Paper 2024/1709

Do Not Disturb a Sleeping Falcon: Floating-Point Error Sensitivity of the Falcon Sampler and Its Consequences

Xiuhan Lin, Shandong University
Mehdi Tibouchi, NTT Social Informatics Laboratories
Yang Yu, Tsinghua University
Shiduo Zhang, Tsinghua University
Abstract

Falcon is one of the three postquantum signature schemes already selected by NIST for standardization. It is the most compact among them, and offers excellent efficiency and security. However, it is based on a complex algorithm for lattice discrete Gaussian sampling which presents a number of implementation challenges. In particular, it relies on (possibly emulated) floating-point arithmetic, which is often regarded as a cause for concern, and has been leveraged in, e.g., side-channel analysis. The extent to which Falcon's use of floating point arithmetic can cause security issues has yet to be thoroughly explored in the literature. In this paper, we contribute to filling this gap by identifying a way in which Falcon's lattice discrete Gaussian sampler, due to specific design choices, is singularly sensitive to floating-point errors. In the presence of small floating-point discrepancies (which can occur in various ways, including the use of the two almost but not quite equivalent signing procedures ``dynamic'' and ``tree'' exposed by the Falcon API), we find that, when called twice on the same input, the Falcon sampler has a small but significant chance (on the order of once in a few thousand calls) of outputting two different lattice points with a very structured difference, that immediately reveals the secret key. This is in contrast to other lattice Gaussian sampling algorithms like Peikert's sampler and Prest's hybrid sampler, that are stable with respect to small floating-point errors. Correctly generated Falcon signatures include a salt that should in principle prevent the sampler to ever be called on the same input twice. In that sense, our observation has little impact on the security of Falcon signatures per se (beyond echoing warnings about the dangers of repeated randomness). On the other hand, it is critical for derandomized variants of Falcon, which have been proposed for use in numerous settings. One can mention in particular identity-based encryption, SNARK-friendly signatures, and sublinear signature aggregation. For all these settings, small floating point discrepancies have a chance of resulting in full private key exposure, even when using the slower, integer-based emulated floating-point arithmetic of Falcon's reference implementation.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
FalconLattice-Based CryptographyFloating-Point ArithmeticHash-and-Sign SignaturesNTRU
Contact author(s)
xhlin @ mail sdu edu cn
mehdi tibouchi @ ntt com
yu-yang @ mail tsinghua edu cn
zsd @ mail tsinghua edu cn
History
2024-11-19: revised
2024-10-19: received
See all versions
Short URL
https://ia.cr/2024/1709
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1709,
      author = {Xiuhan Lin and Mehdi Tibouchi and Yang Yu and Shiduo Zhang},
      title = {Do Not Disturb a Sleeping Falcon: Floating-Point Error Sensitivity of the Falcon Sampler and Its Consequences},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1709},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1709}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.