Designs, Codes and Cryptography, Volume 79, Issue 2, pp 261–302

Polly Cracker, revisited

  • Martin R. Albrecht
  • Jean-Charles Faugère
  • Pooya Farshim
  • Gottfried Herold
  • Ludovic Perret


We formally treat cryptographic constructions based on the hardness of deciding ideal membership in multivariate polynomial rings. Of particular interest to us is a class of schemes known as “Polly Cracker.” We start by formalising and studying the relation between the ideal membership problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded \(\mathsf {CPA}\) security under the hardness of the ideal membership problem. Furthermore, we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly Cracker-style scheme. On the positive side, we formalise noisy variants of the ideal-theoretic problems. These problems can be seen as natural generalisations of the learning with errors (\(\mathsf {LWE}\)) and the approximate GCD problems over polynomial rings. After formalising and justifying the hardness of the noisy assumptions, we show that noisy encoding of messages results in a fully \(\mathsf {IND}{\text {-}}\mathsf {CPA}\)-secure and somewhat homomorphic encryption scheme. Together with a standard symmetric-to-asymmetric transformation for additively homomorphic schemes, we provide a positive answer to the long-standing open problem of constructing a secure Polly Cracker-style cryptosystem reducible to the hardness of solving a random system of equations. Indeed, our results go beyond this and also provide a new family of somewhat homomorphic encryption schemes based on generalised hard problems. Our results also imply that Regev’s \(\mathsf {LWE}\)-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters.
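The symmetric Polly Cracker idea summarised above (ciphertext = message + random element of a secret ideal; decryption = reduction modulo the secret Gröbner basis) can be seen in miniature with a toy over \(\mathbb {F}_p[x_1,\dots ,x_n]\). The block below is an added illustration and not the paper's own construction: it assumes the simplest possible zero-dimensional ideal, the ideal of a secret point \(s\), whose reduced Gröbner basis is \(\{x_i - s_i\}\), so that "reduce modulo the basis" is just "evaluate at \(s\)". The modulus, variable count and noise-free encoding are constructed choices; the paper's noisy variant is not reproduced here.

```python
"""Toy symmetric Polly Cracker over F_p[x_1, ..., x_n] (added example).

Assumption: the secret ideal is the ideal of a point s, so its reduced
Groebner basis is {x_i - s_i} and reduction mod the basis is evaluation at s.
Polynomials are dicts {exponent tuple: coefficient mod P}.
"""
import secrets

P = 101  # constructed prime modulus (message space is F_P)
N = 3    # constructed number of variables


def poly_add(a, b):
    out = dict(a)
    for e, c in b.items():
        out[e] = (out.get(e, 0) + c) % P
    return {e: c for e, c in out.items() if c}


def poly_mul(a, b):
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(x + y for x, y in zip(ea, eb))
            out[e] = (out.get(e, 0) + ca * cb) % P
    return {e: c for e, c in out.items() if c}


def poly_eval(a, point):
    """Evaluate a at point; this is reduction modulo {x_i - s_i}."""
    total = 0
    for e, c in a.items():
        term = c
        for xi, ei in zip(point, e):
            term = term * pow(xi, ei, P) % P
        total = (total + term) % P
    return total


def const(m):
    return {(0,) * N: m % P} if m % P else {}


def random_poly(max_deg=1, nterms=4):
    """Random low-degree multiplier r_i (hypothetical sampling, for illustration)."""
    poly = {}
    for _ in range(nterms):
        e = tuple(secrets.randbelow(max_deg + 1) for _ in range(N))
        poly[e] = (poly.get(e, 0) + secrets.randbelow(P)) % P
    return {e: c for e, c in poly.items() if c}


def keygen():
    """Secret key: a random point s in F_P^N."""
    return tuple(secrets.randbelow(P) for _ in range(N))


def generator(i, s):
    """x_i - s_i, the i-th element of the secret Groebner basis."""
    e = tuple(1 if j == i else 0 for j in range(N))
    return poly_add({e: 1}, const(-s[i]))


def encrypt(s, m):
    """c = m + sum_i r_i * (x_i - s_i): the message plus an element of the ideal."""
    c = const(m)
    for i in range(N):
        c = poly_add(c, poly_mul(random_poly(), generator(i, s)))
    return c


def decrypt(s, c):
    """Reduce c modulo the secret basis: the ideal part vanishes, m remains."""
    return poly_eval(c, s)


def demo():
    """Show that decryption commutes with ciphertext addition and multiplication."""
    s = keygen()
    m1, m2 = 7, 12
    c1, c2 = encrypt(s, m1), encrypt(s, m2)
    return (
        decrypt(s, c1),                  # 7
        decrypt(s, poly_add(c1, c2)),    # 19
        decrypt(s, poly_mul(c1, c2)),    # 84
    )


if __name__ == "__main__":
    print(demo())
```

Ciphertext addition and multiplication stay inside the coset \(m + I\), which is why the scheme is homomorphic for both operations; the degree of ciphertexts grows with each multiplication, so it is only "somewhat" homomorphic. The toy also makes the abstract's negative result concrete: every known plaintext/ciphertext pair hands an adversary \(c - m \in I\), and the ideal (hence the Gröbner basis) can be recovered once enough such elements are collected, which is exactly the bounded-\(\mathsf {CPA}\) limitation the paper's noisy encoding is designed to remove.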


Keywords

Cryptography; Multivariable systems; Computational difficulty of problems

Mathematics Subject Classification

94A60, 93C35, 68Q17



Acknowledgements

We would like to thank Carlos Cid for valuable feedback and discussions on this work. We would also like to thank Frederik Armknecht for helpful discussions on an earlier draft of this work. The work described in this paper has been supported by the Royal Society Grant JP090728 and by the Commission of the European Communities through the ICT program under contract ICT-2007-216676 (ECRYPT-II). Martin R. Albrecht, Jean-Charles Faugère, and Ludovic Perret are also supported by the French ANR under the Computer Algebra and Cryptography (CAC) Project (ANR-09-JCJCJ-0064-01) and the EXACTA Project (ANR-09-BLAN-0371-01).



Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Martin R. Albrecht (1)
  • Jean-Charles Faugère (2, 3, 6)
  • Pooya Farshim (4)
  • Gottfried Herold (5)
  • Ludovic Perret (2, 3, 6)

  1. Information Security Group, Royal Holloway, University of London, Egham, UK
  2. Sorbonne Universités, UPMC Univ Paris 06, POLSYS, UMR 7606, LIP6, Paris, France
  3. CNRS, UMR 7606, LIP6, Paris, France
  4. Queen’s University Belfast, Belfast, Northern Ireland, UK
  5. Horst Görtz Institut für IT-Sicherheit, Ruhr-Universität Bochum, Bochum, Germany
  6. INRIA, Paris-Rocquencourt Center, Paris, France
