Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Good Gottesman-Kitaev-Preskill codes from the NTRU cryptosystem

Jonathan Conrad, Jens Eisert, Jean-Pierre Seifert

TL;DR

The paper presents a randomized, post-quantum cryptography–inspired construction of good Gottesman-Kitaev-Preskill (GKP) codes by leveraging NTRU lattices. The authors show that these codes achieve constant rate with distance scaling $Δ=Ω(\sqrt{n})$ with high probability and that decoding a stochastic displacement channel reduces to decrypting the NTRU cryptosystem, yielding trapdoor-decoding capabilities. They further propose a quantum public-key communication protocol that inherits security from the underlying NTRU problem and discuss decoding complexity, thresholds, and numerical results for NTRU-based GKP lattices. The work bridges classical lattice cryptography, quantum error correction, and post-quantum cryptography, offering a new path to cryptographically flavored quantum information processing and secure quantum communication. Future directions include improving decoders, exploring higher-rank lattices, and rigorously analyzing quantum security of the proposed protocols.

Abstract

We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling $Δ\propto \sqrt{n}$ with high probability, where $n$ is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenating single mode GKP codes into a qubit-quantum error correcting code with linear distance. The derived class of NTRU-GKP codes has the additional property that decoding for a stochastic displacement noise model is equivalent to decrypting the NTRU cryptosystem, such that every random instance of the code naturally comes with an efficient decoder. This construction highlights how the GKP code bridges aspects of classical error correction, quantum error correction as well as post-quantum cryptography. We underscore this connection by discussing the computational hardness of decoding GKP codes and propose, as a new application, a simple public key quantum communication protocol with security inherited from the NTRU cryptosystem.

Good Gottesman-Kitaev-Preskill codes from the NTRU cryptosystem

TL;DR

The paper presents a randomized, post-quantum cryptography–inspired construction of good Gottesman-Kitaev-Preskill (GKP) codes by leveraging NTRU lattices. The authors show that these codes achieve constant rate with distance scaling with high probability and that decoding a stochastic displacement channel reduces to decrypting the NTRU cryptosystem, yielding trapdoor-decoding capabilities. They further propose a quantum public-key communication protocol that inherits security from the underlying NTRU problem and discuss decoding complexity, thresholds, and numerical results for NTRU-based GKP lattices. The work bridges classical lattice cryptography, quantum error correction, and post-quantum cryptography, offering a new path to cryptographically flavored quantum information processing and secure quantum communication. Future directions include improving decoders, exploring higher-rank lattices, and rigorously analyzing quantum security of the proposed protocols.

Abstract

We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling with high probability, where is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenating single mode GKP codes into a qubit-quantum error correcting code with linear distance. The derived class of NTRU-GKP codes has the additional property that decoding for a stochastic displacement noise model is equivalent to decrypting the NTRU cryptosystem, such that every random instance of the code naturally comes with an efficient decoder. This construction highlights how the GKP code bridges aspects of classical error correction, quantum error correction as well as post-quantum cryptography. We underscore this connection by discussing the computational hardness of decoding GKP codes and propose, as a new application, a simple public key quantum communication protocol with security inherited from the NTRU cryptosystem.
Paper Structure (22 sections, 8 theorems, 105 equations, 10 figures)

This paper contains 22 sections, 8 theorems, 105 equations, 10 figures.

Table of Contents

  1. Introduction
  2. The GKP code
  3. Code distance.
  4. Decoding GKP codes via the closest vector problem.
  5. Bounded distance decoding (BDD).
  6. Constructions of GKP codes
  7. Scaled GKP codes
  8. Concatenated GKP codes.
  9. Decoding complexity of GKP codes
  10. GKP codes from NTRU lattices
  11. The NTRU cryptosystem
  12. Symplectic ideal and NTRU lattices
  13. Numerical results
  14. Decoding GKP codes from NTRU lattices
  15. Bounding $\mathtt{BDD}_{\epsilon}$
  16. ...and 7 more sections

Key Result

Lemma 1

($\mathtt{eMLD}\geq \mathtt{MED}$) Given an oracle that evaluates $\mathtt{CVP}\left( \bs{x}, \mathcal{L}^{\perp} \right)$ can be solved efficiently.

Figures (10)

  • Figure 1: Babai's nearest plane algorithm babai.
  • Figure 2: Some notable weakly symplectically self-dual (symplectic) lattices that yield GKP codes. The lower block indicates the concatenation of single mode $\mathcal{L}_{\square}=\sqrt{2}\mathbb{Z}^2$ square GKP and $\mathcal{L}_{\mhexagon}=\sqrt{2}A_2$ hexagonal GKP codes with qubit quantum error correcting- or detecting codes. Note that concatenation with $\mathcal{L}_{\mhexagon}$ does not formally produce a Construction A lattice, but is related by a symplectic transformation $S_{\mhexagon}^n=\oplus_i^n S_{\mhexagon}$, $S_{\mhexagon}=M_{A_2}^T$ to the concatenation with the square GKP code generated by $M_{\mathbb{Z}^2}=I_2$, which in fact is Construction A. The symplectically self-dual root lattices listed in this table and their use as GKP codes have previously been identified in ref. Harrington_Thesis. The re-scaled $L_{\rm NTRU}$ lattices that we use here to to construct NTRU-GKP codes are indicated between those and the "more genuine" lattices corresponding to concatenated codes. The statements about (symplectic) self-duality are generally up to scaling and rotations.
  • Figure 3: Shortest vector lengths computed via full HKZ reduction of $a)$ random cyclic ($\Phi_0=x^n-1$) lattices as generated by the hard lattice generator in sagemath, $b)$ random NTRU lattices with $p=3$ and $d=\lfloor n/3 \rfloor$ and $c)$ random NTRU lattices where $h$ is invertible in $R_q$ for varying $q=2, \dots , 2048$. In $d)$ we sample NTRU lattices generated with the irreducible quotient $\Phi=x^n+1$, where $n$ is a power of 2. For each $n \in [2,24]$ we sample $100$ NTRU lattices and compute the shortest vector by computing the HKZ reduced lattice basis. For reference, we plot the expected shortest vector length from the Gaussian heuristic $\lambda\left( n \right)=\sqrt{nq/\pi e}$ in blue and the expected lower bound $\lambda_0\left( n \right)=\sqrt{0.28 n}$ in red. In panel $d)$, we have also included a green line at $\sqrt{q}$, which is the standard deviation of the discrete Gaussian distribution $f, g$ are sampled from and is related to a probabilistic lower bound for $n\geq 8$ a power of $2$ on the shortest infinity norm $\lambda_1^{\infty}\left( L \right)$ derived in ref. StehleSteinfeld. The sagemathsagemath code as well as all numerical data presented here is available under ref. GitLink. The sagemath functionalities to construct NTRU lattices are partially adapted from ref. LatticeHacks.
  • Figure 4: Outline of the private quantum channel established using the NTRU-GKP code as described in the main text.
  • Figure 5: Parameters of sampled NTRU lattices.
  • ...and 5 more figures

Theorems & Definitions (11)

  • Definition 1: Good GKP codes
  • Lemma 1
  • Lemma 2: ConwaySloane, p. 450
  • Lemma 3
  • Corollary 1
  • Corollary 2: Qi_earchiveJingguo_Qi
  • Proposition 1: Good codes from NTRU lattices
  • Conjecture 1: Good GKP codes
  • Conjecture 2: Good GKP codes
  • Proposition 2
  • ...and 1 more