On Rejection Sampling Algorithms for Centered Discrete Gaussian Distribution over Integers

Lattice-based cryptography has been accepted as a promising candidate for public key cryptography in the age of quantum computing. Discrete Gaussian sampling is one of fundamental operations in many lattice-based cryptosystems. In this paper, we discuss a sub-problem of discrete Gaussian sampling, which is to sample from a centered discrete Gaussian distribution DZ,σ,c over the integers Z with parameter σ > 0 and center c = 0. We propose three alternative rejection sampling algorithms for centered discrete Gaussian distributions with parameter σ in two specific forms. The first algorithm is designed for the case where σ is an positive integer, and it requires neither pre-computation storage nor floating-point arithmetic. While the other two algorithms are fit for parameter σ = k · √ 1/(2 · ln 2) with a positive integer k, and they require fixed look-up tables of very small size (e.g. 128 bits and 320 bits respectively) but are much more efficient than the first algorithm. The experimental results show that our algorithms have better performance than that of two rejection sampling algorithms proposed by Karney in 2016 and by Ducas et al. in 2013 respectively. The expected numbers of random bits used in our algorithms are significantly smaller than that of random bits used in Karney’s rejection sampling algorithm.