Modern Cryptography Volume 2: A Classical Introduction To Informational and Mathematical Principle 1st Edition Zhiyong Zheng

Financial Mathematics and Fintech

Zhiyong Zheng
Kun Tian
Fengxia Liu

Modern
Cryptography
Volume 2
A Classical Introduction to Informational
and Mathematical Principle
Financial Mathematics and Fintech

Series Editors
Zhiyong Zheng, Renmin University of China, Beijing, Beijing, China
Alan Peng, University of Toronto, Toronto, ON, Canada
This series addresses the emerging advances in mathematical theory related to
finance and application research from all the fintech perspectives. It is a series of
monographs and contributed volumes focusing on the in-depth exploration of
financial mathematics such as applied mathematics, statistics, optimization, and
scientific computation, and fintech applications such as artificial intelligence, block
chain, cloud computing, and big data. This series is featured by the comprehensive
understanding and practical application of financial mathematics and fintech. This
book series involves cutting-edge applications of financial mathematics and fintech
in practical programs and companies.
The Financial Mathematics and Fintech book series promotes the exchange of
emerging theory and technology of financial mathematics and fintech between
academia and financial practitioner. It aims to provide a timely reflection of the state
of art in mathematics and computer science facing to the application of finance. As a
collection, this book series provides valuable resources to a wide audience in
academia, the finance community, government employees related to finance and
anyone else looking to expand their knowledge in financial mathematics and
fintech.
The key words in this series include but are not limited to:
a) Financial mathematics
b) Fintech
c) Computer science
d) Artificial intelligence
e) Big data
Zhiyong Zheng
School of Mathematics, Renmin University of China, Beijing, China
Henan Academy of Sciences, Zhengzhou, China

Kun Tian
School of Mathematics, Renmin University of China, Beijing, China

Fengxia Liu
Artificial Intelligence Research Institute, Beihang University, Beijing, China

ISSN 2662-7167 ISSN 2662-7175 (electronic)


Financial Mathematics and Fintech
ISBN 978-981-19-7643-8 ISBN 978-981-19-7644-5 (eBook)
https://doi.org/10.1007/978-981-19-7644-5

© The Editor(s) (if applicable) and The Author(s) 2023. This book is an open access publication.
Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International
License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution
and reproduction in any medium or format, as long as you give appropriate credit to the original
author(s) and the source, provide a link to the Creative Commons license and indicate if changes were
made.
The images or other third party material in this book are included in the book’s Creative Commons license,
unless indicated otherwise in a credit line to the material. If material is not included in the book’s Creative
Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted
use, you will need to obtain permission directly from the copyright holder.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Singapore Pte Ltd.
The registered company address is: 152 Beach Road, #21-01/04 Gateway East, Singapore 189721,
Singapore
Preface

For integer factorization and discrete logarithm calculation, P. W. Shor published an
efficient quantum algorithm in SIAM Journal on Computing in 1997, which is
called the Shor algorithm in academic circles. Classical public key cryptosystems
such as RSA and ECC cannot resist the attack of the Shor algorithm, so the
major security risks of public key cryptosystems are completely exposed to the Shor
algorithm and quantum computers.
In the past 20 years, the rise and development of post-quantum cryptography have
been closely related to lattice cryptosystems. The academic community believes
that the hard problems on lattices, such as the shortest vector problem (SVP), the
continuous shortest vector problem (SIVP) and the determination of the shortest
vector problem (GapSVP), can resist quantum computing effectively, so the public
key cryptosystems based on the hard problems on lattices have become the core theory
and technology of post-quantum cryptography. At present, there are six kinds of
published post-quantum cryptosystems:
1. Ajtai-Dwork cryptosystem (1997). Ajtai constructed a collision-resistant Hash
function by the circulant matrix and ideal matrix, and converted the collision point
into the shortest vector problem on q-ary integer lattice. Ajtai first proposed the
concept of random lattice (Gauss lattice) in 1996, and established the famous
reduction principle ‘from the worst case to the average case’. The security of
Ajtai-Dwork cryptosystem could be fully proved by this reduction principle.
2. GGH/HNF cryptosystem (1997). In 1997, Goldreich, Goldwasser and Halevi
constructed a public key cryptosystem based on the closest vector problem on
the q-ary integer lattice, which was further improved by Micciancio using the
Hermite normal basis in 2005. The idea of Micciancio is very simple. Since the
HNF basis of any lattice can be easily computed from its generated matrix, the
GGH cryptosystem uses the HNF basis as the public key directly.
3. NTRU cryptosystem (1998). Number Theory Research Unit (NTRU) is a
quantum-resistant public key cryptosystem developed by J. Hoffstein,
J. Pipher and J. H. Silverman at Brown University in 1998, which has become
the most attractive post-quantum cryptosystem due to its simple algorithm, fast
calculation speed and small storage space. In 2009, the National Institute of
Standards and Technology wrote in a survey report that there is no cryptosystem that could
provide both public key encryption and digital signature and resist the Shor
algorithm simultaneously. The NTRU encryption algorithm seems to be the most
likely choice among many lattice-based encryption schemes. The PQCRYPTO
program (Horizon 2020 ICT-645622) of the European Union hopes to develop a new
European encryption standard based on the NTRU improved by Stehle-Steinfeld.
4. McEliece/Niederreiter cryptosystem (1998). Linear codes are the earliest error-
correcting codes in coding theory. Later, algebraic coding developed based on
the ideal theory greatly enriched and improved the linear coding theory. Cyclic
codes and Goppa codes are the most important error-correcting codes in algebraic
coding. McEliece and Niederreiter independently constructed a new public key cryptosystem
by using the asymmetry of the encoding algorithm and decoding algorithm of the
error-correcting code, which we call the McEliece/Niederreiter cryptosystem.
Since a code (linear code or algebraic code) can be regarded as a lattice
on a finite field, the security of this cryptosystem is closely related to the closest
vector problem on the q-ary integer lattice. Recent studies have shown that coding
theory plays an important role in lattice-based cryptosystems.
5. LWE cryptosystem (2005). In 2005, O. Regev of Tel Aviv University in Israel
proposed the famous LWE cryptosystem based on the LWE distribution. Because
of this work, Regev won the highest award in theoretical computer science
in 2018, the Gödel Award. The LWE distribution (Learning With Errors) is
a random linear system with errors having Gauss distribution. Regev’s cryptosystem
encrypts a single bit of plaintext each time. Since the security of the LWE
problem has been clearly proved (see Chap. 3 of this book), the LWE cryptosystem
is currently the most active and mainstream research topic.
6. Fully homomorphic encryption (FHE). In 1985, R. Rivest, C. Adleman and
M. Dertouzos first proposed the concept of data bank and the conjecture of fully
homomorphic encryption. Some individuals and organizations encrypt the original
data and store them in the data bank for privacy protection, which is obviously
a huge wealth. How to compute these encrypted data effectively? R. Rivest, C.
Adleman and M. Dertouzos presented the fully homomorphic encryption conjecture.
In 2009, C. Gentry of Stanford University partially solved the RAD conjecture.
Gentry’s work is based on the ideal lattice, that is, an integer lattice which
has a one-to-one correspondence to the ideal of polynomial ring. But the cryptosystem
of Gentry is a finite-time fully homomorphic encryption, and infinite
fully homomorphic encryption is still an unsolved public problem. In 2012 and
2013, the second and third fully homomorphic encryption algorithms based on
the LWE distribution were proposed one after another. Gentry won the 2022
Gödel Award for his contributions.
In the book Modern Cryptography, we give a detailed introduction to the basic
theory of lattice and the first four kinds of lattice-based cryptosystems. The main
purpose of this book is to discuss the computational complexity theory of lattice
cryptosystems, especially Ajtai’s reduction principle, and fill the gap that
post-quantum cryptography focuses on the encryption and decryption algorithms, and
the theoretical proof is insufficient. In Chaps. 3, 4 and 6, we introduce the LWE
distribution, LWE cryptosystem and fully homomorphic encryption in detail. When
using stochastic analysis tools, there are many ‘ambiguity’ problems in terms of
definitions and algorithms, such as the ‘≈’ notation that appears in a large number of
papers and books, which is mathematically imprecise. The biggest characteristic of
this book is to use probability distribution to provide rigorous mathematical
definitions and proofs for various unclear expressions, making it a rigorous theoretical
system to facilitate teaching and dissemination in class. Chapters 5 and 7 are based
on two papers published by the authors in the Journal of Information Security
(see references [63, 64]). These materials can be regarded as some important topics,
such as the further extension and improvement of cyclic lattices, ideal lattices and
generalized NTRU cryptosystems.
This book contains the most cutting-edge and hottest research topics in
post-quantum cryptography. Reading all the chapters requires a lot of mathematical
knowledge and a good mathematical foundation. Therefore, this book can be used
as a textbook for graduate students in mathematics and cryptography, or a reference
book for researchers in the cryptography area. Due to the rush of time, all the
materials are summarized from domestic and foreign research papers in the last 20 years,
and shortcomings and mistakes are inevitable. We welcome readers to criticize and
correct them.

Zhengzhou, China Zhiyong Zheng


September 2022
Contents

1 Random Lattice Theory
  1.1 Fourier Transform
  1.2 Discrete Gauss Measure
  1.3 Smoothing Parameter
  1.4 Some Properties of Discrete Gauss Distribution
2 Reduction Principle of Ajtai
  2.1 Random Linear System
  2.2 SIS Problem
  2.3 INCGDD Problem
  2.4 Reduction Principle
3 Learning with Error
  3.1 Circulant Matrix
  3.2 SIS and Knapsack Problem on Ring
  3.3 LWE Problem
  3.4 Proof of the Main Theorem
    3.4.1 From LWE to DGS
    3.4.2 From DGS to Hard Problems on Lattice
    3.4.3 From D-LWE to LWE
4 LWE Public Key Cryptosystem
  4.1 LWE Cryptosystem of Regev
  4.2 The Proof of Security
  4.3 Properties of Rounding Function
  4.4 General LWE-Based Cryptosystem
  4.5 Probability of Decryption Error for General Disturbance
5 Cyclic Lattices and Ideal Lattices
  5.1 Some Basic Properties of Lattice
  5.2 Ideal Matrices
  5.3 φ-Cyclic Lattice
  5.4 Improved Upper Bound for Smoothing Parameter
6 Fully Homomorphic Encryption
  6.1 Definitions and Examples
  6.2 Gadget Matrix and Gadget Technique
  6.3 Bounded Fully Homomorphic Encryption
  6.4 Construction of Gentry
  6.5 Attribute-Based Encryption
7 A Generalization of NTRUencrypt
  7.1 φ-Cyclic Code
  7.2 A Generalization of NTRUencrypt
References
Notations

$\mathbb{R}^n$: n dimensional Euclidean space
$\mathbb{Z}^n$: Integer points in $\mathbb{R}^n$
$\mathbb{Z}_q$: Residue class ring mod q
$\mathbb{C}$: Complex field
$\mathbb{R}[x]$: Polynomial ring of one variable on $\mathbb{R}$
$\mathbb{Z}[x]$: Polynomial ring of one variable on $\mathbb{Z}$
$\mathbb{Z}_q[x]$: Polynomial ring of one variable on $\mathbb{Z}_q$
$|x|$: $l_2$ norm of vector x
$N(x_0, r)$: Sphere with center $x_0$ and radius r in $\mathbb{R}^n$
$[a]$: The largest integer no more than real number a
$\{a\}$: The fractional part of real number a
a: The nearest integer to real number a
$\hat{f}$: Fourier transform of function f
(ξ, η): Statistical distance of random variable ξ and η
$E(\xi)$: Expectation of random variable ξ
$Var(\xi)$: Variance of random variable ξ
$\Pr\{A\}$: Probability of random event A
$U(G)$: Uniform distribution on G
(x): Cumulative distribution of standard normal distribution
poly(n): Polynomial function of n
$L = L(B)$: Lattice L with generated matrix B
$L(B)^{\perp}$: Dual lattice of L with generated matrix $(B^T)^{-1}$
$F(B)$: Basic neighborhood of lattice with generated matrix B
$\lambda_1(L)$: Minimal distance of lattice L
$\rho(L)$: Covering radius of lattice L
η (L): Smoothing parameter of lattice L
a|x: Product of real number a and vector x
$x \cdot y$: Inner product of vector x and y
$A \otimes B$: Kronecker product of matrix A and B
(n): Negligible function of n
$g(n) = \tilde{O}(f(n))$: $g(n) = O(f(n)\log\log|f(n)|)$
Chapter 1
Random Lattice Theory

Let $\mathbb{R}^n$ be the Euclidean space of dimension $n$, $x = \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix}$, $y = \begin{pmatrix} y_1 \\ \vdots \\ y_n \end{pmatrix}$ are two vectors
of $\mathbb{R}^n$, the inner product of $x$ and $y$ is defined as

$$x \cdot y = x_1 y_1 + x_2 y_2 + \cdots + x_n y_n = x^T y. \tag{1.0.1}$$

The Euclidean norm $|x|$ of vector $x$ (also called the $l_2$ norm) is defined as

$$|x| = (x_1^2 + x_2^2 + \cdots + x_n^2)^{\frac{1}{2}} = \sqrt{x \cdot x}. \tag{1.0.2}$$

Let $B = (b_{ij})_{n \times n} \in \mathbb{R}^{n \times n}$ be an invertible square matrix of order $n$, a full-rank
lattice $L$ in $\mathbb{R}^n$ is defined as

$$L = L(B) = \{Bx \mid x \in \mathbb{Z}^n\}. \tag{1.0.3}$$

A lattice $L$ is a discrete geometry in $\mathbb{R}^n$, in other words, there is a positive constant
$\lambda_1 = \lambda_1(L) > 0$ and a vector $\alpha \in L$ satisfying $\alpha \neq 0$, such that

$$|\alpha| = \min_{x \in L,\, x \neq 0} |x| = \lambda_1(L). \tag{1.0.4}$$

$\lambda_1$ is called the shortest distance in $L$, $\alpha$ is the shortest vector in $L$. A sphere in $n$
dimensional Euclidean space $\mathbb{R}^n$ with center $x_0$ and radius $r$ is defined as

$$N(x_0, r) = \{x \in \mathbb{R}^n \mid |x - x_0| \leq r\}, \quad x_0 \in \mathbb{R}^n. \tag{1.0.5}$$

© The Author(s) 2023
Z. Zheng et al., Modern Cryptography Volume 2, Financial Mathematics and Fintech,
https://doi.org/10.1007/978-981-19-7644-5_1

In particular, N (0, r ) represents a sphere with origin as the center of the circle and
radius r . The discretization of a lattice is equivalent to the fact that the intersection
of L with any sphere N (x0 , r ) is a finite set, i.e.
$$\#\{L \cap N(x_0, r)\} < \infty. \tag{1.0.6}$$

Let $L = L(B)$ be a lattice, $B$ is the generated matrix of $L$. Block $B$ by each column
vector as $B = [\beta_1, \beta_2, \ldots, \beta_n]$, the basic neighborhood $F(B)$ of $L$ is defined as

$$F(B) = \Big\{ \sum_{i=1}^{n} x_i \beta_i \;\Big|\; 0 \leq x_i < 1 \Big\}. \tag{1.0.7}$$

Clearly the basic neighborhood $F(B)$ is related to the generated matrix $B$ of $L$,
which is actually a set of representative elements of the additive quotient group
$\mathbb{R}^n / L$. $F^*(B)$ is also a set of representative elements of the quotient group $\mathbb{R}^n / L$,
where

$$F^*(B) = \Big\{ \sum_{i=1}^{n} x_i \beta_i \;\Big|\; -\frac{1}{2} \leq x_i < \frac{1}{2} \Big\},$$

therefore, $F^*(B)$ can also be a basic neighborhood of the lattice $L$. The following
property is easy to prove [see Lemma 2.6 in Chap. 7 in Zheng (2022)]

$$\mathrm{Vol}(F(B)) = |\det(B)| = \det(L). \tag{1.0.8}$$

That is, the volume of the basic neighborhood of L is an invariant and does not
change with the choice of the generated matrix B. We denote det(L) = |det(B)| as
the determinant of the lattice L.
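
The definitions (1.0.3), (1.0.4), (1.0.7) and (1.0.8) worked through on a small case, as an added example that is not from the book. The 2-dimensional bases, the unimodular matrix `U` and the search bounds are constructed for illustration; the example shows that det(L) does not depend on the basis, while a brute-force search for λ1 over a coefficient box does.

```python
import math
from itertools import product

def mat_vec(B, x):
    """Return Bx for a 2x2 matrix B given as a list of rows."""
    return [B[0][0] * x[0] + B[0][1] * x[1], B[1][0] * x[0] + B[1][1] * x[1]]

def mat_mul(A, B):
    """Return the 2x2 matrix product AB."""
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def det2(B):
    return B[0][0] * B[1][1] - B[0][1] * B[1][0]

def coords(B, y):
    """Coefficients t = B^{-1} y of the point y with respect to the basis B."""
    d = det2(B)
    return [(B[1][1] * y[0] - B[0][1] * y[1]) / d,
            (-B[1][0] * y[0] + B[0][0] * y[1]) / d]

def in_lattice(B, v, tol=1e-9):
    """v lies in L(B) exactly when B^{-1} v is an integer vector, see (1.0.3)."""
    return all(abs(t - round(t)) < tol for t in coords(B, v))

def shortest_vector(B, bound):
    """Brute-force (1.0.4) over coefficient vectors x in [-bound, bound]^2, x != 0.
    The result equals lambda_1(L) only if the box contains the coefficients of a
    shortest vector, which depends on how good the basis is."""
    best_norm, best_vec = math.inf, None
    for x in product(range(-bound, bound + 1), repeat=2):
        if x == (0, 0):
            continue
        v = mat_vec(B, x)
        norm = math.hypot(v[0], v[1])
        if norm < best_norm:
            best_norm, best_vec = norm, v
    return best_norm, best_vec

def reduce_to_F(B, y):
    """Representative of y + L in the basic neighborhood F(B) of (1.0.7):
    keep only the fractional parts of the coefficients of y."""
    frac = [t - math.floor(t) for t in coords(B, y)]
    return mat_vec(B, frac)

# Constructed sample data: columns of B_GOOD are beta_1 = (2, 0), beta_2 = (1, 3).
B_GOOD = [[2, 1], [0, 3]]
U = [[1, 4], [1, 5]]           # integer matrix with det(U) = 1 (unimodular)
B_BAD = mat_mul(B_GOOD, U)     # generates the same lattice with longer basis vectors

if __name__ == "__main__":
    print("det:", det2(B_GOOD), det2(B_BAD))                      # same |det|, (1.0.8)
    print("good basis, box 2:", shortest_vector(B_GOOD, 2))
    print("bad basis,  box 2:", shortest_vector(B_BAD, 2))        # misses lambda_1
    print("bad basis,  box 5:", shortest_vector(B_BAD, 5))
    y = [7.5, -4.0]
    print("representatives:", reduce_to_F(B_GOOD, y), reduce_to_F(B_BAD, y))
```

The two representatives of `y` differ because F(B) depends on B, but each differs from `y` by a lattice vector.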
The basic properties of lattice can be found in Chap. 7 of Zheng (2022). The main
purpose of this chapter is to establish the random theory of lattice. If a lattice L is the
space of values of a random variable (or random vector), it is called a random lattice.
Random lattice is a new research topic in lattice theory, and the works of Micciancio
and Regev (2004), Regev (2004), Micciancio and Regev (2004), Micciancio and
Regev (2009) are pioneering. In this way, the study of random lattice is no more
than ten years. For technical reasons, only a special class of random lattices can be
defined and studied. That is, consider a random variable ξ defined in Rn from a Gauss
distribution, and limit the discretization of ξ to L so that L becomes a random lattice.
It is a special kind of random lattice, which we call the Gauss lattice. The main purpose
of this chapter is to introduce Gauss lattice, define the smoothing parameter on Gauss
lattice and calculate the statistical distance based on the smoothing parameter. The
mathematical technique used in this chapter is high dimensional Fourier transform.
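1.1 Fourier Transform

A complex function $f(x)$ on $\mathbb{R}^n$ is a mapping of $\mathbb{R}^n \to \mathbb{C}$, where $\mathbb{C}$ is the complex
field. We define the function spaces $L^1(\mathbb{R}^n)$ and $L^2(\mathbb{R}^n)$:

$$L^1(\mathbb{R}^n) = \Big\{ f : \mathbb{R}^n \to \mathbb{C} \;\Big|\; \int_{\mathbb{R}^n} |f(x)|\,dx < \infty \Big\} \tag{1.1.1}$$

and

$$L^2(\mathbb{R}^n) = \Big\{ f : \mathbb{R}^n \to \mathbb{C} \;\Big|\; \int_{\mathbb{R}^n} |f(x)|^2\,dx < \infty \Big\}. \tag{1.1.2}$$

If $f(x), g(x) \in L^1(\mathbb{R}^n)$, define the convolution of $f$ with $g$ as

$$f * g(x) = \int_{\mathbb{R}^n} f(x - \xi) g(\xi)\,d\xi. \tag{1.1.3}$$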
We have the following properties about convolution.

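Lemma 1.1.1 Suppose $f(x), g(x) \in L^1(\mathbb{R}^n)$, then

(i) $f * g(x) = g * f(x)$.
(ii) $\int_{\mathbb{R}^n} f * g(x)\,dx = \int_{\mathbb{R}^n} f(x)\,dx \cdot \int_{\mathbb{R}^n} g(x)\,dx$.

Proof By the definition of convolution (1.1.3), we have

$$g * f(x) = \int_{\mathbb{R}^n} g(x - \xi) f(\xi)\,d\xi = \int_{\mathbb{R}^n} g(y) f(x - y)\,dy = f * g(x).$$

Property (i) holds. To obtain the second result (ii), we have

$$\int_{\mathbb{R}^n} f * g(x)\,dx = \int_{\mathbb{R}^n} \Big( \int_{\mathbb{R}^n} f(x - \xi) g(\xi)\,d\xi \Big) dx = \int_{\mathbb{R}^n} \int_{\mathbb{R}^n} f(y) g(\xi)\,dy\,d\xi = \int_{\mathbb{R}^n} f(y)\,dy \cdot \int_{\mathbb{R}^n} g(\xi)\,d\xi.$$

The lemma is proved.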

Definition 1.1.1 If $f(x) \in L^1(\mathbb{R}^n)$, define the Fourier transform of $f(x)$ as

$$\hat{f}(x) = \int_{\mathbb{R}^n} f(\xi) e^{-2\pi i x \cdot \xi}\,d\xi, \quad x \in \mathbb{R}^n. \tag{1.1.4}$$

Note that $f \to \hat{f}$ is an operator of the function space defined on $L^1(\mathbb{R}^n)$, which is
called the Fourier operator. If $f(x) = f_1(x_1) f_2(x_2) \cdots f_n(x_n)$, then the high dimensional
Fourier operator can be reduced to the product of one dimensional Fourier
operators, i.e.

$$\hat{f}(x) = \prod_{i=1}^{n} \hat{f}_i(x_i). \tag{1.1.5}$$

The following are some of the most common and fundamental properties of Fourier
transform.

Lemma 1.1.2 Suppose $f(x) \in L^1(\mathbb{R}^n)$, $g(x) \in L^1(\mathbb{R}^n)$, then

(i) $\widehat{f * g}(x) = \hat{f}(x)\hat{g}(x)$.
(ii) $a \in \mathbb{R}^n$ is a given vector, denote $\tau_a f$ as the coordinate translation function, i.e.
$\tau_a f(x) = f(x + a)$, $\forall x \in \mathbb{R}^n$. Then we have $\widehat{\tau_a f}(x) = e^{2\pi i x \cdot a} \hat{f}(x)$.
(iii) Let $h(x) = e^{2\pi i x \cdot a} f(x)$, thus $\hat{h}(x) = \hat{f}(x - a)$.
(iv) Let $\delta \neq 0$ be a real number, $f_\delta(x) = f(\frac{1}{\delta} x)$, then $\hat{f}_\delta(x) = |\delta|^n \hat{f}_{\delta^{-1}}(x) = |\delta|^n \hat{f}(\delta x)$.
(v) Let $A$ be an invertible real matrix of order $n$, namely $A \in GL_n(\mathbb{R})$, define $f \circ A(x) = f(Ax)$.
Then $\widehat{f \circ A}(x) = |A|^{-1} \hat{f} \circ (A^{-1})^T(x) = |A|^{-1} \hat{f}((A^{-1})^T x)$, where
$A^T$ is the transpose matrix of $A$.

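Proof By definition, we have

$$\widehat{f * g}(x) = \int_{\mathbb{R}^n} f * g(\xi) e^{-2\pi i x \cdot \xi}\,d\xi = \int_{\mathbb{R}^n} \Big( \int_{\mathbb{R}^n} f(\xi - y) g(y)\,dy \Big) e^{-2\pi i x \cdot \xi}\,d\xi.$$

Taking variable substitution $\xi - y = y'$, then $\xi = y + y'$, and $d\xi = dy'$, so we have

$$\widehat{f * g}(x) = \int_{\mathbb{R}^n} g(y) e^{-2\pi i x \cdot y}\,dy \cdot \int_{\mathbb{R}^n} f(y') e^{-2\pi i x \cdot y'}\,dy' = \hat{f}(x)\hat{g}(x),$$

property (i) is proved. Based on the definition of Fourier transform, we have

$$\widehat{\tau_a f}(x) = \int_{\mathbb{R}^n} f(\xi + a) e^{-2\pi i x \cdot \xi}\,d\xi = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot (y - a)}\,dy = e^{2\pi i x \cdot a} \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot y}\,dy = e^{2\pi i x \cdot a} \hat{f}(x),$$

property (ii) gets proved. Similarly, we can obtain (iii). Next, we give the proof of
(iv). Since $\delta \neq 0$, and $f_\delta(x) = f(\frac{1}{\delta} x)$, so

$$\hat{f}_\delta(x) = \int_{\mathbb{R}^n} f\Big(\frac{1}{\delta} \xi\Big) e^{-2\pi i x \cdot \xi}\,d\xi = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot \delta y} |\delta|^n\,dy = \int_{\mathbb{R}^n} f(y) e^{-2\pi i (\delta x \cdot y)} |\delta|^n\,dy = |\delta|^n \hat{f}_{\delta^{-1}}(x).$$

By the condition $A \in GL_n(\mathbb{R})$, $f \circ A(x) = f(Ax)$, then

$$\widehat{f \circ A}(x) = \int_{\mathbb{R}^n} f(A\xi) e^{-2\pi i x \cdot \xi}\,d\xi.$$

Taking variable substitution, $y = A\xi$, then $A^{-1} y = \xi$, and $d\xi = |A|^{-1} dy$, so

$$\widehat{f \circ A}(x) = \int_{\mathbb{R}^n} f(y) e^{-2\pi i x \cdot A^{-1} y} |A|^{-1}\,dy = |A|^{-1} \int_{\mathbb{R}^n} f(y) e^{-2\pi i ((A^{-1})^T x \cdot y)}\,dy = |A|^{-1} \hat{f}((A^{-1})^T x) = |A|^{-1} \hat{f} \circ (A^{-1})^T(x).$$

Lemma 1.1.2 is proved.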

Finally, we give some examples of the Fourier transform.

Example 1.1 Let $n = 1$, $a \in \mathbb{R}$, $a > 0$, define the characteristic function $1_{[-a,a]}(x)$
of the closed interval $[-a, a]$ as

$$1_{[-a,a]}(x) = \begin{cases} 1, & x \in [-a, a], \\ 0, & x \notin [-a, a]. \end{cases}$$

Then

$$\hat{1}_{[-a,a]}(x) = \frac{\sin 2\pi a x}{\pi x}. \tag{1.1.6}$$

For $n > 1$, let $a = (a_1, a_2, \ldots, a_n) \in \mathbb{R}^n$, the square $[-a, a]$ is defined as

$$[-a, a] = [-a_1, a_1] \times [-a_2, a_2] \times \cdots \times [-a_n, a_n].$$

Define the characteristic function $1_{[-a,a]}(x)$ of the square $[-a, a]$, then

$$\hat{1}_{[-a,a]}(x) = \prod_{i=1}^{n} \frac{\sin 2\pi a_i x_i}{\pi x_i}. \tag{1.1.7}$$

Proof For the general $n$, it is clear that

$$1_{[-a,a]}(x) = \prod_{i=1}^{n} 1_{[-a_i,a_i]}(x_i).$$

Based on Eq. (1.1.5), we only need to prove Eq. (1.1.6). $n = 1$, $a \in \mathbb{R}$, so

$$\hat{1}_{[-a,a]}(x) = \int_{\mathbb{R}} 1_{[-a,a]}(\xi) e^{-2\pi i x \xi}\,d\xi = \int_{-a}^{a} e^{-2\pi i x \xi}\,d\xi = \frac{1}{\pi x} \sin 2\pi a x.$$

Example 1.2 Let $f(x) = e^{-\pi |x|^2}$, $x \in \mathbb{R}^n$, then $f(x) \in L^1(\mathbb{R}^n)$, and $\hat{f}(x) = f(x)$,
namely $f(x)$ is a fixed point of Fourier operator, which is also called a dual function.

Proof Clearly, $f(x) \in L^1(\mathbb{R}^n)$. To prove the fixed point property of $f(x)$, by definition

$$\hat{f}(x) = \int_{\mathbb{R}^n} e^{-\pi |\xi|^2 - 2\pi i x \cdot \xi}\,d\xi = e^{-\pi |x|^2} \int_{\mathbb{R}^n} e^{-\pi |\xi + i x|^2}\,d\xi = e^{-\pi |x|^2} \int_{\mathbb{R}^n} e^{-\pi |y|^2}\,dy.$$

By one dimensional Poisson integral,

$$\int_{-\infty}^{+\infty} e^{-\pi y^2}\,dy = 1, \tag{1.1.8}$$

we have the following high dimensional Poisson integral,

$$\int_{\mathbb{R}^n} e^{-\pi |y|^2}\,dy = 1. \tag{1.1.9}$$

So we get $\hat{f}(x) = f(x)$.


1.2 Discrete Gauss Measure

From the property of $f(x) = e^{-\pi |x|^2}$ under the Fourier operator introduced in the last
section, and high dimensional Poisson integral formula (1.1.9), we can generalize
$f(x)$ as the density function of a random variable from the normal Gauss distribution
to a general Gauss distribution in $\mathbb{R}^n$. We first discuss the Gauss function on $\mathbb{R}^n$.

Definition 1.2.1 Let $s > 0$ be a given positive real number, $c \in \mathbb{R}^n$ is a vector. The
Gauss function $\rho_{s,c}(x)$ centered on $c$ with parameter $s$ is defined as

$$\rho_{s,c}(x) = e^{-\frac{\pi}{s^2} |x - c|^2}, \quad x \in \mathbb{R}^n \tag{1.2.1}$$

and

$$\rho_s(x) = \rho_{s,0}(x), \quad \rho(x) = \rho_1(x) = e^{-\pi |x|^2}. \tag{1.2.2}$$

From the definition we have

$$\rho_s(x) = \rho\Big(\frac{1}{s} x\Big) = e^{-\pi |\frac{x}{s}|^2}$$

and

$$\rho_s(x) = \rho_s(x_1) \cdots \rho_s(x_n).$$

It can be obtained from Poisson integral formula (1.1.9)

$$\int_{\mathbb{R}^n} \rho_s(x)\,dx = \int_{\mathbb{R}^n} \rho_{s,c}(x)\,dx = s^n. \tag{1.2.3}$$

Lemma 1.2.1 The Fourier transform of Gauss functions $\rho_s(x)$ and $\rho_{s,c}(x)$ are

$$\hat{\rho}_s(x) = s^n \rho_{1/s}(x) = s^n e^{-\pi |s x|^2} \tag{1.2.4}$$

and

$$\hat{\rho}_{s,c}(x) = e^{-2\pi i x \cdot c} s^n \rho_{1/s}(x). \tag{1.2.5}$$

Proof By property (iv) of Lemma 1.1.2 and $s > 0$, we have

$$\hat{\rho}_s(x) = s^n \hat{\rho}_{1/s}(x) = s^n \hat{\rho}(s x) = s^n \rho(s x).$$

The last equation follows from Example 1.2 in the previous section, therefore, (1.2.4)
holds. By the property (ii) of Lemma 1.1.2, we have

$$\hat{\rho}_{s,c}(x) = \widehat{\tau_{-c} \rho_s}(x) = e^{-2\pi i x \cdot c} \hat{\rho}_s(x) = s^n e^{-2\pi i x \cdot c} \rho_{1/s}(x).$$

Lemma 1.2.1 is proved.


Lemma 1.2.2 ρs,c (x) is uniformly continuous in Rn , i.e. for any > 0, there is
δ = δ( ), when |x − y| < δ for x ∈ Rn , y ∈ Rn , we have

|ρs,c (x) − ρs,c (y)| < .

Proof By definition, $0 < \rho_{s,c}(x) \leq 1$, hence $\rho_{s,c}(x)$ is uniformly bounded in $\mathbb{R}^n$, we
will prove $\rho'_{s,c}(x)$ is also uniformly bounded in $\mathbb{R}^n$. We only prove the case of $c = 0$.
Since $\rho_s(x) = \rho_s(x_1) \cdots \rho_s(x_n)$, without loss of generality, let $n = 1$, $t \in \mathbb{R}$,
then

$$\rho'_s(t) = -\frac{2\pi}{s^2}\, t\, e^{-\frac{\pi}{s^2} t^2}.$$

When $|t| \geq M$, it is clear

$$e^{-\frac{\pi}{s^2} t^2} \leq \frac{1}{|t|^2}.$$

Hence, when $|t| \geq M$, we have

$$|\rho'_s(t)| \leq \frac{2\pi}{s^2 |t|} \leq \frac{2\pi}{s^2 M}.$$

For $|t| < M$, by the continuity of $\rho'_s(t)$ we have $\rho'_s(t)$ is bounded. This gives the
proof that $\rho_{s,c}(x)$ is uniformly continuous in $\mathbb{R}^n$. Let $|\rho'_{s,c}(x)| \leq M_0$, $\forall x \in \mathbb{R}^n$. By
the differential mean value theorem, we have

$$|\rho_{s,c}(x) - \rho_{s,c}(y)| = |\rho'_{s,c}(\xi)| \cdot |x - y| \leq M_0 |x - y|.$$

Let δ = M0
, then
|ρs,c (x) − ρs,c (y)| < , if |x − y| < δ.

We finish the proof of the lemma. 

Definition 1.2.2 For $s > 0$, $c \in \mathbb{R}^n$, define the continuous Gauss density function
$D_{s,c}(x)$ as

$$D_{s,c}(x) = \frac{1}{s^n} \rho_{s,c}(x), \quad \forall x \in \mathbb{R}^n. \tag{1.2.6}$$

The definition gives that

$$\int_{\mathbb{R}^n} D_{s,c}(x)\,dx = \frac{1}{s^n} \int_{\mathbb{R}^n} \rho_{s,c}(x)\,dx = 1.$$

Thus, a continuous Gauss density function $D_{s,c}(x)$ corresponds to a continuous
random vector from a Gauss distribution in $\mathbb{R}^n$, and this correspondence is one-to-one.

Definition 1.2.3 Suppose $f(x) : \mathbb{R}^n \to \mathbb{C}$ is an n-elements function, $A \subset \mathbb{R}^n$ is a
finite or countable set in $\mathbb{R}^n$, define $f(A)$ as

$$f(A) = \sum_{x \in A} f(x). \tag{1.2.7}$$

The continuous Gauss density function $D_{s,c}(x)$ is also called the continuous Gauss
measure. In order to implement the transformation from continuous measure to discrete
measure and define random variables on discrete geometry in $\mathbb{R}^n$, the following
lemma is an important theoretical support.

Lemma 1.2.3 Let $L \subset \mathbb{R}^n$ be a full-rank lattice, then

$$D_{s,c}(L) = \sum_{x \in L} D_{s,c}(x) < \infty.$$

Proof From definition,

$$D_{s,c}(L) = \frac{1}{s^n} \sum_{x \in L} \rho_{s,c}(x) = \frac{1}{s^n} \sum_{x \in L} e^{-\frac{\pi}{s^2} |x - c|^2}.$$

By the property of the exponential function $e^t$, there exists a constant $M_0 > 0$, when
$|x - c| > M_0$,

$$e^{-\frac{\pi}{s^2} |x - c|^2} \leq \frac{s^2}{\pi |x - c|^2}. \tag{1.2.8}$$

Thus, we can divide the points on the lattice $L$ into two sets. Let

$$A_1 = L \cap \{x \in \mathbb{R}^n \mid |x - c| \leq M_0\} = L \cap N(c, M_0)$$

and

$$A_2 = L \cap \{x \in \mathbb{R}^n \mid |x - c| > M_0\}.$$

From (1.0.6) we have

$$\sum_{x \in A_1} e^{-\frac{\pi}{s^2} |x - c|^2} \leq \sum_{x \in A_1} 1 = \# A_1 < \infty.$$

Based on (1.2.8),

$$\sum_{x \in A_2} e^{-\frac{\pi}{s^2} |x - c|^2} \leq \sum_{x \in A_2} \frac{s^2}{\pi |x - c|^2} < \infty. \tag{1.2.9}$$

Since $A_2$ is a countable set, the right hand side of the above inequality is clearly a
convergent series. Combining the above two estimations, we have $D_{s,c}(L) < \infty$, the
lemma is proved.

To give a clearer explanation of (1.2.9), we provide another proof of Lemma 1.2.3.
First we prove the following lemma.

Lemma 1.2.4 Let $A \in \mathbb{R}^{n \times n}$ be an invertible square matrix of order $n$, $T = A^T A$
is a positive definite real symmetric matrix. Let $\delta$ be the smallest eigenvalue of $T$, $\delta^*$
is the biggest eigenvalue of $T$, we have $0 < \delta \leq \delta^*$, and

$$\sqrt{\delta} \leq |Ax|_{x \in S} \leq \sqrt{\delta^*}, \tag{1.2.10}$$

where $S = \{x \in \mathbb{R}^n \mid |x| = 1\}$ is the unit sphere in $\mathbb{R}^n$.

Proof Since $T$ is a positive definite real symmetric matrix, so all eigenvalues
$\delta_1, \delta_2, \ldots, \delta_n$ of $T$ are positive, and there is an orthogonal matrix $P$ such that

$$P^T T P = \mathrm{diag}\{\delta_1, \delta_2, \ldots, \delta_n\}.$$

Hence,

$$|Ax|^2 = x^T T x = x^T P (P^T T P) P^T x.$$

Since $P^T T P$ is a diagonal matrix, we have

$$\delta |P^T x|^2 \leq |Ax|^2 \leq \delta^* |P^T x|^2.$$

If $x \in S$, then $|P^T x| = |x| = 1$, so we have $\sqrt{\delta} \leq |Ax| \leq \sqrt{\delta^*}$.

By Lemma 1.2.4, and since $S$ is a compact set and $|Ax|$ is a continuous function on $S$, $|Ax|$ can achieve the maximum value on $S$. This maximum value is defined as $\|A\|$,

$$\|A\| = \max\{|Ax| : |x| = 1\}. \tag{1.2.11}$$

We call $\|A\|$ the matrix norm of $A$, and Lemma 1.2.4 shows that

$$\sqrt{\delta} \le \|A\| \le \sqrt{\delta^*}, \quad \forall A \in GL_n(\mathbb{R}). \tag{1.2.12}$$

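Another proof of Lemma 1.2.3: Let $L = L(B)$ be any full-rank lattice, $B$ is the generated matrix of $L$. By definition we have

$$D_{s,c}(L) = \sum_{x\in L} D_{s,c}(x) = \frac{1}{s^n}\sum_{x\in L} e^{-\frac{\pi}{s^2}|x-c|^2} = \frac{1}{s^n}\sum_{x\in \mathbb{Z}^n} e^{-\frac{\pi}{s^2}|Bx-c|^2}. \tag{1.2.13}$$

From Lemma 1.2.4,

$$\frac{|B^{-1}x|}{|x|} \le \|B^{-1}\| \ \Rightarrow\ |B^{-1}x| \le \|B^{-1}\|\,|x|, \quad \forall x \in \mathbb{R}^n.$$

Let $x = By$, $\delta^*$ is the biggest eigenvalue of $(B^{-1})^T B^{-1}$, we have

$$|y| \le \|B^{-1}\|\,|By| \ \Rightarrow\ |By| \ge \frac{1}{\|B^{-1}\|}|y| \ge |y|/\sqrt{\delta^*}, \quad \forall y \in \mathbb{R}^n. \tag{1.2.14}$$

The property of the exponential function implies that,

$$\sum_{x\in\mathbb{Z}^n,\ |Bx-c|>M} e^{-\frac{\pi}{s^2}|Bx-c|^2} \le \sum_{x\in\mathbb{Z}^n,\ |Bx-c|\ne 0} \frac{s^{2n}}{\pi^n |Bx-c|^{2n}}. \tag{1.2.15}$$

Since

$$|Bx-c|^{2n} = |B(x - B^{-1}c)|^{2n} \ge |x - B^{-1}c|^{2n}/(\delta^*)^n.$$

Denote $x = (x_1, \ldots, x_n)$, $B^{-1}c = (u_1, \ldots, u_n)$, then

$$|x - B^{-1}c|^{2n} = \Big(\sum_{i=1}^n (x_i-u_i)^2\Big)^n \ge \Big(n\sqrt[n]{\prod_{i=1}^n (x_i-u_i)^2}\Big)^n = n^n \prod_{i=1}^n (x_i-u_i)^2.$$

By (1.2.15),

$$\sum_{x\in\mathbb{Z}^n,\ |Bx-c|\ne 0} \frac{s^{2n}}{\pi^n|Bx-c|^{2n}} \le \sum_{x\in\mathbb{Z}^n,\ |Bx-c|\ne 0} \frac{s^{2n}(\delta^*)^n}{\pi^n n^n}\cdot\frac{1}{\prod_{i=1}^n (x_i-u_i)^2}$$

$$= \frac{s^{2n}(\delta^*)^n}{\pi^n n^n} \sum_{x_1\in\mathbb{Z}} \frac{1}{(x_1-u_1)^2} \sum_{x_2\in\mathbb{Z}} \frac{1}{(x_2-u_2)^2} \cdots \sum_{x_n\in\mathbb{Z}} \frac{1}{(x_n-u_n)^2},$$

every infinite series on the right hand side of the above equation converges, hence, $D_{s,c}(L) < \infty$.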
By Lemma 1.2.3, we define the discrete Gauss density function $D_{L,s,c}(x)$ as

$$D_{L,s,c}(x) = \frac{D_{s,c}(x)}{D_{s,c}(L)} = \frac{\rho_{s,c}(x)}{\rho_{s,c}(L)}. \tag{1.2.16}$$

Trivially, we have

$$\sum_{x\in L} D_{L,s,c}(x) = 1.$$

So $D_{L,s,c}(x)$ corresponds to a random variable from Gauss distribution defined on the lattice $L$ (discrete geometry) with parameters $s$ and $c$.

Definition 1.2.4 Let $L = L(B) \subset \mathbb{R}^n$ be a lattice with full rank, $s > 0$ is a given positive real number, $c \in \mathbb{R}^n$ is a given vector, define the discrete Gauss measure function $g_{L,s,c}(x)$ as a function defined on the basic neighborhood $F(B)$ of $L$,

$$g_{L,s,c}(x) = D_{s,c}(\bar{x}) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x+y), \quad x \in F(B). \tag{1.2.17}$$

By Definition and (1.2.3), it is clear that

$$\int_{F(B)} g_{L,s,c}(x)\,dx = \frac{1}{s^n}\sum_{y\in L}\int_{F(B)} \rho_{s,c}(x+y)\,dx = \frac{1}{s^n}\int_{\mathbb{R}^n} \rho_{s,c}(x)\,dx = 1. \tag{1.2.18}$$

Thus, the density function $g_{L,s,c}(x)$ defined on the basic neighborhood $F(B)$ corresponds to a continuous random variable on $F(B)$, denoted as $D_{s,c} \bmod L$.

Lemma 1.2.5 The random variable $D_{s,c} \bmod L$ is actually defined in the additive quotient group $\mathbb{R}^n/L$.

Proof $F(B)$ is a set of representative elements of the additive quotient group $\mathbb{R}^n/L$, and we only prove that for any set of representative elements of $\mathbb{R}^n/L$, the discrete Gauss function $g_{L,s,c}(x)$ remains constant, then $D_{s,c} \bmod L$ can be regarded as a random variable on the additive quotient group $\mathbb{R}^n/L$. Actually, if $x_1, x_2 \in \mathbb{R}^n$, $x_1 \equiv x_2 \pmod L$, we have $g_{L,s,c}(x_1) = g_{L,s,c}(x_2)$. To obtain the result, by definition

$$g_{L,s,c}(x_1) = D_{s,c}(\bar{x}_1) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x_1+y).$$

Since $x_1 = x_2 + y_0$, where $y_0 \in L$, so

$$g_{L,s,c}(x_1) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x_1+y) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x_2+y_0+y)$$

$$= \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x_2+y) = D_{s,c}(\bar{x}_2) = g_{L,s,c}(x_2).$$

By $x_1 \equiv x_2 \pmod L$, then $\bar{x}_1 = \bar{x}_2$ are the same additive cosets in the quotient group $\mathbb{R}^n/L$. Thus, the discrete Gauss measure $g_{L,s,c}(x)$ can be defined on any basic neighborhood of $L$, and the corresponding random variable $D_{s,c} \bmod L$ is actually defined on the quotient group $\mathbb{R}^n/L$.

1.3 Smoothing Parameter

For a given full-rank lattice $L \subset \mathbb{R}^n$, in the previous section we defined the discrete Gauss measure $g_{L,s,c}(x)$, and the corresponding continuous random variable $D_{s,c} \bmod L$ on the basic neighborhood $F(B)$ of $L$. In this section, we discuss an important parameter on Gauss lattice: the smoothing parameter. The concept of smooth parameters was introduced by Micciancio and Regev in 2007 Micciancio and Regev (2004). For a given vector $x \in \mathbb{R}^n$, we have the following lemma.

Lemma 1.3.1 For a given lattice $L \subset \mathbb{R}^n$, we have

$$\lim_{s\to\infty} \sum_{x\in L} \rho_{1/s}(x) = 1$$

or equally

$$\lim_{s\to\infty} \sum_{x\in L\setminus\{0\}} \rho_{1/s}(x) = 0.$$

Proof By the property of the exponential function, when $|x| > M_0$ ($M_0$ is a positive constant) then

$$e^{-\pi s^2|x|^2} \le \frac{1}{\pi s^2|x|^2}.$$

So

$$\sum_{x\in L}\rho_{1/s}(x) = \sum_{x\in L} e^{-\pi s^2|x|^2} \le \sum_{|x|\le M_0,\ x\in L} e^{-\pi s^2|x|^2} + \frac{1}{\pi s^2}\sum_{|x|>M_0,\ x\in L}\frac{1}{|x|^2}.$$

The first part of the equation above only has a finite number of terms, so

$$\lim_{s\to\infty} \sum_{|x|\le M_0,\ x\in L} e^{-\pi s^2|x|^2} = 1.$$

The second part of the above equation is a convergent series, therefore,

$$\lim_{s\to\infty} \frac{1}{\pi s^2}\sum_{|x|>M_0,\ x\in L}\frac{1}{|x|^2} = 0.$$

Here, we get the proof.

By Definition 1.2.3, we have $\rho_{1/s}(L) = \sum_{x\in L}\rho_{1/s}(x)$, then $\rho_{1/s}(L)$ is a monotone decreasing function of $s$. When $s \to \infty$, $\rho_{1/s}(L)$ decreases monotonically to 1. So we give the definition of smoothing parameter.

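Definition 1.3.1 Let $L \subset \mathbb{R}^n$ be a lattice with full rank, $L^*$ is the dual lattice of $L$, define the smoothing parameter $\eta_\varepsilon(L)$ of $L$: For any $\varepsilon > 0$, define

$$\eta_\varepsilon(L) = \min\{s \mid s > 0,\ \rho_{1/s}(L^*) < 1 + \varepsilon\}. \tag{1.3.1}$$

Equally,

$$\eta_\varepsilon(L) = \min\{s \mid s > 0,\ \rho_{1/s}(L^*\setminus\{0\}) < \varepsilon\}. \tag{1.3.2}$$

By definition, the smoothing parameter $\eta_\varepsilon(L)$ of $L$ is a monotone decreasing function of $\varepsilon$, namely

$$\eta_{\varepsilon_1}(L) \le \eta_{\varepsilon_2}(L), \quad \text{if } 0 < \varepsilon_2 < \varepsilon_1.$$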

Definition 1.3.2 Let $A \subset \mathbb{R}^n$ be a finite or countable set, $X$ and $Y$ are two discrete random variables on $A$, the statistical distance between $X$ and $Y$ is defined as

$$\Delta(X, Y) = \frac{1}{2}\sum_{a\in A} |\Pr\{X = a\} - \Pr\{Y = a\}|. \tag{1.3.3}$$

If $A$ is a continuous region in $\mathbb{R}^n$, $X$ and $Y$ are continuous random variables on $A$, $T_1(x)$ and $T_2(x)$ are the density functions of $X$ and $Y$, respectively, then the statistical distance between $X$ and $Y$ is defined as

$$\Delta(X, Y) = \frac{1}{2}\int_A |T_1(x) - T_2(x)|\,dx. \tag{1.3.4}$$

It can be proved that for any function $f$ defined on $A$, we have

$$\Delta(f(X), f(Y)) \le \Delta(X, Y).$$

From (1.2.17) in the last section, $D_{s,c} \bmod L$ is a continuous random variable defined on the basic neighborhood $F(B)$ of the lattice $L$ with the density function $g_{L,s,c}(x)$. Let $U(F(B))$ be a uniform random variable defined on $F(B)$ with the density function $d(x) = \frac{1}{\det(L)}$. The main result of this section is that the statistical distance between $D_{s,c} \bmod L$ and the uniform distribution $U(F(B))$ can be arbitrarily small.

Theorem 1.1 For any $s > 0$, given a lattice with full rank $L = L(B) \subset \mathbb{R}^n$, $L^*$ is the dual lattice of $L$, then the statistical distance between the discrete Gauss distribution and the uniform distribution on the basic neighborhood $F(B)$ satisfies

$$\Delta(D_{s,c} \bmod L,\ U(F(B))) \le \frac{1}{2}\rho_{1/s}(L^*\setminus\{0\}). \tag{1.3.5}$$

Particularly, for any $\varepsilon > 0$, and any $s \ge \eta_\varepsilon(L)$, we have

$$\Delta(D_{s,c} \bmod L,\ U(F(B))) \le \frac{1}{2}\varepsilon. \tag{1.3.6}$$
To prove Theorem 1.1, we first introduce the following lemma.

Lemma 1.3.2 Suppose $f(x) \in L^1(\mathbb{R}^n)$ and satisfies the following two conditions:
(i) $\sum_{x\in L} |f(x+u)|$ uniformly converges in any bounded closed region of $\mathbb{R}^n$ (about $u$);
(ii) $\sum_{y\in L^*} |\hat{f}(y)|$ converges. Then

$$\sum_{x\in L} f(x) = \frac{1}{\det(L)}\sum_{y\in L^*} \hat{f}(y),$$

where $L = L(B) \subset \mathbb{R}^n$ is a full-rank lattice, $L^*$ is the dual lattice, $\det(L) = |\det(B)|$ is the determinant of the lattice $L$.

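Proof We first consider the case of $B = I_n$, here $L = \mathbb{Z}^n$, $L^* = \mathbb{Z}^n$. By condition (i), let $F(u)$ be

$$F(u) = \sum_{x\in\mathbb{Z}^n} f(x+u), \quad u \in \mathbb{R}^n.$$

Since $F(u)$ is a periodic function of the lattice $\mathbb{Z}^n$, namely $F(u+x) = F(u)$, for $\forall x \in \mathbb{Z}^n$, we have the following Fourier expansion

$$F(u) = \sum_{y\in\mathbb{Z}^n} a(y)e^{2\pi i u\cdot y}. \tag{1.3.7}$$

Integrating $F(u)e^{-2\pi i u\cdot x}$ for $u \in [0,1]^n$:

$$\int_{[0,1]^n} F(u)e^{-2\pi i u\cdot x}\,du = \sum_{y\in\mathbb{Z}^n}\int_{[0,1]^n} a(y)e^{2\pi i u\cdot(y-x)}\,du = a(x), \quad \forall x \in \mathbb{Z}^n.$$

Hence, we have the following Fourier inversion formula:

$$a(y) = \int_{[0,1]^n} F(u)e^{-2\pi i u\cdot y}\,du = \sum_{x\in\mathbb{Z}^n}\int_{[0,1]^n} f(x+u)e^{-2\pi i(u+x)\cdot y}\,du$$

$$= \sum_{x\in\mathbb{Z}^n}\int_{x+[0,1]^n} f(z)e^{-2\pi i z\cdot y}\,dz = \int_{\mathbb{R}^n} f(z)e^{-2\pi i z\cdot y}\,dz = \hat{f}(y).$$

From the above equation and (1.3.7),

$$F(u) = \sum_{y\in\mathbb{Z}^n} \hat{f}(y)e^{2\pi i u\cdot y}.$$

Take $u = 0$, we have

$$F(0) = \sum_{x\in\mathbb{Z}^n} f(x) = \sum_{y\in\mathbb{Z}^n} \hat{f}(y),$$

the lemma is proved for $L = \mathbb{Z}^n$. For the general case $L = L(B)$, since $L^* = L((B^{-1})^T)$, then

$$\sum_{x\in L} f(x) = \sum_{x\in\mathbb{Z}^n} f(Bx) = \sum_{x\in\mathbb{Z}^n} (f\circ B)(x),$$

where $f\circ B(x) = f(Bx)$. Replace $f(x)$ with $f\circ B$, then $f\circ B$ still satisfies the conditions of this lemma, so

$$\sum_{x\in\mathbb{Z}^n} f\circ B(x) = \sum_{y\in\mathbb{Z}^n} \widehat{f\circ B}(y).$$

From the definition of Fourier transform,

$$\widehat{f\circ B}(y) = \int_{\mathbb{R}^n} f(Bt)e^{-2\pi i y\cdot t}\,dt.$$

Take variable substitution $t = B^{-1}x$, then

$$\widehat{f\circ B}(y) = \frac{1}{|\det(B)|}\int_{\mathbb{R}^n} f(x)e^{-2\pi i y\cdot B^{-1}x}\,dx$$

$$= \frac{1}{|\det(B)|}\int_{\mathbb{R}^n} f(x)e^{-2\pi i (B^{-1})^T y\cdot x}\,dx$$

$$= \frac{1}{|\det(B)|}\hat{f}((B^{-1})^T y).$$

Above all,

$$\sum_{x\in L} f(x) = \sum_{y\in\mathbb{Z}^n}\widehat{f\circ B}(y) = \frac{1}{|\det(B)|}\sum_{y\in\mathbb{Z}^n}\hat{f}((B^{-1})^T y) = \frac{1}{|\det(B)|}\sum_{y\in L^*}\hat{f}(y).$$

We finish the proof of this lemma.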

The proof of Theorem 1.1 The density function of the continuous random variable $D_{s,c} \bmod L$ defined on the basic neighborhood $F(B)$ of $L$ is $g_{L,s,c}(x)$, from Eq. (1.2.17) and Lemma 1.3.2, we have

$$g_{L,s,c}(x) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c}(x+y) = \frac{1}{s^n}\sum_{y\in L}\rho_{s,c-x}(y).$$

By (1.2.5), the Fourier transform of $\rho_{s,c-x}(y)$ is

$$\hat{\rho}_{s,c-x}(y) = e^{-2\pi i y\cdot(c-x)} s^n \rho_{1/s}(y).$$

Combining with Lemma 1.3.2, we obtain

$$g_{L,s,c}(x) = \frac{1}{|\det(B)|}\sum_{y\in L^*} e^{2\pi i y\cdot(x-c)}\rho_{1/s}(y). \tag{1.3.8}$$

The density function of the uniformly distributed random variable $U(F(B))$ on $F(B)$ is $\frac{1}{|\det(B)|}$, based on the definition of statistical distance,

$$\Delta(D_{s,c} \bmod L,\ U(F(B))) = \frac{1}{2}\int_{F(B)} \Big|g_{L,s,c}(x) - \frac{1}{|\det(B)|}\Big|\,dx$$

$$= \frac{1}{2}\int_{F(B)} \frac{1}{|\det(B)|}\Big|\sum_{y\in L^*,\ y\ne 0} e^{2\pi i y\cdot(x-c)}\rho_{1/s}(y)\Big|\,dx$$

$$\le \frac{1}{2}\mathrm{Vol}(F(B))\det(L^*)\max_{x\in F(B)}\Big|\sum_{y\in L^*\setminus\{0\}} e^{2\pi i y\cdot(x-c)}\rho_{1/s}(y)\Big|$$

$$\le \frac{1}{2}\sum_{y\in L^*\setminus\{0\}}\rho_{1/s}(y) = \frac{1}{2}\rho_{1/s}(L^*\setminus\{0\}).$$

So (1.3.5) in Theorem 1.1 is proved. From the definition of smoothing parameter $\eta_\varepsilon(L)$, when $s \ge \eta_\varepsilon(L)$, we have

$$\rho_{1/s}(L^*\setminus\{0\}) < \varepsilon.$$

Therefore, if $s \ge \eta_\varepsilon(L)$, we have

$$\Delta(D_{s,c} \bmod L,\ U(F(B))) \le \frac{1}{2}\varepsilon.$$

Thus, Theorem 1.1 is proved.

Another application of Lemma 1.3.2 is to prove the following inequality.

Lemma 1.3.3 Let $a \ge 1$ be a given positive real number, then

$$\sum_{x\in L} e^{-\frac{\pi}{a}|x|^2} \le a^{\frac{n}{2}}\sum_{x\in L} e^{-\pi|x|^2}. \tag{1.3.9}$$

Proof By Definition 1.2.1, the left hand side of the sum in the above inequality can be written as

$$\rho_{\sqrt{a}}(x) = e^{-\frac{\pi}{a}|x|^2}, \quad s = \sqrt{a}.$$

Since $\rho_s(x)$ satisfies the conditions of Lemma 1.3.2, we have

$$\sum_{x\in L}\rho_s(x) = \det(L^*)\sum_{x\in L^*}\hat{\rho}_s(x) = \det(L^*)\, s^n\sum_{x\in L^*}\rho_{1/s}(x).$$

Obviously $\rho_s(x)$ is a monotone increasing function of $s$, take $s = \sqrt{a} \ge 1$, then

$$\sum_{x\in L}\rho_{\sqrt{a}}(x) = a^{\frac{n}{2}}\det(L^*)\sum_{x\in L^*}\rho_{\frac{1}{\sqrt{a}}}(x) \le a^{\frac{n}{2}}\det(L^*)\sum_{x\in L^*}\rho(x)$$

$$= a^{\frac{n}{2}}\sum_{x\in L}\rho(x) = a^{\frac{n}{2}}\sum_{x\in L} e^{-\pi|x|^2}.$$

We complete the proof of Lemma 1.3.3.

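Let $N = N(0, 1)$ be the unit sphere in $\mathbb{R}^n$, namely

$$N = \{x \in \mathbb{R}^n \mid |x| \le 1\}.$$

Lemma 1.3.4 Suppose $L \subset \mathbb{R}^n$ is a lattice with full rank, $c > \frac{1}{\sqrt{2\pi}}$ is a positive real number, $C = c\sqrt{2\pi e}\cdot e^{-\pi c^2}$, $v \in \mathbb{R}^n$, then

$$\rho(L\setminus c\sqrt{n}N) < C^n\rho(L), \quad \text{and} \quad \rho((L+v)\setminus c\sqrt{n}N) < 2C^n\rho(L).$$

That is,

$$\sum_{x\in L,\ x\notin c\sqrt{n}N} e^{-\pi|x|^2} < C^n\sum_{x\in L} e^{-\pi|x|^2}, \tag{1.3.10}$$

$$\sum_{x\in L+v,\ x\notin c\sqrt{n}N} e^{-\pi|x|^2} < 2C^n\sum_{x\in L} e^{-\pi|x|^2}.$$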

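Proof We will prove the first inequality, let $t$ be a positive real number, $0 < t < 1$, then

$$\sum_{x\in L} e^{-\pi t|x|^2} = \sum_{x\in L} e^{\pi(1-t)|x|^2}\cdot e^{-\pi|x|^2}$$

$$> \sum_{x\in L,\ |x|^2\ge c^2 n} e^{\pi(1-t)|x|^2}\cdot e^{-\pi|x|^2}$$

$$\ge e^{\pi(1-t)c^2 n}\sum_{x\in L,\ |x|^2\ge c^2 n} e^{-\pi|x|^2}.$$

In Lemma 1.3.3, take $a = \frac{1}{t}$, then $a > 1$, we get

$$\sum_{x\in L} e^{-\pi t|x|^2} \le t^{-\frac{n}{2}}\sum_{x\in L} e^{-\pi|x|^2}.$$

Hence,

$$\sum_{x\in L,\ |x|^2\ge c^2 n} e^{-\pi|x|^2} < e^{-\pi(1-t)c^2 n}\sum_{x\in L} e^{-\pi t|x|^2} \le e^{-\pi(1-t)c^2 n}\, t^{-\frac{n}{2}}\sum_{x\in L} e^{-\pi|x|^2}.$$

It implies that

$$\rho(L\setminus c\sqrt{n}N) < \big(t^{-\frac{1}{2}} e^{-\pi(1-t)c^2}\big)^n\rho(L).$$

Let $t = \frac{1}{2\pi c^2}$, then

$$\rho(L\setminus c\sqrt{n}N) < \big(c\cdot\sqrt{2\pi e}\cdot e^{-\pi c^2}\big)^n\rho(L).$$

The second inequality can be proved in the same way. Lemma 1.3.4 holds.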

Based on the above inequality, we can give an upper bound estimation of the smoothing parameter on lattice, which is a very important result about the smoothing parameter.

Theorem 1.2 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, we have

$$\eta_{2^{-n}}(L) \le \sqrt{n}/\lambda_1(L^*), \tag{1.3.11}$$

where $\lambda_1(L^*)$ is the minimal distance of the dual lattice $L^*$ (see (1.0.4)).

Proof Take $c = 1$ in Lemma 1.3.4, we first prove

$$C = \sqrt{2\pi e}\cdot e^{-\pi} < \frac{1}{4}. \tag{1.3.12}$$

If we take the logarithm of both sides, then

$$\log(32\pi) + 1 < 2\pi.$$

Since we have the following inequality,

$$\log(32\pi) + 1 < \log 128 + 1 < 2\pi.$$

So (1.3.12) holds. By Lemma 1.3.4, we have

$$\rho(L^*\setminus\sqrt{n}N) < C^n\rho(L^*) = C^n\big(\rho(L^*\setminus\sqrt{n}N) + \rho(L^*\cap\sqrt{n}N)\big).$$

From the both sides, we get

$$\rho(L^*\setminus\sqrt{n}N) < \frac{C^n}{1-C^n}\rho(L^*\cap\sqrt{n}N).$$

If $s > \sqrt{n}/\lambda_1(L^*)$, for all $x \in L^*\setminus\{0\}$,

$$|sx| \ge s\cdot\lambda_1(L^*) > \sqrt{n} \ \Rightarrow\ sL^*\cap\sqrt{n}N = \{0\}.$$

Hence,

$$\rho_{1/s}(L^*) = \rho(sL^*) = 1 + \rho(sL^*\setminus\sqrt{n}N)$$

$$< 1 + \frac{C^n}{1-C^n}\rho(sL^*\cap\sqrt{n}N)$$

$$= 1 + \frac{C^n}{1-C^n} < 1 + \frac{2^{-2n}}{2^{-n}} = 2^{-n} + 1.$$

Take $\varepsilon = 2^{-n}$, then

$$\eta_{2^{-n}}(L) \le \sqrt{n}/\lambda_1(L^*).$$

Theorem 1.2 is obtained.
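The following added example (not taken from the book) checks Lemma 1.3.2, Theorem 1.1 and Theorem 1.2 numerically on a constructed 2-dimensional lattice. The basis `B`, the truncation radius `K`, the choice $F(B) = \{Bt : t \in [0,1)^2\}$ and all function names are assumptions of the example.

```python
import math
from itertools import product

# Constructed sample lattice (an assumption of this example): the columns of B
# are the basis vectors, so L = L(B) = {Bk : k in Z^2} and n = 2.
B = [[1.0, 0.5],
     [0.0, 1.2]]
K = 8  # integer coefficients are truncated to [-K, K]; the discarded tails are negligible here


def det2(M):
    return M[0][0] * M[1][1] - M[0][1] * M[1][0]


def dual_basis(M):
    """Return (M^{-1})^T, a basis of the dual lattice L*."""
    d = det2(M)
    return [[M[1][1] / d, -M[1][0] / d],
            [-M[0][1] / d, M[0][0] / d]]


def points(M, skip_zero=False):
    """Enumerate the lattice points M k with k in [-K, K]^2."""
    for k1, k2 in product(range(-K, K + 1), repeat=2):
        if skip_zero and k1 == 0 and k2 == 0:
            continue
        yield (M[0][0] * k1 + M[0][1] * k2, M[1][0] * k1 + M[1][1] * k2)


def rho(s, pts, c=(0.0, 0.0)):
    """rho_{s,c}(A) = sum over x in A of exp(-pi |x - c|^2 / s^2)."""
    return sum(math.exp(-math.pi * ((x - c[0]) ** 2 + (y - c[1]) ** 2) / s ** 2)
               for x, y in pts)


def dual_mass(s):
    """rho_{1/s}(L* minus {0}): twice the right-hand side of (1.3.5)."""
    return rho(1.0 / s, points(dual_basis(B), skip_zero=True))


def poisson_gap(s):
    """|rho_s(L) - det(L*) s^n rho_{1/s}(L*)|, which Lemma 1.3.2 says is zero."""
    D = dual_basis(B)
    return abs(rho(s, points(B)) - abs(det2(D)) * s ** 2 * rho(1.0 / s, points(D)))


def smoothing_parameter(eps, lo=0.1, hi=5.0):
    """Bisect for the threshold s at which rho_{1/s}(L* minus {0}) = eps, cf. (1.3.2)."""
    for _ in range(60):
        mid = (lo + hi) / 2
        if dual_mass(mid) < eps:
            hi = mid
        else:
            lo = mid
    return hi


def lambda1(M):
    """Length of a shortest nonzero vector, by brute force over small coefficients."""
    return min(math.hypot(x, y) for x, y in points(M, skip_zero=True))


def gauss_mod_lattice(s, c, grid=32):
    """Midpoint-rule estimates of (integral of g_{L,s,c} over F(B), distance to U(F(B)))."""
    d = abs(det2(B))
    mass = dist = 0.0
    for i, j in product(range(grid), repeat=2):
        t1, t2 = (i + 0.5) / grid, (j + 0.5) / grid
        x = (B[0][0] * t1 + B[0][1] * t2, B[1][0] * t1 + B[1][1] * t2)  # point of F(B)
        # (1.2.17): g(x) = s^{-n} sum_{y in L} rho_{s,c}(x + y) = s^{-n} rho_{s,c-x}(L)
        g = rho(s, points(B), (c[0] - x[0], c[1] - x[1])) / s ** 2
        mass += g
        dist += abs(g - 1.0 / d)
    cell = d / grid ** 2  # volume element dx = |det B| dt
    return mass * cell, 0.5 * dist * cell


if __name__ == "__main__":
    s, c = 1.0, (0.3, 0.1)  # constructed parameters
    mass, dist = gauss_mod_lattice(s, c)
    print("integral of g over F(B):", mass)
    print("statistical distance:", dist, "<= bound (1.3.5):", 0.5 * dual_mass(s))
    print("Poisson summation gap:", poisson_gap(s))
    eta = smoothing_parameter(0.25)  # eps = 2^{-n} with n = 2
    print("eta_{1/4}(L):", eta, "<= sqrt(n)/lambda_1(L*):",
          math.sqrt(2) / lambda1(dual_basis(B)))
```

For this basis the measured distance sits well below the bound (1.3.5), and the bisected $\eta_{1/4}(L)$ is noticeably smaller than $\sqrt{n}/\lambda_1(L^*)$, which shows how much slack the general estimate leaves on a concrete lattice.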

According to the proof of Theorem 1.2, we can further improve the upper bound estimation of the smoothing parameter.

Corollary 1.3.1 Let

$$r = \sqrt{\frac{1}{2\pi} + \frac{\log 2\pi}{2\pi} + \frac{1}{n\pi}\log(1+2^n)}. \quad (< 0.82) \tag{1.3.13}$$

Then for any full-rank lattice $L \subset \mathbb{R}^n$, we obtain

$$\eta_{2^{-n}}(L) \le r\sqrt{n}/\lambda_1(L^*). \tag{1.3.14}$$

Proof Take $c > r$ in Lemma 1.3.4, then $c > \frac{1}{\sqrt{2\pi}}$, and

$$C = c\cdot\sqrt{2\pi e}\cdot e^{-\pi c^2} \ \Rightarrow\ \frac{C^n}{1-C^n} < \frac{1}{2^n}. \tag{1.3.15}$$

By Lemma 1.3.4, for any full-rank lattice $L \subset \mathbb{R}^n$, we have

$$\rho(L^*\setminus c\sqrt{n}N) < \frac{C^n}{1-C^n}\rho(L^*\cap c\sqrt{n}N).$$

If $s > c\sqrt{n}/\lambda_1(L^*)$, for any $x \in L^*\setminus\{0\}$,

$$|sx| \ge s\lambda_1(L^*) > c\sqrt{n}.$$

Hence,

$$sL^*\cap c\sqrt{n}N = \{0\}.$$

Therefore,

$$\rho_{1/s}(L^*) = \rho(sL^*) = 1 + \rho(L^*\setminus c\sqrt{n}N) < 1 + \frac{C^n}{1-C^n} < 1 + \frac{1}{2^n}.$$

Finally we have (let $c \to r$)

$$\eta_{2^{-n}}(L) \le r\sqrt{n}/\lambda_1(L^*).$$

Corollary 1.3.1 is proved.

Corollary 1.3.2 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, we have

$$\eta_{2^{-n}}(L) \le \frac{4}{5}\sqrt{n}/\lambda_1(L^*). \tag{1.3.16}$$

Proof Take $c = \frac{4}{5}$ in Lemma 1.3.4, then $c > \frac{1}{\sqrt{2\pi}}$, and

$$C = c\cdot\sqrt{2\pi e}\cdot e^{-\pi c^2} \ \Rightarrow\ \frac{C^n}{1-C^n} < \frac{1}{2^n}.$$

Lemma 1.3.4 implies that for any full-rank lattice $L \subset \mathbb{R}^n$, we have

$$\rho(L^*\setminus c\sqrt{n}N) < \frac{C^n}{1-C^n}\rho(L^*\cap c\sqrt{n}N).$$

If $s > c\sqrt{n}/\lambda_1(L^*)$, for any $x \in L^*\setminus\{0\}$,

$$|sx| \ge s\lambda_1(L^*) > c\sqrt{n}.$$

Hence,

$$sL^*\cap c\sqrt{n}N = \{0\}.$$

We get

$$\rho_{1/s}(L^*) = \rho(sL^*) = 1 + \rho(L^*\setminus c\sqrt{n}N) < 1 + \frac{C^n}{1-C^n} < 1 + \frac{1}{2^n},$$

which implies that

$$\eta_{2^{-n}}(L) \le \frac{4}{5}\sqrt{n}/\lambda_1(L^*).$$

Corollary 1.3.2 is proved.

In the following, we give another classical upper bound estimation for the smoothing parameter. For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, we have introduced the definition of minimal distance $\lambda_1(L)$ on lattice, which can actually be generalized to the general case. For $1 \le i \le n$,

$$\lambda_i(L) = \min\{r \mid \dim(L\cap rN(0,1)) \ge i\}. \tag{1.3.17}$$

$\lambda_i(L)$ is also called the $i$-th continuous minimal distance of lattice $L$. To give an upper bound estimation of the smoothing parameter, we first prove the following lemma.

Lemma 1.3.5 For any $n$ dimensional full-rank lattice $L$, $s > 0$, $c \in \mathbb{R}^n$, then

$$\rho_{s,c}(L) \le \rho_s(L). \tag{1.3.18}$$

Proof According to Lemma 1.3.2, we have

$$\rho_{s,c}(L) = \det(L^*)\hat{\rho}_{s,c}(L^*)$$

$$= \det(L^*)\sum_{y\in L^*}\hat{\rho}_{s,c}(y)$$

$$= \det(L^*)\sum_{y\in L^*} e^{-2\pi i c\cdot y}\hat{\rho}_s(y)$$

$$\le \det(L^*)\sum_{y\in L^*}\hat{\rho}_s(y) = \rho_s(L),$$

where we have used $\hat{\rho}_{s,c}(y) = e^{-2\pi i c\cdot y}\hat{\rho}_s(y)$, the lemma gets proved.
Theorem 1.3 For any $n$ dimensional full-rank lattice $L$, $\varepsilon > 0$, we have

$$\eta_\varepsilon(L) \le \sqrt{\frac{\ln(2n(1+1/\varepsilon))}{\pi}}\,\lambda_n(L), \tag{1.3.19}$$

where $\lambda_n(L)$ is the $n$-th continuous minimal distance of the lattice $L$ defined by (1.3.17).
Proof Let

$$s = \sqrt{\frac{\ln(2n(1+1/\varepsilon))}{\pi}}\,\lambda_n(L),$$

we need to prove $\rho_{1/s}(L^*\setminus\{0\}) \le \varepsilon$. From the definition of $\lambda_n(L)$, there are $n$ linearly independent vectors $v_1, v_2, \ldots, v_n$ in $L$ satisfying $|v_i| \le \lambda_n(L)$, and for any positive integer $k > 1$, we have $v_i/k \notin L$, $1 \le i \le n$. The main idea of the proof is to take a segregation of $L^*$, for any integer $j$, let

$$S_{i,j} = \{x \in L^* \mid x\cdot v_i = j\} \subset L^*,$$

for any $y \in L^*\setminus\{0\}$, there is $v_i$ that satisfies $y\cdot v_i \ne 0$ (otherwise we have $y = 0$), which implies $y \notin S_{i,0}$, i.e. $y \in L^*\setminus S_{i,0}$, so we have

$$L^*\setminus\{0\} = \bigcup_{i=1}^{n} (L^*\setminus S_{i,0}). \tag{1.3.20}$$

To estimate $\rho_{1/s}(L^*\setminus S_{i,0})$, we need some preparations. Let $u_i = v_i/|v_i|^2$, then $|u_i| = 1/|v_i| \ge 1/\lambda_n(L)$. $\forall j \in \mathbb{Z}$, $\forall x \in S_{i,j}$,

$$(x - ju_i)\cdot ju_i = j\,x\cdot u_i - j^2 u_i\cdot u_i = \frac{j^2}{|v_i|^2} - \frac{j^2}{|v_i|^2} = 0.$$

Therefore,

$$|x|^2 = |x - ju_i|^2 + |ju_i|^2.$$

So

$$\rho_{1/s}(S_{i,j}) = \sum_{x\in S_{i,j}} e^{-\pi s^2|x|^2}$$

$$= e^{-\pi s^2|ju_i|^2}\sum_{x\in S_{i,j}} e^{-\pi s^2|x-ju_i|^2}$$

$$= e^{-\pi s^2|ju_i|^2}\rho_{1/s}(S_{i,j} - ju_i). \tag{1.3.21}$$

Since the inner product of any vector in $S_{i,j} - ju_i$ with $v_i$ is 0, then $S_{i,j} - ju_i$ is actually a translation of $S_{i,0}$, namely there is a vector $w$ satisfying $S_{i,j} - ju_i = S_{i,0} - w$. In fact, for any $x_j \in S_{i,j}$, $x_0 \in S_{i,0}$, $w = x_0 - x_j + ju_i$ satisfies the equality $S_{i,j} - ju_i = S_{i,0} - w$. By Lemma 1.3.5, we have

$$\rho_{1/s}(S_{i,j} - ju_i) = \rho_{1/s}(S_{i,0} - w) = \rho_{1/s,w}(S_{i,0}) \le \rho_{1/s}(S_{i,0}). \tag{1.3.22}$$

Combine (1.3.21) with (1.3.22),

$$\rho_{1/s}(S_{i,j}) \le e^{-\pi s^2|ju_i|^2}\rho_{1/s}(S_{i,0}) \le e^{-\pi(s/\lambda_n(L))^2 j^2}\rho_{1/s}(S_{i,0}).$$

When $x > 1$, it follows that

$$\sum_{j\ne 0} x^{-j^2} \le 2\sum_{j>0} x^{-j} = \frac{2}{x-1}.$$

Next, we will estimate $\rho_{1/s}(L^*\setminus S_{i,0})$,

$$\rho_{1/s}(L^*\setminus S_{i,0}) = \sum_{j\ne 0}\rho_{1/s}(S_{i,j})$$

$$\le \sum_{j\ne 0} e^{-\pi(s/\lambda_n(L))^2 j^2}\rho_{1/s}(S_{i,0})$$

$$\le \frac{2}{e^{\pi(s/\lambda_n(L))^2} - 1}\rho_{1/s}(S_{i,0})$$

$$= \frac{2}{e^{\pi(s/\lambda_n(L))^2} - 1}\big(\rho_{1/s}(L^*) - \rho_{1/s}(L^*\setminus S_{i,0})\big).$$

So we get

$$\rho_{1/s}(L^*\setminus S_{i,0}) \le \frac{2}{e^{\pi(s/\lambda_n(L))^2} + 1}\rho_{1/s}(L^*).$$

From (1.3.20),

$$\rho_{1/s}(L^*\setminus\{0\}) \le \sum_{i=1}^{n}\rho_{1/s}(L^*\setminus S_{i,0}) \le \frac{2n}{e^{\pi(s/\lambda_n(L))^2} + 1}\rho_{1/s}(L^*).$$

Together with $\rho_{1/s}(L^*) = 1 + \rho_{1/s}(L^*\setminus\{0\})$, we have

$$\rho_{1/s}(L^*\setminus\{0\}) \le \frac{2n}{e^{\pi(s/\lambda_n(L))^2} + 1 - 2n} < \frac{2n}{e^{\pi(s/\lambda_n(L))^2} - 2n} = \varepsilon.$$

In the last equality, we have used that

$$s = \sqrt{\frac{\ln(2n(1+1/\varepsilon))}{\pi}}\,\lambda_n(L).$$

Based on the definition of the smoothing parameter,

$$\eta_\varepsilon(L) \le \sqrt{\frac{\ln(2n(1+1/\varepsilon))}{\pi}}\,\lambda_n(L).$$

Theorem 1.3 is proved.

At the end of this section, we present an inequality for the minimal distance on lattice, which will be used in the next chapter when we prove that the LWE problem is polynomial equivalent with the hard problems on lattice.

Lemma 1.3.6 For any $n$ dimensional lattice $L$, $\varepsilon > 0$, we have

$$\eta_\varepsilon(L) \ge \sqrt{\frac{\ln 1/\varepsilon}{\pi}}\,\frac{1}{\lambda_1(L^*)} \ge \sqrt{\frac{\ln 1/\varepsilon}{\pi}}\,\frac{\lambda_n(L)}{n}. \tag{1.3.23}$$

Proof Let $v \in L^*$ and $|v| = \lambda_1(L^*)$, $s = \eta_\varepsilon(L)$, from the definition of smoothing parameter, we have

$$\varepsilon = \rho_{1/s}(L^*\setminus\{0\}) \ge \rho_{1/s}(v) = e^{-\pi s^2\lambda_1(L^*)^2}.$$

Hence,

$$s \ge \sqrt{\frac{\ln 1/\varepsilon}{\pi}}\,\frac{1}{\lambda_1(L^*)}.$$

That is, the first inequality in this lemma holds. For the second inequality, Theorem 2.1 in Banaszczyk (1993) implies that

$$1 \le \lambda_1(L^*)\lambda_n(L) \le n, \tag{1.3.24}$$

so we immediately get the second inequality. The lemma holds.

1.4 Some Properties of Discrete Gauss Distribution

In this section we introduce some properties about the discrete Gauss distribution.
First we give the definition of the expectation of discrete Gauss distribution.

Definition 1.4.1 Let $m, n$ be two positive integers, $L \subset \mathbb{R}^n$ be an $n$ dimensional full-rank lattice, $c \in \mathbb{R}^n$, $s > 0$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,c}$, and $f: \mathbb{R}^n \to \mathbb{R}^m$ is a given function, we denote

$$E[\xi] = \sum_{\xi = x\in L} x\,D_{L,s,c}(x) \tag{1.4.1}$$

as the expectation of $\xi$, and denote

$$E[f(\xi)] = \sum_{\xi = x\in L} f(x)D_{L,s,c}(x) \tag{1.4.2}$$

as the expectation of $f(\xi)$.
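Lemma 1.4.1 For any $n$ dimensional full-rank lattice, $L \subset \mathbb{R}^n$, $c, u \in \mathbb{R}^n$, $|u| = 1$, $0 < \varepsilon < 1$, $s \ge 2\eta_\varepsilon(L)$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,c}$, then we have

$$|E[(\xi - c)\cdot u]| \le \frac{\varepsilon s}{1-\varepsilon}, \tag{1.4.3}$$

and

$$\Big|E[((\xi - c)\cdot u)^2] - \frac{s^2}{2\pi}\Big| \le \frac{\varepsilon s^2}{1-\varepsilon}. \tag{1.4.4}$$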

Proof Let $L' = L/s = \{\frac{x}{s} \mid x \in L\}$, $c' = c/s$, $\xi'$ is a random variable from the discrete Gauss distribution $D_{L',c'}$, for any $x \in L'$, we have

$$\Pr\{\xi' = x\} = \frac{\rho_{c'}(x)}{\rho_{c'}(L')} = \frac{\rho_{s,c}(sx)}{\rho_{s,c}(L)} = \Pr\{\xi = sx\}.$$

That is, $\Pr\{\frac{\xi}{s} = x\} = \Pr\{\xi' = x\}$, $\forall x \in L'$, therefore,

$$E[(\xi - c)\cdot u] = sE\Big[\Big(\frac{\xi}{s} - c'\Big)\cdot u\Big] = sE[(\xi' - c')\cdot u],$$

the inequality (1.4.3) is equivalent to

$$|E[(\xi' - c')\cdot u]| \le \frac{\varepsilon}{1-\varepsilon}. \tag{1.4.5}$$

Similarly, the inequality (1.4.4) is equivalent to

$$\Big|E[((\xi' - c')\cdot u)^2] - \frac{1}{2\pi}\Big| \le \frac{\varepsilon}{1-\varepsilon}. \tag{1.4.6}$$

So we only need to prove the two inequalities for $s = 1$. Denote $\xi$ as a random variable from the discrete Gauss distribution $D_{L,c}$, the condition $s \ge 2\eta_\varepsilon(L)$ in Lemma 1.4.1 becomes $\eta_\varepsilon(L) \le \frac{1}{2}$. We prove that the two inequalities (1.4.5) and (1.4.6) hold if $u = (1, 0, \ldots, 0)$ firstly. For any positive integer $j$, let

$$g_j(x) = (x_1 - c_1)^j\rho_c(x),$$

where $x = (x_1, x_2, \ldots, x_n)$, $c = (c_1, c_2, \ldots, c_n)$. Let $\xi = (\xi_1, \xi_2, \ldots, \xi_n)$, then

$$E[((\xi - c)\cdot u)^j] = E[(\xi_1 - c_1)^j] = \frac{g_j(L)}{\rho_c(L)}.$$

Based on Lemma 1.3.2,

$$E[((\xi - c)\cdot u)^j] = \frac{g_j(L)}{\rho_c(L)} = \frac{\det(L^*)\hat{g}_j(L^*)}{\det(L^*)\hat{\rho}_c(L^*)} = \frac{\hat{g}_j(L^*)}{\hat{\rho}_c(L^*)}. \tag{1.4.7}$$

In order to estimate $\hat{\rho}_c(L^*)$, from Lemma 1.2.1 we get $\hat{\rho}_c(x) = e^{-2\pi i x\cdot c}\rho(x)$, thus, $|\hat{\rho}_c(x)| = \rho(x)$, note that $\eta_\varepsilon(L) \le \frac{1}{2} < 1$,

$$|\hat{\rho}_c(L^*)| = \Big|1 + \sum_{x\in L^*\setminus\{0\}}\hat{\rho}_c(x)\Big| \ge 1 - \sum_{x\in L^*\setminus\{0\}}|\hat{\rho}_c(x)| = 1 - \rho(L^*\setminus\{0\}) \ge 1 - \varepsilon. \tag{1.4.8}$$

To estimate $\hat{g}_j(L^*)$, assume $\rho_c^{(j)}(x)$ is the $j$ order partial derivative of $\rho_c(x)$ about the first variable $x_1$, i.e.

$$\rho_c^{(j)}(x) = \Big(\frac{\partial}{\partial x_1}\Big)^j\rho_c(x).$$

If $j = 1, 2$, it is easy to get

$$\rho_c^{(1)}(x) = -2\pi(x_1 - c_1)\rho_c(x).$$

$$\rho_c^{(2)}(x) = (4\pi^2(x_1 - c_1)^2 - 2\pi)\rho_c(x).$$

It follows that

$$g_1(x) = -\frac{1}{2\pi}\rho_c^{(1)}(x).$$

$$g_2(x) = \frac{1}{4\pi^2}\rho_c^{(2)}(x) + \frac{1}{2\pi}\rho_c(x).$$

Since $\widehat{\rho_c^{(j)}}(x) = (2\pi i x_1)^j\hat{\rho}_c(x)$, we have

$$\hat{g}_1(x) = -i x_1\hat{\rho}_c(x).$$

$$\hat{g}_2(x) = \Big(\frac{1}{2\pi} - x_1^2\Big)\hat{\rho}_c(x).$$

According to the inequality $|x_1| \le \sqrt{|x|^2} \le e^{\frac{|x|^2}{2}}$ and $\eta_\varepsilon(L) \le \frac{1}{2}$,

$$|\hat{g}_1(L^*)| \le \sum_{x\in L^*}|x_1|\cdot|\hat{\rho}_c(x)| = \sum_{x\in L^*\setminus\{0\}}|x_1|\rho(x) \le \sum_{x\in L^*\setminus\{0\}} e^{\frac{|x|^2}{2}} e^{-\pi|x|^2}$$

$$\le \sum_{x\in L^*\setminus\{0\}} e^{-\frac{\pi}{4}|x|^2} = \rho_2(L^*\setminus\{0\}) \le \varepsilon. \tag{1.4.9}$$

Combining (1.4.7), (1.4.8) and (1.4.9) together,

$$|E[(\xi - c)\cdot u]| = \frac{|\hat{g}_1(L^*)|}{|\hat{\rho}_c(L^*)|} \le \frac{\varepsilon}{1-\varepsilon}.$$

For a general unit vector $u \in \mathbb{R}^n$, there exists an orthogonal matrix $M \in \mathbb{R}^{n\times n}$ such that $Mu = (1, 0, \ldots, 0)$. Denote $\eta$ as a random variable from the discrete Gauss distribution $D_{M^{-1}L,\,M^{-1}c}$, for any $x \in L$,

$$\Pr\{\eta = M^{-1}x\} = \frac{\rho_{M^{-1}c}(M^{-1}x)}{\rho_{M^{-1}c}(M^{-1}L)} = \frac{e^{-\pi|M^{-1}x - M^{-1}c|^2}}{\rho_{M^{-1}c}(M^{-1}L)}$$

$$= \frac{e^{-\pi|x-c|^2}}{\rho_c(L)} = \Pr\{\xi = x\} = \Pr\{M^{-1}\xi = M^{-1}x\},$$

which implies that the distributions of $\eta$ and $M^{-1}\xi$ are the same, hence,

$$|E[(\xi - c)\cdot u]| = |E[M^{-1}(\xi - c)\cdot Mu]| = |E[(\eta - M^{-1}c)\cdot Mu]| \le \frac{\varepsilon}{1-\varepsilon}.$$

Above all the inequality (1.4.3) holds, and inequality (1.4.4) could be proved in the same way. We complete the proof of Lemma 1.4.1.

Lemma 1.4.2 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, $c \in \mathbb{R}^n$, $0 < \varepsilon < 1$, $s \ge 2\eta_\varepsilon(L)$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,c}$, then we have

$$|E[\xi - c]|^2 \le \Big(\frac{\varepsilon}{1-\varepsilon}\Big)^2 s^2 n, \tag{1.4.10}$$

and

$$E[|\xi - c|^2] \le \Big(\frac{1}{2\pi} + \frac{\varepsilon}{1-\varepsilon}\Big)s^2 n. \tag{1.4.11}$$

Proof Let $u_1, u_2, \ldots, u_n$ be the $n$ unit column vectors of $n\times n$ matrix $I_n$, by Lemma 1.4.1,

$$|E[\xi - c]|^2 = \sum_{i=1}^{n}(E[(\xi - c)\cdot u_i])^2 \le \Big(\frac{\varepsilon}{1-\varepsilon}\Big)^2 s^2 n.$$

$$E[|\xi - c|^2] = \sum_{i=1}^{n} E[((\xi - c)\cdot u_i)^2] \le \Big(\frac{1}{2\pi} + \frac{\varepsilon}{1-\varepsilon}\Big)s^2 n.$$

Lemma 1.4.2 holds.

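Lemma 1.4.3 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, $v \in \mathbb{R}^n$, $0 < \varepsilon < 1$, $s \ge \eta_\varepsilon(L)$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,v}$, then we have

$$\Pr\{|\xi - v| > s\sqrt{n}\} \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}. \tag{1.4.12}$$

Proof From the proof of Lemma 1.4.1, here we only need to prove for the case $s = 1$. Since

$$\Pr\{|\xi - v| > \sqrt{n}\} = \sum_{x\in L,\ |x-v|>\sqrt{n}}\frac{\rho_v(x)}{\rho_v(L)}$$

$$= \sum_{x\in L,\ |x-v|>\sqrt{n}}\frac{\rho(x-v)}{\rho_v(L)} = \frac{\rho((L-v)\setminus\sqrt{n}N)}{\rho_v(L)},$$

take $c = 1$ in Lemma 1.3.4 and get

$$\rho((L-v)\setminus\sqrt{n}N) < 2^{-n}\rho(L).$$

That is,

$$\Pr\{|\xi - v| > \sqrt{n}\} < 2^{-n}\frac{\rho(L)}{\rho_v(L)}. \tag{1.4.13}$$

Based on Lemma 1.3.2, Lemma 1.2.1 and $\eta_\varepsilon(L) \le 1$,

$$\rho_v(L) = |\rho_v(L)| = |\det(L^*)\hat{\rho}_v(L^*)| = \Big|\det(L^*)\sum_{x\in L^*} e^{-2\pi i x\cdot v}\rho(x)\Big|$$

$$\ge |\det(L^*)|\Big(1 - \sum_{x\in L^*\setminus\{0\}}|e^{-2\pi i x\cdot v}\rho(x)|\Big) = |\det(L^*)|\Big(1 - \sum_{x\in L^*\setminus\{0\}}\rho(x)\Big)$$

$$= |\det(L^*)|(1 - \rho(L^*\setminus\{0\})) \ge |\det(L^*)|(1 - \varepsilon). \tag{1.4.14}$$

Similarly,

$$\rho(L) = |\rho(L)| = |\det(L^*)\hat{\rho}(L^*)|$$

$$= \Big|\det(L^*)\sum_{x\in L^*}\rho(x)\Big| = |\det(L^*)|\Big(1 + \sum_{x\in L^*\setminus\{0\}}\rho(x)\Big)$$

$$= |\det(L^*)|(1 + \rho(L^*\setminus\{0\})) \le |\det(L^*)|(1 + \varepsilon). \tag{1.4.15}$$

Combining (1.4.13), (1.4.14) and (1.4.15) together, it follows that

$$\Pr\{|\xi - v| > \sqrt{n}\} \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}.$$

This lemma holds.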


For $x \in \mathbb{R}^n$ and a set $A \subset \mathbb{R}^n$, we define the distance from $x$ to $A$ as $\mathrm{dist}(x, A) = \min_{y\in A}|x - y|$.

Lemma 1.4.4 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, $c, v \in \mathbb{R}^n$, $0 < \varepsilon < 1$, $s \ge \eta_\varepsilon(L)$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,c}$, $\mathrm{dist}(v, L^*) \ge \frac{\sqrt{n}}{s}$, then

$$|E[e^{2\pi i\xi\cdot v}]| \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}. \tag{1.4.16}$$

Proof From the proof of Lemma 1.4.1, we only need to prove for the case $s = 1$. Let

$$g(x) = e^{2\pi i x\cdot v}\rho_c(x).$$

By Lemma 1.3.2,

$$E[e^{2\pi i\xi\cdot v}] = \frac{g(L)}{\rho_c(L)} = \frac{\det(L^*)\hat{g}(L^*)}{\det(L^*)\hat{\rho}_c(L^*)} = \frac{\hat{g}(L^*)}{\hat{\rho}_c(L^*)}.$$

We have proved that $|\hat{\rho}_c(L^*)| \ge 1 - \varepsilon$ in Lemma 1.4.1, based on (iii) of Lemma 1.1.2 and Lemma 1.2.1,

$$\hat{g}(x) = \hat{\rho}_c(x - v) = \rho(x - v)e^{-2\pi i(x-v)\cdot c},$$

therefore,

$$|\hat{g}(L^*)| = \Big|\sum_{x\in L^*}\rho(x-v)e^{-2\pi i(x-v)\cdot c}\Big| \le \sum_{x\in L^*}\rho(x-v) = \rho(L^* - v).$$

Since $\mathrm{dist}(v, L^*) \ge \sqrt{n}$, we know

$$\rho(L^* - v) = \rho((L^* - v)\setminus\sqrt{n}N).$$

Take $c = 1$ in Lemma 1.3.4 and get

$$\rho((L^* - v)\setminus\sqrt{n}N) < 2^{-n}\rho(L^*) = 2^{-n}(1 + \rho(L^*\setminus\{0\})) \le 2^{-n}(1 + \varepsilon).$$

Above all,

$$|E[e^{2\pi i\xi\cdot v}]| = \Big|\frac{\hat{g}(L^*)}{\hat{\rho}_c(L^*)}\Big| \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}.$$

We complete the proof of Lemma 1.4.4.

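Lemma 1.4.5 For any $n$ dimensional full-rank lattice $L \subset \mathbb{R}^n$, $w, c, v \in \mathbb{R}^n$, $0 < \varepsilon < 1$, $s \ge \eta_\varepsilon(L)$, $\xi$ is a random variable from the discrete Gauss distribution $D_{L,s,c}$, $\mathrm{dist}(v, L^*) \ge \frac{\sqrt{n}}{s}$, then

$$|E[\cos(2\pi(\xi + w)\cdot v)]| \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}. \tag{1.4.17}$$

Proof By Lemma 1.4.4 we have

$$|E[\cos(2\pi(\xi + w)\cdot v)]| \le |E[e^{2\pi i(\xi+w)\cdot v}]| = |E[e^{2\pi i\xi\cdot v}]| \le \frac{1+\varepsilon}{1-\varepsilon}2^{-n}.$$

Lemma 1.4.5 holds.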

Finally, we give a lemma which will be used in the next chapter.

Lemma 1.4.6 Let $v_1, v_2, \ldots, v_m$ be $m$ independent random variables on $\mathbb{R}^n$ such that $E[|v_i|^2] \le l$ and $|E[v_i]|^2 \le \varepsilon$ for $i = 1, 2, \ldots, m$. Then for any $z = (z_1, z_2, \ldots, z_m)^T \in \mathbb{R}^m$,

$$E\Big[\Big|\sum_{i=1}^{m} z_i v_i\Big|^2\Big] \le (l + m\varepsilon)|z|^2. \tag{1.4.18}$$

Proof By Cauchy inequality we get $\sum_{i=1}^{m}|z_i| \le \sqrt{m}|z|$, so

$$E\Big[\Big|\sum_{i=1}^{m} z_i v_i\Big|^2\Big] = \sum_{i,j} z_i z_j E[v_i\cdot v_j] = \sum_{i} z_i^2 E[|v_i|^2] + \sum_{i\ne j} z_i z_j E[v_i]\cdot E[v_j]. \tag{1.4.19}$$

The first term of the right hand side in (1.4.19) has the estimation

$$\sum_{i} z_i^2 E[|v_i|^2] \le \sum_{i} z_i^2\, l = l|z|^2.$$

The second term of the right hand side in (1.4.19) has the estimation

$$\sum_{i\ne j} z_i z_j E[v_i]\cdot E[v_j] \le \sum_{i\ne j}|z_i||z_j|\cdot\frac{1}{2}(|E[v_i]|^2 + |E[v_j]|^2)$$

$$\le \varepsilon\sum_{i\ne j}|z_i||z_j| \le \varepsilon\Big(\sum_{i}|z_i|\Big)^2 \le m\varepsilon|z|^2.$$

From (1.4.19) it follows that

$$E\Big[\Big|\sum_{i=1}^{m} z_i v_i\Big|^2\Big] \le (l + m\varepsilon)|z|^2.$$

This lemma holds.

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0
International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing,
adaptation, distribution and reproduction in any medium or format, as long as you give appropriate
credit to the original author(s) and the source, provide a link to the Creative Commons license and
indicate if changes were made.
The images or other third party material in this chapter are included in the chapter’s Creative
Commons license, unless indicated otherwise in a credit line to the material. If material is not
included in the chapter’s Creative Commons license and your intended use is not permitted by
statutory regulation or exceeds the permitted use, you will need to obtain permission directly from
the copyright holder.
Chapter 2
Reduction Principle of Ajtai

In 1996, the famous scholar Ajtai proposed the reduction principle from the worst
case to the average case at the 28th Summer Symposium of the American Computer
Society (ACM), named the Ajtai reduction principle [see Ajtai (1996), Ajtai (1999)
and Ajtai and Dwork (1997)]. Subsequently, Ajtai and Dwork presented the first
lattice-based cryptosystem, which is called the Ajtai-Dwork cryptosystem in the
academic circles. The proof of this cryptosystem resisting Shor’s quantum computing
is to apply Ajtai reduction principle to transform searching for collision points of
the Hash function into the SIS problem, and Ajtai reduction principle proves that the
difficulty of solving the SIS problem is polynomially equivalent to the shortest vector
problem on lattice. The main purpose of this chapter is to prove the Ajtai reduction
principle.

2.1 Random Linear System

Let $A \in \mathbb{Z}_q^{n\times m}$ be an $n \times m$ matrix on $\mathbb{Z}_q$, if each element of $A$ is a random variable on $\mathbb{Z}_q$, and the $n \times m$ random variables are independent and identically distributed, then $A$ is called a random matrix on $\mathbb{Z}_q$. We give the definition of random linear system

$$y \equiv Ax + z \pmod q, \quad x \in \mathbb{Z}_q^m,\ y \in \mathbb{Z}_q^n,\ z \in \mathbb{Z}_q^n, \tag{2.1.1}$$

where $x, y, z$ are random variables on $\mathbb{Z}_q^m$ and $\mathbb{Z}_q^n$, respectively. This random linear system plays an important role in modern cryptography. We prove some basic properties in this section.

Lemma 2.1.1 Let $A \in \mathbb{Z}_q^{n\times n}$ be an invertible square matrix of order $n$, $y \equiv Ax \pmod q$, then $y$ is uniformly at random on $\mathbb{Z}_q^n$ if and only if $x$ is uniformly distributed.

© The Author(s) 2023


Z. Zheng et al., Modern Cryptography Volume 2, Financial Mathematics and Fintech,
https://doi.org/10.1007/978-981-19-7644-5_2

Proof If $x$ is uniformly distributed on $\mathbb{Z}_q^n$, then for any $x_0 \in \mathbb{Z}_q^n$, we have

$$\Pr\{x = x_0\} = \frac{1}{q^n}.$$

Since there is only one $y_0 \in \mathbb{Z}_q^n \Rightarrow Ax_0 \equiv y_0 \pmod q$, therefore,

$$\Pr\{y = y_0\} = \Pr\{x = x_0\} = \frac{1}{q^n}.$$

Because $A$ is an invertible matrix, there is a one-to-one correspondence between $y_0$ and $x_0$. In other words, when $x_0$ traverses all the vectors in $\mathbb{Z}_q^n$, $y_0$ also traverses all the vectors in $\mathbb{Z}_q^n$, which means $y$ is also uniformly at random on $\mathbb{Z}_q^n$. On the other hand, if $y$ is uniformly distributed on $\mathbb{Z}_q^n$, so is $x$ on $\mathbb{Z}_q^n$ by $x \equiv A^{-1}y \pmod q$.

Remark 2.1.1 In fact, for the above linear system, x and y are random variables with
the same distribution when A is an invertible square matrix. However, this property
doesn’t hold if A is not a square matrix.

Let $a \in \mathbb{R}$ be a real number, $[a]$ be the greatest integer no more than $a$, i.e. $[a]$ is the only integer satisfying the following inequality,

$$[a] \le a < [a] + 1.$$

If $x \in \mathbb{R}^n$ is an $n$ dimensional vector, $x = (x_1, x_2, \ldots, x_n)$, we define $[x]$ as follows

$$[x] = ([x_1], [x_2], \ldots, [x_n]) \in \mathbb{Z}^n.$$

$[x]$ is called the integer vector of $x$. We say $x$ is a random vector, which means each element $x_j$ is a random variable, and the $n$ random variables are mutually independent.

Lemma 2.1.2 If $x \in [0, 1)^n$ is a continuous random variable uniformly distributed on the unit cube, then $[qx]$ is a discrete random variable uniformly on $\mathbb{Z}_q^n$.

Proof Since all the components of $x$ are independent, we only prove for $n = 1$. If $a \in [0, 1)$ is a continuous random variable uniformly distributed, then for any $i = 0, 1, \ldots, q-1$, we have

$$\Pr\{[qa] = i\} = \Pr\{i \le qa < i+1\} = \Pr\Big\{\frac{i}{q} \le a < \frac{i+1}{q}\Big\} = \frac{1}{q}.$$

This indicates $[qa]$ is a discrete random variable uniformly distributed on $\mathbb{Z}_q$.


Another random document with
no related content on Scribd:
similar in form to other species of the genus. We represent the
development of this larva in Fig. 237. We may call attention to the fact
that this figure illustrates the large size of the paunch, which is so
extraordinary in some of the states of the Termitidae.

It will be recollected that the genus Calotermes is destitute of workers.


There is another genus, Anoplotermes, in which the reverse condition
prevails, and the soldier is absent; this is the only case yet known in
which such a state of affairs exists. The species is called A. pacificus by
Fritz Müller; it differs from other Termitidae in possessing a proventriculus
destitute of triturating ridges. The nests of this species are utilised by a
little Eutermes (E. inquilinus Müller) for its own advantage; whether by
first destroying the Anoplotermes or whether by merely taking possession
of the nests abandoned by their owners is not known. It is a most
remarkable fact that the Eutermes resembles the Anoplotermes so
extremely that the two can scarcely be distinguished, though anatomically
they are quite different. The resemblance is indeed so great that it
deceived Von Jhering into supposing that the two genera were alternate
generations of a single species, one generation possessing soldiers, the
other being without them. Subsequently, by anatomical investigation, he
recognised[299] the error into which he had fallen—an error that, under
such peculiar circumstances, was quite pardonable.

Fig. 237.—Changes in external form of the young larva of Calotermes
rugosus. A, Newly hatched with nine joints in antennae, × 8; B, older
larva with ten joints, × 8; C, next stage with eleven joints, × 8; D, larva
with twelve joints; the position of the parts of the alimentary canal are
shown—v, crop; m, stomach; b, paunch; e, intestine; r, dorsal vessel, ×
16⁄3 (After Fritz Müller.)

Hagen has suggested[300] that Hodotermes japonicus never produces
winged forms. Very little, however, is actually known as to this species.

Marching and Harvesting Termites.—Smeathman alluded to a
remarkable Termes seen by him in Africa, giving it the name of T. viarum.
Nothing further is known of this Insect, which, according to Smeathman's
account, may possibly be the most remarkable of the family. T. viarum is
said to be larger than T. bellicosus, and was discovered issuing in large
numbers from a hole in the ground and marching in columns consisting of
workers directed by soldiers of enormous size, some of whom climbed up
plants and gave audible signals to the army, which immediately
responded with a hissing noise and by increasing their pace with the
utmost hurry; they continued marching by the spot where Smeathman
observed them for upwards of an hour. He was not able to find their
nests, and no specimens have been preserved; both soldiers and workers
possessed eyes. Marching in this way by daylight is contrary to the nature
of ordinary Termites, and some doubt has existed as to the correctness of
Smeathman's observation, which has in fact remained for upwards of a
century without confirmation.

Fig. 238.—Eyed, grass-cutting Termite, Hodotermes havilandi, A, soldier; B,
worker. South Africa. In life the head is carried horizontally, so the
piece of grass sticks up like a flag-pole.

Mr. G. D. Haviland has, however, this year discovered in Natal a Termite
which shows that there are species in Africa of the kind described by
Smeathman, the workers and soldiers being possessed of facetted eyes.
Mr. Haviland states that the workers of this species issue from holes in
the ground during the heat of the day and cut grass both dead and green.
They carry it, in lengths of about two inches, to the mouths of the holes,
often leaving it there and going at once to fetch more. Under acacia
bushes they carry acacia leaflets as well as grass. In the middle of the
day more grass accumulates at the entrance to the holes than can be
taken in, but as the heat of the day diminishes the workers cease to
forage and take in the accumulation. When the grass is all in they
sometimes close the mouth of the hole with moistened pellets of earth
brought in their mouths. The soldiers remain in the holes; when disturbed
they jerk themselves like soldiers of other species to frighten away the
intruder; when they bite, their grip is very tenacious. The holes are about
⅓ of an inch in diameter, and there are usually several of them a few
yards apart; around each of them is a patch over which the grass has
been cut quite short. Mr. Haviland followed these holes by digging for a
distance of 20 feet and to a depth of 5½ feet; they remain uniform in size
except that near the entrance there may be one or two chambers in which
the grass is temporarily stored, but these do not hold more than would be
collected in an hour or two. As the burrow descends it is occasionally
joined by another, and at the point of junction there is usually a
considerable widening. Sometimes they run straight for 6 or 7 feet,
sometimes they curve abruptly, sometimes they are nearly horizontal, but
near the mouth may be almost vertical in direction. These Termites are
very local, but the specimens are numerous when found. Mr. Haviland
dug for these Insects at two places on the Tugela river, one of them being
at Colenso. It is much to be regretted that he was unable to reach the
nest. We figure a soldier selected from specimens sent by Mr. Haviland to
the Cambridge University Museum. This Insect is apparently much
smaller than Smeathman's T. viarum. Other species of Termitidae have
been described[301] as forming underground tunnels in Africa, but none of
the species have yet been satisfactorily identified.

It was stated by Smeathman that some species of Termites had
chambers in their habitations in which grew a kind of fungus used by the
Insects for food; Mr. Haviland is able to confirm Smeathman in this
particular; he having found fungus-chambers in the nests of more than
one species both in Singapore and South Africa (Fig. 240).

Habitations.—In nothing do Termites differ more than in the habitations
they form. Sometimes, as we have mentioned in the case of Calotermes,
there is no real structure formed; only a few barriers being erected in
burrows or natural hollows in wood. In other cases very extensive
structures are formed, so that the work of the Termites becomes a
conspicuous feature in the landscape. This is of course only the case in
regions that are not much interfered with by man; the great dwellings
spoken of by Smeathman and others soon disappear from the
neighbourhood of settlements, but in parts of Africa and in Australia large
dwellings are still formed by these creatures. In the latter part of the world
there exists a very remarkable one, formed by an undetermined species
called by the officers and crew of her Majesty's ship Penguin the
"compass ant." The outline of one of the structures formed by this Termite
we represent in Fig. 239. Mr. J. J. Walker, to whom we are indebted for
the sketch from which this figure is taken, has also favoured us with the
following extract from his diary, of date 4th August 1890: "The most
interesting feature in the scenery (about forty miles inland from Port
Darwin) was the constant succession of huge mounds raised by the
Termites, of which I had seen some comparatively small examples in my
rambles near Port Darwin; but these exceeded in dimensions all I had
ever seen. The most frequent as well as the largest kind was usually of a
reddish or ferruginous colour outside, and generally almost cylindrical in
shape with obtusely-pointed top, but nearly always more or less weather-
worn, with great irregular buttresses and deep ruts down the sides; many
of them look like ruined towers in miniature. Their usual height was from 8
to 10 feet, but many were much higher, and some attained an (estimated)
elevation of at least 20 feet. Another kind, seen only in one or two places
along the line, was of a much more singular character; they averaged
only 4 to 5 feet high, were built of a dark-gray mud, and in shape were
like thin flat wedges set upright (see Fig. 239), reminding one of
tombstones in a churchyard. But the most remarkable feature about these
mounds was that they had all the same orientation, viz. with the long
faces of the wedge pointing nearly north and south. Why this is so I am
quite at a loss to imagine, and I much regret that I had no opportunity of
closely examining these most singular structures. A third kind of mound,
usually not exceeding 2 feet in height, was of a simple, acute, conical
figure, and generally of a gray colour somewhat paler than the last."

Fig. 239.—Termitarium of compass or meridian Termite of North Australia.
A, face extending south and north; B, cross-section.

The material used for the construction of the dwellings is either earth,
wood, or the excrement of the Termites. The huge edifices mentioned by
Smeathman are composed of earth cemented together so as to look like
stone or brick, and the buildings appear to be almost as strong as if they
were actually constructed with these materials. In many cases the
substance used is comminuted wood that has passed one or more times
through the alimentary canal of the Insects, and may therefore be called
excrement. Whether the stone-like material is made from earth that has
passed through the alimentary canal or from grains gathered for the
purpose has not been well ascertained. In any case the material is
cemented together by means of the secretions of glands. Dudley and
Beaumont have described the process of construction, in a species
observed by them, saying that earth is brought and placed in position by
the mandibles, and cemented by liquid from the abdomen.[302] Von
Jhering says[303] that some species form the exterior walls of their
dwellings of stone-like material, but make use of woody matter for the
construction of the interior. Smeathman has described the nest of Termes
bellicosus. The whole of the very strong external wall consists of clay-like
material, cemented by the secretions of the Termites to a very firm
consistence. The royal cell is built of the same material as the framework
of the nest; whilst the nurseries in which the young are chiefly found are
built of woody material, and are always covered with a kind of mould—the
mycelium of a fungus—and plentifully sprinkled with small white bodies,
which, under the microscope, are found to be filled with a number of
oblong, spore-like cells.

Fig. 240.—Fragment of Termitarium of Termes angustatus, S. Africa,
showing fungus chambers and orifices of communication.

These nurseries rest on the clay-like framework of the nest, but are not
attached thereto; they in no way support it, or one another, indeed they
have the appearance of being constantly added to on their upper margins
and constantly eaten away on their under parts. Fig. 240 represents the
appearance of the upper boundary of a nursery taken from a nest of
Termes angustatus. The small white bodies, mentioned above, have
disappeared: the mycelium of the fungus, though not shown in the figure,
is still visible on the specimen from which it was drawn, and gives rise to a
whitish, glaucous appearance.

In various parts of the world nests formed on trees by Termites are to be
seen; these tree nests are, it would appear, in some cases only parts of a
community, and are connected with the main body by galleries. In other
cases nests are formed in various positions of advantage; Messrs.
Hubbard and Hagen have given us an account[304] of some of these—
probably the work of Eutermes ripperti—as seen in Jamaica. They
describe the nests as spherical or conical masses, looking externally as if
composed of loamy earth; they are placed on trees, fences, or walls; they
vary in size from that of a man's fist to that of a hogshead; they appear to
be composed of finely comminuted wood fastened together by saliva.
These nests are formed on the same principle as those of the wasps that
make nests hanging to trees and bushes, as they consist of an external
protecting envelope covering a comb-like mass in the interior. At the
bottom of the nest there is a covered gallery leading to the earth, where
the main nest appears to be situate; galleries also are constructed so as
to lead to the tops of trees and other places, in such a manner that the
Termite can still keep up its peculiarity of working and travelling in tunnels
and yet roam over a large area; the activity of these Termites continues
day and night. In each nest there is a queen, who lays eggs that are
removed by the worker Termites to the bottom of the nest. The young are
fed on a prepared food, consisting apparently of comminuted vegetable
matter, of which considerable masses are laid in store. Some of the nests
are rich in containing many pounds' weight of this material, while others
are apparently quite destitute of it. There is a soldier form and at least two
kinds of workers. Some species of true ant frequently shares the nest of
these white ants, but on what terms the two kinds of Insects live together
is not stated.

Termite Ravages.—In countries whose climate is favourable to their
constitutions certain kinds of Termites become of great importance to our
own species. Owing to their taste for woody matter and to their habit of
working in concealment, it is no uncommon thing for it to be discovered
that Termites have obtained access to a building and have practically
destroyed the wooden materials used in its construction; all the interior of
the wood being eaten away and only a thin outer shell left intact. A
Termite, T. tenuis, was introduced—in what manner is not certainly
known[305]—to the Island of St. Helena, and committed such extensive
ravages there that Jamestown, the capital, was practically destroyed and
new buildings had to be erected. Other such cases are on record.
Destructive species can sometimes be destroyed by placing in the nests
a portion of arsenicated food. This is eaten by some individuals, who
perish in consequence; and their dead bodies being consumed by their
comrades, the colony becomes checked if not exterminated.

The number of described species of Termitidae does not much exceed
100, but this is certainly only a small portion of those existing, the total of
which may probably reach 1000 species.

Termitidae are classed by some naturalists with the Orthoptera, and they
have a great deal in common with some of the cursorial division of that
Order, more particularly Forficulidae and Blattidae; but they differ from
Orthoptera in the nature and form of the wings. They are also classed by
some, with a few other forms, as a separate Order of Pseudo-Neuroptera
called Corrodentia, but this is not a very satisfactory course, as the
Termitidae do not agree closely with the forms associated with them,
while the aggregate so formed is far from being very distinct from other
forms of Neuroptera. On the whole the best plan appears to be to treat
the Termitidae as forming a distinct family of the Order Neuroptera, or to
make it a distinct Order, as proposed by Grassi. Packard now associates
Termites in an Order with the biting-lice, and calls it Platyptera.

Fossil Termites.—Termitidae were very abundant in Tertiary times, and
the genera appear to have been then much the same as at present. In
Mesozoic strata the remains of true Termitidae apparently exist in the Lias
in Europe, but farther back than this the family has not been satisfactorily
traced. It was formerly supposed that Termitidae existed in the
Carboniferous strata, but this appears to be very doubtful; and the fossil
remains of that epoch, which were presumed to be those of Termites, are
now referred by Scudder and others to the Neuropteroid division of the
Order Palaeodictyoptera, an Order which is formed entirely of Palaeozoic
fossil remains.

CHAPTER XVII

NEUROPTERA CONTINUED—PSOCIDAE (BOOK-LICE AND DEATH-WATCHES)—
THE FIRST FAMILY OF AMPHIBIOUS NEUROPTERA (PERLIDAE, STONE-FLIES).

Fam. IV. Psocidae—Book-Lice, Death-Watches.

Minute Insects with slender, thread-like, or hair-like antennae; four
delicate membranous wings, the front pair of which are the larger;
their neuration is not abundant and is irregular, so that the cells are
also irregularly arranged; the transverse nervules are only one or two
in number.[306] Prothorax very small, in the winged forms quite
concealed between the head and the large mesothorax; this latter
closely connected with, or fused with, the metathorax. Species quite
wingless, or with wings unfitted for flight, exist; in them the prothorax
is not so extremely small, while the mesothorax is smaller than in the
winged forms. Tarsi of two or three segments. Metamorphosis slight,
marked chiefly by the development of wings and ocelli.

Fig. 241.—Psocus fasciatus, England. (After M‘Lachlan.)

The Psocidae are without exception small and soft-bodied Insects, and
are only known to those who are not entomologists by the wingless forms
that run about in uninhabited or quiet apartments, and are called dust-lice
or book-lice. They are perhaps more similar to Termitidae than to any
other Insects, but the two families differ much in the structure of their
wings, and are totally dissimilar in the nature of their lives.

Fig. 242.—Transverse horizontal section of head of Psocus: f, fork or pick; t,
lingua; mx, left maxilla; c, cardo; p, stipes; m.m, muscles; m.s, socket
of mandible.

Fig. 243.—A, Front of head of Psocus heteromorphus; cl, post-clypeus; g,
epicranium: B, transverse horizontal section of post-clypeus of Psocus:
cl, post-clypeus; c.m, clypeal muscles; g, epicranium; t, tendons; l.m,
labial muscle in section; oe, oesophagus; oe.b, oesophageal bone.
(After Burgess and Bertkau.)

The antennae consist of eleven to twenty-five joints, or even more, about
thirteen being the usual number; the basal two are thicker than the others,
and are destitute of setae or pubescence such as the others possess.
The maxillae and labium are remarkable. The former possesses a
peculiar hard pick or elongate rod; this is considered by many naturalists
to be the inner lobe, but Burgess thinks it more probably an independent
organ,[307] as it has no articulation of any kind with the outer lobe. The
latter is remarkably thick and fleshy; the palpus is 5-jointed. Other
authorities consider the pick to be certainly the inner lobe; if it be not, the
latter is quite wanting. Hagen agrees with Burgess in stating that the pick
slides in the outer lobe as in a sheath. The labium has a large mentum
and a ligula divided anteriorly into two lobes; at each outer angle in front
there is a globular projection, which is doubtless the labial palpus;
reposing on the labium there is a large free lingua. The labrum is large,
attached to a distinct clypeus, behind which there is a remarkable post-
clypeus, which is usually prominent as if inflated; to its inner face are
attached several muscles which converge to be inserted on a plate
placed below the anterior part of the oesophagus, and called by Burgess
the oesophageal bone; under or within the lingua there is a pair of lingual
glands. Judging from Grosse's study of the mouth of Mallophaga, we may
conclude that the oesophageal bone will prove to be a sclerite of the
hypopharynx. The eyes of the winged forms are frequently remarkably
convex, and there are also three ocelli, triangularly placed on the vertex.
The head is free and very mobile. The coxae are rather small, exserted,
contiguous; the sterna small. The abdomen has usually ten segments,
though sometimes only nine can be detected.

The thorax in Psocidae usually looks as if it consisted of only two
segments. This is due to two opposite conditions: (1) that in the winged
forms the prothorax is reduced to a plate concealed in the fissure
between the head and the mesothorax bearing the first pair of wings; (2)
that in the wingless forms (Fig. 247), though the prothorax is distinct, the
meso- and metathorax are fused into one segment.

Fig. 244.—Reproductive organs of Clothilla pulsatoria. A, Male; a, vesiculae
seminales; b, testes; c, vasa deferentia; d, ejaculatory duct. B, Female;
a, b, egg-tubes; c, oviduct; d, uterus, containing egg; e, accessory
gland (the enveloping sac in section); f, its duct. (After Nitzsch.)

The internal anatomy is only very incompletely known. Nitzsch[308] has,
however, described the alimentary canal and the reproductive organs of
Clothilla pulsatoria. The former is remarkably simple: no proventriculus or
crop was found; the stomach is very elongate, and consists of a sac-like
anterior portion and an elongate, tubular posterior part. There are four
Malpighian tubes. The posterior part of the canal is remarkably short, the
small intestine being scarcely as long as the rectum. The ovaries (Fig.
244, B) consist of five egg-tubes on each side; connected with the oviduct
there is a peculiar accessory gland consisting of a sac containing other
small sacs each with an elongate efferent duct; the number of the
secondary sacs varies from one to four according to the individual. The
testis (Fig. 244, A, b) is a simple capsule; connected with the base of the
ejaculatory duct there is a pair of elongate accessory glands or vesiculae
seminales.

The life-history has never been satisfactorily sketched. The young greatly
resemble the old, but have no ocelli or wings, and sometimes the tarsi are
of two joints, while in the adult they have three. The antennae have also
in these cases a less number of joints in the young stage. The food is
animal or vegetable refuse substances; many live on fungoid matter of
various kinds, mouldy chaff being, it is said, a favourite pabulum; the
mould on palings is a source of food to many; others live on the rust-fungi
of leaves, and many frequent the bark of trees. They are able to spin
webs, probably by the aid of the lingual glands; the eggs are deposited, in
some cases, on leaves and covered with a web. Hagen says that a
peculiar organ, possibly a gland—he calls it a hose[309]—exists at the
base of the tarsal claws. In our climate most of the species pass the
winter in the egg-state. There may be two generations in a year, perhaps
more.

The nomenclature of the wing-veins of Psocidae has given rise to much
discussion.[310] The system shown in the accompanying figure is
probably the most convenient; the subcostal vein (2) is always obscure,
and sometimes can only be detected by very minute examination. Some
interesting information as to the minute structure and mode of formation
of the wings and their nervures has been given by Hagen.[311]

Fig. 245.—Anterior wing of Elipsocus brevistylus. (After Reuter.) 1, Costal
vein; 2, subcostal; 3, radial; 4, cubitus; 4a, branches of cubitus; 5,
sector of the radius; 5a, forks thereof.

In the young the wings first appear as buds, or outgrowths of the sides of
the meso- and meta-thorax; afterwards the prothorax decreases, while
the other two thoracic segments and the wing-rudiments attached to them
increase. The wings from their very origin appear to be different from
those of the Orthoptera, and the changes that take place in the thoracic
segments in the course of the development, differ from those that occur in
Orthoptera.

Fig. 246.—Micropterous form of Mesopsocus unipunctatus. a, a, Wings.
(After Bertkau.)

There are several peculiarities connected with the wings. Frequently they
exist, though of no use for flight; some Psocidae that have perfectly-
formed wings are so reluctant to use them that, M‘Lachlan says, they will
allow themselves to be crushed without seeking to escape by flight. At
certain periods, however, some Psocidae float on the wing in
considerable numbers, especially in a moist still atmosphere, and then
drift about like the winged Aphididae, which are frequently found with
them. There is evidence that individuals, or generations, of some of the
winged species occur with only rudimentary wings; although this has
been denied by Kolbe, there can be no doubt about it. The form figured
above (Fig. 246) was described by Bertkau[312] as a distinct genus, but
was afterwards recognised by him[313] to be a short-winged form of
Mesopsocus unipunctatus. It is probable that the adult female of this
species has the wings always micropterous, while the male has these
organs of the full size. In other species the condition of the rudimentary
wings seems to be quite constant. The facts concerning the wings of
Psocidae are so peculiar that Kolbe came to the conclusion that the
organs exist not because they are of use for flight, so much as because it
is the nature of an Insect to develop wings.[314]

Some of the species of Psocidae have never any trace of wings. These
apterous forms are mostly included in the division Atropinae, and are
usually very minute; it has been again and again erroneously stated that
they are the young state of winged forms. Hagen kept a large colony of
Atropos divinatoria for some years in confinement, so that he saw
numerous generations as well as many specimens. He found the
apterous condition quite constant.

The association of ocelli with wings is nearly constant in Psocidae. The
genus Clothilla—allied to Atropos—possesses very rudimentary wings but
no ocelli. Hagen, however, found[315] that in a certain locality no less than
12 per cent of the individuals of this species were provided with ocelli,—a
most extraordinary variation.

In some of these apterous forms there is found on each side of the
prothorax a tubercular prominence which, according to Hagen, can be
considered only as the rudiment of a wing that never develops. Though
no existing Insect is known to possess rudimentary wings on the
prothorax, we have previously mentioned (p. 344) that in the
Carboniferous epoch appendages of the nature alluded to were not very
rare.

A genus of living forms—Hyperetes—in which the three thoracic
segments are well developed, but in which there are no alar appendages
or rudiments, is considered by Hagen to be more primitive than the
Psocidae found in amber to which we shall subsequently allude.

The number of described species of Psocidae does not reach two
hundred; we have, however, thirty species or more in Britain.[316] Nietner
observed about the same number in the immediate vicinity of his house in
Ceylon. The isolated and remote Hawaiian group of islands is remarkably
rich in Psocidae. Two thousand is a moderate estimate of the number of
existing species. The largest forms yet discovered belong to the Brazilian
genus Thyrsophorus; they attain, however, a breadth of only about one
inch with the wings fully expanded. The Cuban genus Embidopsocus is
said to be of great interest from its approximation to Embiidae. It is at
present very inadequately known.

One (or more) very minute Insects of this family—Clothilla pulsatoria
according to Hagen, Atropos[317] divinatoria according to some other
authors—is widely known under the name of the death-watch, owing to its
being believed to make a peculiar ticking noise, supposed to be prophetic
of the decease of some individual—a human being we fancy, not a death-
watch. It is difficult to believe that so minute and soft an Insect can
produce a sound audible to human ears, and many entomologists are of
opinion that the sound in question is really produced by a beetle—of the
genus Anobium—which lives in wood, and that as the beetle may be
concealed in a hole, while the Clothilla is seen running about, the sound
is naturally, though erroneously, attributed to the latter. But the rapping of
the Anobium is well known, is produced while the Insect is at large, and is
said to be a different noise from that of the Psocid; evidence too has been
given as to the production of the sound in a workbox when the Psocid
was certainly present, and the most careful search failed to reveal any
beetle.

Fig. 247.—A, Atropos divinatoria; B, Clothilla pulsatoria. (After M‘Lachlan.)

The Rev. W. Derham, who two hundred years ago was Rector of
Upminster, in Essex, and was well known as a distinguished writer and
philosopher, gave an account of the ticking of death-watches to the Royal
Society.[318] This gentleman was a most accurate and minute observer;
he was well acquainted with the ticking of the greater death-watch—
Anobium—which he describes very accurately, as well as the acts
accompanying it, the details he mentions being exactly such as occur at
the present time. He not only heard the ticking of the Psocid or lesser
death-watch, but repeatedly witnessed it. He says: "I am now so used to,
and skilful in the matter as to be able to see, and show them, beating
almost when I please, by having a paper with some of them in it
conveniently placed and imitating their pulsation, which they will readily
answer." He also states that he could only hear them beating when it was
done on paper, and that this death-watch will tick for some hours together
without intermission, with intervals between each beat, so that it much
resembles the ticking of a watch. The act of ticking was accompanied by
rapping the front of the head on the paper, but Mr. Derham could not be
sure that the sound was produced in that manner, because each stroke
was also accompanied by a peculiar shudder, or recoil. After a prolonged
ticking he observed that another individual of the other sex made its
appearance. The species figured by Mr. Derham more resembles a
Hyperetes than it does either of our two known book-lice, Atropos and
Clothilla.

Fig. 248.—The lesser death-watch of Upminster. (After Derham.) A,
magnified; B, natural size.

Fig. 249.—Sphaeropsocus kunowii. From amber. × 30. (After Hagen.)

Numerous species of Psocidae are preserved in amber; Hagen[319] has
made a careful study, based on a considerable number of specimens, of
about thirteen such species. They belong to no less than nine genera and
five sub-families. Sphaeropsocus is the most remarkable; this Insect has
a well-developed prothorax, as is the case in the wingless Psocids, and a
pair of large wings or tegmina meeting by a straight suture along the
back, as is usual in beetles, though quite unknown in existing Psocidae.
Another species, Amphientomum paradoxum, has the body and
appendages covered with scales like a butterfly or moth; other species,
found in gum-copal or still living, have scales on various parts of the body,
but not to so great an extent as this amber species. The genus
Amphientomum is still represented in Ceylon and elsewhere by living
forms; Packard has figured some of the scales;[320] they appear to be
extremely similar to those of Lepidoptera or Thysanura. The facts
connected with this fauna of amber Psocidae would seem to show that
the family was formerly more extensive and important than it is at present;
we should therefore expect to find numerous fossil forms in strata of date
anterior to that of the amber; but this is not the case, all that is known as
to fossil Psocidae being that Scudder has recently ascribed traces of an
Insect found in the Tertiary rocks of Utah to this family as a distinct genus.

Fam. V. Perlidae.

Insects of moderate or large size, furnished with four membranous
wings; these are usually complexly reticulate; the hind pair are much
the larger, and have a large anal area of more simple venation, which
becomes plicate when folded. The coxae are small, the legs widely
separated. The larvae are aquatic in habits; the metamorphosis is
slight.

Fig. 250.—Pteronarcys frigida, male. (After Gerstaecker.)

The Perlidae form a small family of Insects unattractive in their general
appearance. The life-history of each individual consists of two abruptly
contrasted portions; the earlier stage being entirely aquatic, the later
aerial. Hence the Perlidae come into the amphibious division of
Neuroptera. The definition we have given above would, except as regards
the texture of the front wings and the aquatic habits of the larvae, apply to
many Insects of the Order Orthoptera. The Phryganeidae, another family
of Neuroptera, have aquatic larvae and wings somewhat similar in form to
those of the Perlidae, but the members of the two families cannot be
confounded, as the Phryganeidae have hairy front wings and large and
contiguous coxae.

The antennae of the Perlidae are long, very flexible, and composed of a
very large number of joints. The parts of the mouth vary a good deal. The
mandibles and maxillae are usually rather small, and all the parts of the
mouth are of feeble consistence or even membranous; the maxillary palpi
are, however, well developed and exserted from the mouth, five-jointed.
The labium is short and but little conspicuous. The mandibles in some
forms are almost membranous, but in other genera they are firmer and
are toothed. The labium is composed of a very large mentum, beyond
which is a large piece, usually undivided, bearing the four terminal lobes;
the three-jointed palpus is seated on the side of the large middle sclerite,
which is no doubt of composite nature. Considerable variety as to the
lower lip prevails. The head is broad and flat; there is an indistinctly-
indicated clypeus, three—more rarely two—ocelli, and on each side an
eye neither very large nor perfect. The prothorax is free, and has a flat,
margined notum. The meso- and the meta-thorax are large, equal
segments. The pro-, meso-, and meta-sternum are large pieces; between
the first and second, and between the second and third there is an
intervening membrane. The metasternum is much prolonged backwards,
and has on each side a peculiar slit; similar orifices exist on the other
sterna (Fig. 254, o). Newport, who has examined them in Pteronarcys,
says that they are blind invaginations of the integument; he calls them the
sternal or furcal orifices.[321] According to this naturalist these very
peculiar openings pass into the body "as strong bone-like tubes, diverging
from the axis to the periphery of the body in the immediate vicinity of
some of the principal tracheae, but that they do not in any way
communicate with them, as they terminate abruptly as caecal structures."
He thinks them analogous with the endo-skeleton of other Insects; a view
which cannot be considered sufficiently established. Laboulbène
states[322] that when Perla parisina is seized and placed on its back, it
does not move, but emits a liquid at the base of the articulation of the
legs. This suggests that it may come from these sternal orifices. The
abdomen consists of ten dorsal plates, the first being short, and of nine
ventral; the dorsal plates are much more ample transversely than the
ventral. Frequently the hind body is terminated by two long, many-jointed
cerci, looking like antennae. The coxae are small, not prominent, and are
directed outwards. The legs are slender, the tibiae often grooved. The
tarsi are three-jointed, terminating in two claws and a more or less distinct
pad. In the genus Isopteryx an auditory organ has been described as
existing in the legs, in a position similar to that of the analogous structures
in Termitidae and Blattidae. The wings when closed repose flat on the
back, and fold and overlap so that only one is seen (Fig. 251); in this state
the costal portion of each front wing is turned downwards, so as to protect,
to some extent, the sides of the body.

Fig. 251.—Perla maxima. (After Pictet.)

Fig. 252.—Perla sp., nymph, showing tracheal gills. Pyrénées orientales.

The early stages are known, but have not been described minutely, and
there appears to be very little information as to the youngest life. All the
species are, when immature, aquatic in their habits; the larvae greatly
resemble the perfect Insects in form, though differing in not possessing
wings and in the ocelli being merely opaque spaces. They have rather
large compound eyes; the future wings are represented by lobe-like
prolongations—varying in length according to age—of the meso- and
meta-notum. In the Nemourae the cerci are absent in the imago though
present in the young. The larvae of Perlidae are carnivorous and are able
to swim well, the legs being provided with abundant swimming hairs; they,
however, as a rule, prefer to walk at the bottom of the pool, or on rocks or
boulders in the water they live in.

One of the most peculiar features of the Perlidae is their respiratory
system. Unfortunately the greatest differences of opinion have prevailed
on various matters in connexion with this subject, and there are several
points about which it is not possible at present to express a decided
opinion.

Fig. 253.—Tracheal gill and portion of a trachea of Pteronarcys. (After
Newport.)

The larvae have no stigmata; it appears to be generally agreed that there
is in them no means of admitting air to the tracheal system by means of
orifices. Some breathe entirely through the integument, the process being
aided by the accumulation of tracheae at the spots where the breathing
orifices should be, and where the integument is more delicate. Others,
however, possess gills in the form of protruded bunches of filaments,
connected with tracheae in the manner shown in Fig. 253. These
filamentous branchiae occur in numerous species of the family, and are
situate on various parts of the body, but many species are destitute of
them in genera, other members of which possess the filaments. In some
Nemourae instead of bunches of filaments there are tubular projections
on the prothoracic segment; and in Dictyopteryx signata similar structures
occur even in the cephalic region, Hagen stating[323] that there exists a
pair on the submentum and another on the membrane between the head
and the thorax. In the imago state, stigmata are present in the normal
fashion, there being two thoracic and six abdominal pairs. In several
species the filaments persist in the imago, so that in these cases we meet
with the curious condition of the coexistence of branchiae with a well-
developed and functionally active system of spiracles; this is the more
curious because the creatures usually have then nothing to do with the
water, it having been ascertained that in these cases the species live out
of the water as other terrestrial and aerial Insects do. These instances of
persistence of branchiae during the aerial life have been the source of
some perplexity; the condition was shown to exist in Pteronarcys by
Newport, and has since been demonstrated in various other forms.
Newport believed that the imago of Pteronarcys breathes by means of the
gills, although it lives out of the water and possesses spiracles; and he
informs us that Mr. Barnston observed the Insect when on the wing
"constantly dipping on the surface of the water." Hence Newport
concluded that Pteronarcys in the winged state is "an amphibious animal."
That a winged Insect should live in the air and yet breathe by means of
gills would be truly extraordinary, and there can be little doubt that
Newport's idea was erroneous. Hagen[324] was able to examine living
imagos of the species in question. He found that they avoided the water,
and though he placed some individuals therein, yet they did not use the
gills. He also informs us that the branchiae have, during life, a shrivelled
appearance, indicating that they are not functionally active, but are merely
useless organs carried over to the imago from the previous instar, in
which they were truly the means of obtaining air. Hagen also ascertained
that the spiracles of the imago are in a normal state, being adapted for
breathing, even as far back as the seventh abdominal segment.

Fig. 254.—Under side of body of Pteronarcys regalis, imago. (After
Newport.) g, Tracheal gills; o, sternal orifices.

Great difference of opinion has prevailed as to the relations of the
branchiae to the stigmata, it having been contended that the falling off of
some of the branchiae left the stigmatic orifices. The facts appear to be
only consistent with the conclusion that the two are totally independent
organs. This subject has been investigated by Palmén,[325] who finds that
in Perlidae—contrary to what occurs in may-flies—the species are either
entirely destitute of gills, or these organs are persistent throughout life. It
is not to be inferred from this that the gills in the perennibranchiate
Perlidae are as conspicuous as they are in the exceptional Pteronarcys:
for it appears that at the final moult the gills usually become very much
contracted and concealed by the new integument; in some cases they
merely appear as slight prominences in the neighbourhood of the
stigmata.

Pictet, Dufour, Newport, and Imhof[326] have studied the internal anatomy.
The alimentary canal is remarkable for the enormous oesophagus; there
is no distinction between this and the crop. A proventriculus is quite
