Every other signature scheme rests on an algebraic hardness assumption:
RSA, DSA, ECDSA, EdDSA — factoring or DLP
ML-DSA, Falcon — Module-LWE / NTRU
UOV / Rainbow — MQ
SQIsign — isogeny / quaternion
Each of these could fall to a single mathematical breakthrough.
Hash-based assumption. The hash function $H \colon \{0,1\}^* \to \{0,1\}^n$ is one-way and second-preimage resistant (and PRF-like where it derives keys). Textbook Lamport over $H(m)$ additionally needs collision resistance; WOTS+ and SLH-DSA are built specifically to avoid that stronger requirement.
That is the entire security premise. No number theory.
Trade-off. SLH-DSA signatures are 8–50 KB; ML-DSA is 2.4–4.6 KB; Ed25519 is 64 bytes. Hash-based is the conservative choice for low-frequency, long-lifetime signatures (firmware signing, root-of-trust).
Chapter 47.1 — The premise
Lamport One-Time Signatures (1979) Ch 47.2
Let $H \colon \{0,1\}^* \to \{0,1\}^n$.
Keygen. Sample $2n$ random secrets $s_{i,b} \in \{0,1\}^n$ for $i \in [n]$, $b \in \{0,1\}$. Public key: $H(s_{i,b})$ for every $(i,b)$.
Sign $m$. Compute $h = H(m) = h_0 \ldots h_{n-1}$. Signature: $\sigma = (s_{0,h_0}, \ldots, s_{n-1,h_{n-1}})$.
Verify. Hash each $\sigma_i$ and check $H(\sigma_i) = \mathrm{pk}_{i,h_i}$.
One-time only. Each signature reveals one of the two secrets at every bit position, i.e. half of the $2n$ secrets. A second signature on a message whose digest differs at $k$ positions reveals $k$ more, after which the attacker can sign any message whose digest agrees with one of the two signed digests at every position.
FIPS 205 convention: $w$ is the digit alphabet size (typically $w = 16$, i.e. $\log_2 w = 4$ bits per digit).
Lamport spends one secret per bit; WOTS+ spends one hash chain per $\log_2 w$-bit digit. Each chain runs $w - 1$ steps from a secret start value to a public endpoint; signing digit $d$ publishes the chain value after $d$ steps, and the verifier applies the remaining $w - 1 - d$ steps and compares with the endpoint.
Anyone holding the value at step $d$ can walk forward to step $d + 1$, so a checksum $C = \sum_i (w - 1 - d_i)$ is signed as extra digits: increasing any message digit decreases $C$, which would require walking some checksum chain backwards, i.e. inverting $H$.
The "+" in WOTS+ refers to Hülsing 2013: a random bitmask is XORed into the input of every chain step, which lets the security proof rest on second-preimage resistance and one-wayness rather than collision resistance, so $n$ can be smaller for the same security level. The per-position addresses that defeat multi-target attacks came later (Hülsing, Rijneveld, Song 2016) and are what FIPS 205 uses.
Chapter 47.3 — WOTS+
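A runnable WOTS+-style one-time signature for the $n = 32$, $w = 16$ parameters above, as an added example (not code from the course slides or from FIPS 205). Assumptions: the chain step `F` is a keyed SHA-256 over a public seed and a (chain, step) address in the style of the FIPS 205 "simple" instantiation, so Hülsing's per-step bitmasks are omitted; the public key is compressed by hashing all chain endpoints. Besides keygen/sign/verify it shows the $\ell = 67$ chains, the 2144-byte signature, the signer/verifier step split, and why an attacker who can only walk chains forward gets stopped by the checksum digits.

```python
import hashlib
import math
import os

N = 32                                                 # hash output length in bytes
W = 16                                                 # Winternitz parameter (digit alphabet size)
LG_W = 4                                               # bits per digit
L1 = (8 * N) // LG_W                                   # 64 message digits
L2 = math.floor(math.log2(L1 * (W - 1)) / LG_W) + 1    # 3 checksum digits
L = L1 + L2                                            # 67 chains


def F(pub_seed: bytes, i: int, j: int, x: bytes) -> bytes:
    """One chain step keyed by the public seed and the (chain i, step j) address.
    Demo assumption: a keyed SHA-256 stands in for FIPS 205's tweakable hash."""
    return hashlib.sha256(pub_seed + i.to_bytes(2, "big") + j.to_bytes(1, "big") + x).digest()


def chain(pub_seed: bytes, i: int, x: bytes, start: int, steps: int) -> bytes:
    """Walk chain i forward `steps` positions, beginning at position `start`."""
    for j in range(start, start + steps):
        x = F(pub_seed, i, j, x)
    return x


def base_w(data: bytes, out_len: int) -> list:
    """Split bytes into base-w digits (nibbles for w = 16), most significant first."""
    digits = []
    for b in data:
        digits += [b >> 4, b & 0xF]
    return digits[:out_len]


def digits_with_checksum(digest: bytes) -> list:
    """Message digits followed by checksum digits (FIPS 205 wots_sign layout)."""
    msg = base_w(digest, L1)
    csum = sum(W - 1 - d for d in msg)                  # drops whenever any digit rises
    csum <<= (8 - ((L2 * LG_W) % 8)) % 8                # left-align the checksum bits
    return msg + base_w(csum.to_bytes(math.ceil(L2 * LG_W / 8), "big"), L2)


def keygen():
    pub_seed = os.urandom(N)
    sk = [os.urandom(N) for _ in range(L)]
    ends = [chain(pub_seed, i, sk[i], 0, W - 1) for i in range(L)]
    pk = hashlib.sha256(pub_seed + b"".join(ends)).digest()   # compressed public key
    return (pub_seed, sk), (pub_seed, pk)


def sign(private, digest: bytes) -> list:
    pub_seed, sk = private
    d = digits_with_checksum(digest)
    return [chain(pub_seed, i, sk[i], 0, d[i]) for i in range(L)]


def verify(public, digest: bytes, sig: list) -> bool:
    pub_seed, pk = public
    d = digits_with_checksum(digest)
    ends = [chain(pub_seed, i, sig[i], d[i], W - 1 - d[i]) for i in range(L)]
    return hashlib.sha256(pub_seed + b"".join(ends)).digest() == pk


def hash_steps(digest: bytes):
    """(signer chain steps, verifier chain steps); they always sum to L*(W-1) = 1005."""
    d = digits_with_checksum(digest)
    return sum(d), sum(W - 1 - x for x in d)


def forward_forge(public, digest: bytes, sig: list, pos: int):
    """Attacker holds one (digest, sig) and targets the digest whose message digit
    `pos` is one higher. Chains only walk forward, so any chain whose digit must
    fall is left at the revealed value (the best the attacker can do).
    Returns (target_digest, attempted_sig, chains that needed to go backwards)."""
    pub_seed, _ = public
    nib = base_w(digest, L1)
    if nib[pos] == W - 1:
        return None
    nib[pos] += 1
    target = bytes((nib[2 * t] << 4) | nib[2 * t + 1] for t in range(N))
    old, new = digits_with_checksum(digest), digits_with_checksum(target)
    attempt, blocked = [], []
    for i in range(L):
        if new[i] >= old[i]:
            attempt.append(chain(pub_seed, i, sig[i], old[i], new[i] - old[i]))
        else:
            attempt.append(sig[i])
            blocked.append(i)
    return target, attempt, blocked


if __name__ == "__main__":
    priv, pub = keygen()
    digest = hashlib.sha256(b"firmware-v1.bin").digest()
    sig = sign(priv, digest)
    print(L, "chains,", sum(map(len, sig)), "byte signature, (sign, verify) steps:", hash_steps(digest))
    print("legitimate signature verifies:", verify(pub, digest, sig))
    pos = next(i for i, v in enumerate(base_w(digest, L1)) if v < W - 1)
    target, attempt, blocked = forward_forge(pub, digest, sig, pos)
    print("forgery verifies:", verify(pub, target, attempt), "blocked checksum chains:", blocked)
```

The blocked chains are always in the checksum region (indices $\ge 64$): incrementing a message digit lowers $C$ by one, and lowering a base-16 number always lowers at least one of its digits, which is exactly the step the attacker cannot compute.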
Merkle Trees: One Public Key, Many Signatures Ch 47.4
Generate $2^h$ independent OTS key pairs. Hash each public key into a leaf. Build a binary Merkle tree by hashing pairs.
Public key = the root, $n$ bytes.
A signature on leaf $j$ carries:
$\sigma^{(j)}$ (OTS sig);
$\mathrm{pk}^{(j)}$ (OTS pk);
the authentication path: $h$ sibling hashes from leaf $j$ to the root.
Auth-path overhead is $h \cdot n$ bytes — tiny next to the OTS payload.
Sig of leaf 5: $\sigma^{(5)}$, $\mathrm{pk}^{(5)}$, and 3 sibling hashes (yellow = auth path; lavender = recompute path).
Chapter 47.4 — Merkle MSS
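The Merkle construction above, as an added example (not the course's own code): a height-3 tree over 8 OTS public keys, the authentication path for leaf 5, and the verifier's root recomputation. Assumptions: the 8 OTS public keys are constructed placeholder byte strings (any Lamport or WOTS+ keygen supplies real ones), and leaves and inner nodes are separated with a one-byte prefix instead of the keyed, address-tweaked hashes that XMSS uses.

```python
import hashlib

HEIGHT = 3                                       # 2^3 = 8 leaves, as in the figure


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def build_tree(ots_pks: list) -> list:
    """levels[0] = leaf hashes, levels[-1] = [root]; requires 2^h public keys."""
    assert len(ots_pks) and len(ots_pks) & (len(ots_pks) - 1) == 0, "need 2^h leaves"
    level = [H(b"\x00", pk) for pk in ots_pks]           # 0x00 prefix: leaf (demo domain separation)
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01", level[i], level[i + 1])      # 0x01 prefix: inner node
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels: list, j: int) -> list:
    """The h sibling hashes on the way from leaf j up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[j ^ 1])                        # sibling = flip the lowest index bit
        j >>= 1
    return path


def root_from_path(ots_pk: bytes, j: int, path: list) -> bytes:
    """Verifier side: recompute the root from the OTS public key and its auth path."""
    node = H(b"\x00", ots_pk)
    for sib in path:
        node = H(b"\x01", sib, node) if j & 1 else H(b"\x01", node, sib)
        j >>= 1
    return node


def verify_membership(root: bytes, ots_pk: bytes, j: int, path: list) -> bool:
    return root_from_path(ots_pk, j, path) == root


# Constructed stand-ins for the 8 OTS public keys.
OTS_PKS = [("ots-pk-%d" % i).encode() for i in range(2 ** HEIGHT)]


def public_key() -> bytes:
    """The whole public key is the n-byte root."""
    return build_tree(OTS_PKS)[-1][0]


def signature_envelope(j: int, ots_sig: bytes) -> dict:
    """What the signer ships for leaf j: the OTS signature, the OTS public key,
    and the h sibling hashes. The verifier checks ots_sig against ots_pk with the
    OTS verify routine, then checks ots_pk against the root with the auth path."""
    return {"index": j, "ots_sig": ots_sig, "ots_pk": OTS_PKS[j],
            "auth_path": auth_path(build_tree(OTS_PKS), j)}


if __name__ == "__main__":
    env = signature_envelope(5, b"<ots signature bytes>")
    print("auth path length:", len(env["auth_path"]), "siblings,",
          32 * len(env["auth_path"]), "bytes")
    print("leaf 5 under root:", verify_membership(public_key(), env["ots_pk"], 5, env["auth_path"]))
    print("same path claimed for leaf 4:", verify_membership(public_key(), env["ots_pk"], 4, env["auth_path"]))
```

Swapping the claimed index, the OTS public key, or any sibling changes the recomputed root, so the auth path binds all three to the public root at a cost of $h \cdot n$ bytes.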
The State-Reuse Catastrophe Ch 47.7
Problem. The signer must remember which leaves it has used. Reusing a Lamport leaf reveals extra secrets (one more at every position where the two digests differ); reusing a WOTS+ leaf reveals two points on each chain, and the attacker can then sign any message whose digits, checksum included, are all at least the lower of the two revealed positions in every chain.
Real-world failure modes:
VM snapshot & restore.
HSM rollback after a power failure.
Concurrent signers without a shared monotonic counter.
Clone-from-image of a signing appliance.
Demonstration in Ch 47.7 (16-bit truncated hash for visibility):
Differing positions : 10/16
Secrets known : 26/32
Forged after 132 tries
Scaled to a real 256-bit hash, two signatures leave about 128 positions where only one secret is known, so the same random search needs about $2^{128}$ tries: infeasible, but each further reuse halves the number of such positions, and after roughly nine signatures the forgery takes a handful of tries.
NIST SP 800-208 (2020) approves XMSS / LMS only for deployments where one-time use of every leaf can be guaranteed; in particular the module must not release a signature before the updated state has been persisted. SPHINCS+ / SLH-DSA exists to remove this failure mode.
Chapter 47.7 — Why we needed stateless
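The Lamport scheme from §47.2 together with the two-signature reuse attack sketched above, as an added example (not the course's own demo script). Assumptions: secrets are derived from a fixed seed so the run is reproducible (use `os.urandom` for real keys), the digest is SHA-256 truncated to the top `nbits` bits, and forged candidates are the constructed messages `b"forged-<counter>"`. With `nbits=16` the search finishes instantly; the expected number of tries is $2^{u}$ for $u$ positions where only one secret is known, which is why the same loop never returns at 256 bits.

```python
import hashlib


def digest(m: bytes, nbits: int) -> int:
    """SHA-256 truncated to its top nbits bits (16 for the demo, 256 for real use)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - nbits)


def bit(h: int, i: int, nbits: int) -> int:
    """Bit i of an nbits-bit digest, most significant first."""
    return (h >> (nbits - 1 - i)) & 1


def keygen(seed: bytes, nbits: int):
    """Lamport keys: 2*nbits secrets; public key = their hashes.
    Demo assumption: secrets derived from `seed` so the run is reproducible."""
    sk = [[hashlib.sha256(seed + bytes([i, b])).digest() for b in (0, 1)] for i in range(nbits)]
    pk = [[hashlib.sha256(s).digest() for s in pair] for pair in sk]
    return sk, pk


def sign(sk, m: bytes, nbits: int) -> list:
    h = digest(m, nbits)
    return [sk[i][bit(h, i, nbits)] for i in range(nbits)]


def verify(pk, m: bytes, sig: list, nbits: int) -> bool:
    h = digest(m, nbits)
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit(h, i, nbits)] for i in range(nbits))


def learn_secrets(signed: list, nbits: int) -> dict:
    """Attacker view: (position, bit) -> secret, collected from (message, sig) pairs."""
    known = {}
    for m, sig in signed:
        h = digest(m, nbits)
        for i in range(nbits):
            known[(i, bit(h, i, nbits))] = sig[i]
    return known


def forge(known: dict, nbits: int, max_tries: int = 1 << 24):
    """Random search for a message whose digest uses only revealed secrets.
    Returns (message, signature, tries) or None if max_tries is exhausted."""
    for t in range(max_tries):
        m = b"forged-" + str(t).encode()
        h = digest(m, nbits)
        if all((i, bit(h, i, nbits)) in known for i in range(nbits)):
            return m, [known[(i, bit(h, i, nbits))] for i in range(nbits)], t + 1
    return None


def reuse_demo(nbits: int = 16, seed: bytes = b"demo-seed") -> dict:
    sk, pk = keygen(seed, nbits)
    m1, m2 = b"pay alice 10", b"pay bob 20"            # constructed messages
    s1, s2 = sign(sk, m1, nbits), sign(sk, m2, nbits)    # the state-reuse mistake: one key, two messages
    known = learn_secrets([(m1, s1), (m2, s2)], nbits)
    differing = bin(digest(m1, nbits) ^ digest(m2, nbits)).count("1")
    fm, fs, tries = forge(known, nbits)
    return {"differing": differing, "known": len(known), "tries": tries, "forged": fm,
            "legit": verify(pk, m1, s1, nbits), "verifies": verify(pk, fm, fs, nbits)}


if __name__ == "__main__":
    r = reuse_demo(16)
    print("Differing positions : %d/16" % r["differing"])
    print("Secrets known       : %d/32" % r["known"])
    print("Forged %r after %d tries, verifies=%s" % (r["forged"], r["tries"], r["verifies"]))
```

`known` always equals `nbits + differing`: every position yields one secret from the first signature and a second one wherever the digests disagree. What succeeds at 256 bits is not this search but accumulation: each further signature under the same key halves the number of positions with an unknown secret.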
SLH-DSA / SPHINCS+ — Stateless at Last Ch 47.6
Idea: a fixed-height hyper-tree. At each subtree, WOTS+ signs the root below. At the bottom, FORS (Forest Of Random Subsets) provides a few-time signature.
The hyper-tree leaf (and the set of FORS secrets) for a message is derived from a digest of the message together with a randomizer $R$ computed from a secret PRF key, so the signer keeps no state; two distinct messages almost surely hit different FORS leaves (there are $2^h$ of them, $2^{63}$ in the 128s parameter set).
Even on a leaf collision, FORS degrades gracefully: each FORS key tolerates several messages before forgery becomes feasible, so statelessness does not turn into disaster.
Signature size at NIST level 1 (bytes): SLH-DSA-SHA2-128s 7856, SLH-DSA-SHA2-128f 17088, ML-DSA-44 2420, Ed25519 64.
FIPS 205 parameter sets: 128f / 128s / 192f / 192s / 256f / 256s. "f" = fast (large sig); "s" = small (slower).
Chapter 47.6 — SLH-DSA / FIPS 205
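How the message-dependent leaf selection above actually works, as an added example (not the slides' code and not the FIPS 205 reference implementation). The parameters are SLH-DSA-SHA2-128s from FIPS 205 Table 2 and the digest is split exactly as in `slh_sign` (FORS digits, then tree index, then leaf index). Assumptions: `PRF_msg` and `H_msg` are modelled with plain SHA-256 (the standard's SHA2 instantiation uses HMAC-SHA-256 and MGF1-SHA-256), and the key material is constructed placeholder bytes; the index arithmetic is the point.

```python
import hashlib
import math

# SLH-DSA-SHA2-128s parameters (FIPS 205, Table 2)
n, h, d, a, k, lg_w, m = 16, 63, 7, 12, 14, 4, 30
h_prime = h // d                                    # 9: height of each of the d subtrees
DIGEST_LAYOUT = (math.ceil(k * a / 8),              # 21 bytes -> FORS message digits
                 math.ceil((h - h_prime) / 8),      # 7 bytes  -> tree index (54 bits used)
                 math.ceil(h_prime / 8))            # 2 bytes  -> leaf index (9 bits used)


def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def base_2b(data: bytes, b: int, out_len: int) -> list:
    """FIPS 205 base_2b: read out_len b-bit integers from data, most significant first."""
    nbytes = math.ceil(out_len * b / 8)
    total, nbits = to_int(data[:nbytes]), 8 * nbytes
    return [(total >> (nbits - b * (i + 1))) & ((1 << b) - 1) for i in range(out_len)]


def prf_msg(sk_prf: bytes, opt_rand: bytes, msg: bytes) -> bytes:
    """Randomizer R. Demo stand-in for the standard's HMAC-SHA-256 PRF_msg."""
    return hashlib.sha256(b"PRFmsg" + sk_prf + opt_rand + msg).digest()[:n]


def h_msg(R: bytes, pk_seed: bytes, pk_root: bytes, msg: bytes) -> bytes:
    """m-byte message digest. Demo stand-in for the MGF1-SHA-256 expansion in H_msg."""
    out, ctr = b"", 0
    while len(out) < m:
        out += hashlib.sha256(R + pk_seed + pk_root + msg + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:m]


def split_digest(digest: bytes):
    """slh_sign's split of the digest: (FORS indices, idx_tree, idx_leaf)."""
    ka, tb, lb = DIGEST_LAYOUT
    md = digest[:ka]
    idx_tree = to_int(digest[ka:ka + tb]) % (1 << (h - h_prime))
    idx_leaf = to_int(digest[ka + tb:ka + tb + lb]) % (1 << h_prime)
    return base_2b(md, a, k), idx_tree, idx_leaf


# Constructed stand-in key material (real values come from slh_keygen).
SK_PRF, PK_SEED, PK_ROOT = b"\x01" * n, b"\x02" * n, b"\x03" * n


def leaf_for(msg: bytes, opt_rand: bytes = PK_SEED) -> dict:
    """Which hyper-tree leaf and which FORS secrets (one per tree, k trees of
    height a) a message will consume. opt_rand = PK.seed is the deterministic
    variant; the standard also allows fresh randomness there, but statelessness
    comes from the digest-derived index, not from that randomness."""
    R = prf_msg(SK_PRF, opt_rand, msg)
    fors, idx_tree, idx_leaf = split_digest(h_msg(R, PK_SEED, PK_ROOT, msg))
    return {"R": R, "fors": fors, "idx_tree": idx_tree, "idx_leaf": idx_leaf,
            "global_leaf": (idx_tree << h_prime) | idx_leaf}   # 0 .. 2^63 - 1


if __name__ == "__main__":
    for msg in (b"message one", b"message two"):            # constructed inputs
        r = leaf_for(msg)
        print(msg, "tree", r["idx_tree"], "leaf", r["idx_leaf"], "FORS digits", r["fors"])
```

The 30-byte digest is consumed as 21 + 7 + 2 bytes; the 14 twelve-bit FORS digits each pick one secret out of $2^{12}$ in their tree, and the 63 index bits address one of $2^{63}$ WOTS+ leaves. Two messages land on the same leaf with probability $2^{-63}$ per pair, which is the few-time load FORS is sized for.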
Lab Today — Build the Signature Pipeline Ch 47 lab
Implement Lamport keygen, sign, verify in pure Python with hashlib.sha256.
Build a height-3 Merkle tree over 8 Lamport leaves; verify both the OTS sig and the auth path.
Reproduce the state-reuse forgery from §47.7 with a 16-bit truncated hash. Then explain why the same demo fails to terminate at 256 bits, and what kind of attack does succeed there.
(Stretch) Implement WOTS+ for $n = 32$, $w = 16$. Measure the actual signature size and verifier hash count; compare with the prediction $\ell = \ell_1 + \ell_2 = 64 + 3 = 67$ chains ($67 \cdot 32 = 2144$ bytes) and at most $\ell (w - 1) = 1005$ chain steps for verification (signer and verifier steps always sum to exactly that).
(Project candidate) Implement SLH-DSA-SHA2-128s following Algorithms 17 and 18 of FIPS 205, on top of your WOTS+ + FORS + Merkle primitives. Verify the published 7856-byte signature size.
Chapter 47 — Lab
Recap
Hash-based signatures are the most conservatively secure PQC primitive: security reduces to one-wayness and second-preimage resistance (plus PRF security) of $H$, no algebra; collision resistance is needed only by textbook Lamport over $H(m)$.
State is dangerous in practice (VM snapshots, HSM rollbacks). SLH-DSA (FIPS 205, August 2024, published alongside ML-DSA in FIPS 204) was standardised as the conservative, stateless option precisely because it removes that failure mode.
The price is signature size: 8–50 KB. Fine for low-volume, long-lifetime signatures; bad for TLS handshakes.
Next Tuesday (W7): NTRU, multivariate, and isogeny — the three families with the most interesting recent cryptanalysis, including two flagship-scheme breaks in 2022.