The Learning With Errors ($\mathsf{LWE}$) problem asks to find $\mathbf{s}$ from an input of the form $(\mathbf{A}, \mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}) \in (\mathbb{Z}/q\mathbb{Z})^{m \times n} \times (\mathbb{Z}/q\mathbb{Z})^{m}$, for a vector $\mathbf{e}$ that has small-magnitude entries. In this work, we do not focus on solving $\mathsf{LWE}$ but on the task of sampling instances. As these are extremely sparse in their range, it may seem plausible that the only way to proceed is to first create $\mathbf{s}$ and $\mathbf{e}$ and then set $\mathbf{b} = \mathbf{A}\mathbf{s}+\mathbf{e}$. In particular, such an instance sampler knows the solution. This raises the question of whether it is possible to obliviously sample $(\mathbf{A}, \mathbf{A}\mathbf{s}+\mathbf{e})$, namely, without knowing the underlying $\mathbf{s}$. A variant of the assumption that oblivious $\mathsf{LWE}$ sampling is hard has been used in a series of works to analyze the security of candidate constructions of Succinct Non-interactive Arguments of Knowledge (SNARKs). As the assumption is related to $\mathsf{LWE}$, these SNARKs have been conjectured to be secure in the presence of quantum adversaries. Our main result is a quantum polynomial-time algorithm that samples well-distributed $\mathsf{LWE}$ instances while provably not knowing the solution, under the assumption that $\mathsf{LWE}$ is hard. Moreover, the approach works for a vast range of $\mathsf{LWE}$ parametrizations, including those used in the above-mentioned SNARKs. This invalidates the assumptions used in their security analyses, although it does not yield attacks against the constructions themselves.
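To make the two notions in the abstract concrete, the following added example (not code from the paper) implements the standard, non-oblivious sampler that must generate $\mathbf{s}$ and $\mathbf{e}$ before it can form $\mathbf{b}$, a check that a candidate $(\mathbf{A}, \mathbf{b})$ is an $\mathsf{LWE}$ instance for a given $\mathbf{s}$, and a brute-force solver for toy parameters that shows how sparse valid instances are in $(\mathbb{Z}/q\mathbb{Z})^m$. The parameter values ($n=2$, $m=6$, $q=17$, error bound 1) are constructed toy values, not the paper's.

```python
import random
from itertools import product

def sample_lwe(n, m, q, bound, rng):
    """Standard (non-oblivious) sampler: draw s and e first, then set
    b = A*s + e mod q. By construction the sampler knows the solution s."""
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-bound, bound) for _ in range(m)]  # small-magnitude error
    b = [(sum(a * x for a, x in zip(row, s)) + err) % q for row, err in zip(A, e)]
    return A, b, s, e

def centered(x, q):
    """Representative of x mod q in the centered range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def is_lwe_instance(A, b, s, q, bound):
    """True iff every entry of b - A*s (centered mod q) has magnitude <= bound."""
    for row, bi in zip(A, b):
        if abs(centered(bi - sum(a * x for a, x in zip(row, s)), q)) > bound:
            return False
    return True

def brute_force_solve(A, b, q, bound):
    """Exhaustive search over s in (Z/qZ)^n; feasible only for toy parameters.
    Returns a solution if one exists, else None."""
    n = len(A[0])
    for s in product(range(q), repeat=n):
        if is_lwe_instance(A, b, s, q, bound):
            return list(s)
    return None

def density_bound(n, m, q, bound):
    """Upper bound on the fraction of (Z/qZ)^m occupied by valid b for a fixed A:
    at most q^n secrets times (2*bound+1)^m error vectors, out of q^m vectors."""
    return (q ** n * (2 * bound + 1) ** m) / q ** m

def uniform_b_hit_rate(A, q, bound, trials, rng):
    """Fraction of uniformly random b that happen to be LWE instances for this A.
    Drawing b uniformly is the naive 'oblivious' attempt; it almost always fails."""
    m = len(A)
    hits = sum(brute_force_solve(A, [rng.randrange(q) for _ in range(m)], q, bound) is not None
               for _ in range(trials))
    return hits / trials
```

Calling `sample_lwe(2, 6, 17, 1, random.Random(2024))` yields an instance that `is_lwe_instance` accepts for the returned `s`, while `density_bound(2, 6, 17, 1)` is below 1%, matching the low `uniform_b_hit_rate` observed for random `b`.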