Posted by conduition
Jan 22, 2026/14:35 UTC
In a recent discussion on the Bitcoin Development Mailing List, the complexities and challenges of implementing Falcon (FN-DSA) in post-quantum signature schemes were highlighted. Falcon's signer relies on discrete Gaussian sampling implemented with constant-time floating-point arithmetic, which presents significant implementation challenges. Despite these complexities, Falcon offers only a modest improvement in the size of signatures and public keys, approximately a factor of two compared to ML-DSA. This has led to a decision against including FN-DSA in the upcoming PQ signature opcode BIP, following BIP360. Further research into Falcon, particularly its weaknesses and its adaptability to schemes such as CISA, BIP32, and multisignatures, is deemed necessary before its integration is considered.
The conversation also touched upon alternative cryptographic methods, such as SQIsign and XMSS, along with Jonas Nick's SHRINCS proposal for those seeking smaller signatures within post-quantum cryptography. SQIsign, utilizing isogeny-based cryptography, produces notably small signatures and public keys through complex mathematical operations. However, similar to Falcon, SQIsign is still in the early stages of development, requiring more research to enhance its verification process and address potential vulnerabilities.
For immediate applications requiring small signatures, XMSS was recommended. It allows for the generation of 272-byte signatures through the configuration of an unbalanced XMSS tree, with the possibility of further reduction by adjusting the parameters. A notable drawback of XMSS is its stateful nature: the signer must reliably track which one-time keys it has already used, since reusing one compromises security, and this could complicate its use in certain contexts. These discussions underscore the ongoing efforts and challenges in developing secure, efficient cryptographic standards suitable for the quantum computing era, as outlined in the comprehensive analysis shared on Cloudflare's blog.