Abstract
Discrete Gaussian sampling over the integers, which is to sample from a discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) over the integers \(\mathbb {Z}\) with parameter \(\sigma >0\) and center \(\mu \in \mathbb {R}\), is one of the fundamental operations in lattice-based cryptography. The sampling algorithm should support a varying center \(\mu \), and even a varying parameter \(\sigma \), when it is used as a subroutine in an algorithm for Gaussian sampling over trapdoor lattices, or for sampling from Gaussian distributions over a general n-dimensional lattice \(\varLambda \). In this paper, combining the techniques in Karney’s algorithm for exactly sampling the standard normal distribution, we present an exact sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with an integer-valued parameter \(\sigma \). This algorithm requires no pre-computation storage, uses no floating-point arithmetic, supports centers of arbitrary precision, and does not have any statistical discrepancy. Applying the convolution-like property of discrete Gaussian distributions, we also present an approximate sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with a real-valued parameter \(\sigma \). It also supports centers of arbitrary precision, and we show that the distribution it produces has a smaller max-log distance to the ideal distribution than the Micciancio-Walter sampling algorithm, which was introduced by Micciancio and Walter at Crypto 2017 for discrete Gaussian distributions with varying \(\sigma \) and \(\mu \) over the integers.
This work was supported by National Key R&D Program of China (2017YFB0802500), National Natural Science Foundations of China (Grant Nos. 61672550, 61972431), Guangdong Major Project of Basic and Applied Research (2019B030302008), Guangdong Basic and Applied Basic Research Foundation (No. 2020A1515010687) and the Fundamental Research Funds for the Central Universities (Grant No. 19lgpy217).
Keywords
- Lattice-based cryptography
- Discrete Gaussian distribution
- Rejection sampling
- Exact sampling
- Max-log distance
1 Introduction
Lattice-based cryptography has been accepted as a promising candidate for public key cryptography in the age of quantum computing. Discrete Gaussian sampling, which is to sample from a discrete Gaussian distribution \(\mathcal {D}_{\varLambda ,\sigma ,\mathbf {c}}\) with parameter \(\sigma >0\) and center \(\mathbf {c}\in \mathbb {R}^n\) over an n-dimensional lattice \(\varLambda \), plays a fundamental role in lattice-based cryptography. Discrete Gaussian sampling is not only one of the fundamental operations in many lattice-based cryptosystems but is also at the core of security proofs of these cryptosystems [10, 18, 21]. It has been considered by the cryptography research community as one of the fundamental building blocks of lattice-based cryptography [19, 20, 22, 24].
An important sub-problem of discrete Gaussian sampling, denoted by \(\mathrm {Sample}\mathbb {Z}\), is to sample from a discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) over the integers \(\mathbb {Z}\) with parameter \(\sigma >0\) and center \(\mu \in \mathbb {R}\). Since \(\mathrm {Sample}\mathbb {Z}\) is much simpler and more efficient than discrete Gaussian sampling over a general lattice, the operations involving discrete Gaussian sampling in some lattice-based cryptosystems, such as [6, 23, 27], are nothing but \(\mathrm {Sample}\mathbb {Z}\). A good sampling algorithm for a discrete Gaussian distribution (not necessarily over the integers \(\mathbb {Z}\)) should not only be efficient, but also have a negligible statistical discrepancy with the target distribution. Therefore, how to design and implement good sampling algorithms for discrete Gaussian distributions over the integers has received a lot of attention in recent years.
The commonly used methods (techniques) for \(\mathrm {Sample}\mathbb {Z}\) are the inversion sampling (using a cumulative distribution table, CDT) [24], the Knuth-Yao method (using a discrete distribution generating (DDG) tree) [7, 28], the rejection sampling [6, 10, 16], and the convolution technique [22, 25] (based on the convolution-like properties of discrete Gaussian distributions developed by Peikert in [24]).
The first \(\mathrm {Sample}\mathbb {Z}\) algorithm, given by Gentry et al. in [10], uses rejection sampling. Although this algorithm supports varying parameters (including \(\mu \) and \(\sigma \)), it is not very efficient, since it requires about 10 trials on average before outputting an integer in order to achieve a negligible statistical distance to the target discrete Gaussian distribution (see Footnote 1).
Most improved \(\mathrm {Sample}\mathbb {Z}\) algorithms are designed only for the case where the center \(\mu \) is fixed in advance, such as [6, 11, 14, 15, 28, 29]. It is necessary to consider generic \(\mathrm {Sample}\mathbb {Z}\) algorithms that support varying parameters. Sampling from discrete Gaussian distributions over the integers is also usually one of the subroutines in discrete Gaussian sampling algorithms for distributions over a general n-dimensional lattice \(\varLambda \). Examples include the \(\mathrm {Sample}\mathbb {D}\) algorithm [10] for distributions over an n-dimensional lattice with a given basis \(\mathbf {B}\), Peikert’s algorithm for distributions over a q-ary integer lattice \(\varLambda \subseteq \mathbb {Z}^n\) [24], and Gaussian sampling algorithms for trapdoor lattices [9, 20]. A \(\mathrm {Sample}\mathbb {Z}\) algorithm should support a varying center \(\mu \), and even a varying parameter \(\sigma \), if it is used in these cases.
1.1 Related Work
In 2016, Karney proposed an algorithm for sampling exactly (without statistical discrepancy) from a discrete Gaussian distribution over the integers \(\mathbb {Z}\) [16]. This algorithm uses no floating-point arithmetic and needs no precomputation storage. It allows the parameters (including \(\sigma \) and \(\mu \)) to be arbitrary rational numbers of finite precision. It may be regarded as only the second generic \(\mathrm {Sample}\mathbb {Z}\) algorithm, after the one given by Gentry et al. in [10].
In 2017, Micciancio and Walter developed a new \(\mathrm {Sample}\mathbb {Z}\) algorithm [22], which we call the Micciancio-Walter sampling algorithm. It extends and generalizes the techniques used in the sampler proposed by Pöppelmann et al. [25]. The Micciancio-Walter algorithm is also generic, i.e., it can be used to sample from discrete Gaussian distributions with arbitrary and varying parameters of specified (finite) precision. Moreover, Aguilar-Melchor et al. designed a non-centered CDT algorithm with a reduced size of precomputation tables [1].
More recently, it was suggested that the Bernoulli sampling, introduced by Ducas et al. in [6] for centered discrete Gaussian distributions over the integers, could be improved by using the polynomial approximation technique. Specifically, the rejection operation in the Bernoulli sampling can be performed very efficiently by using an approximating polynomial [3, 32]. The polynomial (i.e., its coefficients) can be determined in advance, and it also allows us to sample from Gaussian distributions with a varying center \(\mu \in [0,1)\). Combined with the convolution-like property of discrete Gaussian distributions [22, 24, 25], a non-centered Bernoulli sampling could be further extended to a generic sampling algorithm for any discrete Gaussian distribution over the integers. Howe et al. further presented a modular framework [12] for generating discrete Gaussians with arbitrary and varying parameters, which incorporates rejection sampling, the polynomial approximation technique, and the sampling technique used in the Falcon signature scheme [27].
Another alternative method of discrete Gaussian sampling over the integers is to sample from the (continuous) standard normal distribution, and then obtain samples of discrete Gaussian distributions by rejection sampling [31]. This method is very efficient and supports discrete Gaussian distributions with arbitrary and varying parameters, although it relies on floating-point arithmetic (even involving the logarithm and trigonometric functions, due to sampling from the standard normal distribution). In fact, a simpler and more efficient method is to replace discrete Gaussians with rounded Gaussians [13], which are obtained by rounding samples from the continuous normal distribution to the nearest integer, but the security analysis of rounded Gaussians is confined to cryptosystems like the BLISS signature scheme.
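As a minimal floating-point sketch of the rounded-Gaussian idea (purely illustrative; it is precisely the kind of floating-point sampler that the exact algorithms in this paper avoid):

```python
import random

def rounded_gaussian(sigma, mu, rng=random):
    """Rounded Gaussian in the sense of [13]: draw from the continuous
    normal distribution N(mu, sigma^2) and round to the nearest integer.
    Relies on floating-point arithmetic, unlike the exact samplers below."""
    return round(rng.gauss(mu, sigma))
```

The resulting integer distribution is close to, but not identical with, \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\), which is why its security analysis is scheme-specific.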
Except Karney’s sampling algorithm, the existing algorithms for sampling from \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with varying parameters, either rely on floating-point arithmetic, such as the algorithms in [10, 32], or require a large amount of precomputation storage, such as Micciancio-Walter sampling algorithm [22] and the one given by Aguilar-Melchor et al. [1]. The sampler presented by Barthe et al. in [3] supports a varying \(\mu \in \mathbb {R}\) but not a varying parameters \(\sigma \). It needs to perform another polynomial approximation procedure for the new \(\sigma \).
Furthermore, except for Karney’s sampling algorithm, the algorithms mentioned above are all approximate algorithms, which only produce samples approximately from the target distribution. They usually involve complicated and careful security analyses based on statistical measures (e.g., Rényi divergence [2, 26], max-log distance [22], relative error [30]), since attaining a negligible statistical measure to the ideal Gaussian distribution may be crucial for lattice-based cryptography, especially for signatures [17] and lattice trapdoors [10], to provide zero-knowledgeness. Therefore, it is interesting to consider exact sampling algorithms in lattice-based cryptography: for exact algorithms, the security analysis based on statistical measures can be simplified or even omitted.
1.2 Our Contribution
On one hand, we note that Karney’s sampling algorithm [16] is an exact sampling algorithm, but it only allows \(\sigma \) and \(\mu \) to be rational numbers of specified (finite) precision. In this paper, for an integer-valued parameter \(\sigma \), we present an exact sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\). This algorithm requires no pre-computation storage, uses no floating-point arithmetic, and supports a varying \(\mu \) of arbitrary precision. On the other hand, although the Micciancio-Walter sampling algorithm [22] supports varying parameters (including \(\mu \) and \(\sigma \)) with specified (finite) precision, its base sampler requires a large amount of precomputation storage. Based on our proposed exact algorithm, and applying the convolution-like property of discrete Gaussian distributions, we give an approximate sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with a real-valued parameter \(\sigma \). It requires no pre-computation storage and supports a varying \(\mu \) of arbitrary precision. We show that the distribution it produces has a smaller max-log distance to the ideal distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) than the distribution produced by the Micciancio-Walter sampling algorithm.
1.3 Techniques
Let \(\sigma \) be a positive integer, \(\mu \in [0,1)\) be a real number of arbitrary precision, and x be a non-negative integer. We give an algorithm for exactly generating a Bernoulli random value which is true with probability \(\exp \left( -\frac{1}{2}t(2x+t)\right) \), where t is in the form of \((y-s\mu )/{\sigma }\), \(s\in \{-1,1\}\), and y is an integer taken uniformly from \([(1+s)/2,\sigma +(1+s)/2)\). In our exact sampling algorithm for discrete Gaussian distributions, which is based on rejection sampling, we show that the rejection operation can be performed by repeatedly using this algorithm for generating the Bernoulli random value.
In fact, this algorithm is adapted from Karney’s algorithm for exactly generating a Bernoulli random value (see Algorithm B in [16]). Karney also used it as the rejection operation in his algorithms for the standard normal distribution as well as for discrete Gaussian distributions over the integers. However, t is only regarded as a random deviate from [0, 1) in Karney’s algorithm. In the case of the standard normal distribution, the value of t corresponds exactly to the fractional part of the prospective output and can be obtained directly as a random number, while in the case of discrete Gaussian distributions, determining the value of t requires computation involving the parameters \(\sigma \) and \(\mu \). In order to maintain exactness, \(\mu \) is only allowed to be a rational number when sampling from discrete Gaussian distributions, which limits the functionality of Karney’s algorithm.
2 Preliminaries
2.1 Notation
We denote the set of real numbers by \(\mathbb {R}\), the set of integers by \(\mathbb {Z}\), and the set of non-negative integers by \(\mathbb {Z}^{+}\). We extend any real function \(f(\cdot )\) to a countable set A by defining \(f(A)=\sum _{x\in A}f(x)\) if it exists. The Gaussian function on \(\mathbb {R}\) with parameter \(\sigma >0\) and \(\mu \in \mathbb {R}\) evaluated at \(x\in \mathbb {R}\) is defined by \(\rho _{\sigma ,\mu }(x)=\exp {\left( -\frac{(x-\mu )^2}{2\sigma ^2}\right) }\). For real \(\sigma >0\) and \(\mu \in \mathbb {R}\), the discrete Gaussian distribution over \(\mathbb {Z}\) is defined by \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }(x)={\rho _{\sigma ,\mu }(x)}/{\rho _{\sigma ,\mu }(\mathbb {Z})}\) for \(x\in \mathbb {Z}\). Similarly, a discrete Gaussian distribution over \(\mathbb {Z}^+\) is defined by \(\mathcal {D}_{\mathbb {Z}^+,\sigma }(x)={\rho _{\sigma }(x)}/{\rho _{\sigma }(\mathbb {Z}^+)}\). By convention, the subscript \(\mu \) is omitted when it is taken to be 0.
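For concreteness, \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) can be tabulated numerically by truncating the normalizing sum \(\rho _{\sigma ,\mu }(\mathbb {Z})\); a sketch follows (the tail cutoff `tau` is an illustrative choice of ours, and floating-point arithmetic is used here only for exposition, in contrast to the exact algorithms of this paper):

```python
import math

def rho(sigma, mu, x):
    """Gaussian function rho_{sigma,mu}(x) = exp(-(x - mu)^2 / (2 sigma^2))."""
    return math.exp(-((x - mu) ** 2) / (2 * sigma ** 2))

def discrete_gaussian_pmf(sigma, mu, tau=12):
    """Probabilities of D_{Z,sigma,mu} on the truncated support
    [mu - tau*sigma, mu + tau*sigma]; the true support is all of Z,
    but the mass beyond tau = 12 standard deviations is negligible."""
    lo = math.floor(mu - tau * sigma)
    hi = math.ceil(mu + tau * sigma)
    weights = {x: rho(sigma, mu, x) for x in range(lo, hi + 1)}
    norm = sum(weights.values())  # approximates rho_{sigma,mu}(Z)
    return {x: w / norm for x, w in weights.items()}
```

For \(\mu =0\) the table is symmetric about 0 and peaks at \(x=0\), matching the definition above.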
2.2 Rejection Sampling
Rejection sampling is a basic method (technique) used to generate observations from a distribution [5]. It generates sampling values from a target distribution X with arbitrary probability density function f(x) by using a proposal distribution Y with probability density function g(x). The basic idea is that one generates a sample value from X by instead sampling from Y and accepting the sample from Y with probability \(\frac{f(x)}{Mg(x)}\), repeating the draws from Y until a value is accepted, where M is a constant such that \(f(x)\le Mg(x)\) for all values of x in the support of X. Under this condition, the rejection sampling procedure produces exactly, with enough replicates, the distribution of X. In fact, f(x) is allowed to be only a relative probability density function: rejection sampling can be used to sample from a distribution X whose normalizing constant is unknown, as long as the support of Y includes the support of X.
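The procedure above can be sketched as follows (a generic floating-point illustration; the toy target density \(f(x)=2x\) on [0, 1), the uniform proposal, and the envelope constant \(M=2\) are our own example, not from the text):

```python
import random

def rejection_sample(f, sample_g, g, M, rng=random):
    """Generic rejection sampling: draw x from the proposal Y (density g),
    accept with probability f(x) / (M * g(x)); repeat until acceptance.
    Requires f(x) <= M * g(x) on the support of the target X."""
    while True:
        x = sample_g(rng)
        if rng.random() * M * g(x) <= f(x):
            return x

# Toy example: target f(x) = 2x on [0, 1), uniform proposal g(x) = 1, M = 2.
rng = random.Random(42)
samples = [rejection_sample(lambda x: 2 * x,
                            lambda r: r.random(),
                            lambda x: 1.0, 2.0, rng)
           for _ in range(20000)]
```

The empirical mean of `samples` approaches the target mean 2/3, and the acceptance rate is 1/M = 1/2 on average.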
2.3 Karney’s Algorithm
Karney’s exact sampling algorithm for discrete Gaussian distributions, which is described as Algorithm 1, uses rejection sampling, and it is a discretization of his algorithm for sampling exactly from the normal distribution. Here, parameter \(\sigma \) and \(\mu \) are in the set of rational numbers \(\mathbb {Q}\).
From the perspective of rejection sampling, in Algorithm 1, we can see that steps 1 and 2 together form a rejection sampling procedure, which generates \(k\in \mathbb {Z}^+\) according to \(\mathcal {D}_{\mathbb {Z}^+,1}(k)={\rho _{1}(k)}/{\rho _{1}(\mathbb {Z}^+)}\), a discrete Gaussian distribution over the set of non-negative integers \(\mathbb {Z}^+\). Then, the proposal distribution for the whole algorithm can be written as
with \(z=s(\lceil k\sigma +s\mu \rceil +j)\). The algorithm accepts z as the returned value with probability \(e^{-\frac{1}{2}x(2k+x)}\), where \(x=(\lceil k\sigma +s\mu \rceil -(k\sigma +s\mu )+j)/\sigma <1\). It is not hard to see that
which guarantees the correctness of Algorithm 1.
In Algorithm 1, in order to exactly sample \(k\in \mathbb {Z}^{+}\) with (relative) probability density \(\rho _{1}(k)=\exp ({-k^2}/{2})\), Karney also gave an algorithm for exactly generating a Bernoulli random value which is true with probability \(1/\sqrt{e}\). Specifically, one needs \((k+1)\) Bernoulli random values from \(\mathcal {B}_{1/\sqrt{e}}\) to select an integer \(k\ge 0\) with probability \(\exp (-k/2)\cdot (1-\exp (-1/2))\) (step 1), then continues to generate \(k(k-1)\) Bernoulli random values from \(\mathcal {B}_{1/\sqrt{e}}\) to accept k with probability \(\exp \left( -\frac{1}{2}k(k-1)\right) \) (step 2). Karney’s algorithm for exactly generating a Bernoulli random value which is true with probability \(1/\sqrt{e}\) is adapted from Von Neumann’s algorithm for exactly sampling from the exponential distribution \(e^{-x}\) for real \(x > 0\) (see Algorithm V and Algorithm H in [16]).
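Steps 1 and 2 described above can be sketched as follows, where, purely for illustration, we replace Karney’s exact \(\mathcal {B}_{1/\sqrt{e}}\) generator (Algorithm H in [16]) with a floating-point Bernoulli trial:

```python
import math
import random

INV_SQRT_E = math.exp(-0.5)

def bernoulli_inv_sqrt_e(rng):
    """Stand-in for Karney's exact B_{1/sqrt(e)} generator; approximated
    here with floating point purely for illustration."""
    return rng.random() < INV_SQRT_E

def sample_k(rng):
    """Sample k in Z+ with probability proportional to exp(-k^2/2),
    mimicking steps 1-2 of Algorithm 1."""
    while True:
        # Step 1: P(k) = exp(-k/2) * (1 - exp(-1/2)) via a run of successes.
        k = 0
        while bernoulli_inv_sqrt_e(rng):
            k += 1
        # Step 2: accept with probability exp(-k(k-1)/2),
        # using k(k-1) further Bernoulli draws.
        if all(bernoulli_inv_sqrt_e(rng) for _ in range(k * (k - 1))):
            return k
```

The two steps multiply to \(\exp (-k/2)\cdot \exp (-\frac{1}{2}k(k-1))=\exp (-k^2/2)\), as required.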
In Algorithm 1, step 8 is implemented by using a specifically designed algorithm so that it introduces no statistical discrepancy; we will discuss this algorithm in Sect. 3.
3 Sampling from Arbitrary-Centered Discrete Gaussians
Algorithm 2 is our proposed algorithm for sampling from arbitrary-centered discrete Gaussian distributions. We give the proof of its correctness.
Theorem 1
The integer \(z\in \mathbb {Z}\) output by Algorithm 2 is exactly from the discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with an integer-valued \(\sigma \) and a real-valued \(\mu \) of arbitrary precision, if the probability \(\exp \left( -((y-s\mu )^2+2\sigma x(y-s\mu ))/(2\sigma ^2)\right) \) can be calculated exactly.
Proof
From the perspective of rejection sampling, following Karney’s approach (steps 1 and 2 in Algorithm 1), we generate an integer x exactly from \(\mathcal {D}_{\mathbb {Z}^+,1}(x)=\rho _{1}(x)/\rho _{1}(\mathbb {Z}^+)\), and use \(\mathcal {D}_{\mathbb {Z}^+,1}\) as the proposal distribution. For a given positive integer \(\sigma \), any \(z\in \mathbb {Z}\) can be uniquely written as \(z=s(\sigma x+y)\), where \(s\in \{-1,1\}\), and x, y are integers such that \(x\ge 0\) and \(y\in [0,\sigma )\). This guarantees that the support of the distribution produced by Algorithm 2 is the set of all the integers. For simplicity, we set \(y\leftarrow y+1\) if \(s=1\). Then, \(z=s(\sigma x+y)\) and the target (relative) probability density function for \(z\in \mathbb {Z}\) can be written as \(f(z)=\rho _{\sigma ,\mu }(z)=\exp \left( -\frac{(\sigma x+y-s\mu )^2}{2\sigma ^2}\right) \).
In Algorithm 2, for a given integer x exactly from \(\mathcal {D}_{\mathbb {Z}^+,1}\), we sample \(s\leftarrow \pm 1\) with equal probabilities, take \(z=s(\sigma x+y)\), and then accept the value of z as the returned value with probability \(\exp \left( -((y-s\mu )^2+2\sigma x(y-s\mu ))/(2\sigma ^2)\right) \). It is not hard to see that \(\rho _{1}(x)\cdot \exp \left( -((y-s\mu )^2+2\sigma x(y-s\mu ))/(2\sigma ^2)\right) =\rho _{\sigma ,\mu }(z),\) which is proportional to the desired (relative) probability density. This implies that the probability of Algorithm 2 going back to step 1 is equal to a constant,
We denote by \(Q_\infty \) this constant and let \(q(z)=(1-\exp (-1/2))\cdot \rho _{\sigma ,\mu }(z)\). Then, the probability that Algorithm 2 outputs an integer \(z\in \mathbb {Z}\) can be given by
which shows the correctness of Algorithm 2. Since all the operations, including computing the value of the probability \(\exp \left( -((y-s\mu )^2+2\sigma x(y-s\mu ))/(2\sigma ^2)\right) \), can be performed without any statistical discrepancy, Algorithm 2 produces exactly the discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma , \mu }\). \(\square \)
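The unique decomposition \(z=s(\sigma x+y)\) used in the proof of Theorem 1 (with the shift \(y\leftarrow y+1\) when \(s=1\)) can be sketched as follows (a plain-Python illustration):

```python
def decompose(z, sigma):
    """Uniquely write z = s*(sigma*x + y) as in the proof of Theorem 1:
    s in {-1, 1} and x >= 0, with (after the shift y <- y + 1 for s = 1)
    y in [1, sigma] when s = 1 and y in [0, sigma) when s = -1."""
    if z >= 1:
        s = 1
        x, y = divmod(z - 1, sigma)
        y += 1  # the shift y <- y + 1 applied when s = 1
    else:
        s = -1
        x, y = divmod(-z, sigma)
    return s, x, y
```

Positive integers are covered by \(s=1\), and \(z\le 0\) by \(s=-1\), so every integer has exactly one representation.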
The most important problem in Algorithm 2 is to compute exactly the value of the exponential function for a real-valued \(\mu \) of arbitrary precision, and to get a Bernoulli random value which is true with probability equal to this value. Addressing this problem is based on the following observation: \(\exp \left( -\frac{1}{2}\tilde{y}(2x+\tilde{y})\right) =\left( \exp \left( -\frac{\tilde{y}(2x+\tilde{y})}{2x+2}\right) \right) ^{x+1},\) where \(\tilde{y}=(y-s\mu )/\sigma \) and \(0\le \tilde{y}<1\). Therefore, we can repeatedly sample from the Bernoulli distribution \(\mathcal {B}_p\) a total of \(x+1\) times to obtain a Bernoulli random value which is true with our desired probability, where \(p=\exp \left( -\frac{\tilde{y}(2x+\tilde{y})}{2x+2}\right) \).
Sampling the Bernoulli distribution \(\mathcal {B}_p\) can be accomplished by using Algorithm 3, which was proposed by Karney in [16]. The function C(m) with \(m=2x+2\) in Algorithm 3 is a random selector that outputs \(-1\), 0 and 1 with probability 1/m, 1/m and \(1-2/m\) respectively.
The main idea is to sample two sets of uniform deviates \(v_1, v_2, \ldots \) and \(w_1, w_2, \ldots \) from [0, 1), and to determine the maximum value \(n\ge 0\) such that
If n is even, it returns true, and the probability is exactly equal to
This follows from the Taylor expansion of the exponential function. Then, applying this procedure at most \(x+1\) times, one can obtain a Bernoulli random value which is true with probability \(\exp \left( -\frac{1}{2}t(2x+t)\right) \) for given x and t. Taking
and applying Algorithm 3, we can sample from the Bernoulli distribution \(\mathcal {B}_{p}\) with \(p=\exp \left( -\tilde{y}\left( (2x+\tilde{y})/(2x+2)\right) \right) \).
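The Von Neumann idea underlying Algorithm 3 can be sketched as follows for the basic case \(p=e^{-x}\) with \(0\le x\le 1\) (a floating-point illustration of ours; Karney’s exact version replaces the uniform deviates with arbitrary-precision ones and adds the selector C(m)):

```python
import math
import random

def bernoulli_exp(x, rng):
    """Return True with probability exp(-x), for 0 <= x <= 1.

    Draw uniforms and let n be the length of the longest run with
    x > u_1 > u_2 > ... > u_n; then P(n >= k) = x^k / k!, so by the
    Taylor expansion n is even with probability exactly exp(-x)."""
    n = 0
    prev = x
    while True:
        u = rng.random()
        if u >= prev:
            break
        prev = u
        n += 1
    return n % 2 == 0
```

No evaluation of the exponential function is needed; only comparisons of uniform deviates, which is what makes the exact arbitrary-precision variant possible.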
The remaining issue is that we need to compare \(\tilde{y}\) with a randomly generated deviate in [0, 1) without using floating-point arithmetic, which guarantees the exactness. We observe that any real \(u\in [0,1)\) of arbitrary precision can be represented by \(u=\frac{j-sr}{\sigma }\) with given \(\sigma \) and s, where j is an integer from \([(1+s)/2,\sigma +(1+s)/2)\) and \(r\in [0,1)\) is a real number of arbitrary precision. Then, we can do the comparison as follows.
To obtain a randomly generated deviate in the form of \(u=(j-sr)/\sigma \in [0,1)\), we sample j uniformly from \(\{0,1,2,\cdots ,\sigma -1\}\), sample a uniform deviate \(r\in [0,1)\), and set \(j=j+1\) if \(s=1\). To compare a randomly generated deviate \(u=(j-sr)/\sigma \) with a given \((y-s\mu )/\sigma \), we first compare j with y and return the result if they are not equal. Otherwise, we compare r with \(\mu \) to complete the whole procedure. Figure 1 shows the above idea in the case of \(s=1\). We summarize the whole procedure of comparison in Algorithm 4.
Note that comparing r with \(\mu \) can be realized without floating-point arithmetic through bitwise operations. This implies that Algorithm 4 allows \(\mu \) to be a real number of arbitrary precision, and the case \(r=\mu \) occurs with probability zero. Specifically, following the implementation of Karney’s algorithm for random numbers of arbitrary precision, the comparison of two deviates is realized digit by digit, and each digit of a deviate is generated online, on demand. To determine the relation between r and \(\mu \), we take the first digits of r and \(\mu \), denoted by \(r_{1}\) and \(\mu _{1}\), respectively. If \(r_{1}\) or \(\mu _{1}\) does not exist, then we generate it uniformly online. If \(r_{1}\) and \(\mu _{1}\) are equal, then we take the second digits of r and \(\mu \), namely \(r_{2}\) and \(\mu _{2}\), and continue to compare them. In fact, one digit could consist of only one bit or a small number of bits, such as 4, 8 or 16 bits. We call the number of bits in each digit the digit size, which can be specified in the source code in advance.
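The digit-by-digit comparison can be sketched as follows (binary digits, i.e., digit size 1, for simplicity; `mu_digit` is a hypothetical accessor of ours for the successive digits of \(\mu \)):

```python
import random

def compare_lazily(mu_digit, rng, base=2):
    """Compare a fresh uniform deviate r in [0,1) with mu, digit by digit.

    mu_digit(i) returns the i-th base-`base` digit of mu (i = 1, 2, ...);
    digits of r are generated online, only as needed. Returns -1 if r < mu
    and +1 if r > mu; equality would require agreement on infinitely many
    digits and occurs with probability zero."""
    i = 1
    while True:
        r_i = rng.randrange(base)  # next digit of r, generated on demand
        m_i = mu_digit(i)
        if r_i != m_i:
            return -1 if r_i < m_i else 1
        i += 1
```

On average only a few digits are consumed, since each comparison terminates as soon as two digits differ.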
Finally, if each random deviate in [0, 1) used in Algorithm 3 is handled in the form of \(u=(j-sr)/\sigma \), then Algorithm 3 allows \(\mu \) to be a real number of arbitrary precision, and we can implement it without floating-point arithmetic.
4 Applying the Convolution-Like Property
In this section, we try to extend Algorithm 2 to the case of discrete Gaussian distributions with arbitrary parameters (including \(\sigma \) and \(\mu \)) by using the convolution-like property of discrete Gaussian distributions.
Informally, for a Gaussian distribution with a relatively large standard deviation \(\sigma \), we compute two samples \(x_1\) and \(x_2\) with smaller variances \(\sigma _1^2\) and \(\sigma _2^2\). We hope that their combination \(x_1+c\cdot x_2\) with a constant c is Gaussian with variance \(\sigma _1^2+c^2\sigma _2^2\). Although this is not generally the case for discrete Gaussian distributions, Peikert showed that the distribution of \(x_1+c\cdot x_2\) is statistically close to a discrete Gaussian distribution with variance \(\sigma _1^2+c^2\sigma _2^2\) under certain conditions with respect to the smoothing parameter of lattices [24]. Peikert called this observation the convolution-like property of discrete Gaussian distributions.
Definition 1
(a special case of [21], Definition 3.1). Let \(\epsilon >0\) be a positive real. The smoothing parameter of lattice \(\mathbb {Z}\), denoted by \(\eta _\epsilon (\mathbb {Z})\), is defined to be the smallest real s such that \(\rho _{1/s}(\mathbb {Z}\setminus \{0\})\le \epsilon \).
Lemma 1
(Adapted from Lemma 3.3 [21]). For any real \(\epsilon >0\), the smoothing parameter of lattice \(\mathbb {Z}\) satisfies \(\eta _\epsilon (\mathbb {Z})\le \sqrt{\ln (2(1+1/\epsilon ))/2}/\pi \) (see Footnote 2).
Here, we apply the conclusion of Micciancio and Walter in [22] about the convolution-like property, since it deals with non-centered discrete Gaussians over the integers \(\mathbb {Z}\) and uses a more cryptographically efficient measure of closeness between probability distributions, the max-log distance.
Definition 2
[22]. The max-log distance between two distributions \(\mathcal {P}\) and \(\mathcal {Q}\) over the same support S is \(\varDelta _\mathrm {ML}(\mathcal {P},\mathcal {Q})=\max _{x\in S}|\ln \mathcal {P}(x)-\ln \mathcal {Q}(x)|\).
Lemma 2
(Corollary 4.2 in [22]). Let \(\sigma _1, \sigma _2>0\), \(\sigma ^2=\sigma _1^2+\sigma _2^2\) and \(\sigma _3^{-2}=\sigma _1^{-2}+\sigma _2^{-2}\). Let \(\varLambda =h\cdot \mathbb {Z}\) be a copy of the integer lattice \(\mathbb {Z}\) scaled by a constant h. For any \(\mu _1\) and \(\mu _2\in \mathbb {R}\), we denote by \(\tilde{\mathcal {D}}_{\mu _1+\mathbb {Z},\sigma }\) the distribution of \(x_1=x_2+\tilde{\mathcal {D}}_{\mu _1-x_2+\mathbb {Z},\sigma _1}\) with \(x_2\leftarrow \tilde{\mathcal {D}}_{\mu _2+\varLambda ,\sigma _2}\).
If \(\sigma _1\ge \eta _\epsilon (\mathbb {Z})\), \(\sigma _3\ge \eta _\epsilon (\varLambda )=h\cdot \eta _\epsilon (\mathbb {Z})\), \(\varDelta _\mathrm {ML}(\mathcal {D}_{\mu _2+\varLambda ,\sigma _2},\tilde{\mathcal {D}}_{\mu _2+\varLambda ,\sigma _2})\le \epsilon _2\) and \(\varDelta _\mathrm {ML}(\mathcal {D}_{\mu +\mathbb {Z},\sigma _1},\tilde{\mathcal {D}}_{\mu +\mathbb {Z},\sigma _1})\le \epsilon _1\) for any \(\mu \in \mathbb {R}\), then
where \(\epsilon _1\) and \(\epsilon _2\) are positive real numbers.
Definition 3
(Randomized rounding operator \(\lfloor \cdot \rceil _\lambda \) [22]). For \(\mu \in [0,1)\) and a positive integer \(\lambda \), the randomized rounding operator \(\lfloor \mu \rceil _\lambda \) is defined by \(\lfloor \mu \rceil _\lambda =\frac{\lfloor 2^\lambda \mu \rfloor +B_\alpha }{2^\lambda }\) with a Bernoulli random variable \(B_\alpha \) of parameter \(\alpha =2^\lambda \mu -\lfloor 2^\lambda \mu \rfloor \). In particular, if \(\mu >1\) then \(\lfloor \mu \rceil _\lambda =\lfloor \mu \rfloor +\lfloor \{\mu \}\rceil _\lambda \), where \(\lfloor \mu \rfloor \) and \(\{\mu \}\) are the integer part and the fractional part of \(\mu \), respectively.
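Definition 3 can be sketched as follows (floating-point, for illustration only; the rounding keeps the result a multiple of \(2^{-\lambda }\) while preserving the expectation \(\mu \)):

```python
import math
import random

def randomized_round(mu, lam, rng):
    """Randomized rounding floor(mu)_lambda as in Definition 3: round mu
    to a multiple of 2^(-lambda); for mu >= 1 the integer part is kept
    and only the fractional part is rounded."""
    int_part = math.floor(mu)
    frac = mu - int_part
    scaled = frac * (2 ** lam)
    alpha = scaled - math.floor(scaled)   # Bernoulli parameter alpha
    b = 1 if rng.random() < alpha else 0  # the Bernoulli variable B_alpha
    return int_part + (math.floor(scaled) + b) / (2 ** lam)
```

When \(\mu \) is already a multiple of \(2^{-\lambda }\), \(\alpha =0\) and the rounding is deterministic.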
Lemma 3
(Adapted from Lemma 5.3 in [22]). Let \(\lambda >\log _2{4\pi }\) be a positive integer and \(b=2^\lambda \). If \(\sigma \ge \eta _\epsilon (\mathbb {Z})\), then \(\varDelta _\mathrm {ML}(\mathcal {D}_{\mathbb {Z},\sigma ,\lfloor \mu \rceil _\lambda },\mathcal {D}_{\mathbb {Z},\sigma ,\mu })\le (\pi /b)^2+2\epsilon ,\) where \(\lfloor \cdot \rceil _\lambda \) is the randomized rounding operator as defined above.
Combining our proposed exact algorithm (Algorithm 2), and applying the convolution-like property, namely Lemma 2, we give Algorithm 5.
Theorem 2 gives the correctness of Algorithm 5 and estimates the (theoretical) max-log distance between the distribution \(\tilde{\mathcal {D}}_{\mathbb {Z},\sigma , \mu }\) produced by Algorithm 5 and the ideal distribution \(\mathcal {D}_{\mathbb {Z},\sigma , \mu }\). The equation \(\mathcal {D}_{\mu +\mathbb {Z},\sigma }=\mu +\mathcal {D}_{\mathbb {Z},\sigma ,-\mu }\) for any \(\sigma >0\) and \(\mu \in \mathbb {R}\) will be repeatedly used in the proof.
Theorem 2
Let \(\lambda >\log _2{4\pi }\) be a positive integer and \(b=2^\lambda \). Denote by \(\tilde{\mathcal {D}}_{\mathbb {Z},\sigma , \mu }\) the probability distribution of the integers output by Algorithm 5. If \(\lfloor \sigma \rfloor >\eta _\epsilon (\mathbb {Z})\) and \(\eta _\epsilon (\mathbb {Z})\) is taken to be a rational number, then we have \(\varDelta _\mathrm {ML}(\mathcal {D}_{\mathbb {Z},\sigma ,\mu },\tilde{\mathcal {D}}_{\mathbb {Z},\sigma ,\mu })\le (\pi /b)^2+6\epsilon \) by using Algorithm 1 in step 1 and Algorithm 2 in step 4.
Proof
Let \(\sigma _1=\lfloor \sigma \rfloor \) and \(\sigma _2=2h\eta _\epsilon (\mathbb {Z})\). Then, we have \(\sigma ^2=\sigma _1^2+\sigma _2^2\) and
This is due to the fact that \(\sigma _1/\sigma =\lfloor \sigma \rfloor /\sigma \ge 1/2\) for \(\sigma >1\). With the notation of Lemma 2, taking \(\mu _1=-\mu \), \(\mu _2=0\), \(\varLambda =h\mathbb {Z}\), \(x_2=hx\) and \(x_1\leftarrow x_2+\tilde{\mathcal {D}}_{\mu _1-x_2+\mathbb {Z},\sigma _1}\), we have \(x_2=hx\leftarrow \tilde{\mathcal {D}}_{\mu _2+\varLambda ,\sigma _2}=\tilde{\mathcal {D}}_{h\mathbb {Z},h(2\eta _\epsilon (\mathbb {Z}))}=h\cdot \tilde{\mathcal {D}}_{\mathbb {Z},2\eta _\epsilon (\mathbb {Z})}\) and
Since \(\eta _\epsilon (\mathbb {Z})\) is a rational number, in Algorithm 5, \(\tilde{\mathcal {D}}_{\mathbb {Z},2\eta _\epsilon (\mathbb {Z})}\) can be exactly sampled (without any statistical discrepancy) via Algorithm 1, which implies that
In contrast, \(\tilde{\mathcal {D}}_{\mathbb {Z},\lfloor \sigma \rfloor ,\mu +hx}\) can only be realized by sampling from \(\mathcal {D}_{\mathbb {Z},\lfloor \sigma \rfloor ,\lfloor \mu +hx\rceil _\lambda }\), with max-log distance \(\varDelta _\mathrm {ML}\le (\pi /b)^2+2\epsilon \). Applying Lemma 2, we obtain that
where ‘\(\approx \)’ means that \(\varDelta _\mathrm {ML}(hx+\mathcal {D}_{-\mu -hx+\mathbb {Z},\lfloor \sigma \rfloor },\mathcal {D}_{-\mu +\mathbb {Z},\sigma })\) is not more than
This completes the proof. \(\square \)
The distribution produced by Algorithm 5 has a smaller max-log distance to the ideal distribution than the one produced by the Micciancio-Walter sampling algorithm, since both step 1 and step 4 can be implemented exactly and introduce no statistical discrepancy. In contrast, the two corresponding steps in the Micciancio-Walter algorithm are approximate ones (see Sect. 5 in [22]), and the statistical discrepancy they produce must be counted in the total statistical discrepancy.
For instance, we take \(\epsilon =2^{-112}\) and \(\eta _\epsilon (\mathbb {Z})=2\), since \(\sqrt{\ln (2(1+1/\epsilon ))/2}/\pi \le 2\) when \(\epsilon =2^{-112}\). We take \(\lambda =30\) and \(b=2^{30}\), which results in \((\pi /b)^2\le 2^{-56}\). Then, we have \(\varDelta _\mathrm {ML}(\mathcal {D}_{\mathbb {Z},\sigma , \mu },\tilde{\mathcal {D}}_{\mathbb {Z},\sigma , \mu })\le 2^{-56}+6\cdot 2^{-112}\). The practical max-log distance should also include the statistical discrepancy due to the floating-point operations in step 2; one can follow the argument at the end of Sect. 5.3 in [22].
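These parameter choices can be checked numerically (an illustrative verification of ours, not part of the original text):

```python
import math

eps = 2.0 ** -112
# Lemma 1 bound on the smoothing parameter of Z:
eta_bound = math.sqrt(math.log(2 * (1 + 1 / eps)) / 2) / math.pi
assert eta_bound <= 2  # so taking eta_eps(Z) = 2 is a valid choice

lam = 30
b = 2 ** lam
assert (math.pi / b) ** 2 <= 2.0 ** -56  # the (pi/b)^2 term in the bound

# Total max-log distance bound quoted in the text:
total = 2.0 ** -56 + 6 * 2.0 ** -112
print(f"max-log distance bound: {total:.3e}")
```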
Moreover, the first step in Micciancio-Walter algorithm requires sampling from a centered discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma _\mathrm {max}}\) with a possible varying parameter \(\sigma _\mathrm {max}\), which should be determined before sampling according to the desired distribution. In Algorithm 5, however, step 1 is just to sample from a centered discrete Gaussian distribution with a fixed parameter \(2\eta _\epsilon (\mathbb {Z})=4\). This means that Algorithm 5 has a simpler form than Micciancio-Walter algorithm.
5 Experimental Results
Karney’s sampling algorithm for discrete Gaussian distributions over the integers \(\mathbb {Z}\) can be realized by using C++ library ‘RandomLib’Footnote 3, in which the source code of his algorithm is encapsulated as a .hpp file named “DiscreteNormal.hpp”. “RandomLib” also supports the generation and some basic operations of random numbers of arbitrary precision.
On a laptop computer (Intel i7-6820HQ, 8 GB RAM), using the g++ compiler with the -O3 optimization option enabled, we tested our Algorithm 2. The source code was based on an adaptation of ‘DiscreteNormal.hpp’ as well as the runtime environment provided by ‘RandomLib’. For the discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with \(\sigma \) from 4 to \(2^{20}\) and \(\mu \) taken uniformly from [0, 1) at a precision of 128 bits, combining Algorithms 3 and 4, one could get about \(5.0\times 10^6\) samples per second by using Algorithm 2. It has almost the same performance as Karney’s algorithm.
We also tested the performance of the Micciancio-Walter algorithm with the same parameters; it produced about \(1.3\times 10^6\) samples per second. We implemented its base sampler with the CDT-based method, which requires some extra memory, and took \(\lambda =8\) and \(b=16\). This guarantees that the max-log distance to the ideal distribution is at most \(2^{-52}\).
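The extra memory of a CDT-based base sampler comes from its precomputed cumulative distribution table. The following is a minimal generic sketch of the CDT method, with an assumed tail cut `tail`; it is not the authors' exact implementation, which works at a fixed precision determined by \(\lambda \) and \(b\).

```python
import math
import random
from bisect import bisect_left

def build_cdt(sigma, tail=12):
    """Precompute the cumulative distribution table of D_{Z,sigma}
    on the truncated support [-tail*sigma, tail*sigma]."""
    bound = tail * sigma
    support = list(range(-bound, bound + 1))
    weights = [math.exp(-x * x / (2.0 * sigma * sigma)) for x in support]
    total = sum(weights)
    cdf, acc = [], 0.0
    for w in weights:
        acc += w
        cdf.append(acc / total)
    return support, cdf

def cdt_sample(support, cdf, rng=random):
    """Draw one sample by inverting the CDF: binary search for the first
    table entry that is at least a uniform u in [0, 1)."""
    return support[bisect_left(cdf, rng.random())]
```

Each sample costs one uniform draw and a binary search, but the table size grows linearly with \(\sigma \) and the tail cut, which is the memory trade-off mentioned above.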
We note that the Micciancio-Walter algorithm has a constant execution time for given parameters, provided its base sampler is a constant-time algorithm. In contrast, neither our Algorithm 2 nor Algorithm 5 is constant-time, and turning them into constant-time algorithms seems inherently costly, since Algorithm 2 probabilistically rejects candidate samples. An open question is therefore how to make Algorithm 2 constant-time and protect it against side-channel attacks [4, 8].
6 Conclusion
For an integer-valued parameter \(\sigma \), there exists an exact sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\). It requires no precomputation storage, uses no floating-point arithmetic, supports a varying \(\mu \) of arbitrary precision, and has no statistical discrepancy. Applying the convolution-like property of discrete Gaussian distributions, it can be further extended to an approximate sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with a real-valued parameter \(\sigma \). The extended algorithm also supports centers of arbitrary precision, and it produces a distribution with a smaller max-log distance to the ideal distribution than the Micciancio-Walter sampling algorithm.
Notes
- 1.
- 2.
It allows one to decrease the smoothing condition by a factor of \(\sqrt{2\pi }\), since the Gaussian function is defined as \(\exp (-\frac{(x-\mu )^2}{2\sigma ^2})\) rather than \(\exp (-\pi \frac{(x-\mu )^2}{\sigma ^2})\).
- 3.
‘RandomLib’ is available at http://randomlib.sourceforge.net/.
References
Aguilar-Melchor, C., Albrecht, M.R., Ricosset, T.: Sampling from arbitrary centered discrete Gaussians for lattice-based cryptography. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 3–19. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_1
Bai, S., Lepoint, T., Roux-Langlois, A., Sakzad, A., Stehlé, D., Steinfeld, R.: Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance. J. Cryptol. 31(2), 610–640 (2018)
Barthe, G., Belaïd, S., Espitau, T., Fouque, P., Rossi, M., Tibouchi, M.: GALACTICS: Gaussian sampling for lattice-based constant-time implementation of cryptographic signatures, revisited. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) Proceedings of the 2019 ACM SIGSAC CCS, pp. 2147–2164. ACM, New York (2019)
Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53140-2_16
Devroye, L.: Non-Uniform Random Variate Generation. Springer, New York (1986)
Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_3
Dwarakanath, N.C., Galbraith, S.D.: Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Appl. Algebra Eng. Commun. Comput. 25(3), 159–180 (2014)
Espitau, T., Fouque, P.A., Gérard, B., Tibouchi, M.: Side-channel attacks on BLISS lattice-based signatures: exploiting branch tracing against strongSwan and electromagnetic emanations in microcontrollers. In: Thuraisingham, B., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC CCS, pp. 1857–1874. ACM, New York (2017)
Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 174–203. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_7
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R., Dwork, C. (eds.) Proceedings of the 2008 ACM SIGACT STOC, pp. 197–206. ACM, New York (2008)
Howe, J., Khalid, A., Rafferty, C., Regazzoni, F., O’Neill, M.: On practical discrete Gaussian samplers for lattice-based cryptography. IEEE Trans. Comput. 67(3), 322–334 (2018)
Howe, J., Prest, T., Ricosset, T., Rossi, M.: Isochronous Gaussian sampling: from inception to implementation. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 53–71. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_4
Hülsing, A., Lange, T., Smeets, K.: Rounded Gaussians. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10770, pp. 728–757. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76581-5_25
Karmakar, A., Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Constant-time discrete Gaussian sampling. IEEE Trans. Comput. 67(11), 1561–1571 (2018)
Karmakar, A., Roy, S.S., Vercauteren, F., Verbauwhede, I.: Pushing the speed limit of constant-time discrete Gaussian sampling. A case study on the falcon signature scheme. In: Aitken, R. (ed.) Proceedings of the 56th DAC, pp. 1–6. ACM, New York (2019)
Karney, C.F.: Sampling exactly from the normal distribution. ACM Trans. Math. Softw. 42(1), 3:1–3:14 (2016)
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013)
Lyubashevsky, V., Prest, T.: Quadratic time, linear space algorithms for Gram-Schmidt orthogonalization and Gaussian sampling in structured lattices. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 789–815. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_30
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 455–485. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_16
Naehrig, M., et al.: FrodoKEM: learning with errors key encapsulation. https://frodokem.org/files/FrodoKEM-specification-20171130.pdf. Accessed 28 Feb 2020
Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_20
Prest, T.: Sharper bounds in lattice-based cryptography using the Rényi divergence. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 347–374. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_13
Prest, T., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU. https://falcon-sign.info/. Accessed 20 Feb 2020
Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: High precision discrete Gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43414-7_19
Saarinen, M.J.O.: Arithmetic coding and blinding countermeasures for lattice signatures. J. Cryptogr. Eng. 8, 71–84 (2018)
Walter, M.: Sampling the integers with low relative error. In: Buchmann, J., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2019. LNCS, vol. 11627, pp. 157–180. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-23696-0_9
Zhao, R.K., Steinfeld, R., Sakzad, A.: COSAC: COmpact and Scalable Arbitrary-Centered discrete Gaussian sampling over integers. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 284–303. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_16
Zhao, R.K., Steinfeld, R., Sakzad, A.: FACCT: fast, compact, and constant-time discrete Gaussian sampler over integers. IEEE Trans. Comput. 69(1), 126–137 (2020)
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Du, Y., Fan, B., Wei, B. (2020). Arbitrary-Centered Discrete Gaussian Sampling over the Integers. In: Liu, J., Cui, H. (eds.) Information Security and Privacy. ACISP 2020. Lecture Notes in Computer Science, vol. 12248. Springer, Cham. https://doi.org/10.1007/978-3-030-55304-3_20
Print ISBN: 978-3-030-55303-6
Online ISBN: 978-3-030-55304-3