
1 Discrete Subgroup in \(\mathbb {R}^n\)

Let \(\mathbb {R}\) be the field of real numbers, \(\mathbb {Z}\) be the ring of integers, and \(\mathbb {R}^n\) be Euclidean space, which is an n-dimensional linear space over \(\mathbb {R}\) with the Euclidean norm |x| given by

$$\begin{aligned} |x|= \left( \sum _{i=1}^{n} x_i^2 \right) ^{\frac{1}{2}},\quad \text {where}\ x'=( x_1,x_2, \cdots , x_{n}) \in \mathbb {R}^n. \end{aligned}$$

We use column vector notation for \(\mathbb {R}^n\) throughout this chapter, and \(x'=(x_1,x_2, \dots ,x_n)\) is the transpose of x, which is called a row vector of \(\mathbb {R}^n\).

Definition 1

Let \(L\subset \mathbb {R}^n\) be a non-trivial additive subgroup. It is called a discrete subgroup if there is a positive real number \(\lambda >0\) such that

$$\begin{aligned} \min \limits _{x\in L,x\ne 0} |x|\geqslant \lambda >0. \end{aligned}$$
(1)

As usual, a ball of center \(x_0\) with radius \(\delta \) is defined by

$$\begin{aligned} b(x_0,\delta )=\{x\in \mathbb {R}^n\ \Big |\ |x-x_0|\leqslant \delta \}. \end{aligned}$$

If L is a discrete subgroup of \(\mathbb {R}^n\), then only finitely many vectors of L lie in any ball \(b(0,\delta )\); thus we can always find a vector \(\alpha \in L\) such that

$$\begin{aligned} |\alpha |=\min \limits _{x\in L,x\ne 0} |x|=\lambda >0,\quad \alpha \in L. \end{aligned}$$
(2)

\(\alpha \) is called a shortest vector of L and \(\lambda \) is called the minimum distance of L.

Let \(B=[\beta _1,\beta _2,\dots ,\beta _m]\in \mathbb {R}^{n\times m}\) be an \(n\times m\) matrix with rank\((B) = m\leqslant n\), which means that \(\beta _1,\beta _2,\dots ,\beta _m\) are m linearly independent vectors in \(\mathbb {R}^n\). The lattice L(B) generated by B is defined by

$$\begin{aligned} L(B)=\left\{ \sum _{i=1}^{m} x_i \beta _i\ \Big |\ x_i\in \mathbb {Z} \right\} =\{Bx\ |\ x\in \mathbb {Z}^m\}, \end{aligned}$$
(3)

which consists of all linear combinations of \(\beta _1,\beta _2,\dots ,\beta _m\) over \(\mathbb {Z}\). If \(m=n\), L(B) is called a full-rank lattice.

It is well known that a discrete subgroup L in \(\mathbb {R}^n\) is just a lattice L(B). We first give a detailed proof here by making use of simultaneous Diophantine approximation theory in the real number field \(\mathbb {R}\) (see Cassels (1971) and Cassels (1963)).

Lemma 1

Let \(L\subset \mathbb {R}^n\) be a discrete subgroup and \(\alpha _1,\alpha _2,\dots ,\alpha _m \in L\) be m vectors of L. Then \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\) if and only if they are linearly independent over \(\mathbb {Z}\).

Proof

If \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\), they are trivially linearly independent over \(\mathbb {Z}\). Suppose that \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {Z}\), and consider an arbitrary linear combination over \(\mathbb {R}\). Let

$$\begin{aligned} a_1 \alpha _1+a_2 \alpha _2+\cdots +a_m \alpha _m=0,\quad \forall a_i\in \mathbb {R}. \end{aligned}$$
(4)

We must prove that (1.4) is equivalent to \(a_1=a_2=\cdots =a_m=0\), which implies that \(\alpha _1,\alpha _2,\dots ,\alpha _m\) are linearly independent over \(\mathbb {R}\).

By Minkowski’s Third Theorem (see Theorem VII of Cassels (1963)), for any sufficiently large \(N>1\), there are a positive integer \(q\geqslant 1\) and integers \(p_1,p_2,\dots ,p_m \in \mathbb {Z}\) such that

$$\begin{aligned} \max \limits _{1\leqslant i\leqslant m} |qa_i-p_i|<N^{-\frac{1}{m}},\ \text {and}\ 1\leqslant q\leqslant N. \end{aligned}$$
(5)

By (1.4), we have

$$\begin{aligned} |p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m|&=|(qa_1-p_1)\alpha _1+(qa_2-p_2)\alpha _2+\cdots +(qa_m-p_m)\alpha _m| \\ &\leqslant mN^{-\frac{1}{m}} \max \limits _{1\leqslant i\leqslant m}|\alpha _i|. \end{aligned}$$
(6)

Let \(\lambda \) be the minimum distance of L, \(\varepsilon >0\) be any positive real number. We select N such that

$$\begin{aligned} N>\max \{(\frac{m}{\varepsilon })^m,\ (\frac{m}{\lambda })^m \max \limits _{1\leqslant i\leqslant m} |\alpha _i|^m\}. \end{aligned}$$

It follows that \(mN^{-\frac{1}{m}}<\varepsilon \) and

$$\begin{aligned} mN^{-\frac{1}{m}} \max \limits _{1\leqslant i\leqslant m} |\alpha _i|<\lambda . \end{aligned}$$

By (1.6) we have

$$\begin{aligned} |p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m|<\lambda . \end{aligned}$$

Since \(p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m \in L\), we have \(p_1 \alpha _1+p_2 \alpha _2+\cdots +p_m \alpha _m=0\), and hence \(p_1=p_2=\cdots =p_m=0\). By (1.5) we have \(q|a_i|<\frac{1}{m} \varepsilon \) for all i, \(1\leqslant i\leqslant m\). Since \(\varepsilon \) is a sufficiently small positive number, we must have \(a_1=a_2=\cdots =a_m=0\). This completes the proof of the lemma.

Suppose that \(B\in \mathbb {R}^{n\times m}\) is an \(n\times m\) matrix with rank\((B) = m\), and let \(B'\) be the transpose of B. It is easy to verify that

$$\begin{aligned} \text {rank}(B'B) = \text {rank}(B) = m\Rightarrow \ \text {det}(B'B)\ne 0, \end{aligned}$$

which implies that \(B'B\) is an invertible square matrix of \(m\times m\) dimension. Since \(B'B\) is a positive definite symmetric matrix, there is an orthogonal matrix \(P\in \mathbb {R}^{m\times m}\) such that

$$\begin{aligned} P'B'BP=\text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}, \end{aligned}$$
(7)

where \(\delta _i>0\) are the characteristic values of \(B'B\), and diag\(\{\delta _1,\delta _2,\dots ,\delta _m\}\) is the diagonal matrix of \(m\times m\) dimension.

Lemma 2

Suppose that \(B\in \mathbb {R}^{n\times m}\) with rank\((B) = m\), \(\delta _1,\delta _2,\dots ,\delta _m\) are m characteristic values of \(B'B\), and \(\lambda (L(B))\) is the minimum distance of lattice L(B), then we have

$$\begin{aligned} \lambda (L(B))=\min \limits _{x\in \mathbb {Z}^m,\ x\ne 0} |Bx|\geqslant \sqrt{\delta }, \end{aligned}$$
(8)

where \(\delta =\min \{\delta _1,\delta _2,\dots ,\delta _m\}\).

Proof

Let \(A=B'B\). By (1.7), there exists an orthogonal matrix \(P\in \mathbb {R}^{m\times m}\) such that

$$\begin{aligned} P'AP=\text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}. \end{aligned}$$

If \(x\in \mathbb {Z}^m\), \(x\ne 0\), we have

$$\begin{aligned} |Bx|^2&=x'Ax=x'P(P'AP)P'x \\ &=(P'x)'\ \text {diag}\{\delta _1,\delta _2,\dots ,\delta _m\}P'x \\ &\geqslant \delta |P'x|^2=\delta |x|^2. \end{aligned}$$

Since \(x\in \mathbb {Z}^m\) and \(x\ne 0\), we have \(|x|^2\geqslant 1\); it follows that

$$\begin{aligned} \min \limits _{x\in \mathbb {Z}^m,\ x\ne 0} |Bx|\geqslant \sqrt{\delta } |x| \geqslant \sqrt{\delta }. \end{aligned}$$

We have Lemma 2 immediately.
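The inequality \(|Bx|^2\geqslant \delta |x|^2\) from this proof also bounds how far one has to search for a shortest vector. The following Python sketch is an added example, not part of the original text: it assumes \(m=2\) and an integer basis (so the characteristic values have a closed form and norms are exact), represents B as a list of its column vectors, and uses constructed sample bases.

```python
import math
from itertools import product

def gram(B):
    """B'B, where B is given as a list of m column vectors of R^n."""
    return [[sum(a * b for a, b in zip(u, v)) for v in B] for u in B]

def min_eigenvalue_2x2(G):
    """Smallest characteristic value of a symmetric 2x2 matrix (closed form)."""
    a, b, c = G[0][0], G[0][1], G[1][1]
    return ((a + c) - math.sqrt((a - c) ** 2 + 4 * b * b)) / 2

def lemma2_lower_bound(B):
    """sqrt(delta): the lower bound of Lemma 2 for the minimum distance of L(B)."""
    return math.sqrt(min_eigenvalue_2x2(gram(B)))

def shortest_vector(B):
    """Exact shortest nonzero vector of L(B) for m = 2 and integer columns.

    Since |Bx|^2 >= delta*|x|^2, every x with |x|^2 > |beta|^2/delta gives a
    vector longer than the basis vector beta, so a finite box is enough.
    Returns (squared length, coefficient vector x, lattice vector Bx).
    """
    G = gram(B)
    delta = min_eigenvalue_2x2(G)
    shortest_basis_sq = min(G[0][0], G[1][1])
    radius = math.isqrt(int(shortest_basis_sq / delta)) + 1  # +1: float slack
    best = None
    for x in product(range(-radius, radius + 1), repeat=2):
        if x == (0, 0):
            continue
        v = [x[0] * p + x[1] * q for p, q in zip(B[0], B[1])]
        sq = sum(c * c for c in v)
        if best is None or sq < best[0]:
            best = (sq, x, v)
    return best

if __name__ == "__main__":
    # Constructed sample: a skewed basis of Z^2 (determinant 1).
    B = [(5, 3), (3, 2)]
    sq, x, v = shortest_vector(B)
    print("Lemma 2 bound:", lemma2_lower_bound(B))
    print("minimum distance:", math.sqrt(sq), "attained at x =", x, "Bx =", v)
```

For the skewed basis the bound is far below the true minimum distance, which shows that Lemma 2 is a guarantee of discreteness rather than a tight estimate.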

Another application of Lemma 2 is to give a countable upper bound for smoothing parameter (see Theorem 5). Combining Lemmas 1 and 2, we show the following assertion.

Theorem 1

Let \(L\subset \mathbb {R}^n\) be a subset, then L is a discrete subgroup if and only if there is an \(n\times m\) dimensional matrix \(B\in \mathbb {R}^{n\times m}\) with rank\((B) = m\) such that

$$\begin{aligned} L=L(B)=\{Bx\ |\ x\in \mathbb {Z}^m\}. \end{aligned}$$
(9)

Proof

If \(L \subset \mathbb {R}^n\) is a discrete subgroup, then L is a free \(\mathbb {Z}\)-module. By Lemma 1, we have \(\text {rank}_{\mathbb {Z}}(L) = m\leqslant n\). Let \(\beta _1,\beta _2,\dots ,\beta _m\) be a \(\mathbb {Z}\)-basis of L, then

$$\begin{aligned} L= \left\{ \sum _{i=1}^{m} a_i \beta _i\ |\ a_i\in \mathbb {Z} \right\} . \end{aligned}$$

Writing \(B=[\beta _1,\beta _2,\dots ,\beta _m]_{n\times m}\), the rank of the matrix B is m, and

$$\begin{aligned} L=\{Bx\ |\ x\in \mathbb {Z}^m\}=L(B). \end{aligned}$$

Conversely, let L(B) be an arbitrary lattice generated by B. Obviously, L(B) is an additive subgroup of \(\mathbb {R}^n\), and by Lemma 2, L(B) is also a discrete subgroup. Theorem 1 follows at once.

Corollary 1

Let \(L\subset \mathbb {R}^n\) be a lattice and \(G\subset L\) be an additive subgroup of L, then G is a lattice of \(\mathbb {R}^n\).

Corollary 2

Let \(L\subset \mathbb {Z}^n\) be an additive subgroup, then L is a lattice of \(\mathbb {R}^n\). These lattices are called integer lattices.

According to Theorem 1 above, a lattice L(B) is equivalent to a discrete subgroup of \(\mathbb {R}^n\). Suppose \(L=L(B)\) is a lattice with generator matrix \(B\in \mathbb {R}^{n\times m}\) and rank\((B) = m\); we write rank\((L) = \)rank(B), and

$$\begin{aligned} d(L)=\sqrt{\text {det}(B'B)}. \end{aligned}$$
(10)

In particular, if L is a full-rank lattice, i.e. rank\((L) = n\), then \(d(L)=|\text {det}(B)|\) as usual. A sublattice N of L means a discrete additive subgroup of L; the quotient group is written L/N, and the cardinality of L/N is denoted by |L/N|.

Lemma 3

Let \(L\subset \mathbb {R}^n\) be a lattice and \(N\subset L\) be a sublattice. If rank\((N) = \)rank(L), then the quotient group L/N is a finite group.

Proof

Let rank\((L) = m\), and \(L=L(B)\), where \(B\in \mathbb {R}^{n\times m}\) with rank\((B) = m\). We define a mapping \(\sigma \) from L to \(\mathbb {Z}^m\) by \(\sigma (Bx)=x\). Clearly, \(\sigma \) is an additive group isomorphism, \(\sigma (N)\subset \mathbb {Z}^m\) is a full-rank lattice of \(\mathbb {Z}^m\), and \(L/N \cong \mathbb {Z}^m/\sigma (N)\). It is a well-known result that

$$\begin{aligned} |\mathbb {Z}^m/\sigma (N)|=d(\sigma (N)). \end{aligned}$$

It follows that

$$\begin{aligned} |L/N|=|\mathbb {Z}^m/\sigma (N)|=d(\sigma (N)). \end{aligned}$$

Lemma 3 follows.

Suppose that \(L_1\subset \mathbb {R}^n\), \(L_2\subset \mathbb {R}^n\) are two lattices of \(\mathbb {R}^n\). We define \(L_1+L_2=\{a+b|a\in L_1,b\in L_2\}\). Obviously, \(L_1+L_2\) is an additive subgroup of \(\mathbb {R}^n\), but generally speaking, \(L_1+L_2\) is not a lattice of \(\mathbb {R}^n\).

Lemma 4

Let \(L_1\subset \mathbb {R}^n\), \(L_2\subset \mathbb {R}^n\) be two lattices of \(\mathbb {R}^n\). If rank\((L_1 \cap L_2) = \)rank\((L_1)\) or rank\((L_1 \cap L_2) = \)rank\((L_2)\), then \(L_1+L_2\) is again a lattice of \(\mathbb {R}^n\).

Proof

To prove that \(L_1+L_2\) is a lattice of \(\mathbb {R}^n\), by Theorem 1, it is sufficient to prove that \(L_1+L_2\) is a discrete subgroup of \(\mathbb {R}^n\). Suppose that rank\((L_1 \cap L_2) = \)rank\((L_1)\). For any \(x\in L_1\), we define a distance function \(\rho (x)\) by

$$\begin{aligned} \rho (x)=\inf \{|x-y|\ \Big |\ y\ne x,\ y\in L_2\}. \end{aligned}$$

Since there are only finitely many vectors in \(L_2\cap b(x,\delta )\), where \(b(x,\delta )\) is any ball of center x with radius \(\delta \), we have

$$\begin{aligned} \rho (x)=\min \{|x-y|\ \Big |\ y\ne x,\ y\in L_2\}=\lambda _x>0. \end{aligned}$$
(11)

On the other hand, if \(x_1\in L_1\), \(x_2\in L_1\), and \(x_1-x_2\in L_2\), then there is \(y_0\in L_2\) such that \(x_1=x_2+y_0\), and we have \(\rho (x_1)=\rho (x_2)\). This means that \(\rho (x)\) is defined over the quotient group \(L_1+L_2/L_2\). By the group isomorphism theorem, we have

$$\begin{aligned} L_1+L_2/L_2\cong L_1/L_1\cap L_2. \end{aligned}$$

By Lemma 3, it follows that

$$\begin{aligned} |L_1+L_2/L_2|=|L_1/L_1\cap L_2|<\infty . \end{aligned}$$

In other words, \(L_1+L_2/L_2\) is also a finite group. Let \(x_1,x_2,\dots ,x_k\) be the representative elements of \(L_1+L_2/L_2\); then we have

$$\begin{aligned} \min \limits _{x\in L_1,y\in L_2,x\ne y} |x-y|=\min \limits _{1\leqslant i\leqslant k} \rho (x_i)\geqslant \min \{\lambda _{x_1},\lambda _{x_2},\dots ,\lambda _{x_k}\}>0. \end{aligned}$$

Therefore, \(L_1+L_2\) is a discrete subgroup of \(\mathbb {R}^n\), thus it is a lattice of \(\mathbb {R}^n\) by Theorem 1.

Remark 1

The condition rank\((L_1 \cap L_2) = \)rank\((L_1)\) or rank\((L_1 \cap L_2) = \)rank\((L_2)\) in Lemma 4 seems to be necessary. As a counterexample, consider the real line \(\mathbb {R}\): let \(L_1=\mathbb {Z}\) and \(L_2=\sqrt{2}\mathbb {Z}\). Then \(L_1+L_2\) is not a discrete subgroup of \(\mathbb {R}\), thus \(L_1+L_2\) is not a lattice in \(\mathbb {R}\), because \(L_1+L_2=\{n+\sqrt{2}m\big | n\in \mathbb {Z},m\in \mathbb {Z}\}\) is dense in \(\mathbb {R}\) by Dirichlet’s Theorem (see Theorem I of Cassels (1963)).

As a direct consequence, we have the following generalized form of Lemma 4.

Corollary 3

Let \(L_1,L_2,\dots ,L_m\) be m lattices of \(\mathbb {R}^n\) and

$$\begin{aligned} \text {rank}(L_{1}\cap L_{2}\cap \cdots \cap L_{m})=\text {rank}(L_{j})\ \text {for some}\ 1\leqslant j\leqslant m. \end{aligned}$$

Then \(L_1+L_2+\cdots +L_m\) is a lattice of \(\mathbb {R}^n\).

Proof

Without loss of generality, we assume that

$$\begin{aligned} \text {rank}(L_{1}\cap L_{2}\cap \cdots \cap L_{m})=\text {rank}(L_m). \end{aligned}$$

Let \(L_1+L_2+\cdots +L_{m-1}=L'\), then

$$\begin{aligned} L'+L_m/L'\cong L_m/L'\cap L_m. \end{aligned}$$

Since rank\((L'\cap L_m) = \)rank\((L_m)\), by Lemma 4, \(L'+L_m=L_1+L_2+\cdots +L_m\) is a lattice of \(\mathbb {R}^n\), and the corollary follows.

2 Ideal Matrices

Let \(\mathbb {R}[x]\) and \(\mathbb {Z}[x]\) be the polynomial rings over \(\mathbb {R}\) and \(\mathbb {Z}\) with variable x, respectively. Suppose that

$$\begin{aligned} \phi (x)=x^n-\phi _{n-1}x^{n-1}-\cdots -\phi _1x-\phi _0\in \mathbb {Z}[x],\ \phi _0\ne 0, \end{aligned}$$
(12)

is a polynomial with integer coefficients which has no multiple roots in the field of complex numbers \(\mathbb {C}\). Let \(w_1,w_2,\dots ,w_n\) be the n different roots of \(\phi (x)\) in \(\mathbb {C}\). The Vandermonde matrix \(V_{\phi }\) is defined by

$$\begin{aligned} V_{\phi }= \begin{pmatrix} 1 &{} 1 &{} \cdots &{} 1 \\ w_1 &{} w_2 &{} \cdots &{} w_n \\ \vdots &{} \vdots &{} &{} \vdots \\ w_1^{n-1} &{} w_2^{n-1} &{} \cdots &{} w_n^{n-1} \end{pmatrix},\quad \text {\ and\ \ \ det}(V_{\phi })\ne 0. \end{aligned}$$
(13)

According to the given polynomial \(\phi (x)\), we define a rotation matrix \(H=H_{\phi }\) by

$$\begin{aligned} H=H_{\phi }= \left( \begin{array}{ccc|c} 0 &{} \cdots &{} 0 &{} \phi _0\\ \hline &{} &{} &{} \phi _1\\ &{} I_{n-1} &{} &{} \vdots \\ &{} &{} &{} \phi _{n-1} \\ \end{array} \right) _{n\times n}\in \mathbb {Z}^{n\times n}, \end{aligned}$$
(14)

where \(I_{n-1}\) is the \((n-1)\times (n-1)\) unit matrix. Obviously, the characteristic polynomial of H is just \(\phi (x)\).

We use column notation for vectors in \(\mathbb {R}^n\). For any \(f=\begin{pmatrix} f_0 \\ f_1 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n\), the ideal matrix generated by the vector f is defined by

$$\begin{aligned} H^*(f)=[f,Hf,H^2 f,\dots ,H^{n-1}f]_{n\times n}\in \mathbb {R}^{n\times n}, \end{aligned}$$
(15)

which is a block matrix in terms of each column \(H^k f\ (0\leqslant k\leqslant n-1)\). Sometimes, f is called an input vector. It is easily seen that \(H^*(f)\) is a more general form of the classical circulant matrix (see Davis (1994)) and r-circulant matrix (see Shi (2018), Yasin and Taskara (2013)). In fact, if \(\phi (x)=x^n-1\), then \(H^*(f)\) is the ordinary circulant matrix generated by f. If \(\phi (x)=x^n-r\), then \(H^*(f)\) is the r-circulant matrix.

By (2.4), it follows immediately that

$$\begin{aligned} H^*(f+g)=H^*(f)+H^*(g),\ \text {and}\ H^*(\lambda f)=\lambda H^*(f),\ \forall \lambda \in \mathbb {R}. \end{aligned}$$
(16)

Moreover, \(H^*(f)=0\) is a zero matrix if and only if \(f=0\) is a zero vector, thus one has \(H^*(f)=H^*(g)\) if and only if \(f=g\). Let \(M^*\) be the set of all ideal matrices, namely

$$\begin{aligned} M^*=\{H^*(f)\ |\ f\in \mathbb {R}^n\}. \end{aligned}$$
(17)

We may regard \(H^*\) as a mapping from \(\mathbb {R}^n\) to \(M^*\) which is a one to one correspondence.

In Zheng et al. (2023), we have shown some basic properties of ideal matrices; most of them may be summarized as the following theorem.

Theorem 2

Suppose that \(\phi (x)\in \mathbb {Z}[x]\) is a fixed polynomial with no multiple roots in \(\mathbb {C}\), then for any two column vectors f and g in \(\mathbb {R}^n\), we have

  (i) \(H^*(f)=f_0 I_n+f_1 H+\cdots +f_{n-1}H^{n-1}\);

  (ii) \(H^*(f)H^*(g)=H^*(H^*(f)g)\) and \(H^*(f)H^*(g)=H^*(g)H^*(f)\);

  (iii) \(H^*(f)=V_{\phi }^{-1}\ \text {diag}\{f(w_1),f(w_2),\dots ,f(w_n)\}V_{\phi }\);

  (iv) \(\det (H^*(f))=\prod _{i=1}^n f(w_i)\);

  (v) \(H^*(f)\) is an invertible matrix if and only if \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\),

where \(V_{\phi }\) is the Vandermonde matrix given by (2.2), \(w_i\ (1\leqslant i\leqslant n)\) are all roots of \(\phi (x)\) in \(\mathbb {C}\), and diag\(\{f(w_1),f(w_2),\dots ,f(w_n)\}\) is the diagonal matrix.

Proof

See Theorem 2 of Zheng et al. (2023).

Let \(e_1,e_2,\dots ,e_n\) be unit vectors of \(\mathbb {R}^n\), that is

$$\begin{aligned} e_1= \begin{pmatrix} 1 \\ 0 \\ \vdots \\ 0 \end{pmatrix}, e_2= \begin{pmatrix} 0 \\ 1 \\ \vdots \\ 0 \end{pmatrix},\cdots , e_n= \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 1 \end{pmatrix}. \end{aligned}$$

It is easy to verify that

$$\begin{aligned} H^*(e_1)=I_n,\ \text {and}\ H^*(e_k)=H^{k-1},\ 1\leqslant k\leqslant n. \end{aligned}$$
(18)

This means that the unit matrix \(I_n\) and the rotation matrices \(H^k\ (1\leqslant k\leqslant n-1)\) are all ideal matrices.

Let \(\phi (x)\mathbb {R}[x]\) and \(\phi (x)\mathbb {Z}[x]\) be the principal ideals generated by \(\phi (x)\) in \(\mathbb {R}[x]\) and \(\mathbb {Z}[x]\), respectively. We denote the quotient rings R and \(\overline{R}\) by

$$\begin{aligned} R=\mathbb {Z}[x]/\phi (x)\mathbb {Z}[x],\ \text {and}\ \overline{R}=\mathbb {R}[x]/\phi (x)\mathbb {R}[x]. \end{aligned}$$
(19)

There is a one to one correspondence between \(\overline{R}\) and \(\mathbb {R}^n\) given by

$$\begin{aligned} f(x)=f_0+f_1 x+\cdots +f_{n-1}x^{n-1}\in \overline{R} \xrightarrow {\quad t\quad } f=\begin{pmatrix} f_0 \\ f_1 \\ \vdots \\ f_{n-1} \end{pmatrix}\in \mathbb {R}^n. \end{aligned}$$

We denote this correspondence by t, that is

$$\begin{aligned} t(f(x))=f\ \text {and}\ t^{-1}(f)=f(x),\ \forall f(x)\in \overline{R},\ \text {and}\ f\in \mathbb {R}^n. \end{aligned}$$
(20)

If we restrict t to the quotient ring R, then it gives a one to one correspondence between R and \(\mathbb {Z}^n\). First, we show that t is also a ring isomorphism.

Definition 2

For any two column vectors f and g in \(\mathbb {R}^n\), we define the \(\phi \)-convolutional product \(f*g\) by \(f*g=H^*(f)g\).

By Theorem 2, it is easy to see that

$$\begin{aligned} f*g=g*f,\ \text {and}\ H^*(f*g)=H^*(f)H^*(g). \end{aligned}$$
(21)

Lemma 5

For any two polynomials f(x) and g(x) in \(\overline{R}\), we have

$$\begin{aligned} t(f(x)g(x))=H^*(f)g=f*g. \end{aligned}$$

Proof

Let \(g(x)=g_0+g_1 x+\cdots +g_{n-1}x^{n-1}\in \overline{R}\), then

$$\begin{aligned} xg(x)=\phi _0 g_{n-1}+(g_0+\phi _1 g_{n-1})x+\cdots +(g_{n-2}+\phi _{n-1}g_{n-1})x^{n-1}. \end{aligned}$$

It follows that

$$\begin{aligned} t(xg(x))=Ht(g(x))=Hg. \end{aligned}$$
(22)

Hence, for any \(0\leqslant k\leqslant n-1\), we have

$$\begin{aligned} t(x^k g(x))=H^k t(g(x))=H^k g,\ 0\leqslant k\leqslant n-1. \end{aligned}$$
(23)

Let \(f(x)=f_0+f_1 x+\cdots +f_{n-1}x^{n-1}\in \overline{R}\), by (i) of Theorem 2, we have

$$\begin{aligned} t(f(x)g(x))=\sum _{i=0}^{n-1} f_i t(x^i g(x))=\sum _{i=0}^{n-1} f_i H^i g=H^*(f)g. \end{aligned}$$

The lemma follows.

Theorem 3

Under \(\phi \)-convolutional product, \(\mathbb {R}^n\) is a commutative ring with identity element \(e_1\) and \(\mathbb {Z}^n\subset \mathbb {R}^n\) is its subring. Moreover, we have the following ring isomorphisms:

$$\begin{aligned} \overline{R}\cong \mathbb {R}^n \cong M^*,\ \text {and}\ R\cong \mathbb {Z}^n\cong M_{\mathbb {Z}}^{*}, \end{aligned}$$

where \(M^*\) is the set of all ideal matrices given by (2.6), and \(M_{\mathbb {Z}}^{*}\) is the set of all integer ideal matrices.

Proof

Let \(f(x)\in \overline{R}\) and \(g(x)\in \overline{R}\), then

$$\begin{aligned} t(f(x)+g(x))=f+g=t(f(x))+t(g(x)), \end{aligned}$$

and

$$\begin{aligned} t(f(x)g(x))=H^*(f)g=f*g=t(f(x))*t(g(x)). \end{aligned}$$

This means that t is a ring isomorphism. Since \(f*g=g*f\) and \(e_1*g=H^*(e_1)g=I_n g=g\), \(\mathbb {R}^n\) is a commutative ring with \(e_1\) as the identity element. Noting that \(H^*(f)\) is an integer matrix if and only if \(f\in \mathbb {Z}^n\) is an integer vector, the isomorphism of subrings follows immediately.

According to property (v) of Theorem 2, \(H^*(f)\) is an invertible matrix whenever \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\). We now show that the inverse of an ideal matrix is again an ideal matrix.

Lemma 6

Let \(f(x)\in \overline{R}\) and \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\), then

$$\begin{aligned} (H^*(f))^{-1}=H^*(u), \end{aligned}$$

where \(u(x)\in \overline{R}\) is the unique polynomial such that \(u(x)f(x)\equiv 1\) (mod \(\phi (x)\)).

Proof

By Lemma 5, we have \(u*f=e_1\), it follows that

$$\begin{aligned} H^*(u)H^*(f)=H^*(e_1)=I_n. \end{aligned}$$

Thus we have \((H^*(f))^{-1}=H^*(u)\). It is worth noting that if \(H^*(f)\) is an invertible integer matrix, then \((H^*(f))^{-1}\) is not an integer matrix in general.

Sometimes the following lemma may be useful, especially when we consider an integer matrix.

Lemma 7

Let \(f(x)\in \mathbb {Z}[x]\) and \((f(x),\phi (x))=1\) in \(\mathbb {Z}[x]\), then we have \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\).

Proof

Let \(\mathbb {Q}\) be the rational number field. Since \((f(x),\phi (x))=1\) in \(\mathbb {Z}[x]\), we have \((f(x),\phi (x))=1\) in \(\mathbb {Q}[x]\). We know that \(\mathbb {Q}[x]\) is a principal ideal domain, thus there are two polynomials a(x) and b(x) in \(\mathbb {Q}[x]\) such that

$$\begin{aligned} a(x)f(x)+b(x)\phi (x)=1. \end{aligned}$$

This means that \((f(x),\phi (x))=1\) in \(\mathbb {R}[x]\).
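The constructions of this section can be checked by exact computation. The following Python code is an added example, not taken from the chapter or from Zheng et al. (2023): it builds \(H_{\phi }\) and \(H^*(f)\), compares the \(\phi \)-convolutional product with polynomial multiplication mod \(\phi (x)\) (Lemma 5), and obtains the vector u of Lemma 6 by solving \(H^*(f)u=e_1\). The function names, the coefficient-list convention phi = [phi_0, ..., phi_{n-1}] and the sample polynomials are assumptions of this sketch.

```python
from fractions import Fraction

def rotation_matrix(phi):
    """H_phi of (14) for phi(x) = x^n - phi[n-1]x^(n-1) - ... - phi[0]."""
    n = len(phi)
    H = [[0] * n for _ in range(n)]
    for i in range(1, n):
        H[i][i - 1] = 1            # I_{n-1} block under the first row
    for i in range(n):
        H[i][n - 1] = phi[i]       # last column is (phi_0, ..., phi_{n-1})'
    return H

def mat_vec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]

def mat_mul(A, B):
    cols = list(zip(*B))
    return [[sum(a * b for a, b in zip(row, col)) for col in cols] for row in A]

def ideal_matrix(f, phi):
    """H*(f) = [f, Hf, ..., H^(n-1) f], returned as a list of rows."""
    H, cols, col = rotation_matrix(phi), [], list(f)
    for _ in range(len(phi)):
        cols.append(col)
        col = mat_vec(H, col)
    return [list(row) for row in zip(*cols)]

def convolve(f, g, phi):
    """phi-convolutional product f*g = H*(f) g (Definition 2)."""
    return mat_vec(ideal_matrix(f, phi), g)

def poly_mul_mod(f, g, phi):
    """Coefficients of f(x)g(x) mod phi(x), via x^n = phi_0 + ... + phi_{n-1}x^(n-1)."""
    n = len(phi)
    prod = [0] * (2 * n - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            prod[i + j] += a * b
    for k in range(2 * n - 2, n - 1, -1):    # fold x^k down for every k >= n
        c, prod[k] = prod[k], 0
        for i in range(n):
            prod[k - n + i] += c * phi[i]
    return prod[:n]

def inverse_generator(f, phi):
    """u with f*u = e_1, i.e. u(x)f(x) = 1 mod phi(x); exact Gauss-Jordan solve."""
    n = len(phi)
    M = [[Fraction(x) for x in row] + [Fraction(int(i == 0))]
         for i, row in enumerate(ideal_matrix(f, phi))]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            raise ValueError("H*(f) is singular: f(x) and phi(x) share a root")
        M[c], M[p] = M[p], M[c]
        pivot = M[c][c]
        M[c] = [x / pivot for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                factor = M[r][c]
                M[r] = [a - factor * b for a, b in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

if __name__ == "__main__":
    phi = [1, 1, 0]                  # constructed sample: phi(x) = x^3 - x - 1
    f, g = [1, 2, 0], [0, 1, 1]      # f(x) = 1 + 2x, g(x) = x + x^2
    print("f*g        :", convolve(f, g, phi))
    print("fg mod phi :", poly_mul_mod(f, g, phi))
    u = inverse_generator(f, phi)
    print("u          :", u)
    print("H*(u)H*(f) :", mat_mul(ideal_matrix(u, phi), ideal_matrix(f, phi)))
```

For this sample det\((H^*(f))=5\), so u has denominators 5 and \(H^*(u)\) is not an integer matrix, in line with the remark after Lemma 6.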

3 Cyclic Lattices and Ideal Lattices

As we know, cyclic codes play a central role in algebraic coding theory (see Chap. 6 of Lint (1999)). In Zheng et al. (2023), we extended the ordinary cyclic code to more general forms, namely \(\phi \)-cyclic codes. To obtain an analogous concept of \(\phi \)-cyclic code in \(\mathbb {R}^n\), we note that every rotation matrix H defines a linear transformation of \(\mathbb {R}^n\) by \(x\rightarrow Hx\).

Definition 3

A linear subspace \(C\subset \mathbb {R}^n\) is called a \(\phi \)-cyclic subspace if \(\forall \alpha \in C\Rightarrow H\alpha \in C\). A lattice \(L\subset \mathbb {R}^n\) is called a \(\phi \)-cyclic lattice if \(\forall \alpha \in L\Rightarrow H\alpha \in L\).

In other words, a \(\phi \)-cyclic subspace C is a linear subspace of \(\mathbb {R}^n\) which is closed under the linear transformation H. A \(\phi \)-cyclic lattice L is a lattice of \(\mathbb {R}^n\) which is closed under H. If \(\phi (x)=x^n-1\), then H is the classical circulant matrix and the corresponding cyclic lattice first appeared in Micciancio (2002), but he does not discuss further properties of these lattices. To obtain an explicit algebraic construction of \(\phi \)-cyclic lattices, we first show that there is a one to one correspondence between \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) and the ideals of \(\overline{R}\).

Lemma 8

Let t be the correspondence between \(\overline{R}\) and \(\mathbb {R}^n\) given by (2.9), then a subset \(C\subset \mathbb {R}^n\) is a \(\phi \)-cyclic subspace of \(\mathbb {R}^n\), if and only if \(t^{-1}(C)\subset \overline{R}\) is an ideal.

Proof

We extend the correspondence t to subsets of \(\overline{R}\) and \(\mathbb {R}^n\) by

$$\begin{aligned} C(x)\subset \overline{R} \xrightarrow {\quad t\quad } C=\{c|c(x)\in C(x)\}\subset \mathbb {R}^n. \end{aligned}$$
(24)

Let \(C(x)\subset \overline{R}\) be an ideal; it is clear that \(C=t(C(x))\) is a linear subspace of \(\mathbb {R}^n\). To prove that C is a \(\phi \)-cyclic subspace, we note that if \(c(x)\in C(x)\), then by (2.11)

$$\begin{aligned} xc(x)\in C(x)\Leftrightarrow Ht(c(x))=Hc\in C. \end{aligned}$$

Therefore, if C(x) is an ideal of \(\overline{R}\), then \(t(C(x))=C\) is a \(\phi \)-cyclic subspace of \(\mathbb {R}^n\). Conversely, if \(C\subset \mathbb {R}^n\) is a \(\phi \)-cyclic subspace, then for any \(k\geqslant 1\), we have \(H^k c\in C\) whenever \(c\in C\), it implies

$$\begin{aligned} \forall c(x)\in C(x)\Rightarrow x^k c(x)\in C(x),\ 0\leqslant k\leqslant n-1, \end{aligned}$$

which means that C(x) is an ideal of \(\overline{R}\). We complete the proof.

By the above lemma, to find a \(\phi \)-cyclic subspace in \(\mathbb {R}^n\), it is enough to find an ideal of \(\overline{R}\). There are two trivial ideals \(C(x)=0\) and \(C(x)=\overline{R}\); the corresponding \(\phi \)-cyclic subspaces are \(C=0\) and \(C=\mathbb {R}^n\). To find non-trivial \(\phi \)-cyclic subspaces, we make use of the homomorphism theorems, which is a standard technique in algebra. Let \(\pi \) be the natural homomorphism from \(\mathbb {R}[x]\) to \(\overline{R}\), so that ker\(\pi =\phi (x)\mathbb {R}[x]\). We denote \(\phi (x)\mathbb {R}[x]\) by \(<\phi (x)>\). Let N be an ideal of \(\mathbb {R}[x]\) satisfying

$$\begin{aligned}<\phi (x)>\subset N \subset \mathbb {R}[x] \xrightarrow {\quad \pi \quad } \overline{R}=\mathbb {R}[x] / <\phi (x)>. \end{aligned}$$
(25)

Since \(\mathbb {R}[x]\) is a principal ideal domain, \(N=<g(x)>\) is a principal ideal generated by a monic polynomial \(g(x)\in \mathbb {R}[x]\). It is easy to see that

$$\begin{aligned}<\phi (x)>\subset <g(x)>\Leftrightarrow g(x)|\phi (x)\ \text {in}\ \mathbb {R}[x]. \end{aligned}$$

It follows that all ideals N satisfying (2) are given by

$$\begin{aligned} \{<g(x)>\Big |\ g(x)\in \mathbb {R}[x]\ \text {is monic and}\ g(x)|\phi (x)\}. \end{aligned}$$

We denote by \(<g(x)>\) mod \(\phi (x)\) the image of \(<g(x)>\) under \(\pi \), i.e.

$$\begin{aligned}<g(x)>\ \text {mod}\ \phi (x)=\pi (<g(x)>). \end{aligned}$$

It is easy to check

$$\begin{aligned}<g(x)>\ \text {mod}\ \phi (x)=\{a(x)g(x)\ |\ a(x)\in \mathbb {R}[x] \text {\ and deg} a(x)+\text {deg}g(x)<n\}, \end{aligned}$$
(26)

more precisely, this is a set of representative elements of \(<g(x)>\) mod \(\phi (x)\). By the homomorphism theorem in ring theory, all ideals of \(\overline{R}\) are given by

$$\begin{aligned} \{<g(x)> \text {\ mod\ } \phi (x) \ \Big |\ g(x) \in \mathbb {R}[x] \text {\ is monic and\ } g(x)|\phi (x)\}. \end{aligned}$$
(27)

Let d be the number of monic divisors of \(\phi (x)\) in \(\mathbb {R}[x]\), we have the following.

Corollary 4

The number of \(\phi \)-cyclic subspaces of \(\mathbb {R}^n\) is d.

Next, we discuss \(\phi \)-cyclic lattices, which are the geometric analogue of cyclic codes. The \(\phi \)-cyclic subspaces of \( \mathbb {R}^{n}\) may be regarded as the algebraic analogue of cyclic codes. Let the quotient rings R and \(\overline{R}\) be given by (2.8). An R-module is an abelian group \(\wedge \) such that there is an operation \(\lambda \alpha \in \wedge \) for all \(\lambda \in R\) and \(\alpha \in \wedge \), satisfying \(1\cdot \alpha =\alpha \) and \((\lambda _1 \lambda _2)\alpha =\lambda _1 (\lambda _2 \alpha )\). It is easy to see that \(\overline{R}\) is an R-module. If \(\wedge \subset \overline{R}\) and \(\wedge \) is an R-module, then \(\wedge \) is called an R-submodule of \(\overline{R}\). All R-modules we discuss here are R-submodules of \(\overline{R}\). On the other hand, if \(I\subset R\), then I is an ideal of R if and only if I is an R-module. Let \(\alpha \in \overline{R}\); the cyclic R-module generated by \(\alpha \) is defined by

$$\begin{aligned} R\alpha =\{\lambda \alpha \ |\ \lambda \in R\}. \end{aligned}$$
(28)

If there are finitely many polynomials \(\alpha _1,\alpha _2,\dots ,\alpha _k\) in \(\overline{R}\) such that \(\wedge =R\alpha _1+R\alpha _2+\cdots +R\alpha _k\), then \(\wedge \) is called a finitely generated R-module, which is an R-submodule of \(\overline{R}\).

Now let \(L\subset \mathbb {R}^n\) be a \(\phi \)-cyclic lattice and \(g\in \mathbb {R}^n\), let \(H^*(g)\) be the ideal matrix generated by the vector g, and let \(L(H^*(g))\) be the lattice generated by \(H^*(g)\). It is easy to show that any \(L(H^*(g))\) is a \(\phi \)-cyclic lattice and

$$\begin{aligned} L(H^*(g))\subset L,\ \text {whenever}\ g\in L, \end{aligned}$$
(29)

which implies that \(L(H^*(g))\) is the smallest \(\phi \)-cyclic lattice which contains the vector g. Therefore, we call \(L(H^*(g))\) a minimal \(\phi \)-cyclic lattice in \(\mathbb {R}^n\).

Lemma 9

There is a one to one correspondence between the minimal \(\phi \)-cyclic lattices in \(\mathbb {R}^n\) and the cyclic R-submodules in \(\overline{R}\), namely,

$$\begin{aligned} t(Rg(x))=L(H^*(g)),\ \text {for all}\ g(x)\in \overline{R} \end{aligned}$$

and

$$\begin{aligned} t^{-1}(L(H^*(g)))=Rg(x),\ \text {for all}\ g\in \mathbb {R}^n. \end{aligned}$$

Proof

Let \(b(x)\in R\), by Lemma 5, we have

$$\begin{aligned} t(b(x)g(x))=H^*(b)g=H^*(g)b\in L(H^*(g)), \end{aligned}$$

and \(t(Rg(x))\subset L(H^*(g))\). Conversely, if \(\alpha \in L(H^*(g))\), and \(\alpha =H^*(g)b\) for some integer vector b, by Lemma 5 again, we have \(b(x)g(x)\in Rg(x)\), and \(t(b(x)g(x))=\alpha \). This implies that \(L(H^*(g))\subset t(Rg(x))\), and

$$\begin{aligned} t(Rg(x))=L(H^*(g)). \end{aligned}$$

The lemma follows immediately.

Suppose \(L=L(\beta _1,\beta _2,\dots ,\beta _m)\) is an arbitrary \(\phi \)-cyclic lattice, where \(B=[\beta _1,\beta _2, \dots ,\beta _m]_{n\times m}\) is the generator matrix of L. Then L may be expressed as the sum of finitely many minimal \(\phi \)-cyclic lattices; in fact, we have

$$\begin{aligned} L=L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)). \end{aligned}$$
(30)

To state and prove our main results, first, we give a definition of prime spot in \(\mathbb {R}^n\).

Definition 4

Let \(g\in \mathbb {R}^n\), and \(g(x)=t^{-1}(g)\in \overline{R}\). If \((g(x),\phi (x))=1\) in \(\mathbb {R}[x]\), we call g a prime spot of \(\mathbb {R}^n\).

By (v) of Theorem 2, \(g\in \mathbb {R}^n\) is a prime spot if and only if \(H^*(g)\) is an invertible matrix, thus the minimal \(\phi \)-cyclic lattice \(L(H^*(g))\) generated by a prime spot is a full-rank lattice.

Lemma 10

Let g and f be two prime spots of \(\mathbb {R}^n\), then \(L(H^*(g))+L(H^*(f))\) is a full-rank \(\phi \)-cyclic lattice.

Proof

According to Lemma 4, it is sufficient to show that

$$\begin{aligned} \text {rank}\big (L(H^*(g))\cap L(H^*(f))\big )=\text {rank}\big (L(H^*(g))\big )=n. \end{aligned}$$
(31)

In fact, we prove in general that

$$\begin{aligned} L(H^*(g)\cdot H^*(f))\subset L(H^*(g))\cap L(H^*(f)). \end{aligned}$$
(32)

Since \(H^*(g)\cdot H^*(f)\) is an invertible matrix, we have rank\(\big (L(H^*(g)\cdot H^*(f))\big ) = n\), and (8) follows immediately.

To prove (9), we note that

$$\begin{aligned} L(H^*(g)\cdot H^*(f))=L(H^*(g*f)). \end{aligned}$$

It follows that

$$\begin{aligned} t^{-1}\big (L(H^*(g)\cdot H^*(f))\big )=Rg(x)f(x). \end{aligned}$$

It is easy to see that

$$\begin{aligned} Rg(x)f(x)\subset Rg(x)\cap Rf(x). \end{aligned}$$

Therefore, we have

$$\begin{aligned} L(H^*(g)\cdot H^*(f))=t(Rg(x)f(x))\subset L(H^*(g))\cap L(H^*(f)). \end{aligned}$$

This is the proof of Lemma 10.

It is worth noting that (9) is true for the more general case and does not need the condition of prime spot.

Corollary 5

Let \(\beta _1,\beta _2,\dots ,\beta _m\) be arbitrary m vectors in \(\mathbb {R}^n\), then we have

$$\begin{aligned} L(H^*(\beta _1) H^*(\beta _2)\cdots H^*(\beta _m))\subset L(H^*(\beta _1))\cap L(H^*(\beta _2))\cap \cdots \cap L(H^*(\beta _m)). \end{aligned}$$
(33)

Proof

If \(\beta _1,\beta _2,\dots ,\beta _m\) are integer vectors, then (10) is trivial. For the general case, we write

$$\begin{aligned} L(H^*(\beta _1)\cdot H^*(\beta _2)\cdots H^*(\beta _m))=L(H^*(\beta _1 *\beta _2 *\cdots *\beta _m)), \end{aligned}$$

where \(\beta _1 *\beta _2 *\cdots *\beta _m\) is the \(\phi \)-convolutional product, then

$$\begin{aligned} t^{-1}\big (L(H^*(\beta _1)\cdots H^*(\beta _m))\big )=R \beta _1(x)\beta _2(x)\cdots \beta _m(x). \end{aligned}$$

Since

$$\begin{aligned} R \beta _1(x)\beta _2(x)\cdots \beta _m(x)\subset R\beta _1(x)\cap R\beta _2(x)\cap \cdots \cap R\beta _m(x), \end{aligned}$$

it follows that

$$\begin{aligned} L(H^*(\beta _1) H^*(\beta _2)\cdots H^*(\beta _m))\subset L(H^*(\beta _1))\cap L(H^*(\beta _2))\cap \cdots \cap L(H^*(\beta _m)). \end{aligned}$$

We have this corollary.

By Lemma 10, we also have the following assertion.

Corollary 6

Let \(\beta _1,\beta _2,\dots ,\beta _m\) be m prime spots of \(\mathbb {R}^n\), then \(L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m))\) is a full-rank \(\phi \)-cyclic lattice.

Proof

It follows immediately from Corollary 3.

Our main result in this chapter is to establish the following one to one correspondence between \(\phi \)-cyclic lattices in \(\mathbb {R}^n\) and finitely generated R-modules in \(\overline{R}\).

Theorem 4

Let \(\wedge =R\alpha _1(x)+R\alpha _2(x)+\cdots +R\alpha _m(x)\) be a finitely generated R-module in \(\overline{R}\), then \(t(\wedge )\) is a \(\phi \)-cyclic lattice in \(\mathbb {R}^n\). Conversely, if \(L\subset \mathbb {R}^n\) is a \(\phi \)-cyclic lattice in \(\mathbb {R}^n\), then \(t^{-1}(L)\) is a finitely generated R-module in \(\overline{R}\), that is a one to one correspondence.

Proof

If \(\wedge \) is a finitely generated R-module, by Lemma 9, we have

$$\begin{aligned} t(\wedge )&= t(R\alpha _1(x)+\cdots +R\alpha _m(x))=L(H^*(\alpha _1))\nonumber \\ {}&+ L(H^*(\alpha _2))+\cdots +L(H^*(\alpha _m)). \end{aligned}$$

The main difficulty is to show that \(t(\wedge )\) is a lattice of \(\mathbb {R}^n\); we require a surgery to embed \(t(\wedge )\) into a full-rank lattice. To do this, let \((\alpha _i(x),\phi (x))=d_i(x)\), \(d_i(x)\in \mathbb {Z}[x]\), and \(\beta _i(x)=\alpha _i(x)/d_i(x)\), \(1\leqslant i\leqslant m\). Since \(\phi (x)\) has no multiple roots by assumption, \((\beta _i(x),\phi (x))=1\) in \(\mathbb {R}[x]\). In other words, each \(t(\beta _i(x))=\beta _i\) is a prime spot. It is easy to verify that \(R\alpha _i(x)\subset R\beta _i(x)\ (1\leqslant i\leqslant m)\), thus we have

$$\begin{aligned} t(\wedge )\subset L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)). \end{aligned}$$

By Corollaries 6 and 1, \(t(\wedge )\) is a \(\phi \)-cyclic lattice. Conversely, if \(L\subset \mathbb {R}^n\) is a \(\phi \)-cyclic lattice of \(\mathbb {R}^n\), and \(L=L(\beta _1,\beta _2,\dots ,\beta _m)\), by (7), we have

$$\begin{aligned} t^{-1}(L)=R\beta _1(x)+R\beta _2(x)+\cdots +R\beta _m(x), \end{aligned}$$

which is a finitely generated R-module in \(\overline{R}\). We complete the proof of Theorem 4.

As mentioned in the abstract, since R is a Noetherian ring, \(I\subset R\) is an ideal if and only if I is a finitely generated R-module. On the other hand, if \(I\subset R\) is an ideal, then \(t(I)\subset \mathbb {Z}^n\) is a discrete subgroup of \(\mathbb {Z}^n\), thus t(I) is a lattice. We define the following.

Definition 5

Let \(I\subset R\) be an ideal, t(I) is called the \(\phi \)-ideal lattice.

Ideal lattice first appeared in Lyubashevsky and Micciancio (2006) (see Definition 3.1 of Lyubashevsky and Micciancio (2006)). As a direct consequence of Theorem 4, we have the following.

Corollary 7

Let \(L\subset \mathbb {R}^n\) be a subset, then L is a \(\phi \)-cyclic lattice if and only if

$$\begin{aligned} L=L(H^*(\beta _1))+L(H^*(\beta _2))+\cdots +L(H^*(\beta _m)), \end{aligned}$$

where \(\beta _i\in \mathbb {R}^n\) and \(m\leqslant n\). Furthermore, L is a \(\phi \)-ideal lattice if and only if every \(\beta _i\in \mathbb {Z}^n\), \(1\leqslant i\leqslant m\).

Corollary 8

Suppose that \(\phi (x)\) is an irreducible polynomial in \(\mathbb {Z}[x]\), then any non-zero ideal I of R defines a full-rank \(\phi \)-ideal lattice \(t(I)\subset \mathbb {Z}^n\).

Proof

Let \(I\subset R\) be a non-zero ideal, then we have \(I=R\alpha _1(x)+R\alpha _2(x)+\cdots +R\alpha _m(x)\), where \(\alpha _i(x)\in R\) and \((\alpha _i(x),\phi (x))=1\). It follows that

$$\begin{aligned} t(I)=L(H^*(\alpha _1))+L(H^*(\alpha _2))+\cdots +L(H^*(\alpha _m)). \end{aligned}$$

Since each \(\alpha _i\) is a prime spot, we have rank\((t(I))=n\) by Corollary 6, and the corollary follows at once.

According to Definition 3.1 of Lyubashevsky and Micciancio (2006), we have proved that any ideal of R corresponds to a \(\phi \)-ideal lattice, which is just a \(\phi \)-cyclic integer lattice under the more general rotation matrix \(H=H_{\phi }\). Cyclic lattices and ideal lattices were introduced in Micciancio (2002) and Lyubashevsky and Micciancio (2006), respectively, to improve the space complexity of lattice-based cryptosystems. Ideal lattices allow a lattice to be represented using only two polynomials. Using such lattices, lattice-based cryptosystems can reduce their space complexity from \(O(n^2)\) to O(n). Ideal lattices also allow computations to be accelerated using the polynomial structure. The original structure of Micciancio’s matrices uses the ordinary circulant matrices and allows for an interpretation in terms of arithmetic in the polynomial ring \(\mathbb {Z}[x]/<x^n-1>\). Lyubashevsky and Micciancio (2006) later suggested changing the ring to \(\mathbb {Z}[x]/<\phi (x)>\) with an irreducible \(\phi (x)\) over \(\mathbb {Z}[x]\). Our results here suggest changing the ring to \(\mathbb {Z}[x]/<\phi (x)>\) with any polynomial \(\phi (x)\). There are many works subsequent to Micciancio (2002) and Lyubashevsky and Micciancio (2006), such as (Feige & Micciancio, 2004; Micciancio & Regev, 2009; Peikert, 2016; Plantard & Schneider, 2013; Pradhan et al., 2019; Stehle & Steinfeld, 2011).

Example 1

It is interesting to find some examples of \(\phi \)-cyclic lattices in an algebraic number field K. Let Q be the rational number field. Without loss of generality, an algebraic number field K of degree n is just \(K=Q(w)\), where \(w=w_i\) is a root of \(\phi (x)\). If all \(Q(w_i)\subset \mathbb {R}\ (1\leqslant i\leqslant n)\), then K is called a totally real algebraic number field. Let \(O_K\) be the ring of algebraic integers of K, and \(I\subset O_K\) be an ideal, \(I\ne 0\). There is an integral basis \(\{\alpha _1,\alpha _2,\dots ,\alpha _n\}\subset I\) such that

$$\begin{aligned} I=\mathbb {Z}\alpha _1+\mathbb {Z}\alpha _2+\cdots +\mathbb {Z}\alpha _n. \end{aligned}$$

We may regard every ideal of \(O_K\) as a lattice in \(Q^n\), and our assertion is that every non-zero ideal of \(O_K\) corresponds to a full-rank \(\phi \)-cyclic lattice of \(Q^n\). To see this, let

$$\begin{aligned} Q[w]= \left\{ \sum _{i=0}^{n-1} a_i w^i\ |\ a_i\in Q \right\} . \end{aligned}$$

It is known that \(K=Q[w]\), thus every \(\alpha \in K\) corresponds to a vector \(\overline{\alpha }\in Q^n\) by

$$\begin{aligned} \alpha =\sum _{i=0}^{n-1} a_i w^i \xrightarrow {\quad \tau \quad } \overline{\alpha }=\begin{pmatrix} a_0 \\ a_1 \\ \vdots \\ a_{n-1} \end{pmatrix}\in \mathbb {Q}^n. \end{aligned}$$

If \(I\subset O_K\) is an ideal of \(O_K\) and \(I=\mathbb {Z}\alpha _1+\mathbb {Z}\alpha _2+\cdots +\mathbb {Z}\alpha _n\), let \(B=[\overline{\alpha _1},\overline{\alpha _2},\dots ,\overline{\alpha _n}]\in Q^{n\times n}\), which is a full-rank matrix. We have \(\tau (I)=L(B)\) as a full-rank lattice. It remains to show that \(\tau (I)\) is a \(\phi \)-cyclic lattice; we only need to prove that \(\alpha \in I\Rightarrow H\overline{\alpha }\in \tau (I)\). Suppose that \(\alpha \in I\), then \(w\alpha \in I\). It is easy to verify that \(\tau (w)=e_2\) (see (2.7)) and

$$\begin{aligned} \tau (w\alpha )=\tau (w)*\tau (\alpha )=H\overline{\alpha }\in \tau (I). \end{aligned}$$

This means that \(\tau (I)\) is a \(\phi \)-cyclic lattice of \(Q^n\), which is a full-rank lattice.

4 Smoothing Parameter

As an application of the algebraic structure of \(\phi \)-cyclic lattice, we show an explicit upper bound of the smoothing parameter for the \(\phi \)-cyclic lattices. Firstly, we introduce some basic notations.

A Gauss function \(\rho _{s,c}(x)\) in \(\mathbb {R}^n\) is given by

$$\begin{aligned} \rho _{s,c}(x)=e^{-\pi |x-c|^2/s^2}, \end{aligned}$$
(34)

where \(x\in \mathbb {R}^n\), \(c\in \mathbb {R}^n\), and \(s>0\) is a positive real number. \(\rho _{s,c}(x)\) is called the Gauss function centered at the point c with parameter s. It is easy to see that

$$\begin{aligned} \int \limits _{\mathbb {R}^n} \rho _{s,c}(x)\textrm{d} x=s^n. \end{aligned}$$

Thus, we may define a probability density function \(D_{s,c}(x)\) by

$$\begin{aligned} D_{s,c}(x)=\rho _{s,c}(x)/ \int \limits _{\mathbb {R}^n} \rho _{s,c}(x)\textrm{d} x=\rho _{s,c}(x)/s^n. \end{aligned}$$
(35)

Suppose \(L\subset \mathbb {R}^n\) is a lattice, let

$$\begin{aligned} D_{s,c}(L)=\sum \limits _{x\in L} D_{s,c}(x),\ \rho _{s,c}(L)=\sum \limits _{x\in L} \rho _{s,c}(x). \end{aligned}$$
(36)

The discrete Gauss distribution over L is a probability distribution \(D_{L,s,c}\) over L given by

$$\begin{aligned} D_{L,s,c}(x)=\frac{D_{s,c}(x)}{D_{s,c}(L)}=\frac{\rho _{s,c}(x)}{\rho _{s,c}(L)}. \end{aligned}$$
(37)

If \(c=0\) is the zero vector of \(\mathbb {R}^n\), we write \(\rho _{s,0}(x)=\rho _{s}(x)\), \(\rho _{s,0}(L)=\rho _{s}(L)\), \(D_{s,0}(x)=D_{s}(x)\), and \(D_{s,0}(L)=D_{s}(L)\). Suppose that L is a full-rank lattice and \(L^*\) is its dual lattice, we define the smoothing parameter \(\eta _{\varepsilon }(L)\) of L to be the smallest s such that \(\rho _{1/s}(L^*)\leqslant 1+\varepsilon \), more precisely,

$$\begin{aligned} \eta _{\varepsilon }(L)=\min \{s:\ s>0\ \text {and}\ \rho _{1/s}(L^*)\leqslant 1+\varepsilon \}, \end{aligned}$$
(38)

where \(\varepsilon >0\) is a positive number. Notice that \(\rho _{1/s}(L^*)\) is a continuous and strictly decreasing function of s, thus the smoothing parameter \(\eta _{\varepsilon }(L)\) is a continuous and strictly decreasing function of \(\varepsilon \).

Let \(L=L(\beta _1,\beta _2,\dots ,\beta _n)\subset \mathbb {R}^n\) be a full-rank lattice with a basis \(\beta _1,\beta _2,\dots ,\beta _n\), the fundamental region P(L) is given by

$$\begin{aligned} P(L)= \left\{ \sum \limits _{i=1}^{n} a_i \beta _i | 0\leqslant a_i< 1,\ 1\leqslant i\leqslant n \right\} . \end{aligned}$$
(39)

Suppose that X and Y are two discrete random variables on \(\mathbb {R}^n\), the statistical distance between X and Y over L is defined by

$$\begin{aligned} \triangle (X,Y)=\frac{1}{2} \sum \limits _{a\in L}|P\{X=a\}-P\{Y=a\}|. \end{aligned}$$
(40)

If X and Y are continuous random variables with probability density function \(T_1\) and \(T_2\), respectively, then \(\triangle (X,Y)\) is defined by

$$\begin{aligned} \triangle (X,Y)=\frac{1}{2}\int \limits _{\mathbb {R}^n} |T_1(z)-T_2(z)| \textrm{d} z. \end{aligned}$$
(41)

The smoothing parameter was introduced by Micciancio and Regev (2007), and it plays an important role in the statistical information of lattices. An important property of the smoothing parameter is that, for any lattice \(L=L(B)\) and any \(\varepsilon >0\), the statistical distance between \(D_s\) mod L and the uniform distribution over the fundamental region P(L) is at most \(\frac{1}{2}(\rho _{1/s}(L(B)^*))\). More precisely, for any \(\varepsilon >0\) and any \(s\geqslant \eta _{\varepsilon } (L(B))\), the statistical distance is at most \(\frac{1}{2}\varepsilon \), namely

$$\begin{aligned} \triangle \big (D_{s,c}\ \text {mod}\ L,\ U(P(L)) \big )\leqslant \frac{\varepsilon }{2}. \end{aligned}$$
(42)

Lemma 11

Let \(L\subset \mathbb {R}^n\) be a full-rank lattice, we have

$$\begin{aligned} \eta _{2^{-n}} (L)\leqslant \sqrt{n}/\lambda _1 (L^*), \end{aligned}$$
(43)

where \(L^*\) is the dual lattice of L, and \(\lambda _1 (L^*)\) is the minimum distance of \(L^*\).

Proof

See Lemma 3.2 of Micciancio and Regev (2007), or Banaszczyk (1993).

Lemma 12

Suppose that \(L_1\) and \(L_2\) are two full-rank lattices in \(\mathbb {R}^n\), and \(L_1 \subset L_2\), then for any \(\varepsilon >0\), we have

$$\begin{aligned} \eta _{\varepsilon }(L_2)\leqslant \eta _{\varepsilon }(L_1). \end{aligned}$$
(44)

Proof

Let \(\eta _{\varepsilon }(L_1)=s\); we are to show that \(\eta _{\varepsilon }(L_2)\leqslant s\). By definition,

$$\begin{aligned} \rho _{1/s}(L_1^*)=1+\varepsilon ,\ \text {and}\ \sum \limits _{x\in L_1^*}e^{-\pi s^2 |x|^2}=1+\varepsilon . \end{aligned}$$

It is easy to check that \(L_2^*\subset L_1^*\), so it follows that

$$\begin{aligned} 1+\varepsilon =\sum \limits _{x\in L_1^*}e^{-\pi s^2 |x|^2}\geqslant \sum \limits _{x\in L_2^*}e^{-\pi s^2 |x|^2}, \end{aligned}$$

which implies

$$\begin{aligned} \rho _{1/s}(L_2^*)\leqslant 1+\varepsilon , \end{aligned}$$

and \(\eta _{\varepsilon }(L_2)\leqslant s=\eta _{\varepsilon }(L_1)\), thus we have Lemma 12.

According to (2.4), the ideal matrix \(H^*(f)\) with input vector \(f\in \mathbb {R}^n\) is just the ordinary circulant matrix when \(\phi (x)=x^n-1\). The next lemma shows that the transpose of a circulant matrix is still a circulant matrix. For any \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\), we denote \(\overline{g}=\begin{pmatrix} g_{n-1} \\ g_{n-2} \\ \vdots \\ g_{0} \end{pmatrix}\), which is called the conjugation of g.

Lemma 13

Let \(\phi (x)=x^n-1\), then for any \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\), we have

$$\begin{aligned} (H^*(g))'=H^*(H\overline{g}). \end{aligned}$$
(45)

Proof

Since \(\phi (x)=x^n-1\), then \(H=H_{\phi }\) (see (2.3)) is an orthogonal matrix, and we have \(H^{-1}=H^{n-1}=H'\). We write \(H_1=H'=H^{-1}\). The following identity is easy to verify

$$\begin{aligned} H^*(g)=\begin{pmatrix} \overline{g}'H_1 \\ \overline{g}'H_1^2 \\ \vdots \\ \overline{g}'H_1^n \end{pmatrix} \end{aligned}$$

It follows that

$$\begin{aligned} (H^*(g))'=[H\overline{g},H(H\overline{g}),\dots ,H^{n-1}(H\overline{g})]=H^*(H\overline{g}), \end{aligned}$$

and we have the lemma.

Lemma 14

Suppose that \(g\in \mathbb {R}^n\) and the circulant matrix \(H^*(g)\) is invertible. Let \(A=(H^*(g))'H^*(g)\), then all characteristic values of A are given by

$$\begin{aligned} \{|g(\theta _1)|^2,|g(\theta _2)|^2,\dots ,|g(\theta _n)|^2\}, \end{aligned}$$

where \(\theta _i^n=1\ (1\leqslant i\leqslant n)\) are the n-th roots of unity.

Proof

By Lemma 13 and (ii) of Theorem 2, we have

$$\begin{aligned} A=H^*(H\overline{g})H^*(g)=H^*(H^*(H\overline{g})g)=H^*(g''), \end{aligned}$$

where \(g''=H^*(H\overline{g})g\). Let \(g''(x)=t^{-1}(g'')\) be the corresponding polynomial of \(g''\). By (iii) of Theorem 2, all characteristic values of A are given by

$$\begin{aligned} \{g''(\theta _1),g''(\theta _2),\dots ,g''(\theta _n)\},\ \theta _i^n=1,\ 1\leqslant i\leqslant n. \end{aligned}$$
(46)

Let \(g=\begin{pmatrix} g_0 \\ g_1 \\ \vdots \\ g_{n-1} \end{pmatrix}\in \mathbb {R}^n\). It is easy to see that

$$\begin{aligned} g''(x)=\sum \limits _{i=0}^{n-1}g_i^2+ \left( \sum \limits _{i=0}^{n-1}g_i g_{1-i} \right) x+\cdots + \left( \sum \limits _{i=0}^{n-1}g_i g_{(n-1)-i} \right) x^{n-1}=|g(x)|^2, \end{aligned}$$

where \(g_{-i}=g_{n-i}\) for all \(1\leqslant i\leqslant n-1\), then the lemma follows at once.

By Definition 4, if \(g\in \mathbb {R}^n\) is a prime spot, then there is a unique polynomial \(u(x)\in \overline{R}\) such that \(u(x)g(x)\equiv 1\) (mod \(\phi (x)\)). We define a new vector \(T_g\) and its corresponding polynomial \(T_g(x)\) by

$$\begin{aligned} T_g=H\overline{u},\ \text {and}\ T_g(x)=t^{-1}(H\overline{u}). \end{aligned}$$
(47)

If \(g\in \mathbb {Z}^n\) is an integer vector, then \(T_g\in \mathbb {Z}^n\) is also an integer vector, and \(T_g(x)\in \mathbb {Z}[x]\) is a polynomial with integer coefficients. Our main result on smoothing parameter is the following theorem.

Theorem 5

Let \(\phi (x)=x^n-1\), \(L\subset \mathbb {R}^n\) be a full-rank \(\phi \)-cyclic lattice, then for any prime spots \(g\in L\), we have

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n} (\min \{|T_g(\theta _1)|,|T_g(\theta _2)|,\dots ,|T_g(\theta _n)|\})^{-1}, \end{aligned}$$
(48)

where \(\theta _i^n=1\), \(1\leqslant i\leqslant n\), and \(T_g(x)\) is given by (47).

Proof

Let \(g\in L\) be a prime spot, by Lemma 12, we have

$$\begin{aligned} L(H^*(g))\subset L\Rightarrow \eta _{\varepsilon }(L)\leqslant \eta _{\varepsilon }(L(H^*(g))),\ \forall \varepsilon >0. \end{aligned}$$
(49)

To estimate the smoothing parameter of \(L(H^*(g))\), the dual lattice of \(L(H^*(g))\) is given by

$$\begin{aligned} L(H^*(g))^*=L((H^*(u))')=L(H^*(H\overline{u}))=L(H^*(T_g)), \end{aligned}$$

where \(u(x)\in \overline{R}\) and \(u(x)g(x)\equiv 1\) (mod \(x^n-1\)), and \(T_g\) is given by (47). Let \(A=(H^*(T_g))'H^*(T_g)\), by Lemma 14, all characteristic values of A are

$$\begin{aligned} \{|T_g(\theta _1)|^2,|T_g(\theta _2)|^2,\dots ,|T_g(\theta _n)|^2\}. \end{aligned}$$

By Lemma 2, the minimum distance \(\lambda _1 (L(H^*(g))^*)\) is bounded by

$$\begin{aligned} \lambda _1 (L(H^*(g))^*)\geqslant \min \{|T_g(\theta _1)|,|T_g(\theta _2)|,\dots ,|T_g(\theta _n)|\}. \end{aligned}$$
(50)

Now, Theorem 5 follows from Lemma 11 immediately.

Let \(L=L(B)\) be a full-rank lattice and \(B=[\beta _1,\beta _2,\dots ,\beta _n]\). We denote by \(B^*=[\beta _1^*,\beta _2^*,\dots ,\beta _n^*]\) the Gram-Schmidt orthogonal vectors \(\{\beta _i^*\}\) of the ordered basis \(B=\{\beta _i\}\). It is a well-known conclusion that

$$\begin{aligned} \lambda _1(L)\geqslant |B^*|=\min \limits _{1\leqslant i\leqslant n} |\beta _i^*|, \end{aligned}$$

which yields by Lemma 11 the following upper bound

$$\begin{aligned} \eta _{2^{-n}}(L)\leqslant \sqrt{n} |B_0^*|^{-1}, \end{aligned}$$
(51)

where \(B_0^*\) is the orthogonal basis of dual lattice \(L^*\) of L.

For a \(\phi \)-cyclic lattice L, we observe by numerical testing that the upper bound (4.17) is always better than (4.18). We give two examples here.

Example 2

Let \(n=3\) and \(\phi (x)=x^3-1\), the rotation matrix H is

$$\begin{aligned} H=\begin{pmatrix} 0 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 \end{pmatrix}. \end{aligned}$$

We select a \(\phi \)-cyclic lattice \(L=L(B)\), where

$$\begin{aligned} B=\begin{pmatrix} 1 &{} 1 &{} 1 \\ 0 &{} 1 &{} 1 \\ 0 &{} 0 &{} 1 \end{pmatrix}. \end{aligned}$$

Since \(L=\mathbb {Z}^3\), L is a \(\phi \)-cyclic lattice. It is easy to check that

$$\begin{aligned} |B_0^*|=\min \limits _{1\leqslant i\leqslant 3}|\beta _i^*|=\frac{\sqrt{3}}{3}. \end{aligned}$$

On the other hand, we randomly pick a prime spot \(g=\begin{pmatrix} 0\\ 0\\ 1 \end{pmatrix}\in L\) with \(g(x)=x^2\). Since \(xg(x)\equiv 1\) (mod \(x^3-1\)), we have \(T_g(x)=x^2\). It follows that \(|T_g(\theta _1)|=|T_g(\theta _2)|=|T_g(\theta _3)|=1\), and

$$\begin{aligned} \min \limits _{1\leqslant i\leqslant 3}|T_g(\theta _i)|^{-1}\leqslant |B_0^*|^{-1}=\sqrt{3}. \end{aligned}$$
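The quantities used in Theorem 5 can be computed exactly for \(\phi (x)=x^n-1\). The following Python code is an added example, not part of the original chapter; all function names are illustrative assumptions. It inverts g(x) modulo \(x^n-1\) with exact rational arithmetic, forms \(T_g=H\overline{u}\), checks that \(H^*(T_g)\) is the dual basis of \(H^*(g)\), and evaluates the right-hand side of the bound in Theorem 5.

```python
import cmath
import math
from fractions import Fraction

def rotate(v):
    """Apply H for phi(x) = x^n - 1: multiplication by x, a cyclic shift down."""
    return [v[-1]] + v[:-1]

def ideal_matrix(g):
    """H*(g) = [g, Hg, ..., H^(n-1) g], returned as a list of rows."""
    cols, v = [], list(g)
    for _ in range(len(g)):
        cols.append(v)
        v = rotate(v)
    return [list(row) for row in zip(*cols)]

def solve(M, b):
    """Exact Gauss-Jordan elimination over the rationals for M x = b."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(y)] for row, y in zip(M, b)]
    for c in range(n):
        p = next((r for r in range(c, n) if A[r][c] != 0), None)
        if p is None:
            raise ValueError("g is not a prime spot: H*(g) is singular")
        A[c], A[p] = A[p], A[c]
        pivot = A[c][c]
        A[c] = [x / pivot for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [A[r][n] for r in range(n)]

def t_g(g):
    """T_g = H * conj(u), where u(x) g(x) = 1 (mod x^n - 1)."""
    n = len(g)
    u = solve(ideal_matrix(g), [1] + [0] * (n - 1))  # H*(g) u = e_1
    return rotate(u[::-1])                           # conjugate, then apply H

def abs_at_roots(f):
    """|f(theta_k)| for all n-th roots of unity theta_k."""
    n = len(f)
    return [abs(sum(float(c) * cmath.exp(2j * cmath.pi * k * i / n)
                    for i, c in enumerate(f))) for k in range(n)]

def theorem5_bound(g):
    """sqrt(n) / min_k |T_g(theta_k)|, the right-hand side of Theorem 5."""
    return math.sqrt(len(g)) / min(abs_at_roots(t_g(g)))

def dual_check(g):
    """True iff H*(T_g)' H*(g) = I, i.e. H*(T_g) generates the dual lattice."""
    n = len(g)
    G, T = ideal_matrix(g), ideal_matrix(t_g(g))
    return all(sum(T[k][i] * G[k][j] for k in range(n)) == (i == j)
               for i in range(n) for j in range(n))

if __name__ == "__main__":
    g = [0, 0, 1]  # the prime spot of Example 2, g(x) = x^2
    print(t_g(g), theorem5_bound(g), dual_check(g))
```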

Example 3

Let \(n=4\) and \(\phi (x)=x^4-1\), the rotation matrix H is

$$\begin{aligned} H=\begin{pmatrix} 0 &{} 0 &{} 0 &{} 1 \\ 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 &{} 0 \\ 0 &{} 0 &{} 1 &{} 0 \end{pmatrix}. \end{aligned}$$

We select a \(\phi \)-cyclic lattice \(L=L(B)\), where

$$\begin{aligned} B=\begin{pmatrix} 1 &{} 1 &{} 1 &{} 1 \\ 0 &{} 1 &{} 1 &{} 1 \\ 0 &{} 0 &{} 1 &{} 1 \\ 0 &{} 0 &{} 0 &{} 1 \end{pmatrix}. \end{aligned}$$

Since \(L=\mathbb {Z}^4\), L is a \(\phi \)-cyclic lattice. It is easy to check that

$$\begin{aligned} |B_0^*|=\min \limits _{1\leqslant i\leqslant 4}|\beta _i^*|=\frac{1}{2}. \end{aligned}$$

On the other hand, we randomly pick a prime spot \(g=\begin{pmatrix} -2 \\ 1 \\ 0 \\ 0 \end{pmatrix}\in L\) with \(g(x)=x-2\). Since \((\frac{1}{7}x^3-\frac{1}{7}x^2-\frac{2}{7}x-\frac{5}{7})g(x)\equiv 1\) (mod \(x^4-1\)), we have \(T_g(x)=-\frac{2}{7}x^3-\frac{1}{7}x^2+\frac{1}{7}x-\frac{5}{7}\). It follows that \(|T_g(\theta _1)|=1\), \(|T_g(\theta _2)|=|T_g(\theta _3)|=|T_g(\theta _4)|=\frac{5}{7}\), and

$$\begin{aligned} \min \limits _{1\leqslant i\leqslant 4}|T_g(\theta _i)|^{-1}=\frac{7}{5}\leqslant |B_0^*|^{-1}=2. \end{aligned}$$