Addressing Side-Channel Vulnerabilities in the Discrete Ziggurat Sampler

  • Séamus BranniganEmail author
  • Máire O’Neill
  • Ayesha Khalid
  • Ciara Rafferty
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11348)


Post-quantum cryptography with lattices typically requires high precision sampling of vectors with discrete Gaussian distributions. Lattice signatures require large values of the standard deviation parameter, which poses difficult problems in finding a suitable trade-off between throughput performance and memory resources on constrained devices. In this paper, we propose modifications to the Ziggurat method, known to be advantageous with respect to these issues, but problematic due to its inherent rejection-based timing profile. We improve upon information leakage through timing channels significantly and require: only 64-bit unsigned integers, no floating-point arithmetic, no division and no external libraries. Also proposed is a constant-time Gaussian function, possessing all aforementioned advantageous properties. The measures taken to secure the sampler completely close side-channel vulnerabilities through direct timing of operations and these have no negative implications on its applicability to lattice-based signatures. We demonstrate the improved method with a 128-bit reference implementation, showing that we retain the sampler’s efficiency and decrease memory consumption by a factor of 100. We show that this amounts to memory savings by a factor of almost 5,000, in comparison to an optimised, state-of-the-art implementation of another popular sampling method, based on cumulative distribution tables.


  1. 1.
    Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016). Scholar
  2. 2.
    Micciancio, D., Regev, O.: Worst-case to average-case reductions based on Gaussian measures. In: 45th Annual IEEE Symposium on Foundations of Computer Science, October 2004, pp. 372–381 (2004)Google Scholar
  3. 3.
    Groot Bruinderink, L., Hülsing, A., Lange, T., Yarom, Y.: Flush, gauss, and reload – a cache attack on the BLISS lattice-based signature scheme. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 323–345. Springer, Heidelberg (2016). Scholar
  4. 4.
    Ducas, L., Durmus, A., Lepoint, T., Lyubashevsky, V.: Lattice signatures and bimodal Gaussians. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 40–56. Springer, Heidelberg (2013). Scholar
  5. 5.
    Genise, N., Micciancio, D.: Faster Gaussian sampling for trapdoor lattices with arbitrary modulus. Cryptology ePrint Archive, Report 2017/308 (2017).
  6. 6.
    Chen, L., et al.: Report on post-quantum cryptography. US Department of Commerce, National Institute of Standards and Technology (2016)Google Scholar
  7. 7.
    Hoffstein, J., Pipher, J., Whyte, W., Zhang, Z.: pqNTRUSign: update and recent results (2017).
  8. 8.
    Zhang, Z., Chen, C., Hoffstein, J., Whyte, W.: NTRUEncrypt. Technical report, National Institute of Standards and Technology (2017).
  9. 9.
    Le Trieu Phong, T.H., Aono, Y., Moriai, S.: Lotus. Technical report, National Institute of Standards and Technology (2017).
  10. 10.
    Peikert, C.: An efficient and parallel Gaussian sampler for lattices. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 80–97. Springer, Heidelberg (2010). Scholar
  11. 11.
    Sinha Roy, S., Vercauteren, F., Verbauwhede, I.: High precision discrete gaussian sampling on FPGAs. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 383–401. Springer, Heidelberg (2014). Scholar
  12. 12.
    Micciancio, D., Walter, M.: Gaussian sampling over the integers: efficient, generic, constant-time. Technical report 259 (2017).
  13. 13.
    Buchmann, J., Cabarcas, D., Göpfert, F., Hülsing, A., Weiden, P.: Discrete Ziggurat: a time-memory trade-off for sampling from a Gaussian distribution over the integers. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 402–417. Springer, Heidelberg (2014). Scholar
  14. 14.
    Shoup, V.: Number theory C++ library (NTL) version 10.3.0 (2003).
  15. 15.
    GNU: glibc-2.7 (2018).
  16. 16.
    Marsaglia, G., Tsang, W.W.: The ziggurat method for generating random variables. J. Stat. Softw. 5(1), 1–7 (2000).
  17. 17.
    libsafecrypto: WP6 of the SAFEcrypto project - a suite of lattice-based cryptographic schemes, July 2018, original-date: 2017-10-16T14:56:31Z.
  18. 18.
    Pöppelmann, T., Ducas, L., Güneysu, T.: Enhanced lattice-based signatures on reconfigurable hardware. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 353–370. Springer, Heidelberg (2014). Scholar
  19. 19.
    Roy, S.S., Reparaz, O., Vercauteren, F., Verbauwhede, I.: Compact and side channel secure discrete Gaussian sampling. IACR Cryptology ePrint Archive 2014, 591 (2014)Google Scholar
  20. 20.
    Pessl, P.: Analyzing the shuffling side-channel countermeasure for lattice-based signatures. In: Dunkelman, O., Sanadhya, S.K. (eds.) INDOCRYPT 2016. LNCS, vol. 10095, pp. 153–170. Springer, Cham (2016). Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Séamus Brannigan
    • 1
    Email author
  • Máire O’Neill
    • 1
  • Ayesha Khalid
    • 1
  • Ciara Rafferty
    • 1
  1. 1.Centre for Secure Information Technologies (CSIT)Queen’s University BelfastBelfastUK

Personalised recommendations