Evaluating the security of CRYSTALS-Dilithium in the quantum random oracle model
IACR Cryptol. ePrint Arch.(2023)
摘要
In the wake of recent progress on quantum computing hardware, the National
Institute of Standards and Technology (NIST) is standardizing cryptographic
protocols that are resistant to attacks by quantum adversaries. The primary
digital signature scheme that NIST has chosen is CRYSTALS-Dilithium. The
hardness of this scheme is based on the hardness of three computational
problems: Module Learning with Errors (MLWE), Module Short Integer Solution
(MSIS), and SelfTargetMSIS. MLWE and MSIS have been well-studied and are widely
believed to be secure. However, SelfTargetMSIS is novel and, though classically
as hard as MSIS, its quantum hardness is unclear. In this paper, we provide the
first proof of the hardness of SelfTargetMSIS via a reduction from MLWE in the
Quantum Random Oracle Model (QROM). Our proof uses recently developed
techniques in quantum reprogramming and rewinding. A central part of our
approach is a proof that a certain hash function, derived from the MSIS
problem, is collapsing. From this approach, we deduce a new security proof for
Dilithium under appropriate parameter settings. Compared to the only other
rigorous security proof for a variant of Dilithium, Dilithium-QROM, our proof
has the advantage of being applicable under the condition q = 1 mod 2n, where q
denotes the modulus and n the dimension of the underlying algebraic ring. This
condition is part of the original Dilithium proposal and is crucial for the
efficient implementation of the scheme. We provide new secure parameter sets
for Dilithium under the condition q = 1 mod 2n, finding that our public key
sizes and signature sizes are about 2.5 to 2.8 times larger than those of
Dilithium-QROM for the same security levels.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要