Add Stateful Signature (XMSS and LMS) (#1650)

Add support for LMS and XMSS. Key generation and signing are disabled behind a feature flag labelled "hazardous experimental."

---------

Signed-off-by: Duc Tri Nguyen <[email protected]>
Signed-off-by: Spencer Wilson <[email protected]>
Signed-off-by: Norman Ashley <[email protected]>
Signed-off-by: Douglas Stebila <[email protected]>
Co-authored-by: Duc Tri Nguyen <[email protected]>
Co-authored-by: Douglas Stebila <[email protected]>
Co-authored-by: Duc Nguyen <[email protected]>
Co-authored-by: Douglas Stebila <[email protected]>
Co-authored-by: Duc Nguyen <[email protected]>
Co-authored-by: Spencer Wilson <[email protected]>
Co-authored-by: Jason Goertzen <[email protected]>

.CMake/alg_support.cmake

@@ -497,6 +497,91 @@ endif()
 
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_ADD_ENABLE_BY_ALG_CONDITIONAL_END
 
+option(OQS_ENABLE_SIG_STFL_XMSS "Enable XMSS algorithm family" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha256_h10 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha256_h16 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha256_h20 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake128_h10 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake128_h16 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake128_h20 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha512_h10 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha512_h16 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_sha512_h20 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake256_h10 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake256_h16 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmss_shake256_h20 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h20_2 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h20_4 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h40_2 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h40_4 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h40_8 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h60_3 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h60_6 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_sha256_h60_12 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h20_2 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h20_4 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h40_2 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h40_4 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h40_8 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h60_3 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h60_6 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_xmssmt_shake128_h60_12 "" ON "OQS_ENABLE_SIG_STFL_XMSS" OFF)
+
+
+option(OQS_ENABLE_SIG_STFL_LMS "Enable LMS algorithm family" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w1 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w1 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w1 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w1 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h25_w1 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h25_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h25_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h25_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h5_w8_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w8_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w2_h10_w2 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w4_h10_w4 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h10_w8_h10_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w8_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w8_h10_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h15_w8_h15_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w8_h5_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w8_h10_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w8_h15_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+cmake_dependent_option(OQS_ENABLE_SIG_STFL_lms_sha256_h20_w8_h20_w8 "" ON "OQS_ENABLE_SIG_STFL_LMS" OFF)
+
+option(OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN "Enable stateful key and signature generation for research and experimentation" OFF)
+cmake_dependent_option(OQS_ALLOW_STFL_KEY_AND_SIG_GEN "" ON "OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN" OFF)
+
+if (${OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN} AND ${OQS_ENABLE_SIG_STFL_XMSS})
+    set(OQS_ALLOW_XMSS_KEY_AND_SIG_GEN ON)
+else()
+    set(OQS_ALLOW_XMSS_KEY_AND_SIG_GEN OFF)
+endif()
+
+if (${OQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN} AND ${OQS_ENABLE_SIG_STFL_LMS})
+    set(OQS_ALLOW_LMS_KEY_AND_SIG_GEN ON)
+else()
+    set(OQS_ALLOW_LMS_KEY_AND_SIG_GEN OFF)
+endif()
+
+if(OQS_ALLOW_STFL_KEY_AND_SIG_GEN  STREQUAL "ON")
+    message(STATUS "Experimental stateful key and signature generation is enabled. Ensure secret keys are securely stored to prevent multiple simultaneous sign operations.")
+endif()
+
 # Set XKCP (Keccak) required for Sphincs AVX2 code even if OpenSSL3 SHA3 is used:
 if (${OQS_ENABLE_SIG_SPHINCS} OR NOT ${OQS_USE_SHA3_OPENSSL})
     set(OQS_ENABLE_SHA3_xkcp_low ON)
@@ -509,4 +594,4 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
     else()
         set(OQS_ENABLE_SHA3_xkcp_low_avx2 OFF)
     endif()
-endif()
+endif()

.circleci/config.yml

@@ -344,6 +344,7 @@ workflows:
           <<: *require_buildcheck
           name: arm64
           PYTEST_ARGS: --numprocesses=auto --maxprocesses=10 --ignore=tests/test_kat_all.py
+          CMAKE_ARGS: -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON
 
   commit-to-main:
     when:

.github/workflows/android.yml

@@ -10,8 +10,10 @@ jobs:
       fail-fast: false
       matrix:
         abi: [armeabi-v7a, arm64-v8a, x86, x86_64]
+        stfl_opt: [ON, OFF]
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Build project
-        run: ./scripts/build-android.sh $ANDROID_NDK_HOME -a ${{ matrix.abi }}
+        run: ./scripts/build-android.sh $ANDROID_NDK_HOME -a ${{ matrix.abi }} -f "-DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }}"

.github/workflows/apple.yml

@@ -10,10 +10,13 @@ jobs:
       fail-fast: false
       matrix:
         platform: [OS64, TVOS]
+        stfl_opt: [OFF, ON]
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Generate project
-        run: cmake -B build --toolchain .CMake/apple.cmake -DOQS_USE_OPENSSL=OFF -DPLATFORM=${{ matrix.platform }} .
+        run: |
+          cmake -B build --toolchain .CMake/apple.cmake -DOQS_USE_OPENSSL=OFF -DPLATFORM=${{ matrix.platform }} \
+            -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
       - name: Build project
         run: cmake --build build

.github/workflows/unix.yml

@@ -74,15 +74,19 @@ jobs:
         include:
           - name: alpine
             container: openquantumsafe/ci-alpine-amd64:latest
-            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: alpine-no-stfl-key-sig-gen
+            container: openquantumsafe/ci-alpine-amd64:latest
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
             PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
           - name: alpine-openssl-all
             container: openquantumsafe/ci-alpine-amd64:latest
-            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=ON -DBUILD_SHARED_LIBS=ON -DOQS_USE_AES_OPENSSL=ON -DOQS_USE_SHA2_OPENSSL=ON -DOQS_USE_SHA3_OPENSSL=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
             PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
           - name: alpine-noopenssl
             container: openquantumsafe/ci-alpine-amd64:latest
-            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF
+            CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DOQS_USE_OPENSSL=OFF -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
             PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
           - name: focal-nistr4-openssl
             container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
@@ -98,7 +102,11 @@ jobs:
             PYTEST_ARGS: --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py
           - name: address-sanitizer
             container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
-            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --numprocesses=auto --maxprocesses=10
+          - name: address-sanitizer-no-stfl-key-sig-gen
+            container: openquantumsafe/ci-ubuntu-focal-x86_64:latest
+            CMAKE_ARGS: -DCMAKE_C_COMPILER=clang-9 -DCMAKE_BUILD_TYPE=Debug -DUSE_SANITIZER=Address -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
             PYTEST_ARGS: --ignore=tests/test_distbuild.py --ignore=tests/test_leaks.py --ignore=tests/test_kat_all.py --numprocesses=auto --maxprocesses=10
     container:
       image: ${{ matrix.container }}
@@ -137,7 +145,11 @@ jobs:
         include:
           - name: armhf
             ARCH: armhf
-            CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic
+            CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
+            PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
+          - name: armhf-no-stfl-key-sig-gen
+            ARCH: armhf
+            CMAKE_ARGS: -DOQS_ENABLE_SIG_SPHINCS=OFF -DOQS_USE_OPENSSL=OFF -DOQS_OPT_TARGET=generic -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=OFF -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
             PYTEST_ARGS: --ignore=tests/test_alg_info.py --ignore=tests/test_kat_all.py
           # no longer supporting armel
           # - name: armel
@@ -203,6 +215,7 @@ jobs:
           - macos-13
           - macos-14
         CMAKE_ARGS:
+          - -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_ENABLE_SIG_STFL_LMS=ON
           - -DCMAKE_C_COMPILER=gcc-13
           - -DOQS_USE_OPENSSL=OFF
           - -DBUILD_SHARED_LIBS=ON -DOQS_DIST_BUILD=OFF

.github/workflows/windows.yml

@@ -6,10 +6,13 @@ jobs:
 
   windows-arm64:
     runs-on: windows-2022
+    strategy:
+      matrix:
+        stfl_opt: [ON, OFF]
     steps:
       - uses: actions/checkout@v3
       - name: Generate Project
-        run: cmake -B build --toolchain .CMake/toolchain_windows_arm64.cmake .
+        run: cmake -B build --toolchain .CMake/toolchain_windows_arm64.cmake -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
       - name: Build Project
         run: cmake --build build
 
@@ -19,10 +22,11 @@ jobs:
       fail-fast: false
       matrix:
         toolchain: [.CMake/toolchain_windows_x86.cmake, .CMake/toolchain_windows_amd64.cmake]
+        stfl_opt: [ON, OFF]
     steps:
       - uses: actions/checkout@v3
       - name: Generate Project
-        run: cmake -B build --toolchain ${{ matrix.toolchain }} .
+        run: cmake -B build --toolchain ${{ matrix.toolchain }} -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_SIG_STFL_KEY_SIG_GEN=${{ matrix.stfl_opt }} .
       - name: Build Project
         run: cmake --build build
       - name: Test dependencies

.travis.yml

@@ -9,13 +9,13 @@ jobs:
       compiler: gcc
       if: NOT branch =~ /^ghactionsonly-/
       script:
-        - mkdir build && cd build && cmake -GNinja .. && cmake -LA .. && ninja
+        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA .. && ninja
         - cd build & ninja run_tests
     - arch: s390x
       os: linux
       dist: focal
       compiler: gcc
       if: NOT branch =~ /^ghactionsonly-/
       script:
-        - mkdir build && cd build && cmake -GNinja .. && cmake -LA .. && ninja
+        - mkdir build && cd build && cmake -GNinja -DOQS_ENABLE_SIG_STFL_LMS=ON -DOQS_ENABLE_SIG_STFL_XMSS=ON -DOQS_HAZARDOUS_EXPERIMENTAL_ENABLE_STFL_SIG_KEY_SIG_GEN=ON .. && cmake -LA .. && ninja
         - cd build & ninja run_tests

CMakeLists.txt

@@ -153,7 +153,8 @@ set(PUBLIC_HEADERS ${PROJECT_SOURCE_DIR}/src/oqs.h
                    ${PROJECT_SOURCE_DIR}/src/common/common.h
                    ${PROJECT_SOURCE_DIR}/src/common/rand/rand.h
                    ${PROJECT_SOURCE_DIR}/src/kem/kem.h
-                   ${PROJECT_SOURCE_DIR}/src/sig/sig.h)
+                   ${PROJECT_SOURCE_DIR}/src/sig/sig.h
+                   ${PROJECT_SOURCE_DIR}/src/sig_stfl/sig_stfl.h)
 
 set(INTERNAL_HEADERS ${PROJECT_SOURCE_DIR}/src/common/aes/aes.h
                      ${PROJECT_SOURCE_DIR}/src/common/rand/rand_nist.h
@@ -196,6 +197,12 @@ if(OQS_ENABLE_SIG_SPHINCS)
     set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/sphincs/sig_sphincs.h)
 endif()
 ##### OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_HEADERS_END
+if(OQS_ENABLE_SIG_STFL_XMSS)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig_stfl/xmss/sig_stfl_xmss.h)
+endif()
+if(OQS_ENABLE_SIG_STFL_LMS)
+    set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig_stfl/lms/sig_stfl_lms.h)
+endif()
 execute_process(COMMAND ${CMAKE_COMMAND} -E make_directory ${PROJECT_BINARY_DIR}/include/oqs)
 execute_process(COMMAND ${CMAKE_COMMAND} -E copy ${PUBLIC_HEADERS} ${PROJECT_BINARY_DIR}/include/oqs)
 execute_process(COMMAND ${CMAKE_COMMAND} -E copy ${INTERNAL_HEADERS} ${PROJECT_BINARY_DIR}/include/oqs)