Recall the decoding procedure: if $\Lambda$ is a known fixed lattice and $x \in H$ is an unknown short vector, the goal is to recover $x$ given $t = x \bmod \Lambda$. Choose $\{v_i\} \subset \Lambda^\vee$, a set of $n$ linearly independent vectors (not necessarily a basis) that are rather short, and let $\{b_i\}$ be the dual basis of $\{v_i\}$; it generates a superlattice $\Lambda' \supseteq \Lambda$. Express $t \bmod \Lambda'$ in the basis $\{b_i\}$ as $\sum_i c_i b_i$ with $c_i \in \mathbb{R}/\mathbb{Z}$ (so $c_i = \langle x, \bar v_i \rangle \bmod 1$), and output $\sum_i \llbracket c_i \rrbracket b_i \in H$. The output equals $x$ if and only if every coefficient $a_i = \langle x, \bar v_i \rangle$ in the expansion $x = \sum_i a_i b_i$ lies in $[-1/2, 1/2)$.

Since $(R^\vee)^\vee = R$ and every element $p_j$ of the powerful basis of $R$ has $\|\tau(p_j)\|_2 = \sqrt{n}$, we can use the decoding basis $\vec d$ for decoding $R^\vee$, because the dual of $\vec d$ is $\vec p$ and each $p_j$ is rather short. But for decoding $K/I$ with $I = (R^\vee)^k = t^{-k}$, if we use the $\mathbb{Z}$-basis $t^{1-k}\vec d$ of $I$, some elements of its dual, $t^{k-1}\tau(\vec p)$, may be much longer than the shortest nonzero elements of $I^\vee = t^{k-1}$. (Remark: let $t = m/g$ with $m$ prime and $\sigma(g) = (1-\omega_m, 1-\omega_m^2, \ldots, 1-\omega_m^{m-2})$. The coordinate $1-\omega_m$ is very small when $m$ is large, so $t$ is very large.) Instead, we use $\hat m^{1-k}\vec d$, which generates the superideal $J = \hat m^{1-k}R^\vee = t^{1-k}g^{1-k}R^\vee \supseteq I$ and whose dual elements $\hat m^{k-1}\tau(\vec p)$ lie in $I^\vee$. Note that

$$\frac{\|\hat m^{k-1}\tau(\vec p)\|_2}{\lambda_1(I^\vee)} = \frac{\hat m^{k-1}\sqrt{n}}{\lambda_1(I^\vee)} < \Bigl(\prod_{\text{odd prime } p \mid m} p^{\frac{1}{p-1}}\Bigr)^{k-1}. \quad (9.6)$$

The last inequality follows from
Decoding $I_q$ to $I$, where $I = (R^\vee)^k$ for some $k \ge 1$
For an input $\bar a \in I_q$, write $\bar a = \langle \hat m^{1-k}\vec d, \bar{\mathbf a} \rangle \bmod qJ$ for some coefficient vector $\bar{\mathbf a}$ over $\mathbb{Z}_q$, where $J = \hat m^{1-k}R^\vee \supset I$. Define $\llbracket \bar a \rrbracket := \langle \hat m^{1-k}\vec d, \llbracket \bar{\mathbf a} \rrbracket \rangle$ if this lies in $I$; otherwise the decoding fails. Note that if $a \in I$ with $a = \langle \hat m^{1-k}\vec d, \mathbf a \rangle$ and every $a_j \in [-q/2, q/2)$, where $a_j$ is the $j$th component of $\mathbf a$, then the decoding succeeds. Hence, if every $a_j$ is $\delta$-subgaussian with parameter $s$, then by Lemma 5.2.1, $\llbracket a \bmod qI \rrbracket = a$ except with probability at most $2n\exp(\delta - \pi q^2/(2s)^2)$.
Writing $a = \langle \hat m^{1-k}\vec d, \mathbf a \rangle$ for $a \in I$ with integral vector $\mathbf a$, we have $|a_j| \le \hat m^{k-1}\sqrt{n}\,\|a\|_2$, because $|a_j| = |\mathrm{Tr}(a\,\hat m^{k-1}\tau(p_j))| \le \|a\|_2\,\hat m^{k-1}\sqrt{n}$ by the Cauchy–Schwarz inequality.
If $a$ is $\delta$-subgaussian with parameter $s$ and $b \in (R^\vee)^l$ for some $l \ge 0$, write $ab = \langle \hat m^{1-k-l}\vec d, \mathbf c \rangle$ for some integral vector $\mathbf c$. Then

$$c_j = \mathrm{Tr}(\hat m^{k+l-1}\tau(p_j)\,ab) \quad (9.8)$$
$$\phantom{c_j} = \hat m^{k+l-1}\,\mathrm{Tr}(\tau(p_j)\,b\,a), \quad (9.9)$$

which is $\delta$-subgaussian with parameter

$$\hat m^{k+l-1}\|\tau(p_j)\,b\|_2\, s \le \hat m^{k+l-1}\|\tau(p_j)\|_\infty \|b\|_2\, s = \hat m^{k+l-1}\|b\|_2\, s. \quad (9.10)$$
9.2.1 Implementation of Decoding Operation
The goal is to recover an unknown element $a \in I = (R^\vee)^k$ given $\bar a = a \bmod qI$. We assume that the input $\bar a \in I_q$ is given as a coefficient vector $\bar{\mathbf a}$ over $\mathbb{Z}_q$ satisfying $\bar a = \langle t^{1-k}\vec b, \bar{\mathbf a} \rangle \bmod qI$, where $\vec b$ is some given $\mathbb{Z}_q$-basis of $R^\vee_q$. The output is a coefficient vector $\mathbf a$ over $\mathbb{Z}$ with respect to the decoding basis $t^{1-k}\vec d$ of $I$.

Case 1) $k = 1$. If $\bar a = \langle \vec d, \bar{\mathbf a} \rangle \bmod qR^\vee$, output $a = \langle \vec d, \mathbf a \rangle$ where $\mathbf a = \llbracket \bar{\mathbf a} \rrbracket$.

Case 2) $I = (R^\vee)^k$, $k > 1$.
1. Compute the representation $\bar a' = \bar a \bmod qJ$ in the $\mathbb{Z}_q$-basis $\hat m^{1-k}\vec b$ of $J_q$ (recall that $J = \hat m^{1-k}R^\vee \supseteq I$).
2. Decode it as in the case $k = 1$ to an element $a' \in J$ (which equals $a$ if the decoding succeeds).
3. Compute the representation of $a'$ in the $\mathbb{Z}$-basis $t^{1-k}\vec d$ of $I$.
For step 1, we want to find $\bar{\mathbf a}'$ such that

$$\bar a = \langle \hat m^{1-k}\vec b, \bar{\mathbf a}' \rangle \bmod qJ. \quad (9.11)$$

We claim that this $\bar{\mathbf a}'$ is the coefficient vector of $g^{k-1}\bar a$ with respect to the basis $t^{1-k}\vec b \bmod qI$, because $\langle t^{1-k}\vec b, \bar{\mathbf a}' \rangle = g^{k-1}\langle \hat m^{1-k}\vec b, \bar{\mathbf a}' \rangle = g^{k-1}\bar a$.
For step 2, rewrite the output of step 1 with respect to the basis $\hat m^{1-k}\vec d$, so that $\bar a' = \langle \hat m^{1-k}\vec d, \bar{\mathbf a}' \rangle$. Then output $\llbracket \bar{\mathbf a}' \rrbracket$ over $\mathbb{Z}$ and let $a' = \langle \hat m^{1-k}\vec d, \llbracket \bar{\mathbf a}' \rrbracket \rangle \in J$. If $a' \in I$, we succeed; if not, we fail. (Remark: in general, membership of a given lattice is easy to decide.)
For step 3, we convert the representation of $a'$ in the $\mathbb{Z}$-basis $\hat m^{1-k}\vec d$ of $J$ to a representation in a $\mathbb{Z}$-basis of $I$, namely $t^{1-k}\vec d$. Assuming step 2 succeeds, i.e., $a' \in I$, we want an integer vector $\mathbf a$ such that $a' = \langle t^{1-k}\vec d, \mathbf a \rangle$. For the same $\mathbf a$,

$$\langle \hat m^{1-k}\vec d, \mathbf a \rangle = g^{1-k}\langle t^{1-k}\vec d, \mathbf a \rangle = g^{1-k}a',$$

i.e., $\mathbf a$ is the coefficient vector of $g^{1-k}a'$ in the basis $\hat m^{1-k}\vec d$.
Note that multiplication by $g$ and division by $g$ can be computed efficiently. For example, when $m = p$ is prime,

$$m\,\vec d^{\,T} = \bigl(\cdots,\ \zeta_p^{j'} - \zeta_p^{p-1},\ \cdots\bigr), \quad j' = 0, \ldots, p-2, \quad (9.12)$$
$$m\,g\,\vec d^{\,T} = \bigl(2 - \zeta_p - \zeta_p^{p-1},\ 1 + \zeta_p - \zeta_p^2 - \zeta_p^{p-1},\ \ldots,\ 1 + \zeta_p^{p-2} - \zeta_p^{p-1} - \zeta_p^{p-1}\bigr), \quad (9.13)$$
$$m\,\vec d^{\,T} A = \bigl(1 - \zeta_p^{p-1},\ \zeta_p - \zeta_p^{p-1},\ \ldots,\ \zeta_p^{p-2} - \zeta_p^{p-1}\bigr) \times \begin{pmatrix} 2 & 1 & 1 & \cdots & 1 \\ -1 & 1 & & & \\ & -1 & 1 & & \\ & & \ddots & \ddots & \\ & & & -1 & 1 \end{pmatrix} \quad (9.14)$$
$$\phantom{m\,\vec d^{\,T} A} = \bigl(2 - \zeta_p - \zeta_p^{p-1},\ \cdots\bigr), \quad (9.15)$$

i.e., $g\,\vec d^{\,T} = \vec d^{\,T} A$.
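As an added example (not code from the original text), the following Python implements steps 2 and 3 of Case 2 for $m = p$ prime, where $\hat m = m = p$ and $g = 1 - \zeta_p$: multiplication by $g$ on coefficient vectors with respect to $\hat m^{1-k}\vec d$ is the matrix $A$ of (9.14), division by $g$ solves $A\mathbf a = \mathbf c$ over $\mathbb{Z}$ and doubles as the membership test $a' \in I = g^{k-1}J$, and `check_g_times_decoding_basis` confirms $g\,\vec d^{\,T} = \vec d^{\,T}A$ by direct arithmetic in $\mathbb{Z}[\zeta_p]$. It assumes `decode` receives the output of step 1 already expressed in the basis $\hat m^{1-k}\vec d$ (the change of basis from $\vec b$ is not specified above); function names and vector conventions are my own.

```python
from itertools import accumulate
from typing import List, Optional

def mul_by_g(c: List[int]) -> List[int]:
    """Multiply by g = 1 - zeta_p in the basis m^(1-k) d: c -> A c, A as in (9.14)."""
    first = 2 * c[0] + sum(c[1:])                          # row 1 of A is (2, 1, ..., 1)
    return [first] + [c[i] - c[i - 1] for i in range(1, len(c))]  # rows 2..n: -1, 1 bidiagonal

def div_by_g(c: List[int]) -> Optional[List[int]]:
    """Solve A a = c over Z; None if c is not divisible by g (element of J outside gJ)."""
    n, p = len(c), len(c) + 1
    partial = [0] + list(accumulate(c[1:]))                # rows 2..n: a_i = a_0 + (c_1 + ... + c_i)
    numerator = c[0] - sum(partial)                        # row 1: c_0 = p*a_0 + sum(partial)
    if numerator % p:
        return None
    return [numerator // p + partial[i] for i in range(n)]

def decode(abar: List[int], q: int, k: int) -> Optional[List[int]]:
    """Steps 2-3 of Case 2: abar = coefficients mod q w.r.t. m^(1-k) d (output of step 1);
    returns the coefficients of a w.r.t. t^(1-k) d, or None when a' lies in J but not in I."""
    a = [((x + q // 2) % q) - q // 2 for x in abar]        # [[.]]: representatives in [-q/2, q/2)
    for _ in range(k - 1):                                 # I = g^(k-1) J: divide by g k-1 times
        if (a := div_by_g(a)) is None:
            return None
    return a

# Direct check of (9.13)-(9.15) in Z[zeta_p]: a length-p vector holds the coefficients of
# 1, zeta, ..., zeta^(p-1); cyc_normalize applies 1 + zeta + ... + zeta^(p-1) = 0.
def cyc_normalize(v: List[int]) -> List[int]:
    return [x - v[-1] for x in v]

def cyc_mul(u: List[int], v: List[int]) -> List[int]:
    p = len(u)
    w = [0] * p
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            w[(i + j) % p] += ui * vj                      # zeta^p = 1
    return cyc_normalize(w)

def check_g_times_decoding_basis(p: int) -> bool:
    """Verify g * (m d_j) == sum_i A[i][j] * (m d_i) for all j, where m d_j = zeta^j - zeta^(p-1)."""
    n = p - 1
    md = [cyc_normalize([(r == j) - (r == p - 1) for r in range(p)]) for j in range(n)]
    g = cyc_normalize([1, -1] + [0] * (p - 2))
    for j in range(n):
        col = mul_by_g([int(i == j) for i in range(n)])    # column j of A
        rhs = cyc_normalize([sum(col[i] * md[i][r] for i in range(n)) for r in range(p)])
        if cyc_mul(g, md[j]) != rhs:
            return False
    return True
```

A failed `div_by_g` in `decode` is exactly the "a' in J but not in I" failure of step 2, so no separate lattice-membership routine is needed for prime $m$.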
m ~dT = (· · · ,(ζj0 p −ζ p−1 p ),· · ·), j0 = 0,· · · , p−2, (9.12) mg ~dT = (2−ζp −ζpp−1,1 +ζp−ζp2−ζ p−1 p ,· · · , 1 +ζpp−2−ζpp−1−ζpp−1), (9.13) m ~dTA = (1−ζpp−1, ζp−ζpp−1,· · · , ζ p−2 p −ζ p−1 p ) × 2 1 1 · · · 1 −1 1 −1 1 . .. −1 1 (9.14) = (2−ζp −ζpp−1,· · ·), (9.15) i.e., g ~dT =d~TA.