## Cryptology ePrint Archive: Report 2019/320

Integral Matrix Gram Root and Lattice Gaussian Sampling without Floats

Léo Ducas and Steven Galbraith and Thomas Prest and Yang Yu

Abstract: Many advanced lattice based cryptosystems require to sample lattice points from Gaussian distributions. One challenge for this task is that all current algorithms resort to floating-point arithmetic (FPA) at some point, which has numerous drawbacks in practice: it requires numerical stability analysis, extra storage for high-precision, lazy/backtracking techniques for efficiency, and may suffer from weak determinism which can completely break certain schemes.

In this paper, we give techniques to implement Gaussian sampling over general lattices without using FPA. To this end, we revisit the approach of Peikert, using perturbation sampling. Peikert's approach uses the Cholesky decomposition $\mathbf{\Sigma} = \mathbf{A} \mathbf{A}^t$ of the target covariance matrix $\mathbf{\Sigma}$, giving rise to a square matrix $\mathbf{A}$ with real (not integer) entries. Our idea, in a nutshell, is to replace this decomposition by an integral one. While there is in general no integer solution if we restrict $\mathbf{A}$ to being a square matrix, we show that such a decomposition can be efficiently found by allowing $\mathbf{A}$ to be wider (say $n \times 9n$). This can be viewed as an extension of Lagrange's four-square theorem to matrices. In addition, we adapt our integral decomposition algorithm to the ring setting: for power-of-2 cyclotomics, we can exploit the tower of rings structure for improved complexity and compactness.

Category / Keywords: public-key cryptography / Lattice based cryptography, Discrete Gaussian sampling, Matrix decomposition

Date: received 22 Mar 2019, last revised 30 Mar 2019

Contact author: ducas at cwi nl,s galbraith@auckland ac nz,thomas prest@pqshield com,yu@cwi nl

Available format(s): PDF | BibTeX Citation

Short URL: ia.cr/2019/320

[ Cryptology ePrint archive ]