strongSwan

h1. Bimodal Lattice Signature Scheme (BLISS)

BLISS is a post-quantum signature scheme based on the CRYPTO 2013 paper "Lattice Signatures and Bimodal Gaussians":https://eprint.iacr.org/2013/383 by Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Starting with the strongSwan [[5.2.2]] release we offer BLISS as an IKEv2 public key authentication method and added full BLISS key and certificate generation support to the strongSwan [[IpsecPki|pki]] tool.

h2. BLISS Private Key Generation

strongSwan currently supports the BLISS-I, BLISS-III, and BLISS-IV schemes with a cryptographic strength of 128 bits, 160 bits and 192 bits, respectively. Using the [[IpsecPki|pki]] tool a private BLISS key can be generated as follows:

<pre>

pki --gen --type bliss --size 1 --debug 2 > key1.der

mgf1 based on sha1 is seeded with 20 octets

mgf1 generated 240 octets

mgf1 based on sha1 is seeded with 20 octets

mgf1 generated 240 octets

l2 norm of s1||s2: 771, Nk(S): 47150 (46479 max)

mgf1 based on sha1 is seeded with 20 octets

mgf1 generated 220 octets

mgf1 based on sha1 is seeded with 20 octets

mgf1 generated 240 octets

l2 norm of s1||s2: 771, Nk(S): 43332 (46479 max)

secret key generation succeeded after 2 trials

</pre>

When generating the private key consisting of the two polynomials s1 and s2, the Nk(S) metric must be fulfilled. This means that often several trials are needed in order to obtain a valid BLISS private key.

With the command

<pre>

pki --print --type bliss-priv --in key1.der

private key with:

pubkey:    BLISS 128 bits strength

keyid:     d1:a3:fb:04:8d:1b:86:4f:fa:a7:d8:45:ec:e3:e3:ec:ef:7b:85:ca

subjkey:   e3:fc:6b:59:9a:ee:81:d5:10:3a:58:9f:e2:99:f7:7f:5c:3b:1c:96

</pre>

information on the BLISS private key is displayed.