Discrete Ziggurat: A Time-Memory Trade-Off for Sampling from a Gaussian Distribution over the Integers

  • Johannes Buchmann
  • Daniel Cabarcas
  • Florian Göpfert
  • Andreas Hülsing
  • Patrick Weiden
Conference paper

DOI: 10.1007/978-3-662-43414-7_20

Volume 8282 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Buchmann J., Cabarcas D., Göpfert F., Hülsing A., Weiden P. (2014) Discrete Ziggurat: A Time-Memory Trade-Off for Sampling from a Gaussian Distribution over the Integers. In: Lange T., Lauter K., Lisoněk P. (eds) Selected Areas in Cryptography -- SAC 2013. SAC 2013. Lecture Notes in Computer Science, vol 8282. Springer, Berlin, Heidelberg

Abstract

Several lattice-based cryptosystems require to sample from a discrete Gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper we explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store precomputed values. We prove that the generated distribution is close enough to a discrete Gaussian to be used in lattice-based cryptography. Moreover, we report on an implementation of the method and compare its performance to existing methods from the literature. We show that for large standard deviations, the Ziggurat algorithm outperforms all existing methods.

Keywords

Lattice-based cryptography Gaussian sampling  Practicality Implementation 

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Johannes Buchmann
    • 1
  • Daniel Cabarcas
    • 1
  • Florian Göpfert
    • 1
  • Andreas Hülsing
    • 1
  • Patrick Weiden
    • 1
  1. 1.Technische Universität DarmstadtDarmstadtGermany