Vulnerable Galois RLWE Families and Improved Attacks
Abstract
Lattice-based cryptography was introduced in the mid 1990s in two different forms, independently by Ajtai-Dwork [AD97] and Hoffstein-Pipher-Silverman [HPSS08]. Thanks to the work of Stehlé-Steinfeld [SS11], we now understand the NTRU cryptosystem introduced by Hoffstein-Pipher-Silverman to be a variant of a cryptosystem which has security reductions to the Ring Learning With Errors (RLWE) problem. The RLWE problem was introduced in [LPR13] as a version of the LWE problem [Reg09]: both problems have reductions to hard lattice problems and thus are interesting for practical applications in cryptography. RLWE has more structure which allows for greater efficiency, but also in some cases additional attacks. The hardness of RLWE is an important problem to study due to applications in cryptography, in particular as the basis of numerous homomorphic encryption schemes [BV11, BV14, BGV12, Bra12, SS11, LATV12, BLLN13]. Although so far in practical cryptographic applications only cyclotomic rings are used, it is interesting to study the hardness of RLWE for general number rings. Recently, new attacks on the RLWE problem for certain number rings and special moduli were introduced [EHL14, ELOS15, CLS15, CIV]. This paper is an extension of [CLS15], and here we explore further the hardness of the RLWE problem for various number rings, construct a new family of vulnerable Galois number fields, give improved attacks for certain rings satisfying some additional assumptions, and apply some number theoretic results on Gauss sums to deduce the likely failure of these attacks for cyclotomic rings and unramified moduli. To be more specific, the RLWE problem is stated given a choice of number ring of degree n, R, modulus q, and error distribution. In cryptographic applications, it is most efficient to sample the error distribution coordinate-wise according to a polynomial basis for the ring. 
For 2-power cyclotomic rings, which are monogenic with a well-behaved power basis, it is justified to sample the RLWE error distribution directly in the polynomial basis for the ring, according to results in [BV11, LPR13, EHL14], where the Polynomial Learning With Errors (PLWE) problem was introduced. Although the PLWE and RLWE problems are equivalent for 2-power cyclotomic fields, in general number rings the two problems are not at all equivalent, as was shown in [ELOS15]. For certain choices of ring, R, and modulus q, efficient attacks on PLWE were presented in [EHL14]. In [ELOS15], these attacks were extended to apply to the decision version of the RLWE problem in certain rings, and in [CLS15, CIV], attacks on the search version of the RLWE problem for certain choices of ring and modulus were presented. So it is important to study the hardness of both the PLWE and RLWE problems and the relationship between the two problems in general rings.
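To make the setup in the abstract concrete, the following added example (not code from the paper) builds PLWE samples in the 2-power cyclotomic ring Z[x]/(x^n + 1), samples the error coordinate-wise in the power basis, and exhibits the evaluation homomorphisms R/qR -> F_q that exist when x^n + 1 splits modulo q. The toy parameters n = 8 and q = 17 are constructed for illustration only.

```python
import random

# Constructed toy parameters (assumption, not from the paper): n = 8 is a power of
# two, so R = Z[x]/(x^n + 1) is the 2-power cyclotomic ring where PLWE = RLWE.
N = 8
Q = 17  # q = 1 mod 2n, so x^n + 1 splits completely into linear factors mod q

def poly_mul_mod(a, b, n=N, q=Q):
    """Multiply two polynomials (coefficient lists of length n) in Z_q[x]/(x^n + 1)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            # x^n = -1 in this ring, so a term of degree k >= n wraps with a sign flip
            if k >= n:
                res[k - n] = (res[k - n] - ai * bj) % q
            else:
                res[k] = (res[k] + ai * bj) % q
    return res

def sample_error(width, n=N, rng=random):
    """Sample the error coordinate-wise in the power basis: each coefficient is an
    independent rounded Gaussian of the given width (the PLWE error distribution)."""
    return [round(rng.gauss(0, width)) for _ in range(n)]

def plwe_sample(secret, width, n=N, q=Q, rng=random):
    """Return one PLWE sample (a, b) with b = a*s + e mod (q, x^n + 1), plus the error e."""
    a = [rng.randrange(q) for _ in range(n)]
    e = sample_error(width, n, rng)
    b = [(x + y) % q for x, y in zip(poly_mul_mod(a, secret, n, q), e)]
    return a, b, e

def recover_error(a, b, secret, n=N, q=Q):
    """With the secret known, b - a*s mod q recovers e (centred into (-q/2, q/2])."""
    diff = [(x - y) % q for x, y in zip(b, poly_mul_mod(a, secret, n, q))]
    return [d - q if d > q // 2 else d for d in diff]

def roots_of_xn_plus_1(n=N, q=Q):
    """All alpha in F_q with alpha^n = -1; each gives a ring homomorphism R/qR -> F_q."""
    return [alpha for alpha in range(q) if pow(alpha, n, q) == q - 1]

def evaluate(poly, alpha, q=Q):
    """Image of a polynomial under the evaluation homomorphism x -> alpha in F_q."""
    return sum(c * pow(alpha, i, q) for i, c in enumerate(poly)) % q
```

Because evaluation is a ring homomorphism, each sample (a, b) maps to a relation b(alpha) = a(alpha) s(alpha) + e(alpha) in F_q, and the distribution of e(alpha) is exactly what the attacks cited in the abstract examine (and what the paper argues stays close to uniform for cyclotomic rings).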
Related works
Security Considerations for Galois Non-dual RLWE Families
We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified...
Attacks on Search RLWE
We describe a new attack on the Search Ring Learning-With-Errors (RLWE) problem based on the chi-square statistical test, and give examples of RLWE instances in Galois number fields which are vulnerable to our attack. We prove a search-to-decision reduction for Galois fields which applies for any unramified prime modulus q, regardless of the residue degree f of q, and we use this in our attacks...
Attacks on the Search-RLWE problem with small errors
The Ring Learning-With-Errors (RLWE) problem shows great promise for post-quantum cryptography and homomorphic encryption. We describe a new attack on the non-dual search RLWE problem with small error widths, using ring homomorphisms to finite fields and the chi-square statistical test. In particular, we identify a “subfield vulnerability” (Section 5.2) and give a new attack which finds this vu...
Provably Weak Instances of Ring-LWE Revisited
In CRYPTO 2015, Elias, Lauter, Ozman and Stange described an attack on the non-dual decision version of the ring learning with errors problem (RLWE) for two special families of defining polynomials, whose construction depends on the modulus q that is being used. For particularly chosen error parameters, they managed to solve nondual decision RLWE given 20 samples, with a success rate ranging fr...
Attacks against search Poly-LWE
The Ring-LWE (RLWE) problem is expected to be a computationally-hard problem even with quantum algorithms. The Poly-LWE (PLWE) problem is closely related to the RLWE problem, and in practice a security base for various recently-proposed cryptosystems. In 2014, Eisentraeger et al. proposed attacks against the decision-variant of the PLWE problem (and in 2015, Elias et al. precisely described and...
Journal: IACR Cryptology ePrint Archive
Volume: 2016
Publication year: 2016