ABSTRACT
We show that the Learning with Errors (LWE) problem is classically at least as hard as standard worst-case lattice problems. Previously this was only known under quantum reductions.
Our techniques capture the tradeoff between the dimension and the modulus of LWE instances, leading to a much better understanding of the landscape of the problem. The proof is inspired by techniques from several recent cryptographic constructions, most notably fully homomorphic encryption schemes.