NIST has published a new standard, SP 800-208, which recommends the use of two stateful hash-based signature schemes: XMSS and LMS. These schemes are secure against quantum computers but require careful state management. The standard profiles LMS, XMSS, and their multi-tree variants, approving some but not all parameter sets defined in RFCs 8391 and 8554. The approved parameter sets use SHA-256 or SHAKE256 with 192- or 256-bit outputs. The standard also requires key and signature generation to be performed in hardware cryptographic modules that do not allow secret keying material to be exported.
Keywords: Post-quantum, Digital Signature, Cryptography, Hash-Based Signature, Quantum Computer
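To show concretely what "stateful" means here, an added toy example (not code from SP 800-208 or RFCs 8391/8554, and simplified relative to real LMS/XMSS, which use Winternitz one-time signatures and domain-separated hashing): Lamport one-time keys under a Merkle tree, with a leaf counter that is advanced before the signature is released and that refuses to sign once every one-time key has been used. All names are this example's own.

```python
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

def ots_keygen(n_bits=256):
    # Lamport one-time key: two random preimages per message-digest bit (toy; not the LMS/XMSS OTS).
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(n_bits)]
    return sk, [(H(a), H(b)) for a, b in sk]

def ots_pk_hash(pk): return H(b"".join(a + b for a, b in pk))
def bit(d, i): return (d[i // 8] >> (7 - i % 8)) & 1

def ots_sign(sk, msg):
    d = H(msg)
    return [sk[i][bit(d, i)] for i in range(256)]  # reveal one preimage per bit

def ots_verify(pk, msg, sig):
    d = H(msg)
    return all(H(sig[i]) == pk[i][bit(d, i)] for i in range(256))

class StatefulSigner:
    """Merkle tree over 2**h one-time keys; next_leaf is the state that must never be reused."""
    def __init__(self, h=3):
        self.h = h
        self.sks, self.pk_leaves = zip(*[ots_keygen() for _ in range(2 ** h)])
        self.levels = [[ots_pk_hash(pk) for pk in self.pk_leaves]]
        while len(self.levels[-1]) > 1:  # build the tree bottom-up
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]  # the public key
        self.next_leaf = 0

    def sign(self, msg):
        idx = self.next_leaf
        if idx >= 2 ** self.h:
            raise RuntimeError("key exhausted: every one-time key has been used")
        self.next_leaf = idx + 1  # commit the new state BEFORE the signature leaves the module
        path, node = [], idx
        for lvl in self.levels[:-1]:  # authentication path: sibling at each level
            path.append(lvl[node ^ 1])
            node >>= 1
        return idx, self.pk_leaves[idx], ots_sign(self.sks[idx], msg), path

def verify(root, msg, sig):
    idx, pk, ots_sig, path = sig
    if not ots_verify(pk, msg, ots_sig):
        return False
    node, cur = idx, ots_pk_hash(pk)
    for sib in path:  # recompute the root from the leaf and its path
        cur = H(cur + sib) if node % 2 == 0 else H(sib + cur)
        node >>= 1
    return cur == root
```

In a real deployment the counter update must be durably persisted (and, per the standard, kept inside the hardware module) before the signature is output; a restored backup or cloned module that rewinds the counter is exactly the failure the state requirement exists to prevent.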