Standards Development

Scope

This document specifies mechanisms for hash-function-based digital signatures with appendix which do not require the signer to maintain a state. It defines how to generate keys, sign, and verify signatures using these mechanisms.

Purpose

Stateless hash-based signatures offer the full functionality of digital signatures while requiring only minimal security assumptions – a cryptographic hash function. Stateful hash-based signatures, as standardized in 14888-4, share the latter feature but require the signer to maintain a state, typically a counter, to know which parts of the signing key have already been used. This can cause problems when used in virtual machines when state is restored from backups as state reuse results in loss of security. Stateless hash-based signatures covered in this part avoid this problem.

 Based on a session held on March 13th, 2025, in Fairfax (USA) on PWI 25542, WG2 agreed with unanimous consent to propose a new project on standardizing stateless hash-based mechanisms. The only specific algorithm that will be standardized will be SLH-DSA (also known as FIPS 205 and with designers’ name SPHINCS+) with parameters for NIST security level 3 and higher. The session was specific to the contributions received on the CfC circulated as part of PWI 25542 on “Inclusion of digital signature schemes for Post-Quantum Cryptography in ISO/IEC standards” (cf. WG2 N3787, N3844, N3933, N3969).

As part of this, the experts confirmed their belief in the usefulness of standardizing digital signature schemes for Post-Quantum Cryptography. The experts agreed that a new part of the ISO/IEC 14888 standard on digital signatures with appendix is necessary. This new part (Part 6) will focus on stateless hash-based mechanisms.