### Citations

99 | The complexity of nonuniform random number generation. Algorithms and complexity
- Knuth, Yao
- 1976
Citation Context ...random sampling is a classic problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Dist...

90 | The ziggurat method for generating random variables
- Marsaglia, Tsang
Citation Context ...problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Distinguishing Distributions When determi...

46 | An efficient and parallel Gaussian sampler for lattices.
- Peikert
- 2010
Citation Context ...n non-uniform continuous random sampling is a classic problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic...

44 | Lattice Signatures without Trapdoors
- Lyubashevsky
- 2012
Citation Context ...e sampling procedure represents the biggest performance bottleneck due to its memory or computational requirements. This is especially the case for embedded or lightweight targets such as smart cards [1, 2, 3, 4, 5]. Structure of this paper and our contributions. In Sections 2 and 3 we discuss the discrete Gaussian distribution, sampling, and precision. In Section 4 we argue that the common requirements for prec...

34 | A fast, easily implemented method for sampling from decreasing or symmetric unimodal density functions
- Marsaglia, Tsang
- 1984
Citation Context ...problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Distinguishing Distributions When determi...

24 | Gaussian random number generators
- Thomas, Luk, et al.
Citation Context ...pling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Distinguishing Distributions When determining the appropriate sampling precision , we are led to ask “What is the minimum statistical distance or precision that can be detected by an adversary...

23 | Lattice signatures and bimodal Gaussians.
- DUCAS, DURMUS, et al.
- 2013
Citation Context ...e sampling procedure represents the biggest performance bottleneck due to its memory or computational requirements. This is especially the case for embedded or lightweight targets such as smart cards [1, 2, 3, 4, 5]. Structure of this paper and our contributions. In Sections 2 and 3 we discuss the discrete Gaussian distribution, sampling, and precision. In Section 4 we argue that the common requirements for prec...

16 | Post-quantum key exchange for the TLS protocol from the ring learning with errors problem.
- BOS, COSTELLO, et al.
- 2015
Citation Context ...stribution being sampled and the theoretical distribution (as used in the security proof) is negligible, say around 2^-90 to 2^-128. This is also the precision typically now being implemented (See e.g. [7, 8, 9, 10]). In this paper we set out to show that such precision is essentially unnecessary since no algorithm will be able to detect the difference from the non-tail portion of samples; only about half of thi...

15 | Enhanced lattice-based signatures on reconfigurable hardware.
- PÖPPELMANN, DUCAS, et al.
- 2014
Citation Context ...stribution being sampled and the theoretical distribution (as used in the security proof) is negligible, say around 2^-90 to 2^-128. This is also the precision typically now being implemented (See e.g. [7, 8, 9, 10]). In this paper we set out to show that such precision is essentially unnecessary since no algorithm will be able to detect the difference from the non-tail portion of samples; only about half of thi...

14 | Sampling from Discrete Gaussians for Lattice-based Cryptography on a Constrained Device, Applicable Algebra
- Dwarakanath, Galbraith
- 2014
Citation Context ... wheres is the tail cutting bound. Required distance. It has been widely assumed that for cryptographic applications the sampling distance should be roughly the inverse of the security parameter [6]: It is necessary for the rigorous security analysis that the statistical difference between the actual distribution being sampled and the theoretical distribution (as used in the security proof) is n...

8 | An automatic inequality prover and instance optimal identity testing.
- Valiant, Valiant
- 2014
Citation Context ...stribution with reasonable effort, there should not be any reason not to use it. Tight bounds for distribution identity testing. We quote the following definitions and a recent result (Theorem 1 from [21, 22]) which offers very tight asymptotic bounds for the sample complexity of distribution identity testing: Definition 1. For a distribution P , let Pmax denote the vector of probabilities obtained by re...

7 | High Precision Discrete Gaussian Sampling on FPGAs
- Roy, Vercauteren, et al.
- 2014
Citation Context ...e sampling procedure represents the biggest performance bottleneck due to its memory or computational requirements. This is especially the case for embedded or lightweight targets such as smart cards [1, 2, 3, 4, 5]. Structure of this paper and our contributions. In Sections 2 and 3 we discuss the discrete Gaussian distribution, sampling, and precision. In Section 4 we argue that the common requirements for prec...

6 | Discrete ziggurat: A time-memory trade-off for sampling from a Gaussian distribution over the integers
- Buchmann, Cabarcas, et al.
- 2013

6 | Efficient software implementation of Ring-LWE encryption
- Clercq, Roy, et al.
Citation Context ...stribution being sampled and the theoretical distribution (as used in the security proof) is negligible, say around 2^-90 to 2^-128. This is also the precision typically now being implemented (See e.g. [7, 8, 9, 10]). In this paper we set out to show that such precision is essentially unnecessary since no algorithm will be able to detect the difference from the non-tail portion of samples; only about half of thi...

6 | Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance, IACR Cryptology ePrint Archive: Report 2015/483, to appear at Asiacrypt
- Bai, Langlois, et al.
- 2015
Citation Context ...les; only about half of this precision is actually required in almost all cases. Other metrics and related work. Recently, proofs of some Lattice based schemes have been reworked using Rényi distance [11, 12] to require less precision in implementations. Furthermore, Pöppelmann, Ducas, and Güneysu used the Kullback-Leibler divergence to reduce storage requirements in a hardware sampler implementation [10]...

6 | Accuracy in random number generation
- Monahan
- 1985
Citation Context ...utting” probability). This approach is widely used in real-life implementations [7, 10]. Other Gaussian Sampling Algorithms. High precision non-uniform continuous random sampling is a classic problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, ...

5 | Beyond ECDSA and RSA: Lattice-based Digital Signatures on Constrained Devices
- Oder, Pöppelmann, et al.

3 | Efficient Ring-LWE encryption on 8-bit AVR processors.
- LIU, SEO, et al.
- 2015

3 | Sampling exactly from the normal distribution. arXiv preprint arXiv:1303.6257
- Karney
- 2013
Citation Context ...f the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Distinguishing Distributions When determining the appropriate sampli...

2 | Hardware-optimized ziggurat algorithm for high-speed gaussian random number generators, in
- Edrees, Cheung, et al.
Citation Context ...problem [13]. Many of the algorithms of the continuous case also apply to discrete cryptographic applications. Methods such as Inversion Sampling [14], Knuth-Yao Sampling [6, 15], The Ziggurat Method [1, 16, 17, 18], Kahn-Karney Sampling [19], and “Bernoulli” sampling [2] have also been proposed for lattice cryptography. For more (non-cryptographic) methods, see [20]. 4. Distinguishing Distributions When determi...

2 | Instance-by-instance optimal identity testing
- Valiant, Valiant
Citation Context ...stribution with reasonable effort, there should not be any reason not to use it. Tight bounds for distribution identity testing. We quote the following definitions and a recent result (Theorem 1 from [21, 22]) which offers very tight asymptotic bounds for the sample complexity of distribution identity testing: Definition 1. For a distribution P , let Pmax denote the vector of probabilities obtained by re...

1 | Tighter security for efficient lattice cryptography via the Rényi divergence of optimized orders
- Takashima, Takayasu
- 2015
Citation Context ...les; only about half of this precision is actually required in almost all cases. Other metrics and related work. Recently, proofs of some Lattice based schemes have been reworked using Rényi distance [11, 12] to require less precision in implementations. Furthermore, Pöppelmann, Ducas, and Güneysu used the Kullback-Leibler divergence to reduce storage requirements in a hardware sampler implementation [10]...