1 Introduction

With the emerging threat of Shor’s quantum polynomial time algorithms for factoring and discrete logarithms [33] on the horizon, cryptographers have in the past 20 years been in desperate search for new cryptographic problems that cannot be solved in polynomial time on classical as well as quantum computers. So far, lattice-based cryptography built on Learning With Errors (LWE) and the Short Integer Solution (SIS) problem [1] has emerged as the most promising candidate for cryptography in the presence of quantum computers.

In this paper we revisit polynomial models to solve the Search-LWE problem via Gröbner basis computations. Solving LWE via a polynomial system was first done by Arora & Ge [6], though they solved the system via linearization rather than via Gröbner bases. Albrecht et al. [2, 3] studied the complexity of Gröbner basis computations for the Arora-Ge polynomial model under the assumption that the polynomial system is semi-regular [24, 28]. Moreover, for binary error LWE, Sun et al. [37] refined the complexity estimates for linearization under the semi-regularity assumption. For a general review of the computational hardness of LWE we refer to [4].

We stress that the complexity estimates of [2, 3, 37] are still hypothetical, since neither work provides a proof that an LWE polynomial system is semi-regular except in very special cases, see e.g. [3, Theorem 11]. Moreover, the complexity bounds rely on asymptotic studies of the Hilbert series of a semi-regular polynomial system. Needless to say, it is not a priori guaranteed that these complexity estimates apply to practical LWE instantiations.

In this paper we consider two new approaches to estimate the complexity of Gröbner basis computations. Caminata & Gorla [12] showed that the solving degree of a polynomial system in generic coordinates is always upper bounded by the Castelnuovo-Mumford regularity and hence also by the Macaulay bound, see [12, Theorem 10]. For our first approach we prove that any fully determined LWE polynomial system is in generic coordinates. In particular, this implies that for any LWE polynomial system there exists a Gröbner basis algorithm with exponential time as well as memory complexity. Semaev & Tenti [32] showed that the complexity of Gröbner basis algorithms can also be estimated via the degree of regularity of a polynomial system. However, their bound is only applicable over finite fields, and the polynomial system must contain the field equations, see [32, Theorem 2.1] and [38, Theorem 3.65]. We generalize their result to any polynomial system that admits a finite degree of regularity, regardless of the underlying field. For a fixed degree of regularity we determine the minimal number of LWE samples necessary so that the polynomial system can achieve that degree of regularity. Hence, for a designer this implies that there could exist Gröbner basis algorithms with sub-exponential time as well as memory to solve Search-LWE.

In two recent works Dachman-Soled et al. [18, 19] introduced a framework to study the complexity of attacks on Search-LWE in the presence of side information. In Sect. 6 we briefly review their framework and describe how hints can be incorporated into LWE polynomial systems. Moreover, in Example 28 we showcase the complexity impact of hints on Gröbner basis computations.

Finally, Semaev & Tenti [32] also investigated the probability that a uniformly and independently distributed polynomial system \(\mathcal {F} \subset \mathbb {F}_{q}[x_1, \dots , x_n] / (x_1^q - x_1, \dots , x_n^q - x_n)\) achieves a certain degree of regularity. Their proof depends only on combinatorial properties, hence we expect that a similar result can be proven for uniformly and independently distributed polynomial systems \(\mathcal {F} \subset \mathbb {F}_{q}[x_1, \dots , x_n] / \big (f (x_1), \dots , f (x_n) \big )\), where f is univariate and \(\deg \left( f \right) \ge 2\) is arbitrary. In Appendix A of the full version [35] we study the related problem of whether an LWE polynomial is close to the uniform distribution or not. We find a negative answer to this question; in particular, we show that the statistical distance between the highest degree component of an LWE polynomial and the uniform distribution is always \(\ge \frac{1}{2}\) and has limit 1 if the degree of the LWE polynomial goes to infinity. Hence, even if Semaev & Tenti’s analysis generalizes, it is not applicable to LWE polynomial systems.

2 Preliminaries

By k we will always denote a field, by \(\bar{k}\) we denote its algebraic closure, and by \(\mathbb {F}_{q}\) we denote the finite field with q elements. Let \(I \subset k [x_1, \dots , x_n]\) be an ideal, then we denote the zero locus of I over \(\bar{k}\) as

$$\begin{aligned} \mathcal {Z} (I) = \left\{ \textbf{x} \in \bar{k}^n \mid f (\textbf{x}) = 0,\ \forall f \in I \right\} \subset \mathbb {A}^{n}_{\bar{k}}. \end{aligned}$$
(1)

If in addition I is homogeneous, then we denote the projective zero locus over \(\bar{k}\) by \(\mathcal {Z}_+ (I) \subset \mathbb {P}^{n - 1}_{\bar{k}}\).

Let \(f \in K [x_1, \dots , x_n]\) be a polynomial and let \(x_0\) be an additional variable. We call

$$\begin{aligned} f^\text { hom}(x_0, \dots , x_n) = x_0^{\deg \left( f \right) } \cdot f \left( \frac{x_1}{x_0}, \dots , \frac{x_n}{x_0} \right) \in K [x_0, \dots , x_n] \end{aligned}$$
(2)

the homogenization of f with respect to \(x_0\), and analogously for the homogenization of ideals \(I^\text { hom}= \left\{ f^\text { hom}\mid f \in I \right\} \) and finite systems of polynomials \(\mathcal {F}^\text { hom}= \left\{ f_1^\text { hom}, \dots , f_m^\text { hom}\right\} \). Further, we will always assume that we can extend a term order on \(k[x_1, \dots , x_n]\) to a term order on \(k[x_0, \dots , x_n]\) according to [12, Definition 8].

For a term order > and an ideal \(I \subset k [x_1, \dots , x_n]\) we denote with

$$\begin{aligned} {{\,\textrm{in}\,}}_> (I) = \{ {{\,\textrm{LT}\,}}_> (f) \mid f \in I \} \end{aligned}$$
(3)

the initial ideal of I, i.e. the ideal of leading terms of I, with respect to >.

Every polynomial \(f \in k [x_1, \dots , x_n]\) can be written as \(f = f_d + f_{d - 1} + \ldots + f_0\), where \(f_i\) is homogeneous of degree i. We denote the highest degree component \(f_d\) of f by \(f^\text { top}\), and analogously we denote \(\mathcal {F}^\text { top}= \left\{ f_1^\text { top}, \dots , f_m^\text { top}\right\} \).

For a homogeneous ideal \(I \subset P\) and an integer \(d \ge 0\) we denote

$$\begin{aligned} I_d = \left\{ f \in I \mid \deg \left( f \right) = d,\ f \text { homogeneous} \right\} , \end{aligned}$$
(4)

and analogously for the polynomial ring P.

Let \(I, J \subset k [x_1, \dots , x_n]\) be ideals, then we denote with

$$\begin{aligned} I : J = \left\{ f \in k [x_1, \dots , x_n] \mid \forall g \in J :f \cdot g \in I \right\} \end{aligned}$$
(5)

the usual ideal quotient, and with \(I : J^\infty = \bigcup _{i \ge 1} I : J^i\) the saturation of I with respect to J.

Let \(I, \mathfrak {m} \subset k [x_0, \dots , x_n]\) be homogeneous ideals where \(\mathfrak {m} = (x_0, \dots , x_n)\), then we call \(I^\text { sat}= I : \mathfrak {m}^\infty \) the saturation of I.

We will often encounter the lexicographic and the degree reverse lexicographic term order which we will abbreviate as LEX and DRL respectively.

For \(\textbf{x}, \textbf{y} \in k^n\) we denote the standard inner product as

$$\begin{aligned} \left\langle {\textbf{x}, \textbf{y}}\right\rangle = \textbf{x}^\intercal \textbf{y} = \sum _{i = 1}^{n} x_i \cdot y_i. \end{aligned}$$
(6)

By \(\log \) we denote the natural logarithm and by \(\log _2\) the logarithm in base 2.

2.1 Learning with Errors

Learning With Errors (LWE) was introduced by Ajtai in his seminal work [1]. In its base form it can be formulated as a simple computational linear algebra problem.

Definition 1

(Learning with errors, [1]). Let q be a prime, let \(n \ge 1\) be an integer, and let \(\chi \) be a probability distribution on \(\mathbb {Z}\). For a secret vector \(\textbf{s} \in \mathbb {F}_{q}^{n}\) the LWE distribution \(A_{\textbf{s}, \chi }\) over \(\mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) is sampled by choosing \(\textbf{a} \in \mathbb {F}_{q}^{n}\) uniformly at random, choosing \(e \leftarrow \chi \), and outputting \(\left( \textbf{a}, \left\langle {\textbf{s}, \textbf{a}}\right\rangle + e \in \mathbb {F}_{q}\right) \).

In Search-LWE we are given m LWE samples \((\textbf{a}_i, b_i)\) sampled according to some probability distribution. Our task is then to recover the secret vector \(\textbf{s} \in \mathbb {F}_{q}^{n}\) that has been used to generate the samples.

As probability distribution one typically chooses a discrete Gaussian distribution with mean 0 and standard deviation \(\sigma \). For ease of computation in this paper, we ignore the discretization and assume \(\chi = \mathcal {N} (0, \sigma )\) if not specified otherwise, hence we do not discuss discretization techniques further. Assume that \(X \sim \mathcal {N} (0, \sigma )\); we will use the following well-known property of the Gaussian distribution several times in this paper:

$$\begin{aligned} {{\,\mathrm{\mathbb {P}}\,}}\left[ \left| X \right| > t \cdot \sigma \right] \le \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) . \end{aligned}$$
(7)

It is well-known that solving Search-LWE for a discrete Gaussian error distribution and \(\sigma \in \mathcal {O} \left( \sqrt{n} \right) \) is at least as hard as solving several computational lattice problems, see e.g. [10, 27, 29, 30].

Moreover, on top of LWE many cryptographic functions can be built, e.g. Regev’s public key cryptosystem [30] as well as a key exchange mechanism [9].

2.2 Gröbner Bases

For an ideal \(I \subset k [x_1, \dots , x_n]\) and a term order > on the polynomial ring, a >-Gröbner basis \(\mathcal {G} = \{ g_1, \dots , g_m \}\) is a finite set of generators such that

$$\begin{aligned} {{\,\textrm{in}\,}}_> (I) = \big ( {{\,\textrm{LT}\,}}_> (g_1), \dots , {{\,\textrm{LT}\,}}_> (g_m) \big ). \end{aligned}$$
(8)

Gröbner bases were introduced by Bruno Buchberger in his PhD thesis [11]. With Gröbner bases one can solve many computational problems on ideals like the ideal membership problem or the computation of the zero locus [17]. For a general introduction to the theory of Gröbner bases we refer to [17].

Today, two classes of Gröbner basis algorithms are known: Buchberger’s algorithm and linear algebra-based algorithms. In this paper we only study the latter family.

Let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset P = k [x_1, \dots , x_n]\) be a homogeneous polynomial system, and let > be a term order on P. The homogeneous Macaulay matrix in degree d, denoted as \(M_d\), has columns indexed by monomials in \(P_d\) sorted from left to right with respect to >. The rows of \(M_d\) are indexed by polynomials \(s \cdot f_i\), where \(s \in P\) is a monomial such that \(\deg \left( s \cdot f_i \right) = d\). The entry of row \(s \cdot f_i\) at column t is the coefficient of \(s \cdot f_i\) at the monomial t. For an inhomogeneous polynomial system \(M_d\) is replaced by \(M_{\le d}\) and the degree equalities by inequalities. By performing Gaussian elimination on \(M_0, \dots , M_d\) respectively \(M_{\le d}\) for d big enough one will produce a >-Gröbner basis of \(\mathcal {F}\). This idea can be traced back to Lazard [26]. Since d determines the complexity of this algorithm in space and time, the least suitable d is of special interest [20].

Definition 2

(Solving degree, [12, Definition 6]). Let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset k[x_1, \dots , x_n]\) and let > be a term order. The solving degree of \(\mathcal {F}\) is the least degree d such that Gaussian elimination on the Macaulay matrix \(M_{\le d}\) produces a Gröbner basis of \(\mathcal {F}\) with respect to >. We denote it by \({{\,\textrm{sd}\,}}_> (\mathcal {F})\).

If \(\mathcal {F}\) is homogeneous, we consider the homogeneous Macaulay matrix \(M_d\) and let the solving degree of \(\mathcal {F}\) be the least degree d such that Gaussian elimination on \(M_0, \dots , M_d\) produces a Gröbner basis of \(\mathcal {F}\) with respect to >.

Today, the most efficient variants of linear algebra-based Gröbner basis algorithms are Faugère’s F4 [22] and Matrix-F5 [23] algorithms. These algorithms utilize efficient selection criteria to avoid redundant rows in the Macaulay matrices. Moreover, they construct the matrices for increasing values of d. Therefore, they also need stopping criteria, though one could artificially stop the computation once the solving degree is reached, since then a Gröbner basis must already be contained in the system produced by Gaussian elimination. Hence, we do not discuss termination criteria further.

Let \(\mathcal {F} \subset k [x_1, \dots , x_n]\) be a polynomial system, and let \(\mathcal {F}^\text { hom}\) be its homogenization. We always have that, see [12, Theorem 7],

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F}^\text { hom}\right) . \end{aligned}$$
(9)

Complexity Estimate via the Solving Degree. For a matrix \(\textbf{A} \in k^{n \times m}\) of rank r the reduced row echelon form can be computed in \(\mathcal {O} \left( n \cdot m \cdot r ^{\omega - 2} \right) \) [36, §2.2], where \(2 \le \omega < 2.37286\) is a linear algebra constant [5].

Let \(\mathcal {F} \subset P = k [x_1, \dots , x_n]\) be a system of m homogeneous polynomials. It is well known that the number of monomials in \(P_d\) is given by \(\left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) \). Moreover, at most \(\left( {\begin{array}{c}n + d - \deg \left( f_i \right) - 1\\ d - \deg \left( f_i \right) \end{array}}\right) \le \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) \) many rows can stem from the polynomial \(f_i\). Therefore, the cost of Gaussian elimination on \(M_0, \dots , M_d\) is bounded by

$$\begin{aligned} \mathcal {O} \left( m \cdot d \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) ^\omega \right) . \end{aligned}$$
(10)

Thus, by estimating the solving degree \({{\,\textrm{sd}\,}}_{DRL} (\mathcal {F})\) we obtain a complexity upper bound for linear algebra-based Gröbner basis computations.

2.3 Generic Coordinates and the Solving Degree

For completeness, we shortly recall the definition of the Castelnuovo-Mumford regularity [21, Sect. 4], a well-established invariant from commutative algebra and algebraic geometry. Let \(P = k[x_0, \dots , x_n]\) be the polynomial ring and let

$$\begin{aligned} \textbf{F}: \cdots \rightarrow F_i \rightarrow F_{i - 1} \rightarrow \cdots \end{aligned}$$
(11)

be a graded complex of free P-modules, where \(F_i = \sum _j P(-a_{i, j})\).

Definition 3

The Castelnuovo-Mumford regularity of \(\textbf{F}\) is defined as

$$ {{\,\textrm{reg}\,}}\left( \textbf{F} \right) = \sup _i a_{i,j} - i. $$

By Hilbert’s Syzygy theorem [21, Theorem 1.1] any finitely generated graded P-module has a finite free graded resolution. I.e., for every homogeneous ideal \(I \subset P\) the regularity of I is computable.

Next we introduce the notion of generic coordinates which first appeared in the seminal work of Bayer & Stillman [8]. Let \(I \subset P\) be an ideal, and let \(r \in P\). We use the shorthand notation “\(r \not \mid 0 \mod I\)” for expressing that r is not a zero-divisor on P/I.

Definition 4

([12, 13, Definition 5]). Let k be an infinite field. Let \(I \subset k [x_0, \dots , x_n]\) be a homogeneous ideal with \(| \mathcal {Z}_+ (I) | < \infty \). We say that I is in generic coordinates if either \(| \mathcal {Z}_+ (I) | = 0\) or \(x_0 \not \mid 0 \mod I^{\text { sat}}\).

Let k be any field, and let \(k \subset K\) be an infinite field extension. I is in generic coordinates over K if \(I \otimes _k K [x_0, \dots , x_n] \subset K [x_0, \dots , x_n]\) is in generic coordinates.

If a polynomial system is in generic coordinates, then its solving degree is always upper bounded by the Castelnuovo-Mumford regularity.

Theorem 5

([12, Theorem 9, 10]). Let K be an algebraically closed field, and let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset K [x_1, \dots , x_n]\) be an inhomogeneous polynomial system such that \(\left( \mathcal {F}^\text { hom}\right) \) is in generic coordinates. Then

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le {{\,\textrm{reg}\,}}\left( \mathcal {F}^\text { hom}\right) . \end{aligned}$$

By a classical result one can always bound the regularity of an ideal with the Macaulay bound (see [15, Theorem 1.12.4]).

Corollary 6

(Macaulay bound, [26, Theorem 2], [12, Corollary 2]). Consider a system of equations \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset k[x_1, \dots , x_n]\) with \(d_i = \deg \left( f_i \right) \) and \(d_1 \ge \ldots \ge d_m\). Set \(l = \min \{ n + 1, m \}\). Assume that \(\left| \mathcal {Z}_+ \left( \mathcal {F}^\text { hom}\right) \right| < \infty \) and that \(\left( \mathcal {F}^\text { hom}\right) \) is in generic coordinates over \(\bar{k}\). Then

$$ {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le {{\,\textrm{reg}\,}}\left( \mathcal {F}^\text { hom}\right) \le d_1 + \ldots + d_l - l + 1. $$

In particular, if \(m > n\) and \(d = d_1\), then

$$ {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le (n + 1) \cdot (d - 1) + 1. $$

In the proof of [12, Theorem 11] Caminata & Gorla implicitly revealed an efficient criterion to prove that a polynomial system is in generic coordinates. This observation was later formalized by Steiner in terms of the highest degree components of a polynomial system [34].

Theorem 7

([34, Theorem 3.2]). Let k be an algebraically closed field, and let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset k [x_1, \dots , x_n]\) be an inhomogeneous polynomial system such that

(i) \((\mathcal {F}) \ne (1)\), and

(ii) \(\dim \left( \mathcal {F} \right) = 0\).

Then the following are equivalent.

(1) \(\left( \mathcal {F}^\text { hom}\right) \) is in generic coordinates and \(\left| \mathcal {Z}_+ \left( \mathcal {F}^\text { hom}\right) \right| \ne 0\).

(2) \(\sqrt{\mathcal {F}^\text { top}} = \left( x_1, \dots , x_n \right) \).

(3) \(\left( \mathcal {F}^\text { top}\right) \) is zero-dimensional in \(k [x_1, \dots , x_n]\).

(4) For every \(1 \le i \le n\) there exists an integer \(d_i \ge 1\) such that \(x_i^{d_i} \in {{\,\textrm{in}\,}}_{DRL} \left( \mathcal {F}^\text { hom}\right) \).

In particular, (4) implies that every inhomogeneous polynomial system that contains a zero-dimensional DRL Gröbner basis is already in generic coordinates.

2.4 A Refined Solving Degree

In the Gröbner basis complexity literature there is another quantity that is also known as solving degree and that refines Definition 2, cf. [14, §1]. Again let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset P = k [x_1, \dots , x_n]\) be a finite set of polynomials, and let > be a term order on P. We start with \(M_{\le d}\), the Macaulay matrix for \(\mathcal {F}\) up to degree d, and compute a basis \(\mathcal {B}\) of the row space of \(M_{\le d}\) via Gaussian elimination. Now we construct the Macaulay matrix \(M_{\le d}\) for the polynomial system \(\mathcal {B}\) and again compute the basis \(\mathcal {B}'\) of the row space via Gaussian elimination. We repeat this procedure until \(\mathcal {B} = \mathcal {B}'\); at this point multiplying the polynomials in \(\mathcal {B}'\) with all monomials of degree \(\le d\) does not add any new elements to the basis after Gaussian elimination. We denote the final Macaulay matrix for \(\mathcal {F}\) by \(\hat{M}_d\), and we denote \(\hat{M}_d\)’s row space by \({{\,\textrm{rowsp}\,}}\left( \hat{M}_d \right) \). It is clear that

$$\begin{aligned} {{\,\textrm{rowsp}\,}}\left( \hat{M}_d \right) \subset (\mathcal {F})_{\le d} = \left\{ f \in (\mathcal {F}) \mid \deg \left( f \right) \le d \right\} , \end{aligned}$$
(12)

and for d big enough \({{\,\textrm{rowsp}\,}}\left( \hat{M}_d \right) \) will contain a >-Gröbner basis for \(\mathcal {F}\). This motivates the following definition.

Definition 8

(Refined solving degree, see [14, Definition 1.1]). Let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset k[x_1, \dots , x_n]\) and let > be a term order. The refined solving degree of \(\mathcal {F}\) is the least degree d such that \({{\,\textrm{rowsp}\,}}\left( \hat{M}_d \right) \) contains a Gröbner basis of \(\mathcal {F}\) with respect to >. We denote it by \(\overline{{{\,\textrm{sd}\,}}}_> (\mathcal {F})\).

It is clear from the definitions that

$$\begin{aligned} \overline{{{\,\textrm{sd}\,}}}_> \left( \mathcal {F} \right) \le {{\,\textrm{sd}\,}}_> \left( \mathcal {F} \right) , \end{aligned}$$
(13)

but the inequality might be strict.

Complexity Estimate via the Refined Solving Degree. Let \(\mathcal {F} \subset P = k [x_1, \dots , x_n]\) be a system of m homogeneous polynomials, let \(\overline{{{\,\textrm{sd}\,}}}_> (\mathcal {F}) \le d\) for some term order > on P, and let D denote the number of monomials in P of degree \(\le d\). Then the dimensions of the Macaulay matrix \(M_{\le d}\) for \(\mathcal {F}\) are bounded by \(D \cdot m \times D\). Without loss of generality we can assume that \(\mathcal {F}\) does not contain redundant elements, then the row space basis of \(M_{\le d}\) has either at least \(m + 1\) elements or it contains a Gröbner basis with \(\le m\) many elements. In the first case, we have to build a new Macaulay matrix whose size is bounded by \(D \cdot (m + 1) \times D\). Iterating this argument we can build at most \((D - m)\) many Macaulay matrices, and we have to perform Gaussian elimination at most \(D - m\) times. With \(D \le d \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) \) and our estimation from Eq. (10) we obtain the following worst case complexity estimate

$$\begin{aligned} &\mathcal {O} \left( \sum _{i = 0}^{D - m - 1} (m + i) \cdot d \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) ^\omega \right) \end{aligned}$$
(14)
$$\begin{aligned} &\in \mathcal {O} \left( \left( m \cdot D + \frac{(D - m - 1) \cdot (D - m - 2)}{2} \right) \cdot d \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) ^\omega \right) \end{aligned}$$
(15)
$$\begin{aligned} &\in \mathcal {O} \left( m \cdot D^2 \cdot d \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) ^\omega \right) \end{aligned}$$
(16)
$$\begin{aligned} &\in \mathcal {O} \left( m \cdot d^3 \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) ^{\omega + 2} \right) . \end{aligned}$$
(17)

2.5 Approximation of Binomial Coefficients

We recall the following well-known approximation of binomial coefficients.

Lemma 9

([16, Lemma 17.5.1]). For \(0 < p < 1\), \(q = 1 - p\) such that \(n \cdot p\) is an integer

$$\begin{aligned} \frac{1}{\sqrt{8 \cdot n \cdot p \cdot q}} \le \left( {\begin{array}{c}n\\ n \cdot p\end{array}}\right) \cdot 2^{-n \cdot H_2 (p)} \le \frac{1}{\sqrt{\pi \cdot n \cdot p \cdot q}}. \end{aligned}$$

With \(p = \frac{k}{n}\) the inequality then becomes

$$\begin{aligned} \sqrt{\frac{n}{8 \cdot k \cdot \left( n - k \right) }} \le \left( {\begin{array}{c}n\\ k\end{array}}\right) \cdot 2^{-n \cdot H_2 \left( \frac{k}{n} \right) } \le \sqrt{\frac{n}{\pi \cdot k \cdot \left( n - k \right) }}. \end{aligned}$$
(18)

If the solving degree is an integer polynomial in the number of variables, then we have the following generic estimate for the binomial coefficient.

Proposition 10

Let \(n \ge 2\) be an integer, let \(\alpha \ge 1\), and let \(p \in \mathbb {Z} [x]\).

(1) If \(p (n) \ge n - 1\) for all \(n \ge 2\), then

$$\begin{aligned} \left( \frac{n + p (n) - 1}{p (n) \cdot (n - 1)} \right) ^\alpha \le \frac{2^\alpha }{n - 1}. \end{aligned}$$

(2) If \(p (n) \ge 0\) for all \(n \ge 2\), then

$$\begin{aligned} H_2 \left( \frac{p (n)}{n + p (n) - 1} \right) \le \left( 4 \cdot \frac{(n - 1) \cdot p (n)}{(n + p (n) - 1)^2} \right) ^\frac{1}{\log \left( 4 \right) } \le \left( 4 \cdot \frac{p (n)}{n - 1} \right) ^\frac{1}{\log \left( 4 \right) }. \end{aligned}$$

In particular if \(\alpha \ge 2\) and \(p (n) \ge n - 1\) for all \(n \ge 2\), then

$$\begin{aligned} \left( {\begin{array}{c}n + p (n) - 1\\ p (n)\end{array}}\right) ^\alpha \in \mathcal {O} \left( \frac{1}{n - 1} \cdot 2^{\alpha \cdot \left( \frac{4 \cdot (n - 1) \cdot p (n)}{\big ( n + p (n) - 1 \big )^{2 - \log \left( 4 \right) }} \right) ^\frac{1}{\log \left( 4 \right) }} \right) . \end{aligned}$$

Proof

For (1), since \(\alpha \ge 1\) and \(n \ge 2\) we have that

$$\begin{aligned} \left( \frac{n + p (n) - 1}{p (n) \cdot (n - 1)} \right) ^\alpha = \left( \frac{1}{p (n)} + \frac{1}{n - 1} \right) ^\alpha \le \left( \frac{2}{n - 1} \right) ^\alpha \le \frac{2^\alpha }{n - 1}, \end{aligned}$$

which proves the claim.

For (2), let \(0 < p < 1\); we recall the following inequality for the binary entropy [39, Theorem 1.2]

$$\begin{aligned} H_2 (p) \le \big ( 4 \cdot p \cdot (1 - p) \big )^\frac{1}{\log \left( 4 \right) }. \end{aligned}$$

Then

$$\begin{aligned} H_2 \left( \frac{p (n)}{n + p (n) - 1} \right) \le \left( 4 \cdot \frac{(n - 1) \cdot p (n)}{(n + p (n) - 1)^2} \right) ^\frac{1}{\log \left( 4 \right) }. \end{aligned}$$

Since \(\log \left( 4 \right) \approx 1.3863\) we have that \(n - 1 \le n + p (n) - 1 \Rightarrow (n - 1)^\frac{1}{\log \left( 4 \right) } \le (n + p (n) - 1)^\frac{1}{\log \left( 4 \right) }\), so the second inequality follows.

The last claim follows from Eq. (18) combined with the two inequalities.    \(\square \)

3 Refined Solving Degree and Degree of Regularity

Another measure to estimate the complexity of linear algebra-based Gröbner basis algorithms is the so-called degree of regularity.

Definition 11

(Degree of regularity, [7, Definition 4]). Let k be a field, and let \(\mathcal {F} \subset P = k [x_1, \dots , x_n]\). Assume that \(\left( \mathcal {F}^\text { top}\right) _d = P_d\) for some integer \(d \ge 0\). The degree of regularity is defined as

$$\begin{aligned} d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) = \min \left\{ d \ge 0 \; \left| \; \left( \mathcal {F}^\text { top}\right) _d = P_d\right. \right\} . \end{aligned}$$

Note that by Theorem 7 and the projective weak Nullstellensatz [17, Chapter 8 §3 Theorem 8] \(\mathcal {F}\) is in generic coordinates if and only if \(d_{{{\,\textrm{reg}\,}}} (\mathcal {F}) < \infty \).

For a polynomial system \(\mathcal {F} = \left\{ f_1, \dots , f_m, x_1^q - x_1, \dots , x_n^q - x_n \right\} \subset \mathbb {F}_{q}[x_1, \dots , x_n]\) such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \ge \max \{ q, \deg \left( f_1 \right) , \dots , \deg \left( f_m \right) \}\), Semaev & Tenti [32, Theorem 2.1] showed that all S-polynomials appearing in Buchberger’s algorithm have degree \(\le 2 \cdot d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) - 2\). Due to the requirement \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \ge q\) we do not expect that Semaev & Tenti’s bound outperforms the Macaulay bound in practice. On the other hand, the inclusion of the field equations was only made to restrict to the \(\mathbb {F}_{q}\)-valued solutions of a polynomial system; the proof of [32, Theorem 2.1] only requires that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) < \infty \). Moreover, we will see that LWE polynomial systems contain a univariate polynomial \(f_i \mid x_i^q - x_i\) for every variable \(x_i\). Hence, LWE polynomial systems can restrict to the \(\mathbb {F}_{q}\)-valued solutions with polynomials of much smaller degree than q. Therefore, we now generalize [32, Theorem 2.1] to the general case \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) < \infty \).

Let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset k [x_1, \dots , x_n]\) be such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) < \infty \). Moreover, let > be a degree compatible term order on \(k [x_1, \dots , x_n]\). In principle, we simply repeat the refined analysis presented in [38, §3.4]:

(1) Compute the Macaulay matrix \(M_{\le d_{{{\,\textrm{reg}\,}}} (\mathcal {F})}\) of the sequence \(f_1, \dots , f_m\) with respect to >, and put the matrix into row echelon form.

(2) Choose a finite set of generators \((\mathcal {B}) = I\) such that every element of \(\mathcal {B}\) has degree \(\le d_{{{\,\textrm{reg}\,}}} (\mathcal {F})\), and every monomial in \(k [x_1, \dots , x_n]\) of degree \(\ge d_{{{\,\textrm{reg}\,}}} (\mathcal {F})\) is divisible by at least one monomial in \(\big ( {{\,\textrm{LM}\,}}_> (\mathcal {B}) \big )\). Then we perform Buchberger’s algorithm on \(\mathcal {B}\) to obtain a Gröbner basis \(\mathcal {G}\).

(3) Compute a reduced Gröbner basis of \((\mathcal {F})\) via \(\mathcal {G}\).

Let us now collect some properties of the basis \(\mathcal {B}\).

Proposition 12

Let k be a field, let > be a degree compatible term order on \(P = k [x_1, \dots , x_n]\), and let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset P\) be such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) < \infty \). There exists a finite generating set \(\mathcal {B}\) for \((\mathcal {F})\) such that

(1) \(\max _{f \in \mathcal B} \deg \left( f \right) \le d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \).

(2) Every monomial \(m \in k [x_1, \dots , x_n]\) with \(\deg \left( m \right) \ge d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \) is divisible by some \({{\,\textrm{LM}\,}}_> (f)\), where \(f \in \mathcal {B}\).

(3) For \(f \in \mathcal {B}\) with \(\deg \left( f \right) = d_{{{\,\textrm{reg}\,}}} (\mathcal {F})\) one has \(\deg \big ( f - {{\,\textrm{LT}\,}}_> (f) \big ) < d_{{{\,\textrm{reg}\,}}} (\mathcal {F})\).

Proof

We abbreviate \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) = d_{{{\,\textrm{reg}\,}}}\). First we construct the Macaulay matrix \(M_{\le d_{{{\,\textrm{reg}\,}}}}\) of \(\mathcal {F}\) with respect to > and denote by \(\mathcal {B}\) a basis of the row space of \(M_{\le d_{{{\,\textrm{reg}\,}}}}\). By assumption, we have that \(d_{{{\,\textrm{reg}\,}}} = d_{{{\,\textrm{reg}\,}}} \left( \mathcal {B} \right) \).

For \(f \in \mathcal {F}\), if \(\deg \left( f \right) \le d_{{{\,\textrm{reg}\,}}}\), then by construction \(f \in (\mathcal {B})_{\le d_{{{\,\textrm{reg}\,}}}}\). If \(\deg \left( f \right) > d_{{{\,\textrm{reg}\,}}}\), then we compute the remainder \(r_f\) of f modulo \(\mathcal {B}\) with respect to > and add it to \(\mathcal {B}\). By elementary properties of multivariate polynomial division, see [17, Sect. 2 §3 Theorem 3], and the degree of regularity we then have that \(\deg \left( r_f \right) < d_{{{\,\textrm{reg}\,}}}\).

Obviously, we have that \((\mathcal {B}) = (\mathcal {F})\) and (1) follows by construction, (2) follows from \(d_{{{\,\textrm{reg}\,}}} = d_{{{\,\textrm{reg}\,}}} \left( \mathcal {B} \right) \), and lastly basis elements that satisfy (3) can always be constructed with another round of Gaussian elimination on the elements of \(\mathcal {B}\) of degree \(d_{{{\,\textrm{reg}\,}}}\).    \(\square \)

Now we can prove the generalization of Semaev & Tenti’s bound.

Theorem 13

Let k be a field, let > be a degree compatible term order on \(P = k [x_1, \dots , x_n]\), and let \(\mathcal {F} = \{ f_1, \dots , f_m \} \subset P\) such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) < \infty \). If \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \ge \max \big \{ \deg \left( f_1 \right) , \dots , \deg \left( f_m \right) \big \}\), then

$$\begin{aligned} \overline{{{\,\textrm{sd}\,}}}_> \left( \mathcal {F} \right) \le 2 \cdot d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) - 1. \end{aligned}$$

Proof

We abbreviate \(d_{{{\,\textrm{reg}\,}}} (\mathcal {F}) = d_{{{\,\textrm{reg}\,}}}\). Let \(\mathcal {B} = \{ g_1, \dots , g_t \}\) be the ideal basis from Proposition 12 for \((\mathcal {F})\). By assumption, we have that \(\mathcal {F} \subset (\mathcal {B})_{\le d_{{{\,\textrm{reg}\,}}}}\), and by construction \(\mathcal {B} \subset {{\,\textrm{rowsp}\,}}\big ( M_{d_{{{\,\textrm{reg}\,}}}} (\mathcal {F}) \big )\). Starting from \(\mathcal {B}\) we compute a >-Gröbner basis via Buchberger’s algorithm, see [17, Sect. 2 §7]. For \(g_i, g_j \in \mathcal {B}\) we consider their >-S-polynomial

$$\begin{aligned} S_> (g_i, g_j) = \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_i)} \cdot g_i - \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_j)} \cdot g_j, \end{aligned}$$

where \(x^\gamma = {{\,\textrm{lcm}\,}}\big ( {{\,\textrm{LM}\,}}_> (g_i), {{\,\textrm{LM}\,}}_> (g_j) \big )\). Note that by [17, Sect. 2 §9 Proposition 4] we only have to consider the pairs with \(\gcd \big ( {{\,\textrm{LM}\,}}_> (g_i), {{\,\textrm{LM}\,}}_> (g_j) \big ) \ne 1\). Since \({{\,\textrm{LM}\,}}_> (g_i)\) and \({{\,\textrm{LM}\,}}_> (g_j)\) must coincide in at least one variable and their degree is \(\le d_{{{\,\textrm{reg}\,}}}\) we can conclude that

$$\begin{aligned} \deg \left( \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_i)} \cdot g_i \right) , \deg \left( \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_j)} \cdot g_j \right) \le 2 \cdot d_{{{\,\textrm{reg}\,}}} - 1. \end{aligned}$$

After performing division with remainder of the S-polynomial with respect to \(\mathcal {B}\) we also have that the remainder has degree \(< d_{{{\,\textrm{reg}\,}}}\), since \(\big ( {{\,\textrm{LM}\,}}_> (\mathcal {B}) \big )_d = \big ( k [x_1, \dots , x_n] \big )_d\) for all \(d \ge d_{{{\,\textrm{reg}\,}}}\). Therefore, all S-polynomials with non-trivial remainder within Buchberger’s algorithm can be constructed via polynomials whose degree is \(\le 2 \cdot d_{{{\,\textrm{reg}\,}}} - 1\). Since Buchberger’s algorithm always produces a >-Gröbner basis we can conclude that \(\overline{{{\,\textrm{sd}\,}}}_> (\mathcal {F}) \le 2 \cdot d_{{{\,\textrm{reg}\,}}} - 1\).    \(\square \)

Corollary 14

In the scenario of Theorem 13, the largest degree of S-polynomials appearing in Buchberger’s algorithm is less than or equal to \(2 \cdot d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) - 2\).

Proof

Let us take another look at the S-polynomial

$$\begin{aligned} S_> (g_i, g_j) &= \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_i)} \cdot g_i - \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_j)} \cdot g_j \\ &= \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_i)} \cdot \tilde{g}_i - \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_j)} \cdot \tilde{g}_j, \end{aligned}$$

where \(x^\gamma = {{\,\textrm{lcm}\,}}\big ( {{\,\textrm{LM}\,}}_> (g_i), {{\,\textrm{LM}\,}}_> (g_j) \big )\) and \(\tilde{g}_l = g_l - {{\,\textrm{LM}\,}}_> (g_l)\) for \(l = i, j\). Since the leading monomials are not coprime we have that

$$\begin{aligned} \deg \left( \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_i)} \right) , \deg \left( \frac{x^\gamma }{{{\,\textrm{LM}\,}}_> (g_j)} \right) \le d_{{{\,\textrm{reg}\,}}} - 1. \end{aligned}$$

Moreover, by Proposition 12 we have that \(\deg \left( \tilde{g}_i \right) , \deg \left( \tilde{g}_j \right) < d_{{{\,\textrm{reg}\,}}}\).    \(\square \)

4 Affine-Derived Polynomial Systems

LWE polynomial systems follow a very special structure. To construct one polynomial one starts with a univariate polynomial f and then substitutes a multivariate affine equation \(\left\langle {\textbf{a}, \textbf{x}}\right\rangle + b\) into f. Many properties of LWE polynomial systems stem solely from this substitution, which motivates the following definition.

Definition 15

(Affine-derived polynomial systems). Let k be a field, let \(n, m \ge 1\) be integers, let \(g_1, \dots , g_m \in k [x]\) be non-constant polynomials, let \(\textbf{a}_1, \dots , \textbf{a}_m \in k^n\), and let \(b_1, \dots , b_m \in k\). In the polynomial ring \(k [x_1, \dots , x_n]\), we call

$$\begin{aligned} g_1 \left( \textbf{a}_1^\intercal \textbf{x} + b_1 \right) &= 0, \\ &\dots \\ g_m \left( \textbf{a}_m^\intercal \textbf{x} + b_m \right) &= 0, \end{aligned}$$

where \(\textbf{x} = \left( x_1, \dots , x_n \right) ^\intercal \), the affine-derived polynomial system of \(g_1, \dots , g_m\) by \((\textbf{a}_1, b_1), \dots , (\textbf{a}_m, b_m)\). We also abbreviate an affine-derived polynomial system as the tuple \(\Big ( \big ( g_1, \textbf{a}_1, b_1 \big ), \dots , \big ( g_m, \textbf{a}_m, b_m \big ) \Big )\).

Next let us collect some properties of zero-dimensional affine-derived polynomial systems.

Theorem 16

Let k be a field and let \(\bar{k}\) be its algebraic closure, let \(n \ge 1\) be an integer, and let \(\mathcal {F} = \Big ( \big ( g_1, \textbf{a}_1, b_1 \big ), \dots , \big ( g_n, \textbf{a}_n, b_n \big ) \Big ) \subset k [x_1, \dots , x_n]\) be an affine-derived polynomial system. Assume that the matrix

$$\begin{aligned} \textbf{A} = \begin{pmatrix} \textbf{a}_1 & \dots & \textbf{a}_n \end{pmatrix} ^\intercal \in k^{n \times n} \end{aligned}$$

has rank n. Then

(1) LEX and DRL Gröbner bases of \(\mathcal {F}\) can be computed via an affine transformation.

(2) \(\mathcal {F}\) is a 0-dimensional polynomial system.

(3) \(\dim _k \big ( k [x_1, \dots , x_n] / (\mathcal {F}) \big ) = \prod _{i = 1}^{n} \deg \left( g_i \right) \).

(4) Let \(\mathcal {G} \subset \bar{k} [x_1, \dots , x_n]\) be such that \(\mathcal {F} \subset \mathcal {G}\) and \((\mathcal {G}) \ne (1)\). Then \(\left( \mathcal {G}^\text { hom}\right) \) is in generic coordinates.

If in addition k is a finite field with q elements and \(g_i \mid x^q - x\) for all \(1 \le i \le n\), then

(5) Any ideal \(I \subset k [x_1, \dots , x_n]\) such that \(\mathcal {F} \subset I\) is radical.

Proof

For (1), we define new variables via

$$\begin{aligned} \begin{pmatrix} y_1 \\ \vdots \\ y_n \end{pmatrix} = \begin{pmatrix} \textbf{a}_1 & \dots & \textbf{a}_n \end{pmatrix} ^\intercal \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix} + \begin{pmatrix} b_1 \\ \vdots \\ b_n \end{pmatrix} , \end{aligned}$$

and since the matrix \(\textbf{A}\) has full rank this construction is invertible. Then the polynomial system is of the form \(g_1 (y_1) = \ldots = g_n (y_n) = 0\), so under any LEX or DRL term order the leading monomials of the polynomials are pairwise coprime, and by [17, Sect. 2 §9 Theorem 3, Proposition 4] we have found a Gröbner basis.

(2) follows from [17, Sect. 5 §3 Theorem 6].

For (3), the quotient space dimension can be computed by counting the number of monomials not contained in \(\left( y_1^{\deg \left( g_1 \right) }, \dots , y_n^{\deg \left( g_n \right) } \right) \).

(4) follows from Theorem 7.

For (5), let \(F = \left( x_1^q - x_1, \dots , x_n^q - x_n \right) \subset k [x_1, \dots , x_n]\) be the ideal of field equations. It is well-known that for any ideal \(I \subset k [x_1, \dots , x_n]\) the ideal \(I + F\) is radical, see for example [25, Lemma 3.1.1]. Since \(g_i \mid x^q - x\) we have for all \(1 \le i \le n\) that

$$\begin{aligned} \begin{aligned} \left( \textbf{a}_i^\intercal \textbf{x} + b_i \right) ^q - \left( \textbf{a}_i^\intercal \textbf{x} + b_i \right) &= \left( \textbf{a}_i^\intercal \textbf{x} \right) ^q - \left( \textbf{a}_i^\intercal \textbf{x} \right) \\ &= \sum _{j = 1}^{n} a_{i, j} \cdot \left( x_j^q - x_j \right) = \textbf{a}_i^\intercal \begin{pmatrix} x_1^q - x_1 \\ \vdots \\ x_n^q - x_n \end{pmatrix} \in (\mathcal {F}). \end{aligned} \end{aligned}$$

So by invertibility of \(\textbf{A}\) we have that \(x_i^q - x_i \in (\mathcal {F})\) for all \(1 \le i \le n\), which proves the claim.    \(\square \)

Remark 17

Note that being in generic coordinates also follows from [12, Remark 13].

Corollary 18

Let k be an algebraically closed field, let \(m > n \ge 1\), let \(\mathcal {F} = \Big ( \big ( g_1, \textbf{a}_1, b_1 \big ), \dots , \big ( g_m, \textbf{a}_m, b_m \big ) \Big ) \subset k [x_1, \dots , x_n]\) be an affine-derived polynomial system such that \(\deg \left( g_1 \right) \ge \ldots \ge \deg \left( g_m \right) \). Assume that the matrix

$$\begin{aligned} \textbf{A} = \begin{pmatrix} \textbf{a}_1 & \dots & \textbf{a}_m \end{pmatrix} ^\intercal \in k^{m \times n} \end{aligned}$$

has rank n. Then

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} (\mathcal {F}) \le \sum _{i = 1}^{n + 1} \left( \deg \left( g_i \right) - 1 \right) + 1. \end{aligned}$$

In particular if \(d \ge \deg \left( g_1 \right) \), then

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} (\mathcal {F}) \le \left( n + 1 \right) \cdot \left( d - 1 \right) + 1. \end{aligned}$$

Proof

Follows from Theorem 16 and the Macaulay bound Corollary 6.    \(\square \)

4.1 LWE Polynomial Systems

Arora & Ge proposed a noise-free polynomial system to solve the Search-LWE problem [6]. If the error is distributed via a Gaussian distribution \(\mathcal {N} (0, \sigma )\), then one assumes that the error always falls in the range \([-t \cdot \sigma , t \cdot \sigma ]\) for some \(t \in \mathbb {Z}\) such that \(d = 2 \cdot t + 1 < q\). As we saw in Eq. (7), the probability of falling outside this interval decreases exponentially in t. Therefore, up to this failure probability, in \(\mathbb {F}_{q}\) the error is always a root of the polynomial

$$\begin{aligned} f (x) = x \cdot \prod _{i = 1}^{t} \left( x + i \right) \cdot \left( x - i \right) \in \mathbb {F}_{q}[x]. \end{aligned}$$
(19)

Since by construction \(2 \cdot t + 1 < q\) there cannot exist \(1 \le i < j \le t\) such that \(i \equiv -j \mod q\). So f is a square-free polynomial and therefore divides the field equation \(x^q - x\). For LWE samples \((\textbf{a}_i, c_i) = \left( \textbf{a}_i, \textbf{a}_i^\intercal \textbf{s} + e_i \right) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\) one then has that in \(\mathbb {F}_{q}[x_1, \dots , x_n]\)

$$\begin{aligned} f \left( c_i - \textbf{a}_i^\intercal \textbf{x} \right) = 0 \end{aligned}$$
(20)

with probability \(\ge 1 - \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) \). Given m LWE samples one then constructs m polynomials of the form of Eq. (20); we call this polynomial system the LWE polynomial system \(\mathcal {F}_\text {LWE}\). Obviously, the LWE polynomial system is an affine-derived polynomial system. The failure probability, i.e. the probability that at least one error term does not lie in the interval \([-t \cdot \sigma , t \cdot \sigma ]\), can be estimated via the union bound

$$\begin{aligned} p_{fail} = m \cdot {{\,\mathrm{\mathbb {P}}\,}}\left[ \left| X \right| > t \cdot \sigma \right] \le m \cdot \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) . \end{aligned}$$
(21)

Moreover, by Theorem 16 for the polynomial system to be fully determined we have to require that \(m \ge n\) and that n sample vectors are linearly independent.
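As an added example (not code from the paper), the following Python snippet builds the error polynomial of Eq. (19) over \(\mathbb {F}_{q}\) for an integer half-width t, checks the properties the text relies on (\(2 \cdot t + 1 < q\), every error in \([-t, t]\) is a root, f divides the field equation \(x^q - x\) as required by Theorem 16(5)), and evaluates the union bound of Eq. (21) together with the \(t = \sqrt{2 \cdot \log (m)}\) choice of Lemma 19. The modular polynomial helpers are my own; all numeric values are constructed.

```python
"""Added example, not from the paper: the Arora-Ge error polynomial of Eq. (19)
over F_q, the hypotheses Theorem 16(5) needs from it, and the union bound of
Eq. (21).  Polynomials in F_q[x] are coefficient lists, lowest degree first."""
import math


def poly_mul(a, b, q):
    """Product of two polynomials in F_q[x]."""
    res = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % q
    return res


def poly_mod(a, m, q):
    """Remainder of a modulo a monic polynomial m, returned with deg(m) entries."""
    a = [c % q for c in a]
    dm = len(m) - 1
    assert dm >= 1 and m[dm] % q == 1, "modulus must be monic and non-constant"
    for i in range(len(a) - 1, dm - 1, -1):        # clear the top coefficient
        c = a[i]
        if c:
            for j in range(dm + 1):
                a[i - dm + j] = (a[i - dm + j] - c * m[j]) % q
    return (a + [0] * dm)[:dm]


def poly_eval(f, x, q):
    """Horner evaluation of f at x in F_q."""
    r = 0
    for c in reversed(f):
        r = (r * x + c) % q
    return r


def error_polynomial(t, q):
    """f(x) = x * prod_{i=1}^t (x + i)(x - i) of Eq. (19) for the integer
    half-width t of the error interval; the text requires 2t + 1 < q."""
    if 2 * t + 1 >= q:
        raise ValueError("need 2t + 1 < q so that the roots -t..t stay distinct mod q")
    f = [0, 1]                                     # x
    for i in range(1, t + 1):
        f = poly_mul(f, [i % q, 1], q)             # (x + i)
        f = poly_mul(f, [(-i) % q, 1], q)          # (x - i)
    return f


def divides_field_equation(f, q):
    """True iff f | x^q - x in F_q[x]: compute x^q mod f by square-and-multiply
    and compare it with x mod f."""
    result, base, e = [1], [0, 1], q
    while e:
        if e & 1:
            result = poly_mod(poly_mul(result, base, q), f, q)
        base = poly_mod(poly_mul(base, base, q), f, q)
        e >>= 1
    x_mod_f = poly_mod([0, 1], f, q)
    return all((u - v) % q == 0 for u, v in zip(result, x_mod_f))


def failure_bound(m, t):
    """Union bound of Eq. (21): m * 2 / (t * sqrt(2 pi)) * exp(-t^2 / 2)."""
    return m * 2.0 / (t * math.sqrt(2.0 * math.pi)) * math.exp(-t * t / 2.0)


def lemma19_probabilities(m):
    """Plug t = sqrt(2 log m) from Lemma 19 into Eq. (21).  Returns the success
    probability implied by Eq. (21) and p_g from Lemma 19; the two agree."""
    t = math.sqrt(2.0 * math.log(m))
    return 1.0 - failure_bound(m, t), 1.0 - math.sqrt(1.0 / (math.pi * math.log(m)))


if __name__ == "__main__":
    q, t = 101, 3                                  # constructed parameters
    f = error_polynomial(t, q)                     # degree 7 = 2t + 1
    assert all(poly_eval(f, e % q, q) == 0 for e in range(-t, t + 1))
    print("f divides x^q - x:", divides_field_equation(f, q))
    print("p_fail bound for m = 500 samples:", failure_bound(500, t))
    print("Lemma 19 check for m = 500:", lemma19_probabilities(500))
```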

To derive the complexity of Gröbner basis computations we in principle follow the strategy of [3, §5]. We assume that \(\sigma = n^\epsilon \), where \(0 \le \epsilon \le 1\), and let \(\theta \) be such that \(0 \le \theta \le \epsilon \le 1\). We consider sample numbers of the following form

$$\begin{aligned} m_\text {GB} = e^{\gamma _\theta }, \end{aligned}$$
(22)

where \(\gamma _\theta = n^{2 \cdot \left( \epsilon - \theta \right) }\).

Lemma 19

([3, Lemma 5]). Let \(q, n, \sigma \) be parameters of an LWE instance. Let \(\left( \textbf{a}_1, b_1 \right) , \dots , \left( \textbf{a}_m, b_m \right) \) be elements of \(\mathbb {Z}_q^n \times \mathbb {Z}\) sampled according to LWE. If \(t = \sqrt{2 \cdot \log \left( m \right) }\), then the LWE polynomial system vanishes with probability at least

$$\begin{aligned} p_g = 1 - \sqrt{\frac{1}{\pi \cdot \log \left( m \right) }}. \end{aligned}$$

By [3, Remark 1] \(m \in \mathcal {O} (n)\) implies that \(p_g \in 1 - o (1)\).

Therefore, we can deduce the degree \(D_\text {GB}\) required for \(m_\text {GB} = e^{\gamma _\theta }\) equations in the LWE polynomial system. By the previous lemma, we have to fix \(t_\text {GB} = \sqrt{2 \cdot \log \left( m_\text {GB} \right) } = \sqrt{2 \cdot \gamma _\theta }\), so

$$\begin{aligned} \begin{aligned} D_\text {GB} &= 2 \cdot \sqrt{2 \cdot \log \left( m_\text {GB} \right) } \cdot \sigma + 1 \\ &\in \mathcal {O} \left( \sqrt{\log \left( m_\text {GB} \right) } \cdot \sigma \right) = \mathcal {O} \left( \sqrt{\gamma _\theta } \cdot \sigma \right) = \mathcal {O} \left( n^{2 \cdot \epsilon - \theta } \right) = \mathcal {O} \left( \gamma _\theta \cdot n^\theta \right) . \end{aligned} \end{aligned}$$
(23)

Theorem 20

Let \(q, n \ge 2, \sigma = \sqrt{\frac{n}{2 \cdot \pi }}\) be parameters of an LWE instance. Let \(m_\text {GB} = e^\frac{\pi \cdot n}{4}\), and let \(\left( \textbf{a}_i, b_i \right) _{1 \le i \le m_\text {GB}}\) be elements of \(\mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) sampled according to LWE. If the matrix \(\textbf{A} = \begin{pmatrix} \textbf{a}_1 & \dots & \textbf{a}_m \end{pmatrix} ^\intercal \) has rank n, then a linear algebra-based Gröbner basis algorithm that computes a DRL Gröbner basis has time complexity

$$\begin{aligned} \mathcal {O} \left( n \cdot 2^{\omega \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot n^{2 - \frac{1}{\log \left( 4 \right) }} + \frac{\pi \cdot \log _2 \left( e \right) }{4} \cdot n} \right) \end{aligned}$$

and memory complexity

$$\begin{aligned} \mathcal {O} \left( n \cdot 2^{2^{1 + \frac{1}{\log \left( 2 \right) }} \cdot n^{2 - \frac{1}{\log \left( 4 \right) }} + \frac{\pi \cdot \log _2 \left( e \right) }{4} \cdot n} \right) . \end{aligned}$$

The algorithm has success probability \(\ge 1 - \frac{2}{\pi \cdot \sqrt{n}}\).

Proof

As in Lemma 19 let \(t = \sqrt{2 \cdot \log \left( m_\text {GB} \right) }\). By our assumptions and Equation (23) we have that

$$\begin{aligned} D_\text {GB} = 2 \cdot \sqrt{2 \cdot \log \left( m_\text {GB} \right) } \cdot \sigma + 1 = 2 \cdot \sqrt{2 \cdot \frac{\pi \cdot n}{4}} \cdot \sqrt{\frac{n}{2 \cdot \pi }} + 1 = n + 1. \end{aligned}$$

Since the matrix \(\textbf{A}\) has full rank we can apply Corollary 18 to estimate the solving degree of the LWE polynomial system

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F}_\text {LWE} \right) \le \left( n + 1 \right) \cdot \left( D_\text {GB} - 1 \right) + 1 = n^2 + n + 1. \end{aligned}$$

Now we apply Proposition 10 with \(p (n) = n^2 + n + 1\), then we perform the additional estimations

$$\begin{aligned} n^3 - 1 &< n^3, \\ \left( n^2 \right) ^{2 - \log \left( 4 \right) } &\le \left( n^2 + 2 \cdot n \right) ^{2 - \log \left( 4 \right) }, \end{aligned}$$

for all \(n \ge 1\). Also note that \(2 - \log \left( 4 \right) \approx 0.6137\), so we can divide by the expressions in the last inequality without affecting the sign. Therefore,

$$\begin{aligned} \big ( n + p (n) - 1 \big ) \cdot H_2 \left( \frac{p (n)}{n + p (n) - 1} \right) \le 2^\frac{1}{\log \left( 2 \right) } \cdot n^{2 - \frac{1}{\log \left( 4 \right) }}. \end{aligned}$$

The final claim then follows by converting \(m_\text {GB}\) into base 2.    \(\square \)

Numerically we have that \(2 - \frac{1}{\log \left( 4 \right) } \approx 1.2787\).

4.2 LWE with Small Errors

Suppose that the LWE error distribution \(\chi \) can only take values in \(\mathcal {E} \subset \mathbb {F}_{q}\) with \(| \mathcal {E} | = D \ll \sqrt{n}\). Then the error polynomial is

$$\begin{aligned} f (x) = \prod _{e \in \mathcal {E}} (x - e) \end{aligned}$$
(24)

of degree D. Moreover, for any LWE sample \((\textbf{a}, b)\) we have \(f \left( b - \textbf{a}^\intercal \textbf{x} \right) = 0\) with probability 1. Analogously to Theorem 20 we can estimate the complexity of a DRL Gröbner basis computation.

Theorem 21

Let q be a prime, and let \(m > n \ge 2\) be integers. Let \(\left( \textbf{a}_i, b_i \right) _{1 \le i \le m}\) be elements of \(\mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) sampled according to an LWE distribution \(A_{\textbf{s}, \chi }\) such that the error distribution \(\chi \) can take at most D values. If the matrix \(\textbf{A} = \begin{pmatrix} \textbf{a}_1 & \dots & \textbf{a}_m \end{pmatrix} ^\intercal \) has rank n, then a linear algebra-based Gröbner basis algorithm that computes a DRL Gröbner basis has time complexity

$$\begin{aligned} \mathcal {O} \left( m \cdot (D - 1) \cdot n \cdot 2^{\omega \cdot \left( 8 \cdot D^{\log \left( 4 \right) - 1} \right) ^\frac{1}{\log \left( 4 \right) } \cdot n} \right) \end{aligned}$$

and memory complexity

$$\begin{aligned} \mathcal {O} \left( m \cdot (D - 1) \cdot n \cdot 2^{2 \cdot \left( 8 \cdot D^{\log \left( 4 \right) - 1} \right) ^\frac{1}{\log \left( 4 \right) } \cdot n} \right) . \end{aligned}$$

Proof

The LWE polynomials have degree D, therefore by Corollary 18

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} (\mathcal {F}_\text {LWE}) \le (n + 1) \cdot (D - 1) + 1. \end{aligned}$$

We apply Proposition 10 with \(p (n) = (n + 1) \cdot (D - 1) + 1\) and do the estimations

$$\begin{aligned} \frac{(n + 1) \cdot (D - 1) + 1}{n - 1} = \frac{(n - 1) \cdot (D - 1) + 2 \cdot D - 1}{n - 1} \in \mathcal {O} (1), \end{aligned}$$

for all \(n \ge 2\),

$$\begin{aligned} \big ( (n + 1) \cdot (D - 1) + 1 \big ) \cdot (n - 1) &= \left( n^2 - 1 \right) \cdot (D - 1) + n - 1 \le 2 \cdot n^2 \cdot D, \\ \left( n \cdot D \right) ^{2 - \log \left( 4 \right) } &\le \left( n \cdot D + D - 1 \right) ^{2 - \log \left( 4 \right) }, \end{aligned}$$

for all \(n \ge 1\).    \(\square \)

4.3 LWE with Small Secrets

Suppose that the entries of the secret \(\textbf{s}\) of a LWE distribution \(A_{\textbf{s}, \chi }\) can only take values in \(\mathcal {S} \subset \mathbb {F}_{q}\) with \(| \mathcal {S} | = D\). Then for \(1 \le i \le n\) we can add the equations

$$\begin{aligned} f_i (x_i) = \prod _{s \in \mathcal {S}} (x_i - s) \end{aligned}$$
(25)

to the LWE polynomial system. Trivially, \(f_1, \dots , f_n\) is a DRL Gröbner basis, so the monomials \(g \notin {{\,\textrm{in}\,}}_{DRL} (f_1, \dots , f_n)\) have degree \(\le n \cdot (D - 1)\). Moreover, any univariate polynomial is trivially affine-derived.

Theorem 22

Let q be a prime, and let \(m > n \ge 2\) be integers. Let \(\left( \textbf{a}_i, b_i \right) _{1 \le i \le m}\) be elements of \(\mathbb {Z}_q^n \times \mathbb {Z}_q\) sampled according to an LWE distribution \(A_{\textbf{s}, \chi }\) such that the components of the secret can only take values in a set of size D. If the error polynomial f has \(\deg \left( f \right) > D\), then a linear algebra-based Gröbner basis algorithm that computes a DRL Gröbner basis has time complexity

$$\begin{aligned} \mathcal {O} \left( m \cdot (D - 1) \cdot n^2 \cdot 2^{\omega \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (D - 1)^{1 - \frac{1}{\log \left( 4 \right) }} \cdot n^{2 - \frac{1}{\log \left( 4 \right) }}} \right) \end{aligned}$$

and memory complexity

$$\begin{aligned} \mathcal {O} \left( m \cdot (D - 1)^2 \cdot n^3 \cdot 2^{2^{1 + \frac{1}{\log \left( 2 \right) }} \cdot (D - 1)^{1 - \frac{1}{\log \left( 4 \right) }} \cdot n^{2 - \frac{1}{\log \left( 4 \right) }}} \right) . \end{aligned}$$

Proof

Let \(\mathcal {F}_\text {LWE}\) be the affine-derived LWE polynomial system, and let \(\mathcal {F}_\mathcal {S}\) be the polynomials that have all possible values of the secret components as zeros, see Eq. (25). As preprocessing we compute the remainder of all polynomials in \(\mathcal {F}_\text {LWE}\) with respect to \(\mathcal {F}_\mathcal {S}\) and DRL, then the remainder polynomials can at most have degree \(n \cdot (D - 1)\), see [17, Sect. 2 §6 Proposition 1]. Now we join the remainders and \(\mathcal {F}_\mathcal {S}\) in a single system \(\mathcal {F}\) and start the Gröbner basis computation. By Theorem 7 this polynomial system is in generic coordinates, therefore

$$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le (n + 1) \cdot \big ( n \cdot (D - 1) - 1 \big ) + 1. \end{aligned}$$

Now we apply Proposition 10 with \(p (n) = (n + 1) \cdot n \cdot (D - 1) + 1\) and perform the additional estimations

$$\begin{aligned} \frac{(n + 1) \cdot \big ( n \cdot (D - 1) - 1 \big ) + 1}{n - 1} \le \frac{(D - 1) \cdot (n + 1)^2}{n - 1} \in \mathcal {O} \left( (D - 1) \cdot n \right) \end{aligned}$$

for all \(n \ge 2\), and

$$\begin{aligned} \big ( (n + 1) \cdot n \cdot (D - 1) + 1 \big ) \cdot (n - 1) &\le n^3 \cdot (D - 1), \\ n^2 \cdot (D - 1) &\le n + (n + 1) \cdot n \cdot (D - 1), \end{aligned}$$

for all \(n \ge 1\). Then

$$\begin{aligned} \frac{n^3 \cdot (D - 1)}{\big ( n^2 \cdot (D - 1) \big )^{2 - \log \left( 4 \right) }} = n^{2 \cdot \log \left( 4 \right) - 1} \cdot (D - 1)^{\log \left( 4 \right) - 1} \end{aligned}$$

which proves the claim.    \(\square \)

LWE with Small Secrets and Small Errors. Lastly, let us briefly analyze the case of small secret, small error LWE. Suppose that the errors are drawn from a set of size \(D_\mathcal {E}\) and that the secrets are drawn from a set of size \(D_\mathcal {S}\). As for Theorem 22 we can compute the DRL remainder of the LWE polynomials with respect to the n univariate polynomials limiting the possible solutions for the secret.

  • If \(D_\mathcal {E} \gg D_\mathcal {S}\), then the degrees of the remainders can be estimated as \(\le n \cdot (D_\mathcal {S} - 1)\), and we obtain the Macaulay bound

    $$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le (n + 1) \cdot n \cdot (D_\mathcal {S} - 1) + 1. \end{aligned}$$
    (26)
  • If \(n \cdot (D_\mathcal {S} - 1) \gg D_\mathcal {E} \ge D_\mathcal {S}\), then the degrees of the remainders can always be estimated as \(\le D_\mathcal {E}\), and we obtain

    $$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le (n + 1) \cdot (D_\mathcal {E} - 1) + 1. \end{aligned}$$
    (27)
  • If \(n \cdot (D_\mathcal {S} - 1) \gg D_\mathcal {S} > D_\mathcal {E}\), then we perform a variable transformation so that the LWE polynomials \(\mathcal {F}_\text {LWE}\) include n univariate polynomials, i.e. we exchange the roles of \(\mathcal {F}_\mathcal {S}\) and \(\mathcal {F}_\text {LWE}\). The degrees of the remainders of \(\mathcal {F}_\mathcal {S}\) are then bounded by \(D_\mathcal {S}\), and we obtain

    $$\begin{aligned} {{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F} \right) \le n \cdot (D_\mathcal {S} - 1) + D_\mathcal {E}. \end{aligned}$$
    (28)

So the first case reduces to Theorem 22 and the second and the third one to Theorem 21, though the third case has a different constant term in the solving degree bound than small error LWE.

5 Sub-exponential Complexity Estimates via the Refined Solving Degree

In this section we use Theorem 13 to show that in an ideal scenario general LWE, binary secret LWE and binary error LWE admit sub-exponential Gröbner basis algorithms.

5.1 LWE with Exponential Many Samples

For general LWE the lowest achievable degree of regularity is the degree D of the error polynomial. In that degree there exist \(\left( {\begin{array}{c}n + D - 1\\ D\end{array}}\right) \) many monomials, hence to achieve degree of regularity D the number of samples m has to be at least this binomial coefficient.

Theorem 23

Let \(q, n, \sigma \) be parameters of an LWE instance, and let \(D = 2 \cdot t \cdot \sigma + 1\) be the degree of the LWE polynomial. Let \(m \in \mathcal {O} \left( \left( {\begin{array}{c}n + D - 1\\ D\end{array}}\right) \right) \) be such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE}^\text { top}\right) = D\). Then a linear algebra-based Gröbner basis algorithm that computes a DRL Gröbner basis has time complexity

$$\begin{aligned} \mathcal {O} \left( D^3 \cdot 2^{(\omega + 3) \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (2 \cdot D - 1)^\frac{1}{\log \left( 4 \right) } \cdot (n - 1)^{1 - \frac{1}{\log \left( 4 \right) }}} \right) \end{aligned}$$

and memory complexity

$$\begin{aligned} \mathcal {O} \left( D^3 \cdot 2^{5 \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (2 \cdot D - 1)^\frac{1}{\log \left( 4 \right) } \cdot (n - 1)^{1 - \frac{1}{\log \left( 4 \right) }}} \right) . \end{aligned}$$

For \(t \rightarrow \infty \) the success probability of the algorithm approaches 1.

Proof

We can use Theorem 13 and Eq. (17) to estimate the complexity of a linear algebra-based Gröbner basis algorithm. Then

$$\begin{aligned} \mathcal {O} \left( m \cdot (2 \cdot D - 1)^3 \cdot \left( {\begin{array}{c}n + 2 \cdot D - 2\\ 2 \cdot D - 1\end{array}}\right) ^{\omega + 2} \right) \in \mathcal {O} \left( D^3 \cdot \left( {\begin{array}{c}n + 2 \cdot D - 2\\ 2 \cdot D - 1\end{array}}\right) ^{\omega + 3} \right) . \end{aligned}$$

To estimate the binomial coefficient we use Eq. (18) and [39, Theorem 1.2]. Similar to Proposition 10, the term in the square root is estimated by \(\mathcal {O} \left( 1 \right) \). For the entropy term we have that

$$\begin{aligned} (n + 2 \cdot D - 2) \cdot H_2 \left( \frac{2 \cdot D - 1}{n + 2 \cdot D - 2} \right) \le \left( 4 \cdot \frac{(2 \cdot D - 1) \cdot (n - 1)}{(n + 2 \cdot D - 2)^{2 - \log \left( 4 \right) }} \right) ^\frac{1}{\log \left( 4 \right) }. \end{aligned}$$

Without loss of generality \(D \ge 1\), so \(n - 1 \le n + 2 \cdot D - 2\) which implies the complexity claim.

For the success probability, recall that by Equation (21)

$$\begin{aligned} p_{fail} &\in \mathcal {O} \left( m \cdot \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) \right) \\ &\in \mathcal {O} \left( \left( {\begin{array}{c}n + D - 1\\ D\end{array}}\right) \cdot \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) \right) \\ &\in \mathcal {O} \left( \sqrt{\frac{n + D - 1}{D \cdot (n - 1)}} \cdot 2^{2 \cdot \sqrt{D \cdot n}} \cdot \frac{2}{t \cdot \sqrt{2 \cdot \pi }} \cdot \exp \left( -\frac{t^2}{2} \right) \right) \\ &\in \mathcal {O} \left( \exp \left( 2 \cdot \log \left( 2 \right) \cdot \sqrt{2 \cdot t \cdot \sigma \cdot n} - \frac{t^2}{2} \right) \right) , \end{aligned}$$

which proves the claim.    \(\square \)

In particular, for \(\sigma = \sqrt{n}\) and \(t = \frac{k}{\sqrt{\sigma }}\), where \(k \in \mathbb {Z}\) we obtain the complexity estimate

$$\begin{aligned} \mathcal {O} \left( \left( k \cdot \sqrt{n} \right) ^3 \cdot 2^{(\omega + 3) \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (4 \cdot k + 1)^\frac{1}{\log \left( 4 \right) } \cdot n^{1 - \frac{1}{2 \cdot \log \left( 4 \right) }}} \right) . \end{aligned}$$
(29)

Since \(1 - \frac{1}{2 \cdot \log \left( 4 \right) } \approx 0.6393\) this complexity estimate is sub-exponential.

5.2 Sub-exponential Complexity for Binary Secret LWE

Recall that binary secret LWE is the simplest case of small secret LWE, see Sect. 4.3. Let \(F = (x_1^2 - x_1, \dots , x_n^2 - x_n)\), and let \(\mathcal {F}_\text {LWE} = \{ f_1, \dots , f_m \}\) be a binary secret LWE polynomial system where the (univariate) LWE error polynomial is of degree D. Without loss of generality we can first reduce the polynomials in \(\mathcal {F}_\text {LWE}\) modulo F with respect to the DRL term order. Let \(f \in \mathcal {F}_\text {LWE}\); after the preprocessing step only monomials of the form

$$\begin{aligned} m = x_1^{\alpha _1} \cdots x_n^{\alpha _n}, \end{aligned}$$
(30)

where \(\alpha _i \in \{ 0, 1 \}\) for all i, are present in f and by elementary properties of multivariate polynomial division, see [17, Sect. 2 §3], also \(\deg \left( f \right) \le D\) after the reduction.

Suppose that all \(f \in \mathcal {F}_\text {LWE}\) are of degree D after the reduction; we want to find the minimal achievable degree of regularity \(d_{{{\,\textrm{reg}\,}}} \big ( (\mathcal {F}_\text {LWE}) + F \big )\). Let \(g \in P = \mathbb {F}_{q}[x_1, \dots , x_n]\) be a monomial such that \(x_i^2 \mid g\) for some i. Such a monomial can always be generated by some element in \(F^\text { top}\), therefore we only have to consider monomials as in Eq. (30). Necessarily, these monomials must be generated by the elements in \(\mathcal {F}_\text {LWE}^\text { top}\). Moreover, by elementary combinatorics there exist \(\left( {\begin{array}{c}n\\ d\end{array}}\right) \) many monomials of the form of Eq. (30) in degree d.

To compute \(d_{{{\,\textrm{reg}\,}}} \big ( (\mathcal {F}_\text {LWE}) + F \big )\) one iterates through:

(1) Let \(d = 0\), and \(\mathcal {G} = \left( \mathcal {F}_\text {LWE}^\text { top}\right) \).

(2) Perform Gaussian elimination on \(\mathcal {G}\) to obtain a minimal generating set. If \(\left| \mathcal {G} \right| = \left( {\begin{array}{c}n\\ D + d\end{array}}\right) \) return \(D + d\), else set \(d = d + 1\).

(3) Compute \(\mathcal {G} = \sum _{i = 1}^{n} x_i \cdot (\mathcal {G}) \mod (x_1^2, \dots , x_n^2)\), and return to step (2).

In order to achieve \(d_{{{\,\textrm{reg}\,}}} \big ( (\mathcal {F}_\text {LWE}) + F \big ) \le D + d\), for some \(d \ge 0\), we must require that

$$\begin{aligned} m \cdot \left( {\begin{array}{c}n\\ d\end{array}}\right) &{\mathop {\ge }\limits ^{!}} \left( {\begin{array}{c}n\\ D + d\end{array}}\right) \end{aligned}$$
(31)
$$\begin{aligned} \Leftrightarrow m &{\mathop {\ge }\limits ^{!}} \frac{\left( {\begin{array}{c}n\\ D + d\end{array}}\right) }{\left( {\begin{array}{c}n\\ d\end{array}}\right) } = \prod _{i = 1}^{D} \frac{n - d - i + 1}{d + i}. \end{aligned}$$
(32)

I.e., \(m \in \mathcal {O} \left( n^D \right) \) many samples can be sufficient to achieve \(d_{{{\,\textrm{reg}\,}}} \big ( (\mathcal {F}_\text {LWE}) + F \big ) \le D + 1\).

Provided that \(m \in \mathcal {O} \left( n^D \right) \) and \(d_{{{\,\textrm{reg}\,}}} (\mathcal {F}_\text {LWE}) \le D + 1\), we obtain, analogously to Theorem 23, the following complexity estimate

$$\begin{aligned} \mathcal {O} \left( n^D \cdot D^3 \cdot 2^{(\omega + 2) \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (2 \cdot D + 1)^\frac{1}{\log \left( 4 \right) } \cdot (n - 1)^{1 - \frac{1}{\log \left( 4 \right) }}} \right) . \end{aligned}$$
(33)

If \(D = 2 \cdot t \cdot \sigma + 1\) and \(\sigma = \sqrt{n}\), then we can further estimate \(2 \cdot D + 1 \in \mathcal {O} \left( \sqrt{n} \right) \). In particular, the exponent of n then becomes

$$\begin{aligned} \frac{1}{2 \cdot \log \left( 4 \right) } + 1 - \frac{1}{\log \left( 4 \right) } = 1 - \frac{1}{2 \cdot \log \left( 4 \right) } \approx 0.6393, \end{aligned}$$
(34)

so the complexity estimate is indeed sub-exponential.

5.3 Polynomial Complexity for Binary Error LWE

Recall that binary error LWE is the simplest case of small error LWE, see Sect. 4.2. Every polynomial has degree 2. Analogously to Theorem 21, we first pick n linearly independent samples \((\textbf{a}_i, b_i)\) and perform a coordinate transformation. So without loss of generality we can assume that \(\textbf{a}_i\) is the i-th standard basis vector of \(\mathbb {F}_{q}^{n}\). After the transformation these n LWE equations become \(x_i^2 - x_i = 0\). We allocate them in the ideal \(F = (x_1^2 - x_1, \dots , x_n^2 - x_n)\), and the remaining \(m - n\) LWE polynomials we collect in \(\mathcal {F}_\text {LWE}\). Therefore, we can interpret binary error LWE as a special case of binary secret LWE, see Sect. 5.2. Suppose that we want to achieve \(d_{{{\,\textrm{reg}\,}}} \big ( (\mathcal {F}_\text {LWE}) + F \big ) \le 2 + d\) for some \(d \ge 0\), then by Equation (32)

$$\begin{aligned} m - n {\mathop {\ge }\limits ^{!}} \frac{(n - d - 1) \cdot (n - d)}{(d + 1) \cdot (d + 2)} \end{aligned}$$
(35)

many LWE samples are necessary. In particular, for \(d = 0\) this reduces to Arora & Ge’s analysis [6]. Analogously to Theorem 23 and Eq. (33), for \(m \in \mathcal {O} \left( n^2 \right) \) we then obtain the complexity estimate

$$\begin{aligned} \mathcal {O} \left( n^2 \cdot d^3 \cdot \left( {\begin{array}{c}n + 2 \cdot d + 2\\ 2 \cdot d + 3\end{array}}\right) ^{\omega + 2} \right) \in \mathcal {O} \left( d^3 \cdot n^{(\omega + 2) \cdot (2 \cdot d + 3) + 2} \right) . \end{aligned}$$
(36)

It is easy to see from Eq. (35) that the higher the value of d the fewer samples are necessary to achieve a certain degree of regularity. Let us see an example.

Example 24

Let q be a prime, and let \(n = 256\), and

  (1) Let \(m = 2 \cdot n\). The minimum \(d \in \mathbb {Z}_{\ge 0}\) such that Equation (35) is satisfied is \(d = 14\). Analogous to Equation (36) with \(m = 2 \cdot n\) we obtain the complexity of a DRL Gröbner basis computation

    $$\begin{aligned} \mathcal {O} \left( 2 \cdot n \cdot d^3 \cdot \left( {\begin{array}{c}n + 30\\ 31\end{array}}\right) ^{\omega + 2} \right) \in \mathcal {O} \left( n^{31 \cdot \omega + 64} \right) . \end{aligned}$$

    If we use \(\omega \le 3\), then direct evaluation of the left complexity yields 434 bits.

  (2) Let \(m = n^\frac{3}{2}\). The minimum \(d \in \mathbb {Z}_{\ge 0}\) such that Equation (35) is satisfied is \(d = 3\). Then we obtain the complexity of a DRL Gröbner basis computation

    $$\begin{aligned} \mathcal {O} \left( n^\frac{3}{2} \cdot d^3 \cdot \left( {\begin{array}{c}n + 8\\ 9\end{array}}\right) ^{\omega + 2} \right) \in \mathcal {O} \left( n^{9 \cdot \omega + 19.5} \right) . \end{aligned}$$

    If we use \(\omega \le 3\), then direct evaluation of the left complexity yields 178 bits.

5.4 A Conjecture on the Castelnuovo-Mumford Regularity

Experimentally we observed the following property for all LWE polynomial systems studied in this paper.

Conjecture 25

Let \(\mathbb {F}_{q}\) be a finite field, and let \(\mathcal {F}_\text {LWE} \subset \mathbb {F}_{q}[x_1, \dots , x_n]\) be a LWE polynomial system.

  (1) For small secret LWE where the error is drawn from the interval \([-N, N]\)

    $$\begin{aligned} {{\,\textrm{reg}\,}}\left( \mathcal {F}_\text {LWE}^\text { hom}\right) \le d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE} \right) + N - 1. \end{aligned}$$

  (2) For binary secret or binary error LWE

    $$\begin{aligned} {{\,\textrm{reg}\,}}\left( \mathcal {F}_\text {LWE}^\text { hom}\right) \le d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE} \right) + 1. \end{aligned}$$

If the conjecture holds, then the complexity estimates discussed in this section improve significantly, since we can utilize the complexity estimate for Gaussian elimination on a single Macaulay matrix (Eq. (10)).

  • The binary error LWE estimate from Eq. (33) improves to

    $$\begin{aligned} \mathcal {O} \left( n^D \cdot D \cdot 2^{\omega \cdot 2^\frac{1}{\log \left( 2 \right) } \cdot (D + 2)^\frac{1}{\log \left( 4 \right) } \cdot (n - 1)^{1 - \frac{1}{\log \left( 4 \right) }}} \right) . \end{aligned}$$
    (37)
  • The binary secret LWE estimate from Eq. (36) improves to

    $$\begin{aligned} \mathcal {O} \left( d \cdot n^{\omega \cdot (d + 3) + 2} \right) . \end{aligned}$$
    (38)

E.g., under the conjecture the numeric complexities of Example 24 improve to 279 bits and 96 bits respectively.

We also note that for the conservative cryptanalyst there is a non-hypothetical alternative to Conjecture 25. By [14, Theorem 5.3], for a polynomial system \(\mathcal {F}^\text { hom}\subset P [x_0]\) in generic coordinates one always has that

$$\begin{aligned} d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F} \right) \le {{\,\textrm{reg}\,}}\left( \mathcal {F}^\text { hom}\right) . \end{aligned}$$
(39)

Thus, one can estimate the lowest achievable complexity estimate for Gaussian elimination on the Macaulay matrix to produce a Gröbner basis of \(\mathcal {F}_\text {LWE}\) as follows:

  (1) Compute or estimate the lowest achievable degree of regularity \(\hat{d}\) for \(\mathcal {F}_\text {LWE}\).

  (2) Use Eq. (10) with \(d = \hat{d}\) and \(\omega = 2\) to estimate the lowest achievable complexity upper bound of a Gröbner basis computation for \(\mathcal {F}_\text {LWE}\).

We also recommend utilizing Eq. (10) itself for numerical computations rather than our complexity estimations. Our estimations are not tight; they merely showcase the complexity class, i.e. exponential, sub-exponential or polynomial, of the various LWE Gröbner basis computations.

5.5 Complexity Estimation of Kyber768

Finally, let us showcase our complexity estimation methods for a concrete cryptographic example: Kyber768 [31], a selected algorithm in the NIST post-quantum competition. Kyber768 is based on the Module-LWE problem; it has parameters \(q = 3329\), \(n = 3 \cdot 256\), \(m = n\), \(D = 2\), and errors as well as secrets are drawn from the interval \([-D, D]\). I.e., it is an instance of small error and small secret LWE. Thus, it induces a polynomial system of 1536 equations in 768 variables, of which 768 polynomials stem from LWE samples. The lowest achievable degree of regularity for Kyber768 is estimated via

$$\begin{aligned} m \cdot \left( {\begin{array}{c}n + d - 1\\ d\end{array}}\right) {\mathop {\ge }\limits ^{!}} \left( {\begin{array}{c}n + (2 \cdot D + 1) + d - 1\\ (2 \cdot D + 1) + d\end{array}}\right) . \end{aligned}$$
(40)
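The two sample-count conditions used in this section, Eq. (35) for binary error LWE and Eq. (40) for small error LWE, are both of the form "find the least \(d \ge 0\) such that an inequality in n, m and d holds", and they are easy to evaluate exactly with integer arithmetic. The following Python block is an added worked example, not code from the paper: it computes the minimal d of Eq. (35) for the two settings of Example 24, the minimal d of Eq. (40) for the Kyber768 parameters stated above, and the bit size of the left-hand expression in Eq. (36). The function names are ours. One assumption is labelled in the code: the 434 and 178 bits stated in Example 24 are reproduced when the binomial factor of Eq. (36) is raised to the third power (i.e. to \(\omega\) with \(\omega = 3\)), so the helper takes that exponent as a parameter rather than hard-coding \(\omega + 2\).

```python
import math


def min_d_binary_error(n, m):
    """Least d >= 0 with  m - n >= (n-d-1)(n-d) / ((d+1)(d+2)),  i.e. Eq. (35).

    The comparison is done on integers (cross-multiplied) so that no
    floating-point rounding can shift the boundary case.
    """
    if m < n:
        raise ValueError("Eq. (35) needs at least n samples (m >= n)")
    for d in range(n):
        if (m - n) * (d + 1) * (d + 2) >= (n - d - 1) * (n - d):
            return d
    return n - 1  # at d = n - 1 the right-hand side is 0, so this is never reached


def min_d_small_error(n, m, D):
    """Least d >= 0 with  m * C(n+d-1, d) >= C(n+(2D+1)+d-1, (2D+1)+d),  i.e. Eq. (40).

    2D+1 is the degree of the error polynomial for errors in [-D, D].
    The ratio of the two binomials decreases monotonically in d and tends to 1,
    so the loop terminates for every m >= 1.
    """
    if m < 1:
        raise ValueError("need at least one sample")
    deg = 2 * D + 1
    d = 0
    while True:
        lhs = m * math.comb(n + d - 1, d)
        rhs = math.comb(n + deg + d - 1, deg + d)
        if lhs >= rhs:
            return d
        d += 1


def bits_eq36(n, m, d, exponent=3):
    """log2 of  m * d^3 * C(n + 2d + 2, 2d + 3)^exponent  (left side of Eq. (36)).

    ASSUMPTION (ours): exponent=3 reproduces the 434 and 178 bits quoted in
    Example 24; Eq. (36) itself writes the exponent as omega + 2.
    """
    value = m * d ** 3 * math.comb(n + 2 * d + 2, 2 * d + 3) ** exponent
    return math.log2(value)  # math.log2 accepts arbitrarily large ints


if __name__ == "__main__":
    n = 256
    for m in (2 * n, int(n ** 1.5)):            # the two settings of Example 24
        d = min_d_binary_error(n, m)
        print(f"n={n} m={m}: minimal d = {d}, "
              f"~{bits_eq36(n, m, d):.1f} bits")
    # Kyber768 parameters as stated in the text: n = 768, m = n, D = 2
    print("Kyber768: minimal d satisfying Eq. (40) =",
          min_d_small_error(768, 768, 2))
```

Because both searches are linear in d, they are cheap even for Kyber-sized n; what dominates is the big-integer binomials, which Python handles exactly, so the boundary cases are decided correctly rather than by floating-point luck.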

In Table 2 we list our complexity estimates together with estimates for various lattice-based attacks. The complexities for lattice-based attacks have been computed via the lattice estimator tool by Albrecht et al. [4].

Table 1. Bit complexity estimation for various attack strategies on Kyber768. Complexity of lattice-based attacks are computed via the lattice estimator [4]. For attacks where the lattice estimator provides estimations for multiple steps in an attack the most difficult step is shown in the table. For Gröbner basis attacks, the proven complexity estimate is computed via Eq. (10) and the Macaulay bound (Corollary 6). The optimistic complexity estimate is computed via Eq. (17), Theorem 13 and the lowest achievable degree of regularity. The lowest achievable complexity estimate is computed via Eq. (10) with \({{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F}_\text {Kyber768} \right) \le d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {Kyber768} \right) + (2 \cdot D + 1) - 1\) (Conjecture 25). Gröbner basis complexity estimates are computed with \(\omega = 2\).

6 Integrating Hints into LWE Polynomial Models

In two recent works, Dachman-Soled et al. [18, 19] introduced a framework for the cryptanalysis of LWE in the presence of side information. E.g., in the presence of a side channel, the information can come from the power consumption, electromagnetic radiation, sound emission, etc. of a device. Once side information has been obtained, it has to be modeled as mathematical hints. Dachman-Soled et al. categorize hints for LWE into four classes [18, §1]:

  • Perfect hints: \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle = l \in \mathbb {F}_{q}\).

  • Modular hints: \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle \equiv l \mod k\).

  • Approximate hints: \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle + e_\sigma = l \in \mathbb {F}_{q}\).

  • Short vector hints: \(\textbf{v} \in \varLambda \), where \(\varLambda \) is the lattice associated to a LWE instance.

Dachman-Soled et al. [18, 19] then discuss how these hints can be incorporated into Distorted Bounded Distance Decoding (DBDD) problems and lattice reduction algorithms to attack LWE. For readers interested in how such hints can be obtained in practice we refer to [18, §4, 6]. Except for short vector hints, which do not involve the LWE secret, we can incorporate these hints into LWE polynomial models.

Integrating a perfect hint is straightforward, since adding an affine equation to the polynomial system simply eliminates one variable.

If we are given a modular hint, then in principle one can compute a subset \(\varOmega \subset \mathbb {F}_{q}\) such that \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle - l \in \varOmega \) (in \(\mathbb {F}_{q}\)). Hence, we can set up a new polynomial with roots in \(\varOmega \), substitute \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle - l\) into the polynomial and add it to the LWE polynomial system. Although this sounds simple, in practice the computation of \(\varOmega \) can be a challenge. In particular, if \(\textbf{s}\) and \(\textbf{v}\) can take all values in \(\mathbb {F}_{q}^n\), then we expect the set \(\varOmega \) to be too big to improve Gröbner basis computations. On the other hand, if \(\textbf{s}, \textbf{v} \in \{ 0, 1 \}^n\) and we have the modular equation \(\left\langle {\textbf{s}, \textbf{v}}\right\rangle \equiv 1 \mod 2\), then only the odd numbers in the interval \(\left[ 0, n \right] \) can be in \(\varOmega \), so the univariate polynomial with roots in \(\varOmega \) is of degree \(\le \left\lceil \frac{n}{2} \right\rceil \).

More interesting are approximate hints. Such hints are obtained from noisy side-channel information. If the probability distribution of \(e_\sigma \) has a smaller width than that of the LWE error, then we can reduce the degree of a polynomial in the LWE polynomial system. Another class of hints that we interpret as approximate hints are Hamming weight hints. Suppose that the LWE secret entry \(s_1\) is drawn from \(D \subset \mathbb {F}_{q}\) and that we know the Hamming weight \(H (s_1) = k\). Then we can add a univariate polynomial in \(x_1\) to the LWE polynomial system whose roots are exactly the elements of D of Hamming weight k. I.e., Hamming weight hints restrict the number of possible solutions. We illustrate this with an example.

Example 26

Let q be a 16 bit prime number, and let \((\textbf{a}_i, b_i)_{1 \le i \le m} \subset \mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) be LWE samples generated with secret \(\textbf{s} \in [-5, 5]^n\). As discussed in Sect. 4.3, for every variable \(x_i\) we can add a polynomial of degree 11 to the polynomial system to restrict the solutions to the interval. Suppose that \(s_i\) is represented by a signed 16 bit integer and that we learned its Hamming weight \(H (s_i) = 2\); then \(s_i \in \{ 3, 5 \}\) and we can replace the degree 11 polynomial by a polynomial of degree 2.

Note that such Hamming weight biases can also persist if one opts for a more efficient memory representation of the secret entries.

Example 27

Let q be a 16 bit prime number, and let \((\textbf{a}_i, b_i)_{1 \le i \le m} \subset \mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) be LWE samples generated with secret \(\textbf{s} \in [-2, 2]^n\). As discussed in Sect. 4.3, for every variable \(x_i\) we can add a polynomial of degree 5 to the polynomial system to restrict the solutions to the interval. Assume that the entries of \(\textbf{s}\) are stored as signed integers in the interval \(\left[ -\frac{q}{2}, \frac{q}{2} \right] \), then

  • if \(H (s_i) = 0\), then \(s_i = 0\),

  • if \(H (s_i) = 1\), then \(s_i \in \{ 1, 2 \}\), and

  • if \(H (s_i) = 2\), then \(s_i \in \{ -1, -2 \}\).

So if one can learn the Hamming weight of \(s_i\), then one either obtains a perfect hint or one can replace the degree 5 polynomial by a degree 2 polynomial.
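The construction behind Examples 26 and 27 and the modular-hint discussion above is mechanical: a hint shrinks the candidate set of a secret entry, and the univariate polynomial \(\prod_{r \in \varOmega} (x - r)\) over \(\mathbb {F}_{q}\) then replaces the interval polynomial of Sect. 4.3. The following Python block is an added example, not code from the paper: it filters an interval by a Hamming-weight hint and/or a modular hint (hints compose by intersecting candidate sets), computes the root set \(\varOmega\) for the binary modular hint of the text, and expands the root set into a polynomial over \(\mathbb {F}_{q}\). All function names are ours, and the field size `q = 65521` is a constructed sample value (a 16 bit prime). One assumption is labelled in the code: Example 26 counts bits of a 16 bit two's-complement word, whereas the "signed integer" storage of Example 27 is taken to be a sign bit plus magnitude, since that encoding is what yields the listed sets; the paper does not spell the encoding out.

```python
def hamming_weight(value, bits=16, encoding="twos_complement"):
    """Hamming weight of an integer in a fixed-width representation.

    twos_complement: bits of the value reduced modulo 2**bits (Example 26).
    sign_magnitude:  one sign bit plus the bits of |value|.  ASSUMPTION (ours)
                     for the 'signed integer' storage of Example 27.
    """
    if encoding == "twos_complement":
        return bin(value & ((1 << bits) - 1)).count("1")
    if encoding == "sign_magnitude":
        return (1 if value < 0 else 0) + bin(abs(value)).count("1")
    raise ValueError(f"unknown encoding {encoding!r}")


def candidates(lo, hi, hw=None, mod=None, encoding="twos_complement"):
    """Values s in the interval [lo, hi] consistent with the given hints.

    hw  : Hamming weight hint H(s) = hw, or None.
    mod : modular hint as a pair (l, k) meaning s = l (mod k), or None.
    Several hints compose by intersection, so both may be given at once.
    """
    out = []
    for s in range(lo, hi + 1):
        if hw is not None and hamming_weight(s, encoding=encoding) != hw:
            continue
        if mod is not None and (s - mod[0]) % mod[1] != 0:
            continue
        out.append(s)
    return out


def binary_modular_hint_roots(n, l, k):
    """Root set Omega for s, v in {0,1}^n and <s, v> = l (mod k).

    The inner product of two binary vectors lies in [0, n], so only the
    integers in that range congruent to l modulo k can be roots.
    """
    return [t for t in range(n + 1) if (t - l) % k == 0]


def poly_from_roots(roots, q):
    """Coefficients, lowest degree first, of prod_{r in roots} (x - r) over F_q."""
    coeffs = [1]
    for r in roots:
        new = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            new[i + 1] = (new[i + 1] + c) % q        # c * x^i * x
            new[i] = (new[i] - c * r) % q            # c * x^i * (-r)
        coeffs = new
    return coeffs


def poly_eval(coeffs, x, q):
    """Horner evaluation of a coefficient list (lowest degree first) at x mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


if __name__ == "__main__":
    q = 65521  # constructed sample: a 16 bit prime
    # Example 26: secret entry in [-5, 5], 16 bit two's complement, H(s_i) = 2
    roots26 = candidates(-5, 5, hw=2)
    print("Example 26 roots:", roots26, "->", poly_from_roots(roots26, q))
    # Example 27: secret entry in [-2, 2], sign-magnitude storage (assumption)
    for w in (0, 1, 2):
        print(f"Example 27, H(s_i)={w}:",
              candidates(-2, 2, hw=w, encoding="sign_magnitude"))
    # Binary modular hint <s, v> = 1 (mod 2) with n = 10: the odd values in [0, 10]
    print("binary modular hint roots:", binary_modular_hint_roots(10, 1, 2))
```

The degree of the resulting polynomial equals the size of the candidate set, so the output makes the degree reduction of the examples explicit: 11 roots for the plain interval \([-5, 5]\) versus 2 roots once the Hamming weight is known. Note that the same interval yields different candidate sets under the two encodings, which is exactly why the storage format of the secret matters for this kind of hint.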

Moreover, modular and approximate hints can be combined in a hybrid manner.

Example 28

Let q be a 16 bit prime number, and let \((\textbf{a}_i, b_i)_{1 \le i \le m} \subset \mathbb {F}_{q}^{n}\times \mathbb {F}_{q}\) be LWE samples generated with secret \(\textbf{s} \in [-5, 5]^n\). Assume that the entries of \(\textbf{s}\) are stored as signed integers in the interval \(\left[ -\frac{q}{2}, \frac{q}{2} \right] \). If \(H (s_i) = 2\) and \(s_i \equiv 1 \mod 3\), then \(s_i \in \{ -2, 4 \}\). So we can replace the degree 11 polynomial by a polynomial of degree 2.

In practice this can have devastating consequences. If we can reduce a small secret LWE instance to binary secret LWE, or even worse to binary secret binary error LWE, then we expect to achieve a lower degree of regularity with fewer samples than the plain polynomial system requires. We numerically showcase this in the following example.

Example 29

Let q be a 16 bit prime number, and assume that we are given small secret small error LWE over \(\mathbb {F}_{q}^{256}\) whose secrets and errors are drawn from \([-2, 2]\). Let \(m = 256^\frac{3}{2}\) samples be given, and assume that we have enough Hamming weight hints for the secret and the error terms to transform the LWE polynomial system to either

  (i) binary secret LWE, or

  (ii) binary secret binary error LWE.

In Table 2 we record the least integer d such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE} \right) \le D + d\) together with the optimistic complexity estimate from Eq. (17) and the lowest achievable complexity estimate implied by Eq. (39) for various numbers of perfect hints.

Table 2. Complexity estimates for small secret small error LWE, binary secret LWE and binary secret binary error LWE over \(\mathbb {F}_{q}^{256}\) with error polynomial degree \(D = 5\) and \(m = 256^\frac{3}{2}\). The column d lists the least integer such that \(d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE} \right) \le D + d\) for a given number of perfect hints. The optimistic complexity estimate is computed via Equation (17) and the lowest achievable complexity estimate is computed via Equation (10) with \({{\,\textrm{sd}\,}}_{DRL} \left( \mathcal {F}_\text {LWE} \right) = d_{{{\,\textrm{reg}\,}}} \left( \mathcal {F}_\text {LWE} \right) + D - 1\) where \(D = 5, 2\) (Conjecture 25).

7 Discussion

In this paper we proved that any fully-determined LWE polynomial system is in generic coordinates. Therefore, bounds for the complexity of DRL Gröbner basis computations can be found via the Castelnuovo-Mumford regularity. In particular, this permits provable complexity estimates without relying on strong but unproven theoretical assumptions like semi-regularity [24, 28].

We also demonstrated how the degree of regularity of a LWE polynomial system can be used to derive complexity estimates. However, in practice one has to keep in mind that a degree of regularity computation usually requires a non-trivial Gröbner basis computation for the highest degree components. Hence, we interpret complexity bounds based on the lowest achievable degree of regularity as worst-case bounds from a designer’s perspective that could be achievable by an adversary.

Based on the lowest achievable degree of regularity, we discussed that a conservative cryptanalyst should assume that Gaussian elimination on a single Macaulay matrix in the degree of regularity is sufficient to solve Search-LWE.

Moreover, we discussed how side information can be incorporated into LWE polynomial systems, and we showcased how it can affect the complexity of Gröbner basis computations.

Overall, we have presented a new framework to aid algebraic cryptanalysis for LWE-based cryptosystems under minimal theoretical assumptions on the polynomial system.