On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
LWE on Lattices, Random Linear Codes, and Cryptography
Oded Regev
Department of Computer Science, Tel-Aviv University, Tel-Aviv 69978, Israel
Abstract
Our main result is a reduction from worst-case lattice problems such as SVP and SIVP to a certain learning problem. This learning problem is a natural extension of the ‘learning from parity with error’ problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for SVP and SIVP. A main open question is whether this reduction can be made classical.
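Main result: a reduction from worst-case lattice problems (such as SVP and SIVP) to a class of learning problems. This learning problem is a natural extension of "learning from parity with error" (the term is hard to translate; the gist is what matters) to higher moduli. It can also be viewed as the problem of decoding a random linear code.
Our reduction is quantum. This means that an efficient solution to this class of problems gives a quantum algorithm for SVP and SIVP.
An open question is whether this reduction can be made classical.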
Using the main result, we obtain a public key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP. Previous lattice-based public key cryptosystems such as the one by Ajtai and Dwork were only based on unique-SVP, a special case of SVP. The new cryptosystem is much more efficient than previous cryptosystems: the public key is of size $\tilde{O}(n^2)$ and encrypting a message increases its size by $\tilde{O}(n)$ (in previous cryptosystems these values are $\tilde{O}(n^4)$ and $\tilde{O}(n^2)$, respectively). In fact, under the assumption that all parties share a random bit string of length $\tilde{O}(n^2)$, the size of the public key can be reduced to $\tilde{O}(n)$.
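The size figures in this paragraph can be checked against a toy LWE-based bit encryption scheme. This is an added illustration, not code from the paper or from this page. The construction (encrypting by summing a random subset of LWE samples), the parameters `N`, `Q`, `M`, `ERR` and the bounded uniform error are assumptions, chosen so that decryption never fails; they provide no security.

```python
import math
import secrets

# Toy parameters, assumed for illustration only (no security at this size).
N = 16                                      # dimension n
Q = 3329                                    # modulus q (a prime)
M = 2 * (N + 1) * math.ceil(math.log2(Q))   # number of LWE samples, O(n log q)
ERR = 1                                     # error is uniform in [-ERR, ERR]
assert M * ERR < Q // 4                     # guarantees error-free decryption

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def keygen():
    """Secret s in Z_q^n; public key is M samples (a, <a,s> + e mod q)."""
    s = [secrets.randbelow(Q) for _ in range(N)]
    pub = []
    for _ in range(M):
        a = [secrets.randbelow(Q) for _ in range(N)]
        e = secrets.randbelow(2 * ERR + 1) - ERR
        pub.append((a, (dot(a, s) + e) % Q))
    return s, pub

def encrypt(pub, bit):
    """Sum a random subset of the samples; add floor(q/2) to encode a 1."""
    a_sum, b_sum = [0] * N, 0
    for a, b in pub:
        if secrets.randbits(1):
            a_sum = [(x + y) % Q for x, y in zip(a_sum, a)]
            b_sum = (b_sum + b) % Q
    return a_sum, (b_sum + bit * (Q // 2)) % Q

def decrypt(s, ct):
    """Remove <a,s>; what is left is the summed error, plus q/2 if bit = 1."""
    a, b = ct
    d = (b - dot(a, s)) % Q
    return 0 if min(d, Q - d) < Q // 4 else 1

def sizes():
    """Element counts in Z_q: public key M*(n+1), ciphertext per bit n+1."""
    return M * (N + 1), N + 1

if __name__ == "__main__":
    s, pub = keygen()
    print([decrypt(s, encrypt(pub, b)) for b in (0, 1, 1, 0)], sizes())
```

With `M` proportional to n log q, the public key holds on the order of n² log q elements of Z_q and each encrypted bit costs n+1 elements, which is where the quadratic and linear figures come from.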
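We obtain a public key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP.
Previous lattice-based public key cryptosystems relied only on unique-SVP. The new system is clearly more efficient: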