Exact Coset Sampling for Quantum Lattice Algorithms (2509.12341v2)

Abstract: We give a simple and provably correct replacement for the contested ``domain-extension'' in Step 9 of a recent windowed-QFT lattice algorithm with complex-Gaussian windows~\citep{chen2024quantum}. The published Step 9 suffers from a periodicity/support mismatch. Our drop-in subroutine uses a pair-shift difference to cancel all unknown offsets exactly and to synthesize a uniform cyclic subgroup (zero-offset coset) of order $P$ inside $(\mathbb{Z}_{M_2})^n$. A subsequent QFT enforces the intended modular linear relation. The sole structural assumption is the residue accessibility condition, which enables coherent auxiliary cleanup; no amplitude periodicity is used. The unitary is reversible, uses $\mathrm{poly}(\log M_2)$ gates, and preserves upstream asymptotics.

• The paper presents an exact coset sampling method that overcomes periodicity mismatches in quantum lattice algorithms through a reversible procedure.
• It employs a coherent copy, pair-shift difference, and QFT to enforce a uniform modular relation and cancel unknown offsets efficiently.
• The method achieves efficiency with O(n·poly(log M2)) gates and robustly meets residue accessibility conditions for practical quantum circuit implementation.

Exact Coset Sampling for Quantum Lattice Algorithms

Overview and Motivation

This work addresses a critical subroutine in quantum algorithms for lattice problems, specifically the "domain-extension" step in windowed-QFT lattice algorithms with complex-Gaussian windows. The original approach, as presented in [chen2024quantum], suffers from a periodicity/support mismatch, leading to incorrect support size and failure to enforce the intended modular linear relation. The paper introduces an exact, reversible coset sampling method that synthesizes a uniform cyclic subgroup (zero-offset coset) of order $P$ inside $(\mathbb{Z}_{M_2})^n$, circumventing the pitfalls of amplitude periodicity and offset dependence. The construction is efficient, requiring only $\mathrm{poly}(\log M_2)$ gates, and is robust to unknown offsets.

Technical Contributions

Problem Setting

Let $D, p_1, \dots, p_\kappa$ be odd, pairwise coprime integers, and define $P = \prod_{\eta=1}^\kappa p_\eta$, $M_2 = D^2 P$. The quantum state prior to the contested step is

$$\ket{\phi_{8}.f} = \sum_{j \in \mathbb{Z}} \alpha(j) \ket{2D^2j\,b_1^* \mid 2D^2j\,\bm{b}_{[2..n]}^* + \bm{v}_{[2..n]}^* \bmod M_2}$$

where $\alpha(j)$ is a quadratic phase, $\bm{b}^*$ is a vector of known structure, and $\bm{v}^*$ is an unknown offset vector. The goal is to sample a random vector $\bm{u} \in \mathbb{Z}_{M_2}^n$ satisfying the modular linear relation

$\bm{b}^* \cdot \bm{u} \equiv 0 \pmod{P}$

which is essential for recovering hidden data via linear algebra.

Pair-Shift Difference Subroutine

The proposed replacement for the domain-extension step consists of the following:

1. Coherent Copy: Copy the coordinate registers into an auxiliary block using modular addition (CNOTs), which is reversible and does not violate the no-cloning theorem.
2. Pair-Evaluation Shift: Prepare a uniform superposition over $T \in \mathbb{Z}_P$ and shift the auxiliary registers by $2D^2 T \bm{b}^*$ using the same reversible state-preparation circuit. This step does not require classical knowledge of $\bm{b}^*$ or $\bm{v}^*$.
3. Difference and Offset Cancellation: Compute the difference $\mathbf{Z} = \mathbf{X} - \mathbf{Y} \pmod{M_2}$, which yields $-2D^2 T \bm{b}^*$, exactly canceling the unknown offsets.
4. Auxiliary Cleanup: Under the residue accessibility condition (for each $p_\eta$, some coordinate of $\bm{b}^*$ is a unit mod $p_\eta$), $T$ can be computed from $\mathbf{Z} \bmod P$ and erased coherently. This ensures the formation of a uniform coset superposition on $\mathbf{Z}$.
5. Fourier Sampling: Apply $\mathrm{QFT}_{\mathbb{Z}_{M_2}^{\otimes n}}$ to $\mathbf{Z}$ and measure $\bm{u}$. The outcome is uniformly distributed over the set of solutions to $\bm{b}^* \cdot \bm{u} \equiv 0 \pmod{P}$.

Correctness and Uniformity

The construction leverages character orthogonality on the uniform coset. The amplitude for any $\bm{u}$ after QFT is nonzero if and only if $\bm{b}^* \cdot \bm{u} \equiv 0 \pmod{P}$, and the distribution is exactly uniform over this set. The support size is $M_2^n / P$, matching the intended fiber in the CRT decomposition. The method is robust to unknown offsets and does not rely on amplitude periodicity or phase flattening.

Implementation Details

• Gate Complexity: All steps are implementable with $O(n\,\mathrm{poly}(\log M_2))$ gates. Modular arithmetic, copying, and QFT are standard primitives in quantum circuits.
• Residue Accessibility: The residue accessibility condition is operationally necessary for coherent cleanup. It holds with overwhelming probability for random lattice instances and can be enforced by coordinate permutation.
• No Classical Knowledge Required: The default path requires no classical knowledge of $\bm{b}^*$ or $\bm{v}^*$; all necessary inverses and CRT recombinations are computed reversibly on the fly.
• Variants: If residue accessibility fails for some prime, the method can be adapted by restricting to accessible primes or by changing basis to restore accessibility.

Pseudocode Skeleton

def exact_coset_sampling(X_reg, n, D, p_list, b_star, v_star): # X_reg: n quantum registers in state |X(j)> # D, p_list: modulus parameters # b_star: structure vector (quantum or classical) # v_star: offset vector (unknown) P = prod(p_list) M2 = D**2 * P # Step 1: Copy X_reg to Y_reg Y_reg = copy_registers(X_reg) # Step 2: Prepare uniform superposition over T in Z_P T_reg = uniform_superposition(P) # Step 3: Shift Y_reg by 2D^2 T b_star using reversible evaluator Y_reg = shift_registers(Y_reg, T_reg, D, b_star, M2) # Step 4: Compute Z_reg = X_reg - Y_reg mod M2 Z_reg = subtract_registers(X_reg, Y_reg, M2) # Step 5: Cleanup T using residue accessibility and CRT T_prime = recover_T_from_Z(Z_reg, D, b_star, p_list, M2) Y_reg = unshift_registers(Y_reg, T_prime, D, b_star, M2) clear_registers(Y_reg, T_prime) # Step 6: Apply QFT and measure u u = QFT_and_measure(Z_reg, M2, n) return u

Theoretical and Practical Implications

Theoretical Impact

The construction provides a rigorous, group-theoretic solution to coset sampling in quantum lattice algorithms, ensuring exact support and uniformity. It clarifies the role of CRT cosets and character orthogonality in quantum sampling, and demonstrates the necessity of residue accessibility for coherent interference. The method avoids reliance on amplitude periodicity, which is often fragile and error-prone in quantum algorithms.

Practical Relevance

The subroutine is directly applicable to quantum algorithms for lattice problems, including those relevant to cryptanalysis and post-quantum cryptography. Its efficiency and robustness to unknown offsets make it suitable for practical quantum circuit implementations. The pattern of pair-shift difference and coset synthesis is likely to be broadly useful in other quantum algorithms where offset cancellation and modular relations are required.

Future Directions

Potential future developments include:

• Generalization to other group structures and higher-dimensional coset sampling.
• Integration into full quantum lattice reduction pipelines and cryptanalytic attacks.
• Exploration of alternative cleanup strategies for cases where residue accessibility fails.
• Optimization of gate complexity and resource usage for near-term quantum devices.

Conclusion

The paper presents an exact, efficient, and robust coset sampling subroutine for quantum lattice algorithms, resolving a key technical issue in windowed-QFT pipelines. The method synthesizes a uniform cyclic coset, cancels unknown offsets, and enforces the intended modular linear relation via character orthogonality, all without reliance on amplitude periodicity or classical knowledge of offsets. The construction is theoretically sound, practically implementable, and broadly applicable to quantum algorithms for lattice problems.