sampling algorithms for lattice gaussian codes

Sampling Algorithms for Lattice Gaussian Codes based on joint work - PowerPoint PPT Presentation



  1. Lattice Coding & Crypto Meeting. Antonio Campello. Sampling Algorithms for Lattice Gaussian Codes, based on joint work with J.-C. Belfiore (Huawei Technologies France)

  2. Discrete Gaussian Measures

     $f : \mathbb{R}^n \to \mathbb{R}^+$, with $f(x) \propto e^{-\|x\|^2/2\sigma^2}$:

     $$f(x) = \frac{1}{\left(\sqrt{2\pi\sigma^2}\right)^n}\, e^{-\|x\|^2/2\sigma^2}$$

     $D : \Lambda \to [0,1]$, where $\Lambda$ is a discrete set, with $D(x) \propto e^{-\|x\|^2/2\sigma^2}$:

     $$D(x) = \frac{e^{-\|x\|^2/2\sigma^2}}{\sum_{x \in \Lambda} e^{-\|x\|^2/2\sigma^2}}$$

  3. Discrete Gaussian Measures

     - In Computer Science (lattice-based crypto): decoding algorithms [Klein ’2000], homomorphic encryption, identity-based encryption [Regev ’05], complexity reductions
     - In Mathematics: discrete Fourier analysis, transference theorems ([Banaszczyk ’92], [Cai ’03]), theta series, …
     - In Communications: non-uniform signaling [Kschischang and Pasupathy ’93], semantically secure codes [Ling et al. ’15], capacity achieving in the AWGN [Ling and Belfiore ’15], compound and ergodic fading channels [Campello, Ling and Belfiore ’16]
     - In Mechanical Statistics: Maxwell-Boltzmann distribution
     - …


  5. Lattice Gaussian Sampling Problem

     A lattice is a discrete subgroup of $\mathbb{R}^n$.

     Sampling Algorithm: Given a lattice $\Lambda$ and a parameter $\sigma > 0$, outputs a point $x \in \Lambda$ with probability

     $$D_{\Lambda,\sigma}(x) = \frac{e^{-\|x\|^2/2\sigma^2}}{\sum_{x \in \Lambda} e^{-\|x\|^2/2\sigma^2}}$$

     Non-centered version:

     $$D_{\Lambda+c,\sigma}(x) = \frac{e^{-\|x+c\|^2/2\sigma^2}}{\sum_{x \in \Lambda} e^{-\|x+c\|^2/2\sigma^2}}$$

  6. Motivation: Simulating Probabilistic Shaping

     Lattice codes for the Gaussian channel:
     - Transmitter maps a « message » to a lattice point $x \in \Lambda$
     - Receiver observes a distorted version $y = x + z$, $z \sim \mathcal{N}(0, \sigma_c^2)$, and guesses $\hat{x}$ in order to minimize the error probability $P(\hat{x} \neq x)$

     Messages are constrained (power-constraint):

     $$\frac{1}{n} E\left[\|x\|^2\right] \le P$$

  7. Motivation: Simulating Probabilistic Shaping

     Messages are constrained (power-constraint): $\frac{1}{n} E\left[\|x\|^2\right] \le P$

     Deterministic Shaping: Choose a shaping region $S \subset \mathbb{R}^n$ and a code $S \cap \Lambda$
     - e.g. cube, ball, or Voronoi region of sub-lattice

     Probabilistic Shaping: Pick $x \sim D_{\Lambda,\sigma}$ (and adjust variance) [Forney ’89]

     Coding gain versus shaping gain

     How to sample the lattices with best coding gain? (known in low dimensions)

  8. Lattice Gaussian Sampling Problem

     Hardness: In general, as hard as finding the shortest vector in a lattice [Aggarwal et al ’14] and [Stephens-Davidowitz ’15].

     Universal algorithms (the Metropolis-Hastings-Klein algorithm) perform slowly over specific lattices. E.g.: the 24-dim Leech lattice with $\sigma = 1/\sqrt{2\pi}$ requires 24 × 13434 = 322416 calls of a uni-dimensional sampler [Wang, Ling ’14]

     In Communications: sampling from special lattices (constructed from error correcting codes, having decomposition as union of cosets, etc…). Applications: towards Gaussian shaping, lattice decoding.

     Insights between lattice Gaussian codes and theta series

  9. Gaussian Measures: One Dimensional. [Plot over $x \in [-6, 6]$, $\sigma = 2.5$]

  10. Gaussian Measures: One Dimensional. [Plot over $x \in [-6, 6]$, $\sigma = 1.5$]

  11. Gaussian Measures: One Dimensional. [Plot over $x \in [-6, 6]$, $\sigma = 0.5$]

  12. Gaussian Measures: One Dimensional. [Plot over $x \in [-6, 6]$, $\sigma = 0.1$]

  13. Gaussian Measures: One Dimensional. [Plot over $x \in [-6, 6]$, $\sigma = 5 \times 10^3$]

  14. One Dimensional Sampler (not so fast…)

      Wrong Idea: Generate $x \sim \mathcal{N}(0, \sigma^2)$ and output $\lfloor x \rceil$

      [Plot over $x \in [-4, 4]$]
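How far the rounded continuous Gaussian is from the discrete Gaussian on the integers can be computed directly. The following is an added example, not taken from the slides; the function names are illustrative and the discrete normaliser is truncated at a finite radius (an assumption that is harmless at these widths).

```python
import math

def discrete_gaussian_pmf(sigma, radius):
    """D_{Z,sigma}(k) for |k| <= radius (normalising sum truncated at radius)."""
    w = {k: math.exp(-k * k / (2 * sigma ** 2)) for k in range(-radius, radius + 1)}
    total = sum(w.values())
    return {k: v / total for k, v in w.items()}

def rounded_gaussian_pmf(sigma, radius):
    """P(round(x) = k) for x ~ N(0, sigma^2): Gaussian mass of [k - 1/2, k + 1/2]."""
    def cdf(t):
        return 0.5 * (1 + math.erf(t / (sigma * math.sqrt(2))))
    return {k: cdf(k + 0.5) - cdf(k - 0.5) for k in range(-radius, radius + 1)}

def statistical_distance(sigma):
    """Total variation distance between the two laws on the integers."""
    radius = max(10, math.ceil(12 * sigma))
    d = discrete_gaussian_pmf(sigma, radius)
    r = rounded_gaussian_pmf(sigma, radius)
    return 0.5 * sum(abs(d[k] - r[k]) for k in d)

if __name__ == "__main__":
    # Widths used in the one-dimensional plots of the preceding slides.
    for sigma in (0.1, 0.5, 1.5, 2.5):
        d0 = discrete_gaussian_pmf(sigma, 10)[0]
        r0 = rounded_gaussian_pmf(sigma, 10)[0]
        print(f"sigma={sigma}: D(0)={d0:.5f} rounded(0)={r0:.5f} "
              f"distance={statistical_distance(sigma):.5f}")
```

The gap is largest for narrow distributions (about 0.10 at σ = 0.5) and shrinks as σ grows, but it never vanishes, because rounding adds the variance of the rounding error to σ².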

  15. One Dimensional Sampler

      Rejection Algorithm [Brakerski et al. ’13]

      Set $I = \{c - l, c - (l - 1), \ldots, 1 - c, c, \ldots, c + l\}$ and calculate

      $$p_I = D_{\sigma^2, \mathbb{Z}+c}(I), \qquad p'(i) = D_{\sigma^2, \mathbb{Z}+c}(i)/p_I, \quad i \in I$$

      1) With probability $p_I$ sample on the finite distribution in $I$
      2) With probability $(1 - p_I)$ sample on $I^c$ by a rejection principle

      Sampling on $I^c$: Choose between positive or negative side. Ex: (+)
      - Generate continuous Gaussian $y$ in $[c + l, +\infty]$
      - Output $x = \lceil y - c \rceil + c$ with prob. $e^{-x^2/2\sigma^2} / e^{-y^2/2\sigma^2}$
      - Otherwise Repeat

      [Plot: vertical axis from 0.75 to 1.00, horizontal axis $\sigma$ from 0 to 8]

  16. Lattices and Theta Series

      Definition:

      $$\Theta_{\Lambda+c}(q) := \sum_{y \in \Lambda+c} q^{\|y\|^2}$$

      $$\Theta_{\Lambda+c}(\tau) := \sum_{y \in \Lambda+c} e^{-\pi\tau\|y\|^2} = \sum_{x \in \Lambda} e^{-\pi\tau\|x+c\|^2}$$

      Important easily numerically calculated one-dimensional theta series:

      $$\theta_2(\tau) := \sum_{m=-\infty}^{\infty} q^{(m+1/2)^2}, \qquad \theta_3(\tau) := \sum_{m=-\infty}^{\infty} q^{m^2}$$

      $$\Theta_{\mathbb{Z}+c}(\tau) = \sum_{m=-\infty}^{\infty} e^{-\pi\tau(m+c)^2} = \tau^{-1/2} \sum_{m=-\infty}^{\infty} e^{2\pi i m c - \pi m^2/\tau} = \tau^{-1/2}\, \theta_3(\pi c \mid i\tau^{-1})$$

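  17. Lattices and Theta Series

      Important properties:

      $$\Theta_{\Lambda_1 \oplus \Lambda_2}(\tau) = \Theta_{\Lambda_1}(\tau)\,\Theta_{\Lambda_2}(\tau)$$

      $$\Theta_{\alpha\Lambda}(\tau) = \Theta_{\Lambda}(\alpha^2\tau)$$

      $$\Theta_{\Lambda_1 \cup \Lambda_2}(\tau) = \Theta_{\Lambda_1}(\tau) + \Theta_{\Lambda_2}(\tau)$$

      Example: Theta Series of $\mathbb{Z}^n$

      $$\Theta_{\mathbb{Z}^n}(\tau) = \Theta_{\mathbb{Z}}(\tau)^n = \theta_3(\tau)^n$$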

  18. From Theta Series to Sampling

      Hexagonal lattice

      $$A_2 = \left\{ (x_1, x_2) \begin{pmatrix} 1 & 0 \\ \frac{1}{2} & \frac{\sqrt{3}}{2} \end{pmatrix} : x_1, x_2 \in \mathbb{Z} \right\}$$

      $$\Theta_{A_2}(\tau) = \theta_3(\tau)\,\theta_3(3\tau) + \theta_2(\tau)\,\theta_2(3\tau)$$

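  19. From Theta Series to Sampling

      Hexagonal lattice

      $$A_2 = \left(\mathbb{Z} \oplus \sqrt{3}\,\mathbb{Z}\right) \cup \left(\mathbb{Z} \oplus \sqrt{3}\,\mathbb{Z} + \left(\tfrac{1}{2}, \tfrac{\sqrt{3}}{2}\right)\right)$$

      $$\Theta_{A_2}(\tau) = \theta_3(\tau)\,\theta_3(3\tau) + \theta_2(\tau)\,\theta_2(3\tau)$$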

  20. From Theta Series to Sampling

      Hexagonal lattice

      $$p = D_{A_2,\sigma}\left(\mathbb{Z} \oplus \sqrt{3}\,\mathbb{Z}\right) = \frac{\theta_3\left(\frac{1}{2\pi\sigma^2}\right)\theta_3\left(\frac{3}{2\pi\sigma^2}\right)}{\theta_3\left(\frac{1}{2\pi\sigma^2}\right)\theta_3\left(\frac{3}{2\pi\sigma^2}\right) + \theta_2\left(\frac{1}{2\pi\sigma^2}\right)\theta_2\left(\frac{3}{2\pi\sigma^2}\right)}$$

      Algorithm
      1) Throw a biased coin with probability $p$ of heads
      2) If heads, sample in the blue coset
      3) If tails, sample in the red coset

      Sampling in each coset is possible by invoking the $\mathbb{Z}$-sampler twice.

  21. Coset Decompositions

      Generalization to more general coset decompositions.

      Construction A lattices $\Lambda = 2\mathbb{Z}^n + C$: the coset corresponding to a codeword of weight $w$ has theta series

      $$\theta_2(4\tau)^w\, \theta_3(4\tau)^{n-w}$$

      Suppose there are $A_w$ codewords of given weight $w$. The probability that a discrete distribution falls in some coset of a codeword of weight $w$ is

      $$\frac{A_w\, \theta_2(4\tau)^w\, \theta_3(4\tau)^{n-w}}{\Theta_\Lambda(\tau)}$$

      General Idea
      1) Pick a weight $w$ with probability $p_w$
      2) Pick a word $c$ of weight $w$ uniformly at random
      3) Sample in the coset $2\mathbb{Z}^n + c$

  22. The lattice Dn

      Construction A lattices (best coding gains dimensions 3,4,5), $D_n = 2\mathbb{Z}^n + P_n$ where $P_n$ is a parity check code

      $$\{ (x_1, \ldots, x_n) \in \mathbb{F}_2^n : x_1 + \ldots + x_n \equiv 0 \bmod 2 \}$$

      There are $\binom{n}{2l}$ vectors of weight $2l$.

      The probability of picking such a coset is

      $$p_{2l} = \binom{n}{2l} \frac{\Theta_{\mathbb{Z}+\frac{1}{2}}(4\tau)^{2l}\, \Theta_{\mathbb{Z}}(4\tau)^{n-2l}}{\Theta_{D_n}(\tau)}$$

  23. The lattice Dn

      Algorithm
      1) Pick a number $l \in \{1, \ldots, \lfloor n/2 \rfloor\}$ with probability $p_{2l}$.
      2) Pick a subset $J \subset \{1, \ldots, n\}$ with size $2l$
      3) For $j \in J$: $x_j \leftarrow \mathrm{Sampler}_{\mathbb{Z}+\frac{1}{2}}(2\tau)$
      4) For $j \notin J$: $x_j \leftarrow \mathrm{Sampler}_{\mathbb{Z}}(2\tau)$

      Generalizations to shifts by vectors of type $(\alpha, \beta, \beta, \ldots, \beta)$
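The coset-decomposition idea (the biased coin for the hexagonal lattice, the general Construction A recipe, and the Dn algorithm above) can be carried through for Dn as follows. This is an added example, not code from the slides: the function names are illustrative, the one-dimensional sampler is a truncated probability table standing in for an exact sampler, coordinates are drawn directly as even or odd integers with weight exp(-x²/2σ²) (so τ = 1/(2πσ²)), and the weight index starts at 0 so that the coset 2Zⁿ itself is included.

```python
import math
import random

def coset_weights(sigma, parity, radius):
    """Points of 2Z + parity within the radius and their weights exp(-x^2 / 2 sigma^2)."""
    pts = [k for k in range(-radius, radius + 1) if k % 2 == parity]
    return pts, [math.exp(-k * k / (2 * sigma ** 2)) for k in pts]

def weight_probabilities(n, sigma, radius):
    """p_{2l} for l = 0..floor(n/2): mass of the cosets of weight-2l codewords."""
    even_mass = sum(coset_weights(sigma, 0, radius)[1])  # theta_3(4 tau)
    odd_mass = sum(coset_weights(sigma, 1, radius)[1])   # theta_2(4 tau)
    terms = [math.comb(n, w) * odd_mass ** w * even_mass ** (n - w)
             for w in range(0, n + 1, 2)]
    total = sum(terms)                                   # Theta_{D_n}(tau)
    return [t / total for t in terms]

def sample_dn(n, sigma, rng, radius=None):
    """Draw one point of D_n with probability proportional to exp(-||x||^2 / 2 sigma^2)."""
    radius = radius or max(12, math.ceil(12 * sigma))
    probs = weight_probabilities(n, sigma, radius)
    w = 2 * rng.choices(range(len(probs)), weights=probs)[0]  # step 1: weight 2l
    J = set(rng.sample(range(n), w))                          # step 2: support of size 2l
    x = []
    for j in range(n):                                        # steps 3 and 4
        pts, wts = coset_weights(sigma, 1 if j in J else 0, radius)
        x.append(rng.choices(pts, weights=wts)[0])
    return x

if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the demonstration is repeatable
    print([round(p, 4) for p in weight_probabilities(4, 1.0, 12)])
    for _ in range(5):
        print(sample_dn(4, 1.0, rng))
```

The table-based one-dimensional step is neither exact nor constant-time; a cryptographic implementation would replace it with a vetted sampler.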

  24. Coset Decompositions

      Real Constructions (A and B)

      $\Lambda_A(C) = 2\mathbb{Z}^n + C$ and $\Lambda_B(C) = 4\mathbb{Z}^n + 2P_n + C$.

      $\Lambda_B(C) = 2D_n + C$, where $D_n = \Lambda_A(P_n)$

      Complex Constructions (A and B)

      $\Lambda_A(C) = \theta\,\mathbb{Z}[\omega]^n + C$ and $\Lambda_B(C) = \theta^2\,\mathbb{Z}[\omega]^n + \theta P_n + C$,

      where $\mathbb{Z}[\omega] = \{a + b\omega : a, b \in \mathbb{Z}\}$, and $\theta$ is a prime of norm $p$
