Fixing and Mechanizing the Analysis of Dilithium
419 views
Skip to first unread message
Yi Lee
Mar 5, 2023, 1:20:30 PM3/5/23
to pqc-forum, m...@fc.up.pt, gilles...@mpi-sp.org, Christian Doczkal, Jelle Don, serge...@cwi.nl, bgregoir, Yu-Hsuan Huang, and...@huelsing.net, Yi Lee, Xiaodi Wu
Hi all,
Our recent paper [1] has been uploaded to eprint. We identified and fixed a flaw in the analysis of Dilithium, or more generally, of the Fiat-Shamir with Aborts (FSwA) paradigm. The flaw lies in the CMA-to-NMA reduction of prior analyses considering both classical and quantum attackers, and we provide new, fixed proofs for both cases. Furthermore, we formally verified the classical proof using EasyCrypt, and we have restored the same level of security guarantee via an improved concrete analysis, without changing the parameters of Dilithium. A concurrent work [2] also located this flaw and fixed it, by different means, in the scope of Lyubashevsky-style signatures.
Given that the above concerns the FSwA paradigm in general, many more papers are potentially affected, and we encourage authors that made use of FSwA to check their work.
Best,
Manuel Barbosa, Gilles Barthe, Christian Doczkal, Jelle Don, Serge Fehr, Benjamin Grégoire, Yu-Hsuan Huang, Andreas Hülsing, Yi Lee, Xiaodi Wu
[1] Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium. eprint: ia.cr/2023/246
[2] A Detailed Analysis of Fiat-Shamir with Aborts. eprint: ia.cr/2023/245
Our recent paper [1] has been uploaded to eprint. We identified and fixed a flaw in the analysis of Dilithium, or more generally, of the Fiat-Shamir with Aborts (FSwA) paradigm. The flaw lies in the CMA-to-NMA reduction of prior analyses considering both classical and quantum attackers, and we provide new, fixed proofs for both cases. Furthermore, we formally verified the classical proof using EasyCrypt, and we have restored the same level of security guarantee via an improved concrete analysis, without changing the parameters of Dilithium. A concurrent work [2] also located this flaw and fixed it, by different means, in the scope of Lyubashevsky-style signatures.
Given that the above concerns the FSwA paradigm in general, many more papers are potentially affected, and we encourage authors that made use of FSwA to check their work.
Best,
Manuel Barbosa, Gilles Barthe, Christian Doczkal, Jelle Don, Serge Fehr, Benjamin Grégoire, Yu-Hsuan Huang, Andreas Hülsing, Yi Lee, Xiaodi Wu
[1] Fixing and Mechanizing the Security Proof of Fiat-Shamir with Aborts and Dilithium. eprint: ia.cr/2023/246
[2] A Detailed Analysis of Fiat-Shamir with Aborts. eprint: ia.cr/2023/245
Reply all
Reply to author
Forward
0 new messages