| Summary: | The “Multivariate Ring Learning with Errors” problem was presented as a generalization of Ring Learning with Errors (RLWE), introducing efficiency improvements with respect to the RLWE counterpart thanks to its multivariate structure. Nevertheless, the recent attack presented by Bootland, Castryck and Vercauteren has some important consequences on the security of the multivariate RLWE problem with “non-coprime” cyclotomics; this attack transforms instances of <i>m</i>-RLWE with power-of-two cyclotomic polynomials of degree <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><mi>n</mi><mo>=</mo><msub><mo>∏</mo><mi>i</mi></msub><msub><mi>n</mi><mi>i</mi></msub></mrow></semantics></math></inline-formula> into a set of RLWE samples with dimension <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><msub><mo movablelimits="true" form="prefix">max</mo><mi>i</mi></msub><mrow><mo>{</mo><msub><mi>n</mi><mi>i</mi></msub><mo>}</mo></mrow></mrow></semantics></math></inline-formula>. This is especially devastating for low-degree cyclotomics (e.g., <inline-formula><math xmlns="http://www.w3.org/1998/Math/MathML" display="inline"><semantics><mrow><msub><mo>Φ</mo><mn>4</mn></msub><mrow><mo>(</mo><mi>x</mi><mo>)</mo></mrow><mo>=</mo><mn>1</mn><mo>+</mo><msup><mi>x</mi><mn>2</mn></msup></mrow></semantics></math></inline-formula>). In this work, we revisit the security of multivariate RLWE and propose new alternative instantiations of the problem that avoid the attack while still preserving the advantages of the multivariate structure, especially when using low-degree polynomials. Additionally, we show how to parameterize these instances in a secure and practical way, therefore enabling constructions and strategies based on <i>m</i>-RLWE that bring notable space and time efficiency improvements over current RLWE-based constructions.
|
|---|