Discrete Ziggurat: A Time-Memory Trade-off forSampling from a Gaussian Distribution over the

Integers

Johannes Buchmann, Daniel Cabarcas, Florian Gopfert,Andreas Hulsing, Patrick Weiden

Technische Universitat DarmstadtDarmstadt, Germany

Selected Areas in CryptographyAug 16, 2013

1 / 18

Outline

Motivation and Contribution

Discrete Gaussians and Samplers

The Ziggurat Algorithm

Quality of our Sampler and Parameter Choice

Experiments and Results

Conclusion

2 / 18

Motivation and Contribution

I Discrete Gaussians widely used in lattice-based cryptoI E.g. signatures, encryption, (F)HE, multilinear maps

I Critical technical challenge: accurate and efficient sampling ofdiscrete Gaussians

I E.g. sampling ≈ 50% of signing time [WHCB13]

I Existing methods: either large memory or very slowI E.g. Peikert’s sampler about 12MB of storage [GD12]I No flexibility in choice of memory and speedI Memory requirement acceptable on PC, but not on smaller

devices

I Our contribution: alternative sampler for discrete Gaussiansoffering a flexible trade-off between speed and memory

3 / 18

Discrete Gaussians and Samplers

I Discrete Gaussian distribution Dσ for parameter σ assignsx ∈ Z probability proportional to ρσ(x) = exp(−1

2x2/σ2)

I Sufficient for cryptographic applications: bounded supportB := Z ∩ [−tσ, tσ] with tailcut t > 0 large enough [GPV08]

Gauss:

discrete

−tσ tσ

B = ZZ ∩ [−tσ, tσ]

continuous

4 / 18

Discrete Gaussians and Samplers

I Rejection sampling (rejSam)

I Inverse cumulative distribution function (invCDF)

I Knuth-Yao (KY)

I Hybrid variants: rejection sampling with lookup-table, . . .

5 / 18

The Ziggurat Algorithm

I Belongs to class of rejection sampling algorithms

I Introduced by Marsaglia and Tsang for sampling from acontinuous Gaussian distribution [MT00]

I Observation:I Symmetry: sample x ∈ [0, tσ] acc. to PDFI Sample sign s ∈ {−1, 1} and return sxI Attention: case x = 0

tσ

6 / 18

The Ziggurat Algorithm

I Sampling x ∈ [0, tσ]: IntuitionI Given: partition of area into rectangles of equal sizeI Choose rectangle Ri = R l

i ∪ R ri randomly

I Sampling in rectangle Ri :I Sample x ∈ [0, xi ] randomlyI If x ∈ R l

i : accept xI Else sample in R r

i using rejection sampling (restart)

R1

R2

R3

R4

R5

R6 R7

x0 x1 x2 x3 x4 x5 x6 x7

.

.

.

A

Rl3

Rr3

y0

y1

y2

y7

7 / 18

The Ziggurat Algorithm

I Ziggurat = efficient “instantiation” of rejection sampling inenclosing area A (instead of in [0, tσ]× [0, 1])

I Rectangles of equal size: ensures equality of probabilities

I Storage: (xi , yi ) for Ri where i = 1, . . . ,#rectangles

I Expensive part: sampling in R ri

I Trade-off:I Controlled by #rectanglesI More rectangles: R l

i comparatively bigger than R ri

→ acceptance of x without computing ρσ(x) with higherprobability

→ less rejections of x → less ‘restarts’I But: more memory needed

8 / 18

The Ziggurat Algorithm: Discretization

Procedure: same as continuous

Adaptation to discrete case:

I Notion of ‘size’

I Pre-computation of rectanglesI Implementation issues:

I Fix point precisionI Discretizing the height

I Improvement of sampling in R ri : straight line approach

Rri

yixi−1 xi

yi−1

s

ρσ

Rri

yixi−1 xi

yi−1

s

ρσ

The concave-down case The concave-up case9 / 18

Quality of our Sampler and Parameter Choice

TheoremThe statistical distance between the discrete Gaussian distributionDσ and the distribution Dσ output by our algorithm is bounded by

∆(Dσ,Dσ) < te(1−t2)/2 +|B+

0 |ρσ(B+) + 1

2

(2−ω+1 + 2−n).

Proof idea: Hybrid argument using intermediary distributions

10 / 18

Quality of our Sampler and Parameter Choice

I Parameters: Gaussian parameter σ, tailcut t, fix pointprecision n, height precision ω

I Goal: negligible statistical distance, e.g.

te(1−t2)/2︸ ︷︷ ︸l

+|B+

0 |ρσ(B+) + 1

2

(2−ω+1 + 2−n)︸ ︷︷ ︸r

< 2−100

→ Find smallest integer t s.t. l < 2−101: t = 13

→ Choose ω = n + 1 reduces complexity of r

→ Find n such that r < 2−101: n = 106

11 / 18

Experiments and Results

I C++ implementation using Number Theory Library(NTL, [Sho])

I Parameters: n = 106 (ω = 107), t = 13, different σ’s

I σ = 32 maintains worst-to-average-case reduction [Reg05],σ = 1.6 · 105 according to [GD12]

I Algorithms: Ziggurat, ZigguratO, invCDF∗, rejSam∗, KY(∗ = lookup-table)

I Each algorithm queried to output 106 samples

I Measured running time using clock gettime with clockCLOCK PROCESS CPUTIME ID (excluded pre-/post-comps.)

I Computed memory consumption using #fixed variables inregard to their type

12 / 18

Experiments and Results

0

1000000

2000000

3000000

4000000

5000000

6000000

64 256 1024 4096 16384 65536 262144

Speed [sam

ples/s]

Memory [B]

Ziggurat ZigguratO invCDF rejSam KY

0

200000

400000

600000

800000

1000000

1200000

1400000

64 512 4096 32768 262144 209715216777216134217728

Speed [sam

ples/s]

Memory [B]

Different samplers for σ = 1.6 · 105

13 / 18

Experiments and Results

Some numbers. . .I σ = 32:

I rejSam factor 4.2 slower than invCDF, without lookup-tablefactor 558 slower

I Ziggurat factor 1.91 slower than invCDF, 2.19 faster thanrejSam

I KY factor 3.53 faster than invCDF, but doubled memory

I σ = 1.6 · 105:I invCDF factor 4 slower than Ziggurat, factor 64 more memoryI rejSam about factor 6 slower than ZigguratI KY only better than Ziggurat by 4%, but 424 times more

memory

14 / 18

Experiments and Results

Improvement rate of ZigguratO to Ziggurat

-5

0

5

10

15

20

25

30

35

64 256 1024 4096 16384 65536 262144

Impr

ovem

ent [

%]

Memory [B]

15 / 18

Conclusion: Take-Home-Message

Discrete Ziggurat=

Alternative sampler fordiscrete Gaussians offering a

flexible trade-off betweenspeed and memory

16 / 18

Further details. . .

Source code on homepage:https://www.cdc.informatik.tu-darmstadt.de/~pschmidt/

implementations/ziggurat/ziggurat-src.zip

Version of paper with proofs on eprint:https://eprint.iacr.org/2013/510.pdf

17 / 18

Thanks!

18 / 18