Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time

Micciancio, Daniele; Walter, Michael

doi:10.1007/978-3-319-63715-0_16

Cited by 85 publications

(108 citation statements)

References 41 publications

Supporting

Mentioning

107

Contrasting

Order By: Relevance

“…Our implementation also supports a gadget matrix with an arbitrary base, which is computationally and spatially much more efficient than the classical binary gadget matrix. 2) Generic integer Gaussian samplers, including recent Karney's rejection [45] and constant-time [46] samplers. These samplers can be used for any integer Gaussian sampling operation in lattice-based cryptography.…”

Section: A Our Contributionsmentioning

confidence: 99%

“…For instance, the optimal values of base t lead to distribution parameters up to 2 20 for G-sampling and even larger values for perturbation generation. This implies that conventional Gaussian sampling techniques such as the inversion sampling developed in [64] and rejection sampling proposed in section 4.1 of [65] are not practical for trapdoor sampling, as described in detail in [46].…”

Section: F Integer Gaussian Samplingmentioning

confidence: 99%

“…To this end, we implement two recently proposed generic samplers: Karney's rejection sampler [45] and constant-time sampler [46].…”

Section: F Integer Gaussian Samplingmentioning

confidence: 99%

“…The generic sampler [46], on the other hand, uses a constanttime algorithm that breaks down sampling for large distribution parameters into multiple runs for much smaller distribution parameters. It also utilizes multiple cosets to support varying-center requirements, with the number of cosets being an adjustable parameter.…”

Section: F Integer Gaussian Samplingmentioning

confidence: 99%

“…When the center c does not change and distribution parameter is small (as in directed encoding or Ring-LWE trapdoor construction), our SampleZ implementation uses the inversion sampling method developed in [64]. In all other cases (trapdoor sampling), we use either Karney's rejection sampler [45] or constant-time sampler [46].…”

Section: B Integer Samplingmentioning

confidence: 99%

See 4 more Smart Citations

Implementing Conjunction Obfuscation Under Entropic Ring LWE

Cousins

Crescenzo

Gür

et al. 2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Abstract-We address the practicality challenges of secure program obfuscation by implementing, optimizing, and experimentally assessing an approach to securely obfuscate conjunction programs proposed in [1]. Conjunction programs evaluate functions f (x1, . . . , xL) = i∈I yi, where yi is either xi or ¬xi and I ⊆ [L], and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable.Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment. Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 53 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors.

show abstract

Section: A Our Contributionsmentioning

confidence: 99%