Random Integer Lattice Generation via the Hermite Normal Form

Lattices used in cryptography are integer lattices. Defining and generating a “random integer lattice” are interesting topics. A generation algorithm for a random integer lattice can be used to serve as a random input of all the lattice algorithms. In this paper, we recall the definition of the random integer lattice given by G. Hu et al. and present an improved generation algorithm for it via the Hermite normal form. It can be proven that with probability ≥0.99, this algorithm outputs an n-dim random integer lattice within $O(n^2)$ operations.


Introduction
Lattices are discrete subgroups in $\mathbb{R}^n$. Since Ajtai's discovery of the average-case/worst-case connection in lattice problems [1], lattice-based cryptography has attracted much attention [2][3][4][5]. Up to now, lattice-based cryptographic schemes have been considered to be a promising alternative to more traditional ones based on the factoring and discrete logarithm problems since lattice-based schemes can be resistant to efficient quantum algorithms [6]. Lattice algorithms such as LLL [7] and BKZ [8,9] are commonly used in analyzing these lattice-based schemes' security. The lattices used in cryptography and lattice algorithms are integer lattices (discrete subgroups of $\mathbb{Z}^n$). Thus, the problem of suitably defining and generating a random integer lattice is a meaningful topic. In [10], P. Q. Nguyen found that for dimensions up to 50, LLL almost outputs the shortest lattice vector, while in theory, LLL's output is just an approximately short vector. Once we are able to generate a random integer lattice, such a generation algorithm can be used to serve as a random input for all lattice algorithms to obtain their output qualities on average.
In [1], M. Ajtai defined a family of "random integer lattices" in terms of the worst-case to average-case connection and showed how to generate one from this lattice family. For uniform $A \in \mathbb{Z}_q^{n \times m}$, the lattice family is defined as $\Lambda^{\perp}(A) = \{x \in \mathbb{Z}^m : Ax = 0 \in \mathbb{Z}_q^n\}$. In [10], P. Q. Nguyen and D. Stehle gave a definition of the "random integer lattice" in the sense of the Haar measure, which was approximated by the Goldstein-Mayer method [11]. For large number $N$, this "random integer lattice" is uniformly chosen from the set of all $n \times n$ Hermite normal forms with the determinant equal to $N$. When $N$ is prime, to generate such a random integer lattice, one only needs to set $h_{nn} = N$, $h_{in} \in [0, N)$ uniformly and $h_{ii} = 1$ for $i < n$. This type of "random integer lattice" is used in many cryptographic applications. From the perspective of mathematics, studying whether the requirement that $N$ be a prime can be removed is also a meaningful issue.
In [12], G. Maze studied the probabilistic distribution of the random HNF with a special diagonal structure, where the randomness was derived from a random square matrix whose elements were all chosen uniformly from $[-B, B]$ for large enough $B$. In [13], G. Hu et al. introduced a different definition of randomness, in which the definition "random integer lattice" means the lattice's HNF is chosen uniformly from all $n \times n$ HNFs whose determinants are upper bounded by a large number $M$. In the same paper [13], G. Hu et al. also presented a complete random integer lattice generation algorithm. In this algorithm, the first step is to generate a determinant. To make the final output uniform, it is necessary to compute the total number of HNFs with fixed determinant $N$. Since the total number can be figured out only in the case that the factorization of $N$ is known, a subroutine to factor integers is necessary in this algorithm. In this paper, we improved this algorithm with the help of the diagonal elements' distribution in the random HNF. This improved algorithm first generates the diagonal elements $h_{11}, \cdots, h_{n-1,n-1}$ without computing the total number of HNFs with a fixed determinant, then it uses the reverse sampling method to generate the final diagonal element $h_{nn}$. Thus, the factorization subroutine is no longer needed in this improved algorithm, which makes it more efficient.
The remainder of the paper is organized as follows. In Section 2, we give some necessary preliminaries. In Section 3, we recall the definition of the random integer lattice given by G. Hu et al. and discuss the distribution of all the diagonal elements in the random integer lattice's HNF. In Section 4, we present our improved algorithm to generate the random integer lattice via the HNF. Finally, we give our conclusion in Section 5.

Preliminaries
We denote by $\mathbb{Z}$ the integer ring and $\mathbb{R}$ the real number field. We use $GL_n(\mathbb{Z})$ to denote the general linear group over $\mathbb{Z}$. For convenience, we denote the set of all $n \times n$ nonsingular integer matrices by $GL_n(\mathbb{R}) \cap \mathbb{Z}^{n \times n}$.

Lattice and the HNF
Given a matrix $B = (b_{ij}) \in \mathbb{R}^{n \times m}$ with rank $n$, the lattice $L(B)$ spanned by the rows of $B$ is: where $b_i$ is the $i$-th row of $B$. We call $m$ the dimension of $L(B)$ and $n$ its rank. The determinant of $L(B)$, say $\det(L(B))$, is defined as $\det(B^T B)$. It is easy to see that when $B$ is full-rank ($n = m$), its determinant becomes $|\det(B)|$.
Two lattices $L(B_1)$ and $L(B_2)$ are exactly the same when there exists a matrix $U \in GL_n(\mathbb{Z})$ s.t. $B_1 = UB_2$. Lattices used in cryptography are usually "integer lattices", whose basis matrices are over $\mathbb{Z}$ instead of $\mathbb{R}$. Thus, the space of all full-rank integer lattices is actually $(GL_n(\mathbb{R}) \cap \mathbb{Z}^{n \times n})/GL_n(\mathbb{Z})$.
The Hermite Normal Form (HNF) is a useful tool to study integer matrices:
Definition 1. A square nonsingular integer matrix $H \in \mathbb{Z}^{n \times n}$ is called in the HNF if:
• $H$ is upper triangular, i.e., $h_{ij} = 0$ for all $i > j$;
• All diagonal elements are positive, i.e., $h_{ii} > 0$ for all $i$;
• All nondiagonal elements are reduced modulo the corresponding diagonal element at the same column, i.e., $0 \le h_{ij} < h_{jj}$ for all $i < j$.
There exists a famous result for the HNF [14] (Chapter 2, page 66):
Theorem 1. For every $A \in GL_n(\mathbb{R}) \cap \mathbb{Z}^{n \times n}$, there exists a unique $n \times n$ matrix $B \in S_{n,\mathbb{Z}}$ (HNF) of the form $B = UA$ with $U \in GL_n(\mathbb{Z})$.
By this theorem, an integer lattice corresponds to its unique HNF, implying that generating an integer lattice is actually equivalent to generating an HNF.

Definition
In this part, we refer to [13] to recall some results related to the random integer lattice. First, for $M, N \in \mathbb{Z}^+$, Gruber [15] counted the size of $|H_n(N)|$: If $N$ has prime decomposition $N = p_1^{r_1} \cdots p_t^{r_t}$, then: There exists an asymptotic estimation for $|H_n^{\le}(M)|$ in [13]: $H$ is called an $n$-dim random nonsingular HNF if for large integer $M > 0$, $H$ is chosen from $H_n^{\le}(M)$ uniformly, and the lattice $L(H)$ generated by such an $H$ is called a random integer lattice.

Diagonal Distribution
In [13], Hu et al. studied the expectation and variance of every entry and the probability distribution of every diagonal entry:
Theorem 4. Let $H = (h_{ij})$ be an $n$-dim random nonsingular HNF with the determinant bounded by $M > 0$ and $t$ be an integer in $[1, n-1]$, given an increasing subset $\{i_1, \cdots, i_t\}$ of $\{1, \cdots, n\}$ and its increasing complementary subset $\{j_1, \cdots, j_{n-t}\}$, for positive integers $b_1 \cdots b_t$; when $M \to +\infty$, we have: If we take $t = 1$, a one-element set $T = \{i\}$ ($i \in [1, n-1]$), and positive integers $b$, then the increasing complementary subset of $T$ in $\{1, 2, \cdots, n\}$ is $\{1, \cdots, i-1, i+1, \cdots, n\}$. We apply the above theorem and obtain the following corollary:
Corollary 1. Let $H = (h_{ij})$ be an $n$-dim random nonsingular HNF with the determinant bounded by $M > 0$, then for $i \in [1, n-1]$ and positive integer $b$, when $M \to +\infty$, we have: We denote this distribution of $h_{ii}$ by $D(n, i)$.

Remark 1.
Notice that in Theorem 4, when $i_t < n$ and $M \to \infty$, both cases: $t = 1$ and $1 < t < n$ are valid conditions, which corresponds to the joint distribution of $h_{i_k,i_k}$ ($k = 1, \cdots, t$) for $1 < t < n$ or a marginal distribution of the single variable $h_{i_1,i_1}$ for $t = 1$ as in Corollary 1. Considering Theorem 4 and Corollary 1, it can be deduced that when $M \to \infty$, the first $n-1$ diagonal elements $h_{11}, \cdots, h_{n-1,n-1}$ are independent variables.

Generating the Random Integer Lattice via the HNF
In this section, we present our random integer lattice generation algorithm via the HNF. Firstly, we introduce the inverse sampling method in probability theory to generate all the diagonal elements. Then, we generate all the nondiagonal elements accordingly.

Inverse Sampling Method
Given a distribution D over some ordered set A, we can use the inverse sampling method to generate a random variable according to the distribution D. We present two versions of the inverse sampling method: continuous-ISM and discrete-ISM.
, choose a random y uniformly from [0, 1] and compute z s.t. F(z) = y, then the resulting variable Z has distribution D.
Proof. Our goal is to prove $Z$ has $F_X$ as its cumulative distribution function. Namely, for any $x \in [a, b]$, we have to prove $P(Z \le x) = F_X(x)$. Since $F$ is a monotonically increasing function, we have: where the second equality comes from $F(z) = y$ and the last one is a direct result of $y$'s uniformity in $[0, 1]$. Thus, the cumulative distribution function of $Z$ is actually $F_X$, which completes the proof.
Theorem 6. (Discrete-ISM) For distribution $D$ over finite-ordered set $A = \{a_k\}_{k=1}^{n} \subseteq \mathbb{Z}$ with corresponding density $f_k = P(X = a_k)$, choose a random number $y$ uniformly from $[0, 1]$ and compute the minimum $j$ s.t. $\sum_{k=1}^{j} f_k \ge y$; then, we let $Z = a_j$, and $Z$ will have distribution $D$.
Proof. For any $a_j \in A$, we need to prove $P(Z = a_j) = f_j$. Since $j$ is the minimum value s.t. $\sum_{k=1}^{j} f_k \ge y$, we know that $\sum_{k=1}^{j-1} f_k < y$. Then, we have:

Generating the Random Integer Lattice via the HNF
From Section 3.1, we can generate a random integer lattice by equivalently generating a random nonsingular HNF. To begin with, we generate the first $n-1$ diagonal elements $h_{11}, h_{22}, \cdots, h_{n-1,n-1}$. Then, we generate the last diagonal element $h_{nn}$. Finally, all the nondiagonal elements are generated, and we output the matrix $H$ as a lattice basis for our random integer lattice.

Generating $h_{11}, h_{22}, \cdots, h_{n-1,n-1}$
From Corollary 1, we know that for an $n$-dim nonsingular HNF, when $i \in [1, n-1]$, the distribution of $h_{ii}$ is: Therefore, we generate these diagonal elements $h_{11}, h_{22}, \cdots, h_{n-1,n-1}$ according to $D(n, i)$ by discrete-ISM (Theorem 6). For $i \in [1, n-1]$, we choose $y$ uniformly randomly from $[0, 1]$ and increasingly iterate $j_i$ starting from 1 until it satisfies Then, we set $h_{ii} = j_i$. By Theorem 6, each diagonal $h_{ii}$ has distribution $D(n, i)$, which is what we need.

Generating $h_{nn}$
After generating the first $n-1$ diagonal elements $h_{ii}$, we set $D_{n-1} = \prod_{i=1}^{n-1} h_{ii}$. Since the determinant upper bound is $M$, the last diagonal element $h_{nn}$ should be in $[1, M/D_{n-1}]$. We point out that $D_{n-1}$ is a small number compared to $M$ with high probability. More specifically, the following theorem can be proven.

Theorem 7.
Let $H = (h_{ij})$ be an $n$-dim random nonsingular HNF with the determinant bounded by $M > 0$; for $D_{n-1} = \prod_{i=1}^{n-1} h_{ii}$, we have: Moreover, by Markov's inequality, we find that: To prove Theorem 7, the following lemma from [13] is needed. $\cdots a_n^{s_n}$, we have the following Table 1 on asymptotic formulas for $S(M, s_1 \ldots s_n)$.

where $\zeta(s) = \sum_{i=1}^{\infty} i^{-s}$ is the well-known Riemann zeta function and the constant in the $O$ notation is only relevant to $n$. Now, we start to prove Theorem 7.
Proof. For the expectation of $D_{n-1} = \prod_{i=1}^{n-1} h_{ii}$, we find that: which completes the first part of Theorem 7. For the second part, recall that for any non-negative random variable $X$, Markov's inequality tells us that: $P(X \ge a) \le E(X)/a$.
Since $D_{n-1}$ is non-negative, we apply Markov's inequality to it by setting $a = (\log M)^2$ and obtain: which completes the second part of the proof.
From Theorem 7, we know that $D_{n-1}$ is small compared to $M$ with high probability; thus, $M/D_{n-1}$ is still large enough for us to obtain a similar result for $h_{nn}$. We think this is a relatively reasonable way to describe the distribution of $h_{nn}$. Thus, for the random nonsingular HNF with the determinant bounded by $M$, on the condition that $\prod_{i=1}^{n-1} h_{ii} = D_{n-1}$, the distribution of $h_{nn}$ is the following: Moreover, the corresponding cumulative distribution function is: Since $M/D_{n-1}$ is still very large, we know that: As a result, $G_X(x)$ is a rather good estimation for $F_X(x)$. In fact, if we define the distribution $D_0(n, M, D_{n-1})$ by the cumulative distribution function $G_X(x)$ as follows: then we have the following theorem.
We choose $y$ uniformly randomly from $[0, 1]$ and compute $z \in \mathbb{R}^+$ s.t.: Then, we set $h_{nn} = z$. By Theorems 6 and 8, the diagonal $h_{nn}$ has distribution $D_0(n, M, D_{n-1})$, which is close enough to $D(n, M, D_{n-1})$.

Generating $h_{ij}$ ($i \ne j$)
This part is relatively easy. For $i, j = 1, \ldots, n$, let $h_{ij}$ be chosen from $[0, h_{jj})$ uniformly randomly if $i < j$ and let $h_{ij} = 0$ if $i > j$.

Correctness
By the discussion above, for large enough $M > 0$, the distribution of the diagonal $h_{11}, \cdots, h_{nn}$ generated by this algorithm is close enough to its distribution as a random nonsingular HNF. For $i < j \in [1, n]$, since a random nonsingular HNF's $h_{ij}$ is uniform in $[0, h_{jj})$ and $h_{ij}$ is generated in the same way, we know that the output of this algorithm is also close enough to a real random nonsingular HNF, which implies the correctness of this algorithm.
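The generation steps above, together with the discrete and continuous inverse sampling they rely on, as an added Python example (not the authors' code). Assumptions, because the formulas did not survive on this page: $D(n, i)$ is taken as $P(h_{ii} = b) = b^{-(n+1-i)}/\zeta(n+1-i)$, inferred from the update $s_i = s_i + j_i^{-(n+1-i)}$ in the complexity analysis; the cumulative distribution function for $h_{nn}$ is taken as $(x D_{n-1}/M)^n$ with $h_{nn} = \lceil z \rceil$, from counting the $b^{n-1}$ reduced entries above a last diagonal $b$; the function names and the `max_iter` cap are hypothetical.

```python
import math
import random

def zeta(s, terms=1000):
    """zeta(s) for s >= 2: partial sum plus Euler-Maclaurin tail correction."""
    head = sum(k ** -s for k in range(1, terms))
    return head + terms ** (1 - s) / (s - 1) + 0.5 * terms ** -s

def sample_diag(n, i, rng, max_iter=10**5):
    """Discrete-ISM draw of h_ii for 1 <= i <= n-1 (assumed pmf, see lead-in)."""
    s = n + 1 - i
    target = rng.random() * zeta(s)        # y * zeta(s), y uniform in [0, 1)
    j, acc = 1, 1.0
    while acc < target and j < max_iter:   # max_iter: added safeguard (assumption)
        j += 1
        acc += j ** -s                     # the update s_i = s_i + j_i^-(n+1-i)
    return j

def sample_last(n, M, D, rng):
    """Continuous-ISM draw of h_nn in [1, M // D], assumed CDF (x*D/M)^n."""
    bound = M // D
    if bound < 1:
        raise ValueError("product of the first n-1 diagonals exceeds M")
    z = bound * rng.random() ** (1.0 / n)  # solve G(z) = y for z
    return min(bound, max(1, math.ceil(z)))

def random_hnf(n, M, seed=None):
    """Return an n x n HNF (list of rows) with determinant at most M."""
    rng = random.Random(seed)              # seeded for reproducible test inputs
    diag = [sample_diag(n, i, rng) for i in range(1, n)]
    diag.append(sample_last(n, M, math.prod(diag), rng))
    H = [[0] * n for _ in range(n)]
    for j in range(n):
        H[j][j] = diag[j]
        for i in range(j):
            H[i][j] = rng.randrange(diag[j])   # uniform in [0, h_jj)
    return H

def is_hnf(H):
    """Definition 1: upper triangular, positive diagonal, columns reduced."""
    n = len(H)
    return all(
        H[i][j] == 0 if i > j else H[i][j] > 0 if i == j else 0 <= H[i][j] < H[j][j]
        for i in range(n) for j in range(n))

if __name__ == "__main__":
    H = random_hnf(6, 2**128, seed=1)
    print(is_hnf(H), [H[k][k] for k in range(6)])
```

Because $y$ and $z$ are double-precision floats here, only the top 53 bits of $h_{nn}$ vary once $M/D_{n-1}$ exceeds $2^{53}$; use exact or multi-precision arithmetic if the low-order bits matter for the benchmark.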

Algorithm 1: Generate Random Integer Lattice
Now we present Algorithm 1 to generate a random integer lattice.

Algorithm 1 Random Integer Lattice Generation
Require: Dimension $n$, large integer $M$
Ensure: $n$-dim random integer lattice $L$ with $\det(L) \le M$
Step 1: Generate $h_{11}, \cdots, h_{n-1,n-1}$
$D_0 = 1$
for $i = 1$ to $n-1$ do

in the $i$-th while iteration by $T(i)$. Notice that: since $\zeta(s)$ converges to one quite fast as $s$ grows, the majority of $h_{ii}$ will be set to one. In fact, by the numerical results, we have following result: Fact 1: For any integer $n \ge 10$, By this fact, for $i \le n-10$, all the $h_{ii}$ are very likely to be set to one, implying that $T(1), T(2), \cdots, T(n-10) = 0$ with probability ≥ 0.999. Then, we consider $T(n-9), T(n-8), \cdots, T(n-1)$. If we set the probability bound for each $T(i)$ to be 0.999, then by accurate numerical results, we have the following Table 2:

Thus, we have the following theorem: Theorem 9. The number of floating-point operations performed in Algorithm 1 is bounded by 1300 with probability ≥ 0.99.
Proof. By the above table, $\sum_{i=n-9}^{n-1} T(i)$ is bounded by 640 with probability $\ge 0.999^9$. Since $T(1), T(2), \cdots, T(n-10) = 0$ with probability ≥ 0.999, we know that $\sum_{i=1}^{n-1} T(i)$ is bounded by 640 with probability $\ge 0.999^{10} \ge 0.99$. Notice that each $s_i = s_i + j_i^{-(n+1-i)}$ needs two floating-point operations, and it also needs another four floating-point operations to generate $h_{nn}$ in Step 2; thus, with probability ≥ 0.99, the total number of floating-point operations performed in Algorithm 1 is bounded by $640 \times 2 + 4 = 1284 < 1300$, which completes the proof.
It is not hard to see that in Algorithm 1, besides the floating-point operations, the remaining parts of Step 1, Step 2, and Step 3 take $O(n^2)$, $O(1)$, and $O(n^2)$ operations, respectively. Combining this with Theorem 9, we have the following result:
Theorem 10. Algorithm 1 outputs a random integer lattice within $O(n^2)$ operations with probability ≥ 0.99.

Conclusions
In this paper, we presented an improved algorithm for generating random integer lattices and discussed its time complexity. We proved that with probability ≥0.99, this algorithm outputs an n-dim random integer lattice within $O(n^2)$ operations. We pointed out that there is still room for improvement of our algorithm, and we leave this as an open problem.