SLH-DSA (FIPS 205)
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is the hash-based digital signature scheme scheme standardized by NIST in FIPS 205, finalized on August 13, 2024. It is the standardized form of SPHINCS+, selected in the NIST PQC standardization process as the conservative option: its security rests only on the properties of the underlying cryptographic hash function.
How it works
SLH-DSA composes three hash-based building blocks into one structure:
- WOTS+ one-time signatures sign a single value each; security degrades if a WOTS+ key signs twice.
- Merkle trees (Merkle tree) authenticate many WOTS+ public keys under a single root, forming XMSS subtrees.
- A hypertree stacks several layers of these subtrees: the WOTS+ keys of each tree sign the roots of trees on the layer below, so the top root (the public key) indirectly authenticates an enormous number of leaves.
- FORS, a few-time signature scheme, sits at the bottom of the hypertree and signs the actual message digest.
Older hash-based schemes such as XMSS and LMS (standardized separately in NIST SP 800-208) are stateful: the signer must reliably track which one-time keys have been used, and losing that state is catastrophic. SLH-DSA removes the state by making the leaf choice pseudorandom for every signature over a hypertree with about 2^63 to 2^68 leaves, so the probability that a few-time key is reused often enough to matter is negligible. Statelessness is what makes the scheme safe to deploy in ordinary software stacks, virtual machines, and backups.
Parameter sets
FIPS 205 defines 12 parameter sets: three security levels, each in an "s" (small signature, slower signing) and an "f" (fast signing, larger signature) variant, each instantiated with either SHA2 or SHAKE as the hash function. The SHA2 and SHAKE variants of a given set share identical sizes, so the table lists the six size profiles. All sizes are exact, in bytes.
| Parameter set | Security category | Public key | Private key | Signature |
|---|---|---|---|---|
| SLH-DSA-128s | 1 | 32 | 64 | 7856 |
| SLH-DSA-128f | 1 | 32 | 64 | 17088 |
| SLH-DSA-192s | 3 | 48 | 96 | 16224 |
| SLH-DSA-192f | 3 | 48 | 96 | 35664 |
| SLH-DSA-256s | 5 | 64 | 128 | 29792 |
| SLH-DSA-256f | 5 | 64 | 128 | 49856 |
Keys are tiny; signatures are not. The "s" sets sign slowly but verify quickly and produce the smallest signatures, which suits applications that sign rarely and verify often, such as firmware images and root certificates. The "f" sets sign several times faster at the price of roughly doubled signature size and slower verification.
Why it is the conservative choice
Every other NIST post-quantum signature depends on a structured algebraic problem: ML-DSA and FN-DSA on lattice problems. SLH-DSA needs nothing beyond standard hash function properties (preimage-type resistance and pseudorandomness), assumptions that have survived decades of cryptanalysis and that a quantum computer only weakens by the limited, well-understood speedup of Grover's algorithm. If a mathematical breakthrough ever undermined lattices, the Rainbow and SIKE breaks during the NIST process being the cautionary examples, SLH-DSA would be unaffected. That is why it was standardized despite its costs.
Tradeoffs versus ML-DSA
The costs are concrete. An SLH-DSA-128s signature is 7856 bytes against 2420 bytes for ML-DSA-44, and signing with the "s" parameter sets is orders of magnitude slower than ML-DSA, taking on the order of hundreds of milliseconds on desktop-class processors. For interactive protocols that sign constantly, such as TLS handshakes, ML-DSA is the practical default; SLH-DSA is chosen where signatures are long-lived, verification dominates, and conservative assumptions matter most: firmware and code signing, trust anchors, and documents that must remain verifiable for decades. Side-by-side numbers are in post-quantum algorithm comparison. Implementations are available in liboqs and PQClean.
Frequently asked questions
Why choose SLH-DSA over ML-DSA?
SLH-DSA depends only on the security of hash functions, the most conservative assumption available, which makes it attractive for long-lived keys even though its signatures are larger and signing is slower.
Sources
- FIPS 205, Stateless Hash-Based Digital Signature Standard (NIST, 2024)
- SPHINCS+ official site (SPHINCS+ team, 2022)
- NIST SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes (NIST, 2020)
Cite this entry
"SLH-DSA (FIPS 205)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/slh-dsa@misc{pqwiki-slh-dsa,
title = {SLH-DSA (FIPS 205)},
howpublished = {\url{https://postquantum.wiki/slh-dsa}},
year = {2026},
note = {postquantum.wiki, updated 2026-07-11}
}