CRYSTALS-Dilithium Digital Signature Algorithm

CRYSTALS-Dilithium is a lattice-based digital signature scheme whose security is based on the hardness of finding short vectors in lattices. The CRYSTALS-Dilithium Digital Signature Algorithm is a member of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. The strength of a CRYSTALS-Dilithium key is represented by the size of its matrix of polynomials. For example, CRYSTALS-Dilithium (6,5) has a matrix size of 6x5. The larger the matrix size, the stronger the key. CRYSTALS-Dilithium keys can only be used for Digital Signature Generation and Verification.

ICSF supports the CRYSTALS-Dilithium Signature Algorithm on both the PKCS#11 and CCA architectures. PKCS#11 CRYSTALS-Dilithium key operations can be performed in hardware or software. CRYSTALS-Dilithium key operations are supported on the IBM z15 or later hardware with a CEX7S or later feature. There is no PKCS#11 C-API for CRYSTALS-Dilithium keys. The abbreviation LI2 is used to refer to CRYSTALS-Dilithium in character-restricted fields.

PKCS#11 callable services that support CRYSTALS-Dilithium key operations are:

  • PKCS #11 Generate Key Pair (CSFPGKP and CSFPGKP6).
  • PKCS #11 One-Way Hash, Sign, or Verify (CSFPOWH and CSFPOWH6).
  • PKCS #11 Private Key Sign (CSFPPKS and CSFPPKS6).
  • PKCS #11 Public Key Verify (CSFPPKV and CSFPPKV6).
  • PKCS #11 Token Record Create (CSFPTRC and CSFPTRC6).

CCA callable services that support CRYSTALS-Dilithium key operations are:

  • Digital Signature Generate (CSNDDSG and CSNFDSG).
  • Digital Signature Verify (CSNDDSV and CSNFDSV).
  • PKA Key Generate (CSNDPKG and CSNFPKG).
  • PKA Key Import (CSNDPKI and CSNFPKI).
  • PKA Key Token Build (CSNDPKB and CSNFPKB).
  • PKA Key Token Change (CSNDKTC and CSNFKTC).
  • PKA Key Translate (CSNDPKT and CSNFPKT).
  • PKA Public Key Extract (CSNDPKX and CSNFPKX).
  • PKDS Key Record Create (CSNDKRC and CSNFKRC).
  • PKDS Key Record Delete (CSNDKRD and CSNFKRD).
  • PKDS Key Record Read and PKDS Key Record Read2 (CSNDKRR or CSNDKRR2 and CSNFKRR or CSNFKRR2).
  • PKDS Key Record Write (CSNDKRW and CSNFKRW).