
Dieter Gollmann · Atsuko Miyaji · Hiroaki Kikuchi (Eds.)

Applied Cryptography and Network Security

15th International Conference, ACNS 2017
Kanazawa, Japan, July 10–12, 2017
Proceedings

LNCS 10355

  

Lecture Notes in Computer Science 10355

  Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

  Editorial Board

  David Hutchison Lancaster University, Lancaster, UK

  Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA

  Josef Kittler University of Surrey, Guildford, UK

  Jon M. Kleinberg Cornell University, Ithaca, NY, USA

  Friedemann Mattern ETH Zurich, Zurich, Switzerland

  John C. Mitchell Stanford University, Stanford, CA, USA

  Moni Naor Weizmann Institute of Science, Rehovot, Israel

  C. Pandu Rangan Indian Institute of Technology, Madras, India

  Bernhard Steffen TU Dortmund University, Dortmund, Germany

  Demetri Terzopoulos University of California, Los Angeles, CA, USA

  Doug Tygar University of California, Berkeley, CA, USA

  Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany More information about this series at

Dieter Gollmann · Atsuko Miyaji · Hiroaki Kikuchi (Eds.)

Applied Cryptography and Network Security

15th International Conference, ACNS 2017, Kanazawa, Japan, July 10–12, 2017, Proceedings

Editors

Dieter Gollmann, Hamburg University of Technology, Hamburg, Germany
Atsuko Miyaji, Graduate School of Engineering, Osaka University, Suita, Osaka, Japan
Hiroaki Kikuchi, Department of Frontier Media Science, Meiji University, Tokyo, Japan

ISSN 0302-9743
ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-61203-4
ISBN 978-3-319-61204-1 (eBook)
DOI 10.1007/978-3-319-61204-1
Library of Congress Control Number: 2017944358
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing AG 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Printed on acid-free paper

This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG

  

Preface

  The 15th International Conference on Applied Cryptography and Network Security (ACNS2017) was held in Kanazawa, Japan, during July 10–12, 2017. The previous conferences in the ACNS series were successfully held in Kunming, China (2003), Yellow Mountain, China (2004), New York, USA (2005), Singapore (2006), Zhuhai, China (2007), New York, USA (2008), Paris, France (2009), Beijing, China (2010), Malaga, Spain (2011), Singapore (2012), Banff, Canada (2013), Lausanne, Switzerland (2014), New York, USA (2015), and London, UK (2016).

  ACNS is an annual conference focusing on innovative research and current developments that advance the areas of applied cryptography, cyber security, and privacy. Academic research with high relevance to real-world problems as well as developments in industrial and technical frontiers fall within the scope of the conference.

This year we received 149 submissions from 34 different countries. Each submission was reviewed by 3.7 Program Committee members on average; papers submitted by Program Committee members received 4.4 reviews on average. The committee decided to accept 34 regular papers. The broad range of areas covered by the high-quality papers accepted for ACNS 2017 attests to the fulfillment of the conference goals.

The program included two invited talks, given by Dr. Karthikeyan Bhargavan (Inria Paris) and Prof. Doug Tygar (UC Berkeley). The decision on the best student paper award was based on a vote among the Program Committee members. To be eligible, the primary author of the paper had to be a full-time student present at the conference. The winners were Carlos Aguilar-Melchor, Martin Albrecht, and Thomas Ricosset, from Université de Toulouse (Toulouse, France), Royal Holloway, University of London (UK), and Thales Communications & Security (Gennevilliers, France), for the paper “Sampling From Arbitrary Centered Discrete Gaussians For Lattice-Based Cryptography.”

We are very grateful to our supporters and sponsors. The conference was co-organized by Osaka University, the Japan Advanced Institute of Science and Technology (JAIST), and the Information-technology Promotion Agency (IPA); it was supported by the Committee on Information and Communication System Security (ICSS), IEICE, Japan, the Technical Committee on Information Security (ISEC), IEICE, Japan, and the Special Interest Group on Computer SECurity (CSEC) of IPSJ, Japan; and it was co-sponsored by the National Institute of Information and Communications Technology (NICT) International Exchange Program, Mitsubishi Electric Corporation, the Support Center for Advanced Telecommunications Technology Research, Foundation (SCAT), Microsoft Corporation, Fujitsu Hokuriku Systems Limited, Nippon Telegraph and Telephone Corporation (NTT), and Hokuriku Telecommunication Network Co., Inc.

We would like to thank the authors for submitting their papers to the conference. The selection of the papers was a challenging and dedicated task, and we are deeply grateful to the 48 Program Committee members and the external reviewers for their reviews and discussions. We also would like to thank EasyChair for providing a user-friendly interface for us to manage all submissions and proceedings files. Finally, we would like to thank the general chair, Prof. Hiroaki Kikuchi, and the members of the local Organizing Committee.

July 2017

Dieter Gollmann
Atsuko Miyaji

ACNS 2017
The 15th International Conference on Applied Cryptography and Network Security

  Jointly organized by Osaka University and

  Japan Advanced Institute of Science and Technology (JAIST) and Information-technology Promotion Agency (IPA)

  General Chair

Hiroaki Kikuchi, Meiji University, Japan

  Program Co-chairs

Dieter Gollmann, Hamburg University of Technology, Germany
Atsuko Miyaji, Osaka University / JAIST, Japan

  Program Committee

Diego Aranha, University of Campinas, Brazil
Giuseppe Ateniese, Stevens Institute of Technology, USA
Man Ho Au, Hong Kong Polytechnic University, Hong Kong SAR China
Carsten Baum, Bar-Ilan University, Israel
Rishiraj Bhattacharyya, NISER Bhubaneswar, India
Liqun Chen, University of Surrey, UK
Chen-Mou Chen, Osaka University, Japan
Céline Chevalier, Université Panthéon-Assas, France
Sherman S.M. Chow, Chinese University of Hong Kong, Hong Kong SAR China
Mauro Conti, University of Padua, Italy
Alexandra Dmitrienko, ETH Zurich, Switzerland
Michael Franz, University of California, Irvine, USA
Georg Fuchsbauer, ENS, France
Sebastian Gajek, FUAS, Germany
Swee-Huay Heng, Multimedia University, Malaysia
Francisco Rodríguez-Henríquez, CINVESTAV-IPN, Mexico
Xinyi Huang, Fujian Normal University, China
Michael Huth, Imperial College London, UK
Tibor Jager, Paderborn University, Germany
Aniket Kate, Purdue University, USA
Stefan Katzenbeisser, TU Darmstadt, Germany
Kwangjo Kim, KAIST, Korea
Kwok-yan Lam, NTU, Singapore
Mark Manulis, University of Surrey, UK
Tarik Moataz, Brown University, USA
Ivan Martinovic, University of Oxford, UK
Jörn Müller-Quade, Karlsruhe Institute of Technology, Germany
David Naccache, École normale supérieure, France
Michael Naehrig, Microsoft Research Redmond, USA
Hamed Okhravi, MIT Lincoln Laboratory, USA
Panos Papadimitratos, KTH Royal Institute of Technology, Sweden
Jong Hwan Park, Sangmyung University, Korea
Thomas Peyrin, Nanyang Technological University, Singapore
Bertram Poettering, Ruhr-Universität Bochum, Germany
Christina Pöpper, NYU, United Arab Emirates
Bart Preneel, KU Leuven, Belgium
Thomas Schneider, TU Darmstadt, Germany
Michael Scott, Dublin City University, Ireland
Vanessa Teague, University of Melbourne, Australia
Somitra Kr. Sanadhya, Ashoka University, India
Mehdi Tibouchi, NTT Secure Platform Laboratories, Japan
Ivan Visconti, University of Salerno, Italy
Bo-Yin Yang, Academia Sinica, Taiwan
Kan Yasuda, NTT Secure Platform Laboratories, Japan
Fangguo Zhang, Sun Yat-sen University, China
Jianying Zhou, SUTD, Singapore

  Organizing Committee

Local Arrangements Co-chairs
Akinori Kawachi, Tokushima University, Japan
Kazumasa Omote, University of Tsukuba, Japan
Shoichi Hirose, University of Fukui, Japan
Kenji Yasunaga, Kanazawa University, Japan
Yuji Suga, IIJ, Japan

Finance Co-chairs
Masaki Fujikawa, Kogakuin University, Japan
Yuichi Futa, JAIST, Japan
Natsume Matsuzaki, University of Nagasaki, Japan
Takumi Yamamoto, Mitsubishi Electric, Japan

Publicity Co-chairs
Noritaka Inagaki, IPA, Japan
Masaki Hashimoto, IISEC, Japan
Naoto Yanai, Osaka University, Japan
Kaitai Liang, Manchester Metropolitan University, UK

Liaison Co-chairs
Keita Emura, NICT, Japan
Eiji Takimoto, Ritsumeikan University, Japan
Toru Nakamura, KDDI Research, Japan

System Co-chairs
Atsuo Inomata, Tokyo Denki University/NAIST, Japan
Masaaki Shirase, Future University Hakodate, Japan
Minoru Kuribayashi, Okayama University, Japan
Toshihiro Yamauchi, Okayama University, Japan
Shinya Okumura, Osaka University, Japan

Publication Co-chairs
Takeshi Okamoto, Tsukuba University of Technology, Japan
Takashi Nishide, University of Tsukuba, Japan
Ryo Kikuchi, NTT, Japan
Satoru Tanaka, JAIST, Japan

Registration Co-chairs
Hideyuki Miyake, Toshiba, Japan
Dai Watanabe, Hitachi, Japan
Chunhua Su, Osaka University, Japan

  Additional Reviewers

Alesiani, Francesco; Aminanto, Muhamad Erza; Andaló, Fernanda; Armknecht, Frederik; Ashur, Tomer; Auerbach, Benedikt; Azad, Muhammad Ajmal; Bai, Shi; Barrera, David; Bauer, Balthazar; Beierle, Christof; Beunardeau, Marc; Blazy, Olivier; Bost, Raphael; Bourse, Florian; Broadnax, Brandon; Chakraborti, Avik; Chi-Domínguez, Jesús Javier; Chin, Ji-Jian; Choi, Rakyong; Choi, Suri; Ciampi, Michele; Connolly, Aisling; Coon, Ralph A.C.; Costello, Craig; Couteau, Geoffroy; Crane, Stephen; Culnane, Chris; Dargahi, Tooska; Datta, Nilanjan; Davies, Gareth T.; Del Pino, Rafael; Demmler, Daniel; Dirksen, Alexandra; Dominguez Perez, Luis J.; Dong, Xinshu; Dowling, Benjamin; Eom, Jieun; Faust, Sebastian; Ferradi, Houda; Frederiksen, Tore; Gay, Romain; Geraud, Remi; Germouty, Paul; Gochhayat, Sarada Prasad; Hartung, Gunnar; Herzberg, Amir; Huang, Yi; Iovino, Vincenzo; Jap, Dirmanto; Jati, Arpan; Jiang, Jiaojiao; Kairallah, Mustafa; Karvelas, Nikolaos; Keller, Marcel; Kim, Hyoseung; Kim, Jonghyun; Kim, Joonsik; Kim, Taechan; Kiss, Ágnes; Kitagawa, Fuyuki; Kohls, Katharina; Kuo, Po-Chun; Kurek, Rafael; Lai, Junzuo; Lai, Russell W.F.; Lain, Daniele; Lal, Chhagan; Lee, Kwangsu; Lee, Youngkyung; Li, Huige; Li, Wen-Ding; Li, Yan; Liebchen, Christopher; Liu, Jianghua; Liu, Yunwen; Longa, Patrick; Lu, Jingyang; Lu, Jiqiang; Luykx, Atul; Lyubashevsky, Vadim; Ma, Jack P.K.; Mainka, Christian; Mancillas-López, Cuauhtemoc; Masucci, Barbara; Matsuda, Takahiro; Mazaheri, Sogol; Mechler, Jeremias; Meier, Willi; Meng, Weizhi; Mohamad, Moesfa Soeheila; Moonsamy, Veelasha; Nagel, Matthias; Nielsen, Michael; Nishimaki, Ryo; O’Neill, Adam; Ochoa-Jiménez, José Eduardo; Oliveira, Thomaz; Pereira, Hilder Vitor Lima; Perrin, Léo; Poh, Geong Sen; Puddu, Ivan; Ramanna, Somindu C.; Ramchen, Kim; Renes, Joost; Reparaz, Oscar; Resende, Amanda; Rill, Jochen; Roy, Arnab; Ruffing, Tim; Rupp, Andy; Sakai, Yusuke; Sasaki, Yu; Schuldt, Jacob; Sen Gupta, Sourav; Seo, Hwajeong; Seo, Minhye; Shahandashti, Siamak; Shin, Seonghan; Siniscalchi, Luisa; Spolaor, Riccardo; Stebila, Douglas; Su, Chunhua; Tai, Raymond K.H.; Tan, Syhyuan; Thillard, Adrian; Tosh, Deepak; Vannet, Thomas; Vergnaud, Damien; Volckaert, Stijn; Wang, Ding; Wang, Jiafan; Wang, Xiuhua; Weinert, Christian; Wong, Harry W.H.; Xagawa, Keita; Xie, Shaohao; Yamada, Shota; Yamakawa, Takashi; Yang, Rupeng; Yang, Shaojun; Yang, Xu; Yu, Zuoxia; Zaverucha, Greg; Zhang, Huang; Zhang, Tao; Zhang, Yuexin; Zhang, Zheng; Zhao, Yongjun; Zhou, Peng

  

Contents

Applied Cryptography

Carlos Aguilar-Melchor, Martin R. Albrecht, and Thomas Ricosset
Britta Hale, Tibor Jager, Sebastian Lauer, and Jörg Schwenk
Yutaro Kiyomura, Akiko Inoue, Yuto Kawahara, Masaya Yasuda, Tsuyoshi Takagi, and Tetsutaro Kobayashi

Data Protection and Mobile Security

Riccardo Spolaor, Laila Abudahi, Veelasha Moonsamy, Mauro Conti, and Radha Poovendran
Xiaopeng Li, Wenyuan Xu, Song Wang, and Xianshan Qu
Bruce Berg, Tyler Kaczmarek, Alfred Kobsa, and Gene Tsudik
Weizhi Meng, Wenjuan Li, Wang Hao Lee, Lijun Jiang, and Jianying Zhou

Security Analysis

Marco Cianfriglia, Stefano Guarino, Massimo Bernaschi, Flavio Lombardi, and Marco Pedicini
Ralph Ankele, Subhadeep Banik, Avik Chakraborti, Eik List, Florian Mendel, Siang Meng Sim, and Gaoli Wang
Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl, Eduardo Soria-Vazquez, and Srinivas Vivek

Cryptographic Primitives

Rui Xu, Sze Ling Yeo, Kazuhide Fukushima, Tsuyoshi Takagi, Hwajung Seo, Shinsaku Kiyomoto, and Matt Henricksen
Akshayaram Srinivasan and Chandrasekaran Pandu Rangan
San Ling, Khoa Nguyen, Huaxiong Wang, and Yanhong Xu
Ronghai Yang, Wing Cheong Lau, and Shangcheng Shi
David Bernhard, Ngoc Khanh Nguyen, and Bogdan Warinschi
Kaoru Kurosawa and Rie Habuka
Cody Freitag, Rishab Goyal, Susan Hohenberger, Venkata Koppula, Eysa Lee, Tatsuaki Okamoto, Jordan Tran, and Brent Waters

Side Channel Attack

Claude Carlet, Annelie Heuser, and Stjepan Picek
Chenyang Tu, Lingchen Zhang, Zeyi Liu, Neng Gao, and Yuan Ma
Alex Biryukov, Daniel Dinu, and Yann Le Corre

Cryptographic Protocol

Dan Boneh, Sam Kim, and Valeria Nikolaenko
Russell W.F. Lai and Sherman S.M. Chow
Jason H.M. Ying and Noboru Kunihiro
Sze Ling Yeo, Zhen Li, Khoongming Khoo, and Yu Bin Low
Ignacio Cascudo and Bernardo David
David Chaum, Debajyoti Das, Farid Javani, Aniket Kate, Anna Krasnova, Jo
eri De Ruiter, and Alan T. Sherman
Olivier Blazy, Céline Chevalier, and Paul Germouty
Daniel Demmler, Marco Holz, and Thomas Schneider

Data and Server Security

Giuseppe Ateniese, Michael T. Goodrich, Vassilios Lekakis, Charalampos Papamanthou, Evripidis Paraskevas, and Roberto Tamassia
Matteo Maffei, Giulio Malavolta, Manuel Reinert, and Dominique Schröder
John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer, and Martín Ochoa
Erik-Oliver Blass, Travis Mayberry, and Guevara Noubir

Author Index

  Applied Cryptography

  

Sampling from Arbitrary Centered Discrete Gaussians for Lattice-Based Cryptography

Carlos Aguilar-Melchor¹, Martin R. Albrecht², and Thomas Ricosset¹,³

¹ INP ENSEEIHT, IRIT-CNRS, Université de Toulouse, Toulouse, France
{carlos.aguilar,thomas.ricosset}@enseeiht.fr
² Information Security Group, Royal Holloway, University of London, London, UK
martin.albrecht@royalholloway.ac.uk
³ Thales Communications & Security, Gennevilliers, France

Abstract. Non-centered discrete Gaussian sampling is a fundamental building block in many lattice-based constructions in cryptography, such as signature and identity-based encryption schemes. On the one hand, the center-dependent approaches, e.g. cumulative distribution tables (CDT), Knuth-Yao, the alias method, discrete Ziggurat and their variants, are the fastest known algorithms to sample from a discrete Gaussian distribution. However, they use a relatively large precomputed table for each possible real center in [0, 1), making them impracticable for non-centered discrete Gaussian sampling. On the other hand, rejection sampling allows one to sample from a discrete Gaussian distribution for all real centers without prohibitive precomputation cost, but needs costly floating-point arithmetic and several trials per sample. In this work, we study how to reduce the number of centers for which we have to precompute tables and propose a non-centered CDT algorithm with a practicable size of precomputed tables that is as fast as its centered variant. Finally, we provide some experimental results for our open-source C++ implementation indicating that our sampler increases the rate of Peikert’s algorithm for sampling from arbitrary lattices (and cosets) by a factor 3 with precomputation storage up to 6.2 MB.

1 Introduction

Lattice-based cryptography has generated considerable interest in the last decade due to many attractive features, including conjectured security against quantum attacks, strong security guarantees from worst-case hardness and constructions of fully homomorphic encryption (FHE) schemes (see the survey). Moreover, lattice-based cryptographic schemes are often algorithmically simple and efficient, manipulating essentially vectors and matrices or polynomials modulo relatively small integers, and in some cases outperform traditional systems.

  

M.R. Albrecht—The research of this author was supported by EPSRC grant “Bit Security of Learning with Errors for Post-Quantum Cryptography and Fully Homomorphic Encryption” (EP/P009417/1) and the EPSRC grant “Multilinear Maps in

Modern lattice-based cryptosystems are built upon two main average-case problems over general lattices, Short Integer Solution (SIS) and Learning With Errors (LWE), together with ring-LWE. The hardness of these problems can be related to that of their worst-case counterparts, if the instances follow specific distributions and parameters are chosen appropriately.

In particular, discrete Gaussian distributions play a central role in lattice-based cryptography. A natural set of examples to illustrate the importance of Gaussian sampling are lattice-based signature and identity-based encryption (IBE) schemes. The most iconic example is the GPV signature algorithm (hereafter GPV), proposed as a secure alternative to the well-known (and broken) GGH signature scheme. In this paper, the authors use the Klein/GPV algorithm. In this algorithm, the rounding step is replaced by randomized rounding according to a discrete Gaussian distribution to return a lattice point (almost) independent of a hidden basis. The GPV signature scheme has also been combined with LWE to obtain the first identity-based encryption (IBE) scheme conjectured to be secure against quantum attacks. Later, a new Gaussian sampling algorithm for arbitrary lattices was presented; it is a randomized variant of Babai’s rounding-off algorithm, more efficient and parallelizable, but it outputs longer vectors than the Klein/GPV algorithm.

Lattice-based signatures have also been constructed without the above trapdoor technique. Note that in contrast to the algorithms outlined above, which sample from a discrete Gaussian distribution for any real center not known in advance, those schemes only need to sample from a discrete Gaussian centered at zero.

1.1 Our Contributions

We develop techniques to speed up discrete Gaussian sampling when the center is not known in advance, obtaining a flexible time-memory trade-off that compares favorably to rejection sampling. We start with the cumulative distribution table (CDT) approach and lower the computational cost of the precomputation phase and the global memory required when sampling from a non-centered discrete Gaussian by precomputing the CDT for a relatively small, $O(\lambda^3)$, number of centers, and by computing the cdf only when needed, i.e. when, for a given uniform random input, the values returned by the CDTs for the two closest precomputed centers differ. Second, we present an adaptation of the lazy floating-point technique to compute most of the cdf in IEEE standard double precision, thus decreasing the number of precomputed CDTs. Finally, we propose a more flexible approach which takes advantage of the information already present in the precomputed CDTs. For this we use a Taylor expansion around the precomputed centers and values instead of this lazy technique, thus enabling us to reduce the number of precomputed CDTs to $\omega(\lambda)$.

  We stress, though, that our construction is not constant time, which limits


1.2 Related Work

Many discrete Gaussian samplers over the integers have been proposed for lattice-based cryptography, among them rejection sampling, inversion sampling with a cumulative distribution table (CDT) and Bernoulli sampling. The optimal method will of course depend on the setting in which it is used. In this work, we focus on what can be done on a modern computer, with a comfortable amount of memory and hardwired integer and floating-point operations. This is in contrast to works that focus on circuits or embedded devices. We consider exploring the limits of the usual memory and hardwired operations in commodity hardware as much an interesting question as it is to consider what is feasible in more constrained settings.

Rejection Sampling and Variants. Straightforward rejection sampling is a classical method to sample from any distribution by drawing a candidate from a uniform distribution and accepting it with a probability proportional to its probability under the target distribution (for a discrete Gaussian, with probability $\rho_{s,c}(x) \in (0, 1]$). This method does not use precomputed data but needs floating-point arithmetic and several trials per sample. Bernoulli sampling introduces an exponential bias from Bernoulli variables, which can be efficiently sampled, especially in circuits. The bias is then corrected in a rejection phase based on another Bernoulli variable. This approach is particularly suited for embedded devices because of the simplicity of the computation and the near-optimal entropy consumption. Kahn-Karney sampling is another variant of rejection sampling for a discrete Gaussian distribution which does not use floating-point arithmetic. It is based on the von Neumann algorithm to sample from the exponential distribution, requires no precomputed tables and consumes a smaller amount of random bits than Bernoulli sampling, though it is slower.

Currently the fastest approach in the computer setting uses straightforward rejection sampling with “lazy” floating-point computations, using IEEE standard double precision floating-point numbers in most cases.

Note that none of these methods requires precomputation depending on the distribution’s center c. In all the alternative approaches we present hereafter, there is some center-dependent precomputation. When the center is not known in advance this can result in prohibitive costs, and handling these costs becomes the major issue around which most of our work is focused.

Center-Dependent Approaches. The cumulative distribution table algorithm is based on the inversion method. All non-negligible cumulative probabilities are stored in a table; at sampling time one generates a cumulative probability in [0, 1) uniformly at random, performs a binary search through the table and returns the corresponding value. Several alternatives to the straightforward CDT are possible. Of special interest are: the alias method, which encodes CDTs in a more involved but more efficient way; BAC sampling, which uses arithmetic coding tables to sample with an optimal consumption of random bits; and discrete Ziggurat, which offers a flexible time-memory trade-off. Knuth-Yao sampling uses a random bit generator to traverse a binary tree formed from the bit representation of the probability of each possible sample; each terminal node is labeled by the corresponding sample. The main advantage of this method is that it consumes a near-optimal amount of random bits. A block variant and other practical improvements have been suggested. This method is center-dependent but clearly designed for circuits, and in a computer setting it is surpassed by other approaches.

Our main contribution is to show how to get rid of the known-center constraint with reasonable memory usage for center-dependent approaches. As a consequence, we obtain a performance gain with respect to rejection sampling approaches. Alternatively, any of the methods discussed above could have replaced our straightforward CDT approach. This, however, would have made our algorithms, proofs, and implementations more involved. On the other hand, further performance improvements could perhaps be achieved this way. This is an interesting problem for future work.

2 Preliminaries

Throughout this work, we denote the set of real numbers by $\mathbb{R}$ and the integers by $\mathbb{Z}$. We extend any real function $f(\cdot)$ to a countable set $A$ by defining $f(A) = \sum_{x \in A} f(x)$. We also denote by $U_I$ the uniform distribution on $I$.

2.1 Discrete Gaussian Distributions on Z

The discrete Gaussian distribution on $\mathbb{Z}$ is defined as the probability distribution whose unnormalized density function is
$$\rho : \mathbb{Z} \to (0, 1],\qquad x \mapsto e^{-\pi x^2}.$$
If $s \in \mathbb{R}^+$ and $c \in \mathbb{R}$, then we extend this definition to
$$\rho_{s,c}(x) := \rho\!\left(\frac{x - c}{s}\right)$$
and denote $\rho_{s,0}(x)$ by $\rho_s(x)$. For any mean $c \in \mathbb{R}$ and parameter $s \in \mathbb{R}^+$ we can now define the discrete Gaussian distribution $D_{s,c}$ as
$$\forall x \in \mathbb{Z},\quad D_{s,c}(x) := \frac{\rho_{s,c}(x)}{\rho_{s,c}(\mathbb{Z})}.$$
Note that the standard deviation of this distribution is $\sigma = s/\sqrt{2\pi}$. We also define $\mathrm{cdf}_{s,c}$ as the cumulative distribution function (cdf) of $D_{s,c}$:
$$\forall x \in \mathbb{Z},\quad \mathrm{cdf}_{s,c}(x) := \sum_{i=-\infty}^{x} D_{s,c}(i).$$

Smoothing Parameter. The smoothing parameter $\eta_\epsilon(\Lambda)$ quantifies the minimal discrete Gaussian parameter $s$ required to obtain a given level of smoothness on the lattice $\Lambda$. Intuitively, if one picks a noise vector over a lattice from a discrete Gaussian distribution with radius at least as large as the smoothing parameter, and reduces this modulo the fundamental parallelepiped of the lattice, then the resulting distribution is very close to uniform (for details and a formal definition see the cited work).

Gaussian Measure. An interesting property of discrete Gaussian distributions with a parameter $s$ greater than the smoothing parameter is that the Gaussian measure, i.e. $\rho_{s,c}(\mathbb{Z})$ for $D_{s,c}$, is essentially the same for all centers.

Lemma 1 (from the proof of [ , Lemma 4.4]). For any $\epsilon \in (0, 1)$, $s > \eta_\epsilon(\mathbb{Z})$ and $c \in \mathbb{R}$ we have
$$\Delta_{\mathrm{measure}} := \frac{\rho_{s,c}(\mathbb{Z})}{\rho_{s,0}(\mathbb{Z})} \in \left[\frac{1 - \epsilon}{1 + \epsilon},\ 1\right].$$

Tailcut Parameter. To deal with the infinite domain of Gaussian distributions, algorithms usually take advantage of their rapid decay to sample from a finite domain. The next lemma is useful in determining the tailcut parameter $\tau$.

Lemma 2 ([ , Lemma 4.2]). For any $\epsilon > 0$, $s > \eta_\epsilon(\mathbb{Z})$ and $\tau > 0$, we have
$$\Delta_{\mathrm{tailcut}} := \Pr_{X \sim D_{\mathbb{Z},s,c}}\big[\,|X - c| > \tau s\,\big] < 2e^{-\pi\tau^2} \cdot \frac{1 + \epsilon}{1 - \epsilon}.$$

2.2 Floating-Point Arithmetic

We recall some facts about floating-point arithmetic (FPA) with $m$ bits of mantissa, which we denote by $\mathrm{FP}_m$. A floating-point number is a triplet $\bar{x} = (s, e, v)$ where $s \in \{0, 1\}$, $e \in \mathbb{Z}$ and $v \in \mathbb{N}$ with $v \le 2^m - 1$, which represents the real number $\bar{x} = (-1)^s \cdot 2^{e-m} \cdot v$. Denote by $\epsilon = 2^{1-m}$ the floating-point precision. Every FPA operation $\bar{\circ} \in \{\bar{+}, \bar{-}, \bar{\times}, \bar{/}\}$ and its respective arithmetic operation on $\mathbb{R}$, $\circ \in \{+, -, \times, /\}$, verify
$$\forall \bar{x}, \bar{y} \in \mathrm{FP}_m,\quad \big|(\bar{x}\ \bar{\circ}\ \bar{y}) - (\bar{x} \circ \bar{y})\big| \le |\bar{x} \circ \bar{y}|\,\epsilon.$$
Moreover, we assume that the floating-point implementation of the exponential function $\overline{\exp}(\cdot)$ verifies
$$\forall \bar{x} \in \mathrm{FP}_m,\quad \big|\overline{\exp}(\bar{x}) - \exp(\bar{x})\big| \le \epsilon.$$

2.3 Taylor Expansion

Taylor’s theorem provides a polynomial approximation around a given point for any function that is sufficiently differentiable.

Theorem 1 (Taylor’s theorem). Let $d \in \mathbb{Z}^+$ and let the function $f : \mathbb{R} \to \mathbb{R}$ be $d + 1$ times differentiable in some neighborhood $U$ of $a \in \mathbb{R}$. Then for any $x \in U$
$$f(x) = T_{d,f,a}(x) + R_{d,f,a}(x)$$
where
$$T_{d,f,a}(x) = \sum_{i=0}^{d} \frac{f^{(i)}(a)}{i!}\,(x - a)^i$$
and
$$R_{d,f,a}(x) = \int_a^x \frac{f^{(d+1)}(t)}{d!}\,(x - t)^d\,dt.$$

3 Variable-Center with Polynomial Number of CDTs

We consider the case in which the mean is variable, i.e. the center is not known before the online phase, as is the case for lattice-based hash-and-sign signatures. The center can be any real number, but without loss of generality we will only consider centers in $[0, 1)$. Because CDTs are center-dependent, a first naive option would be to precompute a CDT for each possible real center in $[0, 1)$ in accordance with the desired accuracy. Obviously, this first option has the same time complexity as the classical CDT algorithm, i.e. $O(\lambda \log s\lambda)$ for $\lambda$ the security parameter. However, it is completely impractical with $2^\lambda$ precomputed CDTs of size $O(s\lambda^{1.5})$. The opposite trade-off is to compute the CDT on-the-fly, avoiding any precomputation storage, which increases the computational cost to $O(s\lambda^{3.5})$ assuming that the computation of the exponential function runs in $O(\lambda^3)$ (a justification of this assumption is given in a later section).

An interesting question is whether we can keep the time complexity of the classical CDT algorithm with a polynomial number of precomputed CDTs. To answer this question, we start by fixing the number $n$ of equally spaced centers in $[0, 1)$ and precompute the CDTs for each of these. Then, we apply the CDT algorithm to the two precomputed centers closest to the desired center for the same uniformly drawn cumulative probability. Assuming that the number of precomputed CDTs is sufficient, the values returned from both CDTs will be equal most of the time; in this case we can conclude, thanks to a simple monotonic argument, that the returned value would have been the same for the CDT at the desired center, and return it as a valid sample. (For fixed $x$, $\mathrm{cdf}_{s,c}(x)$ is non-increasing in $c$, so at every point the cdf at the desired center lies between the cdfs of the two neighboring precomputed centers.) Otherwise, the larger value will immediately follow the smaller one, and we then have to compute the cdf at the smaller value for the desired center in order to know whether the cumulative probability is lower or higher than this cdf. If it is lower, the smaller value is returned as the sample, else the larger one.

3.1 Twin-CDT Algorithm

As discussed above, to decrease the memory required by the CDT algorithm when the distribution center is determined during the online phase, we can pre-

phase of the Twin-CDT algorithm. Algorithm 1 precomputes CDTs, up to a precision $m$ that guarantees the $\lambda$ most significant bits of each cdf, and stores them with $\lambda$ bits of precision as a matrix $T$, where the $i$-th row is the CDT corresponding to the $i$-th precomputed center $i/n$. To sample from $D_{s,c}$, Algorithm 2 searches the preimages by the cdf of a cumulative probability $p$, drawn from the uniform distribution on $[0, 1) \cap \mathrm{FP}_\lambda$, in both CDTs corresponding to the centers $\lfloor n(c - \lfloor c \rfloor) \rfloor / n$ and $\lceil n(c - \lfloor c \rfloor) \rceil / n$, which return values $v_1$ and $v_2$ respectively. If the same value is returned from both CDTs (i.e. $v_1 = v_2$), then this value plus the integer part of the desired center is a valid sample; else it computes $\mathrm{cdf}_{s,c-\lfloor c \rfloor}(v_1)$ and returns $v_1 + \lfloor c \rfloor$ if $p < \mathrm{cdf}_{s,c-\lfloor c \rfloor}(v_1)$ and $v_2 + \lfloor c \rfloor$ otherwise.

Algorithm 1. Twin-CDT Algorithm: Offline Phase
Input: a Gaussian parameter s and a number of centers n
Output: a precomputed matrix T
1: initialize an empty matrix $T \in \mathrm{FP}_\lambda^{\,n \times (2\lceil\tau s\rceil + 3)}$
2: for $i \leftarrow 0, \ldots, n-1$ do
3:   for $j \leftarrow 0, \ldots, 2\lceil\tau s\rceil + 2$ do
4:     $T_{i,j} \leftarrow \mathrm{FP}_m : \mathrm{cdf}_{s,i/n}(j - \lceil\tau s\rceil - 1)$

Algorithm 2. Twin-CDT Algorithm: Online Phase
Input: a center c and a precomputed matrix T
Output: a sample x that follows $D_{s,c}$
1: $p \leftarrow U_{[0,1) \cap \mathrm{FP}_\lambda}$
2: $v_1 \leftarrow i - \lceil\tau s\rceil - 1$ s.t. $T_{\lfloor n(c - \lfloor c\rfloor)\rfloor,\, i-1} \le p < T_{\lfloor n(c - \lfloor c\rfloor)\rfloor,\, i}$
3: $v_2 \leftarrow j - \lceil\tau s\rceil - 1$ s.t. $T_{\lceil n(c - \lfloor c\rfloor)\rceil,\, j-1} \le p < T_{\lceil n(c - \lfloor c\rfloor)\rceil,\, j}$
4: if $v_1 = v_2$ then
5:   return $v_1 + \lfloor c\rfloor$
6: else
7:   if $p < \mathrm{FP}_m : \mathrm{cdf}_{s,c-\lfloor c\rfloor}(v_1)$ then
8:     return $v_1 + \lfloor c\rfloor$
9:   else
10:    return $v_2 + \lfloor c\rfloor$

Correctness. We establish correctness in the lemma below.

Lemma 3. Assuming that m is large enough to ensure λ correct bits during the cdf computation, the statistical distance between the output distribution of Algorithm 2 instantiated to sample from $D_{\mathbb{Z}^m,\sigma,c}$ and $D_{\mathbb{Z}^m,\sigma,c}$ is bounded by $2^{-\lambda}$.

C. Aguilar-Melchor et al.

Proof. First note that from the discrete nature of the considered distribution we have $D_{s,c} = D_{s,c-\lfloor c\rfloor} + \lfloor c\rfloor$. Now recall the probability integral transform: if X is a random variable with a continuous cumulative distribution function cdf, then cdf(X) has a uniform distribution on [0, 1]. Hence the inversion method: $\mathrm{cdf}^{-1}(U_{[0,1]})$ has the same distribution as X. Finally, by noting that for all $s, p \in \mathbb{R}$, $\mathrm{cdf}^{-1}_{s,c}(p)$ is monotonic in c, if $\mathrm{cdf}^{-1}_{s,c_1}(p) = \mathrm{cdf}^{-1}_{s,c_2}(p) := v$, then $\mathrm{cdf}^{-1}_{s,c}(p) = v$ for all $c \in [c_1, c_2]$, and as a consequence, for all $v \in [-\lceil\tau s\rceil - 1, \lceil\tau s\rceil + 1]$, the probability of outputting v is equal to $\mathrm{FP}_m : \mathrm{cdf}_{s,c}(v) - \mathrm{FP}_m : \mathrm{cdf}_{s,c}(v - 1)$, which is $2^{-\lambda}$-close to $D_{s,c}(v)$. □
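As an added illustration (not code from the paper), the following Python sketch implements Algorithms 1 and 2 and checks their output against plain CDT inversion with a CDT built for the exact center, which is what Lemma 3 says they must agree with. It stands in for $\mathrm{FP}_m$ with the `decimal` module at a chosen number of decimal digits, normalises by the sum of $\rho_{s,c}$ over the tail-cut support $[-\lceil\tau s\rceil-1, \lceil\tau s\rceil+1]$ rather than over all of $\mathbb{Z}$, stores n+1 CDT rows instead of n so that the row for $\lceil n(c-\lfloor c\rfloor)\rceil/n$ always exists, and takes the cumulative probability p from the caller; all four are my simplifications.

```python
import math
import random
from bisect import bisect_right
from decimal import Decimal, localcontext

PI = Decimal("3.14159265358979323846264338327950288419716939937510")  # Decimal has no pi constant

def cdt_row(s, c, tau, digits):
    """CDT of D_{s,c} on the tail-cut support {-ceil(tau*s)-1, ..., ceil(tau*s)+1}: cdf_{s,c}(x) for each x,
    computed with `digits` decimal digits (our stand-in for FP_m); rho_{s,c}(Z) is summed over the support only."""
    k = math.ceil(tau * s)
    with localcontext() as ctx:
        ctx.prec = digits
        weights = [(-PI * (Decimal(x) - c) ** 2 / Decimal(s) ** 2).exp() for x in range(-k - 1, k + 2)]
        total, acc, row = sum(weights), Decimal(0), []
        for w in weights:
            acc += w
            row.append(acc / total)
        return row

def twin_cdt_offline(s, n, tau, digits):
    """Algorithm 1: one CDT per equally spaced center i/n. Rows 0..n are stored (one more than the paper)
    so that the row for center ceil(n*frac)/n exists even when frac is close to 1."""
    return [cdt_row(s, Decimal(i) / Decimal(n), tau, digits) for i in range(n + 1)]

def twin_cdt_online(T, s, n, tau, c, p, digits):
    """Algorithm 2 with the cumulative probability p in [0,1) supplied by the caller (c, p: Decimal or str).
    Returns (sample, used_cdf); used_cdf is True when the two CDTs disagreed and the exact cdf was needed."""
    c, p, k = Decimal(c), Decimal(p), math.ceil(tau * s)
    base, frac = math.floor(c), c - math.floor(c)
    r1, r2 = math.floor(n * frac), math.ceil(n * frac)
    # bisect_right returns the i with T[r][i-1] <= p < T[r][i]; the candidate sample is v = i - ceil(tau*s) - 1
    v1, v2 = (bisect_right(T[r], p) - k - 1 for r in (r1, r2))
    if v1 == v2:
        return v1 + base, False
    cdf_v1 = cdt_row(s, frac, tau, digits)[v1 + k + 1]  # cdf_{s,c-floor(c)}(v1) at full precision
    return (v1 if p < cdf_v1 else v2) + base, True

def simulate(T, s, n, tau, c, trials, seed, digits):
    """(mismatches against plain CDT inversion at the exact center, cdf fall-backs) over seeded draws of p."""
    c, k, rng = Decimal(c), math.ceil(tau * s), random.Random(seed)
    exact_row = cdt_row(s, c - math.floor(c), tau, digits)  # reference: a CDT built for the exact center
    mismatches = fallbacks = 0
    for _ in range(trials):
        p = Decimal(rng.random())
        x, used_cdf = twin_cdt_online(T, s, n, tau, c, p, digits)
        mismatches += x != bisect_right(exact_row, p) - k - 1 + math.floor(c)
        fallbacks += used_cdf
    return mismatches, fallbacks
```

The fall-back count returned by `simulate` is an empirical estimate of the probability of having to evaluate the cdf, which grows as the spacing 1/n between precomputed centers grows.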

The remaining issue in the correctness analysis of Algorithm 2 is to determine the error occurring during the m-precision cdf computation. Indeed, this error tells us what precision m is needed to correctly compute the λ most significant bits of the cdf. This error is characterized in Lemma 4.

Lemma 4. Let $m \in \mathbb{Z}$ be a positive integer and $\varepsilon = 2^{1-m}$. Let $\bar c, \bar s, \bar h \in \mathrm{FP}_m$ be at distance at most $\delta_c$, $\delta_s$ and $\delta_h$ respectively from $c, s, h \in \mathbb{R}$, where $h = 1/\rho_{s,c}(\mathbb{Z})$. Let $\Delta f(x) := |\mathrm{FP}_m : f(x) - f(x)|$. We also assume that the following inequalities hold: $s \ge 4$, $\tau \ge 10$, $s\delta_s \le 0.01$, $\delta_c \le 0.01$, $s^2\varepsilon \le 0.01$, $(\tau s + 1)\varepsilon \le 1/2$. We have the following error bound on $\Delta\mathrm{cdf}_{s,c}(x)$ for any integer x such that $|x| \le \tau s + 2$:

$$\Delta\mathrm{cdf}_{s,c}(x) \le 3.5\,\tau^3 s^2 \varepsilon$$

Proof. We derive the following bounds using [ , Facts 6.12, 6.14, 6.22]:

$$\Delta\mathrm{cdf}_{s,c}(x) \le \frac{1}{s}\,\Delta\!\left[\sum_{i=-\lceil\tau s\rceil-1}^{\lceil\tau s\rceil+1} \rho_{s,c}(i)\right] + 3.6\,s\varepsilon + 3.6\,s\varepsilon$$

$$\Delta\!\left[\sum_{i=-\lceil\tau s\rceil-1}^{\lceil\tau s\rceil+1} \rho_{s,c}(i)\right] \le 3.2\,\tau^3 s^3 \varepsilon$$

□

For the sake of readability, the FPA error bound of Lemma 4 is fully simplified and is therefore not tight. For a practical implementation, one can derive a better bound using an ad-hoc approach such as done in [ ].

Efficiency. On average, the evaluation of the cdf requires $\lceil\tau s\rceil + 1.5$ evaluations of the exponential function. For the sake of clarity, we assume that the exponential function is computed using a direct power series evaluation with schoolbook multiplication, so its time complexity is $O(\lambda^3)$. We refer the reader to [ ] for a discussion of different ways to compute the exponential function in high precision. Lemma [ ] establishes that the time complexity of Algorithm 2 is $O(\lambda \log s\lambda + \lambda^4/n)$, so with $n = O(\lambda^3)$ it has asymptotically the same computational cost as the classical CDT algorithm.

Lemma 5. Let $P_{\mathrm{cdf}}$ be the probability of computing the cdf during the execution of Algorithm 2. Assuming that $\tau s \ge 10$, we have

$$P_{\mathrm{cdf}} \le 2.2\,\tau s \left(1 - e^{-\frac{1.25\tau}{sn}}\right) + \Delta_{\mathrm{measure}}$$

Proof.

$$P_{\mathrm{cdf}} \le \sum_{i=-\lceil\tau s\rceil-1}^{\lceil\tau s\rceil+1} \max_{c \in [0,1)} \left(\mathrm{cdf}_{s,c}(i) - \mathrm{cdf}_{s,c+\frac{1}{n}}(i)\right)$$

Assuming that $\tau s \ge 10$, we have

$$e^{-\frac{1.25\tau}{sn}}\,\mathrm{cdf}_{s,c}(i) - \Delta_{\mathrm{measure}} \le \mathrm{cdf}_{s,c+\frac{1}{n}}(i) \le \mathrm{cdf}_{s,c}(i)$$

Hence the upper bound. □

On the other hand, the precomputation matrix generated by Algorithm 1 takes n times the size of one CDT, hence the space complexity is $O(ns\lambda^{1.5})$. Note that for n sufficiently big to make the cdf computational cost negligible, the memory space required by this algorithm is about 1 GB for the parameters considered in cryptography, and thus prohibitively expensive for practical use.

3.2 Lazy-CDT Algorithm

A first idea to decrease the number of precomputed CDTs is to avoid costly cdf evaluations by using the same lazy trick as in [ ] for rejection sampling. Indeed, a careful analysis of Algorithm 2 shows that most of the time many of the computed cdf bits are not used. This leads to a new strategy, which consists of computing the bits of $\mathrm{cdf}_{s,c}(v_1)$ lazily. When the values corresponding to the generated probability for the two closest centers are different, the Lazy-CDT algorithm first only computes the cdf at a precision $m'$ to ensure $k < \lambda$ correct bits. If the comparison is decided with those k bits, it returns the sample. Otherwise, it recomputes the cdf at a precision m to ensure λ correct bits.

Correctness. In addition to the choice of m, discussed in Sect. [ ], to achieve λ bits of precision, the correctness of Algorithm 3 also requires knowing k, the number of correct bits after the floating-point computation of the cdf with $m'$ bits of mantissa. For this purpose, given $m'$, Lemma [ ] provides a theoretical lower bound on k.

Efficiency. As explained in [ ], the precision used for floating-point arithmetic has a non-negligible impact, because fp-operations become much more expensive when the precision goes over the hardware precision. For instance, modern processors typically provide floating-point arithmetic following the IEEE double precision standard (m = 53), but quad-float FPA (m = 113) is usually about 10–20 times slower for basic operations, and the overhead is much larger for multiprecision FPA. Therefore the maximal hardware precision is a natural choice for $m'$. However, this choice for $m'$ in Algorithm 3 is a strong constraint for cryptographic applications, where the error occurring during the floating-point cdf computation is usually greater than 10 bits, making the time-memory tradeoff of Algorithm 3 inflexible. Note that the probability of triggering high precision q−k


  Algorithm 3. Lazy-CDT Algorithm: Online Phase