Add LMS/HSS signatures to documentation. #101
Conversation
philljj
changed the title
wolfSSL/src/appendix07.md
Outdated
|
|
||
| ### Motivation | ||
|
|
||
| HBS schemes are of growing interest for a number of reasons. |
wolfSSL/src/appendix07.md
Outdated
| HBS schemes are of growing interest for a number of reasons. | ||
| The primary motivation for HBS schemes is post-quantum security. As discussed previously in this appendix, Shor's algorithm would allow a quantum computer to efficiently factorize large integers and compute discrete logarithms, thus completely breaking public-key cryptography schemes such as RSA and ECC. | ||
|
|
||
| In contrast, HBS schemes are founded on the security of their underlying hash functions and Merkle trees (typically implemented with SHA256), which are not expected to be broken by the advent of large quantum computers. For these reasons they have been recommended by NIST SP 800-208 and the NSA's CNSA 2.0 suite. See these two links for more info: |
There was a problem hiding this comment.
large ->cryptographically relevant
wolfSSL/src/appendix07.md
Outdated
|
|
||
| Furthermore, the CNSA 2.0 timeline has specified that post-quantum HBS schemes should be used exclusively by 2030, and adoption should begin _immediately_. In fact, adoption of LMS is the earliest requirement in the CNSA 2.0 suite timeline. | ||
|
|
||
| However, the stateful nature of HBS schemes requires that significant care is given to their use and tracking their state. In an HBS system, the private key is actually a finite set of one-time signature (OTS) keys, which may never be reused. If the same OTS key were used to sign two different messages, it would be possible for an attacker to fabricate signatures, and the security of the entire scheme would unravel. Therefore, HBS schemes are not suitable for general use such as the public internet. |
There was a problem hiding this comment.
In an HBS system ---> In a stateful HBS system
There are multiple instances where you need to write stateful HBS in this document. The reason you have to do this is that SPHINCS+ is a stateless HBS.
wolfSSL/src/appendix07.md
Outdated
|
|
||
| However, the stateful nature of HBS schemes requires that significant care is given to their use and tracking their state. In an HBS system, the private key is actually a finite set of one-time signature (OTS) keys, which may never be reused. If the same OTS key were used to sign two different messages, it would be possible for an attacker to fabricate signatures, and the security of the entire scheme would unravel. Therefore, HBS schemes are not suitable for general use such as the public internet. | ||
|
|
||
| Instead, because of these unique strengths and characteristics, and NIST and NSA backing, HBS schemes such as LMS/HSS are of particular interest for offline firmware authentication and signature verification, especially on embedded or constrained systems that are expected to have a long operational lifetime and thus need to be resilient against a post-quantum future. |
There was a problem hiding this comment.
post-quantum future ---> cryptographically relevant quantum computer
wolfSSL/src/appendix07.md
Outdated
| ### LMS and HSS signatures | ||
|
|
||
| wolfSSL is adding support for the LMS and HSS hash-based signature schemes to our wolfCrypt embedded crypto engine. This will be achieved by experimental integration with the hash-sigs LMS/HSS library (<https://github.com/cisco/hash-sigs>), similar to our previous libOQS integration. | ||
|
|
||
| Leighton-Micali Signatures (LMS), and its multi-tree variant, the Hierarchical Signature System (HSS), are both post-quantum, stateful hash-based signature schemes. They are noted for having small public and private keys, and fast signing and verifying. Their signature sizes are larger, but are tunable via their Winternitz parameter. See these two links from RFC8554 for more details: | ||
|
|
||
| - LMS: <https://datatracker.ietf.org/doc/html/rfc8554> | ||
| - HSS: <https://datatracker.ietf.org/doc/html/rfc8554#section-6> |
There was a problem hiding this comment.
I don't think they are 2 separate schemes. I think they are combined to make a single sig scheme.
I don't think you can do HSS without LMS. I could be wrong on that one though.
There was a problem hiding this comment.
Correct, HSS is just a multi-tree generalization of LMS that contains LMS as a component. That's what I meant to convey.
There was a problem hiding this comment.
But you say " LMS and HSS hash-based signature schemes " which makes it sound like 2 separate schemes.
wolfSSL/src/appendix07.md
Outdated
|
|
||
| #### Benchmark Data | ||
|
|
||
| The following benchmark data was taken on an 8-core Intel i7-8700 CPU @ 3.20GHz, on Fedora 38 (`6.2.9-300.fc38.x86_64`). |
There was a problem hiding this comment.
You didn't mention how many threads were spawned in this line.
There was a problem hiding this comment.
I described it in the multi-threaded and single-threaded test results below.
When using hss_lib_thread.a the hash-sigs lib will spawn up to 16 worker threads, depending on the parameters used and what it's calculating. This is outside our control, unless we use their API to set the maximum for number of worker threads. In practice I only saw 6 cores utilized during key gen.
wolfSSL/src/appendix07.md
Outdated
| ### LMS and HSS signatures | ||
|
|
||
| wolfSSL is adding support for the LMS and HSS hash-based signature schemes to our wolfCrypt embedded crypto engine. This will be achieved by experimental integration with the hash-sigs LMS/HSS library (<https://github.com/cisco/hash-sigs>), similar to our previous libOQS integration. | ||
|
|
||
| Leighton-Micali Signatures (LMS), and its multi-tree variant, the Hierarchical Signature System (HSS), are both post-quantum, stateful hash-based signature schemes. They are noted for having small public and private keys, and fast signing and verifying. Their signature sizes are larger, but are tunable via their Winternitz parameter. See these two links from RFC8554 for more details: | ||
|
|
||
| - LMS: <https://datatracker.ietf.org/doc/html/rfc8554> | ||
| - HSS: <https://datatracker.ietf.org/doc/html/rfc8554#section-6> |
There was a problem hiding this comment.
But you say " LMS and HSS hash-based signature schemes " which makes it sound like 2 separate schemes.
wolfSSL/src/appendix07.md
Outdated
|
|
||
| #### Benchmark Data | ||
|
|
||
| The following benchmark data was taken on an 8-core Intel i7-8700 CPU @ 3.20GHz, on Fedora 38 (`6.2.9-300.fc38.x86_64`). |
There was a problem hiding this comment.
You didn't mention how many threads were spawned in this line.
|
Ok. Write that you saw 6 threads spawned. |
I capped the number of threads at 4, so could clearly state it used 4 cores in the multi-threaded benchmark. |
Added new subsection
Post-Quantum Stateful Hash-Based Signaturesto appendix07.New subsection covers stateful Hash-based Signature (HBS) schemes. Includes:
Note: I wasn't sure whether this should go in a separate appendix, or in appendix07. I can update the rest of appendix07 or move this as needed.