Paper 2025/1991

TWFalcon: Triple-Word Arithmetic for Falcon; Giving Falcon the Precision to Fly Securely

Stef Halmans, Ruhr University Bochum
Christine van Vredendaal, NXP (Netherlands)
Tobias Schneider, NXP (Netherlands)
Frank Custers, NXP (Netherlands)
Tim Güneysu, Ruhr University Bochum
Abstract

The post-quantum signature scheme Falcon is an attractive scheme for constrained devices due to its compactness and verification performance. However, it relies on floating-point arithmetic for signature generation, which, alongside physical security concerns, introduces two additional drawbacks. Firstly, if implemented using the standard double-precision format, Falcon does not satisfy the formally proven error bounds required for a secure Gaussian sampler implementation. Although no practical attacks exploiting this limitation are currently known, it does raise concerns about future attacks. Secondly, 32-bit constrained devices can lack hardware support for high-precision floating-point arithmetic, and its use introduces significant performance overhead, as it must be emulated using integers. In this work we present a novel method to address these limitations: we show that Falcon can be implemented using single-precision floating-point numbers. Our proposed method uses Triple-Word Floating-Point (TW) arithmetic and achieves a precision of at least 72 bits, compared to the 53 bits of double-precision floating-point arithmetic. We show that our implementation achieves error bounds that meet the formal security requirements for a secure Gaussian sampler implementation, while maintaining other security guarantees. This way, Falcon can run on constrained devices equipped only with a single-precision Floating-Point Unit (FPU) without the need for integer emulation. We demonstrate the feasibility of our approach on the Nucleo-L4R5ZI board, which features a Cortex-M4F processor with a single-precision FPU. More precisely, we show that increasing the precision of Falcon in this way only increases the computational effort by a factor of approximately 1.84 compared to the CPU cycles required for an implementation using emulated double-precision arithmetic via integers.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published by the IACR in TCHES 2026
Keywords
Falcon, FN-DSA, triple-word floating-point arithmetic, constrained devices, post-quantum cryptography
Contact author(s)
stef halmans @ rub de
christine cloostermans @ nxp com
tobias schneider @ nxp com
frank custers_1 @ nxp com
tim gueneysu @ rub de
History
2026-02-11: revised
2025-10-24: received
Short URL
https://ia.cr/2025/1991
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/1991,
      author = {Stef Halmans and Christine van Vredendaal and Tobias Schneider and Frank Custers and Tim Güneysu},
      title = {{TWFalcon}: Triple-Word Arithmetic for Falcon; Giving Falcon the Precision to Fly Securely},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/1991},
      year = {2025},
      url = {https://eprint.iacr.org/2025/1991}
}