Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures

Carsten Baum; Ward Beullens; Lennart Braun; Cyprien Delpech de Saint Guilhem; Michael Klooß; Christian Majenz; Shibam Mukherjee; Emmanuela Orsini; Sebastian Ramacher; Christian Rechberger; Lawrence Roy; Peter Scholl

doi:10.1007/978-3-032-01887-8_5

Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures

Carsten Baum
, Ward Beullens
, Lennart Braun
, Cyprien Delpech de Saint Guilhem
, Michael Klooß
, Christian Majenz
, Shibam Mukherjee
, Emmanuela Orsini
, Sebastian Ramacher
, Christian Rechberger
, Lawrence Roy
, Peter Scholl

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In the past decade and largely in response to the NIST standardization effort for post-quantum cryptography, many new designs for digital signatures have been proposed. Among those, the FAEST digital signature scheme (Baum et al., CRYPTO 2023) stands out due to its interesting security-performance trade-off. It only relies on well-tested symmetric-key cryptographic primitives, as it constructs a digital signature from a zero-knowledge (ZK) proof of knowledge of an AES key. To achieve this, it uses the VOLE-in-the-Head ZK proof system which relies only on pseudorandom generator (PRG) and hash function calls. FAEST simultaneously has relatively small signature size and competitive sign and verify times. In this work, we improve both the security and practical efficiency of FAEST. We improve the main computational bottleneck of the original construction by replacing hash function calls in the underlying vector commitment scheme with calls to an AES-based PRG. At the same time, we also improve the signature size by revisiting the evaluation of the AES block cipher in ZK. We use observations from Galois Theory to compress the size of the witness (and thus signature), due to the algebraic nature of the AES S-Box. We implemented our new construction, and our benchmarks show that its sign and verify times reduce up to 50% over the state-of-the-art while achieving the same security and smaller signatures. Finally, we analyze our resulting signature scheme both in the Quantum Random Oracle Model (QROM) and its classical analogue. To achieve concretely good security bounds, we devise a new classical proof for FAEST based on Renyi divergence techniques. We construct a QROM analogue and present a new Fiat-Shamir transform which is applicable to VOLE-in-the-Head-based signature schemes.

Original language	English
Title of host publication	Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings
Editors	Yael Tauman Kalai, Seny F. Kamara
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	124-156
Number of pages	33
ISBN (Print)	9783032018861
DOIs	https://doi.org/10.1007/978-3-032-01887-8_5
State	Published - 2025
Externally published	Yes
Event	45th Annual International Cryptology Conference, CRYPTO 2025 - Santa Barbara, United States Duration: 17 Aug 2025 → 21 Aug 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16005 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	45th Annual International Cryptology Conference, CRYPTO 2025
Country/Territory	United States
City	Santa Barbara
Period	17/08/25 → 21/08/25

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2025.

Access to Document

10.1007/978-3-032-01887-8_5

Cite this

Baum, C., Beullens, W., Braun, L., Delpech de Saint Guilhem, C., Klooß, M., Majenz, C., Mukherjee, S., Orsini, E., Ramacher, S., Rechberger, C., Roy, L., & Scholl, P. (2025). Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures. In Y. Tauman Kalai, & S. F. Kamara (Eds.), Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings (pp. 124-156). (Lecture Notes in Computer Science; Vol. 16005 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-01887-8_5

Baum, Carsten ; Beullens, Ward ; Braun, Lennart et al. / Shorter, Tighter, FAESTer : Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures. Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings. editor / Yael Tauman Kalai ; Seny F. Kamara. Springer Science and Business Media Deutschland GmbH, 2025. pp. 124-156 (Lecture Notes in Computer Science).

@inproceedings{2ba3747b0dda443cae123bf1856d08fb,

title = "Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures",

abstract = "In the past decade and largely in response to the NIST standardization effort for post-quantum cryptography, many new designs for digital signatures have been proposed. Among those, the FAEST digital signature scheme (Baum et al., CRYPTO 2023) stands out due to its interesting security-performance trade-off. It only relies on well-tested symmetric-key cryptographic primitives, as it constructs a digital signature from a zero-knowledge (ZK) proof of knowledge of an AES key. To achieve this, it uses the VOLE-in-the-Head ZK proof system which relies only on pseudorandom generator (PRG) and hash function calls. FAEST simultaneously has relatively small signature size and competitive sign and verify times. In this work, we improve both the security and practical efficiency of FAEST. We improve the main computational bottleneck of the original construction by replacing hash function calls in the underlying vector commitment scheme with calls to an AES-based PRG. At the same time, we also improve the signature size by revisiting the evaluation of the AES block cipher in ZK. We use observations from Galois Theory to compress the size of the witness (and thus signature), due to the algebraic nature of the AES S-Box. We implemented our new construction, and our benchmarks show that its sign and verify times reduce up to 50\% over the state-of-the-art while achieving the same security and smaller signatures. Finally, we analyze our resulting signature scheme both in the Quantum Random Oracle Model (QROM) and its classical analogue. To achieve concretely good security bounds, we devise a new classical proof for FAEST based on Renyi divergence techniques. We construct a QROM analogue and present a new Fiat-Shamir transform which is applicable to VOLE-in-the-Head-based signature schemes.",

author = "Carsten Baum and Ward Beullens and Lennart Braun and \{Delpech de Saint Guilhem\}, Cyprien and Michael Kloo{\ss} and Christian Majenz and Shibam Mukherjee and Emmanuela Orsini and Sebastian Ramacher and Christian Rechberger and Lawrence Roy and Peter Scholl",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2025.; 45th Annual International Cryptology Conference, CRYPTO 2025 ; Conference date: 17-08-2025 Through 21-08-2025",

year = "2025",

doi = "10.1007/978-3-032-01887-8\_5",

language = "אנגלית",

isbn = "9783032018861",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "124--156",

editor = "\{Tauman Kalai\}, Yael and Kamara, \{Seny F.\}",

booktitle = "Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings",

address = "גרמניה",

}

Baum, C, Beullens, W, Braun, L, Delpech de Saint Guilhem, C, Klooß, M, Majenz, C, Mukherjee, S, Orsini, E, Ramacher, S, Rechberger, C, Roy, L & Scholl, P 2025, Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures. in Y Tauman Kalai & SF Kamara (eds), Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings. Lecture Notes in Computer Science, vol. 16005 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 124-156, 45th Annual International Cryptology Conference, CRYPTO 2025, Santa Barbara, United States, 17/08/25. https://doi.org/10.1007/978-3-032-01887-8_5

Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures. / Baum, Carsten; Beullens, Ward; Braun, Lennart et al.
Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings. ed. / Yael Tauman Kalai; Seny F. Kamara. Springer Science and Business Media Deutschland GmbH, 2025. p. 124-156 (Lecture Notes in Computer Science; Vol. 16005 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Shorter, Tighter, FAESTer

T2 - 45th Annual International Cryptology Conference, CRYPTO 2025

AU - Baum, Carsten

AU - Beullens, Ward

AU - Braun, Lennart

AU - Delpech de Saint Guilhem, Cyprien

AU - Klooß, Michael

AU - Majenz, Christian

AU - Mukherjee, Shibam

AU - Orsini, Emmanuela

AU - Ramacher, Sebastian

AU - Rechberger, Christian

AU - Roy, Lawrence

AU - Scholl, Peter

PY - 2025

Y1 - 2025

N2 - In the past decade and largely in response to the NIST standardization effort for post-quantum cryptography, many new designs for digital signatures have been proposed. Among those, the FAEST digital signature scheme (Baum et al., CRYPTO 2023) stands out due to its interesting security-performance trade-off. It only relies on well-tested symmetric-key cryptographic primitives, as it constructs a digital signature from a zero-knowledge (ZK) proof of knowledge of an AES key. To achieve this, it uses the VOLE-in-the-Head ZK proof system which relies only on pseudorandom generator (PRG) and hash function calls. FAEST simultaneously has relatively small signature size and competitive sign and verify times. In this work, we improve both the security and practical efficiency of FAEST. We improve the main computational bottleneck of the original construction by replacing hash function calls in the underlying vector commitment scheme with calls to an AES-based PRG. At the same time, we also improve the signature size by revisiting the evaluation of the AES block cipher in ZK. We use observations from Galois Theory to compress the size of the witness (and thus signature), due to the algebraic nature of the AES S-Box. We implemented our new construction, and our benchmarks show that its sign and verify times reduce up to 50% over the state-of-the-art while achieving the same security and smaller signatures. Finally, we analyze our resulting signature scheme both in the Quantum Random Oracle Model (QROM) and its classical analogue. To achieve concretely good security bounds, we devise a new classical proof for FAEST based on Renyi divergence techniques. We construct a QROM analogue and present a new Fiat-Shamir transform which is applicable to VOLE-in-the-Head-based signature schemes.

AB - In the past decade and largely in response to the NIST standardization effort for post-quantum cryptography, many new designs for digital signatures have been proposed. Among those, the FAEST digital signature scheme (Baum et al., CRYPTO 2023) stands out due to its interesting security-performance trade-off. It only relies on well-tested symmetric-key cryptographic primitives, as it constructs a digital signature from a zero-knowledge (ZK) proof of knowledge of an AES key. To achieve this, it uses the VOLE-in-the-Head ZK proof system which relies only on pseudorandom generator (PRG) and hash function calls. FAEST simultaneously has relatively small signature size and competitive sign and verify times. In this work, we improve both the security and practical efficiency of FAEST. We improve the main computational bottleneck of the original construction by replacing hash function calls in the underlying vector commitment scheme with calls to an AES-based PRG. At the same time, we also improve the signature size by revisiting the evaluation of the AES block cipher in ZK. We use observations from Galois Theory to compress the size of the witness (and thus signature), due to the algebraic nature of the AES S-Box. We implemented our new construction, and our benchmarks show that its sign and verify times reduce up to 50% over the state-of-the-art while achieving the same security and smaller signatures. Finally, we analyze our resulting signature scheme both in the Quantum Random Oracle Model (QROM) and its classical analogue. To achieve concretely good security bounds, we devise a new classical proof for FAEST based on Renyi divergence techniques. We construct a QROM analogue and present a new Fiat-Shamir transform which is applicable to VOLE-in-the-Head-based signature schemes.

UR - https://www.scopus.com/pages/publications/105014147403

U2 - 10.1007/978-3-032-01887-8_5

DO - 10.1007/978-3-032-01887-8_5

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:105014147403

SN - 9783032018861

T3 - Lecture Notes in Computer Science

SP - 124

EP - 156

BT - Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings

A2 - Tauman Kalai, Yael

A2 - Kamara, Seny F.

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 17 August 2025 through 21 August 2025

ER -

Baum C, Beullens W, Braun L, Delpech de Saint Guilhem C, Klooß M, Majenz C et al. Shorter, Tighter, FAESTer: Optimizations and Improved (QROM) Analysis for VOLE-in-the-Head Signatures. In Tauman Kalai Y, Kamara SF, editors, Advances in Cryptology – CRYPTO 2025 - 45th Annual International Cryptology Conference, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. p. 124-156. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-01887-8_5