Skip to main content

State Management for Hash-Based Signatures

Part of the Lecture Notes in Computer Science book series (LNSC,volume 10074)


The unavoidable transition to post-quantum cryptography requires dependable quantum-safe digital signature schemes. Hash-based signatures are well-understood and promising candidates, and the object of current standardization efforts. In the scope of this standardization process, the most commonly raised concern is statefulness, due to the use of one-time signature schemes. While the theory of hash-based signatures is mature, a discussion of the system security issues arising from the concrete management of their state has been lacking. In this paper, we analyze state management in N-time hash-based signature schemes, considering both security and performance, and categorize the security issues that can occur due to state synchronization failures. We describe a state reservation and nonvolatile storage, and show that it can be naturally realized in a hierarchical signature scheme. To protect against unintentional copying of the private key state, we consider a hybrid stateless/stateful scheme, which provides a graceful security degradation in the face of unintentional copying, at the cost of increased signature size. Compared to a completely stateless scheme, the hybrid approach realizes the essential benefits, with smaller signatures and faster signing.


  • Post-quantum cryptography
  • Hash-based signatures
  • Statefulness
  • System integration

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions


  1. 1.

    This allows for forward-secure constructions if used with the right schemes, e.g. special instantiations of XMSS using a forward-secure PRNG as shown by [2]. That way an attacker may get access to the secret key on a system but is not able to forge signatures using previous keys. A hash-based secret key is then to be seen just as secure as any other signing key that an attacker gets access to.

  2. 2.

    The authentication path is the sequence of tree nodes that a verifier needs to reconstruct the path to reach the root of the tree from a leaf.

  3. 3.

    Recall that the Winternitz parameter is used as a trade-off setting for the underlying one-time signature scheme.

  4. 4.

    Note that either of these two levels could themselves be hierarchical signature schemes.


  1. Bernstein, D.J., Hopwood, D., Hülsing, A., Lange, T., Niederhagen, R., Papachristodoulou, L., Schneider, M., Schwabe, P., Wilcox-O’Hearn, Z.: SPHINCS: practical stateless hash-based signatures. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 368–397. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_15

    Google Scholar 

  2. Buchmann, J., Dahmen, E., Hülsing, A.: XMSS - a practical forward secure signature scheme based on minimal security assumptions. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 117–129. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25405-5_8

    CrossRef  Google Scholar 

  3. Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007). doi:10.1007/978-3-540-72738-5_3

    CrossRef  Google Scholar 

  4. Buchmann, J., Dahmen, E., Schneider, M.: Merkle tree traversal revisited. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 63–78. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88403-3_5

    CrossRef  Google Scholar 

  5. Buchmann, J., García, L.C.C., Dahmen, E., Döring, M., Klintsevich, E.: CMSS – an improved Merkle signature scheme. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 349–363. Springer, Heidelberg (2006). doi:10.1007/11941378_25

    CrossRef  Google Scholar 

  6. Chen, L., Jordan, S., Liu, Y.K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: Report on Post-quantum cryptography (NISTIR 8105 Draft) (2016). Accessed 06 June 2016

  7. Dods, C., Smart, N.P., Stam, M.: Hash based digital signature schemes. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 96–115. Springer, Heidelberg (2005). doi:10.1007/11586821_8

    CrossRef  Google Scholar 

  8. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_2

    CrossRef  Google Scholar 

  9. ETSI: White paper no. 8: quantum safe cryptography and security. an introduction, benefits, enablers and challenges (2015). Accessed 06 June 2016

  10. Everspaugh, A.C., Bose, B.: Virtual Machine Reset-Atomicity in Xen. Technical report, University of Wisconsin-Madison (2013). Accessed 06 June 2016

  11. Garfinkel, T., Rosenblum, M.: When virtual is harder than real: security challenges in virtual machine based computing environments. In: Proceedings of HotOS 2005: 10th Workshop on Hot Topics in Operating Systems. USENIX Association (2005)

    Google Scholar 

  12. Goldreich, O.: Foundations of Cryptography. Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)

    CrossRef  MATH  Google Scholar 

  13. Hülsing, A.: W-OTS+ – shorter signatures for hash-based signature schemes. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013. LNCS, vol. 7918, pp. 173–188. Springer, Heidelberg (2013). doi:10.1007/978-3-642-38553-7_10

    CrossRef  Google Scholar 

  14. Hülsing, A., Butin, D., Gazdag, S., Mohaisen, A.: XMSS: Extended hash-based signatures (2016). Internet-Draft. Accessed 06 June 2016

  15. Hülsing, A., Rausch, L., Buchmann, J.: Optimal parameters for XMSSMT. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds.) CD-ARES 2013. LNCS, vol. 8128, pp. 194–208. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40588-4_14

    CrossRef  Google Scholar 

  16. Information assurance directorate at the National Security Agency: commercial national security algorithm suite (2015). Accessed 06 June 2016

  17. Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)

    CrossRef  Google Scholar 

  18. Knecht, M., Meier, W., Nicola, C.U.: A space- and time-efficient implementation of the Merkle tree traversal algorithm. CoRR abs/1409.4081 (2014)

    Google Scholar 

  19. Lamport, L.: Constructing digital signatures from a one way function. Technical report, SRI International Computer Science Laboratory (1979). Accessed 06 June 2016

  20. Leighton, T., Micali, S.: Large provably fast and secure digital signature schemes from secure hash functions. U.S. Patent 5,432,852 (1995)

    Google Scholar 

  21. McGrew, D., Curcio, M.: Hash-based signatures (2016). Internet-Draft. Accessed 06 June 2016

  22. Merkle, R.C.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990). doi:10.1007/0-387-34805-0_21

    CrossRef  Google Scholar 

  23. Monz, T., Nigg, D., Martinez, E.A., Brandl, M.F., Schindler, P., Rines, R., Wang, S.X., Chuang, I.L., Blatt, R.: Realization of a scalable Shor algorithm. Science 351(6277), 1068–1070 (2016)

    CrossRef  MathSciNet  Google Scholar 

  24. Reyzin, L., Reyzin, N.: Better than BiBa: short one-time signatures with fast signing and verifying. In: Batten, L., Seberry, J. (eds.) ACISP 2002. LNCS, vol. 2384, pp. 144–153. Springer, Heidelberg (2002). doi:10.1007/3-540-45450-0_11

    CrossRef  Google Scholar 

  25. Ristenpart, T., Yilek, S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of the Network and Distributed System Security Symposium (NDSS). The Internet Society (2010)

    Google Scholar 

  26. Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978)

    CrossRef  MathSciNet  MATH  Google Scholar 

  27. Saeedi, K., Simmons, S., Salvail, J.Z., Dluhy, P., Riemann, H., Abrosimov, N.V., Becker, P., Pohl, H.J., Morton, J.J.L., Thewalt, M.L.W.: Room-temperature quantum bit storage exceeding 39 min using ionized donors in silicon-28. Science 342(6160), 830–833 (2013)

    CrossRef  Google Scholar 

  28. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)

    CrossRef  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to David McGrew .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

McGrew, D., Kampanakis, P., Fluhrer, S., Gazdag, SL., Butin, D., Buchmann, J. (2016). State Management for Hash-Based Signatures. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49099-1

  • Online ISBN: 978-3-319-49100-4

  • eBook Packages: Computer ScienceComputer Science (R0)