06 — The Stateless Property
What "Stateful" Means
A stateful signature scheme requires the signer to remember what they've done:
Stateful signer:
1. Check index counter: "Next available key is #42"
2. Sign with key #42
3. Increment counter: "Next available key is #43"
4. Save state to disk
If the state is lost or corrupted:
- You might reuse key #42 → forgery
- You might skip keys → wasted capacity
Real-World Stateful Problems
| Scenario | What happens | Risk |
|---|---|---|
| Server crash | Restore from 1-hour-old backup | Missed 1,000 signatures → reuse keys |
| Multi-server setup | Load balancer distributes requests | Server A uses key #100, Server B uses key #100 → reuse |
| Backup restore | Nightly backup restored after corruption | State rolled back → reuse recent keys |
| Database replication lag | Primary signs with key #1000, replica at #950 | Replica might reuse keys #951–#1000 |
| Key ceremony | Air-gapped HSM signs offline | Must track state on write-once media |
SLH-DSA Is Stateless
SLH-DSA eliminates the state entirely:
Stateless signer:
1. Take message + public key seed
2. Compute: path = Hash(message || pk_seed || random_salt)
3. Derive signing keys along path from master seed
4. Sign with derived keys
5. No state to save!
The message itself determines which keys to use. No counter. No database. No synchronisation.
How Key Derivation Works
Instead of pre-generating and storing millions of keys, SLH-DSA derives them on demand:
Master Seed (secret, 32 bytes)
|
v
Pseudorandom Function (PRF)
|
+-- Message hash + path index --> WOTS+ secret key #1
+-- Message hash + path index --> WOTS+ secret key #2
+-- ...
+-- Message hash + path index --> FORS secret key
The PRF (typically SHA-256 in a specific mode) expands the master seed into any key needed. As long as the master seed is secret, all derived keys are secret.
Security Implications
The Good
| Property | Stateless benefit |
|---|---|
| Crash recovery | No state to lose; just reload the master seed |
| Multi-server | Each server derives the same keys for the same message; different keys for different messages |
| Backup simplicity | Single 32-byte master seed backs up everything |
| HSM compatibility | Master seed stays in HSM; derived keys computed inside HSM |
The Caveat: Message-Dependent Paths
Same message → same path → same keys. This is fine for legitimate re-signing but:
- An attacker who can choose messages might try to force path collisions
- The random salt in the signature prevents this (different salt → different path)
- Even without salt, the probability of accidental collision is negligible
Formal Security
SLH-DSA's security proof shows:
- Existential unforgeability: No attacker can forge a signature without breaking the hash function
- Statelessness: The proof holds even when the signer has no memory of previous signatures
- Multi-target protection: The bitmasks (WOTS+) and salt prevent multi-target attacks
Stateless vs. Stateful: When to Choose
| Requirement | Choose | Example |
|---|---|---|
| Maximum simplicity | SLH-DSA | Smart contracts, distributed systems |
| Minimum signature size | XMSS / LMS | Embedded systems with strict bandwidth |
| Maximum speed | XMSS / LMS | High-frequency signing (timestamping) |
| No state management | SLH-DSA | Any system with backups or multiple instances |
| Compliance (FIPS 140) | Both | LMS is NIST-approved; SLH-DSA is now FIPS 205 |
Resources
- Hülsing et al., "SLH-DSA specification" (2022), NIST PQC Round 3 submission
- NIST FIPS 205, Section 4: Security and Stateless Property
- RFC 8554: Leighton-Micali Hash-Based Signatures (LMS, stateful)