CDT-Based Gaussian Sampling: From Multi to Double Precision

The Rényi divergence is a measure of closeness of two probability distributions which has found several applications over the last years as an alternative to the statistical distance in lattice-based cryptography. A tight bound has recently been presented for the Rényi divergence of distributions that have a bounded relative error. We show that it can be used to bound the precision requirement in Gaussian sampling to the IEEE 754 floating-point standard double precision for usual lattice-based signature parameters by using a modified cumulative distribution table (CDT), which reduces the memory needed by CDT-based algorithms and, makes their constant-time implementation faster and simpler. Then, we apply this approach to a variable-center variant of the CDT algorithm which occasionally requires the online computation of the cumulative distribution function. As a result, the amount of costly floating-point operations is drastically decreased, which makes the constant-time and cache-resistant variants of this algorithm viable and efficient. Finally, we provide some experimental results indicating that comparing to rejection sampling our approach increases the GPV signature rate by a factor 4 to 8 depending on the security parameter.

[1]  Vadim Lyubashevsky,et al.  Lattice-Based Identification Schemes Secure Under Active Attacks , 2008, Public Key Cryptography.

[2]  Daniele Micciancio Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions , 2007, computational complexity.

[3]  Tim Güneysu,et al.  Enhanced Lattice-Based Signatures on Reconfigurable Hardware , 2014, CHES.

[4]  J. Neumann The General and Logical Theory of Au-tomata , 1963 .

[5]  Peter Harremoës,et al.  Rényi Divergence and Kullback-Leibler Divergence , 2012, IEEE Transactions on Information Theory.

[6]  Chris Peikert,et al.  A Decade of Lattice Cryptography , 2016, Found. Trends Theor. Comput. Sci..

[7]  L. Devroye Non-Uniform Random Variate Generation , 1986 .

[8]  Oded Goldreich,et al.  Public-Key Cryptosystems from Lattice Reduction Problems , 1996, CRYPTO.

[9]  Martin R. Albrecht,et al.  Sampling from Arbitrary Centered Discrete Gaussians for Lattice-Based Cryptography , 2017, ACNS.

[10]  Charles F. F. Karney Sampling Exactly from the Normal Distribution , 2013, ACM Trans. Math. Softw..

[11]  Vincent Lefèvre,et al.  MPFR: A multiple-precision binary floating-point library with correct rounding , 2007, TOMS.

[12]  Robert W. Powell,et al.  The Whole is Less Than the Sum of Its Parts. , 1974 .

[13]  Markku-Juhani O. Saarinen Arithmetic coding and blinding countermeasures for lattice signatures , 2018, Journal of Cryptographic Engineering.

[14]  László Babai,et al.  On Lovász' Lattice Reduction and the Nearest Lattice Point Problem (Shortened Version) , 1985, STACS.

[15]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[16]  Ron Steinfeld,et al.  Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather Than the Statistical Distance , 2015, ASIACRYPT.

[17]  Vadim Lyubashevsky,et al.  Lattice Signatures Without Trapdoors , 2012, IACR Cryptol. ePrint Arch..

[18]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[19]  Ron Steinfeld,et al.  Improved Security Proofs in Lattice-Based Cryptography: Using the Rényi Divergence Rather than the Statistical Distance , 2015, Journal of Cryptology.

[20]  Daniel J. Bernstein,et al.  The Salsa20 Family of Stream Ciphers , 2008, The eSTREAM Finalists.

[21]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2009, JACM.

[22]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[23]  Frederik Vercauteren,et al.  Efficient software implementation of ring-LWE encryption , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[24]  Vadim Lyubashevsky,et al.  Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures , 2009, ASIACRYPT.

[25]  Léo Ducas,et al.  Efficient Identity-Based Encryption over NTRU Lattices , 2014, ASIACRYPT.

[26]  Daniele Micciancio,et al.  Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time , 2017, CRYPTO.

[27]  Tanja Lange,et al.  Flush, Gauss, and reload : a cache attack on the BLISS lattice-based signature scheme , 2016 .

[28]  Daniele Micciancio,et al.  Asymptotically Efficient Lattice-Based Digital Signatures , 2018, Journal of Cryptology.

[29]  Andrew Chi-Chih Yao,et al.  The complexity of nonuniform random number generation , 1976 .

[30]  Jonathan Katz,et al.  Revisiting Square-Root ORAM: Efficient Random Access in Multi-party Computation , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[31]  A. J. Walker New fast method for generating discrete random numbers with arbitrary frequency distributions , 1974 .

[32]  Léo Ducas,et al.  Faster Gaussian Lattice Sampling Using Lazy Floating-Point Arithmetic , 2012, ASIACRYPT.

[33]  Johannes A. Buchmann,et al.  Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers , 2013, IACR Cryptol. ePrint Arch..

[34]  Chris Peikert,et al.  An Efficient and Parallel Gaussian Sampler for Lattices , 2010, CRYPTO.

[35]  George Marsaglia,et al.  A Fast, Easily Implemented Method for Sampling from Decreasing or Symmetric Unimodal Density Functions , 1984 .

[36]  Eike Kiltz,et al.  A Concrete Treatment of Fiat-Shamir Signatures in the Quantum Random-Oracle Model , 2018, IACR Cryptol. ePrint Arch..

[37]  Mark Zhandry,et al.  Random Oracles in a Quantum World , 2010, ASIACRYPT.

[38]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[39]  Dominique Unruh,et al.  Post-quantum Security of Fiat-Shamir , 2017, ASIACRYPT.

[40]  Joseph H. Silverman,et al.  NTRU: A Ring-Based Public Key Cryptosystem , 1998, ANTS.

[41]  Philip N. Klein,et al.  Finding the closest lattice vector when it's unusually close , 2000, SODA '00.

[42]  Miklós Ajtai,et al.  Generating hard instances of lattice problems (extended abstract) , 1996, STOC '96.

[43]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[44]  Steven D. Galbraith,et al.  Sampling from discrete Gaussians for lattice-based cryptography on a constrained device , 2014, Applicable Algebra in Engineering, Communication and Computing.

[45]  Thomas Prest,et al.  Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence , 2017, ASIACRYPT.