| Dear Mr. Agner and Hello everyone, Recently, I tried to read a paper titled with "Rounded Gaussians - Fast and Secure Constant-Time Sampling for Lattice-Based Crypto", which was published by PKC 2018 (The 21st edition of the International Conference on Practice and Theory of Public Key Cryptography). The authors of this paper (Andreas Hülsing, Tanja Lange, and Kit Smeets) suggested that one can use the VCL for the implementation of thier rounded Gaussian sampling algorithm, and they also mentioned that the trigonometric, logarithmic and square-root functions in the VCL have constant runtime, according to the documentation on the VCL (available at https://www.agner.org/optimize/vectorclass.pdf). Therefore, the rounded Gaussian sampling they implemented has constant runtime. However, in the documentation on the VCL, I did not find the explicit information about the mathematical functions they mentioned having constant runtime. I can see that VCL helps enable vector instructions and thus speed up the sampling procedure, but why VCL helps with constant time is not clear for me. People around me had little idea about the VCL. One of authors of "Rounded Gaussians - Fast and Secure Constant-Time Sampling for Lattice-Based Crypto" told me that Mr. Agner stated in person that these functions are implemented in constant time. So, I was wondering how VCL helps with constant time for those functions? Specifically, which functions in the VCL have constant runtime, and which functions have not? Why? Are there some criteria for the judgement of constant runtime. |
VCL allows for constant-time implementations。 - sjing - 2019-02-07
VCL allows for constant-time implementations。 - Agner - 2019-02-08