Zhiyong Zheng¹, Fengxia Liu^2*, Yunfan Lu¹, Kun Tian^1
1Engineering Research Center of Ministry of Education for Financial Computing and Digital Engineering, Renmin University of China, Beijing, China.
²Artificial Intelligence Research Institute, Beihang University of China, Beijing, China.
DOI: 10.4236/jis.2022.134015   PDF    HTML   XML   105 Downloads   558 Views   Citations

Abstract

In this article, we introduce the discrete subgroup in ℝⁿ as preliminaries first. Then we provide some theories of cyclic lattices and ideal lattices. By regarding the cyclic lattices and ideal lattices as the correspondences of finitely generated R-modules, we prove our main theorem, i.e. the correspondence between cyclic lattices in ℝⁿ and finitely generated R-modules is one-to-one. Finally, we give an explicit and countable upper bound for the smoothing parameter of cyclic lattices.

Keywords

Cyclic Lattice, Ideal Lattice, Finitely Generated R-Module, Smoothing Parameter

Share and Cite:

1. Introduction

Cyclic lattices and ideal lattices were introduced by Micciancio in [1], Lyubashevsky and Micciancio in [2] respectively, which play an efficient role in Ajtai’s construction of a collision-resistant Hash function (see [3] and [4]) and in Gentry’s construction of fully homomorphic encryption (see [5]). Let $R=\mathbb{Z}\left[x\right]/\langle \varphi \left(x\right)\rangle$ be a quotient ring of the integer coefficients polynomials ring, Lyubashevsky and Micciancio regarded an ideal lattice as the correspondence of an ideal of R, but they don’t explain how to extend this definition to whole Euclidean space ${ℝ}^n$. Many researchers have presented some results in their works about cyclic lattices and ideal lattices, however, none of them exhibit the relationship between cyclic lattices and ideal lattices.

In this paper, we regard the cyclic lattices and ideal lattices as the correspondences of finitely generated R-modules, so that we may show that ideal lattices are actually a special subclass of cyclic lattices, namely, cyclic integer lattices. In fact, there is a one-to-one correspondence between cyclic lattices in ${ℝ}^n$ and finitely generated R-modules (see Theorem 4.9 below). On the other hand, since R is a Noether ring, each ideal of R is a finitely generated R-module, so it is natural and reasonable to regard ideal lattices as a special subclass of cyclic lattices (see Corollary 4.11 below). It is worth noting that we use a more general rotation matrix here, so our definition and results on cyclic lattices and ideal lattices are more general forms. In application, we provide a cyclic lattice with an explicit and countable upper bound for the smoothing parameter (see Theorem 5.5 below). It is an open problem that is the shortest vector problem on cyclic lattice NP-hard (see [1]). Our results may be viewed as substantial progress in this direction.

2. Discrete Subgroup in ${ℝ}^n$

Let $ℝ$ be the real numbers field, $\mathbb{Z}$ be the integers ring and ${ℝ}^n$ be Euclidean space of which is an n-dimensional linear space over $ℝ$ with the Euclidean norm $\left|x\right|$ given by

$\left|x\right|={\left({\displaystyle \underset{i=1}{\overset{n}{\sum }}{x}_i^2}\right)}^{\frac{1}{2}},\text{where}{x}^{\prime }=\left(x_1,x_2,\cdots ,x_n\right)\in {ℝ}^n.$

We use column vector notation for ${ℝ}^n$ throughout this paper, and $x^{\prime }=\left(x_1,x_2,\cdots ,x_n\right)$ is transpose of x, which is called row vector of ${ℝ}^n$.

Definition 2.1 Let $L\subset {ℝ}^n$ be a non-trivial additive subgroup, it is called a discrete subgroup if there is a positive real number $\lambda >0$ such that

$\underset{x\in L,x\ne 0}{\text{min}}\left|x\right|\ge \lambda >0.$ (2.1)

As usual, a ball of center $x_0$ with radius $\delta$ is defined by

$b\left(x_0,\delta \right)=\left\{x\in {ℝ}^n|\left|x-x_0\right|\le \delta \right\}.$

If L is a discrete subgroup of ${ℝ}^n$, then there are only finitely many vectors of L lie in every ball $b\left(0,\delta \right)$, thus we always find a vector $\alpha \in L$ such that

$\left|\alpha \right|=\underset{x\in L,x\ne 0}{\text{min}}\left|x\right|=\lambda >0,\alpha \in L.$ (2.2)

$\alpha$ is called one of shortest vector of L and $\lambda$ is called the minimum distance of L.

Let $B=\left[{\beta }_1,{\beta }_2,\cdots ,{\beta }_m\right]\in {ℝ}^{n\times m}$ be a $n\times m$ dimensional matrix with $\text{rank}\left(B\right)=m\le n$, it means that ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ are m linearly independent vectors in ${ℝ}^n$. The lattice $L\left(B\right)$ generated by B is defined by

$L\left(B\right)={\displaystyle \underset{i=1}{\overset{m}{\sum }}{x}_i{\beta }_i}=\left\{Bx|x\in {\mathbb{Z}}^m\right\},\forall x_i\in \mathbb{Z}.$ (2.3)

which is all linear combinations of ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ over $\mathbb{Z}$. If $m=n$, $L\left(B\right)$ is called a full-rank lattice.

It is a well-known conclusion that a discrete subgroup L in ${ℝ}^n$ is just a lattice $L\left(B\right)$. Firstly, we give a detail proof here by making use of the simultaneous Diophantine approximation theory in real number field $ℝ$ (see [6] and [7]).

Lemma 2.1 Let $L\subset {ℝ}^n$ be a discrete subgroup, ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_m\in L$ be m vectors of L. Then ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_m$ are linearly independent over $ℝ$, if and only if which are linearly independent over $\mathbb{Z}$.

Proof: If ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_m$ are linearly independent over $ℝ$, trivially which are linearly independent over $\mathbb{Z}$. Suppose that ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_m$ are linearly independent over $\mathbb{Z}$, we consider arbitrary linear combination over $ℝ$. Let

$a_1{\alpha }_1+a_2{\alpha }_2+\cdots +a_m{\alpha }_m=0,\forall a_i\in ℝ.$ (2.4)

We should prove (2.4) is equivalent to $a_1=a_2=\cdots =a_m=0$, which implies that ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_m$ are linearly independent over $ℝ$.

By Minkowski’s Third Theorem (see Theorem VII of [7]), for any sufficiently large $N>1$, there are a positive integer $q\ge 1$ and integers $p_1,p_2,\cdots ,p_m\in \mathbb{Z}$ such that

$\underset{1\le i\le m}{\text{max}}\left|q{a}_i-p_i\right|<N^{-\frac{1}{m}},\text{and}1\le q\le N.$ (2.5)

By (2.4), we have

$\begin{array}{l}\left|p_1{\alpha }_1+p_2{\alpha }_2+\cdots +p_m{\alpha }_m\right|\\ =\left|\left(q{a}_1-p_1\right){\alpha }_1+\left(q{a}_2-p_2\right){\alpha }_2+\cdots +\left(q{a}_m-p_m\right){\alpha }_m\right|\\ \le m{N}^{-\frac{1}{m}}\underset{1\le i\le m}{\text{max}}\left|{\alpha }_i\right|.\end{array}$ (2.6)

Let $\lambda$ be the minimum distance of L, $\epsilon >0$ be any positive real number. We select N such that

$N>\text{max}\left\{{\left(\frac{m}{\epsilon }\right)}^m,{\left(\frac{m}{\lambda }\right)}^m\underset{1\le i\le m}{\text{max}}{\left|{\alpha }_i\right|}^m\right\}.$

It follows that $m{N}^{-\frac{1}{m}}<\epsilon$ and

$m{N}^{-\frac{1}{m}}\underset{1\le i\le m}{\text{max}}\left|{\alpha }_i\right|<\lambda .$

By (2.6) we have

$\left|p_1{\alpha }_1+p_2{\alpha }_2+\cdots +p_m{\alpha }_m\right|<\lambda .$

Since $p_1{\alpha }_1+p_2{\alpha }_2+\cdots +p_m{\alpha }_m\in L$, thus we have $p_1{\alpha }_1+p_2{\alpha }_2+\cdots +p_m{\alpha }_m=0$,

and $p_1=p_2=\cdots =p_m=0$. By (2.5) we have $q\left|a_i\right|<\frac{1}{m}\epsilon$ for all i, $1\le i\le m$.

Since $\epsilon$ is sufficiently small positive number, we must have $a_1=a_2=\cdots =a_m=0$. We complete the proof of lemma.

口

Suppose that $B\in {ℝ}^{n\times m}$ is an $n\times m$ -dimensional matrix and $\text{rank}\left(B\right)=m$, $B^{\prime }$ is the transpose of B. It is easy to verify

$\text{rank}\left(B^{\prime }B\right)=\text{rank}\left(B\right)=m\Rightarrow \text{det}\left(B^{\prime }B\right)\ne 0,$

which implies that $B^{\prime }B$ is an invertible square matrix of $m\times m$ dimension, here $\text{det}\left(B^{\prime }B\right)$ is the determinant of the matrix $B^{\prime }B$. Since $B^{\prime }B$ is a positive defined symmetric matrix, then there is an orthogonal matrix $P\in {ℝ}^{m\times m}$ such that

$P^{\prime }{B}^{\prime }BP=\text{diag}\left\{{\delta }_1,{\delta }_2,\cdots ,{\delta }_m\right\},$ (2.7)

where ${\delta }_i>0$ are the characteristic value of $B^{\prime }B$, and $\text{diag}\left\{{\delta }_1,{\delta }_2,\cdots ,{\delta }_m\right\}$ is the diagonal matrix of $m\times m$ dimension.

Lemma 2.2 Suppose that $B\in {ℝ}^{n\times m}$ with $\text{rank}\left(B\right)=m$, ${\delta }_1,{\delta }_2,\cdots ,{\delta }_m$ are m characteristic values of $B^{\prime }B$, and $\lambda \left(L\left(B\right)\right)$ is the minimum distance of lattice $L\left(B\right)$, then we have

$\lambda \left(L\left(B\right)\right)=\underset{x\in {\mathbb{Z}}^m,x\ne 0}{\text{min}}\left|Bx\right|\ge \sqrt{\delta },$ (2.8)

where $\delta =\min \left\{{\delta }_1,{\delta }_2,\cdots ,{\delta }_m\right\}$.

Proof: Let $A=B^{\prime }B$, by (2.7), there exists an orthogonal matrix $P\in {ℝ}^{m\times m}$ such that

$P^{\prime }AP=\text{diag}\left\{{\delta }_1,{\delta }_2,\cdots ,{\delta }_m\right\}.$

If $x\in {\mathbb{Z}}^m$, $x\ne 0$, we have

$\begin{array}{c}{\left|Bx\right|}^2=x^{\prime }Ax=x^{\prime }P\left(P^{\prime }AP\right)P^{\prime }x\\ ={\left(P^{\prime }x\right)}^{\prime }\text{diag}\left\{{\delta }_1,{\delta }_2,\cdots ,{\delta }_m\right\}{P}^{\prime }x\\ \ge \delta {\left|P^{\prime }x\right|}^2=\delta {\left|x\right|}^2.\end{array}$

Since $x\in {\mathbb{Z}}^m$ and $x\ne 0$, we have ${\left|x\right|}^2\ge 1$, it follows that

$\underset{x\in {\mathbb{Z}}^m,x\ne 0}{\text{min}}\left|Bx\right|\ge \sqrt{\delta }\left|x\right|\ge \sqrt{\delta .}$

We have Lemma 2.2 immediately.

口

Another application of Lemma 2.2 is to give a countable upper bound for smoothing parameter (see Theorem 5.5 below). Combining Lemma 2.1 and Lemma 2.2, we show that the following assertion.

Theorem 2.3 Let $L\subset {ℝ}^n$ be a subset, then L is a discrete subgroup if and only if there is an $n\times m$ dimensional matrix $B\in {ℝ}^{n\times m}$ with $\text{rank}\left(B\right)=m$ such that

$L=L\left(B\right)=\left\{Bx|x\in {\mathbb{Z}}^m\right\}.$ (2.9)

Proof: If $L\subset {ℝ}^n$ is a discrete subgroup, then L is a free $\mathbb{Z}$ -module. By Lemma 2.1, we have ${\text{rank}}_{\mathbb{Z}}\left(L\right)=m\le n$. Let ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ be a $\mathbb{Z}$ -basis of L, then

$L=\left\{{\displaystyle \underset{i=1}{\overset{m}{\sum }}{a}_i{\beta }_i}|a_i\in \mathbb{Z}\right\}.$

Writing $B={\left[{\beta }_1,{\beta }_2,\cdots ,{\beta }_m\right]}_{n\times m}$, then the rank of matrix B is m, and

$L=\left\{Bx|x\in {\mathbb{Z}}^m\right\}=L\left(B\right).$

Conversely, let $L\left(B\right)$ be arbitrary lattice generated by B, obviously, $L\left(B\right)$ is an additive subgroup of ${ℝ}^n$, by Lemma 2.2, $L\left(B\right)$ is also a discrete subgroup, we have Theorem 2.3 at once.

口

Corollary 2.4 Let $L\subset {ℝ}^n$ be a lattice and $G\subset L$ be an additive subgroup of L, then G is a lattice of ${ℝ}^n$.

Corollary 2.5 Let $L\subset {\mathbb{Z}}^n$ be an additive subgroup, then L is a lattice of ${ℝ}^n$. These lattices are called integer lattices.

According to above Theorem 2.3, a lattice $L\left(B\right)$ is equivalent to a discrete subgroup of ${ℝ}^n$. Suppose $L=L\left(B\right)$ is a lattice with generated matrix $B\in {ℝ}^{n\times m}$, and $\text{rank}\left(B\right)=m$, we write $\text{rank}\left(L\right)=\text{rank}\left(B\right)$, and

$d\left(L\right)=\sqrt{\text{det}\left(B^{\prime }B\right)}.$ (2.10)

In particular, if $\text{rank}\left(L\right)=n$ is a full-rank lattice, then $d\left(L\right)=\left|\text{det}\left(B\right)\right|$ as usual. A sublattice N of L means a discrete additive subgroup of L, the quotient group is written by L/N and the cardinality of L/N is denoted by |L/N|.

Lemma 2.6 Let $L\subset {ℝ}^n$ be a lattice and $N\subset L$ be a sublattice. If $\text{rank}\left(N\right)=\text{rank}\left(L\right)$, then the quotient group L/N is a finite group.

Proof: Let $\text{rank}\left(L\right)=m$, and $L=L\left(B\right)$, where $B\in {ℝ}^{n\times m}$ with $\text{rank}\left(B\right)=m$. We define a mapping $\sigma$ from L to ${\mathbb{Z}}^m$ by $\sigma \left(Bx\right)=x$. Clearly, $\sigma$ is an additive group isomorphism, $\sigma \left(N\right)\subset {\mathbb{Z}}^m$ is a full-rank lattice of ${\mathbb{Z}}^m$, and $L/N\cong {\mathbb{Z}}^m/\sigma \left(N\right)$. It is a well-known result that

$\left|{\mathbb{Z}}^m/\sigma \left(N\right)\right|=d\left(\sigma \left(N\right)\right).$

It follows that

$\left|L/N\right|=\left|{\mathbb{Z}}^m/\sigma \left(N\right)\right|=d\left(\sigma \left(N\right)\right).$

Lemma 2.6 follows.

口

Suppose that $L_1\subset {ℝ}^n$, $L_2\subset {ℝ}^n$ are two lattices of ${ℝ}^n$, we define $L_1+L_2=\left\{a+b|a\in L_1,b\in L_2\right\}$. Obviously, $L_1+L_2$ is an additive subgroup of ${ℝ}^n$, but generally speaking, $L_1+L_2$ is not a lattice of ${ℝ}^n$ again.

Lemma 2.7 Let $L_1\subset {ℝ}^n$, $L_2\subset {ℝ}^n$ be two lattices of ${ℝ}^n$. If $\text{rank}\left(L_1\cap L_2\right)=\text{rank}\left(L_1\right)$ or $\text{rank}\left(L_1\cap L_2\right)=\text{rank}\left(L_2\right)$, then $L_1+L_2$ is again a lattice of ${ℝ}^n$.

Proof: To prove $L_1+L_2$ is a lattice of ${ℝ}^n$, by Theorem 2.3, it is sufficient to prove $L_1+L_2$ is a discrete subgroup of ${ℝ}^n$. Suppose that $\text{rank}\left(L_1\cap L_2\right)=\text{rank}\left(L_1\right)$, for any $x\in L_1$, we define a distance function $\rho \left(x\right)$ by

$\rho \left(x\right)=\inf \left\{\left|x-y\right||y\ne x,y\in L_2\right\}.$

Here the function inf(A) is the infimum of a set A. Since there are only finitely many vectors in $L_2\cap b\left(x,\delta \right)$, where $b\left(x,\delta \right)$ is any a ball of center x with radius $\delta$. Therefore, we have

$\rho \left(x\right)=\min \left\{\left|x-y\right||y\ne x,y\in L_2\right\}={\lambda }_x>0.$ (2.11)

On the other hand, if $x_1\in L_1$, $x_2\in L_1$ and $x_1-x_2\in L_2$, then there is $y_0\in L_2$ such that $x_1=x_2+y_0$, and we have $\rho \left(x_1\right)=\rho \left(x_2\right)$. It means that $\rho \left(x\right)$ is defined over the quotient group $L_1+L_2/L_2$. Because we have the following group isomorphic theorem

$L_1+L_2/L_2\cong L_1/L_1\cap L_2.$

By Lemma 2.6, it follows that

$\left|L_1+L_2/L_2\right|=\left|L_1/L_1\cap L_2\right|<\infty .$

In other words, $L_1+L_2/L_2$ is also a finite group. Let $x_1,x_2,\cdots ,x_k$ be the representative elements of $L_1+L_2/L_2$, we have

$\underset{x\in L_1,y\in L_2,x\ne y}{\text{min}}\left|x-y\right|=\underset{1\le i\le k}{\text{min}}\rho \left(x_i\right)\ge \text{min}\left\{{\lambda }_{x_1},{\lambda }_{x_2},\cdots ,{\lambda }_{x_k}\right\}>0.$

Therefore, $L_1+L_2$ is a discrete subgroup of ${ℝ}^n$, thus it is a lattice of ${ℝ}^n$ by Theorem 2.3.

口

Remark 2.8 The condition $\text{rank}\left(L_1\cap L_2\right)=\text{rank}\left(L_1\right)$ or $\text{rank}\left(L_1\cap L_2\right)=\text{rank}\left(L_2\right)$ in Lemma 2.7 seems to be necessary. As a counterexample, we see the real line $ℝ$, let $L_1=\mathbb{Z}$ and $L_2=\sqrt{2}\mathbb{Z}$, then $L_1+L_2$ is not a discrete subgroup of $ℝ$, thus $L_1+L_2$ is not a lattice in $ℝ$. Because $L_1+L_2=\left\{n+\sqrt{2}m|n\in \mathbb{Z},m\in \mathbb{Z}\right\}$ is dense in $ℝ$ by Dirichlet’s Theorem (see Theorem I of [7]).

As a direct consequence, we have the following generalized form of Lemma 2.7.

Corollary 2.9 Let $L_1,L_2,\cdots ,L_m$ be m lattices of ${ℝ}^n$ and

$\text{rank}\left(L_1\cap L_2\cap \cdots \cap L_m\right)=\text{rank}\left(L_j\right)\text{forsome}1\le j\le m.$

Then $L_1+L_2+\cdots +L_m$ is a lattice of ${ℝ}^n$.

Proof: Without loss of generality, we assume that

$\text{rank}\left(L_1\cap L_2\cap \cdots \cap L_m\right)=\text{rank}\left(L_m\right).$

Let $L_1+L_2+\cdots +L_{m-1}=L^{\prime }$, then

$L^{\prime }+L_m/L^{\prime }\cong L_m/L^{\prime }\cap L_m.$

Since $\text{rank}\left(L^{\prime }\cap L_m\right)=\text{rank}\left(L_m\right)$, by Lemma 2.7, we have $L^{\prime }+L_m=L_1+L_2+\cdots +L_m$ is a lattice of ${ℝ}^n$ and the corollary follows.

口

3. Ideal Matrices

Let $ℝ\left[x\right]$ and $\mathbb{Z}\left[x\right]$ be the polynomials rings over $ℝ$ and $\mathbb{Z}$ with variable x respectively. Suppose that

$\varphi \left(x\right)=x^n-{\varphi }_{n-1}{x}^{n-1}-\cdots -{\varphi }_{1}x-{\varphi }_0\in \mathbb{Z}\left[x\right],{\varphi }_0\ne 0,$ (3.1)

is a polynomial with integer coefficients of which has no multiple roots in complex numbers field $ℂ$. Let $w_1,w_2,\cdots ,w_n$ be the n different roots of $\varphi \left(x\right)$ in $ℂ$, the Vandermonde matrix $V_{\varphi }$ is defined by

$V_{\varphi }=\left(\begin{array}{cccc}1& 1& \cdots & 1\\ w_1& w_2& \cdots & w_n\\ ⋮& ⋮& & ⋮\\ w_1^{n-1}& w_2^{n-1}& \cdots & w_n^{n-1}\end{array}\right),\text{anddet}\left(V_{\varphi }\right)\ne 0.$ (3.2)

According to the given polynomial $\varphi \left(x\right)$, we define a rotation matrix $H=H_{\varphi }$ by

$H=H_{\varphi }={\left(\begin{array}{cccc}0& \cdots & 0& {\varphi }_0\\ & & & {\varphi }_1\\ & I_{n-1}& & ⋮\\ & & & {\varphi }_{n-1}\end{array}\right)}_{n\times n}\in {\mathbb{Z}}^{n\times n},$ (3.3)

where $I_{n-1}$ is the $\left(n-1\right)\times \left(n-1\right)$ unit matrix. Obviously, the characteristic polynomial of H is just $\varphi \left(x\right)$.

We use column notation for vectors in ${ℝ}^n$, for any $f=\left(\begin{array}{c}{f}_0\\ f_1\\ ⋮\\ f_{n-1}\end{array}\right)\in {ℝ}^n$, the ideal matrix generated by vector f is defined by

$H^{*}\left(f\right)={\left[f,Hf,H^{2}f,\cdots ,H^{n-1}f\right]}_{n\times n}\in {ℝ}^{n\times n},$ (3.4)

which is a block matrix in terms of each column $H^{k}f\left(0\le k\le n-1\right)$. Sometimes, f is called an input vector. It is easily seen that $H^{*}\left(f\right)$ is a more general form of the classical circulant matrix (see [8]) and r-circulant matrix (see [9] and [10]). In fact, if $\varphi \left(x\right)=x^n-1$, then $H^{*}\left(f\right)$ is the ordinary circulant matrix generated by f. If $\varphi \left(x\right)=x^n-r$, then $H^{*}\left(f\right)$ is the r-circulant matrix.

By (3.4), it follows immediately that

$H^{*}\left(f+g\right)=H^{*}\left(f\right)+H^{*}\left(g\right),\text{and}{H}^{*}\left(\lambda f\right)=\lambda H^{*}\left(f\right),\forall \lambda \in ℝ.$ (3.5)

Moreover, $H^{*}\left(f\right)=0$ is a zero matrix if and only if $f=0$ is a zero vector, thus one has $H^{*}\left(f\right)=H^{*}\left(g\right)$ if and only if $f=g$. Let $M^{*}$ be the set of all ideal matrices, namely

$M^{*}=\left\{H^{*}\left(f\right)|f\in {ℝ}^n\right\}.$ (3.6)

We may regard $H^{*}$ as a mapping from ${ℝ}^n$ to $M^{*}$ of which is a one to one correspondence.

In [11], we have shown that some basic properties for ideal matrix, most of them may be summarized as the following theorem.

Theorem 3.1 Suppose that $\varphi \left(x\right)\in \mathbb{Z}\left[x\right]$ is a fixed polynomial with no multiple roots in $ℂ$, then for any two column vectors f and g in ${ℝ}^n$, we have

1) $H^{*}\left(f\right)=f_0{I}_n+f_{1}H+\cdots +f_{n-1}{H}^{n-1}$ ;

2) $H^{*}\left(f\right)H^{*}\left(g\right)=H^{*}\left(H^{*}\left(f\right)g\right)$ and $H^{*}\left(f\right)H^{*}\left(g\right)=H^{*}\left(g\right)H^{*}\left(f\right)$ ;

3) $H^{*}\left(f\right)=V_{\varphi }^{-1}\text{diag}\left\{f\left(w_1\right),f\left(w_2\right),\cdots ,f\left(w_n\right)\right\}{V}_{\varphi }$ ;

4) $\text{det}\left(H^{*}\left(f\right)\right)={\displaystyle \underset{i=1}{\overset{n}{\prod }}f\left(w_i\right)}$ ;

5) $H^{*}\left(f\right)$ is an invertible matrix if and only if $\left(\varphi \left(x\right),f\left(x\right)\right)=1$ in $ℝ\left[x\right]$.

where $V_{\varphi }$ is the Vandermonde matrix given by (2.2), $w_i\left(1\le i\le n\right)$ are all roots of $\varphi \left(x\right)$ in $ℂ$, and $\text{diag}\left\{f\left(w_1\right),f\left(w_2\right),\cdots ,f\left(w_n\right)\right\}$ is the diagonal matrix.

Proof: See Theorem 2 of [11].

口

Let $e_1,e_2,\cdots ,e_n$ be unit vectors of ${ℝ}^n$, that is

$e_1=\left(\begin{array}{c}1\\ 0\\ ⋮\\ 0\end{array}\right),e_2=\left(\begin{array}{c}0\\ 1\\ ⋮\\ 0\end{array}\right),\cdots ,e_n=\left(\begin{array}{c}0\\ 0\\ ⋮\\ 1\end{array}\right).$

It is easy to verify that

$H^{*}\left(e_1\right)=I_n,\text{and}{H}^{*}\left(e_k\right)=H^{k-1},1\le k\le n.$ (3.7)

This means that the unit matrix $I_n$ and rotation matrices $H^k\left(\text{1}\le k\le n-1\right)$ are all the ideal matrices.

Let $\varphi \left(x\right)ℝ\left[x\right]$ and $\varphi \left(x\right)\mathbb{Z}\left[x\right]$ be the principal ideals generated by $\varphi \left(x\right)$ in $ℝ\left[x\right]$ and $\mathbb{Z}\left[x\right]$ respectively, we denote the quotient rings R and $\bar{R}$ by

$R=\mathbb{Z}\left[x\right]/\varphi \left(x\right)\mathbb{Z}\left[x\right],\text{and}\bar{R}=ℝ\left[x\right]/\varphi \left(x\right)ℝ\left[x\right].$ (3.8)

There is a one to one correspondence between $\bar{R}$ and ${ℝ}^n$ given by

$f\left(x\right)=f_0+f_{1}x+\cdots +f_{n-1}{x}^{n-1}\in \bar{R}\stackrel{t}{\to }f=\left(\begin{array}{c}{f}_0\\ f_1\\ ⋮\\ f_{n-1}\end{array}\right)\in {ℝ}^n.$

We denote this correspondence by t, that is

$t\left(f\left(x\right)\right)=f\text{and}{t}^{-1}\left(f\right)=f\left(x\right),\forall f\left(x\right)\in \bar{R},\text{and}f\in {ℝ}^n.$ (3.9)

If we restrict t in the quotient ring R, then which gives a one to one correspondence between R and ${\mathbb{Z}}^n$. First, we show that t is also a ring isomorphism.

Definition 3.2 For any two column vectors f and g in ${ℝ}^n$, we define the $\varphi$ -convolutional product $f*g$ by $f*g=H^{*}\left(f\right)g$.

By Theorem 3.1, it is easy to see that

$f*g=g*f,\text{and}{H}^{*}\left(f*g\right)=H^{*}\left(f\right)H^{*}\left(g\right).$ (3.10)

Lemma 3.3 For any two polynomials $f\left(x\right)$ and $g\left(x\right)$ in $\bar{R}$, we have

$t\left(f\left(x\right)g\left(x\right)\right)=H^{*}\left(f\right)g=f*g.$

Proof: Let $g\left(x\right)=g_0+g_{1}x+\cdots +g_{n-1}{x}^{n-1}\in \bar{R}$, then

$xg\left(x\right)={\varphi }_0{g}_{n-1}+\left(g_0+{\varphi }_1{g}_{n-1}\right)x+\cdots +\left(g_{n-2}+{\varphi }_{n-1}{g}_{n-1}\right)x^{n-1}.$

It follows that

$t\left(xg\left(x\right)\right)=Ht\left(g\left(x\right)\right)=Hg.$ (3.11)

Hence, for any $0\le k\le n-1$, we have

$t\left(x^{k}g\left(x\right)\right)=H^{k}t\left(g\left(x\right)\right)=H^{k}g,0\le k\le n-1.$ (3.12)

Let $f\left(x\right)=f_0+f_{1}x+\cdots +f_{n-1}{x}^{n-1}\in \bar{R}$, by (i) of Theorem 3.1, we have

$t\left(f\left(x\right)g\left(x\right)\right)={\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{f}_{i}t\left(x^{i}g\left(x\right)\right)}={\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{f}_i{H}^{i}g}=H^{*}\left(f\right)g.$

The lemma follows.

口

Theorem 3.4 Under $\varphi$ -convolutional product, ${ℝ}^n$ is a commutative ring with identity element $e_1$ and ${\mathbb{Z}}^n\subset {ℝ}^n$ is its subring. Moreover, we have the following ring isomorphisms

$\bar{R}\cong {ℝ}^n\cong M^{*},\text{and}R\cong {\mathbb{Z}}^n\cong M_{\mathbb{Z}}^{*},$

where $M^{*}$ is the set of all ideal matrices given by (3.6), and $M_{\mathbb{Z}}^{*}$ is the set of all integer ideal matrices.

Proof: Let $f\left(x\right)\in \bar{R}$ and $g\left(x\right)\in \bar{R}$, then

$t\left(f\left(x\right)+g\left(x\right)\right)=f+g=t\left(f\left(x\right)\right)+t\left(g\left(x\right)\right),$

and

$t\left(f\left(x\right)g\left(x\right)\right)=H^{*}\left(f\right)g=f*g=t\left(f\left(x\right)\right)*t\left(g\left(x\right)\right).$

This means that t is a ring isomorphism. Since $f*g=g*f$ and $e_1*g=H^{*}\left(e_1\right)g=I_{n}g=g$, then ${ℝ}^n$ is a commutative ring with $e_1$ as the identity elements. Noting $H^{*}\left(f\right)$ is an integer matrix if and only if $f\in {\mathbb{Z}}^n$ is an integer vector, the isomorphism of subrings follows immediately.

口

According to property (v) of Theorem 3.1, $H^{*}\left(f\right)$ is an invertible matrix whenever $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$, we show that the inverse of an ideal matrix is again an ideal matrix.

Lemma 3.5 Let $f\left(x\right)\in \bar{R}$ and $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$, then

${\left(H^{*}\left(f\right)\right)}^{-1}=H^{*}\left(u\right)，$

where $u\left(x\right)\in \bar{R}$ is the unique polynomial such that $u\left(x\right)f\left(x\right)\equiv 1$ (mod ( $\varphi \left(x\right)$ )).

Proof: By Lemma 3.3, we have $u*f=e_1$, it follows that

$H^{*}\left(u\right)H^{*}\left(f\right)=H^{*}\left(e_1\right)=I_n.$

Thus we have ${\left(H^{*}\left(f\right)\right)}^{-1}=H^{*}\left(u\right)$. It is worth to note that if $H^{*}\left(f\right)$ is an invertible integer matrix, then ${\left(H^{*}\left(f\right)\right)}^{-1}$ is not an integer matrix in general.

口

Sometimes, the following lemma may be useful, especially, when we consider an integer matrix.

Lemma 3.6 Let $f\left(x\right)\in \mathbb{Z}\left[x\right]$ and $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $\mathbb{Z}\left[x\right]$, then we have $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$.

Proof: Let $\mathbb{Q}$ be the rational number field. Since $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $\mathbb{Z}\left[x\right]$, then $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $\mathbb{Q}\left[x\right]$. We know that $\mathbb{Q}\left[x\right]$ is a principal ideal domain, thus there are two polynomials $a\left(x\right)$ and $b\left(x\right)$ in $\mathbb{Q}\left[x\right]$ such that

$a\left(x\right)f\left(x\right)+b\left(x\right)\varphi \left(x\right)=1.$

This means that $\left(f\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$.

口

4. Cyclic Lattices and Ideal Lattices

As we know that cyclic code play a central role in algebraic coding theorem (see Chapter 6 of [12]). In [11], we extended ordinary cyclic code to more general forms, namely $\varphi$ -cyclic codes. To obtain an analogous concept of $\varphi$ -cyclic code in ${ℝ}^n$, we note that every rotation matrix H defines a linear transformation of ${ℝ}^n$ by $x\to Hx$.

Definition 4.1 A linear subspace $C\subset {ℝ}^n$ is called a $\varphi$ -cyclic subspace if $\forall \alpha \in C\Rightarrow H\alpha \in C$. A lattice $L\subset {ℝ}^n$ is called a $\varphi$ -cyclic lattice if $\forall \alpha \in L\Rightarrow H\alpha \in L$.

In other words, a $\varphi$ -cyclic subspace C is a linear subspace of ${ℝ}^n$, of which is closed under linear transformation H. A $\varphi$ -cyclic lattice L is a lattice of ${ℝ}^n$ of which is closed under H. If $\varphi \left(x\right)=x^n-1$, then H is the classical circulant matrix and the corresponding cyclic lattice was first appeared in Micciancio [1], but he do not discuss the further property for these lattices. To obtain the explicit algebraic construction of $\varphi$ -cyclic lattice, we first show that there is a one to one correspondence between $\varphi$ -cyclic subspaces of ${ℝ}^n$ and the ideals of $\bar{R}$.

Lemma 4.2 Let t be the correspondence between $\bar{R}$ and ${ℝ}^n$ given by (3.9), then a subset $C\subset {ℝ}^n$ is a $\varphi$ -cyclic subspace of ${ℝ}^n$, if and only if $t^{-1}\left(C\right)\subset \bar{R}$ is an ideal.

Proof: We extend the correspondence t to subsets of $\bar{R}$ and ${ℝ}^n$ by

$C\left(x\right)\subset \bar{R}\stackrel{t}{\to }C=\left\{c|c\left(x\right)\in C\left(x\right)\right\}\subset {ℝ}^n.$ (4.1)

Let $C\left(x\right)\subset \bar{R}$ be an ideal, it is clear that $C\subset t\left(C\left(x\right)\right)$ is a linear subspace of ${ℝ}^n$. To prove C is a $\varphi$ -cyclic subspace, we note that if $c\left(x\right)\in C\left(x\right)$, then by (3.11)

$xc\left(x\right)\in C\left(x\right)\iff Ht\left(c\left(x\right)\right)=Hc\in C.$

Therefore, if $C\left(x\right)$ is an ideal of $\bar{R}$, then $t\left(C\left(x\right)\right)=C$ is a $\varphi$ -cyclic subspace of ${ℝ}^n$. Conversely, if $C\subset {ℝ}^n$ is a $\varphi$ -cyclic subspace, then for any $k\ge 1$, we have $H^{k}c\in C$ whenever $c\in C$, it implies

$\forall c\left(x\right)\in C\left(x\right)\Rightarrow x^{k}c\left(x\right)\in C\left(x\right),0\le k\le n-1,$

which means that $C\left(x\right)$ is an ideal of $\bar{R}$. We complete the proof.

口

By above lemma, to find a $\varphi$ -cyclic subspace in ${ℝ}^n$, it is enough to find an ideal of $\bar{R}$. There are two trivial ideals $C\left(x\right)=0$ and $C\left(x\right)=\bar{R}$, the corresponding $\varphi$ -cyclic subspace are $C=0$ and $C={ℝ}^n$. To find non-trivial $\varphi$ -cyclic subspaces, we make use of the homomorphism theorems, which is a standard technique in algebra. Let $\pi$ be the natural homomorphism from $ℝ\left[x\right]$ to $\bar{R}$, $\ker \pi =\varphi \left(x\right)ℝ\left[x\right]$. We write $\varphi \left(x\right)ℝ\left[x\right]$ by $\langle \varphi \left(x\right)\rangle$. Let N be an ideal of $ℝ\left[x\right]$ satisfying

$\langle \varphi \left(x\right)\rangle \subset N\subset ℝ\left[x\right]\stackrel{\pi }{\to }\bar{R}=ℝ\left[x\right]/\langle \varphi \left(x\right)\rangle .$ (4.2)

Since $ℝ\left[x\right]$ is a principal ideal domain, then $N=\langle g\left(x\right)\rangle$ is a principal ideal generated by a monic polynomial $g\left(x\right)\in ℝ\left[x\right]$. It is easy to see that

$\langle \varphi \left(x\right)\rangle \subset \langle g\left(x\right)\rangle \iff g\left(x\right)|\varphi \left(x\right)\text{in}ℝ\left[x\right].$

It follows that all ideals N satisfying (4.2) are given by

$\left\{\langle \varphi \left(x\right)\rangle |g\left(x\right)\in ℝ\left[x\right]\text{ismonicand}g\left(x\right)|\varphi \left(x\right)\right\}.$

We write by $\langle g\left(x\right)\rangle$ mod $\varphi \left(x\right)$, the image of $\langle g\left(x\right)\rangle$ under $\pi$, i.e.

$\langle g\left(x\right)\rangle \mathrm{mod}\varphi \left(x\right)=\pi \left(\langle g\left(x\right)\rangle \right).$

It is easy to check

$\langle g\left(x\right)\rangle \mathrm{mod}\varphi \left(x\right)=\left\{a\left(x\right)g\left(x\right)|a\left(x\right)\in ℝ\left[x\right]\text{and}\mathrm{deg}a\left(x\right)+\mathrm{deg}g\left(x\right)<n\right\},$ (4.3)

more precisely, which is a representative elements set of $\langle g\left(x\right)\rangle$ mod $\varphi \left(x\right)$. By homomorphism theorem in ring theory, all ideals of $\bar{R}$ given by

$\left\{\langle g\left(x\right)\rangle \mathrm{mod}\varphi \left(x\right)|g\left(x\right)\in ℝ\left[x\right]\text{ismonicand}g\left(x\right)|\varphi \left(x\right)\right\}.$ (4.4)

Let d be the number of monic divisors of $\varphi \left(x\right)$ in $ℝ\left[x\right]$, we have the following corollary.

Corollary 4.3 The number of $\varphi$ -cyclic subspace of ${ℝ}^n$ is d.

Next, we discuss $\varphi$ -cyclic lattice, which is the geometric analogy of cyclic code. The $\varphi$ -cyclic subspace of ${ℝ}^n$ maybe regarded as the algebraic analogy of cyclic code. Let the quotient rings R and $\bar{R}$ given by (3.8). A R-module is an Abel group $\Lambda$ such that there is an operator $\lambda \alpha \in \Lambda$ for all $\lambda \in R$ and $\alpha \in \Lambda$, satisfying $1\cdot \alpha =\alpha$ and $\left({\lambda }_1{\lambda }_2\right)\alpha ={\lambda }_1\left({\lambda }_2\alpha \right)$. It is easy to see that $\bar{R}$ is a R-module, if $\Lambda \subset \bar{R}$ and $\Lambda$ is a R-module, then $\Lambda$ is called a R-submodule of $\bar{R}$. All R-modules we discuss here are R-submodule of $\bar{R}$. On the other hand, if $I\subset R$, then I is an ideal of R, if and only if I is a R-module. Let $\alpha \in \bar{R}$, the cyclic R-module generated by $\alpha$ be defined by

$R\alpha =\left\{\lambda \alpha |\lambda \in R\right\}.$ (4.5)

If there are finitely many polynomials ${\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_k$ in $\bar{R}$ such that $\Lambda =R{\alpha }_1+R{\alpha }_2+\cdots +R{\alpha }_k$, then $\Lambda$ is called a finitely generated R-module, which is a R-submodule of $\bar{R}$.

Now, if $L\subset {ℝ}^n$ is a $\varphi$ -cyclic lattice, $g\in {ℝ}^n$, $H^{*}\left(g\right)$ is the ideal matrix generated by vector g, and $L\left(H^{*}\left(g\right)\right)$ is the lattice generated by $H^{*}\left(g\right)$. It is easy to show that any $L\left(H^{*}\left(g\right)\right)$ is a $\varphi$ -cyclic lattice and

$L\left(H^{*}\left(g\right)\right)\subset L,\text{whenever}g\in L,$ (4.6)

which implies that $L\left(H^{*}\left(g\right)\right)$ is the smallest $\varphi$ -cyclic lattice of which contains vector g. Therefore, we call $L\left(H^{*}\left(g\right)\right)$ is a minimal $\varphi$ -cyclic lattice in ${ℝ}^n$.

Lemma 4.4 There is a one to one correspondence between the minimal $\varphi$ -cyclic lattice in ${ℝ}^n$ and the cyclic R-submodule in $\bar{R}$, namely,

$t\left(Rg\left(x\right)\right)=L\left(H^{*}\left(g\right)\right),\text{forall}g\left(x\right)\in \bar{R}$

and

$t^{-1}\left(L\left(H^{*}\left(g\right)\right)\right)=Rg\left(x\right),\text{forall}g\in {ℝ}^n.$

Proof: Let $b\left(x\right)\in R$, by Lemma 3.3, we have

$t\left(b\left(x\right)g\left(x\right)\right)=H^{*}\left(b\right)g=H^{*}\left(g\right)b\in L\left(H^{*}\left(g\right)\right),$

and $t\left(Rg\left(x\right)\right)\subset L\left(H^{*}\left(g\right)\right)$. Conversely, if $\alpha \in L\left(H^{*}\left(g\right)\right)$, and $\alpha =H^{*}\left(g\right)b$ for some integer vector b, by Lemma 3.3 again, we have $b\left(x\right)g\left(x\right)\in Rg\left(x\right)$, and $t\left(b\left(x\right)g\left(x\right)\right)=\alpha$. This implies that $L\left(H^{*}\left(g\right)\right)\subset t\left(Rg\left(x\right)\right)$, and

$t\left(Rg\left(x\right)\right)=L\left(H^{*}\left(g\right)\right).$

The lemma follows immediately.

口

Suppose $L=L\left({\beta }_1,{\beta }_2,\cdots ,{\beta }_m\right)$ is arbitrary $\varphi$ -cyclic lattice, where $B={\left[{\beta }_1,{\beta }_2,\cdots ,{\beta }_m\right]}_{n\times m}$ is the generated matrix of L. L may be expressed as the sum of finitely many minimal $\varphi$ -cyclic lattices, in fact, we have

$L=L\left(H^{*}\left({\beta }_1\right)\right)+L\left(H^{*}\left({\beta }_2\right)\right)+\cdots +L\left(H^{*}\left({\beta }_m\right)\right).$ (4.7)

To state and prove our main results, first, we give a definition of prime spot in ${ℝ}^n$.

Definition 4.5 Let $g\in {ℝ}^n$, and $g\left(x\right)=t^{-1}\left(g\right)\in \bar{R}$. If $\left(g\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$, we call g is a prime spot of ${ℝ}^n$.

By (v) of Theorem 3.1, $g\in {ℝ}^n$ is a prime spot if and only if $H^{*}\left(g\right)$ is an invertible matrix, thus the minimal $\varphi$ -cyclic lattice $L\left(H^{*}\left(g\right)\right)$ generated by a prime spot is a full-rank lattice.

Lemma 4.6 Let g and f be two prime spots of ${ℝ}^n$, then $L\left(H^{*}\left(g\right)\right)+L\left(H^{*}\left(f\right)\right)$ is a full-rank $\varphi$ -cyclic lattice.

Proof: According to Lemma 2.7, it is sufficient to show that

$\text{rank}\left(L\left(H^{*}\left(g\right)\right)\cap L\left(H^{*}\left(f\right)\right)\right)=\text{rank}\left(L\left(H^{*}\left(g\right)\right)\right)=n.$ (4.8)

In fact, we should prove in general

$L\left(H^{*}\left(g\right)\cdot H^{*}\left(f\right)\right)\subset L\left(H^{*}\left(g\right)\right)\cap L\left(H^{*}\left(f\right)\right).$ (4.9)

Since $H^{*}\left(g\right)\cdot H^{*}\left(f\right)$ is an invertible matrix, then $\text{rank}\left(L\left(H^{*}\left(g\right)\cdot H^{*}\left(f\right)\right)\right)=n$, and (4.8) follows immediately.

To prove (4.9), we note that

$L\left(H^{*}\left(g\right)\cdot H^{*}\left(f\right)\right)=L\left(H^{*}\left(g*f\right)\right).$

It follows that

$t^{-1}\left(L\left(H^{*}\left(g\right)\cdot H^{*}\left(f\right)\right)\right)=Rg\left(x\right)f\left(x\right).$

It is easy to see that

$Rf\left(x\right)g\left(x\right)\subset Rg\left(x\right)\cap Rf\left(x\right).$

Therefore, we have

$L\left(H^{*}\left(g\right)\cdot H^{*}\left(f\right)\right)=t\left(Rg\left(x\right)f\left(x\right)\right)\subset L\left(H^{*}\left(g\right)\right)\cap L\left(H^{*}\left(f\right)\right).$

This is the proof of Lemma 4.6.

口

It is worth to note that (4.9) is true for more general case, do not need the condition of prime spot.

Corollary 4.7 Let ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ be arbitrary m vectors in ${ℝ}^n$, then we have

$\begin{array}{l}L\left(H^{*}\left({\beta }_1\right)H^{*}\left({\beta }_2\right)\cdots H^{*}\left({\beta }_m\right)\right)\\ \subset L\left(H^{*}\left({\beta }_1\right)\right)\cap L\left(H^{*}\left({\beta }_2\right)\right)\cap \cdots \cap L\left(H^{*}\left({\beta }_m\right)\right).\end{array}$ (4.10)

Proof: If ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ are integer vectors, then (4.10) is trivial. For the general case, we write

$L\left(H^{*}\left({\beta }_1\right)H^{*}\left({\beta }_2\right)\cdots H^{*}\left({\beta }_m\right)\right)=L\left(H^{*}\left({\beta }_1*{\beta }_2*\cdots *{\beta }_m\right)\right),$

where ${\beta }_1*{\beta }_2*\cdots *{\beta }_m$ is the $\varphi$ -convolutional product, then

$t^{-1}\left(L\left(H^{*}\left({\beta }_1\right)H^{*}\left({\beta }_2\right)\cdots H^{*}\left({\beta }_m\right)\right)\right)=R{\beta }_1\left(x\right){\beta }_2\left(x\right)\cdots {\beta }_m\left(x\right).$

Since

$R{\beta }_1\left(x\right){\beta }_2\left(x\right)\cdots {\beta }_m\left(x\right)\subset R{\beta }_1\left(x\right)\cap R{\beta }_2\left(x\right)\cap \cdots \cap R{\beta }_m\left(x\right).$

It follows that

$\begin{array}{l}L\left(H^{*}\left({\beta }_1\right)H^{*}\left({\beta }_2\right)\cdots H^{*}\left({\beta }_m\right)\right)\\ \subset L\left(H^{*}\left({\beta }_1\right)\right)\cap L\left(H^{*}\left({\beta }_2\right)\right)\cap \cdots \cap L\left(H^{*}\left({\beta }_m\right)\right).\end{array}$

We have this corollary.

口

By Lemma 4.6, we also have the following assertion.

Corollary 4.8 Let ${\beta }_1,{\beta }_2,\cdots ,{\beta }_m$ be m prime spots of ${ℝ}^n$, then $L\left(H^{*}\left({\beta }_1\right)\right)+L\left(H^{*}\left({\beta }_2\right)\right)+\cdots +L\left(H^{*}\left({\beta }_m\right)\right)$ is a full-rank $\varphi$ -cyclic lattice.

Proof: It follows immediately from Corollary 2.9.

口

Our main result in this paper is to establish the following one to one correspondence between $\varphi$ -cyclic lattices in ${ℝ}^n$ and finitely generated R-modules in $\bar{R}$.

Theorem 4.9 Let $\Lambda =R{\alpha }_1\left(x\right)+R{\alpha }_2\left(x\right)+\cdots +R{\alpha }_m\left(x\right)$ be a finitely generated R-module in $\bar{R}$, then $t\left(\Lambda \right)$ is a $\varphi$ -cyclic lattice in ${ℝ}^n$. Conversely, if $L\subset {ℝ}^n$ is a $\varphi$ -cyclic lattice in ${ℝ}^n$, then $t^{-1}\left(L\right)$ is a finitely generated R-module in $\bar{R}$, that is a one to one correspondence.

Proof: If $\Lambda$ is a finitely generated R-module, by Lemma 4.4, we have

$\begin{array}{c}t\left(\Lambda \right)=t\left(R{\alpha }_1\left(x\right)+\cdots +R{\alpha }_m\left(x\right)\right)\\ =L\left(H^{*}\left({\alpha }_1\right)\right)+L\left(H^{*}\left({\alpha }_2\right)\right)+\cdots +L\left(H^{*}\left({\alpha }_m\right)\right).\end{array}$

The main difficult is to show that $t\left(\Lambda \right)$ is a lattice of ${ℝ}^n$, we require a surgery to embed $t\left(\Lambda \right)$ into a full-rank lattice. To do this, let $\left({\alpha }_i\left(x\right),\varphi \left(x\right)\right)=d_i\left(x\right)$, $d_i\left(x\right)\in \mathbb{Z}\left[x\right]$, and ${\beta }_i\left(x\right)={\alpha }_i\left(x\right)/d_i\left(x\right)$, $1\le i\le m$. Since $\varphi \left(x\right)$ has no multiple roots by assumption, then $\left({\beta }_i\left(x\right),\varphi \left(x\right)\right)=1$ in $ℝ\left[x\right]$. In other words, each $t\left({\beta }_i\left(x\right)\right)={\beta }_i$ is a prime spot. It is easy to verify $R{\alpha }_i\left(x\right)\subset R{\beta }_i\left(x\right)\left(1\le i\le m\right)$, thus we have

$t\left(\Lambda \right)\subset L\left(H^{*}\left({\beta }_1\right)\right)+L\left(H^{*}\left({\beta }_2\right)\right)+\cdots +L\left(H^{*}\left({\beta }_m\right)\right).$

By Corollary 4.8 and Corollary 2.4, we have $t\left(\Lambda \right)$ is $\varphi$ -cyclic lattice. Conversely, if $L\subset {ℝ}^n$ is a $\varphi$ -cyclic lattice of ${ℝ}^n$, and $L=L\left({\beta }_1,{\beta }_2,\cdots ,{\beta }_m\right)$, by (4.7), we have

$t^{-1}\left(L\right)=R{\beta }_1\left(x\right)+R{\beta }_2\left(x\right)+\cdots +R{\beta }_m\left(x\right),$

which is a finitely generated R-module in $\bar{R}$. We complete the proof of Theorem 4.9.

口

As we introduced in abstract, since R is a Noether ring, then $I\subset R$ is an ideal if and only if I is a finitely generated R-module. On the other hand, if $I\subset R$ is an ideal, then $t\left(I\right)\subset {\mathbb{Z}}^n$ is a discrete subgroup of ${\mathbb{Z}}^n$, thus $t\left(I\right)$ is a lattice.

Definition 4.10 Let $I\subset R$ be an ideal, $t\left(I\right)$ is called the $\varphi$ -ideal lattice.

Ideal lattice was first appeared in [2] (see Definition 3.1 of [2]). As a direct consequences of Theorem 4.9, we have the following corollary.

Corollary 4.11 Let $L\subset {ℝ}^n$ be a subset, then L is a $\varphi$ -cyclic lattice if and only if

$L=L\left(H^{*}\left({\beta }_1\right)\right)+L\left(H^{*}\left({\beta }_2\right)\right)+\cdots +L\left(H^{*}\left({\beta }_m\right)\right),$

where ${\beta }_i\in {ℝ}^n$ and $m\le n$. Furthermore, L is a $\varphi$ -ideal lattice if and only if every ${\beta }_i\in {\mathbb{Z}}^n$, $1\le i\le m$.

Corollary 4.12 Suppose that $\varphi \left(x\right)$ is an irreducible polynomial in $\mathbb{Z}\left[x\right]$, then any non-zero ideal I of R defines a full-rank $\varphi$ -ideal lattice $t\left(I\right)\subset {\mathbb{Z}}^n$.

Proof: Let $I\subset R$ be a non-zero ideal, then we have $I=R{\alpha }_1\left(x\right)+\cdots +R{\alpha }_m\left(x\right)$, where ${\alpha }_i\left(x\right)\in R$ and $\left({\alpha }_i\left(x\right),\varphi \left(x\right)\right)=1$. It follows that

$t\left(I\right)=L\left(H^{*}\left({\alpha }_1\right)\right)+L\left(H^{*}\left({\alpha }_2\right)\right)+\cdots +L\left(H^{*}\left({\alpha }_m\right)\right).$

Since each ${\alpha }_i$ is a prime spot, we have $\text{rank}\left(t\left(I\right)\right)=n$ by Corollary 4.8, and the corollary follows at once.

口

According to Definition 3.1 of [2], we have proved that any an ideal of R corresponding to a $\varphi$ -ideal lattice, which just is a $\varphi$ -cyclic integer lattice under the more general rotation matrix $H=H_{\varphi }$. Cyclic lattice and ideal lattice were introduced in [1] and [2] respectively to improve the space complexity of lattice based cryptosystems. Ideal lattices allow to represent a lattice using only two polynomials. Using such lattices, class lattice based cryptosystems can diminish their space complexity from $O\left(n^2\right)$ to $O\left(n\right)$. Ideal lattices also allow to accelerate computations using the polynomial structure. The original structure of Micciancio’s matrices uses the ordinary circulant matrices and allows for an interpretation in terms of arithmetic in polynomial ring $\mathbb{Z}\left[x\right]/\langle x^n-1\rangle$. Lyubashevsky and Micciancio [2] latter suggested to change the ring to $\mathbb{Z}\left[x\right]/\langle \varphi \left(x\right)\rangle$ with an irreducible $\varphi \left(x\right)$ over $\mathbb{Z}\left[x\right]$. Our results here suggest to change the ring to $\mathbb{Z}\left[x\right]/\langle \varphi \left(x\right)\rangle$ with any a polynomial $\varphi \left(x\right)$. There are many works are subsequent to Micciancio [1] and Lyubashevsky and Micciancio [2], such as [13] - [19].

Example 4.13 It is interesting to find some examples of $\varphi$ -cyclic lattices in an algebraic number field K. Let $\mathbb{Q}$ be rational number field, without loss of generality, an algebraic number field K of degree n is just $K=\mathbb{Q}\left(w\right)$, where $w=w_i$ is a root of $\varphi \left(x\right)$. If all $\mathbb{Q}\left(w_i\right)\subset ℝ$ ( $1\le i\le n$ ), then K is called a totally real algebraic number field. Let $O_K$ be the ring of algebraic integers of K, and $I\subset O_K$ be an ideal, $I\ne 0$. Since there is an integral basis $\left\{{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_n\right\}\subset I$ such that

$I=\mathbb{Z}{\alpha }_1+\mathbb{Z}{\alpha }_2+\cdots +\mathbb{Z}{\alpha }_n.$

We may regard every ideal of $O_K$ as a lattice in ${\mathbb{Q}}^n$, our assertion is that every nonzero ideal of $O_K$ is corresponding to a full-rank $\varphi$ -cyclic lattice of ${\mathbb{Q}}^n$. To see this example, let

$\mathbb{Q}\left[w\right]=\left\{{\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{a}_i{w}^i}|a_i\in \mathbb{Q}\right\}.$

It is known that $K=\mathbb{Q}\left[w\right]$, thus every $\alpha \in K$ corresponds to a vector $\bar{\alpha }\in {\mathbb{Q}}^n$ by

$\alpha ={\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{a}_i{w}^i}\stackrel{\tau }{\to }\bar{\alpha }=\left(\begin{array}{c}{a}_0\\ a_1\\ ⋮\\ a_{n-1}\end{array}\right)\in {\mathbb{Q}}^n.$

If $I\subset O_K$ is an ideal of $O_K$ and $I=\mathbb{Z}{\alpha }_1+\mathbb{Z}{\alpha }_2+\cdots +\mathbb{Z}{\alpha }_n$, let $B=\left[\overline{{\alpha }_1},\overline{{\alpha }_2},\cdots ,\overline{{\alpha }_n}\right]\in {\mathbb{Q}}^{n\times n}$, which is full-rank matrix. We have $\tau \left(I\right)=L\left(B\right)$ is a full-rank lattice. It remains to show that $\tau \left(I\right)$ is a $\varphi$ -cyclic lattice, we only prove that if $\alpha \in I\Rightarrow H\bar{\alpha }\in \tau \left(I\right)$. Suppose that $\alpha \in I$, then $w\alpha \in I$. It is easy to verify that $\tau \left(w\right)=e_2$ (see (3.7)) and

$\tau \left(w\alpha \right)=\tau \left(w\right)*\tau \left(\alpha \right)=H\bar{\alpha }\in \tau \left(I\right).$

This means that $\tau \left(I\right)$ is a $\varphi$ -cyclic lattice of ${\mathbb{Q}}^n$, which is a full-rank lattice.

5. Smoothing Parameter

As application of the algebraic structure of $\varphi$ -cyclic lattice, we show that an explicit upper bound of the smoothing parameter for the $\varphi$ -cyclic lattices. Firstly, we introduce some basic notations.

A Gauss function ${\rho }_{s,c}\left(x\right)$ in ${ℝ}^n$ is given by

${\rho }_{s,c}\left(x\right)={\text{e}}^{-\pi {\left|x-c\right|}^2/s^2},$ (5.1)

where $x\in {ℝ}^n$, $c\in {ℝ}^n$ and $s>0$ is a positive real number. ${\rho }_{s,c}\left(x\right)$ is called the Gauss function around original point c with parameter s. It is easy to see that

${\displaystyle {\int }_{{ℝ}^n}{\rho }_{s,c}\left(x\right)\text{d}x}=s^n.$

Thus we may define a probability density function $D_{s,c}\left(x\right)$ by

$D_{s,c}\left(x\right)={\rho }_{s,c}\left(x\right)/{\displaystyle {\int }_{{ℝ}^n}{\rho }_{s,c}\left(x\right)\text{d}x}={\rho }_{s,c}\left(x\right)/s^n.$ (5.2)

Suppose $L\subset {ℝ}^n$ is a lattice, let

$D_{s,c}\left(L\right)={\displaystyle \underset{x\in L}{\sum }{D}_{s,c}}\left(x\right),{\rho }_{s,c}\left(L\right)={\displaystyle \underset{x\in L}{\sum }{\rho }_{s,c}}\left(x\right).$ (5.3)

The discrete Gauss distribution over L is a probability distribution $D_{L,s,c}$ over L given by

$D_{L,s,c}\left(x\right)=\frac{D_{s,c}\left(x\right)}{D_{s,c}\left(L\right)}=\frac{{\rho }_{s,c}\left(x\right)}{{\rho }_{s,c}\left(L\right)}.$ (5.4)

If $c=0$ is the zero vector of ${ℝ}^n$, we write ${\rho }_{s,0}\left(x\right)={\rho }_s\left(x\right)$, ${\rho }_{s,0}\left(L\right)={\rho }_s\left(L\right)$, $D_{s,0}\left(x\right)=D_s\left(x\right)$ and $D_{s,0}\left(L\right)=D_s\left(L\right)$. Suppose that L is a full-rank lattice and $L^{*}$ is its dual lattice, we define the smoothing parameter ${\eta }_{\epsilon }\left(L\right)$ of L to be the smallest s such that ${\rho }_{1/s}\left(L^{*}\right)\le 1+\epsilon$, more precisely,

${\eta }_{\epsilon }\left(L\right)=\text{min}\left\{s:s>0\text{and}{\rho }_{1/s}\left(L^{*}\right)\le 1+\epsilon \right\},$ (5.5)

where $\epsilon >0$ is a positive number. Notice that ${\rho }_{1/s}\left(L^{*}\right)$ is a continuous and strictly decreasing function of s, thus the smoothing parameter ${\eta }_{\epsilon }\left(L\right)$ is a continuous and strictly decreasing function of $\epsilon$.

Let $L=L\left({\beta }_1,{\beta }_2,\cdots ,{\beta }_n\right)\subset {ℝ}^n$ be a full-rank lattice with a basis ${\beta }_1,{\beta }_2,\cdots ,{\beta }_n$, the fundamental region $P\left(L\right)$ is given by

$P\left(L\right)=\left\{{\displaystyle \underset{i=1}{\overset{n}{\sum }}{a}_i{\beta }_i}|0\le a_i<1,1\le i\le n\right\}.$ (5.6)

Suppose that X and Y are two discrete random variables on ${ℝ}^n$, the statistical distance between X and Y over L is defined by

$\Delta \left(X,Y\right)=\frac{1}{2}{\displaystyle \underset{a\in L}{\sum }\left|P\left\{X=a\right\}-P\left\{Y=a\right\}\right|}.$ (5.7)

If X and Y are continuous random variables with probability density function $T_1$ and $T_2$ respectively, then $\Delta \left(X,Y\right)$ is defined by

$\Delta \left(X,Y\right)=\frac{1}{2}{\displaystyle {\int }_{{ℝ}^n}\left|T_1\left(z\right)-T_2\left(z\right)\right|\text{d}z.}$ (5.8)

The smoothing parameter was introduced by Micciancio and Regev in [20], which plays an important role in the statistical information of lattices. An important property of smoothing parameter is for any lattice $L=L\left(B\right)$ and any $\epsilon >0$, the statistical distance between $D_s$ mod L and the uniform distribution over the fundamental region $P\left(L\right)$ is at most ${\rho }_{1/s}\left(L{\left(B\right)}^{*}\right)/2$. More precisely, for any $\epsilon >0$ and any $s\ge {\eta }_{\epsilon }\left(L\left(B\right)\right)$, the statistical distance is at most $\epsilon /2$, namely

$\Delta \left(D_{s,c}\mathrm{mod}L,U\left(P\left(L\right)\right)\right)\le \frac{\epsilon }{2}.$ (5.9)

Lemma 5.1 Let $L\subset {ℝ}^n$ be a full-rank lattice, we have

${\eta }_{2^{-n}}\left(L\right)\le \sqrt{n}/{\lambda }_1\left(L^{*}\right),$ (5.10)

where $L^{*}$ is the dual lattice of L, and ${\lambda }_1\left(L^{*}\right)$ is the minimum distance of $L^{*}$.

Proof: See Lemma 3.2 of [20] [21].

Lemma 5.2 Suppose that $L_1$ and $L_2$ are two full-rank lattices in ${ℝ}^n$, and $L_1\subset L_2$, then for any $\epsilon >0$, we have

${\eta }_{\epsilon }\left(L_2\right)\le {\eta }_{\epsilon }\left(L_1\right).$ (5.11)

Proof: Let ${\eta }_{\epsilon }\left(L_1\right)=s$, we are to show that ${\eta }_{\epsilon }\left(L_2\right)\le s$. Since

${\rho }_{1/s}\left(L_1^{*}\right)=1+\epsilon ,\text{and}{\displaystyle \underset{x\in L_1^{*}}{\sum }{\text{e}}^{-\pi s^2{\left|x\right|}^2}}=1+\epsilon .$

It is easy to check that $L_2^{*}\subset L_1^{*}$, it follows that

$1+\epsilon ={\displaystyle \underset{x\in L_1^{*}}{\sum }{\text{e}}^{-\pi s^2{\left|x\right|}^2}}\ge {\displaystyle \underset{x\in L_2^{*}}{\sum }{\text{e}}^{-\pi s^2{\left|x\right|}^2}},$

which implies

${\rho }_{1/s}\left(L_2^{*}\right)\le 1+\epsilon ,$

and ${\eta }_{\epsilon }\left(L_2\right)\le s={\eta }_{\epsilon }\left(L_1\right)$, thus we have Lemma 5.2.

According to (3.4), the ideal matrix $H^{*}\left(f\right)$ with input vector $f\in {ℝ}^n$ is just the ordinary circulant matrix when $\varphi \left(x\right)=x^n-1$. Next lemma shows that the transpose of a circulant matrix is still a circulant matrix. For any

$g=\left(\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right)\in {ℝ}^n$, we denote $\bar{g}=\left(\begin{array}{c}{g}_{n-1}\\ g_{n-2}\\ ⋮\\ g_0\end{array}\right)$, which is called the conjugation of g.

Lemma 5.3 Let $\varphi \left(x\right)=x^n-1$, then for any $g=\left(\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right)\in {ℝ}^n$, we have

${\left(H^{*}\left(g\right)\right)}^{\prime }=H^{*}\left(H\bar{g}\right).$ (5.12)

Proof: Since $\varphi \left(x\right)=x^n-1$, then $H=H_{\varphi }$ (see(3.3)) is an orthogonal matrix, and we have $H^{-1}=H^{n-1}=H^{\prime }$. We write $H_1=H^{\prime }=H^{-1}$. The following identity is easy to verify

$H^{*}\left(g\right)=\left(\begin{array}{c}{\bar{g}}^{\prime }{H}_1\\ {\bar{g}}^{\prime }{H}_1^2\\ ⋮\\ {\bar{g}}^{\prime }{H}_1^n\end{array}\right).$

It follows that

${\left(H^{*}\left(g\right)\right)}^{\prime }=\left[H\bar{g},H\left(H\bar{g}\right),\cdots ,H^{n-1}\left(H\bar{g}\right)\right]=H^{*}\left(H\bar{g}\right),$

and we have the lemma.

Lemma 5.4 Suppose that $g\in {ℝ}^n$ and the circulant matrix $H^{*}\left(g\right)$ is invertible. Let $A={\left(H^{*}\left(g\right)\right)}^{\prime }{H}^{*}\left(g\right)$, then all characteristic values of A are given by

$\left\{{\left|g\left({\theta }_1\right)\right|}^2,{\left|g\left({\theta }_2\right)\right|}^2,\cdots ,{\left|g\left({\theta }_n\right)\right|}^2\right\},$

where ${\theta }_i^n=1\left(1\le i\le n\right)$ are the n-th roots of unity.

Proof: By Lemma 5.3 and (ii) of Theorem 3.1, we have

$A=H^{*}\left(H\bar{g}\right)H^{*}g=H^{*}\left(H^{*}\left(H\bar{g}\right)g\right)=H^{*}\left(g^{″}\right),$

where $g^{″}=H^{*}\left(H\bar{g}\right)g$. Let $g^{″}\left(x\right)=t^{-1}\left(g^{″}\right)$ is the corresponding polynomial of $g^{″}$. By (iii) of Theorem 3.1 all characteristic values of A are given by

$\left\{g^{″}\left({\theta }_1\right),g^{″}\left({\theta }_2\right),\cdots ,g^{″}\left({\theta }_n\right)\right\},{\theta }_i^n=1,1\le i\le n.$ (5.13)

Let $g=\left(\begin{array}{c}{g}_0\\ g_1\\ ⋮\\ g_{n-1}\end{array}\right)\in {ℝ}^n$. It is easy to see that

$g^{″}\left(x\right)={\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{g}_i^2}+\left({\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{g}_i{g}_{1-i}}\right)x+\cdots +\left({\displaystyle \underset{i=0}{\overset{n-1}{\sum }}{g}_i{g}_{\left(n-1\right)-i}}\right)x^{n-1}={\left|g\left(x\right)\right|}^2,$

where $g_{-i}=g_{n-i}$ for all $1\le i\le n-1$, then the lemma follows at once.

By definition 4.5, if $g\in {ℝ}^n$ is a prime spot, then there is a unique polynomial $u\left(x\right)\in \bar{R}$ such that $u\left(x\right)g\left(x\right)\equiv 1$ (mod $\varphi \left(x\right)$ ). We define a new vector $T_g$ and its corresponding polynomial $T_g\left(x\right)$ by

$T_g=H\bar{u},\text{and}{T}_g\left(x\right)=t^{-1}\left(H\bar{u}\right).$ (5.14)

If $g\in {\mathbb{Z}}^n$ is an integer vector, then $T_g\in {\mathbb{Z}}^n$ is also an integer vector, and $T_g\left(x\right)\in \mathbb{Z}\left[x\right]$ is a polynomial with integer coefficients. Our main result on smoothing parameter is the following theorem.

Theorem 5.5 Let $\varphi \left(x\right)=x^n-1$, $L\subset {ℝ}^n$ be a full-rank $\varphi$ -cyclic lattice, then for any prime spots $g\in L$, we have

${\eta }_{2^{-n}}\left(L\right)\le \sqrt{n}{\left(\text{min}\left\{\left|T_g\left({\theta }_1\right)\right|,\left|T_g\left({\theta }_2\right)\right|,\cdots ,\left|T_g\left({\theta }_n\right)\right|\right\}\right)}^{-1},$ (5.15)

where ${\theta }_i^n=1,1\le i\le n$, and $T_g\left(x\right)$ is given by (5.14).

Proof: Let $g\in L$ be a prime spot, by Lemma 5.2, we have

$L\left(H^{*}\left(g\right)\right)\subset L\Rightarrow {\eta }_{\epsilon }\left(L\right)\le {\eta }_{\epsilon }\left(L\left(H^{*}\left(g\right)\right)\right),\forall \epsilon >0.$ (5.16)

To estimate the smoothing parameter of $L\left(H^{*}\left(g\right)\right)$, the dual lattice of $L\left(H^{*}\left(g\right)\right)$ is given by

$L{\left(H^{*}\left(g\right)\right)}^{*}=L\left({\left(H^{*}\left(u\right)\right)}^{\prime }\right)=L\left(H^{*}\left(H\bar{u}\right)\right)=L\left(H^{*}\left(T_g\right)\right),$

where $u\left(x\right)\in \bar{R}$ and $u\left(x\right)g\left(x\right)\equiv 1$ (mod $x^n-1$ ), and $T_g$ is given by (5.14). Let $A={\left(H^{*}\left(T_g\right)\right)}^{\prime }{H}^{*}\left(T_g\right)$, by Lemma 5.4, all characteristic values of A are

$\left\{{\left|T_g\left({\theta }_1\right)\right|}^2,{\left|T_g\left({\theta }_2\right)\right|}^2,\cdots ,{\left|T_g\left({\theta }_n\right)\right|}^2\right\}.$

By Lemma 2.2, the minimum distance ${\lambda }_1\left(L{\left(H^{*}\left(g\right)\right)}^{*}\right)$ is bounded by

${\lambda }_1\left(L{\left(H^{*}\left(g\right)\right)}^{*}\right)\ge \text{min}\left\{\left|T_g\left({\theta }_1\right)\right|,\left|T_g\left({\theta }_2\right)\right|,\cdots ,\left|T_g\left({\theta }_n\right)\right|\right\}.$ (5.17)

Now, Theorem 5.5 follows from Lemma 5.1 immediately.

Let $L=L\left(B\right)$ be a full-rank lattice and $B=\left[{\beta }_1,{\beta }_2,\cdots ,{\beta }_n\right]$. We denote by $B^{*}=\left[{\beta }_1^{*},{\beta }_2^{*},\cdots ,{\beta }_n^{*}\right]$ the Gram-Schmidt orthogonal vectors $\left\{{\beta }_i^{*}\right\}$ of the ordered basis $B=\left\{{\beta }_i\right\}$. It is a well-known conclusion that

${\lambda }_1\left(L\right)\ge \left|B^{*}\right|=\underset{1\le i\le n}{\text{min}}\left|{\beta }_i^{*}\right|,$

which yields by Lemma 5.1 the following upper bound

${\eta }_{2^{-n}}\left(L\right)\le \sqrt{n}{\left|B_0^{*}\right|}^{-1},$ (5.18)

where $B_0^{*}$ is the orthogonal basis of dual lattice $L^{*}$ of L.

For a $\varphi$ -cyclic lattice L, we observe that the upper bound (5.17) is always better than (5.18) by numerical testing, we give two examples here.

Example 5.6 Let $n=3$ and $\varphi \left(x\right)=x^3-1$, the rotation matrix H is

$H=\left(\begin{array}{ccc}0& 0& 1\\ 1& 0& 0\\ 0& 1& 0\end{array}\right).$

We select a $\varphi$ -cyclic lattice $L=L\left(B\right)$, where

$B=\left(\begin{array}{ccc}1& 1& 1\\ 0& 1& 1\\ 0& 0& 1\end{array}\right).$

Since $L={\mathbb{Z}}^3$, thus L is a $\varphi$ -cyclic lattice. It is easy to check

$\left|B_0^{*}\right|=\underset{1\le i\le 3}{\text{min}}\left|{\beta }_i^{*}\right|=\frac{\sqrt{3}}{3}.$

On the other hand, we randomly find a prime spot $g=\left(\begin{array}{c}0\\ 0\\ 1\end{array}\right)\in L$ and $g\left(x\right)=x^2$. Since $xg\left(x\right)\equiv 1$ (mod $x^3-1$ ), we have $T_g\left(x\right)=x^2$, it follows that $\left|T_g\left({\theta }_1\right)\right|=\left|T_g\left({\theta }_2\right)\right|=\left|T_g\left({\theta }_3\right)\right|=1$, and

$\underset{1\le i\le 3}{\text{min}}{\left|T_g\left({\theta }_i\right)\right|}^{-1}\le {\left|B_0^{*}\right|}^{-1}=\sqrt{3}.$

Example 5.7 Let $n=4$ and $\varphi \left(x\right)=x^4-1$, the rotation matrix H is

$H=\left(\begin{array}{cccc}0& 0& 0& 1\\ 1& 0& 0& 0\\ 0& 1& 0& 0\\ 0& 0& 1& 0\end{array}\right).$

We select a $\varphi$ -cyclic lattice $L=L\left(B\right)$, where

$B=\left(\begin{array}{cccc}1& 1& 1& 1\\ 0& 1& 1& 1\\ 0& 0& 1& 1\\ 0& 0& 0& 1\end{array}\right).$

Since $L={\mathbb{Z}}^4$, thus L is a $\varphi$ -cyclic lattice. It is easy to check

$\left|B_0^{*}\right|=\underset{1\le i\le 4}{\text{min}}\left|{\beta }_i^{*}\right|=\frac{1}{2}.$

On the other hand, we randomly find a prime spot $g=\left(\begin{array}{c}-2\\ 1\\ 0\\ 0\end{array}\right)\in L$ and $g\left(x\right)=x-2$. Since

$\left(\frac{1}{7}{x}^3-\frac{1}{7}{x}^2-\frac{2}{7}x-\frac{5}{7}\right)g\left(x\right)\equiv 1\mathrm{mod}{x}^4-1,$

we have

$T_g\left(x\right)=-\frac{2}{7}{x}^3-\frac{1}{7}{x}^2+\frac{1}{7}x-\frac{5}{7}.$

It follows that $\left|T_g\left({\theta }_1\right)\right|=1$, $\left|T_g\left({\theta }_2\right)\right|=\left|T_g\left({\theta }_3\right)\right|=\left|T_g\left({\theta }_4\right)\right|=\frac{5}{7}$, and

$\underset{1\le i\le 4}{\text{min}}{\left|T_g\left({\theta }_i\right)\right|}^{-1}=\frac{7}{5}\le {\left|B_0^{*}\right|}^{-1}=2.$

6. Conclusion

In this study, we show that ideal lattices are actually a special subclass of cyclic lattices, and prove that there is a one-to-one correspondence between cyclic lattices in ${ℝ}^n$ and finitely generated R-modules. Here, we use a more general rotation matrix so that our definition and results on cyclic lattices and ideal lattices are more general forms. Finally, we give a more explicit and countable upper bound for the smoothing parameter of cyclic lattices.