The Learning with Errors (\LWE) problem has been widely utilized as a foundation for numerous cryptographic tools over the years. In this study, we focus on an algebraic variant of the \LWE problem called \emph{Group ring} \LWE ($\GRLWE$). We select group rings (or their direct summands) built from specific families of finite groups obtained as the semi-direct product of two cyclic groups. Unlike the Ring-\LWE problem described in \cite{lyubashevsky2010ideal}, the multiplication operation in the group rings considered here is non-commutative. As an extension of Ring-$\LWE$, it maintains computational hardness and can potentially be applied in many cryptographic scenarios. In this paper, we present two polynomial-time quantum reductions. Firstly, we provide a quantum reduction from the worst-case shortest independent vectors problem (\SIVP) in ideal lattices with polynomial approximation factor to the search version of $\GRLWE$; this reduction requires that the underlying group ring possesses certain mild properties. Secondly, we present another quantum reduction for two types of group rings, where the worst-case \SIVP problem is directly reduced to the (average-case) decision $\GRLWE$ problem. The pseudorandomness of $\GRLWE$ samples guaranteed by this reduction can consequently be leveraged to construct semantically secure public-key cryptosystems.
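As an added illustration that is not the paper's own code: the following Python builds the group ring $\mathbb{Z}_q[G]$ for a semi-direct product $G = C_n \rtimes C_m$ (the dihedral group $D_3$ is used as the concrete instance; the parameters, the dictionary representation of ring elements and the noise bound are assumptions), checks that its multiplication is non-commutative, and forms a GRLWE-style sample $(a, a\cdot s + e)$.

```python
"""Constructed illustration of a non-commutative group ring Z_q[G] with
G = C_n x| C_m, and a GRLWE-style sample b = a*s + e (not the paper's code)."""
import random

class SemidirectGroupRing:
    """Z_q[G] for G = <x, y | x^n = y^m = 1, y x y^-1 = x^r>, r^m = 1 (mod n).
    Element (i, j) stands for x^i y^j; since y^j x^i = x^(r^j i) y^j,
    (i1, j1)*(i2, j2) = (i1 + r^j1 * i2 mod n, j1 + j2 mod m)."""

    def __init__(self, n, m, r, q):
        assert pow(r, m, n) == 1 % n, "r must have order dividing m modulo n"
        self.n, self.m, self.r, self.q = n, m, r, q

    def elems(self):
        return [(i, j) for j in range(self.m) for i in range(self.n)]

    def gmul(self, g, h):
        """Product of two group elements under the semi-direct product rule."""
        (i1, j1), (i2, j2) = g, h
        return ((i1 + pow(self.r, j1, self.n) * i2) % self.n, (j1 + j2) % self.m)

    def mul(self, a, b):
        """Ring product: coefficient of g in a*b is the sum of a[h]*b[k] over h*k = g."""
        out = {g: 0 for g in self.elems()}
        for h, ah in a.items():
            for k, bk in b.items():
                g = self.gmul(h, k)
                out[g] = (out[g] + ah * bk) % self.q
        return out

    def add(self, a, b):
        return {g: (a.get(g, 0) + b.get(g, 0)) % self.q for g in self.elems()}

    def random_elem(self, rng, bound=None):
        """Uniform element of Z_q[G], or a small one with coefficients in [-bound, bound]."""
        lo, hi = (0, self.q - 1) if bound is None else (-bound, bound)
        return {g: rng.randint(lo, hi) % self.q for g in self.elems()}

def is_commutative_pair(R, a, b):
    return R.mul(a, b) == R.mul(b, a)

def grlwe_sample(R, s, rng, noise_bound=1):
    """One GRLWE-style sample (a, a*s + e): a uniform in Z_q[G], e small."""
    a = R.random_elem(rng)
    e = R.random_elem(rng, bound=noise_bound)   # toy noise, not the paper's distribution
    return a, R.add(R.mul(a, s), e)

if __name__ == "__main__":
    R = SemidirectGroupRing(n=3, m=2, r=2, q=17)   # D_3 = C_3 x| C_2, assumed parameters
    x, y = {(1, 0): 1}, {(0, 1): 1}
    print("x*y == y*x ?", is_commutative_pair(R, x, y))   # False: non-commutative
    rng = random.Random(1)
    a, b = grlwe_sample(R, R.random_elem(rng, bound=1), rng)
```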