CPA/CCA2-secure PKE with squared-exponential DFR from low-noise LPN
Theoretical Computer Science (IF 1.1), Pub Date: 2021-06-17, DOI: 10.1016/j.tcs.2021.06.025
Shengfeng Xu, Xiangxue Li, Haifeng Qian, Kefei Chen

The LPN (learning parity with noise) problem is a good candidate for post-quantum cryptography, offering simplicity and suitability for low-power devices. Döttling et al. (ASIACRYPT 2012) initiated the first secure public key encryption (PKE) under the low-noise LPN assumption. Kiltz et al. (PKC 2014) proposed a simpler and more efficient scheme from the same assumption using a double-trapdoor technique. Both schemes are subject to a decoding failure rate (DFR) of $2^{-\Theta(k)}$ ($k$ is the security parameter), and there exists CPA/CCA2-secure PKE with squared-exponential DFR $2^{-\Theta(k^2)}$ from constant-noise LPN (Yu and Zhang, CRYPTO 2016). In this work, we give a positive answer with squared-exponential DFR in the low-noise setting.

More precisely, we first introduce a variant (VxLPN) of the low-noise Exact LPN (xLPN, proposed by Jain et al. at ASIACRYPT 2012 and used as a building block in commitments and zero-knowledge proofs), where the coefficient matrix $A$ follows the uniform distribution over $\{0,1\}^{q\times n}$ ($n=\Theta(k^2)$, $q=\Theta(n)$), the secret $x$ is sampled from $\mathcal{B}_\mu^n$ ($\mathcal{B}_\mu$ is the Bernoulli distribution with noise rate $\mu=\Theta(1/\sqrt{q})$), and the noise $e$ follows a column vector distribution uniform over $\{z\in\{0,1\}^q : |z|=q\mu\}$. A series of reductions shows that VxLPN is at least as hard as the standard LPN for the same noise rate $\mu$. We then construct from VxLPN CPA/CCA2-secure PKE schemes with squared-exponential DFR $2^{-\Theta(k^2)}$, which outwardly share a common structure with the Kiltz et al. and Yu-Zhang schemes. The secret key(s) in our schemes are simply sampled from the Bernoulli distribution; by comparison, the secret key(s) in the Yu-Zhang schemes must be chosen from a tailored version of the Bernoulli distribution (along with the coefficient matrix $A$ in the public key, which follows a distribution $D_\lambda^{n\times n}=U_{n\times\lambda}\cdot U_{\lambda\times n}$ induced by multiplying two random matrices, $\lambda=\Theta(\log^2 n)$) in order to guarantee the correctness of their schemes. At the 128-bit security level, our CCA2-secure scheme has only 117.79 MB public keys, 67.31 MB secret keys and 10.15 KB ciphertexts, and is thus more efficient than the schemes of Döttling et al. and Kiltz et al. ((14.53 GB, 14.48 GB, 14.06 KB) and (161.78 MB, 92.45 MB, 13.60 KB) respectively).
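
As an added illustration (not code from the paper or its authors), the sketch below samples the VxLPN distribution described in the abstract at toy sizes and contrasts its exact-weight noise with ordinary Bernoulli noise. The parameter values, the function names and the use of Python's non-cryptographic `random` generator are assumptions made for the demonstration.

```python
import random

def matvec_gf2(A, x):
    """A*x over GF(2); A is a list of rows, x a list of bits."""
    return [sum(a & s for a, s in zip(row, x)) & 1 for row in A]

def bernoulli_vec(length, mu, rng):
    """Each bit is 1 independently with probability mu (weight varies)."""
    return [1 if rng.random() < mu else 0 for _ in range(length)]

def exact_weight_vec(length, weight, rng):
    """Uniform over length-bit vectors of Hamming weight exactly `weight`."""
    v = [0] * length
    for i in rng.sample(range(length), weight):
        v[i] = 1
    return v

def sample_vxlpn(n, q, mu, rng):
    """One VxLPN instance (A, b = A*x + e) together with the secret x."""
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(q)]  # uniform q x n
    x = bernoulli_vec(n, mu, rng)                # secret from Bernoulli^n
    e = exact_weight_vec(q, round(q * mu), rng)  # noise with |e| = q*mu
    b = [ax ^ ei for ax, ei in zip(matvec_gf2(A, x), e)]
    return A, b, x

def residual_weight(A, b, x):
    """Hamming weight of b - A*x, which the holder of x can compute."""
    return sum(ax ^ bi for ax, bi in zip(matvec_gf2(A, x), b))

def weight_spread(q, mu, trials, rng, exact):
    """Set of distinct noise weights observed over `trials` samples."""
    w = round(q * mu)
    return {sum(exact_weight_vec(q, w, rng) if exact else bernoulli_vec(q, mu, rng))
            for _ in range(trials)}

if __name__ == "__main__":
    rng = random.Random(2021)   # fixed seed; not a cryptographic generator
    N, Q, MU = 32, 64, 0.125    # constructed toy sizes, not the paper's parameters
    A, b, x = sample_vxlpn(N, Q, MU, rng)
    print("residual weight:", residual_weight(A, b, x))
    print("exact-weight noise weights:", sorted(weight_spread(Q, MU, 200, rng, True)))
    print("Bernoulli noise weights:   ", sorted(weight_spread(Q, MU, 200, rng, False)))
```

With exact-weight noise the residual always has the same Hamming weight, whereas Bernoulli noise of the same rate produces a spread of weights.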




Updated: 2021-06-17