Learning with Errors in the Exponent

We initiate the study of a novel class of group-theoretic intractability problems. Inspired by the theory of learning in presence of errors [Regev, STOC'05] we ask if noise in the exponent amplifies intractability. We put forth the notion of Learning with Errors in the Exponent (LWEE) and rather surprisingly show that various attractive properties known to ex- clusively hold for lattices carry over. Most notably are worst-case hardness and post-quantum resistance. In fact, LWEE's "diprosopus" is due to the reducibility to two seemingly orthogonal assumptions: Learning with errors and the representation problem [Brands, Crypto'93]. For suitable parameter choices one obtains double-hard assumptions superposing properties from each individual assumption. The argument holds in the classical and quantum model of computation, and makes LWEE an appealing provisioner of strong security and robustness guarantees. We give the very first construction of a semantically secure public-key encryption system in the standard model. The heart of our construction is an "error recovery" technique to tame the crucial propagation of noise in the exponent which is of independent interest.