# Classical hardness of learning with errors

@inproceedings{Brakerski2013ClassicalHO, title={Classical hardness of learning with errors}, author={Zvika Brakerski and Adeline Langlois and Chris Peikert and Oded Regev and Damien Stehl{\'e}}, booktitle={STOC '13}, year={2013} }

We show that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems. Previously this was only known under quantum reductions.
Our techniques capture the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem. The proof is inspired by techniques from several recent cryptographic constructions, most notably fully homomorphic encryption schemes.

## Figures from this paper

## 566 Citations

Hardness of SIS and LWE with Small Parameters

- Computer Science, MathematicsCRYPTO
- 2013

The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in lattice-based cryptography, and are provably as hard as approximate lattice…

On the Hardness of Learning With Errors with Binary Secrets

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2018

It is proved that the binary-secret LWE distribution is pseudorandom, under standard worst-case complexity assumptions on lattice problems.

Pseudorandomness of ring-LWE for any ring and modulus

- Mathematics, Computer ScienceSTOC
- 2017

This work gives a polynomial-time quantum reduction from worst-case (ideal) lattice problems directly to decision (Ring-)LWE, and is the first that works for decision Ring-LWE with any number field and any modulus.

Cryptography based on the Hardness of Decoding

- Computer Science, Mathematics
- 2014

This thesis provides progress in the fields of for lattice and coding based cryptography by constructing constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption.

On the concrete hardness of Learning with Errors

- Computer Science, MathematicsJ. Math. Cryptol.
- 2015

This work collects and presents hardness results for concrete instances of LWE, and gives concrete estimates for various families of Lwe instances, and highlights gaps in the knowledge about algorithms for solving the LWE problem.

An Improved Compression Technique for Signatures Based on Learning with Errors

- Computer Science, MathematicsCT-RSA
- 2014

Signatures are shorter than any previous proposal for provably-secure signatures based on standard lattice problems: at the 128-bit level they improve signature size from (more than) 16500 bits to around 9000 to 12000 bits.

An Experimental Study of the BDD Approach for the Search LWE Problem

- Computer Science, MathematicsACNS
- 2017

This manuscript reports the implementation of the Bounded Distance Decoding (BDD) approach for solving the search LWE problem and implements a parallel version of the pruned enumeration method ofThe BDD strategy proposed by Liu and Nguyen.

Learning with Errors in the Exponent

- Computer Science, MathematicsICISC
- 2014

This work introduces a new class of intractability problems, called Learning with Errors in the Exponent (LWEE), and gives a tight reduction from Learning with errors in LWE and the Representation Problem in finite groups, two seemingly unrelated problem, to LWEE.

Towards Classical Hardness of Module-LWE: The Linear Rank Case

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2020

We prove that the module learning with errors (M-LWE) problem with arbitrary polynomial-sized modulus p is classically at least as hard as standard worst-case lattice problems, as long as the module…

Worst-Case Hardness for LPN and Cryptographic Hashing via Code Smoothing

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2018

This work presents a worst case decoding problem whose hardness reduces to that of solving the Learning Parity with Noise (LPN) problem, in some parameter regime, and notes that LPN with noise already implies symmetric cryptography.

## References

SHOWING 1-10 OF 57 REFERENCES

On Ideal Lattices and Learning with Errors over Rings

- Computer Science, MathematicsJACM
- 2013

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.

On lattices, learning with errors, random linear codes, and cryptography

- Computer ScienceSTOC '05
- 2005

A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a <i>quantum</i>, which can be made classical.

Robustness of the Learning with Errors Assumption

- Computer Science, MathematicsICS
- 2010

The main result is that the hardness of the learning with error (LWE) problem implies its hardness with leaky secrets, and it is shown that the standard LWE assumption implies that LWE is secure even if the secret is taken from an arbitrary distribution with sufficient entropy, and even in the presence of hard-to-invert auxiliary inputs.

Public-key cryptosystems from the worst-case shortest vector problem: extended abstract

- Computer Science, MathematicsSTOC '09
- 2009

The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.

A public-key cryptosystem with worst-case/average-case equivalence

- Mathematics, Computer ScienceSTOC '97
- 1997

We present a probabilistic public key cryptosystem which is secure unless the worst case of the following lattice problem can be solved in polynomial time: “Find the shortest nonzero vector in an n…

Better Key Sizes (and Attacks) for LWE-Based Encryption

- Computer Science, MathematicsCT-RSA
- 2011

A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.

Efficient Lattice (H)IBE in the Standard Model

- Computer Science, MathematicsEUROCRYPT
- 2010

This work constructs an efficient identity based encryption system based on the standard learning with errors (LWE) problem and extends this basic technique to an adaptively-secure IBE and a Hierarchical IBE.

New lattice-based cryptographic constructions

- Mathematics, Computer ScienceJACM
- 2004

A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.

Trapdoors for hard lattices and new cryptographic constructions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2007

A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.

Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems

- Computer Science, MathematicsCRYPTO
- 2009

Public-key and symmetric-key cryptosystems that provide security for key-dependent messages and enjoy circular security and a pseudorandom generator that can be computed by a circuit of n ·polylog(n) size are constructed.