Quantum Oblivious LWE Sampling and Insecurity of Standard Model Lattice-Based SNARKs
CoRR(2024)
Abstract
The Learning With Errors ($\mathsf{LWE}$) problem asks to find $\mathbf{s}$ from an input of the form $(\mathbf{A}, \mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}) \in (\mathbb{Z}/q\mathbb{Z})^{m \times n} \times (\mathbb{Z}/q\mathbb{Z})^m$, for a vector $\mathbf{e}$ that has small-magnitude entries. In this work, we do not focus on solving $\mathsf{LWE}$ but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create $\mathbf{s}$ and $\mathbf{e}$ and then set $\mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}$. In particular, such an instance sampler knows the solution. This raises the question whether it is possible to obliviously sample $(\mathbf{A}, \mathbf{A}\mathbf{s}+\mathbf{e})$, namely, without knowing the underlying $\mathbf{s}$. A variant of the assumption that oblivious $\mathsf{LWE}$ sampling is hard has been used in a series of works constructing Succinct Non-interactive Arguments of Knowledge (SNARKs) in the standard model. As the assumption is related to $\mathsf{LWE}$, these SNARKs have been conjectured to be secure in the presence of quantum adversaries.

Our main result is a quantum polynomial-time algorithm that samples well-distributed $\mathsf{LWE}$ instances while provably not knowing the solution, under the assumption that $\mathsf{LWE}$ is hard. Moreover, the approach works for a vast range of $\mathsf{LWE}$ parametrizations, including those used in the above-mentioned SNARKs.
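The following is an added illustration, not code from the paper or its authors, of the two facts the abstract builds on: the standard (classical) instance sampler necessarily learns the witness $\mathbf{s}$ because it picks $\mathbf{s}$ and $\mathbf{e}$ before computing $\mathbf{b}$, and valid instances are extremely sparse in their range, so guessing $\mathbf{b}$ at random does not work. The parameters, the uniform choice of $\mathbf{A}$ and $\mathbf{s}$, the bounded-uniform error, and the crude counting bound on density are assumptions made for the example; the paper's actual distributions and parameter regimes are more general.

```python
import math
import random


def sample_lwe_instance(n, m, q, bound, rng):
    """Standard non-oblivious LWE sampler (assumed toy distributions):
    A uniform in (Z/qZ)^{m x n}, s uniform in (Z/qZ)^n, e uniform in
    [-bound, bound]^m, then b = A s + e mod q.  Note that the sampler
    cannot avoid knowing the solution s: it is created first."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, b, s, e


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def is_lwe_witness(A, b, s, q, bound):
    """Witness check: s is a solution if b - A s (mod q, centered) has
    every entry of magnitude at most `bound`."""
    m, n = len(A), len(s)
    for i in range(m):
        r = centered(b[i] - sum(A[i][j] * s[j] for j in range(n)), q)
        if abs(r) > bound:
            return False
    return True


def log2_density_upper_bound(n, m, q, bound):
    """log2 of an upper bound on the fraction of vectors b in (Z/qZ)^m
    that admit some witness for a fixed A: at most q^n choices of s times
    (2*bound+1)^m choices of e, out of q^m candidate vectors b.  When the
    result is strongly negative, a uniformly random b is almost never a
    valid instance, which is why 'sample b first, find s later' is not an
    oblivious sampler."""
    return (n * math.log2(q)
            + m * math.log2(2 * bound + 1)
            - m * math.log2(q))


if __name__ == "__main__":
    rng = random.Random(2024)  # constructed seed for reproducibility
    n, m, q, bound = 8, 32, 3329, 2
    A, b, s, e = sample_lwe_instance(n, m, q, bound, rng)
    print("witness check on honest instance:", is_lwe_witness(A, b, s, q, bound))
    print("log2 density bound for (n, m, q, bound) = (%d, %d, %d, %d): %.1f"
          % (n, m, q, bound, log2_density_upper_bound(n, m, q, bound)))
```

The witness check is the cheap part; the point of the abstract is that the only obvious way to produce $\mathbf{b}$ that passes it is to go through `sample_lwe_instance`, which leaves the sampler holding $\mathbf{s}$, and that a quantum sampler which provably avoids this is what breaks the "oblivious LWE sampling is hard" flavour of assumption.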