On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial

Antonio J. Di Scala; Carlo Sanna; Edoardo Signorini

doi:10.1515/jmc-2020-0009

Open Access Published by De Gruyter November 25, 2020

On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial

Antonio J. Di Scala , Carlo Sanna and Edoardo Signorini

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2020-0009

Abstract

Recently, Blanco-Chacón proved the equivalence between the Ring Learning With Errors and Polynomial Learning With Errors problems for some families of cyclotomic number fields by giving some upper bounds for the condition number Cond(V_n) of the Vandermonde matrix V_n associated to the nth cyclotomic polynomial. We prove some results on the singular values of V_n and, in particular, we determine Cond(V_n) for n = 2^kp^ℓ, where k, ℓ ≥ 0 are integers and p is an odd prime number.

Keywords: cyclotomic polynomial; Vandermonde matrix; condition number; RLWE; PLWE

MSC 2010: Primary: 11C99; Secondary: 15A12, 15B05

1 Introduction

Ring Learning With Errors (RLWE) was introduced by Lyubashevsky, Peikert, and Regev [1] in order to speed up cryptographic constructions based on the Learning With Errors problem [2]. Before RLWE, Stehlé, Steinfeld, Tanaka, and Xagawa [3] introduced what is now known as Polynomial Ring Learning With Errors (PLWE). The equivalence between RLWE and PLWE is studied and proved for certain families of polynomials [4, 5]. Let K = ℚ(α) be a number field of degree m and let 𝒪_K be its ring of integers. The definition of short elements in K plays an essential role in RLWE and PLWE. This geometric notion derives from an appropriate choice of a norm on K by embedding the number field in a vector space. On the one hand, RLWE makes use of the canonical embedding σ, which maps each x ∈ 𝒪_K to (σ₁(x), . . . , σ_m(x)), where σ₁, . . . , σ_m are the injective homomorphisms from K to ℂ. On the other hand, PLWE uses the coefficient embedding, which maps each x ∈ 𝒪_K to the vector (x₀, . . . , x_m₋₁) ∈ ℤ^m of its coefficients with respect to the power basis 1, α, . . . , α^m⁻¹. As a linear map, the canonical embedding σ admits a matrix representation V ∈ ℂ^m^×m; so that, for each x ∈ 𝒪_K, we have σ(x) = V · (x₀, . . . , x_m₋₁)^|. For the equivalence between RLWE and PLWE, it is important to determine when, whether ‖x‖ is small, then so is ‖σ(x)‖, and vice versa. This notion is quantified by V having a small condition number Cond(V):=‖V‖‖ V−1 ‖,where ‖V‖:=Tr(V⋆V) is the Frobenius norm of V and V^* is the conjugate transpose of V.

When K is the nth cyclotomic number field, V = V_n is the Vandermonde matrix associated with the nth cyclotomic polynomial, that is,

Vn:=(1ζ1ζ12⋯ζ1m−11ζ2ζ22⋯ζ2m−11ζ3ζ32⋯ζ3m−1⋮⋮⋮⋱⋮1ζmζm2⋯ζmm−1),

where ζ₁, . . . , ζ_m are the primitive nth roots of unity, and m = φ(n) is the Euler’s totient function of n.

Recently, Blanco-Chacón [4] gave some upper bounds for the condition number of V_n, proving the equivalence between the RLWE and PLWE problems for some infinite families of cyclotomic number fields.

Our first result is the following.

Theorem 1.1

For every positive integer n, we have

Cond(Vn)=nrad(n)Cond(Vrad(n)),

where rad(n) denotes the product of all prime factors of n.

Our second result is a formula for the condition number of V_n when n is a prime power or a power of 2 times an odd prime power.

Theorem 1.2

If n = p^k, where k is a positive integer and p is a prime number, or if n = 2^kp^ℓ, where k, ℓ are positive integers and p is an odd prime number, then

Cond(Vn)=φ(n)2(1−1p).

In particular, Theorem 1.2 improves the upper bound Cond(V_n) ≤ 4(p −1)φ(n) given by Blanco-Chacón in the case in which n = p^k is a prime power [4, Theorem 4.1].

Our proofs of Theorems 1.1 and 1.2 are based on the study of the Gram matrix Gn:=Vn⋆Vn. Regarding that, we give also the following result.

Theorem 1.3

For every positive integer n, the matrix nGn−1 has integer entries.

From a number-theoretic point of view, it might be of some interest trying to describe the entries of nGn−1 explicitely, or at least understand the integer sequence Tr(nGn−1)n≥1 (which is related to Cond(V_n) by (3) below).

2 Proofs

For every positive integer n, the Ramanujan’s sums modulo n are defined by

cn(t):=∑i=1mζit,

for all integers t. It is easy to check that c_n(·) is an even periodic function with period n. Moreover, the following formula holds [6, Theorem 272]

(1) cn(t)=μ(n(n,t))φ(n)φ(n(n,t)),

where μ is the Möbius function and (n, t) denotes the greatest common divisor of n and t.

Let Gn:=Vn⋆Vn be the Gram matrix of V_n. By the previous considerations, we have

(2) Gn=(cn(0)cn(1)cn(2)⋯cn(m−1)cn(1)cn(0)cn(1)⋯cn(m−2)cn(2)cn(1)cn(0)⋯cn(m−3)⋮⋮⋮⋱⋮cn(m−1)cn(m−2)cn(m−3)⋯cn(0))=(cn(i−j))1≤i,j≤m .

In particular, G_n is a symmetric Toeplitz matrix with integer entries.

Let λ₁, . . . , λ_s be the distinct eigenvalues of G_n, which are real and positive, since G_n is the Gram matrix of an invertible matrix, and let μ₁, . . . , μ_s be their respective multiplicities. We have

(3) Cond(Vn)=‖ Vn ‖‖ Vn−1 ‖=mTr(Gn−1)=m∑i=1sμiλi.

Therefore, the study of Cond(V_n) is equivalent to the study of the eigenvalues of G_n.

The next lemma relates the characteristic polynomials of G_n and G_rad(n).

Lemma 2.1

For every positive integer n, we have

det(Gn−xIdm)=hmdet(Gn′−xhIdm′)h,

where n′ := rad(n), m′ := φ(n′), and h := n/n′.

Proof

We know from(2) that G_n = (c_n(i−j))_0≤i,j<m, where we shifted the indices i, j to the interval [0, m) since this does not change the differences i − j and simplifies the next arguments. Write the integers i, j ∈ [0, m) in the form i = hi′ + i′′ and j = hj′ + j′′, where i′ , j′ ∈ [0, m′) and i′′ , j′′ ∈ [0, h) are integers. By (1) we have that c_n(i − j) ≠ 0 if and only if h divides i − j (otherwise, n/(n, i − j) is not squarefree), which in turn happens if and only if i′′ = j′′. In such a case, we have (n, i − j) = h(n′ , i′ − j′) and, again by (1), it follows that

cn(i−j)=μ(n(n,i−j))φ(n)φ(n(n,i−j))=μ(n′(n′,i′−j′))hφ(n′)φ(n′(n′,i′−j′))=hcn′(i′−j′).

Therefore, we have found that G_n consists of m′ × m′ diagonal blocks of sizes h × h. Precisely,

Gn=h(cn′(i′−j′)Idh)0≤i′,j′<m′=hGn′⊗Idh,

where ⊗ denotes the Kronecker product. Consequently, the characteristic polynomial of G_n is

det(Gn−xIdm)=hmdet(Gn′⊗Idh−xhIdm) =hmdet((Gn′−xhIdm′)⊗Idh) =hmdet(Gn′−xhIdm′)h,

as claimed. □

Now we are ready to prove the first result.

2.1 Proof of Theorem 1.1

Let n′ := rad(n), m′ := φ(n′), and h := n/n′. Furthermore, let λ1′,…,λs′′ be the distinct eigenvalues of G_n′ , with respective multiplicities μ1′,…,μs′′. It follows from Lemma 2.1 that s′ = s and that the eigenvalues of G_n are hλ1′,…,hλs′, with respective multiplicities hμ1′,…,hμs′. Hence, (3) yields

Cond (Vn)=m∑i=1sμiλi=m∑i=1sμi′λi′=mm′Cond(Vn′)=nn′Cond(Vn′),

as claimed. □

We need a couple of preliminary lemmas to the proof of Theorem 1.2.

Lemma 2.2

For every odd positive integer n, the matrices G_2n and G_n have the same eigenvalues (with the same multiplicities).

Proof

It is known [6, Theorem 67] that Ramanujan’s sums are multiplicative functions respect to their moduli, that is, c_ab(t) = c_a(t) c_b(t) for all coprime positive integers a, b. Moreover, it is easy to check that c₂(t) = (−1)^t. Thus, (2) gives

G2n=(c2n(i−j))1≤i,j≤m=((−1)i−jcn(i−j))1≤i,j≤m=J−1GnJ,

where J is the m × m matrix alternating +1 and −1 on its diagonal and having zeros in all the other entries. Therefore, G_n and G_2n are similar and consequently they have the same eigenvalues. □

Lemma 2.3

Given two complex numbers a and b, the determinant of the k × k matrix

(abb⋯bbab⋯bbba⋯b⋮⋮⋮⋱⋮bbb⋯a)

is equal to (a − b)^k⁻¹(a + (k − 1)b).

Proof

Subtracting the last row from all the other rows, and then adding to the last column all the other columns, the matrix becomes

(a−b0⋯000a−b⋯00⋮⋮⋱⋮⋮000a−b0bbbba+b(k−1)).

Laplace expansion along the last column gives the desired result. □

2.2 Proof of Theorem 1.2

First, let us consider n = p^k, where k is a positive integer and p is a prime number. It follows from (1) that c_p(t) = p − 1 if p divides t, while c_p(t) = −1 otherwise. Hence, using Lemma 2.3, we have

det G p − x Id p − 1 = p − 1 − x − 1 ⋯ − 1 − 1 p − 1 − x ⋯ − 1 ⋮ ⋮ ⋱ ⋮ − 1 − 1 ⋯ p − 1 − x = ( p − x ) p − 2 ( 1 − x ) ,

so that the eigenvalues of G_p are p and 1, with respective multiplicities p − 2 and 1.

As a consequence, (3) gives

(4) Cond(Vp)=(p−1)2(1−1p),

and, thanks to Theorem 1.1, we obtain

Cond(Vpk)=pk−1Cond(Vp)=pk−1(p−1)2(1−1p)=φ(n)2(1−1p),

as claimed.

Now assume that n = 2^kp^ℓ, where k, ℓ are positive integers and p is an odd prime number. From Lemma 2.2 and (3) it follows at once that Cond(V_2p) = Cond(V_p). Hence, Theorem 1.1 and (4) yield

Cond V 2 k p ℓ = 2 k − 1 p ℓ − 1 Cond V 2 p = 2 k − 1 p ℓ − 1 ( p − 1 ) 2 1 − 1 p = φ ( n ) 2 1 − 1 p ,

as claimed. □

The next lemma is the well known orthogonality relation between the roots of unity.

Lemma 2.4

We have

∑ ℓ = 1 n ζ k ζ ¯ h ℓ = n i f k = h , 0 i f k ≠ h ,

for k, h = 1, . . . , m.

2.3 Proof of Theorem 1.3

Let Vn−1=(wi,j)1≤i,j≤m and define

Si, ℓ :=∑k=1mwi,kζk ℓ ,

for all integers i, ℓ with 1 ≤ i ≤ m and ℓ ≥ 0. On the one hand, since Vn−1Vn=Idm, for ℓ < m we have that S_i,ℓ = δ_i,ℓ₊₁ (Kronecker delta). On the other hand, since ζ₁, . . . , ζ_k are conjugate algebraic integers with minimal polynomial of degree m, for ℓ ≥ m there exist integers b₀, . . . , b_m₋₁ such that ζkℓ=b0+b1ζk+⋯+bm−1ζkm−1 for k = 1, . . . , m, and consequently Si,ℓ=b0Si,0+b1Si,1+⋯+bm−1Si,m−1. Hence, S_i,ℓ is always an integer.

Recalling that Gn=Vn⋆Vn, we have Gn−1=Vn−1(Vn−1)⋆. Hence, also *using Lemma 2.4, the (i, j) entry of nGn−1 is equal to

n∑k=1mwi,kwj,k¯=∑k=1m∑h=1mwi,kwj,h¯∑ℓ=1n(ζkζ¯h)ℓ=∑ℓ=1n(∑k=1mwi,kζkℓ)(∑h=1mwj,hζhℓ)¯=∑ℓ=1nSi,ℓSj,ℓ,

which is an integer. □

Acknowledgement

A. J. Di Scala and C. Sanna are members of GNSAGA of INdAM and of CrypTO, the group of Cryptography and Number Theory of Politecnico di Torino. A. J. Di Scala is a member of DISMA Dipartimento di Eccellenza MIUR 2018-2022. E. Signorini is a cryptographer at Telsy S.p.A.

References

[1] V. Lyubashevsky, C. Peikert, and O. Regev, On ideal lattices and learning with errors over rings, Advances in cryptology—EUROCRYPT 2010, Lecture Notes in Comput. Sci., vol. 6110, Springer, Berlin, 2010, pp. 1–23.Search in Google Scholar

[2] O. Regev, On lattices, learning with errors, random linear codes, and cryptography, J. ACM 56 (2009), no. 6, Art. 34, 40.10.1145/1060590.1060603Search in Google Scholar

[3] D. Stehlé, R. Steinfeld, K. Tanaka, and K. Xagawa, Efficient public key encryption based on ideal lattices (extended abstract), Advances in cryptology—ASIACRYPT 2009, Lecture Notes in Comput. Sci., vol. 5912, Springer, Berlin, 2009, pp. 617–635.Search in Google Scholar

[4] I. Blanco-Chacón, On the RLWE/PLWE equivalence for cyclotomic number fields, Appl. Algebra Engrg. Comm. Comput. (accepted).10.1007/s00200-020-00433-zSearch in Google Scholar

[5] M. Rosca, D. Stehlé, and A. Wallet, On the ring-LWE and polynomial-LWE problems, Advances in cryptology—EUROCRYPT 2018. Part I, Lecture Notes in Comput. Sci., vol. 10820, Springer, Cham, 2018, pp. 146–173.Search in Google Scholar

[6] G. H. Hardy and E. M. Wright, An introduction to the theory of numbers, sixth ed., Oxford University Press, Oxford, 2008, Revised by D. R. Heath-Brown and J. H. Silverman, With a foreword by Andrew Wiles.Search in Google Scholar

Received: 2020-03-01

Accepted: 2020-05-06

Published Online: 2020-11-25

This work is licensed under the Creative Commons Attribution 4.0 International License.

On the condition number of the Vandermonde matrix of the nth cyclotomic polynomial

Abstract

1 Introduction

Theorem 1.1

Theorem 1.2

Theorem 1.3

2 Proofs

Lemma 2.1

Proof

2.1 Proof of Theorem 1.1

Lemma 2.2

Proof

Lemma 2.3

Proof

2.2 Proof of Theorem 1.2

Lemma 2.4

2.3 Proof of Theorem 1.3

Acknowledgement

References

Journal and Issue

Articles in the same Issue