Hawk: Module LIP Makes Lattice Signatures Fast, Compact and Simple

• Published in: Advances in Cryptology - ASIACRYPT 2022 Vol. 13794; pp. 65 - 94
• Main Authors: Ducas, Léo, Postlethwaite, Eamonn W., Pulles, Ludo N., Woerden, Wessel van
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer 2023; Springer Nature Switzerland
• Series: Lecture Notes in Computer Science
• Subjects: Concrete Design; Module Lattice Isomorphism Problem; Post-Quantum Cryptography; Quadratic Forms; Signatures
• ISBN: 3031229711; 9783031229718
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-031-22972-5_3

We propose the signature scheme Hawk, a concrete instantiation of proposals to use the Lattice Isomorphism Problem (LIP) as a foundation for cryptography that focuses on simplicity. This simplicity stems from LIP, which allows the use of lattices such as Zn\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\mathbb Z^n$$\end{document}, leading to signature algorithms with no floats, no rejection sampling, and compact precomputed distributions. Such design features are desirable for constrained devices, and when computing signatures inside FHE or MPC. The most significant change from recent LIP proposals is the use of module lattices, reusing algorithms and ideas from NTRUSign and Falcon. Its simplicity makes Hawk competitive. We provide cryptanalysis with experimental evidence for the design of Hawk and implement two parameter sets, Hawk-512 and Hawk-1024. Signing using Hawk-512 and Hawk-1024 is four times faster than Falcon on x86 architectures, produces signatures that are about 15% more compact, and is slightly more secure against forgeries by lattice reduction attacks. When floating-points are unavailable, Hawk signs 15 times faster than Falcon. We provide a worst case to average case reduction for module LIP. For certain parametrisations of Hawk this applies to secret key recovery and we reduce signature forgery in the random oracle model to a new problem called the one more short vector problem.