Project Details

We aim to ease and encourage the concrete use of hash-based signatures by addressing a number of practical issues that have not been tackled so far.

Statefulness and PKI Integration

A peculiarity of hash-based signatures is the necessity of dealing with statefulness. Hash-based signatures rely on Merkle trees, which combine many one-time signature keys in a single structure. A one-time signature key must never be used for more than one message: a second signature under the same key reveals further secret values and enables forgeries. It is therefore crucial to keep track of the index of the next unused one-time key, so that signing never reuses one. This makes hash-based signature schemes stateful: the private key changes with every signature, and any copy of it that does not see this change (an old backup, a second signing node) will reuse spent keys. In a sense, private signing keys become critical resources. This issue does not arise with commonly used signature schemes, and cryptographic libraries do not account for it. A key conceptual task therefore consists in investigating the best approaches to dealing with statefulness, depending on the use case at hand. Choices in this regard have major security and performance implications. This part of the project aims to clarify optimal approaches for different use cases and analyse their consequences.
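As an added illustration (not the project's code), the following Python sketch builds a toy Merkle signature scheme from Lamport one-time keys and shows the state handling described above: the index of the next unused one-time key is written to disk, with fsync and an atomic rename, before a signature is produced, so a crash can waste a leaf but never reuse one, and signing is refused once the tree is exhausted. The Lamport OTS, the seed-to-key derivation, the state file format and the constructed messages are simplifications chosen for the example; XMSS uses WOTS+ and its own key derivation.

```python
import hashlib
import json
import os
import secrets
import tempfile

N = 32           # SHA-256 output length in bytes
BITS = 8 * N     # one Lamport secret pair per digest bit

class KeyExhausted(Exception): pass  # every one-time key in the tree has been spent

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def ots_keypair(seed: bytes, index: int):
    """Lamport one-time key number `index`, derived from the seed (assumed PRF:
    SHA-256 over seed || index || bit || position; not the XMSS derivation)."""
    sk = [[h(seed, index.to_bytes(4, "big"), bytes([bit]), pos.to_bytes(2, "big"))
           for pos in range(BITS)] for bit in (0, 1)]
    return sk, [[h(x) for x in row] for row in sk]

def ots_leaf(pk) -> bytes:
    return h(*pk[0], *pk[1])

def msg_bits(msg: bytes):
    d = h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]

def ots_sign(sk, msg: bytes):
    return [sk[bit][pos] for pos, bit in enumerate(msg_bits(msg))]

def ots_verify(pk, msg: bytes, sig) -> bool:
    return all(h(s) == pk[bit][pos]
               for pos, (bit, s) in enumerate(zip(msg_bits(msg), sig)))

def tree_levels(leaves):
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([h(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def auth_path(levels, index: int):
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[index ^ 1])
        index >>= 1
    return path

def root_from_path(leaf: bytes, index: int, path) -> bytes:
    node = leaf
    for sibling in path:
        node = h(sibling, node) if index & 1 else h(node, sibling)
        index >>= 1
    return node

def _save_state(path: str, state: dict) -> None:
    """fsync + atomic rename: a crash leaves the old or the new state, never a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def leaves(seed: bytes, height: int):
    return [ots_leaf(ots_keypair(seed, i)[1]) for i in range(1 << height)]

def keygen(height: int, state_path: str) -> bytes:
    """Create a stateful key with 2**height one-time keys; returns the public root."""
    seed = secrets.token_bytes(N)
    _save_state(state_path, {"seed": seed.hex(), "height": height, "next": 0})
    return tree_levels(leaves(seed, height))[-1][0]

def sign(state_path: str, msg: bytes):
    with open(state_path) as f:
        st = json.load(f)
    idx, height, seed = st["next"], st["height"], bytes.fromhex(st["seed"])
    if idx >= 1 << height:
        raise KeyExhausted(f"all {1 << height} one-time keys of {state_path} used")
    # Reserve the index on durable storage BEFORE computing the signature:
    # a crash after this point wastes one leaf, it can never reuse one.
    _save_state(state_path, {**st, "next": idx + 1})
    sk, pk = ots_keypair(seed, idx)
    return idx, pk, ots_sign(sk, msg), auth_path(tree_levels(leaves(seed, height)), idx)

def verify(root: bytes, msg: bytes, sig) -> bool:
    idx, pk, ots_sig, path = sig
    return ots_verify(pk, msg, ots_sig) and root_from_path(ots_leaf(pk), idx, path) == root

def demo(height: int = 2):
    """Sign until the key is spent. Returns (all signatures verify, indices used,
    a signature verifies against the wrong message, further signing refused)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "toy-merkle.state")
        root = keygen(height, path)
        msgs = [b"constructed firmware image %d" % i for i in range(1 << height)]
        sigs = [sign(path, m) for m in msgs]
        ok = all(verify(root, m, s) for m, s in zip(msgs, sigs))
        cross = verify(root, msgs[0], sigs[1])
        try:
            sign(path, b"one signature too many")
            refused = False
        except KeyExhausted:
            refused = True
    return ok, [s[0] for s in sigs], cross, refused
```

The order inside sign() is the whole point: the state update is committed before the signature exists, which is the opposite of what a naive port of a stateless signing API would do. Anything that copies the state file (backups, VM snapshots, a second signer sharing the key) defeats this guarantee, which is why the choice of state-management strategy has to be made per use case.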

The specificities of hash-based signatures also warrant careful integration with Public Key Infrastructures. Certificate Authorities must be informed of key evolutions, for instance when a signing key has used up its one-time keys and a successor key must be certified.

Proof-of-concept Implementations

An implementation in an industrial setting is planned. XMSS(MT) will be integrated into genua's software update authentication system. This will allow us to investigate practical considerations in an example of a low-frequency signing application.

To foster widespread use, inclusion in cipher suites is essential. We aim to integrate XMSS(MT) in an open-source TLS implementation. Ideally, we would like to combine it with a post-quantum key exchange, since a quantum-safe signature alone does not make a TLS session quantum-safe. Commonly used TLS key exchange protocols, such as Diffie-Hellman and its ephemeral variant, are based on intractability assumptions (the discrete logarithm problem) which are not quantum-safe. Fortunately, some post-quantum key exchange protocols, such as lattice-based schemes, already exist.

Protocol integration in an S/MIME implementation is also part of the project. Furthermore, we would like to provide a variant of an SSH library with XMSS(MT) as part of its cipher suite. Open-source cryptographic libraries are widely used, so hash-based signatures should be available there, too. A prime candidate is Bouncy Castle.

Optimal Parameter Selection and Side-Channel Resistance

Another practical aspect is the selection of secure parameters for different use cases. Hash-based signature schemes have many parameters (hash output length, Winternitz parameter, tree height and, for XMSS(MT), the number of tree layers), offering numerous performance/security trade-offs: a higher tree allows more signatures but enlarges signatures and slows key generation, and a larger Winternitz parameter shrinks signatures at the cost of more hash computations. No parameter sets have been recommended by recognised organisations as of now. After defining requirements for common application scenarios, we will investigate optimal parameter choices for them. A step in this direction exists in previous work by Andreas Hülsing, using linearisation by the lambda method combined with the IBM CPLEX solver.
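To make the trade-off space concrete, here is an added Python example (not the project's tool, and not the linearisation/CPLEX approach mentioned above) that computes XMSS and XMSS^MT signature sizes from the formulas in RFC 8391 and filters a small grid of (w, h, d) choices against hypothetical requirements. The cost model for signing and key generation (worst-case WOTS+ chain steps per layer, 2^(h/d) leaves for the top-layer tree) and the grid of parameter values are deliberate simplifications chosen for the example.

```python
import math


def wots_len(n: int, w: int) -> int:
    """Number of n-byte hash chains in a WOTS+ signature (RFC 8391, section 3.1.1)."""
    log_w = int(math.log2(w))
    len1 = math.ceil(8 * n / log_w)
    len2 = math.floor(math.log2(len1 * (w - 1)) / log_w) + 1
    return len1 + len2


def xmss_sig_bytes(n: int, w: int, h: int) -> int:
    """Single-tree XMSS: 4-byte index, n-byte randomness, WOTS+ signature, auth path."""
    return 4 + n + wots_len(n, w) * n + h * n


def xmssmt_sig_bytes(n: int, w: int, h: int, d: int) -> int:
    """XMSS^MT: ceil(h/8)-byte index, n-byte randomness, d WOTS+ signatures and
    d authentication paths of h/d nodes each (h nodes in total)."""
    return math.ceil(h / 8) + n + (h + d * wots_len(n, w)) * n


def candidates(n: int, min_signatures: int, max_sig_bytes: int, max_keygen_leaves: int):
    """Enumerate (w, h, d) meeting the requirements under a simplified cost model
    (assumption): signing work ~ d worst-case WOTS+ chains of len*(w-1) steps each,
    key generation work ~ 2**(h/d) WOTS+ key generations for the top-layer tree."""
    out = []
    for w in (4, 16, 256):
        ln = wots_len(n, w)
        for h in (10, 16, 20, 40, 60):
            for d in (1, 2, 3, 4, 6, 8, 12):
                if h % d or 2 ** h < min_signatures:
                    continue
                size = xmss_sig_bytes(n, w, h) if d == 1 else xmssmt_sig_bytes(n, w, h, d)
                keygen_leaves = 2 ** (h // d)
                if size > max_sig_bytes or keygen_leaves > max_keygen_leaves:
                    continue
                out.append({"w": w, "h": h, "d": d, "sig_bytes": size,
                            "max_signatures": 2 ** h,
                            "sign_chain_steps": d * ln * (w - 1),
                            "keygen_leaves": keygen_leaves})
    # Smallest signature first; among equal sizes, the cheaper signer.
    return sorted(out, key=lambda c: (c["sig_bytes"], c["sign_chain_steps"]))


if __name__ == "__main__":
    # Hypothetical requirement: at least 2^20 signatures, signatures under 5000 bytes,
    # key generation bounded by 1024 leaf computations.
    for c in candidates(32, 2 ** 20, 5000, 2 ** 10):
        print(c)
```

The formulas reproduce the sizes listed in RFC 8391 (2500 bytes for XMSS-SHA2_10_256, 4963 bytes for XMSSMT-SHA2_20/2_256), which is a quick sanity check before trusting any further optimisation. Note how, under the hypothetical requirement above, the only way to get 2^20 signatures with a small top tree is to add layers, and each layer adds a full WOTS+ signature to the size.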

The resistance of hash-based signatures to side-channel attacks will be investigated. We plan to adopt a provable security approach. This involves analysing the leakage resilience of the pseudo-random key generation, i.e. of the derivation of the many one-time keys from a single secret seed. Existing contributions to this topic must be adapted to the specifics of XMSS(MT).

For hash-based signatures to become widely used, standardisation is essential. An IETF Internet-Draft on plain hash-based signatures already exists. We would like to see advanced variants such as XMSS(MT) represented in standards.