(2026-04) A Primer on Dependency in Polynomial Product; Identify, Exploit, and Trim
2026-04-23
Many lattice-based encryption schemes admit a negligible but nonzero decryption failure rate (DFR), which is tied to both correctness and security through failure-based attacks. Several module-lattice constructions (e.g., LAC at NIST PQC Round 2 and DAWN at Asiacrypt 2025), as well as average-case noise analyses in FHE, estimate the DFR from one-coordinate marginals combined with an independence approximation across the coefficients of polynomial products. Geometrically, this approximation models the noise as uniformly distributed on a sphere. In the rare-event regime relevant to concrete security, the approximation can be optimistic: polynomial convolution introduces structured dependencies with no analogue in unstructured lattice settings, and the true noise spreads towards a cube rather than a sphere.
To make this effect explicit, we study polynomial products in power-of-two cyclotomic rings through a norm-wise decomposition. The decomposition separates an outer term (corresponding to the sphere's radius), which is effectively captured by coefficient-wise models, from an inner term (representing the uneven parts of the spherical surface) that measures convolution-induced dependencies. This gives an exact account of the heavier tails observed in polynomial products and of the gap between independence-based estimates and actual failure behavior.
This perspective has consequences for both attacks and design. On the attack side, it yields a principled proxy criterion for constructing high-DFR candidate ciphertexts in failure-based attacks. In particular, it explains why the attack of Guo et al. (Asiacrypt 2019) remains effective against LAC under fixed Hamming-weight sampling, and it improves failure-finding efficiency by identifying the underlying class of bad randomness pairs beyond pattern-based subsets. On the design side, it motivates trimming high-dependency samples during key generation and encryption. We provide a certified trimmed DFR bound based on conditional spectral control and a complementary three-vector heuristic DFR bound with experimental validation for calibrated interpretation. We formalize the resulting approach as generic frameworks TrimPKE and TrimKEM, prove security in the QROM while accounting for rejection, and instantiate them for LAC and DAWN as case studies.