On Tue, May 29, 2018 at 06:00:12PM +0200, Daniel Cegiełka wrote:
> Hi,
>
> Sorry if this is a more "misc-list" topic, but according to
> Cryptography Services[1] team:
>
> "SPHINCS[2] is the more recent one (vs XMSS), combining a good numbers
> of advances in the field and even more! Bringing the statelessness we
> were all waiting for."
>
> Would SPHINCS be not a better choice than XMSS?
>
> [1] https://cryptoservices.github.io/quantum/2015/12/08/XMSS-and-SPHINCS.html
> [2] https://sphincs.cr.yp.to/index.html
>
> Best regards,
> Daniel
>
Hi,

first of all: This is an old comparison. SPHINCS and XMSS have both evolved since 2015. SPHINCS [0] got superseded by SPHINCS+ [1]. SPHINCS had 41 kB sized signatures; SPHINCS+ can go down to 8 kB if you are using the lowest security options, like NIST defined in their process. XMSS usually creates even smaller signatures, if that is an important factor for you.

The reason SPHINCS+ can be stateless is that it uses probability. The signatures are created using Few-Time-Signature schemes. You can sign with the same key pair a few times, but the security decreases with every signature. Using the combination of a huge tree and that scheme you can show that (with a given set of parameters) the probability of re-using the same key pair too often decreases. On XMSS you keep state so that you definitely do not re-use the same key pair.

The most important factor for XMSS is that it is an RFC, RFC 8391 [2] to be precise. It has been through a standardization process including proper review and comments. SPHINCS+ on the other hand is in the NIST Post-Quantum standardization process, but it will probably take a few more years until it completes.

Patrick

[0] http://sphincs.cr.yp.to
[1] http://sphincs.org
[2] https://tools.ietf.org/html/rfc8391
