xmss-KAT-generator/wots.c

#include <stdint.h>
#include <string.h>

#include "utils.h"
#include "hash.h"
#include "wots.h"
#include "hash_address.h"
#include "params.h"

/**
 * Helper method for pseudorandom key generation.
 * Expands an n-byte array into a len*n byte array using the `prf_keygen` function.
 */
static void expand_seed(const xmss_params *params,
                        unsigned char *outseeds, const unsigned char *inseed, 
                        const unsigned char *pub_seed, uint32_t addr[8])
{
    uint32_t i;
    unsigned char buf[params->n + 32];

    set_hash_addr(addr, 0);
    set_key_and_mask(addr, 0);
    memcpy(buf, pub_seed, params->n);
    for (i = 0; i < params->wots_len; i++) {
        set_chain_addr(addr, i);
        addr_to_bytes(buf + params->n, addr);
        prf_keygen(params, outseeds + i*params->n, buf, inseed);
    }
}

/**
 * Computes the chaining function.
 * out and in have to be n-byte arrays.
 *
 * Interprets in as start-th value of the chain.
 * addr has to contain the address of the chain.
 */
static void gen_chain(const xmss_params *params,
                      unsigned char *out, const unsigned char *in,
                      unsigned int start, unsigned int steps,
                      const unsigned char *pub_seed, uint32_t addr[8])
{
    uint32_t i;

    /* Initialize out with the value at position 'start'. */
    memcpy(out, in, params->n);

    /* Iterate 'steps' calls to the hash function. */
    for (i = start; i < (start+steps) && i < params->wots_w; i++) {
        set_hash_addr(addr, i);
        thash_f(params, out, out, pub_seed, addr);
    }
}

/**
 * base_w algorithm as described in draft.
 * Interprets an array of bytes as integers in base w.
 * This only works when log_w is a divisor of 8.
 */
static void base_w(const xmss_params *params,
                   int *output, const int out_len, const unsigned char *input)
{
    int in = 0;
    int out = 0;
    unsigned char total;
    int bits = 0;
    int consumed;

    for (consumed = 0; consumed < out_len; consumed++) {
        if (bits == 0) {
            total = input[in];
            in++;
            bits += 8;
        }
        bits -= params->wots_log_w;
        output[out] = (total >> bits) & (params->wots_w - 1);
        out++;
    }
}

/* Computes the WOTS+ checksum over a message (in base_w). */
static void wots_checksum(const xmss_params *params,
                          int *csum_base_w, const int *msg_base_w)
{
    int csum = 0;
    unsigned char csum_bytes[(params->wots_len2 * params->wots_log_w + 7) / 8];
    unsigned int i;

    /* Compute checksum. */
    for (i = 0; i < params->wots_len1; i++) {
        csum += params->wots_w - 1 - msg_base_w[i];
    }

    /* Convert checksum to base_w. */
    /* Make sure expected empty zero bits are the least significant bits. */
    csum = csum << (8 - ((params->wots_len2 * params->wots_log_w) % 8));
    ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);
    base_w(params, csum_base_w, params->wots_len2, csum_bytes);
}

/* Takes a message and derives the matching chain lengths. */
static void chain_lengths(const xmss_params *params,
                          int *lengths, const unsigned char *msg)
{
    base_w(params, lengths, params->wots_len1, msg);
    wots_checksum(params, lengths + params->wots_len1, lengths);
}

/**
 * WOTS key generation. Takes a 32 byte seed for the private key, expands it to
 * a full WOTS private key and computes the corresponding public key.
 * It requires the seed pub_seed (used to generate bitmasks and hash keys)
 * and the address of this WOTS key pair.
 *
 * Writes the computed public key to 'pk'.
 */
void wots_pkgen(const xmss_params *params,
                unsigned char *pk, const unsigned char *seed,
                const unsigned char *pub_seed, uint32_t addr[8])
{
    uint32_t i;

    /* The WOTS+ private key is derived from the seed. */
    expand_seed(params, pk, seed, pub_seed, addr);

    for (i = 0; i < params->wots_len; i++) {
        set_chain_addr(addr, i);
        gen_chain(params, pk + i*params->n, pk + i*params->n,
                  0, params->wots_w - 1, pub_seed, addr);
    }
}

/**
 * Takes a n-byte message and the 32-byte seed for the private key to compute a
 * signature that is placed at 'sig'.
 */
void wots_sign(const xmss_params *params,
               unsigned char *sig, const unsigned char *msg,
               const unsigned char *seed, const unsigned char *pub_seed,
               uint32_t addr[8])
{
    int lengths[params->wots_len];
    uint32_t i;

    chain_lengths(params, lengths, msg);

    /* The WOTS+ private key is derived from the seed. */
    expand_seed(params, sig, seed, pub_seed, addr);

    for (i = 0; i < params->wots_len; i++) {
        set_chain_addr(addr, i);
        gen_chain(params, sig + i*params->n, sig + i*params->n,
                  0, lengths[i], pub_seed, addr);
    }
}

/**
 * Takes a WOTS signature and an n-byte message, computes a WOTS public key.
 *
 * Writes the computed public key to 'pk'.
 */
void wots_pk_from_sig(const xmss_params *params, unsigned char *pk,
                      const unsigned char *sig, const unsigned char *msg,
                      const unsigned char *pub_seed, uint32_t addr[8])
{
    int lengths[params->wots_len];
    uint32_t i;

    chain_lengths(params, lengths, msg);

    for (i = 0; i < params->wots_len; i++) {
        set_chain_addr(addr, i);
        gen_chain(params, pk + i*params->n, sig + i*params->n,
                  lengths[i], params->wots_w - 1 - lengths[i], pub_seed, addr);
    }
}
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`#include <stdint.h>`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`#include <string.h>`

Move ull-byte-conversions to separate utils file 2017-11-01 13:59:33 +00:00			`#include "utils.h"`
Initial commit 2015-08-11 11:08:27 +01:00			`#include "hash.h"`
			`#include "wots.h"`
SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression! 2016-02-16 15:31:18 +00:00			`#include "hash_address.h"`
Refactor to use compile-time parameter sets This starts a cleanup / refactor, but there is still some low-hanging fruit. 2017-06-02 13:10:24 +01:00			`#include "params.h"`
Initial commit 2015-08-11 11:08:27 +01:00
			`/**`
Perform various reformatting / renaming 2017-10-23 13:10:39 +01:00			`* Helper method for pseudorandom key generation.`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			* Expands an n-byte array into a len*n byte array using the `prf_keygen` function.
Initial commit 2015-08-11 11:08:27 +01:00			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`static void expand_seed(const xmss_params *params,`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`unsigned char outseeds, const unsigned char inseed,`
			`const unsigned char *pub_seed, uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`uint32_t i;`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`unsigned char buf[params->n + 32];`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`set_hash_addr(addr, 0);`
			`set_key_and_mask(addr, 0);`
			`memcpy(buf, pub_seed, params->n);`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`for (i = 0; i < params->wots_len; i++) {`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`set_chain_addr(addr, i);`
			`addr_to_bytes(buf + params->n, addr);`
			`prf_keygen(params, outseeds + i*params->n, buf, inseed);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

			`/**`
			`* Computes the chaining function.`
Perform various reformatting / renaming 2017-10-23 13:10:39 +01:00			`* out and in have to be n-byte arrays.`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00			`*`
Perform various reformatting / renaming 2017-10-23 13:10:39 +01:00			`* Interprets in as start-th value of the chain.`
			`* addr has to contain the address of the chain.`
Initial commit 2015-08-11 11:08:27 +01:00			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`static void gen_chain(const xmss_params *params,`
			`unsigned char out, const unsigned char in,`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`unsigned int start, unsigned int steps,`
			`const unsigned char *pub_seed, uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`uint32_t i;`

Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/* Initialize out with the value at position 'start'. */`
			`memcpy(out, in, params->n);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/* Iterate 'steps' calls to the hash function. */`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`for (i = start; i < (start+steps) && i < params->wots_w; i++) {`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`set_hash_addr(addr, i);`
Rename hash functions to tweaked hashes Since there's a tweak being introduced, this should be reflected in the name of the functions. 2017-11-01 14:16:17 +00:00			`thash_f(params, out, out, pub_seed, addr);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

			`/**`
			`* base_w algorithm as described in draft.`
Perform various reformatting / renaming 2017-10-23 13:10:39 +01:00			`* Interprets an array of bytes as integers in base w.`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`* This only works when log_w is a divisor of 8.`
Initial commit 2015-08-11 11:08:27 +01:00			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`static void base_w(const xmss_params *params,`
			`int output, const int out_len, const unsigned char input)`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int in = 0;`
			`int out = 0;`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`unsigned char total;`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`int bits = 0;`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`int consumed;`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`for (consumed = 0; consumed < out_len; consumed++) {`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`if (bits == 0) {`
			`total = input[in];`
			`in++;`
			`bits += 8;`
			`}`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`bits -= params->wots_log_w;`
			`output[out] = (total >> bits) & (params->wots_w - 1);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`out++;`
Initial commit 2015-08-11 11:08:27 +01:00			`}`
			`}`

Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/* Computes the WOTS+ checksum over a message (in base_w). */`
			`static void wots_checksum(const xmss_params *params,`
			`int csum_base_w, const int msg_base_w)`
			`{`
			`int csum = 0;`
			`unsigned char csum_bytes[(params->wots_len2 * params->wots_log_w + 7) / 8];`
			`unsigned int i;`

			`/* Compute checksum. */`
			`for (i = 0; i < params->wots_len1; i++) {`
			`csum += params->wots_w - 1 - msg_base_w[i];`
			`}`

			`/* Convert checksum to base_w. */`
			`/* Make sure expected empty zero bits are the least significant bits. */`
			`csum = csum << (8 - ((params->wots_len2 * params->wots_log_w) % 8));`
Reorder ull_to_bytes parameters to group output 2017-10-23 15:19:16 +01:00			`ull_to_bytes(csum_bytes, sizeof(csum_bytes), csum);`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`base_w(params, csum_base_w, params->wots_len2, csum_bytes);`
			`}`

			`/* Takes a message and derives the matching chain lengths. */`
			`static void chain_lengths(const xmss_params *params,`
			`int lengths, const unsigned char msg)`
			`{`
			`base_w(params, lengths, params->wots_len1, msg);`
			`wots_checksum(params, lengths + params->wots_len1, lengths);`
			`}`

			`/**`
			`* WOTS key generation. Takes a 32 byte seed for the private key, expands it to`
			`* a full WOTS private key and computes the corresponding public key.`
			`* It requires the seed pub_seed (used to generate bitmasks and hash keys)`
			`* and the address of this WOTS key pair.`
			`*`
			`* Writes the computed public key to 'pk'.`
			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`void wots_pkgen(const xmss_params *params,`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`unsigned char pk, const unsigned char seed,`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`const unsigned char *pub_seed, uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`uint32_t i;`

Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/* The WOTS+ private key is derived from the seed. */`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`expand_seed(params, pk, seed, pub_seed, addr);`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`for (i = 0; i < params->wots_len; i++) {`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`set_chain_addr(addr, i);`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`gen_chain(params, pk + iparams->n, pk + iparams->n,`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`0, params->wots_w - 1, pub_seed, addr);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/**`
Fix typo in WOTS comments: n-byte messages, not m 2017-11-01 12:35:35 +00:00			`* Takes a n-byte message and the 32-byte seed for the private key to compute a`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`* signature that is placed at 'sig'.`
			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`void wots_sign(const xmss_params *params,`
			`unsigned char sig, const unsigned char msg,`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`const unsigned char seed, const unsigned char pub_seed,`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`int lengths[params->wots_len];`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`uint32_t i;`
Initial commit 2015-08-11 11:08:27 +01:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`chain_lengths(params, lengths, msg);`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/* The WOTS+ private key is derived from the seed. */`
Improved key generation In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method. This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed \|\| adrs). 2020-04-28 15:02:06 +01:00			`expand_seed(params, sig, seed, pub_seed, addr);`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`for (i = 0; i < params->wots_len; i++) {`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`set_chain_addr(addr, i);`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`gen_chain(params, sig + iparams->n, sig + iparams->n,`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`0, lengths[i], pub_seed, addr);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00			`}`

Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`/**`
Fix typo in WOTS comments: n-byte messages, not m 2017-11-01 12:35:35 +00:00			`* Takes a WOTS signature and an n-byte message, computes a WOTS public key.`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`*`
			`* Writes the computed public key to 'pk'.`
			`*/`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`void wots_pk_from_sig(const xmss_params params, unsigned char pk,`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`const unsigned char sig, const unsigned char msg,`
			`const unsigned char *pub_seed, uint32_t addr[8])`
Initial commit 2015-08-11 11:08:27 +01:00			`{`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`int lengths[params->wots_len];`
			`uint32_t i;`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`chain_lengths(params, lengths, msg);`
Make codestyle more consistent, fix -Wextra warns 2016-02-02 13:06:43 +00:00
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`for (i = 0; i < params->wots_len; i++) {`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`set_chain_addr(addr, i);`
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all. 2017-10-16 10:58:45 +01:00			`gen_chain(params, pk + iparams->n, sig + iparams->n,`
Refactor and deduplicate WOTS 2017-10-23 14:54:14 +01:00			`lengths[i], params->wots_w - 1 - lengths[i], pub_seed, addr);`
Refactor for more consistent style and readability 2017-08-03 16:38:34 +01:00			`}`
Initial commit 2015-08-11 11:08:27 +01:00			`}`