In order to add the support for SLH-DSA in cryptography, I've started to work on adding the test vectors.
However, this PQ algorithm has a signature size issue.
The test vectors from NIST are quite heavy:
Of note, wycheproof has no test vectors for SLH-DSA.
I know the trailofbits/go-slh-dsa uses as tests the full JSON files, but I'm unsure if we want to commit 70 MB of test files in this repo.
If we limit our support to BoringSSL (headers), then we can significantly trim down the number of test vectors:
- sigVer vectors for SLH-DSA-SHA2-128s and SLH-DSA-SHAKE-256f (the only two parameter sets BoringSSL exposes).
- Pure, external interface only (matching what `SLHDSA_*_verify` accepts).
- 14 tests per parameter set, mix of valid and invalid signatures.
- Total size: about 1.8MB
It excludes:
- keyGen vectors: BoringSSL API does not expose a way to generate a key from a seed
- sigGen vectors: BoringSSL only supports randomized signing - deterministic vectors cannot be verified
- other parameter sets
- prehash vectors
- internal vectors
But, if / when we support another backend (e.g. OpenSSL), we would have to extend those test vectors.
I see several paths forward (rough size estimates in parentheses):
- Keep the whole vectors files (unnecessarily large)
- Keep the whole vectors files but trim down internal and prehash versions (15MB)
- Keep only 2 tests per parameter set, down from 14 (3MB)
- Keep only 1 test per parameter set (1.5MB)
- Trim the test vectors to only test the prefix/suffix of the signature (?) - the most compact, but also somewhat unsatisfying
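
The trimming proposed above (pure, external sigVer cases for the two BoringSSL parameter sets, capped per set while keeping both valid and invalid signatures) could be scripted as below. This is an added example, not code from the issue or from the cryptography project; the JSON field names and the split into a prompt file and an expected-results file are assumptions about the vector layout, and the sample data is constructed.

```python
from itertools import chain, zip_longest

# The two parameter sets the issue says BoringSSL exposes.
KEEP = {"SLH-DSA-SHA2-128s", "SLH-DSA-SHAKE-256f"}

def trim_sigver(prompt, expected, per_set=14):
    """Keep pure/external sigVer cases for KEEP, at most per_set per set.

    Field names (testGroups, tgId, tcId, parameterSet, signatureInterface,
    preHash, testPassed) are assumptions about the vector file layout.
    """
    verdict = {(g["tgId"], t["tcId"]): t["testPassed"]
               for g in expected["testGroups"] for t in g["tests"]}
    budget = dict.fromkeys(KEEP, per_set)
    groups = []
    for g in prompt["testGroups"]:
        name = g["parameterSet"]
        if (name not in budget or g.get("signatureInterface") != "external"
                or g.get("preHash") != "pure"):
            continue  # other parameter sets, internal and prehash vectors
        tests = [dict(t, testPassed=verdict[g["tgId"], t["tcId"]])
                 for t in g["tests"]]
        good = [t for t in tests if t["testPassed"]]
        bad = [t for t in tests if not t["testPassed"]]
        # Interleave valid/invalid so a small budget still keeps both kinds.
        mixed = [t for t in chain.from_iterable(zip_longest(good, bad)) if t]
        picked = mixed[:budget[name]]
        budget[name] -= len(picked)
        if picked:
            groups.append(dict(g, tests=picked))
    return {"testGroups": groups}

def constructed_sample():
    """Tiny constructed input; real signatures are kilobytes of hex."""
    def grp(tg, name, iface, prehash, cases):
        meta = {"tgId": tg, "parameterSet": name,
                "signatureInterface": iface, "preHash": prehash}
        prompt = dict(meta, tests=[{"tcId": c, "signature": "00"} for c, _ in cases])
        result = {"tgId": tg, "tests": [{"tcId": c, "testPassed": ok} for c, ok in cases]}
        return prompt, result
    rows = [grp(1, "SLH-DSA-SHA2-128s", "external", "pure", [(1, True), (2, False), (3, False)]),
            grp(2, "SLH-DSA-SHA2-128s", "internal", "none", [(4, True)]),
            grp(3, "SLH-DSA-SHA2-192s", "external", "pure", [(5, True)]),
            grp(4, "SLH-DSA-SHAKE-256f", "external", "preHash", [(6, True)]),
            grp(5, "SLH-DSA-SHAKE-256f", "external", "pure", [(7, True), (8, False)])]
    return ({"testGroups": [p for p, _ in rows]},
            {"testGroups": [r for _, r in rows]})

if __name__ == "__main__":
    for g in trim_sigver(*constructed_sample(), per_set=2)["testGroups"]:
        print(g["parameterSet"], [(t["tcId"], t["testPassed"]) for t in g["tests"]])
```

Folding the verdict into each kept case produces a single file per backend, and a later backend with more parameter sets only needs a larger `KEEP`.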