FIPS 205 — SLH-DSA (Hash-Based Signatures)

What It Is in One Sentence

SLH-DSA creates signatures using only hash functions — no new mathematical assumptions. If SHA-2 and SHA-3 remain secure, SLH-DSA remains secure.

The Problem

All other PQC signatures (ML-DSA, FN-DSA) rely on lattice problems:

Module-LWE for ML-KEM and ML-DSA
NTRU-SIS for FN-DSA

These are well-studied but relatively new (20 years of cryptanalysis vs. 40+ for RSA/factoring). What if a breakthrough in lattice algorithms renders them weak?

SLH-DSA provides a conservative fallback — its security depends only on hash functions, which have been the backbone of cryptography since the 1970s.

How It Works (High Level)

SLH-DSA combines three building blocks:

┌─────────────────────────────────────────────┐
│              SLH-DSA                          │
│                                               │
│  ┌─────────────┐    ┌──────────────┐        │
│  │ WOTS+       │    │ FORS          │        │
│  │ (One-time   │    │ (Few-time     │        │
│  │  signature) │    │  signature)   │        │
│  └──────┬──────┘    └──────┬───────┘        │
│         │                  │                 │
│         └────────┬─────────┘                 │
│                  │                           │
│         ┌────────▼─────────┐                │
│         │ XMSS / Hypertree │                │
│         │ (Merkle tree of  │                │
│         │  many OTS keys)   │                │
│         └──────────────────┘                │
│                                               │
└─────────────────────────────────────────────┘

Building Block	Role	Security Assumption
WOTS+	Sign one message with one key	Hash function preimage resistance
FORS	Sign a few messages with one key	Hash function collision resistance
Hypertree	Organise millions of keys into a tree	Hash function collision resistance

Quick Reference

Parameter set	Hash	Security	Public key	Signature
SLH-DSA-SHA2-128s	SHA-256	Level 1	32 B	7,856 B
SLH-DSA-SHA2-128f	SHA-256	Level 1	32 B	17,064 B
SLH-DSA-SHA2-192s	SHA-256	Level 3	48 B	16,224 B
SLH-DSA-SHAKE-256s	SHAKE256	Level 5	64 B	29,792 B

s = small (smaller signatures, slower signing). f = fast (larger signatures, faster signing).

Articles in This Section

01 — Why Hash-Based — Conservative security and trust minimisation
02 — Merkle Trees — The data structure behind hash-based crypto
03 — One-Time Signatures (WOTS+) — Signing once, securely
04 — Few-Time Signatures (FORS) — Signing a few times per key
05 — The Hypertree — Scaling to millions of signatures
06 — Stateless Property — Why no key state tracking needed
07 — Size vs. Speed — The fundamental trade-off
08 — When to Use — Trust anchor and fallback scenarios

Resources

NIST FIPS 205 PDF
SPHINCS+ specification
Bernstein et al., "SPHINCS+ — Submission to the NIST post-quantum project" (2020)