Questions tagged [dilithium]

Dilithium is a digital signature algorithm that uses the Fiat-Shamir with aborts technique and is based on the Decisional Compact Knapsack (DCK) and Short Integer Solution (SIS) problems in module lattices. It is an example of lattice-based cryptography and is part of the CRYSTALS family together with the KEM scheme Kyber. It has been standardized and published as FIPS-204.

37 questions
17
votes
4 answers

Kyber and Dilithium explained to primary school students?

Kyber and Dilithium are post-quantum cryptographic designs, but the resources are hard to understand. Is it possible to explain those ciphers to children?
13
votes
1 answer

Why did NIST select Kyber and Dilithium?

NIST selected Kyber for key agreement and Dilithium for digital signature applications some days ago. But IDF's MATZOV group, in their paper, broke Kyber and Dilithium and brought the security levels of these schemes below the thresholds defined by…
8
votes
1 answer

Are rejected Dilithium commitments secret?

On 6 March, Yi Lee sent over the NIST mailing list an announcement of their submitted paper that found a flaw in the original security proof for Dilithium. In their manuscript, they fix the proof on paper, and they also verified the whole proof using…
6
votes
1 answer

Do we need the quantum random oracle model (QROM)?

I am currently studying the proof of the Dilithium signature in the quantum random oracle model (QROM). I am curious to hear if anyone has any thoughts on the importance of having proofs in the QROM or if proofs in the standard random oracle model…
5
votes
0 answers

Why is it safe to generate the secret key and masking vectors using rejection sampling in CRYSTALS-Dilithium?

In CRYSTALS-Dilithium module lattice-based digital signatures, the secret key vectors $s_1, s_2$ with coefficients in $[-\eta, \eta]$ and the signature masking vector $y$ with coefficients in $(-\gamma_1, \gamma_1)$ are generated using rejection…
5
votes
1 answer

Why was the value of modulus (q) chosen small in KYBER and large in DILITHIUM?

In the KYBER key agreement algorithm, the mathematical condition dictates that $n|q-1$ and for the NTT implementation, the value of $q$ was chosen to be $3329$. In the DILITHIUM digital signature algorithm, the condition $2n|q-1$ must hold. However,…
R_Jalaei
5
votes
3 answers

How to reconstruct low order bits of $t$ of CRYSTALS-Dilithium from a small number of signatures?

In FIPS 204 (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf): "The vector $\textbf{t}$ is compressed in the actual public key by dropping the $d$ least significant bits from each coefficient, thus producing the polynomial vector…
4
votes
1 answer

Basic explanation of Falcon and Dilithium

I've been trying to search for toy examples of the round 3 digital signatures Rainbow, Falcon and Dilithium. Not a lot of actual implementation examples are out there. What I'm searching for are actual examples with numbers that explain how the two…
4
votes
0 answers

Which parts of CRYSTALS-Kyber and CRYSTALS-Dilithium are compatible?

The papers CRYSTALS-Kyber and CRYSTALS-Dilithium both have been written by quite different authors. It seems that at least the key generation is very different from each other. CRYSTALS mainly seems to be a suite of algorithms based on the hardness…
4
votes
1 answer

Dilithium signature scheme and timing attacks – Does the running time actually depend on the secret key?

The paper “CRYSTALS – Dilithium: Digital Signatures from Module Lattices” (by Léo Ducas, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor Seiler, and Damien Stehlé) introduces a digital signature scheme based on lattices. However, it…
4
votes
0 answers

Why does Dilithium have options starting from security level 2 and not 1?

I am a newbie to PQC, so forgive my gaps in understanding. Most of the NIST PQC standardization selections have 3 levels of security: 1, 3 and 5. It is not the case for Dilithium. Is there any specific reason why that is the case?
Aegon0612
3
votes
1 answer

Multiplication in ML-DSA

I am trying to understand ML-DSA PQC and the cs1 multiplication done in ML-DSA-44 signature generation. Printed value of s1 after unpacking and get the values (for s1.vec[0], a few values): s1[0] = -2 s1[1] = 2 s1[2] = 2 s1[3] = -2 s1[4] = 1 s1[5] =…
3
votes
2 answers

SIS on Dilithium

I was reading the Dilithium spec: https://pq-crystals.org/dilithium/data/dilithium-specification-round3-20210208.pdf#equation.6.13 And in the specification, they mention using LWE for key recovery and SIS for forgery. From my understanding, the…
t3st12
3
votes
1 answer

Are there weaknesses other than existential forgery to using Fiat-Shamir type signatures without a hash?

I am a college professor interested in using post-quantum cryptosystems like Dilithium in my linear algebra classes. The mathematics is not a problem, but these are mostly not computer science students so I am wondering if I could avoid talking…
3
votes
1 answer

In Dilithium (post-quantum signature algorithm), how have the authors precomputed the table of zetas for NTT?

I am trying to understand the design rationale of the in-place NTT in Dilithium. I know how the splitting of polynomials is done, but I can't seem to map this approach to the precomputed table of zetas that is present in the authors' code. I have…
smith