TY - GEN
T1 - Worst-Case Hardness for LPN and Cryptographic Hashing via Code Smoothing
AU - Brakerski, Zvika
AU - Lyubashevsky, Vadim
AU - Vaikuntanathan, Vinod
AU - Wichs, Daniel
N1 - Z. Brakerski—Supported by the Israel Science Foundation (Grant No. 468/14), Binational Science Foundation (Grants No. 2016726, 2014276), and by the European Union Horizon 2020 Research and Innovation Program via ERC Project REACT (Grant 756482) and via Project PROMETHEUS (Grant 780701). V. Lyubashevsky—Supported by the SNSF ERC Transfer Grant CRETP2-166734 – FELICITY. D. Wichs—Research supported by NSF grants CNS-1314722, CNS-1413964. The first author wishes to thank Ben Berger and Noga Ron-Zewi for discussions on the hardness of decoding problems. We also thank Yu Yu and anonymous Eurocrypt reviewers for their helpful feedback.
PY - 2019
Y1 - 2019
N2 - We present a worst case decoding problem whose hardness reduces to that of solving the Learning Parity with Noise (LPN) problem, in some parameter regime. Prior to this work, no worst case hardness result was known for LPN (as opposed to syntactically similar problems such as Learning with Errors). The caveat is that this worst case problem is only mildly hard and in particular admits a quasi-polynomial time algorithm, whereas the LPN variant used in the reduction requires an extremely high noise rate of 1/2 - 1/poly(n). Thus we can only show that "very hard" LPN is harder than some "very mildly hard" worst case problem. We note that LPN with noise 1/2 - 1/poly(n) already implies symmetric cryptography. Specifically, we consider the (n, m, w)-nearest codeword problem ((n, m, w)-NCP) which takes as input a generating matrix for a binary linear code in m dimensions and rank n, and a target vector which is very close to the code (Hamming distance at most w), and asks to find the codeword nearest to the target vector. We show that for balanced (unbiased) codes and for relative error w/m ≈ log^2(n)/n, (n, m, w)-NCP can be solved given oracle access to an LPN distinguisher with noise ratio 1/2 - 1/poly(n). Our proof relies on a smoothing lemma for codes which we show to have further implications: We show that (n, m, w)-NCP with the aforementioned parameters lies in the complexity class Search-BPP^SZK (i.e. reducible to a problem that has a statistical zero knowledge protocol), implying that it is unlikely to be NP-hard. We then show that the hardness of LPN with very low noise rate log^2(n)/n implies the existence of collision resistant hash functions (our aforementioned result implies that in this parameter regime LPN is also in BPP^SZK).
UR - http://www.scopus.com/inward/record.url?scp=85065902083&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-030-17659-4_21
DO - https://doi.org/10.1007/978-3-030-17659-4_21
M3 - Conference contribution
SN - 978-3-030-17658-7
T3 - Lecture Notes in Computer Science
SP - 619
EP - 635
BT - Advances in Cryptology – EUROCRYPT 2019, PT III
A2 - Ishai, Yuval
A2 - Rijmen, Vincent
PB - Springer Basel AG
CY - Cham
T2 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT)
Y2 - 19 May 2019 through 23 May 2019
ER -