FIPS 205 SPHINCS+ Guide

Introduction

This guide explains how to use Kyber Club's FIPS 205 SPHINCS+ tools to generate quantum-safe keypairs, sign data, and verify signatures. We'll follow a scenario with Alice and Bob to demonstrate the process. SPHINCS+, a stateless hash-based digital signature algorithm, ensures data authenticity and integrity against quantum computer attacks, as standardised by NIST.

Use Scenario: Alice and Bob

Alice wants to sign a document to prove its authenticity to Bob, ensuring it remains verifiable even against quantum threats. She uses Kyber Club's SPHINCS+ tools to generate a keypair and shares the public key with Bob. Alice signs the document, and Bob verifies the signature using her public key, confirming the document's integrity and origin.

Step-by-Step Guide

Follow these steps to use our SPHINCS+ tools effectively:

1. Generate a Keypair (Alice)

   Visit the keypair generation tool. This creates keypairs for SPHINCS+-SHAKE-128f, SPHINCS+-SHAKE-192f, and SPHINCS+-SHAKE-256f, each offering different security levels. We recommend SPHINCS+-SHAKE-192f for a balance of security (Level 3) and performance, suitable for most applications.

   Action: Download each keypair or copy them to a secure location. For example, click 'Download' next to SPHINCS+-SHAKE-192f to save 'SPHINCS-SHAKE-192f-public.txt' and 'SPHINCS-SHAKE-192f-private.txt'. Alternatively, use the 'Download All as ZIP' button to get all keypairs in one file.

   Important: Store both public and private keys securely. The private key must remain confidential and stored offline, as it cannot be regenerated. Without it, you cannot sign data, and existing signatures cannot be recreated.

2. Share the Public Key (Alice)

   Send the public key (e.g., 'SPHINCS-SHAKE-192f-public.txt') to Bob via a trusted channel, such as secure email or messaging. Never share the private key.

   Tip: Confirm with Bob that he received the correct public key to ensure successful verification.

3. Sign Data (Alice)

   Alice visits the signing tool. She pastes her private key (e.g., from 'SPHINCS-SHAKE-192f-private.txt') into the text box or uploads the private key file. Then, she enters the data to sign - either by pasting text (up to 1KB) or uploading a file (up to 5MB, such as a document or image).

   Action: Click 'Generate SPHINCS+ Signature'. The tool detects the variant (e.g., 192f) from the private key and produces a signature. Alice can copy the signature or download it as a file (e.g., 'sphincs-shake-192f-signature.txt' for pasted data or 'document.pdf.SPHINCS-SHAKE-192f.sig.txt' for files).

   Tip: Keep the original data unchanged, as it’s needed for verification.

4. Send Data and Signature (Alice)

   Alice sends the original data and the signature to Bob. These can be sent via any channel, as the signature ensures authenticity and integrity.

5. Verify Signature (Bob)

   Bob visits the verification tool. He pastes Alice’s public key (e.g., from 'SPHINCS-SHAKE-192f-public.txt') or uploads the public key file. Then, he provides the original data (by pasting text up to 1KB or uploading a file up to 6MB) and the signature (by pasting or uploading the signature file, up to 100KB).

   Action: Click 'Validate SPHINCS+ Signature'. The tool verifies the signature and displays whether it is valid, confirming the data’s authenticity and integrity (e.g., 'The signature for document.pdf ... is valid').

   Important: If the signature is invalid, check that the data, signature, and public key match exactly.

Safekeeping Your Keys

Your private key is critical for signing and cannot be regenerated. If lost, you cannot create new signatures, and existing signatures cannot be recreated. Follow these best practices:

• Store private keys offline, such as on a secure USB drive or encrypted storage device.
• Back up keys in multiple secure locations to prevent loss from hardware failure.
• Never share your private key, even with trusted parties.
• Use strong passwords and encryption for any device or file containing your keys.

Public keys can be shared freely but should be sent via a trusted channel to avoid tampering.

Additional Tips

• Choose the Right Variant: SPHINCS+-SHAKE-192f is recommended for most users, offering strong security (Level 3) with reasonable performance. Use SPHINCS+-SHAKE-128f for faster signing with lower security (Level 1) or SPHINCS+-SHAKE-256f for maximum security (Level 5).
• Verify Inputs: Ensure private and public keys, data, and signatures are correct to avoid signing or verification failures.
• Data Size Limits: The signing tool accepts pasted text up to 1KB or files up to 5MB. The verification tool accepts text up to 1KB, files up to 6MB, and signatures up to 100KB.
• Security Assurance: Data and keys are processed in memory and not stored. See our Privacy Policy for details.
• Combine with Encryption: For confidential data, pair SPHINCS+ signatures with ML-KEM encapsulation using our FIPS 203 tools.

Need Help?

If you encounter errors, have questions, or wish to suggest improvements, please visit our contact page. We're here to help you secure your data with quantum-safe signatures.