Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SHA256/192 parameter sets #17

Merged
merged 7 commits into from
Feb 18, 2025
Merged

Support SHA256/192 parameter sets #17

merged 7 commits into from
Feb 18, 2025

Conversation

chrisfenner
Copy link
Contributor

This PR is intended to partly address #16. A future PR could add the SHAKE256-based parameter sets from https://datatracker.ietf.org/doc/draft-fluhrer-lms-more-parm-sets/19/

This change is organized into several commits:

9fec504 breaks up lms_type_code into lmsTypecode and lmotsTypecode
597ce9e refactors the main ots_test test cases into two table-driven tests
dd44552 merges the two table-driven tests in ots_test and adds better negative coverage to ots_test
a661817 moves the existing hash_write helper into common and adds a hashSum helper as well, to deal with the truncation of hashes for some parameter sets. It updates some internal code to use params.N where before it assumed N was the same as the size of the hash output.
761b8aa adds support for SHA256/192 based LMS and LM-OTS parameter sets
3ce0165 adds the KAT from the RFC that introduces SHA256/192 based parameter sets

@chrisfenner
Break up into lms_type_code into lmsTypecode and lmotsTypecode
9fec504 
This commit replaces lms_type_code (which was used for typecodes for
both LMS and LM-OTS) with two types: lmsTypecode (for LMS typecodes) and
lmotsTypecode (for LM-OTS typecodes).

While the typecodes for both LMS and LM-OTS parameter sets are both
uint32 values, and the original sets in RFC8554 didn't overlap, the
namespaces are distinct: see
https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml

Separating the types also allows greater clarity of code: the expected
type of a typecode is explicit now, and type safety will reduce future
bugs.

The new type names use camelCase instead of snake_case. This is
idiomatic for Go:
https://google.github.io/styleguide/go/decisions#underscores

The original choice not to export lms_type_code is respected by this
change. Not making the type public is an uncommon choice, but it does
allow internal refactors like this one to avoid breaking callers.
@chrisfenner
Refactor ots_test
597ce9e 
This commit updates TestOtsSignVerify and TestOtsSignVerifyFail to be
table-driven tests. This is more idiomatic for Go, and will allow us to
add more OTS parameter sets later easily.
@chrisfenner
Merge TestOtsSignVerify and TestOtsSignVerifyFail
dd44552 
This commit merges the Verify and VerifyFail tests into one table-driven
test, with subtests for the OK and fail cases.
@chrisfenner
Extract common hash helpers to common and consistently use params.N
a661817 
This commit factors out hash_write into common.HashWrite, and replaces
usage of hash.Hash.Sum with a new helper called common.HashSum, which
takes care of the hash truncation for cases when params.N is less than
the size of the hash.
@chrisfenner
Add support for SHA256/192-based parameter sets for LMS and LM-OTS
761b8aa 
https://datatracker.ietf.org/doc/draft-fluhrer-lms-more-parm-sets/19/
@chrisfenner
Add known-answer test from RFC
3ce0165 
This commit incorporates the known-answer test for SHA256/192 from
https://datatracker.ietf.org/doc/draft-fluhrer-lms-more-parm-sets/19/
@CLAassistant
Copy link

CLAassistant commented Feb 15, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@tob-scott-a
Copy link
Contributor

These changes look good to me. I think SHAKE256-based parameters are also worth supporting in the future (although they're currently not in the standard library crypto module--only vanilla SHA3 is).

@tob-scott-a tob-scott-a merged commit d2f2806 into trailofbits:main Feb 18, 2025
2 checks passed
@chrisfenner
Copy link
Contributor Author

Thank you for the extremely quick turnaround, @tob-scott-a!

Re: SHAKE256 - I may find some time to follow up on this.

@chrisfenner
Copy link
Contributor Author

Thank you for the extremely quick turnaround, @tob-scott-a!

Re: SHAKE256 - I may find some time to follow up on this.

@tob-scott-a it looks like go 1.24 has it: golang/go#70701. How open are you to updating the required Go version for this module as part of the introduction of SHAKE256-based LMS parameters?

@tob-scott-a
Copy link
Contributor

Go 1.24 has SHA3, but SHAKE requires x/crypto.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tob-scott-a tob-scott-a tob-scott-a approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chrisfenner @CLAassistant @tob-scott-a