Detailed record
Author (Chinese): 蔡秉邕
Author (English): Tsai, Ping-Yung
Title (Chinese): Dilithium數位簽章系統的安全性估計
Title (English): Security Estimate of Dilithium Digital Signature Scheme
Advisors (Chinese): 陳君明; 魏福村
Advisors (English): Chen, Jiun-Ming; Wei, Fu-Tsun
Committee members (Chinese): 陳榮傑; 楊柏因
Committee members (English): Chen, Rong-Jaye; Yang, Bo-Yin
Degree: Master's
Institution: 國立清華大學 (National Tsing Hua University)
Department: 數學系 (Department of Mathematics)
Student ID: 107021515
Publication year (ROC calendar): 111
Graduation academic year: 110
Language: English
Pages: 38
Keywords (Chinese): 密碼學、後量子密碼學、晶格、容錯學習問題、CRYSTALS-Dilithium
Keywords (English): cryptography, post-quantum cryptography, lattice, LWE, CRYSTALS-Dilithium
Abstract (Chinese, translated): In this thesis we first introduce CRYSTALS-Dilithium, one of the third-round candidates of the NIST post-quantum cryptography standardization. It is built on three lattice problems: MLWE, MSIS, and SelfTargetMSIS. We then attempt to estimate its security using the framework published by Rückert and Schneider. However, Dilithium's design departs from common assumptions in several ways: for example, it uses the ℓ∞-norm rather than the ℓ2-norm, and its LWE assumption uses a uniform distribution, whereas the Gaussian distribution is more widely used in general. Besides proposing solutions to these issues, we modify Rückert and Schneider's original framework. In the original, the LWE problem is converted into an SIS problem; to account for the newer dual attacks, we instead convert LWE into an ISIS problem, so that the security estimate for LWE-type problems better reflects current developments.
Abstract (English): We introduce one of the 3rd round candidates of the NIST PQC Standardization: CRYSTALS-Dilithium, which has three underlying lattice problems: MLWE, MSIS, and SelfTargetMSIS. Then we try to estimate its security via Rückert and Schneider's framework. The Dilithium signature scheme is well designed in parameter choice, performance, and security. But there are many differences compared to common primitives. For example, Dilithium uses the ℓ∞-norm, while the ℓ2-norm is more common. This would lead to vector lengths beyond the ring size q. Besides, the error term in LWE is uniformly sampled, rather than Gaussian. We discuss how to deal with these troubles, improve the original framework, and modify its procedure when estimating LWE. While the original framework uses the dual attack to interpret LWE as SIS, we interpret it as the ISIS problem, which is more frequently applied in recent papers.
Table of contents:
Declaration of Authorship
Abstract
Acknowledgements
1 Introduction
  1.1 Contribution
2 Preliminaries
  2.1 Notations
  2.2 Lattices and Their Problems
  2.3 NTT Implementation
  2.4 Fiat-Shamir Heuristic
    2.4.1 Example: Ed25519
  2.5 Falcon
3 Dilithium Signature Scheme
  3.1 Basic Approach
  3.2 Key Size Compression
    3.2.1 Bit String Division
    3.2.2 Hint
  3.3 Complete Dilithium
  3.4 Security Analysis
    3.4.1 Mathematical Assumptions
    3.4.2 Security Models
    3.4.3 UF-CMA Security Sketch
    3.4.4 Security Bits
  3.5 Dilithium-QROM
4 Framework of Estimating the Average-case Lattice Problems
  4.1 Reductions
    4.1.1 SIS to HSVP
    4.1.2 LWE to SIS
  4.2 Lenstra's Heuristic
5 Application
  5.1 Procedure
    5.1.1 LWE to ISIS
  5.2 Conclusion
A Results