SPHINCS+

• Algorithm type: Digital signature scheme.
• Main cryptographic assumption: hash-based signatures.
• Principal submitters: Andreas Hülsing.
• Auxiliary submitters: Jean-Philippe Aumasson, Daniel J. Bernstein,, Ward Beullens, Christoph Dobraunig, Maria Eichlseder, Scott Fluhrer, Stefan-Lukas Gazdag, Panos Kampanakis, Stefan Kölbl, Tanja Lange, Martin M. Lauridsen, Florian Mendel, Ruben Niederhagen, Christian Rechberger, Joost Rijneveld, Peter Schwabe, Bas Westerbaan.
• Authors' website: https://sphincs.org/
• Specification version: NIST Round 3 submission, v3.1 (June 10, 2022).
• Primary Source:
  • Source: https://github.com/PQClean/PQClean/commit/8e221ae797b229858a0b0d784577a8cb149d5789 with copy_from_upstream patches
  • Implementation license (SPDX-Identifier): CC0-1.0

Advisories

• This algorithm is not tested under Windows.

Parameter set summary

Parameter set	Parameter set alias	Security model	Claimed NIST Level	Public key size (bytes)	Secret key size (bytes)	Signature size (bytes)
SPHINCS+-SHA2-128f-simple	NA	EUF-CMA	1	32	64	17088
SPHINCS+-SHA2-128s-simple	NA	EUF-CMA	1	32	64	7856
SPHINCS+-SHA2-192f-simple	NA	EUF-CMA	3	48	96	35664
SPHINCS+-SHA2-192s-simple	NA	EUF-CMA	3	48	96	16224
SPHINCS+-SHA2-256f-simple	NA	EUF-CMA	5	64	128	49856
SPHINCS+-SHA2-256s-simple	NA	EUF-CMA	5	64	128	29792
SPHINCS+-SHAKE-128f-simple	NA	EUF-CMA	1	32	64	17088
SPHINCS+-SHAKE-128s-simple	NA	EUF-CMA	1	32	64	7856
SPHINCS+-SHAKE-192f-simple	NA	EUF-CMA	3	48	96	35664
SPHINCS+-SHAKE-192s-simple	NA	EUF-CMA	3	48	96	16224
SPHINCS+-SHAKE-256f-simple	NA	EUF-CMA	5	64	128	49856
SPHINCS+-SHAKE-256s-simple	NA	EUF-CMA	5	64	128	29792

SPHINCS+-SHA2-128f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?‡
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

‡For an explanation of what this denotes, consult the Explanation of Terms section at the end of this file.

SPHINCS+-SHA2-128s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHA2-192f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHA2-192s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHA2-256f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHA2-256s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-128f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-128s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-192f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-192s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-256f-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

SPHINCS+-SHAKE-256s-simple implementation characteristics

Implementation source	Identifier in upstream	Supported architecture(s)	Supported operating system(s)	CPU extension(s) used	No branching-on-secrets claimed?	No branching-on-secrets checked by valgrind?	Large stack usage?
Primary Source	clean	All	All	None	False	False	False
Primary Source	avx2	x86_64	Linux,Darwin	AVX2	True	True	False

Are implementations chosen based on runtime CPU feature detection? Yes.

Explanation of Terms

• Large Stack Usage: Implementations identified as having such may cause failures when running in threads or in constrained environments.