Stateful hash-based signature (HBS) schemes are digital signature schemes believed to be resistant to the threat posed by a cryptographically relevant quantum computer. The National Institute of Standards and Technology (NIST) has standardized two stateful HBS schemes under SP 800-208: the Leighton-Micali Signature (LMS) system and the eXtended Merkle Signature Scheme (XMSS), including their multi-tree variants, the Hierarchical Signature System (HSS) and multi-tree XMSS. Stateful HBS schemes differ from other asymmetric signature schemes in that an HBS private key comprises a predefined set of one-time signature (OTS) private keys. “State” refers to the capacity to enforce single usage of each OTS private key across the lifespan of the HBS private key.
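The following added example (not code from this page, from Thales, or from SP 800-208) sketches what "state" means in practice: a signer whose private key is a fixed set of OTS keys under a Merkle root, and which durably advances a leaf counter before each signature is released. It assumes Lamport one-time signatures in place of LM-OTS/WOTS+ to stay short; `StatefulSigner`, `ots_secret`, the key derivation and the state-file format are all hypothetical.

```python
import hashlib
import os

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()
def bits(msg):  # 256 digest bits, most significant first
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]
def ots_secret(seed, leaf, i, b):  # constructed derivation, not the LMS/XMSS one
    return H(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))
def ots_public(seed, leaf):  # Lamport public key, compressed to one hash
    return H(*[H(ots_secret(seed, leaf, i, b)) for i in range(256) for b in (0, 1)])

def tree_levels(seed, height):  # Merkle tree over the 2**height OTS public keys
    levels = [[ots_public(seed, leaf) for leaf in range(2 ** height)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

class StatefulSigner:
    def __init__(self, seed, height, state_path):
        self.seed, self.path = seed, state_path
        self.levels = tree_levels(seed, height)
        self.root = self.levels[-1][0]  # the HBS public key
        if not os.path.exists(state_path):
            self._store(0)
    def _store(self, index):  # make the new state durable before signing
        with open(self.path, "w") as f:
            f.write(str(index))
            f.flush()
            os.fsync(f.fileno())
    def sign(self, msg):
        with open(self.path) as f:
            leaf = int(f.read())
        if leaf >= len(self.levels[0]):
            raise RuntimeError("HBS private key exhausted: every OTS key is used")
        self._store(leaf + 1)  # reserve the OTS key first, then use it
        sig = [(ots_secret(self.seed, leaf, i, b), H(ots_secret(self.seed, leaf, i, 1 - b)))
               for i, b in enumerate(bits(msg))]
        path = [lvl[(leaf >> h) ^ 1] for h, lvl in enumerate(self.levels[:-1])]
        return leaf, sig, path

def verify(root, msg, leaf, sig, path):
    node = H(*[x for (rev, other), b in zip(sig, bits(msg))
               for x in ((other, H(rev)) if b else (H(rev), other))])
    for h, sibling in enumerate(path):  # climb the authentication path to the root
        node = H(sibling, node) if (leaf >> h) & 1 else H(node, sibling)
    return node == root
```

Restoring the state file from a backup or snapshot would roll the index back and let an OTS key be used twice, so the counter needs the same protection as the key itself.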
In September 2022, NSA released the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), setting timelines for the adoption of quantum-resistant algorithms in national security systems. Under CNSA 2.0, vendors are encouraged to adopt stateful HBS schemes as defined in SP 800-208 immediately for all software and firmware code signing, with a requirement to support them by 2025.
NSA provided three justifications for preferring stateful HBS schemes now for code signing versus waiting for final standards for post-quantum asymmetric algorithms:
- Urgency. Firmware for systems being deployed into the field now may continue to be in service well after the quantum threat becomes real.
- Standards. NIST has already codified the standards for stateful HBS schemes under SP 800-208. Final standards for new post-quantum algorithms are not expected until 2024.
- Cryptanalysis. HBS schemes have been extensively researched for their quantum resistance, and the performance impacts of implementing HBS schemes are non-critical to the code signing use case.
LMS/HSS enables customers to begin their transition to quantum-resistant software and firmware signing. Download this white paper to learn more about Quantum Resistant Code Signing with Thales’ LMS/HSS implementations that are compliant with both SP 800-208 and PKCS#11 v3.