CRYSTALS-Dilithium Digital Signature Algorithm
CRYSTALS-Dilithium is a lattice-based digital signature scheme whose security is based on the hardness of finding short vectors in lattices. The CRYSTALS-Dilithium Digital Signature Algorithm is a member of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. The strength of a CRYSTALS-Dilithium key is represented by the size of its matrix of polynomials. For example, CRYSTALS-Dilithium (6,5) has a matrix size of 6x5. The larger the matrix size, the stronger the key. CRYSTALS-Dilithium keys can only be used for Digital Signature Generation and Verification.
ICSF supports the CRYSTALS-Dilithium Signature Algorithm on both the PKCS#11 and CCA architectures. PKCS#11 CRYSTALS-Dilithium key operations can be performed in hardware or software. CRYSTALS-Dilithium key operations are supported on IBM z15 or later hardware with a CEX7S or later feature. There is no PKCS#11 C-API for CRYSTALS-Dilithium keys. The abbreviation LI2 is used to refer to CRYSTALS-Dilithium in character-restricted fields.
PKCS#11 callable services that support CRYSTALS-Dilithium key operations are:
- PKCS #11 Generate Key Pair (CSFPGKP and CSFPGKP6).
- PKCS #11 One-Way Hash, Sign, or Verify (CSFPOWH and CSFPOWH6).
- PKCS #11 Private Key Sign (CSFPPKS and CSFPPKS6).
- PKCS #11 Public Key Verify (CSFPPKV and CSFPPKV6).
- PKCS #11 Token Record Create (CSFPTRC and CSFPTRC6).
CCA callable services that support CRYSTALS-Dilithium key operations are:
- Digital Signature Generate (CSNDDSG and CSNFDSG).
- Digital Signature Verify (CSNDDSV and CSNFDSV).
- PKA Key Generate (CSNDPKG and CSNFPKG).
- PKA Key Import (CSNDPKI and CSNFPKI).
- PKA Key Token Build (CSNDPKB and CSNFPKB).
- PKA Key Token Change (CSNDKTC and CSNFKTC).
- PKA Key Translate (CSNDPKT and CSNFPKT).
- PKA Public Key Extract (CSNDPKX and CSNFPKX).
- PKDS Key Record Create (CSNDKRC and CSNFKRC).
- PKDS Key Record Delete (CSNDKRD and CSNFKRD).
- PKDS Key Record Read and PKDS Key Record Read2 (CSNDKRR or CSNDKRR2 and CSNFKRR or CSNFKRR2).
- PKDS Key Record Write (CSNDKRW and CSNFKRW).