From da8160db328ee31de65ce0830f5c2bd9fa3bfd31 Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Fri, 26 Jan 2024 22:16:06 +0000 Subject: [PATCH] Improve description of Dilithium --- draft-ietf-pquip-pqc-engineers.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/draft-ietf-pquip-pqc-engineers.md b/draft-ietf-pquip-pqc-engineers.md index 21d675e..af0d778 100644 --- a/draft-ietf-pquip-pqc-engineers.md +++ b/draft-ietf-pquip-pqc-engineers.md @@ -177,6 +177,10 @@ informative: title: "Recommendation for Key-Derivation Methods in Key-Establishment Schemes" target: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf date: false + Lyu09: + title: "V. Lyubashevsky, “Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures“, ASIACRYPT 2009" + target: https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf + date: false --- abstract 
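Review bot: the new Lyu09 entry packs the author name and venue into the `title:` string, and its inner quotation marks are mismatched (both are U+201C “, so the reference renders with two left quotes and no closing one); the neighbouring entry in the same informative block (the NIST SP 800-56Cr2 one just above) keeps `title:` for the title alone. Consider `title: "Fiat-Shamir With Aborts: Applications to Lattice and Factoring-Based Signatures"` with the author and venue moved into kramdown-rfc's `author:`/`name:` and `seriesinfo:` fields, or at minimum replace the second “ with ” so the rendered reference is not visibly broken. The `target:` URL and `date: false` follow the surrounding entries and are fine as they are.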
@@ -460,7 +464,13 @@ Understanding EUF-CMA security is essential for individual involved in designing ## Details of FALCON, Dilithium, and SPHINCS+ {#sig-scheme} -Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat Shamir with Aborts" method that leverages rejection sampling to render lattice based FS schemes compact and secure. Additionally, Dilithium offers both deterministic and randomized signing. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}. +Dilithium [Dilithium] is a digital signature algorithm (part of the CRYSTALS suite) based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE)). The design of the algorithm is based on the "Fiat-Shamir with Aborts" {{Lyu09}} framework introduced by Lyubashevsky, that leverages rejection sampling to render lattice based FS schemes compact and secure. The public key of Dilithium is essentially a Module‐LWE sample of the form (A, t:=A·s1 + s2), where A is a matrix and s1 and s2 are (secret) error vectors over Rq = GF(q)[X]/(X^256+1), where q=8380417. Dilithium uses uniform distribution over small integers for computing coefficients in error vectors, which makes the scheme easier to implement. + +At the core of this approach is a three‐message lattice‐based identification scheme that enables a prover to convince a verifier that they hold the secret key (s1, s2) without revealing it. This begins with the prover computing a vector w consisting of the high‐order bits of Ay (for random y) and sending it to the verifier. The verifier responds with a random challenge polynomial c. The prover then responds with the vector z=y + cs1. The verifier accepts only if Az ≈ w + ct. 
+ +The Dilithium signature scheme is created from the identification scheme described above by applying the Fiat‐Shamir transform. This amounts to having the prover generate a challenge c by hashing the commitment w together with the message μ. + +Additionally, Dilithium offers both deterministic and randomized signing and is instantiated with 3 parameter sets providing different security levels. Security properties of Dilithium are discussed in Section 9 of {{?I-D.ietf-lamps-dilithium-certificates}}. Falcon [Falcon] is based on the GPV hash-and-sign lattice-based signature framework introduced by Gentry, Peikert and Vaikuntanathan, which is a framework that requires a class of lattices and a trapdoor sampler technique.
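Review bot: the identification-scheme paragraph in this hunk never says where the "Aborts" happen, so the text first attributes the scheme to "Fiat-Shamir with Aborts" and rejection sampling and then describes a plain three-move protocol with no rejection step. After "The prover then responds with the vector z=y + cs1." add a sentence saying that the prover only releases z if it is short (all coefficients below a fixed bound) and otherwise discards y and restarts; that rejection step is what stops z from leaking s1 and is the whole point of the Lyu09 citation added in the first hunk. The verification condition should match: the verifier checks that z is short and that Az ≈ w + ct, not the approximate equation alone, since the shortness bound is what the security argument depends on. Three smaller points in the same hunk: "based on the hardness lattice problems over module lattices (i.e., the Module Learning with Errors problem (MLWE))" is missing "of" and the "i.e." is too narrow, because Dilithium's unforgeability also rests on Module-SIS, so either write "e.g." or name both MLWE and MSIS; "framework introduced by Lyubashevsky, that leverages" should be "framework introduced by Lyubashevsky, which leverages"; and the added text mixes the ASCII hyphen ("Fiat-Shamir", "lattice based") with the Unicode hyphen U+2010 in "Module‐LWE", "three‐message", "lattice‐based", "high‐order" and "Fiat‐Shamir transform", which is worth normalising to plain ASCII before the draft goes through xml2rfc.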