So this is joint work with Jiang Zhang from the State Key Laboratory of Cryptology in China.

Okay, so this is the outline of the talk. I'll give you a very brief introduction to LPN, and then we studied actually these two independent problems: LPN with hard-to-invert auxiliary input, and also how to construct a PKE from constant-noise LPN. And then we conclude and we point out some open problems.

LPN is well known. I'm sorry, but this should be some kind of distribution. So this is the Bernoulli distribution, but I don't know, somehow. So we sample the secret x and sample a random matrix, which is public, and we sample the noise distribution, in which every bit is independently biased, and it's more biased to zero than one. The mu is the noise rate.

Okay, so the search version of LPN just says that, given the matrix and given the samples, you find out x. Essentially, it's like solving a system of linear equations, so the number of samples is the number of equations, actually in the presence of noise, which makes this problem very difficult. And the decision version just says that the samples are pseudorandom, even given the matrix. And we know that these two versions are equivalent in the polynomial sense, you know.

Actually, we can also use the Bernoulli distribution for the secret x as well. There's no need to sample x from uniform, because the security is essentially the same, which can be seen by a simple reduction. Okay, so the secret can also be sampled from the Bernoulli distribution.

And LPN is believed to be hard in the worst case. It represents the well-known decoding of random linear codes, so it's known to be NP-complete, but we know that, for cryptography,
we need the average-case hardness. So there are two settings. In the constant-noise-rate setting, the noise rate is fixed and independent of the secret size. In this case the well-known BKW is the best algorithm, I think asymptotically the best algorithm, that needs time and sample complexity which is almost exponential, up to this log n factor. And we also have the trade-off: we need more time, but then we just need a polynomial number of samples.

And for PKE we will need a stronger assumption. Here this noise rate is also a function of n, so the noise rate will decrease when n increases. In this case mu is n to some minus constant, and typically this constant is a half. In this case the time complexity is sub-exponential, and we only need this low-noise LPN to be secure against a linear number of samples, just to construct public-key encryption schemes. And we believe that low-noise LPN is a stronger assumption than constant noise, I think, because we already know from last year's PKC paper that low-noise LPN with security against a linear number of samples already implies constant-noise LPN with security against any polynomial number of samples.

And LPN is also believed to be quantum secure, because we don't know any quantum algorithm that has additional advantages over the classical ones in solving LPN.

So, related work. We have a lot of symmetric-key crypto stuff, so pseudorandom generators, classification schemes and pseudorandom functions. Basically everything that can be constructed from one-way functions can be done from LPN efficiently, from constant-noise LPN, except for the last one. Okay, and for public-key cryptography we need a stronger version, we need a stronger assumption, which is the low-noise LPN. So we have CPA and CCA schemes from low-noise LPN in the literature, and in this work we are going to
construct PKE from constant-noise LPN, which is believed to be the standard assumption about LPN.

Okay, so in this work, the main result is that we consider actually two problems. So constant-noise LPN already implies that LPN is robust against hard-to-invert auxiliary input. In this case this x might be uniform, but there is also a leakage. So f of x is the leakage. Given the leakage, x remains, like, 2 to the power of minus 2 lambda hard to invert for all the PPT adversaries. Okay, so we come back to this later. Actually this problem was also considered in the STOC paper, but they proved this under a stronger assumption, a new assumption.

And then we show that when this constant-noise LPN is sub-exponentially hard, then we can construct PKE and even oblivious transfer protocols. Okay, so this was actually a problem. And then we mention that this sub-exponential hardness is reasonable, because the best known attacks on constant LPN have complexity much beyond 2 to the square root of n. The precise bound is 2 to the n over log n.

Okay, so some technical tools. Here's a very brief introduction to PKE. You know that we have encryption, decryption, we have key generation. So these are standard definitions. Move to the next.

Okay, so here also we have the tag-based PKE. So we have additionally a tag, so messages are encrypted under the tag and decryption has to be performed under the same tag. We require the decryption correctness to be at least overwhelming.

Okay, so these are the standard definitions about CPA-secure PKE. It just says, like, two messages, they are indistinguishable, the encryptions of the two messages,
they are indistinguishable. Okay, so these are all the standard definitions, and for CCA the challenger will answer the decryption queries. Okay, and for the tag-based, here, the advantage: for secure CPA and CCA schemes we need the advantage of the adversary to be negligible. And for a tag-based CCA-secure scheme, at the beginning the adversary has to commit to a tag, and then the challenger only answers decryption queries for other tags. Okay, so here's the difference.

And we know that if we already have a CCA-secure tag-based PKE, then it can be transformed into a standard CCA-secure PKE scheme without tags using generic transforms. So it suffices for us to just build a tag-based PKE that is CCA-secure.

Okay, and before we present the construction, we need to understand why previous PKE schemes need a low-noise LPN assumption. Here, in this case, we give a very simplified illustration. Say Bob wants to encrypt a single message m, a single-bit message m, and send it to Alice so that Alice can decrypt with at least noticeable correctness. To do this, Alice will sample a uniform random matrix, and she will also sample two secret vectors from the noise distribution. Okay, then she will send these two values, the LPN samples corresponding to this matrix, to Bob, which can be considered as a public key, and the secret key is actually this vector. This is a vector and T means transpose. So these are the transposed vectors. They are all row vectors.

Okay, and Bob will do the same: he samples two column vectors from the noise distribution and computes the samples corresponding to the same matrix and sends them back. Actually the message is also encrypted. Okay, so here this means the inner product between two vectors. Okay, so then Alice can actually decrypt the message.
She just computes m prime, which is almost m, subject to two noisy bits. These two noise bits are both the inner product between two Bernoulli distributions, two m-bit Bernoulli distributions, okay. So here we give the lower bound of the correctness. Here you can see that that is why we need this mu to be n over some, like n over square root of n, oh, sorry, one over square root of n, okay, so that this correctness can be noticeable. So this is why the low noise rate is essentially needed.

Next we are going to do very little modification to this protocol to make this PKE also work for constant-noise LPN, but before that we need a lemma. So this technical lemma says that LPN, constant-noise LPN, already implies that it is secure against sub-exponentially hard-to-invert leakage. Okay, so here you can say that this x has, like, 2 lambda bits of pseudo-entropy given the leakage, and still the LPN samples are pseudorandom even given the leakage and the matrix. But the difference is that, so this is sampled from the Bernoulli distribution, but this A is sampled from a random space of dimension lambda. So here it's actually the product between two matrices. V gives the random space and A are the random coins for sampling from that random matrix. So this A prime means that they're sampling from the random space of dimension lambda.

Okay, and the proof is very easy, because we can consider Vx. Vx is essentially pseudorandom, because we have, like, 2 lambda bits of entropy, and we can at least extract lambda bits of it. So Vx will be pseudorandom even given V and the leakage. Okay, so then we can replace this Vx with uniform randomness that is independent of f of x. That's why it reduces to the standard assumption.

But actually for our PKE we need a smaller lambda. We
need lambda to be polylogarithmic in n, but here this lambda is like a sublinear polynomial of n. This is because here, in this indistinguishability game, the security parameter is n, not lambda. So we need to set lambda to be a polynomial of n, so that any polynomial of n is automatically another polynomial of lambda. But for lambda to be polylogarithmic in n, we need a stronger assumption. Namely, we need this LPN to be exponentially hard. Okay, so for example, for lambda which is the squared log n, we need the above LPN assumption to be at least exponentially hard for the proof to go through. Okay, and in this proof, if we just write this term as a function of n, then this will be super-polynomial, so that this indistinguishability will hold for all the adversaries with polynomial resources in n.

Okay, so this way we will get some immediate applications, the same as that STOC paper, which is not the focus of this paper. And then we will use the fact that this LPN is essentially secure against squared-log entropy in our protocol.

Okay, so we introduce our work. So this is another distribution, which denotes a random distribution having weight exactly log n. Okay, and actually the entropy of this distribution is squared log, which can be seen by a simple, like, Stirling approximation. So once we have this new distribution, we can just do the modification to the previous protocol. Okay, we sample the matrix from a random subspace.
So all the differences are highlighted in red. Instead of sampling s from the Bernoulli distribution, we sample from this new distribution. Okay, and send this a and b to Bob, and Bob would do the same, except that this s1 is also sampled from the new distribution.

Okay, then you can see the correctness. The noisy bit is still the inner product between these two vectors. But now at least one of these vectors is sampled from the new distribution, which is very sparse. It has, like, Hamming weight only log n. So the other vector can have constant noise rate, so that the inner product bit between these two still has, like, noticeable correlation.

So actually this already gives us an almost CPA-secure PKE. It encrypts a one-bit message, except that the correctness is only noticeable. But to make the correctness overwhelming we can use error correction codes to get a CPA-secure public-key encryption. So everything is the same, except we can encode more than one bit of message. So these are the correctness and the security.

And for CCA we can use the techniques from the PKC paper from 2004. Sorry, it should be 2014.
It's not 2004, 2014. First of all we construct the tag-based PKE that is CCA-secure. Yeah, and we use, like, the double trapdoor techniques, and actually only one trapdoor is used for encryption and the other trapdoor is used in the security proof. Okay, and I will not go into the details, but the proof idea is very similar to the previous works from, like, these two PKC papers from 2014 and 2015. And then once we have a CCA-secure tag-based PKE, we can transform it into a standard CCA-secure PKE scheme using generic transforms.

Okay, now to conclude. From standard LPN we construct the first CCA-secure PKE. But actually there are some open problems, because our results are mainly feasibility results, so it's not very efficient. It remains open if we can construct PKE from constant-noise LPN. And the other LPN-related open problems are if we can construct PRFs in constant depth from LPN, or even more crazy stuff like the CI trips and FHEs from LPN. But actually there are some negative results about constructing FHE from LPN. But I would not call it an impossibility result; this paper just says, like, straightforward constructions will not work. But it does not rule out the possibility that we can make very complicated candidate constructions from LPN.

Okay. Yeah, thank you for the
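
An added example, not part of the talk: the correctness argument above, worked out with the piling-up lemma for the three cases the speaker contrasts (both vectors Bernoulli with mu = 1/sqrt(n), both Bernoulli with constant mu, and one vector of Hamming weight exactly log n against constant mu). The function names, mu = 1/8, and the assumption that the decryption error is the XOR of two independent inner-product noise bits are choices made for this illustration.

```python
import math
import random

def bias_bernoulli_pair(n, mu):
    """Bias of <s,e> over GF(2) when s and e are both Bernoulli(mu)^n.
    Each product s_i*e_i is Bernoulli(mu^2); piling-up gives (1-2mu^2)^n."""
    return (1 - 2 * mu * mu) ** n

def bias_sparse(weight, mu):
    """Bias of <s,e> when s has exactly `weight` ones and e is Bernoulli(mu)^n:
    only the `weight` noise bits on the support of s matter."""
    return (1 - 2 * mu) ** weight

def correctness(bias_per_noise_bit):
    """Pr[m' = m] when m' = m + (two independent noise bits of this bias)."""
    return 0.5 + 0.5 * bias_per_noise_bit ** 2

def simulate_sparse(n, weight, mu, trials, seed=1):
    """Monte Carlo estimate of Pr[<s,e> = 0] for sparse s, Bernoulli(mu) e."""
    rng = random.Random(seed)
    zero = 0
    for _ in range(trials):
        support = rng.sample(range(n), weight)      # s: weight ones
        e = [rng.random() < mu for _ in range(n)]   # e: constant noise
        zero += sum(e[i] for i in support) % 2 == 0
    return zero / trials

def compare(n, mu_const=0.125):
    """Decryption correctness for the three settings at secret size n."""
    w = int(math.log2(n))
    return {
        "low_noise": correctness(bias_bernoulli_pair(n, 1 / math.sqrt(n))),
        "constant_noise": correctness(bias_bernoulli_pair(n, mu_const)),
        "sparse_secret": correctness(bias_sparse(w, mu_const)),
    }

if __name__ == "__main__":
    for name, p in compare(1024).items():
        print(f"{name:15s} Pr[correct] - 1/2 = {p - 0.5:.3e}")
```

With constant noise on both vectors the advantage over 1/2 decays exponentially in n, while the weight-log n vector keeps it at n to a negative constant, which is what the error-correcting code then amplifies.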