M-SIS: Module Short Integer Solution

• M-SIS is the generalization of the SIS problem to module lattices over cyclotomic rings, providing a framework to construct symplectic lattices.
• It underpins a randomized, trapdoor-free algorithm that transforms M-SIS lattices into q-symplectic lattices for optimal Gottesman-Kitaev-Preskill (GKP) code design.
• Efficient FFT-based ring arithmetic and carefully chosen parameter regimes ensure near-linear decoding time and high-probability distance guarantees for robust error correction.

Module Short Integer Solution (M-SIS) is the generalization of the classical SIS (Short Integer Solution) problem to module lattices defined over cyclotomic integer rings. M-SIS forms the basis of efficient, randomized constructions of symplectic lattices, which in turn yield Gottesman-Kitaev-Preskill (GKP) quantum error-correcting codes achieving optimal asymptotic distance properties, without requiring trapdoors for efficient decoding. This approach underlies recent advances in lattice-based cryptography and the theory of symplectic lattices used for fault-tolerant quantum information processing (Blömer et al., 12 Sep 2025).

1. Formal Definition of the M-SIS Problem and Associated Lattice

The M-SIS problem is parameterized by:

• A cyclotomic ring $R = \mathbb{Z}[X]/(\Phi(X))$, where $\Phi(X) = X^n + 1$ for the main constructions,
• A finite ring $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$ for integer modulus $q$,
• Module rank $k \in \mathbb{N}$.

An M-SIS instance consists of a uniformly random matrix $H \in R_q^{k \times k}$ (often symmetric: $H^T = H$), with the objective to find a nonzero vector $z = (z_1, z_2) \in R^k \times R^k$ satisfying $H z_1 \equiv z_2 \pmod{qR}$ and $\|z\|$ (in the coefficient embedding $\Phi(X) = X^n + 1$0) "short," meaning $\Phi(X) = X^n + 1$1.

• M-SIS Lattice: For such $\Phi(X) = X^n + 1$2, the lattice is

$\Phi(X) = X^n + 1$3

Identified via the coefficient map $\Phi(X) = X^n + 1$4, $\Phi(X) = X^n + 1$5 is a full-rank lattice embedded in $\Phi(X) = X^n + 1$6.

• Explicit $\Phi(X) = X^n + 1$7-basis: The augmented matrix $\Phi(X) = X^n + 1$8 defines the lattice as the set of $\Phi(X) = X^n + 1$9 such that $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$0. By block-circulant lifting, the integer matrix $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$1 is built using the mapping of ring multiplications to $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$2 (negacyclic, circulant) matrices.

2. Randomized Symplectic Lattice Construction from M-SIS

A constructive algorithm, SYMP-FROM-M-SIS, transforms an M-SIS lattice $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$3 into a $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$4-symplectic lattice in $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$5 real dimensions, and thence (via scaling) into a $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$6-symplectic lattice appropriate for use as a GKP code lattice.

Let $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$7, and $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$8 be as above. The steps are:

1. Build the block-circulant matrix $R_q = (\mathbb{Z}/q\mathbb{Z})[X]/(\Phi(X))$9 from $q$0.
2. Form the integer block matrix:

$q$1

1. Define $q$2, with $q$3 (symmetrizing).
2. Compute $q$4, which is $q$5-symplectic: $q$6.
3. Set the symplectic-basis $q$7. The resulting symplectic lattice is $q$8.

All steps use only uniform sampling in $q$9 and ring/matrix arithmetic mod $k \in \mathbb{N}$0.

3. Minimal Distance and GKP Code Parameters

The minimal vector length $k \in \mathbb{N}$1 is analyzed to ensure robust error correction.

• Distance Guarantee: With high probability over random $k \in \mathbb{N}$2, for parameters $k \in \mathbb{N}$3 chosen appropriately,

$k \in \mathbb{N}$4

where $k \in \mathbb{N}$5 is the volume of the $k \in \mathbb{N}$6-dimensional unit ball.

A key technical argument bounds the probability that a short nonzero $k \in \mathbb{N}$7 lies in $k \in \mathbb{N}$8 by $k \in \mathbb{N}$9, where $H \in R_q^{k \times k}$0 depends on the support of $H \in R_q^{k \times k}$1's projections across ring-factor blocks. Volume arguments and union bounds then show that, for $H \in R_q^{k \times k}$2 at least polynomial in $H \in R_q^{k \times k}$3, the inclusion probability vanishes exponentially in $H \in R_q^{k \times k}$4, yielding high-probability optimal lattice distance.

• GKP Code Parameters: Given a symplectic lattice $H \in R_q^{k \times k}$5, a GKP code encoding $H \in R_q^{k \times k}$6 logical qubits has code distance $H \in R_q^{k \times k}$7. For scaled lattices $H \in R_q^{k \times k}$8, the distance obeys

$H \in R_q^{k \times k}$9

when encoding $H^T = H$0 qubits in $H^T = H$1 modes.

4. Efficient Bounded-Distance Decoding Algorithm

The decoding algorithm operates by Babai-style rounding in the coefficient embedding. For $H^T = H$2, and with symplectic lattice basis derived from $H^T = H$3, the algorithm proceeds:

1. For $H^T = H$4 to $H^T = H$5, set $H^T = H$6.
2. Compute $H^T = H$7.
3. Compute $H^T = H$8 (ring-multiplication in $H^T = H$9).
4. For $z = (z_1, z_2) \in R^k \times R^k$0 to $z = (z_1, z_2) \in R^k \times R^k$1, set $z = (z_1, z_2) \in R^k \times R^k$2.
5. Output $z = (z_1, z_2) \in R^k \times R^k$3.

For $z = (z_1, z_2) \in R^k \times R^k$4 within distance $z = (z_1, z_2) \in R^k \times R^k$5 of $z = (z_1, z_2) \in R^k \times R^k$6, the algorithm returns the closest lattice point. The naive computational cost is $z = (z_1, z_2) \in R^k \times R^k$7, as $z = (z_1, z_2) \in R^k \times R^k$8 multiplication dominates. For $z = (z_1, z_2) \in R^k \times R^k$9 with $H z_1 \equiv z_2 \pmod{qR}$0 power of 2, each ring-multiplication admits $H z_1 \equiv z_2 \pmod{qR}$1 via FFT, yielding overall decoding in $H z_1 \equiv z_2 \pmod{qR}$2: near-linear in the real dimension $H z_1 \equiv z_2 \pmod{qR}$3 when $H z_1 \equiv z_2 \pmod{qR}$4 is constant.

5. Parameter Regimes for Code Construction

Concrete regimes realize optimal or near-optimal GKP code distances with high probability:

• Case A ($H z_1 \equiv z_2 \pmod{qR}$5 power of 2, $H z_1 \equiv z_2 \pmod{qR}$6, $H z_1 \equiv z_2 \pmod{qR}$7):
  • If $H z_1 \equiv z_2 \pmod{qR}$8, then $H z_1 \equiv z_2 \pmod{qR}$9 with probability at least $\|z\|$0.
  • For $\|z\|$1, the guarantee strengthens: $\|z\|$2.
• Case B ($\|z\|$3, $\|z\|$4 odd primes, $\|z\|$5, $\|z\|$6 primitive-$\|z\|$7 root of $\|z\|$8):
  • If $\|z\|$9 and $\Phi(X) = X^n + 1$00: $\Phi(X) = X^n + 1$01.
  • If $\Phi(X) = X^n + 1$02 and $\Phi(X) = X^n + 1$03: $\Phi(X) = X^n + 1$04.
• Case C ($\Phi(X) = X^n + 1$05, $\Phi(X) = X^n + 1$06, $\Phi(X) = X^n + 1$07 prime): See (Blömer et al., 12 Sep 2025), Theorem 4.7 for analogous $\Phi(X) = X^n + 1$08-bounds.

Scaling yields $\Phi(X) = X^n + 1$09 GKP codes with distance as above. For $\Phi(X) = X^n + 1$10 (R-SIS case), decoding is $\Phi(X) = X^n + 1$11. For larger $\Phi(X) = X^n + 1$12, arbitrary $\Phi(X) = X^n + 1$13 is supported at $\Phi(X) = X^n + 1$14.

6. Applications and Significance

The M-SIS to symplectic lattice pipeline supplies the first efficient randomized construction of multi-mode GKP codes from standard lattice-cryptographic assumptions, using only uniform sampling without secret trapdoors.

Notably:

• The code distances match (up to constants) the information-theoretic optimum $\Phi(X) = X^n + 1$15.
• The decoding algorithm is both trapdoor-free and near-linear time, enabled for $\Phi(X) = X^n + 1$16 by efficient FFT-based ring arithmetic.
• Useful parameter regimes correspond to cases where $\Phi(X) = X^n + 1$17 splits into a small number of large factors over $\Phi(X) = X^n + 1$18 (e.g., $\Phi(X) = X^n + 1$19 a power of two).

A plausible implication is that such cryptographic-lattice-based constructions can serve as practical, scalable GKP code sources for extended quantum computation and error correction, bridging cryptography and quantum information (Blömer et al., 12 Sep 2025).