CSE 206A: Lattice Algorithms and Applications Winter 2016 The Gaussians Distribution Instructor: Daniele Micciancio UCSD CSE 1 The real fourier transform Gaussian distributions and harmonic analysis play a fundamental role both in the design of lattice-based cryptographic functions, and the theoretical study of lattice problems. For any function f: R n C such that f(x) dx <, the fourier transform of f is defined as f(y) = f(x) e 2πi x,y dx n where i = 1 is the imaginary unit and e 2πiz = cos( z z )+i sin( ) the exponential function 2π 2π from the unit interval z R/Z [0, 1) to the unit circle on the complex plane e 2πiz {c C : c = 1}. So, the fourier transform is also a function f: R n C from the euclidean space R n to the complex numbers. The gaussian function ρ(x) = e π x 2 naturally arises in harmonic analysis as an eigenfunction of the fourier transform operator. Lemma 1 The gaussian function ρ(x) = e π x 2 euals its fourier transform ρ(x) = ρ(x). Proof. It is enough to prove the statement in dimension n = 1, as the general statement follows by ρ(y) = ρ(x)e 2πi x,y dx n = ρ(x k )e 2πix ky k dx = k = k n k ρ(x)e 2πixy k dx ρ(y k ) = ρ(y). So, let ρ(x) = e πx2 the one-dimensional gaussian. We compute ρ(y) = ρ(x)e 2πixy dx = e π(x2 +2ixy) dx = e πy2 e π(x+iy)2 dx y = ρ(y) ρ(x) dx. +iy
Finally, we observe that ρ(x) dx = ρ(x) dx by Cauchy s theorem, and +iy ρ(x) dx = = ρ(x 1 ) dx 1 ρ(x 2 ) dx 2 x 1 R x 2 R ρ(x) dx = 2πrρ(r) dr = 1 2 r=0 where the last euality follows from the fact that ρ (r) = 2πr ρ(r). We note that in other settings the gaussian distribution is often defined as g(x) = e 1 2 x2, which is the same as ρ, but with a different scaling factor. Using g(x) corresponds to normalizing the standard deviation x g(x)2 dx = 1, but introduces a scaling factor when taking the fourier transform of g. As we will make extensive use of the fourier transform, in lattice cryptography it is typically preferable to use ρ(x) = e πx2 as the standard gaussian function, so that ρ = ρ. The standard deviation of ρ is n ρ(x) 2 dx = n 2π. The following properties of the fourier transform easily follow from the definition. Lemma 2 Any function f with n f(x) < satisfies the following properties: 1. for any nonsingular suare matrix T, if h(tx) = f(x) then ĥ(y) = det(t) f(t t y). 2. if h(x) = f(x + v), then ĥ(y) = f(y) e 2πi v,y. 3. if h(x) = f(x) e 2πi x,v, then ĥ(y) = f(y v). Proof. For the first property, we have ĥ(y) = h(z) e 2πi z,y dz = z R n f(t 1 z) e 2πi z,y dz. z R n Making a change of variable z = Tx, the last expression euals det(t) f(x) e 2πi x,tty dx = det(t) f(t t y). n The other two properties are proved similarly, using the definition of the fourier transform, and applying an appropriate change of variable. Less trivial to prove is the following result, known as Poisson summation formula. The theorem reuires f to satisfy appropriate regularity conditions. We will apply the theorem only to the gaussian function ρ(x), and other functions obtained from it by the simple change of variables described in Lemma 2. These functions behave in the nicest possible way with respect to the fourier transform, so we do not explicitly state necessary reuirements on the function f.
Theorem 3 If f(z n ) = x Z n f(x), and similarly for f(z n ), then f(z n ) = f(z n ). Proof. Let f: R n C and define the periodic function ϕ(x) = f(x+z n ) = y Z f(x+y). n Notice that ϕ(x) = ϕ(x mod y) for any y Z n, i.e., ϕ is periodic modulo 1, and can be euivalently described as a function from [0, 1) n to C. The fourier series of a periodic function ϕ: [0, 1) n C is defined as ϕ(z) = ϕ(x) e 2πi x,z dx x [0,1) n for any z Z n. The fourier inversion theorem for periodic functions states that if ϕ is sufficiently nice, it can be recovered from its fourier series ϕ(x) = z Z n ϕ(z) e 2πi z,x. We will need this inversion formula only to evaluate ϕ at 0, giving f(z n ) = ϕ(0) = z Z n ϕ(z) e 0 = ϕ(z n ). Next we compute the fourier coefficients ϕ(z) = ϕ(x) e 2πi x,z dx x [0,1) n = f(x + w) e 2πi x,z dx. x [0,1) n w Z n Since x e 2πi x,z is also periodic modulo 1, the last expression euals f(x + w) e 2πi x+w,z dx = f(x) e 2πi x,z dx = f(z) x [0,1) n w Z n n i.e., the fourier series of the periodic function ϕ euals the fourier tranform of f at integer points z Z n. So, f(z n ) = ϕ(z n ) = f(z n ). The theorem is easily generalized to arbitrary lattices. Corollary 4 For any lattice Λ, f(λ) = det(λ ) f(λ ) where f(λ) = x Λ f(x), and similarly for f(λ ).
Proof. We may assume without loss of generality that Λ is a full dimensional lattice. Let B be a basis of Λ, so that the lattice can be written as BZ n, and let h(x) = f(bx). Then, using the previous theorem, we have f(λ) = h(z n ) = ĥ(zn ) = det(b 1 )h(b t Z n ) = det(λ )h(λ ). We know from the proof of Lemma 1 that ρ(x) dx = 1. So, the gaussian function can be x interpreted as a probability distribution over R n. Lattice cryptography uses a discrete version of this probability distribution which selects points from a lattice x Λ with probability proportional to ρ(x). Definition 5 For any lattice Λ, the discrete gaussian probability distribution D Λ is the probability distribution over Λ that selects each lattice point x Λ with probability Pr{x} = ρ(x)/ρ(λ), where ρ(λ) = x Λ ρ(x) is normalization factor. Informally (or even formally, with some effort) one can think of the discrete gaussian distribution D Λ as the conditional distribution of the continuous gaussian distribution Pr{x} = ρ(x) on R n, conditioned on the event that x Λ is a lattice point. The reason we state this informally is that the event of picking a lattice point x Λ when choosing x according to a continuous probability distribution has zero probability. So, giving a formal definition of conditional distribution can be tricky. Luckily, none of this is needed, as we will work only with discrete distributions. 2 Fourier analysis of finite groups Harmonic analysis in R n reuires sensible assumptions on the function f to guarantee convergence and the validity of the fourier inversion formula. Fortunately, in lattice cryptography, we will deal primarity with discrete probability distributions and the fourier transform over finite groups. This allows for a much simpler treatment, using linear algebra. We start with the simple case of a finite cyclic group Z = Z/Z of the integers modulo. It will be useful to think of Z in concrete terms as the uotient between Z and its subgroup Z, and think these two sets as two lattices. Any finite abelian group can be expressed as a uotient Λ/Λ, where Λ is a lattice and Λ is a full rank sublattice of Λ. As we will see, much of what we will prove for Z applies also to the uotient Λ/Λ between to lattices, and therefore holds for arbitrary abelian groups. Notice that the same group can be expressed as the uotiend of two lattices in different ways. For example the group Z can also be represented as the uotient between Z and 1 Z, and sometimes it is convenient to use this other representation. Since Z/ 1 Z is obtained just by scaling both lattices in Z/Z by a factor 1, we abbreviate it as 1Z. So, 1Z is just the same group as Z, but with the elements represented as multiples of 1 in the range [0, 1).
The set of functions V = (Z C) is a -dimensional vector space over the field C of complex numbers. This vector space has an inner product defined as f, g = E x Z [f(x) g(x)] = 1 f(x) g(x) x Z where a + ib = a ib C is the complex conjugation operation, for a, b R. Consider the family of functions χ x (y) = e 2πxy. Notice that if x 1Z = Z/ 1 Z, then χ x (y) is periodic modulo. So, it defines a function from Z to C. The following lemma shows that this set of functions is an orthonormal basis for Z C. Lemma 6 For any x, y 1 Z, χ x, χ y = { 1 if x = y 0 otherwise Proof. By definition χ x, χ y = 1 z Z e 2πi(x y)z. If x = y, then e 2πi(x y)z = e 0 = 1, and χ x, χ y = 1. On the other hand, if x y, then e 2πi(x y) 1 and 1 e 2πi(x y)z = e2πi(x y) 1 = 0 e 2πi(x y) 1 z=0 and χ x, χ y = 0. The functions χ x with x 1 Z are called the characters of the group Z, and, since there are precisely of them, they form an orthonormal basis for V = Z C. In particular, any function can be expressed as a linear combination of the characters f(x) = y f, χ y χ y (x). Notice the similarity between the coefficients f(y) = f, χ y = 1 f(x) e 2πixy x Z and the definition of the real fourier transform of a function. The function f(y) mapping each y 1 Z to the corresponding coefficient f, χ y is called the (discrete) fourier transform of f, and the set of characters χ y is called the fourier basis. Expressing the function f with respect to the fourier basis can be rewritten as f(x) = y f(y)e 2πixy
giving a fourier inversion formula. Everything easily extends to arbitrary abelian groups, but before moving on, it is useful to pay some attention to the way we represented group elements for the index y 1 Z and input x Z of the group characters χ y (x). If we think of G = Λ/Γ as the uotient of two lattices Λ = Z and Γ = Z Λ, then 1 Z is precisely the dual group of G, which can be formally defined as the uotient Ĝ = Γ /Λ between the dual lattices Γ = 1 Z and Λ = Z. (Notice that in order to take the uotient we need also to reverse the position of the two lattices, so that Λ Γ.) Now let us move to the product of cyclic groups G = k Z k = Z n /( k ( k Z)), and the set of functions from G to C. In this more general setting, the fourier basis is given by the characters χ y (x) = e 2πi x,y for y Ĝ = k ( 1 k Z ) = ( k 1 k Z)/Z n. Here x, y = k x k y k is just the usual dot product between vectors. It is only the inner product of functions f, g = E x G [f(x) g(x)] that is normalized by the group size k k, so that the characters have norm χ 2 = χ, χ = 1. As before, characters are mutually orthogonal because χ x, χ y = k χ xk, χ yk and the product vanishes as soon as x k = y k for some k. So, we define the discrete fourier transform of a function f: G C as before f(y) = f, χ y = 1 f(x) e 2πi x,y giving the fourier inversion formula x G f(x) = y Ĝ f, χ y χ y (x) = y Ĝ f(y) e 2πi x,y. Every uotient of two (full rank) lattices G = Λ/Γ with Γ Λ is a finite abelian group, and any abelian group can be represented as a product of cyclic groups. So, this is all we need to deal with uotients between any two arbitrary (full rank) lattices Γ Λ. But it is useful to give a general formulation of everything we have proved so far directly in terms of lattices. In the most general setting, we start from a lattice Λ and a full rank sublattice Γ Λ, which define a finite abelian group G = Λ/Γ and its dual Ĝ = Γ /Λ. The set of all functions G C is a G -dimensional vector space over C with an inner product f, g = E x G [f(x) g(x)] = 1 G f(x) g(x) x G
and orthonormal basis χ y (x) = e 2π x,y for y Ĝ. The discrete fourier transform of f: G C is the function f(y) = f, χ y from Ĝ to C and it satisfies the fourier inversion formula f(x) = f(y) y Ĝ χ y (x). 3 Gaussian sums Poisson summation formula can be used to prove several interesting bounds on gaussian sums over lattices. Lemma 7 For any lattice Λ and real s 1, ρ(λ/s) s n ρ(λ) Proof. By the Poisson summation formula, and using ρ(sx) ρ(x), we get ρ(λ/s) = det(sλ )ρ(sλ ) s n det(λ )ρ(λ ) = s n ρ(λ). Lemma 8 For any lattice coset Λ + u, ρ(λ + u) ρ(λ). Proof. Recall that if f(x) = ρ(x + v) then f(y) = e 2πi y,v ρ(y). Using Poisson summation formula and triangle ineuality we get ρ(λ + u) = det(λ ) ρ(y) exp(2πi y, u ) y Λ det(λ ) y Λ ρ(y) = ρ(λ). An immediate conseuence of the above lemma is that for any lattices Λ Λ, the gaussian probability distribution (D Λ mod Λ) over the uotient group Λ /Λ is maximized at 0 mod Λ. Using these bounds we can easily prove several tail ineualities on the norm of vectors chosen according to a discrete Gaussian distribution. Lemma 9 For any lattice coset Λ + c and halfspace H = {x : x, h h 2 }, ρ((λ + c) H) ρ(h) ρ(λ + c h).
Proof. If I H (x) the indicator function of H, then we have ρ((λ + c) H) = ρ(x) I H (x) x Λ+c x Λ+c ρ(x) = ρ(h) x Λ+c exp(2π x, h ) exp(2π h 2 ) ρ(x h) = ρ(h)ρ(λ + c h) Using a union bound over all standard unit vectors ±e i, gives a tail ineuality on the infinity norm of a vector chosen according to the discrete gaussian distribution from an n-dimensional lattice. Corollary 10 For any n-dimensional lattice Λ, if x D Λ then Pr { x t} 2n exp( πt 2 ). As a special case, using the scaled integer lattice Λ = Z/s, we get a tail bound for gaussian samples from Z. Corollary 11 If x D Z,s, then Pr{ x st} 2 exp( πt 2 ). Theorem 12 For any lattice coset Λ + c and α 1, where B(r) = {x R n : x r}. ρ((λ + u) \ B(α ( ) α 2 n/2 n/(2π))) ρ(λ) exp(α 2 1) Proof. If I r (x) is the characteristic function of B(r), then for any 0 < t < π and r = α n/(2π) we have ρ((λ + u) \ B(r)) = x Λ+c x Λ+c ρ(x)(1 I r (x)) ρ(x) exp(t x 2 ) exp(tr 2 ) = exp( tr 2 )ρ( 1 t/π (Λ + c)) exp( tr 2 )ρ( 1 t/π (Λ)) exp( tr 2 ) (1 t/π) n/2 ρ(λ))
This function is minimized at t = π n/(2r 2 ) 0, which gives the bound in the theorem. Notice that the base α 2 / exp(α 2 1) of the exponential factor in the above theorem is monotonically decreasing for α 1, and euals α 2 / exp(α 2 1) = 1 when α = 1. Corollary 13 For any α 1, if x D Λ then { } ( ) n α 2 n/2 Pr x α. 2π exp(α 2 1) Also this corollary can be used to bound the probability that x D Z,s is bigger than x > st. 4 The smoothing parameter Definition 14 For any lattice Λ, the ɛ-smoothing parameter of a lattice Λ is the smallest s > 0 such that ρ(sλ ) 1 + ɛ. Informally, the smoothing parameter is the amount of (gaussian) noise that needs to be added to a lattice to obtain a uniformly distributed point in space, as formalized in the next theorem. Lemma 15 For any lattice coset Λ + u, if η ɛ (Λ) 1 then ρ(λ + u) [1 ± ɛ] det(λ ). Proof. Assume η ɛ (Λ) 1, or, euivalently, ρ(λ ) 1 + ɛ. Then ρ(λ + u) det(λ ) = det(λ ) ρ(y) exp(2πi y, u ) 1 y Λ = det(λ ) ρ(y) exp(2πi y, u ) y Λ \{0} det(λ ) ρ(y) y Λ \{0} = det(λ ) (ρ(λ ) 1) ɛ det(λ ). It is clear from the definition that for any lattice Λ and scalar c > 0, η ɛ (cλ) = cη ɛ (Λ). Next, we turn to evaluating the smoothing parameter of a lattice. We begin with the integer lattice.
Lemma 16 For any ɛ > 0, we have 1 + 2 exp(πs 2 ) ρ(sz) 1 + 2 exp(πs 2 ) 1 ln(2/ɛ) π ln(1 + 2/ɛ) η ɛ (Z). π Proof. For the lower bound, we restrict the summation to the integers { 1, 0, 1} Z: ρ(sz) ρ(s{ 1, 0, 1}) = 1 + 2ρ(s) = 1 + 2 exp(πs 2 ). For the upper bound, we extend the summation over Z = { n : n Z} Z: ρ(sz) ρ(s Z) = 1 + 2 k 1 exp( πs 2 ) k = 1 + 2 exp(πs 2 ) 1. Setting the bound to 1 + ɛ and solving for s gives upper and lower bounds on η ɛ (Z). In order to bound the smoothing parameter of arbitrary lattices, we look at how the smoothing parameter interacts with orthogonalization. Notice that for any mutually orthogonal lattice Λ 1, Λ 2 = {0}, the dual of the sum (Λ 1 + Λ 2 ) euals the sum of the duals Λ + Λ, and therefore ρ((λ 1 + Λ 2 ) ) = ρ(λ 1 + Λ 2) = ρ(λ 1)ρ(Λ 2). So, if s = η ɛ1 (Λ 1 ) = η ɛ2 (Λ 2 ), then s = η ɛ (Λ 1 + Λ 2 ) for ɛ = ɛ 1 + ɛ 2 + ɛ 1 ɛ 2. This already gives a way to bound the smoothing parameter of lattices that have an orthogonal basis. But most lattices do not have such a basis, so we need one more tool. For the general case, we use the fact that orthogonalizig a lattice can only increase its smoothing parameter. Theorem 17 For any lattice basis B with Gram-Schmidt orthogonalization B and ɛ > 0, η ɛ (L(B)) η ɛ (L(B )). The theorem is proved using Lemma 8, by induction on the dimension, using the relation between the orthogonalization of B and the orthogonalization (in reverse order) of its dual basis. The details of the proof are left as an exercise.