Description
Dilithium is a signature algorithm, considered post-quantum, and recently standardized under the name ML-DSA by NIST. Due to its security and performance, it is recommended in most use cases.
During this presentation, I will outline the main ideas behind two studies, conducted in collaboration with Andersson Calle-Vierra, Benoît Cogliati, and Louis Goubin, which provide a better understanding of Dilithium's practical security.
I show that by introducing an error during the generation of the Dilithium signature, it is possible to force the signer to provide “incorrect” signatures that reveal information about the secret key in the form of inequalities on its coefficients. We then reformulate the problem of recovering the secret key from incorrect signatures into a linear programming problem.
Among the data in the MLWE instance (A,t), which is at the heart of Dilithium's construction, the least significant part of t—denoted by t0—is not included in the public key and is formally considered part of the secret key. Knowing t_0 has no impact on Dilithium's black box security, but it does allow for much more effective side-channel attacks. I explain the main ideas for constructing an attack that finds t0 from Dilithium signatures, again by twisting linear programming tools.
Both of these results use linear programming techniques that are somewhat deviated from their traditional uses, which is quite unusual for cryptanalysis of public-key algorithms.
Practical infos
Next sessions
-
Attacks and Remedies for Randomness in AI: Cryptanalysis of PHILOX and THREEFRY
Speaker : Yevhen Perehuda - Ruhr-University Bochum
In this work, we address the critical yet understudied question of the security of the most widely deployed pseudorandom number generators (PRNGs) in AI applications. We show that these generators are vulnerable to practical and low-cost attacks. With this in mind, we conduct an extensive survey of randomness usage in current applications to understand the efficiency requirements imposed in[…]-
Cryptography
-
-
Lightweight (AND, XOR) Implementations of Large-Degree S-boxes
Speaker : Marie Bolzer - LORIA
The problem of finding a minimal circuit to implement a given function is one of the oldest in electronics. In cryptography, the focus is on small functions, especially on S-boxes which are classically the only non-linear functions in iterated block ciphers. In this work, we propose new ad-hoc automatic tools to look for lightweight implementations of non-linear functions on up to 5 variables for[…]-
Cryptography
-
Symmetrical primitive
-
Implementation of cryptographic algorithm
-
-
Algorithms for post-quantum commutative group actions
Speaker : Marc Houben - Inria Bordeaux
At the historical foundation of isogeny-based cryptography lies a scheme known as CRS; a key exchange protocol based on class group actions on elliptic curves. Along with more efficient variants, such as CSIDH, this framework has emerged as a powerful building block for the construction of advanced post-quantum cryptographic primitives. Unfortunately, all protocols in this line of work are[…] -
Endomorphisms via Splittings
Speaker : Min-Yi Shen - No Affiliation
One of the fundamental hardness assumptions underlying isogeny-based cryptography is the problem of finding a non-trivial endomorphism of a given supersingular elliptic curve. In this talk, we show that the problem is related to the problem of finding a splitting of a principally polarised superspecial abelian surface. In particular, we provide formal security reductions and a proof-of-concept[…]-
Cryptography
-