
In CRYSTALS-Dilithium module lattice-based digital signatures, the secret key vectors $s_1, s_2$ with coefficients in $[-\eta, \eta]$ and the signature masking vector $y$ with coefficients in $(-\gamma_1, \gamma_1)$ are generated using rejection sampling on a stream of uniformly random bytes obtained from a cryptographically-secure pseudo-random number generator.

  • Since rejection sampling is inherently non-constant-time, why is this not a problem from a timing side-channel leakage point of view?

  • Protocols using discrete Gaussian distributions need to ensure constant-time sampling to prevent side-channel attacks. Why do similar attacks not work when using rejection sampling?

forest
Naruto999

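As an added illustration (not part of the question, and not the Dilithium reference implementation), here is a Python model of the η = 2 secret-key coefficient sampler: uniform 4-bit candidates are accepted unless they equal 15, and each accepted candidate is mapped to one of the five values in [-2, 2]. The SHA-256 counter chain that produces the candidates is an assumption standing in for SHAKE-256. The sampler also records how many candidates were rejected before each coefficient, which is the quantity a timing observer sees, so the reader can check that the rejection count is independent of the value that was finally accepted.

```python
# Added example: model of the Dilithium eta = 2 rejection sampler (not reference code).
import hashlib
from collections import Counter

ETA = 2

def nibble_to_coeff(t):
    """Map a uniform 4-bit candidate to a coefficient in [-2, 2], or None to reject.
    Only t = 15 is rejected; the 15 accepted values cover each coefficient 3 times."""
    if t >= 15:
        return None
    t = t - ((205 * t) >> 10) * 5        # t mod 5 without a division
    return ETA - t

def nibbles_from_seed(seed):
    """Uniform 4-bit candidates from a hash counter chain (stands in for SHAKE-256)."""
    ctr = 0
    while True:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
        for b in block:
            yield b & 0x0F
            yield b >> 4

def sample_eta(candidates, n):
    """Draw n coefficients and record how many candidates were rejected before each
    one; that count is the only thing a timing side channel can observe."""
    stream = iter(candidates)
    coeffs, rejections = [], []
    for _ in range(n):
        rej = 0
        while True:
            c = nibble_to_coeff(next(stream))
            if c is not None:
                break
            rej += 1
        coeffs.append(c)
        rejections.append(rej)
    return coeffs, rejections

def leakage_view(seed, n):
    """Group sampled values by the observed rejection count. The count depends only on
    how many 15s preceded the accepted candidate, never on the accepted candidate, so
    every group shows the same uniform value distribution; mean rejections ~ 1/15."""
    coeffs, rejections = sample_eta(nibbles_from_seed(seed), n)
    groups = {}
    for c, r in zip(coeffs, rejections):
        groups.setdefault(r, Counter())[c] += 1
    return groups, sum(rejections) / n
```

Feeding `sample_eta` a hand-built candidate list such as `[15, 15, 3, 0, 15, 9]` makes the accept/reject bookkeeping visible step by step; `leakage_view(b"constructed seed", 2000)` shows the same five values appearing in each rejection-count bucket.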