- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- New signature algorithm.
- Other
- SE
Summary
Add a new standard signature algorithm named "HSS/LMS", and provide new KeyFactory and Signature implementations for the algorithm. The KeyFactory only operates on public keys and the Signature only covers the verification part.
The HSS/LMS algorithm is defined in RFC 8554: Leighton-Micali Hash-Based Signatures and NIST Special Publication 800-208.
Problem
The Leighton-Micali Signature (LMS) system, along with its multi-tree variant, the Hierarchical Signature System (HSS), is a stateful hash-based signature (HBS) scheme.
It is believed that this algorithm will not be broken by the development of large-scale quantum computers.
HSS/LMS is one of the two approved stateful HBS schemes listed in NIST Special Publication 800-208 published in October 2020. The Commercial National Security Algorithm Suite 2.0, published by NSA in September 2022, approves and recommends LMS as a quantum-resistant algorithm for software and firmware signing for National Security Systems.
It is important for the JDK to support this algorithm to comply with CNSA 2.0 and provide a quantum-resistant signature algorithm.
Solution
Define a new standard algorithm name "HSS/LMS" for KeyFactory and Signature. This name was chosen to be consistent with the algorithm name used by other standards such as RFC 8708 (Use of the HSS/LMS Hash-Based Signature Algorithm in the Cryptographic Message Syntax (CMS)) and RFC 8778 (Use of the HSS/LMS Hash-Based Signature Algorithm with CBOR Object Signing and Encryption (COSE)).
Provide KeyFactory and Signature implementations of this algorithm in the SUN provider. The implementations will only cover public key management and signature verification. This is because the Introduction section of NIST SP 800-208 explicitly states:
This recommendation requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported, even in encrypted form.
An HSS/LMS PublicKey object generated by the generatePublic or translateKey methods of the KeyFactory implementation is serializable and uses java.security.KeyRep as its serialized representation. Its getAlgorithm returns "HSS/LMS" and its getFormat returns "X.509".
The Signature implementation will throw an InvalidKeyException if its initSign method is called. The KeyFactory implementation will throw an InvalidKeySpecException if its generatePrivate method is called or if its getKeySpec method is called with an unsupported key or an unsupported key specification, or an InvalidKeyException if its translateKey method is called on an unsupported key.
Note: The public key and signatures must be in HSS format, that is to say, the L header of the public key and the Nspk header of the signature must be present, even if it's only for a single-tree LMS, where L = 1 and Nspk = 0. Plain LMS format is not supported.
The object identifier for HSS/LMS is defined in RFC 8708, Section 3 as:
id-alg-hss-lms-hashsig OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) alg(3) 17 }
We will support this object identifier as an OID alias for the standard name, i.e. "OID.1.2.840.113549.1.9.16.3.17".
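The verification-only behaviour described above, as an added example (not code from this CSR or from the JDK): it verifies a detached signature with fail-closed error handling and confirms that signing and private-key import are rejected. The class name, method names and the three command-line file arguments are assumptions; it needs a JDK whose SUN provider includes this implementation, an X.509-encoded public key and a signature in HSS format.

```java
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;

public class HssLmsVerifyExample {                       // hypothetical class name
    /** Verify an HSS-format signature; any key or signature error fails closed. */
    static boolean verify(byte[] x509Key, byte[] message, byte[] hssSig) {
        try {
            PublicKey pub = KeyFactory.getInstance("HSS/LMS")
                    .generatePublic(new X509EncodedKeySpec(x509Key));
            Signature sig = Signature.getInstance("HSS/LMS");
            sig.initVerify(pub);
            sig.update(message);
            return sig.verify(hssSig);
        } catch (GeneralSecurityException e) {
            return false; // unknown algorithm, malformed key or malformed signature
        }
    }

    /** initSign must throw InvalidKeyException: the implementation is verify-only. */
    static boolean signingRejected() throws GeneralSecurityException {
        // Constructed input: a throwaway EC key stands in for "some private key".
        PrivateKey any = KeyPairGenerator.getInstance("EC").generateKeyPair().getPrivate();
        try {
            Signature.getInstance("HSS/LMS").initSign(any);
            return false;
        } catch (InvalidKeyException expected) {
            return true;
        }
    }

    /** generatePrivate must throw InvalidKeySpecException: no private-key import. */
    static boolean privateKeyImportRejected() throws GeneralSecurityException {
        try {
            KeyFactory.getInstance("HSS/LMS").generatePrivate(new PKCS8EncodedKeySpec(new byte[0]));
            return false;
        } catch (InvalidKeySpecException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("initSign rejected: " + signingRejected());
        System.out.println("generatePrivate rejected: " + privateKeyImportRejected());
        if (args.length == 3) { // assumed arguments: X.509 public key, message file, HSS signature
            System.out.println("signature valid: " + verify(Files.readAllBytes(Path.of(args[0])),
                    Files.readAllBytes(Path.of(args[1])), Files.readAllBytes(Path.of(args[2]))));
        }
    }
}
```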
Specification
In the Java Standard Algorithm Names page, in "KeyFactory Algorithms", add
HSS/LMS Keys for the Leighton-Micali Signature (LMS) system with the Hierarchical Signature System (HSS) as defined in RFC 8554
In "Signature Algorithms", add
HSS/LMS The Leighton-Micali Signature (LMS) system with the Hierarchical Signature System (HSS) as defined in RFC 8554
In JDK Provider Documentation, in the SUN provider section, add a name "HSS/LMS" in the "Signature" row.
- csr of: JDK-8298127 HSS/LMS Signature Verification - Resolved