Algebraic Algorithms for LWE

The Learning with Errors (LWE) problem, proposed by Regev in 2005, has become an increasingly popular cryptographic primitive, due mainly to its simplicity, flexibility and convincing theoretical arguments regarding its hardness. Among the main proposed approaches to solving LWE instances (lattice algorithms, combinatorial algorithms, and algebraic algorithms), the last has received the least attention in the literature and is the focus of this paper. We present a detailed and refined complexity analysis of the original Arora-Ge algorithm, which reduces LWE to solving a system of high-degree, error-free polynomials. Moreover, we generalise their method and establish the complexity of applying Gröbner basis techniques from computational commutative algebra to solving LWE. As a result, we show that the use of Gröbner basis algorithms yields an exponential speed-up over the basic Arora-Ge algorithm. On the other hand, our results show that such techniques do not yield a subexponential algorithm for the LWE problem. We also apply our algebraic algorithm to the BinaryError-LWE problem, which was recently introduced by Micciancio and Peikert. We show that BinaryError-LWE in dimension n can be solved in subexponential time given access to a quasi-linear number of samples m, under a regularity assumption. We also give precise complexity bounds for BinaryError-LWE given access to linearly many samples. Our approach outperforms the best currently-known generic heuristic exact CVP solver as soon as m/n ≥ 6.6. The results in this work depend crucially on the assumption that the encountered systems have no special structure. We give experimental evidence that this assumption holds and also prove the assumption in some special cases. In doing so, we also make progress towards proving Fröberg's long-standing conjecture from algebraic geometry.
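As an added worked example (not code from the paper or its authors), the following Python script runs the basic Arora-Ge approach described above on a constructed toy BinaryError-LWE instance: each sample (a, b) with b = <a,s> + e and e in {0,1} yields the error-free degree-2 polynomial (<a,x> - b)(<a,x> - b + 1), which vanishes at x = s, and treating every monomial as a fresh unknown (linearisation) turns the system into linear algebra over F_q. The parameters n=4, q=97, m=40, the fixed seed and all function names are my own choices for illustration.

```python
# Added example (not from the paper): basic Arora-Ge linearisation on a toy BinaryError-LWE
# instance; sample (a,b), b=<a,s>+e, e in {0,1}, gives (<a,x>-b)(<a,x>-b+1), which vanishes at s.
import random
from itertools import combinations_with_replacement

def monomials(n):
    """Monomials of degree <= 2 as index tuples: 1, x_i, x_i*x_j (i <= j)."""
    return [()] + [(i,) for i in range(n)] + list(combinations_with_replacement(range(n), 2))

def arora_ge_row(a, b, q):
    """Coefficients of L^2 - (2b-1)L + b(b-1), L = <a,x>, in monomials(n) order."""
    n = len(a)
    const = [b * (b - 1) % q]
    lin = [(-(2 * b - 1) * a[i]) % q for i in range(n)]
    quad = [(a[i] * a[j] if i == j else 2 * a[i] * a[j]) % q  # L^2 expanded
            for i, j in combinations_with_replacement(range(n), 2)]
    return const + lin + quad

def solve_mod_q(A, rhs, q):
    """Gauss-Jordan over F_q (q prime); None if the columns are not full rank."""
    k, m = len(A[0]), len(A)
    M = [row[:] + [r] for row, r in zip(A, rhs)]
    for col in range(k):
        piv = next((r for r in range(col, m) if M[r][col]), None)
        if piv is None:
            return None  # linearised system underdetermined: more samples needed
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(v * inv) % q for v in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][k] for i in range(k)]

def arora_ge_binary(samples, q):
    """Recover s from BinaryError-LWE samples [(a, b), ...]; unknowns are x_i and x_i*x_j."""
    n = len(samples[0][0])
    rows = [arora_ge_row(a, b, q) for a, b in samples]
    sol = solve_mod_q([r[1:] for r in rows], [(-r[0]) % q for r in rows], q)
    return None if sol is None else sol[:n]  # the linear monomials x_i carry s_i

def gen_binary_error_lwe(n, m, q, rng):
    """Constructed toy instance: uniform s and a, error uniform in {0,1}."""
    s = [rng.randrange(q) for _ in range(n)]
    avec = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    return s, [(a, (sum(x * y for x, y in zip(a, s)) + rng.randrange(2)) % q) for a in avec]

def demo(n=4, m=40, q=97, seed=1):
    """n=4 gives 14 unknown monomials; 40 samples make the system full rank w.h.p."""
    s, samples = gen_binary_error_lwe(n, m, q, random.Random(seed))
    return s, arora_ge_binary(samples, q)
```

The number of linearised unknowns grows as n^2 for binary errors and as n^d for an error set of size d, which is why the basic method needs so many samples and why the paper turns to Gröbner basis techniques to exploit the polynomial structure instead.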
