-
Notifications
You must be signed in to change notification settings - Fork 568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PQC: SLH-DSA #4291
PQC: SLH-DSA #4291
Conversation
00a177b
to
a80c9df
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Appendix A.1 mentions the introduction of HashSLH-DSA that describes an addtional domain separated signing mode when providing the actual message or a hash of the message, similar to HashML-DSA. Also here, I would suggest to implement HashSLH-DSA in a future pull request. |
To me seems fine to implement the prehashed variant later, or not at all. |
a80c9df
to
6d4dacf
Compare
Update: I have now implemented SLH-DSA (without context and without prehash). However, I already prepared contexts and pre-hashes for the next iteration. Also, I did not rename the classes and files to not bloat this PR. A follow-up PR will handle this, which will not contain any logical changes. |
10a4056
to
6311285
Compare
bfc761b
to
52da0c8
Compare
52da0c8
to
0b2ad80
Compare
Update: Test vectors and double-checks are integrated. Next week, I will look into SLH-DSA with X.509. Otherwise, this PR should be ready for review (and side-channel analysis (@aewag)) :) |
913c52a
to
6f21276
Compare
Thanks for your review, @reneme! I applied your review suggestions and sprinkled in some StrongTypes. Regarding the logic separation between SLH-DSA and SPHINCS+: |
b3d8d33
to
16a9a13
Compare
11ce0c7
to
e907eb7
Compare
e907eb7
to
20fe513
Compare
7353a40
to
d4ad4e5
Compare
Rebased after #4367 caused conflicts. |
IMO fine to ship this in 3.6.0 but we can wait for 3.7.0 if you want context support, prehashing etc which is blocked on #4318 |
This commit applies the changes from SPHINCS+ Round 3.1 to SLH-DSA (FIPS 205). The documentation is updated accordingly.
SLH-DSA test vectors generated from https://github.com/mjosaarinen/py-acvp-pqc/tree/main. Co-Authored-By: Amos Treiber <amos.treiber@rohde-schwarz.com>
Co-authored-by: Johannes Roth <johannes.roth91@posteo.de>
f5ffe99
to
bfb9130
Compare
PQC: SLH-DSA
Similar to PRs #3893 and #4270, this PR integrates the SLH-DSA (FIPS 205) instances into our SPHINCS+ implementation. The difference to the current SPHINCS+ round 3.1 implementation is marginal.
Module Hierarchy
I added new modules to allow users to activate only the final SLH-DSA instances. Since the logic is almost the same, no new logic is added to these modules. However, I think it's quite handy for users to allow only SLH-DSA instances via modules (for example, using a policy).
Future Work
I already prepared most of the logic necessary for the support of contexts and the pre-hashed instances. We are currently working on an improved API for the creation of signers, which will provide us with the API necessary for supporting the aforementioned features (see #4318). We do not expect this improved API available with Botan 3.6.0 so (non-empty) contexts and prehashed instances are postponed until then.
Also, currently, all SLH-DSA-related files are still named
sphincsplus
orsp_*
. The same goes for the class and method names. I want to move this refactoring work into a follow-up PR since it would make reviewing this one very difficult.SLH-DSA Specification Release - TODOs
ACVP Tests: #1, #2, #3We generated our own KATS using py-acvp-pqc since the ACVP tests are not compatible with our API.Implement PrehashSLH-DSA→ PrehashSLH-DSA will be addressed in a future PR (probably for Botan 3.7.0)Implement the new "context" parameter in signing/verifying→ Contexts will be addressed in a future PR (probably for Botan 3.7.0)