Article submitted to the ACM-SIAM Symposium on Discrete Algorithms, SODA 2017.
Abstract:The "Ring Learning with Errors" (RLWE) problem was formulated as a variant of the "Learning with Errors" (LWE) problem, with the purpose of taking advantage of an additional algebraic structure in the underlying considered lattices; this enables improvements on the efficiency and cipher expansion on those cryptographic applications which were previously based on the LWE problem. In Eurocrypt 2010, Lyubashevsky et al. introduced this hardness problem and showed its relation to some known hardness problems over lattices with a special structure. In this work, we generalize the results and the hardness problems presented by Lyubashevsky et al. to the more general case of multivariate rings, highlighting the main differences with respect to the security proof for the RLWE counterpart. We denote this hardness problem as "Multivariate Ring Learning with Errors" (m-RLWE or multivariate RLWE) and we show its relation to hardness problems over the tensor product of ideal lattices. Additionally, the m-RLWE problem is more adequate than its univariate version for cryptographic applications dealing with multidimensional structures.