Subject: RE: [pkcs11] HSS in version 3.1 of the specification
Hi Bob, that wasn’t the point of my question. I fully understand the whole single-part way it is defined and the limitation with verify. My question was that for HSS, the spec uses the same wording we use for CKM_RSA_PKCS or CKM_ECDSA, where the application computes the hash and provides the hash as input to the C_Sign() call.

For ECDSA without hashing, we state “This mechanism corresponds only to the part of ECDSA that processes the hash value, which should not be longer than 1024 bits; it does not compute the hash value.” For DSA without hashing, we state “This mechanism corresponds only to the part of DSA that processes the 20-byte hash value; it does not compute the hash value”. For RSA without hashing, we state “This mechanism corresponds only to the part of PKCS #1 that involves block formatting and RSA, given a hash value; it does not compute a hash value on the message to be signed”. These all make sense, as many standards define these algorithms as Sign(hash(message)). So the part that only processes the hash is well defined.

For HSS, we also state “This mechanism corresponds only to the part of LMS that processes the hash value, which may be of any length; it does not compute the hash value”. There is no part of LMS that processes a hash value. LMS processes the whole message that is to be signed. LMS is defined as Sign(message). So it is not clear to me how CKM_HSS can “correspond only to part of LMS”. I assume CKM_HSS is computing the full LMS signature over the provided data, as that is the only way it can work. The description we have in the spec suggests it is only doing a part of LMS. Maybe I’m just nit-picking over the wording? Maybe I am.

Thanks

From: pkcs11@lists.oasis-open.org <pkcs11@lists.oasis-open.org> On Behalf Of Robert Relyea

On 2/16/23 7:10 AM, JOHNSON Darren wrote:
Yes, that's why it's defined as a single-shot operation. Sign isn't a problem, but verify needs the signature at the beginning (because 'C' is in the signature). For now you can only do C_Verify_Init(), C_Verify() for HSS. Unlike RSA, there isn't a HSS_SHA1 type signature; the hash is the same hash as the WOTS_Hash of the bottom tree always.

Yes, I think we should plan for that.
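The point both messages circle around (LMS/HSS signs the message itself, and the digest that the one-time signature covers depends on the randomizer C carried inside the signature) is easiest to see in the bottom-level LM-OTS computation from RFC 8554. The following is an added example, not code from the pkcs11 list, the PKCS#11 specification or any HSS implementation. It implements LM-OTS with the LMOTS_SHA256_N32_W8 parameter set only (one leaf, no LMS/HSS tree), and the identifier I, leaf index q and sample message are constructed values. The message digest Q = H(I || u32str(q) || u16str(D_MESG) || C || message) is computed in one place so it is visible that C is hashed before any message byte, which is why an application cannot pre-hash the message the way it does for CKM_ECDSA, and why a verifier cannot start hashing the message until it has the signature.

```python
"""LM-OTS (RFC 8554, LMOTS_SHA256_N32_W8) sign/verify, written to show why the
LMS/HSS "hash value" cannot be supplied by the application: the randomizer C is
chosen by the signer and only reaches the verifier inside the signature, so the
digest Q that the one-time signature covers depends on the signature itself.
Added example; not PKCS#11 or library code.  Parameter set is an assumption."""
import hashlib
import os
import struct

TYPECODE = 0x00000004   # LMOTS_SHA256_N32_W8 (RFC 8554 Table 1)
N = 32                  # hash output length in bytes
W = 8                   # Winternitz width: one coefficient per digest byte
P = 34                  # 32 digest coefficients + 2 checksum coefficients
LS = 0                  # checksum left shift for w=8
D_PBLC = 0x8080         # domain separator for the public key hash
D_MESG = 0x8181         # domain separator for the message digest


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def u32(x: int) -> bytes: return struct.pack(">I", x)
def u16(x: int) -> bytes: return struct.pack(">H", x)
def u8(x: int) -> bytes: return struct.pack(">B", x)


def checksum(q: bytes) -> bytes:
    # Cksm(Q): sum of (2^w - 1 - coef); with w=8 each coefficient is one byte
    return u16(sum((2 ** W - 1) - b for b in q) << LS)


def message_digest(I: bytes, q: int, C: bytes, message: bytes) -> bytes:
    """Q = H(I || u32str(q) || u16str(D_MESG) || C || message).
    C (part of the signature) is absorbed before the message bytes."""
    return H(I, u32(q), u16(D_MESG), C, message)


def keygen(I: bytes, q: int):
    """Private key x: p random n-byte strings; public key K = H over y[i],
    where y[i] is x[i] hashed 2^w - 1 times (RFC 8554 sections 4.2, 4.3)."""
    x = [os.urandom(N) for _ in range(P)]
    y = []
    for i, xi in enumerate(x):
        tmp = xi
        for j in range(2 ** W - 1):
            tmp = H(I, u32(q), u16(i), u8(j), tmp)
        y.append(tmp)
    K = H(I, u32(q), u16(D_PBLC), *y)
    return x, u32(TYPECODE) + I + u32(q) + K


def sign(x, I: bytes, q: int, message: bytes, C: bytes = None) -> bytes:
    """One-time signature over the whole message (RFC 8554 section 4.5).
    The signer picks C; the verifier learns it only from the signature."""
    C = os.urandom(N) if C is None else C
    Q = message_digest(I, q, C, message)
    coefs = Q + checksum(Q)
    ys = []
    for i in range(P):
        tmp = x[i]
        for j in range(coefs[i]):               # hash x[i] forward a_i times
            tmp = H(I, u32(q), u16(i), u8(j), tmp)
        ys.append(tmp)
    return u32(TYPECODE) + C + b"".join(ys)


def verify(pub: bytes, message: bytes, sig: bytes) -> bool:
    """RFC 8554 section 4.6: recompute K from the signature and compare."""
    if len(pub) != 4 + 16 + 4 + N or len(sig) != 4 + N + P * N:
        return False
    if pub[:4] != u32(TYPECODE) or sig[:4] != u32(TYPECODE):
        return False
    I, q, K = pub[4:20], struct.unpack(">I", pub[20:24])[0], pub[24:]
    C = sig[4:4 + N]
    ys = [sig[4 + N + i * N: 4 + N + (i + 1) * N] for i in range(P)]
    # Only now, with C in hand, can the message be hashed at all.
    Q = message_digest(I, q, C, message)
    coefs = Q + checksum(Q)
    zs = []
    for i in range(P):
        tmp = ys[i]
        for j in range(coefs[i], 2 ** W - 1):   # finish the chain to y-level
            tmp = H(I, u32(q), u16(i), u8(j), tmp)
        zs.append(tmp)
    return H(I, u32(q), u16(D_PBLC), *zs) == K


if __name__ == "__main__":
    I_demo = bytes(range(16))                   # constructed 16-byte identifier
    x_demo, pub_demo = keygen(I_demo, 0)
    sig_demo = sign(x_demo, I_demo, 0, b"constructed sample message")
    print(verify(pub_demo, b"constructed sample message", sig_demo))
```

Two practical notes follow from the code. First, the LM-OTS key x is strictly one-time: signing two different messages with the same leaf q reveals chain intermediates and lets an attacker forge, which is the whole reason HSS keys are stateful objects inside a token rather than something an application hashes for. Second, the verifier's only way to obtain C is to parse it out of the signature before feeding a single message byte to the hash, so a multi-part C_VerifyUpdate-style interface would have to be given the signature at initialisation, not at the end as in the existing PKCS#11 verify flow.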