365 Architect

FIPS 206 — FN-DSA (Compact Lattice Signatures)

What It Is in One Sentence

FN-DSA creates digital signatures that are much smaller than ML-DSA (~666–1,280 bytes vs ~2,400–4,600 bytes) with equally fast verification — but requires careful implementation due to floating-point arithmetic.

The Problem ML-DSA Doesn't Solve

ML-DSA signatures are large (~3.3 KB for the recommended ML-DSA-65). In bandwidth-constrained environments:

Environment Typical budget ML-DSA-65 impact
TLS handshake 2–4 KB total +3.3 KB = 80% larger
IoT sensor (LoRaWAN) 51 bytes payload +3.3 KB = impossible
Blockchain transaction 250 bytes +3.3 KB = 13× larger
Smart card (NFC) 8 KB total +3.3 KB = 40% consumed

FN-DSA solves this with signatures 4–6× smaller than ML-DSA.

How It Works (High Level)

FN-DSA is based on the NTRU lattice problem (different from ML-DSA's Module-LWE):

NTRU Problem: Given h = g/f mod q where f and g are small secret polynomials, recover f and g.

The signature is a short vector in an NTRU lattice, computed using fast Fourier transforms over the ring of polynomials.

Core Idea: Gaussian Sampling

FN-DSA uses discrete Gaussian sampling to create signatures:

  • Sample from a narrow Gaussian distribution (bell curve)
  • The "width" of the bell curve is determined by a public parameter
  • The signature is a lattice point close to a target, where "close" means sampled from this Gaussian

This is mathematically elegant but computationally complex — it requires floating-point arithmetic and fast Fourier transforms.

Quick Reference

FN-DSA-512 FN-DSA-1024
NIST Security Level Level 1 (~AES-128) Level 5 (~AES-256)
Public key 897 B 1,793 B
Private key 1,281 B 2,305 B
Signature 666 B 1,280 B
Sign time ~0.5 ms ~1.2 ms
Verify time ~0.1 ms ~0.2 ms

Articles in This Section

Resources

Share on LinkedIn