Abstract
We extend and consolidate the security justification for the Dilithium signature scheme. In particular, we identify a subtle but crucial gap that appears in several ROM and QROM security proofs for signature schemes that are based on the Fiat-Shamir with aborts paradigm, including Dilithium. The gap lies in the CMA-to-NMA reduction and was uncovered when trying to formalize a variant of the QROM security proof by Kiltz, Lyubashevsky, and Schaffner (Eurocrypt 2018). The gap was confirmed by the authors, and there seems to be no simple patch for it. We provide new, fixed proofs for the affected CMA-to-NMA reduction, both for the ROM and the QROM, and we perform a concrete security analysis for the case of Dilithium to show that the claimed security level is still valid after addressing the gap. Furthermore, we offer a fully mechanized ROM proof for the CMA-security of Dilithium in the EasyCrypt proof assistant. Our formalization includes several new tools and techniques of independent interest for future formal verification results.
Authors are listed in alphabetical order; see https://www.ams.org/profession/leaders/culture/JointResearchandItsPublicationfinal.pdf.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
This is necessary for a large class of lattice-based IDS, to avoid leaking the secret key via biased responses z.
- 2.
We note that for simplicity, we consider ordinary unforgeability. It is not too hard to extend our results to strong unforgeability if the considered IDS satisfies the additional property of having computational unique-responses.
- 3.
Support for QROM in EasyCrypt is still under active development [16], and the existing features do not yet allow to formally verify the QROM proof.
- 4.
This was done in collaboration with Oskar Goldhahn and has now been merged into the EasyCrypt standard library.
- 5.
Throughout the paper, when clear from the context, we often omit the dependence on pk and sk in our notation.
- 6.
For simplicity, and since this is sufficient for out main application (Dilithium), we consider statistical indistinguishability of the simulated transcript. Our results extend to a computational variant in the obvious way.
- 7.
Also note that, at the cost of an increased simulation error, an expected poly-time simulator can always be turned into a strict poly-time one by cutting the runtime.
- 8.
The acronym EF-NMA (resp. EF-CMA) stands for existential unforgeability against no (resp. chosen) message attacks.
- 9.
Or, if H got reprogrammed on (m, w) already during a prior call to \(\textsf {{Prog}} \).
- 10.
We may actually allow \(O_1,\ldots ,O_r,\) to be stateful, all having access to the same state, but for the propose of “switching” from O to \(O'\) for any \(\mathcal{A} \), this state can always be maintained and provided by \(\mathcal{A} \).
- 11.
This includes calls to reprogram H.
- 12.
See [1] for a discussion on how these parameters are set in practice.
References
Ducas, L., et al.: CRYSTALS-Dilithium - algorithm specifications and supporting documentation (version 3.1). Technical report (February 2021). Specification document
Ducas, L., et al.: CRYSTALS-Dilithium: A lattice-based digital signature scheme. IACR Trans. Cryptographic Hardware Embedded Syst., 238–268 (2018)
Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_35
Lyubashevsky, V.: Lattice signatures without trapdoors. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 738–755. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_43
Kiltz, E., Lyubashevsky, V., Schaffner, C.: A concrete treatment of Fiat-Shamir signatures in the quantum random-oracle model. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10822, pp. 552–586. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_18
Barbosa, M., et al.: Sok: Computer-aided cryptography. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 777–795. IEEE (2021)
Bhargavan, K., Blanchet, B., Kobeissi, N.: Verified models and reference implementations for the TLS 1.3 standard candidate. In: IEEE Symposium on Security and Privacy (S &P), pp. 483–502. IEEE Computer Society (2017)
Delignat-Lavaud, A., et al.: Implementing and proving the TLS 1.3 record layer. In: IEEE Symposium on Security and Privacy (S &P), pp. 463–482. IEEE Computer Society (2017)
Cremers, C., Horvat, M., Scott, S., van der Merwe, T.: Automated analysis and verification of TLS 1.3: 0-rtt, resumption and delayed authentication. In: IEEE Symposium on Security and Privacy (S &P), pp. 470–485. IEEE Computer Society (2016)
Cremers, C., Horvat, M., Hoyland, J., Scott, S., van der Merwe, T.: A comprehensive symbolic analysis of TLS 1.3. In: ACM Conference on Computer and Communications Security (CCS), pp. 1773–1788. ACM (2017)
Lyubashevsky, V., Nguyen, N.K., Plancon, M.: Lattice-based zero-knowledge proofs and applications: Shorter, simpler, and more general. Cryptology ePrint Archive (2022)
De Feo, L., Galbraith, S.D.: SeaSign: compact isogeny signatures from class group actions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 759–789. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_26
Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16
Beullens, W., Dobson, S., Katsumata, S., Lai, Y,-F., Pintore, F.: Group signatures and more from isogenies and lattices: Generic, simple, and efficient. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 95–126. Springer (2022). https://doi.org/10.1007/s10623-023-01192-x
Zhandry, M.: How to record quantum queries, and applications to quantum indifferentiability. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 239–268. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_9
Barbosa, M.: EasyPQC: Verifying post-quantum cryptography. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS 2021, pp. 2564–2586. Association for Computing Machinery, New York (2021)
Avanzini, M., Barthe, G., Grégoire, B., Moser, G., Vanoni, G.: A mechanisation of the complexity analysis of skiplists. Unpublished manuscript (2023)
Kozen, D.: A probabilistic pdl. In: Proceedings of the Fifteenth Annual ACM Symposium on Theory of Computing, STOC 1983, pp. 291–297. Association for Computing Machinery, New York (1983)
Devevey, J., Fallahpour, P., Passelègue, A., Stehlé, D.: A detailed analysis of Fiat-Shamir with aborts. Cryptology ePrint Archive, Paper 2023/245 (2023). https://eprint.iacr.org/2023/245
Barbosa, M.: Fixing and mechanizing the security proof of Fiat-Shamir with aborts and Dilithium. Cryptology ePrint Archive, Paper 2023/246 (2023). https://eprint.iacr.org/2023/246
Grilo, A.B., Hövelmanns, K., Hülsing, A., Majenz, C.: Tight adaptive reprogramming in the QROM. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13090, pp. 637–667. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92062-3_22
Acknowledgments
Jelle Don is supported by the ERC-ADG project ALGSTRONGCRYPTO (Project No. 740972). Benjamin Grégoire is supported by the Agence Nationale de la Recherche (French National Research Agency) as part of the France 2030 programme - ANR-22-PECY-0006. Yu-Hsuan Huang is supported by the Dutch Research Agenda (NWA) project HAPKIDO (Project No. NWA.1215.18.002), which is financed by the Dutch Research Council (NWO). Andreas Hülsing is supported by an NWO VIDI grant (Project No. VI.Vidi.193. 066). Xiaodi Wu is supported by AFOSR Young Investigator Program (YIP) Award (FA95502110094) and NSF CAREER Award (NSF-CCF-1942837).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Barbosa, M. et al. (2023). Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14085. Springer, Cham. https://doi.org/10.1007/978-3-031-38554-4_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-38554-4_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38553-7
Online ISBN: 978-3-031-38554-4
eBook Packages: Computer ScienceComputer Science (R0)
