
FALCON-512 — Tidecoin's Post-Quantum Signature

Lattice-based digital signature scheme selected by NIST for standardization as FN-DSA (Draft FIPS 206). Live on Tidecoin since genesis (December 27, 2020) — over 2.4 million blocks signed.

// how it works

How does FALCON-512 work?

FALCON combines NTRU lattices and the GPV hash-then-sign framework [Gentry, Peikert, Vaikuntanathan, STOC 2008]. Three stages: key generation, signing, verification.

01 Key Generation (offline · one-time)

  1. Sample short polynomials f, g over R_q = Z_q[x] / (x^512 + 1), q = 12,289
  2. Compute the public key as h = g · f^(-1) mod q
  3. Solve the NTRU equation for secret basis B = [[g, −f], [G, −F]]

02 Signing (with secret key)

  1. Generate a random 40-byte nonce: nonce ← rand(40 bytes)
  2. Hash the message to a target point in the lattice: c = H(nonce ‖ message)
  3. Use Fast Fourier Sampling with the secret basis: sig = ffSampling(B, c)
  4. Output the compressed short vector: sig_compressed ≈ 666 bytes

03 Verification (public key only)

  1. Recompute the hash-to-point target: c = H(nonce ‖ message)
  2. Recover the first half of the signature: s1 = c − s2 · h mod q
  3. Accept if the norm is within bound: ‖(s1, s2)‖² ≤ bound
  4. Integer-only arithmetic, no floating-point: ~28,000 verifications/sec

// comparison

Why is FALCON-512 ideal for blockchain?

FALCON-512 has the smallest combined PK + signature size of any NIST post-quantum standard — critical for blockchain where every byte is stored forever and replicated across all nodes.

| Property | FALCON-512 | ML-DSA-44 | XMSS (QRL) | ECDSA (BTC) |
|---|---|---|---|---|
| Signature size | 666 B | 2,420 B | ~2,500 B | 71 B |
| Public key | 897 B | 1,312 B | ~1,300 B | 33 B |
| PK + Sig | 1,563 B | 3,732 B | ~3,800 B | 104 B |
| Stateless | | | | |
| NIST standard | Draft FIPS 206 | FIPS 204 | RFC 8391 | |
| Quantum-safe | | | | |
| Verification speed | ~28,000/s | Fast | Moderate | ~10,000/s |

// side-channel protection

Constant-time implementation

FALCON's signing normally requires high-precision floating-point arithmetic — vulnerable to side-channel leaks through power, electromagnetic or timing channels. Tidecoin uses PQClean integer emulation: no FP, no branches on secrets, no timing leaks.

// known attacks addressed

FALCON DOWN (2021): Full key recovery through electromagnetic emanation measurements. [ePrint 2021/772]

SHIFT SNARE (2025): 100% key recovery from a single power trace on ARM Cortex-M4 devices. [arXiv 2504.00320]

// pqclean mitigations

Emulated floating-point

All FP arithmetic computed via uint64_t integer operations. The C double type is never used.

Constant-time shifts

Custom barrel-shifter emulation for shifts with secret shift counts.

No secret-dependent branching

Table lookups read every element. Zero timing correlation with key material.

Portable implementation

Identical behavior on 32-bit, 64-bit, little-endian and big-endian platforms.

Formal correctness of the emulated floating-point verified [Becker & Howe, ePrint 2024/321].

// verification modes

What are Tidecoin's legacy and strict Falcon modes?

Existing wallets require no key migration — the same keys produce tighter signatures after AuxPoW activation.

| Property | Legacy | Strict |
|---|---|---|
| When | Pre-AuxPoW (current mainnet) | Post-AuxPoW (upcoming) |
| Norm bound | 43,533,782 (relaxed) | 34,034,726 (standard PQClean) |
| Max signature size | 690 bytes | 752 bytes (padded 666) |
| Verification | Backward-compatible with early signatures | Tighter security margins |

The legacy norm bound is a relaxed threshold adopted for backward compatibility during Tidecoin's early operation — it is not the pre-2019-fix value (the 2019 sampler bug affected the lookup table and rejection formula, not the norm bound). Keys are identical in both modes; only signature creation and verification bounds differ.
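
Verification steps 2 and 3 checked against the two norm bounds from the mode table, as an added example (not Tidecoin's or PQClean's code). It swaps in a schoolbook negacyclic product for the NTT a production verifier uses and omits hash-to-point and signature decoding; the function names and the constructed sample in `demo_sqnorm` are assumptions.

```c
#include <stdint.h>

#define FALCON_N 512            /* ring Z_q[x]/(x^512 + 1) */
#define FALCON_Q 12289          /* modulus q */
#define BOUND_LEGACY 43533782u  /* squared-norm bounds from the mode table */
#define BOUND_STRICT 34034726u

/* r = c - s*h in Z_q[x]/(x^n + 1), as residues in [0, q). Schoolbook negacyclic
 * product; all inputs are public, so nothing here needs to be constant-time. */
static void sub_mul(const uint16_t *c, const int16_t *s, const uint16_t *h, uint16_t *r) {
    for (int k = 0; k < FALCON_N; k++) {
        int64_t acc = c[k];
        for (int i = 0; i < FALCON_N; i++) {
            int64_t t = (int64_t)s[i] * h[(k + FALCON_N - i) % FALCON_N];
            acc += (i > k) ? t : -t;  /* x^n = -1: wrapped terms change sign */
        }
        r[k] = (uint16_t)(((acc % FALCON_Q) + FALCON_Q) % FALCON_Q);
    }
}

/* Verification steps 2-3: recover s1 = c - s2*h mod q, return ||(s1, s2)||^2. */
uint64_t falcon_sqnorm(const uint16_t *c, const int16_t *s2, const uint16_t *h) {
    uint16_t s1[FALCON_N];
    uint64_t norm = 0;
    sub_mul(c, s2, h, s1);
    for (int k = 0; k < FALCON_N; k++) {
        int64_t v = s1[k] > FALCON_Q / 2 ? s1[k] - FALCON_Q : s1[k];  /* center */
        norm += (uint64_t)(v * v + (int64_t)s2[k] * s2[k]);
    }
    return norm;
}

int falcon_accept(uint64_t sqnorm, uint64_t bound) { return sqnorm <= bound; }

/* Constructed sample (not a real key or signature): h is arbitrary filler, s1 and
 * s2 have coefficients +/-amp, and c = s1 + s2*h, so verification recovers s1. */
uint64_t demo_sqnorm(int16_t amp) {
    uint16_t h[FALCON_N], c[FALCON_N], s1[FALCON_N];
    int16_t s2[FALCON_N], neg[FALCON_N];
    for (int k = 0; k < FALCON_N; k++) {
        h[k] = (uint16_t)((k * 7919u + 1234u) % FALCON_Q);
        s2[k] = (int16_t)((k & 1) ? amp : -amp);
        neg[k] = (int16_t)-s2[k];
        s1[k] = (uint16_t)((k & 2) ? amp : FALCON_Q - amp);  /* +/-amp mod q */
    }
    sub_mul(s1, neg, h, c);  /* c = s1 - (-s2)*h = s1 + s2*h */
    return falcon_sqnorm(c, s2, h);
}
```

With every coefficient at ±190 the squared norm is 36,966,400, which `falcon_accept` passes under `BOUND_LEGACY` and rejects under `BOUND_STRICT`.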

// 2019 sampler bug

Was Tidecoin affected by the 2019 Falcon bug?

No. In August 2019, Markku-Juhani O. Saarinen discovered two severe bugs in the Falcon Gaussian sampler. A 2025 retrospective [ACM CCS 2025] demonstrated that ~50 million buggy signatures could enable full key recovery.

Thomas Pornin published the fix on September 18, 2019. Tidecoin's genesis block was mined on December 27, 2020 — over 15 months after the fix. Tidecoin has always used the post-fix PQClean implementation.


FALCON-512 in Tidecoin — NIST Post-Quantum Signatures Since 2020