Skip to content

Commit

Permalink
Implementation of HSS-LMS
Browse files Browse the repository at this point in the history
Implementation of the Hierarchical Signature System (HSS) with
Leighton-Micali Hash-Based Signatures (LMS). Based on RFC 8554.

Co-authored-by: Philippe Lieser <[email protected]>
  • Loading branch information
FAlbertDev and lieser committed Sep 28, 2023
1 parent 9dddcf6 commit ba36c5e
Show file tree
Hide file tree
Showing 25 changed files with 3,475 additions and 3 deletions.
39 changes: 39 additions & 0 deletions doc/api_ref/pubkey.rst
Original file line number Diff line number Diff line change
Expand Up @@ -1010,3 +1010,42 @@ signature:

.. literalinclude:: /../src/examples/xmss.cpp
:language: cpp


Hierarchical Signature System with Leighton-Micali Hash-Based Signatures (HSS-LMS)
----------------------------------------------------------------------------------

HSS-LMS is a stateful hash-based signature scheme which is defined in `RFC 8554
"Leighton-Micali Hash-Based Signatures" <https://datatracker.ietf.org/doc/html/rfc8554>`_.

It is a multitree scheme, which is highly configurable. Multitree means, it consists
of multiple layers of Merkle trees, which can be defined individually. Moreover, the
used hash function and the Winternitz Parameter of the underlying one-time signature
can be chosen for each tree layer. For a sensible selection of parameters refer to
`RFC 8554 Section 6.4. <https://datatracker.ietf.org/doc/html/rfc8554#section-6.4>`_.

.. warning::

HSS-LMS is stateful, meaning the private key must be updated after
each signature. If the same private key is ever used to generate
two different signatures, then the scheme becomes insecure. For
this reason it can be challening to use HSS-LMS securely.

HSS-LMS uses the Botan interfaces for public key cryptography. The ``params``
argument of the HSS-LMS private key is used to define the parameter set.
The syntax of this argument must be the following:

``HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)``

e.g. ``HSS-LMS(SHA-256,HW(5,1),HW(5,1))`` to use SHA-256 in a two-layer HSS instance
with LMS tree hights 5 and Winternitz parameter 1. This results in a
private key that can be used to create up to 2^(5+5)=1024 signatures.

The following parameters are allowed (which are specified in
`RFC 8554 <https://datatracker.ietf.org/doc/html/rfc8554>`_ and
and `draft-fluhrer-lms-more-parm-sets-11 <https://datatracker.ietf.org/doc/html/draft-fluhrer-lms-more-parm-sets-11>`_):

- hash: ``SHA-256``, ``Truncated(SHA-256,192)``, ``SHAKE-256(256)``, ``SHAKE-256(192)``
- h: ``5``, ``10``, ``15``, ``20``, ``25``
- w: ``1``, ``2``, ``4``, ``8``

12 changes: 10 additions & 2 deletions src/build-data/oids.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Regenerate with ./src/scripts/oids.py oids > src/lib/asn1/oid_maps.cpp
# AND ./src/scripts/oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
# Regenerate with ./src/scripts/dev_tools/gen_oids.py oids > src/lib/asn1/oid_maps.cpp
# AND ./src/scripts/dev_tools/gen_oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
# (if you modified something under [dn]

# Public key types
Expand Down Expand Up @@ -29,6 +29,14 @@
1.3.6.1.4.1.25258.1.10.2 = Dilithium-6x5-AES-r3
1.3.6.1.4.1.25258.1.10.3 = Dilithium-8x7-AES-r3

# HSS-LMS
# draft-gazdag-x509-hash-sigs-01
1.2.840.113549.1.9.16.3.17 = HSS-LMS

# HSS-LMS private key (since the format of an HSS-LMS private key is not specified,
# we define an OID for the one we use)
1.3.6.1.4.1.25258.1.13 = HSS-LMS-Private-Key

# SPHINCS+ OIDs are currently in Botan's private arc
1.3.6.1.4.1.25258.1.12.1.1 = SphincsPlus-shake-128s-r3.1
1.3.6.1.4.1.25258.1.12.1.2 = SphincsPlus-shake-128f-r3.1
Expand Down
6 changes: 5 additions & 1 deletion src/lib/asn1/oid_maps.cpp
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
/*
* OID maps
*
* This file was automatically generated by src/scripts/dev_tools/gen_oids.py on 2023-05-30
* This file was automatically generated by ./src/scripts/dev_tools/gen_oids.py on 2023-09-27
*
* All manual edits to this file will be lost. Edit the script
* then regenerate this source file.
Expand Down Expand Up @@ -91,6 +91,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
{"1.2.840.113549.1.5.13", "PBE-PKCS5v20"},
{"1.2.840.113549.1.9.1", "PKCS9.EmailAddress"},
{"1.2.840.113549.1.9.14", "PKCS9.ExtensionRequest"},
{"1.2.840.113549.1.9.16.3.17", "HSS-LMS"},
{"1.2.840.113549.1.9.16.3.18", "ChaCha20Poly1305"},
{"1.2.840.113549.1.9.16.3.6", "KeyWrap.TripleDES"},
{"1.2.840.113549.1.9.16.3.8", "Compression.Zlib"},
Expand Down Expand Up @@ -162,6 +163,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
{"1.3.6.1.4.1.25258.1.12.3.4", "SphincsPlus-haraka-192f-r3.1"},
{"1.3.6.1.4.1.25258.1.12.3.5", "SphincsPlus-haraka-256s-r3.1"},
{"1.3.6.1.4.1.25258.1.12.3.6", "SphincsPlus-haraka-256f-r3.1"},
{"1.3.6.1.4.1.25258.1.13", "HSS-LMS-Private-Key"},
{"1.3.6.1.4.1.25258.1.3", "McEliece"},
{"1.3.6.1.4.1.25258.1.5", "XMSS-draft6"},
{"1.3.6.1.4.1.25258.1.6.1", "GOST-34.10-2012-256/SHA-256"},
Expand Down Expand Up @@ -384,6 +386,8 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
{"HMAC(SHA-384)", OID({1, 2, 840, 113549, 2, 10})},
{"HMAC(SHA-512)", OID({1, 2, 840, 113549, 2, 11})},
{"HMAC(SHA-512-256)", OID({1, 2, 840, 113549, 2, 13})},
{"HSS-LMS", OID({1, 2, 840, 113549, 1, 9, 16, 3, 17})},
{"HSS-LMS-Private-Key", OID({1, 3, 6, 1, 4, 1, 25258, 1, 13})},
{"KeyWrap.AES-128", OID({2, 16, 840, 1, 101, 3, 4, 1, 5})},
{"KeyWrap.AES-192", OID({2, 16, 840, 1, 101, 3, 4, 1, 25})},
{"KeyWrap.AES-256", OID({2, 16, 840, 1, 101, 3, 4, 1, 45})},
Expand Down
Loading

0 comments on commit ba36c5e

Please sign in to comment.