Classical hardness of learning with errors

@inproceedings{Brakerski2013ClassicalHO,
  title={Classical hardness of learning with errors},
  author={Zvika Brakerski and Adeline Langlois and Chris Peikert and Oded Regev and Damien Stehl{\'e}},
  booktitle={STOC '13},
  year={2013}
}
We show that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems. Previously this was only known under quantum reductions. Our techniques capture the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem. The proof is inspired by techniques from several recent cryptographic constructions, most notably fully homomorphic encryption schemes. 
View on ACM
arxiv.org
562 Citations
Highly Influential Citations
26
Background Citations
178
Methods Citations
67
Results Citations
11

Figures from this paper

562 Citations

Hardness of SIS and LWE with Small Parameters
The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in lattice-based cryptography, and are provably as hard as approximate lattice
On the Hardness of Learning With Errors with Binary Secrets
TLDR
It is proved that the binary-secret LWE distribution is pseudorandom, under standard worst-case complexity assumptions on lattice problems.
Cryptography based on the Hardness of Decoding
TLDR
This thesis provides progress in the fields of for lattice and coding based cryptography by constructing constructions of IND-CCA2 secure public key cryptosystems from both the McEliece and the low noise learning parity with noise assumption.
Pseudorandomness of ring-LWE for any ring and modulus
TLDR
This work gives a polynomial-time quantum reduction from worst-case (ideal) lattice problems directly to decision (Ring-)LWE, and is the first that works for decision Ring-LWE with any number field and any modulus.
On the concrete hardness of Learning with Errors
TLDR
This work collects and presents hardness results for concrete instances of LWE, and gives concrete estimates for various families of Lwe instances, and highlights gaps in the knowledge about algorithms for solving the LWE problem.
An Improved Compression Technique for Signatures Based on Learning with Errors
TLDR
Signatures are shorter than any previous proposal for provably-secure signatures based on standard lattice problems: at the 128-bit level they improve signature size from (more than) 16500 bits to around 9000 to 12000 bits.
An Experimental Study of the BDD Approach for the Search LWE Problem
TLDR
This manuscript reports the implementation of the Bounded Distance Decoding (BDD) approach for solving the search LWE problem and implements a parallel version of the pruned enumeration method ofThe BDD strategy proposed by Liu and Nguyen.
Learning with Errors in the Exponent
TLDR
This work introduces a new class of intractability problems, called Learning with Errors in the Exponent (LWEE), and gives a tight reduction from Learning with errors in LWE and the Representation Problem in finite groups, two seemingly unrelated problem, to LWEE.
Towards Classical Hardness of Module-LWE: The Linear Rank Case
We prove that the module learning with errors (M-LWE) problem with arbitrary polynomial-sized modulus p is classically at least as hard as standard worst-case lattice problems, as long as the module
Worst-Case Hardness for LPN and Cryptographic Hashing via Code Smoothing
TLDR
This work presents a worst case decoding problem whose hardness reduces to that of solving the Learning Parity with Noise (LPN) problem, in some parameter regime, and notes that LPN with noise already implies symmetric cryptography.
...
...

References

SHOWING 1-10 OF 57 REFERENCES
On Ideal Lattices and Learning with Errors over Rings
TLDR
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.
On lattices, learning with errors, random linear codes, and cryptography
TLDR
A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a <i>quantum</i>, which can be made classical.
Robustness of the Learning with Errors Assumption
TLDR
The main result is that the hardness of the learning with error (LWE) problem implies its hardness with leaky secrets, and it is shown that the standard LWE assumption implies that LWE is secure even if the secret is taken from an arbitrary distribution with sufficient entropy, and even in the presence of hard-to-invert auxiliary inputs.
Public-key cryptosystems from the worst-case shortest vector problem: extended abstract
TLDR
The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.
A public-key cryptosystem with worst-case/average-case equivalence
We present a probabilistic public key cryptosystem which is secure unless the worst case of the following lattice problem can be solved in polynomial time: “Find the shortest nonzero vector in an n
Better Key Sizes (and Attacks) for LWE-Based Encryption
TLDR
A new lattice attack on LWE that combines basis reduction with an enumeration algorithm admitting a time/success tradeoff performs better than the simple distinguishing attack considered in prior analyses.
Efficient Lattice (H)IBE in the Standard Model
TLDR
This work constructs an efficient identity based encryption system based on the standard learning with errors (LWE) problem and extends this basic technique to an adaptively-secure IBE and a Hierarchical IBE.
New lattice-based cryptographic constructions
  • O. Regev
  • Mathematics, Computer Science
    JACM
  • 2004
TLDR
A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.
Trapdoors for hard lattices and new cryptographic constructions
TLDR
A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.
Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems
TLDR
Public-key and symmetric-key cryptosystems that provide security for key-dependent messages and enjoy circular security and a pseudorandom generator that can be computed by a circuit of n ·polylog(n) size are constructed.
...
...