The Gaussians Distribution 1 the Real Fourier Transform

Home , Gaussian function

CSE 206A: Lattice Algorithms and Applications Winter 2016 The Gaussians Distribution Instructor: Daniele Micciancio UCSD CSE

1 The real fourier transform

Gaussian distributions and harmonic analysis play a fundamental role both in the design of lattice-based cryptographic functions, and the theoretical study of lattice problems. For any function f: n → such that R |f(x)| dx < ∞, the fourier transform of f is deﬁned as R C x∈R Z fb(y) = f(x) · e−2πihx,yi dx x∈ n √ R 2πiz z z where i = −1 is the imaginary unit and e = cos( 2π )+i sin( 2π ) the exponential function from the unit interval z ∈ R/Z ≈ [0, 1) to the unit circle on the complex plane e2πiz ∈ {c ∈ C : |c| = 1}. So, the fourier transform is also a function fb: Rn → C from the euclidean 2 space Rn to the complex numbers. The gaussian function ρ(x) = e−πkxk naturally arises in harmonic analysis as an eigenfunction of the fourier transform operator. −πkxk2 Lemma 1 The gaussian function ρ(x) = e equals its fourier transform ρb(x) = ρ(x). Proof. It is enough to prove the statement in dimension n = 1, as the general statement follows by Z −2πihx,yi ρb(y) = ρ(x)e dx x∈Rn Z Y −2πixkyk = ρ(xk)e dx n x∈R k Y Z = ρ(x)e−2πixyk dx k x∈R Y = ρb(yk) = ρ(y). k So, let ρ(x) = e−πx2 the one-dimensional gaussian. We compute Z −2πixy ρb(y) = ρ(x)e dx x∈R Z = e−π(x2+2ixy) dx x∈R Z = e−πy2 e−π(x+iy)2 dx y Z = ρ(y) ρ(x) dx. x∈R+iy Finally, we observe that R ρ(x) dx = R ρ(x) dx by Cauchy’s theorem, and x∈R+iy x∈R Z sZ Z ρ(x) dx = ρ(x1) dx1 · ρ(x2) dx2 x∈R x1∈R x2∈R sZ sZ ∞ = ρ(x) dx = 2πrρ(r) dr = 1 x∈R2 r=0

0 where the last equality follows from the fact that ρ (r) = −2πr · ρ(r).

− 1 x2 We note that in other settings the gaussian distribution is often defined as g(x) = e 2 , which is the same as ρ, but with a different scaling factor. Using g(x) corresponds to q R 2 normalizing the standard deviation x g(x) dx = 1, but introduces a scaling factor when taking the fourier transform of g. As we will make extensive use of the fourier transform, in lattice cryptography it is typically preferable to use ρ(x) = e−πx2 as the “standard” gaussian q function, so that ρ = ρ. The standard deviation of ρ is R ρ(x)2 dx = p n . b x∈Rn 2π The following properties of the fourier transform easily follow from the definition.

Lemma 2 Any function f with R |f(x)| < ∞ satisﬁes the following properties: x∈Rn 1. for any nonsingular square matrix T, if h(Tx) = f(x) then bh(y) = det(T) · fb(Tty).

2. if h(x) = f(x + v), then bh(y) = fb(y) · e2πihv,yi.

3. if h(x) = f(x) · e2πihx,vi, then bh(y) = fb(y − v). Proof. For the ﬁrst property, we have Z Z bh(y) = h(z) · e−2πihz,yi dz = f(T−1z) · e−2πihz,yi dz. z∈Rn z∈Rn Making a change of variable z = Tx, the last expression equals

Z t det(T) f(x) · e−2πihx,T yi dx = det(T)fb(Tty). x∈Rn The other two properties are proved similarly, using the deﬁnition of the fourier transform, and applying an appropriate change of variable.

Less trivial to prove is the following result, known as Poisson summation formula. The theorem requires f to satisfy appropriate regularity conditions. We will apply the theorem only to the gaussian function ρ(x), and other functions obtained from it by the simple change of variables described in Lemma 2. These functions behave in the nicest possible way with respect to the fourier transform, so we do not explicitly state necessary requirements on the function f. Theorem 3 If f( n) = P f(x), and similarly for f( n), then Z x∈Zn b Z

n n f(Z ) = fb(Z ).

Proof. Let f: n → and define the periodic function ϕ(x) = f(x+ n) = P f(x+y). R C Z y∈Zn Notice that ϕ(x) = ϕ(x mod y) for any y ∈ Zn, i.e., ϕ is periodic modulo 1, and can be equivalently described as a function from [0, 1)n to C. The fourier series of a periodic function ϕ: [0, 1)n → C is defined as Z −2πihx,zi ϕb(z) = ϕ(x) · e dx x∈[0,1)n for any z ∈ Zn. The fourier inversion theorem for periodic functions states that if ϕ is sufficiently nice, it can be recovered from its fourier series

X 2πihz,xi ϕ(x) = ϕb(z) · e . z∈Zn We will need this inversion formula only to evaluate ϕ at 0, giving

n X 0 n f(Z ) = ϕ(0) = ϕb(z) · e = ϕb(Z ). z∈Zn Next we compute the fourier coeﬃcients Z −2πihx,zi ϕb(z) = ϕ(x) · e dx x∈[0,1)n Z X = f(x + w) · e−2πihx,zi dx. x∈[0,1)n w∈Zn Since x 7→ e−2πihx,zi is also periodic modulo 1, the last expression equals

Z X Z f(x + w) · e−2πihx+w,zi dx = f(x) · e−2πihx,zi dx = fb(z) x∈[0,1)n x∈ n w∈Zn R i.e., the fourier series of the periodic function ϕ equals the fourier tranform of f at integer n n n n points z ∈ Z . So, f(Z ) = ϕb(Z ) = fb(Z ).

The theorem is easily generalized to arbitrary lattices.

Corollary 4 For any lattice Λ,

f(Λ) = det(Λ∗)fb(Λ∗)

P ∗ where f(Λ) = x∈Λ f(x), and similarly for fb(Λ ). Proof. We may assume without loss of generality that Λ is a full dimensional lattice. Let B be a basis of Λ, so that the lattice can be written as BZn, and let h(x) = f(Bx). Then, using the previous theorem, we have

n n −1 −t n ∗ ∗ f(Λ) = h(Z ) = hˆ(Z ) = det(B )h(B Z ) = det(Λ )h(Λ ).

R We know from the proof of Lemma 1 that x ρ(x) dx = 1. So, the gaussian function can be interpreted as a probability distribution over Rn. Lattice cryptography uses a discrete version of this probability distribution which selects points from a lattice x ∈ Λ with probability proportional to ρ(x).

Deﬁnition 5 For any lattice Λ, the discrete gaussian probability distribution DΛ is the probability distribution over Λ that selects each lattice point x ∈ Λ with probability Pr{x} = P ρ(x)/ρ(Λ), where ρ(Λ) = x∈Λ ρ(x) is normalization factor.

Informally (or even formally, with some eﬀort) one can think of the discrete gaussian distribution DΛ as the conditional distribution of the continuous gaussian distribution Pr{x} = ρ(x) on Rn, conditioned on the event that x ∈ Λ is a lattice point. The reason we state this informally is that the event of picking a lattice point x ∈ Λ when choosing x according to a continuous probability distribution has zero probability. So, giving a formal deﬁnition of conditional distribution can be tricky. Luckily, none of this is needed, as we will work only with discrete distributions.

2 Fourier analysis of ﬁnite groups

Harmonic analysis in Rn requires sensible assumptions on the function f to guarantee conver- gence and the validity of the fourier inversion formula. Fortunately, in lattice cryptography, we will deal primarity with discrete probability distributions and the fourier transform over finite groups. This allows for a much simpler treatment, using linear algebra. We start with the simple case of a finite cyclic group Zq = Z/qZ of the integers modulo q. It will be useful to think of Zq in concrete terms as the quotient between Z and its subgroup qZq, and think these two sets as two lattices. Any finite abelian group can be expressed as a quotient Λ/Λ0, where Λ is a lattice and Λ0 is a full rank sublattice of Λ. As 0 we will see, much of what we will prove for Zq applies also to the quotient Λ/Λ between to lattices, and therefore holds for arbitrary abelian groups. Notice that the same group can be expressed as the quotiend of two lattices in different ways. For example the group Zq can 1 also be represented as the quotient between Z and q Z, and sometimes it is convenient to 1 use this other representation. Since Z/ q Z is obtained just by scaling both lattices in Z/qZ 1 1 1 by a factor q , we abbreviate it as q Zq. So, q Zq is just the same group as Zq, but with the 1 elements represented as multiples of q in the range [0, 1). The set of functions V = (Zq → C) is a q-dimensional vector space over the field C of complex numbers. This vector space has an inner product defined as

1 X hf, gi = E [f(x) · g(x)] = f(x) · g(x) x∈Zq q x∈Zq

where a + ib = a − ib ∈ C is the complex conjugation operation, for a, b ∈ R. 2πxy 1 1 Consider the family of functions χx(y) = e . Notice that if x ∈ q Zq = Z/ q Z, then χx(y) is periodic modulo q. So, it deﬁnes a function from Zq to C. The following lemma shows that this set of functions is an orthonormal basis for Zq → C.

1 Lemma 6 For any x, y ∈ q Z,

1 if x = y hχ , χ i = x y 0 otherwise

Proof. By deﬁnition hχ , χ i = 1 P e2πi(x−y)z. If x = y, then e2πi(x−y)z = e0 = 1, and x y q z∈Zq 2πi(x−y) hχx, χyi = 1. On the other hand, if x 6= y, then e 6= 1 and

q−1 X e2πi(x−y)q − 1 e2πi(x−y)z = = 0 e2πi(x−y)−1 z=0 and hχx, χyi = 0.

1 The functions χx with x ∈ q Zq are called the characters of the group Zq, and, since there are precisely q of them, they form an orthonormal basis for V = Zq → C. In particular, any function can be expressed as a linear combination of the characters X f(x) = hf, χyi · χy(x). y

Notice the similarity between the coeﬃcients

1 X −2πixy fb(y) = hf, χyi = f(x) · e q x∈Zq

and the deﬁnition of the real fourier transform of a function. The function fb(y) mapping 1 each y ∈ q Zq to the corresponding coeﬃcient hf, χyi is called the (discrete) fourier transform of f, and the set of characters χy is called the fourier basis. Expressing the function f with respect to the fourier basis can be rewritten as X f(x) = fb(y)e−2πixy y giving a fourier inversion formula. Everything easily extends to arbitrary abelian groups, but before moving on, it is useful 1 to pay some attention to the way we represented group elements for the index y ∈ q Zq and input x ∈ Zq of the group characters χy(x). If we think of G = Λ/Γ

1 as the quotient of two lattices Λ = Z and Γ = qZ ⊆ Λ, then q Zq is precisely the dual group of G, which can be formally deﬁned as the quotient

Gb = Γ∗/Λ∗ ∗ 1 ∗ between the dual lattices Γ = q Z and Λ = Z. (Notice that in order to take the quotient we need also to reverse the position of the two lattices, so that Λ∗ ⊆ Γ∗.) Q n Q Now let us move to the product of cyclic groups G = k Zqk = Z /( k(qk · Z)), and the set of functions from G to C. In this more general setting, the fourier basis is given by the characters 2πihx,yi χy(x) = e Q 1 Q 1 n P for y ∈ G = ( q) = ( )/ . Here hx, yi = xk ·yk is just the usual dot product b k qk Z k qk Z Z k between vectors. It is only the inner product of functions hf, gi = Ex∈G[f(x) · g(x)] that is Q 2 normalized by the group size k qk, so that the characters have norm kχk = hχ, χi = 1. As before, characters are mutually orthogonal because Y hχx, χyi = hχxk , χyk i k and the product vanishes as soon as xk = yk for some k. So, we deﬁne the discrete fourier transform of a function f: G → C as before

1 X −2πihx,yi fb(y) = hf, χyi = f(x) · e q x∈G giving the fourier inversion formula

X X −2πihx,yi f(x) = hf, χyi · χy(x) = fb(y) · e . y∈Gb y∈Gb Every quotient of two (full rank) lattices G = Λ/Γ with Γ ⊆ Λ is a finite abelian group, and any abelian group can be represented as a product of cyclic groups. So, this is all we need to deal with quotients between any two arbitrary (full rank) lattices Γ ⊆ Λ. But it is useful to give a general formulation of everything we have proved so far directly in terms of lattices. In the most general setting, we start from a lattice Λ and a full rank sublattice Γ ⊆ Λ, which define a finite abelian group G = Λ/Γ and its dual Gb = Γ∗/Λ∗. The set of all functions G → C is a |G|-dimensional vector space over C with an inner product 1 X hf, gi = E [f(x) · g(x)] = f(x) · g(x) x∈G |G| x∈G 2πhx,yi and orthonormal basis χy(x) = e for y ∈ Gb. The discrete fourier transform of f: G → C is the function fb(y) = hf, χyi from Gb to C and it satisfies the fourier inversion formula f(x) = P f(y) · χ (x). y∈Gb b y

3 Gaussian sums

Poisson summation formula can be used to prove several interesting bounds on gaussian sums over lattices.

Lemma 7 For any lattice Λ and real s ≥ 1,

ρ(Λ/s) ≤ snρ(Λ)

Proof. By the Poisson summation formula, and using ρ(sx) ≤ ρ(x), we get

ρ(Λ/s) = det(sΛ∗)ρ(sΛ∗) ≤ sn det(Λ∗)ρ(Λ∗) = snρ(Λ).

Lemma 8 For any lattice coset Λ + u,

ρ(Λ + u) ≤ ρ(Λ).

Proof. Recall that if f(x) = ρ(x + v) then fb(y) = e2πihy,vi · ρ(y). Using Poisson summation formula and triangle inequality we get

∗ X ρ(Λ + u) = det(Λ ) ρ(y) · exp(2πi hy, ui) y∈Λ∗ X ≤ det(Λ∗) ρ(y) = ρ(Λ). y∈Λ∗

An immediate consequence of the above lemma is that for any lattices Λ ⊂ Λ0, the 0 gaussian probability distribution (DΛ0 mod Λ) over the quotient group Λ /Λ is maximized at 0 mod Λ. Using these bounds we can easily prove several tail inequalities on the norm of vectors chosen according to a discrete Gaussian distribution.

Lemma 9 For any lattice coset Λ + c and halfspace H = {x : hx, hi ≥ khk2},

ρ((Λ + c) ∩ H) ≤ ρ(h) · ρ(Λ + c − h). Proof. If IH (x) the indicator function of H, then we have X ρ((Λ + c) ∩ H) = ρ(x) · IH (x) x∈Λ+c X exp(2π hx, hi) ≤ ρ(x) · exp(2πkhk2) x∈Λ+c X = ρ(h) ρ(x − h) x∈Λ+c = ρ(h)ρ(Λ + c − h)

Using a union bound over all standard unit vectors ±ei, gives a tail inequality on the inﬁnity norm of a vector chosen according to the discrete gaussian distribution from an n-dimensional lattice.

Corollary 10 For any n-dimensional lattice Λ, if x ← DΛ then

2 Pr {kxk∞ ≥ t} ≤ 2n exp(−πt ).

As a special case, using the scaled integer lattice Λ = Z/s, we get a tail bound for gaussian samples from Z.

2 Corollary 11 If x ← DZ,s, then Pr{|x| ≥ st} ≤ 2 exp(−πt ).

Theorem 12 For any lattice coset Λ + c and α ≥ 1,

α2 n/2 ρ((Λ + u) \ B(αpn/(2π))) ≤ ρ(Λ) exp(α2 − 1) where B(r) = {x ∈ Rn : kxk ≤ r}.

Proof. If Ir(x) is the characteristic function of B(r), then for any 0 < t < π and r = αpn/(2π) we have X ρ((Λ + u) \ B(r)) = ρ(x)(1 − Ir(x)) x∈Λ+c X exp(tkxk2) ≤ ρ(x) exp(tr2) x∈Λ+c = exp(−tr2)ρ(p1 − t/π · (Λ + c)) ≤ exp(−tr2)ρ(p1 − t/π · (Λ)) ≤ exp(−tr2) · (1 − t/π)−n/2 · ρ(Λ)) This function is minimized at t = π − n/(2r2) ≥ 0, which gives the bound in the theorem.

Notice that the base α2/ exp(α2 − 1) of the exponential factor in the above theorem is monotonically decreasing for α ≥ 1, and equals α2/ exp(α2 − 1) = 1 when α = 1.

Corollary 13 For any α ≥ 1, if x ← DΛ then

r n α2 n/2 Pr kxk ≥ α ≤ . 2π exp(α2 − 1)

Also this corollary can be used to bound the probability that x ← DZ,s is bigger than |x| > st.

4 The smoothing parameter

Deﬁnition 14 For any lattice Λ, the -smoothing parameter of a lattice Λ is the smallest s > 0 such that ρ(sΛ∗) ≤ 1 + .

Informally, the smoothing parameter is the amount of (gaussian) noise that needs to be added to a lattice to obtain a uniformly distributed point in space, as formalized in the next theorem.

Lemma 15 For any lattice coset Λ + u, if η(Λ) ≤ 1 then

ρ(Λ + u) ∈ [1 ± ] · det(Λ∗).

∗ Proof. Assume η(Λ) ≤ 1, or, equivalently, ρ(Λ ) ≤ 1 + . Then

∗ ∗ X |ρ(Λ + u) − det(Λ )| = det(Λ ) ρ(y) · exp(2πi hy, ui) − 1 y∈Λ∗

∗ X = det(Λ ) ρ(y) · exp(2πi hy, ui)

y∈Λ∗\{0} X ≤ det(Λ∗) ρ(y) y∈Λ∗\{0} = det(Λ∗) · (ρ(Λ∗) − 1) ≤ · det(Λ∗).

It is clear from the deﬁnition that for any lattice Λ and scalar c > 0, η(cΛ) = cη(Λ). Next, we turn to evaluating the smoothing parameter of a lattice. We begin with the integer lattice. Lemma 16 For any > 0, we have 2 2 1 + ≤ ρ(s ) ≤ 1 + exp(πs2) Z exp(πs2) − 1 r r ln(2/) ln(1 + 2/) ≤ η ( ) ≤ . π Z π

Proof. For the lower bound, we restrict the summation to the integers {−1, 0, 1} ⊂ Z: 2 ρ(s ) ≥ ρ(s{−1, 0, 1}) = 1 + 2ρ(s) = 1 + . Z exp(πs2) √ √ For the upper bound, we extend the summation over Z = { n : n ∈ Z} ⊃ Z: √ X 2 ρ(s ) ≤ ρ(s ) = 1 + 2 exp(−πs2)k = 1 + . Z Z exp(πs2) − 1 k≥1

Setting the bound to 1 + and solving for s gives upper and lower bounds on η(Z).

In order to bound the smoothing parameter of arbitrary lattices, we look at how the smoothing parameter interacts with orthogonalization. Notice that for any mutually orthog- ∗ onal lattice hΛ1, Λ2i = {0}, the dual of the sum (Λ1 + Λ2) equals the sum of the duals Λ∗ + Λ∗, and therefore

∗ ∗ ∗ ∗ ∗ ρ((Λ1 + Λ2) ) = ρ(Λ1 + Λ2) = ρ(Λ1)ρ(Λ2).

So, if s = η1 (Λ1) = η2 (Λ2), then s = η(Λ1 + Λ2) for = 1 + 2 + 12. This already gives a way to bound the smoothing parameter of lattices that have an orthogonal basis. But most lattices do not have such a basis, so we need one more tool. For the general case, we use the fact that orthogonalizig a lattice can only increase its smoothing parameter.

Theorem 17 For any lattice basis B with Gram-Schmidt orthogonalization B∗ and > 0,

∗ η(L(B)) ≤ η(L(B )).

The theorem is proved using Lemma 8, by induction on the dimension, using the relation between the orthogonalization of B and the orthogonalization (in reverse order) of its dual basis. The details of the proof are left as an exercise.