Paper 2024/1931

On White-Box Learning and Public-Key Encryption

Abstract

We consider a generalization of the Learning With Error problem, referred to as the white-box learning problem: You are given the code of a sampler that with high probability produces samples of the form $$ where is small, and $$ is computable in polynomial-size, and the computational task consist of outputting a polynomial-size circuit $$ that with probability, say, $$ over a new sample $$? according to the same distributions, approximates $$ (i.e., $$ is small). This problem can be thought of as a generalizing of the Learning with Error Problem (LWE) from linear functions $$ to polynomial-size computable functions. We demonstrate that worst-case hardness of the white-box learning problem, conditioned on the instances satisfying a notion of computational shallowness (a concept from the study of Kolmogorov complexity) not only suffices to get public-key encryption, but is also necessary; as such, this yields the first problem whose worst-case hardness characterizes the existence of public-key encryption. Additionally, our results highlights to what extent LWE “overshoots” the task of public-key encryption. We complement these results by noting that worst-case hardness of the same problem, but restricting the learner to only get black-box access to the sampler, characterizes one-way functions.