eXtended Merkle Signature Scheme (XMSS) with Go
A digital signature allows a message to be signed with a private key and verified with the corresponding public key. With a One-Time Signature (OTS) scheme we can securely sign exactly one message with a given key pair, while a Many-Time Signature (MTS) scheme allows many messages to be signed. XMSS is a stateful hash-based MTS: it gives relatively small private and public keys and fast signature generation and verification, but relatively slow key generation. Because it is stateful, the signer must keep track of which one-time keys have already been used, since signing two messages with the same one-time key breaks the security of the scheme. Buchmann, Dahmen, and Hülsing outlined XMSS in [1]. It has been standardized in RFC 8391 and uses WOTS+ as its main building block.
Code
The following is some sample code:
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"strconv"

	"github.com/AidosKuneen/xmss"
)

// getSalt returns n cryptographically random bytes, used here as the XMSS seed.
func getSalt(n int) []byte {
	nonce := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err.Error())
	}
	return nonce
}

func main() {
	h := 10 // tree height: the key pair can sign 2^h messages
	m := "Input message"
	argCount := len(os.Args[1:])
	if argCount > 0 {
		m = os.Args[1]
	}
	if argCount > 1 {
		// Parse the height before the key is generated, so the argument actually takes effect.
		if v, err := strconv.Atoi(os.Args[2]); err == nil {
			h = v
		}
	}
	seed := getSalt(12)
	mer := xmss.NewMerkle(byte(h), seed) // holds the private key and the leaf-index state
	msg := []byte(m)
	sig := mer.Sign(msg)
	pub := mer.PublicKey()
	fmt.Printf("== XMSS (eXtended Merkle Signature Scheme) ==\n")
	fmt.Printf("Input message:\t\t\t%s\n", m)
	fmt.Printf("Seed:\t\t\t%x\n", seed)
	fmt.Printf("h (height):\t\t\t%d\n", h)
	fmt.Printf("\nSignature (first 32 bytes):\t%x\n", sig[:32])
	fmt.Printf("\nSignature length:\t\t%d bytes\n", len(sig))
	if xmss.Verify(sig, msg, pub) {
		fmt.Println("Signature is Valid")
	}
}
And a sample run:
== XMSS (eXtended Merkle Signature Scheme) ==
Input message:               Testing 123
Seed:                        61ceed2b844792410551d7f3
h (height):                  10

Signature (first 32 bytes):  00000000cb52639273d1cf3deae830d558f5889cf57f9d948955a0b8ce34caf1

Signature length:            2500 bytes
Signature is Valid
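To make the stateful structure concrete, here is an added toy example in Python that is not the page's code and not the AidosKuneen library: one-time keys sit at the leaves of a Merkle tree, the root is the public key, and a leaf index is the signer's state. It uses plain Lamport/SHA-256 one-time keys instead of WOTS+ and omits XMSS's bitmasks and hash chains, so its signatures are much larger than the 2500 bytes in the run above, but it shows why signing must advance the index before releasing a signature and why an exhausted key pair must refuse to sign.

```python
import hashlib
import os

H = 3  # tree height: 2**H one-time keys per key pair (the page's run uses h = 10)

def sha(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits(digest):  # the 256 message-digest bits, most significant first
    return [(digest[j // 8] >> (7 - j % 8)) & 1 for j in range(256)]

def ots_keygen():  # Lamport OTS: two random secrets per digest bit, public key is their hashes
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[sha(s0), sha(s1)] for s0, s1 in sk]
    return sk, pk

def leaf(pk):  # a tree leaf commits to one whole OTS public key
    return sha(*(p for pair in pk for p in pair))

class Merkle:
    def __init__(self):
        self.keys = [ots_keygen() for _ in range(2 ** H)]
        self.tree = [[leaf(pk) for _, pk in self.keys]]  # level 0 = leaves
        while len(lvl := self.tree[-1]) > 1:  # hash pairs upward until one root remains
            self.tree.append([sha(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.next = 0  # the state: index of the next unused one-time key

    def root(self):
        return self.tree[-1][0]  # the public key

    def sign(self, msg):
        if self.next >= 2 ** H:
            raise RuntimeError("key pair exhausted: every one-time key has been used")
        i, self.next = self.next, self.next + 1  # advance the state before releasing the signature
        sk, pk = self.keys[i]
        reveal = [sk[j][b] for j, b in enumerate(bits(sha(msg)))]
        auth, idx = [], i
        for lvl in range(H):  # sibling node at each level, leaf to root
            auth.append(self.tree[lvl][idx ^ 1])
            idx //= 2
        return {"idx": i, "reveal": reveal, "pk": pk, "auth": auth}

def verify(msg, sig, root):
    if any(sha(s) != pk[b] for s, pk, b in zip(sig["reveal"], sig["pk"], bits(sha(msg)))):
        return False  # a revealed secret does not match the OTS public key
    node, idx = leaf(sig["pk"]), sig["idx"]
    for sibling in sig["auth"]:  # recompute the root from the authentication path
        node = sha(node, sibling) if idx % 2 == 0 else sha(sibling, node)
        idx //= 2
    return node == root
```

In a real deployment the index must also be persisted atomically before the signature leaves the signer; a restored backup or a cloned signer that resets `next` is exactly the key-reuse failure XMSS's statefulness is meant to prevent.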
References
[1] Buchmann, J., Dahmen, E., & Hülsing, A. (2011, November). XMSS - a practical forward secure signature scheme based on minimal security assumptions. In International Workshop on Post-Quantum Cryptography (pp. 117-129). Springer, Berlin, Heidelberg.