
BUFFing FALCON Without Increasing the Signature Size

  • Conference paper
  • First Online:
Selected Areas in Cryptography – SAC 2024 (SAC 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 15516))

Abstract

This work shows how \(\textsf{FALCON}\) can achieve the Beyond UnForgeability Features (BUFF) introduced by Cremers et al. (S&P’21) more efficiently than by applying the generic BUFF transform. Specifically, we show that applying a transform of Pornin and Stern (ACNS’05), dubbed \(\textsf{PS}\text {-}3\) transform, already suffices for \(\textsf{FALCON}\) to achieve BUFF security. For \(\textsf{FALCON}\), this merely means to include the public key in the hashing step in signature generation and verification, instead of hashing only the nonce and the message; the other signature computation steps and the signature output remain untouched. In comparison to the BUFF transform, which appends a hash value to the final signature, the \(\textsf{PS}\text {-}3\) transform therefore achieves shorter signature sizes, without incurring additional computations.
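To make the difference between the three variants concrete, here is an added example (not code from the paper or from the FALCON reference implementation) that reimplements FALCON's HashToPoint step in Python and shows the PS-3 change of hashing the public key together with the nonce and message, next to the BUFF transform's appended hash. It assumes FALCON-512 parameters, a 32-byte BUFF hash and the encoding order pk || r || m; the keys, nonce and message are constructed stand-ins.

```python
import hashlib

Q = 12289          # FALCON modulus q
N = 512            # FALCON-512 degree (assumption: FALCON-512 parameters throughout)
SALT_LEN = 40      # FALCON nonce (salt) length in bytes
SIG_LEN_512 = 666  # FALCON-512 signature size in bytes (header + salt + compressed s2)

def hash_to_point(data: bytes, n: int = N, q: int = Q) -> list[int]:
    """FALCON's HashToPoint: SHAKE256(data) is read as 16-bit big-endian words;
    words >= 5*q (61445) are rejected so the result is uniform modulo q."""
    stream = hashlib.shake_256(data).digest(8 * n)  # ~1.07 words per coefficient needed
    coeffs, i = [], 0
    while len(coeffs) < n:
        if i + 2 > len(stream):
            raise RuntimeError("XOF output exhausted")  # practically unreachable
        t = int.from_bytes(stream[i:i + 2], "big")
        i += 2
        if t < 5 * q:
            coeffs.append(t % q)
    return coeffs

def falcon_point(r: bytes, m: bytes) -> list[int]:
    """Original FALCON: the target point depends only on nonce and message."""
    return hash_to_point(r + m)

def ps3_point(pk: bytes, r: bytes, m: bytes) -> list[int]:
    """PS-3 variant: the public key enters the hash, so the target point (and with it
    any valid (r, s) pair) is bound to pk. Encoding order pk || r || m is an assumption."""
    return hash_to_point(pk + r + m)

def buff_sig_len(sig_len: int = SIG_LEN_512, hash_len: int = 32) -> int:
    """Generic BUFF transform: H(pk, m) is appended to the signature (hash_len assumed 32)."""
    return sig_len + hash_len

def ps3_sig_len(sig_len: int = SIG_LEN_512) -> int:
    """PS-3 leaves the signature encoding, and hence its size, unchanged."""
    return sig_len

if __name__ == "__main__":
    pk_a = b"\x09" + b"\x01" * 896   # constructed stand-ins for two 897-byte FALCON-512 keys
    pk_b = b"\x09" + b"\x02" * 896
    r = bytes(range(SALT_LEN))       # constructed nonce
    m = b"constructed message"
    print("plain FALCON point independent of key:", falcon_point(r, m) == falcon_point(r, m))
    print("PS-3 points differ across keys:", ps3_point(pk_a, r, m) != ps3_point(pk_b, r, m))
    print("sizes: FALCON-512 %d, PS-3 %d, BUFF %d" % (SIG_LEN_512, ps3_sig_len(), buff_sig_len()))
```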

Notes

  1.

    Here, \(\varGamma (m + 1) > \sqrt{2 \pi m} \left( \tfrac{m}{e} \right) ^m e^{1/(12\,m + 1)} \ge \sqrt{2 \pi m} \left( \tfrac{m}{e} \right) ^m\).

  2.

    If such an s exists, then the adversary indeed may have a good chance to mount a successful attack: the public keys may be chosen so that a trapdoor of \(\varLambda _{h_i,h_j}\) is known, and if a solution exists, the trapdoor may allow to compute a solution. The proof shows that under the randomness of the hash function, which the adversary cannot control, it is infeasible to find such instances in the first place.

  3.

    For k independent Bernoulli variables \(X_i\) with \(\operatorname {Pr}\left[ X_i = 1 \right] = p\) and \(\delta \in (0,1]\), it holds that \(\operatorname {Pr}\left[ \sum X_i \ge (1+\delta ) pk \right] \le \exp (-\delta ^2 pk/3)\).

References

  1. Alagic, G., et al.: Status report on the third round of the NIST post-quantum cryptography standardization process (2022)

  2. Aulbach, T., Düzlü, S., Meyer, M., Struck, P., Weishäupl, M.: Hash your keys before signing: BUFF security of the additional NIST PQC signatures. Cryptology ePrint Archive, Paper 2024/591 (2024). https://eprint.iacr.org/2024/591

  3. Boyer, M., Brassard, G., Høyer, P., Tapp, A.: Tight bounds on quantum searching. Fortschr. Phys. 46(4–5), 493–505 (1998)

  4. Cremers, C., Düzlü, S., Fiedler, R., Fischlin, M., Janson, C.: BUFFing signature schemes beyond unforgeability and the case of post-quantum signatures. In: 2021 IEEE Symposium on Security and Privacy (SP) (2021)

  5. Cremers, C., Düzlü, S., Fiedler, R., Fischlin, M., Janson, C.: BUFFing signature schemes beyond unforgeability and the case of post-quantum signatures. Cryptology ePrint Archive, Paper 2020/1525 (2023). https://eprint.iacr.org/2020/1525, version 1.4

  6. Don, J., Fehr, S., Huang, Y.H., Struck, P.: On the (in)security of the BUFF transform. Cryptology ePrint Archive, Paper 2023/1634 (2023). https://eprint.iacr.org/2023/1634

  7. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 197–206. ACM Press (2008)

  8. Hsiao, C.-Y., Chi-Jen, L., Reyzin, L.: Conditional computational entropy, or toward separating pseudoentropy from compressibility. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 169–186. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_10

  9. Hülsing, A., et al.: SPHINCS+. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

  10. Lyubashevsky, V., et al.: CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

  11. NIST: Post-quantum cryptography (2017). https://csrc.nist.gov/projects/post-quantum-cryptography-standardization

  12. NIST: Call for additional digital signature schemes for the post-quantum cryptography standardization process (2022)

  13. NIST: Module-lattice-based digital signature standard, August 2023. FIPS 204 (draft) (2023). https://doi.org/10.6028/NIST.FIPS.204.ipd

  14. NIST: Stateless hash-based digital signature standard, August 2023. FIPS 205 (draft) (2023). https://doi.org/10.6028/NIST.FIPS.205.ipd

  15. Pornin, T., Stern, J.P.: Digital signatures do not guarantee exclusive ownership. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 05. LNCS, vol. 3531, pp. 138–150. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_10

  16. Pornin, T., et al.: FALCON. Technical report, National Institute of Standards and Technology (2022). https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

Acknowledgements

S.D. was funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 – 236615297. R.F. was supported by the German Federal Ministry of Education and Research and the Hessian Ministry of Higher Education, Research, Science and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE.

Author information

Corresponding author: Samed Düzlü

Copyright information

© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Düzlü, S., Fiedler, R., Fischlin, M. (2025). BUFFing FALCON Without Increasing the Signature Size. In: Eichlseder, M., Gambs, S. (eds) Selected Areas in Cryptography – SAC 2024. SAC 2024. Lecture Notes in Computer Science, vol 15516. Springer, Cham. https://doi.org/10.1007/978-3-031-82852-2_6

  • DOI: https://doi.org/10.1007/978-3-031-82852-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-82851-5

  • Online ISBN: 978-3-031-82852-2
