[Cryptech Core] hash-based signatures

Paul Selkirk paul at psgd.org
Tue Feb 27 17:17:43 UTC 2018


I'll send a fuller message to tech@ during/after the face-to-face, but
for now I just want to update the core team.

Executive summary: I've been working on a clean-room implementation of
hash-based signatures, as specified in draft-mcgrew-hash-sigs-08. It
works (generates keys, signs, and verifies) to the extent it's been
tested, which is not much.

More precisely, it verifies the test case in the draft, and it verifies
the signatures that it generates. I haven't yet done any interop testing
with the McGrew/Cisco reference code. (I honestly haven't even looked at
it yet.)

The biggest missing piece is restart - rebuilding the tree structure
from stored keys on reboot. A tree of height 10 has 1024 one-time
signing keys in the flash ("token") keystore. There's a bit of hashing
involved in rebuilding the tree structure and generating the public key
for the tree. A hierarchical signing scheme will also have one or more
lower-level trees in the volatile keystore, which will need to be
regenerated in full. This is time-intensive enough that I'll want to
spin up a task to do it in the background, rather than do it all in the
HSM startup code.

A smaller bit of unfinished business is that currently the pkcs8
encoding for the keystore uses Russ's OID from
draft-housley-cms-mts-hash-sig. This is an abuse, but it's a
place-holder until we get a proper OID allocated.

I've tested generating keys with different parameter settings, to see
the time-space trade-offs (smaller keys and signatures mean more
hashing, so slower keygen, signing, and verification). However, larger
signature sizes seem to crash the muxd, but I didn't have time to
investigate before I had to leave.

Finally, I just noticed that the draft was revved on Friday, but I
haven't had a chance to see what's changed.

				paul
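The restart problem above, as an added illustration that is not part of Paul's code or the Cryptech tree: rebuilding an LMS-style Merkle tree of height h from the 2^h stored one-time public key hashes costs 2^(h+1)-1 hash compressions, and the verifier only needs one leaf plus its authentication path. The domain separators and node formulas follow draft-mcgrew-hash-sigs-08 as I read it, with SHA-256; the tree identifier and leaf values are constructed sample data.

```python
import hashlib
import struct

# Leaf and interior-node domain separators as given in draft-mcgrew-hash-sigs-08
# (assumed here; check against the draft revision actually implemented).
D_LEAF = 0x8282
D_INTR = 0x8383

def lms_tree(I, ots_pub_hashes):
    """Rebuild every node T[1..2n-1] from the n = 2^h stored OTS public key
    hashes. T[1] is the root, the value a restart has to regenerate."""
    n = len(ots_pub_hashes)
    if n < 2 or n & (n - 1):
        raise ValueError("leaf count must be a power of two")
    T = [None] * (2 * n)
    for i, k in enumerate(ots_pub_hashes):            # leaves: r = 2^h + q
        r = n + i
        T[r] = hashlib.sha256(I + struct.pack(">IH", r, D_LEAF) + k).digest()
    for r in range(n - 1, 0, -1):                      # interior nodes, bottom up
        T[r] = hashlib.sha256(I + struct.pack(">IH", r, D_INTR) + T[2 * r] + T[2 * r + 1]).digest()
    return T

def auth_path(T, q):
    """Sibling nodes from leaf q up to (not including) the root; shipped in each signature."""
    n = len(T) // 2
    r, path = n + q, []
    while r > 1:
        path.append(T[r ^ 1])
        r //= 2
    return path

def root_from_path(I, h, q, ots_pub_hash, path):
    """Verifier side: recompute the root from one leaf and its authentication path."""
    r = (1 << h) + q
    node = hashlib.sha256(I + struct.pack(">IH", r, D_LEAF) + ots_pub_hash).digest()
    for sib in path:
        left, right = (sib, node) if r & 1 else (node, sib)   # odd index = right child
        r //= 2
        node = hashlib.sha256(I + struct.pack(">IH", r, D_INTR) + left + right).digest()
    return node

# Constructed sample data: a 16-byte tree identifier and 2^10 fake OTS public key hashes.
H = 10
I_SAMPLE = bytes(range(16))
LEAVES = [hashlib.sha256(b"constructed-ots-pub-%d" % q).digest() for q in range(1 << H)]

def rebuild_demo():
    T = lms_tree(I_SAMPLE, LEAVES)
    hashes_done = len(T) - 1                 # 2^(h+1) - 1 compressions for a full rebuild
    return T[1], hashes_done, auth_path(T, 5)
```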


