A statistical framework applicable to Ring-LWE was outlined by Murphy and Player (IACR eprint 2019/452). Its applicability was demonstrated with an analysis of the decryption failure probability for degree-1 and degree-2 ciphertexts in the homomorphic encryption scheme of Lyubashevsky, Peikert and Regev (IACR eprint 2013/293). In this paper, we clarify and extend results presented by Murphy and Player. Firstly, we make precise the approximation of the discretisation of a Normal random variable as a Normal random variable, as used in the encryption process of Lyubashevsky, Peikert and Regev. Secondly, we show how to extend the analysis given by Murphy and Player to degree-k ciphertexts, by precisely characterising the distribution of the noise in these ciphertexts.
The Ring-LWE problem [6, 12] has become a standard hard problem underlying lattice-based cryptography. In , a detailed algebraic background for Ring-LWE was given, together with a statistical framework based on δ-subgaussian random variables [9, 10]. Another statistical framework applicable to Ring-LWE, based on a Central Limit approach, was outlined in . It is argued in  that this is a more natural approach than one using δ-subgaussian arguments, when considering the important application setting of homomorphic encryption .
Ciphertexts in all homomorphic encryption schemes have an inherent noise which is small in fresh cipher-texts and grows during homomorphic evaluation operations. If the noise grows too large, decryption will fail. A thorough understanding of the statistical properties of the noise is therefore essential for choosing efficient parameters while ensuring correctness. Rather than analysing the noise directly, we consider the embedding of the noise via the canonical embedding (see e.g. ) in a complex space H.
In this paper, we present results on discretisation and product distributions applicable to Ring-LWE cryptography, which clarify and extend results presented in . For concreteness, these results could be applied to the homomorphic encryption scheme of Section 8.3> of , termed SymHom by  and analysed there.
In a Ring-LWE discretisation, an element of the complex space H is rounded to some randomly determined nearby element of H in a lattice coset Λ + c. We require that all components of the vector expressing this discretisation in an appropriate basis for H are bounded by an appropriate threshold in order for a successful decryption to take place. The statistical properties of the discretisation process are therefore of fundamental importance in determining correctness. Our results demonstrate how we can obtain a good multivariate Normal approximation for (embedded) noise of a degree-1 (fresh) ciphertext vector expressed in a decryption basis after a change of basis transformation. This justifies the approach used in [11, Theorem 1] for bounding the decryption failure probability of such ciphertexts.
In homomorphic Ring-LWE cryptosystems such as SymHom, for a degree-k ciphertext cmult is formed as the result of the homomorphic multiplication of two ciphertexts c1 and c2 of degrees k1 and k2 respectively. The noise in cmult is defined to be the product of the noises in the input ciphertexts c1 and c2. We show that using the Central Limit Framework of , the distribution of a vector expressing the (embedded) noise in a degree-k SymHom ciphertext in an appropriate decryption basis can be approximated by a multivariate Normal distribution. This extends the analysis for degree-2 ciphertexts given in [11, Theorem 2].
In Section 3 we make precise the approximation of the CRR discretisation (Definition 2.5) of a Normal random variable as a Normal random variable, so potentially allowing a more direct and powerful approach to CRR discretisation than a δ-subgaussian approach. Moreover, our techniques are potentially generalisable to other randomised discretisation methods. Our first main result is Proposition 3.5, which describes the distribution of the Balanced Reduction (Definition 2.4) of a Normal random variable. To obtain Proposition 3.5, we first show in Lemma 3.1 that the Balanced Reduction of a Normal random variable gives a Triangular distribution, which is itself approximated by a Normal distribution (Lemma 3.2).
In Section 4 we extend the analysis of degree-2 ciphertexts given in  to degree-k ciphertexts. Our second main result is Lemma 4.4, which shows that a component of the k-fold ⊗-product Z (k) has a distribution (Section 4.1).
In this section, we give the relevant background for our discussion. In Section 2.1 we recall the necessary algebraic background to Ring-LWE, following . In Section 2.2 we recall results on discretisation following . In Section 2.3 we recall the definition and basic properties of the Meijer G-Function [2, 3, 4].
2.1 Algebraic Background
The mathematical structure underlying Ring-LWE is the polynomial quotient ring obtained from the mth cyclotomic polynomial of degree n. For simplicity, we consider the case where m is a large prime, so and we let Our focus is solely on the vector space aspects of Ring-LWE, and in particular our discussion is based on the complex space H (Definition 2.1).
The conjugate pair space H is where T is the n × n unitary conjugate pairs matrix given by where is the identity matrix and is the reverse diagonal matrix of 1s.
We note that where T† denotes the conjugate transpose of T. We can represent elements of H as vectors with respect to a basis for H, and two such bases of H of direct relevance are specified in Definition 2.2.
The I-basis for H is given by the columns of the n ×n identity matrix In, that is to say by standard basis vectors. The T-basis for H is given by the columns of the conjugate pair matrix T.
We note that an element of H is expressed as a vector in the I-basis as a vector of n′ conjugate pairs and by construction in the T-basis as a real-valued vector. A vector expressing an element of H in the I-basis has the same norm as a vector expressing the same element in the T-basis as T is a unitary matrix Furthermore, the complex space H has a natural well-defined multiplication operation, and Definition 2.3 specifies this multiplication operation for vectors expressing elements of H in the I-basis and in the T-basis.
If and are vectors expressing elements of H in the I-basis for H, then the ⊙-product is their componentwise product. If u and v are (real-valued) vectors expressing elements of H in the T-basis for H, then the ⊗-product
The ⊗-product of two real-valued vectors can be expressed by considering appropriate pairs of components. The space H can be regarded as where For two real-valued vectors u, v ∈ ℝ2 expressing elements of H 2 in the T-basis for H 2, their ⊗-product is given by
2.2 Discretisation Background
The discretisation process in (for example) a homomorphic Ring-LWE cryptosystem “rounds” an element of H to some randomly determined nearby element of H in a lattice coset Λ + c of some lattice Λ in H. As an illustration of a discretisation process, we use the coordinate-wise randomised rounding method of discretisation or CRR discretisation given in the first bullet point of Section 2.4.2 of . We give a formal statistical description of CRR discretisation in terms of a random Balanced Reduction function following .
The univariate Balanced Reduction function ℛ on ℝ is the random function
The multivariate Balanced Reduction function ℛ on ℝl with support on [−1, 1]l is the random function with component functions that are independent univariate Balanced Reduction functions.
Suppose B is a (column) basis matrix for the n-dimensional lattice Λ in H. If ℛ is the Balanced Reduction function, then the coordinate-wise randomised rounding discretisation or CRR discretisation of the random variable X on H to the lattice coset Λ + c with respect to the basis matrix B is the random variable
The CRR discretisation of the random variable X with respect to the basis B of Λ is a random variable on the lattice coset Λ+c, and is a valid (does not depend on the chosen coset representative c) discretisation [7, 10].
2.3 Meijer G-Functions
Our analysis in Section 4 will be most easily expressed in terms of Meijer G-functions [2–4], which are specified in general in Definition 2.6. Definition 2.7 gives three classes of Meijer G-functions that are of direct relevance to us.
The Meijer G-Function is defined for x ≠ 0 and integers ξ, v, p, q with 0 ≤ ξ ≤ q and 0 ≤ v ≤ p by the line integral
in the complex plane, where Γ denotes the gamma function and The integral path L runs from −i∞ to i∞ such that all poles of are to the right of the path (for and all the poles of are to the left of the path (for k = 1, . . . , v), though other paths are possible.
For a positive integer k and the integral path L of Definition 2.6, the functions and are the Meijer-G functions given by
For small k, we note that and where dt is a modified Bessel function of the second kind . Similarly, we also have and as well as and
3 Discretisation Distributions in Ring-LWE
In Section 3.1, we show that the Balanced Reduction of a Gaussian random variable underlying a degree-1 ciphertext in situations of interest is essentially a Triangular random variable, which can itself be approximated by a Normal random variable. In Section 3.2, we make precise the multivariate Normal approximation of the CRR discretisation of the embedded noise in a degree-1 SymHom ciphertext.
3.1 The Balanced Reduction of a Normal Random Variable
A Ring-LWE encryption process is based on the discretisation of Normal random variables in H .We therefore consider the discretisation of a random variable (in the I-basis) which is the image of some real-valued multivariate Normal random variable X′ under T .However, is a real-valued multivariate Normal random variable. Thus we must consider the Balanced Reduction of of the Normal random variable and Lemma 3.1 essentially shows that such a Balanced Reduction gives a Triangular distribution.
If then its Balanced Reduction has the Triangular distribution △(density function for and 0 otherwise) as its limiting distribution as the standard deviation
Sketch Proof. We can express the density function fℛ(Y) of ℛ(Y) in terms of the density function of the “modulo 1” reduction of Y. By considering the Fourier series for on [0, 1), we can obtain a Fourier series for fℛ(Y) on (−1, 1) and hence show that A full proof is given in Appendix A. □
The Fourier form shown in the proof of Lemma 3.1 (Appendix A) in fact shows that the Balanced Reduction of a Normal N(μ, σ2) random variable with any mean μ is very close to a Triangular distribution △with mean E(△) = 0 and variance Var for even a moderate standard deviation σ, as illustrated in Figure 1 for the small standard deviation σ = 0.50. Ring-LWE applications typically use a larger standard deviation than 0.5, so giving an even closer approximation.
The Triangular distribution can obviously itself be approximated by a Normal distribution with the same mean E(△) = 0 and variance Var in the manner outlined in Lemma 3.2. This closeness of this approximating distribution to a Triangular distribution, and essentially also to a Balanced Reduction of an N(0, σ2) Normal random variable for σ > 0.50, is illustrated in Figure 1.
Suppose that has a Triangular distribution with distribution function for If Φ is the distribution function of a standard Normal N(0, 1) random variable, then the random variable has a Normal distribution with mean 0 and variance
Proof. If then is the inverse distribution function of Z. Thus the distribution function of W′ is
Thus W′ and Z have the same distribution function and so
The discrepancy between the Triangular random variable W ∼ △ and the approximating Normal random variable and hence between the Balanced Reduction of an appropriate Normal distribution and an distribution, is a very small distribution. This small distribution is formally specified in Definition 3.3 and illustrated in Figure 2, and we term this distribution the Ghost distribution because of its shape and elusive nature. Lemma 3.4 gives the statistical properties of the Ghost distribution. Proposition 3.5 summarises the distribution of the Balanced Reduction of a Normal random variable, using the notation to denote “is approximately distributed as”.
Suppose that has a Triangular distribution with distribution function for If Φ is the distribution function of a standard Normal N(0, 1) random variable, then the random variable has a Ghost distribution. Such a random variable W′′ is denoted W′′ ~ .
A Ghost random variable W′′ ~ has mean E (W′′) = 0 and variance Var(W′′) = 0.0012, so has standard deviation St Dev(W′′) = 0.035. Furthermore, the tail probabilities of W′′ are given by the following Table.
|P(|W′′| > θ)||10−1||10−2||10−3||10−4||10−5|
Proof. The results can be obtained by numerical integration and so on. □
The distribution of the Balanced Reduction ℛ(N(μ, σ2)) of a univariate Normal distribution for standard deviations σ of interest in Ring-LWE can essentially be approximated (with a slight abuse of notation) as
3.2 The Distribution of a CRR Discretisation
We consider the CRR discretisation of a complex-valued random vector X = TX′ that is the image under T of a spherically symmetric real-valued Normal random variable with component standard deviation . This component standard deviation ρ is typically larger than the length of the basis vectors, that is to say the column lengths of B or equivalently of the real matrix T†B. We can express this CRR discretisation as either a complex-valued random vector in the I-basis for H or as a real-valued random vector in the T-basis for H. Following Proposition 3.5, the distributions of these vectors are essentially given by
We observe that the first of these three distributions is typically the dominating distribution. For example, the real-valued distribution of differs from a Normal distribution by The distribution is usually negligible for the lattice basis matrices B in Ring-LWE. Similarly, the variance matrix of is usually negligible in comparison with ρ2In. For practical purposes we can therefore consider that has an distribution or equivalently that has a distribution.
In the decryption of a degree-1 ciphertext, such a discretisation (that is, the noise in the ciphertext embedded in H) is considered as a real-valued vector in a “decryption basis”. An appropriate change of basis matrix C to such a decryption basis can be expressed as for a real matrix C′. We therefore consider the real-valued vector which can be expressed as
where C′ = CT and CB are real matrices. The decryption is successful if every component of is less than an appropriate threshold.
In summary, this discussion justifies the approach used in [11, Theorem 1] for obtaining a bound for a decryption failure probability for by using the distributional approximation
4 Product Distributions in Ring-LWE
The noise in a degree-k ciphertext in SymHom can be seen as the k-fold ⊙-product of the noises of k degree-1 ciphertexts in the I-basis for H. We are interested in the k-fold ⊙-product of the form of the discretisation vectors given by degree-1 ciphertexts. The discussion of Section 3.2 shows that this distribution can be approximated as
We consider the equivalent ⊗-product expressing the embedded noises as real vectors in the T-basis, with approximate distribution
The ⊗-product in Rn decomposes into independent ⊗-products in ℝ2. Thus we consider the distribution on ℝ2 given by the k-fold ⊗-product of spherical bivariate Normal random variables
In particular, we consider the distribution of a 1-dimensional component of this 2-dimensional distribution. This approach allows us to construct an approximate multivariate distribution for the vector expressing the embedded noise in an appropriate decryption basis.
4.1 The 𝒦 Distribution
We use the 𝒦 distribution, which we now introduce, to analyse the component distribution of a k-fold ⊗product.
A symmetric continuous univariate random variable X has a 𝒦 distribution with shape k (positive integer) and variance v2 > 0 if it has density function where is the Meijer G-function of Definition 2.7. We write X ∼ 𝒦(k, v2) to denote that X has such a distribution.
We note that an 𝒦(1, 1) distribution is a standard Normal N(0, 1) distribution and that 𝒦(2, 1) is a univariate Laplace distribution. The density functions of the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are shown in Figure 3, and tail probabilities are tabulated in Figure 4 for the 𝒦(k, 1) distributions for shape k = 1, . . . , 6. The tail probability functions for the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are illustrated in Figure B1 in Appendix B. It can be seen that 𝒦(k, 1) is far more highly weighted around 0 and in the tails for shape k > 1 than the comparable standard Normal distribution N(0, 1) = 𝒦(1, 1) with the same mean 0 and variance 1.
4.2 The ⊗-product of Spherical Bivariate Normal Distributions
We now establish the distribution of a component of the k-fold ⊗-product Z (k) of spherical bivariate Normal distributions. Lemma 4.2 gives the density function of the bivariate random variable Z (k). Lemma 4.3 then gives the associated characteristic function of Z (k). Finally, Lemma 4.4 shows that a component of the k-fold ⊗-product Z(k) has the 𝒦 distribution with shape k. Full proofs of these results are provided in Appendix C.
Suppose that are independent spherical bivariate Normal random variables and that Gk is the Meijer G-function ofDefinition 2.7. Their k-fold⊗-product has density function on ℝ2 given where
Sketch Proof. The proof establishes the density function by an inductive argument based on the multiplicative convolution of particular Meijer G-functions. The final form of the density function then follows from a polar transformation. □
Suppose that are independent spherical bivariate Normal random variables and that ℋk is the Meijer G-function ofDefinition 2.7. Their k-fold⊗-product has characteristic function on ℝ2 given by where
Sketch Proof. The characteristic function is evaluated by means of polar co-ordinates to give a multiplicative convolution of Meijer G-functions.
Suppose that are independent spherical bivariate Normal random variables, and let be their k-fold ⊗-product. A component of Z(k) has a 𝒦(k, ρ2) distribution (Definition 4.1) with shape k and variance
Sketch Proof. The characteristic function corresponding to the density function fY is the appropriate marginal characteristic function derived from Lemma 4.3.
4.3 Application to Homomorphic Multiplication Noise Growth
By considering repeated multiplication of degree-1 ciphertexts we can see that the (embedded) noise in a degree-k ciphertext is an element of H that can be expressed as a real valued random vector in the T-basis formed by a k-fold ⊗-product. The discussion of Section 4.2 shows that the distribution of a component can be approximated by a Kdistribution with shape k and some variance ρ2 obtained as the product of individual variances. Furthermore, a component is independent of every other component, except its complex conjugate “twin” component to which it is uncorrelated.
For decryption, we consider the embedded noise of a degree-k ciphertext expressed as the real random vector C′W(k) in an appropriate decryption basis. We can use a Central Limit framework  to approximate the distribution of C′W(k) as a multivariate Normal distribution under mild conditions on C′ for “product variance” ρ2 as
This Normal approximation can then be used to obtain information about the probability of decryption failure, as was done for k = 2 in [11, Theorem 2].
The quality of the approximation will decrease as the degree k increases due to the heavier tails of 𝒦(k, ρ2) as k increases. In the case of a somewhat homomorphic encryption scheme, requiring to support only a few multiplications, this may not be problematic. Moreover, the quality of this approximation can be checked empirically if required.
Rachel Player was supported by an ACE-CSR Ph.D. grant, by the French Programme d’Investissement d’Avenir under national project RISQ P141580, and by the European Union PROMETHEUS project (Horizon 2020 Research and Innovation Program, grant 780701).
We thank the anonymous referees for their comments on previous versions of this paper, and we thank Carlos Cid for his interesting discussions about this paper.
 M. Abramowitz and I. A. Stegun, Handbook of Mathematical Functions Dover Publications, 1965.Search in Google Scholar
 R. Askey and A. Daalhuis and A. Olde, Meijer G-function NIST Handbook of Mathematical Functions (F. Olver et al. ed.), Cambridge University Press, 2010.Search in Google Scholar
 H. Bateman and A. Erdélyi, Higher Transcendental Functions 1, McGraw-Hill, 1953.Search in Google Scholar
 C. Gentry, Fully Homomorphic Encryption using Ideal Lattices, in: 41st Annual ACM Symposium on Theory of Computing, STOC 2009 Proceedings, ACM, (2009), 169–178.Search in Google Scholar
 V. Lyubashevsky and C. Peikert and O. Regev, On Ideal Lattices and Learning with Errors over Rings, in: Advances in Cryptology - EUROCRYPT 2010 Lecture Notes in Comput. Sci. 6110, Springer, (2010), 1–23.Search in Google Scholar
 V. Lyubashevsky and C. Peikert and O. Regev, A Toolkit for Ring-LWE Cryptography, in: Advances in Cryptology - EUROCRYPT 2013 Lecture Notes in Comput. Sci. 7881, Springer, (2013), 35–54.Search in Google Scholar
 D. Micciancio and C. Peikert, Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller, in: Advances in Cryptology - EUROCRYPT 2012 Lecture Notes in Comput. Sci. 7237, Springer, (2012), 700–718.Search in Google Scholar
 S. Murphy and R. Player, -subgaussian Random Variables in Cryptography in Information Security and Privacy – 24th Australasian Conference, ACISP 2019, Lecture Notes in Computing. Sci. 11547, Springer, (2019), 251–268.Search in Google Scholar
 D. Stehlé and R. Steinfeld and K. Tanaka and K. Xagawa, Eflcient Public Key Encryption Based on Ideal Lattices, in: Advances in Cryptology - ASIACRYPT 2009 Lecture Notes in Comput. Sci. 5912, Springer, (2009), 617–635.Search in Google Scholar
A Proof of a Result of Section 3 about a Normal Balanced Reduction
If then its Balanced Reduction has the Triangular distribution △ (density function and 0 otherwise) as its limiting distribution as the standard deviation
Proof. Let fY denote the density function of and let denote the density function of the “modulo 1” reduction of Y to [0, 1). By construction, so the distribution function F ℛ(Y) of ℛ(Y) is given by
The distribution function of ℛ(z) takes the value 0 for the value for and the value 1 for Thus this distribution function can be expressed for as
For this distribution function F ℛ(Y) of ℛ(Y) therefore evaluates as
whereas, for and noting that we have
Thus the density function fℛ(Y) of ℛ(Y) is given by
The density function of Y′ on [0, 1) can be expressed as a Fourier series in (y − μ) (of period 1) with coefficients
where is the characteristic function of The density function fℛ(Y) of ℛ(Y) on (−1, 1) is therefore given by
B Illustration of tail probability functions of 𝒦 distributions
The tail probability functions for the 𝒦(1, 1), 𝒦(2, 1) and 𝒦(4, 1) distributions are illustrated in Figure B1.
C Proofs of Results of Section 4 about the ⊗-product
Suppose that are independent spherical bivariate Normal random variables and that is the Meijer G-function of Definition 2.7. Their k-fold ⊗-product has density function on ℝ2 given by where
Proof. For simplicity, we suppose as this gives a direct re-scaling of the stated result. We first show that the density function for the length |Z(k)| of this k-fold⊗-product Z (k) is for r ≥ 0, which we demonstrate by induction. When k = 1, the length has the distribution of the length of a x-distribution with 2 degrees of freedom. Thus the density function is given by the appropriate Meijer G-function.
We now assume inductively that the length of the (k − 1)-fold ⊗-product has density function Direct calculation shows that has density function
However, in the Meijer G-function notation of Definition 2.7, so
as the final integral is a multiplicative convolution of Meijer G-functions. Thus has the appropriate form and the inductive demonstration is complete.
The result for the density function of the spherically symmetric Z(k) then follows immediately from the polar transformation linking and
Suppose that are independent spherical bivariate Normal random variables and that is the Meijer G-function of Definition 2.7. Their k-fold ⊗-product has characteristic function on ℝ2 given by where
Proof. For simplicity, we set The density function of Z(k) is so the characteristic function of Z(k) is given by
We can write and for t and z in polar co-ordinates, so In terms of these polar co-ordinates, the characteristic function of Z(k) can be expressed as
where is a Bessel function of the first kind . However, both terms and making up the integrand are Meijer G-functions. Thus the characteristic function of Z(k) can be evaluated as a multiplicative convolution to give
Suppose that are independent spherical bivariate Normal random variables, and let be their k-fold⊗-product.A component of Z (k) has a distribution (Definition 4.1) with shape k and variance
Proof. For simplicity, we set so ρ2 = 1. Suppose Z(k) has orthogonal components and so we can write Thus the joint characteristic function where so Lemma 4.3 shows that
The characteristic function of a component say of Z(k) is therefore given by
Suppose so X has density function The characteristic function ϕX of X is given by
Thus are the same characteristic function, and therefore has the same distribution as
© 2020 S. Murphy and R. Player, published by De Gruyter
This work is licensed under the Creative Commons Attribution 4.0 International License.