arxiv: v1 [quant-ph] 21 Nov 2016


An Efficient Quantum Algorithm for a Variant of the Closest Lattice-Vector Problem

Lior Eldar (Center for Theoretical Physics, MIT)
Peter W. Shor (Department of Mathematics and Center for Theoretical Physics, MIT)

arXiv v1 [quant-ph], 21 Nov 2016; compiled June 8, 2018

Abstract

The Systematic Normal Form (SysNF) is a canonical form of lattices introduced in [ES], in which the basis entries satisfy a certain co-primality condition. Using a smooth analysis of lattices by SysNF lattices we design a quantum algorithm that can efficiently solve the following variant of the bounded-distance-decoding problem: given a lattice $L$, a vector $v$, and numbers $b = \lambda_1(L)/n^7$ and $a = \lambda_1(L)/n^3$, decide whether the distance of $v$ from $L$ is in the range $[a/2, a]$ or at most $b$, where $\lambda_1(L)$ is the length of the shortest non-zero vector of $L$. Improving these parameters to $a = b = \lambda_1(L)/\sqrt{n}$ would invalidate one of the security assumptions of the Learning-with-Errors (LWE) cryptosystem against quantum attacks.

1 Introduction

1.1 General

A lattice is a discrete set of points in Euclidean space that are spaced in a regular fashion. One usually thinks of a lattice as the set of all integer combinations of a linearly independent set of vectors $b_1, \dots, b_n \in \mathbb{R}^n$. Lattices give rise to an immensely important family of associated problems, the most prominent of which are the shortest-vector problem (SVP for short) and the closest-vector problem (CVP for short). The study of both of these problems in the last decades has unearthed deep connections to subjects as diverse as integer programming, algorithmic number theory (via the celebrated LLL algorithm [LLL82]), and cryptanalysis. In particular, the last of these subjects, cryptanalysis, has seen explosive growth in the context of lattices, as researchers have discovered that one can base cryptographic primitives on the hardness of approximating SVP in the worst case, to some polynomial factor [Ajt96, MR07, Reg09, BLP+13].

In other words, the security of these cryptographic schemes is based on the assumption that even a modest (polynomial) approximation of the baseline problems, namely SVP / CVP, is hard and requires exponential time. To give a sense of why lattice problems are at least intuitively hard, it is sufficient to consider even the simplest form of lattice, namely an arbitrary rotation of the integer lattice $\mathbb{Z}^n$. For such lattices, instead of providing the natural basis of vectors of length $1$, one can adversarially provide as input a lattice basis $\{b_1, \dots, b_n\}$ that forms a very skewed parallelotope, where each vector has length exponential in $n$, i.e. $\|b_i\| = 2^{\Omega(n)}$. In such a scenario it seems that even producing a linear combination $v = \sum_i z_i b_i$, with $z_i \in \mathbb{Z}$ and $\|v\| = \mathrm{poly}(n)$, entails a brute-force traversal of a very large set of possible coefficients, and would hence require time exponential in the size of the input.

Currently there is no evidence that undermines these assumptions: asymptotically, the best approximation achievable by a classical poly-time algorithm for SVP/CVP is given by the LLL algorithm [LLL82] and the subsequent nearest-plane algorithm [Bab86] for CVP, both with an approximation factor of $2^{\Omega(n)}$. If one is interested in a polynomial approximation of these problems, the best-known classical algorithms still require almost exponential time, $2^{O(n\log\log n/\log n)}$, due to Schnorr and to Ajtai et al. [Sch87, AKS01]. However, in terms of complexity theory we do believe that some polynomial approximation of these problems is not NP-complete. In this context, the strongest result is by Aharonov and Regev [AR05], who showed that approximating both SVP and CVP to a factor of at least $\sqrt{n}$ is in NP $\cap$ coNP, and hence unlikely to be NP-complete. Actual NP-hardness results for SVP and CVP exist only for some factors which are sub-polynomial [ABSS97, DKS98, GMSS99, HR12, Kho06, Mic01], some of them under standard complexity-theoretic assumptions. Hence the approximate versions of SVP and CVP, namely SVP$_\gamma$ and CVP$_\gamma$, where we are required to produce a solution (lattice vector) whose length is at most $\gamma$ times larger than an optimal solution, are in an awkward position for $\gamma = \mathrm{poly}(n)$: on one hand, complexity theory predicts these problems are not NP-hard, but on the other hand we have no algorithms for solving them that run in polynomial, or even sub-exponential, time.

To further aggravate matters, one should consider the importance of SVP$_\gamma$, CVP$_\gamma$ for $\gamma = \mathrm{poly}(n)$ in the context of Ajtai's famous worst-to-average-case reductions. Ajtai's work [Ajt96] provided a reduction from a worst-case instance of SVP to an average-case instance of SVP, such that if one were able to approximate the shortest vector problem for a non-negligible fraction of the output instances to a factor $\gamma$, then one would be able to approximate the shortest vector of the original lattice to a moderately worse factor $\gamma\sqrt{n}$. This result and subsequent improvements were then used to design a variety of cryptographic primitives. Essentially, it allows one to mass-produce instances of SVP which are hard to approximate, assuming that worst-case SVP is hard to approximate even to polynomial factors.

1.2 A Quantum Perspective

The discussion above is confined to our theoretical understanding of lattice problems in the regime of classical computers. But what about quantum computers? Quantum computers are, for the time being, hypothetical objects that describe a well-controlled computational abstraction of quantum mechanics. They have been shown to be able to solve several problems exponentially faster than the best known classical algorithms for these problems, most prominently the integer factoring problem, due to Shor [Sho97]. In particular, their strength has been shown to manifest most strongly in problems in which the object of interest is an Abelian subgroup. Given that this structure is trivially present in lattices, a natural question is whether one can provide a good approximation of SVP or CVP efficiently on a quantum computer. Until now, no such algorithm was found. Furthermore, in [Reg09], where the celebrated Learning-With-Errors encryption scheme was invented, Regev based the security of this scheme against quantum attacks on the assumption that quantum computers are unable to efficiently solve SVP$_\gamma$, CVP$_\gamma$ for some $\gamma = \mathrm{poly}(n)$.

In this work we show that certain lattice problems, not known to be efficiently solvable using classical computers, can in fact be solved efficiently by quantum computers. We consider a gapped decision version of the Bounded-Distance-Decoding problem BDD, defined as follows:

Definition 1. Gapped bounded-distance decoding: gapBDD$_{\gamma_1,\gamma_2}$. Given is a lattice $L \subseteq \mathbb{R}^n$, a vector $v \in \mathbb{R}^n$ and two numbers $a = \lambda_1(L)/\gamma_1$, $b = \lambda_1(L)/\gamma_2$, where $\gamma_2 \ge 2\gamma_1$. Decide whether
YES ("very close to the lattice"): $\mathrm{dist}(v, L) \le b$, or
NO ("somewhat close to the lattice"): $\mathrm{dist}(v, L) \in [a/2, a]$,
provided that $v$ belongs to one of these categories.

We then show a quantum circuit, whose size scales polynomially in $n$, that solves this problem for certain parameters:

Theorem 1. Fix any $\alpha > 0$. The problem gapBDD$_{\gamma_1,\gamma_2}$ is in BQP for all $\gamma_1 \ge n^{3+2\alpha}$ and $\gamma_2 \ge \gamma_1 n^{4-\alpha}$.

1.3 Previous work

It is natural to relate to the well-known problem of Bounded-Distance-Decoding (BDD). In the BDD problem we are given a lattice $L$ and a vector $v$ for which $\mathrm{dist}(v, L) \le \alpha\lambda_1(L)$, and are asked to find a closest lattice vector to $v$. It is known that for $\alpha \ge 1/\sqrt{2}$ the search problem BDD$_\alpha$ is NP-hard [LM09]. However, it is unknown whether for $\alpha < 1/\sqrt{2}$ the problem BDD$_\alpha$ still remains NP-hard. In fact, there is an indication that this problem is actually not NP-hard in [LLM06], where the authors showed that a pre-processing version of BDD$_\alpha$, called BDDP, can be efficiently computed for certain parameters. In terms of decision problems, in [LLM06] it was also shown how to reduce the search version of BDD$_\alpha$ to the decision version of BDD$_\alpha$ for sufficiently small polynomial factors $\alpha \le 1/\sqrt{n}$. Thus for sufficiently small $\alpha$ the search and decision versions of BDD$_\alpha$ are equivalent. With respect to other lattice problems, it is known that the decision problem gapSVP$_\gamma$, where we are asked to decide whether the shortest vector in $L$ has length at most $d$ or length at least $d\gamma$, is reducible to BDD$_{1/\gamma'}$ for $\gamma' = \gamma\sqrt{n/\log(n)}$ (see [LM09]). Finally, in the work of Regev that introduced the Learning-With-Errors problem [Reg09] it was shown that LWE is hard assuming that the search version BDD$_{1/\sqrt{n}}$ is hard. Hence, the problem gapBDD$_{\gamma_1,\gamma_2}$ defined above is a somewhat weaker version of the decision version BDD$_{\gamma_1}$, because it has an additional margin of error $\gamma_1/\gamma_2$ within the already bounded radius around the target lattice. Using the result of Liu et al. it then follows that improving the parameters of Theorem 1 to $\gamma_1 = \gamma_2 = 1/\sqrt{n}$ would invalidate the aforementioned security assumption of LWE against quantum computers.

1.4 The Systematic Normal Form of Lattices

Our algorithm makes crucial use of the Systematic Normal Form of lattices (SysNF) introduced in [ES]. SysNF lattices can be characterized by a basis matrix of the following canonical form:
$$B = \begin{pmatrix} N & b_2 & b_3 & \cdots & b_n \\ & 1 & & & \\ & & 1 & & \\ & & & \ddots & \\ & & & & 1 \end{pmatrix} \qquad (1)$$
where $N$ is a prime number, the $b_i$'s are integers, all unspecified entries are $0$, and in addition
$$\sum_{i=2}^{n} b_i^2 \not\equiv 0 \pmod N.$$
A lattice $L$ is a SysNF lattice if $L = \{Bx : x \in \mathbb{Z}^n\}$ and $B$ is of the form above. It is important to point out that without the last condition above such lattices are well known in the literature, as they correspond to the solutions of a single homogeneous linear equation modulo a prime number $N$, and hence can be considered a special case of the random lattice ensemble of Ajtai [Ajt96]. In addition, such lattices have been shown to form a uniformly dense set in a well-defined way [GM03]. The first important property of SysNF lattices is that a sufficient density of prime numbers (via GRH) gives rise to a similar density of SysNF lattices, in an efficiently computable fashion: given any lattice $L$, one can efficiently find a nearby SysNF lattice $L'$. For any $\varepsilon > 0$ there exists an efficiently computable linear map $\sigma = \sigma(\varepsilon)$ and a large integer $T$ such that for all $x \in L$, $\sigma(x) \in L'$ and $\|x - \sigma(x)/T\| \le \varepsilon$.

This allows one to translate computational problems on an arbitrary lattice to computational problems on a nearby SysNF lattice, and to translate the result back to the original instance with a negligible loss in the precision of the result. This property of efficiently computable density of canonical lattices is not a new phenomenon; it was observed by Paz and Schnorr [PS87] that such a property exists for other types of canonical lattices.

The second important property of this form arises from the structure of $B$. Specifically, the SysNF structure allows one to consider the lattice $L$ as a sub-lattice of $\mathbb{F}_N^n$, i.e. of the $n$-dimensional vector space over the finite prime field $\mathbb{F}_N$. The quotient $\mathbb{F}_N^n / L_N$ is cyclic, because $N$ is prime, and is in bijection with the set of all dual lattice points of $NL^*$ contained in $\mathbb{F}_N^n$. Furthermore, both $L$ and $NL^*$ are periodic in $N$, so $Ne_i \in L, NL^*$. Hence, when we consider the lattice and its dual, our objects of interest will be
$$L_N := L \cap \mathbb{F}_N^n \qquad\text{and}\qquad (NL^*)_N := (NL^*) \cap \mathbb{F}_N^n.$$
In the algorithm we crucially use a bijection from [ES],
$$\Phi_3 : \mathbb{F}_N^n / L_N \to (NL^*)_N.$$
This bijection implies that given any $x \in \mathbb{F}_N^n$ there exists a unique dual lattice point $y \in (NL^*)_N$ such that $x + y \in L_N = L \cap \mathbb{F}_N^n$. This is discussed in Claim 1, where it is also shown that this map is efficiently computable. Consider the action of applying the map $x \mapsto x + \Phi_3(x)$ to some short vector $x \in \mathbb{F}_N^n$. Then $x + \Phi_3(x)$ is a lattice vector that has distance exactly $\|x\|$ from $(NL^*)_N$, specifically from the point $\Phi_3(x) \in (NL^*)_N$. In the context of quantum computing, by applying $\Phi_3$ to a superposition on $\mathbb{F}_N^n$ corresponding to, say, the discrete Gaussian on $\mathbb{F}_N^n$, we can efficiently generate the following quantum state (up to normalization), for polynomially small $s > 0$:
$$\sum_{y \in (NL^*)_N} \sum_{x \in L_N} e^{-\pi \|x - y\|^2 / s^2} \, |x\rangle |y\rangle.$$
This allows us, by measuring the second register of the state above, to collapse to a superposition on $L_N$ that is very tightly concentrated around some dual lattice point $y \in (NL^*)_N$. A similar state will be used as the starting state of our quantum algorithm.

1.5 Overview of the algorithm

We assume here, for simplicity, that we are given a SysNF lattice $L$ and are interested in solving the gapped version of BDD on the scaled dual of $L$, namely $NL^*$, i.e. in determining some information about the distance of a given vector $v$ from $NL^*$. This assumption is without loss of generality and is removed in the full algorithm; see Section 4. In concrete terms: we are given a SysNF lattice $L$, a vector $v \in L$, $N = \det(L)$, and are asked to decide whether
YES: $\mathrm{dist}(v, NL^*) \le \lambda_1(NL^*)/n^7$, or
NO: $\mathrm{dist}(v, NL^*) \in [\lambda_1(NL^*)/(2n^3),\ \lambda_1(NL^*)/n^3]$.

The following is a high-level description of the core of our algorithm. We fix some parameter $s$ so that $N/s$ is comparable to $\lambda_1(NL^*)/n$. We define a Hilbert space of three registers $\mathcal{H} = \mathcal{H}_a \otimes \mathcal{H}_b \otimes \mathcal{H}_c$. All arithmetic operations are defined over the prime field $\mathbb{F}_N$.

1. Generate the quantum state $|\psi_0\rangle = |\mathrm{sinc}_{\mathbb{F}_N^n, s, 0}\rangle$, where $\mathrm{sinc}_{s,y}(x)$ is the $n$-fold product of the function $\sin(x/s)/(x/s)$ sampled on $\mathbb{F}_N^n$ and centered at $y$ (see Definition 14 and Figure 3).

Figure 1: The two distributions in case $v$ is far from the lattice: the blue circles indicate $n$-balls of radius, say, $\lambda_1(L)/\sqrt{n}$, and the red circles are the same distributions shifted by $v$. Since $v$ is far, the statistical distance between these two distributions is large.

Figure 2: The two distributions in case $v$ is close to the lattice: the blue circles indicate $n$-balls of radius, say, $\lambda_1(L)/\sqrt{n}$, and the red circles are the same distributions shifted by $v$. Since $v$ is close to $L$, the statistical distance between these two distributions is very small.

2. Recall that $\Phi_3 : \mathbb{F}_N^n \to (NL^*)_N$ is the map that sends each $x \in \mathbb{F}_N^n$ to its coset representative in $\mathbb{F}_N^n / L_N \cong (NL^*)_N$ (see Claim 1). Apply the map $\Phi_3$ unitarily,
$$|x\rangle_a |0\rangle_b |0\rangle_c \;\mapsto\; |x + \Phi_3(x)\rangle_a \,|\Phi_3(x)\rangle_b \,|0\rangle_c,$$
and denote the resulting state by $|\psi_1\rangle$.

3. For each $x$ on $\mathcal{H}_a$, compute (unitarily) the inner product $\langle x, v\rangle$ into $\mathcal{H}_c$; denote the state by $|\psi_2\rangle$.

4. Measure the register $\mathcal{H}_b$ of $|\psi_2\rangle$ in the computational basis, and post-select on $\mathcal{H}_c$ so that $\langle x, v\rangle \in [-N/(2\pi\sqrt{n}),\ N/(2\pi\sqrt{n})]$. Uncompute $\langle x, v\rangle$ on $\mathcal{H}_c$. Denote the state by $|\psi_3\rangle$.

5. Apply the $n$-fold tensor-product Quantum Fourier Transform $F_N^{\otimes n}$ to $|\psi_3\rangle$; denote the result by $|\psi_4\rangle$.

6. Apply the Hadamard test to $|\psi_4\rangle$ w.r.t. the unitary $U_v : |x\rangle \mapsto |x + v\rangle$, and accept if and only if the test passes.

1.5.1 The Hadamard Test

It is perhaps easier to understand the algorithm working backward from the final step, which is essentially the auto-correlation test due to [GG00]. The auto-correlation protocol in [GG00] gives an AM (and in fact SZK) protocol for solving cogapCVP$_{\sqrt{n}}$. In that problem we are given a lattice $L$ and a vector $v$, and are asked to determine whether $\mathrm{dist}(v, L) \le 1$ or $\mathrm{dist}(v, L) \ge \sqrt{n}$. The protocol reduces the lattice problem to the problem of distinguishing between two distributions: $\rho_1$, the periodic uniform distribution on $n$-dimensional balls of radius $\sqrt{n}$ around the points of $L$, and $\rho_2$, a version of $\rho_1$ shifted by the input vector $v$. The verifier picks one distribution at random and sends samples of this distribution to the prover, who is then asked to decide whether the samples emanated from $\rho_1$ or $\rho_2$. It is then easy to see that if $v$ is close to $L$, then the statistical overlap between $\rho_1$ and $\rho_2$ is large and so the prover would not be able to tell them apart with probability better than $1/2$, whereas if $v$ is far, she can do so with probability that exceeds $1/2$ non-negligibly; see Figures 1 and 2.

Figure 3: The function $\mathrm{sinc}(x)$ on $\mathbb{Z}^n$.

In the proposed algorithm above we generate a quantum superposition similar to $\rho_1$ and compute the overlap between $\rho_1$ and its $v$-shifted version, namely $\rho_2$. Denoting by $|\rho_1\rangle$ the quantum state that encodes the function $\rho_1$, i.e. $|\rho_1\rangle = \sum_{x \in L_N} \rho_1(x)\,|x\rangle$, essentially we are computing $\langle \rho_1 | U_v | \rho_1 \rangle$, where $U_v |x\rangle = |(x + v) \bmod N\rangle$. Readers familiar with this protocol are aware that the above scheme has for several years been the natural scheme to attempt, using quantum computers, for solving gapped versions of lattice problems. However, the major hurdle so far has been to actually generate $|\rho_1\rangle$ for interesting ranges of parameters. In particular, sampling from $\rho_1$ with variance approximately $\lambda_1(L)/p$ for some $p = \mathrm{poly}(n)$ was observed by Regev [Reg09] to be reducible to a gapped version of the closest-vector problem. On the other hand, attempting to start from the Fourier series of the function $\rho_1$ and then apply the Fourier transform, even quantumly, would entail sampling short vectors from the dual lattice, which is equivalent to SVP$_\gamma$ for certain $\gamma = \mathrm{poly}(n)$, yet another hard lattice problem.

1.5.2 The Quantum States

Keeping the high-level strategy of the auto-correlation test in mind, we now follow the evolution of the quantum states throughout the algorithm. The first state $|\psi_0\rangle$ is a trivial product superposition on the integer lattice (restricted to $\mathbb{F}_N^n$); it is easy to generate for any parameter $s$, even if it is quite small. See Figure 3. The next state, $|\psi_1\rangle$, partitions this superposition among orthogonal subspaces of $\mathcal{H}_b$ corresponding to the cosets of $\mathbb{F}_N^n / L_N \cong (NL^*)_N$. By shifting each $x \in \mathbb{F}_N^n$ by its coset representative in $(NL^*)_N$ we get the following state:
$$|\psi_1\rangle \propto \sum_{y \in (NL^*)_N} \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle |y\rangle.$$
We note that the distribution induced by measuring this state can be simulated classically, by sampling from $\mathrm{sinc}_{\mathbb{Z}^n, s, 0}$ and applying the map $x \mapsto x + \Phi_3(x)$ to the sampled vector. Next, we compute for each $x \in L_N$ its inner product with the target vector $v$:
$$|\psi_2\rangle \propto \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a \,|y\rangle_b \,|\langle x, v\rangle \bmod N\rangle_c.$$
We note that this state too can be simulated classically as a distribution. Next, we measure the registers $b$ and $c$. Since these measurements are on separate registers they commute, and can be carried out in any order. So suppose first that we only measure the register $\mathcal{H}_b$ containing $y \in (NL^*)_N$. This collapses the quantum state (after uncomputing $\mathcal{H}_c$) to a single discrete sinc function around some point $y \in (NL^*)_N$, where this point is chosen approximately uniformly at random from $(NL^*)_N$.

1.5.3 The Case of $y = 0$

At this point we note that if $y = 0$, i.e. the $0$-centered replica was measured, we achieve essentially our desired goal: by applying the QFT map $F_N^{\otimes n}$ to $\mathcal{H}_a$ we get the quantum state
$$|\phi\rangle \propto \sum_{y \in (NL^*)_N,\; x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,\, y}(x)\, |x\rangle_a \,|0\rangle_b \,|0\rangle_c,$$
where $\mathrm{sq}_{N/s,\,y}(x)$ is the $n$-dimensional hypercube indicator function of side length $N/s$, centered at $y \in (NL^*)_N$. Since $N/s$ is generically much larger than the covering radius of the lattice $\mathbb{F}_N^n$, it is as though we have a hypercube indicator on the full real space $\mathbb{R}^n$ that is periodic (convolved) around the dual lattice $(NL^*)_N$, with side length $N/s$ comparable to $\lambda_1(NL^*)/n$. Since we assume a BDD-type scenario, any point in $\mathbb{F}_N^n$ receives a nonzero contribution from at most a single indicator function (replica) centered around some dual lattice point. Also, the lattice $NL^*$ is periodic in $N e_i$ for each $i \in [n]$. Therefore, to determine the distance of $v$ to $NL^*$ it is sufficient to test the overlap between this state and its $v$-shifted version (modulo $\mathbb{F}_N^n$), which can be easily accomplished by the Hadamard test. The acceptance probability of the Hadamard test is known to be given by the following expression:
$$\mathrm{Re}\big(\langle \phi | U_v | \phi \rangle\big), \qquad\text{where } U_v |x\rangle = |(x + v) \bmod N\rangle.$$
Since the quadratic form above is comparable to the overlap $O_v = |\langle \rho_1 | U_v | \rho_1 \rangle|^2$, our work is complete.

1.5.4 General Case

Of course, generally we sample $y = 0$ only very rarely. In fact, when $s$ is sufficiently large, the distribution over the values of $y$ is approximately uniform over $(NL^*)_N$, which is a cyclic group of order $N$, so the probability of sampling $y = 0$ is $O(1/N)$. Hence it is unreasonable to expect such behavior. So now consider an arbitrary value $y \in (NL^*)_N$ measured at register $\mathcal{H}_b$ of $|\psi_2\rangle$. The collapsed state in this case is a superposition of the sinc function centered around some point $y \in (NL^*)_N$. We refer to this state as the $y$-th replica. One can check that for non-zero $y \in (NL^*)_N$ the acceptance probability is given, up to negligible error, by
$$\mathrm{Re}\big(\langle \phi | U_v | \phi \rangle\big) = O_v \cos\big(2\pi \langle y_{cv}, v\rangle / N\big), \qquad (2)$$
where $y_{cv}$ is a closest $L$-lattice point to the dual lattice point $y \in (NL^*)_N$, and $O_v$ is the real-valued auto-correlation defined above. Since $y$ is approximately uniform on $(NL^*)_N$, it turns out that $\langle y_{cv}, v\rangle / N$ is uniform on $[0, 1)$, which then implies that the average acceptance probability is identical for both the YES and NO cases, i.e. $1/2$:
$$\int_{[0,1)} O_v \cos(2\pi\theta)\, d\theta = \frac{1}{2}. \qquad (3)$$

Figure 4: The post-selection process filters out the section of $\mathbb{F}_N^n$ that lies between the two hyperplanes defined by $\langle x, v\rangle / N = \varepsilon$ and $\langle x, v\rangle / N = -\varepsilon$. If $\varepsilon$ is too small, it may not leave even a single function replica intact.

1.5.5 Phase Filtering

Thus, if we only measure the register $\mathcal{H}_b$ we wouldn't be able to distinguish between the YES and NO cases. To provide an advantage for the YES case over the NO case, we further condition the fractional inner product $(\langle x, v\rangle \bmod N)/N$ of the lattice vectors $x \in L_N$ in the support of $|\psi_3\rangle$, i.e. before the QFT, to be almost $0$, i.e. within a window of $O(1/\sqrt{n})$. This happens with non-negligible probability and on the face of it reduces almost to the case of $y = 0$. The question immediately arises, then: why not measure the register $\mathcal{H}_c$ to a single value and then apply the Hadamard test in a way that compensates for the measured phase, i.e. compute
$$\mathrm{Re}\big(\langle \phi | e^{-2\pi i \langle x, v\rangle / N}\, U_v | \phi \rangle\big),$$
which can be done efficiently given the measured value $\langle x, v\rangle$ from $\mathcal{H}_c$. The problem with this approach is that the collapsed state is the restriction of the previous ($NL^*$-periodic) quantum state to some hyperplane $\{x : \langle x, v\rangle = \Theta\}$, as follows:
$$|\phi\rangle \propto \sum_{x \in L_N,\ \langle x, v\rangle = \Theta} \mathrm{sinc}_{s,y}(x)\, |x\rangle |y\rangle |\langle x, v\rangle\rangle, \qquad (4)$$
which may not be a proper coherent sinc replica around $y \in (NL^*)_N$. Rather, it could be some thin slice thereof, and this happens in general whenever the uncertainty on the inner product is too small; see e.g. Figure 4. Consider what happens when applying the QFT to such a thin slice of a single replica around a dual point $y \in (NL^*)_N$. By the uncertainty principle of the Fourier transform, the DFT of this function would have a much larger variance. Hence the output quantum state may have variance much larger than the desired $N/s$, thereby causing the algorithm to return a wrong answer.

Thus we strike a balance between two opposing forces. On one hand, we condition the pre-QFT quantum state $|\psi_3\rangle$ to be supported on vectors $x \in L_N$ for which $\langle x, v\rangle / N \in [-\varepsilon, \varepsilon]$. This implies that after the QFT and the Hadamard test, the acceptance probability of Equation 3 is determined by an integral over a much tighter interval,
$$\frac{O_v}{\varepsilon} \int_{[-\varepsilon, \varepsilon]} \cos(2\pi\theta)\, d\theta, \qquad (5)$$
up to a correction of order $2\varepsilon^2/3$. Yet on the other hand, we want $\varepsilon$ to be sufficiently large, so as to leave enough uncertainty in the inner product that we don't damage the measured sinc replica around $y \in (NL^*)_N$ in the state $|\psi_3\rangle$ before the QFT, as demonstrated in the extreme case of a hyperplane in Equation 4. The ability to strike such a balance stems from the observation in Fact 6 that lattice points $x_1, x_2, v \in L$, $N = \det(L)$, that are relatively close compared to $v$'s distance to $NL^*$, i.e.
$$\mathrm{dist}(v, NL^*) \cdot \|x_1 - x_2\| \le Nc,$$
have very similar inner products with $v$, i.e.
$$\big(\langle x_1, v\rangle - \langle x_2, v\rangle\big) \bmod N \le Nc.$$

Figure 5: The distribution $P(\langle x, v\rangle / N)$ of the inner product $\langle x, v\rangle$ in the interval $[-\varepsilon, \varepsilon]$. The deviation from uniform is negligible (statistical distance $O(1/s)$). The brackets sketch the relative deviation $\langle x_1 - x_2, v\rangle / N$ of the inner product between the furthermost lattice points in a ball containing almost all the measure of a single replica of the discrete periodic sinc function, given $v$ that is near/far from $NL^*$.

We parametrize the window range of the measurement of $\varepsilon = \langle x, v\rangle / N$ so that even when $v$ is at the maximal allowable distance from $NL^*$, i.e. $\mathrm{dist}(v, NL^*) = \lambda_1(NL^*)/\gamma_1$, then w.h.p. the sampled replica is complete, up to negligible error. See Figure 5, describing the measured interval and the typical spreads of inner products in the YES/NO cases. To dwell on this point a little further: it is crucial for the algorithm that the input vector $v$ is a priori somewhat close to the lattice (i.e. at distance at most $(N/s)/\gamma_1$), so that reasonably adjacent lattice points $x_1, x_2$ will have similar inner products with $v$. Otherwise we may lose control of whether or not we can filter a complete replica around some $y \in (NL^*)_N$ and simultaneously condition on $\langle x, v\rangle \in N[-\varepsilon, \varepsilon]$.

1.6 Discussion and Open Questions

In this study we present an algorithm that solves a gapped version of the decision version of the bounded-distance-decoding problem. This problem has only exponential-time classical algorithms, to the best of our knowledge. However, we believe this is only a very initial step in what could be a much larger regime of quantum algorithms. We list here several of the numerous open problems that we believe can be of interest:

1.6.1 Cryptography

Lattice problems have received enormous attention in recent years, mainly because their algebraic structure has allowed constructions of cryptographic primitives, culminating in the Learning-with-Errors (LWE) encryption scheme due to Regev [Reg09]. Our algorithm does not invalidate the security assumption of LWE against quantum attacks, yet. To do that, one would have to improve the performance of the algorithm to solve gapBDD$_{\gamma_1,\gamma_2}$ for $\gamma_1 = \gamma_2 = \sqrt{n}$, which would make it equivalent to, say, solving gapSVP$_{\tilde{O}(\sqrt{n})}$. We point out that even achieving such an algorithm would not break LWE per se. To do that, one would have to actually find a quantum algorithm that solves the full version of gapCVP to some polynomial factor. Such a task, we believe, would require adding new techniques to the ones suggested here; see the next item.

1.6.2 gapBDD vs. gapCVP

Our proposed algorithm falls short of solving the full version of gapped CVP, and requires an additional promise that the input vector is at least somewhat close to the lattice. We believe that this is not an artifact of the proof but goes to the core of the scheme: we require, crucially, that if we consider adjacent lattice points and test their inner products w.r.t. some vector $v$, then these vectors have similar inner products with that vector. That can only happen if $v$ is close to the dual lattice, the extreme case being $v \in NL^*$, in which case both of these inner products are by definition $0$. Removing the assumption on $v$ would hence entail a completely different scheme, we believe. As an additional example of this difference, we note that an instance of gapCVP, like that of gapBDD, also includes two numbers $a, b$ with $b/a = \mathrm{poly}(n)$, and we are asked to distinguish whether a vector is within distance at most $a$ or at least $b$ from $L$. Yet for gapBDD the knowledge that both of these numbers are some relative fraction of $\lambda_1$ yields some implicit information about the length of the shortest vector of the input lattice.

1.6.3 Quantum Implementation

Our main theorem states that our algorithm corresponds to a quantum circuit of size polynomial in the dimension $n$ of the lattice. One can also ask whether this algorithm can be implemented in $\log(n)$ depth. The Quantum Fourier Transform (and so its $n$-fold tensor product) is known to be implementable to error $1/\varepsilon$ in $\log(n)$ depth by the work of Cleve and Watrous [CW00]. The Hadamard test can be implemented in $O(1)$ depth, and so the entire circuit can be implemented in $O(\log(n))$ depth if the map $\Phi_3 : \mathbb{F}_N^n \to NL^*$ can be implemented in $O(\log(n))$ depth. Clearly, the inner-product part of this map can be parallelized to logarithmic depth, but we do not know how to implement the inversion modulo $N$ in $\log(n)$ depth. Several works have shown that if $N = p^t$ for some small prime number $p$, then indeed this can be done. However, in our algorithm we crucially require $N$ to be prime (see the next section), so it is not immediately clear how to do better than Euclid's algorithm, which is serial in nature.

1.6.4 Number-theoretic conjectures

Our algorithm, and specifically the reduction to SysNF, requires a certain assumption on the density of prime numbers. We assume the Generalized Riemann Hypothesis, namely that any number $n$ has a prime number between $n$ and $n + \log(n)$, to claim that the density of SysNF lattices in terms of the mapping error $\|\sigma(x) - x\|$ is $O(\log(N)/N)$. Hence weaker density assumptions like Bertrand-Chebyshev, which imply only linear density, would not suffice. However, we note that there is one relaxation that can be made, which is that we don't crucially need $N$ to be prime, only that the sum of squares $\sum_{i=2}^n b_i^2$ has an inverse in the ring modulo $N$. Can it be that, given this value of the sum of squares and a number $N$, one can find $N'$ near $N$ for which this value has an inverse modulo $N'$? This would amount to a GRH-type statement for rings with an inverse for a specific value, and we are not aware that such statements exist. That would allow one to remove the GRH assumption, and possibly pave the way for improved depth complexity.

2 Preliminaries

2.1 Notation

The $n$-dimensional Euclidean space is denoted by $\mathbb{R}^n$. The Euclidean norm of a vector $x \in \mathbb{R}^n$ is $\|x\| = \sqrt{\sum_{i=1}^n x_i^2}$. A Euclidean lattice $L$ is written as $L = L(B)$, where $B$ is some basis of $L$. $N$ is used to denote a prime number, and $\mathbb{F}_N$ the prime field corresponding to $N$. When we write $\mathbb{F}_N$ as a set we refer to the numbers $[-(N-1)/2, \ldots, (N-1)/2]$, and $x \bmod N$ means the unique value $x'$ such that $x' = x + kN$ for an integer $k$ and $x' \in \mathbb{F}_N$.

We define $\Delta$ as the statistical distance between distributions $(p, \Omega)$ and $(q, \Omega)$, i.e. $\Delta(p, q) = \int_\Omega |p(x) - q(x)|\, dx$. Given a set $S$, $U(S)$ is the uniform distribution on $S$. For any $v \in \mathbb{R}^n$ define $\|v\|_\infty = \max_i |v_i|$. For a real number $s > 0$ and a vector $c \in \mathbb{R}^n$, $B_s(c)$ is the closed Euclidean ball of radius $s$ around $c$. For an integer $n$, the notation $[n]$ stands for the set of indices $\{1, \ldots, n\}$. Given a set $S \subseteq \mathbb{R}^n$ and a vector $v \in \mathbb{R}^n$, we denote $\mathrm{dist}(v, S) := \min_{x \in S} \|v - x\|$. For a positive odd integer $M$, we denote by $[M]$ the $0$-centered interval of integers $[-(M-1)/2, \ldots, (M-1)/2]$. For functions $f, g$ we write $f(x) \propto g(x)$ if there exists a constant $c$ independent of $x$ such that $f(x) = c\, g(x)$.

2.2 Background on Lattices

We start by stating some standard facts about lattices.

Definition 2. Euclidean Lattice. A Euclidean lattice $L \subseteq \mathbb{R}^n$ is the set of all integer linear combinations of a set of linearly independent vectors $b_1, \ldots, b_m$:
$$L = \Big\{ \sum_{i=1}^m z_i b_i : z_i \in \mathbb{Z} \Big\} \subseteq \mathbb{R}^n.$$
The set $\{b_i\}_{i=1}^n$ is called the basis of the lattice. We write $L = L(B)$, where $B$ is the matrix whose columns are $b_1, \ldots, b_m$. In this paper we will always assume that $L$ is full-dimensional, i.e. $m = n$. For a lattice $L = L(B)$, $\mathcal{P}(B)$ is the basic parallelotope of $L$ according to $B$:
$$\mathcal{P}(B) := \Big\{ v = \sum_{i \in [n]} x_i b_i : x_i \in [0, 1) \Big\}.$$
Sometimes it will be more convenient to write $\mathcal{P}(L)$ when $B$ is clear from the context.

Definition 3. The Dual Lattice. The dual of a lattice $L(B)$ is the lattice generated by the columns of $B^{-T}$.

Definition 4. Successive minima of a lattice. Given a lattice $L$ of rank $n$, its successive minima $\lambda_i(L)$ for all $i \in [n]$ are defined as follows:
$$\lambda_i(L) = \inf\big\{ r : \dim(\mathrm{span}(L \cap B_r(0))) \ge i \big\}.$$

Definition 5. Unimodular matrix. The group of unimodular matrices $GL_n(\mathbb{Z})$ is the set of $n \times n$ integer matrices with determinant $1$ or $-1$. Unimodular matrices preserve a lattice: $L(B) = L(B')$ if and only if $B' = BA$ for some unimodular matrix $A$.

Definition 6. The determinant of a lattice. For a lattice $L = L(B)$ we define $\det(L) = |\det(B)|$, and denote it by $N$. The determinant of a lattice is well-defined, since if $L(B') = L(B)$ then by the above $B' = BA$ for some unimodular matrix $A$, in which case $|\det(B')| = |\det(B)|\,|\det(A)| = |\det(B)|$.

The lattice $L$ is periodic modulo $N$. In other words, if we add $N$ to any coordinate of a lattice point, we reach another lattice point. Thus a cube of side length $N$ contains a subset of the lattice which generates the whole lattice when acted on by translations by $N$ in any direction. We let $L_N$ denote the lattice restricted to a cube of side length $N$. In particular, if $L = L(B)$ is an integer lattice with $\det(L) = N$ for prime $N$, this implies that $L_N$ is a finite additive sub-group, or lattice, of $\mathbb{F}_N^n$:

Proposition 1. Let $\mathbb{F}_N^n$ denote the additive group of $n$-dimensional vectors of integers, where in each coordinate summation is carried out modulo $N$. Then $L_N$ is an additive sub-group of $\mathbb{F}_N^n$ that contains the $0$ point. In particular $L_N$ is a lattice of $\mathbb{F}_N^n$, with $|L_N| = N^{n-1}$.
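To make the SysNF basis of Section 1.4, the coset bijection $\Phi_3$ of Claim 1 and the count in Proposition 1 concrete, here is an added brute-force check on a constructed toy instance; this is not code from the paper, and the values $N = 7$, $b = (1, 2)$ are constructed. It enumerates $L_N$ and $(NL^*)_N$ inside $\mathbb{F}_N^n$, verifies $|L_N| = N^{n-1}$, that $(NL^*)_N$ is cyclic of order $N$, and that every $x \in \mathbb{F}_N^n$ has exactly one $y \in (NL^*)_N$ with $x + y \in L_N$.

```python
from itertools import product

# Constructed toy instance (not from the paper): prime determinant N and the
# first-row entries b_2, ..., b_n of a 3-dimensional SysNF basis.
N_TOY = 7
B_TOY = (1, 2)


def centered(a, N):
    """Reduce a to its 0-centred representative in F_N = [-(N-1)/2, (N-1)/2]."""
    r = a % N
    return r - N if r > (N - 1) // 2 else r


def sysnf_basis(N, b):
    """Columns of the SysNF basis (1): N*e_1 and b_i*e_1 + e_i for i = 2..n."""
    n = len(b) + 1
    cols = [[N] + [0] * (n - 1)]
    for i, bi in enumerate(b, start=1):
        col = [bi] + [0] * (n - 1)
        col[i] = 1
        cols.append(col)
    return cols


def coprimality_ok(N, b):
    """The SysNF side condition of Section 1.4: the sum of squares is non-zero mod N."""
    return sum(bi * bi for bi in b) % N != 0


def in_lattice(x, N, b):
    """x = B z for integer z iff x_1 = sum_i b_i x_i (mod N): solving the column
    form gives z_i = x_i for i >= 2 and N z_1 = x_1 - sum_i b_i x_i."""
    return (x[0] - sum(bi * xi for bi, xi in zip(b, x[1:]))) % N == 0


def in_scaled_dual(y, N, b):
    """N L^* is generated by the columns of N B^{-T}, i.e. by (1, -b_2, ..., -b_n)
    and the N e_i, so y in N L^* iff y_i = -b_i y_1 (mod N) for every i >= 2."""
    return all((yi + bi * y[0]) % N == 0 for bi, yi in zip(b, y[1:]))


def box(N, n):
    """All points of F_N^n with 0-centred coordinates."""
    F = range(-(N - 1) // 2, (N - 1) // 2 + 1)
    return product(F, repeat=n)


def lattice_points_in_box(N, b):
    """L_N = L intersected with F_N^n; Proposition 1 predicts N^(n-1) points."""
    return [x for x in box(N, len(b) + 1) if in_lattice(x, N, b)]


def dual_points_in_box(N, b):
    """(N L^*)_N = N L^* intersected with F_N^n; one point per value of y_1."""
    return [y for y in box(N, len(b) + 1) if in_scaled_dual(y, N, b)]


def is_cyclic_generated_by(points, g, N):
    """Check that the point set equals the multiples {k*g mod N : k in F_N}."""
    mults = {tuple(centered(k * gi, N) for gi in g) for k in range(N)}
    return mults == set(points)


def coset_map(N, b):
    """Brute-force the coset bijection of Claim 1: for every x in F_N^n find the y
    in (N L^*)_N with x + y in L_N. Returns None if some x has zero or several."""
    duals = dual_points_in_box(N, b)
    phi = {}
    for x in box(N, len(b) + 1):
        hits = [y for y in duals
                if in_lattice(tuple(xi + yi for xi, yi in zip(x, y)), N, b)]
        if len(hits) != 1:
            return None
        phi[x] = hits[0]
    return phi


def check_toy_instance(N=N_TOY, b=B_TOY):
    """Run all checks on the toy instance and return them as a dict of booleans."""
    n = len(b) + 1
    duals = dual_points_in_box(N, b)
    phi = coset_map(N, b)
    return {
        "coprime": coprimality_ok(N, b),
        "lattice_count_ok": len(lattice_points_in_box(N, b)) == N ** (n - 1),
        "dual_count_ok": len(duals) == N,
        "dual_cyclic": is_cyclic_generated_by(duals, (1,) + tuple(-bi for bi in b), N),
        "bijection": phi is not None,
        # x + Phi_3(x) is a lattice vector, as used in step 2 of the algorithm
        "shift_is_lattice_vector": phi is not None and all(
            in_lattice(tuple(xi + yi for xi, yi in zip(x, y)), N, b)
            for x, y in phi.items()),
    }


if __name__ == "__main__":
    print(check_toy_instance())
```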

A canonical representation of integer lattices is the Hermite normal form (HNF):

Definition 7 (Hermite normal form). An integer matrix $A \in \mathbb{Z}^{n \times n}$ is said to be in Hermite normal form (HNF) if $A$ is upper-triangular and $a_{i,i} > a_{i,j} \ge 0$ for all $j > i$ and all $i \in [n]$.

It is well-known that every integer matrix can be efficiently transformed into HNF:

Fact 1 (Unique, efficiently-computable Hermite normal form). For every full-rank integer matrix $A \in \mathbb{Z}^{n \times n}$ there exists a unique unimodular matrix $U \in GL_n(\mathbb{Z})$ such that $H = UA$ is in HNF, and $U$ can be computed efficiently.

Definition 8 (Lattice covering radius). Let $L \subseteq \mathbb{R}^n$ be a lattice. The covering radius $\rho(L)$ of $L$ is the minimal number such that every $x \in \mathbb{R}^n$ is at distance at most $\rho(L)$ from $L$.

It is easy to check that the covering radius is controlled by the $n$-th minimum, up to polynomial factors:

Proposition 2. For any lattice $L \subseteq \mathbb{R}^n$ we have $\rho(L) \le \sqrt{n}\,\lambda_n(L)$.

The work of Banaszczyk [Ban93] established an important connection between the successive minima of a lattice and those of its dual:

Fact 2. For any lattice $L \subseteq \mathbb{R}^n$ and every $i \in [n]$ we have $\lambda_i(L)\,\lambda_{n-i+1}(L^*) \le n$.

2.3 Lattice Problems

There are by now many different lattice problems that are not known to be equivalent. However, all of them can be stated as a variant of one of two major problems, the shortest-vector problem and the closest-vector problem:

Definition 9 (Closest-vector problem / shortest-vector problem: CVP, SVP). The closest-vector problem is defined as follows: given a lattice $L = L(B)$ and a vector $v \in \mathbb{R}^n$, find a lattice vector $w \in L$ for which $\|v - w\| = \mathrm{dist}(v, L)$. The shortest-vector problem is defined as follows: given $L = L(B)$, find a non-zero lattice vector of minimal length.

Since solving these problems exactly turned out to be NP-hard (CVP in the worst case, SVP under randomized reductions), it is natural to consider their approximate versions:

Definition 10.
(Approximate shortest/closest-vector: $\mathrm{CVP}_\gamma$, $\mathrm{SVP}_\gamma$). The approximate closest-vector problem $\mathrm{CVP}_\beta$ is the following problem: given a lattice $L$ and a vector $v \in \mathbb{R}^n$, return $w \in L$ such that $\mathrm{dist}(v, w) \le \beta\,\mathrm{dist}(v, L)$. Similarly, the approximate shortest-vector problem $\mathrm{SVP}_\beta$ is the following problem: given a lattice $L$, find a vector $v \in L$, $v \ne 0$, such that $\|v\| \le \beta\,\lambda_1(L)$.

One can also consider decision versions of these problems, called gapCVP and gapSVP:

Definition 11 (Gapped approximate shortest/closest-vector: $\mathrm{gapCVP}_{\beta,\gamma}$, $\mathrm{gapSVP}_{\beta,\gamma}$). The gapped approximate closest-vector problem $\mathrm{gapCVP}_{\beta,\gamma}$ is the following promise problem: given a lattice $L$ and a vector $v \in \mathbb{R}^n$, decide whether $\mathrm{dist}(v, L) \le \beta$ or $\mathrm{dist}(v, L) \ge \gamma\beta$. Similarly, the gapped approximate shortest-vector problem $\mathrm{gapSVP}_{\beta,\gamma}$ is defined as follows: given a lattice $L$, decide whether $\lambda_1(L) \le \beta$ or $\lambda_1(L) \ge \gamma\beta$.

Often one would like to find a closest lattice vector to a point $v \in \mathbb{R}^n$ given the promise that $v$ is close to $L$. This is called bounded-distance decoding, or BDD for short:

Definition 12 (Bounded-distance decoding: $\mathrm{BDD}_\gamma$). Given a lattice $L \subseteq \mathbb{R}^n$ and $v \in \mathbb{R}^n$ such that $\mathrm{dist}(v, L) \le \lambda_1(L)/\gamma$, find a lattice vector closest to $v$.

In this paper we introduce a variant of the decision version of BDD, denoted $\mathrm{gapBDD}_{\beta,\gamma}$, as defined above in Definition 1.

2.4 Fourier Transform and Lattices

Definition 13 (Fourier transform / inverse Fourier transform). Let $L \subseteq \mathbb{R}^n$ be a lattice and let $f$ be a function periodic over $\mathcal{P}(L)$ (i.e. $L$-periodic) with bounded $\ell_1$-norm. The Fourier transform of $f$ on $L$ is defined at each point of the dual lattice $L^*$:
$$\forall z \in L^*: \qquad \hat{F}(z) = \frac{1}{\det(L)} \int_{\mathcal{P}(L)} f(x)\, e^{-2\pi i \langle x, z \rangle}\, dx.$$
Likewise, we define the inverse Fourier transform: let $f : L^* \to \mathbb{R}$ be an $\ell_1$-bounded function on $L^*$. Then
$$\forall x \in \mathbb{R}^n: \qquad F^{-1}_f(x) = \sum_{z \in L^*} f(z)\, e^{2\pi i \langle z, x \rangle}.$$
In particular, for any such $f : L^* \to \mathbb{R}$ its inverse Fourier transform $F^{-1}_f$ is $L$-periodic, since $\langle z, \ell \rangle \in \mathbb{Z}$ for all $z \in L^*$, $\ell \in L$.

Definition 14 (Sinc / square transform pair). Let $\mathrm{sinc}_{1,a}(x)$ denote the function $\mathrm{sinc}_{1,a}(x) = \sin(x/a)/(x/a)$ for all $x \ne 0$, and $1$ otherwise. As a real function on $\mathbb{R}^n$ we refer to the product
$$\mathrm{sinc}_a(x) = \prod_{i=1}^n \mathrm{sinc}_{1,a}(x_i).$$
Similarly, let $\mathrm{sq}_{1,a}(x)$ denote the function which is $1$ whenever $|x| \le a$ and $0$ otherwise, and define
$$\mathrm{sq}_a(x) = \prod_{i=1}^n \mathrm{sq}_{1,a}(x_i).$$
We denote by $|\mathrm{sinc}_{L_N,s,0}\rangle$ the quantum state in which the amplitude of $x \in L_N$ is proportional to $\mathrm{sinc}_{s,0}(x)$, and by $|\mathrm{sq}_{L_N,s,0}\rangle$ the quantum state corresponding to the function $\mathrm{sq}_{s,0}$.

The following fact is standard in the signal-processing literature:

Fact 3 (FT of sinc). The inverse Fourier transform of $\mathrm{sinc}_{1,s}$ is proportional to $\mathrm{sq}_{1,1/s}$, and hence the inverse Fourier transform of $\mathrm{sinc}_s$ is $\mathrm{sq}_{1/s}$. (With the $e^{2\pi i \langle z, x \rangle}$ convention of Definition 13 the box actually has half-width $1/(2\pi s)$; the factor $2\pi$ is a normalization constant and is tracked separately below.)

2.5 Quantum Primitives

Definition 15 (Phase-shift, lattice-shift). Given a SysNF lattice $L$ and $v \in L_N$, define
$$\text{Lattice-shift:} \quad \forall x \in L_N,\ U_v |x\rangle = |(x + v) \bmod N\rangle,$$
$$\text{Phase-shift:} \quad \forall x \in L_N,\ W_v |x\rangle = e^{2\pi i \langle x, v \rangle / N} |x\rangle.$$
It is easy to check, with the QFT $F_N$ of Definition 18 below, that for every $v$ we have $F_N^{\otimes n} U_v = W_v F_N^{\otimes n}$: a shift in the computational basis becomes a phase after the Fourier transform.

Definition 16 (Discrete distributions on lattices). Let $f = f(s) : \mathbb{R}^n \to \mathbb{R}^+$ be a non-negative real-valued function on $\mathbb{R}^n$, parameterized by $s$. For a SysNF lattice $L$ with $N = \det(L)$, the notation $f_{L,s,c}$ is the discrete distribution formed by sampling each $x \in L_N$ with probability proportional to a shifted copy of $f(s)$:
$$\forall x \in L_N: \qquad f_{L,s,c}(x) \propto f(s)(x - c).$$

Definition 17 (Quantum states on lattices). Let $f = f(s) : \mathbb{R}^n \to \mathbb{R}^+$ be a non-negative real-valued function on $\mathbb{R}^n$, parameterized by $s$. For a SysNF lattice $L$ with $N = \det(L)$, the notation $|f_{L,s,c}\rangle$ denotes the quantum state
$$|f_{L,s,c}\rangle = \frac{1}{\sqrt{\|f_{L,s,c}\|_2^2(L)}} \sum_{x \in L_N} f(s)(x - c)\, |x\rangle, \qquad \text{where } \|f_{L,s,c}\|_2^2(L) = \sum_{x \in L_N} f_{L,s,c}(x)^2.$$

Definition 18 (The quantum Fourier transform). Let $N > 0$ be an integer. The QFT $F_N$ is the unitary map
$$\forall x \in [N]: \qquad |x\rangle \mapsto \frac{1}{\sqrt{N}} \sum_{z \in [N]} e^{2\pi i\, x z / N}\, |z\rangle.$$

One of the main pillars of quantum speed-up is an efficient quantum circuit implementation of the QFT, see e.g. [NC]:

Fact 4. For any integer $N$ one can efficiently compute a description of a quantum circuit of size $\mathrm{poly}(\log N)$ (polynomial in the input size) that implements $F_N$.

Fact 5 (QFT of functions on $L$). Let $L = L(B)$ be a SysNF lattice with $N = \det(B)$. Let $f$ be a real-valued function supported on $\mathbb{F}_N^n$ and $|f\rangle = \sum_{x \in L_N} f(x) |x\rangle$. Then
$$F_N^{\otimes n} |f\rangle \propto \sum_{z \in \mathbb{F}_N^n} (F_f)(z/N)\, |z\rangle,$$
where $F_f$ is the transform of Definition 13 applied to $f$.

Proof. By definition of the $n$-fold tensor product QFT, each $x \in L_N$ is mapped to a superposition over all $z \in \mathbb{F}_N^n$ weighted by the character of $x$, $e^{2\pi i \langle x, z \rangle / N}$. Hence the amplitude of each $z \in \mathbb{F}_N^n$ is proportional to
$$\sum_{x \in L_N} f(x)\, e^{2\pi i \langle x, z \rangle / N} = \sum_{x \in L_N} f(x)\, e^{2\pi i \langle x, z/N \rangle},$$
which by definition equals $F_f$ evaluated at the point $z/N$. $\square$

Definition 19 (The Hadamard test). Let $U \in U(\mathcal{H})$ be a unitary and $|\psi\rangle \in \mathcal{H}$ a quantum state. The Hadamard isometry $H_U$ with respect to $U$ is the isometry $\mathcal{H} \to \mathcal{H}_{anc} \otimes \mathcal{H}$,
$$|\psi\rangle \mapsto \frac{1}{\sqrt{2}} \big( |0\rangle_{anc} |\psi\rangle + |1\rangle_{anc}\, U |\psi\rangle \big).$$
The Hadamard test on a state $|\psi\rangle$ is the application of $H_U$ to $|\psi\rangle$ followed by a measurement of $\mathcal{H}_{anc}$ in the Hadamard basis. The test succeeds if and only if the measured qubit is $0$. The following fact is standard:

Proposition 3 (Success probability of the Hadamard test). Let $U$ be a unitary. Then the probability of measuring $0$ in the ancilla after applying $H_U$ to $|\psi\rangle$ is
$$P(\text{success}) = \frac{1}{2}\Big( 1 + \mathrm{Re}\big( \langle \psi | U | \psi \rangle \big) \Big).$$
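The primitives of Definitions 15, 18 and 19 can be checked numerically on a single register over $\mathbb{Z}_N$ with a plain DFT standing in for the quantum circuit. The following is an added example, not code from the paper: it verifies the shift/phase duality $F_N U_v = W_v F_N$, the closed form of $F_N$ applied to the uniform box state of Algorithm 1 (the Dirichlet kernel, the discrete counterpart of Fact 3), and the Hadamard-test probability of Proposition 3. All function names and the parameters $N = 31$, $w = 4$ are ours.

```python
"""Added example (not from the paper): numerical checks of the quantum
primitives of Section 2.5 on one register Z_N.  Amplitude vectors are
Python lists indexed by x in {0, ..., N-1}; no quantum library is used."""
import cmath
import math


def qft(vec):
    """F_N: |x> -> N^{-1/2} sum_z exp(2 pi i x z / N) |z>, on an amplitude vector."""
    n = len(vec)
    return [sum(vec[x] * cmath.exp(2j * math.pi * x * z / n) for x in range(n)) / math.sqrt(n)
            for z in range(n)]


def lattice_shift(vec, v):
    """U_v: |x> -> |x + v mod N>."""
    n = len(vec)
    out = [0j] * n
    for x in range(n):
        out[(x + v) % n] = vec[x]
    return out


def phase_shift(vec, v):
    """W_v: |x> -> exp(2 pi i x v / N) |x>."""
    n = len(vec)
    return [vec[x] * cmath.exp(2j * math.pi * x * v / n) for x in range(n)]


def box_state(n, w):
    """Uniform superposition on the centred interval [-w, w] of Z_N
    (the state |N/s> prepared in step 2 of Algorithm 1, with w = N/(2s))."""
    amp = 1.0 / math.sqrt(2 * w + 1)
    return [amp if (x <= w or x >= n - w) else 0.0 for x in range(n)]


def dirichlet_kernel(n, w, z):
    """Closed form of F_N box_state(n, w) at frequency z: the discrete sinc
    sin(pi (2w+1) z / N) / sin(pi z / N), normalised."""
    if z % n == 0:
        return (2 * w + 1) / math.sqrt(n * (2 * w + 1))
    return (math.sin(math.pi * (2 * w + 1) * z / n) / math.sin(math.pi * z / n)
            / math.sqrt(n * (2 * w + 1)))


def max_abs_diff(a, b):
    return max(abs(p - q) for p, q in zip(a, b))


def shift_phase_duality_error(n, w, v):
    """|| F_N U_v psi - W_v F_N psi ||_inf for the box state psi; zero up to rounding."""
    psi = box_state(n, w)
    return max_abs_diff(qft(lattice_shift(psi, v)), phase_shift(qft(psi), v))


def qft_box_vs_dirichlet_error(n, w):
    """Largest deviation between the numerical QFT of the box and the closed form."""
    psi = qft(box_state(n, w))
    return max(abs(psi[z] - dirichlet_kernel(n, w, z)) for z in range(n))


def hadamard_test_success_probability(vec, unitary):
    """Proposition 3: P(ancilla = 0) = (1 + Re <psi|U|psi>) / 2, for U given as a
    function on amplitude vectors."""
    upsi = unitary(vec)
    inner = sum(a.conjugate() * b for a, b in zip(vec, upsi))
    return 0.5 * (1.0 + inner.real)


if __name__ == "__main__":
    N, W = 31, 4
    print("duality error:", shift_phase_duality_error(N, W, 7))
    print("box -> Dirichlet error:", qft_box_vs_dirichlet_error(N, W))
    # Shifting the box by 1 keeps 8 of its 9 points overlapping: P = (1 + 8/9)/2.
    print("Hadamard test, U = U_1:",
          hadamard_test_success_probability(box_state(N, W), lambda s: lattice_shift(s, 1)))
```

The Hadamard-test check illustrates what the algorithm's final step measures: for a state concentrated on a box and $U = U_v$, $\mathrm{Re}\langle\psi|U_v|\psi\rangle$ is the overlap fraction of the box with its shifted copy, so the success probability drops to exactly $1/2$ once the shift exceeds the box width.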

3 The Systematic Normal Form (SysNF)

Definition 20 (Systematic Normal Form). A matrix $B \in \mathbb{Z}^{n \times n}$ is said to be in SysNF if $B_{1,1} = N$ for a prime $N$, $B_{i,i} = 1$ for all $i > 1$, $B_{i,j} = 0$ for all $i > 1$ and $j \ne i$, and in addition
$$1 + \sum_{i > 1} B_{1,i}^2 \not\equiv 0 \pmod N.$$
Writing $b_i := B_{1,i}$ for $i \ge 2$, the basis matrix is
$$B = \begin{pmatrix} N & b_2 & b_3 & \cdots & b_n \\ 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \end{pmatrix}.$$
This form is suggestively called systematic because for every $v = Bz \in L(B)$ the last $n-1$ coordinates $v_2, \ldots, v_n$ are exactly the last $n-1$ coefficients $z_2, \ldots, z_n$ of $v$ in the basis $B$, which in error-correcting terminology is the message encoded by $B$; the first coordinate $v_1 = Nz_1 + \sum_{i \ge 2} b_i z_i$ plays the role of the check symbol. Consequently an integer vector $v$ lies in $L(B)$ if and only if $v_1 \equiv \sum_{i \ge 2} b_i v_i \pmod N$.

The following facts will be useful later on:

Proposition 4. If $B$ is in SysNF, then $N B^{-T}$, the matrix spanning the scaled dual $NL^*$ of $L(B)$, has the form
$$N B^{-T} = \begin{pmatrix} 1 & 0 & 0 & \cdots & 0 \\ -b_2 & N & 0 & \cdots & 0 \\ -b_3 & 0 & N & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ -b_n & 0 & 0 & \cdots & N \end{pmatrix}. \qquad (6)$$

Proposition 5. There are $N^{n-1}$ points of $L = L(B_{\mathrm{SysNF}})$ in $\mathbb{F}_N^n$, and $N$ lattice points of $NL^*$ in that cube. Hence there are $N$ points of $\mathbb{F}_N^n$ inside $\mathcal{P}(L)$, and $N^{n-1}$ points inside $\mathcal{P}(NL^*)$. Both $L$ and $NL^*$ are $N$-periodic, i.e. $Ne_i \in L$ and $Ne_i \in NL^*$ for every $i \in [n]$.

Claim 1 (Compute a dual vector for any vector). There exists an efficiently-computable bijection $\Phi_3 : \mathbb{F}_N^n / L_N \to (NL^*)_N$. In particular, for every $x \in \mathbb{F}_N^n$, $x + \Phi_3(x) \in L_N$.

Proof. Let $x \in \mathbb{F}_N^n$. We would like to find the unique $y = \Phi_3(x)$ for which $x + y \in L_N$. By (6), each point $y \in (NL^*)_N$ is characterized uniquely by an element $a \in \mathbb{F}_N$:
$$y = \big(a,\ -b_2 a \bmod N,\ \ldots,\ -b_n a \bmod N\big). \qquad (7)$$
Thus, to find $y$ we solve the following vector equality over $a, z_2, \ldots, z_n \in \mathbb{F}_N$:
$$(x_1, \ldots, x_n)^T + \big(a,\ -b_2 a,\ \ldots,\ -b_n a\big)^T \equiv \Big( \sum_{i=2}^n b_i z_i,\ z_2,\ \ldots,\ z_n \Big)^T \pmod N. \qquad (8)$$
Consider the first coordinate. We have
$$x_1 + a \equiv \sum_{i=2}^n b_i z_i \pmod N. \qquad (9)$$
Substituting $z_i = x_i - a b_i \pmod N$ for all $i \ge 2$, as the remaining coordinates of (8) dictate, gives
$$x_1 - \sum_{i=2}^n b_i x_i \equiv -a \Big( \sum_{i=2}^n b_i^2 + 1 \Big) \pmod N. \qquad (10)$$
Since $N$ is prime and the number $\sum_{i=2}^n b_i^2 + 1$ is not $0 \pmod N$, it has an inverse modulo $N$.
Thus the parameter $a$ is determined uniquely from (10), namely $a \equiv -\big(x_1 - \sum_{i=2}^n b_i x_i\big)\big(\sum_{i=2}^n b_i^2 + 1\big)^{-1} \pmod N$, which requires one modular inversion and $O(n)$ multiplications; hence $y$ is determined uniquely and efficiently. Note that $a$ depends on $x$ only through $x_1 - \sum_{i \ge 2} b_i x_i \bmod N$, which vanishes exactly on $L_N$, so $\Phi_3$ is constant on cosets of $L_N$ and the map on $\mathbb{F}_N^n / L_N$ is well defined. $\square$

3.1 Reduction to SysNF

In this section we provide an efficient reduction from an arbitrary lattice to a lattice in SysNF that preserves all important properties of the lattice. Specifically, it allows the reduction of any computational problem on an arbitrary lattice $L$ to another problem on a SysNF lattice $L_{\mathrm{SysNF}}$ such that any solution to the reduced problem efficiently yields a solution to the original problem on $L$.

Lemma 1 (Efficient reduction to SysNF). There exists an efficient algorithm that, for any $L = L(B)$ and numbers $a > 0$, $\varepsilon > 0$, computes a tuple $(B', \sigma, T)$, where $B'$ is in SysNF, $T = \mathrm{poly}(\det(B)/\varepsilon)$ is a positive integer and $\sigma : L \to L(B')$ is a linear map such that for any $v \in L$ we have $\|\sigma(v)/T - v\| \le \|v\|\,\varepsilon$.

The lemma immediately implies that one can reduce standard lattice problems on an arbitrary lattice to the same problem on a lattice in SysNF, and then translate the output efficiently into a solution for the original lattice. For example:

Corollary 1 (Reducing lattice problems to SysNF). Let $L = L(B)$ and let $v$ be some vector. Let $(B', \sigma, T)$ denote the tuple returned by the SysNF reduction for parameter $\varepsilon$. Suppose that for some vector $v'$ and some $\gamma$ we find $x' \in L'$ such that $\mathrm{dist}(v', x') \le \gamma \lambda_1(L')$. Then $x = \sigma^{-1}(x') \in L$ and in addition $\mathrm{dist}(x, v'/T) \le (\gamma + \varepsilon)\lambda_1(L)$.

3.2 Properties of the Systematic Normal Form

The next fact is central to the algorithm: it shows that if two lattice points are close, then their inner products with a vector $v$ are also very close modulo $N$, provided $v$ is close to the scaled dual lattice:

Fact 6 (Smoothness of inner product). Let $L$ be an integer lattice with $N = \det(L)$, let $x, y \in L_N$ be lattice vectors and $v \in \mathbb{F}_N^n$ a vector such that for some $c \le 1/2$ we have
$$\mathrm{dist}(v, NL^*) \cdot \|x - y\| \le Nc.$$
Then
$$\big| (\langle x, v \rangle - \langle y, v \rangle) \bmod N \big| \le Nc,$$
where $\bmod N$ denotes the representative in $[-N/2, N/2]$.

Proof. Write
$$(\langle x, v \rangle - \langle y, v \rangle) \bmod N = \langle x - y, v \rangle \bmod N, \qquad (11)$$
and $v = v' + \varepsilon$, where $v' \in (NL^*)_N$ and $\varepsilon$ is of minimal length, so that $\|\varepsilon\| = \mathrm{dist}(v, NL^*)$. Then by assumption $\|x - y\|\,\|\varepsilon\| \le Nc$. Since $x, y \in L$ we have $x - y \in L$, hence $\langle x - y, v' \rangle \equiv 0 \pmod N$ (an inner product of a vector of $L$ with a vector of $NL^*$ is $N$ times an integer).
Thus
$$\langle x - y, v \rangle \bmod N = \langle x - y, \varepsilon \rangle \bmod N, \qquad |\langle x - y, \varepsilon \rangle| \le \|x - y\|\,\|\varepsilon\|, \qquad (12)$$
where the inequality is Cauchy-Schwarz. Since $c \le 1/2$, the right-hand side is at most $N/2$, so reducing modulo $N$ does not change it, and by assumption
$$\big| (\langle x, v \rangle - \langle y, v \rangle) \bmod N \big| \le Nc. \qquad (13)$$
$\square$
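The SysNF machinery above is small enough to exercise by brute force in low dimension. The following is an added example, not code from the paper: it builds a toy SysNF lattice (Definition 20) with the membership test $v_1 \equiv \sum_{i \ge 2} b_i v_i \pmod N$, implements $\Phi_3$ of Claim 1 via the modular inverse of $1 + \sum b_i^2$, enumerates $\mathbb{F}_N^n$ to confirm Propositions 1 and 5 ($|L_N| = N^{n-1}$, $|(NL^*)_N| = N$) and that $\Phi_3$ is constant on cosets, and evaluates Fact 6 on a concrete pair of lattice points. The class and function names and the parameters $N = 11$, $b = (3, 5)$ are ours; $N$ must be prime.

```python
"""Added example (not the paper's code): a toy SysNF lattice, the map Phi_3 of
Claim 1, brute-force checks of Propositions 1 and 5, and an instance of Fact 6."""
import itertools
import math


class SysNF:
    """Lattice L(B) for B with first row (N, b_2, ..., b_n) and the identity below it."""

    def __init__(self, N, b):
        self.N, self.b, self.n = N, tuple(b), len(b) + 1
        self.c = (1 + sum(bi * bi for bi in self.b)) % N
        if self.c == 0:
            raise ValueError("SysNF requires 1 + sum b_i^2 != 0 (mod N)")
        self.c_inv = pow(self.c, -1, N)     # N prime, so the inverse exists (Python 3.8+)

    def basis(self):
        """Columns of B as integer vectors: (N, 0, ..., 0) and (b_i, e_i) for i >= 2."""
        cols = [[self.N] + [0] * (self.n - 1)]
        for i, bi in enumerate(self.b, start=1):
            col = [bi] + [0] * (self.n - 1)
            col[i] = 1
            cols.append(col)
        return cols

    def syndrome(self, x):
        """x_1 - sum_{i>=2} b_i x_i (mod N); zero exactly when x is in L_N."""
        return (x[0] - sum(bi * xi for bi, xi in zip(self.b, x[1:]))) % self.N

    def in_lattice(self, x):
        return self.syndrome(x) == 0

    def dual_point(self, a):
        """a * (1, -b_2, ..., -b_n) mod N: the point of (N L^*)_N indexed by a, eq. (7)."""
        return (a % self.N,) + tuple((-bi * a) % self.N for bi in self.b)

    def phi3(self, x):
        """Phi_3(x): the unique y in (N L^*)_N with x + y in L_N (Claim 1)."""
        a = (-self.syndrome(x) * self.c_inv) % self.N     # solves eq. (10) for a
        return self.dual_point(a)


def check_claim_1(lat):
    """Enumerate F_N^n; return (|L_N|, |(N L^*)_N|, Phi_3 correct on every point)."""
    N, n = lat.N, lat.n
    points = list(itertools.product(range(N), repeat=n))
    lattice = [x for x in points if lat.in_lattice(x)]
    dual = {lat.dual_point(a) for a in range(N)}
    hits = {y: 0 for y in dual}
    ok = True
    for x in points:
        y = lat.phi3(x)
        ok &= y in dual and lat.in_lattice([(xi + yi) % N for xi, yi in zip(x, y)])
        hits[y] += 1
    # Phi_3 is constant on cosets of L_N, so every dual point is hit |L_N| times.
    ok &= all(h == len(lattice) for h in hits.values())
    return len(lattice), len(dual), bool(ok)


def inner_product_drift(lat, x, y, a, eps):
    """Fact 6: for x, y in L_N and v = v' + eps with v' = dual_point(a), the centred
    residue of <x,v> - <y,v> mod N equals <x - y, eps> and is bounded by
    ||x - y|| * ||eps||.  Returns (|residue|, bound)."""
    N = lat.N
    v = [p + e for p, e in zip(lat.dual_point(a), eps)]
    t = sum(xi * vi for xi, vi in zip(x, v)) - sum(yi * vi for yi, vi in zip(y, v))
    residue = t - N * round(t / N)                      # representative in [-N/2, N/2]
    bound = math.dist(x, y) * math.sqrt(sum(e * e for e in eps))
    return abs(residue), bound


if __name__ == "__main__":
    lat = SysNF(11, (3, 5))                             # constructed toy parameters
    print("|L_N|, |(N L^*)_N|, Phi_3 ok:", check_claim_1(lat))
    print("Phi_3((0, 0, 1)) =", lat.phi3((0, 0, 1)))
    # x = (2,1,2) and y = (1,4,0) satisfy v_1 = 3 v_2 + 5 v_3 (mod 11); eps is a small real shift.
    print("Fact 6 residue, bound:", inner_product_drift(lat, (2, 1, 2), (1, 4, 0), 2, (0.1, -0.2, 0.05)))
```

With these parameters $1 + 3^2 + 5^2 = 35 \equiv 2 \pmod{11}$, so the inverse used by $\Phi_3$ is $6$; the Fact 6 call returns a residue of $0.8 = \langle x - y, \varepsilon \rangle$ against a Cauchy-Schwarz bound of about $0.857$.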

4 An Efficient Quantum Algorithm for $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$

4.1 Algorithm for the dual SysNF lattice

In this section we show a quantum algorithm that, given a SysNF lattice $L$ and a vector $v$, approximates the distance between $v$ and $NL^*$.

Algorithm 1.
Input $(B, u, s, \varepsilon)$: a SysNF basis $B$ with $N = \det(B)$, a vector $u \in \mathbb{F}_N^n$ (written $v$ in the steps below), and a parameter $s = \mathrm{poly}(n)$.
Define the Hilbert space $\mathcal{H} = \mathcal{H}_a \otimes \mathcal{H}_b \otimes \mathcal{H}_c$, each register holding a vector of $\mathbb{F}_N^n$ on $n \lceil \log N \rceil$ qubits. Define the interval $W_0 := [-\varepsilon, \varepsilon] \cdot N/(2\pi)$, and denote by $\{\Pi_v, I - \Pi_v\}$ the orthogonal projection onto the subspace of $\mathcal{H}_c$ whose value lies in $W_0$.
Execute the following steps $40\pi/\varepsilon^2$ times, and accept if and only if the number of unsuccessful runs is at most $\log(n)$:
1. Sample $a \leftarrow U[(NL^*)_N]$.
2. Generate an approximation of the quantum state $|\mathrm{sinc}_{\mathbb{F}_N^n,s,0}\rangle$ as $|\psi_0\rangle = |\phi_1\rangle \otimes \cdots \otimes |\phi_n\rangle$, where each $|\phi_i\rangle = F_N |N/s\rangle$ and $|N/s\rangle$ is the uniform superposition on the interval $[-N/(2s), N/(2s)] \subseteq \mathbb{F}_N$.
3. Apply the map $\Phi_3$ unitarily: $|x\rangle_a |0\rangle_b \mapsto |x + \Phi_3(x)\rangle_a |\Phi_3(x)\rangle_b$; denote the result by $|\psi_1\rangle$.
4. For each $x$ in $\mathcal{H}_a$, write the inner product $\langle x, v + a \rangle$ into $\mathcal{H}_c$; denote the result by $|\psi_2\rangle$.
5. Measure $\mathcal{H}_b$ in the computational basis; call the outcome $y$.
6. Measure $\mathcal{H}_c$ with $\{\Pi_v, I - \Pi_v\}$ and post-select on the state collapsing to $\mathrm{im}(\Pi_v)$. Uncompute the register $\mathcal{H}_c$. Denote the state by $|\psi_3\rangle$.
7. Apply $F_N^{\otimes n}$ to $|\psi_3\rangle$; denote the result by $|\psi_4\rangle$.
8. Apply the Hadamard test $H_{U_{v+a}}$:
   (a) Add an ancilla qubit in the initial state $|q_{anc}\rangle = \frac{1}{\sqrt 2}(|0\rangle + |1\rangle)$.
   (b) Apply $e^{2\pi i \langle y, v + a \rangle / N}\, U_{v+a}$ to $|\psi_4\rangle$, controlled on $q_{anc}$, where $y = \Phi_3(x)$ is the value measured in step 5.
   (c) Measure $q_{anc}$ in the Hadamard basis.
   (d) Declare success if $q_{anc}$ is in state $|0\rangle$, and otherwise fail.

Lemma 2 (Algorithm 1 decides $\mathrm{gapBDD}_{\gamma_1,\gamma_2}$ on the dual of a SysNF lattice). Fix a small constant $\alpha > 0$ as a parameter of the instance. Let $u$ be some vector in $\mathbb{F}_N^n$ and $B$ a SysNF matrix with $N = \det(B)$ and $\lambda_1(L(B))\ n$. Fix
$$a = \lambda_1(NL^*)/n^{3+2\alpha}, \qquad b = \lambda_1(NL^*)/n^{7+\alpha}, \qquad s = N\delta/(a\, n^{1+\alpha}), \qquad \varepsilon = n^{-1/2-\alpha}.$$
Upon input $(B, u, s, \varepsilon)$ the algorithm has the following behavior:
$$\text{YES:} \quad \mathrm{dist}(u, NL^*) \le b \;\Longrightarrow\; P_{\mathrm{YES}}(\text{accept}) \ge \tfrac{3}{8}\varepsilon^2,$$
$$\text{NO:} \quad \mathrm{dist}(u, NL^*) \in [a/2, a] \;\Longrightarrow\; P_{\mathrm{NO}}(\text{accept}) \le \delta \varepsilon^2 n^{-\alpha}/20.$$

4.2 Proof of Lemma 2

Parameters. Define the following polynomials: let $q_n = n$, $q_y = n^4 \varepsilon$, $p = n^{2+\alpha}$, and set $\delta = 1/(4\pi)$. Since $s = N\delta/(a\,n^{1+\alpha})$ and $a = \lambda_1(NL^*)/n^{3+2\alpha}$, we have $s = p\delta N/\lambda_1(NL^*) = p\delta/\lambda_1(L^*)$. Under these parameters,
$$\text{YES:} \quad \mathrm{dist}(u, NL^*) \le (N/s)\,\varepsilon\delta/q_y = b, \qquad (14)$$
$$\text{NO:} \quad \mathrm{dist}(u, NL^*) \in \big[(N/s)\,\varepsilon\delta/(2q_n),\ (N/s)\,\varepsilon\delta/q_n\big] = [a/2, a]. \qquad (15)$$

Efficient computation.

Proposition 6. Algorithm 1 runs in polynomial time.

Proof. Consider the computational steps of the algorithm. Step 3: $\Phi_3$ is computed efficiently by Claim 1. Steps 2 and 7: the $n$-fold tensor product QFT $F_N^{\otimes n}$ is computed as $n$ copies of the one-dimensional QFT, each of which is efficient by Fact 4. Step 4 is reversible classical arithmetic modulo $N$. It remains to show that the post-selection in step 6 succeeds with high probability. Consider the initial state, and let $\mathrm{sinc}^2(\mathbb{F}_N^n) = \sum_{x \in \mathbb{F}_N^n} \mathrm{sinc}_s^2(x)$. By construction, at step 2 we can write it, up to exponentially small error, as
$$|\psi_0\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{x \in \mathbb{F}_N^n} \mathrm{sinc}_{s,0}(x)\, |x\rangle_a |0\rangle_b |0\rangle_c.$$
Then the state $|\psi_1\rangle$ is
$$|\psi_1\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{x \in \mathbb{F}_N^n} \mathrm{sinc}_{s,0}(x)\, |x + \Phi_3(x)\rangle_a |\Phi_3(x)\rangle_b |0\rangle_c.$$
Substituting $x' = x + \Phi_3(x) \in L_N$ and $y = \Phi_3(x) \in (NL^*)_N$, so that $\mathrm{sinc}_{s,0}(x) = \mathrm{sinc}_{s,0}(x' - y) = \mathrm{sinc}_{s,y}(x')$, we can re-write $|\psi_1\rangle$ as
$$|\psi_1\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{y \in (NL^*)_N,\ x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b |0\rangle_c,$$
and so
$$|\psi_2\rangle = \frac{1}{\sqrt{\mathrm{sinc}^2(\mathbb{F}_N^n)}} \sum_{y \in (NL^*)_N,\ x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b\, |\langle x, v + a \rangle\rangle_c. \qquad (16)$$
By Fact 10, the state $|\psi_2\rangle$ has projection at least $2\varepsilon - O(1/s)$ on lattice vectors $x$ for which $\langle x, v + a \rangle \in W_0$. Hence with probability at least $\varepsilon/3$ the orthogonal measurement $\{\Pi_v, I - \Pi_v\}$ collapses $|\psi_2\rangle$ onto $\mathrm{im}(\Pi_v)$. $\square$

Very close vectors are accepted.

Proposition 7. Let $v \in \mathbb{F}_N^n$ and suppose that $\mathrm{dist}(v, NL^*) \le (N/s)(\varepsilon\delta)/q_y$. Then with probability at least $3\varepsilon^2/4$ the algorithm accepts.

Proof. Consider the state $|\psi_3\rangle$. By Equation (16), for the value $y \in (NL^*)_N$ measured in step 5 it is
$$|\psi_3\rangle \propto \sum_{x \in L_N:\ \langle x, v \rangle \in W_0} \mathrm{sinc}_{s,y}(x)\, |x\rangle_a |y\rangle_b |0\rangle_c.$$

Since registers $b, c$ are constant from this point on, we omit them from the representation. Consider the set of all lattice vectors $x \in L_N$ appearing in $|\psi_3\rangle$ together with the dual lattice point $y \in (NL^*)_N$. Let $t_1 = t_1(n) = n^2$ and $t_2 = t_2(n) = 3n^{-3}$ denote the factors from Fact 7 such that the projection of $|\mathrm{sinc}_{\mathbb{F}_N^n,s,0}\rangle$ on $\{x \in \mathbb{F}_N^n : \|x\| \le s\,t_1\}$ is at least $1 - t_2$. For any $y \in (NL^*)_N$ and $x_1, x_2 \in B_{s t_1}(y) \cap L$ we have, by the assumption of the YES case,
$$\mathrm{dist}(v, NL^*) \cdot \|x_1 - x_2\| \le \frac{N\varepsilon\delta}{s\,q_y} \cdot 2 s t_1 = 2N(\varepsilon\delta)\,t_1/q_y. \qquad (17)$$
This implies by Fact 6 that
$$\big| (\langle x_1, v \rangle - \langle x_2, v \rangle) \bmod N \big| \le 2N(\varepsilon\delta)\,t_1/q_y. \qquad (18)$$
Since $q_y \ge 4\pi\delta t_1$ we can consider the shrunk window
$$W_1 := W_0 \cdot \big(1 - 4\pi\delta t_1/q_y\big),$$
whose half-width is that of $W_0$, namely $\varepsilon N/(2\pi)$, minus the bound $2N\varepsilon\delta t_1/q_y$ of (18). In addition, for any $y \in (NL^*)_N$ let $y_{cv} \in L_N$ denote a closest vector to $y$ in $L_N$: $y_{cv}(y) = \mathrm{argmin}_{x \in L_N} \|y - x\|$. Suppose that $\langle y_{cv}, v \rangle \in W_1$. Then by Equation (18) and the triangle inequality,
$$\forall x \in B_{s t_1}(y) \cap L: \quad \langle x, v \rangle \in W_0. \qquad (19)$$
Let $D_2$ denote the classical probability distribution obtained by measuring the registers of $|\psi_2\rangle$. By the concentration of the $\mathrm{sinc}^2$ function in Fact 7 we have
$$P_{(x,y) \sim D_2}\big( x \in B_{s t_1}(y) \big) \ge 1 - t_2. \qquad (20)$$
Thus, together with Equation (19), and conditioned on $\langle y_{cv}, v \rangle \in W_1$, we can approximate the post-selected quantum state (on which $\mathcal{H}_c$ has been uncomputed) by the sinc function centered at the dual-lattice point $y \in (NL^*)_N$:
$$|\psi_3\rangle \propto \sum_{x \in L_N} \mathrm{sinc}_{s,y}(x)\, |x\rangle + E, \qquad \langle y_{cv}, v \rangle \in W_1, \quad \|E\|_2 \le t_2. \qquad (21)$$
We now upper bound the distance $\|y - y_{cv}\| = \mathrm{dist}(y, L_N)$. We have
$$\|y - y_{cv}\| \le \rho(L) \le \sqrt{n}\,\lambda_n(L) \le \frac{n\sqrt{n}}{\lambda_1(L^*)} = \frac{s\, n^{1.5}}{p\delta},$$
where the first inequality is by definition of the covering radius, the second is Proposition 2, the third is the transference bound of Fact 2, and the equality uses $s = p\delta/\lambda_1(L^*)$. Hence, by the triangle inequality, for any $x \in L_N$: $\|x - y_{cv}\| = \|x - y\| + O(s\,n^{1.5}/p)$. Hence, by Fact 8, $|\psi_3\rangle$ is at $\ell_2$-distance $O(t_2 + 8n^{2.5}p^{-1/3} + \rho/s)$ from a state which is a sinc function centered at $y_{cv} \in L_N$:
$$|\psi_3\rangle \propto \sum_{x \in L_N} \mathrm{sinc}_{s,y_{cv}}(x)\, |x\rangle + E, \qquad \langle y_{cv}, v \rangle \in W_1, \quad \|E\|_2 = O\big(t_2 + 8n^{2.5}p^{-1/3} + \rho/s\big). \qquad (22)$$
We shall disregard $E$ from now on to avoid clutter, and account for it at the end of the analysis.
Since $y_{cv} \in L_N$, we can express $|\psi_3\rangle$ as an (approximately) shifted copy of the origin-centered sinc state on $L_N$:
$$|\psi_3\rangle = U_{y_{cv}}\, |\mathrm{sinc}_{L_N,s,0}\rangle, \qquad \langle y_{cv}, v \rangle \in W_1, \qquad (23)$$

and so, by the shift/phase duality of Definition 15,
$$|\psi_4\rangle = F_N^{\otimes n} |\psi_3\rangle = F_N^{\otimes n} U_{y_{cv}} |\mathrm{sinc}_{L_N,s,0}\rangle \qquad (24)$$
$$= W_{y_{cv}} F_N^{\otimes n} |\mathrm{sinc}_{L_N,s,0}\rangle. \qquad (25)$$
Denote
$$F_N^{\otimes n} |\mathrm{sinc}_{L_N,s,0}\rangle = \sum_{x \in \mathbb{F}_N^n} g(x)\, |x\rangle. \qquad (26)$$
By Fact 5, $g$ is the $\mathcal{P}(NL^*)$-periodic function
$$\forall x \in \mathbb{F}_N^n: \quad g(x) = F^{-1}\big(\mathrm{sinc}_{L_N,s,0}\big)(x/N), \qquad (27)$$
namely the inverse Fourier transform of $\mathrm{sinc}_{L_N,s,0}$ (the sinc function supported on $L_N$) evaluated at the point $x/N$. Since $s/N = 2^{-\Omega(n)}$, extending the sinc from $L_N$ to all of $L$ changes it only by an exponentially small amount:
$$g(x) = F^{-1}\big(\mathrm{sinc}_{L,s,0} + E\big)(x/N), \qquad \sum_{x \in L} |E(x)|^2 = 2^{-\Omega(n)}. \qquad (28)$$
By Parseval's theorem, then,
$$g(x) = F^{-1}\big(\mathrm{sinc}_{L,s,0}\big)(x/N) + E'(x), \qquad \text{where} \quad \frac{1}{\det(\mathcal{P}(NL^*))} \int_{\mathcal{P}(NL^*)} |E'(x)|^2\, dx = 2^{-\Omega(n)}. \qquad (29)$$
So by Fact 3, for $x \in \mathcal{P}(NL^*)$,
$$g(x) = \mathrm{sq}_{1/s}(x/N) + E'(x) = \mathrm{sq}_{N/s}(x) + E'(x), \qquad (30)$$
which implies that, up to exponentially small error,
$$|\psi_4\rangle \propto W_{y_{cv}} \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{1/s,w}(x/N)\, |x\rangle \qquad (31)$$
$$= W_{y_{cv}} \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w}(x)\, |x\rangle \qquad (32)$$
$$= \sum_{w \in NL^*} \sum_{x \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w}(x)\, e^{2\pi i \langle x, y_{cv} \rangle / N}\, |x\rangle. \qquad (33)$$
Consider the Hadamard test of step 8 and the probability of measuring $0$ on the ancilla qubit. Since the value of the register $\mathcal{H}_b$ is $y$, the probability of acceptance is given by Proposition 3 as
$$\frac{1}{2}\Big( 1 + \mathrm{Re}\big( \langle \psi_4 |\, e^{2\pi i \langle y, v + a \rangle / N}\, U_{v+a}\, | \psi_4 \rangle \big) \Big). \qquad (34)$$
We can write the argument of the real part $\mathrm{Re}(\cdot)$, up to normalization, as
$$e^{2\pi i \langle y, v + a \rangle / N} \sum_{w_1, w_2 \in NL^*} \sum_{z \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w_1}(z)\, \mathrm{sq}_{N/s,w_2}(z + (v + a))\, e^{2\pi i \langle z, y_{cv} \rangle / N}\, e^{-2\pi i \langle z + (v + a), y_{cv} \rangle / N} \qquad (35)$$
$$= e^{2\pi i \langle v + a,\ y - y_{cv} \rangle / N} \sum_{w_1, w_2 \in NL^*} \sum_{z \in \mathbb{F}_N^n} \mathrm{sq}_{N/s,w_1}(z)\, \mathrm{sq}_{N/s,w_2}(z + (v + a)). \qquad (36)$$


More information

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based

More information

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Proving Hardness of LWE

Proving Hardness of LWE Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])

More information

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of

More information

The Euclidean Distortion of Flat Tori

The Euclidean Distortion of Flat Tori The Euclidean Distortion of Flat Tori Ishay Haviv Oded Regev June 0, 010 Abstract We show that for every n-dimensional lattice L the torus R n /L can be embedded with distortion O(n log n) into a Hilbert

More information

Finite-dimensional spaces. C n is the space of n-tuples x = (x 1,..., x n ) of complex numbers. It is a Hilbert space with the inner product

Finite-dimensional spaces. C n is the space of n-tuples x = (x 1,..., x n ) of complex numbers. It is a Hilbert space with the inner product Chapter 4 Hilbert Spaces 4.1 Inner Product Spaces Inner Product Space. A complex vector space E is called an inner product space (or a pre-hilbert space, or a unitary space) if there is a mapping (, )

More information

Lecture 2: From Classical to Quantum Model of Computation

Lecture 2: From Classical to Quantum Model of Computation CS 880: Quantum Information Processing 9/7/10 Lecture : From Classical to Quantum Model of Computation Instructor: Dieter van Melkebeek Scribe: Tyson Williams Last class we introduced two models for deterministic

More information

The Gaussians Distribution

The Gaussians Distribution CSE 206A: Lattice Algorithms and Applications Winter 2016 The Gaussians Distribution Instructor: Daniele Micciancio UCSD CSE 1 The real fourier transform Gaussian distributions and harmonic analysis play

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of

More information

Algorithmic Problems for Metrics on Permutation Groups

Algorithmic Problems for Metrics on Permutation Groups Algorithmic Problems for Metrics on Permutation Groups V. Arvind and Pushkar S. Joglekar Institute of Mathematical Sciences C.I.T Campus,Chennai 600 113, India {arvind,pushkar}@imsc.res.in Abstract. Given

More information

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio

CSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice

More information

Factoring integers with a quantum computer

Factoring integers with a quantum computer Factoring integers with a quantum computer Andrew Childs Department of Combinatorics and Optimization and Institute for Quantum Computing University of Waterloo Eighth Canadian Summer School on Quantum

More information

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors 1 / 15 Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert 1 Alon Rosen 2 1 SRI International 2 Harvard SEAS IDC Herzliya STOC 2007 2 / 15 Worst-case versus average-case

More information

Notes for Lecture 16

Notes for Lecture 16 COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as

More information

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem

Quantum Computing Lecture Notes, Extra Chapter. Hidden Subgroup Problem Quantum Computing Lecture Notes, Extra Chapter Hidden Subgroup Problem Ronald de Wolf 1 Hidden Subgroup Problem 1.1 Group theory reminder A group G consists of a set of elements (which is usually denoted

More information

QUANTUM COMPUTATION AND LATTICE PROBLEMS

QUANTUM COMPUTATION AND LATTICE PROBLEMS QUATUM COMPUTATIO AD LATTICE PROBLEMS ODED REGEV Abstract. We present the first explicit connection between quantum computation and lattice problems. amely, our main result is a solution to the Unique

More information

Math 121 Homework 5: Notes on Selected Problems

Math 121 Homework 5: Notes on Selected Problems Math 121 Homework 5: Notes on Selected Problems 12.1.2. Let M be a module over the integral domain R. (a) Assume that M has rank n and that x 1,..., x n is any maximal set of linearly independent elements

More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators

More information

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Quantum-secure symmetric-key cryptography based on Hidden Shifts Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering

More information

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups

More information

arxiv: v1 [cs.ds] 2 Nov 2013

arxiv: v1 [cs.ds] 2 Nov 2013 On the Lattice Isomorphism Problem Ishay Haviv Oded Regev arxiv:1311.0366v1 [cs.ds] 2 Nov 2013 Abstract We study the Lattice Isomorphism Problem (LIP), in which given two lattices L 1 and L 2 the goal

More information

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.

More information

An Introduction to Quantum Information and Applications

An Introduction to Quantum Information and Applications An Introduction to Quantum Information and Applications Iordanis Kerenidis CNRS LIAFA-Univ Paris-Diderot Quantum information and computation Quantum information and computation How is information encoded

More information

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra D. R. Wilkins Contents 3 Topics in Commutative Algebra 2 3.1 Rings and Fields......................... 2 3.2 Ideals...............................

More information

Limits on the Hardness of Lattice Problems in l p Norms

Limits on the Hardness of Lattice Problems in l p Norms Electronic Colloquium on Computational Complexity, Revision 1 of Report No. 148 (2006) Limits on the Hardness of Lattice Problems in l p Norms Chris Peikert 15 February, 2007 Abstract We show that several

More information

Classical hardness of the Learning with Errors problem

Classical hardness of the Learning with Errors problem Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness

More information

Faster Fully Homomorphic Encryption

Faster Fully Homomorphic Encryption Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010

More information

1 Fields and vector spaces

1 Fields and vector spaces 1 Fields and vector spaces In this section we revise some algebraic preliminaries and establish notation. 1.1 Division rings and fields A division ring, or skew field, is a structure F with two binary

More information

Spanning and Independence Properties of Finite Frames

Spanning and Independence Properties of Finite Frames Chapter 1 Spanning and Independence Properties of Finite Frames Peter G. Casazza and Darrin Speegle Abstract The fundamental notion of frame theory is redundancy. It is this property which makes frames

More information

Weaknesses in Ring-LWE

Weaknesses in Ring-LWE Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:

More information

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016 Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal

More information

Classical hardness of Learning with Errors

Classical hardness of Learning with Errors Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our

More information

Commutative Banach algebras 79

Commutative Banach algebras 79 8. Commutative Banach algebras In this chapter, we analyze commutative Banach algebras in greater detail. So we always assume that xy = yx for all x, y A here. Definition 8.1. Let A be a (commutative)

More information

Diophantine equations via weighted LLL algorithm

Diophantine equations via weighted LLL algorithm Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory

More information

SPRING 2006 PRELIMINARY EXAMINATION SOLUTIONS

SPRING 2006 PRELIMINARY EXAMINATION SOLUTIONS SPRING 006 PRELIMINARY EXAMINATION SOLUTIONS 1A. Let G be the subgroup of the free abelian group Z 4 consisting of all integer vectors (x, y, z, w) such that x + 3y + 5z + 7w = 0. (a) Determine a linearly

More information

Ideal Lattices and NTRU

Ideal Lattices and NTRU Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative

More information

Gentry s SWHE Scheme

Gentry s SWHE Scheme Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Chapter 1. Preliminaries. The purpose of this chapter is to provide some basic background information. Linear Space. Hilbert Space.

Chapter 1. Preliminaries. The purpose of this chapter is to provide some basic background information. Linear Space. Hilbert Space. Chapter 1 Preliminaries The purpose of this chapter is to provide some basic background information. Linear Space Hilbert Space Basic Principles 1 2 Preliminaries Linear Space The notion of linear space

More information

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP

Quantum algorithms (CO 781, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP Quantum algorithms (CO 78, Winter 2008) Prof. Andrew Childs, University of Waterloo LECTURE 6: Quantum query complexity of the HSP So far, we have considered the hidden subgroup problem in abelian groups.

More information

1, for s = σ + it where σ, t R and σ > 1

1, for s = σ + it where σ, t R and σ > 1 DIRICHLET L-FUNCTIONS AND DEDEKIND ζ-functions FRIMPONG A. BAIDOO Abstract. We begin by introducing Dirichlet L-functions which we use to prove Dirichlet s theorem on arithmetic progressions. From there,

More information

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)

Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic

More information

Fundamental Domains, Lattice Density, and Minkowski Theorems

Fundamental Domains, Lattice Density, and Minkowski Theorems New York University, Fall 2013 Lattices, Convexity & Algorithms Lecture 3 Fundamental Domains, Lattice Density, and Minkowski Theorems Lecturers: D. Dadush, O. Regev Scribe: D. Dadush 1 Fundamental Parallelepiped

More information

Linear Algebra. Min Yan

Linear Algebra. Min Yan Linear Algebra Min Yan January 2, 2018 2 Contents 1 Vector Space 7 1.1 Definition................................. 7 1.1.1 Axioms of Vector Space..................... 7 1.1.2 Consequence of Axiom......................

More information

Factoring on a Quantum Computer

Factoring on a Quantum Computer Factoring on a Quantum Computer The Essence Shor s Algorithm Wolfgang Polak wp@pocs.com Thanks to: Eleanor Rieffel Fuji Xerox Palo Alto Laboratory Wolfgang Polak San Jose State University, 4-14-010 - p.

More information

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity

Quantum Computing. 6. Quantum Computer Architecture 7. Quantum Computers and Complexity Quantum Computing 1. Quantum States and Quantum Gates 2. Multiple Qubits and Entangled States 3. Quantum Gate Arrays 4. Quantum Parallelism 5. Examples of Quantum Algorithms 1. Grover s Unstructured Search

More information

Exercises on chapter 1

Exercises on chapter 1 Exercises on chapter 1 1. Let G be a group and H and K be subgroups. Let HK = {hk h H, k K}. (i) Prove that HK is a subgroup of G if and only if HK = KH. (ii) If either H or K is a normal subgroup of G

More information

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g

More information

Hard Instances of Lattice Problems

Hard Instances of Lattice Problems Hard Instances of Lattice Problems Average Case - Worst Case Connections Christos Litsas 28 June 2012 Outline Abstract Lattices The Random Class Worst-Case - Average-Case Connection Abstract Christos Litsas

More information

0.2 Vector spaces. J.A.Beachy 1

0.2 Vector spaces. J.A.Beachy 1 J.A.Beachy 1 0.2 Vector spaces I m going to begin this section at a rather basic level, giving the definitions of a field and of a vector space in much that same detail as you would have met them in a

More information

David Hilbert was old and partly deaf in the nineteen thirties. Yet being a diligent

David Hilbert was old and partly deaf in the nineteen thirties. Yet being a diligent Chapter 5 ddddd dddddd dddddddd ddddddd dddddddd ddddddd Hilbert Space The Euclidean norm is special among all norms defined in R n for being induced by the Euclidean inner product (the dot product). A

More information

Ph.D. Qualifying Exam: Algebra I

Ph.D. Qualifying Exam: Algebra I Ph.D. Qualifying Exam: Algebra I 1. Let F q be the finite field of order q. Let G = GL n (F q ), which is the group of n n invertible matrices with the entries in F q. Compute the order of the group G

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

Linear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x

Linear Cyclic Codes. Polynomial Word 1 + x + x x 4 + x 5 + x x + x Coding Theory Massoud Malek Linear Cyclic Codes Polynomial and Words A polynomial of degree n over IK is a polynomial p(x) = a 0 + a 1 x + + a n 1 x n 1 + a n x n, where the coefficients a 0, a 1, a 2,,

More information