Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Open Access

Peer-reviewed

Research Article

New bounds of the smoothing parameter for lattices

  • Heng Guo,

    Roles Methodology, Validation, Writing – original draft, Writing – review & editing

    Current address: School of Mathematics, Renmin University of China, Beijing, China

    Affiliations School of Mathematics, Renmin University of China, Beijing, China, School of Interdisciplinary Studies, Renmin University of China, Beijing, China

  • Fengxia Liu,

    Roles Methodology, Validation, Writing – review & editing

    Current address: Great Bay University, Dongguan, Guangdong, China

    Affiliation Great Bay University, Dongguan, Guangdong, China

  • Linlin Wang,

    Roles Methodology, Validation, Writing – review & editing

    Current address: Institute of Mathematics, Henan Academy of Sciences, Zhengzhou, Henan, China

    Affiliation Institute of Mathematics, Henan Academy of Sciences, Zhengzhou, Henan, China

  • Kun Tian

    Roles Methodology, Validation, Writing – review & editing

    tkun19891208@ruc.edu.cn

    Current address: School of Mathematics, Renmin University of China, Beijing, China

    Affiliation School of Mathematics, Renmin University of China, Beijing, China

Abstract

The smoothing parameter on lattices is crucial for lattice-based cryptographic design. In this study, we establish a new upper bound for the lattice smoothing parameter, which represents an improvement over several significant classical findings. For one-dimensional integer lattices, under specific and optimized conditions, we have achieved a more precise upper bound compared to previous research. Regarding general high-dimensional lattices, when the lattice dimension is large enough and the error parameter is within a particular range, we have derived a new upper bound. In the practical applications of lattice-based cryptography, where the lattice dimension is typically large, our new bound enables a more natural and smaller setting for the error parameter, thereby improving the upper bounds on all known smoothing parameters.

Citation: Guo H, Liu F, Wang L, Tian K (2025) New bounds of the smoothing parameter for lattices. PLoS One 20(7): e0328688. https://doi.org/10.1371/journal.pone.0328688

Editor: Yun Shang, Chinese Academy of Sciences Academy of Mathematics and Systems Science, CHINA

Received: September 15, 2024; Accepted: July 5, 2025; Published: July 24, 2025

Copyright: © 2025 Guo et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All data are in the manuscript and/or Supporting information files.

Funding: This work was supported by Information Security School-Enterprise Joint Laboratory (Dongguan Institute for Advanced Study, Great Bay University, No. H24120002) and Major Project of Henan Province (No. 225200810036). The funders had no role in the study design, data collection, or manuscript preparation.

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

In recent decades, the concept of a lattice has played a crucial role in post-quantum cryptography [1]. An n-dimensional (full-rank) lattice can be regarded as a discrete additive subgroup of or a -module. Specifically, a lattice can be written as

where is a matrix composed of n linearly independent vectors, known as the generating matrix of lattice , and is called a basis for the lattice. The dual lattice of a lattice is defined as:

Lattice-based cryptography relies on the assumption that certain problems on lattices in are hard, which serves as the cornerstone of secure cryptographic systems. Two of the most typical hard problems are the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). It is currently believed that hard problems on lattices can effectively withstand quantum attacks. As a result, public-key cryptosystems based on lattice-based hard problems have become fundamental approaches and technologies in the field of post-quantum cryptography.

In lattice-based cryptography research, the discrete Gaussian measure defined on lattices is a highly important analytical tool. The discrete Gaussian measure was first used for this purpose by Regev and Micciancio [2,3] and was also developed on the basis of Banaszczyk’s proof of the transference theorems [46]. In [3], Micciancio and Regev defined an important concept related to the discrete Gaussian measure: the smoothing parameter . For any arbitrary n-dimensional lattice and any given , the smoothing parameter of lattice is defined as:

where is the discrete Gaussian distribution, which is defined formally in Definition 4. With the advancement of lattice cryptography, the smoothing parameter plays an increasingly crucial role in lattice sampling and hardness reductions (for details, see [3,710]). It can be argued that the concept of the smoothing parameter is equally important to the shortest vector, the successive minima of a lattice, and the covering radius.

In the study of smoothing parameters, one of the most important tasks is the estimation of bounds for the smoothing parameter. This is because, in lattice-based cryptography, improving the upper bound of the smoothing parameter generally enhances the security proofs of cryptographic systems and optimizes parameter settings, thereby improving the efficiency of cryptographic schemes (for details, see [3,7,8,10]). The originators of the smoothing parameter, Regev and Micciancio, first provided two estimation results in [3]. The first one is: for any lattice ,

where . In [11] (see Chapter 1), Zheng and Tian provided two tighter results under the same conditions:

where . Regev and Micciancio provided the second non-trivial but very important conclusion in [3]:

(1)

where is the n-th successive minimum. Subsequently, in [12], Peikert combined the conclusion from Banaszczyk [5] to provide a tighter bound for under the -norm:

(2)

Let be a basis of , is the Gram-Schmidt orthogonalization of Define as :

In [8], Gentry, Peikert, and Vaikuntanathan established the result

thus, they derived a new bound:

(3)

Among (1), (2), and (3), it is evident that (2) provides the best estimate.

In recent research [13], Zhongxiang Zheng, Guangwu Xu, and Chunhuan Zhao derived an estimate of the smoothing parameter for the one-dimensional integer lattice :

(4)

with . Next, they established a relationship between the one-dimensional integer lattice and a general lattice , achieving significant improvements when :

(5)

In other works [10,1417], Kai-Min Chung et al. approximated the complexity of the smoothing parameter within a constant factor [15]. Thomas Espitau et al. [10], Wei et al. [14], Elena Kirshanova et al. [16], and Zheng Zhiyong et al. [17] provided corresponding bounds for the smoothing parameter for certain special lattices. Each of these results has had a significant impact in its respective article.

Contributions. In this paper, we obtain a new upper bound. First, for the one-dimensional integer lattice , when , where , we have:

Secondly, for a general n-dimensional lattice , when n is sufficiently large such that , we have:

Our results outperform those in [8] and [13], and a detailed discussion will be presented in the section entitled "Comparative Analysis of Smoothness Parameter Bounds".

It is worth noting that, in our proof process, we can derive the following relationship between a general n-dimensional lattice and the n-dimensional integer lattice :

Furthermore, we can prove that for the smoothing parameter of the n-dimensional integer lattice , under the same conditions,

Organization. The rest of the paper is organized as follows. In the second section, we introduce the necessary basic concepts and preliminary knowledge. In Sect 3, we present the new upper bounds for the smoothing parameter of the one-dimensional integer lattice, of the n-dimensional integer lattice, and of the general n-dimensional lattice. Sect 4 presents a comparison of numerical results. The final part is a summary.

2 Preliminaries

2.1 General notation

The bold capital represents the integer ring. The symbol denotes the n-dimensional real linear space. Lowercase letters in bold, such as and b, represent vectors in . The standard inner product in is denoted by . The Euclidean norm of a vector is

For any , if denote its columns, then we define

Let denote the unit ball in , that is . A lattice is a discrete geometry in , in other words, there is a positive constant , and a nonzero vector such that

We call the ith successive minimum distance of lattice if

For any lattice with basis matrix B whose columns are , the set

is the basic neighborhood of the lattice . Therefore, a basic neighborhood of a lattice is the set of representative elements of the additive quotient group , and any basic neighborhood of an arbitrary lattice forms an additive group . Let the determinant of the lattice be and the volume of basic neighborhood be , then . If f(x) is a function defined on and is a countable set, denote

2.2 Discrete Gaussian measure and related conclusions

In this subsection, we will directly provide the definition and related properties of the discrete Gaussian measure, which will play an important role in the third section.

Definition 1. Let s>0 be a given positive real number, be a given vector. With c as the center, the Gaussian function with parameter s is defined as:

Definition 2. If , the Fourier transform of is defined as:

The following are some of the most commonly used and basic properties of the Fourier transform [11].

Lemma 3. If , , and , then

(1)

(2) If , then

(3) If , , then

Therefore, the Fourier transform of the Gaussian functions and is: and , respectively.

Definition 4. Let and s>0 be a given positive real number, be a given vector. The discrete Gaussian measure defined on lattice is:

In other words, represents the probability of a single lattice point. Below we provide two very useful lemmas, which are proved in detail in [11].

Lemma 5. If , and the following two conditions are satisfied:

(1) converges uniformly with respect to c in any closed region of ;

(2) Assume that the series converges. Then we have

Lemma 6. For any n-dimensional lattice , s>0, , there is .

3 New upper bound on smoothing parameter

In this section, we will prove the new upper bound on smoothing parameters. Following [13], we begin with the one-dimensional integer lattice and then extend to the general lattice .

3.1 New upper bound on the smoothing parameter for the integer lattice

In [13], Zheng et al. provide the relationship between for general lattices and for the one-dimensional integer lattice , emphasizing the importance of determining an upper bound for . Additionally, in lattice sampling, the one-dimensional integer lattice serves as a basis for sampling higher-dimensional lattices, as detailed in [10,1822]. Therefore, achieving a more accurate computation of will be of considerable importance.

Let’s start with a few lemmas.

Lemma 7. If , then . Furthermore, if , then .

Proof: Since is a self-dual lattice, according to the definition of the smoothing parameter, . If

then, , which implies . Furthermore, if , then , which means , and thus .

Lemma 8. If x>0, then

Proof: To prove that for x>0 is equivalent to proving that . We define the function f(x) = exex for x>0. Taking the derivative of f(x), we get:

Thus, when x>1, , and when , . This shows that f(x) is decreasing for and increasing for x>1, which implies that f(x) attains its minimum value at x = 1. Therefore, , which leads to the conclusion that for x>0, .

Lemma 9. If , and , then

(6)

Proof: To prove (6), it is equivalent to proving

which means proving:

According to Lemma 8, when x > 0, it holds that . Therefore,

The last equality holds because, by the assumption , we have , which implies . This completes the proof.

We will now directly prove our result. Compared to the method in [13], our proof is more optimized and concise.

Theorem 10. Let . When , we have:

Proof: Let . It is evident that . When , we have . Let . We will now prove that

(7)

Substitute into the expression, and let , where . Then,

When , we have

Therefore,

Note that the coefficient of the term on the right side of the inequality is exactly 64. Therefore, (7) holds.

According to Lemma 9, when , it follows that

Therefore,

Proof complete.

Remark 1.

(1) Compared to (4), our conclusions improve for the same choice of when m>44.

(2) Additionally, since m can vary, our results also have a broader applicability in the estimation of one-dimensional integer lattice smoothing parameters.

As an application of Theorem 10, we derive a new upper bound for the smoothing parameter of a general one-dimensional lattice .

Corollary 11. Let , and . For with , then for any one-dimensional lattice , we have

Proof: The dual lattice of a one-dimensional lattice is . By the definition of the smoothing parameter,

By following the proof process of Theorem 10, we obtain

At the end of this subsection, we note that the formal upper bound of the smoothing parameter for the n-dimensional integer lattice can be derived from Theorem 10, and which provides a basis for finding a more precise upper bound for in the next section.

Corollary 12. Let , then:

where

Proof: In Theorem 10, by setting m = 3, and for , we have

Note that is also self-dual, and the series appearing in the following equations are all absolutely convergent. Therefore,

Let then . When , then , Therefore

3.2 The new upper bound on the smoothing parameter for the n-dimensional integer lattice and general lattice

This subsection mainly presents two results. Firstly, it provides a new upper bound for the smoothing parameter of the n-dimensional integer lattice (Theorem 15). Secondly, we obtain that and satisfy a certain inequality (Lemma 16), which allows us to derive a new upper bound for the smoothing parameter of a general lattice (Theorem 17).

For readability, we will reintroduce some of the notation.

Let be a basis for the lattice . represents the Gram-Schmidt orthogonalization of this basis, i.e.,

Then, there exists an upper triangular matrix

such that

Define as

Before proving the result, let us first present some necessary lemmas.

Lemma 13. If , k is a positive integer, and , then

Proof: Let , Then,

Since , then , hence , thus .

Note that , thus,

So, is monotonically decreasing. Furthermore, since , it follows that , thus f(x) is also monotonically decreasing. Since , it follows that . That is, we have:

Lemma 14. If , n is a positive integer, then

Proof: Please note that the following equation holds true:

Therefore, combining the equation and Lemma 13, we have:

Next, we can provide a more precise upper bound for the smoothing parameter of the n-dimensional integer lattice .

Theorem 15. When n is sufficiently large such that , then

Proof: In Theorem 10, let m = 8. Then, when , we have

According to the definition of the smoothing parameter, then

Let . Then, according to Lemma 14, we have . Next, we will prove that when , we have .

Therefore, if

then

Therefore,

The following lemma shows the relationship between the smoothing parameter of an n-dimensional integer lattice and the smoothing parameter of a general lattice .

Lemma 16. If is n-dimensional full-rank lattice, then

Proof: Assume , where , and

Let . By the definition of a lattice, there exist integers , such that . Combining the equation , we obtain

Let , then

Therefore, according to Lemma 6, we conclude that:

According to Lemma 5, we have

Let i0 be such that . Then,

When , it follows that . Therefore, when , we have

Thus, we have . The proof is complete

Theorem 17. Let be a full-rank lattice. When n is sufficiently large such that , then

(8)

Proof: According to Lemma 16, it directly follows that

4 Comparative analysis of smoothness parameter bounds

In this section, we will illustrate, through some numerical comparisons, that the upper bound on the smoothing parameter (Eq (8)) obtained by us is superior to the results in References [8] and [13] (that is, Eqs (3) and (5)).

Theoretically, when and , all three values will approach . Therefore, the differences among them can be neglected at this time.

In lattice-based cryptographic constructions, the parameter n typically takes values within [512,8192] (see [10,2325]). Since most practical schemes require and to minimize (where ), we focus specifically on n is equal to 2048, 4096, and 8192. This selection is also practically motivated.

As shown in Table 1 (the numerical results are provided in detail in Supporting Information S1_Table), after removing a common factor , when is set to 0.11, 0.22 and 0.33 respectively, our results outperform those in [13] and [8] in terms of numerical precision. Specifically, compared with [8], our results exhibit a more pronounced -sensitivity at fixed values of n—as the error increases, the performance advantage grows. This implies that our results are more applicable in scenarios where higher errors are tolerable. Although in comparison with [13], our method does not maintain a significant advantage across all combinations of parameters and n it has achieved a systematic improvement in numerical precision. Based on this, our results can serve as an effective alternative estimator to [13] for the parameter configuration requirements of high-dimensional lattice-based cryptosystems.

thumbnail
Download:
Table 1. Comparison of smoothing parameter bounds.

https://doi.org/10.1371/journal.pone.0328688.t001

In summary, for the common parameter range () in high-dimensional lattice-based cryptographic systems, our method significantly outperforms Reference [8] in terms of numerical precision and achieves systematic improvements compared with Reference [13]. It provides better theoretical support for practical applications.

5 Conclusion

The smoothing parameter was proposed by Micciancio and Regev[3] as a technical tool useful for proving reductions between hard problems on lattices. Since then, it has played a central role in the analysis of lattice-based cryptographic constructions. In this paper, we derive new upper bounds for the smoothing parameter on lattices.

We first consider the case of the one-dimensional integer lattice , and under certain conditions, we present a more refined upper bound for the smoothing parameter of the one-dimensional integer lattice (see Theorem 10). Then, by establishing an inequality relationship between the smoothing parameters of general n-dimensional lattices and n-dimensional integer lattices, we extend this result to general n-dimensional lattices, and obtain an improved upper bound for the smoothing parameter of general lattices (see Theorem 17). Our results improve upon prior results in the regime of parameters relevant for lattice-based cryptography.

There is still much work that can be attempted regarding the estimation of the upper bounds of the smoothing parameter of lattices. For example, in this paper, how to make the value of not be restricted by n without relaxing the bounds. Secondly, how to obtain a more refined upper bound for the smoothing parameter of general n-dimensional lattices through other mathematical methods. Or whether better results can be obtained on some special lattices, such as integer lattice .

Supporting information

S1 Table. MATLAB code for calculating the data in Table 1.

https://doi.org/10.1371/journal.pone.0328688.s001

(PDF)

Acknowledgments

The authors express their gratitude for the support of the School of Interdisciplinary Studies, Renmin University of China in proposing this work.

References

  1. 1. Peikert C. A decade of lattice cryptography. FNT Theor Comput Sci. 2016;10(4):283–424.
  2. 2. Regev O. New lattice-based cryptographic constructions. J ACM. 2004;51(6):899–942.
  3. 3. Micciancio D, Regev O. Worst-case to average-case reductions based on Gaussian measures. SIAM J Comput. 2007;37(1):267–302.
  4. 4. Banaszczyk W. New bounds in some transference theorems in the geometry of numbers. Mathematische Annalen. 1993;296:625–35.
  5. 5. Banaszczyk W. Inequalities for convex bodies and polar reciprocal lattices in R n. Discrete Comput Geom. 1995;13(2):217–31.
  6. 6. Banaszczyk W. Inequalities for convex bodies and polar reciprocal lattices in R n II: application of K-convexity. Discrete Comput Geom. 1996;16(3):305–11.
  7. 7. Regev O. On lattices, learning with errors, random linear codes, and cryptography. J ACM. 2009;56(6):1–40.
  8. 8. Gentry C, Peikert C, Vaikuntanathan V. Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing. 2008. p. 197–206. https://doi.org/10.1145/1374376.13744
    • 9. Gentry C. Toward basing fully homomorphic encryption on worst-case hardness. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer; 2010. p. 116–37. https://doi.org/10.1007/978-3-642-14623-7_7
      • 10. Espitau T, Wallet A, Yu Y. On gaussian sampling, smoothing parameter and application to signatures. In: International Conference on the Theory and Application of Cryptology and Information Security. Singapore: Springer; 2023. p. 65–97. https://doi.org/10.1007/978-981-99-8739-9_3
        • 11. Zheng Z, Liu F, Tian K. Modern cryptography volume 2– A classical introduction to informational and mathematical principle. Singapore: Springer; 2023.
          • 12. Peikert C. Limits on the Hardness of Lattice Problems in p Norms. Comput Complex. 2008;17(2):300–51.
          • 13. Zheng Z, Zhao C, Xu G. Discrete Gaussian measures and new bounds of the smoothing parameter for lattices. AAECC. 2020;32(5):637–50.
          • 14. Wei W, Tian C, Wang X. New transference theorems on lattices possessing n-unique shortest vectors. Discrete Math. 2014;315–316:144–55.
          • 15. Chung K-M, Dadush D, Liu F-H, Peikert C. On the lattice smoothing parameter problem. In: 2013 IEEE Conference on Computational Complexity. 2013. p. 230–41. https://doi.org/10.1109/ccc.2013.31
            • 16. Kirshanova E, Nguyen H, Stehlé D, Wallet A. On the smoothing parameter and last minimum of random orthogonal lattices. Des Codes Cryptogr. 2020;88(5):931–50.
            • 17. Zheng Z, Liu F, Lu Y, et al. Cyclic lattices, ideal lattices, and bounds for the smoothing parameter. International forum on financial mathematics and financial technology. Singapore: Springer; 2021. p. 129–53.
              • 18. Peikert C. An efficient and parallel Gaussian sampler for lattices. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer; 2010. p. 80–97. https://doi.org/10.1007/978-3-642-14623-7_5
                • 19. Micciancio D, Walter M. Gaussian sampling over the integers: efficient, generic, constant-time. Lecture Notes in Computer Science. Springer; 2017. p. 455–85. https://doi.org/10.1007/978-3-319-63715-0_16
                  • 20. Pöppelmann T, Ducas L, Güneysu T. Enhanced lattice-based signatures on reconfigurable hardware. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer; 2014. p. 353–70. https://doi.org/10.1007/978-3-662-44709-3_20
                    • 21. Zheng Z, Wang X, Xu G, Zhao C. Error estimation of practical convolution discrete Gaussian sampling with rejection sampling. Sci China Inf Sci. 2021;64(3):139104.
                    • 22. Bennett H, Ganju A, Peetathawatchai P. Just how hard are rotations of Zn? Algorithms and cryptography with the simplest lattice. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2023. p. 252–81. https://doi.org/10.1007/978-3-031-30589-4_9
                      • 23. Espitau T, Fouque PA, Rossi M, et al. MITAKA: a simpler, parallelizable, maskable variant of FALCON. Annual International Conference on the Theory and Applications of Cryptographic Techniques. Cham: Springer; 2022: 222–53. https://doi.org/10.1007/978-3-031-07082-2_9
                        • 24. Ducas L, Postlethwaite EW, Pulles LN, et al. Hawk: module LIP makes lattice signatures fast, compact and simple. International Conference on the Theory and Application of Cryptology and Information Security. Cham: Springer; 2022. p. 65–94. https://doi.org/10.1007/978-3-031-22972-5_3
                          • 25. Espitau T, Niot G, Sun C. Square unstructured integer euclidean lattice signature. In: Submission to the NIST’s post-quantum cryptography standardization process. 2023. https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/Squirrels-spec-web.pdf