**On the Integer Polynomial Learning with Errors Problem**

*Julien Devevey and Amin Sakzad and Damien Stehlé and Ron Steinfeld*

**Abstract: **Several recent proposals of efficient public-key encryption
are based on variants of the polynomial learning with errors problem
($\mathsf{PLWE}^f$) in which the underlying polynomial ring $\mathbb{Z}_q[x]/f$ \
is replaced with the (related) modular integer ring $\mathbb{Z}_{f(q)}$;
the corresponding problem is known as Integer Polynomial Learning with Errors
($\mathsf{I-PLWE}^f$). Cryptosystems based on $\mathsf{I-PLWE}^f$ and its variants can
exploit optimised big-integer arithmetic
to achieve good practical performance, as exhibited by the $\mathsf{ThreeBears}$ cryptosystem.
Unfortunately, the average-case hardness of $\mathsf{I-PLWE}^f$
and its relation to more established lattice problems have to date remained unclear.

We describe the first polynomial-time average-case reductions for the search variant of $\mathsf{I-PLWE}^f$, proving its computational equivalence with the search variant of its counterpart problem $\mathsf{PLWE}^f$. Our reductions apply to a large class of defining polynomials $f$. To obtain our results, we employ a careful adaptation of Rényi divergence analysis techniques to bound the impact of the integer ring arithmetic carries on the error distributions. As an application, we present a deterministic public-key cryptosystem over integer rings. Our cryptosystem, which resembles $\mathsf{ThreeBears}$, enjoys one-way (OW-CPA) security provably based on the search variant of $\mathsf{I-PLWE}^f$.

**Category / Keywords: **foundations / lattices, ring-LWE, average-case reduction, OW-CPA, I-RLWE

**Original Publication**** (with major differences): **IACR-PKC-2021

**Date: **received 4 Mar 2021

**Contact author: **julien devevey at ens-lyon fr, amin sakzad at monash edu, damien stehle at ens-lyon fr, ron steinfeld at monash edu

**Available format(s): **PDF | BibTeX Citation

**Version: **20210304:133126 (All versions of this report)

**Short URL: **ia.cr/2021/277

[ Cryptology ePrint archive ]