# The Security of Learning With Errors: A Post-Quantum Cryptosystem

## Additional Funding Sources

This research, conducted at the Complexity Across Disciplines Research Experience for Undergraduates site, was supported by the National Science Foundation under Grant No. DMS-1659872 and by Boise State University.

## Abstract

Certain attacks on the Ring Learning with Errors (RLWE) post-quantum cryptosystem rely on reduction to the Polynomial Learning with Errors (PLWE) problem.

In this work, we answer questions posed recently by Y. Elias and others regarding the concepts of spectral distortion and smearing that are used as conditions for a successful attack.

The spectral distortion of an *n* × *n* matrix *M* is defined as ‖*M*‖_{2}/det(*M*)^{1/n}, where *M* is a matrix derived from the Minkowski embedding of a number field *K*, and is used to bound the error when moving between problem instances.

We show that if *K* = ℚ(ζ_{n}) for ζ_{n} a primitive *n*-th root of unity, then *M*^{H}*M* is a structured symmetric Toeplitz matrix.

Moreover, we provide a closed form for the spectral distortion when *n* = 2^{i}*p*^{j} for *i*, *j* ≥ 0 and prime *p*.

We say that a map π_{α} : *P*_{q} → 𝔽_{q}, *g* ↦ *g*(*α*), smears if π_{α}(*S*) = 𝔽_{q}, where *P*_{q} = 𝔽_{q}[*x*]/(*f*(*x*)), *f*(*x*) is a monic irreducible polynomial over ℤ that splits completely over 𝔽_{q}, *f*(α) = 0, and *S* ⊂ *P*_{q}.

When π_{α} does not smear, a PLWE problem instance is susceptible to attacks.

We provide an estimation on the probability of smearing as a function of |S| and the distribution from which elements of P_{q} are sampled.
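As an added example (not code from the paper), the smearing condition above can be checked directly on a constructed toy instance: *f*(*x*) = *x*^{4} + 1 with *q* = 17, so *f* splits completely over 𝔽_{17}; each root α gives an evaluation map π_{α}, and a set *S* is tested for whether its image is all of 𝔽_{q}. The Monte Carlo estimate of the smearing probability for a sampled *S* is an illustration of the kind of quantity the abstract refers to, not the paper's estimate.

```python
# Constructed toy instance: f(x) = x^4 + 1 (8th cyclotomic polynomial) over F_17.
# 17 ≡ 1 (mod 8), so f splits completely; π_α : P_q -> F_q sends g to g(α).
import itertools
import random

Q = 17
F = [1, 0, 0, 0, 1]  # coefficients of x^4 + 1, lowest degree first


def poly_eval(coeffs, x, q):
    """Evaluate a polynomial (low-degree-first coefficients) at x modulo q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def roots_mod_q(f, q):
    """Brute-force roots of f over F_q; f splits completely iff there are deg(f) of them."""
    return [a for a in range(q) if poly_eval(f, a, q) == 0]


def smears(S, alpha, q):
    """True iff the image π_α(S) = {g(α) : g in S} is all of F_q."""
    return len({poly_eval(g, alpha, q) for g in S}) == q


def small_coeff_set(num_coeffs, values):
    """All polynomials of degree < num_coeffs with coefficients drawn from `values`."""
    return [list(c) for c in itertools.product(values, repeat=num_coeffs)]


def smear_probability(size, alpha, q, coeff_values, num_coeffs, trials, seed=0):
    """Monte Carlo estimate of Pr[π_α(S) = F_q] when S consists of `size` i.i.d.
    polynomials whose coefficients are uniform over coeff_values (a stand-in for
    the error distribution). Deterministic for a fixed seed."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        S = [[rng.choice(coeff_values) for _ in range(num_coeffs)] for _ in range(size)]
        hits += smears(S, alpha, q)
    return hits / trials


if __name__ == "__main__":
    ternary = small_coeff_set(4, (-1, 0, 1))  # 81 "small error" polynomials
    binary = small_coeff_set(4, (0, 1))       # only 16 < q, so it cannot smear
    for alpha in roots_mod_q(F, Q):
        print(alpha, smears(ternary, alpha, Q), smears(binary, alpha, Q))
```

A root α at which the sampled error set does not smear is exactly the situation the abstract flags as attackable, so the per-root check is the defender's sanity test for a candidate (*f*, *q*, error distribution).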

## Comments

T31