Abstract

The paper analyses the pseudorandom number generation processes in the Crystals-Dilithium post-quantum digital signature scheme, a finalist of the NIST post-quantum cryptography (PQC) competition. The main focus is the pseudorandom number generator based on the AES block cipher in counter mode. A formal model of this generator was built that meets the requirements of the latest version of the AIS 31 standard, which specifies requirements for secure pseudorandom number generators. The AES counter-mode generator is shown to satisfy the requirements of functional class DRG.3, provided that its initial value (seed) is obtained from a truly random number source (either a physical or a non-physical true random source) or from another pseudorandom number generator of security class not lower than DRG.3. In addition, the use of SHAKE128/256 for generating pseudorandom sequences in Crystals-Dilithium is analysed. Based on the results of the analysis, recommendations are given for the compilation parameters depending on the conditions of use. Namely, it is concluded that the AES-based generator is more exposed to side-channel attacks than the SHAKE-based one, from which it follows that the DILITHIUM_USE_AES flag is not recommended unless there are additional guarantees that the machine is protected against side-channel attacks. If the operating system's cryptographic API is trusted, the DILITHIUM_RANDOMIZED_SIGNING compilation flag is recommended. In systems with low trust in the operating system's cryptographic API, the variant with deterministic signature generation can be used instead.
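The two properties the abstract relies on, that all entropy of an AES counter-mode generator comes from its seed and that a DRG.3-class generator must keep a captured internal state from revealing earlier output (enhanced backward secrecy), are shown in the added Go example below. It is illustration code written for this page, not the paper's formal model and not the Dilithium reference implementation (whose aes256ctr code has its own key and nonce layout); the constant seed, the 128-bit big-endian counter, and the key/V update after each request (borrowed from the CTR_DRBG construction) are assumptions made here so the contrast between a static-key generator and an updating one can be run.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const (
	keyLen   = 32 // AES-256 key
	blockLen = 16 // AES block / counter block V
)

// drbg is a constructed AES-256 counter-mode generator: the internal state is
// a 32-byte key K and a 16-byte counter block V. Illustration only, not an
// SP 800-90A-conformant CTR_DRBG and not the Dilithium reference code.
type drbg struct {
	key [keyLen]byte
	v   [blockLen]byte
}

// newDRBG seeds the generator. The seed is where all entropy enters: it must
// come from a TRNG or from a generator of at least the same AIS 31 class.
func newDRBG(seed [keyLen]byte) *drbg {
	return &drbg{key: seed}
}

// incr / decr treat V as a 128-bit big-endian counter.
func incr(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		v[i]++
		if v[i] != 0 {
			return
		}
	}
}

func decr(v *[blockLen]byte) {
	for i := blockLen - 1; i >= 0; i-- {
		v[i]--
		if v[i] != 0xff {
			return
		}
	}
}

// keystream is plain AES-CTR: encrypt successive counter blocks under the
// current key. The key itself is not touched.
func (g *drbg) keystream(n int) []byte {
	c, err := aes.NewCipher(g.key[:])
	if err != nil {
		panic(err) // key length is fixed at 32 bytes, so this cannot fail
	}
	out := make([]byte, 0, n+blockLen)
	var blk [blockLen]byte
	for len(out) < n {
		c.Encrypt(blk[:], g.v[:])
		incr(&g.v)
		out = append(out, blk[:]...)
	}
	return out[:n]
}

// update overwrites K and V with fresh keystream. After it, the key that
// produced the previous output no longer exists anywhere in the state.
func (g *drbg) update() {
	ks := g.keystream(keyLen + blockLen)
	copy(g.key[:], ks[:keyLen])
	copy(g.v[:], ks[keyLen:])
}

// Generate returns n pseudorandom bytes, then updates the state.
func (g *drbg) Generate(n int) []byte {
	out := g.keystream(n)
	g.update()
	return out
}

// sameSeedSameOutput: two generators with the same seed emit identical bytes,
// so the seed source, not the cipher, decides the generator's security class.
func sameSeedSameOutput(seed [keyLen]byte, n int) bool {
	a, b := newDRBG(seed), newDRBG(seed)
	return bytes.Equal(a.Generate(n), b.Generate(n))
}

// staticKeyLeaksPast models a generator WITHOUT the update step. An attacker
// who captures (K, V) after a request simply rewinds the counter and
// recomputes the earlier output: no enhanced backward secrecy.
func staticKeyLeaksPast(seed [keyLen]byte) bool {
	g := newDRBG(seed)
	past := g.keystream(64) // four blocks, key unchanged
	atk := *g               // state captured after the request
	for i := 0; i < 4; i++ {
		decr(&atk.v)
	}
	return bytes.Equal(atk.keystream(64), past)
}

// updatedKeyHidesPast uses the update step. The captured state still predicts
// FUTURE output (expected for any DRBG between reseeds), but the rewound
// counter under the captured key yields bytes unrelated to the past output.
func updatedKeyHidesPast(seed [keyLen]byte) (futurePredicted, pastRecovered bool) {
	g := newDRBG(seed)
	past := g.Generate(64)
	captured := *g // attacker snapshots (K, V) after the first request
	future := g.Generate(64)

	atk := captured
	futurePredicted = bytes.Equal(atk.Generate(64), future)

	rw := captured
	for i := 0; i < 4; i++ {
		decr(&rw.v)
	}
	pastRecovered = bytes.Equal(rw.keystream(64), past)
	return
}

func main() {
	var seed [keyLen]byte
	for i := range seed {
		seed[i] = byte(i) // constructed seed; real use: TRNG output
	}
	fmt.Println("same seed, same output:", sameSeedSameOutput(seed, 100))
	fmt.Println("static key, past recovered:", staticKeyLeaksPast(seed))
	f, p := updatedKeyHidesPast(seed)
	fmt.Println("updated key: future predicted", f, "past recovered", p)
}
```

The static-key variant is exactly why a bare AES-CTR stream cannot be taken as DRG.3 on its own: the seed decides the class, but the state-update rule decides whether a later compromise also exposes earlier output.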
