Cryptography based on the Hardness of Decoding

Public key cryptography is like magic. It allows two people who have never met before to communicate privately over any public channel. Since its conception in the 1970s, public key cryptography has become indispensable for the modern day connected world. Public key cryptography is essential for the https protocol, ecommerce, online auctions, online elections and many more. Computational hardness makes public key cryptography work. However, there is only a handful of hardness assumptions known which suffice for the construction of public key cryptosystems. Early public key cryptosystems like RSA and ElGamal are based on numbertheoretic problems, such as the factoring problem and discrete logarithm problem. By their nature, these problems are highly structured. While it is the structure of these problems that enables the construction of public key cryptosystems in the first place, this structure also gives rise to highly non-trivial attacks. As a consequence, all public key cryptosystems based on number-theoretic assumptions can be efficiently broken by quantum computers and there are very few candidates that resist subexponential-time classical attacks. This fact raised concerns about the hardness of these problems. As a promising alternative to number-theoretic hardness assumptions, coding and lattice-based hardness-assumptions have emerged. Most prominent among these are the learning parity with noise (LPN) and the learning with errors (LWE) problem. Such problems appear naturally in coding-theory and have resisted more than 50 years of algorithmic/cryptanalytic efforts, both classically and quantumly. This thesis provides progress for both LPNand LWE-based cryptography. As main contribution of this thesis, we provide two constructions of adaptively secure public key cryptosystems. Adaptive chosen-ciphertext (IND-CCA2) security is the gold-standard of security definitions for public key cryptography. IND-CCA2 secure cryptosystems must withstand attacks by an adversary having access to a decryption-oracle that decrypts every ciphertext except for a special challengeciphertext, for which the adversary is tasked with guessing its corresponding plaintext. Our first proposal is based on the McEliece assumption and the LPN problem. The second one is based solely based on the hardness of a low noise LPN problem. This construction was the first of its kind and answered a problem that has been open for 9 years. The second contribution of this thesis regards the LWE problem. The most important feature of the LWE problem is its worst-case hardness guarantee. Simply put, this means that almost all instances of the problem are as hard as the hardest instance of the problem. Such a feature is highly desirable in cryptography, as it guarantees that a cryptosystem based on this problem has essentially no weak keys or weak ciphertexts. This worst case guarantee however is established using