Solving LPN Using Covering Codes

Guo, Qian; Johansson, Thomas; Löndahl, Carl

doi:10.1007/s00145-019-09338-8

Cited by 18 publications

(13 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In [12], the algorithm was improved, introducing new concepts like LF2 and the use of the fast Walsh-Hadamard transform (FWHT) for the distinguishing phase. A new distinguisher using subspace hypothesis testing was introduced in [13,14].…”

Section: Related Workmentioning

confidence: 99%

Improvements on Making BKW Practical for Solving LWE

et al. 2021

Self Cite

View full text Add to dashboard Cite

The learning with errors (LWE) problem is one of the main mathematical foundations of post-quantum cryptography. One of the main groups of algorithms for solving LWE is the Blum–Kalai–Wasserman (BKW) algorithm. This paper presents new improvements of BKW-style algorithms for solving LWE instances. We target minimum concrete complexity, and we introduce a new reduction step where we partially reduce the last position in an iteration and finish the reduction in the next iteration, allowing non-integer step sizes. We also introduce a new procedure in the secret recovery by mapping the problem to binary problems and applying the fast Walsh Hadamard transform. The complexity of the resulting algorithm compares favorably with all other previous approaches, including lattice sieving. We additionally show the steps of implementing the approach for large LWE problem instances. We provide two implementations of the algorithm, one RAM-based approach that is optimized for speed, and one file-based approach which overcomes RAM limitations by using file-based storage.

show abstract

Section: Related Workmentioning

confidence: 99%

Improvements on Making BKW Practical for Solving LWE

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…The impact of this parameter (the noise level) on the LPN problem complexity has been considered in a several papers, e.g. [21–26]. Finally, consideration of the linearised model does not assume any restriction on the power of an attacker, i.e.…”

Section: Computational Complexity Security Evaluationmentioning

confidence: 99%

“…Consequently, we will show in our complexity analysis that the hardness of breaking the linearised scheme relies on the LPN problem hardness (see [21–25], for example), and that the identified LPN problem is also equivalent to the problem of secret key recovery under CPA. The analysis will pinpoint which features the homophonic encoding must have to incur an increased complexity of the underlying LPN problem in the average case.…”

Section: Computational Complexity Security Evaluationmentioning

confidence: 99%

“…We assume that encryption scheme 3 is such that Theorem 1 implies

ϵ^{*} = ()(, ()(, 1 - {false(1 - 2 p false)}^{false(m - ℓ false) / 2}) / 2)

. Referring to the best known algorithms for solving the LPN problem [22–25], its hardness heavily depends on the parameter

ϵ

and when it increases, the LPN complexity increases. For the same parameters k , n , encryption scheme 3 provides substantially higher security compared with the previously reported ones with

ϵ = p

.…”

Section: Lpn‐based Encryption With/without Homophonic Codingmentioning

confidence: 99%

See 1 more Smart Citation

Security evaluation and design elements for a class of randomised encryptions

Mihaljević

Oggier

2019

IET Information Security

View full text Add to dashboard Cite

“…Codes of covering radius 2 and codimension 3 are relevant for the degree/diameter problem in graph theory [31,42] and defining sets of block designs [9]. Covering codes can also be used in steganography [7,Chapter 14], [8,29,30], in databases [40], in constructions of identifying codes [28,46], for solving the so-called learning parity with noise (LPN) [34], in an analysis of blocking switches [44], in reduced representations of logic functions [2], in the list decoding of error correcting codes [12], in cryptography [51]. There are connections between covering codes and a popular game puzzle, called "Hats-on-a-line" [1,48].…”

Section: Introductionmentioning

confidence: 99%

Upper bounds on the length function for covering codes with covering radius $ R $ and codimension $ tR+1 $

Davydov¹,

Marcugini²,

Pambianco³

2023

AMC

View full text Add to dashboard Cite

The length function <inline-formula><tex-math id="M3">\begin{document}$ \ell_q(r,R) $\end{document}</tex-math></inline-formula> is the smallest length of a <inline-formula><tex-math id="M4">\begin{document}$ q $\end{document}</tex-math></inline-formula>-ary linear code with codimension (redundancy) <inline-formula><tex-math id="M5">\begin{document}$ r $\end{document}</tex-math></inline-formula> and covering radius <inline-formula><tex-math id="M6">\begin{document}$ R $\end{document}</tex-math></inline-formula>. In this work, new upper bounds on <inline-formula><tex-math id="M7">\begin{document}$ \ell_q(tR+1,R) $\end{document}</tex-math></inline-formula> are obtained in the following forms:<disp-formula> <label/> <tex-math id="FE1"> \begin{document}$ \begin{equation*} \begin{split} &(a)\; \ell_q(r,R)\le cq^{(r-R)/R}\cdot\sqrt[R]{\ln q},\; R\ge3,\; r = tR+1,\; t\ge1,\\ &\phantom{(a)\; } q\;{\rm{ is \;an\; arbitrary \;prime\; power}},\; c{\rm{ \;is\; independent \;of\; }}q. \end{split} \end{equation*} $\end{document} </tex-math></disp-formula><disp-formula> <label/> <tex-math id="FE2"> \begin{document}$ \begin{equation*} \begin{split} &(b)\; \ell_q(r,R)< 3.43Rq^{(r-R)/R}\cdot\sqrt[R]{\ln q},\; R\ge3,\; r = tR+1,\; t\ge1,\\ &\phantom{(b)\; } q\;{\rm{ is \;an\; arbitrary\; prime \;power}},\; q\;{\rm{ is \;large\; enough}}. \end{split} \end{equation*} $\end{document} </tex-math></disp-formula>In the literature, for <inline-formula><tex-math id="M8">\begin{document}$ q = (q')^R $\end{document}</tex-math></inline-formula> with <inline-formula><tex-math id="M9">\begin{document}$ q' $\end{document}</tex-math></inline-formula> a prime power, smaller upper bounds are known; however, when <inline-formula><tex-math id="M10">\begin{document}$ q $\end{document}</tex-math></inline-formula> is an arbitrary prime power, the bounds of this paper are better than the known ones.For <inline-formula><tex-math id="M11">\begin{document}$ t = 1 $\end{document}</tex-math></inline-formula>, we use a one-to-one correspondence between <inline-formula><tex-math id="M12">\begin{document}$ [n,n-(R+1)]_qR $\end{document}</tex-math></inline-formula> codes and <inline-formula><tex-math id="M13">\begin{document}$ (R-1) $\end{document}</tex-math></inline-formula>-saturating <inline-formula><tex-math id="M14">\begin{document}$ n $\end{document}</tex-math></inline-formula>-sets in the projective space <inline-formula><tex-math id="M15">\begin{document}$ \mathrm{PG}(R,q) $\end{document}</tex-math></inline-formula>. A new construction of such saturating sets providing sets of small size is proposed. Then the <inline-formula><tex-math id="M16">\begin{document}$ [n,n-(R+1)]_qR $\end{document}</tex-math></inline-formula> codes, obtained by geometrical methods, are taken as the starting ones in the lift-constructions (so-called "<inline-formula><tex-math id="M17">\begin{document}$ q^m $\end{document}</tex-math></inline-formula>-concatenating constructions") for covering codes to obtain infinite families of codes with growing codimension <inline-formula><tex-math id="M18">\begin{document}$ r = tR+1 $\end{document}</tex-math></inline-formula>, <inline-formula><tex-math id="M19">\begin{document}$ t\ge1 $\end{document}</tex-math></inline-formula>.

show abstract

Solving LPN Using Covering Codes

Cited by 18 publications

References 28 publications

Improvements on Making BKW Practical for Solving LWE

Improvements on Making BKW Practical for Solving LWE

Security evaluation and design elements for a class of randomised encryptions

Upper bounds on the length function for covering codes with covering radius $ R $ and codimension $ tR+1 $

Contact Info

Product

Resources

About