### Abstract

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical. Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n^{2}) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n^{4}) and Õ(n^{2}), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n^{2}), the size of the public key can be reduced to Õ(n).

Original language | English (US) |
---|---|

Title of host publication | Proceedings of the Annual ACM Symposium on Theory of Computing |

Pages | 84-93 |

Number of pages | 10 |

DOIs | |

State | Published - 2005 |

Event | 13th Color Imaging Conference: Color Science, Systems, Technologies, and Applications - Scottsdale, AZ, United States Duration: Nov 7 2005 → Nov 11 2005 |

### Other

Other | 13th Color Imaging Conference: Color Science, Systems, Technologies, and Applications |
---|---|

Country | United States |

City | Scottsdale, AZ |

Period | 11/7/05 → 11/11/05 |

### Fingerprint

### Keywords

- Computational learning theory
- Cryptography
- Lattices
- Public key encryption
- Quantum computing
- Statistical queries

### ASJC Scopus subject areas

- Computer Vision and Pattern Recognition

### Cite this

*Proceedings of the Annual ACM Symposium on Theory of Computing*(pp. 84-93) https://doi.org/10.1145/1060590.1060603

**On lattices, learning with errors, random linear codes, and cryptography.** / Regev, Oded.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

*Proceedings of the Annual ACM Symposium on Theory of Computing.*pp. 84-93, 13th Color Imaging Conference: Color Science, Systems, Technologies, and Applications, Scottsdale, AZ, United States, 11/7/05. https://doi.org/10.1145/1060590.1060603

}

TY - GEN

T1 - On lattices, learning with errors, random linear codes, and cryptography

AU - Regev, Oded

PY - 2005

Y1 - 2005

N2 - Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical. Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n2) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n4) and Õ(n2), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n2), the size of the public key can be reduced to Õ(n).

AB - Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical. Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n2) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n4) and Õ(n2), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n2), the size of the public key can be reduced to Õ(n).

KW - Computational learning theory

KW - Cryptography

KW - Lattices

KW - Public key encryption

KW - Quantum computing

KW - Statistical queries

UR - http://www.scopus.com/inward/record.url?scp=33745571012&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33745571012&partnerID=8YFLogxK

U2 - 10.1145/1060590.1060603

DO - 10.1145/1060590.1060603

M3 - Conference contribution

AN - SCOPUS:33745571012

SP - 84

EP - 93

BT - Proceedings of the Annual ACM Symposium on Theory of Computing

ER -