FORS (Forest of Random Subsets)
FORS (Forest of Random Subsets) is a few-time hash-based signature scheme used as an internal component of the stateless standard SLH-DSA, formerly SPHINCS+. Unlike a one-time scheme such as WOTS, FORS tolerates a bounded number of signatures per key with only gradual security loss, which is what lets SLH-DSA sign without keeping state. A FORS key holds many secret values grouped into several trees; a message digest selects one leaf from each tree, and the signature reveals those leaves together with their authentication paths.
Why few-time signing matters
SLH-DSA has no counter to guarantee a fresh key per signature, so it selects a FORS key pseudorandomly from a large set. Two messages can occasionally map to the same FORS key, so the parameters are chosen so that the residual forgery probability stays below the target security level even after the maximum number of signatures. Each FORS key is authenticated by a Merkle hypertree of WOTS+ keys, and the whole construction relies only on hash function security. FIPS 205 fixes the FORS tree count and height for every SLH-DSA parameter set (FIPS 205).
Sources
- FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
- The SPHINCS+ Signature Framework (IACR ePrint (ACM CCS 2019), 2019)
Cite this entry
"FORS (Forest of Random Subsets)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/fors@misc{pqwiki-fors,
title = {FORS (Forest of Random Subsets)},
howpublished = {\url{https://postquantum.wiki/fors}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}