International Association for Cryptologic Research


CryptoDB

Finding a polytope: A practical fault attack against Dilithium

Authors:
Paco Azevedo Oliveira, Laboratoire de Mathématiques de Versailles
Andersson Calle Viera, Sorbonne Université, LIP6
Benoît Cogliati, Thales DIS
Louis Goubin, Laboratoire de Mathématiques de Versailles
Conference: PKC 2025
Abstract: In Dilithium, the rejection sampling step is crucial for the proofs of security and correctness of the scheme. However, to our knowledge, no attack in the literature takes advantage of an attacker learning rejected signatures. The aim of this paper is to build a practical black-box attack against Dilithium with weakened rejection sampling. We show that an adversary with enough rejected signatures can recover Dilithium's secret key in less than half an hour on a desktop computer. One application of this result: by physically preventing one of the rejection sampling tests from happening, we obtain two fault attacks against Dilithium.
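The abstract's point, that accepted signatures are safe to release while rejected ones are not, can be seen on a toy version of the signing loop. The script below is an added illustration, not the paper's code, and it does not implement the authors' polytope-finding method (the page does not describe it). It models only the ||z||_inf test of Dilithium's signing loop, with assumed miniature parameters (N = 8, ETA = 1, TAU = 3, GAMMA1 = 16, which are nothing like Dilithium's real ones) so that the whole secret space can be enumerated. For every released (c, z), the fact that y_i lies in [-GAMMA1+1, GAMMA1] gives two linear inequalities on (c*s)_i per coordinate; the intersection of those half-spaces over many signatures is a polytope containing the secret. The code checks that inequalities from accepted signatures never shrink the prior box, while inequalities from rejected signatures alone shrink it to the single true secret.

```python
"""Toy model of Dilithium's ||z||_inf rejection test and what rejected signatures leak.

Added example, not the paper's code. Only the z-norm test is modelled (Dilithium's
second test on the low bits of w - c*s2 is omitted). All parameters are assumed toy
values chosen so that the secret space can be brute-forced; they are not Dilithium's.
"""
import itertools
import random

N = 8        # ring degree of Z[x]/(x^N + 1)   (Dilithium: 256)
ETA = 1      # secret coefficients lie in [-ETA, ETA]
TAU = 3      # number of +-1 coefficients in the challenge c
BETA = TAU * ETA   # ||c*s||_inf <= BETA
GAMMA1 = 16  # masking range: y_i uniform in [-GAMMA1+1, GAMMA1]


def sparse_mul(c, s):
    """Negacyclic product c*s in Z[x]/(x^N + 1); c is a list of (position, sign)."""
    out = [0] * N
    for pos, sgn in c:
        for j, sj in enumerate(s):
            k = j + pos
            if k >= N:
                out[k - N] -= sgn * sj   # x^N = -1 wraps around with a sign flip
            else:
                out[k] += sgn * sj
    return out


def keygen(rng):
    return [rng.randint(-ETA, ETA) for _ in range(N)]


def challenge(rng):
    return [(p, rng.choice((-1, 1))) for p in rng.sample(range(N), TAU)]


def sign_attempt(s, rng):
    """One iteration of the signing loop. Returns (c, z, accepted).
    Dilithium rejects when ||z||_inf >= GAMMA1 - BETA."""
    y = [rng.randint(-GAMMA1 + 1, GAMMA1) for _ in range(N)]
    c = challenge(rng)
    z = [yi + ci for yi, ci in zip(y, sparse_mul(c, s))]
    accepted = max(abs(zi) for zi in z) < GAMMA1 - BETA
    return c, z, accepted


def consistent(cand, c, z):
    """Does the candidate secret satisfy the inequalities implied by (c, z)?
    Since (c*s)_i = z_i - y_i and y_i is in [-GAMMA1+1, GAMMA1]:
        z_i - GAMMA1 <= (c*s)_i <= z_i + GAMMA1 - 1   for every i.
    Each signature contributes 2N half-spaces; their intersection is a polytope in s."""
    cs = sparse_mul(c, cand)
    return all(zi - GAMMA1 <= csi <= zi + GAMMA1 - 1 for zi, csi in zip(z, cs))


def all_candidates():
    return [list(t) for t in itertools.product(range(-ETA, ETA + 1), repeat=N)]


def recover_from_rejections(s, rng, max_attempts=3000):
    """Feed only REJECTED (c, z) pairs to the polytope filter (brute force over the
    prior box). Returns (surviving candidates, number of rejected signatures used)."""
    survivors = all_candidates()
    used = 0
    for _ in range(max_attempts):
        c, z, accepted = sign_attempt(s, rng)
        if accepted:
            continue
        used += 1
        survivors = [cand for cand in survivors if consistent(cand, c, z)]
        if len(survivors) == 1:
            break
    return survivors, used


def accepted_signatures_leak_nothing(s, rng, n_sigs=10):
    """For ACCEPTED signatures |z_i| <= GAMMA1-BETA-1, so both bounds on (c*s)_i lie
    outside [-BETA, BETA]: no candidate in the prior box is ever eliminated."""
    cands = all_candidates()
    seen = 0
    while seen < n_sigs:
        c, z, accepted = sign_attempt(s, rng)
        if not accepted:
            continue
        seen += 1
        if not all(consistent(cand, c, z) for cand in cands):
            return False
    return True


def demo(seed=1):
    rng = random.Random(seed)
    s = keygen(rng)
    survivors, used = recover_from_rejections(s, rng)
    return s, survivors, used


def zk_check(seed=2):
    rng = random.Random(seed)
    return accepted_signatures_leak_nothing(keygen(rng), rng)


if __name__ == "__main__":
    s, survivors, used = demo()
    print("secret   :", s)
    print("recovered:", survivors, "from", used, "rejected signatures")
    print("accepted signatures cut the prior box:", not zk_check())
```

The brute-force filter is only there to make the polytope visible; at real parameters the secret space cannot be enumerated, which is why the paper needs an actual polytope-finding method. The check in `accepted_signatures_leak_nothing` is the rejection-sampling argument in miniature: after the norm test, every bound the adversary can derive is already implied by ||s||_inf <= ETA.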
BibTeX
@inproceedings{pkc-2025-35163,
  title={Finding a polytope: A practical fault attack against Dilithium},
  booktitle={Public-Key Cryptography -- PKC 2025},
  publisher={Springer-Verlag},
  author={Paco Azevedo Oliveira and Andersson Calle Viera and Benoît Cogliati and Louis Goubin},
  year={2025}
}