We prove the equivalence between the Ring Learning With Errors (RLWE) and the Polynomial Learning With Errors (PLWE) problems for the maximal totally real subfield of the $2^r 3^s$-th cyclotomic field for $r \geq 3$ and $s \geq 1$. Moreover, we describe a fast algorithm for computing the product of two elements in the ring of integers of these subfields. This multiplication algorithm has quasilinear complexity in the dimension of the field, as it makes use of the fast Discrete Cosine Transform (DCT). Our approach assumes that the two input polynomials are given in a basis of Chebyshev-like polynomials, in contrast to the customary power basis. To validate this assumption, we prove that the change of basis from the power basis to the Chebyshev-like basis can be computed with $\mathcal{O}(n \log n)$ arithmetic operations, where $n$ is the problem dimension. Finally, we provide a heuristic and theoretical comparison of the vulnerability to some attacks for the $p$-th cyclotomic field versus the maximal totally real subextension of the $4p$-th cyclotomic field for a reasonable set of parameters of cryptographic size.

翻译：我们证明了对于 $r \geq 3$ 和 $s \geq 1$，$2^r 3^s$ 次分圆域的极大全实子域上环上容错学习（RLWE）问题与多项式容错学习（PLWE）问题的等价性。此外，我们描述了一种快速算法，用于计算这些子域整数环中两个元素的乘积。该乘法算法具有拟线性复杂度，因为它利用了快速离散余弦变换（DCT）。我们的方法假设两个输入多项式是在切比雪夫类多项式基下给出的，而非通常的幂基。为验证这一假设，我们证明了从幂基到切比雪夫类基的基变换可通过 $\mathcal{O}(n \log n)$ 次算术运算完成，其中 $n$ 为问题维度。最后，针对密码学规模参数的合理集合，我们通过启发式和理论分析比较了 $p$ 次分圆域与 $4p$ 次分圆域的极大全实子扩张在某些攻击下的脆弱性。