Paper 2024/1373
Uncompressing Dilithium's public key
Abstract
To be competitive with other signature schemes, the MLWE instance $(\mathbf{A},\mathbf{t})$ on which Dilithium is based is compressed: the least significant bits of $\mathbf{t}$, denoted $\mathbf{t}_0$, are considered part of the secret key. Knowing $\mathbf{t}_0$ does not provide any information about the other data in the secret key, but it does allow the construction of much more efficient side-channel attacks. Yet, to the best of our knowledge, there is no known way to recover $\mathbf{t}_0$ from Dilithium signatures. In this work, we show that each Dilithium signature leaks information on $\mathbf{t}_0$, and we then construct an attack that retrieves the vector $\mathbf{t}_0$ from Dilithium signatures. Experimentally, for Dilithium-2, $4\,000\,000$ signatures and $2$ hours are sufficient to recover $\mathbf{t}_0$ on a desktop computer.
Metadata
- Category: Public-key cryptography
- Publication info: Preprint.
- Keywords: Dilithium, Public Key, Partial Key Recovery
- Contact author(s):
  paco azevedo-oliveira @ thalesgroup com
  andersson calle-viera @ thalesgroup com
  benoit-michel cogliati @ thalesgroup com
  louis goubin @ uvsq fr
- History:
  2024-09-04: approved
  2024-09-02: received
- Short URL: https://ia.cr/2024/1373
- License: CC BY
BibTeX
  @misc{cryptoeprint:2024/1373,
    author = {Paco Azevedo Oliveira and Andersson Calle Viera and Benoît Cogliati and Louis Goubin},
    title = {Uncompressing Dilithium's public key},
    howpublished = {Cryptology {ePrint} Archive, Paper 2024/1373},
    year = {2024},
    url = {https://eprint.iacr.org/2024/1373}
  }