Fast Multiplication and the PLWE-RLWE Equivalence for an Infinite Family of Maximal Real Subfields of Cyclotomic Fields

TL;DR

This paper establishes the equivalence of RLWE and PLWE problems for a family of maximal real subfields of cyclotomic fields and introduces a fast, quasilinear multiplication algorithm using Chebyshev-like bases.

Contribution

It proves RLWE-PLWE equivalence for specific cyclotomic subfields and develops a fast multiplication algorithm leveraging Chebyshev bases with $ ext{O}(n ext{log} n)$ complexity.

Findings

Proves RLWE-PLWE equivalence for maximal real subfields of certain cyclotomic fields.

Develops a fast multiplication algorithm using Chebyshev-like bases.

Provides a comparison of attack vulnerabilities for different cyclotomic fields.

Abstract

We prove the equivalence between the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems for the maximal totally real subfield of the $2^r 3^s$-th cyclotomic field for $r \geq 3$ and $s \geq 1$. Moreover, we describe a fast algorithm for computing the product of two elements in the ring of integers of these subfields. This multiplication algorithm has quasilinear complexity in the dimension of the field, as it makes use of the fast Discrete Cosine Transform (DCT). Our approach assumes that the two input polynomials are given in a basis of Chebyshev-like polynomials, in contrast to the customary power basis. To validate this assumption, we prove that the change of basis from the power basis to the Chebyshev-like basis can be computed with $\mathcal{O}(n \log n)$ arithmetic operations, where $n$ is the problem dimension. Finally, we provide a heuristic and theoretical comparison of the vulnerability to some attacks for the $p$-th cyclotomic field versus the maximal totally real subextension of the $4p$-th cyclotomic field for a reasonable set of parameters of cryptographic size.