Which discrete Gaussian sampling algorithm does NFLlib use?

[iF2007]

Thanks.

[carlosaguilarmelchor]

No. Precomputed CDT (Cumulative Distribution Tables). For fixed center sampling over Z^n it is the fastest alternative and it has a reasonable memory usage (typically <100Kbytes and for a constrained device this can be tuned to go around a few Kbytes).

It samples at roughly 1-3 cycles/sample if I remember correctly.

It is not cache-attack resistant though. It is possible to patch it for it, but we have not planned to do it anytime soon ....

[iF2007]

@carlosaguilarmelchor Thanks for your reply. NFLlib is quite efficient. Do you have any further update plans?

[carlosaguilarmelchor]

Not right now. It would be nice to give a constant-time / cache attack resistance compilation flag.

Making the NTT constant time and cache attack resistant should be very easy. On the other hand for the gaussian sampling it will be harder.

Making NFLlib compilable under ARM would be a nice add on too.

But no plans at the moment ...

[iF2007]

Thank you!

[aguinet]

What are the issues with ARM @carlosaguilarmelchor ?

[carlosaguilarmelchor]

I see three issues :

• I know nothing about ARM
• We have not tried
• There will be no SIMD acceleration at all as we have specific SSE/AVX code

Oh and a fourth :

• You are already overwhelmed with a ton of things to do ;)