Sampling Algorithms for Lattice Gaussian Codes
Lattice Coding & Crypto Meeting based on joint work with J.-C. Belfiore (Huawei Technologies France)
Antonio Campello
Discrete Gaussian Measures
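$$f(x) = \frac{1}{(\sqrt{2\pi\sigma^2})^n}\, e^{-\frac{\|x\|^2}{2\sigma^2}}, \qquad f : \mathbb{R}^n \to \mathbb{R}^+, \qquad f(x) \propto e^{-\frac{\|x\|^2}{2\sigma^2}}$$
$$D(x) = \frac{e^{-\frac{\|x\|^2}{2\sigma^2}}}{\sum_{x \in \Lambda} e^{-\frac{\|x\|^2}{2\sigma^2}}}, \qquad D : \Lambda \to [0, 1], \qquad D(x) \propto e^{-\frac{\|x\|^2}{2\sigma^2}}$$
$\Lambda$ is a discrete set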
In Computer Science (lattice-based crypto): decoding algorithms [Klein ’2000], homomorphic encryption, identity-based encryption [Regev ’05], complexity reductions
In Mathematics: discrete Fourier analysis, transference theorems ([Banaszczyk ’92], [Cai ’03]), theta series, …
In Communications: non-uniform signaling [Kschischang and Pasupathy ’93], semantically secure codes [Ling et al. ’15], capacity achieving in the AWGN [Ling and Belfiore ’15], compound and ergodic fading channels [Campello, Ling and Belfiore ’16]
In Statistical Mechanics: Maxwell-Boltzmann distribution …
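A lattice is a discrete subgroup of $\mathbb{R}^n$.
Given a lattice $\Lambda$ and a parameter $\sigma > 0$, outputs a point with probability
$$D_{\Lambda,\sigma}(x) = \frac{e^{-\frac{\|x\|^2}{2\sigma^2}}}{\sum_{x \in \Lambda} e^{-\frac{\|x\|^2}{2\sigma^2}}}$$
Non-centered version:
$$D_{\Lambda+c,\sigma}(x) = \frac{e^{-\frac{\|x+c\|^2}{2\sigma^2}}}{\sum_{x \in \Lambda} e^{-\frac{\|x+c\|^2}{2\sigma^2}}}$$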
$\mathcal{N}(0, \sigma_c^2)$
Hardness: In general, as hard as finding the shortest vector in a lattice [Aggarwal et al. ’14] and [Stephens-Davidowitz ’15].
Universal algorithms (the Metropolis-Hastings-Klein algorithm) are slow: $24 \times 13434 = 322416$ calls of a uni-dimensional sampler [Wang, Ling ’14], with $\sigma = 1/\sqrt{2\pi}$.
In Communications: sampling from special lattices (constructed from error-correcting codes, having a decomposition as a union of cosets, etc.).
Applications: towards Gaussian shaping, lattice decoding.
Insights between lattice Gaussian codes and theta series.
Wrong Idea: Generate $x \sim \mathcal{N}(0, \sigma^2)$ and output $\lfloor x \rceil$.
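Why rounding a continuous Gaussian is the wrong idea, as an added example that is not part of the original slides: it computes both distributions on $\mathbb{Z}$ exactly and reports their statistical distance and variances. The function names and the 12σ truncation of the support are assumptions made for this illustration.

```python
import math

def discrete_gaussian_pmf(sigma, support):
    """D_{Z,sigma}(k): exp(-k^2 / (2 sigma^2)) normalised over the support."""
    w = {k: math.exp(-k * k / (2 * sigma ** 2)) for k in support}
    z = sum(w.values())
    return {k: v / z for k, v in w.items()}

def rounded_gaussian_pmf(sigma, support):
    """P(round(x) = k) for x ~ N(0, sigma^2): Gaussian mass of [k - 1/2, k + 1/2]."""
    def cdf(t):
        return 0.5 * (1 + math.erf(t / (sigma * math.sqrt(2))))
    return {k: cdf(k + 0.5) - cdf(k - 0.5) for k in support}

def variance(pmf):
    mean = sum(k * p for k, p in pmf.items())
    return sum((k - mean) ** 2 * p for k, p in pmf.items())

def compare(sigma, tail=12):
    """Return (statistical distance, Var of D_{Z,sigma}, Var of rounded Gaussian)."""
    r = int(math.ceil(tail * sigma)) + 1      # assumed truncation of the support
    support = range(-r, r + 1)
    d = discrete_gaussian_pmf(sigma, support)
    g = rounded_gaussian_pmf(sigma, support)
    dist = 0.5 * sum(abs(d[k] - g[k]) for k in support)
    return dist, variance(d), variance(g)

if __name__ == "__main__":
    for s in (1 / math.sqrt(2 * math.pi), 0.5, 1.0, 2.0, 4.0):
        dist, vd, vg = compare(s)
        print(f"sigma={s:.3f}  distance={dist:.5f}  var_D={vd:.4f}  var_rounded={vg:.4f}")
```

The gap is largest for small σ, and for larger σ the rounded variable keeps an excess variance of about 1/12 that the discrete Gaussian does not have.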
Rejection Algorithm [Brakerski et al. ’13]
Set $I = \{c - l, c - (l - 1), \ldots, c - 1, c, \ldots, c + l\}$ and calculate $p_I = D_{\sigma^2,\mathbb{Z}+c}(I)$.
1) With probability $p_I$, sample on the finite distribution $p'(i) = D_{\sigma^2,\mathbb{Z}+c}(i)/p_I$, $i \in I$, in $I$.
2) With probability $(1 - p_I)$, sample on $I^c$ by a rejection principle.
Sampling on $I^c$: choose between positive or negative side. Ex: (+)
Generate $y$ continuous Gaussian in $[c + l, +\infty]$.
Output $x = \lceil y - c \rceil + c$ with prob. $e^{-x^2/2\sigma^2} / e^{-y^2/2\sigma^2}$.
Otherwise repeat.
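Definition:
$$\Theta_{\Lambda+c}(\tau) := \sum_{y \in \Lambda+c} e^{-\pi\tau\|y\|^2} = \sum_{x \in \Lambda} e^{-\pi\tau\|x+c\|^2}, \qquad \Theta_{\Lambda+c}(q) := \sum_{y \in \Lambda+c} q^{\|y\|^2}$$
Important easily numerically calculated one-dimensional theta series:
$$\theta_2(\tau) := \sum_{m=-\infty}^{\infty} q^{(m+1/2)^2}, \qquad \theta_3(\tau) := \sum_{m=-\infty}^{\infty} q^{m^2}$$
$$\Theta_{\mathbb{Z}+c}(\tau) = \sum_{m=-\infty}^{\infty} e^{-\pi\tau(m+c)^2} = \tau^{-1/2} \sum_{m=-\infty}^{\infty} e^{2\pi i m c - \pi m^2/\tau} = \tau^{-1/2}\,\theta_3(\pi c \mid i\tau^{-1})$$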
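Important properties:
$$\Theta_{\Lambda_1 \oplus \Lambda_2}(\tau) = \Theta_{\Lambda_1}(\tau)\,\Theta_{\Lambda_2}(\tau), \qquad \Theta_{\alpha\Lambda}(\tau) = \Theta_{\Lambda}(\alpha^2\tau), \qquad \Theta_{\Lambda_1 \cup \Lambda_2}(\tau) = \Theta_{\Lambda_1}(\tau) + \Theta_{\Lambda_2}(\tau)$$
Example: Theta series of $\mathbb{Z}^n$:
$$\Theta_{\mathbb{Z}^n}(\tau) = \Theta_{\mathbb{Z}}(\tau)^n = \theta_3(\tau)^n$$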
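Hexagonal lattice
$$A_2 = \left\{ (x_1, x_2) \begin{pmatrix} 1 & 0 \\ \frac{1}{2} & \frac{\sqrt{3}}{2} \end{pmatrix} : x_1, x_2 \in \mathbb{Z} \right\}$$
$$A_2 = \left( \mathbb{Z} \oplus \sqrt{3}\mathbb{Z} \right) \cup \left( \mathbb{Z} \oplus \sqrt{3}\mathbb{Z} + \left( \tfrac{1}{2}, \tfrac{\sqrt{3}}{2} \right) \right)$$
$$\Theta_{A_2}(\tau) = \theta_3(\tau)\theta_3(3\tau) + \theta_2(\tau)\theta_2(3\tau)$$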
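Sampling in each coset is possible by invoking the $\mathbb{Z}$-sampler twice.
$$p = D_{A_2,\sigma}(\mathbb{Z} \oplus \sqrt{3}\mathbb{Z}) = \frac{\theta_3\!\left(\frac{1}{2\pi\sigma^2}\right)\theta_3\!\left(\frac{3}{2\pi\sigma^2}\right)}{\theta_3\!\left(\frac{1}{2\pi\sigma^2}\right)\theta_3\!\left(\frac{3}{2\pi\sigma^2}\right) + \theta_2\!\left(\frac{1}{2\pi\sigma^2}\right)\theta_2\!\left(\frac{3}{2\pi\sigma^2}\right)}$$
1) Throw a biased coin with probability $p$ of heads
2) If heads, sample in the blue coset
3) If tails, sample in the red coset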
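The coin-then-coset sampler for the hexagonal lattice, as an added example that is not code from the slides. The truncated table sampler for $\mathbb{Z}$ + shift, the series truncation and all function names are assumptions made for this illustration; the brute-force routine checks the theta-series coin probability against direct enumeration.

```python
import math
import random

def theta(tau, shift, terms=60):
    """sum_m exp(-pi*tau*(m+shift)^2): theta_3 for shift=0, theta_2 for shift=1/2."""
    return sum(math.exp(-math.pi * tau * (m + shift) ** 2)
               for m in range(-terms, terms + 1))

def sample_z_coset(sigma, shift, rng, tail=12):
    """Draw from D_{Z+shift,sigma} on a truncated support (assumed 1-D sampler)."""
    r = int(math.ceil(tail * sigma)) + 1
    pts = [m + shift for m in range(-r, r + 1)]
    wts = [math.exp(-x * x / (2 * sigma ** 2)) for x in pts]
    return rng.choices(pts, weights=wts)[0]

def coin_probability(sigma):
    """p = D_{A2,sigma}(Z + sqrt(3)Z), with tau = 1/(2*pi*sigma^2)."""
    t = 1 / (2 * math.pi * sigma ** 2)
    a = theta(t, 0.0) * theta(3 * t, 0.0)   # theta_3(tau) theta_3(3 tau)
    b = theta(t, 0.5) * theta(3 * t, 0.5)   # theta_2(tau) theta_2(3 tau)
    return a / (a + b)

def sample_a2(sigma, rng):
    """Biased coin, then two calls of the Z-sampler inside the chosen coset."""
    shift = 0.0 if rng.random() < coin_probability(sigma) else 0.5
    x1 = sample_z_coset(sigma, shift, rng)
    # sqrt(3)(Z+shift) at width sigma is sqrt(3) times (Z+shift) at width sigma/sqrt(3)
    x2 = math.sqrt(3) * sample_z_coset(sigma / math.sqrt(3), shift, rng)
    return (x1, x2)

def brute_force_probability(sigma, r=40):
    """Same mass, enumerating points a*(1,0) + b*(1/2, sqrt(3)/2) directly."""
    inside = total = 0.0
    for a in range(-r, r + 1):
        for b in range(-r, r + 1):
            x, y = a + b / 2, b * math.sqrt(3) / 2
            w = math.exp(-(x * x + y * y) / (2 * sigma ** 2))
            total += w
            if b % 2 == 0:      # even b lands in Z + sqrt(3)Z
                inside += w
    return inside / total
```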
Generalization to more general coset decompositions.
Construction A lattices $\Lambda = 2\mathbb{Z}^n + C$: the coset corresponding to a codeword of weight $w$ has theta series $\theta_2(4\tau)^w \theta_3(4\tau)^{n-w}$.
Suppose there are $A_w$ codewords of given weight $w$. The probability that a discrete distribution falls in some coset of a codeword of weight $w$ is
$$p_w = \frac{A_w\, \theta_2(4\tau)^w \theta_3(4\tau)^{n-w}}{\Theta_\Lambda(\tau)}$$
1) Pick a weight $w$ with probability $p_w$
2) Pick a word of weight $w$ uniformly at random
3) Sample in the coset $2\mathbb{Z}^n + c$
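The three-step weight-based sampler for $\Lambda = 2\mathbb{Z}^n + C$, as an added example that is not code from the slides. The sample code (even-weight words of length 3), the truncation radii and the function names are constructed for this illustration; the brute-force routine checks the weight probabilities against direct enumeration of lattice points.

```python
import math
import random
from collections import Counter
from itertools import product

def theta(tau, shift, terms=60):
    """theta_3 (shift=0) or theta_2 (shift=1/2) as a truncated sum."""
    return sum(math.exp(-math.pi * tau * (m + shift) ** 2)
               for m in range(-terms, terms + 1))

def weight_probabilities(code, sigma):
    """p_w = A_w theta_2(4tau)^w theta_3(4tau)^(n-w) / Theta_Lambda(tau)."""
    n, tau = len(code[0]), 1 / (2 * math.pi * sigma ** 2)
    t2, t3 = theta(4 * tau, 0.5), theta(4 * tau, 0.0)
    A = Counter(sum(c) for c in code)                 # weight enumerator A_w
    mass = {w: A[w] * t2 ** w * t3 ** (n - w) for w in A}
    total = sum(mass.values())                        # cosets partition Lambda
    return {w: m / total for w, m in mass.items()}

def sample_construction_a(code, sigma, rng, r=40):
    p = weight_probabilities(code, sigma)
    w = rng.choices(list(p), weights=list(p.values()))[0]   # 1) pick a weight
    c = rng.choice([c for c in code if sum(c) == w])         # 2) uniform word of weight w
    x = []
    for bit in c:                                            # 3) sample in 2Z^n + c
        pts = [2 * m + bit for m in range(-r, r + 1)]
        wts = [math.exp(-v * v / (2 * sigma ** 2)) for v in pts]
        x.append(rng.choices(pts, weights=wts)[0])
    return tuple(x)

def brute_force_weight_mass(code, sigma, r=12):
    """Mass of each weight class, enumerating lattice points in [-r, r]^n."""
    words, n = set(code), len(code[0])
    mass = Counter()
    for x in product(range(-r, r + 1), repeat=n):
        parity = tuple(v % 2 for v in x)
        if parity in words:
            mass[sum(parity)] += math.exp(-sum(v * v for v in x) / (2 * sigma ** 2))
    total = sum(mass.values())
    return {w: m / total for w, m in mass.items()}

# Constructed sample code: even-weight words of length 3, so 2Z^3 + C = D_3.
PARITY3 = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)]
```

Only one coin with at most $n + 1$ outcomes is needed, however many codewords the code has, because cosets of equal weight carry equal mass.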
There are vectors of weight . The probability of picking such a coset is
2 : x1 + . . . + xn ≡ 0 mod 2}
2 (4τ)2lΘZ+ 1 2 (4τ)n−2l
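1) Pick a number $l \in \{1, \ldots, \lfloor n/2 \rfloor\}$ with probability $p_{2l}$.
2) Pick a subset $J \subset \{1, \ldots, n\}$ with size $2l$
3) For $j \in J$: $x_j \leftarrow \mathrm{Sampler}_{\mathbb{Z}+\frac{1}{2}}(2\tau)$
4) For $j \notin J$: $x_j \leftarrow \mathrm{Sampler}_{\mathbb{Z}}(2\tau)$
$(\alpha, \beta, \beta, \ldots, \beta)$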
Real Constructions (A and B): $\Lambda_A(C) = 2\mathbb{Z}^n + C$ and $\Lambda_B(C) = 4\mathbb{Z}^n + 2P_n + C$.
$\Lambda_B(C) = 2D_n + C$, where $D_n = \Lambda_A(P_n)$.
Complex Constructions (A and B): $\Lambda_A(C) = \theta\mathbb{Z}[\omega]^n + C$ and $\Lambda_B(C) = \theta^2\mathbb{Z}[\omega]^n + \theta P_n + C$, where $\mathbb{Z}[\omega] = \{a + b\omega : a, b \in \mathbb{Z}\}$, and $\theta$ is a prime of norm $p$.
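Table I. Theta series of a coset $\Lambda_0 + c$, $\mathrm{wt}(c) = w$, for several constructions.
Construction A: $\theta_2(4\tau)^w \theta_3(4\tau)^{n-w}$
Construction B: $\frac{1}{2}\theta_2(4\tau)^w \theta_3(4\tau)^{n-w}$ for $w \geq 1$; $\frac{1}{2}\theta_3(4\tau)^n + \frac{1}{2}\theta_4(4\tau)^n$ for $w = 0$
Construction $A_c$, $\theta = 2$: $\phi_1(4\tau)^w \phi_0(4\tau)^{n-w}$
Construction $A_c$, $\theta = \sqrt{-3}$: $\phi_2(3\tau)^w \phi_0(3\tau)^{n-w}$
Construction $B_c$, $\theta = \sqrt{-3}$: $\frac{1}{3}\phi_2(3\tau)^w \phi_0(3\tau)^{n-w}$ for $w \geq 1$; $\frac{1}{3}\left(\phi_0(3\tau)^n + 2(\phi_0(9\tau) - \phi_2(9\tau))^n\right)$ for $w = 0$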
Claim: For the aforementioned constructions, the theta series of each coset depends only on the Hamming weight of each codeword.
Extremal even unimodular lattice in dimension 24. Theta series:
1 8
16θ2(0, τ)8θ3(0, τ)8θ4(0, τ)8
Consider the construction B lattice $H_{24} = 2D_{24} + G_{24}$, where $G_{24}$ is the $(24, 12, 8)_{\mathbb{F}_2}$ Golay code.
The Leech lattice is $\Lambda_{24} = H_{24} \cup (H_{24} + a)$, where $a = ((-3/2)^{1}, (1/2)^{23})$.
Theta series of « first » half is already known (Construction B).
For the second half: all cosets $2D_{24} + c + a$ have the same theta series, given by
$$\frac{\beta(q^4)^{24} - \alpha(q^4)^{24}}{2}$$
Properties of Golay code for Cons. B sampler
1) Throw a biased coin with probability $D_{\Lambda_{24},\sigma}(H_{24})$ of heads.
2) If the output is heads: sample $x \in H_{24}$ from the Construction B sampler.
3) Else: choose $c \in G_{24}$ uniformly at random; draw $x \in 2D_{24} + a + c$ using $D_n$ sampler.
Output $x$.
Uses 24 calls of a uni-dimensional sampler for any $\sigma$.
[Ling and Belfiore ’15]. Gaussian Shaping.
Choose a « good » lattice for coding.
Choose a point $x \sim D_{\Lambda+c,\sigma^2}$ to be transmitted over a Gaussian channel.
The power and rate of a lattice Gaussian code are
$$P = -\frac{1}{n\pi}\,\frac{\Theta'_{\Lambda+c}(\tau)}{\Theta_{\Lambda+c}(\tau)} \quad \text{and} \quad R = -\frac{\tau}{n}\,\frac{\Theta'_{\Lambda+c}(\tau)}{\Theta_{\Lambda+c}(\tau)} + \frac{1}{n} \ln \Theta_{\Lambda+c}(\tau)$$
Rate is maximized in the center distribution.
Relations to modular forms.
Leech Lattice Sampler: discrete Gaussian versus cubic constellation
[Plot: curves labelled Cubic Constellation and Union Bound.]
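Sampling algebraic Construction A lattices (wireless channels):
E.g.: Ring of integers of $\mathbb{Q}(\sqrt{d})$, $d \geq 5$, $d \equiv 1 \bmod 4$.
Basis for ideal lattice: $\begin{pmatrix} 1 & 1 \\ \frac{1+\sqrt{d}}{2} & \frac{1-\sqrt{d}}{2} \end{pmatrix}$
Has rectangular sub-lattice of index $2$ generated by embedding of $\mathbb{Z}[\sqrt{d}]$ and decomposes (up to rotation) as
$$\Lambda = \left( \sqrt{2}\mathbb{Z} \oplus \sqrt{2d}\mathbb{Z} \right) \cup \left( \sqrt{2}\mathbb{Z} \oplus \sqrt{2d}\mathbb{Z} + \left( \tfrac{\sqrt{2}}{2}, \tfrac{\sqrt{2d}}{2} \right) \right)$$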
How to use symmetries between well-known lattices to derive fast discrete sampling algorithms
New insights between lattice Gaussian codes and theta series
Open: sampling other algebraic lattices
Probabilistic shaping models: from a sampler to an encoder