Skip to content

Commit

Permalink
Improve description of Dilithium
Browse files Browse the repository at this point in the history
  • Loading branch information
kriskwiatkowski committed Jan 26, 2024
1 parent 41b1c39 commit 7650dd3
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion draft-ietf-pquip-pqc-engineers.md
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,10 @@ informative:
title: "Recommendation for Key-Derivation Methods in Key-Establishment Schemes"
target: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf
date: false
Lyu09:
title: "V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures“, ASIACRYPT 2009"
target: https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf
date: false

--- abstract

Expand Down Expand Up @@ -460,7 +464,23 @@ Understanding EUF-CMA security is essential for individual involved in designing

## Details of FALCON, Dilithium, and SPHINCS+ {#sig-scheme}

Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat Shamir with Aborts" method that leverages rejection sampling to render lattice based FS schemes compact and secure. Additionally, Dilithium offers both deterministic and randomized signing. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}.
Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat-Shamir with Aborts" {{Lyu09}} framework introduced by Lyubashevsky, that leverages rejection sampling to render lattice based FS schemes compact and secure. The public key of Dilithium is essentially a Module‐LWE sample of the
form (A, t:=A·s1 + s2), where A is a matrix and s1 and s2 are (secret) error vectors over Rq = GF(q)[X]/(X^256+1),
where q=8380417. Dilithium uses uniform distribution over small integers for computing coefficients in error
vectors, which makes the scheme easier to implement.

At the core of this approach is a three‐message lattice‐based identification scheme that enables a prover to
convince a verifier that they hold the secret key (s1, s2) without revealing it. This begins with the prover
computing a vector w consisting of the high‐order bits of Ay (for random y) and sending it to the verifier. The
verifier responds with a random challenge polynomial c. The prover then responds with the vector z=y + cs1. The
verifier accepts only if Az ≈ w + ct.

The Dilithium signature scheme is created from the identification scheme described above by applying the
Fiat‐Shamir transform. This amounts to having the prover generate a challenge c by hashing the commitment w
together with the message μ.

Additionally, Dilithium offers both deterministic and randomized signing and is instantiated with 3 parameter sets
providing different security levels. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}.

Falcon [Falcon] is based on the GPV hash-and-sign lattice-based signature framework introduced by Gentry, Peikert and Vaikuntanathan, which is a framework that requires a class of lattices and a trapdoor sampler technique.

Expand Down

0 comments on commit 7650dd3

Please sign in to comment.