All-Blockchains
diff --git a/‎EIPS/eip-8052.md‎
Lines changed: 39 additions & 42 deletions b/‎EIPS/eip-8052.md‎
Lines changed: 39 additions & 42 deletions
@@ -32,14 +32,14 @@ Quantum computers pose a long-term risk to classical cryptographic algorithms. I
 
 Integrating post-quantum signature schemes is crucial to future-proof Ethereum and other EVM-based environments. It shall be noted that infrastructure for post-quantum signatures should be deployed *before* quantum adversaries are known to be practical because it takes on the order of years for existing applications to integrate.
 
-Falcon, a lattice-based scheme standardized by NIST, offers high security against both classical and quantum adversaries. Its compact signature size (~666 bytes for Falcon-512) and its efficient verification algorithm make it well-suited for blockchain applications, where gas usage and transaction throughput are critical considerations.
-<!-- When the public key is also stored together with the signature, it leads to 666 + 897 = 1563 bytes.
+Falcon, a lattice-based scheme standardized by NIST, offers high security against both classical and quantum adversaries. Its compact signature size (666 bytes for Falcon-512) and its efficient verification algorithm make it well-suited for blockchain applications, where gas usage and transaction throughput are critical considerations.
+<!-- When the public key is also stored together with the signature, it leads to 666 + 896 = 1562 bytes.
 Using the recovery mode, it can be reduced to 1292 + 32 = 1324 bytes. -->
 <!--
 For Falcon,
     σ=666 (40 bytes of salt, ~626 bytes for s2)
-    pk = 897,
-    TOTAL=1563
+    pk = 896,
+    TOTAL=1562
 For FalconRec,
     σ=1292 (40 bytes of salt, ~626 bytes for s1, ~626 bytes for s2),
     pk = 32,
@@ -67,7 +67,7 @@ This setting leads to the following size for signatures and keys:
 | **n** (lattice dimension)     | `512`     |
 | **q** (modulus)     | `12289`     | 
 | Padded signature size      | `666` bytes     | 
-| Public Key size     | `897` bytes     |
+| Public Key size     | `896` bytes     |
 | Private key size     | `1281` bytes     | 
 
 
@@ -79,14 +79,12 @@ From a high level, a signature verification can be decomposed in two steps:
 The following pseudo-code highlights how these two algorithms are involved in a Falcon verification, and how the modularity of the challenge computation opens up to two version of Falcon:
 
 ```python
-def falcon512_verify(message: bytes, signature: Tuple[bytes, bytes], pubkey: bytes) -> bool:
+def falcon512_verify(message: bytes, signature: bytes, pubkey: bytes) -> bool:
     """
     Verify a Falcon Signature following NIST standard
     Args:
         message (bytes): The message to sign.
-        signature (Tuple[bytes, bytes]): A tuple (r, s), where:
-            - r (bytes): The salt.
-            - s (bytes): The signature vector.
+        signature (666 bytes): The signature containing 40 bytes of salt and 626 bytes of compressed signature.
         pubkey (bytes): The Falcon public key.
     Returns:
         bool: True if the signature is valid, False otherwise.
@@ -100,14 +98,12 @@ def falcon512_verify(message: bytes, signature: Tuple[bytes, bytes], pubkey: byt
 ```
 
 ```python
-def ethfalcon512_verify(message: bytes, signature: Tuple[bytes, bytes], pubkey: bytes) -> bool:
+def ethfalcon512_verify(message: bytes, signature: bytes, pubkey: bytes) -> bool:
     """
     Verify a Falcon Signature (EVM-friendly mode)
     Args:
         message (bytes): The message to sign.
-        signature (Tuple[bytes, bytes]): A tuple (r, s), where:
-            - r (bytes): The salt.
-            - s (bytes): The signature vector.
+        signature (666 bytes): The signature containing 40 bytes of salt and 626 bytes of compressed signature.
         pubkey (bytes): The Falcon public key.
     Returns:
         bool: True if the signature is valid, False otherwise.
@@ -180,14 +176,14 @@ The hash-to-point function computes extendable Output from a hash Function (XOF)
 Using one of the XOFs above (SHAKE256 or Keccak-PRNG), it is possible to instantiate two (precompiles) algorithms for hashing into points:
 
 ```python
-def FALCON_HASH_TO_POINT_SHAKE256(message: bytes32, signature: Tuple[bytes, bytes]) -> bool:
+def FALCON_HASH_TO_POINT_SHAKE256(message: bytes32, signature: bytes) -> bool:
     """
     Compute the Hash To Point Falcon Challenge.
     Args:
         message (bytes32): The original message (hash).
-        signature (Tuple[bytes, bytes]): A tuple (r, s), where:
-            - r (bytes): The salt.
-            - s (bytes): The signature vector.
+        signature (666 bytes): containing:
+            - r (40 bytes): The salt.
+            - s (626 bytes): The compressed signature vector.
     Returns:
         c: The Hash To Point polynomial challenge as a vector.
     """
@@ -196,7 +192,7 @@ def FALCON_HASH_TO_POINT_SHAKE256(message: bytes32, signature: Tuple[bytes, byte
     q = 12289  # Falcon modulus
 
     # Step 1: Parse Input Data
-    r, s2_compressed = signature  # Extract salt and compressed signature vector
+    r, s2_compressed = signature[:40], signature[40:]  # Extract salt and compressed signature vector
 
     # Step 2: Verify Well-formedness
     if not is_valid_signature_format(s2_compressed, pubkey):
@@ -216,14 +212,14 @@ def FALCON_HASH_TO_POINT_SHAKE256(message: bytes32, signature: Tuple[bytes, byte
 ```
 
 ```python
-def FALCON_HASH_TO_POINT_KECCAKPRNG(message: bytes32, signature: Tuple[bytes, bytes]) -> bool:
+def FALCON_HASH_TO_POINT_KECCAKPRNG(message: bytes32, signature: bytes) -> bool:
     """
     Compute the Hash To Point Falcon Challenge using Keccak-PRNG.
     Args:
         message (bytes32): The original message (hash).
-        signature (Tuple[bytes, bytes]): A tuple (r, s), where:
-            - r (bytes): The salt.
-            - s (bytes): The signature vector.
+        signature (666 bytes): containing:
+            - r (40 bytes): The salt.
+            - s (626 bytes): The compressed signature vector.
     Returns:
         c: The Hash To Point polynomial challenge as a vector.
     """
@@ -232,7 +228,7 @@ def FALCON_HASH_TO_POINT_KECCAKPRNG(message: bytes32, signature: Tuple[bytes, by
     q = 12289  # Falcon modulus
 
     # Step 1: Parse Input Data
-    r, s2_compressed = signature  # Extract salt and compressed signature vector
+    r, s2_compressed = signature[:40], signature[40:]  # Extract salt and compressed signature vector
 
     # Step 2: Verify Well-formedness
     if not is_valid_signature_format(s2_compressed, pubkey):
@@ -251,11 +247,11 @@ def FALCON_HASH_TO_POINT_KECCAKPRNG(message: bytes32, signature: Tuple[bytes, by
     return c
 ```
 
-#### Encoding of the challenge polynomial `c` (897 bytes, normative)
+#### Encoding of the challenge polynomial `c` (896 bytes, normative)
 
 * Domain: degree-512 polynomial with coefficients in `[0, q)`, `q = 12289`.
 * Order: coefficients are serialized in index order `c[0], c[1], …, c[511]`.
-* Bit-packing: each coefficient is a 14-bit **big-endian** unsigned integer. Concatenate all 512 encodings into a bitstring, then left-pad the final byte with zero bits to reach exactly **897 bytes**. Consumers MUST reject encodings that are not exactly 897 bytes.
+* Bit-packing: each coefficient is a 14-bit **big-endian** unsigned integer. Concatenate all 512 encodings into a bitstring of exactly **896 bytes**. Consumers MUST reject encodings that are not exactly 896 bytes.
 
 ### Core algorithm
 
@@ -278,15 +274,15 @@ def FALCON_HASH_TO_POINT_KECCAKPRNG(message: bytes32, signature: Tuple[bytes, by
 The following code illustrates Falcon core algorithm:
 
 ```python
-def FALCON_CORE(signature: Tuple[bytes, bytes], h: bytes, challenge: bytes) -> bool:
+def FALCON_CORE(signature: bytes, h: bytes, challenge: bytes) -> bool:
     """
     Verify Falcon Core Algorithm
     Args:
-        signature (Tuple[bytes, bytes]): A tuple (r, s), where:
-            - r (bytes): The salt.
-            - s (bytes): The signature vector.
-            - h (bytes): The Falcon public key in the ntt domain, computed as h=ntt(pubkey) externally.
-            - challenge (bytes): The Falcon Hash To Point Challenge.
+        - signature (666 bytes): containing:
+            - r (40 bytes): The salt.
+            - s (626 bytes): The compressed signature vector.
+        - h (bytes): The Falcon public key in the ntt domain, computed as h=ntt(pubkey) externally.
+        - challenge (bytes): The Falcon Hash To Point Challenge.
     Returns:
         bool: True if the signature is valid, False otherwise.
     """
@@ -296,7 +292,7 @@ def FALCON_CORE(signature: Tuple[bytes, bytes], h: bytes, challenge: bytes) -> b
     ACCEPTANCE_BOUND = 34034726  # Falcon-512 acceptance bound
 
     # Step 1: Parse Input Data
-    r, s2_compressed = signature  # Extract salt and compressed signature vector
+    r, s2_compressed = signature[:40], signature[40:]  # Extract salt and compressed signature vector
 
     # Step 2: Verify Well-formedness
     if not is_valid_signature_format(s2_compressed, pubkey):
@@ -336,7 +332,7 @@ The following requirements MUST be checked by the precompiled contract to verify
 **Raw Input data**
 
 * Verify that the message is 32-bytes long,
-* Verify that the public key is 897-bytes long,
+* Verify that the public key is 896-bytes long,
 * Verify that the signature is 666-bytes long.
 
 **Parsed Input data**
@@ -358,12 +354,12 @@ The precompiled contracts are proposed with the following input and outputs, whi
 
 **Input**
 
-* 32 bytes: message hash `m`
-* 666 bytes: Falcon-512 compressed signature `(r || s2_compressed)`
+* 32 bytes: message hash `m`,
+* 666 bytes: salt `r` (40 bytes), Falcon-512 compressed signature `s2_compressed` (626 bytes) concatenated: `r || s2_compressed`.
 
 **Output**
 
-* 897 bytes: packed challenge polynomial `c` (see §3.1 encoding)
+* 896 bytes: packed challenge polynomial `c` (see §3.1 encoding)
 
 #### `FALCON_HASH_TO_POINT_KECCAKPRNG`
 
@@ -372,9 +368,9 @@ Same I/O as §4.1, but the XOF is Keccak-PRNG. The construction is normative and
 #### `FALCON_CORE`
 
 * **Input data**
-    * 666 bytes for Falcon-512 compressed signature
-    * 897 bytes for Falcon-512 public key
-    * 897 bytes for the Hash To Point Challenge
+    * 666 bytes for Falcon-512 signature
+    * 896 bytes for Falcon-512 public key
+    * 896 bytes for the Hash To Point Challenge
 * **Output data**:
     * If the core algorithm process succeeds, it returns 1 in 32 bytes format.
     * If the core algorithm process fails, it does not return any output data.
@@ -383,8 +379,9 @@ Same I/O as §4.1, but the XOF is Keccak-PRNG. The construction is normative and
 
 * Invalid input length (not compliant to described input)
 * Invalid field element encoding (≥ q)
-* Invalid norm  bound
-* Signature verification failure
+* Invalid signature decompression
+
+Note that a well-formed but invalid signature does not produce an error, but `FALCON_CORE` invalidates the signature (and it does not return any output data).
 
 #### Precompiled Contract Gas Usage
 
@@ -475,7 +472,7 @@ In the format of [EIP-7932](./eip-7932.md):
 
 ## Test Cases
 
-A set of test vectors for verifying implementations is located in a separate file (to be provided for each opcode). For the NIST compliant version, KATS are reproduced.
+A set of test vectors for verifying implementations is located in a separate file (to be provided for each opcode). For the NIST compliant version, KATs are reproduced for HashToPoint (with a provided salt `r`) as well as for the compressed signature vector s2 (with a provided `HashToPoint` input). Note that `s2` is not padded with zeroes, leading to a maximum size of 626 bytes.
 
 
 ## Reference Implementation