On Public Key Encryption from Noisy Codewords

Ben-Sasson, Eli; Ben-Tov, Iddo; Damgård, Ivan; Ishai, Yuval; Ron-Zewi, Noga

doi:10.1007/978-3-662-49387-8_16

Eli Ben-Sasson¹⁷,
Iddo Ben-Tov¹⁷,
Ivan Damgård¹⁸,
Yuval Ishai^17,19 &
…
Noga Ron-Zewi^20,21

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9615))

Included in the following conference series:

Public-Key Cryptography -- PKC 2016

1705 Accesses
2 Citations

Abstract

Several well-known public key encryption schemes, including those of Alekhnovich (FOCS 2003), Regev (STOC 2005), and Gentry, Peikert and Vaikuntanathan (STOC 2008), rely on the conjectured intractability of inverting noisy linear encodings. These schemes are limited in that they either require the underlying field to grow with the security parameter, or alternatively they can work over the binary field but have a low noise entropy that gives rise to sub-exponential attacks.

Motivated by the goal of efficient public key cryptography, we study the possibility of obtaining improved security over the binary field by using different noise distributions. Inspired by an abstract encryption scheme of Micciancio (PKC 2010), we study an abstract encryption scheme that unifies all the three schemes mentioned above and allows for arbitrary choices of the underlying field and noise distributions.

Our main result establishes an unexpected connection between the power of such encryption schemes and additive combinatorics. Concretely, we show that under the “approximate duality conjecture” from additive combinatorics (Ben-Sasson and Zewi, STOC 2011), every instance of the abstract encryption scheme over the binary field can be attacked in time $2^{O(\sqrt{n})}$, where n is the maximum of the ciphertext size and the public key size (and where the latter excludes public randomness used for specifying the code). On the flip side, counter examples to the above conjecture (if false) may lead to candidate public key encryption schemes with improved security guarantees.

We also show, using a simple argument that relies on agnostic learning of parities (Kalai, Mansour and Verbin, STOC 2008), that any such encryption scheme can be unconditionally attacked in time $2^{O(n/\log n)}$, where n is the ciphertext size. Combining this attack with the security proof of Regev’s cryptosystem, we immediately obtain an algorithm that solves the learning parity with noise (LPN) problem in time $2^{O(n/\log \log n)}$ using only $n^{1+\epsilon }$ samples, reproducing the result of Lyubashevsky (Random 2005) in a conceptually different way.

Finally, we study the possibility of instantiating the abstract encryption scheme over constant-size rings to yield encryption schemes with no decryption error. We show that over the binary field decryption errors are inherent. On the positive side, building on the construction of matching vector families (Grolmusz, Combinatorica 2000; Efremenko, STOC 2009; Dvir, Gopalan and Yekhanin, FOCS 2010), we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.

A full version of this extended abstract can be found in [6].

You have full access to this open access chapter, Download conference paper PDF

An Asymptotically Optimal Method for Converting Bit Encryption to Multi-Bit Encryption

Entropically secure encryption with faster key expansion

Article Open access 23 March 2024

Symbolic Encryption with Pseudorandom Keys

Keywords

1 Introduction

Public key encryption is one of the most intriguing concepts of modern cryptography. Decades after the introduction of the first public key encryption schemes [13, 17, 31, 38, 42], there are still only a handful of candidate constructions. While public key encryption schemes such as RSA are widely deployed in practice, their concrete efficiency, including the size of keys and ciphertexts, leaves much to be desired. In particular, there is still a considerable efficiency gap between the best known public key encryption schemes and their private key counterparts.

Motivated by the goal of finding new public key encryption schemes with attractive efficiency features, we study an abstract encryption scheme which captures a class of known schemes that rely on the hardness of inverting a noisy linear encoding. This class includes the public key encryption scheme of Alekhnovich [3], whose security is based on the conjectured intractability of the “learning parity with noise” (LPN) problem, and the schemes of Regev [40] and of Gentry, Peikert and Vaikuntanathan (GPV) [18], whose security is based on the conjectured intractability of the “learning with errors” (LWE) problem.

In all of the above schemes, there is a publicly known linear code which is typically chosen at random, and the public keys and ciphertexts are generated by picking a secret uniform random codeword and adding a secret random noise vector, or alternatively by computing the syndrome of such a noisy codeword. Among other differences, the schemes differ in the choice of the underlying field and the distribution from which the noise is picked. In the schemes proposed by Regev and GPV, the field size grows polynomially with the security parameter and the noise distribution is a discrete Guassian. The scheme of Alekhnovich has the advantage of working over the binary field, but its noise distribution is restricted to noise patterns whose Hamming weight is smaller than the square root of the ciphertext size and public key size^{Footnote 1}.

The choice of binary field made by Alekhnovich [3] is attractive because of the potential for better concrete efficiency, especially on light-weight devices [12, 23, 37]. However, the choice of noise distribution made in [3] has a negative impact on efficiency since the low-weight noise makes a brute-force guessing attack possible. In particular, if we require the scheme to resist $2^t$ time attacks then this requires the public keys as well as the ciphertexts to be of size at least $\varOmega (t^2)$, even when encrypting a single bit. In contrast, the known attacks on the schemes of Regev and GPV, using lattice algorithms, only require the public keys and ciphertexts to be of size $\varTheta (t\log t)$. The main question we study is whether it is possible to obtain a similar or better level of succinctness by using linear codes over the binary field, thus obtaining a cryptosystem that enjoys the best of both worlds.

1.1 Overview of Contribution

Towards a systematic study of the above question, we study an abstract encryption scheme which unifies the schemes of Regev, GPV, and Alekhnovich, and allows for arbitrary choices of the underlying field and noise distributions. This scheme is inspired by an abstract encryption scheme of Micciancio described in the online talk [33], which unifies the encryption schemes of Regev and GPV.

Our first result unconditionally rules out the possibility of instantiating the abstract encryption scheme over the binary field to yield an optimally succinct cryptosystem, in the sense that the ciphertexts and public keys are only O(t) bits long^{Footnote 2}. This result is obtained using a simple argument that relies on a previous result of Kalai et al. on agnostic learning of parities [24]. Combining this attack with the security proof of Regev’s cryptosystem [40] immediately yields an algorithm that solves the learning parity with noise (LPN) problem in time $2^{O(n/ \log \log n)}$ using only $n^{1+\epsilon }$ samples, providing a conceptually different proof for the main result of Lyubashevsky [29].

Our main result establishes an unexpected connection between the power of such encryption schemes and additive combinatorics. We show that under a conjecture from additive combinatorics it is also impossible to obtain near-optimal succinctness over the binary field in the case in which the decryption error of a single encryption is a sufficiently small constant. More concretely, every instance of the abstract encryption scheme over the binary field can be attacked in time $2^{O(\sqrt{n})}$, where n is the maximum of the ciphertext size and the public key size. This suggests that the parameters of Alekhnovich’s original construction cannot be significantly improved by choosing different noise distributions.

The high level idea behind this result is as follows. The unified encryption scheme is parameterized by three independent noise distributions: a distribution $\mu _{sk}$, applied during the key generation, and distributions $\mu _0$ and $\mu _1$ that are used for encrypting the messages 0 and 1 respectively. To enable correct decryption with high probability, it must be the case that the distributions $\langle \mu _{sk},\mu _0\rangle $ and $\langle \mu _{sk},\mu _1\rangle $ are statistically far (where $\langle \cdot ,\cdot \rangle $ denotes the inner product of independent random samples). On the other hand, the security of the scheme implies that noisy linear encoding with respect to these noise distributions must be one-way, and in particular these distributions should not satisfy certain combinatorial properties that enable an adversary to guess the noise and solve the resulting system of linear equations. Our conditional negative results are obtained by applying the approximate duality conjecture from [8] to establish limits on the existence of distributions which satisfy the above. On the flip side, counter examples to the approximate duality conjecture (if false) would give distributions $\mu _{{\mathrm{sk}}}, \mu _0, \mu _1$ that can potentially serve as a basis for cryptosystems (over the binary field) that resist exponential time attacks.

As a secondary contribution of this work, we study the possibility of instantiating the unified scheme over constant-size rings to yield encryption schemes with no decryption error. We show that over the binary field, a small decryption error probability is inherent. On the positive side, building on the construction of matching vector families from [14], which builds in turn on the constructions of [16, 21], we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.

Before providing a more detailed account of our results, we provide some background on the problem of noisy linear decoding and public key encryption schemes based on its conjectured hardness.

1.2 Learning Parity with Noise

The learning parity with noise (LPN) problem is the problem of solving random linear equations over ${\mathbb {F}}_2$ which are corrupted by some noise. More specifically, in this problem there is an unknown vector $s \in {\mathbb {F}}_2^n$, and one is given independent random samples of the form $(a_i,b_i)$, where $a_i$ is a uniform random vector in ${\mathbb {F}}_2^n$, $b_i = \langle a_i,s \rangle + e_i$, and each noise bit $e_i \in \left\{ {0,1}\right\} $ is 1 with probability $ \eta < \frac{1}{2}$ and 0 otherwise independently of $a_i$ (all operations are performed over ${\mathbb {F}}_2$). The goal is to recover the unknown vector s from these samples. If the noise rate $\eta $ equals 0 then this can simply be done using Gaussian elimination. When $\eta >0$ the problem is conjectured to be intractable. Indeed, solving LPN given m samples can be viewed as the problem of decoding a noisy codeword in a random linear code of block length m and dimension n, a longstanding open problem in coding theory.

It is known that the hardness of solving the above search version of LPN with a uniform random unknown vector s implies the hardness of the decision version of LPN, namely distinguishing between samples of the form $(a_i,b_i)$ as above and uniformly random and independent vectors in ${\mathbb {F}}_2^{n+1}$ [5, 10]. From a coding theory perspective, this means that if it is hard to decode noisy random codewords in a random linear code, then the joint distribution (G, b) is pseudorandom, where G is a random generator matrix of a random linear code and b is a noisy random codeword in the code.

A naive approach for solving LPN is to search among all vectors in ${\mathbb {F}}_2^n$ to find a vector $s'$ the largest number of equations. This algorithm takes $2^{O(n)}$ time and one can show, using the Chernoff bound, that O(n) independent random samples suffice to ensure that $s'$ will be the correct solution with high probability. In [11], Blum et al. showed that, quite surprisingly, one can solve the LPN problem in time $2^{O(n/\log n)}$. However, a drawback of this algorithm is that it requires $2^{O(n/\log n)}$ independent random samples. In [29] (see also [25]) it was shown that the number of samples could be reduced to $n^{1+\epsilon }$ at the price of increasing the running time to $2^{O(n/\log \log n)}$. More specifically, they showed that using only $n^{1+\epsilon }$ initial independent random samples one can generate additional “almost fresh” random samples by XORing sufficiently large random subsets of the initial samples. These new samples can be used in turn as an input to the algorithm of [11].

1.3 Alekhnovich’s Public Key Encryption Scheme

In 2003, Alekhnovich [3] proposed a public key encryption scheme whose security was based on the intractability of the LPN problem. Roughly speaking, this scheme can be used to encrypt a bit $\sigma \in \{0,1\}$ as follows. Let n be a security parameter, $m = 2n$, and $k = n^{1/2 - \epsilon }$ for some small constant $\epsilon >0$. The key generation proceeds by choosing a random noise vector $e \in {\mathbb {F}}_2^m$ in which each entry is set to 1 with independent probability $\eta =k/m$, a uniform random $m \times n$ matrix G over the binary field, and a uniform random $w \in {\mathrm{Image}}(G)$ (that is, w is uniform in the column span of G). The private key is the noise vector e and the public key is the $m \times (n+1)$ matrix $\tilde{G} = ( G \mid b)$ obtained from G by appending the noisy codeword $b = w +e$ to the right of the matrix G. (As discussed above, we do not count G towards the size of the public key.)

The encryption of $\sigma =0$ is a random vector $c \in {\mathbb {F}}_2^{m}$ of the form $c = \tilde{w} + \tilde{e}$, where $\tilde{w}$ is a uniform random vector in $\ker (\tilde{G}^T)$ and $\tilde{e} \in {\mathbb {F}}_2^m$ is a random noise vector distributed identically to (but independently of) the private key e. The encryption of $\sigma =1$ is a uniform random vector in ${\mathbb {F}}_2^{m}$. In order to decrypt a ciphertext $c \in {\mathbb {F}}_2^m$, one simply outputs the inner product $\langle c,e \rangle $. It can be easily seen that this inner product is a nearly uniform random bit when c is an encryption of 1, and is equal to the inner product $ \langle e, \tilde{e} \rangle $ when c is an encryption of 0. By the birthday paradox, the inner product $ \langle e, \tilde{e} \rangle $ is 0 with probability $1-o(1)$ and consequently, by repeating the encryption process ${\mathrm{polylog}}(n)$ times, one can distinguish between encryptions of 0 and 1 with negligible error probability.

The security of the above scheme can be based on the intractability of the LPN problem with noise rate $\eta $. Indeed, since the matrix $\tilde{G}$ is indistinguishable from a uniform random matrix, the code from which $\tilde{w}$ is picked is indistinguishable from a random linear code, implying that the noisy codeword c is also pseudorandom. However, by the choice of the noise rate $\eta $, the Hamming weight of the private key e is bounded by $n^{1/2-\epsilon /2}$ with overwhelming probability. By trying all different possibilities for such a private key, the scheme can be attacked in time $2^{O(\sqrt{n})}$.

It is instructive to consider the abstract requirements from the noise distributions e and $\tilde{e}$ that are necessary for the correctness and security of the above scheme. To enable correct decryption with high probability, the inner product of e and $\tilde{e}$ (where the two noise vectors are independently sampled) should be statistically far from uniform, i.e., significantly biased towards either 0 or 1. On the other hand, a sufficient condition for security is that the LPN decision problem be intractable with respect to both of the noise distributions e and $\tilde{e}$. The main question that motivates this work is whether there can be other choices of noise distributions that satisfy the above correctness requirement and may provide substantially better security than the original choice of Alekhnovich.

1.4 Learning with Errors

The learning with errors (LWE) problem, introduced by Regev for the construction of his public key encryption scheme [40], is a generalization of the LPN problem to arbitrary rings ${\mathbb {Z}}_q$ (where q is a prime power). More specifically, in this problem one is given independent random samples of the form $(a_i,b_i)$ where now $a_i$ is a uniform random vector in ${\mathbb {Z}}_q^n$, $b_i = \langle a_i,s \rangle + e_i$ for a fixed unknown vector $s \in {\mathbb {Z}}_q^n$ and $e_i$ is distributed according to some fixed distribution $\chi $ on ${\mathbb {Z}}_q$ independently of $a_i$ (all operations are performed over ${\mathbb {Z}}_q$). Concretely, the distribution $\chi $ is usually chosen to be some small discrete Gaussian. The goal is again to recover the unknown vector s.

As was the case with LPN, assuming that the distribution $\chi $ is sufficiently far from uniform, one can solve LWE naively in time $q^{O(n)}$ using $O(n \log q)$ samples, and the algorithm of Blum et al. [11] can be adapted to solve this problem in time $q^{O(n/\log n)}$ using $q^{O(n/\log n)}$ samples. However, what is remarkable about LWE is that its hardness can be based on the worst-case hardness of well-studied lattice problems. This makes all cryptographic constructions based on the hardness of LWE secure under assumptions on the worst-case hardness of these lattice problems. See the survey [41] for more details.

1.5 Public Key Encryption Based on Learning with Errors

As mentioned above, Regev introduced the LWE problem as a basis for the construction of his public key encryption scheme [40] which can be used to encrypt a bit $\sigma \in \left\{ {0,1}\right\} $ as follows. Let n be a security parameter, $m = (1+\epsilon )n \log q$ and $q = {\mathrm{poly}}(n)$. The key generation proceeds by choosing a random noise vector $e \in {\mathbb {F}}_q^m$ in which each coordinate is distributed independently according to a small discrete Gaussian, a uniform random $m \times n$ matrix G over ${\mathbb {F}}_q$, and a uniform random $w \in {\mathrm{Image}}(G)$. The private key is the noise vector e and the public key is the $m \times (n+1)$ matrix $\tilde{G} = (G \mid b)$ obtained from G by appending the noisy codeword $b = w +e$ to the right of the matrix G.

The encryption of a bit $\sigma \in \left\{ {0,1}\right\} $ is a random vector $c \in {\mathbb {F}}_q^{n+1}$ of the form $c = \tilde{G}^T \cdot \tilde{e}+ v_\sigma $ where $\tilde{e}$ is a uniform random vector in $\left\{ {0,1}\right\} ^{m}$ and $v_\sigma \in {\mathbb {F}}_q^{n+1}$ is the vector all of whose coordinates equal 0 except for the $(n+1)$-th coordinate which equals $\sigma \cdot \lfloor \frac{q}{2} \rfloor $. In order to decrypt a ciphertext $c \in {\mathbb {F}}_q^{n+1}$ one computes $\sigma ' =: c_{n+1} - \langle x, P_n(c) \rangle $, where $P_n: {\mathbb {F}}_q^{n+1} \rightarrow {\mathbb {F}}_q^n$ denotes the projection on the first n coordinates and x is such that $w = Gx$, and outputs 0 if $\sigma '$ is closer to 0 than to $ \lfloor \frac{q}{2} \rfloor $ and 1 otherwise. Finally, it can be verified that $\sigma ' = \sigma \cdot \lfloor \frac{q}{2} \rfloor + \langle e, \tilde{e} \rangle $. Consequently, if one chooses the Guassian distribution of the coordinates of e to be small enough then $ \langle e, \tilde{e} \rangle $, which is the sum of at most m such independent Gaussians, would be smaller than $\lfloor \frac{q}{4} \rfloor $ in absolute value with high probability and therefore would enable one to distinguish between encryptions of 0 and 1 with small error probability. In fact, the error here can be completely eliminated by truncating the tail of the Gaussian noise distribution.

The main advantage of Regev’s encryption scheme is that while Alekhnovich’s encryption scheme can be attacked in time $2^{O(\sqrt{n})}$ by enumerating over all possible private keys, the best known attacks on Regev’s encryption scheme, using lattice algorithms, run in time $2^{O(n)}$. This advantage of Regev’s scheme stems from the possibility to exploit the large modulus q for picking noise distributions e and $\tilde{e}$ whose inner product is statistically far from uniform and yet the noisy decoding problem corresponding to these distributions can be conjectured to have nearly exponential hardness. Note, however, that since q is polynomial in n, the ciphertext is of size $\varOmega (n\log n)$ and therefore falls slightly short of being optimally succinct.

Another related public key encryption scheme, based on the hardness of LWE, is the public key encryption scheme proposed by Gentry, Peikert and Vaiknutanathan (GPV) [18] which is described by the authors as a “dual of Regev’s scheme in which the key generation and the encryption algorithms are swapped”. A useful property of the encryption scheme of [18] is that it allows an identity-based encryption in which arbitrary strings are allowed to serve as public keys.

1.6 Related Work

Originating from the seminal work of Ajtai [1], there has been a large body of research on basing lattice-based cryptosystems on the minimal possible assumptions and improving the efficiency of such provably secure constructions. In particular, the work of Micciancio and Mol [34] considers the possibility of replacing the standard Gaussian noise by other noise distributions, which may admit a more efficient sampling algorithm, while maintaining provable security under standard assumptions. In contrast, the goal of the present work is to explore the space of constructions that might be secure, in the sense that they resist known attacks, regardless of the underlying intractability assumption or the way security is argued. Moreover, unlike the work on lattice-based cryptography, our main focus is on constructions that use linear codes over the binary field.

As noted above, the unified encryption scheme we study is inspired by the abstract encryption scheme described in Micciancio’s online talk [33] which generalizes the encryption schemes of Regev and GPV. In particular, as in [33], this unified scheme relies on duality between noisy codeword encoding and syndrome encoding. This duality has also been noticed and used in other settings in the context of lattice-based public key encryption, for example in [34, 44]^{Footnote 3}.

Finally, one should note that the unified scheme we study does not capture all of the code-based and lattice-based public key encryption schemes from the literature. For instance, it does not capture the code-based McEliece cryptosystem and its variants [31, 36], as well as lattice- and LWE-based cryptosystems such as [2, 4, 19, 22, 30, 32, 35, 39]. However, these alternative constructions do not seem well suited to the goal of obtaining near-optimal succinctness over binary fields. The former code-based schemes require the public key size to grow quadratically with the security parameter, whereas the latter lattice-based schemes do not admit a “native” implementation over binary fields.

2 Our Results in More Detail

To study the public key encryption schemes of Alekhnovich [3], Regev [40] and Gentry, Peikert and Vaikuntanathan (GPV) [18] in a unified way, we start by defining an abstract encryption scheme that captures these encryption schemes. More specifically, for each of the schemes [3, 18, 40] we define an abstract version that we call ${\varPi _{\mathrm{Alek}}}, {\varPi _{\mathrm{Reg}}}, {\varPi _{\mathrm{GPV}}} $, respectively, in which the field size as well as the noise distributions used in the key generation and encryption processes are allowed to be arbitrary.

Following Miciancio [33], we observe that for an identical choice of parameters all the abstract schemes are equivalent to each other in terms of security: Given a pair of schemes $E,E' \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $, there exists an efficiently computable randomized mapping which for every bit $\sigma \in \left\{ {0,1}\right\} $ maps the joint distribution of the public key ${\mathrm{pk}} $ and the encryption of $\sigma $ using ${\mathrm{pk}} $ in E to the joint distribution of the public key ${\mathrm{pk}} '$ and the encryption of $\sigma $ using ${\mathrm{pk}} '$ in $E'$ ^{Footnote 4}.

At a high level, all the abstract schemes work as follows (see Table 1 in the full version [6] for more details). Each of the schemes is parametrized by integers $n<m$, a field ${\mathbb {F}}_q$ (whose size may depend on n), a distribution $\mu _{{\mathrm{sk}}}$ over ${\mathbb {F}}_q^m$ and a pair of distributions $\mu _0,\mu _1$ over ${\mathbb {F}}_q^{m+1}$. In all three schemes the private key is a random noise vector $e \sim \mu _{{\mathrm{sk}}}$. The public key consists of two parts: A random linear code $C: {\mathbb {F}}_q^n \rightarrow {\mathbb {F}}_q^m$, specified by either a uniform random generator matrix $G^T \in {\mathbb {F}}_q^{n \times m}$ (in ${\varPi _{\mathrm{Alek}}} $ and ${\varPi _{\mathrm{Reg}}} $) or a uniform random parity-check matrix $H^T \in {\mathbb {F}}_q^{(m-n) \times m}$ (in ${\varPi _{\mathrm{GPV}}} $), together with either a noisy codeword $b=w+e$ where w is a random codeword in C (in ${\varPi _{\mathrm{Alek}}} $ and ${\varPi _{\mathrm{Reg}}} $) or its syndrome $u=H^T \cdot e$ (in ${\varPi _{\mathrm{GPV}}} $).

The encryption process is similar: Let $\tilde{C} : {\mathbb {F}}_q^{m-n} \rightarrow {\mathbb {F}}_q^{m+1}$ be the code specified by the parity-check matrix

$$\begin{aligned} \tilde{G}^T =\left( \begin{array}{cc} G &{} b\\ 0_{n}^{T} &{} -1 \end{array}\right) ^T , \end{aligned}$$

where $\tilde{G}$ is the $(m+1) \times (n+1)$ matrix obtained by appending the column b to the right of the matrix G and adding below a row whose first n entries equal zero and whose last entry equals $-1$. Let

$$\begin{aligned} \tilde{H}=\left( \begin{array}{c} H \\ u^T \end{array}\right) \end{aligned}$$

be the $(m+1) \times (m-n)$ matrix obtained by adding the row $u^T$ below the matrix H, and note that $\tilde{H}^T$ is a generator matrix for the code $\tilde{C}$. In order to encrypt a bit $\sigma \in \left\{ {0,1}\right\} $ one chooses a random noise vector $\tilde{e} \sim \mu _{\sigma }$. The encryption of $\sigma $ is either a noisy codeword $b= \tilde{w}+\tilde{e}$ where $\tilde{w}$ is a uniform random codeword in $\tilde{C}$ (in ${\varPi _{\mathrm{Alek}}} $ and ${\varPi _{\mathrm{GPV}}} $) or its syndrome $\tilde{G}^T \cdot \tilde{e}$ (in ${\varPi _{\mathrm{Reg}}} $).

Finally, in all the three schemes using the private key e one can obtain the inner product $\langle e \circ (-1), \tilde{e} \rangle $, where $e \circ (-1)$ denotes the vector obtained from e by adding $-1$ below the vector e. To enable decryption one has to choose noise distributions $\mu _{{\mathrm{sk}}}$, $\mu _0$ and $\mu _1$ such that it is possible to distinguish between the distributions $\langle \mu _{{\mathrm{sk}}} \circ (-1), \mu _0 \rangle $ and $\langle \mu _{{\mathrm{sk}}} \circ (-1), \mu _1 \rangle $ efficiently.

2.1 Unconditional Negative Result

Our first result shows a simple unconditional attack running in time $2^{O(n / \log n)}$ on any instance of the abstract encryption scheme over the binary field. The attack uses a simple argument based on the algorithm for agnostic learning of parities of Kalai et al. [24], a powerful algorithm that learns parities with noise from arbitrary distributions. More specifically, this algorithm is given independent random samples of the form $(a_i,b_i)$, where $b_i = \langle a_i, s \rangle +e_i $ for a fixed unknown vector $s \in {\mathbb {F}}_2^n$ and $(a_i,e_i)$ are distributed according to an arbitrary distribution over ${\mathbb {F}}_2^n \times {\mathbb {F}}_2$ (In particular, the $e_i$’s may depend on the $a_i$’s). Assuming that the noise bit $e_i$ is non-zero with probability at most $\eta $ (or alternatively, $b_i \ne \langle a_i, s \rangle $ with probability at most $\eta $), the algorithm returns a circuit $h: {\mathbb {F}}_2^n \rightarrow {\mathbb {F}}_2$ that errs with probability at most $\eta $ on future examples, that is $\Pr _{(a_i,b_i)}[h(a_i) \ne b_i] \le \eta $. The running time and number of samples used by this algorithm is $2^{O(n/\log n)}$ which matches the performance of the original LPN algorithm of [11]. Note that though quite powerful, this algorithm is not a proper learner since it returns an arbitrary circuit which is not necessarily a parity function. For simplicity, assume for now that the algorithm returns the original vector s.

By the equivalence of the abstract encryption schemes ${\varPi _{\mathrm{Alek}}} $, ${\varPi _{\mathrm{Reg}}} $ and ${\varPi _{\mathrm{GPV}}} $ it suffices to show an attack on the encryption scheme ${\varPi _{\mathrm{Reg}}} $. The property of this scheme that we shall use for the attack is that the decryption of a ciphertext $c \in {\mathbb {F}}_2^{n+1}$ is $c_{n+1} - \langle s, P_n(c)\rangle $ where $P_n: {\mathbb {F}}_2^{n+1} \rightarrow {\mathbb {F}}_2^n$ denotes the projection on the first n bits and $s \in {\mathbb {F}}_2^n$ is such that $w = Gs$. Using the public key we generate $2^{O(n/\log n)}$ samples of the form $(P_n(c'), c'_{n+1} - \xi )$ where $\xi \in \left\{ {0,1}\right\} $ is a uniform random bit and $c'$ is a random encryption of $\xi $ and feed them to the algorithm for agnostic learning of parities described above. Assuming that the decryption algorithm has low error probability we have that $ c'_{n+1} - \langle s, P_n(c')\rangle =\xi $ with probability at least $1 - \eta $, or alternatively, $ \langle s, P_n(c')\rangle \ne c'_{n +1} - \xi $ with probability at most $\eta $. Hence the algorithm of [24] will recover the vector s and consequently we can recover the private key $e = b- Gs$.

The attack described above has also some positive consequences to learning, where it can be used for learning parities corrupted by arbitrary noise distributions in sub-exponential time using a relatively small number of samples. More specifically, we observe that Regev’s security proof [40], which shows that his original encryption scheme is secure assuming the hardness of LWE, can be generalized to show the security of the abstract encryption scheme under similar assumptions. In more detail, one can show that any instance of the abstract encryption scheme over an arbitrary field ${\mathbb {F}}_q$, using an arbitrary noise distribution $\mu _{{\mathrm{sk}}}$ and noise distributions $\mu _0, \mu _1$ of sufficiently high min-entropy, is secure assuming the hardness of learning linear functions over ${\mathbb {F}}_q$ corrupted by noise coming from the distribution $\mu _{{\mathrm{sk}}}$. We further observe that this security guarantee holds even assuming the hardness of learning such functions using a relatively small number of samples.

Stated positively, the above says that any attack on an instance of the abstract encryption scheme as above can be turned into an algorithm that learns linear functions over ${\mathbb {F}}_q$ corrupted by noise coming from the distribution $\mu _{{\mathrm{sk}}}$ using a relatively small number of samples. In particular, the attack described above can be turned into such an algorithm. We further observe that an instance of this latter algorithm solves the LPN problem in time $2^{O(n/\log \log n)}$ using $ n^{1+\epsilon }$ samples, reproducing the result of [29] (see also [25]) in a conceptually different way.

2.2 Conditional Negative Results

Our main result is a (non-uniform) attack running in time $2^{O(\sqrt{m})}$ on any instance of the abstract encryption scheme over the binary field in the case in which the decryption error of a single encryption is a sufficiently small constant, assuming the ‘approximate duality conjecture’ of [8]. For the attacks we first formulate combinatorial properties of the distributions $\mu _{\mathrm{sk}}, \mu _0$ and $\mu _1$ that imply an attack on the abstract encryption scheme and then show that these combinatorial properties are satisfied assuming the approximate duality conjecture or its variant. We elaborate on these two parts below.

Attacks based on combinatorial properties of $\mu _{{\mathrm{sk}}}, \mu _0, \mu _1$. The main combinatorial property we shall use for the attacks is sparsity. More precisely, we say that a distribution $\mu $ over ${\mathbb {F}}_2^m$ for $m \ge n$ is $(n,k,\rho )$ -sparse if there exist k subsets $A_1,\ldots ,A_k \subseteq {\mathbb {F}}_2^m$ (not necessarily distinct) and k full rank linear transformations $L_1,\ldots ,L_k: {\mathbb {F}}_2^m \rightarrow {\mathbb {F}}_2^n$ (not necessarily distinct) such that $\Pr _{\mu } \big (\bigcup _{i=1}^k A_i \big ) \ge \rho $ and $L_i(A_i)$ is constant for every $i \in [k]$. In other words, this means that there exist k affine subspaces $V_1, \ldots , V_k \subseteq {\mathbb {F}}_2^m$, of co-dimension n each, such that with probability at least $\rho $ a random vector sampled from $\mu $ falls into the union of these subspaces.

We show that if an instance of the abstract encryption scheme over the binary field satisfies that the distribution $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse or one of the distributions $\mu _0$ or $\mu _1$ is $(m+1-n+\log k+\log (1/\rho ),k,\rho )$-sparse, and the decryption error of a single encryption is relatively small compared to $\rho $, then one can attack this instance in time O(k). To illustrate the idea behind our attacks assume that we are attacking ${\varPi _{\mathrm{Alek}}} $ and that the distribution $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse. In this case one can search for a ’good’ private key $e'$ by enumerating over all $i \in [k]$ and solving a corresponding system of linear equations to find a vector $e' \in \bigcup _{i=1}^k V_i$ and a vector $x' \in {\mathbb {F}}_2^n$ such that $b = Gx' + e'$. We can further test whether $e'$ is a ’good’ private key by generating random encryptions of 0 and 1 using the public key and computing the success probability of $e'$ in decrypting these encryptions. Since the distribution $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse, with probability at least $\rho $ we will succeed in finding a ‘good’ private key $e'$ which can be used in turn in order to decrypt the ciphertext.

The case in which one of the distributions $\mu _0$ or $\mu _1$ is $(m+1-n + \log k+\log (1/\rho ),k,\rho )$-sparse is a bit more tricky. In this case it will be convenient to attack the scheme ${\varPi _{\mathrm{GPV}}} $ and by symmetry it suffices to show such an attack in the case in which $\mu _0$ is $(m+1-n+\log k+\log (1/\rho ),k,\rho )$-sparse. As in the $\mu _{{\mathrm{sk}}}$ case, we can still search in time O(k) for $e' \in \bigcup _{i=1}^k V_i$ and a vector $x' \in {\mathbb {F}}_2^{m-n}$ such that $c = \tilde{H} \cdot x' + e'$. Our main observation is that since $\bigcup _{i=1}^k V_i$ is not too large, with high probability over the choice of the matrix $\tilde{H}$, there is no $e' \ne \tilde{e}$ such that $e' \in \bigcup _{i=1}^k V_i$ and $c = \tilde{H} x' +e'$ for some $x' \in {\mathbb {F}}_2^{m-n}$. This implies in turn that by enumerating over all $i \in [k]$ and solving a corresponding system of linear equations, with high probability one can verify whether $\tilde{e} \in \bigcup _{i=1}^k V_i$ and if this is the case one can also find $\tilde{e}$. It thus suffices to be able to distinguish between $\tilde{e} \sim \mu _0$ and $\tilde{e} \sim \mu _1$, conditioned on the event that $\tilde{e} \in \bigcup _{i=1}^k V_i$. Assuming that the decryption error is sufficiently small compared to $\rho $, this can be done by computing the inner product $\langle e^{(sk)} \circ (-1), \tilde{e} \rangle $ with a random $e^{({\mathrm{sk}})} \sim \mu _{{\mathrm{sk}}}$.

Attacks based on the approximate duality conjecture. For a pair of subsets $A,B \subseteq {\mathbb {F}}_2^m$ their duality measure is given by

$$\begin{aligned} D(A,B) = {\mathbb {E}}_{a\in A, b\in B}\left[ (-1)^{\langle {a,b}\rangle }\right] . \end{aligned}$$

(1)

Note that $D(A,B)=1$ implies that $\langle {a,b}\rangle $ is constant. The question is what can be said about the structure of A, B when D(A, B) is sufficiently large but strictly smaller than 1. The approximate duality conjecture of [8] (cf., also Conjecture 1.7.2 in [27]) postulates that in this case there exist large subsets $A' \subseteq A$, $B' \subseteq B$, of density at least $2^{-O(\sqrt{m})}$ inside A, B respectively, with $D(A',B')=1$.

We note that the bound of $2^{-O(\sqrt{m})}$ in the approximate duality conjecture is tight, and to see this take $A=B={\left( {\begin{array}{c}m\\ \sqrt{m}\end{array}}\right) }$ to be the set of vectors that have $\sqrt{m}$ ones. The birthday paradox shows that D(A, B) is a fixed positive constant, independent of m (in fact, taking vectors of weight $\alpha \sqrt{m}$ for $\alpha $ approaching 0 makes D(A, B) approach 1). But it can be verified that for any pair $A'\subset A$ and $B'\subset B$ satisfying $D(A',B')=1$, the size of one of the sets $A'$ or $B'$ is a $2^{-\sqrt{m}}$ fraction of |A|. Such a pair is obtained by taking $A'$ ($B'$ respectively) to contain all vectors supported on the first (last, respectively) m / 2 coordinates.

In [7] it was shown that assuming the well-known polynomial Freiman-Ruzsa conjecture from additive combinatorics (cf., [20]), the approximate duality conjecture holds when replacing the lower bound $2^{-O(\sqrt{m})}$ on the ratios $|A'|/|A|$ and $|B'|/B|$ with the weaker bound of $2^{-O( m/\log m)}$. Furthermore, in [28] a version of the approximate duality conjecture over the reals was shown to hold (unconditionally) with the stronger bound of $2^{-O( \sqrt{m})}$. The approximate duality conjecture has found so far various applications in complexity theory: To the construction of two-source extractors [8], to relating rank to communication complexity [7] and to lower bounds on matching vector codes [9].

We show that the approximate duality conjecture implies that in any instance of the abstract encryption scheme over the binary field one of the distributions $\mu _{{\mathrm{sk}}}, \mu _0$ or $\mu _1$ is sparse which by the above implies an attack on this instance. To see this suppose that $\varPi $ is an instance of the abstract encryption scheme over the binary field in which $\mu _{{\mathrm{sk}}} \circ (-1), \mu _0, \mu _1$ are distributed uniformly over subsets $A,B_0,B_1 \subseteq {\mathbb {F}}_2^{m+1}$ respectively. Then by correctness of the decryption algorithm we have that either $D(A,B_0) \ge 1 - \epsilon $ or $D(A,B_1) \le -(1-\epsilon )$ for some constant $\epsilon <1$. Without loss of generality assume that $D(A,B_0) \ge 1-\epsilon $ and note that in this case the approximate duality conjecture implies that there exist subsets $A' \subseteq A$, $B' \subseteq B_0$, of density at least $2^{-c\sqrt{m}}$ inside A, $B_0$ respectively, with $D(A',B')=1$. The latter implies in turn that $\dim ({\mathrm{span}}\left( A'\right) ) + \dim ({\mathrm{span}}\left( B'\right) ) \le m+2$. Consequently, we have that either $\dim ({\mathrm{span}}\left( A'\right) ) \le m +2 - n + 2 c\sqrt{m}$ in which case $A'$ is contained in the union of $2^{2c\sqrt{m}+1}$ affine subspaces of co-dimension n and so $\mu _{{\mathrm{sk}}} \circ (-1)$ is $(n,2^{2c\sqrt{m}+1}, 2^{- c \sqrt{m}})$-sparse or that $\dim ({\mathrm{span}}\left( B'\right) ) \le n - 2c \sqrt{m}$ in which case $\mu _0$ is $(m-n + 2c \sqrt{m}, 1, 2^{-c \sqrt{m}})$-sparse. This implies in turn an attack running in time $2^{O(\sqrt{m})}$ in the case in which the decryption error is $2^{-\varOmega (\sqrt{m})}$. Note that the attack is non-uniform since the attacker needs to know the subsets $A'$ and $B'$.

In order to show such an attack in the case in which $\mu _{{\mathrm{sk}}}, \mu _0, \mu _1$ are general distributions, not necessarily uniform over a subset, we prove that the standard formulation of the approximate duality conjecture implies a generalized version of it that holds also when the expectation in (1) is taken over arbitrary distributions. In order to handle larger decryption errors we apply the approximate duality conjecture iteratively to obtain $t=2^{O(\sqrt{m})}$ pairs of subsets $A_1,B_1, \ldots ,A_t,B_t$ such that $D(A_i,B_i)=1$ for all $1 \le i \le t$ and such that the probability of being contained in the union of $\varOmega (t)$ such subsets is $\varOmega (1-\epsilon )$. This implies that either $\mu _{{\mathrm{sk}}} \circ (-1)$ is $(n,2^{3c\sqrt{m}+1}, \varOmega (1-\epsilon ))$-sparse or $\mu _0$ is $(m-n + 2c \sqrt{m}, 2^{c \sqrt{m}}, \varOmega (1-\epsilon ))$-sparse which implies in turn an attack that runs in time $2^{O(\sqrt{m})}$ in the case in which the decryption error is a sufficiently small constant.

Finally, we note that if the approximate duality conjecture is false, then a counter example to this conjecture would be a pair of sets $A,B \subseteq {\mathbb {F}}_2^{m}$ such that D(A, B) is high but no large pair of subsets $A',B'$ of A, B respectively are dual. In this case, if we let $\varPi $ be a (possibly non-uniform) instance of the unified scheme in which $\mu _{{\mathrm{sk}}}, \mu _0,\mu _1$ are distributed uniformly over the sets $A, B\circ 0, B\circ 1$ respectively, then the fact that D(A, B) is high implies that the advantage of the decryption algorithm in $\varPi $ is high. On the other hand, the lack of linear structure in the above distributions makes them secure against our brute-force linear algebra attacks which could potentially make $\varPi $ secure against sub-exponential time attacks.

2.3 Perfectly Correct Decryption

Our last collection of results is concerned with the possibility of achieving perfectly correct decryption in the abstract encryption scheme over constant-size rings. As mentioned above, when the field size is polynomial in n, one can truncate the tail of the Gaussian noise distribution used in Regev’s original encryption scheme [40] to achieve a perfectly correct decryption. We investigate whether one can achieve perfect decryption also over constant-size rings.

Our first result in this regard is negative, showing that over the binary field any instance of the abstract encryption scheme with perfectly correct decryption can be attacked in time ${\mathrm{poly}}(m)$. On the positive side, we propose to use the construction of matching vector families from [14], which builds on the constructions of [16, 21], to obtain candidates for instances of the abstract encryption scheme over constant-size rings that achieve perfectly correct decryption but resist ${\mathrm{poly}}(m)$-time attacks.

It should be noted that Dwork et al. [15] provide a general method for eliminating decryption errors in public key encryption schemes. However, applying their method has a high toll on efficiency and it only guarantees perfectly correct decryption with high probability over the randomness of the key generation.

2.4 Open Problems

We end this section by highlighting several open problems for future research.

The approximate duality conjecture and its implications to public key encryption. This work presents a new connection between additive combinatorics and public key encryption by showing non-trivial attacks on any binary instance of an abstract public key encryption scheme that captures the schemes of Alekhnovich [3], Regev [40] and Gentry, Peikert and Vaikuntanathan [18], assuming the approximate duality conjecture from additive combinatorics. On the positive side, if the approximate duality conjecture is false then counter examples to this conjecture may lead to candidate binary instances of the abstract encryption scheme with improved security guarantees. This motivates further study of the connection between public key encryption from noisy codewords and additive combinatorics in general and the approximate duality conjecture in particular.

Extending to non-binary fields. Our unconditional results could be possibly extended to show an attack in time $q^{O(n/ \log n)}$ on any instance of the generalized encryption schemes over an arbitrary finite field ${\mathbb {F}}_q$, given an algorithm for agnostic learning of linear functions over ${\mathbb {F}}_q$. However, we are not aware of such an algorithm over non-binary fields and it seems that the results of [24] do not immediately apply in this setting. Our conditional results, on the other hand, do generalize to show an attack in time $q^{O(\sqrt{n})}$ on any instance of the generalized encryption schemes over an arbitrary constant-size field ${\mathbb {F}}_q$ assuming a variant of the approximate duality conjecture over such fields (see e.g. Conjecture 1.7.2 in [27]).

Perfectly correct decryption. We have shown that, over the binary field, our general framework cannot be instantiated to yield an encryption scheme with perfect decryption. We proposed a plausible approach for obtaining perfect decryption over constant-size rings by using matching vectors. The security of this construction, as well as the possibility of obtaining perfect security over constant-size fields, remain to be further studied.

2.5 Paper Organization

Some of the material is omitted due to space limitations but can be found in the full version of this paper [6]. In Sect. 3 we fix some notation and terminology, and in Sect. 4 we formally define the abstract encryption scheme we study. In Sect. 5 we present our unconditional attack, running in time $2^{O(n/\log n)}$, on the abstract encryption scheme over the binary field and consequences of this attack to learning. In Sect. 6 we present combinatorial properties of the distributions $\mu _{{\mathrm{sk}}}$, $\mu _0$ and $\mu _1$ that imply an attack on the abstract encryption scheme over the binary field. In Sect. 7 we show that these latter properties are satisfied assuming the approximate duality conjecture which implies an attack on the abstract encryption scheme over the binary field running in time $2^{O(\sqrt{m})}$.

3 Preliminaries

We start with fixing some notation. For a prime power q let ${\mathbb {F}}_q$ denote the finite field with q elements. All operations below are performed over ${\mathbb {F}}_q$ and all vectors are assumed to be column vectors unless otherwise stated. For integers $m \ge n$ let $\mathcal {M}^*_{m \times n}(q)$ denote the set of all $m \times n$ full rank matrices over ${\mathbb {F}}_q$. For an integer m let $P_m: {\mathbb {F}}_q^{m+1} \rightarrow {\mathbb {F}}_q^m$ denote the projection on the first m coordinates. Let $0_m,1_m$ denote the all-zeros and all-ones vectors of length m, respectively. For a pair of vectors u, v let $u \circ v$ denote their concatenation.

Let $\mu $ be a distribution over ${\mathbb {F}}_q^m$. For an element $a \in {\mathbb {F}}_q^m$ let ${\mathrm{Pr}}_{\mu }(a)= {\mathrm{Pr}}_{e \sim \mu } [e = a]$. The support ${\mathrm{supp}}(\mu )$ of $\mu $ is the set containing all elements $a \in {\mathbb {F}}_q^m$ for which ${\mathrm{Pr}}_{\mu }(a)>0$. For a subset $A \subseteq {\mathbb {F}}_q^m$ we let ${\mathrm{Pr}}_{\mu }(A) ={\mathrm{Pr}}_{e \sim \mu } [e \in A]$ and we denote by $\mu |A$ the distribution $\mu $ conditioned on the event that $e \in A$. For a pair of distributions $\mu , \mu '$ over ${\mathbb {F}}_q^m$ we denote by $\langle \mu ,\mu '\rangle $ the distribution of $\langle e, e' \rangle $ where $e \sim \mu $ and $e' \sim \mu '$ independently. Finally, we write that $a \in _R A$ if a is chosen uniformly at random from the set A.

3.1 Public Key Encryption

A public key encryption scheme $\varPi $ consists of three randomized polynomial time algorithms: the key generation algorithm Gen, the encryption algorithm Enc and the decryption algorithm Dec, which satisfy:

1.
The key generation algorithm ${\mathrm{Gen}} $ takes as input the security parameter $1^n$ and outputs a pair of keys $({\mathrm{sk}},{\mathrm{pk}})$ where ${\mathrm{sk}} $ is the private key and ${\mathrm{pk}} $ is the public key. We write this as $({\mathrm{sk}}, {\mathrm{pk}}) \leftarrow {\mathrm{Gen}} (1^n)$.
2.
The encryption algorithm ${\mathrm{Enc}} $ takes as input a public key pk and a message bit $\sigma \in \left\{ {0,1}\right\} $ and outputs a ciphertext c. We write this as $c \leftarrow {\mathrm{Enc}} _{{\mathrm{pk}}}(\sigma )$.
3.
The decryption algorithm ${\mathrm{Dec}} $ takes as input a private key sk and a ciphertext c and outputs a bit $\sigma ' \in \left\{ {0,1}\right\} $. We assume without loss of generality that ${\mathrm{Dec}} $ is deterministic and write this as $\sigma ' := {\mathrm{Dec}} _{{\mathrm{sk}}}(c)$.

The advantage of the decryption algorithm is given by

$$\begin{aligned} {\mathrm{Adv}}^{{\mathrm{Dec}}}(n) = \Pr [ {\mathrm{Dec}} _{{\mathrm{sk}}}({\mathrm{Enc}} _{{\mathrm{pk}}}(1)) =1] - \Pr [ {\mathrm{Dec}} _{{\mathrm{sk}}}({\mathrm{Enc}} _{{\mathrm{pk}}}(0))=1], \end{aligned}$$

(2)

where the probabilities in (2) are taken over the internal coin tosses of the algorithms ${\mathrm{Gen}} $ and $ {\mathrm{Enc}} $. We say that the decryption algorithm is perfectly correct if $ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n)=1$.

A typical choice of parameters in public key encryption schemes is that $ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n)= 1 - \eta (n)$ for $\eta (n)$ which is a negligible function in n. However, in the case where $ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n)$ is a fixed constant one can achieve ($1-\eta (n)$)-advantage in the decryption process by repeating the key generation and encryption processes ${\mathrm{polylog}}(n)$ times. In this work we are interested in negative results and our unconditional results hold even when $ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n)$ is negligible in n. Our conditional results, on the other hand, hold only if a single encryption (without repetitions) achieves advantage $ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n) = 1- \epsilon $ where $\epsilon >0$ is a sufficiently small constant.

A (uniform) attack $\mathcal {A} $ on a public key encryption scheme $\varPi $ is a randomized algorithm that takes as input a public key pk and a ciphertext c and outputs a bit $\sigma ' \in \left\{ {0,1}\right\} $ and we write this as $\sigma ' \leftarrow \mathcal {A} ({\mathrm{pk}}, c)$. The advantage of the attack $\mathcal {A} $ is given by

$$\begin{aligned} {\mathrm{Adv}}^{\mathcal {A}}(n) = \Pr [\mathcal {A} ({\mathrm{pk}},{\mathrm{Enc}} _{{\mathrm{pk}}}(1))=1 ] - \Pr [ \mathcal {A} ({\mathrm{pk}},{\mathrm{Enc}} _{{\mathrm{pk}}}(0)) = 1], \end{aligned}$$

(3)

where the probabilities in (3) are taken over the internal coin tosses of the algorithms ${\mathrm{Gen}} $ and ${\mathrm{Enc}} $ as well as the attack $\mathcal {A} $. A non-uniform attack $\mathcal {A} $ is defined similarly to the above except that it is modeled as a non-uniform Boolean circuit and we say that it has running time t(n) if the associated circuit family has size t(n).

4 Unified Encryption Scheme

In what follows we present the formal definition of the abstract encryption scheme ${\varPi _{\mathrm{Alek}}} $, ${\varPi _{\mathrm{Reg}}} $ and ${\varPi _{\mathrm{GPV}}} $ and show their equivalence.

General Parameters: Integers $m>n$, field ${\mathbb {F}}_q$ (q may depend on n), efficiently samplable distribution $\mu _{{\mathrm{sk}}}$ over ${\mathbb {F}}_q^m$, a pair of efficiently samplable distributions $\mu _0, \mu _1$ over ${\mathbb {F}}_q^{m+1}$, efficiently computable decryption function $g: {\mathbb {F}}_q \rightarrow \left\{ {0,1}\right\} $.

${\varPi _{\mathrm{Alek}}} $ scheme:

Private key: Choose a random vector $e \in {\mathbb {F}}_q^m$ according to the distribution $\mu _{{\mathrm{sk}}}$. The private key is e.
Public key: Choose a uniform random matrix $G \in \mathcal {M}^*_{m \times n}(q)$ and a uniform random vector $w \in {\mathrm{Image}}(G)$ and let $b=w+e$. The public key is $\tilde{G}=\left( \begin{array}{cc} G &{} b\\ 0_{n}^{T} &{} -1 \end{array}\right) .$
Encryption: In order to encrypt a bit $\sigma \in \left\{ {0,1}\right\} $ choose a random vector $\tilde{e} \in {\mathbb {F}}_q^{m+1}$ according to the distribution $\mu _\sigma $ and a uniform random vector $\tilde{w} \in \ker (\tilde{G}^T)$. The encryption of $\sigma $ is $\tilde{w}+\tilde{e}$.
Decryption: The decryption of a vector $c \in {\mathbb {F}}_q^{m+1}$ is $g(\langle e \circ (-1), c \rangle )$.

${\varPi _{\mathrm{Reg}}} $ scheme:

Private key: Choose a random vector $e \in {\mathbb {F}}_q^m$ according to the distribution $\mu _{{\mathrm{sk}}}$. The private key is e.
Public key: Choose a uniform random matrix $G \in \mathcal {M}^*_{m \times n}(q)$ and a uniform random $w \in {\mathrm{Image}}(G)$ and let $b = w+e$. The public key is $\tilde{G}=\left( \begin{array}{cc} G &{} b\\ 0_{n}^{T} &{} -1 \end{array}\right) .$
Encryption: In order to encrypt a bit $\sigma \in \left\{ {0,1}\right\} $ choose a random vector $\tilde{e} \in {\mathbb {F}}_q^{m+1}$ according to the distribution $\mu _\sigma $. The encryption of $\sigma $ is $\tilde{G}^T \cdot \tilde{e}$.
Decryption: The decryption of a vector $c \in {\mathbb {F}}_q^{n+1}$ is $g( -\langle x \circ (-1), c \rangle )$ where $x \in {\mathbb {F}}_q^n$ is such that $b = Gx+e$.

${\varPi _{\mathrm{GPV}}} $ scheme:

Private key: Choose a random vector $e \in {\mathbb {F}}_q^m$ according to the distribution $\mu _{{\mathrm{sk}}}$. The private key is e.
Public key: Choose a uniform random matrix $H \in \mathcal {M}^*_{m \times (m-n)}(q)$ and let $u=H^T \cdot e$. The public key is $\tilde{H}=\left( \begin{array}{c} H \\ u^T \end{array}\right) .$
Encryption: In order to encrypt a bit $\sigma \in \left\{ {0,1}\right\} $ choose a random vector $\tilde{e} \in {\mathbb {F}}_q^{m+1}$ according to the distribution $\mu _\sigma $ and a uniform random vector $\tilde{w} \in {\mathrm{Image}}(\tilde{H})$. The encryption of $\sigma $ is $\tilde{w}+\tilde{e}$.
Decryption: The decryption of a vector $c \in {\mathbb {F}}_q^{m+1}$ is $g(\langle e \circ (-1), c \rangle )$.

A straightforward computation gives the following.

Claim 1

(Advantage of Decryption). For every $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}}, {\varPi _{\mathrm{Reg}}}, {\varPi _{\mathrm{GPV}}}}}\right\} $,

$$ {\mathrm{Adv}}^{{\mathrm{Dec}}}(n) = \Pr [g (\langle \mu _{{\mathrm{sk}}} \circ (-1), \mu _1 \rangle ) = 1] - \Pr [g (\langle \mu _{{\mathrm{sk}}} \circ (-1), \mu _0 \rangle ) = 1] .$$

The following claim shows that for an identical setting of parameters all the abstract encryption schemes defined above are equivalent in terms of security. For an encryption scheme $\varPi $ and a bit $\sigma \in \left\{ {0,1}\right\} $ let $({\mathrm{pk}} ^{\varPi }, {\mathrm{Enc}} ^{\varPi }_{{\mathrm{pk}}}(\sigma ))$ denote the joint distribution of the public key and the encryption of the bit $\sigma $ using this public key in $\varPi $.

Claim 2

(Equivalence of Abstract Encryption Schemes). For every pair of encryption schemes $\varPi ,\varPi ' \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ there exists a randomized mapping $\varphi _{\varPi \rightarrow \varPi '}$, computable in time ${\mathrm{poly}}(m,q)$, such that for every bit $\sigma \in \left\{ {0,1}\right\} $ the distributions $\varphi _{\varPi \rightarrow \varPi '}({\mathrm{pk}} ^{\varPi },{\mathrm{Enc}} ^{\varPi }_{{\mathrm{pk}}}(\sigma ))$ and $({\mathrm{pk}} ^{\varPi '},{\mathrm{Enc}} ^{\varPi '}_{{\mathrm{pk}}}(\sigma ))$ are identical.

5 Unconditional Attack

In this section we show an unconditional simple attack running in time $2^{O(n/ \log n)}$ on any instance of the abstract encryption scheme over the binary field. The attack is based on the following algorithm for agnostic learning of parities (The theorem below is given as Theorem 2 in [24] for the special case in which $a = \log n /1000$, $b = n/a$, $\epsilon = 2^{-n^{0.99}}$ and the success probability is 0.99. The general parameters can be deduced from the proof of this theorem.)

Theorem 1

(Agnostic Learning of Parities, [24]). For any integers a, b such that $a b \ge n$ and for any $\epsilon >0$ there exists a randomized algorithm running in time ${\mathrm{poly}}\big ( \epsilon ^{-2^a}, 2^b \big )$ which satisfies the following guarantees for every distribution D over $(x,y) \in {\mathbb {F}}_2^n \times {\mathbb {F}}_2$. With probability at least $1 - \exp (-n)$, given ${\mathrm{poly}}\big ( \epsilon ^{-2^a}, 2^b \big )$ independent random samples from D, the algorithm outputs a circuit computing $h: {\mathbb {F}}_2^n \rightarrow {\mathbb {F}}_2$ such that

$$ {\mathrm{Pr}}_{(x,y) \sim D}[h(x) \ne y] \le \min _{s \in {\mathbb {F}}_2^n} {\mathrm{Pr}}_{(x,y) \sim D}[\langle x,s \rangle \ne y] + \epsilon .$$

Our main result in this section is the following.

Theorem 2

Let $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ be with $q=2$ and ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge \epsilon $. Then for any integers a, b such that $a b \ge n$ and for any $\gamma >0$ there exists a (uniform) attack $\mathcal {A} _{\mathrm{agnost}}$ $\varPi $ running in time ${\mathrm{poly}}\big ( \gamma ^{-2^a}, 2^b, m \big )$ with ${\mathrm{Adv}}^{\mathcal {A} _{\mathrm{agnost}}}(n) \ge \epsilon - \gamma - \exp (-n)$.

By setting $a = \log n /1000$, $b = n/a$ and $\gamma = 2^{-n^{0.99}}$ in the above theorem we obtain the following corollary.

Corollary 1

Let $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ be with $q=2$ and ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge \epsilon $. Then there exists a (uniform) attack $\mathcal {A} _{\mathrm{agnost}}$ on $\varPi $ running in time ${\mathrm{poly}}(2^{n/\log n},m)$ with ${\mathrm{Adv}}^{\mathcal {A} _{\mathrm{agnost}}}(n) \ge \epsilon -2^{-n^{0.99}} - \exp (-n)$,

Proof

(Proof of Theorem 2 ). By Claim 2 it suffices to prove the theorem for $\varPi = {\varPi _{\mathrm{Reg}}} $ and without loss of generality we may assume that the decryption function g is the identity function over ${\mathbb {F}}_2$. Let D be the distribution over $(x,y) \in {\mathbb {F}}_2^n \times {\mathbb {F}}_2$ where $x = G^T \cdot P_m(e')$ and $y = \langle b \circ (-1) , e' \rangle - \xi $ for $\xi \in _R \left\{ {0,1}\right\} $ and $e' \sim \mu _\xi $. Note that D can be generated efficiently using the public key $\tilde{G}$. The attack $\mathcal {A} _{\mathrm{agnost}}$ runs the algorithm guaranteed by Theorem 1 with the parameters a, b and $\gamma /2$ on the distribution D and outputs $ c_{n+1} - h(P_n(c))$. By Theorem 1 we clearly have that the attack runs in time ${\mathrm{poly}}\big ( \gamma ^{-2^a}, 2^b,m \big )$. It remains to analyze the advantage of the attack in guessing the message bit $\sigma $.

For a vector $y \in {\mathbb {F}}_2^m$ let

$$ \epsilon (y) := {\mathrm{Pr}}[\langle y \circ (-1), \mu _1 \rangle = 1] - {\mathrm{Pr}}[\langle y \circ (-1), \mu _0 \rangle =1 ],$$

and note that by Claim 1 we have that ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) = {\mathbb {E}}[\epsilon (\mu _{{\mathrm{sk}}})]$. Let $s \in {\mathbb {F}}_2^n$ be such that $w = Gs$. Then we have that

$$\begin{aligned}&{\mathrm{Pr}}_{(x,y) \sim D}[\langle x,s \rangle \ne y] \\&\quad = \frac{1}{2} \cdot {\mathrm{Pr}}\big [\langle G^T \cdot P_m(\mu _1),s \rangle = \langle b \circ (-1) , \mu _1 \rangle \big ]\\&\qquad + \frac{1}{2} \cdot {\mathrm{Pr}}\big [\langle G^T \cdot P_m(\mu _0),s \rangle = 1+ \langle b \circ (-1) , \mu _0 \rangle \big ] \\&\quad = \frac{1}{2} \cdot {\mathrm{Pr}}\big [\langle P_m(\mu _1), Gs\rangle = \langle b \circ (-1), \mu _1 \rangle \big ] + \frac{1}{2} \cdot {\mathrm{Pr}}\big [\langle P_m(\mu _0), Gs\rangle = 1+ \langle b \circ (-1), \mu _0 \rangle \big ] \\&\quad =\frac{1}{2} \cdot {\mathrm{Pr}}[\langle \mu _1, (b- w) \circ (-1) \rangle =0] + \frac{1}{2} \cdot {\mathrm{Pr}}[\langle \mu _0, (b- w) \circ (-1) \rangle =1 ]\\&\quad = \frac{1}{2} \cdot {\mathrm{Pr}}[\langle \mu _1, e \circ (-1) \rangle =0] + \frac{1}{2} \cdot {\mathrm{Pr}}[\langle \mu _0, e\circ (-1) \rangle =1 ]\\&\quad = \frac{1}{2} - \frac{1}{2} \cdot \bigg ( {\mathrm{Pr}}[\langle \mu _1, e \circ (-1) \rangle = 1] - {\mathrm{Pr}}[\langle \mu _0, e \circ (-1) \rangle =1 ] \bigg )\\&\quad = \frac{1- \epsilon (e)}{2}. \end{aligned}$$

Consequently, with probability at least $1 - \exp (-n)$, the circuit h satisfies

$$ {\mathrm{Pr}}_{(x,y)\sim D}[h(x) \ne y] \le \frac{1- \epsilon (e)}{2}+ \frac{\gamma }{2}= \frac{1- (\epsilon (e) - \gamma )}{2}.$$

Suppose that c is an encryption of a bit $\sigma \in \left\{ {0,1}\right\} $. Conditioned on the above, we have that

$$\begin{aligned}&\Pr [c_{n+1} - h(P_n(c)) = 1 \mid \sigma =1] - \Pr [c_{n+1} - h(P_n(c)) =1 \mid \sigma =0] \\&\quad =\Pr \big [\langle b \circ (-1), \mu _1 \rangle - h(G^T \cdot P_m(\mu _1)) = 1 \big ]\\&\qquad - \Pr \big [\langle b \circ (-1), \mu _0 \rangle - h(G^T \cdot P_m(\mu _0)) = 1\big ] \\&\quad = 1- \Pr \big [h(G^T \cdot P_m(\mu _1)) \ne 1+ \langle b \circ (-1), \mu _1 \rangle \big ]\\&\qquad - \Pr \big [h(G^T \cdot P_m(\mu _0)) \ne \langle b \circ (-1), \mu _0 \rangle \big ] \\&\quad = 1- 2{\mathrm{Pr}}_{(x,y) \sim D} [h(x) \ne y] \\&\quad \ge \epsilon (e) - \gamma . \end{aligned}$$

Averaging over all $e \sim \mu _{{\mathrm{sk}}}$ we obtain that the advantage of the attack is at least

$${\mathbb {E}}[\epsilon (\mu _{{\mathrm{sk}}})] - \gamma - \exp (-n) = {\mathrm{Adv}}^{{\mathrm{Dec}}}(n) - \gamma - \exp (-n) \ge \epsilon -\gamma - \exp (-n).$$

6 Attacks Based on Combinatorial Properties of $\mu _{{\mathrm{sk}}}, \mu _0, \mu _1$

In Sects. 6.1 and 6.2 we present combinatorial properties of the distribution $\mu _{\mathrm{sk}} $ and the pair of distributions $\mu _0,\mu _1$, respectively, that imply an attack on the abstract encryption scheme over the binary field. In Sect. 7 we shall show that assuming the approximate duality conjecture at least one of the distributions $\mu _{{\mathrm{sk}}}$, $\mu _0$ or $\mu _1$ satisfies these combinatorial properties. This will imply in turn an attack on the abstract encryption scheme over the binary field assuming the approximate duality conjecture.

The main combinatorial property we shall utilize for the attacks is sparsity, defined as follows.

Definition 1

( $(n,k,\rho )$ -Sparse Distribution). Suppose that $\mu $ is a distribution over ${\mathbb {F}}_2^m$ for $m \ge n$. We say that $\mu $ is $(n,k,\rho )$ -sparse if there exist k subsets $A_1,\ldots ,A_k \subseteq {\mathbb {F}}_2^m$ and k full rank linear transformations $L_1,\ldots ,L_k: {\mathbb {F}}_2^m \rightarrow {\mathbb {F}}_2^n$ such that $\Pr _{\mu } \big (\bigcup _{i=1}^k A_i \big ) \ge \rho $ and $L_i(A_i)$ is constant for every $i \in [k]$.

Note that $A_1, \ldots , A_k$ and $L_1, \ldots , L_k$ in the definition above are not required to be distinct. At a high level, asumming that one of the noise distributions $\mu _{\mathrm{sk}} $, $\mu _0$ or $\mu _1$ is sparse one can ’guess’ the noise vector used in the key generation process (in the case in which $\mu _{{\mathrm{sk}}}$ is sparse) or in the encryption process (in the case in which $\mu _0$ or $\mu _1$ are sparse) by enumerating over all $i \in [k]$ and solving a corresponding system of linear equations.

6.1 Attack Based on Combinatorial Properties of $\mu _{{\mathrm{sk}}}$

Lemma 1

(Attack Based on Combinatorial Properties of $\mu _{{\mathrm{sk}}}$ ). Let $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ be with $q=2$ and ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1 - \epsilon $ and suppose that the distribution $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse. Then there exists a non-uniform attack $\mathcal {A} _{{\mathrm{sk}}}$ on $\varPi $ running in time $(k/\epsilon ) \cdot {\mathrm{poly}}(m)$ with $ {\mathrm{Adv}}^{\mathcal {A} _{{\mathrm{sk}}}}(n) \ge (\rho - 4\sqrt{\epsilon })/10$.

Proof

By Claim 2 it suffices to prove the lemma for $\varPi ={\varPi _{\mathrm{Alek}}} $ and without loss of generality we may assume that g is the identity function over ${\mathbb {F}}_2$. Since $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse there exist k subsets $A_1,\ldots ,A_k \subseteq {\mathbb {F}}_2^m$ and k full rank linear transformations $L_1,\ldots ,L_k: {\mathbb {F}}_2^m \rightarrow {\mathbb {F}}_2^n$ such that $\Pr _{\mu _{{\mathrm{sk}}}} \big (\bigcup _{i=1}^k A_i \big ) \ge \rho $ and $L_i(A_i)$ is constant for every $i \in [k]$.

Our main observation is that if $e'$ satisfies that $b= w' + e'$ for some $w' \in {\mathrm{Image}}(G)$ and in addition

$$\begin{aligned} \Pr [\langle e' \circ (-1), \mu _1 \rangle = 1] - \Pr [\langle e' \circ (-1), \mu _0 \rangle = 1] \ge 1 - \epsilon ' \end{aligned}$$

(4)

then decrypting the ciphertext using $e'$ as the private key achieves advantage $1-\epsilon '$. We search for $e'$ that satisfies the above by enumerating over all $i \in [k]$ and solving a corresponding system of linear equations and we test whether $e'$ satisfies (4) via sampling.

Fix $y \in {\mathbb {F}}_2^m$. By the Hoeffding bound for sampling if we draw $\ell = m / (\sqrt{\epsilon }/2)^2$ independent random samples $e^{(0)}_1,\ldots , e^{(0)}_{\ell } \sim \mu _0$ and $\ell $ independent random samples $ e^{(1)}_1,\ldots , e^{(1)}_{\ell } \sim \mu _1$ then

$$\begin{aligned}&\bigg | \bigg ( \Pr [\langle y \circ (-1), \mu _1 \rangle = 1] - \Pr [\langle y \circ (-1), \mu _0 \rangle = 1] \bigg ) \\&\;\;\;\;\;\; - \bigg ( \Pr _{j \in [\ell ]}[\langle y \circ (-1), e_j^{(1)} \rangle = 1] - \Pr _{j \in [\ell ]}[\langle y \circ (-1), e_j^{(0)} \rangle = 1] \bigg ) \bigg | \le \sqrt{\epsilon } \nonumber \end{aligned}$$

(5)

with probability at least $1 - 4\cdot 2^{-2m}$. By union bound this implies in turn that (5) holds for every $y \in {\mathbb {F}}_2^m$ with probability at least $1 - 4 \cdot 2^{-m}$. In particular, there exist $\ell $ vectors $e^{(0)}_1,\ldots , e^{(0)}_{\ell } \in {\mathrm{supp}}(\mu _0)$ and $\ell $ vectors $ e^{(1)}_1,\ldots , e^{(1)}_{\ell } \in {\mathrm{supp}}(\mu _1)$ for which (5) holds for every $y \in {\mathbb {F}}_2^m$.

Inspection reveals that the attack above can be implemented using a non-uniform circuit of size $(k/\epsilon ) \cdot {\mathrm{poly}}(m)$. Next we analyze the advantage of the attack in guessing the message bit $\sigma $. We will show that with probability at least $ (\rho - \sqrt{\epsilon })/10 $ the attack finds $e' $ which satisfies (6) and that in this case the advantage of guessing the correct message bit is at least $1 -3\sqrt{\epsilon }$. This will imply in turn that $ {\mathrm{Adv}}^{\mathcal {A} _{{\mathrm{sk}}}}(n) \ge (\rho - 4\sqrt{\epsilon })/10$.

We start by showing a lower bound on the probability that the attack finds $e'$ which satisfies (6). Since ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1- \epsilon $ by Claim 1, together with a standard probabilistic argument, we have that e satisfies

$$ \Pr [\langle e \circ (-1), \mu _1 \rangle = 1] - \Pr [\langle e \circ (-1), \mu _0 \rangle = 1] \ge 1 - \sqrt{\epsilon } $$

with probability at least $1 - \sqrt{\epsilon }$. By (5) this implies in turn that e satisfies (6) with probability at least $1 - \sqrt{\epsilon }$. Furthermore, since $\mu _{{\mathrm{sk}}}$ is $(n,k,\rho )$-sparse with probability at least $\rho $ we have that $e \in \bigcup _{i=1}^k A_i$. So with probability at least $\rho - \sqrt{\epsilon }$ we have that e satisfies (6) and in addition $e \in A_i$ for some $i \in [k]$. Finally, the matrix $L_i G$ is non-singular with probability at least 1 / 10 (say), independently of the above.

Conditioned on all the above, in the i-th iteration we have that

$$\begin{aligned} e' = b - G x' = b - G \cdot (L_i G)^{-1} (L_i b- L_i(A_i)) = b - G \cdot (L_i G)^{-1} \cdot (L_i b- L_ie) = e. \end{aligned}$$

Consequently we have that the attack finds $e'$ which satisfies (6) with probability at least $(\rho - \sqrt{\epsilon })/10$.

Next we show that if the attack finds $e' $ which satisfies (6) then the advantage of guessing the correct message bit using $e'$ is high. Since $e' = b-Gx' $ we have that

$$\begin{aligned} \langle e' \circ (-1), c \rangle= & {} \langle (b-Gx' ) \circ (-1), \tilde{w} \rangle + \langle (b-Gx' ) \circ (-1), \tilde{e} \rangle \\= & {} \langle b \circ (-1), \tilde{w} \rangle - \langle x', G^T \cdot P_m(\tilde{w}) \rangle + \langle (b-Gx' ) \circ (-1), \tilde{e} \rangle \\= & {} 0 - 0 + \langle e' \circ (-1), \tilde{e} \rangle \\= & {} \langle e' \circ (-1), \tilde{e} \rangle . \end{aligned}$$

Furthermore, since $e'$ satisfies (6), by (5) we have that

$$ \Pr [\langle e' \circ (-1), \mu _1 \rangle = 1] - \Pr [\langle e' \circ (-1), \mu _0 \rangle = 1] \ge 1 -3\sqrt{\epsilon }, $$

so the advantage of the attack in this case is $1 - 3\sqrt{\epsilon }$.

6.2 Attack Based on Combinatorial Properties of $\mu _0,\mu _1$

Lemma 2

(Attack Based on Combinatorial Properties of $\mu _0,\mu _1$ ). Let $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ be with $q=2$ and ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1- \epsilon $ and suppose that there exists $\xi \in \left\{ {0,1}\right\} $ such that the distribution $\mu _{\xi }$ is $(m+1-n+r,k,\rho )$-sparse. Then there exists a non-uniform attack $\mathcal {A} _{\xi }$ on $\varPi $ running in time $k \cdot {\mathrm{poly}}(m)$ with $ {\mathrm{Adv}}^{\mathcal {A} _{\xi }}(n) \ge \rho /2 - \epsilon - 2k 2^{-r}.$

Proof

By Claim 2 it suffices to prove the lemma for $\varPi ={\varPi _{\mathrm{GPV}}} $ and by symmetry we may further assume that $\xi =0$. Without loss of generality we may assume that g is the identity function over ${\mathbb {F}}_2$. Since $\mu _0$ is $(m+1-n+r,k,\rho )$-sparse there exist k subsets $A_1,\ldots ,A_{k} \subseteq {\mathbb {F}}_2^{m+1}$ and k full rank linear transformations $L_1,\ldots ,L_{k}: {\mathbb {F}}_2^{m+1} \rightarrow {\mathbb {F}}_2^{m+1-n+r}$ such that $\Pr _{\mu _{0}} \big (\bigcup _{i=1}^{k} A_{i} \big ) \ge \rho $ and $L_i(A_i)$ is constant for every $i \in [k]$. For every $i \in [k]$ let $ V_i=\left\{ {v \in {\mathbb {F}}_2^{m+1} \mid L_i(v)= L_i(A_i) }\right\} $ and let $S = \bigcup _{i=1}^k V_i$ . Since ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1- \epsilon $, by averaging there exists $e^{({\mathrm{sk}})} \in {\mathrm{supp}}(\mu _{{\mathrm{sk}}})$ such that

$$ \Pr [\langle e^{({\mathrm{sk}})} \circ (-1), \mu _1 \rangle = 1] - \Pr [\langle e^{({\mathrm{sk}})} \circ (-1), \mu _0 \rangle = 1] \ge 1 -\epsilon . $$

Our main observation is that since S is not too large, with high probability over the choice of the matrix $\tilde{H}$, there is no $e' \in S \setminus \left\{ {\tilde{e}}\right\} $ such that $c = \tilde{H} x' +e'$ for some $x' \in {\mathbb {F}}_2^{m-n}$. This implies in turn that by enumerating over all $i \in [k]$ and solving a corresponding system of linear equations, with high probability one can verify whether $\tilde{e} \in S$ and if this is the case one can also find $\tilde{e}$. It thus suffices to be able to distinguish between $\tilde{e} \sim \mu _0$ and $\tilde{e} \sim \mu _1$, conditioned on the event that $\tilde{e} \in S$. Assuming that $\epsilon $ is sufficiently small compared to $\rho $, this can be done by computing the inner product $\langle e^{(sk)} \circ (-1), \tilde{e} \rangle $.

Inspection reveals that the attack above can be implemented using a non-uniform circuit of size $k \cdot {\mathrm{poly}}(m)$. Next we analyze the advantage of the attack in guessing the message bit $\sigma $.

We say that $\tilde{H}$ is S -good for $\tilde{e}$ if there is no $z \in S \setminus \left\{ {\tilde{e}}\right\} $ such that $z - \tilde{e} \in {\mathrm{Image}}(\tilde{H})$. We will show that for every $\tilde{e}$ the probability that $\tilde{H}$ is S-good for $\tilde{e}$ is at least $1 - k \cdot 2^{-r}$. Consequently, for every $\tilde{e}$ there exists a collection $\mathcal {H}_{\tilde{e}}$ of S-good matrices for $\tilde{e}$ such that ${\mathrm{Pr}}[\tilde{H} \in \mathcal {H}_{\tilde{e}}] = 1 - k \cdot 2^{-r}$. We will then show that conditioned on the event that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$ the attack outputs 0 with probability at least $(1+\rho - \epsilon )/2$ when c is an encryption of 0 and it outputs 1 with probability at least $(1-\epsilon )/2$ when c is an encryption of 1. This will imply in turn that the advantage of the attack is at least $(1- k 2^{-r}) (\rho /2 - \epsilon ) - k2^{-r} \ge \rho /2 - \epsilon - 2 k 2^{-r}$.

We start by showing that for every $\tilde{e}$ the probability that $\tilde{H}$ is S-good for $\tilde{e}$ is at least $1 - k \cdot 2^{-r}$. For this note that for every $i \in [k]$ the subspace $V_i$ has co-dimension $m+1 -n +r$ and hence $|V_i| = 2^{n-r}$ and consequently $|S| \le k 2^{n-r}$. Thus by union bound it suffices to show that for every $ z \in S\setminus \left\{ {\tilde{e}}\right\} $ it holds that $z- \tilde{e} \in {\mathrm{Image}}(\tilde{H})$ with probability at most $2^{-n}$. To see this fix $ z \in S\setminus \left\{ {\tilde{e}}\right\} $ and suppose that $z- \tilde{e} \in {\mathrm{Image}}(\tilde{H})$. Since $\tilde{H} = \left( \begin{array}{c} H \\ u^T \end{array}\right) $ this implies in turn that $P_m(z - \tilde{e}) \in {\mathrm{Image}}(H)$. Furthermore, since $z-\tilde{e} \ne 0$ and H is full rank we also have that $P_m(z - \tilde{e}) \ne 0$. So we obtained that $P_m(z - \tilde{e})$ is a non-zero point contained in ${\mathrm{Image}}(H)$, a uniform random ($m-n$)-dimensional space, which happens with probability at most $2^{-n}$.

Next we show a lower bound on the probability that the attack outputs 0 when c is an encryption of 0, conditioned on the event that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$. Since the event $\tilde{H} \in \mathcal {H}_{\tilde{e}}$ is independent of the choice of $\tilde{e}$, by union bound we have that the events $\tilde{e} \in \bigcup _{i=1}^kA_i$ and $\langle e^{({\mathrm{sk}})} \circ (-1), \tilde{e} \rangle = 0$ hold simultaneously with probability at least $\rho -\epsilon $. We will show that if these two events hold then the attack outputs 0. This will imply in turn that in the case in which c is an encryption of 0, conditioned on the event that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$, the attack outputs 0 with probability at least $\rho - \epsilon $ and it outputs a random bit otherwise. So it outputs 0 in this case with probability at least $(1+ \rho - \epsilon )/2$.

Suppose that $\tilde{e} \in \bigcup _{i=1}^kA_i$ and $\langle e^{({\mathrm{sk}})} \circ (-1), \tilde{e} \rangle = 0$. Then in this case we have that

$$L_i c= L_i \tilde{w} + L_i \tilde{e} = L_i \tilde{H} \tilde{x} + L_i(A_i),$$

where $i \in [k]$ is such that $\tilde{e} \in A_i$ and $\tilde{x}$ is such that $\tilde{w} = \tilde{H} \tilde{x}$. Consequently, the attack will find a solution for (7). Furthermore, we claim that if the attack finds a solution $x'$ to (7) for some $j \in [k]$ then $e' = c - \tilde{H x}' = \tilde{e}$. To see this note that $L_j e' = L_jc - L_j \tilde{H x'} = L_j (A_j)$ and therefore $e' \in S$. Furthermore, we have that $e' - \tilde{e} = (c- \tilde{H x'}) - (c- \tilde{H} \tilde{x}) = \tilde{H}(\tilde{x} - \tilde{x'})$ and so $e' - \tilde{e} \in {\mathrm{Image}}(\tilde{H})$. But due to our assumption that $\tilde{H}$ is S-good for $\tilde{e}$ this implies in turn that $\tilde{e} = e'$. So we have that $\tilde{e} = e'$ and due to our assumption that $\langle e^{({\mathrm{sk}})} \circ (-1), \tilde{e} \rangle = 0$ this implies in turn that the attack will output 0.

Finally, we show a lower bound on the probability that the attack outputs 1 when c is an encryption of 1, conditioned on the event that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$. Since the event $\tilde{H} \in \mathcal {H}_{\tilde{e}}$ is independent of the choice of $\tilde{e}$, we have that $\langle e^{({\mathrm{sk}})} \circ (-1), \tilde{e} \rangle =1$ with probability at least $1-\epsilon $. Suppose that this latter event holds. If there is no solution for (7) for every $j \in [k]$ the attack outputs a random bit. Otherwise if the attack finds a solution $x'$ for (7) for some $j \in [k]$ then similarly to the above the assumption that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$ implies that $e' = c- \tilde{H x}'= \tilde{e}$. Due to our assumption that $\langle e^{({\mathrm{sk}})} \circ (-1), \tilde{e} \rangle =1$ this implies in turn that the attack will output a random bit. Concluding, we obtained that in the case in which c is an encryption of 1, conditioned on the event that $\tilde{H} \in \mathcal {H}_{\tilde{e}}$, the attack outputs 1 with probability at least $(1- \epsilon )/2$.

7 Attacks Based on the Approximate Duality Conjecture

Recall the definition of the duality measure given in (1). All results presented in this section assume that the following conjecture holds.

Conjecture 1

(Approximate duality conjecture [8]). For every constant $\epsilon >0$ there exists a constant c which depends only on $\epsilon $ such that the following holds. If $A,B\subseteq {\mathbb {F}}_2^m$ have $D(A,B) \ge \epsilon $ then there exist subsets $A'\subseteq A$ and $B'\subseteq B$ such that $|A'| \ge 2^{-c \sqrt{m}}|A|$, $|B'| \ge 2^{-c \sqrt{m}}|B|$ and $D(A',B')=1$.

Our main result in this section is the following.

Theorem 3

Assuming the approximate duality conjecture (Conjecture 1) there exist constants $\epsilon , \gamma >0$ such that the following holds. Let $\varPi \in \left\{ {{{\varPi _{\mathrm{Alek}}},{\varPi _{\mathrm{Reg}}},{\varPi _{\mathrm{GPV}}}}}\right\} $ be with $q=2$ and ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1-\epsilon $. Then there exists a non-uniform attack $\mathcal {A} $ on $\varPi $ running in time $2^{O(\sqrt{m})}$ with ${\mathrm{Adv}}^{\mathcal {A}}(n) \ge \gamma $.

For the proof of the above theorem we first prove two consequences of Conjecture 1. The first consequence is a generalized form of this conjecture that applies to arbitrary distributions, not necessarily uniform over subsets A, B. For a pair of distributions $\mu _1,\mu _2$ over ${\mathbb {F}}_2^m$ we define their duality measure as

$$\begin{aligned} D(\mu _1, \mu _2) = {\mathbb {E}}\left[ (-1)^{\langle {\mu _1,\mu _2}\rangle }\right] . \end{aligned}$$

Note that in the special case where $\mu _1,\mu _2$ are uniform distributions over subsets $A,B \subseteq {\mathbb {F}}_2^m$ respectively then $D(\mu _1,\mu _2) = D(A,B)$.

Lemma 3

Assuming Conjecture 1, for every constant $\epsilon >0$ there exists a constant c which depends only on $\epsilon $ such that the following holds. If a pair of distributions $\mu _1, \mu _2$ over ${\mathbb {F}}_2^m$ have $D(\mu _1, \mu _2) \ge \epsilon $ then there exist subsets $A' , B' \subseteq {\mathbb {F}}_2^m$ such that $\Pr _{\mu _1}(A') \ge 2^{-c \sqrt{m}}$, $\Pr _{\mu _2}(B') \ge 2^{-c \sqrt{m}}$ and $D(A',B')=1$.

The proof of the above lemma is given in Sect. 7.1. Note that the probability of being contained in the sets $A'$ and $B'$ in the above lemma is $2^{-c \sqrt{m}}$ and so using this lemma one can only obtain an attack on the abstract encryption scheme in the case in which the decryption error of a single encryption is $2^{-\varOmega (\sqrt{m})}$. However, we are interested in an attack that works in the case in which the decryption error of a single encryption is a sufficiently small constant. For this we apply Lemma 3 iteratively to obtain $t \approx 2^{c \sqrt{m}}$ pairs of subsets $A_i,B_i$ such that $D(A_i,B_i)=1$ for all $1 \le i \le t$ and such that the probability of being contained in the union of $\varOmega (t)$ of these subsets is $\varOmega (\epsilon )$.

Lemma 4

Assuming Conjecture 1, for every constant $\epsilon >0 $ there exists a constant c which depends only on $\epsilon $ such that the following holds for every integer $t \le 2^{c \sqrt{m}}\epsilon /4$. If a pair of distributions $\mu _1, \mu _2$ over ${\mathbb {F}}_2^m$ have $D(\mu _1, \mu _2) \ge \epsilon $, then there exist subsets $A_1,\ldots ,A_t \subseteq {\mathbb {F}}_2^m$ and $B_1,\ldots ,B_t \subseteq {\mathbb {F}}_2^m$ such that $D(A_i,B_i)=1$ for all $i \in [t]$, and in addition for every $I \subseteq [t]$ it holds that $\Pr _{\mu _1}(\bigcup _{i \in I}A_i) \ge |I| \cdot 2^{-c \sqrt{m}}/4 $ and $\Pr _{\mu _2}(\bigcup _{i \in I}B_i) \ge |I| \cdot 2^{-c \sqrt{m}}/4$.

Note that the sets $A_1,\ldots ,A_t$ and $B_1,\ldots ,B_t$ in the above lemma may have non-empty intersections and in particular are not required to be distinct. The proof of the above lemma is omitted due to space limitations.

In what follows we present the proof of our main Theorem 3 based on Lemma 4.

Proof

(Proof of Theorem 3 ). We will show that assuming Conjecture 1 we have that the conditions of either Lemmas 1 or 2 hold. Let c be the constant guaranteed by Lemma 4 for the constant $1-2\epsilon $. We shall show that the conclusion of the theorem holds for

$$\gamma = \min \big \{ (1-4\sqrt{\epsilon })/10, ((1-2\epsilon )/32- 4\sqrt{\epsilon })/10,(1-2\epsilon )/64 - \epsilon - 2 \cdot 2^{-c \sqrt{m}}\big \}.$$

If $n \le 2c \sqrt{m}$ we clearly have that the distribution $\mu _{{\mathrm{sk}}}$ is $(n,2^{2c \sqrt{m}},1)$-sparse and consequently Lemma 1 implies an attack in time $2^{O(\sqrt{m})}$ with advantage $(1-4\sqrt{\epsilon })/10$. Hence from now on we shall assume that $n > 2c \sqrt{m}$.

Let $\xi \in \left\{ {0,1}\right\} $ be such that the decryption function g satisfies $g(0)= \xi $. Our main observation is that the assumption that ${\mathrm{Adv}}^{{\mathrm{Dec}}}(n) \ge 1-\epsilon $ implies that $\Pr [ \langle \mu _{{\mathrm{sk}}} \circ (-1), \mu _{\xi } \rangle =0] \ge 1 - \epsilon $ and consequently $D(\mu _{{\mathrm{sk}}} \circ (-1), \mu _{\xi }) \ge 1 - 2\epsilon $. Thus we may apply Lemma 4 to the distributions $\mu _{{\mathrm{sk}}} \circ (-1) $ and $\mu _\xi $ and conclude the existence of $t = 2^{c \sqrt{m}} (1-2 \epsilon )/4$ subsets $A_1,\ldots ,A_t \subseteq {\mathbb {F}}_2^{m+1}$ and $B_1,\ldots ,B_t \subseteq {\mathbb {F}}_2^{m+1}$ such that $D(A_i,B_i)=1$ for all $i \in [t]$, and in addition for every $I \subseteq [t]$ it holds that $\Pr _{\mu _{{\mathrm{sk}}} \circ (-1)}(\bigcup _{i \in I}A_i) \ge |I| \cdot 2^{-c \sqrt{m}}/4 $ and $\Pr _{\mu _\xi }(\bigcup _{i \in I}B_i) \ge |I| \cdot 2^{-c \sqrt{m}}/4$.

Fix $i \in [t]$. The fact that $D(A_i,B_i) =1$ implies in turn that $\dim ({\mathrm{span}}\left( A_i\right) )+\dim ({\mathrm{span}}\left( B_i\right) ) \le m+2$ and in particular we have that either $\dim ({\mathrm{span}}\left( A_i\right) ) \le m +2 -n + 2c \sqrt{m}$ or $\dim ({\mathrm{span}}\left( B_i\right) ) \le n- 2c \sqrt{m}$. Let $I \subseteq [t]$ be the set of all indices i for which $\dim ({\mathrm{span}}\left( A_i\right) ) \le m+2 -n +2c\sqrt{m}$. We shall show that if $|I| \ge t/2$ the conditions of Lemma 1 hold while if $|I| < t/2$ the conditions of Lemma 2 hold.

We start with the case in which $|I| \ge t/2$. Fix $i \in I$ and let $v_1,\ldots ,v_{m+1}$ be a basis for ${\mathbb {F}}_2^{m+1}$ such that the subspace spanned by $v_1,\ldots ,v_{m+2-n + 2c \sqrt{m}}$ contains ${\mathrm{span}}\left( A_i\right) $. Let $L_i: {\mathbb {F}}_2^{m+1} \rightarrow {\mathbb {F}}_2^n$ be the linear transformation which satisfies $L_i(\sum _{j=1}^{m+1} \alpha _j v_j) =(\alpha _{m-n+2}, \ldots , \alpha _{m+1})$ for every $\alpha _1,\ldots ,\alpha _{m+1} \in {\mathbb {F}}_2$. Then $L_i(A_i)$ is supported only on the first $2c \sqrt{m} +1$ bits and consequently $|L_i(A_i)| \le 2^{2c \sqrt{m}+1} $. Furthermore, we have that $|I| \le t = 2^{c \sqrt{m}} (1-2 \epsilon )/4$ and $\Pr _{\mu _{{\mathrm{sk}}} \circ (-1)}(\bigcup _{i \in I}A_i) \ge (t/2) \cdot 2^{-c \sqrt{m}}/4 = (1-2 \epsilon )/32 $. This implies in turn that the distribution $\mu _{{\mathrm{sk}}} \circ (-1)$, and consequently also $\mu _{{\mathrm{sk}}}$, are $\big (n,2^{3c \sqrt{m} +1} (1-2 \epsilon )/4,(1-2 \epsilon )/32)$-sparse. Lemma 1 implies in turn that the encryption scheme can be attacked in time $2^{O(\sqrt{m})}$ with advantage $((1-2\epsilon )/32- 4\sqrt{\epsilon })/10$.

Next we deal with the case in which $|I| < t/2$. Similarly to the previous case for every $i \notin I$ there exists a full rank linear transformation $L_i: {\mathbb {F}}_2^{m+1} \rightarrow {\mathbb {F}}_2^{m+1-n+2c \sqrt{m}}$ such that $L_i(B_i) \equiv 0$ and $\Pr _{\mu _\xi }(\bigcup _{i \notin I}B_i) \ge (1-2 \epsilon )/32 $. This implies in turn that $\mu _\xi $ is $\big (m+1-n+2c \sqrt{m},2^{c \sqrt{m}} (1-2 \epsilon )/4 ,(1-2 \epsilon )/32 )$-sparse. So by Lemma 2 we have that the encryption scheme can be attacked in time $2^{O(\sqrt{m})}$ with advantage $(1-2\epsilon )/64 - \epsilon - 2 \cdot 2^{-c \sqrt{m}} $.

7.1 From Uniform to General Distributions – Proof of Lemma 3

We start with the following lemma which says that every distribution can be approximated by a distribution which is a convex combination of not too many uniform distributions.

Lemma 5

Let $\mu $ be a distribution with support S, $|S| = N$, and let $t =\log (2N/\epsilon )/\log (1+ \epsilon /2)$. Then there exist a partition of S into at most $t+2$ subsets $S_0, \ldots ,S_{t+1}$ and a distribution $\chi $ which is a convex combination of uniform distributions on $S_0, \ldots , S_t$ such that $\mu $ is $\epsilon $-close to $\chi $.

Proof

Choose an arbitrary element $\beta \in S$. Let

$$\begin{aligned} S_0 = \left\{ {\alpha \in S\setminus \left\{ {\beta }\right\} \bigg | \mathrm{Pr}_{\mu }(\alpha ) \le \frac{\epsilon }{2 N}}\right\} , \end{aligned}$$

for all $1 \le i \le t$ let

$$\begin{aligned} S_i = \left\{ {\alpha \in S\setminus \left\{ {\beta }\right\} \bigg | \frac{\epsilon }{2N}\cdot (1+\epsilon /2)^{i-1} < \mathrm{Pr}_{\mu }(\alpha ) \le \frac{\epsilon }{2N}\cdot (1+\epsilon /2)^{i} }\right\} \end{aligned}$$

and let $S_{t+1} = \left\{ {\beta }\right\} $.

Let $\chi $ be the distribution which satisfies

$$ \mathrm{Pr}_{\chi }(\alpha )={\left\{ \begin{array}{ll} 0, &{} \alpha \in S_0\\ \frac{\epsilon }{2N}\cdot (1+\epsilon /2)^{i-1}, &{} \alpha \in S_i\; \text {for} \; 1 \le i \le t\\ 1 -\sum \nolimits _{\gamma \in S\setminus \left\{ {\beta }\right\} } \Pr _{\chi }(\gamma ), &{} \alpha = \beta . \end{array}\right. }$$

We clearly have that $S_0,\ldots ,S_{t+1}$ is a partition of S and that $\chi $ is a convex combination of uniform distributions on $S_0,\ldots ,S_{t+1}$.

It remains to show that $\mu $ is $\epsilon $-close to the distribution $\chi $. For this we compute

$$ | \mu - \chi | = \frac{1}{2}\sum _{\alpha \in S} | \mathrm {Pr}_{\mu }(\alpha ) - \mathrm {Pr}_{\chi }(\alpha ) | = \sum _{\alpha \in S \setminus \left\{ {\beta }\right\} } (\mathrm {Pr}_{\mu }(\alpha ) - \mathrm {Pr}_{\chi }(\alpha )) $$

$$ \le \sum _{\alpha \in S_0} \frac{\epsilon }{2N} + \sum _{i=1}^t \sum _{\alpha \in S_i} \frac{\epsilon }{2} \mathrm {Pr}_{\mu }(\alpha ) \le \frac{\epsilon }{2N} \cdot N + \frac{\epsilon }{2} \sum _{\alpha \in S} \mathrm {Pr}_{\mu }(\alpha ) = \epsilon . $$

We shall also use the definition of the spectrum given below.

Definition 2

(Spectrum). For a distribution $\mu $ over ${\mathbb {F}}_2^m$ and $\epsilon \in [0,1]$ let the $\epsilon $ -spectrum of $\mu $ be the set

Note that if ${\mathrm{supp}}(\mu _1) \subseteq {\mathrm{Spec}}_{\epsilon }(\mu _2)$ then $D(\mu _1,\mu _2)\ge \epsilon $. Conversely, a standard probabilistic argument shows that if $D(\mu _1, \mu _2) \ge \epsilon $ then $\Pr _{\mu _1} ({\mathrm{Spec}}_{\epsilon /2}(\mu _2)) \ge \epsilon /2$.

Proof

(Proof of Lemma 3 ). Let $c'$ be the constant guaranteed by Conjecture 1 for the constant $\epsilon /4$.

Let $\mu _1' = \mu _1| {\mathrm{Spec}}_{\epsilon /2}(\mu _2)$ and note that the fact that $D(\mu _1,\mu _2) \ge \epsilon $ implies that $\Pr _{ \mu _1}( {\mathrm{Spec}}_{\epsilon /2}(\mu _2)) \ge \epsilon /2$. By Lemma 5 there exists a partition of ${\mathrm{supp}}(\mu _1')$ into $t+2$ subsets $A_0,\ldots ,A_{t+1} \subseteq {\mathbb {F}}_2^m$ for $t=\log (2 \cdot 2^m/\delta )/\log (1+\delta /2)$ such that $\mu _1'$ is $\delta $-close to a distribution $\chi _1$ which is a convex combination of uniform distributions on $A_0,\ldots ,A_{t+1}$. Since ${\mathrm{supp}}(\mu _1') \subseteq {\mathrm{Spec}}_{\epsilon /2}(\mu _2)$ we have that $A_i \subseteq {\mathrm{Spec}}_{\epsilon /2}(\mu _2)$ for all $0 \le i \le t+1$ and so $D(A_i, \mu _2) \ge \epsilon /2$ for all $0 \le i \le t+1$.

Fix $0 \le i \le t+1$. Similarly to the above, let $ \mu _2^{(i)} = \mu _2 | {\mathrm{Spec}}_{\epsilon /4}(A_i)$ and note that the fact that $D(A_i, \mu _2) \ge \epsilon /2$ implies that $\Pr _{\mu _2}( {\mathrm{Spec}}_{\epsilon /4}( A_i)) \ge \epsilon /4$. By Lemma 5 there exists a partition of ${\mathrm{supp}}(\mu _2^{(i)})$ into $t+2$ subsets $B_0^{(i)}, \ldots , B_{t+1}^{(i)} \subseteq {\mathbb {F}}_2^m $ for $t=\log (2 \cdot 2^m/\delta )/\log (1+\delta /2)$ such that $\mu _2^{(i)}$ is $\delta $-close to a distribution $\chi _2^{(i)}$ which is a convex combination of uniform distributions on $B_0^{(i)}, \ldots , B_{t+1}^{(i)}$. Since ${\mathrm{supp}}(\mu _2^{(i)}) \subseteq {\mathrm{Spec}}_{\epsilon /4}(A_i)$ we have that $B_j^{(i)} \subseteq {\mathrm{Spec}}_{\epsilon /4}(A_i)$ for all $0 \le j \le t+1$ and so $D(A_i,B_j^{(i)}) \ge \epsilon /4$ for all $0 \le j \le t+1$.

Summarizing, so far we found a collection of subsets $\{A_i\}_{0 \le i \le t+1}$ and a collection $\{B_j^{(i)}\}_{0 \le i,j \le t+1}$ such that:

$\mu '_1 = \mu _1|{\mathrm{Spec}}_{\epsilon /2}(\mu _2)$ is close to a convex combination of uniform distributions on $A_0,\ldots ,A_{t+1}$.
$\mu _2^{(i)} = \mu _2|{\mathrm{Spec}}_{\epsilon /4}(A_i)$ is close to a convex combination of uniform distributions on $B_0^{(i)}, \ldots , B_{t+1}^{(i)}$ for all $0 \le i \le t+1$.
$D(A_i,B_j^{(i)}) \ge \epsilon /4$ for all $0 \le i,j \le t+1$.

For every $0 \le i,j \le t+1$ we can apply Conjecture 1 to the sets $A_i,B_j^{(i)}$ and conclude the existence of subsets $\tilde{A}_j^{(i)} \subseteq A_i$, $\tilde{B}_j^{(i)} \subseteq B_j^{(i)}$ such that $D( \tilde{A}_j^{(i)}, \tilde{B}_j^{(i)})=1$ and $|\tilde{A}_j^{(i)} |\ge 2^{-c' \sqrt{m}}|A_i |$, $|\tilde{B}_j^{(i)} | \ge 2^{-c' \sqrt{m}}|B_j^{(i)} |$. So in order to prove the lemma it suffices to show the existence of a constant c and indices $0 \le k, \ell \le t+1$ for which $\Pr _{\mu _1}(\tilde{A}_\ell ^{(k)}) \ge 2^{-c \sqrt{m}}$ and $\Pr _{\mu _2}(\tilde{B}_\ell ^{(k)}) \ge 2^{-c \sqrt{m}}$.

By the pigeonhole principle, for every $0 \le i \le t+1$ there exists an index $0 \le j_i \le t+1$ such that

$$ \mathrm{Pr}_{\mu _{2}}\bigg (\tilde{B}_{j_{i}}^{(i)}\bigg ) \ge \frac{\mathrm{Pr}_{\mu _{2}}\bigg (\bigcup _{j=0}^{t+1} \tilde{B}_{j}^{(i)}\bigg )}{t+2}. $$

Similarly, there exists $0 \le k \le t+1$ such that

$$ \mathrm{Pr}_{\mu _{1}}\bigg (\tilde{A}_{j_{k}}^{(k)}\bigg ) \ge \frac{\mathrm{Pr}_{\mu _{1}}\bigg (\bigcup _{i=0}^{t+1} \tilde{A}_{j_{i}}^{(i)}\bigg )}{t+2}.$$

Let $A' = \tilde{A}_{j_{k}}^{(k)}$ and $B' = \tilde{B}_{j_{k}}^{(k)}$. Then we have that $D(A',B')=1$ and in order to bound the probabilities $\Pr _{\mu _1}(A')$ and $\Pr _{\mu _2}(B')$ from below it suffices to bound the probabilities $\mathrm{Pr}_{\mu _{2}}\bigg (\bigcup _{j=0}^{t+1} \tilde{B}_j^{(k)}\bigg )$ and $\mathrm{Pr}_{\mu _{1}}\bigg (\bigcup _{i=0}^{t+1} \tilde{A}_{j_{i}}^{(i)}\bigg )$ from below. For this we compute

$$\begin{aligned} \mathrm{Pr}_{\mu _2}\bigg (\bigcup _{j=0}^{t+1} \tilde{B}_j^{(k)}\bigg )\ge & {} {\frac{\epsilon }{4}} \cdot \mathrm{Pr}_{\mu _{2}^{(k)}}\bigg (\bigcup _{j=0}^{t+1} \tilde{B}_j^{(k)}\bigg ) \;\;\ (\text {Since} \; \mathrm{Pr}_{ \mu _{2}}( {\mathrm{Spec}}_{\epsilon /4}(A_k)) \ge \epsilon /4) \\\ge & {} {\frac{\epsilon }{4}} \cdot \bigg (\mathrm{Pr}_{\chi _2^{(k)}}\bigg (\bigcup _{j=0}^{t+1} \tilde{B}_j^{(k)}\bigg ) - \delta \bigg ) \;\;(\text {Since} \mu _{2}^{(k)}~\text {and}~\chi _{2}^{(k)}~\text {are}~\delta \text {-close}) \\\ge & {} {\frac{\epsilon }{4}} \cdot \big (2^{-c' \sqrt{m}}- \delta \big ), \end{aligned}$$

where the last inequality follows since $\chi _{2}^{(k)}$ is a convex combination of uniform distributions on $ B_0^{(k)}, \ldots , B_{t+1}^{(k)}$ and $|\tilde{B}_j^{(k)}| \ge 2^{-c' \sqrt{m}} |B_j^{(k)}|$ for all $0 \le j \le t+1$.

Similarly, we have that

$$ \mathrm {Pr}_{\mu _1}\bigg (\bigcup _{i=0}^{t+1} \tilde{A}_{j_i}^{(i)}\bigg ) {\ge } \frac{\epsilon }{2} \cdot \mathrm {Pr}_{\mu _1'}\bigg (\bigcup _{i=0}^{t+1} \tilde{A}_{j_i}^{(i)}\bigg ) {\ge } \frac{\epsilon }{2} \cdot \bigg (\mathrm {Pr}_{\chi _1'}\bigg (\bigcup _{i=0}^{t+1} \tilde{A}_{j_i}^{(i)} \bigg ) - \delta \bigg ) {\ge } \frac{\epsilon }{2} \cdot \big (2^{-c' \sqrt{m}}- \delta \big ). $$

Concluding, we have found subsets $A',B' $ such that $D(A',B')=1$ and such that both $\mathrm{Pr}_{\mu _1}(A')$ and $\mathrm{Pr}_{\mu _2}(B')$ are bounded from below by $\frac{\epsilon }{4(t+2)} \cdot \big (2^{-c' \sqrt{m}}- \delta \big )$. The proof is completed by letting $\delta = 2^{-c'\sqrt{m}}/2$ and $t = \frac{\log (2 \cdot 2^{m}/\delta )}{\log (1+\delta /2)}$ and noting that with this setting of parameters there exists a constant c which depends only on $\epsilon $ such that ${\frac{\epsilon }{4(t+2)}} \cdot \bigg (2^{-c' \sqrt{m}} - \delta \bigg ) \ge 2^{-c \sqrt{m}}$ for a sufficiently large m.

Notes

1.
We view the code specification as a global public parameter and do not count it towards the public key size. This is justified by the possibility of picking the code pseudorandomly or using special classes of codes that can be succinctly described (cf. [12, 30]).
2.
Recall that we do not include global public parameters, such as the specification of a random linear code, in the public key size. Currently, the only plausible candidates for public key encryption schemes that are optimally succinct in the above sense are based on special families of elliptic curves. Unlike typical code-based constructions, these schemes are inherently susceptible to quantum attacks. The work of Sahai and Waters [43] shows that public key encryption with optimally succinct ciphertexts can be based on indistinguishability obfuscation and an exponentially strong one-way function. However, obfuscation-based constructions have large public keys and their known instances are currently quite far from being practical.
3.
A different unified view of the schemes of Regev and Alekhnovich was previously given by Lindner and Peikert [26] who suggested to add an additional noise vector in the encryption process of Regev’s scheme. This allowed them to argue about the security of Regev’s scheme using Alekhnovich-style security proof and consequently reduce key sizes in Regev’s scheme.
4.
Note that we do not claim that the original encryption schemes of Alekhnovich, Regev and GPV are equivalent to each other in terms of security but rather that for each pair of schemes $E,E' \in \left\{ {\text {Alekhnovich, Regev, GPV}}\right\} $ one can change the field size and noise distributions in E (but not the syntactics of E!) to obtain an encryption scheme that is equivalent to $E'$ in terms of security.

References

Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing (STOC), pp. 99–108. ACM Press (1996)
Google Scholar
Ajtai, M., Dwork, C.: A public-key cryptosystem with worst-case/average-case equivalence. In: Proceedings of the Twenty-Ninth Annual ACM Symposium on the Theory of Computing (STOC), pp. 284–293. ACM Press (1997)
Google Scholar
Alekhnovich, M.: More on average case vs approximation complexity. Comput. Complex. 20(4), 755–786 (2011). Preliminary version in Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS 2003)
Article MathSciNet MATH Google Scholar
Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)
Chapter Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography with constant input locality. J. Cryptology 22(4), 429–469 (2009)
Article MathSciNet MATH Google Scholar
Ben-Sasson, E., Ben-Tov, I., Damgård, I., Ishai, Y., Ron-Zewi, N.: On public key encryption from noisy codewords. IACR Cryptology ePrint Archive, 2015:572 (2015)
Google Scholar
Ben-Sasson, E., Lovett, S., Ron-Zewi, N.: An additive combinatorics approach relating rank to communication complexity. J. ACM (2013) (to appear)
Google Scholar
Ben-Sasson, E., Zewi, N.: From affine to two-source extractors via approximate duality. In: Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC), pp. 177–186. ACM Press (2011)
Google Scholar
Bhowmick, A., Dvir, Z., Lovett, S.: New bounds for matching vector families. In: Proceedings of the 47th ACM Symposium on Theory of Computing (STOC), pp. 823–832. ACM Press (2013)
Google Scholar
Blum, A., Furst, M.L., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994)
Chapter Google Scholar
Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, the statistical query model. J. ACM 50(4), 506–519 (2003)
Article MathSciNet Google Scholar
Damgård, I., Park, S.: Is public-key encryption based on LPN practical? IACR Cryptology ePrint Archive, 2011:699 (2012)
Google Scholar
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Article MathSciNet MATH Google Scholar
Dvir, Z., Gopalan, P., Yekhanin, S.: Matching vector codes. SIAM J. Comput. 40(4), 1154–1178 (2011). Preliminary version in Proceedings of the IEEE 51st Annual Symposium on Foundations of Computer Science (FOCS 2011)
Article MathSciNet MATH Google Scholar
Dwork, C., Naor, M., Reingold, O.: Immunizing encryption schemes from decryption errors. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 342–360. Springer, Heidelberg (2004)
Chapter Google Scholar
Efremenko, K.: 3-query locally decodable codes of subexponential length. SIAM J. Comput. 41(6), 1694–1703 (2012). Preliminary version in Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC 2009)
Article MathSciNet MATH Google Scholar
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Article MathSciNet MATH Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC). ACM Press (2008)
Google Scholar
Goldreich, O., Goldwasser, S., Halevi, S.: Public-key cryptosystems from lattice reduction problems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 112–131. Springer, Heidelberg (1997)
Google Scholar
Green, B.: Finite field models in additive combinatorics. In London Mathematical Society Lecture Note Series, vol. 324. Cambridge University Press, Cambridge (2005)
Google Scholar
Grolmusz, V.: Superpolynomial size set-systems with restricted intersections mod 6 and explicit ramsey graphs. Combinatorica 20, 71–86 (2000)
Article MathSciNet MATH Google Scholar
Hoffstein, J., Pipher, J., Silverman, J.H.: NTRU: a ring-based public key cryptosystem. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 267–288. Springer, Heidelberg (1998)
Chapter Google Scholar
Hopper, N.J., Blum, M.: Secure human identification protocols. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 52–66. Springer, Heidelberg (2001)
Chapter Google Scholar
Kalai, A.T., Mansour, Y., Verbin, E.: On agnostic boosting and parity learning. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC), pp. 629–638. ACM Press (2008)
Google Scholar
Kopparty, S., Saraf, S.: Local list-decoding and testing of random linear codes from high error. SIAM J. Comput. 42(3), 1302–1326 (2013)
Article MathSciNet MATH Google Scholar
Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)
Chapter Google Scholar
Lovett, S.: Additive combinatorics and its applications in theoretical computer science (2013)
Google Scholar
Lovett, S.: Communication is bounded by root of rank. In: Proceedings of the 46th ACM Symposium on Theory of Computing (STOC). ACM Press (2014)
Google Scholar
Lyubashevsky, V.: The parity problem in the presence of noise, decoding random linear codes, and the subset sum problem. In: Chekuri, C., Jansen, K., Rolim, J.D.P., Trevisan, L. (eds.) APPROX 2005 and RANDOM 2005. LNCS, vol. 3624, pp. 378–389. Springer, Heidelberg (2005)
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43 (2013)
Article MathSciNet Google Scholar
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. JPL DSN Progress Report (1978)
Google Scholar
Micciancio, D.: Improving lattice based cryptosystems using the hermite normal form. In: Silverman, J.H. (ed.) CaLC 2001. LNCS, vol. 2146, pp. 126–145. Springer, Heidelberg (2001)
Chapter Google Scholar
Micciancio, D.: Duality in lattice-based cryptography. In Public Key Cryptography (invited talk) (2010)
Google Scholar
Micciancio, D., Mol, P.: Pseudorandom Knapsacks and the sample complexity of LWE search-to-decision reductions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 465–484. Springer, Heidelberg (2011)
Chapter Google Scholar
Micciancio, D., Regev, O.: Lattice-based cryptography. In: Bernstein, D.J., Buchmann, J., Dahmen, E. (eds.) Post-Quantum Cryptography, pp. 147–192. Springer, Heidelberg (2009)
Google Scholar
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Prob. Control Inf. Theory (Problemy Upravlenija i Teorii Informacii) 15, 159–166 (1986)
MathSciNet MATH Google Scholar
Pietrzak, K.: Cryptography from learning parity with noise. In: Bieliková, M., Friedrich, G., Gottlob, G., Katzenbeisser, S., Turán, G. (eds.) SOFSEM 2012. LNCS, vol. 7147, pp. 99–114. Springer, Heidelberg (2012)
Chapter Google Scholar
Rabin, M.: Digitalized signatures and public-key functions as intractable as factorization. MIT LCS TR-212 (1979)
Google Scholar
Regev, O.: New lattice-based cryptographic constructions. J. ACM 51(6), 899–942 (2004)
Article MathSciNet MATH Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009). Preliminary version in Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC 2005)
Article MathSciNet Google Scholar
Regev, O.: The learning with errors problem (invited survey). In: IEEE Conference on Computational Complexity, pp. 191–204 (2010)
Google Scholar
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983)
Article Google Scholar
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Proceedings of the 46th Annual ACM Symposium on the Theory of Computing (STOC), pp. 475–484. ACM Press (2014)
Google Scholar
Stehlé, D., Steinfeld, R., Tanaka, K., Xagawa, K.: Efficient public key encryption based on ideal lattices. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 617–635. Springer, Heidelberg (2009)
Chapter Google Scholar

Download references

Acknowledgements

We thank Parikshit Gopalan, Elad Haramaty, Swastik Kopparty, Shachar Lovett, Oded Regev, Amir Shpilka, Shubhangi Saraf and Ben Lee Volk for useful discussions, and the anonymous reviewers for helpful comments and pointers.

The research of the first two authors was supported by ERC grant no. 240258 (PaC) and ISF grant 1501/14.The research of the third author was supported by the CFEM center funded by the Danish Council for Strategic Research, the FP7 EU-project PRACTICE, the MPCPRO project funded by ERC and the CTIC center funded by the Danish National Research Foundation. The research of the fourth author was supported by ERC grant no. 259426 CaC, ISF grant 1709/14, and BSF grant 2012378. His research is also supported from a DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1228984, 1136174, 1118096, and 1065276. This material is based upon work supported by the Defense Advanced Research Projects Agency through the ARL under Contract W911NF-15-C-0205. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense, the National Science Foundation, or the U.S. Government. The research of fifth author was partially supported by NSF grants CCF-1412958 and CCF-1445755 and the Rothschild fellowship.

Author information

Authors and Affiliations

Department of Computer Science, Technion, Haifa, Israel
Eli Ben-Sasson, Iddo Ben-Tov & Yuval Ishai
Department of Computer Science, Aarhus University, Aarhus, Denmark
Ivan Damgård
UCLA, Los Angeles, CA, USA
Yuval Ishai
School of Mathematics, Institute for Advanced Study, Princeton, NJ, USA
Noga Ron-Zewi
DIMACS, Rutgers University, Piscataway, NJ, USA
Noga Ron-Zewi

Authors

Eli Ben-Sasson
View author publications
You can also search for this author in PubMed Google Scholar
Iddo Ben-Tov
View author publications
You can also search for this author in PubMed Google Scholar
Ivan Damgård
View author publications
You can also search for this author in PubMed Google Scholar
Yuval Ishai
View author publications
You can also search for this author in PubMed Google Scholar
Noga Ron-Zewi
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eli Ben-Sasson .

Editor information

Editors and Affiliations

National Taiwan University, Taipei, Taiwan
Chen-Mou Cheng
Academia Sinica, Taipei, Taiwan
Kai-Min Chung
Università di Salerno, Fisciano, Italy
Giuseppe Persiano
Academia Sinica, Taipei, Taiwan
Bo-Yin Yang

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Ben-Sasson, E., Ben-Tov, I., Damgård, I., Ishai, Y., Ron-Zewi, N. (2016). On Public Key Encryption from Noisy Codewords. In: Cheng, CM., Chung, KM., Persiano, G., Yang, BY. (eds) Public-Key Cryptography – PKC 2016. PKC 2016. Lecture Notes in Computer Science(), vol 9615. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49387-8_16

Download citation

DOI: https://doi.org/10.1007/978-3-662-49387-8_16
Published: 18 February 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49386-1
Online ISBN: 978-3-662-49387-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

On Public Key Encryption from Noisy Codewords

Abstract

Similar content being viewed by others

An Asymptotically Optimal Method for Converting Bit Encryption to Multi-Bit Encryption

Entropically secure encryption with faster key expansion

Symbolic Encryption with Pseudorandom Keys

Keywords

1 Introduction

1.1 Overview of Contribution

1.2 Learning Parity with Noise

1.3 Alekhnovich’s Public Key Encryption Scheme

1.4 Learning with Errors

1.5 Public Key Encryption Based on Learning with Errors

1.6 Related Work

2 Our Results in More Detail

2.1 Unconditional Negative Result

2.2 Conditional Negative Results

2.3 Perfectly Correct Decryption

2.4 Open Problems

2.5 Paper Organization

3 Preliminaries

3.1 Public Key Encryption

4 Unified Encryption Scheme

Claim 1

Claim 2

5 Unconditional Attack

Theorem 1

Theorem 2

Corollary 1

Proof

6 Attacks Based on Combinatorial Properties of \(\mu _{{\mathrm{sk}}}, \mu _0, \mu _1\)

Definition 1

6.1 Attack Based on Combinatorial Properties of \(\mu _{{\mathrm{sk}}}\)

Lemma 1

Proof

6.2 Attack Based on Combinatorial Properties of \(\mu _0,\mu _1\)

Lemma 2

Proof

7 Attacks Based on the Approximate Duality Conjecture

Conjecture 1

Theorem 3

Lemma 3

Lemma 4

Proof

7.1 From Uniform to General Distributions – Proof of Lemma 3

Lemma 5

Proof

Definition 2

Proof

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation