Hint-LPN Assumption in Cryptography

• Hint-LPN is a computational hardness assumption that generalizes the standard LPN by incorporating correlated hint noise, crucial for modeling adversarial leakage.
• It is defined through parameters including a prime q, secret dimension k, sample dimension n, and distinct noise rates, enabling a formal reduction from standard LPN.
• Its application in KAHE-based secure aggregation demonstrates its role in ensuring post-quantum security and tight reductions even under adversarial collusion.

The Hint-LPN assumption is a code-based computational hardness assumption generalizing the well-known Learning Parity with Noise (LPN) assumption, introduced to model adversarial indistinguishability in cryptographic constructions where additional “hint” information is correlated with the LPN noise. It formalizes the infeasibility of distinguishing samples containing both standard LPN structure and a noisy “hint,” and is central to the security analysis of code-based homomorphic encryption schemes for secure aggregation. The equivalence of Hint-LPN and standard LPN for suitable parameters plays a critical role in post-quantum secure aggregation, enabling tight reductions and facilitating security proofs even under extensive adversarial leakage of secret keys (Bitzer et al., 19 Jan 2026).

1. Formal Definition and Parameterization

The Hint-LPN assumption is parameterized by a prime $q$, secret dimension $k$, sample dimension $n$, LPN noise rate $p_e\in(0,1)$, and hint noise rate $p_f\in(0,1)$. The product noise distribution, Bern$(p)^n$ on $\mathbb{F}_q^n$, is defined by flipping each coordinate to a uniformly random nonzero element of $\mathbb{F}_q\setminus\{0\}$ with probability $p$; otherwise, the output is $0$. The challenge samples in the Hint-LPN problem are described as follows:

$$\text{HintLPN}^{k,n,p_e}_{p_f} := \left\{ (A, b, h)\in \mathbb{F}_q^{k\times n} \times \mathbb{F}_q^n \times \mathbb{F}_q^n \mid \begin{array}{l} A \leftarrow_R \mathbb{F}_q^{k \times n}, \ s \leftarrow_R \mathbb{F}_q^k,\ e \leftarrow_R \mathrm{Bern}(p_e)^n,\ f \leftarrow_R \mathrm{Bern}(p_f)^n,\ b = s\cdot A + e,\ h = e + f \end{array} \right\}$$

The Hint-LPN assumption posits that no efficient adversary (PPT) can distinguish samples of $\text{HintLPN}^{k,n,p_e}_{p_f}$ from samples $(A, u, h)$, where $u\leftarrow_R \mathbb{F}_q^n$ is uniformly random and $h \leftarrow_R \mathrm{Bern}(p_f)^n$, except with negligible advantage [(Bitzer et al., 19 Jan 2026), Def. 7].

2. Equivalence to Standard LPN: Reductions and Statistical Analysis

The equivalence between Hint-LPN and standard LPN is established through carefully constructed reductions, exploiting noise parameter manipulation. For $p<1/q$, define

$T := \frac{(q-1)^2(1-p)^2 + (q-1)p^2}{q}$

The statistical preimage lemma (Lemma 2) shows there exists a distribution $D_h$ on $\mathbb{F}_q$ (explicitly determined by $p$, $T$) such that the joint distribution $(e'+t, h)$ for $e' \leftarrow_R \mathrm{Bern}(T)^n$, $h\leftarrow_R \mathrm{Bern}(p)^n$, $t\leftarrow_R D_h^n$ matches exactly the joint distribution $(e, e+f)$ for $e, f \leftarrow_R \mathrm{Bern}(p)^n$.

Theorem 3 (LPN $\Rightarrow$ Hint-LPN) formalizes the reduction: for $p<1/q$ and $T$ as above, an efficient algorithm can map LPN samples $(A, b)$ (where $b = sA + e, e\leftarrow_R \mathrm{Bern}(T)^n$) or uniform samples $(A, u)$ to triples $(A, b', h)$ such that

• In the LPN case: $(A, b', h) \sim \text{HintLPN}^{k,n,p}_{p}$
• In the uniform case: $b'$ uniform in $\mathbb{F}_q^n$

Thus, distinguishing Hint-LPN samples is at least as hard as distinguishing standard LPN for the derived parameter $T$ [(Bitzer et al., 19 Jan 2026), Lemma 2, Thm. 3].

3. Application in KAHE-Based Secure Aggregation

The key-and-message additive homomorphic encryption (KAHE) is central to the protocol for secure aggregation. In KAHE, encryption is defined as:

$$\text{Encrypt}(m;s) = sA + e + \mathsf{C}.\text{enc}(m)$$

where security under leakage of all but one secret key $s_j$ is analyzed. The proof leverages a hybrid argument to transition real ciphertexts $s_jA+e_j$ to random $b_j$ supplemented with a correlated hint, matching the Hint-LPN distribution. By the established reduction, this variant is as hard as LPN distinguishing, allowing for semantic security proofs under leakage [(Bitzer et al., 19 Jan 2026), Sec. IV, Def. 5, 6].

4. Collusion, Noise Amplification, and Tightness of Reduction

Security of the aggregation scheme under user collusion is tightly characterized. When up to $z$ users collude, the "effective" LPN noise increases, with explicit formula:

$$T' = \frac{p\cdot p'}{(q-1)^2(1-p)(1-p') + (q-1)p\cdot p'}$$

where $p' = 1-(1-p)^{N-z-1}$ for $N$ users. Notably, for $z = N-2$, $p' = p$ and $T' = T$, giving a tight reduction: security under $z = N-2$ collusion is provably as hard as standard LPN$_{k,n,T}$. For smaller $z$, the effective noise $T'$ always increases, further strengthening the reduction for modest collusion [(Bitzer et al., 19 Jan 2026), Thm. 2].

5. Role in Post-Quantum Cryptographic Protocols

The Hint-LPN assumption is motivated by the need for post-quantum secure aggregation protocols that avoid lattice-based hardness, relying instead on code-based complexity. Its formulation enables the practical instantiation of secure aggregation algorithms with committee-based decryption and CRT-based communication optimizations. The tight parameter reduction to LPN ensures that code-based homomorphic encryption schemes can robustly withstand adversarial leakage and collusion, preserving semantic security under concrete choices of $(q,p,n)$ as inherited from LPN hardness (Bitzer et al., 19 Jan 2026).

6. Implications and Generalizations

The equivalence to standard LPN for suitable noise parameters suggests that protocols analyzed under Hint-LPN inherit the well-established post-quantum security guarantees of code-based LPN constructions. A plausible implication is that similar "hint" generalizations may support security proofs in other cryptographic primitives, for scenarios involving partial exposure or correlated noise. The Hint-LPN approach formalizes adversarial uncertainty in the presence of auxiliary hints, offering avenues for finely quantified reductions and analysis in future post-quantum cryptography research (Bitzer et al., 19 Jan 2026).