High-performance software implementation of discrete Gaussian sampling for lattice-based cryptography

Lattice-based cryptography is an important candidate for post-quantum cryptography. Many lattice-based cryptosystems need to sample vectors from discrete Gaussian distributions. This paper presents a high-performance, high-precision software implementation of a discrete Gaussian sampler based on the inverse cumulative distribution function. We exploit multi-level fast lookup tables to speed up the sampler and reduce the number of random bits it requires, and we apply multithreading to speed it up further. Experimental results on an Intel Core i7-4771 processor show that our sampler costs on average 6.48 random bits per Gaussian sample and that the throughput of our implementation is as high as 265.322 Mega samples per second.
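To make the abstract's two ideas concrete (inverse-CDF sampling from a fixed-point cumulative table, and multi-level lookup tables that resolve most samples from a few leading random bits), here is an added example. It is my own reconstruction of the technique, not the paper's implementation: the table layout, the choice of 64 fractional bits, the tail cut at 12 sigma, the level widths (8, 8) and sigma = 3.2 are all assumptions made for illustration.

```python
import bisect
import random
import secrets
from decimal import Decimal, getcontext, ROUND_CEILING

getcontext().prec = 50  # enough digits to round 64-bit fixed-point entries correctly


def build_cdt(sigma, precision_bits=64, tail_cut=12):
    """Cumulative distribution table (CDT) of the discrete Gaussian D_{Z,sigma},
    truncated to |x| <= ceil(tail_cut * sigma), stored as fixed-point integers:
    cdt[i] ~= P(X <= support[i]) * 2**precision_bits.  Assumed parameters, not the paper's."""
    sigma = Decimal(str(sigma))
    tail = int((tail_cut * sigma).to_integral_value(rounding=ROUND_CEILING))
    support = list(range(-tail, tail + 1))
    weights = [(-(Decimal(x) ** 2) / (2 * sigma * sigma)).exp() for x in support]
    total = sum(weights)
    scale = Decimal(1 << precision_bits)
    cdt, acc = [], Decimal(0)
    for w in weights:
        acc += w
        cdt.append(int((acc / total * scale).to_integral_value()))
    cdt[-1] = 1 << precision_bits  # force exact 1.0 so every u < 2**precision_bits hits an index
    return support, cdt


class MultiLevelCDTSampler:
    """Inverse-CDF sampler whose level j table is indexed by the first k_1+...+k_j random bits.
    An entry is either the sample value (already determined by those bits) or the narrowed
    CDT index range [lo, hi) still in play.  Only unresolved prefixes get entries at the
    next level, so the tables stay small.  Multi-level layout is a reconstruction, not the paper's."""

    def __init__(self, sigma, level_bits=(8, 8), precision_bits=64):
        self.support, self.cdt = build_cdt(sigma, precision_bits)
        self.precision_bits = precision_bits
        self.level_bits = level_bits
        self.levels = []  # one dict per level: prefix -> ("value", x) | ("range", lo, hi)
        pending = {0: (0, len(self.cdt))}  # prefixes carried into the next level
        depth = 0
        for k in level_bits:
            depth += k
            shift = precision_bits - depth
            table, next_pending = {}, {}
            for prefix, (lo, hi) in pending.items():
                for low_bits in range(1 << k):
                    p = (prefix << k) | low_bits
                    u_lo, u_hi = p << shift, ((p + 1) << shift) - 1  # all u sharing prefix p
                    first = bisect.bisect_right(self.cdt, u_lo, lo, hi)
                    last = bisect.bisect_right(self.cdt, u_hi, first, hi)
                    if first == last:  # every u with this prefix maps to one support point
                        table[p] = ("value", self.support[first])
                    else:
                        table[p] = ("range", first, last + 1)
                        next_pending[p] = (first, last + 1)
            self.levels.append(table)
            pending = next_pending

    def sample(self, randbits=secrets.randbits):
        """Return (sample, number of random bits consumed)."""
        prefix, consumed = 0, 0
        lo, hi = 0, len(self.cdt)
        for k, table in zip(self.level_bits, self.levels):
            prefix = (prefix << k) | randbits(k)
            consumed += k
            entry = table[prefix]
            if entry[0] == "value":
                return entry[1], consumed
            lo, hi = entry[1], entry[2]
        # rare fall-through: spend the remaining bits and finish with a search in [lo, hi)
        rem = self.precision_bits - consumed
        u = (prefix << rem) | (randbits(rem) if rem > 0 else 0)
        return self.support[bisect.bisect_right(self.cdt, u, lo, hi)], self.precision_bits


def empirical_stats(sampler, n=20000, seed=1234):
    """Mean, variance and average random-bit cost over n samples drawn from a seeded
    (non-cryptographic) generator so the figures are reproducible; use secrets in production."""
    rng = random.Random(seed)
    values, bits = [], 0
    for _ in range(n):
        x, used = sampler.sample(rng.getrandbits)
        values.append(x)
        bits += used
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, var, bits / n


if __name__ == "__main__":
    sampler = MultiLevelCDTSampler(3.2)
    print("level sizes:", [len(t) for t in sampler.levels])
    print("mean, variance, avg bits:", empirical_stats(sampler))
```

The bit saving comes from the first level: a prefix whose whole interval of u-values lies strictly inside one CDT step is resolved after 8 bits, and only the few prefixes that straddle a table boundary pay for more. Two caveats for anyone deploying such a sampler: the early exit makes running time and random-bit consumption depend on the sampled value, which is observable through timing, so a signature implementation needs a constant-time table scan instead; and the float-free Decimal construction matters because a CDT built with double precision cannot honestly claim more than about 53 bits of accuracy.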
