On lattices, learning with errors, random linear codes, and cryptography

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical. Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n²) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n⁴) and Õ(n²), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n²), the size of the public key can be reduced to Õ(n).

Original language: English (US)
Title of host publication: Proceedings of the Annual ACM Symposium on Theory of Computing
Pages: 84-93
Number of pages: 10
DOI: https://doi.org/10.1145/1060590.1060603
State: Published - 2005
Event: 13th Color Imaging Conference: Color Science, Systems, Technologies, and Applications - Scottsdale, AZ, United States
Duration: Nov 7 2005 to Nov 11 2005

Other

Other: 13th Color Imaging Conference: Color Science, Systems, Technologies, and Applications
Country: United States
City: Scottsdale, AZ
Period: 11/7/05 to 11/11/05

Fingerprint

Random errors
Cryptography
Hardness
Decoding

Keywords

  • Computational learning theory
  • Cryptography
  • Lattices
  • Public key encryption
  • Quantum computing
  • Statistical queries

ASJC Scopus subject areas

  • Computer Vision and Pattern Recognition

Cite this

Regev, O. (2005). On lattices, learning with errors, random linear codes, and cryptography. In Proceedings of the Annual ACM Symposium on Theory of Computing (pp. 84-93) https://doi.org/10.1145/1060590.1060603
