Niels Möller nisse@lysator.liu.se writes:
An update: I've now added support for slh-dsa-shake-128s and slh-dsa-shake-128f to the master branch. I think I'll look at sha2-variants next, I'm also curious about their performance.
I now have a work in progress implementation, and on this machine with sha_ni instructions, it appears to be considerably faster than sha3/shake:
name size sign/s verify/s slh-dsa-shake-s 128 0.80 1073.93 slh-dsa-shake-f 128 21.76 365.65 slh-dsa-sha2-s 128 6.31 7507.65
But there are still some bugs, and it would be help a lot both for actual debugging and for confidence, to have authoritative test vectors.
There are none in the spec, none (for the sha2 flavors) in https://github.com/smuellerDD/leancrypto/tree/master/slh-dsa/tests, and I'm having some difficulty locating test vectors elsewhere. (I also checked Zoltan's patch that started this development, but that was also shake only).
I think I can find some test vectors at http://sphincs.org/resources.html, but unclear if that would apply to the NIST version (which differs in some details). Do any of you know where to find test vectors for the NIST version of SLH-DSA-SHA2-*?
Regards, /Niels