Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HSS-LMS Signature Algorithm Implementation #3716

Merged
merged 3 commits into from
May 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 55 additions & 4 deletions doc/api_ref/pubkey.rst
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,13 @@ signatures can be created. If the same state is ever used to generate two
signatures, then the whole scheme becomes insecure, and signatures can be
forged.

HSS-LMS
-------

A post-quantum secure hash-based signature scheme similar to XMSS. Contains
support for multitrees. It is stateful, meaning the private key changes after
each signature.

SPHINCS+
~~~~~~~~~

Expand Down Expand Up @@ -782,6 +789,7 @@ Botan implements the following signature algorithms:
#. SPHINCS+.
Takes the optional parameter ``Deterministic`` (default) or ``Randomized``.
#. XMSS. Takes no parameter.
#. HSS-LMS. Takes no parameter.

.. _ecdsa_example:

Expand Down Expand Up @@ -1204,10 +1212,12 @@ is based on `RFC 8391 "XMSS: eXtended Merkle Signature Scheme"

.. warning::

XMSS is stateful, meaning the private key must be updated after
each signature. If the same private key is ever used to generate
two different signatures, then the scheme becomes insecure. For
this reason it can be challenging to use XMSS securely.
XMSS is stateful, meaning the private key updates after each signature
creation. Applications are responsible for updating their persistent secret
with the new output of ``Private_Key::private_key_bits()`` after each signature
creation. If the same private key is ever used to generate
two different signatures, then the scheme becomes insecure. For this reason,
it can be challenging to use XMSS securely.

XMSS uses the Botan interfaces for public key cryptography.
The following algorithms are implemented:
Expand Down Expand Up @@ -1241,3 +1251,44 @@ signature:

.. literalinclude:: /../src/examples/xmss.cpp
:language: cpp


Hierarchical Signature System with Leighton-Micali Hash-Based Signatures (HSS-LMS)
lieser marked this conversation as resolved.
Show resolved Hide resolved
----------------------------------------------------------------------------------

HSS-LMS is a stateful hash-based signature scheme which is defined in `RFC 8554
"Leighton-Micali Hash-Based Signatures" <https://datatracker.ietf.org/doc/html/rfc8554>`_.

It is a multitree scheme, which is highly configurable. Multitree means, it consists
of multiple layers of Merkle trees, which can be defined individually. Moreover, the
used hash function and the Winternitz Parameter of the underlying one-time signature
can be chosen for each tree layer. For a sensible selection of parameters refer to
`RFC 8554 Section 6.4. <https://datatracker.ietf.org/doc/html/rfc8554#section-6.4>`_.

.. warning::

HSS-LMS is stateful, meaning the private key updates after each signature
creation. Applications are responsible for updating their persistent secret
with the new output of ``Private_Key::private_key_bits()`` after each signature
creation. If the same private key is ever used to generate
two different signatures, then the scheme becomes insecure. For this reason,
it can be challenging to use HSS-LMS securely.

HSS-LMS uses the Botan interfaces for public key cryptography. The ``params``
argument of the HSS-LMS private key is used to define the parameter set.
The syntax of this argument must be the following:

``HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)``

e.g. ``HSS-LMS(SHA-256,HW(5,1),HW(5,1))`` to use SHA-256 in a two-layer HSS instance
with LMS tree height 5 and Winternitz parameter 1. This results in a
private key that can be used to create up to 2^(5+5)=1024 signatures.

The following parameters are allowed (which are specified in
`RFC 8554 <https://datatracker.ietf.org/doc/html/rfc8554>`_ and
and `draft-fluhrer-lms-more-parm-sets-11 <https://datatracker.ietf.org/doc/html/draft-fluhrer-lms-more-parm-sets-11>`_):

- hash: ``SHA-256``, ``Truncated(SHA-256,192)``, ``SHAKE-256(256)``, ``SHAKE-256(192)``
- h: ``5``, ``10``, ``15``, ``20``, ``25``
- w: ``1``, ``2``, ``4``, ``8``

2 changes: 2 additions & 0 deletions doc/dev_ref/oids.rst
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,8 @@ Values currently assigned are::
SphincsPlus-haraka-256s-r3.1 OBJECT IDENTIFIER ::= { SphincsPlus-haraka 5 }
SphincsPlus-haraka-256f-r3.1 OBJECT IDENTIFIER ::= { SphincsPlus-haraka 6 }

HSS-LMS-Private-Key OBJECT IDENTIFIER ::= { publicKey 13 }

symmetricKey OBJECT IDENTIFIER ::= { randombit 3 }

ocbModes OBJECT IDENTIFIER ::= { symmetricKey 2 }
Expand Down
12 changes: 10 additions & 2 deletions src/build-data/oids.txt
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Regenerate with ./src/scripts/dev_tools/oids.py oids > src/lib/asn1/oid_maps.cpp
# AND ./src/scripts/dev_tools/oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
# Regenerate with ./src/scripts/dev_tools/gen_oids.py oids > src/lib/asn1/oid_maps.cpp
# AND ./src/scripts/dev_tools/gen_oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
# (if you modified something under [dn]

# Public key types
Expand Down Expand Up @@ -47,6 +47,14 @@
1.3.6.1.4.1.25258.1.10.2 = Dilithium-6x5-AES-r3
1.3.6.1.4.1.25258.1.10.3 = Dilithium-8x7-AES-r3

# HSS-LMS
# draft-gazdag-x509-hash-sigs-01
1.2.840.113549.1.9.16.3.17 = HSS-LMS

# HSS-LMS private key (since the format of an HSS-LMS private key is not specified,
# we define an OID for the one we use)
1.3.6.1.4.1.25258.1.13 = HSS-LMS-Private-Key

reneme marked this conversation as resolved.
Show resolved Hide resolved
# SPHINCS+ OIDs are currently in Botan's private arc
1.3.6.1.4.1.25258.1.12.1.1 = SphincsPlus-shake-128s-r3.1
1.3.6.1.4.1.25258.1.12.1.2 = SphincsPlus-shake-128f-r3.1
Expand Down
39 changes: 38 additions & 1 deletion src/cli/speed.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,10 @@
#include <botan/dilithium.h>
#endif

#if defined(BOTAN_HAS_HSS_LMS)
#include <botan/hss_lms.h>
#endif

#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
#include <botan/sphincsplus.h>
#endif
Expand Down Expand Up @@ -411,7 +415,8 @@ class Speed final : public Command {
"McEliece",
"Kyber",
"SPHINCS+",
"FrodoKEM"
"FrodoKEM",
"HSS-LMS",
};
// clang-format on
}
Expand Down Expand Up @@ -626,6 +631,11 @@ class Speed final : public Command {
bench_xmss(provider, msec);
}
#endif
#if defined(BOTAN_HAS_HSS_LMS)
else if(algo == "HSS-LMS") {
bench_hss_lms(provider, msec);
}
#endif
#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
else if(algo == "SPHINCS+") {
bench_sphincs_plus(provider, msec);
Expand Down Expand Up @@ -2134,6 +2144,33 @@ class Speed final : public Command {
}
#endif

#if defined(BOTAN_HAS_HSS_LMS)
void bench_hss_lms(const std::string& provider, std::chrono::milliseconds msec) {
// At first we compare instances with multiple hash functions. LMS trees with
// height 10 are suitable, since they can be used for enough signatures and are
// fast enough for speed testing.
// Afterward, setups with multiple HSS layers are tested
std::vector<std::string> hss_lms_instances{"SHA-256,HW(10,1)",
"SHAKE-256(256),HW(10,1)",
"SHAKE-256(192),HW(10,1)",
"Truncated(SHA-256,192),HW(10,1)",
"SHA-256,HW(10,1),HW(10,1)",
"SHA-256,HW(10,1),HW(10,1),HW(10,1)"};

for(const auto& params : hss_lms_instances) {
auto keygen_timer = make_timer(params, provider, "keygen");

std::unique_ptr<Botan::Private_Key> key(
keygen_timer->run([&] { return Botan::create_private_key("HSS-LMS", rng(), params); }));

record_result(keygen_timer);
if(bench_pk_sig(*key, params, provider, "", msec) == 1) {
break;
}
}
}
#endif

#if defined(BOTAN_HAS_ZFEC)
void bench_zfec(std::chrono::milliseconds msec) {
const size_t k = 4;
Expand Down
4 changes: 4 additions & 0 deletions src/lib/asn1/oid_maps.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
{"1.2.840.113549.1.5.13", "PBE-PKCS5v20"},
{"1.2.840.113549.1.9.1", "PKCS9.EmailAddress"},
{"1.2.840.113549.1.9.14", "PKCS9.ExtensionRequest"},
{"1.2.840.113549.1.9.16.3.17", "HSS-LMS"},
{"1.2.840.113549.1.9.16.3.18", "ChaCha20Poly1305"},
{"1.2.840.113549.1.9.16.3.6", "KeyWrap.TripleDES"},
{"1.2.840.113549.1.9.16.3.8", "Compression.Zlib"},
Expand Down Expand Up @@ -164,6 +165,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
{"1.3.6.1.4.1.25258.1.12.3.4", "SphincsPlus-haraka-192f-r3.1"},
{"1.3.6.1.4.1.25258.1.12.3.5", "SphincsPlus-haraka-256s-r3.1"},
{"1.3.6.1.4.1.25258.1.12.3.6", "SphincsPlus-haraka-256f-r3.1"},
{"1.3.6.1.4.1.25258.1.13", "HSS-LMS-Private-Key"},
{"1.3.6.1.4.1.25258.1.14.1", "FrodoKEM-640-SHAKE"},
{"1.3.6.1.4.1.25258.1.14.2", "FrodoKEM-976-SHAKE"},
{"1.3.6.1.4.1.25258.1.14.3", "FrodoKEM-1344-SHAKE"},
Expand Down Expand Up @@ -405,6 +407,8 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
{"HMAC(SHA-384)", OID({1, 2, 840, 113549, 2, 10})},
{"HMAC(SHA-512)", OID({1, 2, 840, 113549, 2, 11})},
{"HMAC(SHA-512-256)", OID({1, 2, 840, 113549, 2, 13})},
{"HSS-LMS", OID({1, 2, 840, 113549, 1, 9, 16, 3, 17})},
{"HSS-LMS-Private-Key", OID({1, 3, 6, 1, 4, 1, 25258, 1, 13})},
{"KeyWrap.AES-128", OID({2, 16, 840, 1, 101, 3, 4, 1, 5})},
{"KeyWrap.AES-192", OID({2, 16, 840, 1, 101, 3, 4, 1, 25})},
{"KeyWrap.AES-256", OID({2, 16, 840, 1, 101, 3, 4, 1, 45})},
Expand Down
Loading
Loading