Implementation of HSS-LMS

Implementation of the Hierarchical Signature System (HSS) with Leighton-Micali Hash-Based Signatures (LMS). Based on RFC 8554. Co-authored-by: Philippe Lieser <[email protected]>
randombit · Sep 29, 2023 · 4cc77c9 · 4cc77c9
1 parent 9dddcf6
commit 4cc77c9
Show file tree

Hide file tree

Showing 25 changed files with 3,533 additions and 3 deletions.
diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst
@@ -1010,3 +1010,42 @@ signature:
 
 .. literalinclude:: /../src/examples/xmss.cpp
    :language: cpp
+
+
+Hierarchical Signature System with Leighton-Micali Hash-Based Signatures (HSS-LMS)
+----------------------------------------------------------------------------------
+
+HSS-LMS is a stateful hash-based signature scheme which is defined in `RFC 8554
+"Leighton-Micali Hash-Based Signatures" <https://datatracker.ietf.org/doc/html/rfc8554>`_.
+
+It is a multitree scheme, which is highly configurable. Multitree means, it consists
+of multiple layers of Merkle trees, which can be defined individually. Moreover, the
+used hash function and the Winternitz Parameter of the underlying one-time signature
+can be chosen for each tree layer. For a sensible selection of parameters refer to
+`RFC 8554 Section 6.4. <https://datatracker.ietf.org/doc/html/rfc8554#section-6.4>`_.
+
+.. warning::
+
+   HSS-LMS is stateful, meaning the private key must be updated after
+   each signature. If the same private key is ever used to generate
+   two different signatures, then the scheme becomes insecure. For
+   this reason it can be challening to use HSS-LMS securely.
+
+HSS-LMS uses the Botan interfaces for public key cryptography. The ``params``
+argument of the HSS-LMS private key is used to define the parameter set.
+The syntax of this argument must be the following:
+
+``HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)``
+
+e.g. ``HSS-LMS(SHA-256,HW(5,1),HW(5,1))`` to use SHA-256 in a two-layer HSS instance
+with LMS tree hights 5 and Winternitz parameter 1. This results in a
+private key that can be used to create up to 2^(5+5)=1024 signatures.
+
+The following parameters are allowed (which are specified in
+`RFC 8554 <https://datatracker.ietf.org/doc/html/rfc8554>`_ and
+and `draft-fluhrer-lms-more-parm-sets-11 <https://datatracker.ietf.org/doc/html/draft-fluhrer-lms-more-parm-sets-11>`_):
+
+- hash: ``SHA-256``, ``Truncated(SHA-256,192)``, ``SHAKE-256(256)``, ``SHAKE-256(192)``
+- h: ``5``, ``10``, ``15``, ``20``, ``25``
+- w: ``1``, ``2``, ``4``, ``8``
+
diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
@@ -1,5 +1,5 @@
-# Regenerate with ./src/scripts/oids.py oids > src/lib/asn1/oid_maps.cpp
-# AND             ./src/scripts/oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
+# Regenerate with ./src/scripts/dev_tools/gen_oids.py oids > src/lib/asn1/oid_maps.cpp
+# AND             ./src/scripts/dev_tools/gen_oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
 # (if you modified something under [dn]
 
 # Public key types
@@ -29,6 +29,14 @@
 1.3.6.1.4.1.25258.1.10.2 = Dilithium-6x5-AES-r3
 1.3.6.1.4.1.25258.1.10.3 = Dilithium-8x7-AES-r3
 
+# HSS-LMS
+# draft-gazdag-x509-hash-sigs-01
+1.2.840.113549.1.9.16.3.17 = HSS-LMS
+
+# HSS-LMS private key (since the format of an HSS-LMS private key is not specified,
+#  we define an OID for the one we use)
+1.3.6.1.4.1.25258.1.13 = HSS-LMS-Private-Key
+
 # SPHINCS+ OIDs are currently in Botan's private arc
 1.3.6.1.4.1.25258.1.12.1.1 = SphincsPlus-shake-128s-r3.1
 1.3.6.1.4.1.25258.1.12.1.2 = SphincsPlus-shake-128f-r3.1

diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
@@ -1,7 +1,7 @@
 /*
 * OID maps
 *
-* This file was automatically generated by src/scripts/dev_tools/gen_oids.py on 2023-05-30
+* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2023-09-27
 *
 * All manual edits to this file will be lost. Edit the script
 * then regenerate this source file.
@@ -91,6 +91,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.2.840.113549.1.5.13", "PBE-PKCS5v20"},
       {"1.2.840.113549.1.9.1", "PKCS9.EmailAddress"},
       {"1.2.840.113549.1.9.14", "PKCS9.ExtensionRequest"},
+      {"1.2.840.113549.1.9.16.3.17", "HSS-LMS"},
       {"1.2.840.113549.1.9.16.3.18", "ChaCha20Poly1305"},
       {"1.2.840.113549.1.9.16.3.6", "KeyWrap.TripleDES"},
       {"1.2.840.113549.1.9.16.3.8", "Compression.Zlib"},
@@ -162,6 +163,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
       {"1.3.6.1.4.1.25258.1.12.3.4", "SphincsPlus-haraka-192f-r3.1"},
       {"1.3.6.1.4.1.25258.1.12.3.5", "SphincsPlus-haraka-256s-r3.1"},
       {"1.3.6.1.4.1.25258.1.12.3.6", "SphincsPlus-haraka-256f-r3.1"},
+      {"1.3.6.1.4.1.25258.1.13", "HSS-LMS-Private-Key"},
       {"1.3.6.1.4.1.25258.1.3", "McEliece"},
       {"1.3.6.1.4.1.25258.1.5", "XMSS-draft6"},
       {"1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/SHA-256"},
@@ -384,6 +386,8 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
       {"HMAC(SHA-384)", OID({1, 2, 840, 113549, 2, 10})},
       {"HMAC(SHA-512)", OID({1, 2, 840, 113549, 2, 11})},
       {"HMAC(SHA-512-256)", OID({1, 2, 840, 113549, 2, 13})},
+      {"HSS-LMS", OID({1, 2, 840, 113549, 1, 9, 16, 3, 17})},
+      {"HSS-LMS-Private-Key", OID({1, 3, 6, 1, 4, 1, 25258, 1, 13})},
       {"KeyWrap.AES-128", OID({2, 16, 840, 1, 101, 3, 4, 1, 5})},
       {"KeyWrap.AES-192", OID({2, 16, 840, 1, 101, 3, 4, 1, 25})},
       {"KeyWrap.AES-256", OID({2, 16, 840, 1, 101, 3, 4, 1, 45})},