Skip navigation links
Bouncy Castle Cryptography Library 1.85

Package org.bouncycastle.pqc.crypto.faest

Lightweight implementation of FAEST — symmetric-primitive digital signature scheme based on AES and the VOLE-in-the-Head proof system.

See: Description

Package org.bouncycastle.pqc.crypto.faest Description

Lightweight implementation of FAEST — symmetric-primitive digital signature scheme based on AES and the VOLE-in-the-Head proof system. Round 3 candidate of NIST's post-quantum additional signatures process.

References

Parameter sets

Twelve parameter sets per the v2.0 spec, identified by BC-arc OIDs declared in BCObjectIdentifiers: The s (small) variants minimise signature size at the cost of slower signing/verification; the f (fast) variants invert the trade-off.

Side-channel posture

All FAEST-specific arithmetic (GF(2^λ) and GF(2^8) field ops, byte-combine helpers, constraint primitives, witness expansion, key schedule, top-level prover/verifier) is strictly constant-time: it uses mask-based bit selection and has no secret-indexed table lookups. The AES used internally for the OWF and Even-Mansour round-key derivation runs through FaestAES, whose S-box is computed via the bit-serial BF8#inv squaring chain rather than a lookup table. The PRG used to expand the BAVC seed tree calls AESEngine for performance reasons; that engine clones its S-box on every init() call, which BC documents as sufficient to defeat cache-line monitoring of the secret seed material.
Skip navigation links
Bouncy Castle Cryptography Library 1.85