On lattices, learning with errors, random linear codes, and cryptography

@inproceedings{Regev2005OnLL,
  title={On lattices, learning with errors, random linear codes, and cryptography},
  author={Oded Regev},
  booktitle={STOC '05},
  year={2005}
}
  • O. Regev
  • Published in STOC '05 22 May 2005
  • Computer Science
Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum…

On lattices, learning with errors, random linear codes, and cryptography
  • O. Regev
  • Computer Science, Mathematics
    JACM
  • 2009
TLDR
A reduction, which is quantum, from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem, and a (classical) public-key cryptosystem whose security is based on the hardness of that learning problem.
Learning with Errors Decoding
TLDR
The authors provide the asymptotic analysis of the Lindner-Peikert NearestPlanes algorithm, which turned out to be slightly sub-exponential in the lattice dimension m, and provide the complexity estimates for concrete LWE instances, which agree with the theoretical results.
On the Hardness of Learning Parity with Noise over Rings
TLDR
The ring variant of LPN (Ring-LPN) is introduced that enjoys a compact structure and gives rise to significantly more efficient cryptographic schemes, unlike its large-modulus analogue Ring-LWE.
On the Hardness of the Computational Ring-LWR Problem and its Applications
TLDR
This work suggests that decisional R-LWR based schemes, such as Saber, Round2 and Lizard, which are among the most efficient solutions to the NIST post-quantum cryptography competition, stem from a provably secure design.
The Learning Parity with Noise Problem
TLDR
The lower bounds for solving the LPN problem are examined and, further, how to construct, by using proper parameters, a fully-homomorphic encryption scheme based on LPN.
On Ideal Lattices and Learning with Errors over Rings
TLDR
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones; this work introduces an algebraic variant of LWE called ring-LWE and proves that it too enjoys very strong hardness guarantees.
On the Security of Lattice-Based Cryptography Against Lattice Reduction and Hybrid Attacks
TLDR
A theoretical and experimental validation of a success condition for BKZ when solving the uSVP which can be used to determine the minimal required block size, and a quantum version of the hybrid attack which replaces the classical meet-in-the-middle search by a quantum search.
Towards efficient lattice-based cryptography
TLDR
A novel zero-knowledge identification scheme is proposed that beats all competing post-quantum schemes, even those based on other paradigms, and helps to tighten the efficiency gap between lattice encryption schemes that are provably secure and the acclaimed ad-hoc encryption scheme NTRU.
On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography
TLDR
This work provides a worst-case to average-case reduction for search-LIP and distinguish-LIP within an isomorphism class, by extending techniques of Haviv and Regev (SODA 2014), and provides a zero-knowledge proof of knowledge (ZKPoK) of an isomorphism that implies an identification scheme based on search-LIP.
Public-key cryptosystems from the worst-case shortest vector problem: extended abstract
TLDR
The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.

References

SHOWING 1-10 OF 33 REFERENCES
New lattice-based cryptographic constructions
  • O. Regev
  • Mathematics, Computer Science
    JACM
  • 2004
TLDR
A new public key cryptosystem whose security guarantee is considerably stronger than previous results is provided, and a family of collision resistant hash functions with an improved security guarantee in terms of the unique shortest vector problem is proposed.
Cryptographic Hardness Results for Learning Intersections of Halfspaces
TLDR
The first representation-independent hardness results for PAC learning intersections of halfspaces are given, derived from two public-key cryptosystems due to Regev, which are based on the worst-case hardness of well-studied lattice problems.
More on Average Case vs Approximation Complexity
  • M. Alekhnovich
  • Computer Science, Mathematics
    44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings.
  • 2003
TLDR
Several plausible conjectures about the average case hardness of this problem for some natural distributions on the instances are made, and relate them to several interesting questions in the theory of approximation algorithms and in cryptography.
Noise-tolerant learning, the parity problem, and the statistical query model
TLDR
The algorithm runs in polynomial time for the case of parity functions that depend on only the first O(log n log log n) bits of input, which provides the first known instance of an efficient noise-tolerant algorithm for a concept class that is not learnable in the Statistical Query model of Kearns [1998].
Multi-bit Cryptosystems Based on Lattice Problems
TLDR
It is shown that the multi-bit versions of several single-bit cryptosystems based on lattice problems encrypt O(log n)-bit plaintexts into ciphertexts of the same length as the original ones with reasonable sacrifices of the hardness of the underlying lattice problems.
Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor
TLDR
A rigorous self-contained proof of results along the lines of Ajtai's seminal work is presented, and it is shown how this reduction implies the existence of collision resistant cryptographic hash functions based on the worst-case inapproximability of the shortest vector problem within the same factors.
Cryptographic Primitives Based on Hard Learning Problems
TLDR
This paper shows how to construct several cryptographic primitives based on certain assumptions on the difficulty of learning by developing further a line of thought introduced by Impagliazzo and Levin.
Worst-case to average-case reductions based on Gaussian measures
TLDR
It is shown that solving modular linear equation on the average is at least as hard as approximating several lattice problems in the worst case within a factor almost linear in the rank of the lattice, and it is proved that the distribution that one obtains after adding Gaussian noise to the lattices has the following interesting property.
On Lovász’ lattice reduction and the nearest lattice point problem
  • L. Babai
  • Mathematics, Computer Science
    Comb.
  • 1986
Answering a question of Vera Sós, we show how Lovász’ lattice reduction can be used to find a point of a given lattice, nearest within a factor of c^d (c = const.) to a given point in R^d. We prove that
Improved cryptographic hash functions with worst-case/average-case connection
TLDR
A new family of collision resistant hash functions whose security is based on the worst case hardness of approximating the covering radius of a lattice within a factor O(n), where π is a value between 1 and √ that depends on the solution of the closest vector problem in certain "almost perfect" lattices.