Optimization of LPN Solving Algorithms Sonia Bogos Serge Vaudenay EPFL 08 December 2016 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 1 / 27
Now Hiring! mailto: job_lasec@epfl.ch Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 2 / 27
Now Hiring! mailto: job_lasec@epfl.ch Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 2 / 27
Motivation LPN can be defined as a noisy system of linear equations in the binary domain Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27
Motivation LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27
Motivation LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27
Motivation LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems special case of LWE, but its hardness is not proven so far Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27
Motivation LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems special case of LWE, but its hardness is not proven so far Best way to study its hardness is by improving the algorithms that solve it Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27
Our Results analyse the existing LPN algorithms and study its building blocks improve the theory behind the covering code reduction optimise the order and the parameters used in LPN solving algorithms improve the best existing algorithms from ASIACRYPT’14 and EUROCRYPT’16 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 4 / 27
Outline LPN 1 2 Code Reduction Our Algorithm 3 Results 4 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 5 / 27
Outline LPN 1 2 Code Reduction Our Algorithm 3 Results 4 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 6 / 27
Learning Parity with Noise (LPN) LPN Oracle Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s c 1 = � v 1 , s �⊕ d 1 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s c 1 = � v 1 , s �⊕ d 1 random vector Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s c 1 = � v 1 , s �⊕ d 1 noise random vector Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s ( v 1 , c 1 ) c 1 = � v 1 , s �⊕ d 1 noise random vector Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s ( v 2 , c 2 ) c 2 = � v 2 , s �⊕ d 2 noise random vector Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s ( v i , c i ) c i = � v i , s �⊕ d i noise random vector Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
Learning Parity with Noise (LPN) LPN Oracle secret random vector s ( v i , c i ) c i = � v i , s �⊕ d i noise random vector Definition (LPN) Given independent queries from the LPN oracle, find the secret s . Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27
LPN Solving Algorithm Definition (LPN solving algorithm) We say that an algorithm M solves the LPN problem if Pr [ M recovers the secret s ] ≥ 1 2 , The performance of M is measured by the running time t , memory m and number of queries n from the LPN oracle Define δ = Pr [ d i = 0 ] − Pr [ d i = 1 ] as the noise bias Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 8 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits recover the secret s ′ update the queries & repeat the steps Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits through reduction techniques recover the secret s ′ update the queries & repeat the steps Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits through reduction techniques recover the secret s ′ through solving techniques update the queries & repeat the steps Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits through reduction techniques recover the secret s ′ through solving techniques update the queries & repeat the steps until the entire s is recovered Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits through reduction techniques recover the secret s ′ through solving techniques update the queries & repeat the steps until the entire s is recovered s i LPN s 1 ... LPN s i LPN s reduction solve Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
General Structure To recover a secret s of k bits: reduce to a secret s ′ of k ′ ≤ k bits through reduction techniques recover the secret s ′ through solving techniques update the queries & repeat the steps until the entire s is recovered s i LPN s 1 ... LPN s i LPN s reduction solve Optimise the use of the reduction techniques Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27
Reduction Techniques sparse - secret partition - reduce ( b ) xor - reduce ( b ) drop - reduce ( b ) code - reduce ( k , k ′ , params ) guess - secret ( b , w ) Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27
Reduction Techniques sparse - secret partition - reduce ( b ) xor - reduce ( b ) drop - reduce ( b ) code - reduce ( k , k ′ , params ) guess - secret ( b , w ) Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27
Reduction Techniques Keep track of the: sparse - secret secret size partition - reduce ( b ) number of queries xor - reduce ( b ) noise bias drop - reduce ( b ) secret bias code - reduce ( k , k ′ , params ) guess - secret ( b , w ) Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27
Reduction sparse - secret v 1 c 1 ... v 2 ... c 2 v 3 ... c 3 v 4 c 2 ... v 5 c 5 ... v 6 c 6 ... ........................... v n − 2 ... c n-2 v n − 1 c n-1 ... v n c n ... Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27
Reduction sparse - secret v 1 c 1 ... v 2 ... c 2 v 3 ... c 3 v 4 c 2 ... v 5 c 5 ... v 6 c 6 n ... ........................... v n − 2 ... c n-2 v n − 1 c n-1 ... v n c n ... Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27
Reduction sparse - secret k v 1 c 1 ... v 2 ... c 2 v 3 ... c 3 v 4 c 2 ... v 5 c 5 ... v 6 c 6 n ... ........................... v n − 2 ... c n-2 v n − 1 c n-1 ... v n c n ... Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27
Reduction sparse - secret k c i = � v i , s �⊕ d i v 1 c 1 ... v 2 ... c 2 v 3 ... c 3 v 4 c 2 ... v 5 c 5 ... v 6 c 6 n ... ........................... v n − 2 ... c n-2 v n − 1 c n-1 ... v n c n ... Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27
Reduction sparse - secret k c i = � v i , s �⊕ d i ... 1 0 1 0 1 0 1 0 ... 1 1 1 0 1 0 0 0 ... 0 0 0 1 1 1 0 0 ... 0 0 0 0 0 1 0 1 ... 0 0 1 1 0 0 1 1 n ... 1 0 1 0 0 1 1 0 ........................... ... 0 0 1 1 0 1 1 0 ... 1 0 1 0 1 1 0 1 ... 1 0 0 1 1 0 0 1 Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27
Recommend
More recommend