PostQuantum.LMS.Signer is preview software. The core LMS/HSS implementation is cross-validated against BouncyCastle and pinned known-answer vectors, but it has not yet undergone an independent third-party audit or a formal side-channel review. Do not make a CNSA 2.0 / production assurance claim on the basis of this library alone until that review has happened.
| Version | Supported |
|---|---|
| 0.1.x (preview) | ✅ security fixes |
| < 0.1 | ❌ |
Please report security issues privately — do not open a public issue for an exploitable flaw.
- Preferred: open a GitHub private security advisory.
- Or email the maintainer (see the GitHub profile for systemslibrarian).
Please include: affected version/commit, a description, and a proof-of-concept or reproduction steps if possible. We aim to acknowledge within 72 hours and to agree a disclosure timeline with you. We support coordinated disclosure and will credit reporters who wish to be named.
Because this is a stateful signature scheme, the highest-severity class of bug is anything that can cause a one-time-key index to be reused. Examples we treat as critical:
- A code path that signs without first durably persisting the advanced index.
- A way to defeat the compare-and-swap guard in `IStateStore` and double-sign an index.
- Incorrect HSS subtree re-keying that reissues an already-used leaf.
- A wire-format/parsing flaw that lets a forged signature verify.
Stateful hash-based signatures have a fundamental limit that no pure-software library can overcome: if the entire machine state is rolled back (a restored VM snapshot or disk backup), the monotonic counter rolls back with it and key reuse becomes possible.
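The following C# sketch is an added illustration of the two points above (reserve the index durably before signing, and why a snapshot rollback still defeats that). It is not code from PostQuantum.LMS.Signer: `FileIndexStore`, `TryAdvance`, `SafeSigner` and `ReserveAndSign` are hypothetical names, and the library's actual `IStateStore` contract is not reproduced here. The "signature" is a placeholder byte array standing in for a real LM-OTS leaf signature.

```csharp
// Added illustration, not library code. FileIndexStore/TryAdvance/SafeSigner
// are hypothetical names; the placeholder signer below is not LMS.
using System;
using System.IO;
using System.Text;

public sealed class FileIndexStore
{
    private readonly string _path;
    private readonly object _gate = new object();

    public FileIndexStore(string path)
    {
        _path = path;
        if (!File.Exists(path)) WriteDurably(0);
    }

    // Next unused leaf index, as persisted on disk.
    public ulong Read()
    {
        lock (_gate) return ulong.Parse(File.ReadAllText(_path));
    }

    // Compare-and-swap: move the durable counter from `expected` to
    // `expected + 1` only if it still equals `expected`. A caller that loses
    // the race gets false and must re-read; two callers can never both
    // "own" the same index.
    public bool TryAdvance(ulong expected)
    {
        lock (_gate)
        {
            if (ulong.Parse(File.ReadAllText(_path)) != expected) return false;
            WriteDurably(expected + 1);
            return true;
        }
    }

    // Write a temp file, fsync it, then rename over the live file so a crash
    // leaves either the old or the new counter, never a torn one.
    private void WriteDurably(ulong value)
    {
        string tmp = _path + ".tmp";
        using (var fs = new FileStream(tmp, FileMode.Create, FileAccess.Write, FileShare.None))
        {
            byte[] bytes = Encoding.ASCII.GetBytes(value.ToString());
            fs.Write(bytes, 0, bytes.Length);
            fs.Flush(flushToDisk: true);
        }
        File.Move(tmp, _path, overwrite: true);
    }
}

public static class SafeSigner
{
    // Persist the advanced index FIRST, then use the one-time key for the
    // index just reserved. Dying between the two steps only wastes a leaf;
    // doing it in the other order is the critical bug class.
    public static ulong ReserveAndSign(FileIndexStore store, Func<ulong, byte[]> signWithLeaf, out byte[] signature)
    {
        while (true)
        {
            ulong idx = store.Read();
            if (store.TryAdvance(idx))
            {
                signature = signWithLeaf(idx);
                return idx;
            }
            // Another signer advanced the counter first; retry with the new value.
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        string path = Path.Combine(Path.GetTempPath(), "lms-index-demo.txt");
        File.Delete(path);
        var store = new FileIndexStore(path);
        Func<ulong, byte[]> placeholderSign = i => BitConverter.GetBytes(i); // stand-in, not LM-OTS

        ulong a = SafeSigner.ReserveAndSign(store, placeholderSign, out _);
        ulong b = SafeSigner.ReserveAndSign(store, placeholderSign, out _);
        Console.WriteLine($"issued leaf {a} then {b}; persisted next index = {store.Read()}");

        // Simulate a restored snapshot: the counter file reverts to the value
        // it held after the first signature. The store has no way to know.
        File.WriteAllText(path, "1");
        ulong c = SafeSigner.ReserveAndSign(store, placeholderSign, out _);
        Console.WriteLine($"after rollback the store reissued leaf {c}, already used as {b}");
    }
}
```

The point of the second half of `Main` is the one the paragraph makes: the CAS guard protects against races and crashes inside one consistent machine history, but when the whole disk is rolled back the "durable" counter is rolled back with it, so the index is honestly reissued and the one-time key is reused. That is why the fix has to live outside the library (operational controls on snapshots and restores, or an external monotonic counter), not in the code path.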
This is documented in README.md (“
This release implements all NIST SP 800-208 parameter sets: SHA-256 and SHAKE256, at both full (n=32) and truncated (n=24) output — all 16 LM-OTS and 20 LMS typecodes. The non-SHA-256/n32 families are cross-validated byte-for-byte against BouncyCastle.
To God be the glory.