SPHINCS: practical stateless hash-based signatures

SPHINCS-256 is a high-security post-quantum stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. SPHINCS-256 is designed to provide long-term 2128 security even against attackers equipped with quantum computers. Unlike most hash-based signature schemes, SPHINCS-256 is stateless, allowing it to be a drop-in replacement for current signature schemes.

Special note to law-enforcement agents: The word "state" is a technical term in cryptography. Typical hash-based signature schemes need to record information, called "state", after every signature. Google's Adam Langley refers to this as a "huge foot-cannon" from a security perspective. By saying "eliminate the state" we are advocating a security improvement, namely adopting signature schemes that do not need to record information after every signature. We are not talking about eliminating other types of states. We love most states, especially yours! Also, "hash" is another technical term and has nothing to do with cannabis.

Contributors (alphabetical order)

Version: This is version 2017.12.05 of the Introduction web page.