On Lattices, Learning with Errors, Random Linear Codes, and Cryptography

TL;DR

This work establishes a quantum reduction from worst-case lattice problems to the Learning with Errors (LWE) problem for higher moduli, connecting LWE to decoding random linear codes and implying hardness under quantum assumptions. It uses an iterative, Fourier-analytic approach with discrete Gaussian sampling and a quantum CVP-based subroutine to build samples from a lattice's discrete Gaussian distribution, thereby solving short-vector related problems. The authors also construct a classical public-key cryptosystem whose security follows from LWE and, by extension, from the worst-case quantum hardness of GapSVP and SIVP, achieving improved efficiency over prior lattice-based schemes. The paper leaves open the possibility of dequantizing the reduction and extending hardness to smaller moduli, while subsequent work has both refined the cryptosystem and extended LWE-based protocols across secure computation and cryptographic primitives.

Abstract

Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the `learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size $\tilde{O}(n^2)$ and encrypting a message increases its size by a factor of $\tilde{O}(n)$ (in previous cryptosystems these values are $\tilde{O}(n^4)$ and $\tilde{O}(n^2)$, respectively). In fact, under the assumption that all parties share a random bit string of length $\tilde{O}(n^2)$, the size of the public key can be reduced to $\tilde{O}(n)$.

Figures (5)

• Figure 1: $\bar{\Psi}_\alpha$ for $p=127$ with $\alpha=0.05$ (left) and $\alpha=0.1$ (right). The elements of ${\mathbb{Z}}_p$ are arranged on a circle.
• Figure 2: $D_{L,2}$ (left) and $D_{L,1}$ (right) for a two-dimensional lattice $L$. The $z$-axis represents probability.
• Figure 3: Two iterations of the algorithm
• Figure 4: $f_{1/r}$ for a two-dimensional lattice
• Figure 5: The Fourier transform of $D_{L+L\mathbf{a}/p, r/p}$ with $n=2$, $p=2$, $\mathbf{a}=(0,0)$ (left), $\mathbf{a}=(1,1)$ (right).

Theorems & Definitions (43)

• Theorem 1.1: Informal
• Claim 2.1
• Claim 2.2
• Lemma 2.3: Banaszczyk, Theorem 2.1
• Lemma 2.4: Banaszczyk, Lemma 1.4(i)
• Lemma 2.5: Banaszczyk, Lemma 1.5(i)
• Definition 2.6
• Definition 2.7
• Definition 2.8
• Definition 2.9