This PR implements a discrete Gaussian sampler based on the paper FACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers (link). The Gaussian sampler is similar to the one already implemented, but in addition consists of two parts whose performance is constant-time, meaning that the result is independent of the time needed to calculate it.
Note that this does not make the implementation fully constant-time, since it still uses the GMP library with mpz_t and mpf_t structs. Nevertheless, this PR makes a step towards it. To our knowledge, there is no practical attack on timing GMP operations.
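As an added illustration of what "constant-time" means for a discrete Gaussian sampler (this is not code from this PR and not the FACCT construction, just a small cumulative-distribution-table sampler written for this note), the Python below draws from a discrete Gaussian over the integers with a loop count and memory access pattern that do not depend on the secret output. The assumed parameters are σ = 2, a 6σ tail cut and 64-bit fixed-point table entries; the names `build_cdt`, `ct_ge`, `sample` and `empirical_moments` are hypothetical. Python's arbitrary-precision integers mean the machine-level timing is still not constant, which is the same kind of caveat the description makes about GMP; the point is the fixed trip count and the branch-free comparison that a C port would keep.

```python
import math
import random

# Assumed parameters for the illustration (not the PR's values).
SIGMA = 2.0        # standard deviation of the target discrete Gaussian
TAU = 6            # tail cut: the table covers |x| <= TAU*SIGMA only
PREC = 64          # bits of fixed-point precision per table entry
K_MAX = math.ceil(TAU * SIGMA)


def build_cdt(sigma=SIGMA, k_max=K_MAX, prec=PREC):
    """Return T with T[i] = floor(P(X <= i - k_max) * 2^prec) for the
    discrete Gaussian restricted to [-k_max, k_max].

    Built in double precision here, so entries are only accurate to about
    2^-53 relative; a production table needs extended precision, which is
    the kind of job the PR delegates to GMP's mpf_t."""
    support = range(-k_max, k_max + 1)
    rho = [math.exp(-(x * x) / (2.0 * sigma * sigma)) for x in support]
    total = sum(rho)
    table, acc = [], 0.0
    for r in rho:
        acc += r
        table.append(int(acc / total * (1 << prec)))
    table[-1] = 1 << prec    # u < 2^prec always, so the last bucket is closed
    return table


def ct_ge(u, t, prec=PREC):
    """Branch-free (u >= t) for 0 <= u, t <= 2^prec: returns 1 or 0.

    u - t is negative exactly when u < t; an arithmetic right shift by prec
    then leaves bit 0 set. No data-dependent branch, so no early exit."""
    return 1 - (((u - t) >> prec) & 1)


def sample(table, u, k_max=K_MAX, prec=PREC):
    """Map a uniform u in [0, 2^prec) to a sample in [-k_max, k_max].

    Every call performs the same 2*k_max+1 comparisons: neither the loop
    count nor the addresses touched depend on u or on the returned value.
    count is the number of table entries u has passed, so u landing in
    [T[i-1], T[i]) yields i - k_max with probability (T[i]-T[i-1])/2^prec."""
    count = 0
    for t in table:
        count += ct_ge(u, t, prec)
    return count - k_max


def empirical_moments(n, seed=1):
    """Draw n samples with a seeded RNG and return (mean, variance).

    With the parameters above the variance should sit close to SIGMA**2."""
    rng = random.Random(seed)
    table = build_cdt()
    xs = [sample(table, rng.getrandbits(PREC)) for _ in range(n)]
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs) / n
    return mean, var


if __name__ == "__main__":
    m, v = empirical_moments(20000)
    print(f"mean={m:.3f} var={v:.3f} (target var={SIGMA ** 2})")
```

The two things to check when reviewing a sampler of this shape are that the loop has no early `break` once the bucket is found and that the comparison is arithmetic rather than a branch; a compiler can still reintroduce a branch from `1 if u >= t else 0`, which is why native implementations verify the generated code rather than the source.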