I am glad to introduce our paper, "Smoothing Out Binary Linear Codes and Worst-Case Sub-exponential Hardness for LPN". This is joint work with Jiang Zhang and it appears at Crypto 2021. At the core of this work is a worst-case to average-case reduction for LPN, which is in turn based on a smoothing lemma for binary linear codes. Here is the outline of the talk.

We start with the preliminaries. First of all, binary linear codes. Linear means that we encode a message x by multiplying it with an m-by-n matrix called the generator matrix. Binary means it is over GF(2), namely every entry of the matrix is either 0 or 1, and m is the length of the codeword. In general, a good code has some non-trivial amount of minimum distance, defined as the smallest Hamming distance over all pairs of distinct codewords. Some previous work considers a stronger version of the Hamming distance requirement called a balanced code, where this Hamming distance has both an upper bound and a lower bound; in other words, every codeword has almost the same number of zeros and ones, up to a beta fraction. In this work we also consider the so-called independent code, where the generator matrix has k-wise independent rows. We mention that the MDS code, the maximum distance separable code, is a special case of the independent code for k equal to n.

The search version of the decoding problem is: given the generator matrix and a noisy codeword, find the original x in the presence of the noise vector e. The average-case version of the problem is called learning parity with noise (LPN), where the matrix and the secret are sampled uniformly at random, and the noise follows a coordinate-wise independent distribution, namely the Bernoulli distribution. The worst-case version of the problem is called the nearest codeword problem, NCP for short, and we consider the promise version of NCP, where the noise vector is guaranteed to have an exact amount of Hamming weight. We are particularly interested in worst-case to average-case reductions between these two versions of the problem.

We mention some known attacks on the two forms of the decoding problem. For standard LPN, where the noise rate is constant (that is, independent of the dimension), the best known attack is BKW, which has slightly sub-exponential time complexity. Promise NCP is known to be NP-hard in the high-noise regime. When the noise rate is sub-constant, the best known attacks on NCP and LPN have complexity roughly 2 to the power of the product of the noise rate and the dimension n. In other words, in the low-noise regime we do not know any algorithm that solves LPN better than NCP.

Let's take a look at the reduction from NCP to LPN. Suppose we have an NCP instance, and for convenience suppose it is in transposed form, where s transpose and x transpose denote row vectors. We know from previous work how to transform the NCP instance into a single LPN sample. That is, we sample a random r from a sparse distribution over strings of length m with roughly Hamming weight d, and we also sample a uniformly random row vector y. Then we multiply the noisy codeword with the sparse vector r, so that hopefully Cr is uniformly random and x·r is the biased noise bit, as in LPN. Finally, the original NCP message s has no entropy at all, so it needs to be XORed with the random mask y. We can do this many times to get as many LPN samples as needed.
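To make the transformation concrete, here is a minimal numpy sketch of the mapping just described. The dimensions, variable names, and the particular way of sampling r are my own choices for illustration, not taken from the paper; the sketch only records the algebra of the reduction.

```python
import numpy as np

def ncp_to_lpn_samples(G, noisy_codeword, d, num_samples, rng=None):
    """Sketch: turn one NCP instance into many LPN samples over GF(2).

    G              : n x m generator matrix (rows generate the code)
    noisy_codeword : length-m row vector  s @ G + x (mod 2), with |x| = w
    d              : target Hamming weight of the sparse vector r
    """
    rng = rng or np.random.default_rng()
    n, m = G.shape
    # One uniform mask y re-randomizes the worst-case secret s:
    # the effective LPN secret becomes s + y, which is uniform.
    y = rng.integers(0, 2, size=n)
    samples = []
    for _ in range(num_samples):
        # Sparse r as the XOR of d random unit vectors (one of the
        # candidate sparse distributions discussed next).
        r = np.zeros(m, dtype=int)
        for _ in range(d):
            r[rng.integers(m)] ^= 1
        a = (G @ r) % 2                       # LPN vector a = G r (the "Cr" above)
        b = (noisy_codeword @ r + y @ a) % 2  # label (s + y)·a + x·r
        samples.append((a, b))
    return samples
```

The noise bit of each sample is x·r, and controlling how close it is to uniform is exactly what the smoothing lemma is about.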
At Eurocrypt 2019, Brakerski, Lyubashevsky, Vaikuntanathan, and Wichs (BLVW) gave a smoothing lemma showing that this kind of approach actually works, as long as the underlying binary linear code is a balanced code and r is sampled from a special sparse distribution. They prove this through the Fourier transform over the binary field. In this paper we offer an alternative proof using Vazirani's XOR lemma.

I would like to elaborate a bit more on the sparse distribution that r is sampled from. This is a distribution over strings of length m and weight roughly d. As shown in the reduction, x·r becomes the noise of the LPN sample, where x is the m-bit error vector of fixed Hamming weight w, and this results in a biased bit that is roughly 2^{-wd/m}-close to uniform. There are a few candidates for this sparse distribution. Quite naturally, we can sample r uniformly from all strings of length m and Hamming weight d. Alternatively, we can take d random strings, each of Hamming weight exactly 1, and take their XOR sum. Another option is to sample r from the m-fold Bernoulli distribution of rate d/m, so that the expected Hamming weight of r is d.

Now let us take a closer look at BLVW quantitatively. First we look at their smoothing lemma for balanced codes. There is a lower bound on the NCP noise rate due to the known attacks. There is also a Gilbert-Varshamov-type bound on beta to guarantee that the balanced code actually exists. Finally, the problem can be seen as extracting n random bits from the source r in the presence of noise, so there is a lower bound on the sparsity of the distribution. The end result of BLVW is the following: assuming quasi-polynomial worst-case hardness for NCP on extremely low-noise balanced codes, we get quasi-polynomial hardness for LPN in the high-noise regime, where the noise is inverse-polynomially close to uniform. So this is more or less a feasibility result, and there remains space for further improvement. As we can see, the range of lambda is quite limited: it needs to be at least super-constant, otherwise there are polynomial-time attacks on NCP, and at the same time lambda is upper bounded by O(log n), because any larger lambda would make the LPN noise negligibly close to uniform and the result less meaningful.

Now we introduce our work on how to get a tighter smoothing lemma and better results for LPN. We start with a probabilistic analysis and give a non-constructive form of the smoothing lemma. That is, at least a certain fraction of codes are such that, for any error vector x of weight w and for r drawn from the sparse distribution, Cr is statistically close to uniform even given the noise bit x·r. The proof follows three steps. First, for a uniformly random C, the inequality holds by the leftover hash lemma. Then, by a Markov inequality, for every error vector x there is a bounded fraction of codes that fail the randomness extraction. Finally, taking into account that there are (m choose w) different possibilities for the error vector x, we sum up the fractions of bad codes by a union bound.

However, if the end goal is to prove hardness for standard LPN, whose noise rate is constant, then recalling the entropy requirement, the fraction of bad codes exceeds 1, which is useless. Put differently, it seems impossible to get a worst-case to average-case reduction for standard LPN unless tighter techniques are employed.
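The following schematic (my own notation; the exact constants and parameter settings are in the paper and in BLVW) spells out the three steps above and why the final union bound is too lossy for constant-noise LPN, with ε denoting the extraction error:

```latex
% Step 1 (leftover hash lemma): for uniformly random C and any fixed x of weight w,
\[
  \mathbb{E}_{C}\!\left[\operatorname{SD}\bigl((Cr,\,x\cdot r),\ (U_n,\,x\cdot r)\bigr)\right]
    \le \varepsilon
  \quad\text{provided}\quad
  H_{\infty}(r) \gtrsim n + 2\log(1/\varepsilon).
\]
% Step 2 (Markov's inequality): for each fixed x, only a bounded fraction of codes is bad:
\[
  \Pr_{C}\!\left[\operatorname{SD}\bigl((Cr,\,x\cdot r),\ (U_n,\,x\cdot r)\bigr) > \sqrt{\varepsilon}\right]
    \le \sqrt{\varepsilon}.
\]
% Step 3 (union bound over all weight-w error vectors):
\[
  \Pr_{C}\!\left[\exists\,x,\ |x| = w,\ \text{extraction fails}\right]
    \le \binom{m}{w}\sqrt{\varepsilon}.
\]
% For constant-noise LPN, the entropy of r cannot afford an eps small enough to beat
% the binomial factor, so the bound exceeds 1 and becomes vacuous.
```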
In particular, we must avoid the union bound, or any other inequality that incurs a huge security loss. Here we have an important observation about the smoothing lemma, which is key to obtaining a tighter result. It is easy to prove the unconditional case, that Cr is statistically close to uniform, but proving the conditional case, that Cr is close to uniform given the leakage x·r, is much less efficient: one has to take into account all possible values of the error vector, which leads to a much worse bound. What we prove is the following: if r is drawn from a coordinate-wise sparse distribution, namely the Bernoulli distribution, then the statistical distance in the conditional case can be bounded by that of the unconditional case, at a reasonable cost, and this bound is almost tight with respect to the sparse distribution that r is sampled from. Therefore, this reduces the problem to bounding the statistical distance between Cr and the uniform distribution for the specific code in consideration, such as the balanced codes and the independent codes we consider in this paper. We omit the proofs, which are not trivial but not so surprising.

Now we state our main result: assuming the NCP problem is hard in the worst case, the LPN problem is hard for certain parameter choices. First, we get a result similar to BLVW by setting the parameters to appropriate values; in this case our result looks asymptotically the same as BLVW. If we compare more quantitatively, then as tabulated, for most values of m our result on the right-hand side is slightly worse. But when m increases to polynomials of higher order, our result, in terms of the LPN noise rate, becomes much better and keeps improving. In contrast, the result of BLVW ceases to improve for m equal to n cubed and beyond. This is because in their smoothing lemma the bound consists of two terms: once the second term is sufficiently small, the first term becomes dominant, so the bound does not improve no matter how large m is. An advantage of our result is that we can actually trade a larger m for a better noise rate.

More importantly, we obtain a result that was not known before. For instance, by setting the noise rate of the NCP to n^{-c} and assuming it has almost optimal hardness, namely that it nearly matches the known attacks up to a constant in the exponent, we get the desired result: sub-exponential hardness for standard LPN. The proof is quite straightforward, by setting the values of the parameters accordingly. Note that the success probability here consists of two terms, which is why we need to consider two cases for different ranges of the value of c.

We tried to find some applications of our result beyond what is proven, which was not very successful, but it is worth mentioning. For example, we wonder whether collision-resistant hash functions and public-key encryption can be constructed from the worst-case hardness of the decoding problem. As said, we prove sub-exponential hardness of standard LPN, and we also know from previous work that standard LPN with sufficiently sub-exponential hardness implies public-key encryption and collision-resistant hash functions. Unfortunately, the hardness of the LPN we prove is not as strong as what is needed for PKE and CRH, up to a little-omega factor, as highlighted on the slide.
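As a side note on the coordinate-wise Bernoulli choice for r in the key observation above: the bias of the resulting LPN noise bit x·r follows from the standard piling-up lemma. This back-of-the-envelope calculation is my own addition, matching the rough 2^{-Θ(wd/m)} closeness quoted earlier:

```latex
\[
  \Pr\bigl[\langle x, r\rangle = 0\bigr]
    = \tfrac{1}{2} + \tfrac{1}{2}\,(1 - 2d/m)^{w}
  \qquad \text{for } r \sim \mathrm{Ber}(d/m)^{m},\ |x| = w,
\]
\[
  \text{so the bias of the noise bit is } (1 - 2d/m)^{w} \approx e^{-2wd/m},
  \text{ which is constant whenever } wd = \Theta(m).
\]
```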
Another piece of wishful thinking is whether we can have a sub-exponential algorithm that solves NCP with constant error rate, which would be a counterpart to BKW for solving standard LPN. We know from Lyubashevsky's BKW variant that LPN can be solved with polynomially many samples when the noise is moderately close to uniform. A corollary of our result is that if there exists an algorithm that solves LPN whose noise is inverse-polynomially close to uniform, then there is an algorithm that solves NCP with constant error rate. Unfortunately, these two results cannot be connected, again due to a small gap: in the former, delta lies in the open interval between 0 and 1, while in our corollary delta has to be 1.

Next we present another cute result, about reducing LWE to large-field LPN. In general, there are two ways to generalize LPN to a large modulus p. If we use the generalized Bernoulli distribution for the noise, namely e is either 0 or uniformly distributed over GF(p), then we get the so-called large-field LPN. Alternatively, if we use a discrete Gaussian for the noise, the problem is called LWE. We show that LWE implies large-field LPN over the same prime modulus in the high-noise regime. The proof is very simple: we transform every LWE sample into an LPN sample by sampling a random mask m and multiplying m into the LWE sample (a short code sketch of this step is appended at the end of the transcript). As we can see, m·a is the product of a scalar and a vector, which is always uniformly random. For any nonzero e, m·e is uniformly distributed over GF(p) excluding 0, and otherwise m·e is 0; this means that m·e follows the generalized Bernoulli distribution over GF(p). Therefore the sample after the transform is exactly a large-field LPN sample over GF(p). QED.

Finally, a short summary of this work. We present two worst-case to average-case reductions for different types of LPN. First, large-field LPN is reducible from LWE with the same modulus, and thus from worst-case lattice problems such as GapSVP. Second, we generalize the reduction of BLVW from promise NCP to LPN; the underlying NCP problem we consider covers not only balanced codes but also independent codes. In addition to what is proved in BLVW, we also show that, under a nearly optimal hardness assumption on low-noise NCP, we obtain the desired end result, namely sub-exponential hardness for standard LPN. There remain a few open questions, such as: how can we base the hardness of LPN on promise NCP for any code with a non-trivial amount of minimum Hamming distance? How can we construct public-key encryption and collision-resistant hash functions from worst-case decoding problems? And can we find more efficient and useful relations between LWE and LPN? That concludes my talk. Thank you for your attention.
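Appended sketch: a minimal numpy illustration of the LWE-to-large-field-LPN step described above, under my own naming conventions; the mask m is a uniformly random nonzero scalar, exactly as in the argument.

```python
import numpy as np

def lwe_to_large_field_lpn(a, b, p, rng=None):
    """Sketch: map one LWE sample (a, b = <a, s> + e mod p)
    to a large-field LPN sample over GF(p)."""
    rng = rng or np.random.default_rng()
    m = int(rng.integers(1, p))       # uniform nonzero mask in GF(p)
    # m*a stays uniform; m*e is 0 when e = 0 and uniform nonzero otherwise,
    # i.e. m*e follows the generalized Bernoulli distribution over GF(p).
    return (m * a) % p, (m * b) % p   # new sample: (m*a, <m*a, s> + m*e)
```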