SPHINCS+

SPHINCS+
General
DesignersJean-Philippe Aumasson, Daniel J. Bernstein, Ward Beullens, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Andreas Hülsing, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, Bas Westerbaan
First publishedNovember 30, 2017; 7 years ago (2017-11-30)
Derived fromSPHINCS
Detail
Security claims264 signatures before the work needed to forge a signature is less than the required security level
StructureHash-based cryptography

SPHINCS+, also known officially as SLH-DSA,[1] is a post-quantum signature scheme selected by the NIST for the FIPS 205 standard of the post-quantum standardisation process.

Design

SPHINCS+ is based on a one-time signature scheme called WOTS+ (a modified version of the Winternitz one-time signature scheme), a few-time signature scheme called FORS (Forest of Random Subsets) and merkle trees.[2]

When signing, the message is signed with a FORS key. The FORS key is signed with a WOTS+ key that is a leaf of a merkle tree. The root of the tree is then signed with another WOTS+ key that is itself a leaf of another tree. That tree's root is again signed with a WOTS+. The number of layers of trees is a parameter that is specified as part of the algorithm. This "tree of trees" is called a hypertree. The root of the top tree is the public key. The signature consists of the FORS key and its signature, the WOTS+ keys with their signatures and inclusion proofs for the merkle tree and a random value called R that was used to generate the path in the hypertree.[2]

In order to verify a signature, the verifier first verifies the first WOTS+ key's inclusion proof against the public key and then verifies the key's signature of the next root. Then, they check the next WOTS+ key's inclusion proof against the new root. This goes on until the last WOTS+ key is reached, which is then used to verify the FORS key. That key is then used to actually verify the message's signature.[2]

All WOTS+ keys and FORS keys are generated deterministically from the private key. During signing, the signer generates a random bit string called R and hashes it together with the message. Parts of the resulting hash are used to select the path through the hypertree while the rest is signed with the FORS key.[2]

Security

SPHINCS+ has been called a "conservative" choice by NIST since its security solely relies on the preimage and collision resistance of the underlying hash function.[3][4]

History

SPHINCS+ is based on the SPHINCS scheme, which was presented at EUROCRYPT 2015.[5]

SPHINCS features a larger 1kb public and private key size and a 41kb signature size.[5]

SPHINCS+ was first released in 2017[6] since SPHINCS suffers from a vulnerability called "multi-target attacks in hash-based signatures", which was addressed by a 2016 paper. Furthermore, it doesn't have verifiable index selection (the path through the trees), which enables another kind of multi-target attack. SPHINCS+ was designed to address all these issues and also decrease the key and signature sizes using tree-less WOTS+ key compression, the addition of the R parameter during signing and the replacement of the few-time signature scheme with FORS.[7][8]

SPHINCS+ was standardized as SLH-DSA by NIST in August 2024 in the FIPS 205 standard,[1] making it one of the two NIST standardized post-quantum signature schemes with the other one being ML-DSA.[9][10][11]

Instances

SLH-DSA specifies the following instances based on the hash function SHA256 or SHAKE256), the type (f for faster signing time and s for shorter signature) and security level (e.g. 128 means that forging signatures is as hard as breaking AES-128):[1][12]

Name Security level Type Hash function Public key size Private key size Signature size
SPHINCS+-SHA2-128s 1[a] small SHA256 32 64 7856
SPHINCS+-SHAKE-128s SHAKE256
SPHINCS+-SHA2-128f fast SHA256 17088
SPHINCS+-SHAKE-128f SHAKE256
SPHINCS+-SHA2-192s 3[b] small SHA256 48 96 16224
SPHINCS+-SHAKE-192s SHAKE256
SPHINCS+-SHA2-192f fast SHA256 35664
SPHINCS+-SHAKE-192f SHAKE256
SPHINCS+-SHA2-256s 5[c] small SHA256 64 128 29792
SPHINCS+-SHAKE-256s SHAKE256
SPHINCS+-SHA2-256f fast SHA256 49856
SPHINCS+-SHAKE-256f SHAKE256

Implementations

References

  1. ^ Signature forgery should be as hard as a successful key search on AES-128 or a SHA256 collision
  2. ^ Signature forgery should be as hard as a successful key search on AES-192 or a SHA384 collision
  3. ^ Signature forgery should be as hard as a successful key search on AES-256
  1. ^ a b c Stateless hash-based digital signature standard (Report). Washington, D.C.: National Institute of Standards and Technology (U.S.). August 13, 2024. doi:10.6028/nist.fips.205.
  2. ^ a b c d "Breaking Category Five SPHINCS+ with SHA-256". Retrieved May 12, 2025.
  3. ^ "Recovering the tight security proof of SPHINCS+" (PDF). Retrieved June 29, 2025.
  4. ^ "A Tight Security Proof for SPHINCS+, Formally Verified". PQShield. January 30, 2025. Retrieved June 30, 2025.
  5. ^ a b "SPHINCS: Introduction". SPHINCS. July 18, 2013. Retrieved June 29, 2025.
  6. ^ "SPHINCS+ Submission to the NIST post-quantum project" (PDF). Retrieved June 29, 2025.
  7. ^ "SPHINCS+ – The smaller SPHINCS". Andreas Hülsing. December 4, 2017. Retrieved June 29, 2025.
  8. ^ "Mitigating Multi-Target Attacks in Hash-based Signatures" (PDF). Retrieved June 29, 2025.
  9. ^ Valenta, Luke; Gonçalves, Vânia; Westerbaan, Bas; Rosenberg, Michael; Kipp, Kevin; Dincer, Renan; Araya, Felipe Astroza; Galicer, Mari; Meunier, Thibault (August 20, 2024). "NIST's first post-quantum standards". The Cloudflare Blog. Retrieved June 29, 2025.
  10. ^ "SPHINCS+". Open Quantum Safe. June 10, 2022. Retrieved June 29, 2025.
  11. ^ Boutin, Chad (August 13, 2024). "NIST Releases First 3 Finalized Post-Quantum Encryption Standards". NIST. Retrieved June 29, 2025.
  12. ^ "Security (Evaluation Criteria)". CSRC. January 3, 2017. Retrieved June 29, 2025.
  13. ^ "randombit/botan: Cryptography Toolkit". GitHub. March 6, 2013. Retrieved June 29, 2025.
  14. ^ "PQC and Lightweight Cryptography Updates". Bouncycastle. January 24, 2025. Retrieved June 29, 2025.
  15. ^ Hess, Tjaden (August 15, 2024). "We wrote the code, and the code won". The Trail of Bits Blog. Retrieved June 29, 2025.
  16. ^ "open-quantum-safe/liboqs: C library for prototyping and experimenting with quantum-resistant cryptography". GitHub. August 12, 2016. Retrieved June 29, 2025.
Index: pl ar de en es fr it arz nl ja pt ceb sv uk vi war zh ru af ast az bg zh-min-nan bn be ca cs cy da et el eo eu fa gl ko hi hr id he ka la lv lt hu mk ms min no nn ce uz kk ro simple sk sl sr sh fi ta tt th tg azb tr ur zh-yue hy my ace als am an hyw ban bjn map-bms ba be-tarask bcl bpy bar bs br cv nv eml hif fo fy ga gd gu hak ha hsb io ig ilo ia ie os is jv kn ht ku ckb ky mrj lb lij li lmo mai mg ml zh-classical mr xmf mzn cdo mn nap new ne frr oc mhr or as pa pnb ps pms nds crh qu sa sah sco sq scn si sd szl su sw tl shn te bug vec vo wa wuu yi yo diq bat-smg zu lad kbd ang smn ab roa-rup frp arc gn av ay bh bi bo bxr cbk-zam co za dag ary se pdc dv dsb myv ext fur gv gag inh ki glk gan guw xal haw rw kbp pam csb kw km kv koi kg gom ks gcr lo lbe ltg lez nia ln jbo lg mt mi tw mwl mdf mnw nqo fj nah na nds-nl nrm nov om pi pag pap pfl pcd krc kaa ksh rm rue sm sat sc trv stq nso sn cu so srn kab roa-tara tet tpi to chr tum tk tyv udm ug vep fiu-vro vls wo xh zea ty ak bm ch ny ee ff got iu ik kl mad cr pih ami pwn pnt dz rmy rn sg st tn ss ti din chy ts kcg ve
Prefix: a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9

Portal di Ensiklopedia Dunia

Portal : Agama
Agama
Portal : Bahasa
Bahasa
Portal : Biografi
Biografi
Portal : Budaya
Budaya
Portal : Ekonomi
Ekonomi
Portal : Elektronika
Elektronika
Portal : Film
Film
Portal : Filsafat
Filsafat
Portal : Geografi
Geografi
Portal : Indonesia
Indonesia
Portal : Ilmu
Ilmu
Portal : Lingkungan
Lingkungan
Portal : Masyarakat
Masyarakat
Portal : Matematika
Matematika
Portal : Militer
Militer
Portal : Mitologi
Mitologi
Portal : Musik
Musik
Portal : Olahraga
Olahraga
Portal : Pendidikan
Pendidikan
Portal : Politik
Politik
Portal : Sastra
Sastra
Portal : Sejarah
Sejarah
Portal : Seni
Seni
Portal : Teknologi
Teknologi

Kembali kehalaman sebelumnya