The DyLWE (Dynamic Learning With Rounding) state core is PhoenixSig’s deterministic state evolution engine. It maintains and advances the internal system state with each cryptographic operation, providing forward secrecy without depending on external randomness.
This document covers the mathematical foundation, state representation, evolution mechanics, and security properties of DyLWE.
DyLWE operates over a lattice structure with parameters aligned with NIST post-quantum security levels, chosen so that the underlying problem is believed hard for quantum as well as classical attackers. The construction is designed to compute efficiently on constrained devices while keeping its security argument tied to the hardness of that lattice problem; the concrete parameters are not published on this page.
Instead of adding sampled random noise (as in Learning With Errors), DyLWE uses deterministic rounding (the Learning With Rounding approach), so that:
The key advantage for PhoenixSig: this approach lets us build a one-way state evolution function without any external random number generator.
Each device maintains a compact internal state (a few KB) that tracks its position in a one-way cryptographic trajectory. The state includes an evolution seed, a monotonic epoch identifier, a per-epoch operation counter, and a security state indicator. The epoch and counter provide strict ordering, while the security flag controls signing policy during quarantine.
The state evolution function takes the current state, a context derived from the operation parameters, and the device's hardware-anchored VaultKey. It produces a new state through a sequence of lattice operations that is:
After computing the new state, the previous state must be securely erased (zeroed) from memory. This is what makes forward secrecy real: the one-wayness of the math is necessary but not sufficient; the old state must actually cease to exist. In practice that means the overwrite must use a primitive the compiler cannot elide (memset_s, explicit_bzero, or an equivalent volatile write), and it must cover every copy of the old state, including temporaries created during the evolution itself.
Given the current state, even together with the VaultKey, recovering any previous state requires inverting the evolution, which reduces to solving a hard lattice problem. With appropriately chosen parameters this is believed to be intractable for both classical and quantum adversaries.
Small differences in input (for example, different messages) produce large, uncorrelated differences in the output state. The per-operation keys within an epoch are therefore not usefully related to one another: an attacker who observes one signing operation gains no handle on the keys used for other operations in the same epoch.
DyLWE evolution is deterministic. If an attacker captures the full device state along with the VaultKey, they can compute all future states. Forward secrecy protects the past, but the future is exposed.
Post-compromise security (PCS) requires breaking the attacker's ability to predict future states. This is achieved by Phoenix injection: rotating the VaultKey with entropy the attacker cannot access, so that the attacker's copy of the state no longer evolves in step with the device's. See Phoenix Injection & PCS.
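The state layout, the evolve-then-erase step, and the difference between forward secrecy (the past is protected) and full-state capture (the future is exposed until a Phoenix injection) from the paragraphs above, as an added example that is not PhoenixSig code. The proprietary lattice evolution function is replaced by an HMAC-SHA256 stand-in; the context derivation, the `phoenix_inject` rotation, the `State` field names and the quarantine check are assumptions chosen to illustrate the state machine, not the project's API.

```python
"""One-way state ratchet shaped like the DyLWE state core.

Added example, not PhoenixSig code. The proprietary lattice evolution
function is replaced by an HMAC-SHA256 stand-in (assumption: any one-way
keyed function gives the same state-machine behaviour). Context derivation,
VaultKey rotation and the quarantine policy are also assumptions.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class State:
    seed: bytearray            # evolution seed (mutable so it can be zeroed)
    epoch: int                 # monotonic epoch identifier
    counter: int               # per-epoch operation counter
    quarantined: bool = False  # security state indicator


def derive_context(epoch: int, counter: int, message: bytes) -> bytes:
    """Bind the operation parameters to the strict (epoch, counter) order."""
    return epoch.to_bytes(4, "big") + counter.to_bytes(4, "big") + hashlib.sha256(message).digest()


def zeroize(buf: bytearray) -> None:
    """Overwrite in place. Python cannot rule out other copies; a real
    implementation needs a non-optimisable memset and non-swappable pages."""
    for i in range(len(buf)):
        buf[i] = 0


def evolve(state: State, vault_key: bytes, message: bytes) -> tuple[State, bytes]:
    """Advance one step; return (new_state, per-operation signing key).

    Stand-in for the lattice evolution: HMAC keyed by VaultKey over the
    current seed and the context. Deterministic, so the same inputs always
    give the same outputs (this is what a test-vector suite checks).
    """
    if state.quarantined:
        raise PermissionError("signing disabled while quarantined")
    ctx = derive_context(state.epoch, state.counter, message)
    old = bytes(state.seed)
    new_seed = hmac.new(vault_key, b"seed" + old + ctx, hashlib.sha256).digest()
    op_key = hmac.new(vault_key, b"sign" + old + ctx, hashlib.sha256).digest()
    zeroize(state.seed)  # the previous state must cease to exist
    return State(bytearray(new_seed), state.epoch, state.counter + 1, state.quarantined), op_key


def phoenix_inject(state: State, vault_key: bytes, fresh_entropy: bytes) -> tuple[State, bytes]:
    """Rotate VaultKey with entropy the attacker does not hold and open a new epoch."""
    new_key = hmac.new(vault_key, b"phoenix" + fresh_entropy, hashlib.sha256).digest()
    new_state = State(bytearray(state.seed), state.epoch + 1, 0, False)
    zeroize(state.seed)
    return new_state, new_key


def scenario() -> dict:
    """Walk through forward secrecy, full-state capture and Phoenix recovery."""
    vault = hashlib.sha256(b"constructed VaultKey").digest()  # constructed sample values
    dev = State(bytearray(hashlib.sha256(b"constructed seed").digest()), 0, 0)
    seed0 = dev.seed
    dev, k0 = evolve(dev, vault, b"msg0")
    # Forward secrecy: the buffer that held the seed behind k0 is gone.
    seed0_erased = all(b == 0 for b in seed0)
    # Attacker captures the full state and the VaultKey right after op 0 ...
    stolen = State(bytearray(dev.seed), dev.epoch, dev.counter)
    stolen_vault = vault
    dev, k1 = evolve(dev, vault, b"msg1")
    stolen, ak1 = evolve(stolen, stolen_vault, b"msg1")
    future_exposed = ak1 == k1  # ... and predicts the next operation key exactly
    # Phoenix injection: fresh entropy the attacker never sees.
    dev, vault = phoenix_inject(dev, vault, b"constructed fresh entropy")
    dev, k2 = evolve(dev, vault, b"msg2")
    stolen = State(bytearray(stolen.seed), stolen.epoch + 1, 0)  # attacker mirrors the epoch bump
    stolen, ak2 = evolve(stolen, stolen_vault, b"msg2")
    healed = ak2 != k2  # prediction fails without the rotated VaultKey
    # Quarantine flag: evolution refuses to produce signing keys.
    dev.quarantined = True
    try:
        evolve(dev, vault, b"msg3")
        quarantine_enforced = False
    except PermissionError:
        quarantine_enforced = True
    return {
        "seed0_erased": seed0_erased,
        "future_exposed": future_exposed,
        "healed": healed,
        "quarantine_enforced": quarantine_enforced,
        "epoch": dev.epoch,
        "counter": dev.counter,
    }


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the three properties together: the buffer that held the old seed reads as zeros afterwards, a snapshot of state plus VaultKey reproduces the next operation key exactly, and after an injection the attacker's prediction diverges. The stand-in PRF is only there to make the state machine runnable; the lattice construction's one-wayness and avalanche claims are properties of the real function and are not demonstrated by this substitute.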
Constant-time operations. All DyLWE computations must be constant-time to prevent side-channel attacks: no branch, memory access pattern or loop bound may depend on the secret state or VaultKey material, including in the rounding and modular-reduction steps.
Memory management. The previous state must be securely zeroed after evolution, using an overwrite the compiler cannot optimise away. Memory protections such as locked, non-pageable pages prevent swapping sensitive state to disk, and core dumps of the process holding the state should be disabled.
Testing. Because DyLWE is deterministic, it supports reproducible, test-vector based testing: given known inputs, the output is fully predictable and can be checked byte-for-byte against published vectors, on every platform and build.
Detailed mathematical parameters, implementation guides, and test vectors are available under NDA.