Good Gottesman-Kitaev-Preskill codes from the NTRU cryptosystem

We introduce a new class of random Gottesman-Kitaev-Preskill (GKP) codes derived from the cryptanalysis of the so-called NTRU cryptosystem. The derived codes are good in that they exhibit constant rate and average distance scaling $\Delta \propto \sqrt{n}$ with high probability, where $n$ is the number of bosonic modes, which is a distance scaling equivalent to that of a GKP code obtained by concatenating single mode GKP codes into a qubit-quantum error correcting code with linear distance. The derived class of NTRU-GKP codes has the additional property that decoding for a stochastic displacement noise model is equivalent to decrypting the NTRU cryptosystem, such that every random instance of the code naturally comes with an efficient decoder. This construction highlights how the GKP code bridges aspects of classical error correction, quantum error correction as well as post-quantum cryptography. We underscore this connection by discussing the computational hardness of decoding GKP codes and propose, as a new application, a simple public key quantum communication protocol with security inherited from the NTRU cryptosystem.


Introduction
In recent years, notions of bosonic quantum-error correction with the Gottesman-Kitaev-Preskill (GKP) code [1] have seen a rapid increase of interest both in theory and in experiment, primarily due to the perspective of them contributing to a viable route towards large scale quantum computing using integrated photonic [2,3] and superconducting platforms [4].Such codes have highly attractive features for systems in which quantum information is encoded in continuous variable degrees of freedom and are specifically suitable to accommodate photon loss [5,6,7,8].
Jonathan Conrad: j.conrad1005@gmail.comWhile much research has been dedicated to obtain effective qubits from single-mode systems that are to be integrated into larger qubit-based networks [9,10], this approach is arguably only scratching the surface of the potential quantum computing with the GKP code offers compared to the toolbox offered by the more general, lattice theoretic perspective on this class of codes [11,12,13,14].
To corroborate this claim, in this work, we construct random good GKP codes derived from a cryptographic attack on the NTRU cryptosystem [15].We define and discuss a goodness property for GKP codes in the lattice theoretic framework analogous to the notion of goodness in conventional quantum-and classical error correcting codes as a stepping stone towards scalable codes.We investigate the decoding problem of this class of codes and show how the native decryption routine of the NTRU cryptosystems with access to its secret key can serve as decoder for the corresponding GKP code.
We investigate the complexity of decoding general GKP codes and highlight how our NTRU-GKP codes can be viewed as a trapdoor decodable quantum error correcting code, where decoding of the associated quantum error correcting code is expected to by computationally hard in general but becomes significantly easier when supplemented with additional (secret) information about the structure of the code.We consider this a first step towards cryptographic protocols built on the decoding problem of GKP codes which we believe can have wide application for secure quantum communication and cloud-based quantum computing and hope that this article stimulates interest in this new direction of research.
This article is structured as follows.In Section 2, we introduce basic principles of the GKP code, describe relevant aspects of the general decoding problem for the GKP code and define goodness of a GKP code family.In Section 3, we discuss a selection of notable examples of GKP codes and summarize their properties.The NTRU cryptosystem and GKP codes built on this are discussed in Section 4 where we provide evidence that they form a family of good random-ized GKP codes.We discuss the decoding problem for the NTRU-GKP codes in Section 5 and discuss a quantum public key cryptosystem (PKC) designed around the NTRU-GKP codes.Finally, we conclude and provide outlook in Section 6.

The GKP code
We build our framework on our recent exposition [12] which we refer to for an in-depth discussion; see also the original work [1] as well as refs.[11,16,13,14].The GKP code [1] is a stabilizer code acting on the Hilbert space of n bosonic modes, where stabilizers are given by displacement operators where is the symplectic form, ξ ∈ R 2n , and x = (q 1 , q2 , . . ., pn−1 , pn ) T is the generalized quadrature operator.Its stabilizer group is specified by fixing 2n linearly independent vectors ξ i , i = 1, . . ., 2n, S = D (ξ 1 ) . . .D (ξ 2n ) = e iφ M (ξ) D (ξ) , ξ ∈ L , (3) where M = (ξ 1 , . . ., ξ 2n ) T is a generator for the lattice L = Z 2n M1 and we have to denote the phase-sector when we have chosen M to be the basis for which each associated displacement operator is fixed to eigenvalue +1 by eq.(3).A = M JM T denotes the symplectic Gram matrix and A its left lower triangle.While the stabilizer group S ∼ L is isomorphic to the lattice L, its centralizer within the displacements C (S) ∼ L ⊥ -i.e. the set of displacement operators that commute with every element in Sis isomorphic to its symplectic dual lattice Code distance.The (Euclidean) code distance of the GKP code is defined as ∆ = min x∈L ⊥ \L x , the length of the shortest vector in L ⊥ not in L. The distance as defined here is a meaningful indicator for the code performance in a stochastic displacement error model if the probability that a certain displacement is realized scales inversely with its length.
The distance is also the smallest power of q in the complex polynomial where q = e iπz , z ∈ H = {z ∈ C, Im z > 0} and is the theta function of the lattice L and N ∆2 in Q L (z) counts the number of lattice points in L ⊥ \ L of squared length ∆ 2 .It is expected that the relative scaling of N ∆ 2 with ∆ 2 significantly impacts the existence and scale of the threshold of a GKP code family and is responsible for the entropic contribution to the decoding problem [9,17].We comment on this further in Appendix A. The theta function and distance are by construction symmetric under orthogonal transformations O ∈ O (2n) of the lattice L → OL, while N ∆ 2 scales with the number of orthogonal automorphisms of the lattice.
Decoding GKP codes via the closest vector problem.Upon measuring the stabilizers on displacement error D (e) and obtaining the syndromes s = M Je mod 1, one strategy is to correct back to the code space by applying a displacement in phase space with η = (M J) −1 s.Since the choice of the generator M is ambiguous, it is generally necessary to append this initial correction by a logical post-correction to minimize the probabilty of imposing a logical error.Algorithms finding the correction that minimizes logical errors given the syndromes are called decoders in this context.Assuming a Gaussian displacement error model with variance σ 2 2 , one derives the optimal post-correction [12] to be applied after an initial correction η to be given by maximum likelihood decoding (MLD) For small error rates σ → 0, the most likely coset as computed in MLD is given by the most likely individual error consistent with the syndrome.We refer to decoding based on the most likely individual error consistent with the syndrome as minimum energy decoding (MED) [9], to which the solution is presented by [18].

Bounded distance decoding (BDD)
. By nature of the Gaussian error model, it is unlikely to sample an error larger than e > √ 2nσ 2 [16,11].Hence, it is reasonable to restrict the decoding problem to bounded-distance-decoding (BDD η, L ⊥ ), which is CVP with an additional promise that dist η, L ⊥ ≤ .Given that typical Gaussian errors will be overwhelmingly of length e ≤ √ 2nσ 2 we expect to decode successfully by solving BDD η, L ⊥ with = √ 2nσ 2 .Provided a lattice basis M and its Gram-Schmidt orthogonalization M = ( ξ1 , . . ., ξ2n ) T it is known that Babai's nearest plane algorithm solves BDD when < min i ξi /2 =: M /2 [18,19], that is when we are in possession of a lattice basis such that its Gram-Schmidt reduced vectors are sufficiently long M ≥ √ 8nσ 2 .When considering code families with growing dimension 2n, errors up to the typical length √ 2nσ 2 are correctible via CVP decoding only if ∆ = O ( √ n).The scaling ∆ ∝ √ n is the distance scaling of a GKP code obtained by concatenating fixed singlemode GKP codes with a qubit quantum error correcting code with linear distance d ∝ n.Such scaling is predicted to exist by the quantum Gilbert-Varshamov bound [20,21] and explicit or randomized constructions exhibiting such scaling have been investigated in the literature, see, e.g., refs.[22,23,24,25] and references therein.We define the analogous goodness property for families of GKP codes.

Definition 1 (Good GKP codes). A GKP code family L n ⊂ R 2n parametrized by lattice dimension 2n with asymptotically non-vanishing rate
and distance scaling is good.
The existence of such a family of good GKP codes has been established by Harrington and Preskill in refs.[16,11].Their proof, based on the existence of good GKP codes obtained from re-scaling symplectically self-dual lattices with shortest vector length λ 1 (L) ≥ O ( √ n), whose existence had been shown by Buser and Sarnak [26], however, is non-constructive.In the following, we will review this construction of GKP codes, which we have called scaled GKP codes in ref. [12], list some notable examples and show how the NTRU scheme [15] yields a randomized construction of good GKP codes.

Constructions of GKP codes
Scaled GKP codes Central to the construction of GKP codes are the class of scaled GKP codes, first introduced and analysed in refs.[1,11], where a GKP code is obtained by scaling a symplectically self-dual lattice (which we will refer to as symplectic lattice) by a factor √ λ, λ ∈ N. Let L 0 = L (M 0 ) be such a 2n−dimensional lattice, where we choose M 0 as the symplectic basis [27], i.e., M 0 is such that Clearly, A 0 is integer.Hence the scaled lattice M = √ λM 0 , λ ∈ N, also retains a symplectically integral Gram matrix Such lattices are sometimes also called q-symplectic [28] with q = λ.The total encoded dimension and distance are where λ 1 (L 0 ) is the length of the shortest vector in the symplectic lattice L 0 .The sympletic dual lattice is generated by If M 0 is stated in the symplectic basis one can immediately read off pairs of vectors with symplectic inner product and symplectic inner product 0 with any other row in M 0 .The corresponding displacement operators anticommute up to phase ω λ = e i 2π λ and commute with each displacement associated to every other row of M ⊥ , such that they form the logical generalized Pauli group Some examples of symplectically self-dual lattices are well known in the literature and also have been re-derived by exhaustive numerical search in ref. [11], which we list in fig. 2 along with other symplectically integral lattices that produce notable GKP codes.The smallest GKP lattices in that table include • The Z 2 lattice with basis This is also the symplectic basis [27] for Z 2 , i.e., it is such that M Z 2 JM T Z 2 = J.We refer to the scaling of this lattice or its N -fold direct sum by the factor √ λ = √ 2 as the square GKP code It has already been noticed in ref. [1] that all Clifford operation for this code can be performed by means of symplectic operations.Furthermore, ref. [29] noticed that performing stabilizer measurements and corrective shifts on the vaccum produces the logical |H+ magic state vector.This is due to the fact that J 2 is a symplectic orthogonal automorphism (the logical Hadamard) of the lattice.This is by far the most simple and most popular GKP code discussed in the literature, which also is also owed to the fact the lattice is orthogonal such that decoding via CVP becomes a simple one-dimensional rounding protocol [18].
• The hexagonal A 2 lattice with symplectic basis This lattice is one of the root lattices in 2 dimensions and is known to yield the densest sphere packing there, capable of tightly packing spheres of radius λ 1 (A 2 ) /2 = 1 which is the highest distance one can obtain for a single-mode GKP code encoding a single qubit as it is the densest lattice packing in two dimensions [30].Interestingly, code states of the hexagonal GKP code have also been rederived in a numerical search for the most robust encoding of a qubit into an oscillator under photon loss [6].
Other high dimensional GKP codes built by scaling symplectic self-dual root lattices become increasingly complex and interesting, such as the GKP code built upon the dihedral root system D 4 examined in ref. [13], the Gosset lattice obtained from the exceptional Lie algebra E 8 or the Leech lattice Λ 24 , and warrant much further investigation in the future.

Concatenated GKP codes.
Once a logical qubit is obtained by means of a scaled GKP code, one can concatenate it with a quantum error correcting-or quantum error detecting code (QECC/QEDC) Q = [ [N, k, d]] to obtain a GKP lattice with larger minimum distance.If Q is the set of symplectic vectors representing the stabilizers of a QECC/QEDC or generally, any set of (binary) vectors such that ∀p, q ∈ Q : p T Jq = 0 mod 2, we can construct a GKP lattice by means of Construction A [30,12], which yields This lattice can be interpreted as the full-rank embedding of Q into R 2n and inherits its main properties immediately from the code properties of Q including decoding algorithms.In refs.[32,33,9,34,35], known decoding algorithms for quantum error correcting codes such as minimum-weight-perfectmatching (MWPM, which is an MED decoder) have been adapted to decode diverse concatenations of the single mode square GKP code with the popular surface, toric, color, and quantum low-densityparity-check (QLDPC) codes, where the corresponding GKP-lattices can all be understood as Construction A lattices.As noted previously, we denote the underlying multi-mode square-GKP code as L N and the full lattice corresponding to the concatenated code as L = Λ (Q), such that we have L N ⊆ L and reversely L ⊥ ⊆ L ⊥ N .These procedures have in common that one decodes in two steps provided the syndrome and a generic correction η: 1. Solve CVP on the superlattice L ⊥ N , perform the corresponding correction.This step returns one to L ⊥ N and the residual syndrome is a genuine binary syndrome for Q. 2. The qubit-level decoder solves some version of (approximate) CVP on L ⊥ provided that one starts out from L ⊥ N .Before applying this decoder one computes a metric from the syndrome on L N to take advantage of the continuous information held by the full GKP syndrome.Finally one applies the qubit-level decoder with the amended metric.In total, this decoder can be pictured as a sequence It is also known that one can solve CVP exactly on any Construction A lattice provided a soft decoder for the underlying binary code Q, see ref. [30, p. 450].This observation has, e.g., been used to construct CVP algorithms for the E 8 , which can also be understood as a Construction A lattice on the H 8 = [8,4,4] Hamming code.

Decoding complexity of GKP codes
Due to the lattice theoretic nature of GKP codes and their respective decoding problems and the well developed literature on lattice problems, it is interesting to investigate the computational complexity of decoding GKP codes from this perspective.Before we continue to construct GKP codes from a cryptosystem proposed for post-quantum cryptography in the next Figure 2: Some notable weakly symplectically self-dual (symplectic) lattices that yield GKP codes.The lower block indicates the concatenation of single mode L = √ 2Z 2 square GKP and L = √ 2A2 hexagonal GKP codes with qubit quantum error correcting-or detecting codes.Note that concatenation with L does not formally produce a Construction A lattice, but is related by a symplectic transformation S n = ⊕ n i S , S = M T A 2 to the concatenation with the square GKP code generated by M Z 2 = I2, which in fact is Construction A. The symplectically self-dual root lattices listed in this table and their use as GKP codes have previously been identified in ref. [11].The re-scaled L NTRU lattices that we use here to to construct NTRU-GKP codes are indicated between those and the "more genuine" lattices corresponding to concatenated codes.The statements about (symplectic) self-duality are generally up to scaling and rotations.
section, we show that 1. for GKP codes, MLD decoding is at least as hard as MED decoding and 2. MED decoding a concatenated (qubit-) GKP code implies a decoder for the corresponding qubit-code.
We include these statments here because we find the proofs illustrative and wish to highlight that decoding complexity of GKP codes is an interesting question deserving of our attention.Denote by eMLD the problem of evaluating the MLD probabilty given by the theta function on the RHS in eq. ( 7) CVP x, L ⊥ can be solved efficiently.
Proof.Denote by DecCVP (x, L, r) the decisional CVP problem that outputs True if dist (x, L) ≤ r.This is polynomially equivalent to the optimization-and search variants of CVP [36].First notice that we generally have If DecCVP (x, L, r) is true, then we further have for all σ ∈ R, and hence we can solve DecCVP x, L ⊥ , r by checking if above condition is true for sufficiently small σ < r.Alternatively, w.l.o.g.assume that L ⊂ Z n and x ∈ Z.Given access to we can compute to evaluate {a m } for m = 1, . . ., M , where M can be bounded by Mikowskis convex body theorem, to find the smallest non-zero coefficient a m .This solves optimization-CVP which is polynomially equivalent to its search version.
Note that here we did not show that the full MLD problem is hard.
In ref. [30, p. 450], it has (constructively) been shown that given a soft decoder for a binary code C, we can always solve CVP on the corresponding Construction A lattice Λ (C).We explain this point, which also clarifies the geometric picture on decoding concatenated codes presented in eq. ( 21).
Proof.C is embedded in Z n by identifying the (scaled and shifted In this representation we consecutively solve CVP (•, 4Z n ) and then apply the soft decoder for C, which finds the closest transformed code word c ∈ 1 As both decoders are exact, with a little care (see ref. [30, p. 450]), this solves CVP exactly.Note that the reverse direction is trivially true via the embedding of C into R n provided by Construction A and taking modulo 4Z n .A hard decoder, that solves arg min on binary input x ∈ {−1, 1} n is also derived from a soft decoder by noticing that c − x 2 2 = 4d H (c b , x b ), where x b represents the binary {0, 1} representation of x and d H is the Hamming distance.
It is known that decoding classical error correcting codes, as specified in eq. ( 27) is a computationally hard problem in general [37,38].Hardness of decoding qubit-based quantum error correcting codes has previously been investigated by reduction to the related problem on classical codes [39] to show its NPcompleteness, and by showing its relationship to computing weight enumerators of a linear code, ref. [40] has even shown its #P -hardness in worst case complexity.
By a similar line of argumentation, one notes that the coefficients of the shifted lattice theta function with counting the number of lattice vectors such that dist (x, L) 2 = m are hard to compute in general.While we do not attempt to complete such a proof here, we expect a theta-function based analysis of the decoding complexity of quantum error correcting codes using concatenation with single-mode GKP codes to yield similar results as refs.[39,40].

GKP codes from NTRU lattices
Random lattices and variations of lattice problems SVP and CVP play a prominent role in classicaland post-quantum cryptography due to their assumed hardness even for quantum computers in the worstcase, as well as due to the feature of worst-case to average-case average case reductions for such problems [41].The proof of existence of what we termed good GKP codes provided by ref. [16] can in essence be formulated using a Haar average over the moduli space of all symplectic lattices [26].The analogous heuristic to lower bound the shortest vector in a general lattice is given by the Gaussian heuristic.
Proposition 1 (Gaussian heuristic (GH)).Let L ⊂ R n be a sufficiently random full rank lattice with large n, then we expect the smallest non-zero vector in the lattice will satisfy "Proof" [42,43]: The moduli space of full rank lattices in R n with unit covolume is given by L n = SL 2n (Z) \ SL 2n (R), where the left3 quotient SL 2n (Z) indicates the equivalence up to changes of basis.There is a Haar measure µ n over L n , normalized to µ n (L n ) = 1, such that for Lebesque-integrable functions f : R n → R, we have that [44] L∈Ln where where θ is the Heaviside function.Eq. ( 32) yields (33) where We hence have that if lattices L are sampled from a random distribution close µ n in the moduli space of all lattices with det (L) = 1, the average number of non-zero lattice points of length at most R is given by the volume of the n-ball, V n (R).Similarly, it is reasonable to expect that the average number of non-zero lattice points of length at most R, when the lattice has det (L) = 1 and is sampled from an approximation to the Haar measure is given by V n (R) / det (L).
Using Stirling's approximation, the smallest R for which this number becomes non-zero is given by R ≈ n/2πe det (L) 1 n .The Gaussian heuristic motivates that lattices with λ 1 = O ( √ n) can be found amongst sufficiently random sets of lattices.Buser and Sarnak [26] showed that there is also a Haar measure over the moduli space of symplectic lattices, using which Harrington and Preskill identified the existence of good GKP codes by a similar calculation as presented above [16].
The construction of random lattices is a crucial ingredient to lattice based cryptography.
In this section we introduce the NTRU cryptosystem and show that random NTRU lattices obtained from variations of the NTRU cryptosystem are in fact symplectic, such that they allow to construct GKP codes as scaled GKP codes.We discuss scenarios where NTRU lattices are sufficiently random to follow the Gaussian heuristic or, at least, can be shown to admit a lower bound λ 1 ≥ O( √ n) with high probability.
The so-derived GKP codes share characteristics of both scaled-and concatenated GKP codes.These NTRU lattices have been originally formulated in the cryptanalysis of attacks on the NTRU cryptosystem [15,45,46,47] and their symplecticity has been motivation to further the study of lattice reduction algorithms for symplectic lattices [28].As GKP codes, these lattices are particularly interesting as they can be understood as certain generalization of cyclic quantum error correcting codes such as the well known XZZX − [ [5,1,3]] quantum error correcting code [48] or the repetition code and have a similar algebraic basis as the recently introduced lifted product codes [23].

The NTRU cryptosystem
We describe the NTRU cryptosystem to the degree necessary to understand the structure of the corresponding lattices and GKP codes constructed here.For more detail we refer the reader to the cited literature.The presentation here is largely derived from the presentations in refs.[15,46,47,49,50,51].
The NTRU cryptosystem is most natively formulated using polynomial rings R = Z [x] /Φ, where we will take the quotient Φ = x n + Φ n−1 x n−1 + . . .+ Φ 0 as Φ = Φ 0 := x n − 1 in the bulk of this paper, as used in the original description of the (heuristically secure) NTRU cryptosystem [15].We will keep Φ general whenever possible to be able to discuss the provably secure version of the NTRU cryptosystem [50] with irreducible Φ = x n + 1 later.We denote R q = R/qR with a typically large modulus parameter q and R p = R/pR with a typically small p coprime with q.Whenever we take the modulus, mod q or mod p, we refer to the (coefficient-wise) reduction into the centered fundamental domains − q 2 , q 2 resp.− p 2 , p 2 .We denote multiplication in R as f g mod Φ, f, g ∈ R, where we assume the reduction mod Φ ( mod q/p) to be implicit by specifying the image and use a bold f = coeff(f ) to refer to the coefficient vector f = (f 0 , f 1 , . . ., f n−1 ) of f ∈ R (note that any polynomial in R can be represented with n − 1 coefficients, for that every power x n can be replaced by x n − Φ when working over mod Φ.
Denote the uniform distribution of polynomials p ∈ R q with d 1 coefficients +1, Further denote the set of invertible elements in R q , i.e., elements f for which f −1 ∈ R q exists, as R × q .The NTRU cryptosystem, specified by parameters (n, Φ, d, q, p) operates as follows: Return the secret key pair (f, g), and the public key h = gf −1 ∈ R q .
2. Encryption: Given the public key h ∈ R q and a message m ∈ R p , sample a random polynomial r ∈ R p and compute the ciphertext c = hr + m ∈ R q .
3. Decryption: Given the ciphertext c and secret key f , compute cf mod q mod p = gr + f m mod q mod p = m ∈ R p .
The secret key polynomials (f, g) ∈ R × q × R q are by construction such that f mod p = 1 and g mod p = 0. Decryption is guaranteed to be successful whenever all the coefficients involved are sufficiently small, such that cf = gr + f m holds as equality in R, and not just merely in R q [42].

Symplectic ideal and NTRU lattices
The security assumption underlying this cryptosystem as the in-retrievability of the secret key is the hardness of the polynomial factorization problem in R q and secret key retrieval attacks have been formulated already in early analyses of the NTRU cryptosystem [15,45,47].
Assumption 1 (Polynomial factorization problem [47]).Given a polynomial h = f −1 g ∈ R q where the coefficients are small compared to q.For suitable parameter settings it is intractable to find to small polynomials f , g ∈ R q such that f h = g ∈ R q .
Under the premise that the coefficient vectors of the secret key (f, g) are short, a typical attack is formulated as the task of finding short polynomials (f , g ) ∈ R 2 q such that f h = g ∈ R q , where the length of the polynomial pair is defined as the norm of their joined coefficient vectors (f , g ) l = (f T , g T ) l .We will use the l = 2 norm unless specified otherwise.The attack is carried out by defining the NTRU lattice as an R-module L R ⊆ R 2 , which admits a basis in its Hermite normal form Elements of the R-lattice are of the form each of which represent admissible solutions to the equation f h = g ∈ R q , such that short vectors in L R are expected to correspond to the NTRU secret key pair.In a more general classification, one can view the R-lattice L R = L R (h) as an rank-2 ideal lattice [52] , corresponding to the principal ideal H R is, in fact, also a q-symplectic matrix in R 2×2 , with respect to the symplectic form with because h is a scalar in R.
Analyses of lattices and associated algorithms are typically formulated over Z-lattices, where linear combinations of basis vectors are taken with integer coefficients.We map the rank-2 R-lattice L R to a rank-2n Z-lattice L ⊆ Z 2n×2n by defining a homomorphism onto a Z n×n matrix where the rows are given by the vectors T Φ f and implements the map f → xf mod Φ ∈ R on the coefficient vector f of f by left multiplication.C Φ is linear over Z, such that we can express the homomorphism on every polynomial f ∈ R as where we have used that C Φ (1) = I n ∀Φ.In this representation, it is evident that C Φ (f ) acts via right action (44) and that indeed represents a homomorphism.When Φ = Φ 0 = x n − 1, C Φ (f ) is simply the (row) circulant matrix of the coefficient vector f .Circulant matrices are not symmetric, but have a mirror symmetry along the anti-diagonal, We also define a related map where Since A Φ is also Z-linear, here we have where, for Φ = Φ 0 = x n − 1, we have that is the orthogonal coefficient mirror σ = σ T that maps the coefficient vector The so-defined maps allow us to define map the earlier defined R-lattice L R onto a lattice L = L(h) ⊆ Z 2n by applying the corresponding homomorphism on the entries of the basis It can be checked that the lattice spanned by the basis contains all secret key pairs (f T g T ) corresponding to solutions f h = g ∈ R q .It is however not symplectic.For Φ = Φ 0 we, however, have that is indeed symplectic and corresponds to a rotation of the lattice L, since (σ ⊕I n ) is unimodular.This is the basis used by Coppersmith and Shamir in their attack on the NTRU cryptosystem [45,47].We generalize this observation to the following statement.
Lemma 3.An NTRU lattice L ⊆ Z 2n ⊂ R 2n given by generator is equivalent to a q-symplectic lattice L ⊂ R 2n for all h if there exists a signed permutation matrix is symmetric.
Proof.A lattice generated by M with is equivalent to a lattice generated by M , such that det M = det M if and only if there exists a unimodular matrix U and an orthogonal matrix O such that M = U M O [30].
Corollary 1. NTRU lattices over Φ = Φ 0 and Φ = x n + 1 are equivalent to q-symplectic lattices Proof.For Φ = Φ 0 we already saw earlier that σ Φ0 = σ provides a symmetric matrix σC Φ (h) for all h.For Φ = x n + 1 this is also the case, with and A Φ (1) C Φ (h) = A Φ (h) is such that the first row is h T and every other row is generated by permuting the first element around the "periodic boundary" on the right to the left while adding a −1 factor.This matrix is clearly symmetric and σ, σ Φ are signed permutations.
Finally, the fact that these NTRU lattices L corresponds to ideals I = h ⊆ R equips them with the symmetry L = (T Φ ⊕ T Φ )L.When Φ = Φ 0 we have that the symmetry is n-fold, T n Φ0 = I and similarly for Φ = x n + 1 we have T n Φ = −I.Henceforth we will default to Φ = Φ 0 unless otherwise specified and omit the corresponding Φ 0 index from C Φ0 and A Φ0 .The anti-circulant matrix A (h) = σC (h) implements a homorphism from R with respect to a modified matrix multiplication We denote A (f ) σ =: On Z n , ciphertexts produced by the NTRU encryption with secret key pair (f, g) and public key h take the form and decryption is carried out by left-multiplying with A σ (f ) and reducing mod q and mod p.
The corresponding q-symplectic generator of the underlying lattice is given by which is already a q-symplectic basis for the weakly symplectically self-dual lattice L.
We use this lattice as starting point to define a scaled GKP-code by taking L = (λ/q)L with generator M = (λ/q)H.Similar to the discussion earlier, the GKP code built this way will encode D = λ n logical dimensions with symplectic dual and distance For randomly chosen f, g ∈ R, the Gaussian heuristic gives an estimate for the shortest vector length and has been used in the original NTRU work to argue about the security of the scheme [15].If the Gaussian heuristic were to hold, the so-constructed NTRU lattices would attain parameters which are good.However, the Gaussian heuristic does not always hold for NTRU lattices with arbitrary parameters.Due to the the sub-lattice qZ 2n ⊂ L there always exist trivial vectors qe i , i ∈ [1, 2n] of length q in L which yield logically non-trival vectors of length q/λ.A shortest vector length λ 1 (L) growing with √ n can however be maintained by choosing suitably large q scaling with n.Furthermore, NTRU lattices (with Φ 0 ) are constrained by 1. being cyclic lattices and 2. having an existing inverse of f ∈ R q and 3. having a fixed number 2d of non-zero coefficients in the vector corresponding to the secret key (σ (f ) T , g T ) T ∈ L, which on the one hand make it not immediately clear if they would be sufficiently random for the Gaussian heuristic to hold, and on the other already present short vectors of length ≤ O( √ d).These points have been addressed in refs.[53,54], where the authors show the following statement.This statement gives us confidence to claim that random NTRU lattice based GKP codes as constructed above can be expected to be good when the parameters are chosen properly, as summarized by the following.
Proposition 2 (Good codes from NTRU lattices).A GKP code with L = (2/q)L, where L is the NTRU lattice over Φ 0 specified in the basis eq. ( 59) qubits and has with probability greater than 1 − 2 −0.1n a distance given by For sufficiently large constant q and n ≤ q 2 /0.28 this defines a randomized family of good GKP codes.
Proof.Follows immediately from corollary 2 and the GKP-code construction laid out in the main text.

Numerical results
In fig.3, we have computed the shortest vector lengths for N sample = 100 randomly sampled NTRU lattices for varying q and n with p = 3, which are put in comparison with samples over (less constrained) random cyclic lattices, where h is sampled randomly from R q and (more constrained) NTRU lattices with f invertible in R q and bounded non-zero entries d = n/3 (in panel b)) and with even more constrained NTRU lattices where we also required the public key h to be invertible in R q .In this case we obtain g from the amended distribution g ∼ pD(d+1, d) since otherwise g -and thus h -would have a trivial root g(1) = 0 rendering the polynomial non-invertible.
In our statistics we observe that random cyclic lattices appear to agree well with the Gaussian heuristic, while the growth of the shortest vector length of the NTRU lattices degrades with increasing q, but adheres well to the bound given in Corollary 2. Based on our numerics, we also conjecture the following.

Conjecture 1 (Good GKP codes).
A GKP code with L = λ/qL, where L is specified by the basis in (59) and h is selected at random from R q = Z q [x] / x n −1 , is likely a good code with k = n and Conjecture 2 (Good GKP codes).A GKP code with L = λ/qL, where L with det L = q n is equivalent to NTRU lattice specified by the basis in (59) and h = g/f ← f, g are sampled at random from a Gaussian distribution with variance σ 2 = q in R q = Z q [x] / x n + 1 , q ≥ poly(n) and n ≥ 8 a power of 2 is likely a good code with k = n and In contrast to the previous statement, these distance bounds do not suffer from choosing larger modulus q, but we can pick it arbitrarily large to obtain high distances.In particular, conjecture 2 references the version of the NTRU crptosystem discussed in ref. [50].
The trivial sub-lattice L q = qZ 2n ⊆ L which enforces the q modularity in the cryptographic setup is analogue to the structure of concatenated (hypercubic) GKP codes L triv = √ λqZ 2n ⊆ L, such that the lattices L defined above may be interpreted as a concatenated (qudit) GKP code where L triv defines the underlying single mode qudit-code with D = λq.It is interesting that this class of NTRU-GKP codes thus shares characteristics of both scaled-as well as concatenated GKP codes.

Decoding GKP codes from NTRU lattices
A code state that (either through a natural error process or by deliberate modification) undergoes a displacement by gives rise to trivial syndrome Due to the simple orthogonal structure of L triv a first step of the correction is easily carried out by applying the correction η = −s triv / √ λq.After correcting for the trivial syndrome (associated to the underlying hypercubic GKP code) the remaining error is the unknown, but likely short, vector The residual error can be considered as living on the scaled q-ary lattice . (72) The remaining syndrome is In the first block of the syndrome qs 1 = v − A (h) u mod q we recognize the structure of the NTRU ciphertext.The position of the message is taken by m = v and the random vector is replaced by r = −σ(u).Following the standard NTRU decryption process now allows to obtain v mod q mod p as well as when h is also chosen to by invertible in R q with inverse h −1 .When p is not prime, we can instead obtain u mod q mod p i for each prime factor p i of p and estimate u mod q via the Chinese remainder theorem.We refer to this decoding routine as NTRUDecode and provide some small scale numerical tests in appendix B.
Alternatively, we can decompose the remaining syndrome as invertible mod q g ← pDZ, √ q invertible mod q h = g/f mod q q = 4 q = 16 q = 64 q = 256 q = 1024 q = 167 q = 367 q = 509 q = 1021 q = 2027 where h is invertible in Rq for varying q = 2, . . ., 2048.In d) we sample NTRU lattices generated with the irreducible quotient Φ = x n + 1, where n is a power of 2. For each n ∈ [2,24] we sample 100 NTRU lattices and compute the shortest vector by computing the HKZ reduced lattice basis.For reference, we plot the expected shortest vector length from the Gaussian heuristic λ (n) = nq/πe in blue and the expected lower bound λ0 (n) = √ 0.28n in red.In panel d), we have also included a green line at √ q, which is the standard deviation of the discrete Gaussian distribution f, g are sampled from and is related to a probabilistic lower bound for n ≥ 8 a power of 2 on the shortest infinity norm λ ∞ 1 (L) derived in ref. [50].
where the vector on the RHS is element of the flipped NTRU lattice generated by the public basis Equation ( 75) shows that a likely, i.e., small, error vector v −u can indeed be obtained by solving CVP L J , qs .In appendix B, we implement an approximation of this CVP instance using Babai's nearest plane algorithm with the HKZ reduced flipped public basis as BabaiDecode again only for small parameters n.
We recognize that the solving CVP or BDD on the respective NTRU lattices provides a viable route to decoding.To analyze how well decoding can be carried out efficiently when provided only the publicvs.the secret basis, we analyze the radius , up to which BDD can be implemented given the respective bases.

Bounding BDD
The maximum BDD -radius achieved by using Babai's nearest plane algorithm using this basis where we write B = ( bT 1 , . . ., b * T 2n ) T for the Gram-Schmidt orthogonalization of B.
The secret key pair (f, g) can be extended to a full rank secret basis [55,56,50] which constitutes an equivalent lattice basis in is symplectic in R 2 .The vector (F, G) ∈ R 2 is typically chosen to be the minimal representative modulo multiples of (f, g) in R and can be approximated efficiently using Babai's algorithm [55,56,50].By applying the circulant homomorphism, this secret basis is mapped to a secret basis for the lattice in Z 2n on which the GKP-NTRU lattice is defined -note that the symplectic basis obtained from the public key, eq. ( 59) is obtained from this by a rotation and change of basis using σ Φ .Due to this simple relationship, we perform the following analysis in the nonrotated basis w.l.o.g. .By leveraging symplecticity, we can derive lower bounds on the BDD-radius achieved using this secret basis.By comparing this to solving BDD when the input public basis is δ-LLL reduced, we obtain an almost exponential separation between the BDD radius provided by the public and private basis.Proposition 3. Let q ≥ n.Using the secret basis Babai's algorithm solves BDD with which is at worst on a scale of O (1/poly(n)), while using the δ-LLL reduced public basis obtained from we have which is on a scale of o(e − √ n ln n ln (1/δ) ).
Proof.We define the conjugation of polynomials R → R : Using the homomorphism to circulants we have that where the last line is obtained using the defining operation f G − gF = q ∈ R. We will from now on omit the subscript Z .This equation identifies the canonical symplectic dual of the basis B Z as which is related to the canonical euclidean dual by a J−rotation [12] the Gram-Schmidt diagonalization of the canonical euclidean dual B * in reverse order, where R i,j = δ n−i,j and such that min The Gram-Schmidt norm is trivially upper bounded by (94) such that we obtain (95) This lower bound on the Gram-Schmidt norm of the secret basis is large, when the secret key pairs (f, g), (F, G), with length on a scale of O ( √ n) are short relative to q ≥ n, which is expected to be the case by construction of the cryptosystem.More concretely, for Φ = x n +1, the NTRUSign construction in [50,Lemma 4.6] asserts that (F, G) can be found such that (F, G) ≤ σn, where σ ≈ n c √ q is the standard deviation of the discrete Gaussian distribution used to sample the discrete Gaussians.This bound yields a BDD radius not smaller than B ∼ O (1/poly(n)).
We compare this to the bound obtained from the public basis, when the input basis H is δ-LLL reduced [57].Building on an argument by Eldar and Hallgreen, Ducas and van Woerden [58,59] have shown that for a q-ary lattice (for q = c n ), Babai's algorithm can solve BDD up to which has also been extended to general q in ref. [60].

Quantum public key communication from NTRU-GKP codes
In addition to its usual use as a QECC, the fact that the NTRU-GKP codes have the additional property that decoding for a stochastic displacement noise model is tightly related to decrypting the NTRU cryptosystem suggests that the NTRU-GKP codes presented here may be used for both, quantum error correction and a new kind of quantum public key communication scheme at the same time.One may interpret NTRU-GKP codes as trapdoor decodable quantum error correcting codes.That is, while stabilizer measurements can be performed and code states prepared using only access to the public key h, knowledge of the corresponding secret keys (f, g) of the NTRU cryptosystem is necessary for reliable and efficient decoding.In the following we outline how instances of the NTRU-GKP code can be used to set up a private quantum channel [61] with quantum information being sent from Bob to Alice, in that quantum information is transmitted in a fashion that is oblivious to an eavesdropper with limited computational power who has access to the physical quantum channel used for transmission.The workings of the here proposed cryptosystem is similar to that of a one time pad (OTP), where every OTP instance corresponds to a random displacement error applied to an NTRU-GKP code instance such that the syndrome of the random displacement error encodes a ciphertext of the NTRU scheme.The security of this scheme under the assumption that decoding a quantum error correcting code -i.e., finding small errors that are consistent with the syndrome -is necessary to retrieve its logical content is then immediately inherited from the corresponding classical NTRU cryptosystem.While we have carried out most of our exposition with the only heuristically secure version of the NTRU cryptosystem originally presented in ref. [15] with quotient Φ 0 = x n − 1 and secret key sampling from the uniform binary distributions n , we have also shown that NTRU-GKP codes can be constructed using irreducible quotients Φ = x n + 1, n a power of 2, and q ≥ poly(n) while secret key pairs are sampled from discrete Gaussian distributions.This is the setting chosen for a provably secure version of the NTRU cryptosystem discussed in ref. [50], where the public key is shown to be pseudorandom and security is inherited from the (average case) hardness of the ring based R − SIS and R − LWE problem.
The public key protocol, also described in fig. 4 is sketched as follows: 1. Alice samples a secret key pair (f, g) and computes the public key h, which is communicated to Bob.
2. Bob produces a code state described by the GKP code using the basis (λ/q)H(h) and samples an error corresponding to a random message e 0 = (−r, m)/ √ λq, according to the specifications of the NTRU cryptosystem, by which he displaces the state.He transmits the state to Alice.

Alice measures the stabilizers and decodes the
state, e.g., via the NTRU decryption routine or by employing Babai's algorithm as outlined before using the secret key pair (f, g).She has hence received the to her unknown state from Bob through the error corrected private quantum channel.• Compute public key pk = h = g/f mod q.
• Measure stabilizers in basis M = H (h).
• Error correct state and decode using secret key sk = (f, g).

Bob
• Produce code state stabilized by NTRU-GKP code with public key pk = h.
• Send state to Alice.To our knowledge, this setup presents a new paradigm of quantum cryptographic protocols.We summarize points in support of its security.
Necessity to decode.In order to unambiguously obtain the logical code state, it is necessary to find a correction e consistent with the syndrome such that e 0 + e ≤ ∆/2.Since e 0 ∞ ≤ 1/ √ λq and the smallest element in L ⊥ is of length ∆, this amounts to decrypting the NTRU ciphertext in the syndrome to identify e 0 .Towards a first cryptanalysis, we examine to which degree an adversary is able to distinguish a quantum ciphertext.Let |ψ be a logical code state vector specified by a GKP-NTRU code with lattice L. We examine the eigenvalue of logical Pauli observables obtained when the initial code state is encrypted by applying the random displacement D (e 0 ), a syndrome s (e 0 ) = M Je 0 mod 1 is obtained and a generic correction via η = (M J) −1 s (e 0 ) is applied.With this yields a generic correction where c = m + A Φ (h)r mod q is the associated NTRU ciphertext.The total remaining error after correction thus is We compute which shows that for an input code state vector |ψ , after encoding and generic correction, the eigenvalues of logical Pauli operators corresponding to rows i = n + 1, . . ., 2n in M ⊥ obtain a random phase e i 2π λ ri−n .This observation suggests that, for λ = 2, without access to the random string r embedded in the NTRU ciphertext in every instance, the quantum state is effectively projected onto a state that is diagonal in the logical Pauli-Z basis and quantum superpositions are washed out.This situation is similar to that of half a quantum OTP, where only one type (either X or Z) of Pauli operators is used in the encryption.
Orthogonality.For a fixed quantum state vector |ψ , different error realizations D (e 0 ) where e 0 < ∆/2 map the state to mutually orthogonal states (sectors of the QECC).This is guaranteed by the quantum error correction conditions.Without applying suitable corrections, separate encodings of the same logical quantum state vector D (e i ) |ψ are expected to appear uncorrelated.
We leave a further study of the degree of quantum security of this scheme as challenge for future work.It is important to stress that the security of this scheme is not based on information theoretic arguments, but on computational limitations of an eavesdropper, giving rise to a new situation in quantum cryptography.For a practical security analysis it would be furthermore meaningful to study how potential security claims can sustain when also considering the finite squeezing error present in physical GKP states [7,62].
In addition to the possibility of obtaining a classical public key private quantum channel by this construction, this scheme is also expected to be tolerant against additional errors imposed by the channel.Ad-ditional displacement errors would effectively change the "quantum encoded" NTRU ciphertext as encoded in the syndrome, but as long as the additional error together with the initial random displacement implemented by Bob are sufficiently smaller than the euclidean code distance, the transmitted logical quantum state is still expected to be decoded correctly.
As computation and transmission of quantum information encoded in GKP codes using photonics and integrated optics is becoming technologically ever more developed, this setup is interesting for the reason that to transmit quantum information one would potentially use a (bosonic) quantum error correcting codes anyways.Our construction highlights that this can be done with in-built security options without explicitly concatenating the encoded qubits into a separate cryptographic protocol.

Conclusion and outlook
In this work, we have introduced the randomized construction of good GKP codes using the NTRU cryptosystem and discussed how a decoder for these codes can be obtained from variations of the NTRU decryption process.
We have discussed the use of these codes in a public key quantum communication scheme where we expect to inherit a conditional security guarantee from the original cryptosystem.This defines a trapdoor decodable quantum error correcting code for which the core idea is that we can provide "bad" bases for suitably chosen GKP codes that allow an agent to prepare code states and measure stabilizers but -without access to a "good" secret basis -require exponential overhead to decode the syndrome.We leave as open challenge to either prove or disprove the quantum security of our scheme.More broadly, this idea also opens the door to potential client-server schemes where a client requests a server -capable of preparing GKP states and carry out Gaussian operations -to carry out computations on client-specified GKP codes and measure stabilizer syndromes without giving the server the power to decode efficiently to apply logical corrections.
It is also worth mentioning that the NTRU cryptosystem has multi-key homomorphic properties with respect to adding and multiplying the message-and random bit-strings [63].Beyond the scope of this work, we expect it to be possible to leverage these homomorphic properties to design more advanced NTRU-GKP codes for the secure and error corrected transmission of quantum states.Effective NTRUlattices derived from products of public/secret keys correspond to non-principal ideals of the underlying ring, which makes for an interesting generalization of our setting.Alternatively, it would also be interesting to examine symplecticity for higher rank module lattices.Higher rank module lattices over polynomial rings have previously found application in quantum error correction, e.g., in the work of Pantaleev and Kalachev [24] to construct high distance quantum LDPC codes, who consider binary polynomial rings with quotient Φ 0 = x l − 1 and where the element-wise homomorphism of basis elements of the R-module basis to circulants is termed lift.
On the hardware level, we also expect that the cyclic structure of these codes can be helpful in the design of modular stabilizer-measurement architectures with a fixed stabilizer-measurement gadget that is coupled to the data modes with shifted mode-index and at alternating delay.The short length of the corresponding displacements when the stabilizers generators are measured in the secret basis implies a reduced overhead in required interaction time/strength when the required connectivity is present and further highlights a physical advantage in having access to the secret basis for several meaningful physical platforms.
For future work, it would be interesting to improve on the decoders, such as adapting our proposition of BabaiDecode by adapting Babai's nearest plane algorithm to include information about the biased input error distribution eq.( 72), to design a better approximation to MLD decoding NTRU-GKP codes and provide numerical studies for large n.
We have highlighted the complexity of decoding GKP codes as an interesting subject to study and we expect that, using concatenation, computational complexity questions on the GKP-lattice level can be put into tighter relationships with corresponding problems in qubit-codes and equivalent questions in classical error correction.It would further be interesting to identify other ideal lattices that can be used to construct GKP codes.
Finally, it is worth mentioning that the relationship between GKP quantum error correction and cryptography runs even deeper.Physical, i.e., normalizable, realizations of GKP states obey a phase-space probability distribution very similar to that of a discrete lattice Gaussian distribution.Quantum states as such, and the ability to produce and sample from them, play a central role in the quantum reduction from SVP to the learning with errors problem [64].Given the ability to efficiently prepare approximate GKP-state by measuring its stabilizers, we leave as final open question in how far it is possible to sample from discrete lattice Gaussian distributions using physically preparable GKP states.and Nathan Walk for many helpful comments on a later version.JC thanks the Joint Center for Quantum Information and Computer Science (QuICS) at the University of Maryland for their kind hospitality during the final preparation stages of this project and many stimulating discussions.During preparation of this manuscript JC was also temporarily affiliated with the AWS CQC and Caltech, which he also thanks for their hospitality.
We gratefully acknowledge support from the BMBF (RealistiQ, MUNIQC-Atoms, PhoQuant, QPIC-1, and QSolid), the DFG (CRC 183, project B04, on entangled states of matter), the Munich Quantum Valley (K-8), as well as the Einstein Research Unit on quantum devices, for which this is an inter-node joint project.

A Thresholds of GKP codes
In this section, we sketch how the existence and value of a threshold for a GKP code family can be analyzed using the lattice theta function.For simplicity, assume a zero syndrome s = 0 on a lattice L n that is part of a family of lattices scaling with n.The probability for the state to be in the ξ ⊥ n = 0 coset is given by P denotes the probability to be in any logical coset and z = i/(2πσ 2 ).A necessary condition for a GKP code family to exhibit a threshold is satisfied if there exists z * ∈ iR such that for any |z| We write where we have n corresponds to a shortest representative of the logical coset given by ξ ⊥ n , such that the threshold condition becomes where ∆ is the Euclidean code distance of the code L n as defined in previous sections that we assume to grow with increasing n.Since each term in the sum is positive, a necessary condition for asymptotic error suppression becomes Hence, under negligence of all higher order terms we can upper bound the threshold as which shows the impact of the entropic contribution N ∆ 2 (L n , ξ ⊥ n ) on the potential threshold.

B Numerical results on decoding NTRU-HPS
In this section we report some small scale numerical experiments we have conducted on decoding the NTRU-GKP code (with Φ 0 = x n − 1) in the small n regime, where numerical experiments where feasible within the scope of this work.The following codes are obtained as the NTRU lattice with the largest shortest vector length amongst 100 samples of NTRU key pairs (f, g), where each instance of the SVP problem is solved by full HKZ reduction.We aim at correcting errors up to a standard deviation σ * = σ * / √ 2π with physical standard deviation of σ * = 0.1.By solving for n, q in ∆/2 ≥ √ 2nσ 2 using the bound in theorem 2, we trial q = 8 as a reasonable parameter.
The parameters of the codes we obtained are summarized in fig. 5.For comparison, notice that a standard square GKP code concatenated with a small [[n, 1,3]] qubit code has distance ∆ = 3/2 = 1.22 using typically n = 5 to 9 qubits to encode a single logical qubit while here a similar distance is achieved while encoding k = n logical qubits.Using these codes we simulate the error correction process on N samples = 10 5 Gaussian distributed errors with physical variance σ 2 = 2πσ 2 .The data displayed in fig.6 shows σ 2 = 2πσ 2 on the x-axis denoting the physical variance of Gaussian displacements and p err as the logical error rate conditioned on successful decoding in the sense that the decoder successfully undid the syndrome.We also plot p check , denoting the rate of decoding failures, i.e., the rate by which the decoder fails to output an error with the correct syndrome that is input to the decoder.The standard deviation on the estimates for p given by p = p err (1 − p err )/N sample is included in the plots but due to the sample number of N sample = 10 5 is of negligible size.For comparison, we also plot in black In total, we make the following observations.
• BabaiDecode has a rate of decoding failures matching p(n, q, σ), suggesting that decoding fails whenever the original error lies outside of the Voronoi Cell of L ⊥ triv = Z/ √ 2q.When decoding is successful, the logical error rate is negligible.
• NTRUDecode consistently corrects successfully, i.e., returns the state to code space, and has a conditional logical error rate that is smaller than p(n, q, σ).The logical error rate is however consistently larger than that of n square GKP codes, which is negligible in this parameter range.For σ ≈ 1.13 we observe a "threshold"-like behaviour in the transition between the sampled n = 17 and n = 23 code.
• There appears to be no significant difference which p we choose.
The performance of these codes appears to be relatively poor when compared to more conventional multimode codes, such as the toric-GKP code [9], which we expect to be mainly the case due to the extremely small n, q parameter regime we have simulated.
Further contributing factors to this observation may be that by decoding via essentially MED decoders, we ignore a significant entropic contribution to the optimal MLD problem.We have a number of minimal logical shifts N ∆ 2 ≥ n since the lattice L is invariant under the cyclic shift T : T n = I, which is expected to be a relevant factor in the full MLD decoding problem.Another factor is that the NTRU decryption process used in NTRUDecode is in fact not tailored to a Gaussian distribution of random bits, but rather is originally set up to decrypt a message hidden away using random strings r sampled from an uniform distribution.BabaiDecode improves upon this fact in spirit by employing the nearest plane algorithm in the decryption process, but ignores the biasing of the error distribution, eq. ( 72), from the first step of the decoding routine which is a necessary step in order to interpret the decryption process as a CVP.
It is interesting to observe that BabaiDecode consistently displays a negligible logical error rate but quickly rises to high decoding failure rate, which worsens as the code is scaled up and that for NTRUDecode we do observe a parameter range where the decoder displays a lower logical error rate than p(n, q, σ).This shows that  the decoder indeed non-trivially decodes errors.Overall, it appears necessary to perform larger scale numerical studies at large n, q to examine the possibility of a threshold.The sagemath [65] and python code as well as all numerical data presented here is publicly available under ref.[66].sagemath functionalities to construct NTRU lattices are partially adapted from ref. [67].
which is equivalent to L ⊆ L ⊥ and A being integer.Compactly, GKP codes are represented by weakly symplectically self-dual lattices L ⊆ L ⊥ where the elements in the symplectic dual quotient L ⊥ /L label the group of logical Pauli-operations of the code encoding D dimensions, which has size | det (A) | = D 2 .When we encode collections of qubits, k = log 2 (D) = log 2 (| det (M ) |) = log 2 (| det (L) |) denotes the number of encoded logical qubits, which grows logarithmically with the determinant of the stabilizer lattice.
trivial stabilizer lattice and has a probability distribution induced by the trivial syndrome and correction P (e ) ∝ t∈Ltriv e − (e +s triv +t) 2 2σ 2

Figure 3 :
Figure 3: Shortest vector lengths computed via full HKZ reduction of a) random cyclic (Φ0 = x n − 1) lattices as generated by the hard lattice generator in sagemath, b) random NTRU lattices with p = 3 and d = n/3 and c) random NTRU latticeswhere h is invertible in Rq for varying q = 2, . . ., 2048.In d) we sample NTRU lattices generated with the irreducible quotient Φ = x n + 1, where n is a power of 2. For each n ∈[2,24] we sample 100 NTRU lattices and compute the shortest vector by computing the HKZ reduced lattice basis.For reference, we plot the expected shortest vector length from the Gaussian heuristic λ (n) = nq/πe in blue and the expected lower bound λ0 (n) = √ 0.28n in red.In panel d), we have also included a green line at √ q, which is the standard deviation of the discrete Gaussian distribution f, g are sampled from and is related

Figure 4 :
Figure 4: Outline of the private quantum channel established using the NTRU-GKP code as described in the main text.
logical error probability of n qudits with d = 2q encoded into the trivial sub-lattice L triv = √ 2qZ 2n corresponding to a hypercubic GKP code as well as in grey p(n, 1, σ), corresponding to the logical error probability of n square GKP codes each encoding a single logical qubit.We further provide results for simulations of NTRU-GKP codes separately sampled from distributions b) and c) as denoted in fig.3.The parameters listed below in fig.7reflect the codes simulated in figs.8, 9, 10.

Figure 7 :
Figure7: Lattice parameters for random NTRU lattices.The table on the right summarizes the results when additionally h is required to be invertible.
Figure6: Numerical results for the NTRU-GKP codes using the NTRU decryption routine NTRUDecode (left) and BabaiDecode (right) for NTRU-GKP lattices where h is invertible.Here, the parameters q = 8 and p = 3 are fixed.perr (dots) denotes the the logical error rate conditioned on successful decoding and p check (stars) denotes the rate of decoding failures.