SPHINCS+

SPHINCS+ is a “stateless hash-based signature scheme” based on the SPHINCS signature scheme [BHH+14]. Andreas Hülsing has a blog post that goes over the changes made to SPHINCS.

The latest version of the specification document at the time of writing can be found here. Other resources are listed in the Resources section of the SPHINCS+ website.

SPHINCS+ is a stateless hash-based signature scheme, which means that it doesn’t require the signer to keep a state, unlike stateful schemes such as XMSS [BDH11]. The disadvantage of stateful schemes is that reusing a one-time key pair (for example after restoring a key from backup) may be catastrophic [GBH18].

The specification provides the following overview: “At a high level, SPHINCS+ works like SPHINCS. The basic idea is to authenticate a huge number of few-time signature (FTS) key pairs using a so-called hypertree. FTS schemes are signature schemes that allow a key pair to produce a small number of signatures, e.g., in the order of ten for our parameter sets. For each new message, a (pseudo)random FTS key pair is chosen to sign the message. The signature consists then of the FTS signature and the authentication information for that FTS key pair. The authentication information is roughly a hypertree signature, i.e. a signature using a certification tree of Merkle tree signatures.”.
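The “authentication information” in the overview above is, for each layer of the hypertree, a Merkle authentication path. The following is an added example (not code from the SPHINCS+ specification or the reference implementation) of one such layer: it hashes 16 constructed leaf values standing in for the public keys that the layer authenticates, extracts the authentication path of one leaf, and recomputes the root from it the way a verifier would. Plain SHA-256 over concatenated children is used only for illustration; SPHINCS+ instead uses tweakable hash functions keyed with a public seed and an address, which this toy omits.

```python
import hashlib
from typing import List

# Added example: a toy Merkle tree showing the authentication path that a
# hypertree layer provides for one leaf. This is NOT SPHINCS+ code: the real
# scheme uses tweakable hashes keyed by PK.seed and an address, and its leaves
# are WOTS+ public keys (or FORS roots at the bottom layer).

def H(left: bytes, right: bytes) -> bytes:
    """Node hash: SHA-256 over the two children (plain concatenation, toy only)."""
    return hashlib.sha256(left + right).digest()

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree; level 0 is the leaves, the last level is [root].

    The number of leaves must be a power of two (2**height), as in a hypertree layer.
    """
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("leaf count must be a power of two")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling nodes from the leaf up to (but excluding) the root: one per tree level."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling of the current node
        index >>= 1                     # move to the parent's index
    return path

def root_from_path(leaf: bytes, index: int, path: List[bytes]) -> bytes:
    """Verifier side: rebuild the root from a leaf, its index and its auth path."""
    node = leaf
    for sibling in path:
        node = H(sibling, node) if index & 1 else H(node, sibling)
        index >>= 1
    return node

def verify(root: bytes, leaf: bytes, index: int, path: List[bytes]) -> bool:
    return root_from_path(leaf, index, path) == root

# Constructed sample: one layer of height 4 (16 leaves). In SPHINCS+ each of the
# d layers has height h/d, e.g. 63/7 = 9 for SPHINCS+-128s.
HEIGHT = 4
LEAVES = [hashlib.sha256(b"toy-leaf-%d" % i).digest() for i in range(2 ** HEIGHT)]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]

def demo(index: int = 5) -> dict:
    """Signer side: pick leaf `index` and emit its auth path; verifier side: recompute the root."""
    path = auth_path(LEVELS, index)
    tampered = bytes([LEAVES[index][0] ^ 1]) + LEAVES[index][1:]
    return {
        "path_len": len(path),                                   # == HEIGHT
        "ok": verify(ROOT, LEAVES[index], index, path),          # honest leaf verifies
        "tampered_leaf_ok": verify(ROOT, tampered, index, path), # one flipped bit fails
        "wrong_index_ok": verify(ROOT, LEAVES[index], index ^ 1, path),
    }

if __name__ == "__main__":
    print(demo())
```

The path has exactly one node per level, so the authentication cost of a leaf grows with the tree height rather than with the number of leaves; that is why SPHINCS+ can authenticate 2^h few-time key pairs while transmitting only h sibling nodes spread over d layers.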

Parameters

There are three different signature schemes, depending on the hash function used to instantiate the SPHINCS+ construction:

  • SPHINCS+-SHAKE256

  • SPHINCS+-SHA-256

  • SPHINCS+-Haraka

Haraka is a cryptographic hash function that aims to be efficient on short inputs [KLMR16]. While Haraka is not a hash function approved by the NIST, the authors included this scheme to showcase the performance of SPHINCS+ instantiated with a dedicated short-input hash function.

Each of these schemes was split into two variants during the second round of the submission: a simple and a robust variant. The robust variant is the one introduced in the first-round submission, while the simple variant “introduces instantiations of the tweakable hash functions similar to those of the LMS proposal [MCF19] for stateful hash-based signatures”.

SPHINCS+ parameters

| Parameter | Description |
| --- | --- |
| \(n\) | The security parameter in bytes. |
| \(w\) | The Winternitz parameter. |
| \(h\) | The height of the hypertree. |
| \(d\) | The number of layers in the hypertree. |
| \(k\) | The number of trees in FORS. |
| \(t\) | The number of leaves of a FORS tree. |

SPHINCS+ parameter sets

| Parameter set | \(n\) | \(h\) | \(d\) | \(\log(t)\) | \(k\) | \(w\) | Bit security | NIST security level |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SPHINCS+-128s | 16 | 63 | 7 | 12 | 14 | 16 | 133 | 1 |
| SPHINCS+-128f | 16 | 66 | 22 | 6 | 33 | 16 | 128 | 1 |
| SPHINCS+-192s | 24 | 63 | 7 | 14 | 17 | 16 | 193 | 3 |
| SPHINCS+-192f | 24 | 66 | 22 | 8 | 33 | 16 | 194 | 3 |
| SPHINCS+-256s | 32 | 64 | 8 | 14 | 22 | 16 | 255 | 5 |
| SPHINCS+-256f | 32 | 68 | 17 | 9 | 35 | 16 | 255 | 5 |

SPHINCS+ parameter sizes

| Parameter set | Public key (bytes) | Private key (bytes) | Signature (bytes) |
| --- | --- | --- | --- |
| SPHINCS+-128s | 32 | 64 | 7856 |
| SPHINCS+-128f | 32 | 64 | 17088 |
| SPHINCS+-192s | 48 | 96 | 16224 |
| SPHINCS+-192f | 48 | 96 | 35664 |
| SPHINCS+-256s | 64 | 128 | 29792 |
| SPHINCS+-256f | 64 | 128 | 49856 |
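As an added example (not code from the specification or the reference implementation), the script below derives the key and signature sizes in the table above from the parameter sets in the previous table, using the SPHINCS+ layout: the public key is PK.seed and PK.root (2n bytes); the private key adds SK.seed and SK.prf (4n bytes); a signature is the n-byte randomizer R, the FORS signature (k trees, each contributing one secret value plus an authentication path of log(t) nodes), and, for each of the d layers, one WOTS+ signature of len chains plus that layer's authentication path (h nodes over all layers). The chain count len = len1 + len2 is computed as in the specification. Running it reproduces every entry of the sizes table.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added example: derive SPHINCS+ key and signature sizes from the parameter sets
# listed on this page. Not the specification's or reference implementation's code.

@dataclass(frozen=True)
class ParamSet:
    n: int       # security parameter in bytes
    h: int       # hypertree height
    d: int       # hypertree layers (each layer tree has height h/d)
    log_t: int   # log2 of the number of leaves per FORS tree
    k: int       # number of FORS trees
    w: int       # Winternitz parameter

# Values copied from the "SPHINCS+ parameter sets" table: n, h, d, log(t), k, w.
PARAM_SETS: Dict[str, ParamSet] = {
    "SPHINCS+-128s": ParamSet(16, 63, 7, 12, 14, 16),
    "SPHINCS+-128f": ParamSet(16, 66, 22, 6, 33, 16),
    "SPHINCS+-192s": ParamSet(24, 63, 7, 14, 17, 16),
    "SPHINCS+-192f": ParamSet(24, 66, 22, 8, 33, 16),
    "SPHINCS+-256s": ParamSet(32, 64, 8, 14, 22, 16),
    "SPHINCS+-256f": ParamSet(32, 68, 17, 9, 35, 16),
}

def wots_len(n: int, w: int) -> int:
    """Number of WOTS+ hash chains: len1 message chains plus len2 checksum chains."""
    lg_w = w.bit_length() - 1                       # log2(w); w must be a power of two
    if 1 << lg_w != w:
        raise ValueError("w must be a power of two")
    len1 = (8 * n + lg_w - 1) // lg_w               # ceil(8n / log2 w)
    # len2 = floor(log2(len1 * (w - 1)) / log2 w) + 1, done with integers to avoid
    # floating-point rounding at the boundary
    len2 = ((len1 * (w - 1)).bit_length() - 1) // lg_w + 1
    return len1 + len2

def sizes(p: ParamSet) -> Tuple[int, int, int]:
    """(public key, private key, signature) sizes in bytes for one parameter set."""
    if p.h % p.d:
        raise ValueError("d must divide h: every hypertree layer has height h/d")
    pk = 2 * p.n                                    # PK.seed, PK.root
    sk = 4 * p.n                                    # SK.seed, SK.prf, PK.seed, PK.root
    randomizer = p.n                                # R, used to select the FORS key pair
    fors = p.k * (p.log_t + 1) * p.n                # k secret values + k auth paths of log(t) nodes
    wots = p.d * wots_len(p.n, p.w) * p.n           # one WOTS+ signature per layer
    auth = p.h * p.n                                # d auth paths of h/d nodes each
    return pk, sk, randomizer + fors + wots + auth

def all_sizes() -> Dict[str, Tuple[int, int, int]]:
    """Sizes for every parameter set on the page, keyed by name."""
    return {name: sizes(p) for name, p in PARAM_SETS.items()}

if __name__ == "__main__":
    for name, (pk, sk, sig) in all_sizes().items():
        print(f"{name}: pk={pk} sk={sk} sig={sig}")
```

The breakdown makes the “s” versus “f” trade-off visible: the fast variants use more layers (larger d) and more FORS trees (larger k), so they carry more WOTS+ and FORS material in each signature, while the small variants use fewer, taller layers and pay for it with slower signing.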

Implementations

The reference implementation can be found on GitHub: sphincs/sphincsplus. It has the three main schemes, as well as optimized implementations:

  • SPHINCS+-SHA256 with AVX2.

  • SPHINCS+-SHAKE256 with AVX2.

  • SPHINCS+-Haraka with AES-NI.

It also includes an aarch64 implementation of SPHINCS+-SHAKE256.

The Software page of the website lists some third-party implementations such as:

Some integrations not listed there are:

  • Open Quantum Safe’s liboqs.

  • PQClean, which includes the same variants as the reference repository (SHAKE256 with AVX2 and on aarch64, SHA256 with AVX2, and Haraka with AES-NI).

Benchmarks

While there are no benchmarks on the website, an extensive set is included in the specification, in Section 10, Table 4.

Benchmarks are also available in the SUPERCOP benchmarking framework.

Given the number of variants, no benchmarks are reproduced here.

Attacks

Some attacks have been published:

  • Breaking Category Five SPHINCS+ with SHA-256 [PKC22], which gives “a complete forgery attack that reduces the concrete classical security of these parameter sets by approximately 40 bits of security”.

  • Practical Fault Injection Attacks on SPHINCS [GKPM18], an attack that “allows the creation of a universal signature forgery that applies to all current standardisation candidates (XMSS, LMS, SPHINCS+, and Gravity-SPHINCS)”.

  • Grafting Trees: a Fault Attack against the SPHINCS framework [CMP18], in which the authors propose “the first fault attack against the framework underlying SPHINCS, Gravity-SPHINCS and SPHINCS+”.

  • On Protecting SPHINCS+ Against Fault Attacks [Gen23], in which the author “adapts the original attack to SPHINCS+ reinforced with randomized signing and extends the applicability of the attack to any combination of faulty and valid signatures”.

Bibliography

[BHH+14]

Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing, Tanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider, Peter Schwabe, and Zooko Wilcox-O'Hearn. SPHINCS: Practical Stateless Hash-Based Signatures. Cryptology ePrint Archive, Paper 2014/795, 2014. https://eprint.iacr.org/2014/795.

[BDH11]

Johannes Buchmann, Erik Dahmen, and Andreas Hülsing. XMSS – A Practical Forward Secure Signature Scheme Based on Minimal Security Assumptions. Cryptology ePrint Archive, Paper 2011/484, 2011. https://eprint.iacr.org/2011/484.

[CMP18]

Laurent Castelnovi, Ange Martinelli, and Thomas Prest. Grafting Trees: A Fault Attack against the SPHINCS Framework. Cryptology ePrint Archive, Paper 2018/102, 2018. https://eprint.iacr.org/2018/102.

[Gen23]

Aymeric Genêt. On Protecting SPHINCS+ Against Fault Attacks. Cryptology ePrint Archive, Paper 2023/042, 2023. https://eprint.iacr.org/2023/042.

[GKPM18]

Aymeric Genêt, Matthias J. Kannwischer, Hervé Pelletier, and Andrew McLauchlan. Practical Fault Injection Attacks on SPHINCS. Cryptology ePrint Archive, Paper 2018/674, 2018. https://eprint.iacr.org/2018/674.

[GBH18]

Leon Groot Bruinderink and Andreas Hülsing. “Oops, I Did It Again” – Security of One-Time Signatures under Two-Message Attacks. In Carlisle Adams and Jan Camenisch, editors, Selected Areas in Cryptography – SAC 2017, Lecture Notes in Computer Science, pages 299–322. Springer, 2018. doi:10.1007/978-3-319-72565-9_15.

[KLMR16]

Stefan Kölbl, Martin M. Lauridsen, Florian Mendel, and Christian Rechberger. Haraka v2 – Efficient Short-Input Hashing for Post-Quantum Applications. Cryptology ePrint Archive, Paper 2016/098, 2016. https://eprint.iacr.org/2016/098.

[MCF19]

David McGrew, Michael Curcio, and Scott Fluhrer. Leighton-Micali Hash-Based Signatures. RFC 8554, Internet Engineering Task Force, April 2019. https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs-15 (visited on 2023-07-20). doi:10.17487/RFC8554.

[PKC22]

Ray Perlner, John Kelsey, and David Cooper. Breaking Category Five SPHINCS+ with SHA-256. Cryptology ePrint Archive, Paper 2022/1061, 2022. https://eprint.iacr.org/2022/1061.