Solving LPN Using Covering Codes

Similar documents
How to Encrypt with the LPN Problem

Faster Algorithms for Solving LPN

Improved Generalized Birthday Attack

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

A Novel Algorithm for Solving the LPN Problem and its Application to Security Evaluation of the HB Protocol for RFID Authentication

Coded-BKW: Solving LWE Using Lattice Codes

Cryptography and Security Final Exam

Practical Attacks on HB and HB+ Protocols

On Solving LPN using BKW and Variants

Cryptography and Security Final Exam

The LPN Problem in Cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

BEFORE presenting the LPN problem together with its

On Stream Ciphers with Small State

Lecture 1: Introduction to Public key cryptography

Lecture 3: Error Correcting Codes

On error distributions in ring-based LWE

Notes on Alekhnovich s cryptosystems

Solving LWE with BKW

Stream Ciphers: Cryptanalytic Techniques

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

CS Topics in Cryptography January 28, Lecture 5

NOTICE WARNING CONCERNING COPYRIGHT RESTRICTIONS: The copyright law of the United States (title 17, U.S. Code) governs the making of photocopies or

Quantum Differential and Linear Cryptanalysis

Decoding One Out of Many

Cryptanalysis of Achterbahn

Lecture 14: Cryptographic Hash Functions

An intro to lattices and learning with errors

Lecture Introduction. 2 Formal Definition. CS CTT Current Topics in Theoretical CS Oct 30, 2012

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

Correlation Attack to the Block Cipher RC5. and the Simplied Variants of RC6. 3 Fujitsu Laboratories LTD.

Solving LWE problem with bounded errors in polynomial time

An average case analysis of a dierential attack. on a class of SP-networks. Distributed Systems Technology Centre, and

Cryptology. Scribe: Fabrice Mouhartem M2IF

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

GENERALIZED NONLINEARITY OF S-BOXES. Sugata Gangopadhyay

Fast Correlation Attacks: an Algorithmic Point of View

Lattice Cryptography

A Fuzzy Sketch with Trapdoor

Weaknesses in Ring-LWE

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

6.892 Computing on Encrypted Data October 28, Lecture 7

How to improve information set decoding exploiting that = 0 mod 2

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems

Lecture Notes on Secret Sharing

Post-Quantum Cryptography

APPLYING QUANTUM SEARCH TO A KNOWN- PLAINTEXT ATTACK ON TWO-KEY TRIPLE ENCRYPTION

Short Exponent Diffie-Hellman Problems

Optimization oflpn Solving Algorithms

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

Fast Correlation Attacks: An Algorithmic Point of View

Errors, Eavesdroppers, and Enormous Matrices

Breaking the F-FCSR-H Stream Cipher in Real Time

Side-channel analysis in code-based cryptography

Communication-efficient and Differentially-private Distributed SGD

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

1 Cryptographic hash functions

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Better Algorithms for LWE and LWR

Cryptanalysis of the Stream Cipher ABC v2

Proving Hardness of LWE

Public-Key Encryption Based on LPN

1 Cryptographic hash functions

Lecture 21: P vs BPP 2

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

2 Message authentication codes (MACs)

1 Number Theory Basics

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Differential Attack on Five Rounds of the SC2000 Block Cipher

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

On Multiple Linear Approximations

Public Key Cryptography

Division Property: a New Attack Against Block Ciphers

Attribute-based Encryption & Delegation of Computation

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

Channel Coding for Secure Transmissions

Classical hardness of Learning with Errors

Pruning and Extending the HB + Family Tree

Breaking Symmetric Cryptosystems Using Quantum Algorithms

On the Security of Some Cryptosystems Based on Error-correcting Codes

QC-MDPC: A Timing Attack and a CCA2 KEM

arxiv: v2 [cs.cr] 14 Feb 2018

Lazy Modulus Switching for the BKW Algorithm on LWE

Ball-collision decoding

Lecture 11: Key Agreement

Solution of Exercise Sheet 7

On Everlasting Security in the Hybrid Bounded Storage Model

Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security

Hash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34

Know the meaning of the basic concepts: ring, field, characteristic of a ring, the ring of polynomials R[x].

Cryptographic Hash Functions

Lecture 12: Block ciphers

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Block Ciphers/Pseudorandom Permutations

On related-key attacks and KASUMI: the case of A5/3

Never trust a bunny. University of Illinois at Chicago, Chicago, IL , USA

CRYPTANALYSIS OF COMPACT-LWE

Lattice Cryptography

Transcription:

Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT '14 Dec 8th, 2014

Outline 1 Introduction The LPN Problem Motivation Related Works 2 A New Algorithm Linear Approximation Using Covering Codes Subspace Hypothesis Testing 3 Results Complexity Applications 4 Conclusions and Discussions Qian Guo, Thomas Johansson, Carl Löndahl, 2 / 23

Outline 1 Introduction The LPN Problem Motivation Related Works 2 A New Algorithm Linear Approximation Using Covering Codes Subspace Hypothesis Testing 3 Results Complexity Applications 4 Conclusions and Discussions Qian Guo, Thomas Johansson, Carl Löndahl, 3 / 23

Learning Parity with Noise(LPN) We have access to an oracle (LPN oracle): The LPN oracle with parameters (k, η): 1 Picks a secret s in Z k 2 2 Randomly picks r from Z k 2 3 Picks a 'noise' e Ber η (ie e = 0 wp 1 η and 1 wp η) 4 Outputs the pair (r, v = r, s + e) as a sample Qian Guo, Thomas Johansson, Carl Löndahl, 3 / 23

Learning Parity with Noise(LPN) We have access to an oracle (LPN oracle): The LPN oracle with parameters (k, η): 1 Picks a secret s in Z k 2 2 Randomly picks r from Z k 2 3 Picks a 'noise' e Ber η (ie e = 0 wp 1 η and 1 wp η) 4 Outputs the pair (r, v = r, s + e) as a sample The goal (informal): Find s after collecting enough samples Qian Guo, Thomas Johansson, Carl Löndahl, 3 / 23

Motivation Fundamental in theory 1 Central problem in learning theory 2 A special case of the learning with errors (LWE) problem 3 A close connection to the problem of decoding binary random linear codes 4 Believed to be hard: no polynomial time algorithm is known Qian Guo, Thomas Johansson, Carl Löndahl, 4 / 23

Motivation Fundamental in theory 1 Central problem in learning theory 2 A special case of the learning with errors (LWE) problem 3 A close connection to the problem of decoding binary random linear codes 4 Believed to be hard: no polynomial time algorithm is known Many cryptographic applications in practice 1 User authentication, encryption, MACs, etc 2 Suitable for light-weight crypto: easy to implement, fast to evaluate, hard to break 3 Post-quantum cryptography Qian Guo, Thomas Johansson, Carl Löndahl, 4 / 23

Key Parameters Three important parameters: 1 Dimension k 2 Noise rate η 3 # of samples n A very common LPN instance The LPN instance with k = 512, η = 1/8 and unbounded number of samples (Widely adopted for achieving 80-bit security) Qian Guo, Thomas Johansson, Carl Löndahl, 5 / 23

Related Works (1) The BKW (Blum, Kalai, and Wasserman) algorithm: Qian Guo, Thomas Johansson, Carl Löndahl, 6 / 23

Related Works (1) The BKW (Blum, Kalai, and Wasserman) algorithm: The best asymptotic algorithm with sub-exponential complexity 2 O(k/ log(k)) Qian Guo, Thomas Johansson, Carl Löndahl, 6 / 23

Related Works (1) The BKW (Blum, Kalai, and Wasserman) algorithm: The best asymptotic algorithm with sub-exponential complexity 2 O(k/ log(k)) Goal: recover the rst bit of s Qian Guo, Thomas Johansson, Carl Löndahl, 6 / 23

Related Works (1) The BKW (Blum, Kalai, and Wasserman) algorithm: The best asymptotic algorithm with sub-exponential complexity 2 O(k/ log(k)) Goal: recover the rst bit of s Main idea: Divide the length k vector into a parts, each with size b = k/a Merge and Sort (called one BKW step)a trade-o: v 1 = [r1, r0], s + e 1 v 2 = [r2, r0], s + e 2 v 1 + v 2 = [r1 + r2, 0], s + e 1 + e 2 Do a 1 BKW steps to zero out the bottom a 1 blocks With certain probability, nd an output sample with r = [1, 0,, 0], and then iterate with fresh LPN samples Qian Guo, Thomas Johansson, Carl Löndahl, 6 / 23

Related Works (2) The Levieil and Fouque (LF) algorithm: Test on the last block by Fast Walsh-Hadamard Transform Qian Guo, Thomas Johansson, Carl Löndahl, 7 / 23

Related Works (2) The Levieil and Fouque (LF) algorithm: Test on the last block by Fast Walsh-Hadamard Transform Two concepts about the realization of the BKW step in practice: LF1 (inherited from the BKW paper) and LF2 Sort and partition the samples Instance: Suppose in a partition, that we have three samples (r 1, v 1 ),(r 2, v 2 ),(r 3, v 3 ) LF1: In each partition, choose one sample and then add it to the rest in the same partition Output (r2 + r1, v 2 + v 1 ),(r3 + r1, v 3 + v 1 ) The number of samples reduces about 2 b after each BKW step LF2: In each partition, add any pair in the same partition Output (r2 + r1, v 2 + v 1 ),(r3 + r1, v 3 + v 1 ), (r3 + r2, v 3 + v 2 ) The number of samples is preserved if we set it to be 3 2 b Qian Guo, Thomas Johansson, Carl Löndahl, 7 / 23

Related Works (3) Kirchner; Bernstein and Lange (BL): Kirchner: Transform the distribution of the secret by Gaussian Elimination: Collecting all n samples and representing them in the matrix form v = sr + e, where we choose the rst k columns of R (denoted by R 0 ) to be invertible Let ŝ = sr 0 + [ v 1 v 2 v k ] and ˆv = v + [ v 1 v 2 v k ] R 1 0 R Then, ˆv = [ ] 0 ˆv k+1 ˆv k+2 ˆv n = ŝr 1 0 R + e (1) Since R 1 0 R is in systematic form, ŝ is then the same as the rst k entries of e Qian Guo, Thomas Johansson, Carl Löndahl, 8 / 23

Related Works (3) Kirchner; Bernstein and Lange (BL): Bernstein and Lange (BL): A Ring-LPN solving algorithm (Easily applied to general LPN) Combine partial guessing and Fast Walsh-Hadamard Transform Advantage: Improves the query and memory complexity Until now it is the best-known method to solve the LPN problem Qian Guo, Thomas Johansson, Carl Löndahl, 8 / 23

Outline 1 Introduction The LPN Problem Motivation Related Works 2 A New Algorithm Linear Approximation Using Covering Codes Subspace Hypothesis Testing 3 Results Complexity Applications 4 Conclusions and Discussions Qian Guo, Thomas Johansson, Carl Löndahl, 9 / 23

New Algorithm Main Steps: 1 Gaussian Elimination 2 The BKW step 3 Partial secret guessing Try every vector with weight less than w 0 4 Decoding a covering code 5 Subspace hypothesis testing Rows [1, k] Guessing part k k Code length k BKW part, length tb Qian Guo, Thomas Johansson, Carl Löndahl, 9 / 23

New Algorithm Main Steps: 1 Gaussian Elimination 2 The BKW step 3 Partial secret guessing Try every vector with weight less than w 0 4 Decoding a covering code 5 Subspace hypothesis testing Rows [1, k] Guessing part k k Code length k BKW part, length tb Length k vector r (r, v) Length k vector g (g, z) Qian Guo, Thomas Johansson, Carl Löndahl, 9 / 23

Linear Approximation Using Covering Codes Covering Coding Methods: Use a [k, l] linear code C with covering radius d C to group the columns g i That is, we rewrite g i = ci + e i, where ci is the nearest codeword in C, and wt(e i ) d C The code is characterized by a systematic generator matrix F Use syndrome decoding by a lookup table Qian Guo, Thomas Johansson, Carl Löndahl, 10 / 23

Linear Approximation Using Covering Codes Covering Coding Methods: Use a [k, l] linear code C with covering radius d C to group the columns g i That is, we rewrite g i = ci + e i, where ci is the nearest codeword in C, and wt(e i ) d C The code is characterized by a systematic generator matrix F Use syndrome decoding by a lookup table A Concatenated Construction: Due to the memory limit (the size of the syndrome table), we use a concatenation of two [l 1, l 2 ] linear codes Thus, here k = 2l 1 and l = 2l 2 Qian Guo, Thomas Johansson, Carl Löndahl, 10 / 23

Subspace Hypothesis Testing Group the samples (g i, z i ) in sets L(c i ) according to their nearest codewords and dene the function f L (c i ) as f L (c i ) = ( 1) z i (g i,z i ) L(ci ) Dene a new function g(u) = f L (c i ), where u is the information part of c i and exhausts all the vectors in Z l 2 The Walsh transform of g is dened as G(y) = u Z l 2 g(u)( 1) y,u Here we exhaust all candidates of y Z l 2 by computing the Walsh transform Qian Guo, Thomas Johansson, Carl Löndahl, 11 / 23

Subspace Hypothesis Testing Group the samples (g i, z i ) in sets L(c i ) according to their nearest codewords and dene the function f L (c i ) as f L (c i ) = ( 1) z i (g i,z i ) L(ci ) Dene a new function g(u) = f L (c i ), where u is the information part of c i and exhausts all the vectors in Z l 2 The Walsh transform of g is dened as G(y) = u Z l 2 g(u)( 1) y,u Here we exhaust all candidates of y Z l 2 by computing the Walsh transform Observation: Given the candidate y, G(y) is the dierence between the number of predicted 0 and the number of predicted 1 for the bit z i + y, u Qian Guo, Thomas Johansson, Carl Löndahl, 11 / 23

Subspace Hypothesis Testing (Cont'd) Lemma There exits a unique vector y Z l 2 st, y, u = s, c i, u Z l 2 Sketch of Proof As c i = uf, we obtain that s, c i = sf T u T = sf T, u Observation: Given the candidate y, G(y) is the dierence between the number of predicted 0 and the number of predicted 1 for the bit z i + y, u Qian Guo, Thomas Johansson, Carl Löndahl, 12 / 23

Subspace Hypothesis Testing (Cont'd) Lemma There exits a unique vector y Z l 2 st, y, u = s, c i, u Z l 2 Sketch of Proof As c i = uf, we obtain that s, c i = sf T u T = sf T, u Observation': Given the candidate y, G(y) is the dierence between the number of predicted 0 and the number of predicted 1 for the bit z i + s, c i Qian Guo, Thomas Johansson, Carl Löndahl, 12 / 23

A Graphic Illustration z i + e i T = s 1 s k T }{{} Secret s g 1,i g k,i }{{} Query matrix = s 1 s k T (uf + e i ) 1 (uf + e i ) k Rewrite gi as codeword ci = uf and discrepancy e i Qian Guo, Thomas Johansson, Carl Löndahl, 13 / 23

A Graphic Illustration z i + e i T = s 1 s k T }{{} Secret s g 1,i g k,i }{{} Query matrix = s 1 s k T (uf + e i ) 1 (uf + e i ) k Rewrite gi as codeword ci = uf and discrepancy e i We can separate the discrepancy e i from uf, which yields s 1 s k T (uf) 1 (uf) k = z i + e i + s, e i Qian Guo, Thomas Johansson, Carl Löndahl, 13 / 23

A Graphic Illustration (Cont'd) Finally, we note that sf T Z l 2, where l < k A simple transformation yields, (sf T ) 1 (sf T ) l T u 1 u l = z i + e i + s, e i Qian Guo, Thomas Johansson, Carl Löndahl, 14 / 23

A Graphic Illustration (Cont'd) Finally, we note that sf T Z l 2, where l < k A simple transformation yields, (sf T ) 1 (sf T ) l T u 1 u l = z i + e i + s, e i If right guess, then z i + s, c i is equal to e i + s, e i Distinguishable when the bias of s, e i is large enough Otherwise: random Qian Guo, Thomas Johansson, Carl Löndahl, 14 / 23

A Graphic Illustration (Cont'd) Finally, we note that sf T Z l 2, where l < k A simple transformation yields, (sf T ) 1 (sf T ) l T u 1 u l = z i + e i + s, e i If right guess, then z i + s, c i is equal to e i + s, e i Distinguishable when the bias of s, e i is large enough Otherwise: random Advantage: l < k Qian Guo, Thomas Johansson, Carl Löndahl, 14 / 23

Outline 1 Introduction The LPN Problem Motivation Related Works 2 A New Algorithm Linear Approximation Using Covering Codes Subspace Hypothesis Testing 3 Results Complexity Applications 4 Conclusions and Discussions Qian Guo, Thomas Johansson, Carl Löndahl, 15 / 23

Complexity The complexity consists of three parts: 1 Inner complexity C one iteration Adding the complexity of each step 2 Guessing factor F g Knowing the probability that w 0 ones occur in the top k k dimensional vector 3 Testing factor F t Knowing the probability that the subspace hypothesis testing succeeds for all dierent information patterns, after presetting a bias ɛ set Guessing part k k Code length k BKW part, length tb Qian Guo, Thomas Johansson, Carl Löndahl, 15 / 23

Complexity Formula 1 C one iteration = log 2 (C 1 + C 2 + C 3 + C 4 + C 5 ); C1 is the complexity of Gaussian Elimination C2 is the complexity of t BKW steps C3 is the complexity of partial guessing C 4 is the complexity of syndrome decoding C 5 is the complexity of subspace hypothesis testing 2 F g = log 2 (P(w 0, k k )); 1 1 Let P(w, m) be the probability of having at most w errors in m positions, ie, w ( P(w, m) = (1 η) m i η i m i i=0 ) Qian Guo, Thomas Johansson, Carl Löndahl, 16 / 23

Complexity Formula (Cont'd) F t = log 2 (P(c, k )), where c is the largest weight of s that the bias 2 ɛ(c) is not smaller than ɛ set 2 In the proceeding's version, we estimate ɛ(c) as ɛ c, where ɛ = 1 2dc k Assume for a code with optimal covering, then we compute the bias accurately as follows ([Vaudenay] Private communication): [ Pr s, e ] i = 1 wt(s) = c = 1 S(k, d C ) i d C,i odd ( c i ) S(k c, d C i), where S(k, d C ) is the number of k -bit strings with weight at most d C This exact value is 4 5 times larger on the instance (512, 1/8) Qian Guo, Thomas Johansson, Carl Löndahl, 17 / 23

Complexity Formula (Cont'd) Theorem The bit complexity (in log 2 ) of the new algorithm is, under the condition that 3 N C = C one iteration + F g + F t (1) 4 ln 2 l (ɛ BKW ɛ set ), 2 where ɛ BKW = (1 2η) 2 t Here N is the number of samples after the t BKW steps Using this setting, the error probability P e is less than 2 10 ([Selçuk08] 4 ) 3 In our proceeding's version, we use a too optimistic estimation on N, ie, using a constant factor before the term 1/ɛ 2 This rough estimation also appears in the previous works 4 [Selçuk08] Ali Aydin Selçuk, On Probability of Success in Linear and Dierential Cryptanalysis, Journal of cryptology, 2008 Qian Guo, Thomas Johansson, Carl Löndahl, 18 / 23

Complexity Formula for Concatenated Construction C one iteration = log 2 (C 1 + C 2 + C 3 + C 4 5 + C 5 ) Formula F g is the same Formula F t changes Accumulate the probability of all the good pair 6, denoted by Pr t Important: wt(s 1) and wt(s 2) Pr t = (s1,s2) Z k 2,good (1 η) The testing factor F t is equal to log 2 (Pr t ) l 1 wt(s1) η wt(s 1) (1 η) l 1 wt(s2) η wt(s 2) 5 Since we use a concatenated code, the complexity formula of the syndrome decoding step diers and we use C4 to denote the new complexity of this step 6 For a possible secret vector (s1, s2) in Z2 k, if the corresponding ɛ (s 1,s 2 ) is larger than a preset bias ɛ set, then we call the pair (s 1, s 2 ) a good pair Qian Guo, Thomas Johansson, Carl Löndahl, 19 / 23

Results Complexity in bit operation of the LPN instance with parameters (512, 1/8): Algorithm Queries Memory Time Levieil-Fouque 757 7 848 875 Bernstein-Lange 696 786 858 New algorithm(lf1) 650 740 807 New algorithm(lf2) 8 636 726 797 7 The complexity is measured by log2 8 It is the complexity of the following instance: t = 5, b = 62, using the concatenation of two [90, 30] linear codes,w 0 = 2, ɛ BKW = 2 1328, ɛ set = 2 1478, C one iteration = 7608, F g = 109 and F t = 255 Qian Guo, Thomas Johansson, Carl Löndahl, 20 / 23

Applications 1 We have proposed a new algorithm to solve the (512, 1/8) LPN instance in 2 797 bit operations (2 74 word operations with word length 128) Thus, we recommend that the cryptographic schemes employing this instance for 80-bit security to use larger parameters HB family (HB +, HB #, etc) LPN-C Others 9 The reducible case of Lapin designed for 80-bit security is broken within about 2 70 bit operations: [GJL14] Qian Guo, Thomas Johansson, Carl Löndahl: A New Algorithm for Solving Ring-LPN with a Reducible Polynomial CoRR abs/14090472 (2014) Qian Guo, Thomas Johansson, Carl Löndahl, 21 / 23

Applications 1 We have proposed a new algorithm to solve the (512, 1/8) LPN instance in 2 797 bit operations (2 74 word operations with word length 128) Thus, we recommend that the cryptographic schemes employing this instance for 80-bit security to use larger parameters HB family (HB +, HB #, etc) LPN-C Others 2 Better attack for Lapin authentication protocol The irreducible 9 Ring-LPN instance (532, 1/8) employed in Lapin can be solved within 2 82 bit operations using this generic algorithm 9 The reducible case of Lapin designed for 80-bit security is broken within about 2 70 bit operations: [GJL14] Qian Guo, Thomas Johansson, Carl Löndahl: A New Algorithm for Solving Ring-LPN with a Reducible Polynomial CoRR abs/14090472 (2014) Qian Guo, Thomas Johansson, Carl Löndahl, 21 / 23

Outline 1 Introduction The LPN Problem Motivation Related Works 2 A New Algorithm Linear Approximation Using Covering Codes Subspace Hypothesis Testing 3 Results Complexity Applications 4 Conclusions and Discussions Qian Guo, Thomas Johansson, Carl Löndahl, 22 / 23

Conclusions and Discussions Conclusions and Future Works: 1 Having introduced two novel techniqueslinear approximation employing covering codes together with a subspace hypothesis testing techniqueto form a new generalized-bkw-type LPN solving algorithm The new algorithm beats the best-known algorithm in query, memory and time complexity 2 The novel idea inside may also be helpful to solve some other similar problems (eg, LWE, ISD, etc) Qian Guo, Thomas Johansson, Carl Löndahl, 22 / 23

Conclusions and Discussions Conclusions and Future Works: 1 Having introduced two novel techniqueslinear approximation employing covering codes together with a subspace hypothesis testing techniqueto form a new generalized-bkw-type LPN solving algorithm The new algorithm beats the best-known algorithm in query, memory and time complexity 2 The novel idea inside may also be helpful to solve some other similar problems (eg, LWE, ISD, etc) An Open Problem: Improve the asymptotic behavior of the BKW algorithm using the covering coding idea Qian Guo, Thomas Johansson, Carl Löndahl, 22 / 23

Conclusions and Discussions Conclusions and Future Works: 1 Having introduced two novel techniqueslinear approximation employing covering codes together with a subspace hypothesis testing techniqueto form a new generalized-bkw-type LPN solving algorithm The new algorithm beats the best-known algorithm in query, memory and time complexity 2 The novel idea inside may also be helpful to solve some other similar problems (eg, LWE, ISD, etc) Acknowledgement: We would like to thank Prof Serge Vaudenay for his helpful comments that improve our work Qian Guo, Thomas Johansson, Carl Löndahl, 22 / 23

Thank you Thank you for your attention! Questions? Qian Guo, Thomas Johansson, Carl Löndahl, 23 / 23

Testing Using Soft-Information A Soft-Testing Version: Changing the formula: Hard Version f L (c i ) = ( 1) z i (gi,z i ) L(ci ) Soft Version f s L (c i) = (gi,z i ) L(ci ) What is ɛ wt(e i )? ɛ wt(e i ) ( 1) zi ɛ wt(e i ) A Taylor approximation of Log-likelihood ratio (LLR) testing The complexity changes little Qian Guo, Thomas Johansson, Carl Löndahl, 24 / 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback