Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for stateful-hash-based signature verification (HSS/LMS, XMSS, and XMSS^MT) #232

Open
athoelke opened this issue Dec 17, 2024 · 1 comment · May be fixed by #233
Open

Support for stateful-hash-based signature verification (HSS/LMS, XMSS, and XMSS^MT) #232

athoelke opened this issue Dec 17, 2024 · 1 comment · May be fixed by #233
Labels
Crypto API Issue or PR related to the Cryptography API enhancement New feature or request
Milestone
Crypto API 1.3 PQ...

Comments

@athoelke
Copy link
Contributor

Prior to the standardization of ML-DSA and SLH-DSA, stateful-hash-based signature algorithms were developed, and then described in NIST Special Publication 800-208. The algorithms are:

  • LMS and its multi-level variant HSS/LMS. These are described in RFC 8554
  • XMSS and its multi-level variant XMSSMT. These are described in RFC 8391

These schemes are not vulnerable to quantum computing, and are based on the well-established security of cryptographic hash algorithms. They also have relatively small public keys and signatures (for PQC signature schemes), and relatively simple implementation requirements. However, they are based on one-time-signatures (OTS), and the security critically depends on never reusing any of the set of OTS private keys. This requirement is met by having a stateful private key, that records which OTS private keys have been used.

The implication of a stateful private key, is that deploying systems which use them have substantial system challenges related to throughput, resilience and redundancy. The security and footprint attributes of these schemes (compared to other PQC signatures) make them attractive for some specific use cases at this point in time. For example, authentication of initial stages of constrained system firmware, where the authenticating component and authentication public key are immutable.

The use case of firmware verification can be supported without needing an implementation to deal with the challenge of handling a stateful private key: the Crypto API could define suitable public-key types and signature algorithms, that can only be used with signature verification functions.
@athoelke athoelke added enhancement New feature or request Crypto API Issue or PR related to the Cryptography API labels Dec 17, 2024
@athoelke
Copy link
Contributor Author

athoelke commented Dec 17, 2024
edited
Loading

The IETF LAMPS draft standards relating to these algorithms' use in X.509 and CMS, only define algorithm identifiers for HSS/LMS, XMSS, and XMSS^MT. There is no definitions for stand-alone LMS, but single-level HSS/LMS is a trivial wrapping of LMS.

See:

I propose to follow that approach, and not define key types or algorithm identifiers for just LMS.

@athoelke athoelke added this to the Crypto API 1.3 PQC Extension milestone Dec 17, 2024
@athoelke athoelke linked a pull request Dec 19, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Crypto API Issue or PR related to the Cryptography API enhancement New feature or request
Projects
PSA Certified API development
Status: Todo
Milestone
Crypto API 1.3 PQC Extension
Development

Successfully merging a pull request may close this issue.

Add support for stateful hash-based signatures to the PQC Extension athoelke/psa-api
1 participant
@athoelke