
In lattice cryptography, we always face the problem of discrete Gaussian sampling. For beginners, it is a bit complex. However, Gaussian sampling from a continuous space is much easier to understand, and a lot of tools are available. Say, we can use MATLAB to do Gaussian sampling very efficiently. So, I want to know what the difference is between the following two processes:

(1) discrete-then-gaussian: Just as required in many lattice cryptography papers.

(2) gaussian-then-discrete: At first, get continuous Gaussian samples, say by using MATLAB, and then perform nearest-rounding operations, i.e., discretize to the nearest integers.

Licheng Wang
  • The resulting distributions of (1) and (2) are not quite the same, and in some applications even a tiny difference in these distributions can be fatal for proving/guaranteeing security. – TMM Apr 18 '19 at 01:11
  • @TMM Thanks! Can you give me more references or explanations on the differences? – Licheng Wang Apr 18 '19 at 06:10
  • Simply from looking at both definitions you should be able to see there is no immediate reason for the two distributions to be equivalent - sure, they both mimic a continuous Gaussian on a discrete set, but the probability mass function is different. – TMM Apr 18 '19 at 23:53
  • @TMM But in Regev05, what is proven secure (i.e. reduces to GapSVP) is the use of the "gaussian-then-discrete" version. I started this thread to talk about the security of the discrete-then-gaussian approach https://crypto.stackexchange.com/questions/88685/lwe-round-a-continuous-gaussian-to-a-true-discrete-gaussian/88686?noredirect=1#comment195330_88686 – Léo Colisson Mar 07 '21 at 07:38
  • Thanks for your wonderful answer! – Licheng Wang Sep 21 '23 at 02:49

1 Answer


I've seen a paper that may be related to this question. The following short paragraph of this paper explains the $\color{blue}{discrete}$ Gaussian distribution and the $\color{blue}{discretized}$ Gaussian distribution.

Reference: [Daniele Micciancio, Petros Mol. "Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to-Decision Reductions," In Crypto 2011, IACR 2011/521]


[Image: paragraph from the paper]


user1035648
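To make the difference between the two processes in the question concrete, the following added example (not part of the original question, answer or cited paper) computes both probability mass functions exactly over the integers and reports their statistical distance and variances. It assumes the parameterisation in which the discrete Gaussian puts weight exp(-k²/(2σ²)) on integer k and the continuous Gaussian is N(0, σ²); the function names and the tail cut-off of 15σ are illustrative choices.

```python
import math

def discrete_gaussian_pmf(sigma, tail):
    """Process (1): weight exp(-k^2 / (2 sigma^2)) on each integer k, normalised."""
    w = {k: math.exp(-k * k / (2 * sigma * sigma)) for k in range(-tail, tail + 1)}
    total = sum(w.values())
    return {k: v / total for k, v in w.items()}

def rounded_gaussian_pmf(sigma, tail):
    """Process (2): round N(0, sigma^2) to the nearest integer.
    P[k] is the normal probability mass on the interval [k - 1/2, k + 1/2)."""
    def cdf(x):
        return 0.5 * (1.0 + math.erf(x / (sigma * math.sqrt(2))))
    return {k: cdf(k + 0.5) - cdf(k - 0.5) for k in range(-tail, tail + 1)}

def statistical_distance(p, q):
    """Total variation distance between two PMFs on the same support."""
    return 0.5 * sum(abs(p[k] - q[k]) for k in p)

def variance(p):
    mean = sum(k * v for k, v in p.items())
    return sum((k - mean) ** 2 * v for k, v in p.items())

def compare(sigma):
    """Return (statistical distance, variance of (1), variance of (2))."""
    tail = int(15 * sigma)  # assumption: mass beyond 15 sigma is ignored
    d = discrete_gaussian_pmf(sigma, tail)
    r = rounded_gaussian_pmf(sigma, tail)
    return statistical_distance(d, r), variance(d), variance(r)

if __name__ == "__main__":
    for sigma in (1.0, 3.0, 10.0):
        dist, var_d, var_r = compare(sigma)
        # Rounding adds roughly 1/12 to the variance (Sheppard's correction),
        # so the two PMFs differ even though both look bell-shaped.
        print(f"sigma={sigma:5.1f}  distance={dist:.3e}  "
              f"var(discrete)={var_d:.6f}  var(rounded)={var_r:.6f}")
```

The distance shrinks as σ grows but stays many orders of magnitude above a bound such as 2^-40, so an argument that requires the exact discrete Gaussian cannot treat the rounded one as a drop-in replacement on statistical closeness alone.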