Table of contents

  • This session has been presented November 14, 2025 (13:45 - 14:45).

Description

  • Speaker

    Paco AZEVEDO OLIVEIRA - Thales & UVSQ

Dilithium is a signature algorithm, considered post-quantum, and recently standardized under the name ML-DSA by NIST. Due to its security and performance, it is recommended in most use cases.

 

During this presentation, I will outline the main ideas behind two studies, conducted in collaboration with Andersson Calle-Vierra, Benoît Cogliati, and Louis Goubin, which provide a better understanding of Dilithium's practical security.

 

I show that by introducing an error during the generation of the Dilithium signature, it is possible to force the signer to provide “incorrect” signatures that reveal information about the secret key in the form of inequalities on its coefficients. We then reformulate the problem of recovering the secret key from incorrect signatures into a linear programming problem.

 

Among the data in the MLWE instance (A,t), which is at the heart of Dilithium's construction, the least significant part of t—denoted by t0—is not included in the public key and is formally considered part of the secret key. Knowing t_0 has no impact on Dilithium's black box security, but it does allow for much more effective side-channel attacks. I explain the main ideas for constructing an attack that finds t0 from Dilithium signatures, again by twisting linear programming tools.

 

Both of these results use linear programming techniques that are somewhat deviated from their traditional uses, which is quite unusual for cryptanalysis of public-key algorithms.

Practical infos

Next sessions

  • Verification of Rust Cryptographic Implementations with Aeneas

    • February 13, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Aymeric Fromherz - Inria

    From secure communications to online banking, cryptography is the cornerstone of most modern secure applications. Unfortunately, cryptographic design and implementation is notoriously error-prone, with a long history of design flaws, implementation bugs, and high-profile attacks. To address this issue, several projects proposed the use of formal verification techniques to statically ensure the[…]

  • On the average hardness of SIVP for module lattices of fixed rank

    • March 06, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Radu Toma - Sorbonne Université

    In joint work with Koen de Boer, Aurel Page, and Benjamin Wesolowski, we study the hardness of the approximate Shortest Independent Vectors Problem (SIVP) for random module lattices. We use here a natural notion of randomness as defined originally by Siegel through Haar measures. By proving a reduction, we show it is essentially as hard as the problem for arbitrary instances. While this was[…]

  • Journées C2: pas de séminaire

    • April 03, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

  • Endomorphisms via Splittings

    • April 10, 2026 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Min-Yi Shen - No Affiliation

    One of the fundamental hardness assumptions underlying isogeny-based cryptography is the problem of finding a non-trivial endomorphism of a given supersingular elliptic curve. In this talk, we show that the problem is related to the problem of finding a splitting of a principally polarised superspecial abelian surface. In particular, we provide formal security reductions and a proof-of-concept[…]

    • Cryptography

Show previous sessions
Page top