Proof of Lemma 4.10: Let (Fq, Gq) = (Fq, Gq)∗+ (Fq, Gq)pro, here (Fq, Gq)∗ denotes
the projection of (Fq, Gq) orthogonally to the plain SpanK{(f, g)} = SpanQ{(f · −
→p 1, g· −
→p1),· · · ,(f·−→p
n, g·−→pn)}and (Fq, Gq)prodenotes the projection of (Fq, Gq) into SpanK{(f, g)}.
Then, (F, G) = (Fq, Gq)−r(f, g) := (Fq, Gq)∗+ (ef, eg) for some r ∈ R and ||(F, G)||2 =
||(Fq, Gq)∗||2+||(ef, eg)||2.
We first bound||(Fq, Gq)∗||. Note that||(Fq, Gq)∗|| ≤minr∈K||(Fq, Gq)−r(f, g)||, taking
r = f−1F
q (here f−1 is the inverse of f in K) shows that ||(Fq, Gq)∗|| ≤ ||(0, qf−1)|| =
q||f−1||. Here, we have used the fact Gq =qf−1+g(f−1Fq). By using Lemma 2.13 with
t=ω√(n) 2 , we have Prf←-DR,σ(||f −1|| ≥ ω(n 3 2) σ )≤o(1).
This remains the case when conditioning on (f, g) =R, since the probability that (f, g) =R
is bounded from below by a constant. Overall, we have||(Fq, Gq)∗|| ≤ q·ω
(n32)
σ holds except
To bound||(ef, eg)||, note that||(ef, eg)|| ≤ √
nl
2 · ||(f, g)||. By using Lemma 2.7, we can deduce that Prf,g←-DR,σ(||(f, g)|| ≤
√
2nσ)≥1−22−n. For the same reason as above, this
remains the case when conditioning on (f, g) =R. Overall, we get||(ef, eg)|| ≤ n √
l √
2σexcept with probability ≤o(1). The proof is finished.
Proof of Lemma4.11: We only need to bound the rejection probability of the algorithm by 1−cfor an absolute constantc for sufficient largen. Fori∈ {3,4,7}, we usepito represent
the rejection probability in Stepi, i.e. • p3is the probability that||f|| ≥
√
nσor||g|| ≥√nσwithf, g←- D×R,σ. • p4is the probability that (f, g)6=Rand||f||,||g||<
√
nσwithf, g←- D×R,σ. • p7 is the probability that ||(F, G)|| > nσ
√
l, (f, g) = R and ||f||,||g|| < √nσ with
f, g←- D×R,σ.
For i ∈ {3,4,7}, we define pi0 as pi except that f and g are independently sampled from
DR,σrather thanD×R,σ. Letpdenote the rejeciton probability in Step 1, then, by the union
bound, we have the rejection probability of Step 1 and 2 is≤2p. Hence, fori∈ {3,4,7}, we have pi≤
p0i
1−2p.
By Lemma 3.7 and the choice ofσ, we havep≤ 1
32ζk(2) for sufficient largen. Lemma 2.9 imply thatp03≤21−2n. The choice ofσ and Lemma 4.6 shows that p04≤1−2ζK1(2)+o(1). Finally, Lemma 4.10 impliesp07=o(1). Therefore, for sufficient largen, we havep03+p04+p07≤ 1− 1
4ζK(2). The total rejection probability satisfiesp3+p4+p7≤
p03+p04+p07 1−2p ≤1− 1 8ζK(2), as required.
E
Proof of Theorem
5.2
The setsDn andRn are obviously recognizable. Note thatη2−2n(R2)≤
q ln(4n(1+22n)) π · λn(R2) and λn(R2) =λ1(R2)≤ √ 2n·det21n(R2) = √ 2n·(|∆K|) 1 2n ≤ √ 2·n, we haves≥
η2−2n(R2) and Theorem 2.5 implies that such azcan be efficiently sampled inSampleDom. Further, Lemma 2.9 shows that||z||< s·√2nwith probability 1−2−4n.
To show property 2 of Definition 5.1, we apply Theorem 3.5 with δ = n−ω(1) to con- clude that except for a fraction ≤27n·q−2nε of (a
1, a2) ←- U((Rq×)2), we have ∆(a1z1−
a2z2;U(Rq)) ≤ 2δ with (z1, z2) ←- DR2,s. Since the map f : x 7→ a−21x is a bijection of Rq to itself, we have ∆(a1a−21z1 −z2;U(Rq)) = ∆(a1z1−a2z2;U(Rq)) ≤ 2δ. More-
over, when a1, a2 ←- U(R×q) are chosen independently, h = a −1
2 a1 ←- U(Rq×). We have
∆(hz1−z2;U(Rq))≤ 2δ with (z1, z2) ←- DR2,s, except for a fraction of ≤ 27n ·q−2εn of
h ∈ Rq×. Finally, by Theorem 4.12, the h generated by TrapGen is obtained by rejec- tion with constant rejection probability c <1 from a distribution within statistical distance 28nq−bεnc of U(R×q). It follows that ∆(hz1−z2;U(Rq))≤2δ with (z1, z2)←- DR2,a except
with probability ≤ 1 1−c ·(2
7nq−2εn+ 28nq−bεnc) =q−Ω(n) over the choice of the public key
h, as required.
To show properties 3 and 5 of Definition 5.1, we first observe that, for any fixed t∈Rq,
ρs(z)
ρs(Λqh+c)
= DΛqh+c,s(z) with c = (1, h−t). Second, sample a vector z ←- DΛqh+c,s is
equivalent to sample a vector z0 ←- D
Λqh,s,−c and add a vector c. One of Z-bases of Λ
q h is
(f, g)−→p1,· · ·,(f, g)−→pn; (F, G)−→p1,· · ·,(F, G)−→pn. Moreover, since for any i ∈ [n], we have
||−→pi||∞= 1,||(f, g)−→pi|| ≤ ||−→pi||∞· ||(f, g)||<
√
2n·σand||(F, G)−→pi|| ≤n·σ·
√
l. Theorem 2.5 implies we can efficiently get a sample from DΛqh+c,s for any s ≥ n
3
2 ·σ·ω(logn).
This proved the property 3. Note that η2−2n(Λqh) ≤
q ln(2n(1+22n)) π · √ 2n·det21n(Λq h) ≤
n1.5·q12 ·ln0.5n≤s forn≥500. Lemma 2.11 indicates thatDΛq
h,s,−c(x)≤ 1+2−2n 1−2−2n ·2−
2n
for anyx∈Λqh. Property 5 is also satisfied except with probability q−Ω(n)over the choice of the public keyhby Theorem 4.12 and the proof of property 2.
At the end, we show property 6 of Definition 5.1. LetAbe a collision-finding algorithm for NTRUCRPSF with running time poly(n) and has advantageδ=poly(1n)over the choice of the public keyhand the randomness ofA. By Theorem 4.12, the success probability ofAover the the choice ofh←- U(R×q) and the randomness ofAis at leastδ0 = (1−c)δ−28nq−bεnc=
1
poly(n). We construct an algorithm for R-SISq,2,β with β = 2
√
2n·s. It works as follows: on input (a1, a2) ←- U(R2q), if (a1, a2) ∈/ (R×q)
2, aborts. Otherwise, B calls A on input
h=a−21a1. IfAsucceeds, it outputs (z1, z2)6= (z01, z20) with||(z1, z2)||,||(z10, z20)||< √
2n·s
such thata1(z1−z10) +a2(z20−z2) = 0 modqR. ThenBoutputsw= (z1−z10, z02−z2). Note thatw is a valid solution of R-SISq,2,β. Condition on (a1, a2)∈(R×q)2, the distribution ofh
given toAisU(R×q) and thusAsucceeds with probability≥δ0. Since (a1, a2)∈(R×q)2 with
probability ≥1−2n
q , it follows thatBsucceeds with probability≥(1−
2n q )δ
0 = 1