This paper presents a public-key cryptosystem based on the worst-case hardness of approximating the shortest vector problem (SVP) in n-dimensional lattices. The system is secure under the assumption that approximating the length of the shortest nonzero vector in a lattice to within a small polynomial factor is computationally hard. This is a significant improvement over previous cryptosystems that relied on special lattice problems or conjectured hardness for quantum algorithms. The main technical contribution is a classical reduction from certain lattice problems to the learning with errors (LWE) problem. This is the first classical reduction of this type, and it shows that the search version of LWE is at least as hard as approximating SVP in the worst case. The reduction also demonstrates that for moduli as small as q ≥ ω(√n), the search version of LWE is at least as hard as approximating a novel variant of SVP on general lattices. The paper constructs new cryptosystems based on the search version of LWE, including a chosen-ciphertext-secure system with a simpler description and tighter worst-case approximation factor than previous constructions. The system has public key size O(n² log² q) and ciphertext expansion factor O(log q), which matches the efficiency of known lattice-based cryptosystems. The paper also discusses the classical hardness of LWE and provides a reduction from the worst-case hardness of SVP to the average-case hardness of LWE. This reduction is based on the idea of sampling from the dual lattice and using the properties of Gaussian distributions to hide the secret key. The reduction shows that the search version of LWE is at least as hard as solving SVP in the worst case. The paper concludes with a discussion of open problems, including the possibility of iterative reductions and the design of reductions that solve the search version of SVP. It also highlights the importance of studying the complexity of new variants of SVP and related lattice problems.This paper presents a public-key cryptosystem based on the worst-case hardness of approximating the shortest vector problem (SVP) in n-dimensional lattices. The system is secure under the assumption that approximating the length of the shortest nonzero vector in a lattice to within a small polynomial factor is computationally hard. This is a significant improvement over previous cryptosystems that relied on special lattice problems or conjectured hardness for quantum algorithms. The main technical contribution is a classical reduction from certain lattice problems to the learning with errors (LWE) problem. This is the first classical reduction of this type, and it shows that the search version of LWE is at least as hard as approximating SVP in the worst case. The reduction also demonstrates that for moduli as small as q ≥ ω(√n), the search version of LWE is at least as hard as approximating a novel variant of SVP on general lattices. The paper constructs new cryptosystems based on the search version of LWE, including a chosen-ciphertext-secure system with a simpler description and tighter worst-case approximation factor than previous constructions. The system has public key size O(n² log² q) and ciphertext expansion factor O(log q), which matches the efficiency of known lattice-based cryptosystems. The paper also discusses the classical hardness of LWE and provides a reduction from the worst-case hardness of SVP to the average-case hardness of LWE. This reduction is based on the idea of sampling from the dual lattice and using the properties of Gaussian distributions to hide the secret key. The reduction shows that the search version of LWE is at least as hard as solving SVP in the worst case. The paper concludes with a discussion of open problems, including the possibility of iterative reductions and the design of reductions that solve the search version of SVP. It also highlights the importance of studying the complexity of new variants of SVP and related lattice problems.