1 /** 2 * \file lms.h 3 * 4 * \brief This file provides an API for the LMS post-quantum-safe stateful-hash 5 public-key signature scheme as defined in RFC8554 and NIST.SP.200-208. 6 * This implementation currently only supports a single parameter set 7 * MBEDTLS_LMS_SHA256_M32_H10 in order to reduce complexity. This is one 8 * of the signature schemes recommended by the IETF draft SUIT standard 9 * for IOT firmware upgrades (RFC9019). 10 */ 11 /* 12 * Copyright The Mbed TLS Contributors 13 * SPDX-License-Identifier: Apache-2.0 14 * 15 * Licensed under the Apache License, Version 2.0 (the "License"); you may 16 * not use this file except in compliance with the License. 17 * You may obtain a copy of the License at 18 * 19 * http://www.apache.org/licenses/LICENSE-2.0 20 * 21 * Unless required by applicable law or agreed to in writing, software 22 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 23 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 24 * See the License for the specific language governing permissions and 25 * limitations under the License. 26 */ 27 #ifndef MBEDTLS_LMS_H 28 #define MBEDTLS_LMS_H 29 30 #include <stdint.h> 31 #include <stddef.h> 32 33 #include "mbedtls/private_access.h" 34 #include "mbedtls/build_info.h" 35 36 #define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */ 37 #define MBEDTLS_ERR_LMS_OUT_OF_PRIVATE_KEYS -0x0013 /**< Specified LMS key has utilised all of its private keys */ 38 #define MBEDTLS_ERR_LMS_VERIFY_FAILED -0x0015 /**< LMS signature verification failed */ 39 #define MBEDTLS_ERR_LMS_ALLOC_FAILED -0x0017 /**< LMS failed to allocate space for a private key */ 40 #define MBEDTLS_ERR_LMS_BUFFER_TOO_SMALL -0x0019 /**< Input/output buffer is too small to contain requited data */ 41 42 /* Currently only defined for SHA256, 32 is the max hash output size */ 43 #define MBEDTLS_LMOTS_N_HASH_LEN_MAX (32u) 44 #define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX (34u) 45 #define MBEDTLS_LMOTS_N_HASH_LEN(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 32u : 0) 46 #define MBEDTLS_LMOTS_I_KEY_ID_LEN (16u) 47 #define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4u) 48 #define MBEDTLS_LMOTS_TYPE_LEN (4u) 49 #define MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) ((type) == MBEDTLS_LMOTS_SHA256_N32_W8 ? 34u : 0) 50 #define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) (MBEDTLS_LMOTS_N_HASH_LEN(type)) 51 52 #define MBEDTLS_LMOTS_SIG_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \ 53 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type) + \ 54 (MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT(type) * \ 55 MBEDTLS_LMOTS_N_HASH_LEN(type))) 56 57 58 #define MBEDTLS_LMS_TYPE_LEN (4) 59 #define MBEDTLS_LMS_H_TREE_HEIGHT(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 10u : 0) 60 61 /* The length of a hash output, Currently only implemented for SHA256. 62 * Max is 32 bytes. 63 */ 64 #define MBEDTLS_LMS_M_NODE_BYTES(type) ((type) == MBEDTLS_LMS_SHA256_M32_H10 ? 32 : 0) 65 #define MBEDTLS_LMS_M_NODE_BYTES_MAX 32 66 67 #define MBEDTLS_LMS_SIG_LEN(type, otstype) (MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \ 68 MBEDTLS_LMOTS_SIG_LEN(otstype) + \ 69 MBEDTLS_LMS_TYPE_LEN + \ 70 (MBEDTLS_LMS_H_TREE_HEIGHT(type) * \ 71 MBEDTLS_LMS_M_NODE_BYTES(type))) 72 73 #define MBEDTLS_LMS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMS_TYPE_LEN + \ 74 MBEDTLS_LMOTS_TYPE_LEN + \ 75 MBEDTLS_LMOTS_I_KEY_ID_LEN + \ 76 MBEDTLS_LMS_M_NODE_BYTES(type)) 77 78 79 #ifdef __cplusplus 80 extern "C" { 81 #endif 82 83 /** The Identifier of the LMS parameter set, as per 84 * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml 85 * We are only implementing a subset of the types, particularly H10, for the sake of simplicity. 86 */ 87 typedef enum { 88 MBEDTLS_LMS_SHA256_M32_H10 = 0x6, 89 } mbedtls_lms_algorithm_type_t; 90 91 /** The Identifier of the LMOTS parameter set, as per 92 * https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml. 93 * We are only implementing a subset of the types, particularly N32_W8, for the sake of simplicity. 94 */ 95 typedef enum { 96 MBEDTLS_LMOTS_SHA256_N32_W8 = 4 97 } mbedtls_lmots_algorithm_type_t; 98 99 /** LMOTS parameters structure. 100 * 101 * This contains the metadata associated with an LMOTS key, detailing the 102 * algorithm type, the key ID, and the leaf identifier should be key be part of 103 * a LMS key. 104 */ 105 typedef struct { 106 unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key 107 identifier. */ 108 unsigned char MBEDTLS_PRIVATE(q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN]); /*!< Which 109 leaf of the LMS key this is. 110 0 if the key is not part of an LMS key. */ 111 mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as 112 per IANA. Only SHA256_N32_W8 is 113 currently supported. */ 114 } mbedtls_lmots_parameters_t; 115 116 /** LMOTS public context structure. 117 * 118 * A LMOTS public key is a hash output, and the applicable parameter set. 119 * 120 * The context must be initialized before it is used. A public key must either 121 * be imported or generated from a private context. 122 * 123 * \dot 124 * digraph lmots_public_t { 125 * UNINITIALIZED -> INIT [label="init"]; 126 * HAVE_PUBLIC_KEY -> INIT [label="free"]; 127 * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"]; 128 * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"]; 129 * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"]; 130 * } 131 * \enddot 132 */ 133 typedef struct { 134 mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params); 135 unsigned char MBEDTLS_PRIVATE(public_key)[MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 136 unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key. 137 Boolean values only. */ 138 } mbedtls_lmots_public_t; 139 140 #if defined(MBEDTLS_LMS_PRIVATE) 141 /** LMOTS private context structure. 142 * 143 * A LMOTS private key is one hash output for each of digit of the digest + 144 * checksum, and the applicable parameter set. 145 * 146 * The context must be initialized before it is used. A public key must either 147 * be imported or generated from a private context. 148 * 149 * \dot 150 * digraph lmots_public_t { 151 * UNINITIALIZED -> INIT [label="init"]; 152 * HAVE_PRIVATE_KEY -> INIT [label="free"]; 153 * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"]; 154 * HAVE_PRIVATE_KEY -> INIT [label="sign"]; 155 * } 156 * \enddot 157 */ 158 typedef struct { 159 mbedtls_lmots_parameters_t MBEDTLS_PRIVATE(params); 160 unsigned char MBEDTLS_PRIVATE(private_key)[MBEDTLS_LMOTS_P_SIG_DIGIT_COUNT_MAX][ 161 MBEDTLS_LMOTS_N_HASH_LEN_MAX]; 162 unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key. 163 Boolean values only. */ 164 } mbedtls_lmots_private_t; 165 #endif /* defined(MBEDTLS_LMS_PRIVATE) */ 166 167 168 /** LMS parameters structure. 169 * 170 * This contains the metadata associated with an LMS key, detailing the 171 * algorithm type, the type of the underlying OTS algorithm, and the key ID. 172 */ 173 typedef struct { 174 unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key 175 identifier. */ 176 mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(otstype); /*!< The LM-OTS key type identifier as 177 per IANA. Only SHA256_N32_W8 is 178 currently supported. */ 179 mbedtls_lms_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LMS key type identifier as per 180 IANA. Only SHA256_M32_H10 is currently 181 supported. */ 182 } mbedtls_lms_parameters_t; 183 184 /** LMS public context structure. 185 * 186 * A LMS public key is the hash output that is the root of the Merkle tree, and 187 * the applicable parameter set 188 * 189 * The context must be initialized before it is used. A public key must either 190 * be imported or generated from a private context. 191 * 192 * \dot 193 * digraph lms_public_t { 194 * UNINITIALIZED -> INIT [label="init"]; 195 * HAVE_PUBLIC_KEY -> INIT [label="free"]; 196 * INIT -> HAVE_PUBLIC_KEY [label="import_public_key"]; 197 * INIT -> HAVE_PUBLIC_KEY [label="calculate_public_key from private key"]; 198 * HAVE_PUBLIC_KEY -> HAVE_PUBLIC_KEY [label="export_public_key"]; 199 * } 200 * \enddot 201 */ 202 typedef struct { 203 mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params); 204 unsigned char MBEDTLS_PRIVATE(T_1_pub_key)[MBEDTLS_LMS_M_NODE_BYTES_MAX]; /*!< The public key, in 205 the form of the Merkle tree root node. */ 206 unsigned char MBEDTLS_PRIVATE(have_public_key); /*!< Whether the context contains a public key. 207 Boolean values only. */ 208 } mbedtls_lms_public_t; 209 210 211 #if defined(MBEDTLS_LMS_PRIVATE) 212 /** LMS private context structure. 213 * 214 * A LMS private key is a set of LMOTS private keys, an index to the next usable 215 * key, and the applicable parameter set. 216 * 217 * The context must be initialized before it is used. A public key must either 218 * be imported or generated from a private context. 219 * 220 * \dot 221 * digraph lms_public_t { 222 * UNINITIALIZED -> INIT [label="init"]; 223 * HAVE_PRIVATE_KEY -> INIT [label="free"]; 224 * INIT -> HAVE_PRIVATE_KEY [label="generate_private_key"]; 225 * } 226 * \enddot 227 */ 228 typedef struct { 229 mbedtls_lms_parameters_t MBEDTLS_PRIVATE(params); 230 uint32_t MBEDTLS_PRIVATE(q_next_usable_key); /*!< The index of the next OTS key that has not 231 been used. */ 232 mbedtls_lmots_private_t *MBEDTLS_PRIVATE(ots_private_keys); /*!< The private key material. One OTS key 233 for each leaf node in the Merkle tree. NULL 234 when have_private_key is 0 and non-NULL otherwise. 235 is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) in length. */ 236 mbedtls_lmots_public_t *MBEDTLS_PRIVATE(ots_public_keys); /*!< The OTS key public keys, used to 237 build the Merkle tree. NULL 238 when have_private_key is 0 and 239 non-NULL otherwise. 240 Is 2^MBEDTLS_LMS_H_TREE_HEIGHT(type) 241 in length. */ 242 unsigned char MBEDTLS_PRIVATE(have_private_key); /*!< Whether the context contains a private key. 243 Boolean values only. */ 244 } mbedtls_lms_private_t; 245 #endif /* defined(MBEDTLS_LMS_PRIVATE) */ 246 247 /** 248 * \brief This function initializes an LMS public context 249 * 250 * \param ctx The uninitialized LMS context that will then be 251 * initialized. 252 */ 253 void mbedtls_lms_public_init(mbedtls_lms_public_t *ctx); 254 255 /** 256 * \brief This function uninitializes an LMS public context 257 * 258 * \param ctx The initialized LMS context that will then be 259 * uninitialized. 260 */ 261 void mbedtls_lms_public_free(mbedtls_lms_public_t *ctx); 262 263 /** 264 * \brief This function imports an LMS public key into a 265 * public LMS context. 266 * 267 * \note Before this function is called, the context must 268 * have been initialized. 269 * 270 * \note See IETF RFC8554 for details of the encoding of 271 * this public key. 272 * 273 * \param ctx The initialized LMS context store the key in. 274 * \param key The buffer from which the key will be read. 275 * #MBEDTLS_LMS_PUBLIC_KEY_LEN bytes will be read from 276 * this. 277 * \param key_size The size of the key being imported. 278 * 279 * \return \c 0 on success. 280 * \return A non-zero error code on failure. 281 */ 282 int mbedtls_lms_import_public_key(mbedtls_lms_public_t *ctx, 283 const unsigned char *key, size_t key_size); 284 285 /** 286 * \brief This function exports an LMS public key from a 287 * LMS public context that already contains a public 288 * key. 289 * 290 * \note Before this function is called, the context must 291 * have been initialized and the context must contain 292 * a public key. 293 * 294 * \note See IETF RFC8554 for details of the encoding of 295 * this public key. 296 * 297 * \param ctx The initialized LMS public context that contains 298 * the public key. 299 * \param key The buffer into which the key will be output. Must 300 * be at least #MBEDTLS_LMS_PUBLIC_KEY_LEN in size. 301 * \param key_size The size of the key buffer. 302 * \param key_len If not NULL, will be written with the size of the 303 * key. 304 * 305 * \return \c 0 on success. 306 * \return A non-zero error code on failure. 307 */ 308 int mbedtls_lms_export_public_key(const mbedtls_lms_public_t *ctx, 309 unsigned char *key, size_t key_size, 310 size_t *key_len); 311 312 /** 313 * \brief This function verifies a LMS signature, using a 314 * LMS context that contains a public key. 315 * 316 * \note Before this function is called, the context must 317 * have been initialized and must contain a public key 318 * (either by import or generation). 319 * 320 * \param ctx The initialized LMS public context from which the 321 * public key will be read. 322 * \param msg The buffer from which the message will be read. 323 * \param msg_size The size of the message that will be read. 324 * \param sig The buf from which the signature will be read. 325 * #MBEDTLS_LMS_SIG_LEN bytes will be read from 326 * this. 327 * \param sig_size The size of the signature to be verified. 328 * 329 * \return \c 0 on successful verification. 330 * \return A non-zero error code on failure. 331 */ 332 int mbedtls_lms_verify(const mbedtls_lms_public_t *ctx, 333 const unsigned char *msg, size_t msg_size, 334 const unsigned char *sig, size_t sig_size); 335 336 #if defined(MBEDTLS_LMS_PRIVATE) 337 /** 338 * \brief This function initializes an LMS private context 339 * 340 * \param ctx The uninitialized LMS private context that will 341 * then be initialized. */ 342 void mbedtls_lms_private_init(mbedtls_lms_private_t *ctx); 343 344 /** 345 * \brief This function uninitializes an LMS private context 346 * 347 * \param ctx The initialized LMS private context that will then 348 * be uninitialized. 349 */ 350 void mbedtls_lms_private_free(mbedtls_lms_private_t *ctx); 351 352 /** 353 * \brief This function generates an LMS private key, and 354 * stores in into an LMS private context. 355 * 356 * \warning This function is **not intended for use in 357 * production**, due to as-yet unsolved problems with 358 * handling stateful keys. The API for this function 359 * may change considerably in future versions. 360 * 361 * \note The seed must have at least 256 bits of entropy. 362 * 363 * \param ctx The initialized LMOTS context to generate the key 364 * into. 365 * \param type The LMS parameter set identifier. 366 * \param otstype The LMOTS parameter set identifier. 367 * \param f_rng The RNG function to be used to generate the key ID. 368 * \param p_rng The RNG context to be passed to f_rng 369 * \param seed The seed used to deterministically generate the 370 * key. 371 * \param seed_size The length of the seed. 372 * 373 * \return \c 0 on success. 374 * \return A non-zero error code on failure. 375 */ 376 int mbedtls_lms_generate_private_key(mbedtls_lms_private_t *ctx, 377 mbedtls_lms_algorithm_type_t type, 378 mbedtls_lmots_algorithm_type_t otstype, 379 int (*f_rng)(void *, unsigned char *, size_t), 380 void *p_rng, const unsigned char *seed, 381 size_t seed_size); 382 383 /** 384 * \brief This function calculates an LMS public key from a 385 * LMS context that already contains a private key. 386 * 387 * \note Before this function is called, the context must 388 * have been initialized and the context must contain 389 * a private key. 390 * 391 * \param ctx The initialized LMS public context to calculate the key 392 * from and store it into. 393 * 394 * \param priv_ctx The LMS private context to read the private key 395 * from. This must have been initialized and contain a 396 * private key. 397 * 398 * \return \c 0 on success. 399 * \return A non-zero error code on failure. 400 */ 401 int mbedtls_lms_calculate_public_key(mbedtls_lms_public_t *ctx, 402 const mbedtls_lms_private_t *priv_ctx); 403 404 /** 405 * \brief This function creates a LMS signature, using a 406 * LMS context that contains unused private keys. 407 * 408 * \warning This function is **not intended for use in 409 * production**, due to as-yet unsolved problems with 410 * handling stateful keys. The API for this function 411 * may change considerably in future versions. 412 * 413 * \note Before this function is called, the context must 414 * have been initialized and must contain a private 415 * key. 416 * 417 * \note Each of the LMOTS private keys inside a LMS private 418 * key can only be used once. If they are reused, then 419 * attackers may be able to forge signatures with that 420 * key. This is all handled transparently, but it is 421 * important to not perform copy operations on LMS 422 * contexts that contain private key material. 423 * 424 * \param ctx The initialized LMS private context from which the 425 * private key will be read. 426 * \param f_rng The RNG function to be used for signature 427 * generation. 428 * \param p_rng The RNG context to be passed to f_rng 429 * \param msg The buffer from which the message will be read. 430 * \param msg_size The size of the message that will be read. 431 * \param sig The buf into which the signature will be stored. 432 * Must be at least #MBEDTLS_LMS_SIG_LEN in size. 433 * \param sig_size The size of the buffer the signature will be 434 * written into. 435 * \param sig_len If not NULL, will be written with the size of the 436 * signature. 437 * 438 * \return \c 0 on success. 439 * \return A non-zero error code on failure. 440 */ 441 int mbedtls_lms_sign(mbedtls_lms_private_t *ctx, 442 int (*f_rng)(void *, unsigned char *, size_t), 443 void *p_rng, const unsigned char *msg, 444 unsigned int msg_size, unsigned char *sig, size_t sig_size, 445 size_t *sig_len); 446 #endif /* defined(MBEDTLS_LMS_PRIVATE) */ 447 448 #ifdef __cplusplus 449 } 450 #endif 451 452 #endif /* MBEDTLS_LMS_H */ 453
