xref: /freebsd/crypto/openssl/doc/man7/EVP_PKEY-SLH-DSA.pod (revision e7be843b4a162e68651d3911f0357ed464915629) 
1=pod
2
3=head1 NAME
4
5EVP_PKEY-SLH-DSA, EVP_KEYMGMT-SLH-DSA,
6EVP_PKEY-SLH-DSA-SHA2-128s, EVP_PKEY-SLH-DSA-SHA2-128f,
7EVP_PKEY-SLH-DSA-SHA2-192s, EVP_PKEY-SLH-DSA-SHA2-192f,
8EVP_PKEY-SLH-DSA-SHA2-256s, EVP_PKEY-SLH-DSA-SHA2-256f,
9EVP_PKEY-SLH-DSA-SHAKE-128s, EVP_PKEY-SLH-DSA-SHAKE-128f,
10EVP_PKEY-SLH-DSA-SHAKE-192s, EVP_PKEY-SLH-DSA-SHAKE-192f,
11EVP_PKEY-SLH-DSA-SHAKE-256s, EVP_PKEY-SLH-DSA-SHAKE-256f
12- EVP_PKEY SLH-DSA keytype and algorithm support
13
14=head1 DESCRIPTION
15
16The B<SLH-DSA-SHA2-128s>, B<EVP_PKEY-SLH-DSA-SHA2-128f>,
17B<SLH-DSA-SHA2-192s>, B<EVP_PKEY-SLH-DSA-SHA2-192f>,
18B<SLH-DSA-SHA2-256s>, B<EVP_PKEY-SLH-DSA-SHA2-256f>,
19B<SLH-DSA-SHAKE-128s>, B<EVP_PKEY-SLH-DSA-SHAKE-128f>,
20B<SLH-DSA-SHAKE-192s>, B<EVP_PKEY-SLH-DSA-SHAKE-192f>,
21B<SLH-DSA-SHAKE-256s> and B<EVP_PKEY-SLH-DSA-SHAKE-256f> key types are
22implemented in OpenSSL's default and FIPS providers.  These implementations
23support the associated key, containing the public key I<pub> and the
24private key I<priv>.
25
26SLH-DSA (Stateless Hash-based Digital Signature Standard) uses small keys,
27but has relatively large signatures and is relatively slow performing all
28operations compared to B<ML-DSA>. It does however have proven security proofs,
29since it relies only on hash functions.
30
31Each of the different key types has an associated security parameter B<n>.
32This value is one of 16, 24 or 32 for key types B<SLH-DSA*128*>, B<SLH-DSA*192*>
33and B<SLH-DSA*256*>, respectively.
34
35Both the public and private key components contain 2 elements of size B<n>.
36Key generation generates the private key elements and one of the public key
37elements randomly, and the final public key element is computed from these values.
38
39The public key has relatively small sizes of 32, 48 or 64 bytes,
40corresponding to the algorithm names of 128, 192 and 256 respectively.
41
42The algorithms ending with B<s> produce smaller signatures, but are much slower
43than the faster B<f> variants.
44
45The signature sizes for the B<s> algorithm variants are 7856, 16224 and 29792
46which correspond to the algorithm names of 128s, 192s and 256s respectively.
47The signature sizes for the B<f> algorithm variants are 17088, 35664 and 49856
48which correspond to the algorithm names containing 128f, 192f and 256f respectively.
49
50Internally there are 7 hash related functions that are used for each algorithm.
51For algorithms containing B<SHAKE> in their name B<SHAKE-256> is used for all
52functions.
53For the <SHA2-128> algorithms the functions use <MGF1-SHA-256>, <HMAC-SHA-256>
54and <SHA-256>.
55The remaining <SHA2> algorithms use <MGF1-SHA-512>, <HMAC-SHA-512>, <SHA-256> and
56<SHA-512>.
57See FIPS 205 Section 11.1 and 11.2 for more information.
58
59=head2 Keygen Parameters
60
61=over 4
62
63=item "seed" (B<OSSL_PKEY_PARAM_SLH_DSA_SEED>) <octet string>
64
65Supplies values to use for the private seed, private prf and
66public seed instead of generating random values. This is used for testing
67purposes only. The length of the value supplied must be 3 * B<n>.
68
69=item "properties" (B<OSSL_PKEY_PARAM_PROPERTIES>) <utf8_string>
70
71Sets properties to be used when fetching algorithm implementations used for
72SLH-DSA hashing operations.
73
74=back
75
76Use EVP_PKEY_CTX_set_params() after calling EVP_PKEY_keygen_init().
77
78=head2 Common SLH-DSA parameters
79
80In addition to the common parameters that all keytypes should support (see
81L<provider-keymgmt(7)/Common Information Parameters>), the implementation of
82these key types support the following.
83
84The following parameters are gettable using EVP_PKEY_get_octet_string_param(),
85and settable when using EVP_PKEY_fromdata().
86
87=over 4
88
89=item "pub" (B<OSSL_PKEY_PARAM_PUB_KEY>) <octet string>
90
91The public key has a size of 2 * B<n> bytes.
92i.e. It consists of the concatenation of PK.seed and PK.root
93as defined by FIPS 205 Figure 16.
94
95=item "priv" (B<OSSL_PKEY_PARAM_PRIV_KEY>) <octet string>
96
97The private key has a size of 4 * B<n> bytes, which includes the public key components.
98i.e. It consists of the concatenation of SK.seed, SK.prf, PK.seed and PF.root
99as defined by FIPS 205 Figure 15.
100
101=item "mandatory-digest" (B<OSSL_PKEY_PARAM_MANDATORY_DIGEST>) <UTF8 string>
102
103The empty string, signifying that no digest may be specified.
104
105=back
106
107=head1 CONFORMING TO
108
109=over 4
110
111=item FIPS 205
112
113=back
114
115=head1 EXAMPLES
116
117An B<EVP_PKEY> context can be obtained by calling:
118
119    EVP_PKEY_CTX *pctx =
120        EVP_PKEY_CTX_new_from_name(NULL, "SLH-DSA-SHA2-128f", NULL);
121
122An B<SLH-DSA> key can be generated like this:
123
124    pkey = EVP_PKEY_Q_keygen(NULL, NULL, "SLH-DSA-SHA2-128f");
125
126The key pair components can be extracted from a key by calling:
127
128    uint8_t priv[64], pub[32];
129    size_t priv_len, pub_len;
130
131    EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY,
132                                    priv, sizeof(priv), &priv_len);
133    EVP_PKEY_get_octet_string_param(pkey, OSSL_PKEY_PARAM_PUB_KEY,
134                                    pub, sizeof(pub), &pub_len));
135
136Similar code can be used for the other key types such as "SLH-DSA-SHAKE-256f".
137
138=head1 SEE ALSO
139
140L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>,
141L<EVP_SIGNATURE-SLH-DSA(7)>
142
143=head1 HISTORY
144
145This functionality was added in OpenSSL 3.5.
146
147=head1 COPYRIGHT
148
149Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved.
150
151Licensed under the Apache License 2.0 (the "License").  You may not use
152this file except in compliance with the License.  You can obtain a copy
153in the file LICENSE in the source distribution or at
154L<https://www.openssl.org/source/license.html>.
155
156=cut
157