## Abstract

A statistical framework applicable to Ring-LWE was outlined by Murphy and Player (IACR eprint 2019/452). Its applicability was demonstrated with an analysis of the decryption failure probability for degree-1 and degree-2 ciphertexts in the homomorphic encryption scheme of Lyubashevsky, Peikert and Regev (IACR eprint 2013/293). In this paper, we clarify and extend results presented by Murphy and Player. Firstly, we make precise the approximation of the discretisation of a Normal random variable as a Normal random variable, as used in the encryption process of Lyubashevsky, Peikert and Regev. Secondly, we show how to extend the analysis given by Murphy and Player to degree-*k* ciphertexts, by precisely characterising the distribution of the noise in these ciphertexts.

## 1 Introduction

The Ring-LWE problem [6, 12] has become a standard hard problem underlying lattice-based cryptography. In [7], a detailed algebraic background for Ring-LWE was given, together with a statistical framework based on *δ*-subgaussian random variables [9, 10]. Another statistical framework applicable to Ring-LWE, based on a Central Limit approach, was outlined in [11]. It is argued in [11] that this is a more natural approach than one using *δ*-subgaussian arguments, when considering the important application setting of homomorphic encryption [5].

Ciphertexts in all homomorphic encryption schemes have an inherent *noise* which is small in fresh cipher-texts and grows during homomorphic evaluation operations. If the noise grows too large, decryption will fail. A thorough understanding of the statistical properties of the noise is therefore essential for choosing efficient parameters while ensuring correctness. Rather than analysing the noise directly, we consider the embedding of the noise via the *canonical embedding* (see e.g. [7]) in a complex space *H*.

In this paper, we present results on discretisation and product distributions applicable to Ring-LWE cryptography, which clarify and extend results presented in [11]. For concreteness, these results could be applied to the homomorphic encryption scheme of Section 8.3> of [7], termed SymHom by [11] and analysed there.

In a Ring-LWE discretisation, an element of the complex space *H* is rounded to some randomly determined nearby element of *H* in a lattice coset *Λ* + *c*. We require that all components of the vector expressing this discretisation in an appropriate basis for *H* are bounded by an appropriate threshold in order for a successful decryption to take place. The statistical properties of the discretisation process are therefore of fundamental importance in determining correctness. Our results demonstrate how we can obtain a good multivariate Normal approximation for (embedded) noise of a degree-1 (fresh) ciphertext vector expressed in a decryption basis after a change of basis transformation. This justifies the approach used in [11, Theorem 1] for bounding the decryption failure probability of such ciphertexts.

In homomorphic Ring-LWE cryptosystems such as SymHom, for
*k* ciphertext *c*_{mult} is formed as the result of the homomorphic multiplication of two ciphertexts *c*_{1} and *c*_{2} of degrees *k*_{1} and *k*_{2} respectively. The noise in *c*_{mult} is defined to be the product of the noises in the input ciphertexts *c*_{1} and *c*_{2}. We show that using the Central Limit Framework of [11], the distribution of a vector expressing the (embedded) noise in a degree-*k* SymHom ciphertext in an appropriate decryption basis can be approximated by a multivariate Normal distribution. This extends the analysis for degree-2 ciphertexts given in [11, Theorem 2].

### 1.1 Contributions

In Section 3 we make precise the approximation of the *CRR discretisation* (Definition 2.5) of a Normal random variable as a Normal random variable, so potentially allowing a more direct and powerful approach to CRR discretisation than a *δ*-subgaussian approach. Moreover, our techniques are potentially generalisable to other randomised discretisation methods. Our first main result is Proposition 3.5, which describes the distribution of the *Balanced Reduction* (Definition 2.4) of a Normal random variable. To obtain Proposition 3.5, we first show in Lemma 3.1 that the Balanced Reduction of a Normal random variable gives a Triangular distribution, which is itself approximated by a Normal distribution (Lemma 3.2).

In Section 4 we extend the analysis of degree-2 ciphertexts given in [11] to degree-*k* ciphertexts. Our second main result is Lemma 4.4, which shows that a component
*k*-fold *⊗*-product *Z* ^{(k)} has a
*distribution* (Section 4.1).

## 2 Background

In this section, we give the relevant background for our discussion. In Section 2.1 we recall the necessary algebraic background to Ring-LWE, following [7]. In Section 2.2 we recall results on discretisation following [10]. In Section 2.3 we recall the definition and basic properties of the Meijer *G*-Function [2, 3, 4].

### 2.1 Algebraic Background

The mathematical structure underlying Ring-LWE is the polynomial quotient ring obtained from the *m ^{th}* cyclotomic polynomial of degree

*n*. For simplicity, we consider the case where

*m*is a large prime, so

*H*(Definition 2.1).

### Definition 2.1

*The* conjugate pair space *H is*
*where T is the n* × *n unitary* conjugate pairs matrix *given by*
*where*
*is the*
*identity matrix and*
*is the*
*reverse diagonal matrix of* 1*s*.

We note that
*T*^{†} denotes the conjugate transpose of *T*. We can represent elements of *H* as vectors with respect to a basis for *H*, and two such bases of *H* of direct relevance are specified in Definition 2.2.

### Definition 2.2

*The I*-basis *for H is given by the columns of the n* ×*n identity matrix I _{n}, that is to say by standard basis vectors. The* T-basis

*for H is given by the columns of the conjugate pair matrix T*.

We note that an element of *H* is expressed as a vector in the *I*-basis as a vector of *n′* conjugate pairs and by construction in the *T*-basis as a *real-valued* vector. A vector expressing an element of *H* in the *I*-basis has the same norm as a vector expressing the same element in the *T*-basis as *T* is a unitary matrix
*H* has a natural well-defined multiplication operation, and Definition 2.3 specifies this multiplication operation for vectors expressing elements of *H* in the *I*-basis and in the *T*-basis.

### Definition 2.3

*If*
*and*
*are vectors expressing elements of H in the I-basis for H, then the ⊙-product*
*is their componentwise product. If u and v are (real-valued) vectors expressing elements of H in the T-basis for H, then the ⊗-product*

The *⊗*-product of two real-valued vectors can be expressed by considering appropriate pairs of components. The space *H* can be regarded as
*u*, *v ∈* ℝ^{2} expressing elements of *H* _{2} in the *T*-basis for *H* _{2}, their *⊗*-product is given by

### 2.2 Discretisation Background

The discretisation process in (for example) a homomorphic Ring-LWE cryptosystem “rounds” an element of *H* to some randomly determined nearby element of *H* in a lattice coset *Λ* + *c* of some lattice *Λ* in *H*. As an illustration of a discretisation process, we use the coordinate-wise randomised rounding method of discretisation or *CRR discretisation* given in the first bullet point of Section 2.4.2 of [7]. We give a formal statistical description of CRR discretisation in terms of a random *Balanced Reduction* function following [10].

### Definition 2.4

*The univariate* Balanced Reduction *function* ℛ *on* ℝ *is the random function*

*The multivariate* Balanced Reduction *function* ℛ *on* ℝ* ^{l} with support on* [−1, 1]

^{l}is the random function*with component functions*

*that are independent univariate Balanced Reduction functions*.

### Definition 2.5

*Suppose B is a (column) basis matrix for the n-dimensional lattice Λ in H. If* ℛ *is the Balanced Reduction function, then the* coordinate-wise randomised rounding discretisation *or* CRR discretisation
*of the random variable X on H to the lattice coset Λ* + *c with respect to the basis matrix B is the random variable*

The CRR discretisation
*X* with respect to the basis *B* of *Λ* is a random variable on the lattice coset *Λ*+*c*, and is a valid (does not depend on the chosen coset representative *c*) discretisation [7, 10].

### 2.3 Meijer *G*-Functions

Our analysis in Section 4 will be most easily expressed in terms of Meijer *G*-functions [2–4], which are specified in general in Definition 2.6. Definition 2.7 gives three classes of Meijer *G*-functions that are of direct relevance to us.

### Definition 2.6

*The* Meijer *G*-Function
*is defined for x* ≠ 0 *and integers ξ*, *v*, *p*, *q with* 0 ≤ *ξ* ≤ *q and* 0 ≤ *v* ≤ *p by the line integral*

*in the complex plane, where Γ denotes the gamma function and*
*The integral path L runs from* −*i*∞ *to i*∞ *such that all poles of*
*are to the right of the path (for*
*and all the poles of*
*are to the left of the path (for k* = 1, . . . , *v), though other paths are possible*.

### Definition 2.7

*For a positive integer k and the integral path L of Definition 2.6, the functions*
*and*
*are the Meijer-G functions given by*

For small *k*, we note that
*dt* is a modified Bessel function of the second kind [1]. Similarly, we also have

## 3 Discretisation Distributions in Ring-LWE

In Section 3.1, we show that the Balanced Reduction of a Gaussian random variable underlying a degree-1 ciphertext in situations of interest is essentially a Triangular random variable, which can itself be approximated by a Normal random variable. In Section 3.2, we make precise the multivariate Normal approximation of the CRR discretisation of the embedded noise in a degree-1 SymHom ciphertext.

### 3.1 The Balanced Reduction of a Normal Random Variable

A Ring-LWE encryption process is based on the discretisation of Normal random variables in *H* .We therefore consider the discretisation
*I*-basis) which is the image of some real-valued multivariate Normal random variable *X′* under *T* .However,

### Lemma 3.1

*If*
*then its Balanced Reduction*
*has the Triangular distribution △(density function*
*for*
*and* 0 *otherwise) as its limiting distribution as the standard deviation*

*Sketch Proof*. We can express the density function *f*_{ℛ(Y)} of ℛ(*Y*) in terms of the density function
*Y*. By considering the Fourier series for
*f*_{ℛ(Y)} on (−1, 1) and hence show that

The Fourier form shown in the proof of Lemma 3.1 (Appendix A) in fact shows that the Balanced Reduction of a Normal N(*μ*, σ^{2}) random variable with *any* mean *μ* is very close to a Triangular distribution *△*with mean **E**(*△*) = 0 and variance Var
*σ*, as illustrated in Figure 1 for the small standard deviation *σ* = 0.50. Ring-LWE applications typically use a larger standard deviation than 0.5, so giving an even closer approximation.

The Triangular distribution can obviously itself be approximated by a Normal
**E**(*△*) = 0 and variance Var
^{2}) Normal random variable for *σ* > 0.50, is illustrated in Figure 1.

### Lemma 3.2

*Suppose that*
*has a Triangular distribution with distribution function*
*for*
*If Φ is the distribution function of a standard Normal N*(0, 1) *random variable, then the random variable*
*has a Normal distribution with mean* 0 *and variance*

*Proof*. If
*Z*. Thus the distribution function
*W′* is

Thus *W′* and *Z* have the same distribution function and so

The discrepancy between the Triangular random variable *W ∼ △* and the approximating Normal random variable
*Ghost* distribution because of its shape and elusive nature. Lemma 3.4 gives the statistical properties of the Ghost distribution. Proposition 3.5 summarises the distribution of the Balanced Reduction of a Normal random variable, using the notation to denote “is approximately distributed as”.

### Definition 3.3

*Suppose that*
*has a Triangular distribution with distribution function*
*for*
*If Φ is the distribution function of a standard Normal N*(0, 1) *random variable, then the random variable*
*has a* Ghost *distribution. Such a random variable W′′ is denoted* *W′′* ~ .

### Lemma 3.4

*A Ghost random variable* *W′′* ~ *has mean* **E** (*W′′*) = 0 *and variance Var*(*W′′*) = 0*.0012, so has standard deviation St Dev*(*W′′*) = 0*.035. Furthermore, the tail probabilities of W′′ are given by the following Table*.

θ |
0.03 | 0.15 | 0.37 | 0.62 | 0.84 |
---|---|---|---|---|---|

P(|W′′| > θ) |
10^{−1} |
10^{−2} |
10^{−3} |
10^{−4} |
10^{−5} |

*Proof*. The results can be obtained by numerical integration and so on. □

### Proposition 3.5

*The distribution of the Balanced Reduction* ℛ(*N*(*μ*, σ^{2})) *of a univariate Normal distribution for standard deviations σ of interest in Ring-LWE can essentially be approximated (with a slight abuse of notation) as*

### 3.2 The Distribution of a CRR Discretisation

We consider the CRR discretisation
*X* = *TX′* that is the image under *T* of a spherically symmetric real-valued Normal random variable
*ρ* is typically larger than the length of the basis vectors, that is to say the column lengths of *B* or equivalently of the real matrix *T*^{†}*B*. We can express this CRR discretisation as either a complex-valued random vector
*I*-basis for *H* or as a real-valued random vector
*T*-basis for *H*. Following Proposition 3.5, the distributions of these vectors are essentially given by

We observe that the first of these three distributions is typically the dominating distribution. For example, the real-valued distribution of *B* in Ring-LWE. Similarly, the variance matrix of
*ρ*^{2}*I _{n}*. For practical purposes we can therefore consider that

In the decryption of a degree-1 ciphertext, such a discretisation (that is, the noise in the ciphertext embedded in *H*) is considered as a real-valued vector in a “decryption basis”. An appropriate change of basis matrix *C* to such a decryption basis can be expressed as
*C′*. We therefore consider the real-valued vector

where *C′* = *CT* and *CB* are real matrices. The decryption is successful if every component of

In summary, this discussion justifies the approach used in [11, Theorem 1] for obtaining a bound for a decryption failure probability for

## 4 Product Distributions in Ring-LWE

The noise in a degree-*k* ciphertext in SymHom can be seen as the *k*-fold ⊙-product of the noises of *k* degree-1 ciphertexts in the *I*-basis for *H*. We are interested in the *k*-fold ⊙-product of the form

We consider the equivalent ⊗-product *T*-basis, with approximate distribution

The ⊗-product in R*n* decomposes into
^{2}. Thus we consider the distribution on ℝ^{2} given by the *k*-fold ⊗-product of spherical bivariate Normal random variables

In particular, we consider the distribution of a 1-dimensional component of this 2-dimensional distribution. This approach allows us to construct an approximate multivariate distribution for the vector expressing the embedded noise in an appropriate decryption basis.

### 4.1 The 𝒦 Distribution

We use the 𝒦 *distribution*, which we now introduce, to analyse the component distribution of a *k*-fold ⊗product.

### Definition 4.1

*A symmetric continuous univariate random variable X has a* 𝒦 *distribution with* shape *k (positive integer) and* variance *v*^{2} > 0 *if it has density function*
*where*
*is the Meijer G-function of Definition 2.7. We write X ∼* 𝒦(*k*, v^{2}) *to denote that X has such a distribution*.

We note that an 𝒦(1, 1) distribution is a standard Normal N(0, 1) distribution and that 𝒦(2, 1) is a univariate Laplace distribution. The density functions of the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are shown in Figure 3, and tail probabilities are tabulated in Figure 4 for the 𝒦(*k*, 1) distributions for shape *k* = 1, . . . , 6. The tail probability functions for the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are illustrated in Figure B1 in Appendix B. It can be seen that 𝒦(*k*, 1) is far more highly weighted around 0 and in the tails for shape *k* > 1 than the comparable standard Normal distribution N(0, 1) = 𝒦(1, 1) with the same mean 0 and variance 1.

### 4.2 The ⊗-product of Spherical Bivariate Normal Distributions

We now establish the distribution of a component
*k*-fold ⊗-product *Z* ^{(k)} of spherical bivariate Normal distributions. Lemma 4.2 gives the density function
*Z* ^{(k)}. Lemma 4.3 then gives the associated characteristic function
*Z* ^{(k)}. Finally, Lemma 4.4 shows that a component
*k*-fold ⊗-product *Z*^{(k)} has the 𝒦 distribution with shape *k*. Full proofs of these results are provided in Appendix C.

### Lemma 4.2

*Suppose that*
*are independent spherical bivariate Normal random variables and that* G*k is the Meijer G-function ofDefinition 2.7. Their k-fold⊗-product*
*has density function*
*on* ℝ^{2} *given*
*where*

*Sketch Proof*. The proof establishes the density function
*G*-functions. The final form of the density function

### Lemma 4.3

*Suppose that*
*are independent spherical bivariate Normal random variables and that* ℋ*k is the Meijer G-function ofDefinition 2.7. Their k-fold⊗-product*
*has characteristic function*
*on* ℝ^{2} *given by*
*where*

*Sketch Proof*. The characteristic function
*G*-functions.

### Lemma 4.4

*Suppose that*
*are independent spherical bivariate Normal random variables, and let*
*be their k-fold ⊗-product. A component*
*of Z*^{(k)} *has a* 𝒦(*k*, *ρ*^{2}) *distribution (Definition 4.1) with shape k and variance*

*Sketch Proof*. The characteristic function corresponding to the density function *f _{Y}* is the appropriate marginal characteristic function derived from Lemma 4.3.

### 4.3 Application to Homomorphic Multiplication Noise Growth

By considering repeated multiplication of degree-1 ciphertexts we can see that the (embedded) noise in a degree-*k* ciphertext is an element of *H* that can be expressed as a real valued random vector
*T*-basis formed by a *k*-fold ⊗-product. The discussion of Section 4.2 shows that the distribution of a component
*k* and some variance *ρ*^{2} obtained as the product of individual variances. Furthermore, a component

For decryption, we consider the embedded noise of a degree-*k* ciphertext expressed as the real random vector *C′W*^{(k)} in an appropriate decryption basis. We can use a Central Limit framework [11] to approximate the distribution of *C′W*^{(k)} as a multivariate Normal distribution under mild conditions on *C′* for “product variance” *ρ*^{2} as

This Normal approximation can then be used to obtain information about the probability of decryption failure, as was done for *k* = 2 in [11, Theorem 2].

The quality of the approximation will decrease as the degree *k* increases due to the heavier tails of 𝒦(*k*, *ρ*^{2}) as *k* increases. In the case of a somewhat homomorphic encryption scheme, requiring to support only a few multiplications, this may not be problematic. Moreover, the quality of this approximation can be checked empirically if required.

## Article note

Rachel Player was supported by an ACE-CSR Ph.D. grant, by the French Programme d’Investissement d’Avenir under national project RISQ P141580, and by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701).

## Acknowledgement

We thank the anonymous referees for their comments on previous versions of this paper, and we thank Carlos Cid for his interesting discussions about this paper.

## References

[1] M. Abramowitz and I. A. Stegun, *Handbook of Mathematical Functions* Dover Publications, 1965.Search in Google Scholar

[2] R. Askey and A. Daalhuis and A. Olde, *Meijer G-function* NIST Handbook of Mathematical Functions (F. Olver *et al*. ed.), Cambridge University Press, 2010.Search in Google Scholar

[3] H. Bateman and A. Erdélyi, *Higher Transcendental Functions* 1, McGraw-Hill, 1953.Search in Google Scholar

[4] R. Beals and J. Szmiglieski, Meijer G-Functions: A Gentle Introduction, *Notices Amer. Math. Soc*. 60 (2013), 886–872.10.1090/noti1016Search in Google Scholar

[5] C. Gentry, Fully Homomorphic Encryption using Ideal Lattices, in: *41st Annual ACM Symposium on Theory of Computing, STOC 2009* Proceedings, ACM, (2009), 169–178.Search in Google Scholar

[6] V. Lyubashevsky and C. Peikert and O. Regev, On Ideal Lattices and Learning with Errors over Rings, in: *Advances in Cryptology - EUROCRYPT 2010* Lecture Notes in Comput. Sci. 6110, Springer, (2010), 1–23.Search in Google Scholar

[7] V. Lyubashevsky and C. Peikert and O. Regev, *A Toolkit for Ring-LWE Cryptography* preprint (2013), https://eprint.iacr.org/2013/293Search in Google Scholar

[8] V. Lyubashevsky and C. Peikert and O. Regev, A Toolkit for Ring-LWE Cryptography, in: *Advances in Cryptology - EUROCRYPT 2013* Lecture Notes in Comput. Sci. 7881, Springer, (2013), 35–54.Search in Google Scholar

[9] D. Micciancio and C. Peikert, Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, in: *Advances in Cryptology - EUROCRYPT 2012* Lecture Notes in Comput. Sci. 7237, Springer, (2012), 700–718.Search in Google Scholar

[10] S. Murphy and R. Player, *-subgaussian Random Variables in Cryptography* *in* Information Security and Privacy – 24th Australasian Conference, ACISP 2019, Lecture Notes in Computing. Sci. 11547, Springer, (2019), 251–268.Search in Google Scholar

[11] S. Murphy and R. Player, *A Central Limit Framework for Ring-LWE Decryption* preprint (2019), https://eprint.iacr.org/2019/452Search in Google Scholar

[12] D. Stehlé and R. Steinfeld and K. Tanaka and K. Xagawa, Eflcient Public Key Encryption Based on Ideal Lattices, in: *Advances in Cryptology - ASIACRYPT 2009* Lecture Notes in Comput. Sci. 5912, Springer, (2009), 617–635.Search in Google Scholar

### A Proof of a Result of Section 3 about a Normal Balanced Reduction

### Lemma 3.1

If
*△* (density function

*Proof*. Let *f _{Y}* denote the density function of

*Y*to [0, 1). By construction,

*F*

_{ℛ(Y)}of ℛ(

*Y*) is given by

The distribution function
*z*) takes the value 0 for

For
*F* _{ℛ(Y)} of ℛ(*Y*) therefore evaluates as

whereas, for

Thus the density function *f*_{ℛ(Y)} of ℛ(*Y*) is given by

The density function
*Y′* on [0, 1) can be expressed as a Fourier series in (*y* − *μ*) (of period 1) with coefficients

where
*f*_{ℛ(Y)} of ℛ(*Y*) on (−1, 1) is therefore given by

□

### B Illustration of tail probability functions of 𝒦 distributions

The tail probability functions for the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are illustrated in Figure B1.

### C Proofs of Results of Section 4 about the ⊗-product

### Lemma 4.2

Suppose that
*G*-function of Definition 2.7. Their *k*-fold ⊗-product
^{2} given by

*Proof*. For simplicity, we suppose
*Z*^{(k)}| of this *k*-fold⊗-product *Z* ^{(k)} is
*r* ≥ 0, which we demonstrate by induction. When *k* = 1, the length
*x*-distribution with 2 degrees of freedom. Thus the density function
*G*-function.

We now assume inductively that the length
*k* − 1)-fold ⊗-product

However,
*G*-function notation of Definition 2.7, so

as the final integral is a multiplicative convolution of Meijer *G*-functions. Thus

The result for the density function
*Z*^{(k)} then follows immediately from the polar transformation linking

### Lemma 4.3

Suppose that
*G*-function of Definition 2.7. Their *k*-fold ⊗-product
^{2} given by

*Proof*. For simplicity, we set
*Z*^{(k)} is
*Z*^{(k)} is given by

We can write
*t* and *z* in polar co-ordinates, so
*Z*^{(k)} can be expressed as

where
*G*-functions. Thus the characteristic function *Z*^{(k)} can be evaluated as a multiplicative convolution to give

### Lemma 4.4

Suppose that
*k*-fold⊗-product.A component
*Z* ^{(k)} has a
*k* and variance

*Proof*. For simplicity, we set
*ρ*^{2} = 1. Suppose *Z*^{(k)} has orthogonal components

The characteristic function
*Z*^{(k)} is therefore given by

Suppose
*X* has density function
*ϕ _{X}* of

*X*is given by

Thus

**Received:**2019-06-05

**Accepted:**2019-07-01

**Published Online:**2020-11-17

© 2020 S. Murphy and R. Player, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.