Cyclic lattices and ideal lattices were introduced by Micciancio (2002) and by Lyubashevsky and Micciancio (2006), respectively; they play an important role in Ajtai's construction of a collision-resistant hash function and in Gentry's construction of fully homomorphic encryption (Gentry, 2009a). Let \(R=\mathbb {Z}[x]/<\phi (x)>\) be a quotient ring of the polynomial ring with integer coefficients. Lyubashevsky and Micciancio regarded an ideal lattice as the lattice corresponding to an ideal of R, but they neither explained how to extend this definition to the whole Euclidean space \(\mathbb {R}^n\), nor exhibited the relationship between cyclic lattices and ideal lattices. In this chapter, we regard cyclic lattices and ideal lattices as the lattices corresponding to finitely generated R-modules, which allows us to show that ideal lattices are a special subclass of cyclic lattices, namely the cyclic integer lattices. It is worth noting that we use a more general rotation matrix here, so our definitions and results on cyclic lattices and ideal lattices are more general than the usual ones. As an application, we provide an explicit and countable upper bound for the smoothing parameter of a cyclic lattice. Our results may be viewed as substantial progress in this direction.

5.1 Some Basic Properties of Lattice

At the beginning of Chap. 1 we introduced the definition of a lattice in \(\mathbb {R}^n\): a lattice is a discrete additive subgroup of \(\mathbb {R}^n\). In this section we collect some properties of lattices that will be used later in this chapter.

Lemma 5.1.1

Let \(L\subset \mathbb {R}^n\) be a lattice, \(\alpha _1,\alpha _2,\dots ,\alpha _m \in L\) be m vectors of L. Then \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\), if and only if they are linearly independent over \(\mathbb {Z}\).

Proof

If \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\), then trivially they are linearly independent over \(\mathbb {Z}\). Conversely, suppose that \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {Z}\), and consider an arbitrary linear relation over \(\mathbb {R}\). Let

$$\begin{aligned} a_1 \alpha _1+a_2 \alpha _2+\cdots +a_m \alpha _m=0, \end{aligned}$$
(5.1.1)

We need to show that (5.1.1) forces \(a_1=a_2=\cdots =a_m=0\), which means that \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\).

By Minkowski's third theorem on simultaneous approximation (see theorem VII of Cassels (1963)), for any sufficiently large \(N>1\) there exist a positive integer \(q\geqslant 1\) and integers \(p_1,p_2,\dots ,p_m \in \mathbb {Z}\) such that

$$\begin{aligned} \max \limits _{1\leqslant i\leqslant m} |qa_i-p_i|<N^{-\frac{1}{m}},\ 1\leqslant q\leqslant N. \end{aligned}$$
(5.1.2)

By (5.1.1), we have

$$\begin{aligned}&|p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m| \\ {}&\quad =|(qa_1-p_1)\alpha _1+(qa_2-p_2)\alpha _2+\cdots +(qa_m-p_m)\alpha _m| \end{aligned}$$
$$\begin{aligned} \leqslant mN^{-\frac{1}{m}} \max \limits _{1\leqslant i\leqslant m}|\alpha _i|. \end{aligned}$$
(5.1.3)

Let \(\lambda \) be the minimum distance of L, \(\epsilon >0\) be any positive real number. We select N such that

$$\begin{aligned} N>\max \left\{ \left( \frac{m}{\epsilon }\right) ^m,\ \left( \frac{m}{\lambda }\right) ^m \max \limits _{1\leqslant i\leqslant m} |\alpha _i|^m \right\} , \end{aligned}$$

It follows that \(mN^{-\frac{1}{m}}<\epsilon \) and

$$\begin{aligned} mN^{-\frac{1}{m}} \max \limits _{1\leqslant i\leqslant m} |\alpha _i|<\lambda . \end{aligned}$$

By (5.1.3) we have

$$\begin{aligned} |p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m|<\lambda . \end{aligned}$$

Since \(p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m \in L\) and every nonzero vector of L has length at least \(\lambda \), we must have \(p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m=0\), hence \(p_1=p_2=\cdots =p_m=0\) by linear independence over \(\mathbb {Z}\). Now (5.1.2) reads \(q|a_i|<N^{-\frac{1}{m}}<\frac{1}{m} \epsilon \) for all i, \(1\leqslant i\leqslant m\), and since \(q\geqslant 1\) this gives \(|a_i|<\frac{1}{m}\epsilon \). As \(\epsilon >0\) is arbitrary, we must have \(a_1=a_2=\cdots =a_m=0\). This completes the proof of the lemma.    \(\square \)

Suppose that \(B\in \mathbb {R}^{n\times m}\) is an \(n\times m\) matrix with rank\((B)=m\), and let \(B^T\) be the transpose of B. It is easy to verify that

$$\begin{aligned} \text {rank}(B^T B)=\text {rank}(B)=m\Rightarrow \ \text {det}(B^T B)\ne 0, \end{aligned}$$

which implies that \(B^T B\) is an invertible \(m\times m\) matrix. Since \(B^T B\) is a positive definite symmetric matrix, there is an orthogonal matrix \(P\in \mathbb {R}^{m\times m}\) such that

$$\begin{aligned} P^T B^T BP=\text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}, \end{aligned}$$
(5.1.4)

where \(\delta _i>0\) are the eigenvalues of \(B^T B\), and diag\(\{\delta _1,\delta _2,\dots ,\delta _m\}\) is the \(m\times m\) diagonal matrix with these entries.

Lemma 5.1.2

Suppose that \(B\in \mathbb {R}^{n\times m}\) with rank\((B)=m\), let \(\delta _1,\delta _2,\dots ,\delta _m\) be the m eigenvalues of \(B^T B\), and let \(\lambda (L(B))\) be the minimum distance of the lattice L(B). Then we have

$$\begin{aligned} \lambda (L(B))=\min \limits _{x\in \mathbb {Z}^m,\ x\ne 0} |Bx|\geqslant \sqrt{\delta }, \end{aligned}$$
(5.1.5)

where \(\delta =\min \{\delta _1,\delta _2,\dots ,\delta _m\}\).

Proof

Let \(A=B^T B\), by (5.1.4), there exists an orthogonal matrix \(P\in \mathbb {R}^{m\times m}\) such that

$$\begin{aligned} P^T AP=\text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}. \end{aligned}$$

If \(x\in \mathbb {Z}^m\), \(x\ne 0\), we have

$$\begin{aligned} |Bx|^2&=x^T Ax=x^T P(P^T AP)P^T x \\ {}&=(P^T x)^T\ \text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}P^T x \\ {}&\quad \geqslant \delta |P^T x|^2=\delta |x|^2. \end{aligned}$$

Since \(x\in \mathbb {Z}^m\) and \(x\ne 0\), we have \(|x|^2\geqslant 1\), so for every such x

$$\begin{aligned} |Bx|\geqslant \sqrt{\delta } |x| \geqslant \sqrt{\delta }. \end{aligned}$$

Taking the minimum over all \(x\in \mathbb {Z}^m\), \(x\ne 0\), gives (5.1.5), which proves lemma 5.1.2.    \(\square \)

Another application of lemma 5.1.2 is a countable upper bound for the smoothing parameter, given in Sect. 5.4. A sublattice N of L is a (necessarily discrete) additive subgroup of L; the quotient group is written L/N and its cardinality is denoted by |L/N|.

Lemma 5.1.3

Let \(L\subset \mathbb {R}^n\) be a lattice and \(N\subset L\) be a sublattice. If rank\((N)=\)rank(L), then the quotient group L/N is a finite group.

Proof

Let rank\((L)=m\) and \(L=L(B)\), where \(B\in \mathbb {R}^{n\times m}\) with rank\((B)=m\). Define a mapping \(\sigma \) from L to \(\mathbb {Z}^m\) by \(\sigma (Bx)=x\). Clearly \(\sigma \) is an additive group isomorphism, \(\sigma (N)\subset \mathbb {Z}^m\) is a full-rank sublattice of \(\mathbb {Z}^m\) because rank\((N)=m\), and \(L/N \cong \mathbb {Z}^m/\sigma (N)\). It is a well-known result that

$$\begin{aligned} |\mathbb {Z}^m/\sigma (N)|=\text {det}(\sigma (N)), \end{aligned}$$

It follows that

$$\begin{aligned} |L/N|=|\mathbb {Z}^m/\sigma (N)|=\text {det}(\sigma (N)). \end{aligned}$$

Lemma 5.1.3 follows.    \(\square \)

Suppose that \(L_1\subset \mathbb {R}^n\) and \(L_2\subset \mathbb {R}^n\) are two lattices of \(\mathbb {R}^n\), and define \(L_1+L_2=\{a+b\ |\ a\in L_1,b\in L_2\}\). Obviously \(L_1+L_2\) is an additive subgroup of \(\mathbb {R}^n\), but in general \(L_1+L_2\) need not be a lattice of \(\mathbb {R}^n\).

Lemma 5.1.4

Let \(L_1\subset \mathbb {R}^n\), \(L_2\subset \mathbb {R}^n\) be two lattices of \(\mathbb {R}^n\). If rank\((L_1 \cap L_2)=\)rank\((L_1)\) or rank\((L_1 \cap L_2)=\)rank\((L_2)\), then \(L_1+L_2\) is again a lattice of \(\mathbb {R}^n\).

Proof

To prove that \(L_1+L_2\) is a lattice of \(\mathbb {R}^n\), it is sufficient to prove that \(L_1+L_2\) is a discrete subgroup of \(\mathbb {R}^n\). Suppose that rank\((L_1 \cap L_2)=\)rank\((L_1)\) (the other case is symmetric). For any \(x\in L_1\), we define a distance function \(\rho (x)\) by

$$\begin{aligned} \rho (x)=\inf \{|x-y|\ \Big |\ y\ne x,\ y\in L_2\}. \end{aligned}$$

Since there are only finitely many vectors of \(L_2\) in any ball \(N(x,\delta )\) of center x and radius \(\delta \), the infimum is attained, and we have

$$\begin{aligned} \rho (x)=\min \{|x-y|\ \Big |\ y\ne x,\ y\in L_2\}=\lambda _x>0. \end{aligned}$$
(5.1.6)

On the other hand, if \(x_1\in L_1\), \(x_2\in L_1\) and \(x_1-x_2\in L_2\), then \(x_1=x_2+y_0\) for some \(y_0\in L_2\), and translation by \(y_0\) permutes \(L_2\), so \(\rho (x_1)=\rho (x_2)\). This means that \(\rho \) is well defined on the quotient group \((L_1+L_2)/L_2\). By the second isomorphism theorem for groups,

$$\begin{aligned} (L_1+L_2)/L_2\cong L_1/(L_1\cap L_2), \end{aligned}$$

and by lemma 5.1.3, applied to the sublattice \(L_1\cap L_2\) of \(L_1\), which has the same rank as \(L_1\), it follows that

$$\begin{aligned} |(L_1+L_2)/L_2|=|L_1/(L_1\cap L_2)|<\infty . \end{aligned}$$

In other words, \((L_1+L_2)/L_2\) is a finite group. Let \(x_1,x_2,\dots ,x_k\in L_1\) be representatives of its cosets. Every nonzero vector of \(L_1+L_2\) can be written as \(x_i-y\) with \(y\in L_2\), \(y\ne x_i\), for some i, hence

$$\begin{aligned} \min \limits _{x\in L_1,y\in L_2,x\ne y} |x-y|=\min \limits _{1\leqslant i\leqslant k} \rho (x_i)=\min \{\lambda _{x_1},\lambda _{x_2},\dots ,\lambda _{x_k}\}>0. \end{aligned}$$

Therefore \(L_1+L_2\) has a positive minimum distance, i.e. it is a discrete subgroup of \(\mathbb {R}^n\), and thus it is a lattice of \(\mathbb {R}^n\).    \(\square \)

Remark 5.1.1

The rank condition in lemma 5.1.4 cannot simply be dropped. As a counterexample on the real line \(\mathbb {R}\), let \(L_1=\mathbb {Z}\) and \(L_2=\sqrt{2}\mathbb {Z}\); then rank\((L_1\cap L_2)=0\), and \(L_1+L_2=\{n+\sqrt{2}m\ \big |\ n\in \mathbb {Z},m\in \mathbb {Z}\}\) is dense in \(\mathbb {R}\) by Dirichlet's theorem (see theorem I of Cassels (1963)), so \(L_1+L_2\) is not a discrete subgroup of \(\mathbb {R}\) and hence not a lattice in \(\mathbb {R}\).
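The approximation step (5.1.2) in the proof of lemma 5.1.1 and the density in remark 5.1.1 both rest on the pigeonhole argument behind Dirichlet's theorem. The following Python code is an added example, not code from the original chapter: it implements that pigeonhole argument for m real numbers with the parameter choice \(N=K^m\), so that the returned q and \(p_i\) satisfy \(1\leqslant q\leqslant N\) and \(\max _i |qa_i-p_i|<K^{-1}=N^{-1/m}\), exactly as in (5.1.2); with \(m=1\) it produces short nonzero elements \(q\sqrt{2}-p\) of \(\mathbb {Z}+\sqrt{2}\mathbb {Z}\) as in remark 5.1.1. The function names are chosen for this example, and floating-point arithmetic is assumed to be accurate enough for the moderate values of K used.

```python
import math

# Added example: the pigeonhole argument behind (5.1.2) (Dirichlet's theorem on
# simultaneous approximation), with N = K**m so that the bound N**(-1/m) is 1/K.


def simultaneous_approx(alphas, K):
    """Return (q, [p_1, ..., p_m]) with 1 <= q <= N = K**m and
    max_i |q*alphas[i] - p_i| < 1/K, for real alphas and an integer K >= 2.

    The N+1 points ({q*a_1}, ..., {q*a_m}), q = 0..N, lie in [0,1)^m, which is
    cut into K**m = N cells of side 1/K; two of them share a cell, and for their
    difference q every q*a_i is within 1/K of an integer."""
    N = K ** len(alphas)
    first_in_cell = {}
    for q in range(N + 1):
        fracs = [q * a - math.floor(q * a) for a in alphas]
        cell = tuple(min(int(f * K), K - 1) for f in fracs)
        if cell in first_in_cell:
            dq = q - first_in_cell[cell]          # 1 <= dq <= N
            return dq, [round(dq * a) for a in alphas]
        first_in_cell[cell] = q
    raise RuntimeError("unreachable: N+1 points in N cells must collide")


def short_sum_vector(alpha, K):
    """The element q*alpha - p of alpha*Z + Z produced by the pigeonhole step with
    m = 1; its absolute value is below 1/K.  For irrational alpha it is never 0,
    so Z + alpha*Z has nonzero elements of arbitrarily small length and is not
    discrete (remark 5.1.1).  For rational alpha the step can return exactly 0
    (e.g. alpha = 1/4, K = 10), which is the rank(L_1 ∩ L_2) = rank(L_1)
    situation of lemma 5.1.4, where the sum is a lattice."""
    q, (p,) = simultaneous_approx([alpha], K)
    return q * alpha - p


def shrinking_lengths(alpha, Ks):
    """|q*alpha - p| for increasing K: a witness that the infimum of the nonzero
    lengths in Z + alpha*Z is 0 when alpha is irrational."""
    return [abs(short_sum_vector(alpha, K)) for K in Ks]


if __name__ == "__main__":
    print(simultaneous_approx([math.sqrt(2), math.sqrt(3)], 10))
    print(shrinking_lengths(math.sqrt(2), [10, 100, 1000, 10000]))
```

For \(\alpha =\sqrt{2}\) the lengths returned by `shrinking_lengths` are bounded by \(1/K\) but never vanish, since \(|q\sqrt{2}-p|\geqslant 1/(p+q\sqrt{2})>0\) for integers \(p,q\) with \(q\ne 0\); this is the quantitative content of remark 5.1.1.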

Lemma 5.1.4 extends to finitely many lattices, provided that the rank condition holds for every summand.

Lemma 5.1.5

Let \(L_1,L_2,\dots ,L_m\) be m lattices of \(\mathbb {R}^n\) with

$$\begin{aligned} \text {rank}(L_{1}\cap L_{2}\cap \cdots \cap L_{m})=\text {rank}(L_{j})\ \text {for every}\ 1\leqslant j\leqslant m. \end{aligned}$$

Then \(L_1+L_2+\cdots +L_m\) is a lattice of \(\mathbb {R}^n\).

Proof

We use induction on m; the case \(m=2\) is lemma 5.1.4. Let r be the common rank of the \(L_j\) and of \(L_1\cap L_2\cap \cdots \cap L_m\). Since \(L_1\cap \cdots \cap L_m\) is a sublattice of \(L_j\) of the same rank, both span the same r-dimensional subspace V of \(\mathbb {R}^n\), so every \(L_j\) lies in V. Let \(L'=L_1+L_2+\cdots +L_{m-1}\). The hypothesis also holds for \(L_1,\dots ,L_{m-1}\), because \(L_1\cap \cdots \cap L_{m-1}\supset L_1\cap \cdots \cap L_m\) has rank at least r and at most rank\((L_1)=r\); hence \(L'\) is a lattice by the induction hypothesis, and \(L'\subset V\) together with \(L_1\subset L'\) gives rank\((L')=r\). Moreover \(L'\cap L_m\supset L_1\cap \cdots \cap L_m\), so rank\((L'\cap L_m)=r=\)rank\((L_m)\). By lemma 5.1.4, \(L'+L_m=L_1+L_2+\cdots +L_m\) is a lattice of \(\mathbb {R}^n\), and lemma 5.1.5 follows.    \(\square \)

The condition cannot be weakened to a single index j. For example, in \(\mathbb {R}^2\) let \(L_1=\mathbb {Z}^2\), \(L_2=\{(\sqrt{2}a,b)\ |\ a,b\in \mathbb {Z}\}\) and \(L_3=\{(0,b)\ |\ b\in \mathbb {Z}\}\). Then \(L_1\cap L_2\cap L_3=L_3\), so the rank condition holds for \(j=3\), but \(L_1+L_2+L_3=\{(n+\sqrt{2}m,b)\ |\ n,m,b\in \mathbb {Z}\}\) is not discrete by remark 5.1.1.

5.2 Ideal Matrices

In Chap. 3 we introduced the circulant matrix and some of its properties. In this section we generalize it to the ideal matrix and study the properties of ideal matrices. Using a characteristic polynomial \(\phi (x)\) as modulus and the \(\phi \)-convolutional product, we establish a ring isomorphism between the polynomial quotient ring modulo \(\phi (x)\) and the n-dimensional vectors of \(\mathbb {R}^n\).

Let \(\mathbb {R}[x]\) and \(\mathbb {Z}[x]\) be the polynomial rings over \(\mathbb {R}\) and \(\mathbb {Z}\) with variable x, respectively. Suppose that

$$\begin{aligned} \phi (x)=x^n-\phi _{n-1}x^{n-1}-\cdots -\phi _1x-\phi _0\in \mathbb {Z}[x],\ \phi _0\ne 0 \end{aligned}$$
(5.2.1)

is a polynomial with integer coefficients that has no repeated roots in the complex field \(\mathbb {C}\). Let \(w_1,w_2,\dots ,w_n\) be the n distinct roots of \(\phi (x)\) in \(\mathbb {C}\); the Vandermonde matrix \(V_{\phi }\) is defined by

$$\begin{aligned} V_{\phi }= \begin{pmatrix} 1 &{} 1 &{} \cdots &{} 1 \\ w_1 &{} w_2 &{} \cdots &{} w_n \\ \vdots &{} \vdots &{} &{} \vdots \\ w_1^{n-1} &{} w_2^{n-1} &{} \cdots &{} w_n^{n-1} \end{pmatrix},\quad \text {det}(V_{\phi })\ne 0. \end{aligned}$$
(5.2.2)

According to the given polynomial \(\phi (x)\), we define a rotation matrix \(H=H_{\phi }\) by

$$\begin{aligned} H=H_{\phi }= \left( \begin{array}{ccc|c} 0 &{} \cdots &{} 0 &{} \phi _0\\ \hline &{} &{} &{} \phi _1\\ &{} I_{n-1} &{} &{} \vdots \\ &{} &{} &{} \phi _{n-1} \\ \end{array} \right) _{n\times n}\in \mathbb {Z}^{n\times n}, \end{aligned}$$
(5.2.3)

where \(I_{n-1}\) is the \((n-1)\times (n-1)\) unit matrix, so H is the companion matrix of \(\phi (x)\) and its characteristic polynomial is \(\phi (x)\). We use column notation for vectors in \(\mathbb {R}^n\), and \(\{e_0,e_1,\dots ,e_{n-1}\}\) denotes the standard basis of \(\mathbb {R}^n\) introduced in Chap. 3.

Definition 5.2.1

For any \(f=\begin{pmatrix} f_0 \\ f_1 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n\), the ideal matrix generated by vector f is defined by

$$\begin{aligned} H^*(f)=[f,Hf,H^2 f,\dots ,H^{n-1}f]_{n\times n}\in \mathbb {R}^{n\times n}, \end{aligned}$$
(5.2.4)

whose k-th column is \(H^k f\ (0\leqslant k\leqslant n-1)\). Sometimes f is called the input vector. In Chap. 3 we introduced the circulant matrix; it is easily seen that \(H^*(f)\) is a common generalization of the classical circulant matrix and of the r-circulant matrix (Shi, 2018; Yasin and Taskara, 2013). In fact, if \(\phi (x)=x^n-1\), then H is the cyclic shift and \(H^*(f)\) is the ordinary circulant matrix generated by f; if \(\phi (x)=x^n-r\), then \(H^*(f)\) is the r-circulant matrix generated by f.

By (5.2.4), it follows immediately that

$$\begin{aligned} H^*(f+g)=H^*(f)+H^*(g), \end{aligned}$$
(5.2.5)

and

$$\begin{aligned} H^*(\lambda f)=\lambda H^*(f),\ \forall \lambda \in \mathbb {R}. \end{aligned}$$
(5.2.6)

Specially, for any \(f=\begin{pmatrix} f_0 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n\), the ideal matrix \(H^*(f)\) generated by f could be written as

$$\begin{aligned} H^*(f)=H^*\left( \sum \limits _{i=0}^{n-1} f_i e_i\right) =\sum \limits _{i=0}^{n-1} f_i H^*(e_i), \end{aligned}$$

which means that any ideal matrix is the linear combination of ideal matrices generated by the standard basis vectors \(e_i\). It is easy to verify that

$$\begin{aligned} H^*(e_0)=I_n,\ H^*(e_k)=H^{k},\ 1\leqslant k\leqslant n-1, \end{aligned}$$

so the unit matrix \(I_n\) and the rotation matrices \(H^k\ (1\leqslant k\leqslant n-1)\) are all ideal matrices.

Moreover, since f is the first column of \(H^*(f)\), \(H^*(f)=0\) is the zero matrix if and only if \(f=0\) is the zero vector, and by (5.2.5) \(H^*(f)=H^*(g)\) if and only if \(f=g\). Let \(M^*\) be the set of all ideal matrices, namely

$$\begin{aligned} M^*=\{H^*(f)\ |\ f\in \mathbb {R}^n\}. \end{aligned}$$
(5.2.7)

We may regard \(H^*\) as a mapping from \(\mathbb {R}^n\) onto \(M^*\), which is a one-to-one correspondence. Next we show some basic properties of ideal matrices; more details can be found in Zheng et al. (2022a).

Lemma 5.2.1

For any \(f\in \mathbb {R}^n\), we have

$$\begin{aligned} H\cdot H^*(f)=H^*(f)\cdot H. \end{aligned}$$
(5.2.8)

Proof

Since \(\phi (x)=x^n-\phi _{n-1}x^{n-1}-\cdots -\phi _1 x-\phi _0\) is the characteristic polynomial of H, by the Cayley–Hamilton theorem we have

$$\begin{aligned} H^n=\phi _0 I_n+\phi _1 H+\cdots +\phi _{n-1}H^{n-1}. \end{aligned}$$

Let

$$\begin{aligned} b=\begin{pmatrix} \phi _1 \\ \phi _2 \\ \vdots \\ \phi _{n-1} \end{pmatrix}\ \text {and}\ H= \begin{pmatrix} 0 &{} \phi _0 \\ I_{n-1} &{} b \end{pmatrix}. \end{aligned}$$

By (5.2.4) we have

$$\begin{aligned} H^*(f)H&=[f,Hf,...,H^{n-1}f] \begin{pmatrix} 0 &{} \phi _0 \\ I_{n-1} &{} b \end{pmatrix} \\ {}&=[Hf,H^2f,...,H^{n-1}f,\phi _0 f+\phi _1 Hf+\cdots +\phi _{n-1}H^{n-1}f] \\ {}&=[Hf,H^2f,...,H^{n-1}f,H^nf] \\ {}&=H[f,Hf,...,H^{n-1}f]=H\cdot H^*(f), \end{aligned}$$

The lemma follows.   \(\square \)

Lemma 5.2.2

For any \(f=\begin{pmatrix} f_0 \\ f_1 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n\) we have

$$\begin{aligned} H^*(f)=f_0 I_n+f_1 H+\cdots +f_{n-1}H^{n-1}. \end{aligned}$$
(5.2.9)

Proof

By (5.2.5) and (5.2.6) we have \(H^*(f)=\sum _{i=0}^{n-1} f_i H^*(e_i)\), so it suffices to show that \(H^*(e_k)=H^k\) for \(0\leqslant k\leqslant n-1\). The first \(n-1\) columns of H in (5.2.3) are \(e_1,e_2,\dots ,e_{n-1}\), that is, \(He_{k}=e_{k+1}\) for \(0\leqslant k\leqslant n-2\), and therefore \(H^k e_0=e_k\) for \(0\leqslant k\leqslant n-1\). By (5.2.4),

$$\begin{aligned} H^*(e_k)=[e_k,He_k,\dots ,H^{n-1}e_k]=H^k[e_0,He_0,\dots ,H^{n-1}e_0]=H^k[e_0,e_1,\dots ,e_{n-1}]=H^k I_n=H^k. \end{aligned}$$

Hence

$$\begin{aligned} H^*(f)=\sum _{i=0}^{n-1} f_i H^*(e_i)=f_0 I_n+f_1 H+\cdots +f_{n-1}H^{n-1}. \end{aligned}$$

We complete the proof of lemma 5.2.2.    \(\square \)

Lemma 5.2.3

Let \(f(x)=f_0+f_1 x+\cdots +f_{n-1}x^{n-1}\in \mathbb {R}[x]\) and let \(V_{\phi }\) be the Vandermonde matrix (5.2.2). Then we have

$$\begin{aligned} H^*(f)=(V_{\phi }^T)^{-1}\text {diag}\{f(w_1),f(w_2),...,f(w_n)\}V_{\phi }^T, \end{aligned}$$
(5.2.10)

where diag\(\{f(w_1),f(w_2),...,f(w_n)\}\) is the diagonal matrix with entries \(f(w_i)\).

Proof

The j-th row of \(V_{\phi }^T\) is \((1,w_j,\dots ,w_j^{n-1})\). By (5.2.3), for any row vector \((v_0,v_1,\dots ,v_{n-1})\) we have

$$\begin{aligned} (v_0,v_1,\dots ,v_{n-1})H=\Big (v_1,v_2,\dots ,v_{n-1},\sum _{i=0}^{n-1}\phi _i v_i\Big ). \end{aligned}$$

Taking \(v_i=w_j^i\) and using \(\phi (w_j)=0\), i.e. \(w_j^n=\sum _{i=0}^{n-1}\phi _i w_j^i\), this gives \((1,w_j,\dots ,w_j^{n-1})H=w_j(1,w_j,\dots ,w_j^{n-1})\). Hence \(V_{\phi }^T H=\text {diag}\{w_1,w_2,...,w_n\}V_{\phi }^T\), and since det\((V_{\phi })\ne 0\),

$$\begin{aligned} H=(V_{\phi }^T)^{-1}\text {diag}\{w_1,w_2,...,w_n\}V_{\phi }^T \end{aligned}$$

(compare theorem 3.2.5 of Davis (1994) for the circulant case \(\phi (x)=x^n-1\), where \(V_{\phi }\) is the symmetric Fourier matrix and the transpose may be omitted). By lemma 5.2.2, it follows that

$$\begin{aligned} H^*(f)=\sum _{i=0}^{n-1} f_i H^i=(V_{\phi }^T)^{-1}\text {\ diag\ }\{f(w_1),f(w_2),...,f(w_n)\}V_{\phi }^T. \end{aligned}$$

   \(\square \)

Now, we summarize some basic properties for ideal matrix as follows.

Lemma 5.2.4

Suppose \(\phi (x)\in \mathbb {Z}[x]\) is a polynomial with no repeated roots in the complex field \(\mathbb {C}\), and let \(f\in \mathbb {R}^n\), \(g\in \mathbb {R}^n\) be two column vectors with associated polynomials f(x) and g(x). Then we have

  1. (i)

    \(H^*(f)H^*(g)=H^*(g)H^*(f)\);

  2. (ii)

    \(H^*(f)H^*(g)=H^*(H^*(f)g)\);

  3. (iii)

    \(\text {det}(H^*(f))=\Pi _{i=1}^n f(w_i)\);

  4. (iv)

    \(H^*(f)\) is an invertible matrix if and only if \(\phi (x)\) and f(x) are coprime, i.e. gcd \((\phi (x),f(x))=1\).

Proof

(i) and (ii) follow from lemma 5.2.2: \(H^*(f)\) and \(H^*(g)\) are polynomials in H, so they commute, and their product is again a polynomial in H, which by the Cayley–Hamilton theorem reduces to degree at most \(n-1\) and is therefore the ideal matrix generated by its first column \(H^*(f)H^*(g)e_0=H^*(f)g\). (iii) and (iv) follow from lemma 5.2.3: the determinant is the product of the diagonal entries \(f(w_i)\), which is nonzero if and only if no \(w_i\) is a root of f(x), i.e. if and only if gcd\((\phi (x),f(x))=1\).    \(\square \)

In Sect. 3.1 we took the characteristic polynomial \(x^n-1\) as modulus and constructed the one-to-one correspondence between a polynomial quotient ring and n-dimensional vectors. Now we generalize this to an arbitrary characteristic polynomial \(\phi (x)\) as modulus. Let \(\phi (x)\mathbb {R}[x]\) and \(\phi (x)\mathbb {Z}[x]\) be the principal ideals generated by \(\phi (x)\) in \(\mathbb {R}[x]\) and \(\mathbb {Z}[x]\), respectively, and denote the quotient rings R and \(\overline{R}\) by

$$\begin{aligned} R=\mathbb {Z}[x]/\phi (x)\mathbb {Z}[x],\ \overline{R}=\mathbb {R}[x]/\phi (x)\mathbb {R}[x]. \end{aligned}$$
(5.2.11)

There is a one-to-one correspondence between \(\overline{R}\) and \(\mathbb {R}^n\) given by

$$\begin{aligned} f(x)=f_0+f_1 x+\cdots +f_{n-1}x^{n-1}\in \overline{R} \longleftrightarrow f=\begin{pmatrix} f_0 \\ f_1 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n. \end{aligned}$$
(5.2.12)

We denote this correspondence by t, that is

$$\begin{aligned} t(f(x))=f,\ t^{-1}(f)=f(x). \end{aligned}$$
(5.2.13)

Restricting t to the quotient ring R gives a one-to-one correspondence between R and \(\mathbb {Z}^n\). We first show that t is also a ring isomorphism, once \(\mathbb {R}^n\) is equipped with the following product.

Definition 5.2.2

For any two column vectors f and g in \(\mathbb {R}^n\), we define the \(\phi \)-convolutional product \(f*g\) by

$$\begin{aligned} f*g=H^*(f)g. \end{aligned}$$
(5.2.14)

By lemma 5.2.4, it is easy to see that

$$\begin{aligned} f*g=g*f,\ \text {and}\ H^*(f*g)=H^*(f)H^*(g). \end{aligned}$$

Lemma 5.2.5

For any two polynomials f(x) and g(x) in \(\overline{R}\), we have

$$\begin{aligned} t(f(x)g(x))=H^*(f)g=f*g. \end{aligned}$$
(5.2.15)

Proof

Let \(g(x)=g_0+g_1 x+\cdots +g_{n-1}x^{n-1}\in \overline{R}\), then

$$\begin{aligned} xg(x)=\phi _0 g_{n-1}+(g_0+\phi _1 g_{n-1})x+\cdots +(g_{n-2}+\phi _{n-1}g_{n-1})x^{n-1}, \end{aligned}$$

it follows that

$$\begin{aligned} t(xg(x))=Ht(g(x))=Hg. \end{aligned}$$
(5.2.16)

Hence, for any \(0\leqslant k\leqslant n-1\), we have

$$\begin{aligned} t(x^k g(x))=H^k t(g(x))=H^k g,\ 0\leqslant k\leqslant n-1. \end{aligned}$$

Let \(f(x)=f_0+f_1 x+\cdots +f_{n-1}x^{n-1}\in \overline{R}\), by lemma 5.2.2, we have

$$\begin{aligned} t(f(x)g(x))=\sum _{i=0}^{n-1} f_i t(x^i g(x))=\sum _{i=0}^{n-1} f_i H^i g=H^*(f)g. \end{aligned}$$

The lemma follows.    \(\square \)

Lemma 5.2.6

Under \(\phi \)-convolutional product, \(\mathbb {R}^n\) is a commutative ring with identity element \(e_0\) and \(\mathbb {Z}^n\subset \mathbb {R}^n\) is its subring. Moreover, we have the following ring isomorphisms

$$\begin{aligned} \overline{R}\cong \mathbb {R}^n \cong M^*,\ R\cong \mathbb {Z}^n\cong M_{\mathbb {Z}}^{*}, \end{aligned}$$

where \(M^*\) is the set of all ideal matrices given by (5.2.7), and \(M_{\mathbb {Z}}^{*}\) is the set of all integer ideal matrices.

Proof

Let \(f(x)\in \overline{R}\) and \(g(x)\in \overline{R}\), then

$$\begin{aligned} t(f(x)+g(x))=f+g=t(f(x))+t(g(x)), \end{aligned}$$

and

$$\begin{aligned} t(f(x)g(x))=H^*(f)g=f*g=t(f(x))*t(g(x)), \end{aligned}$$

which means that t is a ring isomorphism. Since \(f*g=g*f\) and \(e_0*g=H^*(e_0)g=I_n g=g\), \(\mathbb {R}^n\) is a commutative ring with identity element \(e_0\). Noting that \(H^*(f)\) is an integer matrix if and only if \(f\in \mathbb {Z}^n\) is an integer vector, the isomorphisms of subrings follow immediately.    \(\square \)

By property (iv) of lemma 5.2.4, \(H^*(f)\) is an invertible matrix whenever \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\). We now show that the inverse of an ideal matrix is again an ideal matrix.

Lemma 5.2.7

Let \(f(x)\in \overline{R}\) and \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\), then

$$\begin{aligned} (H^*(f))^{-1}=H^*(u), \end{aligned}$$

where \(u(x)\in \overline{R}\) is the unique polynomial such that \(u(x)f(x)\equiv 1\) (mod \(\phi (x)\)).

Proof

By lemma 5.2.5, we have \(u*f=e_0\), it follows that

$$\begin{aligned} H^*(u)H^*(f)=H^*(e_0)=I_n, \end{aligned}$$

thus \((H^*(f))^{-1}=H^*(u)\). It is worth noting that even if \(H^*(f)\) is an invertible integer matrix, \((H^*(f))^{-1}\) is in general not an integer matrix: u is an integer vector only when det\((H^*(f))=\pm 1\).    \(\square \)

The following lemma is sometimes useful, especially when integer matrices are considered.

Lemma 5.2.8

Let \(f(x)\in \mathbb {Z}[x]\) and \((f(x),\phi (x))=1\) in \(\mathbb {Z}[x]\), then we have \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\).

Proof

Let \(\mathbb {Q}\) be the field of rational numbers. Since \((f(x),\phi (x))=1\) in \(\mathbb {Z}[x]\), by Gauss's lemma we also have \((f(x),\phi (x))=1\) in \(\mathbb {Q}[x]\). Since \(\mathbb {Q}[x]\) is a principal ideal domain, there are two polynomials a(x) and b(x) in \(\mathbb {Q}[x]\) such that

$$\begin{aligned} a(x)f(x)+b(x)\phi (x)=1. \end{aligned}$$

This means that \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\).   \(\square \)

5.3 \(\phi \)-Cyclic Lattice

As is well known, cyclic codes play a central role in algebraic coding theory (see Chap. 6 of Lint (1999)). In Zheng et al. (2022a), we extended ordinary cyclic codes to a more general form, namely \(\phi \)-cyclic codes, which will be introduced in Chap. 7. To obtain the analogous concept of a \(\phi \)-cyclic code in \(\mathbb {R}^n\), we note that the rotation matrix H defines a linear transformation of \(\mathbb {R}^n\) by \(x\rightarrow Hx\).

Definition 5.3.1

H is the rotation matrix defined in (5.2.3). A linear subspace \(C\subset \mathbb {R}^n\) is called a \(\phi \)-cyclic subspace if \(\forall \alpha \in C\Rightarrow H\alpha \in C\). A lattice \(L\subset \mathbb {R}^n\) is called a \(\phi \)-cyclic lattice if \(\forall \alpha \in L\Rightarrow H\alpha \in L\).

In other words, a \(\phi \)-cyclic subspace C is a linear subspace of \(\mathbb {R}^n\) that is closed under the linear transformation H, and a \(\phi \)-cyclic lattice L is a lattice of \(\mathbb {R}^n\) that is closed under H. If \(\phi (x)=x^n-1\), then H is the classical cyclic shift and the corresponding cyclic lattices first appeared in Micciancio (2002), where no further properties of these lattices were discussed. To obtain an explicit algebraic construction of \(\phi \)-cyclic lattices, we first show that there is a one-to-one correspondence between the \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) and the ideals of \(\overline{R}\).

Lemma 5.3.1

Let t be the correspondence between \(\overline{R}\) and \(\mathbb {R}^n\) given by (5.2.13), then a subset \(C\subset \mathbb {R}^n\) is a \(\phi \)-cyclic subspace of \(\mathbb {R}^n\), if and only if \(t^{-1}(C)\subset \overline{R}\) is an ideal.

Proof

We extend the correspondence t to subsets of \(\overline{R}\) and \(\mathbb {R}^n\) by

$$\begin{aligned} C(x)\subset \overline{R} \xrightarrow {\quad t\quad } C=\{c\ |\ c(x)\in C(x)\}\subset \mathbb {R}^n. \end{aligned}$$
(5.3.1)

Let \(C(x)\subset \overline{R}\) be an ideal; it is clear that \(C=t(C(x))\) is a linear subspace of \(\mathbb {R}^n\). To prove that C is a \(\phi \)-cyclic subspace, we note that if \(c(x)\in C(x)\), then by (5.2.16)

$$\begin{aligned} xc(x)\in C(x)\Leftrightarrow Ht(c(x))=Hc\in C. \end{aligned}$$

Therefore, if C(x) is an ideal of \(\overline{R}\), then \(t(C(x))=C\) is a \(\phi \)-cyclic subspace of \(\mathbb {R}^n\). Conversely, if \(C\subset \mathbb {R}^n\) is a \(\phi \)-cyclic subspace, then for any \(k\geqslant 1\), we have \(H^k c\in C\) whenever \(c\in C\), it implies

$$\begin{aligned} \forall c(x)\in C(x)\Rightarrow x^k c(x)\in C(x),\ 0\leqslant k\leqslant n-1, \end{aligned}$$

which means that C(x) is an ideal of \(\overline{R}\). We complete the proof.    \(\square \)

By the above lemma, to find a \(\phi \)-cyclic subspace of \(\mathbb {R}^n\) it is enough to find an ideal of \(\overline{R}\). There are two trivial ideals, \(C(x)=0\) and \(C(x)=\overline{R}\), whose corresponding \(\phi \)-cyclic subspaces are \(C=0\) and \(C=\mathbb {R}^n\). To find the non-trivial \(\phi \)-cyclic subspaces, we make use of the homomorphism theorems, a standard technique in algebra. Let \(\pi \) be the natural homomorphism from \(\mathbb {R}[x]\) to \(\overline{R}\), so that ker\(\pi =\phi (x)\mathbb {R}[x]\). We write \(<\phi (x)>\) for \(\phi (x)\mathbb {R}[x]\). Let N be an ideal of \(\mathbb {R}[x]\) satisfying

$$\begin{aligned}<\phi (x)>\subset N \subset \mathbb {R}[x] \xrightarrow {\quad \pi \quad } \overline{R}=\mathbb {R}[x] / <\phi (x)>. \end{aligned}$$
(5.3.2)

Since \(\mathbb {R}[x]\) is a principal ideal domain, \(N=<g(x)>\) is a principal ideal generated by a monic polynomial \(g(x)\in \mathbb {R}[x]\). It is easy to see that

$$\begin{aligned}<\phi (x)>\subset <g(x)>\Leftrightarrow g(x)|\phi (x)\ \text {in}\ \mathbb {R}[x]. \end{aligned}$$

It follows that all ideals N satisfying (5.3.2) are given by

$$\begin{aligned} \{<g(x)>\ |\ g(x)\in \mathbb {R}[x]\ \text {is monic and}\ g(x)|\phi (x)\}. \end{aligned}$$

We write by \(<g(x)>\) mod \(\phi (x)\), the image of \(<g(x)>\) under \(\pi \), i.e.

$$\begin{aligned}<g(x)>\text {mod}\ \phi (x)=\pi (<g(x)>). \end{aligned}$$

It is easy to check

$$\begin{aligned}<g(x)>\text {mod}\ \phi (x)=\{a(x)g(x)\ |\ a(x)\in \mathbb {R}[x]\ \text {and}\ \text {deg}a(x)+\text {deg}g(x)<n\}. \end{aligned}$$
(5.3.3)

more precisely, the right-hand side of (5.3.3) is a set of representatives of \(<g(x)>\) mod \(\phi (x)\). By the correspondence theorem for ideals, all ideals of \(\overline{R}\) are given by

$$\begin{aligned} \{<g(x)>\text {mod}\ \phi (x)\ |\ g(x) \in \mathbb {R}[x]\ \text {is monic and}\ g(x)|\phi (x)\}. \end{aligned}$$
(5.3.4)

Let d be the number of monic divisors of \(\phi (x)\) in \(\mathbb {R}[x]\), we have the following lemma.

Lemma 5.3.2

The number of \(\phi \)-cyclic subspace of \(\mathbb {R}^n\) is d.

Proof

By lemma 5.3.1, the correspondence between \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) and ideals of \(\overline{R}\) is one-to-one. By (5.3.4), the number of ideals of \(\overline{R}\) is equal to the number of monic divisors of \(\phi (x)\) in \(\mathbb {R}[x]\), i.e. d. So the number of \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) is d.    \(\square \)

Next we discuss \(\phi \)-cyclic lattices, the geometric analogue of cyclic codes; the \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) may be regarded as their algebraic analogue. Let the quotient rings R and \(\overline{R}\) be given by (5.2.11). An R-module is an abelian group \(\Lambda \) together with a scalar multiplication \(\lambda \alpha \in \Lambda \) for all \(\lambda \in R\) and \(\alpha \in \Lambda \), satisfying \(1\cdot \alpha =\alpha \), \((\lambda _1 \lambda _2)\alpha =\lambda _1 (\lambda _2 \alpha )\) and the two distributive laws. Clearly \(\overline{R}\) is an R-module; if \(\Lambda \subset \overline{R}\) is itself an R-module under the induced operations, then \(\Lambda \) is called an R-submodule of \(\overline{R}\). All R-modules discussed here are R-submodules of \(\overline{R}\). On the other hand, a subset \(I\subset R\) is an ideal of R if and only if I is an R-submodule of R. For \(\alpha \in \overline{R}\), the cyclic R-module generated by \(\alpha \) is defined by

$$\begin{aligned} R\alpha =\{\lambda \alpha \ |\ \lambda \in R\}. \end{aligned}$$
(5.3.5)

If there are finitely many polynomials \(\alpha _1,\alpha _2,\dots ,\alpha _k\) in \(\overline{R}\) such that

$$\begin{aligned} \Lambda =R\alpha _1+R\alpha _2+\cdots +R\alpha _k, \end{aligned}$$

then \(\Lambda \) is called a finitely generated R-module, which is a R-submodule of \(\overline{R}\).

Now let \(L\subset \mathbb {R}^n\) be a \(\phi \)-cyclic lattice, \(g\in \mathbb {R}^n\), let \(H^*(g)\) be the ideal matrix generated by g, and let \(L(H^*(g))=\{H^*(g)b\ |\ b\in \mathbb {Z}^n\}\) be the additive group generated by the columns of \(H^*(g)\). In the following lemma we prove that every \(L(H^*(g))\) is closed under H and that

$$\begin{aligned} g\in L\Rightarrow L(H^*(g))\subset L, \end{aligned}$$
(5.3.6)

which implies that \(L(H^*(g))\) is the smallest \(\phi \)-cyclic lattice containing the vector g. Therefore we call \(L(H^*(g))\) a minimal \(\phi \)-cyclic lattice in \(\mathbb {R}^n\).

Lemma 5.3.3

For any vector \(g\in \mathbb {R}^n\), the additive group \(L(H^*(g))=\{H^*(g)b\ |\ b\in \mathbb {Z}^n\}\) is closed under H; hence \(L(H^*(g))\) is a \(\phi \)-cyclic lattice whenever it is discrete, in particular whenever \(H^*(g)\) is invertible or \(g\in \mathbb {Z}^n\). Moreover, if \(L\subset \mathbb {R}^n\) is a \(\phi \)-cyclic lattice and \(g\in L\), then \(L(H^*(g))\subset L\), and \(L(H^*(g))\) is a \(\phi \)-cyclic lattice in this case as well.

Proof

Let \(\alpha \in L(H^*(g))\), so that \(\alpha =H^*(g)b\) for some integer vector \(b\in \mathbb {Z}^n\). By lemma 5.2.2, we have

$$\begin{aligned} \alpha =g_0 I_n b+g_1 H b+\cdots +g_{n-1}H^{n-1}b \end{aligned}$$

and

$$\begin{aligned} H\alpha =(g_0 I_n+g_1 H+\cdots +g_{n-1}H^{n-1})Hb=H^*(g)Hb. \end{aligned}$$

Since \(Hb\in \mathbb {Z}^n\), it follows that \(H\alpha \in L(H^*(g))\), so \(L(H^*(g))\) is closed under H, and it is a \(\phi \)-cyclic lattice as soon as it is discrete. If L is a \(\phi \)-cyclic lattice and \(g\in L\), then \(H^k g\in L\) for \(0\leqslant k\leqslant n-1\), and

$$\begin{aligned} b_0 I_n g+b_1 Hg+\cdots +b_{n-1}H^{n-1}g\in L,\ \text {for all}\ b=\begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{n-1} \end{pmatrix}\in \mathbb {Z}^n. \end{aligned}$$

By lemma 5.2.2 and (i) of lemma 5.2.4, the left-hand side is

$$\begin{aligned} H^*(b)g=H^*(g)b\in L\ \text {for all}\ b\in \mathbb {Z}^n. \end{aligned}$$

Thus \(L(H^*(g))\subset L\); being a subgroup of the lattice L, it is discrete and hence a \(\phi \)-cyclic lattice. Lemma 5.3.3 holds.    \(\square \)

Lemma 5.3.4

There is a one-to-one correspondence between the minimal \(\phi \)-cyclic lattice in \(\mathbb {R}^n\) and the cyclic R-submodule in \(\overline{R}\), namely

$$\begin{aligned} t(Rg(x))=L(H^*(g)),\ \text {for all}\ g(x)\in \overline{R} \end{aligned}$$

and

$$\begin{aligned} t^{-1}(L(H^*(g)))=Rg(x),\ \text {for all}\ g\in \mathbb {R}^n. \end{aligned}$$

Proof

Let \(b(x)\in R\). By lemma 5.2.5, we have

$$\begin{aligned} t(b(x)g(x))=H^*(b)g=H^*(g)b\in L(H^*(g)), \end{aligned}$$

so \(t(Rg(x))\subset L(H^*(g))\). Conversely, if \(\alpha \in L(H^*(g))\), then \(\alpha =H^*(g)b\) for some integer vector b, and by lemma 5.2.5 again \(b(x)g(x)\in Rg(x)\) with \(t(b(x)g(x))=\alpha \). This implies that

$$\begin{aligned} L(H^*(g))\subset t(Rg(x)), \end{aligned}$$

and

$$\begin{aligned} t(Rg(x))=L(H^*(g)). \end{aligned}$$

The lemma follows immediately.    \(\square \)

Suppose \(L=L(\beta _1,\beta _2,\dots ,\beta _m)\) is an arbitrary \(\phi \)-cyclic lattice, where \(B=[\beta _1,\beta _2,\dots ,\beta _m]_{n\times m}\) is a generator matrix of L. Then L can be expressed as a sum of finitely many minimal \(\phi \)-cyclic lattices: by lemma 5.3.3 each \(L(H^*(\beta _i))\subset L\), and each \(\beta _i\in L(H^*(\beta _i))\), so

$$\begin{aligned} L=L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)). \end{aligned}$$
(5.3.7)

To state and prove our main results, we first define a prime spot in \(\mathbb {R}^n\).

Definition 5.3.2

Let \(g\in \mathbb {R}^n\), and \(g(x)=t^{-1}(g)\in \overline{R}\). If \((g(x),\phi (x))=1\) in \(\mathbb {R}[x]\), we call g a prime spot of \(\mathbb {R}^n\).

By (iv) of lemma 5.2.4, \(g\in \mathbb {R}^n\) is a prime spot if and only if \(H^*(g)\) is an invertible matrix; thus the minimal \(\phi \)-cyclic lattice \(L(H^*(g))\) generated by a prime spot is a full-rank lattice.
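To make the objects of this section concrete, here is an added Python example (not part of the chapter) that builds the rotation matrix \(H_\phi \) and the ideal matrix \(H^*(g)\) over exact rationals, checks the identity \(H^*(g)b=H^*(b)g=t(b(x)g(x))\) of lemma 5.2.5 on which lemmas 5.3.3 and 5.3.4 rest, checks that H maps \(L(H^*(g))\) into itself as in the proof of lemma 5.3.3, and tests the prime-spot condition through \(\det H^*(g)\ne 0\), which is the invertibility criterion of (iv) of lemma 5.2.4. It assumes that \(H_\phi \) is the companion matrix of \(\phi \) (multiplication by x modulo \(\phi (x)\) on coefficient vectors); for \(\phi (x)=x^3-1\) this is exactly the matrix H displayed in Example 5.2 below. The polynomials \(\phi (x)=x^3-1\) and \(\phi (x)=x^3-2\) and the test vectors are constructed inputs.

```python
from fractions import Fraction

# Added example, not from the chapter. A monic phi of degree n is the coefficient
# list [c0, ..., c_{n-1}, 1] of phi(x) = x^n + c_{n-1} x^{n-1} + ... + c0; a vector g
# in R^n is the coefficient list [g0, ..., g_{n-1}] of g(x) = t^{-1}(g).
# Assumption: H_phi is the companion matrix of phi (multiply-by-x modulo phi).

def rotation_matrix(phi):
    n = len(phi) - 1
    H = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n - 1):
        H[i + 1][i] = Fraction(1)        # x * x^i = x^{i+1}
    for i in range(n):
        H[i][n - 1] = -Fraction(phi[i])  # x * x^{n-1} = x^n = -(c0 + ... + c_{n-1} x^{n-1})
    return H

def matvec(M, v):
    return [sum(M[i][j] * Fraction(v[j]) for j in range(len(v))) for i in range(len(M))]

def ideal_matrix(g, phi):
    """H*(g) = [g, Hg, H^2 g, ..., H^{n-1} g], the H^j g as columns."""
    H, n = rotation_matrix(phi), len(g)
    cols, v = [], [Fraction(x) for x in g]
    for _ in range(n):
        cols.append(v)
        v = matvec(H, v)
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def poly_mulmod(a, b, phi):
    """t(a(x) b(x) mod phi(x)): the phi-convolution a * b of the chapter."""
    n = len(phi) - 1
    prod = [Fraction(0)] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += Fraction(ai) * Fraction(bj)
    for k in range(2 * n - 2, n - 1, -1):  # eliminate x^k for k >= n, top down
        c, prod[k] = prod[k], Fraction(0)
        for i in range(n):
            prod[k - n + i] -= c * phi[i]   # x^k = x^{k-n} * x^n
    return prod[:n]

def det(M):
    """Exact determinant by elimination over Fractions."""
    A, n, d = [row[:] for row in M], len(M), Fraction(1)
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            return Fraction(0)
        if p != c:
            A[c], A[p] = A[p], A[c]
            d = -d
        d *= A[c][c]
        for r in range(c + 1, n):
            f = A[r][c] / A[c][c]
            A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return d

def lemma_5_2_5_holds(g, b, phi):
    """H*(g) b == H*(b) g == t(b(x) g(x)): the identity behind lemmas 5.3.3 and 5.3.4."""
    return matvec(ideal_matrix(g, phi), b) == matvec(ideal_matrix(b, phi), g) == poly_mulmod(b, g, phi)

def closed_under_rotation(g, b, phi):
    """For alpha = H*(g) b, H alpha equals H*(g) (H b) and H b is again an integer vector."""
    H = rotation_matrix(phi)
    alpha, hb = matvec(ideal_matrix(g, phi), b), matvec(H, b)
    return matvec(H, alpha) == matvec(ideal_matrix(g, phi), hb) and all(x.denominator == 1 for x in hb)

def is_prime_spot(g, phi):
    """g is a prime spot iff H*(g) is invertible, i.e. iff det H*(g) != 0."""
    return det(ideal_matrix(g, phi)) != 0

# Constructed inputs: phi = x^3 - 1 (the circulant case) and phi = x^3 - 2.
PHI_CYC = [-1, 0, 0, 1]
PHI_GEN = [-2, 0, 0, 1]

if __name__ == "__main__":
    print(rotation_matrix(PHI_CYC))            # the matrix H of Example 5.2
    print(is_prime_spot([0, 0, 1], PHI_CYC))   # x^2 is coprime to x^3 - 1
    print(is_prime_spot([-1, 1, 0], PHI_CYC))  # x - 1 divides x^3 - 1: not a prime spot
    print(is_prime_spot([-1, 1, 0], PHI_GEN))  # x - 1 is coprime to x^3 - 2
```

The vector \(g=(-1,1,0)^T\), i.e. \(g(x)=x-1\), shows the role of the prime-spot condition: for \(\phi (x)=x^3-1\) the columns of \(H^*(g)\) sum to zero, so \(L(H^*(g))\) has rank 2, while for \(\phi (x)=x^3-2\) the same vector gives a full-rank minimal \(\phi \)-cyclic lattice.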

Lemma 5.3.5

Let g and f be two prime spots of \(\mathbb {R}^n\). Then \(L(H^*(g))+L(H^*(f))\) is a full-rank \(\phi \)-cyclic lattice.

Proof

According to lemma 5.1.4, it is sufficient to show that

$$\begin{aligned} \text {rank}\big (L(H^*(g))\cap L(H^*(f))\big )=\text {rank}\big (L(H^*(g))\big )=n. \end{aligned}$$
(5.3.8)

In fact, we prove the more general inclusion

$$\begin{aligned} L(H^*(g)\cdot H^*(f))\subset L(H^*(g))\cap L(H^*(f)). \end{aligned}$$
(5.3.9)

If (5.3.9) holds, then, since \(H^*(g)\cdot H^*(f)\) is an invertible matrix,

$$\begin{aligned} \text {rank}\big (L(H^*(g)\cdot H^*(f))\big )=n, \end{aligned}$$

and (5.3.8) holds. To prove (5.3.9), we note that, by (ii) of lemma 5.2.4,

$$\begin{aligned} L(H^*(g)\cdot H^*(f))=L(H^*(g*f)), \end{aligned}$$

where \(g*f\) is the \(\phi \)-convolutional product, so by lemma 5.3.4

$$\begin{aligned} t^{-1}\big (L(H^*(g)\cdot H^*(f))\big )=Rg(x)f(x). \end{aligned}$$

It is easy to see that

$$\begin{aligned} Rg(x)f(x)\subset Rg(x)\cap Rf(x). \end{aligned}$$

Therefore, we have

$$\begin{aligned} L(H^*(g)\cdot H^*(f))=t(Rg(x)f(x))\subset L(H^*(g))\cap L(H^*(f)). \end{aligned}$$

This is the proof of lemma 5.3.5.    \(\square \)

It is worth noting that (5.3.9) holds in a more general setting and does not need the prime-spot condition. We have the following lemma.

Lemma 5.3.6

Let \(\beta _1,\beta _2,\dots ,\beta _m\) be any m vectors in \(\mathbb {R}^n\). Then

$$\begin{aligned} L(H^*(\beta _1) H^*(\beta _2)\cdots H^*(\beta _m))\subset L(H^*(\beta _1))\cap L(H^*(\beta _2))\cap \cdots \cap L(H^*(\beta _m)). \end{aligned}$$
(5.3.10)

Proof

If \(\beta _1,\beta _2,\dots ,\beta _m\) are integer vectors, then (5.3.10) is trivial. For the general case, we write

$$\begin{aligned} L(H^*(\beta _1)\cdot H^*(\beta _2)\cdots H^*(\beta _m))=L(H^*(\beta _1 *\beta _2 *\cdots *\beta _m)), \end{aligned}$$

where \(\beta _1 *\beta _2 *\cdots *\beta _m\) is the \(\phi \)-convolutional product defined in (5.2.14), then

$$\begin{aligned} t^{-1}\big (L(H^*(\beta _1)\cdots H^*(\beta _m))\big )=R \beta _1(x)\beta _2(x)\cdots \beta _m(x). \end{aligned}$$

Since

$$\begin{aligned} R \beta _1(x)\beta _2(x)\cdots \beta _m(x)\subset R\beta _1(x)\cap R\beta _2(x)\cap \cdots \cap R\beta _m(x), \end{aligned}$$

it follows that

$$\begin{aligned} L(H^*(\beta _1) H^*(\beta _2)\cdots H^*(\beta _m))\subset L(H^*(\beta _1))\cap L(H^*(\beta _2))\cap \cdots \cap L(H^*(\beta _m)). \end{aligned}$$

This proves the lemma.    \(\square \)

By lemma 5.3.5, we also have the following corollary.

Corollary 5.3.1

Let \(\beta _1,\beta _2,\dots ,\beta _m\) be m prime spots of \(\mathbb {R}^n\), then \(L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m))\) is a full-rank \(\phi \)-cyclic lattice.

Proof

By lemma 5.1.5, this follows immediately from lemma 5.3.5.    \(\square \)

Our main result in this chapter is the following one-to-one correspondence between \(\phi \)-cyclic lattices in \(\mathbb {R}^n\) and finitely generated R-modules in \(\overline{R}\).

Theorem 5.3.1

Let \(\Lambda =R\alpha _1(x)+R\alpha _2(x)+\cdots +R\alpha _m(x)\) be a finitely generated R-module in \(\overline{R}\). Then \(t(\Lambda )\) is a \(\phi \)-cyclic lattice in \(\mathbb {R}^n\). Conversely, if \(L\subset \mathbb {R}^n\) is a \(\phi \)-cyclic lattice, then \(t^{-1}(L)\) is a finitely generated R-module in \(\overline{R}\); thus t is a one-to-one correspondence between the two classes.

Proof

If \(\Lambda \) is a finitely generated R-module, by lemma 5.3.4, we have

$$\begin{aligned} t(\Lambda )&=t(R\alpha _1(x)+\cdots +R\alpha _m(x)) \\ {}&=L(H^*(\alpha _1))+L(H^*(\alpha _2))+\cdots +L(H^*(\alpha _m)). \end{aligned}$$

The main difficulty is to show that \(t(\Lambda )\) is a lattice in \(\mathbb {R}^n\), since a sum of lattices need not be discrete; to handle this we embed \(t(\Lambda )\) into a full-rank lattice. Let \((\alpha _i(x),\phi (x))=d_i(x)\), \(d_i(x)\in \mathbb {Z}[x]\), and \(\beta _i(x)=\alpha _i(x)/d_i(x)\), \(1\leqslant i\leqslant m\). Since \(\phi (x)\) has no multiple roots by assumption, \((\beta _i(x),\phi (x))=1\) in \(\mathbb {R}[x]\); in other words, each \(t(\beta _i(x))=\beta _i\) is a prime spot. It is easy to verify that \(R\alpha _i(x)\subset R\beta _i(x)\ (1\leqslant i\leqslant m)\), thus we have

$$\begin{aligned} t(\Lambda )\subset L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)). \end{aligned}$$

By corollary 5.3.1 the right-hand side is a full-rank \(\phi \)-cyclic lattice, so its subgroup \(t(\Lambda )\) is discrete and hence a lattice; it is \(\phi \)-cyclic because each summand \(L(H^*(\alpha _i))\) is \(\phi \)-cyclic by lemma 5.3.3. Conversely, if \(L\subset \mathbb {R}^n\) is a \(\phi \)-cyclic lattice and \(L=L(\beta _1,\beta _2,\dots ,\beta _m)\), then by (5.3.7) we have

$$\begin{aligned} t^{-1}(L)=R\beta _1(x)+R\beta _2(x)+\cdots +R\beta _m(x), \end{aligned}$$

which is a finitely generated R-module in \(\overline{R}\). We complete the proof of theorem 5.3.1.    \(\square \)

Since R is a Noetherian ring, a subset \(I\subset R\) is an ideal if and only if it is a finitely generated R-submodule of R. On the other hand, if \(I\subset R\) is an ideal, then \(t(I)\) is a subgroup of \(\mathbb {Z}^n\), hence discrete, and thus t(I) is a lattice. We give the following definition.

Definition 5.3.3

Let \(I\subset R\) be an ideal. Then t(I) is called a \(\phi \)-ideal lattice.

Ideal lattices first appeared in Lyubashevsky and Micciancio (2006); more on them can be found in Zheng et al. (2022a). As a direct consequence of theorem 5.3.1, we have the following corollary.

Corollary 5.3.2

Let \(L\subset \mathbb {R}^n\) be a subset. Then L is a \(\phi \)-cyclic lattice if and only if

$$\begin{aligned} L=L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)), \end{aligned}$$

where \(\beta _i\in \mathbb {R}^n\) and \(m\leqslant n\). Furthermore, L is a \(\phi \)-ideal lattice if and only if every \(\beta _i\in \mathbb {Z}^n\), \(1\leqslant i\leqslant m\).

Corollary 5.3.3

Suppose that \(\phi (x)\) is an irreducible polynomial in \(\mathbb {Z}[x]\). Then any nonzero ideal I of R defines a full-rank \(\phi \)-ideal lattice \(t(I)\subset \mathbb {Z}^n\).

Proof

Let \(I\subset R\) be a nonzero ideal. Then \(I=R\alpha _1(x)+R\alpha _2(x)+\cdots +R\alpha _m(x)\) with nonzero \(\alpha _i(x)\in R\), and since \(\phi (x)\) is irreducible and \(\deg \alpha _i(x)<\deg \phi (x)\), we have \((\alpha _i(x),\phi (x))=1\). It follows that

$$\begin{aligned} t(I)=L(H^*(\alpha _1))+L(H^*(\alpha _2))+\cdots +L(H^*(\alpha _m)). \end{aligned}$$

Since each \(\alpha _i\) is a prime spot, we have rank\((t(I))=n\) by corollary 5.3.1, and the corollary follows at once.    \(\square \)

We have proved that every ideal of R corresponds to a \(\phi \)-ideal lattice, which is just a \(\phi \)-cyclic integer lattice under the more general rotation matrix \(H=H_{\phi }\). Cyclic lattices and ideal lattices were introduced in Micciancio (2002) and Lyubashevsky and Micciancio (2006), respectively, to improve the space complexity of lattice-based cryptosystems. Ideal lattices allow a lattice to be represented using only two polynomials, so a class of lattice-based cryptosystems can reduce their space complexity from \(O(n^2)\) to O(n); the polynomial structure also allows computations to be accelerated. Micciancio's original construction uses ordinary circulant matrices and admits an interpretation in terms of arithmetic in the polynomial ring \(\mathbb {Z}[x]/<x^n-1>\). Lyubashevsky and Micciancio later suggested changing the ring to \(\mathbb {Z}[x]/<\phi (x)>\) with \(\phi (x)\) irreducible over \(\mathbb {Z}[x]\). Our results here suggest that the ring \(\mathbb {Z}[x]/<\phi (x)>\) can be used with an arbitrary polynomial \(\phi (x)\). There are many works subsequent to Lyubashevsky and Micciancio, such as Micciancio and Regev (2009) and Peikert (2016).

Example 5.1

It is interesting to find examples of \(\phi \)-cyclic lattices in an algebraic number field \(\mathbb {K}\). Let \(\mathbb {Q}\) be the rational number field. Without loss of generality, an algebraic number field \(\mathbb {K}\) of degree n is \(\mathbb {K}=\mathbb {Q}(w)\), where \(w=w_i\) is a root of \(\phi (x)\), which is now an irreducible polynomial of degree n. If all \(\mathbb {Q}(w_i)\subset \mathbb {R}\ (1\leqslant i\leqslant n)\), then \(\mathbb {K}\) is called a totally real algebraic number field. Let \(O_\mathbb {K}\) be the ring of algebraic integers of \(\mathbb {K}\), and let \(I\subset O_\mathbb {K}\) be an ideal, \(I\ne 0\). Since there is an integral basis \(\{\alpha _1,\alpha _2,\dots ,\alpha _n\}\subset I\) such that

$$\begin{aligned} I=\mathbb {Z}\alpha _1+\mathbb {Z}\alpha _2+\cdots +\mathbb {Z}\alpha _n, \end{aligned}$$

we may regard every ideal of \(O_\mathbb {K}\) as a lattice in \(\mathbb {Q}^n\). Our assertion is that every nonzero ideal of \(O_\mathbb {K}\) corresponds to a full-rank \(\phi \)-cyclic lattice in \(\mathbb {Q}^n\). To see this, let

$$\begin{aligned} \mathbb {Q}[w]=\left\{ \sum _{i=0}^{n-1} a_i w^i\ |\ a_i\in \mathbb {Q}\right\} , \end{aligned}$$

It is known that \(\mathbb {K}=\mathbb {Q}[w]\), thus every \(\alpha \in \mathbb {K}\) corresponds to a vector \(\overline{\alpha }\in \mathbb {Q}^n\) by

$$\begin{aligned} \alpha =\sum _{i=0}^{n-1} a_i w^i \xrightarrow {\quad \tau \quad } \overline{\alpha }=\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{n-1} \end{pmatrix}\in \mathbb {Q}^n. \end{aligned}$$

If \(I\subset O_\mathbb {K}\) is an ideal of \(O_\mathbb {K}\) and \(I=\mathbb {Z}\alpha _1+\mathbb {Z}\alpha _2+\cdots +\mathbb {Z}\alpha _n\), let \(B=[\overline{\alpha _1},\overline{\alpha _2},\dots ,\overline{\alpha _n}]\in \mathbb {Q}^{n\times n}\), which is a full-rank matrix because \(\alpha _1,\dots ,\alpha _n\) is a \(\mathbb {Q}\)-basis of \(\mathbb {K}\). Hence \(\tau (I)=L(B)\) is a full-rank lattice. It remains to show that \(\tau (I)\) is a \(\phi \)-cyclic lattice, for which it suffices to prove that \(\alpha \in I\Rightarrow H\overline{\alpha }\in \tau (I)\). Suppose that \(\alpha \in I\); then \(w\alpha \in I\). Since \(\tau (w)=e_1\) is the coefficient vector of x, and multiplication by w in \(\mathbb {K}\) is multiplication by x modulo \(\phi (x)\), it is easy to verify that

$$\begin{aligned} \tau (w\alpha )=\tau (w)*\tau (\alpha )=H\overline{\alpha }\in \tau (I). \end{aligned}$$

This means that \(\tau (I)\) is a \(\phi \)-cyclic lattice of \(\mathbb {Q}^n\), which is a full-rank lattice.

5.4 Improved Upper Bound for Smoothing Parameter

As an application of the algebraic structure of \(\phi \)-cyclic lattices, we give an explicit upper bound for the smoothing parameter of a \(\phi \)-cyclic lattice. The smoothing parameter was introduced in Chap. 1. Suppose that L is a full-rank lattice and \(L^*\) is its dual lattice. For any \(\epsilon >0\), the smoothing parameter \(\eta _{\epsilon }(L)\) of L is the smallest s such that \(\rho _{1/s}(L^*)\leqslant 1+\epsilon \), where \(\rho \) is the Gaussian function

$$\begin{aligned} \rho _{s,c}(x)=e^{-\frac{\pi }{s^2} |x-c|^2},\ \rho _s(x)=\rho _{s,0}(x),\ x\in \mathbb {R}^n. \end{aligned}$$

and \(\rho _s(A)=\sum _{x\in A}\rho _s(x)\) for a countable set A. Notice that \(\rho _{1/s}(L^*)\) is a continuous and strictly decreasing function of s, so \(\eta _{\epsilon }(L)\) is the unique s with \(\rho _{1/s}(L^*)=1+\epsilon \); consequently the smoothing parameter \(\eta _{\epsilon }(L)\) is a continuous and strictly decreasing function of \(\epsilon \), in particular

$$\begin{aligned} \eta _{\epsilon _1}(L)\leqslant \eta _{\epsilon _2}(L),\quad \text {if}\ 0<\epsilon _2<\epsilon _1. \end{aligned}$$

The following lemma shows the relation of smoothing parameters between a lattice and its sublattice.

Lemma 5.4.1

Suppose that \(L_1\) and \(L_2\) are two full-rank lattices in \(\mathbb {R}^n\), and \(L_1 \subset L_2\), then for any \(\epsilon >0\), we have

$$\begin{aligned} \eta _{\epsilon }(L_2)\leqslant \eta _{\epsilon }(L_1). \end{aligned}$$
(5.4.1)

Proof

Let \(\eta _{\epsilon }(L_1)=s\); we show that \(\eta _{\epsilon }(L_2)\leqslant s\). By the remark above,

$$\begin{aligned} \rho _{1/s}(L_1^*)=1+\epsilon , \end{aligned}$$

i.e.

$$\begin{aligned} \sum \limits _{x\in L_1^*}e^{-\pi s^2 |x|^2}=1+\epsilon . \end{aligned}$$

Since \(L_1\subset L_2\) implies \(L_2^*\subset L_1^*\), it follows that

$$\begin{aligned} 1+\epsilon =\sum \limits _{x\in L_1^*}e^{-\pi s^2 |x|^2}\geqslant \sum \limits _{x\in L_2^*}e^{-\pi s^2 |x|^2}, \end{aligned}$$

which implies

$$\begin{aligned} \rho _{1/s}(L_2^*)\leqslant 1+\epsilon , \end{aligned}$$

and \(\eta _{\epsilon }(L_2)\leqslant s=\eta _{\epsilon }(L_1)\), thus we have lemma 5.4.1.    \(\square \)

According to (5.2.4), the ideal matrix \(H^*(f)\) with input vector \(f\in \mathbb {R}^n\) is just the ordinary circulant matrix when \(\phi (x)=x^n-1\). The next lemma shows that the transpose of a circulant matrix is again a circulant matrix. For any \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\), we write \(\overline{g}=\begin{pmatrix} g_{n-1} \\ g_{n-2} \\ \vdots \\ g_{0} \end{pmatrix}\), which we call the conjugate of g.

Lemma 5.4.2

Let \(\phi (x)=x^n-1\), then for any \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\), we have

$$\begin{aligned} (H^*(g))^T=H^*(H\overline{g}). \end{aligned}$$
(5.4.2)

Proof

Since \(\phi (x)=x^n-1\), the matrix \(H=H_{\phi }\) is a permutation matrix, hence orthogonal, and we have \(H^{-1}=H^{n-1}=H^T\). We write \(H_1=H^T=H^{-1}\). The following identity is easy to verify:

$$\begin{aligned} H^*(g)=\begin{pmatrix} \overline{g}^T H_1 \\ \overline{g}^T H_1^2 \\ \vdots \\ \overline{g}^T H_1^n \end{pmatrix}. \end{aligned}$$

It follows that

$$\begin{aligned} (H^*(g))^T=[H\overline{g},H(H\overline{g}),\dots ,H^{n-1}(H\overline{g})]=H^*(H\overline{g}), \end{aligned}$$

and we have the lemma.    \(\square \)

Lemma 5.4.3

Let \(\phi (x)=x^n-1\), and suppose that \(g\in \mathbb {R}^n\) and the circulant matrix \(H^*(g)\) is invertible. Let \(A=(H^*(g))^T H^*(g)\). Then the eigenvalues of A are given by

$$\begin{aligned} \{|g(\theta _1)|^2,|g(\theta _2)|^2,\dots ,|g(\theta _n)|^2\}, \end{aligned}$$

where \(\theta _i^n=1\ (1\leqslant i\leqslant n)\) are the n-th roots of unity.

Proof

By lemma 5.4.2 and (ii) of lemma 5.2.4, we have

$$\begin{aligned} A=H^*(H\overline{g})H^*(g)=H^*(H^*(H\overline{g})g)=H^*(g''), \end{aligned}$$

where \(g''=H^*(H\overline{g})g\). Let \(g''(x)=t^{-1}(g'')\) be the polynomial corresponding to \(g''\). By lemma 5.2.3, the eigenvalues of A are given by

$$\begin{aligned} \{g''(\theta _1),g''(\theta _2),\dots ,g''(\theta _n)\},\ \theta _i^n=1,\ 1\leqslant i\leqslant n. \end{aligned}$$

Let \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\). Since \(\overline{g}(x)=x^{n-1}g(x^{-1})\), the polynomial corresponding to \(H\overline{g}\) is \(x\overline{g}(x)=x^n g(x^{-1})\equiv g(x^{-1})\) (mod \(x^n-1\)), and therefore

$$\begin{aligned} g''(x)\equiv g(x^{-1})g(x)=\sum \limits _{k=0}^{n-1}\left( \sum \limits _{i=0}^{n-1}g_i g_{i+k}\right) x^k\ (\text {mod}\ x^n-1), \end{aligned}$$

where the indices are taken modulo n, i.e. \(g_{n+i}=g_i\). For \(\theta ^n=1\) we have \(\theta ^{-1}=\overline{\theta }\), and since g has real coefficients, \(g''(\theta )=g(\overline{\theta })g(\theta )=\overline{g(\theta )}\,g(\theta )=|g(\theta )|^2\). The lemma follows at once.    \(\square \)

By the definition of prime spot, if \(g\in \mathbb {R}^n\) is a prime spot, then there is a unique polynomial \(u(x)\in \overline{R}\) such that \(u(x)g(x)\equiv 1\) (mod \(\phi (x)\)), so that \(H^*(u)H^*(g)=H^*(t(u(x)g(x)))=I_n\), i.e. \(H^*(u)=H^*(g)^{-1}\). We define a new vector \(T_g\) and its corresponding polynomial \(T_g(x)\) by

$$\begin{aligned} T_g=H\overline{u},\ T_g(x)=t^{-1}(H\overline{u}). \end{aligned}$$
(5.4.3)

If \(g\in \mathbb {Z}^n\) is an integer vector, then \(H^*(g)\) is an integer matrix and \(u=H^*(g)^{-1}t(1)\) is a rational vector whose denominators divide \(\det H^*(g)\); hence \(T_g\in \mathbb {Q}^n\) and \(T_g(x)\in \mathbb {Q}[x]\), but in general \(T_g\) is not an integer vector (see Example 5.3 below). Our main result on the smoothing parameter is the following theorem.

Theorem 5.4.1

Let \(\phi (x)=x^n-1\), and let \(L\subset \mathbb {R}^n\) be a full-rank \(\phi \)-cyclic lattice. Then for any prime spot \(g\in L\), we have

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n} (\min \{|T_g(\theta _1)|,|T_g(\theta _2)|,\dots ,|T_g(\theta _n)|\})^{-1}, \end{aligned}$$
(5.4.4)

where \(\theta _i^n=1\), \(1\leqslant i\leqslant n\), and \(T_g(x)\) is given by (5.4.3).

Proof

Let \(g\in L\) be a prime spot. By lemma 5.3.3 and lemma 5.4.1, we have

$$\begin{aligned} L(H^*(g))\subset L\Rightarrow \eta _{\epsilon }(L)\leqslant \eta _{\epsilon }(L(H^*(g))),\ \forall \epsilon >0. \end{aligned}$$

To estimate the smoothing parameter of \(L(H^*(g))\), note that \(H^*(g)\) is invertible with \(H^*(g)^{-1}=H^*(u)\), so by lemma 5.4.2 the dual lattice of \(L(H^*(g))\) is

$$\begin{aligned} L(H^*(g))^*=L\big ((H^*(g))^{-T}\big )=L((H^*(u))^T)=L(H^*(H\overline{u}))=L(H^*(T_g)), \end{aligned}$$

where \(u(x)\in \overline{R}\) satisfies \(u(x)g(x)\equiv 1\) (mod \(x^n-1\)) and \(T_g\) is given by (5.4.3). Let \(A=(H^*(T_g))^T H^*(T_g)\). By lemma 5.4.3, all eigenvalues of A are

$$\begin{aligned} \{|T_g(\theta _1)|^2,|T_g(\theta _2)|^2,\dots ,|T_g(\theta _n)|^2\}. \end{aligned}$$

By lemma 5.1.2, the minimum distance \(\lambda _1 (L(H^*(g))^*)\) is bounded by

$$\begin{aligned} \lambda _1 (L(H^*(g))^*)\geqslant \min \{|T_g(\theta _1)|,|T_g(\theta _2)|,\dots ,|T_g(\theta _n)|\}. \end{aligned}$$
(5.4.5)

By the classical upper bound for the smoothing parameter of a full-rank lattice,

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n}/\lambda _1(L^*), \end{aligned}$$

applied to \(L(H^*(g))\) and combined with (5.4.5) and the inequality \(\eta _{\epsilon }(L)\leqslant \eta _{\epsilon }(L(H^*(g)))\) above, we obtain (5.4.4), and theorem 5.4.1 holds.    \(\square \)

Let \(L=L(B)\) be a full-rank lattice with \(B=[\beta _1,\beta _2,\dots ,\beta _n]\). We denote by \(B^*=[\beta _1^*,\beta _2^*,\dots ,\beta _n^*]\) the Gram-Schmidt orthogonalization \(\{\beta _i^*\}\) of the ordered basis \(B=\{\beta _i\}\). It is well known that

$$\begin{aligned} \lambda _1(L)\geqslant |B^*|=\min \limits _{1\leqslant i\leqslant n} |\beta _i^*|, \end{aligned}$$

and

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n}/\lambda _1(L^*), \end{aligned}$$

so we get the following upper bound

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n} |B_0^*|^{-1}, \end{aligned}$$
(5.4.6)

where \(B_0^*\) denotes the Gram-Schmidt orthogonalization of a basis of the dual lattice \(L^*\) of L; in the examples below we use the dual basis \(B^{-T}\) of \(L^*\).

For a \(\phi \)-cyclic lattice L the bound (5.4.4) can be compared numerically with (5.4.6); which of the two is sharper depends on the lattice, on the basis B used in (5.4.6) and on the prime spot g used in (5.4.4). We give two examples.

Example 5.2

Let \(n=3\) and \(\phi (x)=x^3-1\), the rotation matrix H is

$$\begin{aligned} H=\begin{pmatrix} 0 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 \end{pmatrix}. \end{aligned}$$

We select a \(\phi \)-cyclic lattice \(L=L(B)\), where

$$\begin{aligned} B=\begin{pmatrix} 1 &{} 1 &{} 1 \\ 0 &{} 1 &{} 1 \\ 0 &{} 0 &{} 1 \end{pmatrix}. \end{aligned}$$

Since B is unimodular, \(L=\mathbb {Z}^3\), which is a \(\phi \)-cyclic lattice. For the dual basis \(B^{-T}\) of \(L^*=\mathbb {Z}^3\) it is easy to check that

$$\begin{aligned} |B_0^*|=\min \limits _{1\leqslant i\leqslant 3}|\beta _i^*|=\frac{\sqrt{3}}{3}. \end{aligned}$$

On the other hand, we take the prime spot

$$\begin{aligned} g=\begin{pmatrix} 0\\ 0\\ 1 \end{pmatrix}\in L \end{aligned}$$

and \(g(x)=x^2\), since

$$\begin{aligned} xg(x)\equiv 1\ (\text {mod}\ x^3-1), \end{aligned}$$

we have

$$\begin{aligned} T_g(x)=x^2, \end{aligned}$$

it follows that

$$\begin{aligned} |T_g(\theta _1)|=|T_g(\theta _2)|=|T_g(\theta _3)|=1, \end{aligned}$$

and

$$\begin{aligned} \left( \min \limits _{1\leqslant i\leqslant 3}|T_g(\theta _i)|\right) ^{-1}=1<|B_0^*|^{-1}=\sqrt{3}, \end{aligned}$$

so (5.4.4) gives \(\eta _{2^{-3}}(L)\leqslant \sqrt{3}\), whereas (5.4.6) gives only \(\eta _{2^{-3}}(L)\leqslant 3\). Here (5.4.4) coincides with the classical bound \(\sqrt{n}/\lambda _1(L^*)\), since \(L^*=\mathbb {Z}^3\) and \(\lambda _1(L^*)=1\).

Example 5.3

Let \(n=4\) and \(\phi (x)=x^4-1\), the rotation matrix H is

$$\begin{aligned} H=\begin{pmatrix} 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 &{} 0 \\ 0 &{} 0 &{} 1 &{} 0 \end{pmatrix}. \end{aligned}$$

We select a \(\phi \)-cyclic lattice \(L=L(B)\), where

$$\begin{aligned} B=\begin{pmatrix} 1 &{} 1 &{} 1 &{} 1 \\ 0 &{} 1 &{} 1 &{} 1 \\ 0 &{} 0 &{} 1 &{} 1 \\ 0 &{} 0 &{} 0 &{} 1 \end{pmatrix}. \end{aligned}$$

Since B is unimodular, \(L=\mathbb {Z}^4\), which is a \(\phi \)-cyclic lattice. For the dual basis \(B^{-T}\) of \(L^*=\mathbb {Z}^4\) it is easy to check that

$$\begin{aligned} |B_0^*|=\min \limits _{1\leqslant i\leqslant 4}|\beta _i^*|=\frac{1}{2}. \end{aligned}$$

On the other hand, we take the prime spot

$$\begin{aligned} g=\begin{pmatrix} -2 \\ 1 \\ 0 \\ 0 \end{pmatrix}\in L \end{aligned}$$

and \(g(x)=x-2\). Writing \(u(x)=u_0+u_1x+u_2x^2+u_3x^3\) and comparing coefficients in \(u(x)g(x)\equiv 1\ (\text {mod}\ x^4-1)\) gives \(u_3-2u_0=1\), \(u_0=2u_1\), \(u_1=2u_2\), \(u_2=2u_3\), hence

$$\begin{aligned} u(x)=-\frac{1}{15}\left( x^3+2x^2+4x+8\right) ,\quad u(x)g(x)\equiv 1\ (\text {mod}\ x^4-1), \end{aligned}$$

and \(T_g=H\overline{u}\) gives

$$\begin{aligned} T_g(x)=-\frac{4}{15}x^3-\frac{2}{15}x^2-\frac{1}{15}x-\frac{8}{15}. \end{aligned}$$

Evaluating at the fourth roots of unity \(\theta =1,-1,i,-i\), we get

$$\begin{aligned} |T_g(1)|=1,\ |T_g(-1)|=\frac{1}{3},\ |T_g(i)|=|T_g(-i)|=\frac{\sqrt{5}}{5}, \end{aligned}$$

and therefore

$$\begin{aligned} \left( \min \limits _{1\leqslant i\leqslant 4}|T_g(\theta _i)|\right) ^{-1}=3>|B_0^*|^{-1}=2. \end{aligned}$$

Here (5.4.4) gives \(\eta _{2^{-4}}(L)\leqslant 6\), while (5.4.6) gives \(\eta _{2^{-4}}(L)\leqslant 4\), so in this example (5.4.6) is the sharper bound. The bound (5.4.4) depends on the chosen prime spot: for the prime spot \(g=(1,0,0,0)^T\in L\), \(g(x)=1\), we have \(u(x)=T_g(x)=1\), \(|T_g(\theta _i)|=1\) for all i, and (5.4.4) gives \(\eta _{2^{-4}}(L)\leqslant 2=\sqrt{4}/\lambda _1(L^*)\), which is exactly the classical bound for \(L=L^*=\mathbb {Z}^4\).
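The two examples can be reproduced mechanically. The following added Python code (not from the chapter) takes \(\phi (x)=x^n-1\), builds the circulant \(H^*(g)\), checks the transpose identity (5.4.2), computes \(u=H^*(g)^{-1}t(1)\) and \(T_g=H\overline{u}\) exactly over the rationals, evaluates \(|T_g(\theta _k)|\) at the n-th roots of unity, and compares the right-hand side of (5.4.4) with (5.4.6) computed from the Gram-Schmidt vectors of the dual basis \(B^{-T}\). It also evaluates the equivalent form \(\sqrt{n}\max _k|g(\theta _k)|\) of (5.4.4), which follows from \(T_g(\theta )=u(\overline{\theta })=1/g(\overline{\theta })\) for \(\theta ^n=1\) and needs no inversion. The only inputs are the lattices and prime spots of Examples 5.2 and 5.3.

```python
from fractions import Fraction
from cmath import exp, pi
from math import sqrt

# Added example, not from the chapter. phi(x) = x^n - 1 throughout, so H*(g) is the
# ordinary circulant matrix and H is the cyclic shift of Example 5.2. Vectors are
# coefficient lists [g0, ..., g_{n-1}] of g(x); exact Fractions are used everywhere
# except for evaluating polynomials at roots of unity.

def circulant(g):
    """H*(g) for phi = x^n - 1: column j is H^j g, i.e. entry (i, j) is g_{(i-j) mod n}."""
    n = len(g)
    return [[Fraction(g[(i - j) % n]) for j in range(n)] for i in range(n)]

def shift(v):
    """H v: multiply v(x) by x modulo x^n - 1 (cyclic shift down)."""
    return [v[-1]] + v[:-1]

def conjugate(v):
    """The conjugate g-bar of the chapter: coefficients in reverse order."""
    return v[::-1]

def transpose(M):
    return [list(col) for col in zip(*M)]

def inverse(M):
    """Exact inverse by Gauss-Jordan elimination (raises if M is singular)."""
    n = len(M)
    A = [list(map(Fraction, row)) + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            raise ValueError("singular matrix")
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def transpose_identity_holds(g):
    """Lemma 5.4.2: (H*(g))^T == H*(H g-bar)."""
    return transpose(circulant(g)) == circulant(shift(conjugate(g)))

def t_g(g):
    """T_g = H u-bar with u(x) g(x) = 1 mod x^n - 1, i.e. u = H*(g)^{-1} t(1)."""
    n = len(g)
    u = matvec(inverse(circulant(g)), [Fraction(1)] + [Fraction(0)] * (n - 1))
    return shift(conjugate(u))

def abs_at_roots_of_unity(p):
    """|p(theta_k)| for theta_k = exp(2 pi i k / n), k = 0, ..., n-1."""
    n = len(p)
    return [abs(sum(float(c) * exp(2j * pi * k / n) ** i for i, c in enumerate(p))) for k in range(n)]

def bound_5_4_4(g):
    """sqrt(n) / min_k |T_g(theta_k)|, the right-hand side of (5.4.4)."""
    return sqrt(len(g)) / min(abs_at_roots_of_unity(t_g(g)))

def bound_via_g(g):
    """Same quantity as bound_5_4_4, using |T_g(theta)| = 1/|g(theta)|: sqrt(n) * max_k |g(theta_k)|."""
    return sqrt(len(g)) * max(abs_at_roots_of_unity(g))

def gram_schmidt_min_norm(B):
    """min_i |b_i^*| over the Gram-Schmidt vectors of the columns of B."""
    stars = []
    for b in ([float(x) for x in col] for col in transpose(B)):
        v = b[:]
        for s in stars:
            mu = sum(x * y for x, y in zip(b, s)) / sum(y * y for y in s)
            v = [x - mu * y for x, y in zip(v, s)]
        stars.append(v)
    return min(sqrt(sum(x * x for x in s)) for s in stars)

def bound_5_4_6(B):
    """sqrt(n) / |B_0^*| with B_0^* the Gram-Schmidt vectors of the dual basis B^{-T}."""
    return sqrt(len(B)) / gram_schmidt_min_norm(transpose(inverse(B)))

# Constructed inputs: the bases and prime spots of Examples 5.2 and 5.3.
B3 = [[1, 1, 1], [0, 1, 1], [0, 0, 1]]
B4 = [[1, 1, 1, 1], [0, 1, 1, 1], [0, 0, 1, 1], [0, 0, 0, 1]]
G3 = [0, 0, 1]      # g(x) = x^2
G4 = [-2, 1, 0, 0]  # g(x) = x - 2

if __name__ == "__main__":
    for B, g in ((B3, G3), (B4, G4)):
        print(f"n={len(g)} g={g} T_g={[str(x) for x in t_g(g)]} "
              f"(5.4.4)={bound_5_4_4(g):.4f} via g={bound_via_g(g):.4f} (5.4.6)={bound_5_4_6(B):.4f}")
```

For Example 5.2 the code returns \(T_g=(0,0,1)^T\) and the bounds \(\sqrt{3}\) versus 3; for Example 5.3 it returns \(T_g=-(8,1,2,4)^T/15\) and the bounds 6 versus 4, in agreement with the computations above. Because `bound_via_g` needs only the values \(g(\theta _k)\), it is the cheaper way to evaluate (5.4.4) for a candidate prime spot, and it makes explicit that the bound is small exactly when g is "flat" on the unit circle.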