Niels Möller <[email protected]> writes:
>> 2. I think first there should be at least one fast and short option >> available. > > Makes sense, I'm working on adding slh-dsa-shake-128f. Having 256-bit options would be nice, as a conservative long-term signature algorithm choice, any chance you could add those? The SHA2 alternatives would be nice too, some environments have better performance for SHA2 than SHAKE. > $ ./examples/hogweed-benchmark slh-dsa-shake > name size sign/s verify/s > slh-dsa-shake-s 128 0.76 992.98 > slh-dsa-shake-f 128 20.19 337.95 > > $ ./examples/hogweed-benchmark eddsa > name size sign/s verify/s > eddsa 255 24990.3 6626.5 > eddsa 448 6645.6 1797.3 > > So for verify operations (consider signed firmware updates in some > embedded system expected to operate for decades), it's only about one > order of magnitude slower than classic signatures. Interesting - my perception is that SPHINCS+ verification is faster than Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your implementation get? /Simon [1] https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/
signature.asc
Description: PGP signature
_______________________________________________ nettle-bugs mailing list -- [email protected] To unsubscribe send an email to [email protected]
