What are the differences between Gravity-SPHINCS and SPHINCS+ from security and practicality standpoints? Are they just different implementations of the underlying SPHINCS algorithms or are they functional variations on the underlying algorithms?
Asked
Active
Viewed 958 times
1 Answers
8
Gravity-SPHINCS and SPHINCS+ are two different improvements of the original SPHINCS algorithm. Both change the few-time signature scheme HORST (used in SPHINCS) in slightly different ways. However, both are variations of HORST. This leads to variable length signatures for Gravity-SPHINCS and fixed length signatures for SPHINCS+ which are as long as the signatures one would obtain from using the Gravity-SPHINCS few-time signature scheme in SPHINCS+ in the worst case. However, the often shorter variable length signatures come at the cost of far more complicated signing and verification.
Moreover, both change the way the index of the used few-times signature scheme gets computed. While different, both achieve that the index can be verified by the verifier which was not the case for SPHINCS. Finally, Gravity-SPHINCS uses the assumption that collision-finding for quantum computers is as slow as second-preimage finding under certain assumptions about storage access times. Hence, Gravity-SPHINCS slightly simplifies the way hashing is done in the construction at the cost of only achieving a security reduction from collision resistance of the internal hash function. On the opposite, SPHINCS+ gets a security reduction from second-preimage resistance of the internal hash function (there are different assumptions on the hash function used to compress the message in both proposals).
So to summarize, the schemes follow the same high level design principle but instantiate it in very different ways. Which one is better probably depends on what you want.
mephisto
- 2,968
- 20
- 29