CRYSTALS-Dilithium: Lattice-Based PQC Signature

• CRYSTALS-Dilithium is a lattice-based signature scheme that secures digital communications by leveraging the hard M-LWE and M-SIS problems over polynomial rings.
• It employs efficient NTT-based polynomial arithmetic and hardware vectorization (AVX2/AVX-512) to achieve superior speed and scalability in cryptographic operations.
• The scheme supports multiple NIST-aligned parameter sets, balancing security and performance, and is deployed in high-demand sectors like telecommunications and cloud computing.

CRYSTALS-Dilithium is a lattice-based digital signature scheme selected by NIST as the principal post-quantum signature standard, leveraging the intractability of the Module Learning With Errors (M-LWE) and Module Short Integer Solution (M-SIS) problems defined over the polynomial ring $R_q = \mathbb{Z}_q[x]/(x^n+1)$, with $n = 256$ and $q = 8{,}380{,}417$. It is designed for strong security against both classical and quantum adversaries, with efficient polynomial arithmetic via the Number-Theoretic Transform (NTT). Its parameter sets map to NIST classical security levels 2, 3, and 5, aligning with the needs of practical cryptographic deployments and providing quantum-safe signatures for applications ranging from telecommunications to large-scale cloud systems (Demir et al., 17 Mar 2025, Shen et al., 2022).

1. Mathematical Structure and Algorithmic Workflow

Dilithium operates in the module lattice setting over $R_q$, where keys and signatures are tuples of polynomials with bounded coefficients. Key generation involves sampling small secrets $s_1 \in S_\eta^l$ and $s_2 \in S_\eta^k$ (typically, $\eta=2$ or 4) and constructing the public key $t = A s_1 + s_2$ for a public, hash-expanded matrix $A \in R_q^{k\times l}$. The keypair is rounded and partitioned into $(t_1, t_0)$, with $t_1$ retaining only the high bits for the published public key.

The signature protocol follows a “Fiat–Shamir with aborts” paradigm:

• The signer computes $z = y + c \cdot s_1$ for random $y \in S_{\gamma_1}^l$ and challenge $c$ derived by hashing the transcript.
• The signature tuple $(z, h, \widetilde{c})$ is only accepted if two rejection sampling norms, $\|z\|_\infty < \gamma_1 - \beta$ and $\|r_0\|_\infty < \gamma_2 - \beta$ (with $r_0 = \mathrm{LowBits}(w - c s_2, 2 \gamma_2)$), are satisfied.
• Verification reconstructs the challenge, checks the signature’s consistency, and ensures all norms and hint sizes remain below thresholds.

This structure ensures strong unforgeability under chosen-message attack (sEUF-CMA) within the quantum random oracle model, with all parameters precisely chosen to maintain small statistical gaps and tight security reductions (Jackson et al., 2023, Shen et al., 2022).

2. Security Foundations and Quantum Resistance

CRYSTALS-Dilithium bases security on the hardness of M-LWE, M-SIS, and the newly formalized SelfTargetMSIS, all over $R_q$ (Jackson et al., 2023). The recent quantum security analysis establishes a full reduction from MLWE to SelfTargetMSIS in the QROM, leveraging techniques such as quantum reprogramming/rewinding and ensuring that critical hash functions exhibit the collapsing property—a quantum analog of collision-resistance, essential for soundness in the Fiat–Shamir transform.

Concretely, the reduction achieves the following: if a quantum adversary makes $T$ oracle queries and forges signatures with advantage $\epsilon$, then a quantum MLWE or MSIS solver can be constructed with comparable running time and with success probability $\approx \epsilon^2/O(Q^4)$. The scheme remains unconditionally secure as long as M-LWE and M-SIS are quantum intractable, with exact security reductions provided for modulus values $q \equiv 1 \pmod{2n}$—directly relevant for fast NTT-based implementations. Recommended parameter sets provide Core-SVP security orders of magnitude beyond required NIST levels, albeit at the cost of increased key and signature sizes compared to earlier, less rigorously proved variants (Jackson et al., 2023).

3. Implementation Optimizations: Vectorization and Hardware Acceleration

Dilithium benefits from extensive hardware-aware optimization:

• Parallel Small Polynomial Multiplication with Tailored Early Evaluation (PSPM-TEE): This method exploits the low Hamming weight of challenges to pack multiple independent polynomial multiplications in large-radix accumulators, performing early norm checks to discard invalid signatures with minimal work. PSPM-TEE further accelerates signing by 3–6% beyond baseline PSPM (Zheng et al., 2023).
• Tailored Modular Reduction: For $|z|\leq 2^{40}$, a specialized reduction (based on right-shifts and a single subtraction) replaces Montgomery reduction, halving per-coefficient cycle costs on AVX-512IFMA (6 vs. 12 cycles).
• Full AVX2 and AVX-512 Vectorization: Core routines—the NTT, SHAKE-based sampling, rejection sampling, packing/unpacking—are fully vectorized. The NTT uses a 16$\times$32 lane zmm register representation, highly aligned memory accesses, and a carefully organized butterfly/shuffle structure to maximize memory throughput and minimize branching. Rejection sampling is vectorized via mask registers, compress-stores, and population count.
• Measured performance gains: AVX-512 implementations reduce keygen, sign, and verify cycle counts by 39–66% (depending on security level), outperforming AVX2 refcode by factors up to 1.7–2 for core multiplications (Zheng et al., 2023).

Memory trade-offs are modest: PSPM tables add 4–8 KiB (security-level dependent), and AVX-512 removes the need for 1 MiB precomputed tables. All hot paths are heavily branch-avoiding to retain constant-time properties.

4. Side-Channel and Fault Resistance

CRYSTALS-Dilithium’s resistance to practical side-channel and fault attacks is an active area of research:

• Signature Correction Attack: This attack utilizes single-bit faults in the secret key $s_1$—induced by Rowhammer or similar mechanisms—to recover significant portions of secret key bits by iteratively correcting faulty signatures through verification oracle calls. For example, 1,851 out of 3,072 secret key bits can be recovered in Dilithium-2, degrading lattice security from $2^{128}$ (quantum) to $2^{81}$ and from $2^{141}$ (classical) to $2^{89}$ (Islam et al., 2022). Remediation requires both hardware DRAM hardening (to thwart Rowhammer) and algorithmic measures such as “verify-after-sign” and spatial/temporal redundancy in signer implementations. Nonce randomization alone is insufficient; constant-time code is not a panacea against these active fault models.
• Electromagnetic Fault Injection (EMFI) and Bit-Slicing Countermeasures: Bit-sliced, dual-data–redundant NTT implementations detect the majority (≈62%) of exploitable arithmetic-topath faults in the NTT by comparing original and redundant slices after each step. On ARM Cortex-A9, this approach can prevent the leakage of faulty signatures under EMFI at the expense of significant performance overhead (up to $\approx50\times$ for signing), with ≈38% of exploitable faults (typically in control-flow/memory) remaining undetected unless further measures are added (Singh et al., 2022).

5. Hardware and Software Implementation Techniques

Dilithium is highly amenable to software and hardware acceleration:

• FPGA Architectures: Unified NTT cores compatible with both Kyber and Dilithium utilize radix-2 butterfly units and conflict-free memory mapping. Three main architectures (1, 2, or 4 Dilithium BFUs) trade area for latency, with the lowest-latency 4-BFU design processing eight coefficients per cycle. These unified architectures achieve better area-delay product and energy per multiplication than prior designs, and pipeline memory accesses to allow full utilization of FPGA BRAM resources without conflicts (Mandal et al., 2023).
• GPU Parallelism: Batch-oriented, warp-scheduled kernels for NVIDIA hardware achieve $>100\times$ speedups over single-threaded CPU/AVX2 implementations, with task-level memory pooling, dynamic scheduler logic, and explicit kernel fusion for high occupancy. Throughputs on A100 hardware reach $>0.5$ million signatures per second, with $\mu$s-level latency for signing and verification in real-world cryptosystem deployments (Shen et al., 2022).
• AVX2/AVX-512 Software Paths: On general-purpose CPUs, AVX2 and especially AVX-512 (with IFMA) provide 3–6$\times$ speedup for keygen, sign, and verify operations, making Dilithium signing faster than ECDSA at equivalent security, despite larger signature sizes (Demir et al., 17 Mar 2025).

6. Deployment Scenarios and Industrial Applications

CRYSTALS-Dilithium’s adoption in industry, especially telecommunications, demonstrates its practical viability:

• Telecom Integration: PQC-protected subscriber identity modules (USIM) and 5G network infrastructure already deploy Dilithium for signature and authentication purposes. AVX2-enabled network elements (e.g., AUSF, SEAF) report sub-millisecond end-to-end signature verification, supporting high-volume connection setups with low CPU overhead (Demir et al., 17 Mar 2025).
• Deployment Challenges: Signature size (2.4–4.6 kB) and key size (1.3–2.6 kB) are larger than ECDSA, which can challenge legacy infrastructure (e.g., some RAN elements reject $>$1 kB signatures). Hybrid modes (ECC+PQC), phased rollout from non-customer-facing segments, and dynamic crypto-agility are recommended strategies.
• Regulatory and Standardization Considerations: 3GPP and IETF continue to refine PQC cipher suite identifiers for 5G/6G, while operators coordinate firmware/hardware updates across the stack for future-proof integration.

7. Parameter Sets, Performance, and Scalability

Dilithium provides three NIST-aligned parameter sets: | Level | (k, l) | $\eta$ | $\tau$ | $\gamma_1$ | Public Key | Signature | Security | |---------------|--------|--------|--------|---------------|------------|-----------|-----------------| | Dilithium-2 | (4, 4) | 2 | 39 | $2^{17}$ | 1,312 B | 2,420 B | $\approx$128 b | | Dilithium-3 | (6, 5) | 4 | 49 | $2^{19}$ | 1,952 B | 3,293 B | $\approx$192 b | | Dilithium-5 | (8, 7) | 2 | 60 | $2^{19}$ | 2,592 B | 4,595 B | $\approx$256 b |

Execution times on modern CPUs for each operation are as follows (AVX2-optimized, ms): | Level | KeyGen | Sign | Verify | |----------------|--------|--------|--------| | Dilithium-2 | 0.026 | 0.077 | 0.028 | | Dilithium-3 | 0.045 | 0.120 | 0.045 | | Dilithium-5 | 0.070 | 0.144 | 0.071 |

Compared to classical ECDSA, Dilithium signing/verification is 1.7–1.8× faster at corresponding security levels (Demir et al., 17 Mar 2025, Shen et al., 2022). For large-batch deployments, GPU and AVX-512 implementations push signature throughput into the millions per second, with sub-10 µs amortized times per operation.

• (Zheng et al., 2023) Optimized Vectorization Implementation of CRYSTALS-Dilithium
• (Demir et al., 17 Mar 2025) Performance Analysis and Industry Deployment of Post-Quantum Cryptography Algorithms
• (Shen et al., 2022) High-Throughput GPU Implementation of Dilithium Post-Quantum Digital Signature
• (Mandal et al., 2023) KiD: A Hardware Design Framework Targeting Unified NTT Multiplication for CRYSTALS-Kyber and CRYSTALS-Dilithium on FPGA
• (Singh et al., 2022) An End-to-End Analysis of EMFI on Bit-sliced Post-Quantum Implementations
• (Islam et al., 2022) Signature Correction Attack on Dilithium Signature Scheme
• (Jackson et al., 2023) Evaluating the security of CRYSTALS-Dilithium in the quantum random oracle model