Na lms kat multi level (#1620)
* 2-level LMS Support

* Add LMS KAT from RFC 8554

* Fix format

* Add multi-level LMS variants supported by other libraries

* Added 2-Level LMS Variants. Updated test vector format per code review comments. Updated tests accordingly.

* Removed unused variable

* Update per comments

* Added stateful example application and review comments

* Fixed use of uninit var

* Update some comments

* rename LMS KAT files

* rename LMS KAT files

* Added LMS KAT

* rename KAT file

* add individual options

* add missing N32 in algorithm name

* Use strip to remove new line, instead of [1:-2].
Add algo_dir = lms

* Rename KATs.json for LMS

* Shorten LMS names

* Supported KAT files for LMS

* Remove unsupported KAT files

* Fix format

* Fix mem leak

* Add testcase for hash corner. Fix hash increment problem.

* Fix formatting

---------

Co-authored-by: Duc Nguyen <[email protected]>
2 people authored and SWilson4 committed May 14, 2024
1 parent a7b2987 commit 2dd9e07
Showing 19 changed files with 2,085 additions and 266 deletions.
2 changes: 2 additions & 0 deletions .CMake/alg_support.cmake
Expand Up @@ -529,6 +529,8 @@ cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h60_12 "" ON "OQS_ENA


option(OQS_ENABLE_SIG_STFL_LMS "Enable LMS algorithm family" ON)
cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w8_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)

if((OQS_MINIMAL_BUILD STREQUAL "ON"))
message(FATAL_ERROR "OQS_MINIMAL_BUILD option ${OQS_MINIMAL_BUILD} no longer supported")
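Review bot: Only two 2-level parameter sets, `OQS_ENABLE_SIG_STFL_lms_sha256_h5_w8_h5_w8` and `OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4_h5_w8`, receive a cmake_dependent_option here, while README.md in the same commit lists thirteen two-level LMS variants. If the remaining variants are compiled in unconditionally whenever OQS_ENABLE_SIG_STFL_LMS is on, a one-line comment above these entries saying so would pre-empt the question; if they are meant to be individually switchable, the missing options and their `#cmakedefine` counterparts in src/oqsconfig.h.cmake should be added together, since the two files must stay in lockstep. The help strings are empty, matching the surrounding xmssmt entries, but a short description such as `"Enable 2-level LMS SHA-256 H5/W8 over H5/W8"` (constructed example) costs nothing and shows up in the cache for users.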
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -68,6 +68,8 @@ All names other than `ML-KEM` and `ML-DSA` are subject to change. `liboqs` makes
- **ML-DSA**: ML-DSA-44-ipd (alias: ML-DSA-44), ML-DSA-65-ipd (alias: ML-DSA-65), ML-DSA-87-ipd (alias: ML-DSA-87)
- **SPHINCS+-SHA2**: SPHINCS+-SHA2-128f-simple, SPHINCS+-SHA2-128s-simple, SPHINCS+-SHA2-192f-simple, SPHINCS+-SHA2-192s-simple, SPHINCS+-SHA2-256f-simple, SPHINCS+-SHA2-256s-simple
- **SPHINCS+-SHAKE**: SPHINCS+-SHAKE-128f-simple, SPHINCS+-SHAKE-128s-simple, SPHINCS+-SHAKE-192f-simple, SPHINCS+-SHAKE-192s-simple, SPHINCS+-SHAKE-256f-simple, SPHINCS+-SHAKE-256s-simple
- **XMSS**: XMSS-SHA2_10_256, XMSS-SHA2_16_256, XMSS-SHA2_20_256, XMSS-SHAKE_10_256, XMSS-SHAKE_16_256, XMSS-SHAKE_20_256, XMSS-SHA2_10_512, XMSS-SHA2_16_512, XMSS-SHA2_20_512, XMSS-SHAKE_10_512, XMSS-SHAKE_16_512, XMSS-SHAKE_20_512, XMSSMT-SHA2_20/2_256, XMSSMT-SHA2_20/4_256, XMSSMT-SHA2_40/2_256, XMSSMT-SHA2_40/4_256, XMSSMT-SHA2_40/8_256, XMSSMT-SHA2_60/3_256, XMSSMT-SHA2_60/6_256, XMSSMT-SHA2_60/12_256, XMSSMT-SHAKE_20/2_256, XMSSMT-SHAKE_20/4_256, XMSSMT-SHAKE_40/2_256, XMSSMT-SHAKE_40/4_256, XMSSMT-SHAKE_40/8_256, XMSSMT-SHAKE_60/3_256, XMSSMT-SHAKE_60/6_256, XMSSMT-SHAKE_60/12_256
- **LMS**: LMS_SHA256_H5_W1, LMS_SHA256_H5_W2, LMS_SHA256_H5_W4, LMS_SHA256_H5_W8, LMS_SHA256_H10_W1, LMS_SHA256_H10_W2, LMS_SHA256_H10_W4, LMS_SHA256_H10_W8, LMS_SHA256_H15_W1, LMS_SHA256_H15_W2, LMS_SHA256_H15_W4, LMS_SHA256_H15_W8, LMS_SHA256_H20_W1, LMS_SHA256_H20_W2, LMS_SHA256_H20_W4, LMS_SHA256_H20_W8, LMS_SHA256_H25_W1, LMS_SHA256_H25_W2, LMS_SHA256_H25_W4, LMS_SHA256_H25_W8, LMS_SHA256_H5_W8_H5_W8, LMS_SHA256_H10_W4_H5_W8, LMS_SHA256_H10_W8_H5_W8, LMS_SHA256_H10_W2_H10_W2, LMS_SHA256_H10_W4_H10_W4, LMS_SHA256_H10_W8_H10_W8, LMS_SHA256_H15_W8_H5_W8, LMS_SHA256_H15_W8_H10_W8, LMS_SHA256_H15_W8_H15_W8, LMS_SHA256_H20_W8_H5_W8, LMS_SHA256_H20_W8_H10_W8, LMS_SHA256_H20_W8_H15_W8, LMS_SHA256_H20_W8_H20_W8
<!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_END -->

Note that for algorithms marked with a dagger (†), liboqs contains at least one implementation that uses a large amount of stack space; this may cause failures when run in threads or in constrained environments. For more information, consult the algorithm information sheets in the [docs/algorithms](https://github.com/open-quantum-safe/liboqs/tree/main/docs/algorithms) folder.
Expand Down Expand Up @@ -124,10 +126,12 @@ The following instructions assume we are in `build`.

- `test_kem`: Simple test harness for key encapsulation mechanisms
- `test_sig`: Simple test harness for key signature schemes
- `test_sig_stfl`: Simple test harness for stateful key signature schemes
- `test_kem_mem`: Simple test harness for checking memory consumption of key encapsulation mechanisms
- `test_sig_mem`: Simple test harness for checking memory consumption of key signature schemes
- `kat_kem`: Program that generates known answer test (KAT) values for key encapsulation mechanisms using the same procedure as the NIST submission requirements, for checking against submitted KAT values using `tests/test_kat.py`
- `kat_sig`: Program that generates known answer test (KAT) values for signature schemes using the same procedure as the NIST submission requirements, for checking against submitted KAT values using `tests/test_kat.py`
- `kat_stfl_sig`: Program for checking results against submitted KAT values using `tests/test_kat.py`
- `speed_kem`: Benchmarking program for key encapsulation mechanisms; see `./speed_kem --help` for usage instructions
- `speed_sig`: Benchmarking program for signature mechanisms; see `./speed_sig --help` for usage instructions
- `example_kem`: Minimal runnable example showing the usage of the KEM API
38 changes: 21 additions & 17 deletions src/common/sha2/sha2_armv8.c
Expand Up @@ -187,8 +187,11 @@ void oqs_sha2_sha256_inc_finalize_armv8(uint8_t *out, sha256ctx *state, const ui
}

memcpy(tmp_in, state->data, state->data_len);
memcpy(tmp_in + state->data_len, in, inlen);
if (in && inlen) {
memcpy(tmp_in + state->data_len, in, inlen);
}
new_in = tmp_in;
state->data_len = 0;
}

uint64_t bytes = load_bigendian_64(state->ctx + 32) + new_inlen;
Expand Down Expand Up @@ -280,33 +283,34 @@ void oqs_sha2_sha256_inc_blocks_armv8(sha256ctx *state, const uint8_t *in, size_

void oqs_sha2_sha256_inc_armv8(sha256ctx *state, const uint8_t *in, size_t len) {
uint64_t bytes = 0;
size_t in_index = 0;
while (len) {
size_t incr = 64 - state->data_len;
if (incr > len) {
incr = len;
}

for (size_t i = 0; i < incr; ++i, state->data_len++) {
state->data[state->data_len] = in[i];
for (size_t i = 0; i < incr; ++i, state->data_len++, in_index++)) {
state->data[state->data_len] = in[in_index++)];
}

if (state->data_len < 64) {
break;
}
break;
}

/*
* Process a complete block now
*/
bytes = load_bigendian_64(state->ctx + 32) + 64;
crypto_hashblocks_sha256_armv8(state->ctx, state->data, 64);
store_bigendian_64(state->ctx + 32, bytes);
/*
* Process a complete block now
*/
bytes = load_bigendian_64(state->ctx + 32) + 64;
crypto_hashblocks_sha256_armv8(state->ctx, state->data, 64);
store_bigendian_64(state->ctx + 32, bytes);

/*
* update the remaining input
*/
len -= incr;
state->data_len = 0;
}
/*
* update the remaining input
*/
len -= incr;
state->data_len = 0;
}
}

void oqs_sha2_sha224_inc_blocks_armv8(sha224ctx *state, const uint8_t *in, size_t inblocks) {
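Review bot: As rendered, the new loop in oqs_sha2_sha256_inc_armv8 reads `for (size_t i = 0; i < incr; ++i, state->data_len++, in_index++)) {` and `state->data[state->data_len] = in[in_index++)];` — the stray `)` would not compile and a second `in_index++` in the index expression would skip every other input byte, so this is presumably an artifact of the diff view, but it is worth confirming that the committed source matches the sha2_c.c form, `for (size_t i = 0; i < incr; ++i, state->data_len++, in_index++) {` and `state->data[state->data_len] = in[in_index];`. The C and ARMv8 paths must produce identical digests, so a KAT that feeds more than 64 bytes across several incremental calls on the ARMv8 build would catch any divergence here; the commit message mentions a hash corner-case test, which I assume exercises exactly that. The whitespace-only reindent of the block-processing code in the same hunk makes the one functional change (`in[i]` to `in[in_index]`) harder to spot; a separate formatting commit would have kept the fix reviewable on its own.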
10 changes: 7 additions & 3 deletions src/common/sha2/sha2_c.c
Expand Up @@ -654,14 +654,15 @@ void oqs_sha2_sha256_inc_blocks_c(sha256ctx *state, const uint8_t *in, size_t in

void oqs_sha2_sha256_inc_c(sha256ctx *state, const uint8_t *in, size_t len) {
uint64_t bytes = 0;
size_t in_index = 0;
while (len) {
size_t incr = 64 - state->data_len;
if (incr > len) {
incr = len;
}

for (size_t i = 0; i < incr; ++i, state->data_len++) {
state->data[state->data_len] = in[i];
for (size_t i = 0; i < incr; ++i, state->data_len++, in_index++) {
state->data[state->data_len] = in[in_index];
}

if (state->data_len < 64) {
Expand Down Expand Up @@ -718,8 +719,11 @@ void oqs_sha2_sha256_inc_finalize_c(uint8_t *out, sha256ctx *state, const uint8_
}

memcpy(tmp_in, state->data, state->data_len);
memcpy(tmp_in + state->data_len, in, inlen);
if (in && inlen) {
memcpy(tmp_in + state->data_len, in, inlen);
}
new_in = tmp_in;
state->data_len = 0;
}

uint64_t bytes = load_bigendian_64(state->ctx + 32) + new_inlen;
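Review bot: The new guard `if (in && inlen)` in oqs_sha2_sha256_inc_finalize_c turns a NULL `in` with a non-zero `inlen` from a crash into a silently wrong digest: the copy is skipped, but `new_inlen` on the next line, computed outside the hunk and presumably derived from `inlen`, still counts those bytes, so whatever `tmp_in` holds past `state->data_len` would be hashed. If the only goal is to avoid calling memcpy with a zero length for the `in == NULL, inlen == 0` finalize pattern, `if (inlen) {` is sufficient and keeps a caller contract violation loud instead of producing a plausible-looking but incorrect hash. The same guard is added in the oqs_sha2_sha256_inc_finalize_armv8 hunk of src/common/sha2/sha2_armv8.c and should be changed in the same way. The enclosing function starts before and continues after this hunk.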
2 changes: 2 additions & 0 deletions src/oqsconfig.h.cmake
Expand Up @@ -222,3 +222,5 @@
#cmakedefine OQS_ENABLE_SIG_STFL_xmssmt_shake128_h60_12 1

#cmakedefine OQS_ENABLE_SIG_STFL_LMS 1
#cmakedefine OQS_ENABLE_SIG_STFL_lms_sha256_h5_w8_h5_w8 1
#cmakedefine OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4_h5_w8 1