# Alice, Bob & Eve: Digital signatures using quantum-safe SLH-DSA

The **Stateless Hash-based Digital Signature Algorithm** (SLH-DSA, formerly known as **SPHINCS+**) is second post-quantum algorithm that came from NIST competition and was standardized as FIPS 205. This algorithm is not based on (relatively new) concept of lattices, but instead uses well-known principles of hashing. It serves as a hedge against possible unknown weaknesses in lattice-based assumptions and is a very conservative choice.

## No support yet

Sadly, this algorithm is not natively available for use on any mainstream platform. .NET has class for it (`System.Security.Cryptography.SlhDsa`), so the code will compile, but not run - the `IsSupported` property returns `false`:

In [None]:
// Install the Microsoft.Bcl.Cryptography package 
#r "nuget: Microsoft.Bcl.Cryptography"

// Import namespace
using System.Security.Cryptography;

// Show what runtime we're actually on
Console.WriteLine($"Runtime version:  {System.Runtime.InteropServices.RuntimeInformation.FrameworkDescription}");

#pragma warning disable SYSLIB5006 // Ignore [Experimental] warning for demo purposes

// Check whether SLH-DSA is supported on this platform
Console.WriteLine($"SLH-DSA supported: {SlhDsa.IsSupported}");

Runtime version:  .NET 9.0.11
SLH-DSA supported: False


At time of writing, neither of Windows, Linux or Mac OS does support SLH-DSA natively. There are 3rd party libraries available, like Bouncy Castle, but no native support yet. This is actually consistent with rollout plans, as ML-DSA is the primary algorithm and was implemented first.

## SLH-DSA Variants

SLH-DSA is known for its relatively short keys and very long signatures. It can use either SHA2 or SHAKE hash algorithms as its base, but the properties remain constant.

Here is table containing the main algorithm data:

Variant      | AES Eq. | RSA Eq.   | PrivKey (B) | PrivKey (bits) | PubKey (B) | PubKey (bits) | Signature (B) | Signature (bits)
------------ | ------- | --------- | ----------: | -------------: | ---------: | ------------: | ------------: | ---------------:
SLH‑DSA‑128s | AES‑128 | RSA‑3072  |          64 |            512 |         32 |           256 |         7 856 |           62 848
SLH‑DSA‑128f | AES‑128 | RSA‑3072  |          64 |            512 |         32 |           256 |        17 088 |          136 704
SLH‑DSA‑192s | AES‑192 | RSA‑7680  |          96 |            768 |         48 |           384 |        16 224 |          129 792
SLH‑DSA‑192f | AES‑192 | RSA‑7680  |          96 |            768 |         48 |           384 |        35 664 |          285 312
SLH‑DSA‑256s | AES‑256 | RSA‑15360 |         128 |          1 024 |         64 |           512 |        29 792 |          238 336
SLH‑DSA‑256f | AES‑256 | RSA‑15360 |         128 |          1 024 |         64 |           512 |        49 856 |          398 848