U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-208 (Initial Public Draft)

Recommendation for Stateful Hash-Based Signature Schemes

Date Published: December 2019
Comments Due: February 28, 2020 (public comment period is CLOSED)
Email Questions to: pqc-comments@nist.gov

Planning Note (10/29/2020): NIST has added its responses to the public comments received on Draft SP 800-208.


David Cooper (NIST), Daniel Apon (NIST), Quynh Dang (NIST), Michael Davidson (NIST), Morris Dworkin (NIST), Carl Miller (NIST)


All of the digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186-4 will be broken if large-scale quantum computers are ever built. NIST is in the process of developing standards for post-quantum secure digital signature schemes that can be used as replacements for the schemes that are specified in FIPS 186-4. However, this standardization process will not be complete for several years.

In this draft recommendation, NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554, respectively. Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. However, their use may be appropriate for applications in which use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.

Draft SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.

NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.



cryptography; digital signatures; hash-based signatures; public-key cryptography
Control Families

None selected


Download URL

Supplemental Material:
Comments received (pdf)

Document History:
12/11/19: SP 800-208 (Draft)
10/29/20: SP 800-208 (Final)