QNSP
Start building free
Why QNSP
The Quantum ImperativeWhy QNSPPQC Migration GuideCompetitive AnalysisVet PQC Vendors
Platform
Platform ArchitectureCapabilitiesUse Cases by IndustryKnowledge BaseBlogResearch
Trust
Trust HubCompliance MappingNIST ACVP ConformancePerformance BenchmarksEntropy ChainAlgorithm CatalogSystem Status
Developers
Developer HubUse CasesAI Assistants (MCP)
PricingContactStart building free

Digital Signature

SLH-DSA

Stateless Hash-based Digital Signature Algorithm · FIPS 205

FIPS-finalisedhash-based5 parameter setsQNSP tier: default+provider: nobleprovider: liboqsalso called: SPHINCS+, Stateless Hash-DSA
NIST's hash-based digital signature standard, finalised August 2024 as FIPS 205. SLH-DSA's security rests only on the hardness of finding hash function preimages — the most conservative assumption available — making it the natural choice for long-archival signatures and government-tier policy.

Mechanism

How it works

SLH-DSA combines a few-time hash signature (FORS) with a hypertree of one-time signatures (WOTS+) glued together using Merkle trees. The result is a stateless signature scheme whose security reduces solely to the security of the underlying hash function (SHA-2 or SHAKE). 12 parameter sets cover combinations of {SHA2, SHAKE} × {128, 192, 256 bits} × {fast, small}. The `f` (fast) variants prioritise signing speed; `s` (small) variants prioritise signature size.

Parameter Sets

5 variants shipped

Each variant trades security category against key, ciphertext, or signature size. QNSP exposes all variants via the @cuilabs/liboqs-native binding; tenant crypto-policy determines which are allowed.

VariantNIST LevelPublic KeySecret KeySignatureNote
SLH-DSA-SHA2-128sL132 B64 B7,856 BSmallest signature, slower signing. Hash: SHA-2-256.
SLH-DSA-SHA2-128fL132 B64 B17,088 BFaster signing, larger signature. Hash: SHA-2-256.
SLH-DSA-SHA2-256sL564 B128 B29,792 BMaximum / Government tier — smallest sig variant.
SLH-DSA-SHA2-256fL564 B128 B49,856 BMaximum / Government tier — faster signing variant.
SLH-DSA-SHAKE-128s / 128f / 192s / 192f / 256s / 256fL532 B64 B7,856 BSHAKE-based variants (6 additional). Identical security categories; SHAKE provides constant-time XOF for environments where SHA-2 acceleration is unavailable.

NIST ACVP

Conformance evidence

QNSP runs the official NIST ACVP test vectors against every shipped algorithm. Live evidence + SHA-3-256 tamper digest at /verify/conformance.

@noble/post-quantum
passing
Pure-JavaScript reference; cross-verification secondary on Maximum + Government tiers.
@cuilabs/liboqs-native
deferred
Native-C primary production engine. Runs across every QNSP backend service.
noble passes all 120 SLH-DSA keyGen ACVP tests across all 12 parameter sets. liboqs keyGen tests deferred (same OQS_SIG_keypair_derand gap as ML-DSA).
View live ACVP evidence →

Use Cases

When to use it

  • Long-archival signatures (decades-long validity)
  • Government tier (FIPS-finalised conservative-assumption requirement)
  • Code-signing for high-assurance artefacts
  • Independent cross-verification of ML-DSA signatures (different security assumption)

Trade-offs

What you give up, what you get

  • Largest signatures of any FIPS-finalised PQC scheme (8 KB – 50 KB depending on parameter set)
  • Slowest signing performance — milliseconds, not microseconds
  • Strongest security argument — relies only on hash function security
  • Stateless: no key-use counter to maintain (unlike LMS / XMSS)

FAQ

SLH-DSA — frequently asked questions

Concise, source-of-truth answers to the questions buyers and engineers ask most about this algorithm.

What is SLH-DSA?

SLH-DSA (Stateless Hash-based Digital Signature Algorithm) is a hash based post-quantum digital signature scheme. It is designed to resist attacks from both classical and quantum computers, and QNSP ships 5 of its parameter sets. It is also known as SPHINCS+, Stateless Hash-DSA.

Is SLH-DSA NIST-standardized?

Yes. SLH-DSA is a NIST-standardized algorithm, finalized as FIPS 205. QNSP runs the official NIST ACVP test vectors against it on every release, with the live evidence and a SHA-3-256 tamper digest published at /verify/conformance.

What is SLH-DSA used for?

On QNSP, SLH-DSA is used for Long-archival signatures (decades-long validity); Government tier (FIPS-finalised conservative-assumption requirement). It is available from the default crypto-policy tier upward via the noble and liboqs providers.

References

Primary sources