Questions tagged [reject-sampling]
6 questions
2
votes
0 answers
Security of Rejection Sampling parameters in Lattice-based cryptography
I have some security concerns about a parameter in both the rejection sampling algorithms from (for example) BLOOM: Bimodal Lattice One-Out-of-Many Proofs and Applications.
In Lemma 2.8, the value $M$ is linked to the acceptance probability of the…
gdalc
- 21
- 1
2
votes
2 answers
Is Constant-Time Uniform Sampling in $[-3, 3]\cap \mathbb{Z}$ Feasible?
I've been looking into private key sampling and noticed most use Gaussian or centered binomial distributions. Is it possible to achieve constant-time perfectly uniform sampling in $[-3, 3] \cap \mathbb{Z}$ (with 7 elements)? If not, why is it…
Terry Yu
- 55
- 4
2
votes
1 answer
Centered Binomial Distribution vs Fixed Weight Ternary Sampler
Fixed weight ternary polynomial vector sampler randomly selects a polynomial from ${R_q[x]}/{(x^n+1)}$ with coefficients $-1,1,0$. Notable KEMs that use fixed weight ternary samplers include NTRU, LIZARD, SMAUG-T, etc.
On the other hand, KEMs such…
Swaminathan V
- 161
- 8
1
vote
0 answers
Doubts regarding the ternary vector sampler in SMAUG-T KEM
SMAUG-T is an efficient post-quantum key encapsulation mechanism (KEM). It is the winner of the Korean PQC Competition.
SMAUG-T uses a Hamming Weight Sampler $HWT_h$ to sample secret polynomial vectors $s, r$ with Hamming weight $h_s$ and $h_r$…
Swaminathan V
- 161
- 8
1
vote
1 answer
Reject sampling of lattice ZKP, why need factor of M
I am watching the video https://www.youtube.com/live/N5nKGtugxYY?si=ejLqW8Pk0jD9lVMn&t=2098
Or particularly this slide:
May I ask why does the reject sampling output by $f(x)/g(x)*M$ probability? Why not just $f(x)/g(x)$?
Or, in other words, why…
js wang
- 381
- 1
- 10
0
votes
1 answer
Efficiently Sample Non-Zero element in Constant Time
Say I have a field $\mathbb{F}_q$ for prime modulus $q$, and I have a function random() that yields a uniformly random element of $\mathbb{F}_q$ in constant time.
How would you efficiently build a function random_non_zero() that yields a uniformly…
ibarrond
- 101
- 3