2.6 eXtended Merkle Signature Scheme
The Crypto API supports eXtended Merkle Signature Scheme (XMSS), and the multi-tree variant XMSSMT. These schemes are defined in XMSS: eXtended Merkle Signature Scheme [RFC8391].
For the Crypto API to support signature verification, it is only necessary to define public keys for these schemes, and the default public key formats for import and export.
Rationale
At present, it is not expected that the Crypto API will be used to generate XMSS or XMSSMT private keys, or to carry out signing operations. However, there is value in supporting verification of XMSS and XMSSMT signatures. Therefore, the Crypto API does not support XMSS or XMSSMT key pairs, or the associated signing operations.
Note
A full set of NIST-approved parameter sets for XMSS or XMSSMT is defined in NIST Special Publication 800-208: Recommendation for Stateful Hash-Based Signature Schemes [SP800-208] §5.
2.6.1 XMSS and XMSSMT keys
PSA_KEY_TYPE_XMSS_PUBLIC_KEY (macro)
eXtended Merkle Signature Scheme (XMSS) public key.
Added in version 1.3.
#define PSA_KEY_TYPE_XMSS_PUBLIC_KEY ((psa_key_type_t)0x400B)
The parameterization of an XMSS key is fully encoded in the key data.
The key attribute size of an XMSS public key is the output length, in bits, of the hash function identified by the XMSS parameter set:
SHA-256/192, SHAKE256/192: key_bits = 192
SHA-256, SHAKE256/256: key_bits = 256
Note
For a multi-tree XMSS key, see PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY.
Compatible algorithms
PSA_ALG_XMSS (signature verification only)
Key format
Warning
The key format may change in a final version of this API. The standardization of exchange formats for XMSS public keys is in progress, but final documents have not been published. See Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure [LAMPS-SHBS].
The current proposed format is based on the expected outcome of that process.
In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded xmss_public_key structure, defined in [RFC8391] Appendix B.3.
PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY (macro)
Multi-tree eXtended Merkle Signature Scheme (XMSSMT) public key.
Added in version 1.3.
#define PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY ((psa_key_type_t)0x400D)
The parameterization of an XMSSMT key is fully encoded in the key data.
The key attribute size of an XMSSMT public key is the output length, in bits, of the hash function identified by the XMSSMT parameter set:
SHA-256/192, SHAKE256/192: key_bits = 192
SHA-256, SHAKE256/256: key_bits = 256
Compatible algorithms
PSA_ALG_XMSS_MT (signature verification only)
Key format
Warning
The key format may change in a final version of this API. The standardization of exchange formats for XMSSMT public keys is in progress, but final documents have not been published. See Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure [LAMPS-SHBS].
The current proposed format is based on the expected outcome of that process.
In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded xmssmt_public_key structure, defined in [RFC8391] Appendix C.3.
2.6.2 XMSS and XMSSMT algorithms
These algorithms extend those defined in PSA Certified Crypto API [PSA-CRYPT] §10.7 Asymmetric signature, for use with the signature functions.
PSA_ALG_XMSS (macro)
eXtended Merkle Signature Scheme (XMSS) signature algorithm.
Added in version 1.3.
#define PSA_ALG_XMSS ((psa_algorithm_t) 0x06004A00)
This message-signature algorithm can only be used with the psa_verify_message() function.
This is the XMSS stateful hash-based signature algorithm, defined by XMSS: eXtended Merkle Signature Scheme [RFC8391]. XMSS requires an XMSS key. The key and the signature must both encode the same XMSS parameter set, which is used for the verification procedure.
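As an added illustration (not code from the PSA Certified Crypto API specification, from Arm, or from any Crypto API implementation), the C program below decodes the xmss_public_key structure used by the key format in 2.6.1, derives the key_bits attribute the API reports for the imported key, and computes the signature length implied by the parameter set, so that a verifier can reject a key/signature pair whose lengths cannot correspond to the same parameter set before psa_verify_message() is called. The parameter-set OIDs are taken from [RFC8391] §5.3 (XMSS-SHA2_*_256) and [SP800-208] §5.1 (the 192-bit SHA-256 and the SHAKE256 sets); only the four hash families for which this section defines key_bits are covered, and the XMSSMT encoding of Appendix C.3 (same layout, separate OID registry) is not handled. The sample key bytes are constructed filler rather than a real key, and the type and function names (xmss_params_t, xmss_parse_public_key, xmss_expected_sig_len, xmss_make_sample_key) are this example's own, not part of the Crypto API.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hash families for which this section defines a key_bits value. */
typedef enum {
    XMSS_HASH_SHA256 = 1,      /* SHA-256,     n = 32 */
    XMSS_HASH_SHA256_192,      /* SHA-256/192, n = 24 */
    XMSS_HASH_SHAKE256_256,    /* SHAKE256/256, n = 32 */
    XMSS_HASH_SHAKE256_192     /* SHAKE256/192, n = 24 */
} xmss_hash_t;

typedef struct {
    uint32_t    oid;       /* parameter-set identifier from the key data */
    xmss_hash_t hash;
    size_t      n;         /* hash output length in bytes */
    unsigned    h;         /* tree height: 2^h one-time keys */
    size_t      key_bits;  /* PSA key attribute size = 8 * n */
} xmss_params_t;

/* OIDs: RFC 8391 section 5.3 for XMSS-SHA2_{10,16,20}_256,
 * NIST SP 800-208 section 5.1 for the 192-bit SHA-256 and SHAKE256 sets. */
static const struct { uint32_t oid; xmss_hash_t hash; size_t n; unsigned h; } XMSS_OIDS[] = {
    {0x00000001, XMSS_HASH_SHA256,       32, 10},
    {0x00000002, XMSS_HASH_SHA256,       32, 16},
    {0x00000003, XMSS_HASH_SHA256,       32, 20},
    {0x0000000D, XMSS_HASH_SHA256_192,   24, 10},
    {0x0000000E, XMSS_HASH_SHA256_192,   24, 16},
    {0x0000000F, XMSS_HASH_SHA256_192,   24, 20},
    {0x00000010, XMSS_HASH_SHAKE256_256, 32, 10},
    {0x00000011, XMSS_HASH_SHAKE256_256, 32, 16},
    {0x00000012, XMSS_HASH_SHAKE256_256, 32, 20},
    {0x00000013, XMSS_HASH_SHAKE256_192, 24, 10},
    {0x00000014, XMSS_HASH_SHAKE256_192, 24, 16},
    {0x00000015, XMSS_HASH_SHAKE256_192, 24, 20},
};

/* Decode an encoded xmss_public_key (RFC 8391 Appendix B.3):
 *   oid (4 bytes, big-endian) || root (n bytes) || seed (n bytes)
 * Returns 0 and fills *p on success; -1 if the OID is not one of the
 * supported sets or the blob is not exactly 4 + 2n bytes long. */
int xmss_parse_public_key(const uint8_t *key, size_t key_len, xmss_params_t *p)
{
    if (key == NULL || p == NULL || key_len < 4) return -1;
    uint32_t oid = ((uint32_t)key[0] << 24) | ((uint32_t)key[1] << 16) |
                   ((uint32_t)key[2] << 8)  |  (uint32_t)key[3];
    for (size_t i = 0; i < sizeof XMSS_OIDS / sizeof XMSS_OIDS[0]; i++) {
        if (XMSS_OIDS[i].oid != oid) continue;
        if (key_len != 4 + 2 * XMSS_OIDS[i].n) return -1;  /* truncated or padded blob */
        p->oid = oid;
        p->hash = XMSS_OIDS[i].hash;
        p->n = XMSS_OIDS[i].n;
        p->h = XMSS_OIDS[i].h;
        p->key_bits = 8 * XMSS_OIDS[i].n;   /* 192 or 256, as in this section */
        return 0;
    }
    return -1;
}

/* WOTS+ chain count for Winternitz parameter w = 16 (RFC 8391 section 3.1.1):
 *   len_1 = ceil(8n / 4), len_2 = floor(log2(len_1 * 15) / 4) + 1 */
static size_t wots_len(size_t n)
{
    size_t len_1 = (8 * n + 3) / 4;
    size_t x = len_1 * 15;
    unsigned lg = 0;
    while (x >>= 1) lg++;             /* floor(log2(len_1 * (w - 1))) */
    return len_1 + (lg / 4 + 1);
}

/* Expected length of an xmss_signature (RFC 8391 Appendix B.2):
 *   idx_sig (4) || r (n) || sig_ots (len * n) || auth (h * n) */
size_t xmss_expected_sig_len(const xmss_params_t *p)
{
    return 4 + p->n + wots_len(p->n) * p->n + (size_t)p->h * p->n;
}

/* Constructed sample key: the given OID followed by filler root/seed bytes.
 * Not a real key; used only to exercise the decoder. Returns bytes written. */
size_t xmss_make_sample_key(uint32_t oid, size_t n, uint8_t *buf, size_t buf_len)
{
    size_t total = 4 + 2 * n;
    if (buf == NULL || buf_len < total) return 0;
    buf[0] = (uint8_t)(oid >> 24); buf[1] = (uint8_t)(oid >> 16);
    buf[2] = (uint8_t)(oid >> 8);  buf[3] = (uint8_t)oid;
    memset(buf + 4, 0xA5, n);          /* placeholder root */
    memset(buf + 4 + n, 0x5A, n);      /* placeholder seed */
    return total;
}

int main(void)
{
    uint8_t key[4 + 2 * 32];
    xmss_params_t p;
    size_t len = xmss_make_sample_key(0x00000001, 32, key, sizeof key);  /* XMSS-SHA2_10_256 */
    if (xmss_parse_public_key(key, len, &p) != 0) { puts("reject: bad key data"); return 1; }
    printf("oid=0x%08X n=%zu h=%u key_bits=%zu expected_sig_len=%zu\n",
           p.oid, p.n, p.h, p.key_bits, xmss_expected_sig_len(&p));
    return 0;
}
```

A verifier that wraps psa_import_key() and psa_verify_message() can run xmss_parse_public_key() on the incoming key blob to confirm that the data is well-formed and that any key_bits value it places in the key attributes matches the parameter set the blob actually encodes, and can compare the candidate signature's length against xmss_expected_sig_len() before handing it to the API; a mismatch means the key and signature cannot encode the same parameter set and the pair can be rejected early with no hash computation.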
Note
XMSS signature calculation is not supported.
Compatible key types
PSA_KEY_TYPE_XMSS_PUBLIC_KEY (signature verification only)
PSA_ALG_XMSS_MT (macro)
Multi-tree eXtended Merkle Signature Scheme (XMSSMT) signature algorithm.
Added in version 1.3.
#define PSA_ALG_XMSS_MT ((psa_algorithm_t) 0x06004B00)
This message-signature algorithm can only be used with the psa_verify_message() function.
This is the XMSSMT stateful hash-based signature algorithm, defined by XMSS: eXtended Merkle Signature Scheme [RFC8391]. XMSSMT requires an XMSSMT key. The key and the signature must both encode the same XMSSMT parameter set, which is used for the verification procedure.
Note
XMSSMT signature calculation is not supported.
Compatible key types
PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY (signature verification only)