The paper presents a reduction from worst-case lattice problems such as GAPSVP and SIVP to a learning problem, which is a natural extension of the 'learning from parity with error' problem to higher moduli. This reduction is quantum, implying that an efficient solution to the learning problem would imply a quantum algorithm for these lattice problems. The authors also present a classical public-key cryptosystem whose security is based on the hardness of the learning problem, which is more efficient than previous lattice-based cryptosystems. The cryptosystem's security is based on the worst-case quantum hardness of GAPSVP and SIVP, and the public key size is significantly reduced compared to previous constructions. The main open question is whether the reduction can be made classical, i.e., non-quantum. The paper discusses the implications of the reduction for lattice-based cryptography and provides a detailed proof of the main theorem, including an iterative construction and a quantum component.The paper presents a reduction from worst-case lattice problems such as GAPSVP and SIVP to a learning problem, which is a natural extension of the 'learning from parity with error' problem to higher moduli. This reduction is quantum, implying that an efficient solution to the learning problem would imply a quantum algorithm for these lattice problems. The authors also present a classical public-key cryptosystem whose security is based on the hardness of the learning problem, which is more efficient than previous lattice-based cryptosystems. The cryptosystem's security is based on the worst-case quantum hardness of GAPSVP and SIVP, and the public key size is significantly reduced compared to previous constructions. The main open question is whether the reduction can be made classical, i.e., non-quantum. The paper discusses the implications of the reduction for lattice-based cryptography and provides a detailed proof of the main theorem, including an iterative construction and a quantum component.