research-article

On lattices, learning with errors, random linear codes, and cryptography

Author:

Oded RegevAuthors Info & Claims

Journal of the ACM (JACM), Volume 56, Issue 6

Article No.: 34, Pages 1 - 40

https://doi.org/10.1145/1568318.1568324

Published: 08 September 2009 Publication History

Abstract

Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the “learning from parity with error” problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., nonquantum).

We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size Õ(n²) and encrypting a message increases its size by a factor of Õ(n) (in previous cryptosystems these values are Õ(n⁴) and Õ(n²), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n²), the size of the public key can be reduced to Õ(n).

References

[1]

Aharonov, D. and Regev, O. 2005. Lattice problems in NP intersect coNP. J. ACM 52, 5, 749--765. (Preliminary version in FOCS'04.)

Digital Library

[2]

Ajtai, M. 2004. Generating hard instances of lattice problems. In Complexity of Computations and Proofs. Quad. Mat., vol. 13. Dept. Math., Seconda Univ. Napoli, Caserta, 1--32. (Preliminary version in STOC 1996.)

Digital Library

[3]

Ajtai, M. 2005. Representing hard lattices with O(n log n) bits. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing (STOC). ACM, New York, 94--103.

Digital Library

[4]

Ajtai, M., and Dwork, C. 1997. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th Annual ACM Symposium on Theory of Computing (STOC). ACM, New York, 284--293.

Digital Library

[5]

Ajtai, M., Kumar, R., and Sivakumar, D. 2001. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd Annual ACM Symposium on Theory of Computing (STOC). ACM, New York, 601--610.

Digital Library

[6]

Akavia, A., Goldwasser, S., and Vaikuntanathan, V. 2009. Simultaneous hardcore bits and cryptography against memory attacks. In Proceedings of the 6th IACR Theory of Cryptography Conference (TCC). Springer-Verlag, Berlin, Germany, 474--495.

Digital Library

[7]

Alekhnovich, M. 2003. More on average case vs approximation complexity. In Proceedings of the 44th Annual IEEE Symposium on Foundations of Computer Science (FOCS). IEEE Computer Society Press, Los Alamitos, CA, 298--307.

Digital Library

[8]

Babai, L. 1986. On Lovasz' lattice reduction and the nearest lattice point problem. Combinatorica 6, 1, 1--13.

Digital Library

[9]

Banaszczyk, W. 1993. New bounds in some transference theorems in the geometry of numbers. Math. Ann. 296, 4, 625--635.

[10]

Blum, A., Furst, M., Kearns, M., and Lipton, R. J. 1994. Cryptographic primitives based on hard learning problems. In Advances in cryptology—CRYPTO '93. Lecture Notes in Computer Science, vol. 773. Springer-Verlag, Berlin, Germany, 278--291.

Digital Library

[11]

Blum, A., Kalai, A., and Wasserman, H. 2003. Noise-tolerant learning, the parity problem, and the statistical query model. J. ACM 50, 4, 506--519.

Digital Library

[12]

Cai, J.-Y., and Nerurkar, A. 1997. An improved worst-case to average-case connection for lattice problems. In Proceedings of the 38th Annual IEEE Symposium on Foundations of Computer Science (FOCS). IEEE Computer Society Press, Los Alamitos, CA, 468--477.

Digital Library

[13]

Cash, D., Peikert, C., and Sahai, A. 2009. Efficient circular-secure encryption from hard learning problems. Submitted.

[14]

Ebeling, W. 2002. Lattices and Codes, revised ed. Advanced Lectures in Mathematics. Friedr. Vieweg&Sohn, Braunschweig, Germany. (A course partially based on lectures by F. Hirzebruch.)

[15]

Feige, U. 2002. Relations between average case complexity and approximation complexity. In Proceedings of the 34th Annual ACM Symposium on Theory of Computing (STOC). ACM, New York, 534--543.

Digital Library

[16]

Gentry, C., Peikert, C., and Vaikuntanathan, V. 2008. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th ACM Symposium on Theory of Computing (STOC). ACM, New York, 197--206.

Digital Library

[17]

Goldreich, O., Micciancio, D., Safra, S., and Seifert, J.-P. 1999. Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Inf. Proc. Lett. 71, 2, 55--61.

Digital Library

[18]

Grover, L., and Rudolph, T. 2002. Creating superpositions that correspond to efficiently integrable probability distributions. In quant-ph/0208112, http://xxx.lanl.gov.

[19]

Impagliazzo, R., and Zuckerman, D. 1989. How to recycle random bits. In Proceedings of the 30th Annual IEEE Symposium on Foundations of Computer Science (FOCS). IEEE Computer Society Press, Los Alamitos, CA, 248--253.

Digital Library

[20]

Katz, J., and Lindell, Y. 2008. Introduction to modern cryptography. Chapman&Hall/CRC Cryptography and Network Security. Chapman&Hall/CRC, Boca Raton, FL.

Digital Library

[21]

Kawachi, A., Tanaka, K., and Xagawa, K. 2007. Multi-bit cryptosystems based on lattice problems. In Public Key Cryptography -- PKC 2007. Lecture Notes in Comput. Sci., vol. 4450. Springer, Berlin, 315--329.

Digital Library

[22]

Klivans, A. R., and Sherstov, A. A. 2009. Cryptographic hardness for learning intersections of halfspaces. J. Comput. System Sci. 75, 1, 2--12. (Preliminary version in FOCS'06.)

Digital Library

[23]

Kumar, R., and Sivakumar, D. 2001. On polynomial approximation to the shortest lattice vector length. In Proceedings of the 12th Annual ACM-SIAM Symposium on Discrete Algorithms. ACM, New York, 126--127.

Digital Library

[24]

Lenstra, A. K., Lenstra, Jr., H. W., and Lovász, L. 1982. Factoring polynomials with rational coefficients. Math. Ann. 261, 4, 515--534.

[25]

Liu, Y.-K., Lyubashevsky, V., and Micciancio, D. 2006. On bounded distance decoding for general lattices. In International Workshop on Randomization and Computation - Proceedings of RANDOM 2006. Lecture Notes in Computer Science, vol. 4110. Springer-Verlag, Berlin, Germany, 450--461.

Digital Library

[26]

Lyubashevsky, V., and Micciancio, D. 2009. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. Manuscript.

[27]

Micciancio, D. 2004. Almost perfect lattices, the covering radius problem, and applications to Ajtai's connection factor. SIAM Journal on Computing 34, 1, 118--169. (Preliminary version in STOC 2002.)

Digital Library

[28]

Micciancio, D., and Goldwasser, S. 2002. Complexity of Lattice Problems: A Cryptographic Perspective. The Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers, Boston, MA.

Digital Library

[29]

Micciancio, D., and Regev, O. 2007. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37, 1, 267--302.

Digital Library

[30]

Moore, C., Russell, A., and Vazirani, U. 2007. A classical one-way function to confound quantum adversaries. In quant-ph/0701115, http://xxx.lanl.gov.

[31]

Nielsen, M. A., and Chuang, I. L. 2000. Quantum Computation and Quantum Information. Cambridge University Press, Cambridge, MA.

Digital Library

[32]

Peikert, C. 2008. Limits on the hardness of lattice problems in l<sub>p</sub> norms. Comput. Complexity 17, 2, 300--351. (Preliminary version in CCC'07.)

Digital Library

[33]

Peikert, C. 2009. Public-key cryptosystems from the worst-case shortest vector problem. In Proc. 41st ACM Symp. on Theory of Computing (STOC). ACM, New York, 333--342.

Digital Library

[34]

Peikert, C., Vaikuntanathan, V., and Waters, B. 2008. A framework for efficient and composable oblivious transfer. In Advances in cryptology—CRYPTO '08. Lecture Notes in Computer Science, vol. 5157. Springer-Verlag, Berlin, Germany, 554--571.

Digital Library

[35]

Peikert, C., and Waters, B. 2008. Lossy trapdoor functions and their applications. In Proceedings of the 40th ACM Symposium on Theory of Computing (STOC). ACM, New York, 187--196.

Digital Library

[36]

Regev, O. 2004. New lattice based cryptographic constructions. J. ACM 51, 6, 899--942. (Preliminary version in STOC'03.)

Digital Library

[37]

Regev, O. 2005. On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the 37th ACM Symposium on Theory of Computing (STOC). ACM, New York, 84--93.

Digital Library

[38]

Schnorr, C.-P. 1987. A hierarchy of polynomial time lattice basis reduction algorithms. Theoret. Comput. Sci. 53, 2-3, 201--224.

Cited By

Alagic GBai CPoremba AShi K(2024)On the Two-sided Permutation Inversion ProblemIACR Communications in Cryptology10.62056/a0qj89n4eOnline publication date: 9-Apr-2024
https://doi.org/10.62056/a0qj89n4e
Pandey S(2024)Neutrosophic Analysis of Rejection Sampling in Post Quantum Cryptography (PQC)Multi-Criteria Decision Making Models and Techniques10.4018/979-8-3693-2085-3.ch003(51-66)Online publication date: 27-Sep-2024
https://doi.org/10.4018/979-8-3693-2085-3.ch003
Jain NCherukuri AKamalov F(2024)Revisiting Fully Homomorphic Encryption Schemes for Privacy-Preserving ComputingEmerging Technologies and Security in Cloud Computing10.4018/979-8-3693-2081-5.ch012(276-294)Online publication date: 14-Feb-2024
https://doi.org/10.4018/979-8-3693-2081-5.ch012
Show More Cited By

Index Terms

On lattices, learning with errors, random linear codes, and cryptography

Recommendations

New lattice-based cryptographic constructions

We introduce the use of Fourier analysis on lattices as an integral part of a lattice-based construction. The tools we develop provide an elegant description of certain Gaussian distributions around lattice points. Our results include two cryptographic ...
On lattices, learning with errors, random linear codes, and cryptography
STOC '05: Proceedings of the thirty-seventh annual ACM symposium on Theory of computing

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as ...
On Ideal Lattices and Learning with Errors over Rings

The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent ...

Comments

Information & Contributors

Information

Published In

cover image Journal of the ACM

Journal of the ACM Volume 56, Issue 6

September 2009

190 pages

ISSN:0004-5411

EISSN:1557-735X

DOI:10.1145/1568318

Issue’s Table of Contents

Copyright © 2009 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 September 2009

Accepted: 01 May 2009

Revised: 01 May 2009

Received: 01 September 2007

Published in JACM Volume 56, Issue 6

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1,309
Total Citations
View Citations
7,478
Total Downloads

Downloads (Last 12 months)1,201
Downloads (Last 6 weeks)129

Reflects downloads up to 10 Oct 2024

Other Metrics

View Author Metrics

Citations

Cited By

Alagic GBai CPoremba AShi K(2024)On the Two-sided Permutation Inversion ProblemIACR Communications in Cryptology10.62056/a0qj89n4eOnline publication date: 9-Apr-2024
https://doi.org/10.62056/a0qj89n4e
Pandey S(2024)Neutrosophic Analysis of Rejection Sampling in Post Quantum Cryptography (PQC)Multi-Criteria Decision Making Models and Techniques10.4018/979-8-3693-2085-3.ch003(51-66)Online publication date: 27-Sep-2024
https://doi.org/10.4018/979-8-3693-2085-3.ch003
Jain NCherukuri AKamalov F(2024)Revisiting Fully Homomorphic Encryption Schemes for Privacy-Preserving ComputingEmerging Technologies and Security in Cloud Computing10.4018/979-8-3693-2081-5.ch012(276-294)Online publication date: 14-Feb-2024
https://doi.org/10.4018/979-8-3693-2081-5.ch012
Sabani MSavvas IGarani G(2024)Learning with Errors: A Lattice-Based Keystone of Post-Quantum CryptographySignals10.3390/signals50200125:2(216-243)Online publication date: 13-Apr-2024
https://doi.org/10.3390/signals5020012
Aziz MTamal MMohammed N(2024)Secure Genomic String Search with Parallel Homomorphic EncryptionInformation10.3390/info1501004015:1(40)Online publication date: 11-Jan-2024
https://doi.org/10.3390/info15010040
Park HSon SPark YPark Y(2024)Provably Quantum Secure Three-Party Mutual Authentication and Key Exchange Protocol Based on Modular Learning with ErrorElectronics10.3390/electronics1319393013:19(3930)Online publication date: 4-Oct-2024
https://doi.org/10.3390/electronics13193930
Liu YYang CLiu QXu MZhang CCheng LWang W(2024)PDPHE: Personal Data Protection for Trans-Border Transmission Based on Homomorphic EncryptionElectronics10.3390/electronics1310195913:10(1959)Online publication date: 16-May-2024
https://doi.org/10.3390/electronics13101959
Chen JDeng HSu HYuan MRen Y(2024)Lattice-Based Threshold Secret Sharing Scheme and Its Applications: A SurveyElectronics10.3390/electronics1302028713:2(287)Online publication date: 8-Jan-2024
https://doi.org/10.3390/electronics13020287
Tang YGuo MHuo YZhao ZYu JQin B(2024)An MLWE-Based Cut-and-Choose Oblivious Transfer ProtocolEntropy10.3390/e2609079326:9(793)Online publication date: 16-Sep-2024
https://doi.org/10.3390/e26090793
Fitzgibbon GOttaviani C(2024)Constrained Device Performance Benchmarking with the Implementation of Post-Quantum CryptographyCryptography10.3390/cryptography80200218:2(21)Online publication date: 23-May-2024
https://doi.org/10.3390/cryptography8020021
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents