On the geometry of cyclic lattices

On the geometry of cyclic lattices

Lenny Fukshansky  and  Xun Sun Department of Mathematics, 850 Columbia Avenue, Claremont McKenna College, Claremont, CA 91711 lenny@cmc.edu School of Mathematical Sciences, Claremont Graduate University, Claremont, CA 91711 foxfur_32@hotmail.com
Abstract.

Cyclic lattices are sublattices of that are preserved under the rotational shift operator. Cyclic lattices were introduced by D. Micciancio in [16] and their properties were studied in the recent years by several authors due to their importance in cryptography. In particular, Peikert and Rosen [19] showed that on cyclic lattices in prime dimensions, the shortest independent vectors problem SIVP reduces to the shortest vector problem SVP with a particularly small loss in approximation factor, as compared to general lattices. In this paper, we further investigate geometric properties of cyclic lattices. Our main result is a counting estimate for the number of well-rounded cyclic lattices, indicating that well-rounded lattices are more common among cyclic lattices than generically. We also show that SVP is equivalent to SIVP on a positive proportion of Minkowskian well-rounded cyclic lattices in every dimension. As an example, we demonstrate an explicit construction of a family of such lattices on which this equivalence holds. To conclude, we introduce a class of sublattices of closed under the action of subgroups of the permutation group , which are a natural generalization of cyclic lattices, and show that our results extend to all such lattices closed under the action of any -cycle.

Key words and phrases:
cyclic lattices, well-rounded lattices, shortest vector problem
2010 Mathematics Subject Classification:
Primary: 11H06, 11H55; Secondary: 68Q17
The first author was partially supported by NSA Young Investigator Grant #1210223 and Simons Foundation grants #208969, 279155.

1. Introduction

Define the rotational shift operator on , , by

for every . We will write for iterated application of times for each (then is just the identity map, and ). It is also easy to see that (and hence each iteration ) is a linear operator. A sublattice of is called cyclic if , i.e. if for every , . Clearly, itself is a cyclic lattice. In fact, cyclic lattices come from ideals in the quotient polynomial ring . Let , then for some . Define a -module isomorphism given by

then for any ideal , is a sublattice of . Notice that for every ,

and so

and for any ,

since . In other words, is a cyclic lattice if and only if for some ideal . Cyclic lattices were introduced by D. Micciancio in [16] and [17] in the context of cryptographic algorithms and were further studied in [12], [19], among other sources. In fact, cyclic lattices are used in the well known NTRU cryptosystem [10], [9] (also see, for instance [22] and [23] for some details) and are further discussed in the context of post-quantum cryptography [3].

On the other hand, given a lattice of rank , we define its successive minima by

where is a unit ball centered at the origin in , and so

Let us write for the usual Euclidean norm on . There exists a collection of linearly independent vectors in such that for each ; we will refer to them as vectors corresponding to successive minima. When , there exists a basis for consisting of vectors corresponding to successive minima, which is a Minkowski reduced basis for ; this is not necessarily true for (see for instance [20]), but there are many lattices in higher dimensions as well for which it is true; following J. Martinet, we call such lattices Minkowskian. Notice also that  is the minimal norm of nonzero vectors in  and define the set of minimal vectors

The lattice  is called well-rounded (abbreviated WR) if , which is equivalent to saying that spans a subspace of  of dimension . A strictly stronger condition in general is: ; we will refer to it by saying that is . WR lattices are important in discrete optimization, in particular in the investigation of sphere packing, sphere covering, and kissing number problems (see [14]), as well as in coding theory (see [1]). Properties of WR lattices have also been investigated in [15] in connection with Minkowski’s conjecture and in [8] in connection with the linear Diophantine problem of Frobenius.

Let be the set of full-rank cyclic sublattices of . In this paper we discuss some geometric properties of lattices from , in particular establishing the following counting estimate on the number of well-rounded cyclic lattices.

Theorem 1.1.

Let , then there exists a constant depending only on dimension such that

(1)

as .

Remark 1.1.

By Minkowski Successive Minima Theorem (see, for instance Theorem 2.6.8 on p. 50 of [14]),

Hence

and analogously for subsets of consisting of or lattices.

When a direct argument can be applied to obtain a more explicit bound.

Theorem 1.2.

Let , then

(2)
Remark 1.2.

The estimate of Theorems 1.1 and 1.2 is of the same order of magnitude as the number of all (not only WR) ideal lattices from polynomial rings for irreducible polynomials under the same map as above (see [4]). On the other hand, the number of all cyclic lattices with successive minima grows like as , where is the number of divisors of : this is a special case of an estimate of the number of ideal lattices in a forthcoming paper by S. Kühnlein and the first author.

Lattice-based cryptographic algorithms heavily rely on the fact that the problem of finding , given an arbitrary basis matrix for , is NP-hard. For most lattices, the problem of finding all successive minima is strictly harder, however if the lattice is WR then the two problems are the same. On the other hand, the set of WR lattices has measure zero in the space of all lattices in a given dimension . The advantage of using cyclic lattices is that many of them can be constructed from a single vector (using its rotations), and hence the size of the input for a basis matrix of the lattice reduces from  to . While it is not clear whether the problem of finding still remains NP-hard, there are reasons to expect that for many cyclic lattices this problem is the same as that of finding all successive minima, i.e. many cyclic lattices are WR. In particular, in [19] the authors proved that in prime dimensions , the shortest independent vectors problem SIVP on cyclic lattices reduces to (a slight variant of) the shortest vector problem SVP by a polynomial-time algorithm with only a factor of 2 loss in approximation factor (compare to the factor of loss on general lattices; see Figure 1 on p. 140 of [18]). As a corollary of our proof of Theorem 1.1, we show that SVP and SIVP are equivalent on a positive proportion of Minkowskian well-rounded cyclic lattices in every dimension and exhibit a construction of a family of such lattices for which this equivalence holds. These results are given by Lemma 3.4, Remark 3.4 and Corollary 3.5.

The paper is organized as follows. In Section 2 we establish some preliminary results on distribution properties of cyclic lattices. In Section 3 we give a lower bound on the number of cyclic lattices with bounded successive minima, proving Theorem 1.1. Among WR cyclic lattices spanned by their shortest vectors, we specifically focus on those that are in fact spanned by rotations of a single shortest vector: for many such lattices all rotations of any shortest vector are linearly independent, and hence SIVP on these lattices is solved by taking a solution to SVP and all of its rotations. We prove Theorem 1.2 in Section 4. Here we follow the tactic of Section 3, but make the estimates more precise in dimension 2.

In Section 5 we extend our results to a more general class of lattices. Specifically, let be the group of permutations on elements. We can define an action of on by

(3)

for each and . We say that a lattice is -invariant (or invariant under ) for a fixed if . In particular, cyclic lattices are precisely the full-rank sublattices of invariant under the -cycle . The following statement about lattices invariant under arbitrary -cycles follows from our Theorem 1.1.

Corollary 1.3.

Let , let be an -cycle, and let be the set of all -invariant full-rank sublattices of . Then

(4)

as , for the same value of as in (1).

We prove Corollary 1.3 in Section 5 and conclude with some further questions about more general permutation invariant lattices. We are now ready to proceed.

2. Basic properties of cyclic lattices

Let be the set of full-rank cyclic sublattices of  spanned by vectors corresponding to their successive minima (when , ). In this section we start out by looking at the cyclic lattices generated by rotations of a single vector. Notice that for every , , therefore if is a cyclic lattice and , then for every (clearly ). Therefore cyclic lattices have large sets of minimal vectors, and so it is natural to expect that they are WR fairly often. In fact, it is clear that if and are linearly independent, then is WR. To state our first observation in this direction, we need some more notation.

Let , and define to be the polynomial of degree in whose coefficient vector is . Let also

be an matrix. Consider the lattice

and define the cyclic order of , denoted , to be the rank of . This means that precisely of the vectors are linearly independent, and so is a matrix of rank . While not every is necessarily generated by the vectors corresponding to its successive minima, lattices of the form  for are very common among cyclic lattices.

Lemma 2.1.

The vectors are linearly independent if and only if the polynomial does not have any common factors with .

Proof.

In this case is an circulant matrix corresponding to a vector . It is a well-known fact (see for instance [24]) that

where is an -th root of unity. Hence if and only if for some , which happens if and only if is divisible by the minimal polynomial of – that is, by some cyclotomic polynomial dividing . ∎

Remark 2.1.

An immediate consequence of Lemma 2.1 is that when  is prime, the vectors are linearly independent if and only if is not a multiple of or . See Section 2 of [19] for further results of this kind.

Let

for every , i.e., is a cube of side-length centered at the origin in . Recall that -th cyclotomic polynomial divides if and only if is a divisor of . For each divisor of , define the -th cyclotomic subspace to be

(5)

By Lemmas 2.3 and 2.4 of [19], is a subspace of of dimension

where is Euler’s -function. Then is a sublattice of of rank . Therefore

(6)

The lattice has rank if and only if the vectors are linearly independent, which happens if and only if the polynomial is not divisible by any cyclotomic polynomial for any , by Lemma 2.1. How often does this happen?

Lemma 2.2.

Let , then

(7)

where probability is with respect to the uniform distribution among all points in the set .

Proof.

By Lemma 2.1,

and the statement of the lemma follows by (6) combined with the observation that . ∎


3. General cyclic lattices

The main goal of this section is to prove Theorem 1.1. Recall that is the set of all cyclic full-rank sublattices of , while is the subset consisting of all lattices in which are spanned by the vectors corresponding to successive minima. Naturally, every lattice has a sublattice which is spanned by the vectors corresponding to successive minima of ; it is called a Minkowskian sublattice of . While Minkowskian sublattice may not be unique, there can only be finitely many of them, where an upper bound on this number depends only on . On the other hand, the index of a Minkowskian sublattice is also bounded above by a constant depending only on , and hence a given lattice in can be a Minkowskian sublattice for only finitely many lattices in  (see [13] and subsequent works of J. Martinet and his co-authors for more information on the index of Minkowskian sublattices). This means that the numbers of WR lattices in and have the same asymptotic order. Here we will construct large families of WR lattices in .

For a subspace which is closed under the rotational shift operator, define the set

(8)

and let us write for .

Lemma 3.1.

A lattice is of rank with if and only if . Moreover, for only finitely many  with an upper bound on their number, call it , depending only on the dimension of ; we will write for .

Proof.

The first assertion is clear from the definition of . The second assertion follows from a well known fact in the reduction theory of positive definite quadratic forms (see, for instance, Theorems 1.1-1.2 in Chapter 12 of [5]). ∎

For each , let be a ball of radius centered at the origin in , and let

It is easy to notice that if and only if , and hence is a homogeneously expanding domain. Moreover, is a symmetric bounded star body, and hence is Jordan-measurable. We write for , where is a ball of radius centered at the origin in .

Given a vector with , let be some fixed ordering of the vectors . Define the angle sequence of this ordering as follows: for each , let be the angle between and the subspace spanned by .

Lemma 3.2.

Let be an -dimensional subspace closed under the rotational shift operator. Assume that contains a vector with such that some ordering of its linearly independent rotations has the corresponding angle sequence satisfying the condition

(9)

for each , for some . Then , where the constant in the -notation depends on , , and .

Proof.

Let be the ordering of linearly independent rotations of with the corresponding angle sequence as in (9). Notice that , and so Theorem 1 of [2] guarantees that are minimal vectors in , hence .

Let and let

be the closed ball of radius centered at the origin in . Let and . Let be the rotations of corresponding to the rotations of . There exists a , depending on , small enough so that for every the angle sequence of still satisfies (9) with replaced by some . Then, as above, Theorem 1 of [2] guarantees that , i.e., , and so must have positive -dimensional volume. Since is a homogeneously expanding domain, we must have

which completes the proof of the lemma. ∎

Remark 3.1.

We will apply Lemma 3.2 to . Notice that the angle sequence of the rotations of the first standard basis vector satisfies the assumption of Lemma 3.2. Hence for every , by Lemma 3.2.

Remark 3.2.

There is also another way to look at the set with as in the statement of Lemma 3.2. For each , all rotations of have to be in , and so . Let

(10)

and notice that when . Define the corresponding Gram matrix

and let us write for the entires of this matrix, then

Notice that

(11)

and so all the distinct entries are represented in the first row. Furthermore,

(12)

for each , and hence the total number of distinct off-diagonal entries in the matrix  is at most ; all the diagonal entries . Now, if and only if is in the corresponding Minkowski reduction domain, which is known to be a convex polyhedral cone in  with a finite number of facets (see, for instance, Chapter 12 of [5] or [21]), and conditions (10), (11), (12) imply that would have to be in a specific section of this cone. On the other hand, given a Gram matrix , the basis matrix such that is uniquely determined up to an orthogonal transformation.

Lemma 3.3.

Let , and define

(13)

then

(14)

where the constants in the -notation depend only on .

Proof.

Let be as in Lemma 3.1, then

(15)

by Lemma 3.1. Theorem 2 on p. 128 of [11] asserts that

(16)

and so (14) follows by combining (16) with Lemma 3.2 and (15). ∎

Remark 3.3.

The boundary of the set is Lipschitz parameterizable, however that is not important for the application of Theorem 2 on p. 128 of [11] in the argument above, since we are only using the main term of the asymptotic formula in our inequalities, and Lemma 3.2 implies that there exist sets , with Lipschitz parameterizable boundaries (in fact, convex sets) such that for all .

Proof of Theorem 1.1.

The theorem now follows from the estimates of Lemma 3.3. ∎

Now we comment on the connection of our results to the equivalence of SVP and SIVP. Let

and let . Suppose that are linearly independent for every , then SIVP is equivalent to SVP on . In the next lemma we prove that this is true for a positive proportion of lattices in . Specifically, let

and define

for any .

Lemma 3.4.

As , we have

where the constant in -notation depends only on .

Proof.

Let , and suppose that is such that . Then for some . In other words, if and only if

(17)

Then

and since (17) is given by finitely many polynomial conditions, we have . ∎

Remark 3.4.

Lemma 3.4 then guarantees that

(18)

By our observation above, SVP and SIVP are equivalent on , and so the two problems are equivalent on a positive proportion of cyclic lattices in .

In fact, we can use the idea in the proof of Lemma 3.2 and Remark 3.1 to explicitly construct full-rank WR lattices of the form in  on which SVP and SIVP are equivalent.

Corollary 3.5.

Let be nonzero integers, , and

There exists a sufficiently large positive integer , depending only on the dimension , such that whenever , the lattice .

Proof.

Let be a positive integer, the choice of which is to be specified below, and let the rest of the notation be as in the statement of the corollary. Let , where

Taking sufficiently large, we can ensure that the angle sequence of the rotations of the vector  satisfies condition (9) for some , in which case  is a lattice of rank  with minimal norm equal to  by the same argument as in the proof of Lemma 3.2 and Remark 3.1.

We can assume that so that . We will now show that

(19)

Indeed, suppose

where , not all zero. Let , so for each

Then , the -th coordinate of , satisfies the inequalities

and so we have

Assume first that , then we have

Therefore we must have . If for only one , then . Hence assume there exist such that , then

which establishes (19). Then , and hence

meaning that each vector in has cyclic order . Thus . ∎

Remark 3.5.

To summarize, the main idea of Corollary 3.5 is to pick a rational vector  from a small ball centered at . Then the set of minimal vectors of  will consist only of rotations of  due to the fact that one coordinate of  strongly dominates others. Hence SVP and SIVP are equivalent on , and is similar to some full-rank WR cyclic sublattice of  because coordinates of are rational. Since a ball of positive radius centered at contains infinitely many rational points, infinitely many mutually non-similar lattices with this equivalence property can be constructed this way.


4. Cyclic lattices in the plane

In this section we prove Theorem 1.2. Recall that every planar cyclic lattice is spanned by vectors corresponding to its successive minima. Furthermore, for a sublattice of , or 4, and is WR if and only if . If is not WR, then and the vectors corresponding to first and second successive minima are unique (up to sign): this follows, for instance, from the second Theorem and discussion after it on p. 203 of [6].

Lemma 4.1.

A lattice is WR if and only if either for some or for some . On the other hand, is not WR if and only if for some distinct positive integers .

Proof.

If for some , then and the vectors are linearly independent. If for some , then

In both cases, it is clear that is WR.

Suppose then that is WR, then and contains a basis for . Let . First assume has rank 2, then are linearly independent, and hence form a basis for . Therefore . Next suppose that has rank 1, then for some , which easily implies that , and so for some . Since is WR, there must exist such that . Then is also in , and since , we must have and , meaning that . Then , and so

This completes the proof of the first statement.

The second statement follows immediately from the observation that  has precisely two cyclotomic subspaces:

For , let be as in (13) for , and define

We can now use Lemma 4.1 to estimate the functions  and .

Lemma 4.2.

Let , then

(20)
(21)
Proof.

First assume for some . Notice that we can assume without loss of generality that . The condition that form a Minkowski reduced basis amounts to satisfying the following condition (see, for instance, Note 1 on p. 257 of [5]):

This means that either

(22)

or

(23)

First consider the (22) situation, then there are the following two options:

  1. ,

  2. .

Notice that satisfy option (1) if and only if satisfy option (2), hence they correspond to the same lattice . Next consider the (23) situation, then there are the following two options:

  1. ,

  2. .

Again, satisfy option (3) if and only if satisfy option (4), hence they correspond to the same lattice . Notice also that for each pair satisfying options (1) and (2), there is precisely one pair satisfying options (3) and (4). Hence we will only count vectors with satisfying (1) and multiply this number by 2. Therefore:

(24)

where

Using (24), we now give quick estimates on . A higher degree of precision is easily possible here, but we choose in favor of simplicity. Notice that

(25)

On the other hand,

(26)