SPHINCS+

SPHINCS⁺ is based on a one-time signature scheme called WOTS⁺ (a modified version of the Winternitz one-time signature scheme), a few-time signature scheme called FORS (Forest of Random Subsets) and Merkle trees.^[2]

When signing, the message is signed with a FORS key. The FORS key is signed with a WOTS⁺ key that is a leaf of a merkle tree. The root of the tree is then signed with another WOTS⁺ key that is itself a leaf of another tree. That tree's root is again signed with a WOTS⁺. The number of layers of trees is a parameter that is specified as part of the algorithm. This "tree of trees" is called a hypertree. The root of the top tree is the public key. The signature consists of the FORS key and its signature, the WOTS⁺ keys with their signatures and inclusion proofs for the merkle tree and a random value called R that was used to generate the path in the hypertree.^[2]

In order to verify a signature, the verifier first verifies the first WOTS⁺ key's inclusion proof against the public key and then verifies the key's signature of the next root. Then, they check the next WOTS⁺ key's inclusion proof against the new root. This goes on until the last WOTS⁺ key is reached, which is then used to verify the FORS key. That key is then used to actually verify the message's signature.^[2]

All WOTS⁺ keys and FORS keys are generated deterministically from the private key. During signing, the signer generates a random bit string called R and hashes it together with the message. Parts of the resulting hash are used to select the path through the hypertree while the rest is signed with the FORS key.^[2]

SPHINCS⁺ has been called a "conservative" choice by NIST since its security solely relies on the preimage and collision resistance of the underlying hash function.^[3][4]

A theoretical forgery attack for specific SHA256 instances has been described that requires a large amount of legitimate signatures and an infeasible amount of computation. It relies on the Merkle–Damgård structure of SHA256^[a] and reduces each security claim by 40 bits. The authors of the attack believe that it doesn't "call the general soundness of the SPHINCS⁺ design into question" and mitigations have been proposed.^[2]

SPHINCS⁺ is based on the SPHINCS scheme, which was presented at EUROCRYPT 2015.^[6]

SPHINCS features a larger 1kB public and private key size and a 41kB signature size.^[6]

SPHINCS⁺ was first released in 2017^[7] since SPHINCS suffers from a vulnerability called "multi-target attacks in hash-based signatures", which was addressed by a 2016 paper. Furthermore, it doesn't have verifiable index selection (the path through the trees), which enables another kind of multi-target attack. SPHINCS⁺ was designed to address all these issues and also decrease the key and signature sizes using tree-less WOTS⁺ key compression, the addition of the R parameter during signing and the replacement of the few-time signature scheme with FORS.^[8][9]

SPHINCS⁺ was standardized as SLH-DSA by NIST in August 2024 in the FIPS 205 standard,^[1] making it one of the two NIST standardized post-quantum signature schemes with the other one being ML-DSA.^[10][11][12]

SLH-DSA specifies the following instances based on the hash function (SHA256 or SHAKE256), the type (f for faster signing time and s for shorter signature) and security level (e.g. 128 means that forging signatures is as hard as breaking AES-128):^[1][13]

• Botan^[14]
• Bouncy Castle^[15]
• RustCrypto, written by Trail of Bits^[16]
• Open Quantum Safe [de]^[17]

• Official website