Semidoc    About    Archive

Learning with Errors- based Cryptography

Hi! The current blog post has been written by Timo Zijlstra, who is doing an internship at the IRIF, and gave a talk at the seminar a few weeks ago.


Cryptographic primitives such as encryption and signature schemes rely on computationally hard problems. A good scheme is constructed in such a way that any method that breaks the scheme automatically yields an algorithm that solves the underlying hard problem. The RSA encryption scheme, for example, relies on the fact that there is no known algorithm that efficiently factorizes large integers. If someone would be able to break RSA, then this would imply a method to factorize large integers. This would be a major breakthrough in mathematics, since the factorization problem has been intensively studied. Therefore, it is safe to assume that RSA cannot be broken. Most of implemented cryptography relies on the hardness of the factorization problem (RSA) or the discrete logarithm problem (Elliptic Curve Cryptography). However, Shor’s quantum algorithm can be applied to both of these problems, making the cryptosystems unsafe against quantum adversaries.

This is the reason why we need to find mathematical problems that are computationally hard even for quantum computers. The best candidates for use in post-quantum cryptography are lattice problems such as the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). There is currently no known (quantum) algorithm that solves these problems efficiently.

One lattice problem that is particularly adaptable for cryptographic applications is the Learning With Errors (LWE) problem. It consists of solving a system of approximate linear equations over the integers modulo some prime $q$. Let be a secret vector and vectors taken from the uniformly random distribution over . Given the system of approximate equations:

where the approximation is ‘close’ in a sense that will be made clear later, the LWE-problem is to find . Note that if the approximations were equalities, then it would be easy to solve the system using Gaussian elimination. This method does not work for LWE though, because we cannot obtain a new approximation by adding an arbitrary number of multiples of approximate equations. The cumulative approximation error would grow so large that there is no information left in the ‘approximation’ obtained by summation and scalar multiplication. It is shown by Regev1, that a (quantum) algorithm that solves LWE would imply a quantum algorithm that solves several believed to be hard lattice problems, among which SVP.

More formally, the LWE-distribution is defined as follows.

Definition Let be a secret vector and an error distribution over . The LWE distribution is sampled by taking a vector and an integer and outputting the pair .

This distribution is pseudorandom: given $m$ independent samples from either (1) the uniform distribution, or (2) the LWE- distribution, we cannot determine which is the case. To distinguish between the uniform and the LWE- distribution is equally hard as solving the LWE-problem, that is, finding the secret vector $\textbf{s}$. This makes the construction of LWE-based semantically secure cryptosystems possible, such as Regev’s encryption scheme:

that is, we take a subset of the row vectors and encrypt the bit in the subset sum of the samples.


  1. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):1–40, 2009. Preliminary version in STOC 2005.