Polly Cracker, Revisited

  • Martin R. Albrecht
  • Pooya Farshim
  • Jean-Charles Faugère
  • Ludovic Perret
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


We initiate the formal treatment of cryptographic constructions (“Polly Cracker”) based on the hardness of computing remainders modulo an ideal over multivariate polynomial rings. We start by formalising the relation between the ideal remainder problem and the problem of computing a Gröbner basis. We show both positive and negative results. On the negative side, we define a symmetric Polly Cracker encryption scheme and prove that this scheme only achieves bounded CPA security. Furthermore, we show that a large class of algebraic transformations cannot convert this scheme to a fully secure Polly-Cracker-style scheme. On the positive side, we formalise noisy variants of the ideal membership, ideal remainder, and Gröbner basis problems. These problems can be seen as natural generalisations of the LWE problem and the approximate GCD problem over polynomial rings. We then show that noisy encoding of messages results in a fully IND-CPA-secure somewhat homomorphic encryption scheme. Our results provide a new family of somewhat homomorphic encryption schemes based on new, but natural, hard problems. Our results also imply that Regev’s LWE-based public-key encryption scheme is (somewhat) multiplicatively homomorphic for appropriate choices of parameters.


Polly Cracker Gröbner bases LWE Noisy encoding Homomorphic encryption Public-key encryption Provable security 


  1. 1.
    Albrecht, M.R., Farshim, P., Faugère, J.-C., Perret, L.: Polly Cracker, revisited. Cryptology ePrint Archive, Report 2011/289 (2011)Google Scholar
  2. 2.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  3. 3.
    Arora, S., Ge, R.: New Algorithms for Learning in Presence of Errors. In: Aceto, L., Henzinger, M., Sgall, J. (eds.) ICALP 2011, Part I. LNCS, vol. 6755, pp. 403–415. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. 4.
    Bard, G.V., Courtois, N.T., Jefferson, C.: Efficient methods for conversion and solution of sparse systems of low-degree multivariate polynomials over GF(2) via SAT-solvers. Cryptology ePrint Archive, Report 2007/024 (2007)Google Scholar
  5. 5.
    Barkee, B., Can, D.C., Ecks, J., Moriarty, T., Ree, R.F.: Why you cannot even hope to use Gröbner bases in public key cryptography: An open letter to a scientist who failed and a challenge to those who have not yet failed. J. of Symbolic Computations 18(6), 497–501 (1994)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Berbain, C., Gilbert, H., Patarin, J.: QUAD: A multivariate stream cipher with provable security. J. Symb. Comput. 44(12), 1703–1723 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  7. 7.
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. To appear in FOCS 2011 (2011)Google Scholar
  8. 8.
    Buchberger, B.: Ein Algorithmus zum Auffinden der Basiselemente des Restklassenrings nach einem nulldimensionalen Polynomideal. PhD thesis, Universität Innsbruck (1965)Google Scholar
  9. 9.
    Caboara, M., Caruso, F., Traverso, C.: Lattice Polly Cracker cryptosystems. Journal of Symbolic Computation 46, 534–549 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  10. 10.
    Cox, D., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms, 3rd edn. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. of Computing, 167–226 (2003)Google Scholar
  12. 12.
    Dickenstein, A., Fitchas, N., Giusti, M., Sessa, C.: The membership problem for unmixed polynomial ideals is solvable in single exponential time. Discrete Appl. Math. 33(1-3), 73–94 (1991)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    van Dijk, M., Gentry, C., Halevi, S., Vaikuntanathan, V.: Fully Homomorphic Encryption Over the Integers. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 24–43. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. 14.
    Ding, J., Yang, B.-Y.: Multivariate public key cryptography. In: Post-Quantum Cryptography, pp. 193–234. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  15. 15.
    dit Vehel, F.L., Marinari, M.G., Perret, L., Traverso, C.: A survey on Polly Cracker systems. In: Gröbner Bases. Coding and Cryptography, pp. 285–305. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  16. 16.
    Faugère, J.-C., Gianni, P.M., Lazard, D., Mora, T.: Efficient computation of zero-dimensional Gröbner bases by change of ordering. Journal of Symbolic Computation 16, 329–344 (1993)Google Scholar
  17. 17.
    Fellows, M., Koblitz, N.: Combinatorial cryptosystems galore! In: Finite Fields: Theory, Applications, and Algorithms. Contemporary Mathematics, vol. 168, pp. 51–61. AMS (1994)Google Scholar
  18. 18.
    Gentry, C.: A fully homomorphic encryption scheme. PhD thesis, Stanford University (2009)Google Scholar
  19. 19.
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing, pp. 169–178 (2009)Google Scholar
  20. 20.
    Gentry, C., Halevi, S.: Implementing Gentry’s Fully-Homomorphic Encryption Scheme. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 129–148. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  21. 21.
    Gouget, A., Patarin, J.: Probabilistic Multivariate Cryptography. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 1–18. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  22. 22.
    Lindner, R., Peikert, C.: Better Key Sizes (and Attacks) for LWE-Based Encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  23. 23.
    Melchor, C.A., Gaborit, P., Herranz, J.: Additively Homomorphic Encryption with d-Operand Multiplications. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 138–154. Springer, Heidelberg (2010)Google Scholar
  24. 24.
    Micciancio, D., Regev, O.: Lattice-based cryptography. In: Post-Quantum Cryptography, pp. 147–191. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  25. 25.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM 56, 34:1–34:40 (2009)Google Scholar
  26. 26.
    Regev, O.: The learning with errors problem. In: IEEE Conference on Computational Complexity 2010, pp. 191–204 (2010)Google Scholar
  27. 27.
    Rothblum, R.: Homomorphic Encryption: From Private-Key to Public-Key. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 219–234. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  28. 28.
    Rückert, M., Schneider, M.: Estimating the security of lattice-based cryptosystems. Cryptology ePrint Archive, Report 2010/137 (2010)Google Scholar
  29. 29.
    Smart, N.P., Vercauteren, F.: Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 420–443. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  30. 30.
    Stein, W.A., et al.: Sage Mathematics Software. The Sage Development Team, Version 4.7.0 (2011),

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Martin R. Albrecht
    • 1
    • 2
  • Pooya Farshim
    • 3
  • Jean-Charles Faugère
    • 1
    • 2
  • Ludovic Perret
    • 1
    • 2
  1. 1.INRIA, Paris-Rocquencourt Center, SALSA Project, UPMC Univ Paris 06, UMR 7606, LIP6ParisFrance
  2. 2.CNRS, UMR 7606, LIP6ParisFrance
  3. 3.Department of Computer ScienceDarmstadt University of TechnologyGermany

Personalised recommendations