RFC 8554

Leighton-Micali Hash-Based Signatures, April 2019

Canonical URL:
File formats:
Plain TextPDF HTML
D. McGrew
M. Curcio
S. Fluhrer

Cite this RFC: TXT  |  XML

DOI:  10.17487/RFC8554

Discuss this RFC: Send questions or comments to cfrg@irtf.org

Other actions: Submit Errata  |  Find IPR Disclosures from the IETF


This note describes a digital-signature system based on cryptographic hash functions, following the seminal work in this area of Lamport, Diffie, Winternitz, and Merkle, as adapted by Leighton and Micali in 1995. It specifies a one-time signature scheme and a general signature scheme. These systems provide asymmetric authentication without using large integer mathematics and can achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and are naturally resistant to side-channel attacks. Unlike many other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.

This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. This has been reviewed by many researchers, both in the research group and outside of it. The Acknowledgements section lists many of them.

For the definition of Status, see RFC 2026.

For the definition of Stream, see RFC 4844.

Download PDF Reader