Application of automorphic forms to lattice problems

1.1 Summary of results for ideal lattices

We briefly recall the approach in ref. [17], which we follow in two main aspects with a shift of perspective. A transfer of their results to our framework is sketched in Appendix A.

Geometry of ideal lattices. Let k denote a number field with a ring of integers O k . A first step is to note that the set of ideal lattices can be identified with the Arakelov class group, which is geometrically given as follows:

where r is the number of real and complex embeddings of k up to conjugation, Λ k is the logarithm of the units O k × , and Cl k and h k are the class group and class number of k , respectively. Algebraically, the set of ideal lattices forms a group, called Arakelov class group, which is an extension of Λ k \ R r by the class group Cl k . By Dirichlet’s unit theorem, the unit lattice Λ k has rank r − 1 and lies in the trace 0 subgroup H ≅ R r − 1 . The ideal lattices that correspond to

are lattices with norm 1, see Appendix A or [17] for a rigorous definition. This is the degree 0 subgroup of the Arakelov class group. By the fundamental fact that this space is a compact group, it admits a uniform distribution, which corresponds to choosing uniformly random ideal lattices.

Worst-case distribution. With the geometric perspective in hand, in ref. [17], a worst-case distribution is defined by means of the usual Gaussian distribution on H , which is pushed down to the quotient Λ k \ H and extended by 0 to the whole Pic k 0 (i.e., the connected components different from 1 ∈ Cl k ). A class of Hecke operators on the space of square-integrable functions on Pic k 0 is defined in terms of a finite set of (finite) primes of k . These are translation operators at each prime, averaged over the set of chosen primes. They move the support of the worst-case distribution inside Pic k 0 so quickly that the sequence formed by iteratively applying them to the worst-case distribution converges to the uniform distribution. A technical but crucial feature is that characters of Pic k 0 are eigenfunctions of these operators. This property allows the analysis of the behavior of the worst-case distribution under the operators in terms of their Fourier series decomposition. The worst-case to average-case convergence is analyzed in terms of the Fourier series. Subject to the generalized Riemann hypothesis, this convergence is the main result of ref. [17]. By using this result, they show that, up to a change of constant, the worst-case SVP is as hard as the average-case SVP.

1.2 Summary of our framework

In this work, we attach a geometric structure to the set of module lattices of a fixed rank, which in rank 1 is equivalent to the approach in ref. [17]. Instead of the Arakelov theory, we use adèles, which are one of the basic constructions in algebraic number theory; see Remark 3.3.5 for a more detailed comparison. It turns out that the space of lattices of a fixed rank m is quite similar to Pic k in ideal lattices, i.e., the rank 1 case, namely,

where r 1 and r 2 are the number of real and complex embeddings of k , up to conjugation, respectively, and Γ α is a discrete (arithmetic) subgroup of GL m ( R ) r 1 × GL m ( C ) r 2 . The analog of Pic k 0 is a norm 1 subspace of the above space, which we denote Lat m 1 ( k ) . Of course, for m > 1 , Lat m 1 ( k ) does not acquire a group structure from GL m , but still is a symmetric space as it admits a transitive group action by GL m ( R ) r 1 × GL m ( C ) r 2 . Therefore, Lat m 1 ( k ) admits a right invariant (with respect to the action of GL m ( R ) r 1 × GL m ( C ) r 2 ) measure, which is unique up to scaling. A well-known result tells that the volume of Lat m 1 ( k ) with respect to this invariant measure is finite, see Proposition 3.2.3. In particular, the unique normalized invariant measure takes the role of a uniform distribution on the space of module lattices of rank m .

The next step is to define a worst-case distribution as in our approach we want to mimic [17]. However, the goal of finding suitable worst-case distributions becomes nontrivial for two reasons. First, the space of module lattices for m > 1 is not a torus as it is for m = 1 . Thus, we cannot define a Gaussian distribution in a straightforward manner. Second, even if we find a suitable function that geometrically mimics the properties of the worst-case distribution in rank 1, there is no general tool, which allows to decompose a function into basic components, as does Fourier analysis in rank 1. We take the following approach.

Functions as distributions. We are looking for distributions in the space of functions on the space of lattices. From an abstract viewpoint, the space of distributions is strictly larger than the usual function spaces, e.g., Dirac’s δ -distributions are not represented by functions. In fact, δ -distributions are perfect worst-case distributions. However, applying Hecke operators as in ref. [17] to the δ -distribution will result in distributions with a discrete spectrum, which cannot converge to the uniform distribution.

With this assumption, the functions we consider should satisfy certain properties. Namely, it should be square-integrable, smooth, symmetric, and decay quickly outside of a central point. This motivates the second assumption to look into the space of automorphic forms and more specifically, cusp forms.

Decomposition of automorphic forms and cusp forms. The space of L 2 -functions on Lat m 1 ( k ) is the subject of the study of automorphic forms in algebraic number theory and representation theory. For m > 1 , the space of square-integrable functions admits a decomposition:

where L 0 2 ( Lat m 1 ( k ) ) are cusp forms, L fin 2 ( Lat m 1 ( k ) ) are constant functions, and L Eis 2 ( Lat m 1 ( k ) ) are Eisenstein series. The subspace of cusp forms and constant functions can be analyzed in terms of representation theory. Moreover, in the case m = 1 , all square-integrable functions lie in this subspace. Accordingly, we believe that a worst-case distribution for rank m > 1 ought to be in the space of cusp forms and constant functions.

The space of cusp forms itself decomposes into a (Hilbert space) direct sum of cusp forms with the central character. Each of these terms again splits into irreducible components, which are the basic building blocks of the space of cusp forms, in the same manner as how characters are the basic functions in Fourier analysis. This is also a generalization of the classical theory of modular forms, which is the case of base field Q and rank m = 2 . The decomposition then corresponds to cusp forms, which are simultaneous eigenfunctions of Hecke operators, cf. [18] for the connection between modular forms and automorphic forms for GL 2 over Q .

Worst-case to average-case convergence. Keeping the previous ideas in mind, we define a class of cuspidal distributions in the space of automorphic forms. These contain the uniform distribution, and as described earlier, it can be seen as a source for worst-case distributions. For general cuspidal distributions, we give a criterion for the convergence to the uniform distribution. This is done in terms of the decomposition of cuspidal distributions into irreducible cusp forms plus a constant. As the cusp forms are eigenfunctions of Hecke operators, the condition is mainly a question of convergence of the coefficient series.

Lattices with G -structure. From a theoretical perspective, our approach is not restricted to the case of module lattices. Motivated by the theory of automorphic forms for a more general class of groups, we introduce a new concept of lattices with G structure. These lattices are defined in terms of an affine algebraic group over O k with a (faithful) representation. We exemplify the definitions with commonly used types of structured lattices as well as of lattices with G structure for the symplectic group, which correspond to symplectic lattices. Further, we display how lattices defined in terms of cyclic algebras as in ref. [19] are encapsulated by the given definition. The Jacquet–Langlands correspondence of the theory of automorphic forms allows us to transfer cuspidal distributions on rank 2 module lattices to cyclic lattices in ref. [19], for the case of quaternion algebras.

1.3 Related work

Since [16,20], module lattices are studied for their applications in cryptography. In ref. [16], a worst-case to average-case reduction was proven that reduced worst-case instances of module-LWE to average-case instances. This result opened the door for the application of module lattices to replace unstructured or ideal lattices. More recently, a different type of self-reduction of SVP on module lattices was shown in refs [21,22], where SVP of module lattices is reduced to module lattices of a smaller rank, where the rank of the latter divides the rank of the former. Both are generalizations of the LLL algorithm [23].

2.1 Norms on a number field

In this subsection, we briefly recall the notion of norms on a number field and state their characterization in terms of Ostrowski’s theorem. We exclude the trivial norm in the definition by requiring norms to be nonzero.

We refer to ref. [24, II, Definition 3.2; Proposition 3.3] for a topological definition and their equivalence. There are two distinct classes of norms, which we will exemplify now.

We want to note that the non-Archimedean norms are inherently different from the Archimedean norms, as they satisfy a strong triangle inequality.

For a proof, we refer to ref. [24], although, this follows easily from the analogous statement for the valuation ν p (where max turns to min , and the sign changes), which is an immediate consequence of the definitions. Of course, this strong triangle inequality does not hold in the Archimedean cases, e.g., 2 = ∣ 2 ∣ > ∣ 1 ∣ = 1 , and similarly in the complex case (where ∣ 2 ∣ = 4 ). The strong triangle inequality is usually taken as the definition of a non-Archimedean norm.

Note that Archimedean is defined to be not non-Archimedean. A characterization can be given in terms of the norm restricted to Z . In fact, a norm ∣ _ ∣ is Archimedean, if and only if Z is unbounded with respect to ∣ _ ∣ . The next result classifies all absolute values on a number field.

For a proof, see ref. [24, Chapter II].

The equivalence classes of norms on k are called places of k . The set of all places will be denoted P k . A place is called finite, if it corresponds to a non-Archimedean absolute value. On the other hand, infinite places are the Archimedean ones. We stress that finite places are in natural one-to-one correspondence with (nonzero) primes of O k ; while the infinite places correspond bijectively to embeddings into real and complex numbers up to conjugation. We will write ν ∣ ∞ , if ν is an infinite place, and ν ∤ ∞ , if ν is a finite place.

The product formula is one motivation for the normalizations we chose. However, they are quite natural from a measure theoretic perspective as one can find in ref. [25]. Note that the possibly infinite product is finite. In fact, ν p ( λ ) ≠ 0 , only if p appears in the prime decomposition of λ , which consists of only finitely many factors.

2.2 Adèles

The completions of k introduced in the previous section constitute the factors of the adèles, which we are going to introduce here.

This means that A k ⊆ ∏ ν k ν with x = ( x ν ) ν ∈ A k , if and only if x p ∈ O p for all but finitely many finite places ν p . Recall that we wrote k ∞ for the product of k σ with σ ∣ ∞ . The analog for finite places is the ring A k , f , which is the restricted product of k p with respect to O p , taken over all finite places p . Again, this means that x = ( x p ) p ∈ A k , f , if and only x p ∈ O p for all but finitely many p . It then follows that A k = k ∞ × A k , f . The ring of adèles gets a topology as follows. First, the infinite component k ∞ carries a natural topology as described in Section 2.1.2. The finite part A k , f is given the topology determined by enforcing O ^ k ≔ ∏ p O p to be open. Note that this is not the topology induced from the product of the k p . The field k is itself a subring of A k via the diagonal embedding k ↪ A k , λ ↦ ( λ ) ν .

This theorem has important consequences in the Fourier analysis of number fields, which dates back to the thesis of Tate [26]. Similar to the situation of lattices in Euclidean space, the Pontryagin dual of k is k \ A k . More details can be found in Tate’s thesis [26] itself, as well as refs [25,27].

Another important fact about the ring of adèles is that it satisfies an approximation theorem in the following sense. A proof can be found, for example, in ref. [27, Chapter 5].

A variant for SL 2 will be used implicitly in Section 3.2 where we describe the geometry of the space of module lattices.

Idèles. The idèles of k are defined to be I k = G m ( A k ) , i.e., invertible elements in A k . This group can be described explicitly as x = ( x ν ) ν ∈ A k with x ν ≠ 0 for all ν and x p ∈ O p × for all but finitely many p ∤ ∞ . It becomes a topological group by means of the embedding

Similar to adèles, we regard k × as a subgroup of G m ( A k ) via the diagonal embedding.

So far, the situation for the multiplicative group looks quite similar; however, the approximation theorem does not hold and the k × is not cocompact in G m ( A k ) . A reason can be seen from the adèlic norm

Note that the condition that x p ∈ O p × for all but finitely many p ensures that all but finitely many factors are 1, so that this product is always well defined. The norm map defines a group homomorphism. In fact, each factor is multiplicative, and the unit 1 has norm 1 in all places. We define the component norms

and

The adèlic norm map is surjective, as it is so when restricting to any infinite place. As a consequence of the product formula 2.1.7, we have the following.

Here, we regard λ as an element of G m ( A k ) via the diagonal embedding. In particular, the norm factors through k × \ G m ( A k ) , which shows that this quotient cannot be compact. This, however, can be compensated in some sense. Let G m ( A k ) 1 denote the elements x of G m ( A k ) with ∣ x ∣ = 1 .

We do not go into the proof here. In the next section, we will consider the more general case, where G m is replaced by GL m . The present case is recovered by taking m = 1 . The connection with the class group can be seen in terms of the finite idèles. Let U f ≔ G m ( O ^ k ) = ∏ p G m ( O p ) , where the product is taken over finite places of k .

3.1 Module lattices

Our definition mimics the notion of ideal lattices as defined in ref. [17]. We proceed in two steps, first, we define rank m analogs of fractional ideals and then we add a twist by k ∞ automorphisms of k ∞ m .

This notion corresponds to complete lattices. Given an O k lattice M in k m , we can view it as a subset of k ∞ m via the diagonal embedding. As such, M defines a complete lattice in the usual sense, when we attach to k ∞ the inner product and norm induced by its natural product structure. Let Lat m f ( k ) denote the set of O k lattices of rank m .

We define G ∞ to be G ( k ∞ ) = GL m ( k ∞ ) . This group comes with a natural product structure inherited from k ∞ . Namely, it decomposes as G ∞ = ∏ σ ∣ ∞ G σ with G σ = GL m ( k σ ) .

We denote the set of module lattices of rank m over k by Lat m ( k ) . It can be described in terms of Lat m f ( k ) and G ∞ as follows.

We introduce the inverse for compatibility reasons, as will be seen later. Moreover, G ( k ) acts on G ∞ × Lat m f ( k ) by λ . ( g , M ) = ( λ g , λ M ) .

As a consequence of the previous proposition, we will often write pairs ( g , M ) for the module lattice g − 1 M associated with that pair.

Let K f be the subgroup GL m ( O ^ k ) of G ( A k , f ) . It is a compact and open subgroup and decomposes into an infinite product ∏ p ∤ ∞ K p , with K p = GL m ( O p ) . Each factor K p itself is a compact open subgroup of GL m ( k p ) .

The next theorem can be found in refs [28] and [25, Theorem V.2.2]. We will use this description to define the geometric structure on the set of module lattices over k . Later, we will give a more effective description of the geometric object and the set of module lattices.

3.2 Geometry on the space of module lattices

In this subsection, we will give a more precise description of the geometric structure of the space of lattices. It turns out that the space is disconnected with connected components naturally identified with the class group of k . As in Proposition 2.2.7, we identify Cl k = G m ( k ) \ G m ( A k , f ) / U f .

Forgetting the infinite component extends the determinant to a surjective map

The connected components of G ( k ) \ G ( A k ) / K f are the fibers of this map, see Proposition 3.2.2.

We define G ∞ + to be the connected component of the identity of G ∞ . It consists of all elements g = ( g σ ) σ ∣ ∞ with det ( g σ ) > 0 for all real places σ . Further, set G ( k ) + = G ( k ) ∩ G ∞ + .

For any g ∈ C , the subgroup Γ g of G ∞ + is discrete. The quotient Γ g \ G ∞ + admits a structure of a smooth manifold.

Norm 1 group. The space of lattices comes with a G ( A k ) invariant measure induced from the Haar measure on G ( A k ) . Unfortunately, the invariant measure is not finite. We will describe an analog of the norm 1 subgroup in the one-dimensional case. In general, this will have a finite volume, but be non-compact for m > 1 .

Consider Δ : R > 0 → G ∞ given by

Recall that G = GL m and n is the degree of extension of k over Q . By diag ( z ) , we mean the scalar matrix associated with an element z ∈ R . We stress that Δ ( x ) is constant at all infinite places. By definition, det ( Δ ( x ) ) = x 1 n σ ∈ k ∞ × . Hence, its norm is ∣ det ( Δ ( x ) ) ∣ ∞ = x . Let Z 1 ≔ Z m 1 ≔ im ( Δ ) .

Invariant measures are only unique up to scaling, but we will always work implicitly with the normalized measure, i.e., the unique invariant measure such that the measure of G ( k ) Z 1 \ G ( A k ) / K f is 1. In ref. [17], the measure is chosen to be the induced measure from the Lebesgue measure on the real space, which explains the additional factor vol ( Pic ) − 1 there.

The space G ( k ) Z 1 \ G ( A k ) / K f can be identified with a subspace of G ( k ) \ G ( A k ) / K f , which we want to describe now. Define G ( A k ) 1 to be the subgroup of g such that the adèlic norm

is 1. By the product formula 2.1.7, G ( k ) ⊆ G ( A k ) 1 . Further, it is easy to see that K f ⊆ G ( A k ) 1 .

On the level of module lattices Propositions 3.2.2 and 3.2.3 yield the following.

The lattices in Z 1 \ Lat m ( k ) will be called norm 1 module lattices.

Determinant of modules. As in Lemma 3.2.4, we want to describe a subset of Lat m ( k ) that represents the norm 1 elements in G ( k ) \ G ( A k ) 1 / K f . First, we need the notion of determinant of O k lattices.

Let M be an O k lattice of rank m . If M is free, then M = g O k m for some g ∈ G ( k ) , and we define det ( M ) to be the fractional ideal of O k generated by det ( g ) . Note that this is independent of the choice of g as any other basis would differ by γ ∈ GL m ( O k ) ; hence, the fractional ideal does not change. In general, M will not be free, but for each p , the localization M p is a free O k , p module. Thus, we can associate with each p the multiplicity ν p ( M ) ≔ ν p ( det ( g p ) ) , where g p O k , p m = M p . Then we set det ( M ) ≔ ∏ p p ν p ( M ) . If M is free, the two definitions coincide. The ideal class, defined by det ( M ) will be called determinant class and if it does not cause confusion, we will denote it again by det ( M ) . By construction, we have the following compatibility result of the two notions of determinants.

Recall from Theorem 3.1.4 that we associate with a pair ( g , M ) ∈ Lat m ( k ) the element ( g , ( g p ) p ) ∈ G ( k ) \ G ( A k ) / K f . The proposition is then trivial by construction.