**Financial Mathematics and Fintech**

Zhiyong Zheng Kun Tian Fengxia Liu

# Modern Cryptography Volume 2

A Classical Introduction to Informational and Mathematical Principle

# **Financial Mathematics and Fintech**

#### **Series Editors**

Zhiyong Zheng, Renmin University of China, Beijing, China
Alan Peng, University of Toronto, Toronto, ON, Canada

This series addresses emerging advances in mathematical theory related to finance and applied research from all fintech perspectives. It is a series of monographs and contributed volumes focusing on in-depth exploration of financial mathematics, such as applied mathematics, statistics, optimization, and scientific computation, and of fintech applications, such as artificial intelligence, blockchain, cloud computing, and big data. The series features a comprehensive understanding and practical application of financial mathematics and fintech, and covers cutting-edge applications of both in practical programs and companies.

The Financial Mathematics and Fintech book series promotes the exchange of emerging theory and technology of financial mathematics and fintech between academia and financial practitioners. It aims to provide a timely reflection of the state of the art in mathematics and computer science as applied to finance. As a collection, this book series provides valuable resources to a wide audience in academia, the finance community, government employees related to finance, and anyone else looking to expand their knowledge of financial mathematics and fintech.

The key words in this series include but are not limited to:



Zhiyong Zheng School of Mathematics Renmin University of China Beijing, China

Henan Academy of Sciences Zhengzhou, China

Fengxia Liu Artificial Intelligence Research Institute Beihang University Beijing, China

Kun Tian School of Mathematics Renmin University of China Beijing, China

ISSN 2662-7167 ISSN 2662-7175 (electronic) Financial Mathematics and Fintech ISBN 978-981-19-7643-8 ISBN 978-981-19-7644-5 (eBook) https://doi.org/10.1007/978-981-19-7644-5

© The Editor(s) (if applicable) and The Author(s) 2023. This book is an open access publication.

**Open Access** This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd. The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721, Singapore

# **Preface**

For integer factorization and discrete logarithm computation, P. W. Shor published an efficient quantum algorithm in *SIAM Journal on Computing* in 1997, which is known in academic circles as the Shor algorithm. Classical public key cryptosystems such as RSA and ECC cannot resist the attack of the Shor algorithm, so the major security risks of public key cryptosystems are completely exposed by the Shor algorithm and the quantum computer.

In the past 20 years, the rise and development of post-quantum cryptography have been closely related to lattice cryptosystems. The academic community believes that the hard problems on lattices, such as the shortest vector problem (SVP), the shortest independent vectors problem (SIVP) and the decisional shortest vector problem (GapSVP), can resist quantum computing effectively, so public key cryptosystems based on hard lattice problems have become the core theory and technology of post-quantum cryptography. At present, there are six kinds of published post-quantum cryptosystems:


calculation speed and small storage space. In 2009, the National Institute of Standards and Technology wrote a survey report: no cryptosystem could support both public key encryption and digital signature while resisting the Shor algorithm simultaneously. The NTRU encryption algorithm seems to be the most likely choice among the many lattice-based encryption schemes. The PQCRYPTO program (Horizon 2020 ICT-645622) of the European Union hopes to develop a new European encryption standard based on the NTRU variant improved by Stehlé and Steinfeld.


In the book *Modern Cryptography*, we gave a detailed introduction to the basic theory of lattices and the first four kinds of lattice-based cryptosystems. The main purpose of this book is to discuss the computational complexity theory of lattice cryptosystems, especially Ajtai's reduction principle, and to fill the gap left where post-quantum cryptography focuses on encryption and decryption algorithms while the theoretical proofs remain insufficient. In Chaps. 3, 4 and 6, we introduce the LWE distribution, the LWE cryptosystem and fully homomorphic encryption in detail. When stochastic analysis tools are used, many 'ambiguity' problems arise in definitions and algorithms, such as the '≈' notation that appears in a large number of papers and books, which is mathematically imprecise. The biggest characteristic of this book is the use of probability distributions to provide rigorous mathematical definitions and proofs for various unclear expressions, making the subject a rigorous theoretical system that facilitates teaching and dissemination in class. Chapters 5 and 7 are based on two papers published by the authors in the *Journal of Information Security* (see references [63, 64]). These materials can be regarded as important topics, such as the further extension and improvement of cyclic lattices, ideal lattices and generalized NTRU cryptosystems.

This book contains the most cutting-edge and hottest research topics in post-quantum cryptography. Reading all the chapters requires substantial mathematical knowledge and a good mathematical foundation. Therefore, this book can be used as a textbook for graduate students in mathematics and cryptography, or as a reference book for researchers in the field of cryptography. Due to the rush of time, all the materials are summarized from domestic and foreign research papers of the last 20 years, and shortcomings and mistakes are inevitable. We welcome readers to criticize and correct them.

Zhengzhou, China September 2022

Zhiyong Zheng

# **Contents**



# **Notations**


# **Chapter 1 Random Lattice Theory**

Let $\mathbb{R}^n$ be the Euclidean space of dimension $n$, and let $x = (x_1, x_2, \dots, x_n)^T$ and $y = (y_1, y_2, \dots, y_n)^T$ be two vectors of $\mathbb{R}^n$; the inner product of $x$ and $y$ is defined as

$$x \cdot y = x_1 y_1 + x_2 y_2 + \cdots + x_n y_n = x^T y. \tag{1.0.1}$$

The Euclidean norm |*x*| of vector *x* (also called the *l*<sup>2</sup> norm) is defined as

$$|x| = (x_1^2 + x_2^2 + \cdots + x_n^2)^{\frac{1}{2}} = \sqrt{x \cdot x}. \tag{1.0.2}$$
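As a small numeric illustration of (1.0.1) and (1.0.2), the following sketch (assuming NumPy; the vectors are made-up examples) computes the inner product and the $l^2$ norm:

```python
import numpy as np

x = np.array([1.0, 2.0, 2.0])
y = np.array([3.0, 0.0, -1.0])

inner = float(x @ y)            # x1*y1 + x2*y2 + x3*y3, as in (1.0.1)
norm_x = float(np.sqrt(x @ x))  # the l2 norm |x| of (1.0.2)
```

Here $x \cdot y = 3 + 0 - 2 = 1$ and $|x| = \sqrt{9} = 3$.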

Let $B = (b_{ij})_{n \times n} \in \mathbb{R}^{n \times n}$ be an invertible square matrix of order $n$; a full-rank lattice $L$ in $\mathbb{R}^n$ is defined as

$$L = L(B) = \{ Bx \mid x \in \mathbb{Z}^n \}. \tag{1.0.3}$$

A lattice $L$ is a discrete geometry in $\mathbb{R}^n$; in other words, there is a positive constant $\lambda_1 = \lambda_1(L) > 0$ and a vector $\alpha \in L$ with $\alpha \neq 0$ such that

$$|\alpha| = \min_{x \in L,\, x \neq 0} |x| = \lambda_1(L). \tag{1.0.4}$$

$\lambda_1$ is called the shortest distance of $L$, and $\alpha$ is a shortest vector of $L$. A sphere in the $n$-dimensional Euclidean space $\mathbb{R}^n$ with center $x_0$ and radius $r$ is defined as

$$N(\mathbf{x}\_0, r) = \{ \mathbf{x} \in \mathbb{R}^n \mid |\mathbf{x} - \mathbf{x}\_0| \le r \}, \ \mathbf{x}\_0 \in \mathbb{R}^n. \tag{1.0.5}$$

© The Author(s) 2023

Z. Zheng et al., *Modern Cryptography Volume 2*, Financial Mathematics and Fintech, https://doi.org/10.1007/978-981-19-7644-5\_1


In particular, $N(0, r)$ represents a sphere centered at the origin with radius $r$. The discreteness of a lattice is equivalent to the fact that the intersection of $L$ with any sphere $N(x_0, r)$ is a finite set, i.e.

$$\#\{L \cap N(\mathbf{x}\_0, r)\} < \infty. \tag{1.0.6}$$
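The finiteness in (1.0.6) can be made concrete by brute force. The following sketch, assuming NumPy and a made-up two-dimensional basis, enumerates $L \cap N(0, r)$ and reads off the shortest distance $\lambda_1(L)$ of (1.0.4):

```python
import itertools

import numpy as np

# Columns of B are the basis vectors of a made-up full-rank lattice L = L(B).
B = np.array([[2.0, 1.0],
              [0.0, 2.0]])

def lattice_points_in_ball(B, center, r, box=10):
    """Enumerate L ∩ N(center, r) by scanning integer coordinates in a box.

    'box' is a crude cutoff: |Bz| grows linearly in |z|, so a large enough
    box captures every lattice point of the ball.
    """
    pts = []
    for z in itertools.product(range(-box, box + 1), repeat=B.shape[1]):
        v = B @ np.array(z, dtype=float)
        if np.linalg.norm(v - center) <= r:
            pts.append(v)
    return pts

# (1.0.6): the intersection with any sphere is a finite set.
pts = lattice_points_in_ball(B, np.zeros(2), r=3.0)

# (1.0.4): the shortest nonzero vector realizes lambda_1(L).
lam1 = min(np.linalg.norm(v) for v in pts if np.linalg.norm(v) > 0)
```

For this basis the intersection with the ball of radius 3 consists of seven points, and $\lambda_1(L) = 2$, realized by the vector $(2, 0)^T$.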

Let $L = L(B)$ be a lattice, where $B$ is the generator matrix of $L$. Writing $B$ by its column vectors as $B = [\beta_1, \beta_2, \dots, \beta_n]$, the basic neighborhood $F(B)$ of $L$ is defined as

$$F(B) = \{ \sum\_{i=1}^{n} x\_i \beta\_i \mid 0 \le x\_i < 1 \}. \tag{1.0.7}$$

Clearly the basic neighborhood $F(B)$ depends on the generator matrix $B$ of $L$; it is actually a set of representative elements of the additive quotient group $\mathbb{R}^n / L$. $F^*(B)$ is also a set of representative elements of the quotient group $\mathbb{R}^n / L$, where

$$F^\*(B) = \{ \sum\_{i=1}^n x\_i \beta\_i \mid -\frac{1}{2} \le x\_i < \frac{1}{2} \},$$

therefore, *F*∗(*B*) can also be a basic neighborhood of the lattice *L*. The following property is easy to prove [see Lemma 2.6 in Chap. 7 in Zheng (2022)]

$$\text{Vol}(F(B)) = |\text{det}(B)| = \text{det}(L). \tag{1.0.8}$$

That is, the volume of the basic neighborhood of $L$ is an invariant and does not change with the choice of the generator matrix $B$. We denote $\det(L) = |\det(B)|$ as the determinant of the lattice $L$.
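The invariance (1.0.8) can be checked numerically: right-multiplying $B$ by a unimodular integer matrix $U$ (with $\det U = \pm 1$) yields another generator matrix of the same lattice, so $|\det(B)|$ is unchanged. A minimal sketch, assuming NumPy, with a made-up basis and unimodular matrix:

```python
import numpy as np

# Made-up generator matrix of L and a unimodular integer matrix U (det U = 1).
B = np.array([[2.0, 1.0],
              [0.0, 2.0]])
U = np.array([[1.0, 3.0],
              [1.0, 4.0]])

B2 = B @ U                       # another generator matrix of the same lattice L

det_L = abs(np.linalg.det(B))    # det(L) = |det(B)| = Vol(F(B)), cf. (1.0.8)
det_L2 = abs(np.linalg.det(B2))
```

Both determinants equal 4, even though $F(B)$ and $F(B_2)$ are different parallelepipeds.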

The basic properties of lattices can be found in Chap. 7 of Zheng (2022). The main purpose of this chapter is to establish the random theory of lattices. If a lattice $L$ is the space of values of a random variable (or random vector), it is called a random lattice. The random lattice is a new research topic in lattice theory, and the works of Micciancio and Regev (2004, 2009) and Regev (2004) are pioneering. In this sense, the study of random lattices is no more than ten years old. For technical reasons, only a special class of random lattices can be defined and studied. That is, consider a random variable $\xi$ defined in $\mathbb{R}^n$ with a Gauss distribution, and restrict the discretization of $\xi$ to $L$ so that $L$ becomes a random lattice. It is a special kind of random lattice, which we call the Gauss lattice. The main purpose of this chapter is to introduce the Gauss lattice, define the smoothing parameter on the Gauss lattice and calculate the statistical distance based on the smoothing parameter. The mathematical technique used in this chapter is the high dimensional Fourier transform.

#### **1.1 Fourier Transform**

A complex function $f(x)$ on $\mathbb{R}^n$ is a mapping $\mathbb{R}^n \to \mathbb{C}$, where $\mathbb{C}$ is the complex field. We define the function spaces $L^1(\mathbb{R}^n)$ and $L^2(\mathbb{R}^n)$:

$$L^1(\mathbb{R}^n) = \{ f : \mathbb{R}^n \to \mathbb{C} \mid \int_{\mathbb{R}^n} |f(x)| \mathrm{d}x < \infty \} \tag{1.1.1}$$

and

$$L^2(\mathbb{R}^n) = \{ f : \mathbb{R}^n \to \mathbb{C} \mid \int_{\mathbb{R}^n} |f(x)|^2 \mathrm{d}x < \infty \}. \tag{1.1.2}$$

If *<sup>f</sup>* (*x*), *<sup>g</sup>*(*x*) <sup>∈</sup> *<sup>L</sup>*<sup>1</sup>(R*<sup>n</sup>*), define the convolution of *<sup>f</sup>* with *<sup>g</sup>* as

$$f \ast g(\mathbf{x}) = \int\_{\mathbb{R}^n} f(\mathbf{x} - \xi) g(\xi) d\xi. \tag{1.1.3}$$

We have the following properties about convolution.

**Lemma 1.1.1** *Suppose $f(x), g(x) \in L^1(\mathbb{R}^n)$, then*

*(i) $f * g(x) = g * f(x)$.*

*(ii) $\int_{\mathbb{R}^n} f * g(x) \mathrm{d}x = \int_{\mathbb{R}^n} f(x) \mathrm{d}x \cdot \int_{\mathbb{R}^n} g(x) \mathrm{d}x$.*

*Proof* By the definition of convolution (1.1.3), we have

$$\operatorname{g} \ast f(\mathbf{x}) = \int\_{\mathbb{R}^n} \operatorname{g}(\mathbf{x} - \boldsymbol{\xi}) f(\boldsymbol{\xi}) d\boldsymbol{\xi} = \int\_{\mathbb{R}^n} \operatorname{g}(\mathbf{y}) f(\mathbf{x} - \mathbf{y}) d\mathbf{y} = f \ast \operatorname{g}(\mathbf{x}).$$

Property (i) holds. To obtain the second result (ii), we have

$$\int_{\mathbb{R}^n} f * g(x) \mathrm{d}x = \int_{\mathbb{R}^n} \left( \int_{\mathbb{R}^n} f(x - \xi) g(\xi) \mathrm{d}\xi \right) \mathrm{d}x = \int_{\mathbb{R}^n} \int_{\mathbb{R}^n} f(y) g(\xi) \mathrm{d}y \mathrm{d}\xi = \int_{\mathbb{R}^n} f(y) \mathrm{d}y \cdot \int_{\mathbb{R}^n} g(\xi) \mathrm{d}\xi.$$

The lemma is proved.
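Lemma 1.1.1 (ii) can be sanity-checked by discretizing the integrals. The sketch below, assuming NumPy and two made-up integrable functions, approximates $f * g$ by a Riemann sum and compares $\int f * g$ with $\int f \cdot \int g$:

```python
import numpy as np

# A uniform grid on [-10, 10]; both functions decay fast, so the
# truncation of the real line to this window is negligible.
t = np.linspace(-10, 10, 4001)
dt = t[1] - t[0]
f = np.exp(-np.pi * t**2)              # integral 1
g = 2.0 * np.exp(-np.pi * (t - 1.0)**2)  # integral 2

conv = np.convolve(f, g, mode="same") * dt  # Riemann-sum approximation of f * g

lhs = conv.sum() * dt                       # ∫ (f * g)(x) dx
rhs = (f.sum() * dt) * (g.sum() * dt)       # ∫ f dx · ∫ g dx
```

Both sides come out equal to 2 up to discretization error, matching property (ii).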

**Definition 1.1.1** If *<sup>f</sup>* (*x*) <sup>∈</sup> *<sup>L</sup>*1(R*<sup>n</sup>*), define the Fourier transform of *<sup>f</sup>* (*x*) as

$$\hat{f}(\mathbf{x}) = \int\_{\mathbb{R}^n} f(\xi) \mathbf{e}^{-2\pi i x \cdot \xi} d\xi,\ \mathbf{x} \in \mathbb{R}^n. \tag{1.1.4}$$

Note that $f \to \hat{f}$ is an operator on the function space $L^1(\mathbb{R}^n)$, called the Fourier operator. If $f(x) = f_1(x_1) f_2(x_2) \cdots f_n(x_n)$, then the high dimensional Fourier operator reduces to the product of one dimensional Fourier operators, i.e.

$$\hat{f}(x) = \prod_{i=1}^{n} \hat{f}_i(x_i). \tag{1.1.5}$$

The following are some of the most common and fundamental properties of Fourier transform.

**Lemma 1.1.2** *Suppose $f(x) \in L^1(\mathbb{R}^n)$, $g(x) \in L^1(\mathbb{R}^n)$, then*

*(i) $\widehat{f * g}(x) = \hat{f}(x) \hat{g}(x)$.*

*(ii) Let $a \in \mathbb{R}^n$ be a given vector, and denote by $\tau_a f$ the coordinate translation function, i.e. $\tau_a f(x) = f(x + a)$, $\forall x \in \mathbb{R}^n$. Then $\widehat{\tau_a f}(x) = e^{2\pi i x \cdot a} \hat{f}(x)$.*

*(iii) Let $h(x) = e^{2\pi i x \cdot a} f(x)$; then $\hat{h}(x) = \hat{f}(x - a)$.*

*(iv) Let $\delta \neq 0$ be a real number and $f_\delta(x) = f(\frac{1}{\delta} x)$; then $\widehat{f_\delta}(x) = |\delta|^n \hat{f}_{\delta^{-1}}(x) = |\delta|^n \hat{f}(\delta x)$.*

*(v) Let $A$ be an invertible real matrix of order $n$, namely $A \in GL_n(\mathbb{R})$, and define $f \circ A(x) = f(Ax)$. Then $\widehat{f \circ A}(x) = |A|^{-1} \hat{f} \circ (A^{-1})^T(x) = |A|^{-1} \hat{f}((A^{-1})^T x)$, where $A^T$ is the transpose matrix of $A$ and $|A|$ denotes the absolute value of $\det(A)$.*

*Proof* By definition, we have

$$\widehat{f * g}(x) = \int_{\mathbb{R}^n} f * g(\xi) e^{-2\pi i x \cdot \xi} \mathrm{d}\xi = \int_{\mathbb{R}^n} \left( \int_{\mathbb{R}^n} f(\xi - y) g(y) \mathrm{d}y \right) e^{-2\pi i x \cdot \xi} \mathrm{d}\xi.$$

Taking the variable substitution $\xi - y = y'$, then $\xi = y + y'$ and $\mathrm{d}\xi = \mathrm{d}y'$, so we have

$$\widehat{f * g}(x) = \int_{\mathbb{R}^n} g(y) e^{-2\pi i x \cdot y} \mathrm{d}y \cdot \int_{\mathbb{R}^n} f(y') e^{-2\pi i x \cdot y'} \mathrm{d}y' = \hat{f}(x) \hat{g}(x),$$

property (i) is proved. Based on the definition of Fourier transform, we have

$$\widehat{\tau_a f}(x) = \int_{\mathbb{R}^n} f(\xi + a) e^{-2\pi i x \cdot \xi} \mathrm{d}\xi = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot (y - a)} \mathrm{d}y = e^{2\pi i x \cdot a} \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot y} \mathrm{d}y = e^{2\pi i x \cdot a} \hat{f}(x),$$

property (ii) is proved. Similarly, we can obtain (iii). Next, we give the proof of (iv). Since $\delta \neq 0$ and $f_\delta(x) = f(\frac{1}{\delta} x)$,

$$\widehat{f_\delta}(x) = \int_{\mathbb{R}^n} f(\tfrac{1}{\delta} \xi) e^{-2\pi i x \cdot \xi} \mathrm{d}\xi = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot \delta y} |\delta|^n \mathrm{d}y = \int_{\mathbb{R}^n} f(y) e^{-2\pi i (\delta x) \cdot y} |\delta|^n \mathrm{d}y = |\delta|^n \hat{f}(\delta x) = |\delta|^n \hat{f}_{\delta^{-1}}(x).$$

By the condition *<sup>A</sup>* <sup>∈</sup> *G Ln*(R), *<sup>f</sup>* ◦ *<sup>A</sup>*(*x*) <sup>=</sup> *<sup>f</sup>* (*Ax*), then

$$\widehat{f \circ A}(\mathbf{x}) = \int\_{\mathbb{R}^n} f(A\xi) \mathbf{e}^{-2\pi i x \cdot \xi} \, \mathrm{d}\xi.$$

Taking variable substitution, *y* = *A*ξ , then *A*−<sup>1</sup> *y* = ξ , and dξ = |*A*| <sup>−</sup>1d*y*, so

$$\widehat{f \circ A}(x) = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot A^{-1} y} |A|^{-1} \mathrm{d}y = |A|^{-1} \int_{\mathbb{R}^n} f(y) e^{-2\pi i ((A^{-1})^T x) \cdot y} \mathrm{d}y = |A|^{-1} \hat{f}((A^{-1})^T x) = |A|^{-1} \hat{f} \circ (A^{-1})^T(x).$$

Lemma 1.1.2 is proved.

Finally, we give some examples of the Fourier transform.

*Example 1.1* Let *<sup>n</sup>* <sup>=</sup> 1, *<sup>a</sup>* <sup>∈</sup> <sup>R</sup>, *<sup>a</sup>* <sup>&</sup>gt; 0, define the characteristic function 1[−*a*,*a*](*x*) of the closed interval [−*a*, *a*] as

$$1\_{[-a,a]}(x) = \begin{cases} 1, & x \in [-a,a], \\ 0, & x \notin [-a,a]. \end{cases}$$

Then

$$\hat{1}_{[-a,a]}(x) = \frac{\sin 2\pi a x}{\pi x}. \tag{1.1.6}$$

For $n > 1$, let $a = (a_1, a_2, \dots, a_n) \in \mathbb{R}^n$ with each $a_i > 0$; the box $[-a, a]$ is defined as

$$[-a, a] = [-a_1, a_1] \times [-a_2, a_2] \times \cdots \times [-a_n, a_n].$$

Define the characteristic function $1_{[-a,a]}(x)$ of the box $[-a, a]$; then

$$\hat{1}_{[-a,a]}(x) = \prod_{i=1}^n \frac{\sin 2\pi a_i x_i}{\pi x_i}. \tag{1.1.7}$$

*Proof* For the general *n*, it is clear that

$$1_{[-a,a]}(x) = \prod_{i=1}^{n} 1_{[-a_i,a_i]}(x_i).$$

Based on Eq. (1.1.5), we only need to prove Eq. (1.1.6). For $n = 1$ and $a \in \mathbb{R}$, $a > 0$,

$$\hat{1}\_{[-a,a]}(\mathbf{x}) = \int\_{\mathbb{R}} \mathbf{1}\_{[-a,a]}(\xi) \mathbf{e}^{-2\pi i x \xi} d\xi = \int\_{-a}^{a} \mathbf{e}^{-2\pi i x \xi} d\xi = \frac{1}{\pi x} \sin 2\pi a x.$$
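Equation (1.1.6) can be verified numerically by computing the defining integral (1.1.4) by quadrature at a sample point. A sketch assuming NumPy, with made-up values of $a$ and $x$:

```python
import numpy as np

a, x = 1.5, 0.7

# Quadrature of (1.1.4): the transform of the indicator reduces to
# an integral over [-a, a], approximated by a fine Riemann sum.
xi = np.linspace(-a, a, 200001)
dxi = xi[1] - xi[0]
hat_numeric = np.sum(np.exp(-2j * np.pi * x * xi)) * dxi

# Closed form from (1.1.6).
hat_closed = np.sin(2 * np.pi * a * x) / (np.pi * x)
```

The numeric value agrees with the closed form, and the imaginary part vanishes, since the integrand's odd part cancels over the symmetric interval.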

*Example 1.2* Let $f(x) = e^{-\pi |x|^2}$, $x \in \mathbb{R}^n$; then $f(x) \in L^1(\mathbb{R}^n)$ and $\hat{f}(x) = f(x)$, namely $f(x)$ is a fixed point of the Fourier operator, which is also called a dual function.

*Proof* Clearly, *<sup>f</sup>* (*x*) <sup>∈</sup> *<sup>L</sup>*<sup>1</sup>(R*<sup>n</sup>*). To prove the fixed point property of *<sup>f</sup>* (*x*), by definition

$$\hat{f}(x) = \int_{\mathbb{R}^n} e^{-\pi |\xi|^2 - 2\pi i x \cdot \xi} \mathrm{d}\xi = e^{-\pi |x|^2} \int_{\mathbb{R}^n} e^{-\pi |\xi + i x|^2} \mathrm{d}\xi = e^{-\pi |x|^2} \int_{\mathbb{R}^n} e^{-\pi |y|^2} \mathrm{d}y.$$

By one dimensional Poisson integral,

$$\int\_{-\infty}^{+\infty} \mathbf{e}^{-\pi y^2} \mathbf{d}y = 1,\tag{1.1.8}$$

we have the following high dimensional Poisson integral,

$$\int\_{\mathbb{R}^n} \mathbf{e}^{-\pi \left| \mathbf{y} \right|^2} \mathbf{d} \mathbf{y} = 1. \tag{1.1.9}$$

So we get ˆ*f* (*x*) = *f* (*x*).
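The fixed point property of Example 1.2 can be checked numerically in dimension one: a quadrature of (1.1.4) applied to $f(t) = e^{-\pi t^2}$ should reproduce $f$ itself. A sketch assuming NumPy:

```python
import numpy as np

x = 0.8  # a made-up evaluation point

# A fine grid on [-10, 10]; the Gaussian tails beyond are negligible.
t = np.linspace(-10, 10, 200001)
dt = t[1] - t[0]
f = np.exp(-np.pi * t**2)

# Riemann-sum quadrature of the Fourier integral (1.1.4) at the point x.
f_hat = np.sum(f * np.exp(-2j * np.pi * x * t)) * dt
```

The result matches $f(x) = e^{-\pi x^2}$ to high accuracy, confirming $\hat{f} = f$.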

#### **1.2 Discrete Gauss Measure**

From the property of $f(x) = e^{-\pi |x|^2}$ under the Fourier operator introduced in the last section, and the high dimensional Poisson integral formula (1.1.9), we can generalize $f(x)$, as the density function of a random variable, from the standard Gauss distribution to a general Gauss distribution in $\mathbb{R}^n$. We first discuss the Gauss function on $\mathbb{R}^n$.

**Definition 1.2.1** Let *<sup>s</sup>* <sup>&</sup>gt; 0 be a given positive real number, *<sup>c</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>* is a vector. The Gauss function ρ*<sup>s</sup>*,*<sup>c</sup>*(*x*) centered on *c* with parameter *s* is defined as

$$\rho_{s,c}(x) = e^{-\frac{\pi}{s^2} |x - c|^2}, \ x \in \mathbb{R}^n \tag{1.2.1}$$

and

$$\rho_s(x) = \rho_{s,0}(x), \ \rho(x) = \rho_1(x) = e^{-\pi |x|^2}. \tag{1.2.2}$$

From the definition we have

$$\rho_s(x) = \rho(\tfrac{1}{s} x) = e^{-\pi |\frac{x}{s}|^2}$$

and

$$
\rho\_s(\mathbf{x}) = \rho\_s(\mathbf{x}\_1) \dots \rho\_s(\mathbf{x}\_n) .
$$

It can be obtained from Poisson integral formula (1.1.9)

$$\int\_{\mathbb{R}^n} \rho\_s(\mathbf{x}) d\mathbf{x} = \int\_{\mathbb{R}^n} \rho\_{s,c}(\mathbf{x}) d\mathbf{x} = s^n. \tag{1.2.3}$$

**Lemma 1.2.1** *The Fourier transforms of the Gauss functions $\rho_s(x)$ and $\rho_{s,c}(x)$ are*

$$\hat{\rho}_s(x) = s^n \rho_{1/s}(x) = s^n e^{-\pi |s x|^2} \tag{1.2.4}$$

*and*

$$
\hat{\rho}\_{\mathbf{s},\mathbf{c}}(\mathbf{x}) = e^{-2\pi i \mathbf{x} \cdot \mathbf{c}} \mathbf{s}^{n} \rho\_{1/\mathbf{s}}(\mathbf{x}).\tag{1.2.5}
$$

*Proof* By property (iv) of Lemma 1.1.2 and *s* > 0, we have

$$\hat{\rho}_s(x) = s^n \hat{\rho}_{1/s}(x) = s^n \hat{\rho}(s x) = s^n \rho(s x).$$

The last equality follows from Example 1.2 in the previous section, and since $\rho(sx) = \rho_{1/s}(x)$, (1.2.4) holds. By property (ii) of Lemma 1.1.2, we have

$$\hat{\rho}_{s,c}(x) = \widehat{\tau_{-c} \rho_s}(x) = e^{-2\pi i x \cdot c} \hat{\rho}_s(x) = s^n e^{-2\pi i x \cdot c} \rho_{1/s}(x).$$

Lemma 1.2.1 is proved.
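Formula (1.2.4) can likewise be verified numerically in dimension one, where it reads $\hat{\rho}_s(x) = s\, e^{-\pi s^2 x^2}$. A sketch assuming NumPy, with made-up values of $s$ and $x$:

```python
import numpy as np

s, x = 2.0, 0.3

# A fine grid wide enough that the tails of rho_s are negligible.
t = np.linspace(-40, 40, 400001)
dt = t[1] - t[0]
rho_s = np.exp(-np.pi * t**2 / s**2)

# Quadrature of the Fourier integral (1.1.4) at the point x.
lhs = np.sum(rho_s * np.exp(-2j * np.pi * x * t)) * dt

# Closed form s^n * rho_{1/s}(x) from (1.2.4), with n = 1.
rhs = s * np.exp(-np.pi * s**2 * x**2)
```

The two values agree to high accuracy.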

**Lemma 1.2.2** $\rho_{s,c}(x)$ *is uniformly continuous in* $\mathbb{R}^n$, *i.e. for any* $\epsilon > 0$ *there is* $\delta = \delta(\epsilon) > 0$ *such that whenever* $|x - y| < \delta$ *for* $x \in \mathbb{R}^n$, $y \in \mathbb{R}^n$, *we have*

$$|\rho_{s,c}(x) - \rho_{s,c}(y)| < \epsilon.$$

*Proof* By definition, $0 < \rho_{s,c}(x) \leq 1$, hence $\rho_{s,c}(x)$ is uniformly bounded in $\mathbb{R}^n$; we will prove that the derivative $\rho'_{s,c}(x)$ is also uniformly bounded in $\mathbb{R}^n$. We only prove the case of $c = 0$. Since $\rho_s(x) = \rho_s(x_1) \cdots \rho_s(x_n)$, without loss of generality let $n = 1$ and $t \in \mathbb{R}$; then

$$\rho\_s'(t) = -\frac{2\pi}{s^2} t \mathbf{e}^{-\frac{\pi}{s^2}t^2}.$$

When $|t| \geq M$ for a suitable constant $M > 0$ (depending on $s$), it is clear that

$$e^{-\frac{\pi}{s^2} t^2} \leq \frac{1}{|t|^2}.$$

Hence, when $|t| \geq M$, we have

$$|\rho'_s(t)| \leq \frac{2\pi}{s^2 |t|} \leq \frac{2\pi}{s^2 M}.$$

For $|t| < M$, by the continuity of $\rho'_s(t)$ we know that $\rho'_s(t)$ is bounded. This proves that $\rho'_{s,c}(x)$ is uniformly bounded in $\mathbb{R}^n$. Let $|\rho'_{s,c}(x)| \leq M_0$, $\forall x \in \mathbb{R}^n$. By the differential mean value theorem, we have

$$|\rho_{s,c}(x) - \rho_{s,c}(y)| = |\rho'_{s,c}(\xi)| \cdot |x - y| \leq M_0 |x - y|.$$


Let $\delta = \epsilon / M_0$; then $|x - y| < \delta$ implies $|\rho_{s,c}(x) - \rho_{s,c}(y)| < \epsilon$. We finish the proof of the lemma.

**Definition 1.2.2** For *<sup>s</sup>* <sup>&</sup>gt; 0, *<sup>c</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>*, define the continuous Gauss density function *Ds*,*<sup>c</sup>*(*x*) as

$$D\_{s,c}(\mathbf{x}) = \frac{1}{s^n} \rho\_{s,c}(\mathbf{x}), \quad \forall \mathbf{x} \in \mathbb{R}^n. \tag{1.2.6}$$

The definition gives that

$$\int\_{\mathbb{R}^n} D\_{s,c}(\mathbf{x}) \mathrm{d}x = \frac{1}{s^n} \int\_{\mathbb{R}^n} \rho\_{s,c}(\mathbf{x}) \mathrm{d}x = 1.$$

Thus, a continuous Gauss density function $D_{s,c}(x)$ corresponds to a continuous random vector from a Gauss distribution in $\mathbb{R}^n$, and this correspondence is one-to-one.

**Definition 1.2.3** Suppose $f(x) : \mathbb{R}^n \to \mathbb{C}$ is a function of $n$ variables and $A \subset \mathbb{R}^n$ is a finite or countable set in $\mathbb{R}^n$; define $f(A)$ as

$$f(A) = \sum\_{\mathbf{x} \in A} f(\mathbf{x}).\tag{1.2.7}$$

The continuous Gauss density function $D_{s,c}(x)$ is also called the continuous Gauss measure. In order to implement the transformation from continuous measure to discrete measure and define random variables on discrete geometries in $\mathbb{R}^n$, the following lemma is an important theoretical support.

**Lemma 1.2.3** *Let L* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup> be a full-rank lattice, then*

$$D\_{s,c}(L) = \sum\_{\mathbf{x} \in L} D\_{s,c}(\mathbf{x}) < \infty.$$

*Proof* From definition,

$$D\_{s,c}(L) = \frac{1}{s^n} \sum\_{\mathbf{x} \in L} \rho\_{s,c}(\mathbf{x}) = \frac{1}{s^n} \sum\_{\mathbf{x} \in L} \mathbf{e}^{-\frac{\pi}{s^2} |\mathbf{x} - c|^2}.$$

By the property of the exponential function $e^t$, there exists a constant $M_0 > 0$ such that when $|x - c| > M_0$,

$$e^{-\frac{\pi}{s^2} |x - c|^2} \leq \frac{s^2}{\pi |x - c|^2}. \tag{1.2.8}$$

Thus, we can divide the points on the lattice *L* into two sets. Let

$$A_1 = L \cap \{ x \in \mathbb{R}^n \mid |x - c| \leq M_0 \} = L \cap N(c, M_0)$$

and

$$A\_2 = L \cap \{ \mathbf{x} \in \mathbb{R}^n \mid |\mathbf{x} - \mathbf{c}| > M\_0 \}.$$

From (1.0.6) we have

$$\sum_{x \in A_1} e^{-\frac{\pi}{s^2} |x - c|^2} \leq \sum_{x \in A_1} 1 = \# A_1 < \infty.$$

Based on (1.2.8),

$$\sum_{x \in A_2} e^{-\frac{\pi}{s^2} |x - c|^2} \leq \sum_{x \in A_2} \frac{s^2}{\pi |x - c|^2} < \infty. \tag{1.2.9}$$

Since *A*<sup>2</sup> is a countable set, the right hand side of the above inequality is clearly a convergent series. Combining the above two estimations, we have *Ds*,*<sup>c</sup>*(*L*) < ∞, the lemma is proved.
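The convergence asserted by Lemma 1.2.3 can be observed numerically: truncating the sum defining $D_{s,c}(L)$ to larger and larger boxes of integer coordinates produces partial sums that stabilize almost immediately, because the Gauss weights decay so fast. A sketch assuming NumPy, with a made-up basis and parameters:

```python
import itertools

import numpy as np

# Made-up basis and Gauss parameters.
B = np.array([[2.0, 1.0],
              [0.0, 2.0]])
s = 1.5
c = np.array([0.3, -0.4])
n = 2

def partial_sum(box):
    """Truncation of D_{s,c}(L) to integer coordinates z with |z_i| <= box."""
    total = 0.0
    for z in itertools.product(range(-box, box + 1), repeat=n):
        v = B @ np.array(z, dtype=float)
        total += np.exp(-np.pi * np.dot(v - c, v - c) / s**2)
    return total / s**n

S5 = partial_sum(5)
S10 = partial_sum(10)  # enlarging the box changes the sum only negligibly
```

All terms are positive, so the partial sums increase with the box, yet the increment from box 5 to box 10 is already far below machine precision: the series converges and $D_{s,c}(L) < \infty$.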

To give a clearer explanation of (1.2.9), we provide another proof of Lemma 1.2.3. First we prove the following lemma.

**Lemma 1.2.4** *Let $A \in \mathbb{R}^{n \times n}$ be an invertible square matrix of order $n$, so that $T = A^T A$ is a positive definite real symmetric matrix. Let $\delta$ be the smallest eigenvalue of $T$ and $\delta^*$ the biggest eigenvalue of $T$; we have $0 < \delta \leq \delta^*$, and*

$$\sqrt{\delta} \leq |A x| \leq \sqrt{\delta^*}, \quad x \in S, \tag{1.2.10}$$

*where $S = \{ x \in \mathbb{R}^n \mid |x| = 1 \}$ is the unit sphere in* $\mathbb{R}^n$.

*Proof* Since *T* is a positive definite real symmetric matrix, so all eigenvalues δ1, δ2,...,δ*<sup>n</sup>* of *T* are positive, and there is an orthogonal matrix *P* such that

$$P^T T P = \text{diag}\{\delta\_1, \delta\_2, \dots, \delta\_n\}.$$

Hence,

$$|Ax|^2 = x^T Tx = x^T P(P^T T P) P^T x.$$

Since *P<sup>T</sup> T P* is a diagonal matrix, we have

$$\delta |P^T x|^2 \leq |A x|^2 \leq \delta^* |P^T x|^2.$$

If $x \in S$, then $|P^T x| = |x| = 1$, so we have $\sqrt{\delta} \leq |A x| \leq \sqrt{\delta^*}$.

By Lemma 1.2.4, since $S$ is a compact set and $|A x|$ is a continuous function on $S$, $|A x|$ achieves its maximum value on $S$. This maximum value is defined as $||A||$,

$$||A|| = \max\{|Ax| \: \mid \: |x| = 1\}.\tag{1.2.11}$$

We call $||A||$ the matrix norm of $A$, and Lemma 1.2.4 shows that

$$
\sqrt{\delta} \leqslant ||A|| \leqslant \sqrt{\delta^\*}, \quad \forall A \in GL\_n(\mathbb{R}).\tag{1.2.12}
$$
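The bounds (1.2.12) can be checked numerically: the matrix norm $||A||$ of (1.2.11) is the spectral norm, and it equals $\sqrt{\delta^*}$, the square root of the biggest eigenvalue of $T = A^T A$. A sketch assuming NumPy, with a made-up invertible matrix:

```python
import numpy as np

# A made-up invertible matrix A; T = A^T A is positive definite symmetric.
A = np.array([[2.0, 1.0, 0.0],
              [0.0, 3.0, 1.0],
              [1.0, 0.0, 2.0]])

T = A.T @ A
eigs = np.linalg.eigvalsh(T)       # eigenvalues of T in ascending order
delta, delta_star = eigs[0], eigs[-1]

norm_A = np.linalg.norm(A, ord=2)  # spectral norm: max of |Ax| over |x| = 1
```

Here $\sqrt{\delta} \leq ||A||$ and $||A|| = \sqrt{\delta^*}$ hold up to floating point error.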

**Another proof of Lemma 1.2.3** Let $L = L(B)$ be any full-rank lattice, where $B$ is the generator matrix of $L$. By definition we have

$$D_{s,c}(L) = \sum_{x \in L} D_{s,c}(x) = \frac{1}{s^n} \sum_{x \in L} e^{-\frac{\pi}{s^2} |x - c|^2} = \frac{1}{s^n} \sum_{x \in \mathbb{Z}^n} e^{-\frac{\pi}{s^2} |B x - c|^2}. \tag{1.2.13}$$


From Lemma 1.2.4,

$$\frac{|\mathcal{B}^{-1}\boldsymbol{x}|}{|\boldsymbol{x}|} \leqslant ||\mathcal{B}^{-1}|| \Rightarrow |\mathcal{B}^{-1}\boldsymbol{x}| \leqslant ||\mathcal{B}^{-1}|| \, |\boldsymbol{x}|, \,\forall \boldsymbol{x} \in \mathbb{R}^{n}.$$

Let $x = B y$, and let $\delta^*$ be the biggest eigenvalue of $(B^{-1})^T B^{-1}$, so that $||B^{-1}|| \leq \sqrt{\delta^*}$ by (1.2.12); we have

$$|y| \leq ||B^{-1}|| \, |B y| \Rightarrow |B y| \geq \frac{1}{||B^{-1}||} |y| \geq |y| / \sqrt{\delta^*}, \ \forall y \in \mathbb{R}^n. \tag{1.2.14}$$

The property of the exponential function implies that,

$$\sum_{x \in \mathbb{Z}^n,\, |B x - c| > M} e^{-\frac{\pi}{s^2} |B x - c|^2} \leq \sum_{x \in \mathbb{Z}^n,\, |B x - c| \neq 0} \frac{s^{2n}}{\pi^n |B x - c|^{2n}}. \tag{1.2.15}$$

By (1.2.14),

$$|Bx - c|^{2n} = |B(\mathbf{x} - B^{-1}c)|^{2n} \geqslant |\mathbf{x} - B^{-1}c|^{2n}/(\delta^\*)^n.$$

Denote *x* = (*x*<sub>1</sub>,..., *x<sub>n</sub>*) and *B*<sup>−1</sup>*c* = (*u*<sub>1</sub>,..., *u<sub>n</sub>*); then by the AM–GM inequality,

$$|\mathbf{x} - B^{-1}\mathbf{c}|^{2n} = \Big(\sum\_{i=1}^{n} (x\_i - u\_i)^2\Big)^n \geqslant \Big(n\sqrt[n]{\prod\_{i=1}^n (x\_i - u\_i)^2}\Big)^n = n^n \prod\_{i=1}^n (x\_i - u\_i)^2.$$

By (1.2.15),

$$\sum\_{\mathbf{x}\in\mathbb{Z}^{n},|B\mathbf{x}-\mathbf{c}|\neq 0} \frac{s^{2n}}{\pi^{n}|B\mathbf{x}-\mathbf{c}|^{2n}} \leqslant \sum\_{\mathbf{x}\in\mathbb{Z}^{n},|B\mathbf{x}-\mathbf{c}|\neq 0} \frac{s^{2n}(\delta^{\*})^{n}}{\pi^{n}n^{n}} \cdot \frac{1}{\prod\_{i=1}^{n}(x\_{i}-u\_{i})^{2}},$$

$$=\frac{s^{2n}(\delta^{\*})^{n}}{\pi^{n}n^{n}}\sum\_{x\_{1}\in\mathbb{Z}}\frac{1}{(x\_{1}-u\_{1})^{2}}\sum\_{x\_{2}\in\mathbb{Z}}\frac{1}{(x\_{2}-u\_{2})^{2}}\cdots\sum\_{x\_{n}\in\mathbb{Z}}\frac{1}{(x\_{n}-u\_{n})^{2}},$$

every infinite series on the right hand side of the above equation converges, hence, *Ds*,*<sup>c</sup>*(*L*) < ∞.

By Lemma 1.2.3, we define the discrete Gauss density function *DL*,*s*,*<sup>c</sup>*(*x*) as

$$D\_{L,s,c}(\mathbf{x}) = \frac{D\_{s,c}(\mathbf{x})}{D\_{s,c}(L)} = \frac{\rho\_{s,c}(\mathbf{x})}{\rho\_{s,c}(L)}.\tag{1.2.16}$$

Trivially, we have

$$\sum\_{\mathbf{x} \in L} D\_{L,s,\mathbf{c}}(\mathbf{x}) = 1.$$

So *DL*,*s*,*<sup>c</sup>*(*x*) corresponds to a random variable from Gauss distribution defined on the lattice *L* (discrete geometry) with parameters *s* and *c*.
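As a numerical sanity check of (1.2.13) and (1.2.16) (the basis *B*, parameters *s*, *c*, and the truncation radius below are illustrative choices, not from the text), the truncated sums stabilize quickly and the normalized density sums to 1:

```python
import itertools
import math

def rho_sc(x, s, c):
    # Gauss function rho_{s,c}(x) = exp(-pi * |x - c|^2 / s^2)
    return math.exp(-math.pi * sum((xi - ci) ** 2 for xi, ci in zip(x, c)) / s ** 2)

def D_sc(B, s, c, R):
    # Truncated version of D_{s,c}(L) = (1/s^n) * sum over x in Z^n of rho_{s,c}(Bx)
    n = len(B)
    total = 0.0
    for z in itertools.product(range(-R, R + 1), repeat=n):
        Bz = tuple(sum(B[i][j] * z[j] for j in range(n)) for i in range(n))
        total += rho_sc(Bz, s, c)
    return total / s ** n

B = [[2, 1], [0, 1]]       # example full-rank basis (rows of the matrix)
s, c = 1.5, (0.3, -0.7)

# The truncated sums stabilize quickly, illustrating D_{s,c}(L) < infinity.
stable = abs(D_sc(B, s, c, 10) - D_sc(B, s, c, 14)) < 1e-12

# The normalized values D_{L,s,c}(x) = D_{s,c}(x) / D_{s,c}(L) sum to 1.
total = D_sc(B, s, c, 14)
mass = sum(rho_sc((2 * z0 + z1, z1), s, c) / s ** 2 / total
           for z0 in range(-14, 15) for z1 in range(-14, 15))
```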

**Definition 1.2.4** Let *L* = *L*(*B*) ⊂ R*<sup>n</sup>* be a lattice with full rank, *s* > 0 a given positive real number, and *c* ∈ R*<sup>n</sup>* a given vector. Define the discrete Gauss measure function *g*<sub>*L*,*s*,*c*</sub>(*x*) as a function on the basic neighborhood *F*(*B*) of *L*,

$$g\_{L,s,\mathbf{c}}(\mathbf{x}) = D\_{s,\mathbf{c}}(\overline{\mathbf{x}}) = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,\mathbf{c}}(\mathbf{x} + \mathbf{y}), \ \mathbf{x} \in F(B). \tag{1.2.17}$$

By definition and (1.2.3), it is clear that

$$\int\_{F(\mathcal{B})} \mathcal{g}\_{L,\mathbf{s},\mathbf{c}}(\mathbf{x}) d\mathbf{x} = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \int\_{F(\mathcal{B})} \rho\_{\mathbf{s},\mathbf{c}}(\mathbf{x} + \mathbf{y}) d\mathbf{x} = \frac{1}{s^n} \int\_{\mathbb{R}^n} \rho\_{\mathbf{s},\mathbf{c}}(\mathbf{x}) d\mathbf{x} = 1. \tag{1.2.18}$$

Thus, the density function *gL*,*s*,*<sup>c</sup>*(*x*) defined on the basic neighborhood *F*(*B*) corresponds to a continuous random variable on *F*(*B*), denoted as *Ds*,*<sup>c</sup>*mod*L*.

**Lemma 1.2.5** *The random variable D*<sub>*s*,*c*</sub> mod *L is actually defined on the additive quotient group* R*<sup>n</sup>*/*L.*

*Proof* *F*(*B*) is a set of representative elements of the additive quotient group R*<sup>n</sup>*/*L*. We need only prove that the discrete Gauss function *g*<sub>*L*,*s*,*c*</sub>(*x*) remains unchanged on any set of representative elements of R*<sup>n</sup>*/*L*; then *D*<sub>*s*,*c*</sub> mod *L* can be regarded as a random variable on the additive quotient group R*<sup>n</sup>*/*L*. That is, we show that if *x*<sub>1</sub>, *x*<sub>2</sub> ∈ R*<sup>n</sup>* with *x*<sub>1</sub> ≡ *x*<sub>2</sub> (mod *L*), then *g*<sub>*L*,*s*,*c*</sub>(*x*<sub>1</sub>) = *g*<sub>*L*,*s*,*c*</sub>(*x*<sub>2</sub>). By definition,

$$g\_{L,s,\mathbf{c}}(\mathbf{x}\_1) = D\_{s,\mathbf{c}}(\bar{\mathbf{x}}\_1) = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,\mathbf{c}}(\mathbf{x}\_1 + \mathbf{y}).$$

Since *x*<sub>1</sub> = *x*<sub>2</sub> + *y*<sub>0</sub> for some *y*<sub>0</sub> ∈ *L*, we have

$$\begin{aligned} g\_{L,s,c}(\mathbf{x}\_1) &= \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,c}(\mathbf{x}\_1 + \mathbf{y}) = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,c}(\mathbf{x}\_2 + \mathbf{y}\_0 + \mathbf{y}) \\\\ &= \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,c}(\mathbf{x}\_2 + \mathbf{y}) = D\_{s,c}(\bar{\mathbf{x}}\_2) = \mathbf{g}\_{L,s,c}(\mathbf{x}\_2). \end{aligned}$$

Since *x*<sub>1</sub> ≡ *x*<sub>2</sub> (mod *L*), *x̄*<sub>1</sub> = *x̄*<sub>2</sub> is the same additive coset in the quotient group R*<sup>n</sup>*/*L*. Thus, the discrete Gauss measure *g*<sub>*L*,*s*,*c*</sub>(*x*) can be defined on any basic neighborhood of *L*, and the corresponding random variable *D*<sub>*s*,*c*</sub> mod *L* is actually defined on the quotient group R*<sup>n</sup>*/*L*.
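A small numerical sketch of Lemma 1.2.5 (the basis vectors, parameters, and truncation radius are arbitrary choices for illustration): shifting the argument by a lattice vector leaves the truncated sum defining *g*<sub>*L*,*s*,*c*</sub> unchanged up to negligible truncation error.

```python
import itertools
import math

def g(x, s, c, b1, b2, R=15):
    # g_{L,s,c}(x) = (1/s^n) * sum over y in L of exp(-pi |x + y - c|^2 / s^2), truncated
    total = 0.0
    for z1, z2 in itertools.product(range(-R, R + 1), repeat=2):
        y = (z1 * b1[0] + z2 * b2[0], z1 * b1[1] + z2 * b2[1])
        d2 = (x[0] + y[0] - c[0]) ** 2 + (x[1] + y[1] - c[1]) ** 2
        total += math.exp(-math.pi * d2 / s ** 2)
    return total / s ** 2

b1, b2 = (1.0, 1.0), (0.0, 2.0)    # example basis of a 2-D lattice
s, c = 1.3, (0.2, 0.5)
x1 = (0.3, 0.4)
# x2 = x1 + 2*b1 - b2 is congruent to x1 modulo L
x2 = (x1[0] + 2 * b1[0] - b2[0], x1[1] + 2 * b1[1] - b2[1])
diff = abs(g(x1, s, c, b1, b2) - g(x2, s, c, b1, b2))
```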

#### **1.3 Smoothing Parameter**

For a given full-rank lattice *L* ⊂ R*<sup>n</sup>*, in the previous section we defined the discrete Gauss measure *g*<sub>*L*,*s*,*c*</sub>(*x*) and the corresponding continuous random variable *D*<sub>*s*,*c*</sub> mod *L* on the basic neighborhood *F*(*B*) of *L*. In this section, we discuss an important parameter of Gauss measures on lattices: the smoothing parameter. The concept of the smoothing parameter was introduced by Micciancio and Regev (Micciancio and Regev 2004). We begin with the following lemma.

**Lemma 1.3.1** *For a given lattice L* ⊂ R*<sup>n</sup>*, *we have*

$$\lim\_{s \to \infty} \sum\_{\mathbf{x} \in L} \rho\_{1/s}(\mathbf{x}) = 1$$

*or equivalently*

$$\lim\_{s \to \infty} \sum\_{x \in L \backslash \{0\}} \rho\_{1/s}(x) = 0.$$

*Proof* By the property of the exponential function, when |*x*| > *M*<sub>0</sub> (*M*<sub>0</sub> a positive constant), then

$$\mathbf{e}^{-\pi s^2 |\mathbf{x}|^2} \leqslant \frac{1}{\pi s^2 |\mathbf{x}|^2}.$$

So

$$\sum\_{\mathbf{x}\in L} \rho\_{1/s}(\mathbf{x}) = \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi s^2 |\mathbf{x}|^2} \leqslant \sum\_{|\mathbf{x}| \leqslant M\_0, \mathbf{x} \in L} \mathbf{e}^{-\pi s^2 |\mathbf{x}|^2} + \frac{1}{\pi s^2} \sum\_{|\mathbf{x}| > M\_0, \mathbf{x} \in L} \frac{1}{|\mathbf{x}|^2}.$$

The first sum on the right-hand side has only a finite number of terms, and only the term *x* = **0** survives in the limit, so

$$\lim\_{s \to \infty} \sum\_{|\mathbf{x}| \leqslant M\_0, \mathbf{x} \in L} \mathbf{e}^{-\pi s^2 |\mathbf{x}|^2} = 1.$$

The second part of the above equation is a convergent series, therefore,

$$\lim\_{s \to \infty} \frac{1}{\pi s^2} \sum\_{|\boldsymbol{x}| > M\_0, \boldsymbol{x} \in L} \frac{1}{|\boldsymbol{x}|^2} = 0.$$

This completes the proof.
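Lemma 1.3.1 can be illustrated numerically on *L* = Z² (the truncation radius is an illustrative choice): ρ<sub>1/*s*</sub>(*L*\{0}) decreases monotonically toward 0 as *s* grows.

```python
import itertools
import math

def rho_inv_s_nonzero(s, n=2, R=10):
    # rho_{1/s}(Z^n \ {0}) = sum over nonzero x in Z^n of exp(-pi * s^2 * |x|^2)
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        if any(x):
            total += math.exp(-math.pi * s ** 2 * sum(t * t for t in x))
    return total

vals = [rho_inv_s_nonzero(s) for s in (1, 2, 4, 8)]
```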

By Definition 1.2.3, we have ρ<sub>1/*s*</sub>(*L*) = Σ<sub>*x*∈*L*</sub> ρ<sub>1/*s*</sub>(*x*), and ρ<sub>1/*s*</sub>(*L*) is a monotone decreasing function of *s*. When *s* → ∞, ρ<sub>1/*s*</sub>(*L*) decreases monotonically to 1. This motivates the definition of the smoothing parameter.

**Definition 1.3.1** Let *L* ⊂ R*<sup>n</sup>* be a lattice with full rank and *L*<sup>∗</sup> the dual lattice of *L*. For any ε > 0, define the smoothing parameter η<sub>ε</sub>(*L*) of *L* as

$$\eta\_{\epsilon}(L) = \min\{s \mid s > 0, \ \rho\_{1/s}(L^\*) < 1 + \epsilon\}.\tag{1.3.1}$$

Equivalently,

$$\eta\_{\epsilon}(L) = \min\{s \mid s > 0, \ \rho\_{1/s}(L^\* \backslash \{0\}) < \epsilon\}.\tag{1.3.2}$$

By definition, the smoothing parameter η<sub>ε</sub>(*L*) of *L* is a monotone decreasing function of ε, namely

$$
\eta\_{\epsilon\_1}(L) \leqslant \eta\_{\epsilon\_2}(L), \quad \text{if } 0 < \epsilon\_2 < \epsilon\_1.
$$
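Since ρ<sub>1/*s*</sub>(*L*<sup>∗</sup>\{0}) is monotone in *s*, η<sub>ε</sub>(*L*) can be approximated by bisection. A sketch for the self-dual lattice Z² (the search interval and truncation are arbitrary choices) also exhibits the monotonicity in ε noted above.

```python
import itertools
import math

def rho_dual_nonzero(s, n=2, R=8):
    # For L = Z^n the dual lattice is Z^n itself, so this is rho_{1/s}(L* \ {0})
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        if any(x):
            total += math.exp(-math.pi * s ** 2 * sum(t * t for t in x))
    return total

def eta(eps, n=2):
    # Bisection on the monotone decreasing function s -> rho_{1/s}(Z^n \ {0})
    lo, hi = 1e-3, 20.0
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if rho_dual_nonzero(mid, n) < eps:
            hi = mid
        else:
            lo = mid
    return hi

e_big, e_small = eta(0.5), eta(0.01)   # eta_{0.5} <= eta_{0.01}
```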

**Definition 1.3.2** Let *<sup>A</sup>* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup>* be a finite or countable set, *<sup>X</sup>* and *<sup>Y</sup>* are two discrete random variables on *A*, the statistical distance between *X* and *Y* is defined as

$$\Delta(X,Y) = \frac{1}{2} \sum\_{a \in A} |\Pr\{X = a\} - \Pr\{Y = a\}|.\tag{1.3.3}$$

If *A* is a continuous region in R*<sup>n</sup>*, *X* and *Y* are continuous random variables on *A*, *T*1(*x*) and *T*2(*x*) are the density functions of *X* and *Y* , respectively, then the statistical distance between *X* and *Y* is defined as

$$\Delta(X,Y) = \frac{1}{2} \int\_{A} |T\_1(\mathbf{x}) - T\_2(\mathbf{x})| \mathrm{d}x. \tag{1.3.4}$$

It can be proved that for any function *f* defined on *A*, we have

$$
\Delta(f(X), f(Y)) \leqslant \Delta(X, Y).
$$
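The inequality Δ(*f*(*X*), *f*(*Y*)) ≤ Δ(*X*, *Y*) is easy to check on small finite distributions; the distributions *P*, *Q* and the map *f* below are arbitrary examples chosen for illustration.

```python
from collections import defaultdict

def stat_dist(P, Q):
    # Delta(X, Y) = (1/2) * sum_a |Pr{X=a} - Pr{Y=a}|
    support = set(P) | set(Q)
    return 0.5 * sum(abs(P.get(a, 0.0) - Q.get(a, 0.0)) for a in support)

def push_forward(P, f):
    # Distribution of f(X) when X has distribution P
    out = defaultdict(float)
    for a, p in P.items():
        out[f(a)] += p
    return dict(out)

P = {0: 0.5, 1: 0.3, 2: 0.2}
Q = {0: 0.2, 1: 0.3, 2: 0.5}
f = lambda a: a % 2
d_before = stat_dist(P, Q)
d_after = stat_dist(push_forward(P, f), push_forward(Q, f))
```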

From (1.2.17) in the last section, *D*<sub>*s*,*c*</sub> mod *L* is a continuous random variable defined on the basic neighborhood *F*(*B*) of the lattice *L* with the density function *g*<sub>*L*,*s*,*c*</sub>(*x*). Let *U*(*F*(*B*)) be a uniform random variable defined on *F*(*B*) with the density function *d*(*x*) = 1/det(*L*). The main result of this section is that the statistical distance between *D*<sub>*s*,*c*</sub> mod *L* and the uniform distribution *U*(*F*(*B*)) can be arbitrarily small.

**Theorem 1.1** *For any s* <sup>&</sup>gt; <sup>0</sup>*, given a lattice with full rank L* <sup>=</sup> *<sup>L</sup>*(*B*) <sup>⊂</sup> <sup>R</sup>*n, L*<sup>∗</sup> *is the dual lattice of L, then the statistical distance between the discrete Gauss distribution and the uniform distribution on the basic neighborhood F*(*B*) *satisfies*

$$
\Delta(D\_{s,c} \bmod L, \, U(F(B))) \leqslant \frac{1}{2} \rho\_{1/s}(L^\* \backslash \{0\}).\tag{1.3.5}
$$

*In particular, for any* ε > 0 *and any s* ≥ η<sub>ε</sub>(*L*)*, we have*

$$
\Delta(D\_{s,c} \bmod L, U(F(\mathcal{B}))) \leqslant \frac{1}{2}\epsilon. \tag{1.3.6}
$$

*To prove Theorem 1.1, we first introduce the following lemma.*

**Lemma 1.3.2** *Suppose f*(*x*) ∈ *L*<sup>1</sup>(R*<sup>n</sup>*) *satisfies the following two conditions:*

*(i)* Σ<sub>*x*∈*L*</sub> |*f*(*x* + *u*)| *converges uniformly in any bounded closed region of* R*<sup>n</sup>* *(with respect to u);*

*(ii)* Σ<sub>*y*∈*L*<sup>∗</sup></sub> |*f̂*(*y*)| *converges. Then*

$$\sum\_{\mathbf{x}\in L} f(\mathbf{x}) = \frac{1}{\det(L)} \sum\_{\mathbf{y}\in L^\*} \hat{f}(\mathbf{y}),$$

*where L* <sup>=</sup> *<sup>L</sup>*(*B*) <sup>⊂</sup> <sup>R</sup>*<sup>n</sup> is a full-rank lattice, L*<sup>∗</sup> *is the dual lattice, det*(*L*) = |*det*(*B*)<sup>|</sup> *is the determinant of the lattice L.*

*Proof* We first consider the case *B* = *I<sub>n</sub>*, where *L* = Z*<sup>n</sup>* and *L*<sup>∗</sup> = Z*<sup>n</sup>*. By condition (i), let *F*(*u*) be

$$F(\mathbf{u}) = \sum\_{\mathbf{x} \in \mathbb{Z}^n} f(\mathbf{x} + \mathbf{u}), \quad \mathbf{u} \in \mathbb{R}^n.$$

Since *F*(*u*) is a periodic function with respect to the lattice Z*<sup>n</sup>*, namely *F*(*u* + *x*) = *F*(*u*) for all *x* ∈ Z*<sup>n</sup>*, we have the following Fourier expansion

$$F(\mathbf{u}) = \sum\_{\mathbf{y} \in \mathbb{Z}^n} a(\mathbf{y}) \mathbf{e}^{2\pi i \mathbf{u} \cdot \mathbf{y}}.\tag{1.3.7}$$

Integrating *F*(*u*)**e**<sup>−2π*iu*·*x*</sup> over *u* ∈ [0, 1]<sup>*n*</sup>:

$$\int\_{[0,1]^n} F(\mathbf{u}) \mathbf{e}^{-2\pi i \mathbf{u} \cdot \mathbf{x}} \mathrm{d}\mathbf{u} = \sum\_{\mathbf{y} \in \mathbb{Z}^n} \int\_{[0,1]^n} a(\mathbf{y}) \mathbf{e}^{2\pi i \mathbf{u} \cdot (\mathbf{y} - \mathbf{x})} \mathrm{d}\mathbf{u} = a(\mathbf{x}), \ \forall \mathbf{x} \in \mathbb{Z}^n.$$

Hence, we have the following Fourier inversion formula:

$$a(\mathbf{y}) = \int\_{[0,1]^n} F(\mathbf{u}) \mathbf{e}^{-2\pi i \mathbf{u} \cdot \mathbf{y}} \mathrm{d}\mathbf{u} = \sum\_{\mathbf{x} \in \mathbb{Z}^n} \int\_{[0,1]^n} f(\mathbf{x} + \mathbf{u}) \mathbf{e}^{-2\pi i (\mathbf{u} + \mathbf{x}) \cdot \mathbf{y}} \mathrm{d}\mathbf{u}$$

$$= \sum\_{\mathbf{x} \in \mathbb{Z}^n} \int\_{\mathbf{x} + [0,1]^n} f(\mathbf{z}) \mathbf{e}^{-2\pi i \mathbf{z} \cdot \mathbf{y}} \mathrm{d}\mathbf{z} = \int\_{\mathbb{R}^n} f(\mathbf{z}) \mathbf{e}^{-2\pi i \mathbf{z} \cdot \mathbf{y}} \mathrm{d}\mathbf{z} = \hat{f}(\mathbf{y}).$$

From the above equation and (1.3.7),

$$F(\mathbf{u}) = \sum\_{\mathbf{y} \in \mathbb{Z}^n} \hat{f}(\mathbf{y}) \mathbf{e}^{2\pi i \mathbf{u} \cdot \mathbf{y}}.$$

Take *u* = 0, we have

$$F(0) = \sum\_{\mathbf{x} \in \mathbb{Z}^n} f(\mathbf{x}) = \sum\_{\mathbf{y} \in \mathbb{Z}^n} \hat{f}(\mathbf{y}),$$

the lemma is proved for *L* = Z*<sup>n</sup>*. For the general case *L* = *L*(*B*), since *L*<sup>∗</sup> = *L*((*B*<sup>−1</sup>)′), we have

$$\sum\_{\mathbf{x}\in L} f(\mathbf{x}) = \sum\_{\mathbf{x}\in \mathbb{Z}^n} f(B\mathbf{x}) = \sum\_{\mathbf{x}\in \mathbb{Z}^n} (f \circ B)(\mathbf{x}),$$

where *f* ◦ *B*(*x*) = *f* (*Bx*). Replace *f* (*x*) with *f* ◦ *B*, then *f* ◦ *B* still satisfies the conditions of this lemma, so

$$\sum\_{\mathbf{x}\in\mathbb{Z}^{n}} f \circ B(\mathbf{x}) = \sum\_{\mathbf{y}\in\mathbb{Z}^{n}} \widehat{f \circ B}(\mathbf{y}).$$

From the definition of Fourier transform,

$$\widehat{f \circ B}(\mathbf{y}) = \int\_{\mathbb{R}^n} f(Bt) \mathbf{e}^{-2\pi i \mathbf{y} \cdot t} \, \mathrm{d}t.$$

Making the variable substitution *t* = *B*<sup>−1</sup>*x*, we get

$$\begin{split} \widehat{f \circ B}(\mathbf{y}) &= \frac{1}{|\det(B)|} \int\_{\mathbb{R}^{n}} f(\mathbf{x}) \mathbf{e}^{-2\pi i \mathbf{y} \cdot B^{-1} \mathbf{x}} \mathrm{d}\mathbf{x} \\\\ &= \frac{1}{|\det(B)|} \int\_{\mathbb{R}^{n}} f(\mathbf{x}) \mathbf{e}^{-2\pi i (B^{-1})' \mathbf{y} \cdot \mathbf{x}} \mathrm{d}\mathbf{x} \\\\ &= \frac{1}{|\det(B)|} \hat{f}((B^{-1})' \mathbf{y}). \end{split}$$

Putting these together,

$$\sum\_{\mathbf{x}\in L} f(\mathbf{x}) = \sum\_{\mathbf{y}\in \mathbb{Z}^n} \widehat{f\circ B}(\mathbf{y}) = \frac{1}{|\det(B)|} \sum\_{\mathbf{y}\in \mathbb{Z}^n} \hat{f}((B^{-1})'\mathbf{y}) = \frac{1}{|\det(B)|} \sum\_{\mathbf{y}\in L^\*} \hat{f}(\mathbf{y}).$$

We finish the proof of this lemma.
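In dimension one the lemma can be verified numerically with the self-dual function *f*(*x*) = **e**<sup>−π*x*²</sup> (so *f̂* = *f*). For *L* = *c*Z we have det(*L*) = *c* and *L*<sup>∗</sup> = (1/*c*)Z; the scale *c* below is an arbitrary choice.

```python
import math

def theta(c, R=200):
    # sum over the one-dimensional lattice cZ of exp(-pi * x^2)
    return sum(math.exp(-math.pi * (c * k) ** 2) for k in range(-R, R + 1))

c = 0.7
lhs = theta(c)              # sum_{x in L} f(x)
rhs = theta(1.0 / c) / c    # (1/det(L)) * sum_{y in L*} f_hat(y)
```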

**The proof of Theorem** 1.1 The density function of the continuous random variable *Ds*,*<sup>c</sup>* mod *L* defined on the basic neighborhood *F*(*B*) of *L* is *gL*,*s*,*<sup>c</sup>*(*x*), from Eq. (1.2.17) and Lemma 1.3.2, we have

$$g\_{L,s,c}(\mathbf{x}) = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,c}(\mathbf{x} + \mathbf{y}) = \frac{1}{s^n} \sum\_{\mathbf{y} \in L} \rho\_{s,c-x}(\mathbf{y}).$$

By (1.2.5), the Fourier transform of ρ*<sup>s</sup>*,*c*−*<sup>x</sup>* (*y*) is

$$
\hat{\rho}\_{\mathbf{s}, \mathbf{c} - \mathbf{x}}(\mathbf{y}) = \mathbf{e}^{-2\pi i \mathbf{y} \cdot (\mathbf{c} - \mathbf{x})} \mathbf{s}^n \rho\_{1/\mathbf{s}}(\mathbf{y}).
$$

Combining with Lemma 1.3.2, we obtain

$$g\_{L,s,c}(\mathbf{x}) = \frac{1}{|\det(B)|} \sum\_{\mathbf{y} \in L^\*} \mathbf{e}^{2\pi i \mathbf{y} \cdot (\mathbf{x} - \mathbf{c})} \rho\_{1/s}(\mathbf{y}).\tag{1.3.8}$$

The density function of the uniformly distributed random variable *U*(*F*(*B*)) on *F*(*B*) is 1/|det(*B*)|; based on the definition of statistical distance,

$$\begin{split} \Delta(D\_{s,c} \bmod L, \, U(F(B))) &= \frac{1}{2} \int\limits\_{F(B)} \Big|g\_{L,s,c}(\mathbf{x}) - \frac{1}{|\det(B)|}\Big| \mathrm{d}\mathbf{x} \\ &= \frac{1}{2} \int\limits\_{F(B)} \Big|\frac{1}{|\det(B)|} \sum\_{\mathbf{y} \in L^\*, \mathbf{y} \neq \mathbf{0}} \mathbf{e}^{2\pi i \mathbf{y} \cdot (\mathbf{x} - \mathbf{c})} \rho\_{1/s}(\mathbf{y})\Big| \mathrm{d}\mathbf{x} \\ &\leqslant \frac{1}{2} \mathrm{Vol}(F(B)) \det(L^\*) \max\_{\mathbf{x} \in F(B)} \Big|\sum\_{\mathbf{y} \in L^\* \backslash \{0\}} \mathbf{e}^{2\pi i \mathbf{y} \cdot (\mathbf{x} - \mathbf{c})} \rho\_{1/s}(\mathbf{y})\Big| \\ &\leqslant \frac{1}{2} \sum\_{\mathbf{y} \in L^\* \backslash \{0\}} \rho\_{1/s}(\mathbf{y}) = \frac{1}{2} \rho\_{1/s}(L^\* \backslash \{0\}). \end{split}$$

So (1.3.5) in Theorem 1.1 is proved. From the definition of the smoothing parameter η<sub>ε</sub>(*L*), when *s* ≥ η<sub>ε</sub>(*L*), we have

$$
\rho\_{1/s}(L^\*\backslash\{0\}) < \epsilon.
$$

Therefore, if *s* ≥ η<sub>ε</sub>(*L*), we have

$$
\Delta(D\_{\mathfrak{s},\mathfrak{c}} \bmod L, \, U(F(B))) \leqslant \frac{1}{2}\epsilon.
$$

Thus, Theorem 1.1 is proved.
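Theorem 1.1 can be checked numerically for *L* = Z (so det(*L*) = 1 and Z<sup>∗</sup> = Z); the parameters and grid size below are illustrative choices.

```python
import math

def g(x, s, c, K=40):
    # Density of D_{s,c} mod Z on [0,1): (1/s) * sum_k exp(-pi (x + k - c)^2 / s^2)
    return sum(math.exp(-math.pi * (x + k - c) ** 2 / s ** 2)
               for k in range(-K, K + 1)) / s

def stat_dist_to_uniform(s, c, m=2000):
    # (1/2) * integral over [0,1) of |g(x) - 1| dx, by the midpoint rule
    return 0.5 * sum(abs(g((i + 0.5) / m, s, c) - 1.0) for i in range(m)) / m

def rho_dual_nonzero(s, R=50):
    # rho_{1/s}(Z \ {0}) for the self-dual lattice Z
    return 2.0 * sum(math.exp(-math.pi * (s * y) ** 2) for y in range(1, R + 1))

s, c = 1.0, 0.37
lhs = stat_dist_to_uniform(s, c)       # actual statistical distance
rhs = 0.5 * rho_dual_nonzero(s)        # bound (1.3.5)
```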

Another application of Lemma 1.3.2 is to prove the following inequality.

**Lemma 1.3.3** *Let a* ≥ 1 *be a given positive real number; then*

$$\sum\_{\mathbf{x}\in L} \mathbf{e}^{-\frac{\pi}{a}|\mathbf{x}|^{2}} \leqslant a^{\frac{n}{2}} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi |\mathbf{x}|^{2}}.\tag{1.3.9}$$

*Proof* By Definition 1.2.1, the summand on the left-hand side of the above inequality can be written as

$$\rho\_{\sqrt{a}}(\mathbf{x}) = \mathbf{e}^{-\frac{\pi}{a}|\mathbf{x}|^{2}}, \ s = \sqrt{a}.$$

Since ρ*s*(*x*) satisfies the conditions of Lemma 1.3.2, we have

$$\sum\_{\mathbf{x}\in L} \rho\_{\mathbf{s}}(\mathbf{x}) = \det(L^\*) \sum\_{\mathbf{x}\in L^\*} \hat{\rho}\_{\mathbf{s}}(\mathbf{x}) = \det(L^\*) \sum\_{\mathbf{x}\in L^\*} \mathbf{s}^n \rho\_{1/\mathbf{s}}(\mathbf{x}) .$$

Obviously ρ<sub>*s*</sub>(*x*) is a monotone increasing function of *s*; taking *s* = √*a* ≥ 1, we get

$$\sum\_{\mathbf{x} \in L} \rho\_{\sqrt{a}}(\mathbf{x}) = a^{\frac{n}{2}} \det(L^\*) \sum\_{\mathbf{x} \in L^\*} \rho\_{\frac{1}{\sqrt{a}}}(\mathbf{x}) \leqslant a^{\frac{n}{2}} \det(L^\*) \sum\_{\mathbf{x} \in L^\*} \rho(\mathbf{x}),$$

$$= a^{\frac{n}{2}} \sum\_{\mathbf{x} \in L} \rho(\mathbf{x}) = a^{\frac{n}{2}} \sum\_{\mathbf{x} \in L} \mathbf{e}^{-\pi |\mathbf{x}|^2}.$$

We complete the proof of Lemma 1.3.3.
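A quick numerical check of (1.3.9) on *L* = Z² (the values of *a* and the truncation radius are arbitrary choices):

```python
import itertools
import math

def rho_scaled(a, n=2, R=12):
    # sum over Z^n of exp(-pi * |x|^2 / a)
    return sum(math.exp(-math.pi * sum(t * t for t in x) / a)
               for x in itertools.product(range(-R, R + 1), repeat=n))

n = 2
base = rho_scaled(1.0, n)
checks = [rho_scaled(a, n) <= a ** (n / 2) * base + 1e-9
          for a in (1.0, 2.0, 5.0, 10.0)]
```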

Let *N* = *N*(0, 1) be the unit ball in R*<sup>n</sup>*, namely

$$N = \{ \mathbf{x} \in \mathbb{R}^n \mid |\mathbf{x}| \le 1 \}.$$

**Lemma 1.3.4** *Suppose L* ⊂ R*<sup>n</sup>* *is a lattice with full rank,* $c > \frac{1}{\sqrt{2\pi}}$ *is a positive real number,* $C = c\sqrt{2\pi e} \cdot \mathbf{e}^{-\pi c^2}$*, and* v ∈ R*<sup>n</sup>*; *then*

$$
\rho(L \backslash c\sqrt{n}N) < C^n \rho(L), \text{ and } \rho((L+v)\backslash c\sqrt{n}N) < 2C^n \rho(L).
$$

*That is,*

$$\sum\_{\mathbf{x}\in L,\mathbf{x}\notin c\sqrt{n}N} \mathbf{e}^{-\pi|\mathbf{x}|^{2}} < C^{n} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi|\mathbf{x}|^{2}},\tag{1.3.10}$$

$$\sum\_{\mathbf{x}\in L+\mathbf{v},\mathbf{x}\notin c\sqrt{n}N} \mathbf{e}^{-\pi|\mathbf{x}|^{2}} < 2C^{n} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi|\mathbf{x}|^{2}}.$$

*Proof* We prove the first inequality. Let *t* be a positive real number with 0 < *t* < 1; then

$$\begin{aligned} \sum\_{\boldsymbol{x}\in L} \mathbf{e}^{-\pi t \|\boldsymbol{x}\|^2} &= \sum\_{\boldsymbol{x}\in L} \mathbf{e}^{\pi(1-t)\|\boldsymbol{x}\|^2} \cdot \mathbf{e}^{-\pi \|\boldsymbol{x}\|^2} \\ &> \sum\_{\boldsymbol{x}\in L, \, \|\boldsymbol{x}\|^2 \geqslant c^2 n} \mathbf{e}^{\pi(1-t)\|\boldsymbol{x}\|^2} \cdot \mathbf{e}^{-\pi \|\boldsymbol{x}\|^2} \\ &\ge \mathbf{e}^{\pi(1-t)c^2 n} \sum\_{\boldsymbol{x}\in L, \, \|\boldsymbol{x}\|^2 \geqslant c^2 n} \mathbf{e}^{-\pi \|\boldsymbol{x}\|^2} .\end{aligned}$$

In Lemma 1.3.3, take *a* = 1/*t*; then *a* > 1, and we get

$$\sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi t |\mathbf{x}|^2} \leqslant t^{-\frac{n}{2}} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi |\mathbf{x}|^2}.$$

Hence,

$$\sum\_{\mathbf{x}\in L, |\mathbf{x}|^2 \geqslant c^2n} \mathbf{e}^{-\pi|\mathbf{x}|^2} < \mathbf{e}^{-\pi(1-t)c^2n} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi t|\mathbf{x}|^2} \leqslant \mathbf{e}^{-\pi(1-t)c^2n} t^{-\frac{n}{2}} \sum\_{\mathbf{x}\in L} \mathbf{e}^{-\pi|\mathbf{x}|^2}.$$

It implies that

$$
\rho(L \backslash c\sqrt{n}N) < (t^{-\frac{1}{2}}e^{-\pi(1-t)c^2})^n \rho(L).
$$

Let $t = \frac{1}{2\pi c^2}$; then

$$
\rho(L \backslash c\sqrt{n}N) < (c \cdot \sqrt{2\pi e} \cdot \mathbf{e}^{-\pi c^2})^n \rho(L).
$$

The second inequality can be proved in the same way. Lemma 1.3.4 holds.
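Lemma 1.3.4 can be checked numerically on *L* = Z² with *c* = 1 (the truncation radius is an illustrative choice); the same computation also confirms *C* < 1/4, which is used in Theorem 1.2 below.

```python
import itertools
import math

def rho_tail(n, r2_min, R=10):
    # sum of exp(-pi |x|^2) over x in Z^n with |x|^2 > r2_min (r2_min=None: all x)
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        r2 = sum(t * t for t in x)
        if r2_min is None or r2 > r2_min:
            total += math.exp(-math.pi * r2)
    return total

n, c = 2, 1.0
C = c * math.sqrt(2 * math.pi * math.e) * math.exp(-math.pi * c * c)
tail = rho_tail(n, c * c * n)       # rho(Z^n \ c*sqrt(n)*N)
full = rho_tail(n, None)            # rho(Z^n)
```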

Based on the above inequality, we can give an upper bound estimation of the smoothing parameter on lattice, which is a very important result about the smoothing parameter.

**Theorem 1.2** *For any n dimensional full-rank lattice L* <sup>⊂</sup> <sup>R</sup>*n, we have*

$$
\eta\_{2^{-n}}(L) \leqslant \sqrt{n} / \lambda\_1(L^\*). \tag{1.3.11}
$$

*where* λ1(*L*∗) *is the minimal distance of the dual lattice L*<sup>∗</sup> *(see (1.0.4)).*

*Proof* Take *c* = 1 in Lemma 1.3.4, we first prove

$$C = \sqrt{2\pi e} \cdot \mathbf{e}^{-\pi} < \frac{1}{4}.\tag{1.3.12}$$

Squaring and taking logarithms, (1.3.12) is equivalent to

$$
\log(32\pi) + 1 < 2\pi.
$$

Since we have the following inequality,

$$
\log(32\pi) + 1 < \log 128 + 1 < 2\pi.
$$

So (1.3.12) holds. By Lemma 1.3.4, we have

$$
\rho(L^\*\backslash\sqrt{n}N) < C^n\rho(L^\*) = C^n(\rho(L^\*\backslash\sqrt{n}N) + \rho(L^\*\cap\sqrt{n}N)).
$$

Rearranging both sides, we get

$$
\rho(L^\* \backslash \sqrt{n}N) < \frac{C^n}{1 - C^n} \rho(L^\* \cap \sqrt{n}N).
$$

If $s > \sqrt{n}/\lambda\_1(L^\*)$, then for all $\mathbf{x} \in L^\*\backslash\{0\}$,

$$|s\mathbf{x}| \geqslant s \cdot \lambda\_1(L^\*) > \sqrt{n} \Rightarrow sL^\* \cap \sqrt{n}N = \{0\}.$$

Hence,

$$
\rho\_{1/s}(L^\*) = \rho(sL^\*) = 1 + \rho(sL^\* \backslash \sqrt{n}N)
$$

$$
< 1 + \frac{C^n}{1 - C^n} \rho(sL^\* \cap \sqrt{n}N)
$$

$$
= 1 + \frac{C^n}{1 - C^n} < 1 + \frac{2^{-2n}}{2^{-n}} = 2^{-n} + 1.
$$

Take ε = 2<sup>−*n*</sup>; then

$$
\eta\_{2^{-n}}(L) \leqslant \sqrt{n}/\lambda\_1(L^\*).
$$

Theorem 1.2 is obtained.
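Since Z*<sup>n</sup>* is self-dual with λ<sub>1</sub>((Z*<sup>n</sup>*)<sup>∗</sup>) = 1, Theorem 1.2 predicts that *s* = √*n* already brings ρ<sub>1/*s*</sub> of the nonzero dual vectors below 2<sup>−*n*</sup>. A numerical check for small *n* (truncation chosen for illustration):

```python
import itertools
import math

def rho_inv_s_nonzero(s, n, R=6):
    # rho_{1/s}(Z^n \ {0})
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        if any(x):
            total += math.exp(-math.pi * s * s * sum(t * t for t in x))
    return total

# Z^n is self-dual, so the bound eta_{2^-n}(Z^n) <= sqrt(n) means that
# rho_{1/s}(Z^n \ {0}) < 2^-n at s = sqrt(n).
results = [rho_inv_s_nonzero(math.sqrt(n), n) < 2.0 ** (-n) for n in (1, 2, 3, 4)]
```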

According to the proof of Theorem 1.2, we can further improve the upper bound estimation of the smoothing parameter.

**Corollary 1.3.1** *Let*

$$r = \sqrt{\frac{1}{2\pi} + \frac{\log 2\pi}{2\pi} + \frac{1}{n\pi} \log(1 + 2^n)}\quad(<0.82)\tag{1.3.13}$$

*Then for any full-rank lattice L* <sup>⊂</sup> <sup>R</sup>*n, we obtain*

$$
\eta\_{2^{-n}}(L) \lesssim r\sqrt{n}/\lambda\_1(L^\*).\tag{1.3.14}
$$

*Proof* Take *c* > *r* in Lemma 1.3.4; then $c > \frac{1}{\sqrt{2\pi}}$, and

$$C = c \cdot \sqrt{2\pi e} \cdot \mathbf{e}^{-\pi c^2} \Rightarrow \frac{C^n}{1 - C^n} < \frac{1}{2^n}.\tag{1.3.15}$$

By Lemma 1.3.4, for any full-rank lattice *<sup>L</sup>* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup>*, we have

$$
\rho(L^\*\backslash c\sqrt{n}N) < \frac{C^n}{1 - C^n} \rho(L^\*\cap c\sqrt{n}N).
$$

If $s > c\sqrt{n}/\lambda\_1(L^\*)$, then for any $\mathbf{x} \in L^\*\backslash\{0\}$,

$$|sx| \geqslant s\lambda\_1(L^\*) > c\sqrt{n}.$$

Hence,

$$\text{s}L^\* \cap c\sqrt{n}N = \{0\}.$$

Therefore,

$$
\rho\_{1/s}(L^\*) = \rho(sL^\*) = 1 + \rho(sL^\* \backslash c\sqrt{n}N) \\
< 1 + \frac{C^n}{1 - C^n} < 1 + \frac{1}{2^n}.
$$

Finally we have (let *c* → *r*)

$$
\eta\_{2^{-n}}(L) \le r\sqrt{n}/\lambda\_1(L^\*).
$$

Corollary 1.3.1 is proved.

**Corollary 1.3.2** *For any n dimensional full-rank lattice L* <sup>⊂</sup> <sup>R</sup>*n, we have*

$$
\eta\_{2^{-n}}(L) \leqslant \frac{4}{5} \sqrt{n} / \lambda\_1(L^\*). \tag{1.3.16}
$$

*Proof* Take $c = \frac{4}{5}$ in Lemma 1.3.4; then $c > \frac{1}{\sqrt{2\pi}}$, and

$$C = c \cdot \sqrt{2\pi e} \cdot \mathbf{e}^{-\pi c^2} \Rightarrow \frac{C^n}{1 - C^n} < \frac{1}{2^n}.$$

Lemma 1.3.4 implies that for any full-rank lattice *<sup>L</sup>* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup>*, we have

$$
\rho(L^\*\backslash c\sqrt{n}N) < \frac{C^n}{1 - C^n} \rho(L^\*\cap c\sqrt{n}N).
$$

If $s > c\sqrt{n}/\lambda\_1(L^\*)$, then for any $\mathbf{x} \in L^\*\backslash\{0\}$,

$$|sx| \geqslant s\lambda\_1(L^\*) > c\sqrt{n}.$$

Hence,

$$sL^\* \cap c\sqrt{n}N = \{0\}.$$

We get

$$
\rho\_{1/s}(L^\*) = \rho(sL^\*) = 1 + \rho(sL^\* \backslash c\sqrt{n}N) \\
< 1 + \frac{C^n}{1 - C^n} < 1 + \frac{1}{2^n},
$$

which implies that

$$
\eta\_{2^{-n}}(L) \leqslant \frac{4}{5} \sqrt{n} / \lambda\_1(L^\*).
$$

Corollary 1.3.2 is proved.

In the following, we give another classical upper bound estimation for the smoothing parameter. For any *n* dimensional full-rank lattice *L* ⊂ R*<sup>n</sup>*, we have introduced the definition of the minimal distance λ<sub>1</sub>(*L*) on the lattice, which can be generalized as follows. For 1 ≤ *i* ≤ *n*,

$$\lambda\_i(L) = \min\{r \mid \dim(L \cap rN(0, 1)) \geqslant i\}.\tag{1.3.17}$$

λ*i*(*L*) is also called the *i*-th continuous minimal distance of lattice *L*. To give an upper bound estimation of the smoothing parameter, we first prove the following lemma.

**Lemma 1.3.5** *For any n dimensional full-rank lattice L, s* <sup>&</sup>gt; <sup>0</sup>*, c* <sup>∈</sup> <sup>R</sup>*n, then*

$$
\rho\_{\mathbf{s},\mathbf{c}}(L) \leqslant \rho\_{\mathbf{s}}(L). \tag{1.3.18}
$$

*Proof* According to Lemma 1.3.2, we have

$$\begin{aligned} \rho\_{\mathbf{s},\mathbf{c}}(L) &= \det(L^\*) \hat{\rho}\_{\mathbf{s},\mathbf{c}}(L^\*) \\ &= \det(L^\*) \sum\_{\mathbf{y} \in L^\*} \hat{\rho}\_{\mathbf{s},\mathbf{c}}(\mathbf{y}) \\ &= \det(L^\*) \sum\_{\mathbf{y} \in L^\*} \mathbf{e}^{-2\pi i \mathbf{c} \cdot \mathbf{y}} \hat{\rho}\_{\mathbf{s}}(\mathbf{y}) \\ &\le \det(L^\*) \sum\_{\mathbf{y} \in L^\*} \hat{\rho}\_{\mathbf{s}}(\mathbf{y}) = \rho\_{\mathbf{s}}(L), \end{aligned}$$

where we have used ρ̂<sub>*s*,*c*</sub>(*y*) = **e**<sup>−2π*ic*·*y*</sup>ρ̂<sub>*s*</sub>(*y*); this proves the lemma.
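Lemma 1.3.5 says the centered sum dominates every shifted sum. A numerical check on Z² (the parameter *s*, the centers *c*, and the truncation radius are arbitrary choices):

```python
import itertools
import math

def rho_s_c(s, c, n=2, R=10):
    # rho_{s,c}(Z^n) = sum over Z^n of exp(-pi |x - c|^2 / s^2)
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        total += math.exp(-math.pi * sum((xi - ci) ** 2
                                         for xi, ci in zip(x, c)) / s ** 2)
    return total

s = 1.3
centered = rho_s_c(s, (0.0, 0.0))
shifted = [rho_s_c(s, c) for c in ((0.5, 0.5), (0.2, -0.8), (0.0, 0.49))]
```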

**Theorem 1.3** *For any n dimensional full-rank lattice L and any* ε > 0*, we have*

$$
\eta\_{\epsilon}(L) \leqslant \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \lambda\_n(L), \tag{1.3.19}
$$

*where* λ<sub>*n*</sub>(*L*) *is the n-th continuous minimal distance of the lattice L defined by (1.3.17).*

*Proof* Let

$$s = \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \lambda\_n(L),$$

we need to prove ρ<sub>1/*s*</sub>(*L*<sup>∗</sup>\{0}) ≤ ε. From the definition of λ<sub>*n*</sub>(*L*), there are *n* linearly independent vectors v<sub>1</sub>, v<sub>2</sub>,..., v<sub>*n*</sub> in *L* satisfying |v<sub>*i*</sub>| ≤ λ<sub>*n*</sub>(*L*), and for any positive integer *k* > 1, we have v<sub>*i*</sub>/*k* ∉ *L*, 1 ≤ *i* ≤ *n*. The main idea of the proof is to take a partition of *L*<sup>∗</sup>: for any integer *j*, let

$$S\_{i,j} = \{ \mathbf{x} \in L^\* \mid \mathbf{x} \cdot \mathbf{v}\_i = j \} \subset L^\*,$$

for any *y* ∈ *L*<sup>∗</sup>\{0}, there is some v<sub>*i*</sub> with *y* · v<sub>*i*</sub> ≠ 0 (otherwise we would have *y* = 0), which implies *y* ∉ *S*<sub>*i*,0</sub>, i.e. *y* ∈ *L*<sup>∗</sup>\*S*<sub>*i*,0</sub>; so we have

$$L^\*\backslash\{0\} = \cup\_{i=1}^n(L^\*\backslash S\_{i,0}).\tag{1.3.20}$$

To estimate ρ<sub>1/*s*</sub>(*L*<sup>∗</sup>\*S*<sub>*i*,0</sub>), we need some preparations. Let *u*<sub>*i*</sub> = v<sub>*i*</sub>/|v<sub>*i*</sub>|²; then |*u*<sub>*i*</sub>| = 1/|v<sub>*i*</sub>| ≥ 1/λ<sub>*n*</sub>(*L*). For all *j* ∈ Z and all *x* ∈ *S*<sub>*i*,*j*</sub>,

$$(\mathbf{x} - ju\_i) \cdot ju\_i = j\mathbf{x} \cdot u\_i - j^2 u\_i \cdot u\_i = \frac{j^2}{|v\_i|^2} - \frac{j^2}{|v\_i|^2} = 0.$$

Therefore,

$$|\mathbf{x}|^2 = |\mathbf{x} - ju\_i|^2 + |ju\_i|^2.$$

So

$$\rho\_{1/s}(S\_{i,j}) = \sum\_{\mathbf{x} \in S\_{i,j}} \mathbf{e}^{-\pi s^2 |\mathbf{x}|^2}$$

$$= \mathbf{e}^{-\pi s^2 |ju\_i|^2} \sum\_{\mathbf{x} \in S\_{i,j}} \mathbf{e}^{-\pi s^2 |\mathbf{x} - ju\_i|^2}$$

$$= \mathbf{e}^{-\pi s^2 |ju\_i|^2} \rho\_{1/s}(S\_{i,j} - ju\_i). \tag{1.3.21}$$

Since the inner product of any vector in *S*<sub>*i*,*j*</sub> − *ju*<sub>*i*</sub> with v<sub>*i*</sub> is 0, *S*<sub>*i*,*j*</sub> − *ju*<sub>*i*</sub> is actually a translation of *S*<sub>*i*,0</sub>; namely, there is a vector w satisfying *S*<sub>*i*,*j*</sub> − *ju*<sub>*i*</sub> = *S*<sub>*i*,0</sub> − w. In fact, for any *x*<sub>*j*</sub> ∈ *S*<sub>*i*,*j*</sub> and *x*<sub>0</sub> ∈ *S*<sub>*i*,0</sub>, w = *x*<sub>0</sub> − *x*<sub>*j*</sub> + *ju*<sub>*i*</sub> satisfies the equality *S*<sub>*i*,*j*</sub> − *ju*<sub>*i*</sub> = *S*<sub>*i*,0</sub> − w. By Lemma 1.3.5, we have

$$
\rho\_{1/s}(S\_{i,j} - ju\_i) = \rho\_{1/s}(S\_{i,0} - \mathbf{w}) = \rho\_{1/s,\mathbf{w}}(S\_{i,0}) \leqslant \rho\_{1/s}(S\_{i,0}).\tag{1.3.22}
$$

Combine (1.3.21) with (1.3.22),

$$
\rho\_{1/s}(S\_{i,j}) \leqslant \mathbf{e}^{-\pi s^2 |j u\_i|^2} \rho\_{1/s}(S\_{i,0}) \leqslant \mathbf{e}^{-\pi (s/\lambda\_n(L))^2 j^2} \rho\_{1/s}(S\_{i,0}).
$$

When *x* > 1, it follows that

$$\sum\_{j\neq 0} x^{-j^2} \leqslant 2 \sum\_{j>0} x^{-j} = \frac{2}{x-1}.$$

Next, we will estimate ρ<sup>1</sup>/*<sup>s</sup>*(*L*∗\*Si*,<sup>0</sup>),

$$\begin{aligned} \rho\_{1/s}(L^\* \backslash S\_{i,0}) &= \sum\_{j \neq 0} \rho\_{1/s}(S\_{i,j}) \\ &\leqslant \sum\_{j \neq 0} \mathbf{e}^{-\pi \left(s/\lambda\_n(L)\right)^2 j^2} \rho\_{1/s}(S\_{i,0}) \\ &\leqslant \frac{2}{\mathbf{e}^{\pi \left(s/\lambda\_n(L)\right)^2} - 1} \rho\_{1/s}(S\_{i,0}) \\ &= \frac{2}{\mathbf{e}^{\pi \left(s/\lambda\_n(L)\right)^2} - 1} (\rho\_{1/s}(L^\*) - \rho\_{1/s}(L^\* \backslash S\_{i,0})). \end{aligned}$$

So we get

$$
\rho\_{1/s}(L^\*\backslash\mathcal{S}\_{i,0}) \leqslant \frac{2}{\mathbf{e}^{\pi(s/\lambda\_n(L))^2} + 1} \rho\_{1/s}(L^\*).
$$

From (1.3.20),

$$\rho\_{1/s}(L^\*\backslash\{0\}) \leqslant \sum\_{i=1}^n \rho\_{1/s}(L^\*\backslash S\_{i,0}) \leqslant \frac{2n}{\mathbf{e}^{\pi(s/\lambda\_n(L))^2} + 1} \rho\_{1/s}(L^\*).$$

Together with ρ<sup>1</sup>/*<sup>s</sup>*(*L*∗) = 1 + ρ<sup>1</sup>/*<sup>s</sup>*(*L*∗\{0}), we have

$$\rho\_{1/s}(L^\* \backslash \{0\}) \leqslant \frac{2n}{\mathbf{e}^{\pi \left(s/\lambda\_{n}(L)\right)^2} + 1 - 2n} < \frac{2n}{\mathbf{e}^{\pi \left(s/\lambda\_{n}(L)\right)^2} - 2n} = \epsilon.$$

In the last equality, we have used that

$$s = \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \lambda\_n(L).$$

Based on the definition of the smoothing parameter,

$$
\eta\_{\epsilon}(L) \leqslant \sqrt{\frac{\ln(2n(1 + 1/\epsilon))}{\pi}} \lambda\_n(L).
$$

Theorem 1.3 is proved.
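For *L* = Z*<sup>n</sup>* we have (Z*<sup>n</sup>*)<sup>∗</sup> = Z*<sup>n</sup>* and λ<sub>*n*</sub>(Z*<sup>n</sup>*) = 1, so Theorem 1.3 predicts that *s* = √(ln(2*n*(1 + 1/ε))/π) drives ρ<sub>1/*s*</sub>(Z*<sup>n</sup>*\{0}) below ε. A numerical check (the bound turns out to be quite tight, as the choice of *s* in the proof suggests):

```python
import itertools
import math

def rho_inv_s_nonzero(s, n, R=6):
    # rho_{1/s}(Z^n \ {0}); note (Z^n)* = Z^n and lambda_n(Z^n) = 1
    total = 0.0
    for x in itertools.product(range(-R, R + 1), repeat=n):
        if any(x):
            total += math.exp(-math.pi * s * s * sum(t * t for t in x))
    return total

checks = []
for n in (1, 2, 3):
    for eps in (0.5, 0.1, 0.01):
        s = math.sqrt(math.log(2 * n * (1 + 1 / eps)) / math.pi)
        checks.append(rho_inv_s_nonzero(s, n) <= eps)
```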

At the end of this section, we present an inequality for the minimal distance on lattices, which will be used in the next chapter when we prove that the LWE problem is polynomially equivalent to hard problems on lattices.

**Lemma 1.3.6** *For any n dimensional lattice L and any* ε > 0*, we have*

$$\eta\_{\epsilon}(L) \ge \sqrt{\frac{\ln 1/\epsilon}{\pi}} \frac{1}{\lambda\_1(L^\*)} \ge \sqrt{\frac{\ln 1/\epsilon}{\pi}} \frac{\lambda\_n(L)}{n}.\tag{1.3.23}$$

*Proof* Let v ∈ *L*<sup>∗</sup> with |v| = λ<sub>1</sub>(*L*<sup>∗</sup>), and let *s* = η<sub>ε</sub>(*L*). From the definition of the smoothing parameter, we have

$$\epsilon = \rho\_{1/s}(L^\*\backslash\{0\}) \geqslant \rho\_{1/s}(v) = \mathbf{e}^{-\pi s^2 \lambda\_1^2(L^\*)}.$$

Hence,

$$s \geqslant \sqrt{\frac{\ln 1/\epsilon}{\pi}} \frac{1}{\lambda\_1(L^\*)}.$$

That is, the first inequality in this lemma holds. For the second inequality, Theorem 2.1 in Banaszczyk (1993) implies that

$$1 \leqslant \lambda\_1(L^\*)\lambda\_n(L) \leqslant n,\tag{1.3.24}$$

so we immediately get the second inequality. The lemma holds.

#### **1.4 Some Properties of Discrete Gauss Distribution**

In this section we introduce some properties about the discrete Gauss distribution. First we give the definition of the expectation of discrete Gauss distribution.

**Definition 1.4.1** Let *m*, *n* be two positive integers, *L* ⊂ R*<sup>n</sup>* an *n* dimensional full-rank lattice, *c* ∈ R*<sup>n</sup>*, *s* > 0, ξ a random variable from the discrete Gauss distribution *D*<sub>*L*,*s*,*c*</sub>, and *f* : R*<sup>n</sup>* → R*<sup>m</sup>* a given function. We denote

$$E[\xi] = \sum\_{\xi = x \in L} x D\_{L,s,c}(x) \tag{1.4.1}$$

as the expectation of ξ , and denote

$$E[f(\xi)] = \sum\_{\xi = \mathbf{x} \in L} f(\mathbf{x}) D\_{L,s,\mathbf{c}}(\mathbf{x}) \tag{1.4.2}$$

as the expectation of *f* (ξ ).
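A numerical sketch of the expectation (1.4.1) on the one-dimensional lattice Z (the parameters *s*, *c*, and the truncation are arbitrary choices): for *s* well above the smoothing parameter of Z, *E*[ξ] is very close to *c*, in the spirit of Lemma 1.4.1 below.

```python
import math

def expectation(s, c, K=60):
    # E[xi] for xi ~ D_{Z,s,c}: weights proportional to exp(-pi (x - c)^2 / s^2)
    xs = range(int(c) - K, int(c) + K + 1)
    w = [math.exp(-math.pi * (x - c) ** 2 / s ** 2) for x in xs]
    Z = sum(w)
    return sum(x * wi for x, wi in zip(xs, w)) / Z

s, c = 2.0, 0.37
bias = abs(expectation(s, c) - c)
```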

**Lemma 1.4.1** *For any n dimensional full-rank lattice L* ⊂ R*<sup>n</sup>*, *c*, *u* ∈ R*<sup>n</sup>*, |*u*| = 1, 0 < ε < 1*, s* ≥ 2η<sub>ε</sub>(*L*)*, and* ξ *a random variable from the discrete Gauss distribution D*<sub>*L*,*s*,*c*</sub>*, we have*

$$|E[(\xi - c) \cdot u]| \lesssim \frac{\epsilon s}{1 - \epsilon},\tag{1.4.3}$$

*and*

$$|E[( (\xi - c) \cdot u)^2] - \frac{s^2}{2\pi}| \lesssim \frac{\epsilon s^2}{1 - \epsilon}. \tag{1.4.4}$$

*Proof* Let *<sup>L</sup>* <sup>=</sup> *<sup>L</sup>*/*<sup>s</sup>* = { *<sup>x</sup> <sup>s</sup>* | *x* ∈ *L*}, *c* = *c*/*s*, ξ is a random variable from the discrete Gauss distribution *DL* ,*<sup>c</sup>* , for any *x* ∈ *L* , we have

$$\Pr\{\xi'=x\} = \frac{\rho\_{c'}(x)}{\rho\_{c'}(L')} = \frac{\rho\_{s,c}(sx)}{\rho\_{s,c}(L)} = \Pr\{\xi = sx\}.$$

That is, $\Pr\{\frac{\xi}{s} = x\} = \Pr\{\xi' = x\}$, $\forall x \in L'$, therefore,

$$E[(\xi - c) \cdot u] = sE[(\frac{\xi}{s} - c') \cdot u] = sE[(\xi' - c') \cdot u],$$

the inequality (1.4.3) is equivalent to

$$|E[(\xi'-c')\cdot u]| \leqslant \frac{\epsilon}{1-\epsilon}.\tag{1.4.5}$$

Similarly, the inequality (1.4.4) is equivalent to

$$|E[((\xi'-c')\cdot u)^2]-\frac{1}{2\pi}|\leqslant\frac{\epsilon}{1-\epsilon}.\tag{1.4.6}$$

So we only need to prove the two inequalities for $s = 1$. Denote by $\xi$ a random variable from the discrete Gauss distribution $D_{L,c}$; the condition $s \geqslant 2\eta_\epsilon(L)$ in Lemma 1.4.1 becomes $\eta_\epsilon(L) \leqslant \frac{1}{2}$. We first prove that the two inequalities (1.4.5) and (1.4.6) hold if $u = (1, 0, \dots, 0)$. For any positive integer $j$, let

$$g\_j(\mathbf{x}) = (\mathbf{x}\_1 - c\_1)^j \rho\_c(\mathbf{x}),$$

where $x = (x_1, x_2, \dots, x_n)$, $c = (c_1, c_2, \dots, c_n)$. Let $\xi = (\xi_1, \xi_2, \dots, \xi_n)$, then

$$E[( (\xi - c) \cdot u)^j ] = E[(\xi\_1 - c\_1)^j] = \frac{g\_j(L)}{\rho\_c(L)}.$$

Based on Lemma 1.3.2,

$$E[( (\xi - c) \cdot u)^j ] = \frac{g\_j(L)}{\rho\_c(L)} = \frac{\det(L^\*) \hat{g}\_j(L^\*)}{\det(L^\*) \hat{\rho}\_c(L^\*)} = \frac{\hat{g}\_j(L^\*)}{\hat{\rho}\_c(L^\*)}.\tag{1.4.7}$$

In order to estimate $\widehat{\rho}_c(L^*)$, from Lemma 1.2.1 we get $\widehat{\rho}_c(x) = \mathbf{e}^{-2\pi i x\cdot c}\rho(x)$, thus $|\widehat{\rho}_c(x)| = \rho(x)$. Note that $\eta_\epsilon(L) \leqslant \frac{1}{2} < 1$,

$$|\widehat{\rho}\_c(L^\*)| = |1 + \sum\_{\mathbf{x} \in L^\* \backslash \{0\}} \widehat{\rho}\_c(\mathbf{x})| \geqslant 1 - \sum\_{\mathbf{x} \in L^\* \backslash \{0\}} |\widehat{\rho}\_c(\mathbf{x})| = 1 - \rho(L^\* \backslash \{0\}) \geqslant 1 - \epsilon. \tag{1.4.8}$$

To estimate $\widehat{g}_j(L^*)$, let $\rho_c^{(j)}(x)$ be the $j$-th order partial derivative of $\rho_c(x)$ with respect to the first variable $x_1$, i.e.

$$
\rho\_c^{(j)}(\mathbf{x}) = (\frac{\partial}{\partial \mathbf{x}\_1})^j \rho\_c(\mathbf{x}).
$$

If *j* = 1, 2, it is easy to get

$$
\rho\_c^{(1)}(\mathbf{x}) = -2\pi (\mathbf{x}\_1 - c\_1)\rho\_c(\mathbf{x}).
$$

$$
\rho\_c^{(2)}(\mathbf{x}) = (4\pi^2 (\mathbf{x}\_1 - c\_1)^2 - 2\pi)\rho\_c(\mathbf{x}).
$$

It follows that

$$\mathbf{g}\_1(\mathbf{x}) = -\frac{1}{2\pi} \rho\_c^{(1)}(\mathbf{x}).$$

$$\mathbf{g}\_2(\mathbf{x}) = \frac{1}{4\pi^2} \rho\_c^{(2)}(\mathbf{x}) + \frac{1}{2\pi} \rho\_c(\mathbf{x}).$$

Since $\widehat{\rho\_c^{(j)}}(x) = (2\pi i x\_1)^j\, \widehat{\rho}\_c(x)$, we have

$$
\hat{\mathbf{g}}\_1(\mathbf{x}) = -i\mathbf{x}\_1 \hat{\rho}\_c(\mathbf{x}).
$$

$$
\hat{\mathbf{g}}\_2(\mathbf{x}) = (\frac{1}{2\pi} - \mathbf{x}\_1^2)\hat{\rho}\_c(\mathbf{x}).
$$

According to the inequality $|x_1| \leqslant |x| \leqslant \mathbf{e}^{\frac{|x|^2}{2}}$ and $\eta_\epsilon(L) \leqslant \frac{1}{2}$,

$$|\hat{g}\_1(L^\*)| \leqslant \sum\_{\mathbf{x} \in L^\*} |\mathbf{x}\_1| \cdot |\hat{\rho}\_c(\mathbf{x})| = \sum\_{\mathbf{x} \in L^\* \backslash \{0\}} |\mathbf{x}\_1| \rho(\mathbf{x}) \leqslant \sum\_{\mathbf{x} \in L^\* \backslash \{0\}} \mathbf{e}^{\frac{|\mathbf{x}|^2}{2}} \mathbf{e}^{-\pi |\mathbf{x}|^2}$$

$$\leqslant \sum\_{\mathbf{x} \in L^\* \backslash \{0\}} \mathbf{e}^{-\frac{\pi}{4} |\mathbf{x}|^2} = \rho\_2(L^\* \backslash \{0\}) \leqslant \epsilon. \tag{1.4.9}$$

Combining (1.4.7), (1.4.8) and (1.4.9) together,

$$|E[(\xi - c) \cdot u]| = \frac{|\hat{g}\_1(L^\*)|}{|\hat{\rho}\_c(L^\*)|} \leqslant \frac{\epsilon}{1 - \epsilon}.$$

For a general unit vector $u \in \mathbb{R}^n$, there exists an orthogonal matrix $M \in \mathbb{R}^{n\times n}$ such that $M^{-1}u = (1, 0, \dots, 0)^T$. Denote by $\eta$ a random variable from the discrete Gauss distribution $D_{M^{-1}L, M^{-1}c}$; for any $x \in L$,

$$\Pr\{\eta = M^{-1}\mathbf{x}\} = \frac{\rho\_{M^{-1}c}(M^{-1}\mathbf{x})}{\rho\_{M^{-1}c}(M^{-1}L)} = \frac{\mathbf{e}^{-\pi|M^{-1}\mathbf{x} - M^{-1}c|^2}}{\rho\_{M^{-1}c}(M^{-1}L)}$$

$$= \frac{\mathbf{e}^{-\pi|\mathbf{x} - \mathbf{c}|^2}}{\rho\_{\mathbf{c}}(L)} = \Pr\{\xi = \mathbf{x}\} = \Pr\{M^{-1}\xi = M^{-1}\mathbf{x}\},$$

which implies that the distributions of $\eta$ and $M^{-1}\xi$ are the same. Since $M^{-1}$ is orthogonal, it preserves inner products, hence,

$$|E[(\xi - c) \cdot u]| = |E[M^{-1}(\xi - c) \cdot M^{-1}u]| = |E[(\eta - M^{-1}c) \cdot M^{-1}u]| \leqslant \frac{\epsilon}{1 - \epsilon}.$$

In conclusion, inequality (1.4.3) holds, and inequality (1.4.4) can be proved in the same way. We complete the proof of Lemma 1.4.1.

**Lemma 1.4.2** *For any n dimensional full-rank lattice $L \subset \mathbb{R}^n$, $c \in \mathbb{R}^n$, $0 < \epsilon < 1$, $s \geqslant 2\eta_\epsilon(L)$, and $\xi$ a random variable from the discrete Gauss distribution $D_{L,s,c}$, we have*

$$\left|E[\xi - c]\right|^2 \leqslant (\frac{\epsilon}{1-\epsilon})^2 s^2 n,\tag{1.4.10}$$

*and*

$$E[|\xi - c|^2] \leqslant (\frac{1}{2\pi} + \frac{\epsilon}{1 - \epsilon})s^2 n. \tag{1.4.11}$$

*Proof* Let $u_1, u_2, \dots, u_n$ be the $n$ unit column vectors of the $n \times n$ identity matrix $I_n$. By Lemma 1.4.1,

$$\left| E[\xi - c] \right|^2 = \sum\_{i=1}^n (E[(\xi - c) \cdot u\_i])^2 \leqslant (\frac{\epsilon}{1 - \epsilon})^2 s^2 n.$$

$$E[|\xi - c|^2] = \sum\_{i=1}^{n} E[((\xi - c) \cdot u\_i)^2] \leqslant (\frac{1}{2\pi} + \frac{\epsilon}{1 - \epsilon}) s^2 n.$$

Lemma 1.4.2 holds.
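The moment bounds above can be illustrated numerically on the one dimensional lattice $L = \mathbb{Z}$: for $s$ comfortably above $2\eta_\epsilon(\mathbb{Z})$ with tiny $\epsilon$, the mean of $\xi - c$ is nearly $0$ and the second moment of $(\xi - c)$ is nearly $s^2/2\pi$. A small sketch (an illustration only; the truncation bound `K` is an implementation choice):

```python
import math

def moments(s, c, K=2000):
    # direct summation of the discrete Gaussian D_{Z,s,c}:
    # Pr{xi = x} is proportional to exp(-pi (x-c)^2 / s^2)
    xs = range(int(c) - K, int(c) + K + 1)
    w = [math.exp(-math.pi * (x - c) ** 2 / s ** 2) for x in xs]
    Z = sum(w)
    m1 = sum((x - c) * wi for x, wi in zip(xs, w)) / Z
    m2 = sum((x - c) ** 2 * wi for x, wi in zip(xs, w)) / Z
    return m1, m2

s, c = 3.0, 0.3      # s is well above 2*eta_eps(Z) for a very small eps
m1, m2 = moments(s, c)
print(f"E[xi - c]     = {m1:.2e}")                 # nearly 0, as in (1.4.10)
print(f"E[(xi - c)^2] = {m2:.6f}")
print(f"s^2/(2 pi)    = {s * s / (2 * math.pi):.6f}")  # the two agree, as in (1.4.11)
```

The Poisson-summation corrections are of size roughly $\mathrm{e}^{-\pi s^2}$, so already at $s = 3$ the discrete moments match the continuous Gaussian values to many digits.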

**Lemma 1.4.3** *For any n dimensional full-rank lattice $L \subset \mathbb{R}^n$, $v \in \mathbb{R}^n$, $0 < \epsilon < 1$, $s \geqslant \eta_\epsilon(L)$, and $\xi$ a random variable from the discrete Gauss distribution $D_{L,s,v}$, we have*

$$\Pr\{ |\xi - v| > s\sqrt{n} \} \leqslant \frac{1 + \epsilon}{1 - \epsilon} 2^{-n}.\tag{1.4.12}$$

*Proof* From the proof of Lemma 1.4.1, here we only need to prove for the case *s* = 1. Since

$$\Pr\{ |\xi - v| > \sqrt{n} \} = \sum\_{x \in L, |x - v| > \sqrt{n}} \frac{\rho\_v(\mathbf{x})}{\rho\_v(L)}$$

$$=\sum\_{\mathbf{x}\in L, |\mathbf{x}-\boldsymbol{v}|>\sqrt{n}} \frac{\rho(\mathbf{x}-\boldsymbol{v})}{\rho\_{\boldsymbol{v}}(L)} = \frac{\rho((L-\boldsymbol{v})\backslash\sqrt{n}N)}{\rho\_{\boldsymbol{v}}(L)},$$

take *c* = 1 in Lemma 1.3.4 and get

$$
\rho((L-v)\backslash\sqrt{n}N) < 2^{-n}\rho(L).
$$

That is,

$$\Pr\{ |\xi - v| > \sqrt{n} \} < 2^{-n} \frac{\rho(L)}{\rho\_v(L)}.\tag{1.4.13}$$

Based on Lemma 1.3.2, Lemma 1.2.1 and $\eta_\epsilon(L) \leqslant 1$,

$$\rho\_v(L) = |\rho\_v(L)| = |\det(L^\*)\widehat{\rho}\_v(L^\*)| = |\det(L^\*)\sum\_{x \in L^\*} \mathbf{e}^{-2\pi ix \cdot v} \rho(x)|$$

$$\geqslant |\det(L^\*)| (1 - \sum\_{x \in L^\* \backslash \{0\}} |\mathbf{e}^{-2\pi ix \cdot v} \rho(x)|) = |\det(L^\*)| (1 - \sum\_{x \in L^\* \backslash \{0\}} \rho(x))$$

$$= |\det(L^\*)|(1 - \rho(L^\*\backslash\{0\})) \geqslant |\det(L^\*)|(1 - \epsilon). \tag{1.4.14}$$

Similarly,

$$\rho(L) = |\rho(L)| = |\det(L^\*)\hat{\rho}(L^\*)|$$

$$= |\det(L^\*)\sum\_{x \in L^\*} \rho(x)| = |\det(L^\*)|(1 + \sum\_{x \in L^\* \backslash \{0\}} \rho(x))$$

$$= |\det(L^\*)|(1 + \rho(L^\* \backslash \{0\})) \leqslant |\det(L^\*)|(1 + \epsilon). \tag{1.4.15}$$

Combining (1.4.13), (1.4.14) and (1.4.15) together, it follows that

$$\Pr\{ |\xi - v| > \sqrt{n} \} \le \frac{1 + \epsilon}{1 - \epsilon} 2^{-n}.$$

This lemma holds.
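For $L = \mathbb{Z}^n$ with $s = 1$ and $v = 0$, the tail probability of Lemma 1.4.3 can be computed by direct enumeration and compared with the bound $\frac{1+\epsilon}{1-\epsilon}2^{-n}$, where $\epsilon = \rho(\mathbb{Z}^n\backslash\{0\})$ (so that $\eta_\epsilon(\mathbb{Z}^n) \leqslant 1 = s$). A sketch (an illustration only; the truncation `K` is an implementation choice):

```python
import math
from itertools import product

n = 4
K = 6  # truncation: the Gaussian mass with some |k| > K is negligible at s = 1
w = {k: math.exp(-math.pi * k * k) for k in range(-K, K + 1)}
theta = sum(w.values())   # one dimensional Gauss sum rho(Z)
Z = theta ** n            # rho(Z^n), by the product structure of Z^n
eps = theta ** n - 1      # rho(Z^n \ {0}), so eta_eps(Z^n) <= 1

# Pr{ |xi| > sqrt(n) } for xi ~ D_{Z^n, 1, 0}, by direct enumeration
tail = sum(
    math.prod(w[k] for k in x)
    for x in product(range(-K, K + 1), repeat=n)
    if sum(k * k for k in x) > n
) / Z
bound = (1 + eps) / (1 - eps) * 2 ** (-n)
assert tail < bound
print(f"tail = {tail:.2e}   bound = {bound:.2e}")
```

Here the actual tail is several orders of magnitude below the bound: a point of $\mathbb{Z}^4$ with $|x| > 2$ must contain a coordinate of absolute value at least $2$, which already carries weight $\mathrm{e}^{-4\pi}$.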

For $x \in \mathbb{R}^n$ and a set $A \subset \mathbb{R}^n$, we define the distance from $x$ to $A$ as $\mathrm{dist}(x, A) = \min_{y\in A} |x - y|$.

**Lemma 1.4.4** *For any n dimensional full-rank lattice $L \subset \mathbb{R}^n$, $c, v \in \mathbb{R}^n$, $0 < \epsilon < 1$, $s \geqslant \eta_\epsilon(L)$, $\xi$ a random variable from the discrete Gauss distribution $D_{L,s,c}$, and $\mathrm{dist}(v, L^*) \geqslant \frac{\sqrt{n}}{s}$, we have*

$$|E[\mathbf{e}^{2\pi i \xi \cdot v}]| \leqslant \frac{1+\epsilon}{1-\epsilon} 2^{-n}.\tag{1.4.16}$$

*Proof* From the proof of Lemma 1.4.1, we only need to prove for the case *s* = 1. Let

$$\mathbf{g}(\mathbf{x}) = \mathbf{e}^{2\pi i x \cdot v} \rho\_c(\mathbf{x}).$$

By Lemma 1.3.2,

$$E[\mathbf{e}^{2\pi i \xi \cdot v}] = \frac{\mathbf{g}(L)}{\rho\_c(L)} = \frac{\det(L^\*)\hat{\mathbf{g}}(L^\*)}{\det(L^\*)\hat{\rho}\_c(L^\*)} = \frac{\hat{\mathbf{g}}(L^\*)}{\hat{\rho}\_c(L^\*)}.$$

We have proved $|\widehat{\rho}_c(L^*)| \geqslant 1 - \epsilon$ in Lemma 1.4.1; based on (iii) of Lemma 1.1.2 and Lemma 1.2.1,

$$
\hat{\mathbf{g}}(\mathbf{x}) = \hat{\rho}\_c(\mathbf{x} - \boldsymbol{\upsilon}) = \rho(\mathbf{x} - \boldsymbol{\upsilon}) \mathbf{e}^{-2\pi i(\mathbf{x} - \boldsymbol{\upsilon}) \cdot \mathbf{c}},
$$

therefore,

$$|\widehat{g}(L^\*)| = |\sum\_{x \in L^\*} \rho(x - v) \mathbf{e}^{-2\pi i (x - v) \cdot c}| \leqslant \sum\_{x \in L^\*} \rho(x - v) = \rho(L^\* - v).$$

Since $\mathrm{dist}(v, L^*) \geqslant \sqrt{n}$, we know

$$
\rho(L^\*-v) = \rho((L^\*-v)\backslash\sqrt{n}N).
$$

Take *c* = 1 in Lemma 1.3.4 and get

$$
\rho((L^\*-v)\backslash\sqrt{n}N) < 2^{-n}\rho(L^\*) = 2^{-n}(1+\rho(L^\*\backslash\{0\})) \leqslant 2^{-n}(1+\epsilon).
$$

Above all,

$$|E[\mathbf{e}^{2\pi i \xi \cdot v}]| = |\frac{\hat{\mathbf{g}}(L^\*)}{\hat{\rho}\_c(L^\*)}| \leqslant \frac{1+\epsilon}{1-\epsilon} 2^{-n}.$$

We complete the proof of Lemma 1.4.4.

**Lemma 1.4.5** *For any n dimensional full-rank lattice $L \subset \mathbb{R}^n$, $w, c, v \in \mathbb{R}^n$, $0 < \epsilon < 1$, $s \geqslant \eta_\epsilon(L)$, $\xi$ a random variable from the discrete Gauss distribution $D_{L,s,c}$, and $\mathrm{dist}(v, L^*) \geqslant \frac{\sqrt{n}}{s}$, we have*

$$|E[\cos(2\pi(\xi+w)\cdot v)]| \leqslant \frac{1+\epsilon}{1-\epsilon} 2^{-n}.\tag{1.4.17}$$

*Proof* By Lemma 1.4.4 we have

$$|E[\cos(2\pi(\xi+w)\cdot v)]| \leqslant |E[\mathbf{e}^{2\pi i(\xi+w)\cdot v}]| = |E[\mathbf{e}^{2\pi i\xi\cdot v}]| \leqslant \frac{1+\epsilon}{1-\epsilon} 2^{-n}.$$

Lemma 1.4.5 holds.

Finally, we give a lemma which will be used in the next chapter.

**Lemma 1.4.6** *Let $v_1, v_2, \dots, v_m$ be m independent random variables on $\mathbb{R}^n$ such that $E[|v_i|^2] \leqslant l$ and $|E[v_i]|^2 \leqslant \epsilon$ for $i = 1, 2, \dots, m$. Then for any $z = (z_1, z_2, \dots, z_m)^T \in \mathbb{R}^m$,*

$$E[|\sum\_{i=1}^{m} z\_i v\_i|^2] \leqslant (l + m\epsilon)|z|^2. \tag{1.4.18}$$

*Proof* By the Cauchy inequality we get $\sum_{i=1}^m |z_i| \leqslant \sqrt{m}|z|$, so

$$E[|\sum\_{i=1}^{m} z\_i v\_i|^2] = \sum\_{i,j} z\_i z\_j E[v\_i \cdot v\_j] = \sum\_i z\_i^2 E[|v\_i|^2] + \sum\_{i \neq j} z\_i z\_j E[v\_i] \cdot E[v\_j]. \tag{1.4.19}$$

The first term of the right hand side in (1.4.19) has the estimation

$$\sum\_{i} z\_i^2 E[|v\_i|^2] \leqslant \sum\_{i} z\_i^2 l = l|z|^2.$$

The second term of the right hand side in (1.4.19) has the estimation

$$
\sum\_{i \neq j} z\_i z\_j E[v\_i] \cdot E[v\_j] \leqslant \sum\_{i \neq j} |z\_i| |z\_j| \cdot \frac{1}{2} (|E[v\_i]|^2 + |E[v\_j]|^2)
$$

$$
\leqslant \sum\_{i \neq j} \epsilon |z\_i| |z\_j| \leqslant \epsilon (\sum\_i |z\_i|)^2 \leqslant m\epsilon |z|^2.
$$

From (1.4.19) it follows that

$$E[|\sum\_{i=1}^{m} z\_i v\_i|^2] \leqslant (l + m\epsilon)|z|^2.$$

This lemma holds.
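Because the $v_i$ are independent, the expectation in (1.4.19) can be evaluated exactly from the means $E[v_i]$ and second moments $E[|v_i|^2]$ alone. The sketch below (with arbitrarily chosen illustrative values for these means and moments) checks the final bound (1.4.18):

```python
# Exact check of (1.4.18)-(1.4.19): choose means mus[i] = E[v_i] and second
# moments Ms[i] = E[|v_i|^2] directly; independence lets the square expand as
#   sum_i z_i^2 E[|v_i|^2] + sum_{i != j} z_i z_j E[v_i].E[v_j].
m, n = 5, 3
mus = [[0.1 * ((i + j) % 2) for j in range(n)] for i in range(m)]  # |E[v_i]|^2 small
Ms = [1.0 + 0.1 * i for i in range(m)]                             # E[|v_i|^2]
l = max(Ms)
eps = max(sum(x * x for x in mu) for mu in mus)
z = [1.0, -2.0, 0.5, 3.0, -1.0]
z2 = sum(t * t for t in z)

dot = lambda a, b: sum(x * y for x, y in zip(a, b))
lhs = sum(z[i] ** 2 * Ms[i] for i in range(m)) + sum(
    z[i] * z[j] * dot(mus[i], mus[j]) for i in range(m) for j in range(m) if i != j
)
rhs = (l + m * eps) * z2
assert lhs <= rhs
print(f"E[|sum z_i v_i|^2] = {lhs:.4f} <= (l + m*eps)|z|^2 = {rhs:.4f}")
```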

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 2 Reduction Principle of Ajtai**

In 1996, Ajtai proposed the reduction principle from the worst case to the average case at the 28th ACM Symposium on Theory of Computing, now named the Ajtai reduction principle [see Ajtai (1996), Ajtai (1999) and Ajtai and Dwork (1997)]. Subsequently, Ajtai and Dwork presented the first lattice-based cryptosystem, called the Ajtai-Dwork cryptosystem in academic circles. The argument that this cryptosystem resists Shor's quantum algorithm applies the Ajtai reduction principle to transform finding collision points of a Hash function into the SIS problem, and the Ajtai reduction principle shows that the difficulty of solving the SIS problem is polynomially equivalent to the shortest vector problem on lattices. The main purpose of this chapter is to prove the Ajtai reduction principle.

#### **2.1 Random Linear System**

Let $A \in \mathbb{Z}_q^{n\times m}$ be an $n \times m$ matrix over $\mathbb{Z}_q$. If each element of $A$ is a random variable on $\mathbb{Z}_q$, and the $n \times m$ random variables are independent and identically distributed, then $A$ is called a random matrix on $\mathbb{Z}_q$. We give the definition of a random linear system

$$\mathbf{y} \equiv A\mathbf{x} + \mathbf{z} \pmod{q}, \ \mathbf{x} \in \mathbb{Z}\_q^m, \ \mathbf{y} \in \mathbb{Z}\_q^n, \ \mathbf{z} \in \mathbb{Z}\_q^n,\tag{2.1.1}$$

where $x$, $y$, $z$ are random variables on $\mathbb{Z}_q^m$ and $\mathbb{Z}_q^n$, respectively. This random linear system plays an important role in modern cryptography. We prove some basic properties in this section.

**Lemma 2.1.1** *Let $A \in \mathbb{Z}_q^{n\times n}$ be an invertible square matrix of order n, and $y \equiv Ax \pmod q$; then y is uniformly at random on $\mathbb{Z}_q^n$ if and only if x is uniformly distributed.*

*Proof* If $x$ is uniformly distributed on $\mathbb{Z}_q^n$, then for any $x_0 \in \mathbb{Z}_q^n$, we have

$$\Pr\{\mathbf{x} = \mathbf{x}\_0\} = \frac{1}{q^n}.$$

Since for each $x_0$ there is exactly one $y_0 \in \mathbb{Z}_q^n$ such that $Ax_0 \equiv y_0 \pmod q$, therefore,

$$\Pr\{\mathbf{y} = \mathbf{y}\_0\} = \Pr\{\mathbf{x} = \mathbf{x}\_0\} = \frac{1}{q^n}.$$

Because $A$ is an invertible matrix, there is a one-to-one correspondence between $y_0$ and $x_0$. In other words, when $x_0$ traverses all the vectors in $\mathbb{Z}_q^n$, $y_0$ also traverses all the vectors in $\mathbb{Z}_q^n$, which means $y$ is also uniformly at random on $\mathbb{Z}_q^n$. On the other hand, if $y$ is uniformly distributed on $\mathbb{Z}_q^n$, so is $x$ by $x \equiv A^{-1}y \pmod q$.

*Remark 2.1.1* In fact, for the above linear system, *x* and *y* are random variables with the same distribution when *A* is an invertible square matrix. However, this property doesn't hold if *A* is not a square matrix.

Let $a \in \mathbb{R}$ be a real number and $[a]$ be the greatest integer no more than $a$, i.e. $[a]$ is the only integer satisfying the following inequality,

$$[a] \leqslant a < [a] + 1.$$

If $x \in \mathbb{R}^n$ is an $n$ dimensional vector, $x = (x_1, x_2, \dots, x_n)$, we define $[x]$ as follows

$$[\mathbf{x}] = ([x\_1], [x\_2], \dots, [x\_n]) \in \mathbb{Z}^n.$$

$[x]$ is called the integer vector of $x$. We say $x$ is a random vector if each component $x_j$ is a random variable and the $n$ random variables are mutually independent.

**Lemma 2.1.2** *If $x \in [0, 1)^n$ is a continuous random variable uniformly distributed on the unit cube, then $[qx]$ is a discrete random variable uniformly distributed on $\mathbb{Z}_q^n$.*

*Proof* Since all the components of *x* are independent, we only prove for *n* = 1. If *a* ∈ [0, 1) is a continuous random variable uniformly distributed, then for any *i* = 0, 1,..., *q* − 1, we have

$$\Pr\{ [qa] = i \} = \Pr\{ i \leqslant qa < i+1 \} = \Pr\{ \frac{i}{q} \leqslant a < \frac{i+1}{q} \} = \frac{1}{q}.$$

This indicates [*qa*] is a discrete random variable uniformly distributed on <sup>Z</sup>*<sup>q</sup>* . -
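Lemma 2.1.2 is also easy to see empirically: sampling $a$ uniformly from $[0, 1)$ and taking $[qa]$ gives, up to sampling error, the uniform distribution on $\mathbb{Z}_q$. A minimal sketch (the sample size and seed are arbitrary choices):

```python
import random
from collections import Counter

random.seed(1)
q, N = 5, 100_000
# a uniform on [0,1)  ->  [q*a] = floor(q*a) should be uniform on Z_q
counts = Counter(int(q * random.random()) for _ in range(N))
for i in range(q):
    # each residue appears with empirical frequency close to 1/q
    assert abs(counts[i] / N - 1 / q) < 0.01
print(sorted(counts.items()))
```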

**Lemma 2.1.3** *Let $L = L(B)$ be an n dimensional full-rank lattice and $F(B)$ the basic neighbourhood of $L$. If $x$ is a random variable uniformly distributed on $F(B)$, then $[qB^{-1}x]$ is a discrete random variable uniformly distributed on $\mathbb{Z}_q^n$.*

*Proof* $\forall a \in \mathbb{Z}_q^n$, we have

$$\Pr\{ [qB^{-1}x] = a \} = \Pr\{ \frac{Ba}{q} \leqslant x < \frac{B(a+1)}{q} \}.$$

Since the volume of the basic neighbourhood $F(B)$ is $\det(L) = |\det(B)|$, the probability density function of $x$ is $\frac{1}{\det(L)}$, thus,

$$\Pr\{\frac{Ba}{q} \leqslant x < \frac{B(a+1)}{q}\} = \int\_{\frac{Ba}{q}}^{\frac{B(a+1)}{q}} \frac{1}{\det(L)} \mathrm{d}y = \int\_{\frac{a}{q}}^{\frac{a+1}{q}} \frac{|\det(B)|}{\det(L)} \mathrm{d}u = \frac{1}{q^n}.$$

We set *y* = *Bu* in the above equality, and get

$$\Pr\{ [qB^{-1}x] = a \} = \frac{1}{q^n}.$$

So $[qB^{-1}x]$ is uniformly distributed on $\mathbb{Z}_q^n$.

#### **2.2 SIS Problem**

The SIS problem plays a very important role in modern lattice cryptography, which is to find the shortest nonzero integer solution in a class of random linear systems.

**Definition 2.2.1** Let $n, m, q$ be positive integers, $m \geqslant n$, $A \in \mathbb{Z}_q^{n\times m}$ be a uniformly distributed random matrix on $\mathbb{Z}_q$, and $\beta \in \mathbb{R}$, $0 < \beta < q$. The SIS problem is to find a short nonzero integer vector $z \in \mathbb{Z}^m$ such that

$$Az \equiv 0 \pmod{q}, \text{ and } z \neq 0, \ |z| \leqslant \beta. \tag{2.2.1}$$

We call the above SIS problem with parameters $n, m, q, A, \beta$ SIS$_{n,q,\beta,m}$, and $A$ is called the coefficient matrix of the SIS problem.

*Remark 2.2.1* If $m < n$, since the number of variables is less than the number of equations, (2.2.1) is not guaranteed to have a nonzero solution, so we suppose that $m \geqslant n$. If $\beta \geqslant q$, let


$$z = \begin{pmatrix} q \\ 0 \\ \vdots \\ 0 \end{pmatrix} \in \mathbb{Z}^m, \text{ we have } Az \equiv 0 \pmod{q}, \text{ and } |z| = q \leqslant \beta. \text{ This solution is trivial,}$$

so that we always assume that β < *q* in Definition 2.2.1.

*Remark 2.2.2* The difficulty of the SIS problem decreases when $m$ becomes larger, while it increases as $n$ becomes larger. In fact, if $z$ is a solution of SIS$_{n,q,\beta,m}$, $m' > m$, and $[A, A']$ is the coefficient matrix of SIS$_{n,q,\beta,m'}$, let $z' = \begin{pmatrix} z \\ 0 \end{pmatrix}$ (padding $z$ with $m' - m$ zeros); then

$$[A, A']z' = Az \equiv 0 \pmod{q}.$$

So $z'$ is a solution of SIS$_{n,q,\beta,m'}$. Moreover, a solution satisfying the $n + 1$ equations of an SIS problem also satisfies the first $n$ of them. Therefore, the difficulty of the SIS problem increases when $n$ becomes larger.

**Lemma 2.2.1** *For any positive integer q, any $A \in \mathbb{Z}_q^{n\times m}$, and $\beta \geqslant \sqrt{m}q^{\frac{n}{m}}$, the SIS problem has a nonzero solution; i.e. there exists a vector $z \in \mathbb{Z}^m$, $z \neq 0$, such that*

$$Az \equiv 0 \pmod{q}, \text{ and } |z| \leqslant \beta.$$

*Proof* Let $z = (z_1, \dots, z_m)^T \in \mathbb{Z}^m$, and consider the vectors whose coordinates satisfy $0 \leqslant z_i \leqslant q^{\frac{n}{m}}$.

It is easy to check that there are more than $q^n$ such integer vectors, while $Az \pmod q$ takes at most $q^n$ values; by the pigeonhole principle we can find $z'$ and $z''$ such that $z' \neq z''$, $Az' \equiv Az'' \pmod{q}$, i.e.

$$A(z'-z'') \equiv 0 \pmod{q}, \text{ and } |z'-z''| \leqslant \sqrt{m}q^{\frac{n}{m}} \leqslant \beta.$$

We complete the proof. -
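The pigeonhole argument in this proof is directly executable for small parameters: enumerate vectors with coordinates in $\{0, 1, \dots, \lceil q^{n/m}\rceil\}$ until two of them collide modulo $q$. A sketch (since coordinates are integers we round up to $B = \lceil q^{n/m}\rceil$, so the length bound becomes the slightly relaxed $\sqrt{m}\,B$; the seed and parameters are arbitrary):

```python
import math
import random
from itertools import product

random.seed(0)
n, m, q = 2, 6, 7
A = [[random.randrange(q) for _ in range(m)] for _ in range(n)]
B = math.ceil(q ** (n / m))   # coordinate range 0..B gives (B+1)^m > q^n vectors

seen = {}
d = None
for z in product(range(B + 1), repeat=m):
    key = tuple(sum(A[i][j] * z[j] for j in range(m)) % q for i in range(n))
    if key in seen:                       # pigeonhole: a collision must occur
        d = [a - b for a, b in zip(seen[key], z)]
        break
    seen[key] = z

# d is a nonzero solution of A d = 0 (mod q) with |d| <= sqrt(m) * B
assert d is not None and any(d)
assert all(sum(A[i][j] * d[j] for j in range(m)) % q == 0 for i in range(n))
assert math.sqrt(sum(t * t for t in d)) <= math.sqrt(m) * B
print("SIS solution:", d)
```

With $n = 2$, $m = 6$, $q = 7$ there are $3^6 = 729$ candidate vectors but only $q^n = 49$ possible values of $Az \bmod q$, so the collision is guaranteed long before the enumeration ends.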

By the above Lemma and Remark 2.2.1, in order to guarantee there is a nontrivial solution of the SIS problem, we always assume the following conditions of parameters

$$n \leqslant m, \ \sqrt{m}q^{\frac{n}{m}} \leqslant \beta < q. \tag{2.2.2}$$

Since the difficulty of SIS problem decreases when β becomes larger, we always suppose that

$$
\beta = \sqrt{m}q^{\frac{n}{m}}.\tag{2.2.3}
$$

Furthermore, we call *n* as the security parameter of SIS problem, *m* = *m*(*n*), *q* = *q*(*n*), β = β(*n*) are functions of *n*. By (2.2.2) and (2.2.3), if *m* and *q* are polynomial


functions of $n$ written as $m = \mathrm{poly}(n)$, $q = \mathrm{poly}(n)$, then $\beta$ is also a polynomial function of $n$, i.e. $\beta = \mathrm{poly}(n)$. Let $U(\mathbb{Z}_q^{n\times m})$ be the set of all $n \times m$ random matrices uniformly distributed on $\mathbb{Z}_q$; we call the family of all possible SIS problems SIS$_{q,m}$, i.e.

$$\text{SIS}\_{q,m} = \{q(n), U(\mathbb{Z}\_q^{n \times m}), \beta(n)\}\_{n \geqslant 1}.$$

SIS*<sup>q</sup>*,*<sup>m</sup>* problem is called the total SIS problem, which plays an 'average case' role in the Ajtai reduction principle. The parameters are selected as

$$m = \text{poly}(n), \ q = \text{poly}(n), \ q^{\frac{n}{m(n)}} = O(1) \Rightarrow \beta = O(\sqrt{m}).\tag{2.2.4}$$

**Definition 2.2.2** Let $A \in U(\mathbb{Z}_q^{n\times m})$. The SIS'$_{n,q,\beta,m}$ problem is to find $z \in \mathbb{Z}^m$, $z \notin 2\mathbb{Z}^m$, such that

$$Az \equiv 0 \pmod{q}, \text{ and } |z| \leqslant \beta.$$

In fact, the goal of the SIS' problem is to find a solution of the SIS problem in which at least one coordinate is an odd integer. The relation between solutions of the two problems can be summarized in the following lemma.

**Lemma 2.2.2** *Suppose q is an odd integer; then there is a polynomial time algorithm that converts a solution of the SIS problem into a solution of the SIS' problem.*

*Proof* If $z = (z_1, \dots, z_m)^T \in \mathbb{Z}^m$ is a solution of the SIS problem, then there exists an integer $k \geqslant 0$ such that $2^{-k}z \in \mathbb{Z}^m$ and $2^{-k}z \notin 2\mathbb{Z}^m$. Let $z' = 2^{-k}z$; since $q$ is an odd integer, based on $Az \equiv 0 \pmod q$, we have

$$Az'=2^{-k}Az \equiv 0 \pmod{q},$$

and $|z'| = 2^{-k}|z| \leqslant 2^{-k}\beta \leqslant \beta$. This means $z'$ is a solution of the SIS' problem. The complexity of calculating $z'$ from $z$ is polynomial (a polynomial function of $n$), because

$$\text{Time} \{ \text{compute } z' \} = O(n \log^2 q) = \text{poly}(n).$$

The above formula also holds even if *q* is an exponential function of *n*. -
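The conversion in the proof of Lemma 2.2.2 just divides out the largest power of $2$; since $q$ is odd, $2$ is invertible modulo $q$ and the congruence $Az \equiv 0 \pmod q$ is preserved. A minimal sketch (the sample vector is an arbitrary illustration):

```python
# Lemma 2.2.2: turn a SIS solution z (possibly with all coordinates even)
# into a SIS' solution z' = 2^{-k} z having at least one odd coordinate.
def sis_to_sis_prime(z):
    while all(t % 2 == 0 for t in z):   # z in 2Z^m: halve every coordinate
        z = [t // 2 for t in z]
    return z

z = [8, 12, 20]            # every coordinate even: z lies in 2Z^3
zp = sis_to_sis_prime(z)
assert any(t % 2 for t in zp)
print(zp)                  # -> [2, 3, 5]
```

The loop runs at most $\log_2 |z|$ times, matching the $\mathrm{poly}(n)$ complexity claimed above.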

The SIS problem and the Ajtai-Dwork cryptosystem are closely related. Let $f_A(z) = Az$ be a Hash function, and let $z'$ and $z''$ be collision points of $f_A(z)$; then

$$f\_A(z') \equiv f\_A(z'') \pmod{q} \Rightarrow A(z'-z'') \equiv 0 \pmod{q}.$$

It is easy to obtain a solution of the SIS problem if we can find two collision points of $f_A$. In this sense, the Hash function $f_A(z)$ is strongly collision-resistant. The security of the Ajtai-Dwork cryptosystem mainly depends on the difficulty of solving the SIS problem.

The SIS problem can be regarded as the shortest vector problem in the average case. Let

$$\Lambda\_q^\perp(A) = \{ z \in \mathbb{Z}^m \mid Az \equiv 0 \pmod{q} \}.$$

Then $\Lambda_q^\perp(A)$ is an $m$ dimensional $q$-ary integer lattice. In fact, solving the SIS problem is equivalent to finding the shortest vector of $\Lambda_q^\perp(A)$.

If $A \in U(\mathbb{Z}_q^{n\times m})$ is the coefficient matrix of the SIS problem, we can discuss the SIS problem by transforming it to Hermite form. Let $\mathrm{rank}\, A = n$; the matrix $A_1 \in \mathbb{Z}_q^{n\times n}$ constructed from the first $n$ column vectors of $A$ is an invertible matrix. Suppose $A = [A_1, A_2]$; replacing $A$ with $A_1^{-1}A$, we have

$$A\_1^{-1}A = [I\_n, \bar{A}], \quad \bar{A} = A\_1^{-1}A\_2.\tag{2.2.5}$$

Since $A_2$ is a uniformly distributed random matrix, by Lemma 2.1.1, $\bar{A}$ is also a uniform random matrix of dimension $n \times (m - n)$.

**Lemma 2.2.3** *The solution set of the SIS problem with coefficient matrix $A$ is the same as that with coefficient matrix $A_1^{-1}A$.*

*Proof* Let $z \in \mathbb{Z}^m$ be such that

$$Az \equiv 0 \pmod{q}, \text{ and } 0 < |z| \le \beta.$$

Then $A_1^{-1}Az \equiv 0 \pmod q$, so $z$ is a solution of the SIS problem with coefficient matrix $A_1^{-1}A$. On the other hand, $A_1^{-1}Az \equiv 0 \pmod q \Rightarrow Az \equiv 0 \pmod q$. Lemma 2.2.3 holds.

We call the coefficient matrix $A_1^{-1}A$ determined by (2.2.5) the normal form of the SIS problem.

Finally, we define some hard problems on lattices. We always suppose $L = L(B) \subset \mathbb{R}^n$ is a full-rank lattice, $\lambda_1, \lambda_2, \dots, \lambda_n$ are the successive minima of the lattice $L$, $\lambda_1$ is the length of the shortest vector in $L$, and $\gamma = \gamma(n) \geqslant 1$ is a positive function of $n$.

**Definition 2.2.3** (1) SVP<sup>γ</sup> : find a nonzero vector *x* in lattice *L* such that

$$|\mathbf{x}| \leqslant \gamma(n)\lambda\_1(L). \tag{2.2.6}$$

(2) GapSVP$_\gamma$: decide which of the following holds for the minimal distance $\lambda_1 = \lambda_1(L)$ of lattice $L$:

$$
\lambda\_1(L) \leqslant 1, \text{ or } \lambda\_1(L) > \gamma(n). \tag{2.2.7}
$$

(3) SIVP<sup>γ</sup> : find a set of *n* linearly independent lattice vectors *S* = {*si*} ⊂ *L*, such that

$$|S| = \max\_i |s\_i| \leqslant \gamma(n)\lambda\_n(L). \tag{2.2.8}$$

(4) BDD<sup>γ</sup> : let *d* = λ1(*L*)/2γ (*n*) be the decoding distance of lattice *L*. For any target vector *<sup>t</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>*, if

$$\text{dis}(t, L) = \min\_{x \in L} |x - t| < d = \lambda\_1(L) / 2\gamma(n), \tag{2.2.9}$$

then there exists only one lattice vector $v \in L$ with $|v - t| < d$. The bounded decoding distance problem BDD$_\gamma$ is to find this unique lattice point $v$.

The above Definition 2.2.3 gives four kinds of hard problems on lattice. SVP<sup>γ</sup> is called the approximation problem of the shortest vector. GapSVP<sup>γ</sup> is called the determination problem of the shortest vector. SIVP<sup>γ</sup> is called the approximation problem of the shortest linearly independent group. BDD<sup>γ</sup> is called the approximation problem of bounded decoding distance problem.

Since the parameter $\gamma(n) \geqslant 1$, the bounded decoding distance $d$ satisfies

$$d = \lambda\_1(L)/2\gamma(n) \leqslant \frac{1}{2}\lambda\_1(L).$$

If the target vector $t \in \mathbb{R}^n$ satisfies the above decoding distance condition, i.e. $\mathrm{dis}(t, L) < d$, it is easy to see there is only one lattice vector $v \in L$ with $|v - t| < d$. In fact, if $v_1, v_2 \in L$ with $|v_1 - t| < d$ and $|v_2 - t| < d$, by the triangle inequality

$$|v\_1 - v\_2| \leqslant |v\_1 - t| + |v\_2 - t| < 2d \leqslant \lambda\_1(L).$$

This contradicts the fact that the minimal distance of the lattice $L$ is $\lambda_1(L)$.

The Ajtai reduction principle states that the above SIVP$_\gamma$ and GapSVP$_\gamma$ problems are polynomially equivalent to the average case SIS problem. We will prove this in the next section.

#### **2.3 INCGDD Problem**

Let $S = \{\alpha_i\} \subset \mathbb{R}^n$ be a set of vectors in $\mathbb{R}^n$; we define

$$|S| = \max\_{i} |\alpha\_{i}|. \tag{2.3.1}$$

**Definition 2.3.1** Let $L = L(B) \subset \mathbb{R}^n$ be a full-rank lattice, $S = \{\alpha_1, \alpha_2, \dots, \alpha_n\} \subset L$ be a set of any $n$ linearly independent vectors in $L$, $t \in \mathbb{R}^n$ be the target vector, and $r > \gamma(n)\phi(B)$ be a real number. The INCGDD problem is to find a lattice vector $\alpha \in L$ such that

$$|\alpha - t| \leqslant \frac{1}{g}|S| + r,\tag{2.3.2}$$

where *g*, γ (*n*) and φ(*B*) are parameters. Under the given parameter system, INCGDD problem could be written as INCGDD<sup>φ</sup> γ ,*<sup>g</sup>*.

*Remark 2.3.1* The key of the INCGDD problem is, for the set $S$ of any given $n$ linearly independent vectors and any target vector $t \in \mathbb{R}^n$, to find a lattice point $\alpha \in L$ such that the distance between $\alpha$ and the target vector is no more than $\frac{1}{g}|S| + r$. By the nearest plane algorithm of Babai, for any $S$ and $t$, there exists a polynomial time algorithm finding $\alpha \in L$ with

$$|\alpha - t| \leqslant \frac{1}{2}\sqrt{n}|S|.\tag{2.3.3}$$

In general, the above formula cannot be improved. We can give a counterexample. Let $L = \mathbb{Z}^n$, $S = I_n$ be the identity matrix, and the target vector $t = (\frac{1}{2}, \frac{1}{2}, \dots, \frac{1}{2})$; then $\forall \alpha \in \mathbb{Z}^n$, we have

$$|\alpha - t| \geqslant \sqrt{\frac{n}{4}} = \frac{1}{2}\sqrt{n} = \frac{1}{2}\sqrt{n}|S|.$$

So there is no lattice point $\alpha$ within distance $\frac{1}{4}|S|$ of $t$.
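The counterexample is easy to verify by enumeration: every point of $\mathbb{Z}^n$ lies at distance at least $\frac{1}{2}\sqrt{n}$ from $t = (\frac{1}{2}, \dots, \frac{1}{2})$, and with $S = I_n$ we have $|S| = 1$. A sketch for $n = 3$ (the enumeration box is an arbitrary window large enough to contain the nearest lattice points):

```python
import math
from itertools import product

n = 3
t = [0.5] * n
# distance from t = (1/2, ..., 1/2) to every nearby point of Z^n
dists = [math.dist(alpha, t) for alpha in product(range(-2, 4), repeat=n)]
# the minimum is attained on {0,1}^n and equals sqrt(n)/2 = (1/2) sqrt(n) |S|
assert abs(min(dists) - math.sqrt(n) / 2) < 1e-12
print(min(dists))
```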

Based on the above counterexample, the parameter for the INCGDD problem is generally selected as $g = 4$. The quantity $r$ in (2.3.2) is called the controlled remainder, which guarantees the existence of the lattice vector $\alpha$. Under a given parameter system, the INCGDD problem can be transformed into the SIS problem of the corresponding parameter system. This transformation is the key idea of the Ajtai reduction principle. We call the transformation algorithm the oracle algorithm, written as $A(B, S, t)$.

#### **oracle algorithm** *A*(*B*, *B*, 0).

We first explain how the oracle algorithm works in a very special case. Let $S = B$ be the generating matrix of $L$ and the target vector $t = 0$; the parameters of the corresponding SIS problem are as follows

$$q(n) = n^4, \ m(n) = n \log n, \ \beta(n) = n. \tag{2.3.4}$$

Since $\beta \geqslant \sqrt{m}q^{\frac{n}{m}}$, by Lemma 2.2.1, the total SIS problem SIS$_{q,m}$ has a solution.

The oracle sampling algorithm that converts the INCGDD problem into the SIS problem is actually a probabilistic algorithm, which can be divided into the following four steps.

The first step: let *F*(*B*) be the basic neighbourhood of *L* = *L*(*B*), defined by

$$F(B) = \{ Bx \mid x \in [0, 1)^n \}.$$

We select a point *c* ∈ *F*(*B*) uniformly in *F*(*B*). Let *y* ∈ *L* be the nearest lattice vector to *c*, we obtain a pair of vectors (*c*, *y*). Repeat this process independently *m* times and get *m* pairs of vectors (*c*1, *y*1), (*c*2, *y*2), . . . , (*cm*, *ym*), here *m* > *n*.

The second step: for each $c_i$ $(1 \leqslant i \leqslant m)$, we define $\hat{c}_i$ by

$$\hat{c}_i = B[qB^{-1}c_i]/q, \ 1 \leqslant i \leqslant m. \tag{2.3.5}$$

Let $c_i = Bx_i$, where $x_i = (x_{i_1}, x_{i_2}, \dots, x_{i_n})^T \in [0, 1)^n$, so we have

$$\frac{1}{q}[q B^{-1}c_i] = (\frac{1}{q}[q x_{i_1}], \frac{1}{q}[q x_{i_2}], \dots, \frac{1}{q}[q x_{i_n}]).$$

Each coordinate satisfies

$$0 \leqslant \frac{1}{q} [qx\_{i\_j}] \leqslant x\_{i\_j} < 1, \ j = 1, 2, \dots, n.$$

Thus, $\hat{c}_i \in F(B)$. Let $c_i - \hat{c}_i = Bv_i$, $v_i = (v_{i_1}, v_{i_2}, \dots, v_{i_n})^T$; then

$$0 \le v\_{i\_j} = x\_{i\_j} - \frac{1}{q} [q x\_{i\_j}] < \frac{1}{q}. \tag{2.3.6}$$

Therefore, the distance between $\hat{c}_i$ and $c_i$ can be estimated as follows. Suppose $B = [\beta_1, \dots, \beta_n]$; it follows that

$$|\hat{c}\_i - c\_i| = |\sum\_{k=1}^n \beta\_k v\_{i\_k}| \le \sum\_{k=1}^n |v\_{i\_k}| |\beta\_k|$$

$$\le \frac{n}{q} |B| = \frac{1}{n^3} |B|. \text{ (since } q = n^4)$$

The above estimate holds for all $1 \leqslant i \leqslant m$. We can give a geometric interpretation of $\hat{c}_i$: divide the basic neighbourhood $F(B)$ into $q^n$ polyhedra with side length $\frac{1}{q}$, each denoted by $\Delta_i$, where

$$\Delta_i = \{ Bx \mid x = (x_1, x_2, \dots, x_n)^T, \ \frac{j_k - 1}{q} \leqslant x_k < \frac{j_k}{q}, \ 1 \leqslant k \leqslant n \},$$

with the index $i$ running over the $q^n$ choices of $(j_1, j_2, \dots, j_n) \in \{1, 2, \dots, q\}^n$.

Since $\{c_i\}_{i=1}^m$ are uniformly distributed in $F(B)$, each polyhedron $\Delta_i$ contains at least one point $c$ with positive probability, written as $c_i$. Based on $\mathrm{Vol}(\Delta_i) = \frac{1}{q^n}\det(L)$, we have

$$\Pr\{c\_i \in \Delta\_i\} = \frac{1}{q^n} > 0.\tag{2.3.7}$$

According to (2.3.5), both $\hat{c}_i$ and $c_i$ are contained in the polyhedron $\Delta_i$, and $\hat{c}_i$ is the vertex at the bottom left corner of $\Delta_i$. From Lemma 2.1.3, since $\{c_i\}$ is uniformly at random in $F(B)$, $\frac{1}{q}[q B^{-1}c_i]$ is uniformly distributed. Based on Lemma 2.1.1, $\{\hat{c}_i\}$ is also uniformly distributed at random. Let

$$\begin{cases} C = [c_1, c_2, \dots, c_m]_{n \times m}, \\ Y = [y_1, y_2, \dots, y_m]_{n \times m}, \\ \hat{C} = [\hat{c}_1, \hat{c}_2, \dots, \hat{c}_m]_{n \times m}. \end{cases} \tag{2.3.8}$$

We get three *n* × *m* matrices.
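The rounding step (2.3.5) and the estimate $|\hat{c}_i - c_i| \leqslant \frac{n}{q}|B|$ can be illustrated numerically; in the following Python sketch (variable names are ours), $\hat{c}$ is the bottom-left corner of the $1/q$-cell containing $c$:

```python
import numpy as np

rng = np.random.default_rng(42)
n = 4
q = n ** 4
B = rng.integers(-5, 6, size=(n, n)).astype(float)
while abs(np.linalg.det(B)) < 0.5:          # make sure B is a genuine basis
    B = rng.integers(-5, 6, size=(n, n)).astype(float)

x = rng.random(n)                            # uniform in [0,1)^n
c = B @ x                                    # c = Bx is a uniform point of F(B)
c_hat = B @ (np.floor(q * x) / q)            # c_hat = B[qB^{-1}c]/q, cf. (2.3.5)

# the coordinates v of B^{-1}(c - c_hat) lie in [0, 1/q), cf. (2.3.6)
v = x - np.floor(q * x) / q
assert np.all((0 <= v) & (v < 1.0 / q))

# hence |c_hat - c| <= (n/q)|B|, with |B| the maximal column length
assert np.linalg.norm(c_hat - c) <= (n / q) * np.linalg.norm(B, axis=0).max() + 1e-12
```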

The third step: now we define $m$ $n$-dimensional vectors $a_i \in \mathbb{Z}_q^n$, $1 \leqslant i \leqslant m$, over $\mathbb{Z}_q$ by

$$a_i \equiv [qB^{-1}c_i] \pmod{q}, \ 1 \leqslant i \leqslant m.$$

Then

$$A = [a\_1, a\_2, \dots, a\_m]\_{n \times m} \in \mathbb{Z}\_q^{n \times m}.\tag{2.3.9}$$

According to Lemma 2.1.3, $A$ is a uniformly distributed random matrix. Suppose $z$ is a solution of the $\mathrm{SIS}_{q,m,\beta}$ problem, i.e.

$$Az \equiv 0 \pmod{q}, \text{ and } 0 < |z| \leqslant \beta, \ z \in \mathbb{Z}^m.$$

Combining $z$ and $\{\hat{c}_i\}$,

$$\hat{C}z = [B[q\,B^{-1}c\_1]/q, \dots, B[q\,B^{-1}c\_m]/q]z = B \cdot \frac{1}{q}Az \in L(B).$$

Since $Az \equiv 0 \pmod{q} \Rightarrow \frac{1}{q}Az \in \mathbb{Z}^n$, we get a lattice vector $\hat{C}z \in L$.

The fourth step: similarly, combining $z$ with $\{c_i\}_{i=1}^m$ and $\{y_i\}_{i=1}^m$, we get two vectors $Yz$ and $Cz$. Let $z = (z_1, z_2, \dots, z_m)^T$; then

$$Yz = [\mathbf{y}\_1, \mathbf{y}\_2, \dots, \mathbf{y}\_m] \begin{bmatrix} z\_1 \\ z\_2 \\ \vdots \\ z\_m \end{bmatrix} = \sum\_{i=1}^m z\_i \mathbf{y}\_i \in L.$$

Both $\hat{C}z$ and $Yz$ are lattice vectors; let $\alpha = \hat{C}z - Yz = (\hat{C} - Y)z \in L$. We are to prove that $\alpha$ is a solution of the INCGDD problem. Denote by $|z|_1$ the $l_1$ norm of $z$; it follows that

$$|z|\_1 = \sum\_{i=1}^{m} |z\_i| \leqslant \sqrt{m}|z|. \tag{2.3.10}$$

The major part of the length of $\alpha = \hat{C}z - Yz$ is $|Cz - \hat{C}z|$, which can be estimated as follows:

$$|Cz - \hat{C}z| = |\sum_{i=1}^{m} (c_i - \hat{c}_i)z_i| \leqslant \frac{n}{q}|B||z|_1 \leqslant \frac{n\sqrt{m}\beta}{q}|B|.\tag{2.3.11}$$

Select the parameters $m = n\log n$, $q = n^4$, $\beta = n$; when $n$ is sufficiently large we have

$$|Cz - \hat{C}z| \le \frac{1}{4}|B|.$$

The minor part of length |*Cz* − *Y z*| of α could be calculated by the nearest plane algorithm of Babai [see (2.3.3)]:

$$|Cz - Yz| \leqslant \frac{1}{2}\sqrt{n}|B|.$$

Let $\phi(B) = |B|$, $\gamma(n) = \frac{1}{2}\sqrt{n}$; then

$$|\alpha| = |\hat{C}z - Yz| \leqslant |Cz - \hat{C}z| + |Cz - Yz| \leqslant \frac{1}{4}|B| + r,$$

where $r \geqslant \gamma(n)\phi(B)$. In other words, based on a solution $z$ of the $\mathrm{SIS}_{q,m,\beta}$ problem, we can get a solution of the $\mathrm{INCGDD}^{\phi}_{\gamma,g}$ problem for the generating matrix $B$ and the target vector $t = 0$ by a probabilistic polynomial oracle algorithm. Here the parameters are chosen as $g = 4$, $\gamma(n) = \frac{1}{2}\sqrt{n}$, $\phi(B) = |B|$.

The above oracle algorithm is a simple simulation of the reduction principle for the INCGDD problem, obtained by setting $S = B$ and the target vector $t = 0$. Given any $n$ linearly independent vectors $S = \{\alpha_1, \alpha_2, \dots, \alpha_n\} \subset L$ and a target vector $t \in \mathbb{R}^n$, the general oracle algorithm $A(B, S, t)$ completes the whole technical process of transforming the INCGDD problem into the SIS problem, which is the core idea of the Ajtai reduction principle. We begin with two lemmas.

**Lemma 2.3.1** (Sampling lemma) *Let $L = L(B) \subset \mathbb{R}^n$ be a full-rank lattice, $F(B)$ be the basic neighbourhood, $t \in \mathbb{R}^n$ be the target vector, and $s \geqslant \eta_{\epsilon}(L)$ be a positive real number. Then there exists a probabilistic polynomial time algorithm $T(B, t, s)$ to find a pair of vectors $(c, y) \in F(B) \times L(B)$ such that*

*(i) The distribution of the vector $c \in F(B)$ is within statistical distance $\frac{1}{2}\epsilon$ from the uniform distribution over $F(B)$.*

*(ii) The conditional distribution of $y \in L$ given $c$ is the discrete Gauss distribution $D_{L,s,(t+c)}$.*

*Proof* The process of sampling algorithm *T* (*B*, *t*,*s*) could be proved as follows:

1. Since the density function of the Gauss distribution $D_{s,t}(x)$ is

$$D\_{s,t}(\mathbf{x}) = \frac{1}{s^n} e^{-\frac{\pi}{s^2}|\mathbf{x}-t|^2},$$

the corresponding random variable is denoted by $D_{s,t}$. Let $r \in \mathbb{R}^n$ come from the distribution $D_{s,t}$; $r$ is called the noise vector.

2. Let *c* ∈ *F*(*B*), *c* ≡ −*r* (mod *L*), *y* = *c* + *r* ∈ *L* be output vectors, (*c*, *y*) be the output result.

Since $r$ is generated by the Gauss distribution in $\mathbb{R}^n$, it follows that $c$ has the distribution $-D_{s,t} \bmod L$ in the basic neighbourhood $F(B)$. We can prove

$$-D_{s,t} \bmod L = D_{s,-t} \bmod L. \tag{2.3.12}$$

Then the statistical distance between $c$ and the uniform distribution on $F(B)$ is

$$\Delta(c, U(F(B))) = \Delta(-D_{s,t} \bmod L, U(F(B))) = \Delta(D_{s,-t} \bmod L, U(F(B))) \leqslant \frac{1}{2}\epsilon.$$

On the other hand, $y = c + r \in L$; if $c$ is fixed, the distribution of $y \in L$ is the discrete Gauss distribution $D_{L,s,(t+c)}$. We complete the proof. $\square$
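The two steps of the sampling algorithm $T(B, t, s)$ can be sketched as follows. The density $s^{-n}e^{-\pi|x-t|^2/s^2}$ is a Gaussian with per-coordinate standard deviation $s/\sqrt{2\pi}$; the function name and the concrete basis below are our own illustration:

```python
import numpy as np

def sample_pair(B, t, s, rng):
    """Sketch of T(B, t, s): output (c, y) with c in F(B) and y = c + r in L(B)."""
    n = B.shape[0]
    # step 1: noise vector r drawn from the Gauss distribution D_{s,t}
    r = t + rng.normal(0.0, s / np.sqrt(2 * np.pi), size=n)
    # step 2: c = -r mod L lies in F(B), and y = c + r is a lattice vector
    x = np.linalg.solve(B, -r)          # coordinates of -r in the basis B
    c = B @ (x - np.floor(x))           # reduce -r modulo the lattice
    y = c + r                           # y = -B*floor(x) in L(B)
    return c, y

rng = np.random.default_rng(7)
B = np.array([[2.0, 1.0], [0.0, 3.0]])
c, y = sample_pair(B, np.array([0.3, -1.2]), 4.0, rng)

xc = np.linalg.solve(B, c)              # c lies in F(B): coordinates in [0,1)
assert np.all((xc > -1e-9) & (xc < 1 + 1e-9))
xy = np.linalg.solve(B, y)              # y is a lattice point: integer coordinates
assert np.allclose(xy, np.round(xy))
```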

**Lemma 2.3.2** (Combining lemma) *Let $q$ be a positive integer, $L = L(B) \subset \mathbb{R}^n$ be a full-rank lattice, and $F(B)$ be the basic neighbourhood. For any full-rank sublattice $L(S) \subset L(B)$, where $S = [\alpha_1, \alpha_2, \dots, \alpha_n]$, there is a probabilistic polynomial time algorithm $T_1(B, S)$ such that, for $m$ vectors $C = [c_1, c_2, \dots, c_m]$ uniformly at random in $F(B)$, we can find a uniformly distributed random matrix $A \in \mathbb{Z}_q^{n \times m}$ and a lattice vector $x \in L(B)$ satisfying*

$$|x - Cz| \leqslant \frac{1}{q} n\sqrt{m}|S||z|,\tag{2.3.13}$$

*where $z \in \mathbb{Z}^m$ and $Az \equiv 0 \pmod{q}$.*

*Proof* Suppose $\{\alpha_1, \alpha_2, \dots, \alpha_n\} \subset L$ are $n$ linearly independent lattice vectors, and $S = [\alpha_1, \alpha_2, \dots, \alpha_n]$ generates the full-rank lattice $L(S) \subset L(B)$. Let $F(S)$ be the basic neighbourhood of the lattice $L(S)$. It is easy to see that $F(B) \subset F(S)$. For any $m$ vectors $\{c_i\}_{i=1}^m$ uniformly distributed in $F(B)$, we can choose $m$ lattice vectors $\{v_1, v_2, \dots, v_m\} \subset L(B)$ by the sampling lemma. The corresponding vector in the basic neighbourhood $F(S)$ is denoted by $v_i \bmod L(S)$, such that

> $\{v_i \bmod L(S)\}_{i=1}^m \subset F(S)$ are uniformly distributed.

In other words, $\{v_i\}$ is selected from the quotient group $L(B)/L(S)$, satisfying $v_i \not\equiv v_j \pmod{L(S)}$ for $i \neq j$, and $\{v_i \bmod L(S)\}_{i=1}^m$ are uniformly distributed in $F(S)$. We still write $v_i \pmod{L(S)}$ as $v_i$, and let

$$w\_i = c\_i + v\_i \bmod L(\mathcal{S}), \ i = 1, 2, \dots, m.$$

It follows that $\{w_i\}$ is uniformly at random in $F(S)$. For $1 \leqslant i \neq j \leqslant m$, we have

$$v_i \not\equiv v_j \pmod{L(S)} \Rightarrow v_i + F(B) \not\equiv v_j + F(B) \pmod{L(S)},$$

so $\{v_i + F(B)\}_{i=1}^m$ forms a partition of $F(S)$ into pieces of the same volume. We get that $\{w_i\} \subset F(S)$ is uniformly distributed because $\{v_i\}$ is uniformly at random. Define the following two matrices $C$ and $W$:

$$C = [c\_1, c\_2, \dots, c\_m], \ W = [w\_1, w\_2, \dots, w\_m]. \tag{2.3.14}$$

Define $m$ vectors uniformly distributed in $\mathbb{Z}_q^n$ by

$$a\_i \equiv [qS^{-1}w\_i] \pmod{q}, \ i = 1, 2, \ldots, m. \tag{2.3.15}$$

By Lemma 2.1.3, since $\{w_i\}$ is uniformly at random in $F(S)$, $A = [a_1, a_2, \dots, a_m]$ is an $n \times m$ uniform random matrix, $A \in \mathbb{Z}_q^{n \times m}$. Let $z \in \wedge_q^{\perp}(A)$; then

$$z \in \mathbb{Z}\_q^m, \text{ and } Az \equiv 0 \pmod{q}.$$

Define the vector *x*

$$x = (C - W + \frac{1}{q}SA)z. \tag{2.3.16}$$

We first prove *x* ∈ *L*(*B*) is a lattice vector. From the definition of vector *x*, we have

$$x = (C - W + \frac{1}{q}SA)z = \sum_{i=1}^{m} (c_i - w_i)z_i + \frac{1}{q}SAz.$$

Note that

$$c_i - w_i = ((c_i + v_i) - w_i) - v_i, \ 1 \leqslant i \leqslant m,$$

since $c_i + v_i \equiv w_i \pmod{L(S)}$ $\Rightarrow$

$$c_i + v_i - w_i \in L(S) \subset L(B),$$

and each $v_i$ satisfies $v_i \in L$, it follows that $c_i - w_i \in L$, $1 \leqslant i \leqslant m$. On the other hand, $\frac{1}{q}Az \in \mathbb{Z}^n$, so $\frac{1}{q}SAz \in L(S)$. Thus, we confirm that $x \in L$. Finally, we estimate the distance between $x$ and $Cz$:

$$|x - Cz| = |\sum\_{i=1}^{m} (w\_i - \frac{S}{q}a\_i)z\_i| = \frac{1}{q}|S\sum\_{i=1}^{m}(u\_i - [u\_i])z\_i|,\tag{2.3.17}$$

where $u_i = q S^{-1}w_i$. It is easy to see that for any $d = (d_1, d_2, \dots, d_n)^T \in \mathbb{R}^n$,

$$|Sd| = |\sum_{i=1}^{n} d_i s_i| \leqslant \sum_{i=1}^{n} |d_i||s_i| \leqslant |S||d|_1. \tag{2.3.18}$$

Since

$$|\sum_{i=1}^{m}(u_i - [u_i])z_i|_1 \leqslant \sum_{i=1}^{m}|z_i||u_i - [u_i]|_1 \leqslant n\sum_{i=1}^{m}|z_i| \leqslant n\sqrt{m}|z|,$$

by (2.3.17) and (2.3.18) we get

$$|x - Cz| \leqslant \frac{1}{q} n\sqrt{m}|S||z|.$$

So we finish the proof. $\square$

#### **2.4 Reduction Principle**

The Ajtai reduction principle solves hard lattice problems in the general case. For example, the SVP, SIVP and GapSVP problems can be transformed into the SIS problem by a polynomial algorithm with positive probability, so the difficulty of the SIS problem is polynomially equivalent to that of these lattice problems. This principle, passing from the general case to the average case, is known in the literature as the Ajtai reduction from the worst case to the average case.

We start by proving that the INCGDD problem can be transformed into the SIS problem. Denote the $\mathrm{INCGDD}^{\phi}_{\gamma,g}$ problem with parameters by $\{B, S, t, r\}$. For any $n$ linearly independent vectors $S$ in a full-rank lattice $L = L(B)$ and any target vector $t \in \mathbb{R}^n$, our goal is to find a lattice vector $s \in L$ such that

$$|s - t| \leqslant \frac{1}{g}|S| + r,\tag{2.4.1}$$

where *g* > 0 is a positive real number, *r* > γ(*n*)φ(*B*).

**Theorem 2.4.1** (From INCGDD to SIS) *Given parameters $g = g(n) > 0$; $m$, $\beta$ polynomial functions of $n$, i.e. $m = n^{O(1)}$, $\beta = n^{O(1)}$; $\epsilon = \epsilon(n)$ a negligible function of $n$, i.e. $\epsilon < \frac{1}{n^k}$ $(k > 0)$; $\phi(B) \geqslant \eta_{\epsilon}(L)$; and*

$$\gamma(n) = \beta(n)\sqrt{n}, \ q = q(n) \geqslant g(n)n\sqrt{m}\beta(n). \tag{2.4.2}$$

*Under the above parameter system, there is a probabilistic polynomial algorithm which transforms the $\mathrm{INCGDD}^{\phi}_{\gamma,g}$ problem to the SIS problem.*

*Proof* The probabilistic polynomial algorithm in Theorem 2.4.1 is called the oracle algorithm, written as $A(B, S, t)$. In the last section, we introduced the oracle algorithm in detail in the special case $S = B$, $t = 0$. Now we give the working procedure of the general oracle algorithm $A(B, S, t)$, using the sampling Lemma 2.3.1 and the combining Lemma 2.3.2:

1. Select two integers *j* and α uniformly at random, such that

$$j \in \{1, 2, \ldots, m\}, \ -\beta \le \alpha \le \beta, \ \alpha \ne 0.$$

For a given target vector $t \in \mathbb{R}^n$ and the positive integer $j$, we define $m$ vectors $t_i$ $(1 \leqslant i \leqslant m)$ as

$$t_i = \begin{cases} -\frac{1}{\alpha}t, & \text{if } i = j, \\ 0, & \text{if } i \neq j. \end{cases} \tag{2.4.3}$$

2. For each $i = 1, 2, \dots, m$, according to the sampling algorithm $T(B, t_i, \frac{2r}{\gamma})$ in Lemma 2.3.1, i.e. letting $t = t_i$, $s = \frac{2r}{\gamma}$, we get

$$(c\_i, \mathbf{y}\_i) \in F(B) \times L(B).$$

Note that $r \geqslant \gamma(n)\phi(B)$, so

$$s = \frac{2r}{\gamma} \geqslant 2\phi(B) \geqslant 2\eta_{\epsilon}(L).$$

3. Define two matrices

$$C = [c\_1, c\_2, \dots, c\_m], \ Y = [\mathbf{y}\_1, \mathbf{y}\_2, \dots, \mathbf{y}\_m].$$

4. Based on the given matrices $S \subset L(B)$, $C \in F(B)^m$ and the parameter $q$, we can find a uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$, a solution $z$ of the corresponding SIS problem, and a lattice vector $x \in L(B)$ by the combining algorithm in Lemma 2.3.2, satisfying

$$|x - Cz| \leqslant \frac{1}{q} n\sqrt{m}|S||z| \leqslant \frac{|S|}{g}.\tag{2.4.4}$$

5. Let *s* = *x* − *Y z*, then *s* ∈ *L*(*B*) is a solution of the INCGDD problem, such that

$$|s - t| \leqslant \frac{1}{g}|S| + r \tag{2.4.5}$$

holds with a positive probability. The above oracle algorithm $A(B, S, t)$ can be represented by the following diagram:

$$t \in \mathbb{R}^n \xrightarrow[\text{algorithm}]{\text{Sampling}} \begin{matrix} t_1 \rightarrow (c_1, y_1) \\ \vdots \\ t_m \rightarrow (c_m, y_m) \end{matrix} \Rightarrow \begin{matrix} C \in F(B)^m \\ Y \in L(B)^m \end{matrix} \xrightarrow[\text{algorithm}]{\text{Combining}} \begin{matrix} A \in \mathbb{Z}_q^{n \times m}, \ z \in \mathbb{Z}_q^m \\ x \in L(B) \end{matrix} \Rightarrow s = x - Yz.$$

Since $x, Yz \in L(B)$, it follows that $s = x - Yz \in L(B)$. Next we estimate the probability that the inequality $|s - t| \leqslant \frac{1}{g}|S| + r$ holds. Write $\delta > 0$ for the positive probability of solving the SIS problem successfully. The event $H_{j,\alpha}$ denotes getting a solution $z = (z_1, z_2, \dots, z_m)^T$ of the SIS problem with $z_j = \alpha$, and its probability is $\delta_{j,\alpha}$, where $1 \leqslant j \leqslant m$, $-\beta \leqslant \alpha \leqslant \beta$, $\alpha \neq 0$. If we obtain a solution $z$ of the SIS problem successfully, then at least one of these $2m\beta$ events $H_{j,\alpha}$ occurs. Therefore,

$$\sum_{j,\alpha} \delta_{j,\alpha} \geqslant \delta,$$

so there is a pair $j, \alpha$ such that $\Pr\{H_{j,\alpha}\} = \delta_{j,\alpha} \geqslant \frac{\delta}{2m\beta} > 0$. We assume that the event $H_{j,\alpha}$ occurs and estimate the conditional probability of $|s - t| \leqslant \frac{1}{g}|S| + r$. Let $T = [t_1, t_2, \dots, t_m]$; then $Tz = t_j z_j = -t$. By the triangle inequality,

$$|s - t| \leqslant |\mathbf{x} - C\mathbf{z}| + |(C - Y)\mathbf{z} - t| \leqslant \frac{|S|}{\mathbf{g}} + |(Y - C - T)\mathbf{z}|.$$

We have

$$\Pr\{|s-t| \leqslant \frac{1}{g}|S|+r\} \geqslant \Pr\{|(Y-C-T)z| \leqslant r\}.$$

Based on the sampling Lemma 2.3.1, $y_i$ has the discrete Gauss distribution $D_{L(B), \frac{2r}{\gamma}, c_i + t_i}$. According to Lemma 2.4.2 in Sect. 1.4, it follows that

$$E[|y_i - (c_i + t_i)|^2] \leqslant \left(\frac{1}{2\pi} + \frac{\epsilon}{1 - \epsilon}\right)\left(\frac{2r}{\gamma}\right)^2 n,$$

and

$$\left| E[y_i - (c_i + t_i)] \right|^2 \leqslant \left(\frac{\epsilon}{1 - \epsilon}\right)^2 \left(\frac{2r}{\gamma}\right)^2 n.$$

Since $y_1, y_2, \dots, y_m$ are independent, by Lemma 4.6 in Sect. 1.4,

$$E[|\sum_{i=1}^{m} (y_i - (c_i + t_i))z_i|^2] \leqslant \left(\frac{1}{2\pi} + \frac{\epsilon}{1 - \epsilon} + m\left(\frac{\epsilon}{1 - \epsilon}\right)^2\right)\left(\frac{2r}{\gamma}\right)^2 n|z|^2 \leqslant \frac{1}{6}\left(\frac{2r}{\gamma}\right)^2 n|z|^2.$$

Combining $|z| \leqslant \beta$ and $\gamma = \beta\sqrt{n}$, we get

$$E[\left| (Y - C - T)z \right|^2] \leqslant \frac{1}{6}\left(\frac{2r}{\gamma}\right)^2 n |z|^2 \leqslant \frac{2}{3} r^2.$$

Using Chebyshev inequality,

$$\Pr\{| (Y - C - T)z| > r \} \leqslant \frac{1}{r^2} E[| (Y - C - T)z |^2] \leqslant \frac{2}{3}.$$

By (4.6),

$$\Pr\{|s-t| \leqslant \frac{1}{g}|S|+r\} \geqslant \Pr\{|(Y-C-T)z| \leqslant r\} \geqslant \frac{1}{3}.$$

Note that the above inequality holds under the assumption *Hj*,α, i.e.

$$\Pr\{|\mathbf{s} - t| \leqslant \frac{1}{\mathbf{g}}|\mathcal{S}| + r \mid H\_{j, \alpha} \} \geqslant \frac{1}{3}.$$

Finally, we have the estimation

$$\Pr\{|s-t| \leqslant \frac{1}{g}|S|+r\} \geqslant \Pr\{|s-t| \leqslant \frac{1}{g}|S|+r, \ H_{j,\alpha}\}$$

$$= \Pr\{|s-t| \leqslant \frac{1}{g}|S|+r \mid H_{j,\alpha}\} \cdot \Pr\{H_{j,\alpha}\} \geqslant \frac{1}{3} \cdot \frac{\delta}{2m\beta} > 0.$$

This means $|s - t| \leqslant \frac{1}{g}|S| + r$ holds with a positive probability, so we complete the proof of Theorem 2.4.1. $\square$

In the above proof, we have completed the whole process of transforming the INCGDD problem to the SIS problem, and proved that the difficulty of the INCGDD problem is polynomially equivalent to that of the SIS problem. This realizes the reduction principle from the worst case to the average case, which is the main result we introduce in this section. Hard problems on lattices, such as the SIVP and GapSVP problems, can be transformed equivalently to the SIS problem based on Theorems 5.19, 5.22 and 5.23 in Micciancio and Regev (2004); by Theorem 2.4.1, the difficulty of these hard lattice problems is then polynomially equivalent to that of the SIS problem. In addition, the following Theorem 2.4.2 provides another way of reducing the SIVP problem to the SIS problem.

**Theorem 2.4.2** (From SIVP to SIS) *Let the parameter $m$ be a polynomial function of $n$, i.e. $m = n^{O(1)}$, $\beta > 0$, $q \geqslant 2\beta n^{O(1)}$, $\gamma = \beta n^{O(1)}$; then the difficulty of solving the $\mathrm{SIS}_{n,q,\beta,m}$ problem by a probabilistic polynomial algorithm is not lower than that of the $\mathrm{SIVP}_{\gamma}$ problem.*

*Proof* We are to prove that if there is a polynomial algorithm solving the $\mathrm{SIS}_{n,q,\beta,m}$ problem with positive probability, then there is one for the $\mathrm{SIVP}_{\gamma}$ problem. In other words, we can find $n$ linearly independent vectors $S = \{s_i\} \subset L$ such that $|S| = \max |s_i| \leqslant \gamma(n)\lambda_n(L)$. Starting from a set of linearly independent lattice vectors $S \subset L$ ($S$ is initially the generating matrix $B$ of the lattice $L$), the idea of the reduction algorithm is to use the oracle algorithm to obtain a new set of linearly independent lattice vectors $S' \subset L$ satisfying $|S'| \leqslant |S|/2$. Repeating this process, we finally get a solution of the $\mathrm{SIVP}_{\gamma}$ problem. Let $q \geqslant 2\beta f(n)$, where $f(n)$ is a polynomial function of $n$. The reduction algorithm works as follows.

1. According to the sampling lemma and combining lemma, generate $m$ short vectors $v_i \in L$ in the basic neighbourhood of the lattice $L(S)$ such that $|v_i| \leqslant |S| f(n)$, $i = 1, 2, \dots, m$; let $V = [v_1, v_2, \dots, v_m]$.

2. Let $A = B^{-1}V \pmod{q}$; by the combining lemma, $A$ is uniformly distributed in $\mathbb{Z}_q^{n \times m}$. Solve the SIS problem $Az \equiv 0 \pmod{q}$ with $|z| \leqslant \beta$ and obtain a solution $z$.

3. Let $s = Vz/q$. Repeat these three steps to generate enough vectors $s$ so that there are $n$ linearly independent ones, denoted $s_1, s_2, \dots, s_n$, and set $S' = [s_1, s_2, \dots, s_n]$.
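As a toy illustration of step 2 (for very small sizes only; the actual setting assumes a polynomial-time SIS solver), a brute-force search can play the role of the SIS oracle. The function name and the tiny instance below are ours:

```python
import numpy as np
from itertools import product

def tiny_sis(A, q, beta):
    """Brute-force SIS: nonzero z with entries in {-1,0,1}, Az = 0 (mod q), |z| <= beta."""
    m = A.shape[1]
    for cand in product((-1, 0, 1), repeat=m):
        z = np.array(cand)
        if z.any() and np.all((A @ z) % q == 0) and np.linalg.norm(z) <= beta:
            return z
    return None

q, beta = 5, 2.0
A = np.array([[1, 1, 2],
              [3, 3, 4]])
z = tiny_sis(A, q, beta)
assert z is not None
assert np.all((A @ z) % q == 0) and 0 < np.linalg.norm(z) <= beta
```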

We are to prove that $|S'| \leqslant |S|/2$. Firstly, note that $s \in L$. This is because

$$Vz = B(Az), \ Az \equiv 0 \pmod{q},$$

so *B*(*Az*) ∈ *q L* and *s* = *V z*/*q* = *B*(*Az*)/*q* ∈ *L*. Secondly,

$$|\mathbf{s}| = |Vz|/q \leqslant |V|\beta/q \leqslant |S|f(n)\beta/(2\beta f(n)) = |S|/2.$$

This means $|S'| \leqslant |S|/2$. Replace $S$ with $S'$ and repeat the above three steps until $|S'| \leqslant \gamma(n)\lambda_n(L)$; then $S'$ is a solution of the $\mathrm{SIVP}_{\gamma}$ problem. $\square$

At the end of this section, we show that the difficulty of some other hard problems on lattices is polynomially equivalent to that of the SIS problem. We give another two definitions of hard lattice problems.

**Definition 2.4.1** (1) $\mathrm{GIVP}^{\phi}_{\gamma}$: find a set of $n$ linearly independent vectors $S = \{s_i\} \subset L$ such that

$$|S| = \max |s_i| \leqslant \gamma(n)\phi(B),\tag{2.4.6}$$

where $\gamma(n) \geqslant 1$ is a positive function of $n$, $B$ is the generating matrix of $L$, and $\phi$ is a real function of $B$.

(2) $\mathrm{GDD}^{\phi}_{\gamma}$: let $t \in \mathbb{R}^n$ be a target vector; find a vector $x \in L$ such that

$$|x - t| \leqslant \gamma(n)\phi(B),\tag{2.4.7}$$

where $B$ is the generating matrix of $L$, and $\phi$ is a real function of $B$.

If $\phi = \lambda_n$ is the $n$-th successive minimum of the lattice $L$, the $\mathrm{GIVP}^{\phi}_{\gamma}$ problem in the above definition becomes the $\mathrm{SIVP}_{\gamma}$ problem of Definition 2.2.3. Here we give two lemmas showing that the above two problems can be reduced to the SIS problem.

**Lemma 2.4.1** *For any function $\gamma(n) \geqslant 1$ and any $\phi$, there is a polynomial reduction algorithm from the $\mathrm{GIVP}^{\phi}_{8\gamma}$ problem to the $\mathrm{INCGDD}^{\phi}_{\gamma,8}$ problem.*

*Proof* Suppose *B* is a generated matrix of lattice *L*, our goal is to find a set of *n* linearly independent vectors *S* = {*si*} ⊂ *L* such that

$$|S| = \max |s_i| \leqslant 8\gamma(n)\phi(B).$$

We use the idea of iteration to achieve this goal. Initially, let *S* = *B*. If *S* satisfies the above condition, then the solution has been found. If *S* does not satisfy the above inequality, assume *S* = [*s*1,*s*2,...,*sn*], and suppose that

$$|\mathbf{s}\_n| = \max\_{1 \le i \le n} |\mathbf{s}\_i|,$$

i.e. $s_n$ is the longest vector among $s_1, s_2, \dots, s_n$. Let $t$ be a vector orthogonal to $s_1, s_2, \dots, s_{n-1}$, with $|t| = |S|/2 = |s_n|/2$; such a vector $t$ can be constructed by the Gram–Schmidt orthogonalization method. Based on the reduction algorithm in Theorem 2.4.1, we solve the INCGDD problem with parameters $\{B, S, t, |S|/8\}$. If the algorithm fails, then we have

$$r = \frac{|S|}{8} \leqslant \gamma(n)\phi(B) \Rightarrow |S| \leqslant 8\gamma(n)\phi(B).$$

This implies $S$ is a solution of the $\mathrm{GIVP}^{\phi}_{8\gamma}$ problem. If the reduction algorithm solves the INCGDD problem successfully, then we get a vector $u$ such that

$$|u - t| \leqslant \frac{|S|}{g} + r = \frac{|S|}{4}.$$

It follows that

$$|u| \leqslant |t| + \frac{|S|}{4} = \frac{3|S|}{4}.$$

It is easy to verify that $u, s_1, s_2, \dots, s_{n-1}$ are linearly independent. Otherwise, $u$ lies in the span of $s_1, s_2, \dots, s_{n-1}$ and is therefore orthogonal to $t$, since $t$ is orthogonal to $s_1, s_2, \dots, s_{n-1}$. Thus,

$$\frac{|S|^2}{16} \geqslant |u - t|^2 = |u|^2 + |t|^2 \geqslant |t|^2 = \frac{|S|^2}{4}.$$

This is a contradiction, so $u, s_1, s_2, \dots, s_{n-1}$ are linearly independent. Let $S' = [s_1, s_2, \dots, s_{n-1}, u]$, $|S'| < |S|$; repeat the above process for $S'$ and we finally get a solution of the $\mathrm{GIVP}^{\phi}_{8\gamma}$ problem. Lemma 2.4.1 holds. $\square$

**Lemma 2.4.2** *For any function $\gamma(n) \geqslant 1$ and any $\phi$, there is a polynomial reduction algorithm from the $\mathrm{GDD}^{\phi}_{3\gamma}$ problem to the $\mathrm{INCGDD}^{\phi}_{\gamma,8}$ problem.*

*Proof* Assume *<sup>B</sup>* is a generated matrix of lattice *<sup>L</sup>*, *<sup>t</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>* is the target vector. Our goal is to find *x* ∈ *L*, such that

$$|x - t| \leqslant 3\gamma(n)\phi(B).$$

According to Lemma 2.4.1, we can find a set of $n$ linearly independent vectors $S = \{s_i\} \subset L$ such that $|S| \leqslant 8\gamma(n)\phi(B)$. Let $r$ be a real number such that the INCGDD problem with parameters $\{B, S, t, r/2\}$ fails, while the one with parameters $\{B, S, t, r\}$ successfully yields a solution $x$. In fact, any real number $r$ in the range $r/2 \leqslant \gamma(n)\phi(B) \leqslant r$ satisfies this condition. It follows that

$$|x - t| \leqslant \frac{|S|}{g} + r \leqslant \frac{|S|}{8} + 2\gamma(n)\phi(B) \leqslant 3\gamma(n)\phi(B).$$

So we get a solution of the $\mathrm{GDD}^{\phi}_{3\gamma}$ problem. We complete the proof. $\square$

In Lemma 2.4.1 and Lemma 2.4.2, we transform the $\mathrm{GIVP}^{\phi}_{\gamma}$ and $\mathrm{GDD}^{\phi}_{\gamma}$ problems to the $\mathrm{INCGDD}^{\phi}_{\gamma,g}$ problem, while Theorem 2.4.1 tells us that the difficulty of the $\mathrm{INCGDD}^{\phi}_{\gamma,g}$ problem is polynomially equivalent to that of the SIS problem. So we have proved that the $\mathrm{GIVP}^{\phi}_{\gamma}$ and $\mathrm{GDD}^{\phi}_{\gamma}$ problems are polynomially equivalent to the SIS problem.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 3 Learning with Error**

Learning with errors (LWE) was proposed by O. Regev in 2005 (see Regev, 2009); it can be regarded as a dual form of the SIS problem. LWE has very important applications in modern cryptography, such as LWE-based fully homomorphic encryption. The main purpose of this chapter is to explain the mathematical principles of the LWE problem in detail, especially the polynomial equivalence between the average-case LWE problem and the hard problems on lattices, which generalizes the Ajtai reduction principle and settles the computational complexity of the LWE problem effectively.

#### **3.1 Circulant Matrix**

The circulant matrix is a simple and elegant class of special matrices with important applications in many fields of engineering. In Sect. 7.7 of 'Modern Cryptography', we explain and demonstrate the basic properties of circulant matrices in detail; see the monograph Zheng (2022) on circulant matrices for more.

Let *T* be a square matrix of order *n*,

$$T = \begin{pmatrix} \mathbf{0}^T & 1 \\ I_{n-1} & \mathbf{0} \end{pmatrix}_{n \times n}, \tag{3.1.1}$$

where $I_{n-1}$ is the $(n-1)$-dimensional identity matrix. Obviously, $T$ defines a linear transformation $x \rightarrow Tx$, $x \in \mathbb{R}^n$, of $\mathbb{R}^n \rightarrow \mathbb{R}^n$. The characteristic polynomial of $T$ is $f(x) = x^n - 1$, so $T^n = I_n$. We use column notation for vectors in $\mathbb{R}^n$, and $\{e_0, e_1, \dots, e_{n-1}\}$ is the standard basis of $\mathbb{R}^n$, i.e.


$$e\_0 = \begin{pmatrix} 1 \\ 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}, \ e\_1 = \begin{pmatrix} 0 \\ 1 \\ 0 \\ \vdots \\ 0 \end{pmatrix}, \ \dots, \ e\_{n-1} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ 1 \end{pmatrix}. \tag{3.1.2}$$

Denote $e\_m$ as $e\_k$ if $m \equiv k \pmod{n}$ and $0 \leqslant k \leqslant n-1$; it is easy to see

$$T e\_k = e\_{k+1}, \text{ and } T^k(e\_0) = e\_k, \ 0 \le k \le n-1. \tag{3.1.3}$$
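The relations (3.1.3) are easy to check numerically. The following sketch (our illustration, not part of the original text) builds the shift matrix $T$ of (3.1.1) with numpy and verifies $Te\_k = e\_{k+1}$ and $T^n = I\_n$:

```python
import numpy as np

n = 5
# Cyclic shift matrix T of (3.1.1): column k is e_{(k+1) mod n},
# obtained by rolling the rows of the identity down by one.
T = np.roll(np.eye(n, dtype=int), 1, axis=0)

I = np.eye(n, dtype=int)
e = [I[:, k] for k in range(n)]              # standard basis e_0, ..., e_{n-1}

for k in range(n):
    # T e_k = e_{k+1}, indices taken mod n
    assert np.array_equal(T @ e[k], e[(k + 1) % n])

# T^n = I_n, consistent with the characteristic polynomial x^n - 1
assert np.array_equal(np.linalg.matrix_power(T, n), I)
```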

**Definition 3.1.1** Let $\alpha = (\alpha\_0, \alpha\_1, \dots, \alpha\_{n-1})^T \in \mathbb{R}^n$. The circulant matrix $T^\*(\alpha)$ generated by $\alpha$ is defined by

$$T^\*(\alpha) = [\alpha, T\alpha, \dots, T^{n-1}\alpha]\_{n \times n} \in \mathbb{R}^{n \times n}.\tag{3.1.4}$$

It is easy to verify that the circulant matrix generated by a linear combination of vectors is the corresponding linear combination of the circulant matrices, i.e.

$$T^\*(a\alpha + b\beta) = aT^\*(\alpha) + bT^\*(\beta). \tag{3.1.5}$$

Specially, for any $\alpha = (\alpha\_0, \alpha\_1, \dots, \alpha\_{n-1})^T \in \mathbb{R}^n$, the circulant matrix $T^\*(\alpha)$ generated by $\alpha$ could be written as

$$T^\*(\alpha) = T^\*\left(\sum\_{i=0}^{n-1} \alpha\_i e\_i\right) = \sum\_{i=0}^{n-1} \alpha\_i T^\*(e\_i),\tag{3.1.6}$$

therefore, any circulant matrix is a linear combination of the circulant matrices generated by the standard basis vectors $e\_i$. It is easy to verify that

$$T^\*(e\_k) = T^k, \ 0 \le k \le n - 1. \tag{3.1.7}$$

In particular, the unit matrix $I\_n$ is the circulant matrix generated by the vector $e\_0$. The basic properties of circulant matrices are summarized in the following lemma; the corresponding proofs could be found in Sect. 7.7 of Zheng (2022).

**Lemma 3.1.1** *Let $\alpha = (\alpha\_0, \alpha\_1, \dots, \alpha\_{n-1})^T$, $\beta = (\beta\_0, \beta\_1, \dots, \beta\_{n-1})^T$ be two vectors in $\mathbb{R}^n$, then we have*


We take the characteristic polynomial $x^n - 1$ as modulus and construct a one-to-one correspondence between polynomial quotient rings and $n$ dimensional vectors, which is called the geometric theory of polynomial rings. We consider the following three polynomial quotient rings. Let $\mathbb{R}[x]$, $\mathbb{Z}[x]$ and $\mathbb{Z}\_q[x]$ be the polynomial rings in one variable over $\mathbb{R}$, $\mathbb{Z}$ and $\mathbb{Z}\_q$ respectively, and define

$$\overline{R} = \mathbb{R}[\mathbf{x}]/<\mathbf{x}^n - 1> = \left\{ \sum\_{i=0}^{n-1} a\_i \mathbf{x}^i \mid a\_i \in \mathbb{R} \right\},\tag{3.1.8}$$

$$R = \mathbb{Z}[\mathbf{x}]/<\mathbf{x}^n - 1> = \left\{ \sum\_{i=0}^{n-1} a\_i \mathbf{x}^i \mid a\_i \in \mathbb{Z} \right\},\tag{3.1.9}$$

and

$$R\_q = \mathbb{Z}\_q[\mathbf{x}]/<\mathbf{x}^n - 1> = \left\{ \sum\_{i=0}^{n-1} a\_i \mathbf{x}^i \mid a\_i \in \mathbb{Z}\_q \right\}.\tag{3.1.10}$$

In fact, the right hand side of each formula above is a set of representative elements of the polynomial quotient ring.

For any $\alpha(x) = \alpha\_0 + \alpha\_1 x + \cdots + \alpha\_{n-1} x^{n-1} \in \overline{R}$, we construct the following correspondence

$$\alpha(\mathbf{x}) = \alpha\_0 + \alpha\_1 \mathbf{x} + \dots + \alpha\_{n-1} \mathbf{x}^{n-1} \in \overline{R} \longleftrightarrow \alpha = \begin{pmatrix} \alpha\_0 \\ \alpha\_1 \\ \vdots \\ \alpha\_{n-1} \end{pmatrix} \in \mathbb{R}^n,\tag{3.1.11}$$

written as $\alpha(x) \longleftrightarrow \alpha$ or $\alpha \longleftrightarrow \alpha(x)$. Then (3.1.11) gives a one-to-one correspondence between $\overline{R}$ and $\mathbb{R}^n$. In the same way, $\alpha(x) \longleftrightarrow \alpha$ also gives one-to-one correspondences $R \to \mathbb{Z}^n$ and $R\_q \to \mathbb{Z}\_q^n$. It is not hard to see that the above correspondence is an abelian group isomorphism. To establish a ring isomorphism, we introduce the concept of convolution multiplication of vectors.

**Definition 3.1.2** For any two vectors $\alpha, \beta$ in $\mathbb{R}^n$, $\mathbb{Z}^n$ or $\mathbb{Z}\_q^n$, we define the convolution $\alpha \otimes \beta$ by

$$
\alpha \otimes \beta = T^\*(\alpha) \cdot \beta. \tag{3.1.12}
$$

Under the above definition, $\mathbb{R}^n$, $\mathbb{Z}^n$ and $\mathbb{Z}\_q^n$ each become a commutative ring with unit element. Obviously, the convolution defined by (3.1.12) is closed on $\mathbb{Z}^n$ and $\mathbb{Z}\_q^n$: if $\alpha \in \mathbb{Z}^n$, then $T^\*(\alpha) \in \mathbb{Z}^{n \times n}$, thus $\alpha \otimes \beta = T^\*(\alpha)\beta \in \mathbb{Z}^n$, and similarly for $\mathbb{Z}\_q^n$. Based on property (iii) of Lemma 3.1.1,

$$T^\*(\alpha \otimes \beta) = T^\*(T^\*(\alpha)\beta) = T^\*(\alpha)T^\*(\beta) = T^\*(\beta)T^\*(\alpha) = T^\*(\beta \otimes \alpha),$$

so we have α ⊗ β = β ⊗ α. On the other hand,

$$(\alpha + \alpha') \otimes \beta = T^\*(\alpha + \alpha')\beta = T^\*(\alpha)\beta + T^\*(\alpha')\beta = \alpha \otimes \beta + \alpha' \otimes \beta,$$

hence, $\mathbb{R}^n$, $\mathbb{Z}^n$ and $\mathbb{Z}\_q^n$ are commutative rings with the same unit element $e\_0$. Since $T^\*(e\_0) = I\_n$, then

$$e\_0 \otimes \beta = T^\*(e\_0)\beta = I\_n\beta = \beta.$$
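The ring structure just described can be checked numerically. The sketch below (our illustration; the helper names `T_star` and `conv` are ours) verifies that the convolution of Definition 3.1.2 coincides with polynomial multiplication reduced mod $x^n - 1$, is commutative, and has unit element $e\_0$:

```python
import numpy as np

def T_star(a):
    """Circulant matrix T*(a) = [a, Ta, ..., T^{n-1}a] generated by a."""
    n = len(a)
    return np.column_stack([np.roll(a, k) for k in range(n)])

def conv(a, b):
    """Convolution a (x) b = T*(a) b of Definition 3.1.2."""
    return T_star(a) @ b

rng = np.random.default_rng(0)
n = 6
a = rng.integers(-5, 6, n)
b = rng.integers(-5, 6, n)

# a (x) b is exactly polynomial multiplication reduced mod x^n - 1:
full = np.convolve(a, b)         # coefficients of a(x)b(x), degree 2n-2
reduced = full[:n].copy()
reduced[: n - 1] += full[n:]     # fold back using x^{n+k} = x^k
assert np.array_equal(conv(a, b), reduced)

# commutativity and the unit element e_0 (ring structure of Lemma 3.1.2)
e0 = np.eye(n, dtype=int)[:, 0]
assert np.array_equal(conv(a, b), conv(b, a))
assert np.array_equal(conv(e0, b), b)
```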

**Lemma 3.1.2** *Suppose $\overline{R}$, $R$ and $R\_q$ are defined by (3.1.8), (3.1.9) and (3.1.10), then we have the following three ring isomorphisms:*

$$
\overline{R} \cong \mathbb{R}^n, \ R \cong \mathbb{Z}^n \ \text{and} \ R\_q \cong \mathbb{Z}\_q^n.
$$

*Proof* We only prove $\overline{R} \cong \mathbb{R}^n$; the other two conclusions could be proved in the same way. $\forall \alpha(x) \in \overline{R}$, $\alpha(x) \longleftrightarrow \alpha \in \mathbb{R}^n$ is a one-to-one correspondence and an abelian group isomorphism. We are to prove

$$
\alpha(\mathbf{x})\beta(\mathbf{x}) \longleftrightarrow \alpha \otimes \beta,\ \forall \alpha(\mathbf{x}), \beta(\mathbf{x}) \in \overline{R}.\tag{3.1.13}
$$

Let $\beta(x) = \beta\_0 + \beta\_1 x + \cdots + \beta\_{n-1} x^{n-1}$, then

$$\begin{aligned} \mathbf{x}\beta(\mathbf{x}) &= \beta\_0 \mathbf{x} + \beta\_1 \mathbf{x}^2 + \dots + \beta\_{n-2} \mathbf{x}^{n-1} + \beta\_{n-1} \mathbf{x}^n \\ &= \beta\_{n-1} + \beta\_0 \mathbf{x} + \dots + \beta\_{n-2} \mathbf{x}^{n-1}, \end{aligned}$$

so $x\beta(x) \longleftrightarrow T\beta$. For all $k$, $0 \leqslant k \leqslant n-1$, we know

$$x^k \beta(x) \longleftrightarrow T^k \beta.$$

Let $\alpha(x) = \alpha\_0 + \alpha\_1 x + \cdots + \alpha\_{n-1} x^{n-1}$; it follows that

$$\alpha(\mathbf{x})\beta(\mathbf{x}) = \sum\_{k=0}^{n-1} \alpha\_k \mathbf{x}^k \beta(\mathbf{x}) \longleftrightarrow \sum\_{k=0}^{n-1} \alpha\_k T^k \beta = T^\*(\alpha)\beta = \alpha \otimes \beta.$$

Therefore, we prove that $\overline{R} \cong \mathbb{R}^n$. Similarly, we have $R \cong \mathbb{Z}^n$ and $R\_q \cong \mathbb{Z}\_q^n$.

Since $\mathbb{R}^n$ is a Euclidean space, the Euclidean distances in $\mathbb{Z}^n$ and $\mathbb{Z}\_q^n$ could also be defined as the Euclidean distance in $\mathbb{R}^n$, which is called the embedding of Euclidean distance into $\mathbb{Z}^n$ and $\mathbb{Z}\_q^n$. By Lemma 3.1.2, we identify $\overline{R}$, $R$, $R\_q$ with $\mathbb{R}^n$, $\mathbb{Z}^n$, $\mathbb{Z}\_q^n$ respectively, and write $\overline{R} = \mathbb{R}^n$, $R = \mathbb{Z}^n$, $R\_q = \mathbb{Z}\_q^n$. Therefore, the polynomial rings $\overline{R}$, $R$ and $R\_q$ also carry a Euclidean distance, which constructs the geometry of the polynomial ring. For any polynomial $\alpha(x) \in \overline{R}$, we define

$$|\alpha(\mathbf{x})| = |\alpha|, \text{ if } \alpha(\mathbf{x}) \longleftrightarrow \alpha. \tag{3.1.14}$$

**Lemma 3.1.3** *For any $\alpha(x), \beta(x) \in \overline{R}$ (or $R$, $R\_q$), we have*

$$|\alpha(\mathbf{x})\beta(\mathbf{x})| \leqslant \sqrt{n}\,|\alpha(\mathbf{x})| \cdot |\beta(\mathbf{x})|.$$

*Proof* To prove this lemma, we only need to prove that for any $\alpha, \beta \in \mathbb{R}^n$ (the same for $\mathbb{Z}^n$ or $\mathbb{Z}\_q^n$), we have

$$|\alpha \otimes \beta| \leqslant \sqrt{n}|\alpha| \cdot |\beta|. \tag{3.1.15}$$

By Definition 3.1.2,

$$\alpha \otimes \beta = T^\*(\alpha)\beta = [\alpha, T\alpha, \dots, T^{n-1}\alpha]\beta = \begin{pmatrix} b\_1 \\ b\_2 \\ \vdots \\ b\_n \end{pmatrix} \in \mathbb{R}^n.$$

Let $\overline{\alpha}$ be the conjugation vector of $\alpha$, i.e.

$$
\alpha = \begin{pmatrix} \alpha\_0 \\ \alpha\_1 \\ \vdots \\ \alpha\_{n-1} \end{pmatrix} \Rightarrow \overline{\alpha} = \begin{pmatrix} \alpha\_{n-1} \\ \alpha\_{n-2} \\ \vdots \\ \alpha\_0 \end{pmatrix},
$$

then the circulant matrix $T^\*(\alpha)$ generated by $\alpha$ can be divided into rows

$$T^\*(\alpha) = \begin{pmatrix} \overline{\alpha}^T T^T \\ \overline{\alpha}^T (T^T)^2 \\ \vdots \\ \overline{\alpha}^T (T^T)^n \end{pmatrix},$$

where $T^T$ is the transpose of $T$. So $b\_i = \overline{\alpha}^T (T^T)^i \beta$ ($1 \leqslant i \leqslant n$); since $|T^i\overline{\alpha}| = |\overline{\alpha}| = |\alpha|$, by the Cauchy-Schwarz inequality we get

$$|b\_i| \leqslant |\alpha| \cdot |\beta|, \ 1 \leqslant i \leqslant n.$$

It follows that

$$|\alpha \otimes \beta| = \left(\sum\_{i=1}^n b\_i^2\right)^{\frac{1}{2}} \le \sqrt{n}|\alpha| \cdot |\beta|.$$

We complete the proof.
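The inequality (3.1.15) can be tested numerically on random vectors. The sketch below (ours, with a hypothetical helper `conv`) checks the bound $|\alpha \otimes \beta| \leqslant \sqrt{n}\,|\alpha| \cdot |\beta|$, each entry of $\alpha \otimes \beta$ being an inner product bounded by $|\alpha| \cdot |\beta|$:

```python
import numpy as np

def conv(a, b):
    # a (x) b = T*(a) b, cyclic convolution via the circulant matrix
    n = len(a)
    return np.column_stack([np.roll(a, k) for k in range(n)]) @ b

rng = np.random.default_rng(1)
n = 8
for _ in range(200):
    a = rng.normal(size=n)
    b = rng.normal(size=n)
    # each of the n entries of a (x) b is bounded by |a||b| (Cauchy-Schwarz),
    # so the norm of the whole vector is at most sqrt(n)|a||b|
    lhs = np.linalg.norm(conv(a, b))
    rhs = np.sqrt(n) * np.linalg.norm(a) * np.linalg.norm(b)
    assert lhs <= rhs + 1e-9
```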

Finally, we discuss the relation between circulant matrices and lattices. Let $B \in \mathbb{R}^{n \times n}$ be a square matrix of order $n$; the lattice $L(B) \subset \mathbb{R}^n$ generated by $B$ is defined by

$$L(B) = \{ Bx \mid x \in \mathbb{Z}^n \}.$$

If *B* is an invertible matrix, then *L*(*B*) is called an *n* dimensional full rank lattice.

**Definition 3.1.3** Let $L(B) \subset \mathbb{R}^n$ be a lattice. We call $L(B)$ a cyclic lattice if $L(B)$ is closed under the linear transformation $T$, i.e. for any $\alpha \in L(B)$ we have $T\alpha \in L(B)$. If $L(B) \subset \mathbb{Z}^n$ is a cyclic lattice, then $L(B)$ is called a cyclic integer lattice.

**Lemma 3.1.4** *Let $\alpha \in \mathbb{R}^n$, then the lattice $L(T^\*(\alpha))$ generated by the circulant matrix $T^\*(\alpha)$ is a cyclic lattice, which is the smallest cyclic lattice containing $\alpha$.*

*Proof* Based on the definition $T^\*(\alpha) = [\alpha, T\alpha, \dots, T^{n-1}\alpha]$, we get

$$L(T^\*(\alpha)) = \left\{ \sum\_{i=0}^{n-1} a\_i \, T^i \alpha \mid a\_i \in \mathbb{Z} \right\}.$$

For any $\beta \in L(T^\*(\alpha))$,

$$\beta = \sum\_{i=0}^{n-1} b\_i T^i \alpha \Rightarrow T\beta \in L(T^\*(\alpha)), \ b\_i \in \mathbb{Z},$$

so $L(T^\*(\alpha))$ is a cyclic lattice. Assume $L$ is a cyclic lattice containing $\alpha$; since $\alpha \in L$, $T\alpha \in L$, ..., $T^{n-1}\alpha \in L$, then any linear combination with integer coefficients satisfies

$$\sum\_{i=0}^{n-1} a\_i T^i \alpha \in L \Rightarrow L(T^\*(\alpha)) \subset L.$$

This means that $L(T^\*(\alpha))$ is the smallest cyclic lattice containing $\alpha$.
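Lemma 3.1.4 has a simple computational interpretation: applying $T$ to the generator matrix $T^\*(\alpha)$ merely permutes its columns cyclically (using $T^n\alpha = \alpha$), so the generated lattice is unchanged as a set. A small numpy check (our illustration; the helper name `T_star` is ours):

```python
import numpy as np

def T_star(a):
    """Circulant matrix T*(a) = [a, Ta, ..., T^{n-1}a] (columns)."""
    n = len(a)
    return np.column_stack([np.roll(a, k) for k in range(n)])

n = 5
a = np.array([3, -1, 4, 1, -5])
B = T_star(a)
T = np.roll(np.eye(n, dtype=int), 1, axis=0)   # shift matrix from (3.1.1)

# T maps column k of T*(a), namely T^k a, to T^{k+1} a; since T^n a = a,
# applying T only permutes the generators cyclically, hence
# L(T*(a)) is closed under T, i.e. it is a cyclic lattice.
assert np.array_equal(T @ B, B[:, np.r_[1:n, 0]])
```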

**Lemma 3.1.5** *Let $L(B) \subset \mathbb{R}^n$ be a cyclic lattice and $\alpha \in L(B)$ a lattice vector, then there is an integer matrix $D \in \mathbb{Z}^{n \times n}$ such that*

$$T^\*(\alpha) = BD.\tag{3.1.16}$$

*Proof* Since $\alpha \in L(B)$ and $L(B)$ is a cyclic lattice, then $T\alpha \in L(B)$, $T^2\alpha \in L(B)$, ..., $T^{n-1}\alpha \in L(B)$. Let ($0 \leqslant k \leqslant n-1$)

$$T^k \alpha = Bd\_k, \ d\_k \in \mathbb{Z}^n, \ D = [d\_0, d\_1, \dots, d\_{n-1}]\_{n \times n} \in \mathbb{Z}^{n \times n},$$

the circulant matrix $T^\*(\alpha)$ generated by $\alpha$ could be written as

$$T^\*(\alpha) = [\alpha, T\alpha, \dots, T^{n-1}\alpha] = [Bd\_0, Bd\_1, \dots, Bd\_{n-1}] = BD.$$

Lemma 3.1.5 holds.

Let $L \subset \mathbb{R}^n$ be a lattice. For any $x \in \mathbb{R}^n$, there exists $u\_x \in L$ such that

$$|\mathbf{x} - u\_{\mathbf{x}}| = \min\_{\alpha \in L} |\alpha - \mathbf{x}| = |\mathbf{x} - L|. \tag{3.1.17}$$

$u\_x$ is called the nearest lattice vector of $x$. We define the covering radius $\rho(L)$ of $L$ by

$$\rho(L) = \max\_{\mathbf{x} \in \mathbb{R}^n} |\mathbf{x} - u\_{\mathbf{x}}| = \max\_{\mathbf{x} \in \mathbb{R}^n} |\mathbf{x} - L|. \tag{3.1.18}$$

Obviously, the covering radius $\rho(L)$ satisfies: any ball $N(x, \rho(L))$ of radius $\rho(L)$ contains at least one lattice vector. If $L\_1 \subset L$ is a sublattice, then for any $x \in \mathbb{R}^n$,

$$|\mathbf{x} - L| \leqslant |\mathbf{x} - L\_1| \Rightarrow \rho(L) \leqslant \rho(L\_1). \tag{3.1.19}$$

If *L* = *L*(*B*), we write ρ(*L*) = ρ(*B*). The final goal of this section is to prove the existence of the covering radius and give an upper bound estimate of ρ(*L*) using Babai's nearest plane algorithm.

Let $L = L(B)$ and let $S = \{s\_1, s\_2, \dots, s\_n\} \subset L$ be $n$ linearly independent lattice vectors. $S^\* = \{s\_1^\*, s\_2^\*, \dots, s\_n^\*\}$ is the orthogonal basis corresponding to $S$ obtained by the Gram-Schmidt method. We define

$$\sigma(S) = \left(\sum\_{i=1}^{n} |s\_i^\*|^2\right)^{\frac{1}{2}}.\tag{3.1.20}$$

**Lemma 3.1.6** *(Babai) Let $L = L(B) \subset \mathbb{R}^n$ be a full rank lattice and $S \subset L$ a set of $n$ linearly independent lattice vectors, then for any $t \in \mathbb{R}^n$, there exists a lattice vector $w \in L$ such that*

$$|t - w| \leqslant \frac{1}{2}\sigma(S).\tag{3.1.21}$$

*Specially, the covering radius $\rho(L)$ of $L$ exists and satisfies $\rho(L) \leqslant \frac{1}{2}\sigma(S)$.*

*Proof* Without loss of generality, we only prove the case $S = B$. Since $L(S) \subset L(B)$ is a full rank sublattice, by (3.1.21) $w \in L(S) \Rightarrow w \in L(B)$ and $\rho(L) \leqslant \rho(S) \leqslant \frac{1}{2}\sigma(S)$. Let $B = [\beta\_1, \beta\_2, \dots, \beta\_n]$ with corresponding orthogonal basis $B^\* = [\beta\_1^\*, \beta\_2^\*, \dots, \beta\_n^\*]$. Babai's algorithm is based on the following two techniques:

(1) Rounding off (see Theorem 7 of Chap. 7 in Zheng (2022))

$\forall x \in \mathbb{R}^n$, write $x = \sum\_{i=1}^n x\_i \beta\_i$, where $x\_i \in \mathbb{R}$. Let $\delta\_i \in \mathbb{Z}$ be the nearest integer to $x\_i$, and define

$$[\mathbf{x}]\_B = \sum\_{i=1}^n \delta\_i \beta\_i, \ \{\mathbf{x}\}\_B = \sum\_{i=1}^n a\_i \beta\_i, \ -\frac{1}{2} < a\_i \leqslant \frac{1}{2}, \ 1 \leqslant i \leqslant n.$$

It is easy to see $x = [x]\_B + \{x\}\_B$, where $[x]\_B \in L$ is a lattice vector.
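The rounding-off step can be sketched directly in plain basis coordinates (a minimal illustration of ours; the function name `round_off` is hypothetical): solve for the coordinates of $x$ in the basis, round them, and split $x$ into a lattice part and a fractional part.

```python
import numpy as np

def round_off(B, x):
    """Rounding off: write x = sum_i x_i beta_i in the basis B (columns),
    round each coordinate x_i to the nearest integer delta_i, and split
    x = [x]_B + {x}_B with [x]_B = sum_i delta_i beta_i in L(B)."""
    coords = np.linalg.solve(B, x)
    delta = np.rint(coords)
    v = B @ delta                    # [x]_B, a lattice vector
    return v, x - v                  # ([x]_B, {x}_B)

B = np.array([[2.0, 1.0], [0.0, 3.0]])       # basis vectors as columns
x = np.array([3.7, 4.2])
v, frac = round_off(B, x)
assert np.allclose(v + frac, x)              # x = [x]_B + {x}_B
# [x]_B has integer coordinates in the basis B, hence lies in L(B)
assert np.allclose(np.rint(np.linalg.solve(B, v)), np.linalg.solve(B, v))
# every coefficient of {x}_B in the basis B lies in [-1/2, 1/2]
assert np.all(np.abs(np.linalg.solve(B, frac)) <= 0.5 + 1e-12)
```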

#### (2) Nearest plane

Let $U = L(\beta\_1, \beta\_2, \dots, \beta\_{n-1}) \subset \mathbb{R}^n$ be the $n-1$ dimensional subspace spanned by $\beta\_1, \dots, \beta\_{n-1}$, and

$$L' = \sum\_{i=1}^{n-1} \mathbb{Z}\beta\_i \subset L \text{ is a sublattice of } L.$$

After $x \in \mathbb{R}^n$ is given, let $v \in L$ be such that $U + v$ is the nearest plane to $x$. Let $x'$ be the orthogonal projection of $x$ onto $U + v$, let $y$ be the nearest lattice vector of $x - v$ in $L'$, and let $w = y + v$ be an approximation of the nearest lattice vector of $x$ in $L$. Based on the above definitions, we can prove that (see (7.82) of Chap. 7 in Zheng (2022))

$$\begin{cases} U = L(\beta\_1, \beta\_2, \dots, \beta\_{n-1}) = L(\beta\_1^\*, \beta\_2^\*, \dots, \beta\_{n-1}^\*) \\ v = \delta\_n \beta\_n \in L \\ \mathbf{x}' = \sum\_{i=1}^{n-1} \mathbf{x}\_i \beta\_i^\* + \delta\_n \beta\_n^\* \\ \mathbf{y} \text{ is the nearest lattice vector of } \mathbf{x} - v \text{ in } L' \\ w = \mathbf{y} + v \in L \end{cases} \tag{3.1.22}$$

Write $x = \sum\_{i=1}^{n} x\_i \beta\_i^\*$ and let $\delta\_n$ be the nearest integer to $x\_n$. Since $v = \delta\_n \beta\_n$ and $x' = \sum\_{i=1}^{n-1} x\_i \beta\_i^\* + \delta\_n \beta\_n^\*$,

$$|\mathbf{x} - \mathbf{x}'| = |\mathbf{x}\_n - \delta\_n| \, |\beta\_n^\*| \leqslant \frac{1}{2}|\beta\_n^\*|.$$

The distance between any two distinct planes in $\{U + z \mid z \in L\}$ is at least $|\beta\_n^\*|$, and $|x - x'|$ is the distance of $x$ from the nearest plane, so we have

$$|\mathbf{x} - \mathbf{x}'| \leqslant |\mathbf{x} - u\_{\mathbf{x}}|.$$

Let $w = y + v = y + \delta\_n \beta\_n \in L$; we are to prove

$$\left|\mathbf{x} - w\right|^2 = \left|\mathbf{x} - \mathbf{x}'\right|^2 + \left|\mathbf{x}' - w\right|^2. \tag{3.1.23}$$

This is because

$$
\mathbf{x} - \mathbf{x}' = (\mathbf{x}\_n - \delta\_n)\beta\_n^\*, \ \mathbf{x}' - w = \mathbf{x}' - v - \mathbf{y} \in U,
$$

therefore,

$$(\mathbf{x} - \mathbf{x'})\perp(\mathbf{x'} - \mathbf{w}),$$

and (3.1.23) holds. Applying the algorithm recursively in the $n-1$ dimensional lattice $L'$, we have by the induction hypothesis:

$$|\mathbf{x}'-w|^2 \leqslant \frac{1}{4} \left( |\beta\_1^\*|^2 + \dots + |\beta\_{n-1}^\*|^2 \right).$$

It follows that

$$|\mathbf{x} - w|^2 \leqslant \frac{1}{4}\left(|\beta\_1^\*|^2 + \dots + |\beta\_{n-1}^\*|^2 + |\beta\_n^\*|^2\right) = \left(\frac{1}{2}\sigma(B)\right)^2.$$

Let $x = t \in \mathbb{R}^n$; we get $w \in L$ such that

$$|t - w| \leqslant \frac{1}{2}\sigma(B).$$

This lemma holds.
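Lemma 3.1.6 is constructive, and the proof above translates directly into code. The following sketch (our illustration; the helper names are ours) implements Babai's nearest-plane algorithm and checks the bound $|t - w| \leqslant \frac{1}{2}\sigma(B)$ on random targets:

```python
import numpy as np

def gram_schmidt(B):
    """Modified Gram-Schmidt on the columns of B (orthogonal, not normalized)."""
    Bs = B.astype(float).copy()
    for i in range(Bs.shape[1]):
        for j in range(i):
            mu = (Bs[:, i] @ Bs[:, j]) / (Bs[:, j] @ Bs[:, j])
            Bs[:, i] -= mu * Bs[:, j]
    return Bs

def nearest_plane(B, t):
    """Babai's nearest-plane algorithm: returns w in L(B) with
    |t - w| <= (1/2) * sqrt(sum_i |b_i^*|^2) = (1/2) * sigma(B)."""
    Bs = gram_schmidt(B)
    w = np.zeros(B.shape[0])
    r = t.astype(float).copy()
    for i in range(B.shape[1] - 1, -1, -1):
        # choose the translate of the sublattice plane nearest to the residual
        c = round((r @ Bs[:, i]) / (Bs[:, i] @ Bs[:, i]))
        w += c * B[:, i]
        r -= c * B[:, i]
    return w

rng = np.random.default_rng(2)
B = np.array([[3., 1., 0.], [1., 4., 1.], [0., 1., 5.]])   # basis as columns
sigma = np.sqrt((gram_schmidt(B) ** 2).sum())

for _ in range(50):
    t = rng.normal(scale=20.0, size=3)
    w = nearest_plane(B, t)
    coords = np.linalg.solve(B, w)
    assert np.allclose(coords, np.rint(coords), atol=1e-8)   # w is in L(B)
    assert np.linalg.norm(t - w) <= sigma / 2 + 1e-9         # Lemma 3.1.6
```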

The calculation of the covering radius of a lattice is also a kind of hard problem. We define the covering radius problem (CDP$\_\gamma$) based on parameter approximation.

**Definition 3.1.4** (CDP$\_\gamma$) Let $L$ be a full rank lattice and $\gamma(n)$ a parameter. The CDP$\_\gamma$ problem is to find an $r$ such that

$$
\rho(L) \leqslant r \leqslant \gamma(n)\rho(L). \tag{3.1.24}
$$

#### **3.2 SIS and Knapsack Problem on Ring**

Let $q$ be a positive integer, $\mathbb{Z}\_q$ the residue class ring mod $q$, and $\mathbb{Z}\_q[x]$ the polynomial ring in one variable over $\mathbb{Z}\_q$. By (3.1.10), we define the quotient ring $R\_q$ of $\mathbb{Z}\_q[x]$

$$R\_q = \mathbb{Z}\_q[\mathbf{x}]/<\mathbf{x}^n - 1> \cong (\mathbb{Z}\_q^n, +, \otimes). \tag{3.2.1}$$

To define the SIS problem on $R\_q$, note that any $m$ polynomials $A = \{a\_1(x), \dots, a\_m(x)\} \subset R\_q$ could be regarded as an $m$ dimensional vector over $R\_q$, i.e. $A = (a\_1(x), \dots, a\_m(x)) \in R\_q^m$, with the norm $|A|$ defined by

$$|A| = \left(\sum\_{i=1}^{m} |a\_i(\mathbf{x})|^2\right)^{\frac{1}{2}} = \left(\sum\_{i=1}^{m} |a\_i|^2\right)^{\frac{1}{2}},\tag{3.2.2}$$

where $a\_i(x) \longleftrightarrow a\_i \in \mathbb{Z}\_q^n$.

**Definition 3.2.1** Let $\beta > 0$ be a positive real number and $n$, $m$, $q$ positive integers. The SIS problem on $R\_q$ is defined as follows: for a given uniformly distributed vector $A = (a\_1(x), \dots, a\_m(x)) \in R\_q^m$, find an $m$ dimensional vector $z = (z\_1(x), z\_2(x), \dots, z\_m(x)) \in R\_q^m$ such that

$$\begin{cases} f\_A(z) = \sum\_{i=1}^m a\_i(\mathbf{x}) z\_i(\mathbf{x}) = 0 \\ 0 < |z| = \left(\sum\_{i=1}^m |z\_i(\mathbf{x})|^2\right)^{\frac{1}{2}} \leqslant \beta \end{cases} \tag{3.2.3}$$

This problem is denoted as $R\_q$-SIS$\_{q,\beta,m}$.

**Remark 3.2.1** By the above definition, $f\_A(z) \in R\_q$, so $f\_A(z) = 0$ is equivalent to

$$f\_A(z) = \sum\_{i=1}^{m} a\_i(\mathbf{x}) z\_i(\mathbf{x}) \equiv 0 \pmod{x^n - 1},$$

here $0 < |z| \leqslant \beta$ is computed in the real number field $\mathbb{R}$.

**Remark 3.2.2** In order to guarantee that the $R\_q$-SIS$\_{q,\beta,m}$ problem has a solution, we only need $m > \log\_2 q$, which differs greatly from the requirement $m > n\log q$ of the classical SIS problem (see Sect. 2.2 of the last chapter). In fact, if $A = (a\_1(x), a\_2(x), \dots, a\_m(x))$ is given, the selection of $z = (z\_1(x), \dots, z\_m(x))$ could be considered in $\mathbb{Z}\_q^n$. For each $z\_i(x) \longleftrightarrow z\_i \in \mathbb{Z}\_q^n$, choose each coordinate of $z\_i$ as 0 or 1, so that the $n$ dimensional vector $z\_i$ has short length. There are $2^n$ such short vectors $z\_i$, so there are $2^{mn}$ choices of $z$ in total. If $2^{mn} > q^n$, i.e. $mn > n\log\_2 q$, that is $m > \log\_2 q$, then by the pigeonhole principle there exist $z' \in R\_q^m$, $z'' \in R\_q^m$, $z' \neq z''$, with

$$f\_A(z') = f\_A(z'') \Rightarrow f\_A(z' - z'') = 0.$$

So $z = z' - z''$ is a solution satisfying (3.2.3).
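The pigeonhole argument of Remark 3.2.2 can be demonstrated by brute force for toy parameters (our illustration only; real parameters are far larger): with $m > \log\_2 q$ there are more 0/1 vectors $z$ than possible values of $f\_A(z)$, so a collision, and hence a nonzero solution of $f\_A(z) = 0$, must exist.

```python
import numpy as np
from itertools import product

def conv(a, b, q):
    # a (x) b = T*(a) b, cyclic convolution reduced mod q
    n = len(a)
    return (np.column_stack([np.roll(a, k) for k in range(n)]) @ b) % q

# Toy parameters with m = 4 > log2(5): 2^{mn} = 4096 binary choices of z
# map into only q^n = 125 possible values of f_A(z).
n, m, q = 3, 4, 5
rng = np.random.default_rng(3)
A = [rng.integers(0, q, n) for _ in range(m)]

def f_A(z):
    out = np.zeros(n, dtype=int)
    for a, zi in zip(A, z):
        out = (out + conv(a, np.array(zi), q)) % q
    return tuple(out)

seen = {}
collision = None
for z in product(product((0, 1), repeat=n), repeat=m):
    v = f_A(z)
    if v in seen and seen[v] != z:
        collision = (seen[v], z)
        break
    seen[v] = z

assert collision is not None           # guaranteed by the pigeonhole principle
z1, z2 = collision
diff = [(np.array(u) - np.array(w)) % q for u, w in zip(z1, z2)]
# f_A is linear mod q, so z1 - z2 (reduced mod q) solves f_A(z) = 0
total = np.zeros(n, dtype=int)
for a, d in zip(A, diff):
    total = (total + conv(a, d, q)) % q
assert np.array_equal(total, np.zeros(n, dtype=int))
```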

#### **Geometric definition of** $R\_q$-SIS$\_{q,\beta,m}$:

Given $m$ vectors $A = (a\_1, a\_2, \dots, a\_m)$ uniformly distributed on $\mathbb{Z}\_q^n$, $a\_i \in \mathbb{Z}\_q^n$, find a group of nonzero short vectors $z = (z\_1, z\_2, \dots, z\_m)$, $z\_i \in \mathbb{Z}\_q^n$, such that

$$\begin{cases} f\_A(z) = \sum\_{i=1}^m a\_i \otimes z\_i = 0 \\ |z\_i| \leqslant \sqrt{n}, \ 1 \leqslant i \leqslant m \end{cases} . \tag{3.2.4}$$

Obviously, the $R\_q$-SIS problem is a special case of the knapsack problem on a ring.

**Definition 3.2.2** (Knapsack problem on ring) Let $R$ be a commutative ring with identity, $a\_1, \dots, a\_m$ be $m$ nonzero elements of $R$, and $X \subset R$ with $|X| = 2^n$; $b \in R$ is called the target element. The knapsack problem on the ring is to find $m$ elements $z\_1, z\_2, \dots, z\_m \in X$ such that

$$f\_A(z) = \sum\_{i=1}^m a\_i z\_i = b,\ \forall z\_i \in X. \tag{3.2.5}$$

If $R = \mathbb{Z}$ is the ring of integers and $X = \{0, 1\}$, or $X = \{0, 1, \dots, 2^n - 1\}$, then the above problem is the classical knapsack problem. It has been proved that the computational complexity of the knapsack problem on $\mathbb{Z}$ is subexponential, while special cases such as super increasing sequences can be solved in polynomial time. If $R = R\_q$ and $b = 0$, then the above problem becomes the SIS problem on $R\_q$. The main result of this section is the following theorem:

**Theorem 3.2.1** *Let $m = O(\log n)$, $k = \tilde{O}(\log n)$, $q \geqslant 4mkn^{\frac{5}{2}}$, and $\gamma \geqslant 16mkn^3$. If we can solve the knapsack problem (3.2.6) on $R\_q$, then there exists a probabilistic polynomial time algorithm solving the covering radius problem CDP$\_\gamma$ for any $n$ dimensional full rank cyclic lattice.*

The knapsack problem on $R\_q$ in Theorem 3.2.1 is a more general case of (3.2.4), which is summarized in the following definition.

**Knapsack problem on** $R\_q$: Choose $m$ vectors $A = (a\_1, a\_2, \dots, a\_m)$ uniformly distributed on $\mathbb{Z}\_q^n$ at random and any target vector $b \in \mathbb{Z}\_q^n$; find a set of short vectors $z = (z\_1, z\_2, \dots, z\_m)$ such that

$$f\_A(z) = \sum\_{i=1}^m a\_i \otimes z\_i = b, \ |z\_i| \le \sqrt{n}, \ 1 \le i \le m. \tag{3.2.6}$$

Theorem 3.2.1 says that if the knapsack problem on $R\_q$ can be solved in the average case, then the covering radius problem on any full rank cyclic lattice can be solved with positive probability; in other words, the average-case knapsack problem on $R\_q$ is at least as hard as the worst-case covering radius problem. This is another reduction principle from the worst case to the average case in the spirit of Ajtai.

The core idea of the proof of Theorem 3.2.1 is to approximate the covering radius $\rho(L)$ of $L$ by $\frac{1}{2}\sigma(S)$ for any cyclic lattice $L = L(B) \subset \mathbb{R}^n$ under the assumption that (3.2.6) is solvable, where $S = \{s\_1, s\_2, \dots, s\_n\} \subset L$ is a set of $n$ linearly independent vectors, and

$$\sigma(S) = \left(\sum\_{i=1}^{n} |s\_i^\*|^2\right)^{\frac{1}{2}}.$$

$\{s\_1^\*, s\_2^\*, \dots, s\_n^\*\}$ is the corresponding orthogonal basis of $S$ obtained by the Gram-Schmidt algorithm. Since $|s\_i^\*| \leqslant |s\_i|$ ($1 \leqslant i \leqslant n$), we have


$$\sigma(S) = \left(\sum\_{i=1}^{n} |s\_i^\*|^2\right)^{\frac{1}{2}} \leqslant \left(\sum\_{i=1}^{n} |s\_i|^2\right)^{\frac{1}{2}}.\tag{3.2.7}$$

By Lemma 3.1.6, $\rho(L) \leqslant \frac{1}{2}\sigma(S)$. The core steps of approximating $\rho(L)$ by $\frac{1}{2}\sigma(S)$ are summarized as follows.

#### **(1) Reduced algorithm**

Randomly choose a set $S = \{s\_1, s\_2, \dots, s\_n\} \subset L$ of $n$ linearly independent lattice vectors, and assume that

$$|S| = |s\_n| = \max\_{1 \le i \le n} |s\_i|.$$

If $\frac{1}{2}\sigma(S) \leqslant \gamma\rho(L)$, then the CDP$\_\gamma$ problem on $L$ is solved. If $\sigma(S) > 2\gamma\rho(L)$, we can find a lattice vector $s' \in L$ such that

$$|s'| \leqslant \frac{1}{2}|s\_n| = \frac{1}{2}|S|,$$

and $s\_1, s\_2, \dots, s\_{n-1}, s'$ are linearly independent. Replace $S$ with the new set of vectors $S' = \{s\_1, s\_2, \dots, s\_{n-1}, s'\}$, that is, replace $s\_n$ with $s'$ in $S$. Repeating this process $n$ times, we can get

$$|S'| \leqslant \frac{1}{2}|S|.\tag{3.2.8}$$

Repeating the above reduction algorithm, we find a set of linearly independent vectors $S \subset L$ such that

$$|S| \leqslant \frac{2\gamma}{\sqrt{n}} \rho(L),\tag{3.2.9}$$

and the computational complexity of the algorithm is polynomial. Based on (3.2.9), we have

$$
\rho(L) \leqslant \frac{1}{2}\sigma(S) \leqslant \frac{\sqrt{n}}{2}|S| \leqslant \gamma\rho(L).
$$

So we complete solving the CDP$\_\gamma$ problem.

#### **(2) Approximation of standard orthogonal basis**

Let $\{e\_0, e\_1, \dots, e\_{n-1}\} \subset \mathbb{Z}\_q^n$ be the standard orthogonal basis, and let $L = L(B) \subset \mathbb{R}^n$ be a given cyclic lattice. Define the parameter

$$\beta = \left(\frac{4nq}{\gamma} + \frac{\sqrt{n}}{2}\right) \sigma(S),\tag{3.2.10}$$

where *S* = {*s*1,*s*2,...,*sn*} ⊂ *L* is a set of *n* linearly independent vectors, such that

$$
\sigma(S) > 2\gamma\rho(L). \tag{3.2.11}
$$

To find $s'$ in the reduction algorithm, by Lemma 3.1.6, there is a lattice vector $c \in L$ such that

$$|c - \beta e\_0| \leqslant \frac{1}{2}\sigma(S).\tag{3.2.12}$$

Since $T$ is an orthogonal matrix, it induces an orthogonal linear transformation of $\mathbb{R}^n$, i.e.

$$|T\alpha| = |\alpha|, \,\forall \alpha \in \mathbb{R}^n.$$

Therefore, for any $0 \leqslant k \leqslant n-1$,

$$|T^k(c - \beta e\_0)| = |c - \beta e\_0| \leqslant \frac{1}{2}\sigma(S).$$

Note that *T <sup>k</sup> e*<sup>0</sup> = *ek* , so

$$|T^k c - \beta e\_k| \leqslant \frac{1}{2}\sigma(S).$$

Because $c \in L$ and $L$ is a cyclic lattice, $T^k c \in L$ ($0 \leqslant k \leqslant n-1$). The circulant matrix $T^\*(c) = [c, Tc, \dots, T^{n-1}c]$ implements the approximation of the standard orthogonal basis: each column $T^k c$ lies within distance $\frac{1}{2}\sigma(S)$ of $\beta e\_k$.

In order to give a complete proof of Theorem 3.2.1, we denote

$$B' = q(T^\*(c))^{-1}B.\tag{3.2.13}$$

**Lemma 3.2.1** *The lattice $L(B')$ generated by $B'$ satisfies $q\mathbb{Z}^n \subset L(B')$.*

*Proof* By Lemma 3.1.5, since $c \in L$ and $L$ is a cyclic lattice, there exists an integer matrix $D \in \mathbb{Z}^{n \times n}$ such that

$$T^\*(c) = BD \Rightarrow B^{-1}T^\*(c) \in \mathbb{Z}^{n \times n},$$

thus,

$$B'(B^{-1}T^\*(c)) = q(T^\*(c))^{-1} \cdot B \cdot B^{-1}T^\*(c) = qI\_n.$$

Each column $q e\_j$ ($0 \leqslant j \leqslant n-1$) of the above matrix lies in $L(B')$, hence $q\mathbb{Z}^n \subset L(B')$.

Based on Lemma 3.2.1, $q\mathbb{Z}^n$ is an additive subgroup of $L(B')$. Randomly choose $mk$ vectors $x'\_{ij} \in G$ ($1 \leqslant i \leqslant m$, $1 \leqslant j \leqslant k$) in the quotient group $G = L(B')/q\mathbb{Z}^n$; the integral vector $w'\_{ij}$ of $x'\_{ij}$ is defined by

$$w'\_{ij} = [\mathbf{x}'\_{ij}] \in \mathbb{Z}^{n}, \ 1 \leqslant i \leqslant m, \ 1 \leqslant j \leqslant k.$$

Let

$$a\_i \equiv \sum\_{j=1}^{k} w'\_{ij} \pmod{q} \Rightarrow a\_i \in \mathbb{Z}\_q^n,\tag{3.2.14}$$

Let $A = (a\_1, a\_2, \dots, a\_m)$ contain the above $m$ vectors in $\mathbb{Z}\_q^n$, and consider the knapsack problem on $R\_q = (\mathbb{Z}\_q^n, +, \otimes)$,

$$f\_A(z) = \sum\_{i=1}^m a\_i \otimes z\_i, \ \forall z\_i \in \mathbb{Z}\_q^n, \ |z\_i| \le \sqrt{n}.$$

If we can solve the knapsack problem on $R\_q$, then a collision of $f\_A$ can also be found. So there are integral vectors $y = (y\_1, y\_2, \dots, y\_m)$ and $\hat{y} = (\hat{y}\_1, \hat{y}\_2, \dots, \hat{y}\_m)$, $y \neq \hat{y}$, such that

$$f\_A(\mathbf{y} - \hat{\mathbf{y}}) = \sum\_{i=1}^{m} a\_i \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i) = 0, \ |\mathbf{y}\_i| \leqslant \sqrt{n}, \ |\hat{\mathbf{y}}\_i| \leqslant \sqrt{n},\tag{3.2.15}$$

where

$$\mathbf{y} = (\mathbf{y}\_1, \mathbf{y}\_2, \dots, \mathbf{y}\_m), \ \hat{\mathbf{y}} = (\hat{\mathbf{y}}\_1, \hat{\mathbf{y}}\_2, \dots, \hat{\mathbf{y}}\_m). \tag{3.2.16}$$

Based on the vector clusters $y$ and $\hat{y}$ in $\mathbb{Z}\_q^n$, we define

$$\begin{cases} \mathbf{x}\_{ij} = \frac{1}{q} T^\*(c) \mathbf{x}\_{ij}^{'} \text{ and } w\_{ij} = \frac{1}{q} T^\*(c) w\_{ij}^{'}\\\mathbf{s}^{'} = \sum\_{i=1}^{m} \sum\_{j=1}^{k} (\mathbf{x}\_{ij} - w\_{ij}) \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \end{cases} \tag{3.2.17}$$

The $s'$ defined by the above formula is just the $s'$ in the reduction algorithm. First, we prove the following lemma.

**Lemma 3.2.2** *$x\_{ij} \in L(B)$ is a lattice vector in the given cyclic lattice $L$ ($1 \leqslant i \leqslant m$, $1 \leqslant j \leqslant k$), and if $f\_A(y) = f\_A(\hat{y})$, then $s' \in L(B)$ is also a lattice vector.*

*Proof* Since $x'\_{ij} \in L(B')$, there is $\alpha \in \mathbb{Z}^n$ such that $x'\_{ij} = B'\alpha$, and we get

$$\mathbf{x}\_{ij} = \frac{1}{q} T^\*(c) B' \alpha = \frac{1}{q} T^\*(c) \cdot q(T^\*(c))^{-1} \cdot B \alpha = B\alpha \in L(B).$$

To prove $s' \in L(B)$, by (3.2.17) and the property of circulant matrices (see (3.1.5)),

$$\begin{split} s' &= \sum \mathbf{x}\_{ij} \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i) - \sum w\_{ij} \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \\ &= \sum T^\*(\mathbf{x}\_{ij})(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) - \sum T^\*(w\_{ij})(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \\ &= \sum\_{i=1}^m T^\*\left(\sum\_{j=1}^k \mathbf{x}\_{ij}\right)(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) - \sum\_{i=1}^m T^\*\left(\sum\_{j=1}^k w\_{ij}\right)(\mathbf{y}\_i - \hat{\mathbf{y}}\_i). \end{split} \tag{3.2.18}$$

Based on the first conclusion, $x\_{ij} \in L(B) \Rightarrow \sum\_{j=1}^k x\_{ij} \in L(B)$; since $y\_i$ and $\hat{y}\_i$ are integral vectors in $\mathbb{Z}\_q^n$, it follows that

$$T^\* \left(\sum\_{j=1}^k x\_{ij}\right) (\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \in L(B).$$

Next we prove the second term of (3.2.18) is also a lattice vector. By the definition of w*i j* ,

$$w\_{ij} = \frac{1}{q} T^\*(c) w\_{ij}^{'}, \text{ then } \sum\_{j=1}^{k} w\_{ij} = \frac{1}{q} T^\*(c) \left(\sum\_{j=1}^{k} w\_{ij}^{'}\right).$$

Hence,

$$T^\*\left(\sum\_{j=1}^k w\_{ij}\right) = \frac{1}{q} T^\*(c) T^\*\left(\sum\_{j=1}^k w\_{ij}^{'}\right).$$

The second term of (3.2.18) could be written as

$$\begin{split} \sum\_{i=1}^{m} T^\*(\sum\_{j=1}^{k} w\_{ij})(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) &= \frac{1}{q} T^\*(c) \sum\_{i=1}^{m} T^\*(\sum\_{j=1}^{k} w\_{ij}')(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \\ &= \frac{1}{q} T^\*(c) \sum\_{i=1}^{m} \sum\_{j=1}^{k} w\_{ij}' \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i). \end{split} \tag{3.2.19}$$

Since

$$\sum\_{i=1}^{m} \sum\_{j=1}^{k} w\_{ij}^{'} \otimes (\mathbf{y}\_{i} - \hat{\mathbf{y}}\_{i}) \equiv \sum\_{i=1}^{m} a\_{i} \otimes (\mathbf{y}\_{i} - \hat{\mathbf{y}}\_{i}) \bmod q \equiv f\_{A}(\mathbf{y}) - f\_{A}(\hat{\mathbf{y}}) \bmod q,$$

by $f\_A(\mathbf{y}) = f\_A(\hat{\mathbf{y}})$, we know the second term of (3.2.18) is in $L(B)$, i.e.

$$\sum\_{i=1}^{m} T^\*(\sum\_{j=1}^{k} w\_{ij})(\mathbf{y}\_i - \hat{\mathbf{y}}\_i) \in L(B).$$

Finally, $s' \in L(B)$ follows from (3.2.18).

**Lemma 3.2.3** *The lattice vector $s'$ defined in (3.2.17) satisfies*

$$|s'| \leqslant \frac{1}{2}|s\_n| = \frac{1}{2}|S|.\tag{3.2.20}$$


*Proof* We only need to prove $|s'| \leqslant \sigma(S)/(2\sqrt{n})$: since

$$\sigma(S) \leqslant \left(\sum\_{i=1}^n |s\_i|^2\right)^{\frac{1}{2}} \leqslant \sqrt{n}|S| = \sqrt{n}|s\_n|,$$

this gives $|s'| \leqslant \frac{1}{2}|s\_n|$, and the lemma is proved. Based on the definition of $s'$,

$$|s'| \leqslant \sum\_{i=1}^{m} \sum\_{j=1}^{k} |(\mathbf{x}\_{ij} - w\_{ij}) \otimes (\mathbf{y}\_i - \hat{\mathbf{y}}\_i)|. \tag{3.2.21}$$

By the definitions of $x\_{ij}$ and $w\_{ij}$,

$$x\_{ij} - w\_{ij} = \frac{1}{q} T^\*(c)(\boldsymbol{x'\_{ij}} - \boldsymbol{w'\_{ij}}) = \frac{1}{q} c \otimes (\boldsymbol{x'\_{ij}} - \boldsymbol{w'\_{ij}}).$$

Let $\alpha = c - \beta e\_0$; then $|\alpha| \leqslant \frac{1}{2}\sigma(S)$ (see (3.2.12)), and

$$\begin{split} \mathbf{x}\_{ij} - w\_{ij} &= \frac{1}{q} (\alpha + \beta \mathbf{e}\_{0}) \otimes (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}) = \frac{1}{q} T^\* (\alpha + \beta \mathbf{e}\_{0}) (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}) \\ &= \frac{\beta}{q} T^\* (\mathbf{e}\_{0}) (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}) + \frac{1}{q} T^\* (\alpha) (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}) \\ &= \frac{\beta}{q} (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}) + \frac{1}{q} T^\* (\alpha) (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}). \end{split}$$

Since

$$|\boldsymbol{x}\_{ij}^{'} - \boldsymbol{w}\_{ij}^{'}| \leqslant \frac{1}{2}\sqrt{n},$$

combined with (3.1.15) in the last section, we have ($\beta$ is determined by (3.2.10))

$$\begin{split} |\mathbf{x}\_{ij} - w\_{ij}| &\leqslant \frac{\beta}{q} |\mathbf{x}\_{ij}^{'} - w\_{ij}^{'}| + \frac{1}{q} |\alpha \otimes (\mathbf{x}\_{ij}^{'} - w\_{ij}^{'})| \\ &\leqslant \frac{\beta}{q} \cdot \frac{1}{2} \sqrt{n} + \frac{1}{q} \cdot \frac{\sqrt{n}}{2} \cdot \sqrt{n} \cdot \frac{1}{2} \sigma(S) \\ &= \frac{\beta}{q} \cdot \frac{\sqrt{n}}{2} + \frac{1}{q} \sqrt{n} \cdot \frac{\sigma(S)}{2} \cdot \frac{\sqrt{n}}{2} \\ &= \sigma(S) \left( \frac{2n^{\frac{3}{2}}}{\gamma} + \frac{n}{4q} \right) \\ &\leqslant \sigma(S) \left( \frac{1}{8} \cdot \frac{1}{mkn^{\frac{1}{2}}} + \frac{1}{8} \cdot \frac{1}{mkn^{\frac{1}{2}}} \right) \\ &= \frac{1}{4} \sigma(S) \frac{1}{mkn^{\frac{1}{2}}}. \end{split}$$

Based on (3.2.21), we get

$$\begin{aligned} |\mathbf{s'}| &\leqslant mk\sqrt{n} \max\_{i,j} |\mathbf{x}\_{ij} - w\_{ij}| \cdot \max\_{i} |\mathbf{y}\_i - \hat{\mathbf{y}}\_i| \\\\ &\leqslant mk\sqrt{n} \cdot 2\sqrt{n} \max\_{i,j} |\mathbf{x}\_{ij} - w\_{ij}| \leqslant \frac{\sigma(S)}{2\sqrt{n}}.\end{aligned}$$

So we complete the proof of Lemma 3.2.3.

From the above lemma, the reduced algorithm required in Theorem 3.2.1 is established. However, we must prove that $\{a\_i\}\_{i=1}^{m} \subset \mathbb{Z}\_q^n$ determined by (3.2.14) is uniformly distributed, so that the knapsack problem on $R\_q$ is solved in the average case. Next we prove that $\{a\_i\}\_{i=1}^{m}$ is almost uniformly distributed in $\mathbb{Z}\_q^n$, that is, the statistical distance between the distribution of $\{a\_i\}$ and the uniform distribution is sufficiently small. We first prove the following lemma.

**Lemma 3.2.4** *Let $B' = q(T^\*(c))^{-1}B$; then the covering radius $\rho(B')$ of $L(B')$ satisfies*

$$
\rho(B') \le \frac{1}{8n},
$$

*where $L(B)$ is a full-rank cyclic lattice and $c \in L(B)$ is given by (3.2.12).*

*Proof* Based on the definition of covering radius,

$$\rho(B') = \max\_{\mathbf{x} \in \mathbb{R}^n} |\mathbf{x} - \boldsymbol{\mu}\_x| = \max\_{\mathbf{x} \in \mathbb{R}^n} |\mathbf{x} - L(B')|.$$

Let $t' \in \mathbb{R}^n$ be a vector achieving the maximum above, i.e. $|t' - L(B')| = \rho(B')$, and

$$|t' - B'z| \geqslant \rho(B'), \ \forall \ z \in \mathbb{Z}^n.$$

Denote

$$t = \frac{1}{q} T^\*(c)t'.$$

Suppose $Bz\_0 \in L(B)$ is the nearest lattice vector to $t$; then we have

$$\begin{split} \rho(B) &\geqslant \text{dist}(t, L(B)) = |t - Bz\_0| \\ &= |\frac{1}{q}T^\*(c)t' - Bz\_0| = |\frac{1}{q}T^\*(c)(t' - B'z\_0)| \\ &\geqslant \frac{1}{q}|t' - B'z\_0| \min\_d \frac{|c \otimes d|}{|d|} \\ &\geqslant \frac{1}{q}\rho(B') \min\_{d \in \mathbb{R}^n, d \neq 0} \frac{|c \otimes d|}{|d|}. \end{split} \tag{3.2.22}$$

For any $d \in \mathbb{R}^n$, $d \neq 0$, we estimate the value of $|c \otimes d|$. Since $c = \beta e\_0 + \alpha$, where $|\alpha| \leqslant \frac{1}{2}\sigma(S)$, we have

$$\begin{aligned} |c \otimes d| &= |(\beta e\_0 + \alpha) \otimes d| \\ &\geqslant \beta |d| - \sqrt{n}|\alpha||d| \\ &\geqslant |d|\left(\beta - \frac{1}{2}\sqrt{n}\sigma(S)\right) \\ &\geqslant |d|\frac{4nq}{\gamma}\sigma(S). \end{aligned}$$

By (3.2.22), we have (see (3.2.11))

$$
\begin{aligned}
\rho(B) &\geqslant \frac{1}{q} \rho(B') \cdot \frac{4nq}{\gamma} \sigma(S) \\
&\geqslant 8n\rho(B')\rho(B).
\end{aligned}
$$

This implies $\rho(B') \leqslant \frac{1}{8n}$, and Lemma 3.2.4 holds.

**Lemma 3.2.5** *Let $\Lambda = L(B)$ be a lattice and $Q \subset \mathbb{R}^n$ be convex, containing a ball of radius $r \geqslant \rho(\Lambda)$. Then the number of lattice vectors of $L(B)$ contained in $Q$ satisfies*

$$\frac{\text{Vol}(Q)}{\det(\Lambda)}\left(1-\frac{\rho(\Lambda)n}{r}\right) \leqslant |L(B) \cap Q| \leqslant \frac{\text{Vol}(Q)}{\det(\Lambda)}\left(1+\frac{2\rho(\Lambda)n}{r}\right).$$

*Proof* See Lyubashevsky and Micciancio (2006) or Lyubashevsky (2010).

Based on the above lemma, let $\Lambda = L(B')$; we estimate the distribution of the vectors $\{a\_{ij}\}$ in $\mathbb{Z}\_q^n$. From the definition,

$$a\_{ij} \equiv w\_{ij}^{'} \pmod{q}, \ a\_i \equiv \sum\_{j=1}^{k} a\_{ij} \pmod{q},\tag{3.2.23}$$

where $w\_{ij}^{'}$ is the rounding vector of $x\_{ij}^{'} \in G = L(B')/q\mathbb{Z}^n$. The ball centered at $w\_{ij}^{'}$ with radius $\frac{1}{2}$ is contained in the cube centered at $w\_{ij}^{'}$ with side length 1. Since $\rho(L(B')) \leqslant \frac{1}{8n} < \frac{1}{2}$ from Lemma 3.2.4, by Lemma 3.2.5 the number $N$ of lattice vectors of $L(B')$ in this cube satisfies

$$\frac{1}{\det(B')} \left(1 - \frac{1}{4}\right) \leqslant N \leqslant \frac{1}{\det(B')} (1 + \frac{1}{2}).$$

For any $a \in R\_q = \mathbb{Z}\_q^n$, because $x\_{ij}^{'}$ is uniformly selected in $L(B')/q\mathbb{Z}^n$, there are

$$|L(B')/q\mathbb{Z}^n| = \frac{q^n}{\det(B')}$$

possible choices, therefore,

$$\left| \Pr\{a\_{ij} = a\} - \frac{1}{q^n} \right| \leqslant \frac{1}{2q^n}.\tag{3.2.24}$$

Now we estimate the probability distribution of $\{a\_i\}\_{i=1}^{m}$.

**Lemma 3.2.6** *Let $G$ be a finite Abelian group and $A\_1, A\_2, \dots, A\_k$ be $k$ independent random variables on $G$, such that for any element $x \in G$,*

$$\left| \Pr\{A\_i = x\} - \frac{1}{|G|} \right| \leqslant \frac{1}{2|G|}.$$

*Then the statistical distance between $\xi = \sum\_{i=1}^{k} A\_i$ and the uniform distribution on $G$ satisfies*

$$
\Delta(\xi, U(G)) \leqslant 2^{-(k+1)}.
$$

*Proof* We use mathematical induction to prove that the following inequality holds for any positive integer *k*,

$$\left| \Pr\{\xi = x\} - \frac{1}{|G|} \right| \leqslant \frac{1}{2^k |G|}, \ \forall x \in G.$$

If $k = 1$, the inequality above holds. Assume it holds for $k - 1$; denote $\xi' = \sum\_{i=1}^{k-1} A\_i$ and $\xi = \xi' + A\_k$. We have

$$\begin{split} \left| \Pr\{\xi = x\} - \frac{1}{|G|} \right| &= \left| \sum\_{a \in G} \Pr\{\xi' = a, A\_k = x - a\} - \frac{1}{|G|} \right| \\ &= \left| \sum\_{a \in G} \Pr\{\xi' = a\} \Pr\{A\_k = x - a\} - \frac{1}{|G|} \right| \\ &= \left| \sum\_{a \in G} \left( \Pr\{\xi' = a\} - \frac{1}{|G|} \right) \left( \Pr\{A\_k = x - a\} - \frac{1}{|G|} \right) \right| \\ &\leqslant \sum\_{a \in G} \frac{1}{2^{k-1}|G|} \cdot \frac{1}{2|G|} = \frac{1}{2^k|G|} . \end{split}$$

Thus,

$$\Delta(\xi, U(G)) = \frac{1}{2} \sum\_{x \in G} \left| \Pr\{\xi = x\} - \frac{1}{|G|} \right| \leqslant \frac{1}{2} \sum\_{x \in G} \frac{1}{2^k |G|} = 2^{-(k+1)}.$$

This lemma holds.
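Lemma 3.2.6 can be checked numerically: take $G = \mathbb{Z}\_q$, convolve $k$ copies of a distribution whose bias from uniform is exactly $\frac{1}{2|G|}$ on two points (an illustrative choice), and verify that the statistical distance of the sum to uniform stays below $2^{-(k+1)}$. A minimal sketch:

```python
def conv_mod_q(p1, p2, q):
    """Distribution of (X + Y) mod q for independent X ~ p1, Y ~ p2."""
    out = [0.0] * q
    for a in range(q):
        for b in range(q):
            out[(a + b) % q] += p1[a] * p2[b]
    return out

def dist_to_uniform(p, q):
    """Statistical distance Delta(p, U(Z_q)) = (1/2) * sum |p(x) - 1/q|."""
    return 0.5 * sum(abs(x - 1.0 / q) for x in p)

q = 7
# one biased distribution with |p(x) - 1/q| <= 1/(2q), as in Lemma 3.2.6
p = [1.0 / q] * q
p[0] += 1.0 / (2 * q)
p[1] -= 1.0 / (2 * q)

dist = p[:]
for k in range(1, 7):
    if k > 1:
        dist = conv_mod_q(dist, p, q)
    # bound of Lemma 3.2.6: Delta(sum of k copies, uniform) <= 2^{-(k+1)}
    assert dist_to_uniform(dist, q) <= 2.0 ** -(k + 1)
```

The exact convolution (rather than sampling) mirrors the induction step of the proof: each extra summand multiplies the pointwise bias by at most $\frac{1}{2}$.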

From (3.2.23), (3.2.24) and Lemma 3.2.6, we know that each $a\_i = \sum\_{j=1}^{k} a\_{ij}$ is almost uniformly distributed on $\mathbb{Z}\_q^n$, i.e. the statistical distance between $a\_i$ and the uniform distribution is sufficiently small. Therefore, the knapsack problem on $R\_q$ sampled by $f\_A(z)$ is in the average case. So far, we have completed the proof of Theorem 3.2.1.

#### **3.3 LWE Problem**

The LWE problem is to solve a kind of random linear equations under a given probability distribution. To better understand it, let us start with the learning parity with errors problem (LPE). Let $\mathbb{Z}\_2 = \{0, 1\}$ be the finite field with 2 elements, $n \geqslant 1$, and $\varepsilon \geqslant 0$ be a given parameter. The distribution of $\xi$ with parameter $\varepsilon$ on $\mathbb{Z}\_2$ is

$$\Pr\{\xi=0\} = 1 - \varepsilon, \Pr\{\xi=1\} = \varepsilon.$$

If $a, b \in \mathbb{Z}\_2$, the probability that $a$ and $b$ have the same parity is $1 - \varepsilon$, i.e.

$$\Pr\{a \equiv b \pmod{2}\} = 1 - \varepsilon,$$

denoted as $a \equiv\_{\varepsilon} b$. The LPE problem is: given $m$ independent vectors $\{a\_1, a\_2, \dots, a\_m\}$, $a\_i \in \mathbb{Z}\_2^n$ uniformly distributed on $\mathbb{Z}\_2^n$, and $b = (b\_1, \dots, b\_m)^{T} \in \mathbb{Z}\_2^m$, to solve a vector $s \in \mathbb{Z}\_2^n$ such that the following $m$ random congruence equations hold simultaneously:

$$\begin{cases} b\_1 \equiv\_{\varepsilon} < a\_1, s > \pmod{2} \\ b\_2 \equiv\_{\varepsilon} < a\_2, s > \pmod{2} \\ \vdots \\ b\_m \equiv\_{\varepsilon} < a\_m, s > \pmod{2} \end{cases} \tag{3.3.1}$$

where $< a\_i, s >$ is the inner product of two vectors in $\mathbb{Z}\_2^n$. If $\varepsilon = 0$, the distribution $\xi$ becomes trivial, and (3.3.1) becomes $m$ deterministic congruence equations. In this case, the LPE problem can be solved by Gaussian elimination from only $n$ equations, and the computational complexity is polynomial in $n$. If $\varepsilon > 0$, the LPE problem is nontrivial, and its computational complexity is exponential in $n$. For example, the maximum likelihood algorithm requires $O(n)$ random congruence equations with computational complexity $2^{O(n)}$. In 2003, Blum et al. (2003) proposed a subexponential algorithm whose computational complexity and number of random congruence equations are both $2^{O(n/\log n)}$, which is the best result for the LPE problem so far.
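As an illustration (not an attack from the text), the LPE sampling process is easy to simulate: draw uniform $a\_i \in \mathbb{Z}\_2^n$, flip the parity of each $b\_i$ with probability $\varepsilon$, and check empirically that $\Pr\{b\_i \equiv < a\_i, s >\} \approx 1 - \varepsilon$. A hedged Python sketch (the name `lpe_samples`, the seed and the parameters are our own choices):

```python
import random

def lpe_samples(s, m, eps, rng):
    """Generate m LPE samples (a_i, b_i) with b_i = <a_i, s> + e_i mod 2,
    where the error e_i equals 1 with probability eps."""
    n = len(s)
    out = []
    for _ in range(m):
        a = [rng.randrange(2) for _ in range(n)]
        e = 1 if rng.random() < eps else 0
        b = (sum(ai * si for ai, si in zip(a, s)) + e) % 2
        out.append((a, b))
    return out

rng = random.Random(1)
s = [1, 0, 1, 1]                       # hypothetical secret
samples = lpe_samples(s, 10000, 0.1, rng)
agree = sum(b == sum(ai * si for ai, si in zip(a, s)) % 2
            for a, b in samples)
# empirically Pr{b_i = <a_i, s>} is close to 1 - eps = 0.9
assert abs(agree / 10000 - 0.9) < 0.02
```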


Generalizing the LPE problem from mod 2 to the general case mod $q$ yields the LWE problem. Due to the important role of the LWE problem in modern post-quantum cryptosystems, we introduce the related concepts and results in detail in this section. First, we define the random congruence equation with error on the integer ring $\mathbb{Z}$. Let $n \geqslant 1$, $q \geqslant 2$ be two positive integers, $\mathbb{Z}\_q$ be the residue class ring mod $q$, and $\chi$ be a probability distribution on $\mathbb{Z}\_q$.

**Definition 3.3.1** Let $a, b \in \mathbb{Z}$, $e \in \mathbb{Z}\_q$; if

$$\Pr\{a \equiv b + e \pmod{q}\} = \chi(e),\tag{3.3.2}$$

we say $a$ and $b$ are congruent mod $q$ under the distribution $\chi$, denoted as

$$a \equiv\_{\chi} b + e \pmod{q}, \text{ or } a =\_{\chi} b + e. \tag{3.3.3}$$

The above formula is called a random congruence equation with error under $\chi$, and is sometimes abbreviated as $a = b + e$.

Based on the above random congruence equation, we give the definition of the LWE distribution *As*,χ .

**Definition 3.3.2** Let $s \in \mathbb{Z}\_q^n$ and $\chi$ be a given distribution on $\mathbb{Z}\_q$. The LWE distribution $A\_{s,\chi} = (a, b) \in \mathbb{Z}\_q^n \times \mathbb{Z}\_q$ generated by $s$ and $\chi$ satisfies: $a \in \mathbb{Z}\_q^n$ is uniformly distributed, $e \in \mathbb{Z}\_q$ is sampled from $\chi$, and $b \equiv\_{\chi} < a, s > + e \pmod{q}$.
Under the LWE distribution $A\_{s,\chi} = (a, b) \in \mathbb{Z}\_q^n \times \mathbb{Z}\_q$, for a given error $e \in \mathbb{Z}\_q$, finding the private key $s = (s\_1, s\_2, \dots, s\_n) \in \mathbb{Z}\_q^n$ is in essence solving the random knapsack problem on the ring $\mathbb{Z}\_q$:

$$b \equiv a\_1 s\_1 + a\_2 s\_2 + \dots + a\_n s\_n \pmod{q},$$

that is, to solve $s \in \mathbb{Z}\_q^n$ under the probability distribution $\chi(e)$. Next, we give the definition of the LWE problem LWE$\_{n,q,\chi,m}$ with parameters $n \geqslant 1$, $q \geqslant 2$, $m \geqslant 1$ and $\chi$.

**Definition 3.3.3** For any $m$ independent samples $(a\_i, b\_i) \in \mathbb{Z}\_q^n \times \mathbb{Z}\_q$ ($1 \leqslant i \leqslant m$) of $A\_{s,\chi}$, and randomly selected samples $e = (e\_1, \dots, e\_m)^{T}$ of the error distribution, $e\_i \in \mathbb{Z}\_q$, $e\_i \leftarrow \chi$, the LWE$\_{n,q,\chi,m}$ problem is to solve the private key $s \in \mathbb{Z}\_q^n$ with high probability (larger than $1 - \delta$). In other words, solve $s \in \mathbb{Z}\_q^n$ satisfying

$$\begin{cases} b\_1 =\_\chi < a\_1, s > +e\_1 \\ b\_2 =\_\chi < a\_2, s > +e\_2 \\ \vdots \\ b\_m =\_\chi < a\_m, s > +e\_m \end{cases} \tag{3.3.4}$$


**Remark 3.3.1** If $\chi$ is the trivial distribution, i.e. $\chi(0) = 1$ and $\chi(k) = 0$ for $1 \leqslant k < q$, then every sample of $\chi$ is $e = (0, \dots, 0)^{T}$, and (3.3.4) becomes $m$ deterministic congruence equations:

$$\begin{cases} b\_1 \equiv < a\_1, s > \pmod{q} \\ b\_2 \equiv < a\_2, s > \pmod{q} \\ \vdots \\ b\_m \equiv < a\_m, s > \pmod{q} \end{cases}$$

By Gaussian elimination, we can compute the unique private key $s \in \mathbb{Z}\_q^n$ from $n$ congruence equations, and the computational complexity is polynomial.
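The error-free case of Remark 3.3.1 can be made concrete: for prime $q$, Gaussian elimination mod $q$ recovers $s$ from $n$ noiseless equations. A small sketch (the matrix and the secret are arbitrary illustrative values; a prime $q$ keeps every nonzero pivot invertible):

```python
def solve_mod_q(A, b, q):
    """Gauss-Jordan elimination for A s = b (mod q); q must be prime so
    that nonzero pivots are invertible (Fermat inverse x^{q-2} mod q)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] % q != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], q - 2, q)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col] % q != 0:
                f = M[r][col]
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

q = 97
s = [3, 14, 15, 92]                                            # secret to recover
A = [[1, 2, 3, 4], [0, 1, 5, 6], [0, 0, 1, 7], [0, 0, 0, 1]]   # invertible mod q
b = [sum(A[i][j] * s[j] for j in range(4)) % q for i in range(4)]
assert solve_mod_q(A, b, q) == s
```

With any nonzero error the recovered vector would differ from $s$, which is exactly why the LWE problem is hard while this case is easy.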

**Remark 3.3.2** Let $q = 2$ and $\chi$ be the two-point distribution with parameter $\varepsilon$ on $\mathbb{Z}\_2$; then the LWE problem on $\mathbb{Z}\_2$ is just the LPE problem. For any error vector $e = (e\_1, \dots, e\_m)^{T}$, if $e\_i = 1$, from

$$\Pr\{b\_i \equiv < a\_i, s > + 1 \pmod{2}\} = \varepsilon,$$

we can get

$$\Pr\{b\_i \equiv < a\_i, \, s > \pmod{2}\} = 1 - \varepsilon.$$

**Matrix representation of the LWE$\_{n,q,\chi,m}$ problem**

Let $A = [a\_1, a\_2, \dots, a\_m]\_{n \times m} \in \mathbb{Z}\_q^{n \times m}$ be a uniformly distributed random matrix, $b = (b\_1, b\_2, \dots, b\_m)^{T} \in \mathbb{Z}\_q^m$, and $e = (e\_1, e\_2, \dots, e\_m)^{T} \in \mathbb{Z}\_q^m$ be the errors with $e \leftarrow \chi^m$. Solve the private key $s \in \mathbb{Z}\_q^n$ such that

$$b \equiv\_{\chi} A's + e \pmod{q}, \tag{3.3.5}$$

where $A'$ is the transpose of $A$, and (3.3.5) is a set of random congruence equations with errors. The probability that the $i$th congruence equation holds is $\chi(e\_i)$, so

$$\Pr\{b \equiv\_{\chi} A's + e \pmod{q}\} = \prod\_{i=1}^{m} \chi(e\_i) = \chi(e). \tag{3.3.6}$$
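A quick simulation of the matrix form (3.3.5), with toy parameters and a rounded Gaussian as an illustrative stand-in for the error distribution: with the secret in hand, $b - A's \pmod{q}$ exposes exactly the error vector $e$.

```python
import random

def lwe_instance(n, m, q, s, sigma, rng):
    """Sample A uniform in Z_q^{n x m} and b = A's + e (mod q), as in (3.3.5).
    Errors are rounded Gaussians of width sigma (illustrative stand-in)."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    e = [round(rng.gauss(0, sigma)) % q for _ in range(m)]
    b = [(sum(A[i][j] * s[i] for i in range(n)) + e[j]) % q for j in range(m)]
    return A, b, e

rng = random.Random(2)
n, m, q = 8, 16, 257
s = [rng.randrange(q) for _ in range(n)]
A, b, e = lwe_instance(n, m, q, s, 2.0, rng)
# knowing s reveals the error: b - A's = e (mod q)
recovered = [(b[j] - sum(A[i][j] * s[i] for i in range(n))) % q for j in range(m)]
assert recovered == e
```

Without $s$, the pair $(A, b)$ is exactly an LWE$\_{n,q,\chi,m}$ instance.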

Let $\Lambda\_q(A)$ and $\Lambda\_q^{\perp}(A)$ be the $q$-ary integral lattices (see Sect. 7.3 of Chap. 7 in Zheng (2022)) defined by

$$\begin{cases} \Lambda\_q(A) = \{A'x \mid x \in \mathbb{Z}\_q^n\} + q\mathbb{Z}^m \\ \Lambda\_q^\perp(A) = \{x \in \mathbb{Z}^m \mid Ax \equiv 0 \pmod{q}\} \end{cases} \tag{3.3.7}$$

Since $\Lambda\_q(A) = q(\Lambda\_q^{\perp}(A))^\*$ and $A's \in \Lambda\_q(A)$, the geometric meaning of LWE$\_{n,q,\chi,m}$ is: for any $b \in \mathbb{Z}\_q^m$, find a lattice vector $A's$ near $b$ such that the distance $b - A's$ has the distribution $\chi^m$; this is dual to the SIS problem.

**Lemma 3.3.1** *Suppose $A \in \mathbb{Z}\_q^{n \times m}$ is a uniformly distributed random matrix, $A = [A\_1, A\_2]$, where $A\_1 \in \mathbb{Z}\_q^{n \times n}$ is an invertible matrix. Let $\overline{A} = A\_1^{-1} A = [I\_n, A\_1^{-1} A\_2]$; then $A\_{s,\chi}$ and $\overline{A}\_{s,\chi}$ have the same probability distribution.*

*Proof* From Lemma 2.1.1 in Chap. 2, if $A$ is uniformly distributed, then $\overline{A}$ is also a uniform random matrix. Assume $b = \binom{b\_1}{b\_2}$, $e = \binom{e\_1}{e\_2}$, and $s \in \mathbb{Z}\_q^n$ satisfy

$$b \equiv\_{\chi} A's + e \pmod{q},$$

that is,

$$\begin{cases} b\_1 \equiv\_\chi A\_1^\prime s + e\_1 \pmod{q} \\ b\_2 \equiv\_\chi A\_2^\prime s + e\_2 \pmod{q} \end{cases} .$$

Let $A\_1^\* = (A\_1')^{-1}$, and

$$
\overline{b} = \begin{pmatrix} A\_1^\* b\_1 \\ A\_1^\* b\_2 \end{pmatrix}, \ \overline{e} = \begin{pmatrix} A\_1^\* e\_1 \\ A\_1^\* e\_2 \end{pmatrix}.
$$

Obviously, $\overline{b}$ and $b$ have the same probability distribution, and so do $\overline{e}$ and $e$. Then

$$\begin{aligned} \overline{b} &\equiv\_{\chi} A\_1^\* \binom{b\_1}{b\_2} \pmod{q} \equiv\_{\chi} A\_1^\*(A's + e) \pmod{q} \\ &\equiv\_{\chi} A\_1^\* A's + A\_1^\* e \pmod{q} \equiv\_{\chi} \overline{A}'s + \overline{e} \pmod{q}. \end{aligned}$$

The lemma holds.

The above $\overline{A} = [I\_n, A\_1^{-1} A\_2]$ is called the normal form of the LWE problem.

**Lemma 3.3.2** *Let $x, y, z$ be three random variables on $\mathbb{Z}\_q$ such that $x$ and $y$ are independent and $z \equiv x + y \pmod{q}$. If $x$ is uniformly distributed on $\mathbb{Z}\_q$, so is $z$.*

*Proof* For any integer $0 \leqslant i \leqslant q - 1$, we compute the probability that $z$ takes the value $i$:

$$\begin{split} \Pr\{z=i\} &= \sum\_{j=0}^{q-1} \Pr\{\mathbf{x}=j, \mathbf{y}=i-j\} \\ &= \sum\_{j=0}^{q-1} \Pr\{\mathbf{x}=j\} \Pr\{\mathbf{y}=i-j\} \\ &= \frac{1}{q} \sum\_{j=0}^{q-1} \Pr\{\mathbf{y}=i-j\} = \frac{1}{q} .\end{split}$$
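The convolution computed in this proof can be replayed exactly with rational arithmetic: convolving the uniform distribution on $\mathbb{Z}\_q$ with an arbitrary distribution returns the uniform distribution. A minimal check (the second distribution is an arbitrary illustrative choice):

```python
from fractions import Fraction

q = 5
uniform = [Fraction(1, q)] * q
# an arbitrary distribution y on Z_q (its entries sum to 1)
y = [Fraction(1, 2), Fraction(1, 4), Fraction(1, 8),
     Fraction(1, 16), Fraction(1, 16)]
# distribution of z = x + y mod q: exactly the sum in the proof of Lemma 3.3.2
z = [sum(uniform[j] * y[(i - j) % q] for j in range(q)) for i in range(q)]
assert z == uniform
```

Using `Fraction` makes the identity exact rather than approximate, matching the algebraic proof.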

**Lemma 3.3.3** *In the LWE distribution $A\_{s,\chi} = (a, b)$, $b$ is uniformly distributed if and only if $b - < a, s >$ is uniformly distributed.*

*Proof* If $b - < a, s >$ is uniformly distributed, then from $b = (b - < a, s >) + < a, s >$ and Lemma 3.3.2, $b$ is uniform. Conversely, if $b$ is uniform, then from $b - < a, s > = b + (- < a, s >)$ and Lemma 3.3.2 again, $b - < a, s >$ is also uniformly distributed.

According to Definition 3.3.1, the above lemma gives an equivalent condition that *As*,χ is a uniform LWE distribution. An equivalent form of the LWE problem is the decision LWE problem, which we call the D-LWE problem.

**Definition 3.3.4** (D-LWE problem) Given $a \in \mathbb{Z}\_q^n$ uniformly distributed, $s \in \mathbb{Z}\_q^n$, and $e \in \mathbb{Z}\_q$ with distribution $\chi$, decide whether $< a, s > + e$ is uniform, under positive probability over $s$.

The D-LWE problem seems easy; however, its difficulty is equivalent to that of the LWE problem. We will prove this equivalence in detail in Sect. 3.4. Here we focus on the probability distribution $\chi$ of the LWE problem. Usually, $\chi$ is taken to be the discrete Gauss distribution on $\mathbb{Z}\_q$. In Chap. 1, we discussed in detail the discretization on a lattice of a continuous random variable with Gauss distribution in $\mathbb{R}^n$. The discrete Gauss distribution on $\mathbb{Z}\_q$ is the discretization of the Gauss distribution to $\mathbb{Z}\_q$.

Recall the definition of the Gauss function $\rho\_s(x)$ in Chap. 1 (see (3.2.1)):

$$\rho\_s(\mathbf{x}) = e^{-\frac{\pi}{s^2}|\mathbf{x}|^2}, \ \mathbf{x} \in \mathbb{R}^n. \tag{3.3.8}$$

If $n = 1$, $\frac{1}{s}\rho\_s(x)$ is the density function of a continuous random variable on $\mathbb{R}$. Reducing this random variable mod 1 gives a continuous random variable on $\mathbb{T} \equiv [0, 1) \pmod{1}$, an interval of length 1, with density function


$$\psi\_{\beta}(\mathbf{x}) = \sum\_{k=-\infty}^{+\infty} \frac{1}{\beta} e^{-\frac{\pi}{\beta^2}(x-k)^2}, \ x \in \mathbb{T}. \tag{3.3.9}$$

It is easy to see that

$$\int\_{\mathbb{T}} \psi\_{\beta}(x) \mathrm{d}x = \int\_{0}^{1} \psi\_{\beta}(x) \mathrm{d}x = \int\_{\mathbb{R}} \frac{1}{\beta} \rho\_{\beta}(x) \mathrm{d}x = 1.$$

In order to estimate the statistical distance between random variables defined by different β, we first prove the following two lemmas.

**Lemma 3.3.4** *Let $t$ and $l$ be positive real numbers, and $x, y \in \mathbb{R}^n$ satisfy*

$$|x| \leqslant t, \text{ and } |x - y| \leqslant l.$$

*Then*

$$
\rho\_s(\mathbf{y}) \geqslant \left(1 - \frac{\pi}{s^2}(2tl + l^2)\right) \rho\_s(\mathbf{x}).\tag{3.3.10}
$$

*Proof* For any $z \in \mathbb{R}$, we have

$$e^{-z} \geqslant 1 - z, \ z \in \mathbb{R}.$$

Therefore,

$$\begin{aligned} \rho\_s(\mathbf{y}) &= e^{-\frac{\pi}{s^2}|\mathbf{y}|^2} \geqslant e^{-\frac{\pi}{s^2}(|\mathbf{x}| + |\mathbf{y} - \mathbf{x}|)^2} \\ &\geqslant e^{-\frac{\pi}{s^2}(|\mathbf{x}|^2 + 2l|\mathbf{x}| + l^2)} \\ &\geqslant e^{-\frac{\pi}{s^2}(|\mathbf{x}|^2 + 2tl + l^2)} \\ &\geqslant \left(1 - \frac{\pi}{s^2}(2tl + l^2)\right)\rho\_s(\mathbf{x}). \end{aligned}$$

**Lemma 3.3.5** *Let $0 < \alpha < \beta \leqslant 2\alpha$; then the statistical distance between $\psi\_\alpha$ and $\psi\_\beta$ satisfies*

$$
\Delta(\psi\_{\alpha}, \psi\_{\beta}) \leqslant \frac{9}{2}\left(\frac{\beta}{\alpha} - 1\right). \tag{3.3.11}
$$

*Proof* Based on

$$\int\_0^1 \psi\_\beta(x) dx = 1,$$

it follows that

$$\begin{split} &\int\_{0}^{1} |\psi\_{\beta}(x) - \psi\_{\alpha}(x)| \mathrm{d}x \\ &= \int\_{0}^{1} \left| \sum\_{k=-\infty}^{+\infty} \left( \frac{1}{\beta} e^{-\frac{\pi}{\beta^2}|k-x|^2} - \frac{1}{\alpha} e^{-\frac{\pi}{\alpha^2}|k-x|^2} \right) \right| \mathrm{d}x \\ &\leqslant \sum\_{k=-\infty}^{+\infty} \int\_{0}^{1} \left| \frac{1}{\beta} e^{-\frac{\pi}{\beta^2}|x-k|^2} - \frac{1}{\alpha} e^{-\frac{\pi}{\alpha^2}|x-k|^2} \right| \mathrm{d}x \\ &= \int\_{-\infty}^{+\infty} \left| \frac{1}{\beta} e^{-\frac{\pi}{\beta^2}|x|^2} - \frac{1}{\alpha} e^{-\frac{\pi}{\alpha^2}|x|^2} \right| \mathrm{d}x. \end{split}$$

Let *x* = α*y*, we get

$$\int\_0^1 |\psi\_\beta(x) - \psi\_\alpha(x)| \mathrm{d}x \leqslant \int\_{-\infty}^{+\infty} \left| \frac{1}{\beta/\alpha} e^{-\frac{\pi}{(\beta/\alpha)^2}|y|^2} - e^{-\pi|y|^2} \right| \mathrm{d}y. \tag{3.3.12}$$

Without loss of generality, assume $\alpha = 1$ and $\beta = 1 + \varepsilon$, where $0 < \varepsilon \leqslant 1$; we estimate the right-hand side of (3.3.12):

$$\begin{split} &\int\_{\mathbb{R}} \left| e^{-\pi |x|^{2}} - \frac{1}{1+\varepsilon} e^{-\frac{\pi}{(1+\varepsilon)^{2}} |x|^{2}} \right| \mathrm{d}x \\ &\leqslant \int\_{\mathbb{R}} \left| e^{-\pi |x|^{2}} - e^{-\frac{\pi}{(1+\varepsilon)^{2}} |x|^{2}} \right| \mathrm{d}x + \int\_{\mathbb{R}} (1 - \frac{1}{1+\varepsilon}) e^{-\frac{\pi}{(1+\varepsilon)^{2}} |x|^{2}} \mathrm{d}x \\ &= \int\_{\mathbb{R}} \left| e^{-\pi |x|^{2}} - e^{-\frac{\pi}{(1+\varepsilon)^{2}} |x|^{2}} \right| \mathrm{d}x + \varepsilon \\ &= \int\_{\mathbb{R}} \left| 1 - e^{-\pi (1 - \frac{1}{(1+\varepsilon)^{2}}) \mathbf{x}^{2}} \right| \cdot e^{-\frac{\pi}{(1+\varepsilon)^{2}} \mathbf{x}^{2}} \mathrm{d}x + \varepsilon. \end{split}$$

For any $z \geqslant 0$, we have

$$1 - z \leqslant e^{-z} \leqslant 1 \Rightarrow 0 \leqslant 1 - e^{-z} \leqslant z,$$

and

$$\left| e^{-\pi (1 - \frac{1}{(1+\varepsilon)^2}) x^2} - 1 \right| \leqslant \pi \left(1 - \frac{1}{(1+\varepsilon)^2}\right) x^2 = \frac{\pi}{(1+\varepsilon)^2} (2\varepsilon + \varepsilon^2) x^2 \leqslant 2\pi \varepsilon x^2.$$

Finally,

$$\int\_0^1 |\psi\_\alpha(x) - \psi\_\beta(x)| \mathrm{d}x \leqslant 2\pi\varepsilon \int\_{\mathbb{R}} x^2 e^{-\frac{\pi}{(1+\varepsilon)^2} x^2} \mathrm{d}x + \varepsilon = \varepsilon + \varepsilon(1+\varepsilon)^3 \leqslant 9\varepsilon.$$

Since $\varepsilon = \frac{\beta}{\alpha} - 1$, based on (3.3.12),

$$
\Delta(\psi\_{\alpha}, \psi\_{\beta}) = \frac{1}{2} \int\_0^1 |\psi\_{\alpha}(\mathbf{x}) - \psi\_{\beta}(\mathbf{x})| \mathrm{d}x \leqslant \frac{9}{2} (\frac{\beta}{\alpha} - 1).
$$

We complete the proof of this lemma.
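The bound (3.3.11) can be sanity-checked numerically by integrating the wrapped densities (3.3.9) directly. In the sketch below, the truncation level $K$, the grid size $N$, and the pair $(\alpha, \beta)$ are our own illustrative choices:

```python
import math

def psi(beta, x, K=20):
    """Wrapped Gauss density (3.3.9) on [0, 1), sum truncated to |k| <= K."""
    return sum(math.exp(-math.pi * (x - k) ** 2 / beta ** 2) / beta
               for k in range(-K, K + 1))

def stat_dist(alpha, beta, N=2000):
    """Midpoint rule for (1/2) * integral_0^1 |psi_alpha - psi_beta| dx."""
    h = 1.0 / N
    return 0.5 * h * sum(abs(psi(alpha, (i + 0.5) * h) - psi(beta, (i + 0.5) * h))
                         for i in range(N))

alpha, beta = 0.5, 0.55
d = stat_dist(alpha, beta)
# Lemma 3.3.5: Delta(psi_alpha, psi_beta) <= (9/2)(beta/alpha - 1) = 0.45
assert d <= 4.5 * (beta / alpha - 1)
```

The computed distance is far below the bound, which is consistent with the lemma being a coarse but convenient estimate.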

In order to obtain the discrete Gauss distribution on Z*<sup>q</sup>* , we construct a discrete processing technique for continuous random variables. Let T be any interval with length 1 on R, denoted as

$$\mathbb{T} \equiv [0, 1) \pmod{1}.$$

If $\varphi(x)$ is the density function of a continuous random variable $\varphi$ on $\mathbb{T}$, we define a discrete random variable $\overline{\varphi}$ on $\mathbb{Z}\_q$ by

$$\overline{\varphi} = \lfloor q\varphi \rceil,\tag{3.3.13}$$

that is, if $\varphi$ takes a value $x \in \mathbb{T}$, then $\overline{\varphi}$ takes the value $\lfloor qx \rceil \bmod q$, where $\lfloor qx \rceil$ is the closest integer to $qx$. When $x$ runs over $[0, 1)$, $\lfloor qx \rceil$ obviously runs over $\mathbb{Z}\_q$, so $\overline{\varphi}$ defined in (3.3.13) is indeed a discrete random variable on $\mathbb{Z}\_q$. We call $\overline{\varphi}$ the discretization of $\varphi$.

**Lemma 3.3.6** *If $\varphi$ is a continuous random variable on $\mathbb{T}$ with density function $\varphi(x)$, then $\overline{\varphi}$ is a discrete random variable on $\mathbb{Z}\_q$, and its probability distribution $\overline{\varphi}(k)$ is*

$$\Pr\{\overline{\varphi} = k\} = \overline{\varphi}(k) = \int\_{(k-\frac{1}{2})/q}^{(k+\frac{1}{2})/q} \varphi(\mathbf{x})d\mathbf{x}, \ k \in \mathbb{Z}\_q.$$

*Proof*

$$\begin{split} \Pr\{\overline{\varphi} = k\} &= \Pr\{\lfloor q\varphi \rceil = k\} = \Pr\left\{ k - \frac{1}{2} \leqslant q\varphi < k + \frac{1}{2} \right\} \\ &= \Pr\left\{ \left(k - \frac{1}{2}\right)/q \leqslant \varphi < \left(k + \frac{1}{2}\right)/q \right\} = \int\_{(k-\frac{1}{2})/q}^{(k+\frac{1}{2})/q} \varphi(x) \mathrm{d}x. \end{split}$$

**Definition 3.3.5** The discrete Gauss distribution $\overline{\psi}\_{\beta}$ on $\mathbb{Z}\_q$ is defined by

$$\overline{\psi}\_{\beta}(k) = \int\_{(k-\frac{1}{2})/q}^{(k+\frac{1}{2})/q} \psi\_{\beta}(\mathbf{x})d\mathbf{x},\tag{3.3.14}$$

where $\psi\_{\beta}(x)$ is the continuous Gauss distribution on $\mathbb{T}$ in (3.3.9), and $\beta$ is called the parameter of the discrete Gauss distribution.
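Definition 3.3.5 can be computed directly: integrate $\psi\_{\beta}$ over each interval $[(k-\frac{1}{2})/q, (k+\frac{1}{2})/q)$ numerically, as in (3.3.14), and check that the resulting probabilities sum to 1 and concentrate near $0$. A sketch with illustrative parameters:

```python
import math

def psi(beta, x, K=20):
    """Wrapped Gauss density (3.3.9); the full sum over k makes it periodic mod 1."""
    return sum(math.exp(-math.pi * (x - k) ** 2 / beta ** 2) / beta
               for k in range(-K, K + 1))

def psi_bar(beta, q, k, N=400):
    """Discrete Gauss probability (3.3.14) by midpoint-rule integration."""
    lo = (k - 0.5) / q
    h = 1.0 / (q * N)
    return h * sum(psi(beta, lo + (i + 0.5) * h) for i in range(N))

q, beta = 17, 0.2
probs = [psi_bar(beta, q, k) for k in range(q)]
assert abs(sum(probs) - 1.0) < 1e-4      # a probability distribution on Z_q
assert probs[0] == max(probs)            # mass concentrates around k = 0
```

By periodicity the mass near $k = q - 1$ mirrors that near $k = 1$, i.e. the distribution is symmetric around $0$ on $\mathbb{Z}\_q$.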

In the LWE problem, we usually suppose $\chi = \overline{\psi}\_{\beta}$ is a discrete Gauss distribution. The main result of this chapter is the following theorem.

**Theorem 3.3.1** *Let $m = \text{Poly}(n)$, $q \leqslant 2^{\text{Poly}(n)}$, and $\chi = \overline{\psi}\_{\alpha}$ be the discrete Gauss distribution with parameter $\alpha$, where $0 < \alpha < 1$ and $\alpha q \geqslant 2\sqrt{n}$. Then solving the D-LWE$\_{n,q,\chi,m}$ problem is at least as hard as solving the GapSVP$\_{\gamma}$ or SIVP$\_{\gamma}$ problem on any $n$-dimensional full-rank lattice $L$ by a quantum algorithm, where $\gamma = \tilde{O}(\frac{n}{\alpha})$.*

*The proof of Theorem 3.3.1 will be given in the next section. Here we only introduce the idea of this proof. The proof of Theorem 3.3.1 is mainly divided into the following two steps:*


#### **3.4 Proof of the Main Theorem**

In this section, we prove that the difficulty of solving the D-LWE problem is not lower than that of the hard problems on lattices; that is, if there is a quantum algorithm for solving the D-LWE problem, then there exists a quantum algorithm to solve the hard problems on lattices. The whole proof is divided into three parts. To better understand them, we first introduce the definition of the DGS problem.

**Fig. 3.1** The flowchart of the proof of Theorem 3.3.1

**Definition 3.4.1** DGS$\_{\varphi}$: given an $n$-dimensional lattice $L$ with generator matrix $B$ and a real number $r > \varphi(B)$, where $\varphi$ is a real function of $B$, output a sample from the discrete Gauss distribution $D\_{L,r}$.

The DGS problem is also called the discrete Gauss sampling problem. We will see after this proof that the difficulty of the DGS problem is polynomially equivalent to that of the hard problems on lattices. Next we introduce the idea of proving that the D-LWE problem is at least as difficult as the hard problems on lattices. The proof is divided into three parts, given in Sects. 3.4.1, 3.4.2 and 3.4.3. In Sect. 3.4.1, we prove that if there is a quantum algorithm to solve the LWE problem, then there is also a quantum algorithm to solve the DGS$\_{\sqrt{2n}\eta\_{\varepsilon}(L)/\alpha}$ problem. In Sect. 3.4.2, we give a reduction algorithm from the GIVP$\_{2\sqrt{n}\varphi}$ problem to the DGS$\_{\varphi}$ problem, completing the proof that the LWE problem is not less difficult than the hard problems on lattices. In Sect. 3.4.3, we further prove that the D-LWE problem D-LWE$\_{n,q,\chi,m}$ can be reduced to the LWE$\_{n,q,\chi,m}$ problem and complete the proof of Theorem 3.3.1. The flowchart of the whole proof is shown in Fig. 3.1.

#### *3.4.1 From LWE to DGS*

In this subsection, we solve the DGS$\_{\sqrt{2n}\eta\_{\varepsilon}(L)/\alpha}$ problem by means of an algorithm for the LWE$\_{n,q,\psi\_{\alpha},m}$ problem. The main conclusion is Lemma 3.4.1, whose proof depends on Lemmas 3.4.2 and 3.4.3. We give these three lemmas first.

**Lemma 3.4.1** *Let $m = \text{Poly}(n)$, $\varepsilon = \varepsilon(n)$ be a negligible function of $n$, $q = q(n)$ be a positive integer, $\alpha = \alpha(n) \in (0, 1)$, $\alpha q \geqslant 2\sqrt{n}$, and $\chi = \psi\_{\alpha}$. Assume that we have an algorithm $W$ that solves the LWE$\_{n,q,\psi\_{\alpha},m}$ problem given a polynomial number of samples; then there exists an efficient quantum algorithm for the DGS$\_{\sqrt{2n}\eta\_{\varepsilon}(L)/\alpha}$ problem.*

**Lemma 3.4.2** *For any $n$ dimensional lattice $L$ and a real number $r > 2^{2n}\lambda_n(L)$, there exists an efficient algorithm that outputs a sample from a distribution within statistical distance $2^{-\Omega(n)}$ of the discrete Gauss distribution $D_{L,r}$, i.e. exponentially small in $n$.*

**Lemma 3.4.3** *Let $m = \mathrm{Poly}(n)$, $\varepsilon = \varepsilon(n)$ be a negligible function of $n$, $q = q(n) \geqslant 2$ be a positive integer, $\alpha = \alpha(n) \in (0, 1)$. Assume that we have an algorithm $W$ that solves the $\mathrm{LWE}_{n,q,\psi_\alpha,m}$ problem given a polynomial number of samples. Then there exist a constant $c > 0$ and an efficient quantum algorithm that, given any $n$ dimensional lattice $L$, a real number $r > \sqrt{2}q\eta_\varepsilon(L)$ and $n^c$ samples from $D_{L,r}$, outputs a sample from $D_{L,r\sqrt{n}/(\alpha q)}$.*

**Proof of Lemma 3.4.1** Given an $n$ dimensional lattice $L$ and a real number $r > \sqrt{2n}\eta_\varepsilon(L)/\alpha$, our goal is to output a sample from the discrete Gauss distribution $D_{L,r}$. The idea of this proof is to use iteration steps. Let

$$r\_i = r(\alpha q / \sqrt{n})^i, \quad i = 1, 2, \dots, 3n.$$

Based on Lemma 1.3.6 in Chap. 1,

$$r\_{3n} > 2^{3n}r > 2^{3n} \sqrt{2n} \eta\_{\varepsilon}(L)/\alpha \\ \geqslant 2^{3n} \sqrt{2n} \sqrt{\frac{\ln 1/\varepsilon}{\pi}} \frac{\lambda\_n(L)}{n} \\ > 2^{2n} \lambda\_n(L).$$

By Lemma 3.4.2, we can produce samples from the discrete Gauss distribution $D_{L,r_{3n}}$. Let $c$ be the constant from Lemma 3.4.3 and draw $n^c$ samples from $D_{L,r_{3n}}$. According to Lemma 3.4.3, we obtain samples from the distribution $D_{L,r_{3n}\sqrt{n}/(\alpha q)}$, i.e. $D_{L,r_{3n-1}}$. Repeating this process, since

$$r_1 = r\alpha q/\sqrt{n} > \sqrt{2n}\,\eta_\varepsilon(L)/\alpha \cdot \alpha q/\sqrt{n} = \sqrt{2}\,q\eta_\varepsilon(L),$$

which satisfies the condition of Lemma 3.4.3 at every step, we can finally output a sample from $D_{L,r_1\sqrt{n}/(\alpha q)} = D_{L,r}$. The lemma holds. $\square$
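The radius bookkeeping of this iteration can be sketched numerically. The helper below is illustrative only: it models the schedule $r_i = r(\alpha q/\sqrt{n})^i$ of the proof, not the quantum step of Lemma 3.4.3 that walks down the schedule.

```python
import math

def radius_schedule(r, alpha, q, n):
    """Radii r_i = r * (alpha*q/sqrt(n))**i for i = 3n, ..., 1, 0.

    The proof starts at the huge radius r_{3n} (where Lemma 3.4.2
    applies) and each application of Lemma 3.4.3 divides the current
    radius by alpha*q/sqrt(n) >= 2 until the target radius r is reached."""
    factor = alpha * q / math.sqrt(n)
    assert factor >= 2, "the proof needs alpha*q >= 2*sqrt(n)"
    return [r * factor ** i for i in range(3 * n, -1, -1)]

sched = radius_schedule(r=1.5, alpha=0.5, q=64, n=16)
# r_{3n} is astronomically large, the schedule is strictly decreasing,
# and the final radius is exactly the target r.
assert all(a > b for a, b in zip(sched, sched[1:]))
assert abs(sched[-1] - 1.5) < 1e-9
```

The schedule has $3n + 1$ entries; the quantum reduction is invoked once per adjacent pair.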

**Proof of Lemma 3.4.2** By the LLL algorithm (Lenstra et al. (1982)), we can choose a generating matrix $B = [b_1, b_2, \ldots, b_n]$ of $L$ satisfying $|b_i| \leqslant 2^n\lambda_n(L)$, $1 \leqslant i \leqslant n$. Let $F(B)$ be the basic neighborhood of the lattice $L$. The algorithm of Lemma 3.4.2 proceeds as follows. First we generate a sample $y$ from the continuous Gauss distribution $D_r$, where

$$D\_r(\mathbf{x}) = \frac{\rho\_r(\mathbf{x})}{r^n}, \ \forall \mathbf{x} \in \mathbb{R}^n.$$

We set $y' = y \bmod L \in F(B)$ and $x = y - y' \in L$. Denote the distribution of $x$ by $\xi$; next we prove that the statistical distance between $\xi$ and $D_{L,r}$ is exponentially small. Note that

$$|y'| \leqslant \mathrm{diam}(F(B)) \leqslant \sum_{i=1}^n |b_i| \leqslant n2^n\lambda_n(L),$$

where

$$\mathrm{diam}(F(B)) = \max\{|u - v| \mid u, v \in F(B)\}.$$

Based on Lemma 1.3.4 in Chap. 1,

$$
\rho(L \backslash \sqrt{n}\,r\,N) < (r\sqrt{2\pi e}\,e^{-\pi r^2})^n \rho(L),
$$

here $N$ is the unit ball. This means $\rho(L\backslash\sqrt{n}rN)$ is exponentially small, so we may always assume $|x| \leqslant \sqrt{n}r$. By Lemma 3.3.4, taking $t = \sqrt{n}r$ and $l = n2^n\lambda_n(L)$, a simple calculation gives

$$\begin{aligned} \Pr\{\xi = \mathbf{x}\} &= \int\_{\mathbf{x} + F(\mathcal{B})} D\_r(\mathbf{y}) d\mathbf{y} \geqslant \int\_{\mathbf{x} + F(\mathcal{B})} (1 - 2^{-\Omega(n)}) D\_r(\mathbf{x}) d\mathbf{y} \\ &= (1 - 2^{-\Omega(n)}) D\_r(\mathbf{x}) \det(L). \end{aligned}$$

On the other hand, from Lemma 1.3.2 in Chap. 1,

$$\Pr\{D_{L,r} = x\} = \frac{\rho_r(x)}{\rho_r(L)} = \frac{\rho_r(x)}{\det(L^*)r^n\rho_{1/r}(L^*)} \leqslant \frac{\rho_r(x)}{\det(L^*)r^n} = D_r(x)\det(L).$$

So we have

$$\Pr\{\xi = x\} \geqslant (1 - 2^{-\Omega(n)}) \Pr\{D\_{L,r} = x\}.$$

Summing over $x \in L$ on both sides, we conclude that the statistical distance between $\xi$ and $D_{L,r}$ is exponentially small. The lemma holds. $\square$
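For the integer lattice $L = \mathbb{Z}^n$ (with $B$ the identity, so $F(B) = [0,1)^n$), the algorithm of this proof is only a few lines. The sketch below replaces the general fundamental-domain reduction by a coordinate-wise fractional part; the function name is ours.

```python
import math
import random

def sample_DZn_approx(n, r, rng):
    """Lemma 3.4.2 specialized to L = Z^n: draw y from the continuous
    Gauss density D_r (std r/sqrt(2*pi) per coordinate), reduce mod the
    lattice to get y' in [0,1)^n, and output x = y - y' in Z^n."""
    y = [rng.gauss(0.0, r / math.sqrt(2 * math.pi)) for _ in range(n)]
    y_prime = [t % 1.0 for t in y]                   # y mod Z^n, in F(B)
    x = [round(a - b) for a, b in zip(y, y_prime)]   # a lattice point
    return x

rng = random.Random(7)
x = sample_DZn_approx(4, r=3.0, rng=rng)
assert all(isinstance(c, int) for c in x)   # output lies in Z^4
```

The proof shows the output distribution is within exponentially small statistical distance of $D_{\mathbb{Z}^n,r}$ once $r$ dominates $\lambda_n$; this sketch does not verify that closeness.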

**Definition 3.4.2** (1) $\mathrm{CVP}_{L,d}$: given an $n$ dimensional lattice $L$, a target vector $t \in \mathbb{R}^n$ and a real number $d$ with $\mathrm{dist}(t, L) \leqslant d$, find $u \in L$ such that

$$|u - t| = \min_{x \in L} |x - t|.$$

(2) $\mathrm{CVP}^{(q)}_{L,d}$: given an $n$ dimensional lattice $L$ with generating matrix $B$, a target vector $t \in \mathbb{R}^n$ and a real number $d$ with $\mathrm{dist}(t, L) \leqslant d$, denote $K_L(t) = \{u \in L \mid |u - t| = \min_{x \in L}|x - t|\}$, i.e. $K_L(t)$ is the closest vector to $t$ in the lattice $L$; output $B^{-1}K_L(t) \bmod q \in \mathbb{Z}_q^n$.

The CVP problem is also called the closest vector problem. In order to prove Lemma 3.4.3, we need the following two lemmas, Lemmas 3.4.4 and 3.4.14. In Lemma 3.4.4, we use samples of $D_{L,r}$ to solve the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem, and Lemma 3.4.14 shows that we can generate a sample of $D_{L,r\sqrt{n}/(\alpha q)}$ from an algorithm solving the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem, which completes the proof of Lemma 3.4.3. The following content is divided into two parts. In the first part, we use Lemmas 3.4.5 to 3.4.11 to prove Lemma 3.4.4, i.e. to solve the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem from samples of $D_{L,r}$. In the second part, we prove Lemma 3.4.14 according to Lemmas 3.4.12 and 3.4.13, and achieve the transition from solving $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ to sampling $D_{L,r\sqrt{n}/(\alpha q)}$.

**Lemma 3.4.4** *Let $m = \mathrm{Poly}(n)$, $\varepsilon = \varepsilon(n)$ be a negligible function of $n$, $q = q(n) \geqslant 2$ be a positive integer, $\alpha = \alpha(n) \in (0, 1)$. Assume that we have an algorithm $W$ that solves $\mathrm{LWE}_{n,q,\psi_\alpha,m}$ given a polynomial number of samples. Then there exist a constant $c > 0$ and an efficient algorithm that, given any $n$ dimensional lattice $L$, a real number $r > \sqrt{2}q\eta_\varepsilon(L)$, and $n^c$ samples from $D_{L,r}$, solves the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem.*

*Proof* This lemma is proved directly by the following Lemmas 3.4.5 to 3.4.11.

Lemma 3.4.5 shows the relationship in difficulty between the CVP and $\mathrm{CVP}^{(q)}$ problems.

**Lemma 3.4.5** *Given an $n$ dimensional lattice $L$, a real number $d < \lambda_1(L)/2$, and a positive integer $q \geqslant 2$, there exists an efficient algorithm that solves the $\mathrm{CVP}_{L,d}$ problem based on an algorithm for $\mathrm{CVP}^{(q)}_{L,d}$.*

*Proof* Let $x \in \mathbb{R}^n$ with $\mathrm{dist}(x, L) \leqslant d$ be the target vector, and define sequences $\{x_i\}$ and $\{a_i\}$ as follows: $x_1 = x$,

$$a_i = B^{-1}K_L(x_i) \in \mathbb{Z}^n, \quad i \geqslant 1,$$

which is the coefficient vector of the closest vector to $x_i$ in the lattice $L$, and

$$
x_{i+1} = (x_i - B(a_i \bmod q))/q, \quad i \geqslant 1;
$$

it is easy to prove that

$$a_{i+1} = (a_i - (a_i \bmod q))/q, \quad i \geqslant 1,$$

and

$$|x_{i+1} - Ba_{i+1}| \leqslant \frac{d}{q^i}.$$

That is, the distance from $x_{n+1}$ to the lattice $L$ is no more than $\frac{d}{q^n}$, which becomes arbitrarily small as $n$ grows. Based on the nearest plane algorithm of Babai (1985), we can find $y \in L$ such that $y$ is the closest vector to $x_{n+1}$ in the lattice $L$. Let $y = Ba$; then $a_{n+1} = a$. Combining this with

$$a\_{i+1} = (a\_i - (a\_i \bmod q))/q,$$

and the values $a_i \bmod q$ supplied by the $\mathrm{CVP}^{(q)}_{L,d}$ oracle, we recover $a_n, a_{n-1}, \ldots, a_1$ from $a_i = qa_{i+1} + (a_i \bmod q)$, and complete the process of solving the $\mathrm{CVP}_{L,d}$ problem. The lemma holds. $\square$
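For $L = \mathbb{Z}^n$ ($B$ the identity) the recursion above is ordinary base-$q$ digit extraction: the oracle's answers $a_i \bmod q$ are the base-$q$ digits of the coefficient vector. A sketch with a simulated $\mathrm{CVP}^{(q)}$ oracle (here just rounding, which is valid for $\mathbb{Z}^n$ whenever $\mathrm{dist}(x, \mathbb{Z}^n) < 1/2$); the function names are ours:

```python
def solve_cvp_from_cvp_q(x, q, steps):
    """Lemma 3.4.5 for L = Z^n: recover the closest lattice vector to x
    using only an oracle for a_i mod q plus one final easy instance."""
    def oracle_mod_q(t):          # simulated CVP^(q): round, reduce mod q
        return [round(c) % q for c in t]

    xs, digits = [list(x)], []
    for _ in range(steps):
        d = oracle_mod_q(xs[-1])  # a_i mod q, one base-q digit
        digits.append(d)
        xs.append([(c - di) / q for c, di in zip(xs[-1], d)])
    # dist(xs[-1], Z^n) <= dist(x, Z^n)/q**steps: solve it by rounding
    a = [round(c) for c in xs[-1]]
    # unwind a_i = q*a_{i+1} + (a_i mod q)
    for d in reversed(digits):
        a = [q * ai + di for ai, di in zip(a, d)]
    return a

assert solve_cvp_from_cvp_q([10.3, -7.6, 123.4], q=5, steps=4) == [10, -8, 123]
```

In the general lemma the final instance is handled by Babai's nearest plane algorithm rather than rounding; everything else is the same digit bookkeeping.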

We introduced the LWE distribution $A_{s,\chi}$ in Definition 3.3.2, where $\chi$ is a distribution on $\mathbb{Z}_q$. If the value space of $\chi$ is changed to $\mathbb{T} = [0, 1)$, we obtain another form of the LWE distribution.

**Definition 3.4.3** Let $s \in \mathbb{Z}_q^n$ and let $e$ be a random variable on $\mathbb{T}$ with density function $\varphi$. The LWE distribution $A_{s,\varphi}$ of pairs $(a, b) \in \mathbb{Z}_q^n \times \mathbb{T}$ generated by $s$ and $\varphi$ satisfies:

(1) $a \in \mathbb{Z}_q^n$ is uniformly distributed.

(2) $b = a \cdot s/q + e \bmod 1$.

The LWE distribution we discuss in the remainder of this section is always $A_{s,\varphi}$.

**Lemma 3.4.6** *Let $q = q(n) \geqslant 1$ be a positive integer. Given $s' \in \mathbb{Z}_q^n$ and samples from $A_{s,\psi_\alpha}$ for some unknown $s \in \mathbb{Z}_q^n$, $\alpha < 1$, there exists an efficient algorithm that determines whether $s' = s$ with probability exponentially close to $1$.*

*Proof* Let $(a, x)$ be a sample from the LWE distribution $A_{s,\psi_\alpha}$, $\mathbb{T} = [0, 1)$, and let $\xi$ be the random variable on $\mathbb{T}$ with density function $p(y)$ given by

$$
\xi = x - a \cdot s' / q = e + a \cdot (s - s') / q. \tag{3.4.1}
$$

The steps of the algorithm are as follows. Generate $n$ samples $y_1, y_2, \ldots, y_n$ of $\xi$ and compute

$$z = \frac{1}{n} \sum\_{i=1}^{n} \cos(2\pi y\_i).$$

If $z > 0.02$, then we conclude $s' = s$; otherwise, we decide $s' \neq s$. Next we prove the correctness of this algorithm.

If $s' = s$, by (3.4.1) we get $\xi = e$ with the distribution $\psi_\alpha$. On the other hand, if $s' \neq s$, then there is $1 \leqslant j \leqslant n$ such that $s_j \neq s'_j$, where $s_j$ and $s'_j$ are the $j$th coordinates of $s$ and $s'$, respectively. Let $g = \gcd(q, s_j - s'_j)$, $k = q/\gcd(q, s_j - s'_j)$, and let $a_j$ be the $j$th coordinate of $a$. It is not hard to see that the distribution of $a_j(s_j - s'_j) \bmod q$ has period $g$, i.e. the distribution of $a_j(s_j - s'_j)/q \bmod 1$ has period $g/q = 1/k$, $k \geqslant 2$. Since $\xi$ is the sum of $a_j(s_j - s'_j)/q \bmod 1$ and an independent random variable, the distribution of $\xi$ also has period $1/k$. Let $\tilde{z}$ be the expectation of $\cos(2\pi\xi)$,

86 3 Learning with Error

$$\tilde{z} = E[\cos(2\pi\xi)] = \int_0^1 \cos(2\pi y)p(y)\,\mathrm{d}y = \mathrm{Re}\int_0^1 e^{2\pi iy}p(y)\,\mathrm{d}y.$$

When $s' = s$, the distribution of $\xi$ is $\psi_\alpha$, and the right-hand side of the above formula evaluates to $\tilde{z} = e^{-\pi\alpha^2}$. When $s' \neq s$, the distribution of $\xi$ is periodic with period $1/k$; noting that the integral of the $1$-periodic function $e^{2\pi iy}p(y)$ is the same over any interval of length $1$, we have

$$\begin{aligned} \int_0^1 e^{2\pi iy}p(y)\,\mathrm{d}y &= \int_{\frac{1}{k}}^{1+\frac{1}{k}} e^{2\pi iy}p(y)\,\mathrm{d}y \\ &= \int_0^1 e^{2\pi i(y+\frac{1}{k})}p(y)\,\mathrm{d}y \\ &= e^{\frac{2\pi i}{k}}\int_0^1 e^{2\pi iy}p(y)\,\mathrm{d}y. \end{aligned}$$

From $k \geqslant 2$ we know $\tilde{z} = 0$. By the Chebyshev inequality,

$$\Pr\{|z-\tilde{z}| \leqslant 0.01\} \geqslant 1 - \frac{\text{Var}[\cos(2\pi\xi)]}{0.01^2 n}.$$

When $n$ is large enough, $|z - \tilde{z}| \leqslant 0.01$ holds with probability close to $1$; since $\cos(2\pi\xi)$ is bounded, a Chernoff–Hoeffding bound in place of the Chebyshev inequality makes this probability exponentially close to $1$. Thus, if $z \geqslant 0.02$ we conclude $s' = s$ with probability exponentially close to $1$. We complete the proof. $\square$
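The distinguisher can be simulated in one dimension. Below, the matched case draws $\xi = e$ from $\psi_\alpha$ directly, and the mismatched case adds a uniform shift of period $1/2$ (the $k = 2$ case of the proof); the parameters and seed are illustrative.

```python
import math
import random

def z_statistic(samples):
    """Test statistic of Lemma 3.4.6: empirical mean of cos(2*pi*y)."""
    return sum(math.cos(2 * math.pi * y) for y in samples) / len(samples)

rng = random.Random(1)
alpha, n = 0.3, 50000

# Case s' = s: xi = e is psi_alpha, so E[cos(2*pi*xi)] = exp(-pi*alpha^2) ~ 0.75.
matched = [rng.gauss(0.0, alpha / math.sqrt(2 * math.pi)) % 1.0 for _ in range(n)]
# Case s' != s: xi picks up an independent shift of period 1/k (k = 2), so E = 0.
mismatched = [(rng.randrange(2) / 2 + y) % 1.0 for y in matched]

assert z_statistic(matched) > 0.02     # accept: z near exp(-pi*alpha^2)
assert z_statistic(mismatched) < 0.02  # reject: z near 0
```

The gap between $e^{-\pi\alpha^2} \geqslant e^{-\pi} \approx 0.043$ and $0$ is what makes the fixed threshold $0.02$ work for every $\alpha < 1$.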

Based on Lemma 3.4.6 and the algorithm for $\mathrm{LWE}_{n,q,\psi_\alpha,m}$, the following Lemma 3.4.7 gives an algorithm that, for any $\beta \leqslant \alpha$ and samples from $A_{s,\psi_\beta}$, recovers $s$ with probability close to $1$.

**Lemma 3.4.7** *Let $q = q(n) \geqslant 2$ be a positive integer, $\alpha = \alpha(n) \in (0, 1)$. Assume that we have an algorithm $W$ that solves $\mathrm{LWE}_{n,q,\psi_\alpha,m}$ with a polynomial number of samples. Then there exists an efficient algorithm $W'$ that recovers $s$ with probability exponentially close to $1$ from samples of $A_{s,\psi_\beta}$, where $\beta \leqslant \alpha$ and $\beta$ is unknown.*

*Proof* Assume the algorithm $W$ needs $n^c$ samples, where $c > 0$ is a constant. Let the set $Z$ be

$$Z = \{\gamma \mid \gamma = \delta n^{-2c}\alpha^2 \in [0, \alpha^2], \ \delta \in \mathbb{Z}\}.$$

The steps of algorithm $W'$ are as follows. For each $\gamma \in Z$, we repeat the following process $n$ times. Each time we take $n^c$ samples from $A_{s,\psi_\beta}$ and add an independent sample from $\psi_{\sqrt{\gamma}}$ to the second component of each, so that we obtain $n^c$ samples from $A_{s,\psi_{\sqrt{\beta^2+\gamma}}}$. We run the algorithm $W$ on these samples to obtain a candidate $s'$ and determine whether $s' = s$ by Lemma 3.4.6. If $s' = s$, we output $s'$ and the algorithm terminates. Next we prove that this algorithm recovers $s$ with probability exponentially close to $1$. Let

$$
\Gamma = \min\{\gamma \in Z \mid \gamma \geqslant \alpha^2 - \beta^2\}.
$$

From the definition of the set $Z$,

$$
\Gamma \leqslant \alpha^2 - \beta^2 + n^{-2c}\alpha^2.
$$

Let $\alpha' = \sqrt{\beta^2 + \Gamma}$; we have

$$
\alpha \leqslant \alpha' \leqslant \sqrt{\alpha^2 + n^{-2c}\alpha^2} \leqslant (1 + n^{-2c})\alpha.
$$

Based on Lemma 3.3.5,

$$
\Delta(\psi_\alpha, \psi_{\alpha'}) \leqslant \frac{9}{2}\left(\frac{\alpha'}{\alpha} - 1\right) \leqslant \frac{9}{2}n^{-2c}.
$$

Therefore, the statistical distance between the $n^c$ samples from $\psi_{\alpha'}$ and $n^c$ samples from $\psi_\alpha$ is no more than $9n^{-c}$, which means that for $\gamma = \Gamma$ the algorithm $W$ recovers $s$ successfully with probability at least $1 - 9n^{-c} \geqslant \frac{1}{2}$. It follows that the probability of failing in all $n$ repetitions is no more than $2^{-n}$. The lemma holds. $\square$
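The only property of the grid $Z$ the proof uses is a covering claim: some $\gamma = \delta n^{-2c}\alpha^2$ lands in $[\alpha^2 - \beta^2,\ \alpha^2 - \beta^2 + n^{-2c}\alpha^2]$, so that $\sqrt{\beta^2+\gamma}$ falls in $[\alpha, (1+n^{-2c})\alpha]$. A quick numeric check of this claim (the helper name is ours; the real algorithm tries every grid point instead of jumping to the right one):

```python
import math

def best_gamma(alpha, beta, n, c):
    """Smallest grid point Gamma = delta*n**(-2c)*alpha**2 that is
    >= alpha**2 - beta**2 (the Gamma of the proof of Lemma 3.4.7)."""
    step = n ** (-2 * c) * alpha ** 2
    delta = math.ceil((alpha ** 2 - beta ** 2) / step)
    return delta * step

alpha, n, c = 0.25, 50, 1
for beta in [0.01, 0.1, 0.2, 0.25]:
    gamma = best_gamma(alpha, beta, n, c)
    eff = math.sqrt(beta ** 2 + gamma)   # noise parameter after inflation
    # eff lies in [alpha, (1 + n**(-2c)) * alpha] up to float rounding
    assert alpha - 1e-9 <= eff <= (1 + n ** (-2 * c)) * alpha + 1e-9
```

Since adding $\psi_{\sqrt{\gamma}}$ noise turns $\psi_\beta$ into $\psi_{\sqrt{\beta^2+\gamma}}$, this is exactly the window in which Lemma 3.3.5 makes the inflated samples statistically close to $\psi_\alpha$.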

To prove our main result, we need two properties about the Gauss function and statistical distance.

**Lemma 3.4.8** *For any $n$ dimensional lattice $L$, $c \in \mathbb{R}^n$, $\varepsilon > 0$, $r \geqslant \eta_\varepsilon(L)$, we have*

$$
\rho\_r(L+c) \in r^n \det(L^\*) (1 \pm \varepsilon). \tag{3.4.2}
$$

*Proof* Based on Lemma 1.3.2 in Chap. 1,

$$\begin{aligned} \rho\_r(L+c) &= \sum\_{x \in L} \rho\_{r, -c}(\mathbf{x}) = \det(L^\*) \sum\_{\mathbf{y} \in L^\*} \hat{\rho}\_{r, -c}(\mathbf{y}) \\ &= r^n \det(L^\*) \sum\_{\mathbf{y} \in L^\*} e^{2\pi i c \cdot \mathbf{y}} \rho\_{1/r}(\mathbf{y}) \\ &= r^n \det(L^\*) (1 + \sum\_{\mathbf{y} \in L^\* \backslash \{0\}} e^{2\pi i c \cdot \mathbf{y}} \rho\_{1/r}(\mathbf{y})). \end{aligned}$$

From $r \geqslant \eta_\varepsilon(L)$, it follows that $\rho_{1/r}(L^*\backslash\{0\}) \leqslant \varepsilon$, and


$$\left|\sum_{y\in L^*\backslash\{0\}} e^{2\pi ic\cdot y}\rho_{1/r}(y)\right| \leqslant \sum_{y\in L^*\backslash\{0\}}\rho_{1/r}(y) \leqslant \varepsilon.$$

We get

$$\rho_r(L+c) = r^n\det(L^*)\left(1 + \sum_{y\in L^*\backslash\{0\}} e^{2\pi ic\cdot y}\rho_{1/r}(y)\right) \in r^n\det(L^*)(1\pm\varepsilon).$$

The proof is complete.

 

**Lemma 3.4.9** *For any $n$ dimensional lattice $L$, $u \in \mathbb{R}^n$, $\varepsilon < \frac{1}{2}$, let $r, s$ be two positive real numbers and $t = \sqrt{r^2 + s^2}$. Assume $rs/t = 1/\sqrt{1/r^2 + 1/s^2} \geqslant \eta_\varepsilon(L)$, and let $\xi$ be the sum of a discrete Gauss distribution $D_{L+u,r}$ and a noise distribution $D_s$. Then*

$$
\Delta(\xi, D_t) \leqslant 2\varepsilon. \tag{3.4.3}
$$

*Proof* Let the density function of ξ be *Y* (*x*), then

$$\begin{split} Y(x) &= \frac{1}{s^n\rho_r(L+u)}\sum_{y\in L+u}\rho_r(y)\rho_s(x-y) \\ &= \frac{1}{s^n\rho_r(L+u)}\sum_{y\in L+u}\exp\left(-\pi\left(\left|\frac{y}{r}\right|^2+\left|\frac{x-y}{s}\right|^2\right)\right) \\ &= \frac{1}{s^n\rho_r(L+u)}\sum_{y\in L+u}\exp\left(-\pi\left(\frac{r^2+s^2}{r^2s^2}\left|y-\frac{r^2}{r^2+s^2}x\right|^2+\frac{1}{r^2+s^2}|x|^2\right)\right) \\ &= \exp\left(-\frac{\pi}{r^2+s^2}|x|^2\right)\frac{1}{s^n\rho_r(L+u)}\sum_{y\in L+u}\exp\left(-\pi\frac{r^2+s^2}{r^2s^2}\left|y-\frac{r^2}{r^2+s^2}x\right|^2\right) \\ &= \frac{\rho_t(x)}{s^n}\,\frac{\rho_{rs/t,\,(r/t)^2x-u}(L)}{\rho_{r,-u}(L)} \\ &= \frac{\rho_t(x)}{s^n}\,\frac{\hat{\rho}_{rs/t,\,(r/t)^2x-u}(L^*)}{\hat{\rho}_{r,-u}(L^*)}. \end{split}$$

Based on the Fourier transform property of Gauss function in Lemma 1.2.1 in Chap. 1, we get

$$
\hat{\rho}\_{rs/t, (r/t)^2 \mathbf{x} - u}(w) = \exp(-2\pi i ((r/t)^2 \mathbf{x} - u) \cdot w) (rs/t)^n \rho\_{t/rs}(w),
$$

and

$$
\hat{\rho}\_{r,-u}(w) = \exp(2\pi i \boldsymbol{u} \cdot w) r^n \rho\_{1/r}(w).
$$

Since $r \geqslant \frac{rs}{t} \geqslant \eta_\varepsilon(L)$,

$$|1 - (t/rs)^n \hat{\rho}\_{rs/t, (r/t)^2 x - u}(L^\*)| \leqslant \rho\_{t/rs}(L^\* \backslash \{0\}) \leqslant \varepsilon,$$

$$|1 - (1/r)^n \hat{\rho}\_{r, -u}(L^\*)| \leqslant \rho\_{1/r}(L^\* \backslash \{0\}) \leqslant \varepsilon.$$

It follows that

$$1 - 2\varepsilon \leqslant \frac{1-\varepsilon}{1+\varepsilon} \leqslant \frac{(t/rs)^n\hat{\rho}_{rs/t,(r/t)^2x-u}(L^*)}{(1/r)^n\hat{\rho}_{r,-u}(L^*)} \leqslant \frac{1+\varepsilon}{1-\varepsilon} \leqslant 1+4\varepsilon. \tag{3.4.4}$$

By (3.4.4),

$$|Y(\mathbf{x}) - \frac{\rho\_t(\mathbf{x})}{t^n}| \le 4\varepsilon \frac{\rho\_t(\mathbf{x})}{t^n}.$$

Integrating over $x \in \mathbb{R}^n$,

$$\Delta(\xi, D_t) = \frac{1}{2}\int_{\mathbb{R}^n}\left|Y(x) - \frac{\rho_t(x)}{t^n}\right|\mathrm{d}x \leqslant 2\varepsilon.$$

We complete the proof.
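In one dimension the content of Lemma 3.4.9 can be checked empirically: convolving $D_{\mathbb{Z}+u,r}$ with the continuous noise $D_s$ yields nearly the continuous Gauss $D_t$, $t = \sqrt{r^2+s^2}$. A Monte Carlo sketch for $L = \mathbb{Z}$ (whose smoothing parameter is small, so the hypothesis $rs/t \geqslant \eta_\varepsilon(L)$ holds comfortably for these illustrative parameters):

```python
import math
import random

def sample_discrete_gauss_coset(u, r, rng, width=60):
    """Sample from D_{Z+u, r} by enumerating a finite window of the coset
    (the tail beyond |x| > width is negligible for these parameters)."""
    pts = [k + u for k in range(-width, width + 1)]
    wts = [math.exp(-math.pi * (p / r) ** 2) for p in pts]
    return rng.choices(pts, weights=wts)[0]

rng = random.Random(3)
u, r, s = 0.3, 2.0, 2.0
t = math.sqrt(r * r + s * s)

xs = [sample_discrete_gauss_coset(u, r, rng)
      + rng.gauss(0.0, s / math.sqrt(2 * math.pi)) for _ in range(20000)]
mean = sum(xs) / len(xs)
std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))

# D_t has mean 0 and standard deviation t/sqrt(2*pi) ~ 1.128.
assert abs(mean) < 0.05
assert abs(std - t / math.sqrt(2 * math.pi)) < 0.05
```

The lemma asserts much more than matching moments (closeness in statistical distance), but the moment check already shows the characteristic $t = \sqrt{r^2+s^2}$ combination of parameters.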

**Lemma 3.4.10** *For any $n$ dimensional lattice $L$, vectors $z, u \in \mathbb{R}^n$, real numbers $r, \alpha > 0$, $\varepsilon < \frac{1}{2}$, with $\eta_\varepsilon(L) \leqslant 1/\sqrt{1/r^2 + (|z|/\alpha)^2}$, let $v$ be a random variable with the discrete Gauss distribution $D_{L+u,r}$, let $e$ be a Gauss random variable with mean $0$ and standard deviation $\alpha/\sqrt{2\pi}$, and let $\xi$ be a Gauss random variable with mean $0$ and standard deviation $\sqrt{(r|z|)^2+\alpha^2}/\sqrt{2\pi}$. Then*

$$
\Delta(z \cdot v + e, \xi) \leqslant 2\varepsilon. \tag{3.4.5}
$$

*In particular,*

$$
\Delta(z \cdot v + e \bmod 1,\ \psi_{\sqrt{(r|z|)^2+\alpha^2}}) \leqslant 2\varepsilon. \tag{3.4.6}
$$

*Proof* Let the random variable $h$ have distribution $D_{\alpha/|z|}$; then the standard deviation of $h$ is $\alpha/(|z|\sqrt{2\pi})$, and the standard deviation of $z \cdot h$ is $|z|\cdot\alpha/(|z|\sqrt{2\pi}) = \alpha/\sqrt{2\pi}$, which is the same as that of $e$. Since both have Gauss distributions, $z \cdot h$ and $e$ have the same distribution, i.e. $z \cdot v + e$ and $z \cdot (v + h)$ have the same distribution. Applying Lemma 3.4.9 with $s = \alpha/|z|$, it follows that the statistical distance between $v + h$ and $D_{\sqrt{r^2+(\alpha/|z|)^2}}$ is no more than $2\varepsilon$,

$$\Delta(v+h,\ D_{\sqrt{r^2+(\alpha/|z|)^2}}) \leqslant 2\varepsilon.$$

By the property of statistical distance,

$$\Delta(z\cdot(v+h),\ z\cdot D_{\sqrt{r^2+(\alpha/|z|)^2}}) \leqslant 2\varepsilon.$$

Here the standard deviation of $z\cdot D_{\sqrt{r^2+(\alpha/|z|)^2}}$ is

$$|z| \cdot \sqrt{r^2 + (\alpha/|z|)^2} / \sqrt{2\pi} = \sqrt{(r|z|)^2 + \alpha^2} / \sqrt{2\pi},$$

which is the same as that of $\xi$. Note that both random variables have Gauss distributions; therefore $z\cdot D_{\sqrt{r^2+(\alpha/|z|)^2}}$ and $\xi$ have the same distribution, i.e.

$$
\Delta(z \cdot v + e, \xi) \leqslant 2\varepsilon,
$$

Reducing both random variables mod $1$, we obtain

$$\Delta(z\cdot v + e \bmod 1,\ \psi_{\sqrt{(r|z|)^2+\alpha^2}}) \leqslant 2\varepsilon.$$

The lemma holds.

**Lemma 3.4.11** *Let $\varepsilon = \varepsilon(n)$ be a negligible function of $n$, $q = q(n) \geqslant 2$ be a positive integer, $\alpha = \alpha(n) \in (0, 1)$. Assume we have an algorithm $W$ that recovers $s$ given a polynomial number of samples from $A_{s,\psi_\beta}$ for any $\beta \leqslant \alpha$ ($\beta$ is unknown). Then there exists an efficient algorithm that, given an $n$ dimensional lattice $L$, a real number $r > \sqrt{2}q\eta_\varepsilon(L)$ and a polynomial number of samples from $D_{L,r}$, solves the $\mathrm{CVP}^{(q)}_{L^*,\alpha q/(\sqrt{2}r)}$ problem.*

*Proof* For a given $x \in \mathbb{R}^n$ with $\mathrm{dist}(x, L^*) \leqslant \alpha q/(\sqrt{2}r)$, let $B$ be the generating matrix of $L$, so that $(B^T)^{-1}$ is the generating matrix of $L^*$; our goal is to compute $s = B^T K_{L^*}(x) \bmod q$. The idea is to generate a polynomial number of samples from $A_{s,\psi_\beta}$ and then recover $s$ by the algorithm $W$.

The steps are as follows: let $v \in L$ be a sample from the discrete Gauss distribution $D_{L,r}$, let $a = B^{-1}v \bmod q$, and let $e$ be a Gauss random variable with mean $0$ and standard deviation $\alpha/(2\sqrt{\pi})$. We claim there is $\beta \leqslant \alpha$ such that the statistical distance between $(a, x\cdot v/q + e \bmod 1)$ and $A_{s,\psi_\beta}$ is negligible. Next we prove the correctness of this algorithm.

Firstly, note that the distribution of $a$ is almost uniform, i.e. the statistical distance between $a$ and the uniform distribution on $\mathbb{Z}_q^n$ is negligible. This is because for any $a_0 \in \mathbb{Z}_q^n$, we have

$$\Pr\{a = a_0\} = \frac{\rho_r(qL + Ba_0)}{\rho_r(L)}, \qquad \rho_r(qL + Ba_0) = \rho_{r/q}(L + Ba_0/q).$$

Since $q\eta_\varepsilon(L) < r$, i.e. $r/q > \eta_\varepsilon(L)$, Lemma 3.4.8 gives

$$\rho_{r/q}(L + Ba_0/q) \in (r/q)^n\det(L^*)(1\pm\varepsilon), \quad \forall a_0 \in \mathbb{Z}_q^n.$$

Hence the probabilities $\Pr\{a = a_0\}$ agree up to a factor $1 \pm O(\varepsilon)$, which implies $a$ is almost uniformly distributed.

Secondly, we consider the distribution of $x\cdot v/q + e \bmod 1$. Let $x' = x - K_{L^*}(x)$; from $\mathrm{dist}(x, L^*) \leqslant \alpha q/(\sqrt{2}r)$ we get $|x'| \leqslant \alpha q/(\sqrt{2}r)$ and

$$x\cdot v/q + e \bmod 1 = (x'/q)\cdot v + e + K_{L^*}(x)\cdot v/q \bmod 1. \tag{3.4.7}$$

We compute the distributions of $K_{L^*}(x)\cdot v/q \bmod 1$ and $(x'/q)\cdot v + e$, respectively. It is easy to see that

$$K\_{L^\ast}(\mathfrak{x}) \cdot v = (\boldsymbol{B}^\mathsf{T} K\_{L^\ast}(\mathfrak{x})) \cdot (\boldsymbol{B}^{-1} v),$$

therefore,

$$K\_{L^\ast}(\mathbf{x}) \cdot v \bmod q = (\boldsymbol{B}^T K\_{L^\ast}(\mathbf{x})) \cdot (\boldsymbol{B}^{-1} v) \bmod q = \boldsymbol{s} \cdot \boldsymbol{a} \bmod q.$$

This means $K_{L^*}(x)\cdot v/q \bmod 1$ and $s\cdot a/q \bmod 1$ have the same distribution. To obtain the distribution of $(x'/q)\cdot v + e$, note that conditioned on $a$, $v$ has the discrete Gauss distribution $D_{qL+Ba,r}$, and $e$ has a Gauss distribution with mean $0$ and standard deviation $\alpha/(2\sqrt{\pi})$. Let $\beta = \sqrt{(r|x'|/q)^2 + \alpha^2/2} \leqslant \alpha$; then

$$1/\sqrt{1/r^2 + (\sqrt{2}|x'|/(\alpha q))^2} \geqslant r/\sqrt{2} > q\eta_\varepsilon(L) = \eta_\varepsilon(qL)$$

satisfies the condition of Lemma 3.4.10 (applied to the lattice $qL$ with $z = x'/q$). By Lemma 3.4.10, $(x'/q)\cdot v + e$ has a distribution within negligible statistical distance of $\psi_\beta$. From (3.4.7), $x\cdot v/q + e \bmod 1$ and $\psi_\beta + s\cdot a/q \bmod 1$ have (almost) the same distribution. Altogether, the statistical distance between $(a, x\cdot v/q + e \bmod 1)$ and $A_{s,\psi_\beta}$ is negligible, so the algorithm is correct. We complete the proof. $\square$
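For $L = \mathbb{Z}^n$ ($B$ the identity, $L^* = \mathbb{Z}^n$, and $K_{\mathbb{Z}^n}$ just coordinate-wise rounding), the sample-generation step of this proof can be simulated end to end; all names and parameters below are illustrative.

```python
import math
import random

def lwe_sample_from_dgs(x, q, r, alpha, rng, width=40):
    """One step of Lemma 3.4.11 for L = Z^n: turn a discrete Gauss sample
    v ~ D_{Z^n, r} and the CVP target x into an LWE-like pair (a, b)."""
    n = len(x)
    pts = list(range(-width, width + 1))
    wts = [math.exp(-math.pi * (k / r) ** 2) for k in pts]
    v = [rng.choices(pts, weights=wts)[0] for _ in range(n)]
    a = [vi % q for vi in v]                    # a = B^{-1} v mod q
    e = rng.gauss(0.0, alpha / (2 * math.sqrt(math.pi)))
    b = (sum(xi * vi for xi, vi in zip(x, v)) / q + e) % 1.0
    return a, b

rng = random.Random(9)
n, q, r, alpha = 4, 17, 3.0, 0.05
s = [rng.randrange(q) for _ in range(n)]          # hidden secret = round(x) mod q
x = [si + rng.uniform(-0.01, 0.01) for si in s]   # target very close to Z^n
# The residue b - a.s/q mod 1 equals x'.v/q + e mod 1 with |x'| tiny,
# so it concentrates near 0: these really are noisy LWE equations for s.
res = []
for _ in range(200):
    a, b = lwe_sample_from_dgs(x, q, r, alpha, rng)
    d = (b - sum(ai * si for ai, si in zip(a, s)) / q) % 1.0
    res.append(min(d, 1.0 - d))
assert sum(res) / len(res) < 0.1
```

The cancellation used in the residue check is exactly the identity $K_{L^*}(x)\cdot v \equiv s\cdot a \pmod q$ from the proof.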

Combining the above Lemmas 3.4.5, 3.4.7 and 3.4.11, we obtain the conclusion of Lemma 3.4.4 immediately, which shows that we can solve the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem from samples of $D_{L,r}$. In order to prove Lemma 3.4.3 completely, we introduce techniques of quantum computation to show that there is an efficient quantum algorithm generating a sample from $D_{L,r\sqrt{n}/(\alpha q)}$ given an algorithm for the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem.

**Definition 3.4.4** For a real number $a \in \mathbb{R}$ and a vector $x \in \mathbb{R}^n$, we define the Dirac notation $a|x\rangle = ax$. Let $A$ be a finite or countable set in $\mathbb{R}^n$ and $f$ a function from $\mathbb{R}^n$ to $\mathbb{R}$; a quantum state is defined by

$$\sum\_{\mathbf{x}\in A} f(\mathbf{x})|\mathbf{x}\rangle = \sum\_{\mathbf{x}\in A} f(\mathbf{x})\mathbf{x},\tag{3.4.8}$$

provided that $\sum_{x\in A} f(x)x$ converges.

The theory of Dirac notation and quantum states is an important part of quantum physics. Since a full treatment is beyond the scope of this book, we only state Lemmas 3.4.12, 3.4.13 and 3.4.14 here; readers may refer to Nielsen and Chuang (2000), Shor (1997) for details. The following Lemma 3.4.12 gives the discrete Gauss quantum state on a lattice $L$ satisfying $L \subset \mathbb{Z}^n$.

**Lemma 3.4.12** *Given an $n$ dimensional lattice $L \subset \mathbb{Z}^n$ and $r > 2^{2n}\lambda_n(L)$, there exists an efficient quantum algorithm that outputs a state within negligible $l_2$ distance of the following state*

$$\sum\_{\mathbf{x}\in L} \sqrt{\rho\_r(\mathbf{x})} |\mathbf{x}\rangle = \sum\_{\mathbf{x}\in L} \rho\_{\sqrt{2}r}(\mathbf{x}) |\mathbf{x}\rangle. \tag{3.4.9}$$

*Let $L$ be an $n$ dimensional lattice, $R$ a positive number, and $L/R = \{x/R \mid x \in L\}$ the lattice obtained by scaling $L$ down by a factor of $R$. The following Lemma 3.4.13 claims that the quantum state on the lattice is essentially supported on points of norm at most $\sqrt{n}$.*

**Lemma 3.4.13** *Let $R$ be a positive integer and $L$ an $n$ dimensional lattice with $\lambda_1(L) > 2\sqrt{n}$, and let $F$ be the basic neighborhood of $L$. Define $v_1$ and $v_2$ by*

$$v_1 = \sum_{x\in L/R,\ |x|<\sqrt{n}} \rho(x)\,|x \bmod L\rangle \tag{3.4.10}$$

*and*

$$\begin{split} v_2 &= \sum_{x\in L/R} \rho(x)\,|x \bmod L\rangle \\ &= \sum_{x\in L/R\cap F}\sum_{y\in L}\rho(x-y)\,|x\rangle. \end{split} \tag{3.4.11}$$

*Then the $l_2$ distance between $\frac{v_1}{|v_1|}$ and $\frac{v_2}{|v_2|}$ is negligible.*

The following Lemma 3.4.14 gives an algorithm that generates a sample from $D_{L,\sqrt{n}/(\sqrt{2}d)}$ based on an algorithm for the $\mathrm{CVP}_{L^*,d}$ problem.

**Lemma 3.4.14** *Given an $n$ dimensional lattice $L$ and a real number $d < \lambda_1(L^*)/2$, if there exists an algorithm to solve the $\mathrm{CVP}_{L^*,d}$ problem, then there is an efficient quantum algorithm to generate a sample from the discrete Gauss distribution $D_{L,\sqrt{n}/(\sqrt{2}d)}$.*

According to Lemma 1.3.6 in Chap. 1, when $r > \sqrt{2}q\eta_\varepsilon(L)$, we have

$$
\frac{\alpha q}{\sqrt{2}r} < \frac{\alpha}{2\eta\_\varepsilon(L)} \le \frac{\alpha}{2} \sqrt{\frac{\pi}{\ln(1/\varepsilon)}} \lambda\_1(L^\*) < \frac{\lambda\_1(L^\*)}{2},
$$

Replacing $d$ in Lemma 3.4.14 by $\alpha q/(\sqrt{2}r)$, there exists a quantum algorithm that generates a sample from the discrete Gauss distribution $D_{L,r\sqrt{n}/(\alpha q)}$ given an algorithm for the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem.

Combining Lemma 3.4.4 with Lemma 3.4.14, for $r > \sqrt{2}q\eta_\varepsilon(L)$ we have proved that one can solve the $\mathrm{CVP}_{L^*,\alpha q/(\sqrt{2}r)}$ problem given an algorithm for the $\mathrm{LWE}_{n,q,\psi_\alpha,m}$ problem and a polynomial number of samples from $D_{L,r}$, and then generate a sample from $D_{L,r\sqrt{n}/(\alpha q)}$, which is the whole proof of Lemma 3.4.3. This establishes the main Lemma 3.4.1 of this subsection and finishes the first part of the proof of Theorem 3.3.1, i.e. solving the $\mathrm{DGS}_{\sqrt{2n}\eta_\varepsilon(L)/\alpha}$ problem from an algorithm for the $\mathrm{LWE}_{n,q,\psi_\alpha,m}$ problem.

#### *3.4.2 From DGS to Hard Problems on Lattice*

In this subsection, we prove that if there is an algorithm to solve the DGS problem, then there exists a probabilistic polynomial-time algorithm to solve the hard problems on lattices. Take the GIVP problem as an example: find a set $S = \{s_i\} \subset L$ of $n$ linearly independent vectors in $L$ such that

$$|S| = \max_i |s_i| \leqslant \gamma(n)\phi(B),$$

where $\gamma(n) \geqslant 1$ is a function of $n$, $B$ is the generating matrix of $L$, and $\phi(B)$ is a real function of $B$. In particular, if $\phi = \lambda_n$, the GIVP problem becomes the SIVP problem. In order to complete the reduction from the hard problems on lattices to the DGS problem, we first introduce two lemmas. Lemma 3.4.15 shows that, with positive probability, a sample from the discrete Gauss distribution avoids any given hyperplane of dimension at most $n - 1$.

**Lemma 3.4.15** *Given an $n$ dimensional lattice $L \subset \mathbb{R}^n$, $\varepsilon \leqslant \frac{1}{10}$, $r \geqslant \sqrt{2}\eta_\varepsilon(L)$, let $H$ be a hyperplane in $\mathbb{R}^n$ of dimension at most $n - 1$, and let $x$ be a sample from the discrete Gauss distribution $D_{L,r}$. Then*

$$\Pr\{\mathbf{x} \notin H\} \ge \frac{1}{10}.$$

*Proof* Write $h = (h_1, h_2, \ldots, h_n)$ for points of $H$. Without loss of generality, suppose $H$ is the hyperplane $h_1 = 0$, i.e. the set of all points whose first coordinate is $0$, and write $x = (x_1, x_2, \ldots, x_n)$. Consider the expectation $E[e^{-\pi(x_1/r)^2}]$; based on Lemma 1.3.2 in Chap. 1, we have


$$\begin{split} & \quad \underset{x \sim D\_{L,r}}{E} \left[ e^{-\pi \left(x\_{1}/r\right)^{2}} \right] \\ & = \frac{1}{\rho\_{r}(L)} \sum\_{x \in L} e^{-\pi \left(\sqrt{2}x\_{1}/r\right)^{2}} e^{-\pi \left(x\_{2}/r\right)^{2}} \dots e^{-\pi \left(x\_{n}/r\right)^{2}} \\ & = \frac{\det(L^{\*})r^{n}}{\sqrt{2}\rho\_{r}(L)} \sum\_{\mathbf{y} \in L^{\*}} e^{-\pi \left(r\mathbf{y}\_{1}/\sqrt{2}\right)^{2}} e^{-\pi \left(r\mathbf{y}\_{2}\right)^{2}} \dots e^{-\pi \left(r\mathbf{y}\_{n}\right)^{2}} \\ & \leq \frac{\det(L^{\*})r^{n}}{\sqrt{2}\rho\_{r}(L)} \rho\_{\sqrt{2}/r}(L^{\*}), \end{split}$$

where $y = (y_1, y_2, \ldots, y_n) \in L^*$. Since $r/\sqrt{2} \geqslant \eta_\varepsilon(L)$, we get

$$
\rho_{\sqrt{2}/r}(L^*) = 1 + \rho_{\sqrt{2}/r}(L^*\backslash\{0\}) \leqslant 1 + \varepsilon.
$$

It follows that

$$E_{x\sim D_{L,r}}\left[e^{-\pi(x_1/r)^2}\right] \leqslant \frac{\det(L^*)r^n}{\sqrt{2}\rho_r(L)}(1+\varepsilon).$$

By Lemma 1.3.2 in Chap. 1 again,

$$
\rho\_r(L) = \det(L^\*) r^n \rho\_{1/r}(L^\*) \geqslant \det(L^\*) r^n,
$$

therefore,

$$E_{x\sim D_{L,r}}\left[e^{-\pi(x_1/r)^2}\right] \leqslant \frac{1+\varepsilon}{\sqrt{2}} < \frac{9}{10}.$$

On the other hand,

$$\begin{aligned} E_{x\sim D_{L,r}}\left[e^{-\pi(x_1/r)^2}\right] &\geqslant \sum_{\mathbf{x}\in L\cap H} \frac{\rho_r(\mathbf{x})}{\rho_r(L)}\,e^{-\pi(x_1/r)^2} \\ &= \sum_{\mathbf{x}\in L\cap H}\frac{\rho_r(\mathbf{x})}{\rho_r(L)} = \Pr\{\mathbf{x} \in H\}. \end{aligned}$$

According to the above two inequalities,

$$\Pr\{\mathbf{x} \in H\} \leqslant \frac{9}{10},$$

that is,

$$\Pr\{\mathbf{x} \notin H\} \geqslant \frac{1}{10}.$$

The lemma holds.

Based on Lemma 3.4.15, the following lemma shows that with probability close to 1 one can find $n$ linearly independent vectors among $n^2$ independent samples of the discrete Gauss distribution $D_{L,r}$, which provides a guarantee for solving the GIVP problem later.

**Lemma 3.4.16** *Given an n-dimensional lattice $L \subset \mathbb{R}^n$, $\varepsilon \leqslant \frac{1}{10}$, $r \geqslant \sqrt{2}\,\eta_\varepsilon(L)$, the probability that a set of $n^2$ vectors chosen independently from $D_{L,r}$ contains no n linearly independent vectors is exponentially small.*

*Proof* Let $\mathbf{x}_1, \mathbf{x}_2, \ldots, \mathbf{x}_{n^2}$ be $n^2$ independent samples from $D_{L,r}$. For $i = 1, 2, \ldots, n-1$, let $B_i$ be the event that

$$\dim \operatorname{span}(\mathbf{x}_1, \mathbf{x}_2, \dots, \mathbf{x}_{in}) = \dim \operatorname{span}(\mathbf{x}_1, \mathbf{x}_2, \dots, \mathbf{x}_{(i+1)n}) < n.$$

If none of the events *B*1, *B*2,..., *Bn*−<sup>1</sup> happens, then

$$\dim \operatorname{span}(\mathbf{x}_1, \mathbf{x}_2, \dots, \mathbf{x}_{n^2}) = n,$$

i.e. there exist $n$ linearly independent vectors among these $n^2$ samples. Next we estimate the probability of $B_i$. By Lemma 3.4.15,

$$\Pr\{\mathbf{x}\_j \in \text{span}(\mathbf{x}\_1, \mathbf{x}\_2, \dots, \mathbf{x}\_{in})\} \leqslant \frac{9}{10}, \text{ } \forall in + 1 \leqslant j \leqslant (i+1)n.$$

Thus,

$$\Pr\{\mathbf{x}_{in+1}, \mathbf{x}_{in+2}, \dots, \mathbf{x}_{(i+1)n} \in \operatorname{span}(\mathbf{x}_1, \mathbf{x}_2, \dots, \mathbf{x}_{in})\} \leqslant \left(\frac{9}{10}\right)^n,$$

that is,

$$\Pr\{B\_i\} \leqslant \left(\frac{9}{10}\right)^n, \forall i = 1, 2, \dots, n-1.$$

It follows that

$$\Pr\{\overline{B\_1} \cap \overline{B\_2} \cap \dots \cap \overline{B\_{n-1}}\} = 1 - \Pr\{B\_1 \cup \dots \cup B\_{n-1}\} \geqslant 1 - (n - 1)\left(\frac{9}{10}\right)^n,$$

this means the probability that none of *B*1, *B*2,..., *Bn*−<sup>1</sup> happens is close to 1, i.e. the probability that there are *n* linearly independent vectors in these *n*<sup>2</sup> independent samples from *DL*,*<sup>r</sup>* is close to 1. We complete the proof.
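Lemma 3.4.16 can be illustrated numerically. The sketch below draws $n^2$ samples from a coordinate-wise discrete Gaussian on the integer lattice $\mathbb{Z}^n$ (a simple stand-in for a general $D_{L,r}$ sampler; the helpers `discrete_gauss_zn` and `rank_mod_p` are our own illustrative names, not constructions from the text) and checks that the samples span $\mathbb{R}^n$:

```python
import random

def discrete_gauss_zn(n, r):
    # Coordinate-wise sampler for Z^n: round a continuous Gaussian of width r
    # (used as the standard deviation here for simplicity) in each coordinate.
    return [round(random.gauss(0.0, r)) for _ in range(n)]

def rank_mod_p(vectors, p=10**9 + 7):
    # Gaussian elimination over F_p; for small integer vectors this agrees
    # with the rank over the rationals with overwhelming probability.
    rows = [[x % p for x in v] for v in vectors]
    dim = len(rows[0])
    rank, col = 0, 0
    while rank < len(rows) and col < dim:
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            col += 1
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], p - 2, p)
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[rank])]
        rank += 1
        col += 1
    return rank

random.seed(1)
n, r = 8, 3.0
samples = [discrete_gauss_zn(n, r) for _ in range(n * n)]
print(rank_mod_p(samples))  # n with overwhelming probability
```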

Based on the above preparations, let's prove the main conclusion in this subsection.

**Lemma 3.4.17** *Given an n-dimensional lattice L, $\varepsilon = \varepsilon(n) \leqslant \frac{1}{10}$, $\phi(L) \geqslant \sqrt{2}\,\eta_\varepsilon(L)$. If there exists an algorithm for the $DGS_\phi$ problem, then there is a probabilistic polynomial time algorithm to solve the $GIVP_{2\sqrt{n}\phi}$ problem.*

*Proof* By the LLL algorithm we choose a generating matrix $S = [s_1, s_2, \ldots, s_n]$ of the lattice $L$ such that $|s_i| \leqslant 2^n \lambda_n(L)$, $1 \leqslant i \leqslant n$. Let

$$\tilde{\lambda}_n = |S| = \max_{1 \leqslant i \leqslant n} |s_i|$$

be the length of the longest column vector in *S*, then

$$
\lambda_n(L) \leqslant \tilde{\lambda}_n \leqslant 2^n \lambda_n(L).
$$

For each $i \in \{0, 1, \ldots, 2n\}$, let $r_i = 2^{-i}\tilde{\lambda}_n$. We generate $n^2$ independent samples from $D_{L,r_i}$ using the algorithm for the $DGS_\phi$ problem, and denote the corresponding sets of $n^2$ vectors by $S_0, S_1, \ldots, S_{2n}$. If $\tilde{\lambda}_n \leqslant \phi(L)$, we have

$$
\tilde{\lambda}_n = |S| \leqslant 2\sqrt{n}\,\phi(L),
$$

so $S$ is a solution of the $GIVP_{2\sqrt{n}\phi}$ problem. If $\phi(L) < \tilde{\lambda}_n$, then there exists $i \in \{0, 1, \ldots, 2n\}$ such that $\phi(L) \leqslant r_i \leqslant 2\phi(L)$. Indeed, according to Lemma 1.3.6 in Chap. 1,

$$
\tilde{\lambda}_n \leqslant 2^n \lambda_n(L) \leqslant 2^n n \sqrt{\frac{\pi}{\ln(1/\varepsilon)}}\, \eta_\varepsilon(L) < 2^{2n+1} \phi(L),
$$

so combining $r_0 = \tilde{\lambda}_n > \phi(L)$ with $r_{2n} = 2^{-2n}\tilde{\lambda}_n < 2\phi(L)$, we know there is an $r_i$ satisfying $\phi(L) \leqslant r_i \leqslant 2\phi(L)$. By Lemma 3.4.16, the probability that $S_i$ contains $n$ linearly independent vectors $v_1, v_2, \ldots, v_n$ is close to 1. Based on Lemma 1.3.4 in Chap. 1, the probability that each $|v_i|$ is no more than $\sqrt{n}\,r_i \leqslant 2\sqrt{n}\,\phi(L)$ is close to 1. Let $V = [v_1, v_2, \ldots, v_n]$; we get $|V| \leqslant 2\sqrt{n}\,\phi(L)$, so we find a solution of the $GIVP_{2\sqrt{n}\phi}$ problem. This lemma holds.

In Chap. 2, we proved that hard problems on lattices such as the GIVP and GapSIVP problems can be reduced to the SIS problem, so solving any of these lattice problems is essentially equally difficult. In Lemma 3.4.17, we proved that if there is an algorithm for the DGS problem, then there is a probabilistic polynomial time algorithm that solves the GIVP problem with positive probability, and can therefore also solve the other hard problems on lattices. So far we have completed the second part of the proof of Theorem 3.3.1. In the first part, we proved that if there is an algorithm for the LWE problem, then there exists a quantum algorithm to solve the DGS problem. Combining the two parts, we obtain the feasibility of solving the hard lattice problems based on an algorithm for the LWE problem; that is, the difficulty of solving the LWE problem is not lower than that of the hard problems on lattices.

#### *3.4.3 From D-LWE to LWE*

In this subsection, we will finish the third part of the proof for Theorem 3.3.1, i.e. the difficulty of the D-LWE problem is at least as high as that of the LWE problem, which is given in the following Theorem 3.4.1.

**Theorem 3.4.1** *Let $n \geqslant 1$ be a positive integer, $2 \leqslant q \leqslant \mathrm{Poly}(n)$ be a prime number, and $\chi$ be a distribution on $\mathbb{Z}_q$. Assume that we have an algorithm $W$ to determine, with probability close to 1, whether a sample comes from the LWE distribution $A_{s,\chi}$ or the uniform distribution $U$. Then there exists an algorithm $W'$ that recovers $s$ from some samples of the LWE distribution $A_{s,\chi}$ with probability close to 1.*

*Proof* Let $s = (s_1, s_2, \ldots, s_n) \in \mathbb{Z}_q^n$. We give the steps of the algorithm $W'$ for solving $s_1$; the coordinates $s_2, \ldots, s_n$ can be solved in the same way. For $k \in \mathbb{Z}_q$, consider the following transformation of the LWE sample $(a, b)$, where $a$ is uniformly distributed on $\mathbb{Z}_q^n$, $b = a \cdot s + e$, $e \leftarrow \chi$:

$$(a,b)\longrightarrow(a+(l,0,\ldots,0),b+lk),$$

here $l \in \mathbb{Z}_q$ is uniformly distributed. If $k = s_1$, then

$$b + lk = a \cdot s + e + ls\_1 = (a + (l, 0, \dots, 0)) \cdot s + e,$$

note that $a + (l, 0, \ldots, 0)$ is also uniform on $\mathbb{Z}_q^n$; therefore, $(a + (l, 0, \ldots, 0), b + lk)$ has the LWE distribution $A_{s,\chi}$.

On the other hand, if $k \neq s_1$, then $lk$ and $b$ are independent. Since $l$ is uniform on $\mathbb{Z}_q$ and $q$ is prime, $lk$ is also uniform on $\mathbb{Z}_q$. By Lemma 3.3.2, $b + lk$ is uniform on $\mathbb{Z}_q$, so $(a + (l, 0, \ldots, 0), b + lk)$ is uniform. By the algorithm $W$, we determine whether $(a + (l, 0, \ldots, 0), b + lk)$ comes from the LWE distribution $A_{s,\chi}$ or the uniform distribution, and thereby check whether $s_1$ is equal to $k$. Since the number of possible values of $k$ is $q$, we can always find $s_1$. After solving $s_2, s_3, \ldots, s_n$ in the same way, we obtain the solution $s$. The theorem holds.
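This search-to-decision reduction can be exercised end to end at toy scale. In the sketch below, the distinguisher `is_lwe` simply brute-forces all candidate secrets (our own stand-in for the assumed algorithm $W$, feasible only for tiny $n$ and $q$), and `recover_coordinate` applies the transformation $(a, b) \mapsto (a + l e_i, b + lk)$ from the proof:

```python
import random

random.seed(7)
n, q, m, noise = 2, 17, 24, 1                  # toy parameters; e in {-1, 0, 1}
s = [random.randrange(q) for _ in range(n)]    # the secret to be recovered

def lwe_sample():
    a = [random.randrange(q) for _ in range(n)]
    e = random.randint(-noise, noise)
    return a, (sum(ai * si for ai, si in zip(a, s)) + e) % q

def centered(x):
    # distance of x mod q to 0
    return min(x % q, q - x % q)

def is_lwe(samples):
    # Brute-force distinguisher: accept iff some candidate secret explains
    # every sample with error at most `noise` (feasible only at this toy size).
    for s0 in range(q):
        for s1 in range(q):
            if all(centered(b - a[0] * s0 - a[1] * s1) <= noise
                   for a, b in samples):
                return True
    return False

def recover_coordinate(i):
    # For each guess k, map (a, b) -> (a + l*e_i, b + l*k) with fresh uniform l;
    # the transformed samples are LWE distributed iff k = s_i, else uniform.
    for k in range(q):
        transformed = []
        for _ in range(m):
            a, b = lwe_sample()
            l = random.randrange(q)
            a2 = a[:]
            a2[i] = (a2[i] + l) % q
            transformed.append((a2, (b + l * k) % q))
        if is_lwe(transformed):
            return k
    return None

recovered = [recover_coordinate(i) for i in range(n)]
print(recovered == s)  # True: the decision oracle yields the full secret
```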

In Theorem 3.4.1, we proved that the difficulty of the D-LWE problem is not lower than that of the LWE problem, which completes the whole proof of Theorem 3.3.1. The difficulty does not increase as we pass from the D-LWE problem to the LWE problem, and then to the hard problems on lattices. We will further discuss the LWE cryptosystem and its probability of decryption error in the next chapter.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 4 LWE Public Key Cryptosystem**

In 2005, O. Regev at Tel Aviv University in Israel proposed the first LWE public key cryptosystem, based on the LWE distribution $A_{s,\chi}$. For this paper, Regev won the highest award in theoretical computer science in 2018, the Gödel Prize. The size of the public key is $\tilde{O}(n^2)$ bits, and the sizes of the private key $s$ and of the ciphertext are $\tilde{O}(n)$ bits. Each encryption handles 1 bit of plaintext. In fact, the LWE public key cryptosystem is a probabilistic cryptosystem, relying on a high probability algorithm. Since the security of the LWE problem has been rigorously established (see Chap. 3), the LWE cryptosystem received extensive attention as soon as it was proposed, and it has become one of the most active research topics in lattice-based cryptography.

#### **4.1 LWE Cryptosystem of Regev**

Let $n \geqslant 1$, $q \geqslant 2$ be positive integers, and $\chi$ be a given probability distribution on $\mathbb{Z}_q$. By the definition in Chap. 3, the LWE distribution $A_{s,\chi}$ is

$$\begin{cases} A_{s,\chi} = (a,b) \in \mathbb{Z}_q^n \times \mathbb{Z}_q, \\ b \equiv_{\chi} \langle a, s\rangle + e \pmod{q}, \end{cases} \tag{4.1.1}$$

where $a \in \mathbb{Z}_q^n$ is uniformly distributed, $s \in \mathbb{Z}_q^n$ is the private key chosen at random, and $e \in \mathbb{Z}_q$, $e \leftarrow \chi$, where $\chi$ is called the error distribution. The LWE cryptosystem depends on the LWE distribution $A_{s,\chi}$, and its workflow has the following three steps:

(1) Public key.

First we choose $s \in \mathbb{Z}_q^n$ at random as the private key, and let $m = O(n\log q)$. Then we choose $m$ samples from $A_{s,\chi}$: $(a_i, b_i) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, $e_i \in \mathbb{Z}_q$, $e_i \leftarrow \chi$, $1 \leqslant i \leqslant m$. Let

$$\overline{A} = [a\_1, a\_2, \dots, a\_m]\_{n \times m} \in \mathbb{Z}\_q^{n \times m},$$

© The Author(s) 2023

Z. Zheng et al., *Modern Cryptography Volume 2*, Financial Mathematics and Fintech, https://doi.org/10.1007/978-981-19-7644-5\_4


$$b = \begin{pmatrix} b\_1 \\ b\_2 \\ \vdots \\ b\_m \end{pmatrix}, \ e = \begin{pmatrix} e\_1 \\ e\_2 \\ \vdots \\ e\_m \end{pmatrix}, \ e \leftarrow \chi^m, \ $$

where $\overline{A}$ is a uniformly random matrix, and $e \leftarrow \chi^m$ indicates that the $m$ samples are independent. The public key of the LWE cryptosystem is the following $(n + 1) \times m$ matrix

$$A = \begin{pmatrix} \overline{A} \\ b' \end{pmatrix} \in \mathbb{Z}\_q^{(n+1)\times m}.\tag{4.1.2}$$

If the uniformly random matrix $\overline{A}$ is given and stored for all users of the LWE cryptosystem, then the true public key is $b = (b_1, b_2, \ldots, b_m)' \in \mathbb{Z}_q^m$ with size $O(m) = \tilde{O}(n)$.

The public key and private key satisfy the following equation:

$$(-s', 1)A \equiv\_\chi e' \pmod{q}.\tag{4.1.3}$$

(2) Encryption.

To encrypt 1 bit of plaintext $u \in \mathbb{Z}_2$, let $x \in \{0, 1\}^m$ be a uniformly distributed $m$-dimensional vector with each entry 0 or 1. The ciphertext $c \in \mathbb{Z}_q^{n+1}$ is an $(n+1)$-dimensional vector over $\mathbb{Z}_q$, defined by

$$f_A(u) = c = Ax + \begin{pmatrix} 0 \\ u \cdot \lfloor \frac{q}{2} \rceil \end{pmatrix} \in \mathbb{Z}_q^{n+1},\tag{4.1.4}$$

where $0 = (0, 0, \ldots, 0)' \in \mathbb{Z}_q^n$, $u\lfloor \frac{q}{2} \rceil \in \mathbb{Z}_q$, and $\lfloor \frac{q}{2} \rceil$ is the nearest integer to $\frac{q}{2}$. We call $f_A$ the encryption algorithm of LWE. To understand the encryption algorithm better, we give another definition of $f_A$.

The set $\{1, 2, \ldots, m\}$ has $2^m$ subsets. We choose a subset $S \subset \{1, 2, \ldots, m\}$ uniformly at random, called the index set. Then the encryption algorithm $f_A(u)$ for plaintext $u \in \mathbb{Z}_2$ is

$$c = f_A(u) = \begin{pmatrix} \sum_{i \in S} a_i \\ \sum_{i \in S} b_i + u \lfloor \frac{q}{2} \rceil \end{pmatrix} \in \mathbb{Z}_q^{n+1}.\tag{4.1.5}$$

In fact, the subset $S$ corresponds to the uniformly chosen vector $x \in \{0, 1\}^m$. The algorithm (4.1.5) is the one originally proposed by Regev.

#### (3) Decryption.

We use the private key $s \in \mathbb{Z}_q^n$ to decrypt the ciphertext $c$. Actually we only need to decrypt the last entry of the vector $c$. We have

$$(-s', 1)c = (-s', 1)Ax + u \lfloor \frac{q}{2} \rceil \equiv_\chi e'x + u \lfloor \frac{q}{2} \rceil \pmod{q}.\tag{4.1.6}$$

The error samples are much smaller than $q$; namely,

$$\Big|\sum_{i \in S} e_i\Big| = |e'x| < \lfloor \frac{q}{2} \rceil / 2. \tag{4.1.7}$$

Therefore, by comparing the distances between the right side of (4.1.6) and 0 or $\lfloor \frac{q}{2} \rceil$, one can decrypt successfully:

$$f_A^{-1}(c) = \begin{cases} 0, \text{ if } (-s', 1)c \text{ is closer to } 0, \\ 1, \text{ if } (-s', 1)c \text{ is closer to } \lfloor \frac{q}{2} \rceil, \end{cases} \tag{4.1.8}$$

finally we have $f_A^{-1}(c) = u$, finishing the whole workflow of the LWE cryptosystem.
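The three-step workflow above can be put together as a minimal toy implementation. The parameters and the $\pm 1$ error distribution below are illustrative choices of ours, not the parameters of the text:

```python
import random

random.seed(0)
n, q, m = 8, 101, 40          # toy sizes: q prime, m ~ O(n log q)
half_q = q // 2               # an integer nearest q/2

def keygen():
    s = [random.randrange(q) for _ in range(n)]                     # private key
    A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [random.choice((-1, 0, 1)) for _ in range(m)]               # small errors
    b = [(sum(x * y for x, y in zip(A[i], s)) + e[i]) % q for i in range(m)]
    return s, (A, b)

def encrypt(pub, u):
    # choose a uniform index set S, cf. (4.1.5)
    A, b = pub
    S = [i for i in range(m) if random.random() < 0.5]
    c1 = [sum(A[i][j] for i in S) % q for j in range(n)]
    c2 = (sum(b[i] for i in S) + u * half_q) % q
    return c1, c2

def decrypt(s, c):
    # (-s', 1)c = sum_S e_i + u*half_q (mod q); decide by the closer of 0, q/2
    c1, c2 = c
    v = (c2 - sum(x * y for x, y in zip(c1, s))) % q
    return 0 if min(v, q - v) < abs(v - half_q) else 1

s, pub = keygen()
ok = all(decrypt(s, encrypt(pub, u)) == u for u in (0, 1) for _ in range(50))
print(ok)  # True: the accumulated error stays below half_q/2
```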

Both the encryption and decryption algorithms of LWE are probabilistic, so we should verify correctness, namely

$$\Pr\{f_A^{-1}(c) = u\} \geqslant 1 - \delta(n). \tag{4.1.9}$$

Here $\delta(n)$ is a negligible function of $n$, i.e. $\delta(n) = o\left(\frac{1}{\log^\epsilon n}\right)$, $\forall \epsilon > 0$; more precisely:

$$\lim\_{n \to \infty} \delta(n) \log^{\epsilon} n = 0, \; \forall \epsilon > 0.$$

We prove (4.1.9) for the discrete Gauss distribution $\chi = \overline{\psi}_\alpha$. For $a \in \mathbb{Z}_q$, $\mathbb{Z}_q = \{0, 1, \ldots, q-1\}$, define

$$|a| = \begin{cases} a, \text{ if } 0 \leqslant a \leqslant \lfloor \frac{q}{2} \rceil, \\ q - a, \text{ if } \lfloor \frac{q}{2} \rceil < a \leqslant q - 1. \end{cases} \tag{4.1.10}$$

For *<sup>x</sup>* <sup>∈</sup> <sup>T</sup> = [0, <sup>1</sup>), we define

$$|\mathbf{x}| = \begin{cases} \mathbf{x}, & \text{if } 0 \le \mathbf{x} < \frac{1}{2}, \\ 1 - \mathbf{x}, & \text{if } \frac{1}{2} \le \mathbf{x} < 1. \end{cases} \tag{4.1.11}$$

**Lemma 4.1.1** *Let $\delta > 0$, $0 \leqslant k \leqslant m$. If the distribution $\chi^k$ satisfies*

$$\Pr\_{e \sim \chi^k} \left\{ |e| < \lfloor \frac{q}{2} \rceil / 2 \right\} > 1 - \delta,\tag{4.1.12}$$

*then (4.1.9) holds, i.e.*

$$\Pr\left\{f_A^{-1}(c) = u\right\} > 1 - \delta.$$

*Proof* When we choose the error samples $e_i \in \mathbb{Z}_q$, $e_i \leftarrow \chi$, we can always guarantee $e_i = |e_i|$ without changing the probability distribution. By (4.1.7), suppose that $|S| = k$; the corresponding sample is

$$e = \begin{pmatrix} e\_1 \\ e\_2 \\ \vdots \\ e\_k \end{pmatrix}, \ |e| = \sum\_{i=1}^k |e\_i| = \sum\_{i=1}^k e\_i.$$

As long as (4.1.7) holds, i.e.

$$|e| < \lfloor \frac{q}{2} \rceil / 2 \Rightarrow f_A^{-1}(c) = u,$$

then

$$\Pr\left\{f\_A^{-1}(c) = u\right\} \geqslant \Pr\left\{|e| < \lfloor \frac{q}{2} \rceil/2\right\} \geqslant 1 - \delta.$$

Next we prove that (4.1.12) holds for the discrete Gauss distribution $\overline{\psi}_\alpha$ on $\mathbb{Z}_q$. We make the following assumptions on the parameters:

$$\begin{cases} n \geqslant 1, \ q \geqslant 2, \ n^2 \leqslant q \leqslant 2n^2, \\ m = (1+\epsilon)(n+1)\log q, \ \epsilon > 0 \text{ is any positive real number}, \\ \chi = \overline{\psi}_{\alpha(n)}, \ \alpha(n) = o\left(\frac{1}{\sqrt{n}\log n}\right), \end{cases} \tag{4.1.13}$$

where the symbol *o* indicates

$$\lim_{n \to \infty} \alpha(n)\sqrt{n}\log n = 0.$$

For example, we can choose $\alpha(n) = \frac{1}{\sqrt{n}\log^2 n}$, or

$$\alpha(n) = \left(\sqrt{n}\log^{1+\epsilon}n\right)^{-1}, \ \forall \epsilon > 0.$$

**Lemma 4.1.2** *Under the parameter conditions of (4.1.13), for any $0 \leqslant k \leqslant m$, we have*

$$\Pr\_{e \sim \overline{\mathcal{V}}\_{a(n)}^k} \left\{ |e| < \lfloor \frac{q}{2} \rceil / 2 \right\} > 1 - \delta(n), \tag{4.1.14}$$

*where $\delta(n) = o\left(\frac{1}{\log^\epsilon n}\right)$, $\forall \epsilon > 0$, is a negligible function.*

*Proof* Based on (4.1.13), when $n \geqslant n_0$, it is easy to see that

$$0 \le k \le m \le 4(1+\epsilon)(n+1)\log n < \frac{n^2}{32} \le \frac{q}{32}.$$

The $k$ samples $e = (e_1, \ldots, e_k)'$ distributed as $\overline{\psi}_\alpha^k$ can be obtained from $k$ samples $x_1, x_2, \ldots, x_k$ of the distribution $\psi_\alpha$, where

$$x_i \in \left[0, \frac{1}{2}\right), \ e_i = \lfloor qx_i \rceil \bmod q, \ 1 \leqslant i \leqslant k.$$

Here the set of representative elements of Z*<sup>q</sup>* is

$$\mathbb{Z}\_q = \left\{ a \in \mathbb{Z} \mid -\frac{q}{2} \leqslant a < \frac{q}{2} \right\}.$$

So we have

$$|e| = \sum_{i=1}^{k} |e_i| = \sum_{i=1}^{k} \lfloor qx_i \rceil \bmod q.$$

Note that

$$\Big|\sum_{i=1}^k \left( \lfloor qx_i \rceil - qx_i \right)\Big| \leqslant k \leqslant \frac{q}{32}.$$

Therefore,

$$\left(\sum_{i=1}^k x_i\right) \bmod 1 \leqslant \frac{1}{16} \Rightarrow \left(\sum_{i=1}^k q x_i\right) \bmod q \leqslant \frac{q}{16},$$

and in that case $|e| < \lfloor \frac{q}{2} \rceil / 2$. Since $\sum_{i=1}^k x_i \bmod 1$ is distributed as $\psi_{\sqrt{k}\alpha}$, where $\sqrt{k}\cdot\alpha = o\left(\frac{1}{\sqrt{\log n}}\right)$, we get

$$\Pr\left\{\sum\_{i=1}^{k} x\_i \bmod 1 < \frac{1}{16}\right\} = 1 - \delta(n),$$

where $\delta(n) = \sqrt{k}\cdot\alpha = o\left(\frac{1}{\sqrt{\log n}}\right)$. We complete the proof.
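The accumulation of noise in this proof can be probed with a quick Monte Carlo experiment: sum $k$ samples of $\psi_\alpha$, reduce mod 1, and estimate the probability that the wrapped sum stays below $\frac{1}{16}$. The concrete choices below (base-2 logarithm, $\alpha(n) = 1/(\sqrt{n}\log^2 n)$, the helper names) are our own illustrative assumptions; the probability tends to 1 only as $n$ grows:

```python
import math
import random

random.seed(5)
n = 256
q = 2 * n * n                                   # q in [n^2, 2n^2], cf. (4.1.13)
alpha = 1 / (math.sqrt(n) * math.log2(n) ** 2)  # alpha(n) = 1/(sqrt(n) log^2 n)
k = (n + 1) * round(math.log2(q))               # k <= m = O((n + 1) log q)

def frac_dist(x):
    # |x| on T = [0, 1): distance of the fractional part to 0, eq. (4.1.11)
    f = x % 1.0
    return min(f, 1.0 - f)

def noise_sum():
    # Sum of k samples of psi_alpha: a Gaussian of density exp(-pi x^2/alpha^2)/alpha,
    # i.e. standard deviation alpha/sqrt(2*pi) per sample.
    sigma = alpha / math.sqrt(2 * math.pi)
    return sum(random.gauss(0.0, sigma) for _ in range(k))

trials = 500
good = sum(frac_dist(noise_sum()) < 1 / 16 for _ in range(trials))
print(good / trials)  # close to 1 for these parameters
```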

#### **4.2 The Proof of Security**

To prove the security of Regev's cryptosystem, we first prove some general properties of probability distributions on Abelian groups due to Impagliazzo and Zuckerman (1989).

Let $G$ be a finite Abelian group and $l \geqslant 1$ be a positive integer. For any $l$ elements $g_1, g_2, \ldots, g_l \in G$, suppose $x \in \{0, 1\}^l$, $g = (g_1, g_2, \ldots, g_l)$; then

$$g x = \sum_{i=1}^{l} x_i g_i, \ x_i = 0 \text{ or } 1$$

is called a subsum of $\{g_1, g_2, \ldots, g_l\}$. Randomly choose $x \in \{0, 1\}^l$, let $gx$ denote the distribution of the subsum, and let $U(G)$ denote the uniform distribution on $G$.

**Lemma 4.2.1** *For $l$ elements $\{g_1, g_2, \ldots, g_l\}$ chosen uniformly at random, the expectation of the statistical distance between the subsum distribution and the uniform distribution $U(G)$ satisfies*

$$E(\Delta(\mathbf{g}x, U(G))) \leqslant (|G|/2^l)^{\frac{1}{2}}.$$

*In particular, the probability that the statistical distance is larger than $(|G|/2^l)^{\frac{1}{4}}$ is no more than $(|G|/2^l)^{\frac{1}{4}}$, i.e.*

$$\Pr\left\{\Delta(\text{gx}, U(G)) \geqslant (|G|/2^l)^{\frac{1}{4}}\right\} \leqslant (|G|/2^l)^{\frac{1}{4}}.$$

*Proof* Let $g = (g_1, g_2, \ldots, g_l)$ be $l$ group elements chosen at random and $h \in G$ a given group element. Define $P_g(h)$ by

$$P\_{\mathbf{g}}(h) = \frac{1}{2^l} \left| \left\{ \mathbf{x} \in \{0, 1\}^l \mid \mathbf{g}\mathbf{x} = \sum\_{i=1}^l \mathbf{x}\_i \mathbf{g}\_i = h \right\} \right|,$$

we call $P_g(h)$ the subsum distribution of $g$. In order to prove $P_g(h)$ is close to the uniform distribution, we first show that the $l_2$ distance between $P_g(h)$ and the uniform distribution is very small. In fact, we have

$$\sum\_{h \in G} P\_{\mathbf{g}}(h)^2 = \Pr\_{\mathbf{x}, \mathbf{x}'} \{ \mathbf{g}\mathbf{x} = \mathbf{g}\mathbf{x}' \} = \frac{1}{2^l} + \Pr\_{\mathbf{x}, \mathbf{x}'} \{ \mathbf{g}\mathbf{x} = \mathbf{g}\mathbf{x}', \ \mathbf{x} \neq \mathbf{x}' \}.$$

Note that for any $x \neq x'$,

$$\Pr\_{\mathbf{g}}\{\mathbf{g}\mathbf{x}=\mathbf{g}\mathbf{x}'\}=\frac{1}{|G|}.$$

So the expectation over $g$ of the $l_2$ norm satisfies

$$E\left[\sum\_{h\in G} P\_{\mathfrak{g}}(h)^2\right] \le \frac{1}{2^l} + \frac{1}{|G|}.$$

Finally, we have the following estimation

$$\begin{split} &E\left[\sum_{h\in G} \left| P_{g}(h) - \frac{1}{|G|} \right| \right] \\ &\leqslant E\left[|G|^{\frac{1}{2}} \left(\sum_{h\in G} \left(P_{g}(h) - \frac{1}{|G|}\right)^2\right)^{\frac{1}{2}}\right] \\ &= |G|^{\frac{1}{2}}\, E\left[\left(\sum_{h\in G} P_{g}(h)^2 - \frac{1}{|G|}\right)^{\frac{1}{2}}\right] \\ &\leqslant |G|^{\frac{1}{2}} \left[E\left(\sum_{h\in G} P_{g}(h)^2\right) - \frac{1}{|G|}\right]^{\frac{1}{2}} \\ &\leqslant (|G|/2^{l})^{\frac{1}{2}}. \end{split}$$

We complete the proof.
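Lemma 4.2.1 can be checked by exhaustive enumeration for a small group $G = \mathbb{Z}_q$: for each $l$ we compute the exact statistical distance between the subsum distribution and $U(G)$ for one random draw of $g$ and compare it with the bound $(|G|/2^l)^{1/2}$ (a sketch with our own helper names):

```python
import itertools
import random

random.seed(2)
q = 11  # the group G = Z_q, so |G| = q

def subsum_distance(l):
    # Exact statistical distance between the subsum distribution gx and U(G)
    # for one random g = (g_1, ..., g_l), enumerating all 2^l vectors x.
    g = [random.randrange(q) for _ in range(l)]
    counts = [0] * q
    for x in itertools.product((0, 1), repeat=l):
        counts[sum(xi * gi for xi, gi in zip(x, g)) % q] += 1
    total = 2 ** l
    return 0.5 * sum(abs(c / total - 1 / q) for c in counts)

for l in (4, 8, 12, 16):
    print(l, round(subsum_distance(l), 4), "bound", round((q / 2 ** l) ** 0.5, 4))
```

As $l$ grows past $\log_2 |G|$, the distance shrinks roughly like $(|G|/2^l)^{1/2}$, which is exactly why the public key hides the index set $S$.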

The security of Regev's LWE public key cryptosystem rests on the following theorem, which is the most important result in this chapter.

**Theorem 4.2.1** *For any $\epsilon > 0$, $m \geqslant (1 + \epsilon)(n + 1)\log q$. If there is a probabilistic polynomial time algorithm $W$ which distinguishes the plaintext $u = 0$ from $u = 1$ given the ciphertext $c$, then there exists a polynomial time algorithm solving the D-LWE$_{n,q,\chi,m}$ problem.*

*Proof* The public key of the LWE cryptosystem is $A = \begin{pmatrix} \overline{A} \\ b' \end{pmatrix}$, where $\overline{A} \in \mathbb{Z}_q^{n\times m}$ is a uniformly random matrix and $b = (b_1, \ldots, b_m)' \in \mathbb{Z}_q^m$ is an $m$-dimensional vector chosen uniformly. The encryption function $f_A(u)$ is

$$c = f\_A(u) = Ax + \begin{pmatrix} 0 \\ u \lfloor \frac{q}{2} \rfloor \end{pmatrix} \in \mathbb{Z}\_q^{n+1}, \ x \in \{0, 1\}^m.$$

Since $W$ is a probabilistic polynomial time algorithm, let $P_0(W)$ be the probability of decrypting $u = 0$ from $f_A(0)$ by $W$, and $P_1(W)$ the probability of decrypting $u = 1$ from $f_A(1)$, i.e.

$$\begin{cases} P\_0(W) = \Pr\{W(f\_A(0)) = 0\}. \\ P\_1(W) = \Pr\{W(f\_A(1)) = 1\}. \end{cases} \tag{4.2.1}$$

If $b \in \mathbb{Z}_q^m$ is uniformly random, then the LWE distribution $A_{s,\chi}$ becomes the uniform distribution. Let $P_u(W)$ be the probability of successful decryption by $W$ under this uniform distribution. Suppose that

$$|P_0(W) - P_1(W)| \geqslant \frac{1}{n^{\delta}}, \ \delta > 0.\tag{4.2.2}$$

Under the assumption of (4.2.2), we will construct a new algorithm *W* satisfying

$$|P_0(W') - P_u(W')| \geqslant \frac{1}{2n^\delta}.\tag{4.2.3}$$

By (4.2.2), we have

$$|P\_0(W) - P\_u(W)| \geqslant \frac{1}{2n^\delta}, \text{ or } |P\_1(W) - P\_u(W)| \geqslant \frac{1}{2n^\delta}.$$

If the first inequality above holds, let $W' = W$. If the second inequality holds, we construct $W'$ as follows. Let the function $\sigma$ be $f_A(u) \mapsto f_A(u) + \begin{pmatrix} 0 \\ \frac{q-1}{2} \end{pmatrix}$.

Thus, $\sigma$ maps the LWE distribution $(A, b)$ to $(A, b + \frac{q-1}{2})$. If $b$ is uniformly random, so is $b + \frac{q-1}{2}$. We define $W'$ to be the decryption by $W$ on the LWE distribution $(A, b + \frac{q-1}{2})$. According to (4.1.5),

$$P\_0(W) = P\_1(W'), \ P\_1(W) = P\_0(W'),$$

so $W'$ is the algorithm which satisfies (4.2.3).

Let $s \in \mathbb{Z}_q^n$; the public key sample follows the distribution $(\overline{A}, b) \in \mathbb{Z}_q^{n\times m} \times \mathbb{Z}_q^m \sim A_{s,\chi}$. Let $P_0(s)$ be the probability of successfully decrypting $u = 0$ by $W'$, i.e.

$$P\_0(\mathbf{s}) = \Pr\{W'(f\_A(\mathbf{0})) = 0\}.$$

Similarly, let $P_u(s)$ be the probability of successful decryption by $W'$ if $(\overline{A}, b)$ is uniformly random. Suppose

$$\left| \mathop{E}_{s}[P_0(s)] - \mathop{E}_{s}[P_u(s)] \right| \geqslant \frac{1}{2n^\delta},\tag{4.2.4}$$

we define

$$Y = \left\{ \mathbf{s} \in \mathbb{Z}\_q^n \mid \left| P\_0(\mathbf{s}) - P\_u(\mathbf{s}) \right| \geqslant \frac{1}{4n^\delta} \right\}.\tag{4.2.5}$$

It is easy to prove that if $s \in \mathbb{Z}_q^n$ is uniformly distributed, then

$$|Y|/q^n \geqslant \frac{1}{4n^\delta}.$$

Therefore, in order to prove Theorem 4.2.1, we need to find an algorithm $Z$ that determines, for any $s \in Y$, whether the given distribution is the LWE distribution $A_{s,\chi}$ or uniform. Construction of the algorithm $Z$: let $R$ be a probability distribution on $\mathbb{Z}_q^n \times \mathbb{Z}_q$ which is either the uniform distribution or an LWE distribution with $s \in Y$, i.e.

*R* = uniform LWE distribution, or *R* = *As*,χ , *s* ∈ *Y*.

Let $\overline{A} = [a_1, \ldots, a_m] \in \mathbb{Z}_q^{n \times m}$, $b = (b_1, \ldots, b_m)' \in \mathbb{Z}_q^m$ be $m$ random samples from the distribution $R$. Let $P_0(R)$ be the probability of successfully decrypting $u = 0$ by $W'$ when $(\overline{A}, b) \sim A_{s,\chi}$, $s \in Y$. In the same way, let $P_u(R)$ be the probability of decrypting $u = 0$ by $W'$ if $R$ is the uniform distribution. We estimate $P_0(R)$ and $P_u(R)$ by running the algorithm $W'$ polynomially many times, so that the error can be controlled within $\frac{1}{64n^\delta}$. If $|P_0(R) - P_u(R)| \geqslant \frac{1}{16n^\delta}$, then the algorithm $Z$ is effective; otherwise it is noneffective.

We first confirm that if $R$ is the uniform distribution, then $Z$ is noneffective with high probability. In this case $(\overline{A}, b) \in \mathbb{Z}_q^{n\times m} \times \mathbb{Z}_q^m$ with $b$ uniformly random. According to Lemma 4.2.1 applied to the Abelian group $G = \mathbb{Z}_q^n \times \mathbb{Z}_q$, we have

$$|P_0(R) - P_u(R)| \leqslant 2^{-\Omega(n)}.$$

In this case, $Z$ is noneffective.

If $R = A_{s,\chi}$, where $s \in Y$, we prove that the algorithm $Z$ is effective with probability $\frac{1}{\mathrm{Poly}(n)}$; i.e. one can distinguish $s \in Y$ from the uniform distribution. Since $|P_0(R) - P_u(R)| \geqslant \frac{1}{4n^\delta}$, in the average sense we get

$$\Pr\left\{|P\_0(R) - P\_u(R)| \geqslant \frac{1}{8n^\delta}\right\} \geqslant \frac{1}{8n^\delta}.$$

Thus, the algorithm *Z* is effective for *As*,χ , *s* ∈ *Y* with positive probability. We complete the proof of Theorem 4.2.1.

#### **4.3 Properties of Rounding Function**

The public key of Regev's LWE cryptosystem is $A = \begin{pmatrix} \overline{A} \\ b' \end{pmatrix} \in \mathbb{Z}_q^{(n+1)\times m}$, where $\overline{A} \in \mathbb{Z}_q^{n\times m}$ is a uniformly random matrix and $b = (b_1, \ldots, b_m)' \in \mathbb{Z}_q^m$ is a uniform sample vector (see (4.1.2)). In this section we discuss the sampling technique for the public key $A$ based on the rounding function.

For $\forall x \in \mathbb{R}$, let $\{x\}$ be the fractional part of $x$ and $\lfloor x \rceil$ the closest integer to $x$, i.e.

$$\lfloor x \rceil = \begin{cases} x - \{x\}, \text{ if } 0 \leqslant \{x\} \leqslant \frac{1}{2},\\ x + 1 - \{x\}, \text{ if } \frac{1}{2} < \{x\} < 1. \end{cases} \tag{4.3.1}$$

In fact, $\lfloor x \rceil$ is the only integer satisfying

$$x = \lfloor x \rceil + r, \ -\frac{1}{2} < r \leqslant \frac{1}{2}, \ \text{where } r = \frac{1}{2} \Leftrightarrow \{x\} = \frac{1}{2}.\tag{4.3.2}$$

We call $\lfloor x \rceil$ the rounding function; its properties are summarized in the following two lemmas.

**Lemma 4.3.1** *(i) $\lfloor x+n \rceil = n+\lfloor x \rceil$, $n \in \mathbb{Z}$, $x \in \mathbb{R}$.*

*(ii) $\lfloor -x \rceil = \begin{cases} -\lfloor x \rceil, & \text{if } \{x\} \neq \frac{1}{2},\\ -1-\lfloor x \rceil, & \text{if } \{x\} = \frac{1}{2}. \end{cases}$*

*(iii) For any integers $a, b \in \mathbb{Z}$, $b \neq 0$, we have the division $a = \lfloor \frac{a}{b} \rceil b+r$, where $-\frac{b}{2} < r \leqslant \frac{b}{2}$.*

*(iv) $\lfloor x \rceil + \lfloor y \rceil - 1 \leqslant \lfloor x+y \rceil \leqslant \lfloor x \rceil + \lfloor y \rceil + 1$, $\forall x, y \in \mathbb{R}$.*

*(v) $\lfloor \frac{\lfloor x \rceil}{n} \rceil = \lfloor \frac{x}{n} \rceil$, $\forall n \in \mathbb{Z}$, $n \geqslant 1$, $x \in \mathbb{R}$.*

*Proof* By (4.3.2),

$$
\lfloor x+n \rceil = \lfloor \lfloor x \rceil + r + n \rceil = n + \lfloor x \rceil,
$$

so (i) holds. If $\{x\} \neq \frac{1}{2}$, then $r \neq \frac{1}{2}$ and $-\frac{1}{2} < r < \frac{1}{2}$, so we have

$$
\lfloor -x \rceil = \lfloor -\lfloor x \rceil - r \rceil = -\lfloor x \rceil.
$$

If $r = \frac{1}{2}$, then $\{x\} = \frac{1}{2}$, and $1 - r = \frac{1}{2}$, so that

$$
\lfloor -x \rceil = \lfloor -\lfloor x \rceil - 1 + 1 - r \rceil = -1 - \lfloor x \rceil,
$$

so we have (ii). Properties (iii) and (iv) can be proved similarly. To prove (v), let $x = \lfloor x \rceil + r$; then $-\frac{1}{2n} < \frac{r}{n} \leqslant \frac{1}{2n}$, and thus

$$\lfloor \frac{x}{n} \rceil = \lfloor \frac{\lfloor x \rceil}{n} + \frac{r}{n} \rceil = \lfloor \frac{\lfloor x \rceil}{n} \rceil.$$

Lemma 4.3.1 holds.
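The rounding function of (4.3.1)–(4.3.2) and properties (i)–(iii) of Lemma 4.3.1 can be verified directly. Note that the condition $r \leqslant \frac{1}{2}$ in (4.3.2) means a fractional part of exactly $\frac{1}{2}$ rounds down (the helper name `nearest` is our own):

```python
import math

def nearest(x):
    # The rounding function of (4.3.1): x = nearest(x) + r with -1/2 < r <= 1/2,
    # so a fractional part of exactly 1/2 rounds down.
    return math.ceil(x - 0.5)

# property (i): translation by any integer commutes with rounding
assert all(nearest(x + n) == n + nearest(x)
           for x in (0.3, 0.5, 0.7, -1.2) for n in (-3, 0, 5))

# property (ii): negation, with the tie {x} = 1/2 handled separately
assert nearest(-0.3) == -nearest(0.3)        # {x} != 1/2
assert nearest(-2.5) == -1 - nearest(2.5)    # {x} == 1/2

# property (iii): division with a centered remainder -b/2 < r <= b/2
a, b = 23, 7
r = a - nearest(a / b) * b
assert -b / 2 < r <= b / 2

print(nearest(2.5), nearest(-2.5), nearest(2.51))  # 2 -3 3
```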

**Definition 4.3.1** Let $t$ and $q$ be two positive integers. We define the function $f: \mathbb{Z} \rightarrow \mathbb{Z}$ by

$$f(a) = \lfloor \frac{q}{t} a \rceil, \ \forall a \in \mathbb{Z}. \tag{4.3.3}$$

**Lemma 4.3.2** *Let a*, *<sup>b</sup>* <sup>∈</sup> <sup>Z</sup>*, then*

$$a \equiv b \pmod{t} \Rightarrow f(a) \equiv f(b) \pmod{q} .$$

*Proof* Since *a* ≡ *b* (mod *t*), we write *a* = *st* + *b*, therefore

$$f(a) = \lfloor \frac{q}{t}(st + b) \rceil = \lfloor sq + \frac{q}{t}b \rceil = sq + \lfloor \frac{q}{t}b \rceil = sq + f(b).$$

So we have *f* (*a*) ≡ *f* (*b*) (mod *q*).

By the above lemma, $f$ induces a function from $\mathbb{Z}_t$ to $\mathbb{Z}_q$, and we can define its 'inverse function' $f^{-1}: \mathbb{Z}_q \rightarrow \mathbb{Z}_t$ as follows:

$$f^{-1}(b) = \lfloor \frac{tb}{q} \rceil, \ \forall b \in \mathbb{Z}_q. \tag{4.3.4}$$

**Lemma 4.3.3** *(i) If $t \leqslant q$, then $\forall a \in \mathbb{Z}$, we have*

$$f^{-1}f(a) = a.$$

*(ii) If $t > q$, and $a \in \mathbb{Z}_t$ is uniformly chosen at random, we have*

$$\Pr\{f^{-1}f(a)\neq a\} = 1 - \frac{q}{t}.\tag{4.3.5}$$

*Proof* We first prove (i). If *t* = *q*, then

$$f(a) = \lfloor \frac{q}{t} a \rceil = \lfloor a \rceil = a \Rightarrow f^{-1}f(a) = f^{-1}(a) = \lfloor \frac{t}{q} a \rceil = \lfloor a \rceil = a, \ \forall a \in \mathbb{Z}.$$

If $t < q$, then $\frac{q}{2t} > \frac{1}{2}$. Based on the definition of the rounding function,

$$
\frac{q}{t}a - \frac{1}{2} \leqslant \lfloor \frac{q}{t}a \rceil < \frac{q}{t}a + \frac{1}{2},
$$

it follows that

$$
\frac{q}{t}a - \frac{q}{2t} < \frac{q}{t}a - \frac{1}{2} \leqslant \lfloor \frac{q}{t}a \rceil < \frac{q}{t}a + \frac{1}{2} < \frac{q}{t}a + \frac{q}{2t}.
$$

So we can get

$$
\frac{q}{t}a - \frac{q}{2t} < \lfloor \frac{q}{t}a \rceil < \frac{q}{t}a + \frac{q}{2t},
$$

this is equivalent to

$$a - \frac{1}{2} < \frac{t}{q} \lfloor \frac{q}{t} a \rceil < a + \frac{1}{2},$$

$$-\frac{1}{2} < \frac{t}{q} \lfloor \frac{q}{t} a \rceil - a < \frac{1}{2}.$$

Thus,

$$\lfloor \frac{t}{q} \lfloor \frac{q}{t}a \rceil - a \rceil = 0 \Rightarrow \lfloor \frac{t}{q} \lfloor \frac{q}{t}a \rceil \rceil = a.$$

This means that

$$f^{-1}f(a) = a, \ \forall a \in \mathbb{Z}.$$

Next we prove (ii); at this time $q < t$. By Lemma 4.3.2, we only need to consider how many elements $a$ in $\mathbb{Z}_t$ satisfy $f^{-1}f(a) = a$. By (i), with the roles of $t$ and $q$ interchanged, we get

$$\lfloor \frac{q}{t} \lfloor \frac{t}{q}b \rceil \rceil = b, \ \forall b \in \mathbb{Z}_q.$$

This is equivalent to

$$f\left(\lfloor \frac{t}{q}b \rceil\right) = b, \ \forall b \in \mathbb{Z}_q.$$

So we have

$$f^{-1}f\left(\lfloor \frac{t}{q}b \rceil\right) = f^{-1}(b) = \lfloor \frac{t}{q}b \rceil, \ \forall b \in \mathbb{Z}_q.$$

Here $0, \lfloor \frac{t}{q} \rceil, \lfloor \frac{2t}{q} \rceil, \dots, \lfloor \frac{(q-1)t}{q} \rceil$ are distinct elements of $\mathbb{Z}_t$. Next we prove that the number of $a$ in $\mathbb{Z}_t$ satisfying $f^{-1}(f(a)) = a$ is no more than $q$. Let $A$ be the set of all elements of $\mathbb{Z}_t$ satisfying $f^{-1}(f(a)) = a$. For any $a_1, a_2 \in A$ with $a_1 \neq a_2$ in $\mathbb{Z}_t$, if $f(a_1) \equiv f(a_2) \pmod{q}$, i.e. $f(a_1) = f(a_2)$ in $\mathbb{Z}_q$, then $a_1 = f^{-1}(f(a_1)) = f^{-1}(f(a_2)) = a_2$, a contradiction. This means the cardinality of $A$ is no more than $q$. Altogether, it shows that $0, \lfloor \frac{t}{q} \rceil, \lfloor \frac{2t}{q} \rceil, \dots, \lfloor \frac{(q-1)t}{q} \rceil$ are exactly all the elements of $\mathbb{Z}_t$ such that $f^{-1}(f(a)) = a$. Since $a$ is uniformly chosen in $\mathbb{Z}_t$, we have

$$\Pr\{f^{-1}f(a)\neq a\} = 1 - \frac{q}{t}.$$

We complete the proof.
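
Lemma 4.3.3 can be checked exhaustively for small parameters. A sketch with our own helper `err_count`, which counts the $a \in \mathbb{Z}_t$ with $f^{-1}f(a) \neq a$; by (ii) this count should equal $t - q$ when $t > q$, and by (i) it should be $0$ when $t \leqslant q$:

```python
import math
from fractions import Fraction

def rnd(x):
    # nearest integer, exact halves rounding down
    return math.ceil(x - Fraction(1, 2))

def f(a, t, q):       # Z_t -> Z_q, f(a) = round(q*a/t) mod q
    return rnd(Fraction(q * a, t)) % q

def f_inv(b, t, q):   # Z_q -> Z_t, f^{-1}(b) = round(t*b/q) mod t
    return rnd(Fraction(t * b, q)) % t

def err_count(t, q):
    """Number of a in Z_t with f^{-1}(f(a)) != a."""
    return sum(1 for a in range(t) if f_inv(f(a, t, q), t, q) != a)
```

For instance, `err_count(10, 4)` returns `6` $= t - q$, so the error probability for uniform $a$ is $6/10 = 1 - q/t$, exactly as (4.3.5) states.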

In order to generalize the functions $f$ and $f^{-1}$ from one dimension to higher dimensions, we give the following definition.

**Definition 4.3.2** Let $t, q, l$ be positive integers. We define the function $F: \mathbb{Z}_t^l \rightarrow \mathbb{Z}_q^l$ as

$$F(a) = \left( \lfloor \frac{q}{t} a_1 \rceil, \lfloor \frac{q}{t} a_2 \rceil, \dots, \lfloor \frac{q}{t} a_l \rceil \right) \in \mathbb{Z}_q^l, \ \forall a = (a_1, a_2, \dots, a_l) \in \mathbb{Z}_t^l,\tag{4.3.6}$$

and the 'inverse function' $F^{-1}: \mathbb{Z}_q^l \rightarrow \mathbb{Z}_t^l$ as

$$F^{-1}(b) = \left( \lfloor \frac{t}{q} b_1 \rceil, \lfloor \frac{t}{q} b_2 \rceil, \dots, \lfloor \frac{t}{q} b_l \rceil \right) \in \mathbb{Z}_t^l, \ \forall b = (b_1, b_2, \dots, b_l) \in \mathbb{Z}_q^l. \tag{4.3.7}$$

**Lemma 4.3.4** *$\forall a = (a_1, a_2, \dots, a_l) \in \mathbb{Z}_t^l$, if $a$ is uniformly chosen at random and $a_1, a_2, \dots, a_l$ are mutually independent, we have*

$$\Pr\{F^{-1}F(a)\neq a\} = \max\left\{0, 1 - \left(\frac{q}{t}\right)^l\right\}.\tag{4.3.8}$$

*Proof* If $t \leqslant q$, from Lemma 4.3.3,

$$f^{-1}f(a_i) = a_i, \ \forall a_i \in \mathbb{Z}_t, \ \forall 1 \leqslant i \leqslant l.$$

So

$$F^{-1}F(a) = a, \ \forall a \in \mathbb{Z}_t^l.$$

$$\Pr\{F^{-1}F(a) \neq a\} = 0 = \max\left\{0, 1 - \left(\frac{q}{t}\right)^{l}\right\}.$$

If *t* > *q*, from Lemma 4.3.3,

$$\Pr\{f^{-1}f(a_i) = a_i\} = \frac{q}{t}, \ a_i \in \mathbb{Z}_t, \ \forall 1 \leqslant i \leqslant l.$$

Since $a_1, a_2, \dots, a_l$ are independent,

$$\Pr\{F^{-1}F(a) = a\} = \left(\frac{q}{t}\right)^l, \ a \in \mathbb{Z}_t^l.$$

$$\Pr\{F^{-1}F(a)\neq a\} = 1 - \left(\frac{q}{t}\right)^l = \max\{0, 1 - (\frac{q}{t})^l\}.$$

We finish the proof.
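
The coordinate-wise extension and the probability (4.3.8) can likewise be verified by enumeration over $\mathbb{Z}_t^l$. A sketch under our half-down rounding convention (function names are ours):

```python
import math
from fractions import Fraction
from itertools import product

def rnd(x):
    # nearest integer, exact halves rounding down
    return math.ceil(x - Fraction(1, 2))

def F(a, t, q):
    """Coordinate-wise map Z_t^l -> Z_q^l of (4.3.6)."""
    return tuple(rnd(Fraction(q * ai, t)) % q for ai in a)

def F_inv(b, t, q):
    """Coordinate-wise 'inverse' Z_q^l -> Z_t^l of (4.3.7)."""
    return tuple(rnd(Fraction(t * bi, q)) % t for bi in b)

def err_prob(t, q, l):
    """Exact Pr{F^{-1}F(a) != a} for a uniform on Z_t^l."""
    errs = sum(1 for a in product(range(t), repeat=l)
               if F_inv(F(a, t, q), t, q) != a)
    return Fraction(errs, t ** l)
```

With $t = 10$, $q = 4$, $l = 2$ this returns $21/25 = 1 - (q/t)^2$; with $t \leqslant q$ it returns $0$, as Lemma 4.3.4 predicts.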

#### **4.4 General LWE-Based Cryptosystem**

We introduced the LWE cryptosystem proposed by Regev in Sect. 4.1 and proved its security in Sect. 4.2. However, it can only encrypt a single bit of plaintext, so its efficiency is low. Based on the definition and properties of the rounding function given in Sect. 4.3, Regev presented a general LWE cryptosystem in 2009 (Regev, 2010), which can encrypt multiple bits of plaintext $v \in \mathbb{Z}_t^l$ with plaintext space of size $O(t^l)$ and improves the efficiency significantly. In this section, we first introduce the general LWE cryptosystem. Then we discuss the probability of decryption error for this cryptosystem and prove that it can be made sufficiently small with suitable parameters. This verifies the core result that the LWE cryptosystem can achieve high security.

Let $t, q, m, n, l, r$ be positive integers with $q > t$; the function $F$ and its 'inverse function' $F^{-1}$ are defined in Definition 4.3.2. The workflow of the general LWE cryptosystem is as follows:

(1) Selection of the private key $S$: $S \in \mathbb{Z}_q^{n \times l}$ is an $n \times l$ matrix chosen uniformly at random over $\mathbb{Z}_q$.

In the LWE cryptosystem introduced in Sect. 4.1, the private key is a randomly chosen $n$ dimensional vector $s \in \mathbb{Z}_q^n$. To encrypt the more general plaintext $v \in \mathbb{Z}_t^l$, we randomly select $l$ private keys $s_1, s_2, \dots, s_l \in \mathbb{Z}_q^n$ independently and form an $n \times l$ matrix $S = [s_1, s_2, \dots, s_l]$. This is the private key $S$ for the general LWE cryptosystem.

(2) Public key.

When the private key $S \in \mathbb{Z}_q^{n \times l}$ is fixed, in order to choose samples from the LWE distribution, we first select $m$ uniform $n$ dimensional vectors $a_1, a_2, \dots, a_m \in \mathbb{Z}_q^n$ and form a uniformly random matrix

$$A = [a_1, a_2, \dots, a_m]_{n \times m} \in \mathbb{Z}_q^{n \times m}.$$

Then we generate $m \times l$ noise samples $E = (E_{ij})_{m \times l}$ from the distribution $\overline{\psi}_\alpha$, where $\overline{\psi}_\alpha$ is defined by (4.4.1) and (3.3.13), i.e. $E_{ij} \in \mathbb{Z}_q$, $E_{ij} \leftarrow \overline{\psi}_\alpha$, $1 \leqslant i \leqslant m$, $1 \leqslant j \leqslant l$, and the $m \times l$ samples are mutually independent. Finally we get an $m \times l$ matrix $P$:

$$P = A^T S + E = \begin{pmatrix} \langle a_1, s_1 \rangle + E_{11} & \cdots & \langle a_1, s_l \rangle + E_{1l} \\ \vdots & \ddots & \vdots \\ \langle a_m, s_1 \rangle + E_{m1} & \cdots & \langle a_m, s_l \rangle + E_{ml} \end{pmatrix}_{m \times l}.$$

The public key of the LWE cryptosystem is $(A, P)$, which is similar to that in Sect. 4.1. Here we only change the public key from $b \in \mathbb{Z}_q^m$ to the $m \times l$ matrix $P \in \mathbb{Z}_q^{m \times l}$. If the uniformly random matrix $A$ is given and saved for all users of the LWE cryptosystem, then the true public key is the matrix $P$, and the public key and private key satisfy the following equation:

$$P - A^T S \equiv_{\overline{\psi}_\alpha} E \pmod{q}.$$

(3) Encryption.

To encrypt multiple bits of plaintext $v \in \mathbb{Z}_t^l$, let $a \in \{-r, -r+1, \dots, r\}^m$ be an $m$ dimensional vector with each entry selected uniformly in $\{-r, -r+1, \dots, r\}$, i.e. $a$ is uniformly distributed. The ciphertext $\binom{u}{c}$ is an $n + l$ dimensional vector, defined by

$$g_{A,P}(v) = \binom{u}{c}, \ u = Aa, \ c = P^T a + F(v),$$

where $F$ is defined in (4.3.6), and $g_{A,P}$ is called the encryption algorithm of the LWE cryptosystem.

(4) Decryption.

Given the ciphertext $(u, c)$ and the private key $S$, we compute $F^{-1}(c - S^T u)$ as the result of decryption. We have

$$\begin{aligned} F^{-1}(c - S^T u) &= F^{-1}(P^T a + F(v) - S^T u) \\ &= F^{-1}((A^T S + E)^T a + F(v) - S^T A a) \\ &= F^{-1}(E^T a + F(v)). \end{aligned}$$
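
The whole workflow (1)–(4) can be put together as a toy implementation. This is a sketch, not the textbook's parameter choice: we take a small instance with $q \gg t$ and noise entries in $\{-1, 0, 1\}$ (standing in for samples from $\overline{\psi}_\alpha$), so that $|E_i^T a| \leqslant mr$ stays below $\frac{q}{2t} - \frac{1}{2}$ and decryption always succeeds:

```python
import math
import random
from fractions import Fraction

n, m, l, t, q, r = 8, 20, 4, 2, 257, 1   # toy parameters; |E_i^T a| <= m*r = 20 < q/(2t) - 1/2

def rnd(x):
    # nearest integer, exact halves rounding down
    return math.ceil(x - Fraction(1, 2))

def scale(vec, src, dst):
    # coordinate-wise b -> round(dst*b/src) mod dst: F for (src, dst) = (t, q), F^{-1} for (q, t)
    return [rnd(Fraction(dst * b, src)) % dst for b in vec]

def keygen():
    S = [[random.randrange(q) for _ in range(l)] for _ in range(n)]        # private key, n x l
    A = [[random.randrange(q) for _ in range(m)] for _ in range(n)]        # shared matrix, n x m
    E = [[random.choice((-1, 0, 1)) for _ in range(l)] for _ in range(m)]  # small noise, m x l
    P = [[(sum(A[k][i] * S[k][j] for k in range(n)) + E[i][j]) % q         # P = A^T S + E mod q
          for j in range(l)] for i in range(m)]
    return S, (A, P)

def encrypt(pub, v):
    A, P = pub
    a = [random.randrange(-r, r + 1) for _ in range(m)]                    # uniform in {-r..r}^m
    u = [sum(A[i][k] * a[k] for k in range(m)) % q for i in range(n)]      # u = A a
    Fv = scale(v, t, q)                                                    # F(v)
    c = [(sum(P[k][j] * a[k] for k in range(m)) + Fv[j]) % q for j in range(l)]  # c = P^T a + F(v)
    return u, c

def decrypt(S, u, c):
    w = [(c[j] - sum(S[k][j] * u[k] for k in range(n))) % q for j in range(l)]   # = E^T a + F(v) mod q
    return scale(w, q, t)                                                  # F^{-1}
```

With these sizes the recovered plaintext equals the original for every $v \in \mathbb{Z}_2^4$, mirroring the derivation $F^{-1}(c - S^T u) = F^{-1}(E^T a + F(v)) = v$.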

Next we calculate the probability of decryption error for this cryptosystem, namely the probability that $F^{-1}(E^T a + F(v)) \neq v$. The following Theorem 4.4.1 gives an estimation for this probability, which is the main result of this section.

**Theorem 4.4.1** *Suppose q* > *t, we have the following inequality of the probability of decryption error*

$$\Pr\{F^{-1}(E^T a + F(v)) \neq v\} \leqslant 2l \left(1 - \Phi\left(\frac{q - t}{2\alpha t q} \sqrt{\frac{6\pi}{mr(r + 1)}}\right)\right). \tag{4.4.1}$$

*Here $\Phi$ is the cumulative distribution function of the standard normal distribution, i.e. $\Phi(x) = \int_{-\infty}^{x} \frac{1}{\sqrt{2\pi}} e^{-\frac{t^2}{2}} \mathrm{d}t$.*

*Proof* Denote $v = (v_1, v_2, \dots, v_l)$ and $E_{m \times l} = (E_1, E_2, \dots, E_l)$, where $E_1, E_2, \dots, E_l$ are all $m$ dimensional column vectors. Let $f^{-1}(E_i^T a + f(v_i))$ be the $i$th coordinate of $F^{-1}(E^T a + F(v))$, $1 \leqslant i \leqslant l$. According to the definition of the rounding function,

$$-\frac{1}{2} < \frac{q}{t}v_i - \lfloor \frac{q}{t}v_i \rceil \leqslant \frac{1}{2},$$

$$-\frac{t}{2q} \leqslant \frac{t}{q}\lfloor \frac{q}{t}v_i \rceil - v_i < \frac{t}{2q}.$$

So if $\left|\frac{t}{q} E_i^T a\right| < \frac{1}{2} - \frac{t}{2q}$, we get

$$\left| \frac{t}{q} E_i^T a + \frac{t}{q} \lfloor \frac{q}{t} v_i \rceil - v_i \right| < \frac{1}{2} - \frac{t}{2q} + \frac{t}{2q} = \frac{1}{2}.$$

It follows that

$$\lfloor \frac{t}{q} E_i^T a + \frac{t}{q} \lfloor \frac{q}{t} v_i \rceil - v_i \rceil = 0,$$

this means

$$\begin{aligned} \lfloor \frac{t}{q} E_i^T a + \frac{t}{q} \lfloor \frac{q}{t} v_i \rceil \rceil &= v_i, \\ f^{-1}\left(E_i^T a + f(v_i)\right) &= v_i, \end{aligned}$$

namely, if $\left|\frac{t}{q} E_i^T a\right| < \frac{1}{2} - \frac{t}{2q}$, we get $f^{-1}(E_i^T a + f(v_i)) = v_i$. Equivalently, if $f^{-1}\left(E_i^T a + f(v_i)\right) \neq v_i$, i.e. a decryption error occurs in the $i$th letter, then $\left|\frac{t}{q} E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}$. So the probability of decryption error in one letter is no more than the probability that $\left|\frac{t}{q} E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}$, i.e.

$$\Pr\left\{f^{-1}\left(E_i^T a + f(v_i)\right) \neq v_i\right\} \leqslant \Pr\left\{\left|\frac{t}{q}E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}\right\}.$$

Next we estimate the probability that $\left|\frac{t}{q} E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}$. Since each coordinate of $E_i$ is chosen independently from the Gaussian distribution with mean 0 and standard deviation $\alpha q / \sqrt{2\pi}$, and the sum of independent Gaussian variables is still a Gaussian variable, $E_i^T a$ is also a Gaussian variable. Let $a = (a_1, a_2, \dots, a_m)$, where each $a_i$ is chosen from $\{-r, -r+1, \dots, r\}$ uniformly at random; then

$$E(a_i) = \frac{-r + (-r+1) + \cdots + r}{2r+1} = 0,$$

$$\operatorname{Var}(a_i) = \frac{(-r)^2 + (-r+1)^2 + \cdots + r^2}{2r+1} = \frac{r(r+1)}{3},$$

$$E(E_i^T a) = 0,$$


$$\operatorname{Var}\left(E_i^T a\right) = \left(\frac{\alpha q}{\sqrt{2\pi}}\right)^2 \cdot \frac{r(r+1)}{3} m = \frac{\alpha^2 q^2 mr(r+1)}{6\pi}.$$

Therefore $E_i^T a$ is treated as a normal variable with mean 0 and standard deviation $\alpha q \sqrt{mr(r+1)}/\sqrt{6\pi}$. We have

$$\Pr\left\{ \left| \frac{t}{q} E_i^T a \right| \geqslant \frac{1}{2} - \frac{t}{2q} \right\} = \Pr\left\{ \left| E_i^T a \right| \geqslant \frac{q-t}{2t} \right\}$$

$$= \Pr\left\{ \left| E_i^T a \right| / \left( \alpha q \sqrt{\frac{mr(r+1)}{6\pi}} \right) \geqslant \frac{q-t}{2t} / \left(\alpha q \sqrt{\frac{mr(r+1)}{6\pi}}\right) \right\}$$

$$= \Pr\left\{ \left| E_i^T a \right| / \left( \alpha q \sqrt{\frac{mr(r+1)}{6\pi}} \right) \geqslant \frac{q-t}{2\alpha t q} \sqrt{\frac{6\pi}{mr(r+1)}} \right\}$$

$$= 2 \left( 1 - \Phi\left(\frac{q-t}{2\alpha t q} \sqrt{\frac{6\pi}{mr(r+1)}}\right) \right).$$

So we get the following inequality for the probability of decryption error of the LWE cryptosystem:

$$\Pr\{F^{-1}(E^T a + F(v)) \neq v\}$$

$$\leqslant l \Pr\left\{ f^{-1}\left(E_i^T a + f(v_i)\right) \neq v_i \right\}$$

$$\leqslant l \Pr\left\{ \left| \frac{t}{q} E_i^T a \right| \geqslant \frac{1}{2} - \frac{t}{2q} \right\}$$

$$= 2l \left( 1 - \Phi\left(\frac{q-t}{2\alpha tq} \sqrt{\frac{6\pi}{mr(r+1)}}\right) \right).$$

This upper bound can be made arbitrarily close to 0 if we choose $\alpha$ small enough. It means that the probability of decryption error for the LWE cryptosystem can be made very small with an appropriate setting of parameters.
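
To get a feel for the bound (4.4.1), it can be evaluated numerically; $\Phi$ is available through `math.erf`. The parameter values below are illustrative choices of ours, not from the text:

```python
import math

def Phi(x: float) -> float:
    """Standard normal CDF, Phi(x) = (1 + erf(x / sqrt(2))) / 2."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def error_bound(t, q, alpha, m, r, l):
    """Right-hand side of (4.4.1)."""
    x = (q - t) / (2 * alpha * t * q) * math.sqrt(6 * math.pi / (m * r * (r + 1)))
    return 2 * l * (1.0 - Phi(x))
```

For instance, with $t = 2$, $q = 2048$, $\alpha = 10^{-3}$, $m = 64$, $r = 1$ and $l = 128$, the argument of $\Phi$ is around 96 and the bound underflows to numerical zero, while enlarging $\alpha$ weakens the bound, reflecting the remark that small $\alpha$ drives the error probability toward 0.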

#### **4.5 Probability of Decryption Error for General Disturbance**

In this section we estimate the probability of decryption error for the LWE cryptosystem when the noise matrix $E = (E_{ij})_{m \times l}$ is chosen independently from a general common random variable, rather than the Gaussian distribution. We have the following theorem.

**Theorem 4.5.1** *Let $q > t$ and $E = (E_{ij})_{m \times l}$, where each element $E_{ij}$ is selected independently from a common random variable of mean 0 and standard deviation $\beta$. For any $\delta > 0$, we can find a positive integer $m$ such that the following inequality of the probability of decryption error holds:*

$$\Pr\{F^{-1}(E^T a + F(v)) \neq v\} \leqslant 2l \left(1 - \Phi\left(\frac{q - t}{2\beta t} \sqrt{\frac{3}{mr(r + 1)}}\right)\right) + l\delta. \tag{4.5.1}$$

*Here $\Phi$ is the cumulative distribution function of the standard normal distribution, i.e. $\Phi(x) = \int_{-\infty}^{x} \frac{1}{\sqrt{2\pi}} e^{-\frac{t^2}{2}} \mathrm{d}t$.*

*Proof* As in the proof of Theorem 4.4.1, we need to estimate the probability that $\left|\frac{t}{q} E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}$. The coordinates of $E_i$ are independent and identically distributed, and $E_i$ and $a$ are independent. By the central limit theorem (Riauba, 1975), $E_i^T a$ is approximately normally distributed with mean 0 and standard deviation $d = \sqrt{m \operatorname{Var}(E_{ij}) \operatorname{Var}(a_i)} = \beta\sqrt{\frac{mr(r+1)}{3}}$. Thus, for any sufficiently small $\delta > 0$, there is a positive integer $m$ such that

$$\Pr\left\{\left|\frac{t}{q}E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}\right\} = \Pr\left\{\left|E_i^T a\right| \geqslant \frac{q-t}{2t}\right\}$$

$$= \Pr\left\{\left|E_i^T a\right| / \left(\beta \sqrt{\frac{mr(r+1)}{3}}\right) \geqslant \frac{q-t}{2t} / \left(\beta \sqrt{\frac{mr(r+1)}{3}}\right)\right\}$$

$$= \Pr\left\{\left|E_i^T a\right| / \left(\beta \sqrt{\frac{mr(r+1)}{3}}\right) \geqslant \frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right\}$$

$$= 2\left(1 - \Phi\left(\frac{q-t}{2\beta t} \sqrt{\frac{3}{mr(r+1)}}\right)\right) + \varepsilon,$$

where $|\varepsilon| \leqslant \delta$. Then we get the following inequality for the probability of decryption error of the LWE cryptosystem for general disturbance:

$$\begin{aligned} \Pr\{F^{-1}(E^T a + F(v)) \neq v\} &\leqslant l \Pr\left\{f^{-1}\left(E_i^T a + f(v_i)\right) \neq v_i\right\} \\ &\leqslant l \Pr\left\{\left|\frac{t}{q}E_i^T a\right| \geqslant \frac{1}{2} - \frac{t}{2q}\right\} \end{aligned}$$

$$\begin{aligned} &= 2l\left(1-\Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right)+l\varepsilon \\ &\leqslant 2l\left(1-\Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right)+l\delta. \end{aligned}$$

This probability can also be made close to 0 if we choose $\beta\sqrt{m}$ and $\delta$ small enough. Therefore the probability of decryption error of the LWE cryptosystem for general disturbance can be made very small, which leads to high security.

**Example 4.5.1** Let $t = 2$, $q = 5$, $l = 1$, $m = 1$, $r = 1$, $\delta = 10^{-3}$, $\beta = 10^{-3}$, and let $v \in \mathbb{Z}_2$ be uniformly chosen at random. The disturbance $E$ is a random variable with the distribution $\psi_\beta$ such that $\Pr\{E = k\} = \frac{\beta^{|k|}}{2 \cdot |k|!} e^{-\beta}$ for nonzero integer $k$ and $\Pr\{E = 0\} = e^{-\beta}$, and $a \in \{-1, 0, 1\}$ is uniformly chosen at random. Then the probability of decryption error satisfies

$$\Pr\{F^{-1}(Ea + F(v)) \neq v\} = \Pr\left\{ \lfloor \frac{2}{5}\left(Ea + \lfloor \frac{5}{2}v \rceil\right) \rceil \neq v \right\}$$

$$= \frac{1}{2}\Pr\left\{ \lfloor \frac{2}{5}Ea \rceil \neq 0 \right\} + \frac{1}{2}\Pr\left\{ \lfloor \frac{2}{5}(Ea + 2) \rceil \neq 1 \right\}$$

$$\leqslant \frac{1}{2}\Pr\{E \neq 0\} + \frac{1}{2}\Pr\{E \neq 0\}$$

$$= 1 - \Pr\{E = 0\} = 1 - e^{-0.001} < 10^{-3}.$$

On the other hand,

$$2l\left(1-\Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right)+l\delta>10^{-3}.$$

So it follows that

$$\Pr\{F^{-1}(Ea+F(v)) \neq v\} < 2l\left(1 - \Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right) + l\delta,$$

The inequality in Theorem 4.5.1 holds.
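
The arithmetic in Example 4.5.1 can be reproduced numerically (our own check, with $\Phi$ computed via `math.erf`):

```python
import math

def Phi(x):
    # standard normal CDF
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

t, q, l, m, r = 2, 5, 1, 1, 1
delta = 1e-3
beta = 1e-3

# the example's bound on the error probability: 1 - Pr{E = 0} = 1 - e^(-beta)
exact_bound = 1.0 - math.exp(-beta)

# right-hand side of (4.5.1)
x = (q - t) / (2 * beta * t) * math.sqrt(3.0 / (m * r * (r + 1)))
rhs = 2 * l * (1.0 - Phi(x)) + l * delta
```

One finds $1 - e^{-0.001} \approx 9.995 \times 10^{-4} < 10^{-3} \leqslant$ `rhs`, so the inequality of Theorem 4.5.1 indeed holds for these parameters.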

**Example 4.5.2** Let $t = 2$, $q = 5$, $l = 1$, $m = 1$, $r = 1$, $\delta = 10^{-4}$, $\lambda = 0.05$, and let $v \in \mathbb{Z}_2$ be uniformly chosen at random. The disturbance $E$ is a Laplace random variable with probability density function $f(x) = \frac{1}{2\lambda}e^{-\frac{|x|}{\lambda}}$, rounded to the nearest integer, and $a \in \{-1, 0, 1\}$ is uniformly chosen at random. Similarly as in Example 4.5.1, the probability of decryption error satisfies

$$\begin{aligned} \Pr\{F^{-1}(Ea+F(v)) \neq v\} &= \Pr\left\{ \lfloor \frac{2}{5}\left(Ea + \lfloor \frac{5}{2}v \rceil\right) \rceil \neq v \right\} \\ &\leqslant 1 - \Pr\{E = 0\} = 1 - \int_{-\frac{1}{2}}^{\frac{1}{2}} \frac{1}{2\lambda} e^{-\frac{|x|}{\lambda}}\, \mathrm{d}x = e^{-10} < 10^{-4}. \end{aligned}$$

On the other hand,

$$2l\left(1-\Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right)+l\delta>10^{-4}.$$

We have

$$\Pr\{F^{-1}(Ea+F(v)) \neq v\} < 2l \left(1 - \Phi\left(\frac{q-t}{2\beta t}\sqrt{\frac{3}{mr(r+1)}}\right)\right) + l\delta,$$

The inequality in Theorem 4.5.1 holds.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 5 Cyclic Lattices and Ideal Lattices**

Cyclic lattices and ideal lattices were introduced by Micciancio (2002) and Lyubashevsky and Micciancio (2006), respectively; they play an efficient role in Ajtai's construction of a collision-resistant hash function and in Gentry's construction of fully homomorphic encryption (Gentry, 2009a). Let $R = \mathbb{Z}[x]/\langle \varphi(x) \rangle$ be a quotient ring of the ring of polynomials with integer coefficients. Lyubashevsky and Micciancio regarded an ideal lattice as the correspondence of an ideal of $R$, but they neither explained how to extend this definition to the whole Euclidean space $\mathbb{R}^n$, nor exhibited the relationship between cyclic lattices and ideal lattices. In this chapter, we regard cyclic lattices and ideal lattices as the correspondences of finitely generated $R$-modules, so that we may show that ideal lattices are actually a special subclass of cyclic lattices, namely cyclic integer lattices. It is worth noting that we use a more general rotation matrix here, so our definition and results on cyclic lattices and ideal lattices are in more general forms. As an application, we provide cyclic lattices with an explicit and countable upper bound for the smoothing parameter. Our results may be viewed as substantial progress in this direction.

#### **5.1 Some Basic Properties of Lattice**

At the beginning of Chap. 1, we introduced the definition of a lattice in $\mathbb{R}^n$. A lattice is actually a discrete additive subgroup of $\mathbb{R}^n$. In this section, we mainly give some properties of lattices that will be used later in this chapter.

**Lemma 5.1.1** *Let $L \subset \mathbb{R}^n$ be a lattice and $\alpha_1, \alpha_2, \dots, \alpha_m \in L$ be $m$ vectors of $L$. Then $\alpha_1, \alpha_2, \dots, \alpha_m$ are linearly independent over $\mathbb{R}$ if and only if they are linearly independent over $\mathbb{Z}$.*

*Proof* If $\alpha_1, \alpha_2, \dots, \alpha_m$ are linearly independent over $\mathbb{R}$, they are trivially linearly independent over $\mathbb{Z}$. Suppose that $\alpha_1, \alpha_2, \dots, \alpha_m$ are linearly independent over $\mathbb{Z}$; we consider an arbitrary linear combination over $\mathbb{R}$. Let

$$a_1\alpha_1 + a_2\alpha_2 + \cdots + a_m\alpha_m = 0.\tag{5.1.1}$$


© The Author(s) 2023

Z. Zheng et al., *Modern Cryptography Volume 2*, Financial Mathematics and Fintech, https://doi.org/10.1007/978-981-19-7644-5\_5

We should prove that (5.1.1) implies $a_1 = a_2 = \cdots = a_m = 0$, which means that $\alpha_1, \alpha_2, \dots, \alpha_m$ are linearly independent over $\mathbb{R}$.

By Minkowski's third theorem (see Theorem VII of Cassels (1963)), for any sufficiently large $N > 1$, there are a positive integer $q \geqslant 1$ and integers $p_1, p_2, \dots, p_m \in \mathbb{Z}$ such that

$$\max_{1 \leqslant i \leqslant m} |qa_i - p_i| < N^{-\frac{1}{m}}, \ 1 \leqslant q \leqslant N. \tag{5.1.2}$$

By (5.1.1), we have

$$\begin{aligned} |p_1\alpha_1 + p_2\alpha_2 + \cdots + p_m\alpha_m| &= |(qa_1 - p_1)\alpha_1 + (qa_2 - p_2)\alpha_2 + \cdots + (qa_m - p_m)\alpha_m| \\ &\leqslant mN^{-\frac{1}{m}} \max_{1 \leqslant i \leqslant m} |\alpha_i|. \end{aligned} \tag{5.1.3}$$

Let $\lambda$ be the minimum distance of $L$, and let $\epsilon > 0$ be any positive real number. We select $N$ such that

$$N > \max\left\{\left(\frac{m}{\epsilon}\right)^m, \left(\frac{m}{\lambda}\right)^m \max_{1 \leqslant i \leqslant m} |\alpha_i|^m\right\}.$$

It follows that $mN^{-\frac{1}{m}} < \epsilon$ and

$$mN^{-\frac{1}{m}}\max_{1\leqslant i\leqslant m}|\alpha_i| < \lambda.$$

By (5.1.3) we have

$$|p_1\alpha_1 + p_2\alpha_2 + \cdots + p_m\alpha_m| < \lambda.$$

Since $p_1\alpha_1 + p_2\alpha_2 + \cdots + p_m\alpha_m \in L$, we have $p_1\alpha_1 + p_2\alpha_2 + \cdots + p_m\alpha_m = 0$, and by the linear independence over $\mathbb{Z}$, $p_1 = p_2 = \cdots = p_m = 0$. By (5.1.2) we have $q|a_i| < N^{-\frac{1}{m}} < \frac{\epsilon}{m}$ for all $i$, $1 \leqslant i \leqslant m$. Since $\epsilon$ is an arbitrarily small positive number, we must have $a_1 = a_2 = \cdots = a_m = 0$. We complete the proof of the lemma.

Suppose that $B \in \mathbb{R}^{n \times m}$ is an $n \times m$ matrix with rank$(B) = m$, and let $B^T$ be the transpose of $B$. It is easy to verify that

$$\text{rank}(B^T B) = \text{rank}(B) = m \Rightarrow \det(B^T B) \neq 0,$$

which implies that $B^T B$ is an invertible square matrix of dimension $m \times m$. Since $B^T B$ is a positive definite symmetric matrix, there is an orthogonal matrix $P \in \mathbb{R}^{m \times m}$ such that

$$P^T B^T B P = \text{diag}\{\delta\_1, \delta\_2, \dots, \delta\_m\},\tag{5.1.4}$$

where $\delta_i > 0$ are the characteristic values of $B^T B$, and diag$\{\delta_1, \delta_2, \dots, \delta_m\}$ is the diagonal matrix of dimension $m \times m$.

**Lemma 5.1.2** *Suppose that $B \in \mathbb{R}^{n \times m}$ with rank$(B) = m$, let $\delta_1, \delta_2, \dots, \delta_m$ be the $m$ characteristic values of $B^T B$, and let $\lambda(L(B))$ be the minimum distance of the lattice $L(B)$; then we have*

$$\lambda(L(B)) = \min_{x \in \mathbb{Z}^m, \ x \neq 0} |Bx| \geqslant \sqrt{\delta},\tag{5.1.5}$$

*where* δ = min{δ1, δ2,...,δ*m*}*.*

*Proof* Let $A = B^T B$; by (5.1.4), there exists an orthogonal matrix $P \in \mathbb{R}^{m \times m}$ such that

$$P^\top A P = \text{diag}\{\delta\_1, \delta\_2, \dots, \delta\_m\}.$$

If $x \in \mathbb{Z}^m$, $x \neq 0$, we have

$$\begin{aligned} |Bx|^2 &= x^T A x = x^T P (P^T A P) P^T x \\ &= (P^T x)^T \text{diag}\{\delta\_1, \delta\_2, \dots, \delta\_m\} P^T x \\ &\ge \delta |P^T x|^2 = \delta |x|^2. \end{aligned}$$

Since $x \in \mathbb{Z}^m$ and $x \neq 0$, we have $|x|^2 \geqslant 1$; it follows that

$$\min_{x\in\mathbb{Z}^m,\ x\neq 0} |Bx| \geqslant \sqrt{\delta}.$$

We have Lemma 5.1.2 immediately.
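
For a small concrete matrix, the bound (5.1.5) can be checked directly: compute the smallest eigenvalue $\delta$ of $B^T B$ and compare $\sqrt{\delta}$ against a brute-force search for the shortest nonzero lattice vector. The matrix and the finite search box below are our own illustration; the box suffices here because $|Bx|$ grows with $|x|$:

```python
import math
from itertools import product

B = [[2, 1], [1, 2]]   # example basis, n = m = 2

# Gram matrix A = B^T B
A = [[sum(B[k][i] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

# eigenvalues of the symmetric 2x2 matrix [[a, b], [b, c]] via the quadratic formula
a, b, c = A[0][0], A[0][1], A[1][1]
disc = math.sqrt((a - c) ** 2 + 4 * b * b)
delta = (a + c - disc) / 2          # smallest eigenvalue

def norm_Bx(x):
    """Euclidean norm |Bx| for an integer coefficient vector x."""
    return math.sqrt(sum(sum(B[i][k] * x[k] for k in range(2)) ** 2 for i in range(2)))

# shortest nonzero lattice vector over a small box of integer coefficients
lam = min(norm_Bx(x) for x in product(range(-5, 6), repeat=2) if x != (0, 0))
```

Here $A = \begin{pmatrix} 5 & 4 \\ 4 & 5 \end{pmatrix}$, $\delta = 1$, and $\lambda(L(B)) = |B(1, -1)^T| = \sqrt{2} \geqslant \sqrt{\delta} = 1$, consistent with the lemma.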

Another application of Lemma 5.1.2 is to give a countable upper bound for the smoothing parameter in Sect. 5.4. A sublattice $N$ of $L$ means a discrete additive subgroup of $L$; the quotient group is written $L/N$, and the cardinality of $L/N$ is denoted by $|L/N|$.

**Lemma 5.1.3** *Let $L \subset \mathbb{R}^n$ be a lattice and $N \subset L$ be a sublattice. If rank$(N) = $ rank$(L)$, then the quotient group $L/N$ is a finite group.*

*Proof* Let rank$(L) = m$ and $L = L(B)$, where $B \in \mathbb{R}^{n \times m}$ with rank$(B) = m$. We define a mapping $\sigma$ from $L$ to $\mathbb{Z}^m$ by $\sigma(Bx) = x$. Clearly, $\sigma$ is an additive group isomorphism, $\sigma(N) \subset \mathbb{Z}^m$ is a full-rank lattice of $\mathbb{Z}^m$, and $L/N \cong \mathbb{Z}^m/\sigma(N)$. It is a well-known result that

$$|\mathbb{Z}^m/\sigma(N)| = \det(\sigma(N)),$$

It follows that

$$|L/N| = |\mathbb{Z}^m/\sigma(N)| = \det(\sigma(N)).$$

Lemma 5.1.3 follows.

Suppose that $L_1 \subset \mathbb{R}^n$ and $L_2 \subset \mathbb{R}^n$ are two lattices of $\mathbb{R}^n$; we define $L_1 + L_2 = \{a + b \mid a \in L_1, \ b \in L_2\}$. Obviously, $L_1 + L_2$ is an additive subgroup of $\mathbb{R}^n$, but generally speaking, $L_1 + L_2$ is not a lattice of $\mathbb{R}^n$.

**Lemma 5.1.4** *Let $L_1 \subset \mathbb{R}^n$, $L_2 \subset \mathbb{R}^n$ be two lattices of $\mathbb{R}^n$. If rank$(L_1 \cap L_2) = $ rank$(L_1)$ or rank$(L_1 \cap L_2) = $ rank$(L_2)$, then $L_1 + L_2$ is again a lattice of $\mathbb{R}^n$.*

*Proof* To prove that $L_1 + L_2$ is a lattice of $\mathbb{R}^n$, it is sufficient to prove that $L_1 + L_2$ is a discrete subgroup of $\mathbb{R}^n$. Suppose that rank$(L_1 \cap L_2) = $ rank$(L_1)$. For any $x \in L_1$, we define a distance function $\rho(x)$ by

$$\rho(x) = \inf\left\{|x - y| \,\Big|\, y \neq x, \ y \in L_2\right\}.$$

There are only finitely many vectors in $L_2 \cap N(x, \delta)$, where $N(x, \delta)$ is any ball of center $x$ with radius $\delta$. Therefore, we have

$$\rho(x) = \min\left\{|x - y| \,\Big|\, y \neq x, \ y \in L_2\right\} = \lambda_x > 0. \tag{5.1.6}$$

On the other hand, if $x_1 \in L_1$, $x_2 \in L_1$ and $x_1 - x_2 \in L_2$, then there is $y_0 \in L_2$ such that $x_1 = x_2 + y_0$, and we have $\rho(x_1) = \rho(x_2)$. It means that $\rho(x)$ is well defined over the quotient group $(L_1 + L_2)/L_2$. Because we have the following group isomorphism theorem

$$(L_1 + L_2)/L_2 \cong L_1/(L_1 \cap L_2),$$

by Lemma 5.1.3, it follows that

$$|(L_1 + L_2)/L_2| = |L_1/(L_1 \cap L_2)| < \infty.$$

In other words, $(L_1 + L_2)/L_2$ is also a finite group. Let $x_1, x_2, \dots, x_k$ be the representative elements of $(L_1 + L_2)/L_2$; we have

$$\min_{x\in L_1,\ y\in L_2,\ x\neq y} |x - y| = \min_{1 \leqslant i \leqslant k} \rho(x_i) \geqslant \min\{\lambda_{x_1}, \lambda_{x_2}, \dots, \lambda_{x_k}\} > 0.$$

Therefore, *L*<sub>1</sub> + *L*<sub>2</sub> is a discrete subgroup of ℝ<sup>*n*</sup>, and thus it is a lattice of ℝ<sup>*n*</sup>.

**Remark 5.1.1** The condition rank(*L*<sub>1</sub> ∩ *L*<sub>2</sub>) = rank(*L*<sub>1</sub>) or rank(*L*<sub>1</sub> ∩ *L*<sub>2</sub>) = rank(*L*<sub>2</sub>) in lemma 5.1.4 seems to be necessary. As a counterexample, consider the real line ℝ and let *L*<sub>1</sub> = ℤ and *L*<sub>2</sub> = √2ℤ. Then *L*<sub>1</sub> + *L*<sub>2</sub> = {*n* + √2*m* | *n* ∈ ℤ, *m* ∈ ℤ} is dense in ℝ by Dirichlet's theorem (see theorem I of Cassels (1963)), so *L*<sub>1</sub> + *L*<sub>2</sub> is not a discrete subgroup of ℝ and thus not a lattice in ℝ.
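The density phenomenon in the remark can be observed numerically. The following is a small illustrative sketch (our own code, not part of the text): it searches for the smallest positive value of |*n* + √2*m*| over growing ranges of *n*, *m* and watches it shrink toward 0.

```python
# Illustrative sketch: the subgroup Z + sqrt(2)Z of R is not discrete --
# combinations n + sqrt(2)*m come arbitrarily close to 0 without reaching it.
import math

def closest_to_zero(bound):
    """Smallest positive |n + sqrt(2)*m| over |n|, |m| <= bound."""
    best = float("inf")
    for n in range(-bound, bound + 1):
        for m in range(-bound, bound + 1):
            v = abs(n + math.sqrt(2) * m)
            if 0 < v < best:
                best = v
    return best

# The minimum shrinks as the search range grows, so no positive lower
# bound exists: the group is dense in R, hence not a lattice.
gaps = [closest_to_zero(b) for b in (1, 10, 100)]
```

The shrinking minima reflect the continued-fraction convergents of √2 (1/1, 7/5, 99/70, ...), exactly the rational approximations Dirichlet's theorem guarantees.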

As a direct consequence, we have the following generalized form of lemma 5.1.4.

**Lemma 5.1.5** *Let L*1, *L*2,..., *Lm be m lattices of* R*<sup>n</sup> and*

$$\text{rank}(L_1 \cap L_2 \cap \dots \cap L_m) = \text{rank}(L_j) \text{ for each } 1 \leqslant j \leqslant m.$$

*Then L*<sup>1</sup> <sup>+</sup> *<sup>L</sup>*<sup>2</sup> +···+ *Lm is a lattice of* <sup>R</sup>*n.*

*Proof* Without loss of generality, we assume that

$$\text{rank}(L\_1 \cap L\_2 \cap \dots \cap L\_m) = \text{rank}(L\_m).$$

Let *L*<sub>1</sub> + *L*<sub>2</sub> + ··· + *L*<sub>*m*−1</sub> = *L*′, which is a lattice of ℝ<sup>*n*</sup> by induction on *m*; then

$$(L' + L_m)/L' \cong L_m/(L' \cap L_m).$$

Since *L*<sub>1</sub> ∩ *L*<sub>2</sub> ∩ ··· ∩ *L*<sub>*m*</sub> ⊂ *L*′ ∩ *L*<sub>*m*</sub> ⊂ *L*<sub>*m*</sub>, we have rank(*L*′ ∩ *L*<sub>*m*</sub>) = rank(*L*<sub>*m*</sub>). By lemma 5.1.4, *L*′ + *L*<sub>*m*</sub> = *L*<sub>1</sub> + *L*<sub>2</sub> + ··· + *L*<sub>*m*</sub> is a lattice of ℝ<sup>*n*</sup>, and lemma 5.1.5 follows.

#### **5.2 Ideal Matrices**

In Chap. 3 we introduced the concept of a circulant matrix and some related properties. In this section, we generalize it to the general ideal matrix and present the properties of ideal matrices. Using the characteristic polynomial φ(*x*) as the modulus and the definition of the φ-convolutional product, we establish a ring isomorphism, a one-to-one correspondence, between polynomial quotient rings and *n*-dimensional vectors in ℝ<sup>*n*</sup>.

Let ℝ[*x*] and ℤ[*x*] be the polynomial rings over ℝ and ℤ in the variable *x*, respectively. Suppose that

$$\phi(\mathbf{x}) = \mathbf{x}^n - \phi\_{n-1}\mathbf{x}^{n-1} - \dots - \phi\_1\mathbf{x} - \phi\_0 \in \mathbb{Z}[\mathbf{x}], \ \phi\_0 \neq 0 \tag{5.2.1}$$

is a polynomial with integer coefficients which has no multiple roots in the complex number field ℂ. Let *w*<sub>1</sub>, *w*<sub>2</sub>, ..., *w*<sub>*n*</sub> be the *n* distinct roots of φ(*x*) in ℂ; the Vandermonde matrix *V*<sub>φ</sub> is defined by

$$V\_{\phi} = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ w\_1 & w\_2 & \cdots & w\_n \\ \vdots & \vdots & & \vdots \\ w\_1^{n-1} & w\_2^{n-1} & \cdots & w\_n^{n-1} \end{pmatrix}, \quad \det(V\_{\phi}) \neq 0. \tag{5.2.2}$$

According to the given polynomial φ(*x*), we define a rotation matrix *H* = *H*<sup>φ</sup> by

$$H = H_{\phi} = \begin{pmatrix} 0 & \cdots & 0 & \phi_0 \\ & & & \phi_1 \\ & I_{n-1} & & \vdots \\ & & & \phi_{n-1} \end{pmatrix}_{n \times n} \in \mathbb{Z}^{n \times n},\tag{5.2.3}$$

where *In*−<sup>1</sup> is the (*n* − 1) × (*n* − 1) unit matrix. Obviously, the characteristic polynomial of *H* is just φ(*x*). We use column notation for vectors in R*<sup>n</sup>*. Let {*e*0, *<sup>e</sup>*1,..., *en*−<sup>1</sup>} be the standard basis of <sup>R</sup>*<sup>n</sup>*, see (5.1.2) in Chap. 3.
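As an illustrative sketch (our own code; the helper name `rotation_matrix` is an assumption, not from the text), *H*<sub>φ</sub> can be assembled directly from the coefficients φ<sub>0</sub>, ..., φ<sub>*n*−1</sub>, and the claim that its characteristic polynomial is φ(*x*) can be checked numerically:

```python
# Sketch: build the rotation matrix H_phi of (5.2.3) and confirm that
# its characteristic polynomial is phi(x).
import numpy as np

def rotation_matrix(phi):
    """phi = [phi_0, ..., phi_{n-1}] for phi(x) = x^n - phi_{n-1}x^{n-1} - ... - phi_0."""
    n = len(phi)
    H = np.zeros((n, n))
    H[1:, :-1] = np.eye(n - 1)   # the I_{n-1} block
    H[:, -1] = phi               # last column carries phi_0, ..., phi_{n-1}
    return H

# Example: phi(x) = x^3 - x - 2, i.e. phi_0 = 2, phi_1 = 1, phi_2 = 0.
H = rotation_matrix([2.0, 1.0, 0.0])
# np.poly returns the monic characteristic polynomial, highest degree first:
# here [1, 0, -1, -2], i.e. x^3 - x - 2.
char_poly = np.poly(H)
```

This is just the companion matrix of φ(*x*) written in the column convention of (5.2.3).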

**Definition 5.2.1** For any *f* = (*f*<sub>0</sub>, *f*<sub>1</sub>, ..., *f*<sub>*n*−1</sub>)<sup>T</sup> ∈ ℝ<sup>*n*</sup>, the ideal matrix generated by the vector *f* is defined by

$$H^\*(f) = [f, Hf, H^2f, \dots, H^{n-1}f]\_{n \times n} \in \mathbb{R}^{n \times n},\tag{5.2.4}$$

which is a block matrix in terms of the columns *H*<sup>*k*</sup> *f* (0 ≤ *k* ≤ *n* − 1). Sometimes, *f* is called an input vector. In Chap. 3, we introduced the definition of a circulant matrix. It is easily seen that *H*<sup>∗</sup>(*f*) is a more general form of the classical circulant matrix and of the *r*-circulant matrix (Shi, 2018; Yasin and Taskara, 2013). In fact, if φ(*x*) = *x*<sup>*n*</sup> − 1, then *H*<sup>∗</sup>(*f*) is the ordinary circulant matrix generated by *f*; if φ(*x*) = *x*<sup>*n*</sup> − *r*, then *H*<sup>∗</sup>(*f*) is the *r*-circulant matrix.
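The column construction (5.2.4) can be carried out directly. A small illustrative sketch (our own code, with assumed helper names): for φ(*x*) = *x*<sup>4</sup> − 1 it reproduces the ordinary circulant matrix of *f*.

```python
# Sketch of Definition 5.2.1: assemble H*(f) column by column as
# [f, Hf, ..., H^{n-1}f]; for phi(x) = x^n - 1 this is the circulant of f.
import numpy as np

def rotation_matrix(phi):
    n = len(phi)
    H = np.zeros((n, n))
    H[1:, :-1] = np.eye(n - 1)
    H[:, -1] = phi
    return H

def ideal_matrix(phi, f):
    H = rotation_matrix(phi)
    cols, col = [], np.array(f, dtype=float)
    for _ in range(len(f)):
        cols.append(col)
        col = H @ col          # next column is H times the previous one
    return np.column_stack(cols)

# phi(x) = x^4 - 1  ->  H is the cyclic shift, H*(f) the circulant of f.
f = [1.0, 2.0, 3.0, 4.0]
M = ideal_matrix([1.0, 0.0, 0.0, 0.0], f)
```

Each column of `M` is a cyclic down-shift of the previous one, exactly the classical circulant pattern.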

By (5.2.4), it follows immediately that

$$H^\*(f+\mathbf{g}) = H^\*(f) + H^\*(\mathbf{g}),\tag{5.2.5}$$

and

$$H^\*(\lambda f) = \lambda H^\*(f), \ \forall \lambda \in \mathbb{R}.\tag{5.2.6}$$

In particular, for any *f* = (*f*<sub>0</sub>, ..., *f*<sub>*n*−1</sub>)<sup>T</sup> ∈ ℝ<sup>*n*</sup>, the ideal matrix *H*<sup>∗</sup>(*f*) generated by *f* can be written as

$$H^\*(f) = H^\*\left(\sum\_{i=0}^{n-1} f\_i e\_i\right) = \sum\_{i=0}^{n-1} f\_i H^\*(e\_i),$$

which means that any ideal matrix is the linear combination of ideal matrices generated by the standard basis vectors *ei* . It is easy to verify that

$$H^*(e_0) = I_n, \; H^*(e_k) = H^k, \; 1 \leq k \leq n - 1.$$

So the unit matrix *I*<sub>*n*</sub> and the rotation matrices *H*<sup>*k*</sup> (1 ≤ *k* ≤ *n* − 1) are all ideal matrices.

Moreover, *H*<sup>∗</sup>(*f*) = 0 is the zero matrix if and only if *f* = 0 is the zero vector; thus *H*<sup>∗</sup>(*f*) = *H*<sup>∗</sup>(*g*) if and only if *f* = *g*. Let *M*<sup>∗</sup> be the set of all ideal matrices, namely

$$M^\* = \{ H^\*(f) \mid f \in \mathbb{R}^n \}.\tag{5.2.7}$$

We may regard *H*<sup>∗</sup> as a mapping from ℝ<sup>*n*</sup> to *M*<sup>∗</sup>, which is a one-to-one correspondence. Next we show some basic properties of ideal matrices; more can be found in Zheng et al. (2022a).

**Lemma 5.2.1** *For any f* <sup>∈</sup> <sup>R</sup>*n, we have*

$$H \cdot H^\*(f) = H^\*(f) \cdot H. \tag{5.2.8}$$

*Proof* Since φ(*x*) = *x <sup>n</sup>* − φ*<sup>n</sup>*−<sup>1</sup>*x <sup>n</sup>*−<sup>1</sup> −···− φ1*x* − φ<sup>0</sup> is the characteristic polynomial of *H*, by Hamilton–Cayley theorem, we have

$$H^n = \phi\_0 I\_n + \phi\_1 H + \dots + \phi\_{n-1} H^{n-1}.$$

Let

$$b = \begin{pmatrix} \phi\_1 \\ \phi\_2 \\ \vdots \\ \phi\_{n-1} \end{pmatrix} \text{ and } H = \begin{pmatrix} 0 & \phi\_0 \\ I\_{n-1} & b \end{pmatrix}.$$

By (5.2.4) we have

$$\begin{aligned} H^*(f)H &= [f, Hf, \dots, H^{n-1}f] \begin{pmatrix} 0 & \phi_0 \\ I_{n-1} & b \end{pmatrix} \\ &= [Hf, H^2f, \dots, H^{n-1}f, \phi_0 f + \phi_1 Hf + \dots + \phi_{n-1}H^{n-1}f] \\ &= [Hf, H^2f, \dots, H^{n-1}f, H^n f] \\ &= H[f, Hf, \dots, H^{n-1}f] = H \cdot H^*(f). \end{aligned}$$

The lemma follows.

**Lemma 5.2.2** *For any f* = (*f*<sub>0</sub>, *f*<sub>1</sub>, ..., *f*<sub>*n*−1</sub>)<sup>T</sup> ∈ ℝ<sup>*n*</sup>*, we have*

$$H^\*(f) = f\_0 I\_n + f\_1 H + \dots + f\_{n-1} H^{n-1}.\tag{5.2.9}$$

*Proof* We use induction on *n*. If *n* = 1, the claim is trivial. Suppose it is true for *n*; we consider the case of *n* + 1. For this purpose, we write *H* = *H*<sub>*n*</sub>, and let *e*<sub>0</sub>, *e*<sub>1</sub>, ..., *e*<sub>*n*−1</sub> be the *n* standard unit column vectors of ℝ<sup>*n*</sup>, namely

$$e_0 = \begin{pmatrix} 1 \\ 0 \\ \vdots \\ 0 \end{pmatrix}, \ e_1 = \begin{pmatrix} 0 \\ 1 \\ \vdots \\ 0 \end{pmatrix}, \ \dots, \ e_{n-1} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 1 \end{pmatrix},$$

and

$$H_{n+1} = \begin{pmatrix} 0 & A_0 \\ e_0 & H_n \end{pmatrix},$$

where *A*<sub>0</sub> = (0, 0, ..., φ<sub>0</sub>) ∈ ℝ<sup>*n*</sup> is a row vector. For any *k*, 1 ≤ *k* ≤ *n* − 1, it is easy to check that

$$\begin{aligned} H\_n e\_{k-1} &= e\_k, \ H\_n^k e\_0 = e\_k \text{ and } H\_{n+1}^k = \begin{pmatrix} 0 & A\_0 H\_n^{k-1} \\ e\_{k-1} & H\_n^k \end{pmatrix} . \end{aligned}$$
 
Let *f* = (*f*<sub>0</sub>, *f*<sub>1</sub>, ..., *f*<sub>*n*</sub>)<sup>T</sup> ∈ ℝ<sup>*n*+1</sup>, and denote by *f*′ the vector

$$f' = \begin{pmatrix} f_1 \\ f_2 \\ \vdots \\ f_n \end{pmatrix} \in \mathbb{R}^n, \quad f = \begin{pmatrix} f_0 \\ f' \end{pmatrix}.$$

By the assumption of induction, we have

$$H\_n^\*(f') = [f', H\_n f', \dots, H\_n^{n-1} f'] = f\_1 I\_n + f\_2 H\_n + \dots + f\_n H\_n^{n-1},$$

it follows that

$$\begin{aligned} H\_{n+1}^\*(f) &= \left[ \binom{f\_0}{f'}, H\_{n+1} \binom{f\_0}{f'}, \dots, H\_{n+1}^n \binom{f\_0}{f'} \right] \\ &= f\_0 I\_n + f\_1 H\_{n+1} + \dots + f\_n H\_{n+1}^n. \end{aligned}$$

We complete the proof of lemma 5.2.2.
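The identity (5.2.9) can be checked numerically. A small illustrative sketch (our own code, not from the text), comparing the column construction of *H*<sup>∗</sup>(*f*) with the polynomial *f*<sub>0</sub>*I* + *f*<sub>1</sub>*H* + ··· + *f*<sub>*n*−1</sub>*H*<sup>*n*−1</sup>:

```python
# Numerical check of (5.2.9): the column-built H*(f) equals the
# polynomial f_0 I + f_1 H + ... + f_{n-1} H^{n-1} evaluated at H.
import numpy as np

def rotation_matrix(phi):
    n = len(phi)
    H = np.zeros((n, n))
    H[1:, :-1] = np.eye(n - 1)
    H[:, -1] = phi
    return H

phi = [2.0, 0.0, 1.0]           # phi(x) = x^3 - x^2 - 2
f = np.array([1.0, -1.0, 3.0])  # f(x) = 1 - x + 3x^2
H = rotation_matrix(phi)
n = len(f)

columns = np.column_stack([np.linalg.matrix_power(H, k) @ f for k in range(n)])
poly_in_H = sum(f[k] * np.linalg.matrix_power(H, k) for k in range(n))
```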

**Lemma 5.2.3** *Let f* (*x*) <sup>=</sup> *<sup>f</sup>*<sup>0</sup> <sup>+</sup> *<sup>f</sup>*1*<sup>x</sup>* +···+ *fn*−<sup>1</sup>*<sup>x</sup> <sup>n</sup>*−<sup>1</sup> <sup>∈</sup> <sup>R</sup>[*x*]*, then we have*

$$H^\*(f) = V\_\phi^{-1} \text{diag}\{f(w\_1), f(w\_2), \dots, f(w\_n)\} V\_\phi,\tag{5.2.10}$$


*where diag*{ *f* (w1), *f* (w2), ..., *f* (w*n*)} *is the diagonal matrix.*

*Proof* By theorem 3.2.5 of Davis (1994), for *H*, we have

$$H = V\_{\phi}^{-1} \text{diag}\{w\_1, w\_2, \dots, w\_n\} V\_{\phi},$$

By lemma 5.2.2, it follows that

$$H^\*(f) = V\_\phi^{-1} \text{diag}\left\{ f(w\_1), f(w\_2), \dots, f(w\_n) \right\} V\_\phi.$$
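Lemma 5.2.3 can also be verified numerically. The following is an illustrative sketch (our own code); note that here the Vandermonde factor *V* is taken with one root per row, the orientation under which the identity checks out in floating point (for φ(*x*) = *x*<sup>*n*</sup> − 1 the matrix is symmetric, so the two conventions agree):

```python
# Numerical check of (5.2.10): a Vandermonde matrix of the roots of
# phi(x) diagonalizes H*(f).
import numpy as np

phi = [2.0, 1.0, 0.0]                       # phi(x) = x^3 - x - 2
n = len(phi)
H = np.zeros((n, n)); H[1:, :-1] = np.eye(n - 1); H[:, -1] = phi

roots = np.roots([1.0, 0.0, -1.0, -2.0])    # w_1, w_2, w_3
V = np.vander(roots, increasing=True)       # row j is (1, w_j, w_j^2)

f = np.array([1.0, 2.0, 3.0])               # f(x) = 1 + 2x + 3x^2
Hf = np.column_stack([np.linalg.matrix_power(H, k) @ f for k in range(n)])
fw = f[0] + f[1] * roots + f[2] * roots**2  # f evaluated at the roots
reconstructed = np.linalg.inv(V) @ np.diag(fw) @ V
```

The reconstruction is complex-valued in intermediate steps but agrees with the real matrix *H*<sup>∗</sup>(*f*) up to rounding.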

Now, we summarize some basic properties for ideal matrix as follows.

**Lemma 5.2.4** *Suppose that* φ(*x*) ∈ ℤ[*x*] *is a polynomial which has no multiple roots in the complex number field* ℂ*, and let f* ∈ ℝ<sup>*n*</sup>*, g* ∈ ℝ<sup>*n*</sup> *be two column vectors. Then we have*

(i) *H*<sup>∗</sup>(*f*) · *H*<sup>∗</sup>(*g*) = *H*<sup>∗</sup>(*g*) · *H*<sup>∗</sup>(*f*);

(ii) *H*<sup>∗</sup>(*f*)*g* = *H*<sup>∗</sup>(*g*) *f*;

(iii) det(*H*<sup>∗</sup>(*f*)) = *f*(*w*<sub>1</sub>) *f*(*w*<sub>2</sub>) ··· *f*(*w*<sub>*n*</sub>);

(iv) *H*<sup>∗</sup>(*f*) *is an invertible matrix if and only if* (*f*(*x*), φ(*x*)) = 1 *in* ℝ[*x*]*.*

*Proof* (i) and (ii) follow from lemma 5.2.2 immediately; (iii) and (iv) follow from lemma 5.2.3.

In Sect. 3.1, we took the characteristic polynomial *x*<sup>*n*</sup> − 1 as the modulus and constructed a one-to-one correspondence between polynomial quotient rings and *n*-dimensional vectors. Now we generalize this to the case of a general characteristic polynomial φ(*x*) as the modulus. Let φ(*x*)ℝ[*x*] and φ(*x*)ℤ[*x*] be the principal ideals generated by φ(*x*) in ℝ[*x*] and ℤ[*x*], respectively; we denote the quotient rings *R* and *R̄* by

$$R = \mathbb{Z}[\boldsymbol{x}]/\phi(\boldsymbol{x})\mathbb{Z}[\boldsymbol{x}],\ \overline{R} = \mathbb{R}[\boldsymbol{x}]/\phi(\boldsymbol{x})\mathbb{R}[\boldsymbol{x}].\tag{5.2.11}$$

There is a one-to-one correspondence between *R* and R*<sup>n</sup>* given by

$$f(\mathbf{x}) = f\_0 + f\_1 \mathbf{x} + \dots + f\_{n-1} \mathbf{x}^{n-1} \in \overline{\mathbb{R}} \longleftrightarrow f = \begin{pmatrix} f\_0 \\ f\_1 \\ \vdots \\ f\_{n-1} \end{pmatrix} \in \mathbb{R}^n. \tag{5.2.12}$$

We denote this correspondence by *t*, that is

$$t(f(\mathbf{x})) = f, \ t^{-1}(f) = f(\mathbf{x}).\tag{5.2.13}$$

If we restrict *t* to the quotient ring *R*, then it gives a one-to-one correspondence between *R* and ℤ<sup>*n*</sup>. Next, we show that *t* is also a ring isomorphism.

**Definition 5.2.2** For any two column vectors *f* and *g* in ℝ<sup>*n*</sup>, we define the φ-convolutional product *f* ∗ *g* by

$$f \ast \mathbf{g} = H^\*(f)\mathbf{g}.\tag{5.2.14}$$


By lemma 5.2.4, it is easy to see that

$$f \ast \mathbf{g} = \mathbf{g} \ast f,\text{ and } H^\*(f \ast \mathbf{g}) = H^\*(f)H^\*(\mathbf{g}).$$

**Lemma 5.2.5** *For any two polynomials f* (*x*) *and g*(*x*) *in R, we have*

$$t(f(\mathbf{x})g(\mathbf{x})) = H^*(f)g = f * g.\tag{5.2.15}$$

*Proof* Let *g*(*x*) = *g*<sup>0</sup> + *g*1*x* +···+ *gn*−1*x <sup>n</sup>*−<sup>1</sup> ∈ *R*, then

$$\mathbf{x}g(\mathbf{x}) = \phi_0 g_{n-1} + (g_0 + \phi_1 g_{n-1})\mathbf{x} + \dots + (g_{n-2} + \phi_{n-1} g_{n-1})\mathbf{x}^{n-1},$$

it follows that

$$t(\mathbf{x}g(\mathbf{x})) = H t(g(\mathbf{x})) = Hg.\tag{5.2.16}$$

Hence, for any 0 ≤ *k* ≤ *n* − 1, we have

$$t\left(\mathbf{x}^k \mathbf{g}(\mathbf{x})\right) = H^k t\left(\mathbf{g}(\mathbf{x})\right) = H^k \mathbf{g},\ 0 \le k \le n-1.$$

Let *f* (*x*) = *f*<sup>0</sup> + *f*1*x* +···+ *fn*−1*x <sup>n</sup>*−<sup>1</sup> ∈ *R*, by lemma 5.2.2, we have

$$t(f(\mathbf{x})\mathbf{g}(\mathbf{x})) = \sum\_{i=0}^{n-1} f\_i t(\mathbf{x}^i \mathbf{g}(\mathbf{x})) = \sum\_{i=0}^{n-1} f\_i H^i \mathbf{g} = H^\*(f)\mathbf{g}.$$

The lemma follows.
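Lemma 5.2.5 says the φ-convolutional product realizes polynomial multiplication in the quotient ring. An illustrative sketch (our own code, with a hand-rolled reduction using *x*<sup>*n*</sup> = φ<sub>*n*−1</sub>*x*<sup>*n*−1</sup> + ··· + φ<sub>0</sub>):

```python
# Sketch of lemma 5.2.5: f * g = H*(f) g matches ordinary polynomial
# multiplication reduced modulo phi(x).
import numpy as np

phi = [2.0, 1.0, 0.0]   # phi(x) = x^3 - x - 2, so x^3 = 2 + x (mod phi)
n = len(phi)
H = np.zeros((n, n)); H[1:, :-1] = np.eye(n - 1); H[:, -1] = phi

def ideal_matrix(f):
    return np.column_stack([np.linalg.matrix_power(H, k) @ f for k in range(n)])

def poly_mul_mod(f, g):
    """Multiply f(x)g(x), then reduce with x^n = phi_{n-1}x^{n-1}+...+phi_0."""
    prod = np.convolve(f, g)           # coefficients, lowest degree first
    for d in range(len(prod) - 1, n - 1, -1):
        c = prod[d]; prod[d] = 0.0
        for i, p in enumerate(phi):    # replace x^d by x^{d-n} * (phi_0 + ...)
            prod[d - n + i] += c * p
    return prod[:n]

f = np.array([1.0, 2.0, 0.0])   # f(x) = 1 + 2x
g = np.array([0.0, 1.0, 1.0])   # g(x) = x + x^2
conv = ideal_matrix(f) @ g      # f * g via the ideal matrix
reduced = poly_mul_mod(f, g)    # f(x)g(x) mod phi(x)
```

Here (1 + 2*x*)(*x* + *x*<sup>2</sup>) = *x* + 3*x*<sup>2</sup> + 2*x*<sup>3</sup> ≡ 4 + 3*x* + 3*x*<sup>2</sup> (mod φ(*x*)), and both computations produce the coefficient vector (4, 3, 3).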

**Lemma 5.2.6** *Under* φ*-convolutional product,* R*<sup>n</sup> is a commutative ring with identity element e*<sup>0</sup> *and* <sup>Z</sup>*<sup>n</sup>* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup> is its subring. Moreover, we have the following ring isomorphisms*

$$
\overline{\mathcal{R}} \cong \mathbb{R}^n \cong M^\*, \; \mathcal{R} \cong \mathbb{Z}^n \cong M^\*\_{\mathbb{Z}},
$$

*where M*<sup>∗</sup> *is the set of all ideal matrices given by (5.2.7), and M*<sup>∗</sup> <sup>Z</sup> *is the set of all integer ideal matrices.*

*Proof* Let *f* (*x*) ∈ *R* and *g*(*x*) ∈ *R*, then

$$t(f(\mathbf{x}) + \mathbf{g}(\mathbf{x})) = f + \mathbf{g} = t(f(\mathbf{x})) + t(\mathbf{g}(\mathbf{x})),$$

and

$$t(f(\mathbf{x})\mathbf{g}(\mathbf{x})) = H^\*(f)\mathbf{g} = f \ast \mathbf{g} = t(f(\mathbf{x})) \ast t(\mathbf{g}(\mathbf{x})),$$

this means that *t* is a ring isomorphism. Since *f* ∗ *g* = *g* ∗ *f* and *e*<sub>0</sub> ∗ *g* = *H*<sup>∗</sup>(*e*<sub>0</sub>)*g* = *I*<sub>*n*</sub>*g* = *g*, ℝ<sup>*n*</sup> is a commutative ring with *e*<sub>0</sub> as the identity element. Noting that *H*<sup>∗</sup>(*f*) is an integer matrix if and only if *f* ∈ ℤ<sup>*n*</sup> is an integer vector, the isomorphism of subrings follows immediately.


According to property (iv) of lemma 5.2.4, *H*<sup>∗</sup>(*f*) is an invertible matrix whenever (*f*(*x*), φ(*x*)) = 1 in ℝ[*x*]. We now show that the inverse of an ideal matrix is again an ideal matrix.

**Lemma 5.2.7** *Let f* (*x*) <sup>∈</sup> *R and* ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> <sup>1</sup> *in* <sup>R</sup>[*x*]*, then*

$$(H^\*(f))^{-1} = H^\*(u),$$

*where u*(*x*) ∈ *R is the unique polynomial such that u*(*x*) *f* (*x*) ≡ 1 *(mod* φ(*x*)*).*

*Proof* By lemma 5.2.5, we have *u* ∗ *f* = *e*0, it follows that

$$H^*(u)H^*(f) = H^*(e_0) = I_n,$$

thus we have (*H*<sup>∗</sup>(*f*))<sup>−1</sup> = *H*<sup>∗</sup>(*u*). It is worth noting that if *H*<sup>∗</sup>(*f*) is an invertible integer matrix, then (*H*<sup>∗</sup>(*f*))<sup>−1</sup> is not an integer matrix in general.
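A numerical sketch of lemma 5.2.7 (our own illustrative code): since the first column of an ideal matrix *H*<sup>∗</sup>(*u*) is *u* itself, the generator of the inverse can be read off as (*H*<sup>∗</sup>(*f*))<sup>−1</sup>*e*<sub>0</sub>, and one checks that the inverse matrix is exactly *H*<sup>∗</sup>(*u*):

```python
# Sketch of lemma 5.2.7: when (f(x), phi(x)) = 1, the inverse of H*(f)
# is itself an ideal matrix, generated by u = (H*(f))^{-1} e_0, the
# coefficient vector of u(x) with u(x) f(x) = 1 (mod phi(x)).
import numpy as np

phi = [2.0, 1.0, 0.0]   # phi(x) = x^3 - x - 2
n = len(phi)
H = np.zeros((n, n)); H[1:, :-1] = np.eye(n - 1); H[:, -1] = phi

def ideal_matrix(f):
    return np.column_stack([np.linalg.matrix_power(H, k) @ f for k in range(n)])

f = np.array([1.0, 2.0, 0.0])             # f(x) = 1 + 2x, coprime to phi(x)
M = ideal_matrix(f)
u = np.linalg.solve(M, np.eye(n)[:, 0])   # solves f * u = e_0
inverse_is_ideal = np.allclose(ideal_matrix(u), np.linalg.inv(M))
```

Note that `u` is not an integer vector even though `M` is an integer matrix, matching the remark above.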

Sometimes the following lemma may be useful, especially when we consider integer matrices.

**Lemma 5.2.8** *Let f* (*x*) <sup>∈</sup> <sup>Z</sup>[*x*] *and* ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> <sup>1</sup> *in* <sup>Z</sup>[*x*]*, then we have* ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> <sup>1</sup> *in* <sup>R</sup>[*x*]*.*

*Proof* Let <sup>Q</sup> be the rational number field. Since ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> 1 in <sup>Z</sup>[*x*], then ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> 1 in <sup>Q</sup>[*x*]. We know that <sup>Q</sup>[*x*] is a principal ideal domain, thus there are two polynomials *<sup>a</sup>*(*x*) and *<sup>b</sup>*(*x*) in <sup>Q</sup>[*x*] such that

$$a(\mathbf{x})f(\mathbf{x}) + b(\mathbf{x})\phi(\mathbf{x}) = 1.$$

This means that ( *<sup>f</sup>* (*x*), φ(*x*)) <sup>=</sup> 1 in <sup>R</sup>[*x*].

#### **5.3** *φ***-Cyclic Lattice**

As we know, cyclic codes play a central role in algebraic coding theory (see Chap. 6 of Lint (1999)). In Zheng et al. (2022a), we extended ordinary cyclic codes to more general forms, namely φ-cyclic codes, which will be introduced in Chap. 7. To obtain an analogous concept of φ-cyclic codes in ℝ<sup>*n*</sup>, we note that every rotation matrix *H* defines a linear transformation of ℝ<sup>*n*</sup> by *x* → *Hx*.

**Definition 5.3.1** *H* is the rotation matrix defined in (5.2.3). A linear subspace *C* ⊂ <sup>R</sup>*<sup>n</sup>* is called a <sup>φ</sup>-cyclic subspace if <sup>∀</sup><sup>α</sup> <sup>∈</sup> *<sup>C</sup>* <sup>⇒</sup> *<sup>H</sup>*<sup>α</sup> <sup>∈</sup> *<sup>C</sup>*. A lattice *<sup>L</sup>* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup>* is called a φ-cyclic lattice if ∀α ∈ *L* ⇒ *H*α ∈ *L*.

In other words, a φ-cyclic subspace *C* is a linear subspace of ℝ<sup>*n*</sup> which

is closed under the linear transformation *H*. A φ-cyclic lattice *L* is a lattice of ℝ<sup>*n*</sup> which is closed under *H*. If φ(*x*) = *x*<sup>*n*</sup> − 1, then *H* is the classical circulant matrix, and the corresponding cyclic lattices first appeared in Micciancio (2002), but further properties of these lattices were not discussed there. To obtain the explicit algebraic construction of φ-cyclic lattices, we first show that there is a one-to-one correspondence between the φ-cyclic subspaces of ℝ<sup>*n*</sup> and the ideals of *R̄*.

**Lemma 5.3.1** *Let t be the correspondence between R̄ and* ℝ<sup>*n*</sup> *given by (5.2.13). Then a subset C* ⊂ ℝ<sup>*n*</sup> *is a* φ*-cyclic subspace of* ℝ<sup>*n*</sup> *if and only if t*<sup>−1</sup>(*C*) ⊂ *R̄ is an ideal.*

*Proof* We extend the correspondence *t* to subsets of *R̄* and ℝ<sup>*n*</sup> by

$$C(\mathbf{x}) \subset \overline{R} \xrightarrow{t} C = \{ c \mid c(\mathbf{x}) \in C(\mathbf{x}) \} \subset \mathbb{R}^n. \tag{5.3.1}$$

Let *C*(*x*) ⊂ *R̄* be an ideal; it is clear that *C* = *t*(*C*(*x*)) is a linear subspace of ℝ<sup>*n*</sup>. To prove *C* is a φ-cyclic subspace, we note that if *c*(*x*) ∈ *C*(*x*), then by (5.2.16)

$$\mathbf{x}c(\mathbf{x}) \in C(\mathbf{x}) \Rightarrow H t(c(\mathbf{x})) = Hc \in C.$$

Therefore, if *C*(*x*) is an ideal of *R̄*, then *t*(*C*(*x*)) = *C* is a φ-cyclic subspace of ℝ<sup>*n*</sup>. Conversely, if *C* ⊂ ℝ<sup>*n*</sup> is a φ-cyclic subspace, then for any *k* ≥ 1, we have *H*<sup>*k*</sup>*c* ∈ *C* whenever *c* ∈ *C*, which implies

$$\forall c(\mathbf{x}) \in C(\mathbf{x}) \Rightarrow \mathbf{x}^k c(\mathbf{x}) \in C(\mathbf{x}), \ 0 \leq k \leq n-1,$$

which means that *C*(*x*) is an ideal of *R*. We complete the proof.

By the above lemma, to find a φ-cyclic subspace of ℝ<sup>*n*</sup>, it is enough to find an ideal of *R̄*. There are two trivial ideals *C*(*x*) = 0 and *C*(*x*) = *R̄*; the corresponding φ-cyclic subspaces are *C* = 0 and *C* = ℝ<sup>*n*</sup>. To find non-trivial φ-cyclic subspaces, we make use of the homomorphism theorems, a standard technique in algebra. Let π be the natural homomorphism from ℝ[*x*] to *R̄*, with kerπ = φ(*x*)ℝ[*x*]. We write φ(*x*)ℝ[*x*] as < φ(*x*) >. Let *N* be an ideal of ℝ[*x*] satisfying

$$<\phi(\mathbf{x}) > \subset N \subset \mathbb{R}[\mathbf{x}] \xrightarrow{\pi} \overline{R} = \mathbb{R}[\mathbf{x}]/<\phi(\mathbf{x})>. \tag{5.3.2}$$

Since ℝ[*x*] is a principal ideal domain, *N* = < *g*(*x*) > is a principal ideal generated by a monic polynomial *g*(*x*) ∈ ℝ[*x*]. It is easy to see that

$$<\phi(\mathbf{x})> \subset <g(\mathbf{x})> \Longleftrightarrow g(\mathbf{x}) \mid \phi(\mathbf{x}) \text{ in } \mathbb{R}[\mathbf{x}].$$

It follows that all ideals *N* satisfying (5.3.2) are given by

$$\{<g(\mathbf{x})> \mid g(\mathbf{x}) \in \mathbb{R}[\mathbf{x}] \text{ is monic and } g(\mathbf{x}) \mid \phi(\mathbf{x})\}.$$

We write by < *g*(*x*) > mod φ(*x*) the image of < *g*(*x*) > under π, i.e.

$$<g(\mathbf{x})> \bmod \phi(\mathbf{x}) = \pi(<g(\mathbf{x})>).$$

It is easy to check

$$<\mathbf{g}(\mathbf{x}) > \text{mod }\phi(\mathbf{x}) = \{a(\mathbf{x})\mathbf{g}(\mathbf{x}) \mid a(\mathbf{x}) \in \mathbb{R}[\mathbf{x}] \text{ and } \deg a(\mathbf{x}) + \deg \mathbf{g}(\mathbf{x}) < n\}. \tag{5.3.3}$$

more precisely, the right-hand side is a set of representative elements of < *g*(*x*) > mod φ(*x*). By the homomorphism theorem in ring theory, all ideals of *R̄* are given by

$$\{<\mathbf{g}(\mathbf{x})>\bmod\phi(\mathbf{x})\mid\mathbf{g}(\mathbf{x})\in\mathbb{R}[\mathbf{x}]\text{ is monic and }\mathbf{g}(\mathbf{x})|\phi(\mathbf{x})\}.\tag{5.3.4}$$

Let *d* be the number of monic divisors of φ(*x*) in ℝ[*x*]; we have the following lemma.

**Lemma 5.3.2** *The number of* φ*-cyclic subspaces of* ℝ<sup>*n*</sup> *is d.*

*Proof* By lemma 5.3.1, the correspondence between the φ-cyclic subspaces of ℝ<sup>*n*</sup> and the ideals of *R̄* is one-to-one. Based on (5.3.4), the number of ideals of *R̄* is equal to the number of monic divisors of φ(*x*) in ℝ[*x*], i.e. *d*. So the number of φ-cyclic subspaces of ℝ<sup>*n*</sup> is *d*.

Next, we discuss φ-cyclic lattices, which are the geometric analogy of cyclic codes; the φ-cyclic subspaces of ℝ<sup>*n*</sup> may be regarded as the algebraic analogy of cyclic codes. Let the quotient rings *R* and *R̄* be given by (5.2.11). An *R*-module is an abelian group Λ such that there is an operation λα ∈ Λ for all λ ∈ *R* and α ∈ Λ, satisfying 1 · α = α and (λ<sub>1</sub>λ<sub>2</sub>)α = λ<sub>1</sub>(λ<sub>2</sub>α). It is easy to see that *R* is an *R*-module; if Λ ⊂ *R* and Λ is an *R*-module, then Λ is called an *R*-submodule of *R*. All *R*-modules we discuss here are *R*-submodules of *R*. On the other hand, if *I* ⊂ *R*, then *I* is an ideal of *R* if and only if *I* is an *R*-module. Let α ∈ *R*; the cyclic *R*-module generated by α is defined by

$$R\alpha = \{\lambda\alpha \mid \lambda \in R\}.\tag{5.3.5}$$

If there are finitely many polynomials α1, α2,...,α*<sup>k</sup>* in *R* such that

$$
\Lambda = R\alpha\_1 + R\alpha\_2 + \dots + R\alpha\_k,
$$

then Λ is called a finitely generated *R*-module, which is an *R*-submodule of *R*.

Now suppose *L* ⊂ ℝ<sup>*n*</sup> is a φ-cyclic lattice, *g* ∈ ℝ<sup>*n*</sup>, *H*<sup>∗</sup>(*g*) is the ideal matrix generated by the vector *g*, and *L*(*H*<sup>∗</sup>(*g*)) is the lattice generated by the columns of *H*<sup>∗</sup>(*g*). In the following lemma, we prove that any *L*(*H*<sup>∗</sup>(*g*)) is a φ-cyclic lattice and

$$g \in L \Rightarrow L(H^*(g)) \subset L,\tag{5.3.6}$$

which implies that *L*(*H*<sup>∗</sup>(*g*)) is the smallest φ-cyclic lattice containing the vector *g*. Therefore, we call *L*(*H*<sup>∗</sup>(*g*)) a minimal φ-cyclic lattice in ℝ<sup>*n*</sup>.

**Lemma 5.3.3** *For any vector g* ∈ ℝ<sup>*n*</sup>*, L*(*H*<sup>∗</sup>(*g*)) *is a* φ*-cyclic lattice. Moreover, if L* ⊂ ℝ<sup>*n*</sup> *is a* φ*-cyclic lattice and g* ∈ *L, then we have L*(*H*<sup>∗</sup>(*g*)) ⊂ *L.*

*Proof* Let α ∈ *L*(*H*<sup>∗</sup>(*g*)); then there is an integer vector *b* ∈ ℤ<sup>*n*</sup> such that α = *H*<sup>∗</sup>(*g*)*b*. By lemma 5.2.2, we have

$$\alpha = \mathbf{g}\_0 I\_n b + \mathbf{g}\_1 H b + \dots + \mathbf{g}\_{n-1} H^{n-1} b$$

and

$$H\alpha = (g_0 I_n + g_1 H + \dots + g_{n-1} H^{n-1}) Hb = H^*(g) Hb.$$

Since *Hb* ∈ ℤ<sup>*n*</sup>, it follows that *H*α ∈ *L*(*H*<sup>∗</sup>(*g*)). This means that *L*(*H*<sup>∗</sup>(*g*)) is a φ-cyclic lattice. If *L* is a φ-cyclic lattice and *g* ∈ *L*, then *H*<sup>*k*</sup>*g* ∈ *L* for 0 ≤ *k* ≤ *n* − 1, and

$$b\_0 I\_n g + b\_1 H g + \dots + b\_{n-1} H^{n-1} g \in L, \text{ for all } b = \begin{pmatrix} b\_0 \\ b\_1 \\ \vdots \\ b\_{n-1} \end{pmatrix} \in \mathbb{Z}^n.$$

It follows that

$$H^\*(b)g = H^\*(\mathbf{g})b \in L, \ b \in \mathbb{Z}^n.$$

Thus we have *L*(*H*∗(*g*)) ⊂ *L*, and lemma 5.3.3 holds.
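The closure argument can be observed numerically: *H*(*H*<sup>∗</sup>(*g*)*b*) = *H*<sup>∗</sup>(*g*)(*Hb*), and *Hb* is again an integer vector. An illustrative sketch (our own code, not from the text):

```python
# Sketch of lemma 5.3.3: L(H*(g)) is closed under H, since H maps a
# lattice point H*(g) b to H*(g) (H b), with H b integral again.
import numpy as np

phi = [2.0, 1.0, 0.0]   # phi(x) = x^3 - x - 2
n = len(phi)
H = np.zeros((n, n)); H[1:, :-1] = np.eye(n - 1); H[:, -1] = phi
g = np.array([1.0, 0.0, 1.0])
B = np.column_stack([np.linalg.matrix_power(H, k) @ g for k in range(n)])  # basis of L(H*(g))

rng = np.random.default_rng(0)
b = rng.integers(-5, 6, size=n).astype(float)  # a random lattice point H*(g) b
alpha = B @ b
coords = np.linalg.solve(B, H @ alpha)   # coordinates of H*alpha in the basis B
is_integral = np.allclose(coords, np.round(coords))
```

Here `coords` recovers *Hb*, confirming that *H*α stays inside the lattice spanned by the columns of *H*<sup>∗</sup>(*g*).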

**Lemma 5.3.4** *There is a one-to-one correspondence between the minimal* φ*-cyclic lattice in* R*<sup>n</sup> and the cyclic R-submodule in R, namely*

$$t(Rg(\mathbf{x})) = L(H^*(g)), \text{ for all } g(\mathbf{x}) \in R$$

*and*

$$t^{-1}(L(H^*(g))) = Rg(\mathbf{x}), \text{ for all } g \in \mathbb{R}^n.$$

*Proof* Let *b*(*x*) ∈ *R*, by lemma 5.2.5, we have

$$t(b(\mathbf{x})\mathbf{g}(\mathbf{x})) = H^\*(b)\mathbf{g} = H^\*(\mathbf{g})b \in L(H^\*(\mathbf{g})),$$

and *t*(*Rg*(*x*)) ⊂ *L*(*H*∗(*g*)). Conversely, if α ∈ *L*(*H*∗(*g*)), and α = *H*∗(*g*)*b* for some integer vector *b*, by lemma 5.2.5 again, we have *b*(*x*)*g*(*x*) ∈ *Rg*(*x*), and *t*(*b*(*x*)*g*(*x*)) = α. This implies that

$$L(H^*(g)) \subset t(Rg(\mathbf{x})),$$

and

$$t(\mathcal{R}g(\mathbf{x})) = L(H^\*(\mathbf{g})).$$

The lemma follows immediately.

Suppose *L* = *L*(β<sub>1</sub>, β<sub>2</sub>, ..., β<sub>*m*</sub>) is an arbitrary φ-cyclic lattice, where *B* = [β<sub>1</sub>, β<sub>2</sub>, ..., β<sub>*m*</sub>]<sub>*n*×*m*</sub> is the generator matrix of *L*. Then *L* may be expressed as the sum of finitely many minimal φ-cyclic lattices; in fact, we have

$$L = L(H^\*(\beta\_1)) + L(H^\*(\beta\_2)) + \dots + L(H^\*(\beta\_m)).\tag{5.3.7}$$

To state and prove our main results, we first give the definition of a prime spot in ℝ<sup>*n*</sup>.

**Definition 5.3.2** Let *g* ∈ ℝ<sup>*n*</sup> and *g*(*x*) = *t*<sup>−1</sup>(*g*) ∈ *R̄*. If (*g*(*x*), φ(*x*)) = 1 in ℝ[*x*], we call *g* a prime spot of ℝ<sup>*n*</sup>.

By (iv) of lemma 5.2.4, *<sup>g</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>* is a prime spot if and only if *<sup>H</sup>*∗(*g*) is an invertible matrix, thus the minimal φ-cyclic lattice *L*(*H*∗(*g*)) generated by a prime spot is a full-rank lattice.

**Lemma 5.3.5** *Let g and f be two prime spots of* <sup>R</sup>*n, then L*(*H*∗(*g*)) <sup>+</sup> *<sup>L</sup>*(*H*∗( *<sup>f</sup>* )) *is a full-rank* φ*-cyclic lattice.*

*Proof* According to lemma 5.1.4, it is sufficient to show that

$$\text{rank}\{L(H^\*(\mathcal{g})) \cap L(H^\*(f))\} = \text{rank}\{L(H^\*(\mathcal{g}))\} = n. \tag{5.3.8}$$

In fact, we prove the more general inclusion

$$L(H^\*(\mathcal{g}) \cdot H^\*(f)) \subset L(H^\*(\mathcal{g})) \cap L(H^\*(f)).\tag{5.3.9}$$

If (5.3.9) holds, then since *H*<sup>∗</sup>(*g*) · *H*<sup>∗</sup>(*f*) is an invertible matrix, we have

$$\text{rank } L(H^*(g) \cdot H^*(f)) = n,$$

and (5.3.8) holds. To prove (5.3.9), we note that

$$L(H^*(g) \cdot H^*(f)) = L(H^*(g * f)).$$

It follows that

$$t^{-1}\left(L(H^*(g) \cdot H^*(f))\right) = Rg(\mathbf{x})f(\mathbf{x}).$$

It is easy to see that

$$
\mathcal{R}\mathbf{g}(\mathbf{x})f(\mathbf{x}) \subset \mathcal{R}\mathbf{g}(\mathbf{x}) \cap \mathcal{R}f(\mathbf{x})\,.
$$

Therefore, we have

$$L(H^\*(\mathcal{g}) \cdot H^\*(f)) = t(R\mathfrak{g}(\mathfrak{x})f(\mathfrak{x})) \subset L(H^\*(\mathcal{g})) \cap L(H^\*(f)).$$

This is the proof of lemma 5.3.5.

It is worth noting that (5.3.9) holds in more general cases and does not need the condition of prime spots. We have the following lemma.

**Lemma 5.3.6** *Let* β1, β2,...,β*<sup>m</sup> be arbitrary m vectors in* R*n, then we have*

$$L(H^\*(\beta\_1)H^\*(\beta\_2)\cdots H^\*(\beta\_m)) \subset L(H^\*(\beta\_1)) \cap L(H^\*(\beta\_2)) \cap \cdots \cap L(H^\*(\beta\_m)).\tag{5.3.10}$$

*Proof* If β1, β2,...,β*<sup>m</sup>* are integer vectors, then (5.3.10) is trivial. For the general case, we write

$$L(H^\*(\beta\_1)\cdot H^\*(\beta\_2)\cdot \cdots H^\*(\beta\_m)) = L(H^\*(\beta\_1 \* \beta\_2 \* \cdots \* \beta\_m)),$$

where β<sup>1</sup> ∗ β<sup>2</sup> ∗···∗ β*<sup>m</sup>* is the φ-convolutional product defined in (5.2.14), then

$$t^{-1}\left(L(H^\*(\beta\_1)\cdots H^\*(\beta\_m))\right) = R\beta\_1(\chi)\beta\_2(\chi)\cdots\beta\_m(\chi).$$

Since

$$R\beta\_1(\mathbf{x})\beta\_2(\mathbf{x})\cdots\beta\_m(\mathbf{x}) \subset R\beta\_1(\mathbf{x}) \cap R\beta\_2(\mathbf{x}) \cap \cdots \cap R\beta\_m(\mathbf{x}),$$

It follows that

$$L(H^\*(\beta\_1)H^\*(\beta\_2)\cdots H^\*(\beta\_m)) \subset L(H^\*(\beta\_1)) \cap L(H^\*(\beta\_2)) \cap \cdots \cap L(H^\*(\beta\_m)).$$

The lemma follows.
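For integer vectors, the inclusion (5.3.10) can be tested directly: every column of the product matrix has integer coordinates in either factor's basis. An illustrative sketch with *m* = 2 (our own code, not from the text):

```python
# Sketch of (5.3.10) for two integer vectors: each column of
# H*(b1) H*(b2) lies in L(H*(b1)) and in L(H*(b2)).
import numpy as np

phi = [2.0, 1.0, 0.0]   # phi(x) = x^3 - x - 2
n = len(phi)
H = np.zeros((n, n)); H[1:, :-1] = np.eye(n - 1); H[:, -1] = phi

def ideal_matrix(v):
    return np.column_stack([np.linalg.matrix_power(H, k) @ v for k in range(n)])

M1 = ideal_matrix(np.array([1.0, 2.0, 0.0]))   # b1(x) = 1 + 2x
M2 = ideal_matrix(np.array([1.0, 0.0, 1.0]))   # b2(x) = 1 + x^2
P = M1 @ M2

coords1 = np.linalg.solve(M1, P)   # coordinates of the columns of P in basis M1
coords2 = np.linalg.solve(M2, P)   # ... and in basis M2
both_integral = (np.allclose(coords1, np.round(coords1))
                 and np.allclose(coords2, np.round(coords2)))
```

Because ideal matrices commute (lemma 5.2.4), `coords1` recovers *M*<sub>2</sub> and `coords2` recovers *M*<sub>1</sub>, both integer matrices.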

By lemma 5.3.5, we also have the following corollary.

**Corollary 5.3.1** *Let* <sup>β</sup>1, β2,...,β*<sup>m</sup> be m prime spots of* <sup>R</sup>*n, then L*(*H*∗(β1)) <sup>+</sup> *L*(*H*∗(β2)) +···+ *L*(*H*∗(β*m*)) *is a full-rank* φ*-cyclic lattice.*

*Proof* Based on lemma 5.1.5, it follows immediately from lemma 5.3.5.

Our main result is to establish the following one-to-one correspondence between φ-cyclic lattices in ℝ<sup>*n*</sup> and finitely generated *R*-modules in *R*.

**Theorem 5.3.1** *Let*  = *R*α1(*x*) + *R*α2(*x*) +···+ *R*α*m*(*x*) *be a finitely generated R-module in R, then t*() *is a* <sup>φ</sup>*-cyclic lattice in* <sup>R</sup>*n. Conversely, if L* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup> is a* <sup>φ</sup>*cyclic lattice in* R*n, then t*−<sup>1</sup>(*L*) *is a finitely generated R-module in R, that is a one-to-one correspondence.*

*Proof* If  is a finitely generated *R*-module, by lemma 5.3.4, we have

$$\begin{aligned} t(\Lambda) &= t(R\alpha\_1(\mathbf{x}) + \dots + R\alpha\_m(\mathbf{x})) \\ &= L(H^\*(\alpha\_1)) + L(H^\*(\alpha\_2)) + \dots + L(H^\*(\alpha\_m)). \end{aligned}$$

The main difficulty is to show that *t*(Λ) is a lattice of ℝ<sup>*n*</sup>; we require a device to embed *t*(Λ) into a full-rank lattice. To do this, let (α<sub>*i*</sub>(*x*), φ(*x*)) = *d*<sub>*i*</sub>(*x*), *d*<sub>*i*</sub>(*x*) ∈ ℤ[*x*], and β<sub>*i*</sub>(*x*) = α<sub>*i*</sub>(*x*)/*d*<sub>*i*</sub>(*x*), 1 ≤ *i* ≤ *m*. Since φ(*x*) has no multiple roots by assumption, (β<sub>*i*</sub>(*x*), φ(*x*)) = 1 in ℝ[*x*]; in other words, each *t*(β<sub>*i*</sub>(*x*)) = β<sub>*i*</sub> is a prime spot. It is easy to verify that *R*α<sub>*i*</sub>(*x*) ⊂ *R*β<sub>*i*</sub>(*x*) (1 ≤ *i* ≤ *m*), thus we have

$$t(\Lambda) \subset L(H^*(\beta_1)) + L(H^*(\beta_2)) + \dots + L(H^*(\beta_m)).$$

By corollary 5.3.1, the right-hand side is a full-rank lattice; since a subgroup of a lattice is again discrete, *t*(Λ) is a φ-cyclic lattice. Conversely, if *L* ⊂ ℝ<sup>*n*</sup> is a φ-cyclic lattice of ℝ<sup>*n*</sup> and *L* = *L*(β<sub>1</sub>, β<sub>2</sub>, ..., β<sub>*m*</sub>), then by (5.3.7) we have

$$t^{-1}(L) = R\beta\_1(\mathbf{x}) + R\beta\_2(\mathbf{x}) + \dots + R\beta\_m(\mathbf{x}),$$

which is a finitely generated *R*-module in *R*. We complete the proof of theorem 5.3.1.

Since *R* is a Noetherian ring, *I* ⊂ *R* is an ideal if and only if *I* is a finitely generated *R*-module. On the other hand, if *I* ⊂ *R* is an ideal, then *t*(*I*) is a subgroup of ℤ<sup>*n*</sup>, hence a discrete subgroup of ℝ<sup>*n*</sup>, and thus *t*(*I*) is a lattice. We give the following definition.

**Definition 5.3.3** Let *I* ⊂ *R* be an ideal, *t*(*I*) is called the φ-ideal lattice.

Ideal lattices first appeared in Lyubashevsky and Micciancio (2006), and more about them can be found in Zheng et al. (2022a). As a direct consequence of theorem 5.3.1, we have the following corollary.

**Corollary 5.3.2** *Let L* <sup>⊂</sup> <sup>R</sup>*<sup>n</sup> be a subset, then L is a* <sup>φ</sup>*-cyclic lattice if and only if*

$$L = L(H^\*(\beta\_1)) + L(H^\*(\beta\_2)) + \dots + L(H^\*(\beta\_m)),$$

*where* β<sub>*i*</sub> ∈ ℝ<sup>*n*</sup> *and m* ≤ *n. Furthermore, L is a* φ*-ideal lattice if and only if every* β<sub>*i*</sub> ∈ ℤ<sup>*n*</sup>*,* 1 ≤ *i* ≤ *m*.

**Corollary 5.3.3** *Suppose that* φ(*x*) *is an irreducible polynomial in* <sup>Z</sup>[*x*]*, then any nonzero ideal I of R defines a full-rank* <sup>φ</sup>*-ideal lattice t*(*I*) <sup>⊂</sup> <sup>Z</sup>*n.*

*Proof* Let *I* ⊂ *R* be a nonzero ideal, then we have *I* = *R*α1(*x*) + *R*α2(*x*) +···+ *R*α*m*(*x*), where α*i*(*x*) ∈ *R* and (α*i*(*x*), φ(*x*)) = 1. It follows that

$$t(I) = L(H^\*(\alpha\_1)) + L(H^\*(\alpha\_2)) + \dots + L(H^\*(\alpha\_m)).$$

Since each α*<sup>i</sup>* is a prime spot, we have rank(*t*(*I*)) = *n* by corollary 5.3.1, and the corollary follows at once.

We have proved that any ideal of *R* corresponds to a φ-ideal lattice, which is just a φ-cyclic integer lattice under the more general rotation matrix *H* = *H*φ. Cyclic lattices and ideal lattices were introduced in Lyubashevsky and Micciancio (2006) and Micciancio (2002), respectively, to improve the space complexity of lattice-based cryptosystems. Ideal lattices allow one to represent a lattice using only two polynomials. Using such lattices, a class of lattice-based cryptosystems can reduce their space complexity from *O*(*n*<sup>2</sup>) to *O*(*n*). Ideal lattices also allow one to accelerate computations using the polynomial structure. The original construction of Micciancio uses the ordinary circulant matrices and allows for an interpretation in terms of arithmetic in the polynomial ring Z[*x*]/<*x n* − 1>. Lyubashevsky and Micciancio later suggested changing the ring to Z[*x*]/<φ(*x*)> with an irreducible φ(*x*) over Z[*x*]. Our results here suggest changing the ring to Z[*x*]/<φ(*x*)> with an arbitrary polynomial φ(*x*). There are many works subsequent to Lyubashevsky and Micciancio, such as Micciancio and Regev (2009); Peikert (2016).
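For φ(*x*) = *x n* − 1, the correspondence between multiplication in Z[*x*]/<*x n* − 1> and circulant matrices can be checked numerically. The following sketch (the helper names `rotation_matrix`, `ideal_matrix`, `poly_mul_mod` are ours, not from the text) verifies that the action of *H*∗(*g*) on a coefficient vector equals polynomial multiplication by *g*(*x*) modulo *x n* − 1:

```python
import numpy as np

def rotation_matrix(n):
    """Rotation matrix H for phi(x) = x^n - 1: H @ v cyclically shifts v down."""
    H = np.zeros((n, n), dtype=int)
    for i in range(n):
        H[(i + 1) % n, i] = 1
    return H

def ideal_matrix(g):
    """H*(g) = [g, Hg, ..., H^{n-1} g], the ordinary circulant matrix of g."""
    n = len(g)
    H = rotation_matrix(n)
    cols = [np.array(g)]
    for _ in range(n - 1):
        cols.append(H @ cols[-1])
    return np.column_stack(cols)

def poly_mul_mod(f, g):
    """Coefficient vector of f(x) g(x) mod x^n - 1 (cyclic convolution)."""
    n = len(f)
    out = np.zeros(n, dtype=int)
    for i in range(n):
        for j in range(n):
            out[(i + j) % n] += f[i] * g[j]
    return out

n = 4
g = np.array([1, 2, 0, 3])
f = np.array([2, 0, 1, 1])
# multiplication by g(x) in Z[x]/(x^n - 1) equals the action of H*(g)
assert np.array_equal(ideal_matrix(g) @ f, poly_mul_mod(g, f))
```

The rotation matrix built here matches the 3 × 3 matrix *H* displayed in Example 5.2 below.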

*Example 5.1* It is interesting to find some examples of φ-cyclic lattices in an algebraic number field K. Let Q be the rational number field; without loss of generality, an algebraic number field K of degree *n* is just K = Q(w), where w = w*i* is a root of φ(*x*). If all Q(w*i*) ⊂ R (1 ≤ *i* ≤ *n*), then K is called a totally real algebraic number field. Let *O*K be the ring of algebraic integers of K, and let *I* ⊂ *O*K be an ideal, *I* ≠ 0. Then there is an integral basis {α1, α2,...,α*n*} ⊂ *I* such that

$$I = \mathbb{Z}\alpha\_1 + \mathbb{Z}\alpha\_2 + \dots + \mathbb{Z}\alpha\_n,$$

We may regard every ideal of *O*K as a lattice in Q*n*. Our assertion is that every nonzero ideal of *O*K corresponds to a full-rank φ-cyclic lattice of Q*n*. To see this, let

$$\mathbb{Q}[w] = \left\{ \sum\_{i=0}^{n-1} a\_i w^i \mid a\_i \in \mathbb{Q} \right\},$$

It is known that <sup>K</sup> <sup>=</sup> <sup>Q</sup>[w], thus every <sup>α</sup> <sup>∈</sup> <sup>K</sup> corresponds to a vector <sup>α</sup> <sup>∈</sup> <sup>Q</sup>*<sup>n</sup>* by

$$\alpha = \sum\_{i=0}^{n-1} a\_i w^i \xrightarrow{\tau} \overline{\alpha} = \begin{pmatrix} a\_0 \\ a\_1 \\ \vdots \\ a\_{n-1} \end{pmatrix} \in \mathbb{Q}^n.$$

If *I* ⊂ *O*K is an ideal of *O*K and *I* = Zα1 + Zα2 +···+ Zα*n*, let *B* = [ᾱ1, ᾱ2,..., ᾱ*n*] ∈ Q*n*×*n*, which is a full-rank matrix. Then τ(*I*) = *L*(*B*) is a full-rank lattice. It remains to show that τ(*I*) is a φ-cyclic lattice; we only need to prove that α ∈ *I* ⇒ *H*ᾱ ∈ τ(*I*). Suppose that α ∈ *I*, then wα ∈ *I*. It is easy to verify that τ(w) = *e*1 and

$$
\tau(w\alpha) = \tau(w) * \tau(\alpha) = H\overline{\alpha} \in \tau(I).
$$

This means that τ (*I*) is a φ-cyclic lattice of Q*<sup>n</sup>*, which is a full-rank lattice.

#### **5.4 Improved Upper Bound for Smoothing Parameter**

As an application of the algebraic structure of φ-cyclic lattices, we give an explicit upper bound of the smoothing parameter for φ-cyclic lattices. The definition of the smoothing parameter was introduced in Chap. 1. Suppose that *L* is a full-rank lattice and *L*∗ is its dual lattice. For any ε > 0, we define the smoothing parameter ηε(*L*) of *L* to be the smallest *s* such that ρ1/*s*(*L*∗) ≤ 1 + ε, where ρ is the Gauss function,

$$\rho\_{s,c}(\mathbf{x}) = e^{-\frac{\pi}{s^2}|\mathbf{x} - c|^2}, \ \rho\_s(\mathbf{x}) = \rho\_{s,0}(\mathbf{x}), \ \mathbf{x} \in \mathbb{R}^n.$$

Notice that ρ1/*s*(*L*∗) is a continuous and strictly decreasing function of *s*; thus the smoothing parameter ηε(*L*) is a continuous and strictly decreasing function of ε, i.e.

$$
\eta\_{\epsilon\_1}(L) \leqslant \eta\_{\epsilon\_2}(L), \quad \text{if } 0 < \epsilon\_2 < \epsilon\_1.
$$

The following lemma shows the relation of smoothing parameters between a lattice and its sublattice.

**Lemma 5.4.1** *Suppose that L*1 *and L*2 *are two full-rank lattices in* R*n, and L*1 ⊂ *L*2*, then for any* ε > 0*, we have*

$$
\eta\_{\epsilon}(L\_2) \leqslant \eta\_{\epsilon}(L\_1). \tag{5.4.1}
$$

*Proof* Let ηε(*L*1) = *s*; we are to show that ηε(*L*2) ≤ *s*. Since

$$
\rho\_{1/s}(L\_1^\*) = 1 + \epsilon,
$$

i.e.

$$\sum\_{\mathbf{x}\in L\_1^\*} e^{-\pi s^2 |\mathbf{x}|^2} = 1 + \epsilon.$$

It is easy to check that *L*∗2 ⊂ *L*∗1; it follows that

$$1 + \epsilon = \sum\_{\mathbf{x} \in L\_1^\*} e^{-\pi s^2 |\mathbf{x}|^2} \geqslant \sum\_{\mathbf{x} \in L\_2^\*} e^{-\pi s^2 |\mathbf{x}|^2},$$

which implies

$$
\rho\_{1/s}(L\_2^\*) \le 1 + \epsilon,
$$

and ηε(*L*2) ≤ *s* = ηε(*L*1). Thus we have lemma 5.4.1.
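The monotonicity in lemma 5.4.1 can be illustrated numerically. For *L*1 = 2Z² ⊂ *L*2 = Z² the dual lattices satisfy *L*∗2 ⊂ *L*∗1, so the (truncated) Gauss sum over *L*∗2 never exceeds the one over *L*∗1. A minimal sketch; the truncation radius and function names are our illustrative choices:

```python
import math

def rho(points, s):
    """Truncated Gauss sum rho_{1/s}(S) = sum_{x in S} exp(-pi s^2 |x|^2)."""
    return sum(math.exp(-math.pi * s * s * (x * x + y * y)) for x, y in points)

def dual_points(step, R=6.0):
    """Points of the lattice step * Z^2 inside a box of radius R (truncation)."""
    m = int(R / step)
    return [(i * step, j * step) for i in range(-m, m + 1) for j in range(-m, m + 1)]

s = 1.5
L1_dual = dual_points(0.5)   # dual of L1 = 2 Z^2 is (1/2) Z^2
L2_dual = dual_points(1.0)   # dual of L2 = Z^2 is Z^2
# L1 ⊂ L2 implies L2* ⊂ L1*, hence rho_{1/s}(L2*) ≤ rho_{1/s}(L1*)
assert rho(L2_dual, s) <= rho(L1_dual, s)
```

Since ρ1/*s* is decreasing in *s*, this inequality is exactly what forces ηε(*L*2) ≤ ηε(*L*1).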

According to (5.2.4), the ideal matrix *H*∗(*f*) with input vector *f* ∈ R*n* is just the ordinary circulant matrix when φ(*x*) = *x n* − 1. The next lemma shows that the transpose of a circulant matrix is still a circulant matrix. For any *g* = (*g*0, *g*1,..., *gn*−1)*T* ∈ R*n*, we denote

$$
\overline{\mathbf{g}} = \begin{pmatrix} g\_{n-1} \\ g\_{n-2} \\ \vdots \\ g\_0 \end{pmatrix}, \text{ which is called the conjugation of } \mathbf{g}.
$$

**Lemma 5.4.2** *Let* φ(*x*) = *x n* − 1*, then for any g* = (*g*0, *g*1,..., *gn*−1)*T* ∈ R*n, we have*

$$\left(H^\*(\mathbf{g})\right)^T = H^\*(H\overline{\mathbf{g}}).\tag{5.4.2}$$

*Proof* Since φ(*x*) = *x <sup>n</sup>* − 1, then *H* = *H*<sup>φ</sup> is an orthogonal matrix, and we have *H*−<sup>1</sup> = *Hn*−<sup>1</sup> = *H<sup>T</sup>* . We write *H*<sup>1</sup> = *H<sup>T</sup>* = *H*−1. The following identity is easy to verify

$$H^\*(\mathbf{g}) = \begin{pmatrix} \overline{\mathbf{g}}^T H\_1 \\ \overline{\mathbf{g}}^T H\_1^2 \\ \vdots \\ \overline{\mathbf{g}}^T H\_1^n \end{pmatrix}.$$

It follows that

$$\left(H^\*(\mathbf{g})\right)^T = [H\overline{\mathbf{g}}, H(H\overline{\mathbf{g}}), \dots, H^{n-1}(H\overline{\mathbf{g}})] = H^\*(H\overline{\mathbf{g}}),$$

and we have the lemma.
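Lemma 5.4.2 is easy to confirm numerically. The sketch below (helper names are ours) builds the circulant matrix of a vector *g* and checks (*H*∗(*g*))*T* = *H*∗(*H*ḡ):

```python
import numpy as np

def rotation_matrix(n):
    """Rotation matrix H for phi(x) = x^n - 1 (cyclic downward shift)."""
    H = np.zeros((n, n), dtype=int)
    for i in range(n):
        H[(i + 1) % n, i] = 1
    return H

def ideal_matrix(g):
    """Circulant matrix H*(g) = [g, Hg, ..., H^{n-1} g]."""
    n = len(g)
    H = rotation_matrix(n)
    cols = [np.array(g)]
    for _ in range(n - 1):
        cols.append(H @ cols[-1])
    return np.column_stack(cols)

g = np.array([1, 2, 5, 7])
H = rotation_matrix(4)
g_bar = g[::-1]                      # conjugation: reverse the coordinates
lhs = ideal_matrix(g).T
rhs = ideal_matrix(H @ g_bar)        # H*(H g_bar)
assert np.array_equal(lhs, rhs)      # (H*(g))^T = H*(H g_bar)
```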

**Lemma 5.4.3** *Let* φ(*x*) <sup>=</sup> *<sup>x</sup> <sup>n</sup>* <sup>−</sup> <sup>1</sup>*, suppose that g* <sup>∈</sup> <sup>R</sup>*<sup>n</sup> and the circulant matrix H*∗(*g*) *is invertible. Let A* = (*H*∗(*g*))*<sup>T</sup> H*∗(*g*)*, then all characteristic values of A are given by*

$$\{ |g(\theta\_1)|^2, |g(\theta\_2)|^2, \dots, |g(\theta\_n)|^2 \},$$

*where* θ *<sup>n</sup> <sup>i</sup>* = 1 (1 *i n*) *are the n-th roots of unity.*

*Proof* By lemma 5.4.2 and (ii) of lemma 5.2.4, we have

$$A = H^\*(H\overline{\mathbf{g}})H^\*(\mathbf{g}) = H^\*(H^\*(H\overline{\mathbf{g}})\mathbf{g}) = H^\*(\mathbf{g}''),$$

where *g*′′ = *H*∗(*H*ḡ)*g*. Let *g*′′(*x*) = *t*−1(*g*′′) be the corresponding polynomial of *g*′′. By lemma 5.2.3, all characteristic values of *A* are given by

$$\{g''(\theta\_1), g''(\theta\_2), \dots, g''(\theta\_n)\}, \ \theta\_i^n = 1, \ 1 \le i \le n.$$

Let *g* = (*g*0, *g*1,..., *gn*−1)*T* ∈ R*n*. It is easy to see that

$$\mathbf{g}''(x) = \sum\_{i=0}^{n-1} g\_i^2 + \left(\sum\_{i=0}^{n-1} g\_i g\_{1-i}\right) x + \dots + \left(\sum\_{i=0}^{n-1} g\_i g\_{(n-1)-i}\right) x^{n-1},$$

where *g*−*i* = *gn*−*i* for all 1 ≤ *i* ≤ *n* − 1. Hence *g*′′(θ) = |*g*(θ)|<sup>2</sup> whenever θ*n* = 1, and the lemma follows at once.
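The eigenvalue description in lemma 5.4.3 can be checked numerically: the values *g*(θ*k*) at the *n*-th roots of unity are exactly the discrete Fourier transform of the coefficient vector. A sketch, with all names our own:

```python
import numpy as np

n = 5
g = np.array([3.0, 1.0, 4.0, 1.0, 5.0])
# circulant matrix of g: C[i, j] = g[(i - j) mod n]
C = np.array([[g[(i - j) % n] for j in range(n)] for i in range(n)])
A = C.T @ C

# eigenvalues predicted by the lemma: |g(theta_k)|^2 at the n-th roots of unity
theta = np.exp(2j * np.pi * np.arange(n) / n)
# np.polyval expects highest-degree coefficient first, hence g[::-1]
predicted = sorted(abs(np.polyval(g[::-1], t)) ** 2 for t in theta)
actual = sorted(np.linalg.eigvalsh(A))
assert np.allclose(predicted, actual)
```

Since all circulant matrices commute, *C* is normal, which is why the eigenvalues of *C*ᵀ*C* are simply the squared moduli |*g*(θ*k*)|².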

By the definition of prime spot, if *<sup>g</sup>* <sup>∈</sup> <sup>R</sup>*<sup>n</sup>* is a prime spot, then there is a unique polynomial *u*(*x*) ∈ *R* such that *u*(*x*)*g*(*x*) ≡ 1 (mod φ(*x*)). We define a new vector *Tg* and its corresponding polynomial *Tg*(*x*) by

$$T\_{\mathfrak{g}} = H\overline{u},\ T\_{\mathfrak{g}}(\mathfrak{x}) = t^{-1}(H\overline{u}).\tag{5.4.3}$$

If *<sup>g</sup>* <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>* is an integer vector, then *Tg* <sup>∈</sup> <sup>Z</sup>*<sup>n</sup>* is also an integer vector, and *Tg*(*x*) <sup>∈</sup> <sup>Z</sup>[*x*] is a polynomial with integer coefficients. Our main result on smoothing parameter is the following theorem.

**Theorem 5.4.1** *Let* φ(*x*) = *x n* − 1 *and let L* ⊂ R*n be a full-rank* φ*-cyclic lattice, then for any prime spot g* ∈ *L, we have*

$$\eta\_{2^{-n}}(L) \leqslant \sqrt{n} \left( \min \{ |T\_{\mathfrak{g}}(\theta\_1)|, |T\_{\mathfrak{g}}(\theta\_2)|, \dots, |T\_{\mathfrak{g}}(\theta\_n)| \} \right)^{-1},\tag{5.4.4}$$

*where* θ *<sup>n</sup> <sup>i</sup>* = 1*,* 1 *i n, and Tg*(*x*) *is given by (5.4.3).*

*Proof* Let *g* ∈ *L* be a prime spot, by lemma 5.4.1, we have

$$L(H^\*(\mathbf{g})) \subset L \Rightarrow \eta\_\epsilon(L) \leqslant \eta\_\epsilon(L(H^\*(\mathbf{g}))), \ \forall \epsilon > 0.$$

To estimate the smoothing parameter of *L*(*H*∗(*g*)), note that the dual lattice of *L*(*H*∗(*g*)) is given by

$$L(H^\*(\mathbf{g}))^\* = L((H^\*(u))^T) = L(H^\*(H\overline{u})) = L(H^\*(T\_{\mathfrak{g}})),$$

where *u*(*x*) ∈ *R* and *u*(*x*)*g*(*x*) ≡ 1 (mod *x <sup>n</sup>* − 1), and *Tg* is given by (5.4.3). Let *A* = (*H*∗(*Tg*))*<sup>T</sup> H*∗(*Tg*), by lemma 5.4.3, all characteristic values of *A* are

$$\{|T\_{\mathcal{g}}(\theta\_1)|^2, |T\_{\mathcal{g}}(\theta\_2)|^2, \dots, |T\_{\mathcal{g}}(\theta\_n)|^2\}.$$

By lemma 5.1.2, the minimum distance λ1(*L*(*H*∗(*g*))∗) is bounded by

$$\lambda\_1(L(H^\*(\mathcal{g}))^\*) \geqslant \min\{|T\_{\mathcal{g}}(\theta\_1)|, |T\_{\mathcal{g}}(\theta\_2)|, \dots, |T\_{\mathcal{g}}(\theta\_n)|\}.\tag{5.4.5}$$

According to the classical estimation of upper bound of smoothing parameter

$$
\eta\_{2^{-n}}(L) \leqslant \sqrt{n}/\lambda\_1(L^\*),
$$

we see that theorem 5.4.1 holds.

Let *L* = *L*(*B*) be a full-rank lattice with *B* = [β1, β2,...,β*n*]. We denote by *B*∗ = [β∗1, β∗2,...,β∗*n*] the Gram-Schmidt orthogonalization {β∗*i*} of the ordered basis *B* = {β*i*}. It is a well-known conclusion that

$$\lambda\_1(L) \geqslant |B^\*| = \min\_{1 \le i \le n} |\beta\_i^\*|,$$

and

$$
\eta\_{2^{-n}}(L) \leqslant \sqrt{n}/\lambda\_1(L^\*),
$$

so we get the following upper bound

$$
\eta\_{2^{-n}}(L) \leqslant \sqrt{n} |B\_0^\*|^{-1},\tag{5.4.6}
$$

where *B*<sup>∗</sup> <sup>0</sup> is the orthogonal basis of dual lattice *L*<sup>∗</sup> of *L*.

For a φ-cyclic lattice *L*, numerical testing suggests that the upper bound (5.4.4) is always better than (5.4.6); we give two examples here.

*Example 5.2* Let *n* = 3 and φ(*x*) = *x* <sup>3</sup> − 1, the rotation matrix *H* is

$$H = \begin{pmatrix} 0 \ 0 \ 1 \\ 1 \ 0 \ 0 \\ 0 \ 1 \ 0 \end{pmatrix}.$$

We select a φ-cyclic lattice *L* = *L*(*B*), where

$$B = \begin{pmatrix} 1 \ 1 \ 1 \\ 0 \ 1 \ 1 \\ 0 \ 0 \ 1 \end{pmatrix}.$$

Since *L* = Z3, *L* is a φ-cyclic lattice. It is easy to check

$$|B\_0^\*| = \min\_{1 \le i \le 3} |\beta\_i^\*| = \frac{\sqrt{3}}{3}.$$

On the other hand, we randomly find a prime spot

$$\mathbf{g} = \begin{pmatrix} 0 \\ 0 \\ 1 \end{pmatrix} \in L$$

and *g*(*x*) = *x*<sup>2</sup>, since

$$x \cdot g(x) \equiv 1 \pmod{x^3 - 1},$$

we have

$$T\_{\mathfrak{g}}(x) = x^2,$$

it follows that

$$|T\_{\mathfrak{g}}(\theta\_1)| = |T\_{\mathfrak{g}}(\theta\_2)| = |T\_{\mathfrak{g}}(\theta\_3)| = 1,$$

and

$$\left(\min\_{1\le i\le 3}|T\_{\mathfrak{g}}(\theta\_i)|\right)^{-1} = 1 < |B\_0^\*|^{-1} = \sqrt{3}.$$
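The quantities of Example 5.2 can be reproduced numerically. The sketch below (the helper `gram_schmidt_min_norm` is our own name) computes |*B*∗0| from the dual basis *B*−*T* and the values |*Tg*(θ*i*)| for *Tg*(*x*) = *x*²:

```python
import numpy as np

B = np.array([[1., 1., 1.],
              [0., 1., 1.],
              [0., 0., 1.]])
# a basis of the dual lattice L* is B^{-T}
D = np.linalg.inv(B).T

def gram_schmidt_min_norm(M):
    """Minimal Gram-Schmidt length over the column basis of M."""
    basis = []
    for v in M.T:
        w = v.astype(float)
        for b in basis:
            w = w - (w @ b) / (b @ b) * b
        basis.append(w)
    return min(np.linalg.norm(b) for b in basis)

# |B_0^*| = sqrt(3)/3, as stated in Example 5.2
assert np.isclose(gram_schmidt_min_norm(D), np.sqrt(3) / 3)

# T_g(x) = x^2, so |T_g(theta_i)| = 1 at every cube root of unity
theta = np.exp(2j * np.pi * np.arange(3) / 3)
assert np.allclose(abs(theta ** 2), 1.0)
```

So the bound (5.4.4) gives √3 · 1, while (5.4.6) gives √3 · √3 = 3, confirming the comparison in the example.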

*Example 5.3* Let *n* = 4 and φ(*x*) = *x* <sup>4</sup> − 1, the rotation matrix *H* is

$$H = \begin{pmatrix} 0 \ 0 \ 0 \ 1 \\ 1 \ 0 \ 0 \ 0 \\ 0 \ 1 \ 0 \ 0 \\ 0 \ 0 \ 1 \ 0 \end{pmatrix}.$$

We select a φ-cyclic lattice *L* = *L*(*B*), where

$$B = \begin{pmatrix} 1 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 1 \end{pmatrix}.$$

Since *L* = Z4, *L* is a φ-cyclic lattice. It is easy to check

$$|B\_0^\*| = \min\_{1 \le i \le 4} |\beta\_i^\*| = \frac{1}{2}.$$

On the other hand, we randomly find a prime spot

$$\mathbf{g} = \begin{pmatrix} -2 \\ 1 \\ 0 \\ 0 \end{pmatrix} \in L$$

and *g*(*x*) = *x* − 2, since

$$
\left(\frac{1}{7}x^3 - \frac{1}{7}x^2 - \frac{2}{7}x - \frac{5}{7}\right)g(x) \equiv 1 \pmod{x^4 - 1},
$$

we have

$$T\_{\mathfrak{g}}(x) = -\frac{2}{7}x^3 - \frac{1}{7}x^2 + \frac{1}{7}x - \frac{5}{7},$$

it follows that

$$|T\_{\mathfrak{g}}(\theta\_1)| = 1,\ |T\_{\mathfrak{g}}(\theta\_2)| = |T\_{\mathfrak{g}}(\theta\_3)| = |T\_{\mathfrak{g}}(\theta\_4)| = \frac{5}{7},$$

and

$$\left(\min\_{1\le i\le 4}|T\_{\mathfrak{g}}(\theta\_i)|\right)^{-1} = \frac{7}{5} < |B\_0^\*|^{-1} = 2.$$

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 6 Fully Homomorphic Encryption**

In 1978, Rivest et al. (1978) proposed the concepts of the data bank and fully homomorphic encryption. Some individuals and organizations encrypt their original data and store them in the data bank for privacy protection. The data bank is also called the data cloud. Therefore, the cloud stores a large amount of original data, which is obviously a huge wealth. How can these data be used effectively? First of all, we must solve the problem of computing on the encrypted data, which is called the privacy calculation problem. Rivest, Adleman and Dertouzos conjectured that if all data are encrypted fully homomorphically, that is, if the addition and multiplication of ciphertexts are homomorphic to the corresponding addition and multiplication of plaintexts, then the encrypted data can be effectively computed by elementary calculation without changing the structure of the plaintext data (under the condition of homomorphism). The RAD conjecture stood open for more than 30 years; no one could solve it because the cryptographic structure of a fully homomorphic encryption system is too complicated. In 2009, C. Gentry, a computer scientist at Stanford University, first proposed a fully homomorphic encryption scheme in Gentry (2009b) based on ideal lattices, for which he won the highest award in theoretical computer science, the Gödel Prize, in 2022. Based on Gentry's work, the second and third fully homomorphic encryption schemes, based on the LWE distribution and trapdoor matrix technology, have also been proposed; see Brakerski and Vaikuntanathan (2011a), (2011b), (2012), (2014), (2015) and Gentry et al. (2013). The main purpose of this chapter is to systematically analyze and discuss the above three fully homomorphic encryption techniques, in order to understand the latest research trends of post-quantum cryptography.

#### **6.1 Definitions and Examples**

Let *R*<sup>1</sup> be the plaintext space, *R*<sup>2</sup> be the ciphertext space, *R* be the keyspace. For *s* ∈ *R*,

$$\mathcal{R}\_1 \xrightarrow{f\_s} \mathcal{R}\_2 \xrightarrow{f\_s^{-1}} \mathcal{R}\_1,$$

we call *fs* the encryption function under the key *s*, and *fs*−1 is called the decryption function. In a mathematical cryptosystem, *fs* is injective so that *fs*−1 is the left inverse mapping of *fs*, i.e. *fs*−1 *fs* = 1*R*1, which guarantees decrypting the plaintext successfully with probability 100%. However, in a probabilistic cryptosystem, *fs* is not an injective mapping, while the probability of *fs*−1 being a left inverse mapping should be close enough to 1, i.e.

$$\Pr\{f\_s^{-1}f\_s = 1\_{\mathcal{R}\_1}\} \geqslant 1 - \delta$$

for a sufficiently small δ > 0.

The Hash function is a classic probabilistic cryptosystem. The phenomenon that two plaintexts are encrypted into the same ciphertext, in other words, that one ciphertext could be decrypted into two plaintexts, is called a collision. If the probability of collision is small enough, then it is called an anti-collision Hash function. The cryptosystem constructed from an anti-collision Hash function is the mainstream algorithm of probabilistic cryptography. In both mathematical and probabilistic cryptosystems, we treat the decryption transformation *fs*−1 as the left inverse mapping of *fs*, though in the probabilistic case this is only an equality with high probability.

**Definition 6.1.1** Let *R*1 −→ *R*2 −→ *R*1 under *fs* and *fs*−1, let *R* be the keyspace, *s* ∈ *R*, and suppose *R*1 and *R*2 are additive groups.

1. If there is *s* ∈ *R* such that

$$f\_s^{-1}(c\_1 + c\_2) = f\_s^{-1}(c\_1) + f\_s^{-1}(c\_2), \ \forall c\_1, c\_2 \in \mathcal{R}\_2,\tag{6.1.1}$$

we call *fs* the additive homomorphic encryption function.

2. If 'multiplication' is defined in *R*<sup>1</sup> and *R*2, and there is *s* ∈ *R* such that

$$f\_{s^\*}^{-1}(c\_1c\_2) = f\_s^{-1}(c\_1) \cdot f\_s^{-1}(c\_2), \ \forall c\_1, c\_2 \in \mathcal{R}\_2,\tag{6.1.2}$$

we call *fs* the multiplicative homomorphic encryption function, where *s*<sup>∗</sup> is the corresponding key of *s* under multiplication.

3. If *fs* is both additive and multiplicative homomorphic encryption function, then *fs* is called the fully homomorphic encryption function.

*Remark 6.1.1* The multiplication defined on the ciphertext space *R*2 need not be closed, i.e. there may be *c*1, *c*2 ∈ *R*2 with *c*1*c*2 ∉ *R*2. We denote the range of the multiplication as *R*2 ⊗ *R*2, i.e.

$$
\forall c\_1, c\_2 \in \mathcal{R}\_2 \Rightarrow c\_1 \cdot c\_2 \in \mathcal{R}\_2 \otimes \mathcal{R}\_2,
$$

then the corresponding key in *R*<sup>2</sup> ⊗ *R*<sup>2</sup> is *s*<sup>∗</sup> = *s* ⊗ *s*.

*Remark 6.1.2* By (6.1.1), *fs*−1(*c*1 + *c*2) is the plaintext *u* corresponding to the ciphertext *c*1 + *c*2, while *fs*−1(*c*1) and *fs*−1(*c*2) are the plaintexts *u*1, *u*2 corresponding to the ciphertexts *c*1 and *c*2. Thus (6.1.1) is equivalent to:

$$f\_s^{-1}(c\_1 + c\_2) = u = u\_1 + u\_2,$$

that is, ciphertext addition is homomorphic to plaintext addition, and similarly for multiplication. If *fs* is fully homomorphic encryption, then we can perform polynomial calculations and rational function calculations on ciphertexts. By Taylor expansion, any elementary operation (exponential function, logarithmic function, trigonometric function, etc.) can be approximated by polynomials. Therefore, for fully homomorphic encrypted data *c*, we can do any elementary operation without changing the structure of the plaintext.

We give a few examples to further understand the Definition 6.1.1.

*Example 6.1* Homogeneous Affine Hill Cryptosystem (see Chap. 4, Sect. 4.7 in Zheng 2022) is additive homomorphic encryption.

Let *q* > 1 be a positive integer, Z*q* be the residue class ring mod *q*, and *A* ∈ Z*n*×*n**q* be an invertible *n*-dimensional matrix. The Homogeneous Affine Hill encryption function is *f A*: for any plaintext *m* ∈ Z*n**q*,

$$c = f\_A(m) = A \cdot m \in \mathbb{Z}\_q^n, \ c \text{ is the ciphertext};$$

it follows that *f A*−1(*c*) = *A*−1*c* = *m*. For any *c*1, *c*2 ∈ Z*n**q*, we have

$$f\_A^{-1}(c\_1 + c\_2) = A^{-1}(c\_1 + c\_2) = A^{-1}c\_1 + A^{-1}c\_2 = f\_A^{-1}(c\_1) + f\_A^{-1}(c\_2),$$

so *f <sup>A</sup>* is additive homomorphic encryption.
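A small sketch of Example 6.1; the modulus *q* = 26 and the matrix *A* are our illustrative choices:

```python
import numpy as np

q = 26
A = np.array([[3, 5],
              [1, 2]])            # det = 1, so A is invertible mod 26
A_inv = np.array([[2, -5],
                  [-1, 3]]) % q   # adjugate of A; A_inv @ A ≡ I (mod q)

def enc(m):
    return (A @ m) % q

def dec(c):
    return (A_inv @ c) % q

m1 = np.array([4, 7])
m2 = np.array([19, 2])
c1, c2 = enc(m1), enc(m2)
# additive homomorphism: decrypting c1 + c2 yields m1 + m2 (mod q)
assert np.array_equal(dec((c1 + c2) % q), (m1 + m2) % q)
```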

*Example 6.2* The public key cryptography RSA (see Chap. 4, Sect. 4.7 in Zheng 2022) is multiplicative homomorphic encryption.

Let *n* > 1 be the product of two prime numbers, ϕ(*n*) be the Euler function, 1 ≤ *e* < ϕ(*n*), (*e*, ϕ(*n*)) = 1, where *e* is the public key; *d* = *e*−1 mod ϕ(*n*), 1 ≤ *d* < ϕ(*n*), where *d* is the private key, i.e.

$$ed \equiv 1 \pmod{\varphi(n)}, \text{ } 1 \le d < \varphi(n).$$

We define the encryption function of RSA *fe* : Z*n* → Z*n*, which is a one-to-one correspondence,

$$c = f\_e(m) \equiv m^e \pmod{n}, \ \forall m \in \mathbb{Z}\_n,$$

the decryption function is

$$f\_e^{-1}(c) \equiv c^d \pmod{n}.$$

Obviously, for any two ciphertexts *<sup>c</sup>*1, *<sup>c</sup>*<sup>2</sup> <sup>∈</sup> <sup>Z</sup>*n*, it follows that

$$f\_e^{-1}(c\_1 c\_2) \equiv (c\_1 c\_2)^d \pmod{n}$$

$$\equiv c\_1^d \cdot c\_2^d \pmod{n}$$

$$\equiv f\_e^{-1}(c\_1) f\_e^{-1}(c\_2) \pmod{n}.$$

Thus, we have *fe*−1(*c*1*c*2) = *fe*−1(*c*1) · *fe*−1(*c*2) in Z*n*, and we confirm that RSA is multiplicative homomorphic encryption.
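A toy instance of the RSA multiplicative homomorphism; the parameters *n* = 3233 = 61 · 53, *e* = 17, *d* = 2753 are our illustrative choices:

```python
# toy RSA: n = 3233 = 61 * 53, phi(n) = 3120, e = 17, d = 2753
n, e, d = 3233, 17, 2753
assert (e * d) % 3120 == 1          # d = e^{-1} mod phi(n)

def enc(m):
    return pow(m, e, n)

def dec(c):
    return pow(c, d, n)

m1, m2 = 65, 123
c1, c2 = enc(m1), enc(m2)
# multiplicative homomorphism: dec(c1 * c2) = m1 * m2 (mod n)
assert dec((c1 * c2) % n) == (m1 * m2) % n
```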

Examples 6.1 and 6.2 suggest that constructing a fully homomorphic encryption system is essentially constructing a ring homomorphism between two rings. Let us look at the following Example 6.3 first.

*Example 6.3* Let *R*1 and *R*2 be two commutative rings, and let the encryption function *f* : *R*1 → *R*2 be an injective ring homomorphism (a monomorphism). Then *f* is fully homomorphic encryption.

In fact, since *f* is an injective homomorphism and *R*1 is the plaintext space, *f*(*R*1) ⊂ *R*2 is a subring of *R*2, that is, the plaintext space is embedded into the ciphertext space. Let *c*1, *c*2 ∈ *f*(*R*1) be any two ciphertexts; there exist *u*1, *u*2 ∈ *R*1 such that *f*(*u*1) = *c*1, *f*(*u*2) = *c*2, thus,

$$f^{-1}(c\_1 + c\_2) = f^{-1}(f(u\_1) + f(u\_2))$$

$$= f^{-1}(f(u\_1 + u\_2)) = u\_1 + u\_2 = f^{-1}(c\_1) + f^{-1}(c\_2).$$

Similarly,

$$f^{-1}(c\_1c\_2) = f^{-1}(f(u\_1) \cdot f(u\_2))$$

$$= f^{-1}(f(u\_1u\_2)) = u\_1 \cdot u\_2 = f^{-1}(c\_1) \cdot f^{-1}(c\_2).$$

Hence, *f* is fully homomorphic encryption.

Next, we use the Chinese Remainder Theorem to construct an example of fully homomorphic encryption.

*Example 6.4* Let *N* = *n*1*n*2 ... *nk*, where {*ni*} are mutually coprime positive integers. Define the plaintext space *R*1 and the ciphertext space *R*2 as

$$\mathcal{R}\_1 = \mathbb{Z}\_{n\_1} \oplus \mathbb{Z}\_{n\_2} \oplus \dots \oplus \mathbb{Z}\_{n\_k}, \ \mathcal{R}\_2 = \mathbb{Z}\_N,$$

here *R*1 is the direct sum of the *k* rings Z*ni*. Let *a* = (*a*1, *a*2,..., *ak*) ∈ *R*1 be a plaintext; by the Chinese Remainder Theorem, there is exactly one *x* ∈ Z*N* such that

$$x \equiv a\_i \pmod{n\_i}, \ 1 \le i \le k.$$

We define the encryption function *f* : *R*<sup>1</sup> → *R*<sup>2</sup> as *f* (*a*) = *x*. Now we prove that *f* is fully homomorphic encryption. Let *f* (*a*) = *x*1, *f* (*b*) = *x*2, then

$$x\_1 + x\_2 \equiv a\_i + b\_i \pmod{n\_i}, \ \forall i = 1, 2, \dots, k.$$

So we have

$$f^{-1}(\mathbf{x}\_1 + \mathbf{x}\_2) = a + b = f^{-1}(\mathbf{x}\_1) + f^{-1}(\mathbf{x}\_2).$$

Similarly, 
$$x\_1 x\_2 \equiv a\_i b\_i \pmod{n\_i}, \ \forall i = 1, 2, \dots, k.$$

Therefore,

$$f^{-1}(\mathbf{x}\_1 \mathbf{x}\_2) = a \cdot b = f^{-1}(\mathbf{x}\_1) \cdot f^{-1}(\mathbf{x}\_2).$$

This means that *f* is fully homomorphic encryption. By the Chinese Remainder Theorem, the computational complexity of recovering *x* is *O*(*k* log *kN*), so we have the simplest fully homomorphic encryption in this example.
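The construction of Example 6.4 can be sketched as follows (the function names `crt_encrypt` and `crt_decrypt` are ours). Both ring operations on the single residue *x* mod *N* decrypt to componentwise operations:

```python
from math import prod

def crt_encrypt(a, moduli):
    """Map (a_1,...,a_k) to the unique x mod N with x ≡ a_i (mod n_i)."""
    N = prod(moduli)
    x = 0
    for a_i, n_i in zip(a, moduli):
        M = N // n_i
        # pow(M, -1, n_i) is the inverse of M modulo n_i (Python 3.8+)
        x = (x + a_i * M * pow(M, -1, n_i)) % N
    return x

def crt_decrypt(x, moduli):
    return tuple(x % n_i for n_i in moduli)

moduli = (3, 5, 7)     # pairwise coprime, N = 105
a, b = (1, 2, 3), (2, 4, 6)
xa, xb = crt_encrypt(a, moduli), crt_encrypt(b, moduli)
N = prod(moduli)
# both ring operations are homomorphic
assert crt_decrypt((xa + xb) % N, moduli) == tuple((u + v) % n for u, v, n in zip(a, b, moduli))
assert crt_decrypt((xa * xb) % N, moduli) == tuple((u * v) % n for u, v, n in zip(a, b, moduli))
```

Note that this scheme is symmetric: anyone who knows the moduli can decrypt, which is exactly the limitation discussed next.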

From Example 6.4, it can be seen that it is not difficult to construct symmetric fully homomorphic encryption, but the data bank envisaged by Rivest, Adleman and Dertouzos stores data encrypted by public key cryptography. So the RAD conjecture asks for an asymmetric fully homomorphic encryption system. When the encryption key and the decryption key are separated, it becomes very difficult to satisfy the fully homomorphic property. The work of Gentry in 2009 and later only solves part of the RAD conjecture: a fully homomorphic encryption system can be constructed under a bounded condition, while under the unbounded condition the RAD problem is still an open problem.

Fully homomorphic encryption is similar to ring homomorphism. When constructing an asymmetric fully homomorphic encryption system, because the problem is too difficult, Gentry decomposed the decryption transformation into a composite of two mappings in Gentry (2010). The fully homomorphic properties are discussed separately for each composite factor, which forms the current technology of bounded fully homomorphic encryption.

Let *R*1 −→ *R*2 −→ *R*1 under *fs* and *fs*−1 be a cryptosystem, and assume that *R*1 is a ring. Decompose *fs*−1 into *R*2 −→ *R*3 −→ *R*1 with σ1: *R*2 → *R*3 and σ2: *R*3 → *R*1, where *R*3 is a ring and *fs*−1 = σ2 ◦ σ1. If both σ1 and σ2 are ring homomorphisms, then

$$f\_s^{-1}(c\_1 + c\_2) = \sigma\_2(\sigma\_1(c\_1 + c\_2)) = \sigma\_2(\sigma\_1(c\_1) + \sigma\_1(c\_2))$$

$$= \sigma\_2\sigma\_1(c\_1) + \sigma\_2\sigma\_1(c\_2) = f\_s^{-1}(c\_1) + f\_s^{-1}(c\_2).$$

**Definition 6.1.2** Under the above assumptions, if there is a set *M* such that

1. If *fs*−1(*c*1) + *fs*−1(*c*2) ∈ *M* ∩ *R*3, then

$$f\_s^{-1}(c\_1 + c\_2) = f\_s^{-1}(c\_1) + f\_s^{-1}(c\_2).$$

2. If *fs*−1(*c*1) · *fs*−1(*c*2) ∈ *M* ∩ *R*3, then

$$f\_{s^\*}^{-1}(c\_1c\_2) = f\_s^{-1}(c\_1)f\_s^{-1}(c\_2).$$

Generally, a bounded fully homomorphic scheme can only perform a finite number of homomorphic calculations, because after repeated addition and multiplication of the ciphertext, the corresponding plaintext may run out of the bound, so the homomorphic property can no longer be guaranteed.

#### **6.2 Gadget Matrix and Gadget Technique**

The gadget technique was developed from the work of Ajtai in 1999 (Ajtai, 1999); see Agrawal et al. (2010), Alperin-Sheriff and Peikert (2013), Alwen and Peikert (2009), Peikert and Waters (2008). It plays an important role in bounded fully homomorphic encryption. To better understand the gadget matrix and the gadget technique, we start with the classical short integer solution problem (SIS).

Let *A* ∈ Z*n*×*m**q* be a given *n* × *m* dimensional matrix and *u* ∈ Z*n**q* be the target vector. Find the shortest integer vector *x* ∈ Z*m**q* such that

$$Ax \equiv u \pmod{q}, \ |x| \leqslant \beta. \tag{6.2.1}$$

The shortest integer solution *x* in (6.2.1) is actually the shortest vector in the following *q* ary lattice

$$L\_{u}^{\perp}(A) = \{ \mathbf{x} \in \mathbb{Z}\_q^m \mid A\mathbf{x} \equiv u \pmod{q} \} \cup q\mathbb{Z}^m,\tag{6.2.2}$$

which is the general form of the SIS problem. If *u* = 0, the above problem becomes the classic SIS problem. For general matrix *A*, the SIS problem is difficult, but for some special matrices, such as the gadget matrix we will introduce later, the exact shortest integer solution is easy to find.

We begin with *n* = 1. If *A* is an *l*-dimensional row vector (a 1 × *l* dimensional matrix), where *l* = ⌈log2 *q*⌉, i.e. *l* is the integer such that 2<sup>*l*−1</sup> ≤ *q* < 2<sup>*l*</sup>, let

$$g = \begin{pmatrix} 1 \\ 2 \\ 4 \\ \vdots \\ 2^{l - 1} \end{pmatrix} \in \mathbb{Z}\_q^l. \tag{6.2.3}$$

**Lemma 6.2.1** *Let A* = *g*′ *be an l-dimensional row vector, then the shortest vector in the q-ary lattice L*⊥*u*(*g*′) *can be accurately calculated. Suppose the binary representation of u* ∈ Z*q* *is*

$$u = (a\_0 a\_1 \dots a\_{l-1})\_2 \Rightarrow a = \begin{pmatrix} a\_0 \\ a\_1 \\ \vdots \\ a\_{l-1} \end{pmatrix} \in L\_u^\perp(g') \tag{6.2.4}$$

*is the shortest vector. In other words, the smallest integer solution of g*′*x* ≡ *u* (*mod q*) *is x* = *a.*

*Proof* For *u* ∈ Z*q*, 0 ≤ *u* < *q*, since 2<sup>*l*−1</sup> ≤ *q* < 2<sup>*l*</sup>, *u* can be represented as

$$u = a\_0 + a\_1 \cdot 2 + \dots + a\_{l-1} 2^{l-1}, \ a\_i = 0 \text{ or } 1.$$

Based on the definition of *g* in (6.2.3) and the definition of *a* in (6.2.4), we have *g*′*a* = *u*; it follows that *a* is the smallest integer solution of *g*′*x* ≡ *u* (mod *q*). Lemma 6.2.1 holds.
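Lemma 6.2.1 amounts to reading off the binary digits of *u*. A sketch with *q* = 23, *l* = 5 (our illustrative parameters):

```python
q = 23                            # 2^4 <= 23 < 2^5, so l = 5
l = 5
g = [2 ** i for i in range(l)]    # gadget vector (1, 2, 4, 8, 16)

def shortest_solution(u):
    """Binary digits of u solve g' x = u exactly (no mod-q wraparound needed)."""
    return [(u >> i) & 1 for i in range(l)]

u = 19
x = shortest_solution(u)
assert sum(gi * xi for gi, xi in zip(g, x)) % q == u   # g' x ≡ u (mod q)
assert all(xi in (0, 1) for xi in x)                   # 0/1 coordinates: short
```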

The gadget vector defined by (6.2.3) can also be used as a sample of the one-dimensional LWE distribution, so that the secret of the LWE distribution can be easily recovered. Let *A* = *g*′ ∈ Z<sup>1×*l*</sup>*q*, *b* = (*b*1, *b*2,..., *bl*)*T* ∈ Z*l**q*; we get the LWE1,*q*,χ,*l* problem

(see Definition 3.3.3 in Chap. 3)

$$b\_i \equiv\_\chi 2^i s\_i + e\_i \pmod{q}, \; e = \begin{pmatrix} e\_1 \\ e\_2 \\ \vdots \\ e\_l \end{pmatrix} \gets \chi^l, \; 1 \leqslant i \leqslant l.$$

If the LWE distribution *A*<sub>*s*,χ</sub> = (*g*′, *b*) is given, we can recover the private key with high probability from the relations (when *q* is odd, each 2<sup>*i*−1</sup> is invertible mod *q*)

$$s \equiv\_\chi 2^{-(i-1)} b\_i \pmod{q}, \ 1 \leqslant i \leqslant l.$$

In order to generalize the above gadget technique to higher dimensions, i.e. *n* > 1, we need to replace the gadget vector *g* defined in (6.2.3) with the gadget matrix. Let *A* = (*a<sub>ij</sub>*)<sub>*n*<sub>1</sub>×*n*<sub>2</sub></sub>, *B* = (*b<sub>ij</sub>*)<sub>*m*<sub>1</sub>×*m*<sub>2</sub></sub>; the Kronecker product *A* ⊗ *B* (see Chap. 2 in Zheng 2022) of the matrices *A* and *B* is defined as

$$A \otimes B = \begin{pmatrix} a\_{11}B & a\_{12}B & \cdots & a\_{1n\_2}B \\ a\_{21}B & a\_{22}B & \cdots & a\_{2n\_2}B \\ \vdots & \vdots & & \vdots \\ a\_{n\_11}B & a\_{n\_12}B & \cdots & a\_{n\_1n\_2}B \end{pmatrix}\_{n\_1m\_1 \times n\_2m\_2} \tag{6.2.5}$$

**Definition 6.2.1** Assume *n* > 1 and let *I<sub>n</sub>* be the *n* dimensional identity matrix. We define the *n* × *nl* dimensional gadget matrix *G* as the following block diagonal matrix,

$$G = I\_n \otimes \mathbf{g'} = \text{diag}\{\mathbf{g'}, \mathbf{g'}, \dots, \mathbf{g'}\} \in \mathbb{Z}\_q^{n \times nl},\tag{6.2.6}$$

where *g*′ is the transpose of the gadget vector *g* defined in (6.2.3).

**Lemma 6.2.2** *Let G be the gadget matrix and u* ∈ Z<sub>*q*</sub><sup>*n*</sup> *be the target vector. Then the shortest integer solution x* ∈ Z<sup>*nl*</sup> *of the SIS problem Gx* ≡ *u* (*mod q*) *can be uniquely determined by Lemma 6.2.1.*

*Proof* Let *u* = (*u*<sub>1</sub>, *u*<sub>2</sub>, ..., *u<sub>n</sub>*)′ ∈ Z<sub>*q*</sub><sup>*n*</sup> be a given target vector, and let *x* be an *nl* dimensional column vector, partitioned as

$$\boldsymbol{x} = \begin{pmatrix} \boldsymbol{x}\_1 \\ \boldsymbol{x}\_2 \\ \vdots \\ \boldsymbol{x}\_n \end{pmatrix}, \text{ where } \boldsymbol{x}\_i \in \mathbb{Z}^l, \ 1 \le i \le n.$$

Based on the definition of gadget matrix *G*, the SIS problem *Gx* ≡ *u* (mod *q*) is equivalent to the following *n* equations:

$$g' x\_i \equiv u\_i \pmod{q}, \ 1 \le i \le n.$$

By Lemma 6.2.1, the shortest integer solution of each equation is uniquely determined as *x<sub>i</sub>* = α*<sub>i</sub>* ∈ Z<sup>*l*</sup>, so

$$\boldsymbol{x} = \begin{pmatrix} \alpha\_1 \\ \alpha\_2 \\ \vdots \\ \alpha\_n \end{pmatrix}$$

is the shortest integer solution of *Gx* ≡ *u* (mod *q*). Lemma 6.2.2 holds.

**Definition 6.2.2** For any *u* ∈ Z<sub>*q*</sub><sup>*n*</sup>, we define the function *G*<sup>−1</sup>: Z<sub>*q*</sub><sup>*n*</sup> → Z<sup>*nl*</sup> by *G*<sup>−1</sup>(*u*) = *x*, where *x* ∈ Z<sup>*nl*</sup> is the shortest integer solution of *Gx* ≡ *u* (mod *q*).

Lemma 6.2.2 guarantees the existence of the function *G*−<sup>1</sup> and gives the way to compute the vector *x*. By Definition 6.2.2, we have

$$GG^{-1}(u) \equiv u \pmod{q},\tag{6.2.7}$$

the above function *G*<sup>−1</sup>: Z<sub>*q*</sub><sup>*n*</sup> → Z<sup>*nl*</sup> can be regarded as an 'inverse' of the gadget matrix *G* (note that *G*<sup>−1</sup> is not a linear map).
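Blockwise, *G*<sup>−1</sup> just applies the binary decomposition of Lemma 6.2.1 to each coordinate of *u*; a small self-contained sketch (the toy values *n* = 3 and *q* = 97 are arbitrary):

```python
import numpy as np

q = 97
l = q.bit_length()                       # 7, since 2^6 <= 97 < 2^7
n = 3

g = 2 ** np.arange(l)                    # gadget vector
G = np.kron(np.eye(n, dtype=int), g)     # gadget matrix, n x nl

def G_inv(u):
    """Shortest integer solution x of Gx = u (mod q): blockwise binary digits."""
    return np.array([(int(ui) >> k) & 1 for ui in u for k in range(l)])

u = np.array([5, 42, 90])
x = G_inv(u)                             # 0/1 vector of length nl
assert np.array_equal(G @ x % q, u)      # G G^{-1}(u) = u (mod q), cf. (6.2.7)
```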

When using the gadget matrix *G* as the LWE distribution sample to solve the LWE problem, notice that for any *n* dimensional vector *s* = (*s*<sub>1</sub>, *s*<sub>2</sub>, ..., *s<sub>n</sub>*)′ ∈ Z<sub>*q*</sub><sup>*n*</sup>, we have

$$s'G = (s\_1g', s\_2g', \dots, s\_ng') \in \mathbb{Z}\_q^{nl}.\tag{6.2.8}$$

For the LWE distribution *A*<sub>*s*,χ</sub> = (*G*, *b*), where *b* ∈ Z<sub>*q*</sub><sup>*nl*</sup>, solving for the private key *s* in

$$b' \equiv\_{\chi} \mathbf{s'}G \pmod{q}, \quad b \in \mathbb{Z}\_q^{nl}, \quad \mathbf{s} \in \mathbb{Z}\_q^n,$$

based on (6.2.8), it can be transformed into *n* one dimensional LWE distribution problems, which has been discussed above.

The solutions of the SIS problem and the LWE problem discussed above are easy to compute because these problems are based on specific gadget vectors and gadget matrices. To get more general results, we need the trapdoor matrix, the tag matrix (tag) and the Gauss matrix. An integer matrix *R* is called a Gauss matrix if all of its components are independent and have the discrete Gauss distribution. Since the Gauss distribution concentrates near 0, a random Gauss matrix is, with high probability, a matrix of short integer vectors.

**Definition 6.2.3** Let *A* ∈ Z<sub>*q*</sub><sup>*n*×*m*</sup> be a given matrix, *R* ∈ Z<sup>*m*×*nl*</sup> be a Gauss matrix, *H* ∈ Z<sub>*q*</sub><sup>*n*×*n*</sup> be an invertible *n* dimensional square matrix, and *G* ∈ Z<sub>*q*</sub><sup>*n*×*nl*</sup> be the gadget matrix. If

$$AR \equiv HG \pmod{q},\tag{6.2.9}$$

then *R* is called the trapdoor matrix of *A*, and *H* the tag matrix.

Generally, *A* is called the check matrix, and *R* satisfying (6.2.9) is called the trapdoor matrix of the check matrix *A* with the tag *H*. To better understand Definition 6.2.3, recall that by Lemma 6.2.2 the SIS problem generated by the gadget matrix *G* can be solved easily. If *H* ∈ Z<sub>*q*</sub><sup>*n*×*n*</sup> is an invertible matrix, then the SIS or LWE problems generated by *HG* are also easy to compute. In fact, for any target vector *u* ∈ Z<sub>*q*</sub><sup>*n*</sup>,

$$HGx \equiv u \pmod{q} \Leftrightarrow Gx \equiv H^{-1}u \pmod{q}.$$

The shortest integer solution of the SIS problem on the right-hand side is *G*<sup>−1</sup>(*H*<sup>−1</sup>*u*); therefore, the shortest integer solution of *HGx* ≡ *u* (mod *q*) is *x* = *G*<sup>−1</sup>(*H*<sup>−1</sup>*u*), i.e. the target vector is replaced by *H*<sup>−1</sup>*u*. The LWE problem generated by *HG* can be discussed in the same way. Next we generalize these results to a general matrix *A*.

**Lemma 6.2.3** *For any check matrix A* ∈ Z<sub>*q*</sub><sup>*n*×*m*</sup>*, the shortest integer solution of the SIS problem Ax* ≡ *u* (*mod q*) *generated by A could be approximated as*

$$\mathbf{x} = Rw, \quad \text{where } w = G^{-1}(H^{-1}u), \tag{6.2.10}$$

*R is the trapdoor matrix of A with tag H.*

*Proof* Suppose the trapdoor matrix *R* of *A* exists. In the SIS problem *Ax* ≡ *u* (mod *q*) generated by *A* (*x* ∈ Z<sup>*m*</sup>, target vector *u* ∈ Z<sub>*q*</sub><sup>*n*</sup>), let *x* = *R*w, where w ∈ Z<sup>*nl*</sup>; therefore,

$$Ax \equiv u \pmod{q} \Rightarrow ARw \equiv u \pmod{q},$$

we have

$$HGw \equiv u \pmod{q} \Rightarrow w = G^{-1}(H^{-1}u). \tag{6.2.11}$$

Since w is the shortest integer solution of (6.2.11) and the trapdoor matrix *R* is a Gauss matrix, *x* = *R*w = *RG*<sup>−1</sup>(*H*<sup>−1</sup>*u*) is a short integer solution of the SIS problem generated by *A*, i.e. we can regard *RG*<sup>−1</sup>(*H*<sup>−1</sup>*u*) as an approximate solution of the SIS problem.

To quantify the efficiency of the approximation (6.2.10), we define the mass *s*<sub>1</sub>(*R*) of the trapdoor matrix *R* as

$$s\_1(R) = \max\_{z \in \mathbb{R}^{nl}, |z|=1} |Rz|. \tag{6.2.12}$$

By (6.2.10),

$$|\mathbf{x}| = |Rw| \lessapprox s\_1(R)|w|,\tag{6.2.13}$$

thus, the smaller *s*<sub>1</sub>(*R*) is, the shorter |*x*| is, and the more accurate the approximate solution of the SIS problem. So we can say that the smaller *s*<sub>1</sub>(*R*) is, the higher the mass of the trapdoor matrix *R*.

Finally, let us discuss the generation of the trapdoor matrix. For any uniformly distributed random matrix *Ā* ∈ Z<sub>*q*</sub><sup>*n*×*m̄*</sup>, suppose *R̄* ∈ Z<sup>*m̄*×*nl*</sup> is a Gauss matrix, and let

$$A = [\overline{A}, HG - \overline{A}\,\overline{R}] \in \mathbb{Z}\_q^{n \times m}, \; m = \overline{m} + nl,\tag{6.2.14}$$

where *H* ∈ Z<sub>*q*</sub><sup>*n*×*n*</sup> is a given invertible matrix and *G* is the gadget matrix.

**Lemma 6.2.4** *If A is given by (6.2.14), then the trapdoor matrix of A with the tag H is*

$$R = \begin{pmatrix} \overline{R} \\ I\_{nl} \end{pmatrix} \in \mathbb{Z}^{m \times nl}, \ m = \overline{m} + nl. \tag{6.2.15}$$

*Proof* From the definition of *A* and *R*

$$AR = [\overline{A}, HG - \overline{A}\,\overline{R}] \begin{pmatrix} \overline{R} \\ I\_{nl} \end{pmatrix}$$

$$\begin{aligned} & \equiv \overline{A} \; \overline{R} + HG - \overline{A} \; \overline{R} \; (\text{mod } q) \\\\ & \equiv HG \; (\text{mod } q), \end{aligned}$$

so *R* given by (6.2.15) is the trapdoor matrix of *A* with the tag *H*.
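Lemma 6.2.4 together with Lemma 6.2.3 gives a complete pipeline: generate a check matrix with a trapdoor and use the trapdoor to produce a short solution of the SIS problem. A numerical sketch with toy sizes, taking the tag *H* = *I<sub>n</sub>* for simplicity (all parameters are illustrative):

```python
import numpy as np

rng = np.random.default_rng(0)
q = 97
l = q.bit_length()                               # 7
n, m_bar = 3, 20                                 # toy dimensions
g = 2 ** np.arange(l)
G = np.kron(np.eye(n, dtype=int), g)             # n x nl gadget matrix

# Trapdoor generation (6.2.14) with H = I_n: A = [A_bar, G - A_bar R_bar]
A_bar = rng.integers(0, q, (n, m_bar))
R_bar = np.rint(rng.normal(0, 2.0, (m_bar, n * l))).astype(int)  # Gauss matrix
A = np.hstack([A_bar, (G - A_bar @ R_bar) % q])
R = np.vstack([R_bar, np.eye(n * l, dtype=int)])
assert np.array_equal(A @ R % q, G % q)          # AR = HG (mod q)

def G_inv(u):                                    # blockwise binary decomposition
    return np.array([(int(ui) >> k) & 1 for ui in u for k in range(l)])

# Approximate SIS solution (6.2.10): x = R w with w = G^{-1}(u)
u = rng.integers(0, q, n)
x = R @ G_inv(u)                                 # short, since R is short
assert np.array_equal(A @ x % q, u % q)          # Ax = u (mod q)
```

The solution *x* is short because both *R* and the 0/1 vector *G*<sup>−1</sup>(*u*) are short.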

The mass *s*<sub>1</sub>(*R*) of the Gauss matrix *R* can be estimated using classical random matrix theory. The following result is taken from R. Vershynin's chapter in 'Compressed Sensing: Theory and Applications' (Chap. 5, pp. 210–268, Cambridge University Press, 2012).

**Lemma 6.2.5** *Suppose R is given by (6.2.15), where R̄ is a Gauss matrix whose entries have the discrete Gauss distribution with parameter s. Then we have the following relation with high probability*

$$s\_1(R) = O\left(s(\sqrt{\overline{m}} + \sqrt{nl})\right).$$

*Proof* Based on the definition (6.2.12) of *s*<sub>1</sub>(*R*),

$$s\_1(R) = \max\_{z \in \mathbb{R}^{nl}, |z|=1} |Rz| = \max\_{z \in \mathbb{R}^{nl}, |z|=1} \left| \begin{pmatrix} \overline{R} \\ I\_{nl} \end{pmatrix} z \right| = \max\_{z \in \mathbb{R}^{nl}, |z|=1} \left| \begin{pmatrix} \overline{R}z \\ z \end{pmatrix} \right| = \max\_{z \in \mathbb{R}^{nl}, |z|=1} \sqrt{|\overline{R}z|^2 + |z|^2},$$

denote *R̄* = (*r<sub>ij</sub>*)<sub>*m̄*×*nl*</sub>, where each *r<sub>ij</sub>* has the discrete Gauss distribution with parameter *s*. By the Chebyshev inequality, for any positive integer *k*,

$$\Pr\{|r\_{ij}| \leqslant ks\} \geqslant 1 - \frac{\text{Var}(r\_{ij})}{k^2 s^2} \geqslant 1 - \frac{s^2}{2\pi k^2 s^2} = 1 - \frac{1}{2\pi k^2}.$$

It follows that the probability that all the *m̄* · *nl* variables *r<sub>ij</sub>* satisfy |*r<sub>ij</sub>*| ≤ *ks* is at least (1 − 1/(2π*k*<sup>2</sup>))<sup>*m̄nl*</sup>. We choose *k* large enough so that this probability is sufficiently close to 1; thus,

$$s\_1(R) = \max\_{z \in \mathbb{R}^{nl}, |z|=1} \sqrt{|\overline{R}z|^2 + |z|^2} \leqslant \sqrt{\sum\_{i=1}^{\overline{m}} \sum\_{j=1}^{nl} r\_{ij}^2 + 1} \leqslant \sqrt{1 + \overline{m}nl\,k^2 s^2} \leqslant Ks(\sqrt{\overline{m}} + \sqrt{nl}),$$

where *K* = (*k* + 1)√(*m̄nl*) / (√*m̄* + √*nl*), so we have

$$\Pr\{s\_1(R) \leqslant Ks(\sqrt{\overline{m}} + \sqrt{nl})\} \geqslant \left(1 - \frac{1}{2\pi k^2}\right)^{\overline{m}nl},$$

i.e. in the sense of high probability

$$s\_1(R) = O\left(s(\sqrt{\overline{m}} + \sqrt{nl})\right).$$
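The estimate of Lemma 6.2.5 is easy to observe empirically: for a rounded Gaussian *R̄* with parameter *s*, the spectral norm *s*<sub>1</sub>(*R*) concentrates near *s*(√*m̄* + √*nl*). A quick experiment (all sizes are illustrative):

```python
import numpy as np

rng = np.random.default_rng(1)
m_bar, nl, s = 400, 100, 3.0                    # illustrative sizes and parameter
R_bar = np.rint(rng.normal(0, s, (m_bar, nl)))  # rounded Gauss matrix
R = np.vstack([R_bar, np.eye(nl)])              # R = (R_bar; I)
s1 = np.linalg.norm(R, 2)                       # spectral norm s_1(R)
bound = s * (np.sqrt(m_bar) + np.sqrt(nl))      # s (sqrt(m_bar) + sqrt(nl)) = 90
assert 0.7 * bound < s1 < 1.3 * bound           # s_1(R) = O(s(sqrt(m_bar) + sqrt(nl)))
```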

#### **6.3 Bounded Fully Homomorphic Encryption**

In 2009, C. Gentry of Stanford University in the USA first proposed a bounded fully homomorphic encryption based on ideal lattices, which has had a great influence in the field of theoretical computer science, and a number of improved works have been proposed one after another. Brakerski and Vaikuntanathan proposed a fully homomorphic encryption system based on LWE cryptography in 2011 (see Brakerski & Vaikuntanathan, 2011a, 2011b, 2014, 2015), which we call BV fully homomorphic encryption. Another improvement is the fully homomorphic encryption using the trapdoor matrix proposed by Gentry, Sahai and Waters in 2013, which we call GSW fully homomorphic encryption. The BV and GSW cryptosystems are currently among the most active and cutting-edge research directions. The main purpose of this section is to introduce these two fully homomorphic encryption systems.

#### **1. BV fully homomorphic encryption**

Review the LWE cryptosystem by Regev introduced in Chap. 4. Let *n* ≥ 2, *q* ≥ 2, and let χ be a given distribution on Z<sub>*q*</sub>. The (*n* − 1) dimensional LWE distribution obtained by random sampling is (see Definition 3.3.2 in Chap. 3)

$$\begin{cases} A\_{s,\chi} = (\overline{a}, b) \in \mathbb{Z}\_q^{n-1} \times \mathbb{Z}\_q, \\ b \equiv\_{\chi} \langle \overline{a}, \overline{s} \rangle + e \pmod{q}, \end{cases} \tag{6.3.1}$$

where *ā* ∈ Z<sub>*q*</sub><sup>*n*−1</sup> is uniformly distributed, *s̄* ∈ Z<sub>*q*</sub><sup>*n*−1</sup> is the randomly chosen private key, and *e* ∈ Z<sub>*q*</sub> has the distribution χ. Generally, χ is chosen as the discrete Gauss distribution on Z<sub>*q*</sub>. Let

$$a = \begin{pmatrix} \overline{a} \\ b \end{pmatrix} \in \mathbb{Z}\_q^n, \quad s = \begin{pmatrix} -\overline{s} \\ 1 \end{pmatrix} \in \mathbb{Z}\_q^n,$$

*a* is the public key and *s* is the private key. The key equality of the encryption and decryption algorithm of the LWE cryptosystem (*m* = 1) is:

$$\langle s, a \rangle = (-\overline{s}', 1) \begin{pmatrix} \overline{a} \\ b \end{pmatrix} = b - \langle \overline{a}, \overline{s} \rangle \equiv\_{\chi} e \pmod{q},\tag{6.3.2}$$

*<sup>e</sup>* <sup>∈</sup> <sup>Z</sup>*<sup>q</sup>* has the discrete Gauss distribution, and *<sup>e</sup>* is very close to 0 with high probability, so it is also called the error term.

To better understand the fully homomorphic encryption technology based on the above LWE cryptosystem, we rewrite it into the form of symmetric encryption by formula (6.3.2).

#### **Most significant bit**

Let *s* ∈ Z<sub>*q*</sub><sup>*n*</sup> be a private key, *q* > 2 be an odd number, and *u* ∈ Z<sub>2</sub> be the plaintext. The most significant bit encryption of the plaintext *u* by the LWE distribution *A* is *c* = *f<sub>A</sub>*(*u*), where *c* ∈ Z<sub>*q*</sub><sup>*n*</sup> is the ciphertext, satisfying

$$\langle s, c \rangle \equiv\_{\chi} u \left\lfloor \frac{q}{2} \right\rfloor \pmod{q}, \ c \in \mathbb{Z}\_q^n,\tag{6.3.3}$$

where ⟨*s*, *c*⟩ is the inner product. Equation (6.3.3) is not an exact congruence, but a congruence with an error term which is small with high probability. It should be noted that the encryption function *f<sub>A</sub>* is only formal, and its specific algorithm depends on the samples of the LWE distribution (see Chap. 4).

Using the private key *s* ∈ Z<sub>*q*</sub><sup>*n*</sup>, the decryption of the ciphertext *c* is defined by

$$f\_A^{-1}(c) \equiv\_\chi \left\lfloor \frac{2}{q} \langle s, c \rangle \right\rceil \equiv\_\chi \left\lfloor \frac{2}{q} \left\lfloor \frac{q}{2} \right\rfloor u \right\rceil \equiv\_{\chi} u \pmod{2} \quad \text{(see Lemma 3.3 in Chap. 4).} \tag{6.3.4}$$
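The most significant bit encryption and the decryption rule (6.3.4) can be exercised with a toy symmetric implementation of (6.3.2)–(6.3.3); the dimension, modulus and noise bound below are arbitrary illustrative choices:

```python
import random

q, n1 = 97, 8                          # odd modulus and dimension of s_bar (toy)
s_bar = [random.randrange(q) for _ in range(n1)]

def encrypt_bit(u, noise=3):
    """Ciphertext c with <s, c> = u*floor(q/2) + e (mod q), s = (-s_bar, 1)."""
    a = [random.randrange(q) for _ in range(n1)]
    e = random.randint(-noise, noise)
    b = (sum(ai * si for ai, si in zip(a, s_bar)) + e + u * (q // 2)) % q
    return a + [b]

def decrypt_bit(c):
    v = (c[-1] - sum(ci * si for ci, si in zip(c, s_bar))) % q
    if v > q // 2:                     # centre v in (-q/2, q/2]
        v -= q
    return round(2 * v / q) % 2        # the rounding of (6.3.4)

assert all(decrypt_bit(encrypt_bit(u)) == u for u in (0, 1))
```

Decryption succeeds because the error satisfies |*e*| ≤ 3 < *q*/4, exactly the condition discussed below.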

In order to better understand the fully homomorphic property (bounded) of the LWE cryptosystem, we write the most significant bit as the following equivalent least significant bit.

#### **Least significant bit**

Assume *q* > 2 is an odd number and *u* ∈ Z<sub>2</sub> is a given plaintext. Let *m* ≡ *u* (mod 2) with −*q*/2 < *m* ≤ *q*/2, i.e.

$$m \in \{u + 2\mathbb{Z}\} \cap \left( -\frac{q}{2}, \frac{q}{2} \right]. \tag{6.3.5}$$

The least significant bit encryption of *u* is *f<sub>A</sub>*(*u*) = *c* ∈ Z<sub>*q*</sub><sup>*n*</sup>, where the ciphertext *c* satisfies

$$\langle s, c \rangle \equiv m \pmod{q},\tag{6.3.6}$$

(6.3.6) is an exact congruence equation.

The decryption of the ciphertext *c* still uses the private key *s* ∈ Z<sub>*q*</sub><sup>*n*</sup> and is divided into the following two steps:

1. There exists exactly one *m* satisfying *m* ≡ ⟨*s*, *c*⟩ (mod *q*) and −*q*/2 < *m* ≤ *q*/2.
2. Let *u* ≡ *m* (mod 2); then we get the plaintext *f*<sup>−1</sup><sub>*A*</sub>(*c*) = *u*.

We will prove that the most significant bit and the least significant bit encryptions are actually equivalent for multibit plaintexts in the general case. First, we look at the difference between the two encryptions in the case *u* ∈ Z<sub>2</sub>. Write Eq. (6.3.3) in the error form,

$$\langle s, c \rangle \equiv e + u \left\lfloor \frac{q}{2} \right\rfloor \pmod{q},$$

then

$$f\_A^{-1}(c) \equiv \left\lfloor \frac{2}{q}e \right\rceil + u \pmod{2}.$$

For a real number *x*, ⌊*x*⌉ = 0 ⇔ −1/2 < *x* ≤ 1/2, so decryption is correct whenever −*q*/4 < *e* ≤ *q*/4. Compared with (4.1.7) in Chap. 4, the decryption of Regev's cryptosystem is actually Eq. (6.3.4) here. This observation enables us to construct a corresponding cryptosystem for multibit plaintexts.

Let 1 < *p* < *q* be two positive integers with (*p*, *q*) = 1, let Z<sub>*p*</sub> be the plaintext space and Z<sub>*q*</sub><sup>*n*</sup> the ciphertext space, and let *s* ∈ Z<sub>*q*</sub><sup>*n*</sup> be the randomly chosen private key.

Most significant bit: for a given plaintext *u* ∈ Z<sub>*p*</sub>, we define the most significant bit encryption of *u* as *M*(*u*) = w ∈ Z<sub>*q*</sub> satisfying

$$
\left\lfloor \frac{p}{q} w \right\rceil \equiv u \pmod{p},\tag{6.3.7}
$$

in fact, taking w = ⟨*s*, *c*⟩, we can write the ciphertext as

$$M(u) = w \equiv \left\lfloor \frac{q}{p} u \right\rceil \pmod{q},\tag{6.3.8}$$

the decryption function

$$M^{-1}(w) \equiv \left\lfloor \frac{p}{q} w \right\rceil \equiv u \pmod{p},$$

we can get the plaintext *u*.
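The round trip (6.3.8) followed by the decryption *M*<sup>−1</sup> is easy to confirm numerically; *p* = 5 and *q* = 97 are arbitrary coprime moduli:

```python
q, p = 97, 5                            # illustrative coprime moduli, 1 < p < q

for u in range(p):
    w = round(q * u / p) % q            # most significant bit encoding (6.3.8)
    assert round(p * w / q) % p == u    # decryption M^{-1}(w) = u (mod p)
```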

Least significant bit: the least significant bit encryption of a given plaintext *u* ∈ Z<sub>*p*</sub> is v, i.e. *L*(*u*) = v ∈ Z<sub>*q*</sub> satisfies

$$v \equiv e \pmod{q}, \; e \equiv u \pmod{p}, \; -\frac{q}{2} \leqslant e < \frac{q}{2},$$

the decryption of the ciphertext v: there exists exactly one *e* ∈ [−*q*/2, *q*/2) with v ≡ *e* (mod *q*); let *u* ≡ *e* (mod *p*), then *L*<sup>−1</sup>(v) = *u*. In fact, the v here is ⟨*s*, *c*⟩.

**Lemma 6.3.1** *If* 1 < *p* < *q,* (*p*, *q*) = 1*, then the most significant bit and the least significant bit are equivalent.*

*Proof* Since (*p*, *q*) = 1, there are integers *c<sub>p</sub>*, *c<sub>q</sub>* ∈ Z such that

$$c\_p \cdot p + c\_q \cdot q = 1.$$

Actually, *c<sub>p</sub>* is the multiplicative inverse of *p* mod *q*, and *c<sub>q</sub>* is the multiplicative inverse of *q* mod *p*. Denote *c<sub>p</sub>* = *p*<sup>−1</sup> and *c<sub>q</sub>* = *q*<sup>−1</sup>.

Assume v ∈ Z<sub>*q*</sub> is the least significant bit of the plaintext *u* ∈ Z<sub>*p*</sub>, i.e. *L*(*u*) = v. We are to prove that the most significant bit of the plaintext −*q*<sup>−1</sup>*u* ∈ Z<sub>*p*</sub> is *p*<sup>−1</sup>v ∈ Z<sub>*q*</sub>, i.e.

$$M(-q^{-1}u) = p^{-1}v.$$

Based on v ≡ *e* (mod *q*), *e* ∈ {*u* + *p*Z} ∩ [−*q*/2, *q*/2), we have

$$
\left\lfloor \frac{p}{q} p^{-1} v \right\rceil = \left\lfloor \frac{p}{q} e \frac{1 - c\_q q}{p} \right\rceil
$$

$$
= \left\lfloor \frac{e}{q} - e c\_q \right\rceil
$$

$$
= -c\_q e \equiv -q^{-1} u \pmod{p},
$$

this means *M*(−*q*<sup>−1</sup>*u*) = *p*<sup>−1</sup>v. On the other hand, if w = *M*(*u*), i.e. w is the most significant bit of the plaintext *u*, we confirm that the least significant bit of −*qu* is just *p*w ∈ Z<sub>*q*</sub>, i.e.

$$L(-qu) = pw \in \mathbb{Z}\_q,$$

by the definition of the most significant bit,

$$
\left\lfloor \frac{p}{q} w \right\rceil = \frac{p}{q} w - r \equiv u \pmod{p},
$$

where −1/2 ≤ *r* < 1/2. Multiplying the congruence by *q*, we get

$$pw - qr \equiv qu \pmod{pq}.$$

Let *qr* = *e*, we get

$$pw - e \equiv qu \pmod{pq}, \ -\frac{q}{2} \le e < \frac{q}{2},$$

it follows that *p*w ≡ *e* (mod *q*), and *e* ≡ −*qu* (mod *p*), namely *L*(−*qu*) = *p*w.

In conclusion, there is a one-to-one correspondence between the most significant bit and the least significant bit encryptions of a plaintext, so the two forms of encryption are equivalent.

Finally, we discuss the fully homomorphic property of the BV encryption system, which is summarized in the following theorem.

**Theorem 6.3.1** *Let p* = 2*, q* > 2 *be an odd number, then the BV encryption system is bounded fully homomorphic encryption, and its fully homomorphic boundary is*

$$M = \left(-\frac{q}{2}, \frac{q}{2}\right].$$

*Proof* Based on the least significant bit form of the BV encryption system, its decryption function *f*<sup>−1</sup><sub>*s*</sub> can be decomposed into two maps: a map σ<sub>1</sub> from the ciphertext space Z<sub>*q*</sub><sup>*n*</sup> to *M* ∩ Z<sub>*q*</sub>, followed by the natural homomorphism σ<sub>2</sub>: Z<sub>*q*</sub> → Z<sub>2</sub> (reduction mod 2); that is, *f*<sup>−1</sup><sub>*s*</sub> decomposes as

$$
\mathbb{Z}\_q^n \xrightarrow{\sigma\_1} M \cap \mathbb{Z}\_q \xrightarrow{\sigma\_2} \mathbb{Z}\_2,
$$

where σ<sub>1</sub> is defined for any ciphertext *c* ∈ Z<sub>*q*</sub><sup>*n*</sup> by σ<sub>1</sub>(*c*) = *m* ∈ *M* ∩ Z<sub>*q*</sub>, satisfying

$$\langle s, c \rangle \equiv m \pmod{q}.$$

Since there exists only one *m* satisfying the above formula, σ<sub>1</sub> is well-defined. For two ciphertexts *c*<sub>1</sub>, *c*<sub>2</sub> with σ<sub>1</sub>(*c<sub>i</sub>*) = *m<sub>i</sub>* and *f*<sup>−1</sup><sub>*s*</sub>(*c<sub>i</sub>*) = *u<sub>i</sub>*, it follows that

$$\langle s, c\_1 + c\_2 \rangle = \langle s, c\_1 \rangle + \langle s, c\_2 \rangle \equiv m\_1 + m\_2 \pmod{q},\tag{6.3.9}$$

i.e. <sup>σ</sup>1(*c*<sup>1</sup> <sup>+</sup> *<sup>c</sup>*2) <sup>=</sup> *<sup>m</sup>*<sup>1</sup> <sup>+</sup> *<sup>m</sup>*2, if *<sup>m</sup>*<sup>1</sup> <sup>+</sup> *<sup>m</sup>*<sup>2</sup> <sup>∈</sup> *<sup>M</sup>* <sup>∩</sup> <sup>Z</sup>*<sup>q</sup>* , then

$$\begin{aligned} f\_s^{-1}(c\_1 + c\_2) &= \sigma\_2(\sigma\_1(c\_1) + \sigma\_1(c\_2)) \\ &= \sigma\_2(m\_1 + m\_2) \\ &\equiv u\_1 + u\_2 \pmod{2}, \end{aligned}$$

so we have

$$f\_s^{-1}(c\_1 + c\_2) = u\_1 + u\_2 = f\_s^{-1}(c\_1) + f\_s^{-1}(c\_2),$$

i.e. *f<sub>s</sub>* is additively homomorphic.

To introduce the multiplicative homomorphism, we define the Kronecker convolution of two vectors in Z<sub>*q*</sub><sup>*n*</sup>. Let *c*<sub>1</sub> = (*c*<sub>11</sub>, *c*<sub>12</sub>, ..., *c*<sub>1*n*</sub>) ∈ Z<sub>*q*</sub><sup>*n*</sup> and *c*<sub>2</sub> = (*c*<sub>21</sub>, *c*<sub>22</sub>, ..., *c*<sub>2*n*</sub>) ∈ Z<sub>*q*</sub><sup>*n*</sup> be two row vectors; we define the Kronecker convolution of *c*<sub>1</sub> and *c*<sub>2</sub> as *c*<sub>1</sub> ⊗ *c*<sub>2</sub>,

$$c\_1 \otimes c\_2 = (c\_{1i} \cdot c\_{2j})\_{1 \le i,j \le n} \in \mathbb{Z}\_q^{n^2}.\tag{6.3.10}$$

Obviously, for any four vectors *<sup>a</sup>*, *<sup>b</sup>*, *<sup>c</sup>*, *<sup>d</sup>* <sup>∈</sup> <sup>Z</sup>*<sup>n</sup> <sup>q</sup>* , we have

$$\langle a \otimes b, c \otimes d \rangle = \langle a, c \rangle \cdot \langle b, d \rangle. \tag{6.3.11}$$

In fact, let *a* = (*a*1, *a*2,..., *an*), *b* = (*b*1, *b*2,..., *bn*), *c* = (*c*1, *c*2,..., *cn*), *d* = (*d*1, *d*2,..., *dn*), by (6.3.10),

$$\langle a \otimes b, c \otimes d \rangle = \sum\_{i=1}^{n} \sum\_{j=1}^{n} a\_i b\_j c\_i d\_j$$

$$= \left(\sum\_{i=1}^{n} a\_i c\_i \right) \left(\sum\_{j=1}^{n} b\_j d\_j \right)$$

$$= \langle a, c \rangle \cdot \langle b, d \rangle,$$

thus, (6.3.11) holds.
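The identity (6.3.11) can be confirmed numerically; *q* = 97 and *n* = 4 are arbitrary choices:

```python
import random

q, n = 97, 4                                        # illustrative parameters

def kron(a, b):                                     # Kronecker convolution (6.3.10)
    return [x * y for x in a for y in b]

def inner(x, y):                                    # inner product mod q
    return sum(u * v for u, v in zip(x, y)) % q

rand_vec = lambda: [random.randrange(q) for _ in range(n)]
a, b, c, d = rand_vec(), rand_vec(), rand_vec(), rand_vec()
assert inner(kron(a, b), kron(c, d)) == inner(a, c) * inner(b, d) % q
```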

Let *c*<sub>1</sub>, *c*<sub>2</sub> ∈ Z<sub>*q*</sub><sup>*n*</sup> be two ciphertexts and *s* ∈ Z<sub>*q*</sub><sup>*n*</sup> be the private key; we define multiplication in the ciphertext space Z<sub>*q*</sub><sup>*n*</sup> as the Kronecker convolution. Suppose *s*<sup>∗</sup> = *s* ⊗ *s*; then the decryption function *f*<sup>−1</sup><sub>*s*<sup>∗</sup></sub> is a mapping from Z<sub>*q*</sub><sup>*n*<sup>2</sup></sup> to Z<sub>2</sub>. Based on (6.3.11), we have

$$\langle s^\*, c\_1 \otimes c\_2 \rangle = \langle s, c\_1 \rangle \cdot \langle s, c\_2 \rangle \equiv m\_1 \cdot m\_2 \pmod{q}.$$

If *<sup>m</sup>*1*m*<sup>2</sup> <sup>∈</sup> *<sup>M</sup>* <sup>∩</sup> <sup>Z</sup>*<sup>q</sup>* , then

$$m\_1 \equiv u\_1 \pmod{2}, \ m\_2 \equiv u\_2 \pmod{2} \implies m\_1 m\_2 \equiv u\_1 u\_2 \pmod{2},$$

namely

$$f\_{s^\*}^{-1}(c\_1 \otimes c\_2) = f\_s^{-1}(c\_1) \cdot f\_s^{-1}(c\_2),$$

i.e. *f<sub>s</sub>* satisfies the multiplicative homomorphism. So we have proved the bounded fully homomorphic property of the BV encryption system, and its fully homomorphic boundary is *M* = (−*q*/2, *q*/2].

The above Theorem 6.3.1 can be generalized to the multibit case, that is, plaintext *u* ∈ Z<sub>*p*</sub>, ciphertext *c* ∈ Z<sub>*q*</sub><sup>*n*</sup>, (*p*, *q*) = 1. Under these assumptions, the BV multibit fully homomorphic encryption system can be constructed, and we leave it as a question for the readers. Note that the dimensions of the ciphertext space and the key space grow from *n* to *n*<sup>2</sup> under the Kronecker convolution. The dimension can be reduced by using the gadget technique of Sect. 6.2. This reduction technique is called key conversion.

#### **Key conversion**

Let *c*<sub>in</sub> = *c*<sub>1</sub> ⊗ *c*<sub>2</sub> be an *n*<sub>in</sub> dimensional ciphertext, where *c*<sub>in</sub> and *n*<sub>in</sub> denote the input ciphertext and its dimension. By the most significant bit form of BV fully homomorphic encryption,

$$\langle s\_{\rm in}, c\_{\rm in} \rangle = s'\_{\rm in} \cdot c\_{\rm in} \equiv\_{\chi} u \left\lfloor \frac{q}{2} \right\rfloor \pmod{q}.\tag{6.3.12}$$

The above formula is obtained from (6.3.3), where *s*in is the private key with dimension *n*in. In order to reduce the dimension *n*in, we construct a private key *s*out with lower dimension and convert the input ciphertext *c*in into the output ciphertext *c*out encrypted by *s*out. Of course, the dimension *n*out of the output ciphertext *c*out and the key *s*out is much smaller than the input dimension *n*in. To do this, let *G* be the gadget matrix,

$$G = I\_{n\_{\rm in}} \otimes c\_{\rm in}^{'} = \text{diag}\{c\_{\rm in}^{'}, c\_{\rm in}^{'}, \dots, c\_{\rm in}^{'}\}\_{n\_{\rm in} \times n\_{\rm in}^{2}}.\tag{6.3.13}$$

*G* is the *n*in × *n*<sup>2</sup> in gadget matrix generated by the *n*in dimensional vector *c*in. By (6.2.7) and (6.3.12), we have

$$\langle s\_{\text{in}}, c\_{\text{in}} \rangle = s\_{\text{in}}' \cdot c\_{\text{in}} \equiv (s\_{\text{in}}' G) \cdot G^{-1}(c\_{\text{in}}) \equiv\_{\chi} u \left\lfloor \frac{q}{2} \right\rfloor \pmod{q},\tag{6.3.14}$$

where *G*<sup>−1</sup>(*c*<sub>in</sub>) = *x* is the shortest integer solution of *Gx* ≡ *c*<sub>in</sub> (mod *q*). Based on (6.2.8), *s*′<sub>in</sub> · *G* is an *n*<sup>2</sup><sub>in</sub> dimensional vector.

**Lemma 6.3.2** *For any n* < *n*<sub>in</sub>*, there exist a matrix K* ∈ Z<sub>*q*</sub><sup>*n*×*n*<sup>2</sup><sub>in</sub></sup> *and an n dimensional private key s*<sub>out</sub> *with high probability such that*

$$s\_{out}' \cdot K \equiv\_{\chi} s\_{in}' \cdot G \pmod{q}.\tag{6.3.15}$$

*Proof* The construction of the matrix *K* and the converted private key *s*<sub>out</sub> is related to the resampling technique (bootstrapping) of the LWE distribution. For the given vector *b* = *s*′<sub>in</sub>*G* ∈ Z<sub>*q*</sub><sup>*n*<sup>2</sup><sub>in</sub></sup>, we can take a sample *s*<sub>out</sub> ∈ Z<sub>*q*</sub><sup>*n*</sup>, a very small error vector *e* ∈ Z<sub>*q*</sub><sup>*n*<sup>2</sup><sub>in</sub></sup> (with high probability), and

$$A = [a\_1, a\_2, \dots, a\_{n\_{\text{in}}^2}], \ a\_i \in \mathbb{Z}\_q^n,$$

satisfying (see 4.1.3 in Chap. 4)

$$(s'\_{\text{out}}, -1) \begin{pmatrix} A \\ b' \end{pmatrix} \equiv\_{\chi} e \pmod{q} .$$

Since *e* is a very small error term, the above equation can be written in the form of a random congruence

$$s'\_{\rm out} A \equiv\_{\chi} b' = s'\_{\rm in} G \pmod{q}.$$

Let *K* = *A* ∈ Z<sub>*q*</sub><sup>*n*×*n*<sup>2</sup><sub>in</sub></sup>; we have

$$s'\_{\text{out}} K \equiv s'\_{\text{in}} G \pmod{q} .$$

Lemma 6.3.2 holds.

*Remark 6.3.1 K* is the public key which could be made public, the security of the private key *s*out will not be affected based on the security of the LWE distribution.

By (6.3.14) and Lemma 6.3.2, the input ciphertext *c*<sub>in</sub> is converted into a new output ciphertext *c*<sub>out</sub> = *K G*<sup>−1</sup>(*c*<sub>in</sub>), which is decrypted with the key *s*<sub>out</sub>; this is because

$$s'\_{\rm out}c\_{\rm out} = s'\_{\rm out}(K\,G^{-1}(c\_{\rm in}))$$

$$\equiv\_{\chi} s'\_{\rm in} \, G \cdot G^{-1}(c\_{\rm in}) \equiv\_{\chi} u \left\lfloor \frac{q}{2} \right\rfloor \pmod{q}.$$

We replace *c*in = *c*<sup>1</sup> ⊗ *c*<sup>2</sup> and *s*in = *s* ⊗ *s* with the new ciphertext *c*out and the converted key *s*out, which significantly reduces the dimension of the ciphertext.
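The key conversion can be sketched numerically. For concreteness the sketch below uses the standard gadget matrix of Sect. 6.2 (binary decomposition of *c*<sub>in</sub>) rather than the matrix (6.3.13); the dimensions, modulus and noise are toy choices, and the construction of *K* follows the proof of Lemma 6.3.2:

```python
import numpy as np

rng = np.random.default_rng(2)
q = 2 ** 10 + 3                     # illustrative odd modulus
l = q.bit_length()                  # 11
N, n = 9, 4                         # input / output key dimensions (toy sizes)

def g_inv(vec):
    """Binary decomposition: G x = vec (mod q) with x in {0,1}^(N l)."""
    return np.array([(int(v) >> k) & 1 for v in vec for k in range(l)])

g = 2 ** np.arange(l)
s_in = rng.integers(0, q, N)
b = np.concatenate([si * g % q for si in s_in])      # b' = s_in' G

# Key-switching matrix K: s_out' K = b' + e' (mod q) for a small noise e
s_top = rng.integers(0, q, n - 1)
s_out = np.concatenate([-s_top % q, [1]])            # s_out = (-s_top, 1)
A_top = rng.integers(0, q, (n - 1, N * l))
e = rng.integers(-2, 3, N * l)                       # very small error terms
K = np.vstack([A_top, (s_top @ A_top + e + b) % q])

c_in = rng.integers(0, q, N)
c_out = K @ g_inv(c_in) % q                          # c_out = K G^{-1}(c_in)
diff = int(s_out @ c_out - s_in @ c_in) % q
assert min(diff, q - diff) <= 2 * N * l              # only small noise is added
```

The assertion checks that ⟨*s*<sub>out</sub>, *c*<sub>out</sub>⟩ agrees with ⟨*s*<sub>in</sub>, *c*<sub>in</sub>⟩ up to the small quantity *e*′ · *G*<sup>−1</sup>(*c*<sub>in</sub>), which is exactly what the conversion requires.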

#### **2. GSW fully homomorphic encryption**

In 2013, Gentry et al. (2013) further improved BV fully homomorphic encryption by using gadget matrix and gadget technology. The greatest advantage is that fully homomorphic multiplication does not require the key conversion introduced in the previous subsection.

First, we select a random matrix *Ā* ∈ Z<sub>*q*</sub><sup>*n*×*m̄*</sup> with the number of columns *m̄* large enough. Define the following two matrices by *Ā*:

$$A\_i = x\_i G - \overline{A} R\_i \in \mathbb{Z}\_q^{n \times nl}, \ i = 1, 2,\tag{6.3.16}$$

where *x*<sub>1</sub>, *x*<sub>2</sub> ∈ Z<sub>*q*</sub> are two integers, *G* is the gadget matrix

$$G = \text{diag}\{\mathbf{g}', \mathbf{g}', \dots, \mathbf{g}'\}\_{n \times nl}, \ \mathbf{g}' \in \mathbb{Z}\_q^l,$$

here *l* is the integer with 2*<sup>l</sup>*<sup>−1</sup> ≤ *q* < 2*<sup>l</sup>*, and each *R<sub>i</sub>* ∈ Z<sup>*m̄*×*nl*</sup> is a Gauss matrix.

**Lemma 6.3.3** *1. The trapdoor matrix of* [*Ā*, *A*<sub>1</sub> + *A*<sub>2</sub>] *is*

$$\begin{pmatrix} R\_1 + R\_2 \\ I\_{nl} \end{pmatrix},$$

*and the tag matrix is* (*x*<sub>1</sub> + *x*<sub>2</sub>)*I<sub>n</sub>.*

*2. The trapdoor matrix of* [*Ā*, *A*<sub>1</sub>*G*<sup>−1</sup>(*A*<sub>2</sub>)] *is*

$$\begin{pmatrix} R \\ I\_{nl} \end{pmatrix},$$

*and the tag matrix is x*<sub>1</sub>*x*<sub>2</sub> *I<sub>n</sub>, where*

$$R = x\_1 R\_2 + R\_1 G^{-1}(A\_2). \tag{6.3.17}$$

*Proof* By (6.3.16), it is easy to get

$$A\_1 + A\_2 = (\mathbf{x}\_1 + \mathbf{x}\_2)G - \overline{A}(R\_1 + R\_2). \tag{6.3.18}$$

We regard each column vector of *A*<sub>2</sub> as the target vector *u* in Lemma 6.2.2; then the inverse function *G*<sup>−1</sup> in Definition 6.2.2 can be generalized columnwise to *G*<sup>−1</sup>(*A*<sub>2</sub>) ∈ Z<sup>*nl*×*nl*</sup>, where *G*<sup>−1</sup>(*A*<sub>2</sub>) = *x* is the shortest integer solution (each column of the matrix *x* being the shortest integer solution of the corresponding column equation) of

$$G\mathfrak{x} \equiv A\_2 \pmod{q}.\tag{6.3.19}$$

Thus, (6.2.7) generalizes to

$$G \cdot G^{-1}(A\_2) \equiv A\_2 \pmod{q},\tag{6.3.20}$$

so we have

$$A\_1 G^{-1}(A\_2) = (\mathbf{x}\_1 G - \overline{A} R\_1) G^{-1}(A\_2)$$

$$= \mathbf{x}\_1 A\_2 - \overline{A} R\_1 G^{-1}(A\_2)$$

$$= \mathbf{x}\_1 \mathbf{x}\_2 G - \mathbf{x}\_1 \overline{A} R\_2 - \overline{A} R\_1 G^{-1}(A\_2)$$

$$= \mathbf{x}\_1 \mathbf{x}\_2 G - \overline{A} (\mathbf{x}\_1 R\_2 + R\_1 G^{-1}(A\_2)).\tag{6.3.21}$$

Let $A = [\overline{A}, A\_1 + A\_2]$, $\overline{R} = \begin{pmatrix} R\_1 + R\_2 \\\\ I\_n \end{pmatrix}$, by (6.3.18), we get

$$A\overline{R} = A\_1 + A\_2 + \overline{A}(R\_1 + R\_2) = (x\_1 + x\_2)I\_n G,$$

therefore, $\overline{R}$ is the trapdoor matrix of $A$, and the tag matrix is $H = x\_1 I\_n + x\_2 I\_n$. We have proved part 1 of this lemma. To prove part 2, let

$$A = [\overline{A}, A\_1 G^{-1}(A\_2)], \ \overline{R} = \begin{pmatrix} R \\ I\_n \end{pmatrix},$$

where

$$R = x\_1 R\_2 + R\_1 G^{-1}(A\_2).$$

Based on (6.3.21),

$$\begin{aligned} A\overline{R} &= \overline{A}R + A\_1 G^{-1}(A\_2) \\\\ &= \overline{A}x\_1 R\_2 + \overline{A}R\_1 G^{-1}(A\_2) + A\_1 G^{-1}(A\_2) \\\\ &= x\_1 x\_2 G, \end{aligned}$$

this implies $\overline{R} = \begin{pmatrix} R \\\\ I\_n \end{pmatrix}$ is the trapdoor matrix of $A$, and the tag matrix is $H = x\_1 x\_2 I\_n$. So part 2 of this lemma holds.

In order to fully prove the conclusion of Lemma 6.3.3, it is also necessary to prove that the corresponding trapdoor matrix is a Gauss matrix, which is summarized in the following lemma.

**Lemma 6.3.4** *If $R$ is a Gauss matrix, then $\begin{pmatrix} R \\\\ I\_n \end{pmatrix}$ is also a Gauss matrix. If $R\_1$ and $R\_2$ are independent Gauss matrices, then $R\_1 + R\_2$ is a Gauss matrix.*

*Proof* Since 0 and 1 can be regarded as discrete Gauss distributions with parameter $s$ close enough to 0, $\begin{pmatrix} R \\\\ I\_n \end{pmatrix}$ is also a Gauss matrix. On the other hand, the sum of two independent Gauss-distributed random variables again has a Gauss distribution, so $R\_1 + R\_2$ is a Gauss matrix. The lemma holds.

Now we discuss the workflow of the GSW fully homomorphic encryption. Key: the public key is $\overline{A} \in \mathbb{Z}\_q^{n \times m}$, $m = n + nl$, where each column of $\overline{A}$ is an independent sample of the LWE distribution $A\_{s,\chi}$ under the private key $s \in \mathbb{Z}\_q^{n-1}$. Let $s' = (-s, 1) \in \mathbb{Z}\_q^n$; if $\chi$ has a discrete Gauss distribution, we have (see 4.1.3 in Chap. 4)

$$s'\overline{A} \equiv\_{\chi} 0 \pmod{q},\tag{6.3.22}$$

with the private key $s' = (-s, 1) \in \mathbb{Z}\_q^n$.

Encryption: let $x \in \mathbb{Z}\_q$ be a plaintext, and let $f(x)$ be the $n \times nl$ dimensional matrix $A$ encrypting $x$,

$$f(\mathbf{x}) = A = \mathbf{x}G - \overline{A}R,\tag{6.3.23}$$

i.e. $A$ is the ciphertext, $G$ is the $n \times nl$ gadget matrix, and $R \in \mathbb{Z}\_q^{m \times nl}$ is a Gauss matrix.

Decryption: based on (6.3.22), decrypt $A$ with the private key $s' = (-s, 1)$,

$$\begin{aligned} \text{s'}A &= \text{xs'}G - \text{s'}\overline{A}R \\\\ \equiv\_{\chi} \text{xs'}G \pmod{q}. \end{aligned} \tag{6.3.24}$$

Correctness: since $A$ is a given ciphertext matrix and $G$ is the gadget matrix, by (6.2.8), from

$$xs'G \equiv\_{\chi} s'A \pmod{q},$$

we can solve for the unique solution $xs'$ with high probability, and get $f^{-1}(A) = x$.

**Theorem 6.3.2** *The GSW encryption system is a bounded fully homomorphic encryption, where the addition and multiplication of ciphertexts are defined as follows: if $A\_1 = f(x\_1)$, $A\_2 = f(x\_2)$, then $A\_1 + A\_2$ is the matrix addition, and*

$$A\_1 A\_2 = A\_1 G^{-1}(A\_2) \in \mathbb{Z}\_q^{n \times nl} \tag{6.3.25}$$

*is the matrix multiplication.*

*Proof* The conclusion of Theorem 6.3.2 is actually implied in Lemma 6.3.3. Let $x\_1, x\_2 \in \mathbb{Z}\_q$ be two plaintexts,

$$\begin{cases} A\_1 = f(\mathbf{x}\_1) = \mathbf{x}\_1 G - \overline{A} \mathbf{R}\_1, \\ A\_2 = f(\mathbf{x}\_2) = \mathbf{x}\_2 G - \overline{A} \mathbf{R}\_2, \end{cases}$$

then

$$A\_1 + A\_2 = (x\_1 + x\_2)G - \overline{A}(R\_1 + R\_2),$$

so we have (with high probability)

$$f^{-1}(A\_1 + A\_2) = x\_1 + x\_2 = f^{-1}(A\_1) + f^{-1}(A\_2).$$

Let

$$R = \mathbf{x}\_1 \mathbf{R}\_2 + R\_1 \mathbf{G}^{-1}(A\_2),\tag{6.3.26}$$

according to (6.3.21),

$$A\_1 A\_2 = A\_1 G^{-1}(A\_2) = x\_1 x\_2 G - \overline{A} R,$$

therefore,

$$f^{-1}(A\_1 A\_2) = x\_1 x\_2 = f^{-1}(A\_1) f^{-1}(A\_2).$$

Since the GSW encryption system is based on the Gauss distribution, the Gauss matrix in (6.3.23) carries errors, and the error grows each time ciphertext matrices are added or multiplied. This is why the GSW encryption system is only a bounded fully homomorphic encryption: the error must be controlled when adding and multiplying ciphertexts in order to preserve correctness with high probability, because the larger the error of the Gauss distribution, the smaller the probability that the above equations hold.

To complete the proof of Theorem 6.3.2, we need the following lemma.

**Lemma 6.3.5** *If R*<sup>1</sup> *and R*<sup>2</sup> *are Gauss matrices, then the matrix defined by (6.3.26) is also a Gauss matrix.*

*Proof* Since both $R\_1$ and $R\_2$ are Gauss matrices, $x\_1 R\_2$ and $R\_1 G^{-1}(A\_2)$ are Gauss matrices; based on Lemma 6.3.4,

$$R = x\_1 R\_2 + R\_1 G^{-1}(A\_2)$$

is a Gauss matrix. Lemma 6.3.5 holds.

Finally, we emphasize that the advantage of GSW fully homomorphic encryption is that the dimension of the ciphertext does not increase under multiplication: with the ciphertext multiplication defined by (6.3.25), $A\_1 A\_2$ lies in the same ciphertext space as $A\_1$ and $A\_2$.
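The whole GSW workflow above (key generation, encryption by $f(x) = xG - \overline{A}R$, decryption via $s'A \equiv\_\chi xs'G$, and the homomorphic operations of Theorem 6.3.2) can be sketched numerically. The following is a deliberately noise-free toy, an assumption made for clarity: the error distribution $\chi$ is collapsed to 0 and $R$ is a 0/1 matrix, so the scheme is insecure, but the correctness equations hold exactly; plaintexts are single bits.

```python
import numpy as np
rng = np.random.default_rng(1)

q, n = 64, 4
l = 6                                     # l = log2 q
m = n + n * l                             # m = n + nl, as in the key generation

g = 2 ** np.arange(l)                     # gadget vector g'
G = np.kron(np.eye(n, dtype=int), g)      # gadget matrix, n x nl

# private key s' = (-s, 1) with s'·A_bar ≡ 0 (mod q); the noise χ is set to 0 here
s = rng.integers(0, q, n - 1)
B = rng.integers(0, q, (n - 1, m))
A_bar = np.vstack([B, s @ B % q])         # last row = s·B, so (-s, 1)·A_bar ≡ 0 (mod q)
s_prime = np.concatenate([-s, [1]])

def g_inv(M):
    """G^{-1}(M): bit-decompose every entry so that G @ g_inv(M) ≡ M (mod q)."""
    M = M % q
    out = np.zeros((n * l, M.shape[1]), dtype=int)
    for i in range(n):
        for k in range(l):
            out[i * l + k] = (M[i] >> k) & 1
    return out

def encrypt(x):                           # f(x) = xG - A_bar·R, R a small 0/1 matrix
    R = rng.integers(0, 2, (m, n * l))
    return (x * G - A_bar @ R) % q

def decrypt(A):                           # s'A ≡ x s'G; the last gadget block of s'G is g'
    c = (s_prime @ A % q)[(n - 1) * l + (l - 1)]   # ≈ x · 2^{l-1} mod q
    return int(round(c / 2 ** (l - 1))) % 2

a1, a2 = encrypt(1), encrypt(1)
assert decrypt((a1 + a2) % q) == (1 + 1) % 2      # homomorphic addition of bits
assert decrypt(a1 @ g_inv(a2) % q) == 1 * 1       # homomorphic multiplication (6.3.25)
```

Note how the product ciphertext `a1 @ g_inv(a2)` has the same shape as `a1` and `a2`, illustrating that multiplication does not increase the ciphertext dimension.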

#### **6.4 Construction of Gentry**

In 2009, C. Gentry first proposed a bounded algorithm for fully homomorphic encryption, which partially answered the RAD problem. The work by Gentry is an abstract description of fully homomorphic encryption (Garg et al., 2013a, 2013b; Gentry, 2009a, 2009b, 2010; Gentry et al., 2012a, 2012b, 2013a, 2015; Gentry & Halevi, 2011). Gentry's ideas and techniques are not easy to follow, since the description involves many abstract concepts. On the basis of the BV and GSW fully homomorphic encryption schemes of the previous section, we are in a better position to understand Gentry's ideas and methods.

Recall the working principle of the most representative public key cryptosystem, RSA. Suppose $N$ is the product of two distinct prime numbers. The public key of RSA is $pk = (N, e)$, where $1 < e < \varphi(N)$, $(e, \varphi(N)) = 1$, and $\varphi(N)$ is the Euler function of $N$. For any plaintext $\pi\_i \in \mathbb{Z}\_N$ ($0 \le \pi\_i < N$), the encryption algorithm of RSA is $\psi\_i \equiv \pi\_i^e \pmod{N}$; we write

$$\{\psi\_i \leftarrow \pi\_i^{e} \bmod N\} \tag{6.4.1}$$

as the cryptosystem of the ciphertext ψ*<sup>i</sup>* encrypted by the plaintext π*<sup>i</sup>* using the public key *pk*. If there are *t* ciphertexts {ψ1, ψ2,...,ψ*t*}, obviously,

$$\prod\_{i=1}^{t} \psi\_i \equiv \left(\prod\_{i=1}^{t} \pi\_i\right)^{e} \pmod{N},$$

so we have

$$\left\{ \prod\_{i=1}^{t} \psi\_i \leftarrow \left( \prod\_{i=1}^{t} \pi\_i \right)^{e} \bmod N \right\},$$

this shows that the product $\prod\_{i=1}^{t} \psi\_i$ of the $t$ ciphertexts is the encryption of the product $\prod\_{i=1}^{t} \pi\_i$ of the corresponding $t$ plaintexts. In other words, the plaintext corresponding to the product of the $t$ ciphertexts is the product of the $t$ plaintexts $\pi\_i$. In Sect. 6.1, we used the decryption algorithm to describe this multiplicative homomorphism as

$$f^{-1}\left(\prod\_{i=1}^{t}\psi\_i\right) = \prod\_{i=1}^{t}f^{-1}(\psi\_i).$$
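The multiplicative homomorphism of RSA can be checked directly with toy parameters (the primes 61 and 53 and the exponent 17 below are illustrative assumptions, far too small for real use):

```python
# toy RSA parameters: N = p·q, public exponent e with gcd(e, φ(N)) = 1
p, q_ = 61, 53
N = p * q_
e = 17
d = pow(e, -1, (p - 1) * (q_ - 1))       # private exponent, ed ≡ 1 (mod φ(N))

plaintexts = [12, 7, 25]
ciphertexts = [pow(m, e, N) for m in plaintexts]

# the product of the ciphertexts is the encryption of the product of the plaintexts
prod_c = 1
for c in ciphertexts:
    prod_c = prod_c * c % N
prod_m = 1
for m in plaintexts:
    prod_m = prod_m * m % N

assert prod_c == pow(prod_m, e, N)       # multiplicative homomorphism (6.4.1)
assert pow(prod_c, d, N) == prod_m       # decrypting the product recovers prod_m
```

This is exactly the relation $f^{-1}(\prod \psi\_i) = \prod f^{-1}(\psi\_i)$; RSA is multiplicatively homomorphic but not additively, which is why it is not a fully homomorphic scheme.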

In order to define homomorphic encryption more generally, we first introduce the concept of circuit, which is widely used in the computer field.

**Definition 6.4.1** A circuit *C* on the set *A* is a multivariate mapping defined on *A*. For any *t* elements *a*1, *a*2,..., *at* ∈ *A*, *C*(*a*1, *a*2,..., *at*) is the image of the mapping *C*. From the perspective of computer work, we can take (*a*1, *a*2,..., *at*) as an input, and *C*(*a*1, *a*2,..., *at*) is regarded as one output. Multiple input and output can be viewed as a circuit. If there are multiple circuits *C* on *A*, the set of these circuits is written as *CA*.

In a public key cryptosystem *E*, we use *pk* and *sk* to represent the public key and the private key respectively. Of course, *pk* and *sk* are not just one element, there may be many public and private keys.

**Definition 6.4.2** A public key cryptosystem *E* with the circuit set *CE* is called a fully homomorphic encryption system, if *E* contains the following four algorithms:


For any public key *pk*, and any circuit*C* ∈ *CE* on the plaintext space, any *t* ciphertexts ψ1, ψ2,...,ψ*<sup>t</sup>* , where

$$\psi\_i \leftarrow En\_E(pk, \pi\_i), \ 1 \le i \le t,\tag{6.4.2}$$

the ciphertext algorithm $Eval\_E$ is to compute

$$\psi \leftarrow Eval\_E(pk, \mathcal{C}, \psi\_1, \psi\_2, \dots, \psi\_t),$$

where ψ is the encryption of *C*(π1, π2,...,π*t*) under the public key *pk*, i.e.

$$\psi \leftarrow En\_E(pk, C(\pi\_1, \pi\_2, \dots, \pi\_t)).\tag{6.4.3}$$

*Remark 6.4.1* The number of elements of a circuit is denoted by $|C|$, which is called the boundary of the circuit. Usually the computational complexities of $KG\_E$, $En\_E$, $De\_E$ and $Eval\_E$ are polynomial in the security parameter λ and the circuit boundary $|C|$.

*Remark 6.4.2* An equivalent form of (6.4.3) is

$$C(\pi\_1, \pi\_2, \dots, \pi\_t) = De\_E(\psi),\tag{6.4.4}$$

that is, the plaintext corresponding to the result ψ computed by the ciphertext algorithm $Eval\_E$ from the $t$ ciphertexts $\psi\_1, \psi\_2, \dots, \psi\_t$ is the output $C(\pi\_1, \pi\_2, \dots, \pi\_t)$ of the circuit on $\pi\_1, \pi\_2, \dots, \pi\_t$. Therefore, in a fully homomorphic encryption system, the plaintext circuit $C$ actually induces a ciphertext circuit $D$, where

$$D(\psi\_1, \psi\_2, \dots, \psi\_t) = Eval\_E(pk, C, \psi\_1, \psi\_2, \dots, \psi\_t)$$

satisfying

$$De\_E(D(\psi\_1, \psi\_2, \dots, \psi\_t)) = C(\pi\_1, \pi\_2, \dots, \pi\_t). \tag{6.4.5}$$

The basic idea of Gentry is to construct fully homomorphic encryption on a general ring. In order to prove security, an ideal of a quotient ring of the polynomial ring $\mathbb{Z}[x]$ is made to correspond to an ideal lattice in $\mathbb{Z}^n$ (see Chap. 5), so the construction of Gentry is now called fully homomorphic encryption based on ideal lattices.

Let *R* be a commutative ring with identity, *I* and *J* are two coprime nonzero ideals in *R*, i.e. *I* + *J* = *R*, *R*/*I* and *R*/*J* denote the quotient rings. The construction of Gentry can be divided into the following steps:


The sampling algorithm: Samp$(x, B\_I, R, B\_J^{pk})$ outputs a representative element of the additive coset $x + I$.


$$KG(R, B\_I) = (B\_J^{sk}, B\_J^{pk}) \leftarrow \text{IdealGen}(R, B\_I),$$

the plaintext space is a representative element set of the quotient ring *R*/*I*.

The public key $pk$ contains $R$, $B\_I$, $B\_J^{pk}$ and the sampling algorithm.

The private key $sk$ contains $B\_J^{sk}$.

The encryption algorithm: the plaintext space is $R/I$; for any plaintext $\pi \in R/I$, based on the sampling algorithm we have Samp$(\pi, B\_I, R, B\_J^{pk}) \to \psi'$, and the encryption algorithm $En(pk, \pi)$ is defined as

$$En(pk, \pi) = \psi = \psi' \bmod{B\_J^{pk}}.$$

The decryption algorithm $De(sk, \psi)$ is defined as

$$\pi \leftarrow (\psi \bmod B\_J^{sk}) \bmod B\_I.$$

The ciphertext algorithm: if ψ1, ψ<sup>2</sup> are two ciphertexts, then the addition and multiplication are defined as

$$\begin{aligned} Add(pk, \psi\_1, \psi\_2) &= \psi\_1 + \psi\_2 = (\psi\_1 + \psi\_2) \bmod B\_J^{pk}, \\\\ Mut(pk, \psi\_1, \psi\_2) &= \psi\_1 \psi\_2 = (\psi\_1 \psi\_2) \bmod B\_J^{pk}. \end{aligned}$$
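Gentry's blueprint can be illustrated by a drastically simplified secret-key analog over the integers. All of the following choices are assumptions made for illustration: $R = \mathbb{Z}$, $I = 2\mathbb{Z}$, and a secret odd modulus $p$ playing the role of $B\_J^{sk}$; the real construction works over ideal lattices and has a public key. A bit π is encrypted as $\psi = \pi + 2i \bmod p$, decryption reduces mod $p$ (centered) and then mod 2, and addition and multiplication of ciphertexts remain correct as long as the noise stays far below $p/2$:

```python
import random
random.seed(0)

p = 10007                      # secret odd modulus, the toy analog of B_J^{sk} (assumption)
NOISE = 6                      # bound on the even noise term; must stay << p

def centered_mod(a, m):
    """Reduce a mod m into the centered interval (-m/2, m/2]."""
    r = a % m
    return r - m if r > m // 2 else r

def encrypt(bit):
    return (bit + 2 * random.randint(1, NOISE)) % p   # ψ = π + 2i mod p

def decrypt(c):
    return centered_mod(c, p) % 2                     # (ψ mod B_J^{sk}) mod B_I

c1, c2 = encrypt(1), encrypt(0)
assert decrypt(c1) == 1 and decrypt(c2) == 0
assert decrypt((c1 + c2) % p) == (1 + 0) % 2          # Add(pk, ψ1, ψ2)
assert decrypt((c1 * c2) % p) == (1 * 0) % 2          # Mult(pk, ψ1, ψ2)
```

Each operation roughly doubles (addition) or multiplies (multiplication) the noise, so only circuits of bounded depth decrypt correctly, mirroring the allowable-circuit restriction discussed below.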

The key of Gentry's construction is to verify the correctness of encryption and decryption and the homomorphism property of the ciphertext algorithm. We call the above public key generation algorithm, encryption algorithm, decryption algorithm and ciphertext algorithm the fully homomorphic encryption system of Gentry, denoted by *E*. In order to prove the fully homomorphic property of *E*, we observe that there are two kinds of circuits in *E*. First, the circuit *C* used for encryption is defined by the addition and multiplication in the quotient ring *R*/*I*. The other circuit, used in the ciphertext algorithm, is defined by the addition and multiplication in *R* itself, and is called the generating circuit.

**Definition 6.4.3** Given a circuit *C* in the plaintext space, we call *g*(*C*) its generating circuit if the operation of mod *BI* in *C* is replaced by the original addition and multiplication.

**Definition 6.4.4** Let $X\_{enc}$ be the image of $R/I$ under the sampling algorithm Samp, i.e. $X\_{enc}$ is a set of representative elements of $R/I$ and serves as the plaintext space, so the ciphertext space is $\{X\_{enc} + J\}$. Define $X\_{Dec}$ as $R \bmod B\_J^{sk}$, i.e. the set of representatives of the elements of $R/J$ under $\bmod\ B\_J^{sk}$.

**Definition 6.4.5** The circuit satisfying the following condition in the circuit set *CE* is called an allowable circuit set,

$$\mathcal{C}'\_{E} = \{ C : \forall (x\_1, x\_2, \dots, x\_t) \in X^{t}\_{enc} \Rightarrow g(C)(x\_1, x\_2, \dots, x\_t) \in X\_{Dec} \}. \quad (6.4.6)$$

On the basis of the above definitions and notations, the main conclusion of Gentry is that for any ciphertext [see (6.4.3)] in any allowable circuit, it has the fully homomorphic property.

**Theorem 6.4.1** *Let $\mathcal{C}'\_E$ be an allowable circuit set; then the ciphertext computed by any allowable circuit C in $\mathcal{C}'\_E$ has the fully homomorphic property.*

*Proof* Let $C \in \mathcal{C}'\_E$, $\psi = \{\psi\_1, \psi\_2, \dots, \psi\_t\}$, where each $\psi\_i$ is a ciphertext encrypted by the allowable circuit, so each ciphertext $\psi\_k$ can be written as

$$\psi\_k = \pi\_k + i\_k + j\_k, \ \pi\_k \in R/I, \ i\_k \in I, \ j\_k \in J,$$

and $\pi\_k + i\_k \in X\_{enc}$. We have

$$Eval(pk, C, \psi) = g(C)(\psi) \bmod B\_J^{pk} \in g(C)(\pi\_1 + i\_1, \pi\_2 + i\_2, \dots, \pi\_t + i\_t) + J.$$

If $C \in \mathcal{C}'\_E$, then

*g*(*C*)(*Xenc*, *Xenc*,..., *Xenc*) ∈ *X Dec*,

therefore,

$$\begin{array}{c} \text{Decrypt}(sk, Eval(pk, C, \psi)) \\\\ = g(C)(\pi\_1 + i\_1, \pi\_2 + i\_2, \dots, \pi\_t + i\_t) \bmod B\_I \\\\ = g(C)(\pi\_1, \pi\_2, \dots, \pi\_t) \bmod B\_I \\\\ = C(\pi\_1, \pi\_2, \dots, \pi\_t). \end{array}$$

Applying the above conclusion to the addition circuit and the multiplication circuit respectively, we get the fully homomorphic property in the allowable circuit.

We choose *<sup>R</sup>* <sup>=</sup> <sup>Z</sup>[*x*] / < *<sup>f</sup>* (*x*)>, where *<sup>f</sup>* (*x*) <sup>∈</sup> <sup>Z</sup>[*x*] is a monic polynomial of degree *n*. Each polynomial in the quotient ring *R* corresponds to a vector in Z*<sup>n</sup>*:

$$\alpha(\mathbf{x}) = a\_0 + a\_1 \mathbf{x} + \dots + a\_{n-1} \mathbf{x}^{n-1} \in \mathcal{R} \longleftrightarrow \alpha = \begin{pmatrix} a\_0 \\ a\_1 \\ \vdots \\ a\_{n-1} \end{pmatrix} \in \mathbb{Z}^n.$$

Furthermore, the correspondence between the ideal in *R* and the ideal lattice in Z*<sup>n</sup>* is one-to-one (see Chap. 5). For example, *I* = <α(*x*)> is the principal ideal generated by α(*x*) ∈ *R*, then

$$<\alpha(x)> = I \longleftrightarrow L(H^\*(\alpha)),$$

where $H^\*(\alpha)$ is the ideal matrix generated by α, and $L(H^\*(\alpha))$ is the integral lattice generated by $H^\*(\alpha)$. If $I \subset R$ is not a principal ideal, based on Chap. 5 we know

$$L(I) = \{ \alpha \mid \alpha(\mathbf{x}) \in I \} \subset \mathbb{Z}^n$$

is an integral lattice. Denote by $B\_I$ the generating matrix of $L(I)$; then $B\_I$ is the basis of the ideal $I$ in the construction of Gentry. In the key generation algorithm constructed by Gentry, the public key is $B\_J^{pk}$. We select an ideal $J \subset R$ such that $(I, J) = 1$ with basis $B\_J$, i.e. $B\_J$ is the generating matrix of the corresponding ideal lattice $L(J)$. For convenience,

$$B\_J^{pk} = \text{the Hermite normal form (HNF) basis of } L(J).$$

The private key is $B\_J^{sk}$; we choose an ideal $J\_1$ larger than $J$, i.e. $J \subset J\_1 \subset R$, $J\_1 \neq J$, so

$$B\_J^{sk} = \text{the generating matrix of the ideal lattice } L(J\_1).$$

Since *J* ⊂ *J*1, by the homomorphism theorem of ring we have

$$R/J\_1 \cong (R/J)/(J\_1/J).$$

Hence $R/J\_1$ can be identified with a quotient of $R/J$, so in the sampling algorithm, for any $a \in R/J$, we can find a unique corresponding $a\_{J\_1} \in R/J\_1$.

In summary, we can take $R$ to be a specific quotient ring $\mathbb{Z}[x] / \langle f(x)\rangle$ of the integer coefficient polynomial ring $\mathbb{Z}[x]$ to realize Gentry's construction of fully homomorphic encryption. Since the correspondence between the ideals in $R$ and the ideal lattices in $\mathbb{Z}^n$ is one-to-one, Gentry's construction is widely known as a fully homomorphic encryption system based on ideal lattices. Because the conclusion is only valid on the set of allowable circuits, it is only a bounded fully homomorphic encryption.

#### **6.5 Attribute-Based Encryption**

Fully homomorphic digital signature is a current research hotspot, and attribute-based encryption is a relatively mature topic within it. Attribute-based encryption (ABE) is a generalized form of identity-based encryption, first proposed in Sahai and Waters (2005) and Goyal et al. (2006). In this section we briefly introduce ABE.

**Lemma 6.5.1** *Let q be a prime number, $F\_q$ be the finite field with q elements, and $F\_{q^n}$ be an extension of degree n of $F\_q$; then $F\_{q^n}$ is isomorphic to a subring $\mathcal{H}$ of $\mathbb{Z}\_q^{n \times n}$, where $a, b \in \mathcal{H}$, $a \neq b \Rightarrow a - b \in GL\_n(F\_q)$, i.e. $a - b$ is an invertible matrix.*

*Proof* $F\_{q^n} / F\_q$ is an $n$ dimensional linear space; let $\{\alpha\_1, \alpha\_2, \dots, \alpha\_n\} \subset F\_{q^n}$ be a basis. For any $\alpha \in F\_{q^n}$, we define a linear transformation $\tau\_\alpha$ on $F\_{q^n}$:

$$\tau\_{\alpha}(x) = \alpha x, \ x \in F\_{q^n}. \tag{6.5.1}$$

Obviously $\tau\_\alpha$ is a linear transformation on $F\_{q^n}$. Under the given basis $\{\alpha\_1, \alpha\_2, \dots, \alpha\_n\}$, let $A\_\alpha$ be the matrix of $\tau\_\alpha$, that is,

$$\tau\_{\alpha}(\alpha\_1, \alpha\_2, \dots, \alpha\_n) = (\alpha\alpha\_1, \alpha\alpha\_2, \dots, \alpha\alpha\_n) = (\alpha\_1, \alpha\_2, \dots, \alpha\_n) A\_{\alpha}.$$

Let

$$\mathcal{H} = \{ A\_{\alpha} \mid \alpha \in F\_{q^n} \} \subset \mathbb{Z}\_q^{n \times n},$$

we have

$$A\_{\alpha+\beta} = A\_{\alpha} + A\_{\beta}, \ A\_{\alpha \cdot \beta} = A\_{\alpha} \cdot A\_{\beta},$$

so $F\_{q^n} \to \mathcal{H}$ is a ring isomorphism. Note that if $\alpha \neq 0$, then $\tau\_\alpha$ is an invertible linear transformation on $F\_{q^n}$, and the corresponding matrix $A\_\alpha$ of $\tau\_\alpha$ is an invertible matrix. If $a, b \in F\_{q^n}$, $a \neq b$, it follows that $A\_{a-b} \in GL\_n(F\_q)$; in other words, the difference of any two distinct matrices in the matrix ring $\mathcal{H}$ is an invertible matrix.
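The isomorphism of Lemma 6.5.1 can be checked computationally by representing $F\_{q^n}$ as $F\_q[x]$ modulo an irreducible polynomial and taking $A\_\alpha$ to be the matrix of multiplication by α in the basis $\{1, x, \dots, x^{n-1}\}$. The parameters below ($q = 5$, $n = 2$, $f(x) = x^2 + x + 1$, irreducible over $F\_5$) are toy assumptions:

```python
import numpy as np

q, n = 5, 2
f = [1, 1]          # f(x) = x^2 + x + 1, low-degree coefficients first (leading 1 implicit)

def polymul(a, b):
    """Multiply a, b in F_q[x]/<f(x)>, coefficient lists of length n."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % q
    # reduce degrees >= n using x^n ≡ -(f_0 + f_1 x + ... + f_{n-1} x^{n-1})
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        prod[k] = 0
        for t in range(n):
            prod[k - n + t] = (prod[k - n + t] - c * f[t]) % q
    return prod[:n]

def mult_matrix(alpha):
    """A_alpha: matrix of the map x -> alpha·x in the basis {1, x, ..., x^{n-1}}."""
    cols = [polymul(alpha, [int(i == j) for i in range(n)]) for j in range(n)]
    return np.array(cols, dtype=int).T

a, b = [2, 3], [1, 4]
Aa, Ab = mult_matrix(a), mult_matrix(b)
# the map alpha -> A_alpha preserves addition and multiplication (ring isomorphism)
assert np.array_equal((Aa + Ab) % q, mult_matrix([(x + y) % q for x, y in zip(a, b)]))
assert np.array_equal(Aa @ Ab % q, mult_matrix(polymul(a, b)))
# the difference of the matrices of two distinct elements is invertible over F_q
assert round(np.linalg.det((Aa - Ab) % q)) % q != 0
```

This is exactly the regular representation of the field, and the invertibility of $A\_a - A\_b = A\_{a-b}$ for $a \neq b$ follows because $A\_{a-b}$ represents multiplication by the nonzero element $a - b$.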

*Remark 6.5.1* The trace function and determinant of the matrix *A*<sup>α</sup> corresponding to the linear transformation τα are called the trace and norm of α, i.e.

$$\operatorname{tr}(\alpha) = \operatorname{tr}(A\_{\alpha}), \ N(\alpha) = \det(A\_{\alpha}),$$

where tr(α) is an additive homomorphism $F\_{q^n} \to F\_q$, and $N(\alpha)$ is a multiplicative homomorphism $F\_{q^n} \to F\_q$.

Let $F\_{q^n}$ be an $n$ dimensional linear space over $F\_q$. Given a basis, $F\_{q^n}$ and $F\_q^n$ are isomorphic as linear spaces over $F\_q$. For any elements $\alpha\_1, \alpha\_2, \dots, \alpha\_l \in F\_{q^n}$, we can define an inner product based on Lemma 6.5.1.

**Definition 6.5.1** For any $\alpha, \beta \in F\_{q^n}$, let $\alpha \to H\_\alpha \in \mathcal{H}$, $\beta \to H\_\beta \in \mathcal{H}$; we define the inner product of α and β by

$$<\alpha, \beta> = H\_{\alpha} \cdot H\_{\beta}. \tag{6.5.2}$$

*Remark 6.5.2* Since $H\_\alpha \cdot H\_\beta \in F\_q^{n \times n}$ is a square matrix of order $n$, the inner product of two field elements is a matrix. If $H\_\alpha \cdot H\_\beta \in \mathcal{H}$, based on Lemma 6.5.1 there exists $\gamma \in F\_{q^n}$ with $\gamma \to H\_\alpha \cdot H\_\beta$. However, we cannot conclude that $\gamma = \alpha \cdot \beta$, which means that (6.5.2) and the one-to-one correspondence of Lemma 6.5.1 are not compatible.

ABE encryption technique is a very complex matrix encryption method. The basic principle is to use the gadget matrix to generate encryption and decryption algorithms based on the LWE distribution. It involves the encryption public key of LWE cryptosystem, and a private key system based on the attribute vector and the dependent vector, which are the keys in the digital signature. In order to fully understand the workflow of ABE, we start with some basic matrices.

Let $q$ be a prime number, so $\mathbb{Z}\_q$ is a finite field with $q$ elements, and $\mathbb{Z}\_q^n$ is equivalent to an extension of degree $n$ of $\mathbb{Z}\_q$. Let $G$ be the gadget matrix of order $n$ [see (6.2.6)], i.e.

$$G = I\_n \otimes \mathbf{g'} = \text{diag}\{\mathbf{g'}, \mathbf{g'}, \dots, \mathbf{g'}\} \in \mathbb{Z}\_q^{n \times nl},$$

where $l = \log\_2 q$; define $\overline{A}$ and $A$ by

$$\begin{cases} \overline{A} \in \mathbb{Z}\_q^{n \times \overline{m}} \text{ is a uniformly random matrix},\\\\ A = [A\_1, A\_2, \dots, A\_l] \in \mathbb{Z}\_q^{n \times wl},\\\\ \overline{m} = n + nl, \quad w = nl, \end{cases} \tag{6.5.3}$$

where each $A\_i \in \mathbb{Z}\_q^{n \times nl}$ has the same dimension as the gadget matrix $G$. Let $A$ be the private key, and let $R \in \mathbb{Z}\_q^{\overline{m} \times nl}$ be the trapdoor matrix of $A$ with tag $H$, i.e.

$$AR \equiv HG \pmod{q} .$$

Based on Lemma 6.5.1, we define the attribute vector $\vec{H}$ by

$$\vec{H} = [H\_1, H\_2, \dots, H\_l] \in \mathcal{H}^l,\tag{6.5.4}$$

where each $H\_i \in \mathbb{Z}\_q^{n \times n}$ is an invertible matrix, so $\vec{H} \in \mathbb{Z}\_q^{n \times nl}$; let

$$\begin{cases} G\_{\vec{H}} = [H\_1G, H\_2G, \dots, H\_lG] \in \mathbb{Z}\_q^{n \times wl},\\\\ A\_{\vec{H}} = A + G\_{\vec{H}} \in \mathbb{Z}\_q^{n \times wl}, \end{cases} \tag{6.5.5}$$

the dependent vector $\vec{P} \in \mathcal{H}^l$ defined by the attribute vector $\vec{H}$ satisfies

$$<\vec{H},\ \vec{P}> = 0 \Leftrightarrow \sum\_{i=1}^{l} H\_i P\_i = 0,$$

where $\vec{P} = [P\_1, P\_2, \dots, P\_l] \in \mathbb{Z}\_q^{n \times nl}$, and each $P\_i \in \mathbb{Z}\_q^{n \times n}$.

In order to discuss the private key generated by the dependent vector $\vec{P}$, let $S\_{\vec{P}}$ be

$$S\_{\vec{P}} = \begin{pmatrix} G^{-1}(P\_1 G) \\\\ G^{-1}(P\_2 G) \\\\ \vdots \\\\ G^{-1}(P\_l G) \end{pmatrix},\tag{6.5.6}$$

here $G^{-1}(P\_iG)$ is the integer matrix given by Definition 6.2.2.

**Lemma 6.5.2** *Under the above notations, we have*

$$G\_{\vec{H}} \cdot S\_{\vec{P}} = <\vec{H},\ \vec{P}> G = 0.$$

*Proof* Combining (6.5.5), (6.5.6) and (6.2.7), it follows that

$$\begin{aligned} G\_{\vec{H}} \cdot S\_{\vec{P}} &= [H\_1 G, H\_2 G, \dots, H\_l G] \begin{pmatrix} G^{-1}(P\_1 G) \\\\ \vdots \\\\ G^{-1}(P\_l G) \end{pmatrix} \\\\ &= H\_1 G G^{-1}(P\_1 G) + \dots + H\_l G G^{-1}(P\_l G) \\\\ &= H\_1 P\_1 G + H\_2 P\_2 G + \dots + H\_l P\_l G \\\\ &= (H\_1P\_1 + H\_2P\_2 + \cdots + H\_lP\_l)G \\\\ &= <\vec{H},\ \vec{P}> G = 0. \end{aligned}$$

Encryption: based on the above definitions, let $u \in \mathbb{Z}\_q^n$; we encrypt a single bit $\mu \in \mathbb{Z}\_2$ by the LWE cryptosystem, and the ciphertext $\{\overline{c}, c\_{\vec{H}}, c\}$ satisfies

$$\begin{cases} \overline{c}' \equiv\_{\chi} s' \cdot \overline{A} \pmod{q}, \\\\ c'\_{\vec{H}} \equiv\_{\chi} s' \cdot A\_{\vec{H}} \pmod{q}, \\\\ c \equiv\_{\chi} s' \cdot u + \mu \left\lfloor \frac{q}{2} \right\rfloor \pmod{q}, \end{cases} \tag{6.5.7}$$

where $s$ is the private key of the LWE cryptosystem.

We write $\{\overline{c}, c\_{\vec{H}}, c\}$ in the following form

$$[\overline{c}', c'\_{\vec{H}}, c] \equiv\_{\chi} s'[\overline{A}, A\_{\vec{H}}, u] + \begin{pmatrix} 0\\\\ \mu \left\lfloor \frac{q}{2} \right\rfloor \end{pmatrix} \pmod{q}.$$

Decryption: from the dependent vector $\vec{P}$, generate the private key vector $x\_{\vec{P}}$ satisfying the following equalities,

$$\begin{cases} [\overline{A}, B\_{\vec{P}}] x\_{\vec{P}} = u, \\\\ B\_{\vec{P}} = A \cdot S\_{\vec{P}}, \end{cases} \tag{6.5.8}$$

use $x\_{\vec{P}}$ as the private key to decrypt the ciphertext $\{\overline{c}, c\_{\vec{H}}, c\}$ as follows

$$\left[\overline{c}', c'\_{\vec{H}} \cdot S\_{\vec{P}}\right] \cdot x\_{\vec{P}},$$

by (6.5.7), replacing the congruences with equalities, we have (based on Lemma 6.5.2)

$$\begin{aligned} c'\_{\vec{H}} \cdot S\_{\vec{P}} &= s' A\_{\vec{H}} \cdot S\_{\vec{P}} = s' (A + G\_{\vec{H}}) S\_{\vec{P}} \\\\ &= s' B\_{\vec{P}} + s' G\_{\vec{H}} \cdot S\_{\vec{P}} = s' B\_{\vec{P}}, \end{aligned}$$

therefore,

$$[\overline{c}', c'\_{\vec{H}} \cdot S\_{\vec{P}}] \cdot x\_{\vec{P}} \equiv\_{\chi} s'[\overline{A}, B\_{\vec{P}}] \cdot x\_{\vec{P}} \equiv\_{\chi} s'u \equiv c - \mu \left\lfloor \frac{q}{2} \right\rfloor \pmod{q},$$

so the bit $\mu$ can be recovered from $c$ with high probability.

Both $x\_{\vec{P}}$ and $S\_{\vec{P}}$ are the shortest integer solutions.

We will not verify the fully homomorphic property of ABE here and leave it to the reader as an exercise. Constructing fully homomorphic digital signatures from the ABE encryption technique is a popular research topic at present, and we encourage interested readers to pursue it further.

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

# **Chapter 7 A Generalization of NTRUencrypt**

The NTRU cryptosystem is a public key cryptosystem based on lattice hard problems, proposed in 1996 by three number theorists, Hoffstein, Pipher and Silverman, of Brown University in the United States. The essence of the NTRU design is a generalization of RSA to polynomials, so it is called a cryptosystem based on polynomial rings. Its main feature is that key generation is very simple, and the encryption and decryption algorithms are much faster than the commonly used RSA and elliptic curve cryptography. In particular, NTRU can resist quantum computing attacks and is considered a potential public key cryptosystem that can replace RSA in the post-quantum cryptography era.

Many researchers have presented variations of NTRU by changing its algebraic structure. In 2002, Gaborit introduced an NTRU-like cryptosystem called CTRU by replacing the base ring of NTRU with the polynomial ring *F*2[*x*] over a binary field (Gaborit et al., 2002). They proved that their system decrypts correctly. In 2005, Kouzmenko showed that CTRU is weak under a time attack and proposed the GNTRU cryptosystem based on Gaussian integers (Kouzmenko 2006). In the same year, Coglianese introduced an analog of the NTRU cryptosystem called MaTRU (Coglianese & Goi, 2005). MaTRU is based on a ring of square matrices with polynomial entries. In 2009, Malekian introduced the QTRU cryptosystem based on quaternion algebra (Malecian et al., 2011), and in 2010 the OTRU cryptosystem based on octonion algebra (Malecian & Zakerolhsooeini, 2010). In 2016, Alsaidi proposed a public key cryptosystem BITRU based on binary algebra (Alsaidi & Yassein, 2016). However, all of the above variations of NTRU have limitations. The purpose of this chapter is to extend the theory of circulant matrices to general ideal matrices, and to construct a more general NTRU cryptosystem combined with the φ-cyclic code. The motivation of this research is to adapt to the distributed scenario of the blockchain architecture and to apply post-quantum cryptography in it.

#### **7.1** *φ***-Cyclic Code**

Let $F\_q$ be a finite field with $q$ elements, where $q$ is a power of a prime number, and let $F\_q[x]$ be the polynomial ring over $F\_q$ in the variable $x$. Let $F\_q^n$ be the $n$ dimensional linear space over $F\_q$, and let $\phi = (\phi\_0, \phi\_1, \dots, \phi\_{n-1}) \in F\_q^n$ be a fixed vector with $\phi\_0 \neq 0$; the associated polynomial of φ is given by

$$\phi(\mathbf{x}) = \mathbf{x}^n - \phi\_{n-1}\mathbf{x}^{n-1} - \dots - \phi\_1 \mathbf{x} - \phi\_0 \in F\_q[\mathbf{x}], \ \phi\_0 \neq 0. \tag{7.1.1}$$

Let $<\phi(x)>$ be the principal ideal generated by $\phi(x)$ in $F\_q[x]$. There is a one-to-one correspondence between $F\_q^n$ and the quotient ring $R = F\_q[x] / <\phi(x)>$, given by

$$c = (c\_0, c\_1, \dots, c\_{n-1}) \in F\_q^n \longleftrightarrow c(x) = c\_0 + c\_1 x + \dots + c\_{n-1} x^{n-1} \in R. \tag{7.1.2}$$

In fact, this correspondence is also an isomorphism of Abelian groups. One may extend this correspondence to subsets of $F\_q^n$ and $R$ by

$$\mathcal{C} \subset F\_q^n \rightleftharpoons \mathcal{C}(\mathfrak{x}) = \{c(\mathfrak{x}) | c \in \mathcal{C}\} \subset \mathcal{R}.\tag{7.1.3}$$

If $C \subset F\_q^n$ is a linear subspace of $F\_q^n$ of dimension $k$, then $C$ is called a linear code in coding theory and written $C = [n, k]$ as usual. Each vector $c = (c\_0, c\_1, \dots, c\_{n-1}) \in C$ is called a codeword of length $n$. Obviously, $C = [n, 0]$ and $C = [n, n]$ are two trivial codes. Another, almost trivial, one is the constant code, given by

$$C = \{ (b, b, \ldots, b) | b \in F\_q \}, \text{ and } C = [n, 1].$$

According to the given polynomial $\phi(x)$ in (7.1.1), we may define a linear transformation $\tau_{\phi}$ on $F_q^n$,

$$\tau\_{\phi}(c) = \tau\_{\phi}((c\_0, c\_1, \dots, c\_{n-1})) = (\phi\_0 c\_{n-1}, c\_0 + \phi\_1 c\_{n-1}, c\_1 + \phi\_2 c\_{n-1}, \dots, c\_{n-2} + \phi\_{n-1} c\_{n-1}).\tag{7.1.4}$$

It is easily seen that $\tau_{\phi}: F_q^n \to F_q^n$ is a linear transformation.

**Definition 7.1.1** Let $C \subset F_q^n$ be a linear code. It is called a φ-cyclic code, if

$$
\forall c \in C \Rightarrow \tau_{\phi}(c) \in C. \tag{7.1.5}
$$

In other words, a linear code $C$ is a φ-cyclic code if and only if $C$ is closed under the linear transformation $\tau_{\phi}$. Clearly, if $\phi = (1, 0, \dots, 0)$ and $\phi(x) = x^n - 1$, then the φ-cyclic code is precisely the ordinary cyclic code (Lopez-Permouth et al., 2009).

*Remark 7.1.1* The φ-cyclic code we give here is in fact the polycyclic code, which first appeared in Lopez-Permouth et al. (2009), but we are mainly concerned with its application to the McEliece and Niederreiter cryptosystems. We first show that there is a one-to-one correspondence between φ-cyclic codes in $F_q^n$ and ideals in $R = F_q[x]/\langle\phi(x)\rangle$.

**Lemma 7.1.1** *Let $C \subset F_q^n$ be a subset. Then $C$ is a φ-cyclic code if and only if $C(x)$ is an ideal of $R$.*

*Proof* We use column notation for vectors in $F_q^n$; then the linear transformation $\tau_{\phi}$ may be written as

$$\tau_{\phi}\begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{n-1} \end{pmatrix} = \begin{pmatrix} \phi_0 c_{n-1} \\ c_0 + \phi_1 c_{n-1} \\ \vdots \\ c_{n-2} + \phi_{n-1} c_{n-1} \end{pmatrix}, \ \forall c = \begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{n-1} \end{pmatrix} \in F_q^n.$$

Let $T_{\phi}$ be the $n \times n$ square matrix over $F_q$,

$$T_{\phi} = \begin{pmatrix} 0 & \cdots & 0 & \phi_0 \\ & & & \phi_1 \\ & I_{n-1} & & \vdots \\ & & & \phi_{n-1} \end{pmatrix} \in F_q^{n \times n}, \tag{7.1.6}$$

where $I_{n-1}$ is the $(n-1) \times (n-1)$ unit matrix. The matrix expression of $\tau_{\phi}$ is as follows:

$$\tau_{\phi}\begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{n-1} \end{pmatrix} = T_{\phi}\begin{pmatrix} c_0 \\ c_1 \\ \vdots \\ c_{n-1} \end{pmatrix} = \begin{pmatrix} \phi_0 c_{n-1} \\ c_0 + \phi_1 c_{n-1} \\ \vdots \\ c_{n-2} + \phi_{n-1} c_{n-1} \end{pmatrix}. \tag{7.1.7}$$

Suppose $C \subset F_q^n$ and $C(x)$ is an ideal of $R$; it is clear that $C$ is a linear code of $F_q^n$. To prove that $C$ is a φ-cyclic code, we note that for any polynomial $c(x) \in C(x)$,

$$xc(x) \in C(x) \Leftrightarrow \tau_{\phi}(c) \in C \Leftrightarrow T_{\phi}c \in C. \tag{7.1.8}$$

Therefore, if $C(x)$ is an ideal of $R$, then we have immediately that $C$ is a φ-cyclic code of $F_q^n$.

Conversely, if $C \subset F_q^n$ is a φ-cyclic code, then for all $k \geq 1$, we have

$$\forall c \in C \Rightarrow T^k\_\phi c \in C.$$

It follows that

$$\forall c(x) \in C(x) \Rightarrow x^k c(x) \in C(x), \ k \geq 1,$$

which implies that $C(x)$ is an ideal of $R$. This completes the proof of Lemma 7.1.1.
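The map $\tau_{\phi}$ of (7.1.4) is easy to experiment with. Below is a minimal Python sketch (the function names and small test parameters are our own, and coefficient vectors are listed low degree first); it also checks the fact used in the proof above, namely that $\tau_{\phi}$ agrees with multiplication by $x$ modulo $\phi(x)$:

```python
def tau_phi(phi, c, q):
    """Apply the map tau_phi of (7.1.4) to c = (c_0, ..., c_{n-1}) over F_q.

    phi = (phi_0, ..., phi_{n-1}) encodes phi(x) = x^n - phi_{n-1}x^{n-1} - ... - phi_0.
    """
    n = len(c)
    return [(phi[0] * c[n - 1]) % q] + \
           [(c[i - 1] + phi[i] * c[n - 1]) % q for i in range(1, n)]

def times_x_mod_phi(phi, c, q):
    """Coefficients of x*c(x) reduced modulo phi(x), via x^n = phi_{n-1}x^{n-1} + ... + phi_0."""
    n = len(c)
    shifted = [0] + c[: n - 1]   # the part of x*c(x) below degree n
    lead = c[n - 1]              # the coefficient of x^n
    return [(shifted[i] + lead * phi[i]) % q for i in range(n)]

phi = [1, 0, 0]                  # phi(x) = x^3 - 1: tau_phi is the ordinary cyclic shift
assert tau_phi(phi, [1, 2, 3], 5) == [3, 1, 2]
phi = [2, 0, 1]                  # phi(x) = x^3 - x^2 - 2 over F_5
for c in ([1, 2, 3], [0, 4, 1]):
    assert tau_phi(phi, c, 5) == times_x_mod_phi(phi, c, 5)
```

For $\phi(x) = x^n - 1$ the map reduces to the familiar cyclic shift, matching the remark after Definition 7.1.1.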

By Lemma 7.1.1, to find a φ-cyclic code it is enough to find an ideal of $R$. There are two trivial ideals $C(x) = 0$ and $C(x) = R$; the corresponding φ-cyclic codes are $C = [n, 0]$ and $C = F_q^n$, respectively, which are called trivial φ-cyclic codes. To find non-trivial φ-cyclic codes, we make use of the homomorphism theorems, a standard technique in algebra. Let $\pi$ be the natural homomorphism from $F_q[x]$ to its quotient ring $R = F_q[x]/\langle\phi(x)\rangle$, with $\ker\pi = \langle\phi(x)\rangle$,

$$\langle\phi(x)\rangle \subset N \subset F_q[x] \xrightarrow{\pi} R = F_q[x]/\langle\phi(x)\rangle, \tag{7.1.9}$$

where $N$ is an ideal of $F_q[x]$ containing $\ker\pi = \langle\phi(x)\rangle$. Since $F_q[x]$ is a principal ideal domain, $N = \langle g(x)\rangle$ is a principal ideal generated by a monic polynomial $g(x) \in F_q[x]$. It is easy to see that

$$\langle\phi(x)\rangle \subset \langle g(x)\rangle \Leftrightarrow g(x) \mid \phi(x).$$

It follows that all ideals *N* satisfying (7.1.9) are given by

$$\{\langle g(x)\rangle \mid g(x) \in F_q[x] \text{ is monic and } g(x) \mid \phi(x)\}.$$

We write $\langle g(x)\rangle \bmod \phi(x)$ for the image of $\langle g(x)\rangle$ under $\pi$; it is easy to check that

$$\langle g(x)\rangle \bmod \phi(x) = \{h(x)g(x) \mid h(x) \in F_q[x] \text{ and } \deg h(x) + \deg g(x) < n\}, \tag{7.1.10}$$

more precisely, this is a set of representative elements of $\langle g(x)\rangle \bmod \phi(x)$. By the homomorphism theorem in ring theory, all ideals of $R$ are given by

$$\{\langle g(x)\rangle \bmod \phi(x) \mid g(x) \in F_q[x] \text{ is monic and } g(x) \mid \phi(x)\}. \tag{7.1.11}$$

Let $d$ be the number of monic divisors of $\phi(x)$ in $F_q[x]$; we obtain the following corollary immediately.

**Lemma 7.1.2** *The number of φ-cyclic codes in $F_q^n$ is $d$.*

To compare φ-cyclic codes with ordinary cyclic codes, we consider a simple example.

*Example 7.1* The constant code $C$ is always a cyclic code, since $1 + x + \cdots + x^{n-1} \mid x^n - 1$, and its generated polynomial is just $1 + x + \cdots + x^{n-1}$. But the constant code $C$ in $F_q^n$ is not always a φ-cyclic code; it is a φ-cyclic code if and only if $1 + x + \cdots + x^{n-1} \mid \phi(x)$, and an equivalent condition for this is

$$
\phi\_{n-1} = \phi\_{n-2} = \dots = \phi\_1 = b, \text{ and } \phi\_0 = 1 + b.
$$
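This divisibility criterion can be checked by polynomial division over $F_q$. The sketch below (our own helper, valid for prime $q$, with coefficient lists written low degree first) verifies that with $\phi_1 = \cdots = \phi_{n-1} = b$ and $\phi_0 = 1 + b$, the polynomial $1 + x + \cdots + x^{n-1}$ divides $\phi(x)$:

```python
def poly_divmod(num, den, q):
    """Division with remainder in F_q[x] for prime q; coefficient lists are low degree first."""
    num = num[:]
    dq = len(den) - 1
    inv = pow(den[-1], q - 2, q)              # inverse of the leading coefficient (Fermat)
    quo = [0] * (len(num) - dq)
    for i in range(len(num) - 1, dq - 1, -1):
        f = (num[i] * inv) % q
        quo[i - dq] = f
        for j in range(dq + 1):
            num[i - dq + j] = (num[i - dq + j] - f * den[j]) % q
    return quo, num[:dq]

q, n, b = 5, 4, 2
phi = [(-(1 + b)) % q] + [(-b) % q] * (n - 1) + [1]   # phi(x) = x^4 - 2x^3 - 2x^2 - 2x - 3
ones = [1] * n                                        # 1 + x + x^2 + x^3
quo, rem = poly_divmod(phi, ones, q)
assert rem == [0] * (n - 1)          # the constant code is phi-cyclic for these coefficients
assert quo == [(-(1 + b)) % q, 1]    # indeed phi(x) = (x - 1 - b)(1 + x + ... + x^{n-1})
```

The quotient $x - 1 - b$ exhibits the factorization behind the equivalence.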

**Definition 7.1.2** Let $C$ be a φ-cyclic code with $C(x) = \langle g(x)\rangle \bmod \phi(x)$. We call $g(x)$ the generated polynomial of $C$, where $g(x)$ is monic and $g(x) \mid \phi(x)$.

**Lemma 7.1.3** *Let $g(x) = g_0 + g_1 x + \cdots + g_{n-k-1}x^{n-k-1} + x^{n-k}$ be the generated polynomial of a φ-cyclic code $C$, where $1 \leq k \leq n - 1$ and $g(x) \mid \phi(x)$. Then $C = [n, k]$ and a generated matrix for $C$ is the following block matrix*

$$G = \begin{pmatrix} g \\ \tau\_{\phi}(g) \\ \tau\_{\phi}^{2}(g) \\ \vdots \\ \tau\_{\phi}^{k-1}(g) \end{pmatrix}\_{k \times n},\tag{7.1.12}$$

*where $g = (g_0, g_1, \dots, g_{n-k-1}, 1, 0, \dots, 0) \in C$ is the corresponding codeword of $g(x)$, and $\tau_{\phi}^i(g) = \tau_{\phi}^{i-1}(\tau_{\phi}(g))$ for $1 \leq i \leq n - 1$.*

*Proof* By assumption, $C(x) = \langle g(x)\rangle \bmod \phi(x)$, so $\{g, \tau_{\phi}(g), \dots, \tau_{\phi}^{k-1}(g)\} \subset C$; we are to prove that it is a basis of $C$. First, these vectors are linearly independent. Otherwise, we would have

$$\sum_{i=0}^{k-1} b_i \tau_{\phi}^i(g) = 0, \ b_i \in F_q, \tag{7.1.13}$$

and the corresponding polynomial is zero, namely

$$\left(\sum\_{i=0}^{k-1} b\_i x^i\right) \mathbf{g}(\mathbf{x}) = \mathbf{0}.$$

It follows that

$$\sum\_{i=0}^{k-1} b\_i x^i = 0 \Rightarrow b\_i = 0 \text{ for all } 0 \le i \le k - 1.$$

Next, if $c \in C$ and $c(x) \in C(x)$, by (7.1.10) there is a polynomial $b(x) = b_0 + b_1 x + \cdots + b_{k-1}x^{k-1}$ such that

$$c(x) = b(x)g(x) = \left(\sum_{i=0}^{k-1} b_i x^i\right) g(x).$$

Thus we have the corresponding codeword of *C*(*x*)

$$c = \sum_{i=0}^{k-1} b_i \tau_{\phi}^i(g).$$

This shows that $\{g, \tau_{\phi}(g), \dots, \tau_{\phi}^{k-1}(g)\}$ is a basis of $C$, and a generated matrix for $C$ is

$$G = \begin{pmatrix} g \\ \tau_{\phi}(g) \\ \tau_{\phi}^2(g) \\ \vdots \\ \tau_{\phi}^{k-1}(g) \end{pmatrix}_{k \times n}.$$

We have Lemma 7.1.3 at once.

To describe a parity check matrix for a φ-cyclic code, for any $c = (c_0, c_1, \dots, c_{n-1}) \in F_q^n$, we write

$$\overline{c} = (c\_{n-1}, c\_{n-2}, \dots, c\_1, c\_0) \in F\_q^n.$$

**Lemma 7.1.4** *Suppose $C$ is a φ-cyclic code with generated polynomial $g(x)$, where $g(x) \mid \phi(x)$ and $\deg g(x) = n - k$. Let $h(x)g(x) = \phi(x)$, where $h(x) = h_0 + h_1 x + \cdots + h_{k-1}x^{k-1} + x^k$. Then a parity check matrix for $C$ is*

$$H = \begin{pmatrix} \overline{h} \\ \tau\_{\phi}(\overline{h}) \\ \vdots \\ \tau\_{\phi}^{n-k-1}(\overline{h}) \end{pmatrix}\_{(n-k)\times n}.\tag{7.1.14}$$

*Proof* Since $h(x)g(x) = \phi(x)$, it means that $h(x)g(x) = 0$ in $R = F_q[x]/\langle\phi(x)\rangle$; thus we have

$$g_0 h_i + g_1 h_{i-1} + \cdots + g_{n-k} h_{i-n+k} = 0, \ \forall\, 0 \leq i \leq n-1.$$

It follows that $GH^T = 0$, where $G$ is a generated matrix for $C$ given by (7.1.12). Therefore, $H$ is a parity check matrix for $C$.
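Lemmas 7.1.3 and 7.1.4 can be illustrated numerically. The sketch below works in the classical cyclic case $\phi(x) = x^4 - 1$ over $F_5$ with $g(x) = x^2 - 1$ and $h(x) = x^2 + 1$ (illustrative parameters of our own, not from the text); it builds $G$ and $H$ by iterating $\tau_{\phi}$ and checks that every row of $G$ is orthogonal to every row of $H$:

```python
def tau_phi(phi, c, q):
    """The map tau_phi of (7.1.4) on F_q^n."""
    n = len(c)
    return [(phi[0] * c[-1]) % q] + [(c[i - 1] + phi[i] * c[-1]) % q for i in range(1, n)]

def rows(phi, v, k, q):
    """The k x n matrix with rows v, tau(v), ..., tau^{k-1}(v), as in (7.1.12) and (7.1.14)."""
    out = [v]
    for _ in range(k - 1):
        out.append(tau_phi(phi, out[-1], q))
    return out

q, n, k = 5, 4, 2
phi = [1, 0, 0, 0]                  # phi(x) = x^4 - 1 (the classical cyclic case)
g = [4, 0, 1, 0]                    # g(x) = x^2 - 1, a monic divisor of phi(x) over F_5
h = [1, 0, 1, 0]                    # h(x) = x^2 + 1, with h(x)g(x) = phi(x)
G = rows(phi, g, k, q)              # generated matrix of Lemma 7.1.3
H = rows(phi, h[::-1], n - k, q)    # parity check matrix of Lemma 7.1.4, built from h-bar
assert all(sum(x * y for x, y in zip(gr, hr)) % q == 0 for gr in G for hr in H)
```

Here `h[::-1]` realizes the reversed vector $\overline{h}$ defined before Lemma 7.1.4.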

A separable polynomial in algebra is one that has no multiple roots in its splitting field. The following lemma shows that there is a unit element in any nonzero ideal of $R$ when $\phi(x)$ is a separable polynomial.

**Lemma 7.1.5** *Suppose $\phi(x)$ is a separable polynomial over $F_q$, and $C(x) = \langle g(x)\rangle \bmod \phi(x)$ is an ideal of $R$ with $\deg g(x) \leq n - 1$. Then there exists an element $d(x) \in C(x)$ such that*

$$c(x)d(x) = c(x), \ \forall c(x) \in C(x).$$

*Proof* Let $h(x)g(x) = \phi(x)$. Since $\phi(x)$ is a separable polynomial, $\gcd(g(x), h(x)) = 1$, and there are two polynomials $a(x)$ and $b(x)$ in $F_q[x]$ such that

$$a(\mathbf{x})g(\mathbf{x}) + b(\mathbf{x})h(\mathbf{x}) = 1.$$

Let

$$d(\mathbf{x}) = a(\mathbf{x})g(\mathbf{x}) = 1 - b(\mathbf{x})h(\mathbf{x}) \in C(\mathbf{x}).$$

If $c(x) \in C(x)$, by (7.1.10) we may write $c(x) = g(x)g_1(x)$; it follows that

$$c(x)d(x) \equiv a(x)g(x)g(x)g_1(x) \equiv (1 - b(x)h(x))g(x)g_1(x) \equiv g(x)g_1(x) \equiv c(x) \pmod{\phi(x)}.$$

Thus we have *c*(*x*)*d*(*x*) = *c*(*x*) in *R*.
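The identity element $d(x)$ of Lemma 7.1.5 can be computed explicitly in small cases. In the sketch below (our own example, not from the text) we take the separable polynomial $\phi(x) = x^4 - 1$ over $F_5$, with $g(x) = x^2 - 1$ and $h(x) = x^2 + 1$; the Bézout relation $2g(x) + 3h(x) = 1$ gives $d(x) = 2g(x) = 2x^2 + 3$, and we check that $d(x)$ acts as the identity on the ideal $\langle g(x)\rangle$:

```python
def pmul_mod(a, b, n, q):
    """Multiply two polynomials in F_q[x]/<x^n - 1> (the special case phi(x) = x^n - 1)."""
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % n] = (out[(i + j) % n] + x * y) % q
    return out

q, n = 5, 4
g = [4, 0, 1, 0]              # g(x) = x^2 - 1
h = [1, 0, 1, 0]              # h(x) = x^2 + 1, so g(x)h(x) = phi(x) = x^4 - 1
# Bezout relation over F_5: 2*g(x) + 3*h(x) = 1, hence d(x) = 2*g(x) = 2x^2 + 3
d = [3, 0, 2, 0]
assert pmul_mod(g, h, n, q) == [0, 0, 0, 0]        # g*h = phi = 0 in R
for g1 in ([1, 2, 0, 0], [0, 3, 1, 4]):            # arbitrary elements g*g1 of the ideal
    c = pmul_mod(g, g1, n, q)
    assert pmul_mod(c, d, n, q) == c               # d(x) acts as the identity on <g(x)>
```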

Next, we discuss maximal φ-cyclic codes. Let $C(x) = \langle g(x)\rangle \bmod \phi(x)$, and let $g(x)$ be an irreducible polynomial in $F_q[x]$; we call the corresponding φ-cyclic code $C$ a maximal φ-cyclic code, because $\langle g(x)\rangle$ is a maximal ideal in $F_q[x]$.

**Lemma 7.1.6** *Let $C$ be a maximal φ-cyclic code with generated polynomial $g(x)$, and let $\beta$ be a root of $g(x)$ in some extension of $F_q$. Then*

$$C(\mathbf{x}) = \{ a(\mathbf{x}) \mid a(\mathbf{x}) \in R \text{ and } a(\boldsymbol{\beta}) = \mathbf{0} \}. \tag{7.1.15}$$

*Proof* If $a(x) \in C(x)$, by (7.1.10) we have $a(\beta) = 0$ immediately. Conversely, if $a(x) \in F_q[x]$ and $a(\beta) = 0$, then since $g(x)$ is irreducible we have $g(x) \mid a(x)$, and (7.1.15) follows at once.

An important application of maximal φ-cyclic codes is to construct an error-correcting code, so that we may obtain a modified McEliece–Niederreiter cryptosystem. To do this, let $1 \leq m < \sqrt{n}$, and let $F_{q^m}$ be an extension field of $F_q$ of degree $m$. Suppose $F_{q^m} = F_q(\theta)$, where $\theta$ is a primitive element of $F_{q^m}$ and $F_q(\theta)$ is the simple extension containing $F_q$ and $\theta$. Let $g(x) \in F_q[x]$ be the minimal polynomial of $\theta$; then $g(x)$ is an irreducible polynomial of degree $m$ in $F_q[x]$. It is well known that $F_{q^m}$ is a Galois extension of $F_q$, so that all roots of $g(x)$ lie in $F_{q^m}$. Let $\beta_1, \beta_2, \dots, \beta_m$ be all the roots of $g(x)$; the Vandermonde matrix $V(\beta_1, \beta_2, \dots, \beta_m)$ is defined by

$$H = V(\beta_1, \beta_2, \dots, \beta_m) = \begin{pmatrix} 1 & \beta_1 & \beta_1^2 & \cdots & \beta_1^{n-1} \\ 1 & \beta_2 & \beta_2^2 & \cdots & \beta_2^{n-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \beta_m & \beta_m^2 & \cdots & \beta_m^{n-1} \end{pmatrix}_{m \times n}, \tag{7.1.16}$$

where $\beta_1 = \theta$ and each $\beta_i$ is regarded as a vector of $(F_q)^m$. For an arbitrary monic polynomial $h(x) \in F_q[x]$ with $\deg h(x) = n - m$, let $\phi(x) = h(x)g(x)$ and let $C$ be the maximal φ-cyclic code generated by $g(x)$. It is easy to verify that

$$c \in C \Leftrightarrow cH^T = 0.$$

Therefore, $H$ is a parity check matrix for $C$. If we choose the primitive element $\theta$ so that any $d - 1$ columns of $H$ are linearly independent, then the minimum distance of $C$ is at least $d$, and $C$ is a $t$-error-correcting code, where $t = [\frac{d-1}{2}]$.

Public key cryptosystems based on algebraic coding theory were studied by Lyubashevsky and Micciancio (2006) and Micciancio and Regev (2009); a suitable $t$-error-correcting code plays a key role in their construction. The error-correcting code $C$ should satisfy the following requirements:


Our results supply a different way to choose an error-correcting code, by selecting an arbitrary irreducible polynomial $g(x) \in F_q[x]$ of degree $m$ and the roots of $g(x)$, rather than an irreducible factor of $x^n - 1$ and the roots of unity.

In fact, for any positive integer $m$, there is at least one irreducible polynomial $g(x) \in F_q[x]$ of degree $m$. Let $N_q(m)$ be the number of monic irreducible polynomials of degree $m$ in $F_q[x]$; then we have (see Theorem 3.25 of Lidl & Niederreiter, 1983)

$$N\_q(m) = \frac{1}{m} \sum\_{d|m} \mu(\frac{m}{d}) q^d = \frac{1}{m} \sum\_{d|m} \mu(d) q^{\frac{m}{d}},$$

where $\mu(d)$ is the Möbius function.
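The formula is straightforward to evaluate. A small Python sketch (the helper names are our own):

```python
def mobius(n):
    """Möbius function mu(n) by trial division."""
    result, p = 1, 2
    while p * p <= n:
        if n % p == 0:
            n //= p
            if n % p == 0:
                return 0             # n has a squared prime factor
            result = -result
        p += 1
    return -result if n > 1 else result

def N_irreducible(q, m):
    """Number of monic irreducible polynomials of degree m over F_q, by the Mobius formula."""
    return sum(mobius(m // d) * q**d for d in range(1, m + 1) if m % d == 0) // m

assert N_irreducible(2, 2) == 1      # only x^2 + x + 1
assert N_irreducible(2, 3) == 2      # x^3 + x + 1 and x^3 + x^2 + 1
assert N_irreducible(3, 2) == 3
assert all(N_irreducible(q, m) >= 1 for q in (2, 3, 5) for m in range(1, 8))
```

The last assertion checks the claim that a degree-$m$ irreducible polynomial always exists, for a few small $q$ and $m$.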

Assuming one has selected two monic irreducible polynomials $g(x)$ and $h(x)$ with $\deg g(x) = m$ and $\deg h(x) = n - m$, let $\phi(x) = g(x)h(x)$; then one may obtain the φ-cyclic code $C$ generated by $g(x)$ or $h(x)$, which is more convenient and more flexible than the ordinary methods.

It is difficult to compare the error-correcting capability of φ-cyclic codes with that of existing cyclic codes of the same length and dimension. However, we believe that the advantages of φ-cyclic codes will become clearer as $q$ increases.

#### **7.2 A Generalization of NTRUEncrypt**

The public key cryptosystem NTRU, proposed in 1996 by Hoffstein, Pipher and Silverman, is the fastest known lattice-based encryption scheme; although its description relies on arithmetic over the polynomial quotient ring $\mathbb{Z}[x]/\langle x^n - 1\rangle$, it was easily observed that it could be expressed as a lattice-based cryptosystem (see IEEE, 2000). For the background materials, we refer to Hoffstein et al. (1998), Lint (1999), McEliece (1978). Our strategy in this section is to replace $\mathbb{Z}[x]/\langle x^n - 1\rangle$ by the more general polynomial ring $\mathbb{Z}[x]/\langle\phi(x)\rangle$ and obtain a generalization of NTRUEncrypt, where $\phi(x)$ is a monic polynomial of degree $n$ with integer coefficients.

In this section, we denote φ(*x*) and *R* by

$$\phi(\mathbf{x}) = \mathbf{x}^n - \phi\_{n-1}\mathbf{x}^{n-1} - \dots - \phi\_1\mathbf{x} - \phi\_0 \in \mathbb{Z}[\mathbf{x}], \ R = \mathbb{Z}[\mathbf{x}] / < \phi(\mathbf{x})> , \ \phi\_0 \neq \mathbf{0}. \tag{7.2.1}$$

Let $H_{\phi} \in \mathbb{Z}^{n \times n}$ be a square matrix given by

$$H = H_{\phi} = \begin{pmatrix} 0 & \cdots & 0 & \phi_0 \\ & & & \phi_1 \\ & I_{n-1} & & \vdots \\ & & & \phi_{n-1} \end{pmatrix}_{n \times n}, \tag{7.2.2}$$

where $I_{n-1}$ is the $(n-1) \times (n-1)$ unit matrix. As described in Chap. 5, $\phi(x)$ is the characteristic polynomial of $H$, and $H$ defines a linear transformation $\mathbb{R}^n \to \mathbb{R}^n$ by $x \to Hx$, where $x$ is a column vector of $\mathbb{R}^n$. We may extend this transformation to $\mathbb{R}^{2n}$, denoting it by $\sigma$:

$$
\sigma \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \begin{pmatrix} H\alpha \\ H\beta \end{pmatrix}, \text{ where } \begin{pmatrix} \alpha \\ \beta \end{pmatrix} \in \mathbb{R}^{2n}. \tag{7.2.3}
$$

Of course, $\sigma$ is again a linear transformation $\mathbb{R}^{2n} \to \mathbb{R}^{2n}$.

A $q$-ary lattice is a lattice $L$ such that $q\mathbb{Z}^n \subset L \subset \mathbb{Z}^n$, where $q$ is a positive integer. We give the following definition of a convolutional modular lattice.

**Definition 7.2.1** A $q$-ary lattice $L$ is called a convolutional modular lattice if $L$ has even dimension $2n$ and satisfies

$$\forall \begin{pmatrix} \alpha \\ \beta \end{pmatrix} \in L \Rightarrow \sigma \begin{pmatrix} \alpha \\ \beta \end{pmatrix} = \begin{pmatrix} H\alpha \\ H\beta \end{pmatrix} \in L,\tag{7.2.4}$$

here $\alpha$ and $\beta$ are column vectors in $\mathbb{R}^n$. In other words, a convolutional modular lattice is a $q$-ary lattice of even dimension that is closed under the linear transformation $\sigma$.

Recall that the secret key $\binom{f}{g}$ of NTRU is a pair of polynomials of degree $n - 1$; we may regard $f$ and $g$ as column vectors in $\mathbb{Z}^n$. To obtain a convolutional modular lattice containing $\binom{f}{g}$, we need some help from ideal matrices. In Chap. 5, we introduced the definition of the ideal matrix generated by a vector $f$,

$$H^\*(f) = H^\*\_\phi(f) = [f, Hf, H^2f, \dots, H^{n-1}f]\_{n \times n},\tag{7.2.5}$$

which is a block matrix in terms of the columns $H^k f$ ($0 \leq k \leq n - 1$). It is easily seen that $H^*(f)$ is a generalization of the classical circulant matrices. In fact, if

$$
\phi(\mathbf{x}) = \mathbf{x}^n - 1, \ f(\mathbf{x}) = f\_0 + f\_1 \mathbf{x} + \dots + f\_{n-1} \mathbf{x}^{n-1} \in \mathbb{Z}[\mathbf{x}],
$$

the ideal matrix $H_{\phi}^*(f)$ generated by $f$ is given by

$$H^*(f) = \begin{pmatrix} f_0 & f_{n-1} & \cdots & f_1 \\ f_1 & f_0 & \cdots & f_2 \\ \vdots & \vdots & & \vdots \\ f_{n-1} & f_{n-2} & \cdots & f_0 \end{pmatrix}, \ \phi(x) = x^n - 1,$$

which is known as a circulant matrix. On the other hand, ideal matrices and ideal lattices play an important role in Ajtai's construction of a collision-resistant hash function; for the related materials we refer to Ajtai and Dwork (1997), Ajtai (1996), Lint (1999).
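The construction (7.2.5) is easy to compute directly. The sketch below (the helper name is our own) builds $H^*(f)$ column by column via $v \to Hv$, and confirms that for $\phi(x) = x^n - 1$ it reproduces the circulant matrix of $f$:

```python
def ideal_matrix(phi, f):
    """H*(f) of (7.2.5) with columns f, Hf, ..., H^{n-1}f; integer arithmetic.

    phi = (phi_0, ..., phi_{n-1}) encodes phi(x) = x^n - phi_{n-1}x^{n-1} - ... - phi_0.
    """
    n = len(f)
    cols, v = [f], f
    for _ in range(n - 1):
        v = [phi[0] * v[-1]] + [v[i - 1] + phi[i] * v[-1] for i in range(1, n)]  # v -> Hv
        cols.append(v)
    return [[cols[j][i] for j in range(n)] for i in range(n)]   # assemble rows

# phi(x) = x^3 - 1: the ideal matrix is the classical circulant of f
assert ideal_matrix([1, 0, 0], [1, 2, 3]) == [[1, 3, 2],
                                              [2, 1, 3],
                                              [3, 2, 1]]
```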

We have given some properties of ideal matrices in Lemmas 5.2.1–5.2.4 of Chap. 5. Based on these lemmas, we next construct a convolutional modular lattice containing the vector $\binom{f}{g}$. Let $\binom{f}{g} \in \mathbb{Z}^{2n}$, let $(H^*(f))^T$ be the transpose of $H^*(f)$, and let

$$A = [(H^\*(f))^T, (H^\*(g))^T] = \begin{pmatrix} f^T & g^T \\ f^T H^T & g^T H^T \\ f^T (H^T)^2 & g^T (H^T)^2 \\ \vdots & \vdots \\ f^T (H^T)^{n-1} & g^T (H^T)^{n-1} \end{pmatrix}\_{n \times 2n},\tag{7.2.6}$$

$$A^T = \begin{pmatrix} H^*(f) \\ H^*(g) \end{pmatrix} = \begin{pmatrix} f & Hf & \cdots & H^{n-1}f \\ g & Hg & \cdots & H^{n-1}g \end{pmatrix}_{2n \times n}. \tag{7.2.7}$$

We consider $A$ and $A^T$ as matrices over $\mathbb{Z}_q$, i.e. $A \in \mathbb{Z}_q^{n \times 2n}$, $A^T \in \mathbb{Z}_q^{2n \times n}$; a $q$-ary lattice $\Lambda_q(A)$ is defined by

$$\Lambda_q(A) = \{y \in \mathbb{Z}^{2n} \mid \text{there exists } x \in \mathbb{Z}^n \text{ such that } y \equiv A^T x \pmod{q}\}. \tag{7.2.8}$$

Under the above notations, we prove that $\Lambda_q(A)$ is a convolutional modular lattice containing $\binom{f}{g}$.

**Theorem 7.2.1** *For any column vectors $f \in \mathbb{Z}^n$ and $g \in \mathbb{Z}^n$, $\Lambda_q(A)$ is a convolutional modular lattice, and*

$$
\binom{f}{g} \in \Lambda\_q(A).
$$

*Proof* It is known that $\Lambda_q(A)$ is a $q$-ary lattice, i.e.

$$q \mathbb{Z}^{2n} \subset \Lambda\_q(A) \subset \mathbb{Z}^{2n}.$$

We only need to prove that $\Lambda_q(A)$ is fixed under the linear transformation $\sigma$ given by (7.2.3). If $y \in \Lambda_q(A)$, then $y \equiv A^T x \pmod{q}$ for some $x \in \mathbb{Z}^n$; by Lemma 5.2.1 in Chap. 5, we have

$$\sigma(\mathbf{y}) \equiv \begin{pmatrix} HH^\*(f)\mathbf{x} \\ HH^\*(\mathbf{g})\mathbf{x} \end{pmatrix} = \begin{pmatrix} H^\*(f)H\mathbf{x} \\ H^\*(\mathbf{g})H\mathbf{x} \end{pmatrix} \equiv A^T H \mathbf{x} \pmod{q} .$$

It means that $\sigma(y) \in \Lambda_q(A)$ whenever $y \in \Lambda_q(A)$. Let

$$e = \begin{pmatrix} 1 \\ 0 \\ \vdots \\ 0 \end{pmatrix} \in \mathbb{Z}^n \Rightarrow H^\*(f)e = f, \text{ and } H^\*(g)e = g.$$

We have

$$
\binom{f}{g} \in \Lambda\_q(A).
$$

Theorem 7.2.1 follows.

Since $\Lambda_q(A) \subset \mathbb{Z}^{2n}$, there is a unique basis in Hermite Normal Form $N$, which is an upper triangular matrix given by

$$N = \begin{pmatrix} I\_n \ H^\*(h) \\ 0 & qI\_n \end{pmatrix}, \text{ where } h \equiv \left( H^\*(f) \right)^{-1} \text{g (mod } q \text{)}. \tag{7.2.9}$$

Next, we consider the parameter system of NTRU. To choose the parameters of NTRU, let $d_f$ be a positive integer and let $\{p, 0, -p\}^n \subset \mathbb{Z}^n$ denote the subset of vectors of $\mathbb{Z}^n$ having exactly $d_f + 1$ positive entries and $d_f$ negative ones, the remaining $n - 2d_f - 1$ entries being zero. We take some assumption conditions for the choice of parameters as follows:


$$f - 1 \in \{p, 0, -p\}^n, \quad g \in \{p, 0, -p\}^n.$$


Under the above conditions, by Lemma 5.2.2 in Chap. 5 we have

$$H^\*(f) \equiv I\_n \pmod{p}, \text{ and } H^\*(g) \equiv 0 \pmod{p}. \tag{7.2.10}$$

Now, we state a generalization of NTRU as follows.


$r \in \{1, 0, -1\}^{2n}$. Let

$$
\begin{pmatrix} c \\ 0 \end{pmatrix} = N \begin{pmatrix} m \\ r \end{pmatrix} \equiv \begin{pmatrix} m + H^\*(h)r \\ 0 \end{pmatrix} \pmod{q},\tag{7.2.11}
$$

where $h$ is given by (7.2.9). Then the $n$ dimensional vector $c$

$$c \equiv m + H^\*(h)r \pmod{q}$$

is the ciphertext.

4. Decryption. Suppose the entries of the $n$ dimensional vector $c$ belong to the interval $[-\frac{q}{2}, \frac{q}{2}]$; then the ciphertext $c$ is decrypted by multiplying it by the secret matrix $H^*(f) \bmod q$. It follows that

$$H^\*(f)c \equiv H^\*(f)m + H^\*(f)H^\*(h)r \equiv H^\*(f)m + H^\*(g)r \pmod{q}.\tag{7.2.12}$$

Here, we use (ii) of Lemma 5.2.4 in Chap. 5, namely,

$$H^\*(f)H^\*(\mathbf{g}) = H^\*(H^\*(f)\mathbf{g}),$$

If the above four conditions are satisfied, it is easily seen that the coordinates of the vector $H^*(f)m + H^*(g)r$ are all bounded by $\frac{q}{2}$ in absolute value, or are so with high probability even for larger values of $d_f$. The decryption process is completed by reducing (7.2.12) modulo $p$, to obtain

$$H^*(f)m + H^*(g)r \equiv m \pmod{p}.$$

Thus one recovers the plaintext $m$ from the ciphertext $c$. This completes the procedure of our general NTRU cryptosystem.

At the end of this section, we give an example to show the correctness of decryption in the general NTRU cryptosystem.

*Example 7.2* Let $n = 3$, $p = 3$, $q = 7$, $\phi(x) = x^3 + x^2 + x + 1$, $f(x) = 3x^2 + 1$, $g(x) = 3x^2$, i.e. the private key is $\binom{f}{g}$ with

$$f = \begin{pmatrix} 1 \\ 0 \\ 3 \end{pmatrix}, \text{ g} = \begin{pmatrix} 0 \\ 0 \\ 3 \end{pmatrix}.$$

It is easy to get

$$H^*(f) = \begin{pmatrix} 1 & -3 & 3 \\ 0 & -2 & 0 \\ 3 & -3 & 1 \end{pmatrix}$$

and

$$H^*(g) = \begin{pmatrix} 0 & -3 & 3 \\ 0 & -3 & 0 \\ 3 & -3 & 0 \end{pmatrix}.$$

By (7.2.9), we compute *h* and *H*∗(*h*) as follows

$$h \equiv (H^\*(f))^{-1}g \pmod{q} = \begin{pmatrix} 2 \\ 0 \\ -3 \end{pmatrix},$$

$$H^\*(h) = \begin{pmatrix} 2 & 3 & -3 \\ 0 & 5 & 0 \\ -3 & 3 & 2 \end{pmatrix},$$

then the public key *N* is

$$N = \begin{pmatrix} I_3 & H^*(h) \\ 0 & 7I_3 \end{pmatrix}.$$

Assume the input message and random vector are

$$m = \begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix}, \ r = \begin{pmatrix} 0 \\ 1 \\ 0 \end{pmatrix}.$$

We get the ciphertext by (7.2.11):

$$c \equiv m + H^\*(h)r \equiv \begin{pmatrix} -3 \\ -2 \\ 3 \end{pmatrix} \pmod{7}.$$

From (7.2.12) we have

$$H^\*(f)c \equiv \begin{pmatrix} -2 \\ -3 \\ 0 \end{pmatrix} \pmod{7}.$$

Since

$$
\begin{pmatrix} -2 \\ -3 \\ 0 \end{pmatrix} \equiv \begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix} \pmod{3},
$$

one can get the plaintext *m* from ciphertext *c*,

$$m = \begin{pmatrix} 1 \\ 0 \\ 0 \end{pmatrix}.$$

This verifies the correctness and effectiveness of the general NTRU cryptosystem.
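The whole of Example 7.2 can be replayed in a few lines of code. The sketch below (the helper names are our own) rebuilds $H^*(h)$ and $H^*(f)$ from (7.2.5), encrypts $m$ with (7.2.11), decrypts with (7.2.12), and recovers the plaintext:

```python
def ideal_matrix(phi, f, q):
    """H*(f) of (7.2.5) over Z_q; phi encodes phi(x) = x^n - phi_{n-1}x^{n-1} - ... - phi_0."""
    n = len(f)
    cols = [[x % q for x in f]]
    for _ in range(n - 1):
        v = cols[-1]
        cols.append([(phi[0] * v[-1]) % q] +
                    [(v[i - 1] + phi[i] * v[-1]) % q for i in range(1, n)])   # v -> Hv
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def matvec(M, x, q):
    return [sum(a * b for a, b in zip(row, x)) % q for row in M]

n, p, q = 3, 3, 7
phi = [-1, -1, -1]                           # phi(x) = x^3 + x^2 + x + 1
f, g, h = [1, 0, 3], [0, 0, 3], [2, 0, -3]   # h = (H*(f))^{-1} g (mod 7), as in the text
m, r = [1, 0, 0], [0, 1, 0]

c = [(a + b) % q for a, b in zip(m, matvec(ideal_matrix(phi, h, q), r, q))]  # (7.2.11)
assert c == [(-3) % q, (-2) % q, 3]          # the ciphertext of the text, taken mod 7

a = matvec(ideal_matrix(phi, f, q), c, q)                                    # (7.2.12)
a = [x - q if x > q // 2 else x for x in a]  # lift entries to the interval (-q/2, q/2]
assert [x % p for x in a] == m               # reducing mod p recovers the plaintext
```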

**Open Access** This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.

The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

### **References**


© The Editor(s) (if applicable) and The Author(s) 2023

Z. Zheng et al., *Modern Cryptography Volume 2*, Financial Mathematics and Fintech, https://doi.org/10.1007/978-981-19-7644-5


Davis, P. (1994). *Circulant matrices* (2nd ed.). Chelsea Publishing.

