COSAC: COmpact and Scalable Arbitrary-Centered Discrete Gaussian Sampling over Integers

Zhao, Raymond K.; Steinfeld, Ron; Sakzad, Amin

doi:10.1007/978-3-030-44223-1_16

Cited by 11 publications

(9 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…, then L ≤ 2 bits of security are lost overall for our finite arithmetic precision p f p LATTE implementation versus the infinite precision implementation. To compute B T ≤ B M Z , we use the RD bound B on the COSAC Z sampler RD from the ideal Z sampler distribution derived in [21] corresponding to the COSAC sampler precision p D used in our COSAC implementation (see Sec. V-B for the discussions).…”

Section: Statistical Model For Ffsampling Precisionmentioning

confidence: 99%

“…Then, we discuss the integer discrete Gaussian sampling techniques in Sec. V-B, including the adoption of FACCT [19] and COSAC [20], [21] samplers in our LATTE implementation.…”

Section: Id-ow-cpa Security Of Improved Lattementioning

confidence: 99%

“…In addition, the proposed LATTE specification [13] did not discuss the integer discrete Gaussian sampling techniques suitable for the needed standard deviations. We integrate efficient sampling techniques, including FACCT [19] and the variant [20] of COSAC [21] in our optimised LATTE implementation.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Quantum-Safe HIBE: Does It Cost a Latte?

Zhao,

McCarthy,

Steinfeld

et al. 2024

IEEE Trans.Inform.Forensic Secur.

Self Cite

View full text Add to dashboard Cite

The United Kingdom (UK) government is considering advanced primitives such as identity-based encryption (IBE) for adoption as they transition their public-safety communications network from TETRA to an LTE-based service. However, the current LTE standard relies on elliptic-curve-based IBE, which will be vulnerable to quantum computing attacks, expected within the next 20-30 years. Lattices can provide quantumsafe alternatives for IBE. These schemes have shown promising results in terms of practicality. To date, several IBE schemes over lattices have been proposed, but there has been little in the way of practical evaluation. This paper provides the first complete optimised practical implementation and benchmarking of LATTE, a promising Hierarchical IBE (HIBE) scheme proposed by the UK National Cyber Security Centre (NCSC) in 2017 and endorsed by European Telecommunications Standards Institute (ETSI). We propose optimisations for the KeyGen, Delegate, Extract and Gaussian sampling components of LATTE, to increase attack costs, reduce decryption key lengths by 2x-3x, ciphertext sizes by up to 33%, and improve speed. In addition, we conduct a precision analysis, bounding the Rényi divergence of the distribution of the real Gaussian sampling procedures from the ideal distribution in corroboration of our claimed security levels. Our resulting implementation of the Delegate function takes 0.4 seconds at 80-bit security level on a desktop machine at 4.2GHz, significantly faster than the order of minutes estimated in the ETSI technical report. Furthermore, our optimised LATTE Encrypt/Decrypt implementation reaches speeds up to 9.7x faster than the ETSI implementation.Index Terms-lattice-based cryptography, hierarchical identity-based encryption, advanced primitives, software design, post-quantum I. INTRODUCTIONT HE UK Government anticipates the migration of its mission-critical communications network from Airwave TETRA to LTE-based Emergency Services Network (ESN) [1] will be complete by 2026 [2]. However, the current standard [3] relies on Elliptic Curve (ECC)-based IBE scheme MIKEY-SAKKE for securing messages. The first such device authorised for ESN is the Panasonic Toughbook Tablet which runs on Intel i5 and transmits data via EM7511 Band 14 mobile broadband. An IBE scheme removes the need for a certificate repository by deriving a user's public key from their already established public identity. This provides a low latency setup with instantaneous communication capabilities, hence is ideal for this use-case. However, ECC will be rendered insecure under quantum computing attacks, as acknowledged by

show abstract

Section: Statistical Model For Ffsampling Precisionmentioning

confidence: 99%

“…Then, we discuss the integer discrete Gaussian sampling techniques in Sec. V-B, including the adoption of FACCT [19] and COSAC [20], [21] samplers in our LATTE implementation.…”

Section: Id-ow-cpa Security Of Improved Lattementioning

confidence: 99%

See 1 more Smart Citation

Quantum-Safe HIBE: Does It Cost a Latte?

Zhao,

McCarthy,

Steinfeld

et al. 2024

IEEE Trans.Inform.Forensic Secur.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Verifiable encryption needs to sample vectors according to a discrete Gaussian distribution. For an R q element with standard deviation σ E ≈ 2 15.7 (for the encryption scheme), the implementation from COSAC [ZSS20] made available for σ = 2 17 samples 1024 integers in 0.12 ms using very small precomputation tables. Each encryption iteration takes 69 ms and, because we expect to need 3 attempts to generate one valid encryption (line 8 in Figure 3), the total time of encryption is around 208 ms. For verification, 39 ms are necessary to execute a test; and 6 ms are required for the actual decryption.…”

Section: Timingsmentioning

confidence: 99%

Lattice-Based Proof of Shuffle and Applications to Electronic Voting

Aranha

Baum

Gjøsteen

et al. 2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A verifiable shuffle of known values is a method for proving that a collection of commitments opens to a given collection of known messages, without revealing a correspondence between commitments and messages. We propose the first practical verifiable shuffle of known values for lattice-based commitments. Shuffles of known values have many applications in cryptography, and in particular in electronic voting. We use our verifiable shuffle of known values to build a practical lattice-based cryptographic voting system that supports complex ballots. Our scheme is also the first construction from candidate post-quantum secure assumptions to defend against compromise of the voter's computer using return codes. We implemented our protocol and present benchmarks of its computational runtime. The size of the verifiable shuffle is 22τ KB and takes time 33τ ms for τ voters. This is around 5 times faster and 40 % smaller per vote than the lattice-based voting scheme by del Pino et al. (ACM CCS 2017), which can only handle yes/no-elections.

show abstract

“…e noise with normal distribution makes the model have many elegant mathematical properties. Although the discrete Laplace noise mechanism and the discrete Gaussian noise mechanism cannot be compared in the same model, since they are used in different privacy mechanisms, we are still willing to use the discrete Gaussian noise in order to obtain aesthetic mathematical conclusions [10][11][12][13].…”

Section: Discrete Gaussianmentioning

confidence: 99%

The Discrete Gaussian Expectation Maximization (Gradient) Algorithm for Differential Privacy

2021

Computational Intelligence and Neuroscience

View full text Add to dashboard Cite

In this paper, we give a modified gradient EM algorithm; it can protect the privacy of sensitive data by adding discrete Gaussian mechanism noise. Specifically, it makes the high-dimensional data easier to process mainly by scaling, truncating, noise multiplication, and smoothing steps on the data. Since the variance of discrete Gaussian is smaller than that of the continuous Gaussian, the difference privacy of data can be guaranteed more effectively by adding the noise of the discrete Gaussian mechanism. Finally, the standard gradient EM algorithm, clipped algorithm, and our algorithm (DG-EM) are compared with the GMM model. The experiments show that our algorithm can effectively protect high-dimensional sensitive data.

show abstract

COSAC: COmpact and Scalable Arbitrary-Centered Discrete Gaussian Sampling over Integers

Cited by 11 publications

References 17 publications

Quantum-Safe HIBE: Does It Cost a Latte?

Quantum-Safe HIBE: Does It Cost a Latte?

Lattice-Based Proof of Shuffle and Applications to Electronic Voting

The Discrete Gaussian Expectation Maximization (Gradient) Algorithm for Differential Privacy

Contact Info

Product

Resources

About