Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Symplectic Lattices and GKP Codes -- Simple Randomized Constructions from Cryptographic Lattices

Johannes Blömer, Yinzi Xiao, Zahra Raissi, Stanislaw Soltan

Abstract

We construct good GKP (Gottesman-Kitaev-Preskill) codes (in the sense of Conrad, Eisert and Seifert proposed) from standard short integer solution lattices (SIS) as well as from ring SIS and module SIS lattices, R-SIS and M-SIS lattices, respectively. These lattice are crucial for lattice-based cryptography. Our construction yields GKP codes with distance $\sqrt{n/πe}$. This compares favorably with the NTRU-based construction by Conrad et al. that achieves distance $Ω(\sqrt{n/q}),$ with $n\le q^2/0.28$. Unlike their codes, our codes do not have secret keys that can be used to speed-up the decoding. However, we present a simple decoding algorithm that, for many parameter choices, experimentally yields decoding results similar to the ones for NTRU-based codes. Using the R-SIS and M-SIS construction, our simple decoding algorithm runs in nearly linear time. Following Conrad, Eisert and Seifert's work, our construction of GKP codes follows directly from an explicit, randomized construction of symplectic lattices with (up to constants $\approx 1$) minimal distance $(1/σ_{2n})^{1/2n}\approx \sqrt{\frac{n}{πe}}$, where $σ_{2n}$ is the volume of the 2n-dimensional unit ball. Before this result, Buser and Sarnak gave a non-constructive proof for the existence of such symplectic lattices.

Symplectic Lattices and GKP Codes -- Simple Randomized Constructions from Cryptographic Lattices

Abstract

We construct good GKP (Gottesman-Kitaev-Preskill) codes (in the sense of Conrad, Eisert and Seifert proposed) from standard short integer solution lattices (SIS) as well as from ring SIS and module SIS lattices, R-SIS and M-SIS lattices, respectively. These lattice are crucial for lattice-based cryptography. Our construction yields GKP codes with distance . This compares favorably with the NTRU-based construction by Conrad et al. that achieves distance with . Unlike their codes, our codes do not have secret keys that can be used to speed-up the decoding. However, we present a simple decoding algorithm that, for many parameter choices, experimentally yields decoding results similar to the ones for NTRU-based codes. Using the R-SIS and M-SIS construction, our simple decoding algorithm runs in nearly linear time. Following Conrad, Eisert and Seifert's work, our construction of GKP codes follows directly from an explicit, randomized construction of symplectic lattices with (up to constants ) minimal distance , where is the volume of the 2n-dimensional unit ball. Before this result, Buser and Sarnak gave a non-constructive proof for the existence of such symplectic lattices.

Paper Structure

This paper contains 37 sections, 36 theorems, 144 equations, 3 figures.

Table of Contents

  1. Introduction
  2. Organization
  3. Basic definitions and results
  4. Lattices
  5. Symplectic matrices and symplectic lattices
  6. A simple geometric lemma
  7. Some useful bounds
  8. Constructing symplectic matrices from $\textrm{SIS}$ lattices
  9. Analysis of minimal distance
  10. Analyzing the probability
  11. Bounding the minimal distance
  12. Main results
  13. Symplectic lattices with large minimal distance
  14. GKP codes with large distance
  15. Upper bounds for minimal distance and covering radius and
  16. ...and 22 more sections

Key Result

Theorem 1

Let ${\cal L}$ be a lattice of dimension $n$. Then for lattice ${\cal L}$ and its dual ${\cal L}^\dagger$,

Figures (3)

  • Figure 1: Code distance of GKP code generated from SIS lattice, (a) with $q=256$ fixed, vary $n$ as horizontal axis; (b) with $n=7$ fixed, vary $q$ as horizontal axis.
  • Figure 2: Decoding under Gaussian displacement noise. (a) Trivial decoder at $n=11$ for $q\in\{4,5,7,8,16\}$. (b) Trivial decoder at $q=4$ for $n\in\{7,11,17,23,31\}$. (c–d) NTRU decoder, Babai decoder, and trivial decoder ($\textsc{Bdd}_{\text{triv}}$) at $n=7$ with $q=4$ and $q=8$. Curves show error rate $p_{\mathrm{err}}$ versus physical standard deviation $\sigma$. For each $(n,q)$, we select the code with the largest distance from 100 random candidates and estimate $p_{\mathrm{err}}$ using $10^{4}$ error samples per $\sigma$. For (c–d), codes are generated from NTRU lattices to enable the NTRU decoder.
  • Figure 3: Simulations of minimal distance for symplectic R-SIS and M-SIS lattices. (a) $n=4$, $m\in [1,5]$, $q=701$. (b) $n=2^e$, $m=1$, $q=3$. (c) $n=2^ep_1p_2$. (d) $n=2^ep$.

Theorems & Definitions (59)

  • Theorem 1: Banaszczyk
  • Lemma 2
  • Definition 3
  • Lemma 4
  • Lemma 5
  • proof
  • Theorem 6
  • proof
  • Lemma 7
  • proof
  • ...and 49 more