Optimization of LPN Solving Algorithms Sonia Bogos Serge Vaudenay - - PowerPoint PPT Presentation

Optimization of LPN Solving Algorithms

Sonia Bogos Serge Vaudenay

EPFL

08 December 2016

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 1 / 27

Now Hiring!

mailto: job_lasec@epfl.ch

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 2 / 27

Now Hiring!

mailto: job_lasec@epfl.ch

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 2 / 27

Motivation

LPN can be defined as a noisy system of linear equations in the binary domain

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27

Motivation

LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27

Motivation

LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27

Motivation

LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems special case of LWE, but its hardness is not proven so far

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27

Motivation

LPN can be defined as a noisy system of linear equations in the binary domain believed to be quantum resistant used in authentication protocols and cryptosystems special case of LWE, but its hardness is not proven so far

Best way to study its hardness is by improving the algorithms that solve it

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 3 / 27

Our Results

analyse the existing LPN algorithms and study its building blocks improve the theory behind the covering code reduction

• ptimise the order and the parameters used in LPN solving algorithms

improve the best existing algorithms from ASIACRYPT’14 and EUROCRYPT’16

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 4 / 27

Outline

1

LPN

2

Code Reduction

3

Our Algorithm

4

Results

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 5 / 27

Outline

1

LPN

2

Code Reduction

3

Our Algorithm

4

Results

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 6 / 27

Learning Parity with Noise (LPN)

LPN Oracle

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s c1 = v1,s⊕ d1

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s c1 = v1,s⊕ d1 random vector

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s c1 = v1,s⊕ d1 random vector noise

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s c1 = v1,s⊕ d1 random vector noise

(v1,c1)

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s random vector noise

(v2,c2)

c2 = v2,s⊕ d2

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s random vector noise

(vi,ci)

ci = vi,s⊕ di

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

Learning Parity with Noise (LPN)

LPN Oracle secret random vector s random vector noise

(vi,ci)

ci = vi,s⊕ di

Definition (LPN)

Given independent queries from the LPN oracle, find the secret s.

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 7 / 27

LPN Solving Algorithm

Definition (LPN solving algorithm)

We say that an algorithm M solves the LPN problem if Pr[M recovers the secret s] ≥ 1 2, The performance of M is measured by the running time t, memory m and number of queries n from the LPN oracle Define δ = Pr[di = 0]− Pr[di = 1] as the noise bias

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 8 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits recover the secret s′ update the queries & repeat the steps

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits through reduction techniques recover the secret s′ update the queries & repeat the steps

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits through reduction techniques recover the secret s′ through solving techniques update the queries & repeat the steps

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits through reduction techniques recover the secret s′ through solving techniques update the queries & repeat the steps until the entire s is recovered

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits through reduction techniques recover the secret s′ through solving techniques update the queries & repeat the steps until the entire s is recovered LPNs

reduction

LPNs1

...

LPNsi

solve si

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

General Structure

To recover a secret s of k bits: reduce to a secret s′ of k′ ≤ k bits through reduction techniques recover the secret s′ through solving techniques update the queries & repeat the steps until the entire s is recovered LPNs

reduction

LPNs1

...

LPNsi

solve si

Optimise the use of the reduction techniques

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 9 / 27

Reduction Techniques

sparse-secret partition-reduce(b) xor -reduce(b) drop-reduce(b) code-reduce(k,k′,params) guess-secret(b,w)

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27

Reduction Techniques

sparse-secret partition-reduce(b) xor -reduce(b) drop-reduce(b) code-reduce(k,k′,params) guess-secret(b,w)

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27

Reduction Techniques

sparse-secret partition-reduce(b) xor -reduce(b) drop-reduce(b) code-reduce(k,k′,params) guess-secret(b,w)

Keep track of the: secret size number of queries noise bias secret bias

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 10 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

vn cn vn−1 cn-1 vn−2 cn-2

...........................

v6 c6 v5 c5 v4 c2 v3 c3 v2 c2 v1 c1

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

vn cn vn−1 cn-1 vn−2 cn-2

...........................

v6 c6 v5 c5 v4 c2 v3 c3 v2 c2 v1 c1 n

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

vn cn vn−1 cn-1 vn−2 cn-2

...........................

v6 c6 v5 c5 v4 c2 v3 c3 v2 c2 v1 c1 n k

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

vn cn vn−1 cn-1 vn−2 cn-2

...........................

v6 c6 v5 c5 v4 c2 v3 c3 v2 c2 v1 c1 n k ci = vi,s⊕ di

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Change the distribution of the secret

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Change the distribution of the secret from s being uniformly distributed to an s where each bit has the same distribution as the noise

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction sparse-secret

... ... ... ... ... ... ... ... ...

k 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 c′

i = v′ i ,s′⊕ di

n− k Change the distribution of the secret from s being uniformly distributed to an s where each bit has the same distribution as the noise Complexity: O(minχ∈N(k(n − k)⌈ k

χ⌉+ k3 + kχ2χ))

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 11 / 27

Reduction xor -reduce

n k

... ... ... ... ... ... ... ... ...

ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Find collisions on a window of b bits

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 12 / 27

Reduction xor -reduce

n k

... ... ... ... ... ... ... ... ...

ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Find collisions on a window of b bits group queries in equivalence classes xor each pair of queries from the same equivalence class

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 12 / 27

Reduction xor -reduce

... ... ... ... ... ... ... ... ...

0 0 0 1 1 0 0 1 0 0 0 0 0 1 1 1 0 0 0 0 0 1 0

...........................

0 0 0 0 1 1 0 0 0 0 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1

n(n−1) 2b+1

k − b ci ⊕ cj = vi ⊕ vj,s⊕ di ⊕ dj Find collisions on a window of b bits group queries in equivalence classes xor each pair of queries from the same equivalence class Complexity: O(k · max(n, n(n−1)

2b+1 ))

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 12 / 27

Reduction xor -reduce

... ... ... ... ... ... ... ... ...

0 0 0 1 1 0 0 1 0 0 0 0 0 1 1 1 0 0 0 0 0 1 0

...........................

0 0 0 0 1 1 0 0 0 0 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1

n(n−1) 2b+1

k − b ci ⊕ cj = vi ⊕ vj,s⊕ di ⊕ dj Find collisions on a window of b bits group queries in equivalence classes xor each pair of queries from the same equivalence class Complexity: O(k · max(n, n(n−1)

2b+1 ))

When n ≈ 1+ 2b+1, the number of queries stay constant

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 12 / 27

Reduction drop-reduce

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Keep only the queries with 0 on a window of b bits

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 13 / 27

Reduction drop-reduce

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Keep only the queries with 0 on a window of b bits

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 13 / 27

Reduction drop-reduce

... ... ... ... ... ... ... ... ...

n k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1 1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 1 0 1 0 0 1 0 1 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0

...........................

Keep only the queries with 0 on a window of b bits

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 13 / 27

Reduction drop-reduce

... ... ... ... ... ... ... ... ...

ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1 1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 1 1 1 0 1 0 0 1 0 1 0 1 0 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0

...........................

n 2b

k − b Keep only the queries with 0 on a window of b bits Complexity: O(n(1+ 1

2 +...+ 1 2b−1 ))

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 13 / 27

Reduction code-reduce

n

... ... ... ... ... ... ... ... ...

k ci = vi,s⊕ di 1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Introduced at ASIACRYPT’14 [GJL] Use a linear code C[k,k′,D] with generator matrix G, where g = g′G ∈ C Approximate each vector vi to the nearest neighbour in the code C

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 14 / 27

Reduction code-reduce

n

... ... ... ... ... ... ... ... ...

k ci = vi,s⊕ di

= g,s⊕vi − g,s⊕ di = g′G,s⊕vi − g,s⊕ di = g′,sGT⊕vi − g,s⊕ di

1 0 0 1 1 0 0 1 1 0 1 0 1 1 0 1 0 0 1 1 0 1 1

...........................

1 0 1 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 1 0 1 0 0 0 1 1 1 0 1 1 1 0 1 0 0 1 0 1 0 1 0 1 Introduced at ASIACRYPT’14 [GJL] Use a linear code C[k,k′,D] with generator matrix G, where g = g′G ∈ C Approximate each vector vi to the nearest neighbour in the code C

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 14 / 27

Reduction code-reduce

n

... ... ... ... ... ... ... ... ...

k′

= g,s⊕vi − g,s⊕ di = g′G,s⊕vi − g,s⊕ di = g′,sGT⊕vi − g,s⊕ di

ci = vi,s⊕ di 0 0 1 0 1 1 0 1 1 1 1 1 0 1

.....................

0 0 1 1 0 0 1 0 1 1 0 1 0 1 0 1 1 1 0 1 0 0 1 1 0 1 Introduced at ASIACRYPT’14 [GJL] Use a linear code C[k,k′,D] with generator matrix G, where g = g′G ∈ C Approximate each vector vi to the nearest neighbour in the code C Complexity: O(k · n)

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 14 / 27

Solving Technique

Define f(x) = ∑

i

1vi=x(−1)vi,s⊕di and apply the Walsh Hadamard Transform (WHT) to obtain

ˆ

f(ν) = ∑

x

(−1)ν,xf(x) = ∑

i

(−1)vi,s+ν⊕di |ˆ

f(s)| is large; In order to be the largest value in the table of ˆ f, we require certain amount of queries Complexity: O(k2k log2 n+1

2

+ kn), when WHT is applied for a secret of k bits on

n queries

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 15 / 27

Outline

1

LPN

2

Code Reduction

3

Our Algorithm

4

Results

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 16 / 27

Bias of the Code Reduction

For code-reduce we have ci = vi,s⊕ di = g′,s′⊕vi − g,s⊕ di

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 17 / 27

Bias of the Code Reduction

For code-reduce we have ci = vi,s⊕ di = g′,s′⊕vi − g,s ⊕ di bc = E((−1)vi−g,s) = ∑

e∈{0,1}k

Pr[vi − g = e]E((−1)e,s)

= E

• δ

HW(vi−g) s

• ,

where δs is the secret bias

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 17 / 27

Bias of the Code Reduction

For code-reduce we have ci = vi,s⊕ di = g′,s′⊕vi − g,s ⊕ di bc = E((−1)vi−g,s) = ∑

e∈{0,1}k

Pr[vi − g = e]E((−1)e,s)

= E

• δ

HW(vi−g) s

• ,

where δs is the secret bias We analyse: perfect codes quasi-perfect codes random codes

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 17 / 27

Perfect Codes

Repetition code [k,1, k−1

2 ] with k odd

bc =

k−1 2

∑

w=0

1 2k−1

• k

w

• δw

s

Golay code [23,12,7] bc = 2−11

3

∑

w=0

• 23

w

• δw

s

Hamming code [2ℓ − 1,2ℓ −ℓ,3] bc = 2−ℓ

1

∑

w=0

• 2ℓ − 1

w

• δw

s

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 18 / 27

Optimal Concatenated Code

Not every code C[k,k′,D] is perfect or quasi-perfect

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 19 / 27

Optimal Concatenated Code

Not every code C[k,k′,D] is perfect or quasi-perfect

⇓

Concatenate codes

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 19 / 27

Optimal Concatenated Code

Not every code C[k,k′,D] is perfect or quasi-perfect

⇓

Concatenate codes Take the C [k,k′,D] code as the concatenation of C1 [k −ℓ,k′ −ℓ′,D1] and

C2 [ℓ,ℓ′,D2] with bc = bc1 · bc2

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 19 / 27

Optimal Concatenated Code

Not every code C[k,k′,D] is perfect or quasi-perfect

⇓

Concatenate codes Take the C [k,k′,D] code as the concatenation of C1 [k −ℓ,k′ −ℓ′,D1] and

C2 [ℓ,ℓ′,D2] with bc = bc1 · bc2

Computation: compute the biases for perfect, quasi-perfect and random codes for each [k,k′,D], check if bc[k,k′,D] < bc[k −ℓ,k′ −ℓ′,D1]· bc[ℓ,ℓ′,D2]

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 19 / 27

Outline

1

LPN

2

Code Reduction

3

Our Algorithm

4

Results

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 20 / 27

LPN Solving Automaton

LPN solving algorithms = chains of reductions + WHT LPNs

reduction

LPNs1

...

LPNsi

solve si

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 21 / 27

LPN Solving Automaton

LPN solving algorithms = chains of reductions + WHT LPNs

reduction

LPNs1

...

LPNsi

solve si

initial state

1 3 4 2

accepting state WHT WHT WHT WHT

code-reduce drop-reduce drop-reduce xor -reduce drop-reduce xor -reduce xor -reduce sparse-secret xor -reduce

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 21 / 27

Graph of Reduction Chains

Construct a graph of all possible reduction chains the vertex stores the secret size and the number of queries the edge stores the bias change for a reduction

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 22 / 27

Graph of Reduction Chains

Construct a graph of all possible reduction chains the vertex stores the secret size and the number of queries the edge stores the bias change for a reduction Find the reductions that optimize the bias

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 22 / 27

Graph of Reduction Chains

Construct a graph of all possible reduction chains the vertex stores the secret size and the number of queries the edge stores the bias change for a reduction Find the reductions that optimize the bias The time complexity of a chain is the sum of the complexities of each reduction step + cost of WHT

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 22 / 27

Graph of Reduction Chains

Construct a graph of all possible reduction chains the vertex stores the secret size and the number of queries the edge stores the bias change for a reduction Find the reductions that optimize the bias The time complexity of a chain is the sum of the complexities of each reduction step + cost of WHT Use max-complexity as an approximation for the time complexity

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 22 / 27

Graph of Reduction Chains

Construct a graph of all possible reduction chains the vertex stores the secret size and the number of queries the edge stores the bias change for a reduction Find the reductions that optimize the bias The time complexity of a chain is the sum of the complexities of each reduction step + cost of WHT Use max-complexity as an approximation for the time complexity Find the chain with the smallest max-complexity and compute its total time complexity

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 22 / 27

Graph of Reduction Chains

Find the chain with the smallest max-complexity and compute its total time complexity

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 23 / 27

Outline

1

LPN

2

Code Reduction

3

Our Algorithm

4

Results

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 24 / 27

Results

(k,τ)

ASIACRYPT’14 [GJL] EUROCRYPT’16 [ZJW] our results

(512,0.125) 81.90

80.09 78.84

(532,0.125) 88.62

82.17 81.02

(592,0.125) 97.71

89.32 87.57

Table: Logarithmic time complexity to solve LPN (in bit operations)

k - secret size

τ - noise level

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 25 / 27

Results

τ

k 32 48 64 100 256 512 768 0.05 13.89 14.52 16.04 20.47 36.75 57.77 76.63 0.1 15.04 18.58 21.58 27.61 46.75 73.68 98.97 0.125 15.66 19.29 22.94 28.91 49.90 78.85 105.89 0.2 17.01 21.25 24.42 32.06 56.31 89.04 121.04 0.25 18.42 22.34 26.86 32.94 59.47 94.66 127.35

Table: Logarithmic time complexity to solve LPN

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 26 / 27

Results

τ

k 32 48 64 100 256 512 768 0.05 13.89 14.52 16.04 20.47 36.75 57.77 76.63 0.1 15.04 18.58 21.58 27.61 46.75 73.68 98.97 0.125 15.66 19.29 22.94 28.91 49.90 78.85 105.89 0.2 17.01 21.25 24.42 32.06 56.31 89.04 121.04 0.25 18.42 22.34 26.86 32.94 59.47 94.66 127.35

Table: Logarithmic time complexity to solve LPN

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 26 / 27

Conclusion

Create an algorithm that automatizes the LPN solving algorithms Improve the best existing results New reduction techniques can be integrated later on

Thank you for your kind attention!

Sonia Bogos, Serge Vaudenay Optimization of LPN Solving Algorithms 08.12.2016 27 / 27