a590003

• Preimage sampling for f G (x) = Gx mod q with Gaussian parameter s ≥ ‖˜S‖ · ω( √ log n) can
be performed in quasilinear O(n · log c n) time, or parallel polylogarithmic O(log c n) time using n
processors. When q = 2 k , the polylogarithmic term is essentially just the cost of k additions and shifts
on k-bit integers, plus the (offline) generation of about m random integers drawn from D Z,s .
More generally, for any integer b ≥ 2, all of the above statements hold with k = ⌈log b q⌉, ‖˜S‖ ≤ √ b 2 + 1,
and ‖S‖ ≤ max{ √ b 2 + 1, (b − 1) √ k}; and when q = b k , we have ˜S = bI and ‖S‖ = √ b 2 + 1.
The rest of this section is dedicated to the proof of Theorem 4.1. In the process, we also make several
important observations regarding the implementation of the inversion and sampling algorithms associated
with G, showing that our algorithms are not just asymptotically fast, but also quite practical.
Let q ≥ 2 be an integer modulus and k ≥ 1 be an integer dimension. Our construction starts with a
primitive vector g ∈ Z k q , i.e., a vector such that gcd(g 1 , . . . , g k , q) = 1. The vector g defines a k-dimensional
lattice Λ ⊥ (g t ) ⊂ Z k having determinant |Z k /Λ ⊥ (g t )| = q, because the residue classes of Z k /Λ ⊥ (g t ) are
in bijective correspondence with the possible values of 〈g, x〉 mod q for x ∈ Z k , which cover all of Z q
since g is primitive. Concrete primitive vectors g will be described in the next subsections. Notice that
when q = poly(n), we have k = O(log q) = O(log n) and so Λ ⊥ (g t ) is a very low-dimensional lattice. Let
S k ∈ Z k×k be a basis of Λ ⊥ (g t ), that is, g t · S k = 0 ∈ Z 1×k
q and |det(S k )| = q.
The primitive vector g and associated basis S k are used to define the parity-check matrix G and basis
S ∈ Z q as G := I n ⊗ g t ∈ Z n×nk
q and S := I n ⊗ S k ∈ Z nk×nk . That is,
⎡
· · · g t ⎤
⎡
⎤
· · ·
S k · · · g t · · ·
G := ⎢
⎣
. ..
⎥
⎦ ∈ S k Zn×nk q , S := ⎢
⎣
. ..
⎥
⎦ ∈ Znk×nk .
· · · g t · · ·
S k
Equivalently, G, Λ ⊥ (G), and S are the direct sums of n copies of g t , Λ ⊥ (g t ), and S k , respectively. It follows
that G is a primitive matrix, the lattice Λ ⊥ (G) ⊂ Z nk has determinant q n , and S is a basis for this lattice. It
also follows (and is clear by inspection) that ‖S‖ = ‖S k ‖ and ‖˜S‖ = ‖˜S k ‖.
By this direct sum construction, it is immediate that inverting g G (s, e) and sampling preimages of
f G (x) can be accomplished by performing the same operations n times in parallel for g g t and f g t on the
corresponding portions of the input, and concatenating the results. For preimage sampling, if each of the f g t
preimages has Gaussian parameter √ Σ, then by independence, their concatenation has parameter I n ⊗ √ Σ.
Likewise, inverting g G will succeed whenever all the n independent g g t-inversion subproblems are solved
correctly.
In the next two subsections we study concrete instantiations of the primitive vector g, and give optimized
algorithms for inverting g g t and sampling preimages for f g t. In both subsections, we consider primitive
lattices Λ ⊥ (g t ) ⊂ Z k defined by the vector
g t := [ 1 2 4 · · · 2 k−1] ∈ Z 1×k
q , k = ⌈log 2 q⌉, (4.1)
whose entries form a geometrically increasing sequence. (We focus on powers of 2, but all our results
trivially extend to other integer powers, or even mixed-integer products.) The only difference between
the two subsections is in the form of the modulus q. We first study the case when the modulus q = 2 k
is a power of 2, which leads to especially simple and fast algorithms. Then we discuss how the results
can be generalized to arbitrary moduli q. Notice that in both cases, the syndrome 〈g, x〉 ∈ Z q of a binary
17
4. Trapdoors for Lattices