03 — Trapdoor Sampling

The Core Idea

FN-DSA signatures use a trapdoor — a secret mathematical structure that makes an otherwise hard problem easy.

Without trapdoor: Finding the nearest lattice point is hard (like finding a needle in a 512-dimensional haystack).

With trapdoor: Finding the nearest lattice point is fast (like having a magnet that pulls the needle to you).

The Trapdoor: Short Basis

Recall from NTRU lattices: the private key contains a short basis for the lattice:

$\displaystyle B_{good} = \begin{pmatrix} g & G \\ f & F \end{pmatrix}$

Where:

f, g are the small NTRU secret polynomials
F, G are computed such that the basis is short and has the correct volume

Computing F and G

Using the extended Euclidean algorithm on the polynomials f and g:

Find polynomials a and b such that: a·f + b·g = 1 (Bezout identity)
Compute: F = q·b and G = -q·a
Reduce: Use lattice reduction (LLL or BKZ) to make F and G as short as possible

This gives a basis where both vectors are short — the "trapdoor."

Nearest Lattice Point Problem

Given a target point t (in the same space as the lattice), find the lattice point v closest to t:

$\displaystyle v = \arg\min_{v \in \text{Lattice}} ||t - v||$

Without Trapdoor (Hard)

Try all lattice points near t. In dimension 512, there are exponentially many candidates.

With Trapdoor (Fast: Babai's Rounding)

Express t in the trapdoor basis:

$\displaystyle t = \alpha_1 \cdot b_1 + \alpha_2 \cdot b_2$

Where b₁, b₂ are the short basis vectors.
Round the coefficients to nearest integers:

$\displaystyle v = \lfloor \alpha_1 \rceil \cdot b_1 + \lfloor \alpha_2 \rceil \cdot b_2$
v is a lattice point close to t.

Why it works: When basis vectors are short and nearly orthogonal, rounding gives the nearest lattice point.

Gaussian Sampling (FALCON's Improvement)

Babai rounding works, but the result is not always the closest point, and the distribution of errors leaks information about the trapdoor.

FALCON improves this with discrete Gaussian sampling:

Discrete Gaussian Distribution

A probability distribution over integers where:

$\displaystyle P(x) \propto e^{-x^2 / (2\sigma^2)}$

σ is the standard deviation (width of the bell curve)
Probabilities decrease rapidly as |x| increases
Most samples are small, a few are moderate, rarely large

Sampling Algorithm

Instead of rounding, sample coefficients from a discrete Gaussian centred at the real coefficients:

Compute real coefficients: $\alpha_1, \alpha_2$ (as before)
Sample: $c_1 \sim D_{\mathbb{Z}, \sigma, \alpha_1}$ (discrete Gaussian centred at $\alpha_1$ )
Sample: $c_2 \sim D_{\mathbb{Z}, \sigma, \alpha_2}$ (discrete Gaussian centred at $\alpha_2$ )
Compute: $v = c_1 \cdot b_1 + c_2 \cdot b_2$

Why Gaussian Sampling Is Better

Property	Babai Rounding	Gaussian Sampling
Distribution	Deterministic given t	Probabilistic
Leakage	Can leak trapdoor structure	Provably hides trapdoor
Signature size	Moderate	Smaller (tighter distribution)
Security proof	Heuristic	Provable (GPV framework)
Complexity	Simple	Complex (requires sampling)

The GPV Framework

Gentry, Peikert, and Vaikuntanathan (2008) proved:

If signatures are sampled from a discrete Gaussian with the right parameters, the distribution of signatures is statistically close to an ideal Gaussian over the lattice — independent of the trapdoor.

This means:

An attacker seeing many signatures learns nothing about the trapdoor
The security proof is rigorous (not heuristic)
The signature size is minimised (tight Gaussian = short signatures)

Fast Fourier Transform for Speed

The naive Gaussian sampling over a 512-dimensional lattice is slow. FN-DSA uses the Number Theoretic Transform (NTT) — a fast Fourier transform over finite fields:

NTT Speed-Up

Operation	Naive	With NTT	Speedup
Polynomial multiplication	O(n²)	O(n log n)	~50× for n=512
Coefficient sampling	O(n) per coefficient	O(n log n) batch	~20×
Basis change	O(n³)	O(n² log n)	~10×

How NTT Applies to Sampling

Convert the trapdoor basis to NTT domain
Sample in NTT domain (coefficients are independent after NTT)
Convert back to polynomial domain

Critical insight: In the NTT domain, the covariance matrix of the Gaussian becomes diagonal. Sampling independent Gaussians per coefficient is trivial.

Security Parameters

Parameter	FN-DSA-512	FN-DSA-1024	Meaning
n	512	1,024	Ring dimension
q	12,289	12,289	Modulus
σ	1.17	1.17	Gaussian width (relative)
Signature bound	666 B	1,280 B	Maximum encoded size
Signing failure	< 2⁻¹²⁸	< 2⁻²⁵⁶	Probability of producing oversized signature

Resources

Gentry, Peikert, Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions" (2008), STOC
Ducas et al., "FALCON: Fast-Fourier Lattice-based Compact Signatures over NTRU" (2018), NIST submission
Prest, "Gaussian sampling in lattice-based cryptography" (2017), PhD thesis, École Normale Supérieure
NIST FIPS 206, Section 5: Trapdoor Sampling and FFT