SLH-DSA

What is SLH-DSA?

SLH-DSA is a stateless, hash-based signature scheme that protects data against quantum computing attacks. It is based on the hardness of finding preimages of hash functions. The hardness assumption is well studied and trusted, leading SLH-DSA and the most conservative choice for digital signing algorithms.

SLH-DSA is a special-purpose digital signature scheme that can be used in systems with low throughput and high memory footprints. An example of usage would be in code signing, where long signing times and large signature sizes are not prohibitive. Due to the small public key sizes, it is also an attractive solution for systems that are agnostic to timings and signature sizes but have little space for public keys. SLH-DSA is not meant as a general replacement for protocols like TLS.

SLH-DSA By the Numbers

SLH-DSA's high security assurances come with a tradeoff. It is much slower and much larger than traditional primitives. When designing a system, it is important to make sure the signatures will properly fit. The good news is that SLH-DSA public and private keys are smaller than RSA keys. Below is a list of the sizes of SLH-DSA with comparisons with its RSA and ECC counterparts. RSA 2048 and Ed25519 are used as the comparison since they are the most widely used RSA and ECC signature schemes for certificates.

NIST Standardized

In Autust 2024, the United States National Institute of Standards and Technology (NIST) standardized SLH-DSA in their FIPS 205 (link to: https://csrc.nist.gov/pubs/fips/205/final) document. They assert that SLH-DSA is usable by US government organizations for sensitive information.

Further, NIST has given guidance that organizations should switch to PQC by 2030. They have also commented that after 2035 PQC cryptography will be mandatory for government agencies.