Hi,
including the public key into the hash also provides BUFF security. You 
can find the mailing list post introducing our results at [1] and the 
full paper at [2].
Best regards,
Samed, Rune, and Marc
[1] 
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/b55cfa29-fb22-4cc6-954e-9f15f95e1f65%40cryptoplexity.de
[2] 
https://eprint.iacr.org/2024/710
Am 30/10/2024 um 16.46 schrieb Phillip Gajland:
> Hi everyone,
> 
> 
> We’d like to share results from our formal security analysis of the 
> Falcon signature scheme. For a full description, please refer to our 
> paper: 
https://ia.cr/2024/1769.
> 
> 
 > *Executive Summary:
> *We recommend two small modifications to Falcon:
> 
> 1. Salt sampling: In the signing procedure, we recommend sampling the 
> salt and computing the hash within the signing loop, rather than 
> outside. This allows us to provide the first formal proof of Falcon in 
> the random oracle model.
> 
> 2. Hashing the public key: The public key should be included in the 
> hash. This is standard engineering practice and has also been discussed 
> in this forum for its security benefits. Additionally, we provide 
> another reason for including it: it enables tight multi-user security.
> 
> 
> *Details:
> *Unfortunately, our analysis shows that despite our modifications to 
> Falcon-512 and Falcon-1024 we cannot prove \emph{strong unforgeability} 
> for either scheme. For comparison, schemes like Dilithium already 
> satisfy strong unforgeability.
> 
> For /plain unforgeability/ we are able to show that our modifications to 
> Falcon-512 achieve only 100 bits of provable security. By reducing the 
> number of allowed signing queries from 2^{64} to 2^{57}, we can increase 
> this to 118 bits, nearing the claimed security level. For Falcon-1024, 
> we prove that it meets 256 bits of security for /plain unforgeability/.
> 
> We argue that the recommended changes are minor and can be incorporated 
> at this stage of standardisation. Specifically, we suggest the following 
> changes to the signing procedure (Algorithm 10 in the Falcon specification):
> 
>   * Move the steps of sampling the salt, hashing the message and salt,
>     and computing the FFT of the hash (Lines 1-3) inside the do while
>     loop (Line 5-8). This modification incurs minimal additional cost
>     since the loop is executed only once or twice in expectation. The
>     costs associated with Gaussian sampling within the loop far outweigh
>     the hashing and FFT costs, even for large messages.
>   * As an alternative for very large messages, one could hash the
>     message M = H’(pk,m) once outside the loop and then compute the
>     salt, an additional hash H(M, r) and the FFT inside. However, we
>     recommend the former suggestion for its efficiency (hashing is
>     cheaper than FFT) and simplicity.
> 
> 
> Importantly, we do not present concrete attacks against Falcon, nor do 
> we claim that a better security proof is impossible. Rather, we show 
> that our tools combined with currently known proof techniques are 
> insufficient to fully justify the target security claims of Falcon and 
> our modified versions. In fact, Falcon in its current state has no 
> provable security.
> 
> 
> For further details, please refer to the paper linked above.
> 
> Regards,
> 
> Eike, Jonas and Phillip
> 
> -- 
> You received this message because you are subscribed to the Google 
> Groups "pqc-forum" group.
> To unsubscribe from this group and stop receiving emails from it, send 
> an email to 
pqc-forum+...@list.nist.gov <mailto:
pqc- 
> 
forum+un...@list.nist.gov>.
> To view this discussion visit 
https://groups.google.com/a/list.nist.gov/ 
> d/msgid/pqc-forum/d1ff5a62-6a5e-41f6-9540-290a497e6c27n%
40list.nist.gov 
> <
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/ 
> d1ff5a62-6a5e-41f6-9540-290a497e6c27n%
40list.nist.gov? 
> utm_medium=email&utm_source=footer>.