
Stateful Hash-Based Signatures HBS

Overview

In Special Publication 800-208, Recommendation for Stateful Hash-Based Signature Schemes, NIST approves two schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort. The two schemes were developed through the Internet Research Task Force (IRTF): 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, in RFC 8554 in April 2019.

Since SP 800-208 was published in 2020, NIST has received feedback regarding the restriction against private key export laid out in that document. In response, NIST has held several public discussions about possible options for dealing with the issue. We are currently working on a revision of SP 800-208 that would enable key export while still mitigating the security concerns.

Background

HBS schemes were the topic for a session of talks during the first public workshop on post-quantum security, as well as the panel discussion that followed it. Participants expressed significant interest in the standardization of such schemes at that time, because the underlying technology was well understood. In particular, the security of an HBS scheme, when implemented properly, relies only on the preimage resistance of its component cryptographic hash function. This property is already the basis for the security of many NIST-approved cryptographic algorithms and protocols, and no quantum computing algorithms are known that would pose a practical threat in the foreseeable future.

Therefore, HBS schemes were considered good candidates for early standardization. The stateful versions of HBS schemes offer better performance than the stateless versions but are vulnerable to misuse if they are not implemented properly. NIST established a sub-project for approving stateful HBS schemes because they did not meet the API requested for signatures and require state management.

NIST SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes.

October 30, 2020: This publication supplements FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554, respectively.

Stateful hash-based signature schemes are secure against the development of quantum computers, but they are not suitable for general use because their security depends on careful state management. They are most appropriate for applications in which the use of the private key may be carefully controlled.

NIST SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.
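The following is an added toy illustration of the state-management point above; it is not code from NIST, SP 800-208, or the XMSS/LMS RFCs. It uses a Lamport one-time signature (rather than the WOTS+ or LM-OTS used by the real schemes) under a four-leaf Merkle tree, and it assumes a signer that persists its next-leaf index before releasing a signature, refuses to sign once every one-time key has been used, and detects an in-process rollback of the persisted state. The names (`StatefulSigner`, `run_demo`, the constructed seed) are this example's own. Note that the rollback check only catches a rollback within one process lifetime; a restored backup or cloned VM that reuses a leaf across restarts is exactly the case the hardware-module requirement in the profile is meant to prevent.

```python
import hashlib
import struct

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

BITS = 256  # one Lamport key pair per bit of the hashed message

def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def ots_keypair(seed: bytes, leaf: int):
    # Toy deterministic derivation from a secret seed (constructed for the demo;
    # real XMSS/LMS use a PRF with an address structure).
    sk = [[H(seed, struct.pack(">IIB", leaf, i, b)) for b in (0, 1)] for i in range(BITS)]
    pk = [[H(s) for s in pair] for pair in sk]
    return sk, pk

def ots_sign(sk, msg: bytes):
    d = H(msg)
    return [sk[i][_bit(d, i)] for i in range(BITS)]  # reveals one preimage per bit

def ots_verify(pk, msg: bytes, sig) -> bool:
    d = H(msg)
    return all(H(sig[i]) == pk[i][_bit(d, i)] for i in range(BITS))

def leaf_hash(pk) -> bytes:
    return H(*[v for pair in pk for v in pair])

def build_tree(leaves):
    # levels[0] holds the leaves, levels[-1] holds the single root
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, index: int):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])  # sibling at this level
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sib in path:
        node = H(node, sib) if index % 2 == 0 else H(sib, node)
        index >>= 1
    return node

class StatefulSigner:
    HEIGHT = 2  # 4 one-time keys; a toy size

    def __init__(self, seed: bytes, state_store: dict):
        self.n_leaves = 1 << self.HEIGHT
        self.keys = [ots_keypair(seed, j) for j in range(self.n_leaves)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.keys])
        self.store = state_store  # dict standing in for non-volatile storage
        self.store.setdefault("next_index", 0)
        self._highwater = self.store["next_index"]  # highest index ever issued here

    @property
    def public_key(self) -> bytes:
        return self.levels[-1][0]

    def sign(self, msg: bytes):
        idx = self.store["next_index"]
        if idx < self._highwater:
            raise RuntimeError("state rollback detected: refusing to reuse a leaf")
        if idx >= self.n_leaves:
            raise RuntimeError("key exhausted: every one-time key has been used")
        # Persist the advanced index BEFORE releasing the signature, so a crash
        # between the two steps can lose a signature but never reuse a leaf.
        self.store["next_index"] = idx + 1
        self._highwater = idx + 1
        sk, pk = self.keys[idx]
        return (idx, ots_sign(sk, msg), pk, auth_path(self.levels, idx))

def verify(root: bytes, msg: bytes, signature) -> bool:
    idx, sig, pk, path = signature
    return ots_verify(pk, msg, sig) and root_from_path(leaf_hash(pk), idx, path) == root

def run_demo(seed: bytes = b"constructed-demo-seed") -> dict:
    store = {}
    signer = StatefulSigner(seed, store)
    msg = b"firmware-image-v1"  # constructed sample message
    sig = signer.sign(msg)
    out = {"valid": verify(signer.public_key, msg, sig),
           "tampered_rejected": not verify(signer.public_key, msg + b"!", sig),
           "state_after_first": store["next_index"]}
    for _ in range(signer.n_leaves - 1):
        signer.sign(b"another message")
    try:
        signer.sign(b"one too many"); out["exhaustion_blocked"] = False
    except RuntimeError:
        out["exhaustion_blocked"] = True
    store["next_index"] = 0  # simulate restoring an old copy of the state
    try:
        signer.sign(b"after rollback"); out["rollback_detected"] = False
    except RuntimeError:
        out["rollback_detected"] = True
    return out

if __name__ == "__main__":
    print(run_demo())
```

The persist-then-release ordering is the important design choice: losing an index to a crash costs one of the tree's one-time keys, whereas releasing a signature before the state is committed risks signing twice with the same leaf, which is the misuse the stateful schemes cannot tolerate.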

On February 4, 2019, NIST issued a request for public input on how to mitigate the potential misuse of stateful HBS schemes.

On June 21, 2018, NIST issued a request for public input on XMSS and LMS.

Contacts

Technical Inquiries
[email protected]

John Kelsey

Dustin Moody


Created December 20, 2018, Updated April 28, 2025
