01 — Why Hash-Based?
The Assumption Hierarchy
Cryptographic security always rests on assumptions. The fewer and simpler the assumptions, the more confidence we have.
| Algorithm Family | Security Assumption | Years of Study | Confidence |
|---|---|---|---|
| RSA | Integer factorisation is hard | ~50 years | High (but Shor breaks it) |
| ECDSA | Discrete logarithm is hard | ~40 years | High (but Shor breaks it) |
| AES | No efficient distinguisher exists | ~25 years | Very high |
| SHA-256 | No efficient preimage/collision finder | ~20 years | Very high |
| ML-DSA | Module-LWE/SIS is hard | ~15 years | High |
| FN-DSA | NTRU lattice problems are hard | ~25 years | Moderate–high |
| SLH-DSA | Hash functions (SHA-2 or SHAKE) resist preimage/second-preimage attacks; collision resistance is not required | ~20 years | Very high (Grover's generic search is already priced into the parameters) |
Why Hash Functions Are Special
Three things make hash functions the safest foundation to build a signature on:
- No exploitable algebraic structure: Shor's algorithm needs the periodic group structure of factoring and discrete logarithms, and lattice attacks exploit the geometry of a vector space. SHA-2 and SHA-3 expose nothing comparable; the best known quantum attack on them is Grover's generic search, a square-root speedup that is absorbed simply by choosing a long enough output.
- Extensive cryptanalysis: SHA-2 has been public since 2001 and Keccak/SHA-3 since 2008. Both have been attacked by a large open community, and the only results are against heavily reduced-round variants; no attack comes close to the full functions.
- Ubiquity: hash functions secure Bitcoin, TLS, software updates, Git commits, and virtually every other cryptographic system. A break would be catastrophic across the entire field, which is exactly why they are the most scrutinised primitives we have.
The Conservative Position
"We don't know if lattices will remain hard. We are very confident that SHA-256 will remain hard."
SLH-DSA takes the most conservative position in the PQC landscape:
- If ML-DSA has an unexpected weakness → SLH-DSA still works
- If FN-DSA has an unexpected weakness → SLH-DSA still works
- If quantum computers break lattices (somehow) → SLH-DSA still works
- Only if the underlying hash (SHA-2 or SHAKE, depending on the parameter set) loses preimage, second-preimage or PRF security → SLH-DSA fails

Two caveats keep this honest. Quantum computers do touch hash functions, but only through Grover's generic search, a square-root speedup that the parameter sets already absorb (this is why the 128/192/256-bit levels use 16-, 24- and 32-byte hash outputs). And a SHA-1-style collision attack would not be enough: the SPHINCS+ construction deliberately avoids relying on collision resistance. The dependency does run the other way, though: ML-DSA and FN-DSA also use SHAKE internally, so a practical break of SHAKE would not leave the lattice schemes standing either.
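The claim that forging a hash-based signature means finding a preimage is easiest to see in the simplest scheme of the family, Lamport's one-time signature, which SLH-DSA refines (WOTS+ chains, FORS trees, a hypertree) without changing the underlying assumption. The block below is an added illustration written for this page; it is not code from FIPS 205 or the SPHINCS+ reference implementation. It uses only SHA-256 and a CSPRNG, and it also quantifies the one-time caveat that the later layers exist to remove: every signature under the same key reveals half of the private secrets, so a second message reveals more, and an attacker can then sign any message whose digest bits are all covered without touching the hash function at all.

```python
import hashlib
import hmac
import secrets

# Added example: Lamport one-time signature over SHA-256.
# Not from FIPS 205 or the SPHINCS+ code. It shows that the only route to a
# forgery is a preimage of the hash, and why a Lamport key must be used once.
H = hashlib.sha256           # the only cryptographic primitive used
N = 32                       # length of secrets and digests, in bytes
BITS = 8 * N                 # one (secret_0, secret_1) pair per digest bit


def keygen(rng=secrets.token_bytes):
    """Private key: 2*BITS random secrets. Public key: their SHA-256 images."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(H(s0).digest(), H(s1).digest()) for s0, s1 in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit of each byte first."""
    d = H(msg).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]


def sign(sk, msg: bytes):
    """For every digest bit, reveal the secret selected by that bit."""
    return [pair[b] for pair, b in zip(sk, _digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Accept iff each revealed value hashes to the public value the digest bit selects."""
    if len(sig) != BITS:
        return False
    ok = True
    for pair, b, s in zip(pk, _digest_bits(msg), sig):
        # A forger who lacks the secret must invert SHA-256 on pair[b].
        ok &= hmac.compare_digest(H(s).digest(), pair[b])
    return ok


def exposed_secrets(msgs) -> int:
    """How many of the 2*BITS private secrets an observer has seen after the
    given messages were signed with one key. A single message exposes exactly
    BITS of them; every further distinct message exposes more, and the leaked
    secrets sign any message whose digest bits are all covered."""
    seen = set()
    for msg in msgs:
        seen.update(enumerate(_digest_bits(msg)))
    return len(seen)


def signature_bytes() -> int:
    """Signature size: BITS secrets of N bytes each, 8 KiB with SHA-256."""
    return BITS * N


if __name__ == "__main__":
    sk, pk = keygen()
    # Constructed sample messages for the demonstration.
    m1, m2 = b"constructed message #1", b"constructed message #2"
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), "other message rejected:", not verify(pk, m2, s1))
    print("secrets exposed after 1 signature:", exposed_secrets([m1]),
          "after 2 signatures:", exposed_secrets([m1, m2]), "of", 2 * BITS)
    print("signature bytes:", signature_bytes())
```

Note what the numbers say about the rest of this course: even this minimal scheme has an 8 KB signature and a 16 KB public key, and the key is consumed after one use. SLH-DSA's engineering is about shrinking the public key to a single root hash, signing many times without storing state, and keeping the size within the range quoted in the next section, all while changing nothing about the assumption the Lamport scheme rests on.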
The Trade-Off: Size
| Property | SLH-DSA | ML-DSA | FN-DSA |
|---|---|---|---|
| Security assumption | Hash only | Module lattice (Module-LWE/SIS) | NTRU lattice |
| Signature size | ~7.9–49.9 KB (7,856 B for 128s up to 49,856 B for 256f) | ~2.4–4.6 KB (2,420–4,627 B) | ~0.7–1.3 KB (666–1,280 B) |
| Public key size | 32–64 B | ~1.3–2.6 KB (1,312–2,592 B) | ~0.9–1.8 KB (897–1,793 B) |
| Signing speed | Slow (ms to hundreds of ms; the 's' sets trade slower signing for smaller signatures) | Fast (well under 1 ms) | Moderate (under 1 ms, but depends on careful floating-point code) |
| Verification speed | Moderate (far cheaper than signing) | Fast | Fast |
| Best use | Trust anchors | General purpose | Constrained bandwidth |
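The signature sizes in the table are not arbitrary: they fall straight out of the structure of an SLH-DSA signature, which is a randomizer, a FORS signature (k trees, each contributing one secret and an authentication path of a nodes) and a hypertree signature (d layers, each a WOTS+ signature of len chains plus an authentication path of h/d nodes), all in n-byte units. The block below is an added example written for this page, not code from FIPS 205 or any library; the parameter values are those of FIPS 205 Table 2 (the SHA2 and SHAKE variants of each set share them), and the component names in the returned dictionary are this example's own.

```python
import math

# Added example: reproduce the SLH-DSA key and signature sizes from the
# FIPS 205 parameters. Not code from FIPS 205 or any library.
# name: (n, h, d, a, k, lg_w) as in FIPS 205 Table 2; every set uses w = 16.
PARAMS = {
    "SLH-DSA-128s": (16, 63, 7, 12, 14, 4),
    "SLH-DSA-128f": (16, 66, 22, 6, 33, 4),
    "SLH-DSA-192s": (24, 63, 7, 14, 17, 4),
    "SLH-DSA-192f": (24, 66, 22, 8, 33, 4),
    "SLH-DSA-256s": (32, 64, 8, 14, 22, 4),
    "SLH-DSA-256f": (32, 68, 17, 9, 35, 4),
}


def wots_len(n: int, lg_w: int) -> int:
    """Number of WOTS+ chains: len1 message chains plus len2 checksum chains."""
    w = 1 << lg_w
    len1 = math.ceil(8 * n / lg_w)
    len2 = math.floor(math.log2(len1 * (w - 1)) / lg_w) + 1
    return len1 + len2


def sizes(name: str) -> dict:
    """Key and signature sizes in bytes, with the signature broken into its parts."""
    n, h, d, a, k, lg_w = PARAMS[name]
    hp = h // d                              # height of each hypertree layer
    fors = k * (a + 1) * n                   # k trees: one secret + a-node auth path each
    hypertree = d * (wots_len(n, lg_w) + hp) * n  # per layer: WOTS+ sig + auth path
    return {
        "public_key": 2 * n,                 # PK.seed || PK.root
        "secret_key": 4 * n,                 # SK.seed || SK.prf || PK.seed || PK.root
        "randomizer": n,                     # R, the message randomizer
        "fors": fors,
        "hypertree": hypertree,
        "signature": n + fors + hypertree,
    }


def all_signature_sizes() -> dict:
    """Signature size of every parameter set, for a quick comparison."""
    return {name: sizes(name)["signature"] for name in PARAMS}


def hypertree_share(name: str) -> float:
    """Fraction of the signature spent on WOTS+ chains and auth paths."""
    s = sizes(name)
    return s["hypertree"] / s["signature"]


if __name__ == "__main__":
    print(f"{'set':14} {'pk':>4} {'sk':>4} {'sig':>6} {'fors':>6} {'hypertree':>9}")
    for name in PARAMS:
        s = sizes(name)
        print(f"{name:14} {s['public_key']:>4} {s['secret_key']:>4} "
              f"{s['signature']:>6} {s['fors']:>6} {s['hypertree']:>9}")
```

Two things the table alone does not show. The public key is tiny because it is just a seed and a Merkle root; everything else is recomputed by the verifier from the signature, which is where the bytes go. And the hypertree, not FORS, dominates every signature, which is why the 'f' sets (more layers, shallower trees) cost roughly twice the bytes of the 's' sets for a large gain in signing speed.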
When Conservative Matters
| Scenario | Why SLH-DSA? | Example |
|---|---|---|
| Root CA certificates | A forged root signature compromises every certificate beneath it, and roots sign rarely, so slow signing and large signatures cost little | National ID root, financial system root |
| Long-term notarisation | The signature must still be trustworthy 20+ years on, after attacks not known today have appeared | Legal contracts, patent filings, birth certificates |
| Algorithm agility | Provide a fallback if lattices are broken | Dual-sign with ML-DSA + SLH-DSA |
| High-assurance environments | Minimal assumptions preferred over performance | Military, nuclear systems, voting |
| Post-quantum fallback | "Break glass in case of lattice emergency" | Pre-generated trust anchor for rapid migration |
The "Break Glass" Scenario
Imagine it's 2035:
- An efficient algorithm for the lattice problems behind ML-DSA and FN-DSA is discovered, quantum or classical (unlikely but not impossible).
- ML-DSA and FN-DSA signatures can now be forged.
- Millions of certificates, software updates, and documents can no longer be trusted.
- Systems pre-equipped with SLH-DSA trust anchors switch over immediately, because the anchors were distributed and pinned while the lattice schemes were still sound.
- The world continues with larger signatures and slower signing but intact security.
SLH-DSA is insurance against the failure of every other PQC family.
Resources
- NIST FIPS 205, Stateless Hash-Based Digital Signature Standard (2024), Section 1: Introduction
- Bernstein et al., "SPHINCS+ — Submission to the NIST post-quantum project", v3.1 (June 2022)
- Goldreich, "Foundations of Cryptography", Volume 2: Basic Applications (2004), Chapter 6: Digital Signatures and Message Authentication (collision-free hashing and one-time signatures)