2

The common modulus methods are standard modulus (the result is confined to the range $[0, q-1]$) and centered modulus (the result is confined to the range $[- \lfloor q/2 \rfloor, \lceil q/2 \rceil)$).

My questions is:In lattice-based cryptography, should we use standard modulus or centered modulus? Or are they equivalent?
For example, given a matrix $ \mathbf{A} \in \mathbb{Z}_q^{n \times m} $ and a short vector $ \mathbf{x} \in D_{\sigma}^{m} $ drawn from a discrete Gaussian distribution with center 0 and standard deviation $\sigma$, should we use standard modulus or centered modulus when computing $ \mathsf{A} \cdot \mathbf{x} $?

The norm $\|\mathsf{x}\|_{\infty}$ seems to be defined on a centered modulus, so I suspect that a centered modulus can be chosen, but I'm not entirely sure.

Thank you in advance for your help.

user109993
  • 135
  • 5

1 Answers1

1

It doesn't really matter. You're right that if you use the "standard modulus", then you need a different formula for $\lVert \vec x\rVert_\infty$. But this is easy to provide, namely

$$ \lVert \vec x\rVert_\infty = \max_{i\in[n]} |x_i|', $$ where $|x_i|' := \max(x_i, q - x_i)$. Note that this quantity is natural to consider, independently of lattice-based cryptography. In particular, it is the "quotient metric on $\mathbb{Z}/q\mathbb{Z}$", and has appeared in coding theory in the definition of the Lee metric.

Note that for implementations on resource-constrained devices (that may not have 64-bit multiplication, for example), some algorithms development has been only for signed arithmetic initially (corresponding to your "centered modulus"), or unsigned arithmetic (corresponding to your "standard modulus"). In general though, for anything I've looked at other authors are able to port the other techniques over to the other type of arithmetic fairly easily, e.g. there doesn't seem to be some fundamental difference between the two.

Mark Schultz-Wu
  • 15,089
  • 1
  • 22
  • 53