Status of XMSS Test Vectors and support for BC/DR


Dave Wheeler

Dec 8, 2025, 1:39:56 PM
to pqc-...@list.nist.gov, john....@nist.gov
Hey John,
I am interested in getting an update on XMSS and policy updates on protection of XMSS private keys, including distribution across physical HSMs. We chatted briefly at ICMC 2025 this past April and I was hoping for some additional details.

Why does this matter?
I have multiple projects (some in hardware) that utilize XMSS now (started in 2021) and the delay in test vectors (and commensurate delay in potential FIPS certification) has been painful.  I say this not to lay any guilt, because I know you all are doing your best and working hard for us, but just to identify that we need some dates to be able to plan appropriately. We are expecting to set up infrastructure and generate production keys later in 2026.

Second, there are third party HW vendors that have announced support for LMS coming out next year, and I need to plan support for those as well. This includes a reasonable plan for business continuity and disaster recovery that will have an (eventual) path to FIPS certification. I am not really clear on the path that NIST is heading down for key generation across multiple HSMs (beyond multi-tree which for performance reasons is not ideal for embedded systems due to the required additional L-tree computations). Solutions like Sharing and one-time-seed (OTS) sharing, and bottom-up Merkle tree generation, have been discussed. I am not sure where NIST stands here.

I would greatly appreciate some additional details on where NIST stands and the direction they are heading. 2026 is an important year, and I want to make decisions that are aligned with NIST's direction. What can you share that will help in this regard? Will a draft be available in early Q1-2026 that can help direct use of HBS schemes aligned with NIST expectations?
Thanks,
Dave Wheeler

Hamilton Silberg

Dec 9, 2025, 2:03:42 PM
to pqc-forum, Dave Wheeler, john....@nist.gov
Hi Dave,

You're not alone with the interest in updates to our LMS/XMSS guidance. We had several people asking at our conference in September.

For test vectors, I hear they're actively being worked on (no expected date to share yet). 

As for the standard, I'm working with John and a few others to write out a concrete plan via a white paper. We plan to share that here on the forum for feedback (targeting early Q1'26), to then convert into a revision for SP800-208.

As a brief summary of planned changes, we are looking to introduce a method for 'provisioning' part of the tree, allowing safe transfer of 'portions' of the key state between/to HSMs. We're targeting something not requiring multi-layered trees, as well as targeting support for both HSM-only and existing key management strategies.

Best,
-Hamilton Silberg
NIST PQC

Kris Kwiatkowski

Dec 9, 2025, 5:22:04 PM
to pqc-...@list.nist.gov

FWIW - I'm using those:
https://github.com/post-quantum-cryptography/KAT/tree/main/XMSS

I needed something to test my implementation, so created them from the reference implementation [1].

Cheers,
Kris

[1] https://github.com/XMSS/xmss-reference
