JEP draft: Leighton-Micali Hash-Based Signatures

Wei-Jun Wang
Mon Mar 20 21:51:27 UTC 2023

Hi All,

We propose to add support for HSS/LMS as a Signature algorithm to JCA/JCE.

All currently widely used digital signature schemes, including DSA, RSA, ECDSA, and EdDSA, have the potential to be broken if large scale quantum computers are ever built. However, the security of HSS/LMS depends only on the security of the underlying hash functions, and it is believed that the security of hash functions will not be broken by the development of large-scale quantum computers.

We have drafted a JEP for adding this support (see link below). We propose to add a new standard name and some new APIs. We will also provide an implementation of signature verification which would be integrated into an existing JDK security provider.

We don’t plan to provide implementations of key pair generation and signature generation out of the box, as they should be implemented in hardware. However, we believe third-party vendors will be interested in implementing them (in a “hardware cryptographic module”) and exposing the functions through a Java security provider. Thus we are proposing an HSSGenParameterSpec class to initialize the KeyPairGenerator for HSS/LMS. We are also proposing to define new interfaces named HSSLMSPrivateKey and HSSLMSPublicKey where you can read parameters from the keys. There is a keysRemaining() method where you can find out how many LM-OTS keys are left.

You can read the draft JEP at

Feel free to add any comment here.
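The mechanics behind the proposal (LM-OTS hash chains, the LMS Merkle tree, and the one-time-key counter that a keysRemaining() method would expose), as an added Python example that is not part of the original post and not the JDK's or any provider's code. It follows the RFC 8554 structure with the LMOTS_SHA256_N32_W8 and LMS_SHA256_M32_H5 parameters and a single-level HSS tree (L = 1); the class and function names are the example's own, and key generation and signing here use os.urandom in software purely for illustration, whereas the post places those operations in a hardware module.

```python
import hashlib
import os
import struct

# RFC 8554 typecodes and domain-separation tags
LMOTS_SHA256_N32_W8 = 4   # n = 32, w = 8, p = 34, ls = 0
LMS_SHA256_M32_H5 = 5     # m = 32, h = 5 -> 32 one-time keys per tree
N, W, P, LS, H = 32, 8, 34, 0, 5
D_PBLC, D_MESG, D_LEAF, D_INTR = b"\x80\x80", b"\x81\x81", b"\x82\x82", b"\x83\x83"

def u32(x): return struct.pack(">I", x)
def u16(x): return struct.pack(">H", x)
def u8(x): return bytes([x])
def sha256(*parts): return hashlib.sha256(b"".join(parts)).digest()

def coef(s, i, w):
    """i-th w-bit digit of byte string s (RFC 8554 section 3.1.3)."""
    return (s[(i * w) // 8] >> (8 - (w * (i % (8 // w)) + w))) & ((1 << w) - 1)

def checksum(q):
    """Winternitz checksum so an attacker cannot advance every chain at once."""
    total = sum((1 << W) - 1 - coef(q, i, W) for i in range(N * 8 // W))
    return u16(total << LS)

def chain(I, q, i, start, stop, value):
    """Walk hash chain i of leaf q from step start up to (not including) stop."""
    for j in range(start, stop):
        value = sha256(I, u32(q), u16(i), u8(j), value)
    return value

def ots_keygen(I, q):
    x = [os.urandom(N) for _ in range(P)]                       # one-time secrets
    y = [chain(I, q, i, 0, (1 << W) - 1, x[i]) for i in range(P)]  # chain ends
    return x, sha256(I, u32(q), D_PBLC, *y)                      # (private, K)

def ots_sign(I, q, x, message):
    C = os.urandom(N)
    Q = sha256(I, u32(q), D_MESG, C, message)
    digits = Q + checksum(Q)
    y = [chain(I, q, i, 0, coef(digits, i, W), x[i]) for i in range(P)]
    return u32(LMOTS_SHA256_N32_W8) + C + b"".join(y)

def ots_pubkey_from_sig(I, q, sig, message):
    """Recompute the candidate LM-OTS public key Kc (RFC 8554 algorithm 4b)."""
    if struct.unpack(">I", sig[:4])[0] != LMOTS_SHA256_N32_W8:
        raise ValueError("unexpected LM-OTS typecode")
    C = sig[4:4 + N]
    y = [sig[4 + N + i * N:4 + N + (i + 1) * N] for i in range(P)]
    Q = sha256(I, u32(q), D_MESG, C, message)
    digits = Q + checksum(Q)
    z = [chain(I, q, i, coef(digits, i, W), (1 << W) - 1, y[i]) for i in range(P)]
    return sha256(I, u32(q), D_PBLC, *z)

class LMSPrivateKey:
    """Single-tree HSS (L = 1) private key; q is the state the signer must never rewind."""
    def __init__(self):
        self.I = os.urandom(16)
        self.q = 0                      # next unused leaf
        leaves = 1 << H
        self.ots = [ots_keygen(self.I, q) for q in range(leaves)]
        self.T = [None] * (2 * leaves)  # Merkle nodes T[1..2^(h+1)-1], leaves at T[2^h + q]
        for r in range(leaves, 2 * leaves):
            self.T[r] = sha256(self.I, u32(r), D_LEAF, self.ots[r - leaves][1])
        for r in range(leaves - 1, 0, -1):
            self.T[r] = sha256(self.I, u32(r), D_INTR, self.T[2 * r], self.T[2 * r + 1])

    def keys_remaining(self):           # what the proposed keysRemaining() reports
        return (1 << H) - self.q

    def public_key(self):               # u32(L) || u32(lms type) || u32(ots type) || I || T[1]
        return u32(1) + u32(LMS_SHA256_M32_H5) + u32(LMOTS_SHA256_N32_W8) + self.I + self.T[1]

    def sign(self, message):
        if self.keys_remaining() == 0:
            raise RuntimeError("one-time keys exhausted; signing again would reuse a key")
        q = self.q
        self.q += 1                     # advance state before the signature leaves the module
        ots_sig = ots_sign(self.I, q, self.ots[q][0], message)
        node, path = (1 << H) + q, []
        while node > 1:                 # authentication path: sibling at each level
            path.append(self.T[node ^ 1])
            node //= 2
        return u32(0) + u32(q) + ots_sig + u32(LMS_SHA256_M32_H5) + b"".join(path)

def verify(public_key, message, signature):
    """HSS/LMS verification for L = 1; this is the side the JDK would ship."""
    try:
        if struct.unpack(">I", public_key[:4])[0] != 1 or struct.unpack(">I", signature[:4])[0] != 0:
            return False
        lms_type, ots_type = struct.unpack(">II", public_key[4:12])
        if lms_type != LMS_SHA256_M32_H5 or ots_type != LMOTS_SHA256_N32_W8:
            return False
        I, T1 = public_key[12:28], public_key[28:60]
        sig = signature[4:]
        q = struct.unpack(">I", sig[:4])[0]
        ots_len = 4 + N + P * N
        ots_sig, path = sig[4:4 + ots_len], sig[8 + ots_len:]
        if struct.unpack(">I", sig[4 + ots_len:8 + ots_len])[0] != lms_type:
            return False
        if q >= (1 << H) or len(path) != H * N:
            return False
        node = (1 << H) + q
        tmp = sha256(I, u32(node), D_LEAF, ots_pubkey_from_sig(I, q, ots_sig, message))
        for i in range(H):              # climb to the root using the authentication path
            sibling = path[i * N:(i + 1) * N]
            left, right = (sibling, tmp) if node % 2 else (tmp, sibling)
            tmp = sha256(I, u32(node // 2), D_INTR, left, right)
            node //= 2
        return tmp == T1
    except (struct.error, ValueError):
        return False
```

The sign() method increments q and refuses once keysRemaining() reaches zero; releasing a signature before the new state is durably recorded is the failure mode that makes HSS/LMS unsuitable for software that can be restored from a snapshot, which is why the post leaves key generation and signing to a hardware module and the JDK only verifies.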
