2.5 Leighton-Micali Signatures

The Crypto API supports Leighton-Micali Signatures (LMS), and the multi-level Hierarchical Signature Scheme (HSS). These schemes are defined in Leighton-Micali Hash-Based Signatures [RFC8554].

For the Crypto API to support signature verification, it is only necessary to define a public keys for these schemes, and the default public key formats for import and export.

Rationale

At present, it is not expected that the Crypto API will be used to generate LMS or HSS private keys, or to carry out signing operations. However, there is value in supporting verification of LMS and HSS signatures. Therefore, the Crypto API does not support LMS or HSS key pairs, or the associated signing operations.

Note

A full set of NIST-approved parameter sets for LMS and HSS is defined in NIST Special Publication 800-208: Recommendation for Stateful Hash-Based Signature Schemes [SP800-208] §4, with the additional IANA identifiers defined in Additional Parameter sets for HSS/LMS Hash-Based Signatures [CFRG-LMS].

2.5.1 Leighton-Micali Signature keys

PSA_KEY_TYPE_LMS_PUBLIC_KEY (macro)

Leighton-Micali Signatures (LMS) public key.

Added in version 1.3.

#define PSA_KEY_TYPE_LMS_PUBLIC_KEY ((psa_key_type_t)0x4007)

The parameterization of an LMS key is fully encoded in the key data.

The key attribute size of an LMS public key is output length, in bits, of the hash function identified by the LMS parameter set.

  • SHA-256/192, SHAKE256/192 : key_bits = 192

  • SHA-256, SHAKE256/256 : key_bits = 256

Compatible algorithms

Key format

In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded lms_public_key structure, defined in [RFC8554] §3.

PSA_KEY_TYPE_HSS_PUBLIC_KEY (macro)

Hierarchical Signature Scheme (HSS) public key.

Added in version 1.3.

#define PSA_KEY_TYPE_HSS_PUBLIC_KEY ((psa_key_type_t)0x4008)

The parameterization of an HSS key is fully encoded in the key data.

The key attribute size of an HSS public key is output length, in bits, of the hash function identified by the HSS parameter set.

  • SHA-256/192, SHAKE256/192 : key_bits = 192

  • SHA-256, SHAKE256/256 : key_bits = 256

Compatible algorithms

Key format

Warning

The key format may change in a final version of this API. The standardization of exchange formats for HSS public keys is in progress, but final documents have not been published. See Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure [LAMPS-SHBS].

The current proposed format is based on the expected outcome of that process.

In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded hss_public_key structure, defined in [RFC8554] §3.

2.5.2 Leighton-Micali Signature algorithms

These algorithms extend those defined in PSA Certified Crypto API [PSA-CRYPT] §10.7 Asymmetric signature, for use with the signature functions.

PSA_ALG_LMS (macro)

Leighton-Micali Signatures (LMS) signature algorithm.

Added in version 1.3.

#define PSA_ALG_LMS ((psa_algorithm_t) 0x06004800)

This message-signature algorithm can only be used with the psa_verify_message() function.

This is the LMS stateful hash-based signature algorithm, defined by Leighton-Micali Hash-Based Signatures [RFC8554]. LMS requires an LMS key. The key and the signature must both encode the same LMS parameter set, which is used for the verification procedure.

Note

LMS signature calculation is not supported.

Compatible key types

PSA_KEY_TYPE_LMS_PUBLIC_KEY (signature verification only)

PSA_ALG_HSS (macro)

Hierarchical Signature Scheme (HSS) signature algorithm.

Added in version 1.3.

#define PSA_ALG_HSS ((psa_algorithm_t) 0x06004900)

This message-signature algorithm can only be used with the psa_verify_message() function.

This is the HSS stateful hash-based signature algorithm, defined by Leighton-Micali Hash-Based Signatures [RFC8554]. HSS requires an HSS key. The key and the signature must both encode the same HSS parameter set, which is used for the verification procedure.

Note

HSS signature calculation is not supported.

Compatible key types

PSA_KEY_TYPE_HSS_PUBLIC_KEY (signature verification only)