
Generating a Random String with a Fixed Weight

  • Conference paper
Cyber Security Cryptography and Machine Learning (CSCML 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11527)

Abstract

Generating, uniformly at random, a binary or a ternary string with a fixed length \(L\) and a prescribed weight \(W\), is a step in several quantum safe cryptosystems (e.g., BIKE, NTRUEncrypt, NTRU LPrime, Lizard, McEliece).

This fixed-weight vector generation is often implemented via a shuffling method or a rejection method, but not always in a “constant time”, side channel protected flow. A recently suggested constant time algorithm for this problem uses Network Sorting and turns out to be quite efficient. This paper proposes a new method for this computation, with a side channel protected implementation. We compare it to the other methods for different combinations of \(L\) and \(W\) values. Our method turns out to be the fastest approach for the cases where \(L\) is (relatively) short and \(0.1 < W/L\le 0.5\). For example, this range falls within the parameters of NTRU LPrime, where our method achieves a \(3\times \) speedup in the string generation. This leads to an overall \(1.14 \times \) speedup for the NTRU LPrime key generation.


Notes

  1. “Constant time” is the standard term for algorithms/implementations that are secure against (some) side channel attacks. Other terms that are used are “side channel protected” and “Isochronous”.

  2. Differential power attacks and fault injection attacks are outside the scope of this paper.

  3. \(L =\) 128, 251, 437, 512, 761, 1,024, 1,493, 2,048, 4,096, 5,312, 8,192, 6,451, 10,163, 16,384, 24,567, 32,749, 32,768, 65,536.

  4. \(W =\) 10, 30, 50, 71, 110, 250, 286, 350, 512, 897, 1,200, 1,900, 2,500, 3,012, 3,981, 4,196, 4,691, 5,890, 7,891, 9,801, 12,010, 14,909, 15,901, 19,876, 23,090, 27,090, 32,123, 40,954, 51,209, 52,908, 59,908, 65,536.

  5. Note that SUPERCOP uses checksums that were generated by running NTRU LPrime with its original Sorting method. Thus, to use SUPERCOP for measuring the performance with our (different) method, we removed the checksums.


Acknowledgments

We thank an anonymous reviewer for the comment that led to Algorithm 6. This research was supported by: The Israel Science Foundation (grant No. 1018/16); The BIU Center for Research in Applied Cryptography and Cyber Security, in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office; the Center for Cyber Law & Policy at the University of Haifa in conjunction with the Israel National Cyber Directorate in the Prime Minister’s Office.

Corresponding author

Correspondence to Nir Drucker.


Appendices

A A variant of the RepeatedAND method

Step 13 of Algorithm 4 (\(\bar{A} = \bar{A} \wedge A_j\)) can be replaced with \(\bar{A} = \bar{A} \wedge \lnot A_j\) without affecting the correctness or the performance characteristics of the algorithm. This is because

$$\begin{aligned} wt(\bar{A} \wedge A_j) \approx wt(\bar{A} \wedge \lnot A_j) \approx \dfrac{wt(\bar{A})}{2} \end{aligned}$$
(2)

and

$$\begin{aligned} \mathop {\mathbb {E}}\left[ wt(\bar{A} \wedge A_j)\right] = \mathop {\mathbb {E}}\left[ wt(\bar{A} \wedge \lnot A_j)\right] = \mathop {\mathbb {E}}\left[ wt(\bar{A})/2\right] \end{aligned}$$
(3)

Algorithm 6 is a variant of Algorithm 4 that leverages this fact. It replaces Step 13 in Algorithm 4 with Steps 13–19. The following example illustrates this optimization.

[Figure: Algorithm 6]

Example 6

Let \(L=2,048\), \(W=500\), and assume that \(wt(A_0)=1,024\) and \(wt(A_0 \wedge A_1) = 524\). Then \(wt(A_0 \wedge \lnot A_1) = 1,024 - 524 = 500 = W\). Therefore, Algorithm 6 ends after one round, while Algorithm 4 ends after at least two rounds.

Algorithm 6 is only one example of a greedy algorithm that uses (2) to optimize Algorithm 4. Other optimizations may apply for specific choices of \(L\) and \(W\). For example, when \(L=2,048\) and \(W=200\), a sequence of weights \({\bar{A}}_{i \ge 0} = \{\ldots , 800, 400, 200\}\) will probably lead to a smaller number of rounds than the expected sequence \({\bar{A}}_{i \ge 0} = \{\ldots , 512, 256, 128\}\).
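As an added illustration (not code from the paper), the following Python models the Appendix A variant with bit strings held in Python integers: `and_step` is Step 13 of Algorithm 4, while `greedy_and_step` is an assumed greedy rule that chooses between \(\bar{A} \wedge A_j\) and \(\bar{A} \wedge \lnot A_j\) (the paper's exact Steps 13–19 are not reproduced here). `example_6` rebuilds Example 6 from constructed strings; the seeded PRNG exists only to make the demo reproducible.

```python
import random

def wt(a: int) -> int:
    """Hamming weight of an L-bit string stored in a Python int."""
    return bin(a).count("1")

def and_step(abar: int, aj: int, W: int, L: int) -> int:
    """Step 13 of Algorithm 4: Abar <- Abar AND A_j.  With A_j uniform, each set
    bit of Abar survives with probability 1/2, so E[wt] = wt(Abar)/2 (eq. 3)."""
    return abar & aj

def greedy_and_step(abar: int, aj: int, W: int, L: int) -> int:
    """Assumed greedy rule for the Appendix A variant (not the paper's exact
    Steps 13-19): Abar AND A_j and Abar AND NOT A_j both have expected weight
    wt(Abar)/2 (eq. 2), so keep the one whose weight is >= W and closest to W.
    If both undershoot W, the heavier one is kept."""
    mask = (1 << L) - 1
    cands = [abar & aj, abar & (~aj & mask)]
    ok = [c for c in cands if wt(c) >= W]
    return min(ok, key=wt) if ok else max(cands, key=wt)

def inner_loop(L: int, W: int, step, rng: random.Random):
    """Weight-reducing loop from a fresh random A_0 until wt(Abar) <= W.
    Returns (final weight, number of AND steps).  `rng` is a seeded PRNG for a
    reproducible demo only; a real implementation needs a CSPRNG and a
    constant-time weight computation."""
    abar = rng.getrandbits(L)
    steps = 0
    while wt(abar) > W:
        abar = step(abar, rng.getrandbits(L), W, L)
        steps += 1
    return wt(abar), steps

def average_steps(L: int, W: int, step, trials: int = 50, seed: int = 1) -> float:
    rng = random.Random(seed)
    return sum(inner_loop(L, W, step, rng)[1] for _ in range(trials)) / trials

def example_6():
    """Example 6: L = 2048, W = 500, wt(A_0) = 1024, wt(A_0 AND A_1) = 524.
    Constructed strings: A_0 = 1024 low ones, A_1 = 524 low ones."""
    L, W = 2048, 500
    a0 = (1 << 1024) - 1
    a1 = (1 << 524) - 1
    return wt(and_step(a0, a1, W, L)), wt(greedy_and_step(a0, a1, W, L))

if __name__ == "__main__":
    print("Example 6 (Alg. 4 step, Alg. 6 step):", example_6())   # (524, 500)
    for name, step in (("RepeatedAND", and_step), ("greedy variant", greedy_and_step)):
        print(name, "average steps to reach wt <= 500:", average_steps(2048, 500, step))
```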

B Bounding the probability that the RepeatedAND algorithm does not stop

In theory, Algorithm 4 can enter an infinite loop if \(wt(A)\) does not change for an infinite number of times at (a) Step 13, or (b) Step 15.

We first explain (heuristically) the claim in Lemma 1 that Algorithm 4 stops almost surely (i.e., the probability that it does not stop is negligible). We start by calculating the probability that the loop in Steps 10–14 ends after \(L-w\) iterations. Suppose that the vector A with weight \(x=wt(A)\) is converted to the vector \(A'\) with \(y=wt(A')\) at the end of a single iteration. If \(y \le w\) the loop ends. We consider the Markov chain that corresponds to the transition from x to y, where we label the \(L+1\) weights (states) by \(0, \ldots , L\). The transition matrix \(P_{x,y}\) is:

$$ P_{x,y} = \begin{cases} \dfrac{1}{2^{x}} \binom{x}{y} & w < x \le L,~0 \le y \le x,\\ 1 & 0 \le x = y \le w, \\ 0 & \text{otherwise} \end{cases} $$

In particular, \(P_{x,x} = \frac{1}{2^x} < \frac{1}{2^w}\) for \(x > w\). Denote by \(X\sim Geo(1-P_{x,x})\) the geometric random variable that counts the number of iterations until a state change occurs (\(y \ne x\)). Then, for every \(k\),

$$ P\left( X \le k\right) = 1-\left( 1-\left( 1-P_{x,x}\right) \right) ^{k} = 1-P_{x,x}^{k} = 1 - \frac{1}{2^{kx}} > 1 - \frac{1}{2^{kw}} $$

If \(x > y\) in at least \(L-w\) iterations we get \(y < w\) (because every iteration reduces the weight by at least 1). Since the loop iterations are independent, after at most \(k(L-w)\) iterations we get (if \(2^{kw}\ge 5\))

$$\begin{aligned} P\left( wt(A) \le w\right)&> \left( 1 - \frac{1}{2^{kw}}\right) ^{L-w} \\&= \left( \left( 1 - \frac{1}{2^{kw}}\right) ^{2^{kw}}\right) ^{\frac{L-w}{2^{kw}}} \\&> \left( \frac{1}{e} - 0.05\right) ^{\frac{L-w}{2^{kw}}} > \left( \frac{1}{2}\right) ^{\frac{L-w}{2^{(kw-1)}}} = \left( \frac{1}{2}\right) ^{\delta _{L, w, k}} \end{aligned}$$

where \(\delta _{L, w, k} = \frac{L-w}{2^{(kw-1)}}\). For example, in the first round of NTRU LPrime, \(L=761\), \(w=250\), we get \(\delta _{761, 250, 1} = \dfrac{511}{2^{250-1}} \approx \dfrac{1}{2^{239}}\). Consequently, the probability that the loop ends after at most \(k(L-w)=511\) iterations is almost 1. To bound the number of iterations when \(\delta _{L, w, k} > 1\), we first choose some \(1< w_1 < w\) such that \(\delta _{L, w_1, 1} < 1\) and then continue recursively. For example, if \(L=761\), \(w=1\), we choose \(w_1 = 21\), and get \(\delta _{761, 21, 1} = \dfrac{740}{2^{20}} < \dfrac{1}{2^{10}}\). Thus, after \(L-w_1\) iterations \(P(wt(A) \le 20) > \sqrt[2^{10}]{0.5} \approx 0.999\). Subsequently, we set \(k_2=16\) such that with \(k_2(w_1 - w) = k_2(21 - 1) = 20 k_2\) additional iterations we get \(\delta _{w_1, w, k_2} = \dfrac{20}{2^{k_2-1}} < \dfrac{1}{2^{10}}\) and the probability \(P(wt(A) \le w) > \sqrt[2^{10}]{0.5} \approx 0.999\). Consequently, the loop ends within \((L-w_1) + 20 k_2\) iterations with probability at least 0.999. Obviously, a different choice of parameters can lead to a probability that is closer to 1.

Case (b) is the case where \(y=0\) for an infinite number of rounds of the external loop (Steps 6–17), i.e., the Markov chain hits the absorbing state with weight 0 an infinite number of times. The probability to hit this absorbing state is \(0< h_{n,0} < \frac{1}{2^w}\) (for every \(x < w\), \(P_{x,0} = \frac{1}{2^x} < \frac{1}{2^w}\)) and by the same reasoning as above, the probability to avoid it in a bounded number of rounds/attempts is close to 1.
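The following Python (an added example, not the paper's code) carries the Appendix B argument through with the paper's symbols: it builds the rows of \(P_{x,y}\), computes the exact probability that the loop in Steps 10–14 has ended within \(n\) iterations, and evaluates \(\delta_{L,w,k}\), the bound \((1/2)^{\delta}\) and the two-stage recursion used above for \(w=1\). The pruning threshold and the worst-case start state \(x=L\) are my assumptions.

```python
import math
from functools import lru_cache

@lru_cache(maxsize=None)
def binom_row(x: int) -> tuple:
    """Row x of the transition matrix for a non-absorbing state x > w:
    P_{x,y} = C(x,y) / 2^x, since an AND with a uniform string keeps each set bit w.p. 1/2."""
    return tuple(math.comb(x, y) / 2 ** x for y in range(x + 1))

def loop_end_prob(L: int, w: int, n: int, start: int = None, prune: float = 1e-300) -> float:
    """Exact P(wt(A) <= w within n iterations) for the Appendix B chain, starting at
    weight `start` (default L, the worst case).  States 0..w absorb (loop ended).
    Mass below `prune` is dropped (my truncation): error <= (L+1)*prune per step."""
    start = L if start is None else start
    v = [0.0] * (L + 1)              # v[x] = P(current weight == x)
    v[start] = 1.0
    for _ in range(n):
        nv = [0.0] * (L + 1)
        for x, px in enumerate(v):
            if px < prune:
                continue
            if x <= w:                   # absorbing: the loop already ended
                nv[x] += px
                continue
            for y, pxy in enumerate(binom_row(x)):
                nv[y] += px * pxy
        v = nv
    return sum(v[: w + 1])

def delta(L: int, w: int, k: int) -> float:
    """delta_{L,w,k} = (L - w) / 2^(kw - 1) from Appendix B."""
    return (L - w) / 2 ** (k * w - 1)

def bound(L: int, w: int, k: int) -> float:
    """Lower bound (1/2)^delta on P(wt(A) <= w) after k(L - w) iterations;
    the derivation assumes 2^(kw) >= 5."""
    assert 2 ** (k * w) >= 5, "bound only valid for 2^(kw) >= 5"
    return 0.5 ** delta(L, w, k)

def staged_bound(L: int, w: int, w1: int, k2: int):
    """Appendix B recursion for small w: L - w1 iterations (k = 1) to reach
    weight <= w1, then k2 * (w1 - w) more to reach weight <= w.
    Returns (total iterations, lower bound on the probability)."""
    return (L - w1) + k2 * (w1 - w), bound(L, w1, 1) * bound(w1, w, k2)

if __name__ == "__main__":
    # NTRU LPrime first round, L = 761 and w = 250 (values from the paper)
    print("delta_{761,250,1} =", delta(761, 250, 1), "bound =", bound(761, 250, 1))
    print("w = 1 via w1 = 21, k2 = 16:", staged_bound(761, 1, 21, 16))
```

Running the exact chain for \(L=761\), \(w=250\) shows the loop has ended after a handful of iterations with probability indistinguishable from 1, far fewer than the \(k(L-w)=511\) the bound budgets.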


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Drucker, N., Gueron, S. (2019). Generating a Random String with a Fixed Weight. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_13


  • DOI: https://doi.org/10.1007/978-3-030-20951-3_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-20950-6

  • Online ISBN: 978-3-030-20951-3
