SPHINCS Tasks

[TJ-91]

• [x] gen_message_random_sha2: It's HMAC-256 and HMAC-512. Libgcrypt offers HMAC-256. Decide whether to implement HMAC-512 in Libgcrypt or whether to just replace the hash calls from the ref impl. Replace HMAC-SHA256/512 by libgcrypt internals

• [x] mgf1 is already implemented for RSA but only with static methods and not with a real interface. Now that SPHINCS+ also needs it, this might be turned into a real implementation with an interface (prefer the easy solution to just replace the hash calls from ref impl.) Replace SPHINCS+'s mgf1 implementation

  • [x] implement as suggested by Falko
  • [x] #45
  • For now it's implemented as:
  • libcipher_la_DEPENDENCIES = $(GCRYPT_MODULES) mgf.lo
  • libcipher_la_LIBADD = $(GCRYPT_MODULES) mgf.lo
  • A conditional (if RSA or SPHINCS+ is built) would probably suffice but how to do it in automake?

• [x] eliminate VLA

• [x] check and propagate return codes everywhere

• [x] check if thash can be unified into one function

• [x] implement seeded state (gcry_md_copy)

• [x] remove unneeded code / files

• [x] rename to SLH-DSA

[falko-strenzke]

Not sure what exactly you mean by "HMAC-512", but I assume "HMAC-SHA512". Libgcrypt features also HMAC-SHA512. From cipher/mac-hmac.c:

const gcry_mac_spec_t _gcry_mac_type_spec_hmac_sha512 = {
  GCRY_MAC_HMAC_SHA512, {0, 1}, "HMAC_SHA512",
  &hmac_ops
};

[falko-strenzke]

• mgf1 is already implemented for RSA but only with static methods and not with a real interface. Now that SPHINCS+ also needs it, this might be turned into a real implementation with an interface (prefer the easy solution to just replace the hash calls from ref impl.)

Yes, definitely the existing implementation of MGF1 should be used. I propose to put it into a new file cipher/mgf.c and the corresponding header file. But it should not become accessible through the API, only offer an internal interface. As far as I can see, the single existing function

static gcry_err_code_t
mgf1 (unsigned char *output, size_t outlen, unsigned char *seed, size_t seedlen,
      int algo)

should suffice, right?

[TJ-91]

Good suggestions.

Libgcrypt features also HMAC-SHA512

Ah, I was confused by hmac256.c and didn't see mac-hmac.c.

should suffice, right?

Yes that should work