1 Introduction

Since the theoretical results of Ajtai [1], lattice-based cryptography has gained increasing interest. Indeed, numerous lattice-based encryption and digital signature schemes, with performance comparable or even superior to that of their number-theoretic counterparts, have been proposed [2, 10, 13, 16]. In particular, because of their presumed resistance against quantum attacks, lattice-based proposals are the most numerous in the final phase of the NIST post-quantum standardization process, with finalist candidates in both key encapsulation [3, 5, 11] and digital signature schemes [4, 15].

The main building block of lattice-based cryptographic schemes is the Learning With Errors (LWE) problem [19], which, roughly speaking, consists of retrieving a secret vector \(s \in {\mathbb {Z}}_q^n\) from a noisy random sample of matrix products. On the one hand, LWE-based encryption schemes enjoy good computational efficiency and solid theoretical security bases. On the other hand, they require the ciphertexts or the public keys to be nearly quadratic with respect to the security parameters. To overcome this inefficiency, algebraic variants of the LWE problem have been introduced, which consider the problem no longer over \({\mathbb {Z}}_q\) but over the quotient ring \({\mathbb {Z}}_q[X]/(f)\), where \(f\in {\mathbb {Z}}_q[X]\) is a monic and irreducible polynomial. The variant known as Polynomial-LWE (PLWE) was first proposed using power-of-two degree cyclotomic polynomials [22]. Later, Lyubashevsky, Peikert, and Regev [18] introduced the Ring-LWE (RLWE) variant over the ring of integers \({\mathcal {O}}_K\) of a number field \(K = {\mathbb {Q}}(\theta )\) (for surveys on RLWE, see [7, 14]).

The main advantage of RLWE (and of later generalizations such as Module-LWE [17]) is the provable-security link with hard computational problems over (ideal) lattices, as for plain LWE. Nevertheless, most of the concrete constructions of lattice-based schemes, while enjoying the security proofs of RLWE, are expressed in the simpler formalism of PLWE. The latter is in fact preferable in implementations, where the modular arithmetic between polynomials can be implemented efficiently. For these reasons, it is interesting to study for which families of polynomials f the RLWE and PLWE problems are equivalent, that is, every solution of the first problem can be turned in polynomial time into a solution of the second problem, and vice versa, incurring a noise increase that is polynomial in the degree of f. From a theoretical point of view, the problem of equivalence between RLWE and PLWE was formalized for the first time by Rosca, Stehlé, and Wallet [24], who also explained the relationship between the noise increase and the condition number of a certain Vandermonde matrix associated with f, as detailed below.

More precisely, let \(K = {\mathbb {Q}}(\theta )\) be a monogenic number field of degree m, and let \(f \in {\mathbb {Z}}[X]\) be the minimal polynomial of \(\theta\), so that \({\mathcal {O}}_K \cong {\mathbb {Z}}[X]/(f)\). The geometric notion of short element derives from a choice of a norm on K by embedding the number field in \({\mathbb {C}}^m\). On the one hand, RLWE makes use of the canonical embedding (or Minkowski embedding) \(\sigma\) from K to \({\mathbb {C}}^m\), where \(\sigma _i(\theta )\) (\(i=1,\ldots ,m\)) are the Galois conjugates of \(\theta\). On the other hand, PLWE makes use of the coefficient embedding, which maps each \(x \in {\mathcal {O}}_K\) to the vector \((x_0, \ldots , x_{m-1}) \in {\mathbb {Z}}^m\) of its coefficients with respect to the power basis \(1, \theta , \ldots , \theta ^{m-1}\). As a linear map, the canonical embedding \(\sigma\) has a matrix representation \(V \in {\mathbb {C}}^{m \times m}\), so that, for each \(x \in {\mathcal {O}}_K\), we have \(\sigma (x) = V \cdot (x_0, \dots , x_{m-1})^\intercal\). For the equivalence between RLWE and PLWE, it is important to determine when, if \(\Vert x\Vert\) is small, then so is \(\Vert \sigma (x)\Vert\), and vice versa. This notion is quantified by V having a small condition number \({\text {Cond}}(V) := \Vert V\Vert \Vert V^{-1}\Vert\), where \(\Vert V\Vert := \sqrt{{\text {Tr}}(V^*\!\,V)}\) is the Frobenius norm of V, and \(V^*\) is the conjugate transpose of V. Precisely, for the equivalence of the RLWE and PLWE problems it must hold that \({\text {Cond}}(V) = O(m^r)\) for some constant \(r > 0\), depending only on the family of polynomials f.

The equivalence problem can be studied in general for any number field. Although equivalence has been proved for restricted families of polynomials defining number fields [24], the greatest interest arguably concerns cyclotomic fields, which are the most used in cryptographic applications. For cyclotomic fields, the equivalence is well known for the power-of-two case [22] and recently the problem has received more attention both from a theoretical point of view [6, 12] and in practical applications [25]. However, to the best of our knowledge, prior to this work a general result on RLWE and PLWE equivalence for cyclotomic fields was still missing. When \(K = {\mathbb {Q}}(\zeta _n)\) is the \(n\hbox {th}\) cyclotomic field, \(V_n := V\) is the Vandermonde matrix of the \(n\hbox {th}\) cyclotomic polynomial \(\varPhi _n(X)\), that is,

$$\begin{aligned} V_n := \begin{pmatrix} 1 & \zeta _{n,0} & \zeta _{n,0}^2 & \cdots & \zeta _{n,0}^{m-1} \\ 1 & \zeta _{n,1} & \zeta _{n,1}^2 & \cdots & \zeta _{n,1}^{m-1} \\ 1 & \zeta _{n,2} & \zeta _{n,2}^2 & \cdots & \zeta _{n,2}^{m-1} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & \zeta _{n,m-1} & \zeta _{n,m-1}^2 & \cdots & \zeta _{n,m-1}^{m-1} \\ \end{pmatrix} , \end{aligned}$$

where \(\zeta _{n,0}, \ldots , \zeta _{n,m-1}\) are the primitive nth roots of unity, and \(m = \varphi (n)\) is the Euler totient function of n. Note that \(\varPhi _n(X)\) has degree m. If n is a power of 2, then it is easy to show that \(V_n\) is a scaled isometry, so that \({\text {Cond}}(V_n) = m\) and consequently RLWE and PLWE are equivalent. Blanco-Chacón [6] (see also [8, 9]) proved that \({\text {Cond}}(V_n) = O(n^{r_k})\), where \(r_k > 0\) is a constant depending only on the number k of distinct prime factors of n. Therefore, RLWE and PLWE restricted to the positive integers n with a bounded number of prime factors are equivalent. Furthermore, in a previous work [12], the authors gave an explicit formula for the condition number of \(V_n\) when n is a prime power or a power of 2 times an odd prime power.

Our main result is the following.

Theorem 1

There exist infinitely many positive integers n such that

$$\begin{aligned} {\text {Cond}}(V_n) > \exp \!\big (n^{\log 2 / \log \log n}\big ) / \sqrt{n} . \end{aligned}$$

In particular, for every fixed \(r > 0\), we have that \({\text {Cond}}(V_n) \ne O(n^r)\).

As a consequence of Theorem 1 and the previous considerations, one immediately gets the following corollary.

Corollary 1

RLWE and PLWE over cyclotomic fields are not equivalent.

Corollary 1 settles the question of the equivalence between RLWE and PLWE over cyclotomic fields by answering it negatively. Therefore, from both a practical and a theoretical point of view, future investigations have to keep in mind that, in general, results on RLWE over cyclotomic fields cannot be translated into results on PLWE over cyclotomic fields, and vice versa, unless further restrictions on the generating polynomials are imposed.

An interesting direction would be to determine the maximal order of \({\text {Cond}}(V_n)\) and, in particular, if the lower bound of Theorem 1 can be improved significantly. For a plot of the values of \({\text {Cond}}(V_n)\) up to \(n=10,000\), see Fig. 1. The library used for the calculation of \({\text {Cond}}(V_n)\) is available in [21].

Fig. 1 [figure omitted] The condition number of \(V_n\) with n squarefree, \(1< n < 10,000\). The data is partitioned according to the number \(\omega (n)\) of prime factors of n.

2 Proof of Theorem 1

Throughout this section, let n be a positive integer and put \(m := \varphi (n)\). We write \({\text {Id}}_k\) for the \(k \times k\) identity matrix, and we count rows and columns starting from 0, so that the first row or column is the 0th. Furthermore, let

$$\begin{aligned} W_n := \begin{pmatrix} 1 &{} \zeta _{n,0} &{} \zeta _{n,0}^2 &{} \cdots &{} \zeta _{n,0}^{mn-1} \\ 1 &{} \zeta _{n,1} &{} \zeta _{n,1}^2 &{} \cdots &{} \zeta _{n,1}^{mn-1} \\ 1 &{} \zeta _{n,2} &{} \zeta _{n,2}^2 &{} \cdots &{} \zeta _{n,2}^{mn-1} \\ \vdots &{} \vdots &{} \vdots &{} \ddots &{} \vdots \\ 1 &{} \zeta _{n,m-1} &{} \zeta _{n,m-1}^2 &{} \cdots &{} \zeta _{n,m-1}^{mn-1} \\ \end{pmatrix} \end{aligned}$$

be the \(m \times mn\) matrix obtained by “continuing” \(V_n\) to the right.

Lemma 1

We have \(W_n W_n^* = mn {\text {Id}}_m\).

Proof

The scalar product of the ith row of \(W_n\) and the jth column of \(W_n^*\) is equal to

$$\begin{aligned} \sum _{k\,=\,0}^{mn - 1} \left( \zeta _{n, i} \overline{\zeta _{n, j}}\right) ^k = {\left\{ \begin{array}{ll} mn &{} \text { if } i = j ; \\ 0 &{} \text { if } i \ne j ; \end{array}\right. } \end{aligned}$$

where we used the formula for the sum of a geometric progression. The claim follows. \(\square\)

Let \(a_n(j)\) denote the coefficient of \(X^j\) in the nth cyclotomic polynomial \(\varPhi _n(X)\), that is,

$$\begin{aligned} \varPhi _n(X) = \sum _{j \,=\, 0}^m a_n(j) X^j . \end{aligned}$$

The study of the coefficients of the cyclotomic polynomials has a very long history, which goes back at least to Gauss. For a survey, see [20]. Let A(n) be the maximum of the absolute values of \(a_n(0), \dots , a_n(m - 1)\). We need the following result of Vaughan [23].

Theorem 2

We have \(A(n) > \exp \!\left( n^{\log 2 / \log \log n} \right)\) for infinitely many positive integers n.

Let \(C_n\) be the companion matrix of \(\varPhi _n(X)\), which is the \(m \times m\) matrix defined as

$$\begin{aligned} C_n := \begin{pmatrix} 0 &{} 0 &{} \cdots &{} 0 &{} -a_n(0) \\ 1 &{} 0 &{} \cdots &{} 0 &{} -a_n(1) \\ 0 &{} 1 &{} \cdots &{} 0 &{} -a_n(2) \\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ 0 &{} 0 &{} \cdots &{} 1 &{} -a_n(m - 1) \\ \end{pmatrix} , \end{aligned}$$

and let

$$\begin{aligned} S_n := \big ({\text {Id}}_m \mid C_n^m \mid C_n^{2m} \mid \cdots \mid C_n^{(n-1)m}\big ) \end{aligned}$$

be the \(m \times mn\) matrix obtained by the juxtaposition of the first n powers of \(C_n^m\).

Lemma 2

We have \(V_n^{-1} W_n = S_n\).

Proof

Let \(K := {\mathbb {Q}}(\zeta _{n})\) be the nth cyclotomic field. For each \(k \in \{0, \dots , m-1\}\) we have that \(1, \zeta _{n,k}, \zeta _{n,k}^2, \dots , \zeta _{n, k}^{m - 1}\) is a basis of K over \({\mathbb {Q}}\). Moreover, multiplication by \(\zeta _{n, k}\) is a \({\mathbb {Q}}\)-linear map \(K \rightarrow K\) whose transformation matrix with respect to the aforementioned basis is equal to \(C_n\). Therefore, if \(z_0, \dots , z_{m-1} \in K\) satisfy

$$\begin{aligned} \begin{pmatrix} z_0 \\ z_1 \\ \vdots \\ z_{m-1} \end{pmatrix} = V_n \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{m - 1} \end{pmatrix} \end{aligned}$$

for some \(c_0, \dots , c_{m-1} \in {\mathbb {Q}}\), then it follows that

$$\begin{aligned} \begin{pmatrix} \zeta _{n,0}^j z_0 \\ \zeta _{n,1}^j z_1 \\ \vdots \\ \zeta _{n,m-1}^j z_{m-1} \end{pmatrix} = V_n C_n^j \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{m - 1} \end{pmatrix} \end{aligned}$$

for every integer \(j \ge 0\). Consequently, we have that

$$\begin{aligned} \begin{pmatrix} \zeta _{n,0}^j &{} \zeta _{n,0}^{j+1} &{} \cdots &{} \zeta _{n,0}^{j+m-1} \\ \zeta _{n,1}^j &{} \zeta _{n,1}^{j+1} &{} \cdots &{} \zeta _{n,1}^{j+m-1} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ \zeta _{n,m-1}^j &{} \zeta _{n,m-1}^{j+1} &{} \cdots &{} \zeta _{n,m-1}^{j+m-1} \\ \end{pmatrix} = V_n C_n^j {\text {Id}}_m = V_n C_n^j, \end{aligned}$$
(1)

for every integer \(j \ge 0\). Therefore, by juxtaposition of (1) for \(j = 0, m, 2m, \dots , (n - 1)m\), we obtain that \(W_n = V_n S_n\). The claim follows. \(\square\)

Lemma 3

We have \(\Vert V_n^{-1}\Vert ^2 = \tfrac{1}{mn}\sum _{k = 0}^{n - 1} \Vert C_n^{km}\Vert ^2\).

Proof

From Lemmas 1 and 2, it follows that

$$\begin{aligned} mn \Vert V_n^{-1}\Vert ^2 = mn {\text {Tr}}\!\left( V_n^{-1} \big (V_n^{-1}\big )^*\right) = {\text {Tr}}\!\left( V_n^{-1} W_n W_n^* \big (V_n^{-1}\big )^*\right) = {\text {Tr}}(S_n S_n^*) . \end{aligned}$$

Moreover, by the definition of \(S_n\), we have that

$$\begin{aligned} {\text {Tr}}(S_n S_n^*)&= {\text {Tr}}\Big (\big ({\text {Id}}_m \mid C_n^m \mid \cdots \mid C_n^{(n-1)m}\big ) \begin{pmatrix} {\text {Id}}_m \\ (C_n^m)^* \\ {\vdots } \\ \big (C_n^{(n-1)m}\big )^* \end{pmatrix} \Big ) \\&= \sum _{k \,=\, 0}^{n - 1} {\text {Tr}}\big (C_n^{km} \big (C_n^{km}\big )^*\big ) = \sum _{k \,=\, 0}^{n - 1} \Vert C_n^{km}\Vert ^2 , \end{aligned}$$

and the claim follows.

Lemma 4

Let k be a positive integer and let

$$\begin{aligned} C := \begin{pmatrix} 0 &{} 0 &{} \cdots &{} 0 &{} c_0 \\ 1 &{} 0 &{} \cdots &{} 0 &{} c_1 \\ 0 &{} 1 &{} \cdots &{} 0 &{} c_2 \\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ 0 &{} 0 &{} \cdots &{} 1 &{} c_{k-1} \end{pmatrix} \in {\mathbb {C}}^{k \times k} . \end{aligned}$$

Then, for every integer \(j \in [1, k]\), the \((k - j)\)th column of \(C^j\) is equal to \(\begin{pmatrix}c_0&c_1&\cdots&c_{k-1} \end{pmatrix}^\intercal\).

Proof

Actually, a stronger claim holds: For every integer \(j \in [1, k]\), the 0th, 1st, ..., \((k - j)\)th columns of \(C^j\) are equal to the \((j - 1)\)th, jth, ..., \((k - 1)\)th columns of C, respectively. This follows easily by induction on j.

We are ready to prove Theorem 1. From Lemmas 3 and 4, it follows that

$$\begin{aligned} \Vert V_n^{-1}\Vert ^2 = \tfrac{1}{mn}\sum _{k = 0}^{n - 1} \Vert C_n^{km}\Vert ^2 \ge \tfrac{1}{mn} \Vert C_n^m\Vert ^2 \ge \tfrac{1}{mn} \sum _{j \,=\, 0}^{m-1} |a_n(j)|^2 \ge \tfrac{1}{mn} A(n)^2 . \end{aligned}$$

In turn, this implies that

$$\begin{aligned} {\text {Cond}}(V_n) = \Vert V_n\Vert \Vert V_n^{-1}\Vert = m \Vert V_n^{-1}\Vert \ge \sqrt{\tfrac{m}{n}} A(n) \ge \tfrac{1}{\sqrt{n}} A(n) . \end{aligned}$$

As a consequence, Theorem 2 yields that

$$\begin{aligned} {\text {Cond}}(V_n) > \exp \!\left( n^{\log 2 / \log \log n} \right) / \sqrt{n} , \end{aligned}$$

for infinitely many positive integers n. Therefore, for every fixed \(r > 0\), we have that

$$\begin{aligned} \limsup _{n \rightarrow +\infty } \frac{{\text {Cond}}(V_n)}{n^r} = +\infty , \end{aligned}$$

so that \({\text {Cond}}(V_n) \ne O(n^r)\). The proof is complete.
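The following script is an added example (it is not the authors' library [21]) that evaluates \({\text {Cond}}(V_n)\) exactly through Lemma 3, i.e. as \(m \sqrt{\tfrac{1}{mn}\sum _{k=0}^{n-1} \Vert C_n^{km}\Vert ^2}\) with integer companion-matrix arithmetic, and computes the height A(n) so that the bound \({\text {Cond}}(V_n) \ge A(n)/\sqrt{n}\) from the proof can be checked on concrete n. All function names are this example's own choices; it assumes 0-indexed rows and columns as in Sect. 2.

```python
from math import sqrt

def poly_div(num, den):
    """Exact division of integer polynomials (coefficient lists, lowest degree first); den must be monic."""
    num, d = num[:], len(den) - 1
    q = [0] * (len(num) - d)
    for i in range(len(q) - 1, -1, -1):
        q[i] = num[i + d]                     # leading coefficient of the current remainder
        for j, c in enumerate(den):
            num[i + j] -= q[i] * c
    assert not any(num), "division was not exact"
    return q

def cyclotomic(n):
    """Coefficients a_n(0), ..., a_n(m) of Phi_n(X), via Phi_n = (X^n - 1) / prod_{d|n, d<n} Phi_d."""
    poly = [-1] + [0] * (n - 1) + [1]         # X^n - 1
    for d in range(1, n):
        if n % d == 0:
            poly = poly_div(poly, cyclotomic(d))
    return poly

def companion(a):
    """Companion matrix C_n of Phi_n: ones on the subdiagonal, last column -a_n(j)."""
    m = len(a) - 1
    C = [[0] * m for _ in range(m)]
    for i in range(m):
        if i + 1 < m:
            C[i + 1][i] = 1
        C[i][m - 1] = -a[i]
    return C

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def frob2(A):
    """Squared Frobenius norm ||A||^2 = Tr(A A^*); entries are integers here."""
    return sum(x * x for row in A for x in row)

def cond_vandermonde(n):
    """Cond(V_n) = ||V_n|| ||V_n^{-1}|| with ||V_n|| = m and ||V_n^{-1}||^2 taken from Lemma 3."""
    a = cyclotomic(n)
    m = len(a) - 1
    Cm = companion(a)
    for _ in range(m - 1):
        Cm = matmul(Cm, companion(a))         # C_n^m
    P, total = [[int(i == j) for j in range(m)] for i in range(m)], 0
    for _ in range(n):                        # sum_{k=0}^{n-1} ||C_n^{km}||^2, exact integers
        total += frob2(P)
        P = matmul(P, Cm)
    return m * sqrt(total / (m * n))

def height(n):
    """A(n): the largest |a_n(j)| over j < m."""
    return max(abs(c) for c in cyclotomic(n)[:-1])
```

For power-of-two n the script returns exactly m, as stated in Sect. 1, and n = 105 is the first n for which height(n) exceeds 1.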