cdots & \sigma_1(x_n) \\ \sigma_2(x_1) & \sigma_2(x_2) & \cdots & \sigma_2(x_n) \\ \vdots & \vdots & & \vdots \\ \sigma_n(x_1) & \sigma_n(x_2) & \cdots & \sigma_n(x_n) \end{pmatrix}.$$
It can be proved that the matrix is always non-singular if the elements $\{x_1, \ldots, x_n\}$ form a basis of $K$ over $\mathbb{Q}$ (Lemma 1.7.1 of Ben Green's Algebraic Number Theory). Without loss of generality, assume $M = M(e_1, \ldots, e_n)$ for a basis $\{e_1, \ldots, e_n\}$ of an $n$-dimensional number field $K$.
Definition C.4.5. Let $K$ be an $n$-dimensional number field with a basis $\{e_1, \ldots, e_n\}$ and $M$ be the matrix defined above. The discriminant of the elements is
$$\mathrm{disc}_{K/\mathbb{Q}}(e_1, \ldots, e_n) = \det(M)^2.$$
$^{28}$ See Corollary 10.6.2 of Ben Green's book Algebraic Number Theory or Lemma 7.1.8 of Stein (2012).
From the previous section, we know that the trace of an element is a rational number, so the discriminant is also a rational number. Note that although it is defined as the square of a matrix determinant, the discriminant can be negative, as complex numbers are involved. From the discriminant of basis elements and an integral basis of a number field $K$, we can define the discriminant of $K$.
Definition C.4.7. Let $K$ be an $n$-dimensional number field and $\{e_1, \ldots, e_n\}$ be an integral basis of $K$. The discriminant of the number field $K$ is
$$\Delta_K = \mathrm{disc}_{K/\mathbb{Q}}(e_1, \ldots, e_n) = \det\big(\mathrm{Tr}_{K/\mathbb{Q}}(e_i e_j)\big)_{ij} = \det(M)^2.$$
Loosely speaking, the discriminant measures the size of the ring of integers $O_K$ in the number field $K$, and it is invariant under the choice of integral basis, just like the determinant of a lattice. This can be seen from the following lemma and corollary.
Lemma C.4.8. Suppose $x_1, \ldots, x_n, y_1, \ldots, y_n \in K$ are elements of the number field related by a transformation matrix $A$; then
$$\mathrm{disc}_{K/\mathbb{Q}}(x_1, \ldots, x_n) = \det(A)^2 \, \mathrm{disc}_{K/\mathbb{Q}}(y_1, \ldots, y_n).$$
Corollary C.4.9. Suppose $\{e_1, \ldots, e_n\}$ and $\{e'_1, \ldots, e'_n\}$ are both integral bases of the number field $K$; then
$$\mathrm{disc}_{K/\mathbb{Q}}(e_1, \ldots, e_n) = \mathrm{disc}_{K/\mathbb{Q}}(e'_1, \ldots, e'_n).$$
From Theorem C.4.4, it can be seen that the (absolute) discriminant of a number field measures the
geometric sparsity of its ring of integers, because the larger the discriminant, the larger the size of the
fundamental region, hence the more sparse the ideal lattice.
Another quantity that appears in the theorem is the norm of an ideal. Recall that the index $|G : H|$ of a subgroup $H$ in $G$ is the number of cosets of $H$ in $G$. We define the norm of an ideal below and state its relation to the norm of an element in the following lemma (see Lemma 4.4.3 in Ben Green's book).
Definition C.4.10. Let $I$ be a non-zero ideal of $O_K$. The norm of $I$, denoted by $N(I)$ (or sometimes $(O_K : I)$), is the index of $I$ as a subgroup of $O_K$, i.e., $N(I) = |O_K/I|$.
Lemma C.4.11. Suppose I = (α) is a principal ideal of OK for some non-zero α ∈ OK . Then
N (I) = |NK/Q (α)|.
As for the norm of number field elements, the norm of ideals is also multiplicative, that is, $N(IJ) = N(I)N(J)$. In addition, if $I$ is a fractional ideal of $O_K$, then its norm satisfies $N(I) = N(dI)/|N(d)|$, where $d \in O_K$ is an element that makes $dI \subseteq O_K$ an integral ideal.
Sketch proof of Theorem C.4.4. To compute the determinant of the lattice $\tau(O_K)$, we know from the proof of Theorem C.1.11 that $\{\tau(e_1), \ldots, \tau(e_n)\}$ is a basis of the lattice and the basis matrix is
$$N^T = \begin{pmatrix} \sigma_1(e_1) & \cdots & \sigma_{r_1}(e_1) & \mathrm{Re}(\sigma_{r_1+1}(e_1)) & \mathrm{Im}(\sigma_{r_1+1}(e_1)) & \cdots & \mathrm{Re}(\sigma_{r_1+r_2}(e_1)) & \mathrm{Im}(\sigma_{r_1+r_2}(e_1)) \\ \vdots & & \vdots & \vdots & \vdots & & \vdots & \vdots \\ \sigma_1(e_n) & \cdots & \sigma_{r_1}(e_n) & \mathrm{Re}(\sigma_{r_1+1}(e_n)) & \mathrm{Im}(\sigma_{r_1+1}(e_n)) & \cdots & \mathrm{Re}(\sigma_{r_1+r_2}(e_n)) & \mathrm{Im}(\sigma_{r_1+r_2}(e_n)) \end{pmatrix},$$
so $\det(\tau(O_K)) = |\det(N)|$. In addition, the canonical embedding $\sigma$ is associated with the matrix
$$M^T = \begin{pmatrix} \sigma_1(e_1) & \cdots & \sigma_{r_1}(e_1) & \sigma_{r_1+1}(e_1) & \overline{\sigma_{r_1+1}(e_1)} & \cdots & \sigma_{r_1+r_2}(e_1) & \overline{\sigma_{r_1+r_2}(e_1)} \\ \vdots & & \vdots & \vdots & \vdots & & \vdots & \vdots \\ \sigma_1(e_n) & \cdots & \sigma_{r_1}(e_n) & \sigma_{r_1+1}(e_n) & \overline{\sigma_{r_1+1}(e_n)} & \cdots & \sigma_{r_1+r_2}(e_n) & \overline{\sigma_{r_1+r_2}(e_n)} \end{pmatrix},$$
whose determinant satisfies $\Delta_K = \det(M)^2$. It can be seen that the columns in $N^T$ corresponding to the real (or imaginary) parts of the complex embeddings can be obtained from $M^T$ by adding (or subtracting) the complex conjugate columns. For example, expressing the matrices in column vector format, we get
$$N^T = \big(\ldots, \mathrm{Re}(\sigma_{r_1+1}(e_1)), \mathrm{Im}(\sigma_{r_1+1}(e_1)), \ldots\big) = \Big(\ldots, \tfrac{1}{2}\big(\sigma_{r_1+1}(e_1) + \overline{\sigma_{r_1+1}(e_1)}\big), \tfrac{1}{2i}\big(\sigma_{r_1+1}(e_1) - \overline{\sigma_{r_1+1}(e_1)}\big), \ldots\Big),$$
and the change of columns from the pair $\big(\sigma_{r_1+1}(e_1), \overline{\sigma_{r_1+1}(e_1)}\big)$ to this pair has determinant $-\tfrac{1}{2i}$. Applying the same operations to all $r_2$ pairs of columns, we get $\det(N) = \left(-\tfrac{1}{2i}\right)^{r_2} \det M$. Hence,
$$\det(\tau(O_K)) = |\det(N)| = \frac{1}{2^{r_2}} |\det M| = \frac{1}{2^{r_2}} \sqrt{|\Delta_K|}.$$
From Theorem C.4.4, it follows that the determinant of an ideal lattice is also related to the discriminant of the number field.
Corollary C.4.12. Let $I$ be an ideal of $O_K$. Then the ideal lattice $\tau(I)$ has determinant
$$\det(\tau(I)) = \frac{1}{2^{r_2}} N(I) \sqrt{|\Delta_K|}.$$
We have stated that $\tau(I)$ is a lattice in $\mathbb{R}^n$ called an ideal lattice. The same strategy can also be used to state the relationship between the associated matrix determinants $\det(N)$ and $\det(M)$. The only difference is that $\tau(I)$ is a sublattice of $\tau(O_K)$, so its determinant is larger than $\det(\tau(O_K))$. The scale factor is exactly the index of $I$ in $O_K$ as a subgroup, which is the norm of $I$ by Definition C.4.10 of the ideal norm.
For more detail of the proofs and intuitions in this subsection, the readers should refer to Conrad’s
lecture notes on “Different ideal”.
Definition C.5.1. A lattice in an $n$-dimensional number field $K$ is the $\mathbb{Z}$-span of a $\mathbb{Q}$-basis of $K$.
By the Primitive Element Theorem (Theorem C.1.2), $K$ always has a power basis, which is a $\mathbb{Q}$-basis. So the integer linear combinations of the $\mathbb{Q}$-basis form a lattice in $K$. For example, the ring of integers $O_K$ is a lattice in the number field $K$. Similar to lattices in general, number field lattices have duals too and share many of the same properties as general dual lattices, as we will see next. Unlike general lattices in $\mathbb{R}^n$, which are equipped with the dot product, the operator that comes with number field lattices is the trace as defined previously. More precisely, the dual lattice in a number field consists of the elements that have integer trace product with the given lattice, in the sense of Equation 50.
Definition C.5.2. Let $L$ be a lattice in a number field $K$. Its dual lattice is
$$L^\vee = \{x \in K \mid \mathrm{Tr}_{K/\mathbb{Q}}(xL) \subseteq \mathbb{Z}\}.$$
To check whether or not an element belongs to the dual, one can check its trace product with the
lattice basis. This also gives a way of writing out the dual of a given lattice.
Example C.5.3. Let $K = \mathbb{Q}(i)$ and the lattice $L = \mathbb{Z}[i]$. Let $B = \{1, i\}$ be a basis of $L$. To find the dual of $L$, take an element $a + bi \in K$, consider its trace product with the basis vectors in $B$ and check whether the trace products are integers. More precisely, we need to check the conditions under which
$$\mathrm{Tr}_{K/\mathbb{Q}}(a + bi) \in \mathbb{Z}, \qquad \mathrm{Tr}_{K/\mathbb{Q}}((a + bi)i) \in \mathbb{Z}.$$
Let $\alpha = a + bi$ and $\beta = (a + bi)i = -b + ai$. By Definition C.3.3 of the trace, we have $[m_\alpha] = \begin{pmatrix} a & -b \\ b & a \end{pmatrix}$ and $[m_\beta] = \begin{pmatrix} -b & -a \\ a & -b \end{pmatrix}$. For both traces to be integers, we must have $2a \in \mathbb{Z}$ and $-2b \in \mathbb{Z}$, so the dual lattice is $L^\vee = \frac{1}{2}\mathbb{Z}[i]$ and the basis of the dual is $B^\vee = \{\frac{1}{2}, \frac{i}{2}\}$.
From the example, it can be seen that the basis and the dual basis satisfy $\mathrm{Tr}(e_i e_j^\vee) = \delta_{ij}$. This gives rise to the following theorem, which states that the dual of a number field lattice is also a lattice.
Theorem C.5.4. For an $n$-dimensional number field $K$ and a lattice $L \subseteq K$ with a $\mathbb{Z}$-basis $\{e_1, \ldots, e_n\}$, the dual $L^\vee = \sum_{i} \mathbb{Z} e_i^\vee$ is a lattice with a dual basis $\{e_1^\vee, \ldots, e_n^\vee\}$ satisfying
$$\mathrm{Tr}_{K/\mathbb{Q}}(e_i e_j^\vee) = \delta_{ij},$$
where $\delta_{ij}$ is the Kronecker delta.
Dual lattices in number fields share similar properties with dual lattices in general. We state a few of them in the following corollary.
Corollary C.5.5. For lattices in a number field, the following hold:
1. $L^{\vee\vee} = L$,
2. $L_1 \subseteq L_2 \iff L_2^\vee \subseteq L_1^\vee$,
3. $(\alpha L)^\vee = \frac{1}{\alpha} L^\vee$, for an element $\alpha \in K^\times$.
The following theorem relates the dual lattice to differentiation and provides an easier way of computing the dual basis and dual lattice from a given lattice.
Theorem C.5.6. Let $K = \mathbb{Q}(\alpha)$ be an $n$-dimensional number field with a power basis $\{1, \alpha, \ldots, \alpha^{n-1}\}$ and $f(x) \in \mathbb{Q}[x]$ be the minimal polynomial of the element $\alpha$, which can be expressed as
$$f(x) = (x - \alpha)(c_0 + c_1 x + \cdots + c_{n-1} x^{n-1}).$$
Then the dual basis to the power basis relative to the trace product is
$$\left\{\frac{c_0}{f'(\alpha)}, \ldots, \frac{c_{n-1}}{f'(\alpha)}\right\}.$$
In particular, if $K = \mathbb{Q}(\alpha)$ and the primitive element $\alpha \in O_K$ is an algebraic integer, then the lattice $L = \mathbb{Z}[\alpha] = \mathbb{Z} + \cdots + \mathbb{Z}\alpha^{n-1}$ and its dual are related by the first derivative of the minimal polynomial, that is,
$$L^\vee = \frac{1}{f'(\alpha)} L.$$
Example C.5.7. Let us work through an example to illustrate both theorems. Let the number field be $K = \mathbb{Q}(\sqrt{d})$ and its lattice $L = \mathbb{Z}[\sqrt{d}]$. This is a 2-dimensional number field with the primitive element $\alpha = \sqrt{d}$ and the power basis $\{1, \sqrt{d}\}$. The minimal polynomial of $\alpha$ in $\mathbb{Q}[x]$ is $f(x) = x^2 - d$ with derivative $f'(x) = 2x$, so $f'(\alpha) = 2\sqrt{d}$. Moreover, the minimal polynomial can be written as $f(x) = (x - \sqrt{d})(x + \sqrt{d})$. By Theorem C.5.6, the dual basis is $\{\frac{1}{2}, \frac{1}{2\sqrt{d}}\}$. In addition, if $d \in \mathbb{Z}$ then $\alpha \in O_K$, so the dual lattice is $L^\vee = \frac{1}{2\sqrt{d}} L$. This is consistent with the dual basis obtained, because according to the dual basis,
$$L^\vee = \mathbb{Z}\tfrac{1}{2} + \mathbb{Z}\tfrac{1}{2\sqrt{d}} = \tfrac{1}{2\sqrt{d}}\left(\mathbb{Z} + \mathbb{Z}\sqrt{d}\right) = \tfrac{1}{2\sqrt{d}} L.$$
To confirm that the dual basis of $\{1, \sqrt{d}\}$ is $\{\frac{1}{2}, \frac{1}{2\sqrt{d}}\}$, we apply Theorem C.5.4 to check their trace products. We have
$$\mathrm{Tr}\left(1 \cdot \tfrac{1}{2}\right) = \mathrm{Tr}\left(\sqrt{d} \cdot \tfrac{1}{2\sqrt{d}}\right) = \mathrm{Tr}\left(\tfrac{1}{2}\right) = 1,$$
$$\mathrm{Tr}\left(1 \cdot \tfrac{1}{2\sqrt{d}}\right) = \mathrm{Tr}\left(\sqrt{d} \cdot \tfrac{1}{2}\right) = 0.$$
Example C.5.8. An important application of this theorem in our context is when the number field $K = \mathbb{Q}(\zeta_m)$ is the $m$th cyclotomic number field, where $m = 2n = 2^k > 1$. The ring of integers is then $L = O_K = \mathbb{Z}[\zeta_m]$. The minimal polynomial of $\zeta_m$ is $f(x) = x^n + 1$ with derivative $f'(x) = nx^{n-1}$. According to the theorem, we have
$$(\mathbb{Z}[\zeta_m])^\vee = \frac{1}{f'(\zeta_m)} \mathbb{Z}[\zeta_m] = \frac{1}{n\zeta_m^{n-1}} \mathbb{Z}[\zeta_m] = \frac{1}{n} \zeta_m^{n+1} \mathbb{Z}[\zeta_m] = \frac{1}{n} \mathbb{Z}[\zeta_m].$$
The second last equality holds because the roots of unity form a cyclic group of order $m = 2n$, hence $\zeta_m^{-(n-1)} = \zeta_m^{n+1} \in O_K$.
As a special lattice in $K$, the ring of integers $O_K$ has been studied further, and the following theorems offer some useful observations about its dual. By definition, the dual of $O_K$ is
$$O_K^\vee = \{x \in K \mid \mathrm{Tr}_{K/\mathbb{Q}}(xO_K) \subseteq \mathbb{Z}\}.$$
On the one hand, $O_K^\vee$ is at least as large as $O_K$. Each element in $O_K$ is an algebraic integer that has an integer trace$^{29}$, so $O_K \subseteq O_K^\vee$, which is the case $x = 1$ of the condition. On the other hand, $O_K^\vee$ is no larger than the set of elements in $K$ that have integer trace, as shown in the next theorem.
Theorem C.5.9. The dual lattice $O_K^\vee$ is the largest fractional ideal in $K$ whose elements have integer traces.
not necessarily within $O_K$, this inclusion makes $(O_K^\vee)^{-1}$ an integral ideal. Here, we give it a different name, the different ideal, and denote it by $D_K := (O_K^\vee)^{-1}$.$^{30}$ For example, let $K = \mathbb{Q}(i)$ and $O_K = \mathbb{Z}[i]$. The dual ideal is $O_K^\vee = \mathbb{Z}[i]^\vee = \frac{1}{2}\mathbb{Z}[i]$, so the different ideal is $D_K = \left(\frac{1}{2}\mathbb{Z}[i]\right)^{-1} = 2\mathbb{Z}[i]$.
The next theorem relates the different ideal to the derivative of the minimal polynomial. It can be proved easily by applying Theorem C.5.6.
Theorem C.5.11. Let $O_K = \mathbb{Z}[\alpha]$ be the ring of integers of a number field $K$ and $f(x) \in \mathbb{Z}[x]$ be the minimal polynomial of $\alpha$; then the different ideal is $D_K = (f'(\alpha))$.
As mentioned before, $O_K$ does not always have a power basis, so not every $O_K$ can be written as $\mathbb{Z}[\alpha]$. Let us look at the special case of the above example where $O_K = \mathbb{Z}[i]$: the minimal polynomial of $\alpha = i$ is $f(x) = x^2 + 1$ and its derivative at $\alpha$ is $f'(\alpha) = 2i$. Hence the different ideal $D_K = (2i)$ is a principal ideal of $O_K$, so $D_K = 2i \cdot \mathbb{Z}[i] = 2\mathbb{Z}[i]$. The example can be generalized to some special cyclotomic fields, in which there is an explicit relation between the different ideal and the ring of integers. It can be proved easily using the above theorem.
Lemma C.5.12. For $m = 2n = 2^k \geq 2$ a power of 2, let $K = \mathbb{Q}(\zeta_m)$ be the $m$th cyclotomic number field and $O_K = \mathbb{Z}[\zeta_m]$ be its ring of integers. The different ideal satisfies $D_K = nO_K$.
This lemma plays an important role in RLWE in the special case where the number field is an $m$th cyclotomic field. It implies that the ring of integers and its dual are equivalent up to a scaling factor, $n^{-1}O_K = O_K^\vee$. Hence, the secret polynomial $s$ and the random polynomial $a$ can both be sampled from the same domain $R_q$, unlike in the general context where the preference is to leave $s \in R_q^\vee$ in the dual.
To finish off this subsection, we state the relation between the norm of the different ideal and the
discriminant of the number field. See Theorem 4.6 in Conrad’s lecture notes on “different ideal”.
$^{29}$ This can be verified by taking the power basis $\{1, r, \ldots, r^{n-1}\}$ of $K$, which is also a $\mathbb{Z}$-basis of $O_K$. An element $x \in O_K$ can be written as $x = c_0 + c_1 r + \cdots + c_{n-1} r^{n-1}$. By definition, only $\mathrm{Tr}(c_0) \in \mathbb{Z}$ and the rest are 0.
$^{30}$ To be clear: some refer to $D_K$ as the different ideal of $K$, and the notation suggests it too. But $K$ is a field, which has exactly two ideals, the zero ideal and itself, so $D_K$ is not an ideal of $K$ but of $O_K$.
Theorem C.5.13. For a number field $K$, its discriminant $\Delta_K$ and different ideal $D_K$ satisfy $N(D_K) = |\Delta_K|$.
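As an added worked example (not code from the tutorial), the following Python computes the quantities of this appendix exactly with rational arithmetic: the trace and norm from the multiplication matrix $[m_\alpha]$ of Definition C.3.3, the discriminant as $\det(\mathrm{Tr}(e_i e_j))$ of Definition C.4.7, the dual basis of $\mathbb{Z}[\alpha]$ via the inverse of that trace matrix as in Theorem C.5.4, and $|N(f'(\alpha))|$ for the different ideal of Theorems C.5.11 and C.5.13. It checks Example C.3.4, Example C.5.3, Example C.5.7 with $d = 2$ and the power-of-2 cyclotomic case $\mathbb{Z}[\zeta_8]^\vee = \frac{1}{4}\mathbb{Z}[\zeta_8]$ of Example C.5.8 and Lemma C.5.12; all function names and the sample polynomials are this example's own choices, and it assumes the power basis is an integral basis, which holds for the three fields used.

```python
"""Exact arithmetic in K = Q[x]/(f) on the power basis {1, alpha, ..., alpha^(n-1)}. Added
example, not the tutorial's code: f is monic (constant term first), elements are coefficient
vectors of length n = deg f, and all function names are this example's own."""
from fractions import Fraction

def mul_mod(a, b, f):
    """Product of coefficient vectors a, b reduced modulo the monic polynomial f."""
    n = len(f) - 1
    prod = [Fraction(0)] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += Fraction(ai) * bj
    # Reduce x^d for d >= n using x^n = -(f_0 + f_1 x + ... + f_(n-1) x^(n-1)).
    for d in range(2 * n - 2, n - 1, -1):
        c, prod[d] = prod[d], Fraction(0)
        for k in range(n):
            prod[d - n + k] -= c * f[k]
    return prod[:n]

def mult_matrix(alpha, f):
    """[m_alpha] of Definition C.3.3: column j holds the coefficients of alpha * alpha^j."""
    n = len(f) - 1
    cols = [mul_mod(alpha, [int(i == j) for i in range(n)], f) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def det(M):
    """Determinant by exact Gaussian elimination over Q (0 for a singular matrix)."""
    A = [[Fraction(v) for v in row] for row in M]
    n, d = len(A), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:  # a row swap flips the sign of the determinant
            A[c], A[p], d = A[p], A[c], -d
        d *= A[c][c]
        for r in range(c + 1, n):
            A[r] = [vr - A[r][c] / A[c][c] * vc for vr, vc in zip(A[r], A[c])]
    return d

def inverse(M):
    """Inverse by Gauss-Jordan elimination on [M | I]; M must be non-singular."""
    n = len(M)
    A = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        A[c] = [v / A[c][c] for v in A[c]]
        for r in range(n):
            if r != c:
                A[r] = [vr - A[r][c] * vc for vr, vc in zip(A[r], A[c])]
    return [row[n:] for row in A]

def trace(alpha, f):
    """Tr_{K/Q}(alpha) = trace of [m_alpha]."""
    M = mult_matrix(alpha, f)
    return sum(M[i][i] for i in range(len(M)))

def norm(alpha, f):
    """N_{K/Q}(alpha) = det([m_alpha])."""
    return det(mult_matrix(alpha, f))

def gram(f):
    """Trace form G_ij = Tr(e_i e_j) on the power basis e_i = alpha^i."""
    n = len(f) - 1
    e = [[int(i == j) for i in range(n)] for j in range(n)]
    return [[trace(mul_mod(e[i], e[j], f), f) for j in range(n)] for i in range(n)]

def discriminant(f):
    """det(Tr(e_i e_j)) of Definition C.4.7; equals Delta_K when Z[alpha] = O_K."""
    return det(gram(f))

def dual_basis(f):
    """e_j^dual as coefficient vectors: column j of G^(-1), so Tr(e_i e_j^dual) = delta_ij."""
    Ginv = inverse(gram(f))
    return [[Ginv[i][j] for i in range(len(Ginv))] for j in range(len(Ginv))]

def dual_is_scaling(f, scale):
    """True iff Z[alpha]^dual = (1/scale) Z[alpha], i.e. scale * (dual basis) is an
    integer matrix with determinant +-1 (a unimodular change of basis of Z[alpha])."""
    T = [[scale * v for v in row] for row in dual_basis(f)]
    return all(v.denominator == 1 for row in T for v in row) and abs(det(T)) == 1

def different_norm(f):
    """|N(f'(alpha))|, the norm of D_K = (f'(alpha)) when O_K = Z[alpha] (Theorem C.5.11)."""
    n = len(f) - 1
    fprime = [Fraction(k) * f[k] for k in range(1, n + 1)]  # degree n-1: already reduced
    return abs(norm(fprime, f))

if __name__ == "__main__":
    F_SQRT2 = [-2, 0, 1]       # x^2 - 2: K = Q(sqrt 2), Examples C.3.2 and C.5.7 with d = 2
    F_I = [1, 0, 1]            # x^2 + 1: K = Q(i), Example C.5.3
    F_ZETA8 = [1, 0, 0, 0, 1]  # x^4 + 1: K = Q(zeta_8), Example C.5.8 with n = 4
    print(trace([3, 5], F_SQRT2), norm([3, 5], F_SQRT2))   # 6 and -41: 2a and a^2 - 2b^2
    print(discriminant(F_ZETA8), different_norm(F_ZETA8))  # 256 and 256 (Theorem C.5.13)
    print(dual_basis(F_SQRT2))  # Fractions 1/2, 0 and 0, 1/4: {1/2, sqrt2/4} = {1/2, 1/(2 sqrt2)}
    # Z[i]^dual = (1/2)Z[i] and Z[zeta_8]^dual = (1/4)Z[zeta_8] are rational scalings of the
    # ring; Z[sqrt2]^dual = (1/(2 sqrt2)) Z[sqrt2] is not: prints True True False.
    print(dual_is_scaling(F_I, 2), dual_is_scaling(F_ZETA8, 4), dual_is_scaling(F_SQRT2, 4))
```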
D Mind Maps
D.1 A mindmap for RLWE
[Mind map figure; only the node labels survive extraction.] Central node: $\mathbb{Z}[x]/(\Phi_m(x)) \cong \mathbb{Z}(\zeta_m) = O_{\mathbb{Q}(\zeta_m)}$. Surrounding nodes: Cyclotomics & their Galois Groups; Canonical Embedding; Ideal Norms and Geometric Quantities [1,3]; $m$-th Cyclotomic Polynomials for $m = 2^k = 2n$ [1,4]; Efficient Polynomial Multiplication [2]; Automorphisms & Permutations of Polynomial Coeffs [4]; Ideal Lattices from Fractional Ideals [1].
E Notation
We list here the key symbols and notations used in the tutorial.
Symbol | Meaning
Z | Integers
Q | Rational numbers
F_q for prime number q | Z/qZ = {0, 1, 2, ..., q − 1}
Z[x] | Polynomials where the coefficients are integers
F[x] | Polynomials where the coefficients take on values in F
F_q[x] | Polynomials where the coefficients take on values in F_q
Z[α] | the ring obtained by adjoining α to Z
Q(α) | the smallest extension field of Q that contains α
F[a] for a field F | the set {f(a) : f(x) ∈ F[x]}
F(a) for a field F | the smallest extension field of F that contains a
(a) for a in ring R | the ideal {ar : r ∈ R}
(a_1, ..., a_n) for a_i in ring R | the ideal {r_1 a_1 + ... + r_n a_n : r_i ∈ R}
R/I for a ring R and an ideal I | the quotient ring of R by I, which is the set of cosets of I in R
Z_n^* | multiplicative group modulo n; i.e. the set of all (multiplicatively) invertible elements in Z_n; or equivalently {k : k ∈ {0, 1, ..., n − 1}, gcd(n, k) = 1}
(Z/nZ)^* | same as Z_n^*
E/F for fields E and F | a field extension, where F (the subfield) is contained in E (the extension field)
ζ_n | the n-th root of unity
Φ_n(x) | the n-th cyclotomic polynomial
ϕ(n) | Euler's totient function
⌊x⌉ | rounding to the integer nearest to x
[n] | {1, 2, ..., n}
a = b mod q | a and b are congruent modulo q
Z_q | sometimes refers to the range [−q/2, q/2) ∩ Z
[x]_q | the reduction of x to the integer in [−q/2, q/2) s.t. [x]_q = x mod q
Table 3: List of key symbols
References
M. Ajtai. Generating hard instances of lattice problems. In Proceedings of the 28th Annual ACM Symposium on Theory of Computing, pages 99–108, 1996.
M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In J. S. Vitter, P. G. Spirakis, and M. Yannakakis, editors, Proceedings on 33rd Annual ACM Symposium on Theory of Computing, July 6-8, 2001, Heraklion, Crete, Greece, pages 601–610. ACM, 2001.
Ş. Alaca and K. S. Williams. Introductory Algebraic Number Theory. Cambridge University Press, Cambridge, 2004.
M. Albrecht, M. Chase, H. Chen, J. Ding, S. Goldwasser, S. Gorbunov, S. Halevi, J. Hoffstein, K. Laine, K. Lauter, S. Lokam, D. Micciancio, D. Moody, T. Morrison, A. Sahai, and V. Vaikuntanathan. Homomorphic encryption security standard. Technical report, HomomorphicEncryption.org, Toronto, Canada, November 2018.
L. Alcock. How to Think About Abstract Algebra. Oxford University Press, 2021.
S. Arora and B. Barak. Computational Complexity: A Modern Approach. Cambridge University Press, 2009.
M. Artin. Algebra. Prentice Hall, 1991.
L. J. Aslett, P. M. Esperança, and C. C. Holmes. A review of homomorphic encryption and software tools for encrypted statistical machine learning. arXiv preprint arXiv:1508.06574, 2015.
L. Babai. On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986.
D. J. Bernstein, J. Buchmann, and E. Dahmen. Post-Quantum Cryptography. Springer, 2009.
Z. Brakerski. Fully homomorphic encryption without modulus switching from classical GapSVP. In Annual Cryptology Conference, pages 868–886. Springer, 2012.
Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. SIAM Journal on Computing, 43(2):831–871, 2014.
Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT), 6(3):1–36, 2014.
J.-Y. Cai and A. P. Nerurkar. An improved worst-case to average-case connection for lattice problems. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages 468–477. IEEE, 1997.
H. Chen, K. Laine, and P. Rindal. Fast private set intersection from homomorphic encryption. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 1243–1255, 2017.
D. P. Chi, J. W. Choi, J. S. Kim, and T. Kim. Lattice based cryptography for beginners. IACR Cryptol. ePrint Arch., page 938, 2015.
D. Chialva and A. Dooms. Conditionals in homomorphic encryption and machine learning applications. IACR Cryptol. ePrint Arch., page 1032, 2018.
K. Conrad. Cyclotomic extensions. 2009.
T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. The MIT Press, 2nd edition, 2001.
I. Damgård, V. Pastro, N. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption. In Annual Cryptology Conference, pages 643–662. Springer, 2012.
M. v. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 24–43. Springer, 2010.
S. Erabelli. pyFHE - a Python library for fully homomorphic encryption. PhD thesis, Massachusetts Institute of Technology, 2020.
J. Fan and F. Vercauteren. Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch., 2012:144, 2012.
C. Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pages 169–178, 2009.
C. Gentry. Computing arbitrary functions of encrypted data. Communications of the ACM, 53(3):97–105, 2010.
R. Gilad-Bachrach, N. Dowlin, K. Laine, K. Lauter, M. Naehrig, and J. Wernsing. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning, pages 201–210. PMLR, 2016.
S. Halevi. Homomorphic encryption. In Y. Lindell, editor, Tutorials on the Foundations of Cryptography. Springer, 2017.
J. Hoffstein, J. Pipher, and J. H. Silverman. An Introduction to Mathematical Cryptography, volume 1. Springer, 2008.
J. Katz and Y. Lindell. Introduction to Modern Cryptography. CRC Press, 2014.
S. Khot. Hardness of approximating the shortest vector problem in lattices. J. ACM, 52(5):789–808, 2005.
S. Khot. Inapproximability results for computational problems on lattices. In P. Q. Nguyen and B. Vallée, editors, The LLL Algorithm - Survey and Applications, Information Security and Cryptography, pages 453–473. Springer, 2010.
A. Korkine and G. Zolotareff. Sur les formes quadratiques. Mathematische Annalen, 6:366–389, 1873.
V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 1–23. Springer, 2010.
D. Micciancio and S. Goldwasser. Complexity of Lattice Problems - A Cryptographic Perspective, volume 671 of The Kluwer International Series in Engineering and Computer Science. Springer, 2002.
D. Micciancio and O. Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267–302, 2007.
D. Micciancio and O. Regev. Lattice-based cryptography. In Post-Quantum Cryptography, pages 147–191. Springer, 2009.
J. S. Milne. Algebraic number theory (v3.08), 2020. Available at www.jmilne.org/math/.
T. Mukherjee. Cyclotomic polynomials in Ring-LWE homomorphic encryption schemes. Master's thesis, Rochester Institute of Technology, 2016.
M. Naehrig, K. Lauter, and V. Vaikuntanathan. Can homomorphic encryption be practical? In Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, pages 113–124, 2011.
P. Nguyen and B. Vallée. The LLL Algorithm. Springer, Berlin, Heidelberg, 2010.
C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, pages 333–342, 2009.
C. Peikert. A decade of lattice cryptography. Found. Trends Theor. Comput. Sci., 10(4):283–424, 2016.
C. Peikert and A. Rosen. Lattices that admit logarithmic worst-case to average-case connection factors. In Proceedings of the 39th Annual ACM Symposium on Theory of Computing, pages 478–487, 2007.
K. Pietrzak. Cryptography from learning parity with noise. In M. Bieliková, G. Friedrich, G. Gottlob, S. Katzenbeisser, and G. Turán, editors, SOFSEM 2012: Theory and Practice of Computer Science - 38th Conference on Current Trends in Theory and Practice of Computer Science, volume 7147 of Lecture Notes in Computer Science, pages 99–114. Springer, 2012.
B. Porter. Cyclotomic polynomials. 2015.
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In H. N. Gabow and R. Fagin, editors, Proceedings of the 37th Annual ACM Symposium on Theory of Computing, pages 84–93. ACM, 2005.
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):1–40, 2009.
O. Regev. The learning with errors problem. Invited survey in CCC, 7(30):11, 2010.
R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and privacy homomorphisms. Foundations of Secure Computation, Academic Press, pages 169–179, 1978a.
R. L. Rivest, A. Shamir, and L. M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978b.
Index
Z-module, 49
∆K, 58
c-approximation, 12
c-gap problem, 12

adjoin, 138
arithmetic circuit, 85
automorphism, 45, 54, 69
average-case hardness, 12

bootstrappable, 77
bootstrapping, 85
BV, 84
BFV, 91

canonical embedding, 54, 70
characteristic
    of a ring, 107
characteristics
    of a field, 108
Chinese Remainder Theorem, 50
coefficient embedding, 54
computational security, 15
coprime, 50
CPA, 78
CRT, 50
cyclotomic extension, 41, 45
cyclotomic field, 48
cyclotomic polynomial, 41, 42, 44

different ideal, 61
dimension reduction, 85
discrete Gaussian distribution, 30
    SIS security proof, 32
division ring, 104
dual basis, 60, 134
dual lattice, 22, 60
    dual basis, 22

elementary symmetric polynomials, 45
Euler's formula, 41
Euler's totient function, 42
evaluation key, 81
expansion factor, 91

field extension, 109, 138
finite field, 108
First Isomorphism Theorem, 44, 50, 107, 112
fractional ideal, 51, 63
free module, 105
fundamental domain (parallelepiped), 19

Galois group of a field extension, 45, 115
Galois group of a polynomial, 45
group homomorphism, 103, 107

hash function, 28
    collision resistant, 29
HE scheme
homomorphic encryption (HE)
    fully, 76
    leveled, 76
    leveled fully, 76
    partial, 76
    property, 75
    somewhat, 76
    scheme, 75
homomorphism, 103
    group, 107
    ring, 107

ideal factorization, 70
ideal GCD, 50
ideal lattice, 57
ideal norm, 58
index, 103
injective homomorphism, 46
integral basis, 49
integral domain, 106
irreducible, 44
irreducible polynomial, 111
isomorphic, 46
isomorphism, 104

kernel, 107
key switching, 87

lattice, 18
    basis, 18
    determinant, 19
    invariant determinant, 20
lattice problems
    BDD, 38
    BDDα, 25
    CVP, 25
    INCGDD, 32
    SBP, 26
    SIS, 26
    SVP, 24
    USVP, 26
left coset, 103
LWE, 6, 35
    decision (DLWE), 36
    distribution, 36
    hardness proof, 37
    search, 36
    search to decision, 36

maximal ideal, 107
minimal polynomial, 44, 54, 111
Minkowski, 58, 131
module, 104
modulus reduction, 84, 86
modulus switching, 86