PQC External Hash

HSS_EXT_HASH_PARAMS_PROP

CK_HSS_EXT_HASH_PARAMS_PROP is a structure that receives the parameters from the CKM_HSS_EXT_HASH_PROP mechanism during the C_SignInit and C_VerifyInit functions. The structure is defined as follows:

typedef struct CK_HSS_EXT_HASH_PARAMS_PROP {
    CK_ULONG  version;     // must be 0
    CK_BYTE   prefix[54];  // output: I (16) || u32str(q) (4) || u16str(D_MESG) (2) || C (up to 32)
    CK_SIZE   length;      // output: number of bytes of 'prefix' filled in
} CK_HSS_EXT_HASH_PARAMS_PROP;

The fields of the structure have the following meanings:

version   always zero

prefix    buffer to receive the message prefix (or portion thereof)

length    set to the number of bytes in 'prefix' filled by the mechanism

The C_SignInit and C_VerifyInit functions will set 'prefix' to contain the concatenation of the following fields:

I               key unique identifier, the 16-byte array 'I'
u32str(q)       LMS leaf identifier 'q' as a 32-bit integer in network byte order (big endian)
u16str(D_MESG)  fixed value 0x8181
C               per-signature randomizer 'C' ('n' bytes)

The ‘prefix’ and ‘length’ fields are output values only. The C_SignInit and C_VerifyInit functions will set the ‘prefix’ and ‘length’ fields.

HSS_EXT_HASH_GETPREFIX_PROP

CK_HSS_EXT_HASH_GETPREFIX_PROP is a mechanism parameter used by the CKM_HSS_EXT_HASH_PROP mechanism during the C_VerifyInit function. It carries the signature to be verified so that the library can parse the message prefix out of it. The structure is defined as follows:

typedef struct CK_HSS_EXT_HASH_GETPREFIX_PROP {
    const CK_BYTE_PTR   signature;        // input: signature to parse the prefix from
    const CK_SIZE       sigLength;        // input: length of 'signature' in bytes
    CK_HSS_EXT_HASH_PARAMS_PROP params;   // version is input; prefix and length are output
} CK_HSS_EXT_HASH_GETPREFIX_PROP;

How to use:

Before calling C_VerifyInit the following fields need to be set up:

signature   points to the signature to get the prefix details from

sigLength   length in bytes of the signature to parse

params.version   set to 0

On return, params.prefix and params.length will contain the string to start off the message digesting process.

Algorithm

The identifier 'I' belongs to the bottom-level LMS key, the one that actually signs the message. For a single-level HSS key (L=1) this is the LMS key in the HSS public key CKA_VALUE attribute; for L>1 it must be taken from the bottom-level LMS public key pub[Nspk] carried inside the signature, as parsed below.

The 'q' and 'C' values are parsed from the signature.

An HSS signature is built up from LMS signatures, which, in turn, are made of LM-OTS signatures (RFC 8554).

LM-OTS signature format:
  u32str(type) || C || y[0] || ... || y[p-1]

LMS signature format:
  u32str(q) || lmots_signature || u32str(type) || path[0] || path[1] || path[2] || ... || path[h-1]

HSS signature (as returned from the C_Sign function). In the specific case of L=1, the format of an HSS signature is:
  u32str(0) || lms_sig[0]

In the general case, the format of an HSS signature is:
  u32str(Nspk) || signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || lms_sig[Nspk]

which is equivalent to:
  u32str(Nspk) || lms_sig[0] || pub[1] || ... || lms_sig[Nspk-1] || pub[Nspk] || lms_sig[Nspk]

The signature should be parsed to find the location of pub[Nspk] and lms_sig[Nspk]. Walking the signature requires the length of each lms_sig[i] and pub[i+1], which depend on the LM-OTS and LMS typecodes embedded in them ('n' and 'p' from RFC 8554 Table 1, 'm' and 'h' from RFC 8554 Table 2); a typecode that is not recognised, or a signature shorter than the lengths imply, must be rejected.

Note that an LMS signature begins with these values:
  u32str(q) || u32str(lmots_type) || C ...

The public key pub[Nspk] is parsed as follows (the parse steps of LMS signature verification in RFC 8554):

a. pubtype = strTou32(first 4 bytes of public key)

b. ots_typecode = strTou32(next 4 bytes of public key)

c. Set m according to pubtype, based on RFC 8554 Table 2.

d. If the public key is not exactly 24 + m bytes long, return INVALID.

e. I = next 16 bytes of the public key

The prefix value is:
  I || u32str(lms_sig[Nspk].q) || u16str(D_MESG) || lms_sig[Nspk].C

where D_MESG is the fixed value 0x8181.
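The following is an added example, not code from this page or from the HSM vendor, showing the parse described above and the external hash that the signing/verify procedure below hands to C_Sign or C_Verify. It walks an HSS signature through lms_sig[0] || pub[1] || ... || lms_sig[Nspk], takes I from pub[Nspk] (or, for L=1, from the HSS public key), and builds I || u32str(q) || u16str(D_MESG) || C. It assumes that the HSS public key CKA_VALUE uses the RFC 8554 encoding u32str(L) || u32str(lms_type) || u32str(lmots_type) || I || T[1], and it only knows the SHA-256 / n=32 parameter sets of RFC 8554 Tables 1 and 2. The function names and the test vectors in demo_vectors() are constructed for this example.

```python
# Added example (not the page's or the HSM vendor's code): derive the CKM_HSS_EXT_HASH_PROP
# message prefix I || u32str(q) || u16str(D_MESG) || C from an HSS signature, and the
# external hash passed to C_Sign / C_Verify. Assumptions: hss_pub is the RFC 8554 HSS public
# key encoding u32str(L) || u32str(lms_type) || u32str(lmots_type) || I || T[1], and only the
# SHA-256 / n=32 parameter sets of RFC 8554 Tables 1 and 2 are recognised.
import hashlib
import struct

LMOTS_PARAMS = {1: (32, 265), 2: (32, 133), 3: (32, 67), 4: (32, 34)}        # typecode -> (n, p)
LMS_PARAMS = {5: (32, 5), 6: (32, 10), 7: (32, 15), 8: (32, 20), 9: (32, 25)}  # typecode -> (m, h)
D_MESG = b"\x81\x81"   # u16str(D_MESG): the fixed 0x8181 in the prefix


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated u32 at offset %d" % off)
    return struct.unpack(">I", buf[off:off + 4])[0]


def parse_lms_sig(buf, off):
    """Parse one LMS signature at buf[off]: u32str(q) || u32str(lmots_type) || C || y[0..p-1]
    || u32str(lms_type) || path[0..h-1]. Returns (q, C, end_offset)."""
    q = _u32(buf, off)
    ots_type = _u32(buf, off + 4)
    if ots_type not in LMOTS_PARAMS:
        raise ValueError("unknown LM-OTS typecode %d" % ots_type)
    n, p = LMOTS_PARAMS[ots_type]
    C = buf[off + 8:off + 8 + n]
    ots_end = off + 4 + (4 + n + p * n)            # u32str(q) plus the whole LM-OTS signature
    lms_type = _u32(buf, ots_end)
    if lms_type not in LMS_PARAMS:
        raise ValueError("unknown LMS typecode %d" % lms_type)
    m, h = LMS_PARAMS[lms_type]
    end = ots_end + 4 + h * m
    if len(C) != n or end > len(buf):
        raise ValueError("truncated LMS signature")
    return q, C, end


def parse_lms_pub(buf, off):
    """Parse one LMS public key at buf[off]: u32str(lms_type) || u32str(lmots_type) || I (16)
    || T[1] (m), exactly 24 + m bytes. Returns (I, end_offset)."""
    pubtype = _u32(buf, off)
    ots_type = _u32(buf, off + 4)
    if pubtype not in LMS_PARAMS or ots_type not in LMOTS_PARAMS:
        raise ValueError("unknown typecode in LMS public key")
    m, _ = LMS_PARAMS[pubtype]
    end = off + 24 + m
    if end > len(buf):
        raise ValueError("truncated LMS public key")
    return buf[off + 8:off + 24], end


def hss_prefix(hss_sig, hss_pub=None):
    """Return I || u32str(q) || u16str(D_MESG) || C for the bottom-level signature lms_sig[Nspk].
    For Nspk == 0 (L=1) the identifier I comes from the HSS public key, otherwise from pub[Nspk]."""
    nspk = _u32(hss_sig, 0)
    off, I = 4, None
    for _ in range(nspk):                           # lms_sig[i] || pub[i+1] for i < Nspk
        _, _, off = parse_lms_sig(hss_sig, off)
        I, off = parse_lms_pub(hss_sig, off)        # the last one parsed is pub[Nspk]
    q, C, off = parse_lms_sig(hss_sig, off)         # lms_sig[Nspk]
    if off != len(hss_sig):
        raise ValueError("trailing bytes after HSS signature")
    if hss_pub is not None and _u32(hss_pub, 0) != nspk + 1:
        raise ValueError("Nspk+1 in the signature does not match L in the public key")
    if nspk == 0:
        if hss_pub is None:
            raise ValueError("L=1 signature: the HSS public key is needed to obtain I")
        I, end = parse_lms_pub(hss_pub, 4)
        if end != len(hss_pub):
            raise ValueError("HSS public key has unexpected length")
    return I + struct.pack(">I", q) + D_MESG + C


def external_hash(prefix, message):
    """The value handed to C_Sign / C_Verify: SHA-256(prefix || message) for the n=32 sets."""
    return hashlib.sha256(prefix + message).digest()


def demo_vectors():
    """Constructed (not real) L=1 and L=2 signatures, LMS_SHA256_M32_H5 with LMOTS_SHA256_N32_W8:
    each LMS signature is 4 + (4+32+34*32) + 4 + 5*32 = 1292 bytes, each LMS public key 56 bytes."""
    def lms_sig(q, C):
        return (struct.pack(">I", q) + struct.pack(">I", 4) + C + b"\x22" * (34 * 32)
                + struct.pack(">I", 5) + b"\x33" * (5 * 32))

    def lms_pub(I):
        return struct.pack(">I", 5) + struct.pack(">I", 4) + I + b"\x55" * 32

    I0, I1, C0, C1 = b"\x40" * 16, b"\x44" * 16, b"\x11" * 32, b"\x66" * 32
    pub_l1 = struct.pack(">I", 1) + lms_pub(I0)                          # HSS public key, L=1
    sig_l1 = struct.pack(">I", 0) + lms_sig(0, C0)                       # 1296 bytes
    sig_l2 = struct.pack(">I", 1) + lms_sig(0, C0) + lms_pub(I1) + lms_sig(7, C1)
    return pub_l1, sig_l1, sig_l2


if __name__ == "__main__":
    pub_l1, sig_l1, sig_l2 = demo_vectors()
    print("L=1 prefix:", hss_prefix(sig_l1, pub_l1).hex())
    print("L=2 prefix:", hss_prefix(sig_l2).hex())
    print("hash for C_Verify:", external_hash(hss_prefix(sig_l2), b"message").hex())
```

On the verify side the output of hss_prefix is exactly what a CK_HSS_EXT_HASH_GETPREFIX_PROP call would return in params.prefix, so a caller that computes it locally can pass a NULL mechanism parameter to C_VerifyInit. The level-count check against the public key is the one extra thing worth doing: a signature whose Nspk does not match CKA_HSS_LEVELS should be rejected before any hashing.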

HSS_EXT_HASH_PROP signing/verify (Proprietary)

The HSS_EXT_HASH_PROP mechanism, denoted CKM_HSS_EXT_HASH_PROP, is a proprietary mechanism for single-part signatures and verification for HSS where the message hash is computed externally.

This mechanism has two optional parameters, the CK_HSS_EXT_HASH_GETPREFIX_PROP and CK_HSS_EXT_HASH_PARAMS_PROP structures.

Signing:

Call C_SignInit with mechanism CKM_HSS_EXT_HASH_PROP, using a version 0 CK_HSS_EXT_HASH_PARAMS_PROP structure as the mechanism parameter. On return, 'prefix' and 'length' are filled in.

Compute the external hash by first digesting 'length' bytes of 'prefix' and then digesting the message to be signed.

Call C_Sign with the message equal to the computed hash.

Verifying:

If the message prefix is already known (it can be computed from the public key and the signature, see Algorithm above), call C_VerifyInit with mechanism CKM_HSS_EXT_HASH_PROP and a NULL mechanism parameter. Otherwise use an initialized CK_HSS_EXT_HASH_GETPREFIX_PROP structure as the mechanism parameter in order to fetch the message prefix.

Compute the external message hash by first digesting 'length' bytes of 'prefix' and then digesting the message whose signature is being verified.

Call C_Verify with the message equal to the computed hash and the signature to be verified.

For the purposes of these mechanisms, an HSS signature is a byte string whose length depends on CKA_HSS_LEVELS, CKA_HSS_LMS_TYPES and CKA_HSS_LMOTS_TYPES, as described in the following table.

HSS: Key and Data Length

Function   Key type          Input length                              Output length
C_Sign     HSS Private Key   any                                       1296-749882
C_Verify   HSS Public Key    any (message), 1296-749882 (signature)    N/A

Implementation Note:

It is expected that C_VerifyInit can be executed entirely in the Cryptoki library, since the prefix is derived only from the public key and the signature.

So signing would require two calls to the HSM (C_SignInit to fetch the prefix, then C_Sign), while verification could be done in one.

XMSS_EXT_HASH_PARAMS_PROP

CK_XMSS_EXT_HASH_PARAMS_PROP is a structure that receives the parameters from the CKM_XMSS_EXT_HASH_PROP and CKM_XMSSMT_EXT_HASH_PROP mechanisms during the C_SignInit and C_VerifyInit functions. The structure is defined as follows:

typedef struct CK_XMSS_EXT_HASH_PARAMS_PROP {
    CK_ULONG  version;      // must be 0
    CK_BYTE   prefix[192];  // output: r || root || toByte(idx_sig, n), 3n bytes (n <= 64)
    CK_SIZE   length;       // output: number of bytes of 'prefix' filled in
} CK_XMSS_EXT_HASH_PARAMS_PROP;

The fields of the structure have the following meanings:

version   always zero

prefix    buffer to receive the message prefix (or portion thereof)

length    set to the number of bytes in 'prefix' filled by the mechanism

The C_SignInit and C_VerifyInit functions will set 'prefix' to contain the concatenation of the following fields:

r                    per-signature random string, 'n' bytes long
root                 'n'-byte root hash of the public key
toByte(idx_sig, n)   index of the signature (idx_sig), expanded to 'n' bytes

The ‘prefix’ and ‘length’ fields are output values only. The C_SignInit and C_VerifyInit functions will set the ‘prefix’ and ‘length’ fields.

XMSS_EXT_HASH_GETPREFIX_PROP

CK_XMSS_EXT_HASH_GETPREFIX_PROP is a mechanism parameter used by the CKM_XMSS_EXT_HASH_PROP and CKM_XMSSMT_EXT_HASH_PROP mechanisms during the C_VerifyInit function. It carries the signature to be verified so that the library can parse the message prefix out of it. The structure is defined as follows:

typedef struct CK_XMSS_EXT_HASH_GETPREFIX_PROP {
    const CK_BYTE_PTR   signature;         // input: signature to parse the prefix from
    const CK_SIZE       sigLength;         // input: length of 'signature' in bytes
    CK_XMSS_EXT_HASH_PARAMS_PROP params;   // version is input; prefix and length are output
} CK_XMSS_EXT_HASH_GETPREFIX_PROP;

How to use:

Before calling C_VerifyInit the following fields need to be set up:

signature   points to the signature to get the prefix details from

sigLength   length in bytes of the signature to parse

params.version   set to 0

On return, params.prefix and params.length will contain the string to start off the message digesting process.

Algorithm

The XMSS or XMSS^MT public key should be read from the XMSS public key CKA_VALUE attribute.

The first 4 bytes represent the parameter set OID (32-bit integer, network byte order). This value determines 'n' (and, for XMSS^MT, the total tree height 'h'). Note that the XMSS and XMSS^MT OID spaces overlap (both start at 0x00000001), so the key type or mechanism, not the OID alone, decides which parameter table applies.

The root hash 'root' is the next 'n' bytes read from the CKA_VALUE attribute.

The 'idx_sig' and 'r' values can be parsed from the signature.

An XMSS signature begins with a 4-byte idx_sig value (32-bit, network byte order) followed by the 'n'-byte random value 'r'. An XMSS^MT signature begins with an idx_sig of ceil(h/8) bytes (RFC 8391, Section 4.2.3) followed by the 'n'-byte random value 'r'; for example 3 bytes for h=20 and 5 bytes for h=40.

In both cases the idx_sig value needs to be expanded to an 'n'-byte string.

The prefix = r || root || toByte(idx_sig, n)

Note that RFC 8391 defines H_msg(KEY, M) = H(toByte(2, n) || KEY || M) with KEY = r || root || toByte(idx_sig, n). The prefix above is KEY without the leading toByte(2, n) domain separator, so confirm the externally computed hash against a signature produced and verified by the HSM before relying on it.
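The following is an added example, not code from this page or from the HSM vendor, of the parse just described for both XMSS and XMSS^MT: it reads the OID and root from the public key, reads idx_sig (4 bytes for XMSS, ceil(h/8) bytes for XMSS^MT) and r from the signature, and returns r || root || toByte(idx_sig, n). It assumes the SHA2 parameter sets of RFC 8391 Sections 5.3 and 5.4 and a public key CKA_VALUE encoded as OID || root || SEED (4 + 2n bytes); the function names and the vectors in demo_vectors() are constructed for this example.

```python
# Added example (not the page's or the HSM vendor's code): derive the CKM_XMSS_EXT_HASH_PROP /
# CKM_XMSSMT_EXT_HASH_PROP message prefix r || root || toByte(idx_sig, n) from the public key
# CKA_VALUE and the signature. Assumptions: SHA2 parameter sets of RFC 8391 Sections 5.3/5.4,
# and CKA_VALUE encoded as OID (4 bytes) || root (n) || SEED (n).
import hashlib
import struct

# RFC 8391 Section 5.3, XMSS SHA2 parameter sets: OID -> (n, h)
XMSS_OIDS = {0x01: (32, 10), 0x02: (32, 16), 0x03: (32, 20),
             0x04: (64, 10), 0x05: (64, 16), 0x06: (64, 20)}
# RFC 8391 Section 5.4, XMSS^MT SHA2 parameter sets: OID -> (n, total height h)
XMSSMT_OIDS = {0x01: (32, 20), 0x02: (32, 20), 0x03: (32, 40), 0x04: (32, 40),
               0x05: (32, 40), 0x06: (32, 60), 0x07: (32, 60), 0x08: (32, 60),
               0x09: (64, 20), 0x0a: (64, 20), 0x0b: (64, 40), 0x0c: (64, 40),
               0x0d: (64, 40), 0x0e: (64, 60), 0x0f: (64, 60), 0x10: (64, 60)}


def parse_pubkey(pub, multitree):
    """Return (n, h, root) from CKA_VALUE = OID (4 bytes) || root (n) || SEED (n)."""
    if len(pub) < 4:
        raise ValueError("public key too short")
    oid = struct.unpack(">I", pub[:4])[0]
    table = XMSSMT_OIDS if multitree else XMSS_OIDS   # OID spaces overlap; the key type decides
    if oid not in table:
        raise ValueError("unknown %s OID 0x%08x" % ("XMSS^MT" if multitree else "XMSS", oid))
    n, h = table[oid]
    if len(pub) != 4 + 2 * n:
        raise ValueError("public key length %d, expected %d" % (len(pub), 4 + 2 * n))
    return n, h, pub[4:4 + n]


def parse_sig_head(sig, n, h, multitree):
    """Return (idx_sig, r). idx_sig is 4 bytes for XMSS and ceil(h/8) bytes for XMSS^MT."""
    idx_len = (h + 7) // 8 if multitree else 4
    if len(sig) < idx_len + n:
        raise ValueError("signature too short for idx_sig || r")
    idx_sig = int.from_bytes(sig[:idx_len], "big")
    if idx_sig >= 1 << h:                            # a leaf index the tree cannot contain
        raise ValueError("idx_sig %d out of range for tree height %d" % (idx_sig, h))
    return idx_sig, sig[idx_len:idx_len + n]


def xmss_prefix(pub, sig, multitree=False):
    """prefix = r || root || toByte(idx_sig, n); always 3n bytes (96 for n=32, 192 for n=64)."""
    n, h, root = parse_pubkey(pub, multitree)
    idx_sig, r = parse_sig_head(sig, n, h, multitree)
    return r + root + idx_sig.to_bytes(n, "big")


def external_hash(prefix, message):
    """Hash handed to C_Sign / C_Verify as the page describes: H(prefix || message), with H chosen
    by n (SHA-256 for n=32, SHA-512 for n=64). RFC 8391's H_msg prepends toByte(2, n) to
    r || root || toByte(idx_sig, n); the page's prefix omits it, so check this construction against
    a signature produced and verified by the HSM before relying on it."""
    n = len(prefix) // 3
    h = hashlib.sha256 if n == 32 else hashlib.sha512
    return h(prefix + message).digest()


def demo_vectors():
    """Constructed (not real) keys and signature heads: XMSS-SHA2_10_256 and XMSSMT-SHA2_40/2_256."""
    root, seed, r = b"\x0a" * 32, b"\x0b" * 32, b"\x0c" * 32
    xmss_pub = struct.pack(">I", 0x01) + root + seed
    xmss_sig = struct.pack(">I", 5) + r + b"\x00" * 100         # bytes after r are irrelevant here
    mt_pub = struct.pack(">I", 0x03) + root + seed
    mt_sig = bytes.fromhex("0102030405") + r + b"\x00" * 100    # 5-byte idx_sig for h=40
    return xmss_pub, xmss_sig, mt_pub, mt_sig


if __name__ == "__main__":
    xmss_pub, xmss_sig, mt_pub, mt_sig = demo_vectors()
    print("XMSS prefix:   ", xmss_prefix(xmss_pub, xmss_sig).hex())
    print("XMSS^MT prefix:", xmss_prefix(mt_pub, mt_sig, multitree=True).hex())
```

The multitree flag matters: OID 0x03 is XMSS-SHA2_20_256 in one table and XMSSMT-SHA2_40/2_256 in the other, and reading the XMSS^MT signature above with the XMSS rule takes a 4-byte index that is out of range for h=20 and is rejected. Select the table from the key type (CKM_XMSS versus CKM_XMSSMT mechanism) rather than guessing from the bytes.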

 

XMSS_EXT_HASH_PROP and XMSSMT_EXT_HASH_PROP signing/verify (Proprietary)

The XMSS_EXT_HASH_PROP mechanism, denoted CKM_XMSS_EXT_HASH_PROP, is a proprietary mechanism for single-part signatures and verification for XMSS where the message hash is computed externally.

The XMSSMT_EXT_HASH_PROP mechanism, denoted CKM_XMSSMT_EXT_HASH_PROP, is a proprietary mechanism for single-part signatures and verification for XMSS/MT where the message hash is computed externally.

These mechanisms have two optional parameters, the CK_XMSS_EXT_HASH_GETPREFIX_PROP and CK_XMSS_EXT_HASH_PARAMS_PROP structures.

Signing:

Call C_SignInit with mechanism CKM_XMSS_EXT_HASH_PROP (or CKM_XMSSMT_EXT_HASH_PROP for an XMSS^MT key), using a version 0 CK_XMSS_EXT_HASH_PARAMS_PROP structure as the mechanism parameter. On return, 'prefix' and 'length' are filled in.

Compute the external hash by first digesting 'length' bytes of 'prefix' and then digesting the message to be signed.

Call C_Sign with the message equal to the computed hash.

Verifying:

If the message prefix is already known (it can be computed from the public key and the signature, see Algorithm above), call C_VerifyInit with mechanism CKM_XMSS_EXT_HASH_PROP (or CKM_XMSSMT_EXT_HASH_PROP) and a NULL mechanism parameter. Otherwise use an initialized CK_XMSS_EXT_HASH_GETPREFIX_PROP structure as the mechanism parameter in order to fetch the message prefix.

Compute the external message hash by first digesting 'length' bytes of 'prefix' and then digesting the message whose signature is being verified.

Call C_Verify with the message equal to the computed hash and the signature to be verified.