Efficient Lattice Gadget Decomposition Algorithm with Bounded Uniform Distribution

A gadget decomposition algorithm is commonly used in many advanced lattice cryptography applications which support homomorphic operations over ciphertexts to control the noise growth. For a special structure of a gadget, the algorithm is digit decomposition. If such algorithm samples from a subgaussian distribution, that is, the output is randomized, it gives more benefits on output quality. One of the important advantages is Pythagorean additivity which makes the resulting noise contained in a ciphertext grow much less than naive digit decomposition. Therefore, the error analysis becomes cleaner and tighter than the use of other measures like Euclidean norm and infinity norm. Even though such advantage can also be achieved by use of discrete Gaussian sampling, it is not attractive for practical performance due to a large factor in resulting noise and the complex computation of the exponential function, whereas a more relaxed probability condition is required for a subgaussian distribution. Nevertheless, subgaussian sampling has barely received an attention so far, thus no practical algorithms was implemented before an efficient algorithm is presented by Genis et al., recently. In this paper, we present a practically efficient gadget decomposition algorithm where output follows a subgaussian distribution. We parallelize the existing practical subgaussian gadget decomposition algorithm, using a bounded uniform distribution. Our algorithm is divided into two independent subalgorithms and only one algorithm depends on the input. Therefore, the other algorithm can be considered as precomputation. As an experimental result, our algorithm performs over 50% better than the existing algorithm.