Hi everyone, I'm Thomas Espitau. I'm happy to present to you today some new results on the compression of hash-and-sign signatures. This is joint work with Mehdi Tibouchi, Alexandre Wallet and Yang Yu.

First, let me present some of the signatures you can find in the world in 2022. In this small panorama, I will draw circles whose area is proportional to the size of the signature itself. So let's start with the hash-based signatures, so SPHINCS+, Picnic and XMSS, which are all pretty big. And then the lattice ones, Dilithium and Falcon, the finalists to the NIST competition in the lattice case. And for reference, RSA and ECDSA on Edwards curves, which are very small in comparison. The aim of this talk today is to show you how to take hash-and-sign signatures, so Falcon in this case, and to reduce them by almost a third.

So in order to see how to compress, let me show you first how to sign. Let's go for this 101 crash course on hash-and-sign over lattices. So what do we do? We take our message M and we first hash it in the ambient space of our lattice. So it's not a lattice point, just somewhere around, okay? And using the secret key, I will construct a discrete Gaussian sample, which is now a lattice point. So for instance, this lucky point V in here. And my signature will simply be the difference between the sample and the hash of the message. This is a short vector, we're pretty happy with that.

Okay, so on specific classes of lattices, such as q-ary lattices, which NTRU belongs to, we have a very interesting property which allows us to work modulo Q. And if we do so, we can represent the lattice points mod Q by only half of their coordinates, so in dimension two only by the X coordinate, for instance. And this means that in our case, we can simply take the first coordinate and say, oh, that's my signature.
And this is actually sufficient because from that, we can fully reconstruct the signature, the signature vector itself. What we do is just see which lattice point in the coset mod Q corresponds to my signature, select it, and take the difference with the hash of the message. Then we retrieve the vector constructed at signing time and we only need to check whether this vector is small enough to be accepted as a valid signature. So if we want to sign using these q-ary lattices, we will have signatures which lie in this orange circle, which are on the X axis. So if we want signatures which are smaller, we want to select points which are closer to the origin. Okay, it's pretty easy.

So the first idea we can have is to unbalance the signatures. How can we do that? In the current state, we are sampling a Gaussian point around the hash of the message according to a discrete Gaussian which is spherical. So isotropic, we don't favor any possible direction. But instead, if we start to unbalance the distribution itself to favor points which are aligned on the Y axis, we will of course have signatures which are favored to be closer to the origin. We're happy with that.

So equivalently, what we can do if we still want to sample using spherical Gaussians is to unbalance the lattice itself, so we can compress it, adding more points. And if we want to keep this q-ary property, we need to preserve the determinant, so we need to expand it on the Y axis at the same time. So we'll get this lattice, which is the distortion on the X axis and on the Y axis at the same time. Okay. So if we do so and look at what happens mod Q as before, we see that we have far more points closer to the origin. So in particular, when we're going to sample spherical discrete Gaussians over this lattice, we will favor more points to be close to zero.
Okay, so now we can just replace everything we did by taking this unbalanced lattice as our base lattice to work with, and nothing else changes. We're happy with that.

And then you could say, oh, Thomas, we're working mod Q everywhere. So what if we just say, I want a smaller Q? And this is actually a very neat idea, because if we start here with an example with Q equals 7, replaced by a smaller Q, let's say Q equals 5, oh, we get more points closer to the origin, and we can go even closer and just reduce Q so that our signature will be of size Q, and we're happy with that.

So is it a free lunch? Can we just reduce everything for free? Can we distort for free? Can you reduce Q as small as you want? Sadly, the answer is a big no. So we need to be careful about the security impact of such choices. We can still have a very concrete impact, and we can show that we can reduce the size of Falcon 512 to 410 bytes and Falcon 1024 to 780 bytes, which is in any case a gain of around 30%. So this is a very concrete impact, and it starts to give signatures which are roughly the size of RSA and can preserve security at NIST level 1 and NIST level 5.

I'll be very happy to show you more of that and how to deal with the attack and give you more details at the Crypto talk in a few days. Thank you very much for your attention and see you in Santa Barbara.
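
Added example, not part of the talk: a toy two-dimensional q-ary lattice L = {(x, y) : y ≡ h·x mod Q} showing how a signature sent as its first coordinate only is rebuilt and norm-checked by the verifier. Q = 7 is the talk's example value; h = 3, the acceptance bound and all function names are assumptions, and an exhaustive nearest-point search stands in for the secret-key discrete Gaussian sampler.

```python
import hashlib

Q, H = 7, 3      # toy modulus (from the talk) and assumed public value h
BOUND_SQ = 2     # assumed squared acceptance bound for this toy lattice

def hash_to_point(msg, q=Q):
    """Hash a message into the ambient space Z_q^2 (generally not a lattice point)."""
    d = hashlib.sha256(msg).digest()
    return (int.from_bytes(d[:16], "big") % q, int.from_bytes(d[16:], "big") % q)

def sign(c, q=Q, h=H):
    """Return the full short vector s = v - c, v being the lattice point nearest to c.
    Exhaustive search replaces the Gaussian sampler; only s[0] would be transmitted."""
    window = [(x, y)
              for x in range(c[0] - q, c[0] + q + 1)
              for y in range(c[1] - q, c[1] + q + 1)
              if (y - h * x) % q == 0]                  # lattice membership test
    v = min(window, key=lambda p: (p[0] - c[0]) ** 2 + (p[1] - c[1]) ** 2)
    return (v[0] - c[0], v[1] - c[1])

def reconstruct(c, s1, q=Q, h=H):
    """Rebuild s from s1: c + s in L forces s2 = h*(c1 + s1) - c2 (mod q)."""
    r = (h * (c[0] + s1) - c[1]) % q
    return (s1, r - q if r > q // 2 else r)             # centered representative

def verify(c, s1, q=Q, h=H, bound_sq=BOUND_SQ):
    """Accept only if the reconstructed vector is short enough."""
    s = reconstruct(c, s1, q, h)
    return s[0] ** 2 + s[1] ** 2 <= bound_sq

def roundtrip_all(q=Q, h=H, bound_sq=BOUND_SQ):
    """Check every hash target: the half-size signature rebuilds to the signer's vector."""
    for c in ((x, y) for x in range(q) for y in range(q)):
        s = sign(c, q, h)
        if reconstruct(c, s[0], q, h) != s or not verify(c, s[0], q, h, bound_sq):
            return False
    return True

if __name__ == "__main__":
    c = hash_to_point(b"constructed sample message")
    s = sign(c)
    print("target", c, "full vector", s, "sent", s[0], "accepted", verify(c, s[0]))
    print("all targets round-trip:", roundtrip_all())
```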