Quantum Oblivious LWE Sampling and Insecurity of Standard Model Lattice-Based SNARKs
Thomas Debris-Alazard, Inria Saclay - Île-de-France Research Centre, Computer Science Laboratory of the École Polytechnique
Pouria Fallahpour, École Normale Supérieure de Lyon
Damien Stehlé, École Normale Supérieure de Lyon, Cryptolab Inc.
Abstract
The Learning With Errors () problem asks to find from an input of the form , for a vector that has small-magnitude entries. In this work, we do not focus on solving but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create and and then set . In particular, such an instance sampler knows the solution. This raises the question whether it is possible to obliviously sample , namely, without knowing the underlying . A variant of the assumption that oblivious sampling is hard has been used in a series of works to analyze the security of candidate constructions of Succinct Non interactive Arguments of Knowledge (SNARKs). As the assumption is related to , these SNARKs have been conjectured to be secure in the presence of quantum adversaries.
Our main result is a quantum polynomial-time algorithm that
samples well-distributed instances while provably not knowing the solution, under the assumption that is hard. Moreover, the approach works for a vast range of parametrizations, including those used in the above-mentioned SNARKs. This invalidates the assumptions used in their security analyses, although it does not yield attacks against the constructions themselves.
@misc{cryptoeprint:2024/030,
author = {Thomas Debris-Alazard and Pouria Fallahpour and Damien Stehlé},
title = {Quantum Oblivious {LWE} Sampling and Insecurity of Standard Model Lattice-Based {SNARKs}},
howpublished = {Cryptology {ePrint} Archive, Paper 2024/030},
year = {2024},
url = {https://eprint.iacr.org/2024/030}
}
Note: In order to protect the privacy of readers, eprint.iacr.org
does not use cookies or embedded third party content.