
On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

Published 8 Jan 2024 in cs.CR, cs.CC, and quant-ph | (2401.03703v1)

Abstract: Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the "learning from parity with error" problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size $\tilde{O}(n^2)$ and encrypting a message increases its size by a factor of $\tilde{O}(n)$ (in previous cryptosystems these values are $\tilde{O}(n^4)$ and $\tilde{O}(n^2)$, respectively). In fact, under the assumption that all parties share a random bit string of length $\tilde{O}(n^2)$, the size of the public key can be reduced to $\tilde{O}(n)$.


Summary

  • The paper shows a reduction from worst-case lattice problems (SVP/SIVP) to the Learning with Errors problem, bridging theoretical and practical cryptography.
  • It presents a public-key cryptosystem with reduced key sizes and message expansion, based on the quantum hardness of lattice problems.
  • The work reveals an equivalence between LWE and decoding random linear codes, highlighting key implications for cryptanalysis and post-quantum security.

An Essay on "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography"

The paper "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography" by Oded Regev explores the relationship between fundamental lattice problems, learning problems with errors, and cryptographic constructs. The paper presents key theoretical advances that draw significant connections between these domains, and it introduces practical cryptographic schemes based on these theoretical underpinnings.

Main Contributions

  1. Reduction from Lattice Problems to Learning Problems: The core contribution of the paper is a reduction from worst-case lattice problems, namely the decision shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP), to the Learning with Errors (LWE) problem. LWE is a natural extension of the Learning from Parity with Error (LPN) problem to higher moduli. Because the reduction is quantum, an efficient algorithm for LWE at the parameters the reduction covers would yield a quantum algorithm for GapSVP and SIVP.
  2. Public-Key Cryptosystem Based on LWE: The paper proposes a public-key cryptosystem whose security is provably based on the hardness of LWE, and by reduction, on the worst-case quantum hardness of SVP and SIVP. This cryptosystem demonstrates enhanced efficiency compared to previous lattice-based schemes, exhibiting a reduction in both public key size and message expansion factor.
  3. Implications for Random Linear Codes: The paper stresses that LWE can be viewed as the problem of decoding a random linear code over $\mathbb{Z}_p$ from a noisy codeword. The worst-case hardness result for LWE therefore also gives evidence that decoding random linear codes is inherently hard.

Strong Numerical Results and Claims

  • The cryptosystem proposed by Regev achieves a public key size of $\tilde{O}(n^2)$ and an encryption expansion factor of $\tilde{O}(n)$, which is significantly better than the $\tilde{O}(n^4)$ and $\tilde{O}(n^2)$ respective factors achieved by prior lattice-based cryptosystems.
  • For the specified parameters, such as $\alpha = 1/(\sqrt{n}\log^2 n)$ and $p = O(n^2)$, the probability of a decryption error is shown to be negligible, so the cryptosystem is both correct and secure.
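To make the cryptosystem from Main Contributions item 2 concrete, here is an added toy implementation of its key generation, bit encryption (random subset sum of the public LWE samples plus $\lfloor p/2 \rfloor$ for a 1) and rounding-based decryption. This is illustration code written for this page, not the paper's own; the parameters `N, P, M, B` are constructed and far too small for security, and noise bounded in `[-B, B]` replaces the paper's discretised Gaussian so that `M*B < P/4` makes decryption correct for every subset rather than with high probability.

```python
import random

# Toy parameters (constructed for illustration, not secure): N = secret dimension,
# P = modulus (the paper takes p between n^2 and 2n^2), M = number of LWE samples
# in the public key, B = noise bound.  M*B < P/4 guarantees the accumulated noise
# of any subset sum stays inside the decoding radius.
N, P, M, B = 32, 1031, 128, 2
assert M * B < P // 4

def keygen(rng):
    """Secret s in Z_p^n; public key is M LWE samples (a_i, <a_i, s> + e_i mod p)."""
    s = [rng.randrange(P) for _ in range(N)]
    pk = []
    for _ in range(M):
        a = [rng.randrange(P) for _ in range(N)]
        e = rng.randint(-B, B)                      # bounded noise (assumption)
        b = (sum(ai * si for ai, si in zip(a, s)) + e) % P
        pk.append((a, b))
    return s, pk

def encrypt(pk, bit, rng):
    """Sum a uniformly random subset of the samples; encode the bit as 0 or floor(p/2)."""
    a_sum, b_sum = [0] * N, 0
    for a, b in pk:
        if rng.random() < 0.5:
            a_sum = [(x + y) % P for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % P
    return a_sum, (b_sum + bit * (P // 2)) % P

def decode(d):
    """Map d in Z_p to 0 if it is closer to 0 than to floor(p/2), else to 1."""
    dist0 = min(d, P - d)
    dist1 = abs(d - P // 2)
    return 0 if dist0 < dist1 else 1

def decrypt(s, ct):
    """b - <a, s> mod p equals (subset noise) + bit*floor(p/2); round it off."""
    a, b = ct
    d = (b - sum(ai * si for ai, si in zip(a, s))) % P
    return decode(d)

def roundtrip(bits, seed=0):
    """Encrypt and decrypt a list of bits under a fresh key; returns the decrypted bits."""
    rng = random.Random(seed)
    s, pk = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in bits]
```

The `decode` threshold sits at roughly $p/4$: noise up to `M*B` decodes to the intended bit, and larger noise, as with the paper's Gaussian tail, produces a decryption error.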

Quantum and Classical Reductions

A remarkable aspect of the work is the quantum nature of the reduction: the reduction from GapSVP and SIVP to LWE is a quantum algorithm. This raises the question of whether it can be made classical; a classical reduction would strengthen the foundational assumptions behind the cryptosystem. As it stands, the cryptosystem's security rests on GapSVP and SIVP being hard even for quantum algorithms, so a quantum algorithm for these lattice problems would undermine the presumed hardness on which it relies.

Implications and Future Directions

Regev's research reveals profound implications for cryptography, particularly in constructing efficient, secure cryptographic systems that rely on hard lattice problems. The equivalence drawn between LWE and problems in coding theory further opens avenues for cross-pollination of techniques and insights between these fields.

Practically, the instantiated cryptosystem provides a promising direction for developing post-quantum cryptographic schemes that resist attacks even once quantum computers are available.

Theoretically, this paper suggests several future directions:

  • Investigating whether the quantum reduction from SVP and SIVP to LWE can be rendered classical.
  • Exploring tighter bounds and reductions between other learning problems and lattice problems, potentially uncovering more efficient cryptographic primitives.
  • Understanding the full implications of LWE's hardness on random linear codes, which may influence both cryptanalysis and the development of robust cryptographic protocols.

Conclusion

The paper "On Lattices, Learning with Errors, Random Linear Codes, and Cryptography" lays a comprehensive foundation for the interplay between worst-case lattice problems and average-case LWE problems. Oded Regev's contributions extend from theoretical reductions to practical cryptographic applications, setting a significant milestone in the field of cryptographic research and offering a robust framework for future exploration in both quantum and classical settings.
