Add Dilithium Documentation #13
Done with this first review. After the changes have been applied/reviewed, it can be merged and I'll revisit the hint generation in the next few weeks separately.
|
||
**Polynomial Operations** | ||
|
||
Operations between polynomials, polynomial vectors, and polynomial matrices are provided in ``src/lib/pubkey/dilithium/dilithium_common/dilithium_polynomials.h``, including NTT, multiplication, and Montgomery reduction. |
(Sorry for asking off-topic questions again) Question: why is there not a shared codebase for Kyber and Dilithium?
Applied the suggestions (except for off-topic comment and the one referring to #71)
cryptodoc/src/08_signatures.rst
In order to take care of this, Dilithium computes a "hint". | ||
The corresponding simple algorithm is :math:`\mathsf{MakeHint}_q` specified in Figure 3 of [Dilithium-R3]_. | ||
|
||
To see that Botan's hint computation on inputs ``(w0 - c*s2 + c*t0, w1)`` is equivalent to the specification of [Dilithium-R3]_, we look at the hint creation in Figure 3, L. 23 of [Dilithium-R3]_. |
But now I think we need to mention here that Botan's implementation differs from Figure 3 in the spec and mention the Dilithium reference implementation as well.
Done in 5382773
Good job! I think the reduction of in-text source references creates a much more fluent and readable text.
cryptodoc/src/08_signatures.rst
Dilithium uses a simple technique to reduce the size of the public key. | ||
Given the public matrix :math:`A` and :math:`t = As_1 + s_2`, the public key only contains the "low order" bits of :math:`t`. | ||
However, when computing with :math:`t`, a carry can occur, influencing the high order bits. | ||
In order to take care of this, Dilithium computes a "hint". |
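Review bot: the second sentence says the public key only contains the "low order" bits of :math:`t`, which is the wrong half. The public key carries the high-order part :math:`t_1`, and the hint exists because the low-order part :math:`t_0` is not available to the verifier. Suggest changing "low order" to "high-order" and naming :math:`t_1` and :math:`t_0` explicitly, so that the following sentence about carries into the high-order bits has something to refer to.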
Dilithium uses a simple technique to reduce the size of the public key. | |
Given the public matrix :math:`A` and :math:`t = As_1 + s_2`, the public key only contains the "low order" bits of :math:`t`. | |
However, when computing with :math:`t`, a carry can occur, influencing the high order bits. | |
In order to take care of this, Dilithium computes a "hint". | |
Dilithium uses a simple technique to reduce the size of the public key. | |
Given the public matrix :math:`A` and :math:`t = As_1 + s_2`, the public key only contains the "high-order" bits t_1 of :math:`t`. When computing the high bits of the sum Az-ct within the verification algorithm, t_1 and a hint vector h is sufficient. This hint vector contains the carry bits describing how the lower bits t_0 of t affect the high bits of the computed sum. |
IMO the current description is a little bit unclear. My description is also not very clean, though. Maybe we just want to write something like: "Section 2.4 of [Dilithium-R3]_ describes Dilithium's public key compression using 1-bit hints."
I think your description is nice, I may just polish it a bit.
Polished in e9acce5. The intro is now a bit more detailed, but so is the section.
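The hint mechanism discussed in this review thread, as an added Python example that is not part of the pull request or of Botan's code: Decompose, MakeHint and UseHint written after Figure 3 of [Dilithium-R3]_, assuming the Dilithium2 parameter :math:`\gamma_2 = (q-1)/88`. The function ``make_hint_split`` is modelled on the two-argument ``make_hint()`` of the Dilithium reference implementation, and ``check`` (a hypothetical helper) compares both forms on constructed random inputs.

```python
# Added illustration after Figure 3 of the Dilithium round 3 spec; not Botan's code.
import random

Q = 8380417              # Dilithium modulus q
GAMMA2 = (Q - 1) // 88   # gamma_2 of Dilithium2 (assumed parameter set)
ALPHA = 2 * GAMMA2       # rounding step alpha = 2 * gamma_2

def decompose(r, alpha=ALPHA):
    """Split r into (r1, r0): r = r1*alpha + r0 mod q, r0 in (-alpha/2, alpha/2]."""
    r %= Q
    r0 = r % alpha
    if r0 > alpha // 2:          # centered remainder
        r0 -= alpha
    if r - r0 == Q - 1:          # wrap-around: top bucket folds into bucket 0
        return 0, r0 - 1
    return (r - r0) // alpha, r0

def high_bits(r, alpha=ALPHA):
    return decompose(r, alpha)[0]

def make_hint(z, r, alpha=ALPHA):
    """1 iff adding z to r changes the high bits of r."""
    return int(high_bits(r, alpha) != high_bits(r + z, alpha))

def use_hint(h, r, alpha=ALPHA):
    """Recover HighBits(r + z) from r and the 1-bit hint alone."""
    m = (Q - 1) // alpha
    r1, r0 = decompose(r, alpha)
    if h == 0:
        return r1
    return (r1 + 1) % m if r0 > 0 else (r1 - 1) % m

def make_hint_split(a0, a1, gamma2=GAMMA2):
    """Two-argument form modelled on the reference implementation's make_hint():
    a0 is the adjusted low part, a1 the high bits it was split from."""
    return int(a0 > gamma2 or a0 < -gamma2 or (a0 == -gamma2 and a1 != 0))

def check(trials=20000, seed=1):
    """Run both checks on constructed random inputs; return the mismatch count."""
    rng, bad = random.Random(seed), 0
    for _ in range(trials):
        r, z = rng.randrange(Q), rng.randint(-GAMMA2, GAMMA2)
        bad += use_hint(make_hint(z, r), r) != high_bits(r + z)
        a1, a0 = rng.randrange((Q - 1) // ALPHA), rng.randint(1 - ALPHA, ALPHA - 1)
        bad += make_hint_split(a0, a1) != int(high_bits(a1 * ALPHA + a0) != a1)
    return bad
```

A return value of 0 from ``check()`` means the hint always recovered the high bits of the sum for :math:`|z| \le \gamma_2`, and the split form agreed with the specification form for every low part of absolute value below :math:`2\gamma_2`.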
Changes were addressed. Dismiss to unblock. Feel free to open a ticket if further changes are required.
Co-Authored-By: Fabian Albert <[email protected]>
Solved conflicts, rebased and squashed. Waiting for CI, then @FAlbertDev may merge.