2

A fixed weight ternary polynomial vector sampler randomly selects a polynomial from ${R_q[x]}/{(x^n+1)}$ with coefficients $-1,1,0$. Notable KEMs that use fixed weight ternary samplers include NTRU, LIZARD, SMAUG-T, etc.

On the other hand, KEMs such as KYBER, SABER and NEW-HOPE use the Centered Binomial Distribution (CBD). The sampling technique of $CBD_\eta$ is given below. If we set $\eta=1$, it becomes a ternary polynomial sampler with Hamming weight 0.5.

[Image: $CBD_\eta$ sampling technique]

Is there any specific advantage of using a fixed weight ternary sampler with respect to CBD with $\eta=1$? One advantage a fixed weight ternary sampler provides is that it gives the freedom to set a Hamming weight value, as compared to $CBD_1$ where the Hamming weight is always equal to $0.5$.

On the other hand, we noticed that CBD requires fewer hash calls (for random number generation) as compared to fixed weight ternary sampler.

I would be grateful if someone could provide more insight on this.

Daniel S

1 Answer

3

There are a couple of misconceptions here.

Firstly, a Centred Binomial Distribution with $\eta=1$ has expected Hamming density 0.5. In particular, it is possible (although unlikely) that the CBD will return the all zeroes polynomial (Hamming weight/density 0). This would lead to a very weak instance of all of the various systems. More generally, very low Hamming weight/density polynomials lead to weaker instances, which fixed Hamming weight solutions avoid.

Secondly, the number of random number generator calls is an implementation dependent characteristic. Most implementations of fixed Hamming weight methods use inefficient shuffling methods rather than the information theoretically optimal combinatorial number methods. If the best (though arguably more complicated) methods are used, fixed Hamming weight methods with $k$ coefficients equal to $+1$ and $k$ coefficients equal to $-1$ require entropy $$\log\left(\binom nk\binom{n-k}k\right)$$ whereas the CBD with $\eta=1$ would require entropy $$\log 4^n.$$

Another property when working in rings mod $X^n-1$ is that balanced polynomials (such as those returned by fixed Hamming weight, balanced methods) do not reveal any information when projected down to the subring of polynomials mod $X-1$ as they all project to the zero polynomial.

Daniel S
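The entropy comparison and the combinatorial number method mentioned in the answer above, as an added example that is not part of the original post: a uniform integer below $\binom nk\binom{n-k}k$ is unranked into a vector with $k$ coefficients $+1$ and $k$ coefficients $-1$. The function names and the parameters $n=256$, $k=64$ are assumptions chosen for illustration.

```python
import math
import secrets

def unrank_subset(rank, m, k):
    """k-subset of range(m) at lexicographic index `rank` (combinatorial number system)."""
    chosen, x = [], 0
    while k > 0:
        with_x = math.comb(m - x - 1, k - 1)  # remaining subsets that contain x
        if rank < with_x:
            chosen.append(x)
            k -= 1
        else:
            rank -= with_x
        x += 1
    return chosen

def unrank_ternary(rank, n, k):
    """Bijection from [0, C(n,k)*C(n-k,k)) to vectors with k (+1)s and k (-1)s."""
    r_minus, r_plus = divmod(rank, math.comb(n, k))
    plus = unrank_subset(r_plus, n, k)
    taken = set(plus)
    free = [i for i in range(n) if i not in taken]  # slots left for the -1s
    vec = [0] * n
    for i in plus:
        vec[i] = 1
    for j in unrank_subset(r_minus, n - k, k):
        vec[free[j]] = -1
    return vec

def fixed_weight_count(n, k):
    return math.comb(n, k) * math.comb(n - k, k)

def sample_fixed_weight(n, k):
    # One uniform integer selects the vector. secrets.randbelow rejects
    # out-of-range draws, so it may consume slightly more than log2(count) bits.
    # The unranking branches on secret data: this is not constant-time code.
    return unrank_ternary(secrets.randbelow(fixed_weight_count(n, k)), n, k)

def entropy_bits_fixed(n, k):
    return math.log2(fixed_weight_count(n, k))

def entropy_bits_cbd1(n):
    return 2 * n  # log2(4^n): two uniform bits per coefficient

if __name__ == "__main__":
    n, k = 256, 64  # constructed parameters, not taken from any scheme
    print(f"fixed weight: {entropy_bits_fixed(n, k):.1f} bits, CBD_1: {entropy_bits_cbd1(n)} bits")
    print("sum of coefficients (image mod X-1):", sum(sample_fixed_weight(n, k)))
```

Every sampled vector sums to zero, which is the projection to the subring mod $X-1$ that the answer's last paragraph refers to.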