kris
/
xmss-KAT-generator
1
0
Forkuj 0
Kod Zgłoszenia 0 Oczekujące zmiany 0 Wydania 0 Wiki Aktywność
Nie możesz wybrać więcej, niż 25 tematów Tematy muszą się zaczynać od litery lub cyfry, mogą zawierać myślniki ('-') i mogą mieć do 35 znaków.
42 Commity
1 Gałąź
488 KiB
 
 
Drzewo: 1e00c92c18
Gałęzie Tagi
${ item.name }
Utwórz gałąź ${ searchTerm }
z '1e00c92c18'
${ noResults }
xmss-KAT-generator/xmss.c

754 wiersze
21 KiB
Czysty Wina Historia 

  1. /*

  2. xmss.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. //#include "prg.h"

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. #include "params.h"

  21. 

  22. // For testing

  23. #include "stdio.h"

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes XMSS_N byte sk_seed and returns XMSS_N byte seed using 32 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, uint32_t addr[8])

  32. {

  33.   unsigned char bytes[32];

  34.   // Make sure that chain addr, hash addr, and key bit are 0!

  35.   setChainADRS(addr, 0);

  36.   setHashADRS(addr, 0);

  37.   setKeyAndMask(addr, 0);

  38.   // Generate pseudorandom value

  39.   addr_to_byte(bytes, addr);

  40.   prf(seed, bytes, sk_seed, XMSS_N);

  41. }

  42. 

  43. /**

  44.  * Computes a leaf from a WOTS public key using an L-tree.

  45.  */

  46. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const unsigned char *pub_seed, uint32_t addr[8])

  47. {

  48.   unsigned int l = XMSS_WOTS_LEN;

  49.   uint32_t i = 0;

  50.   uint32_t height = 0;

  51.   uint32_t bound;

  52. 

  53.   //ADRS.setTreeHeight(0);

  54.   setTreeHeight(addr, height);

  55. 

  56.   while (l > 1) {

  57.      bound = l >> 1; //floor(l / 2);

  58.      for (i = 0; i < bound; i++) {

  59.        //ADRS.setTreeIndex(i);

  60.        setTreeIndex(addr, i);

  61.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  62.        hash_h(wots_pk+i*XMSS_N, wots_pk+i*2*XMSS_N, pub_seed, addr, XMSS_N);

  63.      }

  64.      //if ( l % 2 == 1 ) {

  65.      if (l & 1) {

  66.        //pk[floor(l / 2) + 1] = pk[l];

  67.        memcpy(wots_pk+(l>>1)*XMSS_N, wots_pk+(l-1)*XMSS_N, XMSS_N);

  68.        //l = ceil(l / 2);

  69.        l=(l>>1)+1;

  70.      }

  71.      else {

  72.        //l = ceil(l / 2);

  73.        l=(l>>1);

  74.      }

  75.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  76.      height++;

  77.      setTreeHeight(addr, height);

  78.    }

  79.    //return pk[0];

  80.    memcpy(leaf, wots_pk, XMSS_N);

  81. }

  82. 

  83. /**

  84.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  85.  */

  86. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const unsigned char *pub_seed, uint32_t ltree_addr[8], uint32_t ots_addr[8])

  87. {

  88.   unsigned char seed[XMSS_N];

  89.   unsigned char pk[XMSS_WOTS_KEYSIZE];

  90. 

  91.   get_seed(seed, sk_seed, ots_addr);

  92.   wots_pkgen(pk, seed, pub_seed, ots_addr);

  93. 

  94.   l_tree(leaf, pk, pub_seed, ltree_addr);

  95. }

  96. 

  97. /**

  98.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  99.  * Currently only used for key generation.

  100.  *

  101.  */

  102. static void treehash(unsigned char *node, uint16_t height, uint32_t index, const unsigned char *sk_seed, const unsigned char *pub_seed, const uint32_t addr[8])

  103. {

  104.   uint32_t idx = index;

  105.   // use three different addresses because at this point we use all three formats in parallel

  106.   uint32_t ots_addr[8];

  107.   uint32_t ltree_addr[8];

  108.   uint32_t node_addr[8];

  109.   // only copy layer and tree address parts

  110.   memcpy(ots_addr, addr, 12);

  111.   // type = ots

  112.   setType(ots_addr, 0);

  113.   memcpy(ltree_addr, addr, 12);

  114.   setType(ltree_addr, 1);

  115.   memcpy(node_addr, addr, 12);

  116.   setType(node_addr, 2);

  117. 

  118.   uint32_t lastnode, i;

  119.   unsigned char stack[(height+1)*XMSS_N];

  120.   uint16_t stacklevels[height+1];

  121.   unsigned int stackoffset=0;

  122. 

  123.   lastnode = idx+(1 << height);

  124. 

  125.   for (; idx < lastnode; idx++) {

  126.     setLtreeADRS(ltree_addr, idx);

  127.     setOTSADRS(ots_addr, idx);

  128.     gen_leaf_wots(stack+stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);

  129.     stacklevels[stackoffset] = 0;

  130.     stackoffset++;

  131.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  132.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  133.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  134.       hash_h(stack+(stackoffset-2)*XMSS_N, stack+(stackoffset-2)*XMSS_N, pub_seed,

  135.           node_addr, XMSS_N);

  136.       stacklevels[stackoffset-2]++;

  137.       stackoffset--;

  138.     }

  139.   }

  140.   for (i=0; i < XMSS_N; i++)

  141.     node[i] = stack[i];

  142. }

  143. 

  144. /**

  145.  * Computes a root node given a leaf and an authapth

  146.  */

  147. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const unsigned char *pub_seed, uint32_t addr[8])

  148. {

  149.   uint32_t i, j;

  150.   unsigned char buffer[2*XMSS_N];

  151. 

  152.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  153.   // Otherwise, it is the other way around

  154.   if (leafidx & 1) {

  155.     for (j = 0; j < XMSS_N; j++)

  156.       buffer[XMSS_N+j] = leaf[j];

  157.     for (j = 0; j < XMSS_N; j++)

  158.       buffer[j] = authpath[j];

  159.   }

  160.   else {

  161.     for (j = 0; j < XMSS_N; j++)

  162.       buffer[j] = leaf[j];

  163.     for (j = 0; j < XMSS_N; j++)

  164.       buffer[XMSS_N+j] = authpath[j];

  165.   }

  166.   authpath += XMSS_N;

  167. 

  168.   for (i=0; i < XMSS_TREEHEIGHT-1; i++) {

  169.     setTreeHeight(addr, i);

  170.     leafidx >>= 1;

  171.     setTreeIndex(addr, leafidx);

  172.     if (leafidx&1) {

  173.       hash_h(buffer+XMSS_N, buffer, pub_seed, addr, XMSS_N);

  174.       for (j = 0; j < XMSS_N; j++)

  175.         buffer[j] = authpath[j];

  176.     }

  177.     else {

  178.       hash_h(buffer, buffer, pub_seed, addr, XMSS_N);

  179.       for (j = 0; j < XMSS_N; j++)

  180.         buffer[j+XMSS_N] = authpath[j];

  181.     }

  182.     authpath += XMSS_N;

  183.   }

  184.   setTreeHeight(addr, (XMSS_TREEHEIGHT-1));

  185.   leafidx >>= 1;

  186.   setTreeIndex(addr, leafidx);

  187.   hash_h(root, buffer, pub_seed, addr, XMSS_N);

  188. }

  189. 

  190. /**

  191.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  192.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  193.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  194.  */

  195. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, unsigned char *pub_seed, uint32_t addr[8])

  196. {

  197.   uint32_t i, j, level;

  198. 

  199.   unsigned char tree[2*(1<<XMSS_TREEHEIGHT)*XMSS_N];

  200. 

  201.   uint32_t ots_addr[8];

  202.   uint32_t ltree_addr[8];

  203.   uint32_t node_addr[8];

  204. 

  205.   memcpy(ots_addr, addr, 12);

  206.   setType(ots_addr, 0);

  207.   memcpy(ltree_addr, addr, 12);

  208.   setType(ltree_addr, 1);

  209.   memcpy(node_addr, addr, 12);

  210.   setType(node_addr, 2);

  211. 

  212.   // Compute all leaves

  213.   for (i = 0; i < (1U << XMSS_TREEHEIGHT); i++) {

  214.     setLtreeADRS(ltree_addr, i);

  215.     setOTSADRS(ots_addr, i);

  216.     gen_leaf_wots(tree+((1<<XMSS_TREEHEIGHT)*XMSS_N + i*XMSS_N), sk_seed, pub_seed, ltree_addr, ots_addr);

  217.   }

  218. 

  219. 

  220.   level = 0;

  221.   // Compute tree:

  222.   // Outer loop: For each inner layer

  223.   for (i = (1<<XMSS_TREEHEIGHT); i > 1; i>>=1) {

  224.     setTreeHeight(node_addr, level);

  225.     // Inner loop: for each pair of sibling nodes

  226.     for (j = 0; j < i; j+=2) {

  227.       setTreeIndex(node_addr, j>>1);

  228.       hash_h(tree + (i>>1)*XMSS_N + (j>>1) * XMSS_N, tree + i*XMSS_N + j*XMSS_N, pub_seed, node_addr, XMSS_N);

  229.     }

  230.     level++;

  231.   }

  232. 

  233.   // copy authpath

  234.   for (i=0; i < XMSS_TREEHEIGHT; i++)

  235.     memcpy(authpath + i*XMSS_N, tree + ((1<<XMSS_TREEHEIGHT)>>i)*XMSS_N + ((leaf_idx >> i) ^ 1) * XMSS_N, XMSS_N);

  236. 

  237.   // copy root

  238.   memcpy(root, tree+XMSS_N, XMSS_N);

  239. }

  240. 

  241. 

  242. /*

  243.  * Generates a XMSS key pair for a given parameter set.

  244.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  245.  * Format pk: [root || PUB_SEED] omitting algo oid.

  246.  */

  247. int xmss_keypair(unsigned char *pk, unsigned char *sk)

  248. {

  249.   // Set idx = 0

  250.   sk[0] = 0;

  251.   sk[1] = 0;

  252.   sk[2] = 0;

  253.   sk[3] = 0;

  254.   // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)

  255.   randombytes(sk+4, 3*XMSS_N);

  256.   // Copy PUB_SEED to public key

  257.   memcpy(pk+XMSS_N, sk+4+2*XMSS_N, XMSS_N);

  258. 

  259.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  260.   // Compute root

  261.   treehash(pk, XMSS_TREEHEIGHT, 0, sk+4, sk+4+2*XMSS_N, addr);

  262.   // copy root to sk

  263.   memcpy(sk+4+3*XMSS_N, pk, XMSS_N);

  264.   return 0;

  265. }

  266. 

  267. /**

  268.  * Signs a message.

  269.  * Returns

  270.  * 1. an array containing the signature followed by the message AND

  271.  * 2. an updated secret key!

  272.  *

  273.  */

  274. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen)

  275. {

  276.   uint16_t i = 0;

  277. 

  278.   // Extract SK

  279.   uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  280.   unsigned char sk_seed[XMSS_N];

  281.   memcpy(sk_seed, sk+4, XMSS_N);

  282.   unsigned char sk_prf[XMSS_N];

  283.   memcpy(sk_prf, sk+4+XMSS_N, XMSS_N);

  284.   unsigned char pub_seed[XMSS_N];

  285.   memcpy(pub_seed, sk+4+2*XMSS_N, XMSS_N);

  286.   

  287.   // index as 32 bytes string

  288.   unsigned char idx_bytes_32[32];

  289.   to_byte(idx_bytes_32, idx, 32);

  290.   

  291.   

  292.   unsigned char hash_key[3*XMSS_N];

  293.   

  294.   // Update SK

  295.   sk[0] = ((idx + 1) >> 24) & 255;

  296.   sk[1] = ((idx + 1) >> 16) & 255;

  297.   sk[2] = ((idx + 1) >> 8) & 255;

  298.   sk[3] = (idx + 1) & 255;

  299.   // -- Secret key for this non-forward-secure version is now updated.

  300.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  301. 

  302.   // Init working params

  303.   unsigned char R[XMSS_N];

  304.   unsigned char msg_h[XMSS_N];

  305.   unsigned char root[XMSS_N];

  306.   unsigned char ots_seed[XMSS_N];

  307.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  308. 

  309.   // ---------------------------------

  310.   // Message Hashing

  311.   // ---------------------------------

  312. 

  313.   // Message Hash:

  314.   // First compute pseudorandom value

  315.   prf(R, idx_bytes_32, sk_prf, XMSS_N);

  316.   // Generate hash key (R || root || idx)

  317.   memcpy(hash_key, R, XMSS_N);

  318.   memcpy(hash_key+XMSS_N, sk+4+3*XMSS_N, XMSS_N);

  319.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  320.   // Then use it for message digest

  321.   h_msg(msg_h, msg, msglen, hash_key, 3*XMSS_N, XMSS_N);

  322.   

  323.   // Start collecting signature

  324.   *sig_msg_len = 0;

  325. 

  326.   // Copy index to signature

  327.   sig_msg[0] = (idx >> 24) & 255;

  328.   sig_msg[1] = (idx >> 16) & 255;

  329.   sig_msg[2] = (idx >> 8) & 255;

  330.   sig_msg[3] = idx & 255;

  331. 

  332.   sig_msg += 4;

  333.   *sig_msg_len += 4;

  334. 

  335.   // Copy R to signature

  336.   for (i = 0; i < XMSS_N; i++)

  337.     sig_msg[i] = R[i];

  338. 

  339.   sig_msg += XMSS_N;

  340.   *sig_msg_len += XMSS_N;

  341. 

  342.   // ----------------------------------

  343.   // Now we start to "really sign"

  344.   // ----------------------------------

  345. 

  346.   // Prepare Address

  347.   setType(ots_addr, 0);

  348.   setOTSADRS(ots_addr, idx);

  349. 

  350.   // Compute seed for OTS key pair

  351.   get_seed(ots_seed, sk_seed, ots_addr);

  352. 

  353.   // Compute WOTS signature

  354.   wots_sign(sig_msg, msg_h, ots_seed, pub_seed, ots_addr);

  355. 

  356.   sig_msg += XMSS_WOTS_KEYSIZE;

  357.   *sig_msg_len += XMSS_WOTS_KEYSIZE;

  358. 

  359.   compute_authpath_wots(root, sig_msg, idx, sk_seed, pub_seed, ots_addr);

  360.   sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  361.   *sig_msg_len += XMSS_TREEHEIGHT*XMSS_N;

  362. 

  363.   //Whipe secret elements?

  364.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  365. 

  366.   memcpy(sig_msg, msg, msglen);

  367.   *sig_msg_len += msglen;

  368. 

  369.   return 0;

  370. }

  371. 

  372. /**

  373.  * Verifies a given message signature pair under a given public key.

  374.  */

  375. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk)

  376. {

  377.   

  378.   unsigned long long i, m_len;

  379.   unsigned long idx=0;

  380.   unsigned char wots_pk[XMSS_WOTS_KEYSIZE];

  381.   unsigned char pkhash[XMSS_N];

  382.   unsigned char root[XMSS_N];

  383.   unsigned char msg_h[XMSS_N];

  384.   unsigned char hash_key[3*XMSS_N];

  385. 

  386.   unsigned char pub_seed[XMSS_N];

  387.   memcpy(pub_seed, pk+XMSS_N, XMSS_N);

  388. 

  389.   // Init addresses

  390.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  391.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  392.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  393. 

  394.   setType(ots_addr, 0);

  395.   setType(ltree_addr, 1);

  396.   setType(node_addr, 2);

  397.   

  398.   // Extract index

  399.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  400.   printf("verify:: idx = %lu\n", idx);

  401.   

  402.   // Generate hash key (R || root || idx)

  403.   memcpy(hash_key, sig_msg+4,XMSS_N);

  404.   memcpy(hash_key+XMSS_N, pk, XMSS_N);

  405.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  406.   

  407.   sig_msg += (XMSS_N+4);

  408.   sig_msg_len -= (XMSS_N+4);

  409.   

  410. 

  411.   // hash message 

  412.   unsigned long long tmp_sig_len = XMSS_WOTS_KEYSIZE+XMSS_TREEHEIGHT*XMSS_N;

  413.   m_len = sig_msg_len - tmp_sig_len;

  414.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*XMSS_N, XMSS_N);

  415.   

  416.   //-----------------------

  417.   // Verify signature

  418.   //-----------------------

  419. 

  420.   // Prepare Address

  421.   setOTSADRS(ots_addr, idx);

  422.   // Check WOTS signature

  423.   wots_pkFromSig(wots_pk, sig_msg, msg_h, pub_seed, ots_addr);

  424. 

  425.   sig_msg += XMSS_WOTS_KEYSIZE;

  426.   sig_msg_len -= XMSS_WOTS_KEYSIZE;

  427. 

  428.   // Compute Ltree

  429.   setLtreeADRS(ltree_addr, idx);

  430.   l_tree(pkhash, wots_pk, pub_seed, ltree_addr);

  431. 

  432.   // Compute root

  433.   validate_authpath(root, pkhash, idx, sig_msg, pub_seed, node_addr);

  434. 

  435.   sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  436.   sig_msg_len -= XMSS_TREEHEIGHT*XMSS_N;

  437. 

  438.   for (i=0; i < XMSS_N; i++)

  439.     if (root[i] != pk[i])

  440.       goto fail;

  441. 

  442.   *msglen = sig_msg_len;

  443.   for (i=0; i < *msglen; i++)

  444.     msg[i] = sig_msg[i];

  445. 

  446.   return 0;

  447. 

  448. 

  449. fail:

  450.   *msglen = sig_msg_len;

  451.   for (i=0; i < *msglen; i++)

  452.     msg[i] = 0;

  453.   *msglen = -1;

  454.   return -1;

  455. }

  456. 

  457. /*

  458.  * Generates a XMSSMT key pair for a given parameter set.

  459.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  460.  * Format pk: [root || PUB_SEED] omitting algo oid.

  461.  */

  462. int xmssmt_keypair(unsigned char *pk, unsigned char *sk)

  463. {

  464.   uint16_t i;

  465.   // Set idx = 0

  466.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  467.     sk[i] = 0;

  468.   }

  469.   // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)

  470.   randombytes(sk+XMSS_INDEX_LEN, 3*XMSS_N);

  471.   // Copy PUB_SEED to public key

  472.   memcpy(pk+XMSS_N, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  473. 

  474.   // Set address to point on the single tree on layer d-1

  475.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  476.   setLayerADRS(addr, (XMSS_D-1));

  477. 

  478.   // Compute root

  479.   treehash(pk, XMSS_TREEHEIGHT, 0, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);

  480.   memcpy(sk+XMSS_INDEX_LEN+3*XMSS_N, pk, XMSS_N);

  481.   return 0;

  482. }

  483. 

  484. /**

  485.  * Signs a message.

  486.  * Returns

  487.  * 1. an array containing the signature followed by the message AND

  488.  * 2. an updated secret key!

  489.  *

  490.  */

  491. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen)

  492. {

  493.   uint64_t idx_tree;

  494.   uint32_t idx_leaf;

  495.   uint64_t i;

  496. 

  497.   unsigned char sk_seed[XMSS_N];

  498.   unsigned char sk_prf[XMSS_N];

  499.   unsigned char pub_seed[XMSS_N];

  500.   // Init working params

  501.   unsigned char R[XMSS_N];

  502.   unsigned char hash_key[3*XMSS_N];

  503.   unsigned char msg_h[XMSS_N];

  504.   unsigned char root[XMSS_N];

  505.   unsigned char ots_seed[XMSS_N];

  506.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  507.   unsigned char idx_bytes_32[32];

  508. 

  509.   // Extract SK

  510.   unsigned long long idx = 0;

  511.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  512.     idx |= ((unsigned long long)sk[i]) << 8*(XMSS_INDEX_LEN - 1 - i);

  513.   }

  514. 

  515.   memcpy(sk_seed, sk+XMSS_INDEX_LEN, XMSS_N);

  516.   memcpy(sk_prf, sk+XMSS_INDEX_LEN+XMSS_N, XMSS_N);

  517.   memcpy(pub_seed, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  518. 

  519.   // Update SK

  520.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  521.     sk[i] = ((idx + 1) >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  522.   }

  523.   // -- Secret key for this non-forward-secure version is now updated.

  524.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  525. 

  526. 

  527.   // ---------------------------------

  528.   // Message Hashing

  529.   // ---------------------------------

  530. 

  531.   // Message Hash:

  532.   // First compute pseudorandom value

  533.   to_byte(idx_bytes_32, idx, 32);

  534.   prf(R, idx_bytes_32, sk_prf, XMSS_N);

  535.   // Generate hash key (R || root || idx)

  536.   memcpy(hash_key, R, XMSS_N);

  537.   memcpy(hash_key+XMSS_N, sk+XMSS_INDEX_LEN+3*XMSS_N, XMSS_N);

  538.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  539. 

  540.   // Then use it for message digest

  541.   h_msg(msg_h, msg, msglen, hash_key, 3*XMSS_N, XMSS_N);

  542. 

  543.   // Start collecting signature

  544.   *sig_msg_len = 0;

  545. 

  546.   // Copy index to signature

  547.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  548.     sig_msg[i] = (idx >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  549.   }

  550. 

  551.   sig_msg += XMSS_INDEX_LEN;

  552.   *sig_msg_len += XMSS_INDEX_LEN;

  553. 

  554.   // Copy R to signature

  555.   for (i=0; i < XMSS_N; i++)

  556.     sig_msg[i] = R[i];

  557. 

  558.   sig_msg += XMSS_N;

  559.   *sig_msg_len += XMSS_N;

  560. 

  561.   // ----------------------------------

  562.   // Now we start to "really sign"

  563.   // ----------------------------------

  564. 

  565.   // Handle lowest layer separately as it is slightly different...

  566. 

  567.   // Prepare Address

  568.   setType(ots_addr, 0);

  569.   idx_tree = idx >> XMSS_TREEHEIGHT;

  570.   idx_leaf = (idx & ((1 << XMSS_TREEHEIGHT)-1));

  571.   setLayerADRS(ots_addr, 0);

  572.   setTreeADRS(ots_addr, idx_tree);

  573.   setOTSADRS(ots_addr, idx_leaf);

  574. 

  575.   // Compute seed for OTS key pair

  576.   get_seed(ots_seed, sk_seed, ots_addr);

  577. 

  578.   // Compute WOTS signature

  579.   wots_sign(sig_msg, msg_h, ots_seed, pub_seed, ots_addr);

  580. 

  581.   sig_msg += XMSS_WOTS_KEYSIZE;

  582.   *sig_msg_len += XMSS_WOTS_KEYSIZE;

  583. 

  584.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, pub_seed, ots_addr);

  585.   sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  586.   *sig_msg_len += XMSS_TREEHEIGHT*XMSS_N;

  587. 

  588.   // Now loop over remaining layers...

  589.   unsigned int j;

  590.   for (j = 1; j < XMSS_D; j++) {

  591.     // Prepare Address

  592.     idx_leaf = (idx_tree & ((1 << XMSS_TREEHEIGHT)-1));

  593.     idx_tree = idx_tree >> XMSS_TREEHEIGHT;

  594.     setLayerADRS(ots_addr, j);

  595.     setTreeADRS(ots_addr, idx_tree);

  596.     setOTSADRS(ots_addr, idx_leaf);

  597. 

  598.     // Compute seed for OTS key pair

  599.     get_seed(ots_seed, sk_seed, ots_addr);

  600. 

  601.     // Compute WOTS signature

  602.     wots_sign(sig_msg, root, ots_seed, pub_seed, ots_addr);

  603. 

  604.     sig_msg += XMSS_WOTS_KEYSIZE;

  605.     *sig_msg_len += XMSS_WOTS_KEYSIZE;

  606. 

  607.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, pub_seed, ots_addr);

  608.     sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  609.     *sig_msg_len += XMSS_TREEHEIGHT*XMSS_N;

  610.   }

  611. 

  612.   //Whipe secret elements?

  613.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  614. 

  615.   memcpy(sig_msg, msg, msglen);

  616.   *sig_msg_len += msglen;

  617. 

  618.   return 0;

  619. }

  620. 

  621. /**

  622.  * Verifies a given message signature pair under a given public key.

  623.  */

  624. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk)

  625. {

  626.   uint64_t idx_tree;

  627.   uint32_t idx_leaf;

  628. 

  629.   unsigned long long i, m_len;

  630.   unsigned long long idx=0;

  631.   unsigned char wots_pk[XMSS_WOTS_KEYSIZE];

  632.   unsigned char pkhash[XMSS_N];

  633.   unsigned char root[XMSS_N];

  634.   unsigned char msg_h[XMSS_N];

  635.   unsigned char hash_key[3*XMSS_N];

  636. 

  637.   unsigned char pub_seed[XMSS_N];

  638.   memcpy(pub_seed, pk+XMSS_N, XMSS_N);

  639. 

  640.   // Init addresses

  641.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  642.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  643.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  644. 

  645.   // Extract index

  646.   for (i = 0; i < XMSS_INDEX_LEN; i++) {

  647.     idx |= ((unsigned long long)sig_msg[i]) << (8*(XMSS_INDEX_LEN - 1 - i));

  648.   }

  649.   printf("verify:: idx = %llu\n", idx);

  650.   sig_msg += XMSS_INDEX_LEN;

  651.   sig_msg_len -= XMSS_INDEX_LEN;

  652. 

  653.   // Generate hash key (R || root || idx)

  654.   memcpy(hash_key, sig_msg,XMSS_N);

  655.   memcpy(hash_key+XMSS_N, pk, XMSS_N);

  656.   to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  657. 

  658.   sig_msg += XMSS_N;

  659.   sig_msg_len -= XMSS_N;

  660.   

  661.   // hash message 

  662.   unsigned long long tmp_sig_len = (XMSS_D * XMSS_WOTS_KEYSIZE) + (XMSS_FULLHEIGHT * XMSS_N);

  663.   m_len = sig_msg_len - tmp_sig_len;

  664.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*XMSS_N, XMSS_N);

  665. 

  666. 

  667.   //-----------------------

  668.   // Verify signature

  669.   //-----------------------

  670. 

  671.   // Prepare Address

  672.   idx_tree = idx >> XMSS_TREEHEIGHT;

  673.   idx_leaf = (idx & ((1 << XMSS_TREEHEIGHT)-1));

  674.   setLayerADRS(ots_addr, 0);

  675.   setTreeADRS(ots_addr, idx_tree);

  676.   setType(ots_addr, 0);

  677. 

  678.   memcpy(ltree_addr, ots_addr, 12);

  679.   setType(ltree_addr, 1);

  680. 

  681.   memcpy(node_addr, ltree_addr, 12);

  682.   setType(node_addr, 2);

  683.   

  684.   setOTSADRS(ots_addr, idx_leaf);

  685. 

  686.   // Check WOTS signature

  687.   wots_pkFromSig(wots_pk, sig_msg, msg_h, pub_seed, ots_addr);

  688. 

  689.   sig_msg += XMSS_WOTS_KEYSIZE;

  690.   sig_msg_len -= XMSS_WOTS_KEYSIZE;

  691. 

  692.   // Compute Ltree

  693.   setLtreeADRS(ltree_addr, idx_leaf);

  694.   l_tree(pkhash, wots_pk, pub_seed, ltree_addr);

  695. 

  696.   // Compute root

  697.   validate_authpath(root, pkhash, idx_leaf, sig_msg, pub_seed, node_addr);

  698. 

  699.   sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  700.   sig_msg_len -= XMSS_TREEHEIGHT*XMSS_N;

  701. 

  702.   for (i = 1; i < XMSS_D; i++) {

  703.     // Prepare Address

  704.     idx_leaf = (idx_tree & ((1 << XMSS_TREEHEIGHT)-1));

  705.     idx_tree = idx_tree >> XMSS_TREEHEIGHT;

  706. 

  707.     setLayerADRS(ots_addr, i);

  708.     setTreeADRS(ots_addr, idx_tree);

  709.     setType(ots_addr, 0);

  710. 

  711.     memcpy(ltree_addr, ots_addr, 12);

  712.     setType(ltree_addr, 1);

  713. 

  714.     memcpy(node_addr, ltree_addr, 12);

  715.     setType(node_addr, 2);

  716. 

  717.     setOTSADRS(ots_addr, idx_leaf);

  718. 

  719.     // Check WOTS signature

  720.     wots_pkFromSig(wots_pk, sig_msg, root, pub_seed, ots_addr);

  721. 

  722.     sig_msg += XMSS_WOTS_KEYSIZE;

  723.     sig_msg_len -= XMSS_WOTS_KEYSIZE;

  724. 

  725.     // Compute Ltree

  726.     setLtreeADRS(ltree_addr, idx_leaf);

  727.     l_tree(pkhash, wots_pk, pub_seed, ltree_addr);

  728. 

  729.     // Compute root

  730.     validate_authpath(root, pkhash, idx_leaf, sig_msg, pub_seed, node_addr);

  731. 

  732.     sig_msg += XMSS_TREEHEIGHT*XMSS_N;

  733.     sig_msg_len -= XMSS_TREEHEIGHT*XMSS_N;

  734. 

  735.   }

  736. 

  737.   for (i=0; i < XMSS_N; i++)

  738.     if (root[i] != pk[i])

  739.       goto fail;

  740. 

  741.   *msglen = sig_msg_len;

  742.   for (i=0; i < *msglen; i++)

  743.     msg[i] = sig_msg[i];

  744. 

  745.   return 0;

  746. 

  747. 

  748. fail:

  749.   *msglen = sig_msg_len;

  750.   for (i=0; i < *msglen; i++)

  751.     msg[i] = 0;

  752.   *msglen = -1;

  753.   return -1;

  754. }