hash-sigs's People

Contributors

davidmcgrew

hash-sigs's Issues

Size of S is not enforced in LMOTS

In LmotsPrivateKey::init(), S is passed in and the length of S is not enforced (to LenS). Secondly, if S is None, S is generated from entropy to a size of n, which is incorrect. S should always be 68 bytes.

Code does not implement RFC 8554

I have come to realize this implements an earlier version of the Internet-Draft, not RFC 8554.

Using Python 3 syntax, this is one example:

D_PBLC = bytes.fromhex('8080') # hash of iterations in the LM-OTS
D_MESG = bytes.fromhex('8181') # hash of the message in the LMOTS
D_LEAF = bytes.fromhex('8282') # for hash of a leaf in LMS tree
D_INTR = bytes.fromhex('8383') # for hash of an interior node in LMS tree
D_PRG = bytes.fromhex('ff') # for computing LMS private keys

The order of the inputs to H() is a further indication. Does anyone know of a Python3 implementation that implements RFC 8554?

LenI is not correct

RFC 8554 says: The parameter I is a 16-byte string that indicates which Merkle tree this LM-OTS is used with.

Thus, the LenI in the lms_params dict should be 16, not 64.

lms_params = {
    # m, h, LenI
    lms_sha256_m32_h5: (32, 5, 16),
    lms_sha256_m32_h10: (32, 10, 16),
    lms_sha256_m32_h15: (32, 15, 16),
    lms_sha256_m32_h20: (32, 20, 16),
    lms_sha256_m32_h25: (32, 25, 16)
}
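
The length rule raised in this issue, as an added example (not code from hash-sigs or from the issue's author): a strict parser for the RFC 8554 HSS public-key layout that rejects a key carrying a 64-byte I. The function names and both sample keys are constructed for illustration.

```python
import struct

# RFC 8554 typecodes. LMS: typecode -> (m, h). LM-OTS: typecode -> (n, w).
LMS_TYPES = {5: (32, 5), 6: (32, 10), 7: (32, 15), 8: (32, 20), 9: (32, 25)}
LMOTS_TYPES = {1: (32, 1), 2: (32, 2), 3: (32, 4), 4: (32, 8)}
LEN_I = 16       # RFC 8554: I is a 16-byte tree identifier
MAX_LEVELS = 8   # RFC 8554: an HSS hierarchy has 1 to 8 levels


def parse_hss_public_key(blob: bytes) -> dict:
    """Parse u32str(L) || u32str(lms_type) || u32str(lmots_type) || I || T[1].

    Raises ValueError on any unknown typecode or length mismatch.
    """
    if len(blob) < 12:
        raise ValueError("truncated header")
    levels, lms_type, lmots_type = struct.unpack(">III", blob[:12])
    if not 1 <= levels <= MAX_LEVELS:
        raise ValueError(f"levels out of range: {levels}")
    if lms_type not in LMS_TYPES:
        raise ValueError(f"unknown LMS typecode: {lms_type}")
    if lmots_type not in LMOTS_TYPES:
        raise ValueError(f"unknown LM-OTS typecode: {lmots_type}")
    m, h = LMS_TYPES[lms_type]
    expected = 12 + LEN_I + m
    if len(blob) != expected:  # exact match: no trailing or missing bytes
        raise ValueError(f"length {len(blob)} != expected {expected}")
    return {"levels": levels, "lms_type": lms_type, "lmots_type": lmots_type,
            "h": h, "I": blob[12:12 + LEN_I], "T1": blob[12 + LEN_I:]}


def check(blob: bytes) -> str:
    """Return 'ok' or the rejection reason, for logging at a trust boundary."""
    try:
        parse_hss_public_key(blob)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample keys (not real key material).
HEADER = struct.pack(">III", 2, 5, 4)  # L=2, LMS_SHA256_M32_H5, LMOTS_SHA256_N32_W8
RFC_KEY = HEADER + bytes(range(16)) + bytes(32)     # 16-byte I, 60 bytes total
WIDE_I_KEY = HEADER + bytes(range(64)) + bytes(32)  # 64-byte I, 108 bytes total

if __name__ == "__main__":
    print(check(RFC_KEY))
    print(check(WIDE_I_KEY))
```
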

Nothing works (Windows10-64, Python 2.7.16)

python hss.py genkey hss2-5-8
python hss.py read hss2-5-8.prv

HSS private key
levels 00000002
prv[0]:

LMS private key
lms_type 00000005
lmots_type 00000004
SEED d107250f79aae039733e5a364272cf5e
26265d7b7ba689e1c7f861c423736578
I 444951aacaae7b5beeefce552732cce1
25d0b42633e3eeb7ad0773334cd74216
b0ea691c8f8cbb8a0920b89a4b02c095
e30b4abd2c31a7ac7282c093c2fcb6b8
leaf_num 00000001


python hss.py read hss2-5-8.pub

HSS public key
levels 00000002

LMS public key
LMS type 00000005 # LMS_SHA256_M32_H5
LMOTS_type 00000004 # LMOTS_SHA256_N32_W8
I 444951aacaae7b5beeefce552732cce1
25d0b42633e3eeb7ad0773334cd74216
b0ea691c8f8cbb8a0920b89a4b02c095
e30b4abd2c31a7ac7282c093c2fcb6b8
K 3b690e170c095985b2a3f0809aa0a3d5
a1e831228a63257e8aa7acf71b72ef82


Attempt to sign the file "hello.txt" containing the text: Hello World!
python hss.py sign hello.txt hss2-5-8.prv

The signature is stored in the file of size 2,697 bytes
hello.txt.sig
Something is wrong. We cannot pretty print the signature with
python hss.py read hello.txt.sig
hss.py crashes at line 1282..., with message:
ValueError: ('error: parameter has wrong length', '0')

Signature verification fails:
python hss.py verify hss2-5-8.pub hello.txt
-> INVALID (error: exception)

Signing the second time gives a different signature size: 2,707 bytes, but still fails verification
Signing the third time gives a different signature size: 2,701 bytes, but still fails verification
Signing the fourth time gives a different signature size: 2,700 bytes, but still fails verification

INVALID (error: exception)

I'm getting this error when trying to verify a signature. Steps:

python hss.py genkey Alice
python hss.py sign somefile.txt Alice.prv
python hss.py verify Alice.pub somefile.txt

There seem to be other errors from what I can tell looking at the code, like it's only saving one level (root) of LMS private keys and the I parameter is 64 instead of 16 bytes.

Are you still maintaining this project? Is there an LMS/HSS implementation somewhere that does work? Should I switch to XMSS?

Thank you.
