International Association
for Cryptologic Research

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the Ring Learning With Errors problem (Ring-LWE) has been widely used as a building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction to ideal lattice problems. This reduction assumes a lower bound on the width of the error distribution that is often violated in practice. In this paper we show that caution is needed when doing so, by providing for any $\varepsilon > 0$, a family of number fields $K$ of increasing degree $n$ for which Ring-LWE can be broken easily as soon as the errors required by the reduction are scaled down by $|\Delta_K|^{\varepsilon/n}$ with $\Delta_K$ the discriminant of $K$.