# Rounded Gaussians - Fast and Secure Constant-Time Sampling for Lattice-Based Crypto

@article{Hlsing2017RoundedG, title={Rounded Gaussians - Fast and Secure Constant-Time Sampling for Lattice-Based Crypto}, author={Andreas H{\"u}lsing and Tanja Lange and Kit Smeets}, journal={IACR Cryptol. ePrint Arch.}, year={2017}, volume={2017}, pages={1025} }

This paper suggests using rounded Gaussians in place of discrete Gaussians in rejection-sampling-based lattice signature schemes such as BLISS or Lyubashevsky's signature scheme. We show that this distribution can be sampled from efficiently while additionally making it easy to sample in constant time, systematically avoiding recent timing-based side-channel attacks on lattice-based signatures. We show the effectiveness of the new sampler by applying it to BLISS, prove analogues of the security…

## 17 Citations

GALACTICS: Gaussian Sampling for Lattice-Based Constant-Time Implementation of Cryptographic Signatures, Revisited

- Computer Science; IACR Cryptol. ePrint Arch.
- 2019

This paper presents careful implementation techniques that allow for an implementation of BLISS with complete timing attack protection, achieving the same level of efficiency as the original unprotected code, without resorting to floating point arithmetic or platform-specific optimizations like AVX intrinsics.

Isochronous Gaussian Sampling: From Inception to Implementation With Applications to the Falcon Signature Scheme

- Computer Science, Mathematics
- 2019

This work presents a modular framework for generating discrete Gaussians with arbitrary center and standard deviation and provides a statistical testing suite for discrete Gaussian called SAGA (Statistically Acceptable GAussian), which takes a step towards trustable and robust Gaussian sampling real-world implementations.

Generic, efficient and isochronous Gaussian sampling over the integers

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2021

A secure, efficient exponential Bernoulli sampling algorithm is presented that can securely sample from Gaussian distributions with different standard deviations and arbitrary centers, and an isochronous Gaussian sampler based on rejection sampling is developed.

Isochronous Gaussian Sampling: From Inception to Implementation

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2019

This work presents a modular framework for generating discrete Gaussians with arbitrary center and standard deviation and provides a statistical testing suite for discrete Gaussian called SAGA (Statistically Acceptable GAussian), which takes a step towards trustable and robust Gaussian sampling real-world implementations.

Error Samplers for Lattice-Based Cryptography - Challenges, Vulnerabilities and Solutions

- Computer Science, Mathematics; 2018 IEEE Asia Pacific Conference on Circuits and Systems (APCCAS)
- 2018

The practicality of LBC is explored by surveying one of its critical components, the error samplers, and highlighting the challenges associated with their efficient, secure implementation, to aid the practicality, security and future widespread deployment of LBC.

Uprooting the Falcon Tree? How to Recover Secret Keys from Gram-Schmidt Norms

- Computer Science, Mathematics
- 2019

In this paper, we initiate the study of side-channel leakage in hash-and-sign lattice-based signatures, with particular emphasis on the two efficient implementations of the original GPV…

A Simpler Construction of Identity-Based Ring Signatures from Lattices

- Computer Science, Mathematics; ProvSec
- 2018

This paper presents a new identity-based ring signature scheme from lattices that has the advantages of higher computational efficiency and lower storage overhead and proves the security of the construction in the random oracle model under the short integer solution assumption.

Polar Sampler: Discrete Gaussian Sampling over the Integers Using Polar Codes

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2019

This work proposes a new integer Gaussian sampler based on polar codes, dubbed “polar sampler”, which is asymptotically information theoretically optimum in the sense that the number of uniformly random bits it uses approaches the entropy bound.

Simple, Fast and Constant-Time Gaussian Sampling over the Integers for Falcon

- Computer Science, Mathematics
- 2019

The efficiency loss in the resulting implementation is reasonably low compared to the non-constant-time reference implementation, and even with this penalty, Falcon remains one of the fastest signature scheme candidates.

Key Recovery from Gram-Schmidt Norm Leakage in Hash-and-Sign Signatures over NTRU Lattices

- Computer Science, Mathematics; EUROCRYPT
- 2020

In this paper, we initiate the study of side-channel leakage in hash-and-sign lattice-based signatures, with particular emphasis on the two efficient implementations of the original GPV…

## References


Gaussian Sampling Precision and Information Leakage in Lattice Cryptography

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2015

It is argued that such precision is excessive, and precise theoretical arguments are given why half of the precision of the security parameter is almost always sufficient, which leads to faster and more compact implementations, almost halving implementation size in both hardware and software.

Lattice Signatures and Bimodal Gaussians

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2013

A construction of a lattice-based digital signature scheme that represents an improvement over today’s most efficient lattice schemes and has shorter signature and public key sizes than all previously proposed lattice signature schemes.

Gaussian Sampling over the Integers: Efficient, Generic, Constant-Time

- Computer Science, Mathematics; CRYPTO
- 2017

This work presents new algorithms for discrete Gaussian sampling that are both generic (application independent), efficient, and more easily implemented in constant time without incurring a substantial slow-down, making them more resilient to side-channel attacks.

Sampling from discrete Gaussians for lattice-based cryptography on a constrained device

- Computer Science, Mathematics; Applicable Algebra in Engineering, Communication and Computing
- 2014

The paper surveys algorithms to implement such sampling efficiently, with particular focus on the case of constrained devices with small on-board storage and without access to large numbers of external random bits.

Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2013

It is proved that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography, and it is shown that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.

Lattice Signatures Without Trapdoors

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2011

This work provides an alternative method for constructing lattice-based digital signatures which does not use the "hash-and-sign" methodology, and shows that by slightly changing the parameters, one can get even more efficient signatures that are based on the hardness of the Learning With Errors problem.

Enhanced Lattice-Based Signatures on Reconfigurable Hardware

- Computer Science, Mathematics; CHES
- 2014

Techniques for an efficient Cumulative Distribution Table (CDT) based Gaussian sampler on reconfigurable hardware, involving Peikert's convolution lemma and the Kullback-Leibler divergence, are presented, together with a first BLISS architecture for Xilinx Spartan-6 FPGAs that integrates fast FFT/NTT-based polynomial multiplication, sparse multiplication, and a Keccak hash function.

Efficient implementation of ideal lattice-based cryptography

- Computer Science, Mathematics; it Inf. Technol.
- 2016

Lattice-based cryptography is proposed which allows the construction of asymmetric public-key encryption and signature schemes that offer a good balance between security, performance, and key as well as ciphertext sizes.

To BLISS-B or not to be: Attacking strongSwan's Implementation of Post-Quantum Signatures

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2017

A new side-channel key-recovery algorithm is presented against both the original BLISS and the BLISS-B variant, and it is shown that cache attacks on post-quantum cryptography are not only possible, but also practical.

Flush, Gauss, and Reload - A Cache Attack on the BLISS Lattice-Based Signature Scheme

- Computer Science, Mathematics; IACR Cryptol. ePrint Arch.
- 2016

This work presents the first side-channel attack on a lattice-based signature scheme, using the Flush+Reload cache attack, targeted at the discrete Gaussian sampler in the Bimodal Lattice Signature Scheme (BLISS).