Project

General

Profile

Bimodal Lattice Signature Scheme (BLISS)

BLISS is a post-quantum signature scheme based on the CRYPTO 2013 paper Lattice Signatures and Bimodal Gaussians by Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Starting with the strongSwan 5.2.2 release we offer BLISS as an IKEv2 public key authentication method. We also added full BLISS key and certificate generation support to the strongSwan pki tool. With strongSwan 5.3.0 we are upgrading to the improved BLISS-B signature algorithm described in Accelerating Bliss: the Geometry of Ternary Polynomials by Léo Ducas. This HOWTO is based on the new BLISS-B default scheme. It is possible though to revert to the old BLISS behaviour by setting

libstrongswan {
  plugins {
    bliss {
      use_bliss_b = no
    }
  }
}

in strongswan.conf, although we don't see any advantage whatever for doing this.

The bliss plugin requires the a source of randomness (rdrand, padlock or nonce plugin), the mgf1 and the hmac plugin.

This seamless integration into the strongSwan framework was made possible by the new libstrongswan bliss plugin completely written in the C programming language without the use of any external libraries and which implements the libstrongswan public_key_t and private_key_t interfaces.

Building strongSwan with BLISS Support

If you want to play around with BLISS keys and signatures using the strongSwan pki tool please follow the quick software installation HOWTO:

wget http://download.strongswan.org/strongswan-5.3.3.tar.bz2
tar xjf strongswan-5.3.3.tar.bz2
cd strongswan-5.3.3
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-bliss
make
sudo make install

BLISS Private Key Generation

strongSwan currently supports the BLISS-B-I, BLISS-B-III, and BLISS-B-IV schemes with a cryptographic strength of 128 bits, 160 bits and 192 bits, respectively. Using the pki tool a private BLISS-B-I key can be generated as follows:

pki --gen --type bliss --size 1 --debug 2 > cakey1.der

mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 240 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 240 octets
l2 norm of s1||s2: 771, Nk(S): 44024

secret key generation succeeded after 1 trial

With the command
pki --print --type bliss-priv --in cakey1.der

private key with:
pubkey:    BLISS 128 bits strength
keyid:     66:5d:b6:ae:85:b6:32:1b:9a:7e:2c:ed:c7:6a:4d:68:f0:3a:ec:77
subjkey:   50:c5:a5:b0:21:e2:a8:13:12:ba:7c:87:f3:3f:ab:90:ad:2c:4d:c2

information on the BLISS private key is displayed.

Let's now generate a BLISS-B-IV key with 192 bit cryptographic strength in base64-encoded PEM format

pki --gen --type bliss --size 4 --outform pem  > cakey4.pem
secret key generation succeeded after 1 trial

The PEM key format is printable
cat cakey4.pem

-----BEGIN BLISS PRIVATE KEY-----
MIIFGgYLKwYBBAGCoCoFAggDggOBAFPFQxsmKwFTjeebvilsNgguxG6vs6EWIyWi
RUkzxZ3BZVy2Oya/9jkMO4O5W/TM5C5vKf0ADlu4fVzU2drT9YA6LzeJIhlWmHu0
ISD9s3Q6pf5NxpvKKFiqjA8ePHFk2iIJQ+DbA9VCtYzM0BOz11+blrl4zOeHp2Am
lmkQwW1OTYejkOBEdGFFuwpVbLXL0XTj4KPZB9icIU48VVh2fS/fOjSRyVhruzVO
6QQtHeCE6p0HLQCpYsw4i93KaYyoS9tDK5Ia/TGWcpp9Sih4k60iJAEusftoijJl
hq41uiUgVd7vpeaWBoMurUODR4aYMiNF2eCGuPTC+76hpZ4h91TmZ7ASuoATl57E
XN3wY61OuLW+CiTlHZsfddmTRyWbtp5t0Ckk2RaoEsCvU/22csb3Z4CkASoJawVB
i6VeQPtTr9cfUDb4mhSOv7LRZmjkkqyl5FduVOw3BePVZGqHZLrLdZ1AAbAtoel9
FYZ/EBEbQpGVEEWwm98tsFeIp2JWUCA9bOdzlOsoJ6mmgz9fKXDQBsv+DeOSkXNo
yKJ0EnXh6J5iPG6gtvoRVwGLfL0Yqcl7nkB5UUGWdQC2PNKZEAW2zVg5Wx4ALtgI
qKhqyH5S29X4LoCqut6TuU8PYjKMlr9G8pK5kfXx3/A1/iD15m5esYBRmkddMRsK
w3XdASNeHOeVfFU6FgKe+hYQhCTBgZGN3CFRtRhWbV7NES2DRkxiIgFWYrfRgLt/
pobwJcL4VqwQQiSD83isZaHNRKJ+WttYKpQmTQk/ycYpD1DJ98Kw1LeyfTXxvtv8
prSQekPNXHeyN8fXDgZmpLIBdOyutO5uelVV/ovsLGtmSQehXXvLj9IoETxtsnYj
XpQU86hCaOl8ZLaASUhrqqBe0nQYB5Utr7P7YaxrfYYoiCEZZrLR9oIWNHYMiev2
FCkQie3mrOb9K5AJo3DnfyumrNjOxq2a8N9WHRaDGrKT+l3gVJysxebExLNJsOHU
89DZcnA3ulxmxoMdH/KzGMd9bjCIf0xNltRhULrBoShlhBElqK8znFHWhGmdbWhe
0C3kKzApp5MebesGOdUT/U/ylUKPyINd90cqQESjHe+WibikN4WCcihiBRzvexQG
klrkgqhAxL9ZX4SFWtzLsiSIpmWJUaY72vwo2TuA5un+Xq3yi7YtBggaRjg86Yiv
tDsRFpMAA4HBAByACgOQOAOCBz0AD+AT+QCQB+OgPx/wAOP+QQAeeAR+AAAFwACO
CAAByOgAQOBz+AAPyNwCRwAD+h+QCPxyATx+QPxyACATweCRzwAACQAPyCQOOeQA
OOOgPyCQAieCQARigBxwB9geMPxwCRiDxgVwEEAAOAB+eP+CMCR+OCgCMRwPwB+A
RwAhwQBzhyRzyBx+QQCACEAfyOPwP/ifiDwSAhwCDyCCAQSAfhwMAeQBwSAACAAD
+CCeOUACeCASAAOBwQAAYAf/oEc8A8fkgAAfgEEHkEADfgn4AAAjk8gcAEEADgDo
ccEg/fj8EkAcfkAEEgAo4EADnEIcnnjgEgAnkcEnggEcbgDhAAcdAcEAAAgA8AEk
8rgAjkdAAAHgAgdckAEIADBfgAA4HgYgD8EjgDkAcAEgEHn/8AA8gHgA8cEEcAAk
fgggAf84AAAgBEj8jlD8AEcoADjgc/gDkgAk/gAdAg8A78ADAEgYgg8gEbngkc8/
ggAnkjhcHggAkEgj8Ak=
-----END BLISS PRIVATE KEY-----

At last let's generate a BLISS-B-III key with a cryptographic strength of 160 bits with the highest debug level enabled:
pki --gen --type bliss --size 3 --debug 4 > cakey3.der

mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 380 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 420 octets
l2 norm of s1||s2: 1397, Nk(S): 134554

S1[374] is zero - s1 is not invertible

mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 400 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 400 octets
l2 norm of s1||s2: 1397, Nk(S): 150444

secret key generation succeeded after 2 trials

   i   f   g     a     F     G     A
   0   0  -1 11349  7348  7670  2988
   1   1   0  7974  3185  4952 11025
   2   0  -2  8985  2527  9470  4541
   3   1  -2  7381 10610 11589  2467
   4   0   0    24  6142  3407  1095
   5   0   0   660  5787  7097  4552
   6  -2   0  7663   996  8919   120
   7   0   0 11446  2979  5879  5439
   8   0   0 10761  9288  6406 11689
   9   1   2 10655  5145  9566 11720
  10  -1  -2  2239 12023  2977   497
  11   1  -2  8056  9625   769  1665
  12  -1   0 12073 10413  8267  7745
  13   0   0 10423  7043  8384   659
  14  -1   0  2927  4462  1895  3870
  15   0  -2  8350 10004  5363  2321
  16   0   0  8719  8405  9805  4329
  17   0   0   126    16 11765  9184
  18   1   0 11077  7415 10462 12186
  19   0   0 10321 10888  9001  9002
  20   0   0 11406 12197  2320  2112
  21  -1   0  2382  8071 11316  6203
  22   0   0 11952  2522  7713  2532
  23  -1   0  3121  3838  1919  6145
  24   0   2  3530  7422  3780  6905
  25  -1   0  1229  3845  2506  2337
  26  -1   2  1278   246 10767  6488
  27   0   0  1031  8302  2463 11225
  28   0  -2  6091 11836  4336  2866
  29   0   0  9763 11818  1023  5477
  30   1   0  3533 11202 11192   815
  31  -2   0  2485  9375  1396  1096
  32   0   2  7774  9256 11751  4761
  33   1  -2  5705   105  8018  5109
  34   1  -2  1310  1037 11693  6138
  35   0   2  3963 11119  7278  9888
  36  -1   0  2664   716  7917  2946
  37   0  -2  2310  7971 11642 12218
  38   0   0  9219 11411  7807  8627
  39   0   0  5358  9175 10240  7187
  40   0   0  9739 11874 10139 11850
  41   1   2  8814 10927 12043   325
  42   0   0  7933 11743  3920  9761
  43  -2   0   251  6664  6850  4969
  44   0   0  3754  5561  1275  4389
  45   0   0  4863  4628 11852  5770
  46   0   0  9053  8612  8420  4162
  47   0  -2  7268  6093  2250 12126
  48  -1   0  3867  7439 10172 11395
  49   0   0  1877  8716  2985  4663
  50   0   2  4520   140  3538  6872
  51  -1  -2 12012  7676  9229  8965
  52   1   0 11243  1199  5329  3192
  53   0   0  3816  4823  4210  2768
  54   0   0 11185  7269 11376 10485
  55   0  -2   368  6947  8326  6955
  56   0   0 12276 11097  9506  5786
  57   0   0  1482  7994  2714 10832
  58   0   0  8790  4355  2509  5980
  59   0   0  2592  5059 10875 12262
  60   1   2   741  7578  6721  5847
  61  -1   0  5401  2769  1664  5597
  62  -1  -2  3498  3562  8160  1127
  63   0   4  9783  9751  4934   153
  64   1   2   562 10232  3792  2585
  65   0   2  5623  3669   816  8702
  66   0   0  6817  2897  3255   595
  67   0   2  4920  4356  5602  2309
  68   1   2  1443  8246  1837  9328
  69  -1   2  8830  8527 10087 11388
  70   1   2  8318   386  8777 10115
  71   0   0  4835  3976  8200  6604
  72   0   0 12193  2774  9810  4345
  73   0  -2  5217  4530  5891  2120
  74   0  -2  2158  1444  8147  8082
  75   0   0  6172  6249  9683  3797
  76   0  -2  3351  2755  4435 10774
  77   0   0  1795  5593  7010  2249
  78   0   0  6378  6529  2449  3586
  79   1   0  3282  8543  8791  6877
  80   0   0  5941  2515  3404  2122
  81   0   0  9619   226  4829   402
  82   0   0  3819  1636  3669  5343
  83   0   0 10054 10341  5815  9832
  84  -1  -2  5846  1459  6451  1689
  85   0   0  7204  2539  4867  2209
  86   0   0  5750  2023   198  8863
  87  -1   2  6261  5977 12147   331
  88   0   0  3021  2021  2604  1412
  89   0   2  7572  3901  5291 12199
  90   1  -2  3971 10971  5040  6150
  91  -1   0  3481  7683  7127  5588
  92   0   0  3473 10868  6948 11869
  93   0   2  6995   549  8855  4202
  94   0   0  7016  7421  1258  1782
  95   1   2 12142  5614 12132  5085
  96   1   0   297 11408 10263  5819
  97   1  -2  4317   569  1661  4560
  98   0   2 11899  8600  5015  2094
  99   1   0  5837   554  9502  5474
 100  -1  -2  3375  3281  8625  7400
 101   1   0  6925   720  9235 10339
 102   0  -2 11463 11460  3152  8935
 103  -1  -2   996  3541  9592  4202
 104   0  -2  2977  4667  4746  6684
 105   0   2  3324 10226  9780  6935
 106  -1   2 12127 10743 12252  3426
 107   0  -2  9795 10231  6839  4720
 108   0  -2  2889  3500  3258 10106
 109  -1   4  8087  6380  5416  6311
 110   1  -2 10557  3805  1796  5365
 111   1   2  5909 10540  3107  6083
 112   0   0 10442  3605  1555  2523
 113   0   2  4226  1933  5029  6252
 114  -1   2  5275    89  7465  3812
 115  -1   0  6815 10334   200 11126
 116   1   2  8730  6104  4971  2153
 117  -1  -2 11235 12105  8587   688
 118   0  -2  1258  4392   665  3646
 119   0   0  2480  3460  8326  2652
 120   1   0  1216 12123  2535   651
 121   0   2   857  2091   562  1352
 122   0  -2  3169  4464  2919  6236
 123   1   0 10107  2680  1350  8667
 124   0  -4 10308  2108  9352   704
 125   1   2   878 11994  2136  3492
 126   0  -2  3800  8913  4121  2070
 127  -1   0  2443 12112  7839   164
 128   0  -2 11654  9227  7360  9710
 129   0   2 11660 11240 10772  2157
 130   1   0 11564   268 12057  4768
 131   0   2  8890 10527 10742  1333
 132  -1  -2  9912 11312  4630  8146
 133  -1   0 11456  6000  2141  4365
 134   2   0  7960  7033  8674  7036
 135  -1   0  8533  2433  6170 11842
 136   1  -2  1397  9385  6566  9096
 137   0   0  3543 10922  5370    59
 138   0   2   691  8292  8171  7134
 139   0   0  2713  3104  9141  2707
 140   0  -4  1268  2361  6871   513
 141   1   2 11076  6984  2153   815
 142   0   0 11657  3591  7098  2661
 143   1   2  2834  4083  3018  1617
 144   0   0  8185  6619   366  9415
 145  -1  -2  1494 11839  6863   449
 146   0  -2  1832 10258  7230  3046
 147   0   0 10931   383  4893 12013
 148   0  -4  8238  6439  4367  1371
 149   0   2  8006  2974 11322   260
 150   0   0  3541  8377  6324  2901
 151   0  -2   687   330  6124  7243
 152   0  -2  5192 10152  4457 10671
 153   0   0  8674  3299  1218   317
 154  -1  -2  1498    19  1224  1358
 155   1   0   472  2029  5208 12231
 156   1   2 11731  6425  7592  7694
 157   0   2  2261  2600 10784  4466
 158   0  -2  1898 10580  1586  6744
 159   0  -2  2031  4303  4379  9674
 160   0   2  8153  5295  3898  8827
 161   0   2  2277  6730 11103  7512
 162   0   0  7728  5951  8617  5449
 163  -1   0  3329  9973  2756  3798
 164   0   4  4018  4540   262  7747
 165   2  -2 10665  6550   101  8895
 166   0  -2   312  5809  4027  6453
 167   0   0  3681 11662  4601  3795
 168   0   0   500  5083  3045 10237
 169  -1  -2  8154  3232 10955  7992
 170   0   0 11548  6348  5285 12164
 171   1   0  6451    22   780  3387
 172   1   0  5800  5147 11929  9887
 173   1  -2  8134 11119  9744  1000
 174   0   0  5101  7573  9100   415
 175   1   0  9541  6816  2627  7553
 176   1  -2 10032  6407  7662  3751
 177  -1   2  8100  1861  3525 10574
 178   0  -2 10999  5885  8924  7590
 179  -1   0 11795 11656  5412 11931
 180   0   0  1342  2873  8302  5833
 181   0   0  8856 10345  7649  3593
 182   0   0  7741  1590  4966 10870
 183   0  -2  3478  2035 10096    11
 184   1   0  8425  2564  3099  9055
 185   1   0  4004  5338  6973 11648
 186   0   0  4081   397  5788  3141
 187   1  -2  6047  6044  3975  7664
 188   0   2   975  9088  8057  9530
 189  -1  -2  3775  8502  1657  2826
 190   0   0    72  5348 10522  5788
 191  -1   2  9402  7182 10043 10824
 192  -2  -2  8696  2259   176   642
 193   1   0  3219 10202    91  8120
 194   0   0  7399  8460  5181  3038
 195   1   0 10700  3012  2362  4856
 196   1   0  4992 11439 10921   551
 197   0   0  5563  1953  8425   923
 198   0  -2  6322  5002 10435  5611
 199  -1   2  5331  3700  5755  6993
 200   0   2  5020  6081  4634  8539
 201   0  -2  1731  4572  2581  9642
 202   0   2 11300 11624  8550  8765
 203   0   0  2415  4285   437  5756
 204   0   0  1692  2723  3419  8567
 205  -1   2 11041  8154   463  1789
 206   0   0   229   879   660  9941
 207   0   0 10044  8647  6406 10013
 208   0  -2  5036 10770  3797  9730
 209   0   2   128   719  6480  5034
 210  -1   0  1769 10401  2634  1730
 211  -1   0  7590  6692 10502  6910
 212   0   0  9672  8222  8598  1131
 213   1   0  3125  9161  4272  2293
 214   1   0  6486  6086 10033  4450
 215   0   2  4166 11350  4036 10531
 216   1   0 10082 11068 11523  7992
 217   0   2  7985  9711  4620  1352
 218   0  -2  4946    35   768  6342
 219   2   0  9774  8732  5103  7354
 220  -1   0  3980  4302   175 11772
 221  -1   0  3136 10258  9525  3299
 222   1   0 10184 11483  7139  6837
 223   0   2  7193  5495  9627  3249
 224   0   2  4553 10654  1257  8703
 225   0   2  7386  1794  2317  7187
 226  -1   2   307 11685   515  5106
 227  -2  -2  7122  9559  7718 11755
 228  -1   2  3466  4578   320  9143
 229   0   0  5051 11084  5008  1495
 230   0   2 10973  1782  6396   707
 231   1   0  1035  6457  5457  9829
 232   1   2  4754  1143  5864  6112
 233   0   2  5311  9348  7515  8484
 234   0   2  3745 10143  2071  5422
 235   0   0   225 10115   234  5223
 236   0  -4 12167  3220 10760   156
 237   0   0  5150  9392  6587  1703
 238   0   0 11547  8431  3214  9415
 239   0   0 10851  7709  8050  7538
 240  -1  -2   874  4765  4964   424
 241   1  -2 10600  1689   176  6010
 242   1   0  5997  7556  2161  3323
 243   0   0 11136  1266  1123  4767
 244   1   2  8554  2615  8070   708
 245   0   0  5773   555  5168  7272
 246   1   0  9508  9446  7790   235
 247  -1   0  3106  4221  6747  8893
 248   0  -2   241  6515  5228  7759
 249   0   0  1974 11662  7592  5613
 250  -1  -2  3428  1764 10330 11640
 251   1   0  4655  1942  1732  6215
 252   0   0 11761  3245  3177   463
 253   0   2  2542 10529 10352  4798
 254   0   0 12279  9976  8184  1686
 255   0   2  3742 10902  6628  4000
 256  -1   0  6807  3116  6784  5492
 257   1   0   901  3092  5803  7605
 258  -1   2  5324  1193 11349  9919
 259   0   0  2529  2195    55  4199
 260   0   2   864 12240 10142  1047
 261   0  -2  1873  5812  8077 11544
 262   0   2  6561  6540   574  2394
 263   0   0 11716   386  2798 10004
 264  -1  -2  9511  6119  7103  8637
 265   0   0  2030  2719  3742 11400
 266   0   0  3930  7307  6651   307
 267   1   0  9365 12108 10182 10128
 268   0   0  3050  9623   605 10173
 269  -1  -2  2608  3226  7810  7644
 270   1   2  1443 10911  8826  9411
 271   1   2  5348  5689   732  8915
 272  -1   0 10309  9547  3782  4821
 273  -1   0  7011  2137   329  5860
 274   1   0   425   151  3881  1572
 275  -1  -2  9483  3656  9352  8742
 276  -1   2   467 11338  1738 10323
 277   1   0  9537  2935 11057  4262
 278  -1   2  2982  4478  9997  4813
 279   0   0  7618  2654   704  6455
 280   1  -2  6020  6996   514  3587
 281   0   0   247  2408  9281  7266
 282   0   0  9312  8448  1433   150
 283  -1   2  8888   579  2432  2254
 284   0  -2   680  8265  7767  2316
 285   0   0 11315  3768  4554  8944
 286  -1   0  5306  2299  8412  4745
 287   1   0  7061  9470 10690  5659
 288   1  -2 12278  9451  2537  6516
 289  -1  -2  6029  4153  8159   650
 290   0   0    83  5244   380  3384
 291   1   0   444  3466  8086   832
 292   0   2   625 11105  9360  7133
 293  -1   2 10950  1635  7226  3056
 294   0   0   601   153  7982  9289
 295   0   0  4177  5547  8758  3163
 296   0  -2  8037 12168  6842  3295
 297   0   2  9675  2582  5677  8555
 298   0  -4 11275  5739 12176  6910
 299   0   0  8556   449  9059 11926
 300   1  -2  7028  8263  4462  1403
 301   1   0  9851  9816 10642  3504
 302  -1   0  3040 12216  8553  2913
 303  -1   4  2910  3848 11681 12110
 304   1   0  1841 10354  4153  1376
 305  -1   0 12210  4975  2286  5252
 306   0   0  8918  9177  1954   260
 307  -2   0  6909  6209  8913  5854
 308  -1  -2  6292   703  6706 11879
 309   1   2 11570 11111  6320  5315
 310   0   0  5052   592  4939 12069
 311  -1   0 10922 12185  9127  2630
 312   0   2  7576 10464  9782  2944
 313  -1   0  3680   366  4320  8876
 314   1  -2  1219  3469  6931  5376
 315   1   0  3550 10768  4531  1823
 316  -2  -2  1658  7879 11165    95
 317   0   0  2694  1931  5154  4973
 318   0   0  1040   460  8549  3732
 319  -1   0  8606  6308  8514  5351
 320   0  -2  8549  1116 10216  4590
 321   0   2  3357  8573  9508  1479
 322   1  -2  6401  9086  5806   731
 323   0   4  8810   541  1047 10610
 324   0   0 12091  1342  9191 11664
 325  -1  -2  3353  7216  6908  4422
 326   1  -2  6423  5847  1781  4290
 327  -1   0  2085  6979  3705 10865
 328   0   0  4054  9659  7199  5282
 329   0   0  4131  7411  9499   318
 330   0   0  4228  5354 10302  4744
 331   0   0  2544 11482 10185  2500
 332  -1   0    83  4027 11600   778
 333   0   2 10980   846  4210 11190
 334  -1   0  9362  3868   220  7803
 335  -1   0 11475  1085  1224  2878
 336  -1   0  5423   164  3901  9840
 337   0   2  4383  2284 10899  9200
 338   0   0  3723   899 11100 10702
 339   1   0  7305  7082  5684 11561
 340   1   0  2908 11634  2989  2078
 341   0  -2 10159  3082  8672  8767
 342   1   2  4147  6030  3925  7103
 343   0   2  6503  8183  7428  7283
 344   0  -4  1540  5385  3648  7333
 345   1   0  6989  2881 10619  8603
 346   0   0  2902 12009   698  5352
 347   0  -2  7777  8639  1878  8255
 348   0  -2  7904  2306  2389 10217
 349   0   0  3969  2527  9120   558
 350   0   0   228  8105  1127 10594
 351   0   0  7932  1438  2928  6326
 352   0   2  7927 11962  2097  5518
 353   0   0 11544  2417  5795 10400
 354   0   0 10459  8131 11956  4921
 355   0   0   312 11086  5587  7238
 356   0   0  1452 11546  4140   441
 357   0  -2  7851  5803  9477   584
 358   0  -2 11293 10761 10615  6033
 359   1  -2  2858 11927  9839  5031
 360  -1   4   359  6204  6880  4866
 361  -1   0  6279  3716  1209  1677
 362  -1   2  1054  5481  3774  3606
 363   0   0  4712  8559  7160  6192
 364   1   0  6108 11892   260  5014
 365  -2   0  7497  2298   580 11947
 366   0  -2   763  7812  2847  3167
 367   0   0 11981  4945  8923  6657
 368   0   0  8100  6595 12018  5346
 369   0  -2  5488  1311 11385  5183
 370   0   2  1659  5948   912  6562
 371  -1   0  8633  6154  9146  9371
 372   1   0   590  1897  5342  1577
 373   0   0  4566  6636  4267 10810
 374   0  -2  8598  3136  1723  8798
 375   0   0  2460  1107 10645 10256
 376   0   2 11497  3068  5174  2397
 377   0   0  2749  4923  7543  2680
 378   1   4  2843  7308  7749   107
 379  -1   0  9178  8015  8361 10628
 380   0   0  8418  1085  7030  1309
 381   0   0  6413  6687  6321  9605
 382   0   0  7704  9813  2529 12015
 383   1   0  4353 11345  5846  7362
 384  -2   0   483   493  7176   887
 385   0  -2  1964 12124   630 11168
 386   0  -2 11626  7968 10413 10000
 387  -1  -2  7600  2425  6332  3104
 388   0   0  1875 10712  9870  4381
 389  -1   2  5301  9244  9938  7693
 390  -1   0  8347  1651  4708 10498
 391  -1   0  6480  3664  7631  8055
 392   1   0 11001  4962  3013  1707
 393  -1   0  9167  5049 12060  7976
 394   0   0  3871 10432  8889  9207
 395   0   2  1900  1335  3063  7210
 396   0   0  3446  5082 11819 11075
 397  -1   0  9621 12019  8735  5657
 398   0   2 10282  5977  5889  6091
 399   0  -2  6899 10659 10654  7201
 400   0  -2  8828 11918   530 10532
 401   0   0  5889  5235  1426  1505
 402   0   2 10499 11288  6888 11079
 403   0  -2  6758 11300  3460  9527
 404   0   2 10492  4626  9496   103
 405   1   0  4071  5214  9330  5418
 406   0   4  4344  5575  3054  6479
 407   0  -2  3367   988  6366 11176
 408  -1   0  7382  6520  1529  9724
 409   0   0  7638  6486  4438  2460
 410   0  -2  1148  9873  8821  1975
 411   0   0  6283  5276 11948  5257
 412   0   2  2366  6232 10434  9810
 413   1   0  3431  2686  4540  2454
 414   1   0  4532  5476 11629  4946
 415   0   0  5428  8846   483  4258
 416   0   4  2795  1320  8114  5350
 417   0   2  2510 12017  2768  5050
 418   0  -2  2406  2440  2740  6750
 419   0   2 10282  1086   809 10400
 420   0   0  8477  8393  3405 10159
 421  -1   0  7203  5025   387  6339
 422   0   0  1510    42  3061  5047
 423   1   0  8899  1346  3963  3518
 424   0   0  7690  4485  2532  6815
 425   0  -2  2210 11591  2890  4503
 426   0   0  2367  8826  8001 12127
 427   1   2 10596  8314  7863 12185
 428  -1  -2  6039 10099  5011  6333
 429  -1  -2  7353  8641  6623   965
 430   0   0  3054  6816  5283  7438
 431  -1   0  9421  5919  7903 11491
 432   0   0  5202 11236 11135  6875
 433   1   0 10469  3625  5140 11409
 434  -1   0  6457  3420  1289  3087
 435   0   0  4981  7584  3667  8992
 436   0   0  2486  9323  5488  6760
 437   0  -2 10800  9052 10347  4450
 438   1   0  1546  5976  6208 10283
 439  -1   0 10050  8648  5275  3907
 440   1   4 10633  8816  8122  7347
 441  -1   0  8730  5232 12281  4754
 442   1   2  4288  4871  6784 12192
 443   1   0  9297  9950  4775  2378
 444   1   2  1069   209 11331   995
 445   0   0  7851  6881  6175  5523
 446   0   0  5388  6671  4672  1421
 447   0  -2 10231  5133  2309  5799
 448  -1   0   153  9835  5074  5216
 449   0   0 11934  2437  7339 11818
 450  -1   0  8801  8789    48 11348
 451   0   2  6042   987  8243 10106
 452  -2   0 10333  2589  4798  6818
 453  -1   0  6545  9349  9453  2743
 454  -1  -2  4195  9643  9110 11013
 455   0  -2  6640   357 11133  9945
 456  -1   0 11534  6683 11405    44
 457   0   0  7142  5256  9490 10584
 458   0   0  7200  2149  3622  9014
 459   0   0  7165  7039 10762  7156
 460   1   2  8215  7133 10600  1285
 461   2  -2 11301 10333  7383   769
 462  -1   0  5004 10864  3139  1300
 463   1   0 11040  3075 10760 11733
 464   0  -2  6614  8230  3156  2279
 465   0   0  3877  7182 10115 11440
 466  -1   0  2357  2232  4764  2711
 467   1  -2  3295  2363  2758  2045
 468   0   0  8589   865  2917  2518
 469   0   2  2772  2928  3650  6641
 470   0   0  5177  2183  7996  8414
 471   1  -2  6874  9197  8865  8729
 472  -2   0  7827 11526 10909  1548
 473   0  -2 11766  8236  6451  5159
 474   0   2 10634  8707  6140  7148
 475  -1   0   613  1770  4832  8487
 476   1   2  4973  1080 10080  8202
 477   0   0 11955  4174   873  1699
 478  -1  -2 10831   993  6778  8348
 479   1   0  5558  5835  7067  4186
 480   0  -2  2702  3993  6392  6043
 481  -1   0 12069  1685  1987  4574
 482  -1  -2 10029  9050  6174 10299
 483  -1   0  9883  8157 10233  1321
 484   1   2  4512  7252  6080   699
 485   0   0  5562   756  5195 11922
 486   0   0  3388  2386 11462  7782
 487   0   0  8847 11806 10279  2981
 488   2   0  4206  9692  7466  3513
 489   1   2 10165 11806  9176 10260
 490   0   0  1657 11469 12267    30
 491   0   0 10457 11636   606   319
 492   1   0  2806  9200  7521  1752
 493   0   0  1874  5675 11192  6546
 494   0   2   874  5094 11842  7809
 495  -1   0   760 12102  5115 10093
 496  -1   0  1626  4185  9898  2052
 497  -1   2 11878  8847  8718 11044
 498  -1   0   952  2338  1103 11254
 499   1  -2  2558 10638  3234  3355
 500  -1   0  8556 11033  5603  1199
 501   0   0  5848  7063 11603  6796
 502   0   2  7859  2289  1071  7667
 503   0   0  7909  7745  9517  9120
 504   0   0  7307  3801   992  4019
 505   0   2  4268  2937  3718  1290
 506   0   0  7878 10639   121 12207
 507   0  -2  9470  8437 10821  3280
 508  -1   0  8213  9197  7737  8475
 509  -1  -2 10700  6041  8143  5205
 510  -1   0   344  5879  1943  2793
 511   1   0 10325  7270  3760  2198

Shown are the 512 small coefficients of the private keys f = s1 and g = 2 * s2 + 1 as well as their Number Theoretic Transforms (NTT) F and G, respectively. The BLISS public key A is computed as the component-wise inverse of F * G and the reverse NTT gives a = 1/(f * g) mod q with the 14 bit modulus q = 12289. Sometime it happens that F * G is not invertible, so that the following debug message is output
S1[374] is zero - s1 is not invertible

and another trial run is started.

BLISS Root CA Certificate Generation

A self-signed BLISS CA certificate can be generated with the following command

pki --self --type bliss --in cakey4.pem --ca --dn "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" --lifetime 3653 --digest sha512 --debug 2 --outform pem > cacert4.pem

The BLISS private key is read and parsed

  file content is not binary ASN.1
  -----BEGIN BLISS PRIVATE KEY-----
  -----END BLISS PRIVATE KEY-----

L0 - BLISSPrivateKey:
L1 - keyType:
  'BLISS-B-IV'
L1 - public:
L1 - secret1:
L1 - secret2:
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
  'blissPublicKey'
L3 - parameters:
L4 - blissKeyType:
  'BLISS-B-IV'
L1 - subjectPublicKey:

First signature round:

mgf1 based on sha256 is seeded with 32 octets
y1 = -937..665 (sigma2 = 71312, mean =  6.0)
y2 = -961..788 (sigma2 = 78187, mean = 11.3)

mgf1 based on sha512 is seeded with 1088 octets
mgf1 generated 64 octets

norm2(s1*c') + norm2(s2*c') = 54394 (69576 max), accepted
scalar(z1,s1*c) + scalar(z2,s2*c) = 121971, rejected

mgf1 generated 10112 octets

Second signature round:

mgf1 based on sha256 is seeded with 32 octets
y1 = -809..845 (sigma2 = 68853, mean = -6.4)
y2 = -758..716 (sigma2 = 69034, mean = -19.2)

Random oracle based on MGF1 and SHA-512 generates κ = 39 non-zero c_indices:

mgf1 based on sha512 is seeded with 1088 octets

 i  c_index[i]
 0      482
 1      309
 2       98
 3      333
 4      472
 5       55
 6      218
 7      142
 8      221
 9      175
10      387
11      443
12      225
13       96
14      316
15      359
16      394
17      307
18      144
19      420
20       37
21      146
22       45
23      171
24      240
25      471
26      323
27       49
28       29
29       78
30      377
31      462
32      473
33       15
34      351
35       77
36       35
37      449
38      424

41  index trials
mgf1 generated 64 octets

norm2(s1*c') + norm2(s2*c') = 52674 (69576 max), accepted
scalar(z1,s1*c) + scalar(z2,s2*c) = 15806, accepted

z1 = -811..853, z2d = -3..3

efficiency of Huffman coder is 3.3340 bits/tuple (1707 bits)
generated BLISS signature (6666 bits encoded in 834 bytes)
signature generation needed 2 rounds

mgf1 generated 10240 octets

With a debug level of 2 you get quite a lot of debug information. Starting from the top, the automatic conversion from PEM to DER format is shown, followed by the ASN.1 encoding of the BLISS private key from which the BLISS public key is extracted. Then in order to generate the BLISS certificate signature, two vectors y1 and y2 with 512 random numbers tightly following a Gaussian probability distribution using rejection sampling are generated. This process often requires several rounds and a lot of random bits are used. The BLISS signature finally consists of the random vectors z1 and z2 as well as the sparse challenge vector c.

A BLISS certificate can be displayed at any time with

pki --print --debug 2 --in cacert4.pem

  file content is not binary ASN.1
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----

L0 - x509:
L1 - tbsCertificate:
L2 - DEFAULT v1:
L3 - version:
  X.509v3
L2 - serialNumber:
L2 - signature:
L3 - algorithmIdentifier:
L4 - algorithm:
  'BLISS-with-SHA512'
L2 - issuer:
  'C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA'
L2 - validity:
L3 - notBefore:
L4 - utcTime:
  'Jul 28 10:10:44 UTC 2015'
L3 - notAfter:
L4 - utcTime:
  'Jul 28 10:10:44 UTC 2025'
L2 - subject:
  'C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA'
L2 - subjectPublicKeyInfo:
-- > --
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
  'blissPublicKey'
L3 - parameters:
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
  'blissPublicKey'
L3 - parameters:
L4 - blissKeyType:
  'BLISS-B-IV'
L1 - subjectPublicKey:
-- < --
L2 - optional extensions:
L3 - extensions:
L4 - extension:
L5 - extnID:
  'basicConstraints'
L5 - critical:
  TRUE
L5 - extnValue:
L6 - basicConstraints:
L7 - CA:
  TRUE
L4 - extension:
L5 - extnID:
  'keyUsage'
L5 - critical:
  TRUE
L5 - extnValue:
L4 - extension:
L5 - extnID:
  'subjectKeyIdentifier'
L5 - critical:
  FALSE
L5 - extnValue:
L6 - keyIdentifier:
L1 - signatureAlgorithm:
L2 - algorithmIdentifier:
L3 - algorithm:
  'BLISS-with-SHA512'
L1 - signatureValue:

z1 = -811..853, z2d = -3..3

mgf1 based on sha512 is seeded with 1088 octets
mgf1 generated 64 octets

cert:      X509
subject:  "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" 
issuer:   "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" 
validity:  not before Jul 28 12:10:44 2015, ok
           not after  Jul 28 12:10:44 2025, ok (expires in 3652 days)
serial:    7b:79:fb:00:a5:f6:c8:47
flags:     CA CRLSign self-signed 
subjkeyId: 47:bd:9e:5e:a8:58:ce:60:14:73:f3:54:7c:e8:28:10:7b:e6:c7:65
pubkey:    BLISS 192 bits strength
keyid:     1c:a7:5c:94:d1:ee:f6:c7:94:21:18:e5:ef:89:b3:c3:64:42:24:97
subjkey:   47:bd:9e:5e:a8:58:ce:60:14:73:f3:54:7c:e8:28:10:7b:e6:c7:65

BLISS End Entity Certificate Generation

We are now going to generate a BLISS-I key pair for user Carol:

pki --gen --type bliss --size 1 > carolKey.der

secret key generation succeeded after 1 trial

Next we create a self-signed PKCS#10 certificate request
 pki --req --type bliss --in carolKey.der --dn "C=CH, O=strongSwan Project, CN=carol@strongswan.org" --san carol@strongswan.org > carolReq.der

which is used as the input for the CA to create a signed end entity certificate:
 pki --issue --type pkcs10 --in carolReq.der --cacert cacert4.pem --cakey cakey4.pem --crl http://crl.strongswan.org/bliss.crl --flag clientAuth > carolCert.der

and which has the following content
pki --print --in carolCert.der

cert:      X509
subject:  "C=CH, O=strongSwan Project, CN=carol@strongswan.org" 
issuer:   "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" 
validity:  not before Mar 15 18:04:00 2015, ok
           not after  Mar 14 18:04:00 2018, ok (expires in 1094 days)
serial:    43:63:44:f0:7f:2f:aa:dc
altNames:  carol@strongswan.org
flags:     clientAuth 
CRL URIs:  http://crl.strongswan.org/bliss.crl
authkeyId: 47:bd:9e:5e:a8:58:ce:60:14:73:f3:54:7c:e8:28:10:7b:e6:c7:65
subjkeyId: cb:b5:c3:d5:00:ba:bb:90:ec:80:99:05:68:72:ae:3b:04:f8:9b:5f
pubkey:    BLISS 128 bits strength
keyid:     f5:0e:6e:0c:4c:65:ac:03:41:bf:5c:9f:26:d5:52:dc:87:6b:3d:15
subjkey:   cb:b5:c3:d5:00:ba:bb:90:ec:80:99:05:68:72:ae:3b:04:f8:9b:5f

IKEv2 Public Key Authentication using BLISS Signatures

The ikev2/rw-ntru-bliss strongSwan remote-access VPN scenario shows the practical use of IKEv2 public key authentication based on BLISS signatures. The larger size of the BLISS signatures and certificates compared to RSA is not a problem because IKEv2 Message Fragmentation (RFC 7383) is being used:

IKE_AUTH Request

Mar 15 12:18:03 carol charon: 13[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=BLISS I, CN=carol@strongswan.org" 
Mar 15 12:18:03 carol charon: 13[IKE] establishing CHILD_SA home
Mar 15 12:18:03 carol charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Mar 15 12:18:03 carol charon: 13[ENC] splitting IKE message with length of 3232 bytes into 3 fragments
Mar 15 12:18:03 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Mar 15 12:18:03 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Mar 15 12:18:03 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Mar 15 12:18:03 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
Mar 15 12:18:03 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
Mar 15 12:18:03 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (452 bytes)

IKE_AUTH Response

Mar 15 12:18:03 carol charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
Mar 15 12:18:03 carol charon: 14[ENC] parsed IKE_AUTH response 1 [ EF ]
Mar 15 12:18:03 carol charon: 14[ENC] received fragment #1 of 3, waiting for complete IKE message
Mar 15 12:18:03 carol charon: 14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
Mar 15 12:18:03 carol charon: 14[ENC] parsed IKE_AUTH response 1 [ EF ]
Mar 15 12:18:03 carol charon: 14[ENC] received fragment #2 of 3, waiting for complete IKE message
Mar 15 12:18:03 carol charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (580 bytes)
Mar 15 12:18:03 carol charon: 15[ENC] parsed IKE_AUTH response 1 [ EF ]
Mar 15 12:18:03 carol charon: 15[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Mar 15 12:18:03 carol charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Mar 15 12:18:03 carol charon: 15[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org" 
Mar 15 12:18:03 carol charon: 15[CFG]   using certificate "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org" 
Mar 15 12:18:03 carol charon: 15[CFG]   using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA" 
Mar 15 12:18:03 carol charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org" 
Mar 15 12:18:03 carol charon: 15[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan_bliss.crl' ...
Mar 15 12:18:03 carol charon: 15[CFG]   using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA" 
Mar 15 12:18:03 carol charon: 15[CFG]   crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA" 
Mar 15 12:18:03 carol charon: 15[CFG]   crl is valid: until Apr 14 11:08:14 2015
Mar 15 12:18:03 carol charon: 15[CFG] certificate status is good
Mar 15 12:18:03 carol charon: 15[CFG]   reached self-signed root ca with a path length of 0
Mar 15 12:18:03 carol charon: 15[IKE] authentication of 'moon.strongswan.org' with BLISS_WITH_SHA512 successful
Mar 15 12:18:03 carol charon: 15[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]

BTW- the key exchange method used is NTRU Encryption so that the strongSwan IPsec connection setup is not vulnerable to quantum computer based key attacks:

IKE_SA_INIT Request

Mar 15 12:18:03 carol charon: 12[IKE] initiating IKE_SA home[1] to 192.168.0.1
Mar 15 12:18:03 carol charon: 12[LIB] 128 bit optimum NTRU parameter set ees439ep1 selected
Mar 15 12:18:03 carol charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) V ]
Mar 15 12:18:03 carol charon: 12[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (829 bytes)

Design Details on BLISS Signatures

  • For Gaussian sampling we are using a Bernoulli Sampler as described in Lattice Signatures and Bimodal Gaussians but currently not a Cumulative Distribution Table (CDT). This means the Gaussian rejection sampling currently requires a lot of random material which is produced using the MGF1 Mask Generation Function (RFC 2437) seeded by a true random source. The hash function used with MGF1 is currently SHA-1 for cryptographic strengths up to 160 bits, and SHA-256 for strengths up to 256 bits but we think about generally switching to SHA-512 since that hash function is used for the random oracle used by the BLISS signature anyway and SHA-512 performance is usually superior to SHA-256 on 64 bit platforms.
  • Measured BLISS Signature Size*
    Scheme Bit-packed Partially Huffman-coded Compression Rates
    BLISS-I 7375 bits 5718 .. 5793 .. 5884 bits 22.5 .. 21.4 .. 20.2 %
    BLISS-III 7950 bits 6093 .. 6167 .. 6255 bits 23.4 .. 22.4 .. 21.3 %
    BLISS-IV 8543 bits 6644 .. 6725 .. 6784 bits 22.3 .. 21.3 .. 20.6 %
    *statistics based on a measurement set of 50 signatures, each

ASN.1 Syntax

Object Identifiers

id-bliss { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) ita(36906) bliss(5) }

keyType { id-bliss 1 }

blissPublicKey { keyType 1 }

parameters { id-bliss 2 }

bliss-I     = { parameters 1 }
bliss-II    = { parameters 2 }
bliss-III   = { parameters 3 }
bliss-IV    = { parameters 4 }
bliss-B-I   = { parameters 5 }
bliss-B-II  = { parameters 6 }
bliss-B-III = { parameters 7 }
bliss-B-IV  = { parameters 8 }

blissSigType = { id-bliss 3 }

blissWithSha2-512 = { blissSigType 1 }
blissWithSha2-384 = { blissSigType 2 }
blissWithSha2-256 = { blissSigType 3 }
blissWithSha3-512 = { blissSigType 4 }
blissWithSha3-384 = { blissSigType 5 }
blissWithSha3-256 = { blissSigType 6 }

BLISS Private Key

BlissPrivateKey  ::= SEQUENCE {
    parameter OBJECT IDENTIFIER,
    public    BIT STRING, -- A
    secret1   BIT STRING, -- s1
    secret2   BIT STRING  -- s2 }

As parameter one of the BLISS parameters OIDs bliss-B-I .. bliss-B-IV is used.

BLISS Public Key

SubjectPublicKeyInfo  ::=  SEQUENCE  {
    algorithm         AlgorithmIdentifier,
    subjectPublicKey  BIT STRING  }

AlgorithmIdentifier  ::=  SEQUENCE  {
    algorithm         OBJECT IDENTIFIER,
    parameters        OBJECT IDENTIFER }

As algorithm the blissPublicKey OID is used and parameters indicates one of the BLISS parameter OIDs bliss-B-I .. bliss-B-IV.

References