Lattices from Codes

Abstract

A natural way of constructing lattices is from error-correcting codes, using the so-called Construction A . It associates a lattice in \(\mathbb {R}^{n}\) to a linear code in \(\mathbb {Z}_{q}^{n}\) (the set \(\mathbb {Z}_{q}\) of integers modulo q will be introduced next). Such lattices are also called q-ary lattices (or modulo-q lattices) and have several applications in information theory and cryptography.

3.1 Construction A

A natural way of constructing lattices is from error-correcting codes, using the so-called Construction A . It associates a lattice in \(\mathbb {R}^{n}\) to a linear code in \(\mathbb {Z}_{q}^{n}\) (the set \(\mathbb {Z}_{q}\) of integers modulo q will be introduced next). Such lattices are also called q-ary lattices (or modulo-q lattices) and have several applications in information theory and cryptography. Lattice-based cryptographic schemes are usually built on q-ary lattices and are linked to the computational difficulty of the shortest and closest vector problems (SVP and CVP, defined respectively in Problems 2.1 and 2.2) in this class [73]. Regarding applications to information theory, Construction A is employed, for instance, in the development of good (capacity-achieving) codes for the Gaussian channel, for some channels with side information [111], as well as for wiretap coding.

The theory of error-correcting codes has been extensively developed (see, e.g., comprehensive books such as [53] and [66]). We will focus here on q-ary codes, that is, codes which have \(\mathbb {Z}_{q}\) as their “alphabet,” and provide a self-contained elementary introduction.

For q ≥ 2 a positive integer, consider the set \(\mathbb {Z}_{q}=\{0,1,\ldots ,q-1\}\) of integers modulo q, where a (mod q) means for a given \(a\in \mathbb {Z}\), the set of integers a + bq, \(b\in \mathbb {Z}\), and by convention a is typically chosen to be between 0 and q − 1. In this set, addition and multiplication modulo q are well defined. For example, in \(\mathbb {Z}_{5},\) 3 + 4 = 2, 2 ⋅ 3 = 1, and  − 3 = 2. There is a significant structural difference between \(\mathbb {Z}_{q}\), where q is a composite number, and \(\mathbb {Z}_{p}\), where p is a prime number. When q is a composite number, say q = m ₁ m ₂, m ₁, m ₂ ≠ 0, then \(\mathbb {Z}_{q}\) contains non-zero elements which are not invertible with respect to multiplication. For instance, m ₁, m ₂ are such elements. Indeed, if m ₁ were invertible, then there would exist an element \(a\in \mathbb {Z}_{q}\) such that m ₁ a = 1, but then m ₂ m ₁ a = m ₂ = qa = 0, a contradiction.When p is a prime, such a behavior cannot happen and \(\mathbb {Z}_{p}\) has a field structure, which \(\mathbb {Z}_{q}\), q = m ₂ m ₁ does not have, and for this reason, we will use also the notation \(\mathbb {F}_{p}\) to denote \(\mathbb {Z}_{p}\) and emphasize this difference.

In the Cartesian product \(\mathbb {Z}_{q}^{n}\), we consider the component-wise sum and multiplication modulo q. If q = p is prime \(\mathbb {Z}_{p}^{n}\)= \(\mathbb {F}_{p}^{n}\) is a vector space over the field \(\mathbb {Z}_{p}=\mathbb {F}_{p}\), which does not hold if q is composite number. A linear code C in \(\mathbb {Z}_{q}^{n}\) is by definition a subset which is an additive subgroup of \(\mathbb {Z}_{q}^{n}\). Vectors in C are called codewords . Note that 0 ∈ C, since it is the identity element of the group, that a, b ∈ C implies a + b ∈ C (this is the closure property for a group) and that c a ∈ C for a ∈ C and c any element of \(\mathbb {Z}_{q}\): this is also a consequence of the closure property: \(\underbrace {\mathbf {a}+\mathbf {a}+\ldots +\mathbf {a}}_{c~times}=c\mathbf {a}\in C\). As an example, \(C=\{a(1,2),a\in \mathbb {Z}_{5}\}=\left \{ (0,0),(1,2),(2,4),(3,1),(4,3)\right \} \) is a linear code in \(\mathbb {Z}_{5}^{2}\). If q = p is prime, a linear code is a subspace of dimension k of the vector space \(\mathbb {Z}_{p}^{n}\)=\(\mathbb {F}_{p}^{n}\) (called an (n, k) code). In this last example, the code C is the subspace of \(\mathbb {Z}_5^2\) of dimension 1 generated by the vector (1, 2), and we use the notation \(C=\left \langle (1,2)\right \rangle \).

Next we establish a connection between linear codes in \(\mathbb {Z}_{q}^{n}\) and lattices. Let

$$\displaystyle \begin{aligned} \rho:\mathbb{Z}\rightarrow\mathbb{Z}_{q}=\{0,1,\ldots,q-1\},~x\mapsto x~(\bmod q), \end{aligned}$$

be the map of reduction modulo q. Given a (mod q), its pre-image ρ ⁻¹(a) is the set of integers that are mapped to a by ρ (see Fig. 3.1a), that is \(\rho ^{-1}(a)=\{a+bq,~b\in \mathbb {Z}\}\).

Fig. 3.1

Preimages ρ ⁻¹(S) for different sets S. (a) The pre-image \(\rho ^{-1}(a)\subset \mathbb {Z}\) of a (mod 5). (b) The pre-image \(\rho ^{-1}((a_{1},a_{2}))\subset \mathbb {Z}^{2}\) of (a ₁ (mod 3), a ₂ (mod 3)). (c) The pre-image \(\rho ^{-1}(S)\subset \mathbb {Z}^{2}\) of S = {(a ₁ (mod 3), a ₂ (mod 3)), (a ₁ + 1 (mod 3), a ₂ + 1 (mod 3))}

Now consider the Cartesian product of integers modulo q, namely, \(\mathbb {Z}_{q}\times \mathbb {Z}_{q}\). An element in this set is a two-dimensional vector (a ₁, a ₂) of integers modulo q. Let

$$\displaystyle \begin{aligned} \rho:\mathbb{Z}\times\mathbb{Z}\rightarrow\mathbb{Z}_{q}\times\mathbb{Z}_{q},~(x_{1},x_{2})\mapsto(x_{1}~(\bmod q),x_{2}~(\bmod q)), \end{aligned}$$

be the map of reduction modulo m component-wise. The pre-image ρ ⁻¹((a ₁, a ₂)) is now the set of 2-dimensional vectors with integer entries that is mapped to a ₁, a ₂ by ρ (see Fig. 3.1b).

One could alternatively consider a set \(S\subset \mathbb {Z}_{q}\times \mathbb {Z}_{q}\) and ρ ⁻¹(S), which is again the set of 2-dimensional vectors which are mapped to elements in S by ρ (see Fig. 3.1c for an example). Geometrically this inverse image spreads the set S from the inside of the [0, q) × [0, q) box into the plane.

The map ρ can be defined component-wise over an arbitrary number n of copies of \(\mathbb {Z}_{q}\):

$$\displaystyle \begin{aligned} \rho:\mathbb{Z}^{n}\rightarrow\mathbb{Z}_{q}^{n},~\mathbf{x}\mapsto\rho(\mathbf{x}) \end{aligned}$$

by taking the reduction modulo q component-wise, over the n components of x. Now one may take any arbitrary subset S of \(\mathbb {Z}_{q}^{n}\) and compute ρ ⁻¹(S), but it is more interesting to start with S a subset that has a structure and to understand how this structure is carried over to ρ ⁻¹(S). We are next interested in ρ ⁻¹(S) where S \(\subset \mathbb {Z}_{q}^{n}\) is a linear code.

We start with a result which relies on the additive group structure of C \(\subset \mathbb {Z}_{q}^{n}\) and thus holds for any q.

Proposition 3.1

Given a subset \(S\subset \mathbb {Z}_{q}^{n}\) , then ρ ⁻¹(S) is a lattice in \(\mathbb {R}^{n}\) if and only if S is a linear code in \(\mathbb {Z}_{q}^{n}\).

Proof

Suppose \(S\subset \mathbb {Z}_{q}^{n}\) is a linear code. We need to check that ρ ⁻¹(C) is a discrete additive subgroup of \(\mathbb {R}^{n}\) (Theorem 2.1). Since \(\rho ^{-1}(C)\subset \mathbb {Z}^{n}\), it is a discrete subset of \(\mathbb {R}^{n}\). We next show that it is an additive subgroup.

Take x, y two arbitrary vectors in ρ ⁻¹(C). To ensure closure under addition, their sum must belong to ρ ⁻¹(C). But x + y ∈ ρ ⁻¹(C) is equivalent to say that ρ(x + y) is a codeword in C. Now (in what follows q could be either prime or composite)

$$\displaystyle \begin{aligned} \begin{array}{rcl} \rho(\mathbf{x}+\mathbf{y}) & = & (x_{1}+y_{1}\pmod q,\ldots,x_{n}+y_{n}\pmod q)\\ & = & (x_{1}\pmod q,\ldots,x_{n}\pmod q)+(y_{1}\pmod q,\ldots,y_{n}\pmod q)\\ & = & \rho(\mathbf{x})+\rho(\mathbf{y}). \end{array} \end{aligned} $$

Since x and y were chosen in ρ ⁻¹(C), this means that ρ(x) and ρ(y) are codewords, and since a code C is closed under addition, ρ(x) + ρ(y) ∈ C, thus ρ(x + y) ∈ C as needed.

Since \(\mathbf {0}\in C \in \mathbb {Z}_q^n\), \(\mathbf {0}\in \rho ^{-1}(C)\in \mathbb {Z}^n\).

We are left to check that  −x ∈ ρ ⁻¹(C) whenever x ∈ ρ ⁻¹(C) or equivalently ρ(−x) ∈ C whenever ρ(x) ∈ C. But

$$\displaystyle \begin{aligned} \rho(-\mathbf{x})=(-x_{1}\pmod q,\ldots,-x_{n}\pmod q)=-\rho(\mathbf{x}), \end{aligned}$$

and it belongs to C since c a ∈ C for any scalar c (here c = −1 (mod q)).

The converse is left as an exercise (see Exercise 3.1), namely, to show that for \(S\subset \mathbb {Z}_{q}^{n}\), if ρ ⁻¹(S) is a lattice in \(\mathbb {R}^{n}\), then S is a linear code.

This proposition is illustrated in Fig. 3.2b. Take C = {(0, 0), (1, 1)} over \(\mathbb {F}_{2}=\mathbb {Z}_{2}\). It is a linear code, because (0, 0) + (0, 0), (0, 0) + (1, 1), and (1, 1) + (1, 1) all belong to C, using vector addition modulo 2. Also (0, 0) ∈ C and since the only two scalars are 0, 1, c(0, 0) and c(1, 1) are both in C, for c ∈{0, 1}. As a linear code, it has dimension 1 and basis given by (1, 1). We can appreciate the nice lattice structure of ρ ⁻¹(C) in the illustration. On the other hand, take S = {(0, 0), (1, 1)} but this time modulo 3. Then (1, 1) + (1, 1) does not belong to S, so S is not a linear code, and ρ ⁻¹(S) is not a lattice either, as is clear from Fig. 3.2a.

Fig. 3.2

Preimages ρ ⁻¹(S) for different sets S. (a) The pre-image \(\rho ^{-1}(S)\subset \mathbb {Z}^{2}\) of S = {(a ₁ (mod 3), a ₂ (mod 3)), (a ₁ + 1 (mod 3), a ₂ + 1 (mod 3))}. (b) The pre-image \(\rho ^{-1}(C)\subset \mathbb {Z}^{2}\) of the linear binary code C = {(0, 0), (1, 1)}

Definition 3.1

Let C be a linear code in \(\mathbb {Z}_{q}^{n}\), the integers modulo a positive integer q ≥ 2, where q is either prime or composite. Let \(\rho :\mathbb {Z}^{n}\rightarrow \mathbb {Z}_{q}^{n}\) be the component-wise reduction modulo q. Then the lattice Λ _C  = ρ ⁻¹(C) is said to have been obtained via Construction A .

The lattice Λ _C is also known as a q-ary lattice or modulo q lattice. Note that, since 0 ∈ C, q e _i  ∈ Λ _C , for all canonical vectors e _i , hence we have that \(q\mathbb {Z}^{n}\) is a sublattice of Λ _C and the lattice inclusions \(q\mathbb {Z}^{n}\subset \varLambda _{C}\subset \mathbb {Z}_{q}^{n}\). On the other hand, any lattice Λ in \(\mathbb {R}{ }^{n}\) satisfying \(q\mathbb {Z}^{n}\subset \Lambda \subset \mathbb {Z}_{q}^{n}\) is obtained from the code C = ρ(Λ) via Construction A, and so this is an equivalent definition of q-ary lattice as it is used in lattice-based cryptography [73]. Other straightforward properties of Construction A lattices are described next:

Proposition 3.2

1. a)

   If Λ _C is the q-ary lattice associated to the code \(C\subseteq \mathbb {Z}_{q}^{n}\) , then: \(\left |{\displaystyle \frac {\varLambda _{C}}{q\mathbb {Z}^{n}}}\right |={\displaystyle \frac {q^{n}}{V(\varLambda _{C})}=|C|,}\) where |C| is the number of codewords of C.

2. b)

   Any full rank integer lattice \(\varLambda \subseteq \mathbb {Z}^{n}\) is q-ary for q = V (Λ).

Proof

The first property is direct, due to the isomorphism between \(\varLambda _{C}/q\mathbb {Z}^{n}\) and C. The second one comes from the fact that since \(\varLambda \subset \mathbb {Z}^{n}\), it follows that its volume \(V(\varLambda )\in \mathbb {Z}\). Taking a generator matrix B for Λ and q = V (Λ) = |det(B)|, the linear system B x = q z has an integer solution for any \(\mathbf {z}\in \mathbb {Z}^{n}\), and therefore \(q\mathbb {Z}^{n}\subset \varLambda \) (Λ is a q-ary lattice).

If q is prime, a code C is a subspace of dimension k ≤ n of \(\mathbb {Z}_{q}^{n}=\mathbb {F}_{q}^{n}\) and hence has q ^k codewords. From the last proposition, we have that V (Λ _C ) = q ^n−k.

A generator matrix (Definition 2.2) is a convenient explicit way to describe a lattice, especially for computations and applications. A generator matrix of the lattice ρ ⁻¹(C) can be obtained from that of C. Let us thus see how to obtain such a generator matrix, for both \(\mathbb {F}_{p}\) and \(\mathbb {Z}_{q}\).

If p is prime, the linear (n, k) code C over \(\mathbb {Z}_{p}=\mathbb {F}_{p}\) is a subspace and has a basis, formed by k vectors. These k vectors can be stacked in a matrix, either as row or column vectors, depending on the convention, to form a generator matrix . Using the column convention adopted here, we get an n × k matrix M with elements in \(\mathbb {Z}_{p}\) such that any codeword of C can be written as M y, where y is a column vector of \(\mathbb {Z}_{p}^{k}\). Note also that in this case, up to coordinate permutation, any code has a generator matrix in the reduced systematic form,

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{k}\\ A \end{bmatrix} \end{aligned}$$

where I _k is the k-dimensional identity matrix, and A is an (n − k) × n matrix.

For C a linear code in \(\mathbb {Z}_{q}^{n}\), where q is a composite number, we also have a generator matrix, which contains vectors that generate C as its columns; however, these vectors do not always form a basis, and we may not have a generator matrix in systematic form. We will illustrate and explain why next.

Example 3.1

Consider the linear codes

$$\displaystyle \begin{aligned} C_{1}=\{(2a,2b,a+b),~a,b\in\mathbb{F}_{3}\},~C_{2}=\{(2a,2b,a+b),~a,b\in\mathbb{Z}_{4}\}. \end{aligned}$$

The code over \(\mathbb {F}_{3}\) has dimension 2, length n = 3, and contains 9 codewords

$$\displaystyle \begin{aligned} (0,0,0),(0,2,1),(0,1,2),(2,0,1),(2,2,2),(2,1,0),(1,0,2),(1,0,2),(1,1,1). \end{aligned}$$

A generator matrix is

$$\displaystyle \begin{aligned} M=\begin{bmatrix}2 & 0\\ 0 & 2\\ 1 & 1 \end{bmatrix} \end{aligned}$$

since a codeword in the column form is this matrix multiplied by \(\left [\begin {array}{cc} a & b\end {array}\right ]^{T}\). Another generator matrix of C ₁ is the reduced echelon form of M, obtained by multiplying both columns by 2:

$$\displaystyle \begin{aligned} R=\begin{bmatrix}1 & 0\\ 0 & 1\\ 2 & 2 \end{bmatrix}. \end{aligned}$$

The code C ₂ over \(\mathbb {Z}_{4}\) has length n = 3 and contains 8 codewords:

$$\displaystyle \begin{aligned} (0,0,0),(2,0,1),(0,0,2),(2,0,3),(0,2,1),(2,2,2),(0,2,3),(2,2,0). \end{aligned}$$

The above matrix M is again a generator matrix for C ₂; only this time, it is not possible to multiply or combine its columns to obtain (1, 0) and (0, 1) as first two rows. The vectors (2, 0, 1) and (0, 2, 1) do not form a basis, because a basis needs to satisfy linear independence. Here

$$\displaystyle \begin{aligned} \lambda_{1}(2,0,1)+\lambda_{2}(0,2,1)=0 \end{aligned}$$

does not imply λ ₁ = λ ₂ = 0 since it could also be λ ₁ = λ ₂ = 2.

Now that we know what generator matrices are for linear codes, let us go back to generator matrices for the lattices obtained via Construction A.

Since C is a linear code, we saw above that each codeword a ∈ C can be written using a set of generators, say \(\mathbf {a}=\sum _{i=1}^{l}a_{i}\mathbf {v}_{i}\), v _i  = (v _i1, …, v _in ) for i = 1, …, l (and l = k for the case of a linear (n, k) code over \(\mathbb {F}_{p}\)). Now

$$\displaystyle \begin{aligned} \mathbf{a}=\sum_{i=1}^{l}a_{i}\mathbf{v}_{i}\in C\iff\rho^{-1}(\mathbf{a})=\sum_{i=1}^{l}a_{i}\mathbf{v}_{i}+\sum_{i=1}^{n}qh_i\mathbf{e}_{i}\in\mathbb{R}^{n} \end{aligned}$$

where 0 ≤ a _i , v _ij  ≤ m − 1 for all i, j, e _i , i = 1, …, n form the canonical basis of \(\mathbb {R}^{n}\) and \(h_{1},\ldots ,h_{n}\in \mathbb {Z}\). In words, ρ ⁻¹(a) is an integral linear combination of v ₁, …, v _l , q e ₁, …, q e _n . An expanded generator matrix B can thus be obtained as follows: stack all the column vectors in an n × (n + l) matrix. Now we would like to obtain a row echelon form for this matrix, except that because we are working with a lattice, only \(\mathbb {Z}\)-linear combinations are allowed, and we can only perform elementary operations on the columns which consist of additions and subtractions (divisions are not allowed, unlike for the echelon form). The notion of reduced echelon form is, over \(\mathbb {Z}\), formally replaced by that of Hermite normal norm (HNF) . We say that an integer matrix of full row rank is in (column) Hermite normal form if it is of the form [H 0] with H = (h _ij ) a square matrix and

1. 1.

   h _ij  = 0 for i < j, which means the matrix H will be lower triangular.

2. 2.

   0 ≤ h _ij  < h _ii for i > j, that is entries are nonnegative, and each row has a maximum entry on the diagonal.

Note that any matrix B with integer entries can be reduced to a column Hermite normal form, B = [H 0]U, where U is a square unimodular matrix. If B is full row rank as it is the case of the expanded generator matrix of Λ _C above, then H is also full rank. For algorithms that compute the HNF, see, e.g., [21, p. 67, 68; algorithm included]. Mathematical software packages such as Mathematica, Maple, MATLAB, Scilab, and Sage also have implemented algorithms. Usually those algorithms appear in the Hermite row form, so for the column form used here, it should be adapted via transposed matrices.

Proposition 3.3

Let v ₁, …, v _l be generators for the linear code C over \(\mathbb {Z}_{q}\) and e ₁, …, e _n be the canonical basis of \(\mathbb {R}^{n}\) . Then a generator matrix for the lattice ρ ⁻¹(C) is given by the n × n full rank matrix H obtained by computing the Hermite normal form [H 0] of [v ₁, …, v _l , q e ₁, …, q e _n ]. If the generator matrix of C can be put in systematic form

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{l}\\ A \end{bmatrix}, \end{aligned}$$

(which, up to coordinate permutation, is always the case for \(\mathbb {Z}_{p}=\mathbb {F}_{p}\) (and l = k) and may or may not be possible otherwise), then a generator matrix of Λ _C is

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{l} & \mathbf{0}_{l\times(n-l)}\\ A & q\mathbf{I}_{n-l} \end{bmatrix}. \end{aligned}$$

Proof

We already know from above that v ₁, …, v _l , q e ₁, …, q e _n generate the lattice, we just need to extract a basis by computing the Hermite normal form out of the n × (n + l) matrix

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{v_{1}},\ldots,\mathbf{v}_{l},q\mathbf{e}_{1},\ldots,q\mathbf{e}_{n}\end{bmatrix}, \end{aligned}$$

which looks like [H 0], and H clearly contains a basis. In the case C has a generator matrix in systematic form, then we need to compute a Hermite normal form out of

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{l} & q\mathbf{I}_{l} & \mathbf{0}_{l\times(n-l)}\\ A & \mathbf{0}_{(n-l)\times l} & q\mathbf{I}_{n-l} \end{bmatrix}. \end{aligned}$$

Multiplying the first l columns by  − q and adding them to the next l columns give

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{l} & \mathbf{0}_{l} & \mathbf{0}_{l\times(n-l)}\\ A & -qA & q\mathbf{I}_{n-l} \end{bmatrix}. \end{aligned}$$

Then multiplying the column containing the ith 1 of I _n−l in turn by a _ij , for j = 1, …, n − l and adding it to the corresponding column in  − qA will give the desired result.

Note that a generator matrix for Λ _C is obtained from B = [v ₁, …, v _l , q e ₁, …, q e _n ] when it is reduced to the form [H 0] even if H does not satisfy all the requirements of the Hermite normal form, but the latter has a kind of canonical format similar to the reduced echelon form.

Example 3.2

For the codes C ₁ and C ₂ in Example 3.1, generator matrices for the lattices \(\varLambda _{C_{1}}\) and \(\varLambda _{C_{2}}\) can be obtained by considering the Hermite normal form of the matrices

$$\displaystyle \begin{aligned} B_{1}=\left[\begin{array}{ccccc} 2 & 0 & 3 & 0 & 0\\ 0 & 2 & 0 & 3 & 0\\ 1 & 1 & 0 & 0 & 3 \end{array}\right]\text{ and {$B_{2}=$}}\left[\begin{array}{ccccc} 2 & 0 & 4 & 0 & 0\\ 0 & 2 & 0 & 4 & 0\\ 1 & 1 & 0 & 0 & 4 \end{array}\right], \end{aligned}$$

respectively, which are

$$\displaystyle \begin{aligned} H_{1}=\left[\begin{array}{ccc} 1 & 0 & 0\\ 0 & 1 & 0\\ 2 & 2 & 3 \end{array}\right]\text{ and {$H_{2}=$}}\left[\begin{array}{ccc} 2 & 0 & 0\\ 0 & 2 & 0\\ 1 & 1 & 2 \end{array}\right]. \end{aligned}$$

Note also that H ₁ is built from the generator matrix of the code C ₁ in systematic form as described in the last proposition. As another example, consider the code C ₃ in \(\mathbb {Z}_{6}^{3}\) generated by the codeword (1, 2, 3). Since it has a generator matrix in systematic form, \(\left [\begin {array}{c} 1\\ 2\\ 3 \end {array}\right ]\), a generator matrix of the lattice \(\varLambda _{C_{3}}\) in \({\mathbb {R}}^{3}\) is \(\left [\begin {array}{ccc} 1 & 0 & 0\\ 2 & 6 & 0\\ 3 & 0 & 6 \end {array}\right ]\).

Example 3.3

Proposition 3.3 always provides a basis and a generator matrix for the lattice Λ _C associated with a code C. In some cases, other generator matrices can be derived from the Hermite matrices to better describe the lattice. For example, consider the code C over \(\mathbb {Z}_{5}\) generated by (1, 2), namely,

$$\displaystyle \begin{aligned} C=\left\langle (1,2)\right\rangle =\left\{ (0,0),(1,2),(2,4),(3,1),(4,3)\right\}\subset\mathbb{Z}_{5}^{2}. \end{aligned}$$

According to the above proposition, a basis for Λ _C is \(\left [\begin {array}{cc} 1 & 0\\ 2 & 5 \end {array}\right ]\). One can verify using Theorem 2.2 that \(\left [\begin {array}{cc} 1 & -2\\ 2 & 1 \end {array}\right ]\) is also a generator matrix for this lattice, whose basis is Minkowski reduced (see Definition 2.15), geometrically revealing a square shape (see Fig. 3.3).

Fig. 3.3

The lattice constructed from the code \( \left \langle (1,2) \right \rangle \subset \mathbb {Z}_{5}^{2}\)

Example 3.4

Consider the linear code \(C=\{(a_{1},\ldots ,a_{n-1},\sum _{i=1}^{n-1}a_{i}),~a_{1},\ldots ,a_{n-1}\in \mathbb {F}_{2}\}\) over \(\mathbb {F}_{2}\). It has length n and dimension n − 1. A systematic generator is

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{n-1}\\ 1\ldots1 \end{bmatrix}. \end{aligned}$$

A generator matrix for Λ _C is thus

$$\displaystyle \begin{aligned} \begin{bmatrix}\mathbf{I}_{n-1} & \mathbf{0}_{(n-1)\times1}\\ 1\ldots1 & 2 \end{bmatrix}. \end{aligned}$$

This means that every vector x ∈ ρ ⁻¹(C) is of the form \(\mathbf {x}=(x_{1},\ldots ,x_{n-1},\sum _{i=1}^{n-1}x_{i}+2x_{n})\), \(x_{i}\in \mathbb {Z}\) for all i. This describes every vector which satisfies that the sum of its entries is even. Indeed, a constraint on the sum means that there are n − 1 degrees of freedom in the first n − 1 entries (they can be chosen to be anything), and to force the sum to be even no matter what is the choice of x ₁, …, x _n−1, the last component must contain \(\sum _{i=1}^{n-1}x_{i}\). But then our constraint is just that the sum is even, so the entry should be able to be anything as long as it is even; thus it is of the form \( \sum\nolimits_{i=1}^{n-1}x_{i} + 2x_{n} \) where x _n can take any value and 2x _n means any even value. This shows that we have just constructed the lattices

$$\displaystyle \begin{aligned} D_{n}=\{(x_{1},\ldots,x_{n}),~\sum_{i=1}^{n}x_{i}\mbox{ is even}\} \end{aligned}$$

presented in Example 2.4.

3.2 Relevant Distances in Codes and Lattices

Since we are studying lattices with interesting parameters, one may wonder how distances defined over codes translate into parameters for lattices via Construction A. Distances are used in linear codes to characterize their error correction capability. We will consider here the widely used Hamming distance and the ℓ _p distances , 1 ≤ p ≤∞, also called p-Lee distances. For p = 1, p = 2, and p = ∞, these are the well-known Lee , Euclidean , and the maximum or Chebyshev distances which are used in applications such as constrained and relay channels [38, 88, 101] (p = 1), physical layer networks [39] (p = 2), rank modulation, and flash memory [94] (p = ∞). General d _p distances 1 ≤ p ≤∞ are considered in [19, 32, 45, 57, 85] and appear while studying the complexity of computational lattice problems [2, 82].

We recall the mathematical definition of a distance.

Definition 3.2

A distance or metric in a set A is a map \(d:A\times A\rightarrow \mathbb {R}\) which satisfies the following three conditions :

1. i)

   d(x, y) ≥ 0 and d(x, y) = 0 if and only if x = y.

2. ii)

   d(x, y) = d(y, x), and

3. iii)

   d(x, z) ≤ d(x, y) + d(y, z), for every x, y, z in A.

In what follows, we treat the Hamming, Lee and p-distances for codes and lattices, and related concepts such as the minimum distance of a set and closed balls

$$\displaystyle \begin{aligned} B_{d}(x,R)=\{y\in A;d(y,x)\leq R\} \end{aligned} $$

(3.1)

in these distances.

The Hamming Distance

For \(A=\mathbb {Z}_{q}^{n}\), particularly for q = 2, corresponding to binary codes, the commonly used distance is the Hamming distance d _H which counts the number of coordinates in which two codewords differ. For x = (x ₁, x ₂,…,x _n ) and y = (y ₁, y ₂,…,y _n ),

$$\displaystyle \begin{aligned} d_{H}(\mathbf{x},\mathbf{y})=\left|\{i;x_{i}\neq y_{i}\right\}|. \end{aligned}$$

For example, in \(\mathbb {Z}_{2}^{4}\),

$$\displaystyle \begin{aligned} d_{H}((1,0,1,1),(0,1,0,1))=3 \end{aligned}$$

and in \(\mathbb {Z}_{5}^{3}\),

$$\displaystyle \begin{aligned} d_{H}((1,0,3),(1,2,0))=2. \end{aligned}$$

The Minimum Hamming Distance

For a linear code C in \(\mathbb {Z}_{q}^{n}\), it is defined as the minimum of all distances between two different vectors in the code. Since d _H (x, y) = d _H (x + k, y + k), for every x, y, k ∈ \(\mathbb {Z}_{q}^{n}\), the minimum Hamming distance is the minimum of d _H (x, 0), (x ∈ C, x ≠ 0 ), that is the minimum weight of a non-zero codeword.

For binary linear codes C ⊂ \(\mathbb {Z}_{2}^{n}\), the minimum Hamming distance d _H (C) is linked to the error correction capability. A code with minimum distance d _H (C) can correct R =  \(\left \lfloor \frac {d_{H}(C)-1}{2}\right \rfloor \) errors. Geometrically this means that the Hamming balls of radius R centered at codewords do not intersect. Hence, any received vector in \(\mathbb {Z}_{2}^{n}\) with no more than r different coordinates (errors) from that of a codeword will be located in just one of these balls and will be decoded as its center.

Definition 3.3

A binary linear code is R-perfect in the Hamming metric if the union of those balls centered in its codewords with the radius R is \(\mathbb {Z}_{2}^{n}\).

The Hamming codes introduced by R.W. Hamming in 1950 and used in several applications are 1-perfect. In \(\mathbb {Z}_{2}^{7}\), a 1-perfect code can be described as \(C=\{(a_{1},a_{2},a_{3},a_{4},a_{2}+a_{3}+a_{4},a_{1}+a_{3}+a_{4},a_{1}+a_{2}+a_{4}),a_{i}\in {\mathbb {Z}}_2\}\).

The relation between the minimum Hamming distance of a code \(C\subset \mathbb {Z}_{2}^{n}\) and the minimum norm (Euclidean distance) of its associated Construction A lattice Λ _C is described in the next proposition [60].

Proposition 3.4

Let C be a linear binary code with minimum distance d _H (C) and λ be the minimum norm (see (2.10)) of its associated lattice Λ _C . Then:

1. i)

   If d _H (C) < 4, \(\lambda =\sqrt {d}\) and the set of minimum norm vectors of Λ _C is composed by the codewords of C with weight d and the vectors obtained from these codewords by replacing one or more coordinates set to 1 by  − 1.

2. ii)

   If d _H (C) = 4, λ =  2 and the set of minimum norm vectors of Λ _C is composed by the codewords of C with weight equal to 4, the vectors obtained from these codewords by replacing one or more coordinates set to 1 by  − 1 and the vector which have  ± 2 for their unique non-zero coordinate.

3. iii)

   If d _H (C) > 4, λ =  2 and the minimum norm vectors of Λ _C are the ones which have  ± 2 for their unique non-zero coordinate.

This result is useful to detect the set of minimum norm vectors of special lattices which may be difficult to find in general. For example, consider the lattice E ₈ (see Chap. 2). A lattice congruent to E ₈ can be obtained via Construction A from the extended Hamming code in \(\mathbb {Z}_{2}^{8}\) given by

$$\displaystyle \begin{aligned} C=\{(a_{1},a_{2},a_{3},a_{4},a_{2}+a_{3}+a_{4},a_{1}+a_{3}+a_{4},a_{1}+a_{2}+a_{4},a_{1}+a_{2}+a_{3}),a_{i}\in\mathbb{Z}_2\} \end{aligned}$$

(see [98, Chap. 5, 2.1]). The code C has minimum Hamming distance 4 and 14 of its codewords have this minimum distance (see Exercise 3.2). By the above proposition, considering all 2⁴ possibilities of sign changes in each codeword of minimum distance plus the lattice vectors on the edges, we get that E ₈ must have 14 ⋅ 2⁴ + 16 = 240 vectors of minimum norm. This number (the kissing number of E ₈) appears also in the theta series of this lattice (see the following section).

The Lee and the ℓ _p Distances Another distance used for q −ary codes is the Lee distance in \(\mathbb {Z}_{q}^{n}\), introduced in [61] for non-binary codes. We consider here the set of integers modulo q in its typical representation, \(\mathbb {Z}_q = \left \{0,1,\ldots ,q-1 \right \}\). For a and b in \(\mathbb {Z}_{q}\), it is the “circular” graph distance (see Fig. 3.4), defined by

$$\displaystyle \begin{aligned} d_{\mathrm{Lee}}(a,b)=min\{\left|a-b\right|,q-\left|a-b\right|\}. \end{aligned}$$

Fig. 3.4

(a) Lee distance in \( \mathbb {Z}_{5}\): the smallest number of edges in the circular graph on the left (e.g., d _Lee(0, 3) = 2). (b) Lee distance in \( \mathbb {Z}_{5}^{2}\): in the integer grid with the parallel board sides identified (flat torus), it is again the graph distance, that is the smallest number of edges connecting two pairs (e.g., d _Lee((1, 1), (3, 2)) = 3 (red path), d _Lee((1, 1), (4, 4)) = 4 (black path)

In the Cartesian product \(\mathbb {Z}_{q}^{n}\), the Lee distance between a = (a ₁, a ₂, …, a _n ) and b = (b ₁, b ₂, …, b _n ) is defined as

$$\displaystyle \begin{aligned} d_{\mathrm{Lee}}(\mathbf{a},\mathbf{b})=\sum_{i=1}^{n}d_{\mathrm{Lee}}(a_{i},b_{i}). \end{aligned}$$

We remark (see Exercise 3.3) that for q = 2 and q = 3, the Lee and the Hamming distances in \(\mathbb {Z}_{q}^{n}\) are the same for all pairs of vectors and these are the only values of q for which both metrics coincide. For instance, in \(\mathbb {Z}_{5}^{3}\) d _Lee((1, 0, 3), (1, 2, 0)) = 5 and d _H ((1, 0, 3), (1, 2, 0)) = 2, as we have seen.

The Lee distance in \(\mathbb {Z}_{q}^{n}\) can be seen as induced by the l ₁ or Manhattan distance in \(\mathbb {Z}^{n}\), \(d_{1}(\mathbf {a},\mathbf {b})=\sum _{i=1}^{n}\left |a_{i}-b_{i}\right |\), into the quotient \(\mathbb {Z}^{n}\)/\(q\mathbb {Z}^{n}\) \(\simeq \mathbb {Z}_{q}^{n}\). We can also consider distances either in \(\mathbb {Z}^{n}\) or in \(\mathbb {Z}_{q}^{n}\) as the ones induced by the well-known l _p metrics in \(\mathbb {R}^{n}\), which are defined for a = (a ₁, a ₂, …, a _n ) and b = (b ₁, b ₂, …, b _n ) in \(\mathbb {Z}^{n}\) and p ∈ \(\mathbb {N},\) p⩾1, as

$$\displaystyle \begin{aligned} d_{p}(\mathbf{a},\mathbf{b})=\left(\sum_{i=1}^{n}\left|a_{i}-b_{i}\right|{}^{p}\right)^{\frac{1}{p}} \end{aligned}$$

and \(d_{\infty }({\boldsymbol {a}},{\mathbf {b}}):=\max \{|a_{i}-b_{i}|;\,\,i=1,\ldots ,n\}.\) Note that for p = 1 and p = 2, we have the Lee distance and the standard Euclidean distance, respectively, whereas for p = ∞, this distance is also known as the maximum or Chebyshev metric. The correspondent induced ℓ _p  − distance for a and b in \(\mathbb {Z}^{n}\)/\(q\mathbb {Z}^{n}\simeq \mathbb {Z}_{q}^{n}\) (also called p-Lee distance) is given by [19]

$$\displaystyle \begin{aligned} d_{p}(\mathbf{a},\mathbf{b})=\left(\sum_{i=1}^{n}(d_{\mathrm{Lee}}(a_{i},b_{i}))^{p}\right)^{\frac{1}{p}}\text{for }p\in\mathbb{N},p\geqslant1,\end{aligned} $$

and

$$\displaystyle \begin{aligned} d_{\infty}({\boldsymbol{a}},{\mathbf{b}}):=\max\{d_{\mathrm{Lee}}(a_{i},b_{i}),i=1,\dots,n\}\,. \end{aligned}$$

Example 3.5

For a = (1, 1) and b = (4, 4) in \(\mathbb {Z}^{2}\), we have

$$\displaystyle \begin{aligned} d_{1}(\mathbf{a},\mathbf{b})=6,~d_{2}(\mathbf{a},\mathbf{b})=6\sqrt{2},~ d_{\infty}(\mathbf{a},\mathbf{b})=3, \end{aligned}$$

whereas for a = (1, 1), b = (4, 4) now considered in \(\mathbb {Z}_{5}^{2}\),

$$\displaystyle \begin{aligned} d_{1}(\mathbf{a},\mathbf{b}{\mathbf{)}}=d_{\mathrm{Lee}}(\mathbf{a},\mathbf{b})=4, ~d_{2}(\mathbf{a},\mathbf{b})=4\sqrt{2},~d_{\infty}(\mathbf{a},\mathbf{b})=2. \end{aligned}$$

Like the Hamming distance, all the p-Lee distances in \(\mathbb {Z}^{n}\) or \(\mathbb {Z}_{q}^{n}\) are invariant by translations (Exercise 3.4):

$$\displaystyle \begin{aligned} d(\mathbf{a},\mathbf{b})=d(\mathbf{a}+\mathbf{c},\mathbf{b}+\mathbf{c}). \end{aligned}$$

As functions we have (see Exercise 3.5) that d ₁ ≥ d ₂ ≥… ≥ d _∞ , which implies the inclusion reversal order for the closed balls of a fixed radius. For p = 1 (Lee) and p = ∞, the p-distances in \(\mathbb {Z}^{n}\) or in \(\mathbb {Z}_{q}^{n}\) are always integers, and there are closed form expressions for the number of points μ _p (n, R) in the closed balls of radius R in \(\mathbb {Z}^{n}\), given by

$$\displaystyle \begin{aligned} \ \mu_{1}(n,R)=\sum_{i=0}^{\min\{n,R\}}2^{i}{n \choose i}{R \choose i} \end{aligned} $$

(3.2)

$$\displaystyle \begin{aligned} \ \mu_{\infty}(n,R)=(2R+1)^{n}. \end{aligned} $$

(3.3)

Note also that, for 2R + 1 ≤ q, the number of points in a closed ball of radius R in \(\mathbb {Z}_{q}^{n}\) either in the Lee or in the infinity metric in \(\mathbb {Z}_{q}^{n}\) is the same as in the ball in \(\mathbb {Z}^{n}\) with the same radius.

Example 3.6

For n = 2, we have from the expressions above that μ ₁(n, R) = R ² + (R + 1)² and μ _∞ (n, R) = (2R + 1)². Thus a closed ball of radius 2 in the d ₁ (Lee) distance either in \(\mathbb {Z}^{2}\) or in \(\mathbb {Z}_{7}^{2}\) has 13 points, whereas in the distance d _∞ a ball with the same radius has 25 points, since 2R + 1 ≤ q. For the distance d ₁, the closed balls with R = 4 in \(\mathbb {Z}^{2}\) and in \(\mathbb {Z}_{7}^{2}\) have 41 and 37 points, respectively. The balls of radius 4 for the distance d _∞ in \(\mathbb {Z}^{2}\) and in \(\mathbb {Z}_{7}^{2}\) have 81 and 49 points (since d _∞ (a, b) ≤ 3, for all \(\mathbf {a},\mathbf {b}\in \mathbb {Z}_{7}^{2}\)), respectively.

The Minimum Distance

d _p (C) For a linear code C in \(\mathbb {Z}_{q}^{n}\) or a lattice Λ in \(\mathbb {Z}^{n}\), it is defined as the minimum of the ℓ _p distances between two different vectors in the code or in the lattice which, due to invariance under translation, is the same as the minimum ℓ _p  −distance from a non-zero vector to the null vector (minimum ℓ _p -norm).

It should be remarked that for a large enough alphabet size, a code and its associated lattice via Construction A have the same minimum ℓ _p -distance [56, 89], since

$$\displaystyle \begin{aligned} d_{p}(\varLambda_{C})=\min\left\{ d_{p}(C),q\right\}. \end{aligned} $$

(3.4)

Like in the Hamming metric, we may use the closest neighbor criterion under the p-distance for decoding by considering disjoint p-balls centered at codewords. We define the d _p -packing radius R of a code \(C\subset \mathbb {Z}_{q}^{n}\) (\(\varLambda \subset \mathbb {Z}^{n}\)) as the greatest R such that the closed balls of radius R in the d _p metric centered at the distinct points of C are disjoint and there is at least one point of \(\mathbb {Z}_{q}^{n}\) (\(\mathbb {Z}^{n}\)) at the boundary of these closed balls. Hence any received vector which is inside these balls will be univocally decoded as the codeword center of its ball.

For p = 1 and p = ∞, the packing radius of a linear code \(C\subset \mathbb {Z}_{q}^{n}\) (\(\varLambda \subset \mathbb {Z}^{n}\)) is an integer given by the expression \(R=\left \lfloor \frac {d_{p}(C)-1}{2}\right \rfloor \). For 1 < p < ∞, a similar expression is not valid [19].

Similarly to the binary case with Hamming distance (recall Definition 3.3), we can consider closed balls (3.1) in \(\mathbb {Z}_q^n\) or \(\mathbb {Z}^n\) with respect to the ℓ _p metric and define:

Definition 3.4

If the union of disjoint closed balls of packing radius R in a p-metric covers \(\mathbb {Z}_{q}^{n}\) (or \(\mathbb {Z}^{n}\)), we say that C (or Λ) is R-perfect in this metric.

For \(R<\frac {q}{2}\), a necessary condition for a code to be R-perfect in the ℓ _p metric is that \(\left |C\right |\mu _{p}(n,R)=q^{n}\). We may use the closed form expression for the number of closed ball points μ _p (n, R) in the cases p = 1 (3.2) and p = ∞ (3.3).

Example 3.7

Consider the linear codes \(C_{1}=\left \langle (1,6)\right \rangle \) and \(C_{2}=\left \langle (2,3)\right \rangle \) in \(\mathbb {Z}_{13}^{2}\) generated by the vectors (2, 3) and (1, 6), respectively. Both codes have 13 codewords, minimum distances in the Lee metric which are d ₁(C ₁) = 3 and d ₁(C ₂) = 5, and hence their packing radii are 1 and 2, respectively. The code C ₂ is 2-perfect in the Lee distance since balls of radius 2 centered at its codewords are disjoint and cover \(\mathbb {Z}_{13}^{2}\), whereas C ₁ is not. Note also that, taking into account the above Example 3.6, the lattice \(\varLambda _{C_{2}}\) is also 2-perfect with respect to the l ₁ distance (see Fig. 3.5). This relation between perfect codes and associated perfect lattices can be extended to all d _p distances.

Fig. 3.5

Codes in \( \mathbb {Z}_{13}^{2}\) with the Lee distance. On the left the code C ₁ = 〈(1, 6)〉 with its packing balls, on the right the perfect code C ₂ = 〈(2, 3)〉 represented inside its associated lattice \(\varLambda _{C_{2}}\)

Proposition 3.5 ([19])

If \(C\subset \mathbb {Z}_{q}^{n}\) is a perfect linear code in the ℓ _p -metric with packing radius \(R<\frac {q}{2}\) , then the lattice Λ _C is also perfect in this metric with the same radius.

Example 3.8

Consider the perfect code given by \(C_{k}=\langle (k,k+1)\rangle \subset \mathbb {Z}_{h}^{2}\), where h = k ² + (k + 1)², in the Lee metric with radius R = k (see Exercise 3.6). Since \(k<\frac {h}{2}\), the associated lattice Λ _C is also perfect in \(\mathbb {Z}^{2}\). This provides, for n = 2, examples of perfect Lee lattices of any radius.

The result of the last example cannot be extended to dimension 3. This is a consequence of the so-called Golomb-Welch conjecture . Introduced in [46], it states that for n ≥ 3, the unique Lee perfect lattices are the ones with radius R = 1. This long-standing conjecture is, up to now, only proved in particular cases and for n ≤ 11 (see [50] and references therein). It is important to note that the condition \(R<\frac {q}{2}\) in the last proposition cannot be removed. A counterexample can be given by the perfect binary code C with radius 7 in the Lee metric, C = {(0, 0, 0, 0, 0, 0, 0), (1, 1, 1, 1, 1, 1, 1)}⊂ \(\mathbb {Z}_{2}^{7}\) since Λ _C is not perfect in \(\mathbb {Z}^{7}\) (see Exercise 3.7).

Note that the trivial codes C = {0} and \(C=\mathbb {Z}_{q}^{n}\) may be considered perfect for any d _p distance. For p = ∞, the existence of perfect codes is fully characterized next.

Proposition 3.6 ([32])

There are nontrivial perfect codes \(C\subset \mathbb {Z}_{q}^{n}\) in the ℓ _∞ metric if and only if q = bm with b > 1 an odd integer and m > 1 an integer.

Example 3.9

Simple examples of perfect codes of packing radius R in the ℓ _∞ metric are, for b = 2R + 1, the Cartesian codes, \(C=\sum _{i=1}^{n}\alpha _{j}b\mathbf {e_{\mathbf {i}}},\subset \mathbb {Z}_{bm}^{n}\), (α _j  = 0, 1, …, m). An example of a non-Cartesian perfect code in the d _∞ metric is \(C=\left \langle (1,7)\right \rangle \subset \mathbb {Z}_{49}^{2}\) (see Fig. 3.6). Its packing radius is 3.

Fig. 3.6

The code \(C= \left \langle \left (1,7 \right ) \right \rangle \subset \mathbb {Z}_{49}^{2}\), which is perfect in the ℓ _∞ distance with its packing balls

The next proposition shows that for each perfect code in the ℓ _∞ metric, there exists p ^∗≥ 1 such that this code is also perfect in the p-Lee metric for all p ≥ p ^∗.

Proposition 3.7 ([32])

Let \(C\subseteq \mathbb {Z}_{q}^{n}\) be a perfect code in the ℓ _∞ metric with packing radius R. If \(p>\frac {\ln (n)}{\ln \left (1+\frac {1}{R}\right )}\) , then C is perfect in the ℓ _p metric, with radius R _p  = Rn ^1/p.

Note that according to the above proposition the ℓ _∞ -perfect code with packing radius 3, \(C=\left \langle \left (1,7\right )\right \rangle \subset \mathbb {Z}_{49}^{2{}}\), from Example 3.7 (Fig. 3.6) is also ℓ _p -perfect with packing radius \(3.2^{\frac {1}{p}}\) for any p ≥ 3.

It may be worth noting that the lattice distances discussed in this chapter were all related to the underlying code distances. Other distances may of course be of interest, e.g., the product distance, discussed in the next chapter.

3.2.1 q-ary Lattice Decoding

We have discussed so far many connections between distances on codes and distances on their associated lattice via Construction A. We next give applications of these connections, in particular to the problem of lattice decoding. We recall (see also Chap. 2) that given a vector in \(\mathbb {R}^{n}\) (obtained through transmission via for example a Gaussian channel), lattice decoding consists of finding a lattice vector which is closest to it. Without the setting of transmission via a communication channel, this becomes the closest vector problem (see Problem 2.2). The case of communication via a Gaussian channel corresponds to the Euclidean distance (p = 2). There is a huge amount of literature on this problem (e.g., [49, 109]). On the other hand, lattice-based cryptographic schemes are usually built upon q-ary lattices and are linked to the computational difficulty of the shortest (see Problem 2.1) and closest vector problems (Problem 2.2). While both problems are difficult in general, for q-ary lattices obtained from codes via Construction A, it is possible to solve them more efficiently by decoding the code.

In the next proposition and example, we denote by \(\overline {\mathbf {x}}\) a codeword of a linear code \(C\subset \mathbb {Z}_{q}^{n}\) and by x an associated vector in Λ _C . Since there is an isomorphism \(\varLambda _{C}/q\mathbb {Z}^{n}\simeq C\), we do not distinguish elements of \(\varLambda _{C}/q\mathbb {Z}^{n}\subseteq \mathbb {R}^{n}/q\mathbb {Z}^{n}\) from the codewords of C.

Proposition 3.8 ([32, 57])

Let Λ _C be a q-ary lattice and \(\boldsymbol {r}=(r_{1},\ldots ,r_{n})\in \mathbb {R}^{n}\) . Let \(\overline {\boldsymbol {r}}\in \mathbb {R}^{n}/q\mathbb {Z}^{n}\) and \({\overline {\boldsymbol {c}}}\in C, \boldsymbol {c}=(c_{1},\ldots ,c_{n}),\) 0 ≤ c _i  < q, a closest codeword to \(\overline {\boldsymbol {r}}\) considering the d _p distance in \(\mathbb {R}^{n}/q\mathbb {Z}^{n}\) . An element z ∈ Λ _C which is closest to r considering the ℓ _p metric in \(\mathbb {R}^{n}\) is z = (z ₁, ⋯ , z _n ), where z _i  = c _i  + qw _i and \(w_{i}=\left \lceil {\displaystyle \frac {r_{i}-x_{i}}{q}}\right \rfloor ,\) for each i = 1, …, n.

Example 3.10

Consider the code \(C=\left \langle (\bar {2},\bar {3})\right \rangle \subset \mathbb {Z}_{13}^{2}\) and its associated lattice Λ _C . For the received vector \(\mathbf {r=}(0,-6)\in \mathbb {R}^{2}\), the closest codeword from \(\overline {\mathbf {r}}=\left (\bar {0},\bar {7}\right )\) is \(\overline {\mathbf {x}}=\left (\overline {12},\overline {8}\right )\). The closest lattice point to r in the distance d ₁ is z = (−1, −5).

3.3 Wiretap Coding and Theta Series

Let us look again at the lattice Λ _C  = ρ ⁻¹(C) obtained from a linear code \(C\subset \mathbb {Z}_q^n\) via Construction A geometrically. It is obtained by considering the lattice \(q\mathbb {Z}^n\) and its translations by the codewords of C. As a first example, in Fig. 3.2b, ρ ⁻¹(C) is the union of \(2\mathbb {Z}^{2}\) and \(2\mathbb {Z}^{2}+(1,1)\). Also, for \(C = \langle (1,2) \rangle \subset \mathbb {Z}_5^2\) (Fig. 3.3), the lattice Λ _C is the union of \(\varLambda = 5\mathbb {Z}^2\) with the four translations of Λ by the nonvanishing codewords of C, (1, 2), (2, 4), (3, 1) and (4, 3) (called gluing vectors). In other words, ρ ⁻¹(C) is the union of cosets of \(q\mathbb {Z}^{n}\), and codewords of C form coset representatives. This makes Construction A particularly suitable for a coding strategy called coset coding , which we will explain next in the context of wiretap coding.

Let us consider Gaussian wiretap coding, and recall from (2.20) that transmission of a vector x over a Gaussian channel is of the form y _B  = x + n _B where n _B is a random vector whose components are independent Gaussian random variables with mean 0 and variance \(\sigma _{B}^{2}\). Suppose now that an eavesdropper (wiretapper) is listening to this transmission (see Fig. 3.7a). Then the eavesdropper will receive y _E  = x + n _E , where the noise n _E has variance \(\sigma _{E}^{2}\). The subscripts B and E refer to Bob and Eve, the standard names of players when security is involved in a protocol. Now the Gaussian wiretap coding problem asks for reliability between the legitimate transmitter (Alice) and receiver (Bob), which is the Gaussian channel coding problem discussed in Chap. 2, but also confidentiality despite the presence of the eavesdropper Eve [62]. This is done via the introduction of randomness at the transmitter, and coset coding gives a practical way to handle this randomness. The secret information is encoded into cosets, while x is then chosen randomly within this coset. If we consider again the code \(\{(0,0), (1,1)\} \subset \mathbb {Z}_2^2\) of Fig. 3.2b, one bit of secret can be transmitted using coset coding: to send 0, choose the coset \(2\mathbb {Z}^{2}\), and to send 1, choose the coset \(2\mathbb {Z}^{2}+(1, 1)\).

Fig. 3.7

Gaussian wiretap channel: channel and intuition. (a) A wiretap channel, where Alice and Bob want to exchange a confidential message in the presence of an eavesdropper Eve. (b) Bob’s noise is such that it can decode the point transmitted via coset coding normally. Eve’s noise is such that two points from the first coset and two points from the second coset are equally possible, and thus she has to decode one of the two at random

The idea behind wiretap coding is probably best understood in the scenario, called wiretap II [81], where Alice and Bob have a noiseless channel, and Eve receives μ symbols out of the n sent by Alice. Alice knows μ, but she does not know which μ positions are known to Eve. In the simplest case, say Alice sends n = 2 bits, and μ = 1. Then Alice can achieve perfect confidentiality by sending (b + r, r) where b is her secret bit, and r is a random bit, chosen uniformly at random. In the Gaussian case, the introduction of random bits is mimicked, but the intuition is different. Since Eve is supposed to have a stronger noise than Bob (as was already assumed in the wiretap II case since Bob has a noiseless channel), the geometric intuition is that when Bob receives a noisy codeword, his channel is such that in the radius around his received point, only the codeword that was sent is present, while Eve will find in her radius points from different cosets, such that each coset is equally likely to have been sent. This is illustrated in Fig. 3.7b. A practical example of the effect of coset coding is shown in Fig. 3.8, where an image has been transmitted, over a USRP testbed [65], using coset coding: on the right, one secret bit is mapped to a coset in \(\mathbb {Z}_2\) (\(\mathbb {Z}\) is partitioned into two cosets), and the coset representative is chosen with 2 bits of randomness. The technical settings of the experiments are found in [65].

Fig. 3.8

The cameraman image transmitted by Alice and received by an eavesdropper: on the left, with no coset coding, in the middle with one bit of randomness, and on the right with two bits of randomness

Coset encoding uses two nested lattices Λ _E  ⊂ Λ _B , where Λ _B is the lattice from which a signal constellation is carved for transmission to Bob, while Λ _E is the sublattice used to partition Λ _B . In the right picture of Fig. 3.8, \(\varLambda _B=2\mathbb {Z}\) and \(\varLambda _E=\mathbb {Z}\). For a general Construction A, as explained above, Λ _B is partitioned using \(\varLambda _{E}=q\mathbb {Z}^{n}\). This suggests two questions:

• Can we apply Construction A with other pairs of nested lattices? The answer is yes, and there are plenty of works and constructions following the same principle: instead of n copies of \(\mathbb {Z}\), take n copies of some commutative ring R, and instead of \(q\mathbb {Z}\), take an ideal I of this ring (see the introduction of the next chapter for a definition). Then use a linear code C which is a subset of (R/I)ⁿ. See, e.g., [33, 59] and references therein.

• Would another choice of nested pairs of lattices Λ _E  ⊆ Λ _B bring more confidentiality, and what would be a design criterion for such a lattice? We will be discussing this criterion next.

As explained above, in wiretap coset coding, one message corresponds to one coset, here of a lattice, instead of one lattice point. Thus, mimicking the probability analysis of Chap. 2, the probability P _c,E that Eve correctly decodes her received message is

$$\displaystyle \begin{aligned} \begin{array}{rcl} P_{c,E}&\leq&\frac{1}{(\sqrt{2\pi}\sigma_E)^n}\sum_{\mathbf{t}\in\varLambda_E} \int_{\mathcal{V}_{\varLambda_B}\left(\mathbf{0}\right)}e^{-\Vert \mathbf{u}+\mathbf{t}\Vert ^2/2\sigma_E^2}\text{d}\mathbf{u}. \end{array} \end{aligned} $$

It was shown in [80] that P _c,E is bounded by

$$\displaystyle \begin{aligned} \begin{array}{rcl} P_{c,E} & \leq & \frac{V(\varLambda_B)}{(\sqrt{2\pi}\sigma_E)^n} \sum_{\mathbf{t}\in\varLambda_E}e^{-||\mathbf{t}||{}^2/2\sigma_E^2}=\frac{V(\varLambda_B)}{(\sqrt{2\pi}\sigma_E)^n} \varTheta_{\varLambda_E}\left( \frac{1}{2\pi\sigma_E^2}\right) \end{array} \end{aligned} $$

where we recall that V (Λ _B ) is the volume of Λ and Θ _Λ is the theta series of Λ [26] defined by

$$\displaystyle \begin{aligned} \varTheta_{\varLambda}(z)= \sum_{\mathbf{x}\in\varLambda}q^{\left\Vert \mathbf{x}\right\Vert ^{2}}, ~q=e^{i\pi z},\mathrm{Im}(z)>0. \end{aligned} $$

(3.5)

In the above upper bound, we set y = −iz and thus consider Θ _Λ (y), for y > 0. In what follows, we will write Θ _Λ (q) whenever it does not matter whether we consider z or y. The theta series of an integral lattice keeps track of the different norms of lattice points. The coefficient N(m) of q ^m in this series tells how many points in the lattice are at squared distance m from the origin. This series always starts with 1, corresponding to the zero vector. The second term corresponds to the squared minimum norm λ ² (see (2.10)), and thus the coefficient N(λ ²) of \(q^{\lambda ^2}\) is the kissing number of the lattice. The theta series of a general lattice is hard to compute, but in special cases, it can be expressed in terms of Jacobi theta functions [26, Chap. 4.1]. For example, it can be easily checked geometrically for \(\mathbb {Z}^2\) that the first terms of its series are \(\varTheta _{\mathbb {Z}^2}(q) = 1 + 4q + 4q^2 + 4q^4 + 8q^5 + \dots \). But it is not straightforward to see the coefficient attached to q ^m, for big m in this series. A computation (that actually uses a Jacobi theta function) is shown in Example 3.11.

In Table 3.1 (extracted from [26]), the first non-zero coefficients of the theta series of the lattices \(\mathbb {Z}^2\), \(A_2^*\), \(\mathbb {Z}^3\), FCC, BCC, and E ₈ are given. Here \(A_2^*\) is the scaled version of the lattice A ₂ (see Example 2.3), with minimum norm one, which is identified to the hexagonal lattice (Example 2.1).

Table 3.1 First non-zero coefficients N(m) of the Θ-series of some lattices studied in Chap. 2 [26, chap. 4]

Example 3.11

Let us compute the theta series of the lattice \(\mathbb {Z}^n\) :

$$\displaystyle \begin{aligned} \varTheta_{\mathbb{Z}^n}(q) = \sum_{\mathbf{x}\in\mathbb{Z}^n}q^{||\mathbf{x}||{}^2} = \sum_{x_1\in\mathbb{Z}}q^{x_1^2}\cdots\sum_{x_n\in\mathbb{Z}}q^{x_n^2} = \left(\sum_{m\in\mathbb{Z}}q^{m^2}\right)^n \end{aligned}$$

$$\displaystyle \begin{aligned}\quad= (1 + 2q + 2q^4 + 2q^9 + \dots)^n = \varTheta_{\mathbb{Z}}(q)^n.\end{aligned}$$

To evaluate the benefit of using a specific lattice Λ _E with respect to using \(\varLambda _E=\nu \mathbb {Z}^n\) (ν is a scaling factor so that \(\mathbb {Z}^{n}\) scaled to the same volume), we compare the behavior of the theta series of \(\nu \mathbb {Z}^n\) with that of Λ _E and consequently define the notion of secrecy gain . This idea of defining a gain (here in terms of secrecy) by comparing the lattice \(\mathbb {Z}^n\) and another lattice is fairly standard. In fact, we already mentioned it in the context of quantization (see the discussion on best quantizers at the end of Sect. 2.5.1).

Definition 3.5

The (strong) secrecy gain χ _Λ, strong of an n-dimensional lattice Λ is defined by

$$\displaystyle \begin{aligned} \chi_{\varLambda,\text{strong}}= \sup_{y>0}\frac{\varTheta_{\nu \mathbb{Z}^{n}}(y)}{\varTheta_{\varLambda}(y)} \end{aligned}$$

defined for y > 0.

The role of the theta series \(\varTheta _{\varLambda _E}\) at the point \(y=\frac {1}{2\pi \sigma _E^2}\) has been independently confirmed in [63], where it was shown for the mod-Λ Gaussian channel that the mutual information I(S;Z), an information theoretic measure of the amount of information that Eve gets about the secret message S by receiving Z, is bounded by a function that depends of the channel parameters and of \(\varTheta _{\varLambda _E}\left ( \frac {1}{2\pi \sigma _E^2}\right )\).

The adjective “strong” in the definition of secrecy gain is motivated by the fact that the above quantity is hard to compute, while for unimodular lattices, the secrecy gain seems to correspond to a multiplicative symmetry point of the function \(\frac {\varTheta _{\nu \mathbb {Z}^{n}}(y)}{\varTheta _{\varLambda }(y)}\), as illustrated in Fig. 3.9 (in log scale) for the E ₈ lattice. The shape of the function is typical of that of a unimodular lattice. The “weak” secrecy gain thus corresponds to this symmetric point, conjectured to be the maximum of the function and thus the secrecy gain. As of now, this conjecture is still under investigation.

Fig. 3.9

The secrecy gain of the 8-dimensional unimodular lattice E ₈ where the x-axis is in decibels (10log₁₀(y))

3. Exercises

Exercise 3.1

Show that for \(S\subset \mathbb {Z}_q^n\), if ρ ⁻¹(S) is a lattice in \(\mathbb {R}^n\), then S is a linear code.

Exercise 3.2

Show that the extended Hamming code in \(\mathbb {Z}_2^8\) has minimum Hamming distance 4 and that 14 of its codewords have this minimum distance.

Exercise 3.3

Show that for q = 2, 3, the Lee distance is the same distance as the Hamming distance.

Exercise 3.4

Prove that the Hamming distance and the p-Lee distances are invariant by translation.

Exercise 3.5

Prove that for the Lee distances d _p , d ₁ ≥ d ₂ ≥… ≥ d _∞ .

Exercise 3.6

As you can see in Figs. 3.3 and 3.5, the codes \(\left \langle (1,2)\right \rangle \subset \) \(\mathbb {Z}_{5}^{2}\) and \(\left \langle (2,3)\right \rangle \subset \) \(\mathbb {Z}_{13}^{2}\) are perfect in the Lee Metric. Prove that this result can be extended: Any code \(C_{k}=\left \langle (k,k+1)\right \rangle \subset \mathbb {Z}_{h}^{2}\) , where h = k ² + (k + 1)², is a perfect code in the Lee metric with packing radius R = k.

Exercise 3.7

Show that the condition \(R<\frac {q}{2}\) in Proposition 3.5 cannot be removed by proving that \(C=\{(0,0,0,0,0,0,0),(1,1,1,1,1,1,1)\}\subset \mathbb {Z}_{2}^{7}\) is perfect with radius 3 in the Lee metric but Λ _C is not perfect in \(\mathbb {Z}^{7}\).