The paper “CRYSTALS – Dilithium: Digital Signatures from Module Lattices” (by Léo Ducas, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, and Damien Stehlé) introduces a digital signature scheme based on lattices.

However, it worries me for two reasons:

  1. There is no proof of post-quantum security.
  2. There is no proof that the running time does not depend on the secret key.

The first appears to be a technical limitation of the proof technique and unlikely to lead to a practical attack, but the second one is definitely exploitable if my fear is real.

Does the running time actually depend on the secret key?

forest
Demi

1 Answer

The running time does not depend on the secret key. All multiplications, additions, and modular reductions can be implemented to be constant-time.

Diving into the details:

  • The probability of the goto in line 11 of the signing algorithm is independent of $s_1$, $s_2$ (the probability is in equation (4)).
  • The goto in line 13 is also independent of $s_1$, $s_2$ because the use of $s_2$ in line 12 can be replaced with an expression that does not use $s_2$ (as in equation (1)) in which all variables have distributions independent of $s_1$, $s_2$.
Mike Edward Moras
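To make the first bullet of the answer concrete, here is an added example (not code from the paper or the answer) with constructed toy parameters: it enumerates the rejection check of a Dilithium-style signer, where a coefficient of $z = y + c s_1$ is accepted only if $|z| < \gamma_1 - \beta$, and checks that the acceptance count is the same for every shift $|c s_1| \le \beta$, so the observable rejection rate carries no information about $s_1$. The bound $\beta$ on $\|c s_1\|_\infty$ is what makes this hold; the example also shows the count changing once a shift exceeds it.

```python
# Added example: why the rejection rate in Dilithium-style signing does not
# depend on s1. Parameters here are constructed toy values, far smaller than
# the real scheme's.

def accept_count(gamma1, beta, shift):
    """Number of y in [-(gamma1-1), gamma1-1] (y sampled uniformly) for which
    z = y + shift passes the check |z| < gamma1 - beta.
    'shift' stands for one coefficient of c*s1."""
    return sum(1 for y in range(-(gamma1 - 1), gamma1)
               if abs(y + shift) < gamma1 - beta)

def expected_accept_count(gamma1, beta):
    """Closed form: when |shift| <= beta, every z with |z| < gamma1 - beta is
    reachable from some y in range, so exactly 2*(gamma1-beta)-1 values pass."""
    return 2 * (gamma1 - beta) - 1

def acceptance_probability(gamma1, beta, shift):
    """Per-coefficient probability that the signer does not restart."""
    return accept_count(gamma1, beta, shift) / (2 * gamma1 - 1)

def rate_is_key_independent(gamma1, beta):
    """True if all admissible shifts (|shift| <= beta) give the same acceptance
    count, i.e. timing the restart loop reveals nothing about s1."""
    counts = {accept_count(gamma1, beta, s) for s in range(-beta, beta + 1)}
    return counts == {expected_accept_count(gamma1, beta)}

if __name__ == "__main__":
    GAMMA1, BETA = 2**6, 7   # constructed toy parameters
    for s in (-BETA, 0, 3, BETA):
        print(f"shift={s:3d}  P[accept]={acceptance_probability(GAMMA1, BETA, s):.4f}")
    print("rate independent of s1:", rate_is_key_independent(GAMMA1, BETA))
    # Beyond the bound beta the count (and hence the rate) does depend on the shift:
    print("shift beyond beta:", acceptance_probability(GAMMA1, BETA, BETA + 5))
```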