Performances

The SDitH scheme has two trade-offs: the trade-off for short signatures (-short suffix) and the trade-off for fast timings (-fast suffix). The proposed instances target 3 security levels defined by NIST: L1 (security of AES-128), L3 (security of AES-192), L5 (security of AES-256).

Security Level L1

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (ms) Sign (ms) Verify (ms)
SDitH2-L1-gf2-short 70 163 3705 0.63 6.73 6.04
SDitH2-L1-gf2-fast 70 163 4484 0.74 2.01 1.79

Security Level L3

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (ms) Sign (ms) Verify (ms)
SDitH2-L3-gf2-short 98 232 7964 3.02 42.26 39.83
SDitH2-L3-gf2-fast 98 232 9916 1.56 6.36 5.75

Security Level L5

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (ms) Sign (ms) Verify (ms)
SDitH2-L5-gf2-short 132 307 14121 1.55 60.48 57.23
SDitH2-L5-gf2-fast 132 307 17540 1.82 9.42 8.70

Main features

Conservative security

Our signature scheme is based on the presumably hardest problem in code-based cryptography: the Syndrome Decoding (SD) problem for random linear codes.

Adaptive and tunable parameters

Using MPCitH enables us to tailor parameters, in particular the number of parties, meaning that we can provide a variety of parameter sets tailored to different use cases.

Small code-based signatures

SD-in-the-Head is particularly performant in terms of the common “signature size + public-key size” metric (one of the best code-based schemes for this metric).

Small key sizes

Both the secret key and public key sizes are small. The public key, which is often transported with the signature, is between 70-132 bytes across all security levels.