Algebraic Algorithms for LWE

Martin R. Albrecht1_{, Carlos Cid}1_{, Jean-Charles Faug`ere}2_{, and Ludovic Perret}2 1 _{Information Security Group}

Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom

2

INRIA, Paris-Rocquencourt Center, POLSYS Project UPMC Univ Paris 06, UMR 7606, LIP6, F-75005, Paris, France

CNRS, UMR 7606, LIP6, F-75005, Paris, France

[email protected], [email protected], [email protected], [email protected]

Abstract. The Learning with Errors (LWE) problem, proposed by Regev in 2005, has become an ever-popular cryptographic primitive, due mainly to its simplicity, flexibility and convincing theoretical arguments regarding its hardness. Among the main proposed approaches to solvingLWEinstances — namely, lattice algorithms, combinatorial algorithms, and algebraic algorithms — the last is the one that has received the least attention in the literature, and is the focus of this paper. We present a detailed and refined complexity analysis of the original Arora-Ge algorithm, which reducedLWEto solving a system of high-degree, error-free polynomials. Moreover, we generalise their method and establish the complexity of applying Gr¨obner basis techniques from computational commutative algebra to solving LWE. As a result, we show that the use of Gr¨obner basis algorithms yields an exponential speed-up over the basic Arora-Ge algorithm. On the other hand, our results show that such techniques do not yield a subexponential algorithm for the LWE problem.

We also apply our algebraic algorithm to the BinaryError-LWE problem, which was recently intro-duced by Micciancio and Peikert. We show that BinaryError-LWEin dimensionncan be solved in subexponential time given access to a quasi-linear number of samplesmunder a regularity assumption. We also give precise complexity bounds for BinaryError-LWEgiven access to linearly many samples. Our approach outperforms the best currently-known generic heuristic exact CVP solver as soon as

m/n≥6.6.

The results in this work depend crucially on the assumption that the encountered systems have no spe-cial structure. We give experimental evidence that this assumption holds and also prove the assumption in some special cases. Therewith, we also make progress towards proving Fr¨oberg’s long-standing conjecture from algebraic geometry.

1

Introduction

Learning with Errors. Since its introduction, the Learning with Errors problem (LWE) has proven to be a rich and versatile source of many innovative cryptographic constructions, such as the oblivious transfer protocol by Peikert et al. [37], a leakage-resilient cryptosystem by Akavia et al. [1], and homomorphic encryption [3, 15, 30], among many others.

Definition 1 (LWE [38, 39]).Letn, m ≥1 be integers,qbe an odd positive integer,χbe a probability distribution onZqands∈Znq be a secret vector. We denote byL

(n)

s,χthe probability distribution onZnq×m×

Zmq obtained by choosingA ∈Z n×m

q uniformly at random, sampling a vectore∈Z m

q according toχ m_, and returning(A,s·A+e) = (A,c) ∈ Zqn×m×Zmq .LWEis the problem of finding s ∈ Znq from

(A,s·A+e)sampled according toL(n)s,χ.

In what follows,χα,qwill denote a discrete Gaussian distribution overZwhich returns an integerxwith

probabilityexp −π x2_/s2 /P

y∈Zexp −π y

2_/s2

, wheres=αq, considered moduloq. A typical set-ting isαq=n_{, with0 ≤≤1. It has been shown that as soon as >1/2, worst-case GAPSVP}

˜

Arora and Ge’s algorithm. In [5], Arora and Ge proposed the first algebraic algorithm to solve theLWE

problem. Their approach reduces LWE to finding the common root of a multivariate system of high-degree, error-free polynomials. The proposed algorithm solvesLWEin2O˜(n2) _{operations, hence being} sub-exponential when < 1₂. This shows that Regev’s original reduction in [38, 39] is indeed tight. In more detail, let(a, c) ∈ _Zn

q ×Zq be anLWE sample and write f = c−P n

i=1ai·xi where the xiare variables. If we assume that the erroreis in the interval{−T, . . . , T}, then the polynomialF = f ·QT

i=1(f +i)·(f −i)of degree2T + 1 evaluates to zero whenxi = si. Thus, ifT < bq/2cthen F = 0is a constraint on the possible values for the secret vectors, and collecting many such equations and solving the resulting multivariate high-degree system of equations allows to recover the secret. In [5] these systems are solved by the linearisation method, i.e. first replacing monomials with a new linearised variable and then by solving the resulting linear system of equations. This method requiresO n2T+1equations to succeed, which could be obtained by collecting more samples. However, sinceχα,qis a discrete Gaussian distribution, requesting more samples also increases the probability that the noise of at least one sample falls outside of the chosen interval{−T, . . . , T}invalidating the constraintF = 0. Hence, as the number of samples grows so does the required value ofT so that the polynomial system remains error-free. This on the other hand may require a further increase in the number of samples (cf. Section 3). This trade-off is analysed in [5] to obtain the complexity of the Arora-Ge algebraic algorithm to solveLWE. We note however that the discussion above implies that the algorithm from [5] is not applicable if the number of available samples is smaller thanO n2T+1

.

In Section 4, we make a detailed analysis of the original Arora-Ge algorithm, and derive the precise com-plexity of applying linearisation as described above. The results of our analysis are given in the following theorem.

Result 1 Letn, q, σ=αq/√2πbe parameters of anLWEχα,q instance,2≤ω <3be the linear algebra

constant andDAG= 8σ2logn+ 1.

IfDAG∈o(n)then the Arora-Ge algorithm solves the computationalLWEproblem in O2ω·DAGlog_Dn

AG ·σ qlogq

=O28ω σ2logn(logn−log(8σ2logn))·poly(n)

operations and in

O2ω·nlogDAGn ·_{σ qlogq}

=O2ω nlog(8σ2logn)−ω nlogn·poly(n)

operations ifn∈o(σ2_log(n)).

Specialising toσ = √nwe obtain a complexity ofO 2(2+)ωnlog logn

. Our results shows that, in this case, the original Arora-Ge algorithm is asymptotically slower than the BKW algorithm [2] and lattice reduction if sieving is used to implement the SVP oracle, but asymptotically faster than lattice reduction if enumeration is used to implement the SVP oracle [4].

Gr¨obner bases. Gr¨obner bases are fundamental tools in commutative algebra and algebraic geometry. A Gr¨obner basisGfor an idealI in a polynomial ring is a basis such that any leading term of any element in the idealIis divisible by a leading term of an element inG. In univariate polynomial rings the notion of a Gr¨obner basis coincides with the greatest common divisor; for linear polynomials it coincides with the notion of a row echelon form. Gr¨obner bases go back to the seminal work of Buchberger [16, 17, 19] who also gave a first algorithm for computing them by showing that repeated computation and reduction ofS-polynomialscomputes a Gr¨obner basis. Gr¨obner basis algorithms have been frequently applied (suc-cessfully) on the algebraic cryptanalysis of a range of cryptographic schemes [27].

In this work we are interested in the fact that Gr¨obner bases allow to find all common roots of multivariate polynomial systems. Indeed, the linearisation approach described above is a special case of a Gr¨obner basis computation. In contrast to this special case, though, general Gr¨obner basis algorithms are also applicable if less thanO nd

In Section 5 we show that applying standard Gr¨obner basis algorithms yields an exponential speed-up for solvingLWEcompared to Result 1, under a regularity assumption. In particular, we arrive at the following theorem.

Result 2 Letωbe the linear algebra constant, letH2(x) =−xlog2(x)−(1−x) log2(1−x)be the binary entropy function andCsome known constant which can be explicitly computed. Let(ai, bi)i≥1be elements of_Zn

q ×Zq sampled according toLWEχα,q with a standard deviationσ =

√

n

√

2π. There is an algorithm solving the computationalLWEproblem in

O

2n

ω(1+C)H2(1+CC)+ π·log2(e)

4

(1) operations with success probability of at least1− 2

π√n = 1−o(1), if the system of equations encountered during the execution of the algorithm is semi-regular.

Hence, applying Gr¨obner basis algorithms gives an exponential speed-up over the algorithm from [5]. This places it in the same complexity class as the BKW algorithm or lattice reduction when sieving implements the SVP oracle, albeit with a larger leading constant in the exponent. It is worth noting that all known algo-rithms for achieving time complexity2O(n)_{– BKW, sieving, Gr¨obner bases – also require2}O(n)_memory. BinaryError-LWE. A variant of LWE with errors values in{0,1}(or any uniform range) was recently introduced by Micianccio and Peikert in [35]. This generalises an earlier result of D¨ottling and M¨uller-Quade [22] who first introduced a variant ofLWEwith uniform errors whilst keeping a strong security reduction to lattice problems. These two works highlight the current interest of the cryptographic com-munity in studying variants ofLWEwith small non-Gaussian errors. From a practical perspective these variants are interesting because they allow to forgoe Gaussian sampling (with large parameters) which is often the most expensive step when implementing lattice-based cryptography. In this regard [35] represents a significant step forward as it allows to sample the error from a binary distribution while still regaining a reduction to GAPSVP,albeit with a severe limit on the number of samplesm:

Theorem 1 (BinaryError-LWE[35]).Letn, m=n1 + _clog(n)1 forc >1be integers, andq≥nO(1) be a sufficiently large polynomially bounded (prime) modulus. Then, solving LWE with parametersn, m, q and independent uniformly random binary errors is at least as hard as approximating lattice problems in the worst-case onΘ n/log(n)-dimensional lattices within a factorO˜(√n·q).

As already pointed out in [22, 35], the algorithm from [5] yields a polynomial-time algorithm for solving BinaryError-LWE as soon as m = O n2

. Hence, there is a gap between m = n1 + 1 clog(n)

for c > 1, where the hardness reduces to standard LWE, andm = O n2

where the problem is known to be easy due to the Arora-Ge algorithm. However, understanding the hardness of the problem for samples within this interval should be of great interest: applications in lattice-based cryptography typically require the provision ofn1 + _clog(n)1 < m <O n2

samples, e.g.m= O(n)orm = ˜O(n). It is hence a natural and relevant open question how the security of BinaryError-LWE degrades as more samples are made available.

From [5] and our generalisation using Gr¨obner basis algorithms, it follows that the complexity of solving LWE with uniform errors in{−T, . . . , T}is at most the cost of computing a Gr¨obner basis form polyno-mials of degree2T+ 1innvariables. In Section 6, we show – under a similar regularity assumption as above – that BinaryError-LWE can be solved in sub-exponential time as soon as the number of samples is quasi-linear, e.g.m=O(nlog logn).

Result 3 Letωbe the linear algebra constant and letH2(x) =−xlog2(x)−(1−x) log2(1−x)be the bi-nary entropy function. Ifm=O(nlog logn), then there exists an algorithm which solves the

BinaryError-LWEproblem in

Om22ω n8 log loglog log logn n

operations if the equation system encountered in the execution of the algorithm is semi-regular.

Ifm=C·n, withC≥1, then there exists an algorithm which solves the BinaryError-LWEproblem in

On22ω n(1+β)H2(1+ββ)

operations with with β = C−1 2−

p

C(C−1)if the system of equations encountered during the execution of the algorithm is semi-regular.

More concretely, the algorithm discussed in this paper can solve the BinaryError-LWEproblem in dimen-sionnin timen2_·20.344n_{as soon asm≥6.6n. For comparison, the best currently-known generic exact} CVP solver [11] takes time20.377n_{. We note that many other LWE solving strategies such as combinatorial} algorithms [2] or lattice reduction in the low advantage regime [34] do not apply in this setting.

Our results (Theorem 7, Section 6) show therefore that, despite its attractive implementation features, BinaryError-LWEshould be ruled out for cryptographic applications that require a quasi-linear number of samples. Finally we note that while our results can also apply to the natural generalisations of

BinaryError-LWEto any uniform error in a bounded interval{−T, . . . , T}[35, Theorem 4.6], in this paper we focus on the BinaryError-LWE case for brevity.

Regularity Assumptions. Our complexity estimates depend crucially on two algebraic assumptions about the systems we consider. The assumption is as follows for BinaryError-LWE:

Assumption 2. Let(A,s·A+e) = (A,c) ∈ Znq×m×Zmq be sampled according toL (n)

s,U(F2), and let

P(x) =X(X−1). We define:

f1=P c1− n X

j=1

sjAj,1= 0, . . . , fm=P cm− n X

j=1

sjAj,m= 0.

It holds thathf1, . . . , fmiis semi-regular (Definition 2, Section 2), i.e. has only trivial algebraic depen-dencies.

For generalLWE, Assumption 1 is similar but we consider a polynomialP(X) =XQCGB·σ

i=1 (X+i)(X− i), whereCGBdepends on the parameters of the Gaussian distribution.

It is believed that random systems of equations are semi-regular. Hence, our semi-regularity assumptions essentially state that our systems are neither easier nor harder to solve than random systems of equations. If the systems considered in this work were easier than random systems this would imply that the analysis of Section 5 could be much improved and lead to progress towards a sub-exponential classical algorithm for solving GAPSVP. On the other hand, if these systems were harder to solve than random systems, this would reveal new algebraic dependencies amongst LWE samples, which could likely also be used to improve (non-algebraic) solving strategies. Hence, our assumption in this paper that there isno special structurein our problem instances seems to be a reasonable one. We note also that Gr¨obner basis algorithms do not rely on this regularity assumption. Indeed, they have been successfully used in the past to exploit that a problem instance which does not behave like a semi-regular sequence [27].

Section 7.1 reports on our experimental verification that Assumptions 1 and 2 hold for reasonable parameter sets. For example, for BinaryError-LWE, we have verified them forn≤100.

Fr¨oberg’s Conjecture. Our assumptions are closely related to the long-standing Fr¨oberg conjecture [28] in algebraic geometry which states that semi-regular sequences form a dense subset among the set of all sequences. More precisely, the Fr¨oberg conjecture states that generically the rank of some linear map associated to Macaulay matrices (the matrices occurring in a Gr¨obner basis computation) is maximal. A property is said to be generic if it holds on a Zariski open subsetZOwhen the characteristic of the base field

Kis0. In Zariski’s topology, a closed subset is defined as the vanishing set of algebraic equations. Hence,

The main difficulty in proving Fr¨oberg’s conjecture is to prove that the polynomialhis not identically zero or thatZOis not empty (see [29]).

To prove Fr¨oberg’s conjecture it is sufficient to find one explicit family of polynomials which can be proven semi-regular for anymandn. Proving Assumptions 1 or 2 would provide such family and hence prove Fr¨oberg’s conjecture. Furthermore, any non-trivial partial results on our assumptions would lead to progress on the general Fr¨oberg’s conjecture. over a sufficiently big finite field, sequences with the same number of polynomials (m) and same number of variables (n),m=n+1in characteristic0,mpolynomials of degree

2withn≤11, andmpolynomials of degree3withn≤8[20, 28, 29]. Indeed, Fr¨oberg and Hollman [29] already investigated semi-regularity for powers of generic linear forms. In characteristic0, [29, Lemma 2.1] proves that a sequence ofn+ 1squares of generic linear forms innvariables is generically semi-regular. In Section 7 we report on progress towards proving Fr¨oberg conjecture by investigating our assumptions. In Theorem 8 (Section A.2), we first prove that the equationsf1, . . . , fmgenerated for BinaryError-LWE are linearly independent with high probability. Secondly, we show that the sequencef1, . . . , fmis semi-generic (Definition 3), i.e.{xi·fj}

1≤j≤n

1≤i≤n spans a vector space of maximal dimension. We prove that such algebraic independence at low degree holds withm ≤ n+bn−2

2 cin Theorem 10. This improves on a result of [29, Theorem 2.2] where Fr¨oberg and Hollman proved that the squares ofmgeneric linear forms are semigeneric as long asm≤n+ 15andn≤6. Finally, we consider algebraic independence at higher degree and prove in Theorem 11 that BinaryError-LWEsamples give rise to a semi-regular sequence with high probability form=n+ 1and for a sufficiently large field.

In closing, we note that Fr¨oberg’s conjecture is similar in spirit to the Gaussian Heuristic often relied on in the complexity analysis of lattice-reduction algorithms. For example, the complexity analysis of the currently best know heuristic CVP solver [11] mentioned above and predictions for the quality of output for the BKZ algorithm [18] rely on it. Where Fr¨oberg’s conjecture asserts that most ideals have a predictable degree of regularity, i.e. no special structure deviating from this expectation, the Gaussian Heuristic asserts that for most lattices the shortest vectors of random lattices have a predictable norm, i.e. no special structure deviating from this expectation.

Open problems. While computational commutative algebra provides a rich resource to improve on the re-sults in [5] for solving LWE and variants thereof, our rere-sults indicate that it is unlikely that sub-exponential algorithms for solving LWE can be found by directly applying standard Gr¨obner basis algorithms to LWE. A promising avenue, however, is to combine geometric with algebraic techniques to improve our under-standing of the hardness of LWE. Secondly, applying algebraic techniques to Ring-LWE, which offers a much richer algebraic structure, is an area for future work.

2

Computation of Gr¨obner Bases

Lazard [32] showed that computing a Gr¨obner basis for a system of homogeneous polynomialsf1. . . , fmis equivalent to perform Gaussian elimination on theMacaulay matricesMacaulay_d,m ford, wheremin deg(f1), . . . ,deg(fm)

≤d≤Dfor some integerD. The Macaulay matrixMacaulay_d,m for a set of homogeneous polynomialsf1. . . , fmis defined as the coefficient matrix of(ti,j·fi)where1 ≤ i ≤ mandti,j runs through all monomials of degreed−deg(fi). It can be shown that Macaulay matrices up to degreedcan be used to compute a partial Gr¨obner basis, calledd-Gr¨obner basis. Lazard showed that fordbig enough, ad-Gr¨obner basis is indeed a Gr¨obner basis:

Theorem 2 ( [32]).Let qbe a prime and letf = (f1, . . . , fm) ∈ (Zq[x1, . . . , xn])mbe homogeneous polynomials and≺be a monomial ordering. There exists a positive integerDfor which Gaussian elimi-nation on allMacaulay_d,m (f1, . . . , fm)matrices ford,1≤d≤Dcomputes a Gr¨obner basis ofhf1, . . . , fmi w.r.t. to≺.

Definition 2 (Semi-regular Sequence [8, 10]).Letm ≥n, andf1, . . . , fm ∈ Zq[x1, . . . , xn]be homo-geneous polynomials of degreesd1, . . . , dmrespectively andIthe ideal generated by these polynomials. The system is said to be asemi-regular sequenceif the Hilbert polynomial [19] associated toIw.r.t. the grevlex order is:

HP(z) =

Qm i=1(1−z

di₎

(1−z)n

+

, (2)

with[S]₊being the polynomial obtained by truncating the seriesSbefore the index of its first non-positive coefficient. We shall call degree of regularity of a semi-regular sequence the quantity:

1 + deg HP(z).

This degree of regularity is the degreeDinvolved in Theorem 2 for a semi-regular sequence.

Finally, letf1, . . . , fm∈Zq[x1, . . . , xn]be a sequence of affine polynomials. We denote byf1H, . . . , fmH∈

Zq[x1, . . . , xn]the corresponding homogeneous components of highest degree. We shall say thatf1, . . . , fm is semi-regular if the sequencefH

1 , . . . , fmHis semi-regular.

Throughout this paper, we will use the following complexity results about computing Gr¨obner bases for semi-regular sequences.

Proposition 1 (adapted from [9]).Let F = (f1, . . . , fm) ∈ (Zq[x1, . . . , xn])m be affine polynomials withm > n. Iff1, . . . , fmis semi-regular, then the number of operations inZq required to compute a Gr¨obner basis for any admissible order is bounded by:

O

m Dreg

_n+D reg Dreg

ω

,asDreg → ∞, (3)

where2≤ω <3is the linear algebra constant andDregis the degree of regularity ofhf1, . . . , fmi. In general, (3) only holds for thegrevlex monomial ordering, but efficient algorithms exist to convert a Gr¨obner basis from one ordering to another [26]. However, in our case wherem > nwe expect a unique solution which implies the Gr¨obner bases with respect to all monomial orderings are identical and the issue does not arise (cf. [12]).

The complexity bound (3) is pessimistic as we do not take the particular structure of the matrices involved into account. Typically, Macaulay matrices have huge rank defects which correspond to useless compu-tations. More recent algorithms such asF4[23] andF5 [24] take advantage of the structure of Macaulay matrices and avoid some or all of these useless computations. This leads to considerable speed-ups in prac-tice [25, 27] and in theory [9]. However, to simplify the asymptotical analysis we apply Theorem 2 which performs row reductions on Macaulay matrices.

The following classical approximation of the binomial coefficient due to Stirling will be useful to prove some of our results below.

Lemma 1. Let H2(x) = −xlog2(x)−(1−x) log2(1−x)be the binary entropy. Fornand k large enough, we havelog₂ n_k

≈n H2 _nk. Similarly, we have the following lemma.

Lemma 2.

log

_n+D

D

≈  



Dlog(n/D), ifD∈o(n),

nlog(D/n), ifn∈o(D).

3

The Arora & Ge Algorithm

The Arora & Ge algorithm proceeds by generating a non-linear system of (error-free) multivariate equations fromLWEsamples by making use of the following well-known fact about the Gaussian distribution.

Lemma 3. Letχdenote the Gaussian distribution with standard deviationσ. Furthermore, forx >0, we denoteQ(x) =1₂1−erf√x

2

. Then, for allC >0, it holds that:

Pr[e $

←χ:|e|> C·σ]≈2×Q(C)≤ 2 C√2πe

−C2_/2

∈eO(−C2).

That is, for a C > 0, elements sampled from a Gaussian distribution take only values on the interval

[−C·σ, . . . , C·σ]ofZqwith probability at least1−eO(−C

2₎

if we represent elements inZqas integers in[−bq₂c, . . . ,bq₂c]. Moreover, ife←$ χthenP(e) = 0for

P(X) =X C·σ Y

i=1

(X+i)(X−i),

with probability at least1−eO(−C2). ClearlyPis of degree2C·σ+ 1∈ O(C·σ). It follows that if(ai, bi) = (ai,hai,si+ei)∈Znq ×Zq, andei←$ χ, then

P −b+

n X

j=1

(ai)(j)xj

= 0, (4)

with probability at least1−eO(−C2). Each sample(ai,hai,si+ei) = (ai, bi) ∈ Znq ×Zq allows to generate a non-linear equation of degree2C·σ+ 1in thencomponents of the secretswhich holds with probability1−eO(−C2).

The Arora & Ge algorithm then proceeds by generatingMAGindependent equations of the form (4), to be then solved by linearisation. However, a value forC– denoted byCAG– occurring in Lemma 3 has to be chosen sufficiently large so that all errorseilie with high probability in the interval[−CAG·σ, . . . , CAG· σ]⊆Zq, i.e. such that the secretsis indeed a common solution of theMAGequations. To this end, letSAG be the system of equations generated fromMAGequations as in (4) and bound the probability of failure by the union bound:

pf =MAG×Pr[e←$ χα,q:|e|> CAG·σ]≤ MAG eO(C2AG)

.

Hence,pf is an upper bound on the probability that the secrets∈Znq is not a solution toSAG. Let also DAG= 2CAGσ+ 1be the degree of the equations occuring inSAG. It is shown in [5] (cf. Section 4) that takingCAG∈O˜(σ)allows us to make the probability of failure negligible.

In summary, the Arora & Ge algorithm reduces solvingLWEto linearisation of a system ofMAGequations of degreeDAG= 2CAGσ+ 1∈O˜(σ2). In particular, the following theorem holds:

Theorem 3 ( [5]).LetDAG< q. The system obtained by linearizing

MAG=O

n+DAG DAG

ω

σ qlogq

=nO(DAG)_{= 2}O˜(DAG)

equations as in(4)has at most one solution with high probability.

Note thatO n+DAG

DAG

of the Arora-Ge algorithm is the cost of performing Gaussian elimination on a matrix of sizeMAG× n+DAG

DAG

, i.e.

C_AGplx =nO(DAG)_{= 2}O˜(σ2)_{= 2}O˜(n2)_.

Note also that, if we have the standard deviationσ=n_{, then the algorithm requires2}O˜(n2₎

LWE samples for performing the linearisation step. It follows that the Arora & Ge algorithm is subexponential when <1/2.

4

Refined Analysis of the Arora & Ge Algorithm

We note that the analysis above and in [5] leaves much room for improvements, as it hides not only con-stantsin the exponentbut also logarithm factors. In this section, we make a more refined analysis of the complexity of the Arora & Ge algorithm when using the linearisation method, so that we can then compare potential improvements due to the application of Gr¨obner bases in Section 5.

As established in the previous section, the overall complexity of solving an LWE instance with the Arora & Ge algorithm is that of executing Gaussian elimination on a matrix of sizeMAG× n+D_D AG

AG

. Gaussian elimination on anm×nmatrix of rankrhas complexityO mnrω−2

[31]. The Arora & Ge algorithm hence has a complexity of

O MAG·

_n+D AG DAG

ω−1!

=O MAG·

_{n+ 2C}

AGσ+ 1

2CAGσ+ 1

ω−1! .

We now consider the bound onCAG.

Lemma 4. Letn, q, σ=αq/√2πbe parameters of anLWEχα,q instance whereq= poly(n). Letp

0

f ∈

[0,1]be a constant upper bound on the probability of failure and

CAG≤2σlogn+a1/2≈4σlogn, witha= 4(σlogn)2_{+ 2 log(σ qlogq)−2 logp}0

f+ 2 logn. Finally, let alsoDAG= 2CAGσ+ 1. Then, the system obtained by linearizing n+DAG

DAG

σ qlogqequations of degree as in(4)is correct, i.e. the secret is a zero of all the polynomials, with probability bigger than1−p0_f.

Proof. The probability of failure is upper bounded by:

pf =MAG×Pr[e

$

←χα,q:|e|> CAG·σ]≈

2 n+DAG

DAG

σ qlogq √

2π CAGeC

2 AG/2

<

n+DAG

DAG

σ qlogq

CAG·eC

2 AG/2

.

We bound n+DAG

DAG

bynDAG_{. While this approximation is rather loose, it allows to simplify our expression}

sufficiently to recover a closed form of the complexity. With this simplification, our goal is to findCAG such that:

0≤ n

DAG_{·σ qlogq}

CAG·eC

2 AG/2

=p0f ≤1.

That is:

elog σ qlogq

e(2CAGσ+1) logn

elogp0f · _elogCAG·_eC2AG/2

= 1.

Thus we need to solve

0 = log(σ qlogq) + 2CAGσlogn+ logn−logCAG−logp0f−C 2 AG/2 >log(σ qlogq) + 2CAGσlogn+ logn−logp0f−C

forCAG. The last line has2roots:

[R1= 2σ·log(n)−a1/2, R2= 2σ·log(n) +a1/2], witha= 4(σlogn)2+ 2 log(σ qlogq)−2 logp0_f+ 2 logn.

Note thata1/2 _{>2σlog(n)and henceR}

1 < 0. Thus, the smallest possible value forCAGisR2. Now, assume thatq∈poly(n), i.e.q≈nc_{. Also, recall thatp}0

fis a constant. Thus, fornbig enough: a= 4(σlogn)2+ 2 log(σ qlogq)−2 logp0_f+ 2 logn

= 4(σlogn)2+ 2clog(σ n clogn)−2 logp0_f+ 2 logn ≈4(σlogn)2.

So, we haveCAG≤2σlogn+a1/2≈4σlogn. ut

We arrive at the following theorem:

Theorem 4. Letn, q, σ=α q/√2πbe parameters of anLWEχα,q instance. IfDAG(= 8σ

2_{logn+ 1)∈} o(n)then the Arora & Ge algorithm solves the computationalLWEproblem in time complexity

O2ω·DAGlogD_AGn _{·σ qlogq=O2}8ω σ2logn(logn−log(8σ2logn))_·poly(n)

and memory complexity

O22·DAGlogDAGn ·σ qlogq

=O216σ2logn(logn−log(8σ2logn))·poly(n).

Ifn∈o(σ2_{log(n))then the Arora & Ge algorithm solves the computationalLWEproblem in time} com-plexity

O2ω·nlogDAGn ·σ qlogq

=O2ω nlog(8σ2logn)−ω nlogn·poly(n)

and memory complexity

O22nlogDAGn ·_{σ qlogq}

=O22nlog(8σ2logn)−2nlogn·poly(n).

Proof. The result follows immediately from plugging the Lemmata 2 and 4 into Theorem 3.

5

Solving

LWE

with Gr¨obner Bases

In this section we address the natural question of whether the complexity of the basic Arora & Ge algorithm can be improved by using Gr¨obner basis algorithms instead of the linearisation method. The main motiva-tion is that the constantCAG(and hence the degree of the equations) depends on the number of equations MAG considered. Hence, on the one hand, we may lower the number of equations to a value lower than

˜

O(n2)whilst keeping the probability of failure small enough. On the other hand, this means that the cost of solving the resulting system will grow compared to that of linearisation. The optimisation target is then to find a tradeoff allowing to improve upon linearisation.

We assume thatσ=n_{, with0≤≤1. Let alsoθ,0 ≤θ≤≤1. We consider the number of samples} of the following form:

MGB=eγθ, withγθ=n2·(−θ).

Lemma 5. Let(a1, b1), . . . ,(am, bm)be elements ofZnq ×Zq sampled according toLWEχα,q. IfC =

p

2 log(m)then the equations generated as in(4)vanish with probability at least:

pg= 1− s

1

π·log(m).

Proof. By Lemma 3, the probability of failure satisfies

≤ 2m

C√2πe

−C2/2₌ 2m p

4π·log(m)e

− √2 log(m)2/2

= _p 1

π·log(m).

From this the probably of successpg≥1−pffollows. ut

Remark 1. Ifm∈ O(n)then it holds thatpg∈1−o(1).

We can then deduce the degreeDGBrequired forMGB =eγθ equations. From Lemma 5, we have to fix CGB=

p

2·log(MGB) = √

2·γθ. Thus: DGB= 2

p

2·log(MGB)·σ+ 1 ∈ Oplog(MGB)·σ

=O(√γθ·σ) =O n2−θ

=O γθ·nθ

.

To ease the analysis below, we further simplifyDGBto:

DGB≈γθ·nθ= log(MGB)·nθ.

Furthermore, we restrict our attention to the caseσ=√n/√2π. Now, in order to analyse the complexity of the Gr¨obner basis computation, we need to make the following assumption about the structure of the generated equations:

Assumption 1 Let(a1, b1), . . . ,(aMGB, bMGB)be elements ofZ

n

q ×Zq sampled according toLWEχα,q.

LetP(X) =XQCGB·σ

i=1 (X+i)(X−i).We define:

fi=P −b+ n X

j=1

(ai)(j)xj

= 0,∀i,1≤i≤MGB. (5)

Then,hf1, . . . , fmiis semi-regular. We justify this assumption in Section 7.

FromDGBandMGBwe now need to establish the degree of regularity. Whilst there are classical results on the degree of regularity in the literature, these do not apply here. In particular, we need to consider systems of equations having a non-constant degree. For brevity and due to the fact a detailed analysis is beyond the scope of this paper, we only provide the general statement which allows to derive the result below in Appendix A (Proposition 3).

Lemma 6. LetA ≥1, andf1, . . . , fm ∈Zq[x1, . . . , xn]be semi-regular polynomials of degree _An, and Dreg be the degree of regularity of these polynomials. Ifm = e

π·n

4·A2, then3 it holds thatD_reg behaves

asymptotically as

CA·n,whereCAis a constant which depends onA.

The constantCAin the Lemma can be computed explicitly for any value ofAas explained in Proposition 3. ForA= 1, we get in particular thatDreg= 1.41·n, fornbig enough. Putting all these results together we can now derive the complexity of solvingLWEusing a Gr¨obner basis algorithm.

3

Theorem 5. LetA≥1, ω,CAbe as defined in Lemma 6,ω,2≤ω <3, be the linear algebra constant, andH2(x) =−xlog2(x)−(1−x) log2(1−x). Let(ai, bi)i≥1be elements ofZnq×Zqsampled according toLWEχα,qwith a standard deviationσ=

√

n

√

2π andA≥1. There is an algorithm recovering the secret in O

2n

ω(1+CA)H2

_CA

1+CA

+π·log2(e)

4·A2

(time) and

O

2n

2 (1+CA)H2

_CA

1+CA

+π·log2(e)

4·A2

(memory).

The algorithm has success probability≥1− 2

π√n = 1−o(1).

Proof. LetMGB=e

π·n

4·A2 _andD

GB=n/A. We generate a system ofMGBnon-linear equations of degree DGB as (5). Under our regularity assumption 1, the complexity of computing a Gr¨obner basis for this system is:

O

n e4π··An2

n(1 +CA) CAn

ω

, (6)

Combining this with Lemma 1 gives the complexity. By Lemma 3, the probability of failure verifies is

≤ 2m

C√2πe

−C2/2_{. In our case,C≈} √2πn

2 which gives a failure probability≤ 2

π√n. ut

Note that the complexities in Theorem 5 are minimized by taking a constantA= 1. So, we get a complexity of O

2n 2.35ω+1.13 (time) andO 25.85n(memory). Thus, our analysis shows that using Gr¨obner bases yields an exponential speed-up (forσ=√n/√2πand under Assumption 1) over the basic Arora-Ge approach (cf. Theorem 4). On the slightly negative side, our results also give a negative answer to the natural question whether the combination of Gr¨oner basis techniques with the Arora-Ge modelling can yield a subexponential algorithm for theLWEproblem4_{: from Lemma 6, one can notice that there is no}

choice ofA(constant,logn, . . . ) which makes the number of samples sub-exponential whilst keeping the degree of regularity sub-linear.

6

Solving

LWE

with Bounded Errors

We now turn to studying the complexity of solving BinaryError-LWE using the modelling of Arora & Ge [5] and applying a Gr¨obner basis algorithm for solving the resulting system of equations. As dis-cussed earlier, BinaryError-LWE is an LWE instance over _Zq but with errors restricted to the binary field [35]. This variant is particularly attractive for real-world practical implementations of LWE-based cryptographic schemes. Generating noise-free non-linear equations for BinaryError-LWEis straightfor-ward: if e = (e1, . . . , em) ∈ {0,1}m andP(X) = X(X −1), then we have P(ei) = 0, for all i,1≤i≤m.

Now, let(G,s×G+e) = (G,c)∈Znq×m×Zmq be sampled according toL (n)

s,U(F2). Then

ei=ci− n X

j=1

sjGj,i, for1≤i≤m.

It follows that the secrets∈Znq is a solution of the following algebraic system:

f1=P c1− n X

j=1 sjGj,1

= 0, . . . , fm=P cn− n X

j=1 sjGj,n

= 0. (7)

4

This is an algebraic system ofmquadratic equations inZq[x1, . . . , xn].As already pointed out in [5, 35], this system can be solved using linearization ifm = O n2

. However the casem < O n2

remained untreated. Here, we address this problem of evaluating the complexity of solving the algebraic system (7) with an arbitrary numbermof equations.

As discussed in Section 2, answering this question in general is hard. But for one particular class of systems, namelysemi-regular systems of equations, this question has in fact been settled. In particular, the following result [6–8, 10] allows us to classify the complexity of solving polynomial systems with respect to the number of equations.

Theorem 6. (i) Letm = C·n, withC > 1, and letf1, . . . , fm ∈ Zq[x1, . . . , xn] be a semi-regular system of equations. The degree of regularity off1, . . . , fmbehaves asymptotically as

Dreg=

C−1

2 −

p

C(C−1)

n− a1

2 C(C−1)1/6

n13

− 2− 2C−1

4 C(C−1)1/2 !

+O ₁

n13

,

wherea1≈2.3381is the largest zero of the classical Airy function.

(ii) Letm = n·log1/(n), for any constant > 0, orm = nlog logn. The degree of regularity of f1, . . . , fmbehaves asymptotically as:

Dreg= n2

8m(1 +o(1)).

A proof ofi)can be found, for instance, in [10, Theorem1]. A proof similar to the case of ii) can be found in [7]. However, there is slight difference between [7] (binary fields) and our case (generic prime fields). In Appendix A we briefly sketch a proof forii)of Theorem 6.

Hence, under the assumption that the system (7) behaves like a semi-regular system of equations, Theo-rem 6 allows one to compute an upper bound on the complexity for solving it with Gr¨obner basis algo-rithms. While no proof currently exists that would demonstrate that the system (7) does indeed behave like a semi-regular system, we make the following assumption based on the discussion in Section 7.

Assumption 2 Let(G,s×G+e) = (G,c) ∈ Znq×m×Zmq be sampled according toL (n)

s,U(F2), and let

P(x) =X(X−1). We define:

f1=P c1− n X

j=1 sjGj,1

= 0, . . . , fm=P cn− n X

j=1 sjGj,m

= 0. (8)

It holds thathf1, . . . , fmiis semi-regular.

Based on Assumption 2, we can now state the main result of this section. We classify the hardness of our approach with various number of samples. The first one corresponds to the number of equations required in the security proof [35, Theorem 1.2]. We then consider a slightly larger number of equations than what is required in the security proof, i.e.m= 2nequations. In addition we give the results for a quasi-linear number of equations.

Theorem 7. Letω,2≤ω <3, be the linear algebra constant, andH2(x) =−xlog2(x)−(1−x) log2(1− x). Under Assumption 2, we have the following.

(i) Ifm=n1 +_log(n)1 , then there is an algorithm solvingBinaryError-LWEwith a time complexity:

(ii) Ifm= 2·n, then there is an algorithm solvingBinaryError-LWEwith a time complexity O n220.43ω n

. (10)

(iii) More generally, ifm=C·n, withC >1, there is an algorithm solvingBinaryError-LWEin: On22ω n(1+β)H2(1+ββ)

(time) and On222n(1+β)H2(1+ββ)

(memory), (11)

withβ=C−1 2−

p

C(C−1).

(iv) Ifm=O(nlog logn), then there is a subexponential algorithm solvingBinaryError-LWEwith com-plexity

Om22ω n8 log loglog log logn n

(time), Om222n8 log loglog log lognn

(memory). (12)

(v) Finally, if m = n·log1/(n), for any > 0, then there is a subexponential algorithm solving BinaryError-LWEwhose complexity is:

O 

m22

ω nlog log1/(n) 8 log1/(n)



(time), O 

m22

2nlog log1/(n) 8 log1/(n)



(memory). (13)

Proof. As explained Section 2, the complexity of computing a Gr¨obner basis is:

O

m Dreg

_n+D reg Dreg

ω

(time), O m Dreg

_n+D reg Dreg

2!

(memory). (14)

Under our semi-regularity assumption, Theorem 6 gives:Dreg = 0.5·n+o(n)form=n

1 + _log(n)1 , Dreg= 0.08·n+o(n)form= 2·nand more generally

Dreg=

C−1

2 −

p

C(C−1)

n+o(n)

form=C·n, for any constantC > 1. In these cases, the binomial coefficient in (14) has the following form:

_α·n

β·n

, for someα > β >0.

We obtain (9) – (11) by takingβ =C−1 2−

p

C(C−1)by applying Lemma 1. For (12) and (13), we

combine Lemma 2 and Theorem 6. ut

It follows from Theorem 7 that we can solve BinaryError-LWEin dimensionnin timen2₂0.344n _using memoryn2₂0.289n_{as soon as as soon asm ≥6.6n. We note that this is better than the best} currently-known generic (exact) CVP solver [11]. Theorem 7 also provides a good picture of the hardness degradation of BinaryError-LWEfor the number of available samples ranging fromm =n1 + _clog(n)1 forc >1, a case for which BinaryError-LWEis as hard as solving some lattice problem in the worst case (as shown in [35]) tom=O n2

, the case for which it can be solved in polynomial-time. In view of items(iv)-(v) of Theorem 7, we conclude that BinaryError-LWEshould be ruled out for cryptographic applications that require a quasi-linear number of samples.

7

Justifications of our Assumptions

would demonstrate either Assumption 1 or 2, we argue below why it is reasonable to believe that these as-sumptions hold. Each semi-regularity assumption essentially states that our systems are not easier and not harder to solve than a random system of equations and reiterate that if these systems were easier than ran-dom systems this would imply that the analysis of Section 5 could be much improved and lead to progress towards a subexponential classical algorithm for solving Bounded Distance Decoding. Furthermore, this subexponential classical algorithm would work despite ignoring the particular error distribution and would consist of applying a generic Gr¨obner basis algorithm. We consider this case to be unlikely. Furthermore, we note that Arora and Ge showed in [5] that Assumption 1 holds form= 2O˜(σ2)_{(Theorem 3).}

Following [5], we prove that Assumption 2 holds for m = O n2

in Section A.2. We also prove sev-eral partial results regarding our assumptions in Section A.2 and present experimental evidencethat these assumptions hold for reasonably large parameters in Section 7.1.

7.1 Experimental Verification

We experimentally confirmed that our assumptions hold for reasonably large parameters. Namely, we ver-ified Assumption 1 for systems up ton= 8variables. In particular we computed forn= 8andm= 256, α·q/√2π= 1using MAGMA[13] (V2.20-4) and Sage [41]. The generated system of equations has degree

9and the degree of semi-regularity is13. The highest degree reached was indeed degree13.

Whilen≤8might seem rather small, we point out that it is the lastnfor which we can reasonably expect to run experiments on current hardware. Theorem 5 bounds the memory complexity byO 25.85n

. We note that forn = 8, our computation required 65GB of memory and 68 hours to complete. Hence, we would require about25.85_{·65GB of memory to perform this computation forn= 9which is beyond our} reach.

To verify Assumption 2, we generated systems as in (8). We tookqas the next prime larger thann(orn2_in some instances). We then computed a Gr¨obner basis of the equations using MAGMA. Below we report the maximal degree reachedDrealin our experiments, and the theoretical degree of regularityDreg, as given by Assumption 2. We note that the largest of these experiments took7days to complete.

n m Dreg Dreal

∈ {5, . . . ,25} dnlog₂(n)e 3 3 ∈ {26, . . . ,53} dnlog₂(n)e 4 4

60 d2nlog₂(n)e 3 3

100 4· dnlog₂(n)e 3 3

In addition of these experimental results, we provide formal proofs of our assumptions in several cases in Appendix A.2.

References

1. Adi Akavia, Shafi Goldwasser, and Vinod Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In Omer Reingold, editor,TCC 2009, volume 5444 ofLNCS, pages 474–495. Springer, March 2009.

2. Martin R. Albrecht, Carlos Cid, Jean-Charles Faug`ere, Robert Fitzpatrick, and Ludovic Perret. On the complexity of the BKW algorithm on LWE.Designs, Codes and Cryptography, pages 1–30, 2013.

3. Martin R. Albrecht, Pooya Farshim, Jean-Charles Faug`ere, and Ludovic Perret. Polly cracker, revisited. In Lee and Wang [33], pages 179–196.

4. Martin R. Albrecht, Rachel Player, and Sam Scott. On the concrete hardness of learning with errors. Cryptology ePrint Archive, Report 2015/046, 2015.http://eprint.iacr.org/2015/046.

5. Sanjeev Arora and Rong Ge. New algorithms for learning in presence of errors. In Luca Aceto, Monika Henzinger, and Jiri Sgall, editors,ICALP 2011, Part I, volume 6755 ofLNCS, pages 403–415. Springer, July 2011.

7. Magali Bardet, Jean-Charles Faug`ere, and Bruno Salvy. Complexity study of Gr¨obner basis computation. Techni-cal report, INRIA, 2002.http://www.inria.fr/rrrt/rr-5049.html.

8. Magali Bardet, Jean-Charles Faug`ere, and Bruno Salvy. On the complexity of Gr¨obner basis computation of semi-regular overdetermined algebraic equations. InProc. International Conference on Polynomial System Solving (ICPSS), pages 71–75, 2004.

9. Magali Bardet, Jean-Charles Faug`ere, and Bruno Salvy. On the Complexity of the F5 Gr¨obner basis Algorithm.

Journal of Symbolic Computation, pages 1–24, September 2014. 24 pages.

10. Magali Bardet, Jean-Charles Faug`ere, Bruno Salvy, and Bo-Yin Yang. Asymptotic behaviour of the degree of regularity of semi-regular polynomial systems. InProc. of MEGA 2005, Eighth International Symposium on Effective Methods in Algebraic Geometry, 2005.

11. Anja Becker, Nicolas Gama, and Antoine Joux. Solving shortest and closest vector problems: The decomposition approach. Cryptology ePrint Archive, Report 2013/685, 2013.http://eprint.iacr.org/2013/685. 12. Luk Bettale, Jean-Charles Faug`ere, and Ludovic Perret. Hybrid Approach for solving multivariate systems over

finite fields.Journal of Mathematical Cryptology, 3(3):177–197, 2010.

13. Wieb Bosma, John J. Cannon, and Catherine Playoust. The Magma algebra system I: The user language.Journal of Symbolic Computation, 24(3-4):235–265, 1997.

14. Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehl´e. Classical hardness of learning with errors. In Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors,45th ACM STOC, pages 575–584. ACM Press, June 2013.

15. Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In Rafail Ostrovsky, editor,52nd FOCS, pages 97–106. IEEE Computer Society Press, October 2011.

16. Bruno Buchberger. Ein Algorithmus zum Auffinden der Basiselemente des Restklassenringes nach einem nulldimensionalen Polynomideal. PhD thesis, University of Innsbruck, 1965.

17. Bruno Buchberger, Georges E. Collins, Rudiger G. K. Loos, and Rudolph Albrecht. Computer algebra symbolic and algebraic computation.SIGSAM Bull., 16(4):5–5, 1982.

18. Yuanmi Chen and Phong Q. Nguyen. BKZ 2.0: Better lattice security estimates. In Lee and Wang [33], pages 1–20.

19. David A. Cox, John B. Little, and Don O’Shea.Ideals, Varieties and Algorithms. Springer Verlag, 2005. 20. 1986. D. J. Anick. 100(1) :235?259. Thin algebras of embedding dimension three.J. Algebra, 100 (1):235 – 259,

1986.

21. R. DeMillo and R. Lipton. A probabilistic remark on algebraic program testing.Information Processing Letters, 7(4):192–194, 1978.

22. Nico D¨ottling and J¨orn M¨uller-Quade. Lossy codes and a new variant of the learning-with-errors problem. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 ofLNCS, pages 18–34. Springer, May 2013.

23. Jean-Charles Faug`ere. A new efficient algorithm for computing Gr¨obner bases (F4).Journal of Pure and Applied Algebra, 139:61–88, June 1999.

24. Jean Charles Faug`ere. A new efficient algorithm for computing Gr¨obner bases without reduction to zero(F5). In Teo Mora, editor,ISSAC 2002: Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation, July 07–10, 2002, Universit´e de Lille, Lille, France, pages 75–83, New York, NY 10036, USA, 2002. ACM Press.

25. Jean-Charles Faug`ere, Franc¸oise Levy dit Vehel, and Ludovic Perret. Cryptanalysis of minrank. In Wagner [42], pages 280–296.

26. Jean-Charles Faug`ere, Patrizia M. Gianni, Daniel Lazard, and Teo Mora. Efficient computation of zero-dimensional Gr¨obner bases by change of ordering.Journal of Symbolic Computation, 16(4):329–344, 1993. 27. Jean-Charles Faug`ere and Antoine Joux. Algebraic cryptanalysis of hidden field equation (HFE) cryptosystems

using gr¨obner bases. In Dan Boneh, editor,CRYPTO 2003, volume 2729 ofLNCS, pages 44–60. Springer, August 2003.

28. Ralf Fr¨oberg. An inequality for Hilbert series of graded algebras.Mathematica Scandinavica, 56:117–144, 1985. 29. Ralf Fr¨oberg and Joachim Hollman. Hilbert series for ideals generated by generic forms. J. Symb. Comput.,

17(2):149–157, 1994.

30. Craig Gentry. A fully homomorphic encryption scheme. PhD thesis, Stanford University, 2009. Available at http://crypto.stanford.edu/craig.

31. Claude-Pierre Jeannerod, Cl´ement Pernet, and Arne Storjohann. Rank-profile revealing Gaussian elimination and the CUP matrix decomposition.J. Symb. Comput., 56:46–68, 2013.

32. Daniel Lazard. Gr¨obner-bases, Gaussian elimination and resolution of systems of algebraic equations. In Pro-ceedings of the European Computer Algebra Conference on Computer Algebra, volume 162 ofLecture Notes in Computer Science, Berlin, Heidelberg, New York, 1983. Springer Verlag.

34. Richard Lindner and Chris Peikert. Better key sizes (and attacks) for LWE-based encryption. In Aggelos Kiayias, editor,CT-RSA 2011, volume 6558 ofLNCS, pages 319–339. Springer, February 2011.

35. Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters. In Ran Canetti and Juan A. Garay, editors,CRYPTO 2013, Part I, volume 8042 ofLNCS, pages 21–39. Springer, August 2013. 36. Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In

Michael Mitzenmacher, editor,41st ACM STOC, pages 333–342. ACM Press, May / June 2009.

37. Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In Wagner [42], pages 554–571.

38. Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors,37th ACM STOC, pages 84–93. ACM Press, May 2005.

39. Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 56(6):34:1–34:40, September 2009.

40. J. T. Schwartz. Fast probabilistic algorithms for verification of polynomial identities. Journal of the ACM, 27(4):701–717, 1980.

41. William Stein et al. Sage Mathematics Software Version 6.2. The Sage Development Team, 2013. Available at http://www.sagemath.org.

42. David Wagner, editor.CRYPTO 2008, volume 5157 ofLNCS. Springer, August 2008.

43. R. Zippel. Probabilistic algorithms for sparse polynomials. In Symbolic and algebraic computation (EU-ROSAM’79), Internat. Sympos., volume 72 ofLecture Notes in Computer Science, pages 216–226. Springer Verlag, 1979.

A

Appendix

A.1 Degree of Regularity

The proof of Theorem 6-ii)is derived from the following more general result.

Proposition 2. Let >0, andF(n)∈ {log1/(n),log logn}. Assumingm=F(n)n, then the degree of regularity of a system of quadratic semi-regular equationsf1, . . . , fm ∈Zq[x1, . . . , xn]behaves asymp-totically as:

Dreg=

F(n)−1/2−pF2_(n)−F(n)n= 1

8

n F(n)+O

_n

F2_(n)

.

Proof. We assume that we havemquadratic equations innvariables. In this case, we have to consider the Hilbert series:

Hm,n(z) =

1−z2m

(1−z)n = ∞

X

d=0 hdzd.

The degree of regularity is the indexDregsuch thathDreg <0. We try to findDreg =`(n)n=` nsuch

thath` n<0. To do so, we consider : h` n =

I _H m,n(z)

z` n dz= I

ef(z)ndz,

where the contour is a circle centered in0whose radius is smaller than1. In our context:

f(z) = log(Hm,n(z))

n =

mlog 1−z2

−nlog (1−z)−n `log (z)

n .

Laplace’s Method gives then:

h` n≈ X

{a|f0_(a)=0}

ef(a)n.

When the equationf0_{(z) = 0has two solutions, we haveh}

` n ≈ef(z

−_)n

+ef(z+_)n

→ ∞. Hence, since whend=Dreg=` nwe must havehd= 0this implies that the equationf0(z) = 0has a multiple root. In our case, we have:

f0(z) = 1 1−z −

2m z n(1−z2₎−

` z.

Now, we setm=n F(n). We have multiple root if the discriminant off0is0. As a consequence,`=`(n)

is the smallest real root of : 4n3F(n)2+4n3−8n3F(n)

`2+ −8n3F(n)3−16n3F(n)+20n3F(n)2+4n3

`−2n3F(n)+n3F(n)2+n3. This yields :

`(n) =F(n)−1/2−pF2_(n)−F(n)n= 1

8

n F(n)+O

_n

F2_(n)

.

u t

In Section 5, we use the following result.

Proposition 3. Letαandβbe constants>0, andf1, . . . , fm∈K[x1, . . . , xn]be semi-regular polynomi-als of degreeαn. We define the functionF(X, `) =

log(1+`)−`log(`)+`log(1+`)−log(1+`−X)+log(`−X)`−log(`−X)α−log(1+`−X)`+log(1+`−X)α−log(β).

Assumingm=βn, then it holds that:

Dreg n ≈

αifα < α0

PositiveRealRoot F(α, `)

, ifα0≤α <6, andα0is the real value such thatF(α0, α0) = 0.

We give below the value ofα0for variousβ.

β α0

eπ/4 _0.3595671731

2 0.293815373 3 0.641794121 1.1 0.019208159

Forβ = eπ/4, the degree of regularity is then for instance≈1.41n. Below, we compare the theoretical degree of regularity obtained from Proposition 3 for variousβandαwith the degree of regularity obtained by computing the generic Hilbert series (Definition 2).

0.5 1 1.5 2 2.5 3

0 2 4 6

α

(

β

=

2

)

de

gree

of

re

gularty

di

vided

by

n

dreg/nforβ = 2

α7→α

0.5 1 1.5 2 2.5 3 0

1 2 3 4

α

β

=

3

de

gree

of

re

gularty

di

vided

by

n

dreg/nforβ = 3

α7→α

real experiments (n=10000)

0 0.2 0.4 0.6 0.8 1

0 2 4 6 8 10

α

β

=

1

.

1

de

gree

of

re

gularty

di

vided

by

n

dreg/nforβ= 1.1

α7→α

real experiments (n=10000)

The proof of this result is beyond the scope of this paper. The first step is similar to the the previous Proposition 2, i.e. we use Laplace’s method to approximate the coefficienth` n in the Hilbert series. The next step requires different tools than the ones used classically to cancel the coefficient asymptotically. The proof will be the full version of this paper.

To simplify the analysis, it is possible to upper bound uniformly the degree of regularity, i.e.:

Proposition 4. Letαandβbe constants>0, andf1, . . . , fm∈K[x1, . . . , xn]be semi-regular polynomi-als of degreeαn. Ifm=βn_:

Dreg≤n· β β−1

Forβ =eπ4, we have β

β−1 = 1.83.

A.2 Formal Proof in Limited Cases

A technical difficulty for proving results towards Fr¨oberg’s conjecture is that over a finite field the notion of Zariski open set is meaningless due to the field equations. However, the notion of genericity can be understood via the classical Schwartz-Zippel-DeMillo-Lipton lemma [21, 40, 43].

Lemma 7 (Schwartz, Zippel, DeMillo, Lipton [21, 40, 43]). LetKbe a field andP ∈ K[x1, . . . , xn] be a non-zero polynomial. Selectr1, . . . , rn uniformly at random from a finite subsetX ofK. Then, the

Linear Independence. Assumption 2 for BinaryError-LWEimplies in particular that the equations (8) are linearly independent with high probability which we prove below for any1≤m≤ n+1₂

.

Theorem 8. Let (A,s·A +e) = (A,c) ∈ Znq×m×Zmq be sampled according to L (n)

s,U(F2), and let

P(x) =X(X−1). Assume thatq >2m.Then, for all1≤m≤ n+1₂

, the equations

f1=P c1− n X

j=1 xjAj,1

, . . . , fm=P cm− n X

j=1 xjAj,m

, (15)

are linearly independent with probability≥1−2m

q . In particular, the homogeneous componentsf H 1 , . . . , f

H m of degree2are linearly independent with probability≥1−2m

q .

Proof. The coefficients of thefis can be viewed as polynomials of degree≤2in the components of the matrixA. We denote the number of monomials of degree2byN, and byMac2them×Nmatrix whose rows are the coefficients of thefH

i s. This is the Macaulay matrix of thefiHs at degree2. We assume that the monomials are sorted with respect to a graded reverse lexicographical order. LetMat2 be am×m sub-matrix ofMac2. We can viewDet(Mat2)as a polynomialpof degree 2mwhose variables are the components ofA. According to Lemma 9 (Appendix A.3), the polynomialpis non-zero for all1 ≤m≤

n+1 2

. The Schwartz-Zippel-DeMillo-Lipton Lemma (Lemma 7) yields thatp(A) 6= 0with probability

≥1−2m

q . ut

Note that the notion of semi-genericity only depends on the homogeneous components of highest degree. Thus, the polynomialP in Theorem 8 can be replaced byX2_{and the proof would remain the same. By} a similar argument the constantscis are not relevant to the proof. This illustrates that it is equivalent to consider the semi-regularity of the systems as in Assumption 2 or the semi-regularity of the square of linear forms as done by Fr¨oberg and Hollman [29].

A consequence of Theorem 8 is:

Corollary 1. Letq >2m. There is a polynomial-time algorithm solvingBinaryError-LWEwith probabil-ity1−2m

q as soon asn < m≤ n+1

2

.

In [35] it was already mentioned that BinaryErrors-LWEcan be solved in polynomial-time as soon as the number of samples isO n2

, albeit no proof was given. In particular, a direct adaptation of [5, Theorem 3.1] to BinaryErrors-LWE gives:

Theorem 9. Let (A,s·A +e) = (A,c) ∈ _Zn×m

q ×Zmq be sampled according to L (n)

s,U(F2), and let

P(x) = X(X−1). The system obtained by linearizing thefi’s, as defined in(15), has unique solution with probability≥1−2m_·qN2−m_{, withN}

2= n+2₂

. The bound is then non-trivial (<1) ifm≥cN2, for some constantc >0.

Proof. We know thats∈Znq is a solution off1, . . . , fm. Givens0 6=s, the idea is to bound the probability thats0vanishes simultaneously the linearised system corresponding tof1, . . . , fm.

By definition,c= (s·A) +e. So, we can write:

fi=P ei− n X

j=1

(sj−xj)Aj,i.

Now by settingx∗

j = (sj−xj), we have:

f_i∗(x∗₁, . . . , x∗_n) =fi(s1−x∗1, . . . ,sn−x∗n) =P ei− n X

j=1 x∗_jAj,i

Thus,∃s0 _{6= ssuch thatf}

i(s0) = 0 ⇐⇒ ∃a non-zeros∗ ∈ Znq such thatfi∗(s∗) = 0. We can view f_i∗(s∗)has a multivariate polynomial of degree2in the components ofA. Thus, assuming thatf_i∗(s∗)is non-identically zero, it holds that:

Pr_(A,c)←

$L (n)

s,U(F2 )

fi∗(s∗) = 0|ei=b

≤2/q, withb∈ {0,1}.

The fact that thef_i∗(s∗)is a non-zero polynomial – viewed as a polynomial whose variables in the compo-nents ofAfollows easily from [5, Lemma 3.4].

The same result holds if you replacef_i∗by its linearizationLf∗

i. Thus, for anyS

0 _=s0_⊗s0 _∈

ZN2

q with s06=s∈_Zn

q, it holds that:

Pr_(A,c)←

$L (n)

s,U(F2 )

Lf1(S

0_{) = 0, . . . , L}

fm(S

0_{) = 0}

=

m Y

i=1

Pr_(A,c)←

$L (n)

s,U(F2 )

Lfi(S

0_{) = 0} .

We then have Pr_(A,c)

←$L(sn,U)(F2 )

Lfi(S

0_{) = 0}

=

1

2Pr(A,c)←$Ls(n,U)(F2 )

Lfi(S

0_{) = 0|ei= 0}

+1

2Pr(A,c)←$Ls(n,U)(F2 )

Lfi(S

0_{) = 0|ei= 1} ≤2/q.

Finally, we consider the eventES0 = “L_f

1(S

0_{) = 0, . . . , L}

fm(S

0_{) = 0”. The probability that the linearised}

system has more than one solution is the probability of the event∪S0E_S0which is:

Pr_(A,c)←

$L (n)

s,U(F2 )

(linearised system has not unique solution)≤2m·qN2−m_.

u t

For linearisation to succeed (Theorem 9) we require a number of samplesm ≥ c n+2₂ . In contrast, for a Gr¨obner basis algorithm to succeed in polynomial time (Corollary 1)m = n+1₂ suffices. Hence, ap-plying a Gr¨obner basis algorithm reduces the number of samples required to solve BinaryError-LWEin polynomial-time and at the same degree as linearisation.

Semigenericity. Following the terminology in [29], we consider the notion of semigenericity.

Definition 3. Letf1, . . . , fm ∈Zq[x1, . . . , xn]be homogeneous equations of degreed. We shall say that a sequence of polynomialsf1, . . . , fmis semigeneric if{xi·fj}11≤≤ji≤≤nn spans a vector space of maximal dimension, i.e.min n·m, d−1+n_d

. For affine polynomialsf1, . . . , fm ∈ Zq[x1, . . . , xn], we shall say that the sequencef1, . . . , fmis semigeneric iff1H, . . . , fmHis semigeneric.

For BinaryError-LWE, this corresponds to investigate Assumption 2 for Macaulay matrices at degree3. In [29, Theorem 2.2], the authors prove that the square ofmgeneric linear forms are semigeneric as long asm≤n+ 15andn≤6. Here, we prove that system (15) is semigeneric form ≤n+bn−2

2 c ≈( 3 2)n without any restriction onnby employing a strategy similar to the proof of Theorem 8.

Theorem 10. Letq = Ω(n2)and let(A,s·A+e) = (A,c) ∈ Znq×m×Zmq be sampled according to L(n)_s,U(

F2). For anymsuch that 1 ≤ m ≤ n+b

n−2

2 cthe sequence(15)is semigeneric with probability

≥1−2mn

q .

Proof. LetNbe the number of monomials of degree3and letMat3be a sub-matrix of sizem·n×m·n of the Macaulay matrixf₁H, . . . , f_mHat degree3. We can viewDet(Mat3)as a polynomialpof degree2mn whose variables are the components ofA. According to Lemma 11 (Appendix A.3),pis non-zero. Hence, Lemma 7 yields thatp(A)6= 0with probability≥1−2mn

Full Proof of Assumption 2 form= n+ 1. We conclude this part by proving that Assumption 2 holds form=n+ 1equations. However, the proof imposes a minimum size onq.

We will make use of the following lemma below for which the proof is exactly as for [29, Lemma 2.1].

Lemma 8. LetP(x) =X(X−1)and consider a matrixA∗∈Znq×n+1such that all coefficients are zero except:

– A∗[i, i] = 1, for alli,1≤j ≤n.

– A∗[i, n+ 1] = 1, for alli,1≤i≤n.

Letc=s·A∗+e,s∈Znq be chosen uniformly at random,e∈ {0,1}n+1be sampled uniformly. Then, the sequenceP c1−P

n

k=1xkA∗k,1

, . . . , P cn+1−P n

k=1xkA∗k,n+1

∈Zq[x1, . . . , xn]is semi-regular.

Example 1 Forn= 5the matrixA∗in Lemma 8 is



    

1 1 1 1 1 0 1 0 0 1 0 0 1 0 1 0 0 0 0 1 0 0 0 1 1



     .

Theorem 11. Letq = O(en_{), let (A,s·A+e) = (A,c) ∈}

Znq×m×Zmq be sampled according to L(n)_s,U(

F2), and let P(X) = X(X −1). With probability at least1 −o(1), it holds that the sequence

f1=P c1−P n

j=1xjAj,1

, . . . , fn+1=P cn+1−P n

j=1xjAj,n+1

is semi-regular.

Proof. It is well known that the degree of regularity of a semi-generic sequence ofm=n+ 1equations isdn+1

2 e. So, we need to prove that the Macaulay matrices associated tof H

1 , . . . , fn+1H of degree2to n+1

2 are of maximal possible rank. That is, the only linear dependencies occurring in the Macaulay matrices are the one induces by the trivial syzygies, i.e.fH

i fjH=fjHfiH. Until now, we investigated degrees2and3for which there is no trivial syzygies.

Let[td_{]HP(z)be thedth coefficient of the Hilbert polynomials (2). This coefficient gives the rank defects,} and then the expected rank, of the Macaulay matrix offH

1, . . . , fmH at degreed ≥ 2. As in the previous proofs, we can write easily that Macaulay matrix offH

1 , . . . , fmHat each degreedhas the expected rank if a minor is non-zero. The degree of this minor isO nd−1

. To conclude the proof we note that Lemma 8 provides a family of sufficiently generic systems withm=n+ 1equations. ut We note that the results of this section can be adapted from BinaryError-LWEto UniformError-LWE. We can generalize for instance Theorem 8 to UniformError-LWE.

Theorem 12. Let T > 0, and (G,s×G+e) = (G,c) ∈ Znq×m×Z m

q be sampled according to L(n)_{s,U([−T ...,T])}. Let alsoP(x) =XQT

i=1(X−i). We assume thatq >(2T+1)·m. For all1≤m≤ n+1

2

, we define:

f1=P c1− n X

j=1 xjGj,1

, . . . , fm=P cm− n X

j=1 xjGj,m

.

It holds thatf1H, . . . , fmHare linearly independent with probability≥1−

(2T+1)m q .

Proof. LetN be the number of monomials of degree≤2T+ 1. We defineMacasm×Nmatrix whose rows are the coefficients of thefis. Letp= Det(Mat)be the determinant of am×msub-matrixMatof

Mac. Ifpis non-zero, Schwartz-Zippel-DeMillo-Lipton Lemma yields the result stated. The fact thatpis

A.3 Auxilary Lemmas

This appendix collects proofs allowing to show that tge polynomials used in Appendix A.2 are non-zero which allows us to apply Schwartz-Zippel-DeMillo-Lipton Lemma.

The lemma below is used in Theorem 8 to show that the determinant considered is non-zero.

Lemma 9. For alli,1≤i≤n, construct an× n−(i−1)

matrixGias follows. All the coefficients of Giare zero except:

– Gi[i, j] = 1, for allj,1≤j≤ n−(i−1).

– Gi[j+ (i−1), j] = 1, for allj,1≤j≤ n−(i−1)

.

Now, letG∗=G1kG2k · · · kGnbe a block matrix,s∈Znq chosen uniformly at random, ande∈ {0,1} m

sampled uniformly. We setc=s×G∗+eandP(x) =X(X−1)and define:

f1=P c1− n X

j=1 xjG∗j,1

, . . . , fm=P cm− n X

j=1 xjG∗j,m

.

Then, the homogeneous componentsfH

1 , . . . , fmHof degree2are linearly independent.

Proof. Letfi,jbe the thejth equation derived from the matrixGi(the equation corresponding to thejth column of theith matrixGi) . We start with the simple casem =nwhereG∗ = G1. The monomial of highest degree inf1,1=P(c1−x1)is simplyx21. More generally, for alli,1≤j ≤n, the monomials of degree2inf1,j =P(cj−x1−xj)arex21, x1xjandx2j. Remark then that the system

F1:= [ ˜f1,1=f1,1,f˜1,2=−f1,1+f1,2, . . . ,f˜1,n=−f1,1+f1,n]

has a triangular shape: the leading monomial off˜1,j isx1·xj (all the terms of degree2divisible byx1) and hence distinct.

More generally, letG∗=G1kG2kG3k · · · kGn. We consider, for alli,1≤i≤n:

Fi:= [ ˜fi,1=fi,1,f˜i,2=−fi,1+fi,2, . . . ,f˜i,n−i+1=−fi,1+fi,n−i+1]. (16) All these equations are in triangular form, and leading monomials ofFi are the monomialsxixj, with j≥i. Consequently the set of equationsS

1≤i≤nFiare linearly independent. Finally, the numbers of rows ofG∗isn+ (n−1) + (n−2) +· · ·(n−(n−1)) =n2_{−n(n−1)/2 =n(n+ 1)/2 =} n+1

2

. ut

Example 2 Forn= 4, andm=n(n+ 1)/2 = 10the matrixG∗is as follows:



  

1 1 1 1 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 0 0 0 1 0 0 1 0 1 1 0 0 0 0 1 0 0 1 0 1 1



   .

The equationsfi,jcorresponding are then

[x21+ 15·x1+ 5, x21+ 2·x1·x2+x

2 2+ 4, x21+ 2·x1·x3+x23+ 10·x1+ 10·x3+ 12,

x21+ 2·x1·x4+x 2

4+ 9·x1+ 9·x4+ 3, x22+ 5·x2+ 6, x22+ 2·x2·x3+x

2 3+ 4, x22+ 2·x2·x4+x

2

4+ 16·x2+ 16·x4, x23+ 13·x3+ 8, x23+ 2·x3·x4+x

2