NIST plans to approve one or more schemes for stateful hash-based signatures (HBS) as part of the post-quantum cryptography development effort. NIST is actively considering two such schemes developed through the Internet Engineering Task Force: 1) XMSS, specified in Request for Comments (RFC) 8391 in May 2018, and 2) LMS, currently specified in draft.
HBS schemes were the topic for a session of talks during the first public workshop on post-quantum security, as well as the panel discussion that followed it. Participants expressed significant interest in the standardization of such schemes at that time, because the underlying technology was well understood. In particular, the security of an HBS scheme, when implemented properly, relies only on the preimage resistance of its component cryptographic hash function. This property is already the basis for the security of many NIST-approved cryptographic algorithms and protocols, and no quantum computing algorithms are known that would pose a practical threat in the foreseeable future.
Therefore, HBS schemes are good candidates for early standardization. The stateful versions of HBS schemes offer better performance than the stateless versions but are vulnerable to misuse if they are not implemented properly. NIST established a sub-project for approving stateful HBS schemes because they don’t meet the API requested for signatures and require state management.
On February 4, 2019, NIST issued a request for public input on how to mitigate the potential misuse of stateful HBS schemes.
On June 21, 2018, NIST issued a request for public input on XMSS and LMS.