On the security of the multivariate ring learning with errors problem
Carl Bootland (KU Leuven), Wouter Castryck (KU Leuven), and Frederik Vercauteren (KU Leuven)
Abstract: The Multivariate Ring Learning with Errors ($m$-RLWE) problem was introduced in 2015 by Pedrouzo-Ulloa, Troncoso-Pastoriza and Pérez-González. Instead of working over a polynomial residue ring with one variable as in RLWE, it works over a polynomial residue ring in several variables. However, care must be taken when choosing the multivariate rings for use in cryptographic applications as they can be either weak or simply equivalent to univariate RLWE. For example, Pedrouzo-Ulloa et al.\ suggest using tensor products of cyclotomic rings, in particular power-of-two cyclotomic rings. They claim incorrectly that the security increases with the product of the individual degrees. In this paper, we present simple methods to solve the search $m$-RLWE problem far more efficiently than is stated in the current literature by reducing the problem to the RLWE problem in dimension equal to the maximal degree of its components (and not the product) and where the noise increases with the square-root of the degree of the other components. Our methods utilise the fact that the defining cyclotomic polynomials share algebraically related roots. We use these methods to successfully attack the search variant of the $m$-RLWE problem for a set of parameters estimated to offer more than 2600 bits of security, and being equivalent to solving the bounded distance decoding problem in a highly structured lattice of dimension 16384, in less than two weeks of computation time or just a few hours if parallelized on 128 cores.
cryptography and securitynumber theory
Audience: researchers in the topic
( chat | paper | slides | video )
Comments: Chair: Divesh Aggarwal and Emmanuel Thomé
Algorithmic Number Theory Symposium (ANTS XIV)
Series comments: Registration is now open. Registration is free but required to access the chat and livestream.
This is a hybrid synchronous/asynchronous conference with several ways to participate.
- Click the "paper" link to view contributed papers and posters (open to all).
- Click the "video" link to view pre-recorded talks of accepted papers (open to all).
These are 15-20 minutes aimed at a general algorithmic number theory audience. - Click the "slides" link to view slides used in the pre-recorded video when available (open to all).
- Click the "chat" link to access the chat stream related to the talk or poster before, during, and after the live event (registration required).
- Click the "livestream" button to join the live event when it is taking place (registration required and you must be logged in).
For accepted papers the audience will be expected to have watched the pre-recorded video and have the paper in front of them.
The invited talks will be recorded and made available via the "video" link after the talk is over. None of the other sessions will be recorded.
| Organizer: | Steven Galbraith* |
| Curator: | Andrew Sutherland* |
| *contact for this listing |