Linear Congruence and Reduction on the Learning with Errors Problem

Abstract: We propose an algorithm for solving general linear Diophantine equations and an algorithm that solves linear congruence problems efficiently using LU decomposition, which calls into question the security of cryptographic systems based on linear congruence equations. We then focus on generalizing the argument for a specific reduction of the Learning with Errors (LWE) problem established in previous work ([BLP13]) so that the reduction accommodates more general choices of matrices. More specifically, we relax [BLP13]'s restriction to the identity matrix and allow general diagonal matrices. Two examples are presented to further demonstrate the validity of our results.


Introduction
Many classic cryptographic systems rely on the hardness of certain problems, such as large-integer factorization, the discrete logarithm, and elliptic-curve problems, to ensure information security. One such problem, and a topic of this paper, is solving the linear congruence equation ax ≡ b (mod m) for large values of m. Linear congruence serves as the basis of many cryptographic algorithms, including the Rivest-Shamir-Adleman (RSA) encryption and decryption algorithms.
As a result, it is of interest for mathematicians to develop efficient algorithms for solving linear congruence. Some existing methods include testing the residue classes mod m, finding a^(-1) (mod m), and converting the equation to the corresponding linear Diophantine equation ax + my = b and then applying the Euclidean Algorithm. In 1980 John R. Silvester also described a novel method combining matrix elementary row operations with solutions of linear congruence equations [1]. However, all these methods fall short when it comes to a system of linear congruence equations, namely Ax ≡ b (mod m) with A an n-dimensional full-rank matrix, for significantly large values of n and m. For these cases, we propose an algorithm that utilizes LU decomposition, taking advantage of the known efficient algorithms for computing LU decompositions. With ever more efficient algorithms for computing linear congruence, it is essential for mathematicians to devise new problems with a hardness level stronger than that of the current problems. Following the introduction of quantum computers, lattice-based cryptography has become increasingly important for post-quantum cryptography. Unlike classic encryption methods such as RSA and Diffie-Hellman, lattice-based cryptography is currently believed not to be breakable by quantum computers — that is, under the assumption that specific computational lattice problems admit no polynomial-time algorithm.
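To make the Diophantine-conversion approach above concrete, here is a short sketch of our own (not code from the paper): a single congruence ax ≡ b (mod m) is rewritten as ax + my = b and solved with the extended Euclidean algorithm.

```python
# Sketch (ours, not from the paper): solve a*x ≡ b (mod m) by converting
# it to the Diophantine equation a*x + m*y = b.

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, x, y = extended_gcd(b, a % b)
    return (g, y, x - (a // b) * y)

def solve_congruence(a, b, m):
    """Return one solution of a*x ≡ b (mod m), or None if unsolvable."""
    g, x, _ = extended_gcd(a, m)
    if b % g != 0:
        return None              # solvable iff gcd(a, m) divides b
    # scale the Bezout coefficient; solutions repeat with period m // g
    return (x * (b // g)) % (m // g)

print(solve_congruence(14, 30, 100))   # one solution of 14x ≡ 30 (mod 100)
```

Any other solution differs from the returned one by a multiple of m/gcd(a, m).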
In our paper, we will focus on a fundamental problem upon which most lattice-based cryptographic systems are based: the learning with errors (LWE) problem. Two distributions are concerned in the problem: (a_i, ⟨a_i, s⟩ + e_i) versus (a_i, u_i), where the a_i and s are chosen uniformly at random from ℤ_q^n, the u_i uniformly at random from ℤ_q, and the e_i ∈ ℤ from an error distribution, typically a discrete Gaussian distribution. The decision variant of LWE aims to distinguish between the two distributions, while the search variant aims to find the secret s.
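The two distributions just defined can be illustrated with a small sketch of our own (not the paper's code); the error here is a rounded continuous Gaussian, a common stand-in for a discrete Gaussian in illustrations.

```python
# Illustrative sketch (ours): draw samples from the two LWE distributions,
# (a_i, <a_i, s> + e_i mod q) versus uniform pairs (a_i, u_i).
import random

def lwe_samples(n, q, num, sigma=1.0, seed=0):
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]        # secret s, uniform in Z_q^n
    out = []
    for _ in range(num):
        a = [rng.randrange(q) for _ in range(n)]    # uniform a_i in Z_q^n
        e = round(rng.gauss(0.0, sigma))            # small rounded-Gaussian error
        b = (sum(x * y for x, y in zip(a, s)) + e) % q
        out.append((a, b))
    return s, out

def uniform_samples(n, q, num, seed=1):
    rng = random.Random(seed)
    return [([rng.randrange(q) for _ in range(n)], rng.randrange(q))
            for _ in range(num)]
```

Decision-LWE asks a distinguisher to tell `lwe_samples` output from `uniform_samples` output; search-LWE asks for `s` given only the first kind.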
Regev's groundbreaking work in 2005 shows a reduction from lattice problems, such as finding relatively short vectors in general lattices, to LWE, proving that the latter is a hard problem [2]. More specifically, it turns out that a solving algorithm for n-dimensional LWE implies an efficient quantum algorithm to find short enough vectors in n-dimensional lattices.
However, since Regev's work only yields an efficient quantum algorithm from any, even non-quantum, algorithm for LWE, this reduction is not the end point of such reductions. Other works have thus succeeded Regev's in an attempt to find better, namely classical (non-quantum), reductions. C. Peikert's 2009 work shows that standard lattice problems can be classically reduced to exponential-modulus LWE [3]. Z. Brakerski et al.'s 2013 work establishes a classical reduction for polynomial-modulus LWE [4]. More importantly, it shows that the existence of an efficient classical algorithm for LWE implies an efficient algorithm for worst-case standard lattice problems.
In short, many reductions of different versions of LWE have been established thus far, each with its own strengths and weaknesses. All of them, however, aim either to study the hardness of LWE or to adjust the problem to be more practical in actual cryptographic applications.
The main contribution of this paper is an algorithm for solving linear congruence equations using LU decomposition; we justify its efficiency by running the algorithm on large matrices and moduli in MATLAB.
For the reduction on LWE, we provide a more general result based on the conclusions of Z. Brakerski et al.'s 2013 work. Our result accommodates more matrices than the corresponding results stated by Brakerski et al.
Our algorithm for solving linear congruence is preceded by a method for solving general linear Diophantine equations, together with some illustrations of that method, and is followed by three examples of linear congruence equations solved with our algorithm, demonstrating the efficiency it can achieve.
To obtain our results for the reduction on LWE, we use the same idea as in the proof of Corollary 3.4 of Brakerski et al., but employ integer diagonal matrices other than the identity matrix used in that corollary. This yields the result that more general matrices can be used in the reduction.

Preliminaries
In this section, some useful preliminaries are presented.

Linear Diophantine Equation
The general linear Diophantine equation has the form a_1 x_1 + a_2 x_2 + ··· + a_n x_n = b, where a_1, a_2, ..., a_n and b are integers; gcd(a_1, a_2, ..., a_n) | b is the necessary and sufficient condition for the equation to have integer solutions. We call a linear Diophantine equation solvable if and only if integer solutions exist, since those are the only solutions of interest.
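The solvability condition above also suggests a direct way to produce one solution: fold the extended Euclidean algorithm over the coefficients. The following is our own minimal sketch, not the method of Theorem 3.1.

```python
# Sketch (ours): one integer solution of a_1*x_1 + ... + a_n*x_n = b,
# obtained by folding the extended Euclidean algorithm over the a_i.

def egcd(a, b):
    """Return (g, u, v) with a*u + b*v = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, u, v = egcd(b, a % b)
    return (g, v, u - (a // b) * v)

def solve_diophantine(coeffs, b):
    """Return one integer solution vector, or None if gcd(coeffs) does not divide b."""
    g, xs = coeffs[0], [1]
    for a in coeffs[1:]:
        g2, u, v = egcd(g, a)            # g2 = u*g + v*a = gcd(g, a)
        xs = [x * u for x in xs] + [v]   # rescale previous coefficients
        g = g2
    if b % g != 0:
        return None                      # solvability: gcd(a_1,...,a_n) | b
    k = b // g
    return [x * k for x in xs]
```

For example, `solve_diophantine([6, 10, 15], 1)` returns a vector x with 6x_1 + 10x_2 + 15x_3 = 1, since gcd(6, 10, 15) = 1.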

Linear Congruence Equations
For A an n-dimensional full-rank matrix, x and b n-dimensional vectors, and m an integer, the linear congruence equation of interest in this paper is written Ax ≡ b (mod m), where the necessary and sufficient condition for integer solutions to exist is that gcd(det(A), m) divides every component of adj(A)b (the natural generalization of the scalar condition gcd(a, m) | b). For convenience, we will denote the determinant of A (commonly written det(A)) simply as |A| from now on.

LU Decomposition
For any given full-rank n-dimensional matrix A, the LU decomposition finds A = LU, where L and U are a lower triangular matrix and an upper triangular matrix, respectively. The decomposition can be achieved efficiently by repeatedly adding a multiple of one row of A to another.
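The row-operation description above corresponds to the classic Doolittle scheme; here is a bare-bones sketch of our own (it assumes every pivot is nonzero, i.e. no row exchanges are needed).

```python
# Doolittle LU factorization without pivoting (ours, for illustration;
# assumes every pivot U[k][k] encountered is nonzero).

def lu_decompose(A):
    """Return (L, U) with A = L*U, L unit lower triangular, U upper triangular."""
    n = len(A)
    L = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    U = [[float(v) for v in row] for row in A]
    for k in range(n):
        for i in range(k + 1, n):
            factor = U[i][k] / U[k][k]   # multiple of row k subtracted from row i
            L[i][k] = factor             # record it in L
            for j in range(k, n):
                U[i][j] -= factor * U[k][j]
    return L, U
```

Each inner step is exactly one "add a multiple of one row to another" operation, which is why the factorization exists whenever those operations alone suffice.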

Lattice
An n-dimensional lattice Λ is a subgroup of ℝ^n: the set of all integer-coefficient linear combinations of n linearly independent vectors b_1, ..., b_n, called the basis vectors: Λ = { ∑_{i=1}^{n} z_i b_i : z_i ∈ ℤ }.
Then the continuous Gaussian distribution D_r is defined to be the distribution with density function proportional to exp(−π‖x‖²/r²). Also define, for an n-dimensional lattice L and vector u ∈ ℝ^n, D_{L+u,r} to be the discrete distribution with support on the coset L + u and probability mass function proportional to exp(−π‖x‖²/r²).
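For intuition, the one-dimensional case of the discrete distribution above (a coset c + ℤ) can be sampled by simple rejection; this is our own illustrative sketch, with the truncation bound `tail` an assumption of the sketch rather than anything from the paper.

```python
# Illustrative (ours): sample the one-dimensional discrete Gaussian on a
# coset c + Z, i.e. P(x) proportional to exp(-pi * x^2 / r^2) for x in c + Z.
# `tail` truncates the support; it should be several multiples of r.
import math
import random

def discrete_gaussian_1d(c, r, rng, tail=20):
    """Rejection sampler: propose uniformly on the truncated coset, accept
    with probability exp(-pi * x^2 / r^2)."""
    while True:
        x = c + rng.randint(-tail, tail)
        if rng.random() < math.exp(-math.pi * x * x / (r * r)):
            return x
```

Every returned value lies on the coset c + ℤ, and values near 0 are exponentially favored, mirroring the n-dimensional definition above.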

Linear Diophantine Equations
The main result of this section is Theorem 3.1, a method for solving general solvable linear Diophantine equations using integral elementary row operations. Elementary row operations include swapping rows, scalar multiplication of rows, and row sums, i.e., adding a multiple of one row to another. For our case, we use integral row sums, in which the multiple is restricted to be an integer. We use x · y to denote the dot product of vectors x and y. Proof. Note that each integral row sum amounts to multiplication by an n × n matrix with determinant 1. Thus, the matrix after the operations is E · A for an n × n matrix E with |E| = 1.

LU Decomposition Method for Linear Congruence Equations
The main theorem of this section, which utilizes LU decomposition to solve linear congruence equations, is stated below. Denote the adjoint (adjugate) matrix of any matrix A by adj(A), for which adj(A) = |A| · A^(-1). In the case gcd(|A|, m) = 1 (Corollary 4.2), the solution for x is unique: x ≡ |A|^(-1) · adj(A) · b (mod m).
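The coprime-case formula can be sketched directly in code. The following is our own illustration (not the paper's MATLAB implementation): it computes the determinant and adjugate by cofactor expansion, which is only practical for small n, and uses Python's three-argument `pow` for the modular inverse.

```python
# Sketch (ours) of the coprime case: when gcd(|A|, m) = 1, the solution of
# A x ≡ b (mod m) is x ≡ |A|^{-1} · adj(A) · b (mod m).

def minor(M, i, j):
    """Matrix M with row i and column j removed."""
    return [row[:j] + row[j + 1:] for k, row in enumerate(M) if k != i]

def det(M):
    """Determinant by cofactor expansion along the first row."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det(minor(M, 0, j))
               for j in range(len(M)))

def adjugate(M):
    """adj(M): transpose of the cofactor matrix (integer entries)."""
    n = len(M)
    return [[(-1) ** (i + j) * det(minor(M, j, i)) for j in range(n)]
            for i in range(n)]

def solve_mod(A, b, m):
    d_inv = pow(det(A) % m, -1, m)   # modular inverse; needs gcd(|A|, m) = 1
    adj = adjugate(A)
    n = len(b)
    return [d_inv * sum(adj[i][j] * b[j] for j in range(n)) % m
            for i in range(n)]
```

Since adj(A) · A = |A| · I, multiplying Ax ≡ b by adj(A) gives |A|x ≡ adj(A)b, and the modular inverse of |A| isolates x.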

Numerical Tests
In this section we provide three cases of the application of Theorem 4.1: the first with a small value of n, where n is the dimension of the matrix A; the second with a large value of n but still with |A| coprime to m; and the last, the most complicated, with gcd(|A|, m) ≠ 1.
To test the efficiency of the algorithm presented in Theorem 4.1, we run these tests in MATLAB on a computer equipped with an 8-core CPU and 8 GB of memory. The following three examples have different levels of complexity yet are all based on our algorithm.
Example 5.1. For small values of n, where n is the dimension of the matrix A in the linear congruence equation Ax ≡ b (mod m), we restrict |A| to be coprime to m and base our example on the results of Corollary 4.2.
For runtime-efficiency testing purposes, we build the equations as follows. We first assign the solution x to be the n-dimensional vector of all ones. We then construct A from lower and upper triangular matrices L and U with L · U = A. The main diagonal of L is all ones except for the last element, which in our case we set to 7, and the main diagonal of U is all ones. Lastly, the remaining possibly nonzero elements of both L and U are integers selected uniformly at random from [0, 3]: we first select those elements at random from the reals between 0 and 1, then multiply each by 3 and round to the nearest integer. Since the determinant of a triangular matrix is the product of its diagonal elements, |L| = 7 and |U| = 1, giving |A| = 7. In fact, our choice of L and U ensures that we know the determinant of A and can control the condition number of A. In our tests we let m = 5, where m is the modulus in Ax ≡ b (mod m).
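The construction just described can be sketched as follows. The paper's tests were written in MATLAB; this pure-Python version of ours follows the same recipe (note that Python's `round` resolves .5 ties slightly differently from MATLAB's, which is immaterial here).

```python
# Sketch (ours) of the Example 5.1 instance: A = L*U with det(L) = 7 and
# det(U) = 1, off-diagonal entries drawn by rounding 3 * uniform(0, 1).
import random

def build_instance(n, seed=0):
    rng = random.Random(seed)
    L = [[round(3 * rng.random()) if i > j else (1 if i == j else 0)
          for j in range(n)] for i in range(n)]
    L[n - 1][n - 1] = 7                        # so det(L) = 7
    U = [[round(3 * rng.random()) if i < j else (1 if i == j else 0)
          for j in range(n)] for i in range(n)]
    A = [[sum(L[i][k] * U[k][j] for k in range(n)) for j in range(n)]
         for i in range(n)]                    # det(A) = det(L)*det(U) = 7
    x = [1] * n                                # expected solution: all ones
    b = [sum(A[i][j] for j in range(n)) % 5 for i in range(n)]  # modulus m = 5
    return A, b, x
```

Because both triangular factors have known diagonals, |A| = 7 is known by construction, exactly as the runtime tests require.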
We run this code 1000 times and save the runtime, the condition number of A, and the norm of the difference between the computed solution and the expected solution for each run. The latter data set consists of small positive real numbers; for our run its range is [6.5034 · 10^(-11), 0.0590], with a mean of 3.6 · 10^(-4). Although those numbers are not exactly 0, as they would be in exact arithmetic, we are only concerned with integer solutions, and these errors are small enough that every entry rounds to 0 rather than 1. Keeping this in mind, we also save the norm of the difference between the rounded computed solution and the expected solution. This data set is, unsurprisingly, all 0s.
The data sets for runtime and condition number of A for different values of n (each over 1000 tests) can be seen in Table 1. As shown, the runtimes are small enough for us to deem our algorithm efficient for small dimensions of A such as in this example.
Regarding the condition number of A: since A is a relatively small matrix, with minimum n = 10 and maximum n = 25, these condition numbers are high enough to deem A a very ill-conditioned matrix for every value of n. However, the norm of the difference between the computed and expected solutions is still low enough to be acceptable, given that we only care about discrete integer solutions. This shows the stability of our algorithm: it remains accurate even when a small matrix A is very ill-conditioned.
Example 5.2. This example concerns matrices A of higher dimension, namely n = 30000. Again we restrict |A| to be coprime to the modulus m, so this example is still based on the results of Corollary 4.2, but on a larger scale. Similar to the previous example, we build it as follows. The expected solution is still the n-dimensional vector of all 1s. L is constructed with all 1 entries on the main diagonal and all 1 entries on the diagonal immediately below it. U, on the other hand, has all 1s on the main diagonal except the last entry, which is assigned to be 5, and all 1 entries on the diagonal immediately above the main diagonal. A is then L · U. Consequently, |L| = 1 and |U| = 5, so |A| = |L| · |U| = 5. Again we assign L and U this way so that the determinant of A is known. Next we set m = 7 and compute b ≡ Ax (mod 7). This time the code must find |A|^(-1) (mod 7); since m = 7 has a relatively small multiplicative group, we simply traverse the residue classes mod 7 to find that 3 · |A| ≡ 1 (mod 7). Finally we conclude that x ≡ 3 · 5 · A^(-1) · b (mod 7).
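The closed form at the end of this construction can be checked on a toy instance. The sketch below is ours (the paper ran MATLAB at n = 30000); it builds the same bidiagonal factors at a small n and evaluates x ≡ 3 · 5 · A^(-1) · b (mod 7) exactly over the rationals.

```python
# Sketch (ours): Example 5.2's construction at small n, verifying
# x ≡ 3 * adj(A) * b ≡ 3 * 5 * A^{-1} * b (mod 7) recovers the all-ones vector.
from fractions import Fraction

def solve_exact(L, U, b):
    """Solve (L*U) y = b exactly with Fractions via forward/back substitution."""
    n = len(b)
    z = [Fraction(0)] * n
    for i in range(n):                     # forward substitution: L z = b
        z[i] = (Fraction(b[i]) - sum(L[i][j] * z[j] for j in range(i))) / L[i][i]
    y = [Fraction(0)] * n
    for i in reversed(range(n)):           # back substitution: U y = z
        y[i] = (z[i] - sum(U[i][j] * y[j] for j in range(i + 1, n))) / U[i][i]
    return y

def example_52(n, m=7):
    # L: ones on the main diagonal and first subdiagonal (det = 1)
    L = [[1 if i == j or i == j + 1 else 0 for j in range(n)] for i in range(n)]
    # U: ones on the main diagonal (last entry 5) and first superdiagonal (det = 5)
    U = [[1 if i == j or j == i + 1 else 0 for j in range(n)] for i in range(n)]
    U[n - 1][n - 1] = 5
    A = [[sum(L[i][k] * U[k][j] for k in range(n)) for j in range(n)]
         for i in range(n)]                # det(A) = 5
    b = [sum(A[i][j] for j in range(n)) % m for i in range(n)]  # x = all ones
    y = solve_exact(L, U, b)               # y = A^{-1} b
    return [int(15 * yi) % m for yi in y]  # 3 * 5 ≡ 1 (mod 7)
```

Since adj(A)·b ≡ adj(A)·A·1 = 5·1 (mod 7), multiplying by 3 gives 15·1 ≡ 1 (mod 7), so the function returns the all-ones vector.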
We run this code 1000 times again, saving the runtime, the condition number of A, and the norm of the difference between the computed and expected solutions. This time, since L and U are completely determined, the latter value is the same in each run; for our run it is 2.1755 · 10^(-13). This is again a small number, given that we only care about integer solutions.
Therefore, we again calculate the norm of the difference between the rounded computed solution and the expected solution, and are not surprised to see that it is 0 in every test. [Table 2 values: 1.40 · 10^5, 3.14 · 10^5, 3.15 · 10^9.] Although we see quite a significant increase in average runtime from the previous example, it is acceptable considering the drastic increase in n. Thus, we conclude that the algorithm is still efficient for sizes of A as large as n = 30000. Note that although n is larger in this example, the norm of the difference between the computed and expected solutions is smaller than in the previous example; this is because the previous example involved randomly generated L and U, while this example uses known simple choices of L and U.
As shown above, the condition numbers are not that large considering that A has dimension up to n = 30000. Thus, we are working with a well-conditioned matrix here.
Example 5.3. In this example we treat the most complicated case, with a large dimension of A, namely n = 30000, and moreover gcd(|A|, m) > 1. As a result we employ Theorem 4.1 directly for this example.
The buildup process for this example is almost identical to the previous example. The solution is again assigned to be the n-dimensional vector of all 1s; L is the same matrix as in the previous example, with the main diagonal and the diagonal immediately below it all 1s and everything else 0, while U has all 1 entries on the main diagonal except for the last entry, which is 6, and all 1 entries on the diagonal immediately above it. In this example we assign m = 8. Note that |A| = |L| · |U| = 6 and gcd(|A|, m) = 2 > 1. Lastly we compute b ≡ Ax (mod 8). This code is run 1000 times again, saving the runtime and the norm of the difference between the computed and expected solutions. The latter is a fixed value, just as in the previous example; for our run it turns out to be 1.6316 · 10^(-13). Again this value is low enough to round to 0, since we only care about integer solutions.

Then we calculate the solution using Theorem 4.1.
The data sets for runtime and condition numbers of A for different values of n (each over 1000 tests) can be seen in Table 3. The runtime results for this example are similar to those of the previous example, so it is safe to conclude that the algorithm is also efficient for large values of n with gcd(|A|, m) > 1.
The condition numbers for A, as seen above, are also not large considering that A has dimension n = 30000. Thus, in this example A is also well-conditioned.

Discussion of Results
As we have shown, the algorithm works for cases of small and large n regardless of the value of gcd(|A|, m). Note, however, that in all the examples above we deliberately constructed L and U so that |A| is a known small value. The algorithm fails when |A| is a random large value, since a large |A| amplifies any existing error. When |A| is on the order of 10^11, which can easily happen when the diagonals of both L and U are randomly generated, errors that were insignificant and negligible for small |A| become significantly large. Other factors affecting the accuracy of the algorithm are the dimension of A and the condition number of A: namely, accuracy decreases when A is significantly ill-conditioned. Our algorithm is still decently stable, though, since Example 5.1 shows it to be resistant to very ill-conditioned matrices as long as the dimension of A is small enough. When a high dimension of A is combined with a large condition number, the algorithm succumbs and returns a large error. For example, we modify the code of Example 5.1 slightly and increase the dimension to n = 300. One run shows a condition number of 6.4582 · 10^18, meaning A is very ill-conditioned in this case. With A a high-dimensional ill-conditioned matrix, the norm of the difference between the computed and expected solutions is as high as 36.0918, meaning the algorithm falls short in this case.
In conclusion, our algorithm works when A has a small determinant and either a small dimension or a good condition number. It fails, however, when A has a large determinant, or when it is both large and ill-conditioned.

Reduction
As our algorithm for solving linear congruence equations in the previous sections shows, problems previously thought to have strong hardness, on which classical cryptographic systems are based, are becoming increasingly breakable. Thus, it is of high importance for researchers to devise new problems that are currently unbreakable, especially as we enter the post-quantum world.

Conclusion
This paper first establishes an algorithm for solving general solvable linear Diophantine equations, then proposes an algorithm for solving the linear congruence equation Ax ≡ b (mod m) that works when A has a small determinant and either a small dimension or the property of being well-conditioned.
Next, the paper generalizes Corollary 3.4 of Brakerski et al.'s 2013 paper by using a general diagonal matrix in place of the identity matrix.
This generalization makes more types of matrices usable in the reduction, and it helps us understand the hardness of LWE.
Open questions. As discussed in Section 5, our algorithm for solving linear congruence problems falls short for matrices with a large determinant, or with both a large dimension and the property of being ill-conditioned. We therefore wonder whether it is possible to overcome these problems and improve our proposed algorithm so that it accommodates the situations in which the original algorithm fails. Our first instinct is to use some iterative method such as the Jacobi method, but we note that the Jacobi method on its own is not sufficient, since it only converges for diagonally dominant matrices.
Additionally, as we extend Brakerski et al.'s Corollary 3.4 from the case in which the matrix is the identity to any diagonal matrix, we cannot help but wonder whether it is possible to extend the argument further and obtain meaningful results for other choices of matrices. We do not know what such an extension would bring to our understanding of the hardness of LWE, which is a crucial motivation for any reduction upon LWE, but it is certainly satisfying to extend the proof simply to make it more general.
The data sets for runtime and condition numbers of A for different values of n (each over 1000 tests) can be seen in the table above (Table 2).