Skip to content

Add EIP: Precompile for Falcon support #10560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 44 commits into from
Nov 20, 2025
+2,297 −0
Merged

Add EIP: Precompile for Falcon support #10560

Show file tree
Hide file tree
Changes from 34 commits
Commits
Show all changes
44 commits
Select commit Hold shift + click to select a range
b72c191
Create falcon.md
asanso Sep 16, 2025
de6b879
Improve the EIP
simonmasson Sep 19, 2025
18b9d6e
improve falcon eip
simonmasson Sep 22, 2025
fc826cf
more
simonmasson Sep 22, 2025
0c600a8
P
simonmasson Sep 22, 2025
e6116b3
eip7932
simonmasson Sep 22, 2025
e9a5a35
Update falcon.md - Renaud review
rdubois-crypto Sep 22, 2025
001cf01
Merge pull request #2 from ZKNoxHQ/simon/eip-falcon
rdubois-crypto Sep 22, 2025
8dabd4e
fix typo
simonmasson Oct 13, 2025
03b3929
sed contract function
simonmasson Oct 13, 2025
c1a567c
add h2pETH in cost
simonmasson Oct 13, 2025
76e042b
remove phrase about ecrecover
simonmasson Oct 13, 2025
0202bdc
typo
simonmasson Oct 13, 2025
38520c9
move file
simonmasson Oct 15, 2025
9b4c044
Solidity and python files
simonmasson Oct 15, 2025
5a4279d
remove zkfalcon for now
simonmasson Oct 15, 2025
7cfc3af
remove useless files
simonmasson Oct 15, 2025
e6d02e7
Merge pull request #3 from ethereum/master
simonmasson Oct 15, 2025
7ed6c3b
Merge branch 'ethereum:master' into simon/eip-falcon
simonmasson Oct 17, 2025
cc7f97e
modify header
simonmasson Oct 17, 2025
c91006f
gas cost clearer
simonmasson Oct 17, 2025
ef50bd3
Update EIP-Falcon precompile names and specifications
nconsigny Oct 23, 2025
e8f74a1
add EIP number and discussion link
nconsigny Oct 23, 2025
71a9ad0
minor changes to align precompiles instead of opcodes in prose
nconsigny Oct 23, 2025
895861c
mv file to eip number, modification of the EIP-7932 related section
simonmasson Nov 1, 2025
666ce3f
Modifications related to EIP-8052
simonmasson Nov 1, 2025
cddd205
add eip number
nconsigny Nov 2, 2025
355de2f
Merge nconsigny/eip-falcon-contrib: consolidate EIP-7932 in section 6
nconsigny Nov 5, 2025
b7661bf
Merge branch 'nconsigny-nconsigny/eip-falcon-contrib' into simon/eip-…
nconsigny Nov 5, 2025
726994c
Fix conflicts
nconsigny Nov 5, 2025
1e5adc6
Merge pull request #4 from nconsigny/eip-falcon-contrib
nconsigny Nov 5, 2025
a1285ed
Fix EIP-8052 markdown validation errors
nconsigny Nov 5, 2025
03b6beb
Fix markdown linting errors in EIP-8052
nconsigny Nov 5, 2025
fddcce0
Fix final markdown linting error in EIP-8052
nconsigny Nov 5, 2025
49057be
add github accounts
simonmasson Nov 14, 2025
92b17f7
eXtendable > extendable
simonmasson Nov 14, 2025
841b90e
add todo html
simonmasson Nov 14, 2025
728e7a2
move asset name
simonmasson Nov 14, 2025
82d371f
remove python code
simonmasson Nov 14, 2025
3acb902
ref implementatoin
simonmasson Nov 14, 2025
b294815
clean test files
simonmasson Nov 14, 2025
88aca11
src files for asset
simonmasson Nov 14, 2025
7976c69
only test vectors and no solidity code
simonmasson Nov 15, 2025
27f10b7
reference implementation sentence
simonmasson Nov 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
492 changes: 492 additions & 0 deletions EIPS/eip-8052.md
View file
Open in desktop

Large diffs are not rendered by default.

21 changes: 21 additions & 0 deletions assets/eip-falcon/pythonref/LICENSE
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2018 Thomas Prest

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
135 changes: 135 additions & 0 deletions assets/eip-falcon/pythonref/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
# Falcon in python

This repository implements the signature scheme Falcon (https://falcon-sign.info/).
Falcon stands for **FA**st Fourier **L**attice-based **CO**mpact signatures over **N**TRU

**Authors: Renaud Dubois and Simon Masson.**

<small>Acknowledgements: Thomas Prest for the originial code, Zhenfei Zhang for the possible optimizations.</small>

:warning: This is an experimental code, not the [reference code](https://falcon-sign.info/) of Falcon.. It is not considered secure or suitable for production.

License: MIT.

## Interface

It is possible to generate a key pair, sign a message and verify a signature in one command-line.

###### Key generation


```
./sign_cli.py genkeys --version='falcon' # or 'ethfalcon'
```
It creates two files `private_key.pem` and `public_key.pem` storing the private and public keys.
It also prints the public key in Solidity format.

###### Signature
```
./sign_cli.py sign --data=deadbeef --privkey=private_key.pem
```
It create a signature file `sig` for the given message and the private key.
The signature is stored in hexadecimal format.
It also prints the signature in Solidity format.

###### Verification
```
./sign_cli.py verify --data=deadbeef --pubkey=public_key.pem --signature='sig'
```
It outputs the validity of the signature with respect to a message and a public key given as input.
The signature needs to be provided as a (large) string.


<!-- ## Profiling

I included a makefile target to performing profiling on the code. If you type `make profile` on a Linux machine, you should obtain something along these lines:

![kcachegrind](https://tprest.github.io/images/kcachegrind_falcon.png)

Make sure you have `pyprof2calltree` and `kcachegrind` installed on your machine, or it will not work. -->

## Tests

Tests of key generation, signing and verification can be done in iterative and recursive NTT. The HashToPoint can be set with the SHAKE256, KeccaXOF (implemented in Tetration), or KeccakPRNG (a PRNG based on Keccak).
```
make test
```
This runs the original tests, and additional tests made in `test_xxx.py`.

## Benchmarks

:warning: This implementation is not optimized.

<table>
<tr>
<th rowspan="2">n</th>
<th colspan="2">Key generation</th>
<th colspan="2">Signature</th>
<th colspan="4">Verification</th>
</tr>
<tr>
<td>NTT iterative</td>
<td>NTT recursive</td>
<td>SHAKE256</td>
<td>KeccaXOF</td>
<td>NTT iterative</td>
<td>NTT recursive</td>
<td>SHAKE256</td>
<td>KeccaXOF</td>
</tr>
<tr>
<td>64</td>
<td>180 ms</td>
<td>96 ms</td>
<td>2.4 ms</td>
<td>2.4 ms</td>
<td>0.3 ms</td>
<td>0.6 ms</td>
<td>0.3 ms</td>
<td>0.4 ms</td>
</tr>
<tr>
<td>128</td>
<td>825 ms</td>
<td>1033 ms</td>
<td>4.7 ms</td>
<td>4.7 ms</td>
<td>0.6 ms</td>
<td>1.4 ms</td>
<td>0.6 ms</td>
<td>0.7 ms</td>
</tr>
<tr>
<td>256</td>
<td>1051 ms</td>
<td>1530 ms</td>
<td>9.7 ms</td>
<td>9.4 ms</td>
<td>1.3 ms</td>
<td>3.0 ms</td>
<td>1.3 ms</td>
<td>1.3 ms</td>
</tr>
<tr>
<td>512</td>
<td>2273 ms</td>
<td>1755 ms</td>
<td>19.2 ms</td>
<td>19.0 ms</td>
<td>3.0 ms</td>
<td>6.6 ms</td>
<td>3.0 ms</td>
<td>3.0 ms</td>
</tr>
<tr>
<td>1024</td>
<td>10256 ms</td>
<td>13652 ms</td>
<td>39.3 ms</td>
<td>39.2 ms</td>
<td>6.4 ms</td>
<td>14.2 ms</td>
<td>6.4 ms</td>
<td>6.2 ms</td>
</tr>
</table>
61 changes: 61 additions & 0 deletions assets/eip-falcon/pythonref/bench_signature.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
from falcon import PublicKey, SecretKey
from falcon_epervier import EpervierPublicKey, EpervierSecretKey
from falcon_recovery import RecoveryModePublicKey, RecoveryModeSecretKey
from scripts.sign_KAT import sign_KAT
from timeit import default_timer as timer


class BenchSignature():
def bench_falcon_recovery_epervier(self):
print("Verification time")
print("n\tFalcon\t\tFalconRec\tEpervier")
for n in [64, 128, 256, 512, 1024]:
print(n, end='\t')
iterations = 100
f = sign_KAT[n][0]["f"]
g = sign_KAT[n][0]["g"]
F = sign_KAT[n][0]["F"]
G = sign_KAT[n][0]["G"]
message = b"abc"
# Falcon
sk = SecretKey(n, [f, g, F, G])
pk = PublicKey(n, sk.h)
sig = sk.sign(message)
assert pk.verify(message, sig)
t00 = timer()
for i in range(iterations):
pk.verify(message, sig)
t0 = timer()
print("{:.1f}ms".format(
(t0-t00)/iterations * 10**3),
end='\t\t'
)
# Falcon Rec
sk = RecoveryModeSecretKey(n, [f, g, F, G])
pk = RecoveryModePublicKey(n, sk.pk)
sig = sk.sign(message)
assert pk.verify(message, sig)
t1 = timer()
for i in range(iterations):
pk.verify(message, sig)
t2 = timer()
print("{:.1f}ms".format(
(t2-t1)/iterations * 10**3),
end='\t\t'
)
# Epervier
sk = EpervierSecretKey(n, [f, g, F, G])
pk = EpervierPublicKey(n, sk.pk)
sig = sk.sign(message)
assert pk.verify(message, sig)
t3 = timer()
for i in range(iterations):
pk.verify(message, sig)
t4 = timer()
print("{:.1f}ms".format(
(t4-t3)/iterations * 10**3)
)


B = BenchSignature()
B.bench_falcon_recovery_epervier()
Loading