a590003

vector x = (x 0 , . . . , x k−1 ) ∈ {0, 1} k is just the positive integer with binary expansion x. In general, for
arbitrary x ∈ Z k the syndrome 〈g, x〉 ∈ Z q can be computed very efficiently by a sequence of k additions
and binary shifts, and a single reduction modulo q, which is also trivial when q = 2 k is a power of 2. The
syndrome computation is also easily parallelizable, leading to O(log k) = O(log log n) computation time
using O(k) = O(log n) processors.
4.1 Power-of-Two Modulus
Let q = 2 k be a power of 2, and let g be the geometric vector defined in Equation (4.1). Define the matrix
⎡
⎤
2
−1 2
S k :=
⎢ −1 . . . ∈ Z k×k .
⎥
⎣
2 ⎦
−1 2
This is a basis for Λ ⊥ (g t ), because g t · S k = 0 mod q and det(S k ) = 2 k = q. Clearly, all the basis vectors
are short. Moreover, by orthogonalizing S k in reverse order, we have ˜S k = 2 · I k . This construction is
summarized in the following proposition. (It generalizes in the obvious way to any integer base, not just 2.)
Proposition 4.2. For q = 2 k and g = (1, 2, . . . , 2 k−1 ) ∈ Z k q, the lattice Λ ⊥ (g t ) has a basis S such that
˜S = 2I and ‖S‖ ≤ √ 5. In particular, η ɛ (Λ ⊥ (g t )) ≤ 2r = 2 · ω( √ log n) for some ɛ(n) = negl(n).
Using Proposition 4.2 and known generic algorithms [Bab85, Kle00, GPV08], it is possible to invert
g g t(s, e) correctly whenever e ∈ P 1/2 ((q/2) · I), and sample preimages under f g t with Gaussian parameter
s ≥ 2r = 2 · ω( √ log n). In what follows we show how the special structure of the basis S leads to simpler,
faster, and more practical solutions to these general lattice problems.
Inversion. Here we show how to efficiently find an unknown scalar s ∈ Z q given b t = [b 0 , b 1 , . . . , b k−1 ] =
s · g t + e t = [s + e 0 , 2s + e 1 , . . . , 2 k−1 s + e k−1 ] mod q, where e ∈ Z k is a short error vector.
An iterative algorithm works by recovering the binary digits s 0 , s 1 , . . . , s k−1 ∈ {0, 1} of s ∈ Z q , from
least to most significant, as follows: first, determine s 0 by testing whether
b k−1 = 2 k−1 s + e k−1 = (q/2)s 0 + e k−1 mod q
is closer to 0 or to q/2 (modulo q). Then recover s 1 from b k−2 = 2 k−2 s + e k−2 = 2 k−1 s 1 + 2 k−2 s 0 +
e k−2 mod q, by subtracting 2 k−2 s 0 and testing proximity to 0 or q/2, etc. It is easy to see that the algorithm
produces correct output if every e i ∈ [ − q 4 , q 4)
, i.e., if e ∈ P1/2 (q · I k /2) = P 1/2 (q · (˜S k ) −t ). It can also be
seen that this algorithm is exactly Babai’s “nearest-plane” algorithm [Bab85], specialized to the scaled dual
q(S k ) −t of the basis S k of Λ ⊥ (g t ), which is a basis for Λ(g).
Formally, the iterative algorithm is: given a vector b t = [b 0 , . . . , b k−1 ] ∈ Z 1×k
q , initialize s ← 0.
1. For i = k −1, . . . , 0: let s ← s+2 k−1−i ·[b
i − 2 i · s ∉ [ − q 4 , q 4)
mod q
]
, where [E] = 1 if expression
E is true, and 0 otherwise. Also let e i ← b i − 2 i · s ∈ [ − q 4 , q 4)
.
2. Output s ∈ Z q and e = (e 0 , . . . , e k−1 ) ∈ [ − q 4 , q 4) k ⊂ Z k .
18
4. Trapdoors for Lattices