CN-121986461-A - Method for protecting the execution of a verification of a CRYSTALS-DILITHIUM post-quantum signature against fault attacks
Abstract
The invention relates to a method for protecting the execution of a verification of a CRYSTALS-Dilithium post-quantum digital signature σ of a message M against fault attacks. The signature comprises a challenge seed, a test vector z and a polynomial hint vector h, and is generated with a secret key sk = (ρ, K, tr, s1, s2, t0). The signature verification takes as input the digital signature σ, the message M and a public key pk = (ρ, t1), and comprises the step of ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not lead to accepting a forged signature, where P1: c·t1·2^d = 0, P2: , and P3: .
Inventors
- A. Belzati
- A. Kalevieira
- D. Vigilant
Assignees
- Thales DIS France SAS
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2024-11-06
- Priority Date
- 2023-11-09
Claims (14)
- 1. A method for protecting the execution of a verification of a CRYSTALS-Dilithium post-quantum digital signature σ of a message M against fault attacks, said signature comprising a challenge seed, a test vector z and a polynomial hint vector h, and being generated using a secret key sk = (ρ, K, tr, s1, s2, t0), wherein: the key values ρ and K are 256-bit binary values; s1 and s2 are secret vectors of length l and length k, respectively, of elements of Z_q[X]/(X^n + 1) whose coefficients are below a first predetermined value η, where k, l, q and n are positive integers greater than zero; t0 is a polynomial vector of length k equal to the centered reduction modulo 2^d of the polynomial vector t (taken modulo q), where d is an integer and t = A·s1 + s2, A being a matrix of size k × l whose elements are polynomials of Z_q[X]/(X^n + 1) generated from the key value ρ using the extendable-output function ExpandA; and tr is a hash of the key value ρ and t1, where t1 = (t − t0)/2^d. The CRYSTALS-Dilithium signature verification takes as input the digital signature σ, the message M and a public key pk = (ρ, t1), and comprises: a) generating said matrix A; b) generating a value μ from the public key values ρ and t1 and from the message M using a hash function; c) generating a challenge c from the challenge seed of the digital signature σ using the SampleInBall function; d) generating a polynomial vector w1' using the UseHint_q function, which uses the hint vector h of the digital signature to recover the high-order bits of Az − ct from the result of subtracting an intermediate value c·t1·2^d from the value Az, w1' = UseHint_q(h, Az − c·t1·2^d, 2γ2), where γ2 is a determined parameter; e) testing whether the digital signature (challenge seed, z, h) satisfies predetermined conditions, comprising: checking whether the absolute value of the centered reduction modulo q of each coefficient of each polynomial of the test vector z of the digital signature is below γ1 − β, where γ1 and β are determined parameters; checking whether the challenge seed of the digital signature is equal to the hash of the value μ concatenated with the polynomial vector w1'; checking whether the number of 1's in the polynomial vector h of the digital signature is smaller than a predetermined integer; and rejecting the digital signature when at least one of the conditions is not met, otherwise accepting the signature. The method is performed by a cryptographic device (100) comprising a processor (101) and a memory (103), wherein said verification of said signature further comprises the step of ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not lead to accepting a forged signature, wherein: P1: c·t1·2^d = 0, P2: , and P3: .
- 2. The method of claim 1, wherein ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not result in accepting a forged signature comprises detecting that the fault attack has occurred and rejecting the digital signature.
- 3. The method of claim 2, wherein detecting that the fault attack has occurred comprises checking the distribution of the intermediate values c·t1·2^d before generating the polynomial vector w1'.
- 4. The method of claim 2 or 3, wherein detecting that the fault attack has occurred comprises verifying the correctness of the value d before generating the polynomial vector w1'.
- 5. The method of claim 4, wherein verifying the correctness of the value d comprises checking whether it is equal to 1 modulo q.
- 6. The method of any of claims 2 to 5, wherein detecting that the fault attack has occurred comprises checking whether the infinity norm of the intermediate value c·t1·2^d is higher than the determined parameter γ2 before generating the polynomial vector w1'.
- 7. The method of any of claims 2 to 6, wherein detecting that the fault attack has occurred comprises comparing the high-order bits of the vector Az with UseHint_q(h, Az − c·t1·2^d, 2γ2).
- 8. The method of claim 7, wherein generating the polynomial vector w1' using the UseHint_q function comprises: generating a first temporary value temp1 equal to said vector Az; generating a second temporary value temp2 = HighBits_q(temp1, 2γ2) using a HighBits_q function that recovers the high-order bits of the first temporary value; and generating the polynomial vector w1' using the UseHint_q function, which uses the hint vector h of the digital signature to recover the high-order bits of Az − ct from the result of subtracting the intermediate value c·t1·2^d from the first temporary value, w1' = UseHint_q(h, temp1 − c·t1·2^d, 2γ2); and wherein comparing the high-order bits of the vector Az with UseHint_q(h, Az − c·t1·2^d, 2γ2) comprises checking whether the generated polynomial vector w1' is equal to the generated second temporary value temp2.
- 9. The method of claim 1, wherein ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not result in accepting a forged signature comprises the step of ensuring that UseHint_q(h, Az − c·t1·2^d, 2γ2) is not equal to HighBits_q(Az, 2γ2) when the fault attack occurs.
- 10. The method of claim 9, wherein ensuring that UseHint_q(h, Az − c·t1·2^d, 2γ2) is not equal to HighBits_q(Az, 2γ2) when the fault attack occurs comprises setting d1 > 3 and d2 > 3 such that d = d1 + d2 and, in the step of generating the polynomial vector w1', computing the intermediate value c·t1·2^d by first computing c·t1·2^d1 and then multiplying the result by 2^d2, where ^ denotes exponentiation.
- 11. The method of claim 9, wherein ensuring that UseHint_q(h, Az − c·t1·2^d, 2γ2) is not equal to HighBits_q(Az, 2γ2) when the fault attack occurs comprises, in the step of generating the polynomial vector w1', computing by generating a second test vector and computing .
- 12. The method of any one of claims 1 to 11, wherein n = 256 and q = 2^23 − 2^13 + 1.
- 13. A computer program product directly loadable into the memory of at least one computer, comprising software code instructions for performing the steps of any of claims 1 to 12 when the product is run on the computer.
- 14. A cryptographic device (100) comprising a processor (101) and a memory (103) configured to perform the steps of any of claims 1 to 12.
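Verification step d) together with the checks of claims 6 and 7, as an added coefficient-level example in Python (not code from the patent or from Thales). It assumes the Dilithium2 parameter set for q, d, γ2 and τ, models a single polynomial of the length-k vector, and uses randomly constructed stand-ins for Az and t1 rather than real key material. The Decompose, HighBits, MakeHint and UseHint helpers follow the FIPS 204 definitions; sample_challenge only mimics the shape of a SampleInBall output, and step_d_protected is a hypothetical name for the protected step. The first modelled fault is the condition P1 of the abstract (the term c·t1·2^d zeroed); the second, the factor 2^d degraded to 1, is an assumption based on the modulo-q check of claim 5.

```python
"""Added example (not the patent's or Thales' code): coefficient-level model of
verifier step d), w1' = UseHint_q(h, Az - c*t1*2^d, 2*gamma2), plus the fault
checks of claims 6 and 7. Assumes Dilithium2 parameters and one polynomial."""
import random

Q = 2**23 - 2**13 + 1        # 8380417, the modulus of claim 12
N = 256
D = 13
TAU = 39                     # +-1 entries in the challenge c (Dilithium2)
GAMMA2 = (Q - 1) // 88       # 95232 (Dilithium2)
ALPHA = 2 * GAMMA2           # the "2*gamma2" argument of UseHint_q / HighBits_q

def mod_pm(r, m):
    """Centred reduction r mod+- m, result in (-m/2, m/2]."""
    r %= m
    return r - m if r > m // 2 else r

def decompose(r):
    """FIPS 204 Decompose: r = r1*ALPHA + r0, with the q-1 corner case."""
    r %= Q
    r0 = mod_pm(r, ALPHA)
    if r - r0 == Q - 1:
        return 0, r0 - 1
    return (r - r0) // ALPHA, r0

def highbits(r): return decompose(r)[0]

def make_hint(z, r):
    """Signer-side helper: 1 iff adding z to r changes the high bits."""
    return int(highbits(r) != highbits(r + z))

def use_hint(h, r):
    """UseHint_q: recover HighBits(r + z) from r and the hint bit alone."""
    m = (Q - 1) // ALPHA
    r1, r0 = decompose(r)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

def poly_mul(a, b):
    """Schoolbook product in Z_q[X]/(X^N + 1)."""
    acc = [0] * (2 * N)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                acc[i + j] += ai * bj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]

def inf_norm(v): return max(abs(mod_pm(x, Q)) for x in v)

def sample_challenge(rng):
    """Only the shape of a SampleInBall output: TAU coefficients in {-1, +1}."""
    c = [0] * N
    for i in rng.sample(range(N), TAU):
        c[i] = rng.choice((-1, 1))
    return c

def step_d_unprotected(az, ct1_2d, h):
    """w1' = UseHint_q(h, Az - c*t1*2^d, 2*gamma2), coefficient by coefficient."""
    return [use_hint(h[i], (az[i] - ct1_2d[i]) % Q) for i in range(N)]

def term_norm_ok(ct1_2d):
    """Claim 6: a genuine c*t1*2^d has infinity norm far above gamma2."""
    return inf_norm(ct1_2d) > GAMMA2

def w1_depends_on_c(az, w1p):
    """Claims 7/8: w1' == HighBits_q(Az) means the subtraction was skipped."""
    return w1p != [highbits(x) for x in az]

def step_d_protected(az, c, t1, h, shift=2**D):
    """Hypothetical protected step d): both checks, then (w1', accepted).
    `shift` stands for 2^d; the demo passes a corrupted value to model a fault."""
    ct1_2d = [(x * shift) % Q for x in poly_mul(c, t1)]
    if not term_norm_ok(ct1_2d):
        return None, False
    w1p = step_d_unprotected(az, ct1_2d, h)
    if not w1_depends_on_c(az, w1p):
        return None, False
    return w1p, True

def demo(seed=1):
    rng = random.Random(seed)
    az = [rng.randrange(Q) for _ in range(N)]            # constructed stand-in for Az
    t1 = [rng.randrange(2**10) for _ in range(N)]        # t1 coefficients fit in 10 bits
    c = sample_challenge(rng)
    ct1_2d = [(x << D) % Q for x in poly_mul(c, t1)]
    r = [(az[i] - ct1_2d[i]) % Q for i in range(N)]
    # Honest signer: the hint absorbs a small term z0 (stand-in for -c*t0), |z0| < gamma2.
    z0 = [rng.randrange(-GAMMA2 + 1, GAMMA2) for _ in range(N)]
    h = [make_hint(z0[i], r[i]) for i in range(N)]
    w1_signer = [highbits(r[i] + z0[i]) for i in range(N)]
    w1p, honest_ok = step_d_protected(az, c, t1, h)
    # Fault P1 of the abstract: c*t1*2^d zeroed. With h = 0 the unprotected
    # verifier recovers HighBits_q(Az), computable from public data alone.
    forged = step_d_unprotected(az, [0] * N, [0] * N)
    _, p1_ok = step_d_protected(az, c, t1, [0] * N, shift=0)
    # Assumed second fault: 2^d degraded to 1, leaving |c*t1| <= TAU*(2^10-1) < gamma2.
    _, s1_ok = step_d_protected(az, c, t1, h, shift=1)
    return {
        "honest_matches_signer": honest_ok and w1p == w1_signer,
        "fault_p1_fools_unprotected": forged == [highbits(x) for x in az],
        "fault_p1_rejected": not p1_ok,
        "fault_shift1_rejected": not s1_ok,
    }
```

Running demo() shows why the two checks cost an honest verification nothing: a genuine c·t1·2^d is essentially uniform modulo q, so its infinity norm exceeds γ2 and w1' differs from HighBits_q(Az) with overwhelming probability, while the zeroed term fails both checks and the degraded shift fails the norm check.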
Description
Method for protecting the execution of a verification of a CRYSTALS-DILITHIUM post-quantum signature against fault attacks
Technical Field
The present invention relates to the field of cryptographic schemes and associated cryptographic devices, and more particularly to improvements to the lattice-based signature scheme Dilithium.
Background
The increasing computational power of quantum computers is a growing threat to the security of classical cryptographic schemes such as RSA or ECDSA: such schemes would ultimately be completely broken by attacks performed using a quantum computer. Accordingly, work is being done to develop new efficient schemes that resist such attacks. Lattice-based schemes are believed to resist quantum computer attacks. Among such schemes, Dilithium and Kyber have been selected by NIST as post-quantum cryptography standards for digital signatures and key encapsulation, respectively. As with any other public-key cryptographic scheme, Dilithium includes a verification algorithm that enables the public key to be used to verify that the signature of a message was produced by the owner of the corresponding secret key. However, the verification algorithm may be susceptible to fault attacks. Accordingly, improvements to the Dilithium algorithm are needed that enable detection of fault attacks during execution of the signature verification process, or that enable the signature verification algorithm to reject forged signatures even when an attacker performs fault attacks during its execution.
Disclosure of Invention
To this end, and according to a first aspect, the invention relates to a method for protecting against fault attacks the execution of the verification of a CRYSTALS-Dilithium post-quantum digital signature σ of a message M, the signature comprising a challenge seed, a test vector z and a polynomial hint vector h, and being generated with a secret key sk = (ρ, K, tr, s1, s2, t0), wherein: the key values ρ and K are 256-bit binary values; s1 and s2 are secret vectors of length l and length k, respectively, of elements of Z_q[X]/(X^n + 1) whose coefficients are below a first predetermined value η, where k, l, q and n are positive integers greater than zero; t0 is a polynomial vector of length k equal to the centered reduction modulo 2^d of the polynomial vector t (taken modulo q), where d is an integer and t = A·s1 + s2, A being a matrix of size k × l whose elements are polynomials of Z_q[X]/(X^n + 1) generated from the key value ρ using the extendable-output function ExpandA; and tr is a hash of the key value ρ and t1, where t1 = (t − t0)/2^d. The CRYSTALS-Dilithium signature verification takes as input the digital signature σ, the message M and a public key pk = (ρ, t1), and comprises: a) generating said matrix A; b) generating a value μ from the public key values ρ and t1 and from the message M using a hash function; c) generating a challenge c from the challenge seed of the digital signature σ using the SampleInBall function; d) generating a polynomial vector w1' using the UseHint_q function, which uses said hint vector h of the digital signature to recover the high-order bits of Az − ct from the result of subtracting an intermediate value c·t1·2^d from the value Az, w1' = UseHint_q(h, Az − c·t1·2^d, 2γ2), where γ2 is a determined parameter; e) testing whether the digital signature (challenge seed, z, h) satisfies predetermined conditions, comprising: checking whether the absolute value of the centered reduction modulo q of each coefficient of each polynomial of the test vector z of the digital signature is lower than γ1 − β, where γ1 and β are determined parameters; checking whether the challenge seed of the digital signature is equal to the hash of the value μ concatenated with the polynomial vector w1'; checking whether the number of 1's in the polynomial vector h of the digital signature is smaller than a predetermined integer; and rejecting the digital signature when at least one of the conditions is not met, otherwise accepting the signature. The method is performed by a cryptographic device (100) comprising a processor (101) and a memory (103), wherein said verification of the signature further comprises the step of ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not lead to accepting a forged signature, wherein: P1: c·t1·2^d = 0, P2: , and P3: .
Such a method prevents a successful fault attack on the computation of the polynomial vector w1' (one that makes any of the conditions P1, P2 or P3 hold) from causing the CRYSTALS-Dilithium signature verification process to accept a forged signature. As a first example, ensuring that a fault attack aimed at making one of the conditions P1, P2 and P3 hold does not result in accepting a forged signature may comprise detecting that the fault attack has occurred and rejecting the digital signature. In so doing, even if a successful fault