[Cryptography] Opinions on signatures algorithms for post-quantum crypto?

Hanno Böck hanno at hboeck.de
Mon Dec 7 17:50:12 EST 2015

On Mon, 7 Dec 2015 18:00:00 +0000
David Wong <David.Wong at nccgroup.trust> wrote:

> Now I've looked at hash-based signatures. There are not a lot of
> papers, not a lot of discussions on it. Even L. Reyzin (behind HORS)
> says that lattice-based signatures are more suited for post-quantum
> crypto.

There are stateful and stateless hash-based schemes, I think XMSS and
SPHINCS are what's state of the art right now.

Stateful schemes are very problematic in many real-world use cases.
SPHINCS is stateless, but it has rather large sigs (42 kb afair).
That's feasible for some apps (think of gpg-like systems), but not for
others (https, where you easily have to transmit 3-4 sigs just for the

It's the standard dilemma of postquantum today: You can choose between
probably secure, but impractical (in this case sphincs, xmss), and
practical, but security is highly uncertain (lattice-based stuff). And
if you really want to use the stuff widely, patents come in as another
complicating factor.

Hanno Böck

mail/jabber: hanno at hboeck.de
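As an added illustration of the stateful/stateless point above (this is not code from the thread or from the XMSS or SPHINCS projects), the following is a toy Lamport one-time signature scheme over SHA-256 plus a many-time signer that hands out one fresh one-time key per signature, the way the leaves of an XMSS tree are used. All names here are the example's own, and the key material is derived from a fixed seed purely so the run is deterministic. The `revealed_secret_count` helper shows why the state matters: one signature exposes exactly half of a Lamport secret key, and any second signature with the same key on a different message exposes more, so a signer whose leaf counter is lost or rolled back (restored backup, cloned VM) silently weakens its own key. That is the operational hazard a stateless design such as SPHINCS avoids at the cost of larger signatures.

```python
import hashlib

N = 256  # digest bits; a Lamport key has N pairs of secret values


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Toy Lamport one-time key. Secrets are derived from `seed` so the
    example is deterministic; a real key uses fresh randomness per value."""
    sk = [[_h(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)]
          for i in range(N)]
    pk = [[_h(s) for s in pair] for pair in sk]
    return sk, pk


def _bits(msg: bytes):
    """Message digest as a list of N bits, most significant first."""
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    """Reveal, for every digest bit, the secret value matching that bit."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(_h(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def revealed_secret_count(sigs) -> int:
    """Distinct secret values exposed by a set of signatures made with ONE
    Lamport key. One signature reveals exactly N of the 2N secrets; a second
    signature on a different message reveals more. That is why the key is
    one-time and why a stateful scheme must never reuse a leaf."""
    return len({v for sig in sigs for v in sig})


class StatefulSigner:
    """Many-time signer built from a list of one-time keys (the leaves of an
    XMSS-style construction, without the Merkle tree). The only state is
    `next_leaf`; if that counter is lost or rolled back, a leaf is reused."""

    def __init__(self, seed: bytes, leaves: int):
        self.keys = [keygen(seed + idx.to_bytes(4, "big")) for idx in range(leaves)]
        self.next_leaf = 0

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, msg: bytes):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("all one-time keys used; refusing to reuse a leaf")
        idx = self.next_leaf
        # Advance (and, in a real system, durably persist) the state BEFORE
        # the signature leaves this function, never after.
        self.next_leaf += 1
        sk, _ = self.keys[idx]
        return idx, sign(sk, msg)


def verify_leaf(pks, idx: int, msg: bytes, sig) -> bool:
    """Verify a signature against the public key of the stated leaf."""
    return 0 <= idx < len(pks) and verify(pks[idx], msg, sig)
```

A real XMSS deployment replaces the flat list of public keys with a Merkle root and hardens the counter update (persist first, then sign), but the shape of the problem is exactly what this toy shows: correctness of the whole scheme rests on a single monotonically increasing integer that has to survive every crash, restore and replica of the signing host.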
