
## Sampling from discrete Gaussians for lattice-based cryptography on a constrained device

Authors: Nagarjun C. Dwarakanath and Steven D. Galbraith
Venue: Appl. Algebra Eng. Commun. Comput.

Citations: 14 (0 self)

### Citations

1015 | Non-Uniform Random Variate Generation
- Devroye
- 1986
Citation Context ...uation (3). Solving $c^m \exp(m(1 - c^2)/2) < 1/2^k$ gives the result. 2.1. Sampling Methods. There are standard methods in statistical computing for sampling from such distributions. The book by Devroye [5] gives a thorough survey. Two basic methods are rejection sampling and the inversion method. Rejection sampling (Section II.3 of [5]) from a set $S$ involves sampling $x \in S$ from some easy distribution (...

361 | On Lattices, learning with errors, random linear codes, and cryptography
- Regev
- 2009
Citation Context ...se on constrained devices. 3.1. Learning with errors and encryption schemes. As a first example we recall the learning with errors problem (LWE) and the basic LWE encryption scheme, invented by Regev [23, 24]. Let $q, n \in \mathbb{N}$, where $q$ is an odd integer. We represent $\mathbb{Z}/q\mathbb{Z}$ using the set $\{-(q-1)/2, \ldots, (q-1)/2\}$. We represent the set $(\mathbb{Z}/q\mathbb{Z})^n$ using column vectors of length $n$ with entries in $\mathbb{Z}/q\mathbb{Z}$. The entr...

248 | Elementary Functions, Algorithms and Implementation
- Muller
- 1997
Citation Context ...ng power series or tables. This approach gives a tradeoff between running time and storage requirements. A related method, using the arithmetic-geometric mean, is presented in Section 5.5.3 of Muller [20]. To summarise, there are several methods in the literature to compute high-precision floating-point approximations to $\exp(x)$. All use either large precomputed tables or else a large number of floatin...

188 | Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert, et al.
- 2008
Citation Context ...s natural to study how practical these schemes might be on such devices. We briefly recall some of these proposals. 3.2.1. Gentry-Peikert-Vaikuntanathan Signatures. Gentry, Peikert and Vaikuntanathan [10] presented a signature scheme based on lattices. The scheme fits into the "hash-and-sign" paradigm. We do not give all the details, but the basic scheme is as follows. The public key consists of a mat...

99 | The complexity of nonuniform random number generation. Algorithms and complexity
- Knuth, Yao
- 1976
Citation Context ... remains good enough. If $\sigma$ is small then to sample from $D_{\sigma,c}$ one needs to compute a close approximation to the value $S_{\sigma,c}$, for example as $\sum_{x=-12\sigma}^{12\sigma} \rho_{\sigma,c}(x)$. 5. THE KNUTH-YAO ALGORITHM Knuth and Yao [13] developed an algorithm to sample from non-uniform distributions using as few uniform input bits as possible. In other words, the aim of the Knuth-Yao algorithm is to sample using a number of input bi...

71 | Better key sizes (and attacks) for LWE-based encryption
- Lindner, Peikert
- 2011
Citation Context ... matrix over $\mathbb{Z}_q$ with rows $a_i$, and $b$ is a length $m$ column vector with entries $b_i = a_i s + e \pmod q$ such that $e$ is sampled from the error distribution (with mean 0 and parameter $\sigma$). Lindner and Peikert [14] suggest $(n, m, q, \sigma) = (256, 640, 4093, 2.8)$. This value for $n$ is probably considered too small nowadays for most applications. To encrypt a message $x \in \{0, 1\}$ to a user one chooses a row vector $u^T \in$ ...

66 | Trapdoors for lattices
- Micciancio, Peikert
- 2012
Citation Context ...results is to be able to sample from a distribution whose statistical difference with the desired distribution is around $2^{-90}$ to $2^{-100}$. We take some parameters from Figure 2 of Micciancio and Peikert [19] (the parameters for GPV-signatures would be at least as bad as these, so our calculation will be a lower bound on the actual size of the table). They suggest $n = 13812$ and "$s = 418$" (which correspond...

46 | An efficient and parallel Gaussian sampler for lattices
- Peikert
- 2010
Citation Context ...e reasons, and others, we believe the signature scheme using this approach is completely impractical on constrained devices (or perhaps almost any device). 3.2.2. The improvements by Peikert. Peikert [22] has given an alternative method to address the closest vector problem. He proposes a variant of the Babai rounding algorithm, again choosing the integers from a discrete Gaussian distribution. One cr...

44 | Lattice Signatures without Trapdoors
- Lyubashevsky
- 2012
Citation Context ...$/(2\sigma^2))$ and $D_{L,\sigma,c}$ is the distribution on $L$ given by $\Pr(x) = \rho_{L,\sigma,c}(x)/\rho_{L,\sigma,c}(L)$. We write $D_{L,\sigma}$ for $D_{L,\sigma,0}$. We now mention some tail bounds for discrete Gaussians. Lemma 4.4(1) of the full version of [18] states that (2) $\Pr_{z \leftarrow D_\sigma}(|z| > 12\sigma) \le 2\exp(-12^2/2) < 2^{-100}$. For the lattice distribution, Lemma 4.4(3) of the full version of [18] states that if $v$ is sampled from $D_{\mathbb{Z}^m,\sigma}$ then (3) $\Pr_{v \leftarrow D_{\mathbb{Z}^m,\sigma}}(\|v\| > c$...

39 | New algorithms for learning in presence of errors
- Arora, Ge
- 2011
Citation Context ...able that translates sampling from the required distribution into sampling from a uniform distribution on a different set. The formulation in [5] is to have a continuous distribution function $F : S \to [0, 1]$ such that if $U$ is a uniform random variable on $[0, 1]$ then $F^{-1}(U)$ is a random variable on $S$ of the required form. When $S$ is a finite set this can be implemented as a table of values $F(x) \in [0, 1]$ ov...
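
As an added example (Python written for this page, not code from the paper or from Devroye's book): the two basic methods named in the contexts above, the inversion method with a table of $F(x)$ and rejection sampling, applied to the tail-cut discrete Gaussian $D_{\sigma,c}$ on $\mathbb{Z}$. The cut at $12\sigma$ follows inequality (2) quoted under [18]; the 128-bit table precision, the `decimal` working precision and the injectable random source are assumptions of the example, not parameters from the paper.

```python
# Added example (not from the paper): inversion sampling from a cumulative
# distribution table and rejection sampling for the discrete Gaussian
# D_{sigma,c} on Z, with the tail cut at 12*sigma as in inequality (2).
from bisect import bisect_right
from decimal import Decimal, getcontext
import math
import secrets

getcontext().prec = 60   # about 200 bits of working precision for the table entries
TAIL = 12                # assumed cut: Pr(|z| > 12 sigma) <= 2 exp(-72) < 2^-100


def _dec(v):
    """Accept int, float or str parameters and turn them into exact Decimals."""
    return v if isinstance(v, Decimal) else Decimal(str(v))


def tail_bound(k):
    """Bound 2*exp(-k^2/2) on Pr(|z| > k*sigma) for z <- D_sigma (inequality (2))."""
    return 2.0 * math.exp(-(k * k) / 2.0)


def rho(x, sigma, c=0):
    """Unnormalised weight rho_{sigma,c}(x) = exp(-(x - c)^2 / (2 sigma^2))."""
    sigma, c = _dec(sigma), _dec(c)
    return (-((Decimal(x) - c) ** 2) / (2 * sigma * sigma)).exp()


def support(sigma, c=0, tail=TAIL):
    """Integers within tail*sigma of the centre c (the tail-cut support)."""
    sigma, c = _dec(sigma), _dec(c)
    return list(range(math.floor(c - tail * sigma), math.ceil(c + tail * sigma) + 1))


def build_cdt(sigma, c=0, prec=128):
    """Inversion table: for each x in the support, F(x) = Pr(X <= x) stored as the
    prec-bit fixed-point integer floor(F(x) * 2^prec).  Storage is len(support)*prec bits."""
    xs = support(sigma, c)
    weights = [rho(x, sigma, c) for x in xs]
    total = sum(weights)                    # S_{sigma,c} restricted to the support
    cdf, acc = [], Decimal(0)
    for w in weights:
        acc += w / total
        cdf.append(int(acc * (1 << prec)))
    cdf[-1] = 1 << prec                     # absorb rounding: the last threshold is exactly 1
    return xs, cdf


def sample_inversion(table, u=None):
    """Inversion method: U uniform on [0, 2^prec) maps to the x with F(x-1) <= U/2^prec < F(x)."""
    xs, cdf = table
    if u is None:
        u = secrets.randbits(cdf[-1].bit_length() - 1)   # prec uniform bits
    return xs[bisect_right(cdf, u)]


def sample_rejection(sigma, c=0, rand_below=secrets.randbelow):
    """Rejection sampling (Devroye, Section II.3): propose x uniformly on the tail-cut
    support and accept with probability rho(x) <= 1.  The acceptance rate is about
    S/(24 sigma + 1) ~ sqrt(2 pi)/24 ~ 0.10, so expect roughly ten proposals per sample."""
    xs = support(sigma, c)
    while True:
        x = xs[rand_below(len(xs))]
        u = Decimal(rand_below(1 << 64)) / (1 << 64)       # uniform in [0, 1)
        if u < rho(x, sigma, c):
            return x


def table_bits(sigma, prec=128):
    """Bits of storage for the inversion table at prec-bit precision."""
    return len(support(sigma)) * prec


if __name__ == "__main__":
    sigma = "2.8"                           # the Lindner-Peikert parameter quoted under [14]
    table = build_cdt(sigma)
    print("entries:", len(table[0]), "table bits:", table_bits(sigma))
    print("tail bound at 12 sigma:", tail_bound(12), "< 2^-100:", tail_bound(12) < 2 ** -100)
    print("inversion sample:", sample_inversion(table))
    print("rejection sample:", sample_rejection(sigma))
```

`decimal` is used instead of floats because a cumulative table built with 53-bit arithmetic cannot bring the statistical distance anywhere near the $2^{-90}$ to $2^{-100}$ quoted under [19]; `table_bits` makes the storage side of that tradeoff visible, since the table grows linearly in $\sigma$ and in the precision. The rejection sampler needs no table but also needs a uniform number per trial and accepts only about one proposal in ten.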

33 | Table-based polynomials for fast hardware function evaluation
- Detrey, Dinechin
- 2005
Citation Context ... and $z = e - y$ so that $|z| \le 1/2$ and computes an approximation to the binary expansion of $2^z$. This can be done by using precomputed tables with linear interpolation (for a survey of such methods see [4, 6]). The trick to computing floating-point approximations to $\exp(x)$ for $x \in \mathbb{R}$ is to note that $\exp(x) = 2^{x/\ln 2}$, where $\ln 2$ is the log to base $e$ of 2. Hence, to compute $\exp(x)$ one first computes $y = x$...
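
The table-with-interpolation evaluation of $\exp(x)$ sketched above, as an added Python example rather than code from the paper or from [4, 6]. It computes $y = x/\ln 2$, splits off the nearest integer $e$ and reads $2^{y-e}$ (the text's $2^{-z}$ with $z = e - y$) from a table of $2^t + 1$ entries with linear interpolation; the table size $t$ and the probe inputs are assumptions of the example. Double-precision floats cap the result at about 53 bits, so the block shows the table-size versus accuracy tradeoff, not the 100-bit precision the sampling application would need.

```python
# Added example (not from the paper or from [4, 6]): exp(x) through the identity
# exp(x) = 2^(x / ln 2), with the integer part handled by an exponent shift and the
# fractional part read from a precomputed table of 2^w, w in [-1/2, 1/2], with
# linear interpolation.  The table size parameter t is an assumption of the example.
import math

LN2 = math.log(2.0)


def make_table(t=8):
    """2^t + 1 equally spaced entries 2^(k / 2^t), k = -2^(t-1), ..., 2^(t-1), covering [-1/2, 1/2]."""
    n = 1 << t
    return [2.0 ** (k / n) for k in range(-(n // 2), n // 2 + 1)]


def two_pow_frac(w, table):
    """2^w for w in [-1/2, 1/2] by linear interpolation between the two nearest table entries."""
    n = len(table) - 1                       # number of subintervals, each of width 1/n
    pos = (w + 0.5) * n                      # position of w in table units, in [0, n]
    k = min(int(pos), n - 1)                 # left neighbour (w = 1/2 uses the last interval)
    frac = pos - k
    return table[k] + frac * (table[k + 1] - table[k])


def exp_table(x, table):
    """exp(x): y = x / ln 2, e = nearest integer to y, then 2^e * 2^(y - e).
    The text writes z = e - y, so 2^(y - e) is its 2^(-z)."""
    y = x / LN2
    e = math.floor(y + 0.5)                  # |y - e| <= 1/2
    return math.ldexp(two_pow_frac(y - e, table), e)


def max_rel_error(table, xs):
    """Largest relative error of exp_table against math.exp over the inputs xs."""
    return max(abs(exp_table(x, table) - math.exp(x)) / math.exp(x) for x in xs)


if __name__ == "__main__":
    probes = [-5.0, -1.3, -0.25, 0.0, 0.7, 3.9, 12.5]     # constructed test inputs
    for t in (6, 8, 10, 12):
        err = max_rel_error(make_table(t), probes)
        print(f"t={t:2d}  entries={(1 << t) + 1:5d}  max relative error={err:.2e}")
```

Each extra table bit $t$ cuts the interpolation error by about a factor of four (the error is quadratic in the spacing), so reaching a 100-bit result this way would need a table, or a polynomial of higher degree, far beyond what the storage budget of a constrained device allows; that is the tradeoff the paper's survey of $\exp$ methods is about.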

28 | Multipartite table methods
- Dinechin, Tisserand
- 2005

28 | Practical lattice-based cryptography: A signature scheme for embedded systems
- Güneysu, Lyubashevsky, et al.
Citation Context ...e only 7 bits are needed to represent each entry of the vector and the storage can be reduced to about 0.3Gb. Güneysu, Lyubashevsky and Pöppelmann [11] gave a signature scheme that only requires uniform distributions, and for which signatures are around 9,000 bits. The scheme is easily implemented on a constrained device, however its security is bas...

24 | Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures
- Lyubashevsky
- 2009
Citation Context ...s independent of the private key. The distributions used are sometimes Gaussians and sometimes uniform distributions. We briefly recall some of their schemes now. The signature scheme of Lyubashevsky [17] does not seem to require sampling from discrete normal distributions. Instead, the signing algorithm requires sampling coefficients of a ring element from a uniform distribution. This scheme is there...

23 | Lattice signatures and bimodal Gaussians
- Ducas, Durmus, et al.
- 2013
Citation Context ...Galbraith [2] have given a provably secure scheme that can be implemented using uniform distributions and has signatures of size between 9,000 and 12,000 bits. Ducas, Durmus, Lepoint and Lyubashevsky [9] have given a new scheme with several further tricks to reduce the signature size. Their scheme uses discrete Gaussian distributions (indeed, bimodal distributions) and the signing algorithm requires ...

21 | A Toolkit for Ring-LWE Cryptography
- Lyubashevsky, Regev
Citation Context ...re $a$ is uniformly chosen in $R_q$ and where $e \in R$ is a "small" ring element (having entries chosen from some discrete Gaussian), to compute $s$. For details on Ring-LWE see Lyubashevsky, Peikert and Regev [15, 16]. It is crucial, to maintain the difficulty of the LWE problem, that the error values can occasionally be large. For example, Arora and Ge [1] and Ding [7] give approaches to attack LWE cryptosystems ...

17 | Faster Gaussian Lattice Sampling Using Lazy Floating-Point Arithmetic
- Ducas, Nguyen
- 2012
Citation Context ...ables are still required. (2) Sinha Roy, Vercauteren and Verbauwhede [25] build on our work, giving some improvements to the storage and a low-level implementation of the method. (3) Ducas and Nguyen [8] discuss sampling from discrete Gaussians on lattices using $m$-bit floating-point precision. Their approach uses rejection sampling to sample from a discrete Gaussian on $\mathbb{Z}$ and assumes a floating-point i...

12 | An improved compression technique for signatures based on learning with errors
- Bai, Galbraith
- 2014
Citation Context ...eme is easily implemented on a constrained device, however its security is based on non-standard assumptions and a full proof of security is not given in [11]. Following their work, Bai and Galbraith [2] have given a provably secure scheme that can be implemented using uniform distributions and has signatures of size between 9,000 and 12,000 bits. Ducas, Durmus, Lepoint and Lyubashevsky [9] have give...

7 | High Precision Discrete Gaussian Sampling on FPGAs
- Roy, Vercauteren, et al.
- 2014
Citation Context ...ad, one just needs to store the probabilities and a single column of the table; from this information it is simple to construct the next column of the table (more details of this process are given in [25]). The Knuth-Yao algorithm can be organised so that the random walk down the tree only makes use of this "local" information. 5.1. The Knuth-Yao method for sampling discrete Gaussians. We consider usi...
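
The Knuth-Yao random walk described here and in the context quoted under [13], as an added Python example (not the paper's own code and not the FPGA design of [25]). The probabilities are held as `prec`-bit integers and column `col` of the probability matrix is extracted from them on the fly, so each step of the walk touches only the local information the text mentions; `prec = 32`, the $12\sigma$ tail cut and the injectable bit source are assumptions of the example. The block also computes the entropy of the distribution, the quantity that lower-bounds the number of uniform bits any sampler can consume.

```python
# Added example (not the paper's code nor the FPGA design of [25]): the Knuth-Yao
# random walk down the DDG tree for a tail-cut discrete Gaussian.  Column col of
# the probability matrix is extracted from the prec-bit integers p_x on the fly,
# so each step only needs the local information the text describes.
from decimal import Decimal, getcontext
import math
import secrets

getcontext().prec = 60


def gauss_probs(sigma, c=0, tail=12, prec=32):
    """Probabilities of D_{sigma,c} on the integers within tail*sigma of c, as prec-bit
    fixed-point integers summing to exactly 2^prec.  The rounding slack is added to
    the largest entry: if the sum fell short of 2^prec the walk could run out of
    columns without ever landing on a leaf."""
    sigma, c = Decimal(str(sigma)), Decimal(str(c))
    xs = list(range(math.floor(c - tail * sigma), math.ceil(c + tail * sigma) + 1))
    weights = [(-((Decimal(x) - c) ** 2) / (2 * sigma * sigma)).exp() for x in xs]
    total = sum(weights)
    probs = [int(w * (1 << prec) / total) for w in weights]      # floor, so sum <= 2^prec
    probs[weights.index(max(weights))] += (1 << prec) - sum(probs)
    return xs, probs


def knuth_yao(probs, prec, rand_bit=lambda: secrets.randbits(1)):
    """One random bit per tree level.  At level col the rows whose bit col is 1 are
    leaves; they are scanned from the last row to the first and d counts down, so
    the walk has landed on a leaf exactly when d reaches -1.  Returns the row index."""
    d = 0
    for col in range(prec):
        d = 2 * d + rand_bit()
        for row in range(len(probs) - 1, -1, -1):
            d -= (probs[row] >> (prec - 1 - col)) & 1        # bit col of p_row
            if d == -1:
                return row
    raise ValueError("probabilities must sum to exactly 2^prec")


def entropy_bits(probs, prec):
    """Shannon entropy in bits.  Any exact sampler needs at least this many uniform
    bits on average; Knuth-Yao needs at most two more."""
    scale = float(1 << prec)
    return -sum(p / scale * math.log2(p / scale) for p in probs if p)


def sample_gaussian(sigma, prec=32, rand_bit=lambda: secrets.randbits(1)):
    """Sample from D_sigma on Z (tail cut at 12 sigma) with the Knuth-Yao walk."""
    xs, probs = gauss_probs(sigma, prec=prec)
    return xs[knuth_yao(probs, prec, rand_bit)]


if __name__ == "__main__":
    xs, probs = gauss_probs("2.8")
    print("support", xs[0], "..", xs[-1], "entropy %.3f bits" % entropy_bits(probs, 32))
    print("samples:", [sample_gaussian("2.8") for _ in range(10)])
```

Because the probabilities sum to exactly $2^{\mathtt{prec}}$, every path down the tree ends within `prec` bits, which is why the loop bound doubles as a termination guarantee; the price of that exactness is that the sampled distribution is the rounded one, so `prec` has to be chosen against the statistical-distance target of the scheme, not against the entropy. Note also that the number of bits consumed depends on the sampled value, so a straightforward implementation of this walk is not constant-time.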

6 | Discrete ziggurat: A time-memory trade-off for sampling from a Gaussian distribution over the integers
- Buchmann, Cabarcas, et al.
- 2013
Citation Context ...e entropy calculations in Section 2. 7. RECENT LITERATURE Subsequent to the submission of our paper, several authors have worked on this problem: (1) Buchmann, Cabarcas, Göpfert, Hülsing and Weiden [3] give a different approach to sampling, based on the ziggurat method, that combines precomputed tables and rejection sampling. However, the rejection sampling can be made very efficient. Large precomp...

6 | Solving LWE problem with bounded errors in polynomial time, eprint 2010/558
- Ding
- 2010
Citation Context ...LWE see Lyubashevsky, Peikert and Regev [15, 16]. It is crucial, to maintain the difficulty of the LWE problem, that the error values can occasionally be large. For example, Arora and Ge [1] and Ding [7] give approaches to attack LWE cryptosystems if the errors are known to be bounded. Hence, when one is sampling error values from the Gaussian distribution one must ensure that the tail is not truncat...

3 | Sampling exactly from the normal distribution. arXiv preprint arXiv:1303.6257
- Karney
- 2013
Citation Context ... more than two iterations of the idea. For example, suppose $\sigma = 50$ and we are sampling from $[0, 40\sigma]$. Taking $t = 10$ we find the following intervals all having similar weight in the distribution: $A_1 = [0, 12]$, $A_2 = [13, 25]$, $A_3 = [26, 39]$, $A_4 = [40, 54]$, $A_5 = [55, 70]$, $A_6 = [71, 88]$, $A_7 = [89, 109]$, $A_8 = [110, 136]$, $A_9 = [137, 180]$, $A_{10} = [181, 2000]$. For example, we have $\Pr(A_1) \approx 0.102647$ (this is normal...

3 | On Ideal Lattices and Learning with Errors over
- Lyubashevsky, Peikert, et al.
- 2010
Citation Context ...re $a$ is uniformly chosen in $R_q$ and where $e \in R$ is a "small" ring element (having entries chosen from some discrete Gaussian), to compute $s$. For details on Ring-LWE see Lyubashevsky, Peikert and Regev [15, 16]. It is crucial, to maintain the difficulty of the LWE problem, that the error values can occasionally be large. For example, Arora and Ge [1] and Ding [7] give approaches to attack LWE cryptosystems ...

3 | A class of algorithms for $\ln(x)$, $\exp(x)$, $\sin(x)$, $\cos(x)$, $\tan^{-1}(x)$ and $\cot^{-1}(x)$
- Specker
- 1965