Cryptanalysis of RLWE-Based One-Pass Authenticated Key Exchange

Abstract

Authenticated key exchange (AKE) plays a fundamental role in modern cryptography. Up to now, the HMQV protocol family is among the most efficient provably secure AKE protocols, which has been widely standardized and in use. Given recent advances in quantum computing, it would be desirable to develop lattice-based analogue of HMQV for the possible upcoming post-quantum era. Towards this goal, a family of AKE schemes from ideal lattice was recently proposed at Eurocrypt 2015 [ZZD+15], which could be seen as an HMQV-analogue based on the ring-LWE (RLWE) problem. It consists a two-pass variant \(\Uppi _2\) and a one-pass variant \(\Uppi _1\).

As a supplement to its security analysis, we propose an efficient attack against \(\Uppi _1\), which is referred to as the small field attack (SFA) since it fully utilizes the algebraic structure of the ring \(\mathcal {R}_{q}^{}\) in RLWE. The SFA attack can efficiently recover the static private key of the victim party in \(\Uppi _1\), provided adversaries are allowed to register their own public keys. Such an assumption is reasonable in practice, but may not be allowed in the security model of \(\Uppi _1\) [ZZD+15]. We also show that it is hard for the victim party to even detect the attack in practice.

The full version of this work appears at Cryptology ePrint Archive, 2016/913. This research was supported in part by NSFC (Grant Nos. 61472084 and U1536205), Shanghai innovation action project No. 16DZ1100200, and Shanghai science and technology development funds No. 16JC1400801.

Appendices

A Lemma 8 and Its Proof

Below we present a lemma that is essential both for the correctness/efficiency of \(\mathcal {A}_{1}\) and for those of \(\mathcal {A}_{1}'\), as indicated in Sects. 4.3 and 5.1.

Lemma 8

Let \(g\in \mathbb {F}_q^{\times }\) denote a primitive element of \(\mathbb {F}_q\), \(S_g \triangleq \{g^r\,|\,r\in [d]\}\) and \(d\triangleq {q_0}/n\). Let \(\emptyset \ne H\subseteq \mathbb {F}_q\) and \(\beta \ge 0\). For the (fixed) \(\tilde{s_i}\in \mathbb {F}_q\), define

$$ \mathcal {Q}_i(\tilde{s_i}) = \left\{ \left( k\mathbf c _i\text {+}{} \mathbf h _k\text {+}2\mathbf e _k, [w_{k,j}]_{j\in [n]}, [z_{k,j}]_{j\in [n]} \right) \left| \begin{array}{c} k\in S_g, \ j\in [n], \ h_{k,1},\cdots , h_{k,i-1}\leftarrow H, \\ \mathbf h _k = \sum _{r\in [i-1]}^{}{h_{k,r}{} \mathbf c _r}, \mathbf e _k\leftarrow \mathbb {Z}_{1+2\beta \sqrt{n}}^n,\\ u_{k,j} = \tilde{s_i}\cdot k c_{i,j}+\sum _{r\in [i-1]}^{}{s_r h_{k,r}c_{r,j}}, \\ w_{k,j}\text {=}\mathsf {Cha}\left( u_{k,j} \right) , z_{k,j}\text {=}{\mathsf {Mod}}_{}\left( u_{k,j}, w_{k,j} \right) \\ \end{array} \right\} \right. $$

If \(q > 1+ \max \left( 8(\theta +n\alpha \beta ), 2\alpha \sqrt{n} \right) \), then except with negligible probability, \({s_i} = \tilde{s_i}\) if and only if \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q}'_i(\tilde{s_i})\).

Proof

Let \(\varDelta {s_i}\triangleq s_i - \tilde{s_i}\in \mathbb {F}_q\). Moreover, for \(\mathbf s \leftarrow D_{\mathbb {Z}^n, \alpha }\) and \(\mathbf e _k\leftarrow \mathbb {Z}_{1+2\beta \sqrt{n}}^n\), define \(\varepsilon '_k\triangleq \mathbf s \cdot \mathbf e _k\in \mathcal {R}_{q}^{}\);By Lemma 1, the inequality \({\Vert \varepsilon '_k \Vert }_{\infty }\le n\alpha \beta \) holds w.o.p. Moreover, by assumption there exists a \(t\in [2n]\) such that \(g^{d}=\omega _i^t,\gcd (t,d)=1\). For the query \(Q_k\text {=}\left( \mathbf x _k=k\mathbf c _i + \mathbf h _k + 2\mathbf e _k,\mathbf {w} _k = [w_{k,j}]_{j\in [n]},\mathbf z _k = [z_{k,j}]_{j\in [n]} \right) \in \mathcal {Q}_i(\tilde{s_i}), \) \({\mathcal {M}_{1}}\) first generates \(\varepsilon _k\leftarrow \mathbb {Z}_{1+2\theta }^n = \left\{ -\theta , \cdots , \theta \right\} ^n\), and then computes

$$\begin{aligned} \mathbf{v _k}\triangleq & {} \mathbf s \cdot \mathbf x _k + {q_0}\mathbf {w} _k +2\varepsilon _k\\ {}= & {} \mathbf s \cdot (k\mathbf c _i+\mathbf h _k+2\mathbf e _k) + {q_0}\mathbf {w} _k + 2\varepsilon _k \\ {}= & {} k \varDelta {s_i}{} \mathbf c _i + \left( k\tilde{s_i}{} \mathbf c _i + \sum _{r\in [i-1]}^{}{s_r h_{k,r}{} \mathbf c _r}+{q_0}\mathbf {w} _k \right) + 2(\mathbf s {} \mathbf e _k + \varepsilon _k) \\ {}\sim & {} \left[ {\begin{array}{*{20}c}\varDelta {s_i} k c_{i,1} + \left( k \tilde{s_i}c_{i,1}+\sum _{r\in [i-1]}^{}{s_r h_{k,r}c_{r,1}}+{q_0}w_{k,1} \right) \\ \vdots \\ \varDelta {s_i} k c_{i,n} + \left( k \tilde{s_i}c_{i,n}+\sum _{r\in [i-1]}^{}{s_r h_{k,r}c_{r,n}}+{q_0}w_{k,n} \right) \\ \end{array} }\right] +\left[ {\begin{array}{*{20}c}2(\varepsilon '_{k,1}+ \varepsilon _{k,1})\\ \vdots \\ 2(\varepsilon '_{{k,n}}+ \varepsilon _{k,n}) \end{array} }\right] \\ {}= & {} \left[ {\begin{array}{*{20}c}\varDelta {s_i}\cdot k c_{i,1} + u_{k,1}+\mathsf {Cha}\left( u_{k,1} \right) \cdot {q_0}\\ \vdots \\ \varDelta {s_i}\cdot k c_{i,n} + u_{k,n}+\mathsf {Cha}\left( u_{k,n} \right) \cdot {q_0}\end{array} }\right] +\left[ {\begin{array}{*{20}c}2(\varepsilon '_{k,1}+ \varepsilon _{k,1})\\ \vdots \\ 2(\varepsilon '_{{k,n}}+ \varepsilon _{k,n})\end{array} }\right] , \end{aligned}$$

where \(\varepsilon _{k,j}\triangleq \mu _j(\varepsilon _k)\) and \(\varepsilon '_{k,j}\triangleq \mu _j(\mathbf s {} \mathbf e _k)\). Finally, if every \(\mathsf {Parity}\left( v_{k,j} \right) = z_{k,j}\) where \(v_{k,j}\triangleq \mu _j(\mathbf v _k)\), then \({\mathcal {M}_{1}}\) returns 1; Otherwise, \({\mathcal {M}_{1}}\) returns 0.

Notice that \(u_{k,j}+\mathsf {Cha}\left( u_{k,j} \right) \cdot {q_0}\in \left\{ -{q_0}/2,\cdots , +{q_0}/2\right\} \) by Lemma 4(a). And by assumption, it is routine to see \(|\varepsilon _{k,j}' + \varepsilon _{k,j}|<{q_0}/4\) for every \(j\in [n]\).

First consider the case when \(\varDelta {s_i=0}\). Since \(|2(\varepsilon _{k,j}' + \varepsilon _{k,j})|< {q_0}/2\), by Lemma 4(b), it is routine to see \({\mathcal {M}_{1}}\) returns 1 on every \(Q_k\in \mathcal {Q}_i(\tilde{s_i})\).

In the sequel, we assume \(\varDelta {s_i} \ne 0\). We claim that \(\left\{ -1, 1\right\} \cap \mathsf {offset}(\varDelta {s_i})\ne \emptyset \), where \(\mathsf {offset}(\varDelta {s_i}) \triangleq \{\varDelta {s_i}\cdot k c_{i,j}\,|\,k\in S_g, j\in [n]\}, \) Since \(c_{i,j} = c_{i,n}\cdot \omega _i^{n-j}\) by Lemma 3, we have \(\varDelta {s_i}\cdot k\cdot c_{i,j} =\varDelta {s_i} c_{i,n} \cdot k\cdot \omega _i^{n-j}.\) Let \(\varDelta {s_i} c_{i,n} = g^{e^*}\) where \(e^*\in [q-1]\). Clearly there exists a \(r^*\in [d]\) such that \(d\mid (e^*+r^*)\), and \((e^*+r^*)/d\in [2n]\). Let \(k^*\triangleq g^{r^*}\in S_g\). Then

$$ \varDelta {s_i} c_{i,n}\cdot k^* \cdot \omega _i^{n-j} = g^{e^*+r^*}\cdot \omega _i^{n-j} = \omega _i^{t(e^*+r^*)/d + n-j}. $$

It is easy to see there exists a \(j^*\in [n]\) such that either \(t(e^*+r^*)/d + n-j^*\equiv n \pmod {2n}\) or \(t(e^*+r^*)/d + n-j^*\equiv 0 \pmod {2n}\); Equivalently, either \(\varDelta {s_i}\cdot c_{i,n}\cdot k^* \cdot \omega _i^{n-j^*} = \omega _i^{n} = -1\in \mathbb {F}_q\) or \(\varDelta {s_i}\cdot c_{i,n}\cdot k^* \cdot \omega _i^{n-j^*} = \omega _i^{0} = 1\in \mathbb {F}_q\).

When \(\varDelta {s_i}\cdot k^* \cdot c_{i,j^*}=\pm 1\), it is easy to verify that \(z_{k^*, j^*}\ne \mathsf {Parity}\left( v_{k^*, j^*} \right) \) by Lemma 4(c). Equivalently, the associated \(j^*\)-th equality of \(Q_{k^*}\) does not hold, and \({\mathcal {M}_{1}}\) returns 0 on the query \(Q_{k^*}\in \mathcal {Q}_i(\tilde{s_i})\).    \(\square \)

B Construction of \(\mathcal {V}\)

As indicated in Sect. 5.2, we shall construct in this appendix an efficient algorithm \(\mathcal {V}\) for the problem \(\mathcal {P}_2\). To simplify the following discussion, we only consider the special case where \(I=[n]\), and it can be easily generalized to the more general case where \(I\ne \emptyset \) is a proper subset of [n].

First come some notations. Let \(\varDelta {s_i}\triangleq s_i-\tilde{s_i}\) for every \(i\in [n]\). For every \(j\in [n]\), define \(\mathbf a _{j}\triangleq \left[ \tilde{s_i}\cdot c_{i,j}\right] _{i\in [n]}\in \mathbb {F}_q^n\), and \(\mathbf b _{j}\triangleq \left[ \varDelta {s_i}\cdot c_{i,j}\right] _{i\in [n]}\in \mathbb {F}_q^n\); Moreover, define \(A_j(\mathbf u )\triangleq \left\langle \mathbf u , \mathbf a _{j} \right\rangle \in \mathbb {F}_q\), and \(B_j(\mathbf u )\triangleq \left\langle \mathbf u , \mathbf b _{j} \right\rangle \in \mathbb {F}_q\), where \(\mathbf u \in \mathbb {F}_q^n\). Choose \(k\leftarrow [n]\) randomly. Define the \(\mathbb {F}_q\)-vector space \({U}_{k}\triangleq \{r\cdot \mathbf a _{k}\,|\,r\in \mathbb {F}_q\}\subseteq \mathbb {F}_q^n\). By definition, every \({U}_{k}\) is a 1-dimensional subspace of \(\mathbb {F}_q^n\), and its orthogonal complement is the \((n-1)\)-dimensional subspace . Choose an \(\mathbb {F}_q\)-basis for \({{U}}_{k}^{\bot }\) randomly, say \(\mathbf F _k\triangleq \left\{ \mathbf f _{k,1},\cdots , \mathbf f _{k, n-1}\right\} \subseteq {{U}}_{k}^{\bot }\), such that each entry of \(\mathbf f _{k,\ell }\) is non-zero for every \(\ell \in [n-1]\). With \({{U}}_{k}\), the set \(\mathbb {F}_q^n\) is partitioned into three parts: \(S_1\triangleq \mathbb {F}_q^n\setminus {{U}}_{k}\), \(S_2\triangleq {{U}}_{k}\setminus \left\{ \mathbf 0 \right\} \), and \(S_3\triangleq \left\{ \mathbf 0 \right\} \). Finally, for every \((t, \mathbf u )\in \mathbb {F}_q\times \mathbb {F}_q^n\), let \(\tau (t, \mathbf u )\) denote \(\sum _{i\in [n]}^{}{t \mu _i(\mathbf u ) \cdot \mathbf c _i}\in \mathcal {R}_{q}^{}\).

Some remarks are in order. First, notice that for every \(i,j\in [n]\), \(s_i\), \(\varDelta {s_i}\) and \(\mathbf b _{j}\) are unknown to us. Moreover, although the map \(A_j(\cdot )\) is efficiently computable, this is not true for \(B_j(\cdot )\). Finally, recall that every \(c_{i,j}\ne 0\) by Lemma 3, so the equality \([s_i]_{i\in [n]}=[\tilde{s_i}]_{i\in [n]}\) holds if and only if \(\mathbf b _k=\mathbf 0 \in \mathbb {F}_q^n\). Since \(\mathbf 0 \in S_3\subseteq {{U}}_{k}\) trivially, a necessary yet insufficient condition for \(\mathbf b _{k}=\mathbf 0 \) is: \(\mathbf b _{k}\in {{U}}_{k}=S_2 \cup S_3\), or equivalently, \(0=\left\langle \mathbf f _{k,\ell }, \mathbf b _{k} \right\rangle = B_k\left( \mathbf f _{k,\ell } \right) \) for every \(\ell \in [n-1]\).

The general idea behind \(\mathcal {V}\) is simple: it first makes the guess, i.e., \([s_i]_{i\in [n]} = [\tilde{s_i}]_{i\in [n]}\), and then verifies the correctness of the guess via a set \(\mathcal {Q}\triangleq \mathcal {Q}_1\cup \mathcal {Q}_2\) of queries to \({\mathcal {M}_{1}}\) such that except with negligible probability, the guess is correct if and only if \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q}\).

In more detail, \(\mathcal {V}\) consists of two consecutive phases: Phase 1 and Phase 2.

• By issuing a set \(\mathcal {Q}_1\) of queries to \({\mathcal {M}_{1}}\), Phase 1 is devoted to deciding whether \(\mathbf b _{k}\in {{U}}_{k}=S_2\cup S_3\) or not;

• Conditioned on \(\mathbf b _{k}\in {{U}}_{k}\) and hence \(\mathbf b _{k}=r_0\cdot \mathbf a _{k}\) for some \(r_0\in \mathbb {F}_q\), Phase 2 is to decide whether \(r_0=0\) or not, by a set \(\mathcal {Q}_2\) of queries to \({\mathcal {M}_{1}}\).

It remains to design \(\mathcal {Q} = \mathcal {Q}_1\cup \mathcal {Q}_2\). Jumping ahead, for every query \((\mathbf x , \mathbf {w} ,\mathbf z )\) in \(\mathcal {Q}\), the \(\mathbf x \)-entry is always of the form \(\mathbf x _0 + 2\mathbf e \), where \(\mathsf {Dim}\left( \mathbf x _0 \right) = I = [n]\), and \(\mathbf e \leftarrow \mathbb {Z}_{1+2\alpha '\sqrt{n}}^n\). Similar to that of \(\mathcal {A}_{1}'\), the \(\mathbf e \)-part is introduced here to make those queries made by \(\mathcal {V}\) as “random-looking” as possible.

Design of Phase 1. Jumping ahead, the query set \(\mathcal {Q}_1 = \mathcal {Q}_1(\mathbf F _k)\) is

$$ \mathcal {Q}_1(\mathbf F _k) \text {=} \left\{ Q_{t,\ell }\text {=}(\tau (t, \mathbf f _{k,\ell })\text {+}2\mathbf e _{t,\ell }, \mathbf {w} _{t,\ell }, \mathbf z _{t,\ell }) \,\bigg |\,t\in [{q_0}], \ell \in [n-1], \mathbf e _{t,\ell }\leftarrow \mathbb {Z}_{1+2\alpha '\sqrt{n}}^n \right\} . $$

It remains to set the \(\mathbf {w} _{t,\ell }\)- and \(\mathbf z _{t,\ell }\)-entries.

Observe that for the query \(\left( \tau (t, \mathbf f _{k,\ell })+2\mathbf e _{t,\ell }, \mathbf {w} _{t,\ell }=[w_{t,\ell ,j}]_{j\in [n]}, \mathbf z _{t,\ell } \right) \in \mathcal {Q}_1(\mathbf F _k)\), \({\mathcal {M}_{1}}\) first generates \(\varepsilon _{t,\ell }\leftarrow \mathbb {Z}_{1+2\theta }^n\), and then computes

$$\begin{aligned} \mathbf v _{t,\ell }\triangleq & {} \mathbf s \cdot (\tau (t, \mathbf f _{k,\ell })+2\mathbf e _{t,\ell }) + {q_0}\cdot \mathbf {w} _{t,\ell } + 2\varepsilon _{t,\ell } \\ {}= & {} \mathbf s \cdot \tau (t, \mathbf f _{k,\ell }) + {q_0}\cdot \mathbf {w} _{t,\ell } + 2(\varepsilon _{t,\ell } + \varepsilon _{t,\ell }') \quad (\varepsilon _{t,\ell }'\triangleq \mathbf s \cdot \mathbf e _{t,\ell } \sim [\varepsilon _{t,\ell ,j}']_{j\in [n]}) \\ {}\sim & {} \left[ {\begin{array}{*{20}c} t\cdot A_1(\mathbf f _{k,\ell }) + t\cdot B_1(\mathbf f _{k,\ell }) + {q_0}\cdot w_{t,\ell ,1}\\ \vdots \\ t\cdot A_k(\mathbf f _{k,\ell }) + t\cdot B_k(\mathbf f _{k,\ell }) +{q_0}\cdot w_{t,\ell ,k}\\ \vdots \\ t\cdot A_n(\mathbf f _{k,\ell }) + t\cdot B_n(\mathbf f _{k,\ell }) +{q_0}\cdot w_{t,\ell ,n}\\ \end{array} }\right] + \left[ {\begin{array}{*{20}c} 2(\varepsilon _{t,\ell ,1} + \varepsilon '_{t,\ell ,1})\\ \vdots \\ 2(\varepsilon _{t,\ell ,k} + \varepsilon '_{t,\ell ,k})\\ \vdots \\ 2(\varepsilon _{t,\ell ,n} + \varepsilon '_{t,\ell ,n})\\ \end{array} }\right] . \end{aligned}$$

Notice that when \(q>1+8(\theta +n\alpha \alpha ')\), the noise \((\varepsilon _{t,\ell }+\varepsilon _{t,\ell }')\) is “short” in the sense that \({\Vert \varepsilon _{t,\ell }+\varepsilon '_{t,\ell } \Vert }_{\infty }< {q_0}/4\) holds w.o.p. With this in mind, we can define the aforementioned query set

And this choice of \(\mathcal {Q}_1(\mathbf F _k)\) is justified by the following lemma.

Lemma 9

With the notations defined previously, if \(q>1+8(\theta +n\alpha \alpha ')\), then except with negligible probability, we have

1. (a)

   If \({\mathcal {M}_{1}}\) returns 0 on some queries in \(\mathcal {Q}_1(\mathbf F _k)\), then \(\mathbf b _k\ne \mathbf 0 \);

2. (b)

   If \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q}_1(\mathbf F _k)\), then \(\mathbf b _k\in {{U}}_k=S_2\cup S_3\).

Proof

First, if \(\mathbf b _k\in S_3\text {=}\left\{ \mathbf 0 \right\} \), then our guess is correct, every \(\mathbf b _j\text {=}{} \mathbf 0 \) and hence every \(B_{j}(\cdot )=0\); By Lemma 4(b), \({\mathcal {M}_{1}}\) returns 1 w.o.p. for every query in \(\mathcal {Q}_1(\mathbf F _k)\).

Moreover, if \(\mathbf b _k\in S_1=\mathbb {F}_q^n\setminus {{U}}_k\), then there exists \(\mathbf f _{k, \ell ^*}\in \mathbf F _k\) such that \(B_k(\mathbf f _{k, \ell ^*})\ne 0\); Moreover, there exists a \(t^*\in [{q_0}]\) such that \(t^*\cdot B_k(\mathbf f _{k, \ell ^*})=\pm 1\). By Lemma 4(c), for the specific query \(Q_{t^*,\ell ^*}\in \mathcal {Q}_1(\mathbf F _k)\), its associated k-th equality does not hold w.o.p., and hence \({\mathcal {M}_{1}}\) returns 0 w.o.p. on \(Q_{t^*,\ell ^*}\).   \(\square \)

It should be stressed that in Phase 1, it is not easy to analyze the distribution of those query replies when \(\mathbf b _k\in S_2\), which explains the necessity of Phase 2.

Design of Phase 2. In Phase 2, conditioned on the hypothesis \(\mathbf b _k\in {{U}}_k=S_2\cup S_3\), it remains to consider whether \(\mathbf b _k\in S_2\) or \(\mathbf b _k\in S_3=\left\{ \mathbf 0 \right\} \). By hypothesis, we have \(\mathbf b _{k}\in U_k=\{r\cdot \mathbf a _{k}\,|\,r\in \mathbb {F}_q\}\); Hence, we can assume \(\mathbf b _{k} = r_0\cdot \mathbf a _{k}\) for some \(r_0\in \mathbb {F}_q\). Then \(B_k(\mathbf u )=r_0\cdot A_k(\mathbf u )\) for every \(\mathbf u \in \mathbb {F}_q^n\). Moreover, the question now could be expressed in terms of \(r_0\), i.e., whether \(r_0=0\) or not.

Choose \(\mathbf u ^*\leftarrow \mathcal {R}_{q}^{}\) randomly such that \(A_k(\mathbf u ^*)=1\) and every entry of \(\mathbf u ^*\) is non-zero. It follows \(t\cdot A_k(\mathbf u ^*) + t\cdot B_k(\mathbf u ^*) = t(1+r_0)\) for every \(t\in \mathbb {F}_q\). Jumping ahead, the set \(\mathcal {Q}_2=\mathcal {Q}_2(\mathbf u ^*)\) is

It remains to set the \(\mathbf {w} _t\)- and \(\mathbf z _t\)-entries.

Observe that for every query \(Q'_t=(\tau (t, \mathbf u ^*)+2\mathbf e _t, \mathbf {w} _t=[w_{t,j}]_{j\in [n]}, \mathbf z _t=[z_{t,j}]_{j\in [n]})\), \({\mathcal {M}_{1}}\) first generates \(\varepsilon _t\leftarrow \mathbb {Z}_{1+2\theta }^n\), and then computes

$$\begin{aligned} \mathbf v _t'\triangleq & {} \mathbf s \cdot (\tau (t, \mathbf u ^*)+2\mathbf e _t) + {q_0}\cdot \mathbf {w} _t + 2\varepsilon _t\\ {}= & {} \mathbf s \cdot \tau (t, \mathbf u ^*) + {q_0}\cdot \mathbf {w} _t + 2(\varepsilon _t + \varepsilon '_t)\\ {}\sim & {} \left[ {\begin{array}{*{20}c} t\cdot A_1(\mathbf u ^*) + t\cdot B_1(\mathbf u ^*) +{q_0}w_{t,1}\\ \vdots \\ t + t\cdot r_0 + {q_0}w_{t,k}\\ \vdots \\ t\cdot A_n(\mathbf u ^*) + t\cdot B_n(\mathbf u ^*) +{q_0}w_{t,n}\\ \end{array} }\right] + \left[ {\begin{array}{*{20}c} 2(\varepsilon _{t,1} + \varepsilon '_{t,1})\\ \vdots \\ 2(\varepsilon _{t,k} + \varepsilon '_{t,k})\\ \vdots \\ 2(\varepsilon _{t,n} + \varepsilon '_{t,n})\\ \end{array} }\right] , \end{aligned}$$

where \(\varepsilon '_t\triangleq \mathbf s \cdot \mathbf e _t \sim [\varepsilon _{t,j}']_{j\in [n]}\). Again, when \(q>1+8(\theta +n\alpha \alpha ')\), the inequality \({\Vert \varepsilon _{t}+\varepsilon '_{t} \Vert }_{\infty }< {q_0}/4\) holds w.o.p. With this in mind, we can define

$$\begin{aligned} \mathcal {Q}_2(\mathbf u ^*) \triangleq \left\{ \left( \begin{array}{c} \tau (t, \mathbf u ^*)+2\mathbf e _t,\\ \left[ w_{t,j}\right] _{j\in [n]}, \left[ z_{t,j}\right] _{j\in [n]}\\ \end{array} \right) \left| \begin{array}{c} t\in [{q_0}], j\in [n], \mathbf e _t\leftarrow \mathbb {Z}_{1+2\alpha '\sqrt{n}}^n, u_{t,j} = tA_j(\mathbf u ^*), \\ w_{t,j} = \mathsf {Cha}\left( {u_{t,j}} \right) , z_{t,j} = {\mathsf {Mod}}_{}\left( u_{t,j}, w_{t,j} \right) \\ \end{array} \right\} \right. \end{aligned}$$

And this choice of \(\mathcal {Q}_2(\mathbf u ^*)\) is justified by the following lemma.

Lemma 10

With the notations defined previously, if \(q>1+8(\theta +n\alpha \alpha ')\) and \(\mathbf b _k\in U_k\) are guaranteed, then except with negligible probability, we have \([s_i]_{i\in [n]}= [\tilde{s_i}]_{i\in [n]}\) if and only if \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q}_2(\mathbf u ^*)\).

Proof

First, if \([s_i]_{i\in [n]}= [\tilde{s_i}]_{i\in [n]}\), then our guess is correct, \(r_0=0\), and every \(B_j(\cdot )=0\). By Lemma 4(b), \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q}_2(\mathbf u ^*)\).

Conversely, if \(r_0\ne 0\), then there exists a \(t^*\in [{q_0}]\) such that \(t^* r_0=\pm 1\). Similarly, by Lemma 4(c), \({\mathcal {M}_{1}}\) returns 0 w.o.p. on this specific query \(Q_{t^*}'=(\tau (t^*, \mathbf u ^*)+2\mathbf e _{t^*}, \mathbf {w} _{t^*}, \mathbf z _{t^*})\in \mathcal {Q}_2(\mathbf u ^*)\).    \(\square \)

This finishes the construction of \(\mathcal {V}\), as well as its correctness analysis, for the special case when the index set \(I=[n]\). Clearly it takes at most \(n\cdot {q_0}=\mathrm {poly}(\lambda )\) queries for \(\mathcal {V}\) to solve this special case of \(\mathcal {P}_2\), indicating that \(\mathcal {V}\) runs in polynomial time. Also, computer experiments have justified the correctness of \(\mathcal {V}\).

Moreover, it is easy to generalize the foregoing construction such that \(\mathcal {V}\) could be applied to solve the more general case of \(\mathcal {P}_2\), i.e., \(\emptyset \ne I\subsetneqq [n]\). In general, the number of queries made by \(\mathcal {V}\) is upper-bounded by \({q_0}\cdot |I|=\mathrm {poly}(\lambda )\).

Theorem 5

When \(q>1+8(\theta +n\alpha \alpha ')\), it takes at most \({q_0}\cdot |I|\) queries for \(\mathcal {V}\) to decide whether \([s_i]_{i\in I} = [\tilde{s_i}]_{i\in I}\) or not: except with negligible probability, the equality holds if and only if \({\mathcal {M}_{1}}\) returns 1 on every query in \(\mathcal {Q} = \mathcal {Q}_1\cup \mathcal {Q}_2\). In particular, for every query in \(\mathcal {Q}\), its \(\mathbf x \)-entry could be written as \(\mathbf x = \mathbf x _0 +2\mathbf e \) satisfying \(\mathsf {Dim}\left( \mathbf x _0 \right) = I\) and \(\mathbf{e }\in \mathbb {Z}_{1+2\alpha '\sqrt{n}}^n\).    \(\square \)