In the KYBER key agreement algorithm, the mathematical condition dictates that $n \mid q-1$, and for the NTT implementation the value of $q$ was chosen to be $3329$. In the DILITHIUM digital signature algorithm, the condition $2n \mid q-1$ must hold. However, there are many cases where $q$ can be chosen to be much smaller than the value chosen in DILITHIUM, which is $8380417$. Why is the difference in the modulus $q$ between the KYBER and DILITHIUM algorithms so large?

R_Jalaei

1 Answer

I once asked the CRYSTALS team over email about this, and Vadim Lyubashevsky replied:

We don't see how to make Dilithium work with a smaller modulus. The reason that the modulus is large is because the size of the coefficients in the signature needs to be significantly larger than those in the public key (He probably meant "private" key, as coefficients in the public key are uniformly random). In encryption schemes, such as NewHope, the coefficients don't grow as much.

(Retro note: NewHope was a ring-lattice key establishment scheme)

I queried further:

As I understood, this is necessary to ensure the rejection sampling doesn't reject too many times.

Are there more reasons for that? It's just a personal opinion of mine that the choice between rejection time and bandwidth is just an arbitrary engineering decision, so if it was me, I'd try to find more justification to favor one over another.

And:

Sure, but if you want to decrease the modulus by a factor of x, then the rejection sampling time increases exponentially in x. So for example, if we're rejecting about 5 times when the modulus is 2^23, then we'll need to reject 5^128 times if the modulus could be shrunk to 2^16.

DannyNiu
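The exponential blow-up described in the quoted reply can be checked numerically. This is an added example, not part of the original answer or of the CRYSTALS code. It assumes the round-3 Dilithium parameter sets and the specification's approximation that a signing attempt is accepted with probability about $e^{-256\beta(\ell/\gamma_1 + k/\gamma_2)}$, and it models "shrinking the modulus by a factor of x" as dividing $\gamma_1$ and $\gamma_2$ by x while $\beta$ stays fixed (a simplifying assumption).

```python
import math

Q = 8380417  # Dilithium modulus, as given in the question

# Assumption: round-3 Dilithium parameter sets (not listed on this page).
PARAMS = {
    "Dilithium2": dict(k=4, l=4, beta=78, gamma1=2**17, gamma2=(Q - 1) // 88),
    "Dilithium3": dict(k=6, l=5, beta=196, gamma1=2**19, gamma2=(Q - 1) // 32),
    "Dilithium5": dict(k=8, l=7, beta=120, gamma1=2**19, gamma2=(Q - 1) // 32),
}


def ln_repetitions(k, l, beta, gamma1, gamma2, shrink=1.0, n=256):
    """Natural log of the expected number of signing attempts.

    Uses the spec's approximation exp(n*beta*(l/gamma1 + k/gamma2)).
    `shrink` divides gamma1 and gamma2, standing in for a modulus that is
    `shrink` times smaller (modelling assumption of this example).
    """
    return n * beta * shrink * (l / gamma1 + k / gamma2)


def expected_repetitions(name, shrink=1.0):
    """Expected signing attempts for a named parameter set."""
    return math.exp(ln_repetitions(**PARAMS[name], shrink=shrink))


def log10_repetitions(name, shrink=1.0):
    """log10 of the expected attempts; avoids overflow for large shrink."""
    return ln_repetitions(**PARAMS[name], shrink=shrink) / math.log(10)


if __name__ == "__main__":
    x = 2**23 // 2**16  # the 2^23 -> 2^16 shrink from the quoted reply: x = 128
    for name in PARAMS:
        print(f"{name}: {expected_repetitions(name):.2f} attempts today, "
              f"about 10^{log10_repetitions(name, x):.0f} with q shrunk {x}x")
```

Because the exponent is linear in the shrink factor, a baseline of R attempts becomes R^x attempts, which is the shape of the "5^128" estimate in the reply.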