An Algorithm for Sampling Exactly from Exponential Bernoulli Distributions with Resistance against Timing Attacks

doi:10.3969/j.issn.1671-1122.2024.06.004

Abstract

Abstract:

Discrete Gaussian sampling over the integers is one of the fundamental building blocks of lattice-based cryptography. Rejection sampling is one of the main methods for the discrete Gaussian sampling over the integers. The key of using rejection sampling is to implement a sampling procedure for Bernoulli distributions with exponential functions as parameters, and this sampling procedure is also the key to determine whether the whole sampling algorithm can resist timing attacks. For a real x > 0, based on the isochronous sampling algorithm given by SUN et al. for the “exponential Bernoulli distribution” β_2-_x, an alternative exact sampling algorithm with timing attack resistance is proposed for β_2-_x. It can prevent the leakage of the information on the value of x caused by timing attacks, and does not require (online) floating-point arithmetic, and can also avoid the statistical error in the practical implementation of the sampling algorithm of SUN et al., so as to ensure the exactness of sampling results in practice. Experimental results demonstrate the effectiveness of this exact sampling algorithm.

Key words: lattice-based cryptography, discrete Gaussian sampling, Bernoulli distribution, timing attack

CLC Number:

TP309

DU Yusong, JIANG Siwei, SHEN Jing, ZHANG Jiahao. An Algorithm for Sampling Exactly from Exponential Bernoulli Distributions with Resistance against Timing Attacks[J]. Netinfo Security, 2024, 24(6): 855-862.

Figures/Tables 2

References 24

[1]	WANG Xiaoyun, LIU Mingjie. Survey of Lattice-Based Cryptography[J]. Journal of Cryptologic Research, 2014, 1(1): 13-27.
	王小云, 刘明洁. 格密码学研究[J]. 密码学报, 2014, 1(1): 13-27. doi: 10.13868/j.cnki.jcr.000002
[2]	PEIKERT C. A Decade of Lattice Cryptography[J]. Foundations and Trends in Theoretical Computer Science, 2016, 10(4): 283-424.
[3]	ESPITAU T, WALLET A, YU Y. On Gaussian Sampling, Smoothing Parameter and Application to Signatures[C]// IACR. The 29th International Conference on the Theory and Application of Cryptology and Information Security. Heidelberg: Springer, 2023: 65-97.
[4]	PEIKERT C. An Efficient and Parallel Gaussian Sampler for Lattices[C]// IACR. 30th Annual Cryptology Conference. Heidelberg: Springer, 2010: 80-97.
[5]	DEVEVEY J, PASSELÈGUE A, STEHLÉ D. G+G: A Fiat-Shamir Lattice Signature Based on Convolved Gaussians[C]// IACR. The 29th International Conference on the Theory and Application of Cryptology and Information Security. Heidelberg: Springer, 2023: 37-64.
[6]	MICCIANCIO D, PEIKERT C. Trapdoors for Lattices:Simpler, Tighter, Faster, Smaller[C]// IACR. 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques. Heidelberg: Springer, 2012: 700-718.
[7]	GENISE N, MICCIANCIO D. Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus[C]// IACR. 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Heidelberg: Springer, 2018: 174-203.
[8]	CANONNE C L, KAMATH G, STEINKE T. The Discrete Gaussian for Differential Privacy[C]// Curran Associates. 33rd Annual Conference on Neural Information Processing Systems. New York: Curran Associates, 2020: 15676-15688.
[9]	DWARAKANATH N C, GALBRAITH S D. Sampling from Discrete Gaussians for Lattice-Based Cryptography on a Constrained Device[J]. Applicable Algebra in Engineering, Communication and Computing, 2014, 25(3): 159-180.
[10]	FOLLÁTH J. Gaussian Sampling in Lattice Based Cryptography[J]. Tatra Mountains Mathematical Publications, 2014, 60(1): 1-23.
[11]	BRUINDERINK L G, HÜLSING A, LANGE T, et al. Flush, Gauss, and Reload-A Cache Attack on the BLISS Lattice-Based Signature Scheme[C]// IACR. 18th International Conference on Cryptographic Hardware and Embedded Systems. Heidelberg: Springer, 2016: 323-345.
[12]	ESPITAU T, FOUQUE P-A, GÉRARD B, et al. Side-Channel Attacks on BLISS Lattice-Based Signatures: Exploiting Branch Tracing against StrongSwan and Electromagnetic Emanations in Microcontrollers[C]// ACM. 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 1857-1874.
[13]	HOWE J, PREST T, RICOSSET T, et al. Isochronous Gaussian Sampling: From Inception to Implementation[C]// IACR. 11th International Conference on Post-Quantum Cryptography. Heidelberg: Springer, 2020: 53-71.
[14]	SUN Shuo, ZHOU Yongbin, JI Yunfeng, et al. Generic, Efficient and Isochronous Gaussian Sampling over the Integers[J]. Cybersecurity, 2022, 5: 10-22.
[15]	KARMAKAR A, ROY S S, REPARAZ O, et al. Constant-Time Discrete Gaussian Sampling[J]. IEEE Transactions on Computers, 2018, 67(11): 1561-1571.
[16]	ZHAO R K, STEINFELD R, SAKZAD A. FACCT: Fast, Compact, and Constant-Time Discrete Gaussian Sampler over Integers[J]. IEEE Transactions on Computers, 2020, 69(1): 126-137.
[17]	DU Yusong, FAN Baoying, WEI Baodian. A Constant-Time Sampling Algorithm for Binary Gaussian Distribution over the Integers[J]. Information Processing Letters, 2022, 176: 62-76.
[18]	DUCAS L, DURMUS A, LEPOINT T, et al. Lattice Signatures and Bimodal Gaussians[C]// IACR. 33rd Annual Cryptology Conference. Heidelberg: Springer, 2013: 40-56.
[19]	KARNEY C F. Sampling Exactly from the Normal Distribution[J]. ACM Transactions on Mathematical Software, 2016, 42(1): 1-14.
[20]	WANG Jiabo, LING Cong. Polar Sampler: A Novel Bernoulli Sampler Using Polar Codes with Application to Integer Gaussian Sampling[J]. Designs, Codes and Cryptography, 2023, 91(5): 1779-1811.
[21]	BARTHE G, BELAÏD S, ESPITAU T, et al. GALACTICS: Gaussian Sampling for Lattice-Based Constant- Time Implementation of Cryptographic Signatures, Revisited[C]// ACM. The 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 2147-2164.
[22]	BAI S, LEPOINT T, ROUX-LANGLOIS A, et al. Improved Security Proofs in Lattice-Based Cryptography: Using the Renyi Divergence Rather than the Statistical Distance[J]. Journal of Cryptology, 2018, 31(2): 610-640.
[23]	PREST T. Sharper Bounds in Lattice-Based Cryptography Using the Rényi Divergence[C]// Springer. The 23rd International Conference on the Theory and Application of Cryptology and Information Security. Heidelberg: Springer, 2017: 347-374.
[24]	MICCIANCIO D, WALTER M. Gaussian Sampling over the Integers:Efficient, Generic, Constant-Time[C]// IACR. 37th Annual Cryptology Conference. Heidelberg: Springer, 2017: 455-485.

参数x	算法2/ms	算法4/ms
1/5	172	347
2/5	175	367
1/2	157	363
3/5	173	332
4/5	174	346

参数k	算法2/s	算法4/s
215	8.423×10⁶	7.140×10⁶
107	8.008×10⁶	7.201×10⁶
250	7.301×10⁶	6.430×10⁶
271	7.283×10⁶	6.426×10⁶