SLH-DSA-SHA2-128f Security API

Version: 1.0.0
Last Updated: 2025-01-02
Security Classification: Stateless Hash-Based Signature
Author: MetaMUI Security Team

Overview

SLH-DSA-SHA2-128f (SPHINCS+) is a stateless hash-based signature scheme using SHA-256, providing 128-bit security without state management requirements.

• Algorithm Family: Hash-based signature
• NIST Security Level: Level 1 (128-bit security)
• Key Sizes:
  • Public Key: 32 bytes
  • Secret Key: 64 bytes
  • Signature: 7856 bytes (fast variant)
• Standard: FIPS 205

Security Warnings ⚠️

1. Large Signatures: 7856 bytes per signature
2. Stateless: No state management required (advantage)
3. Hash-based Security: Security relies on SHA-256
4. Fast Variant: Optimized for signing speed

API Functions

Key Generation

def slh_dsa_sha2_128f_keygen() -> Tuple[PublicKey, SecretKey]:
    """Generate stateless hash-based keypair"""

Signing

def slh_dsa_sha2_128f_sign(message: bytes, secret_key: SecretKey) -> Signature:
    """Sign with stateless hash-based signature"""

Verification

def slh_dsa_sha2_128f_verify(message: bytes, signature: Signature, public_key: PublicKey) -> bool:
    """Verify hash-based signature"""

Security Best Practices

• Use when stateless operation is required
• Suitable for firmware signing
• Consider signature size in bandwidth-limited applications
• No special state management needed

Security Analysis

Threat Model: SLH-DSA-SHA2-128f Threat Model

The comprehensive threat analysis covers:

• Algorithm-specific attack vectors
• Implementation vulnerabilities
• Side-channel considerations
• Quantum resistance analysis (where applicable)
• Deployment recommendations

For complete security analysis and risk assessment, see the dedicated threat model documentation.

References

1. FIPS 205: Stateless Hash-Based Digital Signature Standard
2. SPHINCS+ Specification

---

Back to Algorithm Security APIs