Collision Resistant Hashing from Learning Parity with Noise

The Learning Parity with Noise (LPN) problem has recently found many cryptographic applications such as authentication protocols, pseudorandom generators/functions and even asymmetric tasks including public-key encryption (PKE) schemes and oblivious transfer (OT) protocols. It however remains a long-standing open problem whether LPN implies collision resistant hash (CRH) functions. Based on the recent work of Applebaum et al. (ITCS 2017), we introduce a general framework for constructing CRH from LPN for various parameter choices. We show that, just to mention a few notable ones, under any of the following hardness assumptions (for the two most common variants of LPN) 1. constant-noise LPN is 2 0.5+ε -hard for any constant ε > 0; 2. constant-noise LPN is 2 -hard given q = poly(n) samples; 3. low-noise LPN (of noise rate 1/ √ n) is 2 √ n/ -hard given q = poly(n) samples. there exists CRH functions with constant (or even poly-logarithmic) shrinkage, which can be implemented using polynomial-size depth-3 circuits with NOT, (unbounded fan-in) AND and XOR gates. Our technical route LPN→bSVP→CRH is reminiscent of the known reductions for the large-modulus analogue, i.e., LWE→SIS→CRH, where the binary Shortest Vector Problem (bSVP) was recently introduced by Applebaum et al. (ITCS 2017) that enables CRH in a similar manner to Ajtai’s CRH functions based on the Short Integer Solution (SIS) problem. Furthermore, under certain additional (arguably minimal) idealized assumptions, such as small-domain random functions or that a block cipher (keyed by a public random string) behaves like a random permutation, we obtain more efficient and polynomially shrinking CRH functions from 2 0.5+ε -hard constant-noise LPN or 2 0.25+ε -hard low-noise LPN. In particular, the construction of hash functions follows a conceptually simple approach: it divides its input into many equal-length blocks, evaluates random functions (or blockciphers) on them independently and in parallel, and then produces their XOR sum as output.