Summary
-------
Add a new standard signature algorithm named "HSS/LMS", and provide new `KeyFactory` and `Signature` implementations for the algorithm. The `KeyFactory` only operates on public keys and the `Signature` only covers the verification part.
The HSS/LMS algorithm is defined in [RFC 8554: Leighton-Micali Hash-Based Signatures](https://www.rfc-editor.org/rfc/rfc8554.html) and [NIST Special Publication 800-208](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf).

Problem
-------
The Leighton-Micali Signature (LMS) system, along with its multi-tree variant, the Hierarchical Signature System (HSS), is a stateful hash-based signature (HBS) scheme.
It is believed that this algorithm will not be broken by the development of large-scale quantum computers.
HSS/LMS is one of the two approved stateful HBS schemes listed in NIST Special Publication 800-208 published in October 2020. The [Commercial National Security Algorithm Suite 2.0](https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF), published by NSA in September 2022, approves and recommends LMS as a quantum-resistant algorithm for software and firmware signing for National Security Systems.
It is important for the JDK to support this algorithm to comply with CNSA 2.0 and provide a quantum-resistant signature algorithm.

Solution
--------
Define a new standard algorithm name "HSS/LMS" for `KeyFactory` and `Signature`. This name was chosen to be consistent with the algorithm name used by other standards such as [RFC 8708](https://www.rfc-editor.org/rfc/rfc8708.html) (Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryptographic Message Syntax (CMS)) and [RFC 8778](https://www.rfc-editor.org/rfc/rfc8778.html) (Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)).
Provide `KeyFactory` and `Signature` implementations of this algorithm in the SUN provider. The implementations will only cover public key management and signature verification. This is because the Introduction section of NIST SP 800-208 explicitly states:

> This recommendation requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported, even in encrypted form.

An HSS/LMS `PublicKey` object generated by the `generatePublic` or `translateKey` methods of the `KeyFactory` implementation is serializable and uses `java.security.KeyRep` as its serialized representation. Its `getAlgorithm` returns "HSS/LMS" and its `getFormat` returns "X.509".
The `Signature` implementation will throw an `InvalidKeyException` if its `initSign` method is called. The `KeyFactory` implementation will throw an `InvalidKeySpecException` if its `generatePrivate` method is called or if its `getKeySpec` method is called with an unsupported key or an unsupported key specification, or an `InvalidKeyException` if its `translateKey` method is called on an unsupported key.
Note: The public key and signatures must be in HSS format. That is, the `L` header of the public key and the `Npsk` header of the signature must be present, even for a single-tree LMS, where `L = 1` and `Npsk = 0`. Plain LMS format is not supported.
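
The framing requirement in the note above can be checked before a key or signature reaches the provider. The following is an added example, not code from the JDK or the SUN provider; it assumes raw RFC 8554 key bytes (before X.509 wrapping) and only the SHA-256 parameter sets defined in RFC 8554, and the class and method names are hypothetical.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

// Added example: structural pre-check for raw HSS public keys and signatures (RFC 8554).
public class HssFramingCheck {
    static final int ID_LEN = 16;   // length of the LMS key identifier I
    static final int M = 32;        // hash length for the RFC 8554 SHA-256 parameter sets

    /** Returns L if raw is an HSS-framed public key, otherwise throws. */
    static int hssLevels(byte[] raw) {
        // u32str(L) || u32str(lms type) || u32str(ots type) || I || T[1]
        if (raw.length != 4 + 4 + 4 + ID_LEN + M) {
            throw new IllegalArgumentException("length " + raw.length
                    + " is not an HSS public key (a plain LMS key is 4 bytes shorter)");
        }
        ByteBuffer b = ByteBuffer.wrap(raw);   // big-endian by default, as u32str requires
        int levels = b.getInt(), lmsType = b.getInt(), otsType = b.getInt();
        if (levels < 1 || levels > 8) throw new IllegalArgumentException("L out of range: " + levels);
        if (lmsType < 5 || lmsType > 9) throw new IllegalArgumentException("unknown LMS type " + lmsType);
        if (otsType < 1 || otsType > 4) throw new IllegalArgumentException("unknown LM-OTS type " + otsType);
        return levels;
    }

    /** The signature's leading Npsk header must equal L - 1. */
    static boolean npskMatches(byte[] sig, int levels) {
        return sig.length >= 4 && ByteBuffer.wrap(sig).getInt() == levels - 1;
    }

    public static void main(String[] args) {
        // Constructed sample: L=1, LMS_SHA256_M32_H5 (5), LMOTS_SHA256_N32_W8 (4), zeroed I and T[1].
        byte[] hss = ByteBuffer.allocate(60).putInt(1).putInt(5).putInt(4).array();
        byte[] plainLms = Arrays.copyOfRange(hss, 4, 60);   // same key without the L header
        System.out.println("HSS key, L = " + hssLevels(hss));
        try {
            hssLevels(plainLms);
        } catch (IllegalArgumentException e) {
            System.out.println("plain LMS key rejected: " + e.getMessage());
        }
        byte[] sigHeader = ByteBuffer.allocate(4).putInt(0).array();  // constructed: only the Npsk word
        System.out.println("Npsk matches L: " + npskMatches(sigHeader, 1));
    }
}
```

The signature check is a necessary condition only: a plain LMS signature begins with the leaf index `q`, which can also be 0, so a matching first word does not prove HSS framing.
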
The object identifier for HSS/LMS is defined in RFC 8708, Section 3 as:

> id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1)
> member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
> smime(16) alg(3) 17 }

We will support this object identifier as an OID alias for the standard name, i.e. "OID.1.2.840.113549.1.9.16.3.17".

Specification
-------------
In the [Java Standard Algorithm Names](https://docs.oracle.com/en/java/javase/19/docs/specs/security/standard-names.html) page, in "KeyFactory Algorithms", add

> HSS/LMS Keys for the Leighton-Micali Signature (LMS) system with the Hierarchical Signature System (HSS) as defined in RFC 8554

In "Signature Algorithms", add

> HSS/LMS The Leighton-Micali Signature (LMS) system with the Hierarchical Signature System (HSS) as defined in RFC 8554

In [JDK Provider Documentation](https://docs.oracle.com/en/java/javase/19/security/oracle-providers.html#GUID-FE2D2E28-C991-4EF9-9DBE-2A4982726313), in the SUN provider section, add a name "HSS/LMS" in the "Signature" row.