Abstract
The Regular Syndrome Decoding (RSD) problem, a variant of the Syndrome Decoding problem with a particular error distribution, was introduced almost 20 years ago by Augot et al. In this problem, the error vector is divided into equally sized blocks, each containing a single noisy coordinate. More recently, the last five years have seen increased interest in this assumption due to its use in MPC and ZK applications. Generally referred to as “LPN with regular noise” in this context, the assumption allows one to achieve better efficiency when compared to plain LPN. No previous cryptanalytic work has shown how to exploit the special feature of this problem in an attack.
We present the first algebraic attack on RSD. Based on a careful theoretical analysis of the underlying polynomial system, we propose concrete attacks that are able to take advantage of the regular noise distribution. In particular, we can identify several examples of concrete parameters where our techniques outperform other algorithms.
Notes
1. “ISD is always the most efficient attack and has roughly the same cost when considering SD and RSD” [31, p. 49].
2. The statement in [8, Proposition 5] is only for \(\displaystyle \mathbb {F}_2\), but we note that the same proof also works for the case of \(\displaystyle \mathbb {F}_q\).
3. Even though the weight h is slightly larger than the Gilbert-Varshamov distance, the regular structure is a much stronger requirement.
4. The field equations ensure that the ideal is radical, and the result follows from Hilbert’s Nullstellensatz. In practice, the reliance on field equations can typically be eased for sufficiently overdetermined systems. Thus we will assume that this also holds for Modeling 1, even when the field equations are not explicitly included in \(\displaystyle \mathcal {F}\).
5. There is no loss of generality: this can be seen as choosing a monomial ordering which favors the upper variables and then fixing the small variables in some fashion.
References
Aguilar-Melchor, C., Blazy, O., Deneuville, J.C., Gaborit, P., Zémor, G.: Efficient encryption from random quasi-cyclic codes. IEEE Trans. Inf. Theory 64(5), 3927–3943 (2018). https://doi.org/10.1109/TIT.2018.2804444
Albrecht, M., Cid, C., Faugère, J.C., Fitzpatrick, R., Perret, L.: On the complexity of the Arora-Ge algorithm against LWE. In: SCC 2012 - Third International Conference on Symbolic Computation and Cryptography, Castro Urdiales, Spain, pp. 93–99 (2012). https://hal.inria.fr/hal-00776434
Albrecht, M.R., Cid, C., Faugère, J.C., Perret, L.: Algebraic Algorithms for LWE. Cryptology ePrint Archive, Paper 2014/1018 (2014). https://eprint.iacr.org/2014/1018
Applebaum, B., Damgård, I., Ishai, Y., Nielsen, M., Zichron, L.: Secure arithmetic computation with constant computational overhead. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 223–254. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_8
Arora, S., Ge, R.: New algorithms for learning in presence of errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22006-7_34
Augot, D., Finiasz, M., Sendrier, N.: A family of fast syndrome based cryptographic hash functions. In: Dawson, E., Vaudenay, S. (eds.) MYCRYPT 2005: First International Conference on Cryptology in Malaysia. Lecture Notes in Computer Science, vol. 3715, pp. 64–83. Springer, Kuala Lumpur (2005). https://doi.org/10.1007/11554868_6, https://hal.inria.fr/inria-00509188
Bardet, M.: Étude des systèmes algébriques surdéterminés. Applications aux codes correcteurs et à la cryptographie. Theses, Université Pierre et Marie Curie - Paris VI (2004). https://tel.archives-ouvertes.fr/tel-00449609
Bardet, M., Faugère, J.C., Salvy, B., Spaenlehauer, P.J.: On the complexity of solving quadratic Boolean systems. J. Complex. 29(1), 53–75 (2013). https://doi.org/10.1016/j.jco.2012.07.001
Bardet, M., Faugère, J.C., Salvy, B., Yang, B.Y.: Asymptotic behaviour of the index of regularity of quadratic semi-regular polynomial systems. In: Gianni, P. (ed.) The Effective Methods in Algebraic Geometry Conference (MEGA 2005), pp. 1–14 (2005)
Baum, C., Braun, L., Munch-Hansen, A., Razet, B., Scholl, P.: Appenzeller to brie: efficient zero-knowledge proofs for mixed-mode arithmetic and Z2k. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, pp. 192–211. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3460120.3484812
Baum, C., Braun, L., Munch-Hansen, A., Scholl, P.: MozZ2karella: efficient vector-OLE and zero-knowledge proofs over Z2k. In: Advances in Cryptology - CRYPTO 2022: 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, 15–18 August 2022, Proceedings, Part IV, pp. 329–358. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_12
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20: how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Bernstein, D.J., Buchmann, J., Dahmen, E.: Post-Quantum Cryptography. Springer, Dordrecht (2008). https://doi.org/10.1007/978-3-540-88702-7, https://cds.cern.ch/record/1253241
Bernstein, D.J., Lange, T., Peters, C.: Smaller decoding exponents: ball-collision decoding. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 743–760. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_42
Bettale, L.: Cryptanalyse algébrique : outils et applications. Ph.D. thesis, Université Pierre et Marie Curie - Paris 6 (2012)
Bettale, L., Faugère, J.C., Perret, L.: Hybrid approach for solving multivariate systems over finite fields. J. Math. Cryptol. 3(3), 177–197 (2010). https://doi.org/10.1515/jmc.2009.009, https://hal.archives-ouvertes.fr/hal-01148127
Beullens, W.: Improved cryptanalysis of UOV and rainbow. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 348–373. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_13
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, pp. 896–912. Association for Computing Machinery, New York (2018). https://doi.org/10.1145/3243734.3243868
Boyle, E., et al.: Efficient two-round OT extension and silent non-interactive secure computation. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 291–308. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3319535.3354255
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators: silent OT extension and more. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 489–518. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_16
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Kohl, L., Scholl, P.: Efficient pseudorandom correlation generators from ring-LPN. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020. LNCS, vol. 12171, pp. 387–416. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_14
Canto Torres, R.: Asymptotic analysis of ISD algorithms for the \(q-\)ary case. In: Proceedings of the Tenth International Workshop on Coding and Cryptography WCC 2017 (2017). http://wcc2017.suai.ru/Proceedings_WCC2017.zip
Carrier, K., Debris-Alazard, T., Meyer-Hilfiger, C., Tillich, J.P.: Statistical decoding 2.0: reducing decoding to LPN. In: Advances in Cryptology-ASIACRYPT 2022: 28th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 5–9 December 2022, Proceedings, Part IV, pp. 477–507. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22972-5_17
Cheng, C.-M., Chou, T., Niederhagen, R., Yang, B.-Y.: Solving quadratic equations with XL on parallel architectures. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 356–373. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33027-8_21
Coppersmith, D.: Solving homogeneous linear equations over GF(2) via block Wiedemann algorithm. Math. Comput. 62(205), 333–350 (1994). https://doi.org/10.2307/2153413
Courtois, N., Klimov, A., Patarin, J., Shamir, A.: Efficient algorithms for solving overdefined systems of multivariate polynomial equations. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 392–407. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_27
Esser, A., Kübler, R., May, A.: LPN decoded. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 486–514. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_17
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, 6–10 December 2009. Proceedings. Lecture Notes in Computer Science, vol. 5912, pp. 88–105. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_6. https://www.iacr.org/archive/asiacrypt2009/59120082/59120082.pdf
Flajolet, P., Sedgewick, R.: Analytic Combinatorics. Cambridge University Press, Cambridge (2009). https://doi.org/10.1017/CBO9780511801655. http://www.cambridge.org/uk/catalogue/catalogue.asp?isbn=9780521898065
Fröberg, R.: An inequality for Hilbert series of graded algebras. Mathematica Scandinavica 56, 117–144 (1985). https://doi.org/10.7146/math.scand.a-12092. https://www.mscand.dk/article/view/12092
Hazay, C., Orsini, E., Scholl, P., Soria-Vazquez, E.: TinyKeys: a new approach to efficient multi-party computation. In: Advances in Cryptology - CRYPTO 2018. Lecture Notes in Computer Science, vol. 10993, pp. 3–33. Springer, Heidelberg (2018). https://doi.org/10.1007/s00145-022-09423-5
Jabri, A.A.: A statistical decoding algorithm for general linear block codes. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 1–8. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45325-3_1
Le Gall, F.: Powers of tensors and fast matrix multiplication. In: Proceedings of the 39th International Symposium on Symbolic and Algebraic Computation, pp. 296–303 (2014). https://doi.org/10.1145/2608628.2608664
Liu, H., Wang, X., Yang, K., Yu, Y.: The hardness of LPN over any integer ring and field for PCG applications. Cryptology ePrint Archive, Paper 2022/712 (2022). https://eprint.iacr.org/2022/712
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6
May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_9
Misoczki, R., Tillich, J.P., Sendrier, N., Barreto, P.S.L.M.: MDPC-McEliece: new McEliece variants from moderate density parity-check codes. In: 2013 IEEE International Symposium on Information Theory, pp. 2069–2073 (2013). https://doi.org/10.1109/ISIT.2013.6620590
Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962). https://doi.org/10.1109/TIT.1962.1057777
Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850
Sun, C., Tibouchi, M., Abe, M.: Revisiting the hardness of binary error LWE. In: Liu, J.K., Cui, H. (eds.) ACISP 2020. LNCS, vol. 12248, pp. 425–444. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-55304-3_22
Thomé, E.: Subquadratic computation of vector generating polynomials and improvement of the block Wiedemann algorithm. J. Symb. Comput. 33(5), 757–775 (2002). https://doi.org/10.1006/jsco.2002.0533
Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: fast, scalable, and communication-efficient zero-knowledge proofs for Boolean and arithmetic circuits. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 1074–1091. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00056
Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986). https://doi.org/10.1109/TIT.1986.1057137
Yang, K., Weng, C., Lan, X., Zhang, J., Wang, X.: Ferret: fast extension for correlated OT with small communication. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS 2020, pp. 1607–1626. Association for Computing Machinery, New York (2020). https://doi.org/10.1145/3372297.3417276
Acknowledgments
We express our warm gratitude to the Eurocrypt’23 reviewers for their suggestion to analyze the witness degree. We also thank Geoffroy Couteau for motivating the study of this problem and for insightful discussions.
Appendices
A Proof of Theorems 1 and 2
This section contains the proofs of Theorem 1 and Theorem 2. Our main contribution is the strategy of splitting the system into two parts as described above. The structural part requires computing a Hilbert series \(\displaystyle \mathcal {H}_S(z)\) (resp. \(\displaystyle \mathcal {H}_{S'}(z)\)). On the rest of the equations, most of the technical work, as explained in the main text, was to state Assumption 1 (resp. Assumption 2) in order to mimic Bardet’s definitions of semi-regularity (resp. semi-regularity over \(\displaystyle \mathbb {F}_{2}\)). From there, the structure of the proof is exactly the same as in [7, §3.3.2, §3.3.3].
A.1 Proof of Theorem 1
The theorem easily follows from the following lemmata.
Lemma 4
Let S denote the quotient ring \(\displaystyle A/\langle \mathcal {B}^{(h)} \rangle \), where \(\displaystyle \mathcal {B}^{(h)}\) consists of the quadratic parts of the structural equations from Modeling 1. We have
Proof
The quotient S can be seen as the set of polynomials whose monomials involve at most one \(\displaystyle e_{i,j}\) variable in each block \(\displaystyle 1 \le i \le h\). For a given block, admissible monomials contain only one variable, but their degree can be arbitrary. Therefore, the Hilbert series “for one block” will be \(\displaystyle \textstyle 1+\beta \cdot \frac{z}{1-z}\). Finally, a general degree-d monomial is a product of such monomials for distinct blocks, such that the sum of their degrees is equal to d. Relying on the same symbolic argument as presented in [29], which gives the generating series of a Cartesian product, we finally obtain the series in (15). \(\displaystyle \square \)
Lemma 5
Let I denote the homogeneous ideal associated to Modeling 1. Under Assumption 1, we have
Proof
This may be seen as a particular case of [7, §3.3.2]. We give the proof here for the sake of completeness. To simplify notation, we write \(\displaystyle \lbrace f_1,\dots ,f_{n-k} \rbrace \) for the set of homogeneous parity-check equations \(\displaystyle \mathcal {P}^{(h)}\). For \(\displaystyle 1 \le j \le n-k\), we denote by I(j) the ideal \(\displaystyle \langle \mathcal {B}^{(h)}, f_1,\dots ,f_j \rangle \) in A and \(\displaystyle I(0) = \langle \mathcal {B}^{(h)}\rangle \). For \(\displaystyle 1 \le j \le n-k\) and up to the degree of regularity of I, Assumption 1 states that we have the exact sequence of vector spaces when \(\displaystyle d < d_{\text {reg}}\):
This gives the following equality between Hilbert functions
Consider now the abstract sequence \(\displaystyle h_{d,j}\) defined by \(\displaystyle h_{d,j} = \dim _{\mathbb {F}_{}}(S_d)\) if \(\displaystyle j=0\) or \(\displaystyle d=0\) and the induction relation
Let \(\displaystyle \mathcal {G}_{j}\) denote the generating series for \(\displaystyle (h_{d,j})_{d \ge 0}\). From Eq. (17) and by multiplying by z we easily obtain \(\displaystyle \mathcal {G}_{j}(z) = (1-z)\mathcal {G}_{j-1}(z)\). The generating series for \(\displaystyle (h_{d,0})_{d \ge 0}\) being \(\displaystyle \mathcal {G}_0(z) := \mathcal {H}_S(z)\) we get \(\displaystyle \mathcal {G}_{n-k}(z) = (1-z)^{n-k} \mathcal {H}_S(z)\). As long as the involved quantities are positive, Eq. (16) and Eq. (17) may be seen as the same relation. Therefore, the final Hilbert series is
\(\displaystyle \square \)
A.2 Proof of Theorem 2
Recall \(\displaystyle A'\) and \(\displaystyle S'\) from Definition 7. Theorem 2 easily follows from the following lemmata.
Lemma 6
We have
Proof
From the set of generators \(\displaystyle \mathcal {G}\) described in Lemma 1, we observe that the admissible monomials of \(\displaystyle S'\) involve at most one variable from each block, with degree at most 1. The result follows by reasoning in a similar way as in the proof of Lemma 4. \(\displaystyle \square \)
Lemma 7
Let I denote the homogeneous ideal associated to Modeling 2. Under Assumption 2, we have
Proof (sketch)
By construction, we clearly have \(\displaystyle \mathcal {H}_{A/I}(z) = \mathcal {H}_{A'/I'}(z)\), for the ideal \(\displaystyle I'\) introduced in Definition 7. As in the proof of Lemma 5, we simplify notation by writing \(\displaystyle \lbrace f_1,\dots ,f_{n-k} \rbrace \) for the set of homogeneous parity-check equations \(\displaystyle \mathcal {L}(\mathcal {P}^{(h)})\), and for \(\displaystyle 1 \le j \le n-k\), we denote by \(\displaystyle I'(j)\) the ideal \(\displaystyle \langle \mathcal {B}',\mathcal {Q}', f_1,\dots ,f_j \rangle \) in \(\displaystyle A'\) and \(\displaystyle I'(0) = \langle \mathcal {B}',\mathcal {Q}'\rangle \). Assumption 2 ensures that the following sequence is exact for \(\displaystyle d<d_{\text {reg}}\).
The rest of the proof now proceeds in the same way as [9, proof of Proposition 9], starting from the equality between Hilbert functions
Similarly, we consider the sequence \(\displaystyle c_{d,j}\) defined by \(\displaystyle c_{d,j} = \dim _{\mathbb {F}_{}}(S'_d)\) if \(\displaystyle j=0\) or \(\displaystyle d=0\) and the recurrent formula
Let \(\displaystyle \mathcal {C}_{j}\) denote the generating series for \(\displaystyle (c_{d,j})_{d \ge 0}\). Multiplying by z in Eq. (20) yields \(\displaystyle (1+z)\mathcal {C}_{j}(z) = \mathcal {C}_{j-1}(z)\) and we have the border condition \(\displaystyle \mathcal {C}_{0}(z) = \mathcal {H}_{A'/I'(0)}(z) = \mathcal {H}_{S'}(z)\). This finally gives
\(\displaystyle \square \)
B Missing Details in Section 4
B.1 Regularity Assumption for Specialized Modeling 1
For any invertible matrix \(\displaystyle \boldsymbol{P}\), for \(\displaystyle 0 \le f \le h\) and for \(\displaystyle 0 \le u \le \beta \), let \(\displaystyle \overline{\textbf{P}_{u,f}^{-1}}\) denote the map that applies \(\displaystyle \textbf{P}^{-1}\) and then fixes the initial u variables to 0 in the last f blocks of the error.
Assumption 3
Let \(\displaystyle \mathcal {P}\) be the set of parity-check equations from an instance of Modeling 1. For every permutation matrix \(\displaystyle \textbf{P}\) which stabilizes each block of the error, for \(\displaystyle 0 \le f \le h\) and for \(\displaystyle 0 \le u \le \beta \), we assume \(\displaystyle \mathcal {P}^{(h)}\circ \overline{\textbf{P}_{u,f}^{-1}}\) satisfies Assumption 1 with ring \(\displaystyle A \circ \overline{\textbf{P}_{u,f}^{-1}}\) and quotient ring \(\displaystyle S\circ \overline{\textbf{P}_{u,f}^{-1}}\).
We need the full version of this assumption for the approach of Sect. 4.2 while only the particular case \(\displaystyle f=h\) is required for Sect. 4.1.
B.2 XL Wiedemann Complexity for Modeling 2
The success probability \(\displaystyle \mathcal {P}_{(f,u)} := (1 - u/\beta )^f\) is independent of the algebraic system. Over \(\displaystyle \mathbb {F}_{2}\), we may consider that \(\displaystyle n_{\mu } \approx \textstyle \frac{k}{2} + 1\) in general instead of simply \(\displaystyle n_{\mu } \le k + 1\) for the number of non-zero terms per equation. We leave it to the reader to state the equivalent of Assumption 3 for Modeling 2. All the following results are under this assumption, as well as the assumptions noted in Sect. 4.3. We now give the complexity of the hybrid approach of Sect. 4.2 on Modeling 2. The degree of regularity \(\displaystyle d_{\text {reg},(f,u)}\) is obtained as the index of the first non-positive coefficient in the series
As noted in Sect. 4.3, this series is divided by \(\displaystyle (1-z)\), to derive an upper bound, \(\displaystyle d_{\text {wit},(f,u)}\), on the witness degree. Finally, the analogue of Eq. (11) is
where \(\displaystyle \textstyle \mathcal {H}_{(S',f,u)}(z) := \left( 1+(\beta -1-u)\cdot z \right) ^f \cdot \left( 1+(\beta -1)\cdot z \right) ^{h-f}\).
Proposition 7
The time complexity in \(\displaystyle \mathbb {F}_{2}\) operations of the hybrid approach of Sect. 4.2 on Modeling 2 is estimated by
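As an added illustration (this is not code from the paper), the following Python carries out the generating-series computations behind Lemmas 4 to 7 and Appendix B.2 and reads off \(d_{\text{reg}}\) as the index of the first non-positive coefficient, plus the witness-degree bound obtained by dividing by \((1-z)\). Two choices are assumptions of this example, not statements of the paper: \(n = h\beta\), and the hybrid series for Modeling 2 is taken to be \(\mathcal {H}_{(S',f,u)}(z)/(1+z)^{n-k}\), mirroring the division in Lemma 7.

```python
"""Truncated Hilbert series and degree of regularity for the RSD modelings.

Added example, not the paper's code.  Encoded series:
  Modeling 1 (Lemmas 4, 5): H(z) = (1 - z)^(n-k) * (1 + beta*z/(1-z))^h
  Modeling 2 (Lemmas 6, 7): H(z) = (1 + (beta-1) z)^h / (1 + z)^(n-k)
  hybrid (f, u) (App. B.2): H_(S',f,u)(z) = (1+(beta-1-u) z)^f (1+(beta-1) z)^(h-f)
      divided by (1 + z)^(n-k)  <- assumption of this example, mirroring Lemma 7
Assumed convention: n = h*beta.  Series are integer coefficient lists
truncated at degree D; truncated products are exact up to degree D.
"""
from typing import List, Optional


def mul(a: List[int], b: List[int], D: int) -> List[int]:
    """Product of two truncated power series, keeping degrees <= D."""
    out = [0] * (D + 1)
    for i, ai in enumerate(a[: D + 1]):
        if ai:
            for j, bj in enumerate(b[: D + 1 - i]):
                out[i + j] += ai * bj
    return out


def power(a: List[int], e: int, D: int) -> List[int]:
    """a(z)^e as a truncated series."""
    res = [1] + [0] * D
    for _ in range(e):
        res = mul(res, a, D)
    return res


def geometric(c: int, D: int) -> List[int]:
    """1 / (1 - c z) = sum_i c^i z^i, truncated at degree D."""
    return [c ** i for i in range(D + 1)]


def first_nonpositive(series: List[int]) -> Optional[int]:
    """Index of the first non-positive coefficient (None: raise D)."""
    for d, coeff in enumerate(series):
        if coeff <= 0:
            return d
    return None


def hilbert_modeling1(h: int, beta: int, k: int, D: int = 40) -> List[int]:
    n = h * beta
    one_block = mul([1, beta - 1], geometric(1, D), D)   # 1 + beta*z/(1-z)
    h_s = power(one_block, h, D)                         # H_S(z), Lemma 4
    return mul(power([1, -1], n - k, D), h_s, D)         # (1-z)^(n-k) H_S, Lemma 5


def hilbert_modeling2(h: int, beta: int, k: int, f: int = 0, u: int = 0,
                      D: int = 40) -> List[int]:
    """f = u = 0 gives the plain series of Lemma 7; otherwise H_(S',f,u)."""
    n = h * beta
    h_s = mul(power([1, beta - 1 - u], f, D), power([1, beta - 1], h - f, D), D)
    return mul(h_s, power(geometric(-1, D), n - k, D), D)  # divide by (1+z)^(n-k)


def degree_of_regularity(series: List[int]) -> Optional[int]:
    return first_nonpositive(series)


def witness_degree_bound(series: List[int]) -> Optional[int]:
    """Divide by (1 - z), i.e. take partial sums, then read off d_wit."""
    partial, acc = [], 0
    for coeff in series:
        acc += coeff
        partial.append(acc)
    return first_nonpositive(partial)


def hybrid_success_probability(beta: int, f: int, u: int) -> float:
    """P_(f,u) = (1 - u/beta)^f from Appendix B.2."""
    return (1 - u / beta) ** f


if __name__ == "__main__":
    # constructed toy parameters: h=3 blocks of size beta=4, n=12, k=6
    print(hilbert_modeling1(3, 4, 6)[:5], degree_of_regularity(hilbert_modeling1(3, 4, 6)))
    print(hilbert_modeling2(3, 4, 6)[:5], degree_of_regularity(hilbert_modeling2(3, 4, 6)))
```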
C Experiments
In this section, we present experiments that we have run on randomly generated instances of the RSD problem in order to check the validity of the assumptions from Sects. 3 and 4.
C.1 Hilbert Series
We give the parameter sets as \(\displaystyle (h,\beta ,k,f,u)_t\), where \(\displaystyle h,\beta \) and k describe the RSD problem, where f, u are the parameters for the hybrid approach of Sect. 4.2 and where t is the number of times that we have repeated the experiment. For an affine ideal I, we compute the Hilbert series of the ideal \(\displaystyle I^{(h)}\) associated with the homogeneous upper part of I. For some of the hybrid systems, we have also computed the Hilbert series of the homogenized ideal \(\displaystyle I^{(y)}\) (see Sect. 2.1 for the difference between these two notions). The tests have been run using the computer algebra system Magma V2.27-1 and the built-in command \(\displaystyle \texttt{HilbertSeries}\)(\(\displaystyle \cdot \)).
Experiments for Modeling 1. The systems we have tested for Modeling 1 are listed in Table 7, where we also give the associated degree of regularity \(\displaystyle d_{\text {reg}}\). In all tests, the experimentally found Hilbert series is equal to the Hilbert series of Eq. (9), meaning, in particular, that Assumptions 1 and 3 have held in all our experiments. For most of the hybrid systems, we have also computed the Hilbert series of the homogenized ideals \(\displaystyle I^{(y)}\) and given the associated degree of regularity \(\displaystyle d_{\text {reg}}^{(y)}\). The Hilbert series in all of these tests have been equal to (the truncation of) those predicted by Eq. (10).
Experiments for Modeling 2. Table 8 contains tests for Hilbert series on Modeling 2. The experimental Hilbert series of the plain cases (\(\displaystyle f = u = 0\)) are all described by our theory. While the majority of hybrid cases we have tested are accurately described by (21), we have been able to find a few discrepancies with the theoretical values. The systems marked by \(\displaystyle \dagger \) both included a single case where the experimental Hilbert series deviated slightly from (21) in one of its terms. The system marked by \(\displaystyle \ddagger \) was another type of outlier, where the quotient A/I contained a few cubic elements in half of the tested cases. We note that for the system marked by \(\displaystyle \ddagger \), the corresponding (untruncated) series (21) is exactly zero at the term \(\displaystyle z^2\). Thus the homogeneous Macaulay matrix of degree 2 will be a square matrix over \(\displaystyle \mathbb {F}_2\) (after removing trivial syzygies), and the quotient A/I will contain cubic terms whenever this matrix fails to be of full rank. For the other tested cases, the series have a negative coefficient at the term corresponding to the degree of regularity, indicating that the homogeneous Macaulay matrices will be rectangular. We believe that this difference explains the peculiar behaviour observed for case \(\displaystyle \ddagger \). Finally, we have performed the same experiments as in Modeling 1 for the ideals \(\displaystyle I^{(y)}\) and we obtained the same conclusive results regarding Eq. (10).
C.2 Witness Degree for Plain Systems
We have also tested the witness degree for (non-hybrid) systems of Modeling 1. In these tests, we have created the affine Macaulay matrix of degree 2 or 3 and then computed its rank to check if it has a unique solution. The witness degree in all these tests was the same as the value estimated by Eq. (6) in Sect. 3.2. Details are given in Table 9, where the systems are denoted \(\displaystyle (h,\beta ,k)\).
D Proof of Proposition 6
Proof
The starting point is the Cauchy integral
We study the behaviour of this integral when n grows. Using Cauchy’s integral theorem, we can deform the path of integration so that it passes through the saddle points, so that the integral concentrates in the neighborhood of these saddle points when n tends to \(\displaystyle +\infty \). These saddle points are solutions to the equation
It may be rewritten as a quadratic equation \(\displaystyle P(z)= p_2 \cdot z^2 + p_1 \cdot z + p_0 = 0\), where
Then, the standard argument is that P must have a double root, i.e. the saddle points have to coalesce (otherwise the integral is exponential, see for example [7, p. 94], [3, A.1.] for details). Writing that the discriminant \(\displaystyle \Delta (P)\) is equal to zero yields a quadratic equation \(\displaystyle A \cdot d^2 + B \cdot d + C = 0\), where
Solving for d gives
where \(\displaystyle \sqrt{\delta } := 2n\sqrt{R\rho ^3 - R\rho ^2 - \rho ^3 + \rho ^2} = 2n\rho \sqrt{1-R}\sqrt{1-\rho }\). We want the smallest positive root which is given by the minus case of \(\displaystyle \pm \sqrt{\delta }\), in the equation above. The end of the proof then consists in studying Eq. (22) in the different regimes:
- For constant code rate R and \(\displaystyle \rho = o(1)\), we obtain
$$\begin{aligned} -2\sqrt{1-R}\sqrt{1-\rho } + 2 - \rho - R = (2-R) - 2\sqrt{1-R} + o(1), \end{aligned}$$
hence \(\displaystyle d_{\text {reg}} \sim \kappa _R h\), where \(\displaystyle \kappa _R := (2-R) - 2\sqrt{1-R} > 0\).
- For \(\displaystyle R = o(1)\) and \(\displaystyle \rho = o(1)\) we have
$$\begin{aligned} -2\sqrt{1-R}\sqrt{1-\rho }&= -2\left( 1- \textstyle \frac{R}{2} - \frac{R^2}{8} + o(R^2)\right) \left( 1- \textstyle \frac{\rho }{2} - \frac{\rho ^2}{8} + o(\rho ^2)\right) \\&= -2 + R + \rho + \textstyle \frac{R^2}{4} + \textstyle \frac{\rho ^2}{4} - \textstyle \frac{R\rho }{2} + o(R\rho ), \end{aligned}$$
hence \(\displaystyle -2\sqrt{1-R}\sqrt{1-\rho } + 2 - \rho - R = \textstyle \frac{R^2}{4} + \textstyle \frac{\rho ^2}{4} - \textstyle \frac{R\rho }{2} + o(R\rho )\). This gives us \(\displaystyle d_{\text {reg}} + 1 \sim \textstyle \frac{R^2}{4} h\) if \(\displaystyle \rho =o(R)\) and \(\displaystyle d_{\text {reg}} + 1 \sim \textstyle \frac{R^2}{4}(1-\lambda )^2 h\) if \(\displaystyle \rho = \lambda R\) is linear in R with \(\displaystyle \lambda < 1\).
\(\displaystyle \square \)
© 2023 International Association for Cryptologic Research
Cite this paper
Briaud, P., Øygarden, M. (2023). A New Algebraic Approach to the Regular Syndrome Decoding Problem and Implications for PCG Constructions. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14008. Springer, Cham. https://doi.org/10.1007/978-3-031-30589-4_14
DOI: https://doi.org/10.1007/978-3-031-30589-4_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30588-7
Online ISBN: 978-3-031-30589-4