LMS implementation.
This follows RFC 8554, and additional parameter sets from draft-fluhrer-lms-more-parm-sets-09.txt (which itself copies the parameters from NIST SP 800-208).
WARNING: LMS is a stateful signature scheme; each signature consumes one LM-OTS one-time key and therefore modifies the private key. If the same private key state is used to generate two signatures (even if both are on the same data), the two signature values reveal additional values of that one-time key's hash chains, which is enough for an attacker who observes both to forge signatures on other messages.

This implementation always mutates the PrivateKey structure when generating a signature, but it is up to the caller to ensure that the new private key state is committed to stable storage before the signature value is shown to any third party. The tree height also bounds the number of signatures: with the H5 parameter sets listed below, one private key can produce at most 2^5 = 32 signatures before it is exhausted.
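The following is an added example, not code from this crate, showing the state-handling discipline the warning asks for: a wrapper around a stateful key that commits the advanced state to a store before it releases a signature, refuses to sign from a copy of the key that is behind the committed state, and stops after 2^h signatures. The `StateStore`, `MemStore`, `StatefulKey` and `SignError` names are hypothetical, and `sign_leaf` is a placeholder for the real LM-OTS signing step rather than a signature algorithm.

```rust
// Added example (not the crate's API): commit-before-release handling for a
// stateful signature key modelled as a tree height h and next leaf index q.
use std::collections::HashMap;

/// Durable store for the committed key state (the next unused leaf index).
/// Assumption: `commit` returns Ok only once the value is on stable storage
/// (fsync'd file, HSM, database transaction).
pub trait StateStore {
    fn load(&self, key_id: &str) -> Option<u64>;
    fn commit(&mut self, key_id: &str, next_q: u64) -> Result<(), String>;
}

/// In-memory stand-in for stable storage, constructed for this example.
/// `fail_next` simulates a write failure on the next commit.
#[derive(Default)]
pub struct MemStore {
    committed: HashMap<String, u64>,
    pub fail_next: bool,
}

impl StateStore for MemStore {
    fn load(&self, key_id: &str) -> Option<u64> {
        self.committed.get(key_id).copied()
    }
    fn commit(&mut self, key_id: &str, next_q: u64) -> Result<(), String> {
        if self.fail_next {
            self.fail_next = false;
            return Err("simulated storage failure".to_string());
        }
        self.committed.insert(key_id.to_string(), next_q);
        Ok(())
    }
}

#[derive(Debug, PartialEq)]
pub enum SignError {
    /// The in-memory key is behind the committed state (e.g. restored from a
    /// stale backup); signing would reuse a leaf that was already used.
    StaleState { in_memory: u64, committed: u64 },
    /// All 2^h one-time keys of this tree have been consumed.
    Exhausted,
    /// The new state could not be committed; no signature is released.
    Storage(String),
}

/// Minimal model of a stateful private key: tree height h and next leaf q.
pub struct StatefulKey {
    key_id: String,
    height: u32,
    q: u64,
}

impl StatefulKey {
    pub fn new(key_id: &str, height: u32) -> Self {
        Self { key_id: key_id.to_string(), height, q: 0 }
    }

    /// Signatures this key can still produce: 2^h - q.
    pub fn remaining(&self) -> u64 {
        (1u64 << self.height) - self.q
    }

    /// Reserve leaf q, commit q+1 to the store, and only then sign with leaf q.
    /// Returns the leaf index used and the placeholder signature bytes.
    pub fn sign<S: StateStore>(&mut self, store: &mut S, msg: &[u8])
        -> Result<(u64, Vec<u8>), SignError>
    {
        let committed = store.load(&self.key_id).unwrap_or(0);
        if self.q < committed {
            return Err(SignError::StaleState { in_memory: self.q, committed });
        }
        if self.q >= (1u64 << self.height) {
            return Err(SignError::Exhausted);
        }
        let leaf = self.q;
        // Advance the durable state first. If this fails, the in-memory state
        // is left unchanged and no signature value exists that could leak.
        store.commit(&self.key_id, leaf + 1).map_err(SignError::Storage)?;
        self.q = leaf + 1;
        Ok((leaf, sign_leaf(leaf, msg)))
    }
}

/// Placeholder for LM-OTS signing with leaf `q`. Not a real signature; it only
/// embeds the leaf index so the example can show that a leaf is never reused.
fn sign_leaf(q: u64, msg: &[u8]) -> Vec<u8> {
    let mut out = q.to_be_bytes().to_vec();
    out.extend_from_slice(msg);
    out
}

fn main() {
    let mut store = MemStore::default();
    let mut key = StatefulKey::new("lms-demo", 5); // H5 tree: 32 one-time keys
    let (q0, _) = key.sign(&mut store, b"same message").unwrap();
    let (q1, _) = key.sign(&mut store, b"same message").unwrap();
    println!("leaves used: {} then {}, {} signatures left", q0, q1, key.remaining());
    // A stale copy of the key (e.g. restored from backup) is refused.
    let mut stale = StatefulKey::new("lms-demo", 5);
    println!("stale copy: {:?}", stale.sign(&mut store, b"x"));
}
```

The order inside `sign` is the whole point: the store learns about leaf q+1 before any signature using leaf q exists, so a crash between the two steps loses at most one unused leaf rather than reusing one. The stale-state check only catches copies that are behind a store the caller can still reach; a key restored onto a machine with its own empty store is not detected, which is why the committed state and the key material should live together.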
This code was written mostly to verify the test vectors for the parameter sets in the new draft; it does not include facilities for serializing private or public keys, so callers must handle key persistence themselves. It also does NOT implement HSS, the hierarchical scheme built on top of LMS (RFC 8554, section 6), so the number of signatures per key is limited to the single tree's 2^h leaves.
Modules
- LMS_SHA256_M24_H5 with LMOTS_SHA256_N24_W8
- LMS_SHA256_M32_H5 with LMOTS_SHA256_N32_W8
- LMS_SHAKE_M24_H5 with LMOTS_SHAKE_N24_W8
- LMS_SHAKE_M32_H5 with LMOTS_SHAKE_N32_W8