Quantum Oblivious LWE Sampling and Insecurity of Standard Model Lattice-Based SNARKs
Thomas Debris-Alazard, Pouria Fallahpour, Damien Stehlé
TL;DR
The paper gives a polynomial-time quantum algorithm that samples LWE instances while remaining oblivious to the secret, assuming only that LWE is hard and that the parameters satisfy mild constraints. The problem is phrased as preparing a C$|\mathsf{LWE}\rangle$ state and measuring it; the measurement is improved with a CB98 POVM and phase-augmented amplitude functions, which makes the sampler efficient for a broad range of LWE parametrizations, including the MLWE variants used in SNARKs. The result is a quantum attack on the witness-oblivious sampling assumptions that several lattice-based SNARK security analyses rely on: the analyses in the standard-model lattice setting are undermined, but the constructions themselves are not broken. The paper also spells out the algorithm for constructing and using C$|\mathsf{LWE}\rangle$ states, derives its runtime guarantees, and discusses the consequences for knapsack-LWE and encoding-based SNARK frameworks. Overall, it exposes a quantum weakness in hardness assumptions underpinning several SNARK security proofs and argues that such assumptions need to be reassessed in the post-quantum setting.
Abstract
The Learning With Errors ($\mathsf{LWE}$) problem asks to find $\mathbf{s}$ from an input of the form $(\mathbf{A}, \mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}) \in (\mathbb{Z}/q\mathbb{Z})^{m \times n} \times (\mathbb{Z}/q\mathbb{Z})^{m}$, for a vector $\mathbf{e}$ that has small-magnitude entries. In this work, we do not focus on solving $\mathsf{LWE}$ but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create $\mathbf{s}$ and $\mathbf{e}$ and then set $\mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}$. In particular, such an instance sampler knows the solution. This raises the question whether it is possible to obliviously sample $(\mathbf{A}, \mathbf{A}\mathbf{s}+\mathbf{e})$, namely, without knowing the underlying $\mathbf{s}$. A variant of the assumption that oblivious $\mathsf{LWE}$ sampling is hard has been used in a series of works to analyze the security of candidate constructions of Succinct Non-interactive Arguments of Knowledge (SNARKs). As the assumption is related to $\mathsf{LWE}$, these SNARKs have been conjectured to be secure in the presence of quantum adversaries. Our main result is a quantum polynomial-time algorithm that samples well-distributed $\mathsf{LWE}$ instances while provably not knowing the solution, under the assumption that $\mathsf{LWE}$ is hard. Moreover, the approach works for a vast range of $\mathsf{LWE}$ parametrizations, including those used in the above-mentioned SNARKs. This invalidates the assumptions used in their security analyses, although it does not yield attacks against the constructions themselves.
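The abstract's two classical observations, that the obvious sampler must pick $\mathbf{s}$ and $\mathbf{e}$ first and therefore knows the solution, and that valid instances are sparse in $(\mathbb{Z}/q\mathbb{Z})^m$, can be made concrete for toy parameters. The following is an added illustration, not code from the paper: it implements the secret-aware sampler, a verifier for $\mathbf{b}-\mathbf{A}\mathbf{s}$ being small, and a brute-force count of how many right-hand sides $\mathbf{b}$ are LWE instances for a fixed $\mathbf{A}$ (the values of $q$, $n$, $m$ and the error bound are chosen here for illustration).

```python
"""Added example (not the paper's code): the classical secret-aware LWE
sampler (A, b = A*s + e mod q) and a brute-force sparsity count over all
b in (Z/qZ)^m for a fixed A. Toy parameters only; errors are uniform in
[-beta, beta] rather than the discrete Gaussian used in practice."""
import itertools
import random


def sample_lwe(q, n, m, beta, rng=random):
    """Non-oblivious sampler: s and e are chosen first, then b = A*s + e.
    Returns (A, b, s, e); by construction the sampler knows the solution."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-beta, beta) for _ in range(m)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(m)]
    return A, b, s, e


def is_lwe_instance(A, b, s, q, beta):
    """True iff every centred residue of b - A*s lies in [-beta, beta]."""
    m, n = len(A), len(A[0])
    for i in range(m):
        d = (b[i] - sum(A[i][j] * s[j] for j in range(n))) % q
        if beta < d < q - beta:  # residue maps outside [-beta, beta]
            return False
    return True


def count_valid_b(A, q, n, m, beta):
    """Count the b in (Z/qZ)^m that equal A*s + e for some s and some
    small e. Enumerates all q^n secrets and (2*beta+1)^m errors, so it is
    only feasible for toy sizes. Returns (number_valid, q ** m)."""
    valid = set()
    for s in itertools.product(range(q), repeat=n):
        As = [sum(A[i][j] * s[j] for j in range(n)) % q for i in range(m)]
        for e in itertools.product(range(-beta, beta + 1), repeat=m):
            valid.add(tuple((As[i] + e[i]) % q for i in range(m)))
    return len(valid), q ** m


if __name__ == "__main__":
    q, n, m, beta = 17, 2, 5, 1
    A, b, s, e = sample_lwe(q, n, m, beta, random.Random(2024))
    assert is_lwe_instance(A, b, s, q, beta)
    valid, total = count_valid_b(A, q, n, m, beta)
    # At most q^n * (2*beta+1)^m of the q^m vectors b can be LWE instances,
    # and the gap widens exponentially with m: sampling a uniformly random b
    # essentially never hits an instance, which is why a classical sampler
    # starts from s and e.
    print(f"valid b: {valid} of {total} ({valid / total:.3%})")
```

Increasing `m` with `n` fixed makes the printed fraction collapse quickly, which is the sparsity the abstract refers to.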
