Subject: Re: [pkcs11] HSS in version 3.1 of the specification
On 2/18/23 7:15 AM, Jonathan Schulze-Hewett wrote:
In the only PKCS#11 implementation of LMS I've dealt with, C_Sign took just the message as input, not the output of a hash of I||q||D_MESG||C||message. Since we're the authors of the original proposal I assume that's what we meant.
This is what I would have thought once I've read the HSS spec, and noted that the input is a variable length message, not something the length of the hash. It also explains why there isn't a 'hash & sign' variant (CKM_HSS_WITH_SHA512 for instance) like the other signing algorithms... the hash is built in. It's also how the designers of HSS would have wanted the interface.

I wonder if we just need to call it out since this is different from the other algorithms (though it will be the same as the pq, where the hash is part of the signing algorithm).

I also suspect that we copied the language from the other algorithms in an attempt to indicate that we're not doing hash then sign, just the LMS signature step. The fact that HSS/LMS is a hash based scheme makes things convoluted. If it wasn't a hash based scheme I think the existing language would be clearer. Suggestions for updating the language?
Sincerely, Jonathan
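To make the point in this thread concrete: the message hash in LM-OTS (RFC 8554) is Q = H(I || u32str(q) || u16str(D_MESG) || C || message), and the randomizer C is drawn by the signer, so the caller has no way to pre-hash the message and hand over a digest. The script below is an added illustration, not code from this list, from the OASIS PKCS#11 specification or from any HSM vendor. It implements a single LM-OTS key (parameter set LMOTS_SHA256_N32_W8, not a full HSS tree) from RFC 8554 and then compares a caller that passes the raw message with a caller that reads the "hash then sign" wording literally and passes SHA-256(message). The function names (keygen, sign, verify, demo) are illustrative and stand in for the C_Sign surface; the sample message is constructed.

```python
import hashlib
import os
import struct

# LM-OTS parameters from RFC 8554 for LMOTS_SHA256_N32_W8 (type code 4):
# n = 32-byte SHA-256 output, Winternitz w = 8, p = 34 chains, left shift ls = 0.
LMOTS_SHA256_N32_W8 = 4
N, W, P, LS = 32, 8, 34, 0
D_PBLC = 0x8080   # domain separator for the public key hash (RFC 8554 section 4.3)
D_MESG = 0x8181   # domain separator for the message hash


def u32(x): return struct.pack(">I", x)
def u16(x): return struct.pack(">H", x)
def u8(x): return struct.pack(">B", x)


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def coef(s, i):
    # With w = 8 the i-th base-2^w coefficient of s is simply byte i.
    return s[i]


def checksum(s):
    total = sum((2 ** W - 1) - coef(s, i) for i in range(N * 8 // W))
    return u16(total << LS)


def chain(I, q, i, start, stop, value):
    # Hash chain iterations j = start .. stop-1, each bound to I, q and chain index i.
    for j in range(start, stop):
        value = H(I, u32(q), u16(i), u8(j), value)
    return value


def keygen(I, q):
    # Private key: p random n-byte chain starts. Public key: hash of all chain ends.
    x = [os.urandom(N) for _ in range(P)]
    y = [chain(I, q, i, 0, 2 ** W - 1, x[i]) for i in range(P)]
    K = H(I, u32(q), u16(D_PBLC), *y)
    return x, u32(LMOTS_SHA256_N32_W8) + I + u32(q) + K


def sign(x, I, q, message):
    # The signer draws the randomizer C itself, so the message hash Q cannot be
    # precomputed by the caller: the signing primitive has to receive the raw message.
    C = os.urandom(N)
    Q = H(I, u32(q), u16(D_MESG), C, message)
    digest = Q + checksum(Q)
    y = [chain(I, q, i, 0, coef(digest, i), x[i]) for i in range(P)]
    return u32(LMOTS_SHA256_N32_W8) + C + b"".join(y)


def verify(pub, message, sig):
    if pub[:4] != u32(LMOTS_SHA256_N32_W8) or sig[:4] != u32(LMOTS_SHA256_N32_W8):
        return False
    I, (q,), K = pub[4:20], struct.unpack(">I", pub[20:24]), pub[24:]
    C = sig[4:4 + N]
    y = [sig[4 + N + i * N:4 + N + (i + 1) * N] for i in range(P)]
    Q = H(I, u32(q), u16(D_MESG), C, message)
    digest = Q + checksum(Q)
    # Finish each chain from the signed position to the end and recompute K.
    z = [chain(I, q, i, coef(digest, i), 2 ** W - 1, y[i]) for i in range(P)]
    return H(I, u32(q), u16(D_PBLC), *z) == K


def demo(message=b"constructed sample message for the LM-OTS demo"):
    # I is the 16-byte key-pair identifier and q the leaf index; a one-time key must
    # never sign twice, so each caller below gets its own leaf.
    I = os.urandom(16)
    x0, pub0 = keygen(I, 0)
    x1, pub1 = keygen(I, 1)
    # Caller 1 hands the signing primitive the raw message, as the thread says the
    # HSS mechanism expects.
    sig_raw = sign(x0, I, 0, message)
    # Caller 2 reads "hash then sign" literally, hashes in the application and passes
    # only the digest; the signer then treats those 32 bytes as the message.
    prehash = hashlib.sha256(message).digest()
    sig_prehashed = sign(x1, I, 1, prehash)
    return {
        "raw_message_verifies": verify(pub0, message, sig_raw),
        "tampered_message_rejected": not verify(pub0, message + b"!", sig_raw),
        "prehashed_verifies_against_message": verify(pub1, message, sig_prehashed),
        "prehashed_verifies_against_digest": verify(pub1, prehash, sig_prehashed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second caller's signature is perfectly valid, but only over the 32 digest bytes, so it does not verify against the original message: the hash step is already inside the LMS signature and cannot be moved out to the application. That is the interoperability hazard the ambiguous "hash then sign" wording creates, and why spelling out that the mechanism consumes the full message is worth doing.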