The Learning with Errors (LWE) problem has been widely utilized as a foundation for numerous cryptographic tools over the years. In this study, we focus on an algebraic variant of the LWE problem called Group ring LWE (GR-LWE). We select group rings (or their direct summands) that underlie specific families of finite groups constructed by taking the semi-direct product of two cyclic groups. Unlike the Ring-LWE problem described in \cite{lyubashevsky2010ideal}, the multiplication operation in the group rings considered here is non-commutative. As an extension of Ring-LWE, it maintains computational hardness and can potentially be applied in many cryptographic scenarios. In this paper, we present two polynomial-time quantum reductions. Firstly, we provide a quantum reduction from the worst-case shortest independent vectors problem (SIVP) in ideal lattices with polynomial approximation factor to the search version of GR-LWE; this reduction requires that the underlying group ring possesses certain mild properties. Secondly, we present another quantum reduction for two types of group rings, where the worst-case SIVP problem is directly reduced to the (average-case) decision GR-LWE problem. The pseudorandomness of GR-LWE samples guaranteed by this reduction can consequently be leveraged to construct semantically secure public-key cryptosystems.
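The abstract describes group rings over semi-direct products of two cyclic groups and stresses that their multiplication is non-commutative, which is what distinguishes GR-LWE from Ring-LWE. The following is an added illustration, not code from the paper: it builds the group ring $\mathbb{Z}_q[G]$ for $G = \mathbb{Z}_n \rtimes \mathbb{Z}_m$ with the action $a \mapsto r^b a$ (the dihedral group when $m=2$, $r=-1$), checks associativity and non-commutativity on concrete instances, and forms a GR-LWE sample $b = a \cdot s + e$. The parameter values, the toy bounded-uniform error distribution standing in for a discrete Gaussian, and the small modulus are constructed assumptions for demonstration, not the paper's parameters.

```python
"""Group ring Z_q[G] for G = Z_n x| Z_m and toy GR-LWE samples (added example).

Group elements are pairs (a, b), a in Z_n, b in Z_m, with product
    (a1, b1) * (a2, b2) = (a1 + r^b1 * a2 mod n, b1 + b2 mod m),
where r^m = 1 (mod n), so b acts on Z_n by the automorphism a -> r^b * a.
r = n-1 (i.e. -1) with m = 2 gives the dihedral group D_n; r = 1 gives the
commutative direct product Z_n x Z_m.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupRing:
    n: int  # order of the normal cyclic subgroup Z_n
    m: int  # order of the acting cyclic group Z_m
    r: int  # action of a generator of Z_m on Z_n: a -> r*a mod n
    q: int  # coefficient modulus

    def __post_init__(self):
        if pow(self.r, self.m, self.n) != 1 % self.n:
            raise ValueError("need r^m = 1 mod n for a well-defined semi-direct product")

    @property
    def order(self):
        return self.n * self.m

    # group element (a, b) is stored at index a + n*b
    def idx(self, a, b):
        return (a % self.n) + self.n * (b % self.m)

    def pair(self, i):
        return (i % self.n, i // self.n)

    def gmul(self, i, j):
        """Group law on indices."""
        a1, b1 = self.pair(i)
        a2, b2 = self.pair(j)
        return self.idx(a1 + pow(self.r, b1, self.n) * a2, b1 + b2)

    def mul(self, f, g):
        """Ring product: (f*g)[h] = sum over i*j = h of f[i]*g[j] mod q (a group convolution)."""
        out = [0] * self.order
        for i, fi in enumerate(f):
            for j, gj in enumerate(g):
                if fi and gj:
                    h = self.gmul(i, j)
                    out[h] = (out[h] + fi * gj) % self.q
        return out

    def add(self, f, g):
        return [(x + y) % self.q for x, y in zip(f, g)]

    def sub(self, f, g):
        return [(x - y) % self.q for x, y in zip(f, g)]

    def basis(self, a, b):
        """The group element (a, b) viewed as a ring element."""
        v = [0] * self.order
        v[self.idx(a, b)] = 1
        return v

    def uniform(self, rng):
        return [rng.randrange(self.q) for _ in range(self.order)]

    def small_error(self, rng, bound):
        """Constructed toy error: uniform in [-bound, bound] (stand-in for a discrete Gaussian)."""
        return [rng.randint(-bound, bound) % self.q for _ in range(self.order)]

    def centered(self, f):
        """Lift coefficients to the symmetric range (-q/2, q/2]."""
        return [x - self.q if x > self.q // 2 else x for x in f]


def group_is_associative(R):
    return all(R.gmul(R.gmul(i, j), k) == R.gmul(i, R.gmul(j, k))
               for i in range(R.order) for j in range(R.order) for k in range(R.order))


def is_commutative(R):
    """Ring multiplication commutes iff the group law does, so testing basis pairs suffices."""
    return all(R.gmul(i, j) == R.gmul(j, i) for i in range(R.order) for j in range(R.order))


def grlwe_sample(R, s, rng, bound=1):
    """One GR-LWE sample (a, b = a*s + e) for secret s; also returns e for checking."""
    a = R.uniform(rng)
    e = R.small_error(rng, bound)
    return a, R.add(R.mul(a, s), e), e


def recover_error(R, a, b, s):
    """Given the secret, b - a*s reveals the small error term."""
    return R.centered(R.sub(b, R.mul(a, s)))


def run_demo(seed=1):
    """Generate a sample over the dihedral group ring Z_17[D_3] and verify its shape."""
    R = GroupRing(n=3, m=2, r=2, q=17)  # r = 2 = -1 mod 3: dihedral group D_3
    rng = random.Random(seed)
    s = R.uniform(rng)
    a, b, e = grlwe_sample(R, s, rng, bound=1)
    return recover_error(R, a, b, s) == R.centered(e)


if __name__ == "__main__":
    D3 = GroupRing(n=3, m=2, r=2, q=17)
    print("D_3 group ring commutative:", is_commutative(D3))
    print("sample consistent:", run_demo())
```

The ring product is a convolution over the group rather than over $\mathbb{Z}_n$, so the order of the factors matters exactly when the group law is non-commutative; the `is_commutative` check on basis elements is enough because the basis spans the ring.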