Attacks on the Search-RLWE problem with small errors
Hao Chen, Kristin Lauter, Katherine E. Stange

TL;DR
This paper introduces a novel attack on the search RLWE problem with small errors, exploiting subfield vulnerabilities and extending existing reductions, demonstrating practical vulnerabilities in certain cryptographic instances.
Contribution
The paper presents a new attack method on small-error RLWE, identifying subfield vulnerabilities and extending search-to-decision reductions to broader Galois fields.
Findings
Identified subfield vulnerabilities in Galois RLWE instances.
Successfully attacked multiple vulnerable RLWE instances.
Extended reduction results to general Galois fields with unramified primes.
Abstract
The Ring Learning-With-Errors (RLWE) problem shows great promise for post-quantum cryptography and homomorphic encryption. We describe a new attack on the non-dual search RLWE problem with small error widths, using ring homomorphisms to finite fields and the chi-squared statistical test. In particular, we identify a "subfield vulnerability" (Section 5.2) and give a new attack which finds this vulnerability by mapping to a finite field extension and detecting non-uniformity with respect to the number of elements in the subfield. We use this attack to give examples of vulnerable RLWE instances in Galois number fields. We also extend the well-known search-to-decision reduction result to Galois fields with any unramified prime modulus q, regardless of the residue degree f of q, and we use this in our attacks. The time complexity of our attack is O(nq^{2f}), where n is the degree of K and f is…
Taxonomy
Topics: Cryptography and Data Security · Complexity and Algorithms in Graphs · Coding theory and cryptography
