Paper 2023/1968

Evaluating the security of CRYSTALS-Dilithium in the quantum random oracle model

Kelsey A. Jackson, University of Maryland, College Park
Carl A. Miller, University of Maryland, College Park, National Institute of Standards and Technology
Daochen Wang, University of Maryland, College Park, University of British Columbia
Abstract

In the wake of recent progress on quantum computing hardware, the National Institute of Standards and Technology (NIST) is standardizing cryptographic protocols that are resistant to attacks by quantum adversaries. The primary digital signature scheme that NIST has chosen is CRYSTALS-Dilithium. The hardness of this scheme is based on the hardness of three computational problems: Module Learning with Errors (MLWE), Module Short Integer Solution (MSIS), and SelfTargetMSIS. MLWE and MSIS have been well-studied and are widely believed to be secure. However, SelfTargetMSIS is novel and, though classically as hard as MSIS, its quantum hardness is unclear. In this paper, we provide the first proof of the hardness of SelfTargetMSIS via a reduction from MLWE in the Quantum Random Oracle Model (QROM). Our proof uses recently developed techniques in quantum reprogramming and rewinding. A central part of our approach is a proof that a certain hash function, derived from the MSIS problem, is collapsing. From this approach, we deduce a new security proof for Dilithium under appropriate parameter settings. Compared to the previous work by Kiltz, Lyubashevsky, and Schaffner (EUROCRYPT 2018) that gave the only other rigorous security proof for a variant of Dilithium, our proof has the advantage of being applicable under the condition $q = 1 \text{ mod } 2n$, where $q$ denotes the modulus and $n$ the dimension of the underlying algebraic ring. This condition is part of the original Dilithium proposal and is crucial for the efficient implementation of the scheme. We provide new secure parameter sets for Dilithium under the condition $q = 1 \text{ mod } 2n$, finding that our public key size and signature size are about $2.9\times$ and $1.3\times$ larger, respectively, than those proposed by Kiltz et al. at the same security level.

Note: 23 pages; v2: added description of CRYSTALS-Dilithium, improved analysis of concrete parameters

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published by the IACR in EUROCRYPT 2024
Keywords
post-quantum cryptographyquantum cryptographyCRYSTALS-Dilithiumlattices
Contact author(s)
kaj22475 @ umd edu
camiller @ umd edu
wdaochen @ gmail com
History
2024-03-07: revised
2023-12-29: received
See all versions
Short URL
https://ia.cr/2023/1968
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1968,
      author = {Kelsey A. Jackson and Carl A. Miller and Daochen Wang},
      title = {Evaluating the security of {CRYSTALS}-Dilithium in the quantum random oracle model},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1968},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1968}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.