Hash-Based Signatures

The information below is for an old version of the document
Document Type Expired Internet-Draft (individual)
Last updated 2013-08-29 (latest revision 2013-02-25)
Stream (None)
Intended RFC status (None)
Expired & archived
plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This note describes a digital signature system based on cryptographic hash functions, following the seminal work in this area. It specifies a one-time signature scheme based on the work of Lamport, Diffie, Winternitz, and Merkle (LDWM), and specifies a general signature system using a Merkle tree. These systems provide asymmetric authentication without using large integer mathematics and achieve a high security level. They are suitable for compact implementations, are relatively simple to implement, and naturally resist side-channel attacks. Unlike most other signature systems, hash-based signatures would still be secure even if it proves feasible for an attacker to build a quantum computer.


David McGrew (mcgrew@cisco.com)
Michael Curcio (micurcio@cisco.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)