U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Recommendation for Stateful Hash-Based Signature Schemes: Draft NIST SP 800-208 Available for Comment
December 11, 2019

NIST invites comments on Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes. All of the digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186-4 will be broken if large-scale quantum computers are ever built. NIST is in the process of developing standards for post-quantum secure digital signature schemes that can be used as replacements for the schemes that are specified in FIPS 186-4. However, this standardization process will not be complete for several years.

In this draft recommendation, NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554, respectively. Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. However, their use may be appropriate for applications in which use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.

The public comment period for this document is open through February 28, 2020. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.

Parent Project

See: Hash-Based Signatures
Created December 11, 2019, Updated June 22, 2020