CCKK 2015
Dong Pyo Chi (1,2), Jeong Woon Choi (3), Jeong San Kim (4) and Taewan Kim (5)

(1) Division of General Studies, UNIST, [email protected]
(2) Department of Mathematics, Seoul National University, [email protected]
(3) Fusion Technology R&D Center, SK Telecom, jw [email protected]
(4) Department of Applied Mathematics, Kyung Hee University, [email protected]
(5) Institute of Mathematical Sciences, Ewha Womans University, [email protected]
Abstract
The purpose of this lecture note is to introduce lattice-based cryptography, which is thought to be a cryptosystem for the post-quantum age. We have tried to give as many details as possible, especially for novices on the subject: something may be trivial to an expert but not to a novice.

Many fundamental problems about lattices are thought to be hard even against a quantum computer, in contrast to the factorization problem, which a quantum computer solves easily via Shor's celebrated factoring algorithm. The first part of our presentation is based on the slides of Chris Peikert's 2013 Bonn lecture (crypt@b-it 2013). We more or less give a somewhat detailed explanation of Professor Peikert's lecture slides; we unfortunately could not attend his Bonn class. We are afraid that there are many mistakes in this note; if so, they are due to our misunderstanding of the material. Part II of our lecture note is on ring-LWE, based on the paper "A Toolkit for Ring-LWE Cryptography" by Lyubashevsky, Peikert and Regev. Part III is about multilinear maps together with the cryptanalysis of the GGH map due to Hu and Jia; our presentation follows Professor Steinfeld's lecture slides on GGHLite and the paper by Yupu Hu and Huiwen Jia. When you read this lecture note, the corresponding original paper should be kept at hand. We thank Professor Jung Hee Cheon for introducing the subject and for asking Dong Pyo Chi to give a lecture on it at the Department of Mathematics, Seoul National University. We also thank Hyeongkwan Kim for much help, especially many corrections and improvements of the manuscript during the 2015 summer session at UNIST, and the students who took the classes at SNU and UNIST. The lecture was given by a novice for novices, so many mistakes are unavoidable; if the reader lets us know of any errors, we will very much appreciate it.
Contents

Abstract

Part II  Introduction to Ring-LWE  27
5  Preliminaries for Ring-LWE cryptography  29
  5.1  Notations  29
  5.2  Gaussians and Subgaussian Random Variables  30
  5.3  Lattice Background  32
    5.3.1  Decoding  33
  5.4  Algebraic Number Theory Background  34
    5.4.1  A key fact from algebraic number theory  35
    5.4.2  Canonical Embedding and Geometry  35
    5.4.3  The Ring of Integers and Its Ideals  36
    5.4.4  Duality  37
    5.4.5  Prime Splitting and Chinese Remainder Theorem  40
  5.5  Ring-LWE  41
7  Powerful basis  47
  7.1  Powerful basis $\vec p$ of $K = \mathbb{Q}(\zeta_m)$ and $R = \mathbb{Z}[\zeta_m]$  47
  7.2  Gram-Schmidt orthogonalization of $CRT_m$  49
9  Decoding Basis of $R^\vee$  53
  9.1  Relation to the Powerful Basis  53
  9.2  Decoding $R^\vee$ and its Powers  54
    9.2.1  Implementation of Decoding Operation  55
  9.3  Gaussian sampling in the Decoding Basis  56
10  Regularity  59
11  Cryptosystems  65
  11.1  Dual-Style Cryptosystem [GPV08]  65
  11.2  Compact Public-key Cryptosystem  66
  11.3  Homomorphic Cryptosystem  67
    11.3.1  Modulus Reduction and Key Switching  68
A  Hermite Normal Form of Ideal Lattices (following Ding and Lindner, Smart and Vercauteren)  95

Part I
Chapter 1
1.1.1 Definitions
Lattice
A lattice $L$ of $\mathbb{R}^n$ is by definition a discrete additive subgroup of $\mathbb{R}^n$. In this note we only deal with full-rank lattices, i.e., $L$ spans $\mathbb{R}^n$ with real coefficients. Moreover, we consider only integer lattices, i.e., $L \subseteq \mathbb{Z}^n$.

Remark 1.1.1. $\mathbb{Z} + \sqrt{2}\,\mathbb{Z}$ is not a lattice, because it is not discrete: when $\alpha$ is irrational, $n\alpha \bmod 1$ is dense (indeed equidistributed) in $S^1 = [0,1]/(0 \sim 1)$ (Weyl's theorem).
Bases
A basis of L is an ordered set B = (b1 , b2 , . . . , bn ) such that
{ n }
∑
L = L(B) = B · Zn = ci bi : ci ∈ Z . (1.1)
i=1
Note that P (B) depends not only on lattice but also on the choice of basis B. A “good”
basis of L gives rather a square-like parallelepiped, while a ‘bad’ basis gives a very thin
parallelepiped. It is trivial to see the following lemma.
Lemma 1.1.2.
$$\mathbb{R}^n = \bigcup_{v \in L} \big(v + P(B)\big), \tag{1.4}$$
that is, the translates of the parallelepiped $P(B)$ by lattice vectors cover $\mathbb{R}^n$ without overlap.

Proof. Write $x \in \mathbb{R}^n$ as $x = \sum_i x_i b_i$ with $x_i \in \mathbb{R}$, and let $\lceil a \rfloor$ denote rounding to the nearest integer, halves rounded up: $\lceil 2.7 \rfloor = 3$, $\lceil 2.5 \rfloor = 3$, $\lceil 2.1 \rfloor = 2$. Therefore
$$-\tfrac12 \le a - \lceil a \rfloor < \tfrac12. \tag{1.7}$$
Hence $\sum_i \lceil x_i \rfloor b_i \in L$ and $\sum_i (x_i - \lceil x_i \rfloor) b_i \in P(B)$. This shows that $\mathbb{R}^n = \bigcup_{v \in L} (v + P(B))$.

If $(v_1 + P(B)) \cap (v_2 + P(B)) \neq \emptyset$ for some $v_1 \neq v_2 \in L$, then $v_1 + \alpha = v_2 + \beta$ for some $\alpha, \beta \in P(B)$, so $v_1 - v_2 = \beta - \alpha$. Since $v_1 - v_2$ is a $\mathbb{Z}$-linear combination of the $b_i$ while $\beta - \alpha$ is a linear combination of the $b_i$ with all coefficients in $(-1, 1)$, we get $v_1 - v_2 = 0 = \beta - \alpha$, a contradiction.
$BU$ is also a basis of $L$ for any $U \in GL(n, \mathbb{Z})$, i.e., any $n \times n$ integer matrix with determinant $\pm 1$. Note that, for example,
$$\begin{pmatrix} 1 & 1023 \\ 0 & 1 \end{pmatrix} \in GL(2, \mathbb{Z}). \tag{1.8}$$

Every coset $v + L$ ($v \in \mathbb{R}^n$) has a unique representative in $P(B)$. Indeed,
$$v + L = (v - w) + L \quad \text{for every } w \in L, \tag{1.9}$$
so by the proof of Lemma 1.1.2 we may subtract $w = \sum_j \lceil x_j \rfloor b_j$ to move $v$ into $P(B)$. For uniqueness, suppose
$$v_1 + L = v_2 + L, \tag{1.10}$$
where
$$v_1 = \sum_j c_{1j} b_j, \quad -\tfrac12 \le c_{1j} < \tfrac12, \tag{1.11}$$
$$v_2 = \sum_j c_{2j} b_j, \quad -\tfrac12 \le c_{2j} < \tfrac12. \tag{1.12}$$
Then
$$v_1 - v_2 = \sum_j (c_{1j} - c_{2j}) b_j \in L, \tag{1.13}$$
i.e., $c_{1j} - c_{2j} \in \mathbb{Z}$ for all $j$. Note that if $-\tfrac12 \le a < \tfrac12$ and $-\tfrac12 \le b < \tfrac12$, then $-1 < a - b < 1$. Hence $c_{1j} - c_{2j} = 0$ for $j = 1, 2, \ldots, n$.

By definition,
$$\det(L) := |\mathbb{Z}^n / L| = |\det B| = \mathrm{vol}(P(B)) \tag{1.14}$$
for any basis $B$ of $L$.
• $\mathbb{Z}^n + \square$ covers $\mathbb{R}^n$ without overlap, where $\square = [-\tfrac12, \tfrac12)^n$ denotes the half-open unit cube. Thus
$$L + P(B) = \mathbb{R}^n \tag{1.15}$$
$$= \mathbb{Z}^n + \square \tag{1.16}$$
$$= \bigcup_{c \in \mathbb{Z}^n / L} (c + L + \square). \tag{1.17}$$
Successive Minima

The successive minima of $L$ are defined as follows: for $i = 1, \ldots, n$,
$$\lambda_i(L) := \min\{ r > 0 : L \cap \overline{B(0, r)} \text{ contains } i \text{ linearly independent vectors} \},$$
so $\lambda_1(L)$ is the length of a shortest nonzero lattice vector and $\lambda_1(L) \le \lambda_2(L) \le \cdots \le \lambda_n(L)$.

Example 1.1.1. Let $L \subset \mathbb{Z}^n$ be spanned by $2e_1, \ldots, 2e_n, (1, 1, \ldots, 1)$, where $n > 4$. Then $v = (v_1, \ldots, v_n) \in L$ if and only if $v_1 \equiv v_2 \equiv \cdots \equiv v_n \pmod 2$. Since every vector of $L$ with an odd coordinate has all coordinates odd and hence norm at least $\sqrt{n} > 2$, the successive minima are $\lambda_1(L) = \cdots = \lambda_n(L) = 2$, attained by $2e_1, \ldots, 2e_n$. But $\{2e_1, \ldots, 2e_n\}$ is not a basis of $L$: $(1, 1, \ldots, 1)$, or some other vector with all coordinates odd, must be an element of any basis of $L$.
1.1.2 Two simple bounds on the minimum distance

Gram-Schmidt Orthogonalization and Lower Bounding $\lambda_1$

The Gram-Schmidt orthogonalization $\widetilde{B}$ of a basis $B$ of $L$ is given by
$$B = QR \tag{1.19}$$
$$= Q \begin{pmatrix} \|\tilde b_1\| & & * \\ & \ddots & \\ 0 & & \|\tilde b_n\| \end{pmatrix} \tag{1.20}$$
$$= \widetilde{B} \begin{pmatrix} 1 & & * \\ & \ddots & \\ 0 & & 1 \end{pmatrix}, \tag{1.21}$$
where
$$\widetilde{B} = Q \begin{pmatrix} \|\tilde b_1\| & & 0 \\ & \ddots & \\ 0 & & \|\tilde b_n\| \end{pmatrix},$$
$Q$ is the orthonormal basis obtained from $B$ (its columns are $\tilde b_i / \|\tilde b_i\|$), and $R$ is the representation of $B$ with respect to this basis.

Lemma 1.1.5. $P(\widetilde{B}) = \widetilde{B} \cdot [-\tfrac12, \tfrac12)^n$ is a fundamental domain of $L$. That is, $L + P(\widetilde{B})$ covers $\mathbb{R}^n$ without overlap.

It is easy to see that $\lambda_1(L) \ge \min_i \|\tilde b_i\|$ from $Bc = Q(Rc)$ for $c \in \mathbb{Z}^n$: if $k$ is the largest index with $c_k \neq 0$, the $k$-th coordinate of $Rc$ equals $c_k \|\tilde b_k\|$, so $\|Bc\| = \|Rc\| \ge |c_k| \, \|\tilde b_k\| \ge \|\tilde b_k\|$.
It follows that
$$\mathrm{vol}\big(B(0, \sqrt{n} (\det L)^{1/n})\big) > 2^n \det L,$$
since this ball strictly contains the cube $[-(\det L)^{1/n}, (\det L)^{1/n}]^n$; hence, by Minkowski's convex body theorem, $\lambda_1(L) \le \sqrt{n} (\det L)^{1/n}$.

Remark 1.1.8. We could obtain a more refined inequality if we use the exact formula for $\mathrm{vol}(B(0, R))$. Choose $R$ such that $\mathrm{vol}(B(0, R)) = 2^n \det L$. Then $\lambda_1(L) \le R$.

Theorem 1.1.9 (Minkowski's second theorem). $\Big(\prod_{i=1}^n \lambda_i(L)\Big)^{1/n} \le \sqrt{n} (\det L)^{1/n}$.
Proof. We may assume $\|b_i\| = \lambda_i(L)$ for $i = 1, \ldots, n$, where $b_1, \ldots, b_n \in L$ are linearly independent vectors achieving the successive minima, and consider the lattice generated by $b_1, \ldots, b_n$, possibly a sublattice of $L$. Let $\tilde b_i$ be their Gram-Schmidt vectors and define the open ellipsoid
$$T := \Big\{ y \in \mathbb{R}^n : \sum_{i=1}^n \Big( \frac{\langle y, \tilde b_i \rangle}{\|\tilde b_i\| \lambda_i} \Big)^2 < 1 \Big\}. \tag{1.35}$$

Claim: the ellipsoid $T$ does not contain any nonzero lattice point.

Let $0 \neq y \in L$, and let $1 \le k \le n$ be maximal such that $\lambda_k \le \|y\|$ (so $\|y\| < \lambda_{k+1}$ when $k < n$). We claim $y \in \mathrm{span}\{b_1, \ldots, b_k\} = \mathrm{span}\{\tilde b_1, \ldots, \tilde b_k\}$. If not, $b_1, \ldots, b_k, y$ are $k + 1$ linearly independent lattice vectors whose norms are less than $\lambda_{k+1}$, a contradiction. Hence
$$\sum_{i=1}^n \Big( \frac{\langle y, \tilde b_i \rangle}{\|\tilde b_i\| \lambda_i} \Big)^2 = \sum_{i=1}^k \Big( \frac{\langle y, \tilde b_i \rangle}{\|\tilde b_i\| \lambda_i} \Big)^2 \tag{1.37}$$
$$\ge \frac{1}{\lambda_k^2} \sum_{i=1}^k \Big( \frac{\langle y, \tilde b_i \rangle}{\|\tilde b_i\|} \Big)^2 \tag{1.38}$$
$$= \frac{\|y\|^2}{\lambda_k^2} \ge 1, \tag{1.39}$$
so $y \notin T$, i.e., $T$ does not contain any nonzero lattice vector. Hence, by Minkowski's convex body theorem applied to the symmetric convex body $T$,
$$2^n \det(L) \ge \mathrm{vol}(T) = \Big( \prod_{i=1}^n \lambda_i \Big) \mathrm{vol}(B(0, 1)) \ge \Big( \prod_{i=1}^n \lambda_i \Big) \Big( \frac{2}{\sqrt{n}} \Big)^n, \tag{1.40}$$
(the unit ball contains the cube $[-1/\sqrt n, 1/\sqrt n]^n$), so
$$\Big( \prod_{i=1}^n \lambda_i \Big)^{1/n} \le \sqrt{n} (\det L)^{1/n}. \tag{1.41}$$
LLL (Lenstra-Lenstra-Lovász) algorithm

$B = (b_1, \ldots, b_n)$ is a $\delta$-LLL reduced basis ($\tfrac14 < \delta < 1$) if
$$|\mu_{i,j}| \le \tfrac12 \ \text{ for all } j < i, \qquad \delta \|\tilde b_i\|^2 \le \|\mu_{i+1,i} \tilde b_i + \tilde b_{i+1}\|^2 \ \text{ for } i = 1, \ldots, n-1, \tag{1.42}$$
where
$$\mu_{i,j} = \frac{\langle b_i, \tilde b_j \rangle}{\|\tilde b_j\|^2}, \tag{1.43}$$
$$\tilde b_i = b_i - \sum_{j=1}^{i-1} \mu_{i,j} \tilde b_j. \tag{1.44}$$
With $\delta = \tfrac34$ the second condition gives $\|\tilde b_{i+1}\|^2 \ge (\delta - \mu_{i+1,i}^2) \|\tilde b_i\|^2 \ge \tfrac12 \|\tilde b_i\|^2$, so $\|\tilde b_1\|^2 \le 2^{i-1} \|\tilde b_i\|^2$ for every $i$. Hence,
$$\|b_1\| = \|\tilde b_1\| \le 2^{(n-1)/2} \min_i \|\tilde b_i\| \le 2^{(n-1)/2} \lambda_1(L).$$
(We choose $\delta = \tfrac34$.)

LLL algorithm

• Reduction step: for $i = 2$ to $n$, for $j = i - 1$ down to $1$:
  $b_i \leftarrow b_i - c_{ij} b_j$, where $c_{ij} = \Big\lceil \dfrac{\langle b_i, \tilde b_j \rangle}{\langle \tilde b_j, \tilde b_j \rangle} \Big\rfloor$.
• Swap step: if $\exists\, i$ such that $\delta \|\tilde b_i\|^2 > \|\mu_{i+1,i} \tilde b_i + \tilde b_{i+1}\|^2$, swap $b_i \leftrightarrow b_{i+1}$ and go to start.
• Output: $b_1, \ldots, b_n$.
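As an added worked example (not part of the lecture note), the following Python implements Gram-Schmidt, the two LLL conditions and the reduction/swap loop in exact rational arithmetic, and runs it on the lattice of Example 1.1.1 (all coordinates of equal parity, $n = 5$) given by a deliberately bad basis constructed here by a unimodular transformation of $2e_1, \ldots, 2e_4, (1,1,1,1,1)$. The sequential variant below (size-reduce $b_k$, then test and possibly swap with $b_{k-1}$) is the textbook form of the algorithm above; the checks at the end are the bounds $\lambda_1 \ge \min_i \|\tilde b_i\|$ and $\|b_1\| \le 2^{(n-1)/2} \lambda_1$ from this section.

```python
# Added example: exact-arithmetic Gram-Schmidt and delta-LLL (delta = 3/4),
# applied to a bad basis of the Example 1.1.1 lattice. Not code from the note.
from fractions import Fraction
import math


def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))


def round_half_up(a):
    """The note's rounding  ⌈a⌋: nearest integer, halves rounded up (⌈2.5⌋ = 3)."""
    return math.floor(a + Fraction(1, 2))


def gram_schmidt(B):
    """Return (Bt, mu): Gram-Schmidt vectors b~_i and mu[i][j] = <b_i, b~_j>/<b~_j, b~_j>."""
    n = len(B)
    Bt, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in B[i]]
        for j in range(i):
            mu[i][j] = dot(B[i], Bt[j]) / dot(Bt[j], Bt[j])
            v = [a - mu[i][j] * b for a, b in zip(v, Bt[j])]
        Bt.append(v)
    return Bt, mu


def is_lll_reduced(B, delta=Fraction(3, 4)):
    """Size condition |mu_ij| <= 1/2 and Lovasz condition (1.42)."""
    Bt, mu = gram_schmidt(B)
    n = len(B)
    if any(abs(mu[i][j]) > Fraction(1, 2) for i in range(n) for j in range(i)):
        return False
    for i in range(n - 1):
        lhs = delta * dot(Bt[i], Bt[i])
        rhs = dot(Bt[i + 1], Bt[i + 1]) + mu[i + 1][i] ** 2 * dot(Bt[i], Bt[i])
        if lhs > rhs:
            return False
    return True


def lll(B, delta=Fraction(3, 4)):
    """Sequential LLL: size-reduce b_k against b_{k-1},...,b_1, then Lovasz-test/swap."""
    B = [[Fraction(x) for x in b] for b in B]
    n, k = len(B), 1
    while k < n:
        Bt, mu = gram_schmidt(B)
        for j in range(k - 1, -1, -1):            # reduction step
            c = round_half_up(mu[k][j])
            if c:
                B[k] = [a - c * b for a, b in zip(B[k], B[j])]
                Bt, mu = gram_schmidt(B)
        lhs = delta * dot(Bt[k - 1], Bt[k - 1])   # swap step (Lovasz test)
        rhs = dot(Bt[k], Bt[k]) + mu[k][k - 1] ** 2 * dot(Bt[k - 1], Bt[k - 1])
        if lhs > rhs:
            B[k], B[k - 1] = B[k - 1], B[k]
            k = max(k - 1, 1)
        else:
            k += 1
    return [[int(x) for x in b] for b in B]


def det_squared(B):
    """det(L)^2 = prod_i |b~_i|^2; invariant under the unimodular operations of LLL."""
    Bt, _ = gram_schmidt(B)
    return math.prod(dot(v, v) for v in Bt)


def in_parity_lattice(v):
    """Membership in L of Example 1.1.1: all coordinates have the same parity."""
    return len({x % 2 for x in v}) == 1


# Constructed bad basis of the Example 1.1.1 lattice for n = 5 (det L = 2^4 = 16).
BAD_BASIS = [[9, 7, 7, 7, 7], [9, 11, 9, 9, 9], [11, 11, 13, 11, 11],
             [13, 13, 13, 15, 13], [28, 22, 22, 22, 22]]


def reduce_example():
    red = lll(BAD_BASIS)
    Bt, _ = gram_schmidt(red)
    return {"basis": red,
            "first_norm_sq": int(dot(red[0], red[0])),
            "min_gs_norm_sq": min(dot(v, v) for v in Bt),
            "det_sq": det_squared(red)}
```

Here $\lambda_1(L) = 2$, so after reduction the checks `min_gs_norm_sq <= 4` (from $\lambda_1 \ge \min_i \|\tilde b_i\|$) and `first_norm_sq <= 64` (from $\|b_1\| \le 2^{(n-1)/2} \lambda_1 = 8$) must hold, while the determinant stays $16$ and every output vector stays in $L$. On the basis $(1,0), (1023,1)$ of $\mathbb{Z}^2$ from (1.8), a single size-reduction step returns the standard basis.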
Chapter 2

Let $A \in \mathbb{Z}_q^{n \times m}$ and $f_A(x) := Ax \bmod q$. The preimage of a syndrome $u \in \mathbb{Z}_q^n$ is
$$f_A^{-1}(u) = \{ x \in \mathbb{Z}^m : Ax = u \bmod q \}.$$
Restricted to $\{0,1\}^m$, $f_A$ covers $\mathbb{Z}_q^n$ almost uniformly. (Note that since $m > n \log q$, the number of elements in the domain, $2^m$, is much larger than the number of elements in the range, $q^n$.)

We say that $x, x' \in \{0,1\}^m$ collide when $Ax = Ax'$; then $x - x' \in \{-1, 0, 1\}^m$ is a short nonzero vector of $L^\perp(A) := \{ z \in \mathbb{Z}^m : Az = 0 \bmod q \}$, i.e., a solution of SIS for $A$.

• A syndrome $u \in \mathbb{Z}_q^n$ defines a coset
$$L^\perp_u(A) = \{ x \in \mathbb{Z}^m : Ax = u \bmod q \}$$
of $L^\perp(A)$.

Remark 2.1.1. We are assuming that $A$ has $n$ linearly independent columns. Hence $A : \mathbb{Z}^m \to \mathbb{Z}_q^n$ is onto, so $|\mathbb{Z}^m / L^\perp(A)| = q^n$, i.e., $\det L^\perp(A) = q^n$.
Lattice interpretation of LWE

$$L(A) := \{ z \in \mathbb{Z}^m : z^t = s^t A \bmod q \text{ for some } s \in \mathbb{Z}_q^n \} = \pi^{-1}\big(\mathrm{im}(s \mapsto s^t A)\big),$$
where $\pi : \mathbb{Z}^m \to \mathbb{Z}_q^m$ is reduction mod $q$ and $s \mapsto s^t A$ is the map $\mathbb{Z}_q^n \to \mathbb{Z}_q^m$. An LWE vector $b^t = s^t A + e^t$ is thus a point of $\mathbb{Z}^m$ close to the lattice $L(A)$, and search-LWE is a bounded-distance decoding problem on $L(A)$.

• SIS ≥ LWE: if we find a short $z$ such that $Az = 0$, then from $b^t = s^t A + e^t$ we get $b^t z = 0 + e^t z$; if $(A, b^t)$ is LWE, then $b^t z$ is short, while if $(A, b^t)$ is not LWE (i.e., $b$ is uniform), then $b^t z$ is rather well spread.

• Decision-LWE ⇒ search-LWE (guessing one coordinate of $s$): given a sample $(\vec a, b)$, choose $r \leftarrow \mathbb{Z}_q$ uniformly and set $\vec a' := \vec a - (r, 0, \ldots, 0)$, so that $\vec a = \vec a' + (r, 0, \ldots, 0)$ with $\vec a'$ uniform and independent of $r$. From
$$b = \langle s, \vec a \rangle + e = \langle s, \vec a' + (r, 0, \ldots, 0) \rangle + e = \langle s, \vec a' \rangle + s_1 r + e,$$
we see that if $s_1 = 0$, then $(\vec a', b)$ with $b = \langle s, \vec a' \rangle + e$ is an LWE sample, and if $s_1 \neq 0$, then $s_1 r$ is uniform (for prime $q$) and so $b$ is uniform. A decision oracle therefore tests whether $s_1 = 0$; replacing $b$ by $b - g r$ tests $s_1 = g$ for any guess $g \in \mathbb{Z}_q$, and the other coordinates are handled in the same way.
Decision-LWE with 'Short' Secret

We may assume that the secret is short, i.e., drawn from the error distribution $\chi^n$. In this case we say that our LWE is in Hermite normal form (HNF of LWE). The reduction:

1. Draw $n$ samples to get $(\bar A, \bar b^t = s^t \bar A + \bar e^t)$ with $\bar A \in \mathbb{Z}_q^{n \times n}$ square and invertible (redraw if it is not).
2. Transform every further sample $(\vec a, b)$ with $b = \langle s, \vec a \rangle + e$ into $\vec a' := -\bar A^{-1} \vec a$ and $b' := b + \bar b^t \vec a' = \langle \bar e, \vec a' \rangle + e$. Then $(\vec a', b')$ is an LWE sample with secret $\bar e$ (and $\vec a'$ is uniform). Once $\bar e$ is found, we obtain $s$ from $\bar b^t = s^t \bar A + \bar e^t$.
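As an added example (not from the lecture note), the following Python carries out the HNF transform above on constructed LWE samples: it takes the first $n$ samples as the columns of $\bar A$, inverts $\bar A$ over $\mathbb{Z}_q$ by Gauss-Jordan elimination, and checks that the transformed samples are LWE samples under the short secret $\bar e$, i.e., that $b' - \langle \bar e, \vec a' \rangle$ is a small error. The parameters ($q = 257$, $n = 6$, errors in $\{-1, 0, 1\}$) and the retry-on-singular loop are this example's own choices. The ring-LWE normal form of Lemma 5.5.3 is the same map with the ring element $a_0^{-1}$ in place of $\bar A^{-1}$.

```python
# Added example: HNF (short-secret) transform for LWE. Not code from the note.
import random

Q, N = 257, 6   # prime modulus (every nonzero scalar is invertible), secret dimension


def inv_mod_matrix(M, q):
    """Inverse of a square matrix over Z_q (q prime) by Gauss-Jordan; None if singular."""
    n = len(M)
    A = [[M[i][j] % q for j in range(n)] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [x * inv % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(x - f * y) % q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]


def matvec(M, v, q):
    return [sum(M[i][j] * v[j] for j in range(len(v))) % q for i in range(len(M))]


def centered(x, q):
    """Representative of x mod q in [-q/2, q/2)."""
    return (x + q // 2) % q - q // 2


def lwe_sample(s, rng):
    """One sample (a, b = <s, a> + e) with e in {-1, 0, 1}; e is returned for checking only."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.choice([-1, 0, 1])
    return a, (sum(x * y for x, y in zip(s, a)) + e) % Q, e


def to_normal_form(samples):
    """Use the first N samples as columns of Abar (b_bar^t = s^t Abar + e_bar^t) and map the
    remaining samples to (a' = -Abar^{-1} a, b' = b + <b_bar, a'>), which satisfy
    b' = <e_bar, a'> + e: LWE with the short secret e_bar."""
    Abar = [[samples[j][0][i] for j in range(N)] for i in range(N)]   # column j = a_j
    Abar_inv = inv_mod_matrix(Abar, Q)
    if Abar_inv is None:
        raise ValueError("first N samples do not give an invertible Abar; draw more")
    b_bar = [samples[j][1] for j in range(N)]
    out = []
    for a, b in samples[N:]:
        a_new = [(-x) % Q for x in matvec(Abar_inv, a, Q)]
        b_new = (b + sum(x * y for x, y in zip(b_bar, a_new))) % Q
        out.append((a_new, b_new))
    return out


def demo(seed=1):
    """Return (e_bar, residuals): residual b' - <e_bar, a'> must equal the original error e."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(N)]
    while True:
        raw = [lwe_sample(s, rng) for _ in range(N + 4)]
        samples = [(a, b) for a, b, _ in raw]
        try:
            transformed = to_normal_form(samples)
            break
        except ValueError:          # Abar singular with probability about 1/q; redraw
            continue
    e_bar = [e for _, _, e in raw[:N]]
    residuals = [centered(b - sum(x * y for x, y in zip(e_bar, a)), Q) for a, b in transformed]
    return e_bar, residuals
```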
2.2 Cryptosystems

2.2.1 Public-Key Cryptosystem using LWE

(Due to Regev.)

• $A \leftarrow \mathbb{Z}_q^{n \times m}$ (i.e., a uniformly random $n \times m$ matrix over $\mathbb{Z}_q$), public.
• $s \leftarrow \mathbb{Z}_q^n$, Alice's secret; her public key is
$$b^t = s^t A + e^t. \tag{2.9}$$
• $x \leftarrow \{0,1\}^m$, Bob's (ephemeral) secret. Bob sends to Alice
$$u = Ax, \tag{2.10}$$
$$u' = b^t x + \mathrm{bit} \cdot \lfloor q/2 \rfloor. \tag{2.11}$$
Alice computes $u' - s^t u = e^t x + \mathrm{bit} \cdot \lfloor q/2 \rfloor$ and recovers the bit whenever $|e^t x| < q/4$.

Dual-style cryptosystem

• $A \leftarrow \mathbb{Z}_q^{n \times m}$ public; Alice's secret is $x \leftarrow \{0,1\}^m$ and her public key is $u = Ax$ (by the leftover hash lemma, $u$ is close to uniform if $m \ge n \log q$).
• Bob chooses a secret $s \leftarrow \mathbb{Z}_q^n$ and sends
$$b^t = s^t A + e^t, \tag{2.13}$$
$$b' = s^t u + e' + \mathrm{bit} \cdot \lfloor q/2 \rfloor. \tag{2.14}$$
Alice computes $b' - b^t x = e' - e^t x + \mathrm{bit} \cdot \lfloor q/2 \rfloor$.

A more compact variant, with a short secret $r$ and error vectors $x, x'$, uses
$$b = Ar + x \tag{2.16}$$
$$b' = u^t r + x' + \mathrm{bit} \cdot \lfloor q/2 \rfloor. \tag{2.17}$$
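As an added example (not from the lecture note), the following Python implements Regev's scheme (2.9)-(2.11) and the dual-style scheme (2.13)-(2.14) with toy parameters chosen here ($q = 1024$, $n = 16$, $m = 128$, errors in $\{-1, 0, 1\}$). The parameters are chosen so that the decryption terms $e^t x$ and $e' - e^t x$ are bounded by $m + 1 < q/4$, so decryption never fails; that bound, not the key size, is the check a practitioner should make before trusting a parameter set.

```python
# Added example: Regev and dual LWE public-key encryption of one bit. Not code from the note.
import random

Q, N, M = 1024, 16, 128   # modulus, secret dimension, number of columns (m > n log q)


def rand_matrix(rng, rows, cols):
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def small_vec(rng, k):
    return [rng.choice([-1, 0, 1]) for _ in range(k)]


def vec_mat(v, A):
    """v^t A mod q (A has len(v) rows)."""
    return [sum(v[i] * A[i][j] for i in range(len(v))) % Q for j in range(len(A[0]))]


def mat_vec(A, x):
    """A x mod q."""
    return [sum(A[i][j] * x[j] for j in range(len(x))) % Q for i in range(len(A))]


def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def decode_bit(y):
    """1 if y mod q is closer to q/2 than to 0, else 0."""
    return int(Q // 4 <= y % Q < 3 * Q // 4)


# Regev: Alice holds s; public key (A, b^t = s^t A + e^t); Bob encrypts with x in {0,1}^m.
def regev_keygen(rng):
    A = rand_matrix(rng, N, M)
    s = [rng.randrange(Q) for _ in range(N)]
    b = [(p + r) % Q for p, r in zip(vec_mat(s, A), small_vec(rng, M))]
    return (A, b), s


def regev_encrypt(pk, bit, rng):
    A, b = pk
    x = [rng.randrange(2) for _ in range(M)]
    return mat_vec(A, x), (inner(b, x) + bit * (Q // 2)) % Q        # (u, u')


def regev_decrypt(s, ct):
    u, u2 = ct
    return decode_bit(u2 - inner(s, u))     # = e^t x + bit*q/2, |e^t x| <= m < q/4


# Dual: Alice holds x in {0,1}^m; public key u = A x; Bob encrypts with a fresh LWE secret s.
def dual_keygen(rng, A):
    x = [rng.randrange(2) for _ in range(M)]
    return mat_vec(A, x), x


def dual_encrypt(A, u, bit, rng):
    s = [rng.randrange(Q) for _ in range(N)]
    b = [(p + r) % Q for p, r in zip(vec_mat(s, A), small_vec(rng, M))]
    e2 = rng.choice([-1, 0, 1])
    return b, (inner(s, u) + e2 + bit * (Q // 2)) % Q                # (b^t, b')


def dual_decrypt(x, ct):
    b, b2 = ct
    return decode_bit(b2 - inner(b, x))     # = e' - e^t x + bit*q/2


def roundtrip(seed=7, trials=20):
    """Encrypt and decrypt random bits under both schemes; return the number of failures."""
    rng = random.Random(seed)
    A = rand_matrix(rng, N, M)
    pk, s = regev_keygen(rng)
    u, x = dual_keygen(rng, A)
    fails = 0
    for _ in range(trials):
        bit = rng.randrange(2)
        fails += regev_decrypt(s, regev_encrypt(pk, bit, rng)) != bit
        fails += dual_decrypt(x, dual_encrypt(A, u, bit, rng)) != bit
    return fails
```

The IBE of Section 3.2.1 is the dual scheme with Alice's public key $u$ replaced by the hash of her identity and her secret $x$ sampled by the master authority.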
Chapter 3

Let $\rho_s(x) = e^{-\pi \|x\|^2 / s^2}$ for $x \in \mathbb{R}^n$, with Fourier transform $\hat f(y) = \int_{\mathbb{R}^n} f(x) e^{-2\pi i x \cdot y} \, dx$. Hence,
$$\hat\rho_s(y) = \int_{\mathbb{R}^n} \rho_s(x) e^{-2\pi i x \cdot y} \, dx \tag{3.4}$$
$$= \int_{\mathbb{R}^n} e^{-\pi \left( \frac{\|x\|^2}{s^2} + 2i x \cdot y \right)} dx \tag{3.5}$$
$$= \int_{\mathbb{R}^n} e^{-\pi \sum_i \left( \frac{x_i}{s} + i y_i s \right)^2} e^{-\pi (\|y\| s)^2} \, dx \tag{3.6}$$
$$= s^n \rho_{1/s}(y). \tag{3.7}$$
Hence, if $\rho_s(x)$ is rather steep (small $s$), then $\hat\rho_s$ is rather flat, and vice versa.

Remark 3.1.1.
$$\int_{\mathbb{R}} e^{-\pi x^2} dx = 1, \tag{3.8}$$
$$\int_{\mathbb{R}} e^{-\pi (x/s)^2} dx = s. \tag{3.9}$$
Poisson summation formula

Let
$$f(x) : \mathbb{R} \to \mathbb{C}, \tag{3.10}$$
$$F(\theta) := \sum_{n \in \mathbb{Z}} f(\theta + n) : S^1 \to \mathbb{C}, \tag{3.11}$$
a periodic function with Fourier series $F(\theta) = \sum_n a_n e^{2\pi i n \theta}$, where
$$a_n = \int_0^1 F(\theta) e^{-2\pi i n \theta} d\theta \tag{3.13}$$
$$= \int_0^1 \Big( \sum_k f(\theta + k) \Big) e^{-2\pi i n \theta} d\theta \tag{3.14}$$
$$= \int_{-\infty}^{\infty} f(\theta) e^{-2\pi i n \theta} d\theta \tag{3.15}$$
$$= \hat f(n), \tag{3.16}$$
i.e., $F(\theta) = \sum_n \hat f(n) e^{2\pi i n \theta}$. In particular, we obtain the Poisson summation formula
$$F(0) = \sum_{n \in \mathbb{Z}} f(n) = \sum_{n \in \mathbb{Z}} \hat f(n). \tag{3.17}$$
In general, for $h : \mathbb{R}^n \to \mathbb{C}$ (writing $h(S) := \sum_{x \in S} h(x)$),
$$\hat h(\mathbb{Z}^n) = h(\mathbb{Z}^n). \tag{3.18}$$
For a lattice $L = A \mathbb{Z}^n$ with dual lattice
$$L^* = \{ x \in \mathbb{R}^n : x \cdot y \in \mathbb{Z} \ \ \forall y \in L \} = A^{-T} \mathbb{Z}^n, \tag{3.20}$$
we have $f(L) = (f \circ A)(\mathbb{Z}^n) = \widehat{f \circ A}(\mathbb{Z}^n)$ by the Poisson summation formula. Let's compute
$$\widehat{f \circ A}(y) = \int_{\mathbb{R}^n} e^{-2\pi i \langle x, y \rangle} (f \circ A)(x) \, dx \tag{3.23}$$
putting $Ax =: x'$,
$$= \frac{1}{|\det A|} \int_{\mathbb{R}^n} e^{-2\pi i \langle A^{-1} x', y \rangle} f(x') \, dx' \tag{3.24}$$
$$= \frac{1}{|\det A|} \int_{\mathbb{R}^n} e^{-2\pi i \langle x', A^{-T} y \rangle} f(x') \, dx' \tag{3.25}$$
$$= \frac{1}{|\det A|} \cdot \hat f(A^{-T} y). \tag{3.26}$$
Hence,
$$\widehat{f \circ A}(\mathbb{Z}^n) = \frac{1}{|\det A|} \hat f(A^{-T} \mathbb{Z}^n) \tag{3.27}$$
$$= \det L^* \cdot \hat f(L^*), \tag{3.28}$$
because in general, for $L = A \mathbb{Z}^n$, $L^* = A^{-T} \mathbb{Z}^n$ and $\det L^* = 1 / |\det A| = 1 / \det L$. Thus $f(L) = \det(L^*) \, \hat f(L^*)$ for every lattice $L$.
• Let $\varepsilon := 2 e^{-\pi s^2}$. Then $\rho_s(c + \mathbb{Z}) \in \big[ 1 \pm \tfrac{\varepsilon}{1 - \varepsilon} \big] \cdot s$ for all $c \in \mathbb{R}$. We just compute (note that $\rho_s(c + \mathbb{Z}) \le \rho_s(\mathbb{Z})$, and that by Poisson summation $\rho_s(c + \mathbb{Z}) = s \sum_{n \in \mathbb{Z}} e^{-\pi (sn)^2} e^{2\pi i n c}$, so $|\rho_s(c + \mathbb{Z}) / s - 1| \le 2 \sum_{n \ge 1} e^{-\pi (sn)^2}$):
$$\sum_{n=1}^{\infty} e^{-\pi (sn)^2} < \frac{e^{-\pi s^2}}{1 - e^{-\pi s^2}} < \frac{\varepsilon / 2}{1 - \varepsilon}. \tag{3.37}$$
In particular, for a lattice $L$ with basis $B$, if $s > \sqrt{\log n} \cdot \max_i \|\tilde b_i\|$, then $\rho_s(c + L) \in \big( 1 \pm \tfrac{1}{\mathrm{poly}(n)} \big) s^n \det L^*$ for every $c$.

Remark 3.1.3.

• $\rho_s(x) = e^{-\pi \|x\|^2 / s^2} = \rho_s(x_1) \cdots \rho_s(x_n)$.

• $\rho_s(L(B)) \le \rho_s(L(\widetilde B)) = \prod_{i=1}^n \rho_{s / \|\tilde b_i\|}(\mathbb{Z}) \le \dfrac{s^n}{\det L} \prod_{i=1}^n \Big( 1 + \dfrac{\varepsilon_i}{1 - \varepsilon_i} \Big)$ for some $\varepsilon_1, \ldots, \varepsilon_n$, where
$$\varepsilon_i \le 2 \exp\Big( -\pi \Big( \frac{s}{\|\tilde b_i\|} \Big)^2 \Big) \tag{3.38}$$
(apply the one-dimensional bound to each factor $\rho_s(\|\tilde b_i\| \mathbb{Z}) = \rho_{s / \|\tilde b_i\|}(\mathbb{Z})$ and use $\prod_i \|\tilde b_i\| = \det L$). The inequality $\rho_s(L(B)) \le \rho_s(L(\widetilde B))$ follows from
$$B = Q \begin{pmatrix} \|\tilde b_1\| & & * \\ & \ddots & \\ 0 & & \|\tilde b_n\| \end{pmatrix}, \tag{3.39}$$
where $Q$ is orthogonal: the last coordinate of $Rc$ is $c_n \|\tilde b_n\|$, and for fixed $c_n$ the remaining coordinates run over a shifted copy of the projected sublattice $L(b_1, \ldots, b_{n-1})$, whose Gaussian mass is at most that of the unshifted one; induct on $n$.
Discrete Gaussians

Definition 1. The discrete Gaussian distribution over a coset $c + L$ is defined as
$$D_{c+L,s}(x) = \frac{\rho_s(x)}{\rho_s(c + L)} \tag{3.40}$$
for all $x \in c + L$.

Note that if $s$ is sufficiently large (e.g., $s > \eta_\varepsilon(L)$, the smoothing parameter), then the denominator is very close to $s^n \det L^*$ (e.g., with $\varepsilon = 2^{-n}$, $s > \sqrt{n} / \lambda_1(L^*)$ suffices), and the numerator is the restriction of $\rho_s(x)$ to $c + L$. Hence we obtain only exponentially small information about the coset $c + L$ from a sample of $D_{c+L,s}$ when $s \sim \sqrt{n} / \lambda_1(L^*)$.

Choose $x \in \mathbb{Z}^n$ from $D_{\mathbb{Z}^n,s}$, where $s > \eta_\varepsilon(L)$, and reveal the coset $x + L$. Then every coset $c + L$ is almost equally likely, i.e., the distribution of $x + L$ is almost uniform over $\mathbb{Z}^n / L$. Given that $x \in c + L$, $x$ has the conditional distribution $D_{c+L,s}$.

Let
$$A \leftarrow \mathbb{Z}_q^{n \times m} \ \text{(uniformly)}, \tag{3.41}$$
$$x \leftarrow D_{\mathbb{Z}^m,s}, \tag{3.42}$$
and define $f_A(x) := Ax \ (= u) \in \mathbb{Z}_q^n$. Then inverting $f_A$ ⇔ decoding a uniform syndrome $u$ ⇔ solving SIS for $A$. (Solving $Ax = u$ is equivalent to solving $[A \mid u] \binom{x}{-1} = 0$.) The conditional distribution of $x$ given $Ax = u$ is $D_{L^\perp_u(A),s}$, where
$$L^\perp_u(A) = \{ x \in \mathbb{Z}^m : Ax = u \bmod q \}.$$
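As an added numerical example (not from the lecture note), the following Python evaluates the theta series $\rho_s(c + \mathbb{Z})$, checks the bound $|\rho_s(c + \mathbb{Z}) / s - 1| \le \varepsilon / (1 - \varepsilon)$ with $\varepsilon = 2 e^{-\pi s^2}$ from (3.37) over a grid of cosets, and builds the discrete Gaussian $D_{c + \mathbb{Z}, s}$ of Definition 1 with an inverse-CDF sampler. The truncation of the series to $|n| \le 60$ (tail below $e^{-\pi (60/s)^2}$ for the values of $s$ used) and the grid of $100$ cosets are this example's choices; the point to observe is that for $s = 1/2$ the coset masses still vary by a factor of more than $2$, whereas for $s = 2$ they agree to within $10^{-5}$, which is what "above the smoothing parameter" means in one dimension.

```python
# Added example: one-dimensional smoothing check and the discrete Gaussian D_{c+Z,s}.
# Not code from the note.
import math
import random


def rho(x, s):
    return math.exp(-math.pi * (x / s) ** 2)


def rho_coset(c, s, terms=60):
    """rho_s(c + Z) = sum_n rho_s(c + n), truncated to |n| <= terms."""
    return sum(rho(c + n, s) for n in range(-terms, terms + 1))


def eps_bound(s):
    """Poisson-summation bound: |rho_s(c+Z)/s - 1| <= eps/(1-eps), eps = 2 exp(-pi s^2)."""
    eps = 2 * math.exp(-math.pi * s * s)
    return eps / (1 - eps)


def max_coset_deviation(s, grid=100):
    """max over c in {k/grid} of |rho_s(c+Z)/s - 1|; the extremes are c = 0 and c = 1/2."""
    return max(abs(rho_coset(k / grid, s) / s - 1) for k in range(grid))


def discrete_gaussian_pmf(c, s, support=40):
    """D_{c+Z,s}(c + n) = rho_s(c + n) / rho_s(c + Z) for |n| <= support."""
    Z = rho_coset(c, s)
    return {n: rho(c + n, s) / Z for n in range(-support, support + 1)}


def sample_discrete_gaussian(c, s, seed=0, support=40):
    """Inverse-CDF sampling of D_{c+Z,s} from the truncated pmf; returns x = c + n."""
    rng = random.Random(seed)
    u, acc = rng.random(), 0.0
    pmf = discrete_gaussian_pmf(c, s, support)
    for n in sorted(pmf):
        acc += pmf[n]
        if u < acc:
            return c + n
    return c + support      # only reachable through floating-point rounding of the CDF
```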
3.1.2 Sampling

Algorithms for Gaussian sampling from $D_{L^\perp_u(A),s}$

(As remarked before, a sample from $D_{L^\perp_u(A),s}$ reveals nothing about the syndrome $u$ beyond $Ax = u$ if $\sqrt{\log m} \cdot \max_i \|\tilde b_i\| \le s$, where the $\tilde b_i$ are the Gram-Schmidt vectors of the basis of $L^\perp(A)$ used for sampling.)

Remark 3.1.4. The Gaussian nearest-plane algorithm for sampling $D_{L^\perp_u(A),s}$ is not efficient and is inherently sequential. We need a more efficient Gaussian sampler.

Note that the sum of independent Gaussians is again Gaussian, with the sum of the covariances as its covariance. (The probability density of the sum of two independent random variables $X_1$ and $X_2$ is the convolution
$$P_{X_1 + X_2}(y) = \int P_{X_1}(x) P_{X_2}(y - x) \, dx.$$
Hence $\hat P_{X_1 + X_2} = \hat P_{X_1} \hat P_{X_2}$. In particular, if $P_{X_1}$ and $P_{X_2}$ are Gaussian with covariances $s_1^2$ and $s_2^2$, respectively, then $P_{X_1 + X_2}$ is Gaussian with covariance $s_1^2 + s_2^2$.) This gives a perturbation-based sampler for a spherical discrete Gaussian over a coset $c + L^\perp(A)$ given a basis $S$ of $L^\perp(A)$:

1. Generate a perturbation $p$ with covariance $\Sigma_2 = \sigma^2 I - \Sigma_1$, where $\Sigma_1 = S S^t$ and $\sigma > s_1(S)$, the largest singular value of $S$ (so that $\Sigma_2$ is positive definite).
2. Randomly round off $c + p$ (randomized rounding of the coordinates $S^{-1}(c + p)$ in the basis $S$) to obtain a random sample in the coset $S \cdot \mathrm{frac}(S^{-1}(c + p)) + L^\perp(A)$.
3.2 Applications

3.2.1 Identity Based Encryption

• $A$: $n \times m$ matrix, master public key.
• $u = H(\text{Alice})$: hashed identity of Alice, public.

The master authority finds a Gaussian short element in $f_A^{-1}(u)$, i.e., $x \leftarrow f_A^{-1}(u)$ (the master has a short basis of $L^\perp(A)$ with which to sample it), and gives Alice $x$ as her secret key.

I want to send a message bit to Alice so that only Alice can decode. Choose Gaussian short $s \in \mathbb{Z}_q^n$, $e \in \mathbb{Z}^m$ and $e' \in \mathbb{Z}$, and send
$$b^t := s^t A + e^t, \tag{3.45}$$
$$b' = s^t u + e' + \mathrm{bit} \cdot \frac{q}{2}. \tag{3.46}$$
Alice decodes: $b' - b^t x = e' - e^t x + \mathrm{bit} \cdot \frac{q}{2} \approx \mathrm{bit} \cdot \frac{q}{2}$. (Note that this protocol is just a small modification of the dual LWE cryptosystem, with $u = H(\text{Alice})$ in place of a public key $u = Ax$ chosen by Alice.)

It seems that applying SIS or LWE to cryptography requires a lattice together with a short basis. But it is not a simple job to generate a lattice together with a short basis.

The following signature protocol is a typical application of a lattice together with a short basis.

• $pk = A$, $sk$ = short basis of $L^\perp(A)$.
• $H : \{0,1\}^* \to \mathbb{Z}_q^n$ a random oracle.
• Sign: $\sigma \leftarrow f_A^{-1}(H(\mu))$, a Gaussian short preimage sampled with the short basis. Verify: $\sigma$ is short and $A \sigma = H(\mu)$.
Chapter 4

Consider the gadget vector $g = (1, 2, 4, \ldots, 2^{k-1}) \in \mathbb{Z}_q^k$ with $k = \lceil \log q \rceil$, and the LWE-type instance
$$b^t = s \, g^t + e^t = \big( s + e_0, \ 2s + e_1, \ \ldots, \ 2^{k-1} s + e_{k-1} \big) \bmod q,$$
where $s \in \mathbb{Z}_q$ and the $e_i \in \mathbb{Z}$ are small ($|e_i| < q/4$). Inverting $g$ is easy (take $q = 2^k$ for simplicity). Get the least significant bit of $s$ from $2^{k-1} s + e_{k-1}$, i.e., write $s = s_0 + s_1 2 + \cdots + s_{k-1} 2^{k-1}$; then
$$2^{k-1} s + e_{k-1} \bmod q = 2^{k-1} s_0 + e_{k-1}. \tag{4.4}$$
Hence $s_0 = 0$ if $2^{k-1} s + e_{k-1} \bmod q$ is short (closer to $0$ than to $q/2$) and $s_0 = 1$ if it is not short. Then consider the second-to-last coordinate: $2^{k-2} s + e_{k-2} - 2^{k-2} s_0 \bmod q = 2^{k-1} s_1 + e_{k-2}$ gives $s_1$, and so on.

Define
$$G = I_n \otimes g = \begin{pmatrix} \cdots g \cdots & & & \\ & \cdots g \cdots & & \\ & & \ddots & \\ & & & \cdots g \cdots \end{pmatrix} \in \mathbb{Z}_q^{n \times nk}, \tag{4.7}$$
where $k = \lceil \log q \rceil$ as before. Now $f_G^{-1}$ (SIS inversion, finding a short preimage of a syndrome) and $g_G^{-1}$ (LWE inversion, recovering $s$ from $s^t G + e^t$) reduce to $n$ parallel calls to $f_g^{-1}$ and $g_g^{-1}$. This also applies to $HG$ for any invertible $H \in \mathbb{Z}_q^{n \times n}$, by considering $f_G^{-1} \circ H^{-1}$ or $H^{-1} \circ g_G^{-1}$.
To obtain a random matrix $A$ with a trapdoor, choose a short Gaussian $R \leftarrow \mathbb{Z}^{\bar m \times n \lceil \log q \rceil}$ and set
$$A := (\bar A \mid G) \begin{pmatrix} I & -R \\ 0 & I \end{pmatrix} \tag{4.10}$$
$$= (\bar A \mid G - \bar A R). \tag{4.11}$$
$A$ is uniform if $\bar A R$ is uniform. If $\bar m \approx n \log q$, then $\bar A R$ is uniform: the map $R \mapsto \bar A R$ from $\mathbb{Z}^{\bar m \times n \lceil \log q \rceil}$ to $\mathbb{Z}_q^{n \times n \lceil \log q \rceil}$ acts column by column as $r \mapsto \bar A r$, and the leftover hash lemma applies to each column when $2^{\bar m} \gg q^n$.

A short basis of $L^\perp(A)$ is obtained from a short basis $S$ of $L^\perp(G)$. Let $W$ be a short matrix with $\bar A + G W = 0 \bmod q$ (obtained by inverting $f_G$ on the columns of $-\bar A$). Then
$$S_A = T B, \tag{4.16}$$
where
$$B = \begin{pmatrix} I & 0 \\ W & S \end{pmatrix}, \qquad T = \begin{pmatrix} I & R \\ 0 & I \end{pmatrix},$$
is a basis of $L^\perp(A)$: indeed $A \, T B = (\bar A \mid G) B = 0$ and $\det(TB) = \det S = q^n = \det L^\perp(A)$. Its Gram-Schmidt orthogonalization satisfies $\widetilde B = \begin{pmatrix} I & 0 \\ 0 & \widetilde S \end{pmatrix}$, hence $\|\widetilde B\| = \|\widetilde S\|$ (here $\|\cdot\|$ of a basis means the maximum Gram-Schmidt norm, and $\|\widetilde S\| \ge 1$).

Now we prove $\|\widetilde{TB}\| \le s_1(T) \|\widetilde B\|$. Let
$$B = Q D U, \qquad T B = Q' D' U' \tag{4.17}$$
by the Gram-Schmidt decompositions of $B$ and $TB$, respectively, where $Q, Q'$ are orthogonal, $D, D'$ are positive diagonal, and $U, U'$ are unit upper triangular. Then
$$T Q D U = Q' D' U' \ \Rightarrow \ T' D = D' U'', \tag{4.18}$$
where $T' = Q'^{-1} T Q$ and $U'' = U' U^{-1}$ (again unit upper triangular). Then
$$\|\widetilde{TB}\| = \|D'\| \le \|D' U''\| = \|T' D\| \le s_1(T') \|D\| = s_1(T) \|\widetilde B\| = s_1(T) \|\widetilde S\|, \tag{4.19}$$
since the $i$-th column of $D' U''$ has norm at least $d'_{i,i}$, the $i$-th diagonal entry of $D'$, and $T'$ has the same singular values as $T$.

Since
$$T = \begin{pmatrix} I & 0 \\ 0 & I \end{pmatrix} + \begin{pmatrix} 0 & R \\ 0 & 0 \end{pmatrix}$$
and $s_1(T) \le s_1(R) + 1$, it follows that $\|\widetilde{S_A}\| \le (s_1(R) + 1) \|\widetilde S\|$.
Suppose that $A \binom{R}{I} = G$ (this holds for $A = (\bar A \mid G - \bar A R)$, since $\bar A R + G - \bar A R = G$). Given an LWE instance
$$b^t = s^t A + e^t, \tag{4.21}$$
compute $b^t \binom{R}{I} = s^t G + e^t \binom{R}{I}$: this is an LWE instance for the gadget $G$ with error $e^t \binom{R}{I}$ of norm at most $(s_1(R) + 1) \|e\|$, which is inverted by the bit-by-bit procedure of (4.4).
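As an added example (not from the lecture note), the following Python builds $A = (\bar A \mid G - \bar A R)$ for $q = 2^k$, checks the trapdoor identity $A \binom{R}{I} = G$, and inverts an LWE instance $b^t = s^t A + e^t$ by multiplying with $\binom{R}{I}$ and running the bit-by-bit gadget inversion of (4.4) on each of the $n$ blocks. The dimensions ($k = 10$, $n = 4$, $\bar m = 24$) and the distributions of $R$ and $e$ (entries in $\{-1, 0, 1\}$) are this example's choices; they guarantee that the transformed error $e_1^t R + e_2^t$ has entries of magnitude at most $\bar m + 1 < q/4$, which is exactly the condition under which the inversion cannot fail.

```python
# Added example: gadget trapdoor A = [Abar | G - Abar R], A [R; I] = G, and LWE inversion.
# Not code from the note.
import random

K = 10                 # q = 2^k
Q = 1 << K
N, MBAR = 4, 24        # secret dimension, width of Abar
NK = N * K             # width of G = I_n (x) g


def centered(x):
    return (x + Q // 2) % Q - Q // 2


def invert_g(b):
    """Recover s in Z_q from b_i = 2^i s + e_i mod q (i = 0..k-1), |e_i| < q/4,
    one bit per step from the most significant coordinate as in (4.4)."""
    known = 0                                  # s mod 2^i after i steps
    for i in range(K):
        # coordinate k-1-i carries 2^{k-1-i} s + e; strip the bits of s already known
        y = (b[K - 1 - i] - (1 << (K - 1 - i)) * known) % Q   # = 2^{k-1} s_i + e (mod q)
        bit = 0 if abs(centered(y)) < Q // 4 else 1
        known |= bit << i
    return known


def invert_G(b):
    """n parallel calls to invert_g on the n blocks of length k."""
    return [invert_g(b[j * K:(j + 1) * K]) for j in range(N)]


def gadget_matrix():
    return [[(1 << (j % K)) if j // K == i else 0 for j in range(NK)] for i in range(N)]


def gen_trapdoor(rng):
    """A = [Abar | G - Abar R] with short R (entries in {-1,0,1}); then A [R; I] = G."""
    Abar = [[rng.randrange(Q) for _ in range(MBAR)] for _ in range(N)]
    R = [[rng.choice([-1, 0, 1]) for _ in range(NK)] for _ in range(MBAR)]
    G = gadget_matrix()
    AbarR = [[sum(Abar[i][t] * R[t][j] for t in range(MBAR)) % Q for j in range(NK)]
             for i in range(N)]
    A = [Abar[i] + [(G[i][j] - AbarR[i][j]) % Q for j in range(NK)] for i in range(N)]
    return A, R


def check_trapdoor(A, R):
    """Verify A [R; I] == G (mod q)."""
    G = gadget_matrix()
    return all((sum(A[i][t] * R[t][j] for t in range(MBAR)) + A[i][MBAR + j]) % Q == G[i][j]
               for i in range(N) for j in range(NK))


def lwe_instance(A, rng):
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.choice([-1, 0, 1]) for _ in range(MBAR + NK)]
    b = [(sum(s[i] * A[i][j] for i in range(N)) + e[j]) % Q for j in range(MBAR + NK)]
    return s, b


def invert_lwe(b, R):
    """b^t [R; I] = s^t G + (e_1^t R + e_2^t); the new error is bounded by mbar + 1 < q/4."""
    b1, b2 = b[:MBAR], b[MBAR:]
    bG = [(sum(b1[t] * R[t][j] for t in range(MBAR)) + b2[j]) % Q for j in range(NK)]
    return invert_G(bG)


def demo(seed=3):
    """Return (s, recovered s, trapdoor identity holds)."""
    rng = random.Random(seed)
    A, R = gen_trapdoor(rng)
    s, b = lwe_instance(A, rng)
    return s, invert_lwe(b, R), check_trapdoor(A, R)
```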
Sampling from $D_{L^\perp_u(A),s}$ with the trapdoor $R$: choose $s > s_1\big(\binom{R}{I}\big)$ and let $\Sigma_2 = s^2 I - \binom{R}{I} \binom{R}{I}^t > 0$. Generate a perturbation $p$ with covariance $\Sigma_2$. Sample a spherical discrete Gaussian $z$ over the coset $L^\perp_{u - Ap}(G)$, so that $Gz = u - Ap$ (easy, since $L^\perp(G)$ has a known short basis). Output $x = p + \binom{R}{I} z$. Then $Ax = Ap + Gz = u$, and the covariances add up to $\Sigma_2 + \binom{R}{I} \binom{R}{I}^t = s^2 I$: this algorithm generates a spherical discrete Gaussian over $L^\perp_u(A)$.
4.2 Applications

Efficient IBE

1. Choose $A = (\bar A \mid -\bar A R)$. Let $mpk = (A, u)$, $msk = R$ ($A$ has trapdoor $R$ with tag $0$, i.e., $A \binom{R}{I} = 0$).

Part II

Introduction to Ring-LWE
Chapter 5

5.1 Notations

In Part II, we use the notations of [LPR13].

• For $\bar a \in \mathbb{R} / \mathbb{Z}$, $\llbracket \bar a \rrbracket \in \mathbb{R}$ denotes the unique representative $a \in (\bar a + \mathbb{Z}) \cap [-\tfrac12, \tfrac12)$.
• For $\bar a \in \mathbb{Z}_q$, $\llbracket \bar a \rrbracket$ denotes the unique representative $a \in (\bar a + q \mathbb{Z}) \cap [-q/2, q/2)$.
• $\mathbb{Z}_m = \mathbb{Z} / m \mathbb{Z}$, and $[n] = \{0, 1, \ldots, n - 1\}$.
• $H \cong \mathbb{R}^{[n]}$, $n = \varphi(m)$, where $H = \{ x \in \mathbb{C}^{\mathbb{Z}_m^*} : x_i = \overline{x_{m-i}} \ \forall i \in \mathbb{Z}_m^* \}$.
• $B = \dfrac{1}{\sqrt 2} \begin{pmatrix} I & \sqrt{-1} J \\ J & -\sqrt{-1} I \end{pmatrix}$ is a unitary basis of $H$, where
$$I = \begin{pmatrix} 1 & & \\ & \ddots & \\ & & 1 \end{pmatrix}, \qquad J = \begin{pmatrix} & & 1 \\ & \cdot^{\,\cdot^{\,\cdot}} & \\ 1 & & \end{pmatrix}$$
are the $n/2 \times n/2$ identity and reversal matrices. The columns of $B$ are $\tfrac{1}{\sqrt 2}(e_i + e_{m-i})$ for $i < m/2$, $i \in \mathbb{Z}_m^*$, and $\tfrac{\sqrt{-1}}{\sqrt 2}(e_i - e_{m-i})$ for $i > m/2$, $i \in \mathbb{Z}_m^*$. We read $B$ as a $\mathbb{Z}_m^*$-by-$[n]$ matrix.
5.2 Gaussians and Subgaussian Random Variables

We follow [LPR13] as before, giving some details. (Recall that a real random variable $X$ is $\delta$-subgaussian with parameter $s$ if $E[\exp(2\pi t X)] \le \exp(\delta) \exp(\pi s^2 t^2)$ for all $t \in \mathbb{R}$.)

Example 5.2.1. If $E(X) = 0$ and $|X| \le B$, then $X$ is $0$-subgaussian with parameter $B \sqrt{2\pi}$.

Proof. We maximize $E(\exp(2\pi t X)) = \int_{-B}^B \exp(2\pi t x) p(x) \, dx$ over densities $p$ on $[-B, B]$ with $E(X) = \int_{-B}^B x \, p(x) \, dx = 0$ and $\int_{-B}^B p(x) \, dx = 1$. The simplex method says that the maximum of a linear functional over this simplex of probability distributions is attained at a boundary (extreme) point, here $p(x) = (\delta_B(x) + \delta_{-B}(x)) / 2$, and its value is
$$\frac{e^{2\pi t B} + e^{-2\pi t B}}{2} = \cosh(2\pi t B) \le \exp(2\pi^2 B^2 t^2).$$
Since $\pi s^2 t^2 = 2\pi^2 B^2 t^2$ for $s = B \sqrt{2\pi}$, $X$ is $0$-subgaussian with parameter $B \sqrt{2\pi}$.

Lemma 5.2.4. Let $X$ be $\delta$-subgaussian with parameter $s$. Then for any $t \in \big( 0, \tfrac{1}{2 s^2} \big)$,
$$E\big( \exp(2\pi t X^2) \big) \le 1 + 2 \exp(\delta) \cdot \Big( \frac{1}{2 t s^2} - 1 \Big)^{-1}. \tag{5.6}$$

For any positive and increasing function $f$,
$$E(f(X)) = \int_{-\infty}^{\infty} f(x) p(x) \, dx \ge \int_{\alpha}^{\infty} f(x) p(x) \, dx \ge f(\alpha) \Pr(X > \alpha),$$
so $\Pr(X > \alpha) \le E(f(X)) / f(\alpha)$.

Proof. By Lemma 5.2.1, letting $x = 2 s^2 t$ and $A = \pi r / (s^2 k')$ (note that $0 < x < 1$ and $A > 1$ by assumption), the expression inside the exponent can be written as
$$2k \Big( \exp(\delta) \Big( \frac{1}{x} - 1 \Big)^{-1} - A x \Big). \tag{5.20}$$
The minimum of $(\tfrac{1}{x} - 1)^{-1} - Ax$ over $0 < x < 1$ is $2\sqrt{A} - A - 1$, attained at $x = 1 - \tfrac{1}{\sqrt A}$.

Note that if the coordinates of $X$ are independent and all are $\delta$-subgaussian with parameter $s$, then $X$ is $n\delta$-subgaussian with the same parameter $s$. (If $u = (u_1, \ldots, u_n)$ with $u_1^2 + \cdots + u_n^2 = 1$, then $u_i X_i$ is $\delta$-subgaussian with parameter $|u_i| s$, so by independence $\langle u, X \rangle = \sum_i u_i X_i$ is $n\delta$-subgaussian with parameter $(\sum_i u_i^2 s^2)^{1/2} = s$.)
Remark 5.3.1.

1. $\rho_s / s^n$ is a probability density on $\mathbb{R}^n$. Hence $\dfrac{\rho_s|_\Lambda}{s^n} \det \Lambda$ is almost a probability distribution on the lattice $\Lambda$; in particular $\dfrac{\rho_s(\Lambda)}{s^n} \det \Lambda \approx 1$. More precisely, if $s \ge \eta_\varepsilon(\Lambda)$, where $\eta_\varepsilon(\Lambda)$ is the smoothing parameter defined earlier, then $\rho_s(\Lambda + c) \in (1 \pm \varepsilon) \, s^n \det(\Lambda)^{-1}$ for every $c$ ([Reg05]).

2. For any $n$-dimensional lattice $\Lambda$ and $s > 0$, a point sampled from $D_{\Lambda,s} = \rho_s / \rho_s(\Lambda)$ has Euclidean norm at most $s \sqrt{n}$ except with probability at most $2^{-2n}$ ([Ban93]).
5.3.1 Decoding

$\Lambda \subset H$: a fixed lattice. $x \in H$: an unknown short vector. We are given $t$ such that $t = x \bmod \Lambda$. The goal is to recover $x$.

First attempt. A basis $B = (b_1, \ldots, b_n)$ of $\Lambda$ is known. Write $t = \sum c_i b_i$ and output $\sum (c_i - \lceil c_i \rfloor) b_i$, claiming it equals $x$; this is Babai's round-off algorithm with respect to the basis $B$ [Bab85].

Problem: if the basis vectors $b_i$ are not short, then $\sum (c_i - \lceil c_i \rfloor) b_i$ is not short in general, so it cannot be $x$ (which is short). The algorithm succeeds exactly when $x \in P(B)$, in particular whenever $\|x\| \le d$, where $d$ is the radius of the largest ball contained in $P(B)$.

Second attempt. Choose $\{v_i\}$, a fixed set of $n$ linearly independent and typically short vectors in the dual lattice $\Lambda^\vee$ ($\{v_i\}$ need not be a basis of $\Lambda^\vee$). Denote the dual basis of $\{v_i\}$ by $\{b'_i\}$ (so $\langle b'_i, v_j \rangle = \delta_{ij}$), and let $\Lambda' \supseteq \Lambda$ be the superlattice generated by $\{b'_i\}$. Given an input $t = x \bmod \Lambda$, we re-express $t \bmod \Lambda'$ with respect to the basis $\{b'_i\}$ as $\sum c'_i b'_i$ with $c'_i \in \mathbb{R} / \mathbb{Z}$, and output $\sum_i \llbracket c'_i \rrbracket b'_i \in H$ (note that $c'_i = \langle x, \bar v_i \rangle \bmod 1$, because $\langle \Lambda, \bar v_i \rangle \subseteq \mathbb{Z}$). Hence the output is equal to $x$ if and only if all the coefficients $a_i = \langle x, \bar v_i \rangle$ in the expansion $x = \sum a_i b'_i$ lie in $[-\tfrac12, \tfrac12)$. (Note that in general $b'_i \in \Lambda'$ is small but not necessarily in $\Lambda$.) Hence the second attempt works when $x \in P(B')$. In general, the radius of the ball enclosed in $P(B')$ is larger than the radius of the ball enclosed in $P(B)$ for the given basis $B = (b_1, \ldots, b_n)$, even though $\Lambda' \supseteq \Lambda$, because of the (short) choice of $\{v_i\}$.

Example 5.3.1. Define a lattice by
$$x = (x_1, \ldots, x_n) \in \Lambda \subset \mathbb{Z}^n \iff \sum_i x_i \equiv 0 \pmod 2.$$
Then
$$\Lambda^\vee = \mathbb{Z}^n \cup \big( \mathbb{Z}^n + \tfrac12 (1, 1, \ldots, 1) \big).$$
A basis of $\Lambda$ is
$$\{ (1, 1, 0, \ldots, 0), (1, 0, 1, 0, \ldots), \ldots, (1, 0, \ldots, 0, 1), (2, 0, \ldots, 0) \},$$
and a basis of $\Lambda^\vee$ is
$$\{ (1, 0, \ldots, 0), \ldots, (0, \ldots, 0, 1, 0), \tfrac12 (1, \ldots, 1) \}.$$
Taking
$$\{v_i\} = \{ (1, 0, \ldots, 0), \ldots, (0, \ldots, 0, 1, 0), (0, \ldots, 0, 1) \},$$
we have $\Lambda^\vee \supsetneq L(\{v_i\})$. But $\|v_i\| = 1$ for $i = 1, \ldots, n$, and $\Lambda' = L(\{v_i\})^\vee = \mathbb{Z}^n \supsetneq \Lambda$, so the second attempt recovers every $x$ with $\|x\|_\infty < \tfrac12$, whereas round-off with the basis of $\Lambda$ above fails for some such $x$ (e.g., $x = (-0.4, 0.4, \ldots, 0.4)$ with $n = 4$, whose coefficient on $(2, 0, 0, 0)$ is $-0.8$).
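As an added example (not from the lecture note), the following Python runs both decoding attempts on the lattice of Example 5.3.1 in exact rational arithmetic: Babai round-off with the basis $B$ listed above, and dual-basis decoding with $v_i = e_i$ (whose dual basis generates $\Lambda' = \mathbb{Z}^n$). The inputs $t = x + \lambda$ with $\lambda \in \Lambda$ are constructed here; the comparison shows an $x$ with $\|x\|_\infty = 0.4$ that round-off decodes wrongly while the second attempt recovers it, and confirms that both outputs depend only on the coset $x + \Lambda$, not on the representative $t$.

```python
# Added example: Babai round-off vs. dual-basis decoding on Example 5.3.1. Not code from the note.
from fractions import Fraction as Fr
import math


def round_half_up(a):
    """⌈a⌋ with halves rounded up, as in the note; also gives [[c]] = c - ⌈c⌋ in [-1/2, 1/2)."""
    return math.floor(a + Fr(1, 2))


def solve(cols, y):
    """Solve M c = y over Q, where M is given by its columns; Gauss-Jordan elimination."""
    n = len(y)
    A = [[Fr(cols[j][i]) for j in range(n)] + [Fr(y[i])] for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y2 for x, y2 in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def babai_roundoff(B, t):
    """First attempt: t = sum c_i b_i, output sum (c_i - ⌈c_i⌋) b_i."""
    c = solve(B, t)
    r = [ci - round_half_up(ci) for ci in c]
    return [sum(r[j] * Fr(B[j][i]) for j in range(len(B))) for i in range(len(t))]


def dual_decode(V, t):
    """Second attempt: c'_i = <t, v_i> mod 1; output x with <v_i, x> = [[c'_i]], i.e. sum [[c'_i]] b'_i."""
    n = len(t)
    cp = [sum(Fr(t[i]) * Fr(V[j][i]) for i in range(n)) for j in range(n)]
    rep = [ci - round_half_up(ci) for ci in cp]
    return solve([[Fr(V[i][j]) for i in range(n)] for j in range(n)], rep)


def example_basis(n):
    """Basis of Lambda = {x in Z^n : sum x_i even} from Example 5.3.1: e_1 + e_j (j = 2..n) and 2 e_1."""
    B = [[1 if i in (0, j) else 0 for i in range(n)] for j in range(1, n)]
    B.append([2] + [0] * (n - 1))
    return B


def identity(n):
    return [[int(i == j) for i in range(n)] for j in range(n)]


def in_lattice(v):
    return all(Fr(x).denominator == 1 for x in v) and sum(Fr(x) for x in v) % 2 == 0


def compare(n, x, shift):
    """Decode t = x + shift (shift in Lambda, given as a constructed input) with both attempts.
    Returns (round-off recovered x?, dual decoding recovered x?)."""
    x = [Fr(a) for a in x]
    assert in_lattice(shift)
    t = [a + b for a, b in zip(x, shift)]
    out1 = babai_roundoff(example_basis(n), t)
    out2 = dual_decode(identity(n), t)
    return out1 == x, out2 == x
```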
Discretization

Input: $\Lambda = L(B)$ with a good basis $B = \{b_i\}$, $x \in H$, $c \in H$. The goal is to discretize $x$ to a point $y \in \Lambda + c$, written $y \leftarrow \lfloor x \rceil_{\Lambda + c}$, so that $y - x$ is not too large. Hence it suffices to find a relatively short offset vector $f$ from the coset $\Lambda + c' = \Lambda + (c - x)$ and output $y = x + f$. Note that $\lfloor z + x \rceil_{\Lambda + c}$ and $z + \lfloor x \rceil_{\Lambda + c}$ are identically distributed for any $z \in \Lambda$ if our algorithm depends only on the coset $\Lambda + c'$ and not on the particular representative. In this case it is called a valid discretization.

5.4 Algebraic Number Theory Background

Let $m \ge 2$, let $\Phi_m(X) = \prod_{i \in \mathbb{Z}_m^*} (X - \omega_m^i)$ be the $m$-th cyclotomic polynomial, where $\omega_m = e^{2\pi i / m}$, and let $K = \mathbb{Q}(\zeta_m) \cong \mathbb{Q}[X] / \Phi_m(X)$ be the $m$-th cyclotomic number field, $\zeta_m$ denoting an abstract primitive $m$-th root of unity. Since $n = |\mathbb{Z}_m^*| = \varphi(m) = \deg \Phi_m$, we can view $K$ as a vector space of dimension $n$ over $\mathbb{Q}$, which has a basis $(\zeta_m^j)_{j \in [n]} = (1, \zeta_m, \ldots, \zeta_m^{n-1})$, called the power basis.
Remark 5.4.1. $X^m - 1 = \prod_{d \mid m} \Phi_d(X)$, where $d$ runs over all positive divisors of $m$, because an $m$-th root of unity is a primitive $d$-th root of unity for exactly one divisor $d$ of $m$, and conversely a primitive $d$-th root of unity is an $m$-th root of unity if $d$ divides $m$. (Another way to say it: decompose $\{0, 1, 2, \ldots, m - 1\}$ according to $\gcd(j, m)$.) In particular,
$$\Phi_p(X) = 1 + X + X^2 + \cdots + X^{p-1}$$
for a prime $p$, and $\Phi_m(X) = \Phi_{\mathrm{rad}(m)}(X^{m / \mathrm{rad}(m)})$, where $\mathrm{rad}(m)$ is the product of all distinct primes dividing $m$. If $m'$ divides $m$, we can view $K' = \mathbb{Q}(\zeta_{m'})$ as a subfield of $K = \mathbb{Q}(\zeta_m)$ by identifying $\zeta_{m'}$ with $\zeta_m^{m/m'}$. In general $\Phi_{pq}(X)$ is not of a simple form for distinct primes $p$ and $q$, even though
$$\mathbb{Q}(\zeta_m) \cong \bigotimes_l K_l,$$
where $K_l = \mathbb{Q}(\zeta_{m_l})$ for the prime-power factorization $m = \prod_l m_l$, via the correspondence $\bigotimes_l a_l \leftrightarrow \prod_l a_l$, where on the right we embed each $a_l \in K_l$ into $K$ as a subfield.
The map
$$N : K \to \mathbb{Q}, \qquad a \mapsto \prod_{i \in \mathbb{Z}_m^*} \sigma_i(a)$$
is the field norm, where $\sigma_i : K \to \mathbb{C}$, $\zeta_m \mapsto \omega_m^i$ ($i \in \mathbb{Z}_m^*$), are the $n$ embeddings of $K$ and $\sigma = (\sigma_i)_{i \in \mathbb{Z}_m^*} : K \to H$ is the canonical embedding, for the $m$-th cyclot omic number field and $n = \varphi(m)$. The discriminant satisfies $\Delta_K \le n^n$; this follows from $\sigma(R) = \mathrm{span}_{\mathbb{Z}}\{\sigma(1), \sigma(\zeta_m), \ldots, \sigma(\zeta_m^{n-1})\}$, $\|\sigma(\zeta_m^i)\| = \sqrt n$ and Hadamard's inequality. Note that
$$\Delta_K = |\det(\sigma_i(\zeta_m^j))|^2 \tag{5.33}$$
$$= |\det(\mathrm{Tr}(\zeta_m^i \zeta_m^j))|, \tag{5.34}$$
because
$$\mathrm{Tr}(x_i x_j) = \sum_k \sigma_k(x_i x_j) = \sum_k \sigma_k(x_i) \sigma_k(x_j) = (H^T H)_{ij},$$
where $x_i = \zeta_m^i$ and $H = (\sigma_k(x_j))_{k,j}$ (a matrix, not the space $H$).

$I \subset K$ is called a fractional ideal if $\exists\, d \in R$ such that $dI \subset R$ is an integral ideal. It is principal if $I = uR$ for some $u \in K$. $\sigma(I) \subset H$ is called an ideal lattice. For an ideal $I \subset R$, define the norm as $N(I) = |R / I|$ (the number of cosets of $I$ in $R$).

Note the following:

• Consider the lattices $\sigma(R) \supset \sigma(I)$. Then $N(I) = |\sigma(R) / \sigma(I)|$, and $\sigma(R)$ is the $\mathbb{Z}$-span of $\sigma(1), \sigma(\zeta_m), \ldots, \sigma(\zeta_m^{n-1})$, while $\sigma(\langle a \rangle)$ is spanned by $\sigma(a), \sigma(a \zeta_m), \ldots, \sigma(a \zeta_m^{n-1})$. The $j$-th coordinate $\sigma_j(a \zeta_m^i) = \sigma_j(a) \sigma_j(\zeta_m^i)$ is stretched by $\sigma_j(a)$. Hence $N(\langle a \rangle) = \det \sigma(\langle a \rangle) / \det \sigma(R) = \prod_j |\sigma_j(a)| = |N(a)|$.

• $N(aI) = N(I) N(\langle a \rangle)$, because $|R / aI| = |R / I| \cdot |I / aI| = N(I) N(\langle a \rangle)$ and $|I / aI| = |R / aR|$ (multiplication by $a$ scales the determinant of any ideal lattice by $|N(a)|$).

• The product of ideals $IJ$ consists of the finite sums
$$a_1 b_1 + \cdots + a_l b_l \quad \text{for } a_i \in I, \ b_j \in J. \tag{5.35}$$
Lemma 5.4.2.
$$\sqrt{n} \, N(I)^{1/n} \le \lambda_1(I) \le \sqrt{n} \, N(I)^{1/n} \Delta_K^{1/(2n)}. \tag{5.36}$$

Proof. The upper bound is just Minkowski's inequality, using $\det \sigma(I) = N(I) \det \sigma(R) = N(I) \sqrt{\Delta_K}$. To prove the lower bound, let $v \in I$ be such that $\|v\| = \lambda_1(I)$. Since $\langle v \rangle \subseteq I$,
$$N(I) \le |N(v)| = \prod_i |\sigma_i(v)|.$$
Note that $\|v\|^2 = \sum_i |\sigma_i(v)|^2$ by the definition of the metric on $H$. Also, by the AM-GM inequality,
$$\Big( \prod_i |\sigma_i(v)|^2 \Big)^{1/n} \le \frac{1}{n} \sum_i |\sigma_i(v)|^2. \tag{5.37}$$
Hence $\sqrt{n} \, N(I)^{1/n} \le \|v\|$.
5.4.4 Duality

For more details, see [Con09].

For a fractional ideal $I$, define its dual $I^\vee := \{ a \in K : \mathrm{Tr}(aI) \subseteq \mathbb{Z} \}$. Then $\sigma(I^\vee)$ is a dual lattice (more precisely, a conjugate dual lattice) of $\sigma(I)$, because the inner product in $H$ is defined by the trace: $\langle \sigma(a), \sigma(b) \rangle = \sum_i \sigma_i(a) \overline{\sigma_i(b)} = \mathrm{Tr}(a \bar b)$.

Definition 7. For any $\mathbb{Q}$-basis $B = \{b_j\}$ of $K$, define the dual basis $B^\vee = \{b_j^\vee\}$ by $\mathrm{Tr}(b_i b_j^\vee) = \delta_{ij}$.

Note that $R^\vee \supseteq R$ from the definition of integral elements, because $\mathrm{Tr}(r) \in \mathbb{Z}$ for all $r \in R$.

Lemma 5.4.4. $I^\vee = I^{-1} R^\vee$ ($R^\vee$ is called the codifferent, $(R^\vee)^{-1}$ the different).

Proof. 1) $I^{-1} R^\vee \subseteq I^\vee$: for $a \in I^{-1}$ and $r \in R^\vee$ we have $\mathrm{Tr}(arI) \subseteq \mathrm{Tr}(rR) \subseteq \mathbb{Z}$.

2) Note that
$$N(I^\vee) = \Big| \frac{R}{I^\vee} \Big| \tag{5.39}$$
$$= \Big| \frac{I^\vee}{R} \Big|^{-1} \tag{5.40}$$
$$= \Big| \frac{I^\vee}{R^\vee} \Big|^{-1} \Big| \frac{R^\vee}{R} \Big|^{-1} \tag{5.41}$$
$$= \Big| \frac{R}{I} \Big|^{-1} \Delta_K^{-1} \tag{5.42}$$
$$= N(I)^{-1} \Delta_K^{-1}, \tag{5.43}$$
where for fractional ideals we read $|J/I| := \det \sigma(I) / \det \sigma(J)$ (the index when $I \subseteq J$), so that $|I/J| = |J/I|^{-1}$. We used $I \subseteq R \subseteq R^\vee \subseteq I^\vee$, $\det \sigma(I^\vee) = (\det \sigma(I))^{-1}$ (duality of lattices) and $\det \sigma(R) = \sqrt{\Delta_K}$, which give $|R^\vee / R| = \Delta_K$ and $|I^\vee / R^\vee| = \det \sigma(R^\vee) / \det \sigma(I^\vee) = \det \sigma(I) / \det \sigma(R) = |R / I|$. Note also that
$$N(I^{-1} R^\vee) = N(I)^{-1} N(R^\vee) = N(I)^{-1} \Delta_K^{-1} = N(I^\vee),$$
because $N(IJ) = N(I) N(J)$ holds for general fractional ideals $I, J \subseteq K$, and $N(R^\vee) = \Delta_K^{-1}$ by (5.43) with $I = R$. Hence the inclusion in 1) is an equality: $I^\vee = I^{-1} R^\vee$.
Lemma 5.4.5 computes $\mathrm{Tr}(\zeta_m^j)$: writing $d = \gcd(j, m)$ and $\tilde m = m / d$, it equals $\dfrac{\varphi(m)}{\varphi(\tilde m)} \sum_{i \in \mathbb{Z}_{\tilde m}^*} \omega_{\tilde m}^i$.

Note that reduction mod $\tilde m$ maps $\mathbb{Z}_m^*$ onto $\mathbb{Z}_{\tilde m}^*$ with all fibers of size $\varphi(m) / \varphi(\tilde m)$ when $\tilde m \mid m$ (this equals $d$ when $m = d \tilde m$ and every prime of $m$ divides $\tilde m$). Also note that
$$\sum_{i \in \mathbb{Z}_m^*} \omega_m^i = \begin{cases} -1 & \text{if } m = p, \\ 0 & \text{if } m = p^k, \ k \ge 2, \end{cases} \tag{5.48}$$
since $\sum_{i \in \mathbb{Z}_m} \omega_m^i = 0$ and the non-units $i \in p \mathbb{Z}_m$ contribute $\sum_{j \in \mathbb{Z}_{m'}} \omega_{m'}^j$, which is $1$ if $m' = 1$ and $0$ otherwise, where $m' = p^{k-1}$. The lemma follows, because $\zeta_m^j = \zeta_{\tilde m}^{j/d}$ is a primitive $\tilde m$-th root of unity, and the sum of the primitive $\tilde m$-th roots of unity is multiplicative over the prime-power factors of $\tilde m$.

Lemma 5.4.6. Let $m$ be a power of a prime $p$, $m' = m/p$, and let $g = 1 - \zeta_p \in R = \mathbb{Z}[\zeta_m]$. Then $R^\vee = \langle g/m \rangle$, $p/g \in R$, and $\langle g \rangle$ and $\langle p' \rangle$ are coprime for every prime integer $p' \neq p$.

Proof. Since $g = 1 - \zeta_m^{m'}$, we have $\zeta_m^j g = \zeta_m^j - \zeta_m^{j + m'}$, and by Lemma 5.4.5
$$\mathrm{Tr}(\zeta_m^j - \zeta_m^{j + m'}) = \begin{cases} (\varphi(p) + 1) m' \ (= m) & \text{if } j \equiv 0 \bmod m, \\ (-m') - (-m') = 0 & \text{if } j \equiv 0 \bmod m' \text{ and } j \not\equiv 0 \bmod m, \\ 0 & \text{otherwise.} \end{cases}$$
Note that in the second case, $j \in [\varphi(m)]$, i.e., $j = 0, \ldots, m'(p-1) - 1$, hence not only $j$ but also $j + m'$ satisfies $j \equiv 0 \bmod m'$ and $j \not\equiv 0 \bmod m$, so both traces equal $-m'$.

We therefore have, for $j \in [\varphi(m)]$,
$$\mathrm{Tr}(\zeta_m^j g / m) = \begin{cases} 1 & \text{for } j = 0, \\ 0 & \text{otherwise,} \end{cases} \tag{5.52}$$
so $\mathrm{Tr}((g/m) R) \subseteq \mathbb{Z}$, i.e., $\langle g/m \rangle \subseteq R^\vee$.

To show $R^\vee = \langle g/m \rangle$, we compare $N(R^\vee)$ and $N(\langle g/m \rangle)$. Let $m = p^l$, so that $\Delta_K = p^{p^{l-1}(pl - l - 1)}$.
$$N(R^\vee) = \Delta_K^{-1} \quad \text{(by (5.43) with } I = R) \tag{5.53}$$
$$= \Big( \frac{p^{1/(p-1)}}{p^l} \Big)^{p^{l-1}(p-1)} = \frac{p^{p^{l-1}}}{m^{\varphi(m)}} = \frac{p^{m/p}}{m^{\varphi(m)}}, \tag{5.54}$$
$$N(\langle m \rangle) = m^{\varphi(m)}, \tag{5.56}$$
$$N(\langle g \rangle) = N(1 - \zeta_p) = \big[ N_{\mathbb{Q}(\zeta_p)/\mathbb{Q}}(1 - \zeta_p) \big]^{m/p} \tag{5.58}$$
$$= \big[ (1 - \zeta_p)(1 - \zeta_p^2) \cdots (1 - \zeta_p^{p-1}) \big]^{m/p} \tag{5.59}$$
$$= p^{m/p}, \tag{5.60}$$
since
$$\Phi_p(x) = (x - \zeta_p) \cdots (x - \zeta_p^{p-1}) = 1 + x + \cdots + x^{p-1},$$
and letting $x = 1$ we obtain $(1 - \zeta_p)(1 - \zeta_p^2) \cdots (1 - \zeta_p^{p-1}) = p$. Hence $N(\langle g/m \rangle) = p^{m/p} / m^{\varphi(m)} = N(R^\vee)$, and together with $\langle g/m \rangle \subseteq R^\vee$ this gives
$$R^\vee = \Big\langle \frac{g}{m} \Big\rangle.$$

To prove $p/g \in R$, note that $p = \prod_{i=1}^{p-1} (1 - \zeta_p^i)$, so $p/g = \prod_{i=2}^{p-1} (1 - \zeta_p^i) \in R$.

Remark 5.4.7. For a prime $p' \neq p$, $\langle g \rangle + \langle p' \rangle = R$. On one hand,
$$\Big| \frac{R}{\langle g \rangle + \langle p' \rangle} \Big| = \Big| \frac{R}{\langle g \rangle} \Big| \cdot \Big| \frac{\langle g \rangle + \langle p' \rangle}{\langle g \rangle} \Big|^{-1}, \tag{5.65}$$
hence it is a factor of $|R / \langle g \rangle| = p^{m/p}$, i.e., a power of $p$. On the other hand,
$$\Big| \frac{R}{\langle g \rangle + \langle p' \rangle} \Big| = \Big| \frac{R}{\langle p' \rangle} \Big| \cdot \Big| \frac{\langle g \rangle + \langle p' \rangle}{\langle p' \rangle} \Big|^{-1}, \tag{5.67}$$
so it is a factor of $|R / \langle p' \rangle| = p'^{\varphi(m)}$. Being a power of both $p$ and $p'$, it equals $1$.

Definition 8. If $m = \prod_l m_l$ is a product of powers of distinct primes, define $g = \prod_p (1 - \zeta_p)$, where $p$ runs over the odd prime factors of $m$. For $R = \mathbb{Z}[\zeta_m] \cong \bigotimes_l \mathbb{Z}[\zeta_{m_l}]$, let $t = \hat m / g \in R$, where $\hat m = m/2$ if $m$ is even, and $\hat m = m$ otherwise.

Note that $\hat m / g \in R$ because $(1 - \zeta_2) = 2$, so $\hat m / g = m / \prod_p (1 - \zeta_p)$ with $p$ now running over all primes dividing $m$, and each factor $m_l / (1 - \zeta_{p_l})$ lies in $R$ by Lemma 5.4.6.

Corollary 5.4.8. $R^\vee = \langle g / \hat m \rangle = \langle t^{-1} \rangle$, and $\langle g \rangle$ is coprime with $\langle p' \rangle$ for every prime integer $p'$ except the odd primes dividing $m$.

Proof. Just note that $R \cong \bigotimes_l R_l$, where $R_l = \mathbb{Z}[\zeta_{m_l}]$, and $g = \bigotimes_l g_l$ with $g_l = 1 - \zeta_{p_l}$ (for $p_l = 2$ the factor $g_l = 2$ is absorbed into $\hat m$). Then
$$R^\vee = \bigotimes_l R_l^\vee = \bigotimes_l \frac{g_l}{m_l} R_l = \frac{g}{\hat m} \bigotimes_l R_l = \frac{g}{\hat m} R. \tag{5.69}$$
5.4.5 Prime Splitting and Chinese Remainder Theorem

Let $p$ be a prime, $p^d$ the largest power of $p$ dividing $m$, $m' = m / p^d$, and $f$ the multiplicative order of $p$ modulo $m'$. Then $\langle p \rangle = \mathfrak p_1^h \cdots \mathfrak p_g^h$ splits in $R$ into $g = n / (hf)$ distinct primes, each with ramification index $h = \varphi(p^d)$ and norm $p^f$. ($n = \varphi(m) = \varphi(p^d) \varphi(m')$, and $p^f \equiv 1 \bmod m'$, hence $f \mid \varphi(m') \ (= n/h)$. Also, $N(\langle p \rangle) = p^n$ and $N(\mathfrak p_1^h \cdots \mathfrak p_g^h) = p^{fgh} = p^n$.) In particular, if a prime $q \equiv 1 \bmod m$ (so that $q > m$), then $h = 1$ and $f = 1$; hence $\langle q \rangle$ splits completely into $n$ distinct prime ideals of norm $q$ in $R$. Notice that the field $\mathbb{Z}_q$ has a primitive $m$-th root of unity $\omega_m$, because the multiplicative group $\mathbb{Z}_q^*$ is cyclic of order $q - 1$, which is a multiple of $m$. The elements $\omega_m^i \in \mathbb{Z}_q$ for $i \in \mathbb{Z}_m^*$ are the distinct primitive $m$-th roots of unity, and the prime ideal factors of $\langle q \rangle$ are $\mathfrak q_i = \langle q \rangle + \langle \zeta_m - \omega_m^i \rangle$. Hence each quotient ring $R / \mathfrak q_i$ is isomorphic to $\mathbb{Z}_q$ via the map $\zeta_m \mapsto \omega_m^i$, which confirms $N(\mathfrak q_i) = q$, and by the Chinese remainder theorem
$$R_q = R / qR \cong \prod_{i \in \mathbb{Z}_m^*} R / \mathfrak q_i \cong \mathbb{Z}_q^n.$$
(Note that $\Phi_m(x) = \prod_{i \in \mathbb{Z}_m^*} (x - \omega_m^i)$ over $\mathbb{Z}_q$, where $\omega_m^i \in \mathbb{Z}_q$, and $\mathbb{Z}_q[x] / (x - \omega_m^i) \cong \mathbb{Z}_q$ for each $i \in \mathbb{Z}_m^*$, because $\mathbb{Z}_q + \omega_m^i \mathbb{Z}_q = \mathbb{Z}_q$.)
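As an added example (not from the lecture note), the following Python makes the splitting concrete for $m = 15$ and $q = 31 \equiv 1 \bmod 15$ (this example's choice of parameters): it computes $\Phi_m$ over $\mathbb{Z}$ from Remark 5.4.1, finds a primitive $m$-th root of unity $\omega_m \in \mathbb{Z}_q$, checks that $\Phi_m$ has the $\varphi(m)$ distinct roots $\omega_m^i$ ($i \in \mathbb{Z}_m^*$) in $\mathbb{Z}_q$, and verifies that the CRT map $R_q = \mathbb{Z}_q[x] / \Phi_m(x) \to \mathbb{Z}_q^n$ given by evaluation is multiplicative. This is also how $a_0^{-1}$ in Lemma 5.5.3 is computed in practice: invert each coordinate of $\mathrm{CRT}(a_0)$ in $\mathbb{Z}_q$, which is possible exactly when no coordinate is zero.

```python
# Added example: cyclotomic polynomials, roots of unity mod q, and the CRT map R_q -> Z_q^n.
# Not code from the note.
from math import gcd


def prime_factors(m):
    ps, p = [], 2
    while p * p <= m:
        if m % p == 0:
            ps.append(p)
            while m % p == 0:
                m //= p
        p += 1
    return ps + ([m] if m > 1 else [])


def poly_divmod(num, den):
    """Divide integer polynomials (coefficient lists, lowest degree first) by a monic den."""
    num = num[:] + [0] * max(0, len(den) - len(num))
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        quot[i] = num[i + len(den) - 1]
        for j, d in enumerate(den):
            num[i + j] -= quot[i] * d
    return quot, num[:len(den) - 1]


def cyclotomic(m, _cache={}):
    """Phi_m(x) = (x^m - 1) / prod_{d | m, d < m} Phi_d(x)   (Remark 5.4.1); memoized."""
    if m not in _cache:
        num = [-1] + [0] * (m - 1) + [1]
        for d in range(1, m):
            if m % d == 0:
                num, rem = poly_divmod(num, cyclotomic(d))
                assert not any(rem)
        _cache[m] = num
    return _cache[m]


def phi(m):
    return sum(1 for i in range(m) if gcd(i, m) == 1)


def primitive_root_of_unity(m, q):
    """omega in Z_q of exact multiplicative order m (q prime, m | q - 1)."""
    assert (q - 1) % m == 0
    for g in range(2, q):
        w = pow(g, (q - 1) // m, q)
        if all(pow(w, m // p, q) != 1 for p in prime_factors(m)):
            return w
    raise ValueError("q must be a prime with q = 1 mod m")


def crt_points(m, q):
    """(omega^i)_{i in Z_m^*}: the roots of Phi_m in Z_q, one per prime ideal q_i."""
    w = primitive_root_of_unity(m, q)
    return [pow(w, i, q) for i in range(m) if gcd(i, m) == 1]


def evaluate(poly, x, q):
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % q
    return acc


def crt(a, m, q):
    """CRT map R_q -> prod_i R/q_i = Z_q^n: a -> (a(omega^i))_{i in Z_m^*}."""
    return [evaluate(a, pt, q) for pt in crt_points(m, q)]


def ring_mul(a, b, m, q):
    """Multiplication in Z_q[x]/Phi_m(x) (power-basis coefficients of degree < phi(m))."""
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    _, rem = poly_divmod(prod, cyclotomic(m))
    return [c % q for c in rem]


def splits_completely(m, q):
    """Phi_m has phi(m) distinct roots in Z_q, i.e. <q> = prod_i q_i with R/q_i = Z_q."""
    pts = crt_points(m, q)
    return len(set(pts)) == phi(m) and all(evaluate(cyclotomic(m), pt, q) == 0 for pt in pts)


def crt_is_multiplicative(a, b, m, q):
    """CRT(a * b) == CRT(a) * CRT(b) coordinatewise."""
    lhs = crt(ring_mul(a, b, m, q), m, q)
    rhs = [(x * y) % q for x, y in zip(crt(a, m, q), crt(b, m, q))]
    return lhs == rhs
```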
5.5 Ring-LWE

The formal definition of the ring-LWE problem and the worst-case hardness result of [LPR10] are as follows.

Definition 9 (Ring-LWE Distribution). For a secret $s \in R_q^\vee$ (or $R^\vee$) and a distribution $\psi$ over $K_{\mathbb{R}} = K \otimes \mathbb{R}$, which is isomorphic to $H$ via $\sigma$, a sample from the ring-LWE distribution $A_{s,\psi}$ over $R_q \times (K_{\mathbb{R}} / qR^\vee)$ is generated by choosing $a \leftarrow R_q$ uniformly at random, choosing $e \leftarrow \psi$, and outputting $(a, b = a \cdot s + e \bmod qR^\vee)$.

Definition 10 (Ring-LWE, Average-Case Decision). The average-case decision version of the ring-LWE problem, denoted $R\text{-}DLWE_{q,\psi}$, is to distinguish with non-negligible advantage between independent samples from $A_{s,\psi}$, where $s \leftarrow R_q^\vee$ is uniformly random, and the same number of uniformly random and independent samples from $R_q \times (K_{\mathbb{R}} / qR^\vee)$.

Theorem 5.5.1. Let $K$ be the $m$-th cyclotomic number field having dimension $n = \varphi(m)$, and $R$ its ring of integers. Let $\alpha = \alpha(n) > 0$ and let $q = q(n) \ge 2$, $q \equiv 1 \bmod m$, be a $\mathrm{poly}(n)$-bounded prime such that $\alpha q \ge \omega(\sqrt{\log n})$. (Recall that $f = \omega(g)$ if $g = o(f)$.) Then there is a polynomial-time quantum reduction from $\tilde O(\sqrt{n} / \alpha)$-approximate SIVP (or SVP) on ideal lattices in $K$ to the problem of solving $R\text{-}DLWE_{q,\psi}$ given only $l$ samples, where $\psi$ is the Gaussian distribution $D_{\xi q}$ for $\xi = \alpha \cdot (nl / \log(nl))^{1/4}$.

Lemma 5.5.2 (Discretization). Let $p$ and $q$ be positive coprime integers, and $\lfloor \cdot \rceil$ a valid discretization, as defined earlier, to cosets of $pR^\vee$. Let $w \in R_p^\vee$ and $(a', b') \in R_q \times K_{\mathbb{R}} / qR^\vee$. Output $(a = p a' \bmod qR, \ b) \in R_q \times R_q^\vee$, where $b = \lfloor p b' \rceil_{w + pR^\vee} \bmod qR^\vee$. If $(a', b') \in A_{s,\psi}$, then $(a, b) \in A_{s,\chi}$, where the error distribution $\chi$ is $\lfloor p \psi \rceil_{w + pR^\vee}$. If $(a', b')$ is uniformly random, then so is $(a, b)$.

We show that the following variant of ring-LWE is as hard as the original one, closely following the technique of [ACPS09].

Lemma 5.5.3 (Normal form of $R\text{-}LWE$). Let $p$ and $q$ be positive coprime integers, $\lfloor \cdot \rceil$ a valid discretization to cosets of $pR^\vee$, and $w \in R_p^\vee$. If $R\text{-}LWE_{q,\psi}$ is hard given some number $l$ of samples, then so is the variant of $R\text{-}LWE_{q,\psi}$ in which the secret is sampled from $\chi := \lfloor p \psi \rceil_{w + pR^\vee}$, given $l - 1$ samples.
Proof. Start by drawing one sample and apply discretization to obtain the 0th sample $(a_0, b_0)$. Let us assume that the 0th sample $(a_0, b_0) \in R_q \times R_q^\vee$ is such that $a_0$ is invertible, i.e., $a_0 \in R_q^*$. From the $l - 1$ samples $(a_i, b_i) \in R_q \times K_{\mathbb R}/qR^\vee$ $(i = 1, \dots, l-1)$, output
\[ (a'_i = -a_0^{-1} a_i,\; b'_i = b_i + a'_i b_0) \in R_q \times K_{\mathbb R}/qR^\vee. \tag{5.70} \]
This is the same kind of reduction we used to obtain the normal form of standard LWE. If $(a_i, b_i)$ is uniform, so is $(a'_i, b'_i)$. If $(a_i, b_i) \in A_{s,\psi}$, then for each $i$,
\[ \frac{R}{\langle q\rangle} = \bigoplus_{\text{prime } p \mid q} \frac{R}{\langle p^{l_p}\rangle}. \]
Note that the fraction of noninvertible elements in $R/\langle p^{l_p}\rangle$ is equal to that of $R/\langle p\rangle$. Since $\langle p\rangle = \mathfrak p_1^h \cdots \mathfrak p_g^h$ in $R$, where $h = \varphi(p^d)$, $f$ the multiplicative order of $p$ modulo $m/p^d$, $p^d$ the largest power of $p$ that divides $m$, $g = n/(hf)$, $R = \mathbb Z[\zeta_m]$, $n = \varphi(m)$, and $N(\mathfrak p_i) = p^f$. Hence, the fraction of invertible elements in $R_q$ is
\[ \prod_{\text{prime } p \mid q} (1 - p^{-f_p})^{\frac{n}{f_p\,\varphi(p^{d_p})}} \ \ge\ \prod_{\text{prime } p \mid q} (1 - p^{-f_p})^{\frac{n}{\varphi(p^{d_p})}}, \tag{5.73} \]
using $\bigl(1 - \frac{1}{1+x}\bigr)^x > e^{-1}$ when $x > 0$. Note that the number of primes dividing $m$ is at most $\log_2 m$. ($\because$ Let $m = p_1^{l_1} \cdots p_k^{l_k}$, then $\log_2 m = l_1 \log_2 p_1 + \cdots + l_k \log_2 p_k \ge k$ since $l_i \ge 1$, $\log_2 p_i \ge 1$.) Hence, the above product restricted to $p$ which divides both $m$ and $q$ is greater than $\bigl(\frac1e\bigr)^{\log_2 m} = \frac{1}{\mathrm{poly}(m)}$. If the prime $p$ does not divide $m$, $d_p = 0$. Hence, in this case, we compute $\prod_{p \mid q,\, p \nmid m}(1 - p^{-f_p})^n$ because $\varphi(p^{d_p}) = 1$. Since the $p^{f_p}$ are distinct for distinct $p$ and $p^{f_p} \equiv 1$ modulo $m$, it is bounded below by
\[ \prod_{k=1}^{\log_2 q}\Bigl(1 - \frac{1}{km+1}\Bigr)^n \ \ge\ \prod_{k=1}^{\log_2 q} e^{-n/(km)} \qquad \Bigl(\because\ 1 - \frac{1}{\alpha+1} \ge e^{-1/\alpha}\Bigr) \tag{5.77} \]
\[ \ge \prod_{k=1}^{\log_2 q} e^{-1/k} \qquad (\because\ n = \varphi(m) < m) \tag{5.78} \]
\[ \ge e^{-1}\prod_{k=2}^{\log_2 q}\Bigl(1 - \frac1k\Bigr) \tag{5.79} \]
\[ = (e \log_2 q)^{-1}. \qquad \Bigl(\because\ \frac12\cdot\frac23\cdots\frac{l-1}{l} = \frac1l\Bigr) \tag{5.80} \]
Thus we have shown that the fraction of invertible elements is greater than $\frac{1}{\mathrm{poly}(n, \log q)}$.
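The proof above reduces the question "how often is $a_0$ invertible?" to the factorisation of $\langle q\rangle$ in $R$. The following script is an added illustration (our code, not part of the lecture note): for a small conductor $m$ and a small prime $q$ it counts the units of $R_q = \mathbb Z_q[x]/(\Phi_m(x))$ by brute force and compares the fraction with $(1 - p^{-f})^g$, the factor for the prime $p = q$ in the product above, with $p^d$ the largest power of $p$ dividing $m$, $f$ the order of $p$ modulo $m/p^d$, $h = \varphi(p^d)$ and $g = n/(hf)$. Restricting to prime $q$ is our simplification; for composite $q$ the factors for each prime divisor are multiplied.

```python
from fractions import Fraction
from itertools import product
from math import gcd

# Added example (not from the lecture note): count the invertible elements of
# R_q = Z_q[x]/(Phi_m(x)) by brute force for small m and prime q, and compare the
# fraction with (1 - p^{-f})^g from the proof above, where p = q, p^d is the
# largest power of p dividing m, f is the order of p modulo m/p^d, h = phi(p^d)
# and g = n/(h f).  For composite q one would multiply the factors of each prime.

def poly_div_exact(num, den):
    """Quotient of integer polynomials num/den (den monic, division exact); low-to-high coefficients."""
    num = num[:]
    quo = [0] * (len(num) - len(den) + 1)
    for i in range(len(quo) - 1, -1, -1):
        quo[i] = num[i + len(den) - 1]
        for j, c in enumerate(den):
            num[i + j] -= quo[i] * c
    assert all(c == 0 for c in num), "division was not exact"
    return quo

def cyclotomic_poly(m):
    """Phi_m over Z, computed from x^m - 1 = prod_{d | m} Phi_d."""
    poly = [-1] + [0] * (m - 1) + [1]
    for d in range(1, m):
        if m % d == 0:
            poly = poly_div_exact(poly, cyclotomic_poly(d))
    return poly

def trim(p):
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mod(a, b, q):
    """a mod b over F_q (coefficients low to high, b != 0)."""
    a = trim([c % q for c in a])
    b = trim([c % q for c in b])
    inv_lead = pow(b[-1], -1, q)
    while len(a) >= len(b):
        coef = (a[-1] * inv_lead) % q
        shift = len(a) - len(b)
        for j, c in enumerate(b):
            a[shift + j] = (a[shift + j] - coef * c) % q
        trim(a)
    return a

def is_unit(a, phi, q):
    """a is invertible in F_q[x]/(phi) iff gcd(a, phi) over F_q is a nonzero constant."""
    r0, r1 = [c % q for c in phi], trim([c % q for c in a])
    while r1:
        r0, r1 = r1, poly_mod(r0, r1, q)
    return len(trim(r0)) == 1

def unit_fraction_bruteforce(m, q):
    phi = cyclotomic_poly(m)
    n = len(phi) - 1
    units = sum(is_unit(list(a), phi, q) for a in product(range(q), repeat=n))
    return Fraction(units, q ** n)

def euler_phi(k):
    return sum(1 for i in range(1, k + 1) if gcd(i, k) == 1)

def mult_order(p, modulus):
    """Multiplicative order of p modulo modulus (order 1 when modulus == 1)."""
    k, x = 1, p % modulus
    while x != 1 % modulus:
        x, k = (x * p) % modulus, k + 1
    return k

def unit_fraction_formula(m, p):
    """(1 - p^{-f})^g with d, f, h, g as in the proof of Lemma 5.5.3."""
    n, d = euler_phi(m), 0
    while m % p ** (d + 1) == 0:
        d += 1
    f = mult_order(p, m // p ** d)
    g = n // (euler_phi(p ** d) * f)
    return (1 - Fraction(1, p ** f)) ** g

if __name__ == "__main__":
    for m, q in [(3, 2), (3, 7), (5, 2), (8, 3), (9, 3), (12, 5)]:
        print(m, q, unit_fraction_bruteforce(m, q), unit_fraction_formula(m, q))
```

The case $(m, q) = (9, 3)$ exercises the ramified branch ($d = 2$, $h = 6$, $g = 1$): $\Phi_9 \equiv (x-1)^6 \bmod 3$, so exactly the elements with $a(1) \ne 0$, a fraction $2/3$, are units. The case $(8, 3)$ is unramified with $f = 2$, $g = 2$ and fraction $(8/9)^2$.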
Chapter 6
• $m$: prime power.
Remark 6.0.5. DFT is unitary up to scaling by $\sqrt n$, while CRT is not unitary even up to scaling.
where $T_m$ is a "diagonal" matrix having $\omega_m^{i_0 i_1}$ in the $((i_0, i_1), (i_0, i_1))$th diagonal entry. Note that diagonal in this new setting is not diagonal in the standard convention. But $T_m$ is at least unitary. Also, the matrix multiplication is defined with respect to the new column-row index system, i.e.,
\[ (AB)^{(j_0,j_1)}_{(i_0,i_1)} = \sum_{\beta=0}^{m'-1}\sum_{\alpha=0}^{p-1} A^{(\alpha,\beta)}_{(i_0,i_1)}\, B^{(j_0,j_1)}_{(\alpha,\beta)}. \]
Proof. Let $I_{[p]} \otimes DFT_{m'} = A$, $T_m = B$, and $DFT_p \otimes I_{[m']} = C$. Then it suffices to show that
\[ (DFT_m)^{(j_0,j_1)}_{(i_0,i_1)} = A^{(i_0,j_1)}_{(i_0,i_1)}\, B^{(i_0,j_1)}_{(i_0,j_1)}\, C^{(j_0,j_1)}_{(i_0,j_1)} \tag{6.3} \]
because of the definitions of $A$, $B$, $C$. Just note that
\[ \omega_{m'}^{i_1 j_1}\,\omega_m^{i_0 j_1}\,\omega_p^{i_0 j_0} = \omega_m^{m' i_0 j_0 + i_0 j_1 + p i_1 j_1} = \omega_m^{(p i_1 + i_0)(m' j_0 + j_1)}. \tag{6.4} \]
Similarly, we have
$CRT_m$ is the submatrix of $DFT_m$ restricted to the rows $\mathbb Z_p^* \times [m']$ and the columns $[\varphi(p)] \times [m']$, because $\mathbb Z_m^* \cong \mathbb Z_p^* \times [m']$ and $\varphi(m) = \varphi(p) \cdot m'$.
• $\mathbb Z_p^* \times [m'] \leftrightarrow i = p i_1 + i_0 \in \mathbb Z_m^*$ since $i_0 = 1, \cdots, p-1$, and $i \in \mathbb Z_m^*$ if and only if $i$ is not a multiple of $p$.
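The index bookkeeping of (6.3)-(6.4) is easy to get wrong, so here is an added numerical check (our code, not from the lecture note): it builds $DFT_m$ with rows reindexed by $(i_0, i_1) \mapsto$ position $i_0 m' + i_1$ (the row for $i = p i_1 + i_0$) and columns in the natural order $j = m' j_0 + j_1$, and compares it entrywise with $(I_{[p]} \otimes DFT_{m'})\,T_m\,(DFT_p \otimes I_{[m']})$ using ordinary Kronecker products, which realise the "new" index system. It also checks Remark 6.0.5: $DFT_m^* DFT_m = mI$, while $CRT_m^* CRT_m$ is not a multiple of $I$ (for prime $m = p$ it equals $pI - \mathbf 1\mathbf 1^T$). Pure Python complex arithmetic is used so that the script runs without extra packages.

```python
import cmath
from math import gcd

# Added example (not from the lecture note): numerical check of the factorisation
# DFT_m = (I_p ⊗ DFT_{m'}) · T_m · (DFT_p ⊗ I_{m'}) for m = p·m' in the mixed index
# convention of the text, plus the (non-)unitarity statements of Remark 6.0.5.

def omega(k, e):
    return cmath.exp(2j * cmath.pi * e / k)

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def conj_transpose(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]

def kron(A, B):
    ra, ca, rb, cb = len(A), len(A[0]), len(B), len(B[0])
    return [[A[i // rb][j // cb] * B[i % rb][j % cb] for j in range(ca * cb)]
            for i in range(ra * rb)]

def identity(k):
    return [[1.0 if i == j else 0.0 for j in range(k)] for i in range(k)]

def dft(k):
    return [[omega(k, i * j) for j in range(k)] for i in range(k)]

def crt(m):
    """CRT_m = (ω_m^{ij}) with rows i ∈ Z_m^* and columns j ∈ [φ(m)]."""
    rows = [i for i in range(1, m) if gcd(i, m) == 1]
    return [[omega(m, i * j) for j in range(len(rows))] for i in rows]

def twiddle(p, mp):
    """T_m: 'diagonal' in the (i0, i1) indexing, entry ω_m^{i0·i1} at position i0·m' + i1."""
    m = p * mp
    T = [[0.0] * m for _ in range(m)]
    for i0 in range(p):
        for i1 in range(mp):
            T[i0 * mp + i1][i0 * mp + i1] = omega(m, i0 * i1)
    return T

def dft_mixed_index(p, mp):
    """DFT_m with row position i0·m' + i1 holding the row i = p·i1 + i0; columns j natural."""
    m = p * mp
    M = [[0.0] * m for _ in range(m)]
    for i0 in range(p):
        for i1 in range(mp):
            i = p * i1 + i0
            for j in range(m):
                M[i0 * mp + i1][j] = omega(m, i * j)
    return M

def factorisation_error(p, mp):
    """max |DFT_m − A·B·C| over all entries; should be ~1e-15."""
    A = kron(identity(p), dft(mp))
    B = twiddle(p, mp)
    C = kron(dft(p), identity(mp))
    lhs, rhs, m = dft_mixed_index(p, mp), matmul(matmul(A, B), C), p * mp
    return max(abs(lhs[i][j] - rhs[i][j]) for i in range(m) for j in range(m))

def dft_scaled_unitary_error(m):
    """max |DFT_m^* DFT_m − m·I|."""
    G = matmul(conj_transpose(dft(m)), dft(m))
    return max(abs(G[i][j] - (m if i == j else 0)) for i in range(m) for j in range(m))

def crt_gram_offdiag(m):
    """Largest off-diagonal entry of CRT_m^* CRT_m; nonzero, so CRT_m is not unitary up to scaling."""
    C = crt(m)
    G = matmul(conj_transpose(C), C)
    n = len(G)
    return max(abs(G[i][j]) for i in range(n) for j in range(n) if i != j)

def gram_crt_prime_error(p):
    """max deviation of CRT_p^* CRT_p from p·I − 1·1^T (used later in (7.15))."""
    C = crt(p)
    G = matmul(conj_transpose(C), C)
    n = p - 1
    return max(abs(G[i][j] - ((p if i == j else 0) - 1)) for i in range(n) for j in range(n))
```

The twiddle matrix carries the cross term $\omega_m^{i_0 j_1}$ of (6.4); dropping it (replace `twiddle` by the identity) makes `factorisation_error` jump to order 1, which is a quick way to see why $T_m$ is needed.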
Chapter 7
Powerful basis
Remark 7.1.1. Note that for $p(j_l) = \bigotimes_l \zeta_{m_l}^{j_l}$, we have, from $\zeta_{m_l} = \zeta_m^{m/m_l}$,
\[ p(j_l) \leftrightarrow \prod_l \zeta_m^{(m/m_l)\, j_l}. \tag{7.1} \]
For example, when $m = 15$, $\zeta = \zeta_{15}$, for $(j_1, j_2) \in [\varphi(3)] \times [\varphi(5)] \leftrightarrow \zeta_{15}^{5 j_1 + 3 j_2}$, $[\varphi(3)] = \{0, 1\}$, $[\varphi(5)] = \{0, 1, 2, 3\}$, the powerful basis consists of
which is nothing but $CRT_m$, i.e., $\sigma(\vec p^T) = CRT_m$ when $m$ is a prime power.
Claim: $\|p_j\|_\infty = 1$ and $\|p_j\|_2 = \sqrt{\varphi(m)} = \sqrt n$ for all $p_j$.
If $m = p^k$,
\[ \vec p^T = \bigl(1, \zeta_m, \zeta_m^2, \cdots, \zeta_m^{p^{k-1}(p-1)-1}\bigr), \tag{7.5} \]
and $\sigma(\vec p^T)$ is a $\mathbb Z_m^* \times [\varphi(m)]$ matrix such that
\[ \sigma(\vec p^T) = \begin{pmatrix} 1 & \omega_m & \omega_m^2 & \cdots \\ 1 & \omega_m^{i} & \omega_m^{2i} & \cdots \\ \vdots & \vdots & \vdots & \end{pmatrix}_{i \in \mathbb Z_m^*} = CRT_m, \tag{7.6} \]
because $\sigma_i(\zeta_m) = \omega_m^i$, where $i \in \mathbb Z_m^*$.
Remark 7.1.2. $\sigma(\vec p^T)$ is not unitary even up to scaling because the $\sigma(p_j)$s are not orthogonal to each other, which is the same as saying that $CRT_m$ is not unitary. Remember that $DFT_m$ is unitary up to scaling.
Lemma 7.1.3. The largest singular value of $\sigma(\vec p^T)$ is $s_1(\vec p) = \sqrt{\hat m}$ and the smallest singular value is $s_n(\vec p) = \sqrt{m/\mathrm{rad}(m)}$.
Remark 7.1.4. $\hat m = m/2$ if $m$ is even, otherwise $\hat m = m$. Note that the ratio of $s_1(\vec p)$ to $\sqrt{\varphi(m)}$ is just $\sqrt{\hat m/\varphi(m)} = \bigl(\prod_p \frac{p}{p-1}\bigr)^{1/2} = O(\sqrt{\log\log m})$, where the product runs over the primes $p \mid m$, since
\[ \prod_{\substack{p \mid m \\ \text{prime}}} \frac{p}{p-1} \approx 1 + \sum_{\substack{p \mid m \\ \text{prime}}} \frac1p \le 1 + \sum_{n=1}^{\log_2 m} \frac1n \approx 1 + \int_1^{\log_2 m} \frac{dx}{x} \approx \log(\log m), \tag{7.7} \]
and that $(\det R)^{1/n} = \Delta_K^{\frac{1}{2\varphi(m)}} \le \sqrt{\varphi(m)}$. Hence, $\vec p$ is a relatively good basis, since $\frac{s_1(\vec p)}{\|p_j\|}$ is $O(\sqrt{\log\log m})$.
because the columns of $DFT_p$ are orthogonal to each other and have length $\sqrt p$. Also note that
\[ A = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ & & 0 & \end{pmatrix} + \begin{pmatrix} 0 & 0 & \cdots & 0 \\ & & CRT_p & \end{pmatrix}. \tag{7.11} \]
Then
\[ p I_{[\varphi(p)]} = A^* A = CRT_p^* CRT_p + \mathbf 1 \cdot \mathbf 1^T. \tag{7.12} \]
\[ CRT_m = Q_m\bigl(\sqrt{m'}\, D_p \otimes I_{[m']}\bigr)\bigl(U_p \otimes I_{[m']}\bigr), \tag{7.13} \]
where $Q_m$ is unitary, $D_p$ is a real diagonal $[\varphi(p)]$-by-$[\varphi(p)]$ matrix with $\sqrt{(p-1) - j/(p-j)}$ in its $j$-th diagonal entry, and $U_p$ is an upper unitriangular $[\varphi(p)]$-by-$[\varphi(p)]$ matrix with $-1/(p-i-1)$ in its $(i,j)$th entry, $0 \le i < j < \varphi(p)$.
for some unitary $Q'$. Thus, it suffices to show that $CRT_p = Q_p D_p U_p$ for some unitary $Q_p$. We compute
\[ G = CRT_p^* CRT_p = p I_{[\varphi(p)]} - \mathbf 1 \cdot \mathbf 1^T. \tag{7.15} \]
$G$ has diagonal entries $p-1$, and $-1$ elsewhere. From the uniqueness of the Cholesky decomposition of $G$, it suffices to show that $G = U_p^T D_p^2 U_p$, where
\[ D_p = \begin{pmatrix} \ddots & & 0 \\ & \sqrt{p - 1 - j/(p-j)} & \\ 0 & & \ddots \end{pmatrix}, \tag{7.16} \]
\[ U_p = \begin{pmatrix} 1 & -\frac{1}{p-1} & -\frac{1}{p-1} & \cdots & -\frac{1}{p-1} \\ 0 & 1 & -\frac{1}{p-2} & \cdots & -\frac{1}{p-2} \\ 0 & 0 & 1 & & \\ & & & \ddots & \end{pmatrix}. \tag{7.17} \]
Let us compute the $i$th ($i \in [\varphi(p)]$) diagonal entry in $U_p^T D_p^2 U_p$, which is
\[ \sum_j (U_p)_{ji}\,(D_p^2)_{jj}\,(U_p)_{ji} \tag{7.18} \]
\[ = \sum_j (U_p)_{ji}^2\,(D_p^2)_{jj}, \tag{7.19} \]
and because of the triangularity of $U_p$, we obtain
\[ = p - 1 - \frac{i}{p-i} + \sum_{k=0}^{i-1} \frac{1}{(p-k-1)^2}\Bigl(p - 1 - \frac{k}{p-k}\Bigr) \tag{7.20} \]
\[ = p - 1 - \frac{i}{p-i} + p\sum_{k=0}^{i-1} \frac{1}{(p-k)(p-k-1)} \tag{7.21} \]
\[ = p - 1 - \frac{i}{p-i} + p\,\bigl(T(p) - T(p-i)\bigr) \tag{7.22} \]
where $T(k) := \frac{1}{1\cdot 2} + \frac{1}{2\cdot 3} + \cdots + \frac{1}{(k-1)k} = 1 - \frac1k$,
\[ = p - 1 - \frac{i}{p-i} + p\Bigl(1 - \frac1p - \Bigl(1 - \frac{1}{p-i}\Bigr)\Bigr) \tag{7.23} \]
\[ = p - 1. \tag{7.24} \]
Computation of the off-diagonal entries is more complicated, but can be done in essentially the same way.
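The off-diagonal computation is left to the reader above; the following added check (our code, not the lecture note's) does the whole identity $G = U_p^T D_p^2 U_p$ in exact rational arithmetic for several primes, taking $D_p^2$ and $U_p$ literally from (7.16)-(7.17) and $G = pI - \mathbf 1\mathbf 1^T$ from (7.15). It also verifies the two consequences that matter for Lemma 7.1.3 in the case $m = p$: $\det G = \prod_j (D_p^2)_{jj} = p^{p-2}$, and the eigenvalues $1$ (eigenvector $\mathbf 1$) and $p$ (eigenvector $e_0 - e_1$), i.e. $s_n(\vec p) = 1 = \sqrt{m/\mathrm{rad}(m)}$ and $s_1(\vec p) = \sqrt p = \sqrt{\hat m}$.

```python
from fractions import Fraction

# Added example (not from the lecture note): exact verification of
#   G = CRT_p^* CRT_p = p·I − 1·1^T = U_p^T D_p^2 U_p      (7.15)-(7.17)
# with (D_p^2)_{jj} = p − 1 − j/(p − j) and (U_p)_{ij} = −1/(p − i − 1) for i < j.

def gram_matrix(p):
    n = p - 1
    return [[Fraction(p if i == j else 0) - 1 for j in range(n)] for i in range(n)]

def d_squared(p):
    """Diagonal of D_p^2 from (7.16)."""
    return [Fraction(p - 1) - Fraction(j, p - j) for j in range(p - 1)]

def u_matrix(p):
    """Upper unitriangular U_p from (7.17)."""
    n = p - 1
    return [[Fraction(1) if i == j else (Fraction(-1, p - i - 1) if i < j else Fraction(0))
             for j in range(n)] for i in range(n)]

def utdu(p):
    """U_p^T · diag(D_p^2) · U_p, computed exactly."""
    n, U, D2 = p - 1, u_matrix(p), d_squared(p)
    return [[sum(U[k][i] * D2[k] * U[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def cholesky_check(p):
    """True iff the factorisation (7.16)-(7.17) reproduces G exactly."""
    return utdu(p) == gram_matrix(p)

def det_check(p):
    """det G = prod_j (D_p^2)_{jj} telescopes to p^{p−2}."""
    prod = Fraction(1)
    for x in d_squared(p):
        prod *= x
    return prod == p ** (p - 2)

def eigen_check(p):
    """G·1 = 1 and G(e_0 − e_1) = p(e_0 − e_1): singular values 1 and sqrt(p) for m = p."""
    G, n = gram_matrix(p), p - 1
    ones = [Fraction(1)] * n
    diff = [Fraction(1), Fraction(-1)] + [Fraction(0)] * (n - 2)
    mv = lambda v: [sum(G[i][j] * v[j] for j in range(n)) for i in range(n)]
    return mv(ones) == ones and mv(diff) == [p * x for x in diff]

if __name__ == "__main__":
    for p in (3, 5, 7, 11, 13):
        print(p, cholesky_check(p), det_check(p), eigen_check(p))
```

Because every entry is a `Fraction`, equality is exact; a floating-point Cholesky routine would only show agreement to rounding error and would not distinguish the formula for $(D_p^2)_{jj}$ from a nearby wrong one.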
Chapter 8
• Note that $\sigma(\vec p^T) = CRT_m$, hence if $a = \langle \vec p, \mathbf a\rangle$, then $\sigma(a) = CRT_m\,\mathbf a$.
• Now assume that $q$ is a prime integer $\equiv 1 \bmod m$. In this case,
\[ \frac{R}{\langle q\rangle} = \bigoplus_{i \in \mathbb Z_m^*} \frac{R}{\mathfrak q_i}, \]
where $\mathfrak q_i = \langle q\rangle + \langle \zeta_m - \omega_m^i\rangle$ and $\omega_m$ is some fixed element of order $m$ in $\mathbb Z_q$.
For any power $I = (R^\vee)^k$ of $R^\vee = \langle t^{-1}\rangle$, we define $t^{-k}\vec c$ as the CRT $\mathbb Z_q$-basis of $I_q$.
Note that the ring operation can be done componentwise if the elements are represented in the CRT basis, i.e., if $a = \langle \vec c, \mathbf a\rangle$ and $b = \langle \vec c, \mathbf b\rangle \in R_q$, then the coefficient vector of $a \cdot b$ with respect to the CRT basis is the componentwise multiplication $\mathbf a \odot \mathbf b$ over $\mathbb Z_q$ by the defining property of $\vec c$. When $m$ is a prime power, the CRT basis $\vec c$ and the powerful basis $\vec p = (\zeta_m^j)_{j \in [\varphi(m)]}$ are related by
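The relation between the two bases is concrete enough to execute. The following added example (our code, not the lecture note's) takes $m = 8$, $q = 17 \equiv 1 \bmod 8$ and $\omega_8 = 2 \in \mathbb Z_{17}$, which are our constructed parameters: $CRT_m \bmod q$ maps powerful-basis coefficients to CRT-basis coefficients (evaluation at $\omega_m^i$, $i \in \mathbb Z_m^*$), polynomial multiplication modulo $\Phi_8(x) = x^4 + 1$ becomes $\mathbf a \odot \mathbf b$, and solving $CRT_m\,\mathbf a = \mathbf v$ over $\mathbb Z_q$ recovers the powerful-basis coefficients of each CRT basis element $c_i$, which are then checked to be orthogonal idempotents ($c_i^2 = c_i$, $c_i c_j = 0$). The code is written for any prime power $m = p^k$ and prime $q \equiv 1 \bmod m$.

```python
from math import gcd

# Added example (not from the lecture note): the CRT basis of R_q for a prime power
# m and a prime q ≡ 1 (mod m).  Elements are coefficient vectors w.r.t. the powerful
# basis (1, ζ_m, ..., ζ_m^{n-1}); CRT_m mod q sends them to the CRT representation.

def cyclotomic_prime_power(p, k):
    """Φ_{p^k}(x) = Σ_{i<p} x^{i·p^{k−1}}, coefficients low to high."""
    mp = p ** (k - 1)
    phi = [0] * ((p - 1) * mp + 1)
    for i in range(p):
        phi[i * mp] = 1
    return phi

def prime_factors(k):
    fs, d = set(), 2
    while d * d <= k:
        while k % d == 0:
            fs.add(d)
            k //= d
        d += 1
    if k > 1:
        fs.add(k)
    return fs

def root_of_unity(m, q):
    """An element of multiplicative order exactly m in Z_q (requires q ≡ 1 mod m)."""
    for w in range(2, q):
        if pow(w, m, q) == 1 and all(pow(w, m // r, q) != 1 for r in prime_factors(m)):
            return w
    raise ValueError("no element of order m in Z_q")

class CrtRing:
    def __init__(self, p, k, q):
        self.m, self.q = p ** k, q
        self.phi = cyclotomic_prime_power(p, k)
        self.n = len(self.phi) - 1
        w = root_of_unity(self.m, q)
        self.units = [i for i in range(1, self.m) if gcd(i, self.m) == 1]     # Z_m^*
        self.crt = [[pow(w, i * j, q) for j in range(self.n)] for i in self.units]

    def mul(self, a, b):
        """Product in Z_q[x]/(Φ_m): powerful-basis coefficients (schoolbook, then reduce)."""
        q, n = self.q, self.n
        c = [0] * (2 * n - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                c[i + j] = (c[i + j] + ai * bj) % q
        for d in range(len(c) - 1, n - 1, -1):           # x^d = x^{d−n}·x^n, Φ_m monic
            coef = c[d]
            if coef:
                for t, pc in enumerate(self.phi):
                    c[d - n + t] = (c[d - n + t] - coef * pc) % q
        return c[:n]

    def to_crt(self, a):
        """CRT_m · a mod q: the values a(ω^i), i ∈ Z_m^*."""
        return [sum(r[j] * a[j] for j in range(self.n)) % self.q for r in self.crt]

    def from_crt(self, v):
        """Solve CRT_m · a = v over Z_q (Gauss–Jordan; CRT_m is invertible mod q)."""
        q, n = self.q, self.n
        M = [row[:] + [v[i]] for i, row in enumerate(self.crt)]
        for col in range(n):
            piv = next(r for r in range(col, n) if M[r][col])
            M[col], M[piv] = M[piv], M[col]
            inv = pow(M[col][col], -1, q)
            M[col] = [(x * inv) % q for x in M[col]]
            for r in range(n):
                if r != col and M[r][col]:
                    f = M[r][col]
                    M[r] = [(x - f * y) % q for x, y in zip(M[r], M[col])]
        return [M[i][n] for i in range(n)]

    def crt_basis_element(self, i):
        """Powerful-basis coefficients of c_i (CRT coordinates = i-th unit vector)."""
        return self.from_crt([1 if t == i else 0 for t in range(self.n)])

    def componentwise_holds(self, a, b):
        lhs = self.to_crt(self.mul(a, b))
        rhs = [(x * y) % self.q for x, y in zip(self.to_crt(a), self.to_crt(b))]
        return lhs == rhs
```

For a ring-LWE implementation this is the whole point of the CRT basis: key and ciphertext arithmetic stays in CRT coordinates where multiplication costs $n$ scalar products, and `from_crt` is only needed when a coefficient representation (for decoding or for sampling errors in the decoding basis) is required.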
Chapter 9
Decoding Basis of R∨
Let $\tau$ be the automorphism of $R$ that maps $\zeta_m$ to $\zeta_m^{-1} = \zeta_m^{m-1}$. $\tau$ is called the conjugation map since $\sigma(\tau(a)) = \overline{\sigma(a)}$. For example, if $\zeta_m \mapsto e^{2\pi i/m}$, then $\zeta_m^{-1} \mapsto e^{-2\pi i/m} = \overline{e^{2\pi i/m}}$. Note that $\tau(\vec p)$ is also a $\mathbb Z$-basis of $R$.
Definition 12. The decoding basis of $R^\vee$ is $\vec d = \tau(\vec p)^\vee$, the dual of the conjugate of the powerful basis $\vec p$.
because $\sigma(p_j)$ is the $j$th column of $CRT_m$. Since $\vec d$ is the dual of $\tau(\vec p)$, which embeds as $\sigma(\tau(\vec p)) = \overline{CRT_m}$, we have $\sigma(\vec d^T) = (CRT_m^*)^{-1}$.
\[ (\det R^\vee)^{1/n} = \Delta_K^{-\frac{1}{2n}} \approx \frac{1}{\sqrt n}, \]
which may be thought of as the average length of a good basis. The decoding basis is still a good choice for discretizing a continuous ring-LWE error, because the input error distribution needs to have Gaussian parameter of at least $\omega(\sqrt{\log n})\ (\gg 1)$ for provable worst-case hardness. If $\vec d$ were defined as the dual of the power basis $\{1, \zeta_m, \cdots, \zeta_m^{\varphi(m)-1}\}$, then the spectral norm of $\vec d$ could be much larger: e.g., for $m = 1155 = 3 \cdot 5 \cdot 7 \cdot 11$, $s_1(\vec d) \approx 22.6$.
Lemma 9.1.1. Let $m$ be a power of a prime $p$, and let $m' = m/p$, so that $\varphi(m) = \varphi(p)\,m'$. Then
\[ \vec d^T = t^{-1}\,\vec p^T\,(L_p \otimes I_{[m']}), \tag{9.2} \]
where $L_p \in \mathbb Z^{[\varphi(p)] \times [\varphi(p)]}$ is the lower triangular matrix with 1s throughout its lower-left triangle, i.e., its $(i, j)$ entry is 1 for $i \ge j$, and 0 otherwise.
Proof. First reindex the conjugate power basis using the index set $[\varphi(p)] \times [m']$, as
i.e., the trace of the product of the right hand side with $\tau(p_{(j_0', j_1')})$ is 1 if and only if $(j_0', j_1') = (j_0, j_1)$. We compute the trace of
\[ \frac1m\bigl(\zeta_p^{j_0 - j_0'} - \zeta_p^{p-1-j_0'}\bigr)\,\zeta_m^{j_1 - j_1'}. \tag{9.5} \]
From an earlier computation of $\mathrm{Tr}(\zeta_m^j)$, the trace of this is 0 if $j_1 \ne j_1'$ (because $j_1 - j_1' \ne 0 \bmod m'$), and 0 if $j_0 \ne j_0'$ (because $j_0 - j_0',\ p-1-j_0' \ne 0 \bmod p$. Note that $j_0, j_0' = 0, 1, \cdots, p-2$.), and otherwise it is $\frac1m\bigl(\varphi(p)m' - (-m')\bigr) = \frac1m(\varphi(p)+1)m' = 1$.
Decoding $I_q$ to $I$, where $I = (R^\vee)^k$ for some $k \ge 1$
For an input $\bar a \in I_q$, write $\bar a = \langle \hat m^{1-k}\vec d, \bar{\mathbf a}\rangle \bmod qJ$ for some $\bar{\mathbf a}$ over $\mathbb Z_q$, where $J = \hat m^{1-k}R^\vee \supset I$. Define $\llbracket \bar a\rrbracket := \langle \hat m^{1-k}\vec d, \llbracket \bar{\mathbf a}\rrbracket\rangle$ if this is in $I$; otherwise the decoding fails.
Note if $a \in I$, $a = \langle \hat m^{1-k}\vec d, \mathbf a\rangle$, and $a_j \in [-q/2, q/2)$, where $a_j$ is the $j$th component of $\mathbf a$, then the decoding succeeds. Hence, if every $a_j$ is $\delta$-subgaussian with parameter $s$, then by lemma 5.2.1, $\llbracket a \bmod qI\rrbracket = a$ except with probability at most $2n\exp\bigl(\delta - \pi q^2/(2s)^2\bigr)$.
Writing $a = \langle \hat m^{1-k}\vec d, \mathbf a\rangle$ for $a \in I$ with integral vector $\mathbf a$, we have $|a_j| \le \hat m^{k-1}\sqrt n\,\|a\|_2$, because $|a_j| = |\mathrm{Tr}(a\,\hat m^{k-1}\tau(p_j))| \le \|a\|_2\,\hat m^{k-1}\sqrt n$ by the Schwarz inequality.
If $a$ is $\delta$-subgaussian with parameter $s$ and $b \in (R^\vee)^l$ for some $l \ge 0$, we write $ab = \langle \hat m^{1-k-l}\vec d, \mathbf c\rangle$ for some integral vector $\mathbf c$. Then
\[ \hat m^{k+l-1}\|\tau(p_j)\,b\|_2\, s \le \hat m^{k+l-1}\|\tau(p_j)\|_\infty\|b\|_2\, s = \hat m^{k+l-1}\|b\|_2\, s. \tag{9.10} \]
We claim that this $\bar{\mathbf a}$ is the coefficient of $g^{k-1}\bar a$ with respect to the basis $t^{1-k}\vec b \bmod qI$, because $\langle t^{1-k}\vec b, \bar{\mathbf a}\rangle = g^{k-1}\langle \hat m^{1-k}\vec b, \bar{\mathbf a}\rangle = g^{k-1}\bar a$.
For step 2, rewrite the output of step 1 with respect to the basis $\hat m^{1-k}\vec d$ so that $\bar a' = \langle \hat m^{1-k}\vec d, \bar{\mathbf a}'\rangle$. Then output $\llbracket \bar{\mathbf a}'\rrbracket$ over $\mathbb Z$ and let $a' = \langle \hat m^{1-k}\vec d, \llbracket \bar{\mathbf a}'\rrbracket\rangle \in J$. If it is in $I$, we succeed. If not, we fail. (Remark: In general, it is easy to decide membership in a given lattice.)
For step 3, we convert the representation of $a'$ in the $\mathbb Z$-basis $\hat m^{1-k}\vec d$ of $J$ to a representation in a $\mathbb Z$-basis of $I$, namely $t^{1-k}\vec d$. Assuming step 2 succeeds, i.e., $a' \in I$, we want to find an integer vector $\mathbf a$ such that $a' = \langle t^{1-k}\vec d, \mathbf a\rangle$. For the same $\mathbf a$,
\[ \langle \hat m^{1-k}\vec d, \mathbf a\rangle = g^{1-k}\langle t^{1-k}\vec d, \mathbf a\rangle = g^{1-k}a', \]
Note that the multiplication by $g$ and the division by $g$ can be computed efficiently.
For example when $m = p$,
\[ CRT_m^* = \Bigl(\bigotimes_l CRT_{p_l}^* \otimes I_{[m'_l]}\Bigr)\sqrt{m/\mathrm{rad}(m)}\ \bigotimes_l Q_l. \tag{9.16} \]
Since a spherical Gaussian distribution over $H \subset \mathbb C^{\mathbb Z_m^*}$ is changed into a spherical Gaussian over $H' = QH \subset \mathbb C^{\mathbb Z_m^*}$ under the unitary transform $Q$, it suffices to generate a Gaussian of parameter $s\sqrt{m/\mathrm{rad}(m)}$ over $H'$ and then left multiply the result by
\[ C^* := \bigotimes_l CRT_{p_l}^* \otimes I_{[m'_l]} = CRT_{\mathrm{rad}(m)}^* \otimes I_{[m/\mathrm{rad}(m)]}. \tag{9.17} \]
Since $CRT_m^*$ sends the elements in $H$ to the real vector space of coefficient vectors with respect to the decoding basis $\vec d$, $H' \subset \mathbb C^{\mathbb Z_m^*}$ can be characterized as follows
\[ H' = \{x \in \mathbb C^{\mathbb Z_m^*} : C^* x \in \mathbb R^{[\varphi(m)]}\}. \tag{9.18} \]
For the Gaussian sampling, we have to find a unitary matrix $B'$ made up of the elements of $H'$ such that $C^* B'$ is real. Such $B'$ is given in the form $\bigotimes_l B'_{p_l} \otimes I_{[m_l]}$, since $C^* = \bigotimes_l CRT_{p_l}^* \otimes I_{[m_l]}$. We show that
\[ B'_{p_l} = \frac{1}{\sqrt 2}\begin{pmatrix} I & \sqrt{-1}\,J \\ J & -\sqrt{-1}\,I \end{pmatrix} \tag{9.19} \]
is one. We check that
\[ B = \frac{1}{\sqrt 2}\begin{pmatrix} I & \sqrt{-1}\,J \\ J & -\sqrt{-1}\,I \end{pmatrix} \in \mathbb C^{\mathbb Z_m^* \times [\varphi(m)]}. \tag{9.24} \]
Even though the $B'_{p_l}$ part looks the same, $B'$ is a basis of $H'$, not $H$.
Remark 9.3.1. The final vector of the decoding basis coefficients is $C^* B' \mathbf c$ for a real Gaussian $\mathbf c$.
Chapter 10
Regularity
\[ \rho_{1/r}(\Lambda) = (\det\Lambda)^{-1} r^{-n}\rho_r(\Lambda^\vee) \quad\text{(by the Poisson summation formula)} \tag{10.2} \]
\[ < (\det\Lambda)^{-1} r^{-n}\rho_\eta(\Lambda^\vee) = \Bigl(\frac{\eta}{r}\Bigr)^n\rho_{1/\eta}(\Lambda). \tag{10.3} \]
In particular,
\[ \rho_{1/r}(I) \le \max\bigl(1, N(I)^{-1}r^{-n}\bigr)(1 + 2^{-2n}), \tag{10.4} \]
since $\eta_{2^{-2n}}(I^\vee) \le \sqrt n/\lambda_1(I) \le (N(I))^{-1/n}$.
Lemma 10.0.3. In the $m$th cyclotomic number field of degree $n$, for any $q, k \ge 1$,
\[ \sum_{J \mid \langle q\rangle} N(J)^k \le \exp(3c)\,q^{kn} \le q^{kn+5}, \tag{10.5} \]
Proof. Since $c \le \log_2 q$ and $e^{3c} \le e^{3\log_2 q} < q^5$, the second inequality is trivial. For the first inequality, we may assume $q = p^e$. Indeed, if $q_1$ and $q_2$ are coprime, then
\[ \sum_{J \mid \langle q_1 q_2\rangle} N(J)^k = \sum_{J \mid \langle q_1\rangle} N(J)^k \sum_{J \mid \langle q_2\rangle} N(J)^k, \tag{10.6} \]
since when $q_1$ and $q_2$ are coprime, any $J \mid \langle q_1 q_2\rangle$ is of the form $J = J_1 J_2$, where $J_1 \mid \langle q_1\rangle$, $J_2 \mid \langle q_2\rangle$, and $N(J_1 J_2) = N(J_1)N(J_2)$, because the ring of integers $R$ is a UFD. Now $\langle p\rangle = \mathfrak p_1^h \cdots \mathfrak p_g^h$ in $R$, where $h = \varphi(p^d)$, $d \ge 0$ is the largest integer such that $p^d$ divides $m$, each $\mathfrak p_i$ is of norm $p^f$, where $f \ge 1$ is the multiplicative order of $p$ modulo $m/p^d$, and $g = n/hf$, so we have $\langle q\rangle = \mathfrak p_1^{eh} \cdots \mathfrak p_g^{eh}$, and
\[ \sum_{J \mid \langle q\rangle} N(J)^k = \prod_{i=1}^g\bigl(1 + N(\mathfrak p_i)^k + \cdots + N(\mathfrak p_i)^{ehk}\bigr) \tag{10.7} \]
\[ = \bigl(1 + p^{fk} + \cdots + p^{ehfk}\bigr)^g \tag{10.8} \]
\[ \le p^{ehfkg}\,(1 - p^{-fk})^{-g} \tag{10.9} \]
\[ \le q^{nk}\exp(3g\,p^{-fk}). \tag{10.10} \]
Remark 10.0.4.
\[ \frac{1}{1-x} = 1 + x + x^2 + \cdots < e^{3x} = 1 + 3x + \frac{(3x)^2}{2} + \cdots \tag{10.11} \]
when $x < \frac12$.
Observe that $p^f > m/p^d$, since $p^f = 1 \bmod m/p^d$ and $p^f > 1$.
\[ g \le n/\varphi(p^d) = \varphi(m/p^d) < \frac{m}{p^d}, \]
hence $g\,p^{-fk} \le g\,p^{-f} < 1$, which proves
\[ \sum_{J \mid \langle q\rangle} N(J)^k \le q^{nk}e^3. \tag{10.12} \]
Corollary 10.0.6. Let $R, n, q, k$ and $l$ be as above. Assume $A = [I_{[k]} \mid \bar A] \in (R_q)^{[k] \times [l]}$ is chosen as above. Then with probability $1 - 2^{-\Omega(n)}$ over the choice of $\bar A$, the distribution of $A\vec x \in R_q^{[k]}$, where each coordinate of $\vec x \in R_q^{[l]}$ is chosen from a discrete Gaussian distribution of parameter $r > 2n\,q^{k/l + 5/nl}$ over $R$, satisfies that the probability of each of the $q^{nk}$ possible outcomes is almost uniform, i.e., is in the interval $(1 \pm 2^{-\Omega(n)})\,q^{-nk}$.
Proof. Since in this case
\[ \eta_{2^{-\Omega(n)}}(\Lambda^\perp(A)) \le r \tag{10.16} \]
except with probability at most $2^{-\Omega(n)}$,
\[ A \in \mathbb Z_q^{n \times m}, \qquad \Lambda^\perp(A) = \{y \in \mathbb Z^m : Ay = 0 \bmod q\}. \tag{10.19} \]
Then
\[ \Lambda^\perp(A)^\vee \supset \Bigl\{\mathbb Z^m + \frac1q A^T s : s \in \mathbb Z_q^n\Bigr\}. \tag{10.20} \]
\[ \mathbb Z^m + \frac1q A^T s = \mathbb Z^m + \frac1q A^T s', \qquad s, s' \in \mathbb Z_q^n. \tag{10.21} \]
where $\vec a$ represents a typical column vector of $\bar A$, since $\|x\|^2 = \|x_1\|^2 + \|x_2\|^2$ for $x = (x_1, x_2) \in (R^\vee)^{[k]} \times (R^\vee)^{[l-k]}$, and
In Eq. (10.22), note that $\frac1q A^T\vec s \ne \frac1q A^T\vec s'$ if $\vec s \ne \vec s'$ in $(R_q^\vee)^{[k]}$, since $A$ is onto, hence $A^T$ is injective.
For any given $\vec s = (s_1, \dots, s_k) \in (R_q^\vee)^{[k]}$, define the ideal
\[ I_{\vec s} = s_1 R + \cdots + s_k R + qR^\vee \subseteq R^\vee. \]
Then $(R_q)^{[k]} \ni \vec a \mapsto \langle \vec a, \vec s\rangle$ is uniformly random over $I_{\vec s}/qR^\vee$, since $\vec a$, which is a column of $\bar A$, is uniformly random. Since $\bigsqcup_{\vec a \in I_{\vec s}/qR^\vee}\bigl(R^\vee + \frac1q\langle \vec a, \vec s\rangle\bigr) = \frac1q I_{\vec s}$,
\[ \sum_{\vec a \in I_{\vec s}/qR^\vee}\rho_{\frac1r}\Bigl(R^\vee + \frac1q\langle \vec a, \vec s\rangle\Bigr) = \rho_{\frac1r}\Bigl(\frac1q I_{\vec s}\Bigr), \tag{10.25} \]
\[ \sum_{J \in T}|J/qR^\vee|^{-(l-k)}\cdot\rho_{1/r}\Bigl(\frac1q J\Bigr)^{l-k}\sum_{\vec s\ \text{s.t.}\ I_{\vec s} = J}\rho_{1/r}\Bigl((R^\vee)^{[k]} + \frac1q\vec s\Bigr) \]
\[ \le \rho_{\frac1r}(R^\vee)^l_{(s=0)} + \sum_{J \in T \setminus \{qR^\vee\}}|J/qR^\vee|^{-(l-k)}\cdot\rho_{\frac1r}\Bigl(\frac1q J\Bigr)^{l-k}\cdot\Bigl(\rho_{\frac1r}\Bigl(\frac1q J\Bigr)^k - 1\Bigr). \tag{10.28} \]
so
where (10.32) follows from
\[ \eta_{2^{-2n}}\Bigl(\Bigl(\frac Jq\Bigr)^\vee\Bigr) \le \frac{\sqrt n}{\lambda_1\bigl(\frac Jq\bigr)} \le N\Bigl(\frac Jq\Bigr)^{-1/n} \]
and
\[ N\Bigl(\frac Jq\Bigr)^{-1} = \Bigl[\frac Jq : R\Bigr] = \Bigl[\frac Jq : R^\vee\Bigr]\cdot[R^\vee : R] = \Delta_K\,|J/qR^\vee|. \]
Hence,
\[ (10.31) < 1 + 2^{-\Omega(n)} + 2\Delta_K^l\,r^{-nl}\sum_{J \in T}\Bigl|\frac{J}{qR^\vee}\Bigr|^k \tag{10.34} \]
\[ \le 1 + 2^{-\Omega(n)} + 2(r/n)^{-nl}\,q^{kn+5}, \tag{10.35} \]
since $\Delta_K \le n^n$ and
\[ \sum_{J \in T}|J/qR^\vee|^k = \sum_{J \mid \langle q\rangle}N(J)^k \le q^{kn+5}. \tag{10.36} \]
Note that $|J/qR^\vee| = |R/qJ^\vee|$ and $qJ^\vee \supset qR$.
\[ qR^\vee \subset J \subset R^\vee \tag{10.37} \]
\[ \frac1q R \supset J^\vee \supset R \tag{10.38} \]
\[ R \supset qJ^\vee \supset qR \tag{10.39} \]
Conversely,
\[ R \supset I \supset qR \tag{10.40} \]
\[ R^\vee \subset I^\vee \subset \frac1q R^\vee \tag{10.41} \]
\[ qR^\vee \subset qI^\vee \subset R^\vee \tag{10.42} \]
Hence,
\[ \sum_{\vec s\ \text{s.t.}\ I_{\vec s} = J}\rho_{\frac1r}\Bigl((R^\vee)^k + \frac1q\vec s\Bigr) \le \rho_{\frac1r}\Bigl(\Bigl(\frac1q J\Bigr)^{[k]}\Bigr) - 1 \tag{10.44} \]
\[ = \rho_{\frac1r}\Bigl(\frac1q J\Bigr)^k - 1. \tag{10.45} \]
Remark 10.0.8. Another computation:
\[ \rho_{\frac1r}\Bigl((R^\vee)^{[k]} + \frac1q\vec s\Bigr) = \prod_{i=1}^k\rho_{\frac1r}\Bigl(R^\vee + \frac1q s_i\Bigr) \tag{10.46} \]
\[ \le \rho_{\frac1r}\Bigl(\frac1q J\Bigr)^{k-1}\cdot\Bigl(\rho_{\frac1r}\Bigl(\frac1q J\Bigr) - 1\Bigr) \tag{10.47} \]
\[ \le \rho_{\frac1r}\Bigl(\frac1q J\Bigr)^k - 1, \tag{10.48} \]
where (10.47) follows since $s_i \ne 0$ for some $i$ and $R^\vee + \frac1q s_i \subset \frac1q J$, and (10.48) follows from $\rho_{\frac1r}(\frac1q J) > 1$.
Chapter 11
Cryptosystems
($q$ should be larger than $p$, but the smaller the better for the efficiency)
$l$ samples of Ring-LWE.
If $r > 2n\cdot q^{1/l + 2/nl}$, then $(a_1, a_2, \dots, a_l)$ approximates uniform and the above cryptosystem is secure under the hardness of R-LWE because the ciphertext $\vec c = e_0\vec a + \vec e$ is a Ring-LWE instance with proper security.
Theorem 11.1.1. Suppose that for any $c \in R_q^\vee$, $\lfloor p\psi\rceil_{c + pR^\vee}$ is $\delta$-subgaussian with parameter $s$ for some $\delta = O(\frac1l)$, and $q \ge s\sqrt{(r^2 l + 1)n}\cdot\omega(\sqrt{\log n})$. Then the decryption is correct with probability $1 - \mathrm{negl}(n)$ over all the randomness of key generation and encryption.
Remark 11.1.2. If $\psi$ is a continuous Gaussian with parameter $s' > 1$ and if we use coordinate-wise randomized rounding, then since $s_1(\vec d) = \sqrt{\mathrm{rad}(m)/m}$ and the sum of two independent Gaussians is again Gaussian with the sum of variances as the new variance, $\lfloor p\psi\rceil_{c + pR^\vee}$ is 0-subgaussian with parameter $s = p\sqrt{s'^2 + 2\pi\,\mathrm{rad}(m)/m} = O(ps')$. ($2\pi\,\mathrm{rad}(m)/m$ comes from discretization by coordinate-wise randomized rounding and multiplication by $\vec d$, since if $E(X) = 0$ and $|X| \le B$, then $X$ is 0-subgaussian with parameter $B\sqrt{2\pi}$.)
Proof. By construction, $\langle \vec c, \vec x\rangle = e_0 z_0 + \langle \vec e, \vec x\rangle = \langle \vec e', \vec x'\rangle \bmod qR^\vee$, where $\vec e' = (e_0, e_1, \dots, e_l)$, $\vec x' = (x_0, x_1, \dots, x_l = 1)$, and $\langle \vec e', \vec x'\rangle = t^{-1}\mu \bmod pR^\vee$, so decryption is correct as long as
\[ \llbracket\langle \vec e', \vec x'\rangle \bmod qR^\vee\rrbracket = \langle \vec e', \vec x'\rangle \in R^\vee. \tag{11.1} \]
With high probability, $\|x_i\|_2 \le r\sqrt n$, $\|x_l\| = \|1\|_2 = \sqrt n$. Therefore each coefficient of $e_i x_i$ with respect to the decoding basis is $\delta$-subgaussian with parameter $sr\sqrt n$, and $e_l x_l$ is $\delta$-subgaussian with parameter $s\sqrt n$. Hence, each decoding basis coefficient of $\langle \vec e', \vec x'\rangle$ is $\delta(l+1)$-subgaussian with parameter $s\sqrt{(r^2 l + 1)n}$. By the decoding $I_q$ to $I$ lemma, this proves the theorem.
$(a, b)$ is uniform and $(u, v)$ has the same distribution as the one generated by $\mathrm{Enc}_{(a,b)}(\mu)$. This means that if we can distinguish random $(a, b, u, v)$ and $(a, b, \mathrm{Enc}_{a,b}(\mu))$, we can distinguish the uniform distribution and $A_{z,\psi}$ over $R_q \times K_{\mathbb R}/qR^\vee$, which is a contradiction to the R-LWE assumption. This completes the proof.
Lemma 11.2.2. Suppose that $\lfloor\psi\rceil_{R^\vee}$ outputs elements having $\ell_2$ norm bounded by $l$ with $1 - \mathrm{negl}(n)$ probability, that $\lfloor p\psi\rceil_{e + pR^\vee}$ is $\delta$-subgaussian with parameter $s$ for some $\delta = O(1)$, and that $q \ge s\sqrt{2(\hat m l)^2 + n}\cdot\omega(\sqrt{\log n})$. Then the decryption is correct with probability $1 - \mathrm{negl}(n)$ over all the randomness of key generation and encryption.
Proof. $e, e' \in pR^\vee$ and $x, z \in R^\vee$, hence $\hat m(e\cdot z - e'\cdot x) \in pR^\vee$, because $\hat m = tg$. Therefore $E := \hat m(ez - e'x) + e'' \in R^\vee$ satisfies $E = t^{-1}\mu \bmod pR^\vee$. So decryption is correct as long as $\llbracket E \bmod qR^\vee\rrbracket = E$. By assumption, $\|x\|_2, \|z\|_2 \le l$ with probability $1 - \mathrm{negl}(n)$, and $e, e', e''$ are $\delta$-subgaussian with parameter $s$. Hence, each coefficient of $\hat m\cdot ez,\ \hat m\cdot e'x \in R^\vee$ when represented in the decoding basis is $\delta$-subgaussian with parameter $s\hat m l$ and those of $e''$ are $\delta$-subgaussian with parameter $s\sqrt n$ ($\because$ $b = 1$ in this case, and $\|1\|_2 = \sqrt n$). Since $e, e', e''$ are mutually independent, each decoding basis coefficient of $E$ is $3\delta$-subgaussian with parameter $s\sqrt{2(\hat m l)^2 + n}$. The statement follows from the decoding $I_q$ to $I$ lemma.
• $\mathrm{Dec}_s(c(S))$ for $c$ of degree $k$: compute $c(s) \in (R_q^\vee)^k$ and decode it to $e = \llbracket c(s)\rrbracket \in R^\vee$. Output $\mu = t^k e \bmod pR$.
Lemma 11.3.2. The above cryptosystem is secure assuming the hardness of R-DLWE$_{q,\psi}$.
Proof. We have access to two distributions over $R_q \times K_{\mathbb R}/qR^\vee$, either the LWE distribution $A_{s',\psi}$ where $s' \leftarrow \lfloor\psi\rceil_{R^\vee}$ or the uniform distribution. Draw a sample $(a', b') \in R_q \times K_{\mathbb R}/qR^\vee$ from the unknown distribution. Let $a = pa' \bmod qR$ and $b = \lfloor pb'\rceil_{t^{-1}\mu + pR^\vee}$ to obtain $(a, b) \in R_q \times R_q^\vee$. Let $c_1 = -t^{-1}a \in R_q$, $c_0 = b$, and output $c(S) = c_0 + c_1 S$. If the unknown distribution is $A_{s',\psi}$, then $c(S)$ is distributed exactly according to $\mathrm{Enc}_s(\mu)$. If the unknown distribution is the uniform distribution, then $(a, b)$ is uniform and independent of $\mu$. Hence, $c(S)$ is uniform. Therefore, if somebody distinguishes the ciphertext $c(S)$ and the uniform $c(S)$, then he can solve R-DLWE, which contradicts the hardness assumption of R-DLWE.
Let $J$ be a fractional ideal, something like $(R^\vee)^k$, and $q, q', p$ integers with both $q$ and $q'$ coprime to $p$. Let $v \in \mathbb Z_p$ be $v = q' q^{-1} \bmod p$. Define a randomized function $F_J : J_q \to K$ as follows. Assume that a good basis of $J$ is given and $x \in J_q$. Then $F_J(x)$ is a short subgaussian element from the coset $(v - q'/q)x + pJ$. Note that $(v - q'/q)x + pJ$ is well defined because $(v - q'/q)qJ \subset pJ$. Also observe that for all $x \in J_q$, we have $(q'/q)x + F_J(x) \in J_{q'}$ up to zero message, i.e., up to a multiple of $p$. ($\because$ If $x \in qJ$ then $vx = vqJ \subseteq q'J$, but note that $v$ is defined up to a multiple of $p$.) It is trivial to see that $qF_J(x) \in pJ$.
always if we use coordinate-wise randomized rounding to a coset of $pR^\vee$ (respectively, $pR$) using the basis $p\vec d$ (respectively, $p\vec p$) because of the definition of coordinatewise randomized rounding defined at discretization, and the fact that if $f = \sum f_i b_i$ is the output, then $|f_i| \le 1$.
Key Switching
$c(S)$: degree-$k$ ciphertext,
$I = (R^\vee)^k$, $d = k + 1$,
$\vec s = (s_0, \dots, s_k) \in R^{[d]}$,
$\vec c \in I_q^{[d]}$: coefficient vector of a valid degree-$k$ ciphertext $c(S)$, where decryption $c(s) = \langle \vec c, \vec s\rangle = e \bmod qI$ for some short $e \in t^{-k}\mu + pI$.
Let $\vec y = t\hat m^{k-1}\vec c \in R_q^{[d]}$, $l = \lceil\log_2 q\rceil$, and define
Find short $\vec x \in R^{[dl]}$ such that $G\vec x = \vec y \in R_q^{[d]}$. (To find such a short $\vec x$, we do need a good basis for $\Lambda^\perp(G)$, which we have; see lemma 23.) We have
\[ \hat m^{k-1}e = \langle \vec y, t^{-1}\vec s\rangle = \langle \vec x, t^{-1}G^T\vec s\rangle \bmod qR^\vee. \tag{11.11} \]
i.e., we generate degree-1 encryptions of 0 and simply add the entries of $t^{-1}G^T\vec s$ to their constant terms.
\[ h_i(S') = f_i + t^{-1}(G^T\vec s)_i \tag{11.13} \]
Claim: If all the entries $f_j \in R^\vee$ are $\delta$-subgaussian with parameter $s$ for some $\delta = O(1)$, then
\[ F \le Cs\cdot\max\bigl(\sqrt{dl},\ \omega(\sqrt{\log n})\bigr) \tag{11.15} \]
except with $\mathrm{negl}(n)$ probability.
Proof.
\[ \max_{i \in \mathbb Z_m^*}\Bigl(\sum_{j=1}^{dl}|\sigma_i(f_j)|^2\Bigr) \tag{11.16} \]
\[ = \max_{i \in \mathbb Z_m^*}\Bigl(\sum_{j=1}^{dl}\mathrm{Re}(\sigma_i(f_j))^2 + \sum_{j=1}^{dl}\mathrm{Im}(\sigma_i(f_j))^2\Bigr) \tag{11.17} \]
\[ \le 2\max_{i \in \mathbb Z_m^*}\max\Bigl\{\sum_{j=1}^{dl}\mathrm{Re}(\sigma_i(f_j))^2,\ \sum_{j=1}^{dl}\mathrm{Im}(\sigma_i(f_j))^2\Bigr\}. \tag{11.18} \]
Then the previous estimation on $\Pr(\sum_i x_i^2 > r)$ implies the claim, since $\mathrm{Re}(\sigma_i(f_j))$ and $\mathrm{Im}(\sigma_i(f_j))$ are $\delta$-subgaussian with parameter $s/\sqrt2$.
Remark 11.3.3. $\frac{1}{\sqrt2}(x_i + x_{m-i}) = \sqrt2\,\mathrm{Re}(x_i)$ and similarly for $\sqrt2\,\mathrm{Im}(x_i)$, and $B = \frac{1}{\sqrt2}\begin{pmatrix} I & \sqrt{-1}\,J \\ J & -\sqrt{-1}\,I \end{pmatrix}$ is a unitary basis of $H$, so $\sqrt2\,\mathrm{Re}(\sigma(\cdot))$ and $\sqrt2\,\mathrm{Im}(\sigma(\cdot))$ are Gaussian with parameter $s$.
Then
\[ c'(s') = \sum_i x_i\bigl(f_i + t^{-1}(G^T\vec s)_i\bigr) \tag{11.20} \]
\[ = \langle \vec x, \vec f\rangle + \langle \vec x, t^{-1}G^T\vec s\rangle \tag{11.21} \]
\[ = \langle \vec x, \vec f\rangle + \hat m^{k-1}e \bmod qR^\vee. \tag{11.22} \]
Hence, the noise term is $e' = \langle \vec x, \vec f\rangle + \hat m^{k-1}e$. Note that $e' = \hat m^{k-1}e$ modulo $pR^\vee$, since $f_i \in pR^\vee$. $e'$ is a relatively short element of $R^\vee$, since $e$ was short in $\hat m^{1-k}R^\vee$, and $\vec x$ and $\vec f$ are also short in $R^\vee$ by construction. To choose a short $\vec x$ such that $G\vec x = \vec y$ for a given $\vec y \in R_q^{[d]}$, it suffices to find a short basis of $\Lambda^\perp(G)$.
Define $S_g \in \mathbb Z^{[l] \times [l]}$ as
\[ S_g = \begin{pmatrix} 2 & & & & \\ -1 & 2 & & & \\ & -1 & \ddots & & \\ & & \ddots & 2 & \\ & & & -1 & 2 \end{pmatrix} \tag{11.24} \]
if $q = 2^l$, and otherwise
\[ S_g = \begin{pmatrix} 2 & & & & q_0 \\ -1 & 2 & & & q_1 \\ & \ddots & \ddots & & \vdots \\ & & \ddots & 2 & q_{l-2} \\ & & & -1 & q_{l-1} \end{pmatrix}, \tag{11.25} \]
where $q = \sum_{i \in [l]} q_i 2^i$ is the binary representation of $q$, with $q_i \in \{0, 1\}$. The columns of $S_g$ form a basis of $L^\perp(g^T)$, since the columns of $S_g$ are linearly independent and $\det S_g = 2^l = \det(L^\perp(g^T))$ if $q = 2^l$, and also $\det S_g = q$ in general if we consider the expansion of $\det S_g$ with respect to the last column.
\[ \|Se_i\|^2 = 1 + \frac{4^i}{\sum_{j<i}4^j} = \frac{4 - 4^{-i}}{1 - 4^{-i}}\ (<5) \quad\text{for } i = 1, \dots, l-1, \tag{11.27} \]
\[ \|Se_l\|^2 = \frac{3q^2}{4^l - 1} < 3. \tag{11.28} \]
By definition,
\[ s_1(A) = \max_{u \ne 0}\frac{\|Au\|}{\|u\|}. \tag{11.30} \]
When $q = 2^l$,
\[ S_g = \begin{pmatrix} 2 & & \\ & 2 & \\ & & \ddots \end{pmatrix}\ (= A_1)\ +\ \begin{pmatrix} 0 & & & \\ -1 & 0 & & \\ & \ddots & \ddots & \\ & & -1 & 0 \end{pmatrix}\ (= A_2). \]
$S_g(u) = A_1 u + A_2 u$, where $\|u\| = 1$. Hence,
\[ \|S_g u\| \le \|A_1 u\| + \|A_2 u\| \le 2 + 1 = 3. \]
When $q \ne 2^l$, we consider $S_g^T$.
\[ \begin{pmatrix} 2 & -1 & & & \\ & 2 & -1 & & \\ & & \ddots & \ddots & \\ & & & 2 & -1 \\ q_0 & q_1 & \cdots & q_{l-2} & q_{l-1} \end{pmatrix}\begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{l-2} \\ u_{l-1} \end{pmatrix} \tag{11.31} \]
\[ = \begin{pmatrix} 2u_0 - u_1 \\ 2u_1 - u_2 \\ \vdots \\ 2u_{l-2} - u_{l-1} \\ q_0 u_0 + \cdots + q_{l-1}u_{l-1} \end{pmatrix} \tag{11.32} \]
\[ = 2\begin{pmatrix} u_0 \\ u_1 \\ \vdots \\ u_{l-2} \\ 0 \end{pmatrix} - \begin{pmatrix} u_1 \\ u_2 \\ \vdots \\ u_{l-1} \\ 0 \end{pmatrix} + \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \\ q_0 u_0 + \cdots + q_{l-1}u_{l-1} \end{pmatrix}, \tag{11.33} \]
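The two claims that make key switching work, "the columns of $S_g$ form a basis of $L^\perp(g^T)$ with $\det S_g = q$" and "a short $\vec x$ with $G\vec x = \vec y$ can be found", are checked below on integers (the ring case applies the same map coefficient by coefficient). This is an added example, our code and not the lecture note's: `sg_matrix` builds (11.24)/(11.25) for a given $q$ with $l = \lceil\log_2 q\rceil$, `determinant` confirms $\det S_g = q$ exactly, `columns_in_lattice` checks $\langle g, s\rangle \equiv 0 \bmod q$ for every column, and `gadget_decompose` produces the binary solution $\vec x \in \{0,1\}^{dl}$ of $(I_d \otimes g^T)\vec x = \vec y$, whose entries are as short as possible. Adding any integer combination of the columns of $S_g$ to a solution yields another one, which is what the "short basis of $\Lambda^\perp(G)$" remark is about.

```python
from fractions import Fraction

# Added example (not from the lecture note): the gadget vector g = (1, 2, ..., 2^{l-1}),
# the basis S_g of L^⊥(g^T) from (11.24)/(11.25), and the binary decomposition
# that solves (I_d ⊗ g^T) x = y with x ∈ {0,1}^{dl}.

def bit_length_l(q):
    """l = ⌈log2 q⌉ for q ≥ 2 (equals (q−1).bit_length())."""
    return (q - 1).bit_length()

def gadget_vector(l):
    return [2 ** i for i in range(l)]

def sg_matrix(q):
    l = bit_length_l(q)
    S = [[0] * l for _ in range(l)]
    for i in range(l - 1):              # columns 0..l−2: 2 on the diagonal, −1 below it
        S[i][i] = 2
        S[i + 1][i] = -1
    if q == 1 << l:                     # (11.24): last column (0, ..., 0, 2)^T
        S[l - 1][l - 1] = 2
    else:                               # (11.25): last column = binary digits q_0..q_{l−1}
        for i in range(l):
            S[i][l - 1] = (q >> i) & 1
    return S

def determinant(M):
    """Exact determinant by fraction-free-enough Gaussian elimination over Q."""
    A = [[Fraction(x) for x in row] for row in M]
    n, det = len(A), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            det = -det
        det *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return det

def columns_in_lattice(q):
    """Every column s of S_g satisfies ⟨g, s⟩ ≡ 0 (mod q), i.e. s ∈ L^⊥(g^T)."""
    S, l = sg_matrix(q), bit_length_l(q)
    g = gadget_vector(l)
    return all(sum(g[i] * S[i][j] for i in range(l)) % q == 0 for j in range(l))

def gadget_decompose(y, q):
    """x ∈ {0,1}^{d·l} with (I_d ⊗ g^T) x = y: the binary digits of each entry of y."""
    l = bit_length_l(q)
    return [(yi >> b) & 1 for yi in y for b in range(l)]

def gadget_apply(x, q, d):
    """(I_d ⊗ g^T) x mod q for x ∈ Z^{d·l}."""
    l = bit_length_l(q)
    g = gadget_vector(l)
    return [sum(g[b] * x[i * l + b] for b in range(l)) % q for i in range(d)]

def lattice_shift_keeps_solution(y, q, t):
    """For d = 1: x + S_g·t is again a solution of g^T x = y mod q for any integer vector t."""
    S, l = sg_matrix(q), bit_length_l(q)
    x = gadget_decompose(y, q)
    shifted = [x[i] + sum(S[i][j] * t[j] for j in range(l)) for i in range(l)]
    return gadget_apply(shifted, q, 1) == y
```

With $q = 13$ ($l = 4$, digits $1,0,1,1$) the last column of $S_g$ is $(1, 0, 1, 1)^T$ and the cofactor expansion along it gives $1\cdot1 + 1\cdot4 + 1\cdot8 = 13$, exactly the $\det S_g = q$ argument in the text.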
Then
\[ \vec z = \sum_j b_j\begin{pmatrix} a_{1j} \\ a_{2j} \\ \vdots \\ a_{kj} \end{pmatrix} = \sum_j b_j\cdot\mathbf a_j, \]
where $\mathbf a_j = (a_{1j}, a_{2j}, \dots, a_{kj})^T$. Hence, $A\vec z = 0$ implies $A\mathbf a_j = 0 \in \mathbb Z_q^{[h]}$, i.e., $\mathbf a_j \in L^\perp(A)$, so $\mathbf a_j$ can be written uniquely as a $\mathbb Z$-linear combination of the basis elements in $B$, i.e., $B \otimes \vec b^T$ forms a basis of $\Lambda^\perp(A) \subseteq R^{[k]}$.
Part III
Multilinear map
Chapter 12
Multilinear maps
• Publish a cyclic group $G$ (i.e., a generator $g$ of order $q$) where the discrete log problem is hard.
Wish to have an $N$-multiparty version: $G, G_T$ are groups where the discrete log is hard, and there is an efficient $(N-1)$-linear map $e : G^{N-1} \to G_T$ such that
for all $x_1, \dots, x_{N-1} \in \mathbb Z_q$.
Then we obtain $N$-party NIKE:
• Publish cyclic groups $G$ and $G_T$ (with generators $g$ and $g_T$, of order $q$), where the DL-problem is hard, and an efficient $(N-1)$-linear map $e$.
12.2 Garg-Gentry-Halevi (GGH) Graded Encoding Scheme
High level description
• We require
and
\[ x\cdot\mathrm{Enc}_k(par, z : \rho) = \mathrm{Enc}_k(par, x\cdot z : \rho). \tag{12.4} \]
• Sample $z \hookleftarrow U(R_q)$.
• Sample a level-1 encoding of 1, i.e., set $y = [a\cdot z^{-1}]_q$ with $a \hookleftarrow D_{1+I,\sigma'}$.
• Sample $m_r$ level-1 encodings of 0, i.e., set $s_j = [b_j\cdot z^{-1}]_q$ with $b_j \hookleftarrow D_{I,\sigma'}$ for all $j \le m_r$.
Remark 12.2.1.
\[ R = \mathbb Z[x]/\langle x^n + 1\rangle \leftrightarrow \mathbb Z^n \tag{12.11} \]
\[ \sum_{i=0}^{n-1}a_i x^i \leftrightarrow (a_0, \cdots, a_{n-1}) \tag{12.12} \]
\[ I\ (\text{ideal}) \subset R \leftrightarrow \text{sublattice of } \mathbb Z^n \tag{12.13} \]
• poly($n$)-ideal lattice SVP is assumed to be still difficult even against a quantum computer. But note that Gap-SVP for ideal lattices is trivial.
Level-1 encoding $\mathrm{Enc}_1(par, e)$
• Given level-0 $e \in R$: $e \hookleftarrow D_{R,\sigma'}$, $u' = [ey]_q$, hence $u' = [c'/z]_q$ with $c' \in e + I$ (Note that $e = [e]_{\langle g\rangle} + g e_H$ for some $e_H \in R$, where $[e]_g$ is the unique coset representative in $P_g$, and $P_g = \{\sum_{i=0}^{n-1}c_i x^i g : c_i \in [-\frac12, \frac12)\}$. Also note that $(g, xg, \cdots, x^{n-1}g)$ is a short $\mathbb Z$-basis of the ideal lattice $\langle g\rangle$.)
• Rerandomize: Sample small $\rho_j \hookleftarrow D_{\mathbb Z,\sigma_1^*}$ for $j \le m_r$, and return $u = [u' + \sum_{j=1}^{m_r}\rho_j x_j]_q$. Hence, $u = [c/z]_q$ with $c \in e + I$ and $c = c' + \sum\rho_j b_j$.
Multiplying encodings
Given a level-$k_1$ encoding $u_1 = [c_1/z^{k_1}]_q$ of $e_1$ and a level-$k_2$ encoding $u_2 = [c_2/z^{k_2}]_q$ of $e_2$, $u = [u_1\cdot u_2]_q$ is a level-$(k_1+k_2)$ encoding of $[c_1\cdot c_2]_g$. Note that $u_1\cdot u_2 = [c_1 c_2/z^{k_1+k_2}]_q$ and $c_1\cdot c_2 \in e_1\cdot e_2 + I$.
\[ v = \text{up to the } l\text{th most significant bit of } [p_{zt}u]_q \text{ with } l < \bigl(\tfrac14 - \varepsilon\bigr)\log q \ =:\ MSB_l([p_{zt}\cdot u]_q). \]
Correctness of extraction
• At level 1: if $c = [c]_g + gr$ for some small $r \in R$, then
\[ v = MSB_l\Bigl(\frac hg([c]_g + gr)\Bigr) = MSB_l\Bigl(\frac hg[c]_g + hr\Bigr), \]
which is equal to $MSB_l(\frac hg[c]_g)$ with high probability if $q > \|r\|^8$. Since $h \sim \sqrt q$, $\|hr\| \sim \sqrt q\|r\|$. If $q > \|r\|^8$, then $\sqrt q\|r\| < q^{\frac12 + \frac18} = q^{\frac58}$. Hence, the noise term $hr$ does not contribute to the most significant $l$th bit if $l < (\frac14 - \varepsilon)\log q$, since $q^{\frac58}$ contributes up to $\frac58\log q$ least significant bits.
Security of GDH for the GGH scheme
Known attacks need a small multiple of $g$, $dg$ ($\|dg\| < q$).
Note: From the public parameters, it is easy to compute a basis for the ideal $\langle g\rangle$, even though $g$ is a secret. But usually the bases thus found are rather long, so it is difficult to find a short element $dg$ in $\langle g\rangle$.
Attack on the Graded Discrete Log problem. Given $u = \mathrm{Enc}_1(par, x) = \bigl[\frac{x + rg}{z}\bigr]_q$ for small $r$.
• Using a basis for $\langle g\rangle$ obtained from the public parameters, it is easy to compute a (in general very large) representation $x' \in R$, where $x' = u''y''^{-1} \bmod \langle g\rangle$, so $x' = x \bmod \langle g\rangle$ since $u''y''^{-1} = x \bmod \langle g\rangle$.
• Compute a small representation $x'' = x' \bmod \langle dg\rangle$. Then $x'' = x \bmod \langle g\rangle$.
Note: $\langle dg\rangle$ is a sublattice of $\langle g\rangle$, and we have a short basis for the ideal lattice $\langle dg\rangle$, but in general not for the ideal lattice $\langle g\rangle$.
Chapter 13
• Sample $z \in U(R_q)$.
\[ \mathrm{rot}_B : R \times R \to R \tag{13.1} \]
\[ (x, y) \mapsto x b_1 + y b_2 \tag{13.2} \]
Formalizing Re-randomization Security
Informal requirement: Prevent correlation of statistical properties of re-randomized
encoding with encoded element.
Formal requirement: Breaking Ext-GCDH problem is as hard as breaking canonical
Ext-GCDH problem.
Remark 13.0.2. The difference between Ext-GCDH and canonical Ext-GCDH is that
sampling in Ext-GCDH is from a shifted Gaussian (shifted by ei · y), while sampling in
canonical Ext-GCDH is from a fixed origin centered Gaussian, but with a shifted lattice
(by ei ).
• $v_i$ distribution is a shifted Gaussian $D_{I+e_i,\,\sigma_1^* B^T,\,c'_i}$ with small shifted center $c'_i = e_i y$.
The original strong GCDH requirement was based on the statistical distance (SD) $\Delta$: They required
\[ \Delta(D_1, D_2) := \sum_x|D_1(x) - D_2(x)| < 2^{-\lambda}. \tag{13.6} \]
[Figure: $F_1$, a Gaussian of width $\sigma$; $F_2$, the same Gaussian shifted by $c$.]
\[ \Delta(F_1, F_2) = O\Bigl(\frac c\sigma\Bigr). \tag{13.9} \]
Hint:
Note that
\[ \frac{\bigl(\int_A P(x)\,dx\bigr)^2}{\int_A Q(x)\,dx} < \int_A\frac{P^2(x)}{Q(x)}\,dx < R(P\|Q). \tag{13.11} \]
(For a general subset $A$, the first inequality follows from the Cauchy-Schwarz inequality since $P(x) = \frac{P(x)}{\sqrt{Q(x)}}\sqrt{Q(x)}$.) Hence, $Q(A) \ge P(A)^2/R(P\|Q)$.
Security analysis of GGHLite based on the Rényi divergence
Any adversary $\mathcal A$ with success probability $\varepsilon$ against the Ext-GCDH problem has success probability $\varepsilon'$ against the canonical Ext-GCDH problem with
\[ \varepsilon' \ge \varepsilon^2/R(D_1\|D_2)^2. \tag{13.12} \]
Hence, we require only that $R(D_1\|D_2)$ is $\mathrm{poly}(\lambda)$. Then $\varepsilon' \sim 2^{-\lambda}$ implies $\varepsilon \sim 2^{-\lambda}$.
Lemma 13.0.4. For any $n$-dimensional lattice $\Lambda \subset \mathbb R^n$ and rank-$n$ matrix $S \in \mathbb R^{m \times n}$, let $P$ be the center-shifted Gaussian distribution $D_{\Lambda,S,w}$, and $Q$ the center-shifted Gaussian distribution $D_{\Lambda,S,z}$ for some $w, z \in \mathbb R^n$. If $w, z \in \Lambda$, let $\varepsilon = 0$. Otherwise fix $\varepsilon \in (0, 1)$ and assume that $\sigma_n(S) \ge \eta_\varepsilon(\Lambda)$. Then
\[ R(P\|Q) \in \Bigl[\Bigl(\frac{1-\varepsilon}{1+\varepsilon}\Bigr)^2,\ \Bigl(\frac{1+\varepsilon}{1-\varepsilon}\Bigr)^2\exp\bigl(2\pi\|S^{-T}(w-z)\|^2\bigr)\Bigr] \tag{13.13} \]
\[ \subset \Bigl[\Bigl(\frac{1-\varepsilon}{1+\varepsilon}\Bigr)^2,\ \Bigl(\frac{1+\varepsilon}{1-\varepsilon}\Bigr)^2\exp\Bigl(\frac{2\pi\|w-z\|^2}{\sigma_n(S)^2}\Bigr)\Bigr] \tag{13.14} \]
(refer to the paper [LSS14] on GGHLite for the proof.)
Hence, the lemma implies that
\[ R(D_1\|D_2) \le \exp\Bigl(\frac{2\pi\|c'_1\|^2}{\sigma_n(\sigma_1^* B^T)^2}\Bigr). \tag{13.15} \]
For the requirement $R(D_1\|D_2) \le \mathrm{poly}(\lambda)$, we can use $\frac{c'_1}{\sigma_1^*} = O(1/|\log\lambda|)$.
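To make Lemma 13.0.4 and the event bound of (13.11) concrete, here is an added numerical example (our code, not from the lecture note or from [LSS14]) in the simplest setting $\Lambda = \mathbb Z$, $n = 1$, $S = (\sigma)$, so $\sigma_n(S) = \sigma$: it computes $R(P\|Q) = \sum_x P(x)^2/Q(x)$ for two discrete Gaussians with the same width and centres $w, z \notin \mathbb Z$, takes $\varepsilon = \rho_{1/\sigma}(\mathbb Z) - 1$ (so that $\eta_\varepsilon(\mathbb Z) = \sigma$ exactly), and checks that $R$ lands in the interval (13.14) and that $Q(A) \ge P(A)^2/R(P\|Q)$ for a tail event $A$. Truncating $\mathbb Z$ to a finite window is our simplification; the discarded mass is far below double precision. For this 1-dimensional case the continuous computation gives $R = \exp(2\pi(w-z)^2/\sigma^2)$, so the upper bound in (13.14) is tight up to the $((1+\varepsilon)/(1-\varepsilon))^2$ factor.

```python
import math

# Added example (not from the lecture note): order-2 Rényi divergence between two
# discrete Gaussians on Z with width sigma and centres w, z, compared with the
# bounds of Lemma 13.0.4 (n = 1, S = (sigma)), plus the event bound from (13.11).

def rho(x, sigma, center):
    return math.exp(-math.pi * (x - center) ** 2 / sigma ** 2)

def discrete_gaussian(sigma, center, cutoff):
    """Normalised D_{Z,sigma,center} on the window |x| <= cutoff (our truncation)."""
    weights = {x: rho(x, sigma, center) for x in range(-cutoff, cutoff + 1)}
    total = sum(weights.values())
    return {x: w / total for x, w in weights.items()}

def gaussian_pair(sigma, w, z):
    cutoff = int(12 * sigma + max(abs(w), abs(z))) + 1
    return discrete_gaussian(sigma, w, cutoff), discrete_gaussian(sigma, z, cutoff)

def renyi2(P, Q):
    """R(P||Q) = sum_x P(x)^2 / Q(x), the quantity used in (13.11)-(13.15)."""
    return sum(p * p / Q[x] for x, p in P.items() if p > 0)

def smoothing_epsilon(sigma):
    """epsilon with eta_epsilon(Z) = sigma:  rho_{1/sigma}(Z) - 1 = 2 sum_{k>=1} exp(-pi sigma^2 k^2)."""
    return 2 * sum(math.exp(-math.pi * sigma ** 2 * k ** 2) for k in range(1, 50))

def lemma_bounds(sigma, w, z):
    """The interval (13.14) for R(P||Q) when w, z are not lattice points."""
    eps = smoothing_epsilon(sigma)
    lo = ((1 - eps) / (1 + eps)) ** 2
    hi = ((1 + eps) / (1 - eps)) ** 2 * math.exp(2 * math.pi * (w - z) ** 2 / sigma ** 2)
    return lo, hi

def renyi_within_lemma_bounds(sigma, w, z):
    """Returns (lo <= R <= hi, R)."""
    P, Q = gaussian_pair(sigma, w, z)
    R = renyi2(P, Q)
    lo, hi = lemma_bounds(sigma, w, z)
    return lo <= R <= hi, R

def event_bound_holds(sigma, w, z, threshold):
    """Q(A) >= P(A)^2 / R(P||Q) for the tail event A = {x >= threshold}."""
    P, Q = gaussian_pair(sigma, w, z)
    pa = sum(p for x, p in P.items() if x >= threshold)
    qa = sum(p for x, p in Q.items() if x >= threshold)
    return qa >= pa * pa / renyi2(P, Q)

if __name__ == "__main__":
    ok, R = renyi_within_lemma_bounds(3.0, 0.3, 1.1)
    print(ok, R, math.exp(2 * math.pi * 0.8 ** 2 / 9), lemma_bounds(3.0, 0.3, 1.1))
```

The design point of the Rényi-based argument is visible in the numbers: a centre shift of $0.8$ at width $3$ gives a statistical distance of order $0.27$, far from $2^{-\lambda}$, yet $R(P\|Q) \approx 1.56$ is a small constant, so (13.12) loses only a constant factor in the exponent of the success probability.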
which is ζ(2)−1 .)
Remark 13.0.6. $[t_1, t_2]R^2 \ne R$ is non-negligible for $R = \mathbb Z[x]/\langle x^n + 1\rangle$, where $n$ is even, since each random element of $R$ falls in the ideal $\langle x + 1\rangle$ with probability $\frac12$, hence both $t_1, t_2$ get stuck in $\langle x + 1\rangle$ with probability $\frac14$. ($h = a_0 + a_1 x + \cdots + a_{n-1}x^{n-1} \in R$ is defined up to a multiple of $(x^n + 1)$, i.e., if $\tilde h = h + f(x)(x^n + 1)$ in $R$ for some polynomial $f(x)$, then $\tilde h = h$ in $R$. Hence, $h \in \langle x + 1\rangle$ if and only if $\tilde h(-1) = 0$ for some $f(x)$, i.e., there exists $f(x)$ such that
\[ a_0 - a_1 + \cdots \pm a_{n-1} + f(-1)\cdot 2 = 0, \tag{13.17} \]
that is, if $a_0 - a_1 + \cdots \pm a_{n-1}$ is even.)
• Step 2. Let $A_T = \{V \in R^2 : TV = [t_1, t_2]V = 0\}$. If $\sigma_1^* > \eta_\varepsilon(A_T)$, then $\rho_1 t_1 + \rho_2 t_2$ is within SD $2\varepsilon$ of $D_{R,\sigma_1^* T^t}$, which comes from the discrete Gaussian leftover hash lemma.
Chapter 14
We follow the notation in Steinfeld's lecture slides. We only explain the essential parts of the cryptanalysis due to Yupu Hu and Huiwen Jia [Hu15].
\[ \eta''' = \bigl(h(1 + ag)^K g^{-1}\bigr)\prod_{k=1}^{K+1}v^{(k)} + \xi''(1 + ag) \bmod q, \]
where $\xi''(1 + ag)$ is short. Hence, the higher order bits of $\eta'''$ are what we want to obtain.
From $W \pmod Y$, $X^{(1)} \pmod Y$, and $X^{(2)} \pmod Y$, obtain $W' \in \langle X^{(1)}, X^{(2)}\rangle$ such that $W - W' \pmod Y = 0$.
Denote $W' = u'^{(1)}X^{(1)} + u'^{(2)}X^{(2)}$.
\[ v^{(0)} := (W - W')/Y \tag{14.8} \]
\[ = v + \bigl((u^{(1)}X^{(1)} + u^{(2)}X^{(2)}) - W'\bigr)/Y \tag{14.9} \]
\[ = v + \bigl((u^{(1)} - u'^{(1)})X^{(1)} + (u^{(2)} - u'^{(2)})X^{(2)}\bigr)/Y \tag{14.10} \]
\[ = v + \bigl((u^{(1)} - u'^{(1)})b^{(1)} + (u^{(2)} - u'^{(2)})b^{(2)}\bigr)g\big/(1 + ag). \tag{14.11} \]
Since $g$ and $1 + ag$ are coprime,
\[ v^{(0)} - v \in \langle g\rangle. \]
$v^{(0)}$ is called the equivalent secret of $v$.
\[ \eta := \prod_{k=1}^{K+1}v^{(0,k)} = \prod_{k=1}^{K+1}v^{(k)} + \xi g \tag{14.12} \]
\[ \eta' := Y\eta = Y\prod_{k=1}^{K+1}v^{(k)} + \xi' b^{(1)}g \tag{14.13} \]
\[ \eta'' := \eta' \pmod{X^{(1)}} \tag{14.14} \]
\[ \eta'' = Y\prod_{k=1}^{K+1}v^{(k)} + \xi'' b^{(1)}g \tag{14.15} \]
($\because$ $\eta''$ is the sum of $\eta'$ and a multiple of $X^{(1)}$, and $X^{(1)}$ is a multiple of $b^{(1)}g$.) Note that $\eta''$ has size $\sqrt n\,X^{(1)}$ by the definition of $(\bmod X^{(1)})$, and that $Y\prod_{k=1}^{K+1}v^{(k)}$ is also small. Hence,
\[ \xi'' b^{(1)}g = \eta'' - Y\prod_{k=1}^{K+1}v^{(k)} \]
is small.
Note that $\xi''(1 + ag)$ is small and that $\bigl(h(1 + ag)^K g^{-1}\bigr)\prod_{k=1}^{K+1}v^{(k)} \pmod q$ is the decoded message, so its high order bits are what we want to obtain.
collection of $K$ pieces without intersection is called a 3-exact cover of $\{1, 2, \dots, 3K\}$. The 3-exact cover problem is that, for randomly given $N(K)$ different pieces with a hidden 3-exact cover, find it. If $N(K) = O(K)$, it is easy. If $N(K) = O(K^2)$, it is hard.
• Encryption:
\[ V^{\{i_1,i_2,i_3\}} = v^{(i_1)}v^{(i_2)}v^{(i_3)}y + \bigl(u^{(\{i_1,i_2,i_3\},1)}x^{(1)} + u^{(\{i_1,i_2,i_3\},2)}x^{(2)}\bigr) \pmod q. \tag{14.18} \]
• Decryption: If one knows EC, compute $p_{zt}\prod_{\{i_1,i_2,i_3\} \in EC}V^{(i_1,i_2,i_3)} \pmod q$. Then EKEY is its high-order bits.
as shown below. Hence, from the random $K^2$ pieces, we obtain about $(1 - e^{-1})C_3^{3K}$ different subsets of $\{1, 2, \dots, 3K\}$ which are pieces or combined pieces. There are about $e^{-1}C_3^{3K}$ left over 3-element subsets of $\{1, 2, \dots, 3K\}$ which are neither pieces nor combined pieces. Choose one $\{i_1, i_2, i_3\}$ from them. We show that
(3-2) Similarly for $\{k_1, k_2, k_3\}$.
(3-3) If $\{l_1, l_2, l_3\}$ is a piece given, count $-1$.
If $\{l_1, l_2, l_3\}$ is a combined piece, count
\[ \{l_1, l_2, l_3\} = \underbrace{\{\epsilon_1, \epsilon_2, \epsilon_3\}}_{-1} \cup \underbrace{\{\delta_1, \delta_2, \delta_3\}}_{-1} - \underbrace{\{\xi_1, \xi_2, \xi_3\}}_{+1}. \]
Remark 14.5.1. $N_{PF} - N_{NF} = K$.
Since there are about $K^2$ pieces with factors $(+1)$, there are $(1 - e^{-2})C_3^{3K} - K^2$ combined pieces with factors $(+, +, -)$, and $e^{-2}C_3^{3K}$ second-order combined pieces with factors at most $(+++++, ----)$. Hence, for a randomly chosen combined 3-exact cover, it is almost certain that $N_{PF} \le 3K$, hence $N_{NF} \le 2K$.
\[ \Bigl(\because\ 5e^{-2} + 2\cdot\Bigl(1 - e^{-2} - \frac{K^2}{C_3^{3K}}\Bigr) + 1\cdot\frac{K^2}{C_3^{3K}} \le 2 + 3e^{-2} < 3\Bigr) \]
Breaking WE
Randomly take a combined 3-exact cover $\to$ Obtain $CPF$ and $CNF$.
For a positive factor $(pf) = \{i_1, i_2, i_3\}$, denote the secret of $(pf)$ as $v^{(pf)} = v^{(i_1)}v^{(i_2)}v^{(i_3)}$, and the equivalent secret of $v^{(pf)}$ as $v'^{(pf)}$.
\[ PPF := \prod_{pf \in CPF}v'^{(pf)} \tag{14.19} \]
\[ PNF := \prod_{nf \in CNF}v'^{(nf)} \tag{14.20} \]
\[ PTS := \prod_{k=1}^{3K}v^{(k)} \tag{14.21} \]
Then
1. $\prod_{pf \in CPF}v^{(pf)} = PTS \times \prod_{nf \in CNF}v^{(nf)}$
2. $PPF - \prod_{pf \in CPF}v^{(pf)} \in \langle g\rangle$
3. $PNF - \prod_{nf \in CNF}v^{(nf)} \in \langle g\rangle$
4. $PPF - PNF \times PTS \in \langle g\rangle$
If $PTS'$ is an equivalent secret of $PTS$, then $PPF - PNF \times PTS' \in \langle g\rangle$, since $PTS' - PTS \in \langle g\rangle$. Conversely, if $PNF$ and $g$ are coprime, and if $PPF - PNF \times PTS' \in \langle g\rangle$, then $PTS'$ is an equivalent secret of $PTS$, since in this case $PNF \times (PTS' - PTS) \in \langle g\rangle$ implies $(PTS' - PTS) \in \langle g\rangle$.
Note that the Hermite normal form of
$$g = \begin{pmatrix} g_0 & g_1 & \cdots & g_{n-1} \\ -g_{n-1} & g_0 & \cdots & g_{n-2} \\ \vdots & \vdots & \ddots & \vdots \\ -g_1 & -g_2 & \cdots & g_0 \end{pmatrix}, \qquad (14.22)$$
where $G_0$ is the absolute value of $\det g$, and $G_i \pmod{G_0} = G_i$. This can be obtained by Gauss elimination once the basis of $\langle g \rangle$ is formed. Hence,
$$PPF - PNF \times PTS' \in \langle g \rangle \qquad (14.24)$$
$$\Leftrightarrow\ PPF\,G^{-1} - PTS' \times PNF \times G^{-1} \in R, \qquad (14.25)$$
where
$$PNF = \begin{pmatrix} PNF_0 & PNF_1 & \cdots & PNF_{n-1} \\ -PNF_{n-1} & PNF_0 & \cdots & PNF_{n-2} \\ \vdots & \vdots & \ddots & \vdots \\ -PNF_1 & -PNF_2 & \cdots & PNF_0 \end{pmatrix}. \qquad (14.26)$$
Let lcm be the least common multiple of all denominators of the entries of $PPF\,G^{-1}$ and $PNF \times G^{-1}$. Then
Note that there is at least one solution, namely $PTS$, which we do not know. Obtain a solution $PTS'$. Let $\eta = PTS'$, and compute $\eta' = Y\eta$. Let $\eta'' = \eta' \pmod{X^{(1)}}$, and again compute $\eta''' = y(x^{(1)})^{-1} \eta'' \pmod q$. The high-order bits of $\eta'''$ are then what we wanted.
Remark 14.5.2. We must obtain the Hermite normal form of $\langle g \rangle$ for an unknown small $g$, when $Y$, $X^{(1)}$, $X^{(2)}$ are public. First we obtain the Hermite normal forms of $\langle h(1+ag)^{K-2} b^{(1)} \rangle$ and $\langle h(1+ag)^{K-2} b^{(1)} g \rangle$ when the principal ideals $\langle Y \rangle$, $\langle X^{(1)} \rangle$, $\langle X^{(2)} \rangle$ are known. Note that if the Hermite normal form of the principal ideal $\langle g' \rangle$ is
$$\begin{pmatrix} G'_0 & & & \\ G'_1 & 1 & & \\ \vdots & & \ddots & \\ G'_{n-1} & & & 1 \end{pmatrix}$$
and $g$ is a factor of $g'$, then the Hermite normal form of $\langle g \rangle$ is
$$\begin{pmatrix} G_0 & & & \\ G'_1 \pmod{G_0} & 1 & & \\ \vdots & & \ddots & \\ G'_{n-1} \pmod{G_0} & & & 1 \end{pmatrix},$$
2. Compute $Z' = Z \bmod X^{(1)}$. Then $Z'$ is uniformly distributed over the intersection area $\langle h(1+ag)^{K-2} b^{(1)} \rangle \cap PP(X^{(1)})$. (Since $1+ag$ and $b^{(1)} g$ are coprime, multiplication (or division) by $1+ag$ preserves the uniformity over $PP(X^{(1)})$.)
Remark 14.6.1. Recently a quantum algorithm was found that can compute small generators of principal ideals in the cyclotomic ring (in particular, Soliloquy; Campbell, Groves, Shepherd [Cam14]). That is, small generators themselves of $\langle g \rangle$ are found, not only the secrets of multipartite NIKE or WE. The cryptanalysis of Hu and Jia, however, is a classical analysis.
Appendix A
for some integral matrix $T$, because it corresponds to the invariance of $I$ under multiplication by $x$. If $B$ is the HNF-basis of $L$, then the diagonal entries form a division chain
$$B_{(n,n)} \mid B_{(n-1,n-1)} \mid \cdots \mid B_{(1,1)},$$
because when the $i$th column $(0, \ldots, 0, B_{(i,i)}, *, \ldots, *)^T$ is multiplied by $x$, it becomes $(0, \ldots, 0, 0, B_{(i,i)}, *, \ldots, *)^T$, and it should be a linear combination of $B$ over the integers, i.e.,
$$(0, \ldots, 0, 0, B_{(i,i)}, *, \ldots, *)^T = Bt$$
for some integral vector $t$. Comparing both sides, especially the $(i+1)$th component, we have $B_{(i+1,i+1)} t_{i+1} = B_{(i,i)}$, showing that $B_{(i+1,i+1)} \mid B_{(i,i)}$.
When $I = \langle p, x - \alpha \rangle$, the two-element representation of $I$, where $p$ is the norm of $I$ and $\alpha$ is a root of $f(x)$ modulo $p$, the corresponding HNF representation is very simple. Since
are all in the ideal $I$ and span $I$, we obtain the HNF of the ideal lattice $L$,
$$\begin{pmatrix} p & -\alpha & -\alpha^2 & \cdots & -\alpha^{n-1} \\ 0 & & & & \\ \vdots & & & I_{n-1} & \\ 0 & & & & \end{pmatrix},$$
where all integers in the first row, and in the second column and onward, are taken modulo $p$. But it is a bad basis of the ideal lattice $I$, in general.
Appendix B
so $n := \varphi(m) = |\mathbb{Z}_m^*| = 2^k$.
Cyclotomic number fields & ring of integers. The minimal polynomial over $\mathbb{Q}$ of a primitive $m$th root of unity is called the $m$th cyclotomic polynomial, and it is denoted by $\Phi_m(x)$. Since $\Phi_m(x) \mid x^m - 1$, the coefficients of $\Phi_m(x)$ are in $\mathbb{Z}$ by Gauss's Lemma, i.e., $\Phi_m(x) \in \mathbb{Z}[x]$.
When $m = 2^{k+1}$, it is given by
$$\Phi_m(x) = x^{2^k} + 1,$$
Examples
• $m = 4$
– $\mathbb{Z}_m^* = \{1, 3\}$
– $n = 2$
– $\mathbb{Q}(\zeta_m) = \mathbb{Q}[x]/(x^2 + 1) = \mathbb{Q}(i)$
– $R = \mathbb{Z}[x]/(x^2 + 1) = \mathbb{Z}[i]$
– Power basis: $\{1, i\}$
• $m = 8$
– $\mathbb{Z}_m^* = \{1, 3, 5, 7\}$
– $n = 4$
– $\mathbb{Q}(\zeta_m) = \mathbb{Q}[x]/(x^4 + 1) = \mathbb{Q}\bigl(\tfrac{1+i}{\sqrt{2}}\bigr)$
– $R = \mathbb{Z}[x]/(x^4 + 1) = \mathbb{Z}\bigl[\tfrac{1+i}{\sqrt{2}}\bigr]$
– Power basis: $\bigl\{1, \tfrac{1+i}{\sqrt{2}}, i, \tfrac{-1+i}{\sqrt{2}}\bigr\}$
Note that $\mathbb{Q} \subseteq \mathbb{Q}(\zeta_4) \subseteq \mathbb{Q}(\zeta_8)$. This is because $\zeta_8^2$ is a 4th root of unity. (For example, $\bigl(\tfrac{1+i}{\sqrt{2}}\bigr)^2 = i$.) More generally, if $m' \mid m$, then $\zeta_m^{m/m'}$ is an $m'$th root of unity, so $\mathbb{Q}(\zeta_{m'}) \subseteq \mathbb{Q}(\zeta_m)$. If $m = \prod_\ell m_\ell$ is a prime power factorization, i.e., the $m_\ell$ are powers of distinct primes, then $\mathbb{Q}(\zeta_{m_\ell}) \subseteq \mathbb{Q}(\zeta_m)$, and there is an isomorphism
$$\bigotimes_\ell \mathbb{Q}(\zeta_{m_\ell}) \xrightarrow{\ \sim\ } \mathbb{Q}(\zeta_m)$$
such that $\bigotimes_\ell a_\ell \mapsto \prod_\ell a_\ell$. For example, $72 = 2^3 3^2$, so $\mathbb{Q}(\zeta_{2^3}) \otimes \mathbb{Q}(\zeta_{3^2}) \xrightarrow{\ \sim\ } \mathbb{Q}(\zeta_{72})$ via $a \otimes b \mapsto ab$. The inclusion $\mathbb{Z}[\zeta_{m_\ell}] \hookrightarrow \mathbb{Q}(\zeta_{m_\ell})$ induces an injective ring homomorphism
$$\bigotimes_\ell \mathbb{Z}[\zeta_{m_\ell}] \hookrightarrow \bigotimes_\ell \mathbb{Q}(\zeta_{m_\ell}),$$
which can be shown to be integral. Hence, $\bigotimes_\ell \mathbb{Z}[\zeta_{m_\ell}] \xrightarrow{\ \sim\ } \mathbb{Z}[\zeta_m]$.
$H \subseteq \mathbb{C}^{\mathbb{Z}_m^*}$ is a real subspace of dimension $n$. In fact, the $\mathbb{C}$-inner product on $\mathbb{C}^{\mathbb{Z}_m^*}$ induces an $\mathbb{R}$-inner product on $H$, and there is an $\mathbb{R}$-inner product space isomorphism $\mathbb{R}^n \xrightarrow{\ \sim\ } H$ via the $n$-by-$n$ unitary matrix
$$U = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & & & & & i \\ & \ddots & & & \iddots & \\ & & 1 & i & & \\ & & 1 & & & -i \\ & \iddots & & & \ddots & \\ 1 & & & -i & & \end{pmatrix}.$$
Examples
• $m = 4$: $H = \{(a + ib, a - ib) \in \mathbb{C}^{\{1,3\}} \mid a, b \in \mathbb{R}\} \simeq \mathbb{R}^2$ via
$$U = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & i \\ 1 & -i \end{pmatrix}.$$
$$\mathbb{Q}[x] \to \mathbb{C}$$
such that $x \mapsto \omega_m^i$. The kernel is generated by the minimal polynomial of $\omega_m$, which is $\Phi_m(x)$. Hence, there is an injective $\mathbb{Q}$-algebra homomorphism $\mathbb{Q}[x]/\Phi_m(x) \hookrightarrow \mathbb{C}$ such that $\bar{x} \mapsto \omega_m^i$, i.e.,
$$\sigma_i : \mathbb{Q}(\zeta_m) \hookrightarrow \mathbb{C}$$
such that $\zeta_m \mapsto \omega_m^i$. The $\sigma_i$ are none other than the $n$ Galois automorphisms of $\mathbb{Q}(\zeta_m)$ fixing $\mathbb{Q}$. In particular, they are independent, up to a permutation, of the choices of $\zeta_m$ and $\omega_m$. Since $R = \mathbb{Z}[\zeta_m]$, $\sigma_i$ is also an automorphism of $R$ fixing $\mathbb{Z}$.
The canonical embedding is the function
$$\sigma : \mathbb{Q}(\zeta_m) \to \mathbb{C}^{\mathbb{Z}_m^*}, \qquad a \mapsto (\sigma_i(a))_{i \in \mathbb{Z}_m^*}.$$
It is an injective $\mathbb{Q}$-algebra homomorphism. Since $\omega_m^{m-i} = \overline{\omega_m^i}$, the image of $\sigma$ lies in $H$.
Hence, the columns of the matrix $(\sigma_i(x_j))$ are linearly dependent over $\mathbb{Q}$, so $\det \sigma_i(x_j) = 0$.
Note the following:
• If $x_0, \ldots, x_{n-1}, y_0, \ldots, y_{n-1} \in \mathbb{Q}(\zeta_m)$ and $y_j = \sum_k M_{jk} x_k$, where $M_{jk} \in \mathbb{Q}$, then $\det \sigma_i(y_j) = (\det M)(\det \sigma_i(x_j))$.
Examples
• $m = 4$:
$$S = \begin{pmatrix} \sigma_1(1) & \sigma_1(\zeta_4) \\ \sigma_3(1) & \sigma_3(\zeta_4) \end{pmatrix} = \begin{pmatrix} 1 & i \\ 1 & -i \end{pmatrix}$$
$\det S = -2i$, so $\det \sigma(R) = |-2i| = 2$.
• $m = 8$:
$$S = \begin{pmatrix} \sigma_1(1) & \sigma_1(\zeta_8) & \sigma_1(\zeta_8^2) & \sigma_1(\zeta_8^3) \\ \sigma_3(1) & \sigma_3(\zeta_8) & \sigma_3(\zeta_8^2) & \sigma_3(\zeta_8^3) \\ \sigma_5(1) & \sigma_5(\zeta_8) & \sigma_5(\zeta_8^2) & \sigma_5(\zeta_8^3) \\ \sigma_7(1) & \sigma_7(\zeta_8) & \sigma_7(\zeta_8^2) & \sigma_7(\zeta_8^3) \end{pmatrix} = \begin{pmatrix} 1 & \zeta_8 & \zeta_8^2 & \zeta_8^3 \\ 1 & \zeta_8^3 & -\zeta_8^2 & \zeta_8 \\ 1 & -\zeta_8 & \zeta_8^2 & -\zeta_8^3 \\ 1 & -\zeta_8^3 & -\zeta_8^2 & -\zeta_8 \end{pmatrix}$$
$\det S = -16$, so $\det \sigma(R) = |-16| = 16$.
Trace and norm. For $a \in \mathbb{Q}(\zeta_m)$, define
$$\mathrm{Tr}(a) := \sum_{i \in \mathbb{Z}_m^*} \sigma_i(a), \qquad \mathrm{N}(a) := \prod_{i \in \mathbb{Z}_m^*} \sigma_i(a).$$
Being separable, $a_0, \ldots, a_{d-1} \in \mathbb{Q}(\zeta_m)$ are distinct, and there are exactly $d$ embeddings of $\mathbb{Q}(a)$ into $\mathbb{Q}(\zeta_m)$ fixing $\mathbb{Q}$ (corresponding to $a \mapsto a_i$), each of which extends to exactly $n/d$ automorphisms ($\mathbb{Q} \subseteq \mathbb{Q}(\zeta_m)$ being normal) of $\mathbb{Q}(\zeta_m)$ fixing $\mathbb{Q}$. It follows that
$$\sum_{i \in \mathbb{Z}_m^*} \sigma_i(a) = \frac{n}{d} \sum_i a_i, \qquad \prod_{i \in \mathbb{Z}_m^*} \sigma_i(a) = \Bigl( \prod_i a_i \Bigr)^{n/d}.$$
Corollary B.2.2. i. If $a \in \mathbb{Q}(\zeta_m)$, then $\mathrm{Tr}(a) \in \mathbb{Q}$ and $\mathrm{N}(a) \in \mathbb{Q}$.
$\mathrm{Tr}(a), \mathrm{N}(a) \in R \cap \mathbb{Q} = \mathbb{Z}$,
Proof. Any $\mathbb{Z}$-basis of $R$ is a $\mathbb{Q}$-basis of $\mathbb{Q}(\zeta_m)$, and with respect to this basis, the multiplication maps $\mathbb{Q}(\zeta_m) \xrightarrow{\ r\ } \mathbb{Q}(\zeta_m)$ and $\varphi : R \xrightarrow{\ r\ } R$ are represented by the same matrix $A$ with integer entries. Now $r$ is a unit in $R$ if and only if $\varphi$ is an isomorphism if and only if $\det A \in \mathbb{Z}$ is a unit, i.e., $\det A = \pm 1$. Since $\det A = \mathrm{N}(r)$, the result follows.
Proposition B.2.4. If $x_0, \ldots, x_{n-1} \in \mathbb{Q}(\zeta_m)$, then $\det \mathrm{Tr}(x_i x_j) = (\det \sigma_i(x_j))^2$.
Proof.
$$\mathrm{Tr}(x_i x_j) = \sum_{k \in \mathbb{Z}_m^*} \sigma_k(x_i x_j) = \sum_{k \in \mathbb{Z}_m^*} \sigma_k(x_i) \sigma_k(x_j) = (A^T A)_{ij},$$
where $A$ is the matrix $(\sigma_i(x_j))$. Hence, $\det \mathrm{Tr}(x_i x_j) = (\det A)^2$.
Remark B.2.5. Note that if $x_0, \ldots, x_{n-1}, y_0, \ldots, y_{n-1} \in \mathbb{Q}(\zeta_m)$ and $y_j = \sum_k M_{jk} x_k$, where $M_{jk} \in \mathbb{Q}$, then
$$\det \mathrm{Tr}(y_i y_j) = (\det M)^2 \det \mathrm{Tr}(x_i x_j).$$
Examples
• $m = 4$: If $\omega_4 = i$, then
$$\sigma : \mathbb{Q}(\zeta_4) \to \mathbb{C}^{\{1,3\}}, \qquad q_0 + q_1 \zeta_4 \mapsto (q_0 + i q_1,\ q_0 - i q_1),$$
where $q_0, q_1 \in \mathbb{Q}$. Hence,
$$\mathrm{Tr}(q_0 + q_1 \zeta_4) = 2 q_0 \in \mathbb{Q}, \qquad \mathrm{N}(q_0 + q_1 \zeta_4) = q_0^2 + q_1^2 \in \mathbb{Q}.$$
Since $\zeta_4^2 = -1$,
Note that
$$\mathrm{Tr}\, A = 2 q_0 = \mathrm{Tr}(q_0 + q_1 \zeta_4), \qquad \det A = q_0^2 + q_1^2 = \mathrm{N}(q_0 + q_1 \zeta_4).$$
• $m = 8$: If $\omega_8 = \tfrac{1+i}{\sqrt{2}}$, then
$$\sigma : \mathbb{Q}(\zeta_8) \to \mathbb{C}^{\{1,3,5,7\}},$$
$$q_0 + q_1 \zeta_8 + q_2 \zeta_8^2 + q_3 \zeta_8^3 \mapsto \bigl( q_0 + q_1 \zeta_8 + q_2 \zeta_8^2 + q_3 \zeta_8^3,\ q_0 + q_3 \zeta_8 - q_2 \zeta_8^2 + q_1 \zeta_8^3,\ q_0 - q_1 \zeta_8 + q_2 \zeta_8^2 - q_3 \zeta_8^3,\ q_0 - q_3 \zeta_8 - q_2 \zeta_8^2 - q_1 \zeta_8^3 \bigr),$$
where $q_0, q_1, q_2, q_3 \in \mathbb{Q}$. Hence,
It is easy to see that in terms of the basis $1, \zeta_8, \zeta_8^2, \zeta_8^3$, the multiplication map
$$\mathbb{Q}(\zeta_8) \xrightarrow{\ q_0 + q_1 \zeta_8 + q_2 \zeta_8^2 + q_3 \zeta_8^3\ } \mathbb{Q}(\zeta_8)$$
Note that
$$\mathrm{Tr}\, A = 4 q_0 = \mathrm{Tr}(q_0 + q_1 \zeta_8 + q_2 \zeta_8^2 + q_3 \zeta_8^3).$$
One can also verify that
B.3 Discriminant
The discriminant of $\mathbb{Q}(\zeta_m)$ is defined by
$$\Delta_{\mathbb{Q}(\zeta_m)} := (\det \sigma(R))^2.$$
Hence, if $b_0, \ldots, b_{n-1} \in R$ is any integral basis, then
$$\Delta_{\mathbb{Q}(\zeta_m)} = |\det \sigma_i(b_j)|^2 = |\det \mathrm{Tr}(b_i b_j)|.$$
In particular,
$$\Delta_{\mathbb{Q}(\zeta_m)} = |\det S|^2.$$
Since $(\det S)^2 \in \mathbb{Z}$ (Corollary B.2.7), $\Delta_{\mathbb{Q}(\zeta_m)}$ is a positive integer.
If $x_0, \ldots, x_{n-1} \in \mathbb{Q}(\zeta_m)$, then $x_j = \sum_i M_{ji} b_i$ for some $M_{ji} \in \mathbb{Q}$, so (see Remark B.2.5)
$$|\det \mathrm{Tr}(x_i x_j)| = (\det M)^2 \Delta_{\mathbb{Q}(\zeta_m)}. \qquad (B.3)$$
Relationship with polynomial discriminant. Since $S = (\sigma_i(\zeta_m^j))$ is a Vandermonde matrix,
$$\det S = \prod_{i<j} (\sigma_i(\zeta_m) - \sigma_j(\zeta_m)) = \prod_{i<j} (\omega_m^i - \omega_m^j).$$
Hence, in terms of $\Delta_{\Phi_m} := \prod_{i<j} (\omega_m^i - \omega_m^j)^2$, we have
$$\Delta_{\mathbb{Q}(\zeta_m)} = |\Delta_{\Phi_m}|.$$
Examples
• $m = 4$: We know that $\det S = -2i$, so $\Delta_{\mathbb{Q}(\zeta_m)} = |\det S|^2 = 4$. On the other hand,
$$\mathrm{Tr}(\zeta_4^i \zeta_4^j) = \begin{pmatrix} \mathrm{Tr}(\zeta_4^0 \zeta_4^0) & \mathrm{Tr}(\zeta_4^0 \zeta_4^1) \\ \mathrm{Tr}(\zeta_4^1 \zeta_4^0) & \mathrm{Tr}(\zeta_4^1 \zeta_4^1) \end{pmatrix} = \begin{pmatrix} \mathrm{Tr}(1) & \mathrm{Tr}(i) \\ \mathrm{Tr}(i) & \mathrm{Tr}(-1) \end{pmatrix} = \begin{pmatrix} 1+1 & i-i \\ i-i & -1-1 \end{pmatrix} = \begin{pmatrix} 2 & 0 \\ 0 & -2 \end{pmatrix},$$
so
$$\Delta_{\mathbb{Q}(\zeta_m)} = |\det \mathrm{Tr}(\zeta_4^i \zeta_4^j)| = |-4| = 4.$$
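As an added example (not code from the note or from the papers it follows), the following Python block checks the $m = 4$ and $m = 8$ computations of B.1–B.3 numerically: the canonical embedding $\sigma$, the trace and norm, the multiplication matrix $A$ with $\mathrm{Tr}\,A = \mathrm{Tr}(a)$ and $\det A = \mathrm{N}(a)$, and the discriminant obtained both as $|\det S|^2$ and as $|\det \mathrm{Tr}(\zeta^i \zeta^j)|$. Its assumptions are ours: $m$ is a power of two (so $n = m/2$ and $\zeta^n = -1$), elements of $R$ are integer coefficient vectors over the power basis $1, \zeta, \ldots, \zeta^{n-1}$, and the function names are invented for this example.

```python
# Added example (not the note's own code): the canonical embedding, trace, norm and
# discriminant of Appendix B, evaluated numerically for the m = 4 and m = 8 examples.
# Elements of R = Z[zeta_m] are integer coefficient vectors over the power basis
# 1, zeta, ..., zeta^(n-1), with n = phi(m) = m/2 because m is a power of two.
import cmath
from fractions import Fraction
from math import gcd

def units_mod(m):
    """Z_m^* in increasing order; its size is n = phi(m)."""
    return [i for i in range(1, m) if gcd(i, m) == 1]

def omega(m):
    """omega_m = exp(2 pi i / m), the concrete root of unity that sigma_1 sends zeta to."""
    return cmath.exp(2j * cmath.pi / m)

def embed(a, m):
    """Canonical embedding sigma(a) = (sigma_i(a))_{i in Z_m^*}, with sigma_i(zeta) = omega^i."""
    w = omega(m)
    return [sum(c * w ** (i * j) for j, c in enumerate(a)) for i in units_mod(m)]

def trace(a, m):
    """Tr(a) = sum_i sigma_i(a); an integer for a in R, so the float is rounded."""
    return round(sum(embed(a, m)).real)

def norm(a, m):
    """N(a) = prod_i sigma_i(a); likewise an integer for a in R."""
    p = 1
    for s in embed(a, m):
        p *= s
    return round(p.real)

def mul_matrix(a):
    """Matrix of multiplication by a on the power basis of Z[x]/(x^n + 1): row j is the
    coefficient vector of x^j a (the transpose of the note's A; same trace and determinant)."""
    rows, cur = [], list(a)
    for _ in range(len(a)):
        rows.append(cur)
        cur = [-cur[-1]] + cur[:-1]        # multiply by x, reducing with x^n = -1
    return rows

def det(M):
    """Determinant by Gaussian elimination with partial pivoting; entries may be
    Fraction (exact integer matrices) or complex (the Vandermonde matrix S)."""
    M = [list(r) for r in M]
    n, d = len(M), 1
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(M[r][i]))
        if M[p][i] == 0:
            return 0
        if p != i:
            M[i], M[p] = M[p], M[i]
            d = -d
        d *= M[i][i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [x - f * y for x, y in zip(M[r], M[i])]
    return d

def det_int(M):
    """Exact determinant of an integer matrix."""
    return det([[Fraction(x) for x in row] for row in M])

def discriminant_from_S(m):
    """Delta = |det S|^2 with S = (sigma_i(zeta^j)), the Vandermonde matrix of B.3."""
    n, w = len(units_mod(m)), omega(m)
    S = [[w ** (i * j) for j in range(n)] for i in units_mod(m)]
    return round(abs(det(S)) ** 2)

def discriminant_from_trace(m):
    """Delta = |det Tr(zeta^i zeta^j)|, the Gram-matrix form of B.3 (zeta^n = -1)."""
    n = len(units_mod(m))
    def power(k):                          # coefficient vector of zeta^k
        v = [0] * n
        v[k % n] = (-1) ** (k // n)
        return v
    G = [[trace(power(i + j), m) for j in range(n)] for i in range(n)]
    return abs(det_int(G))

if __name__ == "__main__":
    a = [3, 5]                             # constructed sample: 3 + 5 zeta_4 = 3 + 5i
    A = mul_matrix(a)
    print(trace(a, 4), norm(a, 4))         # 2 q0 = 6 and q0^2 + q1^2 = 34
    print(sum(A[i][i] for i in range(2)) == trace(a, 4), det_int(A) == norm(a, 4))
    print(discriminant_from_S(4), discriminant_from_trace(4))    # both 4
    print(discriminant_from_S(8), discriminant_from_trace(8))    # both 256 = 16^2
    print(norm([1, 1, 0, 0], 8))           # N(1 + zeta_8) = Phi_8(-1) = 2
```

The two discriminant routines agree because $\mathrm{Tr}(\zeta^i\zeta^j) = (S^T S)_{ij}$ (Proposition B.2.4), and `det_int(mul_matrix(a)) == norm(a, m)` is the identity $\det A = \mathrm{N}(a)$ used in the proof of Corollary B.2.2; for $m = 8$ the value $|\det S|^2 = 256$ matches $\det S = -16$ from the example above.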
B.4 Ideals
If $I \subseteq R$ is an ideal, define $\mathrm{N}(I) := |R/I|$. Note that $\mathrm{N}(I) \ge 1$, where equality holds if and only if $I = R$.
Proof. Let $I \subseteq R$ be a nonzero ideal. Then there exists a nonzero element $a \in I$, and
$$\mathrm{N}(a) = a \prod_{\substack{i \in \mathbb{Z}_m^*, \\ \omega_m^i \ne \zeta_m}} \sigma_i(a) \ne 0.$$
Since $a \in R$, $\sigma_i(a) \in R$ for all $i \in \mathbb{Z}_m^*$, so $\prod_{\zeta_m \ne \omega_m^i} \sigma_i(a) \in R$. Since $a \in I$, it follows that
Remark B.4.2. It follows that $\mathrm{N}(I)$ is a positive integer for every nonzero ideal $I \subseteq R$.
Proof. Let $\mathrm{N}(I) = k \in \mathbb{Z}$. Since $|R/I| = k$, for $\bar{1} \in R/I$, we must have $k \cdot \bar{1} = 0 \in R/I$, i.e., $k \in I$.
$$\mathrm{N}(I) = |\det M|.$$
Proof. There exists an integral basis $b'_0, \ldots, b'_{n-1} \in R$ such that $k_0 b'_0, \ldots, k_{n-1} b'_{n-1}$ is a $\mathbb{Z}$-basis of $I$ for some $k_0, \ldots, k_{n-1} \in \mathbb{Z}$. Then clearly $\mathrm{N}(I) = |k_0 \cdots k_{n-1}|$, so $\mathrm{N}(I) = |\det M'|$, where $M'$ is the $n$-by-$n$ diagonal matrix with diagonal entries $k_0, \ldots, k_{n-1}$, so that $k_j b'_j = \sum_i M'_{ji} b'_i$. More generally, a change of bases corresponds to $M \mapsto U M' V$ for some unimodular matrices $U$ and $V$, so $|\det M'|$ remains unchanged.
Hence,
$$(\det \sigma(I))^2 = |\det \sigma_i(c_j)|^2 = |\det \mathrm{Tr}(c_i c_j)| = \mathrm{N}(I)^2 \Delta_{\mathbb{Q}(\zeta_m)}.$$
$$|\det \sigma_i(r b_j)|^2 = \mathrm{N}(r)^2 |\det \sigma_i(b_j)|^2 = \mathrm{N}(r)^2 \Delta_{\mathbb{Q}(\zeta_m)}. \qquad (B.5)$$
Proof. Since $R$ is a Dedekind domain, $PI$ and $I$ are distinct ideals, and there is no ideal between $PI$ and $I$. Hence, $I/PI$ is an $R/P$-module with no intermediate submodule, so it is generated by a single nonzero element. Since $P \subseteq R$ is a maximal ideal, this means that $I/PI \simeq R/P$.
$\mathrm{N}(J) = 1 \cdot \mathrm{N}(J)$, which is obviously true. So we may assume that $I \ne R$, and it suffices to show that $\mathrm{N}(PJ) = \mathrm{N}(P)\,\mathrm{N}(J)$ for every nonzero prime ideal $P \subseteq R$.
From the ring isomorphism
$$\frac{R/PJ}{J/PJ} \simeq R/J,$$
we have $|R/PJ| = |J/PJ| \cdot |R/J|$, i.e., $\mathrm{N}(PJ) = |J/PJ| \cdot \mathrm{N}(J)$. (Note that all three quantities are finite by Proposition B.4.1.) By Lemma B.4.12, $|J/PJ| = |R/P| = \mathrm{N}(P)$, so $\mathrm{N}(PJ) = \mathrm{N}(P)\,\mathrm{N}(J)$, as desired.
$$\frac{R/IJ}{I/IJ} \simeq R/I,$$
we have $|R/IJ| = |R/I| \cdot |I/IJ|$, i.e., $\mathrm{N}(IJ) = \mathrm{N}(I) \cdot |I/IJ|$. On the other hand, $\mathrm{N}(IJ) = \mathrm{N}(I)\,\mathrm{N}(J)$ by Proposition B.4.13. Since all quantities here are finite and $\mathrm{N}(I) \ne 0$, we have $|I/IJ| = \mathrm{N}(J)$.
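Three passages of this note lean on the same computation, the Hermite normal form of an ideal lattice: the membership test (14.24)–(14.25) (is a ring element in $\langle g \rangle$, decided by multiplying by $G^{-1}$ and checking integrality), Appendix A (the division chain down the HNF diagonal and the simple HNF of $\langle p, x - \alpha \rangle$), and the multiplicativity $\mathrm{N}(IJ) = \mathrm{N}(I)\,\mathrm{N}(J)$ just proved, where $\mathrm{N}(I) = |\det M|$ is the product of the HNF diagonal. The Python block below is an added example serving all three; it is not code from the note or from the papers it follows. It fixes the ring $R = \mathbb{Z}[x]/(x^4 + 1)$ (the $m = 8$ ring of Appendix B) and two constructed sample ideals, $\langle 1 + x \rangle$ of norm 2 and $\langle 17, x - 2 \rangle$ of norm 17 (chosen because $2^4 = 16 \equiv -1 \pmod{17}$, so $\alpha = 2$ is a root of $x^4 + 1$ modulo 17). Lattice vectors are coefficient rows over the power basis; the HNF is written in the lower-triangular shape the note uses for $G_0, G'_1 \pmod{G_0}, \ldots$, which is the transpose of Appendix A's matrix. All function names are invented for this example.

```python
# Added example (not the note's own code): ideal lattices of R = Z[x]/(x^4 + 1),
# the m = 8 ring of Appendix B, as integer row vectors over the power basis
# 1, x, x^2, x^3. The sample ideals below are constructed for illustration.
from math import prod

def mul_x(v):
    """Multiply the coefficient vector v by x in Z[x]/(x^n + 1), using x^n = -1."""
    return [-v[-1]] + v[:-1]

def poly_mul(a, b):
    """Product of coefficient vectors a and b in Z[x]/(x^n + 1)."""
    n, out = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj     # x^(n+k) = -x^k
    return out

def rotation_basis(g):
    """Rows g, xg, ..., x^(n-1) g: a Z-basis of <g> (the rotation matrix of g, as in (14.22))."""
    rows, cur = [], list(g)
    for _ in range(len(g)):
        rows.append(cur)
        cur = mul_x(cur)
    return rows

def two_element_ideal(p, alpha, n):
    """Z-generators of I = <p, x - alpha>: every x^k p and every x^k (x - alpha)."""
    return rotation_basis([p] + [0] * (n - 1)) + rotation_basis([-alpha, 1] + [0] * (n - 2))

def hnf(gens):
    """Hermite normal form of the full-rank lattice spanned by the rows `gens`, in the
    lower-triangular shape the note uses: row i has pivot H[i][i] > 0 in column i and
    zeros to its right; entries of column i in the rows below are reduced mod H[i][i]."""
    A = [list(r) for r in gens]
    n = len(A[0])
    H = [None] * n
    for col in range(n - 1, -1, -1):
        while True:                           # Euclid on column `col`
            nz = [r for r in A if r[col] != 0]
            if len(nz) <= 1:
                break
            piv = min(nz, key=lambda r: abs(r[col]))
            for r in nz:
                if r is not piv:
                    q = r[col] // piv[col]
                    r[:] = [a - q * b for a, b in zip(r, piv)]
        piv = nz[0]                           # the column gcd, now the only nonzero entry
        A.remove(piv)
        if piv[col] < 0:
            piv = [-a for a in piv]
        for j in range(col + 1, n):           # reduce the finished rows below the pivot
            q = H[j][col] // piv[col]
            H[j] = [a - q * b for a, b in zip(H[j], piv)]
        H[col] = piv
    return H

def in_lattice(H, v):
    """Membership test behind (14.24)-(14.25): back-substitute v = t H through the
    triangular H (what multiplying by G^{-1} does) and check that every t_i is an integer."""
    v = list(v)
    for i in range(len(H) - 1, -1, -1):
        if v[i] % H[i][i]:
            return False
        t = v[i] // H[i][i]
        v = [a - t * b for a, b in zip(v, H[i])]
    return True

def ideal_norm(H):
    """N(I) = |R/I| = |det H|, the product of the HNF diagonal (Section B.4)."""
    return prod(H[i][i] for i in range(len(H)))

def division_chain_holds(H):
    """Appendix A: each diagonal entry divides the one above it, B(n,n) | ... | B(1,1)."""
    return all(H[i][i] % H[i + 1][i + 1] == 0 for i in range(len(H) - 1))

def page_form(p, alpha, n):
    """Appendix A's HNF of <p, x - alpha> in our row convention: p, then x^j - alpha^j mod p."""
    rows = [[p] + [0] * (n - 1)]
    for j in range(1, n):
        r = [0] * n
        r[0], r[j] = (-alpha ** j) % p, 1
        rows.append(r)
    return rows

def ideal_product(gens_i, gens_j):
    """Z-generators of IJ: all pairwise products of generators of I and J."""
    return [poly_mul(a, b) for a in gens_i for b in gens_j]

if __name__ == "__main__":
    I = hnf(rotation_basis([1, 1, 0, 0]))         # <1 + x>, a prime ideal of norm 2
    J = hnf(two_element_ideal(17, 2, 4))          # <17, x - 2>, norm 17
    print(I, ideal_norm(I), division_chain_holds(I))
    print(J == page_form(17, 2, 4), ideal_norm(J))
    print(in_lattice(I, [0, 1, 1, 0]), in_lattice(I, [2, 1, 0, 0]))   # x(1 + x) yes, 2 + x no
    IJ = hnf(ideal_product(rotation_basis([1, 1, 0, 0]), two_element_ideal(17, 2, 4)))
    print(ideal_norm(IJ) == ideal_norm(I) * ideal_norm(J))             # N(IJ) = N(I) N(J)
```

For $\langle 1 + x \rangle$ the HNF comes out as the rows $(2,0,0,0), (1,1,0,0), (1,0,1,0), (1,0,0,1)$, exactly the $G_0, G'_j \pmod{G_0}$ shape of Remark 14.5.2 (it records $x^j \equiv -1$ modulo the ideal), and the diagonal $2, 1, 1, 1$ satisfies the division chain. For $\langle 17, x - 2 \rangle$ the computed HNF equals `page_form(17, 2, 4)`, i.e. Appendix A's matrix transposed, with $\det = 17 = \mathrm{N}(I)$. Because the HNF is canonical, `hnf(ideal_product(...))` gives the norm of $IJ$ directly, and $34 = 2 \cdot 17$ is Proposition B.4.13 in the concrete case.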
where $d \in R$ is a nonzero element such that $dI \subseteq R$. This is well-defined: if $e \in R$ is another nonzero element such that $eI \subseteq R$, then by Proposition B.4.10 and Proposition B.4.13,
$$|\mathrm{N}(e)|\,\mathrm{N}(dI) = \mathrm{N}(\langle e \rangle)\,\mathrm{N}(dI) = \mathrm{N}(edI) = \mathrm{N}(deI) = \mathrm{N}(\langle d \rangle)\,\mathrm{N}(eI) = |\mathrm{N}(d)|\,\mathrm{N}(eI).$$
For nonzero integral ideals, this definition of norm agrees with the earlier definition of norm. Note that the norm of a nonzero fractional ideal is a positive rational number.
• Let $i_1, i_2 \in I$. Since $dI$ is an abelian group, $d i_1 + d i_2 \in dI$, i.e., $d(i_1 + i_2) \in dI$. Since $d \ne 0$, this implies that $i_1 + i_2 \in I$.
• Let $i \in I$ and $r \in R$. Since $dI \subseteq R$ is an ideal, $r d i \in dI$, i.e., $d(ri) \in dI$. Since $d \ne 0$, this implies that $ri \in I$.
Proof. Since $\mathbb{Q}(\zeta_m)$ is the field of fractions of $R$, $dx \in R$ for some nonzero $d \in R$. Then $d\langle x \rangle \subseteq R$, so
Proposition B.4.18. If $I, J \subseteq \mathbb{Q}(\zeta_m)$ are fractional ideals, then $\mathrm{N}(IJ) = \mathrm{N}(I)\,\mathrm{N}(J)$.
Proposition B.4.19. If $I \subseteq \mathbb{Q}(\zeta_m)$ is a nonzero fractional ideal, then
$$\det \sigma(dI) = |\det \sigma_i(d b_j)| = |\mathrm{N}(d)| \cdot |\det \sigma_i(b_j)| = |\mathrm{N}(d)| \det \sigma(I).$$
Acknowledgments
This research was supported by Fusion Technology R&D Center of SK Telecom and
UNIST.
Bibliography
[Bab85] L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6(1):1–13, 1986. Preliminary version in STACS 1985.
[GPV08] C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197–206, 2008.
[LPR10] V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. J. ACM, 2013. To appear. Preliminary version in Eurocrypt 2010.
[LPR13] V. Lyubashevsky, C. Peikert, and O. Regev. A toolkit for ring-LWE cryptography. In EUROCRYPT, pages 35–54, 2013.
[LSS14] A. Langlois, D. Stehlé, and R. Steinfeld. GGHLite: More efficient multilinear maps from ideal lattices. In EUROCRYPT, pages 239–256, 2014.
[MP12] D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT, pages 700–718, 2012.
[P13] C. Peikert. Tutorials from crypt@b-it 2013 summer school at Bonn University. http://www.cc.gatech.edu/~cpeikert, 2013.
[Reg05] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):1–40, 2009. Preliminary version in STOC 2005.
[Sma09] N. P. Smart and F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes, 2009. https://eprint.iacr.org/2009/571