Paper 2024/1373

Uncompressing Dilithium's public key

Paco Azevedo Oliveira, Thales DIS, France, Laboratoire de Mathématiques de Versailles, UVSQ, CNRS, Université Paris-Saclay, 78035 Versailles, France
Andersson Calle Viera, Thales DIS, France, Sorbonne Université, CNRS, Inria, LIP6, F-75005 Paris, France
Benoît Cogliati, Thales DIS, France
Louis Goubin, Laboratoire de Mathématiques de Versailles, UVSQ, CNRS, Université Paris-Saclay, 78035 Versailles, France
Abstract

The Dilithium signature scheme – recently standardized by NIST under the name ML-DSA – owes part of its success to a specific mechanism that allows an optimizaion of its public key size. Namely, among the data of the MLWE instance $\bf (A,\bf{t})$, which is at the heart of the construction of Dilithium, the least significant part of $\bf{t}$ -- denoted by $\bf{t}_0$ -- is not included in the public key. The verification algorithm had been adapted accordingly, so that it should not require the knowledge of $\bf{t}_0$. However, since it is still required to compute valid signatures, it has been made part of the secret key. The knowledge of $\bf{t}_0$ has no impact on the black-box cryptographic security of Dilithium, as can be seen in the security proof. Nevertheless, it does allow the construction of much more efficient side-channel attacks. Whether it is possible to recover $\bf{t}_0$ thus appears to be a sensitive question. In this work, we show that each Dilithium signature leaks information on $\bf{t}_0$, then we construct an attack that retrieves it from Dilithium signatures. Experimentally, depending on the Dilithium security level, between $200\,000$ and $500\,000$ signatures are sufficient to recover $\bf{t}_0$ on a desktop computer.

Note: Minor revision: New practical results have been included.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
DilithiumPublic KeyPartial Key Recovery
Contact author(s)
paco azevedo-oliveira @ thalesgroup com
andersson calle-viera @ thalesgroup com
benoit-michel cogliati @ thalesgroup com
louis goubin @ uvsq fr
History
2025-02-14: revised
2024-09-02: received
See all versions
Short URL
https://ia.cr/2024/1373
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2024/1373,
      author = {Paco Azevedo Oliveira and Andersson Calle Viera and Benoît Cogliati and Louis Goubin},
      title = {Uncompressing Dilithium's public key},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1373},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1373}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.