A Fast Multiplication Algorithm and RLWE-PLWE Equivalence for the Maximal Real Subfield of the $2^r p^s$-th Cyclotomic Field
Wilmar Bolaños, Antti Haavikko, Rodrigo Martín Sánchez-Ledesma
TL;DR
This work proves the RLWE-PLWE equivalence for the maximal real subfields of cyclotomic fields with conductor $n=2^r p^s$, showing that the canonical embedding has a condition number bounded by a polynomial in $n$ and introducing a fast $\mathcal{O}(n\log n)$ multiplication algorithm in the field's ring of integers via the Discrete Cosine Transform. It provides explicit minimal polynomials $\Psi_n(x)$ and reduction formulas in $\mathbb{Z}[x]/(\Psi_n)$, together with efficient change-of-basis procedures between the power basis and the modified Chebyshev basis, enabling practical arithmetic in the real subfields. The paper extends previous results to arbitrary odd primes $p$, detailing two case analyses $n=p^s$ and $n=2^r p^s$ and proving the RLWE–PLWE equivalence under these conditions. It also presents a computational robustness study against root-based PLWE attacks, offering empirical evidence that maximal real cyclotomic instances exhibit near-ideal security profiles across representative parameter regimes, reinforcing their practicality for structured-lattice cryptography.
Abstract
This paper proves the RLWE-PLWE equivalence for the maximal real subfields of the cyclotomic fields with conductor $n = 2^r p^s$, where $p$ is an odd prime, and $r \geq 0$ and $s \geq 1$ are integers. In particular, we show that the canonical embedding as a linear transform has a condition number bounded above by a polynomial in $n$. In addition, we describe a fast multiplication algorithm in the ring of integers of these real subfields. The multiplication algorithm uses the fast Discrete Cosine Transform (DCT) and has computational complexity $\mathcal{O}(n \log n)$. Both the proof of the RLWE-PLWE equivalence and the fast multiplication algorithm are generalizations of previous results by Ahola et al., where the same claims are proved for a single prime $p = 3$.