Bimodal Lattice Signature Scheme (BLISS) » History » Version 30
Andreas Steffen, 13.12.2014 20:46
Bimodal Lattice Signature Scheme (BLISS)
BLISS is a post-quantum signature scheme based on the CRYPTO 2013 paper Lattice Signatures and Bimodal Gaussians by Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Starting with the strongSwan 5.2.2 release we offer BLISS as an IKEv2 public key authentication method. We also added full BLISS key and certificate generation support to the strongSwan pki tool.
This seamless integration into the strongSwan framework was made possible by the new libstrongswan bliss plugin, which is written entirely in the C programming language without the use of any external libraries and implements the libstrongswan public_key_t and private_key_t interfaces.
Building strongSwan with BLISS Support
If you want to play around with BLISS keys and signatures using the strongSwan pki tool please follow the quick software installation HOWTO:
wget http://download.strongswan.org/strongswan-5.2.2rc1.tar.bz2
tar xjf strongswan-5.2.2rc1.tar.bz2
cd strongswan-5.2.2rc1
./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-bliss
make
sudo make install
BLISS Private Key Generation
strongSwan currently supports the BLISS-I, BLISS-III, and BLISS-IV schemes with a cryptographic strength of 128 bits, 160 bits and 192 bits, respectively. Using the pki tool a private BLISS key can be generated as follows:
pki --gen --type bliss --size 1 --debug 2 > cakey1.der
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 240 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 240 octets
l2 norm of s1||s2: 771, Nk(S): 47150 (46479 max)
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 220 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 240 octets
l2 norm of s1||s2: 771, Nk(S): 43332 (46479 max)
secret key generation succeeded after 2 trials
When generating the private key consisting of the two polynomials s1 and s2, the limit for the Nk(S) metric must not be exceeded. This means that often several trials are needed in order to obtain a valid BLISS private key. With the command
pki --print --type bliss-priv --in cakey1.der
private key with:
pubkey: BLISS 128 bits strength
keyid: d1:a3:fb:04:8d:1b:86:4f:fa:a7:d8:45:ec:e3:e3:ec:ef:7b:85:ca
subjkey: e3:fc:6b:59:9a:ee:81:d5:10:3a:58:9f:e2:99:f7:7f:5c:3b:1c:96
information on the BLISS private key is displayed.
Let's now generate a BLISS-IV key with 192 bit cryptographic strength in base64-encoded PEM format:
pki --gen --type bliss --size 4 --outform pem > cakey4.pem
secret key generation succeeded after 6 trials
The PEM key format is printable
cat cakey4.pem
-----BEGIN BLISS PRIVATE KEY-----
...
-----END BLISS PRIVATE KEY-----
At last let's generate a BLISS-III key with a cryptographic strength of 160 bits with the highest debug level enabled:
pki --gen --type bliss --size 3 --debug 4 > cakey3.der
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 380 octets
mgf1 based on sha1 is seeded with 20 octets
mgf1 generated 380 octets
l2 norm of s1||s2: 1401, Nk(S): 125552 (128626 max)
secret key generation succeeded after 1 trial
i f g a F G A
The debug level 4 output lists, one row per index i, the 512 small coefficients of the private keys f = s1 and g = 2 * s2 + 1 as well as their Number Theoretic Transforms (NTT) F and G, respectively. The BLISS public key A is computed as the component-wise inverse of F * G and the reverse NTT gives a = 1/(f * g) mod q with the 14 bit modulus q = 12289. Sometimes F * G is not invertible, in which case the following debug message is output
S1[91] is zero - s1 is not invertible
and another trial run is started.
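The invertibility test behind that debug message can be reproduced in a few lines. The following is an added example, not strongSwan code: it uses the page's n = 512 and q = 12289 but a plain O(n²) transform, an assumed component ordering and an assumed coefficient distribution, so indices will not match strongSwan's output. A polynomial is invertible in Z_q[x]/(x^n + 1) exactly when none of its NTT components is zero, and the inverse is then the component-wise inverse transformed back.

```python
# Added illustration, not strongSwan code. Ring: Z_q[x]/(x^n + 1) with the
# page's q = 12289 and n = 512. Ordering and sampling are assumptions.
import random

Q = 12289  # 14 bit modulus quoted on the page
N = 512    # number of coefficients quoted on the page


def find_psi(n=N, q=Q):
    """Smallest psi with psi^n = -1 (mod q); for n a power of two this is a
    primitive 2n-th root of unity."""
    for x in range(2, q):
        if pow(x, n, q) == q - 1:
            return x
    raise ValueError("q - 1 is not divisible by 2n")


def ntt(f, psi, q=Q):
    """Evaluate f at the n roots psi^(2i+1) of x^n + 1 (O(n^2) for clarity)."""
    out = []
    for i in range(len(f)):
        root, acc, power = pow(psi, 2 * i + 1, q), 0, 1
        for coeff in f:
            acc = (acc + coeff * power) % q
            power = power * root % q
        out.append(acc)
    return out


def intt(F, psi, q=Q):
    """Inverse of ntt(): recover the coefficients from the n evaluations."""
    n = len(F)
    n_inv, psi_inv = pow(n, q - 2, q), pow(psi, q - 2, q)
    out = []
    for j in range(n):
        base = pow(psi_inv, j, q)              # psi^(-j)
        step, w, acc = base * base % q, base, 0
        for value in F:                        # w runs through psi^(-(2i+1)j)
            acc = (acc + value * w) % q
            w = w * step % q
        out.append(acc * n_inv % q)
    return out


def invert(f, psi, q=Q):
    """Return (f^-1, None), or (None, i) when NTT component i is zero."""
    F = ntt(f, psi, q)
    for i, value in enumerate(F):
        if value == 0:
            return None, i
    return intt([pow(value, q - 2, q) for value in F], psi, q), None


def negacyclic_mul(a, b, q=Q):
    """Schoolbook product in Z_q[x]/(x^n + 1), used only to check results."""
    n = len(a)
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            k, term = i + j, x * y
            if k >= n:                         # x^n = -1 wraps with a sign flip
                k, term = k - n, -term
            out[k] = (out[k] + term) % q
    return out


def keygen_like(rng, psi, n=N, q=Q):
    """Draw small polynomials (constructed distribution) until one is
    invertible; returns (f, f_inv, trials)."""
    trials = 0
    while True:
        trials += 1
        f = [rng.choice((-2, -1, -1, 0, 0, 0, 0, 1, 1, 2)) for _ in range(n)]
        f_inv, zero_at = invert(f, psi, q)
        if f_inv is not None:
            return f, f_inv, trials
        print(f"F[{zero_at}] is zero - f is not invertible, retrying")


def non_invertible_example(psi, n=N, q=Q):
    """Constructed polynomial x^(n/2) - psi^(n/2), which vanishes at psi."""
    f = [0] * n
    f[0], f[n // 2] = -pow(psi, n // 2, q) % q, 1
    return f


if __name__ == "__main__":
    psi = find_psi()
    f, f_inv, trials = keygen_like(random.Random(2014), psi)
    assert negacyclic_mul(f, f_inv) == [1] + [0] * (N - 1)
    print(f"invertible f found after {trials} trial(s), psi = {psi}")
    print("constructed bad case ->", invert(non_invertible_example(psi), psi))
```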
BLISS Root CA Certificate Generation
A self-signed BLISS CA certificate can be generated with the following command:
pki --self --type bliss --in cakey4.pem --ca --dn "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" --lifetime 3653 --debug 2 --outform pem > cacert4.pem
file content is not binary ASN.1
-----BEGIN BLISS PRIVATE KEY-----
-----END BLISS PRIVATE KEY-----
L0 - BLISSPrivateKey:
L1 - keyType: 'BLISS-IV'
L1 - public:
L1 - secret1:
L1 - secret2:
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm: 'blissPublicKey'
L3 - parameters:
L4 - blissKeyType: 'BLISS-IV'
L1 - subjectPublicKey:
mgf1 based on sha256 is seeded with 32 octets
y1 = -859..738 (sigma2 = 71786, mean = -6.6)
y2 = -852..644 (sigma2 = 65618, mean = 2.0)
norm2(s1*c) + norm2(s2*c) = 63602, rejected
mgf1 generated 10304 octets
mgf1 based on sha256 is seeded with 32 octets
y1 = -942..726 (sigma2 = 81503, mean = -8.6)
y2 = -876..893 (sigma2 = 69883, mean = 2.4)
norm2(s1*c) + norm2(s2*c) = 66020, accepted
scalar(z1,s1*c) + scalar(z2,s2*c) = 86651, rejected
mgf1 generated 10528 octets
mgf1 based on sha256 is seeded with 32 octets
y1 = -862..785 (sigma2 = 72628, mean = -7.1)
y2 = -782..921 (sigma2 = 74618, mean = 4.1)
norm2(s1*c) + norm2(s2*c) = 64940, accepted
scalar(z1,s1*c) + scalar(z2,s2*c) = -176380, accepted
z1 = -873..780, z2d = -3..4
efficiency of Huffman coder is 3.4121 bits/tuple (1747 bits)
generated BLISS signature (6706 bits encoded in 839 bytes)
signature generation needed 3 rounds
mgf1 generated 10656 octets
With a debug level of 2 you get quite a lot of debug information. Starting from the top, the automatic conversion from PEM to DER format is shown, followed by the ASN.1 encoding of the BLISS private key from which the BLISS public key is extracted. Then, in order to generate the BLISS certificate signature, two vectors y1 and y2 with 512 random numbers that tightly follow a Gaussian probability distribution are generated using rejection sampling. This process usually requires several rounds and a lot of random bits are used. The BLISS signature finally consists of the random vectors z1 and z2 as well as the sparse challenge vector c.
A BLISS certificate can be displayed at any time with
pki --print --debug 2 --in cacert4.pem
L0 - x509:
L1 - tbsCertificate:
L2 - DEFAULT v1:
L3 - version: X.509v3
L2 - serialNumber:
L2 - signature:
L3 - algorithmIdentifier:
L4 - algorithm: 'BLISS-with-SHA512'
L2 - issuer: 'C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA'
L2 - validity:
L3 - notBefore:
L4 - utcTime: 'Dec 13 12:01:57 UTC 2014'
L3 - notAfter:
L4 - utcTime: 'Dec 13 12:01:57 UTC 2024'
L2 - subject: 'C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA'
L2 - subjectPublicKeyInfo:
-- > --
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm: 'blissPublicKey'
L3 - parameters:
L0 - subjectPublicKeyInfo:
L1 - algorithm:
L2 - algorithmIdentifier:
L3 - algorithm: 'blissPublicKey'
L3 - parameters:
L4 - blissKeyType: 'BLISS-IV'
L1 - subjectPublicKey:
-- < --
L2 - optional extensions:
L3 - extensions:
L4 - extension:
L5 - extnID: 'basicConstraints'
L5 - critical: TRUE
L5 - extnValue:
L6 - basicConstraints:
L7 - CA: TRUE
L4 - extension:
L5 - extnID: 'keyUsage'
L5 - critical: TRUE
L5 - extnValue:
L4 - extension:
L5 - extnID: 'subjectKeyIdentifier'
L5 - critical: FALSE
L5 - extnValue:
L6 - keyIdentifier:
L1 - signatureAlgorithm:
L2 - algorithmIdentifier:
L3 - algorithm: 'BLISS-with-SHA512'
L1 - signatureValue:
z1 = -873..780, z2d = -3..4
cert: X509
subject: "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA"
validity: not before Dec 13 13:01:57 2014, ok
          not after Dec 13 13:01:57 2024, ok (expires in 3652 days)
serial: 12:a0:ca:85:51:b9:f3:27
flags: CA CRLSign self-signed
subjkeyId: 37:f4:9e:f8:b7:50:ed:d4:29:16:72:58:b4:b1:f1:f5:46:c9:54:71
pubkey: BLISS 192 bits strength
keyid: 55:ee:7a:31:44:e5:a0:cf:b6:c9:a7:17:98:c9:60:a7:eb:d0:4e:4f
subjkey: 37:f4:9e:f8:b7:50:ed:d4:29:16:72:58:b4:b1:f1:f5:46:c9:54:71
If you are not interested in any detailed information then just create a self-signed BLISS CA certificate with
pki --self --type bliss --in cakey1.der --ca --dn "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA" --lifetime 3653 > cacert1.der
and view it with
pki --print --in cacert1.der
cert: X509
subject: "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA"
validity: not before Dec 13 12:58:21 2014, ok
          not after Dec 13 12:58:21 2024, ok (expires in 3652 days)
serial: 5d:06:0d:4b:69:64:84:62
flags: CA CRLSign self-signed
subjkeyId: f3:60:55:bc:0b:49:c4:8a:a6:38:cc:ad:72:67:e5:91:7c:b8:a4:f5
pubkey: BLISS 128 bits strength
keyid: df:78:00:c4:b4:13:e7:fd:4f:05:dd:39:1a:2e:2b:c5:65:39:10:f4
subjkey: f3:60:55:bc:0b:49:c4:8a:a6:38:cc:ad:72:67:e5:91:7c:b8:a4:f5
BLISS End Entity Certificate Generation
We are now going to generate a BLISS-I key pair for user Carol:
pki --gen --type bliss --size 1 > carolKey.der
secret key generation succeeded after 2 trials
Next we create a self-signed PKCS#10 certificate request
pki --req --type bliss --in carolKey.der --dn "C=CH, O=strongSwan Project, CN=carol@strongswan.org" --san carol@strongswan.org > carolReq.der
which is used as the input for the CA to create a signed end entity certificate:
pki --issue --type pkcs10 --in carolReq.der --cacert cacert4.pem --cakey cakey4.pem --crl http://crl.strongswan.org/bliss.crl --flag clientAuth > carolCert.der
and which has the following content
pki --print --in carolCert.der
cert: X509
subject: "C=CH, O=strongSwan Project, CN=carol@strongswan.org"
issuer: "C=CH, O=strongSwan Project, CN=strongSwan BLISS Root CA"
validity: not before Dec 13 13:20:34 2014, ok
          not after Dec 12 13:20:34 2017, ok (expires in 1094 days)
serial: 38:a9:13:10:c2:ed:ed:c3
altNames: carol@strongswan.org
flags: clientAuth
CRL URIs: http://crl.strongswan.org/bliss.crl
authkeyId: 37:f4:9e:f8:b7:50:ed:d4:29:16:72:58:b4:b1:f1:f5:46:c9:54:71
subjkeyId: 8b:a3:c5:11:00:bb:84:55:dd:b8:4b:20:04:d9:58:77:57:ba:d8:3c
pubkey: BLISS 128 bits strength
keyid: 5b:cf:17:14:a8:d8:aa:bc:40:f3:21:95:a9:67:7d:20:af:66:4e:c2
subjkey: 8b:a3:c5:11:00:bb:84:55:dd:b8:4b:20:04:d9:58:77:57:ba:d8:3c
IKEv2 Public Key Authentication using BLISS Signatures
The ikev2/rw-ntru-bliss strongSwan remote-access VPN scenario shows the practical use of IKEv2 public key authentication based on BLISS signatures. The larger size of the BLISS signatures and certificates compared to RSA is not a problem because IKEv2 Message Fragmentation (RFC 7383) is being used:
IKE_AUTH Request
Dec 12 13:53:11 carol charon: 13[IKE] sending end entity cert "C=CH, O=Linux strongSwan, OU=BLISS I, CN=carol@strongswan.org"
Dec 12 13:53:11 carol charon: 13[IKE] establishing CHILD_SA home
Dec 12 13:53:11 carol charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CPRQ(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Dec 12 13:53:11 carol charon: 13[ENC] splitting IKE message with length of 3232 bytes into 3 fragments
Dec 12 13:53:11 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Dec 12 13:53:11 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Dec 12 13:53:11 carol charon: 13[ENC] generating IKE_AUTH request 1 [ EF ]
Dec 12 13:53:11 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
Dec 12 13:53:11 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
Dec 12 13:53:11 carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (452 bytes)
IKE_AUTH Response
Dec 12 13:53:12 carol charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
Dec 12 13:53:12 carol charon: 03[ENC] parsed IKE_AUTH response 1 [ EF ]
Dec 12 13:53:12 carol charon: 03[ENC] received fragment #1 of 3, waiting for complete IKE message
Dec 12 13:53:12 carol charon: 03[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
Dec 12 13:53:12 carol charon: 03[ENC] parsed IKE_AUTH response 1 [ EF ]
Dec 12 13:53:12 carol charon: 03[ENC] received fragment #2 of 3, waiting for complete IKE message
Dec 12 13:53:12 carol charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (548 bytes)
Dec 12 13:53:12 carol charon: 15[ENC] parsed IKE_AUTH response 1 [ EF ]
Dec 12 13:53:12 carol charon: 15[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Dec 12 13:53:12 carol charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 12 13:53:12 carol charon: 15[IKE] received end entity cert "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org"
Dec 12 13:53:12 carol charon: 15[CFG] using certificate "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org"
Dec 12 13:53:12 carol charon: 15[CFG] using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA"
Dec 12 13:53:12 carol charon: 15[CFG] checking certificate status of "C=CH, O=Linux strongSwan, OU=BLISS IV, CN=moon.strongswan.org"
Dec 12 13:53:12 carol charon: 15[CFG] fetching crl from 'http://crl.strongswan.org/strongswan_bliss.crl' ...
Dec 12 13:53:12 carol charon: 15[CFG] using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA"
Dec 12 13:53:12 carol charon: 15[CFG] crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan BLISS Root CA"
Dec 12 13:53:12 carol charon: 15[CFG] crl is valid: until Jan 11 12:36:45 2015
Dec 12 13:53:12 carol charon: 15[CFG] certificate status is good
Dec 12 13:53:12 carol charon: 15[CFG] reached self-signed root ca with a path length of 0
Dec 12 13:53:12 carol charon: 15[IKE] authentication of 'moon.strongswan.org' with BLISS signature successful
Dec 12 13:53:12 carol charon: 15[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
BTW, the key exchange method used is NTRU Encryption, so the strongSwan IPsec connection setup is not vulnerable to quantum computer based key attacks:
IKE_SA_INIT Request
Dec 12 13:53:11 carol charon: 12[IKE] initiating IKE_SA home[1] to 192.168.0.1
Dec 12 13:53:11 carol charon: 12[LIB] 128 bit optimum NTRU parameter set ees439ep1 selected
Dec 12 13:53:11 carol charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V ]
Dec 12 13:53:11 carol charon: 12[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (813 bytes)
Design Details on BLISS Signatures
- For Gaussian sampling we are using a Bernoulli Sampler as described in Lattice Signatures and Bimodal Gaussians but currently not a Cumulative Distribution Table (CDT). This means that the Gaussian rejection sampling currently requires a lot of random material, which is produced using the MGF1 Mask Generation Function (RFC 2437) seeded by a true random source. The hash function used with MGF1 is currently SHA-1 for cryptographic strengths up to 160 bits and SHA-256 for strengths up to 256 bits, but we are considering generally switching to SHA-512, since that hash function is used for the random oracle of the BLISS signature anyway and SHA-512 performance is usually superior to SHA-256 on 64 bit platforms.
- In order to minimize the BLISS signature size currently the following automatically generated Huffman Codes are used to encode the tuples
(abs(z1[i]) >> 8, z2d[i])
The performance of the BLISS-III and BLISS-IV codes is quite good, but for BLISS-I the more complex scheme which encodes the tuples
(abs(z1[2*i]) >> 8, abs(z1[2*i+1]) >> 8, z2d[2*i], z2d[2*i+1])
as proposed by Thomas Pöppelmann, Léo Ducas and Tim Güneysu in Enhanced Lattice-Based Signatures on Reconfigurable Hardware might result in a significant improvement of the compression rate.
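How such a code is built, and where a bits/tuple figure like the one in the debug output comes from, is shown by this added example, which is not strongSwan code. The z1 and z2d vectors are constructed Gaussian samples whose standard deviations are assumptions, and the Huffman code is built from the frequencies of that sample.

```python
# Added illustration, not strongSwan code: Huffman coding of the tuples
# (abs(z1[i]) >> 8, z2d[i]). Sample vectors are constructed, not BLISS output.
import heapq
import math
import random
from collections import Counter

N = 512       # coefficients per vector (from the page)
SIGMA = 268   # assumption: roughly sqrt(sigma2) from the page's debug log


def constructed_vectors(seed=1):
    """Constructed stand-ins for z1 and z2d; z2d is clipped to the -3..4
    range seen in the page's log, its spread of 1.2 is an assumption."""
    rng = random.Random(seed)
    z1 = [round(rng.gauss(0, SIGMA)) for _ in range(N)]
    z2d = [max(-3, min(4, round(rng.gauss(0, 1.2)))) for _ in range(N)]
    return z1, z2d


def to_tuples(z1, z2d):
    """High part of |z1| paired with z2d, as in the page's tuple definition."""
    return [(abs(a) >> 8, b) for a, b in zip(z1, z2d)]


def huffman_code(freq):
    """Build {symbol: bit string} from {symbol: count}."""
    if len(freq) == 1:                  # a one-symbol alphabet still needs 1 bit
        return {sym: "0" for sym in freq}
    codes = {sym: "" for sym in freq}
    heap = [(count, i, [sym])
            for i, (sym, count) in enumerate(sorted(freq.items()))]
    heapq.heapify(heap)
    tie = len(heap)                     # unique tie-breaker, lists never compared
    while len(heap) > 1:
        w0, _, group0 = heapq.heappop(heap)
        w1, _, group1 = heapq.heappop(heap)
        for sym in group0:              # the two lightest subtrees get one more bit
            codes[sym] = "0" + codes[sym]
        for sym in group1:
            codes[sym] = "1" + codes[sym]
        heapq.heappush(heap, (w0 + w1, tie, group0 + group1))
        tie += 1
    return codes


def encode(tuples, codes):
    return "".join(codes[t] for t in tuples)


def decode(bits, codes):
    """Prefix-freeness makes the first matching code word the only match."""
    lookup = {code: sym for sym, code in codes.items()}
    out, current = [], ""
    for bit in bits:
        current += bit
        if current in lookup:
            out.append(lookup[current])
            current = ""
    if current:
        raise ValueError("trailing bits do not form a code word")
    return out


def entropy(freq):
    total = sum(freq.values())
    return -sum(c / total * math.log2(c / total) for c in freq.values())


def report(seed=1):
    """Code the constructed sample and compare with entropy and fixed width."""
    tuples = to_tuples(*constructed_vectors(seed))
    freq = Counter(tuples)
    codes = huffman_code(freq)
    bits = encode(tuples, codes)
    assert decode(bits, codes) == tuples
    return {"bits_per_tuple": len(bits) / len(tuples),
            "entropy": entropy(freq),
            "fixed_width": math.ceil(math.log2(len(freq))),
            "total_bits": len(bits)}


if __name__ == "__main__":
    r = report()
    print("Huffman: %.4f bits/tuple (%d bits), entropy %.4f, fixed width %d"
          % (r["bits_per_tuple"], r["total_bits"], r["entropy"], r["fixed_width"]))
```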
ASN.1 Syntax
Object Identifiers
id-bliss { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) ita(36906) bliss(5) }
keyType { id-bliss 1 }
blissPublicKey { keyType 1 }
parameters { id-bliss 2 }
blissI = { parameters 1 }
blissII = { parameters 2 }
blissIII = { parameters 3 }
blissIV = { parameters 4 }
blissSigType = { id-bliss 3 }
blissWithSha512 = { blissSigType 1 }
BLISS Private Key
BlissPrivateKey ::= SEQUENCE {
    parameter OBJECT IDENTIFIER,
    public BIT STRING, -- A
    secret1 BIT STRING, -- s1
    secret2 BIT STRING -- s2
}
As parameter one of the BLISS parameters OIDs blissI .. blissIV is used.
BLISS Public Key
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm AlgorithmIdentifier,
    subjectPublicKey BIT STRING
}
AlgorithmIdentifier ::= SEQUENCE {
    algorithm OBJECT IDENTIFIER,
    parameters OBJECT IDENTIFIER
}
As algorithm the blissPublicKey OID is used and parameters indicates one of the BLISS parameter OIDs blissI .. blissIV.
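The OID arcs and the two structures above are enough to recognise BLISS keys in DER data. This added example (not strongSwan code) encodes the OIDs and classifies a blob as BlissPrivateKey or SubjectPublicKeyInfo, reporting the parameter set; the sample blobs are constructed with zero-filled BIT STRINGs and the function names are hypothetical.

```python
# Added illustration, not strongSwan code: DER encoding of the BLISS OIDs and
# classification of the two key structures defined in the ASN.1 above.
ID_BLISS = (1, 3, 6, 1, 4, 1, 36906, 5)        # id-bliss arcs from the page
BLISS_PUBLIC_KEY = ID_BLISS + (1, 1)           # keyType 1, blissPublicKey 1
PARAMETERS = {ID_BLISS + (2, i): name for i, name in
              enumerate(("blissI", "blissII", "blissIII", "blissIV"), start=1)}

def encode_oid(arcs):
    """Content octets of a DER OBJECT IDENTIFIER (base 128, high bit = more)."""
    out = bytearray()
    for value in (40 * arcs[0] + arcs[1],) + tuple(arcs[2:]):
        chunk = [value & 0x7F]
        while value > 0x7F:
            value >>= 7
            chunk.append(0x80 | (value & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(content):
    """Inverse of encode_oid(); rejects truncated and non-minimal arcs."""
    if not content or content[-1] & 0x80:
        raise ValueError("truncated OID")
    values, value = [], 0
    for byte in content:
        if value == 0 and byte == 0x80:
            raise ValueError("non-minimal OID arc")
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            values.append(value)
            value = 0
    first = min(values[0] // 40, 2)
    return (first, values[0] - 40 * first) + tuple(values[1:])

def tlv(tag, value):
    n = len(value)
    if n < 0x80:                                # short-form length
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); rejects indefinite or truncated lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, tag):
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return value, nxt

def identify_bliss(der):
    """Classify a DER blob as BlissPrivateKey or BLISS SubjectPublicKeyInfo."""
    body, end = expect(der, 0, 0x30)
    first_tag, first, pos = read_tlv(body, 0)
    if first_tag == 0x06:                       # BlissPrivateKey: parameter OID
        kind, param, fields = "private", first, ("public", "secret1", "secret2")
    elif first_tag == 0x30:                     # SubjectPublicKeyInfo
        alg, apos = expect(first, 0, 0x06)
        param, aend = expect(first, apos, 0x06)
        if decode_oid(alg) != BLISS_PUBLIC_KEY or aend != len(first):
            raise ValueError("algorithm is not blissPublicKey")
        kind, fields = "public", ("subjectPublicKey",)
    else:
        raise ValueError("unexpected first element")
    if end != len(der) or decode_oid(param) not in PARAMETERS:
        raise ValueError("trailing data or unknown BLISS parameter OID")
    info = {"kind": kind, "parameter": PARAMETERS[decode_oid(param)]}
    for name in fields:
        bits, pos = expect(body, pos, 0x03)
        if not bits or bits[0] > 7:
            raise ValueError("malformed BIT STRING")
        info[name] = len(bits) - 1              # octets after the unused-bits octet
    if pos != len(body):
        raise ValueError("trailing data in SEQUENCE")
    return info

def constructed_samples():
    """Constructed inputs with zero-filled payloads, not real key material."""
    param = lambda i: tlv(0x06, encode_oid(ID_BLISS + (2, i)))
    bits = lambda n: tlv(0x03, b"\x00" + bytes(n))
    private = tlv(0x30, param(4) + bits(200) + bits(3) + bits(3))
    alg = tlv(0x30, tlv(0x06, encode_oid(BLISS_PUBLIC_KEY)) + param(1))
    return private, tlv(0x30, alg + bits(16))

if __name__ == "__main__":
    for blob in constructed_samples():
        print(identify_bliss(blob))
```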