Abstract

A gadget decomposition algorithm is commonly used in many advanced lattice cryptography applications that support homomorphic operations over ciphertexts, in order to control the noise growth. For a special structure of the gadget, the algorithm is digit decomposition. If such an algorithm samples from a subgaussian distribution, that is, if its output is randomized, the output quality improves. One important advantage is Pythagorean additivity, which makes the noise contained in the resulting ciphertext grow much less than under naive digit decomposition. Therefore, the error analysis becomes cleaner and tighter than with other measures such as the Euclidean norm and the infinity norm. Although the same advantage can also be achieved with discrete Gaussian sampling, that option is unattractive for practical performance because of the large factor it introduces in the resulting noise and the complex computation of the exponential function, whereas a subgaussian distribution only requires a more relaxed probability condition. Nevertheless, subgaussian sampling had barely received attention, and no practical algorithm was implemented until an efficient algorithm was recently presented by Genise et al. In this paper, we present a practically efficient gadget decomposition algorithm whose output follows a subgaussian distribution. We parallelize the existing practical subgaussian gadget decomposition algorithm using a bounded uniform distribution. Our algorithm is divided into two independent subalgorithms, and only one of them depends on the input; the other can therefore be treated as precomputation. As an experimental result, our algorithm performs over 50% better than the existing algorithm.
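As an added illustration (not code from the paper, and not its parallel algorithm), the following Python contrasts deterministic base-b digit decomposition with a zero-mean randomised digit decomposition for a power-of-base modulus q = b^k, and measures how the accumulated digit vectors grow in each case. The randomised rule (each digit is r or r - b with probability chosen so its mean is zero) is assumed here as a simple subgaussian sampler; the parameters and inputs are constructed.

```python
import random

def naive_digit_decompose(u: int, b: int, k: int) -> list[int]:
    """Deterministic base-b digit decomposition of u in Z_q, q = b**k.
    Digits lie in [0, b) with mean (b-1)/2, so the noise terms they
    multiply accumulate linearly when many ciphertexts are combined."""
    u %= b ** k
    digits = []
    for _ in range(k):
        digits.append(u % b)
        u //= b
    return digits

def subgaussian_digit_decompose(u: int, b: int, k: int, rng=random) -> list[int]:
    """Randomised digit decomposition for the power-of-base modulus q = b**k.
    Each digit is x = r or x = r - b with r = u mod b and P[x = r - b] = r/b,
    so E[x] = 0 and |x| < b: zero-mean and bounded, hence subgaussian.
    Choosing r - b pushes a carry of 1 into the next position."""
    u %= b ** k
    digits = []
    for _ in range(k):
        r = u % b
        x = r - b if rng.random() < r / b else r
        digits.append(x)
        u = (u - x) // b           # exact division: u - x is a multiple of b
    return digits                  # a leftover carry is a multiple of b**k, i.e. 0 mod q

def recompose(digits: list[int], b: int, k: int) -> int:
    """<g, x> mod q for the gadget vector g = (1, b, b**2, ..., b**(k-1))."""
    return sum(x * b ** i for i, x in enumerate(digits)) % (b ** k)

def accumulated_noise(decompose, inputs: list[int], k: int) -> int:
    """Infinity norm of the coordinate-wise sum of the decompositions of
    `inputs`, modelling the digit vectors of many ciphertexts being added.
    Deterministic digits grow like n*(b-1)/2 per coordinate; zero-mean digits
    grow only like sqrt(n)*b, which is the Pythagorean additivity of the abstract."""
    total = [0] * k
    for u in inputs:
        for i, x in enumerate(decompose(u)):
            total[i] += x
    return max(abs(t) for t in total)

if __name__ == "__main__":
    b, k = 4, 8                                            # constructed parameters, q = 65536
    inputs = [(i * 7919) % b ** k for i in range(200)]     # constructed sample inputs
    print("naive:", accumulated_noise(lambda u: naive_digit_decompose(u, b, k), inputs, k))
    print("subgaussian:", accumulated_noise(lambda u: subgaussian_digit_decompose(u, b, k), inputs, k))
```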

Highlights

  • A cryptosystem requires an efficiently computable function whose inverse is hard to compute without secret information called a trapdoor

  • A function fA(x) = Ax is used for Short Integer Solution (SIS) or Inhomogeneous Short Integer Solution (ISIS), and gA(x, e) = xt A + et is used for Learning With Errors (LWE), with a proper random matrix A

  • We show that the output follows a subgaussian distribution in the section

Summary

INTRODUCTION

A cryptosystem requires an efficiently computable function whose inverse is hard to compute without secret information called a trapdoor. Thanks to the first practical implementation of subgaussian sampling with a triangular distribution, recently proposed by Genise et al. [3], the deterministic algorithms used in many HE schemes can be replaced by their algorithm with a small computation time overhead and without a heuristic independence assumption. Such a digit decomposition algorithm can be used for many other lattice-based cryptographic primitives that support homomorphic operations, such as GSW-style HE [10]–[13], the homomorphic signature scheme [14], Attribute-Based Encryption (ABE) schemes [15], [16], homomorphic identity-based encryption [17] and more.

PRELIMINARIES
SUBGAUSSIAN GADGET DECOMPOSITION ALGORITHM
OUR MAIN RESULTS
FOR POWER-OF-BASE MODULUS
IMPLEMENTATION RESULTS
CONCLUSION