Falcon signature size and private key's size differ from specifications #395
Replies: 1 comment 2 replies
-
This is correct and explicable as the OpenSSL logic requires a public key to be always available if a private key is operated on (even if no cert is available): OQS-OpenSSL thus appends the public key to the private key. Some of the further variations may be explained by ASN.1 "wrapping" structures. Regarding the falcon-specific differences between spec and implementation I cannot help, unfortunately. Maybe it would be worth while checking with the authors of the algorithm? @dstebila : Any person you'd be considering the best contact for this? |
Beta Was this translation helpful? Give feedback.
-
|
There was some discussion of this somewhere in our repositories, but I can't find it at the moment. We do need to do a Falcon update which I think will resolve the variable length signature size issue. |
Beta Was this translation helpful? Give feedback.
-
|
I will also look for the discussion myself. If it happens you find it and if you could maybe attach a link here, I will be glad to read, thank you so much. The variable length signature and the extra 4 bytes at for private keys (excluding the public key size) would be the questions.
I have thought myself it could have been by ASN1 encoding (it is same 4 bytes difference), but after checking dilithium and seeing that everything is alright there (private key encapsulates exactly the actual private key and the public key with no remainder bytes) I have left this idea behind (maybe it was wrong to make this association). Thank you again for your directions and explanations! |
Beta Was this translation helpful? Give feedback.
-
I am not sure if I should have addressed this topic here, but here is what I have observed:
From the official website of the algorithm I see the signature size should be for falcon512 666 bytes, and for falcon1024 1280 bytes. Also, the public keys are falcon512 - 897 bytes, falcon1024 - 1793 bytes
Also I have read here https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-2/official-comments/FALCON-round2-official-comment.pdf that for the secret key, they assume 1281 bytes for falcon512 and 2305 for falcon1024. After having generated some keys and certificates, for falcon512, my private key has 2182 bytes so extra bytes and my signature has 657 bytes (so 9 bytes less).
About falcon1024, my private key has 4102 bytes (a lot, comparing to the specified size of 2305). Even if I subtracted the public key size from this number (i can see at the end of the actual private key I find the public key concatenated), so if I substract 1793 bytes (pk size), I still get some extra 4 bytes. Also, the signature I have inside my certificate with falcon1024 has 1272 bytes, so 8 bytes less than the specified 1280.
For the public keys inside the certificates everything is fine, same size as specified.
Another unclear thing for me would be the values of the signatures sizes macros in sig_falcon.h inside liboqs, cuz they are larger than the specifications.
#ifdef OQS_ENABLE_SIG_falcon_512
#define OQS_SIG_falcon_512_length_public_key 897
#define OQS_SIG_falcon_512_length_secret_key 1281
#define OQS_SIG_falcon_512_length_signature 690
[...]
#ifdef OQS_ENABLE_SIG_falcon_1024
#define OQS_SIG_falcon_1024_length_public_key 1793
#define OQS_SIG_falcon_1024_length_secret_key 2305
#define OQS_SIG_falcon_1024_length_signature 1330
Again, I don't know if the question is suitable, but if someone has an explanation for this +/- bytes in keys and signatures size it would be great.
Thank you in advance!
Beta Was this translation helpful? Give feedback.
All reactions