research-article

Classical hardness of learning with errors

Authors:
Zvika Brakerski

Stanford University, Stanford, USA

Stanford University, Stanford, USA
View Profile

,
Adeline Langlois

LIP, ENS Lyon, Lyon, France

LIP, ENS Lyon, Lyon, France
View Profile

,
Chris Peikert

Georgia Institute of Technology, Atlanta, USA

Georgia Institute of Technology, Atlanta, USA
View Profile

,
Oded Regev

Courant Institute, New York University, New York, USA

Courant Institute, New York University, New York, USA
View Profile

,
Damien Stehlé

LIP, ENS Lyon, Lyon, France

LIP, ENS Lyon, Lyon, France
View Profile

STOC '13: Proceedings of the forty-fifth annual ACM symposium on Theory of ComputingJune 2013Pages 575–584https://doi.org/10.1145/2488608.2488680

Published:01 June 2013Publication History

STOC '13: Proceedings of the forty-fifth annual ACM symposium on Theory of Computing

Pages 575–584

ABSTRACT

We show that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems. Previously this was only known under quantum reductions.

Our techniques capture the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem. The proof is inspired by techniques from several recent cryptographic constructions, most notably fully homomorphic encryption schemes.

References

S. Agrawal, D. Boneh, and X. Boyen. Efficient lattice (H)IBE in the standard model. In EUROCRYPT, pages 553--572, 2010. Google ScholarDigital Library
S. Agrawal, D. Boneh, and X. Boyen. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In CRYPTO, pages 98--115, 2010. Google ScholarDigital Library
M. Ajtai. Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1--32. Dept. Math., Seconda Univ. Napoli, Caserta, 2004. Preliminary version in STOC 1996. Google ScholarDigital Library
M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In STOC, pages 284--293, 1997. Google ScholarDigital Library
A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous hardcore bits and cryptography against memory attacks. In TCC, pages 474--495, 2009. Google ScholarDigital Library
D. Aldous and P. Diaconis. Strong uniform times and finite random walks. Adv. in Appl. Math., 8(1):69--97, 1987. Google ScholarDigital Library
J. Alperin-Sheriff and C. Peikert. Circular and KDM security for identity-based encryption. In Public Key Cryptography, pages 334--352, 2012. Google ScholarDigital Library
B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In CRYPTO, pages 595--618, 2009. Google ScholarDigital Library
W. Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen, 296(4):625--635, 1993.Google ScholarCross Ref
D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In N. Koblitz, editor, CRYPTO, volume 1109 of Lecture Notes in Computer Science, pages 129--142. Springer, 1996. Google ScholarDigital Library
X. Boyen. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. In Public Key Cryptography, pages 499--517, 2010. Google ScholarDigital Library
Z. Brakerski. Fully homomorphic encryption without modulus switching from classical GapSVP. In CRYPTO, pages 868--886, 2012.Google ScholarDigital Library
Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In ITCS, pages 309--325, 2012. Google ScholarDigital Library
Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In FOCS, pages 97--106, 2011. Google ScholarDigital Library
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert. Bonsai trees, or how to delegate a lattice basis. In EUROCRYPT, pages 523--552, 2010. Google ScholarDigital Library
C. Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169--178, 2009. Google ScholarDigital Library
C. Gentry, S. Halevi, C. Peikert, and N. P. Smart. Ring switching in BGV-style homomorphic encryption. In SCN, pages 19--37, 2012. Google ScholarDigital Library
C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197--206, 2008. Google ScholarDigital Library
O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing from lattice problems. Electronic Colloquium on Computational Complexity (ECCC), 3(42), 1996.Google Scholar
S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan. Robustness of the learning with errors assumption. In ICS, pages 230--240, 2010.Google Scholar
J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364--1396, 1999. Google ScholarDigital Library
A. Kawachi, K. Tanaka, and K. Xagawa. Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In ASIACRYPT, pages 372--389, 2008. Google ScholarDigital Library
S. Khot. Inapproximability results for computational problems on lattices. In P. Nguyen and B. Vallée, editors, The LLL Algorithm: Survey and Applications. Springer-Verlag, New York, 2010.Google Scholar
A. R. Klivans and A. A. Sherstov. Cryptographic hardness for learning intersections of halfspaces. In FOCS, pages 553--562, 2006. Google ScholarDigital Library
G. Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM J. Comput., 35(1):170--188, 2005. Google ScholarDigital Library
R. Lindner and C. Peikert. Better key sizes (and attacks) for LWE-based encryption. In CT-RSA, pages 319--339, 2011. Google ScholarDigital Library
V. Lyubashevsky. Lattice-based identification schemes secure under active attacks. In Public Key Cryptography, pages 162--179, 2008. Google ScholarDigital Library
V. Lyubashevsky. Lattice signatures without trapdoors. In EUROCRYPT, pages 738--755, 2012. Google ScholarDigital Library
V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are collision resistant. In ICALP (2), pages 144--155, 2006. Google ScholarDigital Library
V. Lyubashevsky and D. Micciancio. On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In CRYPTO, pages 577--594, 2009. Google ScholarDigital Library
V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In EUROCRYPT, pages 1--23, 2010. Google ScholarDigital Library
D. Micciancio and P. Mol. Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. In CRYPTO, pages 465--484, 2011. Google ScholarDigital Library
D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT, pages 700--718, 2012. Google ScholarDigital Library
D. Micciancio and O. Regev. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput., 37(1):267--302, 2007. Preliminary version in FOCS 2004. Google ScholarDigital Library
D. Micciancio and S. P. Vadhan. Statistical zero-knowledge proofs with efficient provers: Lattice problems and more. In CRYPTO, pages 282--298, 2003.Google ScholarCross Ref
A. O'Neill, C. Peikert, and B. Waters. Bi-deniable public-key encryption. In CRYPTO, pages 525--542, 2011. Google ScholarDigital Library
C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In STOC, pages 333--342, 2009. Google ScholarDigital Library
C. Peikert. An efficient and parallel Gaussian sampler for lattices. In CRYPTO, pages 80--97, 2010. Google ScholarDigital Library
C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In TCC, pages 145--166, 2006. Google ScholarDigital Library
C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious transfer. In CRYPTO, pages 554--571, 2008. Google ScholarDigital Library
C. Peikert and B. Waters. Lossy trapdoor functions and their applications. In STOC, pages 187--196, 2008. Google ScholarDigital Library
O. Regev. New lattice-based cryptographic constructions. J. ACM, 51(6):899--942, 2004. Preliminary version in STOC 2003. Google ScholarDigital Library
O. Regev. Quantum computation and lattice problems. SIAM J. Comput., 33(3):738--760, 2004. Preliminary version in FOCS 2002. Google ScholarDigital Library
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):1--40, 2009. Preliminary version in STOC 2005. Google ScholarDigital Library
O. Regev. The learning with errors problem. In Proc. of 25th IEEE Annual Conference on Computational Complexity (CCC), pages 191--204, 2010. Google ScholarDigital Library
O. Regev. On the complexity of lattice problems with polynomial approximation factors. In P. Nguyen and B. Vallée, editors, The LLL Algorithm: Survey and Applications. Springer-Verlag, New York, 2010.Google Scholar

Index Terms

Classical hardness of learning with errors
1. Theory of computation
  1. Randomness, geometry and discrete structures

Recommendations

(Leveled) Fully Homomorphic Encryption without Bootstrapping
Special issue on innovations in theoretical computer science 2012 - Part II

We present a novel approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled, fully homomorphic ...
Read More
Attribute-Based Encryption for Circuits

In an attribute-based encryption (ABE) scheme, a ciphertext is associated with an ℓ-bit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows decrypting the ciphertext and learning m if and ...
Read More
Revocable attribute-based encryption from standard lattices
Abstract
Attribute-based encryption (ABE) is an attractive extension of public key encryption, which provides fine-grained and role-based access to encrypted data. In its key-policy flavor, the secret key is associated with an access policy and ...
Highlights
- Our scheme is based on the learning with errors (LWE) problem, which is believed to be quantum-resistant.
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
STOC '13: Proceedings of the forty-fifth annual ACM symposium on Theory of Computing
June 2013
998 pages
ISBN:9781450320290
DOI:10.1145/2488608
General Chairs:
Dan Boneh
Stanford University, USA
,
Tim Roughgarden
Stanford University, USA
,
Program Chair:
Joan Feigenbaum
Yale University, USA
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 June 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
lattices
learning with errors
Qualifiers
- research-article
Conference

Acceptance Rates
STOC '13 Paper Acceptance Rate100of360submissions,28%Overall Acceptance Rate1,469of4,586submissions,32%
More
Upcoming Conference
STOC '24

Sponsor:

sigact

56th Annual ACM Symposium on Theory of Computing (STOC 2024)

June 24 - 28, 2024

Vancouver , BC , Canada
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 394
  Total Citations
  View Citations
- 1,271
  Total Downloads
- Downloads (Last 12 months)162
- Downloads (Last 6 weeks)20
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Classical hardness of learning with errors

STOC '13: Proceedings of the forty-fifth annual ACM symposium on Theory of Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

(Leveled) Fully Homomorphic Encryption without Bootstrapping

Attribute-Based Encryption for Circuits

Revocable attribute-based encryption from standard lattices