Hi all, I have some security concerns about a parameter in both the rejection sampling algorithms from (for example) BLOOM: Bimodal Lattice One-Out-of-Many Proofs and Applications.
In Lemma 2.8, the value M is linked to the acceptance probability of the rejection sampling. The algorithm takes z=v+y, where the v's norm is bounded by T and y is sampled from a discrete Gaussian distribution with standard deviation s. Moreover, we have that M=e^{14/\gamma+1/(2\gamma^2)} or M=e^{1/(2\gamma^2)} and hence it depends on the parameter \gamma \in \mathbb{R}, shaping the standard deviation s=\gamma T.
Observe that the higher is \gamma, the higher is the accepting rate, and we have more efficient algorithms.
In the paper A Framework for Practical Anonymous Credentials from Lattices, Lemma 2.4 states that \gamma (called \alpha here) must be O(\sqrt\lambda).
What are the practical instantiations of such \gamma? What are the implications on both efficiency and security if we choose a high \gamma?