On Practical Discrete Gaussian Samplers for Lattice-Based Cryptography

James Howe, Ayesha Khalid, Ciara Rafferty, Francesco Regazonni, Maire O'Neill

Research output: Contribution to journalArticlepeer-review

23 Citations (Scopus)
1344 Downloads (Pure)


Lattice-based cryptography is one of the most promising branches of quantum resilient cryptography, offering versatility and efficiency. Discrete Gaussian samplers are a core building block in most, if not all, lattice-based cryptosystems, and optimised samplers are desirable both for high-speed and low-area applications. Due to the inherent structure of existing discrete Gaussian sampling methods, lattice-based cryptosystems are vulnerable to side-channel attacks, such as timing analysis. In this paper, the first comprehensive evaluation of discrete Gaussian samplers in hardware is presented, targeting FPGA devices. Novel optimised discrete Gaussian sampler hardware architectures are proposed for the main sampling techniques. An independent-time design of each of the samplers is presented, offering security against side-channel timing attacks, including the first proposed constant-time Bernoulli, Knuth-Yao, and discrete Ziggurat sampler hardware designs. For a balanced performance, the Cumulative Distribution Table (CDT) sampler is recommended, with the proposed hardware CDT design achieving a throughput of 59.4 million samples per second for encryption, utilising just 43 slices on a Virtex 6 FPGA and 16.3 million samples per second for signatures with 179 slices on a Spartan 6 device.
Original languageEnglish
Number of pages14
JournalIEEE Transactions on Computers
Early online date21 Dec 2016
Publication statusEarly online date - 21 Dec 2016


Dive into the research topics of 'On Practical Discrete Gaussian Samplers for Lattice-Based Cryptography'. Together they form a unique fingerprint.

Cite this