
Fast Multiplication and the PLWE-RLWE Equivalence for an Infinite Family of Maximal Real Subfields of Cyclotomic Fields

Joonas Ahola, Iván Blanco-Chacón, Wilmar Bolaños, Antti Haavikko, Camilla Hollanti, Rodrigo Martín Sánchez-Ledesma

TL;DR

The paper addresses the RLWE--PLWE equivalence for maximal totally real subfields of cyclotomic fields with conductor $n=2^r3^s$, proving equivalence and enabling fast, quasilinear multiplication in the ring of integers using a Chebyshev-like basis and a Discrete Cosine Transform. Central to the approach is a polynomially bounded condition number for the embedding matrix, achieved via a Chebyshev basis, which ensures that reductions between RLWE and PLWE preserve pseudo-randomness with polynomial noise growth. The authors provide detailed algorithms for fast multiplication, including base-change between bases with $\mathcal{O}(n\log n)$ cost and DCT-based multiplication that works for $n=2^r$ and $n=2^r3^s$, with DCT modulo a suitable prime. They also offer numerical evidence that maximal real cyclotomic subfields can be at least as secure as cyclotomic ones against root-based attacks, informing parameter selection for post-quantum schemes. Overall, the work advances efficient PLWE implementations while maintaining security guarantees in a broader family of number fields, enriching the landscape of practical, secure lattice-based cryptography.

Abstract

We prove the equivalence between the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems for the maximal totally real subfield of the $2^r 3^s$-th cyclotomic field for $r \geq 3$ and $s \geq 1$. Moreover, we describe a fast algorithm for computing the product of two elements in the ring of integers of these subfields. This multiplication algorithm has quasilinear complexity in the dimension of the field, as it makes use of the fast Discrete Cosine Transform (DCT). Our approach assumes that the two input polynomials are given in a basis of Chebyshev-like polynomials, in contrast to the customary power basis. To validate this assumption, we prove that the change of basis from the power basis to the Chebyshev-like basis can be computed with $\mathcal{O}(n \log n)$ arithmetic operations, where $n$ is the problem dimension. Finally, we provide a heuristic and theoretical comparison of the vulnerability to some attacks for the $p$-th cyclotomic field versus the maximal totally real subextension of the $4p$-th cyclotomic field for a reasonable set of parameters of cryptographic size.

Paper Structure (12 sections, 8 theorems, 68 equations, 2 figures, 1 table)

Key Result

Theorem 1.1

Assuming the Generalised Riemann Hypothesis, there exists a quantum polynomial time algorithm that, given an ideal $\mathfrak{a}$ of $\mathcal{O}_K$ for $K$ a cyclotomic number field of prime power conductor, returns an element $v\in \mathfrak{a}$ of Euclidean norm

Figures (2)

  • Figure 1: Each point of the plot is a pair $(p-1,q)$ for primes $p$ and $q$ such that $f_p(\alpha) \equiv 0 \mod q$ for some $\alpha \in S$ where $f_p(x) = \Phi_p(x)$ or $f_p(x) = \Psi_{4p}(x)$. For both polynomials the degree of the field extension is $\deg f_p(x) = p-1$ and the cardinality of the finite field is $q$.
  • Figure 2: Small roots $\alpha \in S$ for the pairs $(p,q)$. The points are coloured in red for a root of $\Phi_p(x)$ and in blue for $\Psi_{4p}(x)$.

Theorems & Definitions (19)

  • Definition 1.1: The R/PLWE distributions
  • Definition 1.2: R/PLWE problems
  • Definition 1.3: Equivalence between problems
  • Theorem 1.1
  • Definition 2.1: $\mathsf{DCT}$
  • Lemma 2.1
  • proof
  • Definition 2.2
  • Lemma 2.2
  • proof
  • ...and 9 more