1 Introduction

The Learning With Errors problem LWE\(_{n,q,\alpha }\) with parameters \(n,q \in \mathbb {Z}\) and \(\alpha \in (0,1)\) consists in finding a vector \({\mathbf s} \in \mathbb {Z}_{q}^{n}\) from arbitrarily many samples \(({\mathbf a}_i, \langle {\mathbf a}_i, {\mathbf s}\rangle + e_i) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\), where \({\mathbf a}_i\) is uniformly sampled in \(\mathbb {Z}_q^n\) and \(e_i\) is sampled from \(\mathcal {D}_{\mathbb {Z}, \alpha q}\), the discrete Gaussian distribution of standard deviation parameter \(\alpha q\) (i.e., the distribution such that \(\mathcal {D}_{\mathbb {Z}, \alpha q}(k) \sim \exp (-\pi k^2/(\alpha q)^2)\) for all \(k \in \mathbb {Z}\)). Since its introduction by Regev [28, 29], LWE has served as a security foundation for numerous cryptographic primitives (see e.g. an overview in [24]). The cryptographic attractiveness of LWE stems from two particularly desirable properties. First, its algebraic simplicity enables the design of primitives with advanced functionalities, such as fully homomorphic encryption [8], attribute-based encryption for all circuits [14] and (single key) functional encryption [13]. Second, LWE is conjectured hard even in the context of quantum computations, making it one of the most appealing candidate security foundations for post-quantum cryptography [5]. Current quantum algorithms for LWE do not outperform classical ones, but it is not clear whether this is inherent (for example, it is known that LWE is easier than the Dihedral Coset Problem under polynomial-time reductions, see below). In this work, we characterize the quantum hardness of LWE under polynomial-time reductions and show that it is computationally equivalent (up to small parameter losses) to a quantum problem closely related to the aforementioned Dihedral Coset Problem.

\(\mathrm{LWE}\), Lattices and the Dihedral Coset Problem. LWE is tightly connected to worst-case approximation problems over Euclidean lattices. In particular, LWE is an (average-case) instance of the Bounded Distance Decoding problem (BDD) (see, e.g., [21, Section 5.4]), but is also known to be as hard as worst-case BDD (with some polynomial loss in parameters) [29]. BDD is the problem of finding the closest lattice vector to a given target point which is promised to be very close to the lattice (formally, closer than \(\lambda _1/\gamma \) where \(\lambda _1\) is the length of the shortest non-zero vector). Classical and quantum connections between BDD and other problems such as SIVP, GapSVP, uSVP are also known [7, 20, 23, 29].

Regev [25, 27] showed that uSVP, and therefore also BDD and LWE, are no harder to solve than the quantumly-defined Dihedral Coset Problem (DCP). An instance of DCP\(_{N, \ell }\), for integer parameters N and \(\ell \), consists of \(\ell \) quantum registers in superposition \(\mathinner {|{0,x_k}\rangle } + \mathinner {|{1, x_k+s}\rangle }\), with a common \(s \in \mathbb {Z}_N\) and random and independent \(x_k\in \mathbb {Z}_N\) for \(k \in [\ell ]\). The goal is to find s (information-theoretically, \(\ell = \mathcal {O}(\log N)\) registers suffice for this task [10]). We note that Regev considered a variant with an unbounded number of registers, a fraction of which are faulty (a faulty state is of the form \(\mathinner {|{b, x_k}\rangle }\) for arbitrary \(b \in \{0,1\}\) and \(x_k \in {\mathbb Z}_N\), and carries no information on s). In this work, we assume the non-faulty formulation of DCP.

Still, it is quite possible that DCP is in fact much harder to solve than LWE. The best known algorithm for DCP, due to Kuperberg [17], runs in time \(2^{\mathcal {O}(\log \ell + \log N/ \log \ell )}\) which does not improve upon classical methods for solving LWE. Other variants of the problem were explored in [10, 11], and of particular relevance to this work is a “vector” variant of the problem where \(\mathbb {Z}_N\) is replaced with \(\mathbb {Z}^n_{q}\) (i.e. s and \(x_k\) are now vectors). These problems behave similarly to DCP with \(N=q^n\).

Finally, Regev showed that DCP can be solved given efficient algorithms for the subset-sum problem (which is classically defined), however in a regime of parameters that appears harder to solve than LWE itself.

Extrapolated DCP. The focus of this work is a generalization of DCP: rather than considering registers containing \(\mathinner {|{0,x_k}\rangle } + \mathinner {|{1, x_k+s}\rangle }\), we allow (1) the \(x_k\)’s and s to be n-dimensional vectors, and (2) non-uniform amplitude distributions over more than two values of the first register. We name this problem Extrapolated DCP (\(\mathrm{EDCP}\)), as its input registers hold more “extrapolated” states. More precisely, \(\mathrm{EDCP}_{n,N,f}^{\ell }\), with parameters \(n,N,\ell \in \mathbb {Z}\) and a function \(f: \mathbb {Z}\mapsto \mathbb {C}\) with \(\sum _{j\in \mathbb {Z}} j \cdot |f(j)|^2 < +\infty \), consists in recovering \(\mathbf s\in \mathbb {Z}_N^n\) from the following \(\ell \) states over \(\mathbb {Z}\times \mathbb {Z}_N^n\):

$$ \left\{ \frac{1}{\sqrt{\sum _{j \in \mathbb {Z}} |f(j)|^2}} \cdot \sum _{j \in \mathbb {Z}} f(j) \mathinner {|{j,\mathbf x_k + j \cdot \mathbf s}\rangle } \right\} _{k \le \ell }, $$

where the \(\mathbf x_k\)’s are arbitrary in \(\mathbb {Z}_N^n\). Note that DCP is the special case of \(\mathrm{EDCP}\) for \(n=1\) and f being the indicator function of \(\{0, 1\}\).

In [9], Childs and van Dam consider a special case of \(\mathrm{EDCP}\) where f is the indicator function of \(\{0,\ldots ,M-1\}\) for some integer M, which we will refer to as uniform \(\mathrm{EDCP}\) (or, \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\)).

Our Main Result. We show that up to polynomial loss in parameters, \(\mathrm{U} - \mathrm{EDCP}\) is equivalent to LWE. Thus we provide a formulation of the hardness assumption underlying lattice-based cryptography in terms of the (generalized) Dihedral Coset Problem.

Theorem 1

(Informal). There exists a quantum polynomial-time reduction from \(\mathrm{LWE}_{n,q,\alpha }\) to \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\), with \(N = q\), \(\ell = \mathrm{poly}(n\log q)\) and \(M = \frac{\mathrm{poly}(n\log q)}{\alpha }\). Conversely, there exists a polynomial-time reduction from \(\mathrm{U} - \mathrm{EDCP}\) to \(\mathrm{LWE}\) with the same parameter relationships, up to \(\mathrm{poly}(n\log q)\) factors.

Our proof crucially relies on a special case of \(\mathrm{EDCP}\) where f is a Gaussian weight function with standard deviation parameter r. We call this problem Gaussian \(\mathrm{EDCP}\) (\(\mathrm{G} - \mathrm{EDCP}\)). We show that \(\mathrm{G} - \mathrm{EDCP}\) and \(\mathrm{U} - \mathrm{EDCP}\) are equivalent up to small parameter losses.

\(\mathrm{EDCP}\) is analogous to \(\mathrm{LWE}\) in many aspects. The decisional version of \(\mathrm{LWE}\) (\(\mathrm{dLWE}\)) asks to distinguish between \(\mathrm{LWE}\) samples and random samples of the form \((\mathbf a,b)\in \mathbb {Z}_q^n\times \mathbb {Z}_q\) where both components are chosen uniformly at random. Similarly, we also consider the decisional version of \(\mathrm{EDCP}\), denoted by \(\mathrm{dEDCP}\). In \(\mathrm{dEDCP}_{n,N,f}\), we are asked to distinguish between an \(\mathrm{EDCP}\) state and a state of the form

$$ \left| j\right\rangle \left| \mathbf x \bmod N\right\rangle , $$

where j is distributed according to the function \(|f|^2\), and \(\mathbf x\in \mathbb {Z}_N^n\) is uniformly chosen. \(\mathrm{EDCP}\) enjoys a reduction between its search and decisional variants via \(\mathrm{LWE}\).

Related work. In [9], Childs and van Dam show that \(\mathrm{U} - \mathrm{EDCP}_{1, N, M}^{\ell }\) reduces to the problem of finding all the solutions \(\mathbf b \in \{0,\ldots ,M-1\}^k\) to the equation \(\langle \mathbf b,\mathbf x \rangle = w \bmod N\), where \(\mathbf x\) and w are given and uniformly random modulo N. They interpret this as an integer linear program and use lattice reduction, within Lenstra’s algorithm [19], to solve it. This leads to a polynomial-time algorithm for \(\mathrm{U} - \mathrm{EDCP}_{1, N, M}^{\ell }\) when \(M = \lfloor N^{1/k} \rfloor \) and \(\ell \ge k\), for any \(k\ge 3\). Interestingly, finding small solutions to the equation \(\langle \mathbf b,\mathbf x \rangle = w \bmod N\) is a special case of the Inhomogeneous Small Integer Solution problem [12] (ISIS), which consists in finding a small-norm \(\mathbf x\) such that \(\mathbf B \mathbf x = \mathbf w \bmod q\), with \(\mathbf B \in \mathbb {Z}_q^{n \times m}\) and \(\mathbf w \in \mathbb {Z}_q^n\) uniform (where q, n, m are integer parameters). A reduction from the homogeneous SIS (i.e., with \(\mathbf w = \mathbf 0\) and \(\mathbf x\ne \mathbf 0\)) to LWE was provided in [31]. It does not seem possible to derive from it a reduction from \(\mathrm{EDCP}\) to LWE via the Childs and van Dam variant of ISIS, most notably because the reduction from [31] does not provide a way to compute all ISIS solutions within a box \(\{0,1,\ldots ,M-1\}^k\).

It is not hard to see that, at least so long as M is polynomial, a solution to DCP implies a solution to \(\mathrm{EDCP}_{n,N,M}^{\ell }\). Therefore our result implies [25] as a special case. At the other extreme, our result also subsumes [9], since the LLL algorithm [18] can be used to solve \(\mathrm{LWE}_{n,q,\alpha }\) in polynomial time when \(1/\alpha \) and q are \(2^{\Theta (n)}\), which implies a polynomial-time algorithm for \(\mathrm{EDCP}\) for \(M = 2^{\Theta (\sqrt{n\log N})}\), significantly improving Childs and van Dam’s \(M= 2^{\varepsilon n\log N}\).

Finally, we observe that the \(\mathrm{LWE}\) to \(\mathrm{U} - \mathrm{EDCP}\) reduction (and the uSVP to DCP reduction from [27]) can be adapted to a uSVP to \(\mathrm{U} - \mathrm{EDCP}\) reduction, as explained below. Combining this adaptation with the reduction from \(\mathrm{U} - \mathrm{EDCP}\) to LWE (via \(\mathrm{G} - \mathrm{EDCP}\)) provides a novel quantum reduction from worst-case lattice problems to \(\mathrm{LWE}\). However, it does not seem to have advantages compared to [29].

1.1 Technical Overview

The hardness of \(\mathrm{LWE}\) is essentially invariant so long as \(n \log q\) is preserved [7], and therefore we restrict our attention in this overview to the one-dimensional setting (at the cost of a correspondingly larger modulus). A crucial ingredient in our reduction is a weighted version of \(\mathrm{EDCP}\) quantified by a Gaussian weight function \(f_r(j) =~\rho _r(j)=\exp (-\pi j^2/r^2)\), for some standard deviation parameter r. We refer to this problem as Gaussian \(\mathrm{EDCP}\) (\(\mathrm{G} - \mathrm{EDCP}\)).

Fig. 1. Graph of reductions between the \(\mathrm{LWE}\) problem (upper-left), worst-case lattice problems (upper-right), combinatorial problems (lower-right) and the Extrapolated Dihedral Coset problems (lower-left). Parameters \(\alpha \) are given up to \(\mathrm{poly}(n)\)-factors, where n is the dimension of the \(\mathrm{LWE}\) problem. The same n stands for the lattice-dimension considered in problems of the upper-right corner. The subset-sum problem stated in the lower-right corner is of density \(\approx \)1 (in particular, the expected number of solutions is constant).

Reducing \(\mathrm{G} - \mathrm{EDCP}\) to \(\mathrm{LWE}\). Given a \(\mathrm{G} - \mathrm{EDCP}\) state as input, our reduction efficiently transforms it into a classical \(\mathrm{LWE}\) sample with constant success probability. Thus, making only one query to the \(\mathrm{LWE}\) oracle, we are able to solve \(\mathrm{G} - \mathrm{EDCP}\). More precisely, the reduction input consists of a normalized state corresponding to \(\sum _{j\in \mathbb {Z}_N} \rho _r(j)\mathinner {|{j}\rangle } \mathinner {|{x + j \cdot s \bmod N}\rangle }\), for some integer \(r \ll N\) (j is identified with its representative in \((-N/2, N/2]\), so that the Gaussian weight is centered at 0). One can think of N as the \(\mathrm{LWE}\) modulus and of r as the inverse noise rate \(1/\alpha \) of the \(\mathrm{LWE}\) error: the error of the output sample will have standard deviation parameter \(N/r\).

Our first step is to apply a quantum Fourier transform over \(\mathbb {Z}_N\) to the second register. This gives us a quantum superposition of the form:

$$\begin{aligned} \sum _{a\in \mathbb {Z}_N} \sum _{j\in \mathbb {Z}_N} \omega _N^{a\cdot (x+j\cdot s)}\cdot \rho _{r}(j)\left| j\right\rangle \left| a\right\rangle . \end{aligned}$$

where \(\omega _N = \exp (2i\pi / N)\). We then measure the second register and obtain a value \(\widehat{a} \in \mathbb {Z}_N\). This leaves us with the state:

$$\begin{aligned} \sum _{j\in \mathbb {Z}_N} \omega _N^{j\cdot \widehat{a}\cdot s}\cdot \rho _{r}(j) \left| j\right\rangle \left| \widehat{a}\right\rangle . \end{aligned}$$

Note that \(\widehat{a}\) is uniformly random over \(\mathbb {Z}_N\); it will serve (up to sign) as the first component of the LWE sample. The exponent of the relative phase in the current state already has the form of the second component of an LWE sample, but without noise. We now exploit the first register, which holds a superposition corresponding to a Gaussian distribution over \(\mathbb {Z}_N\) with standard deviation parameter r. Applying a second quantum Fourier transform over \(\mathbb {Z}_N\) to the first register gives a superposition of the form:

$$\begin{aligned} \sum _{b\in \mathbb {Z}_N}\sum _{j\in \mathbb {Z}_N} \omega _N^{j\cdot (\widehat{a}\cdot s + b)}\cdot \rho _{r}(j) \left| b\right\rangle . \end{aligned}$$

Now the second component of the \(\mathrm{LWE}\) sample, \(\widehat{a}\cdot s + b\), is stored in the phase (multiplied by j). Omitting the exponentially small Gaussian tail, we may take the summation over j to range over all of \(\mathbb {Z}\). Writing \(t = \widehat{a}\cdot s + b\), the Poisson summation formula (together with \(\widehat{\rho _r} = r\rho _{1/r}\)) gives \(\sum _{j\in \mathbb {Z}} \rho _r(j)\,\omega _N^{j t} = r\sum _{k\in \mathbb {Z}} \rho _{1/r}(k - t/N)\): the phase \(\omega _N^{jt}\) is turned into a shift of a (much narrower) Gaussian defined over \(\mathbb {Z}\), so the amplitude of \(\mathinner {|{b}\rangle }\) is non-negligible only when t/N is close to an integer, i.e., when \(b \equiv -\widehat{a}\cdot s + e \pmod N\) for some small e. In other words, the resulting state is exponentially close to the superposition:

$$\begin{aligned} \sum _{e\in \mathbb {Z}_N}\rho _{1/r}\Big (\frac{e}{N}\Big ) \left| -\widehat{a}\cdot s + e\right\rangle . \end{aligned}$$

Once we measure the state above, we obtain a value \(-\widehat{a}\cdot s +e\), where \(e \hookleftarrow \mathcal {D}_{\mathbb {Z},N/r}\). Together with already known \(\widehat{a}\), this gives us an \(\mathrm{LWE}\) sample:

$$ \left( -\widehat{a}, -\widehat{a}\cdot s +e\right) . $$

In the decisional case, i.e. when the input state is of the form \(\left| j\right\rangle \left| x \bmod N\right\rangle \) with j distributed according to the function \(\rho _{r}^2\) and \(x\in \mathbb {Z}_N\) uniformly chosen, the same steps output a uniformly random pair \((a,b)\) from \(\mathbb {Z}_N \times \mathbb {Z}_N\). This gives a reduction from the decisional version of \(\mathrm{G} - \mathrm{EDCP}\) to the decisional version of \(\mathrm{LWE}\).
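The two Fourier transforms and two measurements above can be simulated classically for toy parameters, since the state lives on only \(N^2\) amplitudes. The following Python script is an added example for this overview (it is not code from the paper): it builds the normalized \(\mathrm{G} - \mathrm{EDCP}\) state for constructed values \(N=256\), \(r=16\), \(s=77\), \(x=123\), applies the QFT over \(\mathbb {Z}_N\) to the second register, measures it, applies the QFT to the first register, measures again, and returns the pair \((-\widehat{a}, -\widehat{a}\cdot s + e)\). It also exposes the exact distribution of the error \(e = b + \widehat{a}\cdot s\), so that one can check numerically that \(\widehat{a}\) is uniform and that e is concentrated on a scale of N/r, as the Poisson summation argument predicts.

```python
import cmath
import math
import random


def centred(v, N):
    """Representative of v mod N in [-N/2, N/2)."""
    v %= N
    return v - N if v >= N // 2 else v


def rho(t, r):
    """Gaussian weight rho_r(t) = exp(-pi t^2 / r^2)."""
    return math.exp(-math.pi * t * t / (r * r))


def qft(values):
    """QFT over Z_N of a length-N amplitude vector: out[a] = N^{-1/2} sum_y values[y] w_N^{a y}."""
    N = len(values)
    omega = [cmath.exp(2j * math.pi * k / N) for k in range(N)]
    return [sum(values[y] * omega[(a * y) % N] for y in range(N)) / math.sqrt(N) for a in range(N)]


def after_second_register_qft(N, r, s, x):
    """Build the normalised G-EDCP state sum_j rho_r(j) |j>|x + j s mod N> and apply the
    QFT over Z_N to its second register.  Returns (p_a, cond): p_a[a] is the probability of
    measuring a on the second register and cond[a] is the normalised first-register state
    (indexed by j mod N) that remains after that outcome."""
    js = [centred(j, N) for j in range(N)]              # Gaussian weight centred at j = 0
    norm = math.sqrt(sum(rho(j, r) ** 2 for j in js))
    amp = [rho(j, r) / norm for j in js]
    omega = [cmath.exp(2j * math.pi * k / N) for k in range(N)]
    # For fixed j the second register is the basis state |y_j>, y_j = x + j s mod N, whose
    # QFT is N^{-1/2} sum_a w_N^{a y_j} |a>; so the amplitude of |j>|a> is amp[j] w^{a y_j} / sqrt(N).
    joint = [[amp[j] * omega[(a * ((x + js[j] * s) % N)) % N] / math.sqrt(N) for j in range(N)]
             for a in range(N)]
    p_a = [sum(abs(c) ** 2 for c in row) for row in joint]            # Born rule
    cond = [[c / math.sqrt(p) for c in row] for row, p in zip(joint, p_a)]
    return p_a, cond


def lwe_error_distribution(N, r, s, x, a_hat):
    """Exact distribution of the error e = b + a_hat*s (centred mod N) obtained when the
    first register of cond[a_hat] is Fourier-transformed and measured: {e: probability}."""
    _, cond = after_second_register_qft(N, r, s, x)
    p_b = [abs(c) ** 2 for c in qft(cond[a_hat])]
    return {centred(b + a_hat * s, N): p for b, p in enumerate(p_b)}


def reduce_gedcp_to_lwe(N, r, s, x, seed):
    """One run of the reduction: returns the LWE sample (a, b) = (-a_hat, -a_hat*s + e)."""
    rng = random.Random(seed)                                # seeded so that runs are reproducible
    p_a, cond = after_second_register_qft(N, r, s, x)
    a_hat = rng.choices(range(N), weights=p_a)[0]            # measure the second register
    p_b = [abs(c) ** 2 for c in qft(cond[a_hat])]            # QFT, then measure the first register
    b = rng.choices(range(N), weights=p_b)[0]
    return (-a_hat) % N, b


if __name__ == "__main__":
    N, r, s, x = 256, 16, 77, 123        # constructed toy parameters, r << N
    a, b = reduce_gedcp_to_lwe(N, r, s, x, seed=2024)
    print(f"LWE sample (a, b) = ({a}, {b}); error b - a*s = {centred(b - a * s, N)}")
```

The measurement probabilities come from the Born rule applied to the simulated amplitudes, so the only randomness is in the two sampling steps. For a genuine LWE sample with secret s, \(b - a\cdot s \bmod N\) (centred) is exactly the error e; with \(N/r = 16\) its distribution has parameter \(\Theta (N/r)\), while \(\widehat{a}\) has probability exactly 1/N for every value, as claimed above.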

Reducing \(\mathrm{LWE}\) to \(\mathrm{G} - \mathrm{EDCP}\). Our reduction from LWE to \(\mathrm{G} - \mathrm{EDCP}\) follows the general design of Regev’s reduction from uSVP to DCP [27], with several twists that enable simplifications and improvements. We note that this reduction is folklore, although we could not find it described explicitly.

First, the use of LWE rather than uSVP allows us to avoid Regev’s initial sub-reduction from uSVP to BDD, as LWE is a randomized variant of BDD. Indeed, if we consider m samples \((\mathbf a_i, \langle \mathbf a_i, \mathbf s\rangle + e_i)\) from LWE\(_{n,q,\alpha }\) and let \(\mathbf A \in \mathbb {Z}_q^{m \times n}\) be the matrix with rows \(\mathbf a_i\), then we have a BDD instance for the lattice \(\varLambda = \mathbf A \mathbb {Z}_q^n + q \mathbb {Z}^m\) and the target vector \(\mathbf t = \mathbf b + \mathbf e \in \mathbb {Z}^m\), with \(\mathbf b \in \varLambda \) satisfying \(\mathbf b = \mathbf A \mathbf s \bmod q\) and \(\mathbf e = (e_1,\ldots ,e_m)\) short.

As in Regev’s reduction, ours proceeds by subdividing the ambient space \(\mathbb {R}^m\) with a coarse grid, setting the cell width between \(\Vert \mathbf e\Vert \) and \(\lambda _1(\varLambda )\) (up to a \(\sqrt{m}\) factor, see Fig. 2). We map each point \(\mathbf y \in \mathbb {R}^m\) to a cell \(\phi (\mathbf y)\). By the choice of the cell width, we have \(\phi (\mathbf c_1) \ne \phi (\mathbf c_2)\) for any \(\mathbf c_1 \ne \mathbf c_2\) in \(\varLambda \). Also, for any \(\mathbf c \in \mathbb {R}^m\), the vectors \(\mathbf c\) and \(\mathbf c+\mathbf e\) are most likely mapped to the same cell, as \(\mathbf e\) is short. This intuition fails if a border between two cells falls close to \(\mathbf c\). This event is rare but not negligibly so, and it is the source of the limitation on the number \(\ell \) of DCP/\(\mathrm{EDCP}\) states produced by the reduction. The space subdivision by a grid is illustrated in Fig. 2.

Fig. 2. A visualization of the space subdivision. Each radially shaded disk has width r, the upper bound of the error \(\Vert \mathbf e\Vert \). Each cell has width d, chosen to be between \(\Vert \mathbf e\Vert \) and \(\lambda _1(L)/\sqrt{m}\). Note that the grid intersects the left-most disk, potentially leading to an error in the reduction.

Regev’s reduction and ours differ in the way the grid is used to create the DCP/\(\mathrm{EDCP}\) states. Let us first briefly recall the core of Regev’s reduction. Let \(\mathbf B = (\mathbf b_1,\ldots ,\mathbf b_m)\) be a basis of \(\varLambda \) and subtract an appropriate combination of the \(\mathbf b_i\)’s from \(\mathbf t\) to get \(\mathbf t'\), so that the coordinates \(\mathbf x'\) of the closest vector \(\mathbf b' \in \varLambda \) to \(\mathbf t'\) with respect to the \(\mathbf b_i\)’s are \(\le 2^{m}\) (this may be achieved using LLL [18] and Babai’s nearest plane algorithm [1]). The first step is the creation of a superposition

$$\begin{aligned} &\sum _{\begin{array}{c} \mathbf x \in \mathbb {Z}^m \\ \Vert \mathbf x\Vert _{\infty } \le 2^{2m} \end{array}} \left( \mathinner {|{0, \mathbf x, \phi (\mathbf B \mathbf x)}\rangle } + \mathinner {|{1, \mathbf x, \phi (\mathbf B \mathbf x-\mathbf t')}\rangle } \right) = \\&\mathinner {|{0}\rangle } \sum _{\begin{array}{c} \mathbf x \in \mathbb {Z}^m \\ \Vert \mathbf x\Vert _{\infty } \le 2^{2m} \end{array}} \mathinner {|{\mathbf x, \phi (\mathbf B\mathbf x)}\rangle } + \mathinner {|{1}\rangle } \sum _{\begin{array}{c} \mathbf x \in \mathbb {Z}^m\\ \Vert \mathbf x+\mathbf x'\Vert _{\infty } \le 2^{2m} \end{array}} \mathinner {|{\mathbf x+\mathbf x', \phi (\mathbf B \mathbf x -\mathbf e)}\rangle }, \end{aligned}$$

where the equality holds by a change of variable. By measuring the last register, with overwhelming probability this collapses to \(\mathinner {|{0}\rangle } \mathinner {|{\mathbf x_k}\rangle } + \mathinner {|{1}\rangle } \mathinner {|{\mathbf x_k +\mathbf x'}\rangle }\), which corresponds to an m-dimensional DCP input state with modulus \(2^{\mathcal {O}(m)}\). The whole process can be repeated multiple times using the same input vector \(\mathbf t\), and results in different \(\mathbf x_k\)’s but a common \(\mathbf x'\). Each iteration may fail because of an ill-placed cell delimitation, or if \(\mathbf x_k + \mathbf x'\) has a coordinate whose magnitude is larger than \(2^{2m}\). This leads to a bounded number of correct DCP input states. Finally, m-dimensional DCP can be reduced to 1-dimensional DCP, with a significant modulus increase: the resulting modulus N is \(2^{\mathcal {O}(m^2)}\).

Instead of using a superposition based on the coordinates with respect to a basis, we exploit the special form of \(\varLambda = \mathbf a \mathbb {Z}_q +q \mathbb {Z}^m\) (w.l.o.g., we assume 1-dimensional \(\mathrm{LWE}\) [7], so that \(\mathbf a \in \mathbb {Z}_q^m\) and \(s \in \mathbb {Z}_q\)). We start with the following superposition:

$$ \sum _{x \in \mathbb {Z}_q} \mathinner {|{0, x, \phi (\mathbf a x)}\rangle } + \mathinner {|{1, x, \phi (\mathbf a x-\mathbf t)}\rangle } = \mathinner {|{0}\rangle } \sum _{x\in \mathbb {Z}_q} \mathinner {|{x, \phi (\mathbf a x)}\rangle } + \mathinner {|{1}\rangle }\sum _{x\in \mathbb {Z}_q} \mathinner {|{x +s, \phi (\mathbf a x - \mathbf e)}\rangle }. $$

We then measure the last register (its value becomes classically known and is omitted below) and hopefully obtain a superposition \(\mathinner {|{0}\rangle } \mathinner {|{x}\rangle } + \mathinner {|{1}\rangle } \mathinner {|{x + s}\rangle }\). This approach has several notable advantages. First, by using a grid over the torus \(\mathbb {R}^m / q \mathbb {Z}^m\), the only source of failure is the position of the cell delimitation (coordinates cannot spill over, they wrap around modulo q). Second, we directly end up with a DCP state, not a vectorial variant thereof. Third, and most importantly, the DCP modulus N is only q and not \(2^{\mathcal {O}(m^2)}\). Note that m should be set as \(\varOmega (\log q)\) for s to be uniquely determined by the LWE samples. This improvement results in a much tighter reduction.

The improvement stems from the use of a small modulus q rather than large integer coordinates. It is possible to obtain such a small DCP modulus while starting from BDD (rather than LWE), by modifying Regev’s reduction as follows. One may first reduce BDD to a variant thereof that asks to find the coordinates of the BDD solution modulo a small modulus q rather than over the integers. Such a reduction is presented in [29, Lemma 3.5]. One may then reduce this BDD variant to DCP as we proceed for LWE. Note that this transformation makes the BDD to DCP reduction from [27] iterative: the DCP oracle is called several times, and the input of an oracle call depends on the output of the previous oracle calls. This is akin to the phenomenon described in the open questions paragraph from [7].

A further difference between our reduction and the one from [27] is that we consider larger multiples of s in the input superposition to obtain a state of the form \(\sum _j \rho _r(j)\mathinner {|{j}\rangle } \mathinner {|{x +j s}\rangle }\), with \(r\approx 1/\alpha \) (up to polynomial factors). This does not lead to any extra complication, but leads us to \(\mathrm{G} - \mathrm{EDCP}\) rather than DCP, which we crucially need to allow for a converse reduction. We conjecture that \(\mathrm{G} - \mathrm{EDCP}\) is strictly easier than DCP.
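To make the grid argument concrete, here is an added Python simulation (constructed for this overview, not code from the paper) of the cube-grid variant for one-dimensional \(\mathrm{LWE}\) with the Gaussian superposition \(\sum _{j}\sum _x \rho _r(j)\mathinner {|{j, x, \phi (\mathbf a x - j\mathbf t)}\rangle }\), truncated to \(|j| \le J\). The toy parameters (\(q=1024\), \(m=4\), cell width \(d=32\), \(\mathbf a = (1, 32, 501, 873)\), \(s=345\), \(\mathbf e=(1,0,0,0)\), \(r=2\), \(J=4\)) are chosen by hand so that every lattice point \(\mathbf a x' \bmod q\) sits in its own cell (the first two coordinates write \(x'\) in base 32), which isolates the one failure mode discussed above: the measured cell leaves a clean \(\mathrm{G} - \mathrm{EDCP}\) state unless a cell border in the first coordinate falls within distance J of \(\mathbf a x'\). The script groups the superposition by the value of the cell register, applies the Born rule to get the probability of each outcome, and checks which outcomes leave a state of the form \(\sum _j \rho _r(j)\mathinner {|{j}\rangle }\mathinner {|{x_0 + js}\rangle }\).

```python
import math

# Constructed toy instance (not from the paper).  D divides Q, so cells wrap around the torus.
Q, M, D = 1024, 4, 32                  # LWE modulus, number of samples m, cell width d
A = (1, 32, 501, 873)                  # LWE vector a: coordinates 1 and 2 write x in base 32, so
                                       # distinct lattice points a*x mod Q land in distinct cells
S = 345                                # secret s
E = (1, 0, 0, 0)                       # short error e, ||e|| = 1 << D
R, J = 2, 4                            # Gaussian parameter r; superposition truncated to |j| <= J
T = tuple((A[i] * S + E[i]) % Q for i in range(M))   # t = a s + e mod q


def rho(t, r):
    """Gaussian weight rho_r(t) = exp(-pi t^2 / r^2)."""
    return math.exp(-math.pi * t * t / (r * r))


def cell(y):
    """phi(y): index of the width-D grid cell containing y in the torus (Z_Q)^M."""
    return tuple((c % Q) // D for c in y)


def build_state():
    """Amplitudes of sum_{|j|<=J} sum_{x in Z_Q} rho_r(j) |j, x, phi(a x - j t)>, grouped by
    the value of the last (cell) register: {cell: [(j, x, amplitude), ...]}."""
    z = sum(rho(j, R) ** 2 for j in range(-J, J + 1))
    by_cell = {}
    for j in range(-J, J + 1):
        amp = rho(j, R) / math.sqrt(Q * z)           # normalised over all (j, x)
        for x in range(Q):
            y = tuple((A[i] * x - j * T[i]) % Q for i in range(M))   # = a(x - j s) - j e
            by_cell.setdefault(cell(y), []).append((j, x, amp))
    return by_cell


def read_gedcp_state(entries):
    """Check whether the state left after measuring a cell is a clean G-EDCP state
    sum_j rho_r(j) |j>|x_0 + j s mod Q>: one x per j, every |j| <= J present, and the x's
    form an arithmetic progression with common difference s.  Returns (x_0, s) or None."""
    xs = {}
    for j, x, _ in entries:
        if j in xs:                                   # two x's for the same j: not clean
            return None
        xs[j] = x
    if set(xs) != set(range(-J, J + 1)):              # some shift spilled into another cell
        return None
    s = (xs[1] - xs[0]) % Q
    if any((xs[0] + j * s) % Q != xs[j] for j in xs):
        return None
    return xs[0], s


def success_probability():
    """Total Born-rule mass of the cells whose post-measurement state is a clean G-EDCP state."""
    return sum(sum(amp ** 2 for _, _, amp in entries)
               for entries in build_state().values()
               if read_gedcp_state(entries) is not None)


def recovered_secrets():
    """Secrets encoded by the clean cells.  The simulator can read them off; the quantum
    algorithm cannot, it has to hand the collapsed states to a G-EDCP solver."""
    found = set()
    for entries in build_state().values():
        item = read_gedcp_state(entries)
        if item is not None:
            found.add(item[1])
    return found


if __name__ == "__main__":
    print(f"P[clean G-EDCP state] = {success_probability():.4f}; secrets seen: {recovered_secrets()}")
```

With these parameters the first coordinate of \(\mathbf a x'\) is \(x'\) itself, so the shifts \(x' - j\) for \(|j| \le 4\) cross a border of a width-32 cell exactly when \(x' \bmod 32 \in \{0,1,2,3,28,29,30,31\}\); the success probability is therefore \(24/32 = 3/4\), which is what the simulation returns. Shrinking d towards \(J\Vert \mathbf e\Vert \), or enlarging J (i.e. r), lowers this probability, which is why the reduction only yields a bounded number of states.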

As Regev [26] does, we can also improve the resulting deviation parameter r of \(\mathrm{G} - \mathrm{EDCP}\) by a factor of \(\sqrt{m}\) by using intersections of balls rather than a separation into cubes. We consider intersections of balls drawn around \(\mathbf a\cdot s\) and its noisy shifts. The radius R of each ball is set to the largest value such that balls arising from different s (and their shifts) do not intersect. We are interested in the intersection of the balls drawn around the shifts corresponding to \(j = \pm 1, \pm 2\), etc. Following Regev [26], this intersection is large enough to guarantee that, with constant probability, the measurement hits a point lying in the intersection of all the balls (see the grey areas in Fig. 3).

Fig. 3. A visualization of the balls’ intersections. The lattice points (black dots) are at distance at least \(\lambda _1(\varLambda _q(\mathbf a))\) from each other, where \(\varLambda _q(\mathbf a) = \mathbf a\mathbb {Z}_q+q\mathbb {Z}^m\). The distance between the two furthest shifts \(\Vert j\mathbf e\Vert \) (red dots) has an upper bound, denoted by d. Each ball has radius R, chosen to be (approximately) \(\lambda _1(\varLambda _q(\mathbf a))/2\). Once a point in the shaded gray area is measured, the reduction succeeds in outputting a \(\mathrm{G} - \mathrm{EDCP}\) sample. For the reduction to work with constant success probability, the shaded area has to be a large enough proportion of the volume of the balls. (Color figure online)

The same algorithm provides a reduction from \(\mathrm{dLWE}\) to \(\mathrm{dG} - \mathrm{EDCP}\). Given a uniformly random sample \((\mathbf a,\mathbf b) \in \mathbb {Z}_q^m \times \mathbb {Z}_q^m\), it suffices to show that the balls centered at \(\mathbf as+j\mathbf b\) for \(s\in \mathbb {Z}_q\) and \(j\in \mathbb {Z}\) do not intersect each other. All the points considered above form the lattice \((\mathbf a|\mathbf b)\mathbb {Z}_q^2+q\mathbb {Z}^m\), and we argue analogously using a lower bound on the first minimum of this lattice. As a result, the superposition collapses to exactly one of the balls, which gives a random sample of \(\mathrm{dG} - \mathrm{EDCP}\).

1.2 Open Problems

Towards an alternative reduction from \(\mathrm{EDCP}\) to \(\mathrm{LWE}\). In [9], Childs and van Dam obtain a state of the form

$$ \sum _{a \in {\mathbb Z}_N} \sum \limits _{\begin{array}{c} \mathbf j \in \{0, \ldots , M-1\}^{\ell } \\ \langle \mathbf j,\mathbf y \rangle = a \bmod N \end{array}} \omega _N^{a \cdot s} \left| \mathbf j\right\rangle . $$

for some uniform \(\mathbf y \in {\mathbb Z}_N^{\ell }\). Note the uniform distribution of weights for \(\mathbf j\). To recover s, the authors use the Pretty Good Measurement technique from [16], as was done in [2, 3] for similar problems. Implementing this general technique in this particular setup requires the construction of a POVM with operators corresponding to superpositions of all the \(\mathbf j\)’s in \(\{0,\ldots ,M-1\}^{\ell }\) such that \(\langle \mathbf j, \mathbf y \rangle = a \bmod N\). As already mentioned, a unitary operator that realizes such a POVM uses a lattice-reduction technique as its main subroutine and hence works efficiently only for large values of M.

The question we do not address here is the interpretation of the POVM technique (and, possibly, a different reduction to \(\mathrm{LWE}\)) for Gaussian-weighted superpositions. It might be simpler to obtain Gaussian \(\mathbf j\)’s rather than uniform from a cube, and hence it is possible that such a technique may lead to an improved reduction to \(\mathrm{LWE}\).

Hardness of \(\mathrm{EDCP}\) with more input states. We show in this work that LWE and \(\mathrm{U} - \mathrm{EDCP}\) are computationally equivalent up to small parameter losses, when the number \(\ell \) of \(\mathrm{U} - \mathrm{EDCP}\) states is polynomial. In these reductions, the \(\mathrm{U} - \mathrm{EDCP}\) bound M is within a polynomial factor of the inverse LWE noise rate \(1/\alpha \). When more states are available, \(\mathrm{U} - \mathrm{EDCP}\) is likely to become easier. For instance, with \(M=2\) (i.e., DCP), the best known algorithms are exponential when \(\ell \) is polynomially bounded, whereas Kuperberg’s algorithm [17] runs in time \(2^{\widetilde{O}(\sqrt{\log N})}\) when \(\ell = 2^{\widetilde{O}(\sqrt{\log N})}\) states are available. This suggests that there may be a \(\mathrm{U} - \mathrm{EDCP}\) self-reduction allowing to trade \(\ell \) for M: Is it possible to reduce \(\mathrm{EDCP}_{N,\ell ,M}\) to \(\mathrm{EDCP}_{N,\ell ',M'}\) with \(\ell ' \le \ell \), while allowing for \(M' \ge M\)?

Fig. 4. Graph of reductions between the extrapolated Dihedral Coset Problem instantiated with uniform distribution over \(\{0, 1, \ldots , r-1\}\) (the first and the third problems from the left) and \(\ell \)-sample Gaussian \(\mathrm{EDCP}\) with parameter r (the middle problem). We assume all the parameters n (the dimension), q (the modulus) and r are functions of a common parameter \(\kappa \). The most relevant choice of such a relation one can keep in mind is when \(n, \ell , q\) and r are \(\mathrm{poly}(\kappa )\). One can trace the losses in the parameters (with respect to the number of samples \(\ell \) and to r) once we move from one problem to another. Notice that some reductions may be performed in two ways. For example, using the self-reducibility property of \(\mathrm{EDCP}\) (Lemma 10), we can bypass Gaussian \(\mathrm{EDCP}\) and have a more sample-efficient reduction from \(\mathrm{EDCP}\) with large r to an \(\mathrm{EDCP}\) with smaller r. Similarly, Gaussian \(\mathrm{EDCP}\) can be reduced to \(\mathrm{DCP}\) either directly (Lemma 11) or via uniform \(\mathrm{EDCP}\).

The two central reductions that show equivalence between \(\mathrm{LWE}\) and \(\mathrm{EDCP}\) problems are on the vertical line. As for \(\mathrm{EDCP}\), the \(\mathrm{LWE}\) parameters n, q, and \(\alpha \) are functions of \(\kappa \). We present two reductions from \(\mathrm{LWE}\) to \(\mathrm{EDCP}\), the stronger one gives a tighter result for the error-parameter by a factor of \(\sqrt{m}\).

2 Prerequisites

Notations. We use lower case bold letters to denote vectors and upper case bold to denote matrices. For a vector \(\mathbf x\), we let \(\Vert \mathbf x\Vert _\infty \) denote its \(\ell _{\infty }\) norm and \(\Vert \mathbf x \Vert \) denote its \(\ell _2\) norm. We let \(\mathbb {Z}_N\) denote the cyclic group \(\{0,1,\cdots ,N-1\}\) with addition modulo N. We assume we can compute with real numbers. All the arguments are valid if a sufficiently accurate approximation is used instead. For a distribution D, the notation \(x \hookleftarrow D\) means that x is sampled from D. For a set S, we let \(x \hookleftarrow S\) denote that x is a uniformly random element from S.

For any \(r>0\), we let \(\rho _r(\mathbf x)\) denote \(\exp (-\pi \Vert \mathbf x\Vert ^2/r^2)\), where \(\mathbf x\in \mathbb {R}^n\) for a positive integer n. We let \(\mathcal {D}_{\mathbb {Z}, r}\) denote a Gaussian distribution over the integers with density function proportional to \(\rho _r(\cdot )\). We let \(\mathcal {D}_{\varLambda ,r,\mathbf c}\) denote the Gaussian distribution over the n-dimensional lattice \(\varLambda \) (for a positive integer n), with standard deviation parameter \(r\in \mathbb {R}\) and center \(\mathbf c\in \mathbb {R}^{n}\). If \(\mathbf c = \mathbf 0\), we omit it. We let \(\mathcal {B}_n(\mathbf c, R)\) denote the n-dimensional Euclidean ball of radius R centered at \(\mathbf c \in {\mathbb R}^n\) and \(\mathcal {B}_n\) denotes the n-dimensional Euclidean unit ball centered at \(\mathbf 0\). We use \(\omega _N\) as a short-hand for \(\exp (2 \pi i/N)\).

For a lattice \(\varLambda \) with a basis \(\mathbf B\), the parallelepiped \(\mathcal {P}(\mathbf B) = \{\mathbf B\mathbf x: 0\le x_i< 1\}\) is a fundamental domain of \(\varLambda \). We let \(\lambda _1(\varLambda )\) (resp. \(\lambda _1^{\infty }(\varLambda )\)) denote the \(\ell _2\)-norm (resp. \(\ell _{\infty }\)-norm) of a shortest non-zero vector of \(\varLambda \). We let \(\varLambda ^\star = \{\mathbf y \in \mathbb {R}^n: \forall \mathbf x \in \varLambda , \langle \mathbf x,\mathbf y\rangle \in \mathbb {Z}\}\) denote the dual of a lattice \(\varLambda \). For an n-dimensional lattice \(\varLambda \) and \(\varepsilon > 0\), we define the smoothing parameter \(\eta _{\varepsilon }(\varLambda )\) as the smallest \(r > 0\) such that \(\rho _{1/r}(\varLambda ^\star \backslash \{\mathbf 0\}) \le \varepsilon \).

For \(\mathbf A \in {\mathbb Z}_q^{m \times n}\), we define two lattices: \(\varLambda _q(\mathbf A) = \{ \mathbf y \in {\mathbb Z}^m : \mathbf y = \mathbf A\mathbf x \bmod q \text { for some } \mathbf x \in {\mathbb Z}_q^n \} = \mathbf A\mathbb {Z}_q^n + q\mathbb {Z}^m\) and \(\varLambda _q^{\perp }(\mathbf A) = \{\mathbf y \in {\mathbb Z}^{n} : \mathbf A\mathbf y = \mathbf 0 \bmod q\}\).

We introduce a variable \(\kappa \) to relate all the parameters involved in the definitions below. Namely, n, q, etc. are actually functions in \(\kappa \): \(n(\kappa )\), \(q(\kappa )\). We omit the variable \(\kappa \) for clarity.

Definition 1

(Search LWE). Given a parameter \(\kappa \), the input to the search \(\mathrm{LWE}_{n,q,\chi }^m\) with dimension \(n \ge 1\), modulus \(q\ge 2\) and distribution \(\chi \) over \(\mathbb {Z}\), consists of \(m \ge n\) many samples of the form \((\mathbf a, b) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\), with \(\mathbf a\hookleftarrow \mathbb {Z}_q^n\), \(b = \langle \mathbf a,\mathbf s\rangle + e\) and \(e \hookleftarrow \chi \), where \(\mathbf s\in \mathbb {Z}_{q}^{n}\) is uniformly chosen (and common to all samples). We say that an algorithm solves the search \(\mathrm{LWE}_{n,q,\chi }^m\) if it outputs \(\mathbf s\) with probability \(1/\mathrm{poly}(n\log q)\) in time \(\mathrm{poly}(n\log q)\).

Definition 2

(Decision LWE). Given a parameter \(\kappa \), the decisional \(\mathrm{LWE}_{n,q,\chi }^m\) with dimension \(n \ge 1\), modulus \(q\ge 2\) and distribution \(\chi \) over \(\mathbb {Z}\), asks to distinguish between \(m \ge n\) many \(\mathrm{LWE}\) samples and \(m\) random samples of the form \((\mathbf a, b) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\), with \(\mathbf a\hookleftarrow \mathbb {Z}_q^n\), \(b \hookleftarrow \mathbb {Z}_q\). We say that an algorithm solves the decisional \(\mathrm{LWE}_{n,q,\chi }^m\) if it distinguishes the two distributions with advantage \(1/\mathrm{poly}(n\log q)\) in time \(\mathrm{poly}(n\log q)\).

We let \(\mathrm{LWE}_{n,q,\alpha }^m\) (resp. \(\mathrm{dLWE}_{n,q,\alpha }^m\)) denote search (resp. decisional) \(\mathrm{LWE}\) problem with m samples of dimension n, modulus q, error distributed as \(\mathcal {D}_{\mathbb {Z},\alpha q}\).

Definition 3

(Dihedral Coset Problem). Given a parameter \(\kappa \), the input to the \(\mathrm{DCP}_{N}^{\ell }\) with modulus N consists of \(\ell \) states. Each state is of the form (normalization is omitted)

$$\begin{aligned} \left| 0\right\rangle \left| x\right\rangle \ + \ \left| 1\right\rangle \left| (x+s) \bmod N\right\rangle , \end{aligned}$$
(1)

stored on \(1+\lceil \log _2 N\rceil \) qubits, where \(x \in \mathbb {Z}_{N}\) is arbitrary and \(s\in \mathbb {Z}_{N}\) is fixed throughout all the states. We say that an algorithm solves \(\mathrm{DCP}_{N}^{\ell }\) if it outputs s with probability \(\mathrm{poly}(1/\log N)\) in time \(\mathrm{poly}(\log N)\).

Note that Regev in [25] defines the Dihedral Coset Problem slightly differently. Namely, he introduces a failure parameter \(f(\kappa )\), and with probability \(\le 1/(\log N(\kappa ))^{f(\kappa )}\), a state is of the form \(\left| b\right\rangle \left| x\right\rangle \) for arbitrary \(b \in \{0,1\}\) and \(x \in {\mathbb Z}_N\). Such a state does not contain any information on s. Our definition takes 0 for the failure parameter. Conversely, an instance in Regev's sense contains an instance of our Definition 3 with a reduced number of input states.

Now we define the problem which can be viewed as an extension of \(\mathrm{DCP}\). Analogous to \(\mathrm{LWE}\), it has two versions: search and decisional.

Definition 4

(Search Extrapolated Dihedral Coset Problem). Given a parameter \(\kappa \), the input to the search Extrapolated Dihedral Coset Problem (\(\mathrm{EDCP}_{n, N, D}^{\ell }\)) with dimension n, modulus N and a discrete distribution D, consists of \(\ell \) input states of the form (normalization is omitted)

$$\begin{aligned} \sum _{j\in \mathrm{supp}(D)} D(j)\left| j\right\rangle \left| (\mathbf x+j\cdot \mathbf s) \bmod N\right\rangle , \end{aligned}$$
(2)

where \(\mathbf x \in \mathbb {Z}_{N}^n\) is arbitrary and \(\mathbf s\in \mathbb {Z}_{N}^n\) is fixed for all \(\ell \) states. We say that an algorithm solves search \(\mathrm{EDCP}_{n, N, D}^{\ell }\) if it outputs \(\mathbf s\) with probability \(\mathrm{poly}(1/(n\log N))\) in time \(\mathrm{poly}(n\log N)\).

Definition 5

(Decisional Extrapolated Dihedral Coset Problem). Given a parameter \(\kappa \), the decisional Extrapolated Dihedral Coset Problem \((\mathrm{dEDCP}_{n, N, D}^{\ell })\) with dimension n, modulus N and a discrete distribution D, asks to distinguish between \(\ell \) many \(\mathrm{EDCP}\) samples and \(\ell \) many random samples of the form

$$\begin{aligned} \left| j_k\right\rangle \left| \mathbf x_k \bmod N\right\rangle , \end{aligned}$$
(3)

where \(j_k\) is drawn from the distribution proportional to \(D^2\) (i.e., \(\Pr [j_k = j] \propto D(j)^2\), which is what measuring the first register of an \(\mathrm{EDCP}\) state yields) and \(\mathbf x_k \in \mathbb {Z}_{N}^n\) is uniformly chosen, for \(1 \le k \le \ell \). We say that an algorithm solves \(\mathrm{dEDCP}_{n, N, D}^{\ell }\) if it distinguishes the two cases with probability \(\mathrm{poly}(1/(n\log N))\) in time \(\mathrm{poly}(n\log N)\).

Different choices of D give rise to different instantiations of \(\mathrm{EDCP}\). The two interesting ones are: (1) D is uniform over \({\mathbb Z}_M\) for some \(M \in {\mathbb Z}\), which we further denote as \(\mathrm{U} - \mathrm{EDCP}_{n, N, M}^{\ell }\), and (2) D is the Gaussian \(\mathcal {D}_{\mathcal {{\mathbb Z}},r}\), which we further denote as \(\mathrm{G} - \mathrm{EDCP}_{n, N, r}^{\ell }\). The former, named the generalized hidden shift problem, was already considered in [9]. The latter is central in our reductions. Correspondingly, we denote the decisional version of \(\mathrm{G} - \mathrm{EDCP}\) by \(\mathrm{dG} - \mathrm{EDCP}\).

Gaussian distribution on lattices. In the following, we recall some important properties of the discrete Gaussian distribution.

Lemma 1

For any \(\kappa , r>0\), we have \(\rho _r(\mathbb {Z}\backslash [-\sqrt{\kappa }r,\sqrt{\kappa }r]) < 2^{-\varOmega (\kappa )} \rho _r(\mathbb {Z})\).

A proof can be found in Appendix A in the full version [6].

Lemma 1 states that the tail of the Gaussian sum has only a negligible share of the whole sum. We use this fact within quantum superpositions: for a superposition with Gaussian amplitudes, the state whose support is the full lattice and the state with the Gaussian tail removed are within exponentially small \(\ell _2\) distance of each other.

Lemma 2

([4, Lemma 1.5(ii)]). For any n-dimensional lattice \(\varLambda \) and \(\mathbf u\in \mathbb {R}^n\), it holds that

$$ \rho _r((\varLambda +\mathbf u) \backslash \mathcal {B}(\mathbf 0,\sqrt{n}r)) < 2^{-\varOmega (n)} \rho _r(\varLambda ). $$

Lemma 3

(Poisson Summation Formula). For any n-dimensional lattice \(\varLambda \) and vector \(\mathbf u\in \mathbb {R}^n\), it holds that

$$ \rho _r(\varLambda +\mathbf u) = \mathrm {det}(\varLambda ^\star )\cdot r^n\cdot \sum _{\mathbf x\in \varLambda ^\star }e^{2\pi i\langle \mathbf x,\mathbf u\rangle }\rho _{1/r}(\mathbf x). $$

The following lemma is originally due to Grover and Rudolph [15] and was adapted to the Gaussian distribution in [29].

Lemma 4

(Adapted from [29, Lemma 3.12]). Given a parameter \(\kappa \) and an integer r, there exists an efficient quantum algorithm that outputs a state that is within \(\ell _2\) distance \(2^{-\varOmega (\kappa )}\) of the normalized state corresponding to

$$ \sum _{x\in \mathbb {Z}}\rho _r(x)\left| x\right\rangle . $$

The following two lemmata are well-known facts giving lower bounds on the minimum of q-ary lattices.

Lemma 5

Given a uniformly chosen matrix \({\mathbf A}\in \mathbb {Z}_q^{m\times n}\) for some positive integers q, m and n such that \(m \ge n\), then we have \(\lambda _1^{\infty }(\varLambda _q({\mathbf A})) \ge q^{(m-n)/m}/2\) and \(\lambda _1^{\infty }(\varLambda _q^{\bot }({\mathbf A})) \ge q^{n/m}/2\) both with probability \(1-2^{-m}\).

Lemma 6

Given a uniformly chosen matrix \(\mathbf A\in \mathbb {Z}_q^{m\times n}\) for some positive integers q, m and n such that \(m \ge n\), we have \(\smash {\lambda _1(\varLambda _q(\mathbf A)) \ge \min \{q, \frac{\sqrt{m} q^{(m-n)/m}}{2\sqrt{2\pi e}}\}}\) with probability \(1-2^{-m}\).

Reductions between \(\mathrm{EDCP}\) variants. In the following, we show that the \(\mathrm{EDCP}\) problem is analogous to the \(\mathrm{LWE}\) problem in many aspects: (1) Gaussian-\(\mathrm{EDCP}\) (\(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell '}\)) and uniform-\(\mathrm{EDCP}\) (\(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\)) are equivalent, up to small parameter losses; (2) \(\mathrm{EDCP}\) enjoys a self-reduction property, as we show in Lemma 10. The main ingredient in both proofs is quantum rejection sampling due to Ozols et al. [22].

Lemma 7

([22, Sect. 4]). There is a quantum rejection sampling algorithm, which given as input

$$ \sum _{k=1}^n \pi _k \left| k\right\rangle \left| \eta _k\right\rangle , $$

for known amplitudes \(\pi _k \ge 0\), outputs

$$ \frac{1}{\Vert \mathbf p\Vert }\sum _{k=1}^n p_k \left| k\right\rangle \left| \eta _k\right\rangle $$

for any chosen target amplitudes \(0 \le p_k \le \pi _k\), succeeding with probability \(\Vert \mathbf p\Vert ^2 = \sum _{k=1}^n p_k^2\).

Lemma 8

(G-EDCP \(\le \) U-EDCP). Let N, n and \(\ell \) be integers greater than 1, \(r > 0\) be a real number, and let \(M = c\cdot r\) for some constant c such that M is an integer. Then there is a probabilistic reduction with run-time polynomial in \(\kappa \), from \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell }\) to \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\mathcal {O}(\ell /\kappa )}\).

Proof

We are given as input \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell }\) states:

$$ \left\{ \sum _{j\in \mathbb {Z}}\rho _r(j)\left| j\right\rangle \left| (\mathbf x_k+j\cdot \mathbf s) \bmod N\right\rangle \right\} _{k\le \ell }. $$

Our aim is to find \(\mathbf s\), given access to a \(\mathrm{U} - \mathrm{EDCP}_{n,N,cr}^{\mathcal {O}(\ell /\kappa )}\) oracle for some constant c.

For each \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}\) sample, we proceed as follows. We let \(\mathrm{sign}(x)\) denote the sign of x; its output is either 1 (for \(x \ge 0\)) or 0 (for \(x < 0\)). We first compute the sign of the first register and store it in a new register:

$$ \sum _{j\in \mathbb {Z}}\rho _r(j)\left| j\right\rangle \left| (\mathbf x+j\cdot \mathbf s) \bmod N\right\rangle \left| sign(j)\right\rangle .$$

Second, we measure the third register. Note that we observe 1 with probability at least 1 / 2, independently over all k’s. If the observed value is 0, we discard the state. From states with the observed value 1, we obtain (up to normalization):

$$ \sum _{j\in {\mathbb Z}_{\ge 0}}\rho _r(j)\left| j\right\rangle \left| (\mathbf x+j\cdot \mathbf s) \bmod N\right\rangle . $$

Using quantum rejection sampling (Lemma 7), we transform this state into a \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}\) state of the form

$$ \sum _{j\in [0,M-1]}\left| j\right\rangle \left| (\mathbf x+j\cdot \mathbf s) \bmod N\right\rangle $$

with probability \(\varOmega (M\rho _r^2(c\cdot r)/r) = \varOmega (1)\).

We repeat the above procedure until we obtain \(\mathcal {O}(\ell /\kappa )\) many \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}\) states, which happens with probability \(\ge 1-2^{-\varOmega (\kappa )}\). We call the \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\mathcal {O}(\ell /\kappa )}\) oracle to recover the secret \(\mathbf s\) as the solution for the input \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell }\) instance.

Lemma 9

(U-EDCP \(\le \) G-EDCP). Let N, M, n and \(\ell \) be integers greater than 1, r be any real number, such that \(M = \sqrt{\kappa }\cdot r = \mathrm{poly}(\kappa )\) is an integer. Then there is a probabilistic reduction with run-time polynomial in \(\kappa \), from \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\) to \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\mathcal {O}(\ell /\kappa ^{1.5})}\).

Proof

We are given as input the \(\ell \) states of a \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\) instance:

$$ \left\{ \sum _{j\in [0,M-1]}\left| j\right\rangle \left| (\mathbf x_k+j\cdot \mathbf s) \bmod N\right\rangle \right\} _{k\le \ell }. $$

Our aim is to find \(\mathbf s\), given access to a \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\mathcal {O}(\ell /\kappa ^{1.5})}\) oracle where \(r = M/\sqrt{\kappa }\).

For each \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}\) state we proceed as follows. First, we symmetrize the uniform distribution by applying the function \(f(x) = x-\lfloor (M-1)/2\rfloor \) to the first register:

$$ \sum _{j\in [0,M-1]}\mathinner {|{j-\lfloor (M-1)/2\rfloor }\rangle }\left| (\mathbf x+j\cdot \mathbf s) \bmod N\right\rangle = \sum _{j'\in \big [-\lfloor \frac{M-1}{2}\rfloor ,\lceil \frac{M-1}{2}\rceil \big ]} \left| j'\right\rangle \left| (\mathbf x'+j'\cdot \mathbf s) \bmod N\right\rangle , $$

where \(j' = j-\lfloor (M-1)/2\rfloor \) and \(\mathbf x' = \mathbf x+\lfloor (M-1)/2\rfloor \cdot \mathbf s\) (the shift of the first register is absorbed into the second one).

Using rejection sampling (Lemma 7), with probability \(\varOmega (r/M) = \varOmega (1/\sqrt{\kappa })\) we transform each such symmetrized \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}\) state into a \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}\) state:

$$ \sum _{j'\in \big [-\lfloor \frac{M-1}{2}\rfloor ,\lceil \frac{M-1}{2}\rceil \big ]} \rho _r(j')\left| j'\right\rangle \left| (\mathbf x'+j'\cdot \mathbf s) \bmod N\right\rangle . $$

According to Lemma 1, the latter is within the \(\ell _2\) distance of \(2^{-\varOmega (\kappa )}\) away from the state

$$ \sum _{j'\in \mathbb {Z}}\rho _{r}(j')\left| j'\right\rangle \left| (\mathbf x'+j'\cdot \mathbf s) \bmod N\right\rangle . $$

We repeat the above procedure until we obtain \(\mathcal {O}(\ell /\kappa ^{1.5})\) many \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}\) states, which happens with probability \(\ge 1-2^{-\varOmega (\kappa )}\). Then we can use the \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\mathcal {O}(\ell /\kappa ^{1.5})}\) oracle to recover the secret \(\mathbf s\) as the solution to \(\mathrm{U} - \mathrm{EDCP}_{n,N,M}^{\ell }\).

Next, we show the self-reducibility property for \(\mathrm{EDCP}\). We refer the reader to Appendix B in the full version [6] for the proof.

Lemma 10

( \(\mathrm{EDCP}\) self-reduction). Let N, n and \(\ell \) be integers greater than 1, and let \(r_1 > r_2\) be such that \(r_1/r_2 = \mathcal {O}(\kappa ^c)\) for some constant c. Then there is a probabilistic reduction with run-time polynomial in \(\kappa \), from \(\mathrm{G} - \mathrm{EDCP}_{n,N,r_1}^{\ell }\) (resp. \(\mathrm{U} - \mathrm{EDCP}_{n,N,r_1}^{\ell }\)) to \(\mathrm{G} - \mathrm{EDCP}_{n,N,r_2}^{\mathcal {O}(\ell /\kappa ^{c+1})}\) (resp. \(\mathrm{U} - \mathrm{EDCP}_{n,N,r_2}^{\mathcal {O}(\ell /\kappa ^{c+1})}\)).

In the following, we give a reduction from Gaussian-\(\mathrm{EDCP}\) to \(\mathrm{DCP}\). Uniform-\(\mathrm{EDCP}\) can then be reduced to \(\mathrm{DCP}\) in two ways: via the self-reduction of Lemma 10, or via Gaussian-\(\mathrm{EDCP}\) (Lemma 9 followed by the lemma below). This result is especially interesting when the parameter r (or M for uniform-\(\mathrm{EDCP}\)) is super-polynomially large, as in this case Lemma 10 cannot be applied. The lemma below works with 1-dimensional \(\mathrm{EDCP}\). This is without loss of generality, as we can combine our main result (equivalence of \(\mathrm{LWE}\) and \(\mathrm{EDCP}\)) with the result of Brakerski et al. [7] (equivalence of \(\mathrm{LWE}_{n, q, \alpha }\) and \(\mathrm{LWE}_{1, q^n, \alpha }\)).

Lemma 11

(Gaussian-EDCP to DCP). Let N and \(\ell \) be arbitrary integers and \(r > 0\). Then there is a probabilistic reduction with run-time polynomial in \(\kappa \), from \(\mathrm{G} - \mathrm{EDCP}_{1,N,r}^{\ell }\) to \(\mathrm{DCP}_{N}^{\mathcal {O}(\ell /(\log r\cdot \kappa ^2))}\) if \(r \ge 3\log N\), and from \(\mathrm{G} - \mathrm{EDCP}_{1,N,r}^{\ell }\) to \(\mathrm{DCP}_{N}^{\mathcal {O}(\ell /(r\cdot \kappa ))}\) otherwise.

Proof

We are given as input \(\ell \) many \(\mathrm{G} - \mathrm{EDCP}_{1,N,r}\) states:

$$ \left\{ \sum _{j\in \mathbb {Z}}\rho _r(j)\left| j\right\rangle \left| (x_k+j\cdot s) \bmod N\right\rangle \right\} _{k\le \ell }.$$

We show how to find s if we are given access to a \(\mathrm{DCP}_{N}^{\mathcal {O}(\ell /(r\cdot \kappa ))}\) oracle for \(r < 3\log N\), and a \(\mathrm{DCP}_{N}^{\mathcal {O}(\ell /(\log r\cdot \kappa ^2))}\) oracle otherwise.

\(\bullet \) Case \(r \ge 3\log N\).

According to Lemma 8, we can transform \(\ell \) many \(\mathrm{G} - \mathrm{EDCP}_{1,N,r}\) states into \(\ell /\kappa \) many \(\mathrm{U} - \mathrm{EDCP}_{1, N, M'}\) states with \(M' = 2 c\cdot r + 1\) for some constant c, losing a factor of \(\kappa \) in the number of samples. Assume we obtain \(\ell /\kappa \) many \(\mathrm{U} - \mathrm{EDCP}_{1,N,M'}\) states. For each such state, we symmetrize the interval \([0, M'-1]\) as in the proof of Lemma 9, obtaining a uniform superposition over \([-M, M]\) for \(M = (M'-1)/2 = c\cdot r\). We compute the absolute value of the first register and store it in a new register:

$$\begin{aligned} \sum _{j\in [-M,M]}\left| j\right\rangle \left| (\hat{x}_k+j\cdot s) \bmod N\right\rangle \left| |j|\right\rangle , \end{aligned}$$
(4)

where \(\hat{x}_k = x_k + M\cdot s\) (the shift of the first register by \(-M\) is absorbed into the second register). We measure the third register and denote the observed value by \(v_k\).

We make use of two well-known facts from number theory; for proofs, the reader may consult [30, Chap. 5]. First, there exist more than \(M/\log M\) primes smaller than M. Second, N has at most \(2 \log N/ \log \log N\) prime factors. Thus there are at least \(M/\log M - 2\log N / \log \log N\) numbers smaller than M that are co-prime with N.

From the above, with probability \(\varOmega (1/\log M) = \varOmega (1/\log r)\), the observed value \(v_k\) is non-zero and co-prime with N. If this is not the case, we discard the state. Otherwise, we obtain (up to normalization):

$$ \left| -v_k\right\rangle \left| (\hat{x}_k-v_k\cdot s) \bmod N\right\rangle + \left| v_k\right\rangle \left| (\hat{x}_k+v_k\cdot s) \bmod N\right\rangle . $$

We multiply the value in the second register by \(v_k^{-1} \bmod N\):

$$ \left| -v_k\right\rangle \left| (x_k'-s) \bmod N\right\rangle + \left| v_k\right\rangle \left| (x_k'+s) \bmod N\right\rangle , $$

where \(x_k' = \hat{x}_k\cdot v_k^{-1}\).

Let \(\bar{x}_k = x_k'-s \bmod N\) and \(\bar{s} = 2 \cdot s \bmod N\). Rewrite the above state as:

$$ \left| -v_k\right\rangle \left| \bar{x}_k\right\rangle + \left| v_k\right\rangle \left| (\bar{x}_k+\bar{s}) \bmod N\right\rangle . $$

As we know \(v_k\) classically, we uncompute the first register and obtain a \(\mathrm{DCP}\) state:

$$\begin{aligned} \left| 0\right\rangle \left| \bar{x}_k\right\rangle + \left| 1\right\rangle \left| (\bar{x}_k+\bar{s}) \bmod N\right\rangle . \end{aligned}$$
(5)

We repeat the above procedure until we obtain \(\mathcal {O}(\ell /(\log r \cdot \kappa ^2))\) many \(\mathrm{DCP}_{N}\) states with probability \(\ge 1-2^{-\varOmega (\kappa )}\).

\(\bullet \) Case that \(r < 3\log N\).

The first steps are identical to the proof for the case \(r\ge 3 \log N\): compute the absolute value of the first register to get a state analogous to (4) (with Gaussian amplitudes \(\rho _r(j)\) in place of uniform ones) and measure the third register. Denote the observed value by \(v_k\). Now we keep only those states for which \(v_k=1\) was observed; otherwise, we do not use the state. In case \(v_k=1\), we have \(v_k^{-1} = 1\) and the state is transformed into the state given in (5) exactly as in the proof for \(r \ge 3 \log N\).

Now we show that \(v_k= 1\) occurs with probability \(\varOmega (1/r)\) independently over all k’s. Indeed,

$$ \Pr [v_k=1] = \frac{\rho _r(1)^2 + \rho _r(-1)^2}{\sum _{j\in \mathbb {Z}}\rho _r(j)^2} \ge \frac{2\cdot \rho _r(1)^2}{\int _{\mathbb {R}}\rho _r(x)^2 \mathrm {d}x + 1} = \frac{2\cdot \exp (-\frac{2\pi }{r^2})}{\frac{r}{\sqrt{2}}+1} = \varOmega \Big (\frac{1}{r}\Big ). $$

We repeat the above procedure until we obtain \(\mathcal {O}(\ell /(r\cdot \kappa ))\) many \(\mathrm{DCP}_{N}\) states, which happens with probability \(\ge 1-2^{-\varOmega (\kappa )}\).

In both cases, we feed the obtained states to the \(\mathrm{DCP}_{N}\) oracle (with \(\mathcal {O}(\ell /(\log r\cdot \kappa ^2))\) states if \(r \ge 3\log N\) and \(\mathcal {O}(\ell /(r\cdot \kappa ))\) states otherwise) and get the secret \(\bar{s}\). There are at most 2 possible values of s such that \(\bar{s} = 2s\bmod N\): if there are 2 possibilities, we uniformly choose either, which decreases the success probability by at most a factor of 2.
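The amplitude manipulations used in Lemma 7, Lemma 8 and Lemma 11 can be checked on a classical state-vector simulation of a one-dimensional instance. The following Python code is an added example and not part of the paper. It represents a state as a dictionary from basis labels \((j, y)\) to real amplitudes, performs the sign measurement and rejection sampling of Lemma 8, the \(|j|\) measurement, the multiplication by \(v^{-1} \bmod N\) and the relabelling of Lemma 11, and compares \(\Pr [v_k = 1]\) on a Gaussian state with the lower bound derived for the case \(r < 3\log N\). The parameters \(N = 1009\), \(s = 123\), \(x = 456\), \(r = 8\), \(\kappa = 9\) and \(M = 2\) (so \(M' = 2M+1 = 5\), i.e. \(c = 5/8\)) are toy values chosen for the simulation; they do not satisfy the asymptotic hypotheses of the lemmas (for instance \(r \ge 3\log N\)), so only the state transformations and their success probabilities are demonstrated, not the full reductions.

```python
import math
from math import gcd


def rho(r, j):
    """Gaussian weight rho_r(j) = exp(-pi j^2 / r^2)."""
    return math.exp(-math.pi * j * j / (r * r))


def normalize(state):
    """Rescale a real amplitude vector (dict label -> amplitude) to unit l2 norm."""
    norm = math.sqrt(sum(a * a for a in state.values()))
    return {lab: a / norm for lab, a in state.items()}


def gaussian_edcp_state(N, s, x, r, kappa):
    """1-dim G-EDCP_{1,N,r} state sum_j rho_r(j)|j>|x + j s mod N>; the tail beyond sqrt(kappa) r is dropped (Lemma 1)."""
    T = math.ceil(math.sqrt(kappa) * r)
    return normalize({(j, (x + j * s) % N): rho(r, j) for j in range(-T, T + 1)})


def measure(state, f):
    """Measure f(label) in the computational basis: {outcome: (probability, normalized post-measurement state)}."""
    groups = {}
    for lab, a in state.items():
        groups.setdefault(f(lab), {})[lab] = a
    return {v: (sum(a * a for a in sub.values()), normalize(sub)) for v, sub in groups.items()}


def rejection_sample(state, target):
    """Lemma 7: amplitudes pi_k -> p_k / ||p|| for chosen 0 <= p_k <= pi_k, succeeding with probability ||p||^2."""
    for lab, p in target.items():
        assert 0.0 <= p <= state.get(lab, 0.0) + 1e-12, "target amplitude must not exceed the input amplitude"
    success = sum(p * p for p in target.values())
    return success, normalize({lab: p for lab, p in target.items() if p > 0})


def gaussian_to_uniform(state, M):
    """Lemma 8: measure the sign of j, keep the branch j >= 0, then flatten rho_r(j) to a constant on j in [0, M-1]."""
    prob_pos, pos = measure(state, lambda lab: 1 if lab[0] >= 0 else 0)[1]
    floor_amp = min(a for (j, _), a in pos.items() if j <= M - 1)   # the amplitude at j = M-1
    prob_rs, uniform = rejection_sample(pos, {lab: floor_amp for lab in pos if lab[0] <= M - 1})
    return prob_pos * prob_rs, uniform


def uniform_to_dcp(state, N, M):
    """Lemma 11, state manipulation of the r >= 3 log N branch: relabel j -> j - M so the support is [-M, M]
    (the shift M s moves into the second register), measure |j|, keep outcomes v != 0 coprime with N,
    multiply the second register by v^{-1} mod N and map -v -> |0>, v -> |1>. Returns {v: (probability, DCP state)}."""
    sym = {(j - M, y): a for (j, y), a in state.items()}
    out = {}
    for v, (prob, post) in measure(sym, lambda lab: abs(lab[0])).items():
        if v == 0 or gcd(v, N) != 1:
            continue                                   # such outcomes are discarded in the reduction
        vinv = pow(v, -1, N)
        out[v] = (prob, {(0 if j < 0 else 1, (y * vinv) % N): a for (j, y), a in post.items()})
    return out


def dcp_shift(dcp, N):
    """Read the hidden shift of a DCP state |0>|x> + |1>|x + sbar>; the reduction yields sbar = 2 s mod N."""
    y0 = next(y for (b, y) in dcp if b == 0)
    y1 = next(y for (b, y) in dcp if b == 1)
    return (y1 - y0) % N


def prob_abs_j_is_one(state):
    """Lemma 11, r < 3 log N branch: probability that measuring |j| on a G-EDCP state gives 1."""
    return measure(state, lambda lab: abs(lab[0])).get(1, (0.0, None))[0]


def lemma11_lower_bound(r):
    """The bound 2 exp(-2 pi / r^2) / (r / sqrt(2) + 1) from the proof of Lemma 11."""
    return 2 * math.exp(-2 * math.pi / (r * r)) / (r / math.sqrt(2) + 1)


def demo(N=1009, s=123, x=456, r=8, kappa=9, M=2):
    """Toy parameters (assumed for the example; far below the lemmas' asymptotic requirements)."""
    g = gaussian_edcp_state(N, s, x, r, kappa)
    p_uni, uni = gaussian_to_uniform(g, 2 * M + 1)        # U-EDCP state over j in [0, 2M]
    dcps = uniform_to_dcp(uni, N, M)
    return {"p_uniform": p_uni, "uniform_state": uni,
            "p_dcp": sum(p for p, _ in dcps.values()),
            "shifts": {v: dcp_shift(st, N) for v, (_, st) in dcps.items()},
            "p_abs1": prob_abs_j_is_one(g), "p_abs1_bound": lemma11_lower_bound(r)}
```

For these parameters demo() reports a Lemma 8 success probability of about 0.18 (the sign measurement keeps the state with probability about 0.59, and flattening to the five values \(j \in [0,4]\) succeeds with probability about 0.31), a uniform state over \(j \in [0,4]\), and DCP states for the outcomes \(v \in \{1, 2\}\) (total probability 0.8), each with hidden shift \(\bar s = 2s \bmod N = 246\); the measured \(\Pr [|j| = 1]\) on the Gaussian state (about 0.32) exceeds the bound from the proof (about 0.27).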

3 Reduction from \(\mathrm{LWE}\) to \(\mathrm{EDCP}\)

In this section, we reduce \(\mathrm{LWE}_{n,q,\alpha }^{m}\) to \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\), where \(r \approx 1/\alpha \) up to a factor of \(\mathrm {poly}(n \log q)\). Analogous to Regev’s reductions from \(\mathrm {\textsc {u}SVP}\) to \(\mathrm{DCP}\), we present two versions of the reduction from \(\mathrm{LWE}\) to \(\mathrm{G} - \mathrm{EDCP}\). The second one is tighter with respect to the parameter losses. At the end of the section we show that using the same algorithm, one can reduce the decisional version of \(\mathrm{LWE}\) to the decisional version of \(\mathrm{EDCP}\) (see Definition 5).

3.1 First Reduction: Using Cube Separation

The main result of this section is the following theorem.

Theorem 2

(LWE \(\le \) EDCP). Let \((n, q, \alpha )\) be \(\mathrm{LWE}\) parameters and \((n, q, r)\) be \(\mathrm{EDCP}\) parameters. Given \(m = n\log q = \varOmega (\kappa )\) many \(\mathrm {LWE}_{n,q,\alpha }\) samples, there exists a probabilistic quantum reduction, with run-time polynomial in \(\kappa \), from \(\mathrm {LWE}_{n,q,\alpha }^{m}\) to \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\), where \(r < 1/(32m\kappa \alpha \ell q^{n/m})\).

The main step of our reduction is to partition the ambient space \({\mathbb R}^m\) with an appropriately chosen grid (cubes). This is analogous to Regev’s reduction from \(\mathrm {\textsc {u}SVP}\) to \(\mathrm{DCP}\) [25]. Lemma 12 shows how we choose the width of the cell in our grid. Figure 2 gives a 2-dimensional example of such a grid.

Lemma 12

Let \(c \ge 8\) be a constant, let q and n be integers, \(m = n\log q\), and \(k\ge m\). Let \(\mathbf A \in \mathbb {Z}_q^{m\times n}\) be chosen uniformly at random, and consider the function

$$ g: (x_1, \cdots , x_m) \rightarrow (\lfloor x_1/z-w_1 \bmod \bar{q}\rfloor , \cdots , \lfloor x_m/z-w_m \bmod \bar{q}\rfloor ), $$

where \(z = q/c\) and \(z \in [1/c,1/2]\cdot \lambda _1^{\infty }(\varLambda _q(\mathbf A))\), \(w_1,\ldots ,w_m\) are uniformly chosen from [0, 1), and \(\bar{q}= q/z\). Then for any \(\mathbf x\in \mathbb {Z}_q^{n}\), we have the following two statements.

  • For any \(\mathbf u = \mathbf A \mathbf x + \mathbf e_1, \mathbf v = \mathbf A \mathbf x + \mathbf e_2\) where \(\Vert \mathbf e_1\Vert _{\infty }, \Vert \mathbf e_2\Vert _{\infty } \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/(2ck)\), with probability \((1-1/k)^m\), over the randomness of \(w_1,\cdots ,w_m\), we have \(g(\mathbf u) = g(\mathbf v)\).

  • For any \(\mathbf u = \mathbf A \mathbf x + \mathbf e_1, \mathbf v = \mathbf A \widehat{\mathbf x} + \mathbf e_2\), where \(\Vert \mathbf e_1\Vert _{\infty }, \Vert \mathbf e_2\Vert _{\infty } \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/(2ck)\) and \(\mathbf x \ne \widehat{\mathbf x} \in \mathbb {Z}_q^{n}\), we have \(g(\mathbf u) \ne g(\mathbf v)\).

Proof

\(\bullet \) Proof for the first claim.

Write \(\mathbf u = \mathbf A \mathbf x+\mathbf e_1 \bmod q\) and \(\mathbf v = \mathbf A \mathbf x+\mathbf e_2 \bmod q\) for some \(\mathbf x\in \mathbb {Z}_q^{n}\) and \(\Vert \mathbf e_1\Vert _{\infty }, \Vert \mathbf e_2\Vert _{\infty } \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/(2ck)\).

Let \(\textsc {diff}\) denote the event that \(g(\mathbf u) \ne g(\mathbf v)\), and, for all \(i \le m\), let \(\textsc {diff}_i\) denote the event that the \(i^{\mathrm {th}}\) coordinates of \(g(\mathbf u)\) and \(g(\mathbf v)\) differ. Since we choose \(w_1, \ldots , w_m\) independently and uniformly from [0, 1), we can consider each of the m dimensions separately and view each \(e_{1, i}/z+w_i\) and \(e_{2, i}/z+w_i\) as random 1-dimensional real points inside an interval of length 1. We have

$$ \Pr _{w_i}[\textsc {diff}_i] = \frac{|e_{1,i}-e_{2,i}|}{z} \le \frac{z/k}{z} = \frac{1}{k}, $$

where the inequality follows from the lower-bound on z. This implies

$$ \Pr _{\mathbf w}[\textsc {no diff}] = \prod _{i\le m}\left( 1-\Pr _{w_i}[\textsc {diff}_i]\right) \ge \left( 1-\frac{1}{k}\right) ^m. $$

\(\bullet \) Proof for the second claim.

Write \(\mathbf u = \mathbf A \mathbf x+\mathbf e_1\bmod q\) and \(\mathbf v = \mathbf A \widehat{\mathbf x}+\mathbf e_2\bmod q\) for \(\mathbf x \ne \widehat{\mathbf x} \in \mathbb {Z}_q^{n}\) and \(\Vert \mathbf e_1\Vert _{\infty }, \Vert \mathbf e_2\Vert _{\infty } \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/(2ck)\). Then we have

$$\begin{aligned} g(\mathbf u)= & {} \Big \lfloor \frac{1}{z}\cdot (\mathbf A \mathbf x) + \frac{1}{z}\cdot \mathbf e_1 + \mathbf w \bmod \bar{q}\Big \rfloor , \\ g(\mathbf v)= & {} \Big \lfloor \frac{1}{z}\cdot (\mathbf A \widehat{\mathbf x}) + \frac{1}{z}\cdot \mathbf e_2 + \mathbf w \bmod \bar{q}\Big \rfloor . \end{aligned}$$

Now we show that \(g(\mathbf u)\) and \(g(\mathbf v)\) differ in at least 1 coordinate. This is the case if the arguments of the floor function differ by at least 1 in some coordinate, i.e., \(\Vert \tfrac{1}{z} \mathbf A\cdot (\mathbf x-\hat{\mathbf x}) + \tfrac{1}{z} (\mathbf e_1 - \mathbf e_2) \bmod \bar{q} \Vert _{\infty } \ge 1\).

Assume the contrary is the case. Note that due to our choice of \(\mathbf e_i\) and \(\bar{q}\), \(\Vert \tfrac{1}{z} (\mathbf e_1 - \mathbf e_2) \bmod \bar{q} \Vert _{\infty }\) is either at most 1 / k or at least \(\bar{q}-1/k\). Either way we have \(\Vert \tfrac{1}{z} \mathbf A (\mathbf x-\hat{\mathbf x}) \bmod \bar{q} \Vert _{\infty } < 1 + 1/k\) or \(\Vert \tfrac{1}{z} \mathbf A (\mathbf x-\hat{\mathbf x}) \bmod \bar{q} \Vert _{\infty } > \bar{q} - 1 + 1/k\). Due to the bounds on z and c, the former case is equivalent to

$$ \Vert \mathbf A(\mathbf x-\hat{\mathbf x}) \bmod q \Vert _{\infty } < z + z/k \le \lambda _1^{\infty }(\varLambda _{q}(\mathbf A)) \Big (\tfrac{1}{2} + \tfrac{1}{2k} \Big ) \le \lambda _1^{\infty }(\varLambda _{q}(\mathbf A)), $$

where we multiplied by z and used \(z\bar{q} = q\) and \(z \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/2\). Hence, we have found a vector of the lattice \(\varLambda _{q}(\mathbf A)\) shorter than the minimum of the lattice, a contradiction. In the latter case, when \(\Vert \tfrac{1}{z} \mathbf A\cdot (\mathbf x-\hat{\mathbf x}) \bmod \bar{q} \Vert _{\infty } >\bar{q} - 1 + 1/k\), we obtain the same contradiction by noticing that \(\varLambda _{q}(\mathbf A)\) contains the vectors \(q\mathbf e_i\): subtracting them yields again a lattice vector of \(\ell _\infty \)-norm smaller than \(z + z/k\).

Fig. 5. Quantum circuit for our reduction \(\mathrm{LWE}\) \(\le \) \(\mathrm{EDCP}\). All the global phases are omitted. The input registers are assumed to have the required number of qubits. Function f is defined as \(U_f\mathinner {|{j}\rangle }\mathinner {|{\mathbf s}\rangle }\mathinner {|{0}\rangle } \rightarrow \mathinner {|{j}\rangle }\mathinner {|{\mathbf s}\rangle }\mathinner {|{\mathbf A \mathbf s-j\mathbf b \bmod q}\rangle }\). Function \(U_g\) is the embedding of function g described in Lemma 12, i.e. \(U_g\mathinner {|{\mathbf x}\rangle }\mathinner {|{0}\rangle } \rightarrow \mathinner {|{\mathbf x}\rangle }\mathinner {|{\lfloor \mathbf x/z - \mathbf w \bmod \bar{q} \rfloor }\rangle }\) for appropriately chosen \(z, \mathbf w, \bar{q}\).

Proof (of Theorem 2)

Assume we are given an \(\mathrm{LWE}_{n,q,\alpha }^{m}\) instance \((\mathbf A,\mathbf b_0)\) with \(\mathbf b_0=\mathbf A\cdot \mathbf s_0+\mathbf e_0 \bmod q\). Our aim is to find \(\mathbf s_0\) given access to a \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\) oracle.

We first prepare a necessary number of registers in the state \(\left| 0\right\rangle \) and transform them to the state of the form (normalization omitted)

$$\begin{aligned} \sum _{\mathbf s \in \mathbb {Z}_q^{n}} \left| 0\right\rangle \left| \mathbf s\right\rangle \left| 0\right\rangle . \end{aligned}$$
(6)

We use Lemma 4 to obtain a state within \(\ell _2\) distance of \(2^{-\varOmega (\kappa )}\) away from

$$\begin{aligned} \sum _{\mathbf s \in \mathbb {Z}_q^{n}} \Big (\sum _{j \in \mathbb {Z}}\rho _{r}(j)\left| j\right\rangle \Big )\left| \mathbf s\right\rangle \left| 0\right\rangle . \end{aligned}$$
(7)

According to Lemma 1, the state above is within \(\ell _2\) distance of \(2^{-\varOmega (\kappa )}\) away from

$$ \sum _{\begin{array}{c} \mathbf s \in \mathbb {Z}_q^{n} \\ j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r] \end{array}} \rho _{r}(j)\left| j\right\rangle \left| \mathbf s\right\rangle \left| 0\right\rangle . $$

We evaluate the function \(f(j,\mathbf s) \mapsto \mathbf A \mathbf s - j\cdot \mathbf b_0 \bmod q\) and store the result in the third register. The next equality follows from the change of variable \(\mathbf s \mapsto \mathbf s + j\mathbf s_0\):

$$\begin{aligned} \sum _{\begin{array}{c} \mathbf s \in \mathbb {Z}_q^{n} \\ j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r] \end{array}} \rho _{r}(j)\left| j\right\rangle \left| \mathbf s\right\rangle \left| \mathbf A \mathbf s-j \cdot \mathbf A \mathbf s_0-j \mathbf e_0\right\rangle \ = \sum _{\begin{array}{c} \mathbf s \in \mathbb {Z}_q^{n} \\ j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r] \end{array}} \rho _{r}(j)\left| j\right\rangle \left| \mathbf s+j \mathbf s_0\right\rangle \left| \mathbf A \mathbf s-j \mathbf e_0\right\rangle . \end{aligned}$$

Sample \(w_1,\ldots ,w_m\) uniformly from [0, 1). Set \(z = q/c\) for some constant \(c\ge 8\), thus we have \(z \in [1/c,1/2]\cdot \lambda _1^{\infty }(\varLambda _q(\mathbf A))\), where the upper bound holds with probability \(1-2^{-m} = 1-2^{-\varOmega (\kappa )}\) (see Lemma 5).

For \(\mathbf x \in \mathbb {Z}_q^m\), we define

$$ g(\mathbf x) = (\lfloor (x_1/z-w_1) \bmod \bar{q}\rfloor ,\ldots ,\lfloor (x_m/z-w_m) \bmod \bar{q}\rfloor ), $$

where \(\bar{q}=q/z=c\). We evaluate the function g on the third register and store the result on a new register. We obtain

$$\begin{aligned} \sum _{\begin{array}{c} \mathbf s \in \mathbb {Z}_q^n \\ j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r] \end{array}} \rho _{r}(j)\left| j\right\rangle \left| \mathbf s+j\cdot \mathbf s_0\right\rangle \left| \mathbf A \mathbf s-j\cdot \mathbf e_0\right\rangle \left| g(\mathbf A \mathbf s-j\cdot \mathbf e_0)\right\rangle . \end{aligned}$$
(8)

We measure the fourth register and do not consider it further. By Lemma 1 and a union bound over the m coordinates, we have \(\Vert \mathbf e_0\Vert _\infty \le \sqrt{\kappa }\alpha q\) with probability \(\ge 1-m\cdot 2^{-\varOmega (\kappa )} = 1-2^{-\varOmega (\kappa )}\). Recall that \(r < 1/(32m\ell \kappa \alpha q^{n/m}) \le 1/(4ck\kappa \alpha q^{n/m})\) for \(c = 8\) and \(k = m\ell \). Therefore, we have \(\Vert \sqrt{\kappa }r\cdot \mathbf e_0\Vert _\infty \le \kappa r \alpha q < q^{(m-n)/m}/(4ck) \le \lambda _1^{\infty }(\varLambda _q(\mathbf A))/(2ck)\), where the last inequality uses Lemma 5. Then by Lemma 12, we obtain

$$ \sum _{j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r]} \rho _r(j)\left| j\right\rangle \left| \mathbf s+j\cdot \mathbf s_0\right\rangle \left| \mathbf A \mathbf s-j\cdot \mathbf e_0\right\rangle $$

for some \(\mathbf s \in \mathbb {Z}_q^{n}\), with probability \((1-1/k)^m\) over the randomness of \(\mathbf A\) and \(w_1, \cdots , w_m\).

Finally, we evaluate the function \((j,\mathbf s,\mathbf b) \mapsto \mathbf b-\mathbf A \mathbf s+j\cdot \mathbf b_0\) on the first three registers, which gives \(\mathbf 0\). Discarding this \(\mathbf 0\)-register, the state is of the form

$$ \sum _{j \in \mathbb {Z}\cap [-\sqrt{\kappa } \cdot r,\sqrt{\kappa }\cdot r]} \rho _{r}(j)\left| j\right\rangle \left| \mathbf s+j\cdot \mathbf s_0\right\rangle . $$

According to Lemma 1, the above state is within \(\ell _2\) distance of \(2^{-\varOmega (\kappa )}\) away from

$$\begin{aligned} \sum _{j\in \mathbb {Z}}\rho _{r}(j)\left| j\right\rangle \left| \mathbf s+j\cdot \mathbf s_0\right\rangle . \end{aligned}$$

We repeat the above procedure \(\ell \) times, and with probability \((1-\frac{1}{k})^{m \ell } = (1-\frac{1}{m\ell })^{m \ell } \ge 1/4\), we obtain \(\ell \) many \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}\) states

$$ \left\{ \sum _{j\in \mathbb {Z}}\rho _{r}(j)\left| j\right\rangle \left| \mathbf x_k+j\cdot \mathbf s_0\right\rangle \right\} _{k\le \ell }, $$

where \(\mathbf x_k \in \mathbb {Z}_q^n\).

Now we can call the \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\) oracle with the above states as input and obtain \(\mathbf s_0\) as output of the oracle.
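The cube separation of Lemma 12 and the measurement step of the proof of Theorem 2 can be inspected on a tiny instance. The following Python code is an added example and not part of the paper. It takes \(n = 1\) so that \(\lambda _1^{\infty }(\varLambda _q(\mathbf A))\) can be found by enumeration, chooses \(c = \max (8, \lceil 2q/\lambda _1^{\infty }\rceil )\) so that \(z = q/c\) satisfies the hypothesis \(z \in [1/c, 1/2]\cdot \lambda _1^{\infty }(\varLambda _q(\mathbf A))\) of Lemma 12 (for \(m = n\log q\) and a random \(\mathbf A\), \(c = 8\) already works with high probability, which is what the theorem uses), sets \(k = m\), and enumerates the basis states \(\left| j\right\rangle \left| \mathbf s+j\mathbf s_0\right\rangle \left| \mathbf A\mathbf s - j\mathbf e_0 \bmod q\right\rangle \) of (8) for an LWE secret \(s_0\) and an error \(\mathbf e_0 \in \{-1,0,1\}^m\) with \(j \in [-J, J]\); replacing the Gaussians over j and over \(\mathbf e_0\) by these bounded sets is an assumption of the example, and the seed is retried until the error bound \(\lambda _1^{\infty }/(2ck)\) of Lemma 12 is at least J, so that \(\Vert j\mathbf e_0\Vert _\infty \le J\) fits the lemma. Grouping the states by the measured value \(g(\mathbf A\mathbf s - j\mathbf e_0)\) exhibits both claims of Lemma 12: no cell mixes two different base points \(\mathbf s\) (so the collapsed state is a superposition over one \(\mathbf s\) and its shifts), and the fraction of base points whose shifts all land in one cell is at least \((1-1/k)^m\). The values \(q = 4093\), \(m = 12\), \(J = 2\) and the seed are choices of the example.

```python
import math
import random


def lambda1_inf(A, q):
    """Brute-force lambda_1^inf of Lambda_q(A) = {A x mod q : x} + q Z^m (only feasible for tiny q^n).
    Returns 0 if A is not injective mod q, since then distinct x cannot be separated."""
    m, n = len(A), len(A[0])
    best = q                                    # q * e_1 is always a lattice vector
    for idx in range(1, q ** n):
        x = [(idx // q ** i) % q for i in range(n)]
        v = [sum(A[i][j] * x[j] for j in range(n)) % q for i in range(m)]
        if not any(v):
            return 0
        best = min(best, max(min(c, q - c) for c in v))   # centred l_inf norm of A x mod q
    return best


def grid(x, z, w, qbar):
    """The cell function g of Lemma 12: g(x)_i = floor((x_i / z - w_i) mod qbar)."""
    return tuple(math.floor((xi / z - wi) % qbar) for xi, wi in zip(x, w))


def separation_params(lam, q, k):
    """z = q/c with c >= 8 chosen so that z lies in [lam/c, lam/2]; returns (c, z, qbar, error bound lam/(2ck))."""
    c = max(8, math.ceil(2 * q / lam))
    z = q / c
    return c, z, q / z, lam / (2 * c * k)


def collapse_cells(A, q, s0, e0, J, z, w, qbar):
    """Group the basis states |j>|s + j s0>|A s - j e0 mod q> (n = 1, s in Z_q, j in [-J, J]) by the
    measured cell g(A s - j e0). Returns (number of cells mixing two base points s,
    fraction of base points s whose 2J+1 shifts all fall into a single cell)."""
    m = len(A)
    cells = {}
    for s in range(q):
        As = [A[i][0] * s % q for i in range(m)]
        for j in range(-J, J + 1):
            third = [(As[i] - j * e0[i]) % q for i in range(m)]
            cells.setdefault(grid(third, z, w, qbar), []).append((j, (s + j * s0) % q))
    # after the change of variable, s = s' - j s0 must be the same for every member of a cell (claim 2)
    impure = sum(1 for mem in cells.values() if len({(sp - j * s0) % q for j, sp in mem}) != 1)
    complete = sum(1 for mem in cells.values() if len(mem) == 2 * J + 1)   # all shifts of one s (claim 1)
    return impure, complete / q


def demo(q=4093, n=1, m=12, J=2, seed=0):
    """Toy instance (assumed, not from the paper); retries seeds until the Lemma 12 error bound admits
    e0 in {-1,0,1}^m with shifts j in [-J, J]."""
    k = m
    for trial in range(seed, seed + 100):
        rng = random.Random(trial)
        A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
        lam = lambda1_inf(A, q)
        if lam == 0:
            continue
        c, z, qbar, bound = separation_params(lam, q, k)
        if bound >= J:
            break
    else:
        raise RuntimeError("no instance with a usable error bound found")
    s0 = rng.randrange(q)
    e0 = [rng.choice((-1, 0, 1)) for _ in range(m)]
    w = [rng.random() for _ in range(m)]
    impure, frac = collapse_cells(A, q, s0, e0, J, z, w, qbar)
    return {"lambda": lam, "c": c, "z": z, "bound": bound, "impure_cells": impure,
            "complete_fraction": frac, "claim_a_bound": (1 - 1 / k) ** m}
```

With the cell width \(z\) of the order of \(q/8\) and shifts of \(\ell _\infty \)-norm at most 2, a cell boundary rarely cuts through the \(2J+1\) shifts of a base point, so the observed fraction of complete cells is far above the worst-case bound \((1-1/k)^m\) of the lemma, while the impurity count is always zero.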

3.2 An Improved Reduction: Using Balls’ Intersection

Here we give an improved reduction from \(\mathrm{LWE}\) to \(\mathrm{EDCP}\). Following the idea of Regev [25, Sect. 3.3], instead of separating the ambient space \({\mathbb Z}^m\) by cubes, we consider intersections of balls drawn around the points \(\mathbf A\mathbf s\) and its shifts. Note that with this reduction we improve the upper-bound on r essentially by the factor of \(\sqrt{m}\).

Theorem 3

( \(\mathrm{LWE}\le \mathrm{EDCP}\) ). Let \((n, q, \alpha )\) be \(\mathrm{LWE}\) parameters and \((n, q, r)\) be \(\mathrm{EDCP}\) parameters. Given \(m = \varOmega (\kappa )\) many \(\mathrm {LWE}_{n,q,\alp
ha }\) samples, there exists a quantum reduction, with run-time polynomial in \(\kappa \), from \(\mathrm {LWE}_{n,q,\alpha }^m\) to \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\), where \(r < 1/(6\sqrt{2\pi e}\sqrt{m \kappa }\ell \alpha q^{n/m})\).

We give an intuitive idea of how the reduction works. All the necessary lemmata and the full proof are given in Appendix B in the full version [6].

Informally, the reduction works as follows. Given an \(\mathrm{LWE}\) instance \((\mathbf A, \mathbf b = \mathbf A\mathbf s_0+\mathbf e_0) \in {\mathbb Z}_q^{m \times n} \times {\mathbb Z}_q^m\), for each \(\mathbf s \in {\mathbb Z}_q^n\), we consider (in a superposition over all such \(\mathbf s\)) a lattice point \(\mathbf A\mathbf s\) together with its small shifts of \(\mathbf A\mathbf s - j \mathbf e_0\), where j’s are drawn from a small interval symmetric around 0. So far this is exactly what we did in the first (weaker) reduction. Note that we receive a configuration of points in \({\mathbb Z}_q^m\) as depicted in Fig. 3. Note that contrary to Regev’s reduction, where there is only one shift (i.e., the DCP case), our extrapolated version considers \(\mathrm{poly}(\kappa )\) shifts thus leading us to the \(\mathrm{EDCP}\) case.

Let us fix some \(\mathbf A\mathbf s\) together with its shifts. Draw a ball around each shift of a maximal radius R such that there is no intersection between the shifts coming from different lattice points, i.e. there is no \(j, j'\) s.t. \(\mathcal {B}(\mathbf A\mathbf s - j \mathbf e_0, R) \cap \mathcal {B}(\mathbf A\mathbf s' - j' \mathbf e_0, R) \ne \emptyset \) for any two \(\mathbf s, \mathbf s'\) such that \(\mathbf s\ne \mathbf s'\). To satisfy this condition, we can take R almost as large as the first minimum of the lattice \(\varLambda _q(\mathbf A)\) (again, see Fig. 3). With such an R, due to the fact that the shifts are small, the intersection of the balls drawn around the shifts is large enough (see Lemma 13 in Appendix B of the full version [6]). Hence, once we measure the register that ‘stores’ our balls, the resulting state collapses (with large enough probability) to a superposition of some \(\mathbf A\mathbf s\) for one \(\mathbf s\) and all its shifts. Informally, the higher this probability is, the tighter the parameters achieved by the reduction.

3.3 Reduction from \(\mathrm{dLWE}\) to \(\mathrm{dEDCP}\)

As a corollary to the above theorem, we show that the decisional \(\mathrm{LWE}\) can be reduced to decisional \(\mathrm{EDCP}\). In fact, to establish the reduction, we use the same algorithm as for Theorem 3 (a weaker reduction given in Theorem 2 will work as well). Recall that in the proof, starting from an \(\mathrm{EDCP}\) sample, we obtain an \(\mathrm{LWE}\) sample with non-negligible probability. Corollary 1 below shows that in case we are given a tuple \((\mathbf A, \mathbf b)\) drawn uniformly at random from \({\mathbb Z}_q^{m \times n} \times {\mathbb Z}_q^m\), the procedure described in Theorem 3 outputs a state of the form \(\left| j\right\rangle \left| \mathbf x \bmod N\right\rangle \), a uniform counterpart to \(\mathrm{EDCP}\) in the sense of Definition 5. A proof of the following corollary is given in Appendix B of the full version [6].

Corollary 1

( \(\mathrm{dLWE}\le \mathrm{dEDCP}\) ). Let \((n, q, \alpha )\) be valid \(\mathrm{dLWE}\) parameters and \((n, q, r)\) be valid \(\mathrm{dEDCP}\) parameters. Given \(m = \varOmega (\kappa )\) many \(\mathrm {LWE}_{n,q,\alpha }\) samples, there exists a quantum reduction, with run-time polynomial in \(\kappa \), from \(\mathrm {LWE}_{n,q,\alpha }^m\) to \(\mathrm{G} - \mathrm{EDCP}_{n,q,r}^{\ell }\), where \(r < 1/(6\sqrt{2\pi e}\sqrt{m\kappa }\ell \alpha q^{(n+1)/m})\).

4 Reduction from \(\mathrm{EDCP}\) to \(\mathrm{LWE}\)

In this section, we reduce \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell }\) to \(\mathrm{LWE}_{n,N,\alpha }^{\ell }\), where \(r \approx 1/\alpha \) up to a factor of \(\mathrm {poly}(n\log N)\). Combined with the result of the previous section, this gives the equivalence of the two problems \(\mathrm{LWE}\) and \(\mathrm{EDCP}\), for both the search and the decisional variants.

Fig. 6. Reduction from \(\mathrm{G} - \mathrm{EDCP}\) to \(\mathrm{LWE}\)

Theorem 4

( \(\mathrm{EDCP}\le \mathrm{LWE}\) ). Let \((n, N, r)\) be valid \(\mathrm{EDCP}\) parameters and \((n, N, \alpha )\) with \(r = \varOmega (\sqrt{\kappa })\) be valid \(\mathrm{LWE}\) parameters. Given \(\ell = \varOmega (\kappa )\) many \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}\) samples, there exists a quantum reduction, with run-time polynomial in \(\kappa \), from \(\mathrm{G} - \mathrm{EDCP}_{n,N,r}^{\ell }\) to \(\mathrm {LWE}_{n,N,\alpha }^{\ell }\), where \(\alpha = 1/r\).

Proof

Assume we are given \(\ell \) many \(\mathrm{EDCP}_{n,N,r}\) instances

$$ \left\{ \sum _{j\in \mathbb {Z}} \rho _r(j) \left| j\right\rangle \left| \mathbf x_k+j\cdot \mathbf s_0 \bmod N\right\rangle \right\} _{k\in [\ell ]}. $$

Our aim is to find \(\mathbf s_0\) given access to an \(\mathrm{LWE}_{n,N,\alpha }^{\ell }\) oracle.

For each input state, the quantum Fourier transform over \(\mathbb {Z}_N^n\) is applied to the second register, which yields (without loss of generality, consider the \(k^{\mathrm {th}}\) sample)

$$\begin{aligned} \sum _{\mathbf a\in \mathbb {Z}_N^n} \sum _{j\in \mathbb {Z}} \omega _N^{\langle \mathbf a,(\mathbf x_k+j\cdot \mathbf s_0)\rangle }\cdot \rho _{r}(j)\left| j\right\rangle \left| \mathbf a\right\rangle . \end{aligned}$$
(9)

Then we measure the second register and let \(\mathbf a_k\) denote the observed value. Note that each element of \(\mathbb {Z}_N^n\) is measured with probability \(1/N^n\) and that the distributions for different k’s are independent. Omitting the global phase of each state, we obtain

$$\begin{aligned} \sum _{j\in \mathbb {Z}} \omega _N^{\langle \mathbf a_k, (j\cdot \mathbf s_0) \rangle }\cdot \rho _{r}(j) \left| j\right\rangle \left| \mathbf a_k\right\rangle . \end{aligned}$$
(10)

We omit the second register as we know each \(\mathbf a_k\) classically. Since \(N \gg r\), it follows from Lemma 1 that the resulting state is within \(\ell _2\) distance \(2^{-\varOmega (\kappa )}\) of the state (note the change in the range for j)

$$\begin{aligned} \sum _{j \in \mathbb {Z}_N} \omega _N^{j\cdot \langle \mathbf a_k,\mathbf s_0\rangle }\cdot \rho _{r}(j) \left| j\right\rangle . \end{aligned}$$
(11)

For each such input state, the quantum Fourier transform over \(\mathbb {Z}_N\) yields

$$\begin{aligned} \sum _{b\in \mathbb {Z}_N}\sum _{j\in \mathbb {Z}_N} \omega _N^{j\cdot ( \langle \mathbf a_k, \mathbf s_0\rangle + b)}\cdot \rho _{r}(j) \left| b\right\rangle . \end{aligned}$$
(12)

Once again we use Lemma 1 to argue that the state above is within \(\ell _2\) distance \(2^{-\varOmega (\kappa )}\) of the state

$$\begin{aligned} \sum _{b\in \mathbb {Z}_N}\sum _{j\in \mathbb {Z}} \omega _N^{j\cdot ( \langle \mathbf a_k, \mathbf s_0\rangle + b)}\cdot \rho _{r}(j) \left| b\right\rangle . \end{aligned}$$

Using the Poisson summation formula (Lemma 3) and changing the summation variable to \(e \leftarrow N \cdot j + \langle \mathbf a_k, \mathbf s_0 \rangle +b\), the above state can be rewritten as

$$\begin{aligned} \sum _{b\in \mathbb {Z}_N}\sum _{j\in \mathbb {Z}} \rho _{1/r}\Big (j + \frac{\langle \mathbf a_k, \mathbf s_0 \rangle + b}{N}\Big ) \left| b\right\rangle =&\sum _{e \in {\mathbb Z}} \rho _{1/r}\Big (\frac{e}{N}\Big ) \left| \langle \mathbf a_k', \mathbf s_0\rangle + e \bmod N\right\rangle \end{aligned}$$

where \(\mathbf a_k' = -\mathbf a_k \bmod N\). Since \(r= \varOmega (\sqrt{\kappa })\), we can apply Lemma 1 to the above state (for a scaled \({\mathbb Z}\)-lattice), and instead of the above state, consider the state that is within a \(2^{-\varOmega (\kappa )}\) \(\ell _2\)-distance from it, namely:

$$\begin{aligned} \sum _{e\in \mathbb {Z}_N}\rho _{1/r}\Big (\frac{e}{N}\Big ) \left| \langle \mathbf a_k', \mathbf s_0\rangle + e\right\rangle . \end{aligned}$$
(13)

Once we measure the state above, we obtain an LWE sample

$$ \left( \mathbf a_k', \langle \mathbf a_k', \mathbf s_0\rangle + e_k\right) , $$

where \(e_k \hookleftarrow \mathcal {D}_{\mathbb {Z},N/r}\).

Now we can call the \(\mathrm{LWE}_{n,N,\alpha }\) oracle for \(\alpha = 1/r\) with the above states as input and obtain \(\mathbf s_0\) as output of the oracle.

4.1 Reduction from \(\mathrm{dEDCP}\) to \(\mathrm{dLWE}\)

Similarly to the previous section, where as a corollary we showed that \(\mathrm{dLWE}\) reduces to \(\mathrm{dEDCP}\), we finish this section with the reverse reduction. Again we use exactly the same reduction algorithm as for the search versions (see Fig. 6). Thus it remains to show that we obtain a uniformly random sample \((\mathbf a, b) \in {\mathbb Z}_N^n \times {\mathbb Z}_N\) when given as input a state of the form \(\left| j\right\rangle \left| \mathbf x \bmod N\right\rangle \).

Corollary 2

( \(\mathrm{dEDCP}\le \mathrm{dLWE}\) ). Let \((n, N, r)\) be valid \(\mathrm{dG} - \mathrm{EDCP}\) parameters and \((n, N, \alpha )\) be valid \(\mathrm{dLWE}\) parameters. Given \(\ell = \varOmega (\kappa )\) many \(\mathrm{EDCP}_{n,N,r}\) samples, there exists a quantum reduction, with run-time polynomial in \(\kappa \), from \(\mathrm{dG} - \mathrm{EDCP}_{n,N,r}^{\ell }\) to \(\mathrm{dLWE}_{n,N,\alpha }^{\ell }\), where \(\alpha = 1/r\).

Proof

Assume we are given \(\ell \) many samples of \(\mathrm{EDCP}_{n,N,r}\) either of the form

$$ \left\{ \sum _{j\in \mathbb {Z}} \rho _r(j) \left| j\right\rangle \left| \mathbf x_k+j\cdot \mathbf s_0 \bmod N\right\rangle \right\} _{k\in [\ell ]} $$

or of the form

$$ \left\{ \left| j_k\right\rangle \left| \mathbf x_k \bmod N\right\rangle \right\} _{k\in [\ell ]}, $$

where \(j_k \hookleftarrow \mathcal {D}^2_{\mathbb {Z},r}\) and \(\mathbf x_k \in \mathbb {Z}_N^n\) is uniform. Our aim is to distinguish between the above two forms given access to a \(\mathrm{dLWE}_{n,N,\alpha }\) oracle.

As explained above, we assume that random samples of \(\mathrm{EDCP}\) are given. For each input state, after the quantum Fourier transform over \(\mathbb {Z}_N^n\) on the second register, we obtain

$$\begin{aligned} \sum _{a\in \mathbb {Z}_N^n} \omega _N^{\langle \mathbf x_k,\mathbf a\rangle } \left| j_k\right\rangle \left| \mathbf a\right\rangle . \end{aligned}$$

Then we measure the second register and let \(\mathbf a_k\) denote the observed value. Note that each element of \(\mathbb {Z}_N^n\) is measured with probability \(1/N^n\) and that the distributions for different k’s are independent. Up to a global phase, we have

$$\begin{aligned} \left| j_k\right\rangle \left| \mathbf a_k\right\rangle . \end{aligned}$$

We omit the second register, which is known to us. According to Lemma 1, with probability \(1-2^{-\varOmega (\kappa )}\), the value stored in the first register lies in the range \([-\lfloor N/2 \rfloor , \lceil N/2 \rceil -1]\). Applying the QFT over \(\mathbb {Z}_N\) to the first register, we obtain

$$\begin{aligned} \sum _{b\in \mathbb {Z}_N}\omega _N^{j_k\cdot b}\left| b\right\rangle . \end{aligned}$$

We measure the state above and let \(b_k\) denote the observed value. Note that each element of \(\mathbb {Z}_N\) is measured with probability \(1/N\) and that the distributions for different k’s are independent. We obtain a sample

$$ \left( \mathbf a_k, b_k\right) , $$

where \((\mathbf a_k, b_k)\) are uniformly random from \({\mathbb Z}_N^n \times \mathbb {Z}_N\).
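The two proofs above describe the state evolution symbolically; the following numerical check, added here as an illustration and not part of the paper, simulates the same steps classically for small parameters. It takes one \(\mathrm{EDCP}\) sample after the first QFT and the measurement of \(\mathbf a_k\), builds the amplitudes of (11), applies the QFT over \(\mathbb {Z}_N\) as a plain DFT to obtain (12), and compares the result term by term with the Poisson-summation expression \(r\sum _k \rho _{1/r}(k + (\langle \mathbf a_k,\mathbf s_0\rangle + b)/N)\) from the proof of Theorem 4. It then reads off the measurement distribution of \(b\) and checks that it is the LWE sample \((\mathbf a_k', \langle \mathbf a_k', \mathbf s_0\rangle + e)\) with \(\mathbf a_k' = -\mathbf a_k \bmod N\) and an error \(e\) whose squared amplitude \(\rho _{N/r}(e)^2 = \exp (-2\pi e^2 r^2/N^2)\) has standard deviation \(N/(2\sqrt{\pi }\, r)\). The last function covers the observation of Corollary 2: a basis state \(\left| j_k\right\rangle \) yields a uniform \(b_k\). The values \(N = 256\), \(r = 8\), \(\mathbf a_k\) and \(\mathbf s_0\) are constructed for the demonstration.

```python
"""Classical simulation of the EDCP -> LWE state evolution (Theorem 4 and
Corollary 2).  Added illustration, not code from the paper; N, r, a_k and
s_0 used below are constructed sample values.  The QFT over Z_N is run as
a plain O(N^2) DFT, so N must stay small."""
import cmath
import math


def rho(s, x):
    """Gaussian weight rho_s(x) = exp(-pi x^2 / s^2), the paper's notation."""
    return math.exp(-math.pi * x * x / (s * s))


def centered(v, N):
    """Representative of v mod N in [-floor(N/2), ceil(N/2) - 1] (as in Lemma 1)."""
    v %= N
    return v - N if v >= (N + 1) // 2 else v


def inner_mod(a, s, N):
    """<a, s> mod N for integer vectors a, s of equal length."""
    return sum(x * y for x, y in zip(a, s)) % N


def state_11(N, r, c):
    """Unnormalised amplitudes of eq. (11): psi_j = omega_N^{j c} rho_r(j) for
    j in Z_N taken as centred representatives, where c = <a_k, s_0> mod N."""
    return [cmath.exp(2 * math.pi * 1j * j * c / N) * rho(r, centered(j, N))
            for j in range(N)]


def qft(psi):
    """Unnormalised QFT over Z_N: phi_b = sum_j omega_N^{j b} psi_j (eq. (12))."""
    N = len(psi)
    return [sum(cmath.exp(2 * math.pi * 1j * j * b / N) * psi[j] for j in range(N))
            for b in range(N)]


def poisson_amplitude(N, r, c, b, K=10):
    """Prediction from Poisson summation (Lemma 3 in the paper):
    r * sum_{k in Z} rho_{1/r}(k + (c + b)/N), truncated to |k| <= K."""
    theta = (c + b) / N
    return r * sum(rho(1 / r, k + theta) for k in range(-K, K + 1))


def max_poisson_error(N, r, c):
    """Largest |DFT amplitude - Poisson prediction| over b, relative to the peak.
    Small when N >> r, i.e. when truncating j to Z_N is harmless (Lemma 1)."""
    phi = qft(state_11(N, r, c))
    peak = max(abs(x) for x in phi)
    return max(abs(phi[b] - poisson_amplitude(N, r, c, b)) for b in range(N)) / peak


def lwe_sample_distribution(N, r, a, s):
    """Run the reduction on one sample whose first QFT/measurement gave a_k = a.
    Returns (a', probs, errs): a' = -a mod N and, for each b in Z_N, the
    probability of measuring b and the LWE error e = b - <a', s> (centred)."""
    c = inner_mod(a, s, N)
    phi = qft(state_11(N, r, c))
    norm = sum(abs(x) ** 2 for x in phi)
    probs = [abs(x) ** 2 / norm for x in phi]
    a_prime = [(-x) % N for x in a]
    c_prime = inner_mod(a_prime, s, N)
    errs = [centered(b - c_prime, N) for b in range(N)]
    return a_prime, probs, errs


def error_stats(N, r, a, s):
    """Most likely error, probability mass with |e| <= N/r, and std of e.
    The amplitude rho_{N/r}(e) of eq. (13) gives probability
    exp(-2 pi e^2 r^2 / N^2), so the std should be about N / (2 sqrt(pi) r)."""
    _, probs, errs = lwe_sample_distribution(N, r, a, s)
    mode = errs[max(range(N), key=probs.__getitem__)]
    mass = sum(p for p, e in zip(probs, errs) if abs(e) <= N / r)
    std = math.sqrt(sum(p * e * e for p, e in zip(probs, errs)))
    return mode, mass, std


def decisional_case_probs(N, j_k):
    """Corollary 2: the QFT of a basis state |j_k> has amplitudes omega_N^{j_k b}
    of equal modulus, so every b in Z_N is measured with probability 1/N."""
    psi = [1.0 if j == j_k % N else 0.0 for j in range(N)]
    phi = qft(psi)
    norm = sum(abs(x) ** 2 for x in phi)
    return [abs(x) ** 2 / norm for x in phi]


if __name__ == "__main__":
    N, r = 256, 8                          # constructed: N >> r and r >> 1
    a, s = [37, 190, 5], [11, 240, 77]     # constructed a_k in Z_N^3 and secret s_0
    print("Poisson relative error:", max_poisson_error(N, r, inner_mod(a, s, N)))
    mode, mass, std = error_stats(N, r, a, s)
    print("mode e =", mode, " mass(|e| <= N/r) =", round(mass, 5),
          " std =", round(std, 3), " predicted", round(N / (2 * math.sqrt(math.pi) * r), 3))
    print("uniform b_k:", max(abs(p - 1 / N) for p in decisional_case_probs(N, 5)) < 1e-12)
```

With these parameters the DFT and the Poisson-summation expression agree to floating-point precision, the most likely measured \(b\) is exactly \(\langle \mathbf a_k', \mathbf s_0\rangle \bmod N\), and more than 99.9% of the probability mass has \(|e| \le N/r\), which is the statement that the measured pair is an \(\mathrm{LWE}\) sample with Gaussian error of parameter \(N/r\), i.e. \(\alpha = 1/r\).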