Welcome to the resource topic for 2024/1373
Title:
Uncompressing Dilithium’s public key
Authors: Paco Azevedo Oliveira, Andersson Calle Viera, Benoît Cogliati, Louis Goubin
Abstract: To be competitive with other signature schemes, the MLWE instance $(\mathbf{A}, \mathbf{t})$ on which Dilithium is based is compressed: the least significant bits of $\mathbf{t}$, which are denoted $\mathbf{t}_0$, are considered part of the secret key. Knowing $\mathbf{t}_0$ does not provide any information about the other data in the secret key, but it does allow the construction of much more efficient side-channel attacks. Yet to the best of our knowledge, there is no known way to recover $\mathbf{t}_0$ from Dilithium signatures. In this work, we show that each Dilithium signature leaks information on $\mathbf{t}_0$, then we construct an attack that retrieves the vector $\mathbf{t}_0$ from Dilithium signatures. Experimentally, for Dilithium-2, 4,000,000 signatures and 2 hours are sufficient to recover $\mathbf{t}_0$ on a desktop computer.
ePrint: https://eprint.iacr.org/2024/1373
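The compression the abstract refers to is the Power2Round step of Dilithium / ML-DSA (FIPS 204): every coefficient of $\mathbf{t} = \mathbf{A}\mathbf{s}_1 + \mathbf{s}_2$ is split into a high part $\mathbf{t}_1$ (published) and a low part $\mathbf{t}_0$ (kept in the secret key), with $d = 13$ dropped bits. The following is an added illustration of that split, written for this topic and not taken from the paper or any Dilithium implementation; it does not reproduce the attack. The constants are the standard ones ($q = 2^{23} - 2^{13} + 1$, $d = 13$, $n = 256$); the sample vector is constructed from a seeded PRNG.

```python
import random

Q = 8380417      # Dilithium / ML-DSA modulus q = 2^23 - 2^13 + 1
D = 13           # number of low bits of t that are dropped from the public key
N = 256          # polynomial degree
T1_BITS = 10     # bits per coefficient of t1: ceil(log2(q)) - d = 23 - 13


def mod_pm(r, m):
    """Centered residue r mod± m, in (-m/2, m/2] for even m (FIPS 204 convention)."""
    r %= m
    return r - m if r > m // 2 else r


def power2round(r):
    """Power2Round: return (r1, r0) with r = r1 * 2^D + r0 (mod q),
    r0 in (-2^(D-1), 2^(D-1)] and r1 in [0, 2^T1_BITS)."""
    r_plus = r % Q
    r0 = mod_pm(r_plus, 1 << D)
    r1 = (r_plus - r0) >> D          # exact division: r_plus - r0 is a multiple of 2^D
    return r1, r0


def compress_t(t):
    """Apply Power2Round coefficient-wise to a vector t of k polynomials.
    t1 goes into the public key, t0 into the secret key."""
    t1, t0 = [], []
    for poly in t:
        pairs = [power2round(c) for c in poly]
        t1.append([hi for hi, _ in pairs])
        t0.append([lo for _, lo in pairs])
    return t1, t0


def decompress_t(t1, t0):
    """Recover the full uncompressed MLWE value t = t1 * 2^D + t0 (mod q).
    This is exactly what an attacker who learns t0 can do with the public key."""
    return [[((hi << D) + lo) % Q for hi, lo in zip(p1, p0)] for p1, p0 in zip(t1, t0)]


def t0_in_range(t0):
    """Sanity check: every coefficient of t0 lies in (-2^(D-1), 2^(D-1)]."""
    half = 1 << (D - 1)
    return all(-half < c <= half for poly in t0 for c in poly)


def pk_size_bytes(k):
    """Public key size: 32-byte seed rho plus t1 packed at T1_BITS bits per coefficient.
    k = 4, 6, 8 gives 1312, 1952, 2592 bytes, matching ML-DSA-44/65/87."""
    return 32 + k * N * T1_BITS // 8


def sample_t(k, seed=1):
    """Constructed sample: a uniformly random vector of k polynomials mod q.
    (Not a real MLWE instance; only the coefficient range matters here.)"""
    rng = random.Random(seed)
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(k)]


if __name__ == "__main__":
    t = sample_t(k=4)                      # Dilithium-2 / ML-DSA-44 has k = 4
    t1, t0 = compress_t(t)
    assert decompress_t(t1, t0) == t
    print("t0 range ok:", t0_in_range(t0))
    print("public key bytes (k=4):", pk_size_bytes(4))
```

The round trip shows why $\mathbf{t}_0$ is a secret rather than a public value: $\mathbf{t}_1$ alone is a lossy view of $\mathbf{t}$, and whoever recovers $\mathbf{t}_0$ (the paper does it from signatures) obtains the full MLWE instance $(\mathbf{A}, \mathbf{t})$ that the compression was meant to withhold.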
See all topics related to this paper.
Feel free to post resources that are related to this paper below.
Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.
For more information, see the rules for Resource Topics.