Heuristics and rigor in lattice-based cryptography

Cryptographic schemes based on lattices first emerged in the mid-1990s, and have developed rapidly in the past few years. At the outset, works in this area fell into two very distinct types: - Heuristic proposals such as NTRU, which lacked any formal security justification but were very practical; - Schemes building on Ajtai's breakthrough work, which were highly impractical but came with provable 'worst-case' security guarantees. More recently, the line between efficiency and rigorous security has been blurred significantly (though not yet obliterated completely). This talk will survey several examples of early proposals that lacked any rigorous security analysis -- and in some cases, turned out to be completely insecure -- but which later inspired theoretically sound and efficient solutions. Even better, these solutions have opened the door to unexpected and far more advanced cryptographic applications than were originally envisioned.