Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Espitau, Thomas; Fouque, Pierre-Alain; Gérard, François; Rossi, Mélissa; Takahashi, Akira; Tibouchi, Mehdi; Wallet, Alexandre; Yu, Yang

doi:10.1007/978-3-031-07082-2_9

Cited by 29 publications

(7 citation statements)

References 38 publications

(79 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the third NIST PQC Standardisation Conference, two independent Falcon variants, that is, Mitaka [112] by Espitau et al and Zalcon [113] by Fouque et al, were proposed to overcome the issues of Falcon implementations. They replaced Falcon sampler with simpler ones: Mitaka used the hybrid sampler [114] while Zalcon used a variant of Peikert sampler [115] based on approximate Gram-Schmidt orthogonalisation and integral Gram decomposition [116].…”

Section: Falcon Variantsmentioning

confidence: 99%

“…Two works also refined the trapdoor generation to achieve higher security and gave provable masked implementations. Very recently, they are merged into [117]. In addition, Chuengsatiansup et al studied the optimal trapdoor construction over Module-NTRU of larger module ranks in ref.…”

Section: Falcon Variantsmentioning

confidence: 99%

“…In the third NIST PQC Standardisation Conference, two independent Falcon variants, that is, Mitaka [112] by Espitau et al. and Zalcon [113] by Fouque et al., were proposed to overcome the issues of Falcon implementations.…”

Section: Lattice‐based Signaturesmentioning

confidence: 99%

See 2 more Smart Citations

Lattice‐based cryptosystems in standardisation processes: A survey

Wang

Xiao

2022

IET Information Security

Self Cite

View full text Add to dashboard Cite

The current widely used public‐key cryptosystems are vulnerable to quantum attacks. To prepare for cybersecurity in the quantum era, some projects have been launched to call for post‐quantum alternatives. Due to solid security and desirable performance, lattice‐based cryptosystems are viewed as promising candidates in the upcoming standardisation of post‐quantum cryptography. This study surveys the lattice‐based cryptosystems in the post‐quantum standardisation processes including the NIST Post‐Quantum Cryptography Standardisation and the Chinese Cryptographic Algorithm Design Competition, from both design and security aspects. We present generic design paradigms of lattice‐based schemes and describe several representative proposals and recent progress. We also recap some main cryptanalytic results and methods for estimating the concrete security of lattice‐based schemes.

show abstract

Section: Falcon Variantsmentioning

confidence: 99%

Section: Falcon Variantsmentioning

confidence: 99%

See 1 more Smart Citation

Lattice‐based cryptosystems in standardisation processes: A survey

Wang

Xiao

2022

IET Information Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…The recent variant of Falcon named Mitaka [23] also aims to make the signing procedure simpler and free from floating-point arithmetic. They achieve this with some loss in the signing quality compared to Falcon which makes signature forgeries somewhat easier, but their floating-point implementation signs twice as fast.…”

Section: Introductionmentioning

confidence: 99%

“…In fact, we hope that Hawk or a variant of Hawk may be simple enough to be implemented within a Fully Homomorphic Encryption scheme for applications such as blind or threshold signatures [2]. It might also be easier to mask against side-channel attacks, similarly to how the lack of floatingpoints in the sampler simplifies the masking of Mitaka Z [23,Sec. 7.3].…”

Section: Introductionmentioning

confidence: 99%

Hawk: Module LIP Makes Lattice Signatures Fast, Compact and Simple

Ducas

Postlethwaite

Pulles

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We propose the signature scheme Hawk, a concrete instantiation of proposals to use the Lattice Isomorphism Problem (LIP) as a foundation for cryptography that focuses on simplicity. This simplicity stems from LIP, which allows the use of lattices such as Z n , leading to signature algorithms with no floats, no rejection sampling, and compact precomputed distributions. Such design features are desirable for constrained devices, and when computing signatures inside FHE or MPC. The most significant change from recent LIP proposals is the use of module lattices, reusing algorithms and ideas from NTRUSign and Falcon. Its simplicity makes Hawk competitive. We provide cryptanalysis with experimental evidence for the design of Hawk and implement two parameter sets, Hawk-512 and Hawk-1024. Signing using Hawk-512 and Hawk-1024 is four times faster than Falcon on x86 architectures, produces signatures that are about 15% more compact, and is slightly more secure against forgeries by lattice reduction attacks. When floating-points are unavailable, Hawk signs 15 times faster than Falcon. We provide a worst case to average case reduction for module LIP. For certain parametrisations of Hawk this applies to secret key recovery and we reduce signature forgery in the random oracle model to a new problem called the one more short vector problem.

show abstract

Shorter Hash-and-Sign Lattice-Based Signatures

Espitau

Tibouchi

Wallet

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Lattice-based digital signature schemes following the hash-and-sign design paradigm of Gentry, Peikert and Vaikuntanathan (GPV) tend to offer an attractive level of efficiency, particularly when instantiated with structured compact trapdoors.In particular, NIST postquantum finalist Falcon is both quite fast for signing and verification and quite compact: NIST notes that it has the smallest bandwidth (as measured in combined size of public key and signature) of all round 2 digital signature candidates. Nevertheless, while Falcon-512, for instance, compares favorably to ECDSA-384 in terms of speed, its signatures are well over 10 times larger. For applications that store large number of signatures, or that require signatures to fit in prescribed packet sizes, this can be a critical limitation.In this paper, we explore several approaches to further improve the size of hashand-sign lattice-based signatures, particularly instantiated over NTRU lattices like Falcon and its recent variant Mitaka. In particular, while GPV signatures are usually obtained by sampling lattice points according to some spherical discrete Gaussian distribution, we show that it can be beneficial to sample instead according to a suitably chosen ellipsoidal discrete Gaussian: this is because only half of the sampled Gaussian vector is actually output as the signature, while the other half is recovered during verification. Making the half that actually occurs in signatures shorter reduces signature size at essentially no security loss (in a suitable range of parameters). Similarly, we show that reducing the modulus q with respect to which signatures are computed can improve signature size as well as verification key size almost "for free"; this is particularly true for constructions like Falcon and Mitaka that do not make substantial use of NTT-based multiplication (and rely instead on transcendental FFT). Finally, we show that the Gaussian vectors in signatures can be represented in a more compact way with appropriate coding-theoretic techniques, improving signature size by an additional 7 to 14%. All in all, we manage to reduce the size of, e.g., Falcon signatures by 30-40% at the cost of only 4-6 bits of Core-SVP security.

show abstract

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Cited by 29 publications

References 38 publications

Lattice‐based cryptosystems in standardisation processes: A survey

Lattice‐based cryptosystems in standardisation processes: A survey

Hawk: Module LIP Makes Lattice Signatures Fast, Compact and Simple

Shorter Hash-and-Sign Lattice-Based Signatures

Contact Info

Product

Resources

About