The Gaussians Distribution 1 the Real Fourier Transform
Total Page:16
File Type:pdf, Size:1020Kb
CSE 206A: Lattice Algorithms and Applications Winter 2016 The Gaussians Distribution Instructor: Daniele Micciancio UCSD CSE 1 The real fourier transform Gaussian distributions and harmonic analysis play a fundamental role both in the design of lattice-based cryptographic functions, and the theoretical study of lattice problems. For any function f: n ! such that R jf(x)j dx < 1, the fourier transform of f is defined as R C x2R Z fb(y) = f(x) · e−2πihx;yi dx x2 n p R 2πiz z z where i = −1 is the imaginary unit and e = cos( 2π )+i sin( 2π ) the exponential function from the unit interval z 2 R=Z ≈ [0; 1) to the unit circle on the complex plane e2πiz 2 fc 2 C : jcj = 1g. So, the fourier transform is also a function fb: Rn ! C from the euclidean 2 space Rn to the complex numbers. The gaussian function ρ(x) = e−πkxk naturally arises in harmonic analysis as an eigenfunction of the fourier transform operator. −πkxk2 Lemma 1 The gaussian function ρ(x) = e equals its fourier transform ρb(x) = ρ(x). Proof. It is enough to prove the statement in dimension n = 1, as the general statement follows by Z −2πihx;yi ρb(y) = ρ(x)e dx x2Rn Z Y −2πixkyk = ρ(xk)e dx n x2R k Y Z = ρ(x)e−2πixyk dx k x2R Y = ρb(yk) = ρ(y): k So, let ρ(x) = e−πx2 the one-dimensional gaussian. We compute Z −2πixy ρb(y) = ρ(x)e dx x2R Z = e−π(x2+2ixy) dx x2R Z = e−πy2 e−π(x+iy)2 dx y Z = ρ(y) ρ(x) dx: x2R+iy Finally, we observe that R ρ(x) dx = R ρ(x) dx by Cauchy's theorem, and x2R+iy x2R Z sZ Z ρ(x) dx = ρ(x1) dx1 · ρ(x2) dx2 x2R x12R x22R sZ sZ 1 = ρ(x) dx = 2πrρ(r) dr = 1 x2R2 r=0 0 where the last equality follows from the fact that ρ (r) = −2πr · ρ(r). − 1 x2 We note that in other settings the gaussian distribution is often defined as g(x) = e 2 , which is the same as ρ, but with a different scaling factor. Using g(x) corresponds to q R 2 normalizing the standard deviation x g(x) dx = 1, but introduces a scaling factor when taking the fourier transform of g. As we will make extensive use of the fourier transform, in lattice cryptography it is typically preferable to use ρ(x) = e−πx2 as the \standard" gaussian q function, so that ρ = ρ. The standard deviation of ρ is R ρ(x)2 dx = p n . b x2Rn 2π The following properties of the fourier transform easily follow from the definition. Lemma 2 Any function f with R jf(x)j < 1 satisfies the following properties: x2Rn 1. for any nonsingular square matrix T, if h(Tx) = f(x) then bh(y) = det(T) · fb(Tty). 2. if h(x) = f(x + v), then bh(y) = fb(y) · e2πihv;yi. 3. if h(x) = f(x) · e2πihx;vi, then bh(y) = fb(y − v). Proof. For the first property, we have Z Z bh(y) = h(z) · e−2πihz;yi dz = f(T−1z) · e−2πihz;yi dz: z2Rn z2Rn Making a change of variable z = Tx, the last expression equals Z t det(T) f(x) · e−2πihx;T yi dx = det(T)fb(Tty): x2Rn The other two properties are proved similarly, using the definition of the fourier transform, and applying an appropriate change of variable. Less trivial to prove is the following result, known as Poisson summation formula. The theorem requires f to satisfy appropriate regularity conditions. We will apply the theorem only to the gaussian function ρ(x), and other functions obtained from it by the simple change of variables described in Lemma 2. These functions behave in the nicest possible way with respect to the fourier transform, so we do not explicitly state necessary requirements on the function f. Theorem 3 If f( n) = P f(x), and similarly for f( n), then Z x2Zn b Z n n f(Z ) = fb(Z ): Proof. Let f: n ! and define the periodic function '(x) = f(x+ n) = P f(x+y). R C Z y2Zn Notice that '(x) = '(x mod y) for any y 2 Zn, i.e., ' is periodic modulo 1, and can be equivalently described as a function from [0; 1)n to C. The fourier series of a periodic function ': [0; 1)n ! C is defined as Z −2πihx;zi 'b(z) = '(x) · e dx x2[0;1)n for any z 2 Zn. The fourier inversion theorem for periodic functions states that if ' is sufficiently nice, it can be recovered from its fourier series X 2πihz;xi '(x) = 'b(z) · e : z2Zn We will need this inversion formula only to evaluate ' at 0, giving n X 0 n f(Z ) = '(0) = 'b(z) · e = 'b(Z ): z2Zn Next we compute the fourier coefficients Z −2πihx;zi 'b(z) = '(x) · e dx x2[0;1)n Z X = f(x + w) · e−2πihx;zi dx: x2[0;1)n w2Zn Since x 7! e−2πihx;zi is also periodic modulo 1, the last expression equals Z X Z f(x + w) · e−2πihx+w;zi dx = f(x) · e−2πihx;zi dx = fb(z) x2[0;1)n x2 n w2Zn R i.e., the fourier series of the periodic function ' equals the fourier tranform of f at integer n n n n points z 2 Z . So, f(Z ) = 'b(Z ) = fb(Z ). The theorem is easily generalized to arbitrary lattices. Corollary 4 For any lattice Λ, f(Λ) = det(Λ∗)fb(Λ∗) P ∗ where f(Λ) = x2Λ f(x), and similarly for fb(Λ ). Proof. We may assume without loss of generality that Λ is a full dimensional lattice. Let B be a basis of Λ, so that the lattice can be written as BZn, and let h(x) = f(Bx). Then, using the previous theorem, we have n n −1 −t n ∗ ∗ f(Λ) = h(Z ) = h^(Z ) = det(B )h(B Z ) = det(Λ )h(Λ ): R We know from the proof of Lemma 1 that x ρ(x) dx = 1. So, the gaussian function can be interpreted as a probability distribution over Rn. Lattice cryptography uses a discrete version of this probability distribution which selects points from a lattice x 2 Λ with probability proportional to ρ(x). Definition 5 For any lattice Λ, the discrete gaussian probability distribution DΛ is the prob- ability distribution over Λ that selects each lattice point x 2 Λ with probability Prfxg = P ρ(x)/ρ(Λ), where ρ(Λ) = x2Λ ρ(x) is normalization factor. Informally (or even formally, with some effort) one can think of the discrete gaus- sian distribution DΛ as the conditional distribution of the continuous gaussian distribution Prfxg = ρ(x) on Rn, conditioned on the event that x 2 Λ is a lattice point. The reason we state this informally is that the event of picking a lattice point x 2 Λ when choosing x according to a continuous probability distribution has zero probability. So, giving a formal definition of conditional distribution can be tricky. Luckily, none of this is needed, as we will work only with discrete distributions. 2 Fourier analysis of finite groups Harmonic analysis in Rn requires sensible assumptions on the function f to guarantee conver- gence and the validity of the fourier inversion formula. Fortunately, in lattice cryptography, we will deal primarity with discrete probability distributions and the fourier transform over finite groups. This allows for a much simpler treatment, using linear algebra. We start with the simple case of a finite cyclic group Zq = Z=qZ of the integers modulo q. It will be useful to think of Zq in concrete terms as the quotient between Z and its subgroup qZq, and think these two sets as two lattices. Any finite abelian group can be expressed as a quotient Λ=Λ0, where Λ is a lattice and Λ0 is a full rank sublattice of Λ. As 0 we will see, much of what we will prove for Zq applies also to the quotient Λ=Λ between to lattices, and therefore holds for arbitrary abelian groups. Notice that the same group can be expressed as the quotiend of two lattices in different ways. For example the group Zq can 1 also be represented as the quotient between Z and q Z, and sometimes it is convenient to 1 use this other representation. Since Z= q Z is obtained just by scaling both lattices in Z=qZ 1 1 1 by a factor q , we abbreviate it as q Zq. So, q Zq is just the same group as Zq, but with the 1 elements represented as multiples of q in the range [0; 1). The set of functions V = (Zq ! C) is a q-dimensional vector space over the field C of complex numbers. This vector space has an inner product defined as 1 X hf; gi = E [f(x) · g(x)] = f(x) · g(x) x2Zq q x2Zq where a + ib = a − ib 2 C is the complex conjugation operation, for a; b 2 R. 2πxy 1 1 Consider the family of functions χx(y) = e . Notice that if x 2 q Zq = Z= q Z, then χx(y) is periodic modulo q. So, it defines a function from Zq to C. The following lemma shows that this set of functions is an orthonormal basis for Zq ! C.