Maskaglia: A New, Efficient Approach to Masked Discrete Gaussian Sampling (Delivered in English)
- Lecturer: Dr. Clément Hoffmann (NTT, Japan)
- Host: Bo-Yin Yang
- Time: 2026-05-08 (Fri.) 10:00 ~ 12:00
- Location: Auditorium 101 at IIS new Building
Abstract
Discrete Gaussian sampling is a core component of many lattice-based cryptosystems, yet protecting it against side-channel attacks like Correlation Power Analysis (CPA) remains a significant performance bottleneck. Current state-of-the-art countermeasures rely on masking comparison-based samplers (CDT), which are computationally expensive due to the complexity of masked comparison circuits.
In this work, we propose a radically different approach:
- New Sampling Method: We introduce a rejection-based sampler derived from a discretization of Marsaglia’s algorithm (1963).
- Masking-Friendly Design: By expressing the sampler in terms of uniform and geometric distributions, we create a structure that is naturally suited for masking and bitslicing, avoiding costly comparisons.
- Performance Impact: When applied to the NIST signature candidate HAWK, our gadget requires 20 times fewer masked AND gates than the current state-of-the-art (Eid et al., eprint 2025). Our approach outperforms the current state-of-the-art by around a factor of 20, and remains 4 to 5 times more efficient even after applying significant optimizations to existing techniques.