Advances in Cryptology – ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part II

The Learning Parity with Noise (LPN) problem has recently found many cryptographic applications, such as authentication protocols, pseudorandom generators/functions, and even asymmetric tasks including public-key encryption (PKE) schemes and oblivious transfer (OT) protocols. It however remains a long-standing open problem whether LPN implies collision-resistant hash (CRH) functions. Inspired by the recent work of Applebaum et al. (ITCS 2017), we introduce a general construction of CRH from LPN for various parameter choices. We show that, to mention just a few notable ones, under any of the following hardness assumptions (for the two most common variants of LPN)

1. constant-noise LPN is $2^{n^{0.5+\varepsilon}}$-hard for any constant $\varepsilon > 0$;
2. constant-noise LPN is $2^{n/\log n}$-hard given $q = \mathrm{poly}(n)$ samples;
3. low-noise LPN (of noise rate $1/\sqrt{n}$) is $2^{\sqrt{n}/\log n}$-hard given $q = \mathrm{poly}(n)$ samples;

there exist CRH functions with constant (or even poly-logarithmic) shrinkage, which can be implemented using polynomial-size depth-3 circuits with NOT, (unbounded fan-in) AND and XOR gates. Our technical route LPN → bSVP → CRH is reminiscent of the known reductions for the large-modulus analogue, LWE → SIS → CRH: the binary Shortest Vector Problem (bSVP), recently introduced by Applebaum et al. (ITCS 2017), enables CRH in much the same way that Ajtai's CRH functions are built from the Short Integer Solution (SIS) problem.

© International Association for Cryptologic Research 2019. S. D. Galbraith and S. Moriai (Eds.): ASIACRYPT 2019, LNCS 11922, pp. 3–24, 2019. https://doi.org/10.1007/978-3-030-34621-8_1
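The bSVP → CRH step that the abstract sketches, i.e. an Ajtai-style compression function over GF(2), as an added Python illustration (this is not code from the paper or its authors). It assumes a concrete input encoding that the abstract does not spell out: the message is split into k blocks of t bits and each block selects one of b = 2^t public columns, so enc(x) has Hamming weight exactly k; the public matrix A is expanded from a seed with SHA-256 purely as a reproducible stand-in for a uniformly random matrix; and all parameter sets (the 12-bit toy instance and the 256-bit → 128-bit instance) are illustrative, not the paper's. The point of the example is the collision-to-bSVP map: a collision is converted into a nonzero kernel vector of weight at most 2k and verified, which is the direction of the reduction a practitioner can actually check in code.

```python
"""Ajtai-style collision-resistant hash over GF(2), in the shape the abstract
describes for the bSVP -> CRH step (added illustration, not the paper's code).

  H_A(x) = A * enc(x) mod 2

A is a public random n x m binary matrix (stored column-wise as n-bit ints) and
enc maps a (k*t)-bit message to a weight-k vector in {0,1}^m: the message is
split into k blocks of t bits, and block i selects exactly one of the b = 2^t
columns belonging to block i (an assumed encoding, see lead-in).  A collision
x != x' yields z = enc(x) xor enc(x') with A z = 0, z != 0 and wt(z) <= 2k:
a short nonzero vector in the kernel of A, i.e. a solution of the binary
Shortest Vector Problem (bSVP) instance defined by A.
"""
import hashlib


class BinaryHash:
    def __init__(self, seed, n, k, t):
        self.n, self.k, self.t = n, k, t   # output bits, blocks, bits per block
        self.b = 1 << t                    # columns per block
        self.m = k * self.b                # total number of columns
        self.cols = self._derive_columns(seed)

    def _derive_columns(self, seed):
        # Stand-in for a uniformly random public matrix: expand a seed with
        # SHA-256 so the example is reproducible.  Column j is an n-bit int.
        cols = []
        for j in range(self.m):
            buf, ctr = b"", 0
            while len(buf) * 8 < self.n:
                buf += hashlib.sha256(seed + j.to_bytes(4, "big")
                                      + ctr.to_bytes(2, "big")).digest()
                ctr += 1
            cols.append(int.from_bytes(buf, "big") & ((1 << self.n) - 1))
        return cols

    def input_bits(self):
        return self.k * self.t

    def output_bits(self):
        return self.n

    def encode(self, msg):
        """Message (int of k*t bits) -> sorted positions of the k ones in enc(msg)."""
        if not 0 <= msg < (1 << self.input_bits()):
            raise ValueError("message does not fit in k*t bits")
        return [i * self.b + ((msg >> (i * self.t)) & (self.b - 1))
                for i in range(self.k)]

    def digest(self, msg):
        """A * enc(msg) over GF(2): XOR of the k selected columns."""
        acc = 0
        for pos in self.encode(msg):
            acc ^= self.cols[pos]
        return acc


def collision_to_bsvp(h, x1, x2):
    """Turn a collision into the bSVP witness z = enc(x1) xor enc(x2) (positions)."""
    if x1 == x2:
        raise ValueError("not a collision: identical inputs")
    return sorted(set(h.encode(x1)) ^ set(h.encode(x2)))


def is_short_kernel_vector(h, z):
    """Check z != 0, A z = 0 (mod 2) and wt(z) <= 2k: the bSVP condition."""
    acc = 0
    for pos in z:
        acc ^= h.cols[pos]
    return 0 < len(z) <= 2 * h.k and acc == 0


def find_collision_bruteforce(h):
    """Exhaustive search; only feasible for toy parameters.  Because the hash
    shrinks (k*t > n), pigeonhole guarantees a collision within 2^n + 1 inputs."""
    seen = {}
    for x in range(1 << h.input_bits()):
        d = h.digest(x)
        if d in seen:
            return seen[d], x
        seen[d] = x
    return None


def demo():
    # Toy parameters: 12-bit input -> 8-bit output, m = 32 columns, weight-4 encoding.
    toy = BinaryHash(b"toy-seed", n=8, k=4, t=3)
    x1, x2 = find_collision_bruteforce(toy)
    z = collision_to_bsvp(toy, x1, x2)
    # Illustrative (not the paper's) parameters with 2x shrinkage: 256-bit input,
    # 128-bit output, m = 8192 columns, weight-32 encoding.  Brute force is hopeless
    # here; the collision-to-bSVP map above is what the security argument relies on.
    big = BinaryHash(b"demo-seed", n=128, k=32, t=8)
    sample = b"constructed 32-byte sample input"          # constructed input
    d = big.digest(int.from_bytes(sample, "big") % (1 << big.input_bits()))
    return {"collision": (x1, x2), "witness_weight": len(z),
            "witness_ok": is_short_kernel_vector(toy, z), "big_digest": d}
```

Two things worth noticing when reading this. First, every output bit is an XOR over the m columns of (matrix entry AND "this column is selected"), and "column i*b+idx is selected" is an AND of t literals of the message bits; that is exactly the NOT / unbounded-fan-in AND / XOR depth-3 structure the abstract mentions. Second, SHA-256 appears only to expand a seed into a reproducible matrix; nothing about collision resistance rests on it, and in the paper's setting A is simply a uniformly random public matrix. The LPN → bSVP half of the route is the paper's reduction and is not something a code sample can exhibit.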
