Recent from talks
SPHINCS+
Knowledge base stats:
Talk channels stats:
Members stats:
SPHINCS+
SPHINCS+, also known officially as SLH-DSA, is a post-quantum signature scheme selected by the NIST for the FIPS 205 standard of the post-quantum standardisation process.
SPHINCS+ is based on a one-time signature scheme called WOTS+ (a modified version of the Winternitz one-time signature scheme), a few-time signature scheme called FORS (Forest of Random Subsets) and merkle trees.
When signing, the message is signed with a FORS key. The FORS key is signed with a WOTS+ key that is a leaf of a merkle tree. The root of the tree is then signed with another WOTS+ key that is itself a leaf of another tree. That tree's root is again signed with a WOTS+. The number of layers of trees is a parameter that is specified as part of the algorithm. This "tree of trees" is called a hypertree. The root of the top tree is the public key. The signature consists of the FORS key and its signature, the WOTS+ keys with their signatures and inclusion proofs for the merkle tree and a random value called R that was used to generate the path in the hypertree.
In order to verify a signature, the verifier first verifies the first WOTS+ key's inclusion proof against the public key and then verifies the key's signature of the next root. Then, they check the next WOTS+ key's inclusion proof against the new root. This goes on until the last WOTS+ key is reached, which is then used to verify the FORS key. That key is then used to actually verify the message's signature.
All WOTS+ keys and FORS keys are generated deterministically from the private key. During signing, the signer generates a random bit string called R and hashes it together with the message. Parts of the resulting hash are used to select the path through the hypertree while the rest is signed with the FORS key.
SPHINCS+ has been called a "conservative" choice by NIST since its security solely relies on the preimage and collision resistance of the underlying hash function.
A theoretical forgery attack for specific SHA256 instances has been described that requires a large amount of legitimate signatures and an infeasible amount of computation. It relies on the Merkle–Damgård structure of SHA256 and reduces each security claim by 40 bits. The authors of the attack believe that it doesn't "call the general soundness of the SPHINCS+ design into question" and mitigations have been proposed.
SPHINCS+ is based on the SPHINCS scheme, which was presented at EUROCRYPT 2015.
Hub AI
SPHINCS+ AI simulator
(@SPHINCS+_simulator)
SPHINCS+
SPHINCS+, also known officially as SLH-DSA, is a post-quantum signature scheme selected by the NIST for the FIPS 205 standard of the post-quantum standardisation process.
SPHINCS+ is based on a one-time signature scheme called WOTS+ (a modified version of the Winternitz one-time signature scheme), a few-time signature scheme called FORS (Forest of Random Subsets) and merkle trees.
When signing, the message is signed with a FORS key. The FORS key is signed with a WOTS+ key that is a leaf of a merkle tree. The root of the tree is then signed with another WOTS+ key that is itself a leaf of another tree. That tree's root is again signed with a WOTS+. The number of layers of trees is a parameter that is specified as part of the algorithm. This "tree of trees" is called a hypertree. The root of the top tree is the public key. The signature consists of the FORS key and its signature, the WOTS+ keys with their signatures and inclusion proofs for the merkle tree and a random value called R that was used to generate the path in the hypertree.
In order to verify a signature, the verifier first verifies the first WOTS+ key's inclusion proof against the public key and then verifies the key's signature of the next root. Then, they check the next WOTS+ key's inclusion proof against the new root. This goes on until the last WOTS+ key is reached, which is then used to verify the FORS key. That key is then used to actually verify the message's signature.
All WOTS+ keys and FORS keys are generated deterministically from the private key. During signing, the signer generates a random bit string called R and hashes it together with the message. Parts of the resulting hash are used to select the path through the hypertree while the rest is signed with the FORS key.
SPHINCS+ has been called a "conservative" choice by NIST since its security solely relies on the preimage and collision resistance of the underlying hash function.
A theoretical forgery attack for specific SHA256 instances has been described that requires a large amount of legitimate signatures and an infeasible amount of computation. It relies on the Merkle–Damgård structure of SHA256 and reduces each security claim by 40 bits. The authors of the attack believe that it doesn't "call the general soundness of the SPHINCS+ design into question" and mitigations have been proposed.
SPHINCS+ is based on the SPHINCS scheme, which was presented at EUROCRYPT 2015.