Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Recommendation for Stateful Hash-Based Signature Schemes: Draft NIST SP 800-208 Available for Comment
NIST has released Draft NIST Special Publication (SP) 800-208, "Recommendation for Stateful Hash-Based Signature Schemes." The public comment period ends February 28, 2020.
NIST invites comments on Draft NIST Special Publication (SP) 800-208, Recommendation for Stateful Hash-Based Signature Schemes. All of the digital signature schemes specified in Federal Information Processing Standards Publication (FIPS) 186-4 will be broken if large-scale quantum computers are ever built. NIST is in the process of developing standards for post-quantum secure digital signature schemes that can be used as replacements for the schemes that are specified in FIPS 186-4. However, this standardization process will not be complete for several years.
In this draft recommendation, NIST is proposing to supplement FIPS 186 by approving the use of two stateful hash-based signature schemes: the eXtended Merkle Signature Scheme (XMSS) and the Leighton-Micali Signature system (LMS) as specified in Requests for Comments (RFC) 8391 and 8554, respectively. Stateful hash-based signature schemes are not suitable for general use since they require careful state management in order to ensure their security. However, their use may be appropriate for applications in which use of the private key may be carefully controlled and where there is a need to transition to a post-quantum secure digital signature scheme before the post-quantum cryptography standardization process has completed.
Draft SP 800-208 profiles LMS, XMSS, and their multi-tree variants. This profile approves the use of some but not all of the parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use either SHA-256 or SHAKE256 with 192- or 256-bit outputs. This profile also requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported.
The public comment period for this document is open through February 28, 2020. See the publication details for a copy of the draft and instructions for submitting comments.
NOTE: A call for patent claims is included on page iv of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy--Inclusion of Patents in ITL Publications.