Abstract
We present a general framework for polynomial-time lattice Gaussian sampling. It revolves around a systematic study of the discrete Gaussian measure and its samplers under extensions of lattices; we first show that given lattices \(\varLambda '\subset \varLambda \) we can sample efficiently in \(\varLambda \) if we know how to do so in \(\varLambda '\) and in the quotient \(\varLambda /\varLambda '\), regardless of the primitivity of \(\varLambda '\). As a direct application, we tackle the problem of domain extension and restriction for sampling and propose a sampler tailored for lattice filtrations, which can be seen as a broad generalization of the celebrated Klein’s sampler. Then, we demonstrate how to sample using a change of basis, or even a switch of the ambient space, even when the target lattice is not represented as full-rank in the ambient space. We show how to correct the induced distortion with the “convolution-like” technique of Peikert (Crypto 2010) (which we encompass as a byproduct). Since our framework aims at modularity and leverages combinations of smaller samplers to build new ones, we also propose ad-hoc samplers for the so-called root lattices \(\textsf{A}_n, \textsf{D}_n, \textsf{E}_n\) as base cases, extending the state of the art for root lattice sampling, which was limited to \(\textbf{Z}^n\). We also show how our framework blends with the so-called king construction and provides a sampler for the remarkable Leech and Barnes-Wall lattices.
As a by-product, we obtain novel, quasi-linear samplers for cyclotomic rings of prime and smooth conductor (such as \(2^\ell 3^k\)), achieving essentially optimal Gaussian width. In a practice-oriented application, we showcase the impact of our work on hash-and-sign signatures over NTRU lattices. In the best case, we gain around 200 bytes (an improvement greater than 20%) on the signature size. We also improve the new gadget-based constructions (Yu, Jia, Wang, Crypto 2023) and gain up to 110 bytes on the resulting signatures.
Lastly, we sprinkle our exposition with several new estimates for the smoothing parameter of lattices, stemming from our algorithmic constructions and by novel methods based on series reversion.
Notes
1. Generally, the quotient is a product of its torsion part, which is a finite abelian group, and its free part, which is itself a lattice. Even when the quotient is torsion-free, \(\varLambda \) does not identify with \(\varLambda '\oplus \varLambda /\varLambda '\) as lattices in general.
2. Of course, a change of basis works very well for continuous Gaussians: it simply amounts to a matrix-vector multiplication.
3. What matters for the proofs is that the perturbation distribution has good convolution properties with Gaussian kernels.
4. Most of the prior literature uses s or \(\sqrt{\varSigma }\), that is, an analog of the standard deviation instead of the covariance.
5. We highlight that this is a short sequence of groups and not necessarily of lattices.
6. The important catch here is which orthogonality we are considering: in our proof, the orthogonality must be with respect to the norm induced by the covariance matrix of the target Gaussian, that is, \(\textbf{x} \mapsto \textbf{x}^t\varSigma ^{-1}\textbf{x}\). This allows us to use that for \(\textbf{x},\textbf{y}\in \varLambda _\textbf{R}\) such that \(\textbf{x}^t\varSigma ^{-1} \textbf{y} = 0\), we have \(\rho _\varSigma (\textbf{x}+\textbf{y}) = \rho _\varSigma (\textbf{x}) \cdot \rho _\varSigma (\textbf{y})\).
7. Such a map always exists: indeed, as \(\overline{\varLambda '}\) is primitive, one can always find a sublattice \(\varLambda _0\) such that \(\varLambda = \varLambda _0\oplus \overline{\varLambda '}\), and the section can be defined by identifying the vectors of a basis of \(\varLambda _0\) with their projections by \(\overline{\pi }\).
8. In the same way that the Klein/GPV sampler is a randomized version of Babai’s nearest plane algorithm, our technique can be interpreted as a randomized version of the nearest-colattice algorithm of Espitau and Kirchner [16].
9. What matters in the proof is that \(\prod _i (1+\varepsilon _i) \leqslant 1+\varepsilon \), where \(\varepsilon _i\) is a given smoothing quality for \(\varLambda _i/\varLambda _{i-1}\) and \(\varepsilon \) is the target quality for \(\varLambda \).
10. In its usual form for a fixed basis, the bound is \(\eta _\varepsilon (\varLambda )\leqslant \max _{1\leqslant i\leqslant n} \Vert \textbf{b}_i^*\Vert \cdot \eta _{\varepsilon }(\textbf{Z}^n)\).
11. We make a slight abuse of notation here by silently identifying a submodule with the corresponding sublattice of the lattice attached to the module. To be perfectly formal, the elements of the filtration should be understood as viewed under the canonical embedding map; see also the full version.
12. Indeed, just as the Klein sampler is inherently sequential while Peikert’s sampler is parallelizable, our filtered tensor sampler of Sect. 4.3 has to wait for the result of each sample in the filtration, whereas this linear sampler allows all operations to be performed in parallel.
13. One can also sample in \(\textsf{A}_n = \textbf{Z}^{n+1}\cap \textbf{1}^\perp \) by sampling in \(\textbf{Z}^{n+1}\) and keeping the sample only when the sum of its coordinates vanishes. This is clearly inefficient as n grows. In the next section, we propose a far more efficient algorithm when \(n\geqslant 9\).
14. The parameters \(\kappa _2\) and \(n_2\) are placeholders for the number \(\kappa _2\) of vectors of norm \(n_2\), the smallest possible norm in the lattice that is larger than \(\lambda _1\).
15. From e.g. [24, Lemma 3.5], we have \(\eta _\varepsilon (\varLambda ) \leqslant \lambda _1^{\infty }(\varLambda ^\vee )^{-1} \cdot \eta _\varepsilon (\textbf{Z}^n)\) for all rank n lattices. While out of the scope of the present paper, it is possible to give a bound depending on \(\lambda _1(\varLambda ^\vee )\) in the \(\ell _2\)-norm instead, without the \(\sqrt{n}\) loss of [24, Lemma 3.5] and unconditionally on \(\varepsilon \) (contrary to [26, Lemma 2.6]), but involving the kissing number of the dual.
16. Due to space constraints, the Gram matrices of the standard bases of \(\textsf{A}_n\) and its dual are deferred to the full version.
17. We do not describe the construction of the Nebe lattice here, as it will not be used in the following practical applications. We point out, however, that it is also based on a 3-ing construction over the Leech lattice, so our framework readily applies.
18. In practice, this second call is encoded by the orthogonalization \(\textbf{b}_1^*\) of \(\textbf{b}_1\) in the cyclotomic field; such details are not our focus here, and we refer the interested reader to the full version of this paper for a complete presentation.
19. It is also known as (a scaling of) the co-different ideal.
20. Falcon showcased an FFO-style sampler over cyclotomic rings of conductor \(3\cdot 2^\ell \) in round 1 of the NIST call. It was abandoned because of its high technicality. Such rings are also the focus of the implementation in [21].
21. See the full version.
22.
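Notes 8, 10 and 13 above describe three concrete ingredients of the framework: the Klein/GPV sampler as a randomized nearest-plane algorithm, the Gram–Schmidt bound \(\eta _\varepsilon (\varLambda )\leqslant \max _i \Vert \textbf{b}_i^*\Vert \cdot \eta _{\varepsilon }(\textbf{Z}^n)\) that governs the width Klein’s sampler needs, and the naive rejection sampler for \(\textsf{A}_n\) whose acceptance rate collapses as n grows. The following Python block is an added illustration of those three points, not code from the paper or its authors. It assumes the standard bound \(\eta _\varepsilon (\textbf{Z}^n)\leqslant \sqrt{\ln(2n(1+1/\varepsilon ))/\pi }\) (Micciancio–Regev) for the \(\textbf{Z}^n\) term, a toy rank-2 basis constructed here, and a simple windowed rejection sampler for the one-dimensional discrete Gaussian (not constant-time, and not the paper’s sampler).

```python
import math
import random


def sample_z(center, s, rng, tail=6):
    # Discrete Gaussian D_{Z,s,c}, P(x) ∝ rho_s(x - c) = exp(-pi (x - c)^2 / s^2).
    # Uniform proposal on a window of ±tail*s around c, accepted with probability
    # rho_s(x - c) <= 1. Simple and exact up to the (negligible) tail cut; not
    # constant-time, so only for illustration.
    lo = math.floor(center - tail * s)
    hi = math.ceil(center + tail * s)
    while True:
        x = rng.randint(lo, hi)
        if rng.random() < math.exp(-math.pi * (x - center) ** 2 / s ** 2):
            return x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    # Gram-Schmidt orthogonalisation: returns the vectors b*_i as floats.
    bstar = []
    for b in basis:
        v = [float(x) for x in b]
        for bs in bstar:
            mu = dot(b, bs) / dot(bs, bs)
            v = [a - mu * c for a, c in zip(v, bs)]
        bstar.append(v)
    return bstar


def eta_eps_zn(n, eps):
    # Assumed standard bound (Micciancio-Regev): eta_eps(Z^n) <= sqrt(ln(2n(1+1/eps)) / pi).
    return math.sqrt(math.log(2 * n * (1 + 1 / eps)) / math.pi)


def klein_width_bound(basis, eps):
    # Note 10: eta_eps(L) <= max_i ||b*_i|| * eta_eps(Z^n). Klein's sampler is
    # provably correct for any Gaussian width s at or above this value.
    bstar = gram_schmidt(basis)
    return max(math.sqrt(dot(v, v)) for v in bstar) * eta_eps_zn(len(basis), eps)


def klein_sample(basis, s, center, seed=0):
    # Randomised nearest plane (Klein/GPV, note 8): walk the basis from last to
    # first; at step i draw the integer coefficient z_i from D_{Z, s/||b*_i||, c_i},
    # where c_i is the coordinate of the current target on b*_i, then subtract
    # z_i * b_i from the target. Returns the lattice vector and its coefficients.
    rng = random.Random(seed)
    n = len(basis)
    bstar = gram_schmidt(basis)
    c = [float(x) for x in center]
    z = [0] * n
    for i in range(n - 1, -1, -1):
        norm2 = dot(bstar[i], bstar[i])
        ci = dot(c, bstar[i]) / norm2
        z[i] = sample_z(ci, s / math.sqrt(norm2), rng)
        c = [a - z[i] * b for a, b in zip(c, basis[i])]
    dim = len(basis[0])
    v = [sum(z[i] * basis[i][k] for i in range(n)) for k in range(dim)]
    return v, z


def sample_an_rejection(n, s, count, seed=0):
    # Note 13's naive sampler for A_n = Z^{n+1} ∩ 1^perp: draw n+1 independent
    # D_{Z,s} coordinates and keep the vector only when they sum to zero.
    # Returns the accepted samples and the empirical acceptance rate, which
    # decays roughly like 1 / (s * sqrt(n+1)).
    rng = random.Random(seed)
    samples, trials = [], 0
    while len(samples) < count:
        trials += 1
        v = [sample_z(0.0, s, rng) for _ in range(n + 1)]
        if sum(v) == 0:
            samples.append(v)
    return samples, count / trials


if __name__ == "__main__":
    B = [[3, 1], [1, 4]]  # constructed toy basis, not from the paper
    print("Klein width bound for eps = 2^-10:", klein_width_bound(B, 2 ** -10))
    v, z = klein_sample(B, 6.0, [1.5, -2.0], seed=1)
    print("Klein sample:", v, "coefficients:", z)
    for n in (1, 8, 24):
        _, rate = sample_an_rejection(n, 3.0, 200, seed=n)
        print(f"A_{n}: acceptance rate {rate:.3f}")
```

Running the block prints one lattice sample for the toy basis and the empirical acceptance rates of the rejection sampler for \(\textsf{A}_1\), \(\textsf{A}_8\) and \(\textsf{A}_{24}\); the drop between them is the inefficiency note 13 refers to, and motivates dedicated root-lattice samplers.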
References
Aggarwal, D., Stephens-Davidowitz, N.: Just take the average! An embarrassingly simple \(2^n\)-time algorithm for SVP (and CVP). In: 1st Symposium on Simplicity in Algorithms (SOSA 2018). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
Agrawal, S.: Stronger security for reusable garbled circuits, general definitions and attacks. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. Part I, volume 10401 of LNCS, pp. 3–35. Springer, Heidelberg (2017)
Babai, L.: On Lovász’ lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020)
Conway, J., Sloane, N.: Fast quantizing and decoding and algorithms for lattice quantizers and codes. IEEE Trans. Inf. Theory 28(2), 227–232 (1982)
Conway, J., Sloane, N.: A fast encoding method for lattice codes and quantizers. IEEE Trans. Inf. Theory 29(6), 820–824 (1983)
Conway, J., Sloane, N.J.A.: Sphere Packings, Lattices and Groups. Grundlehren der Mathematischen Wissenschaften 290. Springer-Verlag, New York (1988). https://doi.org/10.1007/978-1-4757-6568-7
Corlay, V., Boutros, J.J., Ciblat, P., Brunel, L.: On the decoding of lattices constructed via a single parity check. IEEE Trans. Inf. Theory 68, 2961–2963 (2022)
Ducas, L., Kiltz, E., et al.: CRYSTALS-Dilithium: a lattice-based digital signature scheme. IACR TCHES 2018(1), 238–268 (2018). https://tches.iacr.org/index.php/TCHES/article/view/839
Ducas, L., Lyubashevsky, V., Prest, T.: Efficient identity-based encryption over NTRU lattices. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. Part II, volume 8874 of LNCS, pp. 22–41. Springer, Heidelberg (2014)
Ducas, L., Postlethwaite, E.W., Pulles, L.N., van Woerden, W.P.J.: Hawk: Module LIP makes lattice signatures fast, compact and simple. IACR Cryptol. ePrint Arch., p. 1155 (2022)
Ducas, L., Prest, T.: Fast Fourier Orthogonalization. In: ISSAC 2016, pp. 191–198 (2016)
Ducas, L., van Woerden, W.P.J.: The closest vector problem in tensored root lattices of type A and in their duals. Des. Codes Crypt. 86(1), 137–150 (2018)
Ducas, L., Espitau, T., Postlethwaite, E.W.: Finding short integer solutions when the modulus is small. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology. CRYPTO 2023. LNCS, vol. 14083, pp. 150–176. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38548-3_6
Espitau, T., et al.: MITAKA: a simpler, parallelizable, maskable variant of FALCON. In: Dunkelman, O., Dziembowski, S. (eds.) Advances in Cryptology. EUROCRYPT 2022. Lecture Notes in Computer Science, vol. 13277, pp. 222–223. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-07082-2_9
Espitau, T., Kirchner, P.: The nearest-colattice algorithm. ANTS 2020 (2020)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M., (ed.) 41st ACM STOC, pp. 169–178. ACM Press, May/June 2009
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C., (ed.) 40th ACM STOC, pp. 197–206. ACM Press, May 2008
Gover, M.J.C.: The eigenproblem of a tridiagonal 2-Toeplitz matrix. Linear Algebra Appl. 198, 63–78 (1994)
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Lyubashevsky, V., Seiler, G.: NTTRU: truly fast NTRU using NTT. IACR TCHES. 2019(3), 180–201 (2019). https://tches.iacr.org/index.php/TCHES/article/view/8293
Martinet, J.: Perfection and Eutaxy, pp. 67–108 (2003)
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012)
Peikert, C.: Limits on the hardness of lattice problems in \(l_p\) norms (2008)
Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_5
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: Hatami, H., McKenzie, P., King, V., (ed.) 49th ACM STOC, pp. 461–473. ACM Press, June 2017
Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. Part I, volume 11692 of LNCS, pp. 89–114. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-030-26948-7_4
Prest, T.: Gaussian Sampling in Lattice-Based Cryptography. Ph.D. thesis, École Normale Supérieure, Paris, France (2015)
Prest, T., et al.: Falcon: Submission to the NIST’s post-quantum cryptography standardization process. https://csrc.nist.gov/Projects/post-quantum-cryptography/round-3-submissions
van Woerden, W.P.J.: The closest vector problem in cyclotomic lattices. Ph.D. thesis, Leiden University (2016)
Yu, Y., Jia, H., Wang, X.: Compact lattice gadget and its applications to hash-and-sign signatures. In: Handschuh, H., Lysyanskaya, A. (eds.) Advances in Cryptology. CRYPTO 2023. LNCS, vol. 14085, pp. 390–420. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38554-4_13
Acknowledgements
We thank anonymous reviewers for numerous comments and suggestions for improvement.
Yang Yu is supported by the National Natural Science Foundation of China (No. 62102216), the Mathematical Tianyuan Fund of the National Natural Science Foundation of China (Grant No. 12226006), the National Key Research and Development Program of China (Grant No. 2018YFA0704701, 2022YFB2702804), the Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008), Major Scientific and Technological Innovation Project of Shandong Province, China (Grant No. 2019JZZY010133), and Shandong Key Research and Development Program (Grant No. 2020ZLYS09). Alexandre Wallet was supported by PEPR quantique France 2030 programme (ANR-22-PETQ-0008) and by the ANR ASTRID project AMIRAL (ANR-21-ASTR-0016).
© 2023 International Association for Cryptologic Research
Cite this paper
Espitau, T., Wallet, A., Yu, Y. (2023). On Gaussian Sampling, Smoothing Parameter and Application to Signatures. In: Guo, J., Steinfeld, R. (eds) Advances in Cryptology – ASIACRYPT 2023. ASIACRYPT 2023. Lecture Notes in Computer Science, vol 14444. Springer, Singapore. https://doi.org/10.1007/978-981-99-8739-9_3
DOI: https://doi.org/10.1007/978-981-99-8739-9_3
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8738-2
Online ISBN: 978-981-99-8739-9