LMS (Leighton-Micali Signature)

LMS (Leighton-Micali Signature) is a stateful hash-based signature scheme defined in RFC 8554. Like XMSS, it builds a Merkle tree over many one-time keys (its LM-OTS one-time signatures) and uses the tree root as the public key; each signature spends one leaf and includes the authentication path to the root. The signer must track which leaves are used, so LMS carries the state-management burden common to stateful schemes.

Standardization and use

NIST SP 800-208 approves LMS, its multi-tree variant HSS, XMSS, and XMSS-MT for cases such as firmware and software signing, where signing happens in a controlled environment and the number of signatures is planned in advance. LMS is valued for its simplicity and reliance only on hash function security, which makes it post-quantum secure and straightforward to audit. Its main limitation is state: reusing a one-time leaf can allow forgeries, so deployments must prevent index reuse across backups, clones, and concurrent signers. For applications that cannot manage state safely, the stateless SLH-DSA standard is the alternative.

Sources

  1. RFC 8554: Leighton-Micali Hash-Based Signatures (IETF, 2019)
  2. NIST SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes (NIST, 2020)
Cite this entry
"LMS (Leighton-Micali Signature)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/lms@misc{pqwiki-lms, title = {LMS (Leighton-Micali Signature)}, howpublished = {\url{https://postquantum.wiki/lms}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }