This paper introduces ring-LWE, an algebraic variant of the Learning with Errors (LWE) problem, and proves its hardness under worst-case assumptions on ideal lattices. Ring-LWE is defined over a ring of integer polynomials modulo a cyclotomic polynomial, and its security is based on the hardness of approximating the shortest vector problem (SVP) in ideal lattices. The paper shows that the ring-LWE distribution is pseudorandom under these assumptions, and provides efficient cryptographic applications, including a practical public-key cryptosystem with a security reduction. Ring-LWE also enables more efficient implementations of LWE-based schemes and opens the door to new cryptographic applications. The paper also discusses the use of the canonical embedding in algebraic number theory, which provides a more geometric and algebraic structure for ideal lattices compared to the coefficient embedding. The main results include a worst-case hardness reduction from SVP to ring-LWE and a search-to-decision equivalence for ring-LWE. The paper also compares ring-LWE to related work and discusses its implications for cryptographic applications.This paper introduces ring-LWE, an algebraic variant of the Learning with Errors (LWE) problem, and proves its hardness under worst-case assumptions on ideal lattices. Ring-LWE is defined over a ring of integer polynomials modulo a cyclotomic polynomial, and its security is based on the hardness of approximating the shortest vector problem (SVP) in ideal lattices. The paper shows that the ring-LWE distribution is pseudorandom under these assumptions, and provides efficient cryptographic applications, including a practical public-key cryptosystem with a security reduction. Ring-LWE also enables more efficient implementations of LWE-based schemes and opens the door to new cryptographic applications. The paper also discusses the use of the canonical embedding in algebraic number theory, which provides a more geometric and algebraic structure for ideal lattices compared to the coefficient embedding. The main results include a worst-case hardness reduction from SVP to ring-LWE and a search-to-decision equivalence for ring-LWE. The paper also compares ring-LWE to related work and discusses its implications for cryptographic applications.