A Trace Map Attack Against Special Ring-LWE Samples

Abstract

The learning with errors (LWE) problem is one of the hard problems supporting the security of modern lattice-based cryptography. Ring-LWE is the analog of LWE over the ring of integers of a cyclotomic field, and it has provided efficient cryptosystems. In this paper, we give cryptanalysis against ring-LWE using the trace map over the ring of integers of a cyclotomic field, without using any reduction to other structured lattice problems. Since it maps to a ring of a smaller degree, a trace map attack is expected to be able to decrease the hardness of ring-LWE. However, the trace map does not necessarily transform ring-LWE samples to samples over the smaller ring with a common secret. We give a sufficient and necessary condition on a pair of ring-LWE samples for which the trace map attack is applicable. We call such a pair of samples special. We demonstrate how efficiently the trace map attack can solve ring-LWE when a special pair of samples is given. Specifically, we compare blocksizes of the Blockwise Korkine-Zolotarev (BKZ) algorithm required for solving ring-LWE in the trace map attack and a standard attack. Moreover, we discuss the (in)feasibility of the trace map attack for random ring-LWE samples to evaluate how the trace map attack can give a threat against ring-LWE-based cryptosystems on a practical side.