Mike Hamburg <mi...@shiftleft.org>: Sep 12 12:00PM +0200
Hi all,
It’s worth noting that although FALCON and HAWK are both named after birds, and both use structured lattices, they are very different schemes otherwise and are based on different hard
Al Martin <nit...@gmail.com>: Sep 12 08:12AM -0700
(just joined this group)
Regarding "constant time" hardware implementations of divide:
Both integer and floating-point divide (and the associated remainder and
square root operations) can be
Sophie Schmieg <ssch...@google.com>: Sep 12 11:21AM -0700
One thing to note here is that those same operations, if anything, have
even more pronounced performance differences in software: when implemented
with two integers, add is a min, shift, and
Samuel Lee <samue...@microsoft.com>: Sep 12 12:52PM -0700
Just to +1 what folks are already saying and add my own two cents.
To be clear I have not tried to implement FN-DSA yet.
I think reliance on floating point for implementation of FN-DSA is highly
Al Martin <nit...@gmail.com>: Sep 12 12:52PM -0700
I'm not trying to pass the buck. The point I'm trying to make is that
hardware generally executes significantly faster than software. *But there
are limitations* which software needs to be aware
Watson Ladd <watso...@gmail.com>: Sep 12 01:19PM -0700
On Fri, Sep 12, 2025 at 12:52 PM 'Samuel Lee' via pqc-forum
> Intel: Data Operand Independent Timing ISA Guidance and Data Operand Independent Timing Instructions
> Arm: Arm A-profile Architecture
Thomas Pornin <por...@bolet.org>: Sep 12 03:17PM -0700
For Falcon/FN-DSA, the required floating-point operations are add, sub,
mul, div, and sqrt. You also need round, floor and trunc (i.e. conversion
to 32-bit integers, with rounding to nearest,
Taylor R Campbell <campbell+ni...@mumble.net>: Sep 13 12:48AM
> Writing robust floating-point routines is particularly hard, having to deal
> with special numbers (signed zero, subnormals, infinity, NaN), rounding
> errors, and loss of significance.
Taylor R Campbell <campbell+ni...@mumble.net>: Sep 13 02:18AM
> values are constant time today, relying on this in a software
> implementation of any cryptographic routine handling secrets is a really
> bad idea.
Would CPU designers have bothered with DIT