### Don't throw your nonces out with the bathwater: Speeding up Dilithium by reusing the tail of y

Daan Sprenkels and Bas Westerbaan

##### Abstract

We suggest a small change to the Dilithium signature scheme that allows one to reuse computations between rejected nonces, for a speed-up in signing time. The modification is based on the observation that, after rejecting on a too large $\|\mathbf{r}_0\|_\infty$, not all elements of the nonce $\mathbf{y}$ are spent. We swap the order of the checks, and if this $\mathbf{r}_0$-check fails, we only need to resample $y_1$. We provide a proof that shows that the modification does not affect the security of the scheme. We present measurements of the performance of the modified scheme on AVX2, Cortex M4, and Cortex M3, which show a speed-up ranging from 11% for Dilithium2 on M3 to 22% for Dilithium3 on AVX2.

Note: This version of the paper (16 Dec 2012) is based on our previous paper from 22 Sep 2020, which was published under the same name.
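To make the mechanics of the abstract concrete, the following is an added, constructed Python model of the Dilithium signing loop; it is not code from the paper or its authors. It keeps Dilithium's modulus q but shrinks the ring dimension, matrix size and bounds (toy values, not any Dilithium parameter set) so that rejections happen often enough to observe, and it omits the hint vector, the t1 compression and the ct0 check of the real scheme. The unmodified loop checks z, then r0, and throws away all of y on any rejection; the modified loop checks r0 first and, on an r0 rejection, resamples only y_1 while keeping y_2..y_L and the cached product A_{·,2..L} · y_{2..L}. On a z rejection the toy resamples everything, which is an assumption, since the abstract only specifies the r0 case.

```python
import hashlib
import random

# Toy parameters, constructed for this example: Dilithium's q is kept, but the ring
# dimension and bounds are shrunk so rejections are frequent. NOT a Dilithium parameter set.
Q = 8380417
N = 16                 # ring dimension (Dilithium: 256)
K, L = 2, 4            # A is K x L over R_q = Z_q[X]/(X^N + 1)
ETA, TAU = 2, 4        # secret coefficient bound, weight of the challenge c
BETA = ETA * TAU       # bound on ||c*s1||_inf and ||c*s2||_inf
GAMMA1 = 4096          # nonce bound (Dilithium2: 2^17)
GAMMA2 = 256           # rounding range; 2*GAMMA2 must divide Q-1 (Dilithium2: (Q-1)/88)
ALPHA = 2 * GAMMA2
assert (Q - 1) % ALPHA == 0

def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[X]/(X^N + 1)."""
    res = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                res[i + j] = (res[i + j] + ai * bj) % Q
    return [(res[i] - res[i + N]) % Q for i in range(N)]  # reduce X^N = -1

def mat_vec(A, v):
    out = []
    for row in A:
        acc = [0] * N
        for a, x in zip(row, v):
            acc = poly_add(acc, poly_mul(a, x))
        out.append(acc)
    return out

def inf_norm(vec):
    """||.||_inf over centered representatives in (-Q/2, Q/2]."""
    return max(abs(c - Q if c > Q // 2 else c) for p in vec for c in p)

def decompose(r):
    """Dilithium Decompose: r = r1*ALPHA + r0 with r0 in (-ALPHA/2, ALPHA/2]."""
    r0 = r % ALPHA
    if r0 > ALPHA // 2:
        r0 -= ALPHA
    if r - r0 == Q - 1:
        return 0, r0 - 1
    return (r - r0) // ALPHA, r0

def high_bits(vec): return [[decompose(c)[0] for c in p] for p in vec]
def low_bits(vec): return [[decompose(c)[1] for c in p] for p in vec]
def rand_poly(rng, lo, hi): return [rng.randint(lo, hi) % Q for _ in range(N)]

def challenge(mu, w1):
    """c = H(mu, w1): TAU coefficients in {+1, -1}, the rest zero."""
    h = random.Random(hashlib.shake_256(mu + repr(w1).encode()).digest(32))
    c = [0] * N
    for pos in h.sample(range(N), TAU):
        c[pos] = h.choice((1, Q - 1))
    return c

def keygen(rng):
    A = [[[rng.randrange(Q) for _ in range(N)] for _ in range(L)] for _ in range(K)]
    s1 = [rand_poly(rng, -ETA, ETA) for _ in range(L)]
    s2 = [rand_poly(rng, -ETA, ETA) for _ in range(K)]
    t = [poly_add(w, e) for w, e in zip(mat_vec(A, s1), s2)]  # full t, no t1 compression
    return A, t, s1, s2

def r0_rejects(w, c, s2):
    return inf_norm(low_bits([poly_sub(w[i], poly_mul(c, s2[i])) for i in range(K)])) >= GAMMA2 - BETA

def z_of(y, c, s1): return [poly_add(y[j], poly_mul(c, s1[j])) for j in range(L)]

def sign_standard(A, s1, s2, mu, rng):
    """Unmodified loop: z-check, then r0-check; any rejection discards all of y.
    Returns (signature, number of nonce polynomials sampled)."""
    sampled = 0
    while True:
        y = [rand_poly(rng, 1 - GAMMA1, GAMMA1) for _ in range(L)]
        sampled += L
        w = mat_vec(A, y)
        c = challenge(mu, high_bits(w))
        z = z_of(y, c, s1)
        if inf_norm(z) >= GAMMA1 - BETA or r0_rejects(w, c, s2):
            continue
        return (c, z), sampled

def sign_tail_reuse(A, s1, s2, mu, rng):
    """Swapped order: r0-check first; an r0 rejection resamples only y_1 and keeps the
    tail plus its cached product. A z rejection resamples everything (assumption)."""
    sampled, y_tail, w_tail = 0, None, None
    while True:
        if y_tail is None:
            y_tail = [rand_poly(rng, 1 - GAMMA1, GAMMA1) for _ in range(L - 1)]
            w_tail = mat_vec([row[1:] for row in A], y_tail)  # A_{.,2..L} * y_{2..L}
            sampled += L - 1
        y1 = rand_poly(rng, 1 - GAMMA1, GAMMA1)
        sampled += 1
        w = [poly_add(poly_mul(A[i][0], y1), w_tail[i]) for i in range(K)]
        c = challenge(mu, high_bits(w))
        if r0_rejects(w, c, s2):
            continue                  # only y_1 is spent; y_tail and w_tail survive
        z = z_of([y1] + y_tail, c, s1)
        if inf_norm(z) >= GAMMA1 - BETA:
            y_tail = None             # full resample, as in the unmodified scheme
            continue
        return (c, z), sampled

def verify(A, t, mu, sig):
    c, z = sig
    if inf_norm(z) >= GAMMA1 - BETA:
        return False
    w1 = high_bits([poly_sub(az, poly_mul(c, ti)) for az, ti in zip(mat_vec(A, z), t)])
    return c == challenge(mu, w1)

def compare(num_messages=100, seed=1):
    """Sign each message with both loops; return nonce polynomials sampled per loop."""
    rng = random.Random(seed)
    A, t, s1, s2 = keygen(rng)
    totals = {"standard": 0, "tail_reuse": 0}
    for i in range(num_messages):
        mu = b"constructed message %d" % i
        for name, signer in (("standard", sign_standard), ("tail_reuse", sign_tail_reuse)):
            sig, sampled = signer(A, s1, s2, mu, rng)
            assert verify(A, t, mu, sig)
            totals[name] += sampled
    return totals
```

`compare()` signs 100 constructed messages with each loop, verifies every signature, and returns how many nonce polynomials each loop drew; with these toy bounds the r0 rejection dominates, so the tail-reuse loop draws far fewer. What the model shows is which state survives an r0 rejection and which product can be cached; it does not reproduce the paper's AVX2 or Cortex-M measurements, and the safety of checking r0 first and refreshing only y_1 rests on the paper's proof, not on anything this simulation tests.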

Category: Public-key cryptography
Publication info: Preprint. MINOR revision.
Keywords: Dilithium, Fiat-Shamir with aborts, lattice-based cryptography, AVX2, ARM Cortex-M4, ARM Cortex-M3
Contact author(s): daan @ dsprenkels com, bas @ westerbaan name
History: 2021-12-16: revised
Short URL: https://ia.cr/2020/1158

CC BY

BibTeX

@misc{cryptoeprint:2020/1158,
author = {Daan Sprenkels and Bas Westerbaan},
title = {Don't throw your nonces out with the bathwater: Speeding up Dilithium by reusing the tail of y},
howpublished = {Cryptology ePrint Archive, Paper 2020/1158},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/1158}},
url = {https://eprint.iacr.org/2020/1158}
}
