Conference Paper

An Efficient and Parallel Gaussian Sampler for Lattices

DOI: 10.1007/978-3-642-14623-7_5
Conference: Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 15-19, 2010. Proceedings
Source: DBLP


At the heart of many recent lattice-based cryptographic schemes is a polynomial-time algorithm that, given a 'high-quality' basis, generates a lattice point according to a Gaussian-like distribution. Unlike most other operations in lattice-based cryptography, however, the known algorithm for this task (due to Gentry, Peikert, and Vaikuntanathan; STOC 2008) is rather inefficient, and is inherently sequential. We present a new Gaussian sampling algorithm for lattices that is efficient and highly parallelizable. At a high level, the algorithm resembles the "perturbation" heuristic proposed as part of NTRUSign (Hoffstein et al., CT-RSA 2003), though the details are quite different. To our knowledge, this is the first algorithm and rigorous analysis demonstrating the security of a perturbation-like technique.

    • ". Peikert [36] proposed to use this method to sample discrete Gaussians. His exact method was to precompute and store the values of F(X) in a table and solve the inequality (3) through performing a binary search in the table."
    ABSTRACT: Modern lattice-based cryptosystems require sampling from discrete Gaussian distributions. We review lattice-based schemes and collect their requirements for sampling from discrete Gaussians. Then we survey the algorithms implementing such sampling and assess their practical performance. Finally we draw some conclusions regarding the best candidates for implementation on different platforms in the typical parameter range.
    Tatra Mountains Mathematical Publications 09/2014; 60(1):1-23. DOI:10.2478/tmmp-2014-0022
    • "However, in contrast to sampling from the continuous Gaussian distribution, it is not at all straightforward to sample from a discrete Gaussian distribution over a lattice. At present, the default sampling algorithm for lattices is due to Klein, originally proposed for bounded-distance decoding [11] (see also [12], [13] for variations and [4] for an algorithm for lattices of Construction A). It was shown in [10] that Klein's algorithm samples within a negligible statistical distance from the lattice Gaussian distribution only if the standard deviation $\sigma \ge \omega(\sqrt{\log n}) \cdot \max_{1 \le i \le n} b_i$, where $n$ is the lattice dimension and $b_i$'s are the Gram-Schmidt vectors of the lattice basis."
    ABSTRACT: Sampling from a lattice Gaussian distribution is emerging as an important problem in various areas such as coding and cryptography. The default sampling algorithm, Klein's algorithm, yields a distribution close to the lattice Gaussian only if the standard deviation is sufficiently large. In this paper, we propose the Markov chain Monte Carlo (MCMC) method for lattice Gaussian sampling when this condition is not satisfied. In particular, we present a sampling algorithm based on Gibbs sampling, which converges to the target lattice Gaussian distribution for any value of the standard deviation. To improve the convergence rate, a more efficient algorithm referred to as Gibbs-Klein sampling is proposed, which samples block by block using Klein's algorithm. We show that Gibbs-Klein sampling yields a distribution close to the target lattice Gaussian, under a less stringent condition than that of the original Klein algorithm.