A New Algebraic Approach to the Regular Syndrome Decoding Problem and Implications for PCG Constructions

Conference paper, in: Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)

Abstract

The Regular Syndrome Decoding (RSD) problem, a variant of the Syndrome Decoding problem with a particular error distribution, was introduced almost 20 years ago by Augot et al. In this problem, the error vector is divided into equally sized blocks, each containing a single noisy coordinate. More recently, the last five years have seen increased interest in this assumption due to its use in MPC and ZK applications. Generally referred to as “LPN with regular noise" in this context, the assumption allows one to achieve better efficiency when compared to plain LPN. In all previous works of cryptanalysis, it has not been shown how to exploit the special feature of this problem in an attack.

We present the first algebraic attack on RSD. Based on a careful theoretical analysis of the underlying polynomial system, we propose concrete attacks that are able to take advantage of the regular noise distribution. In particular, we can identify several examples of concrete parameters where our techniques outperform other algorithms.

Notes

  1. “ISD is always the most efficient attack and has roughly the same cost when considering SD and RSD" [31, p. 49].

  2. The statement in [8, Proposition 5] is only for \(\displaystyle \mathbb {F}_2\), but we note that the same proof also works for the case of \(\displaystyle \mathbb {F}_q\).

  3. Even though the weight h is slightly larger than the Gilbert-Varshamov distance, the regular structure is a much stronger requirement.

  4. The field equations ensure that the ideal is radical, and the result follows from Hilbert’s Nullstellensatz. In practice, the reliance on field equations can typically be eased for sufficiently overdetermined systems. Thus we will assume that this also holds for Modeling 1, even when the field equations are not explicitly included in \(\displaystyle \mathcal {F}\).

  5. There is no loss of generality: this can be seen as choosing a monomial ordering which favors the upper variables and then fixing somehow small variables.

References

  1. Aguilar-Melchor, C., Blazy, O., Deneuville, J.C., Gaborit, P., Zémor, G.: Efficient encryption from random quasi-cyclic codes. IEEE Trans. Inf. Theory 64(5), 3927–3943 (2018). https://doi.org/10.1109/TIT.2018.2804444

  2. Albrecht, M., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the arora-ge algorithm against LWE. In: SCC 2012 - Third International Conference on Symbolic Computation and Cryptography, Castro Urdiales, Spain, pp. 93–99 (2012). https://hal.inria.fr/hal-00776434

  3. Albrecht, M.R., Cid, C., Faugère, J.C., Perret, L.: Algebraic Algorithms for LWE. Cryptology ePrint Archive, Paper 2014/1018 (2014). https://eprint.iacr.org/2014/1018

  4. Applebaum, B., Damgård, I., Ishai, Y., Nielsen, M., Zichron, L.: Secure arithmetic computation with constant computational overhead. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 223–254. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_8

  5. Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34

  6. Augot, D., Finiasz, M., Sendrier, N.: A family of fast syndrome based cryptographic hash functions. In: Dawson, E., Vaudenay, S. (eds.) MYCRYPT 2005: First International Conference on Cryptology in Malaysia. Lecture Notes in Computer Science, vol. 3715, pp. 64–83. Springer, Kuala Lumpur (2005). https://doi.org/10.1007/11554868_6, https://hal.inria.fr/inria-00509188

  7. Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Theses, Université Pierre et Marie Curie - Paris VI (2004). https://tel.archives-ouvertes.fr/tel-00449609

  8. Bardet, M., Faugère, J.C., Salvy, B., Spaenlehauer, P.J.: On the complexity of solving quadratic Boolean systems. J. Complex. 29(1), 53–75 (2013). https://doi.org/10.1016/j.jco.2012.07.001

  9. Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the index of regularity of quadratic semi-regular polynomial systems. In: Gianni, P. (ed.) The Effective Methods in Algebraic Geometry Conference (MEGA 2005), pp. 1–14 (2005)

  10. Baum, C., Braun, L., Munch-Hansen, A., Razet, B., Scholl, P.: Appenzeller to brie: efficient zero-knowledge proofs for mixed-mode arithmetic and Z2k. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, pp. 192–211. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3460120.3484812

  11. Baum, C., Braun, L., Munch-Hansen, A., Scholl, P.: Mozz2karella: efficient vector-ole and zero-knowledge proofs over z2k. In: Advances in Cryptology - CRYPTO 2022: 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, 15–18 August 2022, Proceedings, Part IV, p. 329–358. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_12

  12. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

  13. Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Dordrecht (2008). https://doi.org/10.1007/978-3-540-88702-7, https://cds.cern.ch/record/1253241

  14. Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42

  15. Bettale, L.: Cryptanalyse algébrique : outils et applications. Ph.D. thesis, Université Pierre et Marie Curie - Paris 6 (2012)

  16. Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2010). https://doi.org/10.1515/jmc.2009.009, https://hal.archives-ouvertes.fr/hal-01148127

  17. Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13

  18. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 896–912. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3243734.3243868

  19. Boyle, E., et al.: Efficient two-round OT extension and silent non-interactive secure computation. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 291–308. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3319535.3354255

  20. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 489–518. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_16

  21. Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators from ring-LPN. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 387–416. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_14

  22. Canto Torres, R.: Asymptotic analysis of ISD algorithms for the \(q-\)ary case. In: Proceedings of the Tenth International Workshop on Coding and Cryptography WCC 2017 (2017). http://wcc2017.suai.ru/Proceedings_WCC2017.zip

  23. Carrier, K., Debris-Alazard, T., Meyer-Hilfiger, C., Tillich, J.P.: Statistical decoding 2.0: reducing decoding to LPN. In: Advances in Cryptology-ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 5–9 December 2022, Proceedings, Part IV, pp. 477–507. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22972-5_17

  24. Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with XL on parallel architectures. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 356–373. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_21

  25. Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994). https://doi.org/10.2307/2153413

  26. Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_27

  27. Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17

  28. Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009. Proceedings. Lecture Notes in Computer Science, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6. https://www.iacr.org/archive/asiacrypt2009/59120082/59120082.pdf

  29. Flajolet, P., Sedgewick, R.: Analytic Combinatorics. Cambridge University Press, Cambridge (2009). https://doi.org/10.1017/CBO9780511801655. http://www.cambridge.org/uk/catalogue/catalogue.asp?isbn=9780521898065

  30. Fröberg, R.: An inequality for Hilbert series of graded algebras. Mathematica Scandinavica 56, 117–144 (1985). https://doi.org/10.7146/math.scand.a-12092. https://www.mscand.dk/article/view/12092

  31. Hazay, C., Orsini, E., Scholl, P., Soria-Vazquez, E.: TinyKeys: a new approach to efficient multi-party computation. In: Advances in Cryptology - CRYPTO 2018. Lecture Notes in Computer Science, vol. 10993, pp. 3–33. Springer, Heidelberg (2018). https://doi.org/10.1007/s00145-022-09423-5

  32. Jabri, A.A.: A statistical decoding algorithm for general linear block codes. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 1–8. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_1

  33. Le Gall, F.: Powers of tensors and fast matrix multiplication. In: Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, pp. 296–303 (2014). https://doi.org/10.1145/2608628.2608664

  34. Liu, H., Wang, X., Yang, K., Yu, Y.: The hardness of LPN over any integer ring and field for PCG applications. Cryptology ePrint Archive, Paper 2022/712 (2022). https://eprint.iacr.org/2022/712

  35. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

  36. May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9

  37. Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073 (2013). https://doi.org/10.1109/ISIT.2013.6620590

  38. Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962). https://doi.org/10.1109/TIT.1962.1057777

  39. Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850

  40. Sun, C., Tibouchi, M., Abe, M.: Revisiting the hardness of binary error LWE. In: Liu, J.K., Cui, H. (eds.) ACISP 2020. LNCS, vol. 12248, pp. 425–444. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55304-3_22

  41. Thomé, E.: Subquadratic computation of vector generating polynomials and improvement of the block wiedemann algorithm. J. Symb. Comput. 33(5), 757–775 (2002). https://doi.org/10.1006/jsco.2002.0533

  42. Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for boolean and arithmetic circuits. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 1074–1091. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00056

  43. Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986). https://doi.org/10.1109/TIT.1986.1057137

  44. Yang, K., Weng, C., Lan, X., Zhang, J., Wang, X.: Ferret: fast extension for Correlated OT with Small Communication. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS 2020, pp. 1607–1626. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3372297.3417276

Acknowledgments

We express our warm gratitude to the Eurocrypt23’ reviewers for their suggestion to analyze the witness degree. We also thank Geoffroy Couteau for motivating the study of this problem and for insightful discussions.

Corresponding author

Correspondence to Pierre Briaud.

Appendices

A Proof of Theorems 1 and 2

This section contains the proofs of Theorem 1 and Theorem 2. Our main contribution is the strategy of splitting the system into two parts as described above. The structural part requires computing some Hilbert series \(\displaystyle \mathcal {H}_S(z)\) (resp. \(\displaystyle \mathcal {H}_{S'}(z)\)). On the rest of the equations, most of the technical work as explained in the main text was to state Assumption 1 (resp. Assumption 2) in order to mimic Bardet’s definitions of semi-regularity (resp. semi-regularity over \(\displaystyle \mathbb {F}_{2}\)). From there, the structure of the proof is exactly the same as in [7, §3.3.2, §3.3.3].

A.1 Proof of Theorem 1

The theorem easily follows from the following lemmata.

Lemma 4

Let S denote the quotient ring \(\displaystyle A/\langle \mathcal {B}^{(h)} \rangle \), where \(\displaystyle \mathcal {B}^{(h)}\) consists of the quadratic parts of the structural equations from Modeling 1. We have

$$\begin{aligned} \mathcal {H}_{S}(z) = \textstyle \left( 1+\beta \cdot \frac{z}{1-z} \right) ^h. \end{aligned}$$
(15)

Proof

The quotient S can be seen as the set of polynomials whose monomials involve at most one \(\displaystyle e_{i,j}\) variable in each block \(\displaystyle 1 \le i \le h\). For a given block, admissible monomials have only one variable but their degree can be arbitrary. Therefore, the Hilbert series “for one block" will be \(\displaystyle \textstyle 1+\beta \cdot \frac{z}{1-z}\). Finally, a general degree-d monomial is a product of such monomials for distinct blocks such that the sum of their degrees is equal to d. Relying on the same symbolic argument as presented in [29], which gives the generating series of a Cartesian product, we finally obtain the series in (15).    \(\displaystyle \square \)

Lemma 5

Let I denote the homogeneous ideal associated to Modeling 1. Under Assumption 1, we have

$$\begin{aligned} \mathcal {H}_{A/I}(z) = \left[ (1-z)^{n-k} \cdot \mathcal {H}_S(z) \right] _{+}. \end{aligned}$$

Proof

This may be seen as a particular case of [7, §3.3.2]. We give the proof here for the sake of completeness. To simplify notation, we write \(\displaystyle \lbrace f_1,\dots ,f_{n-k} \rbrace \) for the set of homogeneous parity-check equations \(\displaystyle \mathcal {P}^{(h)}\). For \(\displaystyle 1 \le j \le n-k\), we denote by I(j) the ideal \(\displaystyle \langle \mathcal {B}^{(h)}, f_1,\dots ,f_j \rangle \) in A and \(\displaystyle I(0) = \langle \mathcal {B}^{(h)}\rangle \). For \(\displaystyle 1 \le j \le n-k\) and up to the degree of regularity of I, Assumption 1 states that we have the following exact sequence of vector spaces when \(\displaystyle d < d_{\text {reg}}\):

$$\begin{aligned} 0 \rightarrow (A/I(j-1))_{d - 1} \rightarrow (A/I(j-1))_d \rightarrow (A/I(j))_d \rightarrow 0 \end{aligned}$$

This gives the following equality between Hilbert functions

$$\begin{aligned} \mathcal{H}\mathcal{F}_{A/I(j-1)}(d - 1) - \mathcal{H}\mathcal{F}_{A/I(j-1)}(d) + \mathcal{H}\mathcal{F}_{A/I(j)}(d) = 0. \end{aligned}$$
(16)

Consider now the abstract sequence \(\displaystyle h_{d,j}\) defined by \(\displaystyle h_{d,j} = \dim _{\mathbb {F}_{}}(S_d)\) if \(\displaystyle j=0\) or \(\displaystyle d=0\) and the induction relation

$$\begin{aligned} h_{d,j} = h_{d,j-1} - h_{d-1,j-1}. \end{aligned}$$
(17)

Let \(\displaystyle \mathcal {G}_{j}\) denote the generating series for \(\displaystyle (h_{d,j})_{d \ge 0}\). From Eq. (17) and by multiplying by z we easily obtain \(\displaystyle \mathcal {G}_{j}(z) = (1-z)\mathcal {G}_{j-1}(z)\). The generating series for \(\displaystyle (h_{d,0})_{d \ge 0}\) being \(\displaystyle \mathcal {G}_0(z) := \mathcal {H}_S(z)\) we get \(\displaystyle \mathcal {G}_{n-k}(z) = (1-z)^{n-k} \mathcal {H}_S(z)\). As long as the involved quantities are positive, Eq. (16) and Eq. (17) may be seen as the same relation. Therefore, the final Hilbert series is

$$\begin{aligned} \mathcal {H}_{A/I}(z) = \left[ (1-z)^{n-k} \cdot \mathcal {H}_S(z) \right] _{+}. \end{aligned}$$

   \(\displaystyle \square \)

A.2 Proof of Theorem 2

Recall \(\displaystyle A'\) and \(\displaystyle S'\) from Definition 7. Theorem 2 easily follows from the following lemmata.

Lemma 6

We have

$$\begin{aligned} \mathcal {H}_{S'}(z) = \textstyle \left( 1+(\beta -1) \cdot z \right) ^h. \end{aligned}$$
(18)

Proof

From the set of generators \(\displaystyle \mathcal {G}\) described in Lemma 1, we observe that the admissible monomials of \(\displaystyle S'\) involve at most one variable from each block, with degree at most 1. The result follows by reasoning in a similar way as in the proof of Lemma 4.    \(\displaystyle \square \)

Lemma 7

Let I denote the homogeneous ideal associated to Modeling 2. Under Assumption 2, we have

$$\begin{aligned} \mathcal {H}_{A/I}(z) = \left[ \mathcal {H}_{S'}(z)/(1+z)^{n-k} \right] _{+}. \end{aligned}$$

Proof (sketch)

By construction, we clearly have \(\displaystyle \mathcal {H}_{A/I}(z) = \mathcal {H}_{A'/I'}(z)\), for the ideal \(\displaystyle I'\) introduced in Definition 7. As in the proof of Lemma 5, we simplify notation by writing \(\displaystyle \lbrace f_1,\dots ,f_{n-k} \rbrace \) for the set of homogeneous parity-check equations \(\displaystyle \mathcal {L}(\mathcal {P}^{(h)})\), and for \(\displaystyle 1 \le j \le n-k\), we denote by \(\displaystyle I'(j)\) the ideal \(\displaystyle \langle \mathcal {B}',\mathcal {Q}', f_1,\dots ,f_j \rangle \) in \(\displaystyle A'\) and \(\displaystyle I'(0) = \langle \mathcal {B}',\mathcal {Q}'\rangle \). Assumption 2 ensures that the following sequence is exact for \(\displaystyle d<d_{\text {reg}}\).

$$\begin{aligned} 0 \rightarrow (A'/I'(j))_{d - 1} \xrightarrow {\times f_j} (A'/I'(j-1))_d \xrightarrow {\pi } (A'/I'(j))_d \rightarrow 0. \end{aligned}$$

The rest of the proof now proceeds in the same way as [9, proof of Proposition 9], starting from the equality between Hilbert functions

$$\begin{aligned} \mathcal{H}\mathcal{F}_{A'/I'(j)}(d - 1) - \mathcal{H}\mathcal{F}_{A'/I'(j-1)}(d) + \mathcal{H}\mathcal{F}_{A'/I'(j)}(d) = 0. \end{aligned}$$
(19)

Similarly, we consider the sequence \(\displaystyle c_{d,j}\) defined by \(\displaystyle c_{d,j} = \dim _{\mathbb {F}_{}}(S'_d)\) if \(\displaystyle j=0\) or \(\displaystyle d=0\) and the recurrent formula

$$\begin{aligned} c_{d,j} = c_{d,j-1} - c_{d-1,j}. \end{aligned}$$
(20)

Let \(\displaystyle \mathcal {C}_{j}\) denote the generating series for \(\displaystyle (c_{d,j})_{d \ge 0}\). Multiplying by z in Eq. (20) yields \(\displaystyle (1+z)\mathcal {C}_{j}(z) = \mathcal {C}_{j-1}(z)\) and we have the border condition \(\displaystyle \mathcal {C}_{0}(z) = \mathcal {H}_{A'/I'(0)}(z) = \mathcal {H}_{S'}(z)\). This finally gives

$$\begin{aligned} \mathcal {H}_{A/I}(z) = \mathcal {H}_{A'/I'}(z) = \left[ \frac{\mathcal {H}_{S'}(z)}{{(1+z)^{n-k}}} \right] _{+}. \end{aligned}$$

   \(\displaystyle \square \)

B Missing Details in Section 4

B.1 Regularity Assumption for Specialized Modeling 1

For any invertible matrix \(\displaystyle \boldsymbol{P}\), for \(\displaystyle 0 \le f \le h\) and for \(\displaystyle 0 \le u \le \beta \), let \(\displaystyle \overline{\textbf{P}_{u,f}^{-1}}\) denote the map that applies \(\displaystyle \textbf{P}^{-1}\) and then fixes the initial u variables to 0 in the last f blocks of the error.

Assumption 3

Let \(\displaystyle \mathcal {P}\) be the set of parity-check equations from an instance of Modeling 1. For every permutation matrix \(\displaystyle \textbf{P}\) which stabilizes each block of the error, for \(\displaystyle 0 \le f \le h\) and for \(\displaystyle 0 \le u \le \beta \), we assume \(\displaystyle \mathcal {P}^{(h)}\circ \overline{\textbf{P}_{u,f}^{-1}}\) satisfies Assumption 1 with ring \(\displaystyle A \circ \overline{\textbf{P}_{u,f}^{-1}}\) and quotient ring \(\displaystyle S\circ \overline{\textbf{P}_{u,f}^{-1}}\).

We need the full version of this assumption for the approach of Sect. 4.2 while only the particular case \(\displaystyle f=h\) is required for Sect. 4.1.

B.2 XL Wiedemann Complexity for Modeling 2

The success probability \(\displaystyle \mathcal {P}_{(f,u)} := (1 - u/\beta )^f\) is independent of the algebraic system. Over \(\displaystyle \mathbb {F}_{2}\), we may consider that \(\displaystyle n_{\mu } \approx \textstyle \frac{k}{2} + 1\) in general instead of simply \(\displaystyle n_{\mu } \le k + 1\) for the number of non-zero terms per equation. We leave it to the reader to state the equivalent of Assumption 3 for Modeling 2. All the following results are under this assumption, as well as the assumptions noted in Sect. 4.3. We now give the complexity of the hybrid approach of Sect. 4.2 on Modeling 2. The degree of regularity \(\displaystyle d_{\text {reg},(f,u)}\) is obtained as the index of the first non-positive coefficient in the series

$$\begin{aligned} \frac{\left( 1+(\beta -1-u)\cdot z \right) ^f \cdot \left( 1+(\beta -1)\cdot z \right) ^{h-f}}{(1+z)^{n-k}} \end{aligned}$$
(21)

As noted in Sect. 4.3, this series is divided by \(\displaystyle (1-z)\) to derive an upper bound \(\displaystyle d_{\text {wit},(f,u)}\) on the witness degree. Finally, the analogue of Eq. (11) is

$$\begin{aligned} \mathcal {M}^{(f,u)}_{\le d_{\text {wit},(f,u)}} = \sum _{j=0}^{d_{\text {wit},(f,u)}} [z^j]\left( \mathcal {H}_{(S',f,u)}(z)\right) , \end{aligned}$$

where \(\displaystyle \textstyle \mathcal {H}_{(S',f,u)}(z) := \left( 1+(\beta -1-u)\cdot z \right) ^f \cdot \left( 1+(\beta -1)\cdot z \right) ^{h-f}\).

Proposition 7

The time complexity in \(\displaystyle \mathbb {F}_{2}\) operations of the hybrid approach of Sect. 4.2 on Modeling 2 is estimated by

$$\begin{aligned} \mathcal {O} \left( \min _{\begin{array}{c} 0 \le f \le h \\ 0 \le u \le \beta \end{array}}\left( \mathcal {P}_{(f,u)}^{-1} \cdot 3 \cdot n_{\mu ,(f,u)} \cdot \left( \mathcal {M}^{(f,u)}_{\le d_{\textrm{wit},(f,u)}}\right) ^{2} \right) \right) . \end{aligned}$$
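The following is an added worked example, not code from the paper or its authors, that turns the formulas of Appendices A and B into power-series arithmetic: the Hilbert series of Lemmas 4 and 5 (Modeling 1) and of Lemmas 6 and 7 (Modeling 2), the hybrid series of Eq. (21), the degree of regularity read off as the index of the first non-positive coefficient, the witness-degree bound obtained by dividing by \(\displaystyle (1-z)\), and the Proposition 7 cost minimised over \(\displaystyle (f,u)\). It also uses the elementary identity \(\displaystyle 1+\beta \cdot \frac{z}{1-z} = \frac{1+(\beta -1)z}{1-z}\) to cross-check Lemma 4 against a closed form. The parameter values \(\displaystyle (h,\beta ,k) = (10,8,40)\) are constructed for illustration; the choice \(\displaystyle n_{\mu ,(f,u)} \approx k/2+1\) for every \(\displaystyle (f,u)\) is an assumption of this example (the page only gives the general \(\displaystyle \mathbb {F}_2\) estimate), and the truncation depth `D` is a parameter of the example, not of the paper.

```python
"""Added example (not the paper's code): Hilbert series for Modelings 1 and 2,
degree of regularity, witness-degree bound and the Proposition 7 cost estimate.
Parameters (h, beta, k, f, u) follow the paper; sample values are constructed."""
from math import comb, log2
from typing import List, Optional, Tuple


def one_plus_cz_pow(c: int, e: int, D: int) -> List[int]:
    """Coefficients up to z^D of (1 + c z)^e for an integer c and e >= 0."""
    return [comb(e, j) * c ** j for j in range(D + 1)]


def inv_one_plus_z_pow(m: int, D: int) -> List[int]:
    """Coefficients up to z^D of 1/(1+z)^m = sum_j (-1)^j C(m+j-1, j) z^j."""
    if m == 0:
        return [1] + [0] * D
    return [(-1) ** j * comb(m + j - 1, j) for j in range(D + 1)]


def series_mul(a: List[int], b: List[int], D: int) -> List[int]:
    """Product of two power series, truncated at degree D."""
    c = [0] * (D + 1)
    for i, ai in enumerate(a[: D + 1]):
        if ai:
            for j, bj in enumerate(b[: D + 1 - i]):
                c[i + j] += ai * bj
    return c


def series_pow(a: List[int], e: int, D: int) -> List[int]:
    r = [1] + [0] * D
    for _ in range(e):
        r = series_mul(r, a, D)
    return r


def first_nonpositive(coeffs: List[int]) -> int:
    """Index of the first non-positive coefficient (the paper's d_reg).
    Returns len(coeffs) if all coefficients are positive: raise D in that case."""
    return next((d for d, c in enumerate(coeffs) if c <= 0), len(coeffs))


def truncate_plus(coeffs: List[int]) -> List[int]:
    """The [.]_+ operator of Lemmas 5 and 7: keep terms before the first non-positive one."""
    return coeffs[: first_nonpositive(coeffs)]


def hilbert_series_modeling1(h: int, beta: int, k: int, D: int = 12) -> List[int]:
    """Lemma 4 and Lemma 5: H_{A/I}(z) = [(1-z)^{n-k} (1 + beta z/(1-z))^h]_+, n = h*beta."""
    n = h * beta
    one_block = [1] + [beta] * D                      # 1 + beta*(z + z^2 + ...)
    h_s = series_pow(one_block, h, D)                 # H_S(z), Eq. (15)
    return truncate_plus(series_mul(one_plus_cz_pow(-1, n - k, D), h_s, D))


def hilbert_series_modeling1_closed(h: int, beta: int, k: int, D: int = 12) -> List[int]:
    """Same series using 1 + beta z/(1-z) = (1+(beta-1)z)/(1-z) (needs n-k >= h)."""
    n = h * beta
    return truncate_plus(series_mul(one_plus_cz_pow(-1, n - k - h, D),
                                    one_plus_cz_pow(beta - 1, h, D), D))


def hilbert_series_modeling2(h: int, beta: int, k: int, f: int = 0, u: int = 0,
                             D: int = 12) -> Tuple[List[int], List[int]]:
    """Returns (H_{(S',f,u)}, series of Eq. (21)) up to z^D.  For f = u = 0 the
    first is H_{S'} of Lemma 6 and the [.]_+ of the second is H_{A/I} of Lemma 7."""
    n = h * beta
    num = series_mul(one_plus_cz_pow(beta - 1 - u, f, D),
                     one_plus_cz_pow(beta - 1, h - f, D), D)
    return num, series_mul(num, inv_one_plus_z_pow(n - k, D), D)


def degree_of_regularity_modeling2(h, beta, k, f=0, u=0, D=12) -> int:
    return first_nonpositive(hilbert_series_modeling2(h, beta, k, f, u, D)[1])


def witness_degree_bound_modeling2(h, beta, k, f=0, u=0, D=12) -> int:
    """d_wit,(f,u): divide Eq. (21) by (1-z), i.e. take partial sums of its
    coefficients, then read the first non-positive index (Sect. 4.3)."""
    _, full = hilbert_series_modeling2(h, beta, k, f, u, D)
    partial, acc = [], 0
    for c in full:
        acc += c
        partial.append(acc)
    return first_nonpositive(partial)


def hybrid_cost_log2_modeling2(h, beta, k, f, u, D=12) -> Optional[float]:
    """log2 of the Proposition 7 estimate P_{(f,u)}^{-1} * 3 * n_mu * M^2.
    Assumption of this example: n_mu,(f,u) = k/2 + 1 for every (f, u)."""
    if f > 0 and u == beta:                           # every variable of a block fixed to 0: P = 0
        return None
    p_success = (1 - u / beta) ** f                   # P_{(f,u)}
    d_wit = witness_degree_bound_modeling2(h, beta, k, f, u, D)
    num, _ = hilbert_series_modeling2(h, beta, k, f, u, D)
    m = sum(num[: d_wit + 1])                         # M^{(f,u)}_{<= d_wit}, Eq. analogue of (11)
    return log2(3 * (k / 2 + 1) * m * m / p_success)


def best_hybrid_modeling2(h, beta, k, D=12) -> Optional[Tuple[float, int, int]]:
    """Minimise the Proposition 7 estimate over 0 <= f <= h, 0 <= u <= beta."""
    best = None
    for f in range(h + 1):
        for u in range(beta + 1):
            cost = hybrid_cost_log2_modeling2(h, beta, k, f, u, D)
            if cost is not None and (best is None or cost < best[0]):
                best = (cost, f, u)
    return best


if __name__ == "__main__":
    h, beta, k = 10, 8, 40                            # constructed toy parameters, n = 80
    print("Modeling 1 H_{A/I}(z):", hilbert_series_modeling1(h, beta, k))
    print("Modeling 2 d_reg, d_wit:", degree_of_regularity_modeling2(h, beta, k),
          witness_degree_bound_modeling2(h, beta, k))
    print("best hybrid (log2 cost, f, u):", best_hybrid_modeling2(h, beta, k))
```

For the toy parameters the Modeling 1 series truncates as \(\displaystyle 1 + 40z + 540z^2 + 1400z^3\) (so \(\displaystyle d_{\text {reg}} = 4\)), while Modeling 2 gives \(\displaystyle 1 + 30z + 225z^2\) with \(\displaystyle d_{\text {reg}} = 3\); the truncation depth `D` must exceed the expected degree of regularity or `first_nonpositive` reports that no non-positive coefficient was found.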

C Experiments

In this section, we present experiments that we have run on randomly generated instances of the RSD problem in order to check the validity of the assumptions from Sect. 3 and 4.

C.1 Hilbert Series

We give the parameter sets as \(\displaystyle (h,\beta ,k,f,u)_t\), where \(\displaystyle h,\beta \) and k describe the RSD problem, where f, u are the parameters for the hybrid approach of Sect. 4.2 and where t is the number of times that we have repeated the experiment. For an affine ideal I, we compute the Hilbert series of the ideal \(\displaystyle I^{(h)}\) associated with the homogeneous upper part of I. For some of the hybrid systems, we have also computed the Hilbert series of the homogenized ideal \(\displaystyle I^{(y)}\) (see Sect. 2.1 for the difference between these two notions). The tests have been run using the computer algebra system Magma V2.27-1 and the built-in command \(\displaystyle \texttt{HilbertSeries}\)(\(\displaystyle \cdot \)).

Experiments for Modeling 1. The systems we have tested for Modeling 1 are listed in Table 7, where we also give the associated degree of regularity \(\displaystyle d_{\text {reg}}\). In all tests, the experimentally found Hilbert series is equal to the Hilbert series of Eq. (9), meaning, in particular, that Assumptions 1 and 3 have held in all our experiments. For most of the hybrid systems, we have also computed the Hilbert series of the homogenized ideals \(\displaystyle I^{(y)}\) and given the associated degree of regularity \(\displaystyle d_{\text {reg}}^{(y)}\). The Hilbert series in all of these tests have been equal to (the truncation of) those predicted by Eq. (10).

Table 7. Tested Hilbert Series from Hybrid Modeling 1 systems over \(\displaystyle \mathbb {F}_{101}\).

Experiments for Modeling 2. Table 8 contains tests for Hilbert series on Modeling 2. The experimental Hilbert series of the plain cases (\(\displaystyle f = u = 0\)) are all described by our theory. While the majority of hybrid cases we have tested are accurately described by (21), we have been able to find a few discrepancies with the theoretical values. The systems marked by \(\displaystyle \dagger \) both included a single case where the experimental Hilbert series deviated slightly from (21) in one of its terms. The system marked by \(\displaystyle \ddagger \) was another type of outlier, where the quotient A/I contained a few cubic elements in half of the tested cases. We note that for the system marked by \(\displaystyle \ddagger \), the corresponding (untruncated) series (21) is exactly zero at the term \(\displaystyle z^2\). Thus the homogeneous Macaulay matrix of degree 2 will be a square matrix over \(\displaystyle \mathbb {F}_2\) (after removing trivial syzygies), and the quotient A/I will contain cubic terms whenever this matrix fails to be of full rank. For the other tested cases, the series have a negative coefficient at the term corresponding to the degree of regularity, indicating that the homogeneous Macaulay matrices will be rectangular. We believe that this difference explains the peculiar behaviour observed for case \(\displaystyle \ddagger \). Finally, we have performed the same experiments as in Modeling 1 for the ideals \(\displaystyle I^{(y)}\) and we obtained the same conclusive results regarding Eq. (10).

Table 8. Tested Hilbert Series from Hybrid Modeling 2 systems over \(\displaystyle \mathbb {F}_{2}\).

C.2 Witness Degree for Plain Systems

We have also tested the witness degree for (non-hybrid) systems of Modeling 1. In these tests, we have created the affine Macaulay matrix of degree 2 or 3 and then computed its rank to check if it has a unique solution. The witness degree in all these tests was the same as the value estimated by Eq. (6) in Sect. 3.2. Details are given in Table 9, where the systems are denoted \(\displaystyle (h,\beta ,k)\).

Table 9. Witness degree for Modeling 1 systems over \(\displaystyle \mathbb {F}_{101}\).

D Proof of Proposition 6

Proof

The starting point is the Cauchy integral

$$\begin{aligned} \mathcal {I}_d(n) := \frac{1}{2i \pi }\int \underbrace{\frac{1}{z^{d+1}}\frac{(1+(\beta -1) \cdot z)^h}{(1+z)^{n-k}}}_{=e^{n \cdot f(z)}}dz, \end{aligned}$$
$$\begin{aligned} \text {where we set }f(z) := -\frac{d+1}{n} \cdot \text {log}(z) - \left( 1-R \right) \cdot \text {log}(1+z) + \rho \cdot \text {log}(1+(\rho ^{-1}-1) \cdot z). \end{aligned}$$

We study the behaviour of this integral when n grows. Using Cauchy’s integral theorem, we can deform the path of integration so that it passes through the saddle points; the integral then concentrates in the neighborhood of these saddle points when n tends to \(\displaystyle +\infty \). These saddle points are solutions to the equation

$$\begin{aligned} zf'(z) = -\frac{d+1}{n} - \left( 1-R \right) \cdot \frac{z}{1+z} + \left( 1-\rho \right) \frac{z}{1+(\rho ^{-1}-1)\cdot z} = 0. \end{aligned}$$

It may be rewritten as a quadratic equation \(\displaystyle P(z)= p_2 \cdot z^2 + p_1 \cdot z + p_0 = 0\), where

$$\begin{aligned} p_2&:= (\rho -1) \cdot \left( d+1 + (1-R-\rho )n \right) , \\ p_1&:= \rho R n - n\rho ^2 - d - 1,\\ p_0&:= -\rho \cdot (d+1). \end{aligned}$$

Then, the standard argument is that P must have a double root, i.e. the saddle points have to coalesce (otherwise the integral is exponential, see for example [7, p. 94], [3, A.1.] for details). Writing that the discriminant \(\displaystyle \Delta (P)\) is equal to zero yields a quadratic equation \(\displaystyle A \cdot d^2 + B \cdot d + C = 0\), where

$$\begin{aligned} A&:= (2\rho -1)^2, \\ B&:= -4R\rho ^2 n - 4\rho ^3 n + 2R\rho n + 10 n\rho ^2 - 4\rho n + 8 \rho ^2 - 8\rho +2,\\ C&:= R^2 \rho ^2 n^2 +\rho ^4 n^2 - 2R\rho ^3 n^2 - 4R\rho ^2 n - 4\rho ^3 n + 2R\rho n + 10n\rho ^2 - 4n\rho + (2\rho - 1)^2. \end{aligned}$$

Solving for d gives

$$\begin{aligned} d&= \frac{-R\rho n - \rho ^2 n + 2n\rho - 2\rho + 1 \pm \sqrt{\delta }}{1-2\rho } \nonumber \\&= - 1 + \frac{\rho n \left( \pm 2 \sqrt{1-R}\sqrt{1-\rho } + 2 - \rho - R \right) }{1-2\rho }, \end{aligned}$$
(22)

where \(\displaystyle \sqrt{\delta } := 2n\sqrt{R\rho ^3 - R\rho ^2 - \rho ^3 + \rho ^2} = 2n\rho \sqrt{1-R}\sqrt{1-\rho }\). We want the smallest positive root which is given by the minus case of \(\displaystyle \pm \sqrt{\delta }\), in the equation above. The end of the proof then consists in studying Eq. (22) in the different regimes:

  • For constant code rate R and \(\displaystyle \rho = o(1)\), we obtain

    $$\begin{aligned} -2\sqrt{1-R}\sqrt{1-\rho } + 2 - \rho - R = (2-R) - 2\sqrt{1-R} + o(1), \end{aligned}$$

    hence \(\displaystyle d_{\text {reg}} \sim \kappa _R h\), where \(\displaystyle \kappa _R := (2-R) - 2\sqrt{1-R} > 0\).

  • For \(\displaystyle R = o(1)\) and \(\displaystyle \rho = o(1)\) we have

    $$\begin{aligned} -2\sqrt{1-R}\sqrt{1-\rho }&= -2\left( 1- \textstyle \frac{R}{2} - \frac{R^2}{8} + o(R^2)\right) \left( 1- \textstyle \frac{\rho }{2} - \frac{\rho ^2}{8} + o(\rho ^2)\right) \\&= -2 + R + \rho + \textstyle \frac{R^2}{4} + \textstyle \frac{\rho ^2}{4} - \textstyle \frac{R\rho }{2} + o(R\rho ), \end{aligned}$$

    hence \(\displaystyle -2\sqrt{1-R}\sqrt{1-\rho } + 2 - \rho - R = \textstyle \frac{R^2}{4} + \textstyle \frac{\rho ^2}{4} - \textstyle \frac{R\rho }{2} + o(R\rho )\). This gives us \(\displaystyle d_{\text {reg}} + 1 \sim \textstyle \frac{R^2}{4} h\) if \(\displaystyle \rho =o(R)\) and \(\displaystyle d_{\text {reg}} + 1 \sim \textstyle \frac{R^2}{4}(1-\lambda )^2 h\) if \(\displaystyle \rho = \lambda R\) is linear in R with \(\displaystyle \lambda < 1\).

   \(\displaystyle \square \)

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Briaud, P., Øygarden, M. (2023). A New Algebraic Approach to the Regular Syndrome Decoding Problem and Implications for PCG Constructions. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_14

  • DOI: https://doi.org/10.1007/978-3-031-30589-4_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30588-7

  • Online ISBN: 978-3-031-30589-4
