Applied Cryptography and Network Security 2017 pdf pdf
Dieter Gollmann · Atsuko Miyaji
(Eds.)
Hiroaki Kikuchi Applied Cryptography LNCS 10355 and Network Security 15th International Conference, ACNS 2017 Kanazawa, Japan, July 10–12, 2017 Proceedings
Lecture Notes in Computer Science 10355
Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison Lancaster University, Lancaster, UK
Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler University of Surrey, Guildford, UK
Jon M. Kleinberg Cornell University, Ithaca, NY, USA
Friedemann Mattern ETH Zurich, Zurich, Switzerland
John C. Mitchell Stanford University, Stanford, CA, USA
Moni Naor Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan Indian Institute of Technology, Madras, India
Bernhard Steffen TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos University of California, Los Angeles, CA, USA
Doug Tygar University of California, Berkeley, CA, USA
Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany More information about this series at
- • Dieter Gollmann Atsuko Miyaji Hiroaki Kikuchi (Eds.)
Applied Cryptography and Network Security
15th International Conference, ACNS 2017 Kanazawa, Japan, July 10–12, 2017 Proceedings Editors Dieter Gollmann Hiroaki Kikuchi Hamburg University of Technology Department of Frontier Media Science Hamburg Meiji University Germany Tokyo Japan Atsuko Miyaji Graduate School of Engineering Osaka University Suita, Osaka Japan
ISSN 0302-9743
ISSN 1611-3349 (electronic) Lecture Notes in Computer Science
ISBN 978-3-319-61203-4
ISBN 978-3-319-61204-1 (eBook) DOI 10.1007/978-3-319-61204-1 Library of Congress Control Number: 2017944358 LNCS Sublibrary: SL4 – Security and Cryptology © Springer International Publishing AG 2017
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations. Printed on acid-free paper This Springer imprint is published by Springer Nature The registered company is Springer International Publishing AG
Preface
The 15th International Conference on Applied Cryptography and Network Security (ACNS2017) was held in Kanazawa, Japan, during July 10–12, 2017. The previous conferences in the ACNS series were successfully held in Kunming, China (2003), Yellow Mountain, China (2004), New York, USA (2005), Singapore (2006), Zhuhai, China (2007), New York, USA (2008), Paris, France (2009), Beijing, China (2010), Malaga, Spain (2011), Singapore (2012), Banff, Canada (2013), Lausanne, Switzerland (2014), New York, USA (2015), and London, UK (2016).
ACNS is an annual conference focusing on innovative research and current developments that advance the areas of applied cryptography, cyber security, and privacy. Academic research with high relevance to real-world problems as well as developments in industrial and technical frontiers fall within the scope of the conference.
This year we have received 149 submissions from 34 different countries. Each submission was reviewed by 3.7 Program Committee members on average. Papers submitted by Program Committee members received on average 4.4 reviews. The committee decided to accept 34 regular papers. The broad range of areas covered by the high-quality papers accepted for ACNS 2107 attests very much to the fulfillment of the conference goals.
The program included two invited talks given by Dr. Karthikeyan Bhargavan (Inria Paris) and Prof. Doug Tygar (UC Berkeley). The decisions of the best student paper award was based on a vote among the
Program Committee members. To be eligible for selection, the primary author of the paper has to be a full-time student who is present at the conference. The winner was Carlos Aguilar-Melchor, Martin Albrecht, and Thomas Ricosset from Université de Toulouse, Toulouse, France, Royal Holloway, University of London, UK, and Thales Communications & Security, Gennevilliers, France. The title of the paper is “Sampling From Arbitrary Centered Discrete Gaussians For Lattice-Based Cryptography.”
We are very grateful to our supporters and sponsors. The conference was co-organized by Osaka University, Japan Advanced Institute of Science and Tech- nology (JAIST), and the Information-technology Promotion Agency (IPA); it was supported by the Committee on Information and Communication System Security (ICSS), IEICE, Japan, the Technical Committee on Information Security (ISEC),
IEICE, Japan, and the Special Interest Group on Computer SECurity (CSEC) of IPSJ, Japan; it and was co-sponsored by the National Institute of Information and Com- munications Technology (NICT) International Exchange Program, Mitsubishi Electric Corporation, Support Center for Advanced Telecommunications Technology Research (SCAT), Foundation Microsoft Corporation, Fujitsu Hokuriku Systems Limited, Nippon Telegraph and Telephone Corporation (NTT), and Hokuriku Telecommuni- cation Network Co., Inc. VI Preface
We would like to thank the authors for submitting their papers to the conference. The selection of the papers was a challenging and dedicated task, and we are deeply grateful to the 48 Program Committee members and the external reviewers for their reviews and discussions. We also would like to thank EasyChair for providing a user-friendly interface for us to manage all submissions and proceedings files. Finally, we would like to thank the general chair, Prof. Hiroaki Kikuchi, and the members of the local Organizing Committee.
July 2017 Dieter Gollmann
Atsuko Miyaji ACNS 2017 The 15th International Conference on Applied Cryptography and Network Security
Jointly organized by Osaka University and
Japan Advanced Institute of Science and Technology (JAIST) and Information-technology Promotion Agency (IPA)
General Chair
Hiroaki Kikuchi Meiji University, Japan
Program Co-chairs
Dieter Gollmann Hamburg University of Technology, Germany Atsuko Miyaji Osaka University / JAIST, Japan
Program Committee
Diego Aranha University of Campinas, Brazil Giuseppe Ateniese Stevens Institute of Technology, USA Man Ho Au Hong Kong Polytechnic University, Hong Kong,
SAR China Carsten Baum Bar-Ilan University, Israel Rishiraj Bhattacharyya NISER Bhubaneswar, India Liqun Chen University of Surrey, UK Chen-Mou Chen Osaka University, Japan Céline Chevalier Université Panthéon-Assas, France Sherman S.M. Chow Chinese University of Hong Kong, Hong Kong,
SAR China Mauro Conti University of Padua, Italy Alexandra Dmitrienko ETH Zurich, Switzerland Michael Franz University of California, Irvine, USA Georg Fuchsbauer ENS, France Sebastian Gajek FUAS, Germany
VIII ACNS 2017
Swee-Huay Heng Multimedia University, Malaysia Francisco Rodrguez
Henrquez CINVESTAV-IPN, Mexico
Xinyi Huang Fujian Normal University, China Michael Huth Imperial College London, UK Tibor Jager Paderborn University, Germany Aniket Kate Purdue University, USA Stefan Katzenbeisser TU Darmstadt, Germany Kwangjo Kim KAIST, Korea Kwok-yan Lam NTU, Singapore Mark Manulis University of Surrey, UK Tarik Moataz Brown University, USA Ivan Martinovic University of Oxford, UK Jörn Müller-Quade Karlsruhe Institute of Technology, Germany David Naccache École normale supérieure, France Michael Naehrig Microsoft Research Redmond, USA Hamed Okhravi MIT Lincoln Laboratory, USA Panos Papadimitratos KTH Royal Institute of Technology, Sweden Jong Hwan Park Sangmyung University, Korea Thomas Peyrin Nanyang Technological University, Singapore Bertram Poettering Ruhr-Universität Bochum, Germany Christina Pöpper NYU, United Arab Emirates Bart Preneel KU Leuven, Belgium Thomas Schneider TU Darmstadt, Germany Michael Scott Dublin City University, Ireland Vanessa Teague University of Melbourne, Australia Somitra Kr. Sanadhya Ashoka University, India Mehdi Tibouchi NTT Secure Platform Laboratories, Japan Ivan Visconti University of Salerno, Italy Bo-Yin Yang Academia Sinica, Taiwan Kan Yasuda NTT Secure Platform Laboratories, Japan Fangguo Zhang Sun Yat-sen University, China Jianying Zhou SUTD, Singapore
Organizing Committee
Local Arrangements Akinori Kawachi Tokushima University, Japan Co-chairs Kazumasa Omote University of Tsukuba, Japan Shoichi Hirose University of Fukui, Japan Kenji Yasunaga Kanazawa University, Japan Yuji Suga
IIJ, Japan Finance Co-chairs Masaki Fujikawa Kogakuin University, Japan Yuichi Futa JAIST, Japan Natsume Matsuzaki University of Nagasaki, Japan Takumi Yamamoto Mitsubishi Electric, Japan Publicity Co-chairs Noritaka Inagaki
IPA, Japan Masaki Hashimoto
IISEC, Japan Naoto Yanai Osaka University, Japan Kaitai Liang Manchester Metropolitan University, UK Liaison Co-chairs Keita Emura NICT, Japan Eiji Takimoto Ritsumeikan University, Japan Toru Nakamura KDDI Research, Japan System Co-chairs Atsuo Inomata Tokyo Denki University/NAIST, Japan Masaaki Shirase Future University Hakodate, Japan Minoru Kuribayashi Okayama University, Japan Toshihiro Yamauchi Okayama University, Japan Shinya Okumura Osaka University, Japan Publication Co-chairs Takeshi Okamoto Tsukuba University of Technology, Japan Takashi Nishide University of Tsukuba, Japan Ryo Kikuchi NTT, Japan Satoru Tanaka JAIST, Japan Registration Co-chairs Hideyuki Miyake Toshiba, Japan Dai Watanabe Hitachi, Japan Chunhua Su Osaka University, Japan
Additional Reviewers
Alesiani, Francesco Aminanto, Muhamad Erza Andaló, Fernanda Armknecht, Frederik
Ashur, Tomer Auerbach, Benedikt Azad, Muhammad Ajmal Bai, Shi
ACNS 2017
IX Barrera, David Bauer, Balthazar Beierle, Christof Beunardeau, Marc Blazy, Olivier Bost, Raphael Bourse, Florian Broadnax, Brandon Chakraborti, Avik Chi-Domínguez, Jesús Javier Chin, Ji-Jian Choi, Rakyong Choi, Suri Ciampi, Michele Connolly, Aisling Coon, Ralph A.C.
Costello, Craig Couteau, Geoffroy Crane, Stephen Culnane, Chris Dargahi, Tooska Datta, Nilanjan Davies, Gareth T.
Del Pino, Rafael Demmler, Daniel Dirksen, Alexandra Dominguez Perez, Luis J.
Dong, Xinshu Dowling, Benjamin Eom, Jieun Faust, Sebastian Ferradi, Houda Frederiksen, Tore Gay, Romain Geraud, Remi Germouty, Paul Gochhayat, Sarada Prasad Hartung, Gunnar Herzberg, Amir Huang, Yi Iovino, Vincenzo Jap, Dirmanto Jati, Arpan Jiang, Jiaojiao Kairallah, Mustafa
Karvelas, Nikolaos Keller, Marcel Kim, Hyoseung Kim, Jonghyun Kim, Joonsik Kim, Taechan Kiss, Ágnes Kitagawa, Fuyuki Kohls, Katharina Kuo, Po-Chun Kurek, Rafael Lai, Junzuo Lai, Russell W.F.
Lain, Daniele Lal, Chhagan Lee, Kwangsu Lee, Youngkyung Li, Huige Li, Wen-Ding Li, Yan Liebchen, Christopher Liu, Jianghua Liu, Yunwen Longa, Patrick Lu, Jingyang Lu, Jiqiang Luykx, Atul Lyubashevsky, Vadim Ma, Jack P.K.
Mainka, Christian Mancillas-López, Cuauhtemoc Masucci, Barbara Matsuda, Takahiro Mazaheri, Sogol Mechler, Jeremias Meier, Willi Meng, Weizhi Mohamad, Moesfa Soeheila Moonsamy, Veelasha Nagel, Matthias Nielsen, Michael Nishimaki, Ryo O’Neill, Adam Ochoa-Jiménez, José Eduardo Oliveira, Thomaz
X ACNS 2017
Pereira, Hilder Vitor Lima Perrin, Léo Poh, Geong Sen Puddu, Ivan Ramanna, Somindu C.
Ramchen, Kim Renes, Joost Reparaz, Oscar Resende, Amanda Rill, Jochen Roy, Arnab Ruffing, Tim Rupp, Andy Sakai, Yusuke Sasaki, Yu Schuldt, Jacob Sen Gupta, Sourav Seo, Hwajeong Seo, Minhye Shahandashti, Siamak Shin, Seonghan Siniscalchi, Luisa Spolaor, Riccardo Stebila, Douglas Su, Chunhua Tai, Raymond K.H.
Tan, Syhyuan Thillard, Adrian Tosh, Deepak Vannet, Thomas Vergnaud, Damien Volckaert, Stijn Wang, Ding Wang, Jiafan Wang, Xiuhua Weinert, Christian Wong, Harry W.H.
Xagawa, Keita Xie, Shaohao Yamada, Shota Yamakawa, Takashi Yang, Rupeng Yang, Shaojun Yang, Xu Yu, Zuoxia Zaverucha, Greg Zhang, Huang Zhang, Tao Zhang, Yuexin Zhang, Zheng Zhao, Yongjun Zhou, Peng
ACNS 2017
XI
Contents
Applied Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Carlos Aguilar-Melchor, Martin R. Albrecht, and Thomas Ricosset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Britta Hale, Tibor Jager, Sebastian Lauer, and Jörg Schwenk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . .
Yutaro Kiyomura, Akiko Inoue, Yuto Kawahara, Masaya Yasuda, Tsuyoshi Takagi, and Tetsutaro Kobayashi
Data Protection and Mobile Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Riccardo Spolaor, Laila Abudahi, Veelasha Moonsamy, Mauro Conti, and Radha Poovendran
Xiaopeng Li, Wenyuan Xu, Song Wang, and Xianshan Qu
Bruce Berg, Tyler Kaczmarek, Alfred Kobsa, and Gene Tsudik
Weizhi Meng, Wenjuan Li, Wang Hao Lee, Lijun Jiang, and Jianying Zhou
Security Analysis XIV Contents
Marco Cianfriglia, Stefano Guarino, Massimo Bernaschi, Flavio Lombardi, and Marco Pedicini
Ralph Ankele, Subhadeep Banik, Avik Chakraborti, Eik List, Florian Mendel, Siang Meng Sim, and Gaoli Wang
Marcel Keller, Emmanuela Orsini, Dragos Rotaru, Peter Scholl, Eduardo Soria-Vazquez, and Srinivas Vivek
Cryptographic Primitives
Rui Xu, Sze Ling Yeo, Kazuhide Fukushima, Tsuyoshi Takagi, Hwajung Seo, Shinsaku Kiyomoto, and Matt Henricksen
Akshayaram Srinivasan and Chandrasekaran Pandu Rangan
San Ling, Khoa Nguyen, Huaxiong Wang, and Yanhong Xu
Ronghai Yang, Wing Cheong Lau, and Shangcheng Shi
David Bernhard, Ngoc Khanh Nguyen, and Bogdan Warinschi
Kaoru Kurosawa and Rie Habuka
Cody Freitag, Rishab Goyal, Susan Hohenberger, Venkata Koppula, Eysa Lee, Tatsuaki Okamoto, Jordan Tran, and Brent Waters
Side Channel Attack
Claude Carlet, Annelie Heuser, and Stjepan Picek
Contents
XV
Chenyang Tu, Lingchen Zhang, Zeyi Liu, Neng Gao, and Yuan Ma
Alex Biryukov, Daniel Dinu, and Yann Le Corre
Cryptographic Protocol
Dan Boneh, Sam Kim, and Valeria Nikolaenko
Russell W.F. Lai and Sherman S.M. Chow
Jason H.M. Ying and Noboru Kunihiro
Sze Ling Yeo, Zhen Li, Khoongming Khoo, and Yu Bin Low
Ignacio Cascudo and Bernardo David
David Chaum, Debajyoti Das, Farid Javani, Aniket Kate, Anna Krasnova, Joeri De Ruiter, and Alan T. Sherman
Olivier Blazy, Céline Chevalier, and Paul Germouty
Daniel Demmler, Marco Holz, and Thomas Schneider Data and Server Security
Giuseppe Ateniese, Michael T. Goodrich, Vassilios Lekakis, Charalampos Papamanthou, Evripidis Paraskevas, and Roberto Tamassia
Matteo Maffei, Giulio Malavolta, Manuel Reinert, and Dominique Schröder
John Henry Castellanos, Daniele Antonioli, Nils Ole Tippenhauer, and Martín Ochoa
Erik-Oliver Blass, Travis Mayberry, and Guevara Noubir Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
XVI Contents
Applied Cryptography
Sampling from Arbitrary Centered Discrete
Gaussians for Lattice-Based Cryptography
1 2 1,3( )B
Carlos Aguilar-Melchor , Martin R. Albrecht , and Thomas Ricosset 1 INP ENSEEIHT, IRIT-CNRS, Universit´e de Toulouse, Toulouse, France 2
{carlos.aguilar,thomas.ricosset}@enseeiht.fr
Information Security Group, Royal Holloway, University of London, London, UK
3martin.albrecht@royalholloway.ac.uk
Thales Communications & Security, Gennevilliers, France
Abstract.
Non-Centered Discrete Gaussian sampling is a fundamental
building block in many lattice-based constructions in cryptography, such
as signature and identity-based encryption schemes. On the one hand, the
center-dependent approaches, e.g. cumulative distribution tables (CDT),
Knuth-Yao, the alias method, discrete Zigurat and their variants, are the
fastest known algorithms to sample from a discrete Gaussian distribu-
tion. However, they use a relatively large precomputed table for each
possible real center in [0, 1) making them impracticable for non-centered
discrete Gaussian sampling. On the other hand, rejection sampling allows
to sample from a discrete Gaussian distribution for all real centers with-
out prohibitive precomputation cost but needs costly floating-point arith-
metic and several trials per sample. In this work, we study how to reduce
the number of centers for which we have to precompute tables and pro-
pose a non-centered CDT algorithm with practicable size of precomputed
tables as fast as its centered variant. Finally, we provide some experimen-
tal results for our open-source C++ implementation indicating that our
sampler increases the rate of Peikert’s algorithm for sampling from arbi-
trary lattices (and cosets) by a factor 3 with precomputation storage
up to 6.2 MB.1 Introduction
Lattice-based cryptography has generated considerable interest in the last decade due to many attractive features, including conjectured security against quantum attacks, strong security guarantees from worst-case hardness and constructions of fully homomorphic encryption (FHE) schemes (see the survey
). More-
over, lattice-based cryptographic schemes are often algorithmically simple and efficient, manipulating essentially vectors and matrices or polynomials modulo relatively small integers, and in some cases outperform traditional systems.
M.R. Albrecht—The research of this author was supported by EPSRC grant “Bit
Security of Learning with Errors for Post-Quantum Cryptography and Fully Homo-
morphic Encryption” (EP/P009417/1) and the EPSRC grant “Multilinear Maps in
4
C. Aguilar-Melchor et al.
Modern lattice-based cryptosystems are built upon two main average-case problems over general lattices: Short Integer Solution (SIS)
and Learning
With Errors (LWE)
]
and ring-LWE
. The hardness of these problems can be related to the one
of their worst-case counterpart, if the instances follow specific distributions and parameters are choosen appropriately
].
In particular, discrete Gaussian distributions play a central role in lattice- based cryptography. A natural set of examples to illustrate the importance of Gaussian sampling are lattice-based signature and identity-based encryption (IBE) schemes
. The most iconic example is the signature algorithm proposed
in
(hereafter GPV), as a secure alternative to the well-known (and broken)
GGH signature scheme
. In this paper, the authors use the Klein/GPV algo-
rithm
]. In this
algorithm, the rounding step is replaced by randomized rounding according to a discrete Gaussian distribution to return a lattice point (almost) independent of a hidden basis. The GPV signature scheme has also been combined with LWE to obtain the first identity-based encryption (IBE) scheme
] conjectured to
be secure against quantum attacks. Later, a new Gaussian sampling algorithm for arbitrary lattices was presented in
]. It is a randomized variant of Babai’s
rounding-off algorithm, is more efficient and parallelizable, but it outputs longer vectors than Klein/GPV’s algorithm.
Alternatively to the above trapdoor technique, lattice-based signatures
,
]. Note
that in contrast to the algorithms outlined above which sample from a discrete Gaussian distribution for any real center not known in advance, the schemes devel- oped in
] only need to sample from a discrete Gaussian centered at zero.
1.1 Our Contributions We develop techniques to speed-up discrete Gaussian sampling when the center is not known in advance, obtaining a flexible time-memory trade-off comparing favorably to rejection sampling. We start with the cumulative distribution table (CDT) suggested in
] and lower the computational cost of the precomputa-
tion phase and the global memory required when sampling from a non-centered discrete Gaussian by precomputing the CDT for a relatively small number of
3
), and by computing the cdf when needed, i.e. when for a given centers, in O(λ uniform random input, the values returned by the CDTs for the two closest pre- computed centers differ. Second, we present an adaptation of the lazy technique described in
] to compute most of the cdf in double IEEE standard double
precision, thus decreasing the number of precomputed CDTs. Finally, we pro- pose a more flexible approach which takes advantage of the information already present in the precomputed CDTs. For this we use a Taylor expansion around the precomputed centers and values instead of this lazy technique, thus enabling to reduce the number of precomputed CDTs to a ω(λ).
We stress, though, that our construction is not constant time, which limits
Sampling from Arbitrary Centered Discrete Gaussians
5
1.2 Related Work Many discrete Gaussian samplers over the Integers have been proposed for lattice- based cryptography. Rejection Sampling
, Inversion Sampling with a Cumu-
lative Distribution Table (CDT)
,
Bernoulli Sampling
.
The optimal method will of course depend on the setting in which it is used. In this work, we focus on what can be done on a modern computer, with a comfortable amount of memery and hardwired integer and floating-point opera- tions. This is in contrast to the works
] which focus on circuits or embedded
devices. We consider exploring the limits of the usual memory and hardwired operations in commodity hardware as much an interesting question as it is to consider what is feasible in more constrained settings. Rejection Sampling and Variants.
Straightforward rejection sampling
is a
classical method to sample from any distribution by sampling from a uniform distribution and accept the value with a probability equal to its probability in the target distribution. This method does not use pre-computed data but needs floating-point arithmetic and several trials by sample. Bernoulli sampling
introduces an exponential bias from Bernoulli variables, which can be efficiently sampled specially in circuits. The bias is then corrected in a rejection phase based on another Bernouilli variable. This approach is particularly suited for embed- ded devices for the simplicity of the computation and the near-optimal entropy consumption. Kahn-Karney sampling is another variant of rejection sampling to sample from a discrete Gaussian distribution which does not use floating- point arithmetic. It is based on the von Neumann algorithm to sample from the exponential distribution
, requires no precomputed tables and consumes a smaller amount of random bits than Bernoulli sampling, though it is slower.
Currently the fastest approach in the computer setting uses a straightforward rejection sampling approach with “lazy” floating-point computations
] using IEEE standard double precision floating-point numbers in most cases.
Note that none of these methods requires precomputation depending on the distribution’s center c. In all the alternative approaches we present hereafter, there is some center-dependent precomputation. When the center is not know this can result in prohibitive costs and handling these becomes a major issue around which most of our work is focused. Center-Dependent Approaches.
The cumulative distribution table algorithm is based on the inversion method
. All non-negligible cumulative probabilities are
stored in a table and at sampling time one generates a cumulative probability in [0, 1) uniformly at random, performs a binary search through the table and returns the corresponding value. Several alternatives to straightforward CDT are possible. Of special interest are: the alias method
which encodes CDTs
in a more involved but more efficient approach; BAC Sampling
which uses
arithmetic coding tables to sample with an optimal consumption of random bits; and Discrete Ziggurat
for a flexible
6
C. Aguilar-Melchor et al.
time-memory trade-off. Knuth-Yao sampling
uses a random bit generator to
traverse a binary tree formed from the bit representation of the probability of each possible sample, the terminal node is labeled by the corresponding sample. The main advantage of this method is that it consumes a near-optimal amount of random bits. A block variant and other practical improvements are suggested in
]. This method is center-dependent but clearly designed for circuits and on a computer setting it is surpassed by other approaches.
Our main contribution is to show how to get rid of the known-center con- straint with reasonable memory usage for center-dependent approaches. As a consequence, we obtain a performance gain with respect to rejection sam- pling approaches. Alternatively, any of the methods discussed above could have replaced our straightforward CDT approach. This, however, would have made our algorithms, proofs, and implementations more involved. On the other hand, further performance improvements could perhaps be achieved this way. This is an interesting problem for future work.
2 Preliminaries
Throughout this work, we denote the set of real numbers by R and the Integers by Z. We extend any real function f (·) to a countable set A by defining f(A) = f (x). We denote also by U I the uniform distribution on I.
x∈A
2.1 Discrete Gaussian Distributions on Z The discrete Gaussian distribution on Z is defined as the probability distribution whose unnormalized density function is
ρ : Z → [0, 1) −x 2 2 x → e
- If s ∈ R and c ∈ R, then we extend this definition to x − c
ρ (x) := ρ
s,c
s
- and denote ρ (x) by ρ
we can
s,0 s (x). For any mean c ∈ R and parameter s ∈ R
now define the discrete Gaussian distribution D as
s,c
ρ (x)
s,c
(x) := ∀x ∈ Z, D s,c
ρ (Z)
s,c
√ Note that the standard deviation of this distribution is σ = s/ 2π. We also define cdf s,c as the cumulative distribution function (cdf) of D s,c
x s,c (x) := D s,c (i)
∀x ∈ Z, cdf
i=−∞ Sampling from Arbitrary Centered Discrete Gaussians
7
Smoothing Parameter. The smoothing parameter η (Λ) quantifies the minimal
ǫ
discrete Gaussian parameter s required to obtain a given level of smoothness on the lattice Λ. Intuitively, if one picks a noise vector over a lattice from a discrete Gaussian distribution with radius at least as large as the smoothing parameter, and reduces this modulo the fundamental parallelepiped of the lattice, then the resulting distribution is very close to uniform (for details and formal definition see
]).
Gaussian Measure.
An interesting property of discrete Gaussian distributions with a parameter s greater than the smoothing parameter is that the Gaussian measure, i.e. ρ s,c (Z) for D s,c , is essentially the same for all centers. Lemma 1 (From the proof of
ǫ (Z)
Lemma 4.4]). For any ǫ ∈ (0, 1), s > η and c ∈ R we have
ρ s,c (Z) 1 − ǫ Δ measure := , 1
∈ ρ (Z) 1 + ǫ
s,0 Tailcut Parameter.
To deal with the infinite domain of Gaussian distributions, algorithms usually take advantage of their rapid decay to sample from a finite domain. The next lemma is useful in determining the tailcut parameter τ . Lemma 2 (
, Lemma 4.2]). For any ǫ > 0, s > η (Z) and τ > 0, we have ǫ 2
1 + ǫ tailcut := Pr −πτ E [|X − c| > τs] < 2e ·
X∼D Z,s,c
1 − ǫ
2.2 Floating-Point Arithmetic We recall some facts from
about floating-point arithmetic (FPA) with m
bits of mantissa, which we denote by FP m . A floating-point number is a triplet m ¯
2 −1 which represents the real
x = (s, e, v) where s ∈ {0, 1}, e ∈ Z and v ∈ N
s e−m 1−m
number ¯ the floating-point precision. x = (−1) · 2 · v. Denote by ǫ = 2
Every FPA-operation ¯ +, ¯ ◦ ∈ { ¯ −, ¯ ×, ¯/} and its respective arithmetic operation on R, ◦ ∈ {+, −, ×, /} verify
∀¯x, ¯y ∈ FP m , |(¯x ¯◦ ¯y) − (¯x ◦ ¯y)| ≤ (x ◦ y)ǫ Moreover, we assume that the floating-point implementation of the exponential function ¯ exp(·) verifies exp(¯
∀¯x ∈ FP m , | ¯ x) − exp(¯x)| ≤ ǫ.
2.3 Taylor Expansion Taylor’s theorem provides a polynomial approximation around a given point for any function sufficiently differentiable.
8
C. Aguilar-Melchor et al.
- and let the function
Theorem 1 (Taylor’s theorem). Let d ∈ Z f : R → R be d times differentiable in some neighborhood U of a ∈ R. Then for any x ∈ U
(x) f (x) = T d,f,a (x) + R d,f,a where
d (i)
f (a)
i
(x) = T d,f,a (x − a) i!
i=0
and
x (d+1)
f (t)
d
(x) = dt R d,f,a (x − t) d!
a
3 Variable-Center with Polynomial Number of CDTs
We consider the case in which the mean is variable, i.e. the center is not know before the online phase, as it is the case for lattice-based hash-and-sign signa- tures. The center can be any real number, but without loss of generality we will only consider centers in [0, 1). Because CDTs are center-dependent, a first naive option would be to precompute a CDT for each possible real center in [0, 1) in accordance with the desired accuracy. Obviously, this first option has the same time complexity than the classical CDT algorithm, i.e. O(λ log sλ) for λ the
λ
security parameter. However, it is completely impractical with 2 precomputed
1.5
). An opposite trade-off is to compute the CDT on-the- CDTs of size O(sλ fly, avoiding any precomputation storage, which increase the computational cost
3.5
) assuming that the computation of the exponential function run in to O(sλ
3 ) (see Sect. for a justification of this assumption).
O(λ An interesting question is can we keep the time complexity of the classical
CDT algorithm with a polynomial number of precomputed CDTs. To answer this question, we start by fixing the number n of equally spaced centers in [0, 1) and precompute the CDTs for each of these. Then, we apply the CDT algorithm to the two precomputed centers closest to the desired center for the same cumulative probability uniformly draw. Assuming that the number of precomputed CDTs is sufficient, the values returned from both CDTs will be equal most of the time, in this case we can conclude, thanks to a simple monotonic argument, that the returned value would have been the same for the CDT at the desired center and return it as a valid sample. Otherwise, the largest value will immediately follow the smallest and we will then have to compute the cdf at the smallest value for the desired center in order to know if the cumulative probability is lower or higher than this cdf. If it is lower then the smaller value will be returned as sample, else it will be the largest.
3.1 Twin-CDT Algorithm As discussed above, to decrease the memory required by the CDT algorithm when the distribution center is determined during the online phase, we can pre-
Sampling from Arbitrary Centered Discrete Gaussians
9
phase of the Twin-CDT algorithm. Algorithm
precomputes CDTs, up to
a precision m that guarantees the λ most significant bits of each cdf, and store them with λ-bits of precision as a matrix T, where the i-th line is the CDT corresponding to the i-th precomputed center i/n. To sample from D ,
s,c
Algorithm
searches the preimages by the cdf of a cumulative probability p,
, in both CDTs corresponding draw from the uniform distribution on [0, 1) ∩ FP λ to the center ⌊n(c − ⌊c⌋)⌋/n (respectively ⌈n(c − ⌊c⌋)⌉/n) which return a value v (resp. v ). If the same value is returned from the both CDTs (i.e. v = v ),
1
2
1
2
then this value added the desired center integer part is a valid sample, else it computes cdf (v ) and returns v (v ) and v
s,c−⌊c⌋
1 1 + ⌊c⌋ if p < cdf s,c
1 2 + ⌊c⌋ else.
Algorithm 1. Twin-CDT Algorithm: Offline Phase
Input: a Gaussian parameter s and a number of centers n Output: a precomputed matrix T
n×2⌈τ s⌉+3
1: initialize an empty matrix T ∈ FP λ 2: for i ← 0, . . . , n − 1 do 3: for j ← 0, . . . , 2⌈τ s⌉ + 2 do 4: T i,j ← FP m : cdf (j − ⌈τ s⌉ − 1) s,i/nAlgorithm 2. Twin-CDT Algorithm: Online Phase
Input: a center c and a precomputed matrix T Output: a sample x that follows D s,c 1: p ← U
[0,1)∩FP λ 2: v ← i − ⌈τ s⌉ − 1 s.t. T ≤ p < T 1 ⌊n(c−⌊c⌋)⌋,i−1 ⌊n(c−⌊c⌋)⌋,i 3: v ← j − ⌈τ s⌉ − 1 s.t. T ≤ p < T 2 ⌈n(c−⌊c⌋)⌉,j−1 ⌈n(c−⌊c⌋)⌉,j 4: if v = v then 1 2 5: return v + ⌊c⌋ 1 6: else
7: if p < FP m : cdf (v s,c−⌊c⌋ 1 ) then 8: return v 1 + ⌊c⌋ 9: else 10: return v 2 + ⌊c⌋ Correctness.
We establish correctness in the lemma below. Lemma 3. Assuming that m is large enough to ensure λ correct bits during the cdf computation, the statistical distance between the output distribution of m m −λ
Algorithm instantiated to sample from and is bounded by .
D D
2 Z ,σ,c Z ,σ,c Proof. First note that from the discrete nature of the considered distribution we have D = D
s,c s,c−⌊c⌋ + ⌊c⌋. Now recall that the probability integral transform
10
C. Aguilar-Melchor et al.
function cdf, then cdf(X) has a uniform distribution on [0, 1]. Hence the inversion
−1
method: cdf (U ) has the same distribution as X. Finally by noting that for
[0,1] −1 −1 s,c (p) is monotonic in c, if cdf (p) = cdf (p) := v, then
all s, p ∈ R, cdf s,c 1 s,c 2
−1
cdf , c (p) = v for all c ∈ [c
1 2 ], and as a consequence, for all v ∈ [−⌈τs⌉ − s,c
: cdf : 1, ⌈τs⌉ + 1], the probability of outputting v is equal to FP m s,c (v) − FP m
−λ cdf -close to D (v). s,c (v − 1) which is 2 s,c ⊔ ⊓
The remaining issue in the correctness analysis of Algorithm
is to determine
the error occurring during the m-precision cdf computation. Indeed, this error allows us to learn what precision m is needed to correctly compute the λ most significant bits of the cdf. This error is characterized in Lemma
1−m
. Let be ¯ c, ¯ s, ¯
Lemma 4. Let m ∈ Z be a positive integer and ε = 2 h ∈ FP m at distance respectively at most , and from δ δ δ (Z).
c c h
c, s, h ∈ R and h = 1/ρ s,c Let
Δf (x) := |FP m : f (x) − f(x)|. We also assume that the following inequalities
2
hold: s ≥ 4, τ ≥ 10, sδ s ≤ 0.01, δ c ≤ 0.01, s ε ≤ 0.01, (τs + 1)ε ≤ 1/2. We have the following error bound on
Δcdf
s,c (x) for any integer x such that |x| ≤ τs + 2
3
2
Δcdf s ε
s,c (x) ≤ 3.5τ
Proof.We derive the following bounds using ⎡ ⎤ Facts 6.12, 6.14, 6.22]:
⌈τ s⌉+1 ⎣ ⎦
1 Δcdf ρ (i) + 3.6sε + 3.6sε
s,c (x) ≤ Δ s,c
s ⎡ ⎤ i=−⌈τ s⌉−1 ⌈τ s⌉+1 ⎣ ⎦
3
3
Δ ρ (i) s ε
s,c ≤ 3.2τ i=−⌈τ s⌉−1
⊔ ⊓ For the sake of readability the FPA error bound of Lemma
is fully simplified
and is therefore not tight. For practical implementation, one can derive a better bound using an ad-hoc approach such as done in
].
Efficiency.
On average, the evaluation of the cdf requires ⌈τs⌉ + 1.5 evalua- tions of the exponential function. For the sake of clarity, we assume that the exponential function is computed using a direct power series evaluation with
3
). We refer the reader schoolbook multiplication, so its time complexity is O(λ to
for a discussion of different ways to compute the exponential function in high-precision.
Lemma
establishes that the time complexity of Algorithm
is O(λ log sλ +
4
3
λ ) it has asymptotically the same computational cost /n), so with n = O(λ than the classical CDT algorithm. cdf be the probability of computing the cdf during the execution
Lemma 5. Let P of Algorithm
assuming that
τ s ≥ 10, we have 1 .25τ
− sn
P cdf Δ measure ≤ 2.2τs 1 − e
Sampling from Arbitrary Centered Discrete Gaussians
11
Proof. ⎛ ⎞ ⎝ ⎠ ⌈τ s⌉+1 1 P cdf s,c (i) ≤ max cdf (i) − cdf s,c+ n
c∈[0,1) i=−⌈τ s⌉−1
Assuming that τ s ≥ 10, we have 1 .25τ
− sn 1
e Δ measure cdf s,c s,c (i) (i) ≤ cdf s,c+ (i) ≤ cdf n Hence the upper bound.
⊔ ⊓ On the other hand, the precomputation matrix generated by Algorithm
take n
1.5
). Note that times the size of one CDT, hence the space complexity is O(nsλ for n sufficiently big to make the cdf computational cost negligible, the memory space required by this algorithm is about 1 GB for the parameters considered in cryptography and thus prohibitively expensive for practical use.
3.2 Lazy-CDT Algorithm A first idea to decrease the number of precomputed CDTs is to avoid costly cdf evaluations by using the same lazy trick as in
for rejection sampling. Indeed,
a careful analysis of Algorithm
shows most of the time many of the computed
cdf bits are not used. This gives us to a new strategy which consists of computing the bits of cdf s,c (v
1 ) lazily. When the values corresponding to the generated
probability for the two closest centers are different, the Lazy-CDT algorithm
′
first only computes the cdf at a precision m to ensure k < λ correct bits. If the comparison is decided with those k bits, it returns the sample. Otherwise, it recomputes the cdf at a precision m to ensure λ correct bits. Correctness.
In addition to the choice of m, discussed in Sect.
to achieve λ
bits of precision, the correctness of Algorithm
also requires to know k which is
the number of correct bits after the floating-point computation of the cdf with
′ ′
m bits of mantissa. For this purpose, given m Lemma
provides a theoretical lower bound on k.
Efficiency.
As explained in
the precision used for floating-point arithmetic
has non-negligible impact, because fp-operation become much expensive when the precision goes over the hardware precision. For instance, modern processors typically provide floating-point arithmetic following the double IEEE standard double precision (m = 53), but quad-float FPA (m = 113) is usually about 10–20 times slower for basic operations, and the overhead is much more for mul- tiprecision FPA. Therefore the maximal hardware precision is a natural choice
′ ′
for m . However this choice for m in Algorithm
is a strong constraint for cryp-
tographic applications, where the error occurring during the floating-point cdf computation is usually greater than 10 bits, making the time-memory tradeoff of Algorithm
inflexible. Note that the probability of triggering high precision q−k
12
C. Aguilar-Melchor et al.
Algorithm 3. Lazy-CDT Algorithm: Online Phase