Closed buu700 closed 8 years ago
You realize the signatures are 41KB, yes? Sphincs is largely for signing big long-lived things like software distribution packages, or maybe some contracts that persist for very long times. It won't help you against an eavesdropper equipped with a quantum computer, either one now, or one in the future looking back at your communications today.
Yes, I'm aware of that.
For clarification, if you're wondering about my intended use case, it is signing software distribution packages. Cyph has an in-browser code signing layer called WebSign that currently uses Ed25519. Post-quantum encrypted communication is already implemented using NTRU (+ Curve25519), but the threat model focuses solely on after-the-fact attacks against stored traffic logs since a real-time quantum attack could break Ed25519.
While adding SPHINCS on top of Ed25519 won't immediately make Cyph resistant to a real-time quantum attack (since the rest of the stack it depends on will still be vulnerable — browser updates, OS updates, etc.), I would rather have that piece in place sooner rather than later; plus it wouldn't hurt my cause to have SPHINCS maintained in a major library like libsodium, ready for eventual consumption by those other layers of the stack.
Adding PQ algorithms now would be a bit premature.
SPHINCS is an excellent proposal, but from a practical perspective, it's still hardly a replacement for the current signature systems.
We're bound to see other stateless signing mechanisms soon. SPHINCS itself might be revisited, if only to allow pre-hashing and for the choice of the hash function.
Of course, PQ signing and key exchange systems will eventually be added. But don't jump the gun to include a temporary solution.
> Adding PQ algorithms now would be a bit premature.
Indeed. Although SPHINCS (or something derived from it) is a very likely candidate for signatures, we still don't know which public-key encryption algorithm we should use, and probably won't know for another 2 years.
We're not even completely sure what symmetric crypto we should be using: http://arxiv.org/abs/1602.05973
Fair enough @jedisct1, that's probably the right decision (just figured I'd check before jumping straight to writing an asm.js wrapper myself).
https://sphincs.cr.yp.to
tl;dr: It's an experimental post-quantum signature scheme. Its notable property is that it's stateless (in contrast to other hash-based schemes such as Merkle's), thus allowing it to act as a drop-in replacement for more conventional schemes like RSA and ECDSA. Portable reference implementation by djb et al. is attached.
Related request: it'd be awesome to have this feature in libsodium.js.
sphincs256.ref.zip
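The property the tl;dr above singles out, that SPHINCS is stateless while Merkle-style hash-based schemes are not, is easiest to appreciate by watching a stateful scheme fail. The following is an added example, written for this page and not code from the SPHINCS reference implementation, libsodium, or Cyph. It implements a Lamport one-time signature over SHA-256, guards the key with a `used` flag (the state a stateful scheme must track), then shows the realistic way that state gets lost: the key is restored from a snapshot taken before the first signature and signs a second time. With two signatures under one key an attacker holds both secrets at every digest position where the two digests differ, and can assemble a valid signature on a message of their own choosing. The digest is truncated to 16 bits (a toy parameter, assumed here only so the search finishes in seconds); message texts, the `LamportKey`, `verify`, `forge` and `demo` names are all constructed for the demo.

```python
"""Lamport one-time signatures and what goes wrong when their state is lost.

Added example, not code from SPHINCS, libsodium or Cyph. The 16-bit digest is a
toy parameter chosen so the forgery search is fast; a real instance uses all
256 bits, where key reuse leaks the same way but the attacker must find a
message whose digest matches the ~128 pinned bits.
"""
import copy
import hashlib
import secrets


def digest_bits(msg: bytes, nbits: int) -> int:
    """SHA-256 of msg truncated to its top nbits, as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - nbits)


def bit(h: int, i: int, nbits: int) -> int:
    """Bit i of an nbits-wide digest, counting from the most significant bit."""
    return (h >> (nbits - 1 - i)) & 1


class LamportKey:
    """One-time key: two 32-byte secrets per digest position; pk = their hashes."""

    def __init__(self, nbits: int = 16):
        self.nbits = nbits
        self.sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(nbits)]
        self.pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in self.sk]
        self.used = False  # the state a stateful hash-based scheme must never lose

    def sign(self, msg: bytes) -> list:
        if self.used:
            raise RuntimeError("one-time key already used; signing again leaks it")
        self.used = True
        h = digest_bits(msg, self.nbits)
        # Reveal, at every position, the secret selected by that digest bit.
        return [self.sk[i][bit(h, i, self.nbits)] for i in range(self.nbits)]


def verify(pk: list, nbits: int, msg: bytes, sig: list) -> bool:
    h = digest_bits(msg, nbits)
    return len(sig) == nbits and all(
        hashlib.sha256(sig[i]).digest() == pk[i][bit(h, i, nbits)] for i in range(nbits)
    )


def forge(nbits: int, m1: bytes, s1: list, m2: bytes, s2: list,
          prefix: bytes, max_tries: int = 1 << 20):
    """Attacker holding two signatures under one key and no private key.

    Positions where the two digests differ have both secrets revealed; the
    remaining positions are pinned to the bit in m1's digest. Search for
    prefix+counter whose digest agrees on the pinned bits, then assemble its
    signature entirely from leaked secrets."""
    h1, h2 = digest_bits(m1, nbits), digest_bits(m2, nbits)
    pinned = ~(h1 ^ h2) & ((1 << nbits) - 1)
    leaked = {}
    for i in range(nbits):
        leaked[(i, bit(h1, i, nbits))] = s1[i]
        leaked[(i, bit(h2, i, nbits))] = s2[i]
    for n in range(max_tries):
        msg = prefix + str(n).encode()
        h = digest_bits(msg, nbits)
        if ((h ^ h1) & pinned) == 0:
            return msg, [leaked[(i, bit(h, i, nbits))] for i in range(nbits)]
    return None


def demo(nbits: int = 16) -> dict:
    """Signer does everything right except that the key's state is lost."""
    key = LamportKey(nbits)
    snapshot = copy.deepcopy(key)  # e.g. a VM snapshot or backup taken before signing
    m1, m2 = b"transfer 10 to alice", b"transfer 5 to bob"  # constructed sample messages
    s1 = key.sign(m1)
    try:  # the live key correctly refuses a second signature
        key.sign(m2)
        refused = False
    except RuntimeError:
        refused = True
    s2 = snapshot.sign(m2)  # the restored copy has no idea s1 was ever produced
    forged = forge(nbits, m1, s1, m2, s2, b"transfer 1000 to mallory #")
    assert forged is not None, "search budget exhausted (vanishingly unlikely at 16 bits)"
    forged_msg, forged_sig = forged
    return {
        "second_sign_refused": refused,
        "legit_ok": verify(key.pk, nbits, m1, s1),
        "forged_msg": forged_msg,
        "forged_ok": verify(key.pk, nbits, forged_msg, forged_sig),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `forged_ok` comes back `True` for a message the key holder never signed. The `used` flag is exactly the kind of state a Merkle-tree scheme has to persist across restarts, backups and HA failover, and the snapshot line is how it gets lost in practice; a stateless scheme like SPHINCS has no such flag to lose, which is why it can stand in for RSA or ECDSA without new operational rules.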