Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[rom] Introduce domain separation prefix for SPHINCS+. #23762

Merged
merged 2 commits into from
Jun 25, 2024
Merged

[rom] Introduce domain separation prefix for SPHINCS+. #23762

merged 2 commits into from
Jun 25, 2024

Conversation

jadephilipoom
Copy link
Contributor

For later compatibility with the FIPS 205 standard, introduces a domain separation prefix for the message that is always two zero bytes, indicating a "pure" (not pre-hashed) message and an empty context. For now, the pre-hashed variant is not supported (we may add it as a separate change, but it made sense to me to do this step first).

I chose to implement the domain separator outside of the main SPHINCS+ implementation to maintain KAT compatibility; the existing KATs don't include the domain separator, and NIST has said that their KATs will include targets for the "internal" underlying operation that does not include the prefix.

Resolves #21944

@jadephilipoom jadephilipoom requested review from a team as code owners June 21, 2024 10:15
@jadephilipoom jadephilipoom mentioned this pull request Jun 21, 2024
Merged
@moidx moidx removed the request for review from a team June 24, 2024 21:02
moidx
moidx approved these changes Jun 24, 2024
View reviewed changes
sw/device/silicon_creator/lib/sigverify/spx_verify.c
*
* In our case, `ctx` is always the empty string, so the length is 0.
*/
static const uint8_t kSpxVerifyPureDomainSep[] = {
Copy link
Contributor

@moidx moidx Jun 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sgtm. The sequence of three arguments gets reduced to two due to len(ctx) == 0. This matches the proposed specification.

@jadephilipoom
[rom] Introduce domain separation prefix for SPHINCS+.
0b046f8 
For later compatibility with the FIPS 205 standard, introduces a domain
separation prefix for the message that is always two zero bytes, indicating a
"pure" (not pre-hashed) message and an empty context.

Signed-off-by: Jade Philipoom <[email protected]>
@jadephilipoom
[rom,test] Re-generate SPHINCS+ test data to include domain separator.
33a3e94 
Signed-off-by: Jade Philipoom <[email protected]>
@jadephilipoom jadephilipoom merged commit 34938fd into lowRISC:master Jun 25, 2024
32 checks passed
@jadephilipoom jadephilipoom deleted the spx-domain-sep branch June 25, 2024 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@moidx moidx moidx approved these changes

@cfrantz cfrantz cfrantz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[rom] Change the base-w representation in SPHINCS+
3 participants
@jadephilipoom @cfrantz @moidx