From 0771bc42d6f2d7cd25c62e0a7653414d8ced9263 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Mon, 10 Nov 2025 15:13:06 -0500 Subject: [PATCH] Deprecate LMS and XMSS integrations. --- INSTALL | 106 ++------------------------------------------------------ 1 file changed, 3 insertions(+), 103 deletions(-) diff --git a/INSTALL b/INSTALL index ca9df34eb..a0f649a56 100644 --- a/INSTALL +++ b/INSTALL @@ -295,63 +295,7 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl. 17. Building with hash-sigs lib for LMS/HSS support [EXPERIMENTAL] - Using LMS/HSS requires that the hash-sigs lib has been built on - your system. We support hash-sigs lib at this git commit: - b0631b8891295bf2929e68761205337b7c031726 - At the time of writing this, this is the HEAD of the master - branch of the hash-sigs project. - - Currently the hash-sigs project only builds static libraries: - - hss_verify.a: a single-threaded verify-only static lib. - - hss_lib.a: a single-threaded static lib. - - hss_lib_thread.a: a multi-threaded static lib. - - The multi-threaded version will mainly have speedups for key - generation and signing. - - The default LMS build (--enable-lms) will look for - hss_lib.a first, and hss_lib_thread.a second, in a specified - hash-sigs dir. - - The LMS verify-only build (--enable-lms=verify-only) will look - for hss_verify.a only, which is a slimmer library that includes - only the minimal functions necessary for signature verification. - - How to get and build the hash-sigs library: - $ mkdir ~/hash_sigs - $ cd ~/hash_sigs - $ git clone https://github.com/cisco/hash-sigs.git src - $ cd src - $ git checkout b0631b8891295bf2929e68761205337b7c031726 - - In sha256.h, set USE_OPENSSL to 0: - #define USE_OPENSSL 0 - - To build the single-threaded version: - $ make hss_lib.a - $ ls *.a - hss_lib.a - - To build multi-threaded: - $ make hss_lib_thread.a - $ ls *.a - hss_lib_thread.a - - To build verify-only: - $ make hss_verify.a - $ ls *.a - hss_verify.a - - Build wolfSSL with - $ ./configure \ - --enable-static \ - --disable-shared \ - --enable-lms \ - --with-liblms= - $ make - - Run the benchmark against LMS/HSS with: - $ ./wolfcrypt/benchmark/benchmark -lms_hss + Deprecated. wolfSSL now has its own LMS/HSS implementation in wolfCrypt. 18. Building for Debian, Ubuntu, Linux Mint, and derivatives @@ -373,49 +317,5 @@ We also have vcpkg ports for wolftpm, wolfmqtt and curl. 20. Building with xmss-reference lib for XMSS/XMSS^MT support [EXPERIMENTAL] - Experimental support for XMSS/XMSS^MT has been achieved by integration - with the xmss-reference implementation from RFC 8391 (XMSS: eXtended - Merkle Signature Scheme). We support a patched version of xmss-reference - based on this git commit: - 171ccbd26f098542a67eb5d2b128281c80bd71a6 - At the time of writing this, this is the HEAD of the master branch of - the xmss-reference project. - - How to get the xmss-reference library: - $ mkdir ~/xmss - $ cd ~/xmss - $ git clone https://github.com/XMSS/xmss-reference.git src - $ cd src - $ git checkout 171ccbd26f098542a67eb5d2b128281c80bd71a6 - $ git apply - - The patch may be found in the wolfssl-examples repo here: - pq/stateful_hash_sig/0001-Patch-to-support-wolfSSL-xmss-reference-integration.patch - - To build patched xmss-reference: - $ make xmss_lib.a - - To build verify-only patched xmss-reference: - $ make xmss_verify_lib.a - - Note that this patch changes xmss-reference to use wolfCrypt SHA256 hashing, - by registering a SHA callback function in xmss-reference. It - thus benefits from all the same asm speedups as wolfCrypt SHA hashing. - Depending on architecture you may build with --enable-intelasm, or - --enable-armasm, and see 30-40% speedups in XMSS/XMSS^MT. - - For full keygen, signing, verifying, and benchmarking support, build - wolfSSL with: - $ ./configure \ - --enable-xmss \ - --with-libxmss= - $ make - - Run the benchmark against XMSS/XMSS^MT with: - $ ./wolfcrypt/benchmark/benchmark -xmss_xmssmt - - For a leaner xmss verify-only build, build with - $ ./configure \ - --enable-xmss=verify-only \ - --with-libxmss= - $ make + Deprecated. wolfSSL now has its own XMMS/XMSS^MT implementation in + wolfCrypt.