NIST plans to standardize a smaller variant of SLH-DSA- their hash-basedpost-quantum digital signature scheme.
The new variant, called Relatively Small Signatures (RLS), will halve signaturesizes and improve verification speeds. The drawbacks of RLS are lowerexhaustion limits (fewer total signatures per key) and slower signing speeds
RLS supports at most 2^24 (~16 million) signatures per key, compared withcurrent SLH-DSA variants, which allow up to 2^64. This cap is still sufficient formost use cases.
RLS prioritizes verification speed over signing speed. Across the correspondingparameter sets, RLS variants verify with ~7x fewer hashes than their SLH-DSAcounterparts, but sign with ~600x more hashes.
To close this out, I'll compare the smallest current SLH-DSA parameter set withits corresponding RLS variant.
SLH-DSA-SHAKE-128s.
NIST Security Level: 1
Signature size:7,856 bytes
Public key size: 32 bytes.
* Hashes during signing:2,186,222
* Hashes during verification: 2,214
rls128cs1:
NiST Security Level: 1
Signature size: 3,856 bytes
Public key size: 32 bytes
Hashes during signing:1,451,229,184
*Hashes during verification: 311
NlST hasn't put a date on finalizing RLS yet, and l don't expect one soon giventhe U.S. government shutdown..
