Do Not Disturb a Sleeping Falcon: Floating-Point Error Sensitivity of the Falcon Sampler and Its Consequences

Xiuhan Lin; Mehdi Tibouchi; Yang Yu; Shiduo Zhang

Paper 2024/1709

Do Not Disturb a Sleeping Falcon: Floating-Point Error Sensitivity of the Falcon Sampler and Its Consequences

Xiuhan Lin

, Shandong University

Mehdi Tibouchi

, NTT Social Informatics Laboratories

Yang Yu

, Tsinghua University

Shiduo Zhang

, Tsinghua University

Abstract

Falcon is one of the three postquantum signature schemes already selected by NIST for standardization. It is the most compact among them, and offers excellent efficiency and security. However, it is based on a complex algorithm for lattice discrete Gaussian sampling which presents a number of implementation challenges. In particular, it relies on (possibly emulated) floating-point arithmetic, which is often regarded as a cause for concern, and has been leveraged in, e.g., side-channel analysis. The extent to which Falcon's use of floating point arithmetic can cause security issues has yet to be thoroughly explored in the literature. In this paper, we contribute to filling this gap by identifying a way in which Falcon's lattice discrete Gaussian sampler, due to specific design choices, is singularly sensitive to floating-point errors. In the presence of small floating-point discrepancies (which can occur in various ways, including the use of the two almost but not quite equivalent signing procedures ``dynamic'' and ``tree'' exposed by the Falcon API), we find that, when called twice on the same input, the Falcon sampler has a small but significant chance (on the order of once in a few thousand calls) of outputting two different lattice points with a very structured difference, that immediately reveals the secret key. This is in contrast to other lattice Gaussian sampling algorithms like Peikert's sampler and Prest's hybrid sampler, that are stable with respect to small floating-point errors. Correctly generated Falcon signatures include a salt that should in principle prevent the sampler to ever be called on the same input twice. In that sense, our observation has little impact on the security of Falcon signatures per se (beyond echoing warnings about the dangers of repeated randomness). On the other hand, it is critical for derandomized variants of Falcon, which have been proposed for use in numerous settings. One can mention in particular identity-based encryption, SNARK-friendly signatures, and sublinear signature aggregation. For all these settings, small floating point discrepancies have a chance of resulting in full private key exposure, even when using the slower, integer-based emulated floating-point arithmetic of Falcon's reference implementation.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: Falcon Lattice-Based Cryptography Floating-Point Arithmetic Hash-and-Sign Signatures NTRU
Contact author(s): xhlin @ mail sdu edu cn
mehdi tibouchi @ ntt com
yu-yang @ mail tsinghua edu cn
zsd @ mail tsinghua edu cn
History: 2024-10-21: approved; 2024-10-19: received; See all versions
Short URL: https://ia.cr/2024/1709
License: CC BY

BibTeX

@misc{cryptoeprint:2024/1709,
      author = {Xiuhan Lin and Mehdi Tibouchi and Yang Yu and Shiduo Zhang},
      title = {Do Not Disturb a Sleeping Falcon: Floating-Point Error Sensitivity of the Falcon Sampler and Its Consequences},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1709},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1709}
}