Our main result is a reduction from worst-case lattice problems such as GapSVP and SIVP to a certain learning problem. This learning problem is a natural extension of the 'learning from parity with error' problem to higher moduli. It can also be viewed as the problem of decoding from a random linear code. This, we believe, gives a strong indication that these problems are hard. Our reduction, however, is quantum. Hence, an efficient solution to the learning problem implies a quantum algorithm for GapSVP and SIVP. A main open question is whether this reduction can be made classical (i.e., non-quantum). We also present a (classical) public-key cryptosystem whose security is based on the hardness of the learning problem. By the main result, its security is also based on the worst-case quantum hardness of GapSVP and SIVP. The new cryptosystem is much more efficient than previous lattice-based cryptosystems: the public key is of size $\tilde{O}(n^2)$ and encrypting a message increases its size by a factor of $\tilde{O}(n)$ (in previous cryptosystems these values are $\tilde{O}(n^4)$ and $\tilde{O}(n^2)$, respectively). In fact, under the assumption that all parties share a random bit string of length $\tilde{O}(n^2)$, the size of the public key can be reduced to $\tilde{O}(n)$.
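To make the learning problem and the cryptosystem concrete, here is an added toy implementation (not code from the paper): it samples the 'learning with errors' distribution $(a_i, \langle a_i, s\rangle + e_i \bmod q)$ and builds the subset-sum style public-key scheme on top of it, where the public key is $m$ such samples and a bit is encrypted by summing a random subset of them. The scheme shape is the standard one from this line of work; the parameters $n=32$, $q=2053$, $m=360$ and the error distribution (uniform in $\{-1,0,1\}$) are assumptions chosen so that decryption is always correct, and are far too small to offer any security.

```python
import math
import random

# Toy parameters (assumption, not from the paper): q is a prime in [n^2, 2n^2],
# and m * ERR_BOUND < q/4 so that the summed error can never flip a decryption.
N = 32          # secret dimension n
Q = 2053        # prime modulus
M = 360         # number of LWE samples in the public key
ERR_BOUND = 1   # each error coordinate is uniform in [-ERR_BOUND, ERR_BOUND]
assert M * ERR_BOUND < Q // 4


def lwe_samples(s, m, rng, q=Q, err_bound=ERR_BOUND):
    """Return m samples (a_i, <a_i, s> + e_i mod q) with a_i uniform in Z_q^n.

    Without the error term, Gaussian elimination over Z_q recovers s from n
    samples; the error is what turns this into decoding a random linear code.
    """
    n = len(s)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    b = []
    for a in A:
        e = rng.randint(-err_bound, err_bound)
        b.append((sum(ai * si for ai, si in zip(a, s)) + e) % q)
    return A, b


def keygen(rng, n=N, m=M, q=Q):
    """Secret key s in Z_q^n; public key is m LWE samples (A, b = As + e)."""
    s = [rng.randrange(q) for _ in range(n)]
    A, b = lwe_samples(s, m, rng, q)
    return s, (A, b)


def encrypt_bit(pk, bit, rng, q=Q):
    """Encrypt one bit: add up a random subset of the public-key samples and
    put bit * floor(q/2) on the second component."""
    A, b = pk
    u = [0] * len(A[0])
    v = 0
    for a_i, b_i in zip(A, b):
        if rng.random() < 0.5:
            u = [(ui + ai) % q for ui, ai in zip(u, a_i)]
            v = (v + b_i) % q
    v = (v + bit * (q // 2)) % q
    return u, v


def decrypt_bit(sk, ct, q=Q):
    """v - <u, s> = (sum of the chosen errors) + bit * floor(q/2) mod q.
    The summed error is below q/4 in magnitude, so decide by distance to 0."""
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, sk))) % q
    if d > q // 2:          # centred representative in (-q/2, q/2]
        d -= q
    return 0 if abs(d) < q // 4 else 1


def encrypt_bits(pk, bits, rng):
    return [encrypt_bit(pk, b, rng) for b in bits]


def decrypt_bits(sk, cts):
    return [decrypt_bit(sk, c) for c in cts]


def sizes_in_bits(n=N, m=M, q=Q):
    """(public key bits, ciphertext bits per plaintext bit): m*n*log q versus
    (n+1)*log q, i.e. the O~(n^2) key and O~(n) expansion of the abstract."""
    lg = math.ceil(math.log2(q))
    return m * n * lg, (n + 1) * lg


def roundtrip(bits, seed=1234):
    """Key generation, encryption and decryption with a seeded RNG; returns the
    decrypted bits so a caller can compare them with the input."""
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    return decrypt_bits(sk, encrypt_bits(pk, bits, rng))


if __name__ == "__main__":
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    print("decrypted:", roundtrip(msg), "expected:", msg)
    print("pk bits, ct bits per plaintext bit:", sizes_in_bits())
```

Each ciphertext is one vector in $\mathbb{Z}_q^{n+1}$ per plaintext bit, which is where the $\tilde{O}(n)$ expansion comes from; the shared-random-string variant of the abstract amounts to letting all parties derive the matrix $A$ from a common seed so that only the vector $b$ needs to be published.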