kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 Commits
1 Branch
488 KiB
 
 
Tree: 0986ceb2b7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0986ceb2b7'
${ noResults }
xmss-KAT-generator/xmss.c

807 lines
22 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. //#include "prg.h"

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. 

  21. // For testing

  22. #include "stdio.h"

  23. 

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes n byte sk_seed and returns n byte seed using 32 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8], const unsigned char hash_alg)

  32. {

  33.   unsigned char bytes[32];

  34.   // Make sure that chain addr, hash addr, and key bit are 0!

  35.   setChainADRS(addr,0);

  36.   setHashADRS(addr,0);

  37.   setKeyAndMask(addr,0);

  38.   // Generate pseudorandom value

  39.   addr_to_byte(bytes, addr);

  40.   prf(seed, bytes, sk_seed, n, hash_alg);

  41. }

  42. 

  43. /**

  44.  * Initialize xmss params struct

  45.  * parameter names are the same as in the draft

  46.  */

  47. void xmss_set_params(xmss_params *params, int n, int h, int w, unsigned char hash_alg)

  48. {

  49.   params->h = h;

  50.   params->n = n;

  51.   wots_params wots_par;

  52.   wots_set_params(&wots_par, n, w, hash_alg);

  53.   params->wots_par = wots_par;

  54.   params->hash_alg = hash_alg;

  55. }

  56. 

  57. /**

  58.  * Initialize xmssmt_params struct

  59.  * parameter names are the same as in the draft

  60.  *

  61.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  62.  */

  63. void xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w, unsigned char hash_alg)

  64. {

  65.   if (h % d) {

  66.     fprintf(stderr, "d must devide h without remainder!\n");

  67.     return;

  68.   }

  69.   params->h = h;

  70.   params->d = d;

  71.   params->n = n;

  72.   params->index_len = (h + 7) / 8;

  73.   xmss_params xmss_par;

  74.   xmss_set_params(&xmss_par, n, (h/d), w, hash_alg);

  75.   params->xmss_par = xmss_par;

  76. }

  77. 

  78. /**

  79.  * Computes a leaf from a WOTS public key using an L-tree.

  80.  */

  81. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  82. {

  83.   unsigned int l = params->wots_par.len;

  84.   unsigned int n = params->n;

  85.   uint32_t i = 0;

  86.   uint32_t height = 0;

  87.   uint32_t bound;

  88. 

  89.   //ADRS.setTreeHeight(0);

  90.   setTreeHeight(addr, height);

  91.   

  92.   while (l > 1) {

  93.      bound = l >> 1; //floor(l / 2);

  94.      for (i = 0; i < bound; i++) {

  95.        //ADRS.setTreeIndex(i);

  96.        setTreeIndex(addr, i);

  97.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  98.        hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n, params->hash_alg);

  99.      }

  100.      //if ( l % 2 == 1 ) {

  101.      if (l & 1) {

  102.        //pk[floor(l / 2) + 1] = pk[l];

  103.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  104.        //l = ceil(l / 2);

  105.        l=(l>>1)+1;

  106.      }

  107.      else {

  108.        //l = ceil(l / 2);

  109.        l=(l>>1);

  110.      }

  111.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  112.      height++;

  113.      setTreeHeight(addr, height);

  114.    }

  115.    //return pk[0];

  116.    memcpy(leaf, wots_pk, n);

  117. }

  118. 

  119. /**

  120.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  121.  */

  122. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, uint32_t ltree_addr[8], uint32_t ots_addr[8])

  123. {

  124.   unsigned char seed[params->n];

  125.   unsigned char pk[params->wots_par.keysize];

  126. 

  127.   get_seed(seed, sk_seed, params->n, ots_addr, params->hash_alg);

  128.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  129. 

  130.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  131. }

  132. 

  133. /**

  134.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  135.  * Currently only used for key generation.

  136.  *

  137.  */

  138. static void treehash(unsigned char *node, uint16_t height, uint32_t index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8])

  139. {

  140. 

  141.   uint32_t idx = index;

  142.   uint16_t n = params->n;

  143.   // use three different addresses because at this point we use all three formats in parallel

  144.   uint32_t ots_addr[8];

  145.   uint32_t ltree_addr[8];

  146.   uint32_t  node_addr[8];

  147.   // only copy layer and tree address parts

  148.   memcpy(ots_addr, addr, 12);

  149.   // type = ots

  150.   setType(ots_addr, 0);

  151.   memcpy(ltree_addr, addr, 12);

  152.   setType(ltree_addr, 1);

  153.   memcpy(node_addr, addr, 12);

  154.   setType(node_addr, 2);

  155. 

  156.   uint32_t lastnode, i;

  157.   unsigned char stack[(height+1)*n];

  158.   uint16_t stacklevels[height+1];

  159.   unsigned int stackoffset=0;

  160. 

  161.   lastnode = idx+(1 << height);

  162. 

  163.   for (; idx < lastnode; idx++) {

  164.     setLtreeADRS(ltree_addr, idx);

  165.     setOTSADRS(ots_addr, idx);

  166.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  167.     stacklevels[stackoffset] = 0;

  168.     stackoffset++;

  169.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  170.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  171.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  172.       hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  173.              node_addr, n, params->hash_alg);

  174.       stacklevels[stackoffset-2]++;

  175.       stackoffset--;

  176.     }

  177.   }

  178.   for (i=0; i < n; i++)

  179.     node[i] = stack[i];

  180. }

  181. 

  182. /**

  183.  * Computes a root node given a leaf and an authapth

  184.  */

  185. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  186. {

  187.   unsigned int n = params->n;

  188. 

  189.   uint32_t i, j;

  190.   unsigned char buffer[2*n];

  191. 

  192.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  193.   // Otherwise, it is the other way around

  194.   if (leafidx & 1) {

  195.     for (j = 0; j < n; j++)

  196.       buffer[n+j] = leaf[j];

  197.     for (j = 0; j < n; j++)

  198.       buffer[j] = authpath[j];

  199.   }

  200.   else {

  201.     for (j = 0; j < n; j++)

  202.       buffer[j] = leaf[j];

  203.     for (j = 0; j < n; j++)

  204.       buffer[n+j] = authpath[j];

  205.   }

  206.   authpath += n;

  207. 

  208.   for (i=0; i < params->h-1; i++) {

  209.     setTreeHeight(addr, i);

  210.     leafidx >>= 1;

  211.     setTreeIndex(addr, leafidx);

  212.     if (leafidx&1) {

  213.       hash_h(buffer+n, buffer, pub_seed, addr, n, params->hash_alg);

  214.       for (j = 0; j < n; j++)

  215.         buffer[j] = authpath[j];

  216.     }

  217.     else {

  218.       hash_h(buffer, buffer, pub_seed, addr, n, params->hash_alg);

  219.       for (j = 0; j < n; j++)

  220.         buffer[j+n] = authpath[j];

  221.     }

  222.     authpath += n;

  223.   }

  224.   setTreeHeight(addr, (params->h-1));

  225.   leafidx >>= 1;

  226.   setTreeIndex(addr, leafidx);

  227.   hash_h(root, buffer, pub_seed, addr, n, params->hash_alg);

  228. }

  229. 

  230. /**

  231.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  232.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  233.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  234.  */

  235. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, uint32_t addr[8])

  236. {

  237.   uint32_t i, j, level;

  238.   uint32_t n = params->n;

  239.   uint32_t h = params->h;

  240. 

  241.   unsigned char tree[2*(1<<h)*n];

  242. 

  243.   uint32_t ots_addr[8];

  244.   uint32_t ltree_addr[8];

  245.   uint32_t node_addr[8];

  246. 

  247.   memcpy(ots_addr, addr, 12);

  248.   setType(ots_addr, 0);

  249.   memcpy(ltree_addr, addr, 12);

  250.   setType(ltree_addr, 1);

  251.   memcpy(node_addr, addr, 12);

  252.   setType(node_addr, 2);

  253. 

  254.   // Compute all leaves

  255.   for (i = 0; i < (1U << h); i++) {

  256.     setLtreeADRS(ltree_addr, i);

  257.     setOTSADRS(ots_addr, i);

  258.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  259.   }

  260. 

  261. 

  262.   level = 0;

  263.   // Compute tree:

  264.   // Outer loop: For each inner layer

  265.   for (i = (1<<h); i > 1; i>>=1) {

  266.     setTreeHeight(node_addr, level);

  267.     // Inner loop: for each pair of sibling nodes

  268.     for (j = 0; j < i; j+=2) {

  269.       setTreeIndex(node_addr, j>>1);

  270.       hash_h(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n, params->hash_alg);

  271.     }

  272.     level++;

  273.   }

  274. 

  275.   // copy authpath

  276.   for (i=0; i < h; i++)

  277.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  278. 

  279.   // copy root

  280.   memcpy(root, tree+n, n);

  281. }

  282. 

  283. 

  284. /*

  285.  * Generates a XMSS key pair for a given parameter set.

  286.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  287.  * Format pk: [root || PUB_SEED] omitting algo oid.

  288.  */

  289. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  290. {

  291.   unsigned int n = params->n;

  292.   // Set idx = 0

  293.   sk[0] = 0;

  294.   sk[1] = 0;

  295.   sk[2] = 0;

  296.   sk[3] = 0;

  297.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  298.   randombytes(sk+4, 3*n);

  299.   // Copy PUB_SEED to public key

  300.   memcpy(pk+n, sk+4+2*n, n);

  301. 

  302.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  303.   // Compute root

  304.   treehash(pk, params->h, 0, sk+4, params, sk+4+2*n, addr);

  305.   // copy root to sk

  306.   memcpy(sk+4+3*n, pk, n);

  307.   return 0;

  308. }

  309. 

  310. /**

  311.  * Signs a message.

  312.  * Returns

  313.  * 1. an array containing the signature followed by the message AND

  314.  * 2. an updated secret key!

  315.  *

  316.  */

  317. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  318. {

  319.   uint16_t n = params->n;

  320.   uint16_t i = 0;

  321. 

  322.   // Extract SK

  323.   uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  324.   unsigned char sk_seed[n];

  325.   memcpy(sk_seed, sk+4, n);

  326.   unsigned char sk_prf[n];

  327.   memcpy(sk_prf, sk+4+n, n);

  328.   unsigned char pub_seed[n];

  329.   memcpy(pub_seed, sk+4+2*n, n);

  330.   

  331.   // index as 32 bytes string

  332.   unsigned char idx_bytes_32[32];

  333.   to_byte(idx_bytes_32, idx, 32);

  334.   

  335.   

  336.   unsigned char hash_key[3*n];

  337.   

  338.   // Update SK

  339.   sk[0] = ((idx + 1) >> 24) & 255;

  340.   sk[1] = ((idx + 1) >> 16) & 255;

  341.   sk[2] = ((idx + 1) >> 8) & 255;

  342.   sk[3] = (idx + 1) & 255;

  343.   // -- Secret key for this non-forward-secure version is now updated.

  344.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  345. 

  346.   // Init working params

  347.   unsigned char R[n];

  348.   unsigned char msg_h[n];

  349.   unsigned char root[n];

  350.   unsigned char ots_seed[n];

  351.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  352. 

  353.   // ---------------------------------

  354.   // Message Hashing

  355.   // ---------------------------------

  356. 

  357.   // Message Hash:

  358.   // First compute pseudorandom value

  359.   prf(R, idx_bytes_32, sk_prf, n, params->hash_alg);

  360.   // Generate hash key (R || root || idx)

  361.   memcpy(hash_key, R, n);

  362.   memcpy(hash_key+n, sk+4+3*n, n);

  363.   to_byte(hash_key+2*n, idx, n);

  364.   // Then use it for message digest

  365.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n, params->hash_alg);

  366.   

  367.   // Start collecting signature

  368.   *sig_msg_len = 0;

  369. 

  370.   // Copy index to signature

  371.   sig_msg[0] = (idx >> 24) & 255;

  372.   sig_msg[1] = (idx >> 16) & 255;

  373.   sig_msg[2] = (idx >> 8) & 255;

  374.   sig_msg[3] = idx & 255;

  375. 

  376.   sig_msg += 4;

  377.   *sig_msg_len += 4;

  378. 

  379.   // Copy R to signature

  380.   for (i = 0; i < n; i++)

  381.     sig_msg[i] = R[i];

  382. 

  383.   sig_msg += n;

  384.   *sig_msg_len += n;

  385. 

  386.   // ----------------------------------

  387.   // Now we start to "really sign"

  388.   // ----------------------------------

  389. 

  390.   // Prepare Address

  391.   setType(ots_addr, 0);

  392.   setOTSADRS(ots_addr, idx);

  393. 

  394.   // Compute seed for OTS key pair

  395.   get_seed(ots_seed, sk_seed, n, ots_addr, params->hash_alg);

  396. 

  397.   // Compute WOTS signature

  398.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  399. 

  400.   sig_msg += params->wots_par.keysize;

  401.   *sig_msg_len += params->wots_par.keysize;

  402. 

  403.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  404.   sig_msg += params->h*n;

  405.   *sig_msg_len += params->h*n;

  406. 

  407.   //Whipe secret elements?

  408.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  409. 

  410.   memcpy(sig_msg, msg, msglen);

  411.   *sig_msg_len += msglen;

  412. 

  413.   return 0;

  414. }

  415. 

  416. /**

  417.  * Verifies a given message signature pair under a given public key.

  418.  */

  419. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  420. {

  421.   uint16_t n = params->n;

  422.   

  423.   unsigned long long i, m_len;

  424.   unsigned long idx=0;

  425.   unsigned char wots_pk[params->wots_par.keysize];

  426.   unsigned char pkhash[n];

  427.   unsigned char root[n];

  428.   unsigned char msg_h[n];

  429.   unsigned char hash_key[3*n];

  430. 

  431.   unsigned char pub_seed[n];

  432.   memcpy(pub_seed, pk+n, n);

  433. 

  434.   // Init addresses

  435.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  436.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  437.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  438. 

  439.   setType(ots_addr, 0);

  440.   setType(ltree_addr, 1);

  441.   setType(node_addr, 2);

  442.   

  443.   // Extract index

  444.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  445.   printf("verify:: idx = %lu\n", idx);

  446.   

  447.   // Generate hash key (R || root || idx)

  448.   memcpy(hash_key, sig_msg+4,n);

  449.   memcpy(hash_key+n, pk, n);

  450.   to_byte(hash_key+2*n, idx, n);

  451.   

  452.   sig_msg += (n+4);

  453.   sig_msg_len -= (n+4);

  454.   

  455. 

  456.   // hash message 

  457.   unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n;

  458.   m_len = sig_msg_len - tmp_sig_len;

  459.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n, params->hash_alg);

  460.   

  461.   //-----------------------

  462.   // Verify signature

  463.   //-----------------------

  464. 

  465.   // Prepare Address

  466.   setOTSADRS(ots_addr, idx);

  467.   // Check WOTS signature

  468.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  469. 

  470.   sig_msg += params->wots_par.keysize;

  471.   sig_msg_len -= params->wots_par.keysize;

  472. 

  473.   // Compute Ltree

  474.   setLtreeADRS(ltree_addr, idx);

  475.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  476. 

  477.   // Compute root

  478.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  479. 

  480.   sig_msg += params->h*n;

  481.   sig_msg_len -= params->h*n;

  482. 

  483.   for (i=0; i < n; i++)

  484.     if (root[i] != pk[i])

  485.       goto fail;

  486. 

  487.   *msglen = sig_msg_len;

  488.   for (i=0; i < *msglen; i++)

  489.     msg[i] = sig_msg[i];

  490. 

  491.   return 0;

  492. 

  493. 

  494. fail:

  495.   *msglen = sig_msg_len;

  496.   for (i=0; i < *msglen; i++)

  497.     msg[i] = 0;

  498.   *msglen = -1;

  499.   return -1;

  500. }

  501. 

  502. /*

  503.  * Generates a XMSSMT key pair for a given parameter set.

  504.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  505.  * Format pk: [root || PUB_SEED] omitting algo oid.

  506.  */

  507. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  508. {

  509.   unsigned int n = params->n;

  510.   uint16_t i;

  511.   // Set idx = 0

  512.   for (i = 0; i < params->index_len; i++) {

  513.     sk[i] = 0;

  514.   }

  515.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  516.   randombytes(sk+params->index_len, 3*n);

  517.   // Copy PUB_SEED to public key

  518.   memcpy(pk+n, sk+params->index_len+2*n, n);

  519. 

  520.   // Set address to point on the single tree on layer d-1

  521.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  522.   setLayerADRS(addr, (params->d-1));

  523. 

  524.   // Compute root

  525.   treehash(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  526.   memcpy(sk+params->index_len+3*n, pk, n);

  527.   return 0;

  528. }

  529. 

  530. /**

  531.  * Signs a message.

  532.  * Returns

  533.  * 1. an array containing the signature followed by the message AND

  534.  * 2. an updated secret key!

  535.  *

  536.  */

  537. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  538. {

  539.   unsigned int n = params->n;

  540.   unsigned int tree_h = params->xmss_par.h;

  541.   unsigned int idx_len = params->index_len;

  542.   uint64_t idx_tree;

  543.   uint32_t idx_leaf;

  544.   uint64_t i;

  545. 

  546.   unsigned char sk_seed[n];

  547.   unsigned char sk_prf[n];

  548.   unsigned char pub_seed[n];

  549.   // Init working params

  550.   unsigned char R[n];

  551.   unsigned char hash_key[3*n];

  552.   unsigned char msg_h[n];

  553.   unsigned char root[n];

  554.   unsigned char ots_seed[n];

  555.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  556.   unsigned char idx_bytes_32[32];

  557. 

  558.   // Extract SK

  559.   unsigned long long idx = 0;

  560.   for (i = 0; i < idx_len; i++) {

  561.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  562.   }

  563. 

  564.   memcpy(sk_seed, sk+idx_len, n);

  565.   memcpy(sk_prf, sk+idx_len+n, n);

  566.   memcpy(pub_seed, sk+idx_len+2*n, n);

  567. 

  568.   // Update SK

  569.   for (i = 0; i < idx_len; i++) {

  570.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  571.   }

  572.   // -- Secret key for this non-forward-secure version is now updated.

  573.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  574. 

  575. 

  576.   // ---------------------------------

  577.   // Message Hashing

  578.   // ---------------------------------

  579. 

  580.   // Message Hash:

  581.   // First compute pseudorandom value

  582.   to_byte(idx_bytes_32, idx, 32);

  583.   prf(R, idx_bytes_32, sk_prf, n, params->xmss_par.hash_alg);

  584.   // Generate hash key (R || root || idx)

  585.   memcpy(hash_key, R, n);

  586.   memcpy(hash_key+n, sk+idx_len+3*n, n);

  587.   to_byte(hash_key+2*n, idx, n);

  588.   

  589.   // Then use it for message digest

  590.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n, params->xmss_par.hash_alg);

  591. 

  592.   // Start collecting signature

  593.   *sig_msg_len = 0;

  594. 

  595.   // Copy index to signature

  596.   for (i = 0; i < idx_len; i++) {

  597.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  598.   }

  599. 

  600.   sig_msg += idx_len;

  601.   *sig_msg_len += idx_len;

  602. 

  603.   // Copy R to signature

  604.   for (i=0; i < n; i++)

  605.     sig_msg[i] = R[i];

  606. 

  607.   sig_msg += n;

  608.   *sig_msg_len += n;

  609. 

  610.   // ----------------------------------

  611.   // Now we start to "really sign"

  612.   // ----------------------------------

  613. 

  614.   // Handle lowest layer separately as it is slightly different...

  615. 

  616.   // Prepare Address

  617.   setType(ots_addr, 0);

  618.   idx_tree = idx >> tree_h;

  619.   idx_leaf = (idx & ((1 << tree_h)-1));

  620.   setLayerADRS(ots_addr, 0);

  621.   setTreeADRS(ots_addr, idx_tree);

  622.   setOTSADRS(ots_addr, idx_leaf);

  623. 

  624.   // Compute seed for OTS key pair

  625.   get_seed(ots_seed, sk_seed, n, ots_addr, params->xmss_par.hash_alg);

  626. 

  627.   // Compute WOTS signature

  628.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  629. 

  630.   sig_msg += params->xmss_par.wots_par.keysize;

  631.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  632. 

  633.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  634.   sig_msg += tree_h*n;

  635.   *sig_msg_len += tree_h*n;

  636. 

  637.   // Now loop over remaining layers...

  638.   unsigned int j;

  639.   for (j = 1; j < params->d; j++) {

  640.     // Prepare Address

  641.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  642.     idx_tree = idx_tree >> tree_h;

  643.     setLayerADRS(ots_addr, j);

  644.     setTreeADRS(ots_addr, idx_tree);

  645.     setOTSADRS(ots_addr, idx_leaf);

  646. 

  647.     // Compute seed for OTS key pair

  648.     get_seed(ots_seed, sk_seed, n, ots_addr, params->xmss_par.hash_alg);

  649. 

  650.     // Compute WOTS signature

  651.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  652. 

  653.     sig_msg += params->xmss_par.wots_par.keysize;

  654.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  655. 

  656.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  657.     sig_msg += tree_h*n;

  658.     *sig_msg_len += tree_h*n;

  659.   }

  660. 

  661.   //Whipe secret elements?

  662.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  663. 

  664.   memcpy(sig_msg, msg, msglen);

  665.   *sig_msg_len += msglen;

  666. 

  667.   return 0;

  668. }

  669. 

  670. /**

  671.  * Verifies a given message signature pair under a given public key.

  672.  */

  673. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  674. {

  675.   unsigned int n = params->n;

  676. 

  677.   unsigned int tree_h = params->xmss_par.h;

  678.   unsigned int idx_len = params->index_len;

  679.   uint64_t idx_tree;

  680.   uint32_t idx_leaf;

  681. 

  682.   unsigned long long i, m_len;

  683.   unsigned long long idx=0;

  684.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  685.   unsigned char pkhash[n];

  686.   unsigned char root[n];

  687.   unsigned char msg_h[n];

  688.   unsigned char hash_key[3*n];

  689. 

  690.   unsigned char pub_seed[n];

  691.   memcpy(pub_seed, pk+n, n);

  692. 

  693.   // Init addresses

  694.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  695.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  696.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  697. 

  698.   // Extract index

  699.   for (i = 0; i < idx_len; i++) {

  700.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  701.   }

  702.   printf("verify:: idx = %llu\n", idx);

  703.   sig_msg += idx_len;

  704.   sig_msg_len -= idx_len;

  705. 

  706.   // Generate hash key (R || root || idx)

  707.   memcpy(hash_key, sig_msg,n);

  708.   memcpy(hash_key+n, pk, n);

  709.   to_byte(hash_key+2*n, idx, n);

  710. 

  711.   sig_msg += n;

  712.   sig_msg_len -= n;

  713.   

  714.   // hash message 

  715.   unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  716.   m_len = sig_msg_len - tmp_sig_len;

  717.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n, params->xmss_par.hash_alg);

  718. 

  719. 

  720.   //-----------------------

  721.   // Verify signature

  722.   //-----------------------

  723. 

  724.   // Prepare Address

  725.   idx_tree = idx >> tree_h;

  726.   idx_leaf = (idx & ((1 << tree_h)-1));

  727.   setLayerADRS(ots_addr, 0);

  728.   setTreeADRS(ots_addr, idx_tree);

  729.   setType(ots_addr, 0);

  730. 

  731.   memcpy(ltree_addr, ots_addr, 12);

  732.   setType(ltree_addr, 1);

  733. 

  734.   memcpy(node_addr, ltree_addr, 12);

  735.   setType(node_addr, 2);

  736.   

  737.   setOTSADRS(ots_addr, idx_leaf);

  738. 

  739.   // Check WOTS signature

  740.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  741. 

  742.   sig_msg += params->xmss_par.wots_par.keysize;

  743.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  744. 

  745.   // Compute Ltree

  746.   setLtreeADRS(ltree_addr, idx_leaf);

  747.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  748. 

  749.   // Compute root

  750.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  751. 

  752.   sig_msg += tree_h*n;

  753.   sig_msg_len -= tree_h*n;

  754. 

  755.   for (i = 1; i < params->d; i++) {

  756.     // Prepare Address

  757.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  758.     idx_tree = idx_tree >> tree_h;

  759. 

  760.     setLayerADRS(ots_addr, i);

  761.     setTreeADRS(ots_addr, idx_tree);

  762.     setType(ots_addr, 0);

  763. 

  764.     memcpy(ltree_addr, ots_addr, 12);

  765.     setType(ltree_addr, 1);

  766. 

  767.     memcpy(node_addr, ltree_addr, 12);

  768.     setType(node_addr, 2);

  769. 

  770.     setOTSADRS(ots_addr, idx_leaf);

  771. 

  772.     // Check WOTS signature

  773.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  774. 

  775.     sig_msg += params->xmss_par.wots_par.keysize;

  776.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  777. 

  778.     // Compute Ltree

  779.     setLtreeADRS(ltree_addr, idx_leaf);

  780.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  781. 

  782.     // Compute root

  783.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  784. 

  785.     sig_msg += tree_h*n;

  786.     sig_msg_len -= tree_h*n;

  787. 

  788.   }

  789. 

  790.   for (i=0; i < n; i++)

  791.     if (root[i] != pk[i])

  792.       goto fail;

  793. 

  794.   *msglen = sig_msg_len;

  795.   for (i=0; i < *msglen; i++)

  796.     msg[i] = sig_msg[i];

  797. 

  798.   return 0;

  799. 

  800. 

  801. fail:

  802.   *msglen = sig_msg_len;

  803.   for (i=0; i < *msglen; i++)

  804.     msg[i] = 0;

  805.   *msglen = -1;

  806.   return -1;

  807. }