SPHINCS+ digital signature algorithm becomes post-quantum cryptography standard – SDU professor is co-creator

The National Institute of Standards and Technology (NIST) has officially released the Stateless Hash-Based Digital Signature Standard, also known as Federal Information Processing Standards (FIPS) Publication 205.

These standards are the result of years of global efforts to combat the threats posed by quantum computers on our modern IT security.

Ruben Niederhagen, Associate Professor at Department of Mathematics and Computer Science at University of Southern Denmark, and Assistant Research Fellow at the Institute of Information Science at Academia Sinica in Taiwan is co-creator of one of the chosen standards:  SPHINCS+.

NIST standards play a critical role in IT security worldwide because they greatly influence which cryptography is used on the Internet, and not just when you surf, shop or use your online bank. Their influence also applies to many other forms of digital communication, including communication in cars, trains, planes and even satellites.

The potential threat of quantum computers and the challenges for cryptography

Quantum computers have vast potential applications, but they also pose severe challenges to current network security. Traditional cryptographic components, especially public-key cryptosystems, will become vulnerable as quantum computers develop. These systems are widely used in Internet protocols like HTTPS, public digital infrastructure and anywhere digital signatures are used. Once compromised, the security risks are immense.

The rise of quantum computers mainly threatens cryptosystems that rely on problems like large integer factorization and discrete logarithms, which are difficult to solve on today's computers but become easy with quantum computers. Therefore, developing new cryptographic components that can withstand quantum computer attacks has become a top priority for global cybersecurity research.

– It will be very easy for a quantum computer to break important security systems on conventional computers and thus gain access to all your personal sensitive information. The threat is real, says Ruben Niederhagen, who is an assistant professor at the Department of Mathematics and Computer Science at the University of Southern Denmark and a specialist in cryptography.

To address this challenge, NIST launched an open post-quantum cryptography standardization process in 2016, inviting top cryptography experts worldwide to propose solutions. After three rounds of hard evaluation, NIST selected four algorithms to standardize, one of which is SPHINCS+.

SPHINCS+ and its role in post-quantum cryptography

The SPHINCS+ algorithm is a hash-based digital signature technique that does not rely on large integer factorization or discrete logarithm problems (like traditional signature algorithms). Instead, SPHINCS+ uses security properties of hash functions to ensure the security of digital signatures. The selection of SPHINCS+ not only affirms its technical excellence but also shows the trust in its long-term security. In many applications, security is the primary concern, and SPHINCS+ is designed to meet this need.

SPHINCS+ is designed to provide a long-term secure solution that can resist future quantum computer attacks. Unlike other hash-based digital signature techniques like the Internet Engineering Task Force (IETF) standards XMSS and LMS, it employs a stateless design, meaning that each signing operation does not require the previous signing state, thereby avoiding potential security risks. This feature gives SPHINCS+ a significant advantage in applications requiring high security and reliability.

In the FIPS 205 standard, NIST calls SPHINCS+ the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). The publication of this standard further confirms the importance of SPHINCS+ in post-quantum cryptography and ensures its widespread adoption.

The release and significance of FIPS 205

The official release of FIPS 205 by NIST details the technical specifics of the stateless hash-based digital signature algorithm.

Its release marks the formal standardization of SPHINCS+, which means that the U.S. government now has a widely trusted and secure digital signature technology to face the threats of quantum computers.

FIPS 205 applies not only to all U.S. federal departments and agencies but is also open to private and commercial organizations, allowing them to adopt this standard to protect sensitive information.

The implementation of this standard will effectively enhance data integrity and source authentication capabilities, playing a crucial role in areas such as email, electronic funds transfer, electronic data interchange, and software distribution.

According to FIPS 205, digital signature algorithms should be applied in scenarios requiring data integrity assurance and data source authentication, and should prevent private key leakage to ensure the security of signatures. NIST emphasizes that while FIPS 205 specifies the security requirements for digital signatures, it is still up to individual organizations to ensure the overall security of their systems.

It is widely expected that the NIST standards will be considered for adoption by other national and international standardization agencies as well and that hence SPHINCS+ is likely to also become a standard in other countries and for a wide range of digital solutions.

– For a cryptographer, it is a very rewarding, once-in-a-lifetime opportunity and a great honor to contribute to a cryptographic scheme that gets selected for standardization and that is going to find worldwide adoption, says Ruben Niederhagen.