ModFalcon: compact signatures based on module NTRU lattices

Chitchanok Chuengsatiansup¹, Thomas Prest², Damien Stehlé³˒⁴, Alexandre Wallet⁵, and Keita Xagawa⁵

1 University of Adelaide, Australia [email protected]
2 PQ Shield, Oxford, UK [email protected]
3 Univ. Lyon, EnsL, UCBL, CNRS, Inria, LIP, F-69342 Lyon Cedex 07, France [email protected]
4 Institut Universitaire de France
5 NTT Secure Platform Laboratories, Tokyo, Japan [alexandre.wallet.th,keita.xagawa.zv]@hco.ntt.co.jp

Abstract. Lattices lead to promising practical post-quantum digital signatures, com-


bining asymptotic efficiency with strong theoretical security guarantees. However, tuning
their parameters into practical instantiations is a delicate task. On the one hand, NIST
round 2 candidates based on Lyubashevsky’s design (such as DILITHIUM and qTESLA)
allow several tradeoffs between security and efficiency, but at the expense of a large band-
width consumption. On the other hand, the hash-and-sign Falcon signature is much
more compact and is still very efficient, but it allows only two security levels, with large
compactness and security gaps between them. We introduce a new family of signature
schemes based on the Falcon design, which relies on module lattices. Our concrete in-
stantiation enjoys the compactness and efficiency of Falcon, and allows an intermediate
security level. It leads to the most compact lattice-based signature achieving a quantum
security above 128 bits.

1 Introduction

Many candidates to the NIST call for post-quantum standardization rely on Euclidean
lattices. Indeed, lattice problems seem to be quantum-resistant, and at the same time
sufficiently malleable to lead to the construction of cryptographic primitives, rang-
ing from basic to advanced (such as homomorphic encryption). Moreover, relying on
structured lattices originating from algebraic number theory has led to very efficient
schemes, as showcased by the performance of the candidates still running in the sec-
ond round of the NIST call: LAC [LLJ+ 19], KYBER [SAB+ 19], NewHope [PAA+ 19],
NTRU [ZCH+ 19], NTRU Prime [BCLv19], Round5 [GZB+ 19], SABER [DKRV19],
and Three Bears [Ham19] for public-key encryption and DILITHIUM [LDK+ 19],
Falcon [PFH+ 19], and qTESLA [BAA+ 19] for signatures.
For signature schemes, a well-known approach is Gentry, Peikert and Vaikuntanathan's
hash-and-sign paradigm built upon collision-resistant preimage sampleable functions
[GPV08] (hereafter denoted GPV), and its instantiation over the so-called NTRU
lattices [HPS98]. The GPV framework enjoys tight and strong security proofs
in the quantum random oracle model (QROM) [BDF+ 11], and its security stems from
the hardness of computing a short basis of a large rank lattice. At a high level, the
idea is to rely on trapdoor Gaussian sampling in a lattice using a secret basis com-
posed of short vectors to generate signatures, while the verification key could be any
basis. One particularly promising and interesting candidate based on the GPV setting
is Falcon [PFH+ 19], built upon [HHP+ 03] and [DLP14]. This scheme ranks among
the best in terms of efficiency of its operations without sacrificing security, while
managing compact signatures and verification keys, which is usually a drawback
of lattice-based signature schemes. In a nutshell, three main features of Falcon are:
– short signatures;
– an efficient key generation algorithm to compute a full short basis of an NTRU
lattice;
– an efficient and secure Gaussian sampler.
From the point of view of practical security and side-channel attacks, Gaussian sam-
plers have been known to be a potential weak point (e.g., with respect to timing at-
tacks [BDE+ 18,TW19,FKT+ 19]). However, the one used in Falcon was provided with
a fully constant-time implementation with only minor losses in efficiency [PRR19].
A caveat of Falcon comes from its complicated implementation, as its efficiency
relies on several technical routines and the deep exploitation of the structures of the
underlying mathematical objects. In particular, the NTRU lattices can be seen as rank-2
module lattices over towers of rings of algebraic integers: this tower structure (reminiscent
of the fast Fourier transform) is at the core of Falcon's performance. More
precisely, the rings used in practice are cyclotomic rings R = Z[x]/(xd + 1) whose degree
d is a power of 2. They are a common choice for structured lattice-based cryptography,
as they enjoy well-understood algebraic properties and lead to efficient implementations.
A drawback of this choice is that powers of 2 are sparse and the bit security mostly
depends on d. This implies that if the security level of an implemented scheme must be
increased, it is very likely that the updated parameters will incur a significant loss in
efficiency while becoming an overkill in term of the reached security level. This is best
illustrated with Falcon: taking d = 512 leads to an estimated quantum security 103
bits, while d = 1024 reaches 230 quantum bit-security, without any intermediate step.
At the same time, the signature length jumps from 617 Bytes to 1233 Bytes. Should one
wish to achieve a better compromise between security and efficiency, then one would
need to select an appropriate “intermediate” ring and redo a full implementation from
scratch, as there are few, if any, number rings with a tower structure as convenient as
the power-of-two case. In fact, the NIST round 1 version of Falcon proposed an implementation
over an appropriate intermediate ring with d = 768, reaching 172 bits of
quantum security for a signature of 994 Bytes [PFH+ 17]. But it was considered way too
technical and was therefore removed from round 2.
For lattice-based public-key encryption and the other signature paradigm based on
the lattice adaptation to Schnorr signatures, this issue was successfully addressed by re-
lying on structured lattices of a larger module rank, that is, the rank when seen as a mod-
ule over R instead of a “plain” lattice. This led to the DILITHIUM [DKL+ 18,LDK+ 19]
signature, and the KYBER [BDK+ 18,SAB+ 19] and SABER [DKRV18,DKRV19] en-
cryption schemes, all competitive candidates in the second round of NIST’s call. How-
ever, no such module variant was known for NTRU schemes either for key encapsulation
or signatures, although there were approaches toward the former with the MaTRU de-
sign [CG05].

Contributions. In this work, we introduce ModFalcon, a family of efficient signature
schemes. More precisely, our main contributions are the following:

– We provide a general instantiation of the hash-and-sign paradigm to NTRU lattices
of larger module ranks, extending the Falcon design to wider ranges of parameter
sets;
– We explain how to generalize in an efficient way the key generation and signature
algorithms of Falcon (the extension of the verification algorithm is direct);
– We give a complete security analysis against known attack avenues, which encom-
passes the analysis of Falcon, and we provide light and documented scripts that
compute the bit-security levels from a set of parameters following our analysis.

Enjoying the extra flexibility in the choice of parameters, we obtain compact sig-
natures for different security levels than Falcon. In particular, we obtain the smallest
lattice-based signature that enjoys at least 128 bits of quantum security: it is about
25% smaller than Falcon-1024, and almost three times smaller than DILITHIUM-
III, which moreover only gets close to this level of quantum security. If one wants to
minimize the sum of the signature and public key lengths, then the comparison is even
more favorable. See Table 1.
Our design only mildly tweaks the existing description of Falcon, as it focuses on
module lattices over the same core cyclotomic rings. This eases the task of the implemen-
tors since they can rely on the existing building blocks. This argument, already used as
a motivation for DILITHIUM, KYBER and SABER, is even more pressing for Fal-
con, as the key generation and signature algorithms are significantly more involved. To
illustrate this modularity, we provide a proof-of-concept python implementation. Since
we build upon the existing core features of Falcon without additional manipulation
on secret data, our scheme is natively given as much resistance against timing attacks
as the implementation of Falcon provides.

Table 1. Comparison between NIST round 2 lattice-based signature schemes and our new proposal
ModFalcon. |vk| and |sig| are the sizes in Bytes of the public key and signature, respectively. λQ and λC
stand for the quantum and classical bit security estimates, respectively. For Falcon and ModFalcon,
KR and SR refer to the key and signature recovery modes.

Scheme                   |vk|   |sig|    λQ    λC
DILITHIUM-I               896    1387    53    58
DILITHIUM-II             1184    2044    91   100
Falcon-512 (SR)           897     658   109   120
Falcon-512 (KR)            28    1276   109   120
DILITHIUM-III            1472    2701   125   138
qTESLA-p-I              14880    2592   140   151
DILITHIUM-IV             1760    3366   158   174
Falcon-1024 (SR)         1793    1274   252   277
Falcon-1024 (KR)           63    2508   252   277
qTESLA-p-III            38432   12352   279   305
ModFalcon-2-512 (SR)     1792     972   174   192
ModFalcon-2-512 (KR)      940    1438   174   192
As an additional contribution, we also describe how to design a public-key encryption
scheme similar in spirit to NTRUEncrypt [HPS98], relying again on module lattices
of larger ranks. This encryption scheme can be converted into an adaptively secure
key encapsulation mechanism by means of the SXY conversion [SXY18], leading to
a tight security proof in the QROM. With this description, we could achieve similar
performance as the NTRU [ZCH+ 19] and (Streamlined) NTRU Prime [BCLv19] round-2
NIST proposals, though not better. For this reason, we chose to limit ourselves to the
description of the scheme and provide the interested readers with details on different
approaches in the concrete instantiation of the scheme.
Finally, we extend the results of [SS11,SS13] to show that the verification key is
statistically close to uniform, under some parameter constraints. Note that the concrete
parameters that we choose do not satisfy these constraints. If the verification key is close
to uniform, then one obtains a signature scheme that enjoys strong EUF-CMA security in
the QROM, under the Module-SIS hardness assumption [LS15]. This result is deduced
from a new matrix version of the leftover hash lemma over number fields, and relies
on techniques that may be of independent interest. As this requires additional number
theory material, and is somewhat disjoint from the above contributions, this contribution
is postponed to the appendix.

2 Preliminaries

For a distribution D, we write $x \leftarrow D$ to express that x is sampled from D. For x
in the support of D, we write D(x) to denote the probability of $x \leftarrow D$. For a finite
set X, we let U(X) denote the uniform distribution over X. All our vectors are row
vectors. Vectors and matrices are written in bold letters, and we additionally use upper
case letters for matrices. The row concatenation of two matrices A, B is denoted by
$[\mathbf{A}\,|\,\mathbf{B}]$ and the column concatenation (A stacked above B) by $\begin{bmatrix}\mathbf{A}\\ \mathbf{B}\end{bmatrix}$.
For any integer n, we write $\mathbf{I}_n$ resp. $\mathbf{0}_n$ for the identity matrix resp. the zero vector of size n.

2.1 Gaussian measures over lattices

A lattice is a discrete subgroup L of some $\mathbb{R}^n$. All our lattices will be full-rank. In
practice, it is described as the set of integer linear combinations of the rows of some
basis $\mathbf{B} \in \mathbb{R}^{n\times n}$. The volume of the lattice is $\mathrm{Vol}\,L := |\det \mathbf{B}|$, for any basis B of L.
The spherical Gaussian function on $\mathbb{R}^d$ centered at c and with standard deviation
s > 0 is defined as $\rho_{s,\mathbf{c}}(\mathbf{x}) = \exp(-\|\mathbf{x}-\mathbf{c}\|^2/(2s^2))$. If c = 0, we often drop c. For
any rank-d lattice L, the discrete Gaussian distribution with support L and parameters
s > 0 and c is defined as
$$\forall\, \mathbf{x} \in L,\qquad D_{s,L,\mathbf{c}}(\mathbf{x}) = \frac{\rho_{s,\mathbf{c}}(\mathbf{x})}{\rho_{s,\mathbf{c}}(L)}.$$

Given ε > 0, the smoothing parameter $\eta_\epsilon(L)$ is the smallest real s > 0 such that
$\rho_{1/s}(L^\ast) \le 1 + \epsilon$, where $L^\ast$ is the dual lattice. In a sense, it quantifies the standard
deviation parameter needed to "smooth out" the discreteness of the lattice. We omit
the definition of the dual, as it is not needed further in this work. Rather, we recall the
following standard upper bound⁶ on the smoothing parameter, which we will use for
instantiating practical parameters.

Lemma 2.1 (Adapted from [GPV08]). Let L be any rank-d lattice with basis B,
and let ε > 0. We have:
$$\eta_\epsilon(L) \le \frac{1}{\pi}\,\|\mathbf{B}\|_{GS}\cdot\sqrt{\log(2d(1+1/\epsilon))/2}.$$
The quantity $\|\mathbf{B}\|_{GS}$ is the norm of the largest vector in the Gram-Schmidt orthogonalization
of B (see also Section 2.3).

2.2 Cyclotomic fields and NTRU lattices

We let d be a power of 2 and write $K = \mathbb{Q}[x]/(x^d+1)$ for the corresponding cyclotomic field.
In this setup, $R = \mathbb{Z}[x]/(x^d+1)$ is the ring of integers of K, and for any prime integer q,
we define $R_q = R/qR \simeq \mathbb{Z}_q[x]/(x^d+1)$. There are several ways of embedding this number
field in a normed vector space. In this work, we use two of them. An element of K can
be embedded by its coefficients: $a = \sum_i a_i x^i \in K$ gives $(a_0,\dots,a_{d-1}) \in \mathbb{Q}^d$. Abusing
notation, we write a to denote both the element of K and its vector of coefficients.
We can then consider the $\ell_\infty$-norm of elements of K, $\|a\|_\infty = \max_{i\in[d-1]}|a_i|$, and
their Euclidean norm $\|a\| = \sqrt{\langle a,a\rangle} = (\sum_i |a_i|^2)^{1/2}$, where $\langle\cdot,\cdot\rangle$ is the standard inner
product over $\mathbb{R}^d$. Observe that $\|x^i a\| = \|a\|$ for all $i \in [d]$. For all $a \in K$ we let
$a^\star := a(x^{-1}) = (a_0, -a_{d-1}, \dots, -a_1)$.
Elements of K can also be represented by their nega-circulant matrix of multiplication,
when seeing K as a Q-linear space with basis $1, x, \dots, x^{d-1}$. In other words, the
matrix $\mathcal{M}(a)$ has as rows the coefficient vectors of $a, xa, \dots, x^{d-1}a$, and we have
$\mathcal{M}(ab) = \mathcal{M}(a)\,\mathcal{M}(b)$. It can be seen that $\mathcal{M}(a^\star) = \mathcal{M}(a)^t$. Thus for all $a, b \in K$, we have
$\langle a, b\rangle = \langle ab^\star, 1\rangle$, so that $\|a\|^2$ is the constant coefficient of $aa^\star$.
These notions extend to the linear space $K^n$ by concatenating the coefficient
vectors of an element $\mathbf{a} = (a_1,\dots,a_n)$. The norms over $\mathbb{Q}^d$ extend as $\|\mathbf{a}\|_\infty =
\max_{i\in[n]}\|a_i\|_\infty$ and $\|\mathbf{a}\| = (\sum_{i\in[n]}\|a_i\|^2)^{1/2}$. We extend the $\star$ operator component-wise,
and consider the K-bilinear form $\langle\mathbf{a},\mathbf{b}\rangle_K = \sum_i a_i b_i^\star$. The latter corresponds to the
Euclidean norm, in the sense that
$$\|\mathbf{a}\|^2 = \sum_i \|a_i\|^2 = \Big\langle \sum_i a_i a_i^\star,\, 1\Big\rangle = \big\langle \langle\mathbf{a},\mathbf{a}\rangle_K,\, 1\big\rangle,$$
or, in other words, $\|\mathbf{a}\|^2$ is the constant coefficient of $\langle\mathbf{a},\mathbf{a}\rangle_K$. We also extend the matrix
representation to vectors over K:
$$\mathcal{M}(\mathbf{a}) = [\mathcal{M}(a_1)\,|\,\dots\,|\,\mathcal{M}(a_n)] \in \mathbb{Q}^{d\times nd},$$
which can also be used for matrices over K.


6 Our formulation takes into account a different normalization for the Gaussian function than [GPV08].
NTRU module lattices. We call a module in $K^m$ a subset of the form $M = R\mathbf{b}_1 + \dots + R\mathbf{b}_n$
such that $\mathrm{Span}_K(\mathbf{b}_1,\dots,\mathbf{b}_n)$ has dimension n.⁷ Observe that for all $x \in R$ and all
$\mathbf{a} \in M$, we have $x\mathbf{a} \in M$. Let now $\mathbf{F} \in R^{n\times n}$ be invertible modulo some prime integer
q, and $\mathbf{g} \in R^n$. We also let $\mathbf{h}^t = \mathbf{F}^{-1}\mathbf{g}^t \bmod q \in R^n$, and define the NTRU module as
$$L_{\mathrm{NTRU}} := \{(u, \mathbf{v}) \in R^{n+1} : u + \mathbf{v}\mathbf{h}^t = 0 \bmod q\}.$$
It contains $qR^{n+1}$, so it is in particular of full rank n + 1. Recall that for any invertible
$\mathbf{F} \in R^{n\times n}$, the adjugate of F is the unique matrix $\mathrm{adj}(\mathbf{F})$ satisfying $\mathrm{adj}(\mathbf{F})\cdot\mathbf{F} =
\mathbf{F}\cdot\mathrm{adj}(\mathbf{F}) = (\det_K \mathbf{F})\cdot\mathbf{I}_n$. If there exist $g_0 \in R$ and $\mathbf{f}_0 \in R^n$ such that
$g_0\cdot\det_K\mathbf{F} - \mathbf{f}_0\cdot\mathrm{adj}(\mathbf{F})\cdot\mathbf{g}^t = q \in R$, then $L_{\mathrm{NTRU}}$ admits bases in $K^{n+1}$ of the form
$$\mathbf{B}_{\mathrm{NTRU}} = \begin{bmatrix} -\mathbf{h}^t & \mathbf{I}_n \\ q & \mathbf{0}_n \end{bmatrix}
\qquad\text{and}\qquad
\mathbf{B}_{\mathbf{F},\mathbf{g}} = \begin{bmatrix} \mathbf{g}^t & -\mathbf{F} \\ g_0 & -\mathbf{f}_0 \end{bmatrix},$$
since Schur's complement formula shows that $\det_K \mathbf{B}_{\mathbf{F},\mathbf{g}} = q$, and one can check that
$\mathbf{B}_{\mathbf{F},\mathbf{g}}\cdot\begin{bmatrix} 1 \\ \mathbf{h}^t\end{bmatrix} = \mathbf{0} \bmod q$. As any module, $L_{\mathrm{NTRU}}$ can be seen as a Z-lattice in $\mathbb{Q}^{(n+1)d}$ by
concatenation of the coefficient vectors. We can see that $\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}}) \in \mathbb{Z}^{(n+1)d\times(n+1)d}$ is a
basis of the underlying lattice, so an NTRU lattice has volume $q^d$.

2.3 Gram-Schmidt orthogonalization


Let $n \le m$, and let $\mathbb{F}$ be a field (either $\mathbb{R}$ or $K = \mathbb{Q}[x]/(x^d+1)$). Let $\langle\cdot,\cdot\rangle$ be a non-degenerate
$\mathbb{F}$-bilinear form, i.e., such that $\langle\mathbf{a},\mathbf{a}\rangle = 0$ implies $\mathbf{a} = \mathbf{0} \in \mathbb{F}^m$.
When $\mathbb{F} = \mathbb{R}$ the form $\langle\cdot,\cdot\rangle$ is the standard inner product, and when $\mathbb{F} = K$, we
consider $\langle\mathbf{a},\mathbf{b}\rangle_K = \sum_{i\in[m]} a_i b_i^\star$. We say that $\mathbf{a},\mathbf{b} \in \mathbb{F}^m$ are orthogonal if $\langle\mathbf{a},\mathbf{b}\rangle = 0$. For
any $\mathbf{B} \in \mathbb{F}^{n\times m}$ of rank n with rows $\mathbf{b}_i$, the Gram-Schmidt Orthogonalization (GSO)
with respect to $\langle\cdot,\cdot\rangle$ builds $\mathbb{F}$-linearly independent $\tilde{\mathbf{b}}_i$'s by the formula
$$\tilde{\mathbf{b}}_1 = \mathbf{b}_1 \qquad\text{and}\qquad \tilde{\mathbf{b}}_i = \mathbf{b}_i - \sum_{j<i}\frac{\langle\mathbf{b}_i,\tilde{\mathbf{b}}_j\rangle}{\langle\tilde{\mathbf{b}}_j,\tilde{\mathbf{b}}_j\rangle}\cdot\tilde{\mathbf{b}}_j \quad\text{for } i > 1.$$
We have $\mathrm{Span}(\tilde{\mathbf{b}}_1,\dots,\tilde{\mathbf{b}}_i) = \mathrm{Span}(\mathbf{b}_1,\dots,\mathbf{b}_i)$ for all $i \in [n]$. The formula also expresses
that $\tilde{\mathbf{b}}_i$ is the projection of $\mathbf{b}_i$ orthogonally to the space spanned by $\tilde{\mathbf{b}}_1,\dots,\tilde{\mathbf{b}}_{i-1}$. The
GSO amounts to writing $\mathbf{B} = \mathbf{L}\cdot\tilde{\mathbf{B}}$, where L is lower triangular with 1's on its
diagonal, and the rows $\tilde{\mathbf{b}}_i$ of $\tilde{\mathbf{B}}$ are pairwise orthogonal for $\langle\cdot,\cdot\rangle$. This decomposition
is unique, and we have $\det(\mathbf{B}\mathbf{B}^\star) = \det(\tilde{\mathbf{B}}\tilde{\mathbf{B}}^\star) = \prod_{i\in[n]}\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_i\rangle$. We define the Gram-Schmidt
norm of $\mathbf{B} \in \mathbb{R}^{n\times m}$ as $\|\mathbf{B}\|_{GS} := \max_{i\in[n]}\|\tilde{\mathbf{b}}_i\|$.
If $\mathbf{B} \in K^{n\times m}$, observe that $\mathcal{M}(\tilde{\mathbf{B}}) \in \mathbb{Q}^{nd\times md}$ is not the standard GSO of $\mathcal{M}(\mathbf{B})$,
as the former matrix has a block structure while the latter does not in general.
However, the operator $\mathcal{M}$ relates several interesting properties of the GSO
over K to the GSO over $\mathbb{R}$, which we gather in the next lemma. Its proof is inspired
by [DLP14,DP16].
Lemma 2.2. Let $\mathbf{B} = [\mathbf{b}_1,\dots,\mathbf{b}_n]$ with rows $\mathbf{b}_i \in K^m$, and let $\mathcal{M}(\mathbf{B}) = [\mathbf{r}_1,\dots,\mathbf{r}_{nd}]$. The following holds
for all $i \in [n]$:
– the coefficient vector of $\tilde{\mathbf{b}}_i$ is $\tilde{\mathbf{r}}_{(i-1)d+1}$;
– $\det(\mathcal{M}(\mathbf{B}\mathbf{B}^\star)) = \prod_{i=1}^{nd}\|\tilde{\mathbf{r}}_i\|^2$;
– $\|\mathcal{M}(\mathbf{B})\|_{GS} = \max\{\|\tilde{\mathbf{r}}_1\|, \|\tilde{\mathbf{r}}_{d+1}\|, \dots, \|\tilde{\mathbf{r}}_{(n-1)d+1}\|\}$.

7 Formally, these are free and finitely generated R-modules in $K^m$.

Proof. Let $V_i = \mathrm{Span}_K(\mathbf{b}_1,\dots,\mathbf{b}_i)$. With an abuse of notation, write $\mathcal{M}(V_i)$ for the row span
of the matrix whose row blocks are $\mathcal{M}(\mathbf{b}_1),\dots,\mathcal{M}(\mathbf{b}_i)$.
For every i, we have $\dim_{\mathbb{Q}}\mathcal{M}(V_i) = d\cdot\dim_K V_i$. By definition, we know that $\tilde{\mathbf{b}}_i$ is orthogonal
to $V_{i-1}$. This means that $\mathcal{M}(\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_j\rangle_K) = \sum_{k\in[m]}\mathcal{M}(\tilde{b}_{ik})\,\mathcal{M}(\tilde{b}_{jk})^t$ is the zero matrix
in $\mathbb{Q}^{d\times d}$ for all $j \le i-1$. Said differently, the space $\mathrm{RowSpan}(\mathcal{M}(\tilde{\mathbf{b}}_i))$ is orthogonal to
$\mathcal{M}(V_{i-1})$. By definition of the GSO, this implies that (the coefficient vector of) $\tilde{\mathbf{b}}_i$ is
orthogonal to $\mathrm{Span}_{\mathbb{Q}}(\mathbf{r}_1,\dots,\mathbf{r}_{(i-1)d})$. By uniqueness of the GSO, we see that $\tilde{\mathbf{b}}_i = \tilde{\mathbf{r}}_{(i-1)d+1}$.
Next, the orthogonality in K implies that $\mathcal{M}(\tilde{\mathbf{B}})\,\mathcal{M}(\tilde{\mathbf{B}})^t$ is a block-diagonal matrix,
with blocks $\mathcal{M}(\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_i\rangle_K)$ for $i \le n$. This gives
$$\det(\mathcal{M}(\mathbf{B}\mathbf{B}^\star)) = \det(\mathcal{M}(\tilde{\mathbf{B}}\tilde{\mathbf{B}}^\star)) = \prod_{i\in[n]}\det\big(\mathcal{M}(\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_i\rangle_K)\big) = \prod_{i=1}^{nd}\|\tilde{\mathbf{r}}_i\|^2.$$
For the last statement, note that for every i and j, the vector $\tilde{\mathbf{r}}_{id+j}$ is a projection
of a vector that has the same norm as $\mathbf{r}_{id+1}$.

3 ModFalcon

Our construction of a Module-NTRU signature scheme is based on the GPV framework
[GPV08]. The public key is a pseudorandom matrix A, whereas the private key is
some trapdoor information about A: typically (and this is the case for our scheme too),
it consists of a short basis B of the module lattice "orthogonal modulo q" to the
lattice generated by A. Previous works [SS13,DLP14,PFH+ 19] have instantiated the
GPV framework with NTRU lattices for n = 1. Here we describe instantiations for
n ≥ 2. This provides extra flexibility in setting the parameters compared to e.g. Falcon
[PFH+ 19], and allows reaching more security levels.
During the signing procedure, the signer hashes the message to a point $\mu \in R_q$
and uses the trapdoor information in conjunction with an algorithm called a trapdoor
sampler in order to compute a short preimage of µ, i.e., a short vector s such that
$\mathbf{s}\cdot\mathbf{A} = \mu$. For the trapdoor sampler, there exist several possibilities, with different
trade-offs in terms of speed, simplicity and security (the shorter the vectors a trapdoor
sampler outputs, the more security it provides). We use the fast Fourier sampler of
Falcon [DP16]. This can be done in $O(d\log d)$ arithmetic operations (by exploiting the
tower structure of $R = \mathbb{Z}[x]/(x^d+1)$), while achieving a high level of security. Indeed,
the GPV framework enjoys the tight QROM security proof of [BDF+ 11]. As most
aspects of our design are inspired from Falcon, we call our module generalization
ModFalcon.
To allow for an efficient multiplication in $R_q$ via the Number Theoretic Transform,
we choose a prime integer q such that $q = 1 \bmod 2d$. We could alternatively use a
prime q satisfying $q = 3 \bmod 8$, which is a parameter condition for the statistical study
of the verification key in Section A. Let n ≥ 1 be an integer, and let $D_{\mathbf{f}}$ and $D_{\mathbf{g}}$ be
distributions over $R^{n\times n}$ and $R^n$, respectively. Let $H : \{0,1\}^\ast \to R_q$ be a cryptographic
hash function modeled as a random oracle. Finally, let $\mathrm{Compress} : R^{n+1} \to \{0,1\}^\ast$ and
$\mathrm{Decompress} : \{0,1\}^\ast \to R^{n+1}$ be efficient maps such that $\mathrm{Decompress}\circ\mathrm{Compress}$ is the
identity.
Our key generation, signature and verification algorithms follow closely the descrip-
tion of Falcon, however some steps do not readily generalize. Below, we describe the
modifications in details.

3.1 On key generation

Key generation
1: repeat
2:   Sample $\mathbf{F} \leftarrow D_{\mathbf{f}}$ and $\mathbf{g} \leftarrow D_{\mathbf{g}}$
3: until $\mathbf{F}$ invertible mod q and $\|\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}})\|_{GS} \le \mathrm{gs\_slack}\cdot q^{1/(n+1)}$
4: Complete $[\mathbf{g}^t \,|\, -\mathbf{F}]$ into a basis $\mathbf{B}_{\mathbf{F},\mathbf{g}}$ of $L_{\mathrm{NTRU}}$
5: Compute $\mathbf{h}^t = \mathbf{F}^{-1}\mathbf{g}^t \bmod q$
6: return $\big(vk = \begin{bmatrix} 1 \\ \mathbf{h}^t \end{bmatrix},\ sk = \mathbf{B}_{\mathbf{F},\mathbf{g}}\big)$

The most important differences between Falcon and ModFalcon are in the key
generation; since we generate different, more generic lattices, our methods and choice
of parameters need to be generalized as well.

The Gram-Schmidt slack. Using Lemma 2.2 and the fact that the NTRU lattice has
determinant $q^d$, one checks that $\|\mathbf{B}\|_{GS} \ge q^{1/(n+1)}$. In [DLP14], it is experimentally
shown that for n = 1, one can carefully select $D_{\mathbf{f}}$ and $D_{\mathbf{g}}$ so as to get within a factor 1.17
of that optimal lower bound $\sqrt{q}$. By performing our own experiments, we
extend this approach to higher values of n. We found that with constant probability,
one can get $\|\mathbf{B}\|_{GS} \le \mathrm{gs\_slack}\cdot q^{1/(n+1)}$, where $\mathrm{gs\_slack} \ge 1$ is some "slack" which
quantifies the gap between the lower bound on $\|\mathbf{B}\|_{GS}$ and what we can achieve in
practice. Concretely, we take:

For n = 1, gs_slack = 1.17;
For n = 2, gs_slack = 1.17;        (1)
For n = 3, gs_slack = 1.24.

The distributions $D_{\mathbf{f}}$ and $D_{\mathbf{g}}$. For the security of the trapdoor sampling procedure in the
GPV framework, one needs to sample discrete Gaussians in R with a standard deviation
parameter above the GS-norm of the trapdoor basis. To maximize security, we
would like this GS-norm to be as small as possible (this makes signature forgery harder).
Thanks to Lemma 2.2, we can control $\|\mathbf{B}_{\mathbf{F},\mathbf{g}}\|_{GS}$ by careful sampling of the rows of $\mathbf{B}_{\mathbf{F},\mathbf{g}}$.
In particular, we can try to have all rows of essentially the same norm.
To do so, we notice that projecting a random vector of $K^{n+1}$ orthogonally to a random
subspace of dimension i − 1 (i.e., onto its complement, of dimension n + 2 − i) typically
shrinks its Euclidean norm by a factor $\sqrt{(n+2-i)/(n+1)}$. This effect can be compensated
by sampling each row $[f_{i1},\dots,f_{in},g_i]$ according to a discrete Gaussian with standard deviation
$$\mathrm{gs\_slack}\cdot\frac{1}{\sqrt{d(n+2-i)}}\cdot q^{1/(n+1)}$$
(the factor d comes from the fact that the Euclidean norms are for vectors in $\mathbb{R}^{d(n+1)}$). Overall,
we expect that $\|\mathbf{B}\|_{GS} \le \mathrm{gs\_slack}\cdot q^{1/(n+1)}$ with constant probability (if n is bounded
from above by a constant).

Completing the trapdoor basis. A full basis of the NTRU lattice is needed to perform
trapdoor sampling. Hence we need an extra vector $[g \,|\, -\mathbf{f}] \in R^{n+1}$ to complete $[\mathbf{g}^t \,|\, -\mathbf{F}]$
into $\mathbf{B}_{\mathbf{F},\mathbf{g}}$. When n = 1, this boils down to solving a "Bézout"-like equation over R, which
can be done efficiently by a recursive approach [PP19] exploiting the tower structure
of $R = \mathbb{Z}[x]/(x^d+1)$. We show how to reduce our current situation to the case n = 1.
From Schur's complement formula, we have:
$$\det_K(\mathbf{B}_{\mathbf{F},\mathbf{g}}) = \det_K(\mathbf{F})\cdot\big(g - \mathbf{f}\cdot\mathbf{F}^{-1}\cdot\mathbf{g}^t\big) = \det_K(\mathbf{F})\cdot g - \mathbf{f}\cdot\mathrm{adj}(\mathbf{F})\cdot\mathbf{g}^t.$$
We let $\mathbf{f} = (f, 0, \dots, 0)$, so that this equation becomes $g\cdot\det_K(\mathbf{F}) - A\cdot f = q \in R$, where
$\det_K(\mathbf{F}) \in R$ and $A \in R$ is the first coordinate of $\mathrm{adj}(\mathbf{F})\cdot\mathbf{g}^t$, which can be computed once F
and g have been generated. Then we can solve for f, g using [PP19].

Implicit computation of $\|\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}})\|_{GS}$. The matrix $\mathbf{B}_{\mathbf{F},\mathbf{g}}$ is entirely resampled if its
Gram-Schmidt norm is larger than a certain threshold, thus it might be resampled a
few times; on the other hand, computing $[g \,|\, -\mathbf{f}]$ (following the trapdoor completion
procedure described in the previous paragraph) is somewhat computationally expensive, so
we only want to do it once. Recall from Lemma 2.2 that $\|\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}})\|_{GS} = \max_{i\in[n+1]}\|\tilde{\mathbf{b}}_i\|$,
and that we have
$$q^2 = \det_K\big(\mathbf{B}_{\mathbf{F},\mathbf{g}}\cdot\mathbf{B}_{\mathbf{F},\mathbf{g}}^\star\big) = \prod_{i=1}^{n+1}\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_i\rangle_K.$$
Once $[\mathbf{g}^t \,|\, -\mathbf{F}]$ has been sampled, we can apply Lemma 2.2 to compute all the $\langle\tilde{\mathbf{b}}_i,\tilde{\mathbf{b}}_i\rangle_K$'s
for $i \le n$ and deduce the remaining $\langle\tilde{\mathbf{b}}_{n+1},\tilde{\mathbf{b}}_{n+1}\rangle_K$, of which $\|\tilde{\mathbf{b}}_{n+1}\|^2$ is the constant
coefficient. We can hence compute $\|\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}})\|_{GS}$ before completing $\mathbf{B}_{\mathbf{F},\mathbf{g}}$, allowing
us to make only one single call to the trapdoor completion procedure.
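The objects used so far (the ring arithmetic and the nega-circulant matrix M(a) of Section 2.2, the membership test u + v·h^t = 0 mod q of the NTRU module, the Gram-Schmidt identities of Lemma 2.2 and the implicit computation of the last GS norm above) can be exercised end to end on toy parameters. The following Python script is an added example written for this page; it is not the ModFalcon authors' code nor the Falcon reference implementation. It assumes constructed toy sizes d = 4, n = 2, q = 17 (so q = 1 mod 2d), samples F and g with coefficients in {−1, 0, 1} instead of the discrete Gaussians of Section 3.1, does all linear algebra exactly over Q with fractions (no NTT, nothing constant-time), and does not implement the trapdoor completion of [PP19]: the GS norm of the completion row is only predicted from q² = ∏⟨b̃_i, b̃_i⟩_K, and that prediction is checked against the public basis B_NTRU, which is a complete basis of the same lattice with K-determinant ±q. All helper names (mul, star, M_block, gs_data, implicit_last_gs_norm_sq, demo) are this example's own.

```python
"""Added example, not the ModFalcon/Falcon code: exact toy arithmetic for K = Q[x]/(x^D+1),
the NTRU module lattice, Lemma 2.2 and the implicit GS-norm computation of Section 3.1.
Constructed toy sizes D = 4, N = 2, Q = 17 (Q = 1 mod 2D); coefficients in {-1,0,1}; not secure."""
from fractions import Fraction
import random

D, N, Q = 4, 2, 17

def mul(a, b):                        # product in K = Q[x]/(x^D + 1): x^D wraps to -1
    c = [0] * D
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < D: c[i + j] += ai * bj
            else:         c[i + j - D] -= ai * bj
    return c

def star(a): return [a[0]] + [-a[D - k] for k in range(1, D)]   # a* = a(x^{-1})

def M(a):                             # nega-circulant matrix: rows = a, xa, ..., x^{D-1} a
    rows, cur = [], list(a)
    for _ in range(D):
        rows.append(cur)
        cur = [-cur[-1]] + cur[:-1]   # multiply by x
    return rows

def M_block(B):                       # M(B) for a list of rows over K: one DxD block per entry
    return [[x for a in row for x in M(a)[k]] for row in B for k in range(D)]

def dot(u, v): return sum(x * y for x, y in zip(u, v))

def inner_K(u, v):                    # <u, v>_K = sum_i u_i v_i*, an element of K
    acc = [0] * D
    for ui, vi in zip(u, v):
        acc = [x + y for x, y in zip(acc, mul(ui, star(vi)))]
    return acc

def inverse_K(a):                     # a^{-1} in K: solve x.M(a) = e_0 by Gauss-Jordan over Q
    Ma = M(a)
    A = [[Fraction(Ma[j][i]) for j in range(D)] + [Fraction(int(i == 0))] for i in range(D)]
    for col in range(D):
        piv = next((r for r in range(col, D) if A[r][col] != 0), None)
        if piv is None: return None   # only for a = 0, as x^D + 1 is irreducible over Q
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(D):
            if r != col and A[r][col] != 0:
                A[r] = [x - A[r][col] * y for x, y in zip(A[r], A[col])]
    return [A[i][D] for i in range(D)]

def inverse_mod_q(a):                 # a^{-1} in R_q, lifted from the exact inverse: a is a unit
    inv = inverse_K(a)                # mod q iff no reduced denominator of a^{-1} is divisible by q
    if inv is None or any(f.denominator % Q == 0 for f in inv): return None
    return [f.numerator * pow(f.denominator, -1, Q) % Q for f in inv]

def ntru_public_key(F, g):            # h^t = F^{-1} g^t mod q, via the adjugate (N = 2 only)
    det = [x - y for x, y in zip(mul(F[0][0], F[1][1]), mul(F[0][1], F[1][0]))]
    det_inv = inverse_mod_q(det)
    if det_inv is None: return None   # key generation would resample F here
    adjF = [[F[1][1], [-c for c in F[0][1]]], [[-c for c in F[1][0]], F[0][0]]]
    h = []
    for i in range(N):
        acc = [0] * D
        for j in range(N):
            acc = [x + y for x, y in zip(acc, mul(adjF[i][j], g[j]))]
        h.append([c % Q for c in mul(acc, det_inv)])
    return h

def in_ntru_module(u, v, h):          # (u, v) in L_NTRU  <=>  u + v.h^t = 0 mod q
    acc = list(u)
    for vj, hj in zip(v, h):
        acc = [x + y for x, y in zip(acc, mul(vj, hj))]
    return all(c % Q == 0 for c in acc)

def gso(rows):                        # Gram-Schmidt orthogonalization over Q
    tilde = []
    for r in rows:
        v = [Fraction(x) for x in r]
        for t in tilde:
            mu = dot(r, t) / dot(t, t)
            v = [vi - mu * ti for vi, ti in zip(v, t)]
        tilde.append(v)
    return tilde

def gs_data(B):                       # Lemma 2.2: b~_i is row (i-1)D+1 of the GSO of M(B)
    tilde, m = gso(M_block(B)), len(B[0])
    bt = [[tilde[i * D][k * D:(k + 1) * D] for k in range(m)] for i in range(len(B))]
    return [dot(tilde[i * D], tilde[i * D]) for i in range(len(B))], [inner_K(b, b) for b in bt]

def implicit_last_gs_norm_sq(rows):   # Section 3.1: from n rows of a basis with det_K = q, deduce
    norms, grams = gs_data(rows)      # ||b~_{n+1}||^2 via q^2 = prod_i <b~_i, b~_i>_K
    P = [1] + [0] * (D - 1)
    for G in grams: P = mul(P, G)
    last = mul([Fraction(Q * Q)] + [0] * (D - 1), inverse_K(P))
    return max(norms), last[0]        # ||b~_{n+1}||^2 is the constant coefficient

def demo(seed=7):
    rng = random.Random(seed)
    while True:                       # resample until det_K(F) is a unit mod q
        F = [[[rng.randint(-1, 1) for _ in range(D)] for _ in range(N)] for _ in range(N)]
        g = [[rng.randint(-1, 1) for _ in range(D)] for _ in range(N)]
        h = ntru_public_key(F, g)
        if h is not None: break
    negF = [[[-c for c in F[i][j]] for j in range(N)] for i in range(N)]
    one, zero = [1] + [0] * (D - 1), [0] * D
    B_pub = [[[-c for c in h[i]]] + [one if j == i else zero for j in range(N)] for i in range(N)]
    B_pub.append([[Q] + [0] * (D - 1)] + [zero] * N)   # B_NTRU = [[-h^t, I_n], [q, 0_n]], det_K = +-q
    norms_pub, grams_pub = gs_data(B_pub)
    P = one
    for G in grams_pub: P = mul(P, G)
    gs_max, gs_last = implicit_last_gs_norm_sq([[g[i]] + negF[i] for i in range(N)])
    return {"rows_in_lattice": all(in_ntru_module(g[i], negF[i], h) for i in range(N)),
            "det_identity": P == [Q * Q] + [0] * (D - 1),
            "prediction_matches": implicit_last_gs_norm_sq(B_pub[:N])[1] == norms_pub[N],
            "gs_norm_sq_trapdoor": max(gs_max, gs_last),   # must be >= q^{2/(n+1)}
            "lower_bound_sq": Q ** (2 / (N + 1))}
```

For the trapdoor rows [g^t | −F], the value max(gs_max, gs_last) returned by demo() is exactly what the key generation loop compares against gs_slack · q^{1/(n+1)} before paying for the completion step; on these toy sizes the lower bound q^{2/(n+1)} on the squared GS norm is visible in the returned dictionary, and the identity ∏⟨b̃_i, b̃_i⟩_K = q² is verified exactly on B_NTRU.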

3.2 Signature and verification


As in the original Falcon scheme, the signature is a pair (r, S), where r is a hashing
salt and S encodes a short vector s such that $\mathbf{s}\cdot vk = H(r\|msg)$. The core technical part
of the signing procedure is, once $H(r\|msg)$ has been computed, to use the secret key
$\mathbf{B}_{\mathbf{F},\mathbf{g}}$ to sample a proper s. This is done via a technique known as fast Fourier sampling,
developed in [DP16,PFH+ 19].

Signature: (sk, msg) → (r, S)
Require: A standard deviation parameter σ
1: Get $r \leftarrow U(\{0,1\}^{\lambda_r})$
2: $\mu \leftarrow H(r\|msg) \in R_q$ and let $\mathbf{c} = (\mu, 0, \dots, 0)$
3: Compute $\mathbf{t} = \mathbf{c}\cdot\mathbf{B}_{\mathbf{F},\mathbf{g}}^{-1}$
4: Compute $\mathbf{z} \in R^{n+1}$ such that $\mathbf{s} := (\mathbf{t} - \mathbf{z})\cdot\mathbf{B}_{\mathbf{F},\mathbf{g}} \leftarrow D_{\sigma, L_{\mathrm{NTRU}}, \mathbf{c}}$
5: $S = \mathrm{Compress}(\mathbf{s})$
6: return the signature (r, S).

Verification: (vk, msg, (r, S)) → accept or reject
Require: A fixed bound ρ on the length of the signature
1: $\mathbf{s} \leftarrow \mathrm{Decompress}(S)$
2: If $\|\mathbf{s}\| > \rho$, return reject
3: If $\mathbf{s}\cdot vk \ne H(r\|msg)$, return reject
4: return accept

The procedures Compress and Decompress. Our compression and decompression pro-
cedures are identical to the ones used in Falcon [PFH+ 19, Section 3.11.2]: for each
integer coefficient, the sign as well as the $\lfloor\log_2(\sigma)\rfloor - 1$ least significant bits are encoded
verbatim, whereas the remaining most significant bits are encoded following a unary
encoding.
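As an added illustration of the encoding just described (this is example code written for this page, not the Falcon or ModFalcon reference implementation; the exact bit order, the zeros-then-one form of the unary part, the zero padding to a byte boundary and the rejection of a "−0" encoding are this example's own choices), the following Python functions compress and decompress a signature vector coefficient by coefficient, with low = ⌊log2(σ)⌋ − 1 bits copied verbatim.

```python
"""Added example of Falcon-style coefficient compression (Section 3.2); conventions are
this example's own, not the reference implementation's."""
import math

def low_bits(sigma):
    """Number of verbatim low bits per coefficient: floor(log2(sigma)) - 1."""
    return math.floor(math.log2(sigma)) - 1

def compress(coeffs, low):
    """Per coefficient v: sign bit, the `low` least-significant bits of |v| (MSB first),
    then |v| >> low in unary as that many 0 bits followed by a 1.  Zero-padded to bytes."""
    bits = []
    for v in coeffs:
        mag = abs(v)
        bits.append(1 if v < 0 else 0)
        bits.extend((mag >> (low - 1 - k)) & 1 for k in range(low))
        bits.extend([0] * (mag >> low) + [1])
    bits.extend([0] * (-len(bits) % 8))
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def decompress(data, low, count):
    """Inverse of compress for exactly `count` coefficients.  Returns None on malformed
    input: truncated stream, missing unary terminator, non-zero padding, or a "-0"
    encoding (which would give one signature vector two different byte strings)."""
    bits = [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]
    pos, out = 0, []
    for _ in range(count):
        if pos + 1 + low > len(bits): return None
        sign, pos = bits[pos], pos + 1
        mag = 0
        for _k in range(low):
            mag, pos = (mag << 1) | bits[pos], pos + 1
        high = 0
        while pos < len(bits) and bits[pos] == 0:
            high, pos = high + 1, pos + 1
        if pos >= len(bits): return None            # unary run never terminated
        pos += 1
        mag |= high << low
        if sign and mag == 0: return None           # reject "-0"
        out.append(-mag if sign else mag)
    if any(bits[pos:]): return None                 # padding must be all zeros
    return out

# Constructed sample vector (not a real signature); with sigma ~ 165.7, low = 6.
SAMPLE = [0, 5, -37, 120, -1, 64, 2, -300]
ENCODED = compress(SAMPLE, low_bits(165.7))
```

Rejecting non-canonical encodings in Decompress (a negative zero, a truncated unary run, non-zero padding) matters beyond robustness: Verification accepts any byte string that decodes to the same s, so a decoder that tolerated several encodings of one vector would make signatures trivially malleable even though s itself is not.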

The standard deviation parameter σ. This parameter should be large enough so that the
output distribution of the fast Fourier sampler is close to a perfect discrete Gaussian. To
apply the Rényi divergence arguments of [Pre17, Section 3.3 and Lemma 6], it suffices
to take $\sigma \ge \eta_\epsilon(R^{n+1})\cdot\|\mathcal{M}(\mathbf{B}_{\mathbf{F},\mathbf{g}})\|_{GS}$ with $\epsilon = \frac{1}{4\sqrt{\lambda Q_s}}$, where $Q_s$ is a given upper bound
on the total number of signatures generated using a single key pair, and λ := 256 is
an upper bound on the bit security we are aiming at (we could optimize the value of λ
for specific bit-security targets, but this has negligible impact). Concretely, the standard
deviation parameter σ is set using the bound on $\eta_\epsilon$ given by Lemma 2.1.

Fast Fourier sampling for module NTRU lattices. An in-depth description of fast Fourier
sampling is outside the scope of this work, and we refer the interested reader to [PFH+ 19].
Here, we outline the main operations and how they can be modified to fit our design.
The sampler uses a well-designed tree representation of the trapdoor basis $\mathbf{B}_{\mathbf{F},\mathbf{g}}$. Recall
that the LDL decomposition of a symmetric positive definite matrix G writes it
uniquely as $\mathbf{G} = \mathbf{L}\mathbf{D}\mathbf{L}^\star$, where L is lower triangular with 1's on its diagonal, and D is
diagonal with positive entries. The tree is built using successive LDL decompositions
over K of the Gram matrix $\mathbf{G} = \mathbf{B}_{\mathbf{F},\mathbf{g}}\cdot\mathbf{B}_{\mathbf{F},\mathbf{g}}^\star$.
The root of the tree is labeled with the strictly lower-triangular entries of the first L factor,
and its children correspond to the entries of the diagonal matrix D. The next level of the tree
is obtained recursively by repeating the procedure on the diagonal blocks, using the fact that
K has a tower structure of quadratic extensions over Q. At the bottom of the tree, the leaves
are labeled with rationals describing the standard deviations needed for the sampler to
output signatures with the correct distribution.
For Falcon, with n = 1, the first level of the tree contains two entries, as $\mathbf{G} \in K^{2\times 2}$.
In our design, and more generally for an input basis in $K^{n\times n}$, the root is labeled by
the n(n−1)/2 entries of the strictly lower part of L, and there are n children, each corresponding
to a non-zero entry of D. This is the only modification for building the tree since, starting
at the next level, the same procedure as in Falcon is used to complete the tree.

The rejection bound ρ. For security, we want ρ to be small. However, the norm of a Gaussian
of standard deviation σ will have a median and an expected value of about $\sigma\sqrt{d(n+1)}$,
so if we do not want to restart the signing procedure too many times, we should take ρ
larger than this value. One can explicitly bound the rejection probability using [Lyu12,
Lemma 4.4]; for example taking
$$\rho = \big\lfloor 1.1\cdot\sigma\sqrt{d(n+1)}\big\rceil \qquad (2)$$
ensures, for all parameter sets in this paper, that less than 1% of the signatures will be
rejected. This is clearly sufficient for our purposes.

The salt r. Outputting two different signatures $\mathbf{s} \ne \mathbf{s}'$ for the same hash µ yields a
short vector in the NTRU lattice, and is therefore highly undesirable. If the salt r does
not have enough entropy, an adversary may query signatures for the same message msg
until $H(r\|msg) = H(r'\|msg)$ for $r \ne r'$. We require that
$$\lambda_r \ge \lambda + \log_2 Q_s, \qquad (3)$$
where λ is as above. Taking $r \leftarrow U(\{0,1\}^{\lambda_r})$ and applying the birthday paradox, an
adversary making $Q_s$ signature queries will find colliding hashes with a probability
upper bounded by about $1 - \exp(-Q_s^2/2^{\lambda_r+1}) \approx Q_s^2/2^{\lambda_r+1}$.

Key-recovery and signature-recovery modes. The scheme can be instantiated in signature-
recovery mode. Writing $\mathbf{s} = (s_1, \mathbf{s}') \in R\times R^n$, we have
$$s_1 = H(r\|msg) - \mathbf{s}'\cdot\mathbf{h}^t \in R_q, \qquad (4)$$
therefore $s_1$ can be deduced from the rest of the signature and does not need to be
sent. This optimization is used in [DLP14,PFH+ 19] to reduce the signature size, and it
applies here too. It shrinks the signature size by a factor of roughly (n + 1)/n.
The scheme can also be instantiated in key-recovery mode. A special case of this idea
is proposed in [PFH+ 19, Section 3.13]. We generalize it here. Observe that if n − 1 entries
of h and a hash of h are known, then this is enough to recover h entirely. Indeed, the
public key h satisfies the linear equation (4). Hence, upon reception of a signature, one
can recompute a candidate $\mathbf{h}^\ast$ from this equation and check whether its hash matches
the one in the public key. This allows replacing the public key by a hash of it.

Asymptotic security of ModFalcon. A signature scheme based on the GPV framework can be shown to enjoy strong existential unforgeability against adaptively chosen message attacks (abbreviated sEUF-CMA security) in the classical random oracle model when the verification key is statistically close to uniformly random [GPV08]. It was shown in [BDF+11] that sEUF-CMA security also holds in the quantum random oracle model, in which the adversary can make quantum superposition queries to the random oracle. For the case n = 1, the distribution of the public key is almost uniform if the entries of f, g are discrete Gaussians of standard deviation around √q (see [SS13]). The next statement extends this result to larger ranges of n. It is adapted from a more general new result presented and proved in Appendix A.

Theorem 3.1. Let n ≥ 1 be an integer and q = 3 mod 8 be a prime. Let $s \geq 2d\, q^{1/(n+1) + 2/(d(n+1))}$, and let $E_s$ be the distribution of $F^{-1} g^t \bmod q$ when $F \leftarrow D_{s, R^{n \times n}}$ is invertible modulo q and $g \leftarrow D_{s, R^n}$. Then the statistical distance between $E_s$ and the uniform distribution over $R_q^n$ is $2^{-\Omega(d)}$.

Note that our concrete scheme parameters are not covered by this statement, because they do not satisfy the assumptions of Theorem 3.1. Nevertheless, we believe these results increase our confidence in the soundness of the design rationale.

4 Concrete instantiation

In this section, we explain how to instantiate the various parameters of ModFalcon to optimize the sizes of the signatures and public keys, under the correctness and security constraints.

4.1 Setting the scheme variables


We briefly summarize how we obtain the scheme variables. The maximal number of signature queries is Q_s = 2^64; this is the number specified in the NIST call for post-quantum cryptography standardization [NIS16]. The value gs_slack ≥ 1 is deduced from extensive experiments and given in (1). The salt bitsize λr must satisfy (3); as Falcon did, we simply take λr = 320 (for the bit security that we achieve, λr = 256 would actually be sufficient). Finally, the rejection bound ρ on the Euclidean norm of signatures is given in (2). Table 2 lists scheme variables for various parameter sets of Falcon and ModFalcon. All the parameter sets we consider use the same modulus q = 12289, as efficient code for the arithmetic in the resulting ring R_q is available.

Table 2. Variables for Falcon and ModFalcon parameter sets

Scheme            n     d   gs_slack      ρ    λr
Falcon-512        1   512       1.17   6598   320
Falcon-1024       1  1024       1.17   9331   320
ModFalcon-2-512   2   512       1.17   1512   320

4.2 Security analysis of ModFalcon


Our signature scheme follows the design of Falcon [PFH+19], and the applicable attacks are similar. The most notable difference is the use of sublattices to produce signature forgeries: this attack strategy does not seem fruitful in the case of Falcon, but it actually drives the concrete security in the module setup.
The most efficient attacks against schemes based on NTRU-type cryptosystems typically rely on lattice reduction [Sch87,SE94]. The lattices to be reduced correspond to Z[x]/(x^d + 1)-modules of (module) rank ≥ 2. There exist algorithms [CDPR16,CDW17,PHS19] to compute short vectors in rank-1 Z[x]/(x^d + 1)-modules (a.k.a. ideal lattices), which outperform algorithms for generic lattices such as [SE94] for some ranges of approximation factors. No such improvement over all-purpose lattice reduction algorithms is known for modules of rank ≥ 2. For example, the recent module-LLL algorithm from [LPSW19] relies on an oracle for solving the Closest Vector Problem in lattices of very high dimension. It is possible to use automorphisms (multiplying a given short polynomial by x modulo x^d + 1 to create another short polynomial), but this is not known to bring more than a small polynomial improvement, which is negligible compared to the overall exponential cost. For such module lattices of rank n ≥ 2, the approach so far is to view them as Z-lattices of dimension nd. This is the approach used to analyze the security of all 11 candidates of the 2nd round of the NIST post-quantum standardization process that rely on algebraic lattices. Our analysis thus focuses on Z-lattice reduction algorithms, and follows standard works on NTRU schemes [ZCH+19,BCLv19].

Lattice reduction attacks. As is now standard in lattice-based cryptography, we follow the core-SVP hardness methodology put forward in [ADPS16]. The attack is viewed as an instance of a lattice problem, which is solved by the BKZ algorithm [SE94]. At a high level, the BKZ algorithm calls an SVP oracle in dimension β as a subroutine, where β is the selected block-size. The analysis determines the minimal β that allows the scheme to be broken, and the cost of the attack is bounded from below by the asymptotic cost of the best known algorithm for solving the Shortest Vector Problem with this block-size, classically [BDGL16] or quantumly [Laa15]. This strategy is typically viewed as conservative, as BKZ in fact calls the SVP-solver more than once, the asymptotic cost of the SVP-solver hides polynomial factors, and SVP-solvers typically require the management of a large amount of (potentially quantum) memory. The algorithm from [BDGL16] (resp. [Laa15]) returns a shortest non-zero vector in a lattice of dimension β in $2^{0.292\beta(1+o(1))}$ classical operations (resp. $2^{0.265\beta(1+o(1))}$ quantum operations). The classical bit-security and quantum bit-security are hence defined as λC := 0.292β and λQ := 0.265β, respectively.
Going into more details, BKZ with block-size β is assumed to return a basis of the
input lattice whose vectors have Gram-Schmidt norms that decrease geometrically.

Heuristic 1 (Geometric Series Assumption (GSA), [Sch03]). Let L be a full-rank lattice with basis B ∈ R^{r×r} with rows b_i. After execution of BKZ with block-size β on B, the norms of the Gram-Schmidt vectors satisfy
$$\|\tilde{b}_i\| = \delta_\beta^{\,-2(i-1)+r} \cdot \mathrm{Vol}(L)^{1/r}, \quad \text{where } \delta_\beta = \left( \frac{(\pi\beta)^{1/\beta} \cdot \beta}{2\pi e} \right)^{\frac{1}{2(\beta-1)}}.$$

The GSA has been backed up by extensive experimental results [GN08,Che13,AGVW17,YD17,BSW18], and it has been found to be very accurate for large block-sizes.

Key recovery. In this scenario, the attacker is given the basis B_NTRU of L_NTRU, and aims at finding the first dn rows of B_{F,g}. For this purpose, it runs BKZ with block-size β on M(B_NTRU). We consider that it wins if it finds any of these dn rows.
The lattice L_NTRU has volume q^d and rank d(n + 1). Following the specifications of our scheme, we expect all rows of B_{F,g} to have essentially the same Euclidean norm, around $\mathrm{gs\_slack} \cdot q^{1/(n+1)}$. As this is less than the expected norm $\sqrt{d(n+1)/(2\pi e)} \cdot q^{1/(n+1)}$ of a shortest non-zero vector of a lattice with the same volume as L_NTRU, we expect these vectors to be the shortest non-zero vectors in L_NTRU. We hence rely on the GSA-based analysis from [ADPS16,AGVW17] to quantify the hardness of finding these unexpectedly short vectors with BKZ. Concretely, BKZ with block-size β is expected to find such a vector when
$$\mathrm{gs\_slack} \cdot \sqrt{\frac{\beta}{d(n+1)}} \leq \delta_\beta^{\,2\beta - d(n+1)}. \qquad (5)$$

Signature forgery. A signature forgery corresponds to finding a point of L_NTRU at distance at most ρ from a vector c of the ambient space derived from the message and the signature salt. As ρ is significantly above the norms gs_slack · q^{1/(n+1)} of the vectors of L_NTRU corresponding to the secret key, this is an instance of the Approximate Closest Vector Problem (CVP). To solve it, the first step is to apply BKZ to M(B_NTRU) with a large block-size β (to be determined below). Then one takes c and uses Babai's nearest plane algorithm to shorten it, using the obtained BKZ-reduced basis B of L_NTRU. The resulting vector t′ := t − b for some b ∈ L_NTRU can be written $t' = \sum_i t_i \tilde{b}_i$ with |t_i| ≤ 1/2 for every i, and hence, under the GSA:
$$\|t'\|^2 \leq \frac{1}{4}\, q^{\frac{2}{n+1}} \cdot \sum_{i \leq d(n+1)} (\delta_\beta^2)^{-2(i-1)+d(n+1)}.$$

This attack strategy can be improved in two ways, and these improvements actually lead to the best known attacks against ModFalcon. The first improvement consists in modifying Babai's nearest-plane algorithm so that it calls an exact CVP solver for the lattice spanned by the first β vectors of the BKZ-reduced basis B. The sieve algorithms [BDGL16,Laa15] can be (heuristically) adapted for this, for the same cost as solving SVP in dimension β. As a result, this adaptation of Babai's algorithm is not more costly than the call to BKZ with block-size β. On the other hand, it allows finding a vector t′ satisfying:
$$\|t'\|^2 \leq \left( \frac{\beta}{2\pi e} \cdot (\delta_\beta^2)^{d(n+1)-(\beta-1)} + \frac{1}{4} \sum_{i=\beta+1}^{d(n+1)} (\delta_\beta^2)^{-2(i-1)+d(n+1)} \right) q^{\frac{2}{n+1}}.$$

Let us explain how we obtain the first summand (see footnote 8). First, we assume that the lattice L_β spanned by the first β vectors of B behaves as a random lattice. Then, the (squared) expected distance between this lattice and a random vector in its span is the same as the expected minimum for that lattice. Assuming the GSA, we can compute the volume V of L_β and thus estimate its minimum thanks to the Gaussian heuristic as $\lambda_1(L_\beta) = \sqrt{\beta/(2\pi e)} \cdot V^{1/\beta}$: this gives precisely the first summand. For the values of β that we consider, the first term is larger than the second one, and we will just delete the second one, resulting in the inequality
$$\|t'\| \leq \sqrt{\frac{\beta}{2\pi e}} \cdot \delta_\beta^{\,d(n+1)-(\beta-1)} \cdot q^{\frac{1}{n+1}}.$$
The second improvement relies on the observation that one can consider a subset of the rows of M(B_NTRU) rather than the full matrix M(B_NTRU). There does not seem to be an advantage in considering another subset than those obtained by erasing the first k rows, for k ≤ nd (as h is essentially uniform modulo q). The volume remains q^d, but the dimension decreases to d(n + 1) − k. In the equation above, this allows the term $\delta_\beta^{d(n+1)}$ to decrease to $\delta_\beta^{d(n+1)-k}$, at the expense of increasing the term $q^{1/(n+1)}$ to $q^{d/(d(n+1)-k)}$.

Footnote 8: It was incorrectly derived in previous versions of this paper. Interestingly, while the new estimate is better for the attacker, the improvement is too small to be noticeable on the resulting blocksizes and security level for our scheme.

Overall, we obtain the following success condition for a signature forgery:
$$\rho \geq \min_{k \leq dn} \left( \delta_\beta^{\,d(n+1)-k} \cdot q^{\frac{d}{d(n+1)-k}} \right). \qquad (6)$$

Interestingly, optimizing over k does not help for Falcon but does for ModFalcon.
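The two success conditions, (5) for key recovery and (6) for signature forgery, can be turned into a small estimator. The following is an added example and not the authors' scripts linked in the Conclusion: it implements δ_β from Heuristic 1, evaluates (5) and (6) (the latter minimised over the number k of erased rows) on the Table 2 variables, and scans for the smallest block-size β at which each attack is expected to succeed. Because the page does not spell out every modelling choice behind the authors' numbers, the block-sizes it returns are indicative and need not coincide with Table 3.

```python
"""Lattice-reduction success conditions (5) and (6) of Section 4.2, evaluated for
the Table 2 parameter sets (added example, not the authors' scripts)."""
import math

Q = 12289  # common modulus of all parameter sets (Table 2)
# name -> (n, d, gs_slack, rho), copied from Table 2
PARAMS = {
    "Falcon-512": (1, 512, 1.17, 6598),
    "Falcon-1024": (1, 1024, 1.17, 9331),
    "ModFalcon-2-512": (2, 512, 1.17, 1512),
}


def delta(beta):
    """Root-Hermite factor of Heuristic 1:
    ((pi*beta)^(1/beta) * beta / (2*pi*e))^(1/(2*(beta-1)))."""
    base = (math.pi * beta) ** (1.0 / beta) * beta / (2 * math.pi * math.e)
    return base ** (1.0 / (2 * (beta - 1)))


def key_recovery_succeeds(beta, n, d, gs_slack):
    """Condition (5): gs_slack * sqrt(beta / d(n+1)) <= delta_beta^(2*beta - d(n+1))."""
    dim = d * (n + 1)
    return gs_slack * math.sqrt(beta / dim) <= delta(beta) ** (2 * beta - dim)


def best_sublattice(beta, n, d):
    """Minimise the right-hand side of (6) over the number k <= dn of erased rows.
    Returns (log2 of the bound, dimension d(n+1)-k of the sublattice); Table 3
    reports that dimension in its k column."""
    dim = d * (n + 1)
    log2_delta = math.log2(delta(beta))
    # bound = delta^(dim-k) * q^(d/(dim-k)); iterate over m = dim - k >= d
    return min((m * log2_delta + d * math.log2(Q) / m, m) for m in range(d, dim + 1))


def forgery_succeeds(beta, n, d, rho):
    """Condition (6): rho >= min_k delta_beta^(d(n+1)-k) * q^(d/(d(n+1)-k))."""
    return best_sublattice(beta, n, d)[0] <= math.log2(rho)


def min_blocksize(succeeds, lo=100, hi=2500):
    """Smallest block-size in [lo, hi) for which the success test holds (linear scan)."""
    return next((beta for beta in range(lo, hi) if succeeds(beta)), None)


def estimate(name):
    """Block-sizes for key recovery and forgery, plus lambda_C = 0.292*beta and
    lambda_Q = 0.265*beta for the cheaper of the two attacks."""
    n, d, gs_slack, rho = PARAMS[name]
    beta_key = min_blocksize(lambda b: key_recovery_succeeds(b, n, d, gs_slack))
    beta_forge = min_blocksize(lambda b: forgery_succeeds(b, n, d, rho))
    beta = min(beta_key, beta_forge)
    return {
        "key_recovery_beta": beta_key,
        "forgery_beta": beta_forge,
        "forgery_sublattice_dim": best_sublattice(beta_forge, n, d)[1],
        "lambda_C": 0.292 * beta,
        "lambda_Q": 0.265 * beta,
    }


if __name__ == "__main__":
    for scheme in PARAMS:
        print(scheme, estimate(scheme))
```

Running it shows the effect noted above: for Falcon-512 the optimal sublattice is the full lattice, whereas for ModFalcon-2-512 erasing rows lowers the forgery bound.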

Combinatorial and hybrid attacks. Described in [How07], these attacks combine lattice reduction and a meet-in-the-middle approach, and can be used to recover a line of the trapdoor basis (which we again assume is a win for an attacker). The idea is to decompose a line as b = (g, f_1, ..., f_n) = s_1 + s_2 (where s_1, resp. s_2, is the vector of first, resp. last, coordinates). The meet-in-the-middle phase makes a guess for s_2 and checks for collisions using the fact that plausible candidates for (s_1, s_2) should satisfy
$$s_1 \cdot \binom{1}{h^t} \approx s_2 \cdot \binom{1}{h^t},$$
as b is short. For our parameters, it will be less efficient than a direct attack without improvements.
To further improve the efficiency, the attacker can perform lattice reduction on a suitably chosen sublattice of L_NTRU. The efficiency of the approach is then obtained by assessing the trade-off between the dimension of the lattice and the size of the remaining "guess-space" (see, e.g., [BCLv19,HPS+17]). However, even with such trade-offs, these types of attacks do not affect our scheme, as we now explain.
Hybrid attacks are mostly considered for secret keys with entries in {−1, 0, 1}, because their efficiency decreases drastically when the size of the entries increases: indeed, the space of possible guesses grows exponentially with the size of the entries. Also, in some NTRU-based encryption schemes, the keys may be really "sparse" (with many coefficients equal to 0) in order to increase the scheme efficiency. The efficiency of hybrid attacks also relies crucially on the sparseness of the vector to be recovered, as it also conditions the size of the guess space.
One could argue that the speed-up due to rotations and the number of lines could play a role. However, it can be seen (borrowing for example the analysis in [BCLv19]) that the speed-up is overall negligible due to the lack of sparseness of the keys, which means we can focus on discussing sparseness. In particular, it can be observed in our scheme that the vector which completes $\begin{pmatrix} g^t & -F \end{pmatrix}$ into a basis is sparser than the others, since d(n − 2) of its entries are 0's while the other rows are Gaussians. Yet the remaining 2d entries are not small, nor are the corresponding field elements sparse in general.

Other attacks. As observed in [ABD16,KF17], when the modulus q is sufficiently large compared to the magnitudes of the NTRU secret key coefficients, the lattice-reduction attack on the key recovers the secret key better than described in Section 4.2. In the case of the NTRU signatures, the magnitudes of the secret key coefficients are of the order of √q, which is far too large compared to q for the attack to be applicable. More generally, this attack was considered irrelevant by all the NTRU-based submissions to the NIST standardization process. The same applies to our concrete proposal, which relies on a fairly small modulus q.
Finally, as the signing algorithm of Falcon is admittedly rather complex, an implementation thereof could potentially be vulnerable to timing attacks. Nevertheless, an efficient constant-time implementation was recently proposed [PRR19]. In our case, this existing code can be reused inside the ModFalcon signature algorithm, which would yield a constant-time implementation of the latter.

Conclusion. After a detailed analysis of known attacks, the best attacks we found are based on lattice reduction (Section 4.2). The success conditions of the best known attacks for key recovery and signature forgery are given by (5) and (6), respectively. The security levels implied by these best known attacks are given in Table 3. They are computed by light Python scripts, available at https://gofile.io/?c=ANXatH.

Table 3. Bit security estimates. β is the BKZ blocksize, k is the optimal sublattice dimension in (6),
λQ is the quantum bit security level and λC the classical one.

                   |  Key recovery (5)   |  Signature forgery (6)
Scheme             |    β    λQ    λC    |    β     k     λQ    λC
Falcon-512         |  504   134   147    |  411   1024   109   120
Falcon-1024        |  998   264   291    |  952   2048   252   277
ModFalcon-2-512    |  717   190   209    |  658   1293   174   192

4.3 Implementation and performance

Table 4. Performance comparison between Falcon and ModFalcon. |vk| and |sig| denote the size in
bytes of the public key (exactly) and signature (on average), respectively. All the schemes use the same
modulus q = 12289.

The first table is for the signature-recovery mode.

Scheme            n     d    |vk|   |sig|    λQ    λC
Falcon-512        1   512     897     658   109   120
Falcon-1024       1  1024    1793    1274   252   277
ModFalcon-2-512   2   512    1792     972   174   192

The second table is for the key-recovery mode.

Scheme            n     d    |vk|   |sig|    λQ    λC
Falcon-512        1   512      28    1276   109   120
Falcon-1024       1  1024      63    2508   252   277
ModFalcon-2-512   2   512     940    1438   174   192

We wrote a complete proof-of-concept implementation of ModFalcon in Python: it can be found at https://gofile.io/?c=YnCEPM. The sizes given in the tables above are directly obtained from this implementation, which is provided as supplementary material. As it is an un-optimized Python implementation, its running times are not meaningful. In practice, an optimized implementation would obtain timings close to those of Falcon: the running times of the signature and verification procedures grow with n, but n remains small in our case.
We observe that ModFalcon-2-512 achieves quantum bit security above 128, while its signature size is significantly smaller than that of Falcon-1024.

5 Public Key Encryption and Encapsulation

In this section we describe an extension of the well-known NTRU encryption schemes to NTRU lattices of larger ranks. There are several approaches regarding the management of the noise involved in the scheme. However, as ultimately this design did not allow us to improve upon other NTRU-type schemes [ZCH+19,BCLv19], we merely stay at a high-level description. The following subsections deal with security matters and discuss parameter choices.

5.1 A public key encryption scheme


Let n ≥ m be integers, and q > p be coprime odd integers. Let D_F and D_G be distributions over R^{n×n} and R^{n×m}, respectively. We assume that the infinity norms of the samples are bounded by some constants, i.e., for any F = (f_ij) ← D_F and G = (g_ij) ← D_G, we have ∥f_ij∥∞ ≤ B_F and ∥g_ij∥∞ ≤ B_G for some integers B_F and B_G.

Key-Generation
1: repeat
2:   Sample F ← D_F
3: until F is invertible mod q and mod p
4: Sample G ← D_G
5: H ← p F^{-1} G mod q, in R_q^{n×m}
6: return (pk = H, sk = F)

Encryption: (pk = H, (r, e) ∈ R^m × R^n) → c ∈ R_q^n
1: return c^t ← H r^t + e^t mod q

Decryption: ((pk = H, sk = F), c) → (r, e) ∈ R_q^m × R_p^n
1: d^t ← F c^t mod q
2: z^t ← d^t mod p
3: e^t ← F^{-1} z^t mod p
4: r^t ← (H^t H)^{-1} H^t (c^t − e^t) mod q
5: return (r, e)

Key generation is defined similarly to ModFalcon key generation, except that there is no need for a trapdoor basis. Encryption and decryption are matrix generalizations of NTRU encryption and decryption. Note that decryption can be accelerated by computing H^+ = (H^t H)^{-1} H^t mod q and F^{-1} mod p in the key generation algorithm and storing them along with F.

Arguments for security. The security relies on adaptations of two well-known assumptions. The first states that it is infeasible for an adversary to distinguish the public key from a uniformly random matrix modulo q. This is sometimes referred to as "the NTRU assumption" or "the DSPR (decisional short polynomial ratio) assumption", and can actually be shown to hold for certain ranges of parameters [SS11] when n = m = 1. Outside these parameter ranges, it is assumed to hold (see for example [LTV12,SHRS17]). The second assumption is known as Module-LWE, which (informally) states that an attacker is unable to distinguish between (H, H r^t + e^t mod q) ∈ R_q^{n×m} × R_q^n and a pair of random elements [BGV12,LS15]. Under these assumptions, the presented scheme provides pseudorandom ciphertexts for random plaintexts (it is OW-CPA).

5.2 Toward a practical key encapsulation mechanism


By [SXY18], a pseudorandom PKE can be generically converted into an adaptively
secure KEM in the QROM, if the PKE decryption never fails and the valid ciphertexts
are few in the ciphertext space. Moreover, this conversion is tight. Our scheme enjoys
these two properties for suitably chosen parameters. Informally, perfect correctness is
obtained by requiring that ∥r∥∞ and ∥e∥∞ are no larger than (p − 1)/2 and that p is
small compared to q. Sparseness also follows from the largeness of q compared to ∥r∥∞
and ∥e∥∞ .

Lemma 5.1 (Correctness). If ∥e∥∞, ∥r∥∞ ≤ (p − 1)/2 and (n B_F + p m B_G) d (p − 1) < q, then the scheme is perfectly correct.

Proof. The decryption algorithm first computes d^t = F · c^t mod q ∈ R_q^n. For c generated using the encryption algorithm, we have, modulo q:
$$d^t = F(e^t + H r^t) = F e^t + p G r^t.$$
Now, thanks to the assumption, the equality above also holds over R, since:
$$\|F e^t + p G r^t\|_\infty \leq \|F e^t\|_\infty + p \|G r^t\|_\infty \leq n \cdot d B_F (p-1)/2 + p \cdot m \cdot d B_G (p-1)/2 = (n B_F + p m B_G)\, d (p-1)/2 < q/2.$$
Therefore, modulo p, we have z^t = d^t = F e^t + p G r^t = F e^t. From this, we obtain that e^t := F^{-1} · z^t mod p in fact holds over R. The vector r can then be recovered by Gaussian elimination.
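The three algorithms of Section 5.1 and the correctness argument of Lemma 5.1 can be exercised on a toy instance. The following is an added example, not the authors' implementation: it embeds R = Z[x]/(x^d + 1) into negacyclic integer matrices (the map M(·) used in Section 4), picks d = 8, n = 2, m = 1, p = 3, q = 97 with B_F = B_G = 1 so that the condition of Lemma 5.1 reads (2 + 3)·8·2 = 80 < 97, and checks that decryption recovers (r, e). These toy sizes, the seeded sampler and the use of the precomputed left inverse (H^t H)^{-1} H^t of the integer embedding to recover r are this example's own assumptions.

```python
"""Toy instance of the rank-n NTRU public-key encryption scheme of Section 5
(added example, not the authors' code). Ring elements of R = Z[x]/(x^d+1) are
embedded as negacyclic d x d integer matrices, so the matrix inverses mod q and
mod p of the scheme become plain Gauss-Jordan eliminations. Toy sizes only."""
import random

D, N, M_ = 8, 2, 1    # ring degree d, module ranks n (rows) and m (columns)
P, Q = 3, 97          # small modulus p and large modulus q, coprime odd primes
B_F = B_G = 1         # infinity-norm bounds on the entries of F and G
# Lemma 5.1 condition for perfect correctness: (n*B_F + p*m*B_G) * d * (p-1) < q
assert (N * B_F + P * M_ * B_G) * D * (P - 1) < Q


def negacyclic(a):
    """d x d matrix M(a) with M(a) @ vec(b) = vec(a * b) in Z[x]/(x^d + 1)."""
    d = len(a)
    m = [[0] * d for _ in range(d)]
    for j in range(d):                  # column j is vec(a * x^j)
        for i in range(d):
            m[(i + j) % d][j] += a[i] if i + j < d else -a[i]
    return m


def block(polys):
    """Embed an r x c matrix of polynomials as an (r*d) x (c*d) integer matrix."""
    rows = []
    for prow in polys:
        blks = [negacyclic(poly) for poly in prow]
        for i in range(D):
            rows.append([x for blk in blks for x in blk[i]])
    return rows


def matmul(a, b, mod):
    bt = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) % mod for col in bt] for row in a]


def matvec(a, v, mod):
    return [sum(x * y for x, y in zip(row, v)) % mod for row in a]


def inverse_mod(a, mod):
    """Gauss-Jordan inverse of a square matrix over Z_mod (mod prime); None if singular."""
    n = len(a)
    aug = [[x % mod for x in row] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [x * inv % mod for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % mod for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def centered(v, mod):
    """Representatives in [-(mod-1)/2, (mod-1)/2] for odd mod."""
    return [(x + mod // 2) % mod - mod // 2 for x in v]


def small(rng, count, bound):
    """Constructed sample: `count` coefficients drawn uniformly from [-bound, bound]."""
    return [rng.randint(-bound, bound) for _ in range(count)]


def keygen(rng):
    """F <- D_F (n x n), resampled until invertible mod q and mod p; G <- D_G (n x m);
    public key H = p F^-1 G mod q, kept as the integer matrix M(H)."""
    while True:
        F = [[small(rng, D, B_F) for _ in range(N)] for _ in range(N)]
        MF = block(F)
        MF_inv_q, MF_inv_p = inverse_mod(MF, Q), inverse_mod(MF, P)
        if MF_inv_q is None or MF_inv_p is None:
            continue
        G = [[small(rng, D, B_G) for _ in range(M_)] for _ in range(N)]
        MH = [[P * x % Q for x in row] for row in matmul(MF_inv_q, block(G), Q)]
        # left inverse (H^t H)^-1 H^t of the public key, precomputed at key generation
        MHt = list(map(list, zip(*MH)))
        gram_inv = inverse_mod(matmul(MHt, MH, Q), Q)
        if gram_inv is None:
            continue
        return MH, (MF, MF_inv_p, matmul(gram_inv, MHt, Q))


def encrypt(MH, r, e):
    """c^t = H r^t + e^t mod q; r and e are flat coefficient vectors (m*d and n*d long)."""
    return [(x + y) % Q for x, y in zip(matvec(MH, r, Q), e)]


def decrypt(sk, c):
    MF, MF_inv_p, H_plus = sk
    d_vec = centered(matvec(MF, c, Q), Q)      # = F e^t + p G r^t over Z (Lemma 5.1)
    z = [x % P for x in d_vec]                 # modulo p the term p G r^t vanishes
    e = centered(matvec(MF_inv_p, z, P), P)    # exact since ||e||_inf <= (p-1)/2
    r = matvec(H_plus, [(x - y) % Q for x, y in zip(c, e)], Q)
    return centered(r, Q), e


def roundtrip(seed):
    """Encrypt a constructed (r, e) with ||.||_inf <= (p-1)/2 and check decryption."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    r, e = small(rng, M_ * D, (P - 1) // 2), small(rng, N * D, (P - 1) // 2)
    return decrypt(sk, encrypt(pk, r, e)) == (r, e)
```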

Parameter choices. There are several ways to instantiate the final KEM. The first consideration is the moduli p and q. With the standard choice of p = 3, perfect correctness can be achieved even for the q's that are used by other schemes (such as KYBER [SAB+19] and NewHope [PAA+19]), as long as the entries of F and G are sufficiently small. The reason to opt for such q's is that they allow a fast multiplication based on the Number Theoretic Transform, as already mentioned when presenting ModFalcon.
A second consideration is the distribution of F and G. By taking them sufficiently large (and taking a prime q satisfying q = 3 mod 8, contrary to the above), one can guarantee that the distribution of the public key is within exponentially small statistical distance from uniform (as shown in the appendix). Nevertheless, this forces a much larger q, and makes the scheme quite uncompetitive in terms of performance. For this reason, we would rather recommend taking F and G with very small entries, as is typically done for practical NTRU encryption. There is no known attack for such parameter choices, for NTRU-based NIST candidates.
The next concern is the way in which the vectors r and e are sampled for each key encapsulation. A possibility is to rely on discrete Gaussians of a large enough standard deviation. However, because of their wide support, using them while guaranteeing perfect correctness via Lemma 5.1 would require a large modulus q. To avoid this, the usual choice of NTRU variants is to have r and e take values in a small interval, such as {−1, 0, 1}, and possibly to require that there are few non-zero entries. Another approach is to choose e deterministically, by rounding the random vector H r^t to the "closest multiple" of some other modulus γ, like NTRU Prime [BCLv19] and SABER [DKRV19]. With careful tuning of all parameters, we obtained ciphertexts of bitlengths roughly equivalent to those of NTRU Prime, NTRU [ZCH+19] and several other lattice-based round-2 NIST key encapsulation schemes, for similar security levels. As we did not manage to make them strictly advantageous from some angle, we considered that this did not justify a full description.

Acknowledgments. The authors thank the Falcon team for helpful discussions. This
work was supported in part by BPI-France in the context of the French national project
RISQ (P141580), by the European Union PROMETHEUS project (Horizon 2020 Re-
search and Innovation Program, grant 780701). Part of this work was done while Damien
Stehlé was visiting the Simons Institute for the Theory of Computing.

References

ABD16. Martin R. Albrecht, Shi Bai, and Léo Ducas. A subfield lattice attack on overstretched
NTRU assumptions - cryptanalysis of some FHE and graded encoding schemes. In Matthew
Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS, pages
153–178. Springer, Heidelberg, August 2016.
ADPS16. Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key
exchange - A new hope. In Thorsten Holz and Stefan Savage, editors, USENIX Security
2016, pages 327–343. USENIX Association, August 2016.
AGVW17. Martin R. Albrecht, Florian Göpfert, Fernando Virdia, and Thomas Wunderer. Revisiting
the expected cost of solving uSVP and applications to LWE. In Tsuyoshi Takagi and Thomas
Peyrin, editors, ASIACRYPT 2017, Part I, volume 10624 of LNCS, pages 297–322. Springer,
Heidelberg, December 2017.
BAA+ 19. Nina Bindel, Sedat Akleylek, Erdem Alkim, Paulo S. L. M. Barreto, Johannes Buch-
mann, Edward Eaton, Gus Gutoski, Juliane Kramer, Patrick Longa, Harun Polat, Jef-
ferson E. Ricardini, and Gustavo Zanon. qTESLA. Technical report, National Insti-
tute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/
post-quantum-cryptography/round-2-submissions.

19
BCLv19. Daniel J. Bernstein, Chitchanok Chuengsatiansup, Tanja Lange, and Christine van Vre-
dendaal. NTRU Prime. Technical report, National Institute of Standards and Technol-
ogy, 2019. available at https://csrc.nist.gov/projects/post-quantum-cryptography/
round-2-submissions.
BDE+ 18. Jonathan Bootle, Claire Delaplace, Thomas Espitau, Pierre-Alain Fouque, and Mehdi Ti-
bouchi. LWE without modular reduction and improved side-channel attacks against BLISS.
In Thomas Peyrin and Steven Galbraith, editors, ASIACRYPT 2018, Part I, volume 11272
of LNCS, pages 494–524. Springer, Heidelberg, December 2018.
BDF+ 11. Dan Boneh, Özgür Dagdelen, Marc Fischlin, Anja Lehmann, Christian Schaffner, and Mark
Zhandry. Random oracles in a quantum world. In Dong Hoon Lee and Xiaoyun Wang,
editors, ASIACRYPT 2011, volume 7073 of LNCS, pages 41–69. Springer, Heidelberg, De-
cember 2011.
BDGL16. Anja Becker, Léo Ducas, Nicolas Gama, and Thijs Laarhoven. New directions in nearest
neighbor searching with applications to lattice sieving. In Robert Krauthgamer, editor, 27th
SODA, pages 10–24. ACM-SIAM, January 2016.
BDK+ 18. Joppe W. Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M.
Schanck, Peter Schwabe, Gregor Seiler, and Damien Stehlé. CRYSTALS - kyber: A cca-
secure module-lattice-based KEM. In 2018 IEEE European Symposium on Security and
Privacy, EuroS&P 2018, London, United Kingdom, April 24-26, 2018, pages 353–367, 2018.
BGV12. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic
encryption without bootstrapping. In Shafi Goldwasser, editor, ITCS 2012, pages 309–325.
ACM, January 2012.
BSW18. Shi Bai, Damien Stehlé, and Weiqiang Wen. Measuring, simulating and exploiting the
head concavity phenomenon in BKZ. In Thomas Peyrin and Steven Galbraith, editors,
ASIACRYPT 2018, Part I, volume 11272 of LNCS, pages 369–404. Springer, Heidelberg,
December 2018.
CDPR16. Ronald Cramer, Léo Ducas, Chris Peikert, and Oded Regev. Recovering short generators
of principal ideals in cyclotomic rings. In Marc Fischlin and Jean-Sébastien Coron, editors,
EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 559–585. Springer, Heidelberg,
May 2016.
CDW17. Ronald Cramer, Léo Ducas, and Benjamin Wesolowski. Short stickelberger class relations
and application to ideal-SVP. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors,
EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 324–348. Springer, Heidelberg,
April / May 2017.
CG05. Michael Coglianese and Bok-Min Goi. MaTRU: A new NTRU-based cryptosystem. In
Subhamoy Maitra, C. E. Veni Madhavan, and Ramarathnam Venkatesan, editors, IN-
DOCRYPT 2005, volume 3797 of LNCS, pages 232–243. Springer, Heidelberg, December
2005.
Che13. Yuanmi Chen. Réduction de réseau et sécurité concrète du chiffrement complètement ho-
momorphe. PhD thesis, 2013.
DKL+ 18. Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, Peter Schwabe, Gregor
Seiler, and Damien Stehlé. Crystals-dilithium: A lattice-based digital signature scheme.
IACR Trans. Cryptogr. Hardw. Embed. Syst., 2018(1):238–268, 2018.
DKRV18. Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren.
Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM.
In Antoine Joux, Abderrahmane Nitaj, and Tajjeeddine Rachidi, editors, AFRICACRYPT
18, volume 10831 of LNCS, pages 282–305. Springer, Heidelberg, May 2018.
DKRV19. Jan-Pieter D’Anvers, Angshuman Karmakar, Sujoy Sinha Roy, and Frederik Vercauteren.
SABER. Technical report, National Institute of Standards and Technology, 2019. available at
https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions.
DLP14. Léo Ducas, Vadim Lyubashevsky, and Thomas Prest. Efficient identity-based encryption
over NTRU lattices. In Palash Sarkar and Tetsu Iwata, editors, ASIACRYPT 2014, Part II,
volume 8874 of LNCS, pages 22–41. Springer, Heidelberg, December 2014.
DP16. Léo Ducas and Thomas Prest. Fast fourier orthogonalization. In Sergei A. Abramov,
Eugene V. Zima, and Xiao-Shan Gao, editors, Proceedings of the ACM on International
Symposium on Symbolic and Algebraic Computation, ISSAC 2016, Waterloo, ON, Canada,
July 19-22, 2016, pages 191–198. ACM, 2016.

20
FKT+ 19. Pierre-Alain Fouque, Paul Kirchner, Mehdi Tibouchi, Alexandre Wallet, and Yang Yu. Up-
rooting the falcon tree? IACR Cryptology ePrint Archive, 2019:1180, 2019.
GN08. Nicolas Gama and Phong Q. Nguyen. Predicting lattice reduction. In Nigel P. Smart, editor,
EUROCRYPT 2008, volume 4965 of LNCS, pages 31–51. Springer, Heidelberg, April 2008.
GPV08. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and
new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, 40th
ACM STOC, pages 197–206. ACM Press, May 2008.
GZB+ 19. Oscar Garcia-Morchon, Zhenfei Zhang, Sauvik Bhattacharya, Ronald Rietman, Ludo Tol-
huizen, Jose-Luis Torre-Arce, Hayo Baan, Markku-Juhani O. Saarinen, Scott Fluhrer,
Thijs Laarhoven, and Rachel Player. Round5. Technical report, National Institute
of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/
post-quantum-cryptography/round-2-submissions.
Ham19. Mike Hamburg. Three Bears. Technical report, National Institute of Standards and Technol-
ogy, 2019. available at https://csrc.nist.gov/projects/post-quantum-cryptography/
round-2-submissions.
HHP+ 03. Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman, and William
Whyte. NTRUSIGN: Digital signatures using the NTRU lattice. In Marc Joye, editor,
CT-RSA 2003, volume 2612 of LNCS, pages 122–140. Springer, Heidelberg, April 2003.
How07. Nick Howgrave-Graham. A hybrid lattice-reduction and meet-in-the-middle attack against
NTRU. In Alfred Menezes, editor, CRYPTO 2007, volume 4622 of LNCS, pages 150–169.
Springer, Heidelberg, August 2007.
HPS98. Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based public key
cryptosystem. In Algorithmic Number Theory, Third International Symposium, ANTS-III,
Portland, Oregon, USA, June 21-25, 1998, Proceedings, pages 267–288, 1998.
HPS+ 17. Jeffrey Hoffstein, Jill Pipher, John M. Schanck, Joseph H. Silverman, William Whyte, and
Zhenfei Zhang. Choosing parameters for NTRUEncrypt. In Helena Handschuh, editor,
CT-RSA 2017, volume 10159 of LNCS, pages 3–18. Springer, Heidelberg, February 2017.
KF17. Paul Kirchner and Pierre-Alain Fouque. Revisiting lattice attacks on overstretched NTRU
parameters. In Jean-Sébastien Coron and Jesper Buus Nielsen, editors, EUROCRYPT 2017,
Part I, volume 10210 of LNCS, pages 3–26. Springer, Heidelberg, April / May 2017.
Laa15. Thijs Laarhoven. Search problems in cryptography. PhD thesis, 2015.
LDK+ 19. Vadim Lyubashevsky, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor
Seiler, and Damien Stehlé. CRYSTALS-DILITHIUM. Technical report, National Insti-
tute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/
post-quantum-cryptography/round-2-submissions.
LLJ+ 19. Xianhui Lu, Yamin Liu, Dingding Jia, Haiyang Xue, Jingnan He, Zhenfei Zhang, Zhe
Liu, Hao Yang, Bao Li, and Kunpeng Wang. LAC. Technical report, National Insti-
tute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/
post-quantum-cryptography/round-2-submissions.
LPR10. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with
errors over rings. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages
1–23. Springer, Heidelberg, May / June 2010.
LPR13. Vadim Lyubashevsky, Chris Peikert, and Oded Regev. A toolkit for ring-LWE cryptography.
In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of
LNCS, pages 35–54. Springer, Heidelberg, May 2013.
LPSW19. Changmin Lee, Alice Pellet-Mary, Damien Stehlé, and Alexandre Wallet. An LLL algorithm
for module lattices. In Steven D. Galbraith and Shiho Moriai, editors, ASIACRYPT 2019,
Part II, volume 11922 of LNCS, pages 59–90. Springer, Heidelberg, December 2019.
LS15. Adeline Langlois and Damien Stehlé. Worst-case to average-case reductions for module
lattices. Designs, Codes and Cryptography, 75(3):565–599, Jun 2015.
LTV12. Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. On-the-fly multiparty com-
putation on the cloud via multikey fully homomorphic encryption. In Howard J. Karloff
and Toniann Pitassi, editors, 44th ACM STOC, pages 1219–1234. ACM Press, May 2012.
Lyu12. Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and
Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 738–755.
Springer, Heidelberg, April 2012.

21
NIS16. NIST. Submission requirements and evaluation criteria for the post-quantum cryp-
tography standardization process, 2016. https://csrc.nist.gov/CSRC/media/Projects/
Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf.
PAA+ 19. Thomas Poppelmann, Erdem Alkim, Roberto Avanzi, Joppe Bos, Léo Ducas, Antonio de la
Piedra, Peter Schwabe, Douglas Stebila, Martin R. Albrecht, Emmanuela Orsini, Valery
Osheter, Kenneth G. Paterson, Guy Peer, and Nigel P. Smart. NewHope. Technical report,
National Institute of Standards and Technology, 2019. available at https://csrc.nist.
gov/projects/post-quantum-cryptography/round-2-submissions.
PFH+17. Thomas Prest, Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. FALCON. Technical report, National Institute of Standards and Technology, 2017. available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.
PFH+19. Thomas Prest, Pierre-Alain Fouque, Jeffrey Hoffstein, Paul Kirchner, Vadim Lyubashevsky, Thomas Pornin, Thomas Ricosset, Gregor Seiler, William Whyte, and Zhenfei Zhang. FALCON. Technical report, National Institute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions.
PHS19. Alice Pellet-Mary, Guillaume Hanrot, and Damien Stehlé. Approx-SVP in ideal lattices with
pre-processing. In Yuval Ishai and Vincent Rijmen, editors, EUROCRYPT 2019, Part II,
volume 11477 of LNCS, pages 685–716. Springer, Heidelberg, May 2019.
PP19. Thomas Pornin and Thomas Prest. More efficient algorithms for the NTRU key generation
using the field norm. In Dongdai Lin and Kazue Sako, editors, PKC 2019, Part II, volume
11443 of LNCS, pages 504–533. Springer, Heidelberg, April 2019.
Pre17. Thomas Prest. Sharper bounds in lattice-based cryptography using the Rényi divergence.
In Tsuyoshi Takagi and Thomas Peyrin, editors, ASIACRYPT 2017, Part I, volume 10624
of LNCS, pages 347–374. Springer, Heidelberg, December 2017.
PRR19. Thomas Prest, Thomas Ricosset, and Melissa Rossi. Simple, fast and constant-time gaussian
sampling over the integers for Falcon. Second PQC Standardization Conference, 2019.
RSW18. Miruna Rosca, Damien Stehlé, and Alexandre Wallet. On the ring-LWE and polynomial-
LWE problems. In Jesper Buus Nielsen and Vincent Rijmen, editors, EUROCRYPT 2018,
Part I, volume 10820 of LNCS, pages 146–173. Springer, Heidelberg, April / May 2018.
SAB+19. Peter Schwabe, Roberto Avanzi, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, and Damien Stehlé. CRYSTALS-KYBER. Technical report, National Institute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions.
Sch87. Claus-Peter Schnorr. A hierarchy of polynomial time lattice basis reduction algorithms.
Theor. Comput. Sci., 53:201–224, 1987.
Sch03. Claus-Peter Schnorr. Lattice reduction by random sampling and birthday methods. In
STACS 2003, 20th Annual Symposium on Theoretical Aspects of Computer Science, Berlin,
Germany, February 27 - March 1, 2003, Proceedings, pages 145–156, 2003.
SE94. Claus-Peter Schnorr and M. Euchner. Lattice basis reduction: Improved practical algorithms
and solving subset sum problems. Math. Program., 66:181–199, 1994.
SHRS17. John M. Schanck, Andreas Hulsing, Joost Rijneveld, and Peter Schwabe. NTRU-HRSS-KEM. Technical report, National Institute of Standards and Technology, 2017. available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-1-submissions.
SS11. Damien Stehlé and Ron Steinfeld. Making NTRU as secure as worst-case problems over
ideal lattices. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS,
pages 27–47. Springer, Heidelberg, May 2011.
SS13. Damien Stehlé and Ron Steinfeld. Making NTRUEncrypt and NTRUSign as secure as standard worst-case problems over ideal lattices. Cryptology ePrint Archive, Report 2013/004, 2013. http://eprint.iacr.org/2013/004.
SXY18. Tsunekazu Saito, Keita Xagawa, and Takashi Yamakawa. Tightly-secure key-encapsulation
mechanism in the quantum random oracle model. In Jesper Buus Nielsen and Vincent
Rijmen, editors, EUROCRYPT 2018, Part III, volume 10822 of LNCS, pages 520–551.
Springer, Heidelberg, April / May 2018.
TW19. Mehdi Tibouchi and Alexandre Wallet. One bit is all it takes: A devastating timing attack on BLISS's non-constant time sign flips. IACR Cryptology ePrint Archive, 2019:898, 2019.

YD17. Yang Yu and Léo Ducas. Second order statistical behavior of LLL and BKZ. In Carlisle
Adams and Jan Camenisch, editors, SAC 2017, volume 10719 of LNCS, pages 3–22. Springer,
Heidelberg, August 2017.
ZCH+19. Zhenfei Zhang, Cong Chen, Jeffrey Hoffstein, William Whyte, John M. Schanck, Andreas Hulsing, Joost Rijneveld, Peter Schwabe, and Oussama Danba. NTRUEncrypt. Technical report, National Institute of Standards and Technology, 2019. available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions.

A Almost uniformity of ModFalcon’s verification keys

The purpose of this section is to extend the proof of uniformity of NTRU public keys from [SS11] to larger $n$. We show that $F^{-1} g^t \bmod q$ is pseudorandom as long as the entries have standard deviation essentially $q^{1/(n+1)}$, which is the case in our scheme. In fact, we obtain a more general result, as we are also able to handle matrices for the "g component". For $n \ge m$, $F \in R^{n\times n}$ invertible modulo $q$ and $G \in R^{n\times m}$, our result essentially states that if the entries of $F, G$ are discrete Gaussians of standard deviation essentially $q^{m/(n+m)}$, then $F^{-1} G \bmod q$ is pseudorandom. This can be seen as a general Leftover Hash Lemma over number rings that also handles matrices.
More precisely, the statement is proved only for primes $q \equiv 3 \bmod 8$. The reason is that our proof technique relies on an inclusion-exclusion argument to handle sublattices of some $L_{\mathrm{NTRU}}$; these sublattices come in two layers, one corresponding to the ideal factors of $q$ and one enumerating all the possible nullspaces of the matrix $F^{-1} G$ in $R_q^{n\times m}$. Such $q$'s have a small splitting pattern in $R$, which means that the "ideal factor" layer of the inclusion-exclusion can be managed by a probability overestimate. This overestimate becomes too loose when the splitting pattern involves more ideals. We leave it for further work to overcome the increased technicality of the proof technique needed to handle all $q$'s.
For $s > 0$, we let $D_{R^{n\times m},s}$ denote the distribution over $R^{n\times m}$ whose entries are distributed from $D_{R,s}$, and $D_{\mathrm{GL}_n(R,q),s}$ be the restriction of $D_{R^{n\times n},s}$ to the set $\mathrm{GL}_n(R,q)$ of matrices in $R^{n\times n}$ that are invertible modulo $q$. Lastly, we define the distribution $\mathcal{E}_s$ as the distribution of $F^{-1} G \bmod q$ when $F$ is sampled from $D_{\mathrm{GL}_n(R,q),s}$ and $G$ is sampled from $D_{R^{n\times m},s}$. The following theorem is the main result of this section.

Theorem A.1. Let $K$ be a cyclotomic number field of degree $d$ and maximal order $R$. Let $n \ge m \ge 1$. Let $q$ be a prime integer which factors as $qR = \mathfrak{p}_1 \mathfrak{p}_2$, where the $\mathfrak{p}_i$'s have algebraic norm $q^{d/2}$. For $s \ge 2d\, q^{m/(n+m) + 2/(d(n+m))}$, we have:

$$\Delta\left(\mathcal{E}_s, U(R_q^{n\times m})\right) \le 2^{-\Omega(d)}.$$


A.1 Additional notations and lemmas

The expectation of a (function of a) random vector $X$ is denoted by $E[f(X)]$. If two distributions $D_1$ and $D_2$ are over the same countable support $\Omega$, their statistical distance is

$$\Delta(D_1, D_2) = \frac{1}{2} \sum_{\omega \in \Omega} |D_1(\omega) - D_2(\omega)| = \sum_{\omega : D_1(\omega) > D_2(\omega)} [D_1(\omega) - D_2(\omega)].$$

For any countable set $S$ and function $f$ defined over $S$, we let $f(S) = \sum_{s \in S} f(s)$. For any lattice $L$, the Poisson summation formula gives

$$\rho_s(L) = (\mathrm{Vol}\, L)^{-1} \cdot s^d \cdot \rho_{1/s}(L^*).$$

We will need the next lemma, which essentially motivates the definition of the smoothing parameter.

Lemma A.2. Let $L$ be a rank $d$ lattice, and $\epsilon \in (0,1)$. For any $s \ge \eta_\epsilon(L)$, we have $\rho_s(L) \in [1 \pm \epsilon] \cdot s^d (\mathrm{Vol}\, L)^{-1}$.
The proof will use results and tools from algebraic number theory that are now considered standard. We refer to e.g. [LPR10] and [RSW18] for further details on ideals in number rings, and provide below only the notation and lemmas that will be used. The discriminant of a number field $K$ is written $\Delta_K$. The algebraic norm of an ideal $I$ is denoted by $N(I)$.

Lemma A.3 ([LPR13, Th. 7.2]). For any ideal $I \subset R$ and $s > 0$, we have:

$$\rho_{1/s}(I) \le \max\left(1, N(I)^{-1} s^{-d}\right)(1 + 2^{-2d}).$$

The proof also uses some results on (finitely generated) modules over number rings (see also [LS15]). The dual of an $R$-module $M \subset K^n$ is $M^\vee := \{y \in K^n : \forall x \in M,\ \mathrm{Tr}(\langle x, y\rangle_K) \in \mathbb{Z}\}$, where $\mathrm{Tr}$ denotes the field trace (equivalently, the trace of the multiplication matrix). By linearity of the trace, we see that $\mathrm{Tr}(\langle x, y\rangle_K) = d\langle x, y^\star\rangle$, where we implicitly consider coefficient vectors in the right inner product. This shows that $L(M)^* = L((dM^\vee)^\star)$.
For any $v \in R^n$, any ideal $I$ of $R$ and any $k \ge 1$, we will consider module lattices of the form

$$\Lambda^{\perp k}_I(v) = \{X \in R^{k \times n} : X \cdot v^t \equiv 0 \bmod I\}.$$
The next result is known for other types of module lattices ([SS13,RSW18]). Its proof
is standard and given for the sake of completeness.

Lemma A.4. Let $K$ be a number field with maximal order $R$, and $I$ be an ideal in $R$. Let $k, n \ge 1$. Then, for any $v \in (R/I)^n \setminus \{0\}$, we have

$$\left(\Lambda^{\perp k}_I(v)\right)^\vee = \left((I^\vee / R^\vee) \cdot v + (R^\vee)^n\right)^k.$$

Proof. It suffices to prove the result for $k = 1$, as $\Lambda^{\perp k}_I(v)$ is the direct sum of $k$ copies of $\Lambda^{\perp 1}_I(v)$. Let $L = (I^\vee / R^\vee) \cdot v + (R^\vee)^{1 \times n}$. We proceed by double inclusion, starting with $L \subseteq \Lambda^{\perp 1}_I(v)^\vee$. Let $x \in \Lambda^{\perp 1}_I(v)$ and $y \in L$. There are $\lambda \in I^\vee / R^\vee$ and $r \in (R^\vee)^{1 \times n}$ such that $y = \lambda \cdot v + r$. Therefore, we have $\langle x, y\rangle = \lambda \langle x, v\rangle + \langle x, r\rangle$. By definition of $\Lambda^{\perp 1}_I(v)$, we have $\langle x, v\rangle \in I$, so that the trace of the first term is an integer. The second term is in $R^\vee$, so it also has an integer trace, and the first inclusion is proven.
By duality, the second inclusion is equivalent to $L^\vee \subseteq \Lambda^{\perp 1}_I(v)$. Let $x \in L^\vee$. A vector $y$ in its dual is of the form $y = \lambda \cdot v + r$ with $\lambda \in I^\vee / R^\vee$ and $r \in (R^\vee)^{1 \times n}$. Consider $\lambda = 0$ and let $r$ vary across vectors with all but one entry being $0$: the fact that the trace of $\langle x, y\rangle$ is an integer implies that $x \in R^n$. Now, consider $r = 0$ and let $\lambda$ vary in $I^\vee / R^\vee$: the integrality of the trace implies that $\langle x, v\rangle$ is in $I$.

A.2 Gaussian mass of matrices invertible modulo q

We now show that the Gaussian mass of $\mathrm{GL}_n(R,q)$ is essentially the full Gaussian mass of $R^{n \times n}$, for $q$ prime such that the prime factor ideals of $qR$ have large algebraic norms. This will prove useful as the trapdoor matrix $F$ is sampled in $R^{n \times n}$ conditioned on being invertible modulo $q$. More precisely, we obtain the following result.

Theorem A.5. Let $K$ be a cyclotomic number field of degree $d$ and maximal order $R$. Let $n \ge 1$ and let $q$ be an unramified prime integer such that each prime factor $\mathfrak{p}$ of $qR$ has algebraic norm $2^{\Omega(d)}$. Assume that $s \ge 2\left(\Delta_K N(\mathfrak{p})^{\frac{n-1}{2n-1}}\right)^{1/d}$. Then

$$\rho_s\left(R^{n \times n} \setminus \mathrm{GL}_n(R,q)\right) \le 2dn^2 \frac{s^{n^2 d}}{\Delta_K N(\mathfrak{p})} \le \frac{4d}{N(\mathfrak{p})} \rho_s(R^{n \times n}).$$

Observe that being non-invertible modulo $q$ is equivalent to being non-invertible modulo at least one prime factor of $qR$. Let $\mathfrak{p}$ be such a prime ideal. By the union bound and the fact that for our choice of $R$ the prime factors of $qR$ are isometric, we have

$$\rho_s\left(R^{n \times n} \setminus \mathrm{GL}_n(R,q)\right) \le d \cdot \rho_s\left(R^{n \times n} \setminus \mathrm{GL}_n(R,\mathfrak{p})\right).$$

At this stage, it is worth recalling that $R/\mathfrak{p}$ is a finite field of characteristic $q$. Being non-invertible in $(R/\mathfrak{p})^{n \times n}$ is hence equivalent to having a non-zero vector in the kernel. Since any two non-zero collinear vectors generate the same line, we can write

$$\rho_s\left(R^{n \times n} \setminus \mathrm{GL}_n(R,q)\right) \le d \cdot \frac{1}{N(\mathfrak{p}) - 1} \sum_{v \in (R/\mathfrak{p})^n \setminus 0} \rho_s\left(\Lambda^{\perp n}_{\mathfrak{p}}(v)\right) \le d \cdot \frac{N(\mathfrak{p})^{n-1}}{N(\mathfrak{p}) - 1} \cdot E_{v \leftarrow U((R/\mathfrak{p})^n \setminus 0)}\left[\rho_s\left(\Lambda^{\perp n}_{\mathfrak{p}}(v)\right)\right].$$

We are hence reduced to studying $E[\rho_s(\Lambda^{\perp n}_{\mathfrak{p}}(v))]$ for $v$ uniformly distributed in $(R/\mathfrak{p})^n \setminus 0$. For this, we will use the Poisson summation formula, which will involve the dual of $\Lambda^{\perp n}_{\mathfrak{p}}(v)$. The following technical lemma holds for an arbitrary number field $K$ and an arbitrary prime ideal $\mathfrak{p}$. Note that it implies Theorem A.5.

Lemma A.6. Let $K$ be a number field of degree $d$ and maximal order $R$. Let $n, k \ge 1$ and $q \ge 2$ be an unramified prime integer. Let $\mathfrak{p} \subseteq R$ be a prime factor of $qR$. For any $s \ge 2\left(\Delta_K N(\mathfrak{p})^{\frac{k-1}{n+k-1}}\right)^{1/d}$, we have:

$$\left| \frac{E_{v \leftarrow U((R/\mathfrak{p})^n \setminus 0)}\left[\rho_s\left(\Lambda^{\perp k}_{\mathfrak{p}}(v)\right)\right]}{\left(s^{nd} / N(\mathfrak{p})\right)^k} - 1 \right| \le 8nk \cdot 2^{-d}.$$

Proof. Let $v \in (R/\mathfrak{p})^n \setminus 0$. The lattice $\Lambda^{\perp k}_{\mathfrak{p}}(v)$ is the direct sum of $k$ copies of $\Lambda^{\perp 1}_{\mathfrak{p}}(v)$. The latter has index $N(\mathfrak{p})$ in $R^n$ (using the fact that $\mathfrak{p}$ is prime and $v$ is non-zero). Hence $\det(\Lambda^{\perp k}_{\mathfrak{p}}(v)) = N(\mathfrak{p})^k$. By the Poisson summation formula and Lemma A.4, we have:

$$\rho_s\left(\Lambda^{\perp k}_{\mathfrak{p}}(v)\right) = \left(\frac{s^{nd}}{N(\mathfrak{p})}\right)^k \cdot \rho_{1/s}\left((\mathfrak{p}^\vee / R^\vee)^{k \times 1} \cdot v^t + (R^\vee)^{k \times n}\right).$$

We focus on the expectation of the latter Gaussian sum, and aim at showing that it is very close to $\rho_{1/s}(R^\vee)^{nk} \approx 1$. We have:

$$\begin{aligned}
&\left| E_v\left[\rho_{1/s}\left((\mathfrak{p}^\vee / R^\vee)^{k \times 1} \cdot v^t + (R^\vee)^{k \times n}\right)\right] - \rho_{1/s}(R^\vee)^{nk} \right| \\
&= \left| E_v\left[ \sum_{x \in (\mathfrak{p}^\vee / R^\vee)^k \setminus 0} \ \prod_{\substack{i \in [k] \\ j \in [n]}} \rho_{1/s}(x_i v_j + R^\vee) \right] \right| \\
&\le \frac{nk}{N(\mathfrak{p})^n - 1} \sum_{\substack{x \in (\mathfrak{p}^\vee / R^\vee)^k \\ v \in (R/\mathfrak{p})^n \\ x_1, v_1 \ne 0}} \ \prod_{\substack{i \in [k] \\ j \in [n]}} \rho_{1/s}(x_i v_j + R^\vee).
\end{aligned}$$

For the inequality, we used the facts that $(\mathfrak{p}^\vee / R^\vee)^k \setminus 0 = \bigcup_{i \in [k]} \{x \in (\mathfrak{p}^\vee / R^\vee)^k : x_i \ne 0\}$, $(R/\mathfrak{p})^n \setminus 0 = \bigcup_{j \in [n]} \{v \in (R/\mathfrak{p})^n : v_j \ne 0\}$, and that each set in these unions has the same Gaussian mass.
We now provide some intuition on how the sum above will be handled. We aim at separating the variables and swapping the order of the sum and the product. However, the function being summed is not a product of functions of independent variables. Indeed, in the sum over $x$ and $v$, there are $n + k$ independent variables (over $\mathfrak{p}^\vee / R^\vee$ and $R/\mathfrak{p}$, which are two representations of the same finite field $\mathbb{F}_{N(\mathfrak{p})}$). On the other hand, the product consists of $nk$ terms involving the non-independent variables $x_i v_j$. In what follows, we restrict the product to $i = 1$ or $j = 1$, to have $n + k - 1$ independent quadratic terms. Concretely, we write:

$$\begin{aligned}
\prod_{\substack{i \in [k] \\ j \in [n]}} \rho_{1/s}(x_i v_j + R^\vee) &= \prod_{i = 1 \text{ or } j = 1} \rho_{1/s}(x_i v_j + R^\vee) \cdot \prod_{i, j > 1} \rho_{1/s}(x_i v_j + R^\vee) \\
&\le \rho_{1/s}(R^\vee)^{(n-1)(k-1)} \cdot \prod_{i = 1 \text{ or } j = 1} \rho_{1/s}(x_i v_j + R^\vee).
\end{aligned}$$

The inequality holds because the Gaussian sum of a lattice coset is maximized for the zero coset. Next, we apply a change of variable over the summand $(x, v)$. Concretely, we (bijectively) map $(x, v) \in (\mathfrak{p}^\vee / R^\vee)^k \times (R/\mathfrak{p})^n$ with $x_1, v_1 \ne 0$ to $(x', v')$ with $x'_1 = x_1$, $x'_i = x_i v_1 \in \mathfrak{p}^\vee / R^\vee$ for $i > 1$ and $v'_j = v_j x_1 \in \mathfrak{p}^\vee / R^\vee$ for $j \ge 1$. Overall, we have

$$\begin{aligned}
\sum_{\substack{x \in (\mathfrak{p}^\vee / R^\vee)^k \\ v \in (R/\mathfrak{p})^n \\ x_1, v_1 \ne 0}} \ \prod_{\substack{i \in [k] \\ j \in [n]}} \rho_{1/s}(x_i v_j + R^\vee)
&\le \rho_{1/s}(R^\vee)^{(n-1)(k-1)} \cdot \sum_{\substack{x' \in (\mathfrak{p}^\vee / R^\vee)^k \\ v' \in (\mathfrak{p}^\vee / R^\vee)^n \\ x'_1, v'_1 \ne 0}} \ \prod_{1 < i \le k} \rho_{1/s}(x'_i + R^\vee) \prod_{1 \le j \le n} \rho_{1/s}(v'_j + R^\vee) \\
&= \rho_{1/s}(R^\vee)^{(n-1)(k-1)} \cdot \Big( \sum_{x \in \mathfrak{p}^\vee / R^\vee} \rho_{1/s}(x + R^\vee) \Big)^{n+k-2} \cdot \sum_{x \in \mathfrak{p}^\vee / R^\vee \setminus 0} \rho_{1/s}(x + R^\vee) \\
&\le \rho_{1/s}(R^\vee)^{(n-1)(k-1)} \cdot \rho_{1/s}(\mathfrak{p}^\vee)^{n+k-2} \cdot \left(\rho_{1/s}(\mathfrak{p}^\vee) - 1\right).
\end{aligned}$$

From Lemma A.3, we have

$$\rho_{1/s}(\mathfrak{p}^\vee) \le \max\left(1, \Delta_K N(\mathfrak{p}) s^{-d}\right)(1 + 2^{-2d}).$$

Similarly, since $s \ge \eta_{2^{-2d}}(R)$, we have $\rho_{1/s}(R^\vee) \le 1 + 2^{-2d}$. We hence obtain:

$$\sum_{\substack{x \in (\mathfrak{p}^\vee / R^\vee)^k \\ v \in (R/\mathfrak{p})^n \\ x_1, v_1 \ne 0}} \ \prod_{\substack{i \in [k] \\ j \in [n]}} \rho_{1/s}(x_i v_j + R^\vee) \le 2 \cdot \max\left(2^{-2d}, (\Delta_K N(\mathfrak{p}) s^{-d})^{n+k-1}\right).$$

This leads to the following bound:

$$\begin{aligned}
\left| E_v\left[\rho_{1/s}\left((\mathfrak{p}^\vee / R^\vee)^{k \times 1} \cdot v^t + (R^\vee)^{k \times n}\right)\right] - 1 \right|
&\le \frac{4nk}{N(\mathfrak{p})^n} \cdot \max\left(2^{-2d}, (\Delta_K N(\mathfrak{p}) s^{-d})^{n+k-1}\right) + 2nk \, 2^{-d} \\
&\le 4nk \cdot 2^{-d} + (\Delta_K s^{-d})^{n+k-1} N(\mathfrak{p})^{k-1}.
\end{aligned}$$

The assumption on $s$ gives the result.
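The last step, "the assumption on $s$ gives the result", carried through explicitly; this is an added worked derivation in the lemma's own notation, not part of the original proof. Raising the assumption $s \ge 2\left(\Delta_K N(\mathfrak{p})^{\frac{k-1}{n+k-1}}\right)^{1/d}$ to the $d$-th power and rearranging gives

$$\Delta_K s^{-d} \le 2^{-d} N(\mathfrak{p})^{-\frac{k-1}{n+k-1}}, \qquad \text{hence} \qquad (\Delta_K s^{-d})^{n+k-1} N(\mathfrak{p})^{k-1} \le 2^{-d(n+k-1)} \le 2^{-d}.$$

Substituting this into the bound just obtained, and using $4nk + 1 \le 8nk$ for $n, k \ge 1$,

$$\left| E_v\left[\rho_{1/s}\left((\mathfrak{p}^\vee / R^\vee)^{k \times 1} \cdot v^t + (R^\vee)^{k \times n}\right)\right] - 1 \right| \le 4nk \cdot 2^{-d} + 2^{-d} \le 8nk \cdot 2^{-d}.$$

Multiplying through by $\left(s^{nd} / N(\mathfrak{p})\right)^k$, which by the Poisson summation identity at the start of the proof is exactly the factor relating $\rho_s(\Lambda^{\perp k}_{\mathfrak{p}}(v))$ to this Gaussian sum, yields the statement of Lemma A.6.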

A.3 Proof of Theorem A.1

For $H \in R_q^{n \times m}$, the $q$-ary orthogonal lattice associated to $H$ is

$$\Lambda^\perp_q(H) := \left\{ x \in R^{n+m} : x \cdot \begin{pmatrix} I_m \\ H \end{pmatrix} = 0^m \bmod q \right\},$$

and NTRU lattices correspond to $m = 1$. We have $\mathrm{Vol}\, \Lambda^\perp_q(H) = q^{md}$. In terms of lattices, taking the direct sum of $n$ copies of this module amounts to considering

$$\Lambda^{\perp n}_q(H) := \left\{ X \in R^{n \times (n+m)} : X \cdot \begin{pmatrix} I_m \\ H \end{pmatrix} = 0^{n \times m} \bmod q \right\},$$

for which we have $\mathrm{Vol}\, \Lambda^{\perp n}_q(H) = q^{mnd}$. The next result holds for any finite number of copies.

Lemma A.7 ([LPR13, Th. 7.4]). Let $K$ be a cyclotomic number field of degree $d$ and maximal order $R$. Let $m, n \ge 1$ and $q \ge 2$. Then $\eta_{2^{-\Omega(d)}}\left(\Lambda^\perp_q(H)\right) < 2d\, q^{m/(n+m) + 2/(d(n+m))}$, except with probability at most $2^{-\Omega(d)}$ over the choice of $H \leftarrow U(R_q^{n \times m})$.

We now show that for a fraction $1 - 2^{-\Omega(d)}$ of $H \in R_q^{n \times m}$, the quantity $\left| \mathcal{E}_s[H] - |R_q^{n \times m}|^{-1} \right|$ is smaller than $q^{-mnd} \cdot 2^{-\Omega(d)}$. We have:$^9$

$$\begin{aligned}
\mathcal{E}_s[H] &= P_{(F,G) \leftarrow D_{\mathrm{GL}_n(R,q),s} \times D_{R^{n \times m},s}}\left[ \begin{pmatrix} G & F \end{pmatrix} \cdot \begin{pmatrix} I_m \\ H \end{pmatrix} = 0 \bmod q \right] \\
&= P_{(F,G) \leftarrow D_{R^{n \times (n+m)},s}}\left[ \begin{pmatrix} G & F \end{pmatrix} \cdot \begin{pmatrix} I_m \\ H \end{pmatrix} = 0 \ \middle|\ F \in \mathrm{GL}_n(R,q) \right] \\
&\le \frac{P_{(F,G) \leftarrow D_{R^{n \times (n+m)},s}}\left[ \begin{pmatrix} G & F \end{pmatrix} \in \Lambda^{\perp n}_q(H) \right]}{P_{F \leftarrow D_{R^{n \times n},s}}\left[ F \in \mathrm{GL}_n(R,q) \right]} \\
&= \frac{\rho_s\left(\Lambda^{\perp n}_q(H)\right)}{\rho_s(\mathrm{GL}_n(R,q)) \cdot \rho_s(R)^{n \cdot m}}.
\end{aligned}$$

We first consider the term $\rho_s(\Lambda^{\perp n}_q(H))$. To handle it, we use Lemma A.2 and Lemma A.7. We obtain that for a fraction $1 - 2^{-\Omega(d)}$ of $H \in R_q^{n \times m}$, we have:

$$\left| \rho_s\left(\Lambda^{\perp n}_q(H)\right) - \frac{s^{d(m+n)}}{q^{mnd}} \right| \le \frac{s^{d(m+n)}}{q^{mnd}} 2^{-\Omega(d)}.$$

Similarly, we have with Lemma A.2 again:

$$\left| \rho_s(R) - s^d \right| \le s^d 2^{-\Omega(d)}.$$

Finally, by Theorem A.5, we have:

$$\rho_s(\mathrm{GL}_n(R,q)) \ge s^{n^2 d} \left(1 - \frac{4d}{N(\mathfrak{p})}\right).$$

This provides the result.

$^9$ Note that not much is lost in the inequality only if most matrices in $R^{n \times n}$ are invertible modulo $q$. This is the case for example when the rational integer $q$ does not split too much in $R$.
