SLH-DSA: Hash-Based Signature for PQC
- SLH-DSA is a stateless hash-based digital signature algorithm built from FORS, XMSS and WOTS+ that offers post-quantum security without relying on algebraic assumptions.
- Integrating quantum random number generators (QRNGs) raises the entropy and unpredictability of key seeds and per-signature randomizers, at the cost of slower key generation and signing.
- Practical vulnerabilities like software-only Rowhammer attacks underscore the need for robust hardware countermeasures and secure memory management.
SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is the post-quantum signature scheme that NIST standardized as FIPS 205 in August 2024; it is derived from SPHINCS+. Its security rests solely on properties of cryptographic hash functions. Its stateless operation and hash-based building blocks (FORS, XMSS, WOTS+) make it a conservative alternative to number-theoretic schemes, which a large quantum computer would break. The recent literature covers standardization, implementation topics, enhancements with quantum random number generators (QRNGs), and a practical software-only universal forgery attack that injects faults with Rowhammer.
1. Algorithmic Foundations and Hash-Based Structure
SLH-DSA is built from three hash-based signature primitives:
- FORS (Forest of Random Subsets): a few-time signature that signs the randomized message digest. Its public key is the value the rest of the signature authenticates.
- XMSS (eXtended Merkle Signature Scheme): a Merkle tree whose leaves are WOTS+ public keys and whose every internal node is the hash of its two children. SLH-DSA stacks XMSS trees into a hypertree; a WOTS+ key at a leaf of one layer signs the root of the tree below it.
- WOTS+ (Winternitz One-Time Signature Plus): the innermost primitive. A signature reveals one intermediate value per hash chain; the verifier finishes the chains and recompresses the public key. A WOTS+ key is secure only while it signs a single value.
Signing proceeds bottom-up. The randomized message digest selects a hypertree leaf and is signed with the FORS key pair at that leaf (its private values are derived from the secret seed and the leaf's address). The FORS public key is signed by the WOTS+ key at the corresponding leaf of the lowest XMSS tree, the authentication path up that tree yields its root, and that root is in turn signed by a WOTS+ key in the layer above, up to the public root. Each internal node is computed from its two children as the hash of the left node concatenated with the right node.
Every WOTS+ key pair is bound to a fixed address in the hypertree; its secret chain starts are derived from the secret seed and that address, and the chain values are reached by repeated hashing. The leaf used for a signature is selected pseudorandomly from the digest, and the hypertree has at least 2^63 leaves, so two signatures select the same FORS leaf only with negligible probability. Nothing else enforces one-time use: if a faulty implementation makes one WOTS+ key sign two different values, the guarantee is gone.
2. Security Properties and Quantum Resistance
SLH-DSA's security is predicated on preimage and second-preimage resistance and the pseudorandomness of its hash functions; the tweakable-hash construction inherited from SPHINCS+ avoids a dependence on full collision resistance, and no algebraic assumption (factoring, discrete logarithm) is involved. Against a quantum adversary the best generic attack is Grover-type search, which the parameter sets account for, so the scheme resists both classical and quantum attacks as long as the hash functions meet their security definitions.
A defining property is stateless operation: the signer keeps no record of which one-time keys it has used. Stateful hash-based schemes such as XMSS and LMS (RFC 8391, RFC 8554) must persist and synchronize a counter, and a restored backup or a cloned virtual machine that replays a counter value reuses a one-time key. Statelessness removes that operational failure mode.
The scheme's conservative design, layering FORS, XMSS and WOTS+ and hashing each message with a fresh per-signature randomizer R, means a forgery requires a preimage or second preimage of the hash function (or a multi-target variant of those problems) rather than any structural weakness.
3. QRNG-Enhanced SLH-DSA: Algorithmic Integration and Security Impact
Recent research (Chen, 24 Jul 2025) integrates quantum random number generators (QRNGs) into the SLH-DSA workflow to raise the entropy and unpredictability of key and signature generation.
- Key generation: an SLH-DSA key pair is defined by three n-byte random values (SK.seed, SK.prf and PK.seed in FIPS 205 notation); everything else, including the public root, is derived from them. The QRNG produces these values by preparing qubits in a uniform superposition (for example by applying a Hadamard gate to each qubit) and measuring.
- Signature generation: for each signature a fresh n-byte value addrnd is drawn from the QRNG and passed as opt_rand into PRF_msg together with SK.prf and the message to derive the randomizer R. Two signatures of the same message therefore differ. FIPS 205 makes this randomized mode the default and offers a deterministic variant (addrnd replaced by PK.seed) as an option.
The advantages claimed for QRNG integration are:
- Randomness from a physical quantum process does not depend on the algorithmic state of a software PRNG, so seeds cannot be reconstructed from earlier outputs or a leaked internal state. This holds only if the QRNG's raw output is conditioned and its entropy validated.
- Entropy validated per NIST SP 800-90B: the output passed the IID tests and its min-entropy was estimated.
- Seeds that are unpredictable in principle rather than only computationally, which strengthens the unforgeability argument in practice.
The cost is performance: key generation from the QRNG is slower than from the SecureRandom PRNG (the reported H-gate QRNG needs 136 ms per key pair against 6.4 ms; signing shows a similar slowdown), which the work considers acceptable for high-security post-quantum deployments.
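To make the SP 800-90B validation step concrete, here is an added Python example (not from the page or the QRNG work) of the Most Common Value estimator from SP 800-90B section 6.3.1, the estimator the standard applies to data that has passed its IID tests. Both inputs are constructed here: a SHA-256 counter stream standing in for a healthy source, and the same stream with the top bit of every byte forced to 0 standing in for a biased one.

```python
# Added example: NIST SP 800-90B Most Common Value (MCV) min-entropy estimate.
# Not code from the page or the QRNG work; both input streams are constructed below.
import hashlib
import math

Z_ALPHA = 2.576   # 99% upper confidence bound used throughout SP 800-90B


def mcv_min_entropy(samples: bytes) -> float:
    """MCV estimate (SP 800-90B 6.3.1) in bits per 8-bit sample.
    Uses the upper confidence bound on the most common symbol's probability, so it is
    conservative; on the IID track it is the only estimate the standard uses."""
    L = len(samples)
    counts = [0] * 256
    for b in samples:
        counts[b] += 1
    p_hat = max(counts) / L
    p_upper = min(1.0, p_hat + Z_ALPHA * math.sqrt(p_hat * (1 - p_hat) / (L - 1)))
    return -math.log2(p_upper)


def constructed_stream(label: bytes, n_bytes: int) -> bytes:
    """Deterministic stand-in for raw RNG output (SHA-256 in counter mode). Constructed
    test data: it is not a QRNG trace, and passing MCV here says nothing about any device."""
    out = bytearray()
    ctr = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n_bytes])


def stuck_msb_stream(n_bytes: int) -> bytes:
    """Biased source: most significant bit stuck at 0, so at most 7 bits/byte are possible."""
    return bytes(b & 0x7F for b in constructed_stream(b"biased", n_bytes))


if __name__ == "__main__":
    for name, data in (("balanced", constructed_stream(b"good", 1 << 16)),
                       ("stuck MSB", stuck_msb_stream(1 << 16))):
        print(f"{name:10s} MCV min-entropy: {mcv_min_entropy(data):.2f} bits/byte")
```

A full 90B assessment needs at least 1,000,000 samples, runs the IID permutation tests first, and on the non-IID track takes the minimum over ten estimators; MCV alone is the ceiling a source can claim, not proof that it reaches it. The stuck-bit stream is the point of the exercise: a QRNG whose detector or ADC is biased is not saved by being quantum, and the estimate is what justifies how much conditioned output may be used as SK.seed, SK.prf or PK.seed.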
4. Rowhammer Fault Attacks: Software-Only Universal Forgery Against SLH-DSA
A second development (Boy et al., 16 Sep 2025) shows that SLH-DSA implementations can be broken by real-world fault attacks. The SLasH-DSA attack uses Rowhammer, a DRAM disturbance effect in which rapid activation of one row flips bits in neighbouring rows, to corrupt memory holding critical SLH-DSA state (notably buffers holding lnode values during XMSS tree computation).
Attack process:
- The attacker reverse-engineers the DRAM address mapping with timing side channels and obtains physically contiguous memory through huge pages or the SPOILER side channel.
- A software-only Rowhammer pattern (synthesized with a framework such as Swage) corrupts a chosen page at the moment the sensitive signature state is loaded in it.
- The corrupted node makes the same WOTS+ key sign two different values, violating the scheme's one-time-use invariant.
- Faulty signatures are collected and analyzed; intermediate chain values of the compromised WOTS+ instances are recovered by exhaustive search.
- A grafting-tree attack reconstructs an XMSS tree and selects a randomization so the signature path traverses the compromised instance; this enables universal forgery for any message.
Complexity analysis shows that the expected cost of a forgery is determined by which chain positions have been exposed; an offline dynamic-programming computation identifies the cheapest path through the compromised instance.
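As an added example (not code from the page, from FIPS 205 or from the SLasH-DSA paper), the toy Python below ties the structure of Section 1 and the attack steps above together: WOTS-style hash chains, a small Merkle tree with node = H(left || right), and the forgery that becomes possible once the same WOTS key has signed several different digests. It is deliberately scaled down: 4-byte randomized digests, SHA-256 truncated to 16 bytes, no WOTS+ bitmasks or tweakable hashing, a 4-leaf tree, and constructed seeds and messages. H, chain, digits, forge_from_reuse and the other identifiers are this example's own.

```python
# Added toy implementation (not code from the page, FIPS 205 or the SLasH-DSA paper):
# a WOTS-style one-time signature, a Merkle tree of WOTS public keys with
# node = H(left || right), and the forgery that follows once one WOTS key has signed
# several different digests. Simplifications: 4-byte digests, SHA-256 truncated to
# 16 bytes, no WOTS+ bitmasks, a 4-leaf tree; all seeds and messages are constructed.
import hashlib

N = 16             # bytes of hash output kept (SLH-DSA uses n = 16, 24 or 32)
W = 16             # Winternitz parameter: a 4-bit digit selects 0..15 chain steps
DIGEST_BYTES = 4   # toy randomised digest -> LEN1 = 8 message digits
LEN1 = DIGEST_BYTES * 2
LEN2 = 2           # checksum digits: max checksum 8 * 15 = 120 fits in two digits
LEN = LEN1 + LEN2  # hash chains per WOTS key
TREE_H = 2         # toy XMSS tree with 2**TREE_H = 4 WOTS leaves

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()[:N]

def chain(x, start, steps):
    """Walk a hash chain from position `start` for `steps` steps (position-bound, no bitmasks)."""
    for i in range(start, start + steps):
        x = H(b"chain", bytes([i]), x)
    return x

def digits(msg, r):
    """Randomised digest H(r, msg) split into base-W digits, then two checksum digits."""
    d = H(b"msg", r, msg)[:DIGEST_BYTES]
    ds = [nib for b in d for nib in (b >> 4, b & 0xF)]
    csum = sum(W - 1 - x for x in ds)
    return ds + [csum >> 4, csum & 0xF]

def wots_keygen(seed, leaf):
    sk = [H(b"sk", seed, bytes([leaf, i])) for i in range(LEN)]   # chain starts
    pk = H(b"pk", *[chain(s, 0, W - 1) for s in sk])              # chain ends, compressed
    return sk, pk

def wots_sign(sk, ds):
    return [chain(s, 0, d) for s, d in zip(sk, ds)]               # reveal position d_i

def wots_pk_from_sig(sig, ds):
    return H(b"pk", *[chain(s, d, W - 1 - d) for s, d in zip(sig, ds)])

def merkle_levels(leaves):
    """All tree levels, leaves first; every internal node is H(left || right)."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lv = levels[-1]
        levels.append([H(b"node", lv[i], lv[i + 1]) for i in range(0, len(lv), 2)])
    return levels

def keygen(seed):
    sks, pks = zip(*(wots_keygen(seed, i) for i in range(2 ** TREE_H)))
    levels = merkle_levels(list(pks))
    return {"sks": sks, "levels": levels}, levels[-1][0]   # (private state, public root)

def sign(key, leaf, msg, r):
    ds = digits(msg, r)
    auth = [key["levels"][h][(leaf >> h) ^ 1] for h in range(TREE_H)]   # sibling per level
    return (leaf, r, wots_sign(key["sks"][leaf], ds), auth)

def verify(root, msg, sig):
    leaf, r, wsig, auth = sig
    node = wots_pk_from_sig(wsig, digits(msg, r))
    for h, sib in enumerate(auth):
        node = H(b"node", node, sib) if (leaf >> h) & 1 == 0 else H(b"node", sib, node)
    return node == root

def forge_from_reuse(leaked, target, max_tries=500_000):
    """leaked: [(msg, sig)] all produced with the SAME leaf (the fault-induced reuse).
    Each signature reveals chain i at position d_i; anything at or beyond the lowest
    revealed position is computable by hashing forward. Grind the randomiser r until
    every digit of the target digest, checksum included, lands in that region."""
    leaf, auth = leaked[0][1][0], leaked[0][1][3]
    known = [None] * LEN                         # per chain: (lowest position, value)
    for msg, (_, r, wsig, _) in leaked:
        for i, d in enumerate(digits(msg, r)):
            if known[i] is None or d < known[i][0]:
                known[i] = (d, wsig[i])
    for t in range(max_tries):
        r = t.to_bytes(8, "big")
        ds = digits(target, r)
        if all(d >= pos for d, (pos, _) in zip(ds, known)):
            return (leaf, r, [chain(v, pos, d - pos) for d, (pos, v) in zip(ds, known)], auth)
    return None                                  # no forgeable digest found in budget

if __name__ == "__main__":
    key, root = keygen(b"constructed toy seed")
    print("genuine verifies:", verify(root, b"pay 10", sign(key, 1, b"pay 10", b"r-1")))
    # Simulated fault: leaf 0 signs four different digests; each signature is valid.
    leaked = [(m, sign(key, 0, m, m)) for m in (b"msg-a", b"msg-b", b"msg-c", b"msg-d")]
    target = b"transfer everything to attacker"
    forged = forge_from_reuse(leaked, target)
    print("forgery verifies:", forged is not None and verify(root, target, forged))
```

Each leaked signature is individually valid, so a signer that verifies its own output before release would not notice the reuse; the damage comes from the combination. The grinding loop over r is the toy counterpart of the randomization selection in the grafting-tree step: the attacker keeps only digests whose digits all lie at or beyond a revealed chain position and hashes the revealed values forward. Real SLH-DSA digests have 2n message digits plus a three-digit checksum for w = 16, so the search space is far larger; the paper's complexity analysis is about exactly this search at full size.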
The attack applies to commodity server and desktop platforms (demonstrated against OpenSSL 3.5.1 at all NIST SLH-DSA security levels), illustrating that microarchitectural fault injection can defeat a theoretically rigorous PQC scheme when hardware countermeasures (error-correcting memory, per-row activation counting (PRAC)) and careful software memory management are absent.
5. Implementation Details, Frameworks, and Countermeasures
The Swage framework, presented in (Boy et al., 16 Sep 2025), modularizes all components required for practical Rowhammer exploits:
| Module | Function | Key Approach |
|---|---|---|
| DRAM Inspector | Physical-DRAM mapping | Timing side channels |
| Allocator | Physically contiguous memory allocation | Huge pages, SPOILER side channel |
| Hammerer | Rowhammer pattern synthesis | BlacksmithFuzz |
| Orchestrator | Process state orchestration | Synchronization |
| Page Injector | OS-level memory placement | Page injection |
Mitigation strategies emerging from this line of work include:
- Hardware ECC and DRAM architectures with finer-grained error correction or per-row activation counters (PRAC).
- OS-level page randomization and segregation of memory used for sensitive cryptographic computations.
- Invariance checks and self-auditing of the signing operation that detect reuse of a WOTS+ key or an unexpected tree traversal before a faulty signature leaves the signer.
A plausible implication is that PQC standardization should require not only mathematical soundness but also resilient hardware and memory management practices.
6. Practical Performance and Deployment Considerations
Empirical findings show that QRNG-enhanced SLH-DSA increases key generation and signing times by roughly an order of magnitude compared to conventional PRNG-based implementations, while the entropy tests confirm higher output quality. Universal forgery through Rowhammer requires substantial online and offline effort: the software-only attack needed eight hours of memory hammering and 36 seconds of post-processing to produce a forgery at the highest security level.
This suggests that in high-assurance environments, practical deployment of SLH-DSA must balance these trade-offs:
- The security margin from QRNG seeding justifies the added cost for critical infrastructure and long-term archival signatures.
- Fault attack resilience depends on platform-level countermeasures rather than solely algorithmic properties; systems without hardware protection are likely vulnerable.
7. Broader Impact, Limitations, and Future Directions
SLH-DSA marks a significant advancement in post-quantum cryptography, but recent research has exposed key limitations:
- The hash function assumption remains fundamental. A cryptanalytic advance against SHA-2 or SHAKE, or a quantum algorithm that outperforms Grover's generic search, would erode the security margin.
- Mathematical soundness is not implementation security. Universal forgery is empirically possible on common hardware without strong fault defenses, and algorithmic improvements alone cannot neutralize it.
- QRNG-enhanced key and signature generation can add robustness, but deployment requires hardware support for quantum randomness and careful entropy validation.
- Modular, decoupled frameworks for fault attack analysis (such as Swage) enable scalable vulnerability discovery across PQC implementations.
A plausible implication is that future PQC standards may incorporate mandatory hardware auditability or defensive layering, marking a convergence of algorithmic design and physical engineering for truly quantum-secure digital signatures.