Message-ID: <6ad6c7418b6b845d6e2dd0ccdb2b508de0c3c10c.camel@real-or-random.org>
Subject: Re: [bitcoindev] SLH-DSA (SPHINCS) Performance Optimization Techniques
From: Tim Ruffing
To: conduition, Bitcoin Development Mailing List
Date: Fri, 28 Nov 2025 16:39:12 +0100

Let me just leave the note here that this is awesome work! I didn't
expect that so much can be gained using SIMD, and that it beats SHA-NI
by such a large margin (even taking into account the caveats you've
mentioned).

Tim

On Sun, 2025-11-23 at 18:46 -0800, 'conduition' via Bitcoin Development
Mailing List wrote:
> Hi devs,
>
> I've spent the last several months implementing and benchmarking
> optimization techniques for the post-quantum hash-based signature
> scheme SLH-DSA (formerly SPHINCS+), which is being considered as a
> candidate for a quantum-resistant soft-fork upgrade to Bitcoin, re:
> BIP360.
>
> Survey article: https://conduition.io/code/fast-slh-dsa/
>
> As a material result of my findings, I believe I now possess what may
> be the fastest publicly available implementation of SLH-DSA (at least
> on my hardware), and possibly also one of the fastest GPU
> implementations, though I've had difficulty finding comparable
> alternatives on that front. Its speed is owed to the Vulkan graphics
> programming API, often used by video game devs to squeeze performance
> out of gaming PCs and mobile phones.
>
> The code:
> - https://github.com/conduition/slhvk
> - https://github.com/conduition/slh-experiments
>
> Using my CPU, this code can sign a message with SLH-DSA-SHA2-128s in
> just 11 milliseconds, and can generate keys in only 2 milliseconds
> (1ms if batched). Verification throughput approaches that of ECDSA,
> at around 15000 nanoseconds per verification if properly batched. If
> you have a GPU with drivers, everything runs even faster.
>
> For perspective, the fastest open source SLH-DSA library I could
> find, PQClean, requires 94 milliseconds for SLH-DSA-SHA2-128s signing
> and 12ms for keygen on my CPU. PQClean can only achieve this speed on
> x86 CPUs, whereas Vulkan works on ARM devices, including Apple
> silicon.
>
> There are caveats. This technique is memory-hungry, requiring several
> megabytes of RAM for signing and keygen, so it will not help in
> resource-constrained environments like hardware wallets. Dedicated
> hash accelerator chips or FPGAs would be more appropriate for those
> use-cases.
>
> Furthermore, there is a hefty startup penalty, owing to the need to
> compile shaders on-device at runtime, though this can be mitigated by
> on-disk caching, and proper context scoping (e.g. don't compile
> verification shaders if you only need signing shaders). For daemon
> programs like bitcoind or lnd, I believe this would not be such a big
> issue, but it would be problematic for start-and-stop apps like CLI
> utilities.
>
> More research is needed to gather additional data, and to assess the
> viability of this technique on diverse platforms. If you are
> interested in collaborating, please email me :)
>
> regards,
> conduition
> --
> You received this message because you are subscribed to the Google
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/d463887f-3a9e-48a5-b61a-8680646a370an%40googlegroups.com
> .