You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 9 години
преди 9 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673
  1. /*
  2. xmss_fast.c version 20160722
  3. Andreas Hülsing
  4. Joost Rijneveld
  5. Public domain.
  6. */
  7. #include "xmss_fast.h"
  8. #include <stdlib.h>
  9. #include <string.h>
  10. #include <stdint.h>
  11. #include "randombytes.h"
  12. #include "wots.h"
  13. #include "hash.h"
  14. #include "xmss_commons.h"
  15. #include "hash_address.h"
  16. #include "params.h"
  17. /**
  18. * Initialize BDS state struct
  19. * parameter names are the same as used in the description of the BDS traversal
  20. */
  21. void xmss_set_bds_state(bds_state *state, unsigned char *stack, int stackoffset, unsigned char *stacklevels, unsigned char *auth, unsigned char *keep, treehash_inst *treehash, unsigned char *retain, int next_leaf)
  22. {
  23. state->stack = stack;
  24. state->stackoffset = stackoffset;
  25. state->stacklevels = stacklevels;
  26. state->auth = auth;
  27. state->keep = keep;
  28. state->treehash = treehash;
  29. state->retain = retain;
  30. state->next_leaf = next_leaf;
  31. }
  32. static int treehash_minheight_on_stack(bds_state* state, const treehash_inst *treehash)
  33. {
  34. unsigned int r = XMSS_TREEHEIGHT, i;
  35. for (i = 0; i < treehash->stackusage; i++) {
  36. if (state->stacklevels[state->stackoffset - i - 1] < r) {
  37. r = state->stacklevels[state->stackoffset - i - 1];
  38. }
  39. }
  40. return r;
  41. }
  42. /**
  43. * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.
  44. * Currently only used for key generation.
  45. *
  46. */
  47. static void treehash_setup(unsigned char *node, int height, int index, bds_state *state, const unsigned char *sk_seed, const unsigned char *pub_seed, const uint32_t addr[8])
  48. {
  49. unsigned int idx = index;
  50. // use three different addresses because at this point we use all three formats in parallel
  51. uint32_t ots_addr[8];
  52. uint32_t ltree_addr[8];
  53. uint32_t node_addr[8];
  54. // only copy layer and tree address parts
  55. memcpy(ots_addr, addr, 12);
  56. // type = ots
  57. setType(ots_addr, 0);
  58. memcpy(ltree_addr, addr, 12);
  59. setType(ltree_addr, 1);
  60. memcpy(node_addr, addr, 12);
  61. setType(node_addr, 2);
  62. uint32_t lastnode, i;
  63. unsigned char stack[(height+1)*XMSS_N];
  64. unsigned int stacklevels[height+1];
  65. unsigned int stackoffset=0;
  66. unsigned int nodeh;
  67. lastnode = idx+(1<<height);
  68. for (i = 0; i < XMSS_TREEHEIGHT-XMSS_BDS_K; i++) {
  69. state->treehash[i].h = i;
  70. state->treehash[i].completed = 1;
  71. state->treehash[i].stackusage = 0;
  72. }
  73. i = 0;
  74. for (; idx < lastnode; idx++) {
  75. setLtreeADRS(ltree_addr, idx);
  76. setOTSADRS(ots_addr, idx);
  77. gen_leaf_wots(stack+stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);
  78. stacklevels[stackoffset] = 0;
  79. stackoffset++;
  80. if (XMSS_TREEHEIGHT - XMSS_BDS_K > 0 && i == 3) {
  81. memcpy(state->treehash[0].node, stack+stackoffset*XMSS_N, XMSS_N);
  82. }
  83. while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])
  84. {
  85. nodeh = stacklevels[stackoffset-1];
  86. if (i >> nodeh == 1) {
  87. memcpy(state->auth + nodeh*XMSS_N, stack+(stackoffset-1)*XMSS_N, XMSS_N);
  88. }
  89. else {
  90. if (nodeh < XMSS_TREEHEIGHT - XMSS_BDS_K && i >> nodeh == 3) {
  91. memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*XMSS_N, XMSS_N);
  92. }
  93. else if (nodeh >= XMSS_TREEHEIGHT - XMSS_BDS_K) {
  94. memcpy(state->retain + ((1 << (XMSS_TREEHEIGHT - 1 - nodeh)) + nodeh - XMSS_TREEHEIGHT + (((i >> nodeh) - 3) >> 1)) * XMSS_N, stack+(stackoffset-1)*XMSS_N, XMSS_N);
  95. }
  96. }
  97. setTreeHeight(node_addr, stacklevels[stackoffset-1]);
  98. setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));
  99. hash_h(stack+(stackoffset-2)*XMSS_N, stack+(stackoffset-2)*XMSS_N, pub_seed, node_addr);
  100. stacklevels[stackoffset-2]++;
  101. stackoffset--;
  102. }
  103. i++;
  104. }
  105. for (i = 0; i < XMSS_N; i++)
  106. node[i] = stack[i];
  107. }
  108. static void treehash_update(treehash_inst *treehash, bds_state *state, const unsigned char *sk_seed, const unsigned char *pub_seed, const uint32_t addr[8])
  109. {
  110. uint32_t ots_addr[8];
  111. uint32_t ltree_addr[8];
  112. uint32_t node_addr[8];
  113. // only copy layer and tree address parts
  114. memcpy(ots_addr, addr, 12);
  115. // type = ots
  116. setType(ots_addr, 0);
  117. memcpy(ltree_addr, addr, 12);
  118. setType(ltree_addr, 1);
  119. memcpy(node_addr, addr, 12);
  120. setType(node_addr, 2);
  121. setLtreeADRS(ltree_addr, treehash->next_idx);
  122. setOTSADRS(ots_addr, treehash->next_idx);
  123. unsigned char nodebuffer[2 * XMSS_N];
  124. unsigned int nodeheight = 0;
  125. gen_leaf_wots(nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);
  126. while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {
  127. memcpy(nodebuffer + XMSS_N, nodebuffer, XMSS_N);
  128. memcpy(nodebuffer, state->stack + (state->stackoffset-1)*XMSS_N, XMSS_N);
  129. setTreeHeight(node_addr, nodeheight);
  130. setTreeIndex(node_addr, (treehash->next_idx >> (nodeheight+1)));
  131. hash_h(nodebuffer, nodebuffer, pub_seed, node_addr);
  132. nodeheight++;
  133. treehash->stackusage--;
  134. state->stackoffset--;
  135. }
  136. if (nodeheight == treehash->h) { // this also implies stackusage == 0
  137. memcpy(treehash->node, nodebuffer, XMSS_N);
  138. treehash->completed = 1;
  139. }
  140. else {
  141. memcpy(state->stack + state->stackoffset*XMSS_N, nodebuffer, XMSS_N);
  142. treehash->stackusage++;
  143. state->stacklevels[state->stackoffset] = nodeheight;
  144. state->stackoffset++;
  145. treehash->next_idx++;
  146. }
  147. }
  148. /**
  149. * Performs one treehash update on the instance that needs it the most.
  150. * Returns 1 if such an instance was not found
  151. **/
  152. static char bds_treehash_update(bds_state *state, unsigned int updates, const unsigned char *sk_seed, unsigned char *pub_seed, const uint32_t addr[8]) {
  153. uint32_t i, j;
  154. unsigned int level, l_min, low;
  155. unsigned int used = 0;
  156. for (j = 0; j < updates; j++) {
  157. l_min = XMSS_TREEHEIGHT;
  158. level = XMSS_TREEHEIGHT - XMSS_BDS_K;
  159. for (i = 0; i < XMSS_TREEHEIGHT - XMSS_BDS_K; i++) {
  160. if (state->treehash[i].completed) {
  161. low = XMSS_TREEHEIGHT;
  162. }
  163. else if (state->treehash[i].stackusage == 0) {
  164. low = i;
  165. }
  166. else {
  167. low = treehash_minheight_on_stack(state, &(state->treehash[i]));
  168. }
  169. if (low < l_min) {
  170. level = i;
  171. l_min = low;
  172. }
  173. }
  174. if (level == XMSS_TREEHEIGHT - XMSS_BDS_K) {
  175. break;
  176. }
  177. treehash_update(&(state->treehash[level]), state, sk_seed, pub_seed, addr);
  178. used++;
  179. }
  180. return updates - used;
  181. }
  182. /**
  183. * Updates the state (typically NEXT_i) by adding a leaf and updating the stack
  184. * Returns 1 if all leaf nodes have already been processed
  185. **/
  186. static char bds_state_update(bds_state *state, const unsigned char *sk_seed, unsigned char *pub_seed, const uint32_t addr[8]) {
  187. uint32_t ltree_addr[8];
  188. uint32_t node_addr[8];
  189. uint32_t ots_addr[8];
  190. int nodeh;
  191. int idx = state->next_leaf;
  192. if (idx == 1 << XMSS_TREEHEIGHT) {
  193. return 1;
  194. }
  195. // only copy layer and tree address parts
  196. memcpy(ots_addr, addr, 12);
  197. // type = ots
  198. setType(ots_addr, 0);
  199. memcpy(ltree_addr, addr, 12);
  200. setType(ltree_addr, 1);
  201. memcpy(node_addr, addr, 12);
  202. setType(node_addr, 2);
  203. setOTSADRS(ots_addr, idx);
  204. setLtreeADRS(ltree_addr, idx);
  205. gen_leaf_wots(state->stack+state->stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);
  206. state->stacklevels[state->stackoffset] = 0;
  207. state->stackoffset++;
  208. if (XMSS_TREEHEIGHT - XMSS_BDS_K > 0 && idx == 3) {
  209. memcpy(state->treehash[0].node, state->stack+state->stackoffset*XMSS_N, XMSS_N);
  210. }
  211. while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {
  212. nodeh = state->stacklevels[state->stackoffset-1];
  213. if (idx >> nodeh == 1) {
  214. memcpy(state->auth + nodeh*XMSS_N, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);
  215. }
  216. else {
  217. if (nodeh < XMSS_TREEHEIGHT - XMSS_BDS_K && idx >> nodeh == 3) {
  218. memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);
  219. }
  220. else if (nodeh >= XMSS_TREEHEIGHT - XMSS_BDS_K) {
  221. memcpy(state->retain + ((1 << (XMSS_TREEHEIGHT - 1 - nodeh)) + nodeh - XMSS_TREEHEIGHT + (((idx >> nodeh) - 3) >> 1)) * XMSS_N, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);
  222. }
  223. }
  224. setTreeHeight(node_addr, state->stacklevels[state->stackoffset-1]);
  225. setTreeIndex(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));
  226. hash_h(state->stack+(state->stackoffset-2)*XMSS_N, state->stack+(state->stackoffset-2)*XMSS_N, pub_seed, node_addr);
  227. state->stacklevels[state->stackoffset-2]++;
  228. state->stackoffset--;
  229. }
  230. state->next_leaf++;
  231. return 0;
  232. }
  233. /**
  234. * Returns the auth path for node leaf_idx and computes the auth path for the
  235. * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo
  236. * in "Post Quantum Cryptography", Springer 2009.
  237. */
  238. static void bds_round(bds_state *state, const unsigned long leaf_idx, const unsigned char *sk_seed, unsigned char *pub_seed, uint32_t addr[8])
  239. {
  240. unsigned int i;
  241. unsigned int tau = XMSS_TREEHEIGHT;
  242. unsigned int startidx;
  243. unsigned int offset, rowidx;
  244. unsigned char buf[2 * XMSS_N];
  245. uint32_t ots_addr[8];
  246. uint32_t ltree_addr[8];
  247. uint32_t node_addr[8];
  248. // only copy layer and tree address parts
  249. memcpy(ots_addr, addr, 12);
  250. // type = ots
  251. setType(ots_addr, 0);
  252. memcpy(ltree_addr, addr, 12);
  253. setType(ltree_addr, 1);
  254. memcpy(node_addr, addr, 12);
  255. setType(node_addr, 2);
  256. for (i = 0; i < XMSS_TREEHEIGHT; i++) {
  257. if (! ((leaf_idx >> i) & 1)) {
  258. tau = i;
  259. break;
  260. }
  261. }
  262. if (tau > 0) {
  263. memcpy(buf, state->auth + (tau-1) * XMSS_N, XMSS_N);
  264. // we need to do this before refreshing state->keep to prevent overwriting
  265. memcpy(buf + XMSS_N, state->keep + ((tau-1) >> 1) * XMSS_N, XMSS_N);
  266. }
  267. if (!((leaf_idx >> (tau + 1)) & 1) && (tau < XMSS_TREEHEIGHT - 1)) {
  268. memcpy(state->keep + (tau >> 1)*XMSS_N, state->auth + tau*XMSS_N, XMSS_N);
  269. }
  270. if (tau == 0) {
  271. setLtreeADRS(ltree_addr, leaf_idx);
  272. setOTSADRS(ots_addr, leaf_idx);
  273. gen_leaf_wots(state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);
  274. }
  275. else {
  276. setTreeHeight(node_addr, (tau-1));
  277. setTreeIndex(node_addr, leaf_idx >> tau);
  278. hash_h(state->auth + tau * XMSS_N, buf, pub_seed, node_addr);
  279. for (i = 0; i < tau; i++) {
  280. if (i < XMSS_TREEHEIGHT - XMSS_BDS_K) {
  281. memcpy(state->auth + i * XMSS_N, state->treehash[i].node, XMSS_N);
  282. }
  283. else {
  284. offset = (1 << (XMSS_TREEHEIGHT - 1 - i)) + i - XMSS_TREEHEIGHT;
  285. rowidx = ((leaf_idx >> i) - 1) >> 1;
  286. memcpy(state->auth + i * XMSS_N, state->retain + (offset + rowidx) * XMSS_N, XMSS_N);
  287. }
  288. }
  289. for (i = 0; i < ((tau < XMSS_TREEHEIGHT - XMSS_BDS_K) ? tau : (XMSS_TREEHEIGHT - XMSS_BDS_K)); i++) {
  290. startidx = leaf_idx + 1 + 3 * (1 << i);
  291. if (startidx < 1U << XMSS_TREEHEIGHT) {
  292. state->treehash[i].h = i;
  293. state->treehash[i].next_idx = startidx;
  294. state->treehash[i].completed = 0;
  295. state->treehash[i].stackusage = 0;
  296. }
  297. }
  298. }
  299. }
  300. /*
  301. * Generates a XMSS key pair for a given parameter set.
  302. * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
  303. * Format pk: [root || PUB_SEED] omitting algo oid.
  304. */
  305. int xmss_keypair(unsigned char *pk, unsigned char *sk, bds_state *state)
  306. {
  307. // Set idx = 0
  308. sk[0] = 0;
  309. sk[1] = 0;
  310. sk[2] = 0;
  311. sk[3] = 0;
  312. // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)
  313. randombytes(sk+4, 3*XMSS_N);
  314. // Copy PUB_SEED to public key
  315. memcpy(pk+XMSS_N, sk+4+2*XMSS_N, XMSS_N);
  316. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  317. // Compute root
  318. treehash_setup(pk, XMSS_TREEHEIGHT, 0, state, sk+4, sk+4+2*XMSS_N, addr);
  319. // copy root to sk
  320. memcpy(sk+4+3*XMSS_N, pk, XMSS_N);
  321. return 0;
  322. }
  323. /**
  324. * Signs a message.
  325. * Returns
  326. * 1. an array containing the signature followed by the message AND
  327. * 2. an updated secret key!
  328. *
  329. */
  330. int xmss_sign(unsigned char *sk, bds_state *state, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)
  331. {
  332. uint16_t i = 0;
  333. // Extract SK
  334. unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];
  335. unsigned char sk_seed[XMSS_N];
  336. memcpy(sk_seed, sk+4, XMSS_N);
  337. unsigned char sk_prf[XMSS_N];
  338. memcpy(sk_prf, sk+4+XMSS_N, XMSS_N);
  339. unsigned char pub_seed[XMSS_N];
  340. memcpy(pub_seed, sk+4+2*XMSS_N, XMSS_N);
  341. // index as 32 bytes string
  342. unsigned char idx_bytes_32[32];
  343. to_byte(idx_bytes_32, idx, 32);
  344. unsigned char hash_key[3*XMSS_N];
  345. // Update SK
  346. sk[0] = ((idx + 1) >> 24) & 255;
  347. sk[1] = ((idx + 1) >> 16) & 255;
  348. sk[2] = ((idx + 1) >> 8) & 255;
  349. sk[3] = (idx + 1) & 255;
  350. // -- Secret key for this non-forward-secure version is now updated.
  351. // -- A productive implementation should use a file handle instead and write the updated secret key at this point!
  352. // Init working params
  353. unsigned char R[XMSS_N];
  354. unsigned char msg_h[XMSS_N];
  355. unsigned char ots_seed[XMSS_N];
  356. uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  357. // ---------------------------------
  358. // Message Hashing
  359. // ---------------------------------
  360. // Message Hash:
  361. // First compute pseudorandom value
  362. prf(R, idx_bytes_32, sk_prf, XMSS_N);
  363. // Generate hash key (R || root || idx)
  364. memcpy(hash_key, R, XMSS_N);
  365. memcpy(hash_key+XMSS_N, sk+4+3*XMSS_N, XMSS_N);
  366. to_byte(hash_key+2*XMSS_N, idx, XMSS_N);
  367. // Then use it for message digest
  368. h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);
  369. // Start collecting signature
  370. *smlen = 0;
  371. // Copy index to signature
  372. sm[0] = (idx >> 24) & 255;
  373. sm[1] = (idx >> 16) & 255;
  374. sm[2] = (idx >> 8) & 255;
  375. sm[3] = idx & 255;
  376. sm += 4;
  377. *smlen += 4;
  378. // Copy R to signature
  379. for (i = 0; i < XMSS_N; i++)
  380. sm[i] = R[i];
  381. sm += XMSS_N;
  382. *smlen += XMSS_N;
  383. // ----------------------------------
  384. // Now we start to "really sign"
  385. // ----------------------------------
  386. // Prepare Address
  387. setType(ots_addr, 0);
  388. setOTSADRS(ots_addr, idx);
  389. // Compute seed for OTS key pair
  390. get_seed(ots_seed, sk_seed, ots_addr);
  391. // Compute WOTS signature
  392. wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);
  393. sm += XMSS_WOTS_KEYSIZE;
  394. *smlen += XMSS_WOTS_KEYSIZE;
  395. // the auth path was already computed during the previous round
  396. memcpy(sm, state->auth, XMSS_TREEHEIGHT*XMSS_N);
  397. if (idx < (1U << XMSS_TREEHEIGHT) - 1) {
  398. bds_round(state, idx, sk_seed, pub_seed, ots_addr);
  399. bds_treehash_update(state, (XMSS_TREEHEIGHT - XMSS_BDS_K) >> 1, sk_seed, pub_seed, ots_addr);
  400. }
  401. sm += XMSS_TREEHEIGHT*XMSS_N;
  402. *smlen += XMSS_TREEHEIGHT*XMSS_N;
  403. memcpy(sm, m, mlen);
  404. *smlen += mlen;
  405. return 0;
  406. }
  407. /*
  408. * Generates a XMSSMT key pair for a given parameter set.
  409. * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
  410. * Format pk: [root || PUB_SEED] omitting algo oid.
  411. */
  412. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, bds_state *states, unsigned char *wots_sigs)
  413. {
  414. unsigned char ots_seed[XMSS_N];
  415. int i;
  416. // Set idx = 0
  417. for (i = 0; i < XMSS_INDEX_LEN; i++) {
  418. sk[i] = 0;
  419. }
  420. // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)
  421. randombytes(sk+XMSS_INDEX_LEN, 3*XMSS_N);
  422. // Copy PUB_SEED to public key
  423. memcpy(pk+XMSS_N, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);
  424. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  425. // Start with the bottom-most layer
  426. setLayerADRS(addr, 0);
  427. // Set up state and compute wots signatures for all but topmost tree root
  428. for (i = 0; i < XMSS_D - 1; i++) {
  429. // Compute seed for OTS key pair
  430. treehash_setup(pk, XMSS_TREEHEIGHT, 0, states + i, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);
  431. setLayerADRS(addr, (i+1));
  432. get_seed(ots_seed, sk+XMSS_INDEX_LEN, addr);
  433. wots_sign(wots_sigs + i*XMSS_WOTS_KEYSIZE, pk, ots_seed, pk+XMSS_N, addr);
  434. }
  435. // Address now points to the single tree on layer d-1
  436. treehash_setup(pk, XMSS_TREEHEIGHT, 0, states + i, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);
  437. memcpy(sk+XMSS_INDEX_LEN+3*XMSS_N, pk, XMSS_N);
  438. return 0;
  439. }
  440. /**
  441. * Signs a message.
  442. * Returns
  443. * 1. an array containing the signature followed by the message AND
  444. * 2. an updated secret key!
  445. *
  446. */
  447. int xmssmt_sign(unsigned char *sk, bds_state *states, unsigned char *wots_sigs, unsigned char *sm, unsigned long long *smlen, const unsigned char *m, unsigned long long mlen)
  448. {
  449. uint64_t idx_tree;
  450. uint32_t idx_leaf;
  451. uint64_t i, j;
  452. int needswap_upto = -1;
  453. unsigned int updates;
  454. unsigned char sk_seed[XMSS_N];
  455. unsigned char sk_prf[XMSS_N];
  456. unsigned char pub_seed[XMSS_N];
  457. // Init working params
  458. unsigned char R[XMSS_N];
  459. unsigned char msg_h[XMSS_N];
  460. unsigned char hash_key[3*XMSS_N];
  461. unsigned char ots_seed[XMSS_N];
  462. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  463. uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  464. unsigned char idx_bytes_32[32];
  465. bds_state tmp;
  466. // Extract SK
  467. unsigned long long idx = 0;
  468. for (i = 0; i < XMSS_INDEX_LEN; i++) {
  469. idx |= ((unsigned long long)sk[i]) << 8*(XMSS_INDEX_LEN - 1 - i);
  470. }
  471. memcpy(sk_seed, sk+XMSS_INDEX_LEN, XMSS_N);
  472. memcpy(sk_prf, sk+XMSS_INDEX_LEN+XMSS_N, XMSS_N);
  473. memcpy(pub_seed, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);
  474. // Update SK
  475. for (i = 0; i < XMSS_INDEX_LEN; i++) {
  476. sk[i] = ((idx + 1) >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;
  477. }
  478. // -- Secret key for this non-forward-secure version is now updated.
  479. // -- A productive implementation should use a file handle instead and write the updated secret key at this point!
  480. // ---------------------------------
  481. // Message Hashing
  482. // ---------------------------------
  483. // Message Hash:
  484. // First compute pseudorandom value
  485. to_byte(idx_bytes_32, idx, 32);
  486. prf(R, idx_bytes_32, sk_prf, XMSS_N);
  487. // Generate hash key (R || root || idx)
  488. memcpy(hash_key, R, XMSS_N);
  489. memcpy(hash_key+XMSS_N, sk+XMSS_INDEX_LEN+3*XMSS_N, XMSS_N);
  490. to_byte(hash_key+2*XMSS_N, idx, XMSS_N);
  491. // Then use it for message digest
  492. h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);
  493. // Start collecting signature
  494. *smlen = 0;
  495. // Copy index to signature
  496. for (i = 0; i < XMSS_INDEX_LEN; i++) {
  497. sm[i] = (idx >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;
  498. }
  499. sm += XMSS_INDEX_LEN;
  500. *smlen += XMSS_INDEX_LEN;
  501. // Copy R to signature
  502. for (i = 0; i < XMSS_N; i++)
  503. sm[i] = R[i];
  504. sm += XMSS_N;
  505. *smlen += XMSS_N;
  506. // ----------------------------------
  507. // Now we start to "really sign"
  508. // ----------------------------------
  509. // Handle lowest layer separately as it is slightly different...
  510. // Prepare Address
  511. setType(ots_addr, 0);
  512. idx_tree = idx >> XMSS_TREEHEIGHT;
  513. idx_leaf = (idx & ((1 << XMSS_TREEHEIGHT)-1));
  514. setLayerADRS(ots_addr, 0);
  515. setTreeADRS(ots_addr, idx_tree);
  516. setOTSADRS(ots_addr, idx_leaf);
  517. // Compute seed for OTS key pair
  518. get_seed(ots_seed, sk_seed, ots_addr);
  519. // Compute WOTS signature
  520. wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);
  521. sm += XMSS_WOTS_KEYSIZE;
  522. *smlen += XMSS_WOTS_KEYSIZE;
  523. memcpy(sm, states[0].auth, XMSS_TREEHEIGHT*XMSS_N);
  524. sm += XMSS_TREEHEIGHT*XMSS_N;
  525. *smlen += XMSS_TREEHEIGHT*XMSS_N;
  526. // prepare signature of remaining layers
  527. for (i = 1; i < XMSS_D; i++) {
  528. // put WOTS signature in place
  529. memcpy(sm, wots_sigs + (i-1)*XMSS_WOTS_KEYSIZE, XMSS_WOTS_KEYSIZE);
  530. sm += XMSS_WOTS_KEYSIZE;
  531. *smlen += XMSS_WOTS_KEYSIZE;
  532. // put AUTH nodes in place
  533. memcpy(sm, states[i].auth, XMSS_TREEHEIGHT*XMSS_N);
  534. sm += XMSS_TREEHEIGHT*XMSS_N;
  535. *smlen += XMSS_TREEHEIGHT*XMSS_N;
  536. }
  537. updates = (XMSS_TREEHEIGHT - XMSS_BDS_K) >> 1;
  538. setTreeADRS(addr, (idx_tree + 1));
  539. // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists
  540. if ((1 + idx_tree) * (1 << XMSS_TREEHEIGHT) + idx_leaf < (1ULL << XMSS_FULLHEIGHT)) {
  541. bds_state_update(&states[XMSS_D], sk_seed, pub_seed, addr);
  542. }
  543. for (i = 0; i < XMSS_D; i++) {
  544. // check if we're not at the end of a tree
  545. if (! (((idx + 1) & ((1ULL << ((i+1)*XMSS_TREEHEIGHT)) - 1)) == 0)) {
  546. idx_leaf = (idx >> (XMSS_TREEHEIGHT * i)) & ((1 << XMSS_TREEHEIGHT)-1);
  547. idx_tree = (idx >> (XMSS_TREEHEIGHT * (i+1)));
  548. setLayerADRS(addr, i);
  549. setTreeADRS(addr, idx_tree);
  550. if (i == (unsigned int) (needswap_upto + 1)) {
  551. bds_round(&states[i], idx_leaf, sk_seed, pub_seed, addr);
  552. }
  553. updates = bds_treehash_update(&states[i], updates, sk_seed, pub_seed, addr);
  554. setTreeADRS(addr, (idx_tree + 1));
  555. // if a NEXT-tree exists for this level;
  556. if ((1 + idx_tree) * (1 << XMSS_TREEHEIGHT) + idx_leaf < (1ULL << (XMSS_FULLHEIGHT - XMSS_TREEHEIGHT * i))) {
  557. if (i > 0 && updates > 0 && states[XMSS_D + i].next_leaf < (1ULL << XMSS_FULLHEIGHT)) {
  558. bds_state_update(&states[XMSS_D + i], sk_seed, pub_seed, addr);
  559. updates--;
  560. }
  561. }
  562. }
  563. else if (idx < (1ULL << XMSS_FULLHEIGHT) - 1) {
  564. memcpy(&tmp, states+XMSS_D + i, sizeof(bds_state));
  565. memcpy(states+XMSS_D + i, states + i, sizeof(bds_state));
  566. memcpy(states + i, &tmp, sizeof(bds_state));
  567. setLayerADRS(ots_addr, (i+1));
  568. setTreeADRS(ots_addr, ((idx + 1) >> ((i+2) * XMSS_TREEHEIGHT)));
  569. setOTSADRS(ots_addr, (((idx >> ((i+1) * XMSS_TREEHEIGHT)) + 1) & ((1 << XMSS_TREEHEIGHT)-1)));
  570. get_seed(ots_seed, sk+XMSS_INDEX_LEN, ots_addr);
  571. wots_sign(wots_sigs + i*XMSS_WOTS_KEYSIZE, states[i].stack, ots_seed, pub_seed, ots_addr);
  572. states[XMSS_D + i].stackoffset = 0;
  573. states[XMSS_D + i].next_leaf = 0;
  574. updates--; // WOTS-signing counts as one update
  575. needswap_upto = i;
  576. for (j = 0; j < XMSS_TREEHEIGHT-XMSS_BDS_K; j++) {
  577. states[i].treehash[j].completed = 1;
  578. }
  579. }
  580. }
  581. memcpy(sm, m, mlen);
  582. *smlen += mlen;
  583. return 0;
  584. }