From 7650dd3511bb06a2321d4d335ed96733ed9f7a1b Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Fri, 26 Jan 2024 22:16:06 +0000 Subject: [PATCH] Improve description of Dilithium --- draft-ietf-pquip-pqc-engineers.md | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/draft-ietf-pquip-pqc-engineers.md b/draft-ietf-pquip-pqc-engineers.md index 21d675e..3e318e1 100644 --- a/draft-ietf-pquip-pqc-engineers.md +++ b/draft-ietf-pquip-pqc-engineers.md @@ -177,6 +177,10 @@ informative: title: "Recommendation for Key-Derivation Methods in Key-Establishment Schemes" target: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf date: false + Lyu09: + title: "V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures“, ASIACRYPT 2009" + target: https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf + date: false --- abstract 
@@ -460,7 +464,23 @@ Understanding EUF-CMA security is essential for individual involved in designing ## Details of FALCON, Dilithium, and SPHINCS+ {#sig-scheme} -Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat Shamir with Aborts" method that leverages rejection sampling to render lattice based FS schemes compact and secure. Additionally, Dilithium offers both deterministic and randomized signing. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}. +Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat-Shamir with Aborts" {{Lyu09}} framework introduced by Lyubashevsky, that leverages rejection sampling to render lattice based FS schemes compact and secure. The public key of Dilithium is essentially a Module‐LWE sample of the + form (A, t:=A·s1 + s2), where A is a matrix and s1 and s2 are (secret) error vectors over Rq = GF(q)[X]/(X^256+1), + where q=8380417. Dilithium uses uniform distribution over small integers for computing coefficients in error + vectors, which makes the scheme easier to implement. + +At the core of this approach is a three‐message lattice‐based identification scheme that enables a prover to + convince a verifier that they hold the secret key (s1, s2) without revealing it. This begins with the prover + computing a vector w consisting of the high‐order bits of Ay (for random y) and sending it to the verifier. The + verifier responds with a random challenge polynomial c. The prover then responds with the vector z=y + cs1. The + verifier accepts only if Az ≈ w + ct. 
+ +The Dilithium signature scheme is created from the identification scheme described above by applying the + Fiat‐Shamir transform. This amounts to having the prover generate a challenge c by hashing the commitment w + together with the message μ. + +Additionally, Dilithium offers both deterministic and randomized signing and is instantiated with 3 parameter sets + providing different security levels. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}. Falcon [Falcon] is based on the GPV hash-and-sign lattice-based signature framework introduced by Gentry, Peikert and Vaikuntanathan, which is a framework that requires a class of lattices and a trapdoor sampler technique.
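Review bot: in the first hunk, the Lyu09 entry's title string folds the author and venue into the title ("V. Lyubashevsky, “Fiat-Shamir With Aborts: ...“, ASIACRYPT 2009") and wraps the paper title in two left curly quotes (U+201C) with no closing quote. Keep title to the paper title only, "Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures", and move the author and ASIACRYPT 2009 into the entry's author and seriesinfo fields, which the kramdown-rfc bibliography format supports; that also keeps the rendered reference consistent with the other informative entries.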
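Review bot: the second hunk mixes the ASCII hyphen in "Fiat-Shamir" (first sentence) with the Unicode hyphen U+2010 in "Fiat‐Shamir", "Module‐LWE", "three‐message", "lattice‐based" and "high‐order" in the added paragraphs; normalize to the ASCII "-" so the markdown-to-RFC toolchain, grep and reviewers see one spelling. The continuation lines of each added paragraph also start with a leading space, unlike the surrounding prose. Two wording points: "hardness lattice problems", carried over from the removed line, should read "hardness of lattice problems"; and the acceptance condition "Az ≈ w + ct" would be clearer if the text says the comparison is on high-order bits, matching the earlier definition of w as the high-order bits of Ay, since as written a reader may take w for the full vector.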