Journal of Cryptology, Volume 30, Issue 4, pp. 1238–1275

Efficient Authentication from Hard Learning Problems

  • Eike Kiltz
  • Krzysztof Pietrzak
  • Daniele Venturi
  • David Cash
  • Abhishek Jain


We construct efficient authentication protocols and message authentication codes (MACs) whose security can be reduced to the learning parity with noise (LPN) problem. Despite a large body of work—starting with the \({\mathsf {HB}}\) protocol of Hopper and Blum in 2001—until now it was not even known how to construct an efficient authentication protocol from LPN which is secure against man-in-the-middle attacks. A MAC implies such a (two-round) protocol.
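The abstract names the HB protocol of Hopper and Blum as the starting point of LPN-based authentication. As an added illustration (not code from the paper or its authors), the following simulates one HB authentication: the prover answers each random challenge with an LPN sample, and the verifier accepts when the fraction of disagreeing answers stays at or below a threshold. The parameters N, K, TAU and TAU_PRIME are constructed for the demo.

```python
import random

# Added illustration of the basic HB protocol (Hopper and Blum), whose
# security rests on LPN. The parameters are constructed for this demo.
N = 128           # secret length in bits
K = 512           # challenge/response rounds per authentication
TAU = 0.125       # prover's noise rate (Bernoulli parameter of LPN)
TAU_PRIME = 0.25  # accept iff mismatch fraction is at most TAU_PRIME


def inner_product_mod2(a, s):
    """<a, s> over GF(2) for equal-length bit lists."""
    return sum(x & y for x, y in zip(a, s)) & 1


def keygen(rng, n=N):
    """Shared secret s in {0,1}^n, drawn from a seeded RNG (constructed)."""
    return [rng.getrandbits(1) for _ in range(n)]


def prover_respond(s, challenge, rng, tau=TAU):
    """One LPN sample: z = <a, s> XOR e with e ~ Bernoulli(tau)."""
    e = 1 if rng.random() < tau else 0
    return inner_product_mod2(challenge, s) ^ e


def run_hb(s_verifier, s_prover, rng, n=N, k=K, tau_prime=TAU_PRIME):
    """Run k rounds and return (accepted, mismatch_count).

    Each round the verifier sends a fresh random challenge a and counts
    responses that differ from <a, s>. An honest prover disagrees only
    where its noise bit is 1 (rate TAU); a prover without the secret
    disagrees on about half of the rounds, far above TAU_PRIME * k.
    """
    mismatches = 0
    for _ in range(k):
        a = [rng.getrandbits(1) for _ in range(n)]
        z = prover_respond(s_prover, a, rng)
        if z != inner_product_mod2(a, s_verifier):
            mismatches += 1
    return mismatches <= tau_prime * k, mismatches


def demo(seed=2017):
    """Honest prover is accepted; a prover holding a random key is not."""
    rng = random.Random(seed)
    s = keygen(rng)
    honest_ok, _ = run_hb(s, s, rng)
    wrong_ok, _ = run_hb(s, keygen(rng), rng)
    return honest_ok, wrong_ok
```

The completeness and soundness margins follow from a Chernoff/Hoeffding bound on the mismatch count; this passive-secure sketch says nothing about the man-in-the-middle setting the paper addresses.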


Keywords: Authentication protocols, Message authentication, Hard learning problems



Krzysztof would like to thank Vadim Lyubashevsky for many interesting discussions on LPN while being in Tel Aviv and Eyjafjallajökull for making this stay possible.


  1. S. Agrawal, D. Boneh, X. Boyen, Efficient lattice (H)IBE in the standard model, in EUROCRYPT 2010, volume 6110 of LNCS, ed. by H. Gilbert (Springer, May 2010), pp. 553–572
  2. Z. Bai, J. Demmel, J. Dongarra, A. Ruhe, H. van der Vorst, Templates for the Solution of Algebraic Eigenvalue Problems: A Practical Guide (SIAM, Philadelphia, 2000)
  3. E. Berlekamp, R. McEliece, H. van Tilborg, On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory 24(3), 384–386 (1978)
  4. O. Blazy, E. Kiltz, J. Pan, (Hierarchical) identity-based encryption from affine message authentication, in CRYPTO 2014, volume 8616 of LNCS, ed. by J.A. Garay, R. Gennaro (Springer, Aug 2014), pp. 408–425
  5. A. Blum, M.L. Furst, M.J. Kearns, R.J. Lipton, Cryptographic primitives based on hard learning problems, in CRYPTO’93, volume 773 of LNCS, ed. by D.R. Stinson (Springer, Aug 1994), pp. 278–291
  6. A. Blum, A. Kalai, H. Wasserman, Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50(4), 506–519 (2003)
  7. S. Bogos, F. Tramèr, S. Vaudenay, On solving LPN using BKW and variants: implementation and analysis. Cryptogr. Commun. 8(3), 331–369 (2016)
  8. S. Bogos, S. Vaudenay, Observations on the LPN solving algorithm from Eurocrypt’16. Cryptology ePrint Archive, Report 2016/437 (2016)
  9. S. Bogos, S. Vaudenay, Optimization of LPN solving algorithms. Cryptology ePrint Archive, Report 2016/288 (2016)
  10. X. Boyen, Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more, in PKC 2010, volume 6056 of LNCS, ed. by P.Q. Nguyen, D. Pointcheval (Springer, May 2010), pp. 499–517
  11. J. Bringer, H. Chabanne, E. Dottax, \({\sf HB}^{++}\): a lightweight authentication protocol secure against some attacks, in SecPerU 2006 (IEEE Computer Society, June 2006), pp. 28–33
  12. D. Cash, E. Kiltz, S. Tessaro, Two-round man-in-the-middle security from LPN, in TCC 2016-A, volume 9562 of LNCS, ed. by E. Kushilevitz, T. Malkin (Springer, Jan 2016), pp. 225–248
  13. J. Chen, H. Wee, Fully, (almost) tightly secure IBE and dual system groups, in CRYPTO 2013, volume 8043 of LNCS, ed. by R. Canetti, J.A. Garay (Springer, Aug 2013), pp. 435–460
  14. R. Cramer, I. Damgård, On the amortized complexity of zero-knowledge protocols, in CRYPTO 2009, volume 5677 of LNCS, ed. by S. Halevi (Springer, Aug 2009), pp. 177–191
  15. Y. Dodis, E. Kiltz, K. Pietrzak, D. Wichs, Message authentication, revisited, in EUROCRYPT 2012, volume 7237 of LNCS, ed. by D. Pointcheval, T. Johansson (Springer, April 2012), pp. 355–374
  16. D.N. Duc, K. Kim, Securing \({\sf HB}^{+}\) against GRS man-in-the-middle attack, in 2007 Symposium on Cryptography and Information Security, Jan 2007
  17. J.-B. Fischer, J. Stern, An efficient pseudo-random generator provably as secure as syndrome decoding, in EUROCRYPT’96, volume 1070 of LNCS, ed. by U.M. Maurer (Springer, May 1996), pp. 245–255
  18. M. Fürer, Faster integer multiplication. SIAM J. Comput. 39(3), 979–1005 (2009)
  19. L. Gaspar, G. Leurent, F.-X. Standaert, Hardware implementation and side-channel analysis of Lapin, in CT-RSA 2014, LNCS (Springer, 2014), pp. 206–226
  20. H. Gilbert, M. Robshaw, H. Sibert, An active attack against \({\sf HB}^{+}\): a provably secure lightweight authentication protocol. Cryptology ePrint Archive, Report 2005/237 (2005)
  21. H. Gilbert, M.J.B. Robshaw, Y. Seurin, Good variants of HB+ are hard to find, in FC 2008, volume 5143 of LNCS, ed. by G. Tsudik (Springer, Jan 2008), pp. 156–170
  22. H. Gilbert, M.J.B. Robshaw, Y. Seurin, HB\(^\sharp \): increasing the security and efficiency of HB\(^+\), in EUROCRYPT 2008, volume 4965 of LNCS, ed. by N.P. Smart (Springer, April 2008), pp. 361–378
  23. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)
  24. Q. Guo, T. Johansson, C. Löndahl, Solving LPN using covering codes, in ASIACRYPT 2014, volume 8873 of LNCS, ed. by P. Sarkar, T. Iwata (Springer, Dec 2014), pp. 1–20
  25. S. Heyse, E. Kiltz, V. Lyubashevsky, C. Paar, K. Pietrzak, Lapin: an efficient authentication protocol based on Ring-LPN, in FSE 2012, volume 7549 of LNCS, ed. by A. Canteaut (Springer, March 2012), pp. 346–365
  26. W. Hoeffding, Probability inequalities for sums of bounded random variables. J. Am. Stat. Assoc. 58(301), 13–30 (1963)
  27. N.J. Hopper, M. Blum, Secure human identification protocols, in ASIACRYPT 2001, volume 2248 of LNCS, ed. by C. Boyd (Springer, Dec 2001), pp. 52–66
  28. A. Juels, S.A. Weis, Authenticating pervasive devices with human protocols, in CRYPTO 2005, volume 3621 of LNCS, ed. by V. Shoup (Springer, Aug 2005), pp. 293–308
  29. T. Kailath, A.H. Sayed, Fast Reliable Algorithms for Matrices with Structure (SIAM, Philadelphia, 1999)
  30. J. Katz, J.S. Shin, Parallel and concurrent security of the HB and HB+ protocols, in EUROCRYPT 2006, volume 4004 of LNCS, ed. by S. Vaudenay (Springer, May/June 2006), pp. 73–87
  31. J. Katz, J.S. Shin, A. Smith, Parallel and concurrent security of the HB and HB+ protocols. J. Cryptol. 23(3), 402–421 (2010)
  32. M.J. Kearns, Efficient noise-tolerant learning from statistical queries. J. ACM 45(6), 983–1006 (1998)
  33. E. Kiltz, K. Pietrzak, D. Cash, A. Jain, D. Venturi, Efficient authentication from hard learning problems, in EUROCRYPT 2011, volume 6632 of LNCS, ed. by K.G. Paterson (Springer, May 2011), pp. 7–26
  34. É. Levieil, P.-A. Fouque, An improved LPN algorithm, in SCN 06, volume 4116 of LNCS, ed. by R. De Prisco, M. Yung (Springer, Sept 2006), pp. 348–359
  35. V. Lyubashevsky, D. Masny, Man-in-the-middle secure authentication schemes from LPN and weak PRFs, in CRYPTO 2013, volume 8043 of LNCS, ed. by R. Canetti, J.A. Garay (Springer, Aug 2013), pp. 308–325
  36. V. Lyubashevsky, C. Peikert, O. Regev, On ideal lattices and learning with errors over rings, in EUROCRYPT 2010, volume 6110 of LNCS, ed. by H. Gilbert (Springer, June 2010), pp. 1–23
  37. J. Munilla, A. Peinado, \({\sf HB\sf -\sf MP}\): a further step in the HB-family of lightweight authentication protocols. Comput. Netw. 51(9), 2262–2267 (2007)
  38. K. Ouafi, R. Overbeck, S. Vaudenay, On the security of HB# against a man-in-the-middle attack, in ASIACRYPT 2008, volume 5350 of LNCS, ed. by J. Pieprzyk (Springer, Dec 2008), pp. 108–124
  39. C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, in 41st ACM STOC, ed. by M. Mitzenmacher (ACM Press, May/June 2009), pp. 333–342
  40. K. Pietrzak, Subspace LWE, in TCC 2012, volume 7194 of LNCS, ed. by R. Cramer (Springer, March 2012), pp. 548–563
  41. O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in 37th ACM STOC, ed. by H.N. Gabow, R. Fagin (ACM Press, May 2005), pp. 84–93
  42. Schönhage, V. Strassen, Schnelle Multiplikation großer Zahlen. Computing 7, 281–292 (1971)
  43. J. Van De Graaf, Towards a formal definition of security for quantum protocols. PhD thesis, Université de Montréal, Montréal, P.Q., Canada, AAINQ35648, 1998
  44. B.R. Waters, Efficient identity-based encryption without random oracles, in EUROCRYPT 2005, volume 3494 of LNCS, ed. by R. Cramer (Springer, May 2005), pp. 114–127
  45. J. Watrous, Zero-knowledge against quantum attacks. SIAM J. Comput. 39(1), 25–58 (2009)
  46. B. Zhang, L. Jiao, M. Wang, Faster algorithms for solving LPN, in EUROCRYPT 2016, volume 9665 of LNCS, ed. by M. Fischlin, J.-S. Coron (Springer, May 2016), pp. 168–195

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  • Eike Kiltz, Ruhr-Universität Bochum, Bochum, Germany
  • Krzysztof Pietrzak, IST Austria, Klosterneuburg, Austria
  • Daniele Venturi (corresponding author), University of Trento, Trento, Italy
  • David Cash, Rutgers University, New Brunswick, USA
  • Abhishek Jain, Johns Hopkins University, Baltimore, USA
