On Solving LPN using BKW and Variants: Implementation and Analysis

The Learning Parity with Noise problem (LPN) is appealing in cryptography as it is considered to remain hard in the post-quantum world. It is also a good candidate for lightweight devices due to its simplicity. In this paper we provide a comprehensive analysis of the existing LPN solving algorithms, both for the general case and for the sparse secret scenario. In practice, the LPN-based cryptographic constructions use as a reference the security parameters proposed by Levieil and Fouque. But, for these parameters, there remains a gap between the theoretical analysis and the practical complexities of the algorithms we consider. The new theoretical analysis in this paper provides tighter bounds on the complexity of LPN solving algorithms and narrows this gap between theory and practice. We show that for a sparse secret there is another algorithm that outperforms BKW and its variants. Following from our results, we further propose practical parameters for different security levels.
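To make the objects named in the abstract concrete, the following is an added example and not code from the paper: a toy LPN oracle (secret s, queries (a, <a,s> ⊕ e) with e ~ Ber(τ)) and a BKW-style solver of the LF1 flavour, which zeroes all but one block of the a-vectors by xoring collisions and then recovers that block with a Walsh-Hadamard transform. The parameters (n = 16, two blocks of b = 8, τ = 0.1, 20000 queries) and the function names are constructed for illustration and are orders of magnitude below any cryptographic security level; the point is to show why the analysis counts queries and reduction rounds, since every round doubles the number of original samples folded into each reduced one and squares the bias.

```python
import random


def lpn_oracle(secret, n, tau, num_samples, rng):
    """Constructed LPN oracle: returns (a, z) with z = <a, s> xor e, e ~ Ber(tau).
    Vectors over GF(2)^n are packed as Python ints (bit i = coordinate i)."""
    samples = []
    for _ in range(num_samples):
        a = rng.getrandbits(n)
        z = bin(a & secret).count("1") & 1       # inner product mod 2
        if rng.random() < tau:                   # Bernoulli noise
            z ^= 1
        samples.append((a, z))
    return samples


def block_mask(j, b):
    """Mask selecting block j (bits j*b .. j*b+b-1)."""
    return ((1 << b) - 1) << (j * b)


def reduce_block(samples, mask):
    """One BKW reduction round: samples that agree on the masked block are
    xored with a pivot so the block becomes zero.  Each output sample is now
    the xor of two inputs, so its noise is e1 xor e2 (bias delta -> delta^2)."""
    pivots = {}
    out = []
    for a, z in samples:
        key = a & mask
        if key == 0:
            out.append((a, z))                   # block already zero, keep as-is
        elif key in pivots:
            pa, pz = pivots[key]
            out.append((a ^ pa, z ^ pz))
        else:
            pivots[key] = (a, z)                 # pivot is consumed by the round
    return out


def fwht(f):
    """In-place fast Walsh-Hadamard transform: W[v] = sum_x f[x] * (-1)^<x,v>."""
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                x, y = f[j], f[j + h]
                f[j], f[j + h] = x + y, x - y
        h *= 2
    return f


def bkw_solve(samples, n, b):
    """Recover the secret block by block.  For target block j, reduce every
    other block (n/b - 1 rounds), then score all 2^b candidates for block j:
    the true block maximises sum (-1)^(z xor <x, v>) because the residual
    noise is biased towards 0."""
    assert n % b == 0
    nblocks = n // b
    secret = 0
    for j in range(nblocks):
        reduced = samples
        for k in range(nblocks):
            if k != j:
                reduced = reduce_block(reduced, block_mask(k, b))
        shift = j * b
        f = [0] * (1 << b)
        for a, z in reduced:
            x = (a >> shift) & ((1 << b) - 1)    # only block j can be nonzero now
            f[x] += 1 if z == 0 else -1
        w = fwht(f)
        best = max(range(1 << b), key=lambda v: w[v])
        secret |= best << shift
    return secret


def run_demo(seed=1234, n=16, b=8, tau=0.1, num_samples=20000):
    """Constructed instance: returns (true secret, recovered secret)."""
    rng = random.Random(seed)
    secret = rng.getrandbits(n)
    samples = lpn_oracle(secret, n, tau, num_samples, rng)
    return secret, bkw_solve(samples, n, b)


if __name__ == "__main__":
    s, r = run_demo()
    print(f"secret={s:016b} recovered={r:016b} ok={s == r}")
```

With one reduction round the reduced samples carry noise rate 2τ(1−τ) = 0.18 (bias 0.8² = 0.64), so the correct candidate scores roughly 0.64 × 19700 while a wrong one stays within a few hundred of zero; raising the number of blocks squares the bias again each round, which is exactly the query/round trade-off the paper's analysis bounds.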
