Table of contents

Description

  • Speaker

    Paco AZEVEDO OLIVEIRA - Thales & UVSQ

Dilithium is a signature algorithm, considered post-quantum, and recently standardized under the name ML-DSA by NIST. Due to its security and performance, it is recommended in most use cases.

 

During this presentation, I will outline the main ideas behind two studies, conducted in collaboration with Andersson Calle-Vierra, Benoît Cogliati, and Louis Goubin, which provide a better understanding of Dilithium's practical security.

 

I show that by introducing an error during the generation of the Dilithium signature, it is possible to force the signer to provide “incorrect” signatures that reveal information about the secret key in the form of inequalities on its coefficients. We then reformulate the problem of recovering the secret key from incorrect signatures into a linear programming problem.

 

Among the data in the MLWE instance (A,t), which is at the heart of Dilithium's construction, the least significant part of t—denoted by t0—is not included in the public key and is formally considered part of the secret key. Knowing t_0 has no impact on Dilithium's black box security, but it does allow for much more effective side-channel attacks. I explain the main ideas for constructing an attack that finds t0 from Dilithium signatures, again by twisting linear programming tools.

 

Both of these results use linear programming techniques that are somewhat deviated from their traditional uses, which is quite unusual for cryptanalysis of public-key algorithms.

Practical infos

  • Date

    November 07, 2025 (13:45 - 14:45)

  • Location

    IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes Amphi Lebesgue
    Locate on Google Maps

  • Add this presentation to my calendar

  • Video meet

    The seminar is systematically visible by videoconference

    Access the meeting

Next sessions

  • Dual attacks in code-based (and lattice-based) cryptography

    • September 19, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Charles Meyer-Hilfiger - Inria Rennes

    The hardness of the decoding problem and its generalization, the learning with errors problem, are respectively at the heart of the security of the Post-Quantum code-based scheme HQC and the lattice-based scheme Kyber. Both schemes are to be/now NIST standards. These problems have been actively studied for decades, and the complexity of the state-of-the-art algorithms to solve them is crucially[…]

    • Cryptography

  • Design of fast AES-based Universal Hash Functions and MACs

    • October 10, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Augustin Bariant - ANSSI

    Ultra-fast AES round-based software cryptographic authentication/encryption primitives have recently seen important developments, fuelled by the authenticated encryption competition CAESAR and the prospect of future high-profile applications such as post-5G telecommunication technology security standards. In particular, Universal Hash Functions (UHF) are crucial primitives used as core components[…]

    • Cryptography

  • Lie algebras and the security of cryptosystems based on classical varieties in disguise

    • November 07, 2025 (13:45 - 14:45)

    • IRMAR - Université de Rennes - Campus Beaulieu Bat. 22, RDC, Rennes - Amphi Lebesgue

    Speaker : Mingjie Chen - KU Leuven

    In 2006, de Graaf et al. proposed a strategy based on Lie algebras for finding a linear transformation in the projective linear group that connects two linearly equivalent projective varieties defined over the rational numbers. Their method succeeds for several families of “classical” varieties, such as Veronese varieties, which are known to have large automorphism groups.   In this talk, we[…]

    • Cryptography

Show previous sessions
Page top