Hash-based cryptography: Difference between revisions

Cdcdb (talk | contribs)
In addition to Merkle's seminal scheme, more recent hash-based signature schemes include the XMSS scheme, the Leighton-Micali scheme (LMS) and the SPHINCS scheme. Most hash-based signature schemes are [[State (computer science)|stateful]], meaning that signing requires updating the secret key, unlike conventional digital signature schemes. For stateful hash-based signature schemes, signing requires keeping track of which one-time keys have already been used and making sure they are never reused. The XMSS and LMS schemes are stateful, while the SPHINCS scheme is stateless. SPHINCS signatures are larger than XMSS and LMS signatures. In addition to the WOTS+ one-time signature scheme, SPHINCS also uses a few-time (hash-based) signature scheme called HORST. HORST is an improvement of an older few-time signature scheme, HORS (Hash to Obtain Random Subset).<ref>{{cite journal|last1=Reyzin|first1=Leonid|last2=Reyzin|first2=Natan|title=Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying|journal=Lecture Notes in Computer Science|date=2002|volume=2384|issue=Information Security and Privacy|pages=144–153|doi=10.1007/3-540-45450-0_11|url=https://link.springer.com/chapter/10.1007/3-540-45450-0_11|publisher=Springer, Berlin, Heidelberg|language=en}}</ref>
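As an added illustration, not code from the article or from any of the schemes it cites: a toy HORS few-time signature in Python, wrapped in a stateful signer that enforces a signing budget, plus a helper showing how much of the secret key each signature reveals. The parameters T=256, K=16, SHA-256 and the budget of 2 are assumptions chosen for readability, not the parameters of SPHINCS or HORST.

```python
import hashlib
import secrets

# Toy parameters (assumed, not the SPHINCS HORST ones): T secrets, K revealed per signature.
T = 256  # with T == 256 one digest byte selects one index
K = 16
SEED_LEN = 32

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def hors_keygen():
    """Secret key: T random values; public key: their hashes (SPHINCS further
    compresses the public key with a Merkle tree, which this toy omits)."""
    sk = [secrets.token_bytes(SEED_LEN) for _ in range(T)]
    return sk, [H(s) for s in sk]

def hors_subset(message: bytes) -> list:
    """Hash to Obtain Random Subset: the first K digest bytes name the revealed indices."""
    return list(H(message)[:K])

def hors_sign(sk: list, message: bytes) -> list:
    # The signature reveals the K secrets selected by the message digest.
    return [sk[i] for i in hors_subset(message)]

def hors_verify(pk: list, message: bytes, sig: list) -> bool:
    idx = hors_subset(message)
    return len(sig) == K and all(H(s) == pk[i] for i, s in zip(idx, sig))

class FewTimeSigner:
    """Stateful wrapper: every signature leaks K of the T secrets, so the key must be
    retired after a small budget. The counter is the state a signer has to persist."""

    def __init__(self, budget: int = 2):
        self.sk, self.pk = hors_keygen()
        self.budget, self.used = budget, 0

    def sign(self, message: bytes) -> list:
        if self.used >= self.budget:
            raise RuntimeError("few-time key exhausted: generate a fresh key pair")
        self.used += 1
        return hors_sign(self.sk, message)

def revealed_fraction(messages: list) -> float:
    """Fraction of secret-key indices an observer learns from signatures on these messages."""
    seen = set()
    for m in messages:
        seen.update(hors_subset(m))
    return len(seen) / T
```

Running `revealed_fraction` over the messages a key has signed makes the few-time limitation concrete: each signature exposes up to K/T of the secret key, which is why the budget, and the state that tracks it, cannot be dropped.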
 
Two [[Internet Research Task Force|IRTF]] [[Internet Draft]]s on stateful hash-based schemes (XMSS/XMSS<sup>''MT''</sup> and LMS) are currently active.<ref>{{cite web|last1=Hülsing|first1=Andreas|last2=Butin|first2=Denis|last3=Gazdag|first3=Stefan|last4=Mohaisen|first4=Aziz|title=draft-irtf-cfrg-xmss-hash-based-signatures-09 - XMSS: Extended Hash-Based Signatures|url=https://datatracker.ietf.org/doc/draft-irtf-cfrg-xmss-hash-based-signatures/|website=datatracker.ietf.org|publisher=IETF|language=en}}</ref><ref>{{cite web|last1=McGrew|first1=David|last2=Curcio|first2=Michael|last3=Fluhrer|first3=Scott|title=draft-mcgrew-hash-sigs-06 - Hash-Based Signatures|url=https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/|website=datatracker.ietf.org|publisher=IETF|language=en}}</ref> Practical improvements have been proposed in the literature that alleviate the concerns introduced by stateful schemes.<ref>{{cite journal|last1=McGrew|first1=David|last2=Kampanakis|first2=Panos|last3=Fluhrer|first3=Scott|last4=Gazdag|first4=Stefan-Lukas|last5=Butin|first5=Denis|last6=Buchmann|first6=Johannes|title=State Management for Hash-Based Signatures|journal=Security Standardisation Research|date=2016|volume=10074|pages=244–260|doi=10.1007/978-3-319-49100-4_11|url=http://link.springer.com/chapter/10.1007/978-3-319-49100-4_11|publisher=Springer, Cham|language=en}}</ref> Hash functions appropriate for these schemes include [[SHA-2]], [[SHA-3]] and [[BLAKE (hash function)|BLAKE]].
 
==References==