On Ideal Lattices and Learning with Errors over Rings

Published: 01 November 2013

Abstract

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives).
We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE.
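The abstract describes two objects: the ring-LWE distribution, which consists of pairs (a, a·s + e) over the ring R_q = Z_q[x]/(x^n + 1) with a uniform and e small, and the public-key cryptosystem built on it. The following Python is an added worked example written for this page, not the authors' code: it implements the ring arithmetic with schoolbook multiplication, generates ring-LWE samples, and runs the encryption scheme (key = one ring-LWE sample, ciphertext = two more samples under a fresh small secret r, with the message placed on the high bits). The parameters n = 16 and q = 7681, and the use of small uniform error coefficients in place of the paper's discrete Gaussian, are assumptions chosen so the example runs quickly and decryption provably succeeds; they carry no security.

```python
"""
Toy ring-LWE sampler and the ring-LWE public-key encryption scheme of the paper.
Added illustration for this page, not the authors' code.  Parameters are toy-sized
(assumption) and nothing here is constant-time: study material only.
Ring: R_q = Z_q[x] / (x^n + 1) with n a power of two.
"""
import random

N = 16            # ring dimension, power of two (assumption: toy size)
Q = 7681          # modulus (assumption: toy value)
ERR_BOUND = 2     # error coefficients drawn uniformly from [-2, 2]; stands in
                  # for the paper's discrete Gaussian (assumption)


def poly_add(a, b, q=Q):
    return [(x + y) % q for x, y in zip(a, b)]


def poly_sub(a, b, q=Q):
    return [(x - y) % q for x, y in zip(a, b)]


def poly_mul(a, b, n=N, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1): the term x^n wraps to -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def uniform_poly(rng, n=N, q=Q):
    """Uniformly random ring element (the 'a' of a ring-LWE sample)."""
    return [rng.randrange(q) for _ in range(n)]


def small_poly(rng, n=N, bound=ERR_BOUND, q=Q):
    """Ring element with small coefficients (secrets and errors)."""
    return [rng.randint(-bound, bound) % q for _ in range(n)]


def ring_lwe_sample(s, rng):
    """One ring-LWE sample (a, b = a*s + e) under secret s."""
    a = uniform_poly(rng)
    e = small_poly(rng)
    return a, poly_add(poly_mul(a, s), e)


def keygen(rng):
    """Public key is a single ring-LWE sample; the secret key is s."""
    s = small_poly(rng)
    a, b = ring_lwe_sample(s, rng)
    return (a, b), s


def encrypt(pk, bits, rng):
    """Encrypt N bits: (u, v) = (a*r + e1, b*r + e2 + m*floor(q/2))."""
    a, b = pk
    assert len(bits) == N
    r, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    u = poly_add(poly_mul(a, r), e1)
    m = [(bit * (Q // 2)) % Q for bit in bits]
    v = poly_add(poly_add(poly_mul(b, r), e2), m)
    return u, v


def decrypt(sk, ct):
    """v - u*s = m*floor(q/2) + (e*r - e1*s + e2); round each coefficient."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, sk))
    # With these parameters the noise term is bounded by 2*N*ERR_BOUND^2 + ERR_BOUND
    # = 130 < q/4, so a coefficient lands near 0 for bit 0 and near q/2 for bit 1.
    return [1 if Q // 4 <= c < 3 * Q // 4 else 0 for c in w]


def demo(seed=1):
    """Key generation, encryption and decryption round trip on N random bits."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    bits = [rng.randrange(2) for _ in range(N)]
    return decrypt(sk, encrypt(pk, bits, rng)) == bits


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The quadratic overhead the abstract mentions is visible in the shapes here: a plain LWE public key for the same security level would be an n×n matrix of Z_q entries, whereas the ring-LWE key is a single ring element of n coefficients, and the product a·s can be computed in quasi-linear time with an NTT instead of the schoolbook loop used above.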

Published In

Journal of the ACM, Volume 60, Issue 6
November 2013
239 pages
ISSN: 0004-5411
EISSN: 1557-735X
DOI: 10.1145/2555516

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 01 November 2013
Accepted: 01 July 2013
Revised: 01 June 2013
Received: 01 May 2012
Published in JACM Volume 60, Issue 6


Author Tags

1. Lattice
2. average-case hardness
3. cryptography
4. public key encryption
5. quantum computation

Qualifiers

• Research-article
• Research
• Refereed

Cited By

• (2024) Recovery of the secret on Binary Ring-LWE problem using random known bits - Extended Version. Journal of Internet Services and Applications 15:1, 39-45. DOI 10.5753/jisa.2024.3871. Online publication date: 29-Apr-2024.
• (2024) On the reduction of cyclic lattice in dimension two and three. STUDIES IN ENGINEERING AND EXACT SCIENCES 5:2, e12200. DOI 10.54021/seesv5n2-792. Online publication date: 16-Dec-2024.
• (2024) Blockchain and Steganography. In Enhancing Steganography Through Deep Learning Approaches, 267-292. DOI 10.4018/979-8-3693-2223-9.ch012. Online publication date: 12-Jul-2024.
• (2024) LMKCDEY Revisited: Speeding Up Blind Rotation with Signed Evaluation Keys. Mathematics 12:18, 2909. DOI 10.3390/math12182909. Online publication date: 18-Sep-2024.
• (2024) Quantum Security of a Compact Multi-Signature. Cryptography 8:4, 50. DOI 10.3390/cryptography8040050. Online publication date: 28-Oct-2024.
• (2024) FPGA-Based Acceleration of K-Nearest Neighbor Algorithm on Fully Homomorphic Encrypted Data. Cryptography 8:1, 8. DOI 10.3390/cryptography8010008. Online publication date: 27-Feb-2024.
• (2024) Assessment of Cryptographic Approaches for Quantum-Resistant Galileo OSNMA. NAVIGATION: Journal of the Institute of Navigation 71:2, navi.648. DOI 10.33012/navi.648. Online publication date: 31-May-2024.
• (2024) SQUiD: ultra-secure storage and analysis of genetic data for the advancement of precision medicine. Genome Biology 25:1. DOI 10.1186/s13059-024-03447-9. Online publication date: 18-Dec-2024.
• (2024) Pack: Towards Communication-Efficient Homomorphic Encryption in Federated Learning. Proceedings of the 2024 ACM Symposium on Cloud Computing, 470-486. DOI 10.1145/3698038.3698557. Online publication date: 20-Nov-2024.
• (2024) Single-Server Delegation of NTT with Application to Crystals-Kyber. Proceedings of the 2024 on Cloud Computing Security Workshop, 29-42. DOI 10.1145/3689938.3694777. Online publication date: 19-Nov-2024.
