SPHINCS+C: Compressing SPHINCS+ With (Almost) No Cost

Mikhail Kudinov; Andreas Hülsing; Eyal Ronen; Eylon Yogev

Paper 2022/778

SPHINCS+C: Compressing SPHINCS+ With (Almost) No Cost

Mikhail Kudinov

, Eindhoven University of Technology

Andreas Hülsing

, Eindhoven University of Technology

Eyal Ronen

, Tel Aviv University

Eylon Yogev

, Bar-Ilan University

Abstract

SPHINCS+~[CCS '19] is one of the selected post-quantum digital signature schemes of NIST's post-quantum standardization process. The scheme is a hash-based signature and is considered one of the most secure and robust proposals. The proposal includes a fast (but large) variant and a small (but costly) variant for each security level. The main problem that might hinder its adoption is its large signature size. Although SPHINCS+ supports a trade-off between signature size and the computational cost of signing, further reducing the signature size (below the small variants) results in a prohibitively high computational cost for the signer. This paper presents several novel methods for further compressing the signature size while requiring negligible added computational costs for the signer and further reducing verification time. Moreover, our approach enables a much more efficient trade-off curve between signature size and the computational costs of the signer. In many parameter settings, we achieve small signatures and faster running times simultaneously. For example, for $128$-bit security, the small signature variant of SPHINCS+ is $7856$ bytes long, while our variant is only $6304$ bytes long: a compression of approximately $20$% while still reducing the signer's running time. However, other trade-offs that focus, e.g., on verification speed, are possible. The main insight behind our scheme is that there are predefined specific subsets of messages for which the WOTS+ and FORS signatures (that SPHINCS+ uses) can be compressed, and generation can be made faster while maintaining the same security guarantees. Although most messages will not come from these subsets, we can search for suitable hashed values to sign. We sign a hash of the message concatenated with a counter that was chosen such that the hashed value is in the subset. The resulting signature is both smaller and faster to sign and verify. Our schemes are simple to describe and implement. We provide an implementation, a theoretical analysis of speed and security, as well as benchmark results.

Metadata

Available format(s): PDF
Category: Public-key cryptography
Publication info: Preprint.
Keywords: hash based signatures post-quantum security
Contact author(s): m kudinov @ tue nl
andreas @ huelsing net
eyal ronen @ cs tau ac il
eylon yogev @ biu ac il
History: 2022-09-14: revised; 2022-06-16: received; See all versions
Short URL: https://ia.cr/2022/778
License: CC BY-SA

BibTeX

@misc{cryptoeprint:2022/778,
      author = {Mikhail Kudinov and Andreas Hülsing and Eyal Ronen and Eylon Yogev},
      title = {SPHINCS+C: Compressing SPHINCS+ With (Almost) No Cost},
      howpublished = {Cryptology ePrint Archive, Paper 2022/778},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/778}},
      url = {https://eprint.iacr.org/2022/778}
}