On the Integer Polynomial Learning with Errors Problem

Several recent proposals of efficient public-key encryption are based on variants of the polynomial learning with errors problem (PLWE\(^f\)) in which the underlying polynomial ring \(\mathbb {Z}_q[x]/f\) is replaced with the (related) modular integer ring \(\mathbb {Z}_{f(q)}\); the corresponding problem is known as Integer Polynomial Learning with Errors (I-PLWE\(^f\)). Cryptosystems based on I-PLWE\(^f\) and its variants can exploit optimised big-integer arithmetic to achieve good practical performance, as exhibited by the ThreeBears cryptosystem. Unfortunately, the average-case hardness of I-PLWE\(^f\) and its relation to more established lattice problems have to date remained unclear.We describe the first polynomial-time average-case reductions for the search variant of I-PLWE\(^f\), proving its computational equivalence with the search variant of its counterpart problem PLWE\(^f\). Our reductions apply to a large class of defining polynomials f. To obtain our results, we employ a careful adaptation of Rényi divergence analysis techniques to bound the impact of the integer ring arithmetic carries on the error distributions. As an application, we present a deterministic public-key cryptosystem over integer rings. Our cryptosystem, which resembles ThreeBears, enjoys one-way (OW-CPA) security provably based on the search variant of I-PLWE\(^f\).