Chen, Lauter, and Stange have announced two fast attack strategies
against various large instances of Search-Ring-LWE:
https://eprint.iacr.org/2015/971

The targeted rings are Galois, with a provable equivalence between
Search-Ring-LWE and Decision-Ring-LWE, and this equivalence is actually
exploited by the attack. It will be interesting to hear how this is
explained by people who have been advertising such equivalences as an
indication of security.

Peikert wrote that "LPR'10 proves that search-R-LWE is (quantumly) at
least as hard as worst-case Ideal-SVP, in the ring of integers R of
*any* number field". If this is correct then the new paper also breaks
worst-case Ideal-SVP for the targeted fields, also undermining the
notion that worst-case-to-average-case reductions are an indication of
security---the reductions here are attack tools!

The new paper also means that the scorecard of broken ideal-lattice
problems now includes not just some short-generator problems (e.g.,
poly-time post-quantum key recovery for the Smart--Vercauteren system)
but also some Search-Ring-LWE problems. If the choice of ring doesn't
matter for security then apparently we have to throw away _all_ crypto
based on the Ring-LWE problem.

I don't think the situation is actually so bad. All of the exciting new
attacks are relying on interesting number-theoretic features of the
targeted rings and moduli. Number-theoretic features exploited by the
main Chen--Lauter--Stange attack include

* a Galois field (converting a decision attack into a search attack),
* a modulus factoring into prime ideals of small norm (so the
quotient fields can be searched), and
* an extra condition that seems hard to characterize but that the
authors say is encouraged by index-2 subfields.

As a historical note, my ideal-lattice blog post recommended
* using "a very large Galois group" (exactly the opposite of using a
Galois field),
* taking a modulus whose quotient ring "is a field" (so the only
factor has huge norm), and
* taking a field "of prime degree" (so there aren't any intermediate
subfields).

I said that I was "eliminating the structures that I find worrisome in
existing ideal-lattice-based encryption systems", but of course there's
some amount of guesswork here; what ultimately matters is how far the
attacks can be pushed.

---Dan
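Added worked example (not code from the post above, nor from the Chen--Lauter--Stange paper): a small parameter check for two of the ring/modulus features in the two lists above. For a candidate ring R = Z[x]/(f(x)) and a prime modulus q it counts the prime ideals of norm q lying above q (the "small norm" factors whose quotient fields can be searched) and tests whether the quotient R/qR "is a field" (the modulus choice recommended in the second list). It assumes f is monic with deg f >= 2 and that q does not divide disc(f), so that the factorization of f mod q mirrors the factorization of the ideal (q) in R; the inputs in the demo (x^4+1 and x^3-x-1 with a few small primes) are constructed for illustration. It does not check the other two features, whether the field is Galois or has index-2 subfields. Pure Python 3.8+ (uses pow(c, -1, q) for inverses mod q).

```python
# Ring/modulus sanity check for R = Z[x]/(f(x)) with prime modulus q.
# Added example, not code from the post or the cited paper.  Assumes f is
# monic, deg f >= 2, and that the prime q does not divide disc(f), so that
#   * each distinct root of f mod q  <->  one prime ideal of norm q above q
#   * f irreducible mod q            <->  R/qR is the field F_{q^n}
# Polynomials are coefficient lists: index i holds the coefficient of x^i.
from typing import List

Poly = List[int]

def trim(a: Poly) -> Poly:
    """Drop leading zeros so that len(a) - 1 == deg(a); [] is the zero poly."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def sub(a: Poly, b: Poly, q: int) -> Poly:
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x - y) % q for x, y in zip(a, b)])

def rem(a: Poly, f: Poly, q: int) -> Poly:
    """Remainder of a modulo the monic polynomial f, over F_q."""
    a, df = trim([c % q for c in a]), len(f) - 1
    while len(a) - 1 >= df:
        shift, c = len(a) - 1 - df, a[-1]
        for i, fc in enumerate(f):
            a[shift + i] = (a[shift + i] - c * fc) % q
        a = trim(a)
    return a

def mulmod(a: Poly, b: Poly, f: Poly, q: int) -> Poly:
    prod = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] = (prod[i + j] + x * y) % q
    return rem(prod, f, q)

def powmod(base: Poly, e: int, f: Poly, q: int) -> Poly:
    result, base = [1], rem(base, f, q)
    while e:
        if e & 1:
            result = mulmod(result, base, f, q)
        base, e = mulmod(base, base, f, q), e >> 1
    return result

def gcd(a: Poly, b: Poly, q: int) -> Poly:
    """Monic gcd over F_q by Euclid's algorithm (q prime, so inverses exist)."""
    a, b = trim(a), trim(b)
    while b:
        inv = pow(b[-1], -1, q)
        b = [(c * inv) % q for c in b]          # rem() needs a monic divisor
        a, b = b, rem(a, b, q)
    return [(c * pow(a[-1], -1, q)) % q for c in a] if a else a

def normalize(f: Poly, q: int) -> Poly:
    f = trim([c % q for c in f])
    if len(f) < 3 or f[-1] != 1:
        raise ValueError("f must be monic mod q with degree >= 2")
    return f

def prime_divisors(n: int) -> List[int]:
    ps, d = [], 2
    while d * d <= n:
        if n % d == 0:
            ps.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return ps + [n] if n > 1 else ps

def degree_one_primes_above(f: Poly, q: int) -> int:
    """Number of prime ideals of norm q above q = number of distinct roots
    of f mod q = deg gcd(f, x^q - x)."""
    f, x = normalize(f, q), [0, 1]
    return len(gcd(f, sub(powmod(x, q, f, q), x, q), q)) - 1

def quotient_is_field(f: Poly, q: int) -> bool:
    """Rabin's test: f is irreducible over F_q (so R/qR is a field) iff
    x^(q^n) == x mod f and gcd(f, x^(q^(n/p)) - x) == 1 for every prime p | n."""
    f = normalize(f, q)
    n, x = len(f) - 1, [0, 1]
    h = [x]                                     # h[k] = x^(q^k) mod f
    for _ in range(n):
        h.append(powmod(h[-1], q, f, q))
    if sub(h[n], x, q):
        return False
    return all(len(gcd(f, sub(h[n // p], x, q), q)) == 1 for p in prime_divisors(n))

if __name__ == "__main__":
    # Constructed inputs: the 8th cyclotomic ring x^4+1 (Galois, disc 2^8) and
    # the prime-degree cubic x^3-x-1 (disc -23); primes chosen not to ramify.
    for name, f, primes in [("x^4+1", [1, 0, 0, 0, 1], (3, 5, 17)),
                            ("x^3-x-1", [-1, -1, 0, 1], (2, 3, 5))]:
        for q in primes:
            print(name, "q =", q, "norm-q primes:", degree_one_primes_above(f, q),
                  "R/qR is a field:", quotient_is_field(f, q))
```

Running it shows the contrast the two lists describe: x^4+1 with q = 17 (the NTT-friendly case q = 1 mod 8) splits completely into four norm-17 prime ideals and R/qR is never a field, since x^4+1 is reducible modulo every prime; x^3-x-1 stays irreducible modulo 2 and 3, so there the only prime above q has norm q^3, while modulo 5 it acquires one norm-5 factor.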