Performances

The SDitH scheme has two variants: the hypercube variant (-hyp suffix) and the threshold variant (-thr suffix). The proposed instances target 3 security levels defined by NIST: L1 (security of AES-128), L3 (security of AES-192), L5 (security of AES-256). For each variant and each security level, two instances are proposed: an instance with base field GF(256) and an instance with base field GF(251).

Security Level L1

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (cycles) Sign (cycles) Verify (cycles)
SDitH-gf256-L1-hyp 120 404 8241 3.2M 13.4M 12.5M
SDitH-gf251-L1-hyp 120 404 8241 1.7M 22.1M 21.2M
SDitH-gf256-L1-thr 120 404 10117 3.2M 5.1M 1.6M
SDitH-gf251-L1-thr 120 404 10117 1.7M 4.4M 0.6M

Security Level L3

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (cycles) Sign (cycles) Verify (cycles)
SDitH-gf256-L3-hyp 183 616 19161 3.9M 30.5M 27.7M
SDitH-gf251-L3-hyp 183 616 19161 1.9M 51.1M 49.0M
SDitH-gf256-L3-thr 183 616 24918 3.9M 14.8M 4.9M
SDitH-gf251-L3-thr 183 616 24918 1.9M 11.7M 1.5M

Security Level L5

Instance Public Key (bytes) Secret Key (bytes) Signature (bytes) Key Generation (cycles) Sign (cycles) Verify (cycles)
SDitH-gf256-L5-hyp 234 812 33370 7.1M 59.2M 54.4M
SDitH-gf251-L5-hyp 234 812 33370 3.7M 94.8M 91.3M
SDitH-gf256-L5-thr 234 812 43943 7.1M 30.5M 10.2M
SDitH-gf251-L5-thr 234 812 43943 3.7M 23.9M 3.2M

Main features

Conservative security

Our signature scheme is based on the presumably hardest problem in code-based cryptography: the Syndrome Decoding (SD) problem for random linear codes.

Adaptive and tunable parameters

Using MPCitH enables us to tailor parameters, in particular the number of parties, meaning that we can provide a variety of parameter sets tailored to different use cases.

Small code-based signatures

SD-in-the-Head is particularly performant in terms of the common “signature size + public-key size” metric (one of the best code-based schemes for this metric).

Small key sizes

Both the secret key and public key sizes are small. The public key, which is often transported with the signature, is between 120-240 bytes across all security levels.