Exploiting the Symmetry of \(\mathbb {Z}^n\): Randomization and the Automorphism Problem

Abstract

\(\mathbb {Z}^n\) is one of the simplest types of lattices, but the computational problems on its rotations, such as \(\mathbb {Z}\)SVP and \(\mathbb {Z}\)LIP, have been of great interest in cryptography. Recent advances have been made in building cryptographic primitives based on these problems, as well as in developing new algorithms for solving them. However, the theoretical complexity of \(\mathbb {Z}\)SVP and \(\mathbb {Z}\)LIP are still not well understood.

In this work, we study the problems on rotations of \(\mathbb {Z}^n\) by exploiting the symmetry property. We introduce a randomization framework that can be roughly viewed as ‘applying random automorphisms’ to the output of an oracle, without accessing the automorphism group. Using this framework, we obtain new reduction results for rotations of \(\mathbb {Z}^n\). First, we present a reduction from \(\mathbb {Z}\)LIP to \(\mathbb {Z}\)SCVP. Here \(\mathbb {Z}\)SCVP is the problem of finding the shortest characteristic vectors, which is a special case of CVP where the target vector is a deep hole of the lattice. Moreover, we prove a reduction from \(\mathbb {Z}\)SVP to \(\gamma \)-\(\mathbb {Z}\)SVP for any constant \(\gamma = O(1)\) in the same dimension, which implies that \(\mathbb {Z}\)SVP is as hard as its approximate version for any constant approximation factor. Second, we investigate the problem of finding a nontrivial automorphism for a given lattice, which is called LAP. Specifically, we use the randomization framework to show that \(\mathbb {Z}\)LAP is as hard as \(\mathbb {Z}\)LIP. We note that our result can be viewed as a \(\mathbb {Z}^n\)-analogue of Lenstra and Silverberg’s result in [JoC2017], but with a different assumption: they assume the G-lattice structure, while we assume the access to an oracle that outputs a nontrivial automorphism.

Appendices

Appendix A Proof of the Toy Example

With respect to the oracle \(\mathcal {O}\), the rotated square is determined by the angle \(\theta \) between the line connecting its vertex on the first quadrant to the origin O and the positive direction of the x-axis. Denoted the rotated square by \(\square _{\theta },\theta \in [0,\frac{\pi }{2})\). Note we can regard \(\theta \) as functional of \(\rho \), and write \(\theta [\rho ]=\theta [\rho +\frac{\pi }{2}]\). We’ll show that,

$$\text {Pr}_{\rho \leftarrow G}[\rho ^{-1}\mathcal {O}(\square _{\theta [\rho ]})=i]=\frac{1}{4},\,\forall i\in \mathbb {Z}/4\mathbb {Z}.$$

Proof

For any \(i\in \mathbb {Z}/4\mathbb {Z}\), \(\text {Pr}_{\rho \leftarrow G}[\rho ^{-1}\mathcal {O}(\square _{\theta [\rho ]})=i]\) is a functional about \(\rho \) which is a distribution on \(G=\mathbb {R}/2\pi \mathbb {Z}\). Then we have

$$\begin{aligned} \text {Pr}_{\rho \leftarrow G}[\rho ^{-1}\mathcal {O}(\square _{\theta [\rho ]})=i]&= \text {Pr}_{\rho \leftarrow G}[\mathcal {O}(\square _{\theta [\rho ]})=\rho (i)]\\ &=\text {Pr}_{_{\rho +\frac{\pi }{2} \leftarrow G}}[\mathcal {O}(\square _{\theta [\rho +\frac{\pi }{2}]})=(\rho +\frac{\pi }{2})(i)]\\ &=\text {Pr}_{_{\rho +\frac{\pi }{2} \leftarrow G}}[\mathcal {O}(\square _{\theta [\rho ]})=\rho (i+1)]\\ &=\text {Pr}_{_{\rho \leftarrow G}}[\mathcal {O}(\square _{\theta [\rho ]})=\rho (i+1)]. \end{aligned}$$

This means \(\forall i\in \mathbb {Z}/4\mathbb {Z},\,\text {Pr}_{\rho \leftarrow G}[\rho ^{-1}\mathcal {O}(\square _{\theta [\rho ]})=i]=\frac{1}{4}.\)    \(\square \)

Appendix B Proof of the Property of the Characteristic Vectors

Lemma 2.6. Assume \(\textbf{B}=(\textbf{b}_1,...,\textbf{b}_n)\) is a basis of \(\mathcal {L}\) and \(\textbf{B}^{-\top } = (\textbf{d}_1,...,\textbf{d}_n)\), then it has:

1. 1)

   \(\textbf{w}=\sum _{i=1}^n\left\| \textbf{d}_i\right\| ^2 \textbf{b}_i\) is a characteristic vector of \(\mathcal {L}\).

2. 2)

   \(\chi (\mathcal {L}) = \textbf{w}+2\mathcal {L}\) for any characteristic vector \(\textbf{w} \in \chi (\mathcal {L})\).

3. 3)

   \(\textbf{w}\) is a characteristic vector if and only if \(\langle \textbf{w}, \textbf{b}_i \rangle \equiv \langle \textbf{b}_i, \textbf{b}_i \rangle \mod 2 \) for \(i\in [n]\).

Proof

1. 1)

   Let \(\textbf{v}=\sum _{i=1}^{n} v_i \textbf{d}_i \in \mathcal {L}(\textbf{B})\), then \(\langle \textbf{w},\textbf{v}\rangle =\langle \sum _{i=1}^n\left\| \textbf{d}_i\right\| ^2 \textbf{b}_i, \sum _{i=1}^{n} v_i \textbf{d}_i \rangle \) \(= \sum _{i=1}^{n}v_i \left\| \textbf{d}_i\right\| ^2 \equiv \sum _{i=1}^{n}v^2_i\left\| \textbf{d}_i\right\| ^2 \equiv \langle \textbf{v},\textbf{v}\rangle \text { mod } 2\), we used \(v_i\equiv v^2_i \text { mod } 2\). Thus \(\textbf{w}\) is a characteristic vector.

2. 2)

   Assume \(\textbf{w}\) is a characteristic vector of \(\mathcal {L}\), then for any \(\textbf{x} \in \mathcal {L}\), \(\textbf{w}+2\textbf{x}\) is also a characteristic vector of \(\mathcal {L}\), because \(\langle \textbf{w}+2\textbf{x}, \textbf{v} \rangle = \langle \textbf{w},\textbf{v} \rangle + 2\langle \textbf{x}, \textbf{v} \rangle \equiv \langle \textbf{w},\textbf{v} \rangle \equiv \langle \textbf{v},\textbf{v} \rangle \text { mod } 2\). On the other hand, if \(\textbf{w}'=\sum _{i=1}^{n} a_i \textbf{b}_i \in \chi (\mathcal {L})\), then \(a_i=\langle \textbf{w}',\textbf{d}_i \rangle \equiv \langle \textbf{d}_i,\textbf{d}_i \rangle = \left\| \textbf{d}_i\right\| ^2 \text { mod } 2\), thus for any \(i \in [n]\), \(a_i \equiv \left\| \textbf{d}_i\right\| ^2 \text { mod } 2\) and we know \(\textbf{w}=\sum _{i=1}^n\left\| \textbf{d}_i\right\| ^2 \textbf{b}_i\in \chi (\mathcal {L})\), thus \(\textbf{w}'=\textbf{w}+2\mathcal {L}\). Thus \(\chi (\mathcal {L})\) is a coset of \(\textbf{w}+2\mathcal {L}\), where \(\textbf{w}\) is any element in \(\chi (\mathcal {L})\).

3. 3)

   Obviously, if \(\textbf{w}\in \chi (\mathcal {L})\), \(\forall \, i\in [n],\, \langle \textbf{w}, \textbf{b}_i \rangle \equiv \langle \textbf{b}_i, \textbf{b}_i \rangle \text { mod } 2 \). On the other hand, if \(\textbf{w}\in \mathcal {L}\) satisfying \(\forall \, i\in [n],\, \langle \textbf{w}, \textbf{b}_i \rangle \equiv \langle \textbf{b}_i, \textbf{b}_i \rangle \text { mod } 2 \). Then for any \(\textbf{v}=\sum ^{n}_{i=1} v_i \textbf{b}_i \in \mathcal {L}\), without loss of generality, assume \(v_i \equiv 1 \text { mod } 2\) for \(1 \le i \le k\), and \(v_i \equiv 0 \text { mod } 2\) for \(k+1 \le i \le n\). Thus we have \(\langle \textbf{w}, \textbf{v} \rangle \equiv \langle \textbf{w}, \textbf{b}_1+\ldots + \textbf{b}_k \rangle \equiv \sum _{i=1}^{k}\langle \textbf{w}, \textbf{b}_i \rangle \equiv \sum _{i=1}^{k} \langle \textbf{b}_i, \textbf{b}_i \rangle \equiv \langle \textbf{v}, \textbf{v} \rangle \text { mod } 2 \).   \(\square \)

Lemma 2.7. Suppose \(\mathcal {L} \cong \mathbb {Z}^n \). Assume \(\textbf{B}=\textbf{O}\textbf{U}\) is a basis of \(\mathcal {L}\), where \(\textbf{O}\in {O}_n(\mathbb {R})\) and \(\textbf{U}\in GL_n(\mathbb {Z}^n)\). Then it has:

1. 1)

   \(\chi (\mathcal {L}) =\{\textbf{O}\textbf{z} : \textbf{z}\in \mathbb {Z}^n \text { such that } \textbf{z}_i \equiv 1 \mod 2, \forall i \in [n] \}\).

2. 2)

   The shortest characteristic vectors are exactly \(\{\textbf{O}\textbf{z} : \textbf{z}_i=\pm 1, \forall i \in [n] \}\).

Proof

1. 1)

   Let \(\textbf{O}=(\textbf{v}_1,\ldots ,\textbf{v}_n)\) and \(\textbf{w}=\textbf{B}(\textbf{U}^{-1}\textbf{z})=\textbf{O}\textbf{z}\), where \(\textbf{z}\in \mathbb {Z}^n\) is the vector that \(\forall i\in [n],\, z_i=1\). Note that \(\mathcal {L}=\textbf{O}\cdot \mathbb {Z}^n\). Thus assume \(\textbf{v}=\sum _{i=1}^{n}a_i\textbf{v}_i\), then \(\langle \textbf{w},\textbf{v}\rangle =\sum _{i=1}^{n}a_iz_i\equiv \sum _{i=1}^{n}a^2_i=\langle \textbf{v},\textbf{v}\rangle \text { mod } 2\), where we used \(a^2_i\equiv a_i\text { mod } 2\) and \(z_i\equiv 1 \text { mod } 2\). Thus \(\textbf{w}\in \chi (\mathcal {L})\), so \(\chi (\mathcal {L}) =\{\textbf{O}\textbf{z} : \textbf{z}\in \mathbb {Z}^n \text { such that } \textbf{z}_i \equiv 1 \mod 2, \forall i \in [n] \}\).

2. 2)

   Note that \(\textbf{O}\) is an orthogonal matrix, thus the shortest characteristic vectors are \(\{\textbf{O}\textbf{z} : \textbf{z}_i=\pm 1, \, \forall \,i \in [n] \}\) by 1).   \(\square \)

Appendix C Proof of Lemma 4.6

Proof

Let \(\mathcal {D}\) be the set of \(n \times n\) diagonal matrices whose diagonal entries are \(\pm 1\). Then \(\mathcal {D}\) forms a subgroup of \(\mathcal {S}^{\pm }_n\), and \(\mathcal {S}^{\pm }_n\) is the semidirect product of \(\mathcal {D}\) and \(\mathcal {S}_n\).⁶ For \(\phi _0 \in {{\text {Aut}}(\mathcal {L})}\) and \(\phi _0 \sim \textbf{T}_{k_1,k_2,l}\), let \(\textbf{O} \in \mathcal {O}_n(\mathbb {R})\) such that \(\mathcal {L} = \textbf{O} \mathbb {Z}^n \), then it has \(\mathfrak {C}_{\phi _0} = \{ \textbf{O} \textbf{T} \textbf{T}_{k_1,k_2,l} \textbf{T} ^{-1} \textbf{O} ^{-1} : \textbf{T} \in \mathcal {S}^{\pm }_n \}\). Denote \(\textbf{y} = \textbf{O} ^{-1} \textbf{x} = (x_1,\cdots ,x_n)\).⁷

For \(k = 1\), it has

$$\begin{aligned} g_1(\textbf{x}) = \mathbb {E}[{\langle \phi \textbf{x},\textbf{x} \rangle }] & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{T} \in \mathcal {S}^{\pm }_n} {\langle \textbf{O} \textbf{T} \textbf{T}_{k_1,k_2,l} \textbf{T} ^{-1} \textbf{O} ^{-1} \textbf{x},\textbf{x} \rangle } \\ & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{O} \textbf{P} \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{P} ^{-1} \textbf{O} ^{-1} \textbf{x},\textbf{x} \rangle } \\ & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{P} ^{-1} \textbf{O} ^{-1} \textbf{x}, \textbf{P} ^{-1} \textbf{O} ^{-1}\textbf{x} \rangle } \\ & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{P} ^{-1} \textbf{y}, \textbf{P} ^{-1} \textbf{y} \rangle }. \end{aligned}$$

Denote \(\textbf{W}_{k_1,k_2,l} = {\text {diag}} \{\textbf{0} _{2l}, -\textbf{I}_{k_1}, \textbf{I}_{k_2}\}\), where \(\textbf{0} _{2l}\) is the \(2l \times 2l\) zero matrix. Then it has \(\sum _{D \in \mathcal {D}} \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} = |\mathcal {D}| \cdot \textbf{W}_{k_1,k_2,l}\), and thus

$$\begin{aligned} g_1(\textbf{x}) & = \frac{|\mathcal {D}|}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} {\langle \textbf{W}_{k_1,k_2,l} \textbf{P} ^{-1} \textbf{y}, \textbf{P} ^{-1} \textbf{y} \rangle } \\ & = \frac{1}{|\mathcal {S}_n|} \sum _{\textbf{P} \in \mathcal {S}_n} (-(x_{\textbf{P} (2l+1)}^2+ \cdots + x_{\textbf{P} (2l+k_1)}^2) + (x_{\textbf{P} (2l+k_1 +1)}^2 + \cdots + x_{\textbf{P} (n)}^2)) \\ & = \frac{-k_1 + k_2}{n} (x_1^2 + \cdots + x_n^2) = \frac{k_2-k_1}{n} \left\| \textbf{x} \right\| ^2, \end{aligned}$$

where \(\textbf{P} (i)\) represents the row number of the ‘1’ in \(\textbf{P} \)’s i-th column.

For \(k = 2\), it has

$$\begin{aligned} g_2(\textbf{x}) & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{T} \in \mathcal {S}^{\pm }_n} {\langle \textbf{O} \textbf{T} \textbf{T}_{k_1,k_2,l} \textbf{T} ^{-1} \textbf{O} ^{-1} \textbf{x},\textbf{x} \rangle }^2 \\ & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{P} ^{-1} \textbf{O} ^{-1} \textbf{x}, \textbf{P} ^{-1} \textbf{O} ^{-1}\textbf{x} \rangle }^2 \\ & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{P} ^{-1} \textbf{y}, \textbf{P} ^{-1} \textbf{y} \rangle }^2. \end{aligned}$$

For fixed \(\textbf{P} \in \mathcal {S}_n\) and \(\textbf{D} \in \mathcal {D}\), denote \(\textbf{z} = \textbf{P} ^{-1}y = (z_1,\cdots , z_n)\) and \(\textbf{D} = \textbf{D} ^{-1} = {\text {diag}} \{d_1,\cdots ,d_n\}\), where \(d_i = \pm 1\). Then it has

$$\begin{aligned} \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{z} = (d_1 d_2 z_2, d_1 d_2 z_1, & \dots , d_{2l -1} d_{2l} z_{2l}, d_{2l-1} d_{2l} z_{2l-1}, \\ & -z_{2l+1}, \dots , -z_{2l+k_1}, z_{2l+k_1+1},\dots , z_n), \end{aligned}$$

and \({\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{z}, \textbf{z} \rangle } =\sum _{i=1}^l 2d_{2i-1}d_{2i}z_{2i-1}z_{2i} - \sum _{i=2l+1}^{2l+k_1}z_i^2 + \sum _{i=2l+k_1+1}^n z_i^2\). It follows that

$$\begin{aligned} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{z}, \textbf{z} \rangle }^2 & = |\mathcal {D}| \left( 4 \sum _{i=1}^l z_{2i-1}^2 z_{2i}^2 + \sum _{i=2l+1}^{n}z_i^4 + \sum _{2l+1\le i, j \le 2l+k_1}z_i^2 z_j^2 \right. \\ & \left. - 2 \sum _{\begin{array}{c} 2l+1\le i \le 2l+k_1 \\ 2l+k_1+1 \le j \le n \end{array}}z_i^2 z_j^2 + \sum _{2l+k_1+1\le i, j \le n}z_i^2 z_j^2 \right) . \end{aligned}$$

Observe that \(z_i = x_{\textbf{P} (i)}\) for \(1 \le i \le n\), then it can be deduced that

$$\begin{aligned} g_2(\textbf{x}) & = \frac{1}{|\mathcal {S}^{\pm }_n|} \sum _{\textbf{P} \in \mathcal {S}_n} \sum _{\textbf{D} \in \mathcal {D}} {\langle \textbf{D} \textbf{T}_{k_1,k_2,l} \textbf{D} ^{-1} \textbf{z}, \textbf{z} \rangle }^2 \\ & = \frac{4l + k_1(k_1 - 1) - 2 k_1 k_2 + k_2(k_2 - 1)}{n(n-1)}\sum _{1 \le i,j \le n} x_i^2 x_j^2 + \frac{(n - 2l)}{n} \sum _{1 \le i \le n} x_i^4 \\ & = \frac{6l+(k_1-k_2)^2-n}{n(n-1)}\sum _{1 \le i,j \le n} x_i^2 x_j^2 + \frac{(n - 2l)}{n} \sum _{1 \le i \le n} x_i^4 \\ & = \frac{n^2-2nl-(k_1-k_2)^2-4l}{n(n-1)}\sum _{i=1}^{n} {x_i}^4 + \frac{6l+(k_1-k_2)^2-n}{n(n-1)}(\sum _{i=1}^{n}{x_i}^2)^2. \end{aligned}$$

   \(\square \)

Appendix D Recover the Exact Shortest Vectors in Proposition 4.2

In this appendix, we demonstrate how to recover the exact shortest vectors by using good enough approximations of the shortest vectors of \(\mathcal {L}\) and automorphisms of \({{\text {Aut}}(\mathcal {L})}\), thereby completing Proposition 4.2. In fact, this can be reduced to the following problem.

Problem D.1

Suppose n is odd. Given a basis \(\textbf{B}\) of a lattice \(\mathcal {L} \cong \mathbb {Z}^n\), a polynomial number of automorphisms \(\phi _1,\phi _2,\ldots ,\phi _{p(n)} \in {{\text {Aut}}(\mathcal {L})}\) that are drawn uniformly and independently from a conjugacy class \(\mathfrak {C}_{\phi _0}\), where \(\phi _0 \sim \textbf{T}_{k_1,k_2,l}\) and \(k_1,k_2,l\) are fixed, and an approximation of a set of independent shortest vectors \(\textbf{v}_i\), i.e., \(\{\tilde{\textbf{v}}_1,\ldots ,\tilde{\textbf{v}}_n\}\) such that \(\tilde{\textbf{v}}_i=\textbf{v}_i+\boldsymbol{\epsilon }_i\) and \(\left\| \boldsymbol{\epsilon }_i\right\| \le n^{-c}\). The goal is to find the shortest vectors of \(\mathcal {L}\), i.e., \(\textbf{V}=\{{\textbf{v}}_1,\ldots ,{\textbf{v}}_n\}\).

Note that for any \(\phi \in \mathfrak {C}_{\phi _0}\), it has \(\phi =\textbf{V}\textbf{S}\textbf{V}^{-1}\), where \(\textbf{S} \in {\mathcal {S}^{\pm }_n}\) and \(\textbf{S} \sim \textbf{T}_{k_1,k_2,l}\) (i.e., \(\exists \textbf{T} \in {\mathcal {S}^{\pm }_n}\) such that \(\textbf{S} = \textbf{T}\textbf{T}_{k_1,k_2,l}\textbf{T}^{-1}\)), and \(\phi \) acts on the set of shortest vectors \(\{\pm \textbf{v} _1, \dots , \pm \textbf{v} _n\}\). Then for \(1 \le i,j \le n\), it has \(\left\| \phi \textbf{v}_i \pm \textbf{v}_j\right\| = 0\) or 2 and

$$\begin{aligned} \left| \left\| \phi \tilde{\textbf{v}}_i \pm \tilde{\textbf{v}}_j\right\| - \left\| \phi \textbf{v}_i \pm \textbf{v}_j\right\| \right| \le \left\| \phi \boldsymbol{\epsilon }_i \pm \boldsymbol{\epsilon }_j\right\| \le 2n^{-c}. \end{aligned}$$

(14)

Thus, for any given \(\phi \in \mathfrak {C}_{\phi _0}\), we can decide whether \(\left\| \phi \textbf{v}_i \pm \textbf{v}_j\right\| = 0\), and thus exactly recover the corresponding matrix \(\textbf{S} \in {\mathcal {S}^{\pm }_n}\).

Next, we demonstrate that, for the given automorphisms \(\phi _1,\phi _2,\ldots ,\phi _{p(n)} \in \mathfrak {C}_{\phi _0}\) and the corresponding matrices \(\textbf{S}_i \in {\mathcal {S}^{\pm }_n}, 1 \le i \le p(n)\), such that \(\phi _i=\textbf{V}\textbf{S}_i\textbf{V}^{-1}\), we can efficiently recover \(\textbf{V}\). For \(\phi , \textbf{S} \in \mathbb {R}^{n \times n}\), define \(K{(\phi ,{\textbf {S}})}:=\{{\textbf {X}} \in \mathbb {R}^{n \times n}:{\textbf {XS}}{} {\textbf {X}}^{-1}=\phi \}\). Then clearly, \(K{(\phi ,{\textbf {S}})}\) is an \(\mathbb {R}\)-linear space, and \(\textbf{V} \in K{(\phi _i,{\textbf {S}}_i)}\). Moreover,

$$\begin{aligned} K{(\phi _i,{\textbf {S}}_i)} &=\{{\textbf {X}}:{\textbf {XS}}_i{\textbf {X}}^{-1}={\textbf {VS}}_i\textbf{V}^{-1}\}\\ &=\{{\textbf {X}}:({\textbf {V}}^{-1}{} {\textbf {X}}){\textbf {S}}_i({\textbf {V}}^{-1}{} {\textbf {X}})^{-1}={\textbf {S}}_i\}\\ &=\{{\textbf {VX}}:{\textbf {X}}{} {\textbf {S}}_i{\textbf {X}}^{-1}={\textbf {S}}_i\}\\ &={\textbf {V}}\cdot \{{\textbf {X}}:{\textbf {X}}{} {\textbf {S}}_i{\textbf {X}}^{-1}={\textbf {S}}_i\}\\ &= {\textbf {V}}\cdot K{({\textbf {S}}_i,{\textbf {S}}_i)}. \end{aligned}$$

Therefore, \(\textbf{V} \in {\textbf {V}}\cdot \bigcap _{i=1}^{p(n)} K{({\textbf {S}}_i,{\textbf {S}}_i)}\). Note that \(K{({\textbf {S}}_i,{\textbf {S}}_i)}\) is a subgroup of \(\mathcal {S}^{\pm }_n\). Let \(\textbf{T}_i \in {\mathcal {S}^{\pm }_n}\) such that \(\textbf{S}_i = \textbf{T}_i\textbf{T}_{k_1,k_2,l}\textbf{T}_i^{-1}\). Then it has

$$\begin{aligned} K{({\textbf {S}}_i,{\textbf {S}}_i)} & = \{{\textbf {X}} : {\textbf {X}}{} {\textbf {S}}_i{\textbf {X}}^{-1}={\textbf {S}}_i \} \\ & = \{ {\textbf {X}} :{\textbf {X}}\textbf{T}_i\textbf{T}_{k_1,k_2,l}\textbf{T}_i^{-1}{} {\textbf {X}}^{-1}=\textbf{T}_i\textbf{T}_{k_1,k_2,l}\textbf{T}_i^{-1} \} \\ & = \{ {\textbf {X}} : (\textbf{T}_i^{-1}{} {\textbf {X}}\textbf{T}_i) \textbf{T}_{k_1,k_2,l} (\textbf{T}_i^{-1}{} {\textbf {X}}\textbf{T}_i)^{-1} = \textbf{T}_{k_1,k_2,l} \} \\ & = \textbf{T}_i K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})} \textbf{T}_i^{-1}. \end{aligned}$$

Since \(\phi _i\) is drawn uniformly from the conjugacy class \(\mathfrak {C}_{\phi _0}\), then \(\textbf{S}_i\) is distributed uniformly in the conjugacy class \(\mathfrak {C}_{\textbf{T}_{k_1,k_2,l}}\). Then from the group action perspective, the coset \(\textbf{T}_i K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})}\) is distributed uniformly in the left cosets of \(\textbf{T}_{k_1,k_2,l}\) in \(\mathcal {S}^{\pm }_n\). Equivalently, \(K{({\textbf {S}}_i,{\textbf {S}}_i)} = \textbf{T}_i K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})} \textbf{T}_i^{-1}\) can be viewed as a random subgroup of \(\mathcal {S}^{\pm }_n\) such that \(\textbf{T}_i\) is drawn uniformly at random from \(\mathcal {S}^{\pm }_n\). There are two cases for \(\textbf{T}_{k_1,k_2,l}\).

Case 1. \(l = 0\). In this case, it has \(k_1,k_2 > 0\), and thus there exists \(1 \le a \ne b \le n\) such that \(\textbf{T}_{k_1,k_2,l} \textbf{e} _a = \textbf{e} _a\) and \(\textbf{T}_{k_1,k_2,l} \textbf{e} _b = -\textbf{e} _b\) (we recall that \(\{\textbf{e} _a\}_{a \in [n]}\) is the standard basis). Thus, for an \(\textbf{X} \in K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})}\), we have \(\textbf{e} _a^\top \textbf{X} \textbf{e} _b = - \textbf{e} _a^\top \textbf{X} \textbf{T}_{k_1,k_2,l} \textbf{e} _b = - \textbf{e} _a^\top \textbf{T}_{k_1,k_2,l} \textbf{X} \textbf{e} _b = - \textbf{e} _a^\top \textbf{X} \textbf{e} _b \), i.e., \(\textbf{e} _a^\top \textbf{X} \textbf{e} _b = 0\). Similarly, it can be deduced that \(\textbf{e} _b^\top \textbf{X} \textbf{e} _a = 0\).

Therefore, for any \(\textbf{Y} \in K{({\textbf {S}}_i,{\textbf {S}}_i)}\), we have \(\textbf{T}_i^\top \textbf{Y} \textbf{T}_i \in K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})}\). It follows that \((\textbf{T}_i \textbf{e} _a)^\top \textbf{Y} (\textbf{T}_i \textbf{e} _b) = (\textbf{T}_i \textbf{e} _b)^\top \textbf{Y} (\textbf{T}_i \textbf{e} _a) = 0\). Note that \(\textbf{T}_i\) can be viewed as drawn uniformly at random from \(\mathcal {S}^{\pm }_n\), and \(\mathcal {S}^{\pm }_n\) acts transitively on all the pairs \(\{(\pm \textbf{e} _a, \pm \textbf{e} _b): 1 \le a \ne b \le n\}\). Thus, for a sufficiently large polynomial p(n), it has \(\textbf{e} _a^\top \textbf{Y} \textbf{e} _b = \textbf{e} _b^\top \textbf{Y} \textbf{e} _a = 0\) for all \(1 \le a \ne b \le n\) and \(\textbf{Y} \in \bigcap _{i=1}^{p(n)} K{({\textbf {S}}_i,{\textbf {S}}_i)}\). In other words, \(\bigcap _{i=1}^{p(n)} K{({\textbf {S}}_i,{\textbf {S}}_i)}\) consists of all diagonal matrices in \(\mathbb {R}^{n \times n}\), i.e., \(\bigcap _{i=1}^{p(n)} K{(\phi _i,{\textbf {S}}_i)} = \{ \textbf{V} \cdot {\text {diag}}\{d_1, \dots , d_n\} : d_i \in \mathbb {R} \}\). Then \(\textbf{V}\) can be reconstructed by first computing an \(\mathbb {R}\)-linear basis of the space \(\bigcap _{i=1}^{p(n)} K{(\phi _i,{\textbf {S}}_i)}\) and then recovering each \(\pm \textbf{v} _i\) via vector normalization.

Case 2: \(l \ne 0\). In this case, it has \(k_1 \ne 0\) (or \(k_2 \ne 0\)). Thus we have \(\textbf{T}_{k_1,k_2,l} \textbf{e} _1 = \textbf{e} _2\), \(\textbf{T}_{k_1,k_2,l} \textbf{e} _2 = \textbf{e} _1\), and there exists \(3 \le j \le n\) such that \(\textbf{T}_{k_1,k_2,l} \textbf{e} _j = -\textbf{e} _j\) (or \(\textbf{T}_{k_1,k_2,l} \textbf{e} _j = \textbf{e} _j\) if \(k_2 \ne 0\)). Then, by a similar deduction as in Case 1, we have \(\textbf{e} _1^\top \textbf{X} \textbf{e} _1 = \textbf{e} _2^\top \textbf{X} \textbf{e} _2\), \(\textbf{e} _1^\top \textbf{X} \textbf{e} _2 = \textbf{e} _2^\top \textbf{X} \textbf{e} _1\), and \(\textbf{e} _1^\top \textbf{X} \textbf{e} _j = -\textbf{e} _2^\top \textbf{X} \textbf{e} _j\) (or \(\textbf{e} _1^\top \textbf{X} \textbf{e} _j = \textbf{e} _2^\top \textbf{X} \textbf{e} _j\) if \(k_2 \ne 0\)) for all \(j \in [n]\) and \(\textbf{X} \in K{(\textbf{T}_{k_1,k_2,l},\textbf{T}_{k_1,k_2,l})}\).

Again, due to the transitivity of the action of \(\mathcal {S}^{\pm }_n\) on \(\{(\pm \textbf{e} _a, \pm \textbf{e} _b, \pm \textbf{e} _c)\}\), we can deduce that for a large enough polynomial p(n), it has \(\textbf{e} _a^\top \textbf{Y} \textbf{e} _a = \textbf{e} _b^\top \textbf{Y} \textbf{e} _b\), \(\textbf{e} _a^\top \textbf{Y} \textbf{e} _b = \textbf{e} _b^\top \textbf{Y} \textbf{e} _a\), and \(\textbf{e} _a^\top \textbf{Y} \textbf{e} _c = -\textbf{e} _b^\top \textbf{Y} \textbf{e} _c\), \(\textbf{e} _a^\top \textbf{Y} \textbf{e} _c = \textbf{e} _b^\top \textbf{Y} \textbf{e} _c\) for all \(1 \le a \ne b \ne c \le n\) and \(\textbf{Y} \in \bigcap _{i=1}^{p(n)} K{({\textbf {S}}_i,{\textbf {S}}_i)}\). In other words, \(\bigcap _{i=1}^{p(n)} K{({\textbf {S}}_i,{\textbf {S}}_i)} = \{h\textbf{I}_n: h\in \mathbb {R}\}\). Then \(\textbf{V}\) can be reconstructed by first computing a nonzero matrix in \(\bigcap _{i=1}^{p(n)} K{(\phi _i,{\textbf {S}}_i)}\) and then performing normalization.