Home The condition number associated with ideal lattices from odd prime degree cyclic number fields
Article Open Access

The condition number associated with ideal lattices from odd prime degree cyclic number fields

  • Robson Ricardo de Araujo EMAIL logo
Published/Copyright: February 4, 2025
Download Article (PDF)
Become an author with De Gruyter Brill
Submit Manuscript Author Information
Journal of Mathematical Cryptology
From the journal Journal of Mathematical Cryptology Volume 19 Issue 1

Abstract

The condition number of a generator matrix of an ideal lattice derived from the ring of integers of an algebraic number field is an important quantity associated with the equivalence between two computational problems in lattice-based cryptography, the “Ring Learning With Errors (RLWE)” and the “Polynomial Learning With Errors (PLWE)”. In this work, we compute the condition number of a generator matrix of the ideal lattice from the whole ring of integers of any odd prime degree cyclic number field using canonical embedding.

Keywords: condition number; RLWE; PLWE; Abelian number fields; ideal lattices
MSC 2010: 11T71; 15A12; 11R20; 11C99

1 Introduction

The Ring Learning with Errors (RLWE) problem and the Polynomial Learning with Errors (PLWE) problem are the basis for some of the most promising post-quantum cryptographic protocols [1,2]. These problems are part of lattice-based cryptography since they arise from Learning with Errors (LWE) problem, which is at least as difficult to solve as the approximate shortest independent vector problem ( α -SIVP). In turn, these problems are known to be NP-hard for certain α [3]. Although the decision version of RLWE has known security reduction for α -SVP, the advantage of PLWE is that it is more efficient and suitable for implementation. Essentially, RLWE is defined over the ring of integers of an algebraic number field K = Q ( a ) through canonical embedding, whereas PLWE is defined over a quotient of a polynomial ring F q [ x ] ( f ( x ) ) through coefficient embedding.

In some cases, the problems RLWE and PLWE are equivalent, which occurs when there is an algorithm that transforms a solution of one of them into a solution of the other, and vice versa, in polynomial time. The theoretical problem of the relation (in particular, the equivalence) between RLWE and PLWE was first described in [4]. Especially since then, it has been shown that RLWE and PLWE are equivalent or non-equivalent in several situations (e.g., [59]).

To determine the equivalence (or not) between RLWE and PLWE, an important quantity is the condition number associated with a generator matrix of the ideal lattice used in the RLWE construction. If K is an algebraic number field of degree n and O K denotes its ring of integers, the canonical embedding of K consists of the map σ K : K C n given by σ K ( x ) = ( σ 1 ( x ) , , σ n ( x ) ) , for all x O K , where σ 1 , , σ n are the monomorphisms from K to C . In this way, σ K ( O K ) can be seen as a lattice in an n -dimensional Euclidean space H isomorphic to R n , where the lattice is understood to be a full-rank discrete additive subgroup of H (or R n ). The lattice Λ = σ K ( O K ) is said to be an ideal lattice and is associated with an n × n matrix M such that v Λ if and only if v T = M u T for some u Z n . The matrix M is called a generator matrix of Λ . The condition number of M (or, of K ) is defined as the quantity Cond ( M ) = M M 1 , where A Tr ( A * A ) denotes the Frobenius norm of a matrix A (where A * denotes the conjugate transpose of the complex matrix A and Tr denotes the trace of a matrix). The condition number is important in RLWE/PLWE equivalence because it measures the distortion caused in the transformation from one to the other when the algebraic structures involved are paired [8]. In these situations, the RLWE/PLWE equivalence is established if the condition number is O ( n r ) for some constant r > 0 depending only on the field K .

Let K be a cyclic number field of odd prime degree p . Since K Q is an Abelian field extension, there is a cyclotomic field Q ( ζ m ) containing K according to the Kronecker–Weber theorem. The minimal m with this property is called the conductor of K . It is known that p is either unramified or ramified in O K . If p is unramified in O K , then the conductor of K is given by m = i = 1 r p i , where r 1 and p 1 , , p r are prime positive integer numbers such that p i 1 ( mod p ) for i = 1 , , r (unramified case). In turn, if p is ramified in O K , then the conductor of K is given by m = p 2 u , where u = 1 or u = i = 1 r p i with r 1 and p 1 , , p r are prime positive integer numbers such that p i 1 ( mod p ) (ramified case). In this context, algebraic lattices coming from Z -modules of O K through canonical embedding and their associated trace forms have recently been studied for different applications (e.g., [1013]).

Our objective in this work is to compute the condition number of a generator matrix of the lattice σ K ( O K ) , where K is an odd prime degree cyclic number field. The unramified case is described in Section 2 – the condition number is given in Theorem 2.1. In turn, the condition number of K in the ramified case is available in Theorem 3.1, which is covered in Section 3. Finally, we conclude this work in Section 4 with suggestions for further research related to RLWE/PLWE equivalence for K .

2 The unramified case

Let K be a cyclic number field of prime degree p > 2 . Suppose that p is unramified in the ring of integers O K . This means that the conductor of K is given by m = p 1 p r , where r 1 and p 1 , , p r are prime positive integer numbers satisfying p i 1 ( mod p ) , for each i = 1 , , r . Then, K Q ( ζ m ) , where ζ m is an m th primitive root of unity. In this case, the Hilbert–Speiser theorem [14, Theorem 1.7] states that K has a normal integral basis: in fact, if t Tr Q ( ζ m ) K ( ζ m ) and θ denotes a generator of the Galois group Gal ( K Q ) , then { t , θ ( t ) , , θ p 1 ( t ) } is a Z -basis of O K .

Since K Q is a Galois field extension of the odd degree, K is a totally real number field. Therefore, the monomorphisms from K to C are exactly the i -powers of θ for i = 0 , , p 1 and have their images contained in R . So, the canonical embedding associated with K can be defined as σ K ( x ) = ( x , θ ( x ) , , θ p 1 ( x ) ) R n , for all x K . Thus, a generator matrix of the lattice Λ = σ K ( O K ) is given by

(1) M K = ( θ i ( θ j ( t ) ) ) i , j { 0 , 1 , , p 1 } = t θ ( t ) θ p 1 ( t ) θ ( t ) θ 2 ( t ) t θ p 1 ( t ) t θ p 2 ( t ) .

Also, in [11, Theorem 2.2], it is shown that

(2) Tr K ( t 2 ) = m + 1 m p

and for i , j { 0 , 1 , , p 1 } with i j ,

(3) Tr K ( θ i ( t ) θ j ( t ) ) = 1 m p .

Furthermore, in the following, we use the fact shown in [15, Lemma 2.3] that, for any a , b C ,

(4) det a b b b b a b b b b a b b b b a k × k = ( a b ) k 1 ( a + ( k 1 ) b ) .

Finally, we are able to show the main theorem of this section:

Theorem 2.1

If K is a cyclic number field of prime degree p > 2 , where p is unramified in O K , then the condition number of a generator matrix of Λ = σ K ( O K ) is given by

(5) Cond ( M K ) = 1 + ( p 1 ) m + p 1 + 1 m ,

where m is the conductor of K.

Proof

The matrix G M K * M K = M K T M K is the Gram matrix of Λ because K is a totally real number field. Since Tr K ( θ i ( t ) θ j ( t ) ) = Tr K ( t θ j i ( t ) ) for all i , j { 0 , 1 , , p 1 } , θ p ( t ) = θ 0 ( t ) = t , and by (2) and (3), we have that

(6) G = Tr K ( t 2 ) T r K ( t θ ( t ) ) Tr K ( t θ p 1 ( t ) ) Tr K ( t θ ( t ) ) T r K ( t 2 ) Tr K ( t θ p 2 ( t ) ) Tr K ( t θ p 1 ( t ) ) Tr K ( t θ p 2 ( t ) ) Tr K ( t 2 ) = m + 1 m p 1 m p 1 m p 1 m p m + 1 m p 1 m p 1 m p 1 m p m + 1 m p .

So, M K = Tr ( G ) = m ( p 1 ) + 1 . To compute M K 1 , we observe that Tr ( ( M K 1 ) T M K 1 ) = Tr ( G 1 ) , which corresponds to the sum of the eigenvalues of the symmetric matrix G 1 counted with multiplicity. Since the eigenvalues of G 1 are equal to the inverse of the eigenvalues of G , M K 1 = Tr ( G 1 ) = i = 1 p λ i 1 , where λ 1 , , λ p are the eigenvalues of G . Thus, to complete this proof, we need to compute the eigenvalues of G . By (4), denoting by I p the p × p identity matrix, we have

(7) det ( G x I p ) = ( m x ) p 1 ( 1 x ) ,

whence it follows that the eigenvalues of G are λ 1 = λ 2 = = λ p 1 = m and λ p = 1 . So, M K 1 = 1 + ( p 1 ) m . Therefore,

(8) Cond ( M K ) = M K M K 1 = ( m ( p 1 ) + 1 ) 1 + p 1 m ,

which completes this proof after a simple rearrangement of the last expression.□

3 The ramified case

Let K be a cyclic number field of prime degree p > 2 . In this section, we suppose that p is ramified in the ring of integers O K . In this case, the conductor of K is given by m = p 2 u , where u = 1 or u = p 1 p r for some prime positive integer numbers p 1 , , p r such that p i 1 ( mod p ) , i = 1 , , r . In this case, the Leopoldt theorem [16, Theorem 2] implies that K has an integral basis given by B = { 1 , θ ( t ) , , θ p 1 ( t ) } , where θ is a generator of the cyclic Galois group Gal ( K Q ) and t Tr Q ( ζ m ) K ( ζ m ) (note that B is not a normal integral basis of K , which in fact is regarded by the Hilbert–Speiser theorem).

As commented in the previous section, the canonical embedding associated with K can be seen as σ K : K R p defined by σ K ( x ) = ( x , θ ( x ) , , θ p 1 ( x ) ) , for all x K . Then, a generator matrix of the ideal lattice Λ = σ K ( O K ) is given by

(9) M K = 1 θ ( t ) θ 2 ( t ) θ p 1 ( t ) 1 θ 2 ( t ) θ 3 ( t ) t 1 θ 3 ( t ) θ 4 ( t ) θ ( t ) 1 t θ ( t ) θ p 2 ( t ) .

Since m is not a squarefree integer, it is well known that

(10) Tr K ( t ) = Tr Q ( ζ m ) ( ζ m ) = 0 .

Additionally, in [13], it is shown that

(11) Tr K ( t 2 ) = m ( p 1 ) p

and for i , j { 0 , , p 1 } , i j ,

(12) Tr K ( θ i ( t ) θ j ( t ) ) = Tr K ( t θ j i ( t ) ) = m p .

With this setting, in the following theorem, we show the condition number of a generator matrix of σ K ( O K ) :

Theorem 3.1

If K is a cyclic number field of prime degree p > 2 , where p is ramified in O K , the condition number of a generator matrix of Λ = σ K ( O K ) is given by

(13) Cond ( M K ) = 2 p 2 1 + 1 m p 2 m + 6 + 7 + m 2 p ( 1 + m ) + m p 2 ,

where m is the conductor of K.

Proof

The proof is similar to that presented for Theorem 2.1. In this case, due to formulas (10), (11), and (12), the Gram matrix of Λ , G = M K T M K , is given by

(14) G = p Tr K ( t ) Tr K ( t ) Tr K ( t ) Tr K ( t ) Tr K ( t 2 ) Tr K ( t θ ( t ) ) Tr K ( t θ p 2 ( t ) ) Tr K ( t ) Tr K ( t θ ( t ) ) Tr K ( t 2 ) Tr K ( t θ p 3 ( t ) ) Tr K ( t ) Tr K ( t θ p 2 ( t ) ) Tr K ( t θ p 3 ( t ) ) Tr K ( t 2 ) = p 0 0 0 0 m ( p 1 ) p m p m p 0 m p m ( p 1 ) p m p 0 m p m p m ( p 1 ) p .

Thus, M K = Tr ( G ) = p ( m + 1 ) 2 m + m p . Finally, to compute M K 1 = Tr ( G 1 ) , we need the eigenvalues of G . Using the Laplace expansion in combination with (4), we have that

(15) det ( G x I p ) = ( p x ) ( m x ) p 2 ( m p x ) .

This implies that λ 1 = p , λ 2 = λ 3 = = λ p 1 = m , and λ p = m p are the eigenvalues of G . Consequently, their inverses are the eigenvalues of G 1 . So,

(16) M K 1 = Tr ( G 1 ) = 1 p + 2 ( p 1 ) m .

Therefore,

(17) Cond ( M K ) = M K M K 1 = p ( m + 1 ) 2 m + m p 1 p + 2 ( p 1 ) m

from which the result follows after rearrangements in this expression.□

4 Conclusion and future research

Considering that K is an odd prime degree cyclic number field and σ K is the canonical embedding associated with it, in this work, we have shown formulas for the condition number of a generator matrix of the lattice σ K ( O K ) depending only on the degree and the conductor of K . If p not divides m , this condition number is presented in Theorem 2.1. In turn, if p divides m , the condition number is computed in Theorem 3.1.

As noted in the introduction of this work, the condition number of a generator matrix of an ideal lattice can be used in a cryptographic context related to the equivalence between the RLWE and PLWE problems. Although the quantities shown in this work indicate that RLWE and PLWE are equivalent for odd prime degree cyclic number fields, once the condition numbers computed here are of polynomial order, the non-monogenicity of these number fields (as shown in [17]) prevents the expected conclusion a priori. Thus, future research could investigate whether the RLWE and PLWE problems are equivalent in the context of odd prime degree cyclic number fields, which could lead to new studies related to RLWE/PLWE equivalence for non-monogenic number fields.

Acknowledgment

The author thanks the referee for her/his suggestions to improve this work.

  1. Funding information: This work was supported by National Council for Scientific and Technological Development (CNPq) – Process 405842/2023-6 and by Federal Institute of São Paulo through its program PIPECT 2024.

  2. Author contributions: The author has accepted responsibility for the entire content of this manuscript and approved its submission.

  3. Conflict of interest: The author declares no competing interests.

  4. Ethical approval: The conducted research is not related to either human or animals use.

  5. Data availability statement: Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

References

[1] Stehlé D, Steinfeld R, Tanaka K, Xagawa K. Efficient public key encryption based on ideal lattices. Adv Cryptol-ASIACRYPT 2009 Lecture Notes in Comput Sci. 2009;5912:617–35. https://doi.org/10.1007/978-3-642-10366-7_36. Search in Google Scholar

[2] Lyubashevsky V, Peikert C, Regev O. On ideal lattices and learning with errors over rings. J Assoc Comput Mach. 2013;60:1–35. https://doi.org/10.1145/2535925. Search in Google Scholar

[3] Micciancio D. The shortest vector in a Lattice is hard to approximate to within some constant. SIAM J Comput. 2001;30:2008–35. https://doi.org/10.1137/S0097539700373039. Search in Google Scholar

[4] Rosca M, Stehlé D, Wallet A. On the ring-LWE and polynomial-LWE problems. Adv Cryptology-EUROCRYPT 2018 Lecture Notes Comput Sci. 2018;10820:146–73. https://doi.org/10.1007/978-3-319-78381-9_6. Search in Google Scholar

[5] Ducas L, Durmus A. Ring-(lwe) in polynomial rings. Public Key Cryptography - PKC 2012 Lecture Notes Comput Sci. 2012;7293:34–51. https://doi.org/10.1007/978-3-642-30057-8_3. Search in Google Scholar

[6] Blanco-Chacón I. On the RLWE/PLWE equivalence for cyclotomic number fields. Appl Algebr Eng Comm. 2022;33:53–71. https://doi.org/10.1007/s00200-020-00433-z. Search in Google Scholar

[7] Blanco-Chacón I, López-Hernanz L. RLWE/PLWE equivalence for the maximal totally real subextension of the 2rpq-th cyclotomic field. Adv Math Commun. 2022;13:1–32. https://doi.org/10.3934/amc.2022093. Search in Google Scholar

[8] Blanco-Chacón I. RLWE/PLWE equivalence for totally real cyclotomic subextensions via quasi-Vandermonde matrices. J Algebra Appl. 2022;21:2250218. https://doi.org/10.1142/S0219498822502188. Search in Google Scholar

[9] DiScala AJ, Sanna C, Signorini E. RLWE and PLWE over cyclotomic fields are not equivalent. Appl Algebr Eng Comm. 2022;22:174–8. https://doi.org/10.1007/s00200-022-00552-9. Search in Google Scholar

[10] Nunes JVL, Interlando JC, Neto TPN, Lopes JOD. New p-dimensional lattices from cyclic extensions. J Algebra Appl. 2017;16:1750186. https://doi.org/10.1142/S0219498817501869. Search in Google Scholar

[11] de Oliveira EL, Interlando JC, Neto TPN, Lopes JOD. The integral trace form of cyclic extensions of odd prime degree. Rocky Mt J Math. 2017;47:1075–88. 10.1216/RMJ-2017-47-4-1075Search in Google Scholar

[12] de Araujo RR, Costa SIR. Well-rounded algebraic lattices in odd prime dimension. Arch Math. 2019;112:139–48. https://doi.org/10.1007/s00013-018-1232-7. Search in Google Scholar

[13] de Araujo RR, Chagas ACMM, Andrade AA, Neto TPN. Trace form associated to cyclic number fields of ramified odd prime degree. J Algebra Appl. 2020;19:2050080. https://doi.org/10.1142/S0219498820500802. Search in Google Scholar

[14] Johnston H. Notes on Galois module. 2016. University of Exeter; https://empslocal.ex.ac.uk/people/staff/hj241/GM_CourseNotes109.pd.Search in Google Scholar

[15] Di Scala AJ, Sanna C, Signorini E. On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial. J Math Cryptol. 2021;15:174–8. https://doi.org/10.1515/jmc-2020-0009. Search in Google Scholar

[16] Lettl G. The ring of integers of an Abelian number field. J Reine Angew Math. 1990;404:162–70. https://doi.org/10.1515/crll.1990.404.162. Search in Google Scholar

[17] Gras M. Non monogénéité de laanneau des entiers des extensions cycliques de Q de degré premier l ≥ 5. J Number Theory. 1986;23:347–53. https://doi.org/10.1016/0022-314X(86)90079-X. Search in Google Scholar
Received: 2024-05-20
Revised: 2024-10-18
Accepted: 2024-11-08
Published Online: 2025-02-04

© 2025 the author(s), published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Articles in the same Issue

  1. A McEliece cryptosystem using permutation codes
  2. Research Articles
  3. The condition number associated with ideal lattices from odd prime degree cyclic number fields
  4. A small serving of mash: (Quantum) algorithms for SPDH-Sign with small parameters
  5. The least primitive roots mod p
  6. On the independence heuristic in the dual attack
  7. Sherlock Holmes zero-knowledge protocols secure against active attackers
  8. Inner product functional encryption based on the UOV scheme
  9. Review Article
  10. Leveled homomorphic encryption schemes for homomorphic encryption standard
  11. Special Issue based on CIFRIS24
  12. Modern techniques in somewhat homomorphic encryption
  13. Investigation of metabelian platform groups for protocols based on (simultaneous) conjugacy search problem
  14. Smaller public keys for MinRank-based schemes
  15. Application of Mordell–Weil lattices with large kissing numbers to acceleration of multiscalar multiplication on elliptic curves
  16. First-degree prime ideals of composite extensions
  17. Dynamic-FROST: Schnorr threshold signatures with a flexible committee
  18. BTLE: Atomic swaps with time-lock puzzles
  19. Security analysis of ZKPoK based on MQ problem in the multi-instance setting
https://doi.org/10.1515/jmc-2024-0022
Keywords for this article
condition number; RLWE; PLWE; Abelian number fields; ideal lattices
Creative Commons
BY 4.0

Articles in the same Issue

  1. A McEliece cryptosystem using permutation codes
  2. Research Articles
  3. The condition number associated with ideal lattices from odd prime degree cyclic number fields
  4. A small serving of mash: (Quantum) algorithms for SPDH-Sign with small parameters
  5. The least primitive roots mod p
  6. On the independence heuristic in the dual attack
  7. Sherlock Holmes zero-knowledge protocols secure against active attackers
  8. Inner product functional encryption based on the UOV scheme
  9. Review Article
  10. Leveled homomorphic encryption schemes for homomorphic encryption standard
  11. Special Issue based on CIFRIS24
  12. Modern techniques in somewhat homomorphic encryption
  13. Investigation of metabelian platform groups for protocols based on (simultaneous) conjugacy search problem
  14. Smaller public keys for MinRank-based schemes
  15. Application of Mordell–Weil lattices with large kissing numbers to acceleration of multiscalar multiplication on elliptic curves
  16. First-degree prime ideals of composite extensions
  17. Dynamic-FROST: Schnorr threshold signatures with a flexible committee
  18. BTLE: Atomic swaps with time-lock puzzles
  19. Security analysis of ZKPoK based on MQ problem in the multi-instance setting
Sign up now to receive a 20% welcome discount
Institutional Access
How does access work?
Have an idea on how to improve our website?
Please write us.
© 2025 De Gruyter Brill
Downloaded on 22.11.2025 from https://www.degruyterbrill.com/document/doi/10.1515/jmc-2024-0022/html
Scroll to top button