Skip to main content
Top

2025 | OriginalPaper | Chapter

Worst-Case to Average-Case Hardness of LWE: An Alternative Perspective

Authors : Aggarwal Divesh, Jin Ming Leong, Veliche Alexandra

Published in: Theory of Cryptography

Publisher: Springer Nature Switzerland

Activate our intelligent search to find suitable subject content or patents.

search-config
loading …

Abstract

In this work, we study the worst-case to average-case hardness of the Learning with Errors problem (LWE) under an alternative measure of hardness − the maximum success probability achievable by a probabilistic polynomial-time (PPT) algorithm. Previous works by Regev (STOC 2005), Peikert (STOC 2009), and Brakerski, Peikert, Langlois, Regev, Stehle (STOC 2013) give worst-case to average-case reductions from lattice problems to LWE, specifically from the approximate decision variant of the Shortest Vector Problem (GapSVP) and the Bounded Distance Decoding (BDD) problem. These reductions, however, are lossy in the sense that even the strongest assumption on the worst-case hardness of GapSVP or BDD implies only mild hardness of LWE. Our alternative perspective gives a much tighter reduction and strongly relates the hardness of LWE to that of BDD. In particular, we show that under a reasonable assumption about the success probability of solving BDD via a PPT algorithm, we obtain a nearly tight lower bound on the highest possible success probability for solving LWE via a PPT algorithm. Furthermore, we show a tight relationship between the best achievable success probability by any PPT algorithm for decision-LWE to that of search-LWE. Our results not only refine our understanding of the computational complexity of LWE, but also provide a useful framework for analyzing the practical security implications.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Literature
[ABGSD21]
go back to reference Aggarwal, D., Bennett, H., Golovnev, A., Stephens-Davidowitz, N.: Fine-grained hardness of CVP(P) – Everything that we can prove (and nothing else) (2021) Aggarwal, D., Bennett, H., Golovnev, A., Stephens-Davidowitz, N.: Fine-grained hardness of CVP(P) – Everything that we can prove (and nothing else) (2021)
[ADRS14]
go back to reference Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling. CoRR, abs/1412.7994 (2014) Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling. CoRR, abs/1412.7994 (2014)
[ADRS15]
go back to reference Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling (2015) Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in \(2^n\) time via discrete gaussian sampling (2015)
[Ajt96]
go back to reference Ajtai, M.: Generating hard instances of lattice problems. Electron. Colloquium Comput. Complex. TR96 (1996) Ajtai, M.: Generating hard instances of lattice problems. Electron. Colloquium Comput. Complex. TR96 (1996)
[ALNSD20]
go back to reference Aggarwal, D., Li, J., Nguyen, P.Q., Stephens-Davidowitz, N.: Slide reduction, revisited—filling the gaps in SVP approximation. In: Annual International Cryptology Conference, pp. 274–295. Springer (2020) Aggarwal, D., Li, J., Nguyen, P.Q., Stephens-Davidowitz, N.: Slide reduction, revisited—filling the gaps in SVP approximation. In: Annual International Cryptology Conference, pp. 274–295. Springer (2020)
[ALS20]
go back to reference Aggarwal, D., Li, Z., Stephens-Davidowitz, N.: A \(2^{n/2}\)-Time Algorithm for \(\sqrt{n}\)-SVP and \(\sqrt{n}\)-Hermite SVP, and an Improved Time-Approximation Tradeoff for (H)SVP. arXiv e-prints (2020) Aggarwal, D., Li, Z., Stephens-Davidowitz, N.: A \(2^{n/2}\)-Time Algorithm for \(\sqrt{n}\)-SVP and \(\sqrt{n}\)-Hermite SVP, and an Improved Time-Approximation Tradeoff for (H)SVP. arXiv e-prints (2020)
[AM11]
go back to reference Aggarwal, D., Maurer, U.: The leakage-resilience limit of a computational problem is equal to its unpredictability entropy. In: Advances in Cryptology–ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, 4-8 December 2011. Proceedings 17, pp. 686–701. Springer (2011) Aggarwal, D., Maurer, U.: The leakage-resilience limit of a computational problem is equal to its unpredictability entropy. In: Advances in Cryptology–ASIACRYPT 2011: 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, 4-8 December 2011. Proceedings 17, pp. 686–701. Springer (2011)
[ASD18]
go back to reference Aggarwal, D., Stephens-Davidowitz, N.: (Gap/S)ETH Hardness of SVP. In: Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, pp. 228–238, New York, NY, USA (2018). Association for Computing Machinery Aggarwal, D., Stephens-Davidowitz, N.: (Gap/S)ETH Hardness of SVP. In: Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, pp. 228–238, New York, NY, USA (2018). Association for Computing Machinery
[Bab86]
[BGS17]
go back to reference Bennett, H., Golovnev, A., Stephens-Davidowitz, N.: On the Quantitative Hardness of CVP. CoRR, abs/1704.03928 (2017) Bennett, H., Golovnev, A., Stephens-Davidowitz, N.: On the Quantitative Hardness of CVP. CoRR, abs/1704.03928 (2017)
[BKW00]
go back to reference Blum, A., Kalai, A., Wasserman, H.; Noise-tolerant learning, the parity problem, and the statistical query model. CoRR, cs.LG/0010022 (2000) Blum, A., Kalai, A., Wasserman, H.; Noise-tolerant learning, the parity problem, and the statistical query model. CoRR, cs.LG/0010022 (2000)
[BLP+13]
go back to reference Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 575–584, New York, NY, USA (2013). Association for Computing Machinery Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, STOC 2013, pp. 575–584, New York, NY, USA (2013). Association for Computing Machinery
[Bri83]
go back to reference Brickell, E.F.: Solving low density knapsacks. In: Advances in Cryptology: Proceedings of CRYPTO 1983, pp. 25–37. Plenum (1983) Brickell, E.F.: Solving low density knapsacks. In: Advances in Cryptology: Proceedings of CRYPTO 1983, pp. 25–37. Plenum (1983)
[BV14]
go back to reference Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS 2014, pp. 1–12, New York, NY, USA (2014). Association for Computing Machinery Brakerski, Z., Vaikuntanathan, V.: Lattice-based FHE as secure as PKE. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS 2014, pp. 1–12, New York, NY, USA (2014). Association for Computing Machinery
[Cai98]
go back to reference Cai, J.-Y.: A relation of primal-dual lattices and the complexity of shortest lattice vector problem. Theoret. Comput. Sci. 207(1), 105–116 (1998)MathSciNetCrossRef Cai, J.-Y.: A relation of primal-dual lattices and the complexity of shortest lattice vector problem. Theoret. Comput. Sci. 207(1), 105–116 (1998)MathSciNetCrossRef
[Din02]
go back to reference Dinur, I.: Approximating SVP\( _{\text{ infinity }}\) to within almost-polynomial factors is NP-hard. Theor. Comput. Sci. 285(1), 55–71 (2002)CrossRef Dinur, I.: Approximating SVP\( _{\text{ infinity }}\) to within almost-polynomial factors is NP-hard. Theor. Comput. Sci. 285(1), 55–71 (2002)CrossRef
[DKRS03]
go back to reference Dinur, I., Kindler, G., Raz, R., Safra, S.: Approximating CVP to within almost-polynomial factors is NP-Hard. Combinatorica 23(2), 205–243 (2003)MathSciNetCrossRef Dinur, I., Kindler, G., Raz, R., Safra, S.: Approximating CVP to within almost-polynomial factors is NP-Hard. Combinatorica 23(2), 205–243 (2003)MathSciNetCrossRef
[FT87]
go back to reference Frank, A., Tardos,É.: An application of simultaneous diophantine approximation in combinatorial optimization. Combinatorica, 7(1), 49–65 (1987) Frank, A., Tardos,É.: An application of simultaneous diophantine approximation in combinatorial optimization. Combinatorica, 7(1), 49–65 (1987)
[Gen09]
go back to reference Gentry, C.: Fully Homomorphic Encryption Using Ideal Lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178, New York, NY, USA (2009). Association for Computing Machinery Gentry, C.: Fully Homomorphic Encryption Using Ideal Lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178, New York, NY, USA (2009). Association for Computing Machinery
[GL89]
go back to reference Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC 1989, pp. 25–32, New York, NY, USA (1989). Association for Computing Machinery Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, STOC 1989, pp. 25–32, New York, NY, USA (1989). Association for Computing Machinery
[GMSS99]
go back to reference Goldreich, O., Micciancio, D., Safra, S., Seifert, J.-P.: Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Inf. Process. Lett. 71(2), 55–61 (1999)MathSciNetCrossRef Goldreich, O., Micciancio, D., Safra, S., Seifert, J.-P.: Approximating shortest lattice vectors is not harder than approximating closest lattice vectors. Inf. Process. Lett. 71(2), 55–61 (1999)MathSciNetCrossRef
[GN08]
go back to reference Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 207–216 (2008) Gama, N., Nguyen, P.Q.: Finding short lattice vectors within Mordell’s inequality. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 207–216 (2008)
[GPV08]
go back to reference Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206, New York, NY, USA (2008). Association for Computing Machinery Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, STOC 2008, pp. 197–206, New York, NY, USA (2008). Association for Computing Machinery
[HR18]
go back to reference Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. CoRR, abs/1806.04087 (2018) Haviv, I., Regev, O.: Tensor-based hardness of the shortest vector problem to within almost polynomial factors. CoRR, abs/1806.04087 (2018)
[Kan87]
[Kho05]
[Lev12]
go back to reference Levin, L.A.: Randomness and non-determinism. CoRR, abs/1211.0071 (2012) Levin, L.A.: Randomness and non-determinism. CoRR, abs/1211.0071 (2012)
[LLL82]
go back to reference Lenstra, A., Lenstra, H., László, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 12 (1982)MathSciNetCrossRef Lenstra, A., Lenstra, H., László, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 12 (1982)MathSciNetCrossRef
[LM09]
go back to reference Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Shai Halevi, (ed.) Advances in Cryptology - CRYPTO 2009, pp. 577–594. Springer, Heidelberg (2009) Lyubashevsky, V., Micciancio, D.: On bounded distance decoding, unique shortest vectors, and the minimum distance problem. In: Shai Halevi, (ed.) Advances in Cryptology - CRYPTO 2009, pp. 577–594. Springer, Heidelberg (2009)
[LO85]
[Mic12]
go back to reference Micciancio, D.: Inapproximability of the shortest vector problem: toward a deterministic reduction. Theory Comput. 8(1), 487–512 (2012)MathSciNetCrossRef Micciancio, D.: Inapproximability of the shortest vector problem: toward a deterministic reduction. Theory Comput. 8(1), 487–512 (2012)MathSciNetCrossRef
[MM11]
go back to reference Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. Cryptology ePrint Archive, Paper 2011/521 (2011) Micciancio, D., Mol, P.: Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions. Cryptology ePrint Archive, Paper 2011/521 (2011)
[MR04]
go back to reference Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 372–381 (2004) Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 372–381 (2004)
[MR09]
go back to reference Micciancio, D., Regev, O.: Lattice-based Cryptography, pp. 147–191. Springer, Heidelberg (2009) Micciancio, D., Regev, O.: Lattice-based Cryptography, pp. 147–191. Springer, Heidelberg (2009)
[MV13]
go back to reference Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J. Comput. 42(3), 1364–1391 (2013)MathSciNetCrossRef Micciancio, D., Voulgaris, P.: A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations. SIAM J. Comput. 42(3), 1364–1391 (2013)MathSciNetCrossRef
[MW18]
go back to reference Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In Jesper Buus Nielsen and Vincent Rijmen, (eds.) Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I, vol. 10820 LNCS, pp. 3–28. Springer (2018) Micciancio, D., Walter, M.: On the bit security of cryptographic primitives. In Jesper Buus Nielsen and Vincent Rijmen, (eds.) Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I, vol. 10820 LNCS, pp. 3–28. Springer (2018)
[Pei09]
go back to reference Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 333–342 (2009) Peikert, C.: Public-key cryptosystems from the worst-case shortest vector problem. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 333–342 (2009)
[PP10]
go back to reference Paturi, R., Pudlák, P.: On the Complexity of Circuit Satisfiability. In: Proceedings of the Forty-Second ACM Symposium on Theory of Computing, STOC 2010, pp. 241–250, New York, NY, USA (2010). Association for Computing Machinery Paturi, R., Pudlák, P.: On the Complexity of Circuit Satisfiability. In: Proceedings of the Forty-Second ACM Symposium on Theory of Computing, STOC 2010, pp. 241–250, New York, NY, USA (2010). Association for Computing Machinery
[Reg06]
go back to reference Regev, O.: Lattice-based cryptography. In Cynthia Dwork, (ed.) Advances in Cryptology - CRYPTO 2006, pp. 131–141. Springer, Heidelberg (2006) Regev, O.: Lattice-based cryptography. In Cynthia Dwork, (ed.) Advances in Cryptology - CRYPTO 2006, pp. 131–141. Springer, Heidelberg (2006)
[Reg09]
[Sha85]
go back to reference Shamir, A.: Identity-based cryptosystems and signature schemes. In: George Robert Blakley and David Chaum, (eds.) Advances in Cryptology, pp. 47–53. Springer, Heidelberg, (1985) Shamir, A.: Identity-based cryptosystems and signature schemes. In: George Robert Blakley and David Chaum, (eds.) Advances in Cryptology, pp. 47–53. Springer, Heidelberg, (1985)
[vEB81]
go back to reference van Emde Boas, P.: Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report, Department of Mathmatics, University of Amsterdam (1981) van Emde Boas, P.: Another NP-complete problem and the complexity of computing short vectors in a lattice. Technical Report, Department of Mathmatics, University of Amsterdam (1981)
Metadata
Title
Worst-Case to Average-Case Hardness of LWE: An Alternative Perspective
Authors
Aggarwal Divesh
Jin Ming Leong
Veliche Alexandra
Copyright Year
2025
DOI
https://doi.org/10.1007/978-3-031-78017-2_11

Premium Partner