

  1. #include <stdlib.h>
  2. #include <string.h>
  3. #include <stdint.h>
  4. #include "hash.h"
  5. #include "hash_address.h"
  6. #include "params.h"
  7. #include "randombytes.h"
  8. #include "wots.h"
  9. #include "xmss_commons.h"
  10. #include "xmss_core_fast.h"
/**
 * Initialize BDS state struct
 * parameter names are the same as used in the description of the BDS traversal
 *
 * Only records the caller-provided buffers and counters in `state`; nothing
 * is allocated or copied, so every buffer has to outlive the state object.
 * No sizes are passed in, so no bounds can be checked here.
 */
void xmss_set_bds_state(bds_state *state, unsigned char *stack,
                        int stackoffset, unsigned char *stacklevels,
                        unsigned char *auth, unsigned char *keep,
                        treehash_inst *treehash, unsigned char *retain,
                        int next_leaf)
{
    // Borrowed buffers.
    state->stack = stack;
    state->stacklevels = stacklevels;
    state->auth = auth;
    state->keep = keep;
    state->retain = retain;
    state->treehash = treehash;

    // Traversal counters.
    state->stackoffset = stackoffset;
    state->next_leaf = next_leaf;
}
/*
 * Lowest tree level among the nodes that `treehash` currently keeps on the
 * shared stack, i.e. the top `treehash->stackusage` entries of
 * state->stacklevels. Returns params->tree_height when the instance has no
 * node on the stack.
 */
static int treehash_minheight_on_stack(const xmss_params *params,
                                       bds_state *state,
                                       const treehash_inst *treehash)
{
    unsigned int lowest = params->tree_height;
    unsigned int depth;

    // Walk downwards from the top of the stack through this instance's share.
    for (depth = 1; depth <= treehash->stackusage; depth++) {
        unsigned int level = state->stacklevels[state->stackoffset - depth];
        if (level < lowest) {
            lowest = level;
        }
    }
    return lowest;
}
/**
 * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.
 * Currently only used for key generation.
 *
 * Computes the root of the subtree of height `height` whose leftmost leaf is
 * `index` and writes it (n bytes) to `node`. While doing so it initialises
 * the BDS traversal state of that subtree for later use by bds_round:
 *  - state->auth:     the authentication path of leaf 0 (one node per level);
 *  - state->treehash: instances 0..tree_height-bds_k-1, marked completed, with
 *                     .node set to node 3 of their level (the first right node
 *                     each instance will have to deliver);
 *  - state->retain:   the right nodes of the top bds_k levels, kept for good.
 * sk_seed / pub_seed are only forwarded to the leaf and node hash functions.
 * The sizes of the state buffers are the caller's responsibility; nothing is
 * bounds-checked here.
 */
static void treehash_init(const xmss_params *params,
                          unsigned char *node, int height, int index,
                          bds_state *state, const unsigned char *sk_seed,
                          const unsigned char *pub_seed, const uint32_t addr[8])
{
    unsigned int idx = index;
    // use three different addresses because at this point we use all three formats in parallel
    uint32_t ots_addr[8];
    uint32_t ltree_addr[8];
    uint32_t node_addr[8];
    // only copy layer and tree address parts
    memcpy(ots_addr, addr, 12);
    // type = ots
    set_type(ots_addr, 0);
    memcpy(ltree_addr, addr, 12);
    set_type(ltree_addr, 1);
    memcpy(node_addr, addr, 12);
    set_type(node_addr, 2);

    uint32_t lastnode, i;
    // Local treehash stack: at most height+1 nodes of n bytes are live at
    // once; stacklevels tracks the level of each node on it.
    unsigned char stack[(height+1)*params->n];
    unsigned int stacklevels[height+1];
    unsigned int stackoffset=0;
    unsigned int nodeh;
    lastnode = idx+(1<<height);

    // Every treehash instance starts out completed with an empty share of the
    // stack; its .node is filled in by the leaf loop below.
    for (i = 0; i < params->tree_height-params->bds_k; i++) {
        state->treehash[i].h = i;
        state->treehash[i].completed = 1;
        state->treehash[i].stackusage = 0;
    }

    // i counts leaves relative to the start of this subtree; idx is the
    // absolute leaf index used in the hash addresses.
    i = 0;
    for (; idx < lastnode; idx++) {
        set_ltree_addr(ltree_addr, idx);
        set_ots_addr(ots_addr, idx);
        // Push the next leaf (level 0) onto the stack.
        gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);
        stacklevels[stackoffset] = 0;
        stackoffset++;
        // NOTE(review): stackoffset has already been incremented, so this copies
        // the slot *above* the leaf just pushed (bytes never written so far;
        // past the local stack when height == 2). The same treehash[0].node is
        // assigned again, from the right slot, by the `i >> nodeh == 3` branch
        // below with nodeh == 0, so the result is unaffected — confirm whether
        // this early copy is still needed.
        if (params->tree_height - params->bds_k > 0 && i == 3) {
            memcpy(state->treehash[0].node, stack+stackoffset*params->n, params->n);
        }
        // Reduce: while the two top nodes are on the same level, hash them
        // into their parent. Before each reduction the right child (top of
        // stack) is recorded wherever the BDS state will need it later.
        while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {
            nodeh = stacklevels[stackoffset-1];
            if (i >> nodeh == 1) {
                // Node 1 on level nodeh: the auth node of leaf 0 on that level.
                memcpy(state->auth + nodeh*params->n, stack+(stackoffset-1)*params->n, params->n);
            }
            else {
                if (nodeh < params->tree_height - params->bds_k && i >> nodeh == 3) {
                    // Node 3 on a treehash level: the first node that instance must produce.
                    memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*params->n, params->n);
                }
                else if (nodeh >= params->tree_height - params->bds_k) {
                    // Top bds_k levels: keep every further right node (3, 5, 7, ...)
                    // in the retain buffer, laid out level by level from the top
                    // (same offset formula as in bds_round).
                    memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((i >> nodeh) - 3) >> 1)) * params->n, stack+(stackoffset-1)*params->n, params->n);
                }
            }
            // Parent = hash_h(left, right), written in place over the left child.
            set_tree_height(node_addr, stacklevels[stackoffset-1]);
            set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));
            hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);
            stacklevels[stackoffset-2]++;
            stackoffset--;
        }
        i++;
    }
    // After 2^height leaves the stack has collapsed to the subtree root.
    for (i = 0; i < params->n; i++) {
        node[i] = stack[i];
    }
}
/*
 * One step of a treehash instance (driven by bds_treehash_update): generates
 * leaf `treehash->next_idx` and merges it upwards with the nodes this instance
 * has on the shared state->stack, for as long as the stack top sits on the
 * same level as the node being built. If the node reaches the instance's
 * target height `treehash->h` it is stored in treehash->node and the instance
 * is marked completed (next_idx is not advanced in that case); otherwise the
 * partial node is pushed onto the stack and next_idx moves on.
 * addr only needs its layer and tree fields set.
 */
static void treehash_update(const xmss_params *params,
                            treehash_inst *treehash, bds_state *state,
                            const unsigned char *sk_seed,
                            const unsigned char *pub_seed,
                            const uint32_t addr[8])
{
    uint32_t ots_addr[8];
    uint32_t ltree_addr[8];
    uint32_t node_addr[8];
    // only copy layer and tree address parts
    memcpy(ots_addr, addr, 12);
    // type = ots
    set_type(ots_addr, 0);
    memcpy(ltree_addr, addr, 12);
    set_type(ltree_addr, 1);
    memcpy(node_addr, addr, 12);
    set_type(node_addr, 2);

    set_ltree_addr(ltree_addr, treehash->next_idx);
    set_ots_addr(ots_addr, treehash->next_idx);

    // nodebuffer is the 2n-byte input of hash_h: the node popped from the
    // stack goes into the first half, the node built so far into the second.
    unsigned char nodebuffer[2 * params->n];
    unsigned int nodeheight = 0;
    gen_leaf_wots(params, nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);
    while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {
        // shift the current node to the second half, pull the stack top into the first
        memcpy(nodebuffer + params->n, nodebuffer, params->n);
        memcpy(nodebuffer, state->stack + (state->stackoffset-1)*params->n, params->n);
        set_tree_height(node_addr, nodeheight);
        set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));
        hash_h(params, nodebuffer, nodebuffer, pub_seed, node_addr);
        nodeheight++;
        treehash->stackusage--;
        state->stackoffset--;
    }
    if (nodeheight == treehash->h) { // this also implies stackusage == 0
        memcpy(treehash->node, nodebuffer, params->n);
        treehash->completed = 1;
    }
    else {
        // push the partial node, remember its level, and continue with the next leaf
        memcpy(state->stack + state->stackoffset*params->n, nodebuffer, params->n);
        treehash->stackusage++;
        state->stacklevels[state->stackoffset] = nodeheight;
        state->stackoffset++;
        treehash->next_idx++;
    }
}
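/**
 * Performs up to `updates` treehash updates, each on the instance that needs
 * it the most. Selection per update: among the instances that are not
 * completed, take the one whose lowest node on the shared stack (or its own
 * height, if it has nothing on the stack) is smallest; ties go to the lower
 * instance index. Stops early once every instance is completed.
 *
 * Returns the number of updates left unused (0 when all were spent). The
 * previous comment claimed "1 if no instance was found"; xmssmt_core_sign
 * feeds the return value back in as the remaining budget, which is the
 * semantics implemented here. The value is narrowed to char on return, which
 * is harmless for the small budgets ((tree_height - bds_k) / 2) in use.
 *
 * pub_seed is only read and is now declared const, as in the other helpers.
 */
static char bds_treehash_update(const xmss_params *params,
                                bds_state *state, unsigned int updates,
                                const unsigned char *sk_seed,
                                const unsigned char *pub_seed,
                                const uint32_t addr[8])
{
    uint32_t i, j;
    unsigned int level, l_min, low;
    unsigned int used = 0;
    const unsigned int n_inst = params->tree_height - params->bds_k;

    for (j = 0; j < updates; j++) {
        // Pick the instance with the smallest `low`; level == n_inst afterwards
        // means no instance is pending.
        l_min = params->tree_height;
        level = n_inst;
        for (i = 0; i < n_inst; i++) {
            if (state->treehash[i].completed) {
                low = params->tree_height;   /* never selected */
            }
            else if (state->treehash[i].stackusage == 0) {
                low = i;                     /* instance height doubles as its priority */
            }
            else {
                low = treehash_minheight_on_stack(params, state, &(state->treehash[i]));
            }
            if (low < l_min) {
                level = i;
                l_min = low;
            }
        }
        if (level == n_inst) {
            break;
        }
        treehash_update(params, &(state->treehash[level]), state, sk_seed, pub_seed, addr);
        used++;
    }
    return updates - used;
}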
/**
 * Updates the state (typically NEXT_i) by adding a leaf and updating the stack
 * Returns 1 if all leaf nodes have already been processed
 *
 * Incremental counterpart of treehash_init: one call generates leaf
 * state->next_leaf of the tree addressed by addr, pushes it on state->stack
 * and reduces the stack as far as possible, recording auth / treehash / retain
 * nodes exactly the way treehash_init does. After 2^tree_height calls the
 * stack holds just the tree root (first n bytes of state->stack) and
 * state->auth the auth path of leaf 0; further calls return 1 and touch
 * nothing. Returns 0 after a leaf was processed.
 **/
static char bds_state_update(const xmss_params *params,
                             bds_state *state, const unsigned char *sk_seed,
                             const unsigned char *pub_seed,
                             const uint32_t addr[8])
{
    uint32_t ltree_addr[8];
    uint32_t node_addr[8];
    uint32_t ots_addr[8];
    unsigned int nodeh;
    int idx = state->next_leaf;
    if (idx == 1 << params->tree_height) {
        return 1;
    }
    // only copy layer and tree address parts
    memcpy(ots_addr, addr, 12);
    // type = ots
    set_type(ots_addr, 0);
    memcpy(ltree_addr, addr, 12);
    set_type(ltree_addr, 1);
    memcpy(node_addr, addr, 12);
    set_type(node_addr, 2);

    set_ots_addr(ots_addr, idx);
    set_ltree_addr(ltree_addr, idx);

    // Push leaf idx (level 0) onto the shared stack.
    gen_leaf_wots(params, state->stack+state->stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);
    state->stacklevels[state->stackoffset] = 0;
    state->stackoffset++;
    // NOTE(review): as in treehash_init, stackoffset was already incremented,
    // so this reads the slot above the leaf just pushed. treehash[0].node is
    // reassigned from the correct slot in the loop below (idx >> 0 == 3), so
    // the outcome is unaffected — confirm whether this copy is still needed.
    if (params->tree_height - params->bds_k > 0 && idx == 3) {
        memcpy(state->treehash[0].node, state->stack+state->stackoffset*params->n, params->n);
    }
    // Reduce while the two top nodes are on the same level, recording the
    // right child for the BDS state first (auth node 1, treehash node 3, or
    // the retain buffer for the top bds_k levels).
    while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {
        nodeh = state->stacklevels[state->stackoffset-1];
        if (idx >> nodeh == 1) {
            memcpy(state->auth + nodeh*params->n, state->stack+(state->stackoffset-1)*params->n, params->n);
        }
        else {
            if (nodeh < params->tree_height - params->bds_k && idx >> nodeh == 3) {
                memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*params->n, params->n);
            }
            else if (nodeh >= params->tree_height - params->bds_k) {
                memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((idx >> nodeh) - 3) >> 1)) * params->n, state->stack+(state->stackoffset-1)*params->n, params->n);
            }
        }
        // Parent = hash_h(left, right), written in place over the left child.
        set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);
        set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));
        hash_h(params, state->stack+(state->stackoffset-2)*params->n, state->stack+(state->stackoffset-2)*params->n, pub_seed, node_addr);
        state->stacklevels[state->stackoffset-2]++;
        state->stackoffset--;
    }
    state->next_leaf++;
    return 0;
}
/**
 * Returns the auth path for node leaf_idx and computes the auth path for the
 * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo
 * in "Post Quantum Cryptography", Springer 2009.
 *
 * On entry state->auth holds the authentication path of leaf_idx; on exit it
 * holds the one of leaf_idx + 1. tau is the position of the lowest zero bit
 * of leaf_idx: levels below tau are replaced, level tau gets a newly hashed
 * node, levels above tau are unchanged. addr only needs its layer and tree
 * fields set.
 *
 * Precondition (enforced by the callers in this file, not here): leaf_idx is
 * not the last leaf of the tree. For an all-ones leaf_idx tau would stay at
 * tree_height and the write to state->auth + tau*n below would land past the
 * tree_height*n bytes the callers copy out of state->auth.
 */
static void bds_round(const xmss_params *params,
                      bds_state *state, const unsigned long leaf_idx,
                      const unsigned char *sk_seed,
                      const unsigned char *pub_seed, uint32_t addr[8])
{
    unsigned int i;
    unsigned int tau = params->tree_height;
    unsigned int startidx;
    unsigned int offset, rowidx;
    unsigned char buf[2 * params->n];
    uint32_t ots_addr[8];
    uint32_t ltree_addr[8];
    uint32_t node_addr[8];
    // only copy layer and tree address parts
    memcpy(ots_addr, addr, 12);
    // type = ots
    set_type(ots_addr, 0);
    memcpy(ltree_addr, addr, 12);
    set_type(ltree_addr, 1);
    memcpy(node_addr, addr, 12);
    set_type(node_addr, 2);

    // tau = index of the lowest zero bit of leaf_idx (stays tree_height if none)
    for (i = 0; i < params->tree_height; i++) {
        if (! ((leaf_idx >> i) & 1)) {
            tau = i;
            break;
        }
    }
    if (tau > 0) {
        // Input for the new auth node on level tau: the current auth node of
        // level tau-1, followed by the node stashed in keep for that level.
        memcpy(buf, state->auth + (tau-1) * params->n, params->n);
        // we need to do this before refreshing state->keep to prevent overwriting
        memcpy(buf + params->n, state->keep + ((tau-1) >> 1) * params->n, params->n);
    }
    // If the path node on level tau+1 is a left child (bit tau+1 clear), the
    // current auth node of level tau is needed again in a later round (as the
    // second half of buf above), so stash it in keep slot tau/2.
    if (!((leaf_idx >> (tau + 1)) & 1) && (tau < params->tree_height - 1)) {
        memcpy(state->keep + (tau >> 1)*params->n, state->auth + tau*params->n, params->n);
    }
    if (tau == 0) {
        // leaf_idx is even: the next leaf's auth node on level 0 is leaf_idx itself.
        set_ltree_addr(ltree_addr, leaf_idx);
        set_ots_addr(ots_addr, leaf_idx);
        gen_leaf_wots(params, state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);
    }
    else {
        // New auth node on level tau = hash_h(buf).
        set_tree_height(node_addr, (tau-1));
        set_tree_index(node_addr, leaf_idx >> tau);
        hash_h(params, state->auth + tau * params->n, buf, pub_seed, node_addr);
        // Levels below tau: take the right nodes prepared by the treehash
        // instances, or, for the top bds_k levels, from the retain buffer.
        for (i = 0; i < tau; i++) {
            if (i < params->tree_height - params->bds_k) {
                memcpy(state->auth + i * params->n, state->treehash[i].node, params->n);
            }
            else {
                // retain is laid out level by level from the top (offset);
                // rowidx selects the node for the next leaf's path on level i.
                offset = (1 << (params->tree_height - 1 - i)) + i - params->tree_height;
                rowidx = ((leaf_idx >> i) - 1) >> 1;
                memcpy(state->auth + i * params->n, state->retain + (offset + rowidx) * params->n, params->n);
            }
        }
        // Restart the treehash instances of the levels just consumed so they
        // start computing the following right node (leaf leaf_idx+1+3*2^i),
        // provided that node still lies inside the tree.
        for (i = 0; i < ((tau < params->tree_height - params->bds_k) ? tau : (params->tree_height - params->bds_k)); i++) {
            startidx = leaf_idx + 1 + 3 * (1 << i);
            if (startidx < 1U << params->tree_height) {
                state->treehash[i].h = i;
                state->treehash[i].next_idx = startidx;
                state->treehash[i].completed = 0;
                state->treehash[i].stackusage = 0;
            }
        }
    }
}
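/*
 * Generates a XMSS key pair for a given parameter set.
 * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
 * Format pk: [root || PUB_SEED] omitting algo oid.
 *
 * Also initialises `state`, the BDS traversal state for leaf 0, as a side
 * effect of treehash_init computing the root. pk is used as scratch for the
 * root first and ends up as [root || PUB_SEED]. Always returns 0.
 */
int xmss_core_keypair(const xmss_params *params,
                      unsigned char *pk, unsigned char *sk, bds_state *state)
{
    uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

    // Set idx = 0. Every other sk offset below is derived from
    // params->index_bytes, so zero that many bytes instead of a fixed four
    // (identical for the 4-byte XMSS index; matches xmssmt_core_keypair).
    memset(sk, 0, params->index_bytes);
    // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)
    randombytes(sk + params->index_bytes, 3*params->n);
    // Copy PUB_SEED to public key
    memcpy(pk + params->n, sk + params->index_bytes + 2*params->n, params->n);
    // Compute root (into pk) together with the initial BDS state
    treehash_init(params, pk, params->tree_height, 0, state, sk + params->index_bytes, sk + params->index_bytes + 2*params->n, addr);
    // Copy root to sk
    memcpy(sk + params->index_bytes + 3*params->n, pk, params->n);
    return 0;
}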
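/**
 * Signs a message.
 * Returns
 *  1. an array containing the signature followed by the message AND
 *  2. an updated secret key!
 *
 * sm receives idx (4 bytes, big-endian) || R || WOTS signature ||
 * tree_height auth nodes || m, and *smlen the total length. The leaf index in
 * sk is incremented before the signature is computed, so that a crash in the
 * middle of signing cannot lead to the same OTS key being used twice; callers
 * are expected to persist sk afterwards (see the inline comment).
 *
 * Returns 0 on success. Returns -2, leaving sk untouched and *smlen == 0,
 * when idx has reached 2^tree_height, i.e. every OTS key of this key pair has
 * been used: continuing would address a leaf outside the tree and emit the
 * stale auth path, yielding an unverifiable signature while still advancing
 * the index.
 */
int xmss_core_sign(const xmss_params *params,
                   unsigned char *sk, bds_state *state,
                   unsigned char *sm, unsigned long long *smlen,
                   const unsigned char *m, unsigned long long mlen)
{
    // Extract SK: 4-byte big-endian leaf index
    unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

    // Key exhausted: refuse rather than sign with a leaf that is not in the tree.
    if (idx >= (1ULL << params->tree_height)) {
        *smlen = 0;
        return -2;
    }

    unsigned char sk_seed[params->n];
    memcpy(sk_seed, sk + params->index_bytes, params->n);
    unsigned char sk_prf[params->n];
    memcpy(sk_prf, sk + params->index_bytes + params->n, params->n);
    unsigned char pub_seed[params->n];
    memcpy(pub_seed, sk + params->index_bytes + 2*params->n, params->n);

    // index as 32 bytes string (PRF input for R)
    unsigned char idx_bytes_32[32];
    ull_to_bytes(idx_bytes_32, 32, idx);

    unsigned char hash_key[3*params->n];

    // Update SK: store idx + 1 before the OTS key for idx is used
    sk[0] = ((idx + 1) >> 24) & 255;
    sk[1] = ((idx + 1) >> 16) & 255;
    sk[2] = ((idx + 1) >> 8) & 255;
    sk[3] = (idx + 1) & 255;
    // Secret key for this non-forward-secure version is now updated.
    // A production implementation should consider using a file handle instead,
    // and write the updated secret key at this point!

    // Init working params
    unsigned char R[params->n];
    unsigned char msg_h[params->n];
    unsigned char ots_seed[params->n];
    uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

    // ---------------------------------
    // Message Hashing
    // ---------------------------------
    // First compute pseudorandom value R = PRF(SK_PRF, idx)
    prf(params, R, idx_bytes_32, sk_prf, params->n);
    // Generate hash key (R || root || idx); root follows the three seeds in sk,
    // so its offset is derived from index_bytes like every other sk offset here
    memcpy(hash_key, R, params->n);
    memcpy(hash_key+params->n, sk + params->index_bytes + 3*params->n, params->n);
    ull_to_bytes(hash_key+2*params->n, params->n, idx);
    // Then use it for message digest
    h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

    // Start collecting signature
    *smlen = 0;
    // Copy index to signature
    sm[0] = (idx >> 24) & 255;
    sm[1] = (idx >> 16) & 255;
    sm[2] = (idx >> 8) & 255;
    sm[3] = idx & 255;
    sm += 4;
    *smlen += 4;
    // Copy R to signature
    memcpy(sm, R, params->n);
    sm += params->n;
    *smlen += params->n;

    // ----------------------------------
    // Now we start to "really sign"
    // ----------------------------------
    // Prepare Address
    set_type(ots_addr, 0);
    set_ots_addr(ots_addr, idx);
    // Compute seed for OTS key pair
    get_seed(params, ots_seed, sk_seed, ots_addr);
    // Compute WOTS signature
    wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);
    sm += params->wots_sig_bytes;
    *smlen += params->wots_sig_bytes;

    // the auth path was already computed during the previous round
    memcpy(sm, state->auth, params->tree_height*params->n);
    // Advance the BDS state to leaf idx + 1, unless idx was the last leaf
    // (bds_round must not be called with an all-ones leaf index).
    if (idx < (1U << params->tree_height) - 1) {
        bds_round(params, state, idx, sk_seed, pub_seed, ots_addr);
        bds_treehash_update(params, state, (params->tree_height - params->bds_k) >> 1, sk_seed, pub_seed, ots_addr);
    }
    sm += params->tree_height*params->n;
    *smlen += params->tree_height*params->n;

    memcpy(sm, m, mlen);
    *smlen += mlen;

    // NOTE(review): sk_seed, sk_prf and ots_seed are stack copies of secret
    // material and are not cleared before returning; a plain memset here may
    // be optimised away, so a platform secure-zero should be used if that is
    // a concern for the deployment.
    return 0;
}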
/*
 * Generates a XMSSMT key pair for a given parameter set.
 * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
 * Format pk: [root || PUB_SEED] omitting algo oid.
 *
 * Besides sk and pk this fills states[0..d-1] with the BDS state of the
 * leftmost tree on each layer, and wots_sigs[i] (for i < d-1) with the WOTS
 * signature of that tree's root made with leaf 0 of the tree on layer i+1.
 * pk serves as scratch for every intermediate root; only the root of the
 * single tree on layer d-1 remains in it. Always returns 0.
 */
int xmssmt_core_keypair(const xmss_params *params,
                        unsigned char *pk, unsigned char *sk,
                        bds_state *states, unsigned char *wots_sigs)
{
    unsigned char *root = pk;
    const unsigned char *pub_seed = pk + params->n;
    const unsigned char *sk_seed = sk + params->index_bytes;
    unsigned char ots_seed[params->n];
    uint32_t addr[8] = {0};
    unsigned int layer;

    // Set idx = 0 over the full index field
    memset(sk, 0, params->index_bytes);
    // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)
    randombytes(sk + params->index_bytes, 3 * params->n);
    // PUB_SEED is the last of the three seeds; copy it into the public key
    memcpy(pk + params->n, sk + params->index_bytes + 2 * params->n, params->n);

    // Start with the bottom-most layer
    set_layer_addr(addr, 0);
    // Set up state and compute wots signatures for all but topmost tree root
    for (layer = 0; layer < params->d - 1; layer++) {
        // Root of the leftmost tree on this layer (into pk as scratch) plus its BDS state
        treehash_init(params, root, params->tree_height, 0, states + layer, sk_seed, pub_seed, addr);
        // Sign that root with leaf 0 of the tree one layer up
        set_layer_addr(addr, layer + 1);
        get_seed(params, ots_seed, sk_seed, addr);
        wots_sign(params, wots_sigs + layer * params->wots_sig_bytes, root, ots_seed, pub_seed, addr);
    }
    // Address now points to the single tree on layer d-1; its root is the public root
    treehash_init(params, root, params->tree_height, 0, states + layer, sk_seed, pub_seed, addr);
    memcpy(sk + params->index_bytes + 3 * params->n, root, params->n);
    return 0;
}
/**
 * Signs a message.
 * Returns
 *  1. an array containing the signature followed by the message AND
 *  2. an updated secret key!
 *
 * Signature layout written to sm: idx (index_bytes, big-endian) || R ||
 * for each layer 0..d-1: WOTS signature || tree_height auth nodes || m.
 * Layer 0 signs the message digest; the WOTS signatures of layers >= 1 (the
 * root of the tree on layer i-1, signed by a leaf of the tree on layer i) are
 * copied from wots_sigs, where they were cached at key generation or at the
 * last tree switch. states[0..d-1] are the BDS states of the trees currently
 * in use, states[d..2d-1] the NEXT trees being built ahead of time on each
 * layer. The index in sk is advanced before any signing work happens.
 *
 * NOTE(review): nothing here rejects idx >= 2^full_height; once the key is
 * exhausted the addresses computed below leave the hypertree and the output
 * is not a valid signature, so callers must track the remaining capacity.
 * The local copies sk_seed, sk_prf and ots_seed are not cleared on return.
 */
int xmssmt_core_sign(const xmss_params *params,
                     unsigned char *sk,
                     bds_state *states, unsigned char *wots_sigs,
                     unsigned char *sm, unsigned long long *smlen,
                     const unsigned char *m, unsigned long long mlen)
{
    uint64_t idx_tree;
    uint32_t idx_leaf;
    uint64_t i, j;
    int needswap_upto = -1;   // highest layer whose tree was switched during this call
    unsigned int updates;
    unsigned char sk_seed[params->n];
    unsigned char sk_prf[params->n];
    unsigned char pub_seed[params->n];
    // Init working params
    unsigned char R[params->n];
    unsigned char msg_h[params->n];
    unsigned char hash_key[3*params->n];
    unsigned char ots_seed[params->n];
    uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
    uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
    unsigned char idx_bytes_32[32];
    bds_state tmp;

    // Extract SK: big-endian index over index_bytes bytes
    unsigned long long idx = 0;
    for (i = 0; i < params->index_bytes; i++) {
        idx |= ((unsigned long long)sk[i]) << 8*(params->index_bytes - 1 - i);
    }
    memcpy(sk_seed, sk+params->index_bytes, params->n);
    memcpy(sk_prf, sk+params->index_bytes+params->n, params->n);
    memcpy(pub_seed, sk+params->index_bytes+2*params->n, params->n);

    // Update SK: store idx + 1 before the OTS key for idx is used
    for (i = 0; i < params->index_bytes; i++) {
        sk[i] = ((idx + 1) >> 8*(params->index_bytes - 1 - i)) & 255;
    }
    // Secret key for this non-forward-secure version is now updated.
    // A production implementation should consider using a file handle instead,
    // and write the updated secret key at this point!

    // ---------------------------------
    // Message Hashing
    // ---------------------------------
    // Message Hash:
    // First compute pseudorandom value R = PRF(SK_PRF, idx)
    ull_to_bytes(idx_bytes_32, 32, idx);
    prf(params, R, idx_bytes_32, sk_prf, params->n);
    // Generate hash key (R || root || idx)
    memcpy(hash_key, R, params->n);
    memcpy(hash_key+params->n, sk+params->index_bytes+3*params->n, params->n);
    ull_to_bytes(hash_key+2*params->n, params->n, idx);
    // Then use it for message digest
    h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

    // Start collecting signature
    *smlen = 0;
    // Copy index to signature
    for (i = 0; i < params->index_bytes; i++) {
        sm[i] = (idx >> 8*(params->index_bytes - 1 - i)) & 255;
    }
    sm += params->index_bytes;
    *smlen += params->index_bytes;
    // Copy R to signature
    for (i = 0; i < params->n; i++) {
        sm[i] = R[i];
    }
    sm += params->n;
    *smlen += params->n;

    // ----------------------------------
    // Now we start to "really sign"
    // ----------------------------------
    // Handle lowest layer separately as it is slightly different...
    // Prepare Address
    set_type(ots_addr, 0);
    // Split idx into (tree index, leaf index) for layer 0. The masks built
    // with `1 << tree_height` are int shifts, unlike the 1ULL shifts further
    // down; fine as long as tree_height stays well below 31.
    idx_tree = idx >> params->tree_height;
    idx_leaf = (idx & ((1 << params->tree_height)-1));
    set_layer_addr(ots_addr, 0);
    set_tree_addr(ots_addr, idx_tree);
    set_ots_addr(ots_addr, idx_leaf);
    // Compute seed for OTS key pair
    get_seed(params, ots_seed, sk_seed, ots_addr);
    // Compute WOTS signature
    wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);
    sm += params->wots_sig_bytes;
    *smlen += params->wots_sig_bytes;
    // auth path of the layer-0 leaf, prepared by the previous call's bds_round
    memcpy(sm, states[0].auth, params->tree_height*params->n);
    sm += params->tree_height*params->n;
    *smlen += params->tree_height*params->n;

    // prepare signature of remaining layers (all cached)
    for (i = 1; i < params->d; i++) {
        // put WOTS signature in place
        memcpy(sm, wots_sigs + (i-1)*params->wots_sig_bytes, params->wots_sig_bytes);
        sm += params->wots_sig_bytes;
        *smlen += params->wots_sig_bytes;
        // put AUTH nodes in place
        memcpy(sm, states[i].auth, params->tree_height*params->n);
        sm += params->tree_height*params->n;
        *smlen += params->tree_height*params->n;
    }

    // Budget of treehash updates for this call; it is shared across layers,
    // each bds_treehash_update handing its leftover on to the next layer.
    updates = (params->tree_height - params->bds_k) >> 1;

    set_tree_addr(addr, (idx_tree + 1));
    // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists
    if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << params->full_height)) {
        bds_state_update(params, &states[params->d], sk_seed, pub_seed, addr);
    }

    for (i = 0; i < params->d; i++) {
        // check if we're not at the end of a tree
        if (! (((idx + 1) & ((1ULL << ((i+1)*params->tree_height)) - 1)) == 0)) {
            // Tree and leaf indices of this layer's current tree.
            idx_leaf = (idx >> (params->tree_height * i)) & ((1 << params->tree_height)-1);
            idx_tree = (idx >> (params->tree_height * (i+1)));
            set_layer_addr(addr, i);
            set_tree_addr(addr, idx_tree);
            // The leaf only moves on layer 0, or on the layer directly above
            // the most recently switched tree (needswap_upto).
            if (i == (unsigned int) (needswap_upto + 1)) {
                bds_round(params, &states[i], idx_leaf, sk_seed, pub_seed, addr);
            }
            updates = bds_treehash_update(params, &states[i], updates, sk_seed, pub_seed, addr);
            set_tree_addr(addr, (idx_tree + 1));
            // if a NEXT-tree exists for this level;
            if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << (params->full_height - params->tree_height * i))) {
                // spend one leftover update on NEXT_i (NEXT_0 was served above)
                if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << params->full_height)) {
                    bds_state_update(params, &states[params->d + i], sk_seed, pub_seed, addr);
                    updates--;
                }
            }
        }
        else if (idx < (1ULL << params->full_height) - 1) {
            // End of the tree on layer i (and not the very last signature):
            // NEXT_i, fully built by now, becomes the current state and the
            // old state is recycled as the new NEXT_i. This is a shallow
            // struct swap — the buffer pointers change owners, no node data
            // is copied.
            memcpy(&tmp, states+params->d + i, sizeof(bds_state));
            memcpy(states+params->d + i, states + i, sizeof(bds_state));
            memcpy(states + i, &tmp, sizeof(bds_state));
            // Sign the new tree's root (states[i].stack holds it once all
            // 2^tree_height leaves went through bds_state_update) with the
            // next leaf of the tree on layer i+1, refreshing this layer's
            // cached signature. sk+index_bytes is the same data as sk_seed.
            set_layer_addr(ots_addr, (i+1));
            set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * params->tree_height)));
            set_ots_addr(ots_addr, (((idx >> ((i+1) * params->tree_height)) + 1) & ((1 << params->tree_height)-1)));
            get_seed(params, ots_seed, sk+params->index_bytes, ots_addr);
            wots_sign(params, wots_sigs + i*params->wots_sig_bytes, states[i].stack, ots_seed, pub_seed, ots_addr);
            // The recycled state restarts from leaf 0 of the tree after next.
            states[params->d + i].stackoffset = 0;
            states[params->d + i].next_leaf = 0;
            // NOTE(review): `updates` is unsigned and decremented unconditionally;
            // whether it can already be 0 at this point (after the layers below
            // consumed the whole budget) is not obvious from this function alone.
            updates--; // WOTS-signing counts as one update
            needswap_upto = i;
            // The fresh tree's auth path came out of bds_state_update complete;
            // no treehash instance has work pending yet.
            for (j = 0; j < params->tree_height-params->bds_k; j++) {
                states[i].treehash[j].completed = 1;
            }
        }
    }

    memcpy(sm, m, mlen);
    *smlen += mlen;
    return 0;
}