Abstract
Several lattice-based cryptosystems require to sample from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.
| Original language | English |
|---|---|
| Title of host publication | Selected Areas in Cryptography - SAC 2013 (20th International Conference, Burnaby BC, Canada, August 14-16, 2013. Revised Selected Papers) |
| Editors | T. Lange, K. Lauter, P. Lisonek |
| Place of Publication | Berlin |
| Publisher | Springer |
| Pages | 402-417 |
| ISBN (Print) | 978-3-662-43413-0 |
| DOIs | |
| Publication status | Published - 2014 |
| Event | 20th International Conference on Selected Areas in Cryptography (SAC 2013) - Burnaby, Canada Duration: 14 Aug 2013 → 16 Aug 2013 Conference number: 20 |
Publication series
| Name | Lecture Notes in Computer Science |
|---|---|
| Volume | 8282 |
| ISSN (Print) | 0302-9743 |
Conference
| Conference | 20th International Conference on Selected Areas in Cryptography (SAC 2013) |
|---|---|
| Abbreviated title | SAC 2013 |
| Country/Territory | Canada |
| City | Burnaby |
| Period | 14/08/13 → 16/08/13 |