Digital Signature
SLH-DSA
Stateless Hash-based Digital Signature Algorithm · FIPS 205
FIPS-finalisedhash-based5 parameter setsQNSP tier: default+provider: nobleprovider: liboqsalso called: SPHINCS+, Stateless Hash-DSA
NIST's hash-based digital signature standard, finalised August 2024 as FIPS 205. SLH-DSA's security rests only on the hardness of finding hash function preimages — the most conservative assumption available — making it the natural choice for long-archival signatures and government-tier policy.
Mechanism
How it works
SLH-DSA combines a few-time hash signature (FORS) with a hypertree of one-time signatures (WOTS+) glued together using Merkle trees. The result is a stateless signature scheme whose security reduces solely to the security of the underlying hash function (SHA-2 or SHAKE). 12 parameter sets cover combinations of {SHA2, SHAKE} × {128, 192, 256 bits} × {fast, small}. The `f` (fast) variants prioritise signing speed; `s` (small) variants prioritise signature size.
Parameter Sets
5 variants shipped
Each variant trades security category against key, ciphertext, or signature size. QNSP exposes all variants via the @cuilabs/liboqs-native binding; tenant crypto-policy determines which are allowed.
| Variant | NIST Level | Public Key | Secret Key | Signature | Note |
|---|---|---|---|---|---|
| SLH-DSA-SHA2-128s | L1 | 32 B | 64 B | 7,856 B | Smallest signature, slower signing. Hash: SHA-2-256. |
| SLH-DSA-SHA2-128f | L1 | 32 B | 64 B | 17,088 B | Faster signing, larger signature. Hash: SHA-2-256. |
| SLH-DSA-SHA2-256s | L5 | 64 B | 128 B | 29,792 B | Maximum / Government tier — smallest sig variant. |
| SLH-DSA-SHA2-256f | L5 | 64 B | 128 B | 49,856 B | Maximum / Government tier — faster signing variant. |
| SLH-DSA-SHAKE-128s / 128f / 192s / 192f / 256s / 256f | L5 | 32 B | 64 B | 7,856 B | SHAKE-based variants (6 additional). Identical security categories; SHAKE provides constant-time XOF for environments where SHA-2 acceleration is unavailable. |
NIST ACVP
Conformance evidence
QNSP runs the official NIST ACVP test vectors against every shipped algorithm. Live evidence + SHA-3-256 tamper digest at /verify/conformance.
@noble/post-quantum
passingPure-JavaScript reference; cross-verification secondary on Maximum + Government tiers.
@cuilabs/liboqs-native
deferredNative-C primary production engine. Runs across every QNSP backend service.
noble passes all 120 SLH-DSA keyGen ACVP tests across all 12 parameter sets. liboqs keyGen tests deferred (same OQS_SIG_keypair_derand gap as ML-DSA).
Use Cases
When to use it
- Long-archival signatures (decades-long validity)
- Government tier (FIPS-finalised conservative-assumption requirement)
- Code-signing for high-assurance artefacts
- Independent cross-verification of ML-DSA signatures (different security assumption)
Trade-offs
What you give up, what you get
- Largest signatures of any FIPS-finalised PQC scheme (8 KB – 50 KB depending on parameter set)
- Slowest signing performance — milliseconds, not microseconds
- Strongest security argument — relies only on hash function security
- Stateless: no key-use counter to maintain (unlike LMS / XMSS)
References