from Niels:
Another question: All other public key algorithms are in libhogweed, and depend on GMP bignum functions. But the motivation for the nettle/hogweed split was to avoid a runtime shared library dependency on GMP for applications that don't use any algorithms based on bignums. And therefore, it seems slh-dsa belongs in libnettle, not libhogweed. Do you agree?
Yes, I think that sounds reasonable.
from Simon:
Interesting - my perception is that SPHINCS+ verification is faster than Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your implementation get?
I used the reference sphincs+ implementation https://github.com/sphincs/sphincsplus/tree/master together with some patches from leancrypto to make it conform to the NIST standard. I haven't done any benchmarks on my patch, but there are benchmarking tests in the reference implementation. https://github.com/sphincs/sphincsplus/blob/master/ref/test/benchmark.c
On Fri, Feb 21, 2025 at 11:06 AM Simon Josefsson simon@josefsson.org wrote:
Niels Möller nisse-SamgB31n2u5IcsJQ0EH25Q@public.gmane.org writes:
- I think first there should be at least one fast and short option available.
Makes sense, I'm working on adding slh-dsa-shake-128f.
Having 256-bit options would be nice, as a conservative long-term signature algorithm choice, any chance you could add those?
The SHA2 alternatives would be nice too, some environments have better performance for SHA2 than SHAKE.
$ ./examples/hogweed-benchmark slh-dsa-shake
name             size   sign/s  verify/s
slh-dsa-shake-s   128     0.76    992.98
slh-dsa-shake-f   128    20.19    337.95

$ ./examples/hogweed-benchmark eddsa
name             size   sign/s  verify/s
eddsa             255  24990.3    6626.5
eddsa             448   6645.6    1797.3
So for verify operations (consider signed firmware updates in some embedded system expected to operate for decades), it's only about one order of magnitude slower than classic signatures.
Interesting - my perception is that SPHINCS+ verification is faster than Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your implementation get?
/Simon
[1] https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphi...
_______________________________________________
nettle-bugs mailing list -- nettle-bugs@lists.lysator.liu.se
To unsubscribe send an email to nettle-bugs-leave@lists.lysator.liu.se