Count-then-Permute: A Precision-Free Alternative to Inversion Sampling

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)

Abstract

Sampling from a discrete probability distribution on a computer is an old problem with a wide variety of applications. Inversion sampling, which uses a cumulative probability table, is a quite popular method for discrete distribution sampling. One drawback of inversion sampling (and of most other generic methods) is that its table size and sampling time depend on the precision we require. This can be problematic, since the precision can be quite high, e.g., 256 bits or even more, in particular for cryptographic purposes. In this paper, we present a novel sampling method which we call the counter-then-permute (CP) sampler. Our proposal has the unique feature that the time and memory of its on-line sampling phase do not depend on the precision, and it can be faster and smaller than inversion sampling, which was often the most efficient method, depending on the relationship between the precision and the number of samples we want. Our proposal uses a block cipher as an efficient, computationally-secure instantiation of uniform sampling without replacement, also known as a pseudorandom permutation (PRP) in cryptographic terminology, together with a pre-processing step based on a recent polynomial-time exact sampler for the binomial distribution. We also show some experimental results of the CP sampler for discrete Gaussian distributions, which are typically used by lattice-based cryptographic schemes.
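The following is an added example, written for this page and not code from the paper or its authors, that contrasts the two approaches the abstract describes: an inversion sampler whose table entries and random draw grow with the precision, and a count-then-permute sampler whose offline phase fixes, at full precision, how many of the N requested samples land on each outcome, and whose online phase only evaluates a PRP on [0, N) and looks the position up in the count table. Everything concrete here is an assumption: the target distribution is a constructed 5-point toy (a shifted Binomial(4, 1/2), standing in for a discrete Gaussian), the PRP is a balanced Feistel network with an HMAC-SHA256 round function plus cycle walking rather than the block cipher the paper uses, and the exact binomial sampler is a naive trial-by-trial one rather than the polynomial-time sampler the abstract refers to.

```python
import hashlib
import hmac
import random
from bisect import bisect_right
from collections import Counter
from fractions import Fraction

# Constructed toy distribution (assumption: a stand-in for a discrete Gaussian),
# given as exact fractions so the "full precision" of the offline phase is exact.
PMF = [(-2, Fraction(1, 16)), (-1, Fraction(4, 16)), (0, Fraction(6, 16)),
       (1, Fraction(4, 16)), (2, Fraction(1, 16))]


# --- Baseline: inversion sampling with a cumulative table at a fixed precision.
def build_inversion_table(pmf, precision_bits):
    """Cumulative probabilities rounded down to precision_bits bits; the last
    entry is forced to 2^precision so every draw maps to some outcome."""
    scale = 1 << precision_bits
    cdf, acc = [], Fraction(0)
    for _, p in pmf:
        acc += p
        cdf.append(int(acc * scale))   # one precision_bits-wide entry per outcome
    cdf[-1] = scale
    return cdf


def inversion_sample(pmf, cdf, precision_bits, rng):
    r = rng.getrandbits(precision_bits)        # randomness and compare width grow with precision
    return pmf[bisect_right(cdf, r)][0]        # first outcome whose cdf entry exceeds r


# --- Uniform sampling without replacement as a keyed permutation on [0, n).
class SmallDomainPRP:
    """Assumption: Feistel + HMAC-SHA256 + cycle walking as a toy PRP; the paper
    instantiates this with a block cipher."""
    def __init__(self, key, n, rounds=4):
        self.key, self.n, self.rounds = key, n, rounds
        self.half = max(1, ((n - 1).bit_length() + 1) // 2)   # balanced halves
        self.mask = (1 << self.half) - 1

    def _feistel(self, x):
        l, r = x >> self.half, x & self.mask
        for rnd in range(self.rounds):
            msg = bytes([rnd]) + r.to_bytes((self.half + 7) // 8, "big")
            f = int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest(), "big")
            l, r = r, l ^ (f & self.mask)
        return (l << self.half) | r

    def __call__(self, i):
        y = self._feistel(i)
        while y >= self.n:              # cycle walking keeps the output inside [0, n)
            y = self._feistel(y)
        return y


def exact_binomial(n, p, rng):
    """Exact Binomial(n, p) for rational p via n exact Bernoulli trials
    (assumption: a simple stand-in for a polynomial-time exact sampler)."""
    return sum(rng.randrange(p.denominator) < p.numerator for _ in range(n))


class CountThenPermuteSampler:
    def __init__(self, pmf, n_samples, key, rng):
        self.pmf, self.n = pmf, n_samples
        # Offline: decide how many of the n samples fall on each outcome by
        # conditional binomials (an exact multinomial draw) at full precision.
        self.counts, remaining, rem_prob = [], n_samples, Fraction(1)
        for _, p in pmf:
            c = exact_binomial(remaining, p / rem_prob, rng) if rem_prob else 0
            self.counts.append(c)
            remaining -= c
            rem_prob -= p
        # Exclusive prefix sums: starts[k] is where outcome k begins in the
        # virtual list of n labels (the list itself is never materialised).
        self.starts = [0]
        for c in self.counts[:-1]:
            self.starts.append(self.starts[-1] + c)
        self.prp = SmallDomainPRP(key, n_samples)

    def sample(self, i):
        """Online: sample i is the label at pseudorandom position prp(i); the
        work depends on n and the support size, not on the precision."""
        pos = self.prp(i)
        return self.pmf[bisect_right(self.starts, pos) - 1][0]


if __name__ == "__main__":
    rng = random.Random(2024)                  # seeded only so the demo is reproducible
    cp = CountThenPermuteSampler(PMF, 64, b"constructed-demo-key", rng)
    print("offline counts:", dict(zip([v for v, _ in PMF], cp.counts)))
    print("online samples:", Counter(cp.sample(i) for i in range(64)))
```

Because the online phase is a permutation of [0, N), running it over all N indices reproduces the offline count table exactly; the inversion table, by contrast, has one entry per outcome at the chosen width, and a 4-bit table already rounds a distribution that is not exactly representable.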

Keywords

Discrete probability distribution; Inversion sampling; Block cipher

Notes

Acknowledgements

The authors would like to thank the anonymous reviewers for their helpful comments.


Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

NEC Corporation, Kawasaki, Japan