How Practical is Public-Key Encryption Based on LPN and Ring-LPN ?

We conduct a study of public-key cryptosystems based on variants of the Learning Parity with Noise (LPN) problem. The main LPN variant in consideration was introduced by Alekhnovich (FOCS 2003), and we describe several improvements to the originally proposed scheme, inspired by similar existing variants of Regev’s LWE-based cryptosystem. To achieve further efficiency, we propose the first public-key cryptosystem based on the ring-LPN problem, which is a more recently introduced LPN variant that makes for substantial improvement in terms of both time and space. We also introduce a variant of this problem called the transposed Ring-LPN problem. Our public-key scheme based on this problem is even more efficient. For all cases, we compute the parameters required for various security levels in practice, given the best currently known attacks. Our conclusion is that the basic LPN-based scheme is in several respects not competitive with existing practical schemes, as the public key, ciphertexts and encryption time become very large already for 80-bit security. On the other hand, the scheme based on transposed RingLPN is far better in all these respects. Although the public key and ciphertexts are still larger than for, say, RSA at comparable security levels, they are not prohibitively large; moreover, for decryption, the scheme outperforms RSA for security levels of 112 bits or more. The Ring-LPN based scheme is less efficient, however. Thus, LPN-based public-key cryptography seems to be somewhat more promising for practical use than has been generally assumed so far.

[1]  N. S. Barnett,et al.  Private communication , 1969 .

[2]  Richard J. Lipton,et al.  Cryptographic Primitives Based on Hard Learning Problems , 1993, CRYPTO.

[3]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[4]  Adam Tauman Kalai,et al.  Noise-tolerant learning, the parity problem, and the statistical query model , 2000, STOC '00.

[5]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[6]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[7]  Vadim Lyubashevsky,et al.  The Parity Problem in the Presence of Noise, Decoding Random Linear Codes, and the Subset Sum Problem , 2005, APPROX-RANDOM.

[8]  Éric Levieil,et al.  An Improved LPN Algorithm , 2006, SCN.

[9]  Yannick Seurin,et al.  How to Encrypt with the LPN Problem , 2008, ICALP.

[10]  Brent Waters,et al.  A Framework for Efficient and Composable Oblivious Transfer , 2008, CRYPTO.

[11]  David Cash,et al.  Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems , 2009, CRYPTO.

[12]  Jonathan Katz,et al.  Parallel and Concurrent Security of the HB and HB+ Protocols , 2006, Journal of Cryptology.

[13]  Michael Alekhnovich More on Average Case vs Approximation Complexity , 2011, computational complexity.

[14]  Paul Kirchner Improved Generalized Birthday Attack , 2011, IACR Cryptol. ePrint Arch..

[15]  Nico Döttling,et al.  IND-CCA Secure Cryptography Based on a Variant of the LPN Problem , 2012, ASIACRYPT.

[16]  Tanja Lange,et al.  Never Trust a Bunny , 2012, RFIDSec.

[17]  Christof Paar,et al.  Lapin: An Efficient Authentication Protocol Based on Ring-LPN , 2012, FSE.

[18]  Krzysztof Pietrzak,et al.  Cryptography from Learning Parity with Noise , 2012, SOFSEM.

[19]  Eike Kiltz,et al.  Simple Chosen-Ciphertext Security from Low-Noise LPN , 2014, Public Key Cryptography.