Mitaka: Faster, Simpler, Parallelizable and Maskable Hash-and-Sign Signatures on NTRU Lattices
This talk introduces the Mitaka signature scheme: a new hash-and-sign signature scheme over NTRU lattices that can be seen as a variant of the NIST finalist Falcon. It achieves comparable efficiency but is considerably simpler, easier to parallelize, and easier to protect against side-channel attacks, which makes it significantly more attractive from an implementation standpoint. We obtain the scheme by replacing the FFO (fast Fourier orthogonalization) lattice Gaussian sampler used in Falcon with the "hybrid" sampler of Prest, for which we carry out a detailed and corrected security analysis. In principle, such a change can cause a substantial loss of security, but we show that this loss can be largely mitigated by new key-generation techniques that construct much higher-quality lattice trapdoors for the hybrid sampler at relatively low cost. We also provide a provably secure higher-order masking of Mitaka at a much lower cost than previous masking techniques for signature schemes based on Gaussian sampling.