Background: Lattices and the
Learning-with-Errors problem
China Summer School on Lattices and Cryptography, June 2014
Starting Point: Linear Equations
ο Easy to solve a linear system of equations
A
s = b (πππ π)
ο Given A, b, find s
ο Solved using Gaussian elimination, Cramer rule, etc.
ο [Regev 2005] Hard if we add a little noise
A
s + e = b (πππ π)
ο π is a noise vector, |π| βͺ π
ο Given A, b, find s and/or e
Learning with Errors (LWE) [Rβ05]
ο Parameters:
ο q (modulus), n (dimension), m>n (# of samples)
ο Secret: uniformly random vector π β πππ
ο Input: random matrix π¨ β πππ×π , vector π β πππ
ο Computed as b = A × s + e (πππ π)
ο π chosen from some distribution s.t. |π| βͺ π whp
ο π is close to the columns space of π¨
ο Goal: discover π
Learning with Errors (LWE) [Rβ05]
1. Is it really hard to solve LWE?
ο How hard?
ο For what range of parameters?
2. Is it useful?
ο Can we design cryptosystems with security based on
the hardness of LWE
ο Weβll do #2 first, then #1
Using LWE in Cryptography
The Decision-LWE Problem
ο A more useful variant of LWE:
ο Same parameters q, n, m
ο Input: same A and b
ο A is still a uniform random matrix in πππ×π
ο Either π = π¨ × π + π (πππ π), or π is uniform in πππ×π
ο Goal: distinguish π¨ × π + π from uniform
ο I.e., given A,b, decide if b is βunusually closeβ to
the column space of A
Search vs. Decision LWE
ο Clearly, if we can solve the search problem
then we can also solve the decision problem
ο Try to solve the search problem on A,b
ο If successful then b is close to the column space of A,
otherwise b is random
ο More interesting: If we can solve decision,
then we can also solve the search problem
ο But the complexity grows by a factor of π β
π
ο So this reduction only works for small (polynomial) π
Reducing Search to Decision LWE
ο Assume that we have a distinguisher D that
can tell if π = ππ + π (πππ π) or π is random
ο Say for now that D succeeds with probability close to 1
ο We construct a solver S that finds s
ο For every index π β {1. . π} and every value π£ β ππ ,
S will use D to determine if ππ = π£
Reducing Search to Decision LWE
Given π¨ and π = π¨π + π, test if ππ = π£:
ο Choose π = (π1 , π2 , β¦ , ππ ) β πππ uniformly at random
ο Add π to the πβth column of π¨, this gives a matrix π¨β²
ο π¨β² is uniformly random because π¨ is
π¨β² = π¨ +
π. . ππ . . π
π. . ππ . . π
π. . ππ . . π
ο Note that π¨β² π = π¨π + ππ β
π
Reducing Search to Decision LWE
Given π¨ and π = π¨π + π, test if ππ = π£:
ο Choose π = (π1 , π2 , β¦ , ππ ) β πππ uniformly at random
ο Add π to the πβth column of π¨, this gives a matrix π¨β²
ο π¨β² is uniformly random because π¨ is
ο Add π£ β
π to π, this gives the vector πβ²
πβ² = π + π£ β
ππ
ππ
ππ
Reducing Search to Decision LWE
Given π¨ and π = π¨π + π, test if ππ = π£:
ο Choose π = (π1 , π2 , β¦ , ππ ) β πππ uniformly at random
ο Add π to the πβth column of π¨, this gives a matrix π¨β²
ο π¨β² is uniformly random because π¨ is
ο Add π£ β
π to π, this gives the vector πβ²
ο πβ² = π + π£ β
π
= π¨π + π + π£ β
π = π¨β² π β ππ β
π + π + π£ β
π
= π¨β² π + π + π£ β ππ β
π
Reducing Search to Decision LWE
Given π¨ and π = π¨π + π, test if ππ = π£:
ο Choose random π, compute π¨β² , πβ²
ο Such that πβ² = π¨β² π + π + π£ β ππ β
π
ο If ππ = π£ then we get πβ² = π¨β² π + π
ο Otherwise πβ² is uniform (because π is uniform)
ο Use the distinguisher π·(π¨β² , πβ² ) to tell which case it is
ο This will tell us if ππ = π£
Reducing Search to Decision LWE
ο The reduction assumes that D is always right
ο Can be extended to distinguisher D with polynomially
small advantage
ο The reduction works in time linear in π β
π
ο Can be refined to work in time π β
βππ
ο The ππ βs are the prime factors of π
ο So the reduction can be efficient even for large π,
as long as it is smooth
A Useful Variant of LWE
ο Instead of choosing the secret π uniformly,
choose it from the same distribution as π
ο So π is small
Theorem [ACPSβ09]: Uniform-secret LWE is
equivalent to small-secret LWE
ο Solving one
solving the other
Uniform- vs. Small-secret LWE
Easy direction: If we can solve uniform-secret LWE
then we can solve small-secret LWE
ο We are given π¨ and π = π¨π + π
ο π is a small secret
ο Choose a uniform random π
ο Set πβ² = π¨π + π = π¨ π + π + π (πππ π)
ο πβ² = π + π is uniform (because π is uniform)
ο π¨, πβ² = π¨πβ² + π is instance of uniform-secret LWE
ο Solving it, we get πβ² and can compute π = πβ² β π
Uniform- vs. Small-secret LWE
Hard direction: If we can solve small-secret
LWE then we can solve uniform-secret LWE
ο But the parameter π changes
ο For solving π × π uniform-secret LWE, we would need
to solve πβ² × π small-secret LWE with πβ² = π β π
ο We are given π¨ and π = π¨π + π
ο π is a uniform secret
ο Find π linearly-independent rows of π¨
ο Such rows exist with high probability
ο Assume that these are the first n rows
Uniform- vs. Small-secret LWE
π
π
π¨π
π
π¨ =
π¨π
ππ = π¨π π + ππ
π
πβ²
π=
ππ = π¨π π + ππ
ο Set π¨β² = βπ¨2 π¨1β1 and πβ² = π2 + π¨β² ππ
ο πβ² = π¨2 π + π2 + π¨β² π¨1 π + π1
= π¨2 π + π¨β² π¨1 π + π¨β² π1 + π2 = π¨β² π1 + π2
ο Because π¨β² π¨1 = βπ¨2 π¨1β1 π¨1 = βπ¨2
ο So (π¨β² , πβ² = π¨β² π1 + π2 ) is instance of short-secret LWE
ο The secret is π1 , drawn from the error distribution
ο Solving it we get π1
ο Then compute π = π¨βπ
π (ππ β ππ )
Regevβs Cryptosystem [Rβ05]
Secret key: vector πβ²
Public key: Matrix π¨β², vector π = π¨β²πβ² + π
ο Denote π¨ = (π|π¨β² )
ο If decision-LWE is hard then A is pseudorandom
ο Denote
π = π, βπβ² , then π¨π = π β π¨β² πβ² = π
Encryptπ¨ π β {0,1}
ο Choose a random small vector π β 0,1 π
ο Output the ciphertext π = ππ¨
π
+
2
β
π, 0, β¦ , 0 β πππ
π
Decryptπ(π)
ο Compute the inner product π¦ = π, π¬ (mod q)
ο Output 0 if |π¦| < π/4, else output 1
Regevβs Cryptosystem [Rβ05]
ο Correctness:
ο π¦ = π, π¬ =
ππ¨π +
ο
π
2
π, π <
ππ¨ +
π
π
2
,π =
π0 β¦ 0 , 1, βπ
π
4
β²
π
2
= π, π + β
π
(since π is 0-1 vector and π
π
4
ο¨If π = 0 then π¦ < , if π = 1 then π¦
β <
π
>
4
π
)
4
ο Security:
ο Recall that A is pseudo-random
ο We show that if A was random then π was statistically
close to uniform, regardless of π
Regevβs Cryptosystem [Rβ05]
The Leftover Hash Lemma [HILLβ99] implies the
following corollary:
ο If π > 3π log π then the two distributions
< π¨, ππ¨ : π΄ βπ πππ×π , π βπ 0,1 π >
< π¨, π βΆ π΄ βπ πππ×π ,
π βπ πππ >
are statistically close (upto π βΞ©(π) )
ο¨For a random π΄, ππ΄ is close to uniform
ο Even conditioned on A
ο And therefore so is ππ΄
π
+ π
2
ο¨If π΄ is pseudorandom, so is ππ΄ +
π
π
2
A Useful Variant of the Cryptosystem
Encrypt: π = 2ππ¨ + π
ο instead of π =
π
ππ¨ + π
2
from before
ο Plaintext encoded in the LSB rather than MSB
Decrypt: y = π, π¬ (πππ π), then π = π¦ πππ 2
ο π¦ = 2 π, π + π (πππ π)
ο 2 π, π < π/2, so no mod-π reduction
ο¨ π¦ πππ 2 = π
The Hardness of LWE
Lattices and Hard Problems
0
A lattice is just an additive subgroup of Rn.
Lattices
v2β
v2
0
v1β
v1
Lattice of rank n = set of all integer linear combinations of n
linearly independent basis vectors.
Lattices
ο A Lattice has infinitely many bases
ο They are related by unimodular matrices, π΅ β² = π΅π
ο π is an integer matrix with det π = ±1
ο¨All bases have the same determinant (upto sign)
ο This quantity is the determinant of the lattice
ο Given any set of vectors that span the lattice,
can compute a canonical basis
ο Hermite normal form (HNF)
Lattices
ο A βgood basisβ has all small vectors
ο βclose to orthogonalβ to each other
ο Typically the HNF is a βbadβ basis
ο Minkowskyβs theorems:
A rank-π lattice with determinant π has
ο A non-zero vector of length |π£| β€ π β
π1/π
π/2 β
π
ο π linearly independent π£π βs s.t. π
|π£
|
β€
π
π=1 π
ο Also a basis of vectors of similar sizes
ο Lattice reduction: Given a βbadβ basis,
find a βgoodβ one for the same lattice
Lattices and Hard Problems
v2β
v2
0
v1β
v1
Given some basis of L, may be hard to find good basis of L.
Hard to solve the (approx) shortest/closest vector problems.
Hard Problems
Given a basis π΅ for a lattice πΏ(π΅):
ο Shortest-Vector Problem (SVP)
ο Find the shortest nonzero vector in L(B)
ο Or maybe just compute the size of such vector (π1 πΏ )
ο Shortest Independent-Set Problem (SIVP)
ο Find π linearly independent π£1 , β¦ , π£π minimize max |π£π |
π
π
ο Or maybe just the quantity ππ πΏ = maxπ=1
|π£π |
ο Also approximation versions
ο Find π£ such that π£ β€ πΎ β
shortest
ο Find π£π βs such that max |π£π | β€ πΎ β
smallest-possible
π
Hard Problems: Whatβs Known?
ο The [LLLβ82] algorithm and its variants can
approximate SVP upto πΎ = 2O(π)
log1βπ π
ο NP-hard to approx. SVP upto πΎ = 2
ο πΎ = π(1) but πΎ < ππ for any π
ο Roughly: approximate upto 2π/π takes time 2π(π)
ο Practically we can perhaps approximate SVP upto πΎ =
2π/100 but not upto πΎ = 2π/200
ο At least for moderate πβs (say π < 500)
ο Similar for SIVP
LWE and Lattices
ο Consider the matrix π¨ = ππ β¦ ππ
ο The column space mod-π is a rank-π lattice,
spanned by the columns of π΅ =
ο A discrete additive subgroup of π
π
ο Can compute its HNF basis
π 0
ππ β¦ ππ 0 π
0
0
β±
0 0
ο π = π¨π + π (πππ π) is close to this lattice
ο π = π β π is in the lattice, at distance |π| from π
ο We have a bound π½ βͺ π on |π| whp (say π½ =
ο If we find π, we can solve for π
π)
π
Bounded Distance Decoding (BDD)
ο Input: a basis B, another point π₯, a bound π½
ο Goal: find π£ β πΏ(π΅) such that π₯ β π£ β€ π½
ο Solving BDD ο¨ Solving LWE
Thm [Babaiβ86,GPVβ08]:
ο Solving SIVP ο¨ Solving BDD
ο Given a basis for πΏ with max |π£π | = πΌ,
π
can solve BDD upto distance π½ β πΌ β
poly(π)
LWE and Lattices
Thm [Regβ05, Peiβ09]:
ο Solving LWE ο¨ Solving SIVP, SVP
ο LWE-solver with error-bound π½ < π/π( π)
implies quantum approximation of SIVP
upto a factor poly(π)
ο Or a classical algorithm for approximating
π1 πΏ upto a factor poly(π)
Summary
ο Learning with Errors: π = π¨π + π
ο This is a hard problem
ο For some parameters, can be shown to be
as hard as some well-known lattice problems
ο Even for other settings, we donβt know how to solve it
ο Only known attacks use lattice reduction
ο These only work when π/|π| = exp(π)
ο LWE is useful for cryptography
ο For example for public-key encryption
ο Decryption formula π , π πππ π πππ 2
© Copyright 2026 Paperzz