eXtended Merkle Signature Scheme
XMSS is a stateful hash-based signature scheme whose security relies only on hash functions, making it resistant to quantum attacks. Each private key can sign a limited number of messages, and the signer must carefully track which one-time keys have been used, because reusing state destroys security. Defined in RFC 8391 and approved by NIST in SP 800-208, XMSS is recommended for firmware and software signing, including under the NSA's CNSA 2.0 suite.