Score:1

Code Signing Parameters for LMS/HSS/XMSS


LMS is especially used for applications such as code signing (https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf). Given the parameter list in Table 3, found here: https://datatracker.ietf.org/doc/html/rfc8554#section-6.2, for which specific code-signing applications and environments (router firmware updates, user OS updates, cloud embedded device firmware update verification) are these parameter sets most practical? The key lifetime in particular?

poncho: Note that the key lifetime in Table 3 is there with the assumption that you're generating 1000 signatures per second. Now, you are not likely to generate 1000 software updates per second, hence it would be more useful to look at the maximum number of signatures that a parameter set can generate - that's the sum of the values in the parm set, raised to the power of two (and so the 20/15 parm set has a limit of $2^{20+15} = 2^{35}$ signatures for a specific public key).
poncho: Also, are you asking which parameter sets would be recommended for software updates? Or, what uses would be best suited for these parameter sets? The first is the obvious question; the way you worded it makes it sound like the second...
destrand: Thank you, poncho. Yes, the second is correct. May you please kindly answer that?
Score:1

for which specific code-signing applications and environments (router firmware updates, user OS updates, cloud embedded device firmware update verification) are these parameter sets most practical?

Well, LMS is best suited if:

  • You need good security (e.g. postquantum); LMS makes the assumption that SHA-256 is strong (alternatively SHAKE-256 for some other parameter sets) - it makes no other assumptions.

  • You don't mind largish signatures (well, large compared to RSA or ECC signatures - they compare quite nicely to other postquantum signature algorithms)

  • You can control the signing process; specifically, you can ensure that you don't accidentally reuse state.

The last criterion is the critical one for most applications; it's difficult to see how it can be used on (say) a PC, because we're likely to store state on disk, and if that disk is backed up and restored, we've lost track of the state.

On the other hand, if you have a centralized signer, and you can ensure that state is managed properly (ideally on an HSM), then it works.

The key lifetime in particular?

Every LMS key has a bound on the number of signatures it can generate; this is what we are referring to as "key lifetime"; obviously, if you generate one signature per update, you want to set this bound higher than the number of updates you'll ever generate. I don't personally see it as a major issue, because we can easily set that limit to be so huge (e.g. $2^{60}$) that we'll never hit it. This does increase the size of the signatures, but not drastically.
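The size and lifetime arithmetic behind the answer above, as an added example that is not part of the original answer or any LMS library. It computes HSS signature sizes from the byte layouts in RFC 8554 (LM-OTS signature = type, C, and p chains; LMS signature = q, LM-OTS signature, type, and h path nodes; HSS signature = Nspk followed by each level's signature and the next level's public key), the total number of signatures $2^{h_0 + \dots + h_{L-1}}$, and the lifetime at the 1000 signatures/second rate the comments mention. Only the SHA-256 (n = 32) parameter sets are handled; the parameter sets listed in the `__main__` block are this example's own choices, not a reproduction of Table 3.

```python
# Added example, not code from the original answer or from any LMS library:
# signature-size and key-lifetime arithmetic for LMS/HSS parameter sets, using
# the encodings defined in RFC 8554. Sizes are computed for the SHA-256
# (n = 32) parameter sets only.

N = 32  # hash output length in bytes for the SHA-256 parameter sets

# LM-OTS chain count p for each Winternitz parameter w (RFC 8554, Table 1).
LMOTS_P = {1: 265, 2: 133, 4: 67, 8: 34}

# An LMS public key is u32str(type) || u32str(otstype) || I (16 bytes) || T[1] (n bytes).
LMS_PUB_LEN = 4 + 4 + 16 + N


def lmots_sig_len(w: int, n: int = N) -> int:
    """Bytes in one LM-OTS signature: u32str(type) || C || y[0] .. y[p-1]."""
    return 4 + n + LMOTS_P[w] * n


def lms_sig_len(h: int, w: int, n: int = N) -> int:
    """Bytes in one LMS signature: u32str(q) || lmots_sig || u32str(type) || path[0..h-1]."""
    return 4 + lmots_sig_len(w, n) + 4 + h * n


def hss_sig_len(heights: list, w: int) -> int:
    """Bytes in an HSS signature over L levels with the given tree heights.

    Layout: u32str(Nspk) || (lms_sig_i || lms_pub_{i+1}) for i < L-1 || lms_sig_{L-1}
    """
    if not heights:
        raise ValueError("need at least one level")
    total = 4  # Nspk = L - 1
    for h in heights[:-1]:
        total += lms_sig_len(h, w) + LMS_PUB_LEN
    return total + lms_sig_len(heights[-1], w)


def max_signatures(heights: list) -> int:
    """One HSS key can sign 2^(h_0 + ... + h_{L-1}) messages in total."""
    return 2 ** sum(heights)


def lifetime_days(heights: list, sigs_per_second: float) -> float:
    """Wall-clock lifetime of the key at a constant signing rate."""
    return max_signatures(heights) / sigs_per_second / 86400


def describe(heights: list, w: int, sigs_per_second: float = 1000.0) -> dict:
    """Summary row for one parameter set (default rate: 1000 signatures/second)."""
    return {
        "parameter_set": "/".join(str(h) for h in heights) + f" w={w}",
        "signature_bytes": hss_sig_len(heights, w),
        "max_signatures": max_signatures(heights),
        "lifetime_days": round(lifetime_days(heights, sigs_per_second), 1),
    }


if __name__ == "__main__":
    # Parameter sets chosen for this example. A release pipeline signing one
    # build per release never approaches 1000/s, so the absolute limit matters
    # more than the lifetime column; note how little a third 20-level costs.
    for hs in ([15], [20, 15], [25, 20], [20, 20, 20]):
        print(describe(hs, 8))
    # Same 20/15 key at one signature per day instead of 1000 per second.
    print(describe([20, 15], 8, sigs_per_second=1 / 86400))
```

The 20/15 set at w=8 comes out at 3444 bytes per signature and $2^{35}$ signatures, which at 1000 per second is roughly 398 days; a three-level 20/20/20 key gives $2^{60}$ signatures for 5432 bytes, which is the "not drastically larger" trade-off the answer describes.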
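The state-reuse failure mode the answer warns about (a state file that is backed up and later restored), as an added example that is not part of the original answer or any LMS library. It shows a "reserve before sign" discipline for the leaf index q: the incremented index is persisted atomically before the signer is allowed to use the old one, the key refuses to hand out more than $2^h$ indices, and a monotonic counter held outside the backed-up filesystem (modelling the HSM the answer recommends) catches a restored-from-backup state file before any index is reused. All class and function names are this example's own, and the scenarios are constructed; no real signatures are produced.

```python
# Added example, not code from the original answer or from any LMS library:
# a "reserve before sign" leaf-index store for a stateful HSS/LMS key, plus a
# cross-check against a monotonic counter that stands in for an HSM-held
# counter. Names are this example's own. It manages only the index q that
# must never repeat; it does not compute signatures.
import json
import os
import shutil
import tempfile


class KeyExhaustedError(Exception):
    """Every leaf of the key has been used; a new key pair is needed."""


class StateRollbackError(Exception):
    """The on-disk state is older than an index that was already handed out."""


class LeafIndexStore:
    """Keeps the next unused leaf index q on disk.

    The updated index is written atomically and fsync'd before the old value
    is returned to the signer, so a crash between reservation and signing can
    only waste a leaf, never reuse one.
    """

    def __init__(self, path: str, total_leaves: int) -> None:
        self.path = path
        self.total_leaves = total_leaves
        if not os.path.exists(path):
            self._write(0)

    def _write(self, next_q: int) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next_q": next_q}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)  # atomic rename over the old state

    def peek(self) -> int:
        with open(self.path) as f:
            return json.load(f)["next_q"]

    def commit(self, next_q: int) -> None:
        self._write(next_q)


class MonotonicCounter:
    """Models a counter held outside the backed-up filesystem (e.g. in an HSM)."""

    def __init__(self) -> None:
        self.value = 0  # smallest index that may still be issued

    def check(self, q: int) -> None:
        if q < self.value:
            raise StateRollbackError(f"index {q} was already issued (counter at {self.value})")

    def advance(self, next_q: int) -> None:
        self.value = max(self.value, next_q)


def reserve_leaf(store: LeafIndexStore, counter: MonotonicCounter) -> int:
    """Return a leaf index that is safe to sign with, or raise."""
    q = store.peek()
    if q >= store.total_leaves:
        raise KeyExhaustedError(f"all {store.total_leaves} leaves used")
    counter.check(q)        # detects a state file restored from backup
    store.commit(q + 1)     # persist first ...
    counter.advance(q + 1)  # ... then record it out-of-band ...
    return q                # ... and only now let the signer use q


def simulate_backup_restore(total_leaves: int = 2 ** 5) -> dict:
    """Constructed scenario: issue leaves, snapshot the state file, issue more,
    restore the snapshot, and check that the next reservation is refused."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hss_state.json")
    backup = os.path.join(workdir, "hss_state.backup")
    try:
        store = LeafIndexStore(path, total_leaves)
        counter = MonotonicCounter()
        issued = [reserve_leaf(store, counter) for _ in range(3)]
        shutil.copy(path, backup)                    # nightly backup taken here
        issued += [reserve_leaf(store, counter) for _ in range(2)]
        shutil.copy(backup, path)                    # operator restores the backup
        reissued = store.peek()                      # what a naive signer would reuse
        try:
            reserve_leaf(store, counter)
            caught = False
        except StateRollbackError:
            caught = True
        return {"issued": issued, "would_reuse": reissued, "rollback_caught": caught}
    finally:
        shutil.rmtree(workdir)


def simulate_exhaustion(total_leaves: int = 4) -> bool:
    """Constructed scenario: the store refuses a (total_leaves + 1)-th index."""
    workdir = tempfile.mkdtemp()
    try:
        store = LeafIndexStore(os.path.join(workdir, "s.json"), total_leaves)
        counter = MonotonicCounter()
        for _ in range(total_leaves):
            reserve_leaf(store, counter)
        try:
            reserve_leaf(store, counter)
            return False
        except KeyExhaustedError:
            return True
    finally:
        shutil.rmtree(workdir)
```

Without the out-of-band counter, the restored file would hand out index 3 a second time and the two signatures sharing that LM-OTS key would leak enough of it to forge; with it, the signer stops instead. The counter only works if it genuinely lives outside whatever gets backed up and restored, which is the reason the answer points at an HSM for centralized signers.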
