Cryptology ePrint Archive: Report 2011/289

Polly Cracker, Revisited

Martin R. Albrecht and Pooya Farshim and Jean-Charles Faugère and Ludovic Perret

Abstract: In this paper we initiate the formal treatment of cryptographic constructions - commonly known as "Polly Cracker" – based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. This work is motivated by the observation that the Ideal Remainder (IR) problem is one of the most natural candidates to build homomorphic encryption schemes. To this end, we start by formalising and studying the relation between the ideal remainder problem and the problem of computing a Gröbner basis.

We show both positive and negative results.

On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded CPA security under the hardness of the IR problem. Furthermore, using results from computational commutative algebra we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly Cracker-type scheme.

On the positive side, we formalise noisy variants of the ideal membership, ideal remainder, and Gröbner basis problems. These problems can be seen as natural generalisations of the LWE problem and the approximate GCD problem over polynomial rings. After formalising and justifying the hardness of the noisy assumptions we show – following the recent progress on homomorphic encryption – that noisy encoding of messages results in a fully IND-CPA secure somewhat homomorphic encryption scheme. Together with a standard symmetric-to-asymmetric transformation for additively homomorphic schemes, we provide a positive answer to the long standing open problem proposed by Barkee et al. (and later also by Gentry) of constructing a secure Polly Cracker-type cryptosystem reducible to the hardness of solving a random system of equations. Indeed, our results go beyond that by also providing a new family of somewhat homomorphic encryption schemes based on new, but natural, hard problems.

Our results also imply that Regev’s LWE-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters. Finally, we estimate the parameters which define our cryptosystem and give a proof-of-concept implementation.

Category / Keywords: foundations / Polly Cracker, Gröbner bases, Learning with errors, Noisy encoding, Homomorphic encryption, Public-key encryption, Provable security

Date: received 1 Jun 2011, last revised 9 Nov 2011

Contact author: malb at lip6 fr

Available formats: PDF | BibTeX Citation

Note: Corrected statement of 2b vs. b Lemma and typos in proof thereof.

Version: 20111109:122239 (All versions of this report)

Discussion forum: Show discussion | Start new discussion