Hash-based cryptography
Hash-based cryptography refers to a class of cryptographic primitives and protocols, most notably digital signature schemes, whose security is derived solely from the well-established properties of cryptographic hash functions—such as collision resistance, preimage resistance, and second preimage resistance—without relying on unproven number-theoretic assumptions like the hardness of factoring large integers.[1] These schemes are particularly valued for their post-quantum security, as hash functions are believed to remain secure against attacks from large-scale quantum computers, unlike traditional public-key systems vulnerable to Shor's algorithm.[2]
The origins of hash-based cryptography trace back to 1979, when Ralph Merkle introduced the first practical hash-based digital signature scheme in his paper "A Certified Digital Signature," which combined one-time signatures (OTS) with a binary tree of hashes (now known as a Merkle tree) to enable multiple signatures from a single public key while preventing key reuse.[3] That same year, Leslie Lamport proposed an OTS scheme based on one-way functions, laying foundational groundwork for hash-only constructions.[4] In 1982, Robert Winternitz proposed the Winternitz OTS (W-OTS), which uses parameterized chaining of hash values to trade additional computation for smaller signatures, further advancing the field.[1]
Key developments in the 1990s and 2000s focused on scalable tree-based structures, such as the Leighton-Micali Signature (LMS) scheme proposed in 1995, which employs structured prefixes to enhance security against adaptive attacks.[1] The eXtended Merkle Signature Scheme (XMSS), introduced in 2011, built on these ideas to provide forward security and was formalized in IETF RFC 8391 in 2018. NIST has endorsed both LMS (RFC 8554) and XMSS as stateful hash-based signatures in Special Publication 800-208 (2020), recommending their use with approved hash functions like SHA-256 or SHAKE256 for applications requiring long-term quantum resistance, such as firmware signing.[1] To address state management challenges in stateful schemes, stateless alternatives emerged, including SPHINCS in 2015 and its optimized version SPHINCS+ in 2019, which rely on pseudorandom functions and subset-resilient hashes for security without tracking used keys, though at the expense of larger signature sizes.[4] SPHINCS+ was selected for standardization as SLH-DSA in FIPS 205 (2024). NIST's post-quantum cryptography standardization process, which began in 2016, issued its first quantum-resistant standards in 2024.[5][6]
Fundamentals
Definition and Principles
Hash-based cryptography refers to a family of cryptographic schemes that construct digital signatures primarily using cryptographic hash functions as the underlying primitive, without relying on number-theoretic assumptions such as the hardness of integer factorization or discrete logarithms.[7] In these schemes, the private key typically consists of a collection of random bit strings, while the corresponding public key is formed by computing and publishing the hash values of these strings, effectively committing to them in a one-way manner.[8] During signature generation, parts of the private key—specifically, preimages under the hash function—are selectively revealed based on the message to be signed, allowing verification without fully compromising the key for future uses in basic one-time variants.[7]
The core principles revolve around the one-way properties of hash functions, particularly preimage resistance and collision resistance, to ensure security. Signing a message involves hashing the message to derive a bit string that indexes into the private key, revealing the appropriate preimages whose hashes match commitments in the public key. Verification then recomputes the message hash and checks that the revealed preimages hash to the expected public key values, confirming authenticity without needing additional computational assumptions. A generic one-time signature scheme can be outlined as follows:
Key Generation:
- Private key sk: For each i=1 to n, generate two random bit strings s_{i,0} and s_{i,1} of length l each.
- Public key pk: Compute pk_{i,0} = H(s_{i,0}) and pk_{i,1} = H(s_{i,1}) for i=1 to n, where H is a collision-resistant [hash function](/page/Hash_function).
Signing message m:
- Compute msg_hash = H(m), interpreted as n bits b_1, ..., b_n.
- Signature σ: For each i, set σ_i = s_{i, b_i}; reveal the selected preimages.
Verification of σ on m with pk:
- Compute msg_hash = H(m) to get bits b_1, ..., b_n.
- For each i, check if H(σ_i) equals pk_{i, b_i}.
- Accept if all checks pass.
This process ensures that an adversary cannot forge signatures without finding hash preimages or collisions, as revealing too much of the private key limits reuse.[8][7][9]
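To make the outline concrete, the following Python sketch implements the same generic one-time scheme with SHA-256 as H. It is a minimal illustration under those assumptions; the function and variable names are chosen for exposition and do not come from any standard or library, and the key pair must be discarded after a single signature.

```python
import hashlib
import os

N = 256          # number of message-digest bits signed
SEED_LEN = 32    # length in bytes of each secret string s_{i,b}

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Private key: two random strings per message bit; public key: their hashes.
    sk = [(os.urandom(SEED_LEN), os.urandom(SEED_LEN)) for _ in range(N)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def message_bits(m: bytes):
    # Interpret H(m) as N bits b_1, ..., b_N.
    digest = H(m)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, m: bytes):
    # Reveal the preimage selected by each message bit (one-time use only).
    return [sk[i][b] for i, b in enumerate(message_bits(m))]

def verify(pk, m: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(message_bits(m)))

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"example message"
    sig = sign(sk, msg)
    assert verify(pk, msg, sig)
    # A signature for one message does not verify for another
    # (except with negligible probability).
    assert not verify(pk, b"another message", sig)
```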
A key benefit of hash-based cryptography is its resistance to quantum attacks, stemming from the fact that Grover's algorithm provides only a quadratic speedup for searching hash preimages, allowing security levels to be maintained by doubling the hash output size without altering the core construction.[8] Unlike other post-quantum approaches, hash-based methods offer simplicity and efficiency on classical hardware, with standardization efforts by NIST focusing exclusively on digital signature applications. In August 2024, NIST finalized FIPS 205 specifying the SLH-DSA (based on SPHINCS+) as the first standardized stateless hash-based signature, while stateful schemes XMSS (RFC 8391) and LMS (RFC 8554) are detailed in NIST SP 800-208 (2020).[2][10][1]
Hash Functions in Cryptography
In cryptographic hash functions, three essential security properties underpin their use in hash-based schemes: preimage resistance, second preimage resistance, and collision resistance. Preimage resistance, also known as one-wayness, ensures that given a hash value h, it is computationally infeasible to find any input message m such that H(m) = h, where H is the hash function; this property is critical because it prevents adversaries from reversing hashes to uncover secret inputs, which could compromise the integrity of commitments or keys in hash-based constructions.[11] Second preimage resistance requires that, given an input m and its hash H(m), finding a different input m' \neq m with H(m') = H(m) is computationally infeasible; this is vital for maintaining message uniqueness, as a violation would allow substitution attacks that alter data without detection in verification processes.[11] Collision resistance provides the strongest guarantee, making it computationally infeasible to find any two distinct inputs m_1 \neq m_2 such that H(m_1) = H(m_2); this property is particularly important in hash-based cryptography, as collisions could enable forgeries by producing alternative inputs that hash to a valid value, undermining the non-malleability of signatures or proofs.[11] These properties form a rough hierarchy: collision resistance implies second preimage resistance and, for typical compressing hash functions, effectively subsumes preimage resistance as well, ensuring robust protection against existential forgeries.[12]
Cryptographic hash functions are typically constructed using structured designs that amplify the security of underlying primitives. The Merkle-Damgård construction, employed in standards like SHA-2, iteratively processes message blocks through a compression function to produce a fixed-length output, inheriting collision resistance from that of the underlying compression function. In contrast, the sponge construction, used in SHA-3 (based on the Keccak algorithm), operates by absorbing input into a state via a permutation and then squeezing out the output, offering flexibility in output lengths and provable bounds on security properties like collision resistance without relying on a separate compression step. For an n-bit output hash function, collision resistance is generally bounded by the birthday paradox, where the expected effort to find a collision is approximately 2^{n/2}; this scale establishes the security level, as weaker constructions might succumb to attacks below this threshold.[12]
The probability of success in a birthday attack, which exploits random sampling to find collisions, can be approximated as follows for q queries on an n-bit hash:
P(\text{collision}) \approx 1 - e^{-q^2 / 2^{n+1}}
This formula highlights how security degrades quadratically with query count relative to the output size, emphasizing the need for sufficiently large n (e.g., 256 bits for 2^{128} collision effort).[12]
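As a quick numerical check of this bound, the sketch below (illustrative only; the query counts and the 32-bit truncation are arbitrary choices for the example) evaluates the approximation and then exhibits a real collision on a deliberately truncated hash.

```python
import hashlib
import math

def collision_probability(q: int, n: int) -> float:
    # P(collision) ≈ 1 - exp(-q^2 / 2^(n+1)) for q queries on an n-bit hash.
    return 1.0 - math.exp(-(q * q) / 2 ** (n + 1))

# Negligible for a 256-bit hash even after 2^64 queries (underflows to 0.0 in doubles).
print(collision_probability(2**64, 256))
# Near-certain for a 32-bit hash after 2^17 queries (about 0.86).
print(collision_probability(2**17, 32))

def truncated_hash(x: int, bits: int = 32) -> bytes:
    # SHA-256 truncated to 32 bits, so collisions are cheap to exhibit.
    return hashlib.sha256(x.to_bytes(8, "big")).digest()[: bits // 8]

seen = {}
for x in range(2**18):
    digest = truncated_hash(x)
    if digest in seen:
        print(f"collision: inputs {seen[digest]} and {x} share digest {digest.hex()}")
        break
    seen[digest] = x
else:
    print("no collision found in this range")
```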
Standardization efforts by the National Institute of Standards and Technology (NIST) have established SHA-2 and SHA-3 as foundational primitives for hash-based cryptography. SHA-2, defined in FIPS 180-4, includes variants like SHA-256 and SHA-512 with output lengths providing collision resistance up to 2^{128} and 2^{256}, respectively, and serves as the backbone for many schemes due to its widespread implementation. SHA-3, specified in FIPS 202, complements SHA-2 with its sponge-based design, offering similar output options and enhanced resistance to certain structural attacks. Both families exhibit strong quantum resistance for collision finding, as Grover's algorithm only quadratically accelerates preimage searches but leaves the birthday bound largely intact, making them suitable for post-quantum applications when paired with adequate bit lengths.
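Both families are available in common libraries; as a small illustration, Python's standard hashlib exposes the Merkle-Damgård-based SHA-2 functions alongside the sponge-based SHA-3 and SHAKE functions (the message and output lengths below are arbitrary examples).

```python
import hashlib

msg = b"hash-based cryptography"

# Merkle-Damgård construction (FIPS 180-4): fixed 256-bit output.
print(hashlib.sha256(msg).hexdigest())

# Sponge construction (FIPS 202): fixed-length SHA3-256 and
# extendable-output SHAKE256, which can emit any number of bytes.
print(hashlib.sha3_256(msg).hexdigest())
print(hashlib.shake_256(msg).hexdigest(32))   # 32-byte output
print(hashlib.shake_256(msg).hexdigest(64))   # 64-byte output from the same input
```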
Historical Development
Early Proposals
The development of hash-based cryptography began in the late 1970s, amid the foundational advances in public-key systems introduced by Diffie and Hellman in 1976, which highlighted the need for efficient digital signatures without relying on computationally intensive number-theoretic assumptions. Early proposals focused on constructing signatures solely from one-way functions, such as cryptographic hash functions, to provide provable security in a classical computing environment. These schemes addressed key limitations of contemporary methods, including the requirement for ephemeral random values per signature and vulnerabilities to certain attacks in systems like those proposed by Rabin.[9]
In October 1979, Leslie Lamport published the seminal work "Constructing Digital Signatures from a One Way Function," introducing the first practical one-time signature scheme. Motivated by the inefficiencies of Diffie-Hellman-style signatures, which demanded fresh randomness for each use and risked forgery if keys were reused, Lamport's approach enabled verifiable signatures for a single message per key pair, leveraging a one-way function to bind the signer to the document without revealing private information. This scheme laid the groundwork for hash-based methods, emphasizing simplicity and reliance on the hardness of inverting the function.[9]
Concurrently in 1979, Ralph Merkle advanced the field with his paper "A Certified Digital Signature," proposing one-time signatures based on hash chains to efficiently sign multi-bit messages. Merkle's innovation used repeated applications of a one-way hash function to create chains that reduced the overhead compared to bit-by-bit signing, while introducing the concept of authentication trees—a hierarchical structure allowing multiple one-time signatures to be aggregated under a single certified public key. This addressed early key management issues, such as the impracticality of publishing vast numbers of individual public keys for numerous messages, though full tree details were deferred for later elaboration. Merkle's work highlighted the potential for scalable hash-based authentication in practical systems like electronic transactions.[3]
Building on these foundations, Robert Winternitz proposed an enhancement in 1982 through his design for a public-key cryptosystem at SRI International, refining the one-time signature mechanism with higher-base number representations. This allowed for significantly shorter signatures by encoding message blocks in bases greater than two, trading some computational cost for reduced bandwidth—a roughly four- to eight-fold improvement over prior methods—while preserving security under the one-way function assumption.[13] These initial constructions operated in a pre-quantum context, assuming ideal properties of hash functions akin to the later formalized random oracle model, and grappled with challenges like stateful key usage and large key sizes absent from tree-based aggregation.[3]
Post-Quantum Motivations
The advent of quantum computing has profoundly influenced the evolution of cryptographic primitives, particularly highlighting vulnerabilities in traditional public-key systems reliant on integer factorization and discrete logarithms. Shor's algorithm, introduced in 1994, enables quantum computers to efficiently factor large integers and solve discrete logarithm problems, thereby breaking widely used schemes like RSA and elliptic curve cryptography (ECC). In contrast, hash-based cryptography remains resilient to Shor's algorithm, as its security foundations do not depend on these algebraic structures. However, Grover's algorithm, proposed in 1996, provides a quadratic speedup for unstructured search problems, including preimage attacks on hash functions; for an n-bit hash output, this reduces the classical complexity from O(2^n) to O(2^{n/2}), necessitating larger hash sizes (e.g., 256 bits doubled to 512) to maintain equivalent security levels against quantum adversaries.
This quantum threat landscape spurred renewed interest in hash-based signatures during the 2000s, shifting focus from early one-time schemes to more practical constructions suitable for broader deployment. Research in the late 2000s and early 2010s emphasized stateful hash-based schemes, culminating in the eXtended Merkle Signature Scheme (XMSS) in 2011, which leveraged Merkle trees for multi-use efficiency while relying only on mild assumptions about the underlying hash function, such as second-preimage resistance, rather than full collision resistance.[14] The 2010s also saw advances in stateless designs to address state management challenges, with SPHINCS emerging in 2015 as a practical stateless hash-based signature scheme capable of signing hundreds of messages per second on contemporary hardware.[15] These developments aligned with growing awareness of quantum risks, culminating in the U.S. National Institute of Standards and Technology (NIST) launching its Post-Quantum Cryptography (PQC) Standardization Project in December 2016 to solicit and evaluate quantum-resistant algorithms.[2]
In the 2020s, NIST's PQC process accelerated hash-based adoption through rigorous evaluation rounds from 2019 to 2022, selecting candidates based on security, performance, and implementation feasibility. This led to the finalization of standards in 2024, including FIPS 205 for the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), derived from SPHINCS+, which provides provable security under well-established hash function assumptions. By 2025, adoption trends reflect increasing integration into production systems, such as Cloudflare's deployment of post-quantum cryptography in TLS to protect a significant portion of global internet traffic.[16] Hash-based schemes are valued relative to alternatives like lattice-based cryptography for their conservative security model, which depends exclusively on the long-studied properties of cryptographic hash functions rather than emerging mathematical assumptions potentially vulnerable to unforeseen attacks.[17]
One-Time Signature Schemes
Lamport Signatures
Lamport signatures, introduced by Leslie Lamport in 1979, form the foundational one-time signature scheme in hash-based cryptography, relying solely on the one-wayness of a hash function to provide security for a single message signature.[9] The scheme is designed for messages that can be represented as an n-bit string, where n is the desired security level (e.g., n = 256 for 256-bit security against brute-force attacks on the hash function). It operates by associating each message bit with a pair of secret values whose hash images form the public verification key, ensuring that forging a signature requires inverting the hash function.
Key Generation
To generate a key pair, the signer selects 2n random bit strings sk = \{r_{i,b}\}_{1 \le i \le n,\, b \in \{0,1\}}, where each r_{i,b} is chosen uniformly at random from \{0,1\}^\lambda and \lambda is the output length of the hash function h (typically \lambda = n). The private key is this set of 2n strings. The public key is then computed as pk = \{h(r_{i,b})\}_{1 \le i \le n,\, b \in \{0,1\}}, consisting of 2n hash values. This public key, which has size 2n \cdot n bits for n-bit hashes, is published or shared with verifiers.[9]
Signing
Given a message m interpreted as an n-bit string with bits b_i \in \{0,1\} for i = 1 to n (in practice, b_i may be the bits of h(m') for an arbitrary message m' to enable signing longer messages), the signature \sigma = (\sigma_1, \dots, \sigma_n) is formed by revealing, for each i, the private string corresponding to the message bit: \sigma_i = r_{i, b_i}. The signer should then discard the revealed strings to enforce one-time use, as reusing the key pair would compromise security by allowing an adversary to forge signatures on related messages. The resulting signature has size n \cdot \lambda bits, equivalent to n full hash inputs.[9]
Verification
To verify a signature \sigma on message m with bits b_i using public key pk, the verifier computes h(\sigma_i) for each i = 1 to n and checks whether h(\sigma_i) = pk_{i, b_i} for all i. If all equalities hold, the signature is accepted; otherwise, it is rejected. This process confirms that the revealed preimages match the committed hash values in the positions dictated by the message bits, without requiring knowledge of the unrevealed private strings. The verification time is linear in n, involving n hash evaluations.[9]
The scheme's large key and signature sizes—public key approximately twice the signature size, both scaling linearly with n—stem from the need to commit to two possibilities per message bit, making it impractical for direct use without optimizations but ideal as a building block. Security relies on the collision resistance and one-wayness of h; specifically, the Lamport scheme is proven existentially unforgeable under chosen-message attack (EUF-CMA) for one-time use in the random oracle model, where an adversary cannot produce a valid signature on a new message after seeing one signature, assuming h behaves as an ideal one-way function.[18] This provable security holds under the standard definition for one-time signatures, with forgery requiring either collision-finding or preimage attacks on h.[19]
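To make these sizes concrete, the short calculation below (a sketch for the n = \lambda = 256 parameters used above) evaluates the key and signature sizes directly from the formulas in this section.

```python
n = 256      # number of message-hash bits signed
lam = 256    # hash output length λ in bits

private_key_bits = 2 * n * lam   # 2n secret strings of λ bits each
public_key_bits = 2 * n * lam    # 2n hash values of λ bits each
signature_bits = n * lam         # n revealed preimages of λ bits each

print(private_key_bits // 8, "bytes private key")  # 16384 bytes (16 KiB)
print(public_key_bits // 8, "bytes public key")    # 16384 bytes (16 KiB)
print(signature_bits // 8, "bytes signature")      # 8192 bytes (8 KiB)
```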
Winternitz One-Time Signatures
The Winternitz one-time signature (WOTS) scheme, proposed as an enhancement to the Lamport signature, achieves smaller signature sizes by encoding multiple message bits per chain using a base-w representation, where w = 2^k for some integer k \geq 1. This allows signing k bits of the message with a single chain of length w-1, rather than one bit per chain as in Lamport signatures, trading increased computation for reduced space. To prevent an adversary from altering the message to increase any block value and decrease others while preserving the signature, a checksum is appended to the message blocks and signed using additional chains. The scheme relies on a collision-resistant hash function h and is designed for one-time use per key pair.
In the construction, the private key consists of \ell random seeds sk_1, \dots, sk_\ell, where \ell is the total number of chains determined by the message length m in bits, the parameter w, and the checksum overhead. Specifically, let \ell_1 = \lceil m / \log_2 w \rceil be the number of message blocks, then compute \ell_2 = \lfloor \log_w (\ell_1 (w-1)) \rfloor + 1 for the checksum blocks, and set \ell = \ell_1 + \ell_2. The corresponding public key is the tuple of hashes pk_j = h^{w-1}(sk_j) for j = 1 to \ell, where the iterated hash is defined recursively as
h^i(s) =
\begin{cases}
s & \text{if } i = 0, \\
h(h^{i-1}(s)) & \text{if } i > 0.
\end{cases}
To sign an m-bit message M, divide M into \ell_1 = \lceil m / \log_2 w \rceil blocks m_1, \dots, m_{\ell_1} each in \{0, \dots, w-1\}, compute the checksum C = \sum_{j=1}^{\ell_1} (w-1 - m_j), and represent C in base w using \ell_2 blocks c_1, \dots, c_{\ell_2}. The signature reveals \sigma_j = h^{m_j}(sk_j) for the message blocks and \sigma_{\ell_1 + j} = h^{c_j}(sk_{\ell_1 + j}) for the checksum blocks, concatenated as (\sigma_1, \dots, \sigma_\ell).[13][20]
Verification recomputes the public key values from the signature: for each j, starting from the revealed \sigma_j, iteratively apply h exactly (w-1 - b_j) times, where b_j is the j-th base-w digit of the message-plus-checksum, and check if the result matches pk_j. If all match, the signature is valid. The parameter k controls the trade-off between signature size and security margin against multi-target preimage attacks on the hash chains; larger k shortens signatures but requires stronger hash resistance to preimages. For example, with w=16 (k=4) and a 256-bit hash, the signature size reduces by a factor of approximately 4 compared to Lamport signatures, while maintaining comparable security under the random oracle model.[13][20]
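The construction above can be rendered directly in code. The following Python sketch uses w = 16 and SHA-256 as h, assuming a 256-bit message digest is being signed; names such as W, L1, L2 and the helper functions are illustrative choices for this example, not taken from any standard.

```python
import hashlib
import math
import os

W = 16                                  # Winternitz parameter (base), w = 2^4
LOG_W = 4
M_BITS = 256                            # length of the message digest being signed
L1 = M_BITS // LOG_W                    # 64 message blocks
L2 = math.floor(math.log(L1 * (W - 1), W)) + 1   # 3 checksum blocks
L = L1 + L2                             # 67 chains in total

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def chain(x: bytes, steps: int) -> bytes:
    # Iterated hash h^steps(x).
    for _ in range(steps):
        x = H(x)
    return x

def base_w_digits(msg: bytes):
    # Base-w digits of H(msg), followed by the base-w digits of the checksum.
    digest = H(msg)
    digits = []
    for byte in digest:
        digits.extend([byte >> 4, byte & 0x0F])        # two 4-bit digits per byte
    checksum = sum(W - 1 - d for d in digits)
    for _ in range(L2):
        digits.append(checksum % W)
        checksum //= W
    return digits                                      # length L

def keygen():
    sk = [os.urandom(32) for _ in range(L)]
    pk = [chain(s, W - 1) for s in sk]                 # pk_j = h^{w-1}(sk_j)
    return sk, pk

def sign(sk, msg: bytes):
    return [chain(sk[j], d) for j, d in enumerate(base_w_digits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    # Completing each chain with the remaining w-1-d steps must reach pk_j.
    return all(chain(sig[j], W - 1 - d) == pk[j]
               for j, d in enumerate(base_w_digits(msg)))

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"example"
    sig = sign(sk, msg)
    assert verify(pk, msg, sig)
```

With these parameters the signature comprises 67 hash values (64 message chains plus 3 checksum chains), matching the roughly four-fold reduction over the 256 values of a Lamport signature noted above.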
A variant known as WOTS+ improves upon the original by modifying the hash chaining to mix per-step randomization values (bitmasks) into each link, which bases security on second-preimage resistance rather than collision resistance and enables significantly shorter signatures, for example a reduction of more than 50% for XMSS+ at the 80-bit security level. It achieves strong unforgeability under adaptive chosen-message attacks in the standard model when instantiated with a pseudorandom function family, and has been adopted in schemes like XMSS and SPHINCS+.[21]
Multi-Time Signature Schemes
Stateful Approaches
Stateful hash-based signature schemes enable multiple message signings with a single key pair by organizing numerous one-time key pairs into a structure that authenticates their usage without reuse. The signer maintains a private state, typically an index tracking the next unused one-time key pair, to ensure each is employed exactly once; key reuse would compromise security by allowing forgery attacks. The public key consists of the root hash of a Merkle tree, whose leaves are the public keys of these one-time signatures, such as Winternitz One-Time Signatures (WOTS).[1]
Merkle trees in this context are binary trees where each leaf node holds the hash of a WOTS public key, and internal nodes are computed as pairwise hashes of their children. To verify a signature, the signer reveals the authentication path from the used leaf to the root, consisting of sibling node hashes, allowing the verifier to recompute the root and confirm authenticity without exposing the entire tree. Each internal node is computed by pairwise hashing, such as \text{node} = h(0 \| \text{left} \| \text{right}), where h is a cryptographic hash function and the prefix 0 provides domain separation between tree nodes and other hash invocations; iterating this upward yields the root.[1][14]
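The following Python sketch illustrates these mechanics for a toy tree of eight leaves, using SHA-256 and a 0x00 prefix for internal nodes; the leaf values and function names are placeholders (real schemes hash WOTS public keys into the leaves and use scheme-specific addressing).

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # Internal node: hash of a domain-separation prefix and the two children.
    return H(b"\x00" + left + right)

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def auth_path(leaves, index):
    # Sibling hashes from the chosen leaf up to (but not including) the root.
    path, level, idx = [], list(leaves), index
    while len(level) > 1:
        path.append(level[idx ^ 1])                     # sibling of the current node
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        idx //= 2
    return path

def root_from_path(leaf, index, path):
    node, idx = leaf, index
    for sibling in path:
        node = node_hash(node, sibling) if idx % 2 == 0 else node_hash(sibling, node)
        idx //= 2
    return node

if __name__ == "__main__":
    # Leaves would be hashes of WOTS public keys; plain stand-ins are used here.
    leaves = [H(bytes([i])) for i in range(8)]          # tree of height 3
    root = merkle_root(leaves)
    idx = 5
    path = auth_path(leaves, idx)
    assert root_from_path(leaves[idx], idx, path) == root
```

The authentication path for a tree of height h contains exactly h sibling hashes, so the verifier needs only h additional hash computations beyond recomputing the leaf.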
The eXtended Merkle Signature Scheme (XMSS), first proposed in 2011, builds on WOTS+ (an enhanced Winternitz scheme) combined with L-trees for compressing WOTS+ public keys to fixed-length n-bit values before placing them as Merkle tree leaves. The signer tracks state through a leaf index, incrementing it after each signature to select the next WOTS+ key pair from the tree's 2^h leaves. XMSS parameters in RFC 8391 include a hash output size of n = 256 bits (32 bytes), Winternitz parameter w=16 for balancing security and efficiency, and tree heights h of 10, 16, or 20, supporting up to 2^{20} signatures.[14][22]
The Leighton-Micali Signature (LMS) scheme, originally proposed in 1995 and standardized in RFC 8554 in 2019, employs simpler binary Merkle trees with leaves derived from LM-OTS (a WOTS-like one-time scheme) public keys. State management mirrors XMSS, with the signer updating an index q to point to the next unused leaf after signing. RFC 8554 defines fixed parameter sets based on SHA-256 with 32-byte outputs and tree heights h of 5, 10, 15, 20, or 25; NIST SP 800-208 additionally approves variants using SHA-256/192 and SHAKE256 with 192- and 256-bit outputs.[20][1][23]
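The operational burden shared by XMSS and LMS is the state update. The toy sketch below shows only that rule (the class and method names are invented for illustration), omitting the actual WOTS and Merkle computations.

```python
class StatefulSigner:
    """Toy illustration of the state rule shared by XMSS and LMS:
    each one-time key pair, addressed by a leaf index, may be used only once."""

    def __init__(self, tree_height: int):
        self.max_signatures = 2 ** tree_height
        self.next_index = 0              # persistent state: next unused leaf

    def reserve_index(self) -> int:
        if self.next_index >= self.max_signatures:
            raise RuntimeError("key pair exhausted: every one-time key has been used")
        index = self.next_index
        # In a real deployment the updated state must be persisted durably
        # *before* the signature is released, so that a crash or rollback
        # cannot cause the same index (and one-time key) to be reused.
        self.next_index += 1
        return index

signer = StatefulSigner(tree_height=10)   # supports up to 2^10 = 1024 signatures
first = signer.reserve_index()            # 0
second = signer.reserve_index()           # 1
```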
Stateless Approaches
Stateless hash-based signature schemes address the state management challenges of stateful multi-time schemes by enabling a practically unlimited number of signatures without maintaining signer state, relying instead on randomization to select which one-time or few-time key signs each message. For each signature, the signer derives a pseudorandom index from the message and a secret key, selecting one leaf out of a vast space (such as 2^{60} possibilities for 128-bit security), so that even after 2^{40} or more signatures no individual leaf is likely to be reused more than a handful of times; the few-time signature scheme placed at each leaf tolerates such occasional reuse. A hypertree, a layered structure of many small Merkle trees, then authenticates the path from the selected leaf to the root by chaining signatures on subtree roots across layers. This approach trades larger signature sizes for simplicity and fault tolerance, as randomization eliminates the need for sequential key advancement.[15][24]
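The core stateless idea, deriving a per-message randomizer and leaf index from the secret key and the message rather than from a counter, can be sketched as follows. This is a simplified toy using SHA-256 as a stand-in for the scheme's PRF and message-hash functions, not the exact SPHINCS or SPHINCS+ derivation.

```python
import hashlib
import os

H_TOTAL = 60                 # total hypertree height: 2^60 addressable leaves
sk_prf = os.urandom(32)      # secret PRF key, part of the signer's private key

def select_leaf(message: bytes):
    # Per-signature randomizer R derived from the secret key and message,
    # then a pseudorandom leaf index derived from R and the message.
    # No counter or other mutable state is involved.
    R = hashlib.sha256(b"prf" + sk_prf + message).digest()
    digest = hashlib.sha256(b"msg" + R + message).digest()
    index = int.from_bytes(digest[:8], "big") % (2 ** H_TOTAL)
    return R, index

R1, i1 = select_leaf(b"message 1")
R2, i2 = select_leaf(b"message 2")
print(i1, i2)   # two indices scattered over a 2^60-element space
```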
The foundational stateless scheme, SPHINCS, introduced in 2015, uses a hypertree of height h (e.g., 60) with d layers (e.g., 12), where each layer consists of small Merkle trees of height h/d = 5 whose Winternitz one-time signatures (WOTS) certify the roots of the trees below them. At the bottom of the hypertree it applies the HORST few-time scheme, with t=2^{16} secret values per instance of which k=32 are revealed per signature, to sign the randomized message digest while disclosing only the necessary authentication paths. Parameters for 128-bit post-quantum security yield signatures of about 41 KB, public keys of about 1 KB, and support signing hundreds of messages per second on contemporary hardware.[15]
SPHINCS+, proposed in 2019, refines this framework for better efficiency, replacing HORST with FORS (Forest of Random Subsets) for the few-time component, where each FORS instance signs a short message digest using k small Merkle trees of height a, each with t=2^a leaves, and using XMSS (eXtended Merkle Signature Scheme) trees with WOTS+ chains for many-time aggregation across the hypertree layers. The hypertree authenticates FORS public keys through XMSS authentication paths, with each layer's WOTS+ signature certifying the root of the layer below. For 128-bit security, the compact parameter set SPHINCS+-128s uses h=63, d=7, k=14, t=2^{12}, resulting in roughly 7.9 KB signatures, while the faster-signing SPHINCS+-128f uses h=66, d=22, k=33, t=2^6, yielding about 17 KB signatures but substantially less signing computation.[24][25]
To sign, the signer derives a pseudorandom index i and a message digest from the message and a secret seed, signs the digest with the FORS instance at leaf i, and then authenticates that FORS public key through the hypertree: at each of the d layers, a WOTS+ signature certifies the root of the tree below, accompanied by the corresponding Merkle authentication path. The verifier recomputes the FORS public key from the revealed values, walks the layers upward verifying each WOTS+ signature and path, and accepts if the reconstructed top-level root matches the root in the public key.[24]
SLH-DSA, standardized by NIST in 2024 as FIPS 205, adopts SPHINCS+ with minor modifications such as updated addressing and pseudorandom function usage, providing parameter sets for 128-bit security such as SLH-DSA-SHA2-128f (h=66, d=22, k=33, a=6, approximately 17 KB signatures) and SLH-DSA-SHA2-128s (h=63, d=7, k=14, a=12, approximately 7.8 KB signatures), both using SHA-256. These retain the hypertree and FORS/XMSS components for stateless operation.[26][27]
The primary trade-off is increased signature size, often several times to tens of times larger than lattice-based alternatives, due to including the FORS values and the full set of authentication paths, though verification remains efficient at around a millisecond.[24][26]
Security Properties
Provable Security and Assumptions
Hash-based signature schemes are typically analyzed for existential unforgeability under chosen-message attack (EU-CMA) security, where an adversary cannot produce a valid signature on a new message after adaptively querying signatures on chosen messages.[1] For one-time schemes like Lamport and Winternitz one-time signatures (WOTS), security reduces to the one-wayness (preimage resistance) of the underlying hash function, ensuring that revealing hash images for a message does not allow forgery on another.[13] In the random oracle model (ROM), proofs show that breaking the signature implies finding a preimage for a random oracle query, with tight reductions preserving the security bound.[28] Multi-time schemes extend this via Merkle tree structures, relying on the non-malleability of authentication paths to prevent forgery across multiple uses; proofs demonstrate EU-CMA security by reducing forgeries to collisions or preimages in the tree hashes.[29]
Core assumptions include the collision resistance and second-preimage resistance of the hash function in the ROM, modeling the hash as an ideal random function to simplify proofs while capturing essential properties.[1] Stateful schemes, such as XMSS, assume secure state management to avoid reuse, and become vulnerable if state is mishandled; for example, restoring a signer from a backup or cloning it across devices can cause the same one-time key index to be used twice, enabling forgery.[29] Stateless schemes like SPHINCS mitigate this by deriving keys pseudorandomly from a seed and message, but introduce risks from birthday-style repetitions of the random indices, with the probability of a repeated index growing roughly as \frac{q^2}{2^k}, where q is the number of signatures and k the bit-length of the index; proofs bound this by choosing k sufficiently large and by placing few-time signatures at the leaves so that occasional repetitions remain harmless. For tree-based constructions, security proofs reduce any forgery that tampers with an authentication path to finding a collision or second preimage in the tree's hash function.[28]
In the quantum setting, hash-based signatures inherit security from quantum-resistant hash functions, as they avoid hard problems vulnerable to Shor's algorithm, such as integer factorization or discrete logarithms.[30] Grover's algorithm halves the effective security level of preimage searches (while collision finding gains less in practice), necessitating hash outputs of at least twice the desired security level (e.g., 256-bit outputs for 128-bit post-quantum security); formal reductions in the quantum random oracle model confirm EU-CMA security under these adjusted assumptions.[31] Specific risks include key reuse in one-time schemes leading to immediate forgery upon repetition, and index collisions in stateless designs enabling forgeries if the same few-time key is reused too often across messages.[1]
Performance Characteristics
Hash-based signature schemes exhibit distinct performance characteristics, primarily due to their reliance on iterated hash function evaluations rather than algebraic operations. Public keys are typically compact, ranging from 32 to 64 bytes for 256-bit security levels, as they consist of a root hash value and possibly a seed. For instance, the XMSS scheme with SHA2-256 parameters (n=32, h=20) uses a 64-byte public key. Signatures, however, vary significantly in size: stateful schemes like XMSS produce signatures of 2.5 to 2.8 KB for basic configurations supporting up to 2^20 messages, while multi-tree extensions (XMSSMT) can reach 8 to 27 KB for vastly larger message counts (e.g., 2^60). In contrast, stateless schemes like SPHINCS+-256s generate 29.8 KB signatures, reflecting the inclusion of multiple hypertree traversals to avoid state management.[29][32][33]
Computational overhead in hash-based schemes stems from the need for numerous hash iterations per operation. Signing and verification are dominated by one-time signature computations (e.g., WOTS+ requiring up to approximately 1,000 hash evaluations for 256-bit security with w=16) plus Merkle tree path updates or verifications, totaling 10^3 to 10^4 hash calls. For XMSS-SHA2_20_256, signing involves about 11,455 calls to hash functions (F and H), while verification requires 1,159 such calls. These operations are slower than classical alternatives like ECDSA, where signing and verification typically complete in microseconds on modern hardware, but hash-based methods benefit from high parallelizability since hashes can be computed independently across cores.[34][29][32]
Key trade-offs arise between stateful and stateless designs. Stateful approaches, such as XMSS and LMS, offer smaller signatures (e.g., 2.5 KB vs. 30 KB) and faster operations (e.g., 3-5x quicker verification than SPHINCS+ equivalents) at the expense of requiring careful state tracking to prevent key reuse, introducing deployment risks like synchronization failures in distributed systems. Stateless variants like SPHINCS+ eliminate state management, simplifying deployment and removing the risk of state-reuse failures, but incur 10-20x larger signatures and higher computational costs due to randomized hypertree sampling. Compared to RSA or ECC-based schemes, hash-based signatures have 10-100x larger sizes and 10-100x slower speeds but provide quantum resistance without relying on unproven hard problems.[32][17][34]
Optimizations focus on parameter selection and hardware support. Tuning tree height (h) or Winternitz parameter (w) balances security, size, and speed; for example, increasing w from 16 to 256 roughly halves the WOTS-related signature length but raises worst-case per-signature hash counts by close to an order of magnitude, as the calculation below illustrates. Hardware acceleration for underlying hashes (e.g., AES-NI for AES-based variants or SHA extensions) can yield 2-5x speedups in iteration-heavy operations, making schemes viable for constrained environments.[32][35]
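The trade-off can be checked directly from the WOTS chain-count formulas given earlier; the short sketch below (assuming a 256-bit hash and counting worst-case chain steps) reproduces the numbers behind this comparison.

```python
import math

N_BITS = 256        # message-digest length being signed
HASH_BYTES = 32     # size of one chain value

def wots_chains(w: int) -> int:
    # Chain count: message blocks plus checksum blocks (formulas from the WOTS section).
    l1 = math.ceil(N_BITS / math.log2(w))
    l2 = math.floor(math.log(l1 * (w - 1), w)) + 1
    return l1 + l2

for w in (4, 16, 256):
    chains = wots_chains(w)
    sig_bytes = chains * HASH_BYTES
    worst_case_hashes = chains * (w - 1)   # upper bound on chain steps per signature
    print(f"w={w:>3}: {chains} chains, {sig_bytes} bytes per WOTS signature, "
          f"<= {worst_case_hashes} hash calls")
```

For a 256-bit digest this gives 133, 67, and 34 chains for w = 4, 16, and 256, respectively, so moving from w = 16 to w = 256 roughly halves the WOTS signature while multiplying the worst-case hash count by about 8.6.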
As of 2025, benchmarks on modern CPUs (e.g., Intel Xeon with AVX2) show SPHINCS+-256s verification times around 1 ms, with signing at 50-100 ms, reflecting improvements from optimized implementations but still lagging ECDSA by 10-50x in verification latency. Stateful schemes like XMSS achieve sub-millisecond verification for smaller parameters, underscoring their efficiency in low-volume scenarios.[36][37]
Standardization and Implementations
NIST Post-Quantum Standards
The National Institute of Standards and Technology (NIST) initiated its post-quantum cryptography (PQC) standardization process with a call for proposals on December 20, 2016, following the release of NISTIR 8105 in April 2016.[6] The process involved multiple rounds of evaluation from 2017 to 2022, culminating in the selection of hash-based signature schemes as part of the broader PQC efforts to address quantum threats.[6] For hash-based signatures, NIST finalized standards for stateful schemes earlier through RFCs and special publications, while stateless variants progressed through the main PQC rounds.
In August 2024, NIST published FIPS 205, specifying the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA), which is based on the SPHINCS+ scheme.[5] SLH-DSA provides three security levels corresponding to NIST categories 1 (128-bit), 3 (192-bit), and 5 (256-bit) post-quantum security.[27] It employs hash functions such as SHA-256 or SHAKE (from the KECCAK family) and defines 12 parameter sets, differentiated by the suffixes "s" (small), giving smaller signatures with slower signing, and "f" (fast), giving faster signing at the cost of larger signatures; for example, the SLH-DSA-SHA2-128s set uses a 32-byte public key and produces signatures of approximately 7.8 KB.[27][38]
Stateful hash-based signatures were standardized separately, with NIST approving the Leighton-Micali Signature (LMS) scheme in RFC 8554 (published May 2019) and the eXtended Merkle Signature Scheme (XMSS) in RFC 8391 (published August 2018).[20][29] NIST SP 800-208, released in October 2020, profiles these schemes and their hierarchical variants (HSS for LMS and XMSS^MT for XMSS), approving parameter sets for security levels 2 through 5 based on tree heights and hash output sizes (192 or 256 bits using SHA-256 or SHAKE256).[1] Examples include LMS_SHA256_M32_H10 for level 2 (with height 10 allowing up to 2^10 signatures) and XMSS^MT-SHA2_20/2_256 for level 2 multi-tree configurations.[1]
NIST's selection of hash-based schemes emphasized conservatism, relying solely on the security of well-studied hash functions without dependence on number-theoretic assumptions; reasonable computational cost and compact public keys, despite larger signature sizes; and the absence of patent encumbrances to ensure broad adoption.[39]
As of November 2025, FIPS 205 remains the standard for SLH-DSA, with NIST continuing validation testing and implementation guidance, alongside ongoing support for LMS and XMSS in federal systems.[5][1]
Practical Deployments
Hash-based cryptography has seen practical implementations in various software libraries, enabling developers to integrate these schemes into applications for post-quantum security. The Open Quantum Safe (OQS) project provides liboqs, an open-source C library that supports hash-based signature schemes such as XMSS and SPHINCS+, facilitating experimentation and prototyping in protocols like TLS. Bouncy Castle, a widely used Java cryptography library, incorporated support for XMSS and SPHINCS+ in its updates, allowing seamless integration into Java-based systems for post-quantum digital signatures. Similarly, Cloudflare's CIRCL library for the Go programming language includes implementations of SPHINCS+ and related hash-based primitives, optimized for performance in cloud environments.[41]
Hardware acceleration enhances the efficiency of hash-based schemes, particularly through optimized implementations of the underlying hash functions. On Intel processors, software libraries use AVX2 and AVX-512 vector instructions to speed up Keccak (SHA-3) computations, reducing the overhead of signature generation and verification. ARM architectures offer cryptographic extensions that accelerate SHA-2 and, from Armv8.2-A onward, SHA-3 operations, as in recent Cortex-A processors, supporting efficient deployment on mobile and embedded devices. Recent FPGA prototypes have demonstrated speedups for SPHINCS+, with research achieving up to 5x improvement in verification throughput compared to CPU baselines as of 2025, making these schemes viable for resource-constrained hardware.[42] These hardware advancements complement NIST's standards for XMSS, LMS, and SLH-DSA.
Real-world deployments of hash-based signatures remain limited as of November 2025, primarily because their large signatures strain bandwidth and storage in existing protocols; the largest SPHINCS+ parameter sets, for instance, produce signatures exceeding 40 KB. Experimental integrations in protocols like TLS have therefore focused on hybrid approaches that combine hash-based with classical signatures such as ECDSA, allowing gradual adoption while preserving security margins during transition periods. In blockchain contexts, discussions around quantum-resistant signatures continue, but no widespread pilots in major layer-2 solutions like Optimism have been confirmed. Looking ahead, NIST's post-quantum migration guidance anticipates widespread adoption of standardized hash-based schemes by 2030, driven by regulatory mandates and maturing implementations. Experimental support for schemes like XMSS in projects such as OpenSSH has reportedly been discontinued in late 2025 releases.[43]