a590003

strictly necessary.) Let h t = [1, 2, . . . , 2 l−1 ] ∈ Z 1×l
2 l be a parity-check matrix defining the 2 l -ary lattice
Λ ⊥ (h t ) ⊆ Z l , and observe that g t = [h t , 2 l · h t , . . . , 2 k−l · h t ]. The hybrid algorithm then works as follows:
1. For i = 0, . . . , k/l−1, choose (x il , . . . , x (i+1)l−1 ) ← D Λ ⊥
u mod 2 l(ht ),s and let u ← (u−x)/2l , where
x = ∑ l−1
j=0 x il+j · 2 j ∈ Z.
2. Output x = (x 0 , . . . , x k−1 ).
As above, we can precompute samples x ← D Z l ,s and store them in a lookup table having 2 l buckets,
indexed by the value 〈h, x〉 ∈ Z 2 l, thereby making the algorithm deterministic in its online phase.
4.2 Arbitrary Modulus
For a modulus q that is not a power of 2, most of the above ideas still work, with slight adaptations. Let
k = ⌈lg(q)⌉, so q < 2 k . As above, define g t := [1, 2, . . . , 2 k−1 ] ∈ Z 1×k
q , but now define the matrix
⎡
⎤
2 q 0
−1 2 q 1
−1 q 2
S k :=
. .. ∈ Z k×k
⎢
.
⎥
⎣
2 q k−2
⎦
−1 q k−1
where (q 0 , . . . , q k−1 ) ∈ {0, 1} k is the binary expansion of q = ∑ i 2i · q i . Again, S is a basis of Λ ⊥ (g t )
because g t · S k = 0 mod q, and det(S k ) = q. Moreover, the basis vectors have squared length ‖s i ‖ 2 = 5
for i < k and ‖s k ‖ 2 = ∑ i q i ≤ k. The next lemma shows that S k also has a good Gram-Schmidt
orthogonalization.
Lemma 4.3. With S = S k defined as above and orthogonalized in forward order, we have ‖˜s i ‖ 2 = 4−4−i
1−4 −i
(4, 5] for 1 ≤ i < k, and ‖ ˜s k ‖ 2 = 3q2
4 k −1 < 3.
Proof. Notice that the the vectors s 1 , . . . , s k−1 are all orthogonal to g k = (1, 2, 4, . . . , 2 k−1 ) ∈ Z k . Thus,
the orthogonal component of s k has squared length
‖ ˜s k ‖ 2 = 〈s k, g k 〉 2
‖g k ‖ 2 =
q 2
∑
j