LMS and HSS
Thales also provides optional PKCS11 header files, including all of the mechanism constants and mechanism parameter structs for LMS/HSS. These header files are needed to develop a C or C++ application using the new mechanisms supported by the 7.8.8 firmware.
HSS algorithm is basically a chain of LMS signatures whose length is the number of HSS levels.
Therefore, an HSS signature with 1 level is equivalent to an LMS signature.
Applications that expect a raw LMS signature will need to strip away additional HSS level information to recover the raw LMS signature.
Details are shown below in the mechanism descriptions.
NOTE By design (approved by NIST) HSS keys cannot be copied/cloned and therefore are not for use in an HA group, and cannot be backed-up or restored.
Time Considerations
Key generation mechanisms and signing mechanisms may take many minutes.
In the CoreLibrary the SignInit and the C_GenerateKeyPair using HSS mechanisms will apply the timeout specified in the config file.
Section: Luna
Name: HSSKeyGenSignTimeout
Default: no timeout
NOTE At the same width, height, etc., increasing the number of levels causes relatively small increases in time required for the action.
The larger the W parameter, the more time is required for signing.
The smaller the W parameter, the larger the resulting signatures.
Key generation will take some time.
The first signature with a new key, or following a reboot of the HSM, takes significantly longer than subsequent signatures.
HSS Application Programming Interface
This section describes the C-based PKCS#11 interface to the HSS functions in the HSM firmware.
MECHANISMS
HSS
HSS is a mechanism for single-part signatures and verification that follows the digital signature algorithm defined in [RFC 8554] and [NIST 800-208].
LMS is supported by the NIST Algorithm Validation Scheme. So, these key types and mechanisms are supported in FIPS Algorithms Only mode.
Definitions
#define CKK_HSS 0x00000046UL #define CKA_HSS_LEVELS 0x00000617UL #define CKA_HSS_LMS_TYPE 0x00000618UL #define CKA_HSS_LMOTS_TYPE 0x00000619UL #define CKA_HSS_LMS_TYPES 0x0000061aUL #define CKA_HSS_LMOTS_TYPES 0x0000061bUL #define CKA_HSS_KEYS_REMAINING 0x0000061cUL
typedef CK_ULONG CK_HSS_LEVELS; typedef CK_ULONG CK_LMS_TYPE; typedef CK_ULONG CK_LMOTS_TYPE;
#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL #define CKM_HSS 0x00004033UL
| Functions | |||||||
|---|---|---|---|---|---|---|---|
| Mechanism | Encrypt & Decrypt |
Sign & Verify |
SR & VR | Digest | Generate Key/Keypair |
Wrap & Unwrap |
Derive |
| CKM_HSS_KEY_PAIR_GEN | - | - | - | - | Yes | - | - |
| CKM_HSS | - | Yes | - | - | - | - | - |
HSS public key objects
HSS public key objects (object class CKO_PUBLIC_KEY, key type CKK_HSS) hold HSS public keys.
The following table defines the HSS public key object attributes, in addition to the common attributes defined for this object class:
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_HSS_LEVELS ** | CK_ULONG | The number of levels in the HSS scheme. |
| CKA_HSS_LMS_TYPE ** | CK_ULONG | The encoding for the Merkle tree heights of the top level LMS tree in the hierarchy. |
| CKA_HSS_LMOTS_TYPE ** | CK_ULONG | The encoding for the Winternitz parameter of the one-time-signature scheme of the top level LMS tree. |
| CKA_VALUE *, *** | Byte array | XDR-encoded public key as defined in [RFC 8554]. |
* MUST be specified when object is created with C_CreateObject.
** Optional when object is created with C_CreateObject.
*** MUST not be specified when object is generated with C_GenerateKeyPair.
HSS private key objects
HSS private key objects (object class CKO_PRIVATE_KEY, key type CKK_HSS) hold HSS private keys.
For security reasons HSS Private key must never be capable of generating more than one signature with the same index value. The simple solution is to ensure only one instance of a key exists. That is, it is never copied within the HSM and never leaves the HSM. Therefore: C_CopyObject, C_CreateObject, C_WrapKey and C_UnwrapKey operations are NOT allowed on HSS Private key objects.
The following table defines the HSS private key object attributes, in addition to the common attributes defined for this object class:
| Attribute | Data Type | Meaning |
|---|---|---|
| CKA_HSS_LEVELS* | CK_ULONG |
The number of levels in the HSS scheme Typical value 1, 2 or 3 - maximum 8 |
| CKA_HSS_LMS_TYPES* | CK_ULONG_PTR | A list of encodings for the Merkle tree heights of the LMS trees in the hierarchy from top to bottom. The number of encodings in the array is the ulValueLen component of the attribute divided by the size of CK_ULONG. This number must match the CKA_HSS_LEVELS attribute value. |
| CKA_HSS_LMOTS_TYPES* | CK_ULONG_PTR | A list of encodings for the Winternitz parameter of the one-time-signature scheme of the LMS trees in the hierarchy from top to bottom. The number of encodings in the array is the ulValueLen component of the attribute divided by the size of CK_ULONG. This number must match the CKA_HSS_LEVELS attribute value. |
| CKA_VALUE** *** | Byte array | Vendor defined, must include state information. |
| CKA_PUBLIC_KEY** | Byte array | Proprietary extension, same value as CKA_VALUE in the public key. |
| CKA_HSS_KEYS_REMAINING** | CK_ULONG | The minimum of the following two values: 1) The number of one-time private keys remaining; 2) 2^32-1 |
* MUST be specified when object is generated with C_GenerateKeyPair.
** MUST not be specified when object is generated with C_GenerateKeyPair.
*** Cannot be revealed if object has its CKA_SENSITIVE attribute set to CK_TRUE or its CKA_EXTRACTABLE attribute set to CK_FALSE.
The encodings for CKA_HSS_LMOTS_TYPES and CKA_HSS_LMS_TYPES are defined in [RFC 8554] and [NIST 800-208].
CKA_SENSITIVE MUST be true, CKA_EXTRACTABLE MUST be false for this key.
HSS key pair generation
The HSS key pair generation mechanism, denoted CKM_HSS_KEY_PAIR_GEN, is a key pair generation mechanism for HSS.
This mechanism does not have a parameter.
The mechanism generates HSS public/private key pairs for the scheme specified by the CKA_HSS_LEVELS, CKA_HSS_LMS_TYPES, and CKA_HSS_LMOTS_TYPES attributes of the template for the private key.
The mechanism contributes the
•CKA_CLASS,
•CKA_KEY_TYPE,
•CKA_HSS_LEVELS,
•CKA_HSS_LMS_TYPE,
•CKA_HSS_LMOTS_TYPE, and
•CKA_VALUE
attributes to the new public key and the
•CKA_CLASS,
•CKA_KEY_TYPE,
•CKA_VALUE,
•CKA_PUBLIC_KEY and
•CKA_HSS_KEYS_REMAINING
attributes to the new private key.
If no CKA_ID attribute is specified in the public or private key templates the mechanism defaults the value to the ‘I’ key identifier value.
After the key pair is generated the mechanism compares the 16-byte key identifier (I value) of the public and private keys and ensures they match.
For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used and must be set to 0.
CKA_HSS_LMOTS_TYPES is an array of these CK_ULONG values where:
n = number of bytes in output of hash
w = the number of bits from hash or checksum used in a Winternitz single chain
p = number of n-byte elements in a key or signature
NOTE Only the SHA256 versions of these parameter sets are mentioned in the RFC 8554, but the remaining are approved in SP 800-208.
| Name SHA256 | Numeric Identifier | n | w | p |
|---|---|---|---|---|
| Reserved | 0x00000000 | |||
| LMOTS_SHA256_N32_W1 | 0x00000001 | 32 | 1 | 265 |
| LMOTS_SHA256_N32_W2 | 0x00000002 | 32 | 2 | 133 |
| LMOTS_SHA256_N32_W4 | 0x00000003 | 32 | 4 | 67 |
| LMOTS_SHA256_N32_W8 | 0x00000004 | 32 | 8 | 34 |
| Name SHA256/192 | Numeric Identifier | n | w | p |
|---|---|---|---|---|
| LMOTS_SHA256_N24_W1 | 0x00000005 | 24 | 1 | 200 |
| LMOTS_SHA256_N24_W2 | 0x00000006 | 24 | 2 | 101 |
| LMOTS_SHA256_N24_W4 | 0x00000007 | 24 | 4 | 51 |
| LMOTS_SHA256_N24_W8 | 0x00000008 | 24 | 8 | 26 |
CKA_HSS_LMS_TYPES is an array of these CK_ULONG values where:
h = the height of a tree
m = the number of bytes associated with each node (i.e. hash) of a Merkle tree.
NOTE LMS hash algorithm must be the same as used by the underlying LM-OTP parameter set.
| Name SHA256/192 | Numeric Identifier | m | h |
|---|---|---|---|
| LMS_SHA256_M24_H5 | 0x0000000A | 24 | 5 |
| LMS_SHA256_M24_H10 | 0x0000000B | 24 | 10 |
| LMS_SHA256_M24_H15 | 0x0000000C | 24 | 15 |
| LMS_SHA256_M24_H20 | 0x0000000D | 24 | 20 |
| LMS_SHA256_M24_H25 * | 0x0000000E | 24 | 25 |
| Name SHA256 | Numeric Identifier | m | h |
|---|---|---|---|
| LMS_SHA256_M32_H5 | 0x00000005 | 32 | 5 |
| LMS_SHA256_M32_H10 | 0x00000006 | 32 | 10 |
| LMS_SHA256_M32_H15 | 0x00000007 | 32 | 15 |
| LMS_SHA256_M32_H20 | 0x00000008 | 32 | 20 |
| LMS_SHA256_M32_H25 * | 0x00000009 | 32 | 25 |
| SHAKE variant not supported | |||
NOTE if the total number of LMS heights is greater than 64 or if the signature that would be created is greater than 64Kbyte then the key generate operation fails and CKR_KEY_SIZE_RANGE is returned.
The maximum number of signatures an HSS key can create, irrespective of the total height, is limited to 2^32.
* Height 25 LMS are not supported.
The format of an HSS public key is given below.
| L (levels) | 4 bytes |
| LMS Type (top level) | 4 bytes |
| LMOTS Type (top level) | 4 bytes |
| I (Key Identifier) | 16 bytes |
| K (top hash) | m bytes |
The LMS public key can be represented as the HSS public key but with the L value missing and assumed to equal 1 i.e. byte string:
u32str(lmstype) || u32str(lmotstype) || I || K
Therefore, to convert a HSS public key with one level to a LMS public key:
>verify first 4 bytes are 0, 0, 0, 1
>strip these 4 bytes from the key.
HSS signing/verifying
The HSS mechanism, denoted CKM_HSS, is a mechanism for single-part signatures and verification for HSS.
This mechanism has no parameter.
For the purposes of these mechanisms, an HSS signature is a byte string with length depending on CKA_HSS_LEVELS, CKA_HSS_LMS_TYPES, CKA_HSS_LMOTS_TYPES as described in the following table.
| Function | Key tpe | Input length | Output length |
|---|---|---|---|
| C_Sign | HSS Private Key | Any | 1296-74988* |
| C_Verify | HSS Public Key | any, 1296-749882 | N/A |
* The Signature size can be calculated with this formula (assumes all levels have same LMOTS and LMS parameters):
NOTE Sizes > 64KB are not supported.
Signature length bytes = 4+(levels-1)*(24+n)+levels*(8+(n+4+n*p)+ h*n)
where:
•p number of Winternitz chains e.g. SHA256 has values (265, 133, 67, 34) for lmots type (W1, W2, W4, W8) and
•n and m are sizes of hash in bytes (32 or 24) and
•h is the number of levels in the LMS Merkle trees and
•levels is the value of CKA_HSS_LEVELS
Luna HSMs have a limit of approximately 64KB for a signature, therefore some parameter sets cannot be supported on Luna – especially those with large number of levels.
For this mechanism, the ulMinKeySize and ulMaxKeySize fields of the CK_MECHANISM_INFO structure are not used and must be set to 0.
If the number of signatures is exhausted, CKR_KEY_EXHAUSTED is returned.
The format of an LM-OTS signature is given below.
| LM-OTS algorithm OID | 4 bytes |
| C (random value) | 16 bytes |
| y[0] | n bytes |
| y[p-1] | n bytes |
The format of an LMS signature is given below.
| u32str(q) | 4 bytes |
| LM-OTS signature | |
| LMS algorithm OID | 4 bytes |
| path[0] | m bytes |
| path[h-1] | m bytes |
In the specific case of L=1, the format of an HSS signature is
u32str(0) || sig[0]
In the general case, the format of an HSS signature is
u32str(Nspk) || signed_pub_key[0] || ...
|| signed_pub_key[Nspk-1] || sig[Nspk]
Converting an HSS signature to a LMS signature.
Assuming the HSS signature has been generated using a HSS private key with only one level then the raw LMS signature can be obtained by:
>verify the first 4 bytes are all zero
>strip the first 32 bits (4 bytes) from the HSS signature.
Converting a LMS signature to a HSS signature
(as required for the mechanism):
>Prepend 4 bytes of zero to the LMS signature
ABORTING LONG OPERATIONS
If you (your application or our tools) launch a lengthy keygen, and decide that the program has "locked up", and abort the program, the HSM remains committed to the original task, and no other cryptographic operation can be run until it is finished.
If you need to abort the key generation operation, you must reboot the HSM,
PUBLIC KEY CERTIFICATES
PQC public keys can use the X509 certificate syntax as long as the algorithm OID values and key/signature formats are standardized.
The object identifier for an HSS public key is id-alg-hss-lms-hashsig:
id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1)member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) alg(3) 17 }
SubjectPublicKeyInfo ::= SEQUENCE
algorithm AlgorithmIndentifier
subjectPublicKey BIT STRING
AlgorithmIndentifier ::= SEQUENCE
algorithm OBJECT IDENTIFIER
parameters ANY OPTIONAL -- NULL for HSS
subjectPublicKey defined by AlgorithmIndentifier
For HSS pub key it is an OCTET STRING inside a BIT STRING
HSSPublicKey ::= OCTECT STRING
CERTIFICATE EXTENSIONS
KeyUsage
{ digitalSignature, nonRepudiation, keyCertSign, cRLSign } }
HSS certs for end users MUST contain one or both of the following values:
nonRepudiation; and
digitalSignature.
HSS certs for a certification authority must use one or more of the following values:
nonRepudiation;
digitalSignature;
keyCertSign; and
cRLSign.
HSS Signature Algorithms
hss-with-SHA256 OBJECT IDENTIFIER ::= { itu-t(0)identified-organization(4) etsi(0) reserved(127)
etsi-identified-organization(0) isara(15) algorithms(1)
asymmetric(1) hss(12) 2 }
hss-with-SHA512 OBJECT IDENTIFIER ::= { itu-t(0)identified-organization(4) etsi(0) reserved(127)
etsi-identified-organization(0) isara(15) algorithms(1)
asymmetric(1) hss(12) 1 }
TOOLS
MULTITOKEN
The tool has been extended to perform HSS Key Pair gen and Sign/Verify operations.
Syntax
Arguments
-hssparams -hss Parameters for HSS Key Pair Generation/sign:
comma separated list of strings (default LMOTS_SHA256_N24_W4,LMS_SHA256_M32_H5)
Operating Modes
hssgenkey - HSS KeyGen
hsssignver - HSS Sign
HSS Operation:
Parameter set is a comma separated list of strings with one LMS and one LMOTS per level.
HSS Keys can have from 1 to 8 levels, each level is defined by one LMS and one LMOTS type.
LMS Types:
LMS_SHA256_M24_H5
LMS_SHA256_M24_H10
LMS_SHA256_M24_H15
LMS_SHA256_M24_H20
LMS_SHA256_M32_H5
LMS_SHA256_M32_H10
LMS_SHA256_M32_H15
LMS_SHA256_M32_H20
LMOTS Types:
LMOTS_SHA256_N24_W1
LMOTS_SHA256_N24_W2
LMOTS_SHA256_N24_W4
LMOTS_SHA256_N24_W8
LMOTS_SHA256_N32_W1
LMOTS_SHA256_N32_W2
LMOTS_SHA256_N32_W4
LMOTS_SHA256_N32_W8
For example, a two level key with top level height 10 and bottom level height 5
-hssparams LMOTS_SHA256_N32_W4,LMS_SHA256_M32_H10,LMOTS_SHA256_N24_W1,LMS_SHA256_M32_H5
Default value of hssparams is a single level tree with LMOTS_SHA256_N32_W4,LMS_SHA256_M32_H5
If you are performing a signature test it is possible that the key under test would become exhausted. Rather than failing in this situation the multitoken utility generates a fresh key pair and continues the testing. This means that the time to generate a key pair is included in the signature timing results. Therefore, for "uncontaminated" signature timing results, choose the key parameters and the test duration / number of iterations, to avoid the key exhaustion problem.
CMU
Syntax
cmu generatekeypair
cmu generatekeypair [-keyType=<keytype>] [-modulusBits=<length>] [-publicExponent=<value>] [-label=<label>] [-inputFile=<filename>] [-labelPublic=<label>] [-labelPrivate=<label>] [-mech]=<pkcs | prime | aux>[-modifiable=<0/1>] [-encrypt=<0/1>] [-decrypt=<0/1>] [-sign=<0/1>] [-verify=<0/1>] [-wrap=<0/1>] [-unwrap=<0/1>] [-extractable=<0/1>] [-id=<hex_ID>] [-startDate=<YYYYMMDD>] [-endDate=<YYYYMMDD>] [-subject=<hex_value>] [-curvetype=<value>] [-prime=<length>] [-subprime=<length>] [-base=<length>]-hssparams=<paramlist>
| -extractable=<0/1> |
Defines the extractable setting for the private key in the newly generated key pair. It must be set to True or False (or 1 or 0), with False being the default. NOTE NOTE HSS Private keys are never extractable and attempting to specify extractable=1 will cause an error.
|
| -id=<hex_ID> |
Defines the ID field for the newly generated keys. It must be set to a big-endian hexadecimal integer value. NOTE NOTE HSS Keys CKA_ID will default to the unique ID value that is created as part of the key generation. |
| -keyType=<keytype> |
Defines the type of asymmetric keys to generate. This parameter is not required if the key type can be established by the presence of other parameters. (e.g. If -modulusBits and/or -publicExponent parameters are specified, then -keyType=RSA is redundant). Currently, only RSA key pairs are supported. |
| - hssparams =<params> |
Defines the hss key properties - LMS,LMOTS type(s) as list. Supported LMS Types LMS_SHA256_M32_H5 LMS_SHA256_M32_H10 LMS_SHA256_M32_H15 LMS_SHA256_M32_H20 LMS_SHA256_M32_H25 LMS_SHA256_M24_H5 LMS_SHA256_M24_H10 LMS_SHA256_M24_H15 LMS_SHA256_M24_H20 Supported LMOTS Types: LMOTS_SHA256_N32_W1 LMOTS_SHA256_N32_W2 LMOTS_SHA256_N32_W4 LMOTS_SHA256_N32_W8 LMOTS_SHA256_N24_W1 LMOTS_SHA256_N24_W2 LMOTS_SHA256_N24_W4 LMOTS_SHA256_N24_W8 Parameter Sets are a comma separated list of LMS and LMOTS Types, one pair for each level, starting with the top. For example, a two level HSS key where the top level has height 10 and signs 1024 bottom level trees of height 5 might look like this: hssparams=LMS_SHA256_M32_H10,LMOTS_SHA256_N32_W5,LMS_SHA256_M32_H5,LMOTS_SHA256_N32_W2 Example HSS Cmu gen -keytype=HSS -hssparams=LMS_SHA256_M32_H10,LMOTS_SHA256_N32_W4 -slot=3 -password=12345678 NOTE While the tool allows H25 keys to be specified, the HSM does not support a height of 25. |
cmu getattribute
| -attributes=<attribute(s)> |
Lists the attributes to be displayed for the object as a comma-separated list. Multiple instances of this option can also be used to define multiple attributes. If this parameter is omitted, all viewable attributes are displayed.
|
cmu getpkc
NOTE NOTE This operation works with non-extractable keys only, and supports RSA, ECC and HSS keypair types.
This confirmation procedure is currently not supported on FM-enabled HSMs.
cmu requestcertificate
supported for HSS
cmu selfsigncertificate
Can create self signed certs for HSS key pairs
New option -verify = true can be added to this command to request the CMU to verify the signature in the new certificate.
cmu setattribute
HSS Private and Public keys should allow some attributes to be changed if those are modifiable
cmu verifypkc
Verifies PKC certs for RSA, ECC and HSS private keys.
CKDEMO
NOTE: the ckdemo tool allows LMS heights 25 to be specified but the HSM does not support that level. If you attempt to generate a HSS keypair with H25 an error occurs.
The Ckdemo tool has the following extensions to support HSS:
Object Management:
(24) Get Attribute and (27) display Object: Displays HSS public and private key attributes.
(32) Extract Public Key: Extracts and encodes the HSS public key value
Security: Option:
(42) Sign: Allows for Algorithm (52) HSS and performs an HSS signature.
(43) Verify: Allows for Algorithm (52) HSS and performs an HSS signature verification.
(45) Simple Generate Key: New option (42) HSS prompts for HSS levels and parameters and generates a key pair.
GENERAL SUPPORT NOTES
NOTE Multi-part signing and verify is not yet supported.
>CKA_HSS_KEYS_REMAINING This attribute on the private key decrements after each signature.
>CKR_KEY_EXHAUSTED is returned from a sign operation if the CKA_HSS_KEYS_REMAINING is zero.
>CKA_EXTRACTABLE on the private key cannot be set to 1 when generating the key pair.
>CKA_ID defaults to ID of key pair but can be overwritten in the creation template. The ID is 16 bytes long stored in the public key starting at offset 12.
>Certain parameter sets (8 levels with LMOTS n=1).would result in a signature greater than the HSM capacity of 64KB. Keys with these parameters cannot be generated; the HSM returns an error.
>CKK_HSS private key objects cannot be wrapped/unwrapped, created or cloned. During C_GenerateKeyPair; the firmware rejects CKA_EXTRACTABLE=true or CKA_SENSITIVE=False attributes in the private key template and fails with CKR_ATTRIBUTE_VALUE_INVALID. During C_CreateObject or C_UnwrapKey the FW rejects objects with CKA_CLASS=CKO_PRIVATE_KEY and CKA_KEY_TYPE=CKK_HSS.
>HSS private keys cannot reside on key rings and must be created and managed on partitions only.
>HSS private keys cannot be copied with C_CopyObject.
>HSS private keys cannot be cloned.
