SPHINCS+ Introduction
As a summary of the SPHINCS+ algorithm, we take the excellent description of SPHINCS+ from Use of the SPHINCS+ Signature Algorithm in the Cryptographic Message Syntax (CMS) (draft, R. Housley, 21 November 2022):
SPHINCS+ is a hash-based signature scheme which consists of a few-time signature construction, namely Forest of Random Subsets (FORS), and a hypertree [a tree of trees]. FORS signs a message with a private key. The corresponding FORS public keys are the leaves in k binary trees. The roots of these trees are hashed together to form a FORS root. SPHINCS+ uses a one-time signature scheme called WOTS+. The FORS tree roots are signed by a WOTS+ one-time signature private key. The corresponding WOTS+ public keys form the leaves in d-layers of Merkle subtrees in the SPHINCS+ hypertree. The bottom layer of that hypertree signs the FORS roots with WOTS+. The roots of the bottom Merkle subtrees are then signed with WOTS+ and the corresponding WOTS+ public keys form the leaves of the next level up subtree.
Subtree roots are consequently signed by their corresponding subtree layers until we reach the top subtree. The top layer subtree forms the hypertree root which is trusted at the verifier.
A SPHINCS+ signature consists of the FORS signature, the WOTS+ signature in each layer and the path to the root of each subtree until we reach the root of the hypertree.
A SPHINCS+ signature is verified by verifying the FORS signature, the WOTS+ signatures and the path to the root of each subtree. When reaching the root of the hypertree, the signature verifies only if it hashes to the pre-trusted root of the SPHINCS+ hypertree.
SPHINCS+ was designed to sign up to $2^{64}$ messages and offers three security levels: 128 bits, 192 bits, and 256 bits of security.
The parameters of the SPHINCS+ hypertree include the security parameter $n$, the hash function, the tree height, the number of layers of subtrees, the Winternitz parameter of WOTS+, the number of FORS trees and leaves in each.
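The step "verify the path to the root of each subtree" can be seen in isolation in the following added example, which is not code from the quoted draft or from the SPHINCS+ specification. It builds one Merkle subtree, extracts an authentication path for one leaf, and accepts only if the recomputed root equals the pre-trusted root. Assumptions: truncated SHA-256 with a simplified (height, index) address stands in for the SPHINCS+ tweakable hash, and the leaves are constructed placeholders for WOTS+ public keys.

```python
import hashlib
import hmac

N = 16  # n-byte hash output (16 bytes corresponds to the 128-bit security level)

def H(pk_seed: bytes, height: int, index: int, data: bytes) -> bytes:
    # Simplified stand-in for the tweakable hash: binds PK.seed and the node position.
    adrs = height.to_bytes(4, "big") + index.to_bytes(4, "big")
    return hashlib.sha256(pk_seed + adrs + data).digest()[:N]

def build_tree(pk_seed, leaves):
    """Return every level of a binary Merkle tree: levels[0] = leaves, levels[-1] = [root]."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev, height = levels[-1], len(levels)
        levels.append([H(pk_seed, height, i, prev[2 * i] + prev[2 * i + 1])
                       for i in range(len(prev) // 2)])
    return levels

def auth_path(levels, leaf_idx):
    """Sibling node at each height, from the leaf level up to just below the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[leaf_idx ^ 1])
        leaf_idx >>= 1
    return path

def root_from_path(pk_seed, leaf, leaf_idx, path):
    """Recompute the subtree root from one leaf and its authentication path."""
    node = leaf
    for height, sibling in enumerate(path, start=1):
        pair = node + sibling if leaf_idx % 2 == 0 else sibling + node
        leaf_idx >>= 1
        node = H(pk_seed, height, leaf_idx, pair)
    return node

def verify(pk_seed, pk_root, leaf, leaf_idx, path):
    # Accept only if the path hashes to the pre-trusted root.
    return hmac.compare_digest(root_from_path(pk_seed, leaf, leaf_idx, path), pk_root)

def demo():
    pk_seed = bytes(range(N))  # constructed sample value, not a real key
    leaves = [H(pk_seed, 0, i, b"constructed-wots-pk-%d" % i) for i in range(8)]
    levels = build_tree(pk_seed, leaves)
    pk_root, path = levels[-1][0], auth_path(levels, 5)
    good = verify(pk_seed, pk_root, leaves[5], 5, path)
    wrong_leaf = verify(pk_seed, pk_root, leaves[4], 5, path)
    return good, wrong_leaf, len(path)

if __name__ == "__main__":
    print(demo())
```

In the full scheme this check is repeated once per layer: the root recomputed in one subtree is the message verified by the WOTS+ signature in the layer above, and only the top root is compared with PK.root.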
The SPHINCS+ key pair
The public key consists of two $n$-byte values: the root node of the top tree in the hypertree, PK.root, and a random $n$-byte public seed, PK.seed.
The private key consists of the public key plus two more $n$-byte random seeds: SK.seed, to generate the WOTS+ and FORS secret keys, and SK.prf, used for the randomized message digest.
This page first published 17 March 2023. Last updated 27 February 2024.