Gram Root Decomposition over the Polynomial Ring:

Application to Sphericalization of Discrete Gaussian

Hiroki Okada

1,2 a

and Tsuyoshi Takagi

KDDI Research, Inc., Saitama, 356-8502 Japan

The University of Tokyo, Tokyo, 113-8654 Japan

Keywords:

Lattice-Based Cryptography, Polynomial Ring, Discrete Gaussian, Gram Root Decomposition.

Abstract:

Efﬁcient construction of lattice-based cryptography is often based on the polynomial ring. Furthermore, many

advanced lattice-based cryptosystems require the analysis of the discrete Gaussian under convolutions and

linear transformations. In this paper, we present an efﬁcient Gram root decomposition algorithm of the

polynomial ring and an application to sphericalization of the discrete Gaussian. Let r be a polynomial of

spherical discrete Gaussian coefﬁcients and e be a ﬁxed polynomial. Then, the coefﬁcient vector of r ·e

is (statistically close to) non-spherical discrete Gaussian whose (scaled) covariance matrix is G

:= EE

⊺

where E is composed of rotations of the coefﬁcient vector of e. Given G

, our algorithm outputs polynomials

,...,ζ

s.t.

∑

i=1

is a scalar matrix. The objective of this algorithm is similar to the (ring version of)

integral Gram root decomposition proposed by Ducas et al. (Eurocrypt 2020). Notably, our algorithm ensures

the bounds of the norm of ζ

and the minimum eigenvalue of G

, whereas Ducas et al.’s algorithm does not

ensure such bounds. Owing to the bounds, we can obtain a polynomial (r

e +

∑

i=1

) whose coefﬁcients

are spherical discrete Gaussians, where r

are polynomials with discrete Gaussian coefﬁcients; i.e., we can

“cancel out” the dependence between the coefﬁcients.

1 INTRODUCTION

Lattice-based cryptosystems (Kiltz et al., 2018; Bos

et al., 2018; Fouque et al., 2020) have been selected

as NIST post-quantum cryptography (PQC) stan-

dards (Alagic et al., 2022). Lattice-based schemes,

including the PQC standards, are often based on

polynomial rings i.e., NTRU (Hoffstein et al., 1998;

Fouque et al., 2020), Ring-LWE (Stehl

e et al., 2009;

Lyubashevsky et al., 2010) and Module-LWE (Brak-

erski et al., 2011; Langlois and Stehl

e, 2015), to

achieve better efﬁciency.

The discrete Gaussian probability distribution

(Deﬁnition 2.2) is an important object in lattice cryp-

tography, and more generally the mathematical as-

pects of lattices. For example, the analysis of the

computational hardness of lattice problems (Regev,

2005; Micciancio and Regev, 2007; Gentry et al.,

2008; Peikert, 2009; Brakerski et al., 2013) relies on

the useful properties of discrete Gaussians.

In addition, many advanced lattice-based cryp-

tosystems such as identity-based encryption (Gentry

et al., 2008; Agrawal et al., 2010) and functional

https://orcid.org/0000-0002-5687-620X

encryption (Agrawal et al., 2011) require algorithms

to sample discrete Gaussian that are efﬁcient and se-

cure against side-channel attacks, e.g., (Gentry et al.,

2008; Peikert, 2010; Micciancio and Peikert, 2012;

Micciancio and Walter, 2017; Genise and Miccian-

cio, 2018; Ducas et al., 2020). While most works

rely on ﬂoating-point arithmetic (FPA), Ducas et al.

(Ducas et al., 2020) presented an algorithm without

FPA, which is efﬁcient and amenable to side-channel

countermeasures. The core technique of (Ducas et al.,

2020) is the integral matrix Gram root decomposition,

which is an algorithm to obtain an integer matrix A s.t.

G = AA

⊺

for the target covariance matrix G.

Many studies have analyzed the properties (e.g.,

correlation, convolutions, linear transformation) of

discrete Gaussians: (Peikert, 2010; Agrawal et al.,

2013; Aggarwal and Regev, 2016; Genise et al., 2020;

Okada et al., 2023). The discrete Gaussian distribu-

tion is called spherical if its covariance matrix is a

scalar matrix, and ellipsoidal otherwise. Although

lattice-based cryptography usually uses the spherical

discrete Gaussian, some applications rely on the ellip-

soidal discrete Gaussian because of some artifacts of

the proof techniques (Agrawal et al., 2013). As dis-

306

Okada, H. and Takagi, T.

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian.

DOI: 10.5220/0013139700003899

Paper published under CC license (CC BY-NC-ND 4.0)

In Proceedings of the 11th International Conference on Information Systems Secur ity and Privacy (ICISSP 2025) - Volume 2, pages 306-317

ISBN: 978-989-758-735-1; ISSN: 2184-4356

cussed in (Lyubashevsky et al., 2010), an ellipsoidal

discrete Gaussian makes certain applications and their

proofs are more cumbersome than the case with the

spherical discrete Gaussian.

Our Contributions. In this paper, we advance the

research on the properties of ring polynomials whose

coefﬁcients are distributed accordingly to the discrete

Gaussian distribution. Our contributions are 1) an

algorithm for Gram root decomposition over the ring

and 2) its application to the sphericalization of a dis-

crete Gaussian over the ring.

Root Decomposition over the Ring First, we present

an efﬁcient Gram root decomposition algorithm of

polynomials.

Let r be a polynomial over the ring R (deﬁned in

Eq. (1)) whose coefﬁcient vector (Deﬁnition 3.7) is

a multivariate spherical discrete Gaussian, and let e

be a ﬁxed polynomial over R. Then, the coefﬁcient

vector of r ·e is (statistically close to) nonspherical

discrete Gaussian whose (scaled) covariance matrix

is G

:= EE

⊺

, where E is composed of rotations of

the coefﬁcient vector of e. That is, E is the coefﬁcient

matrix of e, and G

is the coefﬁcient Gram matrix of

e, as deﬁned in Deﬁnition 3.7.

Given e (and G

), our Gram root decompo-

sition algorithm outputs polynomials ζ

,.. .,ζ

s.t.

∑

i=1

+ G

become a scalar matrix βI for some

β > 0, where G

is the coefﬁcient Gram matrix of ζ

In other words, the Gram root decomposition algo-

rithm outputs polynomials whose sums of coefﬁcients

Gram matrices can “diagonalize” the given matrix G

Notably, this algorithm also ensures an upper

bound of the norm of ζ

and a lower bound of the

minimum eigenvalue of G

. These bounds are cru-

cial for our second convolution described below. The

objective of our Gram root decomposition algorithm

is similar to that of the integral Gram root decompo-

sition proposed by Ducas et al. (Ducas et al., 2020).

However, their method does not ensure the bounds

on the outputs as does our algorithm; thus, it is not

sufﬁcient for the application that we will explain later.

Application: Sphericalizing the Discrete Gaus-

sian over the Ring. As an application of our root

Gram root decomposition algorithm, we show how

to “sphericalize” ring polynomials with (ellipsoidal)

discrete Gaussian coefﬁcients. Let r

,.. .,r

be poly-

nomials with a spherical discrete Gaussian coefﬁcient

vector. Given a ﬁxed e ∈ R and G

, output poly-

nomials ζ

,.. .,ζ

s.t.

∑

i=1

+ G

= βI by using

our Gram root decomposition algorithm. Then, we

More generally, given e

,...,e

, our algorithm out-

puts ζ

,...,ζ

s.t.

∑

i=1

∑

i=1

. We set m = 1 in

the abstract and Section 1 for simplicity.

show that the coefﬁcient vector of the polynomial

e +

∑

i=1

) ∈ R follows discrete Gaussian dis-

tribution whose covariance is a scalar matrix βI, i.e.,

a spherical discrete Gaussian.

Notably, the above convolution theorem requires a

lower-bound of the minimum eigenvalue of G

. It is

not trivial to obtain a nonnegligibly large lower bound

of the minimum eigenvalue of random matrices, as

analyzed in, e.g., (Tao, 2012; Nguyen and Vu, 2016).

Owing to the bounds ensured by our algorithm, we

can prove the convolution theorem.

Organization. The remainder of this paper is orga-

nized as follows. In Section 2, we provide necessary

deﬁnitions and lemmas. We analyze the basic prop-

erties of the polynomial ring of concern (deﬁned in

Eq. (1)) in Section 3, which are building blocks of

this paper and may be of independent interest. We

propose our Gram root decomposition algorithm in

Section 4. Then, as an application, we show how to

sphericalize discrete Gaussians in Section 5. Finally,

we summarize this paper and discuss future work in

Section 6.

2 PRELIMINARIES

In Section 2.1, we provide the notations used in this

paper. Then, we provide necessary the deﬁnitions and

lemmas of lattices in Section 2.2 and the Gaussian

distribution in Section 2.3.

2.1 Notations

The base 2 logarithm is denoted by log. For N ∈ N,

deﬁne [N] := {1, ..., N}. The size of set S is denoted

by |S|.

We use bold lower-case for vectors and bold

upper-case for matrices. We write the transpose of

x as x

⊺

. The l

-norm and l

∞

-norm of x is denoted by

∥x∥ and ∥x∥

∞

, respectively. We denote the identity

matrix by I

∈ Z

n×n

. We write G ≻ 0 if G is positive

deﬁnite. A square root of G ≻ 0 is a nonsingular

matrix S such that SS

⊺

= G, which is written as S =

√

G. Note that (

√

−1

= S

−1

= (S

−⊺

)

⊺

= (

−1

)

⊺

holds. The largest and smallest singular values of

a matrix S are denoted by σ

max

(S) and σ

min

(S), re-

spectively. We denote by ∥S∥ the matrix norm of S

induced by the l

-norm. Note that we have σ

max

(S) =

∥S∥, and if σ

min

(S) ̸= 0, i.e., S is nonsingular, then

min

(S)

−1

= ∥S

−1

∥ holds. The Frobenius norm of

S is ∥S∥

tr(S

⊺

S). Let ∥S∥

len

= max

i∈[n]

∥s

∥,

where s

is the i-th column vector of S, then we have:

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

307

Fact 2.1. For any matrix S, we have ∥S∥

len

≤ ∥S∥ ≤

∥S∥

, ∥S

∥

len

≤ ∥S

∥∥S

∥

len

≤ ∥S

∥∥S

∥.

2.2 Lattices

A lattice L is the set of all integer linear combinations

of linearly independent vectors b

,···, b

∈ R

, i.e.,

L = {

∑

i=1

| z ∈ Z

}. If we arrange the vectors b

as the columns of a matrix B ∈ R

m×n

, then we have

L := L(B) = {Bz |z ∈Z

} = BZ

The rank of this lattice is n and its dimension is m.

If n = m, then the lattice is called full rank. For

arbitrary c ∈ R

, a coset of lattice L is deﬁned as

L + c := {v + c | v ∈ L}. The dual of a lattice L is

L := {x | ∀y ∈ L,⟨x,y⟩ ∈ Z}. We denote the volume

of the fundamental parallelepiped of L as det(L). We

have det(

L) = 1/ det(L). For a full-rank lattice L(B),

we have det(L(B)) = |det(B)|. For n-rank lattice L

and i = 1,. ..,n, the successive minimum λ

(L) is

deﬁned as the radius of the smallest ball that contains

i linearly independent vectors in L. The integer lattice

L := Z

is the primary focus of this paper.

2.3 Gaussians

The continuous Gaussian distribution with a mean of

0 and a standard deviation σ > 0 is denoted as N

For a rank-n matrix S ∈ R

n×m

, the (centered) el-

lipsoidal Gaussian function on R

with the (scaled)

covariance matrix G = SS

⊺

∈ R

n×n

is deﬁned as:

(x) := exp(−πx

⊺

(SS

⊺

)

−1

x).

Since the function ρ

(x) is determined exactly by G,

we have ρ

= ρ

√

. When S = sI

, we write ρ

as ρ

For any set A ⊆ R

, we deﬁne ρ

(A) :=

∑

x∈A

(x).

We deﬁne the discrete Gaussian distribution over

the lattice L as follows:

Deﬁnition 2.2 (Discrete Gaussian). For a full

column-rank matrix S, the (centered) discrete Gaus-

sian distribution over a lattice L is deﬁned as

∀x ∈ L,D

L,S

(x) = ρ

(x)/ρ

(L).

In particular, when SS

⊺

= s

for some s > 0, we ab-

breviate D

L,S

as D

L,s

and call it the spherical discrete

Gaussian distribution.

The smoothing parameter of lattice L is deﬁned as

(L) = min{s | ρ

1/s

(

L) ≤ 1 + ε} for ε > 0. Unless

otherwise speciﬁed, we set ε to be negligibly small;

ε = negl(λ). An upper-bound of η

(L) is obtained by

the successive minimum

(L):

Although (Gentry et al., 2008, Lemma 3.1) provides a

sharper bound, we rely on Lemma 2.3 for simplicity.

Lemma 2.3 ((Micciancio and Regev, 2007, Lemma

3.3)). Deﬁne η

) :=

ln(2n(1 + 1/ε))/π. For

any rank-n lattice L and any ε > 0, we have η

(L) ≤

(L)η

). In particular, η

) ≤η

) holds.

For simplicity of notation, we also deﬁne

(·) :=

√

2η

(·) and

) :=

√

2η

). Note that we

have

(Z) > η

). The smoothing parameter is

extended to matrices as follows:

Deﬁnition 2.4 ((Peikert, 2010, Deﬁnition 2.3)). Let

G ≻0 be any positive deﬁnite matrix. For any lattice

L, we say that

√

G ≥ η

(L) if η

(

√

−1

L) ≤ 1.

For a full-rank lattice, we obtain a sufﬁcient con-

dition as follows:

Fact 2.5. For any full-rank lattice L(B) and G ≻ 0,

√

G ≥ η

(L) holds if 1 ≥ ∥

√

−1

∥∥B∥

len

i.e., σ

min

(

√

G) ≥ ∥B∥

len

Proof. By Fact 2.1 and Lemma 2.3, we have

(

√

−1

L) ≤ λ

(

√

−1

L)η

) ≤ ∥

√

−1

B∥

len

) ≤ ∥

√

−1

∥∥B∥

len

) ≤ 1.

The linear transformation of a discrete Gaussian is

as follows:

Lemma 2.6 (Special case of (Genise et al., 2020,

Lemma 1)). For any nonsingular matrices S,T ∈

n×n

, we have T ·D

= D

T·Z

,TS

The sum of two ellipsoidal discrete Gaussians is

statistically close to an ellipsoidal discrete Gaussian:

Lemma 2.7 (Special case of (Peikert, 2010, Thm.

3.1)). Let G

≻0 be positive deﬁnite matrices and

deﬁne G

:= (G

−1

+ G

−1

)

−1

. Let L

, L

be full-rank

lattices such that

√

≥η

) and

√

≥η

and let

X := {(x

)|x

←D

√

←x

−x

√

Then, the marginal distribution of x

in X is statisti-

cally close to D

√

In particular, when L

⊆ L

, we can simplify

Lemma 2.7 because the coset L

−x

is equal to L

itself for any x

∈ L

Corollary 2.8. Let G

≻0 be positive deﬁnite ma-

trices and deﬁne G

:= (G

−1

+ G

−1

)

−1

. Let L

, L

be full-rank lattices such that L

⊆L

√

≥η

)

and

√

≥ η

). Then, we have

√

+ D

√

≈

√

ICISSP 2025 - 11th International Conference on Information Systems Security and Privacy

308

3 PROPERTIES OF THE

POLYNOMIAL RING

In this section, we analyze the basic properties of the

polynomial ring deﬁned in Eq. (1). The properties

derived in this section are the building blocks for the

construction of our algorithm presented in Section 5.

3.1 Deﬁnition

Let Z[X] be a set of polynomials with integer coefﬁ-

cients. In this paper, we consider a polynomial ring

R = Z[X]/(X

+ 1) for n a power of 2, (1)

which is often used in lattice-based cryptography,

e.g., (Lyubashevsky et al., 2010; Kiltz et al., 2018;

Bos et al., 2018).

We deﬁne a signed permutation matrix that is use-

ful for analyzing the properties of R.

Deﬁnition 3.1. The signed permutation matrix is de-

ﬁned as

P =



0 −1

n−1



∈ Z

n×n

. (2)

The following facts hold for P:

Fact 3.2 (Properties of P). For P deﬁned in Eq. (2),

we have:



O −I

n−i



n/2



O −I

n/2



for n even (3)

−i



O I

n−i

−I



= (P

)

⊺

(4)

n−i

= P

−i

= −P

−i

= −(P

)

⊺

(5)

We also deﬁne a reverse permutation matrix:

Deﬁnition 3.3. The reverse permutation matrix is de-

ﬁne as

R :=







0 .. . 1

. 1

1 .. . 0







∈ Z

n×n

The following facts hold for R (and P):

Fact 3.4. RR = I, R

⊺

= R

Fact 3.5. P

R = RP

−i

(RP

= P

−i

We deﬁne an outer-product-like operation ⊗:

Deﬁnition 3.6 (⊗). For any m, n ∈ N, A

,.. .,A

∈

n×n

and b ∈ Z

, we deﬁne:

··· A

) ⊗b := (A

b ··· A

b) ∈ Z

n×m

⊺

⊗



















⊺







∈ Z

m×n

Finally, using the P deﬁned in Deﬁnition 3.1 and

the operation ⊗, we deﬁne the coefﬁcient vector, co-

efﬁcient matrix and coefﬁcient Gram matrix for any

polynomial a ∈ R as follows:

Deﬁnition 3.7 (Coefﬁcient vector / matrix / Gram

matrix). Let a =

∑

n−1

i=0

∈R be a polynomial. For

a, we deﬁne the coefﬁcient vector, the coefﬁcient mat-

rix and the coefﬁcient Gram matrix as follows:

a := vec(a) := (a

,.. .,a

n−1

)

⊺

∈ Z

A := mat(a) :=



I P ··· P

n−1



⊗a ∈ Z

n×n

:= Gram(a) := AA

⊺

∈ Z

n×n

We denote the distribution over R as follows:

Deﬁnition 3.8. For the distribution χ over Z

, deﬁne

R(χ) := {a ∈R |vec(a) ∼ χ}.

3.2 Properties of the Coefﬁcient Matrix

In this subsection, we present some basic proper-

ties of the coefﬁcient matrix (mat(a)). By Deﬁni-

tions 3.1, 3.6 and 3.7, for any a ∈ R s.t. vec(a) :=

,.. .,a

n−1

)

⊺

∈ Z

, we have:

mat(a) :=



I P . .. P

n−1



⊗vec(a)



a Pa . .. P

n−1









−a

n−1

... −a

n−1

n−2

... a







(6)

We can see that mat(a) is a matrix composed of

permutations (by P

) of the ﬁrst column vector a =

vec(a). The coefﬁcient matrix mat(a) can also be

seen a matrix composed of permutations of the last

row vector (a

n−1

n−2

n−3

,.. .,a

) = a

⊺

Fact 3.9 (Dual representation of mat(a)). For any

a ∈ R, we have:

mat(a) = a

⊺

R ⊗







n−1







3.3 Properties of the Coefﬁcient Gram

Matrix

In this subsection, we present some basic properties

of the coefﬁcient Gram matrix (mat(a)). We can ex-

plicitly write the coefﬁcient Gram matrix as follows:

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

309

Fact 3.10. Let a ∈R and a := vec(a). Then, we have:

Gram(a)







∥a∥

⊺

Pa ··· a

⊺

n−1

⊺

−1

a ∥a∥

··· a

⊺

n−2

⊺

−(n−1)

a a

⊺

−(n−2)

a ··· ∥a∥







Proof. By Deﬁnition 3.7, Fact 3.4, Fact 3.5 and

Fact 3.9, we have:

Gram(a)

:= mat(a)(mat(a))

⊺

= a

⊺

R ⊗







n−1

...









−(n−1)

... I



⊗Ra

= a

⊺

R ⊗







I P ··· P

n−1

−1

I ··· P

n−2

−(n−1)

−(n−2)

··· I







⊗Ra







∥a∥

⊺

−1

a ··· a

⊺

−(n−1)

⊺

Pa ∥a∥

··· a

⊺

−(n−2)

⊺

n−1

a a

⊺

n−2

a ··· ∥a∥







Thus, the claim follows by subsequent Fact 3.11.

Fact 3.11. a

⊺

a = a

⊺

)

⊺

a = a

⊺

−i

Proof. Follows from Fact 3.2: (P

)

⊺

= P

−i

Furthermore, owing to the properties of P (shown

in Fact 3.2), we show that coefﬁcient Gram matrices

have symmetricity in their elements. To begin with,

we deﬁne the inverse function of mat(·) for simplicity

of notation.

Deﬁnition 3.12 (mat

−1

). For any a ∈ R and A :=

mat(a), we deﬁne mat

−1

(A) := a = vec(a) (the ﬁrst

column vector of A).

Then, we show the symmetricity of the elements

of the coefﬁcient Gram matrices. Note that the co-

efﬁcient Gram matrix of a ∈ R is a coefﬁcient mat-

rix of some b(= aa) ∈ R, as we will show later in

Lemma 3.21.

Lemma 3.13 (Symmetricity of Gram(a)). Let a ∈R,

a := vec(a), G

:= Gram(a) and (σ

,.. .,σ

n−1

) :=

mat

−1

). Then, we have:

= ∥a∥

= −σ

n−i

(1 ≤ i ≤

−1) (7)

= 0 (8)

(Note: Here, n is assumed to be even. This is satisﬁed

by the deﬁnition of Eq. (1).)

Proof. By Fact 3.10, we have:

(

= ∥a∥

= a

⊺

−i

a (i = 1, .. .,n −1)

Then, for (i = 1,. ..,n −1), we have:

−σ

n−i

= −a

⊺

−(n−i)

a = −a

⊺

n−i

)

⊺

a (∵ Eq. (4))

= −a

⊺

n−i

a = a

⊺

a = σ

(∵ Eq. (5))

Thus, Eq. (7) holds. We have Eq. (8) since a

⊺

a = 0

holds any a ∈ Z

by Eq. (3) in Fact 3.2.

Owing to this symmetricity, G

:= Gram(a) is de-

termined only by σ

,.. .,σ

−1

(since A := mat(a) is

determined only by a := vec(a)).

3.4 Rotation

For any a ∈ R, multiplication by X

can be regarded

as “rotation” of the coefﬁcient vector/matrix by the

permutation matrix P

. The coefﬁcient Gram Matrix

is invariant with respect to multiplication by X

Fact 3.14 (Rotation). For any a ∈ R and i ∈ Z,

vec(aX

) = P

mat(aX

) = P

Gram(aX

) = Gram(a).

Proof. Let a =

∑

n−1

i=0

. Then, we have:

aX = −a

n−1

+ a

X +···+ a

n−2

n−1

vec(aX

) = P

mat(aX

) =



I P . .. P

n−1



⊗vec(aX

)



I P . .. P

n−1



⊗P

= P



I P . .. P

n−1



⊗a

= P

Gram(aX

) = AP

(AP

)

⊺

= AA

⊺

(∵ Eq. (4))

3.5 Commutativity

We show an important lemma to analyze the coefﬁ-

cient vector of the product of polynomials over R:

This result is why we deﬁne the coefﬁcient matrix as

in Deﬁnition 3.7.

Lemma 3.15 (Multiplication over R). For a,b ∈R,

vec(ab) = Ab = Ba,

where A := mat(a), a := vec(a), B := mat(b), and

b := vec(b).

ICISSP 2025 - 11th International Conference on Information Systems Security and Privacy

310

Proof. Note that X

n+i

= (X

+ 1)X

− X

≡ −X

holds. We have

a = a

+ a

X +···+ a

n−1

= x

⊺

a and

b = b

+ b

X +···+ b

n−1

= x

⊺

where a := (a

,.. .,a

n−1

)

⊺

and b := (b

,.. .,

n−1

)

⊺

are the coefﬁcient vectors of a and b, and

x := (1,X , X

,.. .,X

n−1

)

⊺

. Then, we have

ab =(a

−a

n−1

−a

n−2

···−a

n−1

)

+ (a

+ a

−a

n−1

···−a

n−1

+ (a

+ a

···−a

n−1

+ ...

⊺







−b

n−1

... −b

n−1

n−2

... b













n−1







⊺

Thus, we have vec(ab) = Ba. We obtain vec(ab) =

Ab in a similar manner.

It is known that the ring R deﬁned in Eq. (1) is

commutative: for any a, b ∈ R, we have ab = ba.

This can also be conﬁrmed by Lemma 3.15: we obtain

vec(ab) = Ab = Ba = vec(ba) by Lemma 3.15, and

vec(·) is isomorphic from R to Z

Importantly, the coefﬁcient matrix also has com-

mutativity:

Theorem 3.16 (Commutativity of the coefﬁcient

matrices). For any A := mat(a), B := mat(b),

mat(ab) = AB = BA

Proof. Let a := vec(a) and b := vec(b). We have:

mat(ab)



I P . .. P

n−1



⊗vec(ab)



I P . .. P

n−1



⊗Ab (∵ Lemma 3.15)



A PA . .. P

n−1



⊗b



A AP . .. AP

n−1



⊗b (∵ Lemma 3.17)

= (A ⊗



I P . .. P

n−1



) ⊗b

= AB

By Lemma 3.15, vec(ab) = Ab = Ba. Thus, similarly,

we also have mat(ab) = BA.

We complete the above proof by presenting the

deferred Lemma 3.17:

Lemma 3.17. For any a ∈R, A := mat(a) and i ∈Z,

we have P

A = AP

Proof. Let a := vec(a). Then, we have

A = P



I P . .. P

n−1



⊗a



I P . .. P

n−1



⊗P

a = mat(P

a), and

= a

⊺

R ⊗







n−1

n−2







·P

= a

⊺

⊗







n−1

n−2







= (P

⊺

R ⊗







n−1

n−2







(∵ Fact 3.5)

= mat(P

a),

where we use the fact that a

⊺

= a

⊺

−i

R =

⊺

R holds.

As a corollary of Lemma 3.15, we obtain the fol-

lowing fact:

Corollary 3.18. For a,b ∈R, ab = 0 holds if and only

if a = 0 or b = 0. Thus, A := mat(a) is nonsingular

for any a ̸= 0.

3.6 Transpose

We ﬁrst deﬁne the transpose of polynomials in R:

Deﬁnition 3.19 (Transpose in the ring). For a :=

a(X) :=

∑

n−1

i=0

∈ R, we deﬁne its transpose as

a := a(X

−1

) ∈ R.

Then, we can derive the coefﬁcient vector, co-

efﬁcient matrix and coefﬁcient Gram matrix of the

transpose polynomials as follows:

Fact 3.20. For any a :=

∑

n−1

i=0

∈ R, we have:

vec(a) = (a

,−a

n−1

,−a

n−2

,.. .,−a

)

⊺

(9)

mat(a) = (mat(a))

⊺

(= A

⊺

) (10)

Gram(a) = (mat(a))

⊺

mat(a)(= A

⊺

A) (11)

Proof. Note that X

+ 1 ≡ 0 ⇔ −1 ≡ X

⇔ X

−i

≡

−X

n−i

holds. Hence, we have

a := a(X

−1

) :=

n−1

∑

i=0

−i

n−1

∑

i=0

(−a

n−i

= a

n−1

∑

i=1

(−a

n−i

Thus, we obtain Eq. (9). We can derive Eq. (10) since

mat(a) =



I P . .. P

n−1



⊗vec(a)

= (mat(a))

⊺

via Eq. (6). We obtain Eq. (11) by deﬁnition.

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

311

Next, we show an important lemma to analyze the

coefﬁcient Gram matrix: for any a ∈ R, the coefﬁ-

cient Gram matrix of a is the coefﬁcient matrix (not

coefﬁcient “Gram” matrix) of the product of a and a:

Lemma 3.21. For any a ∈R, Gram(a) = mat(aa).

Proof. Let A := mat(a) and a := vec(a). Then, we

have

Gram(a)

= AA

⊺

= A

⊺

A (∵ Theorem 3.16)

= A

⊺



I P . .. P

n−1



⊗a



I P . .. P

n−1



⊗A

⊺

a (∵ Lemma 3.17)



I P . .. P

n−1



⊗vec(aa),

where we use the fact mat(a) = A

⊺

(by Fact 3.20) and

Lemma 3.15.

The above lemma implies that each column of

Gram(a) is a rotation (by P

) of its ﬁrst column vector

vec(aa):

Corollary 3.22. For any a ∈ R, we have

mat

−1

(Gram(a)) = mat

−1

(mat(aa)) = vec(aa).

4 OUR ALGORITHM FOR GRAM

ROOT DECOMPOSITION OVER

THE RING

In this section, we present an algorithm for Gram root

decomposition over the ring R.

We present our algorithm for Gram root decom-

position over the ring R in Algorithm 1. The inputs

of the algorithm are “short” polynomials e

,.. .,e

∈

R s.t. ∥e

∥ ≤ B ∈ N for all i ∈ [m]. (Note that we

explained our algorithm with m = 1 in the abstract

and introduction section of this paper for simplic-

ity.) Then, the algorithm outputs ζ = (ζ

,.. .,ζ

)

⊺

∈

s.t.

∑

i=1

∑

i=1

= mnB

I, where G

Gram(ζ

) and G

:= Gram(e

). In other words, the

goal of the algorithm is to “diagonalize” the sum of

the coefﬁcient Gram matrices

∑

i=1

. Furthermore,

the output polynomials ζ

,.. .,ζ

are short (∥ζ

∥ ≤

√

2mB), and the lower-bound of the minimum eigen-

value of G

is given (σ

min

) ≥

). These condi-

tions on the output are necessary for the application

we present in Section 5.

We prove the correctness of Algorithm 1 in Sec-

tion 4.1. We then show that the outputs of Algo-

rithm 1 satisﬁes the bounds (∥ζ

∥ ≤

√

2mB and

min

(mat(ζ

)) ≥

) in Section 4.2.

4.1 Correctness

We show that Algorithm 1 works correctly:

Theorem 4.1. The output ζ

,.. .,ζ

∈ R of Algo-

rithm 1 satisﬁes

∑

i=1

= G and l <

Proof. The ﬁrst part (Algorithms 1 to 1) of the algo-

rithm decomposes the non-diagonal elements of

G := mnB

I −

∑

i=1

i.e., G :=

∑

i=1

. Deﬁne σ := (σ

,.. .,σ

n−1

)

⊺

mat

−1

(G); Then we have σ =

∑

i=1

mat

−1

) =

∑

i=1

vec(e

) via Corollary 3.22. On Algorithm 1,

we ﬁrst decompose |σ

| by four non-negative in-

teger squares c

,.. .,c

. Such integer squares ex-

ist for any natural numbers according to Lagrange’s

four-square theorem, and we efﬁciently calculate

them via the Rabin–Shallit (RS) algorithm in The-

orem 4.2. For z

( j)

:= (c

− sgn(σ

· X

) · X

∈

R on Algorithm 1, let τ

( j)

:= (τ

( j)

,.. .,τ

( j)

n−1

) :=

mat

−1

(Gram(z

( j)

)). Then, by Lemma 4.4, we have:











( j)

= 2c

( j)

= −sgn(σ

( j)

n−i

= sgn(σ

( j)

= 0 (i /∈ {0,i, n −i})

Hence, we have:











∑

j=1

( j)

= 2

∑

j=1

= 2|σ

∑

j=1

( j)

= −sgn(σ

)

∑

j=1

= −σ

∑

j=1

( j)

n−i

= sgn(σ

)

∑

j=1

= σ

Therefore, at Algorithm 1, mat

−1

(

∑

ζ∈S

Gram(ζ)) =

(

∑

−1

i=1

2|σ

|,−σ

,.. .,−σ

n−1

); thus, we have

G −

∑

ζ∈S

Gram(ζ) = mnB

I −(G +

∑

ζ∈S

Gram(ζ))

= mnB

I −γI = βI,

where γ := σ

∑

−1

i=1

2|σ

|as deﬁned on Algorithm 1.

Note that |σ

| ≤ σ

∑

i=1

∥e

∥

≤ mB

holds by

Lemma 4.3; thus, γ ≤(n−1)σ

≤m(n−1)B

. Hence,

we have mB

≤ β.

The second part (Algorithms 1 to 1) of the algo-

rithm decomposes βI. The purpose of Algorithms 1

to 1 is to decompose βI with “short” polynomials:

This is needed only to satisfy ∥ζ

∥ ≤

√

2mB. For the

monomial z :=

√

2mB·X

on Algorithm 1, Gram(z) =

2mB

I holds by Lemma 4.4. Thus, at Algorithm 1,

we have

∑

ζ∈S

Gram(ζ) = l

′

· 2mB

I. The rest of

the algorithm is to decompose (β −l

′

·2mB

)I = δI.

For the monomial z

( j)

:= c

· X

on Algorithm 1,

ICISSP 2025 - 11th International Conference on Information Systems Security and Privacy

312

Algorithm 1: Gram root decomposition over the ring.

Input : e

,.. .,e

∈ R s.t. ∥e

∥ ≤ B for all i ∈[m]

Output : ζ

,.. .,ζ

∈ R s.t.

∑

i=1

= G := mnB

I −

∑

i=1

∈ Z

n×n

, ∥ζ

∥ ≤

√

2mB and

min

) ≥

, where Z

:= mat(ζ

) G

:= Gram(ζ

) and G

:= Gram(e

) for any i.

1 S

0, S

0 // Sets to store ζ

,...,ζ

Decompose non-diagonal elements of G:

2 Deﬁne G :=

∑

i=1

and σ := (σ

,.. .,σ

n−1

)

⊺

:= mat

−1

(G). (c.f., Deﬁnition 3.12)

// |σ

| ≤ σ

∑

i=1

∥e

∥

≤ mB

by Lemma 4.3. σ

= −σ

n−i

for i ∈[1,

−1], σ

= 0 by Lemma 3.13

3 for i = 1 to

−1 do

4 Find c

,.. .,c

∈ N s.t.

∑

j=1

= |σ

| with RS algorithm (Theorem 4.2)

5 for j = 1 to 4 do

6 z

( j)

:= (c

−sgn(σ

·X

) ·X

∈ R for r

← Z

, // ∥z

( j)

∥ =

≤

2|σ

| ≤

√

2mB

7 Update S

:= S

∪{z

( j)

} // σ

min

(mat(z

( j)

)) ≥

≥

by Lemma 4.8

8 end

// mat

−1

(

∑

j=1

Gram(z

( j)

)) = (2|σ

|,0,...,0,−σ

,...)

⊺

by Lemma 4.4

9 end

10 γ := σ

∑

−1

i=1

2|σ

| // ≤ (n −1)σ

≤ (n −1)mB

by Lemma 4.3

Decompose diagonal elements of G:

11 β := mnB

−γ ∈ [mB

,mnB

) // G −

∑

ζ∈S

Gram(ζ) = mnB

I −(G +

∑

ζ∈S

Gram(ζ)) = mnB

I −γI = βI

12 l

′

:= ⌊β/2mB

⌋ (<

)

13 for i = 1 to l

′

14 z :=

√

2mB ·X

∈ R for r

← Z

// Gram(z) = 2mB

I by Lemma 4.4

15 Update S

:= S

∪{z} // σ

min

(mat(z)) =

min

) =

√

2mB > 1 >

, ∥z∥ =

√

2mB

16 end

17 δ := β −l

′

·2mB

∈ [0,2mB

)

18 Find c

,.. .,c

∈ N s.t.

∑

j=1

= δ with RS algorithm (Theorem 4.2)

19 for j = 1 to 4 do

20 z

( j)

:= c

·X

∈ R for r

← Z

// ∥z

( j)

∥ = c

≤

√

δ <

√

2mB

21 Update S

:= S

∪{z

( j)

}

22 end

23 return S := S

∪S

∑

ζ∈S

Gram(ζ) = βI, G =

∑

ζ∈S

Gram(ζ), l := |S| = 4(

−1)+ l

′

+ 4 <

Gram(z

( j)

) = c

I holds by Lemma 4.4. Thus we have

∑

j=1

Gram(z

( j)

) =

∑

j=1

I = δI. Hence, we obtain

∑

ζ∈S

Gram(ζ) = βI

at Algorithm 1. Therefore, the output S of the algo-

rithm satisﬁes

∑

ζ∈S

Gram(ζ) = G. We also have

l := |S| = 4(

−1) + l

′

+ 4 <

We complete the above proof by describing

the deferred facts; Theorem 4.2, Lemma 4.3, and

Lemma 4.4:

Theorem 4.2 (Rabin–Shallit (RS) algorithm (Ra-

bin and Shallit, 1986)). For any N ∈ N, there is a

randomized algorithm for ﬁnding

a,b,c, d ∈ N s.t. a

+ b

+ c

+ d

= N

within O(log

N loglog N) operations on average.

Lemma 4.3 (Bound on |σ

|). Let a ∈ R, a := vec(a),

:= Gram(a) and (σ

,.. .,σ

n−1

) := mat

−1

Then, |σ

| ≤ σ

= ∥a∥

holds for any i.

Proof. By Fact 3.10, we have σ

= a

⊺

−i

a for any i ̸=

0. Then, by the Cauchy–Schwarz inequality, |σ

| =

⊺

−i

a| ≤ ∥a∥∥P

−i

a∥ = ∥a∥

holds.

Lemma 4.4 (Coefﬁcient Gram matrices of binomi-

als and monomials). Let a ∈ R be a binomial: a =

·(a

+ a

) for i ∈ N and r ∈ Z. Let a := vec(a),

:= Gram(a) and

(σ

,.. .,σ

n−1

) := mat

−1

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

313

Then, we have:











= ∥a∥

= a

+ a

= a

, σ

n−i

= −a

= 0 (k /∈ {0, i,n −i})

In particular, for monomial a := a

∈ R for r ∈ Z,

we have G

= a

I, i.e.,

(

= a

= 0 (i ̸= 0)

Proof. Follows from Fact 3.2 and Fact 3.10.

4.2 Bounds on the Outputs

We ﬁrst prove that the outputs of the algorithm are

short polynomials:

Theorem 4.5. The output ζ = (ζ

,.. .,ζ

)

⊺

∈ R

Algorithm 1 satisﬁes ∥ζ

∥ ≤

√

2mB for any i ∈ [l].

Proof. The binomial z

( j)

:= (c

−sgn(σ

·X

) ·X

on Algorithm 1 satisﬁes

∥z

( j)

∥ =

≤

2|σ

| ≤

√

2mB

by Lemma 3.13 and Lemma 4.3. The monomial z :=

√

2mB·X

∈R on Algorithm 1 satisﬁes ∥z∥=

√

2mB.

Finally, z

( j)

:= c

·X

∈ R on Algorithm 1 also satis-

ﬁes ∥z

( j)

∥ = c

≤

√

δ <

√

2mB.

Finally, we show that the minimum singular value

of the coefﬁcient matrices of the outputs are lower-

bounded by

Theorem 4.6. The output ζ = (ζ

,.. .,ζ

)

⊺

∈ R

Algorithm 1 satisﬁes σ

min

(mat(ζ

)) ≥

for any i.

Proof. The binomial z

( j)

:= (c

−sgn(σ

·X

) ·X

on Algorithm 1 satisﬁes σ

min

(mat(z

( j)

)) ≥

≥

Lemma 4.8.

On Algorithm 1, the monomial z :=

√

2mB ·X

satisﬁes σ

min

(mat(z)) =

min

) =

√

2mB > 1 >

. Furthermore, z

( j)

:= c

·X

on Algorithm 1 also

satisﬁes σ

min

(mat(z

( j)

)) ≥ c

≥ 1 ≥

We complete the above proof by presenting a de-

ferred core lemma: Lemma 4.8. We ﬁrst show that

the coefﬁcient matrix of the “inverse” polynomial is

the inverse of the coefﬁcient matrix:

Fact 4.7 (Inverse of coefﬁcient matrix). For any a ∈

R, there exists b ∈R[X ]/(X

+ 1) such that a ·b = 1.

Furthermore, for A := mat(a), we have A

−1

= B =

mat(b). (Thus, such b is sufﬁcient to derive A

−1

Proof. Let A := mat(A) and deﬁne

b := vec(b) := A

−1

(1,0,. ..,0)

⊺

Then, by Lemma 3.15, we have

vec(a ·b) = Ab = (1, 0,... ,0)

⊺

thus, we have a ·b = 1. Furthermore,we have mat(a ·

b) = AB = I via Theorem 3.16; thus, B = A

−1

Then, we derive a lower bound of the singular

value of the coefﬁcient matrix of binomials:

Lemma 4.8 (Inverse of binomials). Let z = c±cX

∈

R for c ∈ N, and let g =

∑

n−1

i=0

∈ R[X]/(X

+ 1)

be such that z ·g = 1 (i.e., the “inverse” of z). Then,

we have ∥g∥

∞

. Furthermore, we have σ

min

(Z) ≥

, where Z := mat(z).

Proof. We let z = c + cX

since the proof for z = c −

is obtained similarly. By Fact 4.7 there exists g

s.t. z ·g = 1. Let z := vec(z) and G := mat(g). Then,

by Fact 4.7 and Lemma 3.15, we have

vec(z ·g) = Gz







−g

n−1

... −g

n−1

n−2

... g































⇔







−g

n−k

k−1

−g

n−1

n−k−1























Therefore, we have:











= g

n−k

| = ···= |g

x·k+ j mod n

for x ∈N,0 ≤ j ≤ k −1

We can analyze the absolute value of g

’s as follows:

• When gcd(k,n) = d > 1, we have

x·d mod n

| =

for x ∈N, and

x·d+ j mod n

= 0 for x ∈N, j ∈ {1, .. .,d −1}.

• When gcd(k,n) = 1, we have

| =

for any i ∈ {0,n −1}.

Thus, in any case, we have ∥g∥

∞

. Furthermore,

we have

min

(Z) = 1/∥Z

−1

∥ = 1/∥G∥

≥ 1/∥G∥

= 1/(

√

n∥g∥)

≥ 1/(

√

)

) ≥ 2c/n.

ICISSP 2025 - 11th International Conference on Information Systems Security and Privacy

314

5 APPLICATION:

SPHERICALIZING THE

DISCRETE GAUSSIAN OVER

THE RING

We apply our Gram root decomposition algorithm

(Algorithm 1) to sphericalize the discrete Gaussian

over the ring: Let r

,.. .,r

m+l

iid

∼ R(D

) (Deﬁni-

tion 3.8), i.e., polynomials with coefﬁcients of the

spherical discrete Gaussian. For given e

,.. .,e

∈

R, we analyze the distribution of (r

∑

i=1

) in

Lemma 5.5. Furthermore, let ζ

,.. .,ζ

be the outputs

of Algorithm 1, then we show that the coefﬁcients

of (r

e +

∑

i=1

∑

i=1

m+i

) follow the spherical

discrete Gaussian distribution in Theorem 5.6.

5.1 Building Blocks

The goal of this subsection is to present Lemma 5.4,

which concerns the convolution of the discrete Gaus-

sian. First, we describe the required basic facts about

the singular values of the Gram matrices:

Fact 5.1. For any G ≻ 0,

√

−1

= (

−1

)

⊺

. Thus,

we have:

max

(

√

−1

) = σ

max

(

−1

)

min

(

√

−1

) = σ

min

(

−1

)

Proof. Let S :=

√

G, then G = SS

⊺

. Thus, G

−1

−⊺

−1

= (S

−⊺

)(S

−⊺

)

⊺

: we have S

−⊺

−1

Hence, we have

max

(

√

−1

) = ∥

√

−1

∥ = ∥

−1

∥ = σ

max

(

−1

Thus, we also have

min

(

√

−1

) = 1/σ

max

(

√

−1

) = 1/σ

max

(

−1

)

= σ

min

(

−1

Lemma 5.2 ((Golub and Van Loan, 1996, Theorem

8.1.5)). If A,B ∈ R

n×n

are symmetric matrices, then

for any i ∈ [n],

(A) + λ

min

(B) ≤ λ

(A + B) ≤ λ

(A) + λ

max

(B)

Fact 5.3. For any G

≻ 0, we have:

max

(

+ G

)

≤

max

(

) + σ

max

(

) (12)

min

(

+ G

)

≥

min

(

) + σ

min

(

)

≥

√

2min{σ

min

(

),σ

min

(

)} (13)

min

(

−1

+ G

−1

)

−1

)

≥

(σ

−2

min

(

) + σ

−2

min

(

))

−1

≥

√

min{σ

min

(

),σ

min

(

)} (14)

Proof. By deﬁnition of singular value and

Lemma 5.2, we have

max

(

+ G

) =

max

+ G

)

≤

max

) + λ

max

), and

min

(

+ G

) =

min

+ G

)

≥

min

) + λ

min

Thus, we obtain Eq. (12) and Eq. (13). By Fact 5.1

and Eq. (12), we obtain (14) as follows:

min

(

−1

+ G

−1

)

−1

)

= (σ

max

(

−1

+ G

−1

))

−1

≥ (σ

max

(

−1

) + σ

max

(

−1

))

−1/2

= (σ

−2

min

(

) + σ

−2

min

(

))

1/2

Then, we prove Lemma 5.4, which is a general-

ization of Corollary 2.8:

Lemma 5.4 (Generalization of Corollary 2.8). Let

,.. .,G

∈ R

n×n

be positive deﬁnite matrices. Let

),.. .,L

) ⊆Z

be full-rank integer lattices

with (nonsingular) basis B

,.. .,B

Let σ

∗

min

:= min

i∈{0,...,m}

min

(

√

) and

∗

:= max

i∈{1,...,m}

∥B

∥

len

. Assume that

∗

min

≥

√

∗

). Then, we have

∑

i=1

√

+ D

√

≈

√

∑

i=1

Proof. We ﬁrst show

√

+ D

√

≈

√

(15)

by using Corollary 2.8. We have

√

≥ η

)

because σ

min

(

√

) ≥ σ

∗

min

≥ η

) according to

Fact 2.5 and the hypothesis. By Fact 5.3, we have

−1

+ G

−1

)

−1

≥ η

)) because we have

min

(

−1

+ G

−1

)

−1

)

≥

√

min{σ

min

(

),σ

min

(

)}

≥

√

∗

min

≥ ∥B

∥

len

)

by the hypothesis (

√

2∥B

∥

len

) ≤σ

∗

min

). There-

fore, we obtain Eq. (15).

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

315

Next, we show

√

+ D

√

≈

√

via Corollary 2.8 again. By Fact 2.5 and Fact 5.3 and

the hypothesis, we have

√

+ G

≥η

) because

min

(

+ G

) ≥ min{σ

min

(

),σ

min

(

)}

≥ σ

∗

min

≥ η

)

holds by the assumption η

) ≤ σ

∗

min

. Further-

more, we have

((G

+ G

)

−1

+ G

−1

)

−1

≥ η

))

because

min

(

((G

+ G

)

−1

+ G

−1

)

−1

)

≥

√

min{σ

min

+ G

),σ

min

)}

≥

√

min{σ

min

),σ

min

),σ

min

)}

≥

√

∗

min

≥ ∥B

∥

len

)

holds by the assumption

√

2∥B

∥

len

) ≤ σ

∗

min

Repeating the above, we obtain the claim.

5.2 Main Theorem

We ﬁrst apply Lemma 5.4 to the discrete Gaussian

over the ring:

Lemma 5.5 (Applying Lemma 5.4 to the discrete

Gaussian over the ring). Let e

,.. .,e

,∈ R and de-

ﬁne E

:= mat(e

) and G

:= Gram(e

). Assume

that ∥e

∥ < B and σ

min

) ≥ c hold for some con-

stant B, c > 0. Let r

,.. .,r

iid

∼ R(D

) for s ≥

√

−1

Bη

), and deﬁne

z := r

∑

i=1

. (16)

Then, we have

vec(z) ≈

√

∑

i=1

Proof. By Lemma 3.15, we have vec(z) = r

∑

i=1

, where r

:= vec(r

) for i = 0,. .. ,m. By

Lemma 2.6, we obtain E

r ∼ D

,sE

for any i.

Let G

:= s

, G

:= s

, B

:= Z

for all i.

Then, B

∈ Z

n×n

is nonsingular according to Corol-

lary 3.18; thus L(B

) = B

⊆ Z

is a full-rank inte-

ger lattice for all i. Let σ

∗

min

:= min

min

(

√

) and

∗

:= max

∥B

∥

len

, then we have

∗

min

= s ·min{1,min

min

)} = c ·s,

∗

:= max

∥E

∥

len

= max

∥e

∥ < B.

Then, we obtain the claim by Lemma 5.4 since σ

∗

min

cs ≥

√

∗

) holds by hypothesis.

Finally, we present the main theorem by adding

∑

i=1

m+i

in Eq. (16), where ζ

,.. .ζ

are the outputs

of Algorithm 1 for given e

,.. .,e

. Then, a polyno-

mial with spherical discrete Gaussian coefﬁcients is

obtained:

Theorem 5.6 (Sphericalize the discrete Gaussian

over the ring). Let e

,.. .,e

∈ R and deﬁne E

mat(e

) and G

:= Gram(e

). Assume that ∥e

∥ < B

and σ

min

) ≥ c hold for some constant B,c > 0.

Given e

,.. .,e

as the inputs, let ζ

,.. .,ζ

be the

outputs of Algorithm 1. Let r

,.. .,r

m+l

iid

∼ R(D

)

for s ≥ 2

√

mBmax{c

−1

}η

), and deﬁne

z := r

∑

i=1

∑

i=1

m+i

Then, we have

vec(z) ≈

√

mnB

Proof. The outputs ζ

,.. .,ζ

of Algorithm 1 satisfy

∥ζ

∥≤

√

2mB and σ

min

(mat(ζ

)) ≥

for any i ∈[l] by

Theorem 4.5 and Theorem 4.6, respectively. Hence,

by Lemma 5.5, we have

vec(z) ≈

∑

i=1

∑

i=1

since s ≥ 2

√

mBmax{c

−1

}η

) by hypothesis.

Furthermore, the outputs ζ

,.. .,ζ

of Algorithm 1

satisfy

∑

i=1

= mnB

I−

∑

i=1

via Theorem 4.1.

Thus, we obtain the claim.

6 CONCLUSION AND FUTURE

WORK

Many advanced lattice-based cryptosystems such as

identity-based encryption and functional encryption

require efﬁcient and secure algorithms to sample dis-

crete Gaussian. The integral Gram root decompo-

sition of (Ducas et al., 2020) was developed in the

context of the discrete Gaussian sampling algorithm.

In this work we proposed an algorithm for Gram

root decomposition over the polynomial ring (Algo-

rithm 1). While the objective of this algorithm is

similar to the (ring version of) integral Gram root

decomposition of (Ducas et al., 2020), our algorithm

ensures the bounds of the norm of the output polyno-

mial ζ

(Theorem 4.5) and the minimum eigenvalue of

the coefﬁcient Gram matrix of ζ

(Theorem 4.6). By

utilizing the bounds, we showed how to sphericalize

discrete Gaussian over the ring (Theorem 5.6).

Our further application would be an efﬁcient

and secure discrete Gaussian sampling algorithm for

ring setting for advanced lattice-based cryptosystems,

which we leave for future work.

ICISSP 2025 - 11th International Conference on Information Systems Security and Privacy

316

REFERENCES

Aggarwal, D. and Regev, O. (2016). A note on discrete

Gaussian combinations of lattice vectors. Chicago

Journal of Theoretical Computer Science, (7).

Agrawal, S., Boneh, D., and Boyen, X. (2010). Efﬁcient

lattice (H)IBE in the standard model. In Gilbert, H.,

editor, EUROCRYPT 2010, pages 553–572. Springer.

Agrawal, S., Freeman, D. M., and Vaikuntanathan, V.

(2011). Functional encryption for inner product pred-

icates from learning with errors. In Lee, D. H. and

Wang, X., editors, ASIACRYPT 2011, pages 21–40.

Springer.

Agrawal, S., Gentry, C., Halevi, S., and Sahai, A. (2013).

Discrete Gaussian leftover hash lemma over inﬁnite

domains. In Sako, K. and Sarkar, P., editors, ASI-

ACRYPT 2013, pages 97–116. Springer.

Alagic, G., Apon, D., Cooper, D., Dang, Q., Dang, T.,

Kelsey, J., Lichtinger, J., Miller, C., Moody, D., Per-

alta, R., Perlner, R., Robinson, A., and Smith-Tone,

D. (2022). NIST IR 8413-upd1: Status report on the

third round of the NIST post-quantum cryptography

standardization process.

Bos, J., Ducas, L., Kiltz, E., Lepoint, T., Lyubashevsky, V.,

Schanck, J. M., Schwabe, P., Seiler, G., and Stehl

e, D.

(2018). CRYSTALS-Kyber: A CCA-secure module-

lattice-based KEM. In Euro S&P 2018, pages 353–

367.

Brakerski, Z., Gentry, C., and Vaikuntanathan, V. (2011).

Fully homomorphic encryption without bootstrap-

ping. ePrint 2011/277. https://eprint.iacr.org/2011

/277.

Brakerski, Z., Langlois, A., Peikert, C., Regev, O., and

Stehl

e, D. (2013). Classical hardness of learning with

errors. In STOC ’13, page 575–584. ACM.

Ducas, L., Galbraith, S., Prest, T., and Yu, Y. (2020). Inte-

gral matrix Gram root and lattice Gaussian sampling

without ﬂoats. In Canteaut, A. and Ishai, Y., editors,

EUROCRYPT 2020, pages 608–637. Springer.

Fouque, P.-A., Hoffstein, J., Kirchner, P., Lyubashevsky, V.,

Pornin, T., Prest, T., Ricosset, T., Seiler, G., Whyte,

W., and Zhang, Z. (2020). Falcon: Fast-fourier lattice-

based compact signatures over NTRU – speciﬁcations

v1.2. 2020. Technical Report, NIST.

Genise, N. and Micciancio, D. (2018). Faster Gaussian sam-

pling for trapdoor lattices with arbitrary modulus. In

Nielsen, J. B. and Rijmen, V., editors, EUROCRYPT

2018, pages 174–203. Springer.

Genise, N., Micciancio, D., Peikert, C., and Walter, M.

(2020). Improved discrete Gaussian and subGaus-

sian analysis for lattice cryptography. In Kiayias, A.,

Kohlweiss, M., Wallden, P., and Zikas, V., editors,

PKC 2020, pages 623–651. Springer.

Gentry, C., Peikert, C., and Vaikuntanathan, V. (2008).

Trapdoors for hard lattices and new cryptographic

constructions. In STOC ’08, page 197–206. ACM.

Golub, G. H. and Van Loan, C. F. (1996). Matrix Computa-

tions (3rd Ed.). Johns Hopkins University Press.

Hoffstein, J., Pipher, J., and Silverman, J. H. (1998). NTRU:

A ring-based public key cryptosystem. In Buhler, J. P.,

editor, ANTS 1998, pages 267–288. Springer.

Kiltz, E., Lyubashevsky, V., and Schaffner, C. (2018). A

concrete treatment of Fiat-Shamir signatures in the

quantum random-oracle model. In Nielsen, J. B. and

Rijmen, V., editors, EUROCRYPT 2018, pages 552–

586. Springer.

Langlois, A. and Stehl

e, D. (2015). Worst-case to average-

case reductions for module lattices. Des. Codes Cryp-

togr., 75(3):565–599.

Lyubashevsky, V., Peikert, C., and Regev, O. (2010). On

ideal lattices and learning with errors over rings. In

Gilbert, H., editor, EUROCRYPT 2010, pages 1–23.

Springer.

Micciancio, D. and Peikert, C. (2012). Trapdoors for lat-

tices: Simpler, tighter, faster, smaller. In Pointcheval,

D. and Johansson, T., editors, EUROCRYPT 2012,

pages 700–718. Springer.

Micciancio, D. and Regev, O. (2007). Worst-case to

average-case reductions based on Gaussian measures.

SIAM J. Comput., 37(1):267–302.

Micciancio, D. and Walter, M. (2017). Gaussian sampling

over the integers: Efﬁcient, generic, constant-time. In

Katz, J. and Shacham, H., editors, CRYPTO 2017,

pages 455–485. Springer.

Nguyen, H. H. and Vu, V. H. (2016). Normal vector of a

random hyperplane. International Mathematics Re-

search Notices, 2018(6):1754–1778.

Okada, H., Fukushima, K., Kiyomoto, S., and Takagi, T.

(2023). Spherical gaussian leftover hash lemma via

the R

enyi divergence. In Tibouchi, M. and Wang, X.,

editors, ACNS 2023, pages 695–724. Springer Nature

Singapore.

Peikert, C. (2009). Public-key cryptosystems from the

worst-case shortest vector problem: Extended ab-

stract. In STOC ’09, page 333–342. ACM.

Peikert, C. (2010). An efﬁcient and parallel Gaussian sam-

pler for lattices. In Rabin, T., editor, CRYPTO 2010,

pages 80–97. Springer.

Rabin, M. O. and Shallit, J. O. (1986). Randomized algo-

rithms in number theory. Communications on Pure

and Applied Mathematics, 39(S1):S239–S256.

Regev, O. (2005). On lattices, learning with errors, random

linear codes, and cryptography. In STOC ’05, pages

84–93. ACM.

Stehl

e, D., Steinfeld, R., Tanaka, K., and Xagawa, K.

(2009). Efﬁcient public key encryption based on ideal

lattices. In Matsui, M., editor, ASIACRYPT 2009,

pages 617–635. Springer.

Tao, T. (2012). Topics in random matrix theory. Graduate

Studies in Mathematics, 132.

Gram Root Decomposition over the Polynomial Ring: Application to Sphericalization of Discrete Gaussian

317