Cryptology ePrint Archive: Report 2018/821

Side-channel Assisted Existential Forgery Attack on Dilithium - A NIST PQC candidate

Prasanna Ravi, Mahabir Prasad Jhanwar, James Howe, Anupam Chattopadhyay and Shivam Bhasin

Abstract: The recent lattice-based signature scheme Dilithium, submitted as part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) package, is one of a number of strong candidates submitted for the NIST standardisation process of post-quantum cryptography. The Dilithium signature scheme is based on the Fiat-Shamir paradigm and can be seen as a variant of the Bai-Galbraith scheme (BG) combined with several improvements from previous ancestor lattice-based schemes like GLP and BLISS signature schemes. One of the main features of Dilithium is the compressed public-key, which is a rounded version of the LWE instance. This implies that Dilithium is not breakable with the knowledge of only the secret or the error of the LWE instance, unlike its ancestor lattice-based signature schemes. In this paper, we investigate the security of Dilithium against a combination of side-channel and classical attacks. Side-channel attacks on schoolbook and optimised polynomial multiplication algorithms in the signing procedure are shown to extract the secret component of the LWE instance, which is just one among the multiple components of the secret-key of Dilithium. We then propose an alternative signing procedure, through which it is possible to forge signatures with only the extracted portion of the secret-key, without requiring the knowledge of all its elements. Thus showing that Dilithium too breaks on just knowing the secret portion of the LWE instance, similar to previous lattice-based schemes.

Category / Keywords: Dilithium, Lattice based cryptography, Digital Signatures, post quantum cryptography, side channel attack

Date: received 3 Sep 2018, last revised 15 Sep 2018

Contact author: PRASANNA RAVI at ntu edu sg

Available format(s): PDF | BibTeX Citation

Version: 20180916:023812 (All versions of this report)

Short URL: ia.cr/2018/821


[ Cryptology ePrint archive ]