Simple Chosen-Ciphertext Security from Low-Noise LPN

Abstract: Abstract. Recently, Döttling et al. (ASIACRYPT 2012) proposed the first chosen-ciphertext (IND-CCA) secure public-key encryption scheme from the learning parity with noise (LPN) assumption. In this work we give an alternative scheme which is conceptually simpler and more efficient. At the core of our construction is a trapdoor technique originally proposed for lattices by Micciancio and Peikert (EUROCRYPT 2012), which we adapt to the LPN setting. The main technical tool is a new double-trapdoor mechanism, tog… Show more

“…We remark that while this scheme bears strong resemblances with (and is inspired by) the LWE based scheme of [10], it is rather incomparable to the (high noise) LPN based private key encryption schemes of [10,9] or previous low-noise LPN public key encryption schemes [6,21,33]. Notice that standard IND-CPA security of this scheme follows directly from the fact that y is pseudorandom and thus also (RA, Ry) is pseudorandom given the public key (A, y), by using the dual formulation of the decisional LPN problem (i.e.…”

“…The eDLPN problem can be seen as a special case for q = 2 of the extended LWE problem introduced O'Neill, Peikert and Waters [37] and proven hard under standard LWE by Alperin-Sheriff and Peikert [7]. The binary version we use in this work was first discussed by Kiltz, Masny and Pietrzak [33].…”

“…However, in the extended decisional LPN problem, the adversary obtains an extra advice Re about a secret matrix R, where the vector e can have any distribution. Kiltz, Masny and Pietrzak [33] observed that in the LPN case, this advice can be extremely useful to enable reductions to simulate faithfully. In particular, the eDLPN problem can effectively be used as a computational substitute for the (generalized) leftover hash lemma [31,19] or gaussian regularity lemmata for lattices [26].…”

“…Then there exists a PPT adversary A that breaks LPN(n, m, ρ) with advantage 2 8k 2 . Following Kiltz et al [33] and Alperin-Sheriff and Peikert [7], we provide a definition of the extended LPN problem. We only define the extended LPN problem for Bernoulli error distributions.…”

“…Alekhnovich [6] provided a construction of a public key encryption scheme based on LPN for noise rates ρ = O(1/ √ n). Recently, more complex cryptographic primitives have been constructed from low noise LPN such as chosen ciphertext secure public key encryption [21,33] and composable oblivious transfer [18]. In the original formulation of the LPN problem, the search algorithm/adversary may demand an unbounded number of samples whereas the bounded…”

Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification

“…We remark that while this scheme bears strong resemblances with (and is inspired by) the LWE based scheme of [10], it is rather incomparable to the (high noise) LPN based private key encryption schemes of [10,9] or previous low-noise LPN public key encryption schemes [6,21,33]. Notice that standard IND-CPA security of this scheme follows directly from the fact that y is pseudorandom and thus also (RA, Ry) is pseudorandom given the public key (A, y), by using the dual formulation of the decisional LPN problem (i.e.…”

“…The eDLPN problem can be seen as a special case for q = 2 of the extended LWE problem introduced O'Neill, Peikert and Waters [37] and proven hard under standard LWE by Alperin-Sheriff and Peikert [7]. The binary version we use in this work was first discussed by Kiltz, Masny and Pietrzak [33].…”

“…However, in the extended decisional LPN problem, the adversary obtains an extra advice Re about a secret matrix R, where the vector e can have any distribution. Kiltz, Masny and Pietrzak [33] observed that in the LPN case, this advice can be extremely useful to enable reductions to simulate faithfully. In particular, the eDLPN problem can effectively be used as a computational substitute for the (generalized) leftover hash lemma [31,19] or gaussian regularity lemmata for lattices [26].…”

“…Then there exists a PPT adversary A that breaks LPN(n, m, ρ) with advantage 2 8k 2 . Following Kiltz et al [33] and Alperin-Sheriff and Peikert [7], we provide a definition of the extended LPN problem. We only define the extended LPN problem for Bernoulli error distributions.…”

“…Alekhnovich [6] provided a construction of a public key encryption scheme based on LPN for noise rates ρ = O(1/ √ n). Recently, more complex cryptographic primitives have been constructed from low noise LPN such as chosen ciphertext secure public key encryption [21,33] and composable oblivious transfer [18]. In the original formulation of the LPN problem, the search algorithm/adversary may demand an unbounded number of samples whereas the bounded…”

Low Noise LPN: KDM Secure Public Key Encryption and Sample Amplification

CCA Secure Multi-recipient KEM from LPN

Simpler CCA Secure PKE from LPN Problem Without Double-Trapdoor