[Cryptography] Opinions on signatures algorithms for post-quantum crypto?
hanno at hboeck.de
Mon Dec 7 17:50:12 EST 2015
On Mon, 7 Dec 2015 18:00:00 +0000
David Wong <David.Wong at nccgroup.trust> wrote:
> Now I've looked at hash-based signatures. There are not a lot of
> papers, not a lot of discussions on it. Even L. Reyzin (behind HORS)
> says that lattice-based signatures are more suited for post-quantum
There are stateful and stateless hash-based schemes, I think XMSS and
SPHINCS are what's state of the art right now.
Stateful schemes are very problematic in many real-world use cases.
SPHINCS is stateless, but it has rather large sigs (42 kb afair).
That's feasible for some apps (think of gpg-like systems), but not for
others (https, where you easily have to transmit 3-4 sigs just for the
It's the standard dilemma of postquantum today: You can choose between
probably secure, but impractical (in this case sphincs, xmss), and
practical, but security is highly uncertain (lattice-based stuff). And
if you really want to use the stuff widely, patents come in as another
mail/jabber: hanno at hboeck.de
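To make the stateful/stateless distinction above concrete, here is an added toy example (not code from this thread or from the XMSS/SPHINCS projects): Lamport one-time signatures as leaves of a small Merkle tree, a signer that carries the "next unused leaf" state that XMSS-style schemes depend on, and a verifier-side monitor that notices when one leaf index turns up under two different messages, which is what happens when that state is lost or rolled back. Tree height, hash function and the decision to ship the OTS public key inside the signature are my assumptions for this example; it is not constant-time and not a production scheme.

```python
"""Toy Merkle-tree hash-based signature with Lamport one-time leaves.
Added illustrative example, not the mailing-list author's code; the
parameters (SHA-256, 256-bit digests, tree height 3) are assumptions."""
import hashlib
import secrets

N = 256  # digest bits; one (secret0, secret1) pair per bit


def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(N)]  # reveal one secret per bit


def lamport_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(N))


def leaf_hash(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


def build_tree(leaves):
    """Levels bottom-up: levels[0] = leaves, levels[-1] = [root]."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def auth_path(levels, idx: int):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])  # sibling at this level
        idx //= 2
    return path


def root_from_path(leaf: bytes, idx: int, path) -> bytes:
    node = leaf
    for sib in path:
        node = H(node + sib) if idx % 2 == 0 else H(sib + node)
        idx //= 2
    return node


class StatefulSigner:
    """Each leaf may sign exactly once; next_leaf is the state that must be
    persisted before a signature is released (the XMSS-style burden)."""

    def __init__(self, height: int = 3):
        self.n_leaves = 1 << height
        self.keys = [lamport_keygen() for _ in range(self.n_leaves)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.keys])
        self.root = self.levels[-1][0]  # the long-term public key
        self.next_leaf = 0

    def sign(self, msg: bytes):
        if self.next_leaf >= self.n_leaves:
            raise RuntimeError("all one-time keys used; tree exhausted")
        idx = self.next_leaf
        self.next_leaf += 1
        sk, pk = self.keys[idx]
        return (idx, lamport_sign(sk, msg), pk, auth_path(self.levels, idx))


def verify(root: bytes, msg: bytes, sig) -> bool:
    idx, ots, pk, path = sig
    return lamport_verify(pk, msg, ots) and root_from_path(leaf_hash(pk), idx, path) == root


class ReuseMonitor:
    """Verifier-side detection: the same (root, leaf index) seen with two
    different messages means a one-time key was reused, i.e. signer state
    was lost or rolled back (e.g. restored from a backup)."""

    def __init__(self):
        self.seen = {}

    def check(self, root: bytes, msg: bytes, sig) -> str:
        if not verify(root, msg, sig):
            return "invalid"
        prev = self.seen.setdefault((root, sig[0]), H(msg))
        return "ok" if prev == H(msg) else "reuse"
```

Even this toy shows where the size comes from: a Lamport signature alone is 256 revealed 32-byte secrets (8 KB) before the OTS public key and authentication path are added, which is why real schemes use WOTS+ and other compression tricks and still end up with multi-kilobyte signatures. Replaying the identical message on the same leaf is fine (the monitor reports "ok"), but a new message on an already-used leaf is reported as "reuse".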