2

I've been looking into private key sampling and noticed most use Gaussian or centered binomial distributions. Is it possible to achieve constant-time perfectly uniform sampling in $[-3, 3] \cap \mathbb{Z}$ (with 7 elements)? If not, why is it theoretically impossible?

Terry Yu
  • 55
  • 4

2 Answers

6

I assume you have access to independent fair coin tosses, since that is the usual premise in cryptography.

If by constant-time you mean time independent of the output, then yes: you can use rejection sampling. For example, sample three independent fair coin tosses, interpreted as the bits of an integer $x \in [0,8)$, start over if $x = 0$, and otherwise return $x - 4$. Since the coin tosses are all independent, the time this takes is independent of the output. But the time it takes to return an output may be unbounded.

If by constant-time you mean time with a constant upper bound, i.e., a bounded finite number of coin tosses (and computation), then, well, your coin toss events are limited to rational probabilities with denominators that are powers of two, and you want a rational probability with a denominator that is seven, which you cannot get by any finite sums and products of ratios with power-of-two denominators.
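The two claims in this answer can both be checked exactly rather than statistically. The following is an added example (not code from the answer or the question): it runs the rejection sampler on every one of the $2^s$ possible coin-toss sequences of a fixed length $s$, so every outcome probability comes out as an exact dyadic fraction $k_x/2^s$, and it tallies how many 3-bit rounds each terminating run took, grouped by output value, which is the "time is independent of the output" property. The `BitTape`, `OutOfBits` and `uniform8` names are my own; `uniform8` is a contrast case with a power-of-two support, where exact uniformity is reachable in bounded time.

```python
from fractions import Fraction
from itertools import product


class OutOfBits(Exception):
    """Raised when a program asks for more coin tosses than the budget s allows."""


class BitTape:
    """Feeds one fixed sequence of fair-coin outcomes to a program, one bit at a time."""

    def __init__(self, bits):
        self.bits = list(bits)
        self.pos = 0

    def next_bit(self):
        if self.pos >= len(self.bits):
            raise OutOfBits
        b = self.bits[self.pos]
        self.pos += 1
        return b


def reject_sample(tape):
    """Rejection sampler from the answer above: read 3 bits as x in [0,8), restart on
    x == 0, otherwise return x - 4 in [-3, 3]."""
    while True:
        x = (tape.next_bit() << 2) | (tape.next_bit() << 1) | tape.next_bit()
        if x != 0:
            return x - 4


def uniform8(tape):
    """Contrast case: exactly uniform on 8 values, always 3 bits, no rejection."""
    return (tape.next_bit() << 2) | (tape.next_bit() << 1) | tape.next_bit()


def exact_distribution(program, s):
    """Run `program` on all 2^s coin-toss sequences of length s and tally outcomes.
    Returns {outcome: Fraction(k_x, 2^s)}; the key None counts runs that needed
    more than s bits (the 'no output within the budget' event)."""
    counts = {}
    for bits in product((0, 1), repeat=s):
        try:
            out = program(BitTape(bits))
        except OutOfBits:
            out = None
        counts[out] = counts.get(out, 0) + 1
    return {x: Fraction(k, 2 ** s) for x, k in counts.items()}


def is_exactly_uniform(dist, support):
    """True iff exactly the values in `support` occur, each with probability 1/|support|."""
    target = Fraction(1, len(support))
    return set(dist) == set(support) and all(dist[x] == target for x in support)


def rounds_by_output(s):
    """For every s-bit tape on which reject_sample terminates, record how many 3-bit
    rounds it used, grouped by output. Identical histograms for every output value
    means the running time carries no information about the value."""
    hist = {}
    for bits in product((0, 1), repeat=s):
        tape = BitTape(bits)
        try:
            out = reject_sample(tape)
        except OutOfBits:
            continue
        rounds = tape.pos // 3
        hist.setdefault(out, {})
        hist[out][rounds] = hist[out].get(rounds, 0) + 1
    return hist


if __name__ == "__main__":
    d = exact_distribution(reject_sample, 9)
    for x in sorted(k for k in d if k is not None):
        print(x, d[x])            # 73/512 each: never 1/7, denominator a power of two
    print("no output within 9 bits:", d[None])
    print("uniform on 8 values with 3 bits is exact:",
          is_exactly_uniform(exact_distribution(uniform8, 3), range(8)))
    print(rounds_by_output(6))    # same {1: 8, 2: 1} histogram for every output
```

With $s = 3m$ bits the sampler gives each value probability $(8^m-1)/(7\cdot 8^m)$, an integer over $2^{3m}$, and leaves $8^{-m}$ for "no output yet"; no choice of $m$ makes that exactly $1/7$, which is the denominator argument of the second paragraph made concrete.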

4

The problem with constant-time perfectly uniform sampling in $[-3,3] \cap \mathbb{Z}$, i.e. the set $\{-3,-2,-1,0,+1,+2,+3\}$, is that the set's cardinality $7$ is not a power of two.

When a program generates random outputs from at most $s$ uniformly random bits in $\{0,1\}$ (which I assume), then each possible outcome $x$ (including terminating with a certain output value, and the special case of not terminating with output) has some probability $p_x=k_x/2^s$ with $k_x\in\mathbb N$ and $2^s=\sum k_x$, or equivalently $1=\sum p_x$. Proof can be made by induction.

Any constant-time program terminates, and can only process at most a finite number $s$ of random bits, hence none of its outcomes can have probability exactly $p_x=k_x/2^s=1/7$, or more generally $p_x=1/m$ unless $m$ is a power of two.


We can use rejection sampling to generate the desired distribution in variable and unbounded time, but with that time independent of the value generated and thus leaking no information about that value, and the probability of exceeding a fixed time decreasing exponentially with time.

The algorithm can be to group $3$ uniformly random bits to form an integer in $[0,7]$ until that integer is not $7$; then subtract $3$ to get the final result.

This method is quite practical when generating a key, but does not answer the question as worded, which asks for "constant time".


We know how to generate in constant time a distribution indistinguishable from the desired distribution. One way is

  • $v\gets0$
  • repeat some fixed amount of times $n$ (e.g. $n=132$)
    here $v\in[0,6]$
    • $v\gets v+v+r$ where $r$ is a random bit
      here $v\in[0,13]$
    • $v\gets v-7$ iff $v\ge7$ in constant time, e.g. as $v\gets v-(8-(((v+1)\gg3))\&7)$
      here $v\in[0,6]$
  • $v\gets v-3$
    here $v\in[-3,3]$
  • output $v$.

The probability of each outcome is either $\left\lfloor2^n/7\right\rfloor/2^n$ or $\left\lceil2^n/7\right\rceil/2^n$, in the uniquely defined way such that the probability is nonincreasing with the outcome, and the probabilities sum to $1$. Proof can be made by induction. It follows the advantage of any distinguisher can't exceed $2^{\left\lceil\log_2(7)\right\rceil-n}$ or something similar.


We also know how to generate in constant time the desired distribution when there is a result, but with some rare combination of the random input bits such that there is no result. The probability of that failure can decrease exponentially with the constant computation time, down to well below the probability of failure of the computing device, thus that can be entirely practical.

The above code can be slightly modified for that: we ensure that $n$ is a multiple of $3$, so that $2^n\bmod 7=1$. We compute the OR of the $n$ bits $r$ used for the generation, and we output the final result selectively when that's $0$, which has probability $1-2^{-n}$.

Alternatively, rather than producing no output, we can retry from the start at the expense of not being constant-time. That's a variation of the rejection sampling method of the second section, lowering the probability to exceed some maximum number of random bits used, at the expense of a higher average number.

fgrieu
  • 149,326
  • 13
  • 324
  • 622
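The fixed-iteration sampler and its output-or-fail variant from this answer, as an added example that is not the answer's own code. Because the loop computes $v = X \bmod 7$ for $X$ the integer formed by the $n$ bits, the exact output distribution for any $n$ (including $n=132$, far beyond what enumeration can reach) follows from a 7-state count of how many bit strings land on each $v$; `exact_counts`, `statistical_distance` and `brute_counts` are my names for that check, the last being a brute-force cross-check for small $n$. In `ct_sample_or_fail` the all-zero bit string (the single surplus preimage of $v=0$ when $2^n \bmod 7 = 1$) is the one that yields no result, so a result is delivered with probability $1-2^{-n}$; the Python `if` at the end stands in for the masked select a constant-time implementation would use.

```python
from fractions import Fraction
from itertools import product


def ct_reduce_mod7(v):
    """Branch-free 'v <- v - 7 iff v >= 7' for v in [0, 13], as written in the answer."""
    return v - ((8 - ((v + 1) >> 3)) & 7)


def ct_sample(bits):
    """Fixed-iteration sampler: n = len(bits) rounds of v <- 2v + r reduced mod 7,
    then v - 3 in [-3, 3]. Work done never depends on the bit values."""
    v = 0
    for r in bits:
        v = ct_reduce_mod7(v + v + r)
    return v - 3


def ct_sample_or_fail(bits):
    """Output-or-fail variant: n a multiple of 3 so that 2^n mod 7 == 1. The all-zero
    string is the only surplus preimage (of v = 0), so OR-ing the bits and delivering
    a result only when that OR is 1 leaves an exactly uniform output."""
    assert len(bits) % 3 == 0, "n must be a multiple of 3"
    acc = 0
    for r in bits:
        acc |= r
    out = ct_sample(bits)          # always computed, so time is bit-independent
    return out if acc == 1 else None   # real code: constant-time masked select


def exact_counts(n, exclude_all_zero=False):
    """Number of n-bit strings that drive ct_sample to each final v in [0, 6].
    P(output = v - 3) is counts[v] / 2^n (or / (2^n - 1) in the fail variant)."""
    counts = [1] + [0] * 6         # before any bit is read, v == 0 with certainty
    for _ in range(n):
        nxt = [0] * 7
        for v, c in enumerate(counts):
            for r in (0, 1):
                nxt[ct_reduce_mod7(v + v + r)] += c
        counts = nxt
    if exclude_all_zero:
        counts[0] -= 1             # the all-zero string always ends at v == 0
    return counts


def brute_counts(n):
    """Cross-check of exact_counts by running ct_sample on all 2^n strings (small n)."""
    counts = [0] * 7
    for bits in product((0, 1), repeat=n):
        counts[ct_sample(bits) + 3] += 1
    return counts


def outcome_probabilities(n):
    """{outcome: exact probability} for the n-iteration constant-time sampler."""
    return {v - 3: Fraction(c, 2 ** n) for v, c in enumerate(exact_counts(n))}


def statistical_distance(n):
    """Total variation distance from exact uniform on 7 values; upper-bounds any
    distinguisher's advantage, and is at most 2^(3-n) as the answer states."""
    probs = outcome_probabilities(n)
    return sum(abs(p - Fraction(1, 7)) for p in probs.values()) / 2


if __name__ == "__main__":
    print(exact_counts(4))             # [3, 3, 2, 2, 2, 2, 2]: nonincreasing in v
    print(exact_counts(6, exclude_all_zero=True))   # [9]*7: exactly uniform
    print(statistical_distance(132) <= Fraction(1, 2 ** 129))
```

For $n=132$ the counts are $\lfloor 2^{132}/7\rfloor + 1$ for $v=0$ and $\lfloor 2^{132}/7\rfloor$ for the other six, since $2^{132} \bmod 7 = 1$; dropping the all-zero string makes all seven equal, which is exactly why the fail variant needs $n$ to be a multiple of $3$.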