Description
SQIsign is an isogeny-based signature scheme which has recently advanced to round 2 of NIST's call for additional post-quantum signatures. A central operation in SQIsign is lattice reduction of special full-rank lattices in dimension 4. As these input lattices are secret, this computation must be protected against side-channel attacks. However, known lattice reduction algorithms like the famous LLL algorithm are not naturally constant-time.
This talk presents a new, constant-time lattice reduction algorithm, developed in collaboration with Ottó Hanyecz, Alexander Karenin, Elena Kirshanova and Péter Kutas. We first give a short introduction to SQIsign without detailing its inner workings. Then, we analyze different existing lattice reduction algorithms, and present our constant-time version, which is based on the BKZ-2 algorithm. Finally, we explain some implementation choices and discuss the performance using two sets of parameters: one for provable guarantees on its output, and one for speed with a reasonable success rate.
Eprint: https://eprint.iacr.org/2025/027