Conference Paper

# Polly Cracker, Revisited

DOI: 10.1007/978-3-642-25385-0_10 Conference: Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings
Source: DBLP

ABSTRACT

We initiate the formal treatment of cryptographic constructions ("Polly Cracker") based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded CPA security. Furthermore, we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly-Cracker-style scheme. On the positive side, we formalise noisy variants of the ideal membership, ideal remainder, and Gröbner basis problems. These problems can be seen as natural generalisations of the LWE problem and the approximate GCD problem over polynomial rings. We then show that noisy encoding of messages results in a fully IND-CPA-secure somewhat homomorphic encryption scheme. Our results provide a new family of somewhat homomorphic encryption schemes based on new, but natural, hard problems. Our results also imply that Regev's LWE-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters.

### Full-text

#### PollyCracker Revisited

Martin Albrecht (1), Pooya Farshim (2), Jean-Charles Faugère (1), Ludovic Perret (1)

- (1) SALSA Project - INRIA, UPMC, Univ Paris 06
- (2) Information Security Group, Royal Holloway, University of London

25 May 2011
#### Outline

- Motivation
- Gröbner Basics
- Gröbner Basis and Ideal Membership Problems
- Symmetric PollyCracker
- Symmetric to Asymmetric Conversion
- Noisy Variants
#### Homomorphic Encryption I

- From an algebraic perspective, homomorphic encryption can be seen as the ability to evaluate multivariate (Boolean) polynomials over ciphertexts.
- Hence, an instantiation of homomorphic encryption over the ring of multivariate polynomials itself is perhaps the most natural.
#### Homomorphic Encryption II

- Let $I \subset P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ be some ideal and denote by $\mathrm{Encode}()$ an injective function, with inverse $\mathrm{Decode}()$, that maps bits to elements in the quotient ring $P/I$.
- Assume that $\mathrm{Decode}(\mathrm{Encode}(m_0) \circ \mathrm{Encode}(m_1)) = m_0 \circ m_1$ for $\circ \in \{+, \cdot\}$.
- We can encrypt a message $m$ as $c = f + \mathrm{Encode}(m)$ for $f \in I$.
- Decryption is performed by computing remainders modulo $I$.
#### Homomorphic Encryption III

- This construction is somewhat homomorphic:

$$c_0 + c_1 = f_0 + \mathrm{Encode}(m_0) + f_1 + \mathrm{Encode}(m_1) = f + \mathrm{Encode}(m_0) + \mathrm{Encode}(m_1) \quad \text{for some } f \in I.$$

$$\begin{aligned}
c_0 \cdot c_1 &= (f_0 + \mathrm{Encode}(m_0)) \cdot (f_1 + \mathrm{Encode}(m_1)) \\
&= f_0 \cdot f_1 + f_0 \cdot \mathrm{Encode}(m_1) + f_1 \cdot \mathrm{Encode}(m_0) + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) \\
&= f + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) \quad \text{for some } f \in I.
\end{aligned}$$

- This construction is Polly Cracker.
#### Homomorphic Encryption IV

- However, our confidence in Polly Cracker-style schemes has been shaken, as almost all such proposals are broken.
- It is a long-standing open research challenge to propose a secure Polly Cracker-style encryption scheme,
- ... even better if we can make it somewhat homomorphic.

Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree. Why you cannot even hope to use Gröbner bases in Public Key Cryptography: An open letter to a scientist who failed and a challenge to those who have not yet failed. Journal of Symbolic Computation, 18(6):497–501, 1994.
#### Notation I

- $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$ with some ordering on monomials.
- $P_{\le b}$: the elements of $P$ of degree at most $b$.
- $\mathrm{LM}(f)$ is the leading monomial appearing in $f \in P$.
- $\mathrm{LC}(f)$ is the coefficient corresponding to $\mathrm{LM}(f)$ in $f$.
- $\mathrm{LT}(f)$ is $\mathrm{LC}(f)\,\mathrm{LM}(f)$.
#### Notation II

An example in $\mathbb{F}[x, y, z]$ with term ordering deglex: $f = 3yz + 2x + 1$

- $\mathrm{LM}(f) = yz$,
- $\mathrm{LC}(f) = 3$ and
- $\mathrm{LT}(f) = 3yz$.
#### Notation III

Definition (Generated Ideal). Let $f_0, \ldots, f_{m-1}$ be polynomials in $P$. Define the set
$$\langle f_0, \ldots, f_{m-1} \rangle := \left\{ \sum_{i=0}^{m-1} h_i f_i \;:\; h_0, \ldots, h_{m-1} \in P \right\}.$$
This set $I$ is an ideal, called the ideal generated by $f_0, \ldots, f_{m-1}$.
#### Notation IV

Definition (Gröbner Basis). Let $I$ be an ideal of $\mathbb{F}[x_0, \ldots, x_{n-1}]$ and fix a monomial ordering. A finite subset
$$G = \{g_0, \ldots, g_{m-1}\} \subseteq I$$
is said to be a Gröbner basis of $I$ if for any $f \in I$ there exists $g_i \in G$ with $\mathrm{LM}(g_i) \mid \mathrm{LM}(f)$.

For each ideal $I$ and monomial ordering there is a unique reduced Gröbner basis, which can be computed in polynomial time from any Gröbner basis.

Gröbner bases allow us to compute remainders modulo $I$: $r = f \bmod I = f \bmod G$.
#### Characterisation of Gröbner bases I

Definition (S-Polynomial). The S-polynomial of $f$ and $g$ is defined as
$$S(f, g) = \frac{x^{\gamma}}{\mathrm{LT}(f)} \cdot f - \frac{x^{\gamma}}{\mathrm{LT}(g)} \cdot g,$$
where $x^{\gamma} = \mathrm{LCM}(\mathrm{LM}(f), \mathrm{LM}(g))$.
#### Characterisation of Gröbner bases II

Definition (t-Representation). Fix a monomial order and let $F = \{f_0, \ldots, f_{m-1}\} \subseteq P$ be an unordered set of polynomials and let $t$ be a monomial. Given a polynomial $f \in P$, we say that $f$ has a $t$-representation if $f$ can be written in the form
$$f = h_0 f_0 + \cdots + h_{m-1} f_{m-1},$$
such that whenever $h_i f_i \neq 0$, we have $h_i f_i \le t$ (comparing leading monomials).

Furthermore, we write $f \xrightarrow{F} 0$ if and only if $f$ has an $\mathrm{LM}(f)$-representation with respect to $F$.
#### Characterisation of Gröbner bases III

Theorem. A basis $G = \{g_0, \ldots, g_{s-1}\}$ for an ideal $I$ is a Gröbner basis if and only if
$$S(g_i, g_j) \xrightarrow{G} 0 \quad \text{for all } i \neq j.$$
#### Generating Gröbner bases

```
Algorithm 1: GBGen_dense(1^λ, P, d)
begin
  for 0 ≤ i < n do
    for 0 ≤ j < |M_{<x_i^d}| do
      c_ij ←$ F_q;
    g_i ← x_i^d + Σ_j c_ij m_j;        (m_j ranges over the monomials m_j < x_i^d)
  return (g_0, ..., g_{n−1});
end
```

Theorem. Let $f, g \in \mathbb{F}[x_0, \ldots, x_{n-1}]$ with $a = \mathrm{LM}(f)$ and $b = \mathrm{LM}(g)$ and $\mathrm{LCM}(a, b) = a \cdot b$. Then $S(f, g) \xrightarrow{\{f, g\}} 0$.

#### Formalising the Problems I

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; f ← f − (f mod G); return f;
proc. Finalize(G'):
  return (G = G');
```

Figure 1: Game $\mathrm{GB}_{P,\mathrm{GBGen}(\cdot),d,b,m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.
#### Formalising the Problems II

Definition (Gröbner Basis (GB) Problem). The advantage of a ppt algorithm $A$ in solving the Gröbner basis problem with respect to basis generation algorithm $\mathrm{GBGen}(\cdot)$ is defined by
$$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := \Pr\left[\mathrm{GB}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow \mathsf{T}\right],$$
where game $\mathrm{GB}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}$ is shown in Figure 1.
#### Formalising the Problems III

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; f ← f − (f mod G); return f;
proc. Challenge():
  f ←$ P_{≤b}; return f;
proc. Finalize(r'):
  return (r' = f mod G);
```

Figure 2: Game $\mathrm{IR}_{P,\mathrm{GBGen}(\cdot),d,b,m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.
#### Formalising the Problems IV

Definition (Ideal Remainder (IR) Problem). The advantage of a ppt algorithm $A$ in solving the ideal remainder problem is defined by
$$\mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := \Pr\left[\mathrm{IR}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow \mathsf{T}\right] - 1/C(\lambda),$$
where game $\mathrm{IR}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}$ is shown in Figure 2.
#### Formalising the Problems V

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); c ←$ {0, 1}; return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; f ← f − (f mod G); return f;
proc. Challenge():
  f ←$ P_{≤b}; if c = 1 then f ← f − (f mod G); return f;
proc. Finalize(c'):
  return (c = c');
```

Figure 3: Game $\mathrm{IM}_{P,\mathrm{GBGen}(\cdot),d,b,m}$. An adversary is valid if it calls the Sample oracle at most $m(\lambda)$ times.

#### Formalising the Problems VI

Definition (Ideal Membership (IM) Problem). The advantage of a ppt algorithm $A$ in solving the ideal membership problem is defined by
$$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IM}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow \mathsf{T}\right] - 1,$$
where game $\mathrm{IM}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}$ is shown in Figure 3.

Note: we can view the IM problem as the decisional version of the IR problem.

#### Hardness I

Lemma (IR ⇔ GB). For any ppt adversary $A$ against the IR problem, there exists a ppt adversary $B$ against the GB problem such that
$$\mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda)^{\mathrm{poly}(\lambda)} \le \mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$$
Conversely, for any ppt adversary $B$ against the GB problem, there exists a ppt adversary $A$ against the IR problem such that
$$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda) = \mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda).$$

#### Hardness II

Proof for the first direction. Consider an arbitrary element $g_i$ in the Gröbner basis $G$. We can write $g_i$ as $m_i + \tilde{g}_i$ for some $\tilde{g}_i < g_i$ and $m_i = \mathrm{LM}(g_i)$. Now, assume the normal form of $m_i$ is $r_i$ and suppose that $r_i < m_i$. This implies that $m_i = \sum_{j=0}^{n-1} h_j g_j + r_i$ for some $h_j \in P$. Hence, we have $m_i - r_i \in \langle G \rangle$: an element of $\langle G \rangle$ with leading monomial $m_i$. Repeat this process for all monomials up to and including degree $d$ and accumulate the results $m_i - r_i$ in a list $\tilde{G}$. The list $\tilde{G}$ is a list of elements of $\langle G \rangle$ with $\mathrm{LM}(\tilde{G}) \supseteq \mathrm{LM}(G)$, which implies that $\tilde{G}$ is a Gröbner basis. We cannot amplify our confidence since we only have a limited number of samples.

#### Hardness III

IR ⇔ IM: When the search space of remainders is $\mathrm{poly}(\lambda)$, the IM and IR problems are equivalent, since the attacker can exhaustively search for the remainder using the IM oracle. Thus, we have a decision-to-search reduction for some parameters.

#### Hardness IV

Assuming that $f_0, \ldots, f_{m-1}$ is a random system, the complexity of the currently best known algorithms (i.e. with $F_5$) to solve the GB problem is given by
$$O\!\left(\binom{n + D}{D}^{\omega}\right) = O\!\left((n^{D})^{\omega}\right),$$
where $2 \le \omega < 3$ is the linear algebra constant, and $D$ is given by the index of the first non-positive coefficient of
$$\sum_{k \ge 0} c_k z^k = \frac{(1 - z^b)^m}{(1 - z)^n}.$$
Thus Gröbner bases are exponential in $n$ if $D$ is polynomial in $n$.

#### Hardness V

Corollary. Let $c > 0$. Then for $m(\lambda) = c \cdot n(\lambda)$ or $m(\lambda) = c \cdot n(\lambda)^b$ polynomials of degree $b$ in some ideal $I$, the Gröbner basis of $I$ can be computed in exponential or polynomial time in $n(\lambda)$, respectively.

Definition (GB/IR/IM Assumption). Let $P$ be such that $n(\lambda) = \Theta(\lambda)$. Assume $b \ge d > 0$, $b > 1$, and that $m(\lambda) = c \cdot n(\lambda)$ for a constant $c \ge 1$. Then the advantage of any ppt algorithm in solving the GB/IR/IM problem is negligible as a function of $\lambda$.

#### Symmetric PollyCracker I
```
Algo. Gen_{P,GBGen(·),d,b}(1^λ):
begin
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d);
  SK ← (G, P, b); PK ← (P, b);
  return (SK, PK);
end
Algo. Enc(m, SK):
begin
  f ←$ P_{≤b}; f ← f − (f mod G);
  c ← m + f;
  return c;
end
Algo. Dec(c, SK):
begin
  m ← c mod G;
  return m;
end
Algo. Eval(c_0, ..., c_{t−1}, C, PK):
begin
  evaluate the gates of C over P;
  return the result;
end
```

Figure 4: The noise-free symmetric Polly Cracker scheme $\mathrm{SPC}_{P,\mathrm{GBGen}(\cdot),d,b}$.
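The scheme of Figure 4 above, with the key generator of Algorithm 1 and the homomorphic evaluation of slide Homomorphic Encryption III, as an added example (not the paper's or the authors' code): a toy implementation over F_q under deglex. Function names (normal_form, gbgen_dense, encrypt, decrypt, demo) and the parameters n = 2, d = 2, b = 2, q = 101 are this example's choices; messages are taken as constants in F_q, one concrete choice for the Encode function the slides leave abstract.

```python
# Added example, not the paper's code: toy noise-free symmetric Polly Cracker (Figure 4) over
# F_q[x_0..x_{n-1}] under deglex, with the key from Algorithm 1 (GBGen_dense). Polynomials are
# dicts {exponent tuple: coefficient mod q}; messages are constants in F_q (one choice of Encode).
import random
from itertools import product

def deglex_key(mono):
    """deglex order: total degree first, then lexicographic on the exponent tuple."""
    return (sum(mono), mono)

def add(f, g, q):
    h = dict(f)
    for m, c in g.items():
        h[m] = (h.get(m, 0) + c) % q
    return {m: c for m, c in h.items() if c}

def shift(f, c, mono, q):
    """The polynomial c * x^mono * f."""
    return {tuple(a + b for a, b in zip(m, mono)): (c * k) % q for m, k in f.items()}

def mul(f, g, q):
    h = {}
    for m, c in g.items():
        h = add(h, shift(f, c, m, q), q)
    return h

def LM(f):
    return max(f, key=deglex_key)

def monomials_up_to(n, deg):
    return [e for e in product(range(deg + 1), repeat=n) if sum(e) <= deg]

def normal_form(f, G, q):
    """f mod G by multivariate division; unique because G is a Groebner basis (Notation IV)."""
    f, r = dict(f), {}
    while f:
        m = LM(f)
        c = f[m]
        for g in G:
            lm = LM(g)
            if all(a <= b for a, b in zip(lm, m)):             # LM(g) divides m: cancel it
                quot = tuple(b - a for a, b in zip(lm, m))
                f = add(f, shift(g, (-c * pow(g[lm], -1, q)) % q, quot, q), q)
                break
        else:                                                  # no LM(g) divides m: it stays
            r[m] = c
            del f[m]
    return r

def gbgen_dense(n, d, q, rng):
    """Algorithm 1: g_i = x_i^d + sum_j c_ij m_j over the monomials m_j < x_i^d, c_ij random in F_q.
    The leading monomials x_i^d are pairwise coprime, so by the theorem beside Algorithm 1 every
    S-polynomial reduces to zero and G is a Groebner basis as generated."""
    G = []
    for i in range(n):
        lead = tuple(d if k == i else 0 for k in range(n))
        g = {lead: 1}
        for m in monomials_up_to(n, d):
            if deglex_key(m) < deglex_key(lead):
                g[m] = rng.randrange(q)
        G.append({m: c for m, c in g.items() if c})
    return G

def encrypt(msg, G, n, b, q, rng):
    """Enc: f <-$ P_{<=b}; f <- f - (f mod G), which puts f in the ideal; c <- msg + f."""
    f = add({}, {m: rng.randrange(q) for m in monomials_up_to(n, b)}, q)  # drops zero terms
    f = add(f, {m: -c % q for m, c in normal_form(f, G, q).items()}, q)
    return add(f, {(0,) * n: msg % q}, q)

def decrypt(c, G, n, q):
    """Dec: c mod G strips the ideal element and leaves the constant message."""
    r = normal_form(c, G, q)
    if set(r) - {(0,) * n}:
        raise ValueError("remainder is not a constant: not a ciphertext of this scheme")
    return r.get((0,) * n, 0)

def demo(n=2, d=2, b=2, q=101, seed=1):
    """Eval over P (Homomorphic Encryption III): ciphertexts add and multiply as polynomials."""
    rng = random.Random(seed)
    G = gbgen_dense(n, d, q, rng)
    c0, c1 = encrypt(5, G, n, b, q, rng), encrypt(7, G, n, b, q, rng)
    return (decrypt(c0, G, n, q), decrypt(c1, G, n, q),
            decrypt(add(c0, c1, q), G, n, q), decrypt(mul(c0, c1, q), G, n, q))
```

Decrypting the product works because no noise is involved; the ciphertext merely grows in degree, which is what makes the scheme only somewhat homomorphic.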
#### Security I

The $m(\cdot)$-time IND-CPA security of a (homomorphic) symmetric-key encryption scheme is defined in the usual way by requiring that the advantage
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m(\cdot),\mathrm{SKE},A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IND\text{-}BCPA}^{A}_{m(\cdot),\mathrm{SKE}}(\lambda) \Rightarrow \mathsf{T}\right] - 1$$
is negligible as a function of the security parameter $\lambda$. The difference from the usual CPA security is that the adversary can query the encryption oracle at most $m(\lambda)$ times.
#### Security II

Theorem. Let $A$ be a ppt adversary against the $m$-time IND-BCPA security of the scheme described in Figure 4. Then there exists a ppt adversary $B$ against the IM problem such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},A}(\lambda) \le \mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$$
Conversely, let $A$ be a ppt adversary against the IM problem. Then there exists a ppt adversary $B$ against the $m$-time IND-BCPA security of the scheme described in Figure 4 such that for all $\lambda \in \mathbb{N}$ we have
$$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda) \le \mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},B}(\lambda).$$
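The bounded security above rests on the GB/IR/IM assumption, whose cost estimate on the Hardness IV slide depends on the degree D. As an added example (not the paper's code), the following expands the series (1 − z^b)^m/(1 − z)^n, returns the index of its first non-positive coefficient, and gives the log2 of the bound (n+D choose D)^ω; function names and the truncation length are this example's, and ω is passed in rather than fixed.

```python
# Added example, not the paper's code: the degree D of the F5 cost estimate (Hardness IV), read
# off the series (1 - z^b)^m / (1 - z)^n, and the corollary on Hardness V checked numerically.
from math import comb, log2

def hilbert_coefficients(n, m, b, terms):
    """First `terms` coefficients c_k of (1 - z^b)^m / (1 - z)^n (m equations of degree b, n variables)."""
    # 1/(1-z)^n = sum_k C(n-1+k, k) z^k  and  (1 - z^b)^m = sum_j (-1)^j C(m, j) z^{jb}
    denom = [comb(n - 1 + k, k) for k in range(terms)]
    numer = [0] * terms
    for j in range(m + 1):
        if j * b < terms:
            numer[j * b] = (-1) ** j * comb(m, j)
    return [sum(numer[i] * denom[k - i] for i in range(k + 1)) for k in range(terms)]

def degree_D(n, m, b, max_terms=512):
    """Index of the first non-positive coefficient (the slide's D). For m < n the coefficients
    never become non-positive, so the estimate does not apply and we raise."""
    for k, c in enumerate(hilbert_coefficients(n, m, b, max_terms)):
        if c <= 0:
            return k
    raise ValueError("no non-positive coefficient within max_terms: m is too small relative to n")

def log2_gb_cost(n, m, b, omega):
    """log2 of the slide's bound (n+D choose D)^omega; 2 <= omega < 3 is the linear algebra constant."""
    D = degree_D(n, m, b)
    return omega * log2(comb(n + D, D))

def regularity_profile(b, m_of_n, ns):
    """D as n grows with m = m_of_n(n). Per the Hardness V corollary, m = c*n makes D grow with n
    (exponential cost) while m = c*n^b keeps D bounded (polynomial cost)."""
    return [degree_D(n, m_of_n(n), b) for n in ns]
```

For m = n the series is (1 + z + ... + z^(b−1))^n, a polynomial of degree n(b−1), so D = n(b−1) + 1 exactly; for m at least the number of degree-b monomials, D = b and the system linearises.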
#### Conversions in the Literature

- There are a few techniques in the literature, which convert an IND-CPA symmetric additive homomorphic scheme to an IND-CPA
- One such conversion is to publish $N$ encryptions of zero $f_0, \ldots, f_{N-1}$ and to encrypt as
$$c = \sum_{s \in S} f_s + m$$
where $S$ is a subset of $\{0, \ldots, N-1\}$.

While PollyCracker is additively homomorphic and secure up to some bound, none of the proposed conversions give a secure scheme.
#### Impossibility Result I

Theorem (Dickenstein, Fitchas, Giusti, and Sessa). Let $I = \langle f_0, \ldots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$, $h$ be such that $\deg(h) \le D$, and
$$h - (h \bmod I) = \sum_{i=0}^{m-1} h_i f_i,$$
where $h_i \in P$ and $\deg(h_i f_i) \le D$. Let $G$ be the output of some Gröbner basis computation algorithm up to degree $D$ (i.e. all computations with degree greater than $D$ are ignored and dropped). Then $h \bmod I$ can be computed by polynomial reduction of $h$ via $G$.
#### Impossibility Result II

Theorem. Let $I = \langle f_0, \ldots, f_{m-1} \rangle$ be an ideal in $P = \mathbb{F}[x_0, \ldots, x_{n-1}]$. If there is a ppt algorithm $A$ which samples elements from $I$ uniformly given only $(f_0, \ldots, f_{m-1}) \subseteq I$, then there exists a ppt algorithm $B$ which computes a Gröbner basis for $I$.

Proof. We can compute the normal forms of any $f$ produced by $A$ in polynomial time since we know $f_0, \ldots, f_{m-1}$. If $f$ is arbitrary in the ideal $I$, we know that normal forms are equivalent to Gröbner basis computations. Thus, we have a polynomial-time algorithm for computing Gröbner bases.
#### Discrete Gaussian

A noise distribution $\chi$ will parametrise various games below. The discrete Gaussian distribution is of particular interest to us.

Definition (Discrete Gaussian Distribution). Let $\alpha > 0$ be a real number and $q \in \mathbb{N}$. The discrete Gaussian distribution $\chi_{\alpha,q}$ is a Gaussian distribution rounded to the nearest integer and reduced modulo $q$, with mean zero and standard deviation $\alpha q$.
#### Gröbner Bases with Noise I

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; e ←$ χ; f ← f − (f mod G) + e; return f;
proc. Finalize(G'):
  G̃ ← reduced GB of G; G̃' ← reduced GB of G'; return (G̃ = G̃');
```

Figure 5: Game $\mathrm{GBN}_{P,\mathrm{GBGen}(\cdot),d,b}$.
#### Gröbner Bases with Noise II

Definition (Gröbner Basis with Noise (GBN) Problem). The Gröbner Basis with Noise Problem is defined through game $\mathrm{GBN}_{P,\mathrm{GBGen}(\cdot),d,b}$ as shown in Figure 5. The advantage of a ppt algorithm $A$ in solving the GBN problem is
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{GBN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b}(\lambda) \Rightarrow \mathsf{T}\right].$$

Note that we do not impose a restriction on the number of samples any more.
#### Ideal Remainders with Noise I

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; e ←$ χ; f ← f − (f mod G) + e; return f;
proc. Challenge():
  f ←$ P_{≤b}; return f;
proc. Finalize(r'):
  return (r' = f mod G);
```

Figure 6: Game $\mathrm{IRN}_{P,\mathrm{GBGen}(\cdot),d,b}$.

#### Ideal Remainders with Noise II

Definition (Ideal Remainder with Noise (IRN) Problem). The Ideal Remainder with Noise Problem is defined through game $\mathrm{IRN}_{P,\mathrm{GBGen}(\cdot),d,b}$ as shown in Figure 6. The advantage of a ppt algorithm $A$ in solving the IRN problem is
$$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{IRN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b}(\lambda) \Rightarrow \mathsf{T}\right] - 1/C(\lambda).$$

Lemma (IRN Hard ⇔ GBN Hard). For any ppt adversary $A$ against the IRN problem, there exists a ppt adversary $B$ against the GBN problem such that
$$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda),$$
... and vice versa.

#### Ideal Membership with Noise (Ideal Coset) I

```
proc. Initialize(1^λ, P, d):
  P ←$ P_λ; G ←$ GBGen(1^λ, P, d); c ←$ {0, 1}; return (1^λ, P);
proc. Sample():
  f ←$ P_{≤b}; e ←$ χ; f ← f − (f mod G) + e; return f;
proc. Challenge():
  f, e ←$ P_{≤b}, χ; if c = 0 then f ← f − (f mod G) + e; return f;
proc. Finalize(c'):
  return (c' = c);
```

Figure 7: Game $\mathrm{IMN}_{P,\mathrm{GBGen}(\cdot),d,b}$.
#### Ideal Membership with Noise (Ideal Coset) II

Definition (Ideal Membership with Noise (IMN) Problem). The Ideal Membership with Noise (IMN) Problem is defined as a game, denoted $\mathrm{IMN}_{P,\mathrm{GBGen}(\cdot),d,b}$, shown in Figure 7. The advantage of a ppt algorithm $A$ in solving the ideal membership with noise problem is defined by
$$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IMN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b}(\lambda) \Rightarrow \mathsf{T}\right] - 1.$$

Lemma (IMN Hard ⇔ IRN Hard). For any ppt adversary $A$ against the IMN problem, there exists a ppt adversary $B$ against the IRN problem such that
$$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda),$$
if $q(\lambda)^{\dim_{\mathbb{F}_q}(P(\lambda)/\mathrm{GBGen}(\cdot))}$ is polynomial in $\lambda$.

... and vice versa.
#### Security I

Lemma (LWE Hard ⇒ GBN Hard for $d = 1$, $b = 1$). Let $q$ be a prime number. Then for any ppt adversary $A$ against the GBN problem with $b = d = 1$, there exists a ppt adversary $B$ against the LWE problem such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),1,1,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{lwe}}_{n,q,\chi,B}(\lambda).$$

Proof. Whenever $A$ calls its Sample oracle, $B$ queries its own Sample oracle to obtain $(a, b)$ where $a = (a_0, \ldots, a_{n-1})$. It returns $\sum a_i x_i - b$ to $A$. When $A$ calls its Finalize on $G$, since $d = 1$, we may assume that $G$ is of the form $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$ with $s_i \in \mathbb{F}_q$. Algorithm $B$ terminates by calling its Finalize oracle on $s = (s_0, \ldots, s_{n-1})$.
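The d = b = 1 correspondence between GBN samples and LWE samples used in the lemma above, written out as an added example (not the paper's code): with G = [x_i − s_i] the normal form of a linear f is its evaluation f(s), so a noisy GBN sample carries exactly the LWE error. The coefficient-vector layout follows the map M of the later Security V slide (v_0 the constant term, v_1..v_n the x_i coefficients) and the sign convention Σ a_i x_i − b of the proof; the secret, sample and noise values are constructed and the function names are this example's.

```python
# Added example, not the paper's code: GBN at d = b = 1 versus LWE over F_q.
# A linear polynomial f in F_q[x_0..x_{n-1}] is a coefficient vector v with v[0] the constant
# term and v[i+1] the coefficient of x_i (the map M of Security V, N = n + 1 monomials).

def eval_linear(v, s, q):
    """f(s), which is the normal form of f modulo G = [x_0 - s_0, ..., x_{n-1} - s_{n-1}]:
    reducing by x_i - s_i just substitutes s_i for x_i, so only a constant can remain."""
    return (v[0] + sum(c * si for c, si in zip(v[1:], s))) % q

def gbn_sample(v, s, e, q):
    """GBN Sample oracle at d = b = 1: f <- f - (f mod G) + e, for the basis G = [x_i - s_i]."""
    r = eval_linear(v, s, q)
    return [(v[0] - r + e) % q] + [c % q for c in v[1:]]

def gbn_to_lwe(v, q):
    """Read a GBN sample as an LWE sample: f = sum a_i x_i - b, so a = (v_1..v_n), b = -v_0."""
    return tuple(v[1:]), (-v[0]) % q

def lwe_to_gbn(a, b, q):
    """B's step in the Security I proof: the LWE sample (a, b) becomes sum a_i x_i - b."""
    return [(-b) % q] + list(a)

def groebner_basis_from_secret(s, q):
    """G = [x_i - s_i] as coefficient vectors; Finalize translates between G and s."""
    n = len(s)
    return [[(-s[i]) % q] + [1 if j == i else 0 for j in range(n)] for i in range(n)]

def lwe_error(a, b, s, q):
    """b - <a, s> mod q, centred in (-q/2, q/2]: the LWE noise term of the sample."""
    t = (b - sum(ai * si for ai, si in zip(a, s))) % q
    return t - q if t > q // 2 else t

def demo():
    """Constructed instance: q = 97, secret s, f = 20 + 5x_0 + 6x_1 + 7x_2, noise e = 2."""
    q, s, e = 97, (3, 14, 15), 2
    v = [20, 5, 6, 7]
    g = gbn_sample(v, s, e, q)            # what the GBN adversary sees
    a, b = gbn_to_lwe(g, q)               # the same object as an LWE sample
    # The normal form of the noisy sample is exactly e, and the LWE error is -e (sign convention
    # of sum a_i x_i - b); both round trips agree.
    return a, b, lwe_error(a, b, s, q), eval_linear(g, s, q), lwe_to_gbn(a, b, q) == g
```

Every element of groebner_basis_from_secret(s, q) evaluates to zero at s, which is the d = 1 form of "G generates the ideal of polynomials vanishing at the secret".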
#### Security II

Lemma (GBN Hard for $2b$ ⇒ GBN Hard for $b$). For any ppt adversary $A$ against the GBN problem at degree $b$ with noise $\chi_{\alpha,q}$, there exists a ppt adversary $B$ against the GBN problem at degree $2b$ with noise $\chi_{N\alpha^2 q,\,q}$ such that
$$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi_{\alpha,q},A}(\lambda) \le \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,2b,\chi_{N\alpha^2 q,q},B}(\lambda)$$
for $N = \binom{n+b}{b}$.

Proof. Multiply samples $f_i, f_j$ to get $f_{i,j} = f_i \cdot f_j$. To ensure sufficient randomness, sum up $N$ such products.
#### Security III

Approximate GCD:

- The GBN problem for $n = 1$ is the approximate GCD problem over $\mathbb{F}_q[x]$.
- This problem has not yet received much attention, and hence it is unclear under which parameters it is hard.
- However, the notion of a Gröbner basis can be extended to $\mathbb{Z}[x_0, \ldots, x_{n-1}]$.
- This implies a version of the GBN problem over $\mathbb{Z}$.
- This can be seen as a direct generalisation of the approximate GCD problem in $\mathbb{Z}$.
#### Security IV

GBN over $\mathbb{F}_2$:

- For $d = 1$ and $q = 2$ we can reduce Max-3SAT instances to GBN instances by translating each clause individually to a Boolean polynomial.
- The Gröbner basis returned by an arbitrary algorithm $A$ solving GBN using a bounded number of samples will provide a solution to the Max-3SAT problem.
- Vice versa, we may convert a GBN problem for $d = 1$ to a Max-SAT problem (more precisely Partial Max-SAT) by running an ANF to CNF conversion algorithm.
#### Security V

Best known attack (for $d = 1$):

- We reduce GBN to a larger LWE instance.
- Denote by $N = \binom{n+b}{b}$ the number of monomials up to degree $b$.
- Let $M : P \to \mathbb{F}_q^N$ be a function which maps polynomials in $P$ to vectors in $\mathbb{F}_q^N$ by assigning to the $i$-th component of the image vector the coefficient of the $i$-th monomial in $M_{\le b}$.
- Reply to each Sample query made by the LWE oracle by calling the GBN Sample oracle to retrieve $f$, compute $v = M(f)$ and return $(a, b)$ with $a = (v_{N-1}, \ldots, v_1)$ and $b = v_0$.
- When the LWE oracle queries its Finalize with $s$, query the GBN Finalize with $[x_0 - s_0, \ldots, x_{n-1} - s_{n-1}]$.
#### Polly Cracker with Noise

- GBN/IRN/IMN allow us to construct a noisy version of our symmetric Polly Cracker scheme: SPCN.
- SPCN is IND-CPA under the GBN assumption.
- Using any symmetric-to-asymmetric conversion from the literature, this leads to a public-key Polly Cracker scheme.
- This scheme is somewhat homomorphic and can support a fixed but arbitrary number of multiplications.
- This also implies that Regev's public-key scheme based on LWE is multiplicatively homomorphic under some choice of parameters.

Remark: We implemented a toy version of this scheme.