Cryptology ePrint Archive: Report 2018/1234

FACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers

Raymond K. Zhao and Ron Steinfeld and Amin Sakzad

Abstract: The discrete Gaussian sampler is one of the fundamental tools in implementing lattice-based cryptosystems. However, a naive discrete Gaussian sampling implementation suffers from side-channel vulnerabilities, and the existing countermeasures usually introduce significant overhead in either the running speed or the memory consumption.

In this paper, we propose a fast, compact, and constant-time implementation of the binary sampling algorithm, originally introduced in the BLISS signature scheme. Our implementation adapts the Renyi divergence and the transcendental function polynomial approximation techniques. The efficiency of our scheme is independent of the standard deviation, and we show evidence that our implementations are either faster or more compact than several existing constant-time samplers. In addition, we show the performance of our implementation techniques applied to and integrated with two existing signature schemes: qTesla and Falcon. On the other hand, the convolution theorems are typically adapted to sample from larger standard deviations, by combining samples with much smaller standard deviations. As an additional contribution, we show better parameters for the convolution theorems.

Category / Keywords: implementation / Lattice-based crypto, discrete Gaussian sampling, constant-time, implementation, efficiency

Date: received 24 Dec 2018, last revised 28 Jan 2019

Contact author: raymond zhao at monash edu

Available format(s): PDF | BibTeX Citation

Note: Change the FACCT relative error analysis by considering the floating-point arithmetic error.

Version: 20190129:065621 (All versions of this report)

Short URL: ia.cr/2018/1234


[ Cryptology ePrint archive ]