1 Introduction

The Hidden Subgroup Problem. Among all quantum algorithms, Shor’s algorithm [32] for factoring and finding discrete logarithms stands out as demonstrating the largest complexity gap between classical and quantum computing. It is also singular in its cryptanalytic implications, and, due to progress toward the realization of large quantum computers, this celebrated algorithm is now motivating the standardization of quantum-resistant schemes [23], in preparation for a global update of widely deployed encryption and authentication protocols.

The core idea of quantum period finding from [32] is not limited to factoring and discrete logarithm, and the Hidden Subgroup Problem formalized in [22] serves as a convenient interface between the quantum-algorithmic techniques for period finding, and applications to solve other computational problems, in particular problems arising from number theory. We will here discuss only the case of commutative groups. The cases of non-abelian groups such as dihedral groups are very interesting as well and have fascinating connections with lattice problems [29]; however, no polynomial time algorithm is known for those cases, and the best known algorithm has sub-exponential complexity [19], using very different techniques.

The simplest version of the Hidden Subgroup Problem consists of finding a hidden subgroup H in a finite abelian group G, when given access to a strictly H-periodic function \(\varvec{f}:G \rightarrow R\). Here, in the language of representation theory, the off-the-shelf period-finding quantum algorithm finds a uniformly random character \(\chi \in \hat{G}\) that acts trivially on H. Shor’s original algorithm [32] for integer factoring finds a hidden subgroup H in the ambient group \(\mathbb {Z}\). The infiniteness of \(\mathbb {Z}\) induces some “cut-off” error; nevertheless, the distribution of the algorithm’s output is still concentrated around the multiples of the inverse period.

A generalization to the real line \(H = \mathbb {R}\) was given by Hallgren [16] and allows one to solve Pell’s equation. The case of a real vector space of constant dimension \(H = \mathbb {R}^c\) has also been studied in [15, 31], and permits the computation of unit groups of number fields of finite degree.

The Continuous Hidden Subgroup Problem in Large Dimension. The latest generalization of the HSP algorithm, given by Eisenträger, Hallgren, Kitaev and Song in an extended abstract [11], targets the ambient group \(G = \mathbb {R}^m\) (for a non-constant dimension m) with a hidden discrete subgroup \(H = \varLambda \), i.e. a lattice. Next to the ambient group \(\mathbb {R}^m\) being continuous, an additional special feature is that the \(\varLambda \)-periodic function \(\varvec{f}\) is assumed to produce a “quantum output”. More formally, \(\varvec{f}:\mathbb {R}^m \rightarrow \mathcal {S}\), \(x \mapsto | \varvec{f}(x) \rangle \), where \(\mathcal {S}\) is the state space of a quantum system, and the HSP algorithm is given access to a unitary that maps \(| x \rangle | 0 \rangle \) to \(| x \rangle | \varvec{f}(x) \rangle \). A crucial observation here is that \(| \varvec{f}(x) \rangle \) and \(| \varvec{f}(y) \rangle \) are not necessarily orthogonal (or even distinct) for distinct x and y modulo \(\varLambda \). In other words, it is not assumed that \(\varvec{f}\) is strictly periodic, but merely that \(| \varvec{f}(x) \rangle \) and \(| \varvec{f}(y) \rangle \) are “somewhat orthogonal” for x and y that are “not too close” modulo \(\varLambda \), and that \(\varvec{f}\) is Lipschitz continuous.

More specifically they consider a variation of the standard HSP algorithm in order to tackle the Continuous Hidden Subgroup Problem (CHSP). In order to deal with the continuous nature of the domain \(\mathbb {R}^m\) of \(\varvec{f}\), the given HSP algorithm acts on a bounded “grid” of points within \(\mathbb {R}^m\). Additionally, the algorithm is modified in the following ways: (1) The initial state is not a uniform superposition (over the considered grid points in \(\mathbb {R}^n\)) but follows a trigonometric distribution, and (2) the quantum Fourier transform is done “remotely”, i.e., rather than applying it to the actual register, the register is entangled with an ancilla and the quantum Fourier transform is then applied to the ancilla instead. According to [11], applying the quantum Fourier transform directly would make the resulting approximation errors difficult to analyze.

As an application, [11] also gave a quantum polynomial time algorithm for computing the unit group of a number field. This was generalized by Biasse and Song [2] to the computation of S-unit groups, and therefore to the computation of class groups and to finding a generator of a principal ideal. This led to solving the short vector problem in certain ideal lattices for non-trivial approximation factors [7, 8, 27]. While the cryptanalytic consequences for ideal-lattice based cryptography seem limited so far [10], these results demonstrate a hardness gap between ideal lattices and general ones.

The algorithm of [11] has proved itself to be a key tool in quantum cryptanalysis, and, as such, the questions of its precise range of application and of its practical efficiency are of cryptographic interest. Unfortunately, [11] offers only an informal treatment of the algorithm, both in terms of the analysis and in terms of the formulation of the result. Also, at the time of preparing this article, there was no full version publicly available.

The extended abstract [11] explains convincingly that in the limit of choosing an unbounded and infinitely fine grid in \(\mathbb {R}^m\) the algorithm does what it is supposed to do; however, the “rate of convergence” and thus the quantitative aspects of their result are not provided. Furthermore, it was not clear to us what “polynomial-time” formally meant when the input is an oracle, specified by various parameters. For example, in an application of the Continuous HSP algorithm it may be critical to know whether the running time grows polynomially in the Lipschitz constant of f (which is one of the 3 parameters of the Continuous HSP), or polynomially in its logarithm.

In an email from September 2018, Fang Song [33] partially answered early questions we had; technically his comments correspond to a claim on the error term \(\epsilon _{\text {lip}}\) in Part 2 Step 2 of our analysis of the Dual Lattice Sampling step (Sect. 5.2). We found that this claim could be related to the Yudin-Jackson Theorem [37]. To make the analysis tighter, we found it preferable to generalize the Yudin-Jackson Theorem to multi-dimensional ranges (see Appendix D of the full version [3]).

The urge to understand the security of post-quantum cryptography motivates the elevation of the powerful result of [11] into an open and lively research topic.

Our Work. The goal of this paper is to provide a complete, modular, and quantitative analysis of (a slightly modified version of) the Continuous HSP quantum algorithm given by [11]. More concretely, we provide an explicit bound on the number of qubits needed by the algorithm, clarifying the dependency on the parameters of the Continuous HSP instance and on the required precision and success probability. This shows explicitly in what parameters the algorithm is polynomial time and with what exponent.

The algorithm that we consider and analyze differs from the one considered in [11] in the following points:

  • First, we specify the initial state of the algorithm to have Gaussian amplitudes, while [11, Sec. 6.2] suggests to use a cropped trigonometric function; as far as we can see, our choice makes the analysis simpler and tighter thanks to the well known tail-cut and smoothness bounds of Banaszczyk [1] and Micciancio and Regev [20].

  • Secondly, we do not make use of a “remote” Fourier transform but instead follow the blueprint of Shor’s original algorithm in that respect; the claimed advantage of the “remote” Fourier transform is unclear to us.

These modifications simplify the algorithm and its analysis. Due to the lack of details given in [11], we cannot state a complexity comparison, but we think this variation is at least as efficient as the original algorithm.

Our analysis is divided into four parts, each summarized by a formal statement given in Sects. 2.3 to 2.6, leading to the main theorem (Sect. 2.2). We insist on this modular presentation, so as to enable future work on optimization and specialization of this algorithm to instances of interest; specific suggestions follow.

In the first part (Dual Lattice Sampling), which is the technically more involved one, we show that the appropriately discretized and finitized, but otherwise (almost) standard HSP quantum algorithm produces sample points in \(\mathbb {R}^m\) that lie close to the dual lattice \(\varLambda ^*\) with high probability. More precisely, and more technically speaking, we show that the algorithm’s output is a sample point close to \(\ell ^* \in \varLambda ^*\) with probability close to \( \langle c_{\ell ^*} | c_{\ell ^*} \rangle \), where the vectors \(| c_{\ell ^*} \rangle \) are the Fourier coefficients of the function \(\varvec{f}\). This is in line with the general HSP approach, where for instance Shor’s algorithm for period finding over \(\mathbb {Z}\) produces a point that is close to a random multiple of the inverse period, except with bounded probability.

In this first part (Sect. 4 and Sect. 5), we bound the complexity of the core algorithm in terms of the error that we allow in the above context of a sampling algorithm, and depending on the Lipschitz constant of \(\varvec{f}\). In particular, we show that the number of qubits grows as mQ, where Q, the “number of qubits per dimension”, grows linearly in the logarithm of the Lipschitz constant of \(\varvec{f}\), the logarithm of the inverse of the error probability and the logarithm of the inverse of the (absolute) precision, and quasi-linearly in m. The running time of the algorithm is then bounded by \(O(m^2Q^2)\).

In the second part (Full Dual Recovery, Sect. 6), we then relate the parameters of the Continuous HSP instance to the number of sample points, and thus to how often the core algorithm needs to be repeated, necessary in order to have an approximation of the entire dual lattice \(\varLambda ^*\).

In the third part (Primal Basis Reconstruction, see Appendix B of the full version [3]), we study the numerical stability of reconstructing an approximate basis of the primal lattice \(\varLambda \) from a set of approximate generators of the dual lattice \(\varLambda ^*\). This is based on the Buchmann-Pohst algorithm [4] already mentioned in [11]. The claim of [11] involves intricate quantities related to sublattices of \(\varLambda \), making the final complexity hard to derive; we provide a simpler statement with a detailed proof.

Finally, in the last part (see Appendix C of the full version [3]), we revisit the quantum poly-time algorithm for Gaussian State Preparation [13, 18] used as a black-box in our first part, and provide its precise complexity.

These four parts lead to our formal and quantitative version of the informal CHSP Theorem of [11, Theorem 6.1], stated as Theorem 1 in Sect. 2.2.

Conclusion and Research Directions. Our conclusion is that, in its generic form, the Continuous Hidden Subgroup Problem is rather expensive to solve; not accounting for other parameters than the dimension m, it already requires \(\tilde{O}(m^3)\) qubits and \(\tilde{O}(m^7)\) quantum gates (or, \(\tilde{O}(m^4)\) quantum gates if an approximate quantum Fourier transform is used). However, this inefficiency seems to be a consequence of its genericness. In particular, the core algorithm for Dual Lattice Sampling would only need \(\tilde{O}(m^2)\) qubits, if it wasn’t for accommodating for the terrible numerical stability of the Primal Basis Reconstruction step. Similarly, we expect the number of samples needed to generate the dual lattice to be significantly smaller for smoother oracle functions.

All in all, our modular analysis of the generic steps of the CHSP algorithm sets the stage for analyzing and optimizing its specializations, in particular to cryptanalytic applications [7, 8]. We propose a few research directions towards this objective:

  • Study the costs (qubits, quantum gates) and the parameters of the oracle functions from [2, 11, 34] for solving the Unit Group Problem, the Principal Ideal Problem (PIP), and for the computation of the class-group.

  • Find stronger hypotheses satisfied by the above oracle functions (or by variants thereof) that improve this generic analysis of the CHSP algorithm; or resort to an ad-hoc analysis of the Full Dual Recovery step by directly studying the spectrum of these oracle functions.

  • Explore the possibility of a trade-off between the (classical) Primal Basis Reconstruction step and the (quantum) Dual Lattice Sampling step, possibly up to small sub-exponential classical complexity. More specifically, does replacing LLL by BKZ with a medium block-size substantially improve the numerical stability of the Buchmann-Pohst algorithm?

  • Exploit prior knowledge of sublattices (potentially close to full-rank) of the hidden lattice to accelerate or skip the Full Dual Recovery and Primal Basis Reconstruction steps. This is for example the case when solving PIP [2] while already knowing the unit group and the class group of a given number field. This would be applicable in the context of [7, 8].

  • Exploit known symmetries of the hidden sublattice to improve the Full Dual Recovery and Primal Basis Reconstruction steps. Such symmetries are for example induced by the Galois action on the log-unit lattice and the lattice of class relation, in particular in the case of the cyclotomic number fields. This would again be applicable in the context of [7, 8].

2 Problem Statements and Results

2.1 Notation and Set-Up

Here and throughout the paper, \(\mathcal {H}\) is a complex Hilbert space of dimension \(N = 2^n\), and \(\mathcal {S}\) is the unit sphere in \(\mathcal {H}\); thus, a vector in \(\mathcal {S}\) describes the state of a system of n qubits. For an arbitrary positive integer m, we consider a function

$$ \varvec{f}: \mathbb {R}^m \rightarrow \mathcal {S}\subset \mathcal {H}\,, \, x \mapsto | \varvec{f}(x) \rangle $$

that is periodic with respect to a full rank lattice \(\varLambda \subset \mathbb {R}^m\); hence, \(\varvec{f}\) may be understood as a function \(\mathbb {R}^m/\varLambda \rightarrow \mathcal {S}\). The function \(\varvec{f}\) is assumed to be Lipschitz continuous with Lipschitz constant

$$\begin{aligned} {\text {Lip}}(\varvec{f}) = \inf \{ L > 0 ~|~ \left\Vert | \varvec{f}(x) \rangle - | \varvec{f}(y) \rangle \right\Vert _\mathcal {H}\le L \left\Vert x-y\right\Vert _{2,\mathbb {T}^m} \}. \end{aligned}$$

Later, we will also require \(\varvec{f}\) to be “sufficiently non-constant”. One should think of \(\varvec{f}\) as an oracle that maps a classical input x to a quantum state over n qubits, which is denoted \(| \varvec{f}(x) \rangle \).

We write \(\varLambda ^*\) for the dual lattice of \(\varLambda \). By \(\lambda _1(\varLambda )\) we denote the length of a shortest non-zero vector of \(\varLambda \), and correspondingly for \(\lambda _1(\varLambda ^*)\). Since \(\varLambda \) is typically clear from the context, we may just write \(\lambda _1\) and \(\lambda _1^*\) instead of \(\lambda _1(\varLambda )\) and \(\lambda _1(\varLambda ^*)\).

We denote by \(\mathcal {B}_r(x) = \{ y \in \mathbb {R}^m ~|~ \Vert y - x\Vert < r \}\) the open Euclidean ball with radius r around x, and by \(B_{r}(x) = \mathcal {B}_r(x) \cap \mathbb {Z}^m\) its integer analogue. For the open ball around 0 we just denote \(\mathcal {B}_r\), and for a set \(X \subset \mathbb {R}^m\) we write \(\mathcal {B}_r(X) = \bigcup _{x} \mathcal {B}_r(x)\) and \(B_r(X) = \bigcup _{x} B_r(x)\) where the union is over all \(x \in X\).

Definition 1

(Definition 1.1 from [11]). A function \(\varvec{f}: \mathbb {R}^m \rightarrow \mathcal {S}\subset \mathcal {H}\) is said to be an \((a, r, \epsilon )\)-HSP oracle of the full-rank lattice \(\varLambda \subset \mathbb {R}^m\) if

  • \(\varvec{f}\) is \(\varLambda \)-periodic,

  • \(\varvec{f}\) is a-Lipschitz: \({\text {Lip}}(f) \le a\),

  • For all \(x, y \in \mathbb {R}^m\) such that \(d_{\mathbb {R}^m/\varLambda }(x, y) \ge r\), it holds that \(|\langle \varvec{f}(x) | \varvec{f}(y) \rangle | \le \epsilon \),

where \(d_{\mathbb {R}^m/\varLambda }(x, y) = \min _{v \in \varLambda } \Vert x - y - v\Vert \) denotes the distance induced by the Euclidean distance of \(\mathbb {R}^n\) modulo \(\varLambda \).

2.2 Main Theorem: Continuous Hidden Subgroup Problem

Theorem 1

There exists a quantum algorithm that, given access to an \((a,r,\epsilon )\)-HSP oracle with period lattice \(\varLambda \), \(r < \lambda _1(\varLambda )/6\) and \(\epsilon < 1/4\), computes, with constant success probability, an approximate basis \(\tilde{B}= B + \varDelta _B\) of this lattice \(\varLambda \), satisfying \(\Vert \varDelta _B\Vert < \tau \).

This algorithm makes k quantum oracle calls to the \((a,r,\epsilon )\)-HSP oracle, and uses \(mQ + n\) qubits, \(O(k m^2 Q^2)\) quantum gates and \(poly(m, \log \frac{a}{\lambda _1^*}, \log \frac{a}{\tau })\) classical bit operations, where

$$\begin{aligned} Q&= O(mk) + O\left( \log \frac{a}{\lambda _1^*}\right) + O\left( \log \frac{1}{\lambda _1^* \cdot \tau }\right) , \end{aligned} \tag{1}$$

$$\begin{aligned} k&= O\left( m \cdot \log \left( \sqrt{m} \cdot a \cdot (\det \varLambda )^{1/m}\right) \right) \end{aligned} \tag{2}$$

Remark 1

The quantum gate complexity in this theorem can be lowered to \(O(k m Q \log (kmQ))\) if we approximate the quantum Fourier transform [14] over \(\mathbb {Z}/q^m\mathbb {Z}\). For example, an approximation that is \(1/k^2\)-close in the induced matrix norm – which is sufficient for our purposes – can be computed using \(O(mQ \log (kmQ))\) quantum gates (where \(Q = \log q\)). Repeating this approximate Fourier transform k times, one arrives at the complexity \(O(k m Q \log (kmQ))\).

Remark 2

Note that the quantities inside logarithms are homogeneous. In particular, scaling the lattice \(\varLambda \) by a factor f also scales \(\tau \), 1/a and \(1/\lambda _1^*\) by the same factor f, leaving the complexity parameters Q and k unaffected.

Remark 3

The expert reader may expect the “distortion” parameter \(\lambda _1 \cdot \lambda ^*_1\) of the lattice \(\varLambda \) to have a bearing on the complexity of this algorithm. It is indeed implicitly the case: the assumptions of the HSP definition imply that \(a r \ge 1 - \epsilon ^2\), and therefore the theorem’s hypothesis requires \(a \ge \frac{45}{8\lambda _1}\).

Proof

This is obtained by instantiating Theorems 2 to 5. First, we obtain k samples close to the dual lattice by invoking Algorithm 1 k times; its correctness and complexity are given in Theorem 2. Samples whose Euclidean length exceeds a certain threshold R are rejected. The approximate samples are collected into a matrix \(\tilde{G}\).

The above step requires preparing Gaussian states with parameter s over a grid of granularity q; this is obtained by k calls to Algorithm 1, whose cost and correctness are stated in Theorem 5. The cost of this subroutine is dominated by the cost of Algorithm 1.

According to Theorem 3, the approximated dual samples generate the dual lattice \(\varLambda ^*\) with constant probability. Finally, one applies the Buchmann-Pohst algorithm [4, 5] and matrix inversion to \(\tilde{G}\), in order to recover an approximate basis of the primal lattice \(\varLambda \). The loss of precision induced by this computation is given in Theorem 4. The parameters are instantiated as follows:

  • the failure probability \(\eta \) of dual lattice sampling is set to \(\eta = 1/k^2\),

  • the parameter \(\alpha \) driving the success of dual reconstruction is set to \(\alpha = 1\),

  • the relative error on dual lattice sample is set to

    $$\begin{aligned} \delta = \frac{(\lambda _1^*)^2 \cdot \det (\varLambda ^*) }{2^{O(mk)} \cdot \Vert \tilde{G}\Vert _\infty ^{m+1}} \cdot \tau , \end{aligned}$$
  • the maximal entry size of the dual samples is \(\Vert \tilde{G}\Vert _\infty \le R\) where \(R = \sqrt{m} \cdot a\),

  • the discretization granularity is set to \(q = 2^Q\),

  • the Gaussian windowing parameter s is set to \(s = O(\sqrt{m \log (\eta ^{-1})})\).

We defer the detailed bookkeeping for deriving the parameters Q and k to Appendix A of the full version [3].    \(\square \)

2.3 Dual Lattice Sampling Problem

Following our modular approach as outlined in the introduction, we first consider the following Dual Lattice Sampling Problem instead. Informally, the task is to sample points in \(\mathbb {R}^m\) that are respectively close to points \(\ell ^* \in \varLambda ^*\) that follow the distribution \(\mathcal {D}_{ideal}(\ell ^*) = \langle c_{\ell ^*} | c_{\ell ^*} \rangle \), where \(| c_{\ell ^*} \rangle \) are the vectorial Fourier coefficients of \(\varvec{f}:\mathbb {R}^m/\varLambda \rightarrow \mathcal {S}\) (see Sect. 3).

Problem 1 (Dual Lattice Sampling Problem)

Given error parameter \(\eta > 0\) and a relative distance parameter \(\frac{1}{2}> \delta > 0\), and given oracle access to an HSP oracle \(\varvec{f}\) as above, sample according to a (finite) distribution \(\mathcal {D}\) on \(\mathbb {R}^m\) that satisfies, for any \(S \subseteq \varLambda ^*\),

$$\begin{aligned} p_S := \mathcal {D}\bigl (\mathcal {B}_{\delta \lambda _1^*}(S)\bigr ) \ge \left( \sum _{\ell ^* \in S} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \right) - \eta \, . \end{aligned} \tag{3}$$

In the problem statement above, \(\mathcal {D}\bigl (\mathcal {B}_{\delta \lambda _1^*}(S)\bigr )\) denotes the cumulative weight of the set \(\mathcal {B}_{\delta \lambda _1^*}(S)\) with respect to the distribution \(\mathcal {D}\).

Theorem 2

Algorithm 1 solves the Dual Lattice Sampling Problem with parameters \(\eta \) and \(\delta \); it uses m calls to the Gaussian superposition subroutine (see Theorem 5), one quantum oracle call to \(\varvec{f}\), \(mQ + n\) qubits, and \(O(m^2 Q^2)\) quantum gates, where

$$\begin{aligned} Q = O\left( m\log \left( m \log \frac{1}{\eta }\right) \right) + O\left( \log \left( \frac{{\text {Lip}}(\varvec{f})}{\eta \cdot \delta \lambda _1^*}\right) \right) . \end{aligned} \tag{4}$$

Remark 4

Note that this step only requires smoothness of the HSP oracle (via the Lipschitz constant), but does not rely on the “separability” assumption (third item of Definition 1). Indeed this third assumption will only play a role to ensure that those samples are actually non-trivial and usable.
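The guarantee of Problem 1 can be checked classically in one dimension. The following added example (not code from the paper, and a simplification rather than Algorithm 1) computes the measurement distribution of the "window, oracle, Fourier transform, measure" procedure for a constructed three-component oracle, once with a grid-aligned period and once with a non-aligned period under a Gaussian window. The grid on [-1/2, 1/2), the values of P, q and s, the convention for rho, and all function names are assumptions.

```python
import cmath
import math


def centered(q):
    """[q]_c = Z ∩ [-q/2, q/2): representatives for the grid and for its dual."""
    return range(-(q // 2), -(q // 2) + q)


def oracle(x, P):
    """Constructed oracle |f(x)> in C^3 (hypothetical, for illustration only).

    Unit norm and periodic with period lattice (1/P)Z, so the dual lattice is
    P*Z. Its Fourier coefficients c_l are orthogonal vectors located at
    l = 0, P and -2P, hence <c_l|c_l> = 1/3 for each of them.
    """
    r = 1 / math.sqrt(3)
    return [r,
            r * cmath.exp(2j * math.pi * P * x),
            r * cmath.exp(-4j * math.pi * P * x)]


def uniform_amplitudes(q):
    """Uniform superposition over the grid points x = j/q."""
    return {j: 1 / math.sqrt(q) for j in centered(q)}


def gaussian_amplitudes(q, s):
    """Amplitudes proportional to sqrt(rho_{1/s}(x)) on x = j/q.

    Assumes the usual convention rho_sigma(x) = exp(-pi x^2 / sigma^2).
    """
    w = {j: math.exp(-math.pi * (s * j / q) ** 2 / 2) for j in centered(q)}
    norm = math.sqrt(sum(v * v for v in w.values()))
    return {j: v / norm for j, v in w.items()}


def output_distribution(P, q, amps):
    """Pr[y] for y in [q]_c after preparing sum_x amps[x]|x>, attaching |f(x)>,
    and applying the unitary Fourier transform over Z/qZ to the x register."""
    states = {j: oracle(j / q, P) for j in centered(q)}
    dist = {}
    for y in centered(q):
        vec = [0j, 0j, 0j]
        for j in centered(q):
            coeff = amps[j] * cmath.exp(-2j * math.pi * j * y / q)
            for i, comp in enumerate(states[j]):
                vec[i] += coeff * comp
        # Squared norm of the unnormalised residual state, with the 1/sqrt(q)
        # factor of the unitary transform applied.
        dist[y] = sum(abs(v) ** 2 for v in vec) / q
    return dist


def mass_near(dist, points, radius):
    """Total probability of outcomes within `radius` of some point in `points`."""
    return sum(p for y, p in dist.items()
               if any(abs(y - pt) <= radius for pt in points))


def aligned_case():
    """Period 1/8 divides the grid spacing 1/64: no cut-off error, the
    spectrum sits exactly on the dual lattice 8Z."""
    return output_distribution(8, 64, uniform_amplitudes(64))


def windowed_case():
    """Period 1/20.3 is not aligned with the grid: with a Gaussian window the
    outcomes land near, not on, the dual lattice 20.3*Z."""
    return output_distribution(20.3, 128, gaussian_amplitudes(128, 5.0))


if __name__ == "__main__":
    a = aligned_case()
    print("aligned support:", sorted(y for y, p in a.items() if p > 1e-9))
    w = windowed_case()
    dual_points = [0, 20.3, -40.6]
    # radius 3 corresponds to delta * lambda_1^* with delta = 3 / 20.3 < 1/2
    print("windowed mass within 3 of dual points:", mass_near(w, dual_points, 3))
    for pt in dual_points:
        print("  near", pt, "->", round(mass_near(w, [pt], 3), 4))
```

In the windowed case each dual point receives close to its ideal weight of 1/3, and the shortfall is the Gaussian tail outside the radius, which plays the role of the slack \(\eta\) in inequality (3).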

2.4 Full Dual Lattice Recovery

Recovering the full lattice (or equivalently its dual) requires an extra assumption on the oracle function \(\varvec{f}\), as captured by the third condition in the following definition, reformatted from Definition 1.1 of [11].

According to Eisenträger et al. [11], for (some undetermined) adequate parameters, Definition 1 ensures that the distribution on the dual lattice \(\varLambda ^*\) is not concentrated on any proper sublattice, hence sufficiently many samples will generate the lattice fully. We formalize and quantify this proof strategy, and obtain the following quantitative conclusion. We note that the constraints on r and \(\epsilon \) are milder than one might think; for example, \(\epsilon \) does not need to tend to 0 as a function of n or m.

Theorem 3

Let \(\varvec{f} : \mathbb {R}^m \rightarrow \mathcal {S}\) be an \((a, r, \epsilon )\)-HSP oracle with \(r \le \lambda _1(\varLambda )/6\) and \(\epsilon \in [0, 1/3)\), and let \(\mathcal D_{{\text {ideal}}}\) be the distribution described above, given by \(\mathcal D_{{\text {ideal}}}(\ell ^*) = \langle c_{\ell ^*} | c_{\ell ^*} \rangle \) for \(\ell ^* \in \varLambda ^*\). Furthermore, denote by S the random variable defined by the number of samples that need to be drawn from \(\mathcal D_{{\text {ideal}}}\) such that the samples together generate \(\varLambda ^*\) as a lattice. Then, for any \(\alpha > 0\),

$$\begin{aligned} \Pr \left[ S > (2 + \alpha )\frac{t + m }{\frac{1}{2} - \frac{1}{4 \pi ^2} - \epsilon } \right] \le \exp (-\alpha (t + m)/2 ) \end{aligned}$$

where \(t = m\log _2(\sqrt{m} \cdot a) + \log _2(\det (\varLambda ))\).

The above Theorem is obtained by combining Lemmata 5 and 8 from Sect. 6, instantiating the parameter R to \(R^2 = ma^2\). This choice is somewhat arbitrary and given for concreteness, however it does not have a critical quantitative impact.

2.5 Primal Basis Reconstruction

Theorem 4

There exists a polynomial time algorithm, that, for any matrix \(G\in \mathbb {R}^{k \times m}\) of k generators of a (dual) lattice \(\varLambda ^*\), and given an approximation \(\tilde{G}= G+ \varDelta _G\in \mathbb Q^{k \times n}\), computes an approximation \(\tilde{B}= B+ \varDelta _B\) of a basis \(B\) of the primal lattice \(\varLambda \), such that

$$\begin{aligned} \Vert \varDelta _B\Vert _\infty \le \frac{2^{O(mk)} \cdot \Vert \tilde{G}\Vert _\infty ^{m+1}}{(\lambda _1^*)^3 \cdot \det (\varLambda ^*) } \cdot \Vert \varDelta _G\Vert _\infty , \end{aligned}$$

under the assumption that \( \Vert \varDelta _G\Vert _\infty < \frac{\min (1, (\lambda _1^*)^2) \cdot \det (\varLambda ^*)}{2^{O(km)} \cdot \Vert \tilde{G}\Vert _\infty ^{m+1} }\).

Remark 5

More specifically, the algorithm from Theorem 4 essentially consists of the Buchmann-Pohst algorithm [4, 5] and a matrix inversion. Its complexity is dominated by two calls to LLL on matrices of dimension \((m + k) \times k\) and entry bitsize \(O(k^2 \log (\Vert \tilde{G}\Vert /\lambda _1^*))\) (see the discussion before [4, Cor. 4.1]). One can optimize the final running time by choosing the adequate variant of LLL [24, 26] depending on the relative dimension and bitsizes of these inputs.

Our contribution on this step is merely a completed numerical analysis, with the help of a theorem from [6]. A claim with a similar purpose is given in [11], yet involves more intricate lattice quantities.

2.6 Gaussian State Preparation

The main algorithm of this paper requires the preparation of a multidimensional Gaussian initial state, which can be obtained by generating the one-dimensional Gaussian state on m parallel quantum registers. This task is known to be polynomial time [13, 18], and we provide a quantitative analysis in Appendix C of the full version [3]. The precise running time of preparing this Gaussian state is summarized below.

Theorem 5

For any positive integers q, p and for any \(s> 1\), there exists a quantum algorithm that prepares the one-dimensional Gaussian state

$$\begin{aligned} \frac{1}{\sqrt{\rho _{1/s}(\frac{1}{q}[q]_c)}} \sum _{x \in \frac{1}{q} [q]_c} \sqrt{\rho _{1/s}(x)} | x \rangle \end{aligned} \tag{5}$$

up to trace distance \(se^{-\pi s^2/8} + Q \cdot 2^{-p}\) using \(O(Q + p)\) qubits and \(O(Q \cdot p^{3/2} \cdot {{\,\mathrm{polylog}\,}}(p))\) quantum gates, where \(Q = \log (q)\) and \(\frac{1}{q} [q]_c = [-\frac{1}{2}, \frac{1}{2}) \cap \frac{1}{q} \mathbb {Z}\).

The above theorem is obtained by instantiating Theorem 12 in Appendix C of the full version [3] with parameters \(\mu = q/2\), \(k = p\) and \(\sigma = \sqrt{2}q/s\) and relabeling the basis states. Whenever the above theorem is used as a subroutine in Theorem 2, choosing \(p = \log (mQ/\eta ^2)\) is sufficient, causing merely an extra error of \(\eta ^2\).

Remark 6

In Theorem 1, we chose \(\eta \) to be \(1/k^2\), yielding \(p = \log (mk^4Q)\). Therefore, one call to the one-dimensional Gaussian state preparation with the parameters of Theorem 1 takes O(Q) qubits and \(O(Q \log (kmQ))\) quantum gates. As Theorem 1 requires k subsequent preparations of the m-dimensional Gaussian state, the total costs of the Gaussian state preparation steps are O(mQ) qubits and \(\tilde{O}(kmQ)\) quantum gates. As this is negligible compared to the overall complexity of Theorem 1, we can ignore these costs.

3 Preliminaries

We start with a brief introduction to Fourier analysis over arbitrary locally compact Abelian groups. Our general treatment allows us to then apply the general principles to the different groups that play a role in this work. For the reader that is unfamiliar with such a general treatment, it is useful—and almost sufficient—to think of \(\mathbb {R}\), of \(\mathbb {T} = \mathbb {R}/\mathbb {Z}\), and a finite group. For more details and for the proofs we refer to [9].

3.1 Groups

Here and below we consider a locally compact Abelian group G. Such a group admits a Haar measure \(\mu \) that is unique up to a normalization factor. The crucial property of such a Haar measure is that it is invariant under the group action. Simple examples are \(G = \mathbb {R}\) with \(\mu \) the Lebesgue measure \(\lambda \), or a finite group G with \(\mu \) the counting measure \(\#\).

The dual group \(\hat{G}\), consisting of the continuous group homomorphisms \(\chi \) from G into the multiplicative group of complex numbers of absolute value 1, is again a locally compact Abelian group. As we shall see soon, for a fixed choice of the normalization factor of the Haar measure \(\mu \) for G, there is a natural choice for the normalization factor of the Haar measure \(\hat{\mu }\) for \(\hat{G}\).

Examples of locally compact Abelian groups that play an important role in this work are: the m-dimensional real vector space \(\mathbb {R}^m\); the m-fold torus \(\mathbb {T}^m:= \mathbb {R}^m/\mathbb {Z}^m\) and more generally \(\mathbb {R}^m/\varLambda \) for an arbitrary lattice \(\varLambda \) in \(\mathbb {R}^m\); and the finite group \({\mathbb {D}^m}:= \frac{1}{q}\mathbb {Z}^m/\mathbb {Z}^m \subset \mathbb {T}^m\) (which is isomorphic to \(\mathbb {Z}^m/q\mathbb {Z}^m\)) for a positive integer q. Figure 1 below shows the corresponding dual groups as well as the respective (dual) Haar measures as used in this paper.

Fig. 1. Some groups G and their respective dual groups \(\hat{G}\), plus the considered (dual) Haar measures \(\mu \) and \(\hat{\mu }\). Here, \(\lambda \) denotes the Lebesgue and \(\#\) the counting measure.

In some cases it will be useful to identify the quotient groups \(\mathbb {T}^m= \mathbb {R}^m/\mathbb {Z}^m\) and \({\mathbb {D}^m}= \frac{1}{q}\mathbb {Z}^m/\mathbb {Z}^m\) with the respective representing sets

$$ \mathbb {T}^m_{\mathrm {rep}}:= [\textstyle -\frac{1}{2},\frac{1}{2})^m \subset \mathbb {R}^m \qquad \text {and}\qquad \mathbb {D}^m_{\mathrm {rep}}:= \frac{1}{q}\mathbb {Z}^m \cap \mathbb {T}^m_{\mathrm {rep}}, $$

and similarly \({\hat{\mathbb {D}}^m}\simeq \mathbb {Z}^m/q\mathbb {Z}^m\) with

$$ \hat{\mathbb {D}}^m_{\mathrm {rep}}:= [q]_c^m := \mathbb {Z}^m \cap [\textstyle -\frac{q}{2},\frac{q}{2})^m. $$

It will be useful to understand that if \(H \subset G\) is a closed subgroup then G/H and H have dual groups that satisfy the following natural isomorphisms.

$$ \widehat{G/H} \simeq H^\perp := \{\chi \in \hat{G} ~|~ \chi (h) = 1 \, \forall \, h \in H \} \subset \hat{G} \quad \text {and}\quad \hat{H} \simeq \hat{G}/H^\perp . $$

As we shall see soon, for any choice of the Haar measure \(\mu _H\) for H there is a natural choice for the Haar measure \(\mu _{G/H}\) for G/H, and vice versa.

3.2 Norms and Fourier Transforms

Let G be as above with a fixed choice for the Haar measure \(\mu \). For any \(p \in [1,\infty ]\), \(L_p(G)\) denotes the vector space of measurable functions \(f: G \rightarrow \mathbb {C}\) with finite norm \(\left\Vert f\right\Vert _{p}\) (modulo the functions with vanishing norm), where

$$\begin{aligned} \left\Vert f\right\Vert _{p}^p := \int _{g \in G} |f(g)|^p d\mu \, ~~~ \text{ for } p < \infty , \end{aligned}$$

and

$$\begin{aligned} \left\Vert f\right\Vert _\infty := \underset{g \in G}{{{\,\mathrm{ess~sup}\,}}} ~ |f(g)|, \end{aligned}$$

the essential supremum of |f|. We write \(\left\Vert f\right\Vert _{p,G}\) if we want to make G explicit. For any function \(f \in L^1(G)\), the Fourier transform of f is the function

$$\begin{aligned} \mathcal {F}_G\{f \} : \hat{G} \rightarrow \mathbb {C}, \; \chi \mapsto \int _{g \in G} f(g) \bar{\chi }(g) d\mu , \end{aligned}$$

also denoted by \(\hat{f}\) when G is clear from the context. The Fourier transform of \(f \in L^1(G)\) is continuous, but not necessarily in \(L^1(\hat{G})\).

For example, for the group \({\mathbb {D}^m}:= \frac{1}{q}\mathbb {Z}^m/\mathbb {Z}^m\) with the Haar measure as fixed in Fig. 1, the \(L_2\)-norm and the Fourier transform are respectively given by

$$ \left\Vert f\right\Vert ^2_{2} = \frac{1}{q^m} \sum _{x \in {\mathbb {D}^m}} |f(x)|^2 \qquad \text {and}\qquad \mathcal {F}\{ f \}(y) = \frac{1}{q^{m}}\sum _{x \in {\mathbb {D}^m}} f(x) e^{-2\pi i \langle x,y \rangle } \, . $$

We note that we use a different convention on the scaling than what is common in the context of the quantum Fourier transform.

Given the Haar measure \(\mu \) for G, there exists a unique dual Haar measure \(\hat{\mu }\) for \(\hat{G}\) with the property that, for any \(f \in L^1(G)\), if \(\hat{f} = \mathcal {F}_G\{ f \} \in L^1(\hat{G})\), then \(f = \mathcal {F}_G^{-1}\{\hat{f} \}\), where

$$\begin{aligned} \mathcal {F}^{-1}_G\{\hat{f} \} : G \rightarrow \mathbb {C}, \; g \mapsto \int _{\chi \in \hat{G}} \hat{f}(\chi ) \chi (g) d\hat{\mu }\end{aligned}$$

is the inverse Fourier transform. From now on it is always understood that the Haar measure of the dual group is chosen to be the dual of the Haar measure of the primal group. With this choice, we also have the following well known fact [9, Thm. 3.4.8].

Theorem 6 (Plancherel’s Identity)

For all \(f \in L^1(G) \cap L^2(G)\),

$$\begin{aligned} \left\Vert f\right\Vert _{2,G} = \left\Vert \mathcal {F}_G\{f\} \right\Vert _{2, \hat{G}}. \end{aligned}$$

Finally, we recall the convolution theorem, which states that \(\widehat{f g} = \hat{f} \star \hat{g} = \int _{x \in G} \hat{f}(x) \hat{g}(\cdot ~-x) d\mu (x)\) for all functions \(f,g \in L^1(G)\) that have Fourier transforms \(\hat{f}, \hat{g} \in L^1(G)\). This extends to functions \(f \in L^1(G/H)\) and \(g \in L^1(G)\), with f understood as an H-periodic function on G. Tailored to \(G = \mathbb {R}^m\) and \(H = \varLambda \), where \(\mathbb {R}^m/\varLambda \) has dual group \(\varLambda ^*\), it then states that

$$ \mathcal {F}_{\mathbb {R}^m}\{f g\}(y) = \mathcal {F}_{\mathbb {R}^m/\varLambda }\{f\} \star \mathcal {F}_{\mathbb {R}^m} \{ g \}(y) = \sum _{\ell ^* \in \varLambda ^*} \! \mathcal {F}_{\mathbb {R}^m/\varLambda }\{f\}(\ell ^*) \, \mathcal {F}_{\mathbb {R}^m} \{ g \}(y-\ell ^*) $$

for any \(y \in \mathbb {R}^m\).

3.3 The Poisson Summation Formula

The Poisson summation formula is well known for the group \(G = \mathbb {R}\), where it states that \(\sum _{k \in \mathbb {Z}} \hat{f}(k) = \sum _{x \in \mathbb {Z}} f(x)\). In the case \(G = \mathbb {Z}/N\mathbb {Z}\), it states that

$$ \sum _{i=0}^{N/s} \hat{f}(i s) = \sum _{j=1}^s f(\textstyle j \frac{N}{s}) $$

for any integer s that divides N. In order to formulate the Poisson summation formula for an arbitrary locally compact Abelian group G, we need to introduce the notion of restriction and periodization of functions.

Definition 2 (Restriction)

Let \(H \subseteq G\) be a subset or a subgroup. For any continuous function \(f: G \rightarrow \mathbb {C}\) we define .

Definition 3 (Periodization)

Let H be a closed subgroup of G with Haar measure \(\mu _H\). For any function \(f \in L^1(G)\), we define

$$\begin{aligned} { \left. f \right| ^{G/H} }: G/H \rightarrow \mathbb {C}, \; g + H \, \mapsto \int _{h \in H} f(g + h) d\mu _H. \end{aligned}$$

For any closed subgroup of G with some fixed Haar measure \(\mu \) and any choice of the Haar measure \(\mu _H\) for H, there exists a Haar measure \(\mu _{G/H}\) for G/H such that the quotient integral formula

$$\begin{aligned} \int _{G/H} \left( \int _H f(g + h) d\mu _H(h) \right) d\mu _{G/H}(g+H) = \int _G f(g) d\mu (g) \end{aligned} \tag{6}$$

holds for any continuous function \(f: G \rightarrow \mathbb {C}\) with compact support (see [9, Section 1.5]).

Fig. 2. Informal illustration of Theorem 7 by means of a diagram that commutes whenever the maps are well defined.

With this choice of Haar measure for G/H, and with the dual measures for the respective dual groups, we are ready to state the general form of the Poisson summation formula (obtained from [9, Section 3.6], see also Fig. 2).

Theorem 7 (Poisson Summation Formula)

For continuous \(f \in L^1(G)\),

Applied to \(G = \mathbb {R}^m\) and \(H = \mathbb {Z}^m\), so that \(G/H = \mathbb {T}^m\) and \(\widehat{G/H} \simeq \mathbb {Z}^m\); and applied to \(G = \mathbb {T}^m\) and \(H = {\mathbb {D}^m}\) below, we obtain the following.

Corollary 1

For continuous \(h \in L^1(\mathbb {R}^m)\), we have .

Corollary 2

For continuous \(t \in L^1(\mathbb {T}^m)\), we have .

3.4 The Fourier Transform of Vector-Valued Functions

The Fourier transform as discussed above generalizes to vector-valued functions \(\varvec{f}: G \rightarrow \mathbb {C}^N\) simply by applying \(\mathcal {F}\) to the N coordinate functions, resulting in a function \(\mathcal {F}\{ \varvec{f} \}: \hat{G} \rightarrow \mathbb {C}^N\). By fixing an orthonormal basis, this extends to functions \(\varvec{f}: G \rightarrow \mathcal {H}\) for an arbitrary finite-dimensional complex Hilbert space, where, by linearity of the Fourier transform, \(\mathcal {F}\{ \varvec{f} \}: \hat{G} \rightarrow \mathcal {H}\) is independent of the choice of the basis.

The norm \(\left\Vert \cdot \right\Vert _{2,G}\) on functions \(G \rightarrow \mathbb {C}\) generalizes to vector-valued functions \(\varvec{f}: G \rightarrow \mathcal {H}\), as well, by defining \(\left\Vert \varvec{f}\right\Vert _{2,G}\) to be the norm of the scalar function \(x \mapsto \left\Vert \varvec{f}(x)\right\Vert _\mathcal {H}= \sqrt{ \langle \varvec{f}(x) | \varvec{f}(x) \rangle }\). The vectorial Fourier transforms and norms are compatible with each other, in the sense that Plancherel’s identity (see Theorem 6) still holds; that is,

$$\begin{aligned} \left\Vert \varvec{f}\right\Vert _{2,G} = \left\Vert \mathcal {F}_{G}\{ \varvec{f} \}\right\Vert _{2,\hat{G}}. \end{aligned}$$

Also the Poisson summation formula (see Theorem 7) is still valid, as well as the convolution theorem whenever one of the functions in the product is scalar:

$$\begin{aligned} \mathcal {F}_{G}\{ \varvec{f} g \} = \mathcal {F}_{G}\{ \varvec{f} \} \star \mathcal {F}_{G}\{ g \}. \end{aligned}$$

An important example is the case \(\varvec{f}:\mathbb {R}^m/\varLambda \rightarrow \mathcal {H}\). Spelling out the above, we get

$$ \mathcal {F}_{\mathbb {R}^m/\varLambda } \{ \varvec{f} \}: \varLambda ^* \rightarrow \mathcal {H}, \, \ell ^* \mapsto | c_{\ell ^*} \rangle := \frac{1}{\det \varLambda } \int _{x \in \mathbb {R}^m/\varLambda } | \varvec{f}(x) \rangle e^{-2\pi i \langle x,\ell ^* \rangle } dx, $$

where the vectors \(| c_{\ell ^*} \rangle \) are also referred to as the (vectorial) Fourier coefficients of \(\varvec{f}\). The Parseval-Plancherel identity then becomes

$$ \sum _{\ell ^* \in \varLambda ^*} \langle c_{\ell ^*} | c_{\ell ^*} \rangle = \left\Vert \varvec{f} \right\Vert _{2, \mathbb {R}^m/\varLambda }^2 := \frac{1}{\det \varLambda } \int _{x \in \mathbb {R}^m/\varLambda } \langle \varvec{f}(x) | \varvec{f}(x) \rangle dx. $$

3.5 Trigonometric Approximation

As another application of the Poisson summation formula, we derive a relation between the Lipschitz constant of a function on \(\mathbb {T}^m\) and the ‘error of discretization’ in the Fourier transform when restricting the function to \({\mathbb {D}^m}\).

Theorem 8

For any Lipschitz function \(\varvec{h}:\mathbb {T}^m\rightarrow \mathcal {H}\) with Lipschitz constant \({\text {Lip}}(\varvec{h})\), and any subset \(C\subseteq {\hat{\mathbb {D}}^m}\), we have

$$\begin{aligned} \big | \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} - \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m} \big | \le \frac{4 \pi \sqrt{m} {\text {Lip}}(\varvec{h})}{q} \end{aligned}$$

Here and below, we slightly abuse notation and use \(1_C\) as indicator function acting on \({\hat{\mathbb {D}}^m}\) and on \(\mathbb {Z}^m\), justified by identifying \({\hat{\mathbb {D}}^m}\) with \(\hat{\mathbb {D}}^m_{\mathrm {rep}}= [q]_c^m \subset \mathbb {Z}^m\). Also, we write \(\mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \) instead of \(\mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h}|_{\mathbb {D}^m} \right\} \), taking it as understood that \(\varvec{h}\) is restricted to \({\mathbb {D}^m}\) when applying \(\mathcal{F}_{\mathbb {D}^m}\).

Proof

Using a result of Yudin ([37, Example I after Theorem 2], see also Appendix D of the full version [3]), there exists a trigonometric approximation \(\varvec{t}\) of \(\varvec{h}\), i.e. a function \(\varvec{t}: \mathbb {T}^m\rightarrow \mathbb {C}\) with \(\hat{ \varvec{t}}(x) := \mathcal {F}_{\mathbb {T}^m} \{ \varvec{t} \}(x) = 0\) for all \(x \not \in [q]_c^m\) so that \(\left\Vert \varvec{h}-\varvec{t}\right\Vert _\infty \le \pi \sqrt{m} {\text {Lip}}(\varvec{h})/q\). Recalling that \({\hat{\mathbb {D}}^m}\simeq \mathbb {Z}^m/q\mathbb {Z}^m\), the fact that \(\hat{\varvec{t}}: \mathbb {Z}^m \rightarrow \mathbb {C}\) vanishes outside of \([q]_c^m\) implies for all \(x \in [q]_c^m\) that

$$ \hat{\varvec{t}}(x) = \sum _{d \in q\mathbb {Z}^m} \hat{ \varvec{t}}(x+d) = \hat{ \varvec{t}}|^{{\hat{\mathbb {D}}^m}}(x+q\mathbb {Z}^m) = \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{t} \right\} (x+q\mathbb {Z}^m), $$

where the last equality holds by Corollary 2 (and our convention of omitting the restriction to \({\mathbb {D}^m}\)). In particular, we have \(\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{t} \right\} \Vert _{2,{\hat{\mathbb {D}}^m}} = \Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ \varvec{t} \}\Vert _{2,\mathbb {Z}^m}\). Therefore, by the (reverse) triangle inequality and the linearity of the Fourier transform, one obtains

$$\begin{aligned} \big |&\left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} - \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m} \big | \\&\qquad \le \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h}-\varvec{t} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} + \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ \varvec{h}-\varvec{t} \} \right\Vert _{2,\mathbb {Z}^m}. \end{aligned}$$

We now observe that

$$\begin{aligned} \left\Vert 1_C\cdot \mathcal {F}_{G}\{ \varvec{h}-\varvec{t} \}\right\Vert _{2,\hat{G}} \le \left\Vert \mathcal {F}_{G}\{ \varvec{h}-\varvec{t} \}\right\Vert _{2,\hat{G}} = \left\Vert \varvec{h}-\varvec{t}\right\Vert _{2,G} \le \sqrt{\mu (G)} \left\Vert \varvec{h}-\varvec{t}\right\Vert _{\infty } \end{aligned}$$

where \(\mu (G) = {\int _G d\mu }\) denotes the total measure of G. We conclude by noting that \(\mu (G)=1\) for both groups at hand \(G = {\mathbb {D}^m}\) and \(G = \mathbb {T}^m\).    \(\square \)

3.6 The Gaussian Function and Smoothing Errors

Let m be a fixed positive integer. For any parameter \(\sigma > 0\), we consider the m-dimensional Gaussian function

$$ \rho _{\sigma }: \mathbb {R}^m \rightarrow \mathbb {C}, \, x \mapsto e^{-\frac{\pi \left\Vert x\right\Vert ^2}{\sigma ^2}}, $$

which is well known to satisfy the following basic properties.

Lemma 1

For all \(\sigma > 0\), \(m \in \mathbb {N}\) and \(x,y \in \mathbb {R}^m\), we have \(\int _{z \in \mathbb {R}^m} \rho _\sigma (z) dz = \sigma ^m\), \(\mathcal {F}_{\mathbb {R}^m} \{ \rho _\sigma \} = \sigma ^m \rho _{1/\sigma }\), \(\sqrt{\rho _\sigma (x)} = \rho _{\sqrt{2}\sigma }(x)\) and \(\rho _\sigma (x)\rho _\sigma (y) = \rho _{\frac{\sigma }{\sqrt{2}}}(\frac{x + y}{2}) \rho _{\frac{\sigma }{\sqrt{2}}} (\frac{x - y}{2})\).

Remark 7

From these properties it follows that the function \(x \mapsto \sigma ^{m/2} \cdot \sqrt{ \rho _{1/\sigma }(x)}\) has \(L_2\)-norm 1, i.e., \(\left\Vert \sigma ^{m/2} \cdot \sqrt{\rho _{1/\sigma }(x)} \right\Vert _{2,\mathbb {R}^m}^2 = 1\).

The following two results (and the variations we discuss below) will play an important role and will be used several times in this paper: Banaszczyk’s bound, originating from [1], and the smoothing error, as introduced by Micciancio and Regev [20]. They allow us to control

$$ \rho _\sigma (X) := \sum _{x \in X} \rho _\sigma (x), $$

for certain discrete subsets \(X \subseteq \mathbb {R}^m\). For ease of notation, we let

$$ \beta ^{(m)}_{z} := \left( \frac{2 \pi e z^2}{m } \right) ^{m/2} e^{-\pi z^2}, $$

which decays super-exponentially in z (for fixed m). The following formulation of Banaszczyk’s lemma is obtained from [21, Equation (1.1)].

Lemma 2 (Banaszczyk’s Bound)

Whenever \({r}/\sigma \ge \sqrt{\frac{m}{2\pi }}\),

$$ \rho _{\sigma } \bigl ( ( \varLambda + t) \setminus \mathcal {B}_{r}\bigr ) \le \beta ^{(m)}_{{r}/\sigma } \cdot \rho _\sigma (\varLambda ) \, , $$

where \(\mathcal {B}_{r}= \mathcal {B}_{r}(0) = \{ x \in \mathbb {R}^m ~ \big | ~ |x| < {r}\}\).

Imitating techniques from [20, Lemma 3.2], we have:

Lemma 3

Let \(\sigma \ge \frac{\sqrt{m}}{ \lambda _1(\varLambda ^*)}\). Then \(\rho _{1/\sigma }(\varLambda ^* \backslash 0) \le 2 \cdot \beta ^{(m)}_{\sigma \lambda _1(\varLambda ^*)}\).

As a direct corollary, we have the following result.

Corollary 3

Let \(\sigma \ge 2 \sqrt{m}\), and let \(x \in \mathbb {R}^m\) with \(\Vert x\Vert _\infty \le 1/2\). Then

$$\begin{aligned} \rho _{1/\sigma }\bigl (\mathbb {Z}^m \backslash \{0\} + x\bigr ) \le 2\beta ^{(m)}_{\sigma /2}. \end{aligned}$$

Proof

We have \(\rho _{1/\sigma }\bigl (\mathbb {Z}^m \backslash \{0\} + x\bigr ) \le \rho _{1/\sigma }\bigl ((\mathbb {Z}^m \!+\! x) \backslash \mathcal {B}_{\frac{1}{2}} \bigr ) \le \beta ^{(m)}_{\sigma /2} \rho _{1/\sigma }(\mathbb {Z}^m)\), where the second inequality follows from Lemma 2. Using Lemma 3 to argue that \(\rho _{1/\sigma }(\mathbb {Z}^m) = 1 + \rho _{1/\sigma }(\mathbb {Z}^m \backslash 0) \le 1 + 2\beta ^{(m)}_{\sigma }\le 2\) then proves the claim.    \(\square \)

The following lemma, which combines [20, Lemma 4.1] and [20, Lemma 3.2], controls the fluctuation of the sum \(\rho _s(\varLambda + t)\) for varying \(t \in \mathbb {R}^m\).

Lemma 4 (Smoothing Error)

Let \(\varLambda \subset \mathbb {R}^m\) be a full rank lattice, and let \(\sigma \ge \sqrt{m}/\lambda _1(\varLambda ^*)\). Then, for any \(t \in \mathbb {R}^m\),

$$\begin{aligned} (1-2\beta ^{(m)}_{\sigma \lambda _1(\varLambda ^*)}) \frac{\sigma ^m}{\det \varLambda } \le \rho _\sigma (\varLambda + t) \le (1+2\beta ^{(m)}_{\sigma \lambda _1(\varLambda ^*)}) \frac{\sigma ^m}{\det \varLambda }. \end{aligned} \tag{7}$$

Corollary 4

For \(\sigma \ge \frac{\sqrt{m}}{ \lambda _1(\varLambda ^*)}\) and for any \(t \in \mathbb {R}^m\), we have \(\rho _\sigma (\varLambda + t) \le 2 \frac{\sigma ^m}{\det \varLambda }\).

Proof

Using Lemma 4 and noticing \(2\beta ^{(m)}_{\sigma \lambda _1(\varLambda ^*)} \le 2\beta ^{(m)}_{\sqrt{m}}\le 1\) yields the result.    \(\square \)
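The bounds of Lemma 4 and Corollaries 3 and 4 can be checked numerically. The following Python sketch is an added example, not part of the paper: it assumes the scaled integer lattice \(\varLambda = a\mathbb {Z}^m\) (so that \(\lambda _1(\varLambda ^*) = 1/a\) and \(\det \varLambda = a^m\) are known exactly and the Gaussian sum factorises over coordinates), and all function names are chosen here for illustration.

```python
import math


def beta(m, z):
    """beta^{(m)}_z = (2 pi e z^2 / m)^{m/2} * exp(-pi z^2)."""
    return (2 * math.pi * math.e * z * z / m) ** (m / 2) * math.exp(-math.pi * z * z)


def rho_coset_1d(sigma, a, t, terms=200):
    """rho_sigma(aZ + t) in dimension one, by direct truncated summation."""
    return sum(math.exp(-math.pi * (a * k + t) ** 2 / sigma ** 2)
               for k in range(-terms, terms + 1))


def rho_coset(sigma, a, t):
    """rho_sigma(a Z^m + t) for a shift vector t (a tuple of m reals).

    For the assumed lattice a Z^m the sum is a product of m
    one-dimensional sums, so no enumeration of Z^m is needed.
    """
    return math.prod(rho_coset_1d(sigma, a, ti) for ti in t)


def smoothing_interval(sigma, a, m):
    """Lower and upper bound of Lemma 4, Eq. (7), for Lambda = a Z^m."""
    lam1_dual = 1.0 / a  # lambda_1 of the dual lattice (1/a) Z^m
    if sigma < math.sqrt(m) / lam1_dual:
        raise ValueError("Lemma 4 requires sigma >= sqrt(m) / lambda_1(dual)")
    b = beta(m, sigma * lam1_dual)
    scale = sigma ** m / a ** m  # sigma^m / det(Lambda)
    return (1 - 2 * b) * scale, (1 + 2 * b) * scale


def shifted_tail(sigma, x):
    """rho_{1/sigma}((Z^m minus {0}) + x), the left-hand side of Corollary 3."""
    total = rho_coset(1.0 / sigma, 1.0, x)
    origin_term = math.exp(-math.pi * sigma ** 2 * sum(xi * xi for xi in x))
    return total - origin_term


def lemma4_report(sigma, a, shifts):
    """Return (shift, lower, value, upper) for each constructed shift t."""
    m = len(shifts[0])
    lower, upper = smoothing_interval(sigma, a, m)
    return [(t, lower, rho_coset(sigma, a, t), upper) for t in shifts]


if __name__ == "__main__":
    # Constructed sample shifts for Lambda = Z^2 and sigma = 1.5.
    for t, lower, value, upper in lemma4_report(
            1.5, 1.0, [(0.0, 0.0), (0.5, 0.5), (0.25, 0.1)]):
        print(t, f"{lower:.5f} <= {value:.5f} <= {upper:.5f}")
    # Corollary 3 at the extreme shift x = (1/2, 1/2) with sigma = 2 sqrt(m).
    s = 2 * math.sqrt(2)
    print(shifted_tail(s, (0.5, 0.5)), "<=", 2 * beta(2, s / 2))
```

For these parameters the actual fluctuation of \(\rho _\sigma (\varLambda + t)\) is roughly an order of magnitude smaller than the \(2\beta \) margin allowed by Eq. (7).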

3.7 Lipschitz Condition

Theorem 9 (Rademacher’s theorem)

A Lipschitz function \(\varvec{f}:\mathbb {R}^m/\varLambda \rightarrow \mathcal {H}\) has weak partial derivatives \(\partial _{x_j} \varvec{f}:\mathbb {R}^m/\varLambda \rightarrow \mathcal {H}\) lying in \(L_2(\mathbb {R}^m/\varLambda )\). In particular, \( \sum _{j = 1}^m \left\Vert \partial _{x_j} \varvec{f}\, \right\Vert _{2, \mathbb {R}^m/\varLambda }^2 \le {\text {Lip}}(\varvec{f})^2.\)

Proof

Combining the proof of [17, Theorem 4.1 and 4.9] and [35, Theorem 2] on measures of compact sets, we obtain this result.    \(\square \)

Corollary 5

Let \(\varvec{f}:\mathbb {R}^m/\varLambda \rightarrow \mathcal {H}\) be a Lipschitz-continuous function, and denote by \(| c_{\ell ^*} \rangle \) the vectorial Fourier coefficients of \(\varvec{f}\). Then,

$$\begin{aligned} \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ \left\Vert \ell ^*\right\Vert \ge B \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \le \frac{{\text {Lip}}(\varvec{f})^2}{4\pi ^2 B^2}. \end{aligned}$$

Proof

Since \(\varvec{f}\) is Lipschitz, we can apply Theorem 9. Furthermore, the identity \(| \varvec{f}(x) \rangle = \sum _{\ell ^* \in \varLambda ^*} | c_{\ell ^*} \rangle e^{2\pi i \langle x,\ell ^* \rangle }\) implies \(| \partial _{x_j} \varvec{f}(x) \rangle = 2 \pi i \sum _{\ell ^* \in \varLambda ^*} \ell ^*_j | c_{\ell ^*} \rangle e^{2\pi i \langle x,\ell ^* \rangle }\) almost everywhere ([36, Lemma V.2.11] or [30, Lemma 2.16]). Finally, given that \(\sum _{j=1}^m \left\Vert \partial _{x_j}\varvec{f} \right\Vert _{2, \mathbb {R}^m/\varLambda }^2 \le {\text {Lip}}(\varvec{f})^2\), Plancherel’s identity implies that

$$\begin{aligned} {\text {Lip}}(\varvec{f})^2 \ge \sum _{j = 1}^m \left\Vert \partial _{x_j}\varvec{f} \right\Vert _{2, \mathbb {R}^m/\varLambda }^2 = 4 \pi ^2 \sum _{\ell ^* \in \varLambda ^*} \left\Vert \ell ^*\right\Vert _2^2 \langle c_{\ell ^*} | c_{\ell ^*} \rangle \\ \ge 4 \pi ^2 \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ \left\Vert \ell ^*\right\Vert _2 \ge B \end{array}} \left\Vert \ell ^*\right\Vert _2^2 \langle c_{\ell ^*} | c_{\ell ^*} \rangle \ge 4 B^2 \pi ^2 \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ \left\Vert \ell ^*\right\Vert _2 \ge B \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle , \end{aligned}$$

from which the claim follows.    \(\square \)

4 Algorithm

4.1 The Algorithm

Given a \(\varLambda \)-periodic function \(\varvec{f}: \mathbb {R}^m \rightarrow \mathcal {S}\) as discussed in Sect. 2, which maps a classical input x to a quantum state \(| \varvec{f}(x) \rangle \), we consider the following quantum algorithm (see Fig. 3). The algorithm has oracle access to \(\varvec{f}\), meaning that it has access to a unitary that maps \(| x \rangle | 0 \rangle \) to \(| x \rangle | \varvec{f}(x) \rangle \). As a matter of fact, we may obviously assume the algorithm to have oracle access to a unitary that maps \(| x \rangle | 0 \rangle \) to \(| x \rangle | \varvec{f}(Vx) \rangle \) for a parameter \(V \in \mathbb {R}\) chosen by the algorithm. Per se, x may be arbitrary in \(\mathbb {R}^m\); for any concrete algorithm it is of course necessary to restrict x to some finite subset of \(\mathbb {R}^m\).

The algorithm we consider follows the blueprint of the standard hidden-subgroup algorithm. Notable differences are that we need to discretize (and finitize) the continuous domain \(\mathbb {R}^m\) of the function, and the algorithm starts off with a superposition that is not uniform but follows a (discretized and finitized) Gaussian distribution. The reason for the latter choice is that Gaussian distributions decay very fast and behave nicely under the Fourier transform (as they are eigenfunctions of the Fourier transform).

The algorithm is given in Fig. 3 below. It uses two quantum registers, each one consisting of a certain number of qubits. Associated to the first register are orthonormal bases \(\{| x \rangle _{\mathbb {D}^m}\}_{x \in {\mathbb {D}^m}}\) and \(\{| y \rangle _{\hat{\mathbb {D}}^m}\}_{y \in {\hat{\mathbb {D}}^m}}\) where the basis vectors are labeled by \(x \in {\mathbb {D}^m}\) and \(y \in {\hat{\mathbb {D}}^m}\), respectively, which we identify with elements \(x \in \mathbb {D}^m_{\mathrm {rep}}\) and \(y \in \hat{\mathbb {D}}^m_{\mathrm {rep}}\) (see Sect. 3.1). The second register has state space \(\mathcal {H}\). The algorithm is parameterized by \(q \in \mathbb {N}\) (which determines \({\mathbb {D}^m}\)), \(s> 0\) and \(V> 0\). Intuitively, the fraction \(\frac{s}{V}\) is tightly related to the absolute precision of the output, whereas q is connected with the number of qubits needed.

Fig. 3. The continuous-hidden-subgroup quantum algorithm.

The description and analysis of Step 1 are deferred to Appendix C of the full version [3]. It will be shown (as summarized in Theorem 5) that its cost is negligible compared to the main cost of Algorithm 1, while contributing an error of at most \(o(\eta )\) in the trace distance.

4.2 The Figure of Merit

Recall that \(N = \dim \mathcal {H}= 2^n\). Then the state after step (2) of Algorithm 1 equals, up to normalization,

$$ | \psi \rangle := s^{m/2}\sum _{x \in {\mathbb {D}^m}} \sqrt{\rho _{1/s}(x)} \, | x \rangle _{\mathbb {D}^m}| \varvec{f}(Vx) \rangle $$

which we can rewrite as

$$\begin{aligned} | \psi \rangle = \sum _{x \in {\mathbb {D}^m}} | x \rangle _{\mathbb {D}^m}| \varvec{h} (x) \rangle \end{aligned}$$

where

$$ \varvec{h}(x) := s^{m/2} \sqrt{\rho _{1/s}(x)} \cdot | \varvec{f}(Vx) \rangle . $$

Applying the quantum Fourier transform in step (3) maps this to

$$\begin{aligned} | \hat{\psi } \rangle = q^{-m/2}\sum _{x \in {\mathbb {D}^m}} \sum _{y \in {\hat{\mathbb {D}}^m}} e^{-2\pi i \langle x,y \rangle } | y \rangle _{\hat{\mathbb {D}}^m}| \varvec{h} (x) \rangle = q^{m/2} \sum _{y \in {\hat{\mathbb {D}}^m}} | y \rangle _{\hat{\mathbb {D}}^m}| \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} (y) \rangle , \end{aligned}$$

where the factor \(q^{m/2}\) comes from the fact that, by our convention, the Fourier transform \(\mathcal {F}_{{\mathbb {D}^m}}\) is scaled with the factor \(q^{-m}\), while the quantum Fourier transform comes with a scaling factor \(q^{-m/2}\).

Up to normalization, the probability to observe outcome y in step (4) thus is

$$ \langle \hat{\psi } |(| y \rangle \!\langle y| \otimes \mathbb {I})| \hat{\psi } \rangle = q^m \left\Vert \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} (y)\right\Vert ^2_\mathcal {H}, $$

and so, for any “target” subset \(C\subset {\hat{\mathbb {D}}^m}\), the probability for the algorithm to produce an outcome \(y \in C\) equals

$$\begin{aligned} \mathcal {D}(C) = \sum _{y \in C} \frac{\langle \hat{\psi } |(| y \rangle \!\langle y| \otimes \mathbb {I})| \hat{\psi } \rangle }{ \langle \psi _\circ | \psi _\circ \rangle } = \frac{ \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 }{\frac{s^m}{q^m}\sum _{x \in {\mathbb {D}^m}} \rho _{{1/s}}(x)}. \end{aligned} \tag{8}$$

Intuitively, in the limit \(q \rightarrow \infty \), the grid \(\frac{1}{q}\mathbb {Z}^m\) becomes \(\mathbb {R}^m\); thus, neglecting constant factors, the function \(\mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \) is expected to converge to

$$ \mathcal {F}_{\mathbb {R}^m} \{ \rho _{\sqrt{2}/s} \varvec{f}(V \cdot ) \} = \rho _{s/\sqrt{2}} \star \mathcal {F}_{\mathbb {R}^m} \{ \varvec{f}(V \cdot ) \}. $$

Furthermore, when V is large enough compared to s then, relative to the dual lattice \(V \varLambda ^*\), the Gaussian function behaves as a Dirac delta function. Thus, the above function is then supported by \(V \varLambda ^*\) and takes on the values \(| c_{\ell ^*} \rangle \). Hence, by taking square norms, we get the claimed \( \langle c_{\ell ^*} | c_{\ell ^*} \rangle \).

Below, we prove that this intuition is indeed correct, and we work out the actual “rate of convergence”.
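The intuition of this section can be checked classically for \(m = 1\). The following Python sketch is an added example, not part of the paper: it evaluates the outcome distribution of Eq. (8) for a constructed oracle \(| \varvec{f}(x) \rangle = (1, e^{2\pi i x/T})/\sqrt{2}\) with period T, whose only non-zero Fourier coefficients sit at 0 and 1/T with \(\langle c_{\ell ^*} | c_{\ell ^*} \rangle = 1/2\) each. The toy oracle, the parameter values and all function names are assumptions made for illustration.

```python
import cmath
import math


def rho(sigma, x):
    """Gaussian rho_sigma(x) = exp(-pi x^2 / sigma^2) for m = 1."""
    return math.exp(-math.pi * x * x / (sigma * sigma))


def oracle_state(x, period):
    """Constructed toy oracle |f(x)> = (1, e^{2 pi i x / period}) / sqrt(2).

    The state has unit norm and is periodic with the given period.
    """
    r = 1 / math.sqrt(2)
    return (r, r * cmath.exp(2j * math.pi * x / period))


def outcome_distribution(q, s, V, period):
    """Return {y: D({y})} for y in [q]_c, i.e. Eq. (8) for singletons C."""
    lo = -(q // 2)
    idx = range(lo, lo + q)  # j with x = j/q in D_rep; also the y in [q]_c
    roots = [cmath.exp(-2j * math.pi * k / q) for k in range(q)]

    # h(x) = s^{1/2} * sqrt(rho_{1/s}(x)) * |f(Vx)>
    h = []
    for j in idx:
        x = j / q
        amp = math.sqrt(s * rho(1 / s, x))
        f0, f1 = oracle_state(V * x, period)
        h.append((amp * f0, amp * f1))

    # Denominator of Eq. (8): (s/q) * sum_x rho_{1/s}(x)
    denom = (s / q) * sum(rho(1 / s, j / q) for j in idx)

    dist = {}
    for y in idx:
        a0 = a1 = 0j
        for j, (h0, h1) in zip(idx, h):
            w = roots[(j * y) % q]  # e^{-2 pi i x y} with x = j/q
            a0 += h0 * w
            a1 += h1 * w
        # The paper's F_D carries a factor 1/q, hence 1/q^2 on the square norm.
        dist[y] = (abs(a0) ** 2 + abs(a1) ** 2) / (q * q) / denom
    return dist


def mass_near(dist, center, radius):
    """D(C) for the target set C = {y : |y - center| <= radius}."""
    return sum(p for y, p in dist.items() if abs(y - center) <= radius)


if __name__ == "__main__":
    # Constructed parameters: period T = 1, so the scaled dual lattice is V*Z.
    q, s, V, T = 256, 8.0, 32.0, 1.0
    dist = outcome_distribution(q, s, V, T)
    print("total probability:", sum(dist.values()))
    for center in (-32, 0, 32, 64):
        print(f"mass within 12 of {center:4d}:", mass_near(dist, center, 12))
```

With these parameters the measured y falls within distance 12 of 0 or of \(V/T = 32\) with probability 1/2 each, matching the weights \(\langle c_{\ell ^*} | c_{\ell ^*} \rangle \), while the dual lattice points \(-32\) and \(64\), whose Fourier coefficients vanish, receive essentially no mass.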

5 Analysis

5.1 Proof Overview

In the overview here and in the formal analysis in the next section, we consider the case \(V= 1\). This is without loss of generality; in order to deal with an arbitrary V we simply apply our analysis to the function \(\varvec{f}_V := \varvec{f}(V\cdot )\), with the effect that in the error term, \(\varLambda ^*\) becomes \(V \varLambda ^*\) and \({\text {Lip}}(\varvec{f}_V)\) becomes \(V\,{\text {Lip}}(\varvec{f})\).

The error analysis (for \(V = 1\)) is divided into three parts. The first part consists of showing that the denominator from Eq. (8) satisfies

$$ \frac{s^m}{q^m} \sum _{x \in {\mathbb {D}^m}} \rho _{{1/s}}(x) \approx 1. $$

In the second part, which is the most technical one, we show that for any \(C\subset {\hat{\mathbb {D}}^m}\), also understood as a subset of \(\hat{\mathbb {D}}^m_{\mathrm {rep}}= [q]_c^m \subset \mathbb {Z}^m\),

$$\begin{aligned} \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 \gtrsim \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ B_{\delta \lambda _1^*}(\ell ^*) \subseteq C \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle . \end{aligned} \tag{9}$$

We recall that \(| c_{\ell ^*} \rangle \) are the vectorial Fourier coefficients of \(\varvec{f}\) and \(B_{\delta \lambda _1^*}(\ell ^*) = \mathcal {B}_{\delta \lambda _1^*}(\ell ^*) \cap \mathbb {Z}^m\). This approximation (9) is divided into the following five steps:

$$\begin{aligned}&\left\Vert 1_C\mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} ^2 {\mathop {\approx }\limits ^{(1)}} \left\Vert 1_C\mathcal {F}_{{\mathbb {D}^m}} \left\{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 {\mathop {\approx }\limits ^{(2)}} \left\Vert 1_C\mathcal {F}_{\mathbb {T}^m} \{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \} \right\Vert _{2,\mathbb {Z}^m} ^2 \\&\qquad {\mathop {=}\limits ^{(3)}} \left\Vert 1_C\mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m} ^2 {\mathop {\approx }\limits ^{(4)}} \sum _{\ell ^* \in \varLambda ^*} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \cdot \iota _C(\ell ^*) {\mathop {\ge }\limits ^{(5)}} \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ B_{\delta \lambda _1^*}(\ell ^*) \subseteq C \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle . \end{aligned}$$

It thus follows that

$$ \mathcal {D}(C) \gtrsim \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ B_{\delta \lambda _1^*}(\ell ^*) \subseteq C \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle , $$

and therefore, applied to \(C:= B_{\delta \lambda _1^*}(S)\), that for any \(S \subset \varLambda ^*\) for which \(B_{\delta \lambda _1^*}(S) \subset [q]_c^m\), requirement (3) is satisfied.

The third part of the analysis is to show that (3) is satisfied also for \(S \subset \varLambda ^*\) for which \(B_{\delta \lambda _1^*}(S)\) is not fully contained in \([q]_c^m\). For such S, it is sufficient to show that \(\sum _{\ell ^* \in S \backslash S_0} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \approx 0\), where \(S_0 = \{ \ell ^* \in S ~| ~B_{\delta \lambda _1^*}(\ell ^*) \subseteq [q]_c^m\}\). We prove this by means of Corollary 5.

We emphasize that in the formal proof below, we explicitly follow this 3-part structure of the proof, with part 2 being divided into 5 steps as indicated above.

5.2 Formal Analysis

Part 1. By Lemma 4, we have (whenever \(q/s \ge \sqrt{m}\)),

$$\begin{aligned} \frac{s^m}{q^m} \sum _{x \in {\mathbb {D}^m}} \rho _{{1/s}}(x) \le \frac{s^m}{q^m} \cdot \rho _{{1/s}}\left( \frac{1}{q} \mathbb {Z}^m\right) \le 1 + 2 \beta ^{(m)}_{q/s}.\end{aligned} \tag{10}$$

Therefore,

$$\begin{aligned} \frac{ \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 }{\frac{s^m}{q^m}\sum _{x \in {\mathbb {D}^m}} \rho _{{1/s}}(x)} \ge \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 - \varepsilon _{\mathrm {denom}}\end{aligned} \tag{11}$$

with \(\varepsilon _{\mathrm {denom}}= 2 \beta ^{(m)}_{q/s}\).

Part 2. Recall that \(\varvec{h} = s^{m/2} \cdot \varvec{f} \cdot \rho _{\sqrt{2}/s}\) is a function \(\varvec{h}: \mathbb {R}^m \rightarrow \mathcal {H}\). In the following, by slightly abusing notation, we also understand \(\varvec{h}\) as a function \(\varvec{h}: \mathbb {T}^m\rightarrow \mathcal {H}\) by considering the restriction of \(\varvec{h}\) to \(\mathbb {T}^m_{\mathrm {rep}}= [-\frac{1}{2},\frac{1}{2})^m\). Similarly, we understand \(\varvec{h}\) as a function \(\varvec{h}: {\mathbb {D}^m}\rightarrow \mathcal {H}\) by considering its restriction to \(\mathbb {D}^m_{\mathrm {rep}}= \mathbb {T}^m_{\mathrm {rep}}\cap \frac{1}{q}\mathbb {Z}^m\).

Step 1. Observe that

$$ \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} - 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} \le \left\Vert \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} - { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} = \left\Vert { \left. \varvec{h} \right| ^{\mathbb {T}^m} } - \varvec{h} \right\Vert _{2,{\mathbb {D}^m}}. $$

Writing out the definition of \({ \left. \varvec{h} \right| ^{\mathbb {T}^m} }\) and \(\varvec{h}\), we obtain (provided that \(\frac{s}{2\sqrt{2}} \ge \sqrt{m}\))

$$\begin{aligned} \left\Vert { \left. \varvec{h} \right| ^{\mathbb {T}^m} } - \varvec{h} \right\Vert _{2,{\mathbb {D}^m}}^2&= \frac{1}{q^m} \sum _{x \in {\mathbb {D}^m}} \left\Vert \sum _{z \in \mathbb {Z}^m \backslash 0} \varvec{h}(x + z) \right\Vert _\mathcal {H}^2 \\&\le \frac{\left\Vert \varvec{f}\right\Vert _\infty ^2 s^m}{q^m} \sum _{x \in {\mathbb {D}^m}} \Bigg (\sum _{z \in \mathbb {Z}^m \backslash 0} \rho _{\sqrt{2}/s}(x + z) \Bigg )^2 \le 4s^m (\beta ^{(m)}_{\frac{s}{2\sqrt{2}}})^2 , \end{aligned}$$

as \(\rho _{\sqrt{2}/s}\bigl (\mathbb {Z}^m \backslash \{0\} + x\bigr ) \le 2\beta ^{(m)}_{\frac{s}{2 \sqrt{2}}}\), from Corollary 3, combining with the fact that \(\left\Vert f\right\Vert _\infty = 1\). Taking square roots and using the reverse triangle inequality yields

$$ \left| \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} - \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} \right| \le 2 s^{m/2} \beta ^{(m)}_{\frac{s}{2 \sqrt{2}}} =: \varepsilon _{\mathrm {per}}$$

Step 2. Using Theorem 8 with \({ \left. \varvec{h} \right| ^{\mathbb {T}^m} }\), one obtains

$$ \left| \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} - \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \} \right\Vert _{2,\mathbb {Z}^m} \right| \le \varepsilon _{\mathrm {lip}}, $$

where \(\varepsilon _{\mathrm {lip}}= \frac{4 \pi \sqrt{m} {\text {Lip}}({ \left. \varvec{h} \right| ^{\mathbb {T}^m} })}{q}\). Recall that we use \(1_C\) as indicator function acting on \(\mathbb {Z}^m\) and on \({\hat{\mathbb {D}}^m}\simeq \mathbb {Z}^m/q\mathbb {Z}^m\) in the obvious way.

The Lipschitz constant of \({ \left. \varvec{h} \right| ^{\mathbb {T}^m} }\) can be obtained by taking the maximum value of the absolute value of the derivative.

$$ \frac{\partial }{\partial x_j} \left( { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right) = s^{m/2} \sum _{z \in \mathbb {Z}^m} \left( \frac{\partial }{\partial x_j} \varvec{f}(x+z) \cdot \rho _{\sqrt{2}/s}(x + z) + \varvec{f}(x+z) \frac{\partial }{\partial x_j} \rho _{\sqrt{2}/s}(x + z)\right) $$

The norm of \(\nabla \left( { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \right) \) is therefore bounded by

$$\begin{aligned}&s^{m/2}\left( {\text {Lip}}(\varvec{f}) \rho _{\sqrt{2}/s}(x + \mathbb {Z}^m) + \pi s^2 \left\Vert \varvec{f}\right\Vert _\infty \sum _{z \in \mathbb {Z}^m} \left\Vert x + z\right\Vert \rho _{\sqrt{2}/s}(x + z)\right) \\&\qquad \le s^{m/2}\left( 2 {\text {Lip}}(\varvec{f}) + 2\pi s^2 \right) \end{aligned}$$

where we used \(\left\Vert \nabla \varvec{f}\right\Vert = \sqrt{\sum _{j = 1}^m \left\Vert \frac{\partial }{\partial x_j} \varvec{f} \right\Vert _\mathcal {H}^2}\le {\text {Lip}}(\varvec{f})\), \(\left\Vert \varvec{f}\right\Vert _\infty \le 1\), \(\nabla \rho _{\sqrt{2}/s}(x) = \pi s^2x \cdot \rho _{\sqrt{2}/s}(x)\), \(\rho _{\sqrt{2}/s}(x+ \mathbb {Z}^m) \le 2\) and \(\sum _{z \in \mathbb {Z}^m} \left\Vert x + z\right\Vert \rho _{\sqrt{2}/s}(x + z) \le 2\). The second last inequality follows from \(\rho _{\sqrt{2}/s}(x+ \mathbb {Z}^m) \le 1 + \rho _{\sqrt{2}/s}(\mathbb {Z}^m \backslash \{0 \} + x) \le 1 + 2 \beta ^{(m)}_{\frac{s}{2\sqrt{2}}} \le 2\), see Corollary 3. The last inequality can be obtained by the fact that \(\left\Vert x + z\right\Vert \rho _{\sqrt{2}/s}(x + z) \le \rho _{\sqrt{2}/(s-1)}(x + z)\), and repeating the former argument.

Step 3. Apply Corollary 1 to conclude that

$$ \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {T}^m} \{ { \left. \varvec{h} \right| ^{\mathbb {T}^m} } \} \right\Vert _{2,\mathbb {Z}^m} = \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m}, $$

where we continue to abuse notation here by identifying \(\mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \}\) with its restriction to \(\mathbb {Z}\).

Using \(|a^2 - b^2| = |a+b||a-b| \le (|a-b|+2|a|)|a-b|\) and the fact that \(\left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}} \le 2\) (which follows from Eq. (8) and Eq. (10)), we conclude that

$$ \left| \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 - \left\Vert 1_C\cdot \mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m}^2 \right| \le 5(\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}}), $$

where we assume that \(\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}}< 1\).

Step 4. By applying the convolution theorem as outlined in Sect. 3.2, we see that

$$ \mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} [y] = \mathcal {F}_{\mathbb {R}^m/\varLambda }\{\varvec{f}\} \star \mathcal {F}_{\mathbb {R}^m} \{ s^{m/2} \rho _{s/\sqrt{2}} \}(y) = \left( \frac{2}{s}\right) ^{\! m/2} \!\!\!\sum _{\ell ^* \in \varLambda ^*} | c_{\ell ^*} \rangle \rho _{s/\sqrt{2}}(y - \ell ^*) $$

where \(| c_{\ell ^*} \rangle \) are the vectorial Fourier coefficients of \(\varvec{f}\). Therefore,

$$\begin{aligned} \left\Vert \mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \}[y]\right\Vert _\mathcal {H}^2&= \left( \frac{2}{s}\right) ^{m} \sum _{k^* \in \varLambda ^*}\sum _{\ell ^* \in \varLambda ^*} \langle c_{\ell ^*} | c_{k^*} \rangle \rho _{s/\sqrt{2}}(y - \ell ^*) \rho _{s/\sqrt{2}}(y - k^*) \\&= \left( \frac{2}{s}\right) ^{m} \sum _{u^* \in \frac{1}{2} \varLambda ^*} \sum _{v^* \in u^* + \varLambda ^*} \langle c_{v^* + u^*} | c_{v^* - u^*} \rangle \rho _{s/2}(u^*) \rho _{s/2}(y - v^*), \end{aligned}$$

where the latter is obtained by the variable substitution \(u^* = \frac{\ell ^* - k^*}{2}\), \(v^* = \frac{\ell ^* + k^*}{2}\), and using Lemma 1. Summing over \(y \in C\), setting

$$ \iota _C(\ell ^*) := \left( \frac{2}{s}\right) ^{m} \sum _{y \in C} \rho _{s/2}(y -\ell ^*), $$

and splitting into \(u^* = 0\) and \(u^* \ne 0\), we obtain

$$\begin{aligned} \left\Vert 1_C\mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m}^2&= \sum _{v^* \in \varLambda ^*} \langle c_{v^*} | c_{v^*} \rangle \cdot \iota _C(v^*) \\&\qquad + \sum _{u^* \in \frac{1}{2} \varLambda ^* \backslash 0} \rho _{s/2}(u^*) \sum _{v^* \in u^* + \varLambda ^*} \langle c_{v^* + u^*} | c_{v^* - u^*} \rangle \cdot \iota _C(v^*) \end{aligned}$$

We now bound the second term. Assuming \(s\ge \sqrt{m}\), we have that \(\iota _C(v^*) \le \left( \frac{2}{s}\right) ^{m} \rho _{s/2}(\mathbb {Z}^m + t) \le 2\) (see Corollary 4). Furthermore, by the Cauchy-Schwarz inequality,

$$ \left| \sum _{v^* \in u^* + \varLambda ^*} \langle c_{v^* + u^*} | c_{v^* - u^*} \rangle \right| \le \sum _{v^* \in \varLambda ^*} \sqrt{ \langle c_{v^* + 2u^*} | c_{v^* + 2u^*} \rangle \langle c_{v^*} | c_{v^*} \rangle } $$
$$ \le \sum _{v^* \in \varLambda ^*} \left( \langle c_{v^* + 2u^*} | c_{v^* + 2u^*} \rangle + \langle c_{v^*} | c_{v^*} \rangle \right) = 2 \left\Vert \varvec{f} \right\Vert _{2, \mathbb {R}^m/\varLambda }^2 = 2 $$

Finally, using Lemma 3, we have

$$ \sum _{u^* \in \frac{1}{2} \varLambda ^* \backslash 0} \rho _{s/2}(u^*) = \rho _{s} \left( \varLambda ^*~\backslash ~ 0 \right) \le 2 \cdot \beta ^{(m)}_{\frac{\lambda _1^*}{s}}. $$

Putting everything together, we obtain that

$$ \left| \left\Vert 1_C\mathcal {F}_{\mathbb {R}^m} \{ \varvec{h} \} \right\Vert _{2,\mathbb {Z}^m}^2 - \sum _{\ell ^* \in \varLambda ^*} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \iota _C(\ell ^*) \right| \le \varepsilon _{\mathrm {diag}}\,, $$

where \(\varepsilon _{\mathrm {diag}}= 8 \cdot \beta ^{(m)}_{\lambda _1^*/s}\).

Step 5. Recall the notation \(B_{\delta \lambda _1^*}(\ell ^*) = \{ x \in \mathbb {Z}^m ~| ~ |x - \ell ^* | < \delta \lambda _1^*\}\). Whenever \(B_{\delta \lambda _1^*}(\ell ^*) \subseteq C\), it obviously holds that

$$ \iota _C(\ell ^*) = \left( \frac{2}{s}\right) ^{m} \sum _{y \in C} \rho _{s/2}(y -v^*) \ge \left( \frac{2}{s}\right) ^{m} \sum _{y \in B_{\delta \lambda _1^*}(\ell ^*)} \rho _{s/2}(y - \ell ^*) $$
$$ \ge \left( \frac{2}{s}\right) ^{m} \rho _{s/2}(\mathbb {Z}^m) \left( 1 - \beta ^{(m)}_{2\delta \lambda _1^*/s} \right) \ge (1 - 2\cdot \beta ^{(m)}_{s/2}) (1 - \beta ^{(m)}_{2\delta \lambda _1^*/s}), $$

where the second inequality follows from Banaszczyk’s bound (see Lemma 2) and the last from Lemma 4. It follows then that

$$ \sum _{\ell ^* \in \varLambda ^*} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \iota (\ell ^*) \ge (1 - \varepsilon _{\mathrm {smooth}}) \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ B_{V\delta }(V\ell ^*) \subseteq C \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle . $$

where \(\varepsilon _{\mathrm {smooth}}= 2\cdot \beta ^{(m)}_{s/2} + \beta ^{(m)}_{2 \delta \lambda _1^*/s}\).

Finalizing. By collecting all the error terms, we obtain that

$$ \left\Vert 1_C\cdot \mathcal {F}_{{\mathbb {D}^m}} \left\{ \varvec{h} \right\} \right\Vert _{2,{\hat{\mathbb {D}}^m}}^2 $$
$$ \ge \sum _{\begin{array}{c} \ell ^* \in \varLambda ^* \\ B_{ \delta \lambda _1^*}(\ell ^*) \subseteq C \end{array}} \langle c_{\ell ^*} | c_{\ell ^*} \rangle - \varepsilon _{\mathrm {smooth}}- \varepsilon _{\mathrm {diag}}- 5(\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}}) $$

whenever \(s, \delta \) and \(\lambda _1^*\) satisfy the following:

$$\begin{aligned} \frac{2 \delta \lambda _1^*}{s} \ge \sqrt{m}~~ \text{ and } ~~ \frac{s}{2 \sqrt{2}} \ge \sqrt{m}. \end{aligned} \tag{12}$$

Part 3. Let \(\mathcal {D}\) be the distribution defined by the output y of Algorithm 1 (recall that we assumed \(V= 1\)); note that \(\mathcal {D}\) has support only on \([q]_c^m\). Throughout this part of the analysis, S denotes a subset of \(\varLambda ^*\).

By the above analysis, we can conclude that whenever \(B_{\delta \lambda _1^*}(S)\subseteq [q]_c^m\), we have (putting \(C = B_{\delta \lambda _1^*}(S)\)),

$$ p_S := \mathcal {D}(B_{\delta \lambda _1^*}(S)) \ge \sum _{\ell ^* \in S} \langle c_{\ell ^*} | c_{\ell ^*} \rangle - \eta ', $$

where \(\eta ' = \varepsilon _{\mathrm {smooth}}+ \varepsilon _{\mathrm {diag}}+ \varepsilon _{\mathrm {denom}}+ 5 (\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}})\).

For general \(S \subseteq \varLambda ^*\), write \(S = S_0 \cup S_1\) as a disjoint union, where \(S_0 = \{ \ell ^* \in S ~|~ B_{\delta \lambda _1^*}(\ell ^*) \subseteq [q]_c^m\}\). Then it is evident that \(S_1 \subseteq \varLambda ^* \backslash [-\frac{q}{4},\frac{q}{4}]^m\). Then, putting \(\varepsilon _{\mathrm {tail}}= \frac{4m{\text {Lip}}(\varvec{f})^2}{\pi ^2 q^2} \ge \sum _{\ell ^* \in \varLambda ^* \backslash [-\frac{q}{4},\frac{q}{4}]^m } \langle c_{\ell ^*} | c_{\ell ^*} \rangle \ge \sum _{\ell ^* \in S_1} \langle c_{\ell ^*} | c_{\ell ^*} \rangle \), (see Corollary 5), we have

$$\begin{aligned} \mathcal {D}(B_{\delta \lambda _1^*}(S))&\ge \mathcal {D}(B_{\delta \lambda _1^*}(S_0)) \ge \sum _{\ell ^* \in S_0} \langle c_{\ell ^*} | c_{\ell ^*} \rangle - \eta ' \ge \sum _{\ell ^* \in S} \langle c_{\ell ^*} | c_{\ell ^*} \rangle -\varepsilon _{\mathrm {tail}}- \eta ' \\&= \sum _{\ell ^* \in S} \langle c_{\ell ^*} | c_{\ell ^*} \rangle - \varepsilon _{\mathrm {smooth}}- \varepsilon _{\mathrm {diag}}- \varepsilon _{\mathrm {denom}}-5 (\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}}) - \varepsilon _{\mathrm {tail}}\end{aligned} \tag{13}$$

5.3 Tuning Parameters

The left hand side of the table in Fig. 4 collects the different error terms obtained above, considering \(V = 1\). The general case is obtained simply by applying the above analysis to the function \(\varvec{f}_V:= \varvec{f}(V\cdot )\). The hidden lattice of \(\varvec{f}_V\) is \(\frac{1}{V} \varLambda \), which has \(V\varLambda ^*\) as its dual, and the Lipschitz constant of \(\varvec{f}_V\) is \(V{\text {Lip}}(\varvec{f})\). Thus, the requirements on the parameters (see Eq. (12)) change to

$$\begin{aligned} \frac{2 \delta V\lambda _1^*}{s} \ge \sqrt{m}~~ \text{ and } ~~ \frac{s}{2 \sqrt{2}} \ge \sqrt{m}, \end{aligned} \tag{14}$$

and the different error terms become as listed in the table in Fig. 4.

Fig. 4. Change of the errors when applying the analysis to \(f_V\)

Recall that \(\beta ^{(m)}_{z} := \bigl (\frac{2 \pi e z^2}{m }\bigr )^{m/2} e^{-\pi z^2}\) and \(N= 2^n\). We can now choose the parameters s, V and q of the algorithm appropriately to enforce all the error terms to be small. In detail, we can select:

  • \(s\in O(\sqrt{m \log (\eta ^{-1})})\) so that \(5\varepsilon _{\mathrm {per}}\le \eta /6\), and \(2 \beta ^{(m)}_{s/2} \le \eta /12\) in \(\varepsilon _{\mathrm {smooth}}\).

  • \(V\in O(\frac{\sqrt{m\log (\eta ^{-1})}s}{\delta \lambda _1^*}) = O(\frac{m\log (\eta ^{-1})}{\delta \lambda _1^*})\) so that \(\varepsilon _{\mathrm {smooth}},\varepsilon _{\mathrm {diag}}\le \eta /6\).

  • \(Q = \log (q) \in O(m\log (s) + \log (V) + \log ({\text {Lip}}(f)) + \log (\eta ^{-1}))\) so that \(5\varepsilon _{\mathrm {lip}}\le \eta /6\) and \(\varepsilon _{\mathrm {tail}}\le \eta /6\).

With the above choice of parameters, \(\varepsilon _{\mathrm {smooth}}+ \varepsilon _{\mathrm {diag}}+ \varepsilon _{\mathrm {denom}}+5 (\varepsilon _{\mathrm {per}}+ \varepsilon _{\mathrm {lip}}) + \varepsilon _{\mathrm {tail}}\le \eta \) in Eq. (13). Unrolling the expression of \(Q = \log (q)\) and recalling that the quantum Fourier transform requires a quadratic number of gates [25, Ch. 5], we obtain the main theorem.

Theorem 10

Algorithm 1 solves the Dual Lattice Sampling Problem with parameters \(\eta \) and \(\delta \); it uses m calls to the Gaussian superposition subroutine (see Theorem 5), one quantum oracle call to \(\varvec{f}\), \(mQ + n\) qubits, and \(O(m^2 Q^2)\) quantum gates, where

$$\begin{aligned} Q = O\left( m\log \left( m \log \frac{1}{\eta }\right) \right) + O\left( \log \left( \frac{{\text {Lip}}(\varvec{f})}{\eta \cdot \delta \lambda _1^*}\right) \right) . \end{aligned} \tag{4}$$
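Added example (not from the paper): a numeric version of the choices of s and V in Sect. 5.3, restricted to the \(\beta \)-dependent terms \(\varepsilon _{\mathrm {smooth}}\) and \(\varepsilon _{\mathrm {diag}}\) and the conditions of Eq. (14). It assumes the V-scaled errors are obtained by replacing \(\lambda _1^*\) with \(V\lambda _1^*\), as the rescaling argument describes; the function names and the grid search are illustrative, and \(\varepsilon _{\mathrm {per}}, \varepsilon _{\mathrm {lip}}, \varepsilon _{\mathrm {tail}}, \varepsilon _{\mathrm {denom}}\) are not handled.

```python
import math


def beta(z, m):
    """beta^{(m)}_z = (2*pi*e*z^2/m)^(m/2) * exp(-pi*z^2), as recalled in Sect. 5.3."""
    return (2 * math.pi * math.e * z * z / m) ** (m / 2) * math.exp(-math.pi * z * z)


def eps_smooth(m, s, V, delta, lam):
    """eps_smooth with lambda_1^* replaced by V*lambda_1^* (assumed rescaled form)."""
    return 2 * beta(s / 2, m) + beta(2 * delta * V * lam / s, m)


def eps_diag(m, s, V, lam):
    """eps_diag = 8*beta_{lambda_1^*/s} with lambda_1^* replaced by V*lambda_1^*."""
    return 8 * beta(V * lam / s, m)


def choose_s(m, eta, step=0.01):
    """Smallest s on a grid with s/(2*sqrt(2)) >= sqrt(m) and 2*beta_{s/2} <= eta/12."""
    s = 2 * math.sqrt(2 * m)            # second condition of Eq. (14), with equality
    while 2 * beta(s / 2, m) > eta / 12:
        s += step                       # beta_z decreases once z >= sqrt(m)
    return s


def choose_V(m, eta, s, delta, lam, growth=1.001):
    """Smallest V on a geometric grid meeting Eq. (14) and eps_smooth, eps_diag <= eta/6."""
    V = s * math.sqrt(m) / (2 * delta * lam)   # first condition of Eq. (14), with equality
    while max(eps_smooth(m, s, V, delta, lam), eps_diag(m, s, V, lam)) > eta / 6:
        V *= growth
    return V


if __name__ == "__main__":
    # Constructed sample values: m = 4, delta = 1/4, lambda_1^* = 1.
    m, delta, lam = 4, 0.25, 1.0
    for eta in (1e-2, 1e-9):
        s = choose_s(m, eta)
        V = choose_V(m, eta, s, delta, lam)
        print(f"eta={eta:g}: s={s:.3f}, V={V:.3f}, "
              f"eps_smooth={eps_smooth(m, s, V, delta, lam):.3e}, "
              f"eps_diag={eps_diag(m, s, V, lam):.3e}")
```

For moderate \(\eta \) the conditions of Eq. (14) alone already force the \(\beta \) terms below their targets; only for small \(\eta \) do the error targets push s and V beyond those minimal values.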

6 From Sampling to Full Dual Lattice Recovery

We have so far focused on approximately sampling dual lattice points following weights \( \langle c_{\ell ^*} | c_{\ell ^*} \rangle \) for \(\ell ^* \in \varLambda ^*\), regardless of how useful this distribution may be. Indeed, until now, it could be that the function \(\varvec{f}: \mathbb {R}^m/\varLambda \rightarrow \mathcal {S}\) is constant, and therefore that the weight is concentrated on \(0 \in \varLambda ^*\). We would now like to make sure that we can reconstruct (approximately) \(\varLambda ^*\) from such samples, i.e., that a sufficient number of sampled vectors from \(\varLambda ^*\) will generate it. Informally, an equivalent condition is that the weight \( \langle c_{\ell ^*} | c_{\ell ^*} \rangle \) is not concentrated on any proper sublattice \(M^* \subsetneq \varLambda ^*\). More formally, we give the following sufficient conditions.

Definition 4

Let \(L \subseteq \mathbb {R}^m\) be a full-rank lattice. A distribution \(\mathcal D\) on L is called p-evenly distributed whenever \(\Pr _{v \leftarrow \mathcal {D}}[v \in L'] \le p\) for any proper sublattice \(L' \subsetneq L\).

Definition 5

Let \(L \subseteq \mathbb {R}^m\) be a full-rank lattice. A distribution \(\mathcal D\) on L is called (R, q)-concentrated whenever \(\Pr _{v \leftarrow \mathcal {D}}[\left\Vert v\right\Vert \ge R] \le q\).

Lemma 5

Let \(L \subseteq \mathbb {R}^m\) be a full-rank lattice with a p-evenly distributed and (R, q)-concentrated distribution \(\mathcal D\). Denote by S the random variable defined by the number of samples that needs to be drawn from \(\mathcal D\) such that the samples together generate L as a lattice. Then, for all \(\alpha > 0\),

$$\begin{aligned} \Pr \left[ S > (2+\alpha ) \cdot \frac{(t + m)}{1 - p- q} \right] \le \exp (-\alpha (t + m)/2) \end{aligned}$$

where \(t = m\log _2(R) - \log _2(\det (L))\).

Proof

First, we define the following sublattices of L, for any \(v_1,\ldots ,v_{j-1} \in L\).

figure a

Consider a sequence of samples \((v_i)_{i > 0}\) (from \(\mathcal D\)). We call \(v_j\) ‘good’ whenever \(\left\Vert v_j\right\Vert \le R\) and \(v_j \notin L_{v_1,\ldots ,v_{j-1}}\). We argue that we need at most \(m + t\) good vectors to generate L.

Denote \(L'\) for the lattice generated by the \(m + t\) good vectors. Then the first m good vectors ensure that \(L'\) is of rank m, whereas the last t good vectors will reduce the index of the \(L'\) lattice in L. Calculating determinants, using the fact that all good vectors are bounded by R, we have \(\det (L') \le R^m/2^t \le \det (L)\). This yields \(L' = L\).

Denote by X the random variable having the negative binomial distribution with success probability \(p+q\) and number of ‘failures’ \(m + t\). That is, X is the number of independent samples from a \((p+q)\)-Bernoulli distribution until \(m+t\) ‘failures’ are obtained. We argue that the random variable S is dominated by the random variable X, i.e., \(\Pr [S> x] \le \Pr [X > x]\) for every \(x \in \mathbb {N}\).

Again, consider a sequence of samples \((v_i)_{i > 0}\) (from \(\mathcal D\)). The probability of \(v_j\) being a ‘good’ vector is at least \(1 - p - q\), by the fact that \(\mathcal D\) is (R, q)-concentrated and p-evenly distributed. Because at most \(m + t\) ‘good’ vectors are needed to generate the whole lattice, S is indeed dominated by X. Therefore, for any \(k \in \mathbb {N}\),

$$\begin{aligned} \Pr \left[ S> \frac{t + m + k}{1 - p- q} \right]&\le \Pr \left[ X > \frac{t + m + k}{1 - p- q} \right] \le \Pr \left[ B < m + t \right] \\&\le \exp \left( -\frac{1}{2} \frac{k^2}{t + m + k}\right) \end{aligned} \tag{15}$$

where B is binomially distributed with \(\lfloor \frac{t + m + k}{1 - p- q} \rfloor \) trials and success probability \(1 - p -q\). The first inequality follows from the fact that S is upper bounded by X. The second inequality comes from the close relationship between the negative binomial distribution and the binomial distribution [12, Ch. 8, Ex. 17]. The last inequality follows from Chernoff’s bound. Putting \(k = (1+\alpha )(t + m)\) into Eq. (15) yields the claim.    \(\square \)
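Added example (not from the paper): the counting step in the proof of Lemma 5, run on the toy case \(L = \mathbb {Z}^m\) with samples uniform on \(\{-B,\ldots ,B\}^m\), so every sample has norm at most \(R = B\sqrt{m}\) and \(t = m\log _2(R)\). The sampler, the function names and the "progress" bookkeeping (a sample counts when it raises the rank or, at full rank, lowers the index) are assumptions of this sketch.

```python
import math
import random


def insert(basis, v):
    """Add integer vector v to the lattice generated by the rows of `basis`.

    `basis` maps pivot column -> row in integer echelon form (zeros left of the
    pivot, positive pivot). Only unimodular row operations are used, so the
    rows always generate exactly the lattice spanned by all inserted vectors.
    """
    v = list(v)
    for col in range(len(v)):
        if v[col] == 0:
            continue
        if col not in basis:
            basis[col] = v if v[col] > 0 else [-x for x in v]
            return
        b = basis[col]
        while v[col] != 0:                      # Euclid on the pivot column
            q = b[col] // v[col]
            b, v = v, [x - q * y for x, y in zip(b, v)]
        basis[col] = b if b[col] > 0 else [-x for x in b]


def index(basis, m):
    """Index of the generated lattice in Z^m, or None while the rank is below m."""
    if len(basis) < m:
        return None
    return math.prod(basis[c][c] for c in range(m))   # triangular determinant


def good_vector_budget(m, R):
    """m + t with t = m*log2(R) - log2(det L) and det(Z^m) = 1."""
    return m + m * math.log2(R)


def samples_to_generate(m, B, seed, max_samples=10_000):
    """Draw until the samples generate Z^m; return (samples drawn, progress steps)."""
    rng = random.Random(seed)
    basis, drawn, progress = {}, 0, 0
    while index(basis, m) != 1:
        if drawn == max_samples:
            raise RuntimeError("Z^m not generated within max_samples")
        before = (len(basis), index(basis, m))
        insert(basis, [rng.randint(-B, B) for _ in range(m)])
        drawn += 1
        if (len(basis), index(basis, m)) != before:
            progress += 1                       # rank went up or index went down
    return drawn, progress


if __name__ == "__main__":
    m, B = 4, 2                                 # constructed toy parameters
    budget = good_vector_budget(m, B * math.sqrt(m))
    for seed in range(5):
        drawn, progress = samples_to_generate(m, B, seed)
        print(f"seed={seed}: {drawn} samples, {progress} progress steps (budget {budget:.0f})")
```

The number of progress steps never exceeds \(m + t\): m of them raise the rank, and each later one at least halves a determinant that is at most \(R^m\) when full rank is first reached.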

We conclude by relating the parameters \((a, r, \epsilon )\) of the HSP oracle (Definition 1) \(\varvec{f}: \mathbb {R}^m/\varLambda \rightarrow \mathcal {S}\) and the assumption used in the above Lemma 5.

Lemma 6

Let \(\varLambda \) be a lattice, and let \(M \supsetneq \varLambda \) be a proper super-lattice of \(\varLambda \). Then there exists a \(v \in M\) such that \(d(v,\varLambda ) \ge \lambda _1(\varLambda )/3\).

Proof

Let \(w \in M\) be the shortest non-zero vector in M and write \(\left\Vert w\right\Vert = \alpha \lambda _1(\varLambda )\) for \(\alpha < 1\). We show that \(v = \lceil \frac{1}{3\alpha } \rceil \cdot w \in M\) suffices. If \(\alpha \ge 1/3\) this is certainly true. For \(\alpha < 1/3\) it is clear that \(\left\Vert v\right\Vert \ge \lambda _1(\varLambda )/3\) and \(\left\Vert v\right\Vert \le \lambda _1(\varLambda )/3 + \left\Vert w\right\Vert \le \frac{2}{3} \lambda _1(\varLambda )\). In particular, for any \(\ell \in \varLambda \setminus \{0\}\), \(\Vert v - \ell \Vert \ge \lambda _1(\varLambda ) - \left\Vert v\right\Vert \ge \lambda _1(\varLambda )/3\). Therefore, \(d(v,\varLambda ) \ge \lambda _1(\varLambda )/3\).    \(\square \)

Lemma 7

Let \(\varLambda \) be a lattice and \(M \supsetneq \varLambda \) a proper super-lattice of \(\varLambda \). Then the number \(N = \left| \left\{ c \in M/\varLambda \mid d(c, \varLambda ) < \frac{1}{6} \lambda _1(\varLambda )\right\} \right| \) of close cosets is at most \(\frac{1}{2} \cdot |M/\varLambda |\).

Proof

By Lemma 6 there exists a \(v \in M\) such that \(d(v,\varLambda ) \ge \frac{1}{3} \lambda _1(\varLambda )\). Denoting \(T = \left\{ c \in M/\varLambda \mid d(c, \varLambda ) < \frac{1}{6} \lambda _1(\varLambda )\right\} \), we can deduce that \(T \cup (T + v)\) is a disjoint union in \(M/\varLambda \). Indeed, elements \(c \in T\) satisfy \(d(c,\varLambda ) \le \frac{1}{6} \lambda _1(\varLambda )\), whereas \(c' \in T + v\) satisfy \(d(c',\varLambda ) \ge d(v,\varLambda ) - \frac{1}{6} \lambda _1(\varLambda ) \ge \frac{1}{6} \lambda _1(\varLambda )\). Therefore \(N = |T| \le \frac{1}{2} |M/\varLambda |\).    \(\square \)

Lemma 8

Let \(\varvec{f} : \mathbb {R}^m \rightarrow \mathcal {S}\) be an \((a, r, \epsilon )\)-HSP oracle of the full-rank lattice \(\varLambda \subset \mathbb {R}^m\), with \(r \le \lambda _1(\varLambda )/6\). Let \(\mathcal D_{{\text {ideal}}}\) be the distribution supported by \(\varLambda ^*\), with weight \( \langle c_{\ell ^*} | c_{\ell ^*} \rangle \) at \(\ell ^* \in \varLambda ^*\), where \(| c_{\ell ^*} \rangle \) are the vectorial Fourier coefficients of the function \(\varvec{f}\). Then \(\mathcal D_{{\text {ideal}}}\) is both \((\frac{1}{2} + \epsilon )\)-evenly distributed and \((R,\frac{ma^2}{4\pi ^2R^2})\)-concentrated for any \(R>0\).

Proof

The distribution \(\mathcal D_{{\text {ideal}}}\) being \((R,\frac{ma^2}{4\pi ^2R^2})\)-concentrated for any \(R> 0\) is a direct consequence of Corollary 5. For the \((\frac{1}{2} + \epsilon )\)-evenly distributed part, we argue as follows. Let \(M^*\) be any strict sublattice of \(\varLambda ^*\), and let M be its dual, which is then a superlattice of \(\varLambda \). Put \({ \left. \varvec{f} \right| ^{\mathbb {R}^m/M} }(x) = \frac{1}{|M/\varLambda |} \sum _{v \in M/\varLambda } \varvec{f}(x + v)\), the periodization of \(\varvec{f}\) with respect to \(\mathbb {R}^m/M\) (cf. Definition 3). We have the following sequence of equalities, of which the first follows from the Poisson summation formula (see Theorem 7).

$$\begin{aligned} \sum _{v^* \in M^*} \langle c_{v^*} | c_{v^*} \rangle&= \left\Vert { \left. \varvec{f} \right| ^{\mathbb {R}^m/M} } \right\Vert _{2, \mathbb {R}^m/M} = \frac{1}{\det M} \int _{x \in \mathbb {R}^m/M} \big \langle { \left. \varvec{f} \right| ^{\mathbb {R}^m/M} } \big | { \left. \varvec{f} \right| ^{\mathbb {R}^m/M} } \big \rangle dx, \\&= \frac{1}{|M/\varLambda |^2} \sum _{v,w \in M/\varLambda } \underbrace{\frac{1}{\det M} \int _{x \in \mathbb {R}^m/M}\left\langle \varvec{f}(x + v) \right| \left. \varvec{f}(x+w) \right\rangle dx}_{I_{v,w}} \\&= \frac{1}{|M/\varLambda |^2} \sum _{\begin{array}{c} v,w \in M/\varLambda \\ d_{\mathbb {R}^m/\varLambda }(v,w) < r \end{array}} I_{v,w} + \frac{1}{|M/\varLambda |^2}\sum _{\begin{array}{c} v,w \in M/\varLambda \\ d_{\mathbb {R}^m/\varLambda }(v,w) \ge r \end{array}} I_{v,w} \end{aligned}$$

By the definition of an \((a,r,\epsilon )\)-oracle, we have that \(|I_{v,w}| \le \epsilon \) whenever \(d_{\mathbb {R}^m/\varLambda }(v,w) \ge r\). In the rest of the cases we have \(|I_{v,w}| \le 1\), because \(\varvec{f}\) maps to the unit sphere. The above expression is therefore bounded by \( \frac{ |M/\varLambda ~ \cap ~ \mathcal {B}_r | }{|M/\varLambda |} + \epsilon \), where \(\mathcal {B}_r\) is the open unit ball with radius r. By Lemma 7, we have \(\frac{ |M/\varLambda ~ \cap ~r \mathcal {B}| }{|M/\varLambda |} \le \frac{1}{2}\) for \(r \le \lambda _1(\varLambda )/6\). Summarizing all results, we conclude that

$$\begin{aligned} \sum _{v^* \in M^*} \langle c_{v^*} | c_{v^*} \rangle \le \frac{1}{2} + \epsilon . \end{aligned}$$

Since \(M^*\) was chosen arbitrarily, we can conclude that \(\mathcal D_{{\text {ideal}}}\) is \((\frac{1}{2} + \epsilon )\)-evenly distributed.    \(\square \)

Remark 8

A similar reasoning appears in [28, Lecture 12], though it specifically targets the discrete Gaussian distribution on lattices. Despite not being general enough for our purposes, it may well be helpful for optimizing a future specialization.