
SLH-DSA Example



SLH-DSA-SHA2-128f

We choose an example using the algorithm SLH-DSA-SHA2-128f. This uses the hash function SHA-256 with 128 bits of security ($n=16$ bytes), using the fast parameters (faster computation, larger signature size).

Reference: The example uses a NIST test vector from the ACVP-Server GitHub repository, under SLH-DSA-sigGen-FIPS205. See test-case-tcid-1.json (accessed 2025-04-29).

Details

SLH-DSA public key [2n bytes]

FA495FB834DEFEA7CC96A81309479135   # PK.seed
A67029E90668C5A58B96E60111491F3D   # PK.root
--------------------------------------------
SLH-DSA private key [4n bytes]

D5213BA4BB6470F1B9EDA88CBC94E627   # SK.seed
7A58A951EF7F2B81461DBAC41B5A6B83   # SK.prf
FA495FB834DEFEA7CC96A81309479135   # PK.seed
A67029E90668C5A58B96E60111491F3D   # PK.root
--------------------------------------------
Message to-be-signed [1 byte]

3F

Input M' to slh_sign_internal [3 bytes]

00003F

The signature is 17088 bytes long. Yes, that's 17 kilobytes. That is not a typo! By comparison, an ECDSA signature of the same security strength using NIST P-256 is just 64 bytes.

Example signature in full: 1068 lines of 16 bytes. This is just to show how big it is. Really big. You just won’t believe how vastly, hugely, mindbogglingly big it is.

Example signature with annotation

As a check, the SHA-256 digest of the signature is d3537e05ae63876bf78015ff86cc9e284f91cabfac191298fbaa375596351d55.

Parameters

The parameters for SLH-DSA-SHA2-128f are

n = 16  # security parameter in bytes
w = 16  # Winternitz parameter 
lg(w) = 4
h = 66  # hypertree height
d = 22  # number of layers in hypertree
k = 33  # number of trees in FORS
t = 64 = 2^6  # number of leaves in FORS
a = 6  # height of FORS trees = lg(t)
h/d = 66/22 = 3  # HT subtree size
m = 34  # length in bytes of the message digest
len = len1 + len2 = 32 + 3 = 35  # length WOTS+ private key

where $\lg(x) \equiv \log_2(x)$, i.e. if $x=2^y$ then $\lg(x)=y$

The signature components

The signature in this example is of length 17088 bytes and consists of 3 parts:

SIG = R || SIG_FORS || SIG_HT
  1. The Randomizer R of length $n = 16$ bytes.

  2. The FORS signature (SIG_FORS) of length $(a+1)\cdot k\cdot n =3696$ bytes.

  3. The Hypertree signature (SIG_HT) of length $(h+d\cdot len)\cdot n =13376$ bytes.

The overall algorithm is
R = generate_R()
SIG = R
SIG_fors = fors_sign()
SIG = SIG || SIG_fors
SIG_ht = ht_sign()
SIG = SIG || SIG_ht
return SIG
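
The following Python sketch is an added example, not code from the original page or from NIST. It re-derives len1, len2 and m from the listed parameters using the FIPS 205 formulas, computes the three component lengths, and splits a signature of the expected size into its parts. It goes slightly beyond the text by also cutting SIG_HT into its d per-layer XMSS signatures. The function names and the dummy input are assumptions made for illustration.

```python
from math import ceil

# Parameters for SLH-DSA-SHA2-128f, copied from the table above.
N, W, H, D, K, A = 16, 16, 66, 22, 33, 6

def derived(n=N, w=W, h=H, d=D, k=K, a=A):
    """Derive len1, len2, len and m using the FIPS 205 formulas."""
    lg_w = w.bit_length() - 1                       # lg(16) = 4
    len1 = ceil(8 * n / lg_w)
    # floor(lg(len1*(w-1)) / lg_w) + 1, done in integer arithmetic
    len2 = ((len1 * (w - 1)).bit_length() - 1) // lg_w + 1
    m = ceil(k * a / 8) + ceil((h - h // d) / 8) + ceil(h / (8 * d))
    return {"len1": len1, "len2": len2, "len": len1 + len2, "m": m}

def component_sizes(n=N, h=H, d=D, k=K, a=A):
    """Byte lengths of R, SIG_FORS and SIG_HT, in signature order."""
    wots_len = derived(n=n, h=h, d=d, k=k, a=a)["len"]
    return {"R": n, "SIG_FORS": (a + 1) * k * n, "SIG_HT": (h + d * wots_len) * n}

def split_signature(sig):
    """Split SIG = R || SIG_FORS || SIG_HT, rejecting any wrong-length input."""
    sizes = component_sizes()
    total = sum(sizes.values())
    if len(sig) != total:
        raise ValueError(f"expected {total} bytes, got {len(sig)}")
    parts, pos = {}, 0
    for name, size in sizes.items():
        parts[name] = sig[pos:pos + size]
        pos += size
    # SIG_HT holds d XMSS signatures: a WOTS+ signature (len*n bytes)
    # followed by an authentication path of h/d nodes (n bytes each).
    xmss = (derived()["len"] + H // D) * N
    parts["XMSS"] = [parts["SIG_HT"][i:i + xmss]
                     for i in range(0, sizes["SIG_HT"], xmss)]
    return parts

if __name__ == "__main__":
    print(derived(), component_sizes())
    dummy = bytes(17088)                            # constructed all-zero placeholder
    print({name: len(v) for name, v in split_signature(dummy).items()})
```

A strict length check before parsing is worth keeping in any verifier front end: every component offset is fixed by the parameter set, so a signature of any other length cannot be valid.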

Signature computations

When computing the signature values, the most important thing is to derive the correct ADRS parameter before calling the hash functions, F, H, etc.

For more details, see The ADRS parameter in SLH-DSA and hash functions.

In the computations that follow, all values are byte strings encoded in hexadecimal. Results that form part of the signature are shown highlighted in blue.

This page first published 17 March 2023. Last updated 16 February 2026.