A new Gaussian sampling for trapdoor lattices with arbitrary modulus

Published in Designs, Codes and Cryptography

Abstract

Gaussian sampling for trapdoor lattices is often the primary bottleneck in bringing advanced lattice-based schemes into practice. Micciancio and Peikert (Eurocrypt 2012) designed a specialized algorithm for sampling small integer preimages using their “strong trapdoors”. Specifically, they split this task into two phases: (1) an off-line phase, which receives little attention since it is target-independent; and (2) an on-line phase, which is target-dependent and is far more critical for concretely improving efficiency in applications. When the modulus q is a power of two, the MP12 sampler can be highly optimized and achieves linear complexity in the bit size k of q. For an arbitrary modulus q, however, it has to fall back on the general sampling algorithm, which operates on the reals with quadratic complexity in both space and time. In this work, we concentrate mainly on the on-line phase of the sampling procedure (i.e., the key part to optimize) and propose an improved algorithm that handles an arbitrary modulus q. The new algorithm has linear complexity O(k) in both time and space, matching the performance of the MP12 sampler for \(q=2^k\). Moreover, it operates mainly on the integers rather than the reals. Finally, its output has slightly better quality than that of previous samplers for specific parameters. Our experimental results show that the new algorithm outperforms previous works. Essentially, it can be seen as a natural generalization of the MP12 sampler for \(q=2^k\) to the arbitrary-modulus setting.
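
The abstract contrasts the MP12 sampler for \(q=2^k\), which walks the bits of the target and works on integers, with the real-valued general sampler needed for other moduli. The Python block below is an added illustration of that power-of-two baseline (the case the paper generalizes); it is not code from the paper or its authors. It samples \(\mathbf{x}\in\mathbb{Z}^k\) with \(\langle \mathbf{g},\mathbf{x}\rangle \equiv u \pmod{2^k}\) for the gadget \(\mathbf{g}=(1,2,\ldots,2^{k-1})\) by drawing one coset sample from \(D_{2\mathbb{Z}+u,\,r}\) per bit and then shifting the target. The coset sampler is plain rejection sampling with a tail cut; the width r and the tail parameter are illustrative assumptions, as is the check_preimage helper.

```python
import math
import random


def sample_dgauss_coset(c, r, rng, tail=12.0):
    """Draw x from the discrete Gaussian D_{2Z + c, r}: x is an integer with
    x ≡ c (mod 2), centred at 0, with probability proportional to
    rho_r(x) = exp(-pi * x^2 / r^2) (MP12 notation).
    Plain rejection sampling over the tail cut [-tail*r, tail*r]; this is a
    variable-time stand-in for illustration, not a deployable sampler."""
    c &= 1
    bound = int(math.ceil(tail * r))
    while True:
        y = rng.randint(-bound, bound)
        if (y & 1) != c:          # wrong coset of 2Z, draw again
            continue
        if rng.random() < math.exp(-math.pi * y * y / (r * r)):
            return y


def g_sample_pow2(u, k, r, rng=None):
    """MP12 on-line sampler for the gadget g = (1, 2, 4, ..., 2^(k-1)) with
    q = 2^k: returns x in Z^k with <g, x> ≡ u (mod q), distributed (up to
    negligible statistical distance) as D_{Lambda_u^perp(g), r}.
    One coset sample and one integer shift per bit: O(k) time and space,
    with no arithmetic on the reals outside the coset sampler."""
    rng = rng if rng is not None else random.Random()
    q = 1 << k
    u %= q
    x = []
    for _ in range(k):
        xi = sample_dgauss_coset(u & 1, r, rng)  # x_i ≡ u (mod 2)
        x.append(xi)
        u = (u - xi) >> 1  # u - x_i is even, so the shift is exact
    return x


def check_preimage(x, u, k):
    """Verify <g, x> ≡ u (mod 2^k); the check a caller should make before
    using a sampled preimage (assumed helper, not from the paper)."""
    q = 1 << k
    return sum(xi << i for i, xi in enumerate(x)) % q == u % q


if __name__ == "__main__":
    # Constructed demo parameters: k = 16 bits of modulus, width r = 4.
    k, r = 16, 4.0
    rng = random.Random(1)
    u = rng.randrange(1 << k)
    x = g_sample_pow2(u, k, r, rng)
    print(u, x, check_preimage(x, u, k))
```

Each of the k steps touches only integers, which is where the linear cost comes from; the correctness invariant is \(u_0 = \sum_i 2^i x_i + 2^k u_k\). The rejection-sampling coset sampler is variable-time and serves only as a stand-in: a deployable trapdoor sampler needs constant-time Gaussian sampling, since timing variation in this on-line phase is correlated with the secret-dependent preimage.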

Fig. 1

Notes

  1. Theoretically, we only need to ensure that \(\varSigma _{\mathbf {p}}\) is positive definite. However, for convenience when sampling from \(D_{\mathbb Z^m,r\sqrt{\varSigma _{\mathbf {p}}}}\) (see Remark 1 in Sect. 4.2), we need to choose s large enough such that \(\varSigma _{\mathbf {p}}-\mathbf {I}\) is positive definite.

  2. Of course, one can equivalently use \(\mathcal O'(\mathbf {v})=\mathcal O(\mathbf {v})+\mathcal O(\mathbf {0})\). Note that this can still be faster than the sampler in [19], even though \(\mathcal O\) is invoked twice, since our sampler is more than twice as fast as that in [19], and \(\mathcal O(\mathbf {0})\) will be faster than \(\mathcal O(\mathbf {v})\) for \(\mathbf {v}\ne \mathbf {0}\).

References

  1. Agrawal S.: Stronger security for reusable garbled circuits, general definitions and attacks. In: CRYPTO 2017, pp. 3–35 (2017).

  2. Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: EUROCRYPT 2010, pp. 553–572 (2010).

  3. Agrawal S., Boneh D., Boyen X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: CRYPTO 2010, pp. 98–115 (2010).

  4. Agrawal S., Boyen X., Vaikuntanathan V., Voulgaris P., Wee H.: Functional encryption for threshold functions (or fuzzy IBE) from lattices. In: PKC 2012, pp. 280–297 (2012).

  5. Ajtai M.: Generating hard instances of lattice problems. Quaderni di Matematica 13, 1–32 (2004). Preliminary version in STOC (1996).

  6. Bansarkhani R.E., Buchmann J.A.: Improvement and efficient implementation of a lattice-based signature scheme. In: SAC 2013, pp. 48–67 (2013).

  7. Bellare M., Kiltz E., Peikert C., Waters B.: Identity-based (lossy) trapdoor functions and applications. In: EUROCRYPT 2012, pp. 228–245 (2012).

  8. Bendlin R., Krehbiel S., Peikert C.: How to share a lattice trapdoor: threshold protocols for signatures and (H)IBE. In: ACNS 2013, pp. 218–236 (2013).

  9. Boneh D., Freeman D.M.: Homomorphic signatures for polynomial functions. In: EUROCRYPT 2011, pp. 149–168 (2011).

  10. Boneh D., Freeman D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: PKC 2011, pp. 1–16 (2011).

  11. Boneh D., Gentry C., Gorbunov S., Halevi S., Nikolaenko V., Segev G., Vaikuntanathan V., Vinayagamurthy D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: EUROCRYPT 2014, pp. 533–556 (2014).

  12. Boyen X., Li Q.: Towards tightly secure lattice short signature and id-based encryption. In: ASIACRYPT 2016, pp. 404–434 (2016).

  13. Brakerski Z., Vaikuntanathan V.: Circuit-ABE from LWE: unbounded attributes and semi-adaptive security. In: CRYPTO 2016, pp. 363–384 (2016).

  14. Brakerski Z., Langlois A., Peikert C., Regev O., Stehlé D.: Classical hardness of learning with errors. In: STOC 2013, pp. 575–584 (2013).

  15. Brakerski Z., Vaikuntanathan V., Wee H., Wichs D.: Obfuscating conjunctions under entropic ring LWE. In: ITCS 2016, pp. 147–156 (2016).

  16. Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2012).

  17. Clear M., McGoldrick C.: Multi-identity and multi-key leveled FHE from learning with errors. In: CRYPTO 2015, pp. 630–656 (2015).

  18. Dai W., Doröz Y., Polyakov Y., Rohloff K., Sajjadpour H., Savas E., Sunar B.: Implementation and evaluation of a lattice-based key-policy ABE scheme. IACR Cryptology ePrint Archive, Report 2017/601 (2017).

  19. Genise N., Micciancio D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. In: EUROCRYPT 2018, pp. 174–203 (2018).

  20. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206 (2008).

  21. Gentry C., Sahai A., Waters B.: Homomorphic encryption from learning with errors: conceptually simpler, asymptotically faster, attribute-based. In: CRYPTO 2013, pp. 75–92 (2013).

  22. Gorbunov S., Vaikuntanathan V., Wee H.: Attribute-based encryption for circuits. J. ACM 62(6), 45:1–45:33 (2015). Preliminary version in STOC (2013).

  23. Gorbunov S., Vaikuntanathan V., Wichs D.: Leveled fully homomorphic signatures from standard lattices. In: STOC 2015, pp. 469–477 (2015).

  24. Gorbunov S., Vaikuntanathan V., Wee H.: Predicate encryption for circuits from LWE. In: CRYPTO 2015, pp. 503–523 (2015).

  25. Gordon S.D., Katz J., Vaikuntanathan V.: A group signature scheme from lattice assumptions. In: ASIACRYPT 2010, pp. 395–412 (2010).

  26. Gür K.D., Polyakov Y., Rohloff K., Ryan G.W., Savas E.: Implementation and evaluation of improved Gaussian sampling for lattice trapdoors. IACR Cryptology ePrint Archive, Report 2017/285 (2017).

  27. Kim S., Wu D.J.: Watermarking cryptographic functionalities from standard lattice assumptions. In: CRYPTO 2017, pp. 503–536 (2017).

  28. Klein P.N.: Finding the closest lattice vector when it’s unusually close. In: SODA 2000, pp. 937–941 (2000).

  29. Laguillaumie F., Langlois A., Libert B., Stehlé D.: Lattice-based group signatures with logarithmic signature size. In: ASIACRYPT 2013, pp. 41–61 (2013).

  30. Langlois A., Ling S., Nguyen K., Wang H.: Lattice-based group signature scheme with verifier-local revocation. In: PKC 2014, pp. 345–361 (2014).

  31. Ling S., Nguyen K., Stehlé D., Wang H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: PKC 2013, pp. 107–124 (2013).

  32. Lyubashevsky V., Micciancio D., Peikert C., Rosen A.: SWIFFT: a modest proposal for FFT hashing. In: FSE 2008, pp. 54–72 (2008).

  33. Lyubashevsky V., Peikert C., Regev O.: A toolkit for ring-LWE cryptography. In: EUROCRYPT 2013, pp. 35–54 (2013).

  34. Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: EUROCRYPT 2012, pp. 700–718 (2012).

  35. Micciancio D., Regev O.: Worst-case to average-case reductions based on Gaussian measure. SIAM J. Comput. 37(1), 267–302 (2007). Preliminary version in FOCS (2004).

  36. Nguyen P.Q., Zhang J., Zhang Z.: Simpler efficient group signatures from lattices. In: PKC 2015, pp. 401–426 (2015).

  37. O’Neill A., Peikert C., Waters B.: Bi-deniable public-key encryption. In: CRYPTO 2011, pp. 525–542 (2011).

  38. Peikert C.: An efficient and parallel Gaussian sampler for lattices. In: CRYPTO 2010, pp. 80–97 (2010).

  39. Peikert C., Vaikuntanathan V.: Noninteractive statistical zero-knowledge proofs for lattice problems. In: CRYPTO 2008, pp. 536–553 (2008).

  40. Peikert C., Vaikuntanathan V., Waters B.: A framework for efficient and composable oblivious transfer. In: CRYPTO 2008, pp. 554–571 (2008).

  41. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 1–40 (2009). Preliminary version in STOC (2005).

  42. Rückert M.: Strongly unforgeable signatures and hierarchical identity-based signatures from lattices without random oracles. In: PQCrypto 2010, pp. 182–200 (2010).

  43. Rückert M.: Adaptively secure identity-based identification from lattices without random oracles. In: SCN 2010, pp. 345–362 (2010).

  44. Zhang J., Chen Y., Zhang Z.: Programmable hash functions from lattices: short signatures and IBEs with small key sizes. In: CRYPTO 2015, pp. 303–332 (2015).


Acknowledgements

We thank Genise for sharing the C++ source code for the implementation of the G-lattice sampling algorithms in [19], and the anonymous reviewers for helpful comments and suggestions. Funding: This work was supported by the National Key R&D Program of China [Grant No. 2017YFB0802000]; the Foundation of National Natural Science of China [Grant Nos. 61802075, 61472309, 61572390, 61672412, 61772147, U1736111, 61802241]; the National Cryptography Development Fund [Grant Nos. MMJJ20170104, MMJJ20170117, MMJJ20180111]; the Guangdong Province Natural Science Foundation of major basic research and Cultivation project [Grant No. 2015A030308016]; the Project of Ordinary University Innovation Team Construction of Guangdong Province [Grant No. 2015KCXTD014]; the Collaborative Innovation Major Projects of Bureau of Education of Guangzhou City [Grant No. 1201610005]; the Plan For Scientific Innovation Talent of Henan Province [Grant No. 184100510012]; the Program for Science & Technology Innovation Talents in Universities of Henan Province [Grant No. 18HASTIT022]; and the Innovation Scientists and Technicians Troop Construction Projects of Henan Province.

Author information

Corresponding author

Correspondence to Huiwen Jia.

Additional information

Communicated by C. Boyd.

The authors report no conflicts of interest. The authors alone are responsible for the content and writing of this article.

Appendix

A. Values of \(\big (E(T_i), D(T_i)\big )\) for \(\mathbf {R}\in \mathcal {P}^{w\times w}\) and \(\mathbf {R}\in D_{\mathbb {Z},s}^{2n\times w}\)

Table 2 \(\big (E(T_1), D(T_1)\big )\) for \(\mathbf {R}\in \mathcal {P}^{w\times w}\)
Table 3 \(\big (E(T_2), D(T_2)\big )\) for \(\mathbf {R}\in D_{\mathbb {Z},s}^{2n\times w}\)

About this article

Cite this article

Hu, Y., Jia, H. A new Gaussian sampling for trapdoor lattices with arbitrary modulus. Des. Codes Cryptogr. 87, 2553–2570 (2019). https://doi.org/10.1007/s10623-019-00635-8
