Quantum Algorithms for Lattice Problems

Yilei Chen∗

April 10, 2024

Abstract

We show a polynomial time quantum algorithm for solving the learning with errors problem
(LWE) with certain polynomial modulus-noise ratios. Combining with the reductions from lattice
problems to LWE shown by Regev [J.ACM 2009], we obtain polynomial time quantum algorithms
for solving the decisional shortest vector problem (GapSVP) and the shortest independent vector
problem (SIVP) for all n-dimensional lattices within approximation factors of Ω̃(n4.5 ). Previously,
no polynomial or even subexponential time quantum algorithms were known for solving GapSVP or
SIVP for all lattices within any polynomial approximation factors.
To develop a quantum algorithm for solving LWE, we mainly introduce two new techniques. First,
we introduce Gaussian functions with complex variances in the design of quantum algorithms. In
particular, we exploit the feature of the Karst wave in the discrete Fourier transform of complex
Gaussian functions. Second, we use windowed quantum Fourier transform with complex Gaussian
windows, which allows us to combine the information from both time and frequency domains. Using
those techniques, we first convert the LWE instance into quantum states with purely imaginary
Gaussian amplitudes, then convert purely imaginary Gaussian states into classical linear equations
over the LWE secret and error terms, and finally solve the linear system of equations using Gaussian
elimination. This gives a polynomial time quantum algorithm for solving LWE.

∗
IIIS, Tsinghua University, Shanghai Artificial Intelligence Laboratory, and Shanghai Qi Zhi Institute. Emails:
chenyilei@mail.tsinghua.edu.cn. chenyilei.ra@gmail.com. Supported by Tsinghua University startup funding.

1
Contents
1 Introduction 1
1.1 Main results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Main techniques: Gaussian functions with complex variances . . . . . . . . . . . . . . . . . . . . . 3
1.3 Overview of our algorithm for solving LWE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2 Preliminary 8
2.1 Lattices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 Quantum computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3 Main Theorem: Quantum Algorithm for Solving LWE 14

3.1 LWE with a few known secret coordinates is as hard as standard LWE . . . . . . . . . . . . . . . . 15
3.2 Convert LWE into a special q-ary lattice with a unique shortest vector . . . . . . . . . . . . . . . . 17
3.3 Parameter selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.4 Detailed overview of the main quantum algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.5 The main quantum subroutine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.5.1 Step 1: Prepare a superposition over L ∩ ZnDq and apply a complex Gaussian window . . . 22
3.5.2 Step 2: Apply QFTZnP on |φ1 ⟩ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.5.3 Step 3: Apply a complex Gaussian window on |φ2 ⟩, get |φ3 ⟩ and z′ . . . . . . . . . . . . . . 24
3.5.4 Step 4: Apply QFTZnP on |φ3 ⟩ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.5.5 Step 5: Split |φ4 ⟩ into higher and lower order bits |h′ ⟩ |h′′ ⟩, then measure |h′′ ⟩ . . . . . . . 26
3.5.6 Step 6: Apply QFTZnM on |φ5 ⟩ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.5.7 Step 7: Extract the centers of |φ6 ⟩ to get a purely imaginary Gaussian state |φ7 ⟩ . . . . . . 28
3.5.8 Step 8: Extract v1′ mod D2 p1 and keep |φ8 ⟩ = |φ7 ⟩ . . . . . . . . . . . . . . . . . . . . . . . 31
3.5.9 Step 9: Extract a linear equation over the secret from v1′ mod D2 p1 and |φ8 ⟩ . . . . . . . . 33
3.6 Detailed proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.6.1 Proof of Lemma 3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.6.2 Detailed proofs in Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.6.3 Detailed proofs in Step 5: the distribution of h∗ . . . . . . . . . . . . . . . . . . . . . . . . 44
3.6.4 Detailed proofs in Step 6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.7 Additional discussions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.7.1 Additional observations from Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

2
1 Introduction

An n-dimensional lattice L is a discrete additive subgroup of Rn . Given n linearly independent basis

vectors B = {b1 , ..., bn ∈ Rn }, the lattice generated by B is
( n )
X
L(B) = L(b1 , ..., bn ) = xi · bi , xi ∈ Z .
i=1

In this article we measure the length of a vector in the ℓ2 norm by default. The minimum distance λ1 (L)
of a lattice L is the length of its shortest non-zero vector: λ1 (L) = minx∈L\{0} ∥x∥. The ith successive
minimum λi (L) is the smallest number r such that L contains i linearly independent vectors of norm
at most r.
The shortest vector problem (SVP) asks to find a lattice vector of length λ1 . More generally, let γ(n) ≥ 1
be an approximation factor, we consider the approximation version of SVP and its close variants.
Definition 1.1 (Approximate SVP). Given a basis B of an n-dimensional lattice L, the SVPγ problem
asks to output a non-zero lattice vector Bx, x ∈ Zn \ {0}, such that ∥Bx∥ ≤ γ(n) · λ1 (L).
Definition 1.2 (GapSVP). Given a basis B of an n-dimensional lattice L and a number d > 0, the
GapSVPγ problem asks to decide whether λ1 (L) ≤ d or λ1 (L) > d · γ(n).
Definition 1.3 (Shortest independent vector problem (SIVP)). Given a basis B of an n-dimensional
lattice L, the SIVPγ problem asks to output a set of n linearly independent vectors of length at most
γ(n) · λn (L).

The celebrated LLL algorithm [LLL82] solves SVP with 2O(n) approximation in poly(n)   time. The 
approximation factor achieved by polynomial time algorithms has been reduced to exp O n log log n
log n ,
which is slightly subexponential [Sch87, AKS01]. For the problem of finding the exact shortest non-
zero vector, algorithms have been improved over the years [Kan87, AKS01, NV08, MV13, ADRS15]
and the best running time is in 2O(n) . A trade-off between the running time and the approximation
c 1−c
factor is given by Schnorr [Sch87], giving roughly 2Õ(n ) time algorithms for solving SVP with 2Õ(n )
approximation, for c ∈ (0, 1). Those are the best asymptotic parameters (without concerning the
constant multiplicative factors in the exponent) for SVPγ and GapSVPγ achieved to date for both
classical and quantum algorithms for general lattices.
Even though the best polynomial time algorithms for SVP achieve only exponential approximation
factors, the capability of finding short vectors of lattices has led to breakthroughs in computation
and number theory, given algorithms for factoring polynomials over Q and diophantine approxima-
tion [LLL82], integer programming [Len83], solving the low-density subset sum problem [Bri84, LO85],
giving approximate solutions for the closest vector problem [Bab86], the first disproof of the Mertens
conjecture [OtR85], and solving various problems in cryptography, e.g., [Sha82, Cop97, NS99].

Lattice and LWE. In the literature, solving short vector problems with polynomial approximation
factors for all lattices has been classically reduced to the short integer solution (SIS) problem by
Ajtai [Ajt96], and quantumly reduced to the dihedral coset problem (DCP, with some caveats) and the
learning with errors problem (LWE) by Regev [Reg04, Reg09]. In this article we focus on the LWE
problem, which essentially asks to learn a secret vector given many noisy linear samples.

1
Definition 1.4 (Learning with errors (LWE) [Reg09]). Let n, m, q be positive integers. Let s ∈ Znq be
a secret vector where each entry is sampled from some distribution DistS. The search LWE problem
LWEn,m,q,DistS,DistE asks to find the secret s given access to an oracle that outputs ai , ⟨s, ai ⟩+ei (mod q)
on its ith query, for i = 1, ..., m. Here each ai is a uniformly random vector in Znq , and each error term
ei is sampled from DistE over Zq .
The decisional LWE problem DLWEn,m,q,DistS,DistE asks to distinguish whether we are given samples
(A, y) ∈ Zn×m
q × Zm
q from the LWE distribution, i.e., A ← U (Zq
n×m ), y = AT s + e ∈ Zm where
q
s ← DistS n , e ← DistE m ; or from the uniformly random distribution over Zqn×m × Zm
q .

Typically, the secret is sampled from the uniform random distribution over Znq , the error is sampled from
√
the discrete Gaussian distribution over Z with standard deviation αq/ 2π for some α ∈ (0, 1), denoted
by DZ,αq . The search and decisional LWE problems are proven to be equivalent for polynomially large
prime moduli [Reg09] and polynomially-smooth moduli [MM11, MP12].
Regev [Reg09] and Peikert, Regev, Stephens-Davidowitz [PRS17] show that to construct an efficient
quantum algorithm for approximate SVP for all lattices, it suffices to construct an efficient quantum
algorithm for solving the search or decisional version of LWE.
√
Lemma 1.5 ([Reg09], [PRS17]). Let n, m, q ∈ N+ , α ∈ (0, 1) satisfy m ≥ Ω(n log q), αq ≥ 2 n. If
there is a poly(n) time algorithm that solves LWEn,m,q,U (Zq ),DZ,αq or DLWEn,m,q,U (Zq ),DZ,αq , then there is
a poly(n) time quantum algorithm that solves SIVPγ and GapSVPγ for all lattices for γ ∈ Õ(n/α).

However, no efficient classical or quantum algorithms have been proposed for solving LWE.
Hard lattice problems (in particular, LWE) are extremely useful in building advanced encryption
schemes such as fully homomorphic encryptions for classical [Gen09, BV11] and quantum computa-
tions [Mah18]. LWE and lattice problems in general (e.g. [HPS98, Reg09]) are also popular can-
didates for the NIST post-quantum cryptography standardization due to their conjectured hardness
against quantum computers. Part of the reasons behind the conjectured quantum hardness of lat-
tice problems is: the existing quantum techniques with (sub)exponential advantages, such as period
finding [Sim97, Sho99], quantum walk [CCD+ 03], Kuperberg’s sieve [Kup05], and others (see more in
https://quantumalgorithmzoo.org/), do not seem to help in creating quantum algorithms for SVP
for general lattices with super-polynomial speedups.
Let us remark that efficient quantum algorithms for finding short vectors for special lattices used in
number theory have been proposed in [EHKS14, BS16, CDPR16]. Recently a quantum filtering tech-
nique was proposed for solving certain variants of SIS and LWE [CLZ22] where no classical algorithm
is known. However, those variants are not known to be as hard as solving approximate SVP for all
lattices. Overall, those quantum algorithms show interesting ideas of tackling (variants of) lattice prob-
lems from different angles. Nevertheless, showing a polynomial (or even subexponential) time quantum
algorithm for SVP with polynomial approximation factors for all lattices remains widely open, and
seems to require dramatically new ideas.

1.1 Main results

We provide a polynomial time quantum algorithm for solving LWE with certain polynomial modulus-
noise ratio.

2
Theorem 1.6 (Theorem 3.1). Let n, m, q ∈ N, α ∈ (0, 1) be such that m ≥ Ω(n log q), q ∈ Ω̃((αq)4 m2 ).
There is a quantum algorithm that solves LWEn,m,q,U (Zq ),DZ,αq in time poly(m, log q, αq).

To get the best approximation factor for solving worst-case lattice problems, we set q ∈ Õ(n4 ), m ∈
Ω(n log q), α ∈ Õ(n−3.5 ). Then, as a corollary of Theorem 1.6 and Lemma 1.5:
Corollary 1.7. There exist poly(n) time quantum algorithms that solve SIVPγ and GapSVPγ for all
n-dimensional lattices for γ ∈ Õ(n4.5 ).

Let us remark that the modulus-noise ratio achieved by our quantum algorithm is still too large to break
the public-key encryption schemes based on (Ring)LWE used in practice. In particular, we have not
broken the NIST PQC standardization candidates. For example, for CRYSTALS-Kyber [BDK+ 18], the
error term is chosen from a small constant range, the modulus is q = 3329, the dimension is n = 256 · k
where k ∈ {3, 4, 5}, so we can think of q as being almost linear in n. For our algorithm, if we set
αq ∈ O(1), then our algorithm applies when q ∈ Ω̃(n2 ), so we are not able to break CRYSTALS-Kyber
yet. We leave the task of improving the approximation factor of our quantum algorithm to future work.

1.2 Main techniques: Gaussian functions with complex variances

Our algorithm uses Gaussian functions with complex variances. Let a, b ∈ R such that a > 0, the
complex Gaussian function and its Fourier transform are [Smi11]:
x2 (a − bi)x2 √
   
, ĝ(y) = a + bi · exp −π(a + bi)y 2 .


g(x) = exp −π = exp −π 2 2
(1)
a + bi a +b

Complex Gaussian function has been used in other areas in mathematics and engineering, as diverse
as analytic number theory [Tit51] and signal analysis [Pap77]. In signal analysis, it is an example of
“sophisticated signals”, which refers to signals where the product of time
q and frequency duration can be
2 2
infinitely large [Pap77, P.275]. Indeed, here the width of g is roughly a +b a , the width of ĝ is roughly
q
1
a , so their product tends to infinity when |b| goes to infinity. There are other interesting properties
and applications of complex Gaussians. However, to the best of our knowledge, we are not aware of any
previous use of complex Gaussian in designing quantum algorithms.
Let r, s > 0, let fr,s (x) := exp −π r12 + si2 x2 . Intuitively, when s ≫ r, fr,s is close to the Gaussian

function with real variance; when s gets smaller, the continuous Fourier transform of fr,s gets wider.
We will crucially use three features of complex Gaussians. First, we can efficiently create a quantum
P √
state with complex Gaussian amplitude |ϕ⟩ := x∈Z P
fr,s (x) |x⟩, where P ≥ r n. To create |ϕ⟩,
 
P x2
we first create a Gaussian state x∈ZP exp −π r2 |x⟩ by the well-known algorithm of Grover and
Rudolph [GR02], then use the phase kickback trick [CEMM98] to insert the phase term as follows:
x2 x2
X −π x2 X −π x2  X −π x2 −πi x2  X −π 1 + i x2
e r 2 |x⟩ 7→ e r 2 |x⟩ 2 7→ e r 2 e s 2 |x⟩ 2 7→ e r2 s2 |x⟩ = |ϕ⟩ .
s s
x∈ZP x∈ZP x∈ZP x∈ZP

The second feature is that the center and phase of a complex Gaussian can be switched to each other,
denoted as “center = phase”. This is most easily seen from the purely imaginary Gaussian, namely, for
(x−c)2 x2 cx c2
f∞,s (x) = e−πi s2 = e−πi s2 e2πi s2 e−πi s2 , (2)

3
 cx
the LHS views c as the center, and the RHS views c as a factor in the phase e2πi s2 . Such a feature is
useful when we use Fourier transform to connect information from time domain and the Fourier domain.
The third feature (the most important one) Pcalled Karst wave appears in the DFT of complex Gaussians.
Suppose we start with a quantum state x∈ZP fr,s (x) |x⟩ and apply quantum Fourier transform over
ZP on it. We get

r2 s2 (s2 − r2 i)
 
−2πi xy
X X X X
2
|ψ⟩ := fr,s (x)e P |y⟩ =
(a) exp −π 2 4 (y + z) |y⟩ ,
P (s + r4 )
y∈ZP x∈ZP y∈ZP z∈P ·Z

where (a) uses the Poisson summation formula (PSF, Lemma 2.4). The real Gaussian width is around
Pr
s2
, so when r > s2 , the width is even larger than P . Therefore, the amplitude of |ψ⟩ looks chaotic in
2 r4
general. However, when 2(ss4 +r 2
4 ) ∈ 2Z (when r ≥ s , this roughly means s
2 is very close to 4Z), we

can show that y concentrates on some numbers near sP2 Z. The proof is as follows: for any y ∈ ZP , the
amplitude of |y⟩ in |ψ⟩ is proportional to

r2 s2 (s2 − r2 i)
X  
2
exp −π 2 4 (y + z)
P (s + r4 )
z∈P ·Z
r2 s4 r4 s2
X    
2 2
= exp −π 2 4 (y + z) exp πi 2 4 (y + z)
P (s + r4 ) P (s + r4 )
z∈P ·Z
r2 s4 r4 s2
X    
2 2


=(a) exp −π 2 4 (y + z) exp πi 2 4 y + 2yz
P (s + r4 ) P (s + r4 )
z∈P ·Z
2 !
P 2 (s4 + r4 ) 4 s2 4 2 4 2
 D E
X
′ r πi 2 r 4s 4 y 2 2πi y,z ′ − 2 r 4s 4 y
=P SF exp −π z − 2 4 y ·e P (s +r ) ·e P (s +r )

′
r2 s4 P (s + r4 )
z ∈Z/P
2 ! D ′
s4 + r4 4 s2 4 2 4 2
 E
X
′ r πi 2 r 4s 4 y 2 2πi y, zP − 2 r 4s 4 y
= exp −π 2 4 z − y ·e P (s +r ) ·e P (s +r )

′
r s P (s4 + r4 )
z ∈Z

s2 r 4
where (a) uses 2(s4 +r4 )
∈ 2Z so that we can erase the z 2 term in the phase since z ∈ P Z. Therefore y
4 4 2 4 4
distributes as Gaussians centered around P (sr4 +r
s2
)
Z ≈ sP2 Z of width √ss4 +r
r
4
· P (sr4 +r
s2
)
≈ Pr . We name
this feature Karst wave because the sharp curve looks like Karst landscapes. See Figure 1 (bottom
right) for an illustration.
Looking ahead, the Gaussian function with complex variance is intuitively useful for designing quantum
algorithms for lattice problems since it has sharp tails in the time domain (like the Gaussian function
with real variance, which has been used in the analysis of lattice problems since [MR07, Reg09]), and
it has the interesting feature of Karst wave in the frequency domain (where we can accurately produce
periodic patterns). However, even given the feature of Karst wave, it is still unclear how to use complex
Gaussian to solve the LWE problem right away. To make use of complex Gaussians, we need another
tool called QFT with windows.

Quantum Fourier P transforms with windows. Let Q P∈ N be a modulus. Given some quantum
state, say |ϕ⟩ := x∈ZQ g(x) |x⟩, and some “window” state y∈ZQ w(y) |y⟩ that can be created efficiently

4
Figure 1: The real parts of fr,s (x − 100) (up) and their DFTs over ZP (bottom), where P = 200,
r = 54, s = 18 (left), 7.5 (middle), 4.0001 (right). The DFTs are narrow (left), wide & chaotic (middle),
2 r4
wide & like the Karst wave (right). When s = 4.0001, 2(ss4 +r 4 ) ≈ 8.00015 ≈ 2Z, the weight of the DFT
200
of fr,s concentrates around 16 Z.

 2
 √
(think of w(y) as a function with bounded domain, say w(y) = exp −π yr2 for |y| < r n < Q
2 ).
Consider the following sequence of operations: first apply the operation
X X X X
g(x) |x⟩ ⊗ w(y) |y⟩ 7→ g(x) |x⟩ ⊗ w(y) |x + y mod Q⟩ ,
x∈ZQ y∈ZQ x∈ZQ y∈ZQ

then measure the last register and denote the result as y ′ = x + y mod Q. Then the residual state is
|φ⟩ := x∈ZQ g(x)w(y ′ − x mod Q) |x⟩. We refer to the whole process that takes |ϕ⟩ to (|φ⟩, y ′ ) as
P

“applying a window on |ϕ⟩”. Typically the window is applied before or after a QFT operation, so as to
extract and combine the information from both the time domain and the Fourier domain. For example,
suppose |ϕ⟩ is in the time domain, then we can think of y ′ as a piece of information extracted from the
time domain, and |φ⟩ is the residual state determined by y ′ . Then if we apply QFT on |φ⟩ and measure
it, we get information in the frequency domain.
For general g and w, the information from the time and frequency domain is not clearly related. But if
g and w are carefully chosen, then the information in the time and frequency domains can be combined
together in a useful way. The quantum wavelet transform [FW98], quantum curvelet transform [Liu09]
in the literature can be viewed as special cases of using QFT with windows, where the windows are
designed carefully for special purposes. For example, in the quantum curvelet transform proposed by
Liu [Liu09], the window is designed specifically so that combing the information from both the time
domain and the frequency domain leads to a precise estimation of the center of the input state |ϕ⟩.
In our quantum algorithm for solving lattice problems, we use QFT with complex Gaussian windows,
where the parameters in the complex Gaussian windows are tuned carefully so that combining the

5
information from both the time domain and the frequency domain allows us to extract the higher order
bits on the “peaks” of Karst waves, which contain information about lattice points.

1.3 Overview of our algorithm for solving LWE

Here is a high level overview of our quantum algorithm for solving LWE. In fact, the entire quantum
algorithm we use just consists of QFTs, complex Gaussian windows, and other standard quantum
computation tools. However, how to combine them together is highly non-trivial, the detail calculations
are very complicated. So here we will only mention the most important ideas. We will provide a more
detailed overview in §3.4 after all parameters used in the algorithm are defined.
Our quantum algorithm runs a quantum subroutine consisting of nine steps for O(n) times. Every time
we run the quantum subroutine, we will obtain a classical linear equation with random coefficients and
the unknown variables are the LWE secrets and error terms. After running the quantum subroutine for
O(n) times we will get a full rank system of linear equations and compute the LWE secret and error
terms by Gaussian elimination.
Now let us explain a bit about the nine quantum steps. We use |φi ⟩ to denote the state obtained at
the end of Step i. See Figure 2 for an example of the states obtained in each step. The first step of the
quantum subroutine applies a complex Gaussian window on a state with uniform superposition over a
lattice related to the LWE instance, obtains a classical string y′ and a complex Gaussian state |φ1 ⟩:
   
X 1 i 2
|φ1 ⟩ = exp −π + ∥kx − y∥ |kx − y⟩ ,
n
r2 s2
k∈Z,kx−y∈(r log n)B∞

where x is the secret vector we want to learn (related to the LWE secret and error terms), y ∈ Zn is an
unknown vector at this moment but its information is carried in y′ . The support of |φ1 ⟩ is on a line in
the same direction with the secret vector x (see Figure 2-(a)).
Note that |φ1 ⟩ looks very similar to a sample in the extrapolated dihedral coset problem (EDCP) [BKSW18].
An instance of EDCP in general looks like
X
f (k) |k⟩ |kx − y mod P ⟩ ,
k∈ZP

for some amplitude function f and modulus P . In our setting |φ1 ⟩ looks like an EDCP instance without
the first coordinate |k⟩ in a separated register, so it is not exactly an EDCP instance but is similar.
Let us remark that previous attempts of transforming lattice problems into EDCP-like states typically
result into EDCP states with unknown terms in the amplitude [CHL+ 23], or with known amplitude but
can only guarantee the correctness for very few amount of EDCP samples [Reg04, BKSW18], therefore
sophisticated quantum algorithms for solving EDCP (such as Kuperberg’s algorithm [Kup05]) won’t
apply there. Likewise, we don’t expect to obtain an efficient quantum algorithm right away from |φ1 ⟩.
We need to work harder to either make the amplitude nicer or learn one coordinate from y (the later
may turn |φ1 ⟩ into an instance of EDCP with known amplitude).
The five steps from Steps 2 to 6 together make sure that the amplitude of |φ6 ⟩ in Step 6 is highly
structural, consisting of small Gaussian balls. Steps 2 to 6 make heavy use of QFT with complex
Gaussian windows and involve complicated calculations related to Fourier transforms – we take QFT,

6
Figure 2: A proof-of-concept demonstration of the quantum states obtained in Steps 1 - 8. All pictures are
depicting the real parts of the amplitudes of the states. The vertical (resp. horizontal) axis represents the
first (resp. second) coordinate. Parameters (defined in §3.3) are set as n = 2, D = 1, x = Db = (−1, 2),
u2 = 5, t2 = 4u2 = 20, M = 2(t2 + u2 ) = 50, P = M 2 /2 = 1250, r = 380.0, s2 = 312.55, σ = 1.645. We
assume z′ = (625, 625), h∗ = (0, 0) for simplicity. The Python code for generating those figures is available at
https://github.com/wildstrawberry/ComplexGaussian.

7
then apply a complex Gaussian window, then take QFT again, then make a partial measurement, then
take QFT again to get |φ6 ⟩ in Step 6. If we think of |φ1 ⟩ as in the time domain, then |φ2 ⟩ , |φ3 ⟩ , |φ6 ⟩
are in the frequency domain, and they should in general look chaotic if we don’t set the parameters
carefully (from Figure 2-(b), (c), we see that |φ2 ⟩, |φ3 ⟩ indeed look chaotic). However, we tune the
parameters carefully so that the amplitude of |φ6 ⟩ is highly structural due to the feature of Karst wave.
|φ6 ⟩ is an important state. From Figure 2-(f), we see that |φ6 ⟩ contains lines of Gaussian balls of
small width σ, aligned in the direction of x. We can then shift those Gaussian balls (using y′ , and
other classical information obtained before Step 6) to make sure their centers are extractable. After
extracting the centers of the Gaussian balls in |φ6 ⟩, we get |φ7 ⟩:

X (2Dj)2 ∥k∥2 M
−2πi 2M 2πi 4 ′
|φ7 ⟩ = e e 2Djx + v + k mod M , (3)
n−1
2
k∈0|Z ,j∈Z

where v′ is an unknown vector, M is the modulus, D is some scaling parameter. As we can see from the
expression of |φ7 ⟩ in Eqn. (3), and Figure 2-(g), now we get an EDCP-like state with purely imaginary
Gaussian amplitudes, which is much easier to work with. We then use the nice property of imaginary
Gaussian (i.e., center = phase) to obtain partial information of v1′ in Step 8 – we use the phase kickback
trick to remove the quadratic term of j in the phase of |φ7 ⟩, see Figure 2-(h), and then take QFT to
get a linear equation about v1′ , see Figure 2-(i). We then obtain more information about v′ using other
tricks in Step 9, and finally get a linear equation about the LWE secret and error terms.

Organization. In the rest of the paper, we will first provide some background of lattice problems and
quantum computation in §2, then provide the main quantum algorithm for solving LWE in §3, including
a detailed overview of the algorithm and all proofs.

2 Preliminary

Notations and terminology. Let C, R, Q, Z, N be the set of complex numbers, real numbers, rational
numbers, integers, and natural numbers (non-negative integers). Let R+ , N+ denote positive reals and
integers. Denote Z/qZ by Zq . By default we represent the elements of Zq by elements in (−q/2, q/2] ∩ Z.
For n ∈ N, let [n] := {1, ..., n}. The rounding operation ⌊a⌉ rounds a real number a to its nearest integer.
For any integer d ≥ 2, ⌊a⌉d rounds a real number a to its nearest integer in dZ.
A vector in Rn (represented in column form by default) is written as a bold lower-case letter, e.g. v.
For a vector v, the ith component of v is denoted by vi . The ith to j th components of v is denoted by
v[i...j] . A matrix is written as a bold capital letter, e.g. A. The ith column vector of A is denoted by
ai .
The length of a vector is the ℓp -norm ∥v∥p := ( vip )1/p , or the infinity norm given by its largest entry
P
∥v∥∞ := maxi {|vi |}. The ℓp norm of a matrix is the norm of its longest column: ∥A∥p := maxi ∥ai ∥p .
Let Bpn (resp. B̄pn ) denote the open (resp. closed) unit ball in Rn in the ℓp norm. By default we use
ℓ2 -norm unless explicitly mentioned. Let x ∈ Rn , we have ∥x∥∞ ≤ ∥x∥2 ≤ ∥x∥1 .

P from the set S we denote as v ← U (S). When a function

When a variable v is drawn uniformly random
f is applied on a set S, it means f (S) := x∈S f (x).

8
In this paper, we use n as the default parameter to parameterize the computational complexity or the
success probability of an algorithm. An algorithm is “efficient” if it runs in quantum polynomial time
in n.

Definition 2.1 (Statistical distance). For two distributions over Rn with probability density functions
f1 and f2 , we define the statistical distance between them as
Z
1
D(f1 , f2 ) = |f1 (x) − f2 (x)|dx.
2 Rn

When D(f1 , f2 ) ∈ negl(n), we say f1 and f2 are statistically close, denoted as f1 ≈s f2 .

Lemma 2.2 (Hoeffding’s inequality). If X1 , ..., Xn are independent random variables such that ai ≤
Xi ≤ bi for all i, then for the sum of those random variables Sn := X1 + ... + Xn ,
!
2t2
Pr[|Sn − E[Sn ]| ≥ t] ≤ 2 exp − P 2
.
i∈[n] (bi − ai )

Fourier transform. The Fourier transform of a function h : Rn → C is defined to be

Z
ĥ(w) = h(x) exp(−2πi ⟨x, w⟩)dx.
Rn

We recall some formulas about Fourier transform (see [Gra08, P.100, Proposition 2.2.11]). If h is defined
by h(x) = g(x + v) for some function g : Rn → C and vector v ∈ Rn , then

ĥ(w) = ĝ(w) · exp(2πi ⟨v, w⟩). (4)

If h is defined by h(x) = g(x) exp(2πi ⟨x, v⟩) for some function g : Rn → C and vector v ∈ Rn , then

ĥ(w) = ĝ(w − v). (5)

As a corollary of Eqns. (4) and (5), if h is defined by h(x) = f (x + v) exp(2πi ⟨x, z⟩) for some function
f : Rn → C and vectors v, z ∈ Rn , then we define g(x) := f (x + v), so h(x) = g(x) exp(2πi ⟨x, z⟩).
Therefore ĝ(w) = fˆ(w) · exp(2πi ⟨v, w⟩), and

ĥ(w) = ĝ(w − z) = fˆ(w − z) · exp(2πi ⟨v, w − z⟩). (6)

As a corollary of Eqn. (6), if h is defined by h(x) = f (x + v) exp(2πi ⟨x + v, z⟩) for some function
f : Rn → C and vectors v, z ∈ Rn , then

ĥ(w) = fˆ(w − z) · exp(2πi ⟨v, w⟩). (7)

Lemma 2.3 (Inversion formula for special matrices (Sherman–Morrison formula)). Let M ∈ Cn×n be
invertible, u ∈ Cn , then M + uuT is invertible iff 1 + uT M−1 u ̸= 0. Furthermore,

−1 M−1 uuT M−1

M + uuT = M−1 − . (8)
1 + uT M−1 u

9
2.1 Lattices

An n-dimensional lattice L of rank k ≤ n is a discrete additive subgroup of Rn . Given k linearly

independent basis vectors B = {b1 , ..., bk ∈ Rn }, the lattice generated by B is
( k )
X
L(B) = L(b1 , ..., bk ) = xi · bi , xi ∈ Z .
i=1

By default we work with full-rank lattices unless explicitly mentioned.

The minimum distance λ1 (L) of a lattice L is the length (in the ℓ2 norm by default) of its shortest
nonzero vector: λ1 (L) = minx∈L\{0} ∥x∥. More generally, the ith successive minimum λi (L) is the
smallest radius r such that L contains i linearly independent vectors of norm at most r. We use λp1 to
denote the minimum distance in the ℓp norm.
The dual of a lattice L ∈ Rn is defined as
L∗ := {y ∈ Rn : ⟨y, x⟩ ∈ Z for all x ∈ L} .
If B is a basis of a full-rank lattice L, then B−T is a basis of L∗ .
The determinant of a full-rank lattice L(B) is det(L(B)) = | det(B)|.
Lemma 2.4 (Poisson Summation Formula). For any full-rank lattice L and any Schwartz function
f : Rn → C, we have f (L) = det(L∗ )fˆ(L∗ ).

Gaussians and lattices. For any s > 0, define the Gaussian function on Rn with width parameter
s as follows (following the convention in [MR07]):
2 /s2
∀x ∈ Rn , ρs (x) = e−π∥x∥ . (9)
For any c ∈ Rn , define ρs,c (x) := ρs (x−c). The subscripts s and c are taken to be 1 and 0 (respectively)
√
when omitted. Note that although we call s the width of ρs , the actual standard deviation of ρs is s/ 2π.
The Fourier transform for Gaussian satisfies ρˆs = sn ρ1/s . From Poisson summation formula we have
ρs (L) = sn · det(L∗ ) · ρ1/s (L∗ ).
For any real s > 0, integer n, define the continuous Gaussian distribution Ds as:
ρs (x)
∀x ∈ Rn , Ds (x) = .
sn
For any c ∈ Rn , s ∈ R+ , and lattice L ⊂ Rn , define the discrete Gaussian distribution DL+c,s as:
ρs (x)
∀x ∈ L + c, DL+c,s (x) = .
ρs (L + c)

The following Gaussian tail bound over lattices is due to Banaszczyk.

Lemma 2.5 (Lemma 1.5 [Ban93]). For any n-dimensional lattice L, and r ≥ √1 , c ∈ Rn ,
2π
√  √ 2 n

ρ(L \ r nB n ) < r 2πe · e−πr ρ(L),
√ n  √ n (10)
−πr2
ρ((L − c) \ r nB ) < 2 r 2πe · e ρ(L).

10
Lemma 2.6 (Lemma 2.10 [Ban95]). For any n-dimensional lattice L, c ∈ Rn , r > 0, one has
 2

n
ρ((L − c) \ rB∞ ) < 2n · e−πr ρ(L).

Claim 2.7 (Adapted from Claim 8.1 [RS17]). For any n ≥ 1, s > 0,
2 2
sn (1 + 2e−πs )n ≤ ρs (Zn ) ≤ sn (1 + (2 + 1/s)e−πs )n .

In particular, when s ≥ log n,

sn ≤ ρs (Zn ) ≤ 2sn .

Smoothing parameter. We recall the definition of smoothing parameter for Gaussian over lattices
and some useful facts.

Definition 2.8 (Smoothing parameter [MR07]). For any lattice L and positive real ϵ > 0, the smoothing
parameter ηϵ (L) is the smallest real s > 0 such that ρ1/s (L∗ \ {0}) ≤ ϵ.

For example, η0.0864348 (Z) ≈ 1.

We use [MR07, Lemma 4.2] which says when s is large enough, then the statistical properties of discrete
Gaussians are very close to continuous Gaussians.

Lemma 2.9. For any n-dimensional lattice L, point c ∈ Rn , unit vector u, and ϵ ∈ (0, 1), s ≥ 2ηϵ (L),
ϵs
Ex←DL,s,c [⟨x − c, u⟩] ≤ ,
1−ϵ
h i s2 ϵs2
Ex←DL,s,c ⟨x − c, u⟩2 − ≤ .
2π 1−ϵ

Other properties of smoothing parameters will be mentioned when needed.

q-ary lattices. Given n < m ∈ N and a modulus q ≥ 2, for A ∈ Zn×m

q , define q-ary lattices as

Lq (A) = x ∈ Zm : ∃s ∈ Zn such that x ∈ AT · s + qZm ;


(11)
L⊥ m
q (A) = {x ∈ Z : A · x ≡ 0 (mod q)} .

Those two lattices are dual of each other up to a factor of q, i.e., Lq (A) = q · L⊥ ∗
q (A) .

Lemma 2.10. Let q ≥ 2, m ≥ 2n log2 q. Let V := {v1 , ..., vℓ } be a set of ℓ distinct vectors in Zm
q . Then
for all but at most ℓ · q −0.16n fraction of A ∈ Zqn×m , we have
q
∀s ∈ Znq \ {0n }, ∀v ∈ V, ∥AT s + v mod q∥∞ ≥ .
4

Proof. The lemma is proven when q is a prime and V = {0m } in [GPV08, Lemma 5.3]. Here we extend
the proof to a general q and a general set of vectors V.

11
For any fixed non-zero s ∈ Znq , wlog assuming s1 is a non-zero entry of s. Then for any a ∈ Znq , for any
v ∈ Zq , y := ⟨a, s⟩ + v mod q can be written as y = s1 a1 + w mod q for some w ∈ Zq . We observe that
for any q ∈ N+ , for any w ∈ Zq , for any non-zero s1 ∈ Zq ,

Pr [ s1 a1 + w mod q ∈ (−q/4, q/4) ∩ Z ] ≤ 2/3,

a1 ∈Zq

here we represent s1 a1 + w mod q by a number in [−q/2, q/2) ∩ Z; “≤ 2/3” holds since for any z ∈ N+ ,
for any w ∈ Z, ℓ ∈ Z, there can be at most z numbers in {w + kℓ mod (2zℓ)}k∈Z2z fitting in the set of
(−(2zℓ)/4, (2zℓ)/4) ∩ Z, there can be at most z + 1 numbers in {w + kℓ mod ((2z + 1)ℓ)}k∈Z2z+1 fitting
n o
z+1
in the set of (−(2z + 1)ℓ/4, (2z + 1)ℓ/4) ∩ Z, and 2/3 is the largest number in 2z+1 | z ∈ N+ ; the
equality holds when q ∈ 3k · N for some k ≥ 1, s1 ∈ (q/3) · Z/qZ, s1 ̸= 0, and for some w ∈ Zq (for
example, when q = 15, s1 = 5, and w = 2).
Therefore, over the randomness of A ∈ Zn×mq , the probability that AT s + v = y mod q holds for some
y ∈ Zm , ∥y∥∞ < q/4 is at most (2/3)m ≤ (3/2)−2n log2 q ≤ q −1.16n . Applying a union bound over all
s ∈ Znq \ {0n } and all v ∈ V completes the proof of Lemma 2.10.

2.2 Quantum computation

We assume readers are familiar with basic concepts of quantum computation. All quantum backgrounds
we need in this paper are available
P in standard textbooks of quantum computation, e.g., [NC16]. When
writing a quantum state as x∈S f (x) |x⟩, we typically omit the normalization factor except when
needed.
1
The trace distance between two quantum states ρ and σ is defined as D(ρ, σ) := 2 tr |ρ − σ|. Note that
when ρ and σ commute they are diagonal in the same basis,
X X
ρ= ri |i⟩ ⟨i| , σ = si |i⟩ ⟨i| ,
i i

1 P 1 P
for some orthonormal basis |i⟩, then D(ρ, σ) = 2 tr | i (ri − si ) |i⟩ ⟨i|| = 2 i |ri − si |.
The trace distance is preserved under unitary transformations, and is contractive under trace-preserving
operations. When the trace distance of two states ρ and σ is negligible in n, we write ρ ≈t σ.
When a state ρ can be approximately constructed within a negligible trace distance, we sometimes say
the state is constructible without mentioning the negligible distance.

Lemma 2.11. Let |ϕ⟩, |ψ⟩ be un-normalized vectors s.t. ∥ |ϕ⟩ ∥ ≥ µ and ∥ |ϕ⟩ − |ψ⟩ ∥ ≤ δ. Then
  s  2 s !
1 1 |⟨ϕ|ψ⟩| δ
D |ϕ⟩ , |ψ⟩ = 1 − ≤O .
∥ |ϕ⟩ ∥ ∥ |ψ⟩ ∥ ∥ |ϕ⟩ ∥∥ |ψ⟩ ∥ µ

We use the following quantum algorithms:

Lemma 2.12 (Quantum Fourier Transform (QFT) [Kit95]). Let q ≥ 2 be an integer. The following
unitary operator QFTZq can be implemented by poly(log q) elementary quantum gates. When QFTZq is

12
 P
applied on a quantum state |ϕ⟩ := x∈Zq f (x) |x⟩, we have
X X 1
QFTZq |ϕ⟩ = √ · e−2πi·xy/q · f (x) |y⟩ .
q
y∈Zq x∈Zq

Lemma 2.13 (Phase kickback [CEMM98]). Let M ∈ N+ , f (x) ∈ ZM . If the transformation |x⟩ 7→
2πif (x)
|x⟩ |f (x)⟩ is computable in time T , then the unitary transformation |x⟩ 7→ e M |x⟩ can be performed
in time poly(T, log(M )).

2poly(n)
P
It is well known that the Gaussian state |σn,R ⟩ := √
y∈Zn ∩R nB2n ρR (y) |y⟩ for some radius R ≤
can be prepared efficiently. Given Lemma 2.5, there is a 2−Ω(n) mass in the tail of ρR (y)
outside
√ n
E can prepare |σn,R ⟩ by generating n independent samples of one-dimensional Gaussian
R nB2 , so we
state σ1,R√n , which can be done efficiently within trace distance 2−Ω(n) [GR02]. Similarly, we can
E
∞
P
efficiently prepare σn,R := y∈Zn ∩R log nB∞ n ρR (y) |y⟩ by generating n independent samples of one-

dimensional Gaussian state |σ1,R log n ⟩. The discussion above is summarized in the following lemma.
c
Lemma 2.14 (Gaussian state preparation). Let n ∈ N, R ∈ R satisfy 1 ≤ R ≤E2n for some constant
n boundaries, |σ
c ≥ 0. Then the Gaussian states with B2n and B∞ ∞
n,R ⟩ and σn,R , can both be prepared

in poly(n) time within trace distance 2−Ω(n) .

In this paper we are interested in preparing complex Gaussian states.

c
Lemma 2.15 (Complex Gaussian state preparation). Let n ∈ N, R ∈ R satisfy 1 ≤ R ≤ 2n for some
−Ω(n)
constant c ≥ 0. Let S > 0 be a number such that S12 can be efficiently computed within 2 R2 n precision,
−Ω(n)
i.e., we can compute S̃12 ∈ S12 ± 2 R2 n and S̃12 is a rational number that can be represented by poly(n)
bits. Then the complex Gaussian states with B2n and B∞ n boundaries,

∥y∥2 ∥y∥2
ρR (y) · e−πi ρR (y) · e−πi
X X
∞
|ζn,R,S ⟩ := S2 |y⟩ , ζn,R,S := S2 |y⟩
√
y∈Zn ∩R nB2n y∈Zn ∩R log nB∞
n

can both be prepared in poly(n) time within trace distances 2−Ω(n) .

E
∞
Proof. We describe how to prepare |ζn,R,S ⟩. The procedure for preparing ζn,R,S is similar.
To prepare |ζn,R,S ⟩ we start from preparing the Gaussian state |σn,R ⟩ using Lemma 2.14, and then apply
Lemma 2.13 to change the phase:
∥y∥2
ρr (y) · e−πi
X X
′
ρR (y) |y⟩ 7→ S̃ 2 |y⟩ =: ζn,R,S .
√ √
y∈Zn ∩R nB2n y∈Zn ∩R nB2n

E E
′
ζn,R,S and |ζn,R,S ⟩ are 2−Ω(n) -close in the ℓ2 distance because the normalization factor of both ′
ζn,R,S

13
 qP
and |ζn,R,S ⟩ is √
y∈Zn ∩R nB2n ρ2R (y), and

∥y∥2 ∥y∥2
 2
−πi 2 −πi 2
X
′
∥ ζn,R,S − |ζn,R,S ⟩ ∥22 = ρR (y) · e S̃ −e S
√
y∈Zn ∩R nB2n

∥y∥2   2
2 −1/S̃ 2 )·∥y∥2
ρR (y) · e−πi
X
= S̃ 2 1 − e−πi·(1/S
√
y∈Zn ∩R nB2n
X
∈(a) ρ2R (y) · 2−Ω(n) ,
√
y∈Zn ∩R nB2n

where (a) holds since ∥y∥2 ≤ R2 · n, so (1/S 2 − 1/S̃ 2 ) · ∥y∥2 ∈ 2−Ω(n) .

We will also use a trick called “domain extension”. Let us first define periodic functions.
Definition 2.16 (Periodic function). Let n, P ∈ N+ . A function f : Zn → C is P -periodic if for all
x, y ∈ Zn such that x ≡ y (mod P ), f (x) = f (y).
Lemma 2.17 (Domain extension). Let n, P, C ∈ N+ . Let f : Zn → C be a P -periodic P function.
Then, there is an efficient reversible operation that given a quantum state |ϕ⟩ := x∈Zn f (x) |x⟩,
P
converts it to |ϕ′ ⟩ := z∈Zn f (z) |z⟩ in time poly(log(C), n). Similarly, we can also convert |ϕ⟩ to
P
CP
|ϕ′′ ⟩ := z1 ∈ZCP ,z[2...n] ∈Zn−1 f (z) |z⟩, where the extension only applies on the first coordinate.
P
P

Proof. We prepare a uniform superposition over ZnC by QFTZnC |0n ⟩ = h∈Zn |h⟩, and interpret it as
P
C
the higher order bits of |ϕ⟩:
X X X X
|h⟩ ⊗ |ϕ⟩ 7→ f (x) |h · P + x⟩ =(a) f (z) |z⟩ = ϕ′ ,
h∈Zn h∈Zn n z∈Zn
C C x∈ZP CP

where (a) holds since f is P -periodic. To get back to |ϕ⟩ from |ϕ′ ⟩, we apply QFT−1
Zn on the higher order
C
′ n
bits of |ϕ ⟩ and get |0 ⟩ |ϕ⟩.
Analogously, to get |ϕ′′ ⟩, we prepare h1 ∈ZC |h1 ⟩ and interpret it as the higher order bits of the first
P
coordinate of |ϕ⟩:
X X X X
|h1 ⟩ ⊗ |ϕ⟩ 7→ |h1 ⟩ f (x) |h1 · P + x1 ⟩ x[2...n] = f (z) |z⟩ = ϕ′′ .
h1 ∈ZC h1 ∈ZC x∈Zn
P z1 ∈ZCP ,z[2...n] ∈Zn−1
P

3 Main Theorem: Quantum Algorithm for Solving LWE

This section is devoted to proving the main theorem:

Theorem 3.1. Let ℓ, m, q ∈ N, β ≥ 2 such that m ≥ Ω(ℓ log2 (q)), q ∈ Ω̃(β 4 m2 ). There is a quantum
algorithm that solves LWEℓ,m,q,U (Zq ),DZ,β in time poly(m, log q, β).

14
The rest of the section is organized as follows. In §3.1 we show LWE with k secret coordinates chosen
by ourselves, denoted as LWEk chosen secret , is as hard as standard LWE (LWEk chosen secret will be solved
quantumly later). In §3.2 we convert LWEk chosen secret into the problem of finding the unique shortest
non-zero vector of a special q-ary lattice. In §3.3 we list the parameters that are used in the main
quantum algorithm. In §3.4 we provide an overview of the main quantum algorithm. In §3.5 we provide
the nine steps in the main quantum algorithm in details, but deferring all proofs that are longer than
three pages to §3.6. In §3.6 we provide all the detailed proofs missed in §3.5.

3.1 LWE with a few known secret coordinates is as hard as standard LWE

We show three variants of LWE that are as hard as standard LWE. The last variant is LWEk chosen secret
(formally defined in Def. 3.4), which our quantum algorithm will eventually solve. All three reductions
in this subsection follow small modifications of existing classical polynomial time reductions from the
standard LWE to their variants.

1: LWE with k error free coordinates. First, we convert the standard LWE into a variant of
it where the first k coordinates of the error term is 0, denoted as LWEk error free . Analogously, for
the decisional version, DLWEk error free , we assume the first k coordinates of the error term is 0 in the
LWE case, and the RANDOM case is still all random. (Although we only need the search version of
LWEk error free in this paper, we present the reduction for the decisional version because it implies the
search version and might be useful elsewhere). Brakerski et al. [BLP+ 13] prove that LWE1 error free is
as hard as standard LWE. We generalize their proof to a larger k. Apparently, for LWEk error free to be
hard, k cannot be larger than the dimension of the secret. In fact, the reduction actually transforms
an n-dimensional LWE instance to an n + k dimensional LWEk error free instance, so having k error free
coordinates do not make the problem simple.
Lemma 3.2. For any k, n, m, q ∈ N such that k ∈ poly(n), q ≤ 2poly(n) , there is a reduction from
DLWEn,m,q,U (Zq ),χ to DLWEkn+k,m+k,q,U
error free
(Zq ),χ that runs in classical poly(k, n, m, log q) time and reduces
the advantage by at most 2−Ω(n) .

Proof. Suppose q = q1c1 ...qhch , where q1 , ..., qh are h distinct primes, c1 , ..., ch ∈ N. Given an instance
k error free
A ∈ Zn×m
q , t ∈ Zm
q from DLWEn,m,q,U (Zq ),χ , we convert it to an instance of DLWEn+k,m+k,q,U (Zq ),χ .

We first sample k vectors u1 , ..., uk ∈ Zn+k

q uniformly random. If u1 , ..., uk are linearly independent
in Zqi for all i ∈ [h], then we continue, otherwise we abort. The following claim says we abort with
probability less than k log2 q · 2−n ∈ 2−Ω(n) .
Claim 3.3. With probability more than 1 − k log2 q · 2−n over the randomness of sampling uniformly
random u1 , ..., uk ∈ Zn+k
q , u1 , ..., uk are linearly independent in Zqi for all i ∈ [h].

Proof. For every i ∈ [h], u1 , ..., uk are linearly independent in Zqi with probability
−(n+k) −(n+k−1) −(n+1)
(1 − qi )(1 − qi )...(1 − qi ) ≥ (1 − 2−n )k .

Note that h ≤ log2 q. So the probability that u1 , ..., uk are linearly independent in Zqi for all i ∈ [h] is
greater than (1 − 2−n )k log2 q ≥ 1 − k log2 q · 2−n .

15
 (n+k)×(n+k)
We then sample a matrix U ∈ Zq that is invertible modulo q, and the first k columns of U
are u1 , ..., uk (U only has to be invertible modulo q, not
random). Such a matrix U exists and can
be sampled efficiently as follows. Let U[1...k] = u1 , ..., uk . For every i ∈ [h], we know there are k
rows from U[1...k] that forms an invertible matrix over Zqci , then we can set U[k+1...n+k] mod qici to be
i
0 in those k rows, and contain an identity matrix besides those k rows, therefore the whole matrix U is
invertible modulo qici (for example, if the first k rows in U[1...k] form an invertible matrix modqici , then
 
0
we let U[k+1...n+k] = mod qici ). Using the Chinese remainder theorem, we get U as an invertible
In
matrix over Zq .
Then, for the j th sample of DLWEkn+k,m,q,U
error free
(Zn+k ),χ
, for j ∈ [k], we output uj , yj , where yj is sampled
q
randomly from Zq . Denote y ∈ Zkq as the concatenation of y1 , ..., yk . For j = k + 1, ..., m + k, we sample
 
k dj
a uniformly random vector dj ∈ Zq , and output U , tj−k + ⟨dj , y⟩.
aj−k
It is easy to verify that the reduction maps a RANDOM instance of DLWEn,m,q,U (Znq ),χ to a RANDOM
instance of DLWEkn+k,m+k,q,U
error free
(Zn+k ),χ
. To verify the LWE case, suppose t = AT s+e, then the secret term
q
 
y
of the new instance is s′ := U−T . So for j ∈ [k], the j th sample is uj , ⟨uj , s′ ⟩ = yj , free of error;
s
 
th ′ dj
for j = k + 1, ..., m + k, the j sample is aj := U , tj−k + ⟨dj , y⟩ = ej−k + ⟨aj−k , s⟩ + ⟨dj , y⟩ =
aj−k
D E
ej−k + a′j , s′ , following the right distribution.

2: LWE with k chosen error terms. Next, we convert LWEk error free into a variant of it where the
first k coordinates of the error terms are chosen by ourselves, instead of being 0. We denote this variant
as LWEk chosen error . This conversion is simple: staring from samples from LWEk error free , denoted by
A ∈ Zn×mq , y = AT s + e, where e[1...k] = 0k . Let z ∈ Zkq be the k error terms chosen by ourselves. We
output A, y + z|0m−k = AT s + z|e[k+1...m] .

3: LWE where the secret follows the error distribution. Third, we apply the reduction of
Applebaum et al. [ACPS09] which transforms LWE samples into new LWE samples where the secret
follows the error distribution. As a result of this transformation, we convert LWEkn,m+n,q,U
chosen error
(Zq ),χ into new
LWE samples where the first k coordinates of the secret is chosen, and the rest of the secret and the error
vectors follows the same error distribution of LWEk chosen error . We call this variant LWEk chosen secret .

Definition 3.4 (LWE with k chosen secrets). Let k < n < m, q be positive integers. Let s ∈ Znq
be a secret vector where the first k entries are chosen to be fixed as (s1 , ..., sk ), and the other entries
(sk+1 , ..., sn ) are sampled from some distribution DistS and unknown. The problem LWEkn,m,q,DistS,DistE
chosen secret

asks to find the secret s given access to an oracle that outputs ai , ⟨s, ai ⟩ + ei (mod q) on its ith query,
for i = 1, ..., m. Here each ai is a uniformly random vector in Znq , and each error term ei is sampled
from DistE over Zq .

Lemma 3.5. There is a classical reduction from LWEkn,m+n,q,U

chosen error k chosen secret
(Zq ),χ to LWEn,m,q,χ,χ that runs in
time poly(n, m, log q).

16
Proof. Given m + n samples from LWEkn,m+n,q,U
chosen error T T T
(Zq ),χ , denoted as A, y := s A + e mod q. Write
n×n n×m
A = [A1 | A2 ] where A1 ∈ Zq , A2 ∈ Zq . Without a loss of generality, assume A1 is invertible
modulo q (we know the first k columns of A1 are part of an invertible matrix back from Lemma 3.2; if
A1 is not invertible, we replace some columns from the last n − k columns of A1 by some columns of A2
until we make A1 invertible; this does not affect our result). Write yT = [y1T | y2T ] where y1 ∈ Znq . Let
Ā := −A−1 T T T T T T −1 T T
1 ·A2 . Let ȳ := y1 · Ā+y2 . Then ȳ = (s A1 +e1 )·(−A1 ·A2 )+(s A2 +e2 ) = e1 · Ā+e2 ,
T T

meaning that Ā, ȳT is an instance of LWEkn,m,q,χ,χ

chosen secret
, i.e., the secret for LWEkn,m,q,χ,χ
chosen secret
is e1 ∈ Znq ,
k chosen error
which is sampled from the first n error coordinates of LWEn,m+n,q,U (Zq ),χ . In particular, the first k secret
terms are chosen by ourselves.

3.2 Convert LWE into a special q-ary lattice with a unique shortest vector

Let κ, ℓ, m, q ∈ N, m ∈ Ω(ℓ log q), n := 1 + ℓ + m, κ ≤ O(log n). Let p1 , p2 , p3 , ..., pκ be odd and pairwise
coprime, such that p1 ∈ O(1), p2 , ..., pκ ≤ log n
p1 . Note that p1 , p2 , ..., pκ don’t have to be primes. Other
conditions of p1 , ..., pκ will be mentioned later in §3.3 (mostly in Cond. C.3).
With the three reductions in §3.1, we know that to solve standard LWEℓ−(κ−1),m+ℓ−(κ−1),q,U (Zq ),DZ,β ,
it suffices to solve LWEκ−1 chosen secret κ−1 chosen secret
ℓ,m,q,DZ,β ,DZ,β . More concretely, let the LWEℓ,m,q,DZ,β ,DZ,β instance be U ←
U (Zℓ×m
q ), t = UT s + e mod q, where the first κ − 1 entries s are chosen to be (p2 , ..., pκ ), and the other
ℓ − (κ − 1) entries of s, s[κ...ℓ] , and all entries of the error term e are sampled independently from DZ,β .
Our goal is to compute the unknown s[κ...ℓ] and e.
Looking ahead, the property that we choose κ − 1 coordinates of the secret to be some known, special
values will only be used at the very last step of our quantum algorithm, so readers on the first pass of
our algorithm can just assume we are solving LWE where the secret and the error terms are all small
entries (i.e., all less than O(β log n)) and not worry about the condition that κ − 1 entries are special
values, until reaching the last step of our quantum algorithm.
We now define a q-ary lattice such that finding the unique shortest vector for this special q-ary lattice
implies solving LWEκ−1 chosen secret
ℓ,m,q,DZ,β ,DZ,β . Let

A := [2p1 t | UT | Im ] ∈ Zm×n
q ,
(12)
b := [−1, 2p1 sT , 2p1 eT ]T = [−1, 2p1 p2 , ..., 2p1 pκ , 2p1 sT[κ...ℓ] , 2p1 eT ]T .

Note that Ab ≡ 0 mod q.

Let us first provide some basic estimations of the length of b.
log n
Lemma 3.6. For β ≥ 2, p1 ∈ O(1), p2 , ..., pκ ≤ p1 , κ ∈ O(log n). With probability 1 − negl(n) over
ℓ−κ+1 m , the vector b = [−1, 2p sT , 2p eT ]T satisfies
the randomness in sampling s[κ...ℓ] ← DZ,β ,e ← DZ,β 1 1
√
(1) ∥b∥ ≤ 3p1 β n, (2) ∥b∥∞ ≤ β log n, and (3) ∥b∥ ∈ 1 + 4p1 (p2 + ... + pκ ) + [0.04, 0.27] · 4p21 β 2 (n − κ).
2 2 2 2

√ √
Proof. From Lemma 2.5, we know ∥b∥ ≤ 2p1 β n − κ+O(log2 n) ≤ 3p1 β n with probability 1−2−Ω(n) .
From Lemma 2.6, we know ∥b∥∞ ≤ β log n with probability 1 − negl(n). So Items (1), (2) are satisfied.
To prove Item (3), given that β ≥ 2, and η0.086434811 (Z) ≥ 1, we derive from Lemma 2.9 that for
b2 β2 b2
i = κ+1, ..., n, E[ (2pi1 )2 ] ∈ 2π ±0.09β 2 ∈ [0.05, 0.26]·β 2 . Also, by Lemma 2.6, 0 ≤ (2pi1 )2 ≤ β 2 log2 (n−κ).

17
 Pn b2i
Then, using Hoeffding inequality (Lemma 2.2), we let Sn−κ := i=κ+1 (2p1 )2 , then

√ 2(n−κ)β 4 log6 (n−κ)

−
Pr |Sn−κ − E[Sn−κ ]| ≥ β 2 log3 (n − κ) n − κ ≤ 2e (β2 log2 (n−κ))2 ·(n−κ) ∈ negl(n).
 

Therefore ∥b∥2 ∈ 1 + 4p21 (p22 + ... + p2κ ) + [0.04, 0.27] · 4p21 β 2 (n − κ) with all but negl(n) probability.

In Lemma 3.7, we prove that b is the unique shortest vector in L⊥ ⊥

q (A), whereas other vectors in Lq (A)
are long. The proof is not hard but a bit tedious so we defer it to §3.6.1. Looking ahead, our quantum
algorithm is essentially trying to compute b, the unique shortest non-zero vector in L⊥q (A).

4 2

For q ≥ Ω̃(β√ m ).∞With
Lemma 3.7. probability 1 − negl(n) over the randomness in sampling U, t,
λ1 Lq (A) = ∥b∥ ≤ 3p1 β n, λ2 L⊥
⊥ n)2 .


q (A) ≥ q/(log

Note that if q ∈ 2p1 Z, then 2pq 1 |0n−1 is a relatively short vector in L⊥

q (A) (not shorter than b though).
q q
But since we set p1 ∈ O(1), so 2p1 > log2 n , which doesn’t violate Lemma 3.7. So we don’t need to avoid
q, p1 such that q ∈ 2p1 Z.

3.3 Parameter selection

Recall that in §3.2 we have defined parameters ℓ, m, q, n = 1 + m + ℓ, p1 , ..., pκ , and the q-ary lattice
A = [2p1 t | UT | Im ] ∈ Zm×n
q , where t = UT s + e mod q where s[1...κ−1] = (p2 , ..., pκ ), s[κ...ℓ] ←
ℓ−κ+1 m . Recall from Eqn. (12) that b = [−1, 2p sT , 2p eT ]T .
DZ,β , e ← DZ,β 1 1

In this subsection we introduce more parameters that will be used in our quantum algorithm. Let
D ∈ N+ be a scaling parameter. Let L := D · L⊥
q (A). Let x := D · b.
We set additional parameters P, M, r, s, t, u ∈ poly(n) such that P, M, t2 , u2 ∈ N+ , s, r ∈ R+ . P , M are
the large and small moduli. The main parameters for complex Gaussian are r, s, t, u. Our algorithm
will first make a guess of ∥b∥2 ∈ N+ and let u2 = ∥x∥2 = D2 ∥b∥2 . There are only O(β 2 n) ∈ poly(n)
possibilities for ∥b∥2 , so from now we assume our guess of ∥b∥2 is correct.
The parameters are set under the following constraints (readers can assume we always use P > r >
M > s > t > u = ∥x∥ = D∥b∥). Looking ahead, there are nine steps in our quantum algorithm, and
each condition below is typically only used in one or few steps. We will mark which condition is used in
which steps, so readers don’t need to load all the conditions in mind at the same time, and just assume
all conditions are satisfiable on the first pass.

cD ∥b∥
2 2 2
t
C.1 t2 = cu2 for some c ∈ 4Z. This ensures that 2D 2 = 2D2
∈ 2Z (only used in Lemma 3.27 in
t √ 3 3
Step 6). For simplicity we set u = c ∈ (64 log n, 65 log n), then C.6, C.7 are easy to satisfy.

C.2 The large and small moduli P , M are chosen as M = 2(t2 + u2 ) = 2(c + 1)∥x∥2 = 2(c + 1)D2 ∥b∥2 ,
2
P = M · (t2 + u2 ) = M2 . This condition is used in many steps.

C.3 (Only used in Steps 8 and 9.) D, p1 , p2 , ..., pκ are odd and pairwise coprime (they don’t have
M 2
to be primes), 2D 2 = (c + 1)∥b∥ = p1 p2 ...pκ , and p2 p3 ...pκ ≡ −1 (mod p1 ). Since M ∈ poly(n),
therefore κ ∈ O(log n) is enough (i.e., M has at most O(log n) different factors).

18
C.4 2r log n ≤ P , 2r log n < Dq/(log n)2 (only used in Step 1). Note that 2r log n < Dq/(log n)2 is
the only constraint on q. In particular, q does not have to be equal to or share prime factors with
P or any other values.
s2 r 4 t2
C.5 The key condition for creating the Karst wave: u2 (s4 +r4 ) (t2 +u2 )2
= 2 (mainly used in Step 6). Since
2 4 4 2 2 )2
 
we always set r > s log n, t ≥ 64u log3 n, we have s2 = 2 u (sr4+r ) (t +u t2 ∈ 2u2 t2 · 1, 1 + 1
log n .
√ 2t
 
4 4 ts2
C.6 Define V := P u rsr2 t+s (only used in Step 3), σ := VP = u√rs
r4 +s4
∈ ur · 1± 1
O(log n) ∈C.5
   
2ut3 1 D
r · 1 ± O(log n) (σ is used in Steps 6 and 7). We need σ ∈ 2 log n, 4 log n .
√
2ut2 √ 1
β n
C.7 r < 4β n log2 n
, needed in Steps 5 and 7. Since u = D∥b∥ ≥Lemma 3.6(3) 4 with all but
u2 t2 1 2ut3
negl(n) probability, it suffices to set r < 32 log 2 . Combining with C.6, where we
n
need r ·
    √
1
1 ± O(log n) ∈ log n, D
4 log n . Since we set ut = c ∈ (64 log3 n, 65 log3 n) in C.1, we can set
ut3 2
r= 4 log n , σ ∈ O(log n), and D ∈ O(log n) so that both C.6, C.7 are satisfied.

We can determine all parameters in the following order: first choose c + 1, p1 , p2 , ..., pκ to make
sure C.3 is satisfiable, namely, (c + 1)∥b∥2 = p1 p2 ...pκ . Note that b[1...κ] = (−1, 2p1 p2 , ..., 2p1 pκ ), and
β2
b[κ+1...n] ∈ 2p1 , so ∥b∥2 = 1 + 4p21 (p22 + p23 + ... + p2κ + a) for some a ∈ Z such that a ≈ 2π (n − κ) (there are
∥b ∥2
only O(β 2 (n−κ)) ∈ poly(n) possibilities of a, so we can guess a to be the most likely value of [κ+1...n]
4p21
,
j 2 m
β
i.e., 2π (n − κ) , then with non-negligible probability over the randomness of b[κ+1...n] , our guess of ∥b∥2
is correct). Also note that ∥b∥2 ∈
/ p1 Z. So the easiest solution is to set p1 to be a factor of c+1, and guess
∥b∥2 has some smooth factors p2 ...pκ . For example, if we guess ∥b∥2 = 7 × 11 × 17 × 19 × 31 = 771001,
and set p1 = 5, then ∥b∥2 = 1 + 100(72 + 112 + 172 + 192 + 312 + a) = 1 + 100(1781 + a) is satisfiable
for some a ∈ Z.
We then pick an odd number D ∈ O(log2 n), and let u2 = D2 ∥b∥2 . Then u2 and (c + 1) determines t2 ,
which then determines M, P, r, and we finally compute s according to C.5 (we don’t need s or s2 to be
rational, we only need to compute s within sufficient precision in order to use Lemma 2.15 to prepare
complex Gaussian states).
Since we assume β ≥ 2, then by Lemma 3.6, the minimum of ∥b∥2 is 0.04 · 4p21 β 2 (n − κ) + 1 with all
but negl(n) probability. We summarize this condition and its implications as follows

√ √ 
log4 n

M
≥C.1 u2 log6 n >∥b∥≥O(√n),C.7 4∥b∥σ n log n, M 1


C.8 ∥b∥ ≥ O( n), so 2 r ∈C.7 O t2
<O n .

To get the best approximation factors for general lattice problems, we aim at solving LWEκ−1 chosen secret
ℓ ,D
ℓ,m,q,DZ,β
√ 4
Z,β

where m ∈ O(ℓ log q), β = 2 ℓ, q ∈ Õ(ℓ ), implying n ∈ O(ℓ log ℓ). Then we set

• u2 = ∥x∥2 ∈ D2 · O(β 2 n) ∈ Õ(n2 ), t2 ∈ O(log6 n) · u2 ∈ Õ(n2 ), M ∈ O(t2 ) ∈ Õ(n2 ),

 4 
• r ∈ O logt 4 n = O u4 log8 n ∈ Õ(n4 ), q ∈ O u4 log9 n ∈ Õ(n4 ), P ∈ O(t4 ) ∈ Õ(n4 ).

19
Then all parameter constraints are satisfiable. Readers on the first pass of the algorithm can keep this
set of parameters in mind. To get quantum algorithms for general lattice problems using Lemma 1.5, we
plug in α = Õ(n−3.5 ), yielding quantum algorithms that solve SIVPγ and GapSVPγ for all n-dimensional
lattices for γ ∈ Õ(n4.5 ).
We would like to mention that some constraints of parameters can be relaxed. For example, we believe
if we use more sophisticated Gaussian tail bound proof techniques to prove Lemma 3.24, then C.7 can
2 √
be relaxed to 2ut 1
r < 4β log2 n , saving another factor of n. But improving this bound would take more
technical effort while not helping improve the approximation factor achieved by our algorithm, so we
leave the loose bound√in Cond. C.7 as it is. Also, most of the log n factors appeared in the parameters
can be changed to ω( log n) because they are the byproduct of Lemma 2.6. But we are not aiming at
optimizing polylog(n) factors, so we simply use log n to keep the write-up clear.

3.4 Detailed overview of the main quantum algorithm

After setting up the parameters as in §3.3, we run a quantum subroutine consisting of nine steps for
O(n) times. Every time we run the quantum subroutine, we will obtain a classical linear equation with
random coefficients over the shortest vector in L⊥ q (A) (related to the LWE secret and error vectors).
Therefore after running it for O(n) times we will get a full rank system of linear equations and compute
the LWE secret and error terms by Gaussian elimination.
Let us first provide a high level description of the nine steps in the quantum subroutine, including the
state and classical information obtained in each step. We use |φi ⟩ to denote the quantum state obtained
at the end of Step i. The classical information obtained in Steps 1, 3, 5, 8 will be used in later steps,
so we mention where they are used to help readers keep track on them.

1. Prepare a uniform superposition over L ∩ ZnDq , and then apply a complex Gaussian window on it.
We obtain a classical string y′ ∈ ZnDq and a quantum state |φ1 ⟩:
   
X 1 i 2
|φ1 ⟩ = exp −π + ∥kx − y∥ |kx − y⟩ , (13)
n
r2 s2
k∈Z,kx−y∈(r log n)B∞

where y ∈ Zn is an unknown vector at this moment but its information is carried in y′ .

2. Compute |φ2 ⟩ = QFTZnP |φ1 ⟩.
3. Apply a complex Gaussian window on |φ2 ⟩, get |φ3 ⟩, z′ ∈ ZnP .
4. Compute |φ4 ⟩ = QFTZnP |φ3 ⟩.
5. Split |φ4 ⟩ into higher and lower order bits, then measure the lower order bits in Znt2 +u2 and get
h∗ ∈ Znt2 +u2 . Denote the residual state (containing the higher order bits in ZnM ) as |φ5 ⟩.
6. Compute |φ6 ⟩ = QFTZnM |φ5 ⟩. (The Karst wave feature is heavily used in the analysis of Step 6.)
7. Extract the centers of the Gaussian ball states in |φ6 ⟩ using y′ , z′ , and h∗ , get

X (2Dj)2 ∥k∥2 M
−2πi 2πi ′
|φ7 ⟩ = e 2M e 4 2Djx + v + k mod M , (14)
2
k∈0|Zn−1 ,j∈Z

20
 where v′ is a vector in L fixed by the previous measurements but unknown at this point.

8. Apply a sequence of small operations to extract v1′ mod D2 p1 , without collapsing the state, and
get |φ8 ⟩ = |φ7 ⟩.

9. From |φ8 ⟩, use the p2 , ..., pκ values planted in the secret vector in the instance of LWEk chosen secret ,
v1′ mod D2 p1 obtained in Step 8, and apply a few operations on |φ8 ⟩ to get a random vector
u ∈ ZnM satisfying
2
D E M
u1 + b∗[2...n] , u[2...n] ≡ 0 (mod ), (15)
2D2
where in b∗[2...n] = b∗[2...κ] |b∗[κ+1...n] , b∗[2...κ] is known and fixed, b∗[κ+1...n] = b[κ+1...n] , which is exactly
the secret term we want to learn.

We summarize the nine steps above in the following statement:

Lemma 3.8. There is a poly(n) time quantum algorithm that takes as input L⊥
q (A), where A is defined
in Eqn. (12), outputs a random vector u ∈ ZnM that satisfies Eqn. (15).
2

M
Since ∥b[κ+1...n] ∥∞ ≤ 2p1 ·β log n < 2D 2 , solving a system of the modular linear equations in Eqn. (15) re-
covers b[κ+1...n] completely. Therefore after collecting O(n) random vectors u ∈ ZnM satisfying Eqn. (15),
2
we recover b[κ+1...n] using Gaussian elimination, thus solving the LWEκ−1 chosen secret
ℓ,m,q,DZ,β ,DZ,β problem, which
completes the proof of Theorem 3.1.
Let us now explain the intuition behind our algorithm, see Fig. 2 for a proof-of-concept example.
The purpose of Step 1 is to obtain a classical string y′ and a complex Gaussian state |φ1 ⟩ in Eqn. (13).
The support of |φ1 ⟩ is on a line in the same direction with the secret shortest vector x. As mentioned
in the introduction in §1.3, |φ1 ⟩ looks very similar to an instance of EDCP, but we are not expecting
to finding out x using existing algorithms for EDCP at this point, so we continue.
The five steps from Steps 2 to 6 together make sure that the amplitude of |φ6 ⟩ in Step 6 is highly struc-
tural, consisting of small Gaussian balls. If we think of |φ1 ⟩ as in the time domain, then |φ2 ⟩ , |φ3 ⟩ , |φ6 ⟩
are in the frequency domain, and they should in general look chaotic if we don’t set the parameters (Con-
dition C.5 in particular) carefully. However, we tune the parameters carefully so that the amplitude of
|φ6 ⟩ is highly structural due to the feature of Karst wave.
The operations from Steps 3 to 5 serve for the purpose of modulus splitting, i.e., we split the large
modulus P into P = M · (t2 + u2 ), and the state in Step 5 only contains the higher order bits from the
state in Step 4. The purpose of modulus splitting can be seen from the Karst wave in Figure 1 (bottom
right): the absolute value of the amplitude of a Karst wave is periodic over a smaller modulus than P .
The intention of splitting the modulus is in fact originally motivated by a failed attempt of solving LWE
directly from Step 2, which is explained later in §3.7.1. Readers who are curious about the motivation
can take a look at §3.7.1, although it is unrelated to the actual algorithm that is working. Splitting the
modulus in a useful way is non-trivial. As we will see in Step 3, where we apply a complex Gaussian
window on |φ2 ⟩. The condition of u2 = ∥x∥2 is used starting from Step 3 (u2 is a parameter in the
complex Gaussian window in Step 3) – only when u2 = ∥x∥2 , we can guarantee that the amplitude of
|φ4 ⟩ splits clearly between its higher order bits in ZnM and lower order bits in Znt2 +u2 .

21
|φ6 ⟩ is an important state to understand so let us give more explanations about the patterns in the
amplitude of |φ6 ⟩. From Figure 2-(f), we see that |φ6 ⟩ contains lines of Gaussian balls of small width σ,
aligned in the direction of x. We can then shift those Gaussian balls to make sure their centers are on
L ∈ DZn , and then use naive rounding to DZn to extract their centers and get |φ7 ⟩ (see Figure 2-(g)).
As we can see from the expression of |φ7 ⟩ in Eqn. (14), now we get an EDCP-like state with purely
imaginary Gaussian amplitudes, which is much easier to work with. Imagine if we can learn one
coordinate of v′ , then we can convert |φ7 ⟩ into a correct EDCP state with a known, “wide” amplitude,
therefore by [CLZ22, Theorem 12], there is a polynomial time quantum algorithm for solving EDCP
with known, wide amplitudes. This is an idea that inspires the design of the actual algorithm, but
our actual algorithm is different, more down-to-earth, and does not rely on the knowledge of EDCP, so
readers who are not familiar with EDCP don’t need to worry about it.
Towards the goal of learning one coordinate of v′ , we first use the nice property of imaginary Gaussian
(i.e., center = phase) to obtain partial information of v1′ in Step 8 – we use the phase kickback trick to
change the phase of |φ7 ⟩, see Figure 2-(h), and then take QFT to get a linear equation and learn about
v1′ mod D2 p1 , see Figure 2-(i). Then in Step 9, we gain more information about v′ using the p2 , ..., pκ
values planted in the secret vector in the instance of LWEk chosen secret . Finally, we are able to extract a
modular linear equation about the LWE secret and error terms.

3.5 The main quantum subroutine

Now we start describing the detailed algorithm.

3.5.1 Step 1: Prepare a superposition over L∩ZnDq and apply a complex Gaussian window

Lemma 3.9. There is a poly(n) time quantum algorithm that takes L = D · L⊥

q (A) as input, outputs
   
X 1 i 2
|φ1 ⟩ = exp −π + ∥kx − y∥ |kx − y⟩ ,
n
r2 s2
k∈Z,kx−y∈(r log n)B∞

and a string y′ ∈ ZnDq such that y′ = v+y (the equation holds over Zn ), where v ∈ L, y ∈ Zn ∩r log nB∞
n .

Proof. Recall that L = D · L⊥ n

q (A). We start from preparing a uniform superposition over v ∈ L ∩ ZDq
and a complex Gaussian state
X X −πi∥y∥2
|v⟩ ⊗ ρr (y) · e s2 |y⟩ . (16)
v∈L∩Zn
Dq y∈Zn ∩(r log n)B∞
n

Here, the second −Ω(n) distance using Lemma 2.15. The

P register can be produced efficiently within 2
first register, v∈L∩Zn |v⟩, can be produced by
Dq

X X X
|v1 ⟩ − t | UT · v1 mod q 7→multiply


|v1 ⟩ |0m ⟩ 7→ by D |v⟩ .
v1 ∈Zqℓ+1 v1 ∈Zℓ+1
q
v∈L∩Zn
Dq

22
From the state in Eqn. (16), we add the first register to the second register:
X X −πi∥y∥2
|v⟩ ρr (y) · e s2 |y + v mod Dq⟩ (17)
v∈L∩Zn
Dq y∈Zn ∩(r log n)B∞
n

We then measure |y + v mod Dq⟩ and denote the result as y′ ∈ ZnDq , then compute |v⟩ 7→ |v − y′ mod Dq⟩
in the first register. Then the residual state can be written by dropping y = y′ −v mod Dq in Eqn. (17):
   
X 1 i ′
|φ1 ⟩ := exp −π 2
+ 2 ∥y − v mod Dq∥ 2
v − y′ mod Dq
r s
v∈L∩Zn ′ n
Dq ,v−y mod Dq∈Z ∩(r log n)B∞
n
   
X 1 i ′
= exp −π 2
+ 2 ∥y − v∥ 2
v − y′ .
′ n
r s
v∈L∩(y +(r log n)B∞ )

Dq
Here we can change the support in the second line because we set Dq > log 2
n
> 4(r log n) (C.4), and
for y ∈ ZDq , represented as y ∈ ((−Dq/2, Dq/2] ∩ Z) , any v ∈ L ∩ ZDq such that v − y′ mod Dq ∈
′ n ′ n n
n can be represented by v ∈ L ∩ (y′ + (r log n)B n ), i.e., there is no need to wrap around
Zn ∩ (r log n)B∞ ∞
mod Dq.
For the analysis of the next few steps, we write y′ as y′ = v + y where v ∈ L, y ∈ Zn ∩ r log nB∞ n (here

the equation holds over Zn , not over ZnDq , which will be important for the use of y′ in later steps because
we will add or subtract y′ over possibly different moduli than Dq; it is possible to write y′ = v + y
where v ∈ L, y ∈ Zn ∩ r log nB∞ n since DqZn ∈ L, so y′ ∈ v + y + DqZn and “+DqZn ” can be pushed

into v ∈ L). Note that we are not able to efficiently compute such a pair of v, y from y′ at this moment
since finding such a pair requires solving an approximate closest vector problem. We just use v, y as
unknown variables in the analysis of our algorithm. Note that there are multiple pairs of v, y that
satisfy y′ = v + y, v ∈ L, y ∈ Zn ∩ r log nB∞ n , we just pick one pair of them (the result of the upcoming

analysis is independent of which pair we pick).

Since λ∞
2 (L) > r log n > λ1 (L), |φ1 ⟩ equals to
   
X 1 i 2
|φ1 ⟩ = exp −π + ∥kx − y∥ |kx − y⟩ .
n
r2 s2
k∈Z,kx−y∈(r log n)B∞

For the convenience of Step 2, we show |φ1 ⟩ is negligibly close to the following state
   
′
X 1 i 2
φ1 := exp −π + ∥kx − y∥ |kx − y mod P ⟩
r2 s2
k∈Z

Lemma 3.10. |φ′1 ⟩ ≈t |φ1 ⟩.

Proof. We treat |φ′1 ⟩, |φ1 ⟩ as unnormalized vectors over CnP . We have ∥|φ1 ⟩∥22 ≤ 2r log n ∈ poly(n)

23
since there are at most 2r log n entries in the support. Also,

∥kx − y∥2
X  
′
φ1 − |φ1 ⟩ 1 ≤ exp −π
n
r2
k∈Z,kx−y∈(r
/ log n)B∞

∥kx − y∥2
X  
∈Lemma 2.6 exp −π · negl(n) ∈ 2r · negl(n) ∈ negl(n).
r2
k∈Z

Therefore, ∥|φ′1 ⟩ − |φ1 ⟩∥2 ≤ ∥|φ′1 ⟩ − |φ1 ⟩∥1 ∈ negl(n) · ∥|φ1 ⟩∥2 . So Lemma 3.10 follows Lemma 2.11.

3.5.2 Step 2: Apply QFTZnP on |φ1 ⟩

In Step 2, we apply QFTZnP on |φ1 ⟩ and get |φ2 ⟩ := QFTZnP |φ1 ⟩.

The expression of |φ2 ⟩ is derived as follows:
 2
s + r2 i
  
∥kx − y∥ e−2πi⟨kx−y, P ⟩ |z⟩
X X z
2
|φ2 ⟩ ≈t exp −π 2 2
s r
z∈Zn
P k∈Z

s2 + r2 i
   
(k ∥x∥ − 2k ⟨x, y⟩ + ∥y∥ ) e−2πi⟨kx−y, P ⟩ |z⟩
X X z
2 2 2
= exp −π 2 2
s r
z∈Zn
P k∈Z
 ! (18)
∥x∥2 (s2 + r2 i) ⟨x, y⟩ 2 −2πi⟨kx, z ⟩ 2πi⟨y, z ⟩
X X 
∝(a) exp −π k− e P e P |z⟩

n
s2 r2 ∥x∥2
z∈ZP k∈Z
 !
s2 r2 (s2 − r2 i) ⟨x, z⟩ 2 −2πi ⟨x,y⟩
  
⟨x,z⟩
j+ P
e2πi⟨y, P ⟩ |z⟩ ,
X X z
2
=(b) exp −π 2 4 4
j+ e ∥x∥

n
∥x∥ (s + r ) P
z∈ZP j∈Z

  2 2     2 
2 2 2
where ≈t follows Lemma 3.10; (a) holds since exp −π s s+r i
∥y∥ 2 and exp −π ∥x∥ (s +r i) ⟨x,y⟩
2 r2 s2 r 2 ∥x∥2
only contribute to global amplitudes so that can dropped (recall that x and y are fixed); (b) uses PSF
(Lemma 2.4) and the Fourier transformation of complex Gaussian (Eqn. (1)).

3.5.3 Step 3: Apply a complex Gaussian window on |φ2 ⟩, get |φ3 ⟩ and z′

Let us denote f2 : Zn 7→ C as the amplitude of |z⟩ in |φ2 ⟩, i.e., |φ2 ⟩ = z∈Zn f2 (z) |z⟩. Note that we
P
P
can naturally define f2 over all Zn , not just ZnP , as f2 (z) = f2 (z mod P ). Setting the domain of f2 to
be Zn will be useful in the proof of Lemma 3.20.
In Step 3, we first prepare the following
√
complex Gaussian state using Lemma 2.15: (recall from
P u r4 +s4
Cond. C.6 that V is defined to be rs2 t
, the width of the real part of the following state)

t2 r2 s2 (s2 − r2 i)
X  
2
|φG ⟩ := exp −π 2 2 4 ∥z G ∥ |zG ⟩ . (19)
P u (s + r4 )
zG ∈Zn ∩V n
log nB∞

24
We then append |φG ⟩ after |φ2 ⟩, and add the first register onto the second register:

t2 r2 s2 (s2 − r2 i)
X X  
2
|φ2 ⟩ ⊗ |φG ⟩ = f2 (z) |z⟩ exp −π 2 2 4 ∥z G ∥ |zG ⟩
n n n
P u (s + r4 )
z∈ZP zG ∈Z ∩V log nB∞
(20)
t2 r2 s2 (s2 − r2 i)
X X  
2
7→ f2 (z) |z⟩ exp −π 2 2 4 ∥zG ∥ |z + zG mod P ⟩ .
n n n
P u (s + r4 )
z∈ZP zG ∈Z ∩V log nB∞

We now measure the register |z + zG mod P ⟩ and denote the measurement result as z′ ∈ ZnP . Then the
residual state can be written by dropping zG = z′ − z mod P into Eqn. (20):

t2 r2 s2 (s2 − r2 i)
X  
′ 2
f2 (z) exp −π 2 2 4 ∥z − z mod P ∥ |z⟩
P u (s + r4 )
z∈Zn
P ,z−z ′ mod P ∈Zn ∩V log nB n
∞

t2 r2 s2 (s2 − r2 i)
X  
= f2 (z) exp −π 2 2 4 4)
∥z − z ∥ |z⟩ =: φ′3
′ 2
(21)
P u (s + r
z∈z′ +(Zn ∩V log nB∞n )

t2 r2 s2 (s2 − r2 i)
X  
′ 2
≈t f2 (z) exp −π 2 2 4 ∥z − z ∥ |z mod P ⟩ =: |φ3 ⟩ .
n
P u (s + r4 )
z∈Z

Here in = we can remove mod P since the support of z is restricted in z′ + (Zn ∩ V log nB∞ n ), and

V > 2 log n (C.6), so there is no need to wrap around mod P ; ≈t is proven in Lemma 3.20 in §3.6.2.
P

From now on we will always assume our guess of u2 = ∥x∥2 is correct, then

s2 r2 (s2 − r2 i) t2 r2 s2 (s2 − r2 i)
XX    
2 ′ 2
|φ3 ⟩ = exp −π 2 (P j + ⟨x, z⟩) exp −π 2 ∥z − z ∥
n
P ∥x∥2 (s4 + r4 ) P ∥x∥2 (s4 + r4 )
z∈Z j∈Z
 
⟨x,y⟩ ⟨x,z⟩
−2πi j+
e2πi⟨y, P ⟩ |z mod P ⟩
z
·e ∥x∥2 P

(22)
s2 r2 (s2 − r2 i)
 
XX
2
=(a) exp −π 2 2 4 4
(z − dj )T Σ−1 (z − dj ) + Cj
P ∥x∥ (s + r )
z∈Zn j∈Z
D E
⟨x,y⟩ ⟨x,y⟩x y
−2πi j −2πi 2 − P ,z
·e ∥x∥2 e ∥x∥ P |z mod P ⟩ ,

where
P j + ⟨x, z′ ⟩ t2
dj := z′ − x , C j := (P j + x, z′ )2 ,
t2 + ∥x∥2 t2 + ∥x∥2
(23)
xxT
 
−1 2 T 1
Σ := t In + xx , Σ =(b) 2 In − 2 ;
t t + ∥x∥2

(a) will be proved in Lemma 3.21 in §3.6.2, (b) is derived from Formula (8).

3.5.4 Step 4: Apply QFTZnP on |φ3 ⟩

We compute |φ4 ⟩ := QFTZnP |φ3 ⟩, which gives

25
 s2 r2 (s2 − r2 i)
  D E
X XX
T −1

2 −2πi ⟨x,y⟩2 j −2πi Ph + ⟨x,y⟩x y
−P ,z
|φ4 ⟩ = exp −π 2 (z − dj ) Σ (z − dj ) + Cj e ∥x∥ e ∥x∥2 P |h⟩
P ∥x∥2 (s4 + r4 )
h∈Zn
P z∈Zn j∈Z

T !
P 2 ∥x∥2 (s2 + r2 i)
 
X X h ⟨x, y⟩ x y h ⟨x, y⟩ x y
=(a) exp −π m+ + − ·Σ· m+ + −
n n
s2 r2 P ∥x∥2 P P P ∥x∥2 P P
h∈ZP m∈Z
s2 r 2 (s2 −r 2 i)
D E
h ⟨x,y⟩x y ⟨x,y⟩
−2πi dj ,m+ P + ∥x∥2 P − P −2πi ∥x∥2 j −π P 2 ∥x∥2 (s4 +r4 ) Cj
X
· e ·e ·e |h⟩
j∈Z
T !
∥x∥2 (s2 + r2 i)
 
X X ⟨x, y⟩ x ⟨x, y⟩ x
= exp −π h+m+ −y ·Σ· h+m+ −y
s2 r2 ∥x∥2 ∥x∥2
h∈Zn
P m∈P Z
n
 
⟨x,y⟩x
dj ,h+m+ −y ⟨x,y⟩ s2 r 2 (s2 −r 2 i)
X ∥x∥2 −2πi ∥x∥2 j −π P 2 ∥x∥2 (s4 +r4 ) Cj
−2πi
· e P ·e ·e |h⟩ ,
j∈Z
(24)

where Σ−1 , Σ, dj , Cj are defined in Eqn. (23); (a) uses PSF from
P P
z∈Zn to m∈Zn .

3.5.5 Step 5: Split |φ4 ⟩ into higher and lower order bits |h′ ⟩ |h′′ ⟩, then measure |h′′ ⟩
P ′ 2 2 ′′
Recall from Condition C.2 that M = t2 +u 2 . We write the variable h in |φ4 ⟩ as h = h · (t + u ) + h ,
′ n ′′ n
where h ∈ ZM represents the higher order bits of h, and h ∈ Zt2 +u2 represents the lower order bits
of h. Therefore |h⟩ can be split into |h′ ⟩ |h′′ ⟩. We then measure the |h′′ ⟩ register and denote the
measurement result as h∗ ∈ Znt2 +u2 , denote the residual state as |φ5 ⟩.
To derive the expression of |φ5 ⟩, we note that |φ4 ⟩ can be equivalently written as
T
∥x∥2 (s2 +r 2 i)
  
⟨x,y⟩x ⟨x,y⟩x
X X X −π h′ ·(t2 +∥x∥2 )+h′′ +m+ −y ·Σ· h′ ·(t2 +∥x∥2 )+h′′ +m+ −y
|φ4 ⟩ = e s2 r 2 ∥x∥2 ∥x∥2

h′ ∈Zn ′′ n
M h ∈Z 2 m∈P Zn
t +∥x∥2

P j+⟨x,z′ ⟩ ′ 2
* +
⟨x,y⟩x
z′ −x 2 ,h ·(t +∥x∥2 )+h′′ +m+ −y
t +∥x∥ 2 ∥x∥2 ⟨x,y⟩ s2 r 2 (s2 −r 2 i)
X
−2πi −2πi j −π C
· e P ·e ∥x∥2 ·e P 2 ∥x∥2 (s4 +r 4 ) j h′ h′′ .
j∈Z
(25)

We then measure the |h′′ ⟩ register and denote the result as h∗ ∈ Znt2 +∥x∥2 . In Lemma 3.24 in §3.6.3,
−Ω(n) ∗
we show
 ∗ that, with probability ′
 1 − 22 √ over the randomness in the measurement, h satisfies
dist t2⟨h+∥x∥
,x⟩ ⟨x,y⟩ ⟨x,z ⟩
2 − ∥x∥2 + t2 +∥x∥2 , Z ≤ 2ut
r
1
n log n <C.7 4β log n.
P
To understand how |φ5 ⟩ looks like, let us take a closer look at the term inside j∈Z in Eqn. (25). In

26
fact, the only term that depends on all h′ , m, and j is
* ∗
+
h′ + 2h +m2
P j+⟨x,z′ ⟩ t +∥x∥
P j+⟨x,z′ ⟩ h′ ·(t2 +∥x∥2 )+h∗ +m −2πi z′ −x 2 ,
 
−2πi z′ −x 2 , t +∥x∥2 M
2
t +∥x∥ P
e = e
* ∗
+ * ∗
+
h′ + 2h +m2 h′ + 2h +m2
⟨x,z′ ⟩ t +∥x∥ t +∥x∥
−2πi z′ −x , −2πi −x 2 P j 2 ,
t2 +∥x∥2 M t +∥x∥ M

= e ·e
* ∗
+
h′ + 2h +m2
⟨x,z′ ⟩ t +∥x∥
−2πi z′ −x 2 ,
t +∥x∥2 M h∗ +m
D E
2πi xj,h′ +
= e ·e t2 +∥x∥2

h∗ +m h∗
D E D E
2πi xj,h′ + 2πi xj,
Since h′ + m
t2 +∥x∥2
∈ Zn , x∈ Zn , j ∈ Z, so e t2 +∥x∥2 =e t2 +∥x∥2 . Therefore, the term
 
Pj ⟨x,y⟩x
−x 2 ,h′ ·(t2 +∥x∥2 )+h′′ +m+ −y ⟨x,y⟩ s2 r 2 (s2 −r 2 i)
t +∥x∥2 ∥x∥2 −2πi j −π C
P −2πi ∥x∥2 P 2 ∥x∥2 (s4 +r 4 ) j
j∈Z e
P ·e ·e in Eqn. (25) is completely
independent of h′ , m, i.e., it merely contributes to the global amplitude of |φ5 ⟩. So

⟨x,y⟩x T 
⟨x,y⟩x
 
h∗ + −y h∗ + −y
(t2 +∥x∥2 )2 ∥x∥2 (s2 +r 2 i)  ′ m ∥x∥2 ∥x∥2
−π 2 2 h+ 2 2 + 2 2
 ·Σ·h′ + 2 m 2 + 
X X s r t +∥x∥ t +∥x∥ t +∥x∥ t +∥x∥2
2
|φ5 ⟩ = e
h′ ∈Zn
M m∈P Zn (26)
* ∗
+
h′ + 2m+h 2
⟨x,z′ ⟩ t +∥x∥
−2πi z′ −x 2 ,
t +∥x∥2 M

·e h′ .

3.5.6 Step 6: Apply QFTZnM on |φ5 ⟩

2t
 
We compute |φ6 ⟩ := QFTZnM |φ5 ⟩. Recall from Cond. C.6 where we define σ = u√rs 4
r +s 4
∈ 2 log n, D
4 log n ,
an important width parameter used in Steps 6 and 7. We show in Lemmas 3.27 and 3.29 in §3.6.4 that
|φ6 ⟩ is negl(n)-close to (we remove the support in |φ6 ⟩ with negligible weight to get |φ′′′
6 ⟩):

T
 2
In − xx 2
∥x∥
(c′ − M2 kc )
e−π
X
φ′′′
6 = σ2

c∈Zn
M, kc ∈0|Zn−1 , j∈Z s.t.
⟨z′ +h∗ ,x⟩
 
M
kc −(z′ +h∗ −y)−x⟨x,k c ⟩+2Djx+x −
⟨y,x⟩
−c ≤σ log n (27)
2 t2 +∥x∥2 ∥x∥2
∞
! 2
−π 1
2Djx−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ x
σx2 ∥x∥2 t2 +∥x∥2
·e · e2πiϕ6 (c,kc ,j) |c⟩ ,
′⟩
   
⟨x,y⟩
where c′ := c + z′ + h∗ − y + x ∥x∥2
− t2⟨x,z
+∥x∥ 2 , σ 2 ∈ C satisfies Re
x
1
σ2
∈ σ12 · (1, 3), ϕ6 (c, kc , j) ∈ R
x
contains phase terms:
2
⟨x,z′ ⟩ x ⟨x,z′ ⟩ x
c+z′ − 2
c+z′ − 2 t +∥x∥2
T t +∥x∥2
e2πiϕ6 (c,kc ,j) := e 2πikc · M · e−2πi M2
!! 2!
(28)
−2πi
⟨(c′ − M2 kc ),x⟩ 2Dj−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ + t2 ⟨(c′ − M2 kc ),x⟩
M ∥x∥2 ∥x∥2 t2 +∥x∥2 M2 ∥x∥4
·e .

27
|φ6 ⟩ is an important state in the whole algorithm, but its detailed proofs are long – the proof of
Lemma 3.27 (the Fourier transform calculation for |φ6 ⟩) alone takes about seven pages, so we defer
them to §3.6.4. Here let us provide some explanations about |φ′′′ ′′′
6 ⟩. For |φ6 ⟩, its support contains
M
2n−1 · 2D 2 elliptical Gaussian balls (see Figure 2-(f)), centered at

 ′
⟨z + h∗ , x⟩ ⟨y, x⟩

M ′ ∗
kc − (z + h − y) − x ⟨x, kc ⟩ + 2Djx + x − , (29)
2 t2 + ∥x∥2 ∥x∥2

for some kc ∈ 0|Zn−1 and j ∈ Z (formally proved in Lemma 3.28). The width of the elliptical Gaussian
balls is σ in the direction orthogonal to x, and is slightly smaller than σ in the direction of x. The
D n
width σ is smaller than 4 log n , indicating that Karst wave appears, and we will use rounding to DZ to
extract the centers of those Gaussian balls in Step 7. Note that kc runs over 0|Zn−1 instead of Zn since
x
we decompose the support into those on the same line with b = D (running over j ∈ Z) and those not
on the same line with b (running over kc ∈ 0|Z n−1 ), and there is a simple bijection between Zn and
0|Z n−1 × bZ, since we know the first coordinate of b is −1.

3.5.7 Step 7: Extract the centers of |φ6 ⟩ to get a purely imaginary Gaussian state |φ7 ⟩

Recall from Eqn. (27) that |φ′′′

6 ⟩ can be written as

T
 2
In − xx 2
∥x∥
(c′ − M2 kc )
e−π
X
φ′′′
6 = σ2

c∈Zn , kc ∈0|Zn−1 ,
 j∈Z s.t.
⟨z′ +h∗ ,x⟩

M ⟨y,x⟩
kc −(z′ +h∗ −y)−x⟨x,k c ⟩+2Djx+x − −c ≤σ log n
2 t2 +∥x∥2 ∥x∥2
∞
! 2
−π 12 2Djx−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ x
σx ∥x∥2 t2 +∥x∥2
·e · e2πiϕ6 (c,kc ,j) |c mod M ⟩ ,

where
2
⟨x,z′ ⟩ x ⟨x,z′ ⟩ x
c+z′ − 2
c+z′ − 2 t +∥x∥2
T t +∥x∥2
e2πiϕ6 (c,kc ,j) := e 2πikc · M · e−2πi M2
!! 2!
−2πi
⟨(c′ − M2 kc ),x⟩ 2Dj−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ 2
+ t2
⟨(c′ − M2 kc ),x⟩
M ∥x∥2 ∥x∥2 t2 +∥x∥2 M ∥x∥4
·e
2
⟨x,z′ ⟩ x− M k
c+z′ − 2
t +∥x∥2 2 c (30)
∥kc ∥2
−2πi 2πi
= |e } ·e
M2 4
{z
=:I1
!!
−2πi
⟨(c′ − M2 kc ),x⟩ ⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ ⟨(c′ − M2 kc ),x⟩
2
2Dj− t2
M ∥x∥2 ∥x∥2 t2 +∥x∥2 −2πi
· e| M2 ∥x∥4
{z } · e| {z }.
=:I2 =:I3

Here we regroup the exponents in the second line for the convenience of the upcoming calculations.
Let us remark that here we write |φ′′′ ′′′
P P
6⟩ = c∈Zn f6 (c) |c mod M ⟩ instead of |φ6 ⟩ = c∈Zn
M
f6 (c) |c⟩
in Eqn. (27). We can do so because the amplitude function f6 is M -periodic. To see why, recall that

28
|φ6 ⟩ = QFTZnM |φ5 ⟩, and we derive the amplitudes in Eqn. (27) without using the fact that c ∈ ZnM , so
that the expression of f6 (c) directly holds for all c ∈ Zn and is M -periodic.
In Step 7 we perform four operations. The main purpose of those operations is to extract the centers
of Gaussian balls in |φ6 ⟩ to get a state where the amplitude is purely imaginary Gaussian.
Lemma 3.11. There is a quantum algorithm that takes as input |φ′′′ ′ ′ ∗
6 ⟩, y , z , h , outputs a state

X (2Dj−⟨kc ,x⟩)2 ∥kc ∥2 M
−2πi 2πi ′
|φ7 ⟩ := e 2M e 4 (2Dj − ⟨kc , x⟩)x + k x − v + kc mod M ,
n−1
2
kc ∈0|Z ,j∈Z

⟨z′ +h∗ ,x⟩

j m
⟨x,y⟩
where k ′ := t2 +∥x∥2
− ∥x∥2
. The running time is in poly(n).

Proof. The first operation takes the register from |c mod M ⟩ to |c + z′ + h∗ − y′ mod M ⟩. Note that
y′ ∈ ZnDq is obtained in Step 1, z′ ∈ ZnP is obtained in Step 3, h∗ ∈ ZnM is obtained in Step 5, so we can
2
perform this operation efficiently. Here we interpret y′ , z′ , h∗ as strings in Zn . Readers may worry that
the modulus of y′ ∈ ZnDq and h∗ ∈ ZnM does not divide M , and it may cause a problem later. Here we
2
will guarantee that the modulus does not cause a problem because the main equation for representing
the centers of Gaussian balls, Eqn. (29), holds over Zn , and recall in Step 1 that we can write y′ = v + y
where the equation also holds over Zn .
Let us move on. The second operation computes the following in the second register:
 ′
⟨z + h∗ , x⟩ ⟨y, x⟩
  
M
⌊c + z′ + h∗ − y′ mod M ⌉D ∈(a) kc − x ⟨x, kc ⟩ + 2Djx + x − − v + σ log nB n
∞ mod M
2 t2 + ∥x∥2 ∥x∥2 D
 ′
⟨z + h∗ , x⟩ ⟨y, x⟩

M
=(b) kc − x ⟨x, kc ⟩ + 2Djx + x − − v mod M,
2 t2 + ∥x∥2 ∥x∥2
(31)
D
where (a) is derived from the formula of the centers of c in Eqn. (29); (b) is derived from σ log n < 4
(C.6), and the fact that M n
2 kc − x ⟨x, kc ⟩ + 2Djx − v ∈ DZ , and the following equation:
⟨z′ + h∗ , x⟩ ⟨y, x⟩ ⟨z′ + h∗ , x⟩ ⟨y, x⟩
 ′
⟨z + h∗ , x⟩ ⟨y, x⟩
    
D n
x − =(c) x − + xe ∈(d) x − + B∞ ,
t2 + ∥x∥2 ∥x∥2 2
t + ∥x∥ 2 ∥x∥ 2 2
t + ∥x∥ 2 ∥x∥ 2 4
′ +h∗ ,x⟩
j ′ ∗ m
where (c) uses Lemma 3.24 which implies ⟨zt2 +∥x∥ 2 − ⟨y,x⟩
∥x∥2
= ⟨z +h ,x⟩
t2 +∥x∥2
− ⟨y,x⟩
∥x∥2
+ e where |e| ≤
2ut2 √ 1
r n log n ≤C.7 4β log n ; (d) uses ∥b∥∞ ≤ β log n in Lemma 3.6. Therefore Eqn. (31) holds.
j ′ ∗ m
⟨z +h ,x⟩ ⟨x,y⟩
From now on we denote k ′ := 2
t +∥x∥2 − ∥x∥ 2 . So after two operations, we get |φ6.b ⟩:

T
 2
In − xx 2 ( c′ − M
2 kc )
∥x∥
e−π
X
|φ6.b ⟩ := σ2

c∈Zn , kc ∈0|Zn−1
, j∈Z s.t.
⟨z′ +h∗ ,x⟩ ⟨y,x⟩

M ′ ∗
2
k c −(z +h −y)−x⟨x,k c ⟩+2Djx+x 2 2 − 2 −c ≤σ log n
t +∥x∥ ∥x∥
∞
! 2
(32)
−π 12 2Djx−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ x
σx ∥x∥2 t2 +∥x∥2
·e · e2πiϕ6 (c,kc ,j)

M
c + z′ + h∗ − y′ mod M ′


kc + 2Dj − ⟨kc , x⟩ + k x − v mod M .
2

29
In the third operation, we subtract (over ZnM ) the first register by the second register and denote the re-
sult as |φ6.c ⟩. To derive the expression of |φ6.c ⟩, we let d := c+z′ +h∗ −y′ − M ′


2 kc + (2Dj − ⟨kc , x⟩ + k ) x − v .
Then we can rewrite the common expressions in Eqn. (32) and Eqn. (30) as
⟨x, z′ ⟩ M ⟨x, z′ ⟩
c + z′ − 2 2
− kc = d − (h∗ − y′ ) + (2Dj − ⟨kc , x⟩ + k ′ ) x − v − 2
t + ∥x∥ 2 t + ∥x∥2
c′ − M


2 kc , x ⟨d, x⟩ ⟨v, x⟩ ′ ⟨z′ , x⟩ ⟨y′ , x⟩
= 2Dj − ⟨k c , x⟩ + − + k − + (33)
∥x∥2 ∥x∥2 ∥x∥2 t2 + ∥x∥2 ∥x∥2
′ M ∗ M



c − 2 kc , x h − 2 kc , x ⟨d, x⟩ ⟨v, x⟩ ′ ⟨z + h , x⟩ ⟨y′ , x⟩
′ ∗
− − 2Dj = − + k − + .
∥x∥2 t2 + ∥x∥2 ∥x∥2 ∥x∥2 t2 + ∥x∥2 ∥x∥2

Therefore |φ6.c ⟩ equals to


T
 2 2
In − xx 2 ⟨z′ +h∗ ,x⟩ ⟨y,x⟩
 
d 1 ⟨d,x⟩
X −π
∥x∥ −π 2 +k′ − 2 + x
σx ∥x∥2 t +∥x∥2 ∥x∥2
|φ6.c ⟩ := e σ2 ·e
d∈Zn , kc ∈0|Zn−1 ,
j∈Z s.t.
⟨z′ +h∗ ,x⟩ ⟨y,x⟩

x − −k ′ −d ≤σ log n
2
t +∥x∥ 2 2∥x∥
∞

M
2πiϕ7 (d,kc ,j)
kc + 2Dj − ⟨kc , x⟩ + k ′ x − v mod M


·e |d⟩ ,
2

where ϕ7 (d, kc , j) ∈ R is the phase term by rewriting c in ϕ6 (c, kc , j) as a function of d, kc , j (the

expression will be given soon in Claim 3.12). Note that the real amplitude in the first line of |φ6.c ⟩ is
independent of j and kc .
After measuring |d⟩ → d′ (d′ is not used anymore so we can throw it away), the residual state |φ7 ⟩ is

X
2πiϕ7 (d′ ,kc ,j) ′

M
|φ7 ⟩ = e (2Dj − ⟨kc , x⟩) x + k x − v + kc mod M . (34)
n−1
2
kc ∈0|Z ,j∈Z

′ (2Dj−⟨kc ,x⟩)2 ∥kc ∥2

Claim 3.12. e2πiϕ7 (d ,kc ,j) ∝ e−2πi 2M e2πi 4 .

Proof. We replace the use of c in e2πiϕ6 (c,kc ,j) in Eqn. (30) by d (see the common replacements in
Eqn. (33)). We check each term of I1 , I2 , I3 carefully (here ∝ hides terms that contribute to the
constant phase of the state, we will only keep terms that depend on j or kc ):

1 ⟨x,z′ ⟩ ⟨x,z′ ⟩ 2
−2πi ∥c+z′ − 2 −M kc ∥2 −2πi 1
∥d−(h∗ −y′ )+(2Dj−⟨kc ,x⟩+k′ )x−v− 2 ∥
I1 = I1 (kc , j) = e M2 t +∥x∥2 2
=e M2 t +∥x∥2

⟨x,z′ ⟩
  
−2πi 12 (2Dj−⟨kc ,x⟩)2 ∥x∥2 +2(2Dj−⟨kc ,x⟩)·xT · d−(h∗ −y′ )+k′ x−v− 2 2
M t +∥x∥
∝ e ,
!!!
⟨( c′ − M ) ⟩
2 kc ,x ⟨( c′ − M
2 kc ,x ) ⟩−⟨ h∗ − M
2 kc ,x ⟩
−2πi 2Dj−
M ∥x∥2 ∥x∥2 t2 +∥x∥2
I2 = I2 (kc , j) = e
⟨z′ ,x⟩ ⟨y′ ,x⟩ ⟨z′ +h∗ ,x⟩ ⟨y′ ,x⟩
  
1 ⟨d,x⟩ ⟨v,x⟩ ⟨d,x⟩ ⟨v,x⟩
2πi M 2Dj−⟨kc ,x⟩+ − +k′ − 2 + − +k′ − 2 +
∥x∥2 ∥x∥2 t +∥x∥2 ∥x∥2 ∥x∥2 ∥x∥2 t +∥x∥2 ∥x∥2
= e
′ ∗ ′
 
1 ⟨d,x⟩ ⟨v,x⟩ ′ ⟨z +h ,x⟩ + ⟨y ,x⟩
2πi M (2Dj−⟨kc ,x⟩) 2− ∥x∥2 +k − 2
∥x∥ 2 2
t +∥x∥ ∥x∥
∝ e ,

30
 2!
−2πi t2 ⟨(c′ − M2 kc ),x⟩
M2 ∥x∥4
I3 = I3 (kc , j) = e
2
⟨z′ ,x⟩ ⟨y′ ,x⟩

t2 ⟨d,x⟩ ⟨v,x⟩ ′
−2πi 2Dj−⟨kc ,x⟩+ 2− 2 +k − 2 2+
M2 ∥x∥ ∥x∥ t +∥x∥ 2 ∥x∥
= e ·
⟨z′ ,x⟩ ⟨y′ ,x⟩
  
2 ⟨d,x⟩ ⟨v,x⟩
−2πi t 2 (2Dj−⟨kc ,x⟩)2 +2(2Dj−⟨kc ,x⟩) 2−
′
2 +k − 2 2+ 2
M ∥x∥ ∥x∥ t +∥x∥ ∥x∥
∝ e .

′ ∥kc ∥2 (2Dj−⟨kc ,x⟩)2 ∥kc ∥2

To verify e2πiϕ7 (d ,kc ,j) = I1 ·I2 ·I3 ·e2πi 4 = e−2πi 2M e2πi 4 , we check every terms. The terms
2
involving (2Dj − ⟨kc , x⟩) only appear in I1 and I3 , where the coefficient is − ∥x∥
2
M
t2 1
2 − M 2 = − 2M . The
′ ,x⟩ ′ ,x⟩
 
terms involving (2Dj − ⟨kc , x⟩) ⟨d,x⟩ ∥x∥2
− ⟨v,x⟩
∥x∥2
+ k ′ − t2⟨z
+∥x∥2
+ ⟨y
∥x∥2
appear in I1 , I2 , and I3 , where
⟨h∗ ,x⟩
2 2
 
the coefficient is − 2∥x∥M 2 + M
1
− M
2t
2 = 0. The terms involving (2Dj − ⟨k c , x⟩) − 2
t +∥x∥ 2 appear in I1
2 +∥x∥2 )
and I2 , where the coefficient is − 2(t M2
+ 1
M = 0. This concludes the proof of Claim 3.12.

This concludes the proof of Lemma 3.11.

For the convenience of the upcoming analysis, we make a few notation changes in |φ7 ⟩. First, since
k ′ x − v is fixed before the end of Step 7, we combine it in one term by denoting it as v′ := k ′ x − v.
Second, since we set b[2...n] ∈ 2Z, we can make sure that ⟨kc , x⟩ ∈ 2DZ for any kc ∈ 0 | Zn−1 , so we
can change the variable 2Dj − ⟨kc , x⟩ to 2Dj ′ for some j ′ (note that without b[2...n] ∈ 2Z, we cannot
make such a change; all calculations in previous steps hold even when b[2...n] ∈ / 2Z). Therefore |φ7 ⟩ can
be equivalently written as:

(2Dj ′ )2 ∥k ∥2 M
2πi c4
X
−2πi 2M ′ ′
|φ7 ⟩ = e e 2Dj x + v + kc mod M
n−1 ′
2
kc ∈0|Z ,j ∈Z
 (35)
X (2Dj)2 ∥k∥2 M
−2πi 2M 2πi 4 ′
= e e 2Djx + v + k mod M ,
n−1
2
k∈0|Z ,j∈Z

where in the second line we keep simplifying notations by changing j ′ to j and changing kc to k (since
now there is no link from kc to c, unlike in Steps 6).

3.5.8 Step 8: Extract v1′ mod D2 p1 and keep |φ8 ⟩ = |φ7 ⟩

In Step 8, we first perform four operations, then make a partial measurement, and finally reverse the
four operations (we will make sure that the four operations are reversible). The goal is to extract
v1′ mod D2 p1 , and in the end get back to |φ7 ⟩. I.e., we will learn v1′ mod D2 p1 without collapsing or
modifying |φ7 ⟩.

Lemma 3.13. There is a poly(n) time quantum algorithm that takes |φ7 ⟩ defined in Eqn. (35) as input,
outputs v1′ mod D2 p1 and |φ8 ⟩ = |φ7 ⟩.

31
Proof. In the first operation, we apply the domain extension trick (Lemma 2.17, which is reversible) to
extend the modulus from M to DM , so as to get

X (2Dj)2 ∥k∥2 M
−2πi 2M 2πi 4 ′
|φ7.a ⟩ = e e 2Djx + v + k mod DM .
n−1
2
k∈0|Z ,j∈Z

In the second operation, we “divide the whole register by D”. We can do so because 2Djx + v′ + M
2 k∈
n n
DZ , so we simply measure the modulo D part of the register (we will always get 0 mod D), and
interpret the remaining register as being divided by D. So the residual state becomes

v′

X (2Dj)2 ∥k∥2 M
−2πi 2M 2πi 4
|φ7.b ⟩ = e e 2Djb + + k mod M .
n−1
D 2D
k∈0|Z ,j∈Z

Note that this operation is also reversible: we just “multiply by D” by creating |0n mod D⟩ and inter-
preting them as the LSBs.
v′
The third operation applies the phase kickback trick on the first coordinate, −2Dj + D mod M , to
v′ v′
((2Dj)·(−1)+ 1 )2 (2Dj)2 −2(2Dj) 1
2πi D 2πi D
multiply e ∝e
2M 2M on the amplitude, so as to remove the quadratic term
of j in the amplitude and get
v′
(2Dj) 1 v′

X D ∥k∥2 M
−2πi 2πi
|φ7.c ⟩ = e M e 4 2Djb + + k mod M .
D 2D
k∈0|Zn−1 ,j∈Z

Let us remark that the first three operations in Step 8 preserve the M -periodicity of the amplitude:
the amplitude remains M -periodic after the first two operations; in the third operation, for any a ∈ Z,
(a+M )2 2 +M 2 a2 ′
2M = a +2aM
2M ∈M ∈2Z 2M + Z, so the “mod M ” in −2Dj + vD mod M can be dropped in
v′
((2Dj)·(−1)+ 1 )2
2πi D
e 2M , and the third operation also preserves M -periodicity.
The fourth operation applies QFTZnM on |φ7.c ⟩ and get

v′
!
v′ ,w
 
(2Dj) ⟨b,w⟩+ 1
 
D ∥k∥2 ⟨k,w⟩
X X D 2πi −
e−2πi e−2πi
4 2D
|φ7.d ⟩ = M M e |w⟩ .
w∈Zn
M k∈0|Z
n−1 ,j∈Z

Before we describe the fifth operation, let us first understand what if we measure the entire |w⟩ now.
v′
Claim 3.14. If we measure |w⟩ in |φ7.d ⟩, then we always get a vector w ∈ ZnM that satisfies ⟨b, w⟩+ D1 ≡
M v1′
0 (mod 2D ), w[2...n] ∈ DZn−1 , and w1 ≡ D (mod Dp1 ).

Proof. Let us first fix any k ∈ 0 | Zn−1 and look! at the only term in the amplitude of |φ7.d ⟩ that
v′
v′ j ⟨b,w⟩+ 1
!
(2Dj) ⟨b,w⟩+ 1 D
D −2πi M
depends on j: e−2πi M =e 2D . Therefore, running over the summation of j ∈ Z,
v′ M
the amplitude on |w⟩ will only be non-zero when ⟨b, w⟩ + D1 ≡ 0 (mod 2D ).

32
Then, to see the impact of the summation over k ∈ 0 | Zn−1 on the amplitude of w, we observe that
 
∥k∥2 ⟨k,w⟩
X 2πi − X ∥k∥2 ⟨k,w⟩
eπi e−2πi
4 2D
e = 2 2D

k∈0|Zn−1 k∈0|Zn−1
D w E
w[2...n] [2...n] w[2...n]
∥2 −2πi l, D −2πi∥ 2D ∥2
X X
−2πi∥l+
= e 2D = e e .
l∈Zn−1 l∈Zn−1

Therefore the amplitude of |φ7.d ⟩ can be written as

v′
!
j ⟨b,w⟩+ 1
v′ ,w
 
D D w E
−2πi D [2...n]
−2πi l, D
w[2...n]
−2πi∥ 2D ∥2
X X M
X
−2πi
|φ7.d ⟩ = e 2D e M e e |w⟩ .
w∈Zn
M j∈Z l∈Zn−1

w[2...n]
Due to the summation over l ∈ Zn−1 , the amplitude on |w⟩ will only be non-zero when D ∈ Zn−1 .
Finally, we recall from Eqn. (12) that b ∈ (−1) | 2p1 Zn−1 , so we always have b[2...n] , w[2...n] ∈ 2Dp1 .
M v1′
Also recall from C.3 that Dp1 is a factor of 2D , therefore w1 ≡ D (mod Dp1 ).

Therefore, in the fifth operation, we compute w1 mod Dp1 in a new register, then measure the new
v′
register |w1 mod Dp1 ⟩ and denote the result as w1′ = D1 mod Dp1 . This measurement does not collapse
the state |φ7.d ⟩, so the residual state is |φ7.e ⟩ = |φ7.d ⟩.
Next we reverse the previous four operations and get back to

X (2Dj)2 ∥k∥2 M
−2πi 2πi ′
|φ8 ⟩ = |φ7 ⟩ = e 2M e 4 2Djx + v + k mod M .
2
k∈0|Zn−1 ,j∈Z

In other words, in Step 8, we learn v1′ mod D2 p1 without affecting the state |φ7 ⟩ at all.

Readers may wonder why are the first two operations necessary, or, can we remove the quadratic
amplitude on j directly from |φ7 ⟩? We may try to use the phase kickback trick on the first coordinate
′ mod M )2
(−2D 2 j+v1
of |φ7 ⟩, −2D2 j + v1′ mod M , to multiply e2πi 2D 2 M on the amplitude of |φ7 ⟩, but the modulo
M sign does not go away in the exponent. If we apply QFTZnM after it, we get a state where the support
does not satisfy a modular linear function, unlike |φ7.d ⟩ in our algorithm. See Figure 3 for a comparison
of |φ7.d ⟩ in our real algorithm, and what we get if apply the phase kick-back trick directly on |φ7 ⟩, and
then apply QFTZnM .

3.5.9 Step 9: Extract a linear equation over the secret from v1′ mod D2 p1 and |φ8 ⟩

In Step 9, our goal is to convert |φ8 ⟩ into a classical linear equation over the secret, which finally gives
a proof of the main lemma (Lemma 3.8). Step 9 uses the information of v1′ mod D2 p1 obtained in Step
8, and the κ − 1 coordinates of known items inserted in the LWE secret.

33
Figure 3: Comparison of the real part of the amplitude in |φ7.d ⟩ (left) and a state obtained after directly
applying phase kickback on |φ7 ⟩, and then applying QFT (right). Parameters are set in the same way as the ones
in Figure 2, except that we set D = 3 here. The left figure is similar to Figure 2 - (i). For the figure on the right,
the amplitude is non-zero almost everywhere (the light blue and light red ones are non-zero).

Proof of Lemma 3.8. Recall from C.3 that M = 2D2 (c+1)∥b∥2 = 2D2 p1 p2 ...pκ , where D, p1 , ..., pk are
(2Dj)2 ∥k∥2
odd and pairwise coprime. Start from |φ8 ⟩ = k∈0|Zn−1 ,j∈Z e−2πi 2M e2πi 4 2Djx + v′ + M
P
2 k mod M ,
we first compute every coordinate into its Chinese remainder theorem (CRT) representation modulo 2
and modulo M 2
2 = D p1 p2 ...pκ , and denote the state as |φ8.a ⟩ (note that computing the CRT represen-
tation is an efficient, reversible operation so it can be efficiently done quantumly):
 
X (2Dj)2 ∥k∥2 M M
|φ8.a ⟩ := e−2πi 2M e2πi 4 2Djx + v′ + k mod D2 p1 p2 ...pκ 2Djx + v′ + k mod 2
2 2
k∈0|Zn−1 ,j∈Z

X (2Dj)2 ∥k∥2 M
−2πi 2M 2πi 4 2 ′ 2 ′
= e e 2D jb + v mod D p1 p2 ...pκ v + k mod 2 .
n−1
2
k∈0|Z ,j∈Z

We then measure the “modulo 2” part and throw it away, which completely collapses k but not affects
j, so that the residual state |φ8.b ⟩ is independent of k:
X (2Dj)2
|φ8.b ⟩ := e−2πi 2M 2D2 jb + v′ mod D2 p1 p2 ...pκ .
j∈Z

34
Next we turn the first κ coordinates of |φ8.b ⟩ into their CRT representations modulo D2 p1 , p2 , ..., pκ :
X (2Dj)2
|φ8.c ⟩ := e−2πi 2M 2D2 jb1 + v1′ mod D2 p1 2D2 jb1 + v1′ mod p2 ... 2D2 jb1 + v1′ mod pκ
j∈Z

2D2 jb2 + v2′ mod D2 p1 2D2 jb2 + v2′ mod p2 ... 2D2 jb2 + v2′ mod pκ
... 2D2 jbκ + vκ′ mod D2 p1 2D2 jbκ + vκ′ mod p2 ... 2D2 jbκ + vκ′ mod pκ
E
′
2D2 jb[κ+1...n] + v[κ+1...n] mod D2 p1 p2 ...pκ
X (2Dj)2
= e−2πi 2M 2D2 jb1 + v1′ mod D2 p1 2D2 jb1 + v1′ mod p2 ... 2D2 jb1 + v1′ mod pκ
j∈Z

2D2 jb2 + v2′ mod D2 p1 v2′ mod p2 ... 2D2 jb2 + v2′ mod pκ
... 2D2 jbκ + vκ′ mod D2 p1 2D2 jbκ + vκ′ mod p2 ... vκ′ mod pκ
E
′
2D2 jb[κ+1...n] + v[κ+1...n] mod D2 p1 p2 ...pκ ,

where the second equality holds since b[1...κ] = (−1, 2p1 p2 , 2p1 p3 , ..., 2p1 pκ ) (see Eqn. (12)), so that the
|v2′ mod p2 ⟩, |v3′ mod p3 ⟩, ..., |vκ′ mod pκ ⟩ registers are independent of j. (In fact, 2D2 jb2 + v2′ mod D2 p1 ,
..., 2D2 jbκ + vκ′ mod D2 p1 are also independent of j, but we will not utilize this fact.)
We then measure |v2′ mod p2 ⟩, |v3′ mod p3 ⟩, ..., |vκ′ mod pκ ⟩ and learn v2′ mod p2 , v3′ mod p3 , ..., vκ′ mod
pκ without collapsing the states (i.e., we can add them in new registers and measure the new registers,
which doesn’t collapse |v2′ mod p2 ⟩, ..., |vκ′ mod pκ ⟩ and others).
Next, for all η ∈ {2, 3, ..., κ}, we swap vη′ mod pη in the η th coordinate with 2D2 jb1 + v1′ mod pη in
the 1st coordinate (swapping is an efficient, reversible operation so it can be efficiently done quantumly),
and get the following state (we use underline to highlight the swapped registers)
X (2Dj)2
|φ8.d ⟩ := e−2πi 2M 2D2 jb1 + v1′ mod D2 p1 v2′ mod p2 ... vκ′ mod pκ
j∈Z

2D2 jb2 + v2′ mod D2 p1 2D2 jb1 + v1′ mod p2 2D2 jb2 + v2′ mod p3 ... 2D2 jb2 + v2′ mod pκ
... 2D2 jbκ + vκ′ mod D2 p1 2D2 jbκ + vκ′ mod p2 ... 2D2 jbκ + vκ′ mod pκ−1 2D2 jb1 + v1′ mod pκ
E
′
2D2 jb[κ+1...n] + v[κ+1...n] mod D2 p1 p2 ...pκ .

Let CRT((a1 )D2 p1 , (a2 )p2 , ..., (aκ )pκ ) denote the mapping from the CRT representation of a number in
ZD2 p1 × Zp2 × ... × Zpκ back to its standard representation in ZD2 p1 ...pκ (the mapping is efficiently
computable). Then, let b∗ ∈ Znp1 ...pκ , v∗ ∈ ZnD2 p1 ...pκ be defined as

2D2 b∗1 := CRT((2D2 b1 )D2 p1 , (0)p2 , ..., (0)pκ ), % known

v1∗ := CRT((v1′ )D2 p1 , (v2′ )p2 , ..., (vκ′ )pκ ), % known
2D2 b∗η := CRT((2D2 bη )D2 p1 , (2D2 bη )p2 , ..., (2D2 b1 )pη , ..., (2D2 bη )pκ ), % known (36)
vη∗ := CRT((vη′ )D2 p1 , (vη′ )p2 , ..., (v1′ )pη , ..., (vη′ )pκ ), ∀η ∈ {2, 3, ..., κ} , % unknown
b∗[κ+1...n] := ∗
b[κ+1...n] , v[κ+1...n] ′
:= v[κ+1...n] . % both unknown

35
Then, in the next operation, we switch the first κ coordinates from the CRT representation back to the
standard representation in ZD2 p1 ...pk . We get
X (2Dj)2
|φ8.e ⟩ := e−2πi 2M 2D2 jb∗ + v∗ mod D2 p1 p2 ...pκ .
j∈Z

Now v1∗ = CRT((v1′ )D2 p1 , (v2′ )p2 , ..., (vκ′ )pκ ) is efficiently computable (recall that we learned v1′ mod D2 p1
in Step 8, and learned v2′ mod p2 , ..., vκ′ mod pκ after obtaining |φ8.c ⟩). So we can subtract v1∗ modulo
D2 p1 ...pκ in the first coordinate and get
(2Dj)2
X E
|φ8.f ⟩ := e−2πi 2M 2D2 jb∗ + 0 | v[2...n]
∗
mod D2 p1 p2 ...pκ . (37)
j∈Z

We can derive from Eqn. (36) and Cond. C.3 that b∗1 = p2 p3 ...pκ · (−(p2 p3 ...pκ )−1 mod p1 ) = p2 p3 ...pκE.
We hope to change |φ8.f ⟩ so that the j in the first coordinate of 2D2 jb∗ + 0 | v[2...n]
∗ mod D2 p1 p2 ...pκ
runs through all j ∈ Zp1 p2 ...pκ , but currently the j in the first coordinate only runs through Zp1 . So we
apply the domain extension trick (Lemma 2.17) on the first coordinate of |φ8.f ⟩ to extend the domain
of the first coordinate from D2 p1 p2 ...pκ to D2 p1 p2 ...pκ · p2 ...pκ , and get
(2Dj)2
X E
|φ8.g ⟩ := e−2πi 2M 2D2 jb∗1 mod D2 p1 p2 ...pκ · p2 ...pκ 2D2 jb∗[2...n] + v[2...n]
∗
mod D2 p1 p2 ...pκ .
j∈Z

To see why applying domain extension gives the desired expression |φ8.g ⟩, we double check the M 2 -
periodicity of the amplitude of |φ8.f ⟩ in Eqn. (37). There are two methods to check it. The first
method is to make sure no operation after Step 7 breaks the M 2 -periodicity: the operations from Step
7 up to Step 8 preserve M -periodicity, and after measuring out the modulo 2 part in the beginning of
Step 9, the rest of operations (such as computing the CRT representation, swapping the same CRT slot
between coordinates) preserve the M M
2 -periodicity. The second method is to verify 2 -periodicity directly:
although the period of j in the first coordinate is p1 , the period of j in the last n − 1 coordinates is
p2 ...pκ since b∗[2...n] ∈ 2p1 Z, and 2 is invertible mod M 2 ∗ ∗ M
2 . So for any z = 2D jb + 0 | v[2...n] mod 2 , if
we want to write z as
M
z = 2D2 (j + j ′ )b∗ + 0 | v[2...n]
∗
mod for some j ′ ∈ Z,
2
then it must be the case that j ′ ∈ p1 p2 ...pκ Z = M
2D2
Z; and for all j ∈ Z, we have
 
2 2 2
(2D)2 j+ M2
( ) (2D)2 j 2 +j M2 + M2 ( ) (2D)2 j 2 +4M j+ M2
2D D 2D D (2D)2 j 2
−2πi −2πi −2πi
e 2M =e 2M =e 2M = M
∈Z e−2πi 2M .
2D 2

M
This verifies the 2 -periodicity of the amplitude of |φ8.f ⟩ in Eqn. (37).
Let us continue working on |φ8.g ⟩. Since b∗1 = p2 p3 ...pκ , we divide the first coordinate by p2 ...pκ (i.e.,
just measure out the first coordinate modulo p2 ...pκ , which will return 0, and then we interpret the

36
remaining first coordinate as being divided by p2 ...pκ ). This gives
(2Dj)2
X E
|φ8.h ⟩ := e−2πi 2M 2D2 j mod D2 p1 p2 ...pκ ∗
2D2 jb∗[2...n] + v[2...n] mod D2 p1 p2 ...pκ
j∈Z
(2Dj)2
X E
= e−2πi 2M 2D2 j mod D2 p1 p2 ...pκ ∗
2D2 jb∗[2...n] + v[2...n] mod D2 p1 p2 ...pκ ,
j∈Zp1 p2 ...pκ

where in the second line we change from j ∈ Z to j ∈ Zp1 p2 ...pκ because now it is more convenient to
work with j over Zp1 p2 ...pκ .
Next we apply the phase kickback trick on the first coordinate of |φ8.h ⟩ to multiply the phase term
(2Dj)2 2 2
e2πi 2M on the amplitude. We can do so since (2Dj) 2M = p1 pj2 ...pκ is efficiently computable from D2 ·
2j mod D2 p1 p2 ...pκ . This gives
X E
|φ8.i ⟩ := 2D2 · j mod D2 p1 p2 ...pκ 2D2 jb∗[2...n] + v[2...n]
∗
mod D2 p1 p2 ...pκ .
j∈Zp1 p2 ...pκ

Finally, we apply QFTZn 2 on |φ8.i ⟩ and get

D p1 p2 ...pκ

   
u1 + b∗ ,u v∗ ,u
[2...n] [2...n] [2...n] [2...n]
X X −2πi·2j· −2πi
|φ9 ⟩ := e p1 p2 ...pκ e D 2 p1 p2 ...pκ |u⟩ .
u∈Zn 2 j∈Zp1 p2 ...pκ
D p1 p2 ...pκ

We measure |u⟩ to get a random u ∈ ZnD2 p1 p2 ...pκ satisfying

D E
u1 + b∗[2...n] , u[2...n] ≡ 0 (mod p1 p2 ...pκ ). (38)

Recall the expression of b∗[2...n] from Eqn. (36), the b∗[2...κ] part is efficiently computable, and b∗[κ+1...n] =
b[κ+1...n] =Eqn. (12) [2p1 sT[κ...ℓ] , 2p1 eT ]T , containing all the unknown secret and error terms we want to
learn. So we return u ∈ ZnM as the coefficient of a linear equation over all the unknown variables we
2
care about.
This completes the proof of Lemma 3.8.

Readers may wonder: given the power of the swapping trick used between |φ8.c ⟩ and |φ8.d ⟩, why can’t
we simply plant a trivial mod p1 slot as well and swap it to the first coordinate, instead of spending
so much effort in learning v1′ mod D2 p1 in Step 8. In fact, why can’t we swap 2D2 jb1 + v1′ mod D2 p1
and 2D2 jb2 + v2′ mod D2 p1 as well, since we know b2 = 2p1 p2 , so v2′ mod D2 p1 can be learned for free.
The reason is: if we use the swap trick to prepare for the mod p1 slot as well, then after swapping, the
first coordinate will be completely independent of j, and then the first coordinate is useless. Therefore,
it is crucial that we learn one of the CRT components of v1′ in a non-trivial way.
Readers may also wonder: given the power of the domain extension trick applied between |φ8.f ⟩ and
|φ8.g ⟩, can we use the domain extension trick to solve the dihedral coset problem (DCP) right away?

37
To answer this question, recall a typical instance of (the vector version of) DCP, where we are given
quantum states like
X X
|j⟩ |jx − y mod P ⟩ = |j⟩ |(j mod 2)x − y mod P ⟩ . (39)
j∈{0,1} j∈{0,1}

Suppose P ∈ 2Z. How about we apply the domain extension trick toP extend the first coordinate to work
over all ZP ? We can do this operation but we Pwill get a state like j∈ZP |j⟩ |(j mod 2)x − y mod P ⟩,
which, for a general x ∈ ZnP , is not equal to j∈ZP |j⟩ |jx − y mod P ⟩. Then applying QFTZn+1 on
P P

j∈ZP |j⟩ |(j mod 2)x − y mod P ⟩ does not seem to give a useful state for extracting x.
In our application of the domain extension trick after |φ8.f ⟩ in Eqn. (37), we note that
(2Dj)2
X E
|φ8.f ⟩ =
̸ e−2πi 2M 2D2 (j mod p1 )b∗ + 0 | v[2...n]
∗
mod D2 p1 p2 ...pκ ,
j∈Z

therefore we will not meet the problem occurred in Eqn. (39). In other words, it is crucial in |φ8.f ⟩ that
the j in the last n − 1 coordinates goes through all Zp2 ...pκ . It is also crucial to check the M
2 -periodicity
of the amplitude of |φ8.f ⟩ before applying domain extension, as we have done in the paragraph after
presenting |φ8.g ⟩.
This concludes the description of all the nine quantum steps.

3.6 Detailed proofs

In this section we provide the detailed proofs missed in Section 3.5. All proofs except for the proof
of Lemma 3.7 are about Fourier transforms and Gaussian tail bounds over discrete supports. Let
us remark that all Gaussian tail bounds here are essentially proven using one of the following two
methods: a sophisticated method from [Reg23, Claim A.5] (adapted to ℓ∞ norm in our paper), which
gives nearly optimal bounds; and a more straightforward method by using ℓ2 , ℓ1 norm inequalities (like
in Lemma 3.10), which gives fairly loose bounds, but is much simpler to calculate. Only the proof of
Lemma 3.20 uses the sophisticated method, because getting an optimal bound there matters to the
quality of our algorithm. The other bounds are proved using the straightforward method for simplicity
because the loose bounds suffice for our purpose.

3.6.1 Proof of Lemma 3.7

ℓ−(κ−1)
Proof. Recall from §3.2 that U ← U (Zqn×m ), t = UT s + e mod q where s[κ...ℓ] ← DZ,β ,e ←
DZ,β . Recall from Eqn. (12) that A = [2p1 t | U | Im ] ∈ Zq , b = [−1, 2p1 s , 2p1 e ]T =
m T m×n T T
√ q
[−1, 2p1 p2 , ..., 2p1 pκ , 2p1 sT[κ...ℓ] , 2p1 eT ]T . Then b ∈ L⊥
q (A) and ∥b∥ ≤ 3p1 β n < (log n)2 due to Lemma 3.6.

It remains to prove the following claim:

Claim 3.15. With probability 1 − negl(n) over the randomness of sampling U, t, for any non-zero
vector z = [−d, zT1 , zT2 ]T ∈ L⊥ ℓ m 2 2
q (A), where z1 ∈ Z , z2 ∈ Z , d ∈ Z ∩ (−q/(log n) , q/(log n) ), we have
either z = bd (in which case z is linearly dependent on b), or ∥z∥∞ ≥ q/(log n) .2

38
Note that we don’t need to consider those d s.t. |d| ≥ q/(log n)2 since that immediately leads to
∥z∥∞ ≥ q/(log n)2 .

Proof of Claim 3.15. Given that z = [−d, zT1 , zT2 ]T ∈ L⊥

q (A), we have

UT z1 + z2 − td ≡ UT (z1 − 2p1 ds) − 2p1 de + z2 ≡ 0 (mod q). (40)

We observe that Eqn. (40) is satisfiable either when z1 − 2p1 ds ≡ 0 (mod q), or z1 − 2p1 ds ̸≡ 0 (mod q).
If z1 − 2p1 ds ̸≡ 0 (mod q), then we can apply Lemma 2.10 with V := {2p1 de}d∈Z∩(−q/(log2 n),q/(log2 n))
(the matrix A in Lemma 2.10 is the matrix U here). This implies that with probability 1 − 2−Ω(n) ,
∥z2 ∥∞ ≥ q/4, so λ∞ ⊥ 2


2 Lq (A) ≥ q/4 ≥ q/(log n) .
If z1 − 2p1 ds ≡ 0 (mod q), then z2 − 2p1 de ≡ 0 (mod q) as well. In this case,

1. either z = bd holds over Zn , without mod q
– then z is linearly dependent on b, so the length of
z does not influence the value of λ∞ ⊥
2 Lq (A) ;

2. or z = bd + qk for some non-zero k ∈
Zn (i.e., z ≡ bd (mod q) must use mod q) – if ∥z∥∞ <
q/(log2 n) in this case then λ∞ ⊥ 2
2 Lq (A) < q/(log n), so we need to handle this case carefully.

The rest of the proof is devoted to proving the following claim:

Claim 3.16. For any n ∈ N+ , any integer q ≥ (log n)2 . For any real number β > 0,
 
n q n n q
Pr ∃z ∈ Z ∩ B s.t. z = bd + qk for some non-zero k ∈ Z , d ∈ Z, |d| < < negl(n),
b (log n)2 ∞ (log n)2
ℓ−(κ−1) m .
where the randomness over b comes from the sampling of s[κ...ℓ] ← DZ,β , e ← DZ,β

Proof. First we observe that Claim 3.16 is true when β ≤ log n, since in this case 2p1 dβ ≤ 2p1 logq n , so
db ≤ q/2 with probability 1 − negl(n) due to Lemma 2.6.
q q
Second, when β > log n, we only need to consider the case where d > β log n (therefore 2p1 dβ > 2p1 log n ),
q
since if d ≤ β log n , then ∥bd∥∞ > q/2 with probability negligible in n due to Lemma 2.6 (this means
z = bd + qk for some non-zero k ∈ Zn happens with negligible probability in n).
q q
So it remains to deal with the case where β log n <d< (log n)2
.
+ 2
Claim
 3.17. For any  n ∈ N , any integer q ≥ (log n) . For any real number β > log n, for any integer
q q
d ∈ β log n , (log n)2 ,
  
q q 1
Pr 2p1 d · y ∈ qZ + − 2
, 2
< .
y←DZ,β (log n) (log n) 4

Proof. If y was sampled from the continuous Gaussian distribution Dβ , then the proof can be done by
just taking integrals. Here since y is sampled from the discrete Gaussian distribution DZ,β , we need
some properties of smoothing parameters. Let us introduce them first.
A special case of [Pei10, Theorem 3.1] shows that when s is large enough, DZ,s is statistically close to
rounding a continuous Gaussian.

39
Lemma 3.18. For any ϵ < 1/8, and s > ηϵ (Z). Then ⌊Ds ⌉ is within statistical distance 8ϵ from DZ,s .

A special case of [MR07, Lemma 4.1] shows that:

Lemma 3.19. For any ϵ, t ∈ R+ , for any s ≥ ηϵ (tZ), the statistical distance between Ds mod t and
U ([0, t)) is within ϵ/2.

Our proof therefore goes through two intermediate steps. First, we consider 2p1 dy ← ⌊D2p1 dβ ⌉2p1 d
instead of 2p1 dy ← 2p1 d ·DZ,β since they are statistically close due to Lemma 3.18. Second, we choose
20q
t ∈ Q such that t ∈ 2p1 (log , 40q
n)2 (log n)2
and qt ∈ N+ (we choose t ∈ Q instead of t ∈ Z since there
   
20q 40q 20q 40q
always exists a t in 2p1 (log 2 ,
n) (log n) 2 ∩ Q, but 2p1 2 ,
(log n) (log n)2 ∩ Z can be empty, e.g., when q
is a prime), and we consider 2p1 dy ← U ([0, t)) instead of ⌊D2p1 dβ ⌉2p1 d mod t since they are statistically
close due to Lemma 3.19. Over U ([0, t)) it is then easy to prove the result we want.
 
Formally, for any integer d < (logqn)2 , for any t ∈ Q such that t ∈ 2p1 (log 20q
2 , 40q
n) (log n)2 and qt ∈ N+ ,
  
q q 1
Pr ⌊z⌉2p1 d ∈ tZ + − , ≤ .
z←U ([0,t)) (log n) (log n)2
2 5
√
Then, since 2p1 dβ > 2p1 logq n ∈ q
(log n)2
· ω( log n), we have
  
q q
Pr ⌊z⌉2p1 d ∈ qZ + − ,
z←D2p1 dβ (log n)2 (log n)2
  
q q
≤(a) Pr ⌊z⌉2p1 d ∈ tZ + − , (41)
z←D2p1 dβ (log n)2 (log n)2
  
q q 1
≤(b) Pr ⌊z⌉2p1 d ∈ tZ + − 2
, 2
+ negl(n) ≤ + negl(n),
z←U ([0,t)) (log n) (log n) 5

where (a) uses q/t ∈ N+ ; (b) uses Lemma 3.19 and the fact that applying rounding does not increase
the statistical distance of the underlying distribution.
√
Then, since β > log(n) ∈ ω( log n), we have
  
q q
Pr 2p1 d · y ∈ qZ + − ,
y←DZ,β (log n)2 (log n)2
  
q q 1 1
≤(a) Pr ⌊z⌉2p1 d ∈ qZ + − 2
, 2
+ negl(n) ≤(b) + negl(n) < ,
z←D2p1 dβ (log n) (log n) 5 4

where (a) follows Lemma 3.18, (b) uses Eqn. (41). This concludes the proof of Claim 3.17.

Therefore, the probability that

n−κ
d · [s[κ...ℓ] , e] ∈ ∪j∈Z ((j − 1/(log n)2 )q, (j + 1/(log n)2 )q)


is smaller than 0.25n−κ . This concludes the proof of Claim 3.16.

This concludes the proof of Claim 3.15.

40
Therefore, with all but negligible probability, λ∞ ⊥ 2


2 Lq (A) ≥ q/(log n) . This concludes the proof of
Lemma 3.7.

3.6.2 Detailed proofs in Step 3

Lemma 3.20. For |φ3 ⟩, |φ′3 ⟩ defined in Eqn. (21), |φ3 ⟩ ≈t |φ′3 ⟩.

Proof. Let H ⊂ R2n be a lattice consisting of vectors (zT1 , zT2 )T such that z1 , z2 ∈ Zn and z1 = z2 mod P .
We first observe that |f2 (z)| (Eqn. (18)) is periodic in the following sense: define

Lx := L⊥ T
P (x ) =Eqn. (11) {z ∈ Zn | ⟨x, z⟩ ≡ 0 mod P } . (42)

Then, for any c ∈Zn , |f2 (z)| is the same for all z ∈ Lx + c, i.e., | {|f2 (z)| | z ∈ Lx + c} | = 1. Denote
f2max := maxz∈Zn |f2 (z)|2 , zmax := arg maxz∈Zn |f2 (z)|2 . Let Lx + cmax be the coset of Lx where
zmax is chosen from. Note that there exist multiple vectors zmax , we just pick one of them. Same for
cmax .
Now we prove |φ3 ⟩ ≈t |φ′3 ⟩. If we treat |φ3 ⟩ and |φ′3 ⟩ as unnormalized vectors, then
2
t2 r2 s2 (s2 − r2 i)
 
2
X X
∥|φ3 ⟩ − |φ′3 ⟩∥2 = f2 (z) exp −π 2 2 4 ∥z − z ′ 2
∥
P u (s + r4 )
zP ∈Zn n ′
P z∈P ·Z +zP ,∥z−z ∥∞ ≥V log n
 2
X X
≤(a)  |f2 (z)|ρV (z − z′ )
zP ∈Zn
P z∈P ·Zn +z P ,∥z−z′ ∥ ∞ ≥V log n
 2
X X
≤ f2max ·  ρV (z − z′ )
zP ∈Zn
P z∈P ·Zn +zP ,∥z−z′ ∥∞ ≥V log n
 2
X X
=(b) f2max ·  ρV (z∗ )
zP ∈Zn
P z∗ ∈P ·Zn +zP −z′ ,∥z∗ ∥∞ ≥V log n (43)
 2
X X
=(c) f2max ·  ρV (z∗ )
zP ∈Zn
P z∗ ∈P ·Zn +zP ,∥z∗ ∥∞ ≥V log n
  
X X X
= f2max ·  ρV (z1 )  ρV (z2 )
zP ∈Zn
P z1 ∈P ·Zn +zP ,∥z1 ∥∞ ≥V log n z2 ∈P ·Zn +zP ,∥z2 ∥∞ ≥V log n
X
= f2max · ρV (z1 ) ρV (z2 )
z1 ,z2 ∈Zn ,z1 =z2 mod P,∥z1 ∥∞ ,∥z2 ∥∞ ≥V log n
X
= f2max · ρV (zH )
zH ∈H,∥zH ∥∞ ≥V log n

≤Lemma 2.6 f2max · negl(n) · ρV (H),

where in (a) we drop all phase terms; in (b) we let z∗ := z − z′ ; in (c) we merge −z′ into the support
of zP .

41
To get a lower bound of ∥|φ′3 ⟩∥22 , we start from
2
X
φ′3 2
= |f2 (z)|2 ρ2V (z − z′ )
z∈z′ +(Zn ∩V log nB∞
n )
X
≥ f2max ρ2V (z − z′ ) (44)
z∈Lx +cmax ∩(z′ +V log nB∞
n )
X
= f2max ρ2V (z).
z∈Lx +cmax −z′ ∩V log nB∞
n

To continue, we define Hx ⊂ R2n as a lattice consisting of vectors (zT1 , zT2 )T such that z1 , z2 ∈ Lx
and z1 = z2 mod P . For Lx = L⊥ T n
P (x ) ⊂ Z defined in Eqn. (42), recall that x = Db. Therefore,
det(Hx ) det(Lx ) P
det(H) = det(Zn ) = D .
Next, we additionally observe that all cosets of Lx , Lx + c, where c ∈ Zn , have “short” representations
P
in the following sense: we can set c = [c1 , 0, ..., 0]T where |c1 | ≤ 2D (this observation will be used
in Eqn. (46), Step (b)). To wit, we observe that each z ∈ Lx + c satisfies ⟨x, z⟩ ≡ ⟨x, c⟩ ≡ c∗
(mod P ) for some c∗ ∈ DZ ∩ [−P/2, P/2). Since the first coordinate of x is −D, we can use Lx −
(c∗ /D, 0, ..., 0)T to represent Lx + c. Following this observation, we choose c′ = (−c′ /D, 0, ..., 0)T where
c′ = ⟨cmax − z′ , x⟩ mod P . Therefore Lx + cmax − z′ = Lx + c′ .
Let c′′ := [c′T | c′T ]T . We have
2
X
φ′3 2
≥Eqn. (44) f2max ρ2V (z)
z∈Lx +c′ ∩V log nB∞
n
 
X X
= f2max ρV (z1 )  ρV (z2 )
z1 ∈Lx +c′ ∩V log nB∞
n z2 ∈Lx +c′ ∩V log nB∞
n ,z =z mod P
2 1
X
= f2max ρV (zH )
zH ∈Hx +c′′ ∩V 2n
log nB∞
  (45)
X
≥Lemma 2.6 f2max  ρV (zH ) − negl(n) · ρV (Hx )
zH ∈Hx +c′′
 
X
≥Hx ⊂H f2max  ρV (zH ) − negl(n) · ρV (H)
zH ∈Hx +c′′
1
≥Eqn. (46) f2max · · ρV (H).
poly(n)

42
The last inequality in (45) is proven as follows
X
ρV (zH )
zH ∈Hx +c′′
1 ′′
ρ1/V (w) · e2πi⟨c ,w⟩
X
=P SF
det(Hx )
w∈Hx∗
 
D ′′ ′′
ρ1/V (w) · e2πi⟨c ,w⟩ + ρ1/V (w) · e2πi⟨c ,w⟩ 
X X
=(a) 
P det(H)
w∈Hx∗ ,∥w∥∞ < log
V
n
w∈Hx∗ ,∥w∥∞ ≥ log
V
n

  (46)
D X X
≥(b) 0.5 · ρ1/V (w) − negl(n) · ρ1/V (w)
P det(H) ∗
log n
w∈Hx∗ ,∥w∥∞ < w∈Hx
V

0.4D X
≥(c) ρ1/V (w)
P det(H)
w∈Hx∗
0.4D X 0.4D 1
≥(d) ρ1/V (w) =P SF ρV (H) ∈ · ρV (H),
P det(H) ∗
P poly(n)
w∈H

P
where in (a) we use det(Hx ) = D ·det(H); in (b), the “∥w∥∞ < log n ′′ 2P log n
V ” part uses | ⟨c , w⟩ | < 2DV < 20
1

for all w ∈ Hx∗ suchPthat ∥w∥∞ < log n log n

V ; the “∥w∥∞ ≥ V ” part P uses Lemma 2.6; (c) uses Lemma 2.6
again to show that w∈H ∗ ,∥w∥∞ < log n ρ1/V (w) ≥ (1 − negl(n)) w∈Hx∗ ρ1/V (w); (d) uses H ∗ ⊂ Hx∗ .
x V

Therefore, combining Eqns. (43) and (45):

2 2
|φ3 ⟩ − φ′3 2
≤ f2max · negl(n) · ρV (H) ∈ negl(n) · φ′3 2
.

Then |φ3 ⟩ ≈t |φ′3 ⟩ follows Lemma 2.11.

Lemma 3.21. For Σ, dj , Cj defined in Eqn. (23), (P j + ⟨x, z⟩)2 +t2 ∥z−z′ ∥2 = (z−dj )T Σ−1 (z−dj )+Cj .

Proof. We use the following formula:

Lemma 3.22. For symmetric matrices Σ−1 −1 −1 −1 −1
1 , Σ2 , and vectors m1 , m2 . Suppose Σ3 = Σ1 + Σ2 is
−1 −1 T −1 T −1 T −1
invertible, then let m3 = Σ3 (Σ1 m1 + Σ2 m2 ), C = m1 Σ1 m1 + m2 Σ2 m2 − m3 Σ3 m3 . Then

(v − m1 )T Σ−1 T −1 T −1
1 (v − m1 ) + (v − m2 ) Σ2 (v − m2 ) = (v − m3 ) Σ3 (v − m3 ) + C. (47)

Proof.

(v − m3 )T Σ−1 T −1 T −1
3 (v − m3 ) − (v − m1 ) Σ1 (v − m1 ) − (v − m2 ) Σ2 (v − m2 )
=(a) vT (Σ−1 −1 T −1 −1 T −1 T −1 T −1 T −1
1 + Σ2 )v − 2v (Σ1 + Σ2 )m3 − v Σ1 v − v Σ2 v + 2v Σ1 m1 + 2v Σ2 m2 − C
= − 2vT (Σ−1 −1 T −1 T −1
1 + Σ2 )m3 + 2v Σ1 m1 + 2v Σ2 m2 − C
= − 2vT (Σ−1 −1 T −1 T −1
1 m1 + Σ2 m2 ) + 2v Σ1 m1 + 2v Σ2 m2 − C
= − C,

where (a) uses the fact that Σ−1 −1

1 and Σ2 are symmetric.

43
 −1
We then apply Lemma 3.22 with v = z, m1 = − ∥x∥ P jx ′
2 , m2 = z , Σ1 = xxT , Σ−1 2 = t2 In . So
1 T
xx
 
xxT
Σ−1 2 T 1 t4 1
3 := t In + xx . From Formula (8) we get Σ3 = t2 In − 1+ 1 ∥x∥2 = t2 In − t2 +∥x∥2 . Then
t2

xxT xP j∥x∥2 xt2 ⟨x, z′ ⟩

   
1 2 ′ 1 2 ′
m 3 = 2 In − 2 (−xP j + t z ) = 2 −xP j + t z + 2 − 2
t t + ∥x∥2 t t + ∥x∥2 t + ∥x∥2
xP j x ⟨x, z′ ⟩ P j + ⟨x, z′ ⟩
= z′ − 2 − = z ′
− x ,
t + ∥x∥2 t2 + ∥x∥2 t2 + ∥x∥2
P j + ⟨x, z′ ⟩
 
T −1 −1 −1 T 2 ′ T ′
m3 Σ3 m3 = (Σ1 m1 + Σ2 m2 ) · m3 = (−P jx + t z ) · z − x 2
t + ∥x∥2
P j∥x∥2 (P j + ⟨x, z′ ⟩) ′
 
2 ′ 2 ′ 2 P j + ⟨x, z ⟩
= t ∥z ∥ + − x, z Pj + t 2 ,
t2 + ∥x∥2 t + ∥x∥2

P j∥x∥2 (P j + ⟨x, z′ ⟩) ′
 
2 2 ′ 2 2 ′ 2 ′ 2 P j + ⟨x, z ⟩
C = (P j) + t ∥z ∥ − t ∥z ∥ − + x, z Pj + t 2
t2 + ∥x∥2 t + ∥x∥2
(P j)2 ∥x∥2 P j∥x∥2 ⟨x, z′ ⟩ ′
   
2 ′ ′ 2 Pj ′ 2 ⟨x, z ⟩
= (P j) − 2 − + x, z P j + x, z t 2 + x, z t 2
t + ∥x∥2 t2 + ∥x∥2 t + ∥x∥2 t + ∥x∥2
!
t2 2P j ⟨x, z′ ⟩ t2 t2 ⟨x, z′ ⟩2 t2
= 2 (P j)2
+ + = (P j + x, z′ )2 .
t + ∥x∥2 t2 + ∥x∥2 t2 + ∥x∥2 t2 + ∥x∥2
Plugging in dj = m3 , Cj = C gives Lemma 3.21.

3.6.3 Detailed proofs in Step 5: the distribution of h∗

To understand the distribution of h∗ obtained in Step 5, we first prove the expression of |φ4 ⟩ (cf.
Eqn. (24)) can be written equivalently as follows:
s2 r 4 t2 s2 r 4 t2
Lemma 3.23. If ∥x∥2 (s4 +r4 ) t2 +∥x∥2
∈ 2Z (implied by Cond. C.5 which says ∥x∥2 (s4 +r4 ) t2 +∥x∥2
= 2(t2 +
′⟩
u2 ) ∈ 2Z), then, let wh,m := t2 +∥x∥2 − ⟨x,y⟩
⟨h+m,x⟩
∥x∥2
+ t2⟨x,z
+∥x∥2
, we have
T !
∥x∥2 (s2 + r2 i)
 
X X ⟨x, y⟩ x ⟨x, y⟩ x
|φ4 ⟩ = exp −π h+m+ −y ·Σ· h+m+ −y
s2 r2 ∥x∥2 ∥x∥2
h∈Zn
P m∈P Z
n

⟨x,z′ ⟩ ,h+m
* +
z′ −x 2
t +∥x∥2 ∥x∥2 (s4 +r 4 )(t2 +∥x∥2 )
(k−wh,m )2 ⟨x,z′ ⟩
e−π
X
· e−2πi P · s4 r 2 t2 · e2πi P
(k−wh,m )
|h⟩ .
k∈Z

s2 r 2 (s2 −r 2 i)
−π C
P 2 ∥x∥2 (s4 +r 4 ) j
P
Proof. We open the term in j∈Z in the expression of |φ4 ⟩ in Eqn. (24). First let us open e :
s2 r2 (s2 − r2 i) t2
 
exp −π 2 (P j + ⟨x, z′ ⟩)2
P ∥x∥2 (s4 + r4 ) t2 + ∥x∥2
s4 r2 t2 s2 r4 i t2
   
′ 2 ′ 2
= exp −π 2 (P j + ⟨x, z ⟩) exp π 2 (P j + ⟨x, z ⟩)
P ∥x∥2 (s4 + r4 ) t2 + ∥x∥2 P ∥x∥2 (s4 + r4 ) t2 + ∥x∥2
s4 r2 t2 t2 + ∥x∥2
   
′ 2 ′ ′ 2
=(a) exp −π 2 (P j + ⟨x, z ⟩) exp 2πi (2P j ⟨x, z ⟩ + ⟨x, z ⟩ ) ,
P ∥x∥2 (s4 + r4 ) t2 + ∥x∥2 P2

44
 2 4 2
where (a) holds given j ∈ Z and Condition C.5 which says ∥x∥2s(sr4 +r4 ) t2 +∥x∥
t 2 2
2 = 2(t + ∥x∥ ) ∈ 2Z, so

we can delete the (P j)2 term in the imaginary part.

P
Therefore, the term in j∈Z in the expression of |φ4 ⟩ equals to
 
⟨x,y⟩x
dj ,h+m+ −y ⟨x,y⟩ s2 r 2 (s2 −r 2 i)
X ∥x∥2 −2πi ∥x∥2 j −π P 2 ∥x∥2 (s4 +r4 ) Cj
−2πi
e P ·e ·e
j∈Z
P j+⟨x,z′ ⟩
* +
⟨x,y⟩x
z′ −x 2 ,h+m+ −y
t +∥x∥2 ∥x∥2 ⟨x,y⟩ 4 2 t2 (t2 +∥x∥2 )·2P j ⟨x,z′ ⟩
−2πi ∥x∥2 j −π P 2 ∥x∥s2 (s
r
(P j+⟨x,z′ ⟩)2
X
∝(a) e−2πi P ·e ·e 4 +r 4 ) t2 +∥x∥2 · e2πi P2

j∈Z
⟨x,z′ ⟩ ,h+m+ ⟨x,y⟩x −y
* +
z′ −x 2
t +∥x∥2 ∥x∥2
= e−2πi P

2
⟨x,z′ ⟩

4 2 2
s r t 2(t2 +∥x∥2 )⟨x,z′ ⟩·j
D E
x ⟨x,y⟩x ⟨x,y⟩ −π ∥x∥2 (s4 +r j+
2πi t2 +∥x∥ 2 ,h+m+ ∥x∥2 −y ·j −2πi ∥x∥2 j
X 4 )(t2 +∥x∥2 )
· e2πi
P
· e ·e ·e P

j∈Z
⟨x,z′ ⟩ ,h+m
* +
z′ −x 2
t +∥x∥2 ∥x∥2 (s4 +r 4 )(t2 +∥x∥2 ) ⟨x,z′ ⟩
(k−wh,m )2
X
∝(b) e−2πi P · e−π s4 r 2 t 2 · e2πi P (k−wh,m )
,
k∈Z

t2 +∥x∥2
⟨x,z′ ⟩2
where ∝(a) omits the global phase of e2πi
P P
P2 ; ∝(b) uses PSF from j∈Z to k∈Z , and omits
⟨x,z′ ⟩ , ⟨x,y⟩x −y
* +
z′ −x 2
t +∥x∥2 ∥x∥2
the global phase of e−2πi P ; wh,m equals to

⟨h + m, x⟩ ⟨x, y⟩ 2(t2 + ∥x∥2 ) ⟨x, z′ ⟩ ⟨h + m, x⟩ ⟨x, y⟩ ⟨x, z′ ⟩

wh,m = − + =C.5,C.2 − + (48)
t2 + ∥x∥2 ∥x∥2 P t2 + ∥x∥2 ∥x∥2 t2 + ∥x∥2

Lemma 3.24. With probability 1 − 2−Ω(n) , the vector h∗ ∈ Znt2 +∥x∥2 obtained from the measurement in
2√
 ∗
⟨x,z′ ⟩

Step 5 satisfies dist t2⟨h+∥x∥
,x⟩
2 − ⟨x,y⟩
∥x∥2
+ t2 +∥x∥2
, Z ≤ 2ut
r n log n.

Proof. Recall that h = h′ (t2 + ∥x∥2 ) + h′′ , so |φ4 ⟩ can be equivalently written as
T
∥x∥2 (s2 +r 2 i)
  
⟨x,y⟩x ⟨x,y⟩x
X X X −π h′ (t2 +∥x∥2 )+m+h′′ + −y ·Σ· h′ (t2 +∥x∥2 )+m+h′′ + −y
|φ4 ⟩ = e s2 r 2 ∥x∥2 ∥x∥2

h′ ∈Zn ′′ n
M h ∈Z 2 m∈P Zn
t +∥x∥2
2
∥x∥2 (s4 +r 4 )(t2 +∥x∥2 )

−π k−wh′ ·(t2 +∥x∥2 )+h′′ ,m ′ ′′ ,m,k)
X
· e 4 2
s r t 2
· e2πiϕ5 (h ,h h′ h′′ ,
k∈Z
(49)

⟨x,z′ ⟩ ,h′ (t2 +∥x∥2 )+m+h′′

* +
z′ −x 2
t +∥x∥2 ⟨x,z′ ⟩
 
′ ′′ −2πi 2πi k−wh′ ·(t2 +∥x∥2 )+h′′ ,m
where e2πiϕ5 (h ,h ,m,k) =e P ·e P
.
P
To understand how |φ5 ⟩ looks like, let us take a closer look in the terms inside k∈Z . Note that
′ ⟨m,x⟩+⟨h′′ ,x⟩ ⟨x,y⟩ ⟨x,z′ ⟩ ′
k − wh′ ·(t2 +∥x∥2 )+h′′ ,m = k − ⟨h , x⟩ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2 . So for all h ∈ ZM , m ∈ P Zn , we
n

45
 ⟨m,x⟩
have ⟨h′ , x⟩ ∈ Z, t2 +∥x∥2
∈ M Z ⊂ Z. Therefore
⟨x,z′ ⟩
2
∥x∥2 (s4 +r 4 )(t2 +∥x∥2 )
  
−π k−wh′ ·(t2 +∥x∥2 )+h′′ ,m 2πi k−wh′ ·(t2 +∥x∥2 )+h′′ ,m
X
e s4 r 2 t2 ·e P

k∈Z

⟨h′′ ,x⟩ ⟨x,z′ ⟩
2
⟨x,z′ ⟩

⟨h′′ ,x⟩ ⟨x,z′ ⟩
 (50)
∥x∥2 (s4 +r 4 )(t2 +∥x∥2 ) ⟨x,y⟩ ⟨x,y⟩
X −π k′ − + − 2 2πi k′ − + − 2
s4 r 2 t2 t2 +∥x∥2 ∥x∥2 t +∥x∥2 P t2 +∥x∥2 ∥x∥2 t +∥x∥2
= e ·e ,
k′ ∈Z

where the k − ⟨h′ , x⟩ − t2⟨m,x⟩

+∥x∥2
∈ Z term is absorbed by k ′ ∈ Z (this provides another proof that the
second line of the expression of |φ4 ⟩ of Eqn. (49) is independent of h′ – the first proof is given in the
paragraph after Eqn. (25)). Therefore, |φ4 ⟩ in Eqn. (50) can be equivalently written as
X X X X
|φ4 ⟩ = f4 (h′ , h′′ ) |h′ ⟩ |h′′ ⟩ = A(h′ , h′′ ) · B(h′ , h′′ ) |h′ ⟩ |h′′ ⟩ , (51)
h′ ∈Zn ′′ n
M h ∈Z 2 h′ ∈Zn ′′ n
M h ∈Z 2
t +∥x∥2 t +∥x∥2

where
T
∥x∥2 (s2 +r 2 i)
  
⟨x,y⟩x ⟨x,y⟩x
−π h′ (t2 +∥x∥2 )+m+h′′ + ∥x∥2 −y ·Σ· h′ (t2 +∥x∥2 )+m+h′′ + ∥x∥2 −y
X
A(h′ , h′′ ) := e s2 r 2

m∈P Zn
⟨x,z′ ⟩ ,h′ (t2 +∥x∥2 )+m+h′′
* +
z′ −x 2
t +∥x∥2
· e−2πi P ,
2
h′′ ,x ⟨x,z′ ⟩ x,z′ ⟨h′′ ,x⟩ ⟨x,z′ ⟩
  
∥x∥2 (s4 +r 4 )(t2 +∥x∥2 ) ⟨ ⟩ ⟨x,y⟩ ⟨ ⟩ ⟨x,y⟩
X −π k′ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2 2πi k′ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2
B(h′ , h′′ ) := s4 r 2 t2 P
e ·e .
k′ ∈Z

To understand the distribution of h∗ obtained by measuring |h′′ ⟩, we observe that the width of the
′′ ,x⟩
Gaussian function for the variable t2⟨h+∥x∥ rts2 s2
2 in Eqn. (50) is less than ur 2 t = ur ≤C.5
2u2 t2 1
ur · 1 + log n =
   
2ut2 1 √ 1 1
r · 1 + log n <C.7 4β n log2 n · 1 + log n ≪ 1, whereas the width of the Gaussian function for the
variable h′′ in the first line of Eqn. (49) is roughly ur ≫ 1. So the tail bound of h∗ is almost determined
by the second line of Eqn. (49).
2ut2 √
 ′′
⟨x,z′ ⟩
n  o
Define the set Sh′′ := h′′ ∈ Znt2 +∥x∥2 dist t2⟨h+∥x∥ ,x⟩
2 − ⟨x,y⟩
∥x∥2
+ t2 +∥x∥2
, Z > r n log n . We can split
|φ4 ⟩ in Eqn. (51) as
X X X X
|φ4 ⟩ = f4 (h′ , h′′ ) h′ h′′ + f4 (h′ , h′′ ) h′ h′′
h′ ∈Zn ′′
M h ∈Sh′′ h′ ∈Zn ′′ n
M h ∈Z 2 \Sh′′
t +∥x∥2
| {z } | {z }
=:|φ∗4 ⟩ =:|φ∗∗
4 ⟩

We prove Lemma 3.24 by showing that ∥|φ∗4 ⟩∥22 ∈ 2−Ω(n) · ∥|φ∗∗ 2

4 ⟩∥2 .
2
Claim 3.25. ∥|φ∗∗
4 ⟩∥2 ≥
1
10 .

Proof. It suffices to show there exists h′ ∈ ZnM , h′′ ∈ Znt2 +∥x∥2 \ Sh′′ such that |f4 (h′ , h′′ )|2 ≥ 1
10 .
Consider the following set T :
t2 + ∥x∥2
   
′ n ′′ n ′ 2 2 ′′ ⟨x, y⟩ n−1
T := h ∈ ZM , h ∈ Zt2 +∥x∥2 h · (t + ∥x∥ ) + h = y − x + a|0 where |a| ≤ .
∥x∥2 D

46
 ′′ ′
Since the first entry of x is −D, we know there exists (h′ , h′′ ) ∈ T such that t2⟨h+∥x∥ ,x⟩ ⟨x,y⟩ ⟨x,z ⟩
2 − ∥x∥2 + t2 +∥x∥2 ∈ Z,

hence h′′ ∈ Znt2 +∥x∥2 \ Sh′′ . For such a pair of h′ , h′′ , the absolute value of its amplitude can be analyzed
as follows. First, for the B part of Eqn. (51), we have
2
⟨h′′ ,x⟩ ⟨x,z′ ⟩

∥x∥2 (s4 +r 4 )(t2 +∥x∥2 ) ⟨x,y⟩
X −π k′ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2
′ ′′ s 4 r 2 t2
|B(h , h )| ≥ 1 − e ≥(a) 1 − negl(n),
⟨h′′ ,x⟩ ⟨x,y⟩ ⟨x,z′ ⟩
k′ ∈Z, k′ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2 ≥1

√ s2 rt 3ut2 1
where (a) uses ≤C.5 r ≤C.7 log n and Lemma 2.6.
∥x∥ (s4 +r4 )(t2 +∥x∥2 )

Second, for the A part of Eqn. (51), we have

√ ∥x∥2 2
∥x∥2 −π h′ (t2 +∥x∥2 )+m+h′′ +
⟨x,y⟩x
−y
n+(t2 +∥x∥2 )/D)2
|A(h′ , h′′ )| ≥(a) e−π r2 t2 (
X
− e r 2 (t2 +∥x∥2 ) ∥x∥2

m∈P Zn ,m̸=0 (52)

√ n
≥(b) 1/2 − ρ r t2 +∥x∥2 (Z ) · negl(n) ≥(c) 1/3,
P ∥x∥

 
1 xxT
where (a) uses Σ = (from Eqn. (23)) and the fact that the eigenvalues of Σ are t12 and
t2
In − t2 +∥x∥2
∥x∥2 √
√
1 t2 −π 2 2 ( n+(t2 +∥x∥2 )/D)2 r t2 +∥x∥2 r r 1
t2 t2 +∥x∥2
; (b) uses e r t ≥ 1/2, and P ∥x∥ =C.2 2(t2 +∥x∥ 2 )1.5 u < ut3 <C.7 log n
2
and Lemma 2.6; (c) uses ρ r√t2 +∥x∥2 (Zn ) < 2. Therefore, ∥|φ∗∗ 2 2 2
4 ⟩∥2 ≥ |AB| ≥ (1 − negl(n)) (1/3) ≥
P ∥x∥
1/10. This completes the proof of Claim 3.25.
2
Claim 3.26. ∥|φ∗4 ⟩∥22 ≤ 2−Ω(n log n) .

Proof. For any (h′ , h′′ ) ∈ ZnM × Sh′′ , the absolute value of the amplitude on |h′ ⟩ |h′′ ⟩ is
|A(h′ , h′′ )B(h′ , h′′ )|
2
⟨h′′ ,x⟩ ⟨x,z′ ⟩

T 2 ⟨x,y⟩
∥x∥2 −π 9ur2 t4 k′ − t2 +∥x∥2 + ∥x∥2 − t2 +∥x∥2
  
⟨x,y⟩x ⟨x,y⟩x
−π h′ (t2 +∥x∥2 )+m+h′′ + −y ·Σ· h′ (t2 +∥x∥2 )+m+h′′ + ∥x∥2 −y
X X
≤(a) e r2 ∥x∥2 · e
m∈P Zn k′ ∈Z
∥x∥2 ⟨x,y⟩x 2
−π r2 (t2 +∥x∥2 ) h′ (t2 +∥x∥2 )+m+h′′ + −y 2
X
≤(b) e ∥x∥2 · 2−Ω(n log n)

m∈P Zn
2 2
≤ ρ r√t2 +∥x∥2 (Zn ) · 2−Ω(n log n)
∈(c) 2−Ω(n log n)
,
P ∥x∥

2
⟨h′′ ,x⟩ ⟨x,z′ ⟩

2 ⟨x,y⟩
∥x∥2 (s4 +r4 )(t2 +∥x∥2 ) 2 −π r2 4 k′ − 2 2 + 2 − 2 2
≥ 9ur2 t4 ; in (b), 9u t t +∥x∥ ∥x∥ t +∥x∥
P
where in (a) we use s4 r2 t2 k′ ∈Z e ≤
2 2
2−Ω(n log n) · ρ 3ut2 (Z) ≤2 −Ω(n log n) ′′ ′
follows from h ∈ Sh′′ and Lemma 2.5 over k ∈ Z; the rest of the
r  
P 1 xxT
expression under m∈P Zn uses Σ = t2
In − t2 +∥x∥2
(from Eqn. (23)) and the fact that the eigenvalues
1 1 t2
of Σ are t2
and t2 t2 +∥x∥2
; (c) uses ρ r√t2 +∥x∥2 (Zn ) < 2 (same as Item (c) in Eqn. (52)).
P ∥x∥
2 2
Therefore, ∥|φ∗4 ⟩∥22 ≤ 2−Ω(n log n) · P n ∈ 2−Ω(n log n) .

Then Lemma 3.24 follows from Claims 3.25 and 3.26.

47
3.6.4 Detailed proofs in Step 6

The entire §3.6.4 is devoted to proving that |φ6 ⟩ is negligibly close to |φ′′′
6 ⟩ in Eqn. (27). We first give
the Fourier transformation calculation in Lemma 3.27, then prove tail bounds in Lemma 3.29.
⟨x,z′ ⟩
 
Lemma 3.27. For any c ∈ Zn , let c′ := c + z′ + h∗ − y + x ⟨x,y⟩ ∥x∥ 2 − 2
t +∥x∥ 2 . Then |φ6 ⟩ =
n n
P
c∈Zn f6 (c) |c⟩ where f6 : Z → C satisfies: for any c ∈ Z ,
M

2

T
 2
⟨x,z′ ⟩ x ⟨x,z′ ⟩ x
c+z′ − 2
In − xx 2 c′ − M
( 2 kc ) c+z′ − 2
∥x∥ t +∥x∥2 t +∥x∥2
T
e−π · e−2πi
X
2πikc ·
f6 (c) = σ 2 e M M2

kc ∈0|Zn−1
! 2
−π 1
2Djx−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ x
X σx2 ∥x∥2 t2 +∥x∥2
· e
j∈Z
!! 2!
−2πi
⟨(c′ − M2 kc ),x⟩ 2Dj−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ 2
+ t2
⟨(c′ − M2 kc ),x⟩
M ∥x∥2 ∥x∥2 t2 +∥x∥2 M ∥x∥4
·e ,
 
1 1
where σx ∈ C satisfies Re σx2
∈ σ2
· (1, 3).

Note that in the proof we give a more accurate expression of σ12 = W +U 1 1 ′′ are
′′ i (2D∥x∥)2 where W, U
  x

defined in Eqns. (70), (64), but the loose bound of Re σ12 ∈ σ12 · (1, 3) suffices for our purpose.
x

Proof. For |φ6 ⟩ = QFTZnM |φ5 ⟩, where |φ5 ⟩ is defined in Eqn. (26), we have

⟨x,y⟩x T 
⟨x,y⟩x
 
h∗ + −y h∗ + −y
(t2 +∥x∥2 )2 ∥x∥2 (s2 +r 2 i)  ′ m ∥x∥2  ·Σ·h′ + m ∥x∥2
−π h + + + 
X X X s2 r 2 t2 +∥x∥2 t2 +∥x∥2 t2 +∥x∥2 t2 +∥x∥2
|φ6 ⟩ = e
c∈Zn ′ n
M h ∈ZM m∈P Z
n
* ∗
+
h′ + 2m+h 2
′ ⟨x,z′ ⟩ t +∥x∥
−2πi z −x 2 ,
t +∥x∥2 M h′
D E
−2πi c, M
·e ·e |c⟩

⟨x,y⟩x T 
⟨x,y⟩x
 
h∗ + −y h∗ + −y
(t2 +∥x∥2 )2 ∥x∥2 (s2 +r 2 i)  ′ m ∥x∥2  ·Σ·h′ + m ∥x∥2
−π h + + + 
X X X s2 r 2 t2 +∥x∥2 t2 +∥x∥2 t2 +∥x∥2 t2 +∥x∥2
=(a) e
c∈Zn
M h′ ∈Zn
M m∈P Zn
h′ + 2 m 2 h′ + 2 m 2
* + * +
⟨x,z′ ⟩ t +∥x∥ t +∥x∥
−2πi z′ −x 2, −2πi c,
t2 +∥x∥ M M
·e ·e |c⟩
T
⟨x,y⟩x ⟨x,y⟩x
  
h∗ + −y h∗ + −y
⟨x,z′ ⟩ ,h′
* +
(t2 +∥x∥2 )2 ∥x∥2 (s2 +r 2 i)  ′ ∥x∥2 ∥x∥2
−π h+ ·Σ·h′ + c+z′ −x 2
t +∥x∥2
 
X X 2
s r 2 t +∥x∥2
2 t +∥x∥2
2
=(b) e · e−2πi M |c⟩ ,
c∈Zn ′
M h ∈Z
n

48
 h′ + 2 m 2
* +
t +∥x∥
h′ −2πi c,
D E
−2πi c, M M
m
where in (a) we use e = e since t2 +∥x∥2
∈ M Zn , and we omit the global
⟨x,z′ ⟩ h∗
 
−2πi z′ −x 2 ,
2 P
phase of e t +∥x∥
; in (b) we merge h′ +
for h′ ∈ ZnM , m ∈ P Zn into h′ ∈ Zn .
m
t2 +∥x∥2
 
xxT −1 = t2 I + xxT . So by
To continue analyzing |φ6 ⟩, recall from Eqn. (23) that Σ = t12 In − t2 +∥x∥ 2 , Σ n
P P
applying PSF from h′ ∈Zn to j∈Zn , we get
T
⟨x,z′ ⟩ ⟨x,z′ ⟩
  
2 2 2 2 c+z′ −x 2 c+z′ −x 2
s r (s −r i) t +∥x∥2 2 T t +∥x∥2
−π 2 j+  ·( t In +xx ·j+ )
   
(t +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) M M 
X X
|φ6 ⟩ = e
c∈Zn
M j∈Z
n

⟨x,z′ ⟩
 
⟨x,y⟩x
h∗ + 2 −y c+z′ −x 2
∥x∥ t +∥x∥2
2πi j+
 
t2 +∥x∥2 M 
·e |c⟩

s2 r 4 t2
Since ∥x∥2 (s4 +r4 ) (t2 +∥x∥2 )2
= 2 (Condition C.5), we have for all j ∈ Zn ,

2
⟨x,z′ ⟩

⟨x,z′ ⟩ ⟨x,z′ ⟩
2
* +
⟨x,z′ ⟩
c+z′ −x 2 c+z′ −x 2 c+z′ −x 2 c+z′ −x 2
t +∥x∥2 t +∥x∥2 t +∥x∥2
s2 r 4 i t +∥x∥2
 
π 2 2
·t j+ 2
2πi j+ , − 
(t +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) M M M M2 
e =e .

In other words, this enables us to erase the quadratic terms of j related to the imaginary part of the
s2 r2 (s2 −r2 i) s2 r2 (s2 −r2 i)
t2 In term in (t2 +∥x∥ 2 T . Therefore,


(t2 +∥x∥2 )2 ∥x∥2 (s4 +r4 ) 2 )2 ∥x∥2 (s4 +r 4 ) t In + xx

T
⟨x,z′ ⟩ ⟨x,z′ ⟩
  
2 2 2 2 c+z′ −x 2 c+z′ −x 2
s r (s −r i) t +∥x∥2 2 T t +∥x∥2
−π 2 j+  ·( t In +xx ·j+ )
   
(t +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) M M 
e
T
⟨x,z′ ⟩ ⟨x,z′ ⟩
  
c+z′ −x 2 c+z′ −x 2
s2 r 2 t +∥x∥2 2 2 2 2 T t +∥x∥2
−π 2 j+  ·( s t In +(s −r i)xx ·j+ )
   
(t +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) M M 
= e
2
⟨x,z′ ⟩

⟨x,z′ ⟩ ⟨x,z′ ⟩
* +
c+z′ −x 2 c+z′ −x 2 c+z′ −x 2
 t +∥x∥2 t +∥x∥2 t +∥x∥2 
2πi
2 j+ , − 
M M M2 
·e

Let R := s2 t2 , T := s2 − r2 i. Then
2
−1 !
T T
2 xx

T −1 R T 1
= T −1 · In + xxT In − R T


RIn + T xx =Eqn. (8) ·
T R 1 + R ∥x∥2 T
! (53)
T
xxT T xxT
 
1 R2 1
= In − T
= · In − .
R 1+ R ∥x∥2 R R + T ∥x∥2

49
 2
⟨x,z′ ⟩ ⟨x,z′ ⟩ ⟨x,z′ ⟩
h∗ +
⟨x,y⟩x
−y c+z′ −x c+z′ −x c+z′ −x
∥x∥2 t2 +∥x∥2 t2 +∥x∥2 t2 +∥x∥2
Therefore, let wc,k := k − t +∥x∥2
2 −2 M , θc,k := kT · M − M2
,
T
⟨x,z′ ⟩ ⟨x,z′ ⟩
  
2 2 c+z′ −x 2 c+z′ −x 2
s r t +∥x∥2 t +∥x∥2
−π 2 j+  ·(s2 t2 In +(s2 −r2 i)xxT )·j+
   
(t +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) M M
 
X X
|φ6 ⟩ = e
c∈Zn
M j∈Zn
2
⟨x,z′ ⟩

⟨x,z′ ⟩ ⟨x,z′ ⟩
* +
c+z′ −x 2 ⟨x,z′ ⟩
 
c+z′ −x 2 c+z′ −x 2 2 h∗ +
⟨x,y⟩x
−y c+z′ −x 2
 t +∥x∥2 t +∥x∥2 t +∥x∥ 
∥x∥2 t +∥x∥2
2πi
2 j+ , − 
2πi j+
 
M M M2  t2 +∥x∥2 M 
·e ·e |c⟩
(t2 +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) T T xxT
 
1
X X −π wc,k · R · In − 2 ·wc,k
=(a) e s2 r 2 R+T ∥x∥ · e2πiθc,k |c⟩
c∈Zn
M k∈Z
n

22 (t2 +∥x∥2 )2 ∥x∥2 (s4 +r 4 ) T xxT

T
 
X X −π ( M2 wc,k ) · In − ·( M wc,k )
= e s2 r 2 RM 2 R+T ∥x∥2 2
· e2πiθc,k |c⟩
c∈Zn
M k∈Zn
∥x∥2 (s4 +r 4 ) T xxT
T
 
X X −π ( M2 wc,k ) · In − ·( M wc,k )
=(b) e s4 r 2 t2 R+T ∥x∥2 2
· e2πiθc,k |c⟩ ,
c∈Zn
M k∈Z
n

(54)

and Eqn. (7); in (b) we use M = 2(t2 + ∥x∥2 ) (C.2)

P P
where in (a) we use PSF from j∈Zn to k∈Zn ,
and drop in R = s2 t2 .
Note that
⟨x, z′ ⟩
 
M ′ ∗ ⟨x, y⟩ x M
− wc,k = c + z − x 2 2
+ h + 2
−y − k
2 t + ∥x∥ ∥x∥ 2
⟨x, z′ ⟩
 
⟨x, y⟩ M
= c + z ′ + h∗ − y + x 2
− 2 2
− k.
∥x∥ t + ∥x∥ 2

To simplify the notations, recall in the statement of Lemma 3.27 where we denote

⟨x, z′ ⟩
 
⟨x, y⟩
c′ := c + z′ + h∗ − y + x − . (55)
∥x∥2 t2 + ∥x∥2
′⟩
 
Therefore c + z′ − t2⟨x,z
+∥x∥2
x = c ′ − h∗ − y + x ⟨x,y⟩ .
∥x∥2
2
Also recall from Condition C.6 that we denote σ = √trs . So we can rewrite |φ6 ⟩ in Eqn. (54) as
u s +r4
4

 
⟨x,y⟩
c′ − h∗ −y+x
T xxT
T
 
−π 12 ( c′ − M k) · In − c′ − M
·( k) ∥x∥2
2πikT ·
X X
|φ6 ⟩ = e σ 2 R+T ∥x∥2 2
·e M · e2πiθc |c⟩ , (56)
c∈Zn
M k∈Zn

2
⟨x,z′ ⟩
c+z′ − x
t2 +∥x∥2
where θc := − M2
. Note that e2πiθc is a phase term that only depends on c, not on k.

50
Next, we reorganize the expression of |φ6 ⟩ in Eqn. (56) by splitting k ∈ Zn into kc +k where kc ∈ 0|Zn−1 ,
k ∈ bZ. Since the first coordinate of b is −1, there is a one-to-one mapping between Zn and 0|Zn−1 ×bZ.
Therefore |φ6 ⟩ can be equivalently written as
X
g c′ , kc · e2πiθc |c⟩ ,


|φ6 ⟩ =
n
(57)
c∈ZM ,kc ∈0|Zn−1

where g(c′ , kc ) is defined as

 
⟨x,y⟩
c′ − h∗ −y+x
T xxT
T
 
−π 1
(c′ − M2 (kc +k)) · In − ·( c ′ − M (kc +k)) ∥x∥2
+k)T ·
X
g(c′ , kc ) = e σ2 R+T ∥x∥2 2
· e2πi(kc M . (58)
k∈ xZ
D

Figure 4: Explaining the support of |φ6 ⟩. In this example, b = (−1, 3).

As illustrated in Fig. 4, for the solid gray ball in the middle, the summation of k ∈ bZ in Eqn. (58)
runs through the points in the triangles; the summation of kc ∈ 0|Zn−1 in Eqn. (57) runs through the
points in the squares.
Next, for any c′ − in Eqn. (58), we write c′ − M
M
2 kc
⊥
2 kc = cx + cx , where

xxT xxT
    
′ M ⊥ ′ M ′ M
cx := µx := c − kc , and cx := c − kc − cx = In − c − kc . (59)
∥x∥2 2 2 ∥x∥2 2

Therefore, g(c′ , kc ) in Eqn. (58) can be written as

 
M k +c⊥ +c − h∗ −y+x ⟨x,y⟩
T xxT 2 c x
T
 
1 M M x ∥x∥2
X −π (c⊥
x +cx − 2 k) · In − ·(c⊥
x +cx − 2 k) T
g(c′ , kc ) = e σ2 R+T ∥x∥2 ·e 2πi(kc +k) · M

k∈ xZ
D
 
M k +c⊥ +c − h∗ −y+x ⟨x,y⟩
∥c⊥ ∥2 2 c x x
∥x∥2
−π x2 T
·
=(a) e σ e2πikc M

T xxT M ∗
T
 
1
(cx − M2 k) ·(cx − M T · 2 kc +cx −h
2 )
X −π · In − k
· e σ2 R+T ∥x∥2 · e2πik M ,
k∈ xZ
D
| {z }
=:h(cx )
(60)

51
 ⟨x,y⟩
y−x
∥x∥2
where (a) holds since k ∈ xZ
D, c⊥ T
x , x = 0, k · M = 0, and
T 
T xxT
   
M M
c⊥
+ cx −
x k · In − ⊥
· cx + cx − k
2 R + T ∥x∥2 2
T  !
T xxT
   
T M M
= c⊥
x + c x − k · I n − · c ⊥
x + c x − k
2 R + T ∥x∥2 2
T 
T xxT
   
M M
= ∥c⊥ 2
x ∥ + cx − k · In − · cx − k .
2 R + T ∥x∥2 2

Let us continue expanding the h(cx ) term by writing it as a function of µ (recall that we define µ =
⟨(c′ − M2 kc ),x⟩
∥x∥2
, cx = µx in Eqn. (59)). Also, we replace k ∈ xZ xk
D by D for k ∈ Z. Then

T xxT ∗ M
T
 
1
(µx− M k
·(µx− M k T · µx−(h − 2 kc )
2D ) 2D )
X −π x · In − x k
h(cx ) = e σ2 R+T ∥x∥2 · e2πi D x M

k∈Z
(61)
T xxT k µ∥x∥2 − h∗ − M
( ⟨ ⟩)
 
1
(µ− M k
·xT x·(µ− M k 2 kc ,x
2D ) 2D )
X −π In − 2πi
= e σ2 R+T ∥x∥2 ·e DM =: A(µ)
k∈Z

 
T xxT
It remains to analyze A(µ). Let us start from estimating xT In − R+T ∥x∥2
x =: S+U i, where S, U ∈ R
denote the real and imaginary parts. First,
T s2 − r2 i s2 − r2 i
= =
R + T ∥x∥2 s2 t2 + ∥x∥2 (s2 − r2 i) s2 (t2 + ∥x∥2 ) − ∥x∥2 r2 i
(s − r i)(s (t + ∥x∥ ) + ∥x∥2 r2 i)
2 2 2 2 2
=
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4
s (t + ∥x∥2 ) + ∥x∥2 r4 + (s2 ∥x∥2 r2 − s2 (t2 + ∥x∥2 )r2 )i
4 2
=
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4
(s (t + ∥x∥ ) + ∥x∥2 r4 ) − (s2 t2 r2 )i
4 2 2
= .
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4

To simplify the denominator of the expression above, we let

s4 (t2 + ∥x∥2 )2 ∥x∥4 t4 (t2 + ∥x∥2 )2 M4
   
ϵ := ∈O ∈O ∈C.8 o(n−3 ). (62)
∥x∥4 r4 ∥x∥4 r4 r4
 
T xxT
Then, the real part of xT In − R+T ∥x∥2
x equals to

∥x∥4 (s4 (t2 + ∥x∥2 ) + ∥x∥2 r4 )

S = ∥x∥2 −
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4
s4 (t2 + ∥x∥2 )2 ∥x∥2 + ∥x∥6 r4 − ∥x∥4 s4 (t2 + ∥x∥2 ) − ∥x∥6 r4
=
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4
s4 ∥x∥2 (t4 + 2t2 ∥x∥2 + ∥x∥4 − t2 ∥x∥2 − ∥x∥4 ) (63)
=
s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4
2 ! 2 ! 2 !
s4 ∥x∥2 t2 (t2 + ∥x∥2 )
 2 2  4
t ∥x∥3
 2
s t ∥x∥ M ∥x∥
= 4 2 ∈O ∈C.5 O ∈C.2 O
s (t + ∥x∥2 )2 + ∥x∥4 r4 r2 ∥x∥2 r2 ∥x∥2 r2

52
 r 2
This means the width in the direction of x is in the order of M 2 , which is larger than M/2.
 
T xxT s t r ∥x∥4
2 2 2
The imaginary part of xT In − R+T ∥x∥2
x is U = s4 (t2 +∥x∥ 2 )2 +∥x∥4 r 4 . Note that U > S.

We will use the following identity later in Eqn. (64):

2 2
∥x∥2 (s4 + r4 ) s2 t2 r2 ∥x∥4
 
U M M
· =
σ2 2D t2 r2 s4 s4 (t2 + ∥x∥2 )2 + ∥x∥4 r4 2D
2
∥x∥2 (s4 + r4 ) ∥x∥4

1 M
= ·
s2 ∥x∥4 r4 1 + ϵ 2D
2
∥x∥2 (s4 + r4 ) r4 t2

M 1
=C.5
r4 2∥x∥2 (s4 + r4 )(t2 + ∥x∥2 )2 2D 1+ϵ
2
t
=C.2 · (1 + O(ϵ)) .
2D2

t2
Given that 2D2
∈ 2Z (Condition C.1), we can write
2
t2 t2 t2 ϵ
  
U M ′ ′′ ′
· = (1 + O(ϵ)) = U + U , where U := ∈ 2Z, U ′′ ∈ O . (64)
σ2 2D 2D2 2D2 D2

Then A(µ) from Eqn. (61) equals to

S+U i k 2 k(µ∥x∥2 −⟨h∗ − M

2 kc ,x⟩)
e−π (µ− M
2D ) · e2πi
X
A(µ) = σ2 DM

k∈Z
k µ∥x∥2 − h∗ − M
( ⟨ ⟩)
  2 2
X −π S
+ U2i M
( 2D ) ( 2D µ−k) 2 kc ,x
= e σ2 σ M
· e2πi DM

k∈Z
k µ∥x∥2 − h∗ − M
( ⟨ ⟩)
 2
 2
 2

S M
( 2D ) +U ′′ i ( 2D µ−k) −πU ′ i k2 −2 2D µk+( 2D 2 kc ,x
M )
−π µ
X
2πi
=(a) e σ2 M
e M
·e DM

k∈Z
k µ∥x∥2 − h∗ − M
( ⟨ ⟩)
 2
 2
S M
( 2D ) +U ′′ i (k− 2D 2 2 kc ,x
M )
−π µ 2πiU ′ 2D µk −πiU ′ ( 2D
M ) (65)
X
µ 2πi
=(b) e σ2 e M e ·e DM

k∈Z
!2
µ∥x∥2 − h∗ − M
⟨ 2 kc ,x ⟩
1
−π j− 2D U ′ µ−
1 X S M
( 2D )
2
+U ′′ i
M DM
=(c) q · e σ2 · e2πiθ(µ,j)
S M 2


σ2 2D + U ′′ i j∈Z
!!2
−π 1 1
j− 2D µ−
⟨h∗ − M2 kc ,x⟩
1 X S M
( 2D )
2
+U ′′ i t2 +∥x∥2
=(d) q · e σ2 · e2πiθ(µ,j)
S M 2


σ2 2D + U ′′ i j∈Z

where (a) uses Eqn. (64); (b) uses U ′ ∈ 2Z; (c) uses PSF and keeps the phase term in θ(µ, j); (d) uses

2D ′ µ∥x∥2 − h∗ − M
2 kc , x 2D t2 µ∥x∥2 − h∗ − M2 kc , x
U µ+ =U ′ = t2
2
µ+
M DM M 2D
2D 2 DM ! (66)
t2 + ∥x∥2 h∗ − M k
2 c , x 1 h∗ − M2 kc , x
=µ − = µ− .
DM DM 2D t2 + ∥x∥2

53
So that θ(µ, j) equals to
2 !
µ∥x∥2 − h∗ − U ′ 2D M

2Dµ 2D ′ 2 kc , x
θ(µ, j) := − j− U µ− − µ
M M DM 2 M
!! 2
h∗ − M t2

2Dµ 1 2 kc , x 2D
=Eqn.(66), U ′ = t2 − j− µ− − µ (67)
2D 2 M 2D t2 + ∥x∥2 4D2 M
!!
µ h∗ − M
2 kc , x t2 µ2
=− 2Dj − µ − 2 2
− .
M t + ∥x∥ M2

Note that in the direction parallel to x,

h∗ − M2 kc , x c′ − M
2 kc , x h∗ − M2 kc , x
µ− = −
t2 + ∥x∥2 ∥x∥2 t2 + ∥x∥2
(68)
⟨c′ , x⟩ ⟨h∗ , x⟩ t2 M2 kc , x ⟨c, x⟩ t2 ⟨z′ + h∗ , x⟩ t2 ⟨kc , x⟩
= − − = + − .
∥x∥2 t2 + ∥x∥2 ∥x∥2 (t2 + ∥x∥2 ) ∥x∥2 ∥x∥2 (t2 + ∥x∥2 ) ∥x∥2

⟨(c′ − M2 kc ),x⟩
To put together the expression of |φ6 ⟩, recall from Eqn. (59) that cx = µx, where µ = ∥x∥2
.
′⟩
 
⟨x,y⟩ ⟨x,z
Also recall from Eqn. (55) that c′ = c + z′ + h∗ − y + x ∥x∥2 − t2 +∥x∥2 . We drop A(µ) (Eqn. (65))
into h(cx ) (Eqn. (61)), then drop h(cx ) in g(c′ , kc ) (Eqn. (58)), then drop g(c′ , kc ) in |φ6 ⟩ (Eqn. (57)),
we get
2

T
 2
⟨x,z′ ⟩ x ⟨x,z′ ⟩ x
c+z′ − 2
In − xx 2
∥x∥
(c′ − M2 kc ) c+z′ − 2
t +∥x∥2 t +∥x∥2
2πikc T ·
e−π · e−2πi
X
|φ6 ⟩ = σ2 e M M2

c∈Zn
M , kc ∈0|Z
n−1
!!2
1 1 ⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩
X −π W +U ′′ i j− 2D
∥x∥2 t2 +∥x∥2 (69)
· e
j∈Z
!! 2!
−2πi
⟨(c′ − M2 kc ),x⟩ 2Dj−
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩ + t2 ⟨(c′ − M2 kc ),x⟩
M ∥x∥2 ∥x∥2 t2 +∥x∥2 M2 ∥x∥4
·e |c⟩ ,
where
2 2
s4 ∥x∥2 t2 (t2 + ∥x∥2 ) 1 ∥x∥2 (s4 + r4 ) M
 
S M
W := 2 · =Eqn. (63)
σ 2D r4 ∥x∥4 1+ϵ t2 r2 s4 2D
4  2 2 4 (70)
2 2 1+ s 2 2 3 1 + rs4
 
(t + ∥x∥ ) r4 M 4(t + ∥x∥ ) 1
= = · .
r2 1 + ϵ 2D r2 2D 1+ϵ
4 (s4 +r 4 )2
 
(t2 +∥x∥2 )4 2 (t2 +∥x∥2 )4
Recall that σ 2 = t2 r2 s4
∥x∥2 (s4 +r4 )
=C.5 t2 r2
∥x∥2 (s4 +r4 )
· 4 ∥x∥ r8 t4
= 4 ∥x∥ r2 t2
· 1+ s4
r4
. So
4
4∥x∥2 (t2 + ∥x∥2 )3 1 + rs4 t2 1
W · (2D · ∥x∥)2 = 2
· = σ2 · 2 · ⇒ W · (2D · ∥x∥)2 ∈ (0.5, 1) · σ 2 . (71)
r 1+ϵ t + ∥x∥2 1 + ϵ
       
U ′′ t2 ϵ r2 D2 t2 M 4 r2 M2
Also, W =(64),(70) O D2
· (t2 +∥x∥2 )3
=(62) O r4
· (t2 +∥x∥2 )3
=O r2
∈C.8 o(n−1 ). So Re 1
W +U ′′ i =
W (2D)2 ∥x∥2
W 2 +U ′′2
∈ σ2
· (1, 3). This concludes the proof of Lemma 3.27.

54
 M
Lemma 3.28. The support of |φ6 ⟩ consists of 2n−1 · 2D elliptical Gaussian balls centered at M
2 kc −
 ′ ∗  2
′ ∗ ⟨z +h ,x⟩ ⟨y,x⟩ n−1
(z + h − y) − x ⟨x, kc ⟩ + 2Djx + x t2 +∥x∥2 − ∥x∥2 , for some kc ∈ 0|Z and some j ∈ Z.

Proof.
 ForT those elliptical Gaussian balls, in the direction orthogonal to x, the width is σ, the center
xx

M ′ ∗

√
is I − ∥x∥2 2 kc − (z + h − y) ; in the direction parallel to x, the width is ≈ W · (2D · ∥x∥),
′ ∗
 2 2

t ⟨z +h ,x⟩ t ⟨kc ,x⟩
the center is 2Dj − ∥x∥ 2 (t2 +∥x∥2 ) + ∥x∥2
x (following Eqn. (68)). Combining both directions, the
centers are
xxT t2 ⟨z′ + h∗ , x⟩ t2 ⟨kc , x⟩
    
M ′ ∗
I− kc − (z + h − y) + 2Dj − + x
∥x∥2 2 ∥x∥2 (t2 + ∥x∥2 ) ∥x∥2
xxT M t2 ⟨z′ + h∗ , x⟩ t2 ⟨kc , x⟩
   
M ′ ∗ ′ ∗
= kc − (z + h − y) − kc − (z + h − y) + 2Dj − + x (72)
2 ∥x∥2 2 ∥x∥2 (t2 + ∥x∥2 ) ∥x∥2
 ′
⟨z + h∗ , x⟩ ⟨y, x⟩

M
= kc − (z′ + h∗ − y) − x ⟨x, kc ⟩ + 2Djx + x − ,
2 t2 + ∥x∥2 ∥x∥2

for some kc ∈ 0|Zn−1 and some j ∈ Z.

Next we prove the tail bounds of the Gaussian balls in the support of |φ6 ⟩. For  W, U ′′ defined in
⟨x,z′ ⟩

Eqns. (70), (64). For c ∈ ZnM , kc ∈ 0|Zn−1 , j ∈ Z, recall that c′ = c + z′ + h∗ − y + x ⟨x,y⟩
∥x∥2
− t2 +∥x∥2
is defined in Eqn. (55). Let
!!2
T 2
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩
 
In − xx 2 c′ − M
( 2 kc ) −π 2 W ′′2 1
j− 2D
∥x∥ ∥x∥2 t2 +∥x∥2
g6 (c, kc , j) := e−π
W +U
σ2 ·e · e2πiϕ6 (c,kc ,j) ,
(73)
−U ′′ i
′ −π ...
where e2πiϕ6 (c,kc ,j) contains the phase terms and the imaginary part of e W 2 +U ′′2 , i.e.,
!!2
⟨x,z′ ⟩ x ⟨x,z′ ⟩ x 2
c+z′ − 2 ′′ ⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩
c+z′ − 2 t +∥x∥2 −π W−U i 1
j− 2D
′ t +∥x∥2 2 +U ′′2 ∥x∥2 t2 +∥x∥2
2πikc T ·
e2πiϕ6 (c,kc ,j) := e M · e−2πi M2 e
2
⟨(c′ − M2 kc ),x⟩ ⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩
!!
⟨(c′ − M2 kc ),x⟩
!
t 2
−2πi M ∥x∥2
2Dj− ∥x∥2 t2 +∥x∥2
+M 2 ∥x∥4
·e .
P
Then |φ6 ⟩ = c∈Zn n−1 ,j∈Z g6 (c, kc , j) |c⟩ .
M ,kc ∈0|Z

In Lemma 3.29 we show that |φ6 ⟩ ≈t |φ′6 ⟩ ≈t |φ′′6 ⟩ ≈t |φ′′′ ′′′

6 ⟩ (our goal is to show |φ6 ⟩ ≈t |φ6 ⟩, but we
introduce two intermediate steps for clarity), where |φ′6 ⟩, |φ′′6 ⟩, |φ′′′
6 ⟩ are defined as follows:

X
φ′6 := g6 (c, kc , j) |c⟩ , (74)
√
c∈Zn
M, kc ∈0|Zn−1 , j∈Z s.t. dist(c′ − M
2
kc ,xR)≤σ n log n

X
φ′′6 := g6 (c, kc , j) |c⟩ , (75)
√
c∈Zn
M, kc ∈0|Zn−1 , j∈Z s.t. dist(c′ − M k ,xR)≤σ n log n
2 c

and
⟨c′ − M2 kc ,x⟩ − ⟨ ∗ M
h − 2 kc ,x ⟩ √
−2Dj ≤ σ ∥x∥
n log n
∥x∥2 t2 +∥x∥2

55
 X
φ′′′
6 := g6 (c, kc , j) |c⟩ , (76)
c∈Zn
M, kc ∈0|Zn−1 , j∈Z s.t.
⟨z′ +h∗ ,x⟩
 
M ⟨y,x⟩
kc −(z′ +h∗ −y)−x⟨x,kc ⟩+2Djx+x − −c ≤σ log n
2 t2 +∥x∥2 ∥x∥2
∞

As illustrated in Fig. 4, for the gradient gray ball on the top, the support of |φ′6 ⟩ is support′ (between
two dashed lines parallel to x), the support of |φ′′6 ⟩ is support′′ , the support of |φ′′′ ′′′
6 ⟩ is support .

Lemma 3.29. |φ6 ⟩ ≈t |φ′6 ⟩ ≈t |φ′′6 ⟩ ≈t |φ′′′

6 ⟩.

Proof. We treat |φ6 ⟩ , |φ′6 ⟩ , |φ′′6 ⟩ , |φ′′′ ′

6 ⟩ as unnormalized vectors. Between |φ6 ⟩ , |φ6 ⟩, it is in fact easier
to use the expression of |φ6 ⟩ from Eqn. (56) and the equal expression of |φ′6 ⟩ as follows:
 
⟨x,y⟩
c′ − h∗ −y+x
T xxT
T
 
1
(c′ − M2 k) ·( c ′ − M ∥x∥2
2 )
X −π · In − k 2πikT ·
φ′6 = e σ2 R+T ∥x∥2 ·e M · e2πiθc |c⟩ .
c∈Zn n,
M , k∈Z √
dist(c′ − M
2
k,xR)≤σ n log n
(77)
Note that the expressions of |φ′6 ⟩
in Eqn. (77) and Eqn. (75) only differ by a normalization
 factor of
1 1 1
√
W +U ′′ i
appeared in Eqn. (65), and we can verify that |√W +U ′′ i| ∈ poly(n) , poly(n) .
Then we have
|φ6 ⟩ − φ′6 1
T xxT
T
 
1
X −π
σ2
(c′ − M2 k) · In −
R+T ∥x∥2
·(c′ − M
2 )
k
≤ e
c∈Zn n,
M , k∈Z √
dist(c′ − M
2
k,xR)>σ n log n
T RxxT
T
  T
 
1
X −π
σ2
(c′ − M2 k) · In − xx 2 ·(c′ − M
2 )
k −π 1
σ2
(c′ − M2 k) ·
∥x∥2 (R+T ∥x∥2 )
·( c ′ − M
2 )
k
=(a) e ∥x∥ ·e
c∈Zn n
M ,k∈Z ,δ∈
Z
t2 +∥x∥2
, ⟨c′ − M2 k,x⟩=δ
√
dist(c′ − M
2
k,xR)>σ n log n
T δ2
T
 
1
X −π
σ2
(c′ − M2 k) · In − xx 2 ·(c′ − M
2 )
k −π
σ 2 ·(10r 2 ∥x∥2 )2
≤(b) e ∥x∥ ·e
c∈Zn n
M ,k∈Z ,δ∈
Z
⟨c′ − M2 k,x⟩=δ
t2 +∥x∥2
,
′ M √
dist(c − 2 k,xR)>σ n log n
δ2
 
X
−πn log2 n M X −π
σ 2 ·(10r 2 ∥x∥2 )2
≤(c) e · ρσ Lassist · e
2
c∈Zn
M δ∈ Z
t2 +∥x∥2
 
−πn log2 n M n 2
≤(d) M · e n
· ρσ Z · poly(n) ≤(e) e−πn log n
· poly(n) ∈ 2−Ω(n) ,
2
(78)
T xxT xxT xxT T xxT xxT RxxT
where in (a) we use In − R+T ∥x∥2
= In − ∥x∥2
+ ∥x∥2
− R+T ∥x∥2
= In − ∥x∥2
+ ∥x∥2 (R+T ∥x∥2 )
, and we
also fix c′ − M
2 k, x to be δ for δ ∈ Z
t2 +∥x∥2
; in (b) we use

s2 t2
   
R 1
Re = Re ≥ ;
∥x∥ (R + T ∥x∥2 )
2 ∥x∥2 (s2 t2 + s2 ∥x∥2 − r2 ∥x∥2 i) (10r2 ∥x∥2 )2

56
in (c) we use an assistant lattice Lassist := {k | k ∈ Zn , ⟨k, x⟩ = 0} ⊂ Zn , and for all δ ∈ Z
t2 +∥x∥2
, for all
c∈ ZnM , let Lassist + d be the coset of Lassist such that for k ∈ Lassist + d, c′ − M
2 k, x = δ, then

xxT
T
 
−π σ12 (c′ − M ′
2 k) · In − ∥x∥2 ·(c − 2 k)
M
X
e
√
2 k,x⟩=δ,dist(c − 2 k,xR)>σ n log n
k∈Zn ,⟨c′ − M ′ M

xxT
T
 
−π σ12 (c′ − M ′
2 k) · In − ∥x∥2 ·(c − 2 k)
M
X
= e
√
k∈Lassist +d,dist(c′ − M
2 k,xR)>σ n log n
2
xxT
 
′
−π σ12 In − ∥x∥ M
2 (c − 2 k)
X
= e

xxT

′ M √
k∈Lassist +d, In − ∥x∥ 2 (c − 2 k) >σ n log n
 
X −π σ12 ∥ M ′
2 k ∥
2
−πn log2 n M
=(∗) e ≤(∗∗) e · ρσ Lassist ,
√ 2
2 k ∥>σ n log n
k′ ∈Lassist +n,∥ M ′

       
xxT ′ − M k) = I − xxT c′ − M I − xxT k, and I − xxT k ∈ L
where (∗) uses In − ∥x∥ 2 (c 2 n ∥x∥2 2 n ∥x∥2 n ∥x∥2 assist +
   
xxT xxT
In − ∥x∥2 d, so we define n := In − ∥x∥ 2 (c′ − M 2 d), then (∗) holds; (∗∗) follows from Lemma 2.5.

In Item (d) of Eqn. (78) we use ρσ M M n 2 2 2 2

2 Lassist ≤ ρσ 2 Z , and t + ∥x∥ , σ · (10r ∥x∥ ) ∈ poly(n) so
δ 2
P −π
that δ∈ Z e σ2 ·(10r2 ∥x∥2 )2 ∈ poly(n); in (e) we use M, σ ∈ poly(n), and Lemma 2.7.
t2 +∥x∥2

Between |φ′6 ⟩ in Eqn. (74) and |φ′′6 ⟩ in Eqn. (75), we have


T
 2
In − xx 2 c′ − M
( 2 kc )
∥x∥
e−π
X
φ′6 − φ′′6 1
≤ σ 2

n−1 , j∈Z s.t. dist(c′ − M k ,xR)≤σ n log n √

c∈Zn
M , kc ∈0|Z 2 c

and
⟨c′ − M2 kc ,x⟩ − ⟨h∗ − M2 kc ,x⟩ −2Dj >σ
√
n log n
∥x∥2 t2 +∥x∥2 ∥x∥

!!2
−π W 1
j− 2D
⟨(c′ − M2 kc ),x⟩ − ⟨h∗ − M2 kc ,x⟩
W 2 +U ′′ 2 ∥x∥2 t2 +∥x∥2
·e
X 2
≤(a) ρW (Z) · 2−Ω(n log n)
√
c∈Zn
M , kc ∈0|Z
n−1 s.t. dist(c′ − M k ,xR)≤σ n log n
2 c
2 2
≤(b) M n · ρW (Z) · 2−Ω(n log n)
∈(c) 2−Ω(n log n)
,
√
⟨c′ − M2 kc ,x⟩ ⟨h∗ − M2 kc ,x⟩ σ n log n
where in (a) we fix c, kc , and apply Lemma 2.5 with ∥x∥2
− t2 +∥x∥2
− 2Dj > ∥x∥ over

T
 2
In − xx 2 c′ − M
( 2 kc )
∥x∥
j ∈ Z; in (a) we lalso use me−π ≤ 1; in (b) we use the fact that for each c ∈ ZnM ,
σ2
√ √
there is at most σ nMlog n ≤ 1 vector kc ∈ 0|Zn−1 such that dist(c′ − M
2 kc , xR) ≤ σ n log n; in (c)
we use M ∈ poly(n), and also W ∈ poly(n) (derived from Eqn. (71)) and Lemma 2.7 to conclude that
ρW (Z) ∈ poly(n).
To get a lower bound for ∥|φ′′6 ⟩∥22 , recall from Lemma 3.28 that the support consists of 2n−1 · 2D
M
2 elliptical

57
Gaussian balls, so
 2
T

In − xx 2 d (⟨d,x⟩)2
2 M ∥x∥ −2π
e−2π
X
φ′′6 2
≥ 2n−1 · · σ2 ·e ∥x∥2 σx2
,
2D2 √
d∈(Zn +u)∩σ nB2n

for some vector u ∈ [−0.5, 0.5)n which takes care of the fact that the centers of the elliptical Gaussian
2 2
balls are not necessarily in Zn ; σx satisfies σx ∈ (0.3, 1)σ, so σ σ−σ
2
x
∈ (0, 11). Note that
x

 2
T

In − xx 2 d (⟨d,x⟩)2
∥x∥ −2π
−2π
X 2
e σ2 ·e ∥x∥2 σx
√
d∈(Zn +u)∩σ nB2n
2
(σ 2 −σx2 )xxT
!
In + 2 ∥x∥2 d
σx
e−2π
X
= σ2
√
d∈(Zn +u)∩σ nB2n (79)
2 2
(σ 2 −σx2 )xxT (σ 2 −σx2 )xxT
! !
In + 2 ∥x∥2 d In + 2 ∥x∥2 d
σx σx
−2π −2π
X X
= e σ2 − e σ2
√
d∈(Zn +u) d∈(Zn +u)\σ nB2n
n n
σ n
   
1 σ 1 −Ω(n) σ
≥(a) √
(1 − negl(n)) − 2 · ∈ √ · (1 − negl(n)) √
12 2 12 2 2
 2 2 T

where (a) is obtained as follows: let Ba := In + (σ σ−σ x )xx
2 ∥x∥2 be the basis of an assistant lattice La .
x
(σ 2 −σx2 )
Then det(La ) = 1 + σx2
∈ (1, 12), λn (La ) ≤ 12, and λ1 (L∗a ) ≥ 1
12 . Let u′ := Ba u. Then
2
(σ 2 −σx2 )xxT
!
In + d
2 ∥x∥2
σ n X √
 
X −2π
σx
′ 1 ′
e σ2 =ρ σ
√ (La + u ) =(b) √ ρ 2 (w) · e2πi⟨w,u ⟩
2 det(La ) 2 σ
d∈(Zn +u) w∈L∗a
 n
1 σ
≥(c) √ (1 − negl(n)),
12 2

where (b) uses PSF and Eqn. (4); (c) uses σ > 2 log n, det(La ) ≤ 12, λ1 (L∗a ) ≥ 1
12 and Lemma 2.6. And
2
(σ 2 −σx2 )xxT
!
In + 2 ∥x∥2 d  n
X −2π
σx X −2π
∥d∥2
−Ω(n) n −Ω(n) σ
e σ2 ≤ e σ2 ≤2 ·ρ σ
√ (Z ) ∈Lemma 2.7 2 · √ .
√
d∈(Zn +u)\σ nB2n
√
d∈(Zn +u)\σ nB2n
2
2

Hence Item (a) in Eqn (79) holds.

 n
So ∥|φ′′6 ⟩∥22 ≥ 2n−1 · 2D
M 1
2 · 12
√σ
2
· (1 ± negl(n)). Therefore,

2
φ′′6 − φ′6 2
≤ φ′′6 − φ′6 1
∈ 2−Ω(n log n)
φ′′6 2
. (80)

Between |φ′′6 ⟩ and |φ′′′

6 ⟩, we use the fact that the Gaussian balls in |φ′′6 ⟩ are separated: in the direction
√
parallel to x, the gap is 2D∥x∥ >C.8 2σ n log n; in the direction orthogonal to x, the gap is at least

58
 M √
2∥b∥ >C.8 2σ n log n. Therefore,

2 M 2
φ′′6 − φ′′′
6 2
≤Lemma 2.6 2n−1 · · negl(n) · ρ √σ (Zn ) ≤ negl(n) · φ′′6 2
.
2D2 2

From Eqn (80), we can also derive that ∥|φ′6 ⟩∥2 ∈ (1 ± negl(n)) ∥|φ′′6 ⟩∥2 . So

|φ6 ⟩ − φ′6 2
≤ |φ6 ⟩ − φ′6 1
∈ negl(n) · φ′6 2
.

Then |φ6 ⟩ ≈t |φ′6 ⟩ ≈t |φ′′6 ⟩ ≈t |φ′′′

6 ⟩ follows Lemma 2.11.

3.7 Additional discussions

3.7.1 Additional observations from Step 2

The state obtained in Step 2 is not completely random (see Figure 2 (b)). The feature of Karst wave
could have already appeared here. There was even an opportunity of solving LWE directly in Step 2,
but our attempt wasn’t successful. However, the feature we observe in Step 2 motivates us to split the
modulus in Step 3 to 5, so let us explain the observations here.
Recall from Eqn. (18) that the expression of |φ2 ⟩ satisfies
 !
s2 r2 (s2 − r2 i) ⟨x, z⟩ 2 −2πi ⟨x,y⟩
  
⟨x,z⟩
2 j+ P
e2πi⟨y, P ⟩ |z⟩ .
X X z
|φ2 ⟩ ≈t exp −π j+ e ∥x∥
∥x∥2 (s4 + r4 ) P
z∈Zn
P j∈Z

s2 r 4
Suppose ∥x∥2 (s4 +r4 )
= 2ν for some ν ∈ Z (this is not necessarily consistent with Cond. C.5, but
s2 r 4
Cond. C.5 is never used before Step 2, so let us just assume ∥x∥2 (s4 +r4 )
∈ 2Z for now), then for j ∈ Z,
2 ! !!
s2 r4 ⟨x, z⟩ ⟨x, z⟩2 ⟨x,z⟩2

⟨x, z⟩ ⟨x,z⟩
exp πi j+ = exp 2πiν 2j + = e2πiν2j P e2πiν P2 .
∥x∥2 (s4 + r4 ) P P P2

This means
2 !
s4 r2

⟨x, z⟩ ⟨x,z⟩ ⟨x,z⟩2 ⟨x,y⟩
−2πi ∥x∥2 (j+
⟨x,z⟩
)
e2πi⟨y, P ⟩ |z⟩
X X z
|φ2 ⟩ ≈t exp −π j+ e2πiν2j P e2πiν P2 e P

∥x∥2 (s4 + r4 ) P
z∈Zn
P j∈Z
2 !
∥x∥2 (s4 + r4 )

X X ⟨x, y⟩ ⟨x, z⟩
=P SF exp −π k+ − 2ν e2πiϕ(k,z) |z⟩ ,
s4 r2 ∥x∥ 2 P
z∈Zn
P k∈Z

where ϕ(k, z) includes all phase terms.

Suppose we measure z now, we get some z ∈ ZnP such that

⟨x, y⟩ ⟨x, z⟩ s2 2ν∥x∥

2
− 2ν ∈ Z + e, where |e| ≤ log n ≈ log n. (81)
∥x∥ P ∥x∥r r

59
 P
If we multiply both sides of Eqn. (81) by 2ν , we get

P ⟨x, y⟩ P ∥x∥
− ⟨x, z⟩ ∈ P Z + e′ , where |e′ | ≤ log n. (82)
2ν∥x∥2 r

P
Although we don’t know the vector y, we can set parameters P, ν so that 2ν∥x∥2
∈ N Z for some integer
P ⟨x,y⟩
N ≥ 2 and P
N ∈ Z, which means 2ν∥x∥2
∈ N Z. Then we get ⟨x, z⟩ ≡ e′ (mod N ). If we can make sure
e′= 0 with probability more than 1 − 1
n,
then we can run Steps 1 to 2 for O(n) times and get O(n)
many vectors {zi }i∈O(n) and solve x by solving modular linear equations with coefficients {zi }i∈O(n) .
P ∥x∥
However, we can only guarantee |e′ | ≤ r log n, where P
r is inherently greater than 1. So the idea
above does not work.
The observation in Step 2 motivates us to work on a smaller modulus – imagine if we don’t need to
P
multiply both sides of Eqn. (81) by 2ν , but by a smaller factor, then the error term e′ may not be that
large. With the motivation of reducing the modulus, we come up with the idea of modulus splitting, as
is done in Steps 3 to 5.

Acknowledgment

I would like to sincerely thank Andrew Yao for his tremendous support, encouragement, and frequent,
insightful discussions about this project. I would like to thank Oded Regev for recommending the paper
of Yi-Kai Liu [Liu09] to me in 2020, and giving me valuable suggestions on an earlier version of this
manuscript. I would also like to thank Zihan Hu, Qipeng Liu, Han Luo, and Yaxin Tu for discussing
other attempts of designing quantum algorithms for solving LWE, and giving me valuable suggestions
on an earlier version of this manuscript. I would also like to thank Zvika Brakerski and Thomas Vidick
for pointing out a bug in one of my previous attempts for solving LWE made in 2022.

References
[ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-
secure encryption based on hard learning problems. In CRYPTO, volume 5677 of Lecture Notes in Computer
Science, pages 595–618. Springer, 2009.
[ADRS15] Divesh Aggarwal, Daniel Dadush, Oded Regev, and Noah Stephens-Davidowitz. Solving the shortest vector
problem in 2n time using discrete gaussian sampling: Extended abstract. In STOC, pages 733–742. ACM,
2015.
[Ajt96] Miklós Ajtai. Generating hard instances of lattice problems (extended abstract). In STOC, pages 99–108,
1996.
[AKS01] Miklós Ajtai, Ravi Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In
STOC, pages 601–610. ACM, 2001.
[Bab86] László Babai. On lovász’ lattice reduction and the nearest lattice point problem. Comb., 6(1):1–13, 1986.
[Ban93] Wojciech Banaszczyk. New bounds in some transference theorems in the geometry of numbers. Mathematische
Annalen, 296(1):625–635, 1993.
[Ban95] Wojciech Banaszczyk. Inequalities for convex bodies and polar reciprocal lattices in Rn . Discrete & Compu-
tational Geometry, 13(2):217–231, 1995.

60
[BDK+ 18] Joppe W. Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter
Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS - kyber: A cca-secure module-lattice-based KEM.
In EuroS&P, pages 353–367. IEEE, 2018.
[BKSW18] Zvika Brakerski, Elena Kirshanova, Damien Stehlé, and Weiqiang Wen. Learning with errors and extrapolated
dihedral cosets. In Public Key Cryptography (2), volume 10770 of Lecture Notes in Computer Science, pages
702–727. Springer, 2018.
[BLP+ 13] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehlé. Classical hardness of
learning with errors. In STOC, pages 575–584. ACM, 2013.
[Bri84] Ernest F Brickell. Solving low density knapsacks. In Advances in cryptology, pages 25–37. Springer, 1984.
[BS16] Jean-François Biasse and Fang Song. Efficient quantum algorithms for computing class groups and solving
the principal ideal problem in arbitrary degree number fields. In Proceedings of the Twenty-Seventh Annual
ACM-SIAM Symposium on Discrete Algorithms, pages 893–902. SIAM, 2016.
[BV11] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE.
In FOCS, pages 97–106. IEEE Computer Society, 2011.
[CCD+ 03] Andrew M Childs, Richard Cleve, Enrico Deotto, Edward Farhi, Sam Gutmann, and Daniel A Spielman.
Exponential algorithmic speedup by a quantum walk. In Proceedings of the thirty-fifth annual ACM symposium
on Theory of computing, pages 59–68, 2003.
[CDPR16] Ronald Cramer, Léo Ducas, Chris Peikert, and Oded Regev. Recovering short generators of principal ideals in
cyclotomic rings. In EUROCRYPT (2), volume 9666 of Lecture Notes in Computer Science, pages 559–585.
Springer, 2016.
[CEMM98] Richard Cleve, Artur Ekert, Chiara Macchiavello, and Michele Mosca. Quantum algorithms revisited.
Proceedings of the Royal Society of London. Series A: Mathematical, Physical and Engineering Sciences,
454(1969):339–354, 1998.
[CHL+ 23] Yilei Chen, Zihan Hu, Qipeng Liu, Han Luo, and Yaxin Tu. On the hardness of S|LWE⟩ with gaussian and
other amplitudes. CoRR, abs/2310.00644, 2023.
[CLZ22] Yilei Chen, Qipeng Liu, and Mark Zhandry. Quantum algorithms for variants of average-case lattice problems
via filtering. In EUROCRYPT (3), volume 13277 of Lecture Notes in Computer Science, pages 372–401.
Springer, 2022.
[Cop97] Don Coppersmith. Small solutions to polynomial equations, and low exponent RSA vulnerabilities. J. Cryptol.,
10(4):233–260, 1997.
[EHKS14] Kirsten Eisenträger, Sean Hallgren, Alexei Y. Kitaev, and Fang Song. A quantum algorithm for computing
the unit group of an arbitrary degree number field. In STOC, pages 293–302. ACM, 2014.
[FW98] Amir Fijany and Colin P Williams. Quantum wavelet transforms: Fast algorithms and complete circuits. In
NASA international conference on quantum computing and quantum communications, pages 10–33. Springer,
1998.
[Gen09] Craig Gentry. Fully homomorphic encryption using ideal lattices. In STOC, pages 169–178. ACM, 2009.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic
constructions. In STOC, pages 197–206, 2008.
[GR02] Lov Grover and Terry Rudolph. Creating superpositions that correspond to efficiently integrable probability
distributions. arXiv preprint quant-ph/0208112, 2002.
[Gra08] Loukas Grafakos. Classical fourier analysis. Springer, 2008.
[HPS98] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based public key cryptosystem. In
ANTS, volume 1423 of Lecture Notes in Computer Science, pages 267–288. Springer, 1998.
[Kan87] Ravi Kannan. Minkowski’s convex body theorem and integer programming. Mathematics of operations re-
search, 12(3):415–440, 1987.
[Kit95] Alexei Y. Kitaev. Quantum measurements and the abelian stabilizer problem. 1995.
[Kup05] Greg Kuperberg. A subexponential-time quantum algorithm for the dihedral hidden subgroup problem. SIAM
J. Comput., 35(1):170–188, 2005.

61
[Len83] Hendrik Willem Lenstra. Integer programming with a fixed number of variables. Mathematics of operations
research, 8(4):538–548, 1983.
[Liu09] Yi-Kai Liu. Quantum algorithms using the curvelet transform. In STOC, pages 391–400. ACM, 2009.
[LLL82] Arjen K Lenstra, Hendrik Willem Lenstra, and László Lovász. Factoring polynomials with rational coefficients.
Mathematische annalen, 261(ARTICLE):515–534, 1982.
[LO85] Jeffrey C Lagarias and Andrew M Odlyzko. Solving low-density subset sum problems. Journal of the ACM
(JACM), 32(1):229–246, 1985.
[Mah18] Urmila Mahadev. Classical homomorphic encryption for quantum circuits. In FOCS, pages 332–338. IEEE
Computer Society, 2018.
[MM11] Daniele Micciancio and Petros Mol. Pseudorandom knapsacks and the sample complexity of LWE search-to-
decision reductions. In CRYPTO, volume 6841 of Lecture Notes in Computer Science, pages 465–484. Springer,
2011.
[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Advances in
Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of
Cryptographic Techniques, Cambridge, UK, April 15-19, 2012. Proceedings, pages 700–718, 2012.
[MR07] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on Gaussian measure. SIAM
Journal on Computing, 37(1):267–302, 2007.
[MV13] Daniele Micciancio and Panagiotis Voulgaris. A deterministic single exponential time algorithm for most
lattice problems based on voronoi cell computations. SIAM J. Comput., 42(3):1364–1391, 2013.
[NC16] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information (10th Anniversary
edition). Cambridge University Press, 2016.
[NS99] Phong Q. Nguyen and Jacques Stern. The hardness of the hidden subset sum problem and its cryptographic
implications. In CRYPTO, volume 1666 of Lecture Notes in Computer Science, pages 31–46. Springer, 1999.
[NV08] Phong Q. Nguyen and Thomas Vidick. Sieve algorithms for the shortest vector problem are practical. J. Math.
Cryptol., 2(2):181–207, 2008.
[OtR85] A. M. Odlyzko and Herman J. J. te Riele. Disproof of the Mertens conjecture. J. Reine Angew. Math.,
357:138–160, 1985.
[Pap77] Athanasios Papoulis. Signal analysis. McGraw-Hill, 1977.
[Pei10] Chris Peikert. An efficient and parallel gaussian sampler for lattices. In CRYPTO, volume 6223 of Lecture
Notes in Computer Science, pages 80–97. Springer, 2010.
[PRS17] Chris Peikert, Oded Regev, and Noah Stephens-Davidowitz. Pseudorandomness of ring-lwe for any ring and
modulus. In STOC, pages 461–473. ACM, 2017.
[Reg04] Oded Regev. Quantum computation and lattice problems. SIAM J. Comput., 33(3):738–760, 2004.
[Reg09] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. J. ACM, 56(6):34:1–
34:40, 2009.
[Reg23] Oded Regev. An efficient quantum factoring algorithm. CoRR, abs/2308.06572, 2023.
[RS17] Oded Regev and Noah Stephens-Davidowitz. A reverse minkowski theorem. In STOC, pages 941–953. ACM,
2017.
[Sch87] Claus-Peter Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms. Theoretical computer
science, 53(2-3):201–224, 1987.
[Sha82] Adi Shamir. A polynomial time algorithm for breaking the basic merkle-hellman cryptosystem. In CRYPTO,
pages 279–288. Plenum Press, New York, 1982.
[Sho99] Peter W Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum
computer. SIAM review, 41(2):303–332, 1999.
[Sim97] Daniel R Simon. On the power of quantum computation. SIAM journal on computing, 26(5):1474–1483, 1997.
[Smi11] Julius O. Smith. Spectral Audio Signal Processing. https://ccrma.stanford.edu/~jos/sasp/Fourier_
Transform_Complex_Gaussian.html, 2011. online book, 2011 edition.
[Tit51] Edward Charles Titchmarsh. The theory of the Riemann zeta-function. Oxford university press, 1951.

62