A new Gaussian sampling for trapdoor lattices with arbitrary modulus
Gaussian sampling for trapdoor lattices is often the primary bottleneck for bringing advanced lattice-based schemes into practice. Micciancio and Peikert (Eurocrypt 2012) designed a specialized algorithm for sampling small integer solutions preimages using their “strong trapdoors”. Specifically, the...
Published in: | Designs, codes, and cryptography, 2019-11, Vol.87 (11), p.2553-2570 |
---|---|
Main authors: | , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | Gaussian sampling for trapdoor lattices is often the primary bottleneck for bringing advanced lattice-based schemes into practice. Micciancio and Peikert (Eurocrypt 2012) designed a specialized algorithm for sampling small integer solutions preimages using their “strong trapdoors”. Specifically, they split this task into two phases: (1) the off-line phase, which receives little attention since it is target independent; (2) the on-line phase, which is target dependent and is far more critical in applications to concretely improve the efficiency. When the modulus $q$ is a power of two, the MP12 sampler could be highly optimized and achieved linear complexity in the bitsize $k$ of $q$. For arbitrary modulus $q$, however, it had to turn to the general sampling algorithm that operates on the reals with quadratic complexity both in space and time. In this work, we concentrate mainly on the on-line phase of the sampling procedure (i.e., the key part to optimize) and propose an improved algorithm that is capable of handling arbitrary modulus $q$. The new algorithm has linear complexity $O(k)$ in both time and space, achieving the same level of performance as the MP12 sampler for $q = 2^k$. Besides, it operates mainly on the integers rather than the reals. Finally, the final output has slightly better quality than that of previous samplers for specific parameters. Our experimental results show that the new algorithm outperforms previous works. Essentially, it can be seen as a natural generalization of the MP12 sampler for $q = 2^k$ to the arbitrary modulus setting. |
---|---|
ISSN: | 0925-1022 1573-7586 |
DOI: | 10.1007/s10623-019-00635-8 |