jedisct1 / libsodium

A modern, portable, easy to use crypto library.
https://libsodium.org

Feature request: SPHINCS #371

Closed buu700 closed 8 years ago

buu700 commented 8 years ago

https://sphincs.cr.yp.to

tl;dr: It's an experimental post-quantum signature scheme. Its notable property is that it's stateless (in contrast to other hash-based schemes such as Merkle's), thus allowing it to act as a drop-in replacement for more conventional schemes like RSA and ECDSA. Portable reference implementation by djb et al. is attached.

Related request: it'd be awesome to have this feature in libsodium.js.

sphincs256.ref.zip
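The stateless-versus-stateful distinction the tl;dr refers to, shown as an added example that is not part of this issue, the attached reference implementation or libsodium: a toy Lamport one-time signature over SHA-256 (the building block Merkle-style hash-based schemes are built from), wrapped in a signer that must persist a counter so that no one-time key ever signs twice. SPHINCS removes that counter by picking leaves of a very large tree from a secret-keyed hash of the message and tolerating occasional index collisions with few-time signatures; that is what makes it stateless and a drop-in replacement in the sense described above. The `StatefulSigner` class, the `exposed_positions` check and the package bytes are constructed for this example.

```python
import hashlib
import os
from typing import List, Tuple

# Toy Lamport one-time signature over SHA-256 (added example, not libsodium
# or SPHINCS code). A Lamport private key may sign exactly ONE message:
# signing publishes 256 of its 512 secret preimages, and signing a second
# message with a different digest would publish more. Managing that "use
# each key once" rule is the state that Merkle-style schemes must persist.

DIGEST_BITS = 256      # SHA-256 output length in bits
PREIMAGE_LEN = 32      # bytes of randomness per secret preimage

LamportSK = List[Tuple[bytes, bytes]]
LamportPK = List[Tuple[bytes, bytes]]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bit(digest: bytes, i: int) -> int:
    """Bit i (most significant first) of a 32-byte digest."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen() -> Tuple[LamportSK, LamportPK]:
    # Secret key: one random preimage pair per digest bit; public key: their hashes.
    sk = [(os.urandom(PREIMAGE_LEN), os.urandom(PREIMAGE_LEN)) for _ in range(DIGEST_BITS)]
    pk = [(_h(x0), _h(x1)) for x0, x1 in sk]
    return sk, pk


def lamport_sign(sk: LamportSK, message: bytes) -> List[bytes]:
    # Reveal, for each digest bit, the preimage selected by that bit.
    d = _h(message)
    return [sk[i][_digest_bit(d, i)] for i in range(DIGEST_BITS)]


def lamport_verify(pk: LamportPK, message: bytes, sig: List[bytes]) -> bool:
    if len(sig) != DIGEST_BITS:
        return False
    d = _h(message)
    return all(_h(sig[i]) == pk[i][_digest_bit(d, i)] for i in range(DIGEST_BITS))


class StatefulSigner:
    """A pool of one-time keys consumed in order (constructed for the example).
    next_index is the state a stateful hash-based scheme has to write to
    durable storage before each signature is released."""

    def __init__(self, leaves: int):
        self._keys = [lamport_keygen() for _ in range(leaves)]
        self.public_keys = [pk for _, pk in self._keys]
        self.next_index = 0

    def sign(self, message: bytes) -> Tuple[int, List[bytes]]:
        if self.next_index >= len(self._keys):
            raise RuntimeError("one-time key pool exhausted; refusing to reuse a key")
        idx = self.next_index
        self.next_index += 1  # must be persisted before the signature leaves the machine
        sk, _ = self._keys[idx]
        return idx, lamport_sign(sk, message)

    def verify(self, message: bytes, idx: int, sig: List[bytes]) -> bool:
        return 0 <= idx < len(self.public_keys) and lamport_verify(self.public_keys[idx], message, sig)


def exposed_positions(m1: bytes, m2: bytes) -> int:
    """Defender-side check: if one Lamport key signed both m1 and m2, every
    digest position where their bits differ now has both preimages public.
    0 means the second signature disclosed nothing beyond the first."""
    d1, d2 = _h(m1), _h(m2)
    return sum(_digest_bit(d1, i) != _digest_bit(d2, i) for i in range(DIGEST_BITS))


def demo() -> dict:
    signer = StatefulSigner(leaves=2)
    pkg = b"example-package-1.0.0.tar.gz contents (constructed)"
    idx, sig = signer.sign(pkg)
    results = {
        "valid": signer.verify(pkg, idx, sig),
        "tampered": signer.verify(pkg + b"x", idx, sig),
        "sig_bytes": sum(len(s) for s in sig),  # 256 preimages * 32 bytes
    }
    signer.sign(b"second package (constructed)")
    try:
        signer.sign(b"third package (constructed)")
        results["refused_third"] = False
    except RuntimeError:
        results["refused_third"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Even this single-leaf toy produces an 8 KB signature, which is why the 41 KB figure for a full SPHINCS-256 signature (a tree of such one-time and few-time structures plus authentication paths) is the expected cost of dropping the counter rather than an implementation quirk.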

burdges commented 8 years ago

You realize the signatures are 41KB, yes? Sphincs is largely for signing big long-lived things like software distribution packages, or maybe some contracts that persist for very long times. It won't help you against an eavesdropper equipped with a quantum computer, either one now, or one in the future looking back at your communications today.

buu700 commented 8 years ago

Yes, I'm aware of that.

buu700 commented 8 years ago

For clarification, if you're wondering about my intended use case, it is signing software distribution packages. Cyph has an in-browser code signing layer called WebSign that currently uses Ed25519. Post-quantum encrypted communication is already implemented using NTRU (+ Curve25519), but the threat model focuses solely on after-the-fact attacks against stored traffic logs since a real-time quantum attack could break Ed25519.

While adding SPHINCS on top of Ed25519 won't immediately make Cyph resistant to a real-time quantum attack (since the rest of the stack it depends on will still be vulnerable — browser updates, OS updates, etc.), I would rather have that piece in place sooner rather than later; plus it wouldn't hurt my cause to have SPHINCS maintained in a major library like libsodium, ready for eventual consumption by those other layers of the stack.

jedisct1 commented 8 years ago

Adding PQ algorithms now would be a bit premature.

SPHINCS is an excellent proposal, but from a practical perspective, it's still hardly a replacement for the current signature systems.

We're bound to see other stateless signing mechanisms soon. SPHINCS itself might be revisited, if only to allow pre-hashing and for the choice of the hash function.

Of course, PQ signing and key exchange systems will eventually be added. But don't jump the gun to include a temporary solution.

paragonie-scott commented 8 years ago

> Adding PQ algorithms now would be a bit premature.

Indeed. Although SPHINCS (or something derived from it) is a very likely candidate for signatures, we still don't know which public-key encryption algorithm we should use, and probably won't know for another 2 years.

burdges commented 8 years ago

We're not even completely sure what symmetric crypto we should be using: http://arxiv.org/abs/1602.05973

buu700 commented 8 years ago

Fair enough @jedisct1, that's probably the right decision (just figured I'd check before jumping straight to writing an asm.js wrapper myself).