Technische Universitat Clausthal
Several lattice-based cryptosystems require to sample from a discrete gaussian distribution over the integers. Existing methods to sample from such a distribution either need large amounts of memory or they are very slow. In this paper the authors explore a different method that allows for a flexible time-memory trade-off, offering developers freedom in choosing how much space they can spare to store pre-computed values. They prove that the generated distribution is close enough to a discrete gaussian to be used in lattice-based cryptography.