Cryptology ePrint Archive: Report 2012/230

On Ideal Lattices and Learning with Errors Over Rings

Vadim Lyubashevsky and Chris Peikert and Oded Regev

Abstract: The ``learning with errors'' (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives).

We resolve this question in the affirmative by introducing an algebraic variant of LWE called \emph{ring-LWE}, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE.

Category / Keywords: foundations / lattices, LWE, rings, algebraic number theory

Publication Info: Full version of paper appearing in Eurocrypt 2010

Date: received 24 Apr 2012, last revised 25 Jun 2013

Contact author: cpeikert at cc gatech edu

Available format(s): PDF | BibTeX Citation

Version: 20130626:004336 (All versions of this report)

Short URL: ia.cr/2012/230

Discussion forum: Show discussion | Start new discussion