Add lms to RustCrypto/signatures #801

incertia · 2024-01-31T16:22:08Z

This adds the lms directory to RustCrypto/signatures under the crate name lms-signature. The authors of the original RFC seem quite happy using the phrase so this keeps the naming in the signatures repository consistent. Hopefully I ported the Github workflow without any issues.

There are two notable limitations to our implementation:

We rely on generic_array::GenericArray from the older digest-0.10.7 instead of using the hybrid_array::Array approach from the upcoming digest-0.11 ecosystem.
We lack a way of compressing Merkle tree data so we just store the entire tree which causes H15, H20, and H25 variants of LMS to not work due to storage limitations.

This PR also does not modify the main README in any way. I have also refrained from committing any changes to Cargo.lock.

.github/workflows/lms.yml

lms/.github/workflows/lms-rust.yml

lms/Cargo.toml

lms/lms/lib.rs

lms/lms/lms/private.rs

lms/.gitignore

lms/CHANGELOG.md

lms/Cargo.toml

tarcieri · 2024-02-06T15:35:06Z

lms/src/lms/private.rs

+    #[test]
+    fn test_pk_tree_kat1() {
+        let seed = hex!("558b8966c48ae9cb898b423c83443aae014a72f1b1ab5cc85cf1d892903b5439");
+        let id = hex!("d08fabd4a2091ff0a8cb4ed834e74534");
+        let expected_k = hex!("32a58885cd9ba0431235466bff9651c6c92124404d45fa53cf161c28f1ad5a8e");
+
+        let lms_priv = SigningKey::<LmsSha256M32H10<LmsOtsSha256N32W4>>::new_from_seed(id, seed);
+        let lms_pub = lms_priv.public();
+        assert_eq!(lms_pub.k(), expected_k);
+        assert_eq!(lms_pub.id(), &id);
+    }
+
+    #[test]
+    fn test_pk_tree_kat2() {
+        let seed = hex!("a1c4696e2608035a886100d05cd99945eb3370731884a8235e2fb3d4d71f2547");
+        let id = hex!("215f83b7ccb9acbcd08db97b0d04dc2b");
+        let expected_k = hex!("a1cd035833e0e90059603f26e07ad2aad152338e7a5e5984bcd5f7bb4eba40b7");
+
+        let lms_priv = SigningKey::<LmsSha256M32H5<LmsOtsSha256N32W8>>::new_from_seed(id, seed);
+        let lms_pub = lms_priv.public();
+        assert_eq!(lms_pub.k(), expected_k);
+        assert_eq!(lms_pub.id(), &id);
+    }
+
+    #[test]
+    fn test_kat_2() {
+        let expected_signature = [


Can you provide some information on the provenance of these KATs?

It appears to be RFC8554 Appendix F but I'm noticing test_pk_tree_kat1 appears to be "Test Case 2".

lms/src/lms/public.rs

lms/src/lms/signature.rs

lms/src/ots/error.rs

…e that increases coverage

tjade273 · 2024-02-16T18:51:41Z

@tarcieri do you have opinions on large in-file KAT buffers like this?

Debating whether we should

Leave as-is
Break large KATs out to a separate directory
Just include a hash of the actual expected result and compare against that

There will be a couple more large KATs eventually once HSS is implemented, and if we want to support the larger merkle tree sizes then they will start getting really big.

tarcieri · 2024-03-05T20:48:59Z

@tjade273 we generally just check them in, but for very large ones omit them from the resulting .crate, e.g.:

https://github.com/RustCrypto/MACs/blob/43cc597/cmac/Cargo.toml#L14

.github/workflows/lms.yml

tarcieri · 2024-03-05T20:53:53Z

utACK, let me know if you'd like to make any additional changes or otherwise we can get this merged

Co-authored-by: Tony Arcieri <bascule@gmail.com>

incertia · 2024-03-06T19:25:10Z

We can probably get this merged.

add lms to RustCrypto/signatures

341371e