Classical hardness of learning with errors

  title={Classical hardness of learning with errors},
  author={Zvika Brakerski and Adeline Langlois and Chris Peikert and Oded Regev and Damien Stehl{\'e}},
  booktitle={STOC '13},
We show that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems. Previously this was only known under quantum reductions. Our techniques capture the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem. The proof is inspired by techniques from several recent cryptographic constructions, most notably fully homomorphic encryption schemes. 

Figures from this paper

Hardness of SIS and LWE with Small Parameters
The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in lattice-based cryptography, and are provably as hard as approximate lattice
On the Hardness of Learning With Errors with Binary Secrets
It is proved that the binary-secret LWE distribution is pseudorandom, under standard worst-case complexity assumptions on lattice problems.
Cryptography based on the Hardness of Decoding
This thesis provides progress in the fields of for lattice and coding based cryptography by constructing constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption.
Pseudorandomness of ring-LWE for any ring and modulus
This work gives a polynomial-time quantum reduction from worst-case (ideal) lattice problems directly to decision (Ring-)LWE, and is the first that works for decision Ring-LWE with any number field and any modulus.
On the concrete hardness of Learning with Errors
This work collects and presents hardness results for concrete instances of LWE, and gives concrete estimates for various families of Lwe instances, and highlights gaps in the knowledge about algorithms for solving the LWE problem.
An Improved Compression Technique for Signatures Based on Learning with Errors
Signatures are shorter than any previous proposal for provably-secure signatures based on standard lattice problems: at the 128-bit level they improve signature size from (more than) 16500 bits to around 9000 to 12000 bits.
An Experimental Study of the BDD Approach for the Search LWE Problem
This manuscript reports the implementation of the Bounded Distance Decoding (BDD) approach for solving the search LWE problem and implements a parallel version of the pruned enumeration method ofThe BDD strategy proposed by Liu and Nguyen.
Learning with Errors in the Exponent
This work introduces a new class of intractability problems, called Learning with Errors in the Exponent (LWEE), and gives a tight reduction from Learning with errors in LWE and the Representation Problem in finite groups, two seemingly unrelated problem, to LWEE.
Towards Classical Hardness of Module-LWE: The Linear Rank Case
We prove that the module learning with errors (M-LWE) problem with arbitrary polynomial-sized modulus p is classically at least as hard as standard worst-case lattice problems, as long as the module
Worst-Case Hardness for LPN and Cryptographic Hashing via Code Smoothing
This work presents a worst case decoding problem whose hardness reduces to that of solving the Learning Parity with Noise (LPN) problem, in some parameter regime, and notes that LPN with noise already implies symmetric cryptography.


On Ideal Lattices and Learning with Errors over Rings
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.
On lattices, learning with errors, random linear codes, and cryptography
A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a <i>quantum</i>, which can be made classical.
Robustness of the Learning with Errors Assumption
The main result is that the hardness of the learning with error (LWE) problem implies its hardness with leaky secrets, and it is shown that the standard LWE assumption implies that LWE is secure even if the secret is taken from an arbitrary distribution with sufficient entropy, and even in the presence of hard-to-invert auxiliary inputs.
Public-key cryptosystems from the worst-case shortest vector problem: extended abstract
The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.
A public-key cryptosystem with worst-case/average-case equivalence
We present a probabilistic public key cryptosystem which is secure unless the worst case of the following lattice problem can be solved in polynomial time: “Find the shortest nonzero vector in an n
Better Key Sizes (and Attacks) for LWE-Based Encryption
A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.
Efficient Lattice (H)IBE in the Standard Model
This work constructs an efficient identity based encryption system based on the standard learning with errors (LWE) problem and extends this basic technique to an adaptively-secure IBE and a Hierarchical IBE.
New lattice-based cryptographic constructions
  • O. Regev
  • Mathematics, Computer Science
  • 2004
A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.
Trapdoors for hard lattices and new cryptographic constructions
A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.
Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
Public-key and symmetric-key cryptosystems that provide security for key-dependent messages and enjoy circular security and a pseudorandom generator that can be computed by a circuit of n ·polylog(n) size are constructed.