#crypto #post-quantum #signature #lms

no-std hbs-lms

Pure Rust implementation of the Leighton Micali Signature scheme with support for key generation, signature generation and verification

3 releases

0.1.1 May 17, 2023
0.1.0 Jan 4, 2022
0.1.0-alpha.5 Dec 4, 2021
0.1.0-alpha.4 Nov 25, 2021
0.1.0-alpha.1 Oct 15, 2021

#477 in Cryptography

48 downloads per month



Contains (ELF exe/lib, 82KB) tests/demo

Leighton-Micali Hash-Based Signatures

crate Docs Apache2/MIT licensed Rust Version Build Status

LMS implementation in Rust according to the IETF RFC 8554. This implementation is binary compatible with the reference implementation found here: hash-sigs.

This crate does not require the standard library (i.e. no_std capable) and can be easily used for bare-metal programming.


A demo application is located in the examples folder to demonstrate the use of the library. This demo application can be used in the console as follows:

cargo run --release --example lms-demo -- genkey mykey 10/2 --seed 0123456701234567012345670123456701234567012345670123456701234567

cargo run --release --example lms-demo -- sign mykey message.txt

HBS_LMS_MAX_HASH_OPTIMIZATIONS=1000 HBS_LMS_THREADS=2 cargo run --release --example lms-demo \
    --features fast_verify -- sign_mut mykey message.txt

cargo run --release --example lms-demo -- verify mykey message.txt

Naming conventions wrt to the IETF RFC

The naming in the RFC is done by using a single character. To allow for a better understanding of the implementation, we have decided to use more descriptive designations. The following table shows the mapping between the RFC and the library naming including a short description.

RFC Naming Library Naming Meaning
I lms_tree_identifier 16-byte random value to identify a single LMS tree
q lms_leaf_identifier 4-byte value to identify all leafs in a single LMS tree
C signature_randomizer 32-byte random value added to every signature
Q message_hash Output of hashed message together with I, q, D_MESG and C
y signature_data The actual data of the signature
p hash_chain_count The number of hash chains for a certain W parameter
ls checksum_left_shift How many bits the checksum is shifted into the coef-value
n hash_function_output_size Number of bytes that the lm_ots hash functions generates
m hash_function_output_size Number of bytes that the lms hash functions generates

Minimum Supported Rust Version

The crate in this repository supports Rust 1.57 or higher.

Minimum supported Rust version can be changed in the future, but it will be done with a minor version bump.


This work is licensed under terms of the Apache-2.0 license (see LICENSE file).


Any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be licensed as above, without any additional terms or conditions.


~42K SLoC