Towards Practical Microcontroller Implementation of the Signature Scheme Falcon

  • Tobias Oder
  • Julian Speith
  • Kira Höltgen
  • Tim Güneysu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11505)


The majority of submissions to NIST’s recent call for Post-Quantum Cryptography are encryption schemes or key encapsulation mechanisms. Signature schemes constitute a much smaller group of submissions, with only 21 proposals. In this work, we analyze the practicability of one scheme from the latter category, the signature scheme Falcon, with respect to its suitability for embedded microcontroller platforms.

Falcon has a security proof in the quantum random oracle model (QROM), combined with the smallest public key and signature sizes among all lattice-based signature scheme submissions and decent performance on common x86 computing architectures. One specific downside of the scheme, however, is that according to its own specification it is “non-trivial to understand and delicate to implement”.

This work aims to provide new insights into the realization of Falcon by presenting an optimized implementation for the ARM Cortex-M4F platform. This includes a revision of its memory layout, as memory is the limiting factor on such constrained platforms. We reduced the dynamic memory consumption of Falcon by 43% in comparison to the reference implementation. In summary, our implementation requires 682 ms for key generation, 479 ms for signing, and only 3.2 ms for verification for the \(n=512\) parameter set.


Keywords: Ideal lattices, Falcon, Cortex-M, Microcontroller, NIST PQC



We would also like to thank the anonymous reviewers for their very valuable and helpful feedback. The research in this work was supported in part by the European Union’s Horizon 2020 program under project numbers 644729 (SAFEcrypto) and 780701 (PROMETHEUS).

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Tobias Oder (1), corresponding author
  • Julian Speith (1)
  • Kira Höltgen (1)
  • Tim Güneysu (1, 2)
  1. Ruhr-University Bochum, Bochum, Germany
  2. DFKI, Bremen, Germany