Dear all,
I hope you’re doing well.
We would like to thank the community for the feedback on the potential change in the keygen of Falcon (NIST FIPS 206 – FN-DSA) that we received in the email thread about this, and during our 5th Standardization Conference in Rockville, Maryland.
From this feedback and our internal discussions, we have decided to accept the change which consists of replacing a part of Falcon keygen with the equivalent part of Hawk’s keygen to avoid using floating-point arithmetic. Namely, we will change only the Reduce() algorithm in NTRUSolve() which will allow implementations to use fixed-point instead of floating-point as described in [1]. Please note that using fixed-point in the signing process would require too much memory (roughly 256 bits per value), thus it will not be considered.
In addition to this change, after extensive internal discussions and communications with the Falcon team, we decided to allow the use of emulated floating-point as specified in the Falcon reference implementation and in [2]. More precisely, it means that FIPS 206 will allow one to use native or emulated floating-point for the signing algorithm. Please note that the fixed-point (as previously mentioned) for the keygen will be a possibility, not a requirement. This means that one could generate the key AND sign using only emulated or native floating-point.
This choice was made to give more freedom to the implementers with respect to the side-channel resistance since emulated floating-point does have disadvantages, but unlike native floating-point it is more likely to be constant time as noted in [2].
However, we encourage the community to keep researching ways to implement side-channel-resistant floating-point.
Last but not least, in FIPS 206, the generation of Falcon’s tree will be part of the signing process by default, but we will also allow it to be precomputed / stored with the private key as an option.
While this is our current plan for FIPS 206, we encourage feedback from the community.
Sincerely,
Dr. Maxime BROS
(on behalf of the NIST FIPS 206 - FN-DSA Team)
[1] “Improved Key Pair Generation for Falcon, BAT and Hawk”, Thomas Pornin, 2023,
https://eprint.iacr.org/2023/290.pdf
[2] “New Efficient, Constant-Time Implementations of Falcon”, Thomas Pornin, 2019,
You note that you could use either floating point or fixed point in the key generation.
Does that mean that they both define the same transform “random coins -> public/private key pair”? Or are there essentially two different key generation algorithms (and both are acceptable)?
--
You received this message because you are subscribed to the Google Groups "pqc-forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
pqc-forum+...@list.nist.gov.
To view this discussion on the web visit
https://groups.google.com/a/list.nist.gov/d/msgid/pqc-forum/SJ0PR09MB96039CA15DE8C0A38E891C699DDB2%40SJ0PR09MB9603.namprd09.prod.outlook.com.
--
Hello all!
We implemented the calculation of the digital signature using a fixed point representation (total data size of 64 bits, consisting of: 1 bit for the sign, 37 bits for the integer part, and 26 bits for the fractional part).
We applied this implementation to the first 100 keys of the author's implementation for n=1024. All signatures were successfully verified for both calculation options (dynamic and pre-tree calculation).
The size of the digital signature after packing, excluding the nonce, message for the signature, and additional two bytes for the length, varies as follows:
The increase in the length of the digital signature does not exceed 7%. Since 64 bits were used for the polynomial coefficient assignment, the memory size for the polynomial assignment does not depend on the data type (double or fixed point).
To create the digital signature, the author's algorithm was used, which excludes arithmetic for data with a fixed point, thus not requiring additional memory when using a fixed point representation.
Thanks
Olena Kachko
Yuri Gorbenko
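The 64-bit layout described in the message above (1 sign bit, 37 integer bits, 26 fractional bits), as an added C example that is not the posters' implementation or Falcon reference code. It assumes a sign-magnitude encoding and round-to-nearest; the names `fx_t`, `fx_from_double`, `fx_to_double` and `fx_mul` are hypothetical. It shows the 2^-26 resolution of the format and the range check that conversion and multiplication need.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed layout (sign-magnitude): bit 63 = sign, bits 62..26 = integer part
 * (37 bits), bits 25..0 = fractional part (26 bits). Resolution is 2^-26. */
typedef uint64_t fx_t;
__extension__ typedef unsigned __int128 u128;   /* GCC/Clang extension */
#define FX_FRAC_BITS 26
#define FX_SIGN      (UINT64_C(1) << 63)
#define FX_MAG_MASK  (FX_SIGN - 1)
#define FX_ONE       67108864.0                 /* 2^26 as a double */

/* double -> fixed, rounding the magnitude to nearest.
 * Returns 0 on success, -1 if |x| >= 2^37 or x is NaN. */
int fx_from_double(double x, fx_t *out)
{
    double m = (x < 0 ? -x : x) * FX_ONE;
    if (!(m < 9223372036854775808.0))           /* 2^63; also rejects NaN */
        return -1;
    uint64_t mag = (uint64_t)(m + 0.5);
    *out = mag | ((x < 0 && mag != 0) ? FX_SIGN : 0);   /* no negative zero */
    return 0;
}

double fx_to_double(fx_t v)
{
    double d = (double)(v & FX_MAG_MASK) / FX_ONE;
    return (v & FX_SIGN) ? -d : d;
}

/* Multiply: full product of the two 63-bit magnitudes, rounded to nearest and
 * rescaled by 2^-26. Returns -1 if the result needs more than 37 integer bits. */
int fx_mul(fx_t a, fx_t b, fx_t *out)
{
    u128 p = (u128)(a & FX_MAG_MASK) * (b & FX_MAG_MASK);
    p = (p + ((u128)1 << (FX_FRAC_BITS - 1))) >> FX_FRAC_BITS;
    if (p > FX_MAG_MASK)
        return -1;
    uint64_t mag = (uint64_t)p;
    *out = mag | (mag != 0 ? ((a ^ b) & FX_SIGN) : 0);
    return 0;
}

int main(void)
{
    fx_t a, b, r;
    if (fx_from_double(1.5, &a) == 0 && fx_from_double(-2.25, &b) == 0 &&
        fx_mul(a, b, &r) == 0)
        printf("%.6f\n", fx_to_double(r));
    return 0;
}
```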