CNSA 2.0 Update Part 3: LMS and XMSS

On April 18th, 2024, the NSA released updates and clarifications to their CNSA 2.0 (Commercial National Security Algorithm Suite 2.0) advisory in the form of an FAQ. This is the third in a multipart series of postings about the questions and answers that we feel are most interesting and our reactions to them.

But first, some clarifications on terms and acronyms:

  • NSS: National Security System
  • NIST SP 800-208 National Institute of Standard and Technology Special Publication 800-208 titled: Recommendation for Stateful Hash-Based Signature Schemes
  • LMS: Leighton-Micali Signatures; a stateful hash-based signature scheme
  • HSS: Hierarchical Signature Scheme; the hyper-tree algorithm that is on top of LMS
  • XMSS: eXtended Merkle Signature Scheme; a stateful hash-based signature scheme
  • XMSS^MT: eXtended Merkle Signature Scheme – Multi-Tree; the hyper-tree algorithm that is on top of XMSS

Q: Can I use HSS or XMSSMT from NIST SP 800-208?

A: From NIST SP 800-208, NSA has only approved LMS and XMSS for use in NSS. The multitree algorithms HSS and XMSSMT are not allowed.

Essentially what this means is that only the actual stateful hash-based signature schemes are approved for usage in NSS. The hyper-tree (colloquially known as “tree of trees”) components specified in NIST SP 800-208 are not approved.

Our implementation supports the hyper-tree components with the actual stateful hash-based signature schemes. More specifically, HSS/LMS and XMSS/XMSS^MT.

It is quite simple to transform an LMS public key into an HSS/LMS public key by putting 4 bytes of zeros in front of the LMS public key. The same is true of the signature.

In addition to the hyper-tree components, we allow for XMSS by supporting the following specifications in our API:

  • XMSS-SHA2_10_256
  • XMSS-SHA2_16_256
  • XMSS-SHA2_20_256

Note the lack of MT.

Here at wolfSSL we are looking forward to the future of post-quantum algorithms. If you need LMS or XMSS that is performant, capable of running in bare metal environments like pre-boot, or resource constrained environments, contact us at or call us at +1 425 245 8247.

Download wolfSSL Now