Quantum-Safe Signatures - Example
In this example, we shall demonstrate the **[SPHINCS+ signature library](https://github.com/sphincs/sphincsplus). It implements hash-based signatures, which are designed to be quantum-safe. Note that the SPHINCS+ signatures are still experimental** (as of Nov 2018) and their security is not still indisputably proven, because they are relatively new and are still not well analysed by cryptographers.
We shall demonstrate the SPHINCS+ cryptosystem for hash-based digital signatures, more precisely two of its configurations:
SPHINCS+-128f – 64-byte private key, 32-byte public key, ~16.9KB signature, instant key generation, fast signing speed < 1 sec, instant verification, 128-bit security level
SPHINCS+-128s – 64-byte private key, 32-byte public key, ~ 8KB signature, instant key generation, slow signing speed ~ few secs, instant verification, 133-bit security level
To install the official SPHINCS+ signature library PySPX for Python, use the following command:
The pyspx
package may not compile in Windows (using the Visual C++ compiler), so Linux is recommended (or a Python virtual machine like PythonAnywhere or Repl.it).
Let's demonstrate the SPHINCS+ signature with the shake256_128f
parameter set (SPHINCS+, using SHAKE256-128 as hash function and in fast mode), using this Python example:
Run the above code example: https://repl.it/@nakov/SPHINCSplus-signature-in-Python.
The above code is fast: it runs for portion of the second. The output from it looks like this:
It is visible from the above output that for the shake256_128f
parameter set the SPHINCS+ public key is small (32 bytes), the private key is also small (64 bytes), but the signature is big (16976 bytes, ~16.9 KB, partially shown above). This makes SPHINCS+ signatures not an ideal solution for the post-quantum signatures. Additionally, the signature computation speed is sensibly slower than RSA and ECDSA.
Let's tweak the SPHINCS+ algorithm parameters to get shorter signature, using the shake256_128s
parameter set (SPHINCS+, using SHAKE256-128 as hash function and in slow mode). This smaller signature will cost many times more computing time for signing. Let's change the algorithm parameters like this (in fact the important change is at the first line only):
Run the above code example: https://repl.it/@nakov/SPHINCSplus-signature-smaller-size-in-Python.
The produced signature size now is smaller (~ 8KB, partially shown below), but the time to generate the signature is drastically increased (signing takes a few seconds, key generation and signature verification are still fast):
We may conclude that quantum-safe digital signature algorithms like SPHINCS+ signatures may replace ECDSA and EdDSA in the post-quantum computing era, but they still have one big disadvantage: large signatures. For some applications the signature size may not be a problem, but for others smaller signatures are critical.
Last updated