**Simple Lattice Trapdoor Sampling from a Broad Class of Distributions**

*Vadim Lyubashevsky and Daniel Wichs*

**Abstract: **At the center of many lattice-based constructions is an algorithm that samples a short vector $s$, satisfying $[A|AR-HG]s=t\bmod q$ where $A,AR, H, G$ are public matrices and $R$ is a trapdoor. Although the algorithm crucially relies on the knowledge of the trapdoor $R$ to perform this sampling efficiently, the distribution it outputs should be independent of $R$ given the public values. We present a new, simple algorithm for performing this task. The main novelty of our sampler is that the distribution of $s$ does not need to be Gaussian, whereas all previous works crucially used the properties of the Gaussian distribution to produce such an $s$. The advantage of using a non-Gaussian distribution is that we are able to avoid the high-precision arithmetic that is inherent in Gaussian sampling over arbitrary lattices. So while the norm of our output vector $s$ is on the order of $\sqrt{n}$ to $n$ - times larger (the representation length, though, is only a constant factor larger) than in the samplers of Gentry, Peikert, Vaikuntanathan (STOC 2008) and Micciancio, Peikert (EUROCRYPT 2012), the sampling itself can be done very efficiently. This provides a useful time/output trade-off for devices with constrained computing power. In addition, we believe that the conceptual simplicity and generality of our algorithm may lead to it finding other applications.

**Category / Keywords: **public-key cryptography / lattice cryptography, pre-image sampling

**Original Publication**** (in the same form): **IACR-PKC-2015

**Date: **received 31 Dec 2014, last revised 4 Jan 2015

**Contact author: **lyubash at di ens fr

**Available format(s): **PDF | BibTeX Citation

**Note: **Fixed some typos.

**Version: **20150104:082020 (All versions of this report)

**Short URL: **ia.cr/2014/1027

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]