XMSS (eXtended Merkle Signature Scheme)

XMSS (eXtended Merkle Signature Scheme) is a stateful hash-based signature scheme standardized in RFC 8391. It arranges many WOTS+ one-time key pairs as the leaves of a Merkle tree; the tree root is the long-lived public key, and each signature reveals one WOTS+ signature plus the authentication path linking its leaf to the root. Because every one-time key must be used exactly once, the signer keeps state: an index recording which leaves are already spent.

State and standardization

The stateful requirement is the main operational hazard. If one index signs two different messages, for example after a virtual-machine rollback or a restored backup, security can collapse. For this reason NIST SP 800-208 approves XMSS and its multi-tree variant XMSS-MT only for constrained uses such as firmware signing, where a device signs in a controlled sequence. XMSS security reduces to standard hash function properties, so it is considered post-quantum secure. It is closely related to LMS, the other stateful scheme approved in the same document; stateless SLH-DSA avoids state at the cost of larger signatures.

Sources

  1. RFC 8391: XMSS: eXtended Merkle Signature Scheme (IETF, 2018)
  2. NIST SP 800-208, Recommendation for Stateful Hash-Based Signature Schemes (NIST, 2020)
Cite this entry
"XMSS (eXtended Merkle Signature Scheme)." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/xmss@misc{pqwiki-xmss, title = {XMSS (eXtended Merkle Signature Scheme)}, howpublished = {\url{https://postquantum.wiki/xmss}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }