- Key Takeaways
- What SLH-DSA Is and Why It Exists
- How SLH-DSA Works
- The 12 Parameter Sets
- The Tradeoff: Conservative Security, Large Signatures
- SLH-DSA vs ML-DSA: When to Use Which
- Where SLH-DSA Fits in Standards and Protocols
- How Encryption Consulting Helps
- Frequently Asked Questions
- Choose the Right Post-Quantum Signature for Each System
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is a post-quantum digital signature standard published by NIST as FIPS 205 in August 2024. It is based on SPHINCS+ and derives its security entirely from hash functions, making it the most conservative of NIST’s post-quantum signature standards.
SLH-DSA is one of two post-quantum digital signature algorithms NIST finalized in 2024, standardized in FIPS 205 and based on the SPHINCS+ submission. Unlike lattice-based ML-DSA, its security rests only on the properties of hash functions, with no structured mathematical assumption to break. That makes SLH-DSA slower and its signatures larger, but it serves as a conservative, high-assurance backup where long-term trust matters most.
Key Takeaways
- SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is NIST’s hash-based post-quantum signature standard, published as FIPS 205 on August 13, 2024, and based on SPHINCS+.
- Its security depends only on the collision and preimage resistance of hash functions (SHA-2 and SHAKE), not on a lattice or other structured problem. This is the most conservative security foundation in NIST’s PQC signature suite.
- FIPS 205 approves 12 parameter sets: six using SHA-2 and six using SHAKE, at security categories 1, 3, and 5, each offered in a small-signature (‘s’) and fast-signing (‘f’) variant.
- SLH-DSA signatures are large (for example, roughly 7,856 bytes for SLH-DSA-128s) and signing is comparatively slow, which is the tradeoff for its conservative security.
- ML-DSA (FIPS 204) is NIST’s primary, general-purpose signature algorithm. SLH-DSA is the conservative alternative for long-lived, high-assurance signatures such as firmware and root-of-trust signing.
What SLH-DSA Is and Why It Exists
SLH-DSA is a digital signature algorithm designed to remain secure against attacks by quantum computers. Digital signatures prove that data came from a specific signer and has not been altered, and they underpin code signing, certificates, secure boot, and document integrity. The public-key signature algorithms in use today, RSA and ECDSA, are broken by Shor’s algorithm on a sufficiently powerful quantum computer, so NIST standardized quantum-resistant replacements.
NIST standardized two signature algorithms rather than one, on purpose. ML-DSA (FIPS 204), based on lattice cryptography, is the general-purpose default. SLH-DSA (FIPS 205) is the conservative alternative. If a future cryptanalytic breakthrough ever weakened lattice-based schemes, SLH-DSA would still stand, because it relies on nothing more than the security of hash functions, which are among the most studied and trusted primitives in cryptography.
How SLH-DSA Works
SLH-DSA is built entirely from hash functions, combined in a layered structure that produces a stateless signature scheme. Three components do the work:
- WOTS+ (Winternitz One-Time Signature Plus): A one-time signature scheme used to sign the nodes of the internal trees. Each WOTS+ key is used only once.
- FORS (Forest of Random Subsets): A few-time signature scheme used at the leaf level to sign the actual message digest, allowing a key to sign a limited number of times safely.
- Hypertree: A tree of trees that links many WOTS+ and FORS keys together under a single public key, which is what allows SLH-DSA to be stateless: the signer does not need to track which keys have been used.
The word stateless is important. Earlier hash-based schemes such as LMS and XMSS (standardized in NIST SP 800-208) are stateful, meaning the signer must carefully track which one-time keys have been used, and reusing one breaks security. SLH-DSA removes that operational hazard, at the cost of larger signatures and slower signing.
The 12 Parameter Sets
FIPS 205 approves 12 parameter sets. They vary along three dimensions: the hash function family (SHA-2 or SHAKE), the security category (1, 3, or 5, corresponding to 128, 192, and 256-bit security), and the optimization goal (small signature or fast signing).
| Dimension | Options | What it controls |
|---|---|---|
| Hash family | SHA-2 or SHAKE | The underlying hash function. NIST notes SHAKE-based sets offer greater flexibility for long-term use. |
| Security category | 1, 3, 5 (128 / 192 / 256-bit) | The strength level. Category 1 targets roughly AES-128 equivalent security, category 5 roughly AES-256. |
| Optimization | ‘s’ (small) or ‘f’ (fast) | ‘s’ minimizes signature size at the cost of slower signing; ‘f’ speeds up signing at the cost of larger signatures. |
This gives names such as SLH-DSA-SHA2-128s (SHA-2, category 1, small) and SLH-DSA-SHAKE-256f (SHAKE, category 5, fast). The ‘s’ and ‘f’ tradeoff is the practical decision point: choose ‘s’ when signatures are stored or transmitted often and signing is infrequent, and ‘f’ when signing throughput matters more than signature size.
The Tradeoff: Conservative Security, Large Signatures
SLH-DSA’s defining characteristic is that it buys maximum security confidence at a real performance cost. Its signatures are large and its signing is slow compared with both classical signatures and lattice-based ML-DSA.
For scale, an SLH-DSA-128s signature is roughly 7,856 bytes, and signing is comparatively slow, whereas an ML-DSA-65 signature is a few kilobytes and signs far faster. Verification is more reasonable, but the signature size alone can make SLH-DSA impractical for high-volume or bandwidth-constrained uses. The upside is the security argument: if the underlying hash function is secure, SLH-DSA is secure. There is no newer, less-studied hardness assumption involved.
SLH-DSA vs ML-DSA: When to Use Which
FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) are complementary, not interchangeable. Choosing between them is a real design decision.
| Attribute | ML-DSA (FIPS 204) | SLH-DSA (FIPS 205) |
|---|---|---|
| Based on | Module-lattice cryptography (CRYSTALS-Dilithium) | Hash functions (SPHINCS+) |
| Security assumption | MLWE / MSIS lattice problems | Hash function collision / preimage resistance |
| Signature size | Smaller (kilobytes) | Larger (multiple kilobytes to tens of KB) |
| Speed | Fast signing and verification | Slower signing |
| Best role | General-purpose default signature | Conservative, high-assurance long-lived signatures |
In practice, ML-DSA is the right default for most applications: TLS, general code signing, and document signing. SLH-DSA is chosen where the signature must remain trustworthy for decades and where the extra size and slower signing are acceptable, such as firmware signing, secure-boot root keys, and root certificate authorities. Some organizations use SLH-DSA specifically to hedge against the small chance of a future lattice breakthrough.
Where SLH-DSA Fits in Standards and Protocols
FIPS 205 was published on August 13, 2024, alongside FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA). Adoption in protocols is progressing: RFC 9814 (July 2025) standardizes the use of SLH-DSA in the Cryptographic Message Syntax (CMS), which is used for signed data such as S/MIME and some code-signing formats. As with the rest of the post-quantum transition, real-world adoption also depends on support in HSMs, cryptographic libraries, and certificate authorities, which is maturing rather than complete.
How Encryption Consulting Helps
Choosing between ML-DSA and SLH-DSA, and identifying which of your systems need quantum-safe signatures at all, is exactly the kind of decision Encryption Consulting’s Post-Quantum Cryptography Advisory Services are built for. We inventory where your organization uses digital signatures today, assess which use cases justify SLH-DSA’s conservative security versus ML-DSA’s efficiency, and design a migration plan that accounts for signature size, HSM and library support, and the long confidentiality horizons of firmware and root-of-trust signing. The result is an algorithm selection grounded in your actual systems rather than defaults. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.
Frequently Asked Questions
What is SLH-DSA?
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is a post-quantum digital signature standard published by NIST as FIPS 205 in August 2024. It is based on the SPHINCS+ scheme and produces signatures that remain secure against quantum computers. Its distinguishing feature is that its security depends only on the properties of hash functions, with no lattice or other structured mathematical assumption, which makes it the most conservative of NIST’s post-quantum signature standards.
What is the difference between SLH-DSA and ML-DSA?
Both are NIST post-quantum signature standards finalized in 2024, but they rest on different foundations. ML-DSA (FIPS 204) is based on module-lattice cryptography and is fast with relatively small signatures, making it the general-purpose default. SLH-DSA (FIPS 205) is based purely on hash functions, giving it a more conservative security argument but larger signatures and slower signing. ML-DSA suits most uses; SLH-DSA suits long-lived, high-assurance signatures such as firmware and root keys.
Why are SLH-DSA signatures so large?
SLH-DSA builds a signature from many hash-based components: one-time WOTS+ signatures, few-time FORS signatures, and a hypertree that links them under one public key. Representing all of this produces a signature that is much larger than a classical or lattice-based signature. For example, an SLH-DSA-128s signature is roughly 7,856 bytes. The large size is the price of a security argument that rests only on hash functions, which is why SLH-DSA is reserved for cases where that conservatism is worth the cost.
What are the SLH-DSA parameter sets?
FIPS 205 approves 12 parameter sets. Six use the SHA-2 hash family and six use SHAKE. Within each family there are three security categories (1, 3, and 5, roughly corresponding to 128, 192, and 256-bit security), and each category comes in a small-signature variant marked ‘s’ and a fast-signing variant marked ‘f’. Examples include SLH-DSA-SHA2-128s and SLH-DSA-SHAKE-256f. NIST notes that SHAKE-based sets offer greater flexibility for long-term use.
What does stateless mean in SLH-DSA?
Stateless means the signer does not have to track which internal keys have already been used. Earlier hash-based signature schemes such as LMS and XMSS are stateful: the signer must record and never reuse each one-time key, and a mistake breaks security. SLH-DSA uses a hypertree structure and randomized selection so that no state needs to be maintained between signatures. This removes a significant operational risk, at the cost of larger signatures and slower signing.
When should I use SLH-DSA instead of ML-DSA?
Use SLH-DSA when a signature must remain trustworthy for a very long time and when its larger size and slower signing are acceptable, such as firmware signing, secure-boot root keys, and root certificate authorities. Use ML-DSA for general-purpose signing where efficiency matters, such as TLS and routine code signing. Some organizations also use SLH-DSA as a hedge, so that a future weakness in lattice cryptography would not compromise their most critical long-lived signatures.
Choose the Right Post-Quantum Signature for Each System
SLH-DSA and ML-DSA solve different problems, and picking the wrong one carries a real cost in performance or assurance. Explore Encryption Consulting’s PQC Advisory Services to inventory your signature use cases and select the right quantum-safe algorithm for each one.
- Key Takeaways
- What SLH-DSA Is and Why It Exists
- How SLH-DSA Works
- The 12 Parameter Sets
- The Tradeoff: Conservative Security, Large Signatures
- SLH-DSA vs ML-DSA: When to Use Which
- Where SLH-DSA Fits in Standards and Protocols
- How Encryption Consulting Helps
- Frequently Asked Questions
- Choose the Right Post-Quantum Signature for Each System
