On lattices, learning with errors, random linear codes, and cryptography

Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a *quantum* algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical.

Using the main result, we obtain a public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public-key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size Õ(n²) and encrypting a message increases its size by Õ(n) (in previous cryptosystems these values are Õ(n⁴) and Õ(n²), respectively). In fact, under the assumption that all parties share a random bit string of length Õ(n²), the size of the public key can be reduced to Õ(n).
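The bit-encryption scheme the abstract describes (public key = m LWE samples (a_i, ⟨a_i, s⟩ + e_i mod q); encrypt by summing a random subset of samples and adding ⌊q/2⌋ to encode a 1; decrypt by checking whether v − ⟨u, s⟩ is closer to 0 or to q/2) as an added Python example, not code from the paper. The parameters n = 8, m = 40, q = 257 and the error distribution {−1, 0, 1} are toy assumptions chosen so that m < q/4 makes decryption correct; they give no security.

```python
import random


def keygen(n, m, q, rng):
    """Secret s in Z_q^n; public key is m LWE samples (a_i, b_i = <a_i, s> + e_i mod q).
    Errors are drawn from {-1, 0, 1}: a toy error distribution assumed by this example."""
    s = [rng.randrange(q) for _ in range(n)]
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]
    b = [(sum(a * x for a, x in zip(row, s)) + err) % q for row, err in zip(A, e)]
    return s, (A, b)


def encrypt(pk, bit, q, rng):
    """Sum a random subset of the public samples; add floor(q/2) to the b-part to encode a 1.
    The ciphertext (u, v) has n + 1 entries, so the message expands by O(n) elements of Z_q."""
    A, b = pk
    subset = [i for i in range(len(A)) if rng.random() < 0.5]
    n = len(A[0])
    u = [sum(A[i][j] for i in subset) % q for j in range(n)]
    v = (sum(b[i] for i in subset) + bit * (q // 2)) % q
    return u, v


def decrypt(s, ct, q):
    """v - <u, s> equals the sum of the chosen errors (+ q/2 when bit = 1);
    decide by whether that residue is closer to 0 or to q/2."""
    u, v = ct
    d = (v - sum(a * x for a, x in zip(u, s))) % q
    return 1 if min(d, q - d) > q // 4 else 0


def roundtrip(n=8, m=40, q=257, seed=1, trials=20):
    """Encrypt and decrypt both bits `trials` times; True iff every bit decrypts correctly.
    With |e_i| <= 1 the summed error is at most m, so m < q/4 guarantees correctness."""
    assert m < q // 4, "toy parameters must satisfy m < q/4 for error-free decryption"
    rng = random.Random(seed)
    s, pk = keygen(n, m, q, rng)
    return all(decrypt(s, encrypt(pk, bit, q, rng), q) == bit
               for bit in (0, 1) for _ in range(trials))


if __name__ == "__main__":
    print("all bits recovered:", roundtrip())
```

With these parameters the public key holds m·(n+1) = 360 elements of Z_q, illustrating the Õ(n²) key size the abstract states for m on the order of n log q.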
