Niels Möller nisse-SamgB31n2u5IcsJQ0EH25Q@public.gmane.org writes:
- I think first there should be at least one fast and short option
available.
Makes sense, I'm working on adding slh-dsa-shake-128f.
Having 256-bit options would be nice, as a conservative long-term signature algorithm choice, any chance you could add those?
The SHA2 alternatives would be nice too, some environments have better performance for SHA2 than SHAKE.
$ ./examples/hogweed-benchmark slh-dsa-shake name size sign/s verify/s slh-dsa-shake-s 128 0.76 992.98 slh-dsa-shake-f 128 20.19 337.95
$ ./examples/hogweed-benchmark eddsa name size sign/s verify/s eddsa 255 24990.3 6626.5 eddsa 448 6645.6 1797.3
So for verify operations (consider signed firmware updates in some embedded system expected to operate for decades), it's only about one order of magnitude slower than classic signatures.
Interesting - my perception is that SPHINCS+ verification is faster than Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your implementation get?
/Simon
[1] https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphi...