Maskaglia: A New, Efficient Approach to Masked Discrete Gaussian Sampling (Delivered in English)
- Speaker: Dr. Clément Hoffmann (NTT, Japan)
- Host: 楊柏因
- Time: 2026-05-08 (Fri.) 10:00 ~ 12:00
- Venue: Conference Room 101, New Building
Abstract
Discrete Gaussian sampling is a core component of many lattice-based cryptosystems, yet protecting it against side-channel attacks like Correlation Power Analysis (CPA) remains a significant performance bottleneck. Current state-of-the-art countermeasures rely on masking comparison-based samplers (CDT), which are computationally expensive due to the complexity of masked comparison circuits.
In this work, we propose a radically different approach:
- New Sampling Method: We introduce a rejection-based sampler derived from a discretization of Marsaglia’s algorithm (1963).
- Masking-Friendly Design: By expressing the sampler in terms of uniform and geometric distributions, we create a structure that is naturally suited for masking and bitslicing, avoiding costly comparisons.
- Performance Impact: When applied to the NIST signature candidate HAWK, our gadget requires 20 times fewer masked AND gates than the current state-of-the-art (Eid et al., eprint 2025). Our approach outperforms the current state-of-the-art by around a factor of 20, and remains 4 to 5 times more efficient even after applying significant optimizations to existing techniques.