Paper 2023/1654

On Gaussian sampling, smoothing parameter and application to signatures

Thomas Espitau, PQShield
Alexandre Wallet, Université de Rennes
Yang Yu, Tsinghua University
Abstract

We present a general framework for polynomial-time lattice Gaussian sampling. It revolves around a systematic study of the discrete Gaussian measure and its samplers under extensions of lattices; we first show that given lattices $\Lambda'\subset \Lambda$ we can sample efficiently in $\Lambda$ if we know how to do so in $\Lambda'$ and the quotient $\Lambda/\Lambda'$, \emph{regardless} of the primitivity of $\Lambda'$. As a direct application, we tackle the problem of domain extension and restriction for sampling and propose a sampler tailored for lattice \emph{filtrations}, which can be seen as a broad generalization of the celebrated Klein's sampler. Then, we demonstrate how to sample using a change of bases, or even switching the ambient space, even when the target lattice is not represented as full-rank in the ambient space. We show how to correct the induced distortion with the ``convolution-like'' technique of Peikert (Crypto 2010) (which we encompass as a byproduct). Since our framework aims at modularity and leverage the combinations of smaller samplers to build new ones, we also propose ad-hoc samplers for the so-called \emph{root lattices} $\mathsf{A}_n, \mathsf{D}_n, \mathsf{E}_n$ as base cases, extending the state-of-the-art for root lattice sampling, which was limited to $\mathbb{Z}^n$. We also show how our framework blends with the so-called $k$ing construction and provides a sampler for the remarkable Leech and Barnes-Wall lattices. As a by-product, we obtain novel, quasi-linear samplers for prime and smooth conductor (as $2^\ell 3^k$) cyclotomic rings, achieving essentially optimal Gaussian width. In a practice-oriented application, we showcase the impact of our work on hash-and-sign signatures over \textsc{ntru} lattices. In the best case, we can gain around 200 bytes (which corresponds to an improvement greater than 20\%) on the signature size. We also improve the new gadget-based constructions (Yu, Jia, Wang, Crypto 2023) and gain up to 110 bytes for the resulting signatures. Lastly, we sprinkle our exposition with several new estimates for the smoothing parameter of lattices, stemming from our algorithmic constructions and by novel methods based on series reversion.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in ASIACRYPT 2023
Keywords
gaussian samplinglatticediscrete gaussianssignatures
Contact author(s)
t espitau @ gmail com
alexandre wallet @ inria fr
yang yu0986 @ gmail com
History
2023-10-26: approved
2023-10-25: received
See all versions
Short URL
https://ia.cr/2023/1654
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2023/1654,
      author = {Thomas Espitau and Alexandre Wallet and Yang Yu},
      title = {On Gaussian sampling, smoothing parameter and application to signatures},
      howpublished = {Cryptology ePrint Archive, Paper 2023/1654},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/1654}},
      url = {https://eprint.iacr.org/2023/1654}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.