Arbitrary-Centered Discrete Gaussian Sampling over the Integers

Abstract

Discrete Gaussian sampling over the integers, which is to sample from a discrete Gaussian distribution \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) over the integers \(\mathbb {Z}\) with parameter \(\sigma >0\) and center \(\mu \in \mathbb {R}\), is one of fundamental operations in lattice-based cryptography. The sampling algorithm should support a varying center \(\mu \) and even a varying parameter \(\sigma \), when it is used as one of the subroutines in an algorithm for sampling trapdoor lattices, or sampling from Gaussian distributions over a general n-dimensional lattice \(\varLambda \). In this paper, combining the techniques in Karney’s algorithm for exactly sampling the standard normal distribution, we present an exact sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with an integer-valued parameter \(\sigma \). This algorithm requires no pre-computation storage, uses no floating-point arithmetic, supports centers of arbitrary precision, and does not have any statistical discrepancy. Applying the convolution-like property of discrete Gaussian distributions, we also present an approximated sampling algorithm for \(\mathcal {D}_{\mathbb {Z},\sigma ,\mu }\) with a real-valued parameter \(\sigma \). It also supports centers of arbitrary precision, and we show that the distribution it produces has a smaller max-log distance to the ideal distribution, as compared to Micciancio-Walter sampling algorithm, which was introduced by Micciancio et al. in Crypto 2017 for discrete Gaussian distributions with varying \(\sigma \) and \(\mu \) over the integers.