Should we prioritise LMS for the 3.5 release?
Looking for opinions for & against us recommending prioritising the LMS work for the 3.5 release.
Paul Dale Tue 14 Jan 2025 1:56AM
LMS is lightweight (compared to the other PQ signature mechanisms) and it uses only old well understood cryptography (digests). ML-DSA is the priority signature scheme for 3.5; it is heavyweight and carries a higher risk of a cryptanalytic breakthrough since it's based on less mature mathematics.
I anticipate that LMS will be embraced by hardware vendors for firmware signing rather than used in certificates. No doubt, it will be used for all manner of purposes by the community nonetheless.
The effort required to include it should be limited to the review/feedback loop and the final merge effort -- all of the core development is done. The final merge is small, the review cycle is unknown but I wouldn't expect it to be huge. I.e. this should be possible without adversely impacting the other priorities for 3.5.
HSS is essentially an extension of LMS. There is a pull request for it as well but it depends on the LMS one, so they are going to be serial in nature. Let's not worry about the incremental effort for HSS at this point.
Poll Created Tue 14 Jan 2025 1:59AM
Should LMS be included in the upcoming 3.5 release? Closed Thu 16 Jan 2025 1:00PM
After the poll concluded, community members expressed concerns that the proposed action might be challenging to deploy securely, leading to strong opposition due to safety considerations. Consequently, the decision has been deferred.
Results
| Option | % of points | Voters |
|---|---|---|
| Yes | 100.0% | 6 |
| No | 0.0% | 0 |
| Undecided | 0% | 3 |
6 of 9 people have participated (66%)
James Bourne Tue 14 Jan 2025 1:59AM
Core dev done. Final merge is small. Limited review cycle. Will not upend other 3.5 work. Required for FIPS.
Jeff Johnson Tue 14 Jan 2025 1:59AM
As noted in my comments on the subject. Dev work done, no disruption to current release plan, only upside from what I can gather.
Paul Dale Tue 14 Jan 2025 2:00AM
Note also, that LMS is part of FIPS 205 and would be part of the FIPS 140-3 validation of the 3.5 release. We don't know when the subsequent FIPS 140-3 validation will occur.
Jaroslav Reznik Tue 14 Jan 2025 2:52PM
Another note - LMS is also approved under CNSA 2.0 (but only for signing firmware/software), see https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/1/CSI_CNSA_2.0_FAQ_.PDF
Jeff Johnson Tue 14 Jan 2025 3:13PM
LMS is prioritized for firmware and s/w code signing as Jaroslav noted and is one of the first requirements for the transition to PQ. HSM vendors are supporting LMS signing now. If the work is done and it will not delay any other work for 3.5, I would recommend to include it. Alg testing is available now as well. Since the FIPS validation cycle is sooo long anyway, I personally don't see a downside to including LMS verify in 3.5 release and also having it as part of the next FIPS validation. From a community perspective as well it would be awesome to have a common implementation of LMS verification to test against.
Paul Dale Wed 15 Jan 2025 10:26PM
Everyone has voted, so I'll close this and pass the recommendation along. The process for the latter hasn't been sorted out yet so I emailed this to the directors:
Based on a unanimous decision, the corporation BAC recommends that LMS (as per #25598) be prioritised for inclusion in the upcoming OpenSSL 3.5 release.
Although not directly part of the decision, including it as part of any future FIPS 140-3 validation also seems desirable.
Dr Paul Dale
Randall Becker · Mon 13 Jan 2025 11:36PM
I think this is an interesting idea. What does putting this in 3.5 give us, other than, perhaps, a test bed for HSS? If LMS is strategic, then ASAP. If it is a notion, not sure. If we need this to support quantum safety, it probably should be done to get to communities for testing prior to any major HSS effort. I don't have much to contribute on this subject as a technical expert.