Vigil Security, LLC

housley@vigilsec.com

Cisco Systems

sfluhrer@cisco.com

Amazon Web Services

kpanos@amazon.com

Cloudflare

bas@westerbaan.name

SEC lamps SLH-DSA is a stateless hash-based signature algorithm. This document specifies the conventions for using the SLH-DSA signature algorithm with the Cryptographic Message Syntax (CMS). In addition, the algorithm identifier and public key syntax are provided.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

• .  Introduction
  • .  ASN.1
  • .  Motivation
  • .  Terminology
• .  SLH-DSA Hash-Based Signature Algorithm Overview
• .  SLH-DSA Public Key Identifier
• .  Signed-Data Conventions
• .  Security Considerations
• .  Operational Considerations
• .  IANA Considerations
• .  References
  • .  Normative References
  • .  Informative References
• .  ASN.1 Module
• Acknowledgements
• Authors' Addresses

Introduction This document specifies the conventions for using the SLH-DSA hash-based signature algorithm with the Cryptographic Message Syntax (CMS) signed-data content type. SLH-DSA offers two signature modes: pure mode and pre-hash mode. SLH-DSA signature operations include a context string as input. The context string has a maximum length of 255 bytes. By default, the context string is the empty string. This document only specifies the use of pure mode with an empty context string for the CMS signed-data content type. SLH-DSA offers three security levels. The parameters for each of the security levels were chosen to provide 128 bits of security, 192 bits of security, and 256 bits of security. Separate algorithm identifiers have been assigned for SLH-DSA at each of these security levels. SLH-DSA is a stateless hash-based signature algorithm. Other hash-based signature algorithms are stateful, including Hierarchical Signature System (HSS) / Leighton-Micali Signatures (LMS) and eXtended Merkle Signature Scheme (XMSS) . Without the need for state kept by the signer, SLH-DSA is much less fragile than the stateful hash-based signature algorithms.

ASN.1 CMS values are generated with ASN.1 using the Basic Encoding Rules (BER) and the Distinguished Encoding Rules (DER) .

Motivation There have been recent advances in cryptanalysis and advances in the development of quantum computers. Each of these advances pose a threat to widely deployed digital signature algorithms. If Cryptographically Relevant Quantum Computers (CRQCs) are ever built, they will be able to break many of the public key cryptosystems currently in use, including RSA, DSA, Elliptic Curve Digital Signature Algorithm (ECDSA), and Edwards-curve Digital Signature Algorithm (EdDSA). A Post-Quantum Cryptosystem (PQC) is secure against quantum computers that have more than a trivial number of quantum bits (qu-bits). It is open to conjecture when it will be feasible to build such quantum computers; however, it is prudent to use cryptographic algorithms that remain secure if a CRQC is invented. SLH-DSA is a PQC signature algorithm.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

SLH-DSA Hash-Based Signature Algorithm Overview SLH-DSA is a stateless hash-based signature algorithm. SLH-DSA makes use of a few-time signature construction (Forest of Random Subsets (FORS)) and a hypertree. FORS signs a message with a private key. The corresponding FORS public keys are the leaves in k binary trees. The roots of these trees are hashed together to form a FORS root. SLH-DSA uses a one-time signature scheme called Winternitz One-Time Signature Plus (WOTS+). The FORS tree roots are signed by a WOTS+ private key. The corresponding WOTS+ public keys form the leaves in d-layers of Merkle subtrees in the SLH-DSA hypertree. The bottom layer of that hypertree signs the FORS roots with WOTS+.  The roots of the bottom Merkle subtrees are then signed with WOTS+ and the corresponding WOTS+ public keys form the leaves of the next-level-up subtree. Subtree roots are consequently signed by their corresponding subtree layers until the top subtree is reached. The top-layer subtree forms the hypertree root, which is trusted at the verifier. An SLH-DSA signature consists of the randomization string, the FORS signature, the WOTS+ signature in each layer, and the path to the root of each subtree until the root of the hypertree is reached. An SLH-DSA signature is verified using the FORS signature, the WOTS+ signatures, and the path to the root of each subtree. When reaching the root of the hypertree, the signature verifies only if it hashes to the pre-trusted root of the SLH-DSA hypertree. SLH-DSA is a stateless hash-based signature algorithm. Stateful hash-based signature schemes require that the WOTS+ private key (generated by using a state index) never be reused or the scheme loses its security. FORS is used at the bottom of the SLH-DSA hypertree. Security decreases if the same private key is used to sign two or more different messages, but security does not collapse, as is the case in stateful hash-based signature algorithms. Without the need for state kept by the signer to ensure it is not reused, SLH-DSA is much less fragile. SLH-DSA was designed to sign up to 2⁶⁴ messages and offers three security levels. The parameters of the SLH-DSA hypertree include the security parameter, the hash function, the tree height, the number of layers of subtrees, the Winternitz parameter of WOTS+, and the number of FORS trees and leaves in each. The parameters for each of the security levels were chosen to be at least as secure as a generic block cipher of 128, 192, or 256 bits.

SLH-DSA Public Key Identifier The AlgorithmIdentifier for an SLH-DSA public key MUST use one of the twelve id-slh-dsa object identifiers listed below, based on the security level used to generate the SLH-DSA hypertree, the small or fast version of the algorithm, and the use of SHA2 or SHAKE . For example, id-slh-dsa-shake-256s represents the 256-bit security level, the small version of the algorithm, and the use of SHAKE256. The parameters field of the AlgorithmIdentifier for the SLH-DSA public key MUST be absent. nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { sigAlgs 20 } id-slh-dsa-sha2-128f OBJECT IDENTIFIER ::= { sigAlgs 21 } id-slh-dsa-sha2-192s OBJECT IDENTIFIER ::= { sigAlgs 22 } id-slh-dsa-sha2-192f OBJECT IDENTIFIER ::= { sigAlgs 23 } id-slh-dsa-sha2-256s OBJECT IDENTIFIER ::= { sigAlgs 24 } id-slh-dsa-sha2-256f OBJECT IDENTIFIER ::= { sigAlgs 25 } id-slh-dsa-shake-128s OBJECT IDENTIFIER ::= { sigAlgs 26 } id-slh-dsa-shake-128f OBJECT IDENTIFIER ::= { sigAlgs 27 } id-slh-dsa-shake-192s OBJECT IDENTIFIER ::= { sigAlgs 28 } id-slh-dsa-shake-192f OBJECT IDENTIFIER ::= { sigAlgs 29 } id-slh-dsa-shake-256s OBJECT IDENTIFIER ::= { sigAlgs 30 } id-slh-dsa-shake-256f OBJECT IDENTIFIER ::= { sigAlgs 31 } When this AlgorithmIdentifier appears in the SubjectPublicKeyInfo field of an X.509 certificate , the certificate key usage extension MAY contain digitalSignature, nonRepudiation, keyCertSign, and cRLSign; the certificate key usage extension MUST NOT contain other values. pk-slh-dsa-sha2-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } SLH-DSA-PublicKey ::= OCTET STRING (SIZE (32 | 48 | 64)) SLH-DSA-PrivateKey ::= OCTET STRING (SIZE (64 | 96 | 128)) No additional encoding of the SLH-DSA public key is applied in the SubjectPublicKeyInfo field of an X.509 certificate . No additional encoding of the SLH-DSA private key is applied in the PrivateKeyInfo field of the privateKey field of the OneAsymmetricKey type of an Asymmetric Key Package . When an SLH-DSA public key appears outside of a SubjectPublicKeyInfo type in an environment that uses ASN.1 encoding, the SLH-DSA public key can be encoded as an OCTET STRING by using the SLH-DSA-PublicKey type. When an SLH-DSA private key appears outside of an Asymmetric Key Package in an environment that uses ASN.1 encoding, the SLH-DSA private key can be encoded as an OCTET STRING by using the SLH-DSA-PrivateKey type.

Signed-Data Conventions As specified in CMS , the digital signature is produced from the message digest and the signer's private key. The signature is computed over different values depending on whether signed attributes are absent or present. When signed attributes are absent, the SLH-DSA (pure mode) signature is computed over the content. When signed attributes are present, a hash SHOULD be computed over the DER-encoded signed attributes using the same hash function that is used in the SLH-DSA tree. The signed attributes MUST include a content-type attribute and a message-digest attribute. The message-digest attribute contains the hash value of the content. The SLH-DSA signature is computed over the DER encoding of the set of signed attributes. The SLH-DSA signature-generation operation is called slh_sign; see Section 10.2.1 of . In summary: IF (signed attributes are absent) THEN slh_sign(content) ELSE signed attributes message-digest attribute = Hash(content); slh_sign(DER(SignedAttributes)) In some implementations, performance may be significantly improved by signing and verifying DER(SignedAttributes) when the content is large. That is, passing an entire large message content to the signing function or the signature validation function can have an impact on performance. When the signed attributes are present, requires the inclusion of the content-type attribute and the message-digest attribute. Other attributes can also be included. When using SLH-DSA and signed attributes are present in the SignerInfo, the digestAlgorithms field in the SignedData MUST include the identifier for the one-way hash function used to compute the message digest. When using SLH-DSA, the fields in the SignerInfo are used as follows:

digestAlgorithm:

The digestAlgorithm MUST identify a one-way hash function. When signed attributes are absent, the digestAlgorithm identifier SHOULD match the hash function used in the SLH-DSA tree (as shown in the list below). The digestAlgorithm does not have any significance when signed attributes are absent as it is not used to pre-hash the message. When there is a concern for failures with legacy implementations that do not support all hash functions, signers MAY choose to always use the SHA-256 algorithm identifier as the digestAlgorithm when signed attributes are absent. When signed attributes are present, to ensure collision resistance, the identified hash function MUST produce a hash value that is at least twice the size of the hash function used in the SLH-DSA tree. The hash functions defined in and MUST be supported for use with the variants of SLH-DSA as shown below: id-slh-dsa-sha2-128s: SHA-256 id-slh-dsa-sha2-128f: SHA-256 id-slh-dsa-sha2-192s: SHA-512 id-slh-dsa-sha2-192f: SHA-512 id-slh-dsa-sha2-256s: SHA-512 id-slh-dsa-sha2-256f: SHA-512 id-slh-dsa-shake-128s: SHAKE128 with 256-bit output id-slh-dsa-shake-128f: SHAKE128 with 256-bit output id-slh-dsa-shake-192s: SHAKE256 with 512-bit output id-slh-dsa-shake-192f: SHAKE256 with 512-bit output id-slh-dsa-shake-256s: SHAKE256 with 512-bit output id-slh-dsa-shake-256f: SHAKE256 with 512-bit output The object identifiers for SHA-256 and SHA-512 are included in . The object identifiers for SHAKE128 and SHAKE256 are included in . In all four cases, the AlgorithmIdentifier SHOULD NOT include parameters.

signatureAlgorithm:

The signatureAlgorithm MUST contain one of the SLH-DSA algorithm identifiers, and the algorithm parameters field MUST be absent. The algorithm identifier MUST be one of the following: id-slh-dsa-sha2-128s, id-slh-dsa-sha2-128f, id-slh-dsa-sha2-192s, id-slh-dsa-sha2-192f, id-slh-dsa-sha2-256s, id-slh-dsa-sha2-256f, id-slh-dsa-shake-128s, id-slh-dsa-shake-128f, id-slh-dsa-shake-192s, id-slh-dsa-shake-192f, id-slh-dsa-shake-256s, id-slh-dsa-shake-256f.

signature:

The signature contains the signature value resulting from the SLH-DSA signing operation with the parameters associated with the selected signatureAlgorithm. The SLH-DSA signature-generation operation is specified in Section 10.2.1 of , and the SLH-DSA signature verification operation is specified in Section 10.3 of . Signature verification MUST include checking that the signatureAlgorithm field identifies SLH-DSA parameters that are consistent with public key used to validate the signature.

Security Considerations Implementations MUST protect the private keys. Compromise of the private keys may result in the ability to forge signatures. When generating an SLH-DSA key pair, an implementation MUST generate each key pair independently of all other key pairs in the SLH-DSA hypertree. A SLH-DSA tree MUST NOT be used for more than 2⁶⁴ signing operations. The generation of private keys relies on random numbers. The use of inadequate Pseudorandom Number Generators (PRNGs) to generate these values can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the keys, searching the resulting small set of possibilities, rather than brute-force searching the whole key space. The generation of quality random numbers is difficult, and offers important guidance in this area. To avoid algorithm-substitution attacks, the CMSAlgorithmProtection attribute defined in SHOULD be included in signed attributes. Implementers should consider their particular use cases and may choose to implement optional fault-attack countermeasures . Verifying a signature before releasing the signature value is a typical fault-attack countermeasure; however, this countermeasure is not effective for SLH-DSA . Redundancy by replicating the signature-generation process MAY be used as an effective fault-attack countermeasure for SLH-DSA ; however, the SLH-DSA signature generation is already considered slow. Likewise, implementers should consider their particular use cases and may choose to implement protections against passive power and emissions side-channel attacks .

Operational Considerations If slh_sign is implemented in a hardware device such as Hardware Security Module (HSM) or portable cryptographic token, implementations can avoid sending the full content to the device. By including signed attributes, which necessarily include the message-digest attribute and the content-type attribute as described in , the much smaller set of signed attributes are sent to the device for signing. By including signed attributes in the SignerInfo, one can obtain similar interface characteristics to SLH-DSA in pre-hash mode. With pre-hash mode, the hash of the content is passed to the SLH-DSA signature operation instead of the full message content. By including signed attributes in the SignerInfo, a relatively small to-be-signed value is passed to the SLH-DSA signature operation. For this reason, SLH-DSA pre-hash mode is not specified for use with the CMS SignedData. Note SLH-DSA pre-hash mode always yields a different signature value than SLH-DSA pure mode, even if the to-be-signed content is the same. When using SLH-DSA in pure mode, it is not possible to single-pass process the content to verify a SignedData message that does not contain signed attributes. To assist recipients that might make use of stream-based APIs, implementers SHOULD include signed attributes within any SignerInfo that uses SLH-DSA as signature algorithm. Doing so allows the recipient implementation to avoid keeping the signed content in memory. Recall that when signed attributes are present, they MUST contain a content-type attribute and a message-digest attribute, and they SHOULD contain a CMSAlgorithmProtection attribute.

IANA Considerations For the ASN.1 Module in , IANA has assigned an Object Identifier (OID) for the module identifier (81) with a Description of "id-mod-slh-dsa-2024". The OID for the module has been allocated in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry.

References Normative References National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST) National Institute of Standards and Technology (NIST) In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms. Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK] This document describes the Cryptographic Message Syntax (CMS). This syntax is used to digitally sign, digest, authenticate, or encrypt arbitrary message content. [STANDARDS-TRACK] This document describes the conventions for using the Secure Hash Algorithm (SHA) message digest algorithms (SHA-224, SHA-256, SHA-384, SHA-512) with the Cryptographic Message Syntax (CMS). It also describes the conventions for using these algorithms with the CMS and the Digital Signature Algorithm (DSA), Rivest Shamir Adleman (RSA), and Elliptic Curve DSA (ECDSA) signature algorithms. Further, it provides SMIMECapabilities attribute values for each algorithm. [STANDARDS-TRACK] This document defines the syntax for private-key information and a content type for it. Private-key information includes a private key for a specified public-key algorithm and a set of attributes. The Cryptographic Message Syntax (CMS), as defined in RFC 5652, can be used to digitally sign, digest, authenticate, or encrypt the asymmetric key format content type. This document obsoletes RFC 5208. [STANDARDS-TRACK] The Cryptographic Message Syntax (CMS), unlike X.509/PKIX certificates, is vulnerable to algorithm substitution attacks. In an algorithm substitution attack, the attacker changes either the algorithm being used or the parameters of the algorithm in order to change the result of a signature verification process. In X.509 certificates, the signature algorithm is protected because it is duplicated in the TBSCertificate.signature field with the proviso that the validator is to compare both fields as part of the signature validation process. This document defines a new attribute that contains a copy of the relevant algorithm identifiers so that they are protected by the signature or authentication process. [STANDARDS-TRACK] RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document updates the "Cryptographic Message Syntax (CMS) Algorithms" (RFC 3370) and describes the conventions for using the SHAKE family of hash functions in the Cryptographic Message Syntax as one-way hash functions with the RSA Probabilistic Signature Scheme (RSASSA-PSS) and Elliptic Curve Digital Signature Algorithm (ECDSA). The conventions for the associated signer public keys in CMS are also described. ITU-T ITU-T Informative References Post-Quantum Cryptography (PQCrypto 2018), Lecture Notes in Computer Science, vol. 10786, pp. 165-184 IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2023, no. 2, pp. 80-114 Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space. Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. The Cryptographic Message Syntax (CMS) format, and many associated formats, are expressed using ASN.1. The current ASN.1 modules conform to the 1988 version of ASN.1. This document updates those ASN.1 modules to conform to the 2002 version of ASN.1. There are no bits-on-the-wire changes to any of the formats; this is simply a change to the syntax. This document is not an Internet Standards Track specification; it is published for informational purposes. This note describes the eXtended Merkle Signature Scheme (XMSS), a hash-based digital signature system that is based on existing descriptions in scientific literature. This note specifies Winternitz One-Time Signature Plus (WOTS+), a one-time signature scheme; XMSS, a single-tree scheme; and XMSS^MT, a multi-tree variant of XMSS. Both XMSS and XMSS^MT use WOTS+ as a main building block. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers. This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them. Cryptology ePrint Archive, Paper 2024/367

ASN.1 Module This ASN.1 Module builds upon the conventions established in . SLH-DSA-Module-2024 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) id-smime(16) id-mod(0) id-mod-slh-dsa-2024(81) } DEFINITIONS IMPLICIT TAGS ::= BEGIN EXPORTS ALL; IMPORTS PUBLIC-KEY, SIGNATURE-ALGORITHM, SMIME-CAPS FROM AlgorithmInformation-2009 -- in [RFC5911] { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-algorithmInformation-02(58) } ; -- -- Object Identifiers -- nistAlgorithms OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) csor(3) 4 } sigAlgs OBJECT IDENTIFIER ::= { nistAlgorithms 3 } id-slh-dsa-sha2-128s OBJECT IDENTIFIER ::= { sigAlgs 20 } id-slh-dsa-sha2-128f OBJECT IDENTIFIER ::= { sigAlgs 21 } id-slh-dsa-sha2-192s OBJECT IDENTIFIER ::= { sigAlgs 22 } id-slh-dsa-sha2-192f OBJECT IDENTIFIER ::= { sigAlgs 23 } id-slh-dsa-sha2-256s OBJECT IDENTIFIER ::= { sigAlgs 24 } id-slh-dsa-sha2-256f OBJECT IDENTIFIER ::= { sigAlgs 25 } id-slh-dsa-shake-128s OBJECT IDENTIFIER ::= { sigAlgs 26 } id-slh-dsa-shake-128f OBJECT IDENTIFIER ::= { sigAlgs 27 } id-slh-dsa-shake-192s OBJECT IDENTIFIER ::= { sigAlgs 28 } id-slh-dsa-shake-192f OBJECT IDENTIFIER ::= { sigAlgs 29 } id-slh-dsa-shake-256s OBJECT IDENTIFIER ::= { sigAlgs 30 } id-slh-dsa-shake-256f OBJECT IDENTIFIER ::= { sigAlgs 31 } -- -- Signature Algorithm, Public Key, and Private Key -- sa-slh-dsa-sha2-128s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-128s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-128s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-128s } } sa-slh-dsa-sha2-128f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-128f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-128f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-128f } } sa-slh-dsa-sha2-192s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-192s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-192s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-192s } } sa-slh-dsa-sha2-192f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-192f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-192f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-192f } } sa-slh-dsa-sha2-256s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-256s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-256s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-256s } } sa-slh-dsa-sha2-256f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-sha2-256f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-sha2-256f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-sha2-256f } } sa-slh-dsa-shake-128s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-128s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-128s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-128s } } sa-slh-dsa-shake-128f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-128f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-128f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-128f } } sa-slh-dsa-shake-192s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-192s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-192s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-192s } } sa-slh-dsa-shake-192f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-192f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-192f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-192f } } sa-slh-dsa-shake-256s SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-256s PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-256s } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-256s } } sa-slh-dsa-shake-256f SIGNATURE-ALGORITHM ::= { IDENTIFIER id-slh-dsa-shake-256f PARAMS ARE absent PUBLIC-KEYS { pk-slh-dsa-shake-256f } SMIME-CAPS { IDENTIFIED BY id-slh-dsa-shake-256f } } pk-slh-dsa-sha2-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-sha2-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-sha2-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-128f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-128f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-192f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-192f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256s PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256s -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } pk-slh-dsa-shake-256f PUBLIC-KEY ::= { IDENTIFIER id-slh-dsa-shake-256f -- KEY no ASN.1 wrapping -- CERT-KEY-USAGE { digitalSignature, nonRepudiation, keyCertSign, cRLSign } -- PRIVATE-KEY no ASN.1 wrapping -- } SLH-DSA-PublicKey ::= OCTET STRING (SIZE (32 | 48 | 64)) SLH-DSA-PrivateKey ::= OCTET STRING (SIZE (64 | 96 | 128)) -- -- Expand the signature algorithm set used by CMS [RFC5911] -- SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= { sa-slh-dsa-sha2-128s | sa-slh-dsa-sha2-128f | sa-slh-dsa-sha2-192s | sa-slh-dsa-sha2-192f | sa-slh-dsa-sha2-256s | sa-slh-dsa-sha2-256f | sa-slh-dsa-shake-128s | sa-slh-dsa-shake-128f | sa-slh-dsa-shake-192s | sa-slh-dsa-shake-192f | sa-slh-dsa-shake-256s | sa-slh-dsa-shake-256f, ... } -- -- Expand the S/MIME capabilities set used by CMS [RFC5911] -- SMimeCaps SMIME-CAPS ::= { sa-slh-dsa-sha2-128s.&smimeCaps | sa-slh-dsa-sha2-128f.&smimeCaps | sa-slh-dsa-sha2-192s.&smimeCaps | sa-slh-dsa-sha2-192f.&smimeCaps | sa-slh-dsa-sha2-256s.&smimeCaps | sa-slh-dsa-sha2-256f.&smimeCaps | sa-slh-dsa-shake-128s.&smimeCaps | sa-slh-dsa-shake-128f.&smimeCaps | sa-slh-dsa-shake-192s.&smimeCaps | sa-slh-dsa-shake-192f.&smimeCaps | sa-slh-dsa-shake-256s.&smimeCaps | sa-slh-dsa-shake-256f.&smimeCaps, ... } END

Acknowledgements Thanks to , , , , , , , , and for their careful review and constructive comments.

Authors' Addresses Vigil Security, LLC

housley@vigilsec.com

Cisco Systems

sfluhrer@cisco.com

Amazon Web Services

kpanos@amazon.com

Cloudflare

bas@westerbaan.name