Abstract
Discrete Gaussian sampling over the integers is one of fundamental operations in lattice-based cryptography. The binary Gaussian distribution DZ+,σ2 is a special discrete Gaussian distribution with σ2=1/(2ln2) and μ=0 over the set of non-negative integers Z+, and a sampling algorithm for DZ+,σ2 can be used as the base sampler in a generic algorithm based on rejection sampling for any discrete Gaussian distribution over the integers. We present a constant-time algorithm for sampling from the binary Gaussian distribution DZ+,σ2. It requires no precomputation storage and mainly relies on bitwise operations, which could be more hardware-friendly. Its computational complexity is lower than that of the algorithm based on the full-tree Knuth-Yao method, and its entropy consumption is smaller than that of the full-table access algorithm based on a cumulative distribution table. The Rényi-divergence based security analysis of our constant-time algorithm can also be simplified.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
