Smoothing Codes and Lattices:
Systematic Study and New Bounds

In either a code or a lattice, smoothing refers to fact that, as an error distribution grows wider and wider, the associated syndrome distribution tends towards a uniform distribution. In other words, the error distribution, reduced modulo the code or the lattice, becomes essentially flat. This phenomenon is pivotal in arguing security of cryptosystems [MR07, GPV08, DST19]. In information theoretic literature, it is also sometimes referred to as flatness [LLBS14]. Informally, by a “smoothing bound” we are referring to a result which lower bounds the amount of noise which needs to be added so that the smoothed distribution “looks” flat.

To be more concrete, by a “flat distribution”, we are referring to a uniform distribution over the ambient space modulo the group of interest. For a (linear) code $\mathscr{C}\subseteq\mathbb{F}_{2}^{n}$, this quotient space is $\mathbb{F}_{2}^{n}/\mathscr{C}$; for a lattice $\Lambda\subseteq\mathbb{R}^{n}$, it is $\mathbb{R}^{n}/\Lambda$. We then consider some “noise” vector $\mathbf{e}$ distributed over the ambient space $\mathbb{F}_{2}^{n}$ (resp. $\mathbb{R}^{n}$), and attempt to prove that $\mathbf{e}\mod\mathscr{C}$ (resp. $\mathbf{e}\mod\Lambda$) is “close” to the uniform distribution over the quotient space $\mathbb{F}_{2}^{n}/\mathscr{C}$ (resp. $\mathbb{R}^{n}/\Lambda$). To quantify “closeness” between distributions, we will use the standard choice of statistical distance.

An important question to be addressed is the choice of distribution for the noise vector $\mathbf{e}$. In lattice-based cryptography (where such smoothing bounds originated [MR07]), the literature ubiquitously uses Gaussian distributions for errors, and smoothness is guaranteed for an error growing as the inverse of the minimum distance of the dual lattice. The original chain [MR07] of argument goes as follows:

• •

  Apply the Poisson summation formula (PSF);

• •

  Bound variations via the triangle inequality (TI) over all non-zero dual lattice points;

• •

  Bound the absolute sum above via the Banaszczyk tail bound [Ban93] for discrete Gaussian (BT).

An intermediate quantity called the smoothing parameter introduced by [MR07] before the last step is also often used in the lattice-based cryptographic literature. Each bounding step is potentially non-tight, and indeed more recent works have replaced the last step by the following [ADRS15]:

• •

  Bound the number of lattice points in balls of a given radius via the Linear Programming bound [Lev79] (LP) and “sum over all radii” (with care).

With this LP strategy, it is in principle possible to also compute a smoothing bound for spherically symmetric distributions of errors other than the Gaussian; however, we are not aware of prior work doing this explicitly. A very natural choice would be uniform distributions over Euclidean balls.

For codes, there are also two natural distributions of errors: Bernoulli noise, i.e. flip each bit independently with some probability $p$ (a.k.a. the binary symmetric $\mathrm{BSC}_{p}$ channel), and a uniform noise over a Hamming sphere of a fixed radius. The latter is typically preferred for the design of concrete and practical cryptosystems [McE78, Ale11, MTSB13, DST19], while the former appears more convenient in theoretical works ⁽¹⁾⁽¹⁾(1)A third choice of distribution, described as a discrete-time random walk, also made an appearance for a complexity theoretic result [BLVW19]. The expert reader may note that the Bernoulli distribution can also be treated as a continuous-time random walk, and both can be analysed via the heat kernel formalism  [Chu97, Chap. 10].. Cryptographic interest for code smoothing has recently arisen [BLVW19, YZ21], but results are so far limited to codes with extreme parameters and specific “balancedness” constraints. However we note that the question is not entirely new in the coding literature (see for instance  [Klø07]). In particular, an understanding of the smoothing properties of Bernoulli noise is intimately connected to the undetected error probability of a code transmitted through the $\mathrm{BSC}_{p}$.

In this light, it is interesting to revisit and systematize our understanding of smoothing bounds, unencumbered by direct application concerns. We find it enlightening to do this exploration in parallel between codes and lattices, transferring techniques back and forth between both areas whenever possible.

Furthermore, we keep our arguments agnostic to the specific choice of error distribution, allowing us to apply them with different error distributions and compare the results. To compare different (symmetric) distributions, we advocate parametrizing them by the expected weight/norm of a vector. That is, we quantify the magnitude of a noise vector $\mathbf{e}$ by $t=\mathbb{E}(|\mathbf{e}|)$ (where $|\cdot|$ denotes either the Hamming weight or the Euclidean norm of the vector). Our smoothing bounds will depend on this parameter, and we consider a smoothing bound to be more effective if for the smoothed distribution to be close to uniform we require a smaller lower-bound on $t$.

In this work, we collect the techniques that have been used for smoothing, both in the code and lattice contexts. We view individual steps as modular components of arguments, and consider all permissible combinations of steps, thereby determining the most effective arguments. In the following, we outline our systematization efforts, describing the various proof frameworks that we tried before settling on the most effective argument.

The notation $x\stackrel{{\scriptstyle\text{def}}}{{=}}y$ means that $x$ is defined as being equal to $y$. Given a set $\mathscr{S}$, its indicator function will be denoted $1_{\mathscr{S}}$. For a finite set $\mathscr{S}$, we will denote by $\sharp\mathscr{S}$ its cardinality. Vectors will be written with bold letters (such as $\mathbf{x}$). Furthermore, we denotes by $\llbracket a,b\rrbracket$ the set of integers $\{a,a+1,\dots,b\}$.

The statistical distance between two discrete probability distributions $f$ and $g$ over a same space $\mathscr{S}$ is defined as:

Similarly, for two continuous probability density functions $f$ and $g$ over a same measure space $\mathscr{E}$, the statistical distance is defined as

We give here some basic definitions and notation about linear codes and lattices.

Linear codes. In the whole paper, we will deal exclusively with binary linear codes, namely subspaces of $\mathbb{F}_{2}^{n}$ for some positive integer $n$. The space $\mathbb{F}_{2}^{n}$ will be embedded with the Hamming weight $|\cdot|$, namely

We will denote by $\mathscr{S}_{w}$ the sphere with center $\mathbf{0}$ and radius $w$; its size is given by $\binom{n}{w}$ and we have $\frac{1}{n}\log_{2}\binom{n}{w}=h(w/n)+o(1)$ where $h$ denotes the binary-entropy, namely $h(x)\stackrel{{\scriptstyle\text{def}}}{{=}}-x\log_{2}(x)-(1-x)\log_{2}(1-x)$.

An $[n,k]$-code $\mathscr{C}$ is defined as a dimension $k$ subspace of $\mathbb{F}_{2}^{n}$. The rate of $\mathscr{C}$ is $\frac{k}{n}$. Its minimal distance is given by

The number of codewords of $\mathscr{C}$ of weight $t$ will be denoted by $N_{t}(\mathscr{C})$, namely

The dual of a code $\mathscr{C}$ is defined as $\mathscr{C}^{*}\stackrel{{\scriptstyle\text{def}}}{{=}}\left\{\mathbf{c}^{*}\in\mathbb{F}_{2}^{n}\mbox{ : }\forall\mathbf{c}\in\mathscr{C},\mbox{ }\mathbf{c}\cdot\mathbf{c}^{*}=0\right\}$ where $\cdot$ denotes the standard inner product on $\mathbb{F}_{2}^{n}$.

Lattices. We will consider lattices of $\mathbb{R}^{n}$ which is embedded with the Euclidean norm $|\cdot|_{2}$, namely

We will denote by $\mathscr{B}_{w}$ the ball with center $\mathbf{0}$ and radius $w$; its volume is given by

An $n$-dimension lattice $\Lambda$ is defined as a discrete subgroup of $\mathbb{R}^{n}$. The covolume $|\Lambda|\stackrel{{\scriptstyle\text{def}}}{{=}}\textup{vol}\left(\mathbb{R}^{n}/\Lambda\right)$ of $\Lambda$ is the volume of any fundamental parallelotope. The minimal distance of $\Lambda$ is given by $\lambda_{1}(\Lambda)\stackrel{{\scriptstyle\text{def}}}{{=}}\min\left\{|\mathbf{x}|_{2}\mbox{ : }\mathbf{x}\in\Lambda\mbox{ and }\mathbf{x}\neq\mathbf{0}\right\}.$ The number of lattice points of $\Lambda$ of weight $\leq t$ will be denoted by $N_{\leq t}(\Lambda)$, namely

We give here a brief introduction to Fourier analysis over arbitrary locally compact Abelian groups. Our general treatment will allow us to apply directly some basic results in a code and lattice context, obviating the need in each case to introduce essentially the same definitions and to provide the same proofs.

Corollary 2.4 at the end of this subsection is the starting point of our smoothing bounds: all of our results are obtained by using different facts to bound the right hand side of the inequality.

Groups and Their Duals. In what follows $G$ will denote a locally compact Abelian group. Such a group admits a Haar measure $\mu$. For instance $G=\mathbb{R}$ with $\mu$ the Lebesgue measure $\lambda$, or $G=\mathbb{F}_{2}^{n}$ with $\mu$ the counting measure $\sharp$.

The dual group $\widehat{G}$ is given by the continuous group homomorphisms $\chi$ from $G$ into the multiplicative group of complex numbers of absolute value $1$, and it is again a locally compact Abelian group. In Figure 2 we give groups, their duals as well as their associated Haar measures that will be considered in this work.

It is important to note that if $H\subseteq G$ is a closed subgroup, then $G/H$ and $H$ are also locally compact groups. Furthermore, $G/H$ has a dual group that satisfies the following isomorphism

Norms and Fourier Transforms. For any $p\in[1,\infty[$, $L_{p}(G)$ will denote the space of measurable functions $f:G\rightarrow\mathbb{C}$ (up to functions which agree almost everywhere) with finite norm $\|f\|_{p}$ which is defined as

The Fourier transform of $f\in L_{1}(G)$ is defined as

We omitted here the dependence on $G$. It will be clear from the context.

Poisson Formula. Given $H\subseteq G$ and any function $f:G\rightarrow\mathbb{C}$, its restriction over $H$ is defined as $f_{|H}:h\in H\mapsto f(h)\in\mathbb{C}$. We define its periodization as follows.

There always exists a Haar measure $\mu_{G/H}$ such that for any continuous function with compact support $f:G\rightarrow\mathbb{C}$ the quotient integral formula holds

The following corollary is a simple consequence of the Cauchy-Schwarz inequality, Parseval identity and the Poisson formula. Our results on smoothing bounds are all based on this corollary.

In this work we will choose $G=\mathbb{R}^{n}$ and $H=\Lambda$ or $G=\mathbb{F}_{2}^{n}$ and $H=\mathscr{C}$. Haar measures associated to $G,G/H$ and $\widehat{G/H}$ for which the corollary holds are given in Figure 2. Furthermore, we will use Fourier transforms over $\widehat{G}$ and $\widehat{G/H}$. We describe in Figure 3 these dual groups that we will consider.

The probabilistic model ${\pazocal C}_{n,k}$ that we use for our random code of length $n$ is defined by sampling uniformly at random a generator matrix $\mathbf{G}\in\mathbb{F}_{2}^{k\times n}$ for it, i.e.

It is straightforward to check that the expected number of codewords of weight $t$ in the dual $\mathscr{C}^{*}$ is given by:

This estimation combined with Proposition 3.3 enables us to upper-bound $\mathbb{E}_{\mathscr{C}}\left(\Delta(u,f^{\mathscr{C}})\right)$.

It remains now to choose the distribution $f$. A natural choice in code-based cryptography is the uniform distribution $u_{w}$ over the sphere ${\mathscr{S}}_{w}$ of radius $w$ centered around $\mathbf{0}$.

Uniform Distribution over a Sphere. The Fourier transform of $u_{w}$ is intimately connected to Krawtchouk polynomials. The Krawtchouk polynomial of order $n$ and degree $w\in\{0,\dots,n\}$ is defined as

To simplify notation, since $n$ is clear here from context, we will drop the dependency on $n$ and simply write $K_{w}(X)$. The following fact allows to relate $K_{w}$ with $\widehat{u_{w}}$ (see for instance [vL99, Lem. 3.5.1, §3.5])

This leads us to

By plugging this in Equation (5) of Proposition 3.5 we obtain

In other words, if one wants to smooth a random code with target distance $2^{-\Omega(n)}$ via the uniform distribution over a sphere, one has to choose its radius $w\leq n/2$ such that $\binom{n}{w}=2^{\Omega(n)}\;2^{n-k}$. It is readily seen that for fixed code rate $R\stackrel{{\scriptstyle\text{def}}}{{=}}\frac{k}{n}$, choosing any fixed ratio $\omega\stackrel{{\scriptstyle\text{def}}}{{=}}\frac{w}{n}$ such that $\omega>\omega_{\textup{GV}}(R)$ is enough, where $\omega_{\textup{GV}}(R)$ corresponds to the asymptotic relative Gilbert-Varshamov (GV) bound

with $h^{-1}:[0,1]\to[0,1/2]$ being the inverse of the binary entropy function $h(p)=-p\log_{2}(p)-(1-p)\log_{2}(1-p)$. The GV bound $\omega_{\textup{GV}}(R)$ appears ubiquitously in the coding-theoretic literature: amongst other contexts, it arises as the (expected) relative minimum distance of a random code of dimension $Rn$, or as the maximum relative minimum error weight for which decoding over the binary symmetric channel can be successful with non-vanishing error probability.

This value of radius $n\omega_{\textup{GV}}(R)$ is optimal: clearly, the support size of an error distribution smoothing a code $\mathscr{C}$ must exceed $\sharp\mathbb{F}_{2}^{n}/\mathscr{C}$. Thus, we cannot expect to smooth a code $\mathscr{C}$ with errors in the sphere $\mathscr{S}_{w}$ if its volume is smaller than $2^{n-k}=\sharp\mathbb{F}_{2}^{n}/\mathscr{C}$.

Therefore the uniform distribution over a sphere is optimal for random codes. By this, we mean that it leads to the smallest amount of possible noise (when it is concentrated on a ball) to smooth a random code. Notice that we obtained this result after applying the chain of arguments Cauchy-Schwarz, Parseval and Poisson to bound the statistical distance.

About the original chain of arguments of Micciancio and Regev. It can be verified that by coming back to the original steps of [MR07, ADRS15], namely the Poisson summation formula and then the triangle inequality, we would obtain

By using that $a^{2}+b^{2}\leq(a+b)^{2}$ (when $a,b\geq 0$) we see that our bound (Proposition 3.3) is sharper. It turns out that our bound is exponentially sharper for random codes (and even in the worst case) when choosing $f$ as the uniform distribution over a sphere of radius $w$, namely $f=u_{w}$. In this case the Micciancio-Regev argument yields the following computation

To carefully estimate this upper-bound (and to compare with (8)) we are going to use the following proposition, which gives the asymptotic behaviour of $K_{w}$ (see for instance [IS98, DT17]).

We let,

In Figure 4 we compare the asymptotic values of $\omega_{0}$ and $\omega_{1}$ as functions of $R$. Notice that $\omega_{0}=\omega_{\textup{GV}}(R)$. We see that $\omega_{1}$ is undefined for a rate $R<1/2$. In other words, it is impossible to show that $\mathbb{E}_{\mathscr{C}}\left(\Delta(u,u_{w}^{\mathscr{C}})\right)\leq 2^{-\Omega(n)}$ with the standard approach of [MR07, ADRS15] when $R<1/2$. Furthermore, for larger rates (and sufficiently large $n$), $\omega_{0}$ is much smaller than $\omega_{1}$.

Bernoulli Distribution. Another natural distribution to consider when dealing with codes is the so-called “Bernoulli” distribution $f_{\textup{ber},p}$, which is defined for $p\in[0,1/2]$ as

This choice leads to simpler computations compared to the uniform distribution over a sphere. For instance we have $\widehat{f_{\textup{ber},p}}(\mathbf{x})=\frac{1}{2^{n}}(1-2p)^{|\mathbf{x}|}$. By plugging this in Equation (5) of Proposition 3.5 we obtain

Thus, if one wants to smooth a random code at target distance $2^{-\Omega(n)}$ with the Bernoulli distribution, the above argument says that one has to choose $p>p_{0}\stackrel{{\scriptstyle\text{def}}}{{=}}\frac{1}{2}\left(1-\sqrt{2^{R}-1}\right)$ where $R=k/n$. As $\mathbb{E}_{f_{\textup{ber},p}}(|\mathbf{x}|)=pn$, it is meaningful to compare $p_{0}$ and $\omega_{0}$. It is readily seen that $\omega_{0}=\omega_{\textup{GV}}(R)=h^{-1}(1-R)<\frac{1}{2}\left(1-\sqrt{2^{R}-1}\right)=p_{0}$. In other words, this time the upper-bound given by Proposition 3.5 does not give what would be optimal, namely the Gilbert-Varshamov relative distance $\omega_{\textup{GV}}(R)$, but a quantity which is bigger. However, it is expected that the average amount of noise to smooth a random code is the same in both cases, since a Bernoulli distribution of parameter $p$ is extremely concentrated over words of Hamming weight $pn$ and that therefore $\Delta(u,f_{\textup{ber},p}^{\mathscr{C}})\approx\Delta(u,u_{pn}^{\mathscr{C}})$. This suggests that Proposition 3.5 is not tight in this case. This is indeed the case, we can prove that we can smooth a random code with the Bernoulli noise as soon as $p>\omega_{\textup{GV}}(R)$. This follows from the following proposition.