Botan 3.6.1
Crypto and TLS for C&
hss_lms.h
Go to the documentation of this file.
1/*
2 * Hierarchical Signature System (HSS) / Leighton-Micali Signature (LMS)
3 * hash-based signature algorithm (RFC 8554).
4 *
5 * (C) 2023 Jack Lloyd
6 * 2023 Philippe Lieser, Fabian Albert - Rohde & Schwarz Cybersecurity GmbH
7 *
8 * Botan is released under the Simplified BSD License (see license.txt)
9 **/
10
11#ifndef BOTAN_HSS_LMS_H_
12#define BOTAN_HSS_LMS_H_
13
14#include <botan/pk_keys.h>
15
16#include <memory>
17#include <vector>
18
19namespace Botan {
20
21class HSS_LMS_PublicKeyInternal;
22class HSS_LMS_PrivateKeyInternal;
23
24/**
25 * @brief An HSS/LMS public key.
26 *
27 * Implementation of the Hierarchical Signature System (HSS) of
28 * Leighton-Micali Hash-Based Signatures (LMS) defined in RFC 8554
29 * (https://www.rfc-editor.org/rfc/rfc8554.html).
30 *
31 * To derive seeds for single LMS trees in the HSS-multitree, the method (SECRET_METHOD 2)
32 * of the reference implementation (https://github.com/cisco/hash-sigs) is used.
33 */
34class BOTAN_PUBLIC_API(3, 5) HSS_LMS_PublicKey : public virtual Public_Key {
35 public:
36 /**
37 * @brief Load an existing public key using its bytes.
38 */
39 HSS_LMS_PublicKey(std::span<const uint8_t> pub_key_bytes);
40
41 ~HSS_LMS_PublicKey() override;
42
43 size_t key_length() const override;
44
45 std::string algo_name() const override;
46
47 size_t estimated_strength() const override;
48 AlgorithmIdentifier algorithm_identifier() const override;
49 OID object_identifier() const override;
50 bool check_key(RandomNumberGenerator& rng, bool strong) const override;
51 std::vector<uint8_t> raw_public_key_bits() const override;
52 std::vector<uint8_t> public_key_bits() const override;
53
54 std::unique_ptr<PK_Ops::Verification> create_verification_op(std::string_view params,
55 std::string_view provider) const override;
56
57 std::unique_ptr<PK_Ops::Verification> create_x509_verification_op(const AlgorithmIdentifier& signature_algorithm,
58 std::string_view provider) const override;
59
60 bool supports_operation(PublicKeyOperation op) const override;
61
62 /**
63 * @throws Not_Implemented for LMS public keys.
64 */
65 std::unique_ptr<Private_Key> generate_another(RandomNumberGenerator& rng) const override;
66
67 protected:
68 HSS_LMS_PublicKey() = default;
69
70 std::shared_ptr<HSS_LMS_PublicKeyInternal> m_public;
71};
72
73BOTAN_DIAGNOSTIC_PUSH
74BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
75
76/**
77 * @brief An HSS/LMS private key.
78 *
79 * HSS/LMS is a statefule hash-based signature scheme. This means the private key must
80 * be (securely) updated after using it for signing. Also, there is a maximal number
81 * of signatures that can be created using one HSS/LMS key pair, which depends on
82 * the number and size of LMS layers of the chosen HSS/LMS instance. For the selection
83 * of a sensible parameter set, refer to RFC 8554 6.4.
84 *
85 * The format of the HSS/LMS private key is not defined in
86 * RFC 8554. We use the following format (big endian):
87 *
88 * PrivateKey = u32str(L) || u64str(idx) ||
89 * u32str(LMS algorithm id (root layer)) || u32str(LMOTS algorithm id (root layer)) ||
90 * ... ||
91 * u32str(LMS algorithm id (bottom layer)) || u32str(LMOTS algorithm id (bottom layer)) ||
92 * HSS_SEED || HSS_Identifier
93 *
94 * L: Number of LMS layers
95 * Idx: Number of signatures already created using this private key
96 * HSS_SEED: Seed to derive LMS Seeds (see RFC 8554 Appendix A) like in SECRET_METHOD 2 of
97 * https://github.com/cisco/hash-sigs. As long as the hash functions output length.
98 * HSS_Identifier: 16 bytes long.
99 *
100 * The HSS/LMS instance to use for creating new keys is defined using an algorithm parameter sting,
101 * i.e. to define which hash function (hash), LMS tree height (h)
102 * and OTS Winternitz coefficient widths (w) to use. The syntax is the following:
103 *
104 * HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)
105 *
106 * e.g. 'HSS-LMS(SHA-256,HW(5,1),HW(5,1))' to use SHA-256 in a two-layer HSS instance
107 * with a LMS tree hights 5 and w=1. The following parameters are allowed (which are
108 * specified in RFC 8554 and draft-fluhrer-lms-more-parm-sets-11):
109 *
110 * hash: 'SHA-256', 'Truncated(SHA-256,192)', 'SHAKE-256(256)', SHAKE-256(192)
111 * h: '5', '10', '15', '20', '25'
112 * w: '1', '2', '4', '8'
113 *
114 * Note: The selected hash function is also used for seed derivation.
115 */
116class BOTAN_PUBLIC_API(3, 5) HSS_LMS_PrivateKey final : public virtual HSS_LMS_PublicKey,
117 public virtual Private_Key {
118 public:
119 /**
120 * @brief Load an existing LMS private key using its bytes
121 */
122 HSS_LMS_PrivateKey(std::span<const uint8_t> private_key_bytes);
123
124 /**
125 * @brief Construct a new hss lms privatekey object.
126 *
127 * @param rng random number generator
128 * @param algo_params string is format 'HSS-LMS(<hash>,HW(<h>,<w>),HW(<h>,<w>),...)'
129 */
130 HSS_LMS_PrivateKey(RandomNumberGenerator& rng, std::string_view algo_params);
131
132 ~HSS_LMS_PrivateKey() override;
133
134 secure_vector<uint8_t> private_key_bits() const override;
135 secure_vector<uint8_t> raw_private_key_bits() const override;
136 std::unique_ptr<Public_Key> public_key() const override;
137
138 AlgorithmIdentifier pkcs8_algorithm_identifier() const override;
139
140 bool stateful_operation() const override { return true; }
141
142 /**
143 * Retrieves the number of remaining signatures for this private key.
144 */
145 std::optional<uint64_t> remaining_operations() const override;
146
147 std::unique_ptr<Private_Key> generate_another(RandomNumberGenerator& rng) const override;
148
149 std::unique_ptr<PK_Ops::Signature> create_signature_op(RandomNumberGenerator& rng,
150 std::string_view params,
151 std::string_view provider) const override;
152
153 private:
154 HSS_LMS_PrivateKey(std::shared_ptr<HSS_LMS_PrivateKeyInternal> sk);
155
156 std::shared_ptr<HSS_LMS_PrivateKeyInternal> m_private;
157};
158
159BOTAN_DIAGNOSTIC_POP
160
161} // namespace Botan
162
163#endif
Botan::HSS_LMS_PrivateKey
An HSS/LMS private key.
Definition hss_lms.h:117
Botan::HSS_LMS_PrivateKey::stateful_operation
bool stateful_operation() const override
Definition hss_lms.h:140
Botan::HSS_LMS_PrivateKey::~HSS_LMS_PrivateKey
~HSS_LMS_PrivateKey() override
Botan::HSS_LMS_PublicKey
An HSS/LMS public key.
Definition hss_lms.h:34
Botan::HSS_LMS_PublicKey::~HSS_LMS_PublicKey
~HSS_LMS_PublicKey() override
Botan::HSS_LMS_PublicKey::HSS_LMS_PublicKey
HSS_LMS_PublicKey()=default
Botan::HSS_LMS_PublicKey::m_public
std::shared_ptr< HSS_LMS_PublicKeyInternal > m_public
Definition hss_lms.h:70
Botan::Private_Key
Definition pk_keys.h:263
Botan::Public_Key
Definition pk_keys.h:119
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
BOTAN_DIAGNOSTIC_POP
#define BOTAN_DIAGNOSTIC_POP
Definition compiler.h:191
BOTAN_DIAGNOSTIC_PUSH
#define BOTAN_DIAGNOSTIC_PUSH
Definition compiler.h:188
BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
#define BOTAN_DIAGNOSTIC_IGNORE_INHERITED_VIA_DOMINANCE
Definition compiler.h:190
BOTAN_PUBLIC_API
#define BOTAN_PUBLIC_API(maj, min)
Definition compiler.h:31
Botan::PublicKeyOperation
PublicKeyOperation
Definition pk_keys.h:45
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Generated by doxygen 1.12.0