07 — Size vs. Speed
The Fundamental Trade-Off
SLH-DSA offers two variants per security level:
| Variant |
Signature size |
Signing time |
Best for |
| s (small) |
Smaller |
Slower |
Bandwidth-constrained |
| f (fast) |
Larger |
Faster |
Signing-constrained |
This trade-off exists because the "small" variant uses larger FORS and hypertree parameters (more hash computations per signature, but fewer components to include). The "fast" variant uses smaller parameters (fewer hash computations, but more components in the signature).
Concrete Numbers
Level 1 (AES-128 equivalent)
|
SLH-DSA-SHA2-128s |
SLH-DSA-SHA2-128f |
| Signature |
7,856 B |
17,064 B |
| Public key |
32 B |
32 B |
| Private key |
64 B |
64 B |
| Sign time |
~10 ms |
~2 ms |
| Verify time |
~1 ms |
~0.5 ms |
| FORS height (a) |
12 |
6 |
| FORS trees (k) |
14 |
33 |
| Hypertree layers (d) |
7 |
22 |
| Tree height (h) |
3 |
3 |
Level 3 (AES-192 equivalent)
|
SLH-DSA-SHA2-192s |
SLH-DSA-SHA2-192f |
| Signature |
16,224 B |
35,664 B |
| Sign time |
~20 ms |
~4 ms |
Level 5 (AES-256 equivalent)
|
SLH-DSA-SHAKE-256s |
SLH-DSA-SHAKE-256f |
| Signature |
29,792 B |
49,856 B |
| Sign time |
~40 ms |
~8 ms |
Why s Is Slower
The "small" variant uses:
- Taller FORS trees (a): Must compute longer Merkle paths (more hash operations)
- Fewer FORS trees (k): Each tree is larger, so path computation is more expensive
- Fewer hypertree layers (d): Each layer is larger, requiring more WOTS+ chains
But the signature is smaller because:
- Fewer FORS trees → fewer Merkle paths to include
- Fewer hypertree layers → fewer WOTS+ signatures to include
Why f Is Faster
The "fast" variant uses:
- Shorter FORS trees (a): Merkle paths are shorter (fewer hash operations)
- More FORS trees (k): Each tree is smaller, but there are more of them
- More hypertree layers (d): Each layer is smaller and faster to traverse
But the signature is larger because:
- More FORS trees → more Merkle paths to include
- More hypertree layers → more WOTS+ signatures and paths to include
Protocol Impact
| Protocol |
Typical payload |
SLH-DSA-SHA2-128s impact |
SLH-DSA-SHA2-128f impact |
| TLS handshake |
~2–4 KB |
+7.9 KB (significant) |
+17 KB (very large) |
| Code signing |
1–100 MB |
Negligible |
Negligible |
| Firmware image |
1–50 MB |
Negligible |
Negligible |
| Document signing |
10 KB–10 MB |
Negligible |
Negligible |
| Blockchain tx |
~250 B |
Very large (32×) |
Extremely large (68×) |
Benchmarks on Real Hardware
| Platform |
SHA2-128s sign |
SHA2-128f sign |
SHA2-128s verify |
| Intel Core i7 (3.6 GHz) |
~8 ms |
~2 ms |
~0.8 ms |
| ARM Cortex-A72 |
~25 ms |
~6 ms |
~2.5 ms |
| ARM Cortex-M4 (embedded) |
~500 ms |
~120 ms |
~50 ms |
Note: SLH-DSA signing is cache-friendly — the same hash operations repeated many times. Verification is faster because it involves fewer hash computations.
Choosing Between s and f
| Use case |
Recommendation |
Rationale |
| Firmware signing |
f |
Speed matters; size is irrelevant |
| Document archives |
s |
Size matters for long-term storage |
| Trust anchor certs |
s |
Rarely signed; size matters for distribution |
| High-frequency timestamps |
f |
Speed matters most |
| TLS (if you must) |
Neither — use ML-DSA |
SLH-DSA is too large for TLS |
| Embedded/IoT |
s |
Smaller signatures; cache helps with repeated hashing |
Comparison with Other PQC Signatures
| Algorithm |
Signature size |
Sign time |
Verify time |
Best for |
| SLH-DSA-SHA2-128s |
7,856 B |
~8 ms |
~0.8 ms |
Conservative trust anchors |
| SLH-DSA-SHA2-128f |
17,064 B |
~2 ms |
~0.4 ms |
Fast conservative signing |
| ML-DSA-65 |
3,293 B |
~0.5 ms |
~0.12 ms |
General purpose |
| FN-DSA-512 |
666 B |
~1 ms |
~0.1 ms |
Constrained bandwidth |
| ECDSA P-256 |
64 B |
~0.05 ms |
~0.1 ms |
Legacy (not quantum-safe) |
Resources