# Towards a Ring Analogue of the Leftover Hash Lemma

Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi

# Abstract

The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems, such as the Regev and Dual-Regev encryption schemes as well as their leakage-resilient counterparts. The LHL does not hold in the ring setting, when the ring is far from a field, which is typical for efficient cryptosystems. Lyubashevsky et al. (Eurocrypt ’13) proved a “regularity lemma,” which can be used instead of the LHL, but applies only for Gaussian inputs. This is in contrast to the LHL, which applies when the input is drawn from any high min-entropy distribution. Our work presents an approach for generalizing the “regularity lemma” of Lyubashevsky et al. to certain conditional distributions. We assume the input was sampled from a discrete Gaussian distribution and consider the induced distribution, given side-channel leakage on the input. We present three instantiations of our approach, proving that the regularity lemma holds for three natural conditional distributions.

MSC 2010: 94A60; 68P25; 03G10

## 1 Introduction

The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems. Specifically, it is often useful to argue that for high-min entropy input xqm and random matrix Aqn×m, Ax is uniform random, given A. The above fact is used in the proof of security for both the Regev and Dual-Regev encryption schemes. More sophisticated proof approaches that utilize the LHL along with the structure of the matrix A have been used to argue leakage resilience of these cryptosystems, such as in [1, 13]. [1]

Analogues of the statement above do not necessarily hold in the ring setting. Specifically, assuming a high min-entropy input x = x1, . . . , xl, setting a1 = 1, and a2, . . . , al chosen uniformly at random from the ring, the uniformity of al+1=i[l]aixi does not follow from the LHL lemma, in cases where the ring is far from a field, which is the typical case for efficient cryptosystems.

Fortunately, Lyubashevsky et al. [25, 26] proved a “regularity lemma” showing that the distribution over al+1 as above is (close to) uniform random, even given a2, . . . , al, but only for the case where the input x is drawn from a discrete Gaussian distribution of sufficiently high standard deviation. While sufficient for proving the security of certain cryptosystems, unlike the more general leftover hash lemma, the statement of

the regularity lemma of [25] implies nothing about uniformity of al+1 in the case that x is a high min-entropy input from another distribution.

The ring setting.

Consider the number field K=[x]/Φm(x). where Φm(x) is the m-th cyclotomic polynomial of degree φ(m). The ring of integers, R ⊂ K, is defined as R=[x]/Φm(x).Rq:=q[x]/Φm(x) denotes the set of polynomials obtained by taking an element of [x]/Φm(x) and reducing each coefficient modulo q. In this paper, we further assume that m is a power of two, so Φm(x)=xn+1 has degree n = m /2, and set q to be a prime such that q ≡ 1 mod m. In this case Φm(x) completely splits into n factors in q[x]. This is the setting favored in practice since it allows for optimizations in the implementation, such as fast arithmetic over the ring Rq.

A Ring Analogue of the LHL.

For rings Rq such as the above, a result analogous to the leftover hash lemma—proving that al+1=i[l]aixi is indistinguishable from random, given a2, . . . , al, as long as x1, . . . , xl has sufficiently high min-entropy— is impossible. For example, if the j-th NTT coordinate of each ring element in x = x1, . . . , xl is leaked, then the j-th NTT coordinate of al+1=i[l]aixi is known [2], and so al+1 is very far from uniform. Yet this is only a 1/n leakage rate! [3]

Nevertheless, Lyubashevsky et al. [25, 26] proved a “regularity lemma” showing that for matrix A= [ IkA¯ ](Rq)k×l, where Ik(Rq)k×k is the identity matrix and A(Rq)k×(lk) is uniformly random, and x chosen from a discrete Gaussian distribution (centered at 0) over Rql, the distribution over Ax is (close to) uniform random. A similar result was proven by Micciancio [28], but requires super-constant dimension l, thus yielding non-compact cryptosystems. In contrast, the regularity lemma of [25] holds even for constant dimension l as small as 2. The fundamental technical question we consider in this work is:

For which distributions Dover xRql, is the distribution over Ax (close to) uniform random, for R, q, A as above and constant l?

### 1.1 Our Results

We prove a “regularity lemma” for three conditional distributions, which we describe next. Only the parameter s–the standard deviation of the discrete Gaussian for sampling each coordinate of x–differs in each setting.

Conditional Distribution I.

We assume a secret key x = (x1, . . . , xl), where each xi ∈ Rq. Moreover, each xi itself is represented as an n-dimensional vector. So in total, x is an l · n-dimensional vector. We consider the conditional distribution on x when the sum of x and e is revealed, where each coordinate of e is a Gaussian random variable with standard deviation at least s. This setting captures leakage on x by an adversary who uses a fast, but inaccurate device to obtain noisy measurements of each sampled coordinate of the secret key (e.g. through a power or timing channel).We prove that it is sufficient to set s22nqk/l+2/(nl). See Theorem 2.1 and Corollary 2.2.

Conditional Distribution II.

We consider the conditional distribution over x = (x1, . . . , xl) when we leak coordinates from each xi , i ∈ [l]. and we set parameters such that the fraction of leaked coordinates– lnl –is constant. The leaked coordinates are arbitrary, but the same coordinates must be leaked from each xi , i ∈ [l]. [4] Low noise is added to each leaked coordinate (only 2n standard deviation, as opposed to 22nqk/l+2/(nl) standard deviation as in Conditional Distribution I). No information at all is leaked about the remaining coordinates. This setting corresponds to a side-channel attack launched during the sampling of x, where the attacker has a slower, but more accurate device which allows it to obtain more accurate measurements for a constant fraction of the coordinates of the secret key, but no information for the remaining coordinates. [5] We prove that it is sufficient to set s2nqkh+2l(n), where · l is the number of leaked coordinates. See Theorem 2.3 and Corollary 2.6.

Conditional Distribution III.

Here, we consider the conditional distribution on x, when the magnitude of x with Gaussian channel error e is revealed (note that e is a scalar). We assume e is sampled from a univariate Gaussian with standard deviation s. A motivation for this type of leakage is that (discrete) Gaussian sampling of x is often implemented via rejection sampling in practice [7, 12]. E.g. a vector could be sampled from a “close” multi-dimensional binomial distribution and rejection sampling then used to obtain a sample from the correct distribution. The rejection condition depends on the weight of x under the target distribution, which in turn depends on the magnitude of x, and so this information is vulnerable to leakage during computation. [6] We prove that it is sufficient to set s14/5(n/n)lnn2nqk/l+2/(nl), where n′ = n · l + 1. See Theorem 2.9 and Corollary 2.10.

Applications to leakage resilience.

Since applications of the LHL/Regularity Lemma in lattice-based cryptography are widespread, a number of Ring-LWE (RLWE) cryptosystems achieve certain leakage resilience properties using our results. Such cryptosystems include the ring analogues of Regev encryption [24], Dual-Regev encryption [25], and identity-based encryption (IBE) based on Dual-Regev encryption [19] (see ring version in [3]). Specifically, by substituting our “regularity lemma" for the original “regularity lemma" in the security proofs, those schemes still enjoy security guarantees even given certain leakage on the randomness for encryption (for Regev) the secret key (for Dual-Regev), and the secret key corresponding to the challenge identity (for IBE).

### 1.2 Our High-Level Approach

For a matrix A=[ IkA¯ ](Rq)k×l, where Ik(Rq)k×k is the identity matrix and A¯(Rq)k×(lk) is uniformly random, we define Λ(A)={ zRl:Az=0modqR }. If [x mod Λ(A)] is uniform random (over cosets of Λ(A)), then the distribution of Ax is also uniform random over cosets of (qR)k. The input/output distributions can then be discretized over the ring R. Therefore, the goal is to show that when x is sampled from continuous distribution 𝒟, we have that [x mod Λ(A)] is uniform random. Consider the case where the distribution 𝒟 is exactly a Gaussian distribution with mean 0 and standard deviation s. In this case, if s is greater than or equal to the smoothing parameter of Λ(A), this by definition ensures that the distribution [x mod Λ(A)] is uniform random. Thus, [25] prove their regularity lemma by showing that with high probability over choice of A, the smoothing parameter, ηε(Λ(A)), is upperbounded by s.

Before presenting our approach to extending the above result, it is instructive to give a high-level recap of how to derive upper bounds on the smoothing parameter.

Let ρS:=eπ x,x s2 and let s (the normalization of ρs) correspond to the probability density function (PDF) of the normalized n-dimensional Gaussian distribution with mean 0 and standard deviation s. In the following, for a function f we concisely represent vf(v) by f (Λ). To show that the distribution over [x mod Λ] is (close to) uniform when x is sampled from a distribution with PDF Ψ s, one needs to show that for every coset (Λ + c) of the lattice, ψs(Λ+c)1det(Λ). Focusing on the zero coset, where c = 0, we can prove this using the Poisson summation formula, which says that for any lattice Λ and integrable function ρs: ψs(Λ)=1det(Δ)ψs^(Λ), where for a function f,f^ denotes the n-dimensional Fourier transform of f and Λ is the dual lattice of Λ (see Appendix A.2). It remains to show that ψs^(Λ) is close to 1 (i.e. is upperbounded by 1 + ").

The proof approach outlined above can be applied to (integrable) normalized PDF Ψ that are not Gaussians centered at 0: To show that the distribution over [x mod Λ] is (close to) uniform when x is sampled from a distribution with PDF Ψ , it is sufficient to show that Ψ^(Λ) is upperbounded by 1 + ".

In this work,we consider PDF’s, Ψ , that correspond to the PDF of x, from the point of view of the adversary, given the leakage. The technical contribution of this work is to show that, for each conditional distribution, (with overwhelming probability over choice of A) Ψ^(Λ(A)) is close to 1. Specifically, for each distribution, our approach requires: (1) Determining the PDF Ψ , (2) Computing (an upper bound for) the multi-dimensional Fourier transform of (denoted Ψ^) (3) Proving that Ψ^((Λ(A))) is upperbounded by 1 + ε (or, equivalently that Ψ^((Λ(A))\{0}) is upperbounded by ").

### 1.3 Related Work

Leakage-resilient cryptography.

There is a significant body of work on leakage-resilient cryptographic primitives, beginning with the work of Dziembowski and Pietrzak [16] on leakage-resilient stream-ciphers. Other constructions include [1, 5, 6, 14, 22, 22, 23, 23, 27, 30, 31]. With the exception of [1], most of these results construct new cryptosystems from the bottom up. In our work, we consider whether we can prove that an existing cryptosystem enjoys leakage resilience, without modification of the scheme.

Lattice-based & leakage-resilient cryptography.

Goldwasser et al. [20] initiated the study of leakage resilience of lattice based cryptosystems. This was followed by series of works [1, 13, 15], all these papers however study leakage resilience of schemes based on standard LWE problem in both symmetric as well as public key setting.

Robustness of Ring-LWE

To the best of our knowledge the ePrint version [10] of this work is the first effort to study the robustness of RLWE based cryptosystems under leakage. Subsequent to the publishing of ePrint [10], interest has sparked in analyzing the RLWE-based schemes and their leakage resilience. Albrecht et al. [2] implemented cold boot attack on RLWE based KEM schemes and compared the number of operations required to mount the attack when secret is stored with different encodings. Recently, Bolboceanu et al. [4] studied the hardness of RLWE problem in cases where the secret is sampled from distributions other than uniform random distribution over the ring. In [11], it is shown that under specific structured leakage on the NTT encoding of secret key, it is possible to recover the entire secret key given multiple RLWE samples and they implement the attack to recover the secret in real world parameter settings.

Other variants of LHL

Stehlé and Steinfeld [34] studied the leftover hash lemma in the ring setting for power of 2 cyclotomics and Rosca et al. [33] generalized their result to non-cyclotomic rings. However, both these results study the case where input is sampled from discrete Gaussian distribution.

## 2 Extending the Regularity Lemma

For a positive integer n, we denote by [n] the set {1, . . . , n}. We denote vectors in boldface x and matrices using capital letters A. For vector x over ℝn or ℂn, define the 2 norm as x2=(i| xi |2)1/2. We write as ‖x‖ for simplicity. Background and standard definitions related to lattices and algebraic number theory are in Appendix A. Our results are applicable when R is the ring of integers in the mth cyclotomic number field K of degree n, m = 2n is a power of 2 and prime q is s.t. q ≡ 1 mod m. We denote by Ik(Rq)k×k the identity matrix.

### 2.1 Conditional Distribution I

Recall that x = (x1, . . . , xl), where each coordinate of each xi ∈ Rq is sampled from a discrete Gaussian with standard deviation s and each xi is represented as a vector in either the polynomial or canonical basis. [7] We assume leakage of all coordinates, with Gaussian noise of standard deviation v = τ · s added. It turns out that this conditional distribution is fairly simple to handle since if X and Y are independent Gaussian random variables, then the distribution of X conditioned on X + Y is also a Gaussian that is not centered at 0. Fortunately, the regularity lemma of [26] straightforwardly extends to Gaussians that are not centered at 0. We discuss formal details next, however, we mainly view Conditional Distribution I as a warm-up to the more difficult Conditional Distributions II and III.

See Appendix D for background on manipulating Gaussian random variables. Specifically, Lemma D.1 shows that, conditioned on leakage, each coordinate xi of the secret key is sampled from a multivariate Gaussian distribution ρσ,ci with mean ci:=(c1i,,cni), where cji:=zjτ2+1 and σ=Sτ2τ2+1. The entire secret key is then sampled from ρ,c, where c=[ ci ]il We have the following theorem:

### Theorem 2.1

For positive integers kl ≤ poly(n), let A=[ IkA¯ ](Rq)k×l, where A¯(Rq)k×(lk) is uniformly random. Then for all σ2nqk/l+2/(nl) and cnl then

ρσ,c^(Λ(A))1+2Ω(n),

except with probability at most 2Ω(n) over choice of Ā.

Proof. The theorem follows from Lemma B.7 and the regularity lemma from [26].  □

The following corollary follows from Lemmas B.12 and B.13 and Theorem 2.1.

### Corollary 2.2

Let R, n, q, k, l, c, σ be as in Theorem 2.1. Assume that A=[ IkA¯ ](Rq)k×l is chosen as in Theorem 2.1. Then, with probability 12Ω(n) over the choice of A, the distribution of AxRqk, where x ∈ Rl is chosen from D Λ,σ,c, the discrete Gaussian probability distribution over Rl with parameter σ and center c, satisfies that the probability of each of the qnk possible outcomes is in the interval (1±2Ω(n))qnk (and in particular is within statistical distance 2Ω(n) of the uniform distribution over Rqk ).

In particular, this means that the standard deviation used to sample x should be increased from 2nqk/l+2/(nl) (as in [26]) to 1+τ2τ22nqk/l+2/(nl). Setting τ = 1, we obtain the parameters described in the introduction.

### 2.2 Conditional Distribution II

Recall that x = (x1, . . . , xl), where each xi ∈ Rq and each xi is represented as a vector in the canonical embedding. We assume leakage of coordinates—with low noise added—of each xi for i ∈ [l] and restrict the coordinates leaked across each xi to be the same. Let S[n], where |S|= denote the set of positions (from each xi) that are leaked. Lemma D.1 shows that, conditioned on leakage, each component xij,i[l],jS, (resp. S) is sampled from Gaussian distribution with mean cij:=nzijn+1s2 (resp. 0), and variance σj24n2 (resp. σj2=s2 ).

### Theorem 2.3

For positive integers kl ≤ poly(n), let A=[ IkA¯ ](Rq)k×l, where A¯(Rq)k×(lk) is uniformly random. Let σ:=(σ1,,σn)>0n and c:=(c1,,cln)ln be vectors, where ℓ positions in σ are set to 2n, and all others are set to s. Let k, l, ℓ be such that lkl · /n > 0 and lk − 1 ≥ 1, and let s2nqkn+2l(n) then ρσl,c^(Λ(A))1+2Ω(n) except with probability at most 2Ω(n) over choice of A¯.

For proving Theorem 2.3, we begin with exposition on the forms of the Ideals qRJR in power-of-two cyclotomics as well as some lemmas.

To generate the set T of ideals J such that qRJR we take each ideal J s.tqRJR and set J:=qJ. Recall from Fact A.3 that ⟨q⟩ splits completely into n distinct ideals of norm q, i.e. qR=Πi[n]pi. Therefore, the set of all ideals J such that qRJR, is exactly the set S:={ ΠiSpiS[n] }. Thus, the number of ideals J such that qRJR (and hence also the number of ideals JT) is exactly 2n. Moreover, note that for each ideal JT,

| J/qR |=| R/qJ |=N(qJ).

Thus, we see that for each JT,1| J/qR |qn.

Let T1 denote the set of ideals JT such that | J/qR |<2n. Let T2 denote the set of ideals J such that | J/qR |2n. Furthermore, let T21 be the set of JT2 such that Sη22n((1gj)) (where η22n denotes the smoothing parameter and s is fixed as above). Let T22:=T2\T21. Let σ:=(σ1,,σn)>0n be a vector with positions are set to 2n, while the other positions are set to value s.

### Lemma 2.4

For ideals JT1,

η22nJq2n.

The proof of Lemma 2.4 can be found in Appendix E.1.

### Lemma 2.5

For ideals JT21

| J/qR |(lk)(ρ1/σ1,,1/σn(1qJ)l)2n(lk),

where ρ1/σ1,,1/σn is an n-dimensional Gaussian function with coordinate-wise standard deviation 1/σi,i [n] and center 0 (see beginning of Appendix B).

The proof of Lemma 2.5 can be found in Appendix E.1. We now conclude the proof of Theorem 2.3.

Proof of Theorem 2.3. Since by Lemma B.7 we have that for any (n · l)-dimensional vectors, c, x and any n-dimensional vector σ=(σ1,,σn):

ρσl,c^(x)ρσl^(x)=ρ(1/σ1,,1/σn)l(x),

then following the proof of [26] step-by-step, it is sufficient to show that

JT| J/qR |(lk)(ρ(1/σ1,,1/σn)(1qj)l1)2Ω(n).

We will show that

(1) JT21| J/qR |(lk)(ρ(1/σ1,,1/σn)(1qJ)l1)2Ω(n),

and that

(2) J(T1T22)| J/qR |(lk)(ρ1/σ1,,1/σn(1qJ)l1)2Ω(n)

To show (2), note that by Lemma 2.4, for ideals JT1 (we have that η22n((Ja))2n. This means that for each i[n],σiη22n, which implies that ρ1/σ1,,1/σn(1qJ)l(1+22n)l.

On the other hand, by definition of T22, for ideals JT22, we have that σi<η22n, for each i ∈ [n]. Thus, by Lemma B.6 we have that ρ1/σ1,,1/σn(1qJ)(η22n((Jq))σ1η22n((Jq))σn)(1+22n). Since η22n((Jq))n| J/qR |ΔK and plugging in the proper values for σ1, . . . , σn,we have that ρ1/σ1,,1/σn(1qJ)l J/qRΔKsn+(2n)l1+22nl. Combining the above, we get that for JT1T22,

ρ1/σ1,,1/σn(1qJ)lmax(1,(| j/qR |ΔKsn+(2n))l)(1+22n)l.

Similarly to [26], using the lower bound of s from Theorem 2.3, we bound

J(T1T22)| J/qR |(lk)(ρ1/σ1,,1/σn(1qJ)l1)J(T1T22)| J/qR |(lk)max(1,(| j/qR |ΔKsn+(2n))l)(1+ε)lJT| J/qR |(lk)max(1,(| j/qR |ΔKsn+(2n))l)(1+ε)l2Ω(n)+2(s/n)nlqkn+2(s2n)l2Ω(n).

Moreover, by Lemma 2.5 and the fact that | T21 ||T|=2n, we can bound

JT21| J/qR |(lk)(ρ1/σ1,,1/σn(1qJ)l1)2n2n(lk)2Ω(n),

where the last line follows from the setting of parameters in Theorem 2.3.

This completes the proof. □

The following corollary follows from Lemmas B.12 and B.13 and Theorem 2.3.

### Corollary 2.6

Let k, l, , σ and c be as in Theorem 2.3. Assume that A= IkA¯ (Ra)k×l is chosen as in Theorem 2.3. Then, with probability 12Ω(n) over the choice of A, the distribution of AxRqk, where x ∈ Rl is chosen from DRl,σl,c, the discrete Gaussian probability distribution over Rl with parameter σl and center c, satisfies that the probability of each of the qnk possible outcomes is in the interval (1±2Ω(n))qnk (and in particular is within statistical distance 2Ω(n) of the uniform distribution over Rqk ).

In particular, this means that the standard deviation used to sample x should be increased from 2n·qk/l+2/(nl) (as in [26]) to 2nqkn+2l(n).

### 2.3 Conditional Distribution III

We slightly change the dimensions so that x is represented by a vector of dimension n′ := l · n +1. When n is a power of two, a spherical Gaussian in the coefficient representation is also a spherical Gaussian in the canonical embedding representation [24]. So we can assume that x is generated using the coefficient representation, where each coordinate is sampled independently from a discrete Gaussian, DZ,s. During sampling of x, an additional coordinate is sampled and stored together with the remainder of the secret. We compute the PDF corresponding to the conditional distribution on x, given z = |r + e|, where r = ‖x‖ as:

(3) FX||X+E=z(X=r)=e(πs2+πr2)(rz2r2+s2)2+e(πs2+πv2)(r+z2v2+s2)2N,

where N is the normalization factor. For details on how the PDF is computed, see Appendix E.2. FX|X+E|=z(X= r) is the sum of two Gaussian functions centered at zs2v2+s2 and zS2v2+s2 respectively with the same standard deviation . Suppose v = s, we have σ=S2.

### Lemma 2.7

Suppose v = s, we bound the center zs2v2+s2 from Equation 3 by Przs2v2+s2sn2Ω(n), where the probability is taken over choice of x and e.

The proof is found in Appendix E.2.

Let Ψσ,c(x):=FX|X+E|=z(X=x) be the normalization of the function f(x):=eπ(xc)2σ2+eπ(x+c)2σ2.

By Lemma 2.7, we have that with all but negligible probability, c:=zs2v2+s22σn.

For the proof, we will require certain properties of the Fourier transform of Ψ σ,c, when c is bounded as above. We state those properties in the following theorem, which is proved in Appendix C.

### Theorem 2.8

Let n:=l2a+1, where l, a are positive integers and a > 2, and c2σn. Let Ψ σ,c denote the normalized pdf corresponding to the non-normalized function f(x):=eπ(xc)2σ2+eπ(x+c)2σ2, where x is a vector over n′ dimensions. and let Ψσ,c^(y) denote the n′-dimensional Fourier transform of Ψ σ,c. Then |Ψσ,c^(y)|nneπy2σ2 for ‖y > 1/σ.

We next present the main theorem of this section.

### Theorem 2.9

For positive integers kl ≤ poly(n), let A=[Ik|A¯](Rq)k×l, where A¯(Rq)k×(lk) is uniformly random. Let c2nσ and let σ75nnlnn2nqk/l+2/(nl). Define Λ(A)+ as a direct product of Λ(A) and, written as Λ(A)+:=Λ(A)×Z. Then Ψσ,cΛ(A)+1det(Λ(A)+)(1+2Ω(n)) except with probability at most 2Ω(n).

Proof. Note that Λ(A) is a lattice of even dimension l · n (where n is a power of two), but Theorem 2.8 holds only for n′ equal to l2a+1. Therefore, we define n:=ln+1, and we have the n′-dimensional lattice Λ(A)+:=Λ(A)×Z. We have the following properties of Λ(A)+, which can be verified by inspection:

(a) (Λ(A)+):=Λ(A)×

(b) the shortest non-zero vector in (Λ(A)+) is at least min(1(Λ(A)), 1), where λ1(Λ(A)) denotes the shortest non-zero vector in Λ(A);

By Poisson summation formula, it is sufficient to show that with probability 12Ω(n) over choice of A, | Ψσ,c^ |(Λ(A)+) )1+2Ω(n), where Ψσ,c^ denotes the Fourier transform of Ψ σ,c over n′ dimensions and the notation | Ψσ,c^ | means the summation of the absolute value of the function over the lattice Λ(A)+).

We first note that, over n′ dimensions, Ψσ.c^(0)=1 This follows due to the fact that by definition of Fourier transform, Ψσ,c^(0):=nΨσ,c(x)dx. Since Ψ σ,c is a normalized PDF, it must be the case that nΨσ,c(x)dx= 1.

Thus, it remains to show that | Ψσ,c^ |((Λ(A)+)\{0})2Ω(n).

Towards showing this, we first let β=2nqk/l+2/(nl) for simplicity, and then use Theorem 2.8 to show that, when κ=|y|n/πβ,

| Ψσ,c^(y) |nne(σ2πx2)nne5(σ2πk2)/7e2(σ2πx2)/7e2(σ2πk2)/7,

where the last line follows since σ:=7n5nlnn2nqk/l+2/(nl)=(7n5n)lnnβ is chosen so that when κn/πβ,e5(σ2πκ2)/7nn=enlnn.

Let Q:=y(Λ(A)+)\{0}e2(σ2πκ2)/7. Combining the above inequalities which hold when κn/πβ, together with (b) and Corollary B.17, which states that with probability 12Ω(n) over choice of A, the shortest non-zero vector in Λ(A) has length κn/πβ, we conclude that an upper bound on Q yields an upper bound on the desired quantity, | Ψσ,c^ |((Λ(A)+)\{0}).

Additionally note that when kn/πβ, then

(4) e2(σ2πκ2)/7=e(σ2πk2)/7e(σ2πK2)/7e1/5nlnne(σ2πκ2)/7,

where the inequality follows since (by above) e5(σ2πκ2)/7nn=enlnn. so e(σ2πk2)/7n1/5n= e1/5nlnn. Moreover, recall that two applications of Poisson summation give:

(5) y(Λ(A)+)e(σ2πκ2)/72ny(Λ(A)+)e2(σ2πx2)/7(5)

Combining the above, we have that

Qy(Λ(A)+)e1/5nlnne(σ2πκ2)/7e1/5nlnn2ny(Λ(A)+)e2(σ2πκ2)/7=e1/5nlnn2n(1+Q),

where the first inequality follows from (4) and the definition of Q, the second inequality from (5), and the final equality from the definition of Q.

Thus we have that (1e1/5nlnn2n)Qe1/5nlnn2n which implies that Q2e1/5nlnn2n 2n+12Ω(n), assuming n′ is at least 210.

### Corollary 2.10

Let k, l, σ and c be as in Theorem 2.9. Assume that A=[ IkA¯ ](Rq)k×l is chosen as in Theorem 2.9. Then, with probability 12Ω(n) over the choice of A¯. the distribution of AxRqk, where (x,xn)Rl×Z is chosen from DRl×Z,Ψσ.c satisfies that the probability of each of the qnk possible outcomes is in the interval (1±2Ω(n))qnk (and in particular is within statistical distance 2Ω(n) of the uniform distribution over Rqk ).

The proof appears in Appendix E.2.

Given the corollary, the analysis of Conditional Distribution III is complete. In particular, this means that the standard deviation used to sample x should be increased from 2nqk/l+2/(nl) (as in [26]) to 1+τ2τ22n qk/l+2/(nl).

## 3 Conclusions and Future Directions

In this work, we present a general approach for analyzing the leakage resilience of RLWE-based cryptosys-tems, by determining and analyzing the explicit PDF resulting from the conditional distribution of the RLWE secret given the leakage. Our approach can be used to provide a security analysis for existing cryptosystems inthe presence of leakage, with appropriate choice of parameters (and without any modifications to the scheme). We instantiate our approach by considering three leakage settings and corresponding conditional distributions I, II and III.

A key technical tool in the analysis of conditional distribution II is extending the regularity lemma of [25]; to cases where x is drawn from a non-spherical Gaussian with standard deviation significantly smaller than the smoothing parameter in a constant fraction of the dimensions and larger than the smoothing parameter in the remaining dimensions. In the analysis of conditional distribution III we find applications of the Radial Fourier Transform to lattice-based cryptography.

Future Directions.

We believe that our approach of generalizing the regularity lemma to conditional distributions can be used as an important tool in the security analysis of RLWE-based cryptosystems. In future work, we plan to extend our analysis to other conditional distributions, with implications for other leakage settings. A first candidate is generalizing conditional distribution II to (certain types of) multivariate Gaussians with covariance matrices that are not diagonal. Such a generalization would allow us to capture leakage of coordinates in the polynomial instead of canonical representation.

# Acknowledgement

This work is supported in part by NSF grants #CNS-1840893, #CNS-1453045 (CAREER), by a research partnership award from Cisco and by financial assistance award 70NANB15H328 from the U.S. Department of Commerce, National Institute of Standards and Technology.

### References

[1] Adi Akavia, Shafi Goldwasser and Vinod Vaikuntanathan, Simultaneous Hardcore Bits and Cryptography against Memory Attacks, in: TCC 2009 (Omer Reingold, ed.), LNCS 5444, pp. 474–495, Springer, Heidelberg, March 2009. Search in Google Scholar

[2] Martin R. Albrecht, Amit Deo and Kenneth G. Paterson, Cold Boot Attacks on Ring and Module LWE Keys Under the NTT, IACR TCHES 2018 (2018), 173–213, https://tches.iacr.org/index.php/TCHES/article/view/7273 Search in Google Scholar

[3] Pauline Bert, Pierre-Alain Fouque, Adeline Roux-Langlois and Mohamed Sabt, Practical Implementation of Ring-SIS/LWE Based Signature and IBE, in: Post-Quantum Cryptography - 9th International Conference, PQCrypto 2018 (Tanja Lange and Rainer Steinwandt, eds.), pp. 271–291, Springer, Heidelberg, 2018. Search in Google Scholar

[4] Madalina Bolboceanu, Zvika Brakerski, Renen Perlman and Devika Sharma, Order-LWE and the Hardness of Ring-LWE with Entropic Secrets Cryptology ePrint Archive, Report 2018/494, 2018, https://eprint.iacr.org/2018/494 Search in Google Scholar

[5] Elette Boyle, Gil Segev and Daniel Wichs, Fully Leakage-Resilient Signatures, Journal of Cryptology 26 (2013), 513–558. Search in Google Scholar

[6] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz and Vinod Vaikuntanathan, Overcoming the Hole in the Bucket: Public-Key Cryptography Resilient to Continual Memory Leakage, in: 51st FOCS pp. 501–510, IEEE Computer Society Press, October 2010. Search in Google Scholar

[7] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev and Damien Stehlé, Classical hardness of learning with errors, in: 45th ACM STOC (Dan Boneh, Tim Roughgarden and Joan Feigenbaum, eds.), pp. 575–584, ACM Press, June 2013. Search in Google Scholar

[8] Dong Pyo Chi, Jeong Woon Choi, Jeong San Kim and Taewan Kim, Lattice Based Cryptography for Beginners Cryptology ePrint Archive, Report 2015/938, 2015, https://eprint.iacr.org/2015/938 Search in Google Scholar

[9] Kai-Min Chung, Daniel Dadush, Feng-Hao Liu and Chris Peikert, On the lattice smoothing parameter problem, in: Computational Complexity (CCC), 2013 IEEE Conference on IEEE, pp. 230–241, 2013. Search in Google Scholar

[10] Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi, On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption Cryptology ePrint Archive, Report 2017/1127, 2017, https://eprint.iacr.org/2017/1127 Search in Google Scholar

[11] Dana Dachman-Soled, Huijing Gong, Mukul Kulkarni and Aria Shahverdi, Partial Key Exposure in Ring-LWE-Based Cryptosys-tems: Attacks and Resilience Cryptology ePrint Archive, Report 2018/1068, 2018, https://eprint.iacr.org/2018/1068 Search in Google Scholar

[12] Luc Devroye, Sample-based non-uniform random variate generation, in: Proceedings of the 18th conference on Winter simulation ACM, pp. 260–265, 1986. Search in Google Scholar

[13] Yevgeniy Dodis, Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Public-Key Encryption Schemes with Auxiliary Inputs, in: TCC 2010 (Daniele Micciancio, ed.), LNCS 5978, pp. 361–381, Springer, Heidelberg, February 2010. Search in Google Scholar

[14] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt and Daniel Wichs, Cryptography against Continuous Memory Attacks, in: 51st FOCS pp. 511–520, IEEE Computer Society Press, October 2010. Search in Google Scholar

[15] Yevgeniy Dodis, Yael Tauman Kalai and Shachar Lovett, On cryptography with auxiliary input, in: 41st ACM STOC (Michael Mitzenmacher, ed.), pp. 621–630, ACM Press, May/June 2009. Search in Google Scholar

[16] Stefan Dziembowski and Krzysztof Pietrzak, Leakage-Resilient Cryptography, in: 49th FOCS pp. 293–302, IEEE Computer Society Press, October 2008. Search in Google Scholar

[17] Wolfgang Ebeling, Lattices and codes Lattices and Codes, Springer, 2013, pp. 1–32. Search in Google Scholar

[18] Thomas Espitau, Pierre-Alain Fouque, Benoit Gerard and Mehdi Tibouchi, Side-Channel Attacks on BLISS Lattice-Based Signatures – Exploiting Branch Tracing Against strongSwan and Electromagnetic Emanations in Microcontrollers Cryptology ePrint Archive, Report 2017/505, 2017, http://eprint.iacr.org/2017/505 Search in Google Scholar

[19] Craig Gentry, Chris Peikert and Vinod Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in: 40th ACM STOC (Richard E. Ladner and Cynthia Dwork, eds.), pp. 197–206, ACM Press, May 2008. Search in Google Scholar

[20] Shafi Goldwasser, Yael Tauman Kalai, Chris Peikert and Vinod Vaikuntanathan, Robustness of the Learning with Errors Assumption, in: ICS 2010 (Andrew Chi-Chih Yao, ed.), pp. 230–240, Tsinghua University Press, January 2010. Search in Google Scholar

[21] Loukas Grafakos and Gerald Teschl, On Fourier Transforms of Radial Functions and Distributions, Journal of Fourier Analysis and Applications 19 (2013), 167–179. Search in Google Scholar

[22] Jonathan Katz and Vinod Vaikuntanathan, Signature Schemes with Bounded Leakage Resilience, in: ASIACRYPT 2009 (Mitsuru Matsui, ed.), LNCS 5912, pp. 703–720, Springer, Heidelberg, December 2009. Search in Google Scholar

[23] Allison B. Lewko, Mark Lewko and Brent Waters, How to leak on key updates, in: 43rd ACM STOC (Lance Fortnow and Salil P. Vadhan, eds.), pp. 725–734, ACM Press, June 2011. Search in Google Scholar

[24] Vadim Lyubashevsky, Chris Peikert and Oded Regev, On Ideal Lattices and Learning with Errors over Rings, J. ACM 60 (2013), 43:1–43:35. Search in Google Scholar

[25] Vadim Lyubashevsky, Chris Peikert and Oded Regev, A Toolkit for Ring-LWE Cryptography, in: EUROCRYPT 2013 (Thomas Johansson and Phong Q. Nguyen, eds.), LNCS 7881, pp. 35–54, Springer, Heidelberg, May 2013. Search in Google Scholar

[26] Vadim Lyubashevsky, Chris Peikert and Oded Regev, A Toolkit for Ring-LWE Cryptography Cryptology ePrint Archive, Report 2013/293, 2013, http://eprint.iacr.org/2013/293 Search in Google Scholar

[27] Tal Malkin, Isamu Teranishi, Yevgeniy Vahlis and Moti Yung, Signatures Resilient to Continual Leakage on Memory and Computation, in: TCC 2011 (Yuval Ishai, ed.), LNCS 6597, pp. 89–106, Springer, Heidelberg, March 2011. Search in Google Scholar

[28] Daniele Micciancio, Generalized Compact Knapsacks, Cyclic Lattices, and Eflcient One-Way Functions, Computational Complexity 16 (2007), 365–411. Search in Google Scholar

[29] Daniele Micciancio and Oded Regev, Worst-case to average-case reductions based on Gaussian measures, SIAM Journal on Computing 37 (2007), 267–302. Search in Google Scholar

[30] Moni Naor and Gil Segev, Public-Key Cryptosystems Resilient to Key Leakage, SIAM J. Comput. 41 (2012), 772–814. Search in Google Scholar

[31] Krzysztof Pietrzak, A Leakage-Resilient Mode of Operation, in: EUROCRYPT 2009 (Antoine Joux, ed.), LNCS 5479, pp. 462–482, Springer, Heidelberg, April 2009. Search in Google Scholar

[32] Oded Regev, On lattices, learning with errors, random linear codes, and cryptography, Journal of the ACM (JACM) 56 (2009), 34. Search in Google Scholar

[33] Miruna Rosca, Damien Stehlé and Alexandre Wallet, On the Ring-LWE and Polynomial-LWE Problems, in: EUROCRYPT 2018, Part I (Jesper Buus Nielsen and Vincent Rijmen, eds.), LNCS 10820, pp. 146–173, Springer, Heidelberg, April/May 2018. Search in Google Scholar

[34] Damien Stehlé and Ron Steinfeld, Making NTRU as Secure as Worst-Case Problems over Ideal Lattices, in: EUROCRYPT 2011 (Kenneth G. Paterson, ed.), LNCS 6632, pp. 27–47, Springer, Heidelberg, May 2011. Search in Google Scholar

[35] G.N. Watson, A Treatise on the Theory of Bessel Functions Cambridge Mathematical Library, Cambridge University Press, 1995. Search in Google Scholar

### A Preliminaries and Definitions

#### A 1 Notation

For a positive integer n, we denote by [n] the set {1, . . . , n}. We denote vectors in boldface x and matrices using capital letters A. For vector x over ℝn or ℂn, define the 2 norm as jx2=(i| xi |2)1/2. We write as x for simplicity.

#### A 2 Lattices and background

Let 𝕋 = ℝ/Zdenote the cycle, i.e. the additive group of reals modulo 1 .We also denote by 𝕋q its cyclic subgroup of order q, i.e., the subgroup given by {0,1/q,,(q1)/q}

Let H be a subspace, defined as HZ¯mx¯ (for some integer m ≥ 2),

H={ xm:xi=χmi¯,im }.

A lattice is a discrete additive subgroup of H. We exclusively consider the full-rank lattices, which are generated as the set of all linear integer combinations of some set of n linearly independent basis vectors B={ bj }H

Λ=(B)={ jzjbj:zj }.

The determinant of a lattice L(B) is defined as |det(B)|, which is independent of the choice of basis B. The minimum distance λ1(Λ) of a lattice Λ (in the Euclidean norm) is the length of a shortest nonzero lattice vector.

The dual lattice of Λ ⊂ H is defined as following, where ·, · denotes the inner product.

Λ={ yH:xΛ,x,y¯=ixiyi }.

Note that, (Λ)=Λ, and det(Λ)=1/det(Λ)

Discretization

Discretization is an important procedure used in applications based on lattices, such as converting continuous Gaussian distribution (defined in Appendix B) into a discrete Gaussian distribution (Definition B.9). Given a lattice Λ=(B) represented by some “good" basis B={ bi }, a point x ∈ H, and a point c ∈ H representing a lattice coset Λ + c, the discretization process outputs a point y ∈ Λ + c such that the length of yx is not too large. This is denoted as y x Λ+c. A discretization procedure is called valid if it is efficient; and depends only on the lattice coset Λ + (cx), not on particular representative used to specify it. Note that for a valid discretization, z + x Λ + c  and  z + x Λ + c are identically distributed for any z ∈ Λ. For more details and actual description of algorithms used for discretization we refer the interested reader to [26].

#### A 3 Algebraic Number Theory

For a positive integer m, the mth cyclotomic number field is a field extension K=(ζm) obtained by adjoining an element ζm of order m (i.e. a primitive mth root of unity) to the rationals. The minimal polynomial of ζm is the mth cyclotomic polynomial

Φm(X)=im*(Xωmi)[X],

where ωm ℂ is any primitive mth root of unity in C.

For every im there is an embedding σi:K, defined as σi(ζm)=ωmi Let n = '(m), the totient of m. The trace Tr : K and norm N:K can be defined as the sum and product, respectively, of the embeddings:

Tr(x)=i[n]σi(x) and N(x)=i[n]σi(x).

For any x ∈ K, the lp norm of x is defined as xp=σ(x)p=(i[n]| σi(x) |p)1/p. We omit p when p = 2. Note that the appropriate notion of norm · is used throughout this paper depending on whether the argument is a vector over ℂn, or whether the argument is an element from K; whenever the context is clear.

#### A 4 Ring of Integers and Its Ideals

Let R ⊂ K denote the set of all algebraic integers in a number field K. This set forms a ring (under the usual addition and multiplication operations in K), called the ring of integers of K. Ring of integers in K is written as R=[ ζm ].

The (absolute) discriminant ΔK of K measures the geometric sparsity of its ring of integers. The discriminant of the mth cyclotomic number field K is

ΔK=(mprime pmp1/(p1))nnn,

in which the product in denominator runs over all the primes dividing m.

An (integral) ideal JR is a non-trivial (i.e. J and J{0}) additive subgroup that is closed under multiplication by R, i,e., raJ for any r ∈ R and aJ. The norm of an ideal JR is the number of cosets of J as an addictive subgroup in R, defined as index of J, i.e., N(J)=|R/I|. Note that N(JJ)=N(J)N(J).

A fractional ideal J in K is defined as a subset such that IR is an integral ideal for some nonzero d ∈ R. Its norm is defined as N(J)=N(dJ)/N(d). An ideal lattice is a lattice σ(J) embedded from a fractional ideal J by σ in H. The determinant of an ideal lattice σ(J) is det( :(σ(J))=N(J)ΔK. For simplicity, however, most often when discussing about ideal lattice, we omit mention of σ since no confusion is likely to arise.

#### Lemma A.1

([26]). For any fractional ideal J in a number field K of degree n,

nN1/n(J)λ1(J)nN1/n(J)ΔK1/n.

For any fractional ideal J in K, its dual ideal is defined as

JV={aK:Tr(aJ)}.

#### Definition A.2

For R=[ ζm ], define g= p(1ζp)R, where p runs over all odd primes dividing m. Also, define t=m^gR, where m^=m2 if m is even, otherwise m^=m.

The dual ideal R of R is defined as R= t1 , satisfying RRm^1R. For any fractional ideal J, its dual is J=J1R. The quotient Rq is defined as Ra=R/qR.

Fact A.3 ([26]). Assume that q is a prime satisfying q = 1 mod m, so that ⟨q⟩ splits completely into n distinct ideals of norm q. The prime ideal factors of ⟨q⟩ are qi=q+ ζmωmi , for im. By Chinese Reminder Theorem, the natural ring homomorphism R/q im*(qn) is an isomorphism.

#### Lemma A.4

[26, Lemma 2.23] Let p and q be positive coprime integers, and · be a valid discretization to (cosets of) pR. There exists an efficient transformation that on input wRp and a pair in (a,b) Rq×(K/qR), outputs a pair (a=pamodqR,b)Rq×Rq with the following guarantees: if the input pair is uniformly distributed then so is the output pair; and if the input pair is distributed according to the RLWE distribution As for some (unknown) sR and distribution Ψ over K, then the output pair is distributed according to As,χ, where χ=pψw+pR.

#### Lemma A.5

[26, Lemma 2.24] Let p and q be positive coprime integers, · be a valid discretization to (cosets of) pR, and w be an arbitrary element in Rp. If R-DLWEq, Ψ is hard given l samples, then so is the variant of R-DLWEq, Ψ in which the secret is sampled from chi:=pψw+pR, given l − 1 samples.

### B Regularity and Fourier Transforms

Let ρs,c denote an n-dimensional Gaussian function with standard deviation s and mean c.

One and Multi-Dimensional Gaussians.

For s>0,c,x, define the Gaussian function ρs,c1:(0,1] as

ρs,c1(x):=eπ(xc)2s2.

When c = 0, we write for simplicity,

ρs1(x):=eπ(x)2s2.

By normalizing this function we obtain the continuous Gaussian probability distribution ψs,c1( respψs1) of parameter s, whose density is given by s1ρs,c1(x)( resps1ρs1(x)).

We denote by ρ(s1,,sn),(c1,,cn) the distribution over ℝn with the following pdf:

Let ρs,c1 denote a one-dimensional Gaussian function as above with standard deviation s and mean c.We denote by ρ(s1,,sn),(c1,,cn) the distribution over ℝn with the following pdf:

ρ(s1,,sn),(c1,,cn)(x1,,xn):=ρs1,c11(x1)ρsn,cn1(xn).

When c = 0, we again write for simplicity, ρ(s1,,sn). Moreover, when s1==sn and the dimension is clear from context we write for simplicity ρS,(c1,,cn) (resp. ρs). Normalizing as above, we obtain the corresponding continuous Gaussian probability distribution ψ(s1,,sn),(c1,,cn) (resp. ψ(s1,,sn),ψs,(c1,,cn),ψs ).

### Definition B.1

(Fourier Transform). Given an integrable function f:n, we denote by f^:n the Fourier transform of f , defined as

f^(y):=nf(x)e2πix,ydx.

### Theorem B.2

(Poisson Summation Formula). :Let Λn be an arbitrary lattice of dimension n, and let f: n be an appropriate function [8] Then

f(Λ)=1det(Λ)f^(Λ),

where Λ is the dual lattice of Λ and f^ is a Fourier transform of f .

### Definition B.3

For an n-dimensional lattice Λ, and positive real ε > 0, we define its smoothing parameter ηε(Λ) to be the smallest s such that ρ1/s(Λ\{0})ε.

### Lemma B.4

[9, 29] For any n-dimensional lattice Λ, we have ln(1/ε)πλ1(Λ)ηε(Λ)nλ(Δ) for ε[ 2n,1 ].

### Claim B.5

( [26]). For any n-dimensional lattice Λ and ε, s > 0,

ρ1/s(Λ)max(1,(ηε(Λ)s)n)(1+ε).

### Lemma B.6

For any n-dimensional lattice Λ and ε > 0, s:=(s1,,sn)>0n, and c:=(c1,,cn)n, if all of s1,,sn<ηε(Λ) then

ρ(1/s1,,1/sn),(c1,,cn)(Λ)(ηε(Λ)s1ηε(Λ)sn)(1+ε).

Proof. Applying Poisson summation formula twice, using the fact that for all vectors xn,ρ^(1/s1,,1/sn),(c1,,cn)(x) (s1)1(sn)1ρ(s1,,sn)(x), and the fact that ρ^ηε(Λ)=ηε(Λ)nρ1/ηε(Λ), we have:

ρ ( 1 / s 1 , , 1 / s n ) , ( c 1 , , c n ) ( Λ ) det ( Λ ) 1 ( s 1 ) 1 ( s n ) 1 ρ ( s 1 , , s n ) ( Λ ) det ( Λ ) 1 ( s 1 ) 1 ( s n ) 1 ρ η ε ( Λ ) ( Λ ) = ( s 1 ) 1 ( s n ) 1 η ε ( Λ ) n ρ 1 / η ε ( Λ ) ( Λ ) η ε ( Λ ) s 1 η ε ( Λ ) s n ( 1 + ε ) .

where the last inequality follows from the definition of ηε(Λ).

### Lemma B.7

[29, Lemma 3.6] For any lattice Λ, positive real s > 0 and a vector c,ρs,c(Λ)ρs(Λ).

### Definition B.8

Let Λ be an n-dimensional lattice and a probability distribution over ℝn. Define the discrete probability distribution of over Λ to be:

DΛ,Ψ(x)=Ψ(x)Ψ(Λ),xΛ.

### Definition B.9

Let Λ be an n-dimensional lattice, define the discrete Gaussian probability distribution over Λ with parameter (s1, . . . , sn) and center (c1, . . . , cn) as

DΛ,(s1,,sn),(c1,,cn)(x)=ρ(s1,,sn),(c1,,cn)(x)ρ(s1,,sn),(c1,,cn)(Λ),xΛ.

### Remark B.10

Whenever is Gaussian with parameter (s1, . . . , sn) and center (c1, . . . , cn) we denote it’s discrete Gaussian probability by DΛ,(s1,,sn),(c1,,cn) . If s=s1==sn (resp. c = c1 = · · · = cn) we write DΛ,s,(c1,,cn)(respDΛ,(s1,,sn),c) If c1 = · · · = cn = 0 we write DΛ,(s1,,sn).

### Lemma B.11

[29, Lemma 4.4] For any n′-dimensional lattice Λ, and reals 0<ε<1,sηε(Λ), we have

Prx~DΛ,ψs(x>sn)1+ε1ε2n.

The following is a modified version of Lemma 3.8 from [32].

### Lemma B.12

Let Λ be an n-dimensional lattice and Ψ a probability distribution over ℝn. If | Ψ ^ | ( Λ { 0 } ) ε then for any cn.Ψ(Λ+c)det(Λ)(1±ε), where |Ψ^|(Λ\{0}) denotes the summation of the absolute value of the function at each point in Λ \ {0}.

Proof. First, since is a pdf, we have that Ψ^(0)=1. We have:

Ψ(Λ+c)=det(Λ)yΛΨ^(y)e2πi<c,y>det(Λ)(1±yΛ{0}| Ψ^(y)e2πi<c,y> |)
det(Λ)(1±yΛ\{0}Ψ^(y))det(Λ)(1±ε),

where the equality follows from properties of the Fourier transform.

The proof of the following lemma proceeds as the proof of Corollary 2.8 in [19].

### Lemma B.13

Let Λ′ be an n-dimensional lattice and a probability distribution over ℝn. Assume that for all c n it is the case that

Ψ(Λ+c)[ 1ε1+ε,1+ε1ε ]Ψ(Λ),

Let Λ be an n-dimensional lattice such that Λ′ ⊆ Λ then the distribution of (DΛ,Ψ mod Λ′) is within statistical distance of at most 4ε of uniform over (Λ mod ).

### Definition B.14

For a matrix ARqk×l we define Λ(A)={ zRl:Az=0modqR } which we identify with a lattice in H l. Its dual lattice (which is again a lattice in H l) is denoted by Λ(A).

### Theorem B.15

[26] Let R be the ring of integers in the mth cyclotomic number field K of degree n, and q ≥ 2 an integer. For positive integers kl ≤ poly(n), let A=[ IkA¯ ](Rq)k×l, where Ik(Rq)k×k is the identity matrix and A¯(Rq)k×(lk) is uniformly random. Then for all s ≥ 2n,

EA¯[ ρ1/s(Λ(A)) ]1+2(s/n)nlqkn+2+2Ω(n).

In particular, if s>2nqk/l+2/(nl) then EÅ[ ρ1/ s(Λ(A)) ]1+2Ω(n), and so by Markov’s inequality, η2Ω(n)(Λ(A))s except with probability at most 2Ω(n).

The following corollary was presented in [26].

Corollary B.16. Let R, n, q, k and l be as in Theorem B.15. Assume that A = [ I k | A ¯ ] ( R q ) k × l is chosen as in Theorem B.15. Then, with probability 1 2 Ω ( n ) over the choice of A ¯ the distribution of A x R q k where each coordinate of x R q l is chosen from a discrete Gaussian distribution of parameter s > 2 n q k / l + 2 / ( n l ) over R, satisfies that the probability of each of the qnk possible outcomes is in the interval ( 1 ± 2 Ω ( n ) ) q n k (and in particular is within statistical distance 2 Ω ( n ) of the uniform distribution over R q k

We next state an additional corollary of the regularity theorem from [26].

Corollary B.17. Let R, n, q, k and l be as in Theorem B.15. Assume that A = [ I k | A ¯ ] ( R q ) k × l is chosen as in Theorem B.15. Then, with probability 1 2 Ω ( n ) over the choice of A ¯ , the shortest non-zero vector in Λ(A) has length at least n / π 2 n q k / l + 2 / ( n l )

### C Proof of Theorem 2.8

In this section, we prove the following theorem, which provides an upper bound on the Fourier transform of a pdf for the analysis of Conditional Distribution III in Section 2.3.

### Theorem 2.8

Let n′ := l · 2a + 1, where l, a are positive integers and a > 2, and c σ 2 n Let Ψ σ,c denote the normalized pdf corresponding to the non-normalized function f ( x ) := e π ( x c ) 2 σ 2 + e π ( x + c ) 2 σ 2 where x is a vector over n′ dimensions. and let Ψ σ , c denote the n′-dimensional Fourier transform of Ψ σ,c. Then | Ψ σ , c ^ ( y ) | n n e π y 2 σ 2 for y > 1/σ.

The following lemma computes a lower bound of the normalization factor of the pdf in Theorem 2.8. Once we prove the lemma, we proceed to the proof of Theorem 2.8.

### Lemma C.1

Let n′ ∈ 𝕅 be odd, x R n c ∈ ℝ. Then

R n e π ( x c ) 2 σ 2 + e π ( x + c ) 2 σ 2 x σ n .

Proof. Let f ( x ) := e π ( x c ) 2 σ 2 + e π ( x + c ) 2 σ 2 Let r = x. Since f is a radial function, we slightly abuse notation and denote by f ( r ) := e π ( r c ) 2 σ 2 + e π ( r + c ) 2 σ 2 Now, we have that

(C1) R n f ( x ) d x = n V n 0 r n 1 f ( r ) r ,

where Vn denotes the volume of n′-dimensional ball V n = π n / 2 Γ ( 1 + n / 2 ) Since f is an even function and n′ is odd, so r n 1 is an even function, we have that r n 1 f ( r ) is even and so

(C2) rn1f(r)dr=1/2rn1f(r)dr.

Let a=π/σ2. Since n′ is odd, we now have that

e a ( r c ) 2 c 2 r n 1 r = e a t 2 ( t + c ) n 1 t = e a t 2 j = 0 n 1 n 1 j c j t n 1 j t = j = 0 n 1 n 1 j c j e a t 2 t n 1 j t = j = 0 n 1 n 1 j c j 1 2 ( 1 ) j ( 1 ) n + 1 + ( 1 ) j a 1 2 ( n + j ) Γ n j 2 = j = 0 n 1 2 n 1 2 j c 2 j a 1 2 ( n + 2 j ) Γ n 2 j 2 a 1 2 n Γ n 2

Combining the above with (C1) and (C2) and substituting for a,we get that Rnf(x)dxσn, which completes the proof of the lemma.

Proof of Theorem 2.8. Let N be the normalization of f (x) over n′ dimensions. We have from Lemma C.1 that Nσn Thus, it remains to show that for n:=l2a+1 and cσ2n,f^(y)σnn5/4eny2o2.

Let r := x, we slightly abuse notation and view f as a function of r, f(r):=eπ(rc)2σ2+eπ(r+c)2σ2. Since Ψσ,c is a radial function, so is its Fourier transform, thus, we again slightly abuse notation and F:=f^ as a function of K := y. We may now use the formula for the radial Fourier transform of an n′-dimensional, radial function f to find F [21]:

(C3) F(κ)=κ(n2)2(2π)0rn22f(r)Jn22(2πκr)rdr,

where Jn22 denotes the Bessel function of the first kind of order n22. The Bessel function of first kind of order V is defined as [35, Page 40]:

(C4) JV(z):= (1)j(12z)ν+2jΓ(v+j+1)j!

For half-integer order v:=n+12, there is a closed-form representation of J. Specifically, it can be expressed as [35, Page 298]:

(C5) Jn+12(z):=Rn,12(z)(2πz)12sinzRn1,32(z)(2πz)12cosz.

where Rn,12(z) and Rn1,32(z) are Lommel polynomials defined as [35, Page 296]:

(C6) Rn,v(z)=j=0[n/2](1)j(nj)!Γ(v+nj)j!(n2j)!Γ(v+j)(z2)2jn,

where the [x] means the largest integer not exceeding x.

We now have:

(C7) | F ( κ ) | = | κ ( n 2 ) 2 ( 2 π ) 0 r n 2 2 f ( r ) J n 2 2 ( 2 π κ r ) r d r | = | κ ( n 2 ) 2 ( 2 π ) ( 0 r n 2 2 f ( r ) ( j = 0 [ n 3 4 ] c j ( 2 π κ r 2 ) 2 j n 3 2 ) ( 2 2 π 2 κ r ) 1 2 s i n ( 2 π κ r ) r d r 0 r n 2 2 f ( r ) ( j = 0 [ n 5 4 ] c j ( 2 π κ r 2 ) 2 j n 5 2 ) ( 2 2 π 2 κ r ) 1 2 c o s ( 2 π κ r ) r d r ) | κ ( n 2 ) 2 ( 2 π ) ( 0 r n 2 2 f ( r ) ( j = 0 [ n 3 4 ] c j ( 2 π κ r 2 ) 2 j n 3 2 ) ( 2 2 π 2 κ r ) 1 2 s i n ( 2 π κ r ) r d r + 0 r n 2 2 f ( r ) ( j = 0 [ n 5 4 ] c j ( 2 π κ r 2 ) 2 j n 5 2 ) ( 2 2 π 2 κ r ) 1 2 c o s ( 2 π κ r ) r d r ) ,

where the first equality follows from (C3), the second equality follows from (C5), (C6) and the settings of c j := ( 1 ) j ( n 3 2 j ) ! Γ ( 1 2 + n 3 2 j ) j ! ( n 3 2 2 j ) ! Γ ( 1 2 + j )

In order to bound (C7), we will individually upper bound

I:| 0rn22f(r)(j=0[ n34 ]cj(2πkr2)2jn32)(22π2κr)12sin(2πκr)rdr |

and

II: | 0rn22f(r)(j=0[ n54 ]cj(2πkr2)2jn52)(22π2κr)12cos(2πκr)rdr |.

Recalling that f(r)=eπ(rc)2σ2+eπ(r+c)2σ2, we have that

(C8) | F ( κ ) | = | κ ( n 2 ) 2 ( 2 π ) 0 r n 2 2 f ( r ) J n 2 2 ( 2 π κ r ) r d r | = | κ ( n 2 ) 2 ( 2 π ) ( 0 r n 2 2 f ( r ) ( j = 0 [ n 3 4 ] c j ( 2 π κ r 2 ) 2 j n 3 2 ) ( 2 2 π 2 κ r ) 1 2 s i n ( 2 π κ r ) r d r 0 r n 2 2 f ( r ) ( j = 0 [ n 5 4 ] c j ( 2 π κ r 2 ) 2 j n 5 2 ) ( 2 2 π 2 κ r ) 1 2 c o s ( 2 π κ r ) r d r ) | κ ( n 2 ) 2 ( 2 π ) ( 0 r n 2 2 f ( r ) ( j = 0 [ n 3 4 ] c j ( 2 π κ r 2 ) 2 j n 3 2 ) ( 2 2 π 2 κ r ) 1 2 s i n ( 2 π κ r ) r d r + 0 r n 2 2 f ( r ) ( j = 0 [ n 5 4 ] c j ( 2 π κ r 2 ) 2 j n 5 2 ) ( 2 2 π 2 κ r ) 1 2 c o s ( 2 π κ r ) r d r ) ,

where the second equality follows since f (r) is an even function, cos(2πĸr) is an even function and for n= l2a+1, all powers of r in the integrand are even, which means that the entire integrand is an even function.

To compute an upper bound on

(C9) | r2j+2(eπ(rc)2σ2+eπ(r+c)2σ2)(ei2πkr+ei2πkr)dr |

as above, we integrate each term separately. Since the analysis is essentially the same for each term, we focus on upper bounding the term A:=| eπ(rc)2σ2ei2πkrdr |=| eπk2σ2+2πikceπσ2(r(c+ikσ2))2dr |:

A = e π κ 2 σ 2 + 2 π i κ c r 2 j + 2 e π σ 2 ( r ( c + i κ σ 2 ) ) 2 r e π κ 2 σ 2 ( σ π r + ( c + i κ σ 2 ) ) 2 j + 2 e r 2 σ π d r = e π κ 2 σ 2 σ 2 j + 2 ( 1 π r + ( c σ + i κ σ ) ) 2 j + 2 e r 2 σ π d r e π κ 2 σ 2 σ 2 j + 2 ( 1 π r + ( c σ + κ σ ) ) 2 j + 2 e r 2 σ π d r e π κ 2 σ 2 ( σ π ) 2 j + 3 ( c σ + κ σ ) 2 j + 2 2 j + 2 j + 1 r 2 j + 2 e r 2 d r e π κ 2 σ 2 ( σ π ) 2 j + 3 ( c σ + κ σ ) 2 j + 2 2 j + 2 j + 1 1 2 ( 1 + ( 1 ) 2 j ) Γ ( 3 2 + j ) e π κ 2 σ 2 ( σ π ) 2 j + 3 ( c σ + κ σ ) 2 j + 2 2 j + 2 j + 1 Γ ( 3 2 + j )

Thus, we have that

(C9)(σπ)2j+3eπk2σ2Γ(32+j)(2j+2j+1)[ 4(cσ+κσ)2j+2 ]

Plugging the above back into (C8), and recalling that | cj |=(n52j)!Γ(12+n32j)j!(n522j)!Γ(12+1+j) we have that

II1/2(14π2κ)12j=0[n54]|cj|(πκ)2jn2+52(σπ)2j+3eπκ2σ2Γ(32+j)2j+2j+12(cσ)2j+2(κσ)2j+21/2(12π)eπκ2σ2j=0[n54](π)jn2+1n52jj2j+2j+12Γ(n21j)σ2j+3c2j+2(κ)4jn2+41/2(12π)eπκ2σ2(n2n2nn2)j=0[n54]σ2j+3c2j+2(κ)4jn2+4

Where the last inequality follows since (ni)2n and n!nn. We now turn to upper-bounding I. Recalling that f(r)=eπ(rc)2σ2+eπ(r+c)2σ2, we have that

(C10) I=| 0rn22f(r)(j=0[ n34 ]cj(2πkr2)2jn32)(22π2kr)12sin(2πκr)rdr |
=1/2rn22f(r)(j=0[n54]cj(2πκr2)2jn52)(22π2κr)12(ei2πκr+ei2πκr2)rdr=1/2(14π2κ)12rn12f(r)(j=0[n54]cj(2πκr2)2jn2+52)(ei2πκr+ei2πκr)dr1/2(14π2κ)12j=0[n54]|cj|(πκ)2jn2+52r2j+2(eπ(rc)2σ2+eπ(r+c)2σ2)(ei2πκr+ei2πκr)dr,

where the second equality follows since f (r) is an even function, sin(2πĸr) is an odd function and for n′ = l · 2a + 1, all powers of r in the integrand are odd, which means that the entire integrand is an even function.

To compute an upper bound on

(C11) r2j+1(eπ(rc)2σ2+eπ(r+c)2σ2)(ei2πκrei2πkr)dr

as above, we integrate each term separately. Since the analysis is essentially the same for each term, we focus on the term ∫ B:=| eπ(rc)2σ2ei2πκrdr |=| eπκ2σ2+i2πκceπσ2(r(c+iκσ2))2dr |:

B = e π κ 2 σ 2 + i 2 π κ c r 2 j + 1 e π σ 2 ( r ( c + i κ σ 2 ) ) 2 d r e π κ 2 σ 2 r 2 j + 1 e π σ 2 ( r ( c + i κ σ 2 ) ) 2 d r = e π κ 2 σ 2 ( σ π r + ( c + i κ σ 2 ) ) 2 j + 1 e r 2 σ π d r e π κ 2 σ 2 ( σ π r + ( c + κ σ 2 ) ) 2 j + 1 e r 2 σ π d r e π κ 2 σ 2 ( σ π ) 2 j + 2 ( c σ + κ σ ) 2 j + 1 2 j + 1 j + 1 r 2 j e r 2 d r e π κ 2 σ 2 ( σ π ) 2 j + 2 ( c σ + κ σ ) 2 j + 1 2 j + 1 j + 1 1 2 ( 1 + ( 1 ) 2 j ) Γ ( 1 2 + j ) e π κ 2 σ 2 ( σ π ) 2 j + 2 ( c σ + κ σ ) 2 j + 1 2 j + 1 j + 1 Γ ( 1 2 + j )

Thus, we have that

(C11)(σπ)2j+2eπκ2σ2Γ(12+j)(2j+1j+1)[ 4(cσ+κσ)2j+1 ]

Plugging the above back into (C10), and recalling that | cj |=(n32j)!Γ(12+n32j)j!(n322j)!Γ(12+j), we have that

I1/2(14π2κ)12j=0[n34]|cj|(πκ)2jn2+32(σπ)2j+2eπκ2σ2Γ(12+j)2j+1j+12(cσ)2j+1(κσ)2j+11/2(12π)eπκ2σ2j=0[n34](π)jn12n32jj2j+1j+12Γ(n21j)σ2j+2c2j+1(κ)4jn2+31/2(12π)eπκ2σ2(n2n2nn2)j=0[n34]σ2j+2c2j+1(κ)4jn2+3

Where the last inequality follows since (ni)2n and n!nn. Finally, plugging into (C7), and recalling that (ni)2n and n!nn. we obtain:

| F ( κ ) | 1 / 2 e π κ 2 σ 2 ( n 2 n 2 n n 2 ) ( j = 0 [ n 5 4 ] σ 2 j + 3 c 2 j + 2 κ 4 j n + 5 + j = 0 [ n 3 4 ] σ 2 j + 2 c 2 j + 1 κ 4 j n + 4 ) σ n n n e π κ 2 σ 2

### D Manipulating Gaussians

We begin by defining some notation, which will be useful in all of the Conditional Distributions when manipulating Gaussian-distributed random variables.We write probability density function of random variable X at value x, sampled from n-dimensional Gaussian distribution with each component of variable pairwise independent, as

ψs,u(X=x)=i[n]1siexp(π(xiui)2si2),

with mean u=(u1,,un) and standard deviation s = (s1, . . . , sn). The probability density function of Y at value y, sampled from n-dimensional Gaussian distribution with each component of variable pairwise independent, can be written as

ψv,μ(Y=y)=i[n]1viexp(π(yiμi)2vi2),

with mean μ=(μ1,,μn) and standard deviation v = (v1, . . . , vn).

We now consider the distribution of X, conditioned on knowledge of X+Y.We proceed with the following straightforward lemma:

### Lemma D.1

Given two independent random variables X and Y. Suppose that the distribution of X is a n-dimensional Gaussian distribution with mean u and standard deviation s, each component of X pairwise independent, and the distribution of Y is a n-dimensional Gaussian distribution with mean μ and standard deviation v, each component of Y pairwise independent. Then the distribution of X conditioned on X + Y is also a n-dimensional Gaussian distribution, where each component of X is pairwise-independent with mean

c := (c1, . . . , cn) where ci:=uisi2μivi2+zivi2(1si2+1vi2) and standard deviation 2σ := (σ1, . . . , σn), where σi:=11si2+1vi2.

Proof. We have F Z|A(Z = b) generically represent the probability density function of random variable Z at value b, conditioned on event A.

We can then derive the density function of X given the value z = (z1, . . . , zn) of X + Y by computing

F X X + Y = Z ( X = x ) = ψ s , u ( X = x ) ψ v , μ ( Y = y ) R n ψ s , u ( X = x ) ψ v , μ ( Y = y ) d x = i [ n ] 1 s i v 1 e π x i u 1 2 v 2 e π z 1 x 1 μ 2 v 1 2 i [ n ] 1 s i v i e π x j u i 2 v 2 e π x i x j μ 2 v 1 2 d x = i [ n ] 1 s i 2 + 1 v i 2 exp π 1 s i 2 + 1 v i 2 x i u i s i 2 μ i v i 2 + z i v i 2 1 s i 2 + 1 v i 2 2

Hence FXX+Y=z(X=x) is also in the form of probability density function of X on value x sampled n-dimensional Gaussian distribution, where each component xi is generated independently with mean uisi2μivi2+zivi2(1si2+1vi2), and variance parameter 11si2+1vi2.

### E Additional Proofs for Section 2

#### Lemma 2.4

For ideals JT1,

η22n((Jq))2n.

Proof.

(E1) η22n((Jq))nλ1((Jq))

NJq1/n

(E2) j/qRnn1/n
(E3) 2nnn1/n=2n

where (E1) follows from Lemma B.4, (E2) follows from Lemma A.1, and (E3) follows from the fact that (N(Jq))1=|J/qR|=| R/R |.||/qR| =ΔK |d/qR (for example, see [8, page. 63]), and (E4) follows from the definition of T1.

#### Lemma 2.5

For ideals JT21

| J/qR |(lk)(ρ1/σ1,,1/σn(1qJ)l)2n(lk)

Proof. Recall that σ:=(σ1,,σn)>0n is defined >as a vector such that positions are set to 2n, while the other positions are set to s. Define z1, . . . , zn in the followingway: For i[n], if σi = s then zi = σi. Otherwise, zi=η22n((1qj)). Applying Poisson summation twice we arrive at:

(E5) ρ1/σ1,,1/σn(1qJ)=1/det(1qJ)(1/σ11/σn)ρσ1,,σn((1qJ))
(E6) 1/det(1qj)(1/σ11/σn)ρz1,,zn((1qJ))
(E7) =(η22n((1qj))2n)ρ1/z1,,1/zn(1qJ)
(E8) (1+22n)(η22n((1qJ))2n),

where (E6) follows from definitions of ρ and zi. To derive (E7), let us first introduce the following claim.

#### Claim E.1

For any lattice L,

ρs1,,sn(L)=s1s2sn1det(L)ρ1/s1,,1/sn(L)

Proof. It can be easily verified by combining Poisson Summation formula and the fact that ρ^S1,,sn= S1snρ1/s1,,1/sn.

By replacing si with 1 / Zi for all i and replacing L with |1qJ , we have

1/det(1qJ)ρz1,,zn((1qj))=z1znρ1/z1,,1/zn(1qj).

By plugging into (E6), we have

(z1σ1znσn)ρ1/z1,,1/zn(1qJ)

By definition of zi,ziσi=1 when σi = s and ziσi=η22n((1qJ))2n, when σi=2n. Since there are positions in σ when σi = 2n, we obtain (E7). Finally (E8) follows by definition of smoothing parameter η22n((1aj)).

Now, using the fact that η22n(ΔK| J/qR |)1/n, the fact that ΔK=nn and the fact that | J/qR |2n, and the set of parameters, we have that

| J/qR |(lk)(ρ1/σ1,,1/σn(1qj)l)| J/qR |(lkl/n)(1+22n)l2l2n(lk)

which completes the proof of the lemma.

#### E 2 Additional Proofs in Conditional Distribution III

Recall that a generic PDF of one dimensional Gaussian distribution is defined as:

ψs,u(x)=1sexp(π(xu)2s2),

where u is mean, and s is standard deviation of the distribution. We write probability density function of secret key X at value x=(x1,,xn), of which each coordinate is independently sampled from a Gaussian distribution with center at 0 and standard deviation s, as

ψs(X=x)=i[ n ]1sexp(πxi2s2)=1snexp(πr2s2)=ψs(X=r),

where r is the magnitude of x. It also can be viewed as probability density function of secret key for its magnitude ‖X‖ = r, denoted as ψs(X=r). The error is sampled from a 1-dimensional Gaussian distribution with center at 0. We write probability density function of error E at value y is

ψv(E=y)=1vexp(πy2v2).

Let F Z|A(f (Z) = b) generically represent the probability density function of random variable Z at value b of f (Z), conditioned on event A.

We now derive the density function of secret key X given the value z of |‖X‖ + E |. The weight placed on a value x=(x1,,xn) by the conditional distribution depends only on the magnitude of x (i.e. r = x) and can be computed as:

(E9) FX||X+Ez(X=r)=FX,E(X=r,X+E=z)FX,E(X+E=z)=ψs(X=r)ψv(E=zr)+ψs(X=r)ψv(E=zr)FX,E(X+E=z)+FX,E(X+E=z)
=ψs(X=r)ψv(E=zr)+ψs(X=r)ψv(E=zr)Rnψs(X=x)ψv(E=zx)+ψs(X=x)ψv(E=zx)dx=e(πs2+πr2)(rzs2r2+s2)2e(π52+πv2)(r+zz2v2+s2)2nVne(πs2+πv2)(rγ52v2+s2)2rn1dr=e(πs2+πv2)(rz2v2+s2)2+e(πs2+πv2)(r+zs2v2+s2)2N

where N is the normalization factor.

#### Lemma E.2

Given a random variable Y chosen from a Gaussian distribution GE(y,v)=1vexp(πy2v2),Y is upper bounded by vn except for negligible probability, written as Pr (Yvn)2Ω(n).

Proof. Pr (Yy) = Pr (Xx), where X=2πYv is a standard normal, χ=2πyv. By using Chernoff bound and calculating exponential moment of standard normal distribution, we have, for any λ > 0.

Pr(Xx)E[ eλX ]eλx=eλ2/2eλx,

Set λ = x and y=vn, then Pr(Yvn)ex2/2=eπn. The lemma follows.

We now restate and prove Lemma 2.7.

#### Lemma 2.7

Suppose v = s, we can bound a center zs2v2+s2 from Equation E9 by Pr (zs2v2+s2sn)2Ω(n).

Proof. Using union bound, we have

Przs2v2+s2sn=Prz2snPrR+E2sn+PrRE2snPrRsn+PrEvn+PrEvn

Note that since s > n, and using the fact that λ 1 ( ( R l × Z ) ) λ 1 ( R ) n N 1 n ( R ) = n ( Δ k 1 ) 1 n n 1 n n 1 n = 1 n (See Lemma A.1), by Lemma B.4, we ensure S>η2n(Rl×). Then by Lemma B.11 and Lemma E.2, we deduce that Pr (zs2v2+s2sn)2Ω(n).

Corollary 2.10. Let k, l, σ and c be as in Theorem 2.9. Assume that A=[ IkA¯ ](Rq)k×l is chosen as in Theorem 2.9. Then, with probability 12Ω(n) over the choice of Ā, the distribution of AxRqk, where (x,xn)Rl×Z is chosen from DRl×Z,Ψσ,c satisfies that the probability of each of the qnk possible outcomes is in the interval (1±2Ω(n))qnk (and in particular is within statistical distance 2−Ω(n) of the uniform distribution over Rqk ).

Proof. Ψσ,c(Λ(A)++(b,b))det((Λ(A)+))(1±2Ω(n)), which means that if we choose a n′-dimensional vector from distribution DRl×Z,Ψσ,c written as x=(x,xn), and let (b,bn)=x mod (Λ⊥(A)+), then the resulting distribution is within statistical distance 2−Ω(n) to uniform distribution over (Rl × Z) modulo (Λ⊥(A)+). Due to the structure of Λ⊥(A)+, this also implies that the marginal distribution over b is uniform over (Rl) modulo (Λ⊥(A)). Moreover, we can easily see that for x=(x,xn), if x mod (Λ(A)+)=(b,bn), then Ax = Ab. Finally, since when b is uniform random over Rl modulo Λ(A), we have that Ab is uniform random over Rqk, the corollary follows.