{"id":17011846,"url":"https://github.com/25a0/sts-sphincs","last_synced_at":"2025-03-22T13:23:52.920Z","repository":{"id":50228242,"uuid":"234279608","full_name":"25A0/sts-sphincs","owner":"25A0","description":"SPHINCS, the hash-based signature scheme, with fast batch signatures","archived":false,"fork":false,"pushed_at":"2020-01-21T17:11:47.000Z","size":390,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-27T12:49:35.820Z","etag":null,"topics":["cryptography","digital-signature","hash-based-signatures","post-quantum-cryptography"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"unlicense","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/25A0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-16T09:11:04.000Z","updated_at":"2020-01-21T17:17:39.000Z","dependencies_parsed_at":"2022-09-24T09:02:02.726Z","dependency_job_id":null,"html_url":"https://github.com/25A0/sts-sphincs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/25A0%2Fsts-sphincs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/25A0%2Fsts-sphincs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/25A0%2Fsts-sphincs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/25A0%2Fsts-sphincs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/25A0","download_url":"https://codeload.github.com/25A0/sts-sphincs/tar.gz/refs/heads/master","host":{"name
":"GitHub","url":"https://github.com","kind":"github","repositories_count":244960790,"owners_count":20538885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","digital-signature","hash-based-signatures","post-quantum-cryptography"],"created_at":"2024-10-14T06:08:22.898Z","updated_at":"2025-03-22T13:23:52.890Z","avatar_url":"https://github.com/25A0.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SPHINCS with short-time state\n\nThis is an implementation of SPHINCS batch signing as described in my\nyet-to-be-published master's thesis.\nThere are multiple differences to\nthe [SPHINCS signature scheme](https://sphincs.cr.yp.to/index.html) published in [[1]](#1):\n\n - To protect against multi-target attacks, all hash calls are seeded with bit\n   masks. In classic SPHINCS, these bit masks were included in the private key.\n   Here, the bit masks are generated ad-hoc with an addressing scheme modeled\n   after XMSS-T [[2]](#2).\n\n - This version of SPHINCS comes with an extended API to expose the batch\n   signing capabilities. The extended API is explained below.\n\n**Should you use this to actually create and verify signatures of important messages?**\nAbsolutely not. This code has not been reviewed or audited by anyone, and I'm a master's\nstudent with little experience when it comes to writing secure code.\n\n## Batch signing API\n\nThis version of SPHINCS offers an API for faster signatures. To use this API,\nyou will need to initialize a so-called short-time state first, by calling\n`crypto_sts_init`. 
That short-time state can then be used to sign a limited\nnumber of messages, by calling `crypto_sts_sign`.\n\n - Initialize a short-time state:\n   ```\n   int crypto_sts_init(unsigned char *short_time_state,\n                       const unsigned char *secret_key, long long leaf_index);\n   ```\n\n - Sign a message using the short-time state:\n   ```\n   int crypto_sts_sign(unsigned char *signature, unsigned long long *signature_length,\n                       const unsigned char *message, unsigned long long message_length,\n                       unsigned char *short_time_state,\n                       const unsigned char *secret_key);\n   ```\n\nFinally, there is a function to query how many more messages can be signed with\na given short-time state. Once the signing capacity of a short-time state is\nexhausted, you will need to generate a new short-time state.\n\n - Query the number of messages that can be signed with the given short-time state:\n   ```\n   long long crypto_sts_remaining_uses(unsigned char *short_time_state);\n   ```\n\n\nIn addition to that, the traditional API is also supported:\n\n - Create a keypair:\n   ```\n   int crypto_sign_keypair(unsigned char *public_key, unsigned char *secret_key);\n   ```\n\n - Sign a message:\n   ```\n   int crypto_sign(unsigned char *signature, unsigned long long *signature_length,\n                   const unsigned char *message, unsigned long long message_length,\n                   const unsigned char *secretkey);\n   ```\n\n - Verify a signature:\n   ```\n   int crypto_sign_open(unsigned char *message, unsigned long long *message_length,\n                        const unsigned char *signature, unsigned long long signature_length,\n                        const unsigned char *public_key);\n   ```\n\n## Variants\n\nThis repository essentially offers three variants of SPHINCS:\n\n - **Classic SPHINCS**, without batch signing.\n - **Sequential batch signing**, which speeds up signatures by signing messages\n   
with sequential leaf nodes of the hypertree, and caching the parts of the\n   signature that are shared between them.\n - **Subtree batch signing**, which speeds up signatures by creating a subtree,\n   and signing the root of the subtree with a HORST keypair of the hypertree.\n   The individual messages are then signed with WOTS key pairs, the public keys\n   of which form the leaf nodes of the subtree.\n\nAll variants feature smaller secret key sizes.\n\nThe Makefile in `src` contains recipes to build libraries for each variant:\n\n - `libsphincs.a` for classic SPHINCS,\n - `libsphincs_sequential.a` for sequential batch signing,\n - `libsphincs_subtree.a` for subtree batch signing.\n\n## Example usage\n\nThe source directory contains three example files, one for each variant:\n\n - `example.c` for classic SPHINCS,\n - `example_sequential.c` for sequential batch signing,\n - `example_subtree.c` for subtree batch signing.\n\nBuild and run them with e.g. `make example_sequential \u0026\u0026 ./example_sequential`.\n\n## Tests\n\nRun `make test` to run the tests.\n\n## Benchmarks\n\nThere is primitive benchmarking code to measure some cycles, which you can run\nwith `make bench`. 
It will print key sizes, signature sizes, STS sizes, and\ncycle counts for the three variants for a single signature.\n\nNote that this software is not optimized, and significantly slower than the\nvectorized implementation of SPHINCS.\n\nExample output, on Intel i5-4690K:\n\n```\n./bench_sphincs_sign\nBenchmark SPHINCS signatures\n   crypto_secretkeybytes:                       96 B\n   crypto_publickeybytes:                       64 B\n            crypto_bytes:                    41000 B\n                 Keypair: ----+----+----+----+----+--              1.72 * 2^27 cycles\n     Sign, 32 signatures: ----+----+----+----+----+----+----+-     1.60 * 2^36 cycles\n Sign, avg per signature: ----+----+----+----+----+----+-          1.60 * 2^31 cycles\n                  Verify: ----+----+----+----+----+                1.36 * 2^25 cycles\n          Elapsed cycles: ----+----+----+----+----+----+----+-     1.61 * 2^36 cycles\n./bench_subtree_batch_sign\nBenchmark SPHINCS subtree batch signatures\n   crypto_secretkeybytes:                       96 B\n   crypto_publickeybytes:                       64 B\n        crypto_sts_bytes:                    36233 B\n            crypto_bytes:                    37416 B\n                 Keypair: ----+----+----+----+----+--              1.74 * 2^27 cycles\n                STS init: ----+----+----+----+----+----+-          1.60 * 2^31 cycles\n     Sign, 32 signatures: ----+----+----+----+----+--              1.69 * 2^27 cycles\n Sign, avg per signature: ----+----+----+----+--                   1.69 * 2^22 cycles\n                  Verify: ----+----+----+----+----+                1.48 * 2^25 cycles\n          Elapsed cycles: ----+----+----+----+----+----+-          1.83 * 2^31 cycles\n./bench_sequential_batch_sign\nBenchmark SPHINCS sequential batch signatures\n   crypto_secretkeybytes:                       96 B\n   crypto_publickeybytes:                       64 B\n        crypto_sts_bytes:                    26376 B\n            
crypto_bytes:                    41000 B\n                 Keypair: ----+----+----+----+----+--              1.72 * 2^27 cycles\n                STS init: ----+----+----+----+----+----+-          1.30 * 2^31 cycles\n     Sign, 32 signatures: ----+----+----+----+----+----+----       1.21 * 2^34 cycles\n Sign, avg per signature: ----+----+----+----+----+----            1.21 * 2^29 cycles\n                  Verify: ----+----+----+----+----+                1.38 * 2^25 cycles\n          Elapsed cycles: ----+----+----+----+----+----+----       1.39 * 2^34 cycles\n```\n\n## Caveats of a short-time state\n\nSPHINCS is a stateless signature scheme: Once a keypair is produced,\nonly that keypair is necessary to sign new messages. This behaviour is in line\nwith commonly used signature schemes like RSA, DSA and ECDSA.\n\nHowever, there are many *stateful* hash-based signature schemes, like the\nclassic Merkle Signature Scheme, and its variations XMSS, XMSS-T, CMSS, and\nothers. Key pairs in these schemes are associated with a fixed number of\none-time signature (OTS) key pairs (e.g. Winternitz OTS [[3, Section 5]](#3)).\nAs the name suggests, each OTS key pair can only be used for a single\nsignature. Re-using the same OTS key pair has the potential to break the\nscheme, and can allow an attacker to forge signatures. Because of that, new\nsignatures depend on previously signed messages, since the signer needs to\ndistinguish used from unused OTS key pairs.\n\nWith stateful signatures, the data that contains the stateful information (the\n_state_) has to be handled with care. If it is restored from a backup, a VM\nsnapshot, or shared between processes without proper synchronization, then\nthere is a risk that used key material is re-used, potentially breaking the\nscheme.\n\nThe batch signing variants of SPHINCS in this repository use a short-time state\nto speed up signatures. Any precautions that apply to stateful signature\nschemes also apply to this short-time state. 
However, no additional precautions\nhave to be taken when handling the keypair.\n\n\n---\n\nThis code is based on the [SUPERCOP](https://bench.cr.yp.to/supercop.html)\nimplementation of SPHINCS, written by\nDaniel J. Bernstein,\nDaira Hopwood,\nAndreas Hülsing,\nTanja Lange,\nRuben Niederhagen,\nLouiza Papachristodoulou,\nPeter Schwabe, and\nZooko Wilcox O'Hearn\n\n---\n\n\u003cspan id=\"1\"\u003e[1]\u003c/span\u003e: Daniel J. Bernstein, Daira Hopwood, Andreas Hülsing,\nTanja Lange, Ruben Niederhagen, Louiza Papachristodoulou, Michael Schneider,\nPeter Schwabe, Zooko Wilcox-O'Hearn. _\"SPHINCS: practical stateless hash-based\nsignatures.\"_ Pages 368–397 in Advances in cryptology—EUROCRYPT 2015—34th\nannual international conference on the theory and applications of cryptographic\ntechniques, Sofia, Bulgaria, April 26–30, 2015, proceedings, part I, edited by\nElisabeth Oswald, Marc Fischlin. Lecture Notes in Computer Science 9056,\nSpringer, 2015. ISBN 978-3-662-46799-2. Date: 2015.02.02.\n([PDF](https://sphincs.cr.yp.to/sphincs-20141001.pdf))\n\n\u003cspan id=\"2\"\u003e[2]\u003c/span\u003e: Andreas Hülsing, Joost Rijneveld, and Fang Song.\n_Mitigating multi-target attacks in hash-based signatures._ In Public-Key\nCryptography–PKC 2016, pages 387–416. Springer, 2016.\n([PDF](http://eprint.iacr.org/2015/1256.pdf))\n\n\u003cspan id=\"3\"\u003e[3]\u003c/span\u003e: Ralph Merkle. A certified digital signature. In\nAdvances in Cryptology — CRYPTO’89 Proceedings, pages 218–238. Springer, 1990.\n([PDF](http://www.merkle.com/papers/Certified1979.pdf))\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F25a0%2Fsts-sphincs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F25a0%2Fsts-sphincs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F25a0%2Fsts-sphincs/lists"}