{"id":18894120,"url":"https://github.com/trailofbits/lms-go","last_synced_at":"2025-07-11T07:41:47.800Z","repository":{"id":220008899,"uuid":"750517737","full_name":"trailofbits/lms-go","owner":"trailofbits","description":"Leighton-Micali Hash-Based Signatures, for Go","archived":false,"fork":false,"pushed_at":"2025-02-18T22:05:03.000Z","size":122,"stargazers_count":7,"open_issues_count":5,"forks_count":2,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-04-22T01:09:02.389Z","etag":null,"topics":["cryptography","golang","hash-based-signatures"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-01-30T19:39:27.000Z","updated_at":"2025-04-04T04:44:48.000Z","dependencies_parsed_at":"2024-04-01T15:27:26.135Z","dependency_job_id":"9ae12f88-f2ee-4d88-96e6-d3081c256c8f","html_url":"https://github.com/trailofbits/lms-go","commit_stats":null,"previous_names":["trailofbits/lms-go"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/trailofbits/lms-go","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Flms-go","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Flms-go/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Flms-go/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Flms-go/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"https://codeload.github.com/trailofbits/lms-go/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Flms-go/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264757252,"owners_count":23659314,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","golang","hash-based-signatures"],"created_at":"2024-11-08T08:18:08.189Z","updated_at":"2025-07-11T07:41:47.783Z","avatar_url":"https://github.com/trailofbits.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Leighton-Micali Hash-Based Signatures\n\nThis repository contains implementations of [Leighton-Micali Hash-Based\nSignatures (RFC 8554)](https://datatracker.ietf.org/doc/html/rfc8554).\n\n## Security Notice\n\nLMS signatures are stateful: Users must take care to never sign more than one\nmessage with the same internal LM-OTS private key. To avoid catastrophe, state\nmust be maintained across multiple invocations of the signing algorithm.\n\nWhen using our LMS implementations, the internal counter (`q`) will be\nincremented before each signature is returned.\n\nIf the LMS private key is persisted to storage, you **MUST** update the\npersistent storage after each signature is generated and before it is released\nto the rest of the application. Failure to adhere to this requirement is a\nsecurity vulnerability in your application.\n\nFor a stateless hash-based signature algorithm, see\n[SPHINCS+](https://sphincs.org).\n\nNOTE: this project has not been externally audited, but the entire codebase \nwas internally reviewed by cryptographers at Trail of Bits.\n\n## Installation\n\n```\ngo get https://github.com/trailofbits/lms-go\n```\n\n## Usage\n\n```go\nseckey, err := lms.NewPrivateKey(common.LMS_SHA256_M32_H10, common.LMOTS_SHA256_N32_W4)\npubkey, err := seckey.Public()\n// The optional nil argument can be a user-chosen RNG\nsig, err   := seckey.Sign([]byte(\"example\"), nil)\nsig_valid  := pubkey.Verify([]byte(\"example\"), sig)\n```\n\n### Key Management\n\nWe do not require much from the user in terms of key management. Any internal\nstate changing operation uses a call by pointer to update the internal state.\nWhen persisting private keys to long term storage, users must be very careful\nthat **the same private key is never read from disk twice**. This would create\ntwo private keys in the same state and thus when they are both used to sign a\nmessage, the LMOTS private keys will have been reused, which is considered **not\ngood**.\n\n## License\n\nThis codebase is licensed under the [3-Clause BSD License](https://opensource.org/license/bsd-3-clause/).\n\n## Contribution\n\nIf you are interesting in contributing to this codebase, please see [CONTRIBUTING.md](/CONTRIBUTING.md) for more information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Flms-go","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Flms-go","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Flms-go/lists"}