[Cryptography] SPHINCS: practical hash-based digital signatures

Zooko Wilcox-OHearn zooko at leastauthority.com
Tue Oct 7 11:29:48 EDT 2014

Dear Crypto Folks:

I'd like to draw your attention to a new digital signature scheme, SPHINCS:


(← Disclosure and disclaimer: Like with the recently-mentioned BLAKE2,
I'm a co-author, and like with BLAKE2, my co-authors did more of the
heavy lifting intellectually than I did.)

But anyway, here's my pitch for why you might care about SPHINCS:

Every digital signature algorithm that you can think of could be
broken by an attacker who could exploit a flaw in its secure hash
algorithm. *Or* the attacker could exploit a flaw in the *other* part
— the signature scheme.

That's because every digital signature algorithm (e.g. RSA-PSS,
Ed25519, ECDSA, etc.) uses a secure hash function to generate a short
fixed-length message representative, and then uses the signature
scheme to sign the message representative.

So there are two ways that an attacker can break any of the digital
signature algorithms mentioned above (RSA, Ed25519, etc. etc.) — by
breaking the hash function or by cracking the other part.

But there is only one way that an attacker can break SPHINCS: by
breaking the hash function.

I think that's pretty awesome.


Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
Freedom matters.

“Eliminate the state!”

“Use more hash!”

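As an added example (not code from the post or from the SPHINCS authors), a minimal Lamport one-time signature in Python shows what "only the hash" means: key generation, signing and verification are nothing but calls to a single hash function, so there is no separate "other part" to attack. SHA-256 and the 256-bit block size are assumed stand-ins, not the SPHINCS parameters; the one-time restriction counted at the end is the limitation that SPHINCS's Merkle-tree structure exists to remove.

```python
# Added example: a Lamport one-time signature (OTS), the kind of hash-only
# building block that SPHINCS stacks into WOTS+ chains and Merkle trees.
# Every step below is a hash call, so forging a signature means breaking H.
import hashlib
import os

N = 32  # hash output and secret-block size in bytes (assumed 256-bit setting)


def H(data: bytes) -> bytes:
    """The single primitive the whole scheme rests on (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """Secret key: two random blocks per digest bit; public key: their hashes."""
    sk = [[rng(N), rng(N)] for _ in range(8 * N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def bits(digest: bytes):
    """Yield the bits of a digest, most significant bit first."""
    for byte in digest:
        for i in range(8):
            yield (byte >> (7 - i)) & 1


def sign(sk, msg: bytes):
    """Hash the message (the 'message representative'), then reveal, for each
    digest bit, the secret block whose hash sits in the public key."""
    return [sk[i][b] for i, b in enumerate(bits(H(msg)))]


def verify(pk, msg: bytes, sig) -> bool:
    """Recompute the digest and check each revealed block hashes to the
    matching public-key entry; nothing but H is used."""
    if len(sig) != 8 * N:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, bits(H(msg)))))


def revealed_after(msgs):
    """Count distinct secret blocks exposed by signing several messages with
    one key. Past one message an attacker can mix and match revealed blocks,
    which is why SPHINCS uses each OTS key at most once inside a tree."""
    seen = set()
    for m in msgs:
        seen.update(enumerate(bits(H(m))))
    return len(seen)
```

A signed message verifies, any change to the message or signature fails, and a second message signed under the same key exposes more than the 256 blocks a single signature reveals.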