DOI: 10.1145/3618260.3649766

Quantum Oblivious LWE Sampling and Insecurity of Standard Model Lattice-Based SNARKs

Published: 11 June 2024

Abstract

The Learning With Errors (LWE) problem asks to find s from an input of the form (A, b = As+e) ∈ (ℤ/qℤ)^{m×n} × (ℤ/qℤ)^m, for a vector e that has small-magnitude entries. In this work, we do not focus on solving LWE but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create s and e and then set b = As+e. In particular, such an instance sampler knows the solution. This raises the question whether it is possible to obliviously sample (A, As+e), namely, without knowing the underlying s. A variant of the assumption that oblivious LWE sampling is hard has been used in a series of works to analyze the security of candidate constructions of Succinct Non-interactive Arguments of Knowledge (SNARKs). As the assumption is related to LWE, these SNARKs have been conjectured to be secure in the presence of quantum adversaries.
Our main result is a quantum polynomial-time algorithm that samples well-distributed LWE instances while provably not knowing the solution, under the assumption that LWE is hard. Moreover, the approach works for a vast range of LWE parametrizations, including those used in the above-mentioned SNARKs. This invalidates the assumptions used in their security analyses, although it does not yield attacks against the constructions themselves.
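The straightforward, solution-aware sampler that the abstract contrasts with oblivious sampling, as an added Python example (this is not code from the paper): it draws A, s and e, sets b = As+e mod q, and therefore necessarily holds the secret. The checker shows why that matters (the sampler can verify its own instance) and the density bound quantifies "extremely sparse in their range": for fixed A there are at most q^n·(2B+1)^m valid b out of q^m. The parameters n=8, m=32, q=257, B=3 are toy values assumed for illustration only.

```python
# Added example, not the paper's code: the trivial (non-oblivious) LWE sampler.
# Parameters below are toy values; real schemes use far larger n, m and q.
import math
import random


def sample_lwe(n, m, q, bound, rng):
    """Sample an LWE instance the obvious way: pick A, s, e, then set
    b = A s + e (mod q). The secret s and error e are returned as well,
    which is exactly the point: this sampler knows the solution."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(m)]  # small-magnitude error
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, b, s, e


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def is_lwe_solution(A, b, s, q, bound):
    """True iff every entry of b - A s (mod q), taken centered, has
    magnitude at most `bound`, i.e. s is a valid solution for (A, b)."""
    n = len(s)
    for i, row in enumerate(A):
        e_i = centered(b[i] - sum(row[j] * s[j] for j in range(n)), q)
        if abs(e_i) > bound:
            return False
    return True


def log2_instance_density(n, m, q, bound):
    """Upper bound on log2 of the fraction of b in (Z/qZ)^m that are valid
    LWE values for a fixed A: at most q^n * (2*bound+1)^m pairs (s, e)
    against q^m candidate vectors. Strongly negative means 'sparse'."""
    return n * math.log2(q) + m * math.log2(2 * bound + 1) - m * math.log2(q)


def demo(seed=2024, n=8, m=32, q=257, bound=3):
    """Run the sampler and the checker on one instance; returns the results
    rather than printing them so they can be inspected programmatically."""
    rng = random.Random(seed)
    A, b, s, _e = sample_lwe(n, m, q, bound, rng)
    tampered = list(b)
    tampered[0] = (tampered[0] + 2 * bound + 1) % q  # pushes e_0 out of range
    return {
        "known_secret_ok": is_lwe_solution(A, b, s, q, bound),
        "zero_secret_ok": is_lwe_solution(A, b, [0] * n, q, bound),
        "tampered_ok": is_lwe_solution(A, tampered, s, q, bound),
        "log2_density": log2_instance_density(n, m, q, bound),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the toy parameters the density bound is roughly 2^-102, so guessing a b and hoping it is a valid LWE value is hopeless; the only classical route visible here goes through choosing s and e first, which is what the oblivious-sampling question and the paper's quantum result are about.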

Published In

STOC 2024: Proceedings of the 56th Annual ACM Symposium on Theory of Computing
June 2024
2049 pages
ISBN:9798400703836
DOI:10.1145/3618260
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. learning with errors
  2. oblivious sampling
  3. quantum algorithms
  4. succinct non-interactive arguments of knowledge

Qualifiers

  • Research-article

Funding Sources

  • Agence Nationale de la Recherche

Conference

STOC '24
STOC '24: 56th Annual ACM Symposium on Theory of Computing
June 24 - 28, 2024
Vancouver, BC, Canada

Acceptance Rates

Overall Acceptance Rate 1,469 of 4,586 submissions, 32%
