From: Sergey Matveev
Date: Thu, 17 Apr 2025 08:23:50 +0000 (+0300)
Subject: Use 256f SPHINCS+ variant
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=fea0a64f6ed42293cc3efb1b0bf281612a5543a2eadb2134a58094be1180e315;p=keks.git

Use 256f SPHINCS+ variant

It is a tradeoff between one-third more space usage for signature and much more faster actions. Additional 10KB of space is cheap.
---
diff --git a/go/cm/cmd/cmkeytool/certification.t b/go/cm/cmd/cmkeytool/certification.t
index 7c03dc6..fd1e4c8 100755
--- a/go/cm/cmd/cmkeytool/certification.t
+++ b/go/cm/cmd/cmkeytool/certification.t
@@ -7,7 +7,7 @@ TMPDIR=${TMPDIR:-/tmp}
 echo "gost3410-512C gost3410-256A
 ed25519-blake2b ed25519-blake2b
-sphincs+-shake-256s sphincs+-shake-256s" | while read caAlgo eeAlgo ; do
+sphincs+-shake-256f sphincs+-shake-256f" | while read caAlgo eeAlgo ; do
 sub="-sub CN=CA -sub C=RU"
 test_expect_success "$caAlgo: CA load generation" "cmkeytool \
diff --git a/go/cm/cmd/cmkeytool/main.go b/go/cm/cmd/cmkeytool/main.go
index db9520f..948e546 100644
--- a/go/cm/cmd/cmkeytool/main.go
+++ b/go/cm/cmd/cmkeytool/main.go
@@ -98,7 +98,7 @@ func main() {
 gost.GOST3410512C,
 sntrup4591761x25519.SNTRUP4591761X25519,
 mceliece6960119x25519.ClassicMcEliece6960119X25519,
- spx.SPHINCSPlusSHAKE256s,
+ spx.SPHINCSPlusSHAKE256f,
 }
 sort.Strings(algos)
 for _, s := range algos {
@@ -180,7 +180,7 @@ func main() {
 prvRaw, pub, err = sntrup4591761x25519.NewKeypair()
 case mceliece6960119x25519.ClassicMcEliece6960119X25519:
 prvRaw, pub, err = mceliece6960119x25519.NewKeypair()
- case spx.SPHINCSPlusSHAKE256s:
+ case spx.SPHINCSPlusSHAKE256f:
 prvRaw, pub, err = spx.NewKeypair(*algo)
 default:
 err = errors.New("unknown -algo specified")
@@ -211,7 +211,7 @@ func main() {
 hasher = cmhash.ByName(cmhash.BLAKE2b256)
 case gost.GOST3410256A, gost.GOST3410512C:
 hasher = cmhash.ByName(cmhash.Streebog256)
- case mceliece6960119x25519.ClassicMcEliece6960119X25519, spx.SPHINCSPlusSHAKE256s:
+ case mceliece6960119x25519.ClassicMcEliece6960119X25519, spx.SPHINCSPlusSHAKE256f:
 hasher = cmhash.ByName(cmhash.SHAKE128)
 default:
 log.Fatal("unsupported algorithm")
diff --git a/go/cm/cmd/cmsigtool/basic.t b/go/cm/cmd/cmsigtool/basic.t
index 87bd284..9fa402e 100755
--- a/go/cm/cmd/cmsigtool/basic.t
+++ b/go/cm/cmd/cmsigtool/basic.t
@@ -8,7 +8,7 @@ TMPDIR=${TMPDIR:-/tmp}
 echo "gost3410-512C
 gost3410-256A
 ed25519-blake2b
-sphincs+-shake-256s" | while read keyalgo ; do
+sphincs+-shake-256f" | while read keyalgo ; do
 sub="-sub what=ever"
 typ="some-different-type"
diff --git a/go/cm/hash/algo.go b/go/cm/hash/algo.go
index 703e7d1..133ea02 100644
--- a/go/cm/hash/algo.go
+++ b/go/cm/hash/algo.go
@@ -73,12 +73,12 @@ func ByName(name string) hash.Hash {
 return h
 case SHAKE128:
 return NewSHAKE128()
- case SHAKE256, SPHINCSPlusSHAKE256s, SPHINCSPlusSHAKE256sPh:
+ case SHAKE256, SPHINCSPlusSHAKE256f, SPHINCSPlusSHAKE256fPh:
 return NewSHAKE256()
 case SHAKE128Merkle:
 return NewSHAKE128MerkleHasher(
 merkle.DefaultChunkLen, DefaultNumCPU)
- case SHAKE256Merkle, SPHINCSPlusSHAKE256sMerkle:
+ case SHAKE256Merkle, SPHINCSPlusSHAKE256fMerkle:
 return NewSHAKE256MerkleHasher(
 merkle.DefaultChunkLen, DefaultNumCPU)
 }
diff --git a/go/cm/hash/shake.go b/go/cm/hash/shake.go
index 5051d76..a92a4e9 100644
--- a/go/cm/hash/shake.go
+++ b/go/cm/hash/shake.go
@@ -27,9 +27,9 @@ const (
 SHAKE128Merkle = "shake128-merkle"
 SHAKE256Merkle = "shake256-merkle"
- SPHINCSPlusSHAKE256s = "sphincs+-shake-256s"
- SPHINCSPlusSHAKE256sPh = "sphincs+-shake-256s-ph"
- SPHINCSPlusSHAKE256sMerkle = "sphincs+-shake-256s-merkle"
+ SPHINCSPlusSHAKE256f = "sphincs+-shake-256f"
+ SPHINCSPlusSHAKE256fPh = "sphincs+-shake-256f-ph"
+ SPHINCSPlusSHAKE256fMerkle = "sphincs+-shake-256f-merkle"
 )
 type SHAKE struct {
diff --git a/go/cm/sign/prv.go b/go/cm/sign/prv.go
index 7c7cdbd..08ca9ae 100644
--- a/go/cm/sign/prv.go
+++ b/go/cm/sign/prv.go
@@ -60,7 +60,7 @@ func PrvParse(data []byte) (prv Iface, pub []byte, err error) {
 prv, pub, err = ed25519blake2b.NewSigner(av.V)
 case gost.GOST3410256A, gost.GOST3410512C:
 prv, pub, err = gost.NewSigner(av.V)
- case spx.SPHINCSPlusSHAKE256s:
+ case spx.SPHINCSPlusSHAKE256f:
 prv, pub, err = spx.NewSigner(av.V)
 default:
 err = fmt.Errorf("unknown private key algo: %s", av.A)
diff --git a/go/cm/sign/pub.go b/go/cm/sign/pub.go
index c71076e..b7b61f5 100644
--- a/go/cm/sign/pub.go
+++ b/go/cm/sign/pub.go
@@ -140,8 +140,8 @@ func (pub *PubLoad) CheckSignature(algo string, signed, signature []byte) (err e
 if !valid {
 err = ErrSigInvalid
 }
- case spx.SPHINCSPlusSHAKE256s:
- if algo != spx.SPHINCSPlusSHAKE256s {
+ case spx.SPHINCSPlusSHAKE256f:
+ if algo != spx.SPHINCSPlusSHAKE256f {
 return ErrBadSigAlgo
 }
 valid, err = spx.Verify(key.A, key.V, signed, signature)
@@ -191,10 +191,10 @@ func (pub *PubLoad) CheckSignaturePrehash(
 if !valid {
 err = ErrSigInvalid
 }
- case spx.SPHINCSPlusSHAKE256s:
+ case spx.SPHINCSPlusSHAKE256f:
 switch algo {
- case spx.SPHINCSPlusSHAKE256sPh:
- case spx.SPHINCSPlusSHAKE256sMerkle:
+ case spx.SPHINCSPlusSHAKE256fPh:
+ case spx.SPHINCSPlusSHAKE256fMerkle:
 default:
 return ErrBadSigAlgo
 }
diff --git a/go/cm/sign/spx/kp.go b/go/cm/sign/spx/kp.go
index 5359c61..67818af 100644
--- a/go/cm/sign/spx/kp.go
+++ b/go/cm/sign/spx/kp.go
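Review bot: The three identifier constants rewritten in this hash/shake.go hunk are redefined verbatim in go/cm/sign/spx/kp.go later in the same commit, so the strings now have to be kept in step by hand across two packages: `hash.ByName` (algo.go hunk) dispatches on this copy, while sign/prv.go and sign/pub.go dispatch on the `spx` copy, and a future rename that touches only one package would make `ByName` miss its `case` instead of failing loudly (what it returns after the `switch` is outside that hunk). If the import graph permits, have one package alias the other's values, `SPHINCSPlusSHAKE256f = spx.SPHINCSPlusSHAKE256f`; otherwise at least a comment on each block naming its twin, `// Must match the identifiers in go/cm/sign/spx/kp.go.`. The enclosing `const (` block opens before this hunk.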
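Review bot: Replacing the `case spx.SPHINCSPlusSHAKE256s:` arm instead of adding a new one means any already-issued cm/prv key carrying the `sphincs+-shake-256s` identifier now falls through to `default:` and fails with "unknown private key algo", and the matching hunks in go/cm/sign/pub.go (`CheckSignature`, `CheckSignaturePrehash`) return `ErrBadSigAlgo` for every existing 256s signature. Rejecting them is the correct fail-closed outcome, since `Params` in kp.go now selects a different parameter set and 256s material cannot be verified under it, but it is a silent format break that neither the commit message nor the spec files in this commit spell out. A comment next to this arm, `// sphincs+-shake-256s is intentionally not accepted: different parameter set`, and a retired-identifier note in the spec would make the rejection look deliberate rather than like an omission. `PrvParse` continues outside the hunk.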
@@ -21,12 +21,12 @@ import (
 )
 const (
- SPHINCSPlusSHAKE256s = "sphincs+-shake-256s"
- SPHINCSPlusSHAKE256sPh = "sphincs+-shake-256s-ph"
- SPHINCSPlusSHAKE256sMerkle = "sphincs+-shake-256s-merkle"
+ SPHINCSPlusSHAKE256f = "sphincs+-shake-256f"
+ SPHINCSPlusSHAKE256fPh = "sphincs+-shake-256f-ph"
+ SPHINCSPlusSHAKE256fMerkle = "sphincs+-shake-256f-merkle"
 )
-var Params = spxParams.MakeSphincsPlusSHAKE256256sSimple(true)
+var Params = spxParams.MakeSphincsPlusSHAKE256256fSimple(true)
 func NewKeypair(algo string) (prv, pub []byte, err error) {
 sk, pk := spx.Spx_keygen(Params)
diff --git a/go/cm/sign/spx/signer.go b/go/cm/sign/spx/signer.go
index 57ddcb4..b7ea550 100644
--- a/go/cm/sign/spx/signer.go
+++ b/go/cm/sign/spx/signer.go
@@ -67,11 +67,11 @@ func (s *Signer) Prehasher() *hash.Hash {
 func (s *Signer) Algo() string {
 switch s.mode {
 case mode.Pure:
- return SPHINCSPlusSHAKE256s
+ return SPHINCSPlusSHAKE256f
 case mode.Prehash:
- return SPHINCSPlusSHAKE256sPh
+ return SPHINCSPlusSHAKE256fPh
 case mode.Merkle:
- return SPHINCSPlusSHAKE256sMerkle
+ return SPHINCSPlusSHAKE256fMerkle
 }
 return ""
 }
diff --git a/spec/cm/prv.texi b/spec/cm/prv.texi
index cc191a4..4b25e17 100644
--- a/spec/cm/prv.texi
+++ b/spec/cm/prv.texi
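Review bot: `Params` is now the single place that pins which SPHINCS+ parameter set every key, signature and verification in this package uses, yet the exported variable carries no doc comment, and the visible start of `NewKeypair(algo string)` passes straight to `spx.Spx_keygen(Params)` without a check that `algo` equals `SPHINCSPlusSHAKE256f` (the rest of the function is outside the hunk, so it may be validated further down). Suggested comment: `// Params is the SPHINCS+-SHAKE256-256f "simple" parameter set. Keys and signatures produced under it are not interchangeable with the 256s set used before this change.` The commit message's size estimate also deserves a second look: if I recall the SPHINCS+ parameter tables correctly, a SHAKE-256f signature is roughly 50 KB against roughly 30 KB for 256s, i.e. about two-thirds larger rather than one-third, and the spec files in this commit state the key sizes (128+64 bytes) but not the signature size, which is the figure that actually changed.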
@@ -51,14 +51,14 @@ Stored in a file, it should begin with "cm/prv" @ref{MAGIC, magic}.
 @code{mceliece6960119-x25519} algorithm identifier is used.
-@node cm-prv-sphincs+-shake-256s
-@cindex cm-prv-sphincs+-shake-256s
-@nodedescription cm/prv with SPHINCS+-SHAKE256-256s
-@subsection cm/prv with SPHINCS+-SHAKE256-256s
+@node cm-prv-sphincs+-shake-256f
+@cindex cm-prv-sphincs+-shake-256f
+@nodedescription cm/prv with SPHINCS+-SHAKE256-256f
+@subsection cm/prv with SPHINCS+-SHAKE256-256f
 @url{https://sphincs.org/, SPHINCS+} with @url{https://keccak.team/, SHAKE256} hash,
- 255-bit security level, small signatures and simple parameters.
+ 255-bit security level, fast variant and simple parameters.
 Value is concatenation of private and public keys (128+64 bytes).
- Algorithm identifier for the public key: @code{sphincs+-shake-256s}.
+ Algorithm identifier for the public key: @code{sphincs+-shake-256f}.
diff --git a/spec/cm/pub.texi b/spec/cm/pub.texi
index 7a4819b..deefcad 100644
--- a/spec/cm/pub.texi
+++ b/spec/cm/pub.texi
@@ -191,15 +191,15 @@ MAP {
 save resources during @ref{kem-mceliece6960119-x25519-hkdf-shake256} KDF calculations.
-@node cm-pub-sphincs+-shake-256s
-@cindex cm-pub-sphincs+-shake-256s
-@nodedescription cm/pub with SPHINCS+-SHAKE256-256s
-@subsection cm/pub with SPHINCS+-SHAKE256-256s
+@node cm-pub-sphincs+-shake-256f
+@cindex cm-pub-sphincs+-shake-256f
+@nodedescription cm/pub with SPHINCS+-SHAKE256-256f
+@subsection cm/pub with SPHINCS+-SHAKE256-256f
 @url{https://sphincs.org/, SPHINCS+} with @url{https://keccak.team/, SHAKE256} hash,
- 255-bit security level, small signatures and simple parameters.
+ 255-bit security level, fast variant and simple parameters.
- @code{sphincs+-shake-256s} algorithm identifier is used.
+ @code{sphincs+-shake-256f} algorithm identifier is used.
 Public key's fingerprint should be calculated using SHAKE128.
diff --git a/spec/cm/signed.texi b/spec/cm/signed.texi
index 1015332..315467e 100644
--- a/spec/cm/signed.texi
+++ b/spec/cm/signed.texi
@@ -116,27 +116,27 @@ recipient's public key fingerprint(s).
 HashEdDSA mode is used with @code{ed25519ph-blake2b-merkle} algorithm identifier for signature.
-@node cm-signed-sphincs+-shake-256s
-@cindex cm-signed-sphincs+-shake-256s
-@cindex cm-signed-sphincs+-shake-256s-ph
-@nodedescription cm/signed with SPHINCS+-SHAKE256-256s
-@subsection cm/signed with SPHINCS+-SHAKE256-256s
+@node cm-signed-sphincs+-shake-256f
+@cindex cm-signed-sphincs+-shake-256f
+@cindex cm-signed-sphincs+-shake-256f-ph
+@nodedescription cm/signed with SPHINCS+-SHAKE256-256f
+@subsection cm/signed with SPHINCS+-SHAKE256-256f
 @url{https://sphincs.org/, SPHINCS+} with @url{https://keccak.team/, SHAKE256} hash,
- 255-bit security level, small signatures,
+ 255-bit security level, fast variant,
 simple parameters and deterministic signatures.
- @code{sphincs+-shake-256s} algorithm identifier
+ @code{sphincs+-shake-256f} algorithm identifier
 must be used for the signature in pure signing mode.
- @code{sphincs+-shake-256s-ph} is used in prehash mode.
+ @code{sphincs+-shake-256f-ph} is used in prehash mode.
-@node cm-signed-sphincs+-shake-256s-merkle
-@cindex cm-signed-sphincs+-shake-256s-merkle
-@nodedescription cm-signed-sphincs+-shake-256s with Merkle-tree hashing
-@subsection cm-signed-sphincs+-shake-256s with Merkle-tree hashing
+@node cm-signed-sphincs+-shake-256f-merkle
+@cindex cm-signed-sphincs+-shake-256f-merkle
+@nodedescription cm-signed-sphincs+-shake-256f with Merkle-tree hashing
+@subsection cm-signed-sphincs+-shake-256f with Merkle-tree hashing
 @ref{cm-hashed-shake-merkle, shake256-merkle} Merkle-tree hashing is used.
- @code{sphincs+-shake-256s-merkle} algorithm
+ @code{sphincs+-shake-256f-merkle} algorithm
 identifier must be used for the signature.