1. Introduction
This section preserves the RFC text for X.509 SLH-DSA algorithm identifiers, including ASN.1, OIDs, AlgorithmIdentifier, id-slh-dsa-* and id-hash-slh-dsa-* names, DER examples, certificates, key usage, IANA registrations, and security requirements.
Original RFC Text
1. Introduction
The Stateless Hash-Based Digital Signature Algorithm (SLH-DSA) is a
quantum-resistant digital signature scheme standardized in [FIPS205]
by the US National Institute of Standards and Technology (NIST) Post-
Quantum Cryptography (PQC) project [NIST-PQC]. Prior to
standardization, the algorithm was known as SPHINCS+. SLH-DSA and
SPHINCS+ are not compatible. This document defines the ASN.1 Object
Identifiers (OIDs) and conventions for the encoding of SLH-DSA
digital signatures, public keys, and private keys in the X.509 Public
Key Infrastructure.
SLH-DSA offers three security levels. The parameters for each of the
security levels were chosen to be at least as secure as a generic
block cipher of 128, 192, or 256 bits. There are small (s) and fast
(f) versions of the algorithm, and there is also the option to use
the SHA-2 algorithm family [FIPS180] or SHAKE256 [FIPS202] as
internal functions. While the fast versions are optimized for key
generation and signing speed, they are actually slower at
verification than the SLH-DSA small parameter sets. The small
versions are optimized for signature size; see Table 1. As an
example, id-slh-dsa-shake-256s represents the 256-bit security level,
the small version of the algorithm, and the use of SHAKE256.
NIST [CSOR] has assigned separate algorithm identifiers for SLH-DSA
for each combination of these security levels: fast vs. small, SHA-2
vs. SHAKE256, and pure mode vs. pre-hash mode.
SLH-DSA signature operations include an optional context string (ctx)
as input, defined in Section 10.2 of [FIPS205]. The context string
has a maximum length of 255 bytes. By default, the context string is
the empty string. This document only specifies the use of the empty
context string for use in the X.509 Public Key Infrastructure.
SLH-DSA offers two signature modes: pure mode, where the entire
content is signed directly, and pre-hash mode, where a digest of the
content is signed. This document uses the term SLH-DSA to refer to
the algorithm in general. When a pure or pre-hash mode needs to be
differentiated, the terms Pure SLH-DSA and HashSLH-DSA are used.
This document specifies the use of both Pure SLH-DSA and HashSLH-DSA
in Public Key Infrastructure X.509 (PKIX) certificates and
Certificate Revocation Lists (CRLs).
1.1. Notation
The following notation is used in this document:
a || b: Concatenation of a and b.
id-slh-dsa-*: A shorthand to refer to all 12 OIDs used to specify
the different parameter combinations for Pure SLH-DSA.
id-hash-slh-dsa-*: A shorthand to refer to all 12 OIDs used to
specify the different parameter combinations for HashSLH-DSA.