Merge pull request #3716 from Rohde-Schwarz/pl/lms

HSS-LMS Signature Algorithm Implementation
randombit · May 23, 2024 · 19567e3 · 19567e3
2 parents ddfd075 + 2c31a2f
commit 19567e3
Show file tree

Hide file tree

Showing 35 changed files with 3,867 additions and 19 deletions.
diff --git a/doc/api_ref/pubkey.rst b/doc/api_ref/pubkey.rst
@@ -123,6 +123,13 @@ signatures can be created. If the same state is ever used to generate two
 signatures, then the whole scheme becomes insecure, and signatures can be
 forged.
 
+HSS-LMS
+-------
+
+A post-quantum secure hash-based signature scheme similar to XMSS. Contains
+support for multitrees. It is stateful, meaning the private key changes after
+each signature.
+
 SPHINCS+
 ~~~~~~~~~
 
@@ -782,6 +789,7 @@ Botan implements the following signature algorithms:
 #. SPHINCS+.
  Takes the optional parameter ``Deterministic`` (default) or ``Randomized``.
 #. XMSS. Takes no parameter.
+#. HSS-LMS. Takes no parameter.
 
 .. _ecdsa_example:
 
@@ -1204,10 +1212,12 @@ is based on `RFC 8391 "XMSS: eXtended Merkle Signature Scheme"
 
 .. warning::
 
- XMSS is stateful, meaning the private key must be updated after
- each signature. If the same private key is ever used to generate
- two different signatures, then the scheme becomes insecure. For
- this reason it can be challenging to use XMSS securely.
+ XMSS is stateful, meaning the private key updates after each signature
+ creation. Applications are responsible for updating their persistent secret
+ with the new output of ``Private_Key::private_key_bits()`` after each signature
+ creation. If the same private key is ever used to generate
+ two different signatures, then the scheme becomes insecure. For this reason,
+ it can be challenging to use XMSS securely.
 
 XMSS uses the Botan interfaces for public key cryptography.
 The following algorithms are implemented:
@@ -1241,3 +1251,44 @@ signature:
 
 .. literalinclude:: /../src/examples/xmss.cpp
  :language: cpp
+
+
+Hierarchical Signature System with Leighton-Micali Hash-Based Signatures (HSS-LMS)
+----------------------------------------------------------------------------------
+
+HSS-LMS is a stateful hash-based signature scheme which is defined in `RFC 8554
+"Leighton-Micali Hash-Based Signatures" <https://datatracker.ietf.org/doc/html/rfc8554>`_.
+
+It is a multitree scheme, which is highly configurable. Multitree means, it consists
+of multiple layers of Merkle trees, which can be defined individually. Moreover, the
+used hash function and the Winternitz Parameter of the underlying one-time signature
+can be chosen for each tree layer. For a sensible selection of parameters refer to
+`RFC 8554 Section 6.4. <https://datatracker.ietf.org/doc/html/rfc8554#section-6.4>`_.
+
+.. warning::
+
+ HSS-LMS is stateful, meaning the private key updates after each signature
+ creation. Applications are responsible for updating their persistent secret
+ with the new output of ``Private_Key::private_key_bits()`` after each signature
+ creation. If the same private key is ever used to generate
+ two different signatures, then the scheme becomes insecure. For this reason,
+ it can be challenging to use HSS-LMS securely.
+
+HSS-LMS uses the Botan interfaces for public key cryptography. The ``params``
+argument of the HSS-LMS private key is used to define the parameter set.
+The syntax of this argument must be the following:
+
+``HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)``
+
+e.g. ``HSS-LMS(SHA-256,HW(5,1),HW(5,1))`` to use SHA-256 in a two-layer HSS instance
+with LMS tree height 5 and Winternitz parameter 1. This results in a
+private key that can be used to create up to 2^(5+5)=1024 signatures.
+
+The following parameters are allowed (which are specified in
+`RFC 8554 <https://datatracker.ietf.org/doc/html/rfc8554>`_ and
+and `draft-fluhrer-lms-more-parm-sets-11 <https://datatracker.ietf.org/doc/html/draft-fluhrer-lms-more-parm-sets-11>`_):
+
+- hash: ``SHA-256``, ``Truncated(SHA-256,192)``, ``SHAKE-256(256)``, ``SHAKE-256(192)``
+- h: ``5``, ``10``, ``15``, ``20``, ``25``
+- w: ``1``, ``2``, ``4``, ``8``
+
diff --git a/doc/dev_ref/oids.rst b/doc/dev_ref/oids.rst
@@ -84,6 +84,8 @@ Values currently assigned are::
  SphincsPlus-haraka-256s-r3.1 OBJECT IDENTIFIER ::= { SphincsPlus-haraka 5 }
  SphincsPlus-haraka-256f-r3.1 OBJECT IDENTIFIER ::= { SphincsPlus-haraka 6 }
 
+ HSS-LMS-Private-Key OBJECT IDENTIFIER ::= { publicKey 13 }
+
  symmetricKey OBJECT IDENTIFIER ::= { randombit 3 }
 
  ocbModes OBJECT IDENTIFIER ::= { symmetricKey 2 }

diff --git a/src/build-data/oids.txt b/src/build-data/oids.txt
@@ -1,5 +1,5 @@
-# Regenerate with ./src/scripts/dev_tools/oids.py oids > src/lib/asn1/oid_maps.cpp
-# AND ./src/scripts/dev_tools/oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
+# Regenerate with ./src/scripts/dev_tools/gen_oids.py oids > src/lib/asn1/oid_maps.cpp
+# AND ./src/scripts/dev_tools/gen_oids.py dn_ub > src/lib/x509/x509_dn_ub.cpp
 # (if you modified something under [dn]
 
 # Public key types
@@ -47,6 +47,14 @@
 1.3.6.1.4.1.25258.1.10.2 = Dilithium-6x5-AES-r3
 1.3.6.1.4.1.25258.1.10.3 = Dilithium-8x7-AES-r3
 
+# HSS-LMS
+# draft-gazdag-x509-hash-sigs-01
+1.2.840.113549.1.9.16.3.17 = HSS-LMS
+
+# HSS-LMS private key (since the format of an HSS-LMS private key is not specified,
+# we define an OID for the one we use)
+1.3.6.1.4.1.25258.1.13 = HSS-LMS-Private-Key
+
 # SPHINCS+ OIDs are currently in Botan's private arc
 1.3.6.1.4.1.25258.1.12.1.1 = SphincsPlus-shake-128s-r3.1
 1.3.6.1.4.1.25258.1.12.1.2 = SphincsPlus-shake-128f-r3.1

diff --git a/src/cli/speed.cpp b/src/cli/speed.cpp
@@ -124,6 +124,10 @@
  #include <botan/dilithium.h>
 #endif
 
+#if defined(BOTAN_HAS_HSS_LMS)
+ #include <botan/hss_lms.h>
+#endif
+
 #if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
  #include <botan/sphincsplus.h>
 #endif
@@ -411,7 +415,8 @@ class Speed final : public Command {
  "McEliece",
  "Kyber",
  "SPHINCS+",
- "FrodoKEM"
+ "FrodoKEM",
+ "HSS-LMS",
  };
  // clang-format on
  }
@@ -626,6 +631,11 @@ class Speed final : public Command {
  bench_xmss(provider, msec);
  }
 #endif
+#if defined(BOTAN_HAS_HSS_LMS)
+ else if(algo == "HSS-LMS") {
+ bench_hss_lms(provider, msec);
+ }
+#endif
 #if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
  else if(algo == "SPHINCS+") {
  bench_sphincs_plus(provider, msec);
@@ -2134,6 +2144,33 @@ class Speed final : public Command {
  }
 #endif
 
+#if defined(BOTAN_HAS_HSS_LMS)
+ void bench_hss_lms(const std::string& provider, std::chrono::milliseconds msec) {
+ // At first we compare instances with multiple hash functions. LMS trees with
+ // height 10 are suitable, since they can be used for enough signatures and are
+ // fast enough for speed testing.
+ // Afterward, setups with multiple HSS layers are tested
+ std::vector<std::string> hss_lms_instances{"SHA-256,HW(10,1)",
+ "SHAKE-256(256),HW(10,1)",
+ "SHAKE-256(192),HW(10,1)",
+ "Truncated(SHA-256,192),HW(10,1)",
+ "SHA-256,HW(10,1),HW(10,1)",
+ "SHA-256,HW(10,1),HW(10,1),HW(10,1)"};
+
+ for(const auto& params : hss_lms_instances) {
+ auto keygen_timer = make_timer(params, provider, "keygen");
+
+ std::unique_ptr<Botan::Private_Key> key(
+ keygen_timer->run([&] { return Botan::create_private_key("HSS-LMS", rng(), params); }));
+
+ record_result(keygen_timer);
+ if(bench_pk_sig(*key, params, provider, "", msec) == 1) {
+ break;
+ }
+ }
+ }
+#endif
+
 #if defined(BOTAN_HAS_ZFEC)
  void bench_zfec(std::chrono::milliseconds msec) {
  const size_t k = 4;

diff --git a/src/lib/asn1/oid_maps.cpp b/src/lib/asn1/oid_maps.cpp
@@ -91,6 +91,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
  {"1.2.840.113549.1.5.13", "PBE-PKCS5v20"},
  {"1.2.840.113549.1.9.1", "PKCS9.EmailAddress"},
  {"1.2.840.113549.1.9.14", "PKCS9.ExtensionRequest"},
+ {"1.2.840.113549.1.9.16.3.17", "HSS-LMS"},
  {"1.2.840.113549.1.9.16.3.18", "ChaCha20Poly1305"},
  {"1.2.840.113549.1.9.16.3.6", "KeyWrap.TripleDES"},
  {"1.2.840.113549.1.9.16.3.8", "Compression.Zlib"},
@@ -164,6 +165,7 @@ std::unordered_map<std::string, std::string> OID_Map::load_oid2str_map() {
  {"1.3.6.1.4.1.25258.1.12.3.4", "SphincsPlus-haraka-192f-r3.1"},
  {"1.3.6.1.4.1.25258.1.12.3.5", "SphincsPlus-haraka-256s-r3.1"},
  {"1.3.6.1.4.1.25258.1.12.3.6", "SphincsPlus-haraka-256f-r3.1"},
+ {"1.3.6.1.4.1.25258.1.13", "HSS-LMS-Private-Key"},
  {"1.3.6.1.4.1.25258.1.14.1", "FrodoKEM-640-SHAKE"},
  {"1.3.6.1.4.1.25258.1.14.2", "FrodoKEM-976-SHAKE"},
  {"1.3.6.1.4.1.25258.1.14.3", "FrodoKEM-1344-SHAKE"},
@@ -405,6 +407,8 @@ std::unordered_map<std::string, OID> OID_Map::load_str2oid_map() {
  {"HMAC(SHA-384)", OID({1, 2, 840, 113549, 2, 10})},
  {"HMAC(SHA-512)", OID({1, 2, 840, 113549, 2, 11})},
  {"HMAC(SHA-512-256)", OID({1, 2, 840, 113549, 2, 13})},
+ {"HSS-LMS", OID({1, 2, 840, 113549, 1, 9, 16, 3, 17})},
+ {"HSS-LMS-Private-Key", OID({1, 3, 6, 1, 4, 1, 25258, 1, 13})},
  {"KeyWrap.AES-128", OID({2, 16, 840, 1, 101, 3, 4, 1, 5})},
  {"KeyWrap.AES-192", OID({2, 16, 840, 1, 101, 3, 4, 1, 25})},
  {"KeyWrap.AES-256", OID({2, 16, 840, 1, 101, 3, 4, 1, 45})},