The Internet Engineering Task Force (IETF) has announced that the XMSS stateful hash-based signature scheme has been published as Request for Comments (RFC) 8391. Our understanding is that the LMS stateful hash-based signature scheme will likely be published as an RFC in the coming months.
NIST plans to coordinate with other standards organizations, such as the IETF, to develop standards for stateful hash-based signatures. As stateful hash-based signatures do not meet the API requested for signatures, this standardization effort will be a separate process from the one outlined in the December 2016 Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms. It is expected that NIST will only approve a stateful hash-based signature standard for use in a limited range of signature applications, such as code signing, where most implementations will be able to securely deal with the requirement to keep state.
We—NIST's Computer Security Division—would like your feedback:
- Should NIST start moving forward now with XMSS?
- Should we wait until the RFC for LMS is finished?
- Is anybody aware of industry using stateful hash-based signatures at this time?
Send us a message at pqc-comments@nist.gov.
Thank you.
NIST Computer Security Division
