Entropic Hardness of Module-LWE from Module-NTRU

Co-authored with Katharina Boudgoust, Adeline Roux-Langlois, and Weiqiang Wen.
In the proceedings of Indocrypt 2022. Also available on IACR ePrint.


The Module Learning With Errors problem (M-LWE) has gained popularity in recent years for its security-efficiency balance, and its hardness has been established for a number of variants. In this paper, we focus on proving the hardness of (search) M-LWE for general secret distributions, provided they carry sufficient min-entropy. This is called entropic hardness of M-LWE. First, we adapt the line of proof of Brakerski and Döttling on R-LWE (TCC’20) to prove that the existence of certain distributions implies the entropic hardness of M-LWE. Then, we provide one such distribution whose required properties rely on the hardness of the decisional Module-NTRU problem.