Cryptography from Learning Parity with Noise

The Learning Parity with Noise (LPN) problem has recently found many applications in cryptography as the hardness assumption underlying the constructions of “provably secure” cryptographic schemes like encryption or authentication protocols. Being provably secure means that the scheme comes with a proof showing that the existence of an efficient adversary against the scheme implies that the underlying hardness assumption is wrong. LPN based schemes are appealing for theoretical and practical reasons. On the theoretical side, LPN based schemes offer a very strong security guarantee. The LPN problem is equivalent to the problem of decoding random linear codes, a problem that has been extensively studied in the last half century. The fastest known algorithms run in exponential time and unlike most number-theoretic problems used in cryptography, the LPN problem does not succumb to known quantum algorithms. On the practical side, LPN based schemes are often extremely simple and efficient in terms of code-size as well as time and space requirements. This makes them prime candidates for light-weight devices like RFID tags, which are too weak to implement standard cryptographic primitives like the AES block-cipher. This talk will be a gentle introduction to provable security using simple LPN based schemes as examples. Starting from pseudorandom generators and symmetric key encryption, over secret-key authentication protocols, and, if time admits, touching on recent constructions of public-key identification, commitments and zero-knowledge proofs. 1 Learning Parity with Noise and Related Problems The search version of the learning parity with noise problem with parameters ∈ N (the length of the secret), τ ∈ R where 0 < τ < 0.5 (the noise rate) and q ∈ N (the numbers of samples) asks to find a fixed random bit secret s ∈ Z 2 from q samples of the form a, 〈a, s〉 ⊕ e where a ∈ Z 2 is random and e ∈ Z2 has Bernoulli distribution with parameter τ (we denote this distribution with Berτ ), i.e. Pr[e = 1] = τ . The decisional LPN problem is defined similarly, except that we require that one cannot even distinguish noisy inner products from random. The distinction between the search and the decisional version of a problem is often made for problems used in cryptography. Typically, assuming the decisional version of a problem allows for much simpler and more efficient constructions This survey paper accompanies an invited talk at SOFSEM 2012. M. Bieliková et al. (Eds.): SOFSEM 2012, LNCS 7147, pp. 99–114, 2012. c © Springer-Verlag Berlin Heidelberg 2012