Signing it twice: mitigating the effects of state reuse for stateful signatures


By Niels Duif and Daan S. Meijer

Stateful hash-based signature schemes such as LMS (RFC 8554) and XMSS (RFC 8391) are widely trusted post-quantum standards, but they share a known weakness: every one-time signature key in the tree may sign only once, and if the same key (the same leaf index) is accidentally used for two different messages, even once, the result can be a practical forgery. In the real world, with backups, caching, and system crashes, that kind of accidental reuse is never fully out of the question.

In this paper, Sentyron researchers Niels Duif and Daan Meijer present a way to significantly limit the damage when reuse does happen. Their method, called checksum pinning, makes the signer repeat part of the signing process until the resulting checksum hits a specific target value. Two signatures from the same reused key then share their checksum and are far more similar to each other, so together they reveal fewer new hash-chain positions, which is exactly the freedom an attacker would normally exploit. A verifier cannot tell a pinned signature from an ordinary one, so the approach requires no changes for anyone verifying a signature and works with existing LMS and XMSS implementations.

The results are substantial. Without this mitigation, a single key reuse can drop security to around 60 bits, dangerously low. With checksum pinning, the researchers show that 80 bits of security can be maintained in 99 percent of reuse cases, at the cost of around 1.4 million extra hashing operations during signing.
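To make the mechanism from the two paragraphs above concrete, here is an added toy model in Python. It is not code from the paper and not from any LMS or XMSS implementation. It reduces a WOTS+ one-time signature to the hash-chain positions it reveals, with w = 16 and a 256-bit digest (64 message digits plus 3 checksum digits), uses a counter prefixed to the message as a stand-in for LMS's random C and XMSS's r value, pins the checksum by re-hashing until the message-digit sum hits a target, and counts how many digit vectors a forger could still sign after two signatures from the same key. The pin target (checksum 0x1FF, digit sum 449), the counting model and the resulting bit estimates are this example's own simplifying assumptions, not the paper's parameters or analysis.

```python
"""Toy model of WOTS+ chain positions, OTS-key reuse and checksum pinning.
Added illustration: not code from the paper or from any LMS/XMSS library.
Only chain positions are modelled; no real keys or hash chains are built."""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass
from typing import Optional

W = 16                  # Winternitz parameter: chain positions 0..W-1
N = 32                  # digest length in bytes (SHA-256)
L1 = 2 * N              # 64 message digits of 4 bits each
L2 = 3                  # checksum digits: max checksum L1*(W-1) = 960 < W**L2
MAX_SUM = L1 * (W - 1)  # 960
DEMO_PIN_SUM = MAX_SUM - 0x1FF  # 449: pins the checksum to 0x1FF (assumption)


def csum_to_digits(csum: int) -> list[int]:
    """Encode a checksum value as L2 base-W digits, most significant first."""
    return [(csum >> (4 * (L2 - 1 - j))) & 0xF for j in range(L2)]


def checksum_digits(msg_digits: list[int]) -> list[int]:
    """WOTS+ checksum sum(W-1-d_i): it rises when message digits fall, so
    lowering a message digit needs a higher (unreachable) checksum position."""
    return csum_to_digits(sum(W - 1 - d for d in msg_digits))


def message_digits(msg: bytes, randomizer: int) -> list[int]:
    """Randomized message digest split into base-W digits. The counter prefix
    stands in for LMS's random C / XMSS's r (a simplification, not the RFCs)."""
    digest = hashlib.sha256(randomizer.to_bytes(4, "big") + msg).digest()
    return [nib for byte in digest for nib in (byte >> 4, byte & 0xF)][:L1]


@dataclass
class Positions:
    randomizer: int
    tries: int
    digits: list[int]  # L1 message digits followed by L2 checksum digits


def sign_positions(msg: bytes, pin_sum: Optional[int] = None,
                   max_tries: int = 1_000_000) -> Positions:
    """Chain positions a WOTS+ signature on msg would reveal. With pin_sum set,
    re-randomize until the message-digit sum equals pin_sum, which pins the
    checksum to MAX_SUM - pin_sum: checksum pinning in simplified form."""
    for r in range(max_tries):
        d = message_digits(msg, r)
        if pin_sum is None or sum(d) == pin_sum:
            return Positions(r, r + 1, d + checksum_digits(d))
    raise RuntimeError("no randomizer reached the pinned checksum")


def revealed(a: Positions, b: Positions) -> list[int]:
    """After one OTS key signs two messages, each chain is known from the lower
    of the two revealed positions onward (chains can only be walked forward)."""
    return [min(x, y) for x, y in zip(a.digits, b.digits)]


def forgeable(candidate: list[int], known: list[int]) -> bool:
    """A digit vector (message + checksum digits) is forgeable iff every chain
    position it needs is at or beyond a known position."""
    return all(c >= k for c, k in zip(candidate, known))


def forgeable_count(known: list[int]) -> int:
    """Number of message-digit vectors a forger could sign given known positions:
    d_i >= known_i on every message chain and every checksum digit at or beyond
    the known checksum digit. Counted with a DP over the digit sum."""
    msg_known, cs_known = known[:L1], known[L1:]
    ways_by_sum = [0] * (MAX_SUM + 1)
    ways_by_sum[0] = 1
    for m in msg_known:
        nxt = [0] * (MAX_SUM + 1)
        for s, ways in enumerate(ways_by_sum):
            if ways:
                for v in range(m, W):
                    nxt[s + v] += ways
        ways_by_sum = nxt
    return sum(ways for s, ways in enumerate(ways_by_sum)
               if forgeable(csum_to_digits(MAX_SUM - s), cs_known))


def security_bits(known: list[int]) -> float:
    """Rough forger work: a random message lands in the forgeable set with
    probability count / W**L1, i.e. about 8*N - log2(count) hash evaluations."""
    return 8 * N - math.log2(forgeable_count(known))


if __name__ == "__main__":
    m1, m2 = b"constructed message A", b"constructed message B"
    print("one signature     :", security_bits(sign_positions(m1).digits), "bits")
    plain = revealed(sign_positions(m1), sign_positions(m2))
    print("reuse, no pinning :", round(security_bits(plain), 1), "bits")
    pinned = revealed(sign_positions(m1, DEMO_PIN_SUM),
                      sign_positions(m2, DEMO_PIN_SUM))
    print("reuse, pinned     :", round(security_bits(pinned), 1), "bits")
```

Running it prints three numbers: a single signature admits no forgery beyond the signed message itself; two unpinned signatures open a large forgeable set because both the message chains and the checksum chains leak; two pinned signatures share their checksum digits, so the forger must hit the pinned digit sum exactly and the set shrinks. The absolute bit counts are properties of this toy model, not the paper's 60- and 80-bit figures, and the pin target here was chosen only because its low checksum digits sit at the end of their chains.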

The researchers are clear that this is not a license to be careless. Avoiding key reuse remains essential. The method is meant as an additional safety net for the case where something goes wrong despite every precaution, not as a replacement for proper state management.

This research was presented at the International Conference on Military Communication and Information Systems (ICMCIS) in Bath, United Kingdom, in May 2026.

Read the full paper, including all figures and the complete technical derivation, here.