Abstract

The “Multivariate Ring Learning with Errors” problem was presented as a generalization of Ring Learning with Errors (RLWE), introducing efficiency improvements with respect to the RLWE counterpart thanks to its multivariate structure. Nevertheless, the recent attack presented by Bootland, Castryck and Vercauteren has some important consequences on the security of the multivariate RLWE problem with “non-coprime” cyclotomics; this attack transforms instances of m-RLWE with power-of-two cyclotomic polynomials of degree $n=\prod_i n_i$ into a set of RLWE samples with dimension $\max_i\{n_i\}$. This is especially devastating for low-degree cyclotomics (e.g., $\Phi_4(x)=1+x^2$). In this work, we revisit the security of multivariate RLWE and propose new alternative instantiations of the problem that avoid the attack while still preserving the advantages of the multivariate structure, especially when using low-degree polynomials. Additionally, we show how to parameterize these instances in a secure and practical way, therefore enabling constructions and strategies based on m-RLWE that bring notable space and time efficiency improvements over current RLWE-based constructions.

Highlights

  • Lattices have become a very promising tool for the development and improvement of new cryptographic constructions, notably those belonging to the field of homomorphic encryption

  • We instantiate a simple cryptosystem based on m-Ring Learning with Errors (m-RLWE), and use it to exemplify how the multivariate structure of m-RLWE improves on complex number embedding, enabling fully packed complex numbers, compared to the exponentially decreasing packing ratio of current approaches working with multivariate rings [39,40]

  • This section focuses on two different aspects: (1) We show how the introduced multivariate rings over the RLWE problem enable considerable improvements in the efficiency of the homomorphic packing/unpacking into slots, greatly improving essential blocks for homomorphic encryption, such as bootstrapping, and (2) we analyze the structure of the available set of automorphisms on these rings, showing that our solution can improve on both the runtime and the memory requirements with respect to the state of the art [74]


Summary

Introduction

Lattices have become a very promising tool for the development and improvement of new cryptographic constructions, notably those belonging to the field of homomorphic encryption. A multivariate version of RLWE (m-RLWE) was proposed as a means to efficiently deal with encrypted multidimensional structures, such as videos or images [9,10,11,12]. In this scenario, the use of a tensorial decomposition in “coprime” cyclotomic rings (see [3,4,13]) is a priori not applicable, as these structures require that the ideals have the same form (e.g., $(1 + z^n)$). (d) The FHEW scheme [22] features a ring tensoring for a speed-up of the homomorphic accumulator, and bivariate rings are used as a means to enhance the efficiency of polynomial products inside the refreshing procedure in [23]. It is discussed in [24] that the m-RLWE problem can be reduced from discrete Gaussian. We informally introduce the definition of m-RLWE, the attack by Bootland, Castryck and Vercauteren [25], and the rationale of our solution, all exemplified in the bivariate case.
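The following is an added illustration (not code from the paper) of the reduction sketched in the abstract and in this introduction for the bivariate, non-coprime, power-of-two case: the ring map $x \mapsto z^{n_2/n_1}$, $y \mapsto z$ sends $\mathbb{Z}_q[x,y]/(x^{n_1}+1, y^{n_2}+1)$ onto $\mathbb{Z}_q[z]/(z^{n_2}+1)$, so an m-RLWE sample of dimension $n_1 n_2$ becomes an ordinary RLWE sample of dimension $\max\{n_1,n_2\}$ with still-small secret and error. Function names, the ternary secret/error choice and the modulus are assumptions of this example, chosen only to make the loss of dimension visible.

```python
import random

def bimul(a, b, n1, n2, q):
    """Product in Z_q[x,y]/(x^n1+1, y^n2+1); a[i][j] is the coefficient of x^i y^j."""
    res = [[0] * n2 for _ in range(n1)]
    for i in range(n1):
        for j in range(n2):
            for k in range(n1):
                for l in range(n2):
                    ii, jj, sgn = i + k, j + l, 1
                    if ii >= n1:  # wrap with x^n1 = -1
                        ii, sgn = ii - n1, -sgn
                    if jj >= n2:  # wrap with y^n2 = -1
                        jj, sgn = jj - n2, -sgn
                    res[ii][jj] = (res[ii][jj] + sgn * a[i][j] * b[k][l]) % q
    return res

def unimul(a, b, n, q):
    """Product in Z_q[z]/(z^n+1)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sgn = (i + j - n, -1) if i + j >= n else (i + j, 1)  # z^n = -1
            res[k] = (res[k] + sgn * ai * bj) % q
    return res

def collapse(a, n1, n2, q):
    """Ring map phi: x -> z^(n2/n1), y -> z into Z_q[z]/(z^n2+1); needs n1 | n2."""
    assert n2 % n1 == 0, "phi is only defined when the cyclotomics are non-coprime"
    step, res = n2 // n1, [0] * n2
    for i in range(n1):
        for j in range(n2):
            k, sgn = (i * step + j - n2, -1) if i * step + j >= n2 else (i * step + j, 1)
            res[k] = (res[k] + sgn * a[i][j]) % q
    return res

def bcv_demo(n1, n2, q, seed=0):
    """One constructed bivariate m-RLWE sample (a, b = a*s + e), ternary s and e, pushed through phi."""
    rng = random.Random(seed)
    rnd = lambda lo, hi: [[rng.randint(lo, hi) % q for _ in range(n2)] for _ in range(n1)]
    a, s, e = rnd(0, q - 1), rnd(-1, 1), rnd(-1, 1)
    b = [[(u + v) % q for u, v in zip(r1, r2)] for r1, r2 in zip(bimul(a, s, n1, n2, q), e)]
    a1, s1, e1, b1 = (collapse(p, n1, n2, q) for p in (a, s, e, b))
    t = unimul(a1, s1, n2, q)
    ok = all((b1[k] - t[k] - e1[k]) % q == 0 for k in range(n2))  # b1 = a1*s1 + e1 holds in RLWE
    cen = lambda v: v - q if v > q // 2 else v                     # centred representative
    # returns: relation holds?, original dimension n1*n2, collapsed dimension n2, max |e1| (<= n1)
    return ok, n1 * n2, n2, max(abs(cen(v)) for v in e1)
```

Because phi is a ring homomorphism, the collapsed error is a signed sum of at most n1 original coefficients, so for small n1 the resulting RLWE instance is about as easy as a plain univariate one of dimension n2; this is why the paper moves to instantiations on which no such map exists.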

Univariate RLWE and Homomorphic Encryption
Bivariate RLWE
BCV Attack
Secure Multivariate RLWE Instantiations
The Proposed Solution
Rationale on the Security of Our Solution
Division Algebras and Non-Norm Condition
Contributions
Structure
Worst Case Security of Multivariate RLWE
Multivariate Ring Learning with Errors
Algebraic Number Theory Background
Lattice Background
Gaussian Measures
Main Definitions for Multivariate Ring-LWE
Error Distributions
Pseudorandomness of m-RLWE
Proposed Approach for Secure Multivariate Rings
Multivariate RLWE as a Subset of RLWE
More General RLWE Instantiations
RLWE Over Any Number Field
Ad-Hoc Countermeasures to BCV Attack
Followed Strategy
Multiquadratic Rings
Multiquadratic RLWE
Comparison with Gaussian Integers
More General Multivariate Rings
Transformation Based on Modulus Switching
Valid and Practical Parameterizations for Multivariate Rings
Security of Multivariate RLWE and Example Instantiations
Resilience against Known Attacks
Geometric Interpretation and Examples of Multivariate RLWE
A Multivariate RLWE Sample
Multiquadratic Rings with Fast Walsh–Hadamard Transforms
Slot Manipulation in Multivariate Rings
Automorphisms in Multiquadratic Rings and Their Hypercube Structure
Automorphisms in Multivariate Power-of-Two Cyclotomic Rings
On the Applicability to More General Multivariate Rings
Improving on the Packing Capacity of Complex Numbers
Conclusions