Modular Lattices from a Variation of Construction A over Number Fields

We consider a variation of Construction A of lattices from linear codes based on two classes of number fields, totally real and CM Galois number fields. We propose a generic construction with explicit generator and Gram matrices, then focus on modular and unimodular lattices, obtained in the particular cases of totally real, respectively, imaginary, quadratic fields. Our motivation comes from coding theory, thus some relevant properties of modular lattices, such as minimal norm, theta series, kissing number and secrecy gain are analyzed. Interesting lattices are exhibited.


INTRODUCTION
Let K be a Galois number field of degree n which is either totally real or a CM field. Let O K be the ring of integers of K and p be a prime ideal of O K above the prime p. We have O K /p ∼ = F p f , where f is the inertia degree of p. Define ρ to be the map of reduction modulo p componentwise as follows: (1) ρ : . , x N ) → (x 1 mod p, . . . , x N mod p) for some positive integer N . Let C ⊆ F N p f be a linear code over F N p f , that is a k-dimensional subspace of F N p f . As ρ is a Z−module homomorphism, ρ −1 (C) is a submodule of O N K . Since O K is a free Z−module of rank n, ρ −1 (C) is a free Z−module of rank nN . Let b α : O N K × O N K → R be the symmetric bilinear form defined by (2) b α (x, y) where α ∈ K ∩ R andȳ i denotes the complex conjugate of y i if K is CM (andȳ i is understood to be y i if K is totally real). If α is furthermore totally positive, i.e., σ i (α) > 0, for σ 1 (the identity), σ 2 , . . . , σ n all elements of the Galois group of K over Q, then b is positive definite: x nonzero. If we take α in the codifferent D −1 K = {x ∈ K : Tr (xy) ∈ Z ∀y ∈ O K } of K, then Tr (αx iȳi ) ∈ Z.
X. Hou is supported by a Nanyang President Graduate Scholarship. The research of F. Oggier for this work is supported by Nanyang Technological University under Research Grant M58110049. 1 The pair (ρ −1 (C), b α ) thus forms a lattice of rank (or dimension) nN , which is integral when α ∈ D −1 K but also in other cases, depending on the choice of C, as we will see several times next.
This method of constructing lattices from linear codes is usually referred to as Construction A [9]. The principle is well known, albeit not using the exact above formulation. The original binary Construction A, due to Forney [15], uses K = Q, O K = Z, p = 2 and typically α = 1/2 (sometimes α is chosen to be 1). The binary Construction A can also be seen as a particular case of the cyclotomic field approach proposed by Ebeling [12], which in turn is a particular case of the above construction. For p a prime, take for K the cyclotomic field Q(ζ p ), where ζ p is a primitive pth root of unity, and note that O K = Z[ζ p ]. Take p = (1 − ζ p ) the prime ideal above p, and α = 1/p. Since O K /p ∼ = F p , this construction involves linear codes over F p . The case p = 2 is the binary Construction A. The generalization from cyclotomic fields to either CM fields or totally real number fields was suggested in [17] for the case where p is totally ramified. The motivation to revisit Construction A using number fields came from coding theory for wireless communication, for which lattices built over totally real numbers fields and CM fields play an important role [27]. In particular, Construction A over number fields enables lattice coset encoding for transmission over wireless channels, and wireless wiretap channels [17]. It is also useful in the context of physical network coding [29].
The main interest in constructing lattices from linear codes is to take advantage of the code properties to obtain lattices with nice properties, modularity and large shortest vector (or minimal norm) being two of them, both mathematically but also for coding applications.
Given an arbitrary lattice (L, b) where L is a Z−module and b is a symmetric bilinear form which is positive definite, then the dual lattice of (L, b) is the pair (L * , b), where L * = {x ∈ L ⊗ Z R : b(x, y) ∈ Z ∀y ∈ L}, • unimodular if (L, b) ∼ = (L * , b), i.e., there exists a Z−module homomorphism τ : L → L * such that b(τ (x), τ (y)) = b(x, y) for all x, y ∈ L, and • d−modular (or modular of level d) if it is integral and (L, b) ∼ = (L * , db) for some positive integer d.
Given a linear code C ⊂ F N q of dimension k, q a prime power, its dual code C ⊥ is defined by x i y i = 0 ∀y ∈ C} and C is called It is well known for the binary Construction A that C ⊆ F N 2 is self-dual if and only if (ρ −1 (C), b 1 2 ) is unimodular [12,9]. More generally, for K = Q(ζ p ), if C ⊆ F N p is self-dual, then (ρ −1 (C), b 1 p ) is unimodular [12]. We will prove a converse of this statement for totally real number fields and CM fields with a totally ramified prime in Section 2. Self-dual codes thus provide a systematic way to obtain modular lattices. This was used for example in [7], where K = Q( √ −2), p = (3) and self-dual codes over the ring O K /p were used to construct 2−modular lattices. Similarly, in [8], it was shown that by taking K = Q(ζ 3 ), where ζ 3 is the 3rd primitive root of unity, p = (4), and self-dual codes over the ring O K /p, 3−modular lattices can be constructed. In [1], the quadratic fields Q( √ −7) with p = (2), Q(i) with p = (2) and Q(ζ 3 ) with p = (2) or p = (3), as well as totally definite quaternion algebras ramified at either 2 or 3 with p = (2), were used to construct modular lattices from self-dual codes. An even more generalized version of Construction A is introduced in [35], where O K is replaced by any lattice L ⊂ R n and p by pL for a prime p. It is then applied to construct unimodular lattices from self-dual linear codes.
Apart from modularity, large minimal norm is another classical property which has been well studied. This is normally achieved via Construcion A by exploiting the dualities between the linear codes and the resulting lattices. For example, in [1], the association between MacWilliams identities for linear codes and theta series for lattices are established for the cases listed above to construct extremal lattices, lattices with the largest possible minimal norm. Other duality relations also include the relation between the minimum weight of linear codes and the minimal norm of the corresponding lattices [7], or the connection between the weight enumerator of linear codes and the theta series of lattices [8], shown in both cases for the cases listed above. One classical motivation for finding lattices with the biggest minimum is to find the densest sphere packings, which can be applied to coding over Gaussian channels [35].
In Section 2, generator and Gram matrices are computed for the generic case of Construction A over Galois number fields, either totally real or CM. Knowledge of these matrices is important for applications, such as lattice encoding, or if one needs to compute the theta series of the lattice, as we will do in Section 4. It also gives one way to verify modularity, as will be shown both in Section 3 and 5. From the generic construction, examples of lattices are obtained by considering specific number fields. We investigate the two most natural ones, namely totally real quadratic fields in Section 3, and totally imaginary quadratic fields in Section 5. Our techniques could be applied to other number fields, such as cyclotomic fields, or cyclic fields, but these directions are left open. Section 4 provides examples of lattices and of their applications: we construct modular lattices and compute their theta series (and their kissing number in particular), but also their minimal norm. The theta series allows to compute the secrecy gain of the lattice [28], a lattice invariant studied in the context of wiretap coding. Interesting examples are founda new extremal lattice or new constructions of known extremal lattices, modular lattices with large minimal norm -and numerical evidence gives new insight on the behaviour of the secrecy gain.

GENERATOR AND GRAM MATRICES FOR CONSTRUCTION A
As above, we consider the nN -dimensional lattice (ρ −1 (C), b α ). Let ∆ be the absolute value of the discriminant of K. We will adopt the row convention, meaning that a lattice generator matrix contains a basis as row vectors. The Gram matrix contains as usual the inner product between the basis vectors. The volume of a lattice is the absolute value of the determinant of a generator matrix, while the discriminant of a lattice is the determinant of its Gram matrix. .
Let {v 1 , . . . , v n } be a Z−basis for O K and let {ω 1 , . . . , ω n } be a Z−basis for p. Suppose C admits a generator matrix in the standard (systematic) form and let A be a matrix such that (I k (A mod p)) is a generator matrix of C.
Proof. Note that det (M ) = ∆ 1 2 is the volume of (O K , b 1 ) [5] and similarly, det (M p ) = ∆ 1 2 p f is the volume of (p, b 1 ). The volume of the lattice generated by M C is which agrees with the volume Then it suffices to prove that For j = 1, 2, . . . , N , let u j = (u j1 , . . . , u jn ) ∈ Z n . Then x ∈ Z nN can be written as .
Thus where Tr = Tr K/Q is taken componentwise and M p,1 denotes the first column of the matrix M p .
Proof. LetD α = D α D T α be the diagonal matrix with diagonal entries given by σ 1 (α), . . . , σ n (α). For M C in (4), a direct computation gives Similarly, let M p,i denote the ith column of M p , then using σ i (M p,1 ) = M p,i (1 ≤ i ≤ n), we have Moreover, When K is a CM number field, n is even and all embeddings of K into C are complex embeddings. Assume σ i+1 is the conjugate of σ i for i = 1, 3, 5, . . . , n − 1.

Lemma 2.5.
Let K be a CM number field of degree n. Then For i, j = 1, 2, . . . , n, i = j, The determinant of M is then given by the volume of (O K , b 1 ).
Then similarly M p is a generator matrix for (p, b 1 ) and has determinant ∆ 1 2 p f . As α is totally positive, all σ i (α) ∈ R. Let D α be a diagonal matrix whose diagonal entries are σ i (α), i = 1, . . . , n. Proposition 2.6. Let K be a CM field with degree n and Galois group {σ 1 , σ 2 , . . . , σ n }, where σ i+1 is the conjugate of σ i (i = 1, 3, . . . , n − 1). A generator matrix for (ρ −1 (C), b α ) is given by where M and M p are defined in (6) and (7) respectively. A is a matrix such that (I k (A mod p)) is a generator matrix of C and where we denote the columns of the matrices M, A by M i , i = 1, . . . , n, A j , j = 1, 2, . . . , N − k, Re and Im are understood componentwise.
Proof. The volume of the lattice generated by M C is Then it suffices to prove For j = 1, 2, . . . , N , let u j = (u j1 , . . . , u jn ) ∈ Z n . Then x ∈ Z nN can be written as Then 2. When p is totally ramified, the entries of A mod p are in F p and hence A ⊗ M = A ⊗ M .
Proof. LetD α = D α D T α be the diagonal matrix with diagonal entries given by (8), a direct computation gives By Remark 2.7, Furthermore, Next, it can be computed that which also gives . So the Gram Matrix is given by (9).
In Sections 3 and 5, we will consider particular cases when α = 1/p or 1/2p for K a real quadratic field with p inert and K an imaginary quadratic field with p totally ramified. As we are interested in constructions of modular lattices, which are integral lattices, the following proposition justifies why we will focus on selforthogonal codes in the future.
is not an integral lattice for any α ∈ p −1 ∩ Q when 1. K is totally real, or 2. K is a CM field and p is totally ramified.
By the definition of the codifferent For K totally real, this is the same as c i1 · c i2 ∈ p. For K CM, as p is totally ramified, by the proof from [17], β ≡β mod p for all β ∈ O K . It goes as follows: As Since p is the only prime above p,p = p and we haveβ ′′ ∈ p. Thus Then we can conclude c i1 · c i2 ∈ p. For both cases, we get a contradiction with the choice of c i1 and c i2 .

MODULAR LATTICES FROM TOTALLY REAL QUADRATIC FIELDS
Let d be a positive square-free integer. Let K = Q( √ d) be a totally real quadratic field with Galois group {σ 1 , σ 2 } and discriminant ∆ given by [22]: Assume p ∈ Z is a prime which is inert in K, and consider the lattice Let α = 1/p when d ≡ 1 mod 4 and let α = 1/2p when d ≡ 2, 3 mod 4. We will give two proofs that if C is self-dual (i.e., C = C ⊥ ), then the lattice (ρ −1 (C), b α ) is a d-modular lattice. Note that the results in [16] are corollaries from results in this section by taking d = 5.
By the discussion from Section 2, a generator matrix for (ρ −1 (C), b α ) is (see (4)) Also, the Gram matrix for (ρ −1 (C), b α ) is given by (see (5)) Note that since p is inert, M p = pM . Proof. An equivalent definition of integral lattice is that its Gram matrix has integral coefficients, which is the case: M M T has integral coefficients, both A and I + AA As C is self-orthogonal and (I k A mod (p)) is a generator matrix for C, I k + AA T ≡ 0 mod (p). Lemma 3.2) and Finally, for the case d ≡ 2, 3 mod 4, any entry in α −1 G C is an element of O K .
We can tell the duality properties of a linear code from its generator matrix [20]: Let C be a linear code over F q , let B be a generator matrix for C.
Hence if C is self-dual and (I k (A mod pO K )) is a generator matrix of C, then ((−A T mod pO K ) I k ) is also a generator matrix of C and N − k = k.
We propose next two approaches to discuss the modularity of lattices obtained via the above method.
3.1. Approach I. We will use the knowledge of a generator matrix of the lattice. We get another generator matrix for (ρ −1 (C), b α ): with M as in (11), A such that (I k (A mod pO K )) is a generator matrix of C. . Let x j = u j1 + u j2 v for 1 ≤ j ≤ N . Using the formula for Schur complement, we can check that this matrix has the right determinant. We are left to show that lattice points are indeed mapped to codewords in C by ρ, i.e.
{ρ(ψ(xM C )) : x ∈ Z 2N } ⊆ C, By a similar argument as in Proposition 2.3, we have where x ′ 1 , . . . , x ′ k are in the ideal (p). Since x ′ i reduces to zero mod (p), we have To continue, we need the following lemma, which can be proved by direct computation (see Remark 3.3): Proof. Case 1: d ≡ 1 mod 4. By Remark 3.3, a generator matrix for the dual of ρ −1 (C) with respect to the bilinear form (x, y) → 1 where M C is given in (10). This can be computed using Schur complement: By a change of basis, we get another generator matrix for the dual as By Lemma 3.5, we get the following generator matrix (note that I ⊗ (U M * ) = (I ⊗ U )(I ⊗ M * )) can be seen to be another generator matrix, it suffices now to prove By a change of basis and Lemma 3.5, we get another generator matrix for the dual as can be seen to be another generator matrix, it suffices now to prove which can be checked by direct computations.

Approach II.
In this subsection, let C ⊆ F N p 2 be a linear code not necessarily having a generator matrix in the standard form. We consider the lattice (ρ −1 (C), b α ), where α = 1/p if d ≡ 1 mod 4 and α = 1/2p if d ≡ 2, 3 mod 4. Thus b α is the following bilinear form (see (2) Then the dual of ρ −1 (C) is given by We have the following relation between the dual of ρ −1 (C) and the lattice constructed from the dual of C: Proof. Take any x ∈ ρ −1 (C ⊥ ) and y ∈ ρ −1 (C), we have where the last equality follows from the definition of C ⊥ (see (3)). Then In the case d ≡ 2, 3 mod 4, any element in O K has even trace. In conclusion, we have b α (x, y) ∈ Z and hence ρ −1 (C ⊥ ) ⊆ ρ −1 (C) * by definition. Corollary 3.8. Let C be a self-orthogonal linear code, then ρ −1 (C) is integral.
Proof. We first prove 1 By the same argument as in the proof of Lemma 3.7, Similarly we have On the other hand, and [12] vol By the above, h is a Z−linear bijection. Take any x, y ∈ ρ −1 (C), The proof is completed.

INTERESTING LATTICES FROM TOTALLY REAL QUADRATIC FIELDS
The previous section gave generic methods to construct modular lattices, out of which we now would like to find lattices with good properties in terms of minimal norm or secrecy gain. The following definitions hold for integral lattices. Let thus (L, b) be an integral lattice with generator matrix M L . We further assume that the lattice is embedded in R n , and that b is the natural inner product. We will then denote the lattice by L for short. Definition 4.1. [9,12] The minimum, or minimal norm, of L in R n , is (14) µ L := min{ which is the length of the shortest nonzero vector.
The theta series of the lattice L is the function where the second equality holds because we took L to be integral and A m = |{x : x ∈ L, x 2 = m}|.
The coefficient of q in the second term of Θ L is called the kissing number of L, and the power of q in the second term gives its minimum. The theta series helps in determining bounds for the minimum [34] as well as classifying lattices [2]. It has also been used recently to define the notion of secrecy gain.

Definition 4.3.
Let L be an n−dimensional d−modular lattice. The weak secrecy gain of L, denoted by χ W L , is given by [28]: noting that the volume of a d−modular lattice is vol(L) = d The secrecy gain characterizes the amount of confusion that a wiretap lattice code brings [28]. The weak secrecy gain χ W L is conjectured to be the secrecy gain itself. This conjecture is still open, but for large classes of unimodular lattices, it is known to be true [14,30]. This motivates the study of the relationship between d and χ W L for d−modular lattices [16,18,19]. Up to now, no clear conclusion has been drawn. We will construct some examples of d−modular lattices in Section 4 to gain more information regarding this problem.
obtained from a self-dual code C ⊆ F N p 2 , where p a prime inert in K = Q( √ d), for d a square free positive integer. A generator matrix M C is given by (10).
We thus consider next the following properties of those d−modular lattices: • whether the lattice constructed is even or odd; recall that an integral lattice for all x ∈ L and odd otherwise.
• the minimum of the lattice; • the theta series and secrecy gain of the lattice. The computations in this section are mostly done by using SAGE [40] and Magma [39].

Even/Odd Lattices and Minimum.
We will give general results for the first two properties in this subsection. By observing the Gram matrices, we have the following results Proposition 4.4. The lattice (ρ −1 (C), b α ) is even iff d ≡ 5 mod 8, p = 2 and the diagonal entries of I + AA T are elements from (4).
The left upper corner of the Gram Matrix is Let {c 1 , . . . , c t } be the rows of (I A mod (2)), i.e. they form a basis for C. Let As d ≡ 1 mod 4, 1 + exactly the diagonal entries of I + AA T and the proof is completed.
Next we look at the minimum of some of those lattices. Consider d ≡ 2, 3 mod 4. Let p be a prime such that d where ω satisfies the polynomial x 2 − d = 0 mod p. Let C ⊆ F N p 2 be a self-dual linear code. Then each codeword c ∈ C can be written as s + tω for some s, t ∈ F N p . For each coordinate of c, we have Proof. Take any c ∈ C, then any x ∈ ρ −1 (c) is of the form x =ĉ + py for some Then . . , −1, 0, 1, . . . , p−1 2 }, the minimum value for (s i + pa i ) 2 is s 2 i . Similarly, the minimum value for (t i + pb i ) 2 is t 2 i . For c = 0, minimum value for Tr x 2 i is 2s 2 i + 2t 2 i d and we have Tr ĉ 2 i = b α (ĉ,ĉ).
which has minimum value p (x = 0). We have

Construction of Existing Lattices.
We present a construction from codes of some well known lattices.
We get the unique 3−modular odd lattice of dimension 12 and minimum 3 (O (3) in Table 1 of [34]).  (5)). A mod (5)  where ω ∈ F 25 satisfies ω 2 = 2. Taking √ 2 to be the preimage of ω, we have the unique odd 2-modular lattice of dimension 16 with minimum 3 (Odd Barnes-Wall lattice O (2) in Table 1 of [34]). 4.4. Some Lattices with Large Minimum. We next present two lattices which, though not extremal, achieve a large minimum. "Large" means close to the bound that extremal lattices achieve. We also compute their theta series, so we can later on compute their weak secrecy gain. Evidence from unimodular lattices [18] suggests that a large minimum induces a large weak secrecy gain.

Modular Lattices and their Weak Secrecy Gain.
We are now interested in the relationship between the level d and the weak secrecy gain χ W L (see Definition 4.3). We list the weak secrecy gain of some lattices we have constructed for dimensions 8 (Table 1), 12 (Table 2) and 16 (Table 3)   determined by the kissing number, and the lattice with the best secrecy gain is the one with the smallest kissing number; 4. Fixing dimension, minimum µ L , kissing number, a smaller level d gives a bigger χ W L . For example, in Table 4 we list some 16−dimensional lattices obtaining minimum 3 and kissing number 16, with χ W L in descending order. 5. Lattices with high level d are more likely to have a large minimum, this is more obvious when the dimension increases (see [34], where the upper bounds for bigger d are also bigger for higher dimensions), and results in bigger χ W L . For example, see rows 13,14,48,76-78.
Some of those observations can be reasoned by calculating the value of χ W L : by (16) and (15), take τ = i √ d , the numerator of χ W L is given by which is a constant. The denominator of χ W L is given by where A m is the number of vectors in L with norm m. Hence the denominator can be viewed as a polynomial in e − π √ d , which is less than 1. Then the following will be preferable for achieving a large weak secrecy gain.
1. Large minimum, which determines the lowest power of e − π √ d in the polynomial.
2. Small value of A m , i.e., small kissing number. 3. Small value of d, so that e − π √ d is small. However, from the three tables, the minimum seems to be more dominant than other factors, and as we mentioned in Remark 4.12 point 5, large d can still be preferable for high dimensions since it may result in large minima.

IMAGINARY QUADRATIC FIELD
Let d be a positive square-free integer. Let K = Q( √ −d) be an imaginary quadratic field with Galois group {σ 1 , σ 2 }, where σ 1 is the identity map and σ 2 : The absolute value of the discriminant of K, denoted by ∆, is given by [22]: Assume p ∈ Z is a prime which is totally ramified in K and let p be the unique O K −ideal above p. Then O K /p ∼ = F p . Consider the lattice (ρ −1 (C), b α ) where C is a linear (N, k) code over F p . Let α = 1/p when d ≡ 3 mod 4 and let α = 1/2p when d ≡ 1, 2 mod 4. Similarly to Section 3, we will give two proofs that if C is self-orthogonal (i.e., C ⊆ C ⊥ ), then the lattice (ρ −1 (C), b α ) is integral and furthermore we will prove that for C self-dual and for d a prime, we get unimodular lattices. 5.1. Approach I. By the discussion from Section 2, a generator matrix for (ρ −1 (C), b α ) is (see (8) Proof. To prove (ρ −1 (C), b α ) is integral, it suffices to prove all entries of its Gram matrix G C in (21) has integral entries.
Take any x ∈ p, as p is the only prime ideal above p, we have σ 2 (x) ∈ p and hence Tr (x) ∈ p ∩ Z = pZ. As vω † ,ωv T , ωω T all have entries in p, αA ⊗ Tr vω † , αA T ⊗ Tr ωv T and αI N −k ⊗ Tr ωω T all have entries in Z. Furthermore, by Lemma 3.2, as C is self-orthogonal, I k + AA T mod p ≡ 0 mod p and hence I k + AA T has entries in pZ. We have α(I + AA T ) ⊗ Tr vv † has integral entries.
When d ≡ 1, 2 mod 4, Tr (x) is even for all x ∈ O K . The proof is completed.

Proposition 5.2.
If C is self-dual and d = p is a prime, the lattice (ρ −1 (C), b α ) is unimodular.
As p is totally ramified, by the same argument as in Proposition 2.9, β ≡β mod p for all β ∈ O K . Then we can conclude x ·ȳ ≡ x · y mod p =⇒ x ·ȳ ∈ p.