A while back, NIST (National Institute of Standards and Technology) came out with Special Publication 800-208 titled “Recommendation for Stateful Hash-Based Signature Schemes”. The full document can be found here.
It was very specific and strongly stated that you need to be very careful about how you do key generation and signing using these algorithms. Here is a direct quote:
Implementations of the key generation and signature algorithms in this document shall only be validated for use within hardware cryptographic modules. The cryptographic modules shall be validated to provide FIPS 140-2 or FIPS 140-3 [19] Level 3 or higher physical security, and the operational environment shall be non-modifiable or limited. … The cryptographic module shall not allow for the export of private keying material. The entropy source for any approved random bit generator used in the implementation shall be located inside the cryptographic module’s physical boundary.
In a nutshell, once an LMS or XMSS private key is generated, there must only ever be one instance of it. No copies. Not even backups. The reason is that with multiple instances there is a chance for misuse of the state of the private key which would be catastrophic because it would require the revocation of the key pair. The standards that define the formats of the cryptographic artifacts even went so far as to leave the format of the private key undefined so that interoperability would be further hindered.
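To make the single-instance requirement concrete, here is an added illustration (not wolfSSL code, and not LMS or XMSS themselves): a toy Lamport one-time signature scheme wrapped in a stateful many-time signer, with a verifier-side monitor. It assumes independent one-time public keys instead of a Merkle tree to stay short, and shows that restoring a "backup" of the private key resets the state, so the same one-time key index is used twice.

```python
import copy
import hashlib
import secrets

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def ots_keygen():
    # Toy Lamport one-time key: 256 secret pairs; public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(sha256(a), sha256(b)) for a, b in sk]

def ots_sign(sk, msg: bytes):
    d = int.from_bytes(sha256(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]  # reveal one half per bit

def ots_verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

class StatefulSigner:
    """Stand-in for an LMS/XMSS private key (simplified, no Merkle tree): a list
    of one-time keys plus a state counter pointing at the next unused one."""
    def __init__(self, n: int):
        self.keys = [ots_keygen() for _ in range(n)]
        self.state = 0
    def public_keys(self):
        return [pk for _, pk in self.keys]
    def sign(self, msg: bytes):
        if self.state >= len(self.keys):
            raise RuntimeError("all one-time keys used; key pair must be retired")
        idx, self.state = self.state, self.state + 1  # advance (and persist) state first
        return idx, ots_sign(self.keys[idx][0], msg)

class ReuseMonitor:
    """Verifier-side check: a one-time key index seen twice means the private
    key state existed in more than one place (copy, backup, restore)."""
    def __init__(self, pks):
        self.pks, self.seen = pks, set()
    def check(self, msg: bytes, idx: int, sig) -> str:
        if not ots_verify(self.pks[idx], msg, sig):
            return "invalid"
        if idx in self.seen:
            return "index reused"
        self.seen.add(idx)
        return "ok"

def demo():
    signer = StatefulSigner(4)
    monitor = ReuseMonitor(signer.public_keys())
    backup = copy.deepcopy(signer)  # the kind of backup SP 800-208 forbids
    r1 = monitor.check(b"firmware v1", *signer.sign(b"firmware v1"))
    r2 = monitor.check(b"firmware v2", *backup.sign(b"firmware v2"))  # reuses index 0
    return r1, r2, signer.state, backup.state
```

Both signatures verify individually; only the monitor's record of indices already seen reveals that two instances of the key existed, which is why the standard requires the state to live in exactly one hardware module.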
We understood this from the start. By using the --enable-lms or --enable-xmss flags you will get the full suite of operations: key generation, signing and verification. This allows our customers to quickly start experimenting, prototyping and benchmarking with these algorithms without first having to go through the long process of finding an HSM vendor. Of course, once it comes time to use these algorithms in production, to reduce code size and guarantee compliance, the key generation and signing operations can be eliminated from the binary with the following flags: --enable-lms=verify-only or --enable-xmss=verify-only.
Here at wolfSSL, we’ve got you covered from start to finish.
If you have questions about any of the above, please contact us at facts@wolfssl.com or +1 425 245 8247.