kris
/
xmss-KAT-generator
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
105 Commits
1 Branch
488 KiB
Tree: fe252b8093
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'fe252b8093'
${ noResults }
xmss-KAT-generator/xmss_core_fast.c

xmss_core_fast.c 33 KiB
Ruw Normale weergave Geschiedenis

Add xmss_fast starting point before BDS
9 jaren geleden
SWITCH from v01 to v03 Versions are incompatible due to different address formats and differing message compression!
8 jaren geleden
Refactor to use compile-time parameter sets This starts a cleanup / refactor, but there is still some low-hanging fruit.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Move ull-byte-conversions to separate utils file
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Store BDS state in passable struct, not in globals
9 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Store BDS state in passable struct, not in globals
9 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Store BDS state in passable struct, not in globals
9 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Store BDS state in passable struct, not in globals
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add SHAKE128 and SHAKE256 This also performs numerous consistency fixes
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Consistently return -1 on failure
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Consistently return -1 on failure
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Resolve comparison warnings
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Consistently return -1 on failure
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Use BDS for auth paths in XMSS (but not XMSSMT yet)
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Let xmss_core decide on secret key size This allows different backends to store additional state information in the secret key while the rest of the codebase remains agnostic. In particular, this prepares for a common xmss_core.h API for both the standard and the BDS-traversal-based implementations.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Let xmss_core decide on secret key size This allows different backends to store additional state information in the secret key while the rest of the codebase remains agnostic. In particular, this prepares for a common xmss_core.h API for both the standard and the BDS-traversal-based implementations.
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
upgraded to draft-06
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Reorder ull_to_bytes parameters to group output
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Perform various reformatting / renaming
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Clean up and simplify hash function definitions
7 jaren geleden
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Let xmss_core decide on secret key size This allows different backends to store additional state information in the secret key while the rest of the codebase remains agnostic. In particular, this prepares for a common xmss_core.h API for both the standard and the BDS-traversal-based implementations.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Let xmss_core decide on secret key size This allows different backends to store additional state information in the secret key while the rest of the codebase remains agnostic. In particular, this prepares for a common xmss_core.h API for both the standard and the BDS-traversal-based implementations.
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
upgraded to draft-06
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Resolve comparison warnings
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Perform various reformatting / renaming
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Reorder ull_to_bytes parameters to group output
7 jaren geleden
Clean up and simplify hash function definitions
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Support messages that exceed the stack size Previous code allocated an array on the stack of mlen bytes, but it should be possible to also sign heap-space messages. By relying on the fact that sm and m fit the message + signature, we move the message so that 4*n bytes of prefix can be added.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Rename parameters for readability and consistency
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Revert to using runtime-only parameter struct Using global defines for parameters (as seems to be typical in academic crypto code) does not play nice with multithreading at all.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Make XMSSMT also use BDS tree traversal
9 jaren geleden
Make codestyle more consistent, fix -Wextra warns
8 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
Make core_fast use the secret key for the state This ensures that xmss_core and xmss_core_fast offer the same API. Note that xmss_core_fast still needs a major refactor, and this wrapper is not exactly very clean. There is a considerable chance this refactor will change the format of the state in the secret key.
7 jaren geleden
Refactor for more consistent style and readability
7 jaren geleden
Add xmss_fast starting point before BDS
9 jaren geleden
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953 
  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "utils.h"

  11. #include "xmss_commons.h"

  12. #include "xmss_core.h"

  13. 

  14. typedef struct{

  15.     unsigned char h;

  16.     unsigned long next_idx;

  17.     unsigned char stackusage;

  18.     unsigned char completed;

  19.     unsigned char *node;

  20. } treehash_inst;

  21. 

  22. typedef struct {

  23.     unsigned char *stack;

  24.     unsigned int stackoffset;

  25.     unsigned char *stacklevels;

  26.     unsigned char *auth;

  27.     unsigned char *keep;

  28.     treehash_inst *treehash;

  29.     unsigned char *retain;

  30.     unsigned int next_leaf;

  31. } bds_state;

  32. 

  33. /* These serialization functions provide a transition between the current

  34.    way of storing the state in an exposed struct, and storing it as part of the

  35.    byte array that is the secret key.

  36.    They will probably be refactored in a non-backwards-compatible way, soon. */

  37. 

  38. static void xmssmt_serialize_state(const xmss_params *params,

  39.                                    unsigned char *sk, bds_state *states)

  40. {

  41.     unsigned int i, j;

  42. 

  43.     /* Skip past the 'regular' sk */

  44.     sk += params->index_bytes + 4*params->n;

  45. 

  46.     for (i = 0; i < 2*params->d - 1; i++) {

  47.         sk += (params->tree_height + 1) * params->n; /* stack */

  48. 

  49.         ull_to_bytes(sk, 4, states[i].stackoffset);

  50.         sk += 4;

  51. 

  52.         sk += params->tree_height + 1; /* stacklevels */

  53.         sk += params->tree_height * params->n; /* auth */

  54.         sk += (params->tree_height >> 1) * params->n; /* keep */

  55. 

  56.         for (j = 0; j < params->tree_height - params->bds_k; j++) {

  57.             ull_to_bytes(sk, 1, states[i].treehash[j].h);

  58.             sk += 1;

  59. 

  60.             ull_to_bytes(sk, 4, states[i].treehash[j].next_idx);

  61.             sk += 4;

  62. 

  63.             ull_to_bytes(sk, 1, states[i].treehash[j].stackusage);

  64.             sk += 1;

  65. 

  66.             ull_to_bytes(sk, 1, states[i].treehash[j].completed);

  67.             sk += 1;

  68. 

  69.             sk += params->n; /* node */

  70.         }

  71. 

  72.         /* retain */

  73.         sk += ((1 << params->bds_k) - params->bds_k - 1) * params->n;

  74. 

  75.         ull_to_bytes(sk, 4, states[i].next_leaf);

  76.         sk += 4;

  77.     }

  78. }

  79. 

  80. static void xmssmt_deserialize_state(const xmss_params *params,

  81.                                      bds_state *states,

  82.                                      unsigned char **wots_sigs,

  83.                                      unsigned char *sk)

  84. {

  85.     unsigned int i, j;

  86. 

  87.     /* Skip past the 'regular' sk */

  88.     sk += params->index_bytes + 4*params->n;

  89. 

  90.     // TODO These data sizes follow from the (former) test xmss_core_fast.c

  91.     // TODO They should be reconsidered / motivated more explicitly

  92. 

  93.     for (i = 0; i < 2*params->d - 1; i++) {

  94.         states[i].stack = sk;

  95.         sk += (params->tree_height + 1) * params->n;

  96. 

  97.         states[i].stackoffset = bytes_to_ull(sk, 4);

  98.         sk += 4;

  99. 

  100.         states[i].stacklevels = sk;

  101.         sk += params->tree_height + 1;

  102. 

  103.         states[i].auth = sk;

  104.         sk += params->tree_height * params->n;

  105. 

  106.         states[i].keep = sk;

  107.         sk += (params->tree_height >> 1) * params->n;

  108. 

  109.         for (j = 0; j < params->tree_height - params->bds_k; j++) {

  110.             states[i].treehash[j].h = bytes_to_ull(sk, 1);

  111.             sk += 1;

  112. 

  113.             states[i].treehash[j].next_idx = bytes_to_ull(sk, 4);

  114.             sk += 4;

  115. 

  116.             states[i].treehash[j].stackusage = bytes_to_ull(sk, 1);

  117.             sk += 1;

  118. 

  119.             states[i].treehash[j].completed = bytes_to_ull(sk, 1);

  120.             sk += 1;

  121. 

  122.             states[i].treehash[j].node = sk;

  123.             sk += params->n;

  124.         }

  125. 

  126.         states[i].retain = sk;

  127.         sk += ((1 << params->bds_k) - params->bds_k - 1) * params->n;

  128. 

  129.         states[i].next_leaf = bytes_to_ull(sk, 4);

  130.         sk += 4;

  131.     }

  132. 

  133.     if (params->d > 1) {

  134.         *wots_sigs = sk;

  135.     }

  136. }

  137. 

  138. static void xmss_serialize_state(const xmss_params *params,

  139.                                  unsigned char *sk, bds_state *state)

  140. {

  141.     xmssmt_serialize_state(params, sk, state);

  142. }

  143. 

  144. static void xmss_deserialize_state(const xmss_params *params,

  145.                                    bds_state *state, unsigned char *sk)

  146. {

  147.     xmssmt_deserialize_state(params, state, NULL, sk);

  148. }

  149. 

  150. static void memswap(void *a, void *b, void *t, unsigned long long len)

  151. {

  152.     memcpy(t, a, len);

  153.     memcpy(a, b, len);

  154.     memcpy(b, t, len);

  155. }

  156. 

  157. /**

  158.  * Swaps the content of two bds_state objects, swapping actual memory rather

  159.  * than pointers.

  160.  * As we're mapping memory chunks in the secret key to bds state objects,

  161.  * it is now necessary to make swaps 'real swaps'. This could be done in the

  162.  * serialization function as well, but that causes more overhead

  163.  */

  164. // TODO this should not be necessary if we keep better track of the states

  165. static void deep_state_swap(const xmss_params *params,

  166.                             bds_state *a, bds_state *b)

  167. {

  168.     // TODO this is extremely ugly and should be refactored

  169.     // TODO right now, this ensures that both 'stack' and 'retain' fit

  170.     unsigned char t[

  171.         ((params->tree_height + 1) > ((1 << params->bds_k) - params->bds_k - 1)

  172.          ? (params->tree_height + 1)

  173.          : ((1 << params->bds_k) - params->bds_k - 1))

  174.         * params->n];

  175.     unsigned int i;

  176. 

  177.     memswap(a->stack, b->stack, t, (params->tree_height + 1) * params->n);

  178.     memswap(&a->stackoffset, &b->stackoffset, t, sizeof(a->stackoffset));

  179.     memswap(a->stacklevels, b->stacklevels, t, params->tree_height + 1);

  180.     memswap(a->auth, b->auth, t, params->tree_height * params->n);

  181.     memswap(a->keep, b->keep, t, (params->tree_height >> 1) * params->n);

  182. 

  183.     for (i = 0; i < params->tree_height - params->bds_k; i++) {

  184.         memswap(&a->treehash[i].h, &b->treehash[i].h, t, sizeof(a->treehash[i].h));

  185.         memswap(&a->treehash[i].next_idx, &b->treehash[i].next_idx, t, sizeof(a->treehash[i].next_idx));

  186.         memswap(&a->treehash[i].stackusage, &b->treehash[i].stackusage, t, sizeof(a->treehash[i].stackusage));

  187.         memswap(&a->treehash[i].completed, &b->treehash[i].completed, t, sizeof(a->treehash[i].completed));

  188.         memswap(a->treehash[i].node, b->treehash[i].node, t, params->n);

  189.     }

  190. 

  191.     memswap(a->retain, b->retain, t, ((1 << params->bds_k) - params->bds_k - 1) * params->n);

  192.     memswap(&a->next_leaf, &b->next_leaf, t, sizeof(a->next_leaf));

  193. }

  194. 

  195. static int treehash_minheight_on_stack(const xmss_params *params,

  196.                                        bds_state* state,

  197.                                        const treehash_inst *treehash)

  198. {

  199.     unsigned int r = params->tree_height, i;

  200. 

  201.     for (i = 0; i < treehash->stackusage; i++) {

  202.         if (state->stacklevels[state->stackoffset - i - 1] < r) {

  203.             r = state->stacklevels[state->stackoffset - i - 1];

  204.         }

  205.     }

  206.     return r;

  207. }

  208. 

  209. /**

  210.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  211.  * Currently only used for key generation.

  212.  *

  213.  */

  214. static void treehash_init(const xmss_params *params,

  215.                           unsigned char *node, int height, int index,

  216.                           bds_state *state, const unsigned char *sk_seed,

  217.                           const unsigned char *pub_seed, const uint32_t addr[8])

  218. {

  219.     unsigned int idx = index;

  220.     // use three different addresses because at this point we use all three formats in parallel

  221.     uint32_t ots_addr[8];

  222.     uint32_t ltree_addr[8];

  223.     uint32_t node_addr[8];

  224.     // only copy layer and tree address parts

  225.     memcpy(ots_addr, addr, 12);

  226.     // type = ots

  227.     set_type(ots_addr, 0);

  228.     memcpy(ltree_addr, addr, 12);

  229.     set_type(ltree_addr, 1);

  230.     memcpy(node_addr, addr, 12);

  231.     set_type(node_addr, 2);

  232. 

  233.     uint32_t lastnode, i;

  234.     unsigned char stack[(height+1)*params->n];

  235.     unsigned int stacklevels[height+1];

  236.     unsigned int stackoffset=0;

  237.     unsigned int nodeh;

  238. 

  239.     lastnode = idx+(1<<height);

  240. 

  241.     for (i = 0; i < params->tree_height-params->bds_k; i++) {

  242.         state->treehash[i].h = i;

  243.         state->treehash[i].completed = 1;

  244.         state->treehash[i].stackusage = 0;

  245.     }

  246. 

  247.     i = 0;

  248.     for (; idx < lastnode; idx++) {

  249.         set_ltree_addr(ltree_addr, idx);

  250.         set_ots_addr(ots_addr, idx);

  251.         gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  252.         stacklevels[stackoffset] = 0;

  253.         stackoffset++;

  254.         if (params->tree_height - params->bds_k > 0 && i == 3) {

  255.             memcpy(state->treehash[0].node, stack+stackoffset*params->n, params->n);

  256.         }

  257.         while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  258.             nodeh = stacklevels[stackoffset-1];

  259.             if (i >> nodeh == 1) {

  260.                 memcpy(state->auth + nodeh*params->n, stack+(stackoffset-1)*params->n, params->n);

  261.             }

  262.             else {

  263.                 if (nodeh < params->tree_height - params->bds_k && i >> nodeh == 3) {

  264.                     memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*params->n, params->n);

  265.                 }

  266.                 else if (nodeh >= params->tree_height - params->bds_k) {

  267.                     memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((i >> nodeh) - 3) >> 1)) * params->n, stack+(stackoffset-1)*params->n, params->n);

  268.                 }

  269.             }

  270.             set_tree_height(node_addr, stacklevels[stackoffset-1]);

  271.             set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  272.             hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);

  273.             stacklevels[stackoffset-2]++;

  274.             stackoffset--;

  275.         }

  276.         i++;

  277.     }

  278. 

  279.     for (i = 0; i < params->n; i++) {

  280.         node[i] = stack[i];

  281.     }

  282. }

  283. 

  284. static void treehash_update(const xmss_params *params,

  285.                             treehash_inst *treehash, bds_state *state,

  286.                             const unsigned char *sk_seed,

  287.                             const unsigned char *pub_seed,

  288.                             const uint32_t addr[8])

  289. {

  290.     uint32_t ots_addr[8];

  291.     uint32_t ltree_addr[8];

  292.     uint32_t node_addr[8];

  293.     // only copy layer and tree address parts

  294.     memcpy(ots_addr, addr, 12);

  295.     // type = ots

  296.     set_type(ots_addr, 0);

  297.     memcpy(ltree_addr, addr, 12);

  298.     set_type(ltree_addr, 1);

  299.     memcpy(node_addr, addr, 12);

  300.     set_type(node_addr, 2);

  301. 

  302.     set_ltree_addr(ltree_addr, treehash->next_idx);

  303.     set_ots_addr(ots_addr, treehash->next_idx);

  304. 

  305.     unsigned char nodebuffer[2 * params->n];

  306.     unsigned int nodeheight = 0;

  307.     gen_leaf_wots(params, nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);

  308.     while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  309.         memcpy(nodebuffer + params->n, nodebuffer, params->n);

  310.         memcpy(nodebuffer, state->stack + (state->stackoffset-1)*params->n, params->n);

  311.         set_tree_height(node_addr, nodeheight);

  312.         set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));

  313.         hash_h(params, nodebuffer, nodebuffer, pub_seed, node_addr);

  314.         nodeheight++;

  315.         treehash->stackusage--;

  316.         state->stackoffset--;

  317.     }

  318.     if (nodeheight == treehash->h) { // this also implies stackusage == 0

  319.         memcpy(treehash->node, nodebuffer, params->n);

  320.         treehash->completed = 1;

  321.     }

  322.     else {

  323.         memcpy(state->stack + state->stackoffset*params->n, nodebuffer, params->n);

  324.         treehash->stackusage++;

  325.         state->stacklevels[state->stackoffset] = nodeheight;

  326.         state->stackoffset++;

  327.         treehash->next_idx++;

  328.     }

  329. }

  330. 

  331. /**

  332.  * Performs treehash updates on the instance that needs it the most.

  333.  * Returns the updated number of available updates.

  334.  **/

  335. static char bds_treehash_update(const xmss_params *params,

  336.                                 bds_state *state, unsigned int updates,

  337.                                 const unsigned char *sk_seed,

  338.                                 unsigned char *pub_seed,

  339.                                 const uint32_t addr[8])

  340. {

  341.     uint32_t i, j;

  342.     unsigned int level, l_min, low;

  343.     unsigned int used = 0;

  344. 

  345.     for (j = 0; j < updates; j++) {

  346.         l_min = params->tree_height;

  347.         level = params->tree_height - params->bds_k;

  348.         for (i = 0; i < params->tree_height - params->bds_k; i++) {

  349.             if (state->treehash[i].completed) {

  350.                 low = params->tree_height;

  351.             }

  352.             else if (state->treehash[i].stackusage == 0) {

  353.                 low = i;

  354.             }

  355.             else {

  356.                 low = treehash_minheight_on_stack(params, state, &(state->treehash[i]));

  357.             }

  358.             if (low < l_min) {

  359.                 level = i;

  360.                 l_min = low;

  361.             }

  362.         }

  363.         if (level == params->tree_height - params->bds_k) {

  364.             break;

  365.         }

  366.         treehash_update(params, &(state->treehash[level]), state, sk_seed, pub_seed, addr);

  367.         used++;

  368.     }

  369.     return updates - used;

  370. }

  371. 

  372. /**

  373.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  374.  * Returns -1 if all leaf nodes have already been processed

  375.  **/

  376. static char bds_state_update(const xmss_params *params,

  377.                              bds_state *state, const unsigned char *sk_seed,

  378.                              const unsigned char *pub_seed,

  379.                              const uint32_t addr[8])

  380. {

  381.     uint32_t ltree_addr[8];

  382.     uint32_t node_addr[8];

  383.     uint32_t ots_addr[8];

  384. 

  385.     unsigned int nodeh;

  386.     int idx = state->next_leaf;

  387.     if (idx == 1 << params->tree_height) {

  388.         return -1;

  389.     }

  390. 

  391.     // only copy layer and tree address parts

  392.     memcpy(ots_addr, addr, 12);

  393.     // type = ots

  394.     set_type(ots_addr, 0);

  395.     memcpy(ltree_addr, addr, 12);

  396.     set_type(ltree_addr, 1);

  397.     memcpy(node_addr, addr, 12);

  398.     set_type(node_addr, 2);

  399. 

  400.     set_ots_addr(ots_addr, idx);

  401.     set_ltree_addr(ltree_addr, idx);

  402. 

  403.     gen_leaf_wots(params, state->stack+state->stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  404. 

  405.     state->stacklevels[state->stackoffset] = 0;

  406.     state->stackoffset++;

  407.     if (params->tree_height - params->bds_k > 0 && idx == 3) {

  408.         memcpy(state->treehash[0].node, state->stack+state->stackoffset*params->n, params->n);

  409.     }

  410.     while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  411.         nodeh = state->stacklevels[state->stackoffset-1];

  412.         if (idx >> nodeh == 1) {

  413.             memcpy(state->auth + nodeh*params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  414.         }

  415.         else {

  416.             if (nodeh < params->tree_height - params->bds_k && idx >> nodeh == 3) {

  417.                 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*params->n, params->n);

  418.             }

  419.             else if (nodeh >= params->tree_height - params->bds_k) {

  420.                 memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((idx >> nodeh) - 3) >> 1)) * params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  421.             }

  422.         }

  423.         set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);

  424.         set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  425.         hash_h(params, state->stack+(state->stackoffset-2)*params->n, state->stack+(state->stackoffset-2)*params->n, pub_seed, node_addr);

  426. 

  427.         state->stacklevels[state->stackoffset-2]++;

  428.         state->stackoffset--;

  429.     }

  430.     state->next_leaf++;

  431.     return 0;

  432. }

  433. 

  434. /**

  435.  * Returns the auth path for node leaf_idx and computes the auth path for the

  436.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  437.  * in "Post Quantum Cryptography", Springer 2009.

  438.  */

  439. static void bds_round(const xmss_params *params,

  440.                       bds_state *state, const unsigned long leaf_idx,

  441.                       const unsigned char *sk_seed,

  442.                       const unsigned char *pub_seed, uint32_t addr[8])

  443. {

  444.     unsigned int i;

  445.     unsigned int tau = params->tree_height;

  446.     unsigned int startidx;

  447.     unsigned int offset, rowidx;

  448.     unsigned char buf[2 * params->n];

  449. 

  450.     uint32_t ots_addr[8];

  451.     uint32_t ltree_addr[8];

  452.     uint32_t node_addr[8];

  453.     // only copy layer and tree address parts

  454.     memcpy(ots_addr, addr, 12);

  455.     // type = ots

  456.     set_type(ots_addr, 0);

  457.     memcpy(ltree_addr, addr, 12);

  458.     set_type(ltree_addr, 1);

  459.     memcpy(node_addr, addr, 12);

  460.     set_type(node_addr, 2);

  461. 

  462.     for (i = 0; i < params->tree_height; i++) {

  463.         if (! ((leaf_idx >> i) & 1)) {

  464.             tau = i;

  465.             break;

  466.         }

  467.     }

  468. 

  469.     if (tau > 0) {

  470.         memcpy(buf, state->auth + (tau-1) * params->n, params->n);

  471.         // we need to do this before refreshing state->keep to prevent overwriting

  472.         memcpy(buf + params->n, state->keep + ((tau-1) >> 1) * params->n, params->n);

  473.     }

  474.     if (!((leaf_idx >> (tau + 1)) & 1) && (tau < params->tree_height - 1)) {

  475.         memcpy(state->keep + (tau >> 1)*params->n, state->auth + tau*params->n, params->n);

  476.     }

  477.     if (tau == 0) {

  478.         set_ltree_addr(ltree_addr, leaf_idx);

  479.         set_ots_addr(ots_addr, leaf_idx);

  480.         gen_leaf_wots(params, state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);

  481.     }

  482.     else {

  483.         set_tree_height(node_addr, (tau-1));

  484.         set_tree_index(node_addr, leaf_idx >> tau);

  485.         hash_h(params, state->auth + tau * params->n, buf, pub_seed, node_addr);

  486.         for (i = 0; i < tau; i++) {

  487.             if (i < params->tree_height - params->bds_k) {

  488.                 memcpy(state->auth + i * params->n, state->treehash[i].node, params->n);

  489.             }

  490.             else {

  491.                 offset = (1 << (params->tree_height - 1 - i)) + i - params->tree_height;

  492.                 rowidx = ((leaf_idx >> i) - 1) >> 1;

  493.                 memcpy(state->auth + i * params->n, state->retain + (offset + rowidx) * params->n, params->n);

  494.             }

  495.         }

  496. 

  497.         for (i = 0; i < ((tau < params->tree_height - params->bds_k) ? tau : (params->tree_height - params->bds_k)); i++) {

  498.             startidx = leaf_idx + 1 + 3 * (1 << i);

  499.             if (startidx < 1U << params->tree_height) {

  500.                 state->treehash[i].h = i;

  501.                 state->treehash[i].next_idx = startidx;

  502.                 state->treehash[i].completed = 0;

  503.                 state->treehash[i].stackusage = 0;

  504.             }

  505.         }

  506.     }

  507. }

  508. 

  509. /**

  510.  * Given a set of parameters, this function returns the size of the secret key.

  511.  * This is implementation specific, as varying choices in tree traversal will

  512.  * result in varying requirements for state storage.

  513.  */

  514. unsigned long long xmss_core_sk_bytes(const xmss_params *params)

  515. {

  516.     return xmssmt_core_sk_bytes(params);

  517. }

  518. 

  519. /*

  520.  * Generates a XMSS key pair for a given parameter set.

  521.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  522.  * Format pk: [root || PUB_SEED] omitting algo oid.

  523.  */

  524. int xmss_core_keypair(const xmss_params *params,

  525.                       unsigned char *pk, unsigned char *sk)

  526. {

  527.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  528. 

  529.     // TODO refactor BDS state not to need separate treehash instances

  530.     bds_state state;

  531.     treehash_inst treehash[params->tree_height - params->bds_k];

  532.     state.treehash = treehash;

  533. 

  534.     xmss_deserialize_state(params, &state, sk);

  535. 

  536.     state.stackoffset = 0;

  537.     state.next_leaf = 0;

  538. 

  539.     // Set idx = 0

  540.     sk[0] = 0;

  541.     sk[1] = 0;

  542.     sk[2] = 0;

  543.     sk[3] = 0;

  544.     // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  545.     randombytes(sk + params->index_bytes, 3*params->n);

  546.     // Copy PUB_SEED to public key

  547.     memcpy(pk + params->n, sk + params->index_bytes + 2*params->n, params->n);

  548. 

  549.     // Compute root

  550.     treehash_init(params, pk, params->tree_height, 0, &state, sk + params->index_bytes, sk + params->index_bytes + 2*params->n, addr);

  551.     // copy root o sk

  552.     memcpy(sk + params->index_bytes + 3*params->n, pk, params->n);

  553. 

  554.     /* Write the BDS state into sk. */

  555.     xmss_serialize_state(params, sk, &state);

  556. 

  557.     return 0;

  558. }

  559. 

  560. /**

  561.  * Signs a message.

  562.  * Returns

  563.  * 1. an array containing the signature followed by the message AND

  564.  * 2. an updated secret key!

  565.  *

  566.  */

  567. int xmss_core_sign(const xmss_params *params,

  568.                    unsigned char *sk,

  569.                    unsigned char *sm, unsigned long long *smlen,

  570.                    const unsigned char *m, unsigned long long mlen)

  571. {

  572.     const unsigned char *pub_root = sk + params->index_bytes + 3*params->n;

  573. 

  574.     uint16_t i = 0;

  575. 

  576.     // TODO refactor BDS state not to need separate treehash instances

  577.     bds_state state;

  578.     treehash_inst treehash[params->tree_height - params->bds_k];

  579.     state.treehash = treehash;

  580. 

  581.     /* Load the BDS state from sk. */

  582.     xmss_deserialize_state(params, &state, sk);

  583. 

  584.     // Extract SK

  585.     unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  586.     unsigned char sk_seed[params->n];

  587.     memcpy(sk_seed, sk + params->index_bytes, params->n);

  588.     unsigned char sk_prf[params->n];

  589.     memcpy(sk_prf, sk + params->index_bytes + params->n, params->n);

  590.     unsigned char pub_seed[params->n];

  591.     memcpy(pub_seed, sk + params->index_bytes + 2*params->n, params->n);

  592. 

  593.     // index as 32 bytes string

  594.     unsigned char idx_bytes_32[32];

  595.     ull_to_bytes(idx_bytes_32, 32, idx);

  596. 

  597.     // Update SK

  598.     sk[0] = ((idx + 1) >> 24) & 255;

  599.     sk[1] = ((idx + 1) >> 16) & 255;

  600.     sk[2] = ((idx + 1) >> 8) & 255;

  601.     sk[3] = (idx + 1) & 255;

  602.     // Secret key for this non-forward-secure version is now updated.

  603.     // A production implementation should consider using a file handle instead,

  604.     //  and write the updated secret key at this point!

  605. 

  606.     // Init working params

  607.     unsigned char R[params->n];

  608.     unsigned char msg_h[params->n];

  609.     unsigned char ots_seed[params->n];

  610.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  611. 

  612.     // ---------------------------------

  613.     // Message Hashing

  614.     // ---------------------------------

  615. 

  616.     // Message Hash:

  617.     // First compute pseudorandom value

  618.     prf(params, R, idx_bytes_32, sk_prf);

  619. 

  620.     /* Already put the message in the right place, to make it easier to prepend

  621.      * things when computing the hash over the message. */

  622.     memcpy(sm + params->sig_bytes, m, mlen);

  623. 

  624.     /* Compute the message hash. */

  625.     hash_message(params, msg_h, R, pub_root, idx,

  626.                  sm + params->sig_bytes - 4*params->n, mlen);

  627. 

  628.     // Start collecting signature

  629.     *smlen = 0;

  630. 

  631.     // Copy index to signature

  632.     sm[0] = (idx >> 24) & 255;

  633.     sm[1] = (idx >> 16) & 255;

  634.     sm[2] = (idx >> 8) & 255;

  635.     sm[3] = idx & 255;

  636. 

  637.     sm += 4;

  638.     *smlen += 4;

  639. 

  640.     // Copy R to signature

  641.     for (i = 0; i < params->n; i++) {

  642.         sm[i] = R[i];

  643.     }

  644. 

  645.     sm += params->n;

  646.     *smlen += params->n;

  647. 

  648.     // ----------------------------------

  649.     // Now we start to "really sign"

  650.     // ----------------------------------

  651. 

  652.     // Prepare Address

  653.     set_type(ots_addr, 0);

  654.     set_ots_addr(ots_addr, idx);

  655. 

  656.     // Compute seed for OTS key pair

  657.     get_seed(params, ots_seed, sk_seed, ots_addr);

  658. 

  659.     // Compute WOTS signature

  660.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  661. 

  662.     sm += params->wots_sig_bytes;

  663.     *smlen += params->wots_sig_bytes;

  664. 

  665.     // the auth path was already computed during the previous round

  666.     memcpy(sm, state.auth, params->tree_height*params->n);

  667. 

  668.     if (idx < (1U << params->tree_height) - 1) {

  669.         bds_round(params, &state, idx, sk_seed, pub_seed, ots_addr);

  670.         bds_treehash_update(params, &state, (params->tree_height - params->bds_k) >> 1, sk_seed, pub_seed, ots_addr);

  671.     }

  672. 

  673.     sm += params->tree_height*params->n;

  674.     *smlen += params->tree_height*params->n;

  675. 

  676.     memcpy(sm, m, mlen);

  677.     *smlen += mlen;

  678. 

  679.     /* Write the updated BDS state back into sk. */

  680.     xmss_serialize_state(params, sk, &state);

  681. 

  682.     return 0;

  683. }

  684. 

  685. /**

  686.  * Given a set of parameters, this function returns the size of the secret key.

  687.  * This is implementation specific, as varying choices in tree traversal will

  688.  * result in varying requirements for state storage.

  689.  */

  690. unsigned long long xmssmt_core_sk_bytes(const xmss_params *params)

  691. {

  692.     return params->index_bytes + 4 * params->n

  693.             + (2 * params->d - 1) * (

  694.                 (params->tree_height + 1) * params->n

  695.                 + 4

  696.                 + params->tree_height + 1

  697.                 + params->tree_height * params->n

  698.                 + (params->tree_height >> 1) * params->n

  699.                 + (params->tree_height - params->bds_k) * (7 + params->n)

  700.                 + ((1 << params->bds_k) - params->bds_k - 1) * params->n

  701.                 + 4

  702.              )

  703.             + (params->d - 1) * params->wots_sig_bytes;

  704. }

  705. 

  706. /*

  707.  * Generates a XMSSMT key pair for a given parameter set.

  708.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  709.  * Format pk: [root || PUB_SEED] omitting algo oid.

  710.  */

  711. int xmssmt_core_keypair(const xmss_params *params,

  712.                         unsigned char *pk, unsigned char *sk)

  713. {

  714.     unsigned char ots_seed[params->n];

  715.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  716.     unsigned int i;

  717.     unsigned char *wots_sigs;

  718. 

  719.     // TODO refactor BDS state not to need separate treehash instances

  720.     bds_state states[2*params->d - 1];

  721.     treehash_inst treehash[(2*params->d - 1) * (params->tree_height - params->bds_k)];

  722.     for (i = 0; i < 2*params->d - 1; i++) {

  723.         states[i].treehash = treehash + i * (params->tree_height - params->bds_k);

  724.     }

  725. 

  726.     xmssmt_deserialize_state(params, states, &wots_sigs, sk);

  727. 

  728.     for (i = 0; i < 2 * params->d - 1; i++) {

  729.         states[i].stackoffset = 0;

  730.         states[i].next_leaf = 0;

  731.     }

  732. 

  733.     // Set idx = 0

  734.     for (i = 0; i < params->index_bytes; i++) {

  735.         sk[i] = 0;

  736.     }

  737.     // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)

  738.     randombytes(sk+params->index_bytes, 3*params->n);

  739.     // Copy PUB_SEED to public key

  740.     memcpy(pk+params->n, sk+params->index_bytes+2*params->n, params->n);

  741. 

  742.     // Start with the bottom-most layer

  743.     set_layer_addr(addr, 0);

  744.     // Set up state and compute wots signatures for all but topmost tree root

  745.     for (i = 0; i < params->d - 1; i++) {

  746.         // Compute seed for OTS key pair

  747.         treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_bytes, pk+params->n, addr);

  748.         set_layer_addr(addr, (i+1));

  749.         get_seed(params, ots_seed, sk + params->index_bytes, addr);

  750.         wots_sign(params, wots_sigs + i*params->wots_sig_bytes, pk, ots_seed, pk+params->n, addr);

  751.     }

  752.     // Address now points to the single tree on layer d-1

  753.     treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_bytes, pk+params->n, addr);

  754.     memcpy(sk + params->index_bytes + 3*params->n, pk, params->n);

  755. 

  756.     xmssmt_serialize_state(params, sk, states);

  757. 

  758.     return 0;

  759. }

  760. 

  761. /**

  762.  * Signs a message.

  763.  * Returns

  764.  * 1. an array containing the signature followed by the message AND

  765.  * 2. an updated secret key!

  766.  *

  767.  */

  768. int xmssmt_core_sign(const xmss_params *params,

  769.                      unsigned char *sk,

  770.                      unsigned char *sm, unsigned long long *smlen,

  771.                      const unsigned char *m, unsigned long long mlen)

  772. {

  773.     const unsigned char *pub_root = sk + params->index_bytes + 3*params->n;

  774. 

  775.     uint64_t idx_tree;

  776.     uint32_t idx_leaf;

  777.     uint64_t i, j;

  778.     int needswap_upto = -1;

  779.     unsigned int updates;

  780. 

  781.     unsigned char sk_seed[params->n];

  782.     unsigned char sk_prf[params->n];

  783.     unsigned char pub_seed[params->n];

  784.     // Init working params

  785.     unsigned char R[params->n];

  786.     unsigned char msg_h[params->n];

  787.     unsigned char ots_seed[params->n];

  788.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  789.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  790.     unsigned char idx_bytes_32[32];

  791. 

  792.     unsigned char *wots_sigs;

  793. 

  794.     // TODO refactor BDS state not to need separate treehash instances

  795.     bds_state states[2*params->d - 1];

  796.     treehash_inst treehash[(2*params->d - 1) * (params->tree_height - params->bds_k)];

  797.     for (i = 0; i < 2*params->d - 1; i++) {

  798.         states[i].treehash = treehash + i * (params->tree_height - params->bds_k);

  799.     }

  800. 

  801.     xmssmt_deserialize_state(params, states, &wots_sigs, sk);

  802. 

  803.     // Extract SK

  804.     unsigned long long idx = 0;

  805.     for (i = 0; i < params->index_bytes; i++) {

  806.         idx |= ((unsigned long long)sk[i]) << 8*(params->index_bytes - 1 - i);

  807.     }

  808. 

  809.     memcpy(sk_seed, sk+params->index_bytes, params->n);

  810.     memcpy(sk_prf, sk+params->index_bytes+params->n, params->n);

  811.     memcpy(pub_seed, sk+params->index_bytes+2*params->n, params->n);

  812. 

  813.     // Update SK

  814.     for (i = 0; i < params->index_bytes; i++) {

  815.         sk[i] = ((idx + 1) >> 8*(params->index_bytes - 1 - i)) & 255;

  816.     }

  817.     // Secret key for this non-forward-secure version is now updated.

  818.     // A production implementation should consider using a file handle instead,

  819.     //  and write the updated secret key at this point!

  820. 

  821.     // ---------------------------------

  822.     // Message Hashing

  823.     // ---------------------------------

  824. 

  825.     // Message Hash:

  826.     // First compute pseudorandom value

  827.     ull_to_bytes(idx_bytes_32, 32, idx);

  828.     prf(params, R, idx_bytes_32, sk_prf);

  829. 

  830.     /* Already put the message in the right place, to make it easier to prepend

  831.      * things when computing the hash over the message. */

  832.     memcpy(sm + params->sig_bytes, m, mlen);

  833. 

  834.     /* Compute the message hash. */

  835.     hash_message(params, msg_h, R, pub_root, idx,

  836.                  sm + params->sig_bytes - 4*params->n, mlen);

  837. 

  838.     // Start collecting signature

  839.     *smlen = 0;

  840. 

  841.     // Copy index to signature

  842.     for (i = 0; i < params->index_bytes; i++) {

  843.         sm[i] = (idx >> 8*(params->index_bytes - 1 - i)) & 255;

  844.     }

  845. 

  846.     sm += params->index_bytes;

  847.     *smlen += params->index_bytes;

  848. 

  849.     // Copy R to signature

  850.     for (i = 0; i < params->n; i++) {

  851.         sm[i] = R[i];

  852.     }

  853. 

  854.     sm += params->n;

  855.     *smlen += params->n;

  856. 

  857.     // ----------------------------------

  858.     // Now we start to "really sign"

  859.     // ----------------------------------

  860. 

  861.     // Handle lowest layer separately as it is slightly different...

  862. 

  863.     // Prepare Address

  864.     set_type(ots_addr, 0);

  865.     idx_tree = idx >> params->tree_height;

  866.     idx_leaf = (idx & ((1 << params->tree_height)-1));

  867.     set_layer_addr(ots_addr, 0);

  868.     set_tree_addr(ots_addr, idx_tree);

  869.     set_ots_addr(ots_addr, idx_leaf);

  870. 

  871.     // Compute seed for OTS key pair

  872.     get_seed(params, ots_seed, sk_seed, ots_addr);

  873. 

  874.     // Compute WOTS signature

  875.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  876. 

  877.     sm += params->wots_sig_bytes;

  878.     *smlen += params->wots_sig_bytes;

  879. 

  880.     memcpy(sm, states[0].auth, params->tree_height*params->n);

  881.     sm += params->tree_height*params->n;

  882.     *smlen += params->tree_height*params->n;

  883. 

  884.     // prepare signature of remaining layers

  885.     for (i = 1; i < params->d; i++) {

  886.         // put WOTS signature in place

  887.         memcpy(sm, wots_sigs + (i-1)*params->wots_sig_bytes, params->wots_sig_bytes);

  888. 

  889.         sm += params->wots_sig_bytes;

  890.         *smlen += params->wots_sig_bytes;

  891. 

  892.         // put AUTH nodes in place

  893.         memcpy(sm, states[i].auth, params->tree_height*params->n);

  894.         sm += params->tree_height*params->n;

  895.         *smlen += params->tree_height*params->n;

  896.     }

  897. 

  898.     updates = (params->tree_height - params->bds_k) >> 1;

  899. 

  900.     set_tree_addr(addr, (idx_tree + 1));

  901.     // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  902.     if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << params->full_height)) {

  903.         bds_state_update(params, &states[params->d], sk_seed, pub_seed, addr);

  904.     }

  905. 

  906.     for (i = 0; i < params->d; i++) {

  907.         // check if we're not at the end of a tree

  908.         if (! (((idx + 1) & ((1ULL << ((i+1)*params->tree_height)) - 1)) == 0)) {

  909.             idx_leaf = (idx >> (params->tree_height * i)) & ((1 << params->tree_height)-1);

  910.             idx_tree = (idx >> (params->tree_height * (i+1)));

  911.             set_layer_addr(addr, i);

  912.             set_tree_addr(addr, idx_tree);

  913.             if (i == (unsigned int) (needswap_upto + 1)) {

  914.                 bds_round(params, &states[i], idx_leaf, sk_seed, pub_seed, addr);

  915.             }

  916.             updates = bds_treehash_update(params, &states[i], updates, sk_seed, pub_seed, addr);

  917.             set_tree_addr(addr, (idx_tree + 1));

  918.             // if a NEXT-tree exists for this level;

  919.             if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << (params->full_height - params->tree_height * i))) {

  920.                 if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << params->full_height)) {

  921.                     bds_state_update(params, &states[params->d + i], sk_seed, pub_seed, addr);

  922.                     updates--;

  923.                 }

  924.             }

  925.         }

  926.         else if (idx < (1ULL << params->full_height) - 1) {

  927.             deep_state_swap(params, states+params->d + i, states + i);

  928. 

  929.             set_layer_addr(ots_addr, (i+1));

  930.             set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * params->tree_height)));

  931.             set_ots_addr(ots_addr, (((idx >> ((i+1) * params->tree_height)) + 1) & ((1 << params->tree_height)-1)));

  932. 

  933.             get_seed(params, ots_seed, sk+params->index_bytes, ots_addr);

  934.             wots_sign(params, wots_sigs + i*params->wots_sig_bytes, states[i].stack, ots_seed, pub_seed, ots_addr);

  935. 

  936.             states[params->d + i].stackoffset = 0;

  937.             states[params->d + i].next_leaf = 0;

  938. 

  939.             updates--; // WOTS-signing counts as one update

  940.             needswap_upto = i;

  941.             for (j = 0; j < params->tree_height-params->bds_k; j++) {

  942.                 states[i].treehash[j].completed = 1;

  943.             }

  944.         }

  945.     }

  946. 

  947.     memcpy(sm, m, mlen);

  948.     *smlen += mlen;

  949. 

  950.     xmssmt_serialize_state(params, sk, states);

  951. 

  952.     return 0;

  953. }