Botan 3.11.0
Crypto and TLS for C&
hss.h
Go to the documentation of this file.
1/**
2 * HSS - Hierarchical Signatures System (RFC 8554)
3 * (C) 2023 Jack Lloyd
4 * 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#ifndef BOTAN_HSS_H_
10#define BOTAN_HSS_H_
11
12#include <botan/asn1_obj.h>
13#include <botan/internal/ct_utils.h>
14#include <botan/internal/int_utils.h>
15#include <botan/internal/lms.h>
16#include <botan/internal/stateful_key_index_registry.h>
17#include <memory>
18#include <span>
19#include <string_view>
20#include <utility>
21#include <vector>
22
23namespace Botan {
24
25class RandomNumberGenerator;
26
27/**
28 * @brief The index of a node within a specific LMS tree layer
29 */
30using HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber>;
31
32/**
33 * @brief The HSS layer in the HSS multi tree starting at 0 from the root
34 */
35using HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber>;
36
37/**
38 * @brief The HSS-LMS parameters.
39 *
40 * See RFC 8554 Section 6.
41 */
42class BOTAN_TEST_API HSS_LMS_Params final {
43 public:
44 /**
45 * @brief Represents a pair of LMS and LMOTS parameters associated with one LMS tree layer.
46 */
47 class LMS_LMOTS_Params_Pair final {
48 public:
49 /**
50 * @brief The LMS parameters.
51 */
52 const LMS_Params& lms_params() const { return m_lms_params; }
53
54 /**
55 * @brief The LMOTS parameters.
56 */
57 const LMOTS_Params& lmots_params() const { return m_lmots_params; }
58
59 /**
60 * @brief Construct a new params pair
61 */
62 LMS_LMOTS_Params_Pair(LMS_Params p_lms_params, LMOTS_Params p_lmots_params) :
63 m_lms_params(std::move(p_lms_params)), m_lmots_params(std::move(p_lmots_params)) {}
64
65 private:
66 LMS_Params m_lms_params;
67 LMOTS_Params m_lmots_params;
68 };
69
70 /**
71 * @brief Construct the HSS-LMS parameters from a vector LMS and LM-OTS parameters.
72 */
73 explicit HSS_LMS_Params(std::vector<LMS_LMOTS_Params_Pair> lm_lmots_params);
74
75 /**
76 * @brief Construct the HSS-LMS parameters form an algorithm parameter string.
77 *
78 * The HSS/LMS instance to use for creating new keys is defined using an algorithm parameter string,
79 * i.e. to define which hash function (hash), LMS tree height (h)
80 * and OTS Winternitz coefficient widths (w) to use. The syntax is the following:
81 *
82 * HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)
83 *
84 * e.g. 'HSS-LMS(SHA-256,HW(5,1),HW(5,1))' to use SHA-256 in a two-layer HSS instance
85 * with a LMS tree height 5 and w=1. The following parameters are allowed (which are
86 * specified in RFC 8554 and draft-fluhrer-lms-more-parm-sets-11):
87 *
88 * hash: 'SHA-256', 'Truncated(SHA-256,192)', 'SHAKE-256(256)', SHAKE-256(192)
89 * h: '5', '10', '15', '20', '25'
90 * w: '1', '2', '4', '8'
91 *
92 * Note: The selected hash function is also used for seed derivation.
93 */
94 explicit HSS_LMS_Params(std::string_view algo_params);
95
96 /**
97 * @brief Returns the LMS an LM-OTS parameters at the specified @p level of the HSS tree.
98 */
99 const LMS_LMOTS_Params_Pair& params_at_level(HSS_Level level) const { return m_lms_lmots_params.at(level.get()); }
100
101 /**
102 * @brief Returns the number of layers the HSS tree has.
103 */
104 HSS_Level L() const { return checked_cast_to<HSS_Level>(m_lms_lmots_params.size()); }
105
106 /**
107 * @brief The maximal number of signatures allowed for these HSS parameters
108 */
109 HSS_Sig_Idx max_sig_count() const { return m_max_sig_count; }
110
111 private:
112 /**
113 * @brief Compute the maximal number of signatures
114 */
115 HSS_Sig_Idx calc_max_sig_count() const;
116
117 std::vector<LMS_LMOTS_Params_Pair> m_lms_lmots_params;
118 HSS_Sig_Idx m_max_sig_count;
119};
120
121/**
122 * @brief The internal HSS-LMS private key.
123 *
124 * Note that the format is not specified in the RFC 8554,
125 * and is Botan specific.
126 */
127class HSS_LMS_PrivateKeyInternal final {
128 public:
129 /**
130 * @brief Create an internal HSS-LMS private key.
131 *
132 * @param hss_params The HSS-LMS parameters for the key.
133 * @param rng The rng to use.
134 */
135 HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params& hss_params, RandomNumberGenerator& rng);
136
137 /**
138 * @brief Parse a private HSS-LMS key.
139 *
140 * @param key_bytes The private key bytes to parse.
141 * @return The internal HSS-LMS private key.
142 * @throws Decoding_Error If parsing the private key fails.
143 */
144 static std::shared_ptr<HSS_LMS_PrivateKeyInternal> from_bytes_or_throw(std::span<const uint8_t> key_bytes);
145
146 /**
147 * @brief Returns the used HSS-LMS parameters.
148 */
149 const HSS_LMS_Params& hss_params() const { return m_hss_params; }
150
151 /**
152 * @brief Returns the key in its encoded format.
153 */
154 secure_vector<uint8_t> to_bytes() const;
155
156 /**
157 * @brief Get the idx of the next signature to generate.
158 */
159 HSS_Sig_Idx remaining_operations(HSS_Sig_Idx idx) const;
160
161 /**
162 * @brief Set the idx of the next signature to generate.
163 *
164 * Note that creating two signatures with the same index is insecure.
165 * The index must be lower than hss_params().max_sig_count().
166 * The index will never go backward (highest value wins).
167 */
168 void set_idx(HSS_Sig_Idx idx);
169
170 /**
171 * @brief Create a HSS-LMS signature.
172 *
173 * See RFC 8554 6.2 - Algorithm 8.
174 *
175 * For each signature creation the hypertree is computed once
176 * again, so no data is stored between multiple signatures. However,
177 * storing data between multiple signatures could be an optimization
178 * if applications create multiple signatures in one go.
179 *
180 * @param msg The message to sign.
181 */
182 std::vector<uint8_t> sign(std::span<const uint8_t> msg);
183
184 /**
185 * @brief Create the HSS root LMS tree's LMS_PrivateKey using the HSS-LMS private key.
186 *
187 * We use the same generation as the reference implementation (https://github.com/cisco/hash-sigs)
188 * with SECRET_METHOD==2.
189 *
190 * @return The LMS private key
191 */
192 LMS_PrivateKey hss_derive_root_lms_private_key() const;
193
194 /**
195 * @brief Returns the size in bytes of a signature created by this key.
196 */
197 size_t signature_size() const { return m_sig_size; }
198
199 void _const_time_poison() const { CT::poison(m_hss_seed); }
200
201 void _const_time_unpoison() const { CT::unpoison(m_hss_seed); }
202
203 private:
204 HSS_LMS_PrivateKeyInternal(HSS_LMS_Params hss_params, LMS_Seed hss_seed, LMS_Identifier identifier);
205
206 /**
207 * @brief Get the index of the next signature to generate and
208 * increase the counter by one.
209 */
210 HSS_Sig_Idx reserve_next_idx();
211
212 /**
213 * @brief Returns the size in bytes the key would have in its encoded format.
214 */
215 size_t size() const;
216
217 /**
218 * @brief Derive the seed and identifier of an LMS tree from its parent LMS tree.
219 *
220 * We use the same generation as the reference implementation (https://github.com/cisco/hash-sigs).
221 *
222 * @param child_lms_lmots_params The LMS-LMOTS parameter pair of the child tree.
223 * @param parent_sk The parent's LMS private key
224 * @param parent_q The LMS leaf number the child tree has in its parent tree.
225 * @return LMS private key
226 */
227 static LMS_PrivateKey hss_derive_child_lms_private_key(
228 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& child_lms_lmots_params,
229 const LMS_PrivateKey& parent_sk,
230 LMS_Tree_Node_Idx parent_q);
231
232 HSS_LMS_Params m_hss_params;
233 LMS_Seed m_hss_seed;
234 LMS_Identifier m_identifier;
235 Stateful_Key_Index_Registry::KeyId m_keyid;
236 const size_t m_sig_size;
237};
238
239class HSS_Signature;
240
241/**
242 * @brief The internal HSS-LMS public key.
243 *
244 * Format according to RFC 8554:
245 * u32str(L) || pub[0]
246 */
247class HSS_LMS_PublicKeyInternal final {
248 public:
249 /**
250 * @brief Create the public HSS-LMS key from its private key.
251 *
252 * @param hss_sk The private HSS-LMS key.
253 * @return The internal HSS-LMS public key.
254 */
255 static HSS_LMS_PublicKeyInternal create(const HSS_LMS_PrivateKeyInternal& hss_sk);
256
257 /**
258 * @brief Parse a public HSS-LMS key.
259 *
260 * @param key_bytes The public key bytes to parse.
261 * @return The internal HSS-LMS public key.
262 * @throws Decoding_Error If parsing the public key fails.
263 */
264 static std::shared_ptr<HSS_LMS_PublicKeyInternal> from_bytes_or_throw(std::span<const uint8_t> key_bytes);
265
266 HSS_LMS_PublicKeyInternal(HSS_Level L, LMS_PublicKey top_lms_pub_key) :
267 m_L(L), m_top_lms_pub_key(std::move(top_lms_pub_key)) {}
268
269 /**
270 * @brief Returns the key in its encoded format.
271 */
272 std::vector<uint8_t> to_bytes() const;
273
274 /**
275 * @brief Returns the public LMS key of the top LMS tree.
276 */
277 const LMS_PublicKey& lms_pub_key() const { return m_top_lms_pub_key; }
278
279 /**
280 * @brief Returns the size in bytes the key would have in its encoded format.
281 */
282 size_t size() const;
283
284 /**
285 * @brief The algorithm identifier for HSS-LMS
286 */
287 AlgorithmIdentifier algorithm_identifier() const;
288
289 /**
290 * @brief The object identifier for HSS-LMS
291 */
292 OID object_identifier() const;
293
294 /**
295 * @brief The algorithm name for HSS-LMS
296 */
297 std::string algo_name() const { return "HSS-LMS"; }
298
299 /**
300 * @brief Verify a HSS-LMS signature.
301 *
302 * See RFC 8554 6.3.
303 *
304 * @param msg The signed message.
305 * @param sig The already parsed HSS-LMS signature.
306 * @return True iff the signature is valid.
307 */
308 bool verify_signature(std::span<const uint8_t> msg, const HSS_Signature& sig) const;
309
310 void _const_time_unpoison() const { CT::unpoison(m_top_lms_pub_key); }
311
312 private:
313 HSS_Level m_L;
314 LMS_PublicKey m_top_lms_pub_key;
315};
316
317/**
318 * @brief A HSS-LMS signature.
319 *
320 * Format according to RFC 8554:
321 * u32str(Nspk) || sig[0] || pub[1] || ... || sig[Nspk-1] || pub[Nspk] || sig[Nspk]
322 */
323class BOTAN_TEST_API HSS_Signature final {
324 public:
325 /**
326 * @brief A LMS public key signed by the HSS layer above it.
327 *
328 * signed_pub_key[i] = sig[i] || pub[i+1],
329 * for i between 0 and Nspk-1, inclusive.
330 */
331 class Signed_Pub_Key final {
332 public:
333 /**
334 * @brief Constructor for a new sig-pubkey-pair
335 */
336 Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub);
337
338 /**
339 * @brief The signature of the public key
340 */
341 const LMS_Signature& signature() const { return m_sig; }
342
343 /**
344 * @brief The signed public key
345 */
346 const LMS_PublicKey& public_key() const { return m_pub; }
347
348 private:
349 LMS_Signature m_sig;
350 LMS_PublicKey m_pub;
351 };
352
353 /**
354 * @brief Parse a HSS-LMS signature.
355 *
356 * @param sig_bytes The signature bytes to parse.
357 * @return The parsed HSS-LMS signature.
358 * @throws Decoding_Error If parsing the signature fails.
359 */
360 static HSS_Signature from_bytes_or_throw(std::span<const uint8_t> sig_bytes);
361
362 /**
363 * @brief Returns the size a signature would have in its encoded format.
364 *
365 * @param params The HSS-LMS parameters.
366 * @return size_t The expected size in bytes.
367 */
368 static size_t size(const HSS_LMS_Params& params);
369
370 /**
371 * @brief Returns the number of signed public keys (Nspk = L-1).
372 */
373 HSS_Level Nspk() const { return HSS_Level(static_cast<uint32_t>(m_signed_pub_keys.size())); }
374
375 /**
376 * @brief Returns the signed LMS key signed by a specific layer.
377 *
378 * @param layer The layer by which the LMS key is signed.
379 * @return The LMS key and the signature by its parent layer.
380 */
381 const Signed_Pub_Key& signed_pub_key(HSS_Level layer) const { return m_signed_pub_keys.at(layer.get()); }
382
383 /**
384 * @brief Returns the LMS signature by the bottom layer of the signed message.
385 */
386 const LMS_Signature& bottom_sig() const { return m_sig; }
387
388 private:
389 /**
390 * @brief Private constructor using the individual signature fields.
391 */
392 HSS_Signature(std::vector<Signed_Pub_Key> signed_pub_keys, LMS_Signature sig) :
393 m_signed_pub_keys(std::move(signed_pub_keys)), m_sig(std::move(sig)) {}
394
395 std::vector<Signed_Pub_Key> m_signed_pub_keys;
396 LMS_Signature m_sig;
397};
398
399} // namespace Botan
400
401#endif
BOTAN_TEST_API
#define BOTAN_TEST_API
Definition api.h:41
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair
Represents a pair of LMS and LMOTS parameters associated with one LMS tree layer.
Definition hss.h:47
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lms_params
const LMS_Params & lms_params() const
The LMS parameters.
Definition hss.h:52
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lmots_params
const LMOTS_Params & lmots_params() const
The LMOTS parameters.
Definition hss.h:57
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::LMS_LMOTS_Params_Pair
LMS_LMOTS_Params_Pair(LMS_Params p_lms_params, LMOTS_Params p_lmots_params)
Construct a new params pair.
Definition hss.h:62
Botan::HSS_LMS_Params
The HSS-LMS parameters.
Definition hss.h:42
Botan::HSS_LMS_Params::params_at_level
const LMS_LMOTS_Params_Pair & params_at_level(HSS_Level level) const
Returns the LMS an LM-OTS parameters at the specified level of the HSS tree.
Definition hss.h:99
Botan::HSS_LMS_Params::L
HSS_Level L() const
Returns the number of layers the HSS tree has.
Definition hss.h:104
Botan::HSS_LMS_Params::max_sig_count
HSS_Sig_Idx max_sig_count() const
The maximal number of signatures allowed for these HSS parameters.
Definition hss.h:109
Botan::HSS_LMS_Params::HSS_LMS_Params
HSS_LMS_Params(std::vector< LMS_LMOTS_Params_Pair > lm_lmots_params)
Construct the HSS-LMS parameters from a vector LMS and LM-OTS parameters.
Definition hss.cpp:79
Botan::HSS_LMS_PrivateKeyInternal
The internal HSS-LMS private key.
Definition hss.h:127
Botan::HSS_LMS_PrivateKeyInternal::set_idx
void set_idx(HSS_Sig_Idx idx)
Set the idx of the next signature to generate.
Definition hss.cpp:220
Botan::HSS_LMS_PrivateKeyInternal::_const_time_poison
void _const_time_poison() const
Definition hss.h:199
Botan::HSS_LMS_PrivateKeyInternal::sign
std::vector< uint8_t > sign(std::span< const uint8_t > msg)
Create a HSS-LMS signature.
Definition hss.cpp:240
Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PrivateKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a private HSS-LMS key.
Definition hss.cpp:146
Botan::HSS_LMS_PrivateKeyInternal::hss_params
const HSS_LMS_Params & hss_params() const
Returns the used HSS-LMS parameters.
Definition hss.h:149
Botan::HSS_LMS_PrivateKeyInternal::hss_derive_root_lms_private_key
LMS_PrivateKey hss_derive_root_lms_private_key() const
Create the HSS root LMS tree's LMS_PrivateKey using the HSS-LMS private key.
Definition hss.cpp:287
Botan::HSS_LMS_PrivateKeyInternal::to_bytes
secure_vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:195
Botan::HSS_LMS_PrivateKeyInternal::signature_size
size_t signature_size() const
Returns the size in bytes of a signature created by this key.
Definition hss.h:197
Botan::HSS_LMS_PrivateKeyInternal::_const_time_unpoison
void _const_time_unpoison() const
Definition hss.h:201
Botan::HSS_LMS_PrivateKeyInternal::remaining_operations
HSS_Sig_Idx remaining_operations(HSS_Sig_Idx idx) const
Get the idx of the next signature to generate.
Definition hss.cpp:216
Botan::HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal
HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params &hss_params, RandomNumberGenerator &rng)
Create an internal HSS-LMS private key.
Definition hss.cpp:123
Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PublicKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a public HSS-LMS key.
Definition hss.cpp:326
Botan::HSS_LMS_PublicKeyInternal::verify_signature
bool verify_signature(std::span< const uint8_t > msg, const HSS_Signature &sig) const
Verify a HSS-LMS signature.
Definition hss.cpp:362
Botan::HSS_LMS_PublicKeyInternal::to_bytes
std::vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:346
Botan::HSS_LMS_PublicKeyInternal::algo_name
std::string algo_name() const
The algorithm name for HSS-LMS.
Definition hss.h:297
Botan::HSS_LMS_PublicKeyInternal::size
size_t size() const
Returns the size in bytes the key would have in its encoded format.
Definition hss.cpp:358
Botan::HSS_LMS_PublicKeyInternal::object_identifier
OID object_identifier() const
The object identifier for HSS-LMS.
Definition hss.cpp:354
Botan::HSS_LMS_PublicKeyInternal::_const_time_unpoison
void _const_time_unpoison() const
Definition hss.h:310
Botan::HSS_LMS_PublicKeyInternal::create
static HSS_LMS_PublicKeyInternal create(const HSS_LMS_PrivateKeyInternal &hss_sk)
Create the public HSS-LMS key from its private key.
Definition hss.cpp:317
Botan::HSS_LMS_PublicKeyInternal::HSS_LMS_PublicKeyInternal
HSS_LMS_PublicKeyInternal(HSS_Level L, LMS_PublicKey top_lms_pub_key)
Definition hss.h:266
Botan::HSS_LMS_PublicKeyInternal::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const
The algorithm identifier for HSS-LMS.
Definition hss.cpp:350
Botan::HSS_LMS_PublicKeyInternal::lms_pub_key
const LMS_PublicKey & lms_pub_key() const
Returns the public LMS key of the top LMS tree.
Definition hss.h:277
Botan::HSS_Signature::Signed_Pub_Key
A LMS public key signed by the HSS layer above it.
Definition hss.h:331
Botan::HSS_Signature::Signed_Pub_Key::Signed_Pub_Key
Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub)
Constructor for a new sig-pubkey-pair.
Definition hss.cpp:389
Botan::HSS_Signature::Signed_Pub_Key::signature
const LMS_Signature & signature() const
The signature of the public key.
Definition hss.h:341
Botan::HSS_Signature::Signed_Pub_Key::public_key
const LMS_PublicKey & public_key() const
The signed public key.
Definition hss.h:346
Botan::HSS_Signature
A HSS-LMS signature.
Definition hss.h:323
Botan::HSS_Signature::bottom_sig
const LMS_Signature & bottom_sig() const
Returns the LMS signature by the bottom layer of the signed message.
Definition hss.h:386
Botan::HSS_Signature::Nspk
HSS_Level Nspk() const
Returns the number of signed public keys (Nspk = L-1).
Definition hss.h:373
Botan::HSS_Signature::signed_pub_key
const Signed_Pub_Key & signed_pub_key(HSS_Level layer) const
Returns the signed LMS key signed by a specific layer.
Definition hss.h:381
Botan::LMOTS_Params
The LM-OTS parameters.
Definition lm_ots.h:103
Botan::LMS_Params
The LMS parameters.
Definition lms.h:91
Botan::LMS_PrivateKey
Representation of an LMS Private key.
Definition lms.h:192
Botan::LMS_PublicKey
The LMS public key.
Definition lms.h:227
Botan::LMS_Signature
Container for LMS Signature data.
Definition lms.h:295
Botan::Stateful_Key_Index_Registry::KeyId
Definition stateful_key_index_registry.h:30
Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:85
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:67
Botan::CT::poison
constexpr void poison(const T *p, size_t n)
Definition ct_utils.h:56
Botan::HSS_Sig_Idx
Strong< uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber > HSS_Sig_Idx
The index of a node within a specific LMS tree layer.
Definition hss.h:30
Botan::checked_cast_to
constexpr RT checked_cast_to(AT i)
Definition int_utils.h:74
Botan::LMS_Identifier
Strong< std::vector< uint8_t >, struct LMS_Identifier_ > LMS_Identifier
The identifier of an LMS tree (I in RFC 8554).
Definition lm_ots.h:53
Botan::LMS_Seed
Strong< secure_vector< uint8_t >, struct LMS_SEED_ > LMS_Seed
Seed of the LMS tree, used to generate the LM-OTS private keys.
Definition lm_ots.h:28
Botan::HSS_Level
Strong< uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber > HSS_Level
The HSS layer in the HSS multi tree starting at 0 from the root.
Definition hss.h:35
Botan::LMS_Tree_Node_Idx
Strong< uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber > LMS_Tree_Node_Idx
The index of a node within a specific LMS tree layer.
Definition lm_ots.h:48
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Generated by doxygen 1.15.0