Quantum Oblivious LWE Sampling and Insecurity of Standard Model Lattice-Based SNARKs

Thomas Debris-Alazard,Pouria Fallahpour,Damien Stehlé
2024-05-14
Abstract: The Learning With Errors ($\mathsf{LWE}$) problem asks to find $\mathbf{s}$ from an input of the form $(\mathbf{A}, \mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}) \in (\mathbb{Z}/q\mathbb{Z})^{m \times n} \times (\mathbb{Z}/q\mathbb{Z})^{m}$, for a vector $\mathbf{e}$ that has small-magnitude entries. In this work, we do not focus on solving $\mathsf{LWE}$ but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create $\mathbf{s}$ and $\mathbf{e}$ and then set $\mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}$. In particular, such an instance sampler knows the solution. This raises the question whether it is possible to obliviously sample $(\mathbf{A}, \mathbf{A}\mathbf{s}+\mathbf{e})$, namely, without knowing the underlying $\mathbf{s}$. A variant of the assumption that oblivious $\mathsf{LWE}$ sampling is hard has been used in a series of works to analyze the security of candidate constructions of Succinct Non-interactive Arguments of Knowledge (SNARKs). As the assumption is related to $\mathsf{LWE}$, these SNARKs have been conjectured to be secure in the presence of quantum adversaries.
Cryptography and Security
What problem does this paper attempt to address?
The core problem that this paper attempts to solve is: **Does there exist an efficient algorithm that can generate LWE (Learning With Errors) samples without knowing the underlying secret?** Specifically, the authors ask whether, in a quantum-computing setting, a quantum polynomial-time algorithm can be designed that generates LWE instances while not itself knowing the secret vector \( \mathbf{s} \) used to generate them.

### Background of the Paper

The LWE problem is a widely studied problem in cryptography, and its basic form is as follows: given a pair \((\mathbf{A}, \mathbf{b})\), where \(\mathbf{A} \in (\mathbb{Z}/q\mathbb{Z})^{m \times n}\) is a matrix, \(\mathbf{b}=\mathbf{A}\mathbf{s}+\mathbf{e} \in (\mathbb{Z}/q\mathbb{Z})^m\) is a vector, \(\mathbf{s} \in (\mathbb{Z}/q\mathbb{Z})^n\) is a secret vector, and \(\mathbf{e} \in (\mathbb{Z}/q\mathbb{Z})^m\) is a small noise vector, the goal is to recover the secret vector \(\mathbf{s}\) from the input pair \((\mathbf{A}, \mathbf{b})\). Many cryptographic constructions assume that the LWE problem is hard, including in the presence of quantum attackers. However, some LWE-based constructions rely on a stronger assumption: that there is no efficient algorithm that can generate LWE instances without knowing the secret vector \(\mathbf{s}\). This assumption is called the "oblivious LWE sampling" assumption.

### Main Contributions

1. **Quantum Polynomial-Time Algorithm**: The authors propose a quantum polynomial-time algorithm that can generate LWE instances without knowing the secret vector \(\mathbf{s}\). Specifically, they prove that, under the premise that the LWE problem is hard, there exists a quantum polynomial-time algorithm that generates LWE instances while not itself knowing the secret vector \(\mathbf{s}\) used to generate them.
2. **Parameter Range**: This algorithm applies to a wide range of LWE parameterizations, including those used to construct SNARKs (Succinct Non-interactive Arguments of Knowledge). This indicates that, under these parameters, the previous security analyses based on the "oblivious LWE sampling" assumption are invalid.
3. **Application to SNARKs**: The authors further discuss the impact of their results on lattice-based SNARKs. In particular, they point out that this result invalidates the standard-model security analysis of some lattice-based SNARKs, although these constructions themselves are not broken.

### Formula Summary

- The form of an LWE instance is: \((\mathbf{A}, \mathbf{b}) \in (\mathbb{Z}/q\mathbb{Z})^{m \times n} \times (\mathbb{Z}/q\mathbb{Z})^m\), where \(\mathbf{b}=\mathbf{A}\mathbf{s}+\mathbf{e}\).
- The distribution of the noise vector \(\mathbf{e}\) is usually the folded integer Gaussian distribution \(\vartheta_{\sigma, q}(e)=\sum_{k \in \mathbb{Z}} \exp\left(-\frac{|e + qk|^2}{\sigma^2}\right)\).
- The form of the state generated by the quantum algorithm is: \(\sum\)
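To make the "knowledge-exposing" sampler from the background concrete, here is an added example (not code from the paper or its authors) that builds an LWE instance \((\mathbf{A}, \mathbf{A}\mathbf{s}+\mathbf{e})\) with \(\mathbf{e}\) drawn from the folded Gaussian \(\vartheta_{\sigma,q}\) quoted in the formula summary, and then shows the check that opens the instance, which requires \(\mathbf{s}\). The quantum oblivious sampler itself cannot be reproduced classically and is not attempted; the toy parameters, seed and tail bound are assumptions.

```python
import math
import random

# Constructed toy parameters (assumptions, not from the paper): tiny n, m, q
# so the example runs instantly; real LWE parameters are far larger.
N, M, Q, SIGMA = 4, 8, 97, 2.0

def folded_gaussian_table(q=Q, sigma=SIGMA, k_range=3):
    """Unnormalised mass vartheta_{sigma,q}(e) = sum_k exp(-|e+qk|^2/sigma^2)
    for every residue e in Z/qZ, following the formula quoted on the page.
    The sum over k is truncated to |k| <= k_range, accurate once q >> sigma."""
    table = []
    for e in range(q):
        lifted = e - q if e > q // 2 else e  # representative in (-q/2, q/2]
        table.append(sum(math.exp(-((lifted + q * k) ** 2) / sigma ** 2)
                         for k in range(-k_range, k_range + 1)))
    return table

def sample_lwe(seed, n=N, m=M, q=Q, sigma=SIGMA):
    """The knowledge-exposing sampler: pick s and e first, then b = A s + e.
    It returns the instance together with the secret it necessarily knows."""
    rng = random.Random(seed)
    table = folded_gaussian_table(q, sigma)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = rng.choices(range(q), weights=table, k=m)  # choices() normalises
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return (A, b), s, e

def centered(x, q=Q):
    """Lift x in Z/qZ to its representative in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def opens_to(instance, s, q=Q, bound=None):
    """Verify (A, b) is an LWE instance for secret s: b - A s must be small.
    The check requires s, which is exactly what an oblivious sampler lacks."""
    A, b = instance
    if bound is None:
        bound = int(6 * SIGMA)  # generous tail cut-off for the noise
    residual = [centered(b[i] - sum(A[i][j] * s[j] for j in range(len(s))), q)
                for i in range(len(b))]
    return all(abs(r) <= bound for r in residual), residual

if __name__ == "__main__":
    inst, s, e = sample_lwe(seed=7)
    ok, residual = opens_to(inst, s)
    print("opens to the known secret:", ok, "recovered noise:", residual)
```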