Table of contents

  • This session has been presented November 14, 2025 (13:45 - 14:45).

Description

  • Speaker

    Paco AZEVEDO OLIVEIRA - Thales & UVSQ

Dilithium is a signature algorithm, considered post-quantum, and recently standardized under the name ML-DSA by NIST. Due to its security and performance, it is recommended in most use cases.

 

During this presentation, I will outline the main ideas behind two studies, conducted in collaboration with Andersson Calle-Vierra, Benoît Cogliati, and Louis Goubin, which provide a better understanding of Dilithium's practical security.

 

I show that by introducing an error during the generation of the Dilithium signature, it is possible to force the signer to provide “incorrect” signatures that reveal information about the secret key in the form of inequalities on its coefficients. We then reformulate the problem of recovering the secret key from incorrect signatures into a linear programming problem.

 

Among the data in the MLWE instance (A,t), which is at the heart of Dilithium's construction, the least significant part of t—denoted by t0—is not included in the public key and is formally considered part of the secret key. Knowing t_0 has no impact on Dilithium's black box security, but it does allow for much more effective side-channel attacks. I explain the main ideas for constructing an attack that finds t0 from Dilithium signatures, again by twisting linear programming tools.

 

Both of these results use linear programming techniques that are somewhat deviated from their traditional uses, which is quite unusual for cryptanalysis of public-key algorithms.

Practical infos

Next sessions

  • Predicting Module-Lattice Reduction

    • December 19, 2025 (13:45 - 14:45)

    • Batiment 22-23 salle 14 (en face de l'amphi Lebesgue)

    Speaker : Paola de Perthuis - CWI

    Is module-lattice reduction better than unstructured lattice reduction? This question was highlighted as `Q8' in the Kyber NIST standardization submission (Avanzi et al., 2021), as potentially affecting the concrete security of Kyber and other module-lattice-based schemes. Foundational works on module-lattice reduction (Lee, Pellet-Mary, Stehlé, and Wallet, ASIACRYPT 2019; Mukherjee and Stephens[…]

    • Cryptography

  • Séminaire C2 à INRIA Paris

    • January 16, 2026 (10:00 - 17:00)

    • INRIA Paris

    Emmanuel Thomé et Pierrick Gaudry Rachelle Heim Boissier Épiphane Nouetowa Dung Bui Plus d'infos sur https://seminaire-c2.inria.fr/ 

  • Attacking the Supersingular Isogeny Problem: From the Delfs–Galbraith algorithm to oriented graphs

    • January 23, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Arthur Herlédan Le Merdy - COSIC, KU Leuven

    The threat of quantum computers motivates the introduction of new hard problems for cryptography.One promising candidate is the Isogeny problem: given two elliptic curves, compute a “nice’’ map between them, called an isogeny.In this talk, we study classical attacks on this problem, specialised to supersingular elliptic curves, on which the security of current isogeny-based cryptography relies. In[…]

    • Cryptography

Show previous sessions
Page top