Hash-Based Signatures

The information below is for an old version of the document.

Document type: Expired Internet-Draft (individual)
Last updated: 2013-08-29 (latest revision 2013-02-25)
Stream: (None)
Intended RFC status: (None)
Status: Expired & archived
Stream state: (No stream defined)
Consensus boilerplate: Unknown
On agenda: cfrg at IETF-99
RFC Editor note: (None)
IESG state: Expired
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This note describes a digital signature system based on cryptographic hash functions, following the seminal work in this area. It specifies a one-time signature scheme based on the work of Lamport, Diffie, Winternitz, and Merkle (LDWM), and specifies a general signature system using a Merkle tree. These systems provide asymmetric authentication without using large integer mathematics and achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and naturally resist side-channel attacks. Unlike most other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.
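As an added illustration (not code from the draft, and a simplified Lamport one-time signature rather than the Winternitz variant the draft specifies), the following Python shows the two building blocks the abstract names: a one-time signature whose keys are nothing but hash preimages, and a Merkle tree that binds many one-time public keys to a single root so the verifier needs only that root. Assumptions: SHA-256 as the hash, a four-leaf tree, and a constructed message.

```python
import hashlib, os
N = 256  # one secret pair per bit of the SHA-256 message digest
H = lambda b: hashlib.sha256(b).digest()  # assumption: SHA-256 as the hash

def lamport_keygen():
    # Private key: N pairs of random secrets; public key: their hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    return sk, [(H(a), H(b)) for a, b in sk]

def digest_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def lamport_sign(sk, msg):
    # Reveals one secret per digest bit; signing a second message with the
    # same key leaks the other secret of every differing bit, hence one-time.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pk, msg, sig):
    bits = digest_bits(msg)
    return len(sig) == N and all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))

def leaf(pk):  # Merkle leaf = hash of the serialised one-time public key
    return H(b"".join(h for pair in pk for h in pair))

def merkle_levels(leaves):  # bottom-up levels; len(leaves) is a power of two
    levels = [leaves]
    while len(levels[-1]) > 1:
        levels.append([H(a + b) for a, b in zip(levels[-1][::2], levels[-1][1::2])])
    return levels

def auth_path(levels, idx):  # sibling of the node on the path, per level
    return [lvl[(idx >> h) ^ 1] for h, lvl in enumerate(levels[:-1])]

def merkle_verify(root, node, idx, path):
    for h, sib in enumerate(path):  # recompute the root from leaf and siblings
        node = H(node + sib) if (idx >> h) & 1 == 0 else H(sib + node)
    return node == root

def tree_verify(root, msg, sig):
    idx, ots, pk, path = sig  # (leaf index, OTS signature, OTS public key, auth path)
    return lamport_verify(pk, msg, ots) and merkle_verify(root, leaf(pk), idx, path)

def demo(msg=b"constructed message", n_keys=4, idx=2):
    # Build a 4-leaf tree, sign with leaf idx, verify the message and a tampered copy.
    sks, pks = zip(*[lamport_keygen() for _ in range(n_keys)])
    levels = merkle_levels([leaf(pk) for pk in pks])
    root = levels[-1][0]
    sig = (idx, lamport_sign(sks[idx], msg), pks[idx], auth_path(levels, idx))
    return tree_verify(root, msg, sig), tree_verify(root, msg + b"x", sig)
```

A production signer must also persist which leaf indices have been used, since reusing a one-time key is the failure mode that breaks the scheme.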


David McGrew (mcgrew@cisco.com)
Michael Curcio (micurcio@cisco.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)