Hash-based cryptography: Difference between revisions

Jschauma (talk | contribs)
m use previously defined ref
WikiCleanerBot (talk | contribs)
m v2.05b - Bot T20 CW#61 - Fix errors for CW project (Reference before punctuation - Link equal to linktext)
One consideration with hash-based signature schemes is that each key pair can sign only a limited number of messages securely, because the schemes are built from one-time signature schemes. The US [[National Institute of Standards and Technology]] (NIST) required that signature algorithms submitted to its [[post-quantum cryptography]] standardization process safely support a minimum of 2{{Superscript|64}} signatures per key pair.<ref>{{Cite web |title=Submission Requirements and Evaluation Criteria for the Post-Quantum Cryptography Standardization Process |url=https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryptography/documents/call-for-proposals-final-dec-2016.pdf |website=NIST CSRC}}</ref>
 
In 2022, NIST announced [[SPHINCS+]] as one of three algorithms to be standardized for digital signatures.<ref>{{Cite web |date=2022-07-05 |title=NIST announces four quantum-resistant algorithms |url=https://venturebeat.com/2022/07/05/nist-post-quantum-cryptography-standard/ |access-date=2022-07-10 |website=VentureBeat |language=en-US}}</ref> In 2020, NIST had already standardized the stateful hash-based schemes [[eXtended Merkle Signature Scheme]] (XMSS) and [[Leighton–Micali Signatures]] (LMS),<ref name="rfc8554"/> which are applicable in different circumstances, but noted that the requirement to maintain state (the signer must record which one-time keys it has used and must never sign with one twice, for example after its state is restored from a backup) makes them more difficult to implement in a way that avoids misuse.<ref>{{Cite web|url=https://csrc.nist.gov/news/2019/stateful-hbs-request-for-public-comments|title=Request for Public Comments on Stateful HBS {{!}} CSRC|last=Computer Security Division|first=Information Technology Laboratory|date=2019-02-01|website=CSRC {{!}} NIST|language=EN-US|access-date=2019-02-04}}</ref><ref>{{Cite journal |last1=Alagic |first1=Gorjan |last2=Apon |first2=Daniel |last3=Cooper |first3=David |last4=Dang |first4=Quynh |last5=Dang |first5=Thinh |last6=Kelsey |first6=John |last7=Lichtinger |first7=Jacob |last8=Miller |first8=Carl |last9=Moody |first9=Dustin |last10=Peralta |first10=Rene |last11=Perlner |first11=Ray |date=2022-07-05 |title=Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process |doi=10.6028/NIST.IR.8413-upd1 |url=https://csrc.nist.gov/publications/detail/nistir/8413/final |language=en}}</ref><ref>{{Cite journal |last1=Cooper |first1=David |last2=Apon |first2=Daniel |last3=Dang |first3=Quynh |last4=Davidson |first4=Michael |last5=Dworkin |first5=Morris |last6=Miller |first6=Carl |date=2020-10-29 |title=Recommendation for Stateful Hash-Based Signature Schemes |doi=10.6028/NIST.SP.800-208 |url=https://csrc.nist.gov/publications/detail/sp/800-208/final |language=en}}</ref>
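As an added illustration of both points above (one-time keys cap the number of signatures per key pair, and a stateful scheme must track which keys it has used), the following Python is not code from XMSS, LMS or any implementation cited on this page. It builds Lamport one-time signatures under a small Merkle tree, a signer whose only state is the index of the next unused leaf, and an attacker routine that forges a signature once a leaf has signed twice. The seed, messages, tree heights and the 16-bit digest used in the reuse demonstration are constructed for the example; deployed schemes use Winternitz chains rather than Lamport pairs, but the failure on reuse is the same.

```python
# Added illustration (not XMSS/LMS reference code): Lamport one-time signatures under a
# small Merkle tree, a signer that tracks which leaf it has used, and what reuse costs.
import hashlib

def H(*parts):
    """Domain-separated SHA-256 over the concatenation of the given byte strings."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()

def msg_bits(msg, n):
    """First n bits of SHA-256(msg) as a 0/1 list; n=256 is full strength."""
    d = int.from_bytes(H(b"msg", msg), "big") >> (256 - n)
    return [(d >> (n - 1 - i)) & 1 for i in range(n)]

def ots_keygen(seed, leaf, n):
    """Lamport key for one leaf: n pairs of secret preimages (sk) and their hashes (pk)."""
    sk = [[H(b"sk", seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
           for b in (0, 1)] for i in range(n)]
    return sk, [[H(b"pk", x) for x in pair] for pair in sk]

def ots_sign(sk, msg, n):
    """Reveal one preimage per message bit; a second message leaks the other side."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg, n))]

def ots_verify(pk, msg, sig, n):
    return len(sig) == n and all(H(b"pk", s) == pk[i][b]
                                 for i, (b, s) in enumerate(zip(msg_bits(msg, n), sig)))

def leaf_hash(pk):
    return H(b"leaf", *[x for pair in pk for x in pair])

class MerkleSigner:
    """2**height one-time leaves under one root; next_leaf is the state that must be
    persisted before a signature is released and must never be rolled back."""
    def __init__(self, seed, height, n=256):
        self.height, self.n = height, n
        self.keys = [ots_keygen(seed, i, n) for i in range(2 ** height)]
        level = [leaf_hash(pk) for _, pk in self.keys]
        self.levels = [level]
        while len(level) > 1:
            level = [H(b"node", level[j], level[j + 1]) for j in range(0, len(level), 2)]
            self.levels.append(level)
        self.root, self.next_leaf = level[0], 0

    def sign(self, msg):
        if self.next_leaf >= 2 ** self.height:
            raise RuntimeError("key exhausted: every one-time leaf has been used")
        idx, self.next_leaf = self.next_leaf, self.next_leaf + 1  # advance before returning
        return self.sign_with_leaf(idx, msg)

    def sign_with_leaf(self, idx, msg):
        """Signature = (leaf index, Lamport signature, Lamport public key, auth path)."""
        sk, pk = self.keys[idx]
        auth, j = [], idx
        for lvl in self.levels[:-1]:
            auth.append(lvl[j ^ 1])
            j >>= 1
        return idx, ots_sign(sk, msg, self.n), pk, auth

def merkle_verify(root, height, n, msg, sig):
    idx, ots_sig, pk, auth = sig
    if not (0 <= idx < 2 ** height and len(auth) == height) or not ots_verify(pk, msg, ots_sig, n):
        return False
    node = leaf_hash(pk)
    for sibling in auth:  # recompute the root from the leaf upward
        node = H(b"node", sibling, node) if idx & 1 else H(b"node", node, sibling)
        idx >>= 1
    return node == root

def forge_after_reuse(signed, n, attempts=1 << 20):
    """Attacker: pool the preimages one reused Lamport key revealed, then search for a
    fresh message whose digest bits are all covered. Returns (msg, ots_sig) or None."""
    known = [{} for _ in range(n)]
    for msg, ots_sig in signed:
        for i, (b, s) in enumerate(zip(msg_bits(msg, n), ots_sig)):
            known[i][b] = s
    for k in range(attempts):
        cand = b"forged-" + k.to_bytes(4, "big")
        bits = msg_bits(cand, n)
        if all(b in known[i] for i, b in enumerate(bits)):
            return cand, [known[i][b] for i, b in enumerate(bits)]
    return None

def demo():
    # Normal use: four leaves, full 256-bit digests, state advanced on every signature.
    signer = MerkleSigner(b"constructed demo seed", height=2)
    msgs = [b"msg %d" % i for i in range(4)]
    sigs = [signer.sign(m) for m in msgs]
    all_valid = all(merkle_verify(signer.root, 2, 256, m, s) for m, s in zip(msgs, sigs))
    tampered_rejected = not merkle_verify(signer.root, 2, 256, b"msg 9", sigs[0])
    try:
        signer.sign(b"one too many")
        exhausted = False
    except RuntimeError:
        exhausted = True
    # Misuse: state rolled back (e.g. signer restored from backup), so leaf 0 signs twice.
    # n=16 only so the brute-force search is quick; at n=256 the same preimages leak.
    toy = MerkleSigner(b"constructed demo seed", height=1, n=16)
    m1, m2 = b"pay alice 1", b"pay alice 2"
    s1, s2 = toy.sign_with_leaf(0, m1), toy.sign_with_leaf(0, m2)
    forged = forge_after_reuse([(m1, s1[1]), (m2, s2[1])], 16)
    forgery_verifies = forged is not None and merkle_verify(
        toy.root, 1, 16, forged[0], (0, forged[1], s1[2], s1[3]))
    return all_valid, tampered_rejected, exhausted, forgery_verifies

if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

`sign()` advances `next_leaf` before the signature is handed out; in a deployed signer that counter (or its equivalent in XMSS and LMS) must be written to durable storage at the same point, since any copy of the state that lags behind, including a backup, lets `sign_with_leaf()` be repeated for a leaf that has already been used, which is exactly the situation `forge_after_reuse()` exploits.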
 
== History ==
 
== Implementations ==
The XMSS, GMSS and SPHINCS schemes are available in the Java [[Bouncy Castle (cryptography)|Bouncy Castle]] cryptographic APIs.<ref>{{cite web|title=bcgit/bc-java|url=https://github.com/bcgit/bc-java/tree/master/core/src/main/java/org/bouncycastle/pqc/crypto|website=GitHub|language=en|date=2018-12-18}}</ref> LMS<ref>{{cite web|title=wolfCrypt implementations of LMS/HSS and XMSS/XMSS^MT signatures: build options and benchmarks (Intel x86)|url=https://www.wolfssl.com/wolfcrypt-implementations-of-lms-hss-and-xmss-xmssmt-signatures-build-options-and-benchmarks-intel-x86/|website=wolfSSL|language=en|date=2024-06-18}}</ref> and XMSS schemes are available in the [[wolfSSL|wolfSSL]] cryptographic APIs.<ref>{{cite web|title=wolfSSL/wolfssl|url=https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/lms.h|website=GitHub|language=en|date=2023-11-22}}</ref> SPHINCS is implemented in the SUPERCOP benchmarking toolkit.<ref>{{cite web|title=SUPERCOP|url=http://bench.cr.yp.to/supercop.html|access-date=2017-05-31|archive-url=https://web.archive.org/web/20150215055126/http://bench.cr.yp.to/supercop.html|archive-date=2015-02-15|url-status=dead}}</ref> Optimised<ref>{{cite web|title=Code|url=https://huelsing.wordpress.com/code/|website=Andreas Hülsing|access-date=2017-05-31|archive-date=2017-08-22|archive-url=https://web.archive.org/web/20170822224019/https://huelsing.wordpress.com/code/|url-status=dead}}</ref> and unoptimised<ref>{{cite web|title=squareUP > Publications|url=http://www.pqsignatures.org/index/publications.html#code|website=www.pqsignatures.org|language=en-gb}}</ref> reference implementations of the XMSS RFC exist. 
The LMS scheme has been implemented in Python<ref>{{cite web|last1=David|first1=McGrew|title=The hash-sigs package: an implementation of the Leighton–Micali Hierarchical Signature System (HSS).|url=https://github.com/davidmcgrew/hash-sigs/|website=GitHub|language=en|date=2018-05-29}}</ref> and in C<ref>{{cite web|last1=David|first1=McGrew|title=A full-featured implementation of the LMS and HSS Hash Based Signature Schemes from draft-mcgrew-hash-sigs-07.|url=https://github.com/cisco/hash-sigs|website=GitHub|language=en|date=2018-11-22}}</ref> following its Internet-Draft.
 
== References ==