2.6 eXtended Merkle Signature Scheme

The Crypto API supports eXtended Merkle Signature Scheme (XMSS), and the multi-tree variant XMSS^MT. These schemes are defined in XMSS: eXtended Merkle Signature Scheme [RFC8391].

For the Crypto API to support signature verification, it is only necessary to define public keys for these schemes, and the default public key formats for import and export.

Rationale

At present, it is not expected that the Crypto API will be used to generate XMSS or XMSS^MT private keys, or to carry out signing operations. However, there is value in supporting verification of XMSS and XMSS^MT signatures. Therefore, the Crypto API does not support XMSS or XMSS^MT key pairs, or the associated signing operations.

Note

A full set of NIST-approved parameter sets for XMSS or XMSS^MT is defined in NIST Special Publication 800-208: Recommendation for Stateful Hash-Based Signature Schemes [SP800-208] §5.

2.6.1 XMSS and XMSS^MT keys

PSA_KEY_TYPE_XMSS_PUBLIC_KEY (macro)

eXtended Merkle Signature Scheme (XMSS) public key.

Added in version 1.3.

#define PSA_KEY_TYPE_XMSS_PUBLIC_KEY ((psa_key_type_t)0x400B)

The parameterization of an XMSS key is fully encoded in the key data.

The key attribute size of an XMSS public key is output length, in bits, of the hash function identified by the XMSS parameter set.

• SHA-256/192, SHAKE256/192 : key_bits = 192

• SHA-256, SHAKE256/256 : key_bits = 256

Note

For a multi-tree XMSS key, see PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY.

Compatible algorithms

PSA_ALG_XMSS

Key format

Warning

The key format may change in a final version of this API. The standardization of exchange formats for XMSS public keys is in progress, but final documents have not been published. See Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure [LAMPS-SHBS].

The current proposed format is based on the expected outcome of that process.

In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded xmss_public_key structure, defined in [RFC8391] Appendix B.3.

PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY (macro)

Multi-tree eXtended Merkle Signature Scheme (XMSS^MT) public key.

Added in version 1.3.

#define PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY ((psa_key_type_t)0x400D)

The parameterization of an XMSS^MT key is fully encoded in the key data.

The key attribute size of an XMSS^MT public key is output length, in bits, of the hash function identified by the XMSS^MT parameter set.

• SHA-256/192, SHAKE256/192 : key_bits = 192

• SHA-256, SHAKE256/256 : key_bits = 256

Compatible algorithms

PSA_ALG_XMSS_MT

Key format

Warning

The key format may change in a final version of this API. The standardization of exchange formats for XMSS^MT public keys is in progress, but final documents have not been published. See Use of the HSS and XMSS Hash-Based Signature Algorithms in Internet X.509 Public Key Infrastructure [LAMPS-SHBS].

The current proposed format is based on the expected outcome of that process.

In calls to psa_import_key(), psa_export_key(), and psa_export_public_key(), the public-key data format is the encoded xmssmt_public_key structure, defined in [RFC8391] Appendix C.3.

2.6.2 XMSS and XMSS^MT algorithms

These algorithms extend those defined in PSA Certified Crypto API [PSA-CRYPT] §10.7 Asymmetric signature, for use with the signature functions.

PSA_ALG_XMSS (macro)

eXtended Merkle Signature Scheme (XMSS) signature algorithm.

Added in version 1.3.

#define PSA_ALG_XMSS ((psa_algorithm_t) 0x06004A00)

This message-signature algorithm can only be used with the psa_verify_message() function.

This is the XMSS stateful hash-based signature algorithm, defined by XMSS: eXtended Merkle Signature Scheme [RFC8391]. XMSS requires an XMSS key. The key and the signature must both encode the same XMSS parameter set, which is used for the verification procedure.

Note

XMSS signature calculation is not supported.

Compatible key types

PSA_KEY_TYPE_XMSS_PUBLIC_KEY (signature verification only)

PSA_ALG_XMSS_MT (macro)

Multi-tree eXtended Merkle Signature Scheme (XMSS^MT) signature algorithm.

Added in version 1.3.

#define PSA_ALG_XMSS_MT ((psa_algorithm_t) 0x06004B00)

This message-signature algorithm can only be used with the psa_verify_message() function.

This is the XMSS^MT stateful hash-based signature algorithm, defined by XMSS: eXtended Merkle Signature Scheme [RFC8391]. XMSS^MT requires an XMSS^MT key. The key and the signature must both encode the same XMSS^MT parameter set, which is used for the verification procedure.

Note

XMSS^MT signature calculation is not supported.

Compatible key types

PSA_KEY_TYPE_XMSS_MT_PUBLIC_KEY (signature verification only)