from Niels: > Another question: All other public key algorithms are in libhogweed, and > depend on GMP bignum functions. But the motivation for the > nettle/hogweed split was to avoid a runtime shared library dependency on > GMP for applications that don't use any algorithms based on bignums. And > therefore, it seems slh-dsa belongs in libnettle, not libhogweed. Do you > agree?
Yes, I think that sounds reasonable. from Simon: > Interesting - my perception is that SPHINCS+ verification is faster than > Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be > explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your > implementation get? I used the reference sphincs+ implementation https://github.com/sphincs/sphincsplus/tree/master together with some patches from leancrypto to make it conform to the NIST standard. I haven't done any benchmarks on my patch, but there are benchmarking tests in the reference implementation. https://github.com/sphincs/sphincsplus/blob/master/ref/test/benchmark.c On Fri, Feb 21, 2025 at 11:06 AM Simon Josefsson <[email protected]> wrote: > Niels Möller <[email protected]> writes: > > >> 2. I think first there should be at least one fast and short option > >> available. > > > > Makes sense, I'm working on adding slh-dsa-shake-128f. > > Having 256-bit options would be nice, as a conservative long-term > signature algorithm choice, any chance you could add those? > > The SHA2 alternatives would be nice too, some environments have better > performance for SHA2 than SHAKE. > > > $ ./examples/hogweed-benchmark slh-dsa-shake > > name size sign/s verify/s > > slh-dsa-shake-s 128 0.76 992.98 > > slh-dsa-shake-f 128 20.19 337.95 > > > > $ ./examples/hogweed-benchmark eddsa > > name size sign/s verify/s > > eddsa 255 24990.3 6626.5 > > eddsa 448 6645.6 1797.3 > > > > So for verify operations (consider signed firmware updates in some > > embedded system expected to operate for decades), it's only about one > > order of magnitude slower than classic signatures. > > Interesting - my perception is that SPHINCS+ verification is faster than > Ed25519 (at the end of [1] suggests 5-10 times faster). Could this be > explained by SHA2 vs SHAKE? Zoltan, what benchmarks did your > implementation get? > > /Simon > > [1] > https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/ > _______________________________________________ > nettle-bugs mailing list -- [email protected] > To unsubscribe send an email to [email protected] > _______________________________________________ nettle-bugs mailing list -- [email protected] To unsubscribe send an email to [email protected]
