
Falcon Lattice-Based Digital Signatures

Updated 28 November 2025
  • Falcon lattice-based digital signatures are quantum-resistant schemes leveraging NTRU lattices and fast Fourier-based Gaussian sampling to securely sign messages.
  • They offer efficient verification and compact key sizes ideal for IoT, despite the computational intensity of the signature generation process.
  • Recent hardware enhancements like the Bi-SamplerZ architecture reduce sampling cycles, significantly improving signing efficiency and energy consumption.

Falcon lattice-based digital signatures are cryptographically robust schemes standardized for quantum resistance, distinguished by compact signatures and public keys, leveraging the hardness of lattice problems on NTRU polynomial rings. The Falcon design is characterized by fast Fourier-based Gaussian sampling, supporting secure and efficient signing and verification. While verification exhibits exceptional efficiency—making Falcon especially attractive for constrained environments such as IoT—signature generation is computationally intensive due to demanding high-precision sampling and rejection tests. Recent advancements include hardware optimizations such as the Bi-SamplerZ architecture to accelerate Falcon’s signature process (Zhao et al., 30 May 2025, Chiano et al., 2021, Hattenbach, 2021).

1. Mathematical Foundations: NTRU Lattices and Gaussian Sampling

Falcon signatures are constructed over NTRU lattices defined by polynomials in the ring $R_q = \mathbb{Z}_q[X]/(X^n + 1)$ with $n$ a power of two and $q$ prime. The security relies on the intractability of finding short vectors in the NTRU lattice, given only the public key $h = g \cdot f^{-1} \bmod q$, where $f, g$ are small secret polynomials. The Falcon keypair involves four polynomials $f, g, F, G \in R$ satisfying $fG - gF \equiv q \mod \phi$, with $\phi(x) = x^n + 1$. The key innovation is the deployment of discrete Gaussian sampling in the Fourier domain to generate signatures that mask the trapdoor structure and achieve statistical indistinguishability (Chiano et al., 2021, Hattenbach, 2021).

2. Core Algorithms: Key Generation, Signing, Verification

The Falcon scheme employs the following three fundamental routines:

  • Key Generation: Sample small $f, g$ from a discrete Gaussian. Compute $h = g \cdot f^{-1} \bmod q$. Build the “short” basis and its Gram–Schmidt orthogonalization in the Fourier domain, constructing the so-called Falcon tree for recursive sampling.
  • Signing: Given a message $m$ and a nonce $r$, compute $c = H(r \| m \| q \| n) \in R_q$. Solve $\overline{B} t = c$ via FFT; sample $z$ from the discrete Gaussian around $t$ using the Falcon tree. Set $s = (t-z) \cdot \overline{B}$. If $\|s\|^2 > \beta^2$, restart sampling. Split and compress $s$ for the signature output.
  • Verification: Recreate $c$ from signature and message. Decompress and reconstruct $s_2$, compute $s_1 = c - s_2 h \bmod q$, and check $\|(s_1, s_2)\|^2 \leq \beta^2$. Accept or reject accordingly (Chiano et al., 2021).

These algorithms optimize signature size and verification speed by exploiting FFT-friendly structures and recursive LDL decomposition of the lattice basis.
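The verification step above, worked through on a toy ring as an added example (not code from the Falcon project or the cited papers). It assumes $n = 8$, a constructed public polynomial `H`, a constructed short pair `S1`, `S2` and a toy bound `BETA_SQ`; the hash that produces $c$ and signature decompression are left out, so `C` is built directly from the relation $c = s_1 + s_2 h$.

```python
Q = 12289  # modulus q from the Falcon parameter sets

def negacyclic_mul(a, b, q=Q):
    """Multiply two polynomials in Z_q[X]/(X^n + 1)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:  # X^n = -1, so wrapped terms change sign
                out[k - n] = (out[k - n] - ai * bj) % q
    return out

def center(x, q=Q):
    """Map a residue to its representative of smallest absolute value."""
    x %= q
    return x - q if x > q // 2 else x

def verify(c, s2, h, beta_sq, q=Q):
    """Recompute s1 = c - s2*h mod q and test ||(s1, s2)||^2 <= beta^2."""
    s2h = negacyclic_mul(s2, h, q)
    s1 = [center(ci - pi, q) for ci, pi in zip(c, s2h)]
    norm_sq = sum(v * v for v in s1) + sum(center(v, q) ** 2 for v in s2)
    return norm_sq <= beta_sq, norm_sq

# Constructed toy instance (n = 8); not a real Falcon key or signature.
H = [4821, 117, 9903, 6002, 12001, 350, 7777, 2048]
S1 = [2, -1, 0, 3, -2, 1, 0, -1]
S2 = [1, 0, -2, 1, 0, -1, 2, 0]
BETA_SQ = 64  # toy bound, hypothetical
C = [(a + b) % Q for a, b in zip(S1, negacyclic_mul(S2, H))]

def demo():
    """Genuine pair, a changed hash value, and a changed s2 coefficient."""
    tampered_c = [(C[0] + 1000) % Q] + C[1:]
    altered_s2 = [S2[0] + 1] + S2[1:]
    return (verify(C, S2, H, BETA_SQ)[0],
            verify(tampered_c, S2, H, BETA_SQ)[0],
            verify(C, altered_s2, H, BETA_SQ)[0])

if __name__ == "__main__":
    print(verify(C, S2, H, BETA_SQ), demo())
```

Skipping the centering step would turn every negative coefficient into a value near $q$ and fail the norm test for a valid signature, which is why `center` is applied to both halves before squaring.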

3. Signature Generation Complexity and Rejection Sampling

Signature generation in Falcon is dominated by the requirement of sampling from a high-precision discrete Gaussian in the Fourier domain, completed recursively. This process, essential for security against both classical and quantum attacks, uses rejection sampling where the acceptance probability per sample is tuned to ensure negligible leakage. For each coefficient, SamplerZ draws from $D_\sigma(x) = S^{-1} \exp(-x^2/(2\sigma^2))$, with center $\mu$ and standard deviation $\sigma$. The rejection rate, engineered to be close to 1, mandates multiple retries per signature, resulting in a computational cost far exceeding verification (Zhao et al., 30 May 2025, Hattenbach, 2021). On ARM Cortex-M4, for FALCON-512, signature generation requires $\approx 0.98$ s and verification just $6$ ms.
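A floating-point model of the rejection loop, as an added example that is not the reference implementation or code from the cited papers. It follows the loop structure I assume from the Falcon specification's SamplerZ (half-Gaussian base sample, random sign bit, scaled exponential acceptance test); `SIGMA_MAX` and `SIGMA_MIN` are assumed from that specification rather than from this page, and the table is computed with floats, so the code is neither constant-time nor suitable for signing.

```python
import math
import random
from bisect import bisect_right

SIGMA_MAX = 1.8205        # assumed: upper bound on sigma (Falcon specification)
SIGMA_MIN = 1.277833697   # assumed: lower bound for FALCON-512 (Falcon specification)

# Cumulative table for the half-Gaussian base sampler on {0, 1, 2, ...}.
# Computed in floating point here; real implementations use a fixed integer table.
_w = [math.exp(-k * k / (2 * SIGMA_MAX ** 2)) for k in range(19)]
_CDF = [sum(_w[: k + 1]) / sum(_w) for k in range(19)]

def base_sampler(rng):
    """Draw z0 >= 0 with probability proportional to exp(-z0^2 / (2*SIGMA_MAX^2))."""
    return min(bisect_right(_CDF, rng.random()), 18)

def sampler_z(mu, sigma, rng):
    """Return (z, tries); z follows the discrete Gaussian with center mu, deviation sigma."""
    assert SIGMA_MIN <= sigma <= SIGMA_MAX
    floor_mu = math.floor(mu)
    r = mu - floor_mu                    # fractional part of the center, in [0, 1)
    ccs = SIGMA_MIN / sigma              # scaling that equalises the acceptance rate
    tries = 0
    while True:
        tries += 1
        z0 = base_sampler(rng)
        b = rng.getrandbits(1)
        z = b + (2 * b - 1) * z0         # b=1 gives 1, 2, ...; b=0 gives 0, -1, ...
        x = (z - r) ** 2 / (2 * sigma ** 2) - z0 ** 2 / (2 * SIGMA_MAX ** 2)
        if rng.random() < ccs * math.exp(-x):   # rejection test
            return z + floor_mu, tries

def measure(mu, sigma, n=20000, seed=1):
    """Empirical mean of the samples and average loop iterations per sample."""
    rng = random.Random(seed)
    draws = [sampler_z(mu, sigma, rng) for _ in range(n)]
    return sum(z for z, _ in draws) / n, sum(t for _, t in draws) / n

if __name__ == "__main__":
    for mu, sigma in [(3.7, 1.3), (-12.25, 1.8)]:
        print(mu, sigma, measure(mu, sigma))
```

The average iteration count comes out the same for both parameter pairs because the `ccs` factor cancels the dependence on `sigma`; that independence from the secret-derived center and deviation is the property a constant-time implementation has to preserve.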

4. Hardware Acceleration: Bi-SamplerZ Architecture

The Bi-SamplerZ implementation accelerates discrete Gaussian sampling central to Falcon signing by deploying a dual-datapath architecture. SamplerZ is invoked twice per recursion leaf, motivating concurrent generation of two scalar samples with minimal area overhead. Instead of duplicating logic, shared modules (Pre_samp, BaseSampler) handle preparatory computations, while dedicated branches process the parallel sampling (Bef_loop, For_loop, CMP stages).

Resource sharing, fine-grained pipelining, and a cross-datapath assistance mechanism reduce average cycle latency by enabling “one succeeds” cases to propagate partial progress between datapaths, with assistance switching reducing retries. This results in a $54.1\%$ reduction in sampling cycles compared to FalconSign, and a best-known area-time product (ATP) among hardware Falcon samplers, as summarized below (Zhao et al., 30 May 2025).

| Design | Area | Freq | Cycles | Latency Norm | ATP Norm |
|---|---|---|---|---|---|
| Bi-SamplerZ (FPGA) | 14,327/10,841/85 | 150 MHz | 59 | 1.00× | 1.00× |
| FalconSign (FPGA) | 14,710/10,731/76 | 185 MHz | 137 | 1.88× | 2.45× |
| Bi-SamplerZ (ASIC) | 68.7 kμm² | 1.5 GHz | 59 | 1.00× | 1.00× |
| FalconSign (ASIC) | 58.4 kμm² | 0.5 GHz | 137 | 6.97× | 5.92× |

These optimizations render Falcon suitable for integration into high-throughput cryptographic modules and real-time environments (Zhao et al., 30 May 2025).

5. Practical Parameters, Performance Metrics, and Deployment Context

Falcon’s standardized security levels correspond to the following parameters:

  • FALCON-512: $n=512$, $q=12289$, $\sigma\approx1.17$, $\beta\approx110.8$, signature $\approx666$ bytes, public key $\approx1,345$ bytes.
  • FALCON-1024: $n=1024$, $q=12289$, $\sigma\approx1.26$, $\beta\approx121.4$, signature $\approx1,700$ bytes, public key $\approx1,605$ bytes (Chiano et al., 2021).

Falcon is highly competitive for environments requiring minimal signature bandwidth, such as firmware/authentication in IoT, due to its small cryptographic footprint and extremely efficient verification. For applications needing frequent signing, alternatives like Dilithium may offer lower signing cost but with larger signatures.

6. Security Analysis and Side-Channel Considerations

Falcon’s security reduces to short integer solution (SIS) instances on NTRU lattices, with quantum security proven under random-oracle assumptions. The discrete Gaussian rejection sampler ensures statistical hiding of private keys. Known attacks require at least $2^{128}$ operations for FALCON-512 and $2^{256}$ for FALCON-1024 (Chiano et al., 2021). Side-channel mitigation is critical: Gaussian sampling and FFT must be implemented in constant-time and with masking to prevent timing and power leakage. This remains an active area for further architectural hardening and cryptanalytic review (Hattenbach, 2021).

7. Comparative Perspective and Future Directions

Among NIST round 3 finalists, Falcon achieves the smallest signatures at its security level, with verification times and public key sizes optimized for bandwidth-sensitive deployments. Continued research targets improved side-channel resilience (e.g., ZALCON variants), memory optimization via table precomputation, and further hardware acceleration. Future directions include formal analysis of hardware implementations, tuning for low-power devices, and cryptographic hardening against advanced attacks. Falcon’s distinctive blend of compactness and verification speed positions it as a core primitive in post-quantum secure digital communications (Chiano et al., 2021, Zhao et al., 30 May 2025, Hattenbach, 2021).
