Conference Paper

Polly Cracker, Revisited

DOI: 10.1007/978-3-642-25385-0_10 Conference: Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings
Source: DBLP

ABSTRACT

We initiate the formal treatment of cryptographic constructions ("Polly Cracker") based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded CPA security. Furthermore, we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly-Cracker-style scheme. On the positive side, we formalise noisy variants of the ideal membership, ideal remainder, and Gröbner basis problems. These problems can be seen as natural generalisations of the LWE problem and the approximate GCD problem over polynomial rings. We then show that noisy encoding of messages results in a fully IND-CPA-secure somewhat homomorphic encryption scheme. Our results provide a new family of somewhat homomorphic encryption schemes based on new, but natural, hard problems. Our results also imply that Regev's LWE-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters.

PollyCracker Revisited (slides)
Martin Albrecht (1), Pooya Farshim (2), Jean-Charles Faugère (1), Ludovic Perret (1)
1 SALSA Project - INRIA, UPMC, Univ Paris 06
2 Information Security Group, Royal Holloway, University of London
25 May 2011
Outline
- Motivation
- Gröbner Basics
- Gröbner Basis and Ideal Membership Problems
- Symmetric PollyCracker
- Symmetric to Asymmetric Conversion
- Noisy Variants
Homomorphic Encryption I
- From an algebraic perspective, homomorphic encryption can be seen as the ability to evaluate multivariate (Boolean) polynomials over ciphertexts.
- Hence, an instantiation of homomorphic encryption over the ring of multivariate polynomials itself is perhaps the most natural.
Homomorphic Encryption II
- Let $I \subseteq P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ be some ideal and denote by $\mathrm{Encode}()$ an injective function, with inverse $\mathrm{Decode}()$, that maps bits to elements in the quotient ring $P/I$.
- Assume that $\mathrm{Decode}(\mathrm{Encode}(m_0) \circ \mathrm{Encode}(m_1)) = m_0 \circ m_1$ for $\circ \in \{+, \cdot\}$.
- We can encrypt a message $m$ as $c = f + \mathrm{Encode}(m)$ for $f \in I$.
- Decryption is performed by computing remainders modulo $I$.
Homomorphic Encryption III
- This construction is somewhat homomorphic:
$$\begin{aligned}
c_0 + c_1 &= f_0 + \mathrm{Encode}(m_0) + f_1 + \mathrm{Encode}(m_1) \\
&= f + \mathrm{Encode}(m_0) + \mathrm{Encode}(m_1) \quad \text{for some } f \in I. \\
c_0 \cdot c_1 &= (f_0 + \mathrm{Encode}(m_0)) \cdot (f_1 + \mathrm{Encode}(m_1)) \\
&= f_0 \cdot f_1 + f_0 \cdot \mathrm{Encode}(m_1) + f_1 \cdot \mathrm{Encode}(m_0) + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) \\
&= f + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) \quad \text{for some } f \in I.
\end{aligned}$$
- This construction is Polly Cracker.
Homomorphic Encryption IV
- However, our confidence in Polly Cracker-style schemes has been shaken, as almost all such proposals are broken.
- It is a long-standing open research challenge to propose a secure Polly Cracker-style encryption scheme,
- ... even better if we can make it somewhat homomorphic.

Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree. Why you cannot even hope to use Gröbner bases in Public Key Cryptography: An open letter to a scientist who failed and a challenge to those who have not yet failed. Journal of Symbolic Computation, 18(6):497–501, 1994.
Notation I
- $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ with some ordering on monomials.
- $P_{\le b}$: elements in $P$ of degree at most $b$.
- $\mathrm{LM}(f)$ is the leading monomial appearing in $f \in P$.
- $\mathrm{LC}(f)$ is the coefficient corresponding to $\mathrm{LM}(f)$ in $f$.
- $\mathrm{LT}(f)$ is $\mathrm{LC}(f)\,\mathrm{LM}(f)$.
Notation II
An example in $\mathbb{F}[x, y, z]$ with term ordering deglex: $f = 3yz + 2x + 1$.
- $\mathrm{LM}(f) = yz$,
- $\mathrm{LC}(f) = 3$ and
- $\mathrm{LT}(f) = 3yz$.
Notation III
Definition (Generated Ideal)
Let $f_0, \ldots, f_{m-1}$ be polynomials in $P$. Define the set
$$\langle f_0, \ldots, f_{m-1} \rangle := \left\{ \sum_{i=0}^{m-1} h_i f_i \;:\; h_0, \ldots, h_{m-1} \in P \right\}.$$
This set $I$ is an ideal called the ideal generated by $f_0, \ldots, f_{m-1}$.
Notation IV
Definition (Gröbner Basis)
Let $I$ be an ideal of $\mathbb{F}[x_0, \ldots, x_{n-1}]$ and fix a monomial ordering. A finite subset
$$G = \{g_0, \ldots, g_{m-1}\} \subseteq I$$
is said to be a Gröbner basis of $I$ if for any $f \in I$ there exists $g_i \in G$ with $\mathrm{LM}(g_i) \mid \mathrm{LM}(f)$.

For each ideal $I$ and monomial ordering there is a unique reduced Gröbner basis, which can be computed in polynomial time from any Gröbner basis.
Gröbner bases allow us to compute remainders modulo $I$: $r = f \bmod I = f \bmod G$.
Characterisation of Gröbner bases I
Definition (S-Polynomial)
The S-polynomial of $f$ and $g$ is defined as
$$S(f, g) = \frac{x^{\gamma}}{\mathrm{LT}(f)} \cdot f - \frac{x^{\gamma}}{\mathrm{LT}(g)} \cdot g,$$
where $x^{\gamma} = \mathrm{LCM}(\mathrm{LM}(f), \mathrm{LM}(g))$.
Characterisation of Gröbner bases II
Definition (t-Representation)
Fix a monomial order and let $F = \{f_0, \ldots, f_{m-1}\} \subseteq P$ be an unordered set of polynomials and let $t$ be a monomial. Given a polynomial $f \in P$, we say that $f$ has a $t$-representation if $f$ can be written in the form
$$f = h_0 f_0 + \cdots + h_{m-1} f_{m-1},$$
such that whenever $h_i f_i \neq 0$, we have $h_i f_i \le t$.
Furthermore, we write $f \xrightarrow{F} 0$ if and only if $f$ has an $\mathrm{LM}(f)$-representation with respect to $F$.
Characterisation of Gröbner bases III
Theorem
A basis $G = \{g_0, \ldots, g_{s-1}\}$ for an ideal $I$ is a Gröbner basis if and only if $S(g_i, g_j) \xrightarrow{G} 0$ for all $i \neq j$.
Generating Gröbner bases

Algorithm 1: $\mathrm{GBGen}_{\mathrm{dense}}(1^{\lambda}, P, d)$
    begin
        for $0 \le i < n$ do
            for $0 \le j < |M_{<x_i^d}|$ do
                $c_{ij} \leftarrow_{\$} \mathbb{F}_q$;
            $g_i \leftarrow x_i^d + \sum_j c_{ij} m_j$;
        return $(g_0, \ldots, g_{n-1})$;
    end
(Here $M_{<x_i^d}$ denotes the monomials $m_j$ that are smaller than $x_i^d$ in the monomial order.)

Theorem
Let $f, g \in \mathbb{F}[x_0, \ldots, x_{n-1}]$ with $a = \mathrm{LM}(f)$ and $b = \mathrm{LM}(g)$ and $\mathrm{LCM}(a, b) = a \cdot b$. Then $S(f, g) \xrightarrow{\{f, g\}} 0$.

Since the leading monomials $x_i^d$ of the $g_i$ are pairwise coprime, this theorem together with the characterisation above shows that the output of $\mathrm{GBGen}_{\mathrm{dense}}$ is a Gröbner basis.
Formalising the Problems I

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $f \leftarrow f - (f \bmod G)$;
        return $f$;
    end

    proc. Finalize($G'$):
    begin
        return $(G = G')$;
    end

Figure 1: Game $\mathrm{GB}_{P, \mathrm{GBGen}(\cdot), d, b, m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.
Formalising the Problems II
Definition (Gröbner Basis (GB) Problem)
The advantage of a ppt algorithm $A$ in solving the Gröbner basis problem with respect to basis generation algorithm $\mathrm{GBGen}(\cdot)$ is defined by
$$\mathrm{Adv}^{\mathrm{gb}}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot), A}(\lambda) := \Pr\left[\mathrm{GB}^{A}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}(\lambda) \Rightarrow \mathrm{T}\right],$$
where game $\mathrm{GB}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}$ is shown in Figure 1.
Formalising the Problems III

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $f \leftarrow f - (f \bmod G)$;
        return $f$;
    end

    proc. Challenge():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        return $f$;
    end

    proc. Finalize($r'$):
    begin
        return $(r' = f \bmod G)$;
    end

Figure 2: Game $\mathrm{IR}_{P, \mathrm{GBGen}(\cdot), d, b, m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.
Formalising the Problems IV
Definition (Ideal Remainder (IR) Problem)
The advantage of a ppt algorithm $A$ in solving the ideal remainder problem is defined by
$$\mathrm{Adv}^{\mathrm{ir}}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot), A}(\lambda) := \Pr\left[\mathrm{IR}^{A}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}(\lambda) \Rightarrow \mathrm{T}\right] - 1/C(\lambda),$$
where game $\mathrm{IR}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}$ is shown in Figure 2.
Formalising the Problems V

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        $c \leftarrow_{\$} \{0, 1\}$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $f \leftarrow f - (f \bmod G)$;
        return $f$;
    end

    proc. Challenge():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        if $c = 1$ then
            $f \leftarrow f - (f \bmod G)$;
        return $f$;
    end

    proc. Finalize($c'$):
    begin
        return $(c = c')$;
    end

Figure 3: Game $\mathrm{IM}_{P, \mathrm{GBGen}(\cdot), d, b, m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.
Formalising the Problems VI
Definition (Ideal Membership (IM) Problem)
The advantage of a ppt algorithm $A$ in solving the ideal membership problem is defined by
$$\mathrm{Adv}^{\mathrm{im}}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot), A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IM}^{A}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}(\lambda) \Rightarrow \mathrm{T}\right] - 1,$$
where game $\mathrm{IM}_{P, \mathrm{GBGen}(\cdot), d, b, m(\cdot)}$ is shown in Figure 3.

Note
We can view the IM problem as the decisional version of the IR problem.
Hardness I
Lemma (IR ⇔ GB)
For any ppt adversary $A$ against the IR problem, there exists a ppt adversary $B$ against the GB problem such that
$$\mathrm{Adv}^{\mathrm{ir}}_{P, \mathrm{GBGen}(\cdot), d, b, m, A}(\lambda) \le \mathrm{poly}(\lambda) \cdot \mathrm{Adv}^{\mathrm{gb}}_{P, \mathrm{GBGen}(\cdot), d, b, m, B}(\lambda).$$
Conversely, for any ppt adversary $B$ against the GB problem, there exists a ppt adversary $A$ against the IR problem such that
$$\mathrm{Adv}^{\mathrm{gb}}_{P, \mathrm{GBGen}(\cdot), d, b, m, B}(\lambda) = \mathrm{Adv}^{\mathrm{ir}}_{P, \mathrm{GBGen}(\cdot), d, b, m, A}(\lambda).$$
Hardness II
Proof for first direction.
Consider an arbitrary element $g_i$ in the Gröbner basis $G$. We can write $g_i$ as $m_i + \tilde g_i$ for some $\tilde g_i < g_i$ and $m_i = \mathrm{LM}(g_i)$.
Now, assume the normal form of $m_i$ is $r_i$ and suppose that $r_i < m_i$. This implies that $m_i = \sum_{j=0}^{n-1} h_j g_j + r_i$ for some $h_j \in P$. Hence, we have $m_i - r_i \in \langle G \rangle$: an element of $\langle G \rangle$ with leading monomial $m_i$.
Repeat this process for all monomials up to and including degree $d$ and accumulate the results $m_i - r_i$ in a list $\tilde G$.
The list $\tilde G$ is a list of elements of $\langle G \rangle$ with $\mathrm{LM}(\tilde G) \supseteq \mathrm{LM}(G)$, which implies that $\tilde G$ is a Gröbner basis.
We cannot amplify our confidence since we only have a limited number of samples.
Hardness III
IR ⇔ IM
When the search space of remainders is $\mathrm{poly}(\lambda)$, the IM and IR problems are equivalent, since the attacker can exhaustively search for the remainder using the IM oracle.
Thus, we have a decision-to-search reduction for some parameters.
Hardness IV
Assuming that $f_0, \ldots, f_{m-1}$ is a random system, the complexity of the currently best known algorithms (i.e. with $F_5$) to solve the GB problem is given by
$$O\left(\binom{n + D}{D}^{\omega}\right) = O\left((n^{D})^{\omega}\right),$$
where $2 \le \omega < 3$ is the linear algebra constant, and $D$ is given by the index of the first non-positive coefficient of
$$\sum_{k \ge 0} c_k z^{k} = \frac{(1 - z^{b})^{m}}{(1 - z)^{n}}.$$
Thus Gröbner bases are exponential in $n$ if $D$ is polynomial in $n$.
Hardness V
Corollary
Let $c \ge 0$. Then for $m(\lambda) = c \cdot n(\lambda)$ or $m(\lambda) = c \cdot n(\lambda)^{b}$ polynomials of degree $b$ in some ideal $I$, the Gröbner basis of $I$ can be computed in exponential or polynomial time in $n(\lambda)$ respectively.

Definition (GB/IR/IM Assumption)
Let $P$ be such that $n(\lambda) = (\lambda)$. Assume $b \ge d > 0$, $b > 1$, and that $m(\lambda) = c \cdot n(\lambda)$ for a constant $c \ge 1$. Then the advantage of any ppt algorithm in solving the GB/IR/IM problem is negligible as a function of $\lambda$.
Symmetric PollyCracker I

    Algo. $\mathrm{Gen}_{P, \mathrm{GBGen}(\cdot), d, b}(1^{\lambda})$:
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        $\mathrm{SK} \leftarrow (G, P, b)$;
        $\mathrm{PK} \leftarrow (P, b)$;
        return $(\mathrm{SK}, \mathrm{PK})$;
    end

    Algo. Enc($m$, SK):
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $f \leftarrow f - (f \bmod G)$;
        $c \leftarrow m + f$;
        return $c$;
    end

    Algo. Dec($c$, SK):
    begin
        $m \leftarrow c \bmod G$;
        return $m$;
    end

    Algo. Eval($c_0, \ldots, c_{t-1}$, $C$, PK):
    begin
        apply the Add and Mult gates of $C$ over $P$;
        return the result;
    end

Figure 4: The noise-free symmetric Polly Cracker scheme $\mathrm{SPC}_{P, \mathrm{GBGen}(\cdot), d, b}$.
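As an added worked instance (example code written for this page, not the authors' implementation), the scheme of Figure 4 for $d = 1$: GBGen then outputs $G = \{x_i - s_i\}$, which is already a reduced Gröbner basis, and the remainder of a polynomial modulo $G$ is its evaluation at $s$, so $P/I \cong \mathbb{F}_q$ and messages are field elements. The toy parameters $q = 257$, $n = 4$, $b = 2$ and the circuit helper are assumptions of this example; the demo evaluates $c_0 \cdot c_1 + c_2$ over $P$ and checks that decryption recovers $m_0 m_1 + m_2$.

```python
import random
from itertools import combinations_with_replacement

# Constructed toy parameters (an assumption of this example, not the paper's parameters).
Q = 257        # the field F_q
N_VARS = 4     # n: number of variables x_0, ..., x_{n-1}
DEG_B = 2      # b: degree bound for the random polynomial drawn in Enc

# A polynomial in P = F_q[x_0, ..., x_{n-1}] is a dict {exponent_tuple: coefficient mod Q}.

def _trim(f):
    return {m: c for m, c in f.items() if c}

def poly_add(f, g):
    h = dict(f)
    for mon, c in g.items():
        h[mon] = (h.get(mon, 0) + c) % Q
    return _trim(h)

def poly_mul(f, g):
    h = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            mon = tuple(a + b for a, b in zip(m1, m2))
            h[mon] = (h.get(mon, 0) + c1 * c2) % Q
    return _trim(h)

def const(c):
    """The constant polynomial c; messages live in P/I = F_q, so Encode is the identity on constants."""
    return _trim({(0,) * N_VARS: c % Q})

def random_poly(b):
    """Uniform element of P_{<=b}: an independent uniform coefficient for every monomial of degree <= b."""
    f = {}
    for deg in range(b + 1):
        for picked in combinations_with_replacement(range(N_VARS), deg):
            exps = [0] * N_VARS
            for v in picked:
                exps[v] += 1
            f[tuple(exps)] = random.randrange(Q)
    return _trim(f)

def reduce_mod_G(f, s):
    """f mod G for G = {x_i - s_i}: each x_i is replaced by s_i, so the remainder is the constant f(s)."""
    r = 0
    for mon, c in f.items():
        term = c
        for s_i, e in zip(s, mon):
            term = term * pow(s_i, e, Q) % Q
        r = (r + term) % Q
    return r

def gen():
    """Gen with d = 1: GBGen outputs G = {x_i - s_i} for uniform s_i, already a reduced Groebner basis.
    SK = (G, P, b) is represented by s alone; PK = (P, b) carries no secret."""
    return [random.randrange(Q) for _ in range(N_VARS)]

def enc(m, s):
    f = random_poly(DEG_B)
    f = poly_add(f, const(-reduce_mod_G(f, s)))   # f <- f - (f mod G): now f lies in the ideal I = <G>
    return poly_add(const(m), f)                  # c <- m + f

def dec(c, s):
    return reduce_mod_G(c, s)                     # m <- c mod G

def eval_circuit(cts, circuit):
    """Eval: apply the Add/Mult gates of C over P. circuit is a list of (op, i, j) over wire indices;
    the k-th gate's output becomes wire len(cts) + k, and the last wire is the result."""
    wires = list(cts)
    for op, i, j in circuit:
        wires.append(poly_add(wires[i], wires[j]) if op == "add" else poly_mul(wires[i], wires[j]))
    return wires[-1]

def homomorphic_demo(m0, m1, m2):
    """Encrypts m0, m1, m2, evaluates c0 * c1 + c2 over the ring and decrypts; returns (decrypted, expected)."""
    s = gen()
    cts = [enc(m, s) for m in (m0, m1, m2)]
    result = eval_circuit(cts, [("mul", 0, 1), ("add", 3, 2)])   # wire 3 = c0 * c1; wire 4 = wire 3 + c2
    return dec(result, s), (m0 * m1 + m2) % Q
```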
Security I
The $m(\cdot)$-time IND-CPA security of a (homomorphic) symmetric-key encryption scheme is defined in the usual way by requiring that the advantage of any probabilistic polynomial-time adversary $A$,
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m(\cdot), \mathrm{SKE}, A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IND\text{-}BCPA}^{A}_{m(\cdot), \mathrm{SKE}}(\lambda) \Rightarrow \mathrm{T}\right] - 1,$$
is negligible as a function of the security parameter $\lambda$. The difference from the usual CPA security is that the adversary can query the encryption oracle at most $m(\lambda)$ times.
Security II
Theorem
Let $A$ be a ppt adversary against the $m$-time IND-BCPA security of the scheme described in Figure 4. Then there exists a ppt adversary $B$ against the IM problem such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m, \mathrm{SPC}, A}(\lambda) = 2 \cdot \mathrm{Adv}^{\mathrm{im}}_{P, \mathrm{GBGen}(\cdot), d, b, m, B}(\lambda).$$
Conversely, let $A$ be a ppt adversary against the IM problem. Then there exists a ppt adversary $B$ against the $m$-time IND-BCPA security of the scheme described in Figure 4 such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{im}}_{P, \mathrm{GBGen}(\cdot), d, b, m, A}(\lambda) = \mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m, \mathrm{SPC}, B}(\lambda).$$
Conversions in the Literature
- There are a few techniques in the literature which convert an IND-CPA symmetric additively homomorphic scheme to an IND-CPA public-key additively homomorphic scheme.
- One such conversion is to publish $N$ encryptions of zero $f_0, \ldots, f_{N-1}$ and to encrypt as
  $$c = \sum_{s \in S} f_s + m,$$
  where $S$ is a subset of $\{0, \ldots, N-1\}$.
While PollyCracker is additively homomorphic and secure up to some bound, none of the proposed conversions give a secure scheme.
Impossibility Result I
Theorem (Dickenstein, Fitchas, Giusti, and Sessa)
Let $I = \langle f_0, \ldots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$, $h$ be such that $\deg(h) \le D$, and
$$h - (h \bmod I) = \sum_{i=0}^{m-1} h_i f_i,$$
where $h_i \in P$ and $\deg(h_i f_i) \le D$.
Let $G$ be the output of some Gröbner basis computation algorithm up to degree $D$ (i.e. all computations with degree greater than $D$ are ignored and dropped). Then $h \bmod I$ can be computed by polynomial reduction of $h$ via $G$.
Impossibility Result II
Theorem
Let $I = \langle f_0, \ldots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$. If there is a ppt algorithm $A$ which samples elements from $I$ uniformly given only $f_0, \ldots, f_{m-1} \in I$, then there exists a ppt algorithm $B$ which computes a Gröbner basis for $I$.

Proof.
We can compute the normal forms of any $f$ produced by $A$ in polynomial time since we know $f_0, \ldots, f_{m-1}$. If $f$ is arbitrary in the ideal $I$, we know that normal forms are equivalent to Gröbner basis computations. Thus, we have a polynomial-time algorithm for computing Gröbner bases.
Discrete Gaussian
A noise distribution $\chi$ will parametrise various games below. The discrete Gaussian distribution is of particular interest to us.
Definition (Discrete Gaussian Distribution)
Let $\alpha > 0$ be a real number and $q \in \mathbb{N}$. The discrete Gaussian distribution $\chi_{\alpha, q}$ is a Gaussian distribution with mean zero and standard deviation $\alpha q$, rounded to the nearest integer and reduced modulo $q$.
Gröbner Bases with Noise I

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $e \leftarrow_{\$} \chi$;
        $f \leftarrow f - (f \bmod G) + e$;
        return $f$;
    end

    proc. Finalize($G'$):
    begin
        $\tilde G \leftarrow$ reduced GB of $G$;
        $\tilde G' \leftarrow$ reduced GB of $G'$;
        return $(\tilde G = \tilde G')$;
    end

Figure 5: Game $\mathrm{GBN}_{P, \mathrm{GBGen}(\cdot), d, b}$.
Gröbner Bases with Noise II
Definition (Gröbner Basis with Noise (GBN) Problem)
The Gröbner Basis with Noise Problem is defined through game $\mathrm{GBN}_{P, \mathrm{GBGen}(\cdot), d, b}$ as shown in Figure 5. The advantage of a ppt algorithm $A$ in solving the GBN problem is
$$\mathrm{Adv}^{\mathrm{gbn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, A}(\lambda) := \Pr\left[\mathrm{GBN}^{A}_{P, \mathrm{GBGen}(\cdot), d, b}(\lambda) \Rightarrow \mathrm{T}\right].$$
Note that we do not impose a restriction on the number of samples any more.
Ideal Remainders with Noise I

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $e \leftarrow_{\$} \chi$;
        $f \leftarrow f - (f \bmod G) + e$;
        return $f$;
    end

    proc. Challenge():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        return $f$;
    end

    proc. Finalize($r'$):
    begin
        return $(r' = f \bmod G)$;
    end

Figure 6: Game $\mathrm{IRN}_{P, \mathrm{GBGen}(\cdot), d, b}$.
Ideal Remainders with Noise II
Definition (Ideal Remainder with Noise (IRN) Problem)
The Ideal Remainder with Noise Problem is defined through game $\mathrm{IRN}_{P, \mathrm{GBGen}(\cdot), d, b}$ as shown in Figure 6. The advantage of a ppt algorithm $A$ in solving the IRN problem is
$$\mathrm{Adv}^{\mathrm{irn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, A}(\lambda) := \Pr\left[\mathrm{IRN}^{A}_{P, \mathrm{GBGen}(\cdot), d, b}(\lambda) \Rightarrow \mathrm{T}\right] - 1/C(\lambda).$$

Lemma (IRN Hard ⇐ GBN Hard)
For any ppt adversary $A$ against the IRN problem, there exists a ppt adversary $B$ against the GBN problem such that
$$\mathrm{Adv}^{\mathrm{irn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, A}(\lambda) \le \mathrm{Adv}^{\mathrm{gbn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, B}(\lambda).$$
... and vice versa.
Ideal Membership with Noise (Ideal Coset) I

    proc. Initialize($1^{\lambda}$, $P$, $d$):
    begin
        $P \leftarrow_{\$} \mathcal{P}_{\lambda}$;
        $G \leftarrow_{\$} \mathrm{GBGen}(1^{\lambda}, P, d)$;
        $c \leftarrow_{\$} \{0, 1\}$;
        return $(1^{\lambda}, P)$;
    end

    proc. Sample():
    begin
        $f \leftarrow_{\$} P_{\le b}$;
        $e \leftarrow_{\$} \chi$;
        $f \leftarrow f - (f \bmod G) + e$;
        return $f$;
    end

    proc. Challenge():
    begin
        $f, e \leftarrow_{\$} P_{\le b}, \chi$;
        if $c = 0$ then
            $f \leftarrow f - (f \bmod G) + e$;
        return $f$;
    end

    proc. Finalize($c'$):
    begin
        return $(c' = c)$;
    end

Figure 7: Game $\mathrm{IMN}_{P, \mathrm{GBGen}(\cdot), d, b}$.
Ideal Membership with Noise (Ideal Coset) II
Definition (Ideal Membership with Noise (IMN) Problem)
The Ideal Membership with Noise (IMN) Problem is defined as a game, denoted $\mathrm{IMN}_{P, \mathrm{GBGen}(\cdot), d, b}$, shown in Figure 7. The advantage of a ppt algorithm $A$ in solving the ideal membership with noise problem is defined by
$$\mathrm{Adv}^{\mathrm{imn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IMN}^{A}_{P, \mathrm{GBGen}(\cdot), d, b}(\lambda) \Rightarrow \mathrm{T}\right] - 1.$$

Lemma (IMN Hard ⇐ IRN Hard)
For any ppt adversary $A$ against the IMN problem, there exists a ppt adversary $B$ against the IRN problem such that
$$\mathrm{Adv}^{\mathrm{imn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, A}(\lambda) \le \mathrm{Adv}^{\mathrm{irn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi, B}(\lambda),$$
if $q(\lambda)^{\dim_{\mathbb{F}_q}(P(\lambda)/\mathrm{GBGen}(\cdot))}$ is polynomial in $\lambda$.
... and vice versa.
Security I
Lemma (LWE Hard ⇒ GBN Hard for $d = 1$, $b = 1$)
Let $q$ be a prime number. Then for any ppt adversary $A$ against the GBN problem with $b = d = 1$, there exists a ppt adversary $B$ against the LWE problem such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P, \mathrm{GBGen}(\cdot), 1, 1, \chi, A}(\lambda) = \mathrm{Adv}^{\mathrm{lwe}}_{n, q, \chi, B}(\lambda).$$
Proof.
Whenever $A$ calls its Sample oracle, $B$ queries its own Sample oracle to obtain $(a, b)$ where $a = (a_0, \ldots, a_{n-1})$. It returns $\sum a_i x_i - b$ to $A$. When $A$ calls its Finalize on $G$, since $d = 1$, we may assume that $G$ is of the form $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$ with $s_i \in \mathbb{F}_q$. Algorithm $B$ terminates by calling its Finalize oracle on $s = (s_0, \ldots, s_{n-1})$.
Security II
Lemma (GBN Hard for $2b$ ⇒ GBN Hard for $b$)
For any ppt adversary $A$ against the GBN problem at degree $b$ with noise $\chi_{\alpha, q}$, there exists a ppt adversary $B$ against the GBN problem at degree $2b$ with noise $\chi_{N\alpha^{2} q, q}$ such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P, \mathrm{GBGen}(\cdot), d, b, \chi_{\alpha, q}, A}(\lambda) = \mathrm{Adv}^{\mathrm{gbn}}_{P, \mathrm{GBGen}(\cdot), d, 2b, \chi_{N\alpha^{2} q, q}, B}(\lambda)$$
for $N = \binom{n + b}{b}$.
Proof.
Multiply samples $f_i, f_j$ to get $f_{i,j} = f_i \cdot f_j$. To ensure sufficient randomness, sum up $N$ such products.
Security III
Approximate GCD:
- The GBN problem for $n = 1$ is the approximate GCD problem over $\mathbb{F}_q[x]$.
- This problem has not yet received much attention, and hence it is unclear under which parameters it is hard.
- However, the notion of a Gröbner basis can be extended to $\mathbb{Z}[x_0, \ldots, x_{n-1}]$.
- This implies a version of the GBN problem over $\mathbb{Z}$.
- This can be seen as a direct generalisation of the approximate GCD problem in $\mathbb{Z}$.
Security IV
GBN over $\mathbb{F}_2$:
- For $d = 1$ and $q = 2$ we can reduce Max-3SAT instances to GBN instances by translating each clause individually to a Boolean polynomial.
- The Gröbner basis returned by an arbitrary algorithm $A$ solving GBN using a bounded number of samples will provide a solution to the Max-3SAT problem.
- Vice versa, we may convert a GBN problem for $d = 1$ to a Max-SAT problem (more precisely Partial Max-SAT) by running an ANF to CNF conversion algorithm.
Security V
Best known attack (for $d = 1$):
- We reduce GBN to a larger LWE instance.
- Denote by $N = \binom{n + b}{b}$ the number of monomials up to degree $b$.
- Let $M : P \to \mathbb{F}_q^{N}$ be a function which maps polynomials in $P$ to vectors in $\mathbb{F}_q^{N}$ by assigning to the $i$-th component of the image vector the coefficient of the $i$-th monomial of $M_b$.
- Reply to each Sample query by the LWE oracle by calling the GBN Sample oracle to retrieve $f$, compute $v = M(f)$ and return $(a, b)$ with $a = (v_{N-1}, \ldots, v_1)$ and $b = v_0$.
- When the LWE oracle queries its Finalize with $s$, query the GBN Finalize with $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$.
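An added example (written for this page, not the paper's code) of the translation above, serving also the LWE lemma of Security I: a GBN sample for $d = 1$ is drawn with the discrete Gaussian of the Discrete Gaussian slide, mapped by $M$ to its coefficient vector, split into $(a, b)$ with $a = (v_{N-1}, \ldots, v_1)$, $b = v_0$, and checked against the linearised secret (the non-constant monomials evaluated at $s$, negated because $b = v_0$), which leaves exactly the noise $e$; for $b = 1$ the vector is the $\sum a_i x_i - b$ sample of Security I up to that sign. The toy parameters $q = 4093$, $n = 3$, $b = 2$, $\alpha = 0.002$ and the helper names are assumptions of this example.

```python
import random
from itertools import combinations_with_replacement
from math import comb

# Constructed toy parameters (assumptions of this example, not the paper's): F_q, n variables, degree b, noise width.
Q = 4093
N_VARS = 3
DEG_B = 2
ALPHA = 0.002

def monomials_up_to(b):
    """M_b: all monomials of degree <= b as exponent tuples; index 0 is the constant monomial 1."""
    mons = []
    for deg in range(b + 1):
        for picked in combinations_with_replacement(range(N_VARS), deg):
            exps = [0] * N_VARS
            for v in picked:
                exps[v] += 1
            mons.append(tuple(exps))
    return mons

MONS = monomials_up_to(DEG_B)
N_MONS = len(MONS)                         # N = C(n + b, b), the number of monomials up to degree b
assert N_MONS == comb(N_VARS + DEG_B, DEG_B)

def sample_chi(alpha, q):
    """The discrete Gaussian chi_{alpha,q} of the slides: a Gaussian of std alpha*q, rounded, reduced mod q."""
    return round(random.gauss(0, alpha * q)) % q

def eval_mon(mon, s):
    v = 1
    for s_i, e in zip(s, mon):
        v = v * pow(s_i, e, Q) % Q
    return v

def gbn_sample(s):
    """Sample oracle of game GBN for d = 1 (G = {x_i - s_i}): f <-$ P_{<=b}; e <-$ chi; f <- f - (f mod G) + e.
    Polynomials are kept directly as their coefficient vector v = M(f) over MONS. Returns (v, e)."""
    v = [random.randrange(Q) for _ in MONS]
    f_mod_G = sum(c * eval_mon(m, s) for c, m in zip(v, MONS)) % Q   # remainder mod {x_i - s_i} is f(s)
    e = sample_chi(ALPHA, Q)
    v[0] = (v[0] - f_mod_G + e) % Q    # subtracting the constant f(s) only changes the constant coefficient
    return v, e

def to_lwe(v):
    """The translation of Security V: a = (v_{N-1}, ..., v_1), b = v_0."""
    return list(reversed(v[1:])), v[0]

def linearised_secret(s):
    """Secret of the larger LWE instance in the coordinates of a: the non-constant monomials evaluated at s.
    The sign is flipped because f(s) = e means v_0 = e - sum_{j>=1} v_j m_j(s)."""
    return [(-eval_mon(m, s)) % Q for m in reversed(MONS[1:])]

def lwe_residual(a, b, s_lin):
    """b - <a, s_lin> mod q; for a translated GBN sample this is exactly the GBN noise e."""
    return (b - sum(x * y for x, y in zip(a, s_lin))) % Q

def recover_basis(s_lin):
    """The Finalize translation: read s_i off the degree-1 coordinates of the LWE secret and
    return G = [x_0 - s_0, ..., x_{n-1} - s_{n-1}] as the list (s_0, ..., s_{n-1})."""
    s = [None] * N_VARS
    for val, mon in zip(s_lin, reversed(MONS[1:])):
        if sum(mon) == 1:
            s[mon.index(1)] = (-val) % Q
    return s

def check_translation(s):
    """One GBN sample pushed through the translation: returns (residual, e); they agree for every sample."""
    v, e = gbn_sample(s)
    a, b = to_lwe(v)
    return lwe_residual(a, b, linearised_secret(s)), e
```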
Polly Cracker with Noise
- GBN/IRN/IMN allow us to construct a noisy version of our symmetric Polly Cracker scheme: SPCN.
- SPCN is IND-CPA under the GBN assumption.
- Using any symmetric-to-asymmetric conversion from the literature, this leads to a public-key Polly Cracker scheme.
- This scheme is somewhat homomorphic and can support a fixed but arbitrary number of multiplications.
- This also implies that Regev's public-key scheme based on LWE is multiplicatively homomorphic under some choice of parameters.

Remark
We implemented a toy version of this scheme.