Lin Hsin Hsin Quantum Security Center

Falcon Signature Algorithm Attacks

    OVERVIEW

    Falcon is a lattice-based post-quantum digital signature algorithm, selected as a finalist in NIST's PQC standardization process. Its security is based on the hardness of the Short Integer Solution (SIS) problem over NTRU lattices.

    While Falcon is designed to resist both classical and quantum attacks, several implementation and side-channel vulnerabilities have been identified, primarily targeting its Gaussian sampling and Number Theoretic Transform (NTT) operations.

    Falcon Signature Algorithm Security Incidents

| Year | Attack Type | Severity | Impact | Description | Reference |
|------|-------------|----------|--------|-------------|-----------|
| 2025 | Single-Trace Side-Channel | Critical | Full key recovery | "SHIFT SNARE" attack: single-trace side-channel analysis targeting the NTT and Gaussian sampling in Falcon, achieving full key recovery from a single power trace. Especially effective on embedded systems; highlights the need for robust countermeasures in real-world deployments. | arXiv 2025, SHIFT SNARE |
| 2024 | Improved Power Analysis | High | Full key recovery | Improved power analysis attacks on Falcon's base sampler, reducing the number of signature measurements needed for key recovery. With 45,000 traces, full key recovery is possible with ≈25% success rate; 12,000 traces can reduce security by 60 bits. | IACR 2023, Improved Power Analysis |
| 2024 | Blind Side-Channel | High | Full key recovery | Blind side-channel attacks on Falcon's NTT and polynomial multiplication, using machine learning to exploit leakage in the decryption procedure. | IACR 2024, Machine Learning SCA |
| 2023 | Hidden Parallelepiped (Power) | High | Full key recovery | Power analysis attack exploiting the "Hidden Parallelepiped" vulnerability in Falcon's Gaussian sampling, requiring 300,000 signatures and two implementations for key recovery (70–76% success rate). | ResearchGate 2024, Hidden Parallelepiped |
| 2022 | Fault Injection | High | Full key recovery | Fault injection attacks on Falcon's implementation, targeting the Gaussian sampler and NTT operations. These attacks can recover the secret key by forcing errors during signature generation. | ResearchGate 2022, Fault Attacks |
| 2021 | Side-Channel (Power/EM) | High | Full key recovery | "Falcon Down": first side-channel attack on NIST's Round-3 Falcon, using power/EM analysis to recover the secret key. The attack targets the NTT and Gaussian sampling, requiring fewer traces than previous methods. | DAC 2021, Falcon Down |
| 2019 | BEARZ Attack | Medium | Partial key or signature leak | Implementation attack targeting the signing algorithm, forcing early termination of the Gaussian sampling process to produce faulty signatures, which can be used to recover the secret key. | IACR 2019, BEARZ Attack |

    Key Takeaways

Most Critical Threats

Single-trace and power analysis attacks (2025, 2024, 2023) are the most severe, often leading to full key recovery

Main Vulnerabilities

Gaussian sampling and NTT operations are the primary targets for side-channel and fault injection attacks

Mitigations

Constant-time implementations, side-channel resistant hardware, and careful parameter selection are essential for secure deployment
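As an added illustration (not code from this page's sources or from Falcon's reference implementation), the C below contrasts a variable-time cumulative-distribution-table lookup, whose loop count depends on the sampled value, with a branchless constant-time equivalent. The table is a constructed toy half-Gaussian, not Falcon's actual sampler constants.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy cumulative distribution table (16-bit) for a half-Gaussian;
 * these are NOT Falcon's real sampler constants. */
static const uint16_t CDT[] = {
    26214, 45875, 55706, 60620, 63079, 64308, 64922,
    65229, 65383, 65459, 65497, 65516, 65526
};
#define CDT_LEN (sizeof CDT / sizeof CDT[0])

/* Variable-time lookup: exits at the first entry above u, so the loop count
 * (and hence the power/EM trace) depends on the sampled value. This is the
 * data-dependent control flow the sampler attacks listed above exploit. */
int sample_vartime(uint16_t u)
{
    for (size_t i = 0; i < CDT_LEN; i++)
        if (u < CDT[i])
            return (int)i;
    return (int)CDT_LEN;
}

/* Constant-time lookup: always scans the whole table and counts entries <= u
 * via the borrow bit of a subtraction instead of a data-dependent branch. */
int sample_consttime(uint16_t u)
{
    uint32_t z = 0;
    for (size_t i = 0; i < CDT_LEN; i++)
        /* CDT[i] - u - 1 wraps, setting bit 31, exactly when u >= CDT[i]. */
        z += ((uint32_t)CDT[i] - (uint32_t)u - 1u) >> 31;
    return (int)z;
}

/* Exhaustive check that both lookups agree on every 16-bit input. */
int samplers_agree(void)
{
    for (uint32_t u = 0; u <= 0xFFFF; u++)
        if (sample_vartime((uint16_t)u) != sample_consttime((uint16_t)u))
            return 0;
    return 1;
}

int main(void)
{
    printf("agree=%d ct(0)=%d ct(26214)=%d ct(65535)=%d\n", samplers_agree(),
           sample_consttime(0), sample_consttime(26214), sample_consttime(65535));
    return 0;
}
```

An optimizing compiler can reintroduce a branch, so the generated machine code, not the C source, is what has to be checked for constant-time behaviour.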