Transcript of slides: sac2013.irmacs.sfu.ca/slides/s22.pdf
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Johannes Buchmann, Daniel Cabarcas, Florian Göpfert, Andreas Hülsing, Patrick Weiden
Technische Universität Darmstadt, Darmstadt, Germany
Selected Areas in Cryptography, Aug 16, 2013
1 / 18
Outline
Motivation and Contribution
Discrete Gaussians and Samplers
The Ziggurat Algorithm
Quality of our Sampler and Parameter Choice
Experiments and Results
Conclusion
2 / 18
Motivation and Contribution
- Discrete Gaussians widely used in lattice-based crypto
  - E.g. signatures, encryption, (F)HE, multilinear maps
- Critical technical challenge: accurate and efficient sampling of discrete Gaussians
  - E.g. sampling ≈ 50% of signing time [WHCB13]
- Existing methods: either large memory or very slow
  - E.g. Peikert's sampler: about 12 MB of storage [GD12]
  - No flexibility in the choice of memory and speed
  - Memory requirement acceptable on a PC, but not on smaller devices
- Our contribution: alternative sampler for discrete Gaussians offering a flexible trade-off between speed and memory
3 / 18
Discrete Gaussians and Samplers
- Discrete Gaussian distribution $D_\sigma$ for parameter $\sigma$ assigns $x \in \mathbb{Z}$ probability proportional to $\rho_\sigma(x) = \exp\left(-\tfrac{1}{2} x^2/\sigma^2\right)$
- Sufficient for cryptographic applications: bounded support $B := \mathbb{Z} \cap [-t\sigma, t\sigma]$ with tailcut $t > 0$ large enough [GPV08]
[Figure: the continuous Gaussian curve and its discretisation, with the bounded support $B = \mathbb{Z} \cap [-t\sigma, t\sigma]$ marked between $-t\sigma$ and $t\sigma$]
4 / 18
Discrete Gaussians and Samplers
- Rejection sampling (rejSam)
- Inverse cumulative distribution function (invCDF)
- Knuth-Yao (KY)
- Hybrid variants: rejection sampling with lookup-table, ...
5 / 18
The Ziggurat Algorithm
- Belongs to the class of rejection sampling algorithms
- Introduced by Marsaglia and Tsang for sampling from a continuous Gaussian distribution [MT00]
- Observation:
  - Symmetry: sample $x \in [0, t\sigma]$ according to the PDF
  - Sample a sign $s \in \{-1, 1\}$ and return $sx$
  - Attention: case $x = 0$ (+0 and −0 are the same integer, so 0 would be returned with twice its proper probability unless it is accepted only half of the time)
[Figure: the right half $[0, t\sigma]$ of the density]
6 / 18
The Ziggurat Algorithm
- Sampling $x \in [0, t\sigma]$: intuition
  - Given: partition of the enclosing area into rectangles of equal size
  - Choose a rectangle $R_i = R_i^l \cup R_i^r$ uniformly at random
- Sampling in rectangle $R_i$:
  - Sample $x \in [0, x_i]$ uniformly at random
  - If $x \in R_i^l$: accept $x$
  - Else sample in $R_i^r$ using rejection sampling (restart on rejection)
[Figure: the enclosing area $A$ partitioned into rectangles $R_1, \dots, R_7$ with corners $x_0, x_1, \dots, x_7$ on the x-axis and $y_0, y_1, y_2, \dots, y_7$ on the y-axis; $R_3$ is shown split into its left part $R_3^l$ (entirely under the curve) and its right part $R_3^r$ (cut by the curve)]
7 / 18
The Ziggurat Algorithm
- Ziggurat = efficient "instantiation" of rejection sampling in the enclosing area $A$ (instead of in $[0, t\sigma] \times [0, 1]$)
- Rectangles of equal size: ensures equality of probabilities, so a rectangle can be chosen uniformly
- Storage: $(x_i, y_i)$ for $R_i$ where $i = 1, \dots, \#\text{rectangles}$
- Expensive part: sampling in $R_i^r$
- Trade-off:
  - Controlled by #rectangles
  - More rectangles: $R_i^l$ comparatively bigger than $R_i^r$
    → acceptance of $x$ without computing $\rho_\sigma(x)$ with higher probability
    → fewer rejections of $x$ → fewer 'restarts'
  - But: more memory needed
8 / 18
The Ziggurat Algorithm: Discretization
Procedure: the same as in the continuous case
Adaptation to the discrete case:
- Notion of 'size' of a rectangle
- Pre-computation of the rectangles
- Implementation issues:
  - Fixed-point precision
  - Discretizing the height
- Improvement of sampling in $R_i^r$: straight-line approach (test the sampled point against a straight line $s$ through $R_i^r$ first: where $\rho_\sigma$ is concave down, $s$ lies below the curve and points below $s$ are accepted; where it is concave up, $s$ lies above the curve and points above $s$ are rejected; $\rho_\sigma$ is evaluated only for points between $s$ and the curve)
[Figure: two panels showing $R_i^r$ between $x_{i-1}$ and $x_i$ with heights $y_{i-1}$ and $y_i$, the curve $\rho_\sigma$ and the straight line $s$; left: the concave-down case, right: the concave-up case]
9 / 18
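The following is an added example, not the authors' code (their implementation is linked at the end of the slides): a discrete Ziggurat in Python that follows slides 7 to 9, using the discrete notion of size $(x_i + 1)(y_{i-1} - y_i)$ that counts the integer points of a rectangle. Several details are my own construction and assumptions rather than the paper's procedure: the partition is found by bisection on the common size $S$ with the bottom-up recursion $x_m = \lfloor t\sigma \rfloor$, $y_m = 0$, $x_{i-1} = \lfloor \rho_\sigma^{-1}(y_{i-1}) \rfloor$; the top rectangle is allowed to overshoot $\rho_\sigma(0) = 1$ and $x = 0$ is always tested against the curve, which keeps the output exactly proportional to $\rho_\sigma$ despite the overshoot; floating point is used instead of the fixed-point arithmetic of the paper, so this is not the precision-controlled sampler covered by the theorem on slide 10; the straight-line improvement (ZigguratO) is omitted. The numbers of rectangles 8, 64 and 512 are my choice. `exact_distribution` derives the output distribution from the stored table instead of by sampling, which is the check that the rectangles really produce weights proportional to $\rho_\sigma$, `rho_evaluation_rate` measures how often the "expensive" $\rho_\sigma$ evaluation is needed as the table grows, and `smallest_tailcut` reproduces $t = 13$ from the tail term $t\,e^{(1-t^2)/2} < 2^{-101}$ of slide 11.

```python
import math
import random

def rho(x, sigma):
    """Unnormalised Gaussian weight rho_sigma(x) = exp(-x^2 / (2 sigma^2))."""
    return math.exp(-x * x / (2.0 * sigma * sigma))

def inv_rho(y, sigma):
    """Real x >= 0 with rho_sigma(x) = y; 0 when y >= 1 (no such x)."""
    return 0.0 if y >= 1.0 else sigma * math.sqrt(-2.0 * math.log(y))

def smallest_tailcut(bits=101):
    """Smallest integer t with t * e^((1 - t^2)/2) < 2^-bits (tail term l of the bound)."""
    t = 1
    while t * math.exp((1.0 - t * t) / 2.0) >= 2.0 ** -bits:
        t += 1
    return t

def rectangles_for_size(sigma, tail, m, size):
    """Bottom-up recursion for a trial size S (construction of this example, not the paper's):
    R_i = [0, x_i] x [y_i, y_{i-1}] with (x_i + 1)(y_{i-1} - y_i) = S, x_m = floor(t*sigma),
    y_m = 0 and x_{i-1} = floor(rho^-1(y_{i-1})), which gives rho(x_i + 1) <= y_i <= rho(x_i), i < m."""
    xs, ys = [0] * (m + 1), [0.0] * (m + 1)
    xs[m] = int(math.floor(tail * sigma))
    for i in range(m, 0, -1):
        ys[i - 1] = ys[i] + size / (xs[i] + 1)
        if i > 1:
            xs[i - 1] = min(int(inv_rho(ys[i - 1], sigma)), xs[i])
    return xs, ys

def build_partition(sigma, tail, m, iters=200):
    """Bisect S until the staircase just covers the curve (ys[0] >= rho(0) = 1).
    ys[0] is monotone in S; the remaining slack sits in the top rectangle only."""
    lo, hi = 0.0, float(int(math.floor(tail * sigma)) + 1)
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if rectangles_for_size(sigma, tail, m, mid)[1][0] >= 1.0:
            hi = mid
        else:
            lo = mid
    return rectangles_for_size(sigma, tail, m, hi)

class DiscreteZiggurat:
    def __init__(self, sigma, m=64, tail=None, seed=None):
        self.sigma, self.m = sigma, m
        self.tail = smallest_tailcut() if tail is None else tail
        self.xs, self.ys = build_partition(sigma, self.tail, m)  # the stored table (x_i, y_i)
        self.rng = random.Random(seed)

    def sample(self):
        xs, ys, rng = self.xs, self.ys, self.rng
        while True:
            i = rng.randrange(1, self.m + 1)    # uniform: all rectangles have the same size
            x = rng.randrange(0, xs[i] + 1)     # uniform over the x_i + 1 integer points of R_i
            if not (1 <= x <= xs[i - 1]):
                # right part R_i^r, and x = 0 in every rectangle (this is what lets the top
                # rectangle overshoot rho(0) = 1 harmlessly): the only place rho is evaluated
                y = ys[i] + rng.random() * (ys[i - 1] - ys[i])
                if y > rho(x, self.sigma):
                    continue                    # rejected: restart
            if x == 0 and rng.random() < 0.5:
                continue  # +0 = -0: keep 0 half the time so the sign step does not double it
            return x if rng.random() < 0.5 else -x

def exact_distribution(zig):
    """Output distribution derived from the table, not from sampling. Per trial,
    P(x) = (1/m) sum_i Pr[x drawn and accepted in R_i] with Pr[x drawn in R_i] = 1/(x_i + 1);
    then the 0-rule and the sign. Returns (value -> probability, Pr[a trial yields an output])."""
    xs, ys, m, sigma = zig.xs, zig.ys, zig.m, zig.sigma
    weight = {}
    for i in range(1, m + 1):
        h = ys[i - 1] - ys[i]
        for x in range(xs[i] + 1):
            p_acc = 1.0 if 1 <= x <= xs[i - 1] else min(1.0, max(0.0, (rho(x, sigma) - ys[i]) / h))
            weight[x] = weight.get(x, 0.0) + p_acc / (m * (xs[i] + 1))
    weight[0] *= 0.5
    dist = {}
    for x, p in weight.items():
        dist[x] = dist.get(x, 0.0) + 0.5 * p
        dist[-x] = dist.get(-x, 0.0) + 0.5 * p
    total = sum(dist.values())
    return {v: p / total for v, p in dist.items()}, total

def proportionality_spread(zig):
    """max/min of P(v) / rho_sigma(v) over the support: 1.0 means exactly proportional to rho."""
    dist, _ = exact_distribution(zig)
    ratios = [p / rho(v, zig.sigma) for v, p in dist.items()]
    return max(ratios) / min(ratios)

def rho_evaluation_rate(zig):
    """Fraction of trials that land in a right part (or on x = 0) and must evaluate rho."""
    xs, m = zig.xs, zig.m
    return sum((xs[i] - xs[i - 1] + 1) / (xs[i] + 1) for i in range(1, m + 1)) / m

if __name__ == "__main__":
    for m in (8, 64, 512):  # more rectangles: more memory, fewer rho evaluations
        z = DiscreteZiggurat(32, m=m, seed=1)
        print(m, "rectangles:", round(proportionality_spread(z) - 1.0, 12),
              round(rho_evaluation_rate(z), 3), [z.sample() for _ in range(5)])
```

Run stand-alone it prints, for 8, 64 and 512 rectangles with $\sigma = 32$ and $t = 13$, how far the table's output distribution is from exact proportionality to $\rho_\sigma$ (floating-point noise only), the fraction of trials that need a $\rho_\sigma$ evaluation (the speed side of the trade-off; the memory side is the $2(m+1)$ stored numbers), and a few samples.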
Quality of our Sampler and Parameter Choice
Theorem. The statistical distance between the discrete Gaussian distribution $D_\sigma$ and the distribution $\bar{D}_\sigma$ output by our algorithm is bounded by
$$\Delta(D_\sigma, \bar{D}_\sigma) < t\,e^{(1-t^2)/2} + \frac{|B_0^+|}{\rho_\sigma(B^+)} \cdot \frac{1}{2}\left(2^{-\omega+1} + 2^{-n}\right).$$
Proof idea: Hybrid argument using intermediary distributions
10 / 18
Quality of our Sampler and Parameter Choice
- Parameters: Gaussian parameter $\sigma$, tailcut $t$, fixed-point precision $n$, height precision $\omega$
- Goal: negligible statistical distance, e.g.
$$\underbrace{t\,e^{(1-t^2)/2}}_{l} + \underbrace{\frac{|B_0^+|}{\rho_\sigma(B^+)} \cdot \frac{1}{2}\left(2^{-\omega+1} + 2^{-n}\right)}_{r} < 2^{-100}$$
→ Find the smallest integer $t$ s.t. $l < 2^{-101}$: $t = 13$
→ Choose $\omega = n + 1$, which reduces $r$ (the factor $\tfrac{1}{2}(2^{-\omega+1} + 2^{-n})$ becomes $2^{-n}$)
→ Find $n$ such that $r < 2^{-101}$: $n = 106$
11 / 18
Experiments and Results
- C++ implementation using the Number Theory Library (NTL, [Sho])
- Parameters: $n = 106$ ($\omega = 107$), $t = 13$, different $\sigma$'s
  - $\sigma = 32$ maintains the worst-to-average-case reduction [Reg05], $\sigma = 1.6 \cdot 10^5$ according to [GD12]
- Algorithms: Ziggurat, ZigguratO, invCDF*, rejSam*, KY (* = with lookup-table)
- Each algorithm queried to output $10^6$ samples
- Running time measured using clock_gettime with clock CLOCK_PROCESS_CPUTIME_ID (pre-/post-computations excluded)
- Memory consumption computed from the number of fixed variables with regard to their type
12 / 18
Experiments and Results
[Figure: two plots of speed (samples/s) against memory (B) for Ziggurat, ZigguratO, invCDF, rejSam and KY; memory from 64 B to 262144 B in the first plot (speed up to 6 000 000 samples/s) and from 64 B to 134217728 B in the second (speed up to 1 400 000 samples/s), which is captioned "Different samplers for σ = 1.6 · 10^5"]
13 / 18
Experiments and Results
Some numbers...
- $\sigma = 32$:
  - rejSam factor 4.2 slower than invCDF; without lookup-table factor 558 slower
  - Ziggurat factor 1.91 slower than invCDF, factor 2.19 faster than rejSam
  - KY factor 3.53 faster than invCDF, but double the memory
- $\sigma = 1.6 \cdot 10^5$:
  - invCDF factor 4 slower than Ziggurat, factor 64 more memory
  - rejSam about factor 6 slower than Ziggurat
  - KY only better than Ziggurat by 4%, but 424 times more memory
14 / 18
Experiments and Results
Improvement rate of ZigguratO over Ziggurat
[Figure: improvement [%] of ZigguratO over Ziggurat (y-axis from −5 to 35) against memory [B] (64 B to 262144 B)]
15 / 18
Conclusion: Take-Home-Message
Discrete Ziggurat = alternative sampler for discrete Gaussians offering a flexible trade-off between speed and memory
16 / 18
Further details. . .
Source code on homepage: https://www.cdc.informatik.tu-darmstadt.de/~pschmidt/implementations/ziggurat/ziggurat-src.zip
Version of the paper with proofs on eprint: https://eprint.iacr.org/2013/510.pdf
17 / 18
Thanks!
18 / 18