From 2624033f73cc69f1b3760775b8138ef4f88df742061d7b69e0e66d9779ac2b82 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Thu, 17 Apr 2025 11:12:31 +0300
Subject: [PATCH] Do randomised SPHINCS+ signatures

Unlike classical signature schemes like ECDSA, here entropy is only used for randomisation. Even if low quality PRNG is in use, even if it is constant, it has no security drawbacks on private key leakage (except for side-channel attacks). ECDSA/GOST 34.10 can be completely compromised with bad PRNGs.
---
 go/cm/hash/algo.go | 4 ++--
 go/cm/hash/shake.go | 6 +++---
 go/cm/sign/pub.go | 6 +++---
 go/cm/sign/spx/kp.go | 9 ++++-----
 go/cm/sign/spx/signer.go | 6 +++---
 spec/cm/signed.texi | 23 ++++++++++++-----------
 6 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/go/cm/hash/algo.go b/go/cm/hash/algo.go
index 5819400..703e7d1 100644
--- a/go/cm/hash/algo.go
+++ b/go/cm/hash/algo.go
@@ -73,12 +73,12 @@ func ByName(name string) hash.Hash {
 return h
 case SHAKE128:
 return NewSHAKE128()
- case SHAKE256, SPHINCSPlusSHAKE256sNonRandom, SPHINCSPlusSHAKE256sNonRandomPh:
+ case SHAKE256, SPHINCSPlusSHAKE256s, SPHINCSPlusSHAKE256sPh:
 return NewSHAKE256()
 case SHAKE128Merkle:
 return NewSHAKE128MerkleHasher(
 merkle.DefaultChunkLen, DefaultNumCPU)
- case SHAKE256Merkle, SPHINCSPlusSHAKE256sNonRandomMerkle:
+ case SHAKE256Merkle, SPHINCSPlusSHAKE256sMerkle:
 return NewSHAKE256MerkleHasher(
 merkle.DefaultChunkLen, DefaultNumCPU)
 }
diff --git a/go/cm/hash/shake.go b/go/cm/hash/shake.go
index 4de9849..5051d76 100644
--- a/go/cm/hash/shake.go
+++ b/go/cm/hash/shake.go
@@ -27,9 +27,9 @@ const (
 SHAKE128Merkle = "shake128-merkle"
 SHAKE256Merkle = "shake256-merkle"
- SPHINCSPlusSHAKE256sNonRandom = "sphincs+-shake-256s-nonrandom"
- SPHINCSPlusSHAKE256sNonRandomPh = "sphincs+-shake-256s-nonrandom-ph"
- SPHINCSPlusSHAKE256sNonRandomMerkle = "sphincs+-shake-256s-nonrandom-merkle"
+ SPHINCSPlusSHAKE256s = "sphincs+-shake-256s"
+ SPHINCSPlusSHAKE256sPh = "sphincs+-shake-256s-ph"
+ SPHINCSPlusSHAKE256sMerkle = "sphincs+-shake-256s-merkle"
 )
 type SHAKE struct {
diff --git a/go/cm/sign/pub.go b/go/cm/sign/pub.go
index bc7bf64..c71076e 100644
--- a/go/cm/sign/pub.go
+++ b/go/cm/sign/pub.go
@@ -141,7 +141,7 @@ func (pub *PubLoad) CheckSignature(algo string, signed, signature []byte) (err e
 err = ErrSigInvalid
 }
 case spx.SPHINCSPlusSHAKE256s:
- if algo != spx.SPHINCSPlusSHAKE256sNonRandom {
+ if algo != spx.SPHINCSPlusSHAKE256s {
 return ErrBadSigAlgo
 }
 valid, err = spx.Verify(key.A, key.V, signed, signature)
@@ -193,8 +193,8 @@ func (pub *PubLoad) CheckSignaturePrehash(
 }
 case spx.SPHINCSPlusSHAKE256s:
 switch algo {
- case spx.SPHINCSPlusSHAKE256sNonRandomPh:
- case spx.SPHINCSPlusSHAKE256sNonRandomMerkle:
+ case spx.SPHINCSPlusSHAKE256sPh:
+ case spx.SPHINCSPlusSHAKE256sMerkle:
 default:
 return ErrBadSigAlgo
 }
diff --git a/go/cm/sign/spx/kp.go b/go/cm/sign/spx/kp.go
index 10fc55c..0a9c0b8 100644
--- a/go/cm/sign/spx/kp.go
+++ b/go/cm/sign/spx/kp.go
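Review bot: The three identifiers added to this `const` block are a second copy of the strings added to `sign/spx/kp.go` in the same patch, and nothing in either file records that the two must agree — this rename had to be made in lockstep, and a future edit to one copy will silently desynchronise `hash.ByName` from `spx.Signer.Algo`. If `hash` cannot import `spx` (the reverse import appears to exist, since `spx/signer.go` returns a `*hash.Hash`), at least make the coupling visible with a comment on these lines: `// Signature algorithm identifiers; must stay byte-identical to those in sign/spx/kp.go (hash cannot import spx).` The `const (` block opens above the hunk.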
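Review bot: After this change `CheckSignature` returns ErrBadSigAlgo for any signature labelled with the previous `sphincs+-shake-256s-nonrandom` identifier, so data signed before this commit stops verifying, although SPHINCS+ verification itself does not depend on whether the signer randomised R (OptRand only changes how R is derived at signing time; the verifier takes R from the signature). If previously signed objects must stay verifiable, keep the old constants in `sign/spx/kp.go` as deprecated aliases and accept them alongside the new ones, e.g. `if algo != spx.SPHINCSPlusSHAKE256s && algo != spx.SPHINCSPlusSHAKE256sNonRandom {` here, and `case spx.SPHINCSPlusSHAKE256sPh, spx.SPHINCSPlusSHAKE256sNonRandomPh:` plus the merkle counterpart in the second hunk of this file (`CheckSignaturePrehash`). If rejecting old identifiers is intentional, the commit message and the spec should state that it is a breaking change. Both functions begin before their hunks and `CheckSignature` continues after its hunk.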
@@ -21,13 +21,12 @@ import (
 )
 const (
- SPHINCSPlusSHAKE256s = "sphincs+-shake-256s"
- SPHINCSPlusSHAKE256sNonRandom = "sphincs+-shake-256s-nonrandom"
- SPHINCSPlusSHAKE256sNonRandomPh = "sphincs+-shake-256s-nonrandom-ph"
- SPHINCSPlusSHAKE256sNonRandomMerkle = "sphincs+-shake-256s-nonrandom-merkle"
+ SPHINCSPlusSHAKE256s = "sphincs+-shake-256s"
+ SPHINCSPlusSHAKE256sPh = "sphincs+-shake-256s-ph"
+ SPHINCSPlusSHAKE256sMerkle = "sphincs+-shake-256s-merkle"
 )
-var Params = spxParams.MakeSphincsPlusSHAKE256256sRobust(false)
+var Params = spxParams.MakeSphincsPlusSHAKE256256sRobust(true)
 func NewKeypair(algo string) (prv, pub []byte, err error) {
 sk, pk := spx.Spx_keygen(Params)
diff --git a/go/cm/sign/spx/signer.go b/go/cm/sign/spx/signer.go
index 5531a79..57ddcb4 100644
--- a/go/cm/sign/spx/signer.go
+++ b/go/cm/sign/spx/signer.go
@@ -67,11 +67,11 @@ func (s *Signer) Prehasher() *hash.Hash {
 func (s *Signer) Algo() string {
 switch s.mode {
 case mode.Pure:
- return SPHINCSPlusSHAKE256sNonRandom
+ return SPHINCSPlusSHAKE256s
 case mode.Prehash:
- return SPHINCSPlusSHAKE256sNonRandomPh
+ return SPHINCSPlusSHAKE256sPh
 case mode.Merkle:
- return SPHINCSPlusSHAKE256sNonRandomMerkle
+ return SPHINCSPlusSHAKE256sMerkle
 }
 return ""
 }
diff --git a/spec/cm/signed.texi b/spec/cm/signed.texi
index 4252f8f..1bf94e5 100644
--- a/spec/cm/signed.texi
+++ b/spec/cm/signed.texi
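Review bot: `var Params = spxParams.MakeSphincsPlusSHAKE256256sRobust(true)` is the entire behavioural change of this commit, yet it is a bare boolean literal with no comment, so a reader of kp.go cannot tell that `true` selects randomised signing or where the per-signature randomness comes from. Add a comment above the line, e.g. `// NOTE(review): true selects randomised signing (OptRand is drawn inside the library — confirm it uses crypto/rand); verification is unaffected by this flag.` The unchanged context retained in the `spec/cm/signed.texi` hunk of this same patch still describes the scheme as 'robust parameters and deterministic signatures', which this line now contradicts; that sentence should say randomised. `NewKeypair` continues past the end of the hunk.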
@@ -116,26 +116,27 @@ recipient's public key fingerprint(s).
 HashEdDSA mode is used with @code{ed25519ph-blake2b-merkle} algorithm identifier for signature.
-@node cm-signed-sphincs+-shake-256s-nonrandom
-@cindex cm-signed-sphincs+-shake-256s-nonrandom
-@nodedescription cm/signed with SPHINCS+-SHAKE256-256s-robust non-random
-@subsection cm/signed with SPHINCS+-SHAKE256-256s-robust non-random
+@node cm-signed-sphincs+-shake-256s
+@cindex cm-signed-sphincs+-shake-256s
+@cindex cm-signed-sphincs+-shake-256s-ph
+@nodedescription cm/signed with SPHINCS+-SHAKE256-256s-robust
+@subsection cm/signed with SPHINCS+-SHAKE256-256s-robust
 @url{https://sphincs.org/, SPHINCS+} with @url{https://keccak.team/, SHAKE256} hash, 255-bit security level, small signatures, robust parameters and deterministic signatures.
- @code{sphincs+-shake-256s-nonrandom} algorithm identifier
+ @code{sphincs+-shake-256s} algorithm identifier
 must be used for the signature in pure signing mode.
- @code{sphincs+-shake-256s-nonrandom-ph} is used in prehash mode.
+ @code{sphincs+-shake-256s-ph} is used in prehash mode.
-@node cm-signed-sphincs+-shake-256s-nonrandom-merkle
-@cindex cm-signed-sphincs+-shake-256s-nonrandom-merkle
-@nodedescription cm-signed-sphincs+-shake-256s-nonrandom with Merkle-tree hashing
-@subsection cm-signed-sphincs+-shake-256s-nonrandom with Merkle-tree hashing
+@node cm-signed-sphincs+-shake-256s-merkle
+@cindex cm-signed-sphincs+-shake-256s-merkle
+@nodedescription cm-signed-sphincs+-shake-256s with Merkle-tree hashing
+@subsection cm-signed-sphincs+-shake-256s with Merkle-tree hashing
 @ref{cm-hashed-shake-merkle, shake256-merkle} Merkle-tree hashing is used.
- @code{sphincs+-shake-256s-nonrandom-merkle} algorithm
+ @code{sphincs+-shake-256s-merkle} algorithm
 identifier must be used for the signature.
-- 
2.48.1