Reputation: 1
"In the Falcon documentation, there is code provided by the authors, and within it, there is an implementation under the 'c' folder where they perform testing on their algorithms. They include a test with vectors; however, it does not match the size that, according to their specifications, it should have. For example, one vector is as follows:
static const char *const KAT_SIG_512[] = {
"cd3f225a65b2c6e155c2af799308af940212633fa519a4b4ddd22048ff8a7d06",
"sample 0",
"0900070058......."};
Where the first element is the nonce, the second is the message, and the third is the signature. In this test vector, the nonce has a length of 32 bytes. However, in the documentation, they state the following: 'nonce string r (40 bytes).' I hope someone can clarify this doubt for me."
I did not find in the documentation the reason why this nonce size can be used.
Upvotes: 0
Views: 52
Reputation: 11
I think that the C version of Falcon supports nonces of variable length. If you don't explicitly give a nonce, the Falcon algorithm will generate one of length 40, but if you explicitly give a nonce, it is up to you how long it is supposed to be. The nonce you showed is of length 32, which is a little less secure than length 40, but still fine. (Using nonces of very small lengths is not recommended, as this could leak the private key.)
You can test this yourself if you use the Falcon implementation of round one of the NIST competition. If you compile and run the code in Extra/c you can sign and verify on the command line and use the -nonce flag to give a nonce in hexadecimal. You can give a nonce of any length you like (at least one byte).
Some more information about how this is in Python:
In Python the length of the nonce is 40, and you cannot explicitly give a nonce. You could theoretically change the length of the nonce if you change the variable SALT_LEN in falcon.py. I would not recommend this, as the structure of Python signatures is 1 byte of information, 40 bytes of nonce, and the rest is the actual signature. If you change SALT_LEN you would make your signature incompatible with all standard Falcon implementations in Python, as they would improperly process the nonce and signature.
In C you don't encounter this problem, as the signature and nonce are stored separately.
I hope I was able to help :)
Upvotes: 0
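The layout described in the answer above (1 header byte, 40 nonce bytes, then the signature body), as an added example that is not part of the original answer and not code from falcon.py. It shows what a reader that assumes a 40-byte nonce does with a blob written using the 32-byte KAT nonce from the question; the helper names, the header value and the body bytes are constructed for illustration.

```python
import hashlib

HEAD_LEN = 1   # one header byte, as described in the answer
SALT_LEN = 40  # nonce length a standard reader assumes

# Nonce and message taken from the KAT entry quoted in the question.
KAT_NONCE = bytes.fromhex(
    "cd3f225a65b2c6e155c2af799308af940212633fa519a4b4ddd22048ff8a7d06")
KAT_MSG = b"sample 0"


def pack(header, salt, body):
    """Concatenate header byte, nonce and signature body (hypothetical helper)."""
    return bytes([header]) + salt + body


def split_signature(sig, salt_len=SALT_LEN):
    """Split a packed signature into (header, salt, body) by fixed offsets."""
    if len(sig) <= HEAD_LEN + salt_len:
        raise ValueError("signature too short for header + salt")
    return sig[0], sig[HEAD_LEN:HEAD_LEN + salt_len], sig[HEAD_LEN + salt_len:]


def hash_stream_prefix(salt, message, n=32):
    """First n bytes of SHAKE-256(salt || message), the input Falcon hashes
    to a point; a different salt gives a different target point."""
    return hashlib.shake_256(salt + message).digest(n)


def demo():
    body = bytes(range(100))  # constructed stand-in for the encoded signature
    header = 0x39             # constructed placeholder header byte
    blob = pack(header, KAT_NONCE, body)  # writer used a 32-byte nonce

    # Reader that knows the real nonce length recovers the fields intact.
    _, salt_ok, body_ok = split_signature(blob, salt_len=len(KAT_NONCE))
    # Reader that assumes 40 bytes swallows 8 body bytes into the nonce.
    _, salt_bad, body_bad = split_signature(blob)

    return {
        "salt_ok": salt_ok,
        "body_ok": body_ok,
        "salt_bad": salt_bad,
        "body_bad": body_bad,
        "same_hash_input": hash_stream_prefix(salt_ok, KAT_MSG)
                           == hash_stream_prefix(salt_bad, KAT_MSG),
    }


if __name__ == "__main__":
    print(demo())
```

The misaligned reader hashes a different nonce and decodes a truncated body, so verification fails even though the signature itself is valid.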