SPHINCS$^+$ post-quantum digital signature scheme with Streebog hash function
E.O. Kiktenko, A.A. Bulychev, P.A. Karagodin, N.O. Pozhar, M.N. Anufriev, and A.K. Fedorov

TL;DR
This paper evaluates the use of the Russian Streebog hash function in the SPHINCS$^+$ post-quantum digital signature scheme, comparing its performance with SHA-256-based versions through benchmarks.
Contribution
It introduces the implementation and performance analysis of Streebog within SPHINCS$^+$, a promising post-quantum signature scheme, highlighting its efficiency and practicality.
Findings
Streebog-based SPHINCS$^+$ shows comparable performance to SHA-256 versions.
Benchmark results demonstrate the viability of Streebog for post-quantum signatures.
Performance varies with different parameter sets, indicating flexibility in deployment.
Abstract
Many commonly used public-key cryptosystems will become insecure once a scalable quantum computer is built. New cryptographic schemes that can guarantee protection against attacks with quantum computers, so-called post-quantum algorithms, have emerged in recent decades. One of the most promising candidates for a post-quantum signature scheme is SPHINCS$^+$, which is based on cryptographic hash functions. In this contribution, we analyze the use of the new Russian standardized hash function, known as Streebog, for the implementation of the SPHINCS$^+$ signature scheme. We provide a performance comparison with the SHA-256-based instantiation and give benchmarks for various sets of parameters.
Corresponding authors: [email protected] (E.O.K.); [email protected] (A.K.F.)
Affiliations: Russian Quantum Center, Skolkovo, Moscow 143025, Russia; QApp, Skolkovo, Moscow 143025, Russia
1 Introduction
Public-key cryptography is a cornerstone of internet security. Quantum computers pose a threat to the widely deployed public-key cryptography schemes whose security is based on the computational complexity of certain tasks, such as integer factorization and the discrete logarithm. Shor’s quantum algorithm [1] and variational quantum factoring [2] would allow one to solve these tasks with a significant speedup [3]. Quantum computers have less of an effect on symmetric cryptography, since Shor’s algorithm does not apply to its cryptanalysis. Nevertheless, Grover’s algorithm [4] would give quantum computers a quadratic speedup in brute-force attacks. Thus, the current goal is to develop cryptographic systems that are secure against both classical and quantum attacks before large-scale quantum computers arrive.
Fortunately, not all public-key cryptosystems are vulnerable to attacks with quantum computers [5]. Several cryptosystems, which strive to remain secure under the assumption that the attacker has a large-scale quantum computer, have been suggested [6]. These schemes are in the scope of so-called post-quantum cryptography. Existing proposals for post-quantum cryptography include code-based and lattice-based schemes for encryption and digital signatures as well as signature schemes based on hash functions.
Hash-based digital signatures are built upon cryptographic hash functions, which are well-known tools in modern cryptography. Such schemes attract significant attention since their security can be reduced to the properties of the chosen hashing primitive. Another benefit of hash-based signature schemes is their flexibility: they can be used with any secure hash function, so if a flaw is discovered in the hash function in use, the signature scheme only needs to switch to a new, secure hash function to remain effective. The most advanced version of hash-based digital signatures is SPHINCS+ [7], which is a modification of the previously suggested SPHINCS scheme employing the Merkle hyper-tree [8]. Another option is the Gravity-SPHINCS scheme [9], whose primary innovation is the update of the authentication scheme. Nevertheless, SPHINCS+ requires fewer security assumptions.
In the present work, we consider the use of the new Russian standardized hash function, known as Streebog (GOST R 34.11-2012), for the implementation of the SPHINCS+ signature scheme. The Streebog hash function, described in RFC 6986 [10], is a Merkle–Damgård-type function, which makes it suitable for use in the SPHINCS+ scheme. We provide a performance comparison with the SHA-256-based instantiation and give benchmarks for various sets of parameters.
2 SPHINCS+ instantiation with Streebog hash function
The main goal of this paper is to analyze the use of the Russian standardized hash function in the SPHINCS+ signature scheme. To this end, we start with a brief overview of SPHINCS+ and then present the results of its operation with the Russian standardized hash function Streebog, specified in GOST R 34.11-2012 and described in RFC 6986 [10].
2.1 SPHINCS+ signature scheme
The SPHINCS+ scheme uses a Merkle hyper-tree that consists of a large number of binary hash trees (see Fig. 1). Each node in a binary hash tree is associated with a hash string and has exactly two child nodes; the hash string of a node is computed as a function of its children’s strings. To build each subtree, several public-private key pairs of Winternitz-type one-time signatures (WOTS+) [11] are generated. The compressed public keys are used as the subtree leaves, whereas the corresponding private keys sign the roots of lower-level subtrees. On the lowest level, Winternitz key pairs sign the public keys of FORS (Forest of Random Subsets) elements, and the FORS elements in turn sign the actual messages. For a given FORS element, the signature security decreases with every signed message. However, the FORS element in the hyper-tree is selected pseudorandomly, and the probability of selecting the same FORS element multiple times falls off much faster. For this reason, there is no need to keep count of the FORS keys already used, i.e., to “maintain the state”. The hyper-tree part closely follows the Extended Merkle Signature Scheme (XMSS), a stateful signature scheme proposed for standardization by the IETF [12]. Typically, there are 10 to 20 layers of subtrees, each with a height of about 3 to 8, depending on the security level and other properties (see Table I for the various parameter sets). The full hyper-tree is not held in memory; rather, the necessary parts are generated dynamically when signing takes place.
A private key of the scheme consists of two seeds. The first one is used to pseudorandomly generate the FORS and Winternitz secret key elements, and the other generates a randomization value for the message hashing. Public keys also have two elements: the root of the hyper-tree and a public seed that is used in various parts of the scheme. In practical implementations, the secret key also holds a copy of the public key elements.
To sign a message, a randomizer is generated and the message is hashed together with this randomizer. The output is split into a message digest and a part that determines the subtree and the leaf position of the FORS element to use. The message digest is signed by the FORS scheme, and after that the hyper-tree signature of the corresponding FORS public key is computed. It consists of Winternitz one-time signatures interleaved with Merkle authentication paths in the subtrees. The full SPHINCS+ signature includes the FORS and hyper-tree signatures. For verification, the FORS public key is reconstructed, then the hyper-tree root is computed and compared to the published value. The SPHINCS+ security level (in bits) and the private key, public key and signature sizes (in bytes) for different specifications of the scheme are presented in Table I according to Ref. [7], even though the claimed security levels might be overestimated [13].
The security of hash-based signature schemes can be reduced to underlying hash function properties. The SPHINCS+ scheme can be built entirely from standard hash functions. However, it uses several auxiliary functions to wrap calls to them. They are summarized in Table II.
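To make the tree structure and the reduction to hash-function properties concrete, here is an added example (not code from the paper or from the SPHINCS+ project): one binary hash tree of the kind that forms each SPHINCS+ subtree, with authentication-path generation on the signer's side and root recomputation on the verifier's side. The hash function is a parameter with a plain bytes-in/bytes-out interface; it runs here with SHA-256 and SHA3-256 from hashlib, and a Streebog implementation exposing the same interface would slot into the same place (an assumption about the interface; no Streebog implementation ships with Python). The leaves are constructed stand-ins for compressed WOTS+ public keys, and the 0x00/0x01 domain-separation prefixes are this example's choice, not the SPHINCS+ address scheme.

```python
import hashlib
from typing import Callable, List, Tuple

# Added example, not code from the paper: one binary hash tree of the kind that
# forms each SPHINCS+ subtree, with authentication-path generation and verification.
# The hash function is a parameter (bytes -> bytes), so SHA-256 and a Streebog
# implementation with the same interface (assumed, not bundled with Python) are
# interchangeable without touching the tree logic.

HashFn = Callable[[bytes], bytes]


def digest_fn(name: str) -> HashFn:
    """Wrap a hashlib algorithm name as a bytes -> bytes function."""
    return lambda data: hashlib.new(name, data).digest()


sha256: HashFn = digest_fn("sha256")


def leaf_hash(h: HashFn, leaf: bytes) -> bytes:
    # 0x00 prefix separates leaf hashes from internal-node hashes (domain separation,
    # chosen for this example).
    return h(b"\x00" + leaf)


def node_hash(h: HashFn, left: bytes, right: bytes) -> bytes:
    # Internal node: hash of the concatenated child strings, 0x01 prefix.
    return h(b"\x01" + left + right)


def build_tree(h: HashFn, leaves: List[bytes]) -> List[List[bytes]]:
    """Return all tree levels: levels[0] are the leaf hashes, levels[-1] is [root]."""
    n = len(leaves)
    if n == 0 or (n & (n - 1)) != 0:
        raise ValueError("number of leaves must be a power of two")
    level = [leaf_hash(h, x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(h, level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to (but excluding) the root: the Merkle
    authentication path the signer includes in the signature."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])  # sibling of the current node
        index >>= 1
    return path


def root_from_path(h: HashFn, leaf: bytes, index: int, path: List[bytes]) -> bytes:
    """Verifier side: recompute the root from a leaf, its index and its authentication path."""
    node = leaf_hash(h, leaf)
    for sibling in path:
        # The low bit of the index says whether the current node is the right child.
        node = node_hash(h, sibling, node) if index & 1 else node_hash(h, node, sibling)
        index >>= 1
    return node


def demo(h: HashFn = sha256) -> Tuple[bool, bool, int]:
    """Build a height-3 tree over constructed stand-ins for compressed WOTS+ public keys,
    then accept the genuine leaf and reject a forged one.
    Returns (genuine_accepted, forged_accepted, path_length)."""
    leaves = [b"wots-plus-pk-%d" % i for i in range(8)]  # constructed sample leaves
    levels = build_tree(h, leaves)
    root = levels[-1][0]  # this is what the public key would publish
    index = 5
    path = auth_path(levels, index)
    genuine_accepted = root_from_path(h, leaves[index], index, path) == root
    forged_accepted = root_from_path(h, b"forged-pk", index, path) == root
    return genuine_accepted, forged_accepted, len(path)


if __name__ == "__main__":
    print("SHA-256 tree:", demo(sha256))
    print("SHA3-256 tree:", demo(digest_fn("sha3_256")))
```

Swapping `sha256` for `digest_fn("sha3_256")` changes every node value and the root, but none of the tree, path or verification logic; that is the property the paper relies on when it replaces SHA-256 with Streebog.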
2.2 SPHINCS+ with Streebog Hash Function
SPHINCS+ describes instantiations of the auxiliary functions in terms of three hash functions: SHAKE256, SHA-256, and Haraka. The Russian standardized hash function Streebog is of Merkle–Damgård type, which makes it similar to SHA-256. Its compression function operates in the Miyaguchi–Preneel mode and employs a 12-round AES-like cipher. Cryptanalysis of the Streebog hash function has been the subject of intensive research [14, 15, 16].
The necessary auxiliary functions and their instantiations in terms of the SHA-256 and Streebog functions are summarized in Table III. MGF1 is a hash-based mask generation function [17], and HMAC is keyed hashing for message authentication [18]. For SHA-256, we consider the function of the following form:
[TABLE]
For the Streebog instantiations, it changes as follows:
[TABLE]
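The following added example is not the paper's code and does not reproduce its Tables II and III, which are absent from this page. It shows how three of the auxiliary functions are assembled from a single hash function plus MGF1 and HMAC, modelled on the shape of the SHA-256 instantiation in the original SPHINCS+ submission [7] (PRF as a hash of seed and address, PRF_msg as an HMAC, H_msg as a hash stretched with MGF1); the byte-level padding and address encodings of that document, and the changes made in later revisions, are simplified here. The hash is selected by its hashlib name, so SHA-256 runs as-is, and a Streebog provider registered in the local OpenSSL would be selected by whatever name it registers (an assumption; nothing here bundles Streebog). All seeds and the message are constructed sample values.

```python
import hashlib
import hmac
from typing import Callable, Tuple

# Added example, not the paper's code and not a copy of its Tables II/III. It builds
# three SPHINCS+ auxiliary functions from one hash function plus MGF1 and HMAC,
# following the shape of the SHA-256 instantiation in the SPHINCS+ submission
# (padding/address details simplified). The hash is chosen by hashlib name so that,
# assuming a Streebog provider is registered under some name in the local OpenSSL,
# the same code would build the Streebog instantiation; no Streebog is bundled.

HashFn = Callable[[bytes], bytes]


def digest_fn(name: str) -> HashFn:
    """Wrap a hashlib algorithm name as a bytes -> bytes function."""
    return lambda data: hashlib.new(name, data).digest()


def mgf1(h: HashFn, seed: bytes, out_len: int) -> bytes:
    """MGF1 (RFC 8017, B.2.1): concatenate h(seed || C) for C = 0, 1, ... with C as a
    4-byte big-endian counter, then truncate to out_len bytes. This stretches a
    fixed-size digest to the length the scheme needs."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += h(seed + counter.to_bytes(4, "big"))
        counter += 1
    return out[:out_len]


class Aux:
    """Auxiliary functions instantiated over the hashlib algorithm `name`."""

    def __init__(self, name: str):
        self.name = name
        self.h = digest_fn(name)

    def prf(self, seed: bytes, adrs: bytes) -> bytes:
        # PRF(SEED, ADRS): derives WOTS+/FORS secret elements from the first private
        # seed and the position (address) of the element in the hyper-tree.
        return self.h(seed + adrs)

    def prf_msg(self, sk_prf: bytes, opt_rand: bytes, msg: bytes) -> bytes:
        # PRF_msg: the message randomizer R, keyed with the second private seed.
        return hmac.new(sk_prf, opt_rand + msg, self.name).digest()

    def h_msg(self, r: bytes, pk_seed: bytes, pk_root: bytes, msg: bytes, m: int) -> bytes:
        # H_msg: randomized message hash stretched by MGF1 to m bytes; the caller
        # splits the output into the FORS digest and the tree/leaf index part.
        inner = self.h(r + pk_seed + pk_root + msg)
        return mgf1(self.h, r + pk_seed + inner, m)


def demo(name: str = "sha256") -> Tuple[int, bool, bool]:
    """Exercise the three functions with constructed seeds.
    Returns (len(H_msg output), randomizer changes the digest, address changes PRF output)."""
    aux = Aux(name)
    sk_seed, sk_prf = b"\x11" * 32, b"\x22" * 32   # constructed private-key seeds
    pk_seed, pk_root = b"\x33" * 32, b"\x44" * 32  # constructed public-key elements
    msg = b"constructed message"
    r1 = aux.prf_msg(sk_prf, b"\x00" * 32, msg)
    r2 = aux.prf_msg(sk_prf, b"\x01" * 32, msg)   # different OptRand -> different R
    d1 = aux.h_msg(r1, pk_seed, pk_root, msg, 48)
    d2 = aux.h_msg(r2, pk_seed, pk_root, msg, 48)
    e0 = aux.prf(sk_seed, b"\x00" * 32)
    e1 = aux.prf(sk_seed, b"\x01" * 32)
    return len(d1), d1 != d2, e0 != e1


if __name__ == "__main__":
    print("sha256:", demo("sha256"))
```

Because every function takes the hash only through `digest_fn(name)` and the `hmac` `digestmod` name, moving from the SHA-256 column of Table III to the Streebog column is a change of one string, provided the Streebog provider is available to hashlib.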
In the SPHINCS+ specification, three levels of security are considered. For each level, two sets of parameters are provided: one is optimized for speed and the other for signature size [7].
We provide the results of a performance comparison of the SPHINCS+ Streebog and SHA-256 instantiations for each parameter set. For the comparison, we employ the implementations of both hash functions from the CryptoPro CSP 4.0.9958 (Zhegalkin version) library [19]. All tests were performed on a Xeon E5-2696v3 @ 2.3-3.8 GHz processor running Linux 4.9, using the Google Benchmark framework [20]. The results are shown in Fig. 2. One can see that, for this particular implementation of the hash functions, Streebog achieves comparable performance and is thus quite suitable for use in the SPHINCS+ scheme.
3 Conclusion
We have analyzed how the SPHINCS+ hash-based digital signature scheme can be instantiated with the Streebog hash function, which is defined in the Russian Federation state standard GOST R 34.11-2012. The SPHINCS+ scheme is provably secure, and its security depends only on the properties of the underlying hash function. The Streebog hash function satisfies the requirements for its use in the SPHINCS+ digital signature scheme.
Acknowledgments
The work was partially supported by the Russian Foundation for Basic Research (18-37-20033). The authors would like to thank E.K. Alekseev, L.R. Akhmetzyanova, and L.A. Sonina for fruitful discussions and technical support with the Streebog and SHA-256 implementations.
References
[1] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput. 26, 1484 (1997).
[2] E.R. Anschuetz, J.P. Olson, A. Aspuru-Guzik, and Y. Cao, Variational quantum factoring, arXiv:1808.08927.
[3] ETSI White Paper No. 8, Quantum Safe Cryptography and Security (2015).
[4] L.K. Grover, A fast quantum mechanical algorithm for database search, in Proceedings of the 28th Annual ACM Symposium on the Theory of Computing (New York, USA, 1996), p. 212.
[5] D.J. Bernstein, Introduction to post-quantum cryptography (Springer-Verlag, Berlin Heidelberg, 2009).
[6] D.J. Bernstein and T. Lange, Post-quantum cryptography, Nature 549, 188 (2017).
[7] D.J. Bernstein, C. Dobraunig, M. Eichlseder, S. Fluhrer, S.-L. Gazdag, A. Hülsing, P. Kampanakis, S. Kölbl, T. Lange, M.M. Lauridsen, F. Mendel, R. Niederhagen, C. Rechberger, J. Rijneveld, and P. Schwabe, SPHINCS+, Submission to the NIST post-quantum project, 2017.
[8] D.J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, M. Schneider, P. Schwabe, and Z. Wilcox-O’Hearn, SPHINCS: Practical stateless hash-based signatures, Lect. Notes Comp. Sci. 9056, 368 (2015).
