Abstract
The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives).
We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE.
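The abstract describes ring-LWE samples (a, b = a·s + e) over a polynomial ring and the public-key cryptosystem built on them, and it contrasts the ring setting with the quadratic overhead of plain LWE. The following Python is an added example written for this page, not code from the paper or its authors: it implements the textbook ring-LWE encryption pattern (public key is one ring-LWE sample, ciphertext is two more) over R_q = Z_q[x]/(x^N + 1). The parameters N = 256, q = 3329, the centered-binomial noise standing in for the paper's Gaussian error, the schoolbook multiplication, and all helper names are assumptions made for the demo; none are taken from the paper, and the code is for illustration, not for production use.

```python
import secrets

# Demo parameters (assumptions for this example, not the paper's choices).
N = 256     # ring degree: R_q = Z_q[x] / (x^N + 1)
Q = 3329    # modulus
ETA = 2     # centered-binomial noise width: coefficients in [-ETA, ETA]


def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1). Because x^N = -1, any term of
    degree >= N wraps around with its sign flipped. O(N^2); an NTT would be
    quasi-linear, which is the efficiency the abstract refers to."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                res[k] = (res[k] + ai * bj) % Q
            else:
                res[k - N] = (res[k - N] - ai * bj) % Q
    return res


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def uniform_poly(rng=secrets.randbelow):
    """Uniformly random element of R_q (the 'a' of a ring-LWE sample)."""
    return [rng(Q) for _ in range(N)]


def small_poly(rng=secrets.randbelow):
    """Small secret/error polynomial: each coefficient is a centered binomial
    value in [-ETA, ETA], reduced mod Q. This stands in for the discrete
    Gaussian error the paper analyses."""
    return [(sum(rng(2) for _ in range(ETA)) - sum(rng(2) for _ in range(ETA))) % Q
            for _ in range(N)]


def keygen(rng=secrets.randbelow):
    """Public key (a, b) is exactly one ring-LWE sample b = a*s + e."""
    a = uniform_poly(rng)
    s = small_poly(rng)
    e = small_poly(rng)
    b = poly_add(poly_mul(a, s), e)
    return (a, b), s


def encrypt(pk, bits, rng=secrets.randbelow):
    """Encrypt N message bits. u = a*r + e1 and v = b*r + e2 + (q/2)*m are two
    further ring-LWE samples under the ephemeral secret r, so the ciphertext is
    pseudorandom if ring-LWE is."""
    a, b = pk
    r, e1, e2 = small_poly(rng), small_poly(rng), small_poly(rng)
    u = poly_add(poly_mul(a, r), e1)
    m = [(Q // 2) * bit for bit in bits]          # encode 0 -> 0, 1 -> ~q/2
    v = poly_add(poly_add(poly_mul(b, r), e2), m)
    return u, v


def decrypt(sk, ct):
    """v - u*s = e*r + e2 - e1*s + (q/2)*m. The first three terms are small
    (well below q/4 for these parameters), so rounding recovers m."""
    u, v = ct
    w = poly_sub(v, poly_mul(u, sk))
    return [1 if Q // 4 < c <= 3 * Q // 4 else 0 for c in w]


def public_key_elements(n, ring=True):
    """Z_q elements in a public key: ring-LWE stores one polynomial pair (2n),
    plain LWE with the same security dimension stores an n x n matrix plus a
    vector (n^2 + n). This is the 'quadratic overhead' the abstract mentions."""
    return 2 * n if ring else n * n + n


def demo():
    """Round-trip a fixed bit pattern and return (sent, recovered)."""
    pk, sk = keygen()
    bits = [(i * i) % 2 for i in range(N)]          # constructed sample message
    return bits, decrypt(sk, encrypt(pk, bits))


if __name__ == "__main__":
    sent, got = demo()
    print("decryption correct:", sent == got)
    print("public key elements, LWE vs ring-LWE at n=256:",
          public_key_elements(256, ring=False), public_key_elements(256))
```

The decryption error e·r + e2 - e1·s has standard deviation roughly sqrt(2N) ≈ 23 for these noise parameters, against a decoding threshold of q/4 ≈ 832, so the round trip succeeds; shrinking q or widening ETA narrows that margin, which is the correctness/security trade-off any parameter choice for such a scheme must balance.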
Index Terms: On Ideal Lattices and Learning with Errors over Rings