Towards a Ring Analogue of the Leftover Hash Lemma

The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems, such as the Regev and Dual-Regev encryption schemes as well as their leakage-resilient counterparts. The LHL does not hold in the ring setting when the ring is far from a field, which is typical for efficient cryptosystems. Lyubashevsky et al. (Eurocrypt '13) proved a "regularity lemma" which can be used instead of the LHL, but which applies only to Gaussian inputs. This is in contrast to the LHL, which applies when the input is drawn from any high-min-entropy distribution. Our work presents an approach for generalizing the "regularity lemma" of Lyubashevsky et al. to certain conditional distributions. We assume the input was sampled from a discrete Gaussian distribution and consider the induced distribution given side-channel leakage on the input. We present three instantiations of our approach, proving that the regularity lemma holds for three natural conditional distributions.


Introduction
The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems. Specifically, it is often useful to argue that for a high-min-entropy input $x \in \mathbb{Z}_q^m$ and a random matrix $A \leftarrow \mathbb{Z}_q^{n \times m}$, $Ax$ is uniformly random given $A$. This fact is used in the security proofs of both the Regev and Dual-Regev encryption schemes. More sophisticated proof approaches that utilize the LHL along with the structure of the matrix $A$ have been used to argue leakage resilience of these cryptosystems, such as in [1,13].¹ Analogues of the statement above do not necessarily hold in the ring setting. Specifically, for a high-min-entropy input $x = (x_1, \ldots, x_l)$, with $a_1 = 1$ and $a_2, \ldots, a_l$ chosen uniformly at random from the ring, the uniformity of $a_{l+1} = \sum_{i \in [l]} a_i x_i$ does not follow from the LHL when the ring is far from a field, which is the typical case for efficient cryptosystems.
Fortunately, Lyubashevsky et al. [25,26] proved a "regularity lemma" showing that the distribution over a l+1 as above is (close to) uniform random, even given a 2 , . . . , a l , but only for the case where the input x is drawn from a discrete Gaussian distribution of sufficiently high standard deviation. While sufficient for proving the security of certain cryptosystems, unlike the more general leftover hash lemma, the statement of the regularity lemma of [25] implies nothing about uniformity of a l+1 in the case that x is a high min-entropy input from another distribution.

The ring setting.
Consider the number field $K = \mathbb{Q}[x]/\Phi_m(x)$, where $\Phi_m(x)$ is the $m$-th cyclotomic polynomial, of degree $\varphi(m)$. The ring of integers $R \subset K$ is $R = \mathbb{Z}[x]/\Phi_m(x)$, and $R_q := \mathbb{Z}_q[x]/\Phi_m(x)$ denotes the set of polynomials obtained by taking an element of $\mathbb{Z}[x]/\Phi_m(x)$ and reducing each coefficient modulo $q$. In this paper we further assume that $m$ is a power of two, so $\Phi_m(x) = x^n + 1$ has degree $n = m/2$, and we set $q$ to be a prime such that $q \equiv 1 \bmod m$. In this case $\Phi_m(x)$ splits completely into $n$ linear factors in $\mathbb{Z}_q[x]$. This is the setting favored in practice, since it allows for implementation optimizations such as fast arithmetic over the ring $R_q$.

A Ring Analogue of the LHL.
For rings $R_q$ such as the above, a result analogous to the leftover hash lemma, proving that $a_{l+1} = \sum_{i \in [l]} a_i x_i$ is indistinguishable from random given $a_2, \ldots, a_l$ as long as $x_1, \ldots, x_l$ has sufficiently high min-entropy, is impossible. For example, if the $j$-th NTT coordinate of each ring element in $x = (x_1, \ldots, x_l)$ is leaked, then the $j$-th NTT coordinate of $a_{l+1} = \sum_{i \in [l]} a_i x_i$ is known², and so $a_{l+1}$ is very far from uniform. Yet this is only a $1/n$ leakage rate!³ Nevertheless, Lyubashevsky et al. [25,26] proved a "regularity lemma" showing that for a matrix $A = [I_k \mid \bar{A}] \in R_q^{k \times l}$, where $I_k \in R_q^{k \times k}$ is the identity matrix and $\bar{A} \in R_q^{k \times (l-k)}$ is uniformly random, and $x$ chosen from a discrete Gaussian distribution (centered at $0$) over $R_q^l$, the distribution of $Ax$ is (close to) uniformly random. A similar result was proven by Micciancio [28], but it requires super-constant dimension $l$, thus yielding non-compact cryptosystems. In contrast, the regularity lemma of [25] holds even for constant dimension $l$, as small as $2$. The fundamental technical question we consider in this work is: for which distributions $D$ over $x \in R_q^l$ is the distribution of $Ax$ (close to) uniformly random, for $R$, $q$, $A$ as above and constant $l$?
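To make the NTT counterexample concrete, the following added Python example (written for this page, not code from the paper) instantiates $R_q = \mathbb{Z}_q[x]/(x^n + 1)$ with the toy parameters $n = 8$ and $q = 17$ (so $q \equiv 1 \bmod 2n$ and $x^n + 1$ splits completely over $\mathbb{Z}_q$), implements the negacyclic NTT, and checks that an attacker who sees only the $j$-th NTT coordinate of every $x_i$, plus the public $a_i$ with $a_1 = 1$, computes the $j$-th NTT coordinate of $a_{l+1} = \sum_i a_i x_i$ exactly. The polynomials, the small-coefficient distribution standing in for the discrete Gaussian, and the seed are constructed for illustration.

```python
import random

Q = 17  # prime with Q ≡ 1 (mod 2N): x^N + 1 has N distinct roots in Z_Q
N = 8   # R_q = Z_Q[x] / (x^N + 1); a polynomial is a list of N coefficients mod Q


def primitive_2n_root(q: int, n: int) -> int:
    """Return psi in Z_q^* of order exactly 2n, i.e. psi^n == -1 (mod q)."""
    for g in range(2, q):
        if pow(g, n, q) == q - 1 and pow(g, 2 * n, q) == 1:
            return g
    raise ValueError("no primitive 2n-th root of unity; need q ≡ 1 (mod 2n)")


PSI = primitive_2n_root(Q, N)


def ntt(poly: list) -> list:
    """Negacyclic NTT: evaluate poly at the odd powers psi^(2j+1), which are
    exactly the N roots of x^N + 1 in Z_Q.  Coordinate j is poly(psi^(2j+1))."""
    return [sum(c * pow(PSI, (2 * j + 1) * i, Q) for i, c in enumerate(poly)) % Q
            for j in range(N)]


def poly_mul(a: list, b: list) -> list:
    """Schoolbook product in Z_Q[x]/(x^N + 1): the term x^N wraps around to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] += ai * bj
            else:
                res[i + j - N] -= ai * bj
    return [c % Q for c in res]


def poly_add(a: list, b: list) -> list:
    return [(u + v) % Q for u, v in zip(a, b)]


def ring_sum(a_list: list, x_list: list) -> list:
    """a_{l+1} = sum_i a_i * x_i, computed honestly in the ring."""
    acc = [0] * N
    for a, x in zip(a_list, x_list):
        acc = poly_add(acc, poly_mul(a, x))
    return acc


def predicted_coordinate(a_list: list, leaked_x_coords: list, j: int) -> int:
    """What the attacker computes from the public a_i and the single leaked NTT
    coordinate of each x_i.  The NTT is a ring isomorphism R_q -> Z_Q^N, so
    multiplication and addition act coordinate-wise on the transformed vectors."""
    return sum(ntt(a)[j] * xj for a, xj in zip(a_list, leaked_x_coords)) % Q


def leakage_predicts_output(l: int, j: int, seed: int) -> bool:
    """Build a_1 = 1, a_2..a_l uniform in R_q, x_i with small coefficients
    (a constructed stand-in for discrete Gaussian secrets), leak only coordinate j
    of each NTT(x_i), and check that this fixes coordinate j of NTT(a_{l+1})."""
    rng = random.Random(seed)
    a_list = [[1] + [0] * (N - 1)] + [[rng.randrange(Q) for _ in range(N)]
                                      for _ in range(l - 1)]
    x_list = [[rng.choice([-2, -1, -1, 0, 0, 0, 1, 1, 2]) % Q for _ in range(N)]
              for _ in range(l)]
    leaked = [ntt(x)[j] for x in x_list]        # l field elements out of l*N
    honest = ntt(ring_sum(a_list, x_list))[j]   # j-th NTT coordinate of a_{l+1}
    return predicted_coordinate(a_list, leaked, j) == honest
```

The leak is $l$ of the $l \cdot n$ NTT coordinates of the secret, a $1/n$ rate, yet it fixes one full coordinate of $\widehat{a_{l+1}}$; that coordinate is then at statistical distance $1 - 1/q$ from uniform, so no ring LHL can hold for arbitrary high-min-entropy inputs in this representation.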

Our Results
We prove a "regularity lemma" for three conditional distributions, described next. Only the parameter $s$, the standard deviation of the discrete Gaussian used to sample each coordinate of $x$, differs between the three settings.

Conditional Distribution I.
We assume a secret key $x = (x_1, \ldots, x_l)$, where each $x_i \in R_q$. Moreover, each $x_i$ is itself represented as an $n$-dimensional vector, so in total $x$ is an $l \cdot n$-dimensional vector. We consider the conditional distribution on $x$ when the sum of $x$ and $e$ is revealed, where each coordinate of $e$ is a Gaussian random variable with standard deviation at least $s$. This setting captures leakage on $x$ by an adversary who uses a fast but inaccurate device to obtain noisy measurements of each sampled coordinate of the secret key (e.g. through a power or timing channel). We prove that it is sufficient to set $s \ge \sqrt{2} \cdot 2n \cdot q^{k/l + 2/(nl)}$. See Theorem 2.1 and Corollary 2.2.
² Applying the NTT to $a_i, x_i \in R_q$, resulting in $n$-dimensional vectors $\hat{a}_i, \hat{x}_i \in \mathbb{Z}_q^n$, allows for component-wise multiplication and addition, so the $j$-th NTT coordinate of $a_i x_i$, $i \in [l]$, is known and hence the $j$-th NTT coordinate of $a_{l+1}$ is known.
³ We thank an anonymous reviewer for pointing out this counterexample to us.

Conditional Distribution II.
We consider the conditional distribution over $x = (x_1, \ldots, x_l)$ when we leak $\ell$ coordinates from each $x_i$, $i \in [l]$, and we set parameters such that the fraction of leaked coordinates, $\ell \cdot l/(n \cdot l) = \ell/n$, is constant. The $\ell$ leaked coordinates are arbitrary, but the same $\ell$ coordinates must be leaked from each $x_i$, $i \in [l]$.⁴ Low noise is added to each leaked coordinate (only $2n$ standard deviation, as opposed to $\sqrt{2} \cdot 2n \cdot q^{k/l + 2/(nl)}$ in Conditional Distribution I). No information at all is leaked about the remaining coordinates. This setting corresponds to a side-channel attack launched during the sampling of $x$, where the attacker has a slower but more accurate device, which allows it to obtain more accurate measurements for a constant fraction of the coordinates of the secret key but no information about the remaining coordinates.⁵ We prove that it is sufficient to set $s \ge 2n \cdot q^{(kn+2)/(l(n-\ell))}$, where $\ell \cdot l$ is the number of leaked coordinates; for $\ell = 0$ the exponent equals $k/l + 2/(nl)$, the bound of [26]. See Theorem 2.3 and Corollary 2.6.

Conditional Distribution III.
Here, we consider the conditional distribution on $x$ when the magnitude of $x$, perturbed by a Gaussian channel error $e$, is revealed (note that $e$ is a scalar). We assume $e$ is sampled from a univariate Gaussian with standard deviation $s$. A motivation for this type of leakage is that (discrete) Gaussian sampling of $x$ is often implemented via rejection sampling in practice [7,12]. E.g. a vector could be sampled from a "close" multi-dimensional binomial distribution, and rejection sampling then used to obtain a sample from the correct distribution. The rejection condition depends on the weight of $x$ under the target distribution, which in turn depends on the magnitude of $x$, so this information is vulnerable to leakage during the computation.⁶ We prove that it is sufficient to set $s \ge \sqrt{14/5 \cdot (n'/n) \cdot \ln n'} \cdot 2n \cdot q^{k/l + 2/(nl)}$, where $n' = n \cdot l + 1$. See Theorem 2.9 and Corollary 2.10.

Applications to leakage resilience.
Since applications of the LHL/regularity lemma in lattice-based cryptography are widespread, a number of Ring-LWE (RLWE) cryptosystems achieve certain leakage-resilience properties via our results. Such cryptosystems include the ring analogues of Regev encryption [24], Dual-Regev encryption [25], and identity-based encryption (IBE) based on Dual-Regev encryption [19] (see the ring version in [3]). Specifically, by substituting our "regularity lemma" for the original one in the security proofs, those schemes retain their security guarantees even given certain leakage on the encryption randomness (for Regev), on the secret key (for Dual-Regev), or on the secret key corresponding to the challenge identity (for IBE).

Our High-Level Approach
] is uniformly random (over cosets of $\Lambda^\perp(A)$), then the distribution of $Ax$ is also uniformly random over cosets of $(qR)^k$. The input/output distributions can then be discretized over the ring $R$. Therefore, the goal is to show that when $x$ is sampled from the continuous distribution $D$, $[x \bmod \Lambda^\perp(A)]$ is uniformly random. Consider the case where $D$ is exactly a Gaussian distribution with mean $0$ and standard deviation $s$. In this case, if $s$ is greater than or equal to the smoothing parameter of $\Lambda^\perp(A)$, this by definition ensures that $[x \bmod \Lambda^\perp(A)]$ is (close to) uniformly random. Thus, [25] prove their regularity lemma by showing that, with high probability over the choice of $A$, the smoothing parameter $\eta_\varepsilon(\Lambda^\perp(A))$ is upper-bounded by $s$.
Before presenting our approach to extending the above result, it is instructive to give a high-level recap of how to derive upper bounds on the smoothing parameter.
Let $\rho_s(x) := e^{-\pi \langle x, x \rangle / s^2}$ and let $\psi_s$ (the normalization of $\rho_s$) be the probability density function (PDF) of the $n$-dimensional Gaussian distribution with mean $0$ and standard deviation $s$. In the following, for a function $f$ we concisely write $f(\Lambda)$ for $\sum_{v \in \Lambda} f(v)$. To show that the distribution of $[x \bmod \Lambda]$ is (close to) uniform when $x$ is sampled from a distribution with PDF $\psi_s$, one needs to show that for every coset $\Lambda + c$ of the lattice, $\psi_s(\Lambda + c) \approx 1/\det(\Lambda)$. Focusing on the zero coset, $c = 0$, we can prove this using the Poisson summation formula, which says that for any lattice $\Lambda$ and integrable function $\rho_s$: where for a function $f$, $\hat{f}$ denotes the $n$-dimensional Fourier transform of $f$ and $\Lambda^\vee$ is the dual lattice of $\Lambda$ (see Appendix A.2). It remains to show that $\hat{\psi}_s(\Lambda^\vee)$ is close to $1$ (i.e. is upper-bounded by $1 + \varepsilon$).
The proof approach outlined above can be applied to (integrable) normalized PDFs $\Psi$ that are not Gaussians centered at $0$: to show that the distribution of $[x \bmod \Lambda]$ is (close to) uniform when $x$ is sampled from a distribution with PDF $\Psi$, it suffices to show that $\hat{\Psi}(\Lambda^\vee)$ is upper-bounded by $1 + \varepsilon$.
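The following added Python example (constructed for this page, not taken from the paper) makes the criterion concrete in the one-dimensional case $\Lambda = \mathbb{Z}$, whose dual lattice is again $\mathbb{Z}$ and whose determinant is $1$. For a Gaussian of parameter $s$ centered at $c_0$ one has $\hat{\Psi}(k) = e^{-\pi s^2 k^2} e^{-2\pi i k c_0}$, so Poisson summation, $\Psi(\mathbb{Z} + c) = \sum_{k \in \mathbb{Z}} \hat{\Psi}(k) e^{2\pi i k c}$, gives $|\Psi(\mathbb{Z} + c) - 1| \le |\hat{\Psi}|(\mathbb{Z}) - 1 = 2\sum_{k \ge 1} e^{-\pi s^2 k^2}$ for every coset and every center. The code evaluates the coset masses directly and compares them with this dual-side bound; the truncation limits and grid size are choices made here.

```python
import math


def gaussian_pdf(x: float, s: float, center: float = 0.0) -> float:
    """psi_{s,center}(x) = (1/s) exp(-pi (x - center)^2 / s^2): the normalised 1-D
    Gaussian in the paper's parametrisation rho_s(x) = exp(-pi x^2 / s^2)."""
    return math.exp(-math.pi * (x - center) ** 2 / s ** 2) / s


def coset_mass(s: float, c: float, center: float = 0.0, terms: int = 40) -> float:
    """Psi(Z + c): the density of (x mod Z) at c when x ~ psi_{s,center}.
    The lattice sum is truncated at |k| <= terms (a choice made here; the tail is
    negligible for the parameters used below)."""
    return sum(gaussian_pdf(k + c, s, center) for k in range(-terms, terms + 1))


def dual_excess(s: float, terms: int = 40) -> float:
    """|Psi-hat|(Z^dual) - 1 = 2 * sum_{k>=1} exp(-pi s^2 k^2).  Because Z^dual = Z
    and det(Z) = 1, Poisson summation puts every coset mass within this value of
    the uniform density 1, independently of the Gaussian's center."""
    return 2.0 * sum(math.exp(-math.pi * s * s * k * k) for k in range(1, terms + 1))


def max_deviation_from_uniform(s: float, center: float = 0.0, grid: int = 200) -> float:
    """max over c = i/grid of |Psi(Z + c) - 1|: how far x mod Z is from uniform on
    [0,1).  This is an upper bound on twice the statistical distance."""
    return max(abs(coset_mass(s, i / grid, center) - 1.0) for i in range(grid))


def smoothing_check(s: float, center: float = 0.0) -> tuple:
    """Return (observed max deviation, Poisson-summation bound) for one parameter."""
    return max_deviation_from_uniform(s, center), dual_excess(s)
```

For $s = 1$ the bound is about $0.086$ and is attained at $c = c_0$; for $s = 2$ the deviation is already below $10^{-5}$, while for $s = 0.3$ (well below the smoothing parameter) the coset masses are far from uniform. Shifting the center only shifts which coset carries the peak, which is the fact the non-centered extension in Section 2.1 relies on.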
In this work, we consider PDFs $\Psi$ that correspond to the PDF of $x$ from the point of view of the adversary, given the leakage. The technical contribution of this work is to show that, for each conditional distribution (with overwhelming probability over the choice of $\bar{A}$), $\hat{\Psi}(\Lambda^\perp(A)^\vee)$ is close to $1$. Specifically, for each distribution, our approach requires: (1) determining the PDF $\Psi$, (2) computing (an upper bound for) the multi-dimensional

Related Work
Leakage-resilient cryptography. There is a significant body of work on leakage-resilient cryptographic primitives, beginning with the work of Dziembowski and Pietrzak [16] on leakage-resilient stream ciphers. Other constructions include [1,5,6,14,22,23,27,30,31]. With the exception of [1], these results construct new cryptosystems from the bottom up. In our work, we instead ask whether we can prove that an existing cryptosystem enjoys leakage resilience, without modifying the scheme.

Lattice-based & leakage-resilient cryptography.
Goldwasser et al. [20] initiated the study of leakage resilience of lattice-based cryptosystems. This was followed by a series of works [1,13,15]; all of these papers, however, study leakage resilience of schemes based on the standard LWE problem, in both the symmetric-key and the public-key setting.

Robustness of Ring-LWE
To the best of our knowledge, the ePrint version [10] of this work is the first effort to study the robustness of RLWE-based cryptosystems under leakage. Since the publication of the ePrint version [10], interest has grown in analyzing RLWE-based schemes and their leakage resilience. Albrecht et al. [2] implemented a cold boot attack on RLWE-based KEM schemes and compared the number of operations required to mount the attack when the secret is stored under different encodings. Recently, Bolboceanu et al. [4] studied the hardness of the RLWE problem when the secret is sampled from distributions other than the uniform distribution over the ring. In [11], it is shown that under specific structured leakage on the NTT encoding of the secret key it is possible to recover the entire secret key given multiple RLWE samples, and the attack is implemented to recover the secret for real-world parameter settings. Stehlé and Steinfeld [34] studied the leftover hash lemma in the ring setting for power-of-two cyclotomics, and Rosca et al. [33] generalized their result to non-cyclotomic rings. However, both of these results treat the case where the input is sampled from a discrete Gaussian distribution.

Extending the Regularity Lemma
For a positive integer $n$, we denote by $[n]$ the set $\{1, \ldots, n\}$. We denote vectors in boldface, $\mathbf{x}$, and matrices by capital letters, $A$. For a vector $x$ over $\mathbb{R}^n$ or $\mathbb{C}^n$, define the $\ell_2$ norm as $\|x\|_2 = (\sum_i |x_i|^2)^{1/2}$; we write $\|x\|$ for simplicity. Background and standard definitions related to lattices and algebraic number theory are in Appendix A. Our results apply when $R$ is the ring of integers in the $m$-th cyclotomic number field $K$ of degree $n$, $m = 2n$ is a power of $2$, and $q$ is a prime such that $q \equiv 1 \bmod m$. We denote by $I_k \in R_q^{k \times k}$ the identity matrix.

Conditional Distribution I
Recall that $x = (x_1, \ldots, x_l)$, where each coordinate of each $x_i \in R_q$ is sampled from a discrete Gaussian with standard deviation $s$, and each $x_i$ is represented as a vector in either the polynomial or the canonical basis.⁷ We assume leakage of all coordinates, with Gaussian noise of standard deviation $v = \tau \cdot s$ added. It turns out that this conditional distribution is fairly simple to handle, since if $X$ and $Y$ are independent Gaussian random variables, then the distribution of $X$ conditioned on $X + Y$ is also a Gaussian, though one not centered at $0$. Fortunately, the regularity lemma of [26] straightforwardly extends to Gaussians that are not centered at $0$. We discuss the formal details next; however, we mainly view Conditional Distribution I as a warm-up to the more
is uniformly random. Then for all $\sigma \ge 2n \cdot q^{k/l + 2/(nl)}$ and $c \in \mathbb{R}^{n \cdot l}$, then $\rho_{\sigma,c}$ except with probability at most $2^{-\Omega(n)}$ over the choice of $\bar{A}$.
Proof. The theorem follows from Lemma B.7 and the regularity lemma from [26].
The following corollary follows from Lemmas B.12 and B.13 and Theorem 2.1.

Corollary 2.2.
Let $R, n, q, k, l, c, \sigma$ be as in Theorem 2.1. Assume that $A = [I_k \mid \bar{A}] \in R_q^{k \times l}$ is chosen as in Theorem 2.1. Then, with probability $1 - 2^{-\Omega(n)}$ over the choice of $\bar{A}$, the distribution of $Ax \in R_q^k$, where $x \in R^l$ is chosen from $D_{\Lambda,\sigma,c}$, the discrete Gaussian probability distribution over $R^l$ with parameter $\sigma$ and center $c$, satisfies that the probability of each of the $q^{nk}$ possible outcomes is in the interval $(1 \pm 2^{-\Omega(n)})\, q^{-nk}$ (and in particular is within statistical distance $2^{-\Omega(n)}$ of the uniform distribution over $R_q^k$).
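As an added worked derivation (not part of the paper's text), here is the per-coordinate computation behind the $\sqrt{2}$ factor in the bound for Conditional Distribution I, in the paper's parametrisation $\rho_s(x) = e^{-\pi x^2/s^2}$. The symbols $X$, $Y$, $\tau$ are those of the section above; the conditional-Gaussian identity is the standard one and the leaked value is written $Z = X + Y$ here.

```latex
\begin{aligned}
&\text{Let } X \sim \rho_s \text{ and } Y \sim \rho_v \text{ be independent, } v = \tau s,
  \text{ and let the leakage be } Z = X + Y. \\
&\text{The joint density at } (X = x,\ Z = z) \text{ is proportional to }
  \rho_s(x)\,\rho_v(z - x), \text{ and} \\[2pt]
&\qquad \frac{x^2}{s^2} + \frac{(z - x)^2}{v^2}
  \;=\; \frac{s^2 + v^2}{s^2 v^2}\Bigl(x - \frac{z s^2}{s^2 + v^2}\Bigr)^2
        + \frac{z^2}{s^2 + v^2}, \\[2pt]
&\text{so the conditional law } X \mid (Z = z) \text{ is } \rho_{\sigma, c} \text{ with} \\
&\qquad c = \frac{z s^2}{s^2 + v^2} = \frac{z}{1 + \tau^2},
  \qquad
  \sigma^2 = \frac{s^2 v^2}{s^2 + v^2} = \frac{\tau^2}{1 + \tau^2}\, s^2 . \\[2pt]
&\text{The regularity lemma for a non-centered Gaussian (Theorem 2.1) needs }
  \sigma \ge 2n\, q^{k/l + 2/(nl)}, \text{ i.e.} \\
&\qquad s \;\ge\; \sqrt{\frac{1 + \tau^2}{\tau^2}} \cdot 2n\, q^{k/l + 2/(nl)},
  \qquad \text{which for } \tau = 1 \text{ reads } s \ge \sqrt{2} \cdot 2n\, q^{k/l + 2/(nl)}.
\end{aligned}
```

The same center $zs^2/(v^2 + s^2)$ reappears in Conditional Distribution III, and the factor $\sqrt{(1+\tau^2)/\tau^2}$ is the one quoted at the end of Section 2.3; since the leakage noise has standard deviation at least $s$, i.e. $\tau \ge 1$, the factor never exceeds $\sqrt{2}$.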

Conditional Distribution II
Recall that $x = (x_1, \ldots, x_l)$, where each $x_i \in R_q$ and each $x_i$ is represented as a vector in the canonical embedding. We assume leakage of $\ell$ coordinates, with low noise added, of each $x_i$ for $i \in [l]$, and restrict the coordinates leaked across each $x_i$ to be the same. Let $S \subseteq [n]$, with $|S| = \ell$, denote the set of positions (from each $x_i$) that are leaked. Lemma D.1 shows that, conditioned on the leakage, each component (resp. $0$), and variance $\sigma_j^2 \ge 4n^2$ (resp. is uniformly random. Let $\sigma := (\sigma_1, \ldots, \sigma_n) \in \mathbb{R}^n_{>0}$ and $c := (c_1, \ldots, c_{ln}) \in \mathbb{R}^{ln}$ be vectors, where $\ell$ positions in $\sigma$ are set to $2n$ and all others are set to $s$. Let $k, l, \ell$ be such that $l - k - l \cdot \ell/n > 0$ and $l - k - 1 \ge 1$, and let $s \ge 2n \cdot q^{(kn+2)/(l(n-\ell))}$.
For proving Theorem 2.3, we begin with an exposition of the form of the ideals $qR^\vee \subseteq J \subseteq R^\vee$ in power-of-two cyclotomics, as well as some lemmas.
Thus, the number of ideals $I$ such that $qR \subseteq I \subseteq R$ (and hence also the number of ideals $J \in T$) is exactly $2^n$. Moreover, note that for each ideal $J \in T$, Thus, we see that for each $J \in T$, $1 \le |J/qR^\vee| \le q^n$. Let $T_1$ denote the set of ideals $J \in T$ such that $|J/qR^\vee| < 2^n$, and let $T_2$ denote the set of ideals $J$ such that $|J/qR^\vee| \ge 2^n$. Furthermore, let $T_2^1$ be the set of $J \in T_2$ such that $s \ge \eta_{2^{-2n}}((\tfrac{1}{q} J)^\vee)$ (where $\eta_{2^{-2n}}$ denotes the smoothing parameter and $s$ is fixed as above), and let $T_2^2 := T_2 \setminus T_2^1$. Let $\sigma := (\sigma_1, \ldots, \sigma_n) \in \mathbb{R}^n_{>0}$ be a vector in which $\ell$ positions are set to $2n$, while the other positions are set to $s$.
The proof of Lemma 2.4 can be found in Appendix E.1.
The proof of Lemma 2.5 can be found in Appendix E.1. We now conclude the proof of Theorem 2.3.
Proof of Theorem 2.3. Since by Lemma B.7 we have that for any $(n \cdot l)$-dimensional vectors $c, x$ and any $n$-dimensional vector $\sigma = (\sigma_1, \ldots, \sigma_n)$: then, following the proof of [26] step by step, it suffices to show that We will show that and that To show (2), note that by Lemma 2.4, for ideals $J \in T_1$ we have that On the other hand, by definition of $T_2^2$, for ideals $J \in T_2^2$ we have that Combining the above, we get that for $J \in T_1 \cup T_2^2$, Similarly to [26], using the lower bound on $s$ from Theorem 2.3, we bound Moreover, by Lemma 2.5 and the fact that $|T_2^1| \le |T| = 2^n$, we can bound where the last line follows from the setting of parameters in Theorem 2.3. This completes the proof.
The following corollary follows from Lemmas B.12 and B.13 and Theorem 2.3.
Corollary 2.6. Let $k, l, \ell, \sigma$ and $c$ be as in Theorem 2.3. Assume that $A = [I_k \mid \bar{A}] \in R_q^{k \times l}$ is chosen as in Theorem 2.3. Then, with probability $1 - 2^{-\Omega(n)}$ over the choice of $\bar{A}$, the distribution of $Ax \in R_q^k$, where $x \in R^l$ is chosen from $D_{R^l, \sigma^l, c}$, the discrete Gaussian probability distribution over $R^l$ with parameter $\sigma^l$ and center $c$, satisfies that the probability of each of the $q^{nk}$ possible outcomes is in the interval $(1 \pm 2^{-\Omega(n)})\, q^{-nk}$ (and in particular is within statistical distance $2^{-\Omega(n)}$ of the uniform distribution over $R_q^k$).
In particular, this means that the standard deviation used to sample $x$ should be increased from $2n \cdot q^{k/l + 2/(nl)}$ (as in [26]) to $2n \cdot q^{(kn+2)/(l(n-\ell))}$.

Conditional Distribution III
We slightly change the dimensions so that $x$ is represented by a vector of dimension $n' := l \cdot n + 1$. When $n$ is a power of two, a spherical Gaussian in the coefficient representation is also a spherical Gaussian in the canonical embedding representation [24]. So we can assume that $x$ is generated using the coefficient representation, where each coordinate is sampled independently from a discrete Gaussian $D_{\mathbb{Z}, s'}$. During the sampling of $x$, an additional coordinate is sampled and stored together with the remainder of the secret. We compute the PDF corresponding to the conditional distribution on $x$, given $z = |r + e|$ where $r = \|x\|$, as: where $N$ is the normalization factor. For details on how the PDF is computed, is the sum of two Gaussian functions centered at $\frac{z s^2}{v^2 + s^2}$ and $-\frac{z s^2}{v^2 + s^2}$ respectively, with the same standard deviation $\sigma$.
where the probability is taken over choice of x and e.
The proof is found in Appendix E.2.
By Lemma 2.7, we have that with all but negligible probability, $c$: For the proof, we will require certain properties of the Fourier transform of $\Psi_{\sigma,c}$ when $c$ is bounded as above. We state those properties in the following theorem, which is proved in Appendix C. , where $x$ is a vector over $n'$ dimensions, and let $\hat{\Psi}_{\sigma,c}(y)$ denote the $n'$-dimensional Fourier transform of $\Psi_{\sigma,c}$. Then We next present the main theorem of this section.
and $\mathbb{Z}$, written as $\Lambda^\perp(A)$ Proof. Note that $\Lambda^\perp(A)$ is a lattice of even dimension $l \cdot n$ (where $n$ is a power of two), but Theorem 2.8 holds only for $n'$ equal to $l \cdot 2^a + 1$. Therefore, we define $n' := l \cdot n + 1$, and we have the $n'$-dimensional lattice We have the following properties of $\Lambda^\perp(A)^+$, which can be verified by inspection: By the Poisson summation formula, it suffices to show that with probability $1 - 2^{-\Omega(n)}$ over the choice of $A$, $|\hat{\Psi}_{\sigma,c}|\bigl((\Lambda^\perp(A)^+)^\vee\bigr) \le 1 + 2^{-\Omega(n)}$, where $\hat{\Psi}_{\sigma,c}$ denotes the Fourier transform of $\Psi_{\sigma,c}$ over $n'$ dimensions and the notation $|\hat{\Psi}_{\sigma,c}|$ means the sum of the absolute value of the function over the lattice $(\Lambda^\perp(A)^+)^\vee$.
The proof appears in Appendix E.2. Given the corollary, the analysis of Conditional Distribution III is complete. In particular, this means that the standard deviation used to sample $x$ should be increased from $2n \cdot q^{k/l + 2/(nl)}$ (as in [26]) to $\sqrt{\frac{1 + \tau^2}{\tau^2}} \cdot 2n \cdot q^{k/l + 2/(nl)}$.

Conclusions and Future Directions
In this work, we present a general approach for analyzing the leakage resilience of RLWE-based cryptosystems, by determining and analyzing the explicit PDF resulting from the conditional distribution of the RLWE secret given the leakage. Our approach can be used to provide a security analysis for existing cryptosystems in the presence of leakage, with appropriate choice of parameters (and without any modifications to the scheme). We instantiate our approach by considering three leakage settings and corresponding conditional distributions I, II and III.
A key technical tool in the analysis of Conditional Distribution II is an extension of the regularity lemma of [25] to cases where $x$ is drawn from a non-spherical Gaussian whose standard deviation is significantly smaller than the smoothing parameter in a constant fraction of the dimensions and larger than the smoothing parameter in the remaining dimensions. In the analysis of Conditional Distribution III, we find an application of the radial Fourier transform to lattice-based cryptography.

Future Directions.
We believe that our approach of generalizing the regularity lemma to conditional distributions can be used as an important tool in the security analysis of RLWE-based cryptosystems. In future work, we plan to extend our analysis to other conditional distributions, with implications for other leakage settings. A first candidate is generalizing conditional distribution II to (certain types of) multivariate Gaussians with covariance matrices that are not diagonal. Such a generalization would allow us to capture leakage of coordinates in the polynomial instead of canonical representation.

A.1 Notation
For a positive integer $n$, we denote by $[n]$ the set $\{1, \ldots, n\}$. We denote vectors in boldface, $\mathbf{x}$, and matrices by capital letters, $A$. For a vector $x$ over $\mathbb{R}^n$ or $\mathbb{C}^n$, define the $\ell_2$ norm as $\|x\|_2 = (\sum_i |x_i|^2)^{1/2}$; we write $\|x\|$ for simplicity.

A.2 Lattices and background
Let $\mathbb{T} = \mathbb{R}/\mathbb{Z}$ denote the cycle, i.e. the additive group of reals modulo $1$. We also denote by $\mathbb{T}_q$ its cyclic subgroup of order $q$, i.e. the subgroup $\{0, 1/q, \ldots, (q-1)/q\}$. Let $H$ be a subspace, defined as $H \subseteq \mathbb{C}^{\mathbb{Z}_m^*}$ (for some integer $m \ge 2$), A lattice is a discrete additive subgroup of $H$. We exclusively consider full-rank lattices, which are generated as the set of all integer linear combinations of some set of $n$ linearly independent basis vectors. The determinant of a lattice $\mathcal{L}(B)$ is defined as $|\det(B)|$, which is independent of the choice of basis $B$. The minimum distance $\lambda_1(\Lambda)$ of a lattice $\Lambda$ (in the Euclidean norm) is the length of a shortest nonzero lattice vector.
The dual lattice of $\Lambda \subset H$ is defined as follows, where $\langle \cdot, \cdot \rangle$ denotes the inner product.

Discretization
Discretization is an important procedure in lattice-based applications, used for example to convert a continuous Gaussian distribution (defined in Appendix B) into a discrete Gaussian distribution (Definition B.9). Given a lattice $\Lambda = \mathcal{L}(B)$ represented by some "good" basis $B = \{b_i\}$, a point $x \in H$, and a point $c \in H$ representing a lattice coset $\Lambda + c$, the discretization process outputs a point $y \in \Lambda + c$ such that the length of $y - x$ is not too large. This is denoted $y \leftarrow \lfloor x \rceil_{\Lambda + c}$. A discretization procedure is called valid if it is efficient and depends only on the lattice coset $\Lambda + (c - x)$, not on the particular representative used to specify it. Note that for a valid discretization, $\lfloor z + x \rceil_{\Lambda + c}$ and $z + \lfloor x \rceil_{\Lambda + c}$ are identically distributed for any $z \in \Lambda$. For more details and a description of the actual algorithms used for discretization we refer the interested reader to [26].
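The following added Python example (written for this page; it is neither the paper's code nor one of the algorithms of [26]) implements the simplest valid discretization for the integer lattice $\Lambda = \mathbb{Z}^n$: coordinate-wise rounding of $x$ to the nearest point of the coset $\mathbb{Z}^n + c$. It checks the property stated above, $\lfloor z + x \rceil_{\Lambda + c} = z + \lfloor x \rceil_{\Lambda + c}$ for $z \in \Lambda$, and uses the routine to turn a continuous Gaussian sample into a point of the coset, i.e. the rounded distribution $\lfloor \psi_s \rceil_{\Lambda + c}$ that the continuous-to-discrete conversion in the text refers to. The sample vectors and the seed are constructed for illustration.

```python
import math
import random


def round_to_coset(x: list, c: list) -> list:
    """Coordinate-wise discretization to Z^n + c.  floor(t + 1/2) is used instead of
    Python's round(), whose round-half-to-even rule would break the shift
    equivariance checked below at exact half-integers."""
    return [ci + math.floor(xi - ci + 0.5) for xi, ci in zip(x, c)]


def in_coset(y: list, c: list) -> bool:
    """y lies in Z^n + c iff every coordinate of y - c is an integer."""
    return all(float(yi - ci).is_integer() for yi, ci in zip(y, c))


def rounding_error(x: list, y: list) -> float:
    """Euclidean length of y - x, the quantity a discretization must keep small;
    for coordinate-wise rounding it is at most sqrt(n)/2."""
    return math.sqrt(sum((yi - xi) ** 2 for xi, yi in zip(x, y)))


def shift_equivariant(x: list, c: list, z: list) -> bool:
    """Check floor(z + x)_{Λ+c} == z + floor(x)_{Λ+c} for a lattice vector z in Z^n.
    A valid discretization depends only on the coset of c - x, which forces this."""
    lhs = round_to_coset([xi + zi for xi, zi in zip(x, z)], c)
    rhs = [yi + zi for yi, zi in zip(round_to_coset(x, c), z)]
    return lhs == rhs


def rounded_gaussian_sample(n: int, s: float, c: list, seed: int) -> list:
    """Draw x from the continuous Gaussian with density ∝ exp(-π‖x‖²/s²)
    (per-coordinate standard deviation s/√(2π)) and discretize it to Z^n + c.
    The seed is fixed so the example is reproducible."""
    rng = random.Random(seed)
    x = [rng.gauss(0.0, s / math.sqrt(2 * math.pi)) for _ in range(n)]
    return round_to_coset(x, c)
```

Rounding to the coset of $\mathbb{Z}^n$ is exactly the case the text needs for $R$ in the coefficient representation when $R = \mathbb{Z}[x]/(x^n + 1)$; for a general lattice basis the same equivariance argument applies to rounding in the coordinates of that basis.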

A.3 Algebraic Number Theory
For a positive integer $m$, the $m$-th cyclotomic number field is the field extension $K = \mathbb{Q}(\zeta_m)$ obtained by adjoining an element $\zeta_m$ of order $m$ (i.e. a primitive $m$-th root of unity) to the rationals. The minimal polynomial of $\zeta_m$ is the $m$-th cyclotomic polynomial, where $\omega_m \in \mathbb{C}$ is any primitive $m$-th root of unity in $\mathbb{C}$.
For every $i \in \mathbb{Z}_m^*$, there is an embedding $\sigma_i : K \to \mathbb{C}$ defined by $\sigma_i(\zeta_m) = \omega_m^i$. Let $n = \varphi(m)$, the totient of $m$. The trace $\mathrm{Tr} : K \to \mathbb{Q}$ and norm $N : K \to \mathbb{Q}$ are defined as the sum and product, respectively, of the embeddings: $\mathrm{Tr}(x) = \sum_{i \in \mathbb{Z}_m^*} \sigma_i(x)$ and $N(x) = \prod_{i \in \mathbb{Z}_m^*} \sigma_i(x)$. For any $x \in K$, the $\ell_p$ norm of $x$ is defined as $\|x\|_p = \|\sigma(x)\|_p = (\sum_{i \in [n]} |\sigma_i(x)|^p)^{1/p}$. We omit $p$ when $p = 2$. Note that the appropriate notion of norm $\|\cdot\|$ is used throughout this paper depending on whether the argument is a vector over $\mathbb{C}^n$ or an element of $K$, whenever the context is clear.

A.4 Ring of Integers and Its Ideals
Let $R \subset K$ denote the set of all algebraic integers in a number field $K$. This set forms a ring (under the usual addition and multiplication operations in $K$), called the ring of integers of $K$. The ring of integers in $K$ is written The (absolute) discriminant $\Delta_K$ of $K$ measures the geometric sparsity of its ring of integers. The discriminant of the $m$-th cyclotomic number field $K$ is in which the product in the denominator runs over all the primes dividing $m$.
An (integral) ideal $I \subseteq R$ is a non-trivial (i.e. $I \ne \emptyset$ and $I \ne \{0\}$) additive subgroup that is closed under multiplication by $R$, i.e. $r \cdot a \in I$ for any $r \in R$ and $a \in I$. The norm of an ideal $I \subseteq R$ is the number of cosets of $I$ as an additive subgroup of $R$, i.e. its index: $N(I) = |R/I|$. Note that $N(IJ) = N(I)\,N(J)$.
A fractional ideal $I$ in $K$ is a subset such that $dI \subseteq R$ is an integral ideal for some nonzero $d \in R$. Its norm is defined as $N(I) = N(dI)/N(d)$. An ideal lattice is a lattice $\sigma(I)$ embedded from a fractional ideal $I$ by $\sigma$ into $H$. The determinant of an ideal lattice $\sigma(I)$ is $\det(\sigma(I)) = N(I) \cdot \sqrt{\Delta_K}$. For simplicity, however, when discussing ideal lattices we most often omit mention of $\sigma$, since no confusion is likely to arise. For any fractional ideal $I$ in $K$, its dual ideal is defined as where $p$ runs over all odd primes dividing $m$. Also, define $t = \hat{m}/g \in R$, where $\hat{m} = m/2$ if $m$ is even and otherwise $\hat{m} = m$.
$R_q \times (K_{\mathbb{R}}/qR^\vee)$, outputs a pair $(a = p a' \bmod qR,\ b) \in R_q \times R_q^\vee$ with the following guarantees: if the input pair is uniformly distributed then so is the output pair; and if the input pair is distributed according to the RLWE distribution $A_{s,\psi}$ for some (unknown) $s \in R^\vee$ and distribution $\psi$ over $K_{\mathbb{R}}$, then the output pair is distributed according to $A_{s,\chi}$, where $\chi = \lfloor p \cdot \psi \rceil_{w + pR^\vee}$.

Lemma A.5. [26, Lemma 2.24]
Let $p$ and $q$ be positive coprime integers, $\lfloor \cdot \rceil$ be a valid discretization to (cosets of) $pR^\vee$, and $w$ be an arbitrary element of $R_p^\vee$. If R-DLWE$_{q,\psi}$ is hard given $l$ samples, then so is the variant of R-DLWE$_{q,\psi}$ in which the secret is sampled from $\chi := \lfloor p \cdot \psi \rceil_{w + pR^\vee}$, given $l - 1$ samples.

B Regularity and Fourier Transforms
Let $\rho_{s,c}$ denote the $n$-dimensional Gaussian function with standard deviation $s$ and mean $c$.

Definition B.1 (Fourier Transform).
Given an integrable function $f : \mathbb{R}^n \to \mathbb{C}$, we denote by $\hat{f} : \mathbb{R}^n \to \mathbb{C}$ the Fourier transform of $f$, defined as

Theorem B.2 (Poisson Summation Formula).
Let $\Lambda \subset \mathbb{R}^n$ be an arbitrary lattice of dimension $n$, and let $f : \mathbb{R}^n \to \mathbb{C}$ be an appropriate function.⁸ Then where $\Lambda^\vee$ is the dual lattice of $\Lambda$ and $\hat{f}$ is the Fourier transform of $f$.
The following is a modified version of Lemma 3.8 from [32]. Proof. First, since $\Psi$ is a PDF, we have that $\hat{\Psi}(0) = 1$. We have: where the equality follows from properties of the Fourier transform.
The proof of the following lemma proceeds as the proof of Corollary 2.8 in [19].
Lemma B.13. Let $\Lambda'$ be an $n$-dimensional lattice and $\Psi$ a probability distribution over $\mathbb{R}^n$. Assume that for all $c \in \mathbb{R}^n$ it is the case that Let $\Lambda$ be an $n$-dimensional lattice such that $\Lambda' \subseteq \Lambda$; then the distribution of $(D_{\Lambda,\Psi} \bmod \Lambda')$ is within statistical distance at most $4\varepsilon$ of uniform over $(\Lambda \bmod \Lambda')$.
Definition B.14. For a matrix $A \in R_q^{k \times l}$ we define $\Lambda^\perp(A) = \{z \in R^l : Az = 0 \bmod qR\}$, which we identify with a lattice in $H^l$. Its dual lattice (again a lattice in $H^l$) is denoted $\Lambda^\perp(A)^\vee$.

Theorem B.15. [26] Let $R$ be the ring of integers in the $m$-th cyclotomic number field $K$ of degree $n$, and $q \ge 2$ an integer. For positive integers $k$
is uniformly random. Then for all $s \ge 2n$, In particular, if $s > 2n \cdot q^{k/l + 2/(nl)}$ then $\mathbb{E}_{\bar{A}}$ , and so by Markov's inequality, The following corollary was presented in [26].
Corollary B.16. Let $R, n, q, k$ and $l$ be as in Theorem B.15. Assume that $A = [I_k \mid \bar{A}] \in R_q^{k \times l}$ is chosen as in Theorem B.15. Then, with probability $1 - 2^{-\Omega(n)}$ over the choice of $\bar{A}$, the distribution of $Ax \in R_q^k$, where each coordinate of $x \in R_q^l$ is chosen from a discrete Gaussian distribution of parameter $s > 2n \cdot q^{k/l + 2/(nl)}$ over $R$, satisfies that the probability of each of the $q^{nk}$ possible outcomes is in the interval $(1 \pm 2^{-\Omega(n)})\, q^{-nk}$ (and in particular is within statistical distance $2^{-\Omega(n)}$ of the uniform distribution over $R_q^k$).
We next state an additional corollary of the regularity theorem from [26].

C Proof of Theorem 2.8
In this section, we prove the following theorem, which provides an upper bound on the Fourier transform of the PDF used in the analysis of Conditional Distribution III in Section 2.3. , where $x$ is a vector over $n'$ dimensions, and let $\hat{\Psi}_{\sigma,c}(y)$ denote the $n'$-dimensional Fourier transform of $\Psi_{\sigma,c}$. Then $|\hat{\Psi}_{\sigma,c}(y)| \le n'^{\,n'} \cdot e^{-\pi \|y\|^2 \sigma^2}$ for $\|y\| > 1/\sigma$.
The following lemma computes a lower bound of the normalization factor of the pdf in Theorem 2.8. Once we prove the lemma, we proceed to the proof of Theorem 2.8.
. Let $r = \|x\|$. Since $f$ is a radial function, we slightly abuse notation and write $f(r) := e^{-\pi (r - c)^2}$. Now, we have that where $V_{n'}$ denotes the volume of the $n'$-dimensional unit ball, $V_{n'} = \pi^{n'/2}/\Gamma(1 + n'/2)$. Since $f$ is an even function and $n'$ is odd, $r^{n'-1}$ is an even function, so $r^{n'-1} f(r)$ is even and Let $a = \pi/\sigma^2$. Since $n'$ is odd, we now have that Combining the above with (C1) and (C2) and substituting for $a$, we get that $\int_{\mathbb{R}^{n'}} f(x)\,dx \ge \sigma^{n'}$, which completes the proof of the lemma.
Let $r := \|x\|$; we slightly abuse notation and view $f$ as a function of $r$, $f(r) := e^{-\pi (r - c)^2}$ $\Psi_{\sigma,c}$ is a radial function, so is its Fourier transform; thus we again slightly abuse notation and view $F := \hat{f}$ as a function of $\kappa := \|y\|$. We may now use the formula for the radial Fourier transform of an $n'$-dimensional radial function $f$ to find $F$ [21]: where $[x]$ denotes the largest integer not exceeding $x$. We now have: where the first equality follows from (C3), the second equality follows from (C5), (C6) and the settings of .
In order to bound (C7), we will individually upper bound I: and II: where the second equality follows since $f(r)$ is an even function, $\cos(2\pi\kappa r)$ is an even function and, for $n' = l \cdot 2^a + 1$, all powers of $r$ in the integrand are even, which means that the entire integrand is an even function.
To compute an upper bound on as above, we integrate each term separately. Since the analysis is essentially the same for each term, we focus on upper bounding the term $A :=$ Thus, we have that Plugging the above back into (C8), and recalling that $|c'_j| =$ , we have that where the last inequality follows since $\binom{n}{i} \le 2^n$ and $n! \le n^n$. We now turn to upper-bounding I. Recalling that , we have that where the second equality follows since $f(r)$ is an even function, $\sin(2\pi\kappa r)$ is an odd function and, for $n' = l \cdot 2^a + 1$, all powers of $r$ in the integrand are odd, which means that the entire integrand is an even function.
To compute an upper bound on as above, we integrate each term separately. Since the analysis is essentially the same for each term, we focus on the term $B :=$ Thus, we have that Plugging the above back into (C10), and recalling that $|c$ , we have that Proof.
where (E1) follows from Lemma B.4, (E2) follows from Lemma A.1, and (E3) follows from the fact that Proof. Recall that $\sigma := (\sigma_1, \ldots, \sigma_n) \in \mathbb{R}^n_{>0}$ is defined as a vector such that $\ell$ positions are set to $2n$, while the other positions are set to $s$. Define $z_1, \ldots, z_n$ in the following way: Applying Poisson summation twice we arrive at: where (E6) follows from the definitions of $\rho$ and $z_i$. To derive (E7), let us first introduce the following claim. , when $\sigma_i = 2n$. Since there are $\ell$ positions in $\sigma$ with $\sigma_i = 2n$, we obtain (E7). Finally (E8) follows by the definition of the smoothing parameter $\eta_{2^{-2n}}((\tfrac{1}{q} J)^\vee)$. Now, using the fact that $\eta_{2^{-2n}} \le (\Delta_K\, |J/qR^\vee|)^{1/n}$, the fact that $\Delta_K = n^n$, the fact that $|J/qR^\vee| \ge 2^n$, and the setting of parameters, we have that which completes the proof of the lemma.

E.2 Additional Proofs in Conditional Distribution III
Recall that the generic PDF of a one-dimensional Gaussian distribution is defined as: where $r$ is the magnitude of $x$. It can also be viewed as the probability density function of the secret key's magnitude $\|X\| = r$, denoted $\psi_s(\|X\| = r)$. The error is sampled from a 1-dimensional Gaussian distribution centered at $0$. We write the probability density function of the error $E$ at value $y$ as Let $F_{Z \mid A}(f(Z) = b)$ generically represent the probability density function of a random variable $Z$ at value $b$ of $f(Z)$, conditioned on the event $A$.
We now derive the density function of the secret key $X$ given the value $z$ of $|\|X\| + E|$. The weight placed on a value $x = (x_1, \ldots, x_{n'})$ by the conditional distribution depends only on the magnitude of $x$ (i.e. $r = \|x\|$) and can be computed as: Proof. Using a union bound, we have Note that since $s > n$, and using the fact that $\lambda_1((R^l \times \mathbb{Z})^\vee) \ge \lambda_1(R^\vee) \ge$
Corollary 2.10. Let $k, l, \sigma$ and $c$ be as in Theorem 2.9. Assume that $A = [I_k \mid \bar{A}] \in R_q^{k \times l}$ is chosen as in Theorem 2.9. Then, with probability $1 - 2^{-\Omega(n)}$ over the choice of $\bar{A}$, the distribution of $Ax \in R_q^k$, where $(x, x_{n'}) \in R^l \times \mathbb{Z}$ is chosen from $D_{R^l \times \mathbb{Z},\, \Psi_{\sigma,c}}$, satisfies that the probability of each of the $q^{nk}$ possible outcomes is in the interval $(1 \pm 2^{-\Omega(n)})\, q^{-nk}$ (and in particular is within statistical distance $2^{-\Omega(n)}$ of the uniform distribution over $R_q^k$).
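As an added worked derivation, not part of the paper's text, here is the computation of the conditional weight sketched above, in the page's notation: $X$ has density $\psi_s(x) \propto e^{-\pi \|x\|^2/s^2}$ on $\mathbb{R}^{n'}$, the scalar error $E$ has density $\propto e^{-\pi y^2/v^2}$, and the leakage is $Z = |\|X\| + E|$ with $z > 0$. The two-center form and the values of the center and width are the ones stated in Section 2.3; the completing-the-square step is the same identity used for Conditional Distribution I.

```latex
\begin{aligned}
&\text{Given } \|X\| = r, \text{ the event } Z = z \text{ occurs iff } E = z - r \text{ or } E = -z - r, \text{ so by Bayes} \\
&\qquad F_{X \mid Z = z}(x) \;\propto\; \psi_s(x)\,\bigl(\rho_v(z - r) + \rho_v(-z - r)\bigr)
  \;=\; e^{-\pi r^2/s^2}\Bigl(e^{-\pi (r - z)^2/v^2} + e^{-\pi (r + z)^2/v^2}\Bigr). \\[2pt]
&\text{With } \sigma^2 := \frac{s^2 v^2}{s^2 + v^2} \text{ and } c := \frac{z s^2}{v^2 + s^2},
  \text{ completing the square gives} \\
&\qquad \frac{r^2}{s^2} + \frac{(r \mp z)^2}{v^2} \;=\; \frac{(r \mp c)^2}{\sigma^2} + \frac{z^2}{s^2 + v^2}, \\[2pt]
&\text{and the common factor } e^{-\pi z^2/(s^2 + v^2)} \text{ is absorbed into the normalization, hence} \\
&\qquad \Psi_{\sigma,c}(x) \;=\; \frac{1}{N}\Bigl(e^{-\pi (\|x\| - c)^2/\sigma^2} + e^{-\pi (\|x\| + c)^2/\sigma^2}\Bigr),
  \qquad
  N \;=\; \int_{\mathbb{R}^{n'}} \Bigl(e^{-\pi (\|x\| - c)^2/\sigma^2} + e^{-\pi (\|x\| + c)^2/\sigma^2}\Bigr)\,dx .
\end{aligned}
```

This is the sum of two radial Gaussian functions with the same width $\sigma$ centered at $\pm c = \pm z s^2/(v^2 + s^2)$, which is why the analysis of Conditional Distribution III needs the radial Fourier transform of a shifted Gaussian rather than the centered one used by [26].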