kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
30 Commits
1 Branch
488 KiB
 
 
Tree: 1e503b665e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1e503b665e'
${ noResults }
xmss-KAT-generator/xmss.c

845 lines
23 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20150811

  3. Andreas Hülsing

  4. Public domain.

  5. */

  6. 

  7. #include "xmss.h"

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. #include <math.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "prg.h"

  17. #include "xmss_commons.h"

  18. 

  19. // For testing

  20. #include "stdio.h"

  21. 

  22. /**

  23.  * Macros used to manipulate the respective fields

  24.  * in the 16byte hash address

  25.  */

  26. #define SET_LAYER_ADDRESS(a, v) {\

  27.   a[6] = (a[6] & 3) | ((v << 2) & 252);\

  28.   a[5] = (a[5] & 252) | ((v >> 6) & 3);}

  29. 

  30. #define SET_TREE_ADDRESS(a, v) {\

  31.   a[9] = (a[9] & 3) | ((v << 2) & 252);\

  32.   a[8] = (v >> 6) & 255;\

  33.   a[7] = (v >> 14) & 255;\

  34.   a[6] = (a[6] & 252) | ((v >> 22) & 3);}

  35. 

  36. #define SET_OTS_BIT(a, b) {\

  37.   a[9] = (a[9] & 253) | ((b << 1) & 2);}

  38. 

  39. #define SET_OTS_ADDRESS(a, v) {\

  40.   a[12] = (a[12] & 1) | ((v << 1) & 254);\

  41.   a[11] = (v >> 7) & 255;\

  42.   a[10] = (v >> 15) & 255;\

  43.   a[9] = (a[9] & 254) | ((v >> 23) & 1);}

  44. 

  45. #define ZEROISE_OTS_ADDR(a) {\

  46.   a[12] = (a[12] & 254);\

  47.   a[13] = 0;\

  48.   a[14] = 0;\

  49.   a[15] = 0;}

  50. 

  51. #define SET_LTREE_BIT(a, b) {\

  52.   a[9] = (a[9] & 254) | (b & 1);}

  53. 

  54. #define SET_LTREE_ADDRESS(a, v) {\

  55.   a[12] = v & 255;\

  56.   a[11] = (v >> 8) & 255;\

  57.   a[10] = (v >> 16) & 255;}

  58. 

  59. #define SET_LTREE_TREE_HEIGHT(a, v) {\

  60.   a[13] = (a[13] & 3) | ((v << 2) & 252);}

  61. 

  62. #define SET_LTREE_TREE_INDEX(a, v) {\

  63.   a[15] = (a[15] & 3) | ((v << 2) & 252);\

  64.   a[14] = (v >> 6) & 255;\

  65.   a[13] = (a[13] & 252) | ((v >> 14) & 3);}

  66. 

  67. #define SET_NODE_PADDING(a) {\

  68.   a[10] = 0;\

  69.   a[11] = a[11] & 3;}

  70. 

  71. #define SET_NODE_TREE_HEIGHT(a, v) {\

  72.   a[12] = (a[12] & 3) | ((v << 2) & 252);\

  73.   a[11] = (a[11] & 252) | ((v >> 6) & 3);}

  74. 

  75. #define SET_NODE_TREE_INDEX(a, v) {\

  76.   a[15] = (a[15] & 3) | ((v << 2) & 252);\

  77.   a[14] = (v >> 6) & 255;\

  78.   a[13] = (v >> 14) & 255;\

  79.   a[12] = (a[12] & 252) | ((v >> 22) & 3);}

  80. 

  81. 

  82. /**

  83.  * Used for pseudorandom keygeneration,

  84.  * generates the seed for the WOTS keypair at address addr

  85.  *

  86.  * takes n byte sk_seed and returns n byte seed using 16 byte address addr.

  87.  */

  88. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, unsigned char addr[16])

  89. {

  90.   // Make sure that chain addr, hash addr, and key bit are 0!

  91.   ZEROISE_OTS_ADDR(addr);

  92.   // Generate pseudorandom value

  93.   prg_with_counter(seed, sk_seed, n, addr);

  94. }

  95. 

  96. /**

  97.  * Initialize xmss params struct

  98.  * parameter names are the same as in the draft

  99.  */

  100. void xmss_set_params(xmss_params *params, int m, int n, int h, int w)

  101. {

  102.   params->h = h;

  103.   params->m = m;

  104.   params->n = n;

  105.   wots_params wots_par;

  106.   wots_set_params(&wots_par, m, n, w);

  107.   params->wots_par = wots_par;

  108. }

  109. 

  110. /**

  111.  * Initialize xmssmt_params struct

  112.  * parameter names are the same as in the draft

  113.  *

  114.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  115.  */

  116. void xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w)

  117. {

  118.   if (h % d) {

  119.     fprintf(stderr, "d must devide h without remainder!\n");

  120.     return;

  121.   }

  122.   params->h = h;

  123.   params->d = d;

  124.   params->m = m;

  125.   params->n = n;

  126.   params->index_len = (h + 7) / 8;

  127.   xmss_params xmss_par;

  128.   xmss_set_params(&xmss_par, m, n, (h/d), w);

  129.   params->xmss_par = xmss_par;

  130. }

  131. 

  132. /**

  133.  * Computes a leaf from a WOTS public key using an L-tree.

  134.  */

  135. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  136. {

  137.   unsigned int l = params->wots_par.len;

  138.   unsigned int n = params->n;

  139.   unsigned long i = 0;

  140.   unsigned int height = 0;

  141. 

  142.   //ADRS.setTreeHeight(0);

  143.   SET_LTREE_TREE_HEIGHT(addr, height);

  144.   unsigned long bound;

  145.   while (l > 1) {

  146.      bound = l >> 1; //floor(l / 2);

  147.      for (i = 0; i < bound; i++) {

  148.        //ADRS.setTreeIndex(i);

  149.        SET_LTREE_TREE_INDEX(addr, i);

  150.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  151.        hash_2n_n(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);

  152.      }

  153.      //if ( l % 2 == 1 ) {

  154.      if (l & 1) {

  155.        //pk[floor(l / 2) + 1] = pk[l];

  156.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  157.        //l = ceil(l / 2);

  158.        l=(l>>1)+1;

  159.      }

  160.      else {

  161.        //l = ceil(l / 2);

  162.        l=(l>>1);

  163.      }

  164.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  165.      height++;

  166.      SET_LTREE_TREE_HEIGHT(addr, height);

  167.    }

  168.    //return pk[0];

  169.    memcpy(leaf, wots_pk, n);

  170. }

  171. 

  172. /**

  173.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  174.  */

  175. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  176. {

  177.   unsigned char seed[params->n];

  178.   unsigned char pk[params->wots_par.keysize];

  179. 

  180.   get_seed(seed, sk_seed, params->n, ots_addr);

  181.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  182. 

  183.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  184. }

  185. 

  186. /**

  187.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  188.  * Currently only used for key generation.

  189.  *

  190.  */

  191. static void treehash(unsigned char *node, int height, int index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  192. {

  193. 

  194.   unsigned int idx = index;

  195.   unsigned int n = params->n;

  196.   // use three different addresses because at this point we use all three formats in parallel

  197.   unsigned char ots_addr[16];

  198.   unsigned char ltree_addr[16];

  199.   unsigned char node_addr[16];

  200.   memcpy(ots_addr, addr, 10);

  201.   SET_OTS_BIT(ots_addr, 1);

  202.   memcpy(ltree_addr, addr, 10);

  203.   SET_OTS_BIT(ltree_addr, 0);

  204.   SET_LTREE_BIT(ltree_addr, 1);

  205.   memcpy(node_addr, ltree_addr, 10);

  206.   SET_LTREE_BIT(node_addr, 0);

  207.   SET_NODE_PADDING(node_addr);

  208. 

  209.   unsigned int lastnode, i;

  210.   unsigned char stack[(height+1)*n];

  211.   unsigned int stacklevels[height+1];

  212.   unsigned int stackoffset=0;

  213. 

  214.   lastnode = idx+(1 << height);

  215. 

  216.   for (; idx < lastnode; idx++) {

  217.     SET_LTREE_ADDRESS(ltree_addr, idx);

  218.     SET_OTS_ADDRESS(ots_addr, idx);

  219.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  220.     stacklevels[stackoffset] = 0;

  221.     stackoffset++;

  222.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  223.       SET_NODE_TREE_HEIGHT(node_addr, stacklevels[stackoffset-1]);

  224.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  225.       hash_2n_n(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  226.           node_addr, n);

  227.       stacklevels[stackoffset-2]++;

  228.       stackoffset--;

  229.     }

  230.   }

  231.   for (i=0; i < n; i++)

  232.     node[i] = stack[i];

  233. }

  234. 

  235. /**

  236.  * Computes a root node given a leaf and an authapth

  237.  */

  238. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  239. {

  240.   unsigned int n = params->n;

  241. 

  242.   unsigned int i, j;

  243.   unsigned char buffer[2*n];

  244. 

  245.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  246.   // Otherwise, it is the other way around

  247.   if (leafidx & 1) {

  248.     for (j = 0; j < n; j++)

  249.       buffer[n+j] = leaf[j];

  250.     for (j = 0; j < n; j++)

  251.       buffer[j] = authpath[j];

  252.   }

  253.   else {

  254.     for (j = 0; j < n; j++)

  255.       buffer[j] = leaf[j];

  256.     for (j = 0; j < n; j++)

  257.       buffer[n+j] = authpath[j];

  258.   }

  259.   authpath += n;

  260. 

  261.   for (i=0; i < params->h-1; i++) {

  262.     SET_NODE_TREE_HEIGHT(addr, i);

  263.     leafidx >>= 1;

  264.     SET_NODE_TREE_INDEX(addr, leafidx);

  265.     if (leafidx&1) {

  266.       hash_2n_n(buffer+n, buffer, pub_seed, addr, n);

  267.       for (j = 0; j < n; j++)

  268.         buffer[j] = authpath[j];

  269.     }

  270.     else {

  271.       hash_2n_n(buffer, buffer, pub_seed, addr, n);

  272.       for (j = 0; j < n; j++)

  273.         buffer[j+n] = authpath[j];

  274.     }

  275.     authpath += n;

  276.   }

  277.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  278.   leafidx >>= 1;

  279.   SET_NODE_TREE_INDEX(addr, leafidx);

  280.   hash_2n_n(root, buffer, pub_seed, addr, n);

  281. }

  282. 

  283. /**

  284.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  285.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  286.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  287.  */

  288. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  289. {

  290.   unsigned int i, j, level;

  291.   unsigned int n = params->n;

  292.   unsigned int h = params->h;

  293. 

  294.   unsigned char tree[2*(1<<h)*n];

  295. 

  296.   unsigned char ots_addr[16];

  297.   unsigned char ltree_addr[16];

  298.   unsigned char node_addr[16];

  299. 

  300.   memcpy(ots_addr, addr, 10);

  301.   SET_OTS_BIT(ots_addr, 1);

  302.   memcpy(ltree_addr, addr, 10);

  303.   SET_OTS_BIT(ltree_addr, 0);

  304.   SET_LTREE_BIT(ltree_addr, 1);

  305.   memcpy(node_addr, ltree_addr, 10);

  306.   SET_LTREE_BIT(node_addr, 0);

  307.   SET_NODE_PADDING(node_addr);

  308. 

  309. 

  310.   // Compute all leaves

  311.   for (i = 0; i < (1U << h); i++) {

  312.     SET_LTREE_ADDRESS(ltree_addr, i);

  313.     SET_OTS_ADDRESS(ots_addr, i);

  314.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  315.   }

  316. 

  317. 

  318.   level = 0;

  319.   // Compute tree:

  320.   // Outer loop: For each inner layer

  321.   for (i = (1<<h); i > 1; i>>=1) {

  322.     SET_NODE_TREE_HEIGHT(node_addr, level);

  323.     // Inner loop: for each pair of sibling nodes

  324.     for (j = 0; j < i; j+=2) {

  325.       SET_NODE_TREE_INDEX(node_addr, j>>1);

  326.       hash_2n_n(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n);

  327.     }

  328.     level++;

  329.   }

  330. 

  331.   // copy authpath

  332.   for (i=0; i < h; i++)

  333.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  334. 

  335.   // copy root

  336.   memcpy(root, tree+n, n);

  337. }

  338. 

  339. 

  340. /*

  341.  * Generates a XMSS key pair for a given parameter set.

  342.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  343.  * Format pk: [root || PUB_SEED] omitting algo oid.

  344.  */

  345. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  346. {

  347.   unsigned int n = params->n;

  348.   unsigned int m = params->m;

  349.   // Set idx = 0

  350.   sk[0] = 0;

  351.   sk[1] = 0;

  352.   sk[2] = 0;

  353.   sk[3] = 0;

  354.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  355.   randombytes(sk+4, 2*n+m);

  356.   // Copy PUB_SEED to public key

  357.   memcpy(pk+n, sk+4+n+m, n);

  358. 

  359.   unsigned char addr[16] = {0, 0, 0, 0};

  360.   // Compute root

  361.   treehash(pk, params->h, 0, sk+4, params, sk+4+n+m, addr);

  362.   return 0;

  363. }

  364. 

  365. /**

  366.  * Signs a message.

  367.  * Returns

  368.  * 1. an array containing the signature followed by the message AND

  369.  * 2. an updated secret key!

  370.  *

  371.  */

  372. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  373. {

  374.   unsigned int n = params->n;

  375.   unsigned int m = params->m;

  376. 

  377.   // Extract SK

  378.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  379.   unsigned char sk_seed[n];

  380.   memcpy(sk_seed, sk+4, n);

  381.   unsigned char sk_prf[m];

  382.   memcpy(sk_prf, sk+4+n, m);

  383.   unsigned char pub_seed[n];

  384.   memcpy(pub_seed, sk+4+n+m, n);

  385. 

  386.   // Update SK

  387.   sk[0] = ((idx + 1) >> 24) & 255;

  388.   sk[1] = ((idx + 1) >> 16) & 255;

  389.   sk[2] = ((idx + 1) >> 8) & 255;

  390.   sk[3] = (idx + 1) & 255;

  391.   // -- Secret key for this non-forward-secure version is now updated.

  392.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  393. 

  394.   // Init working params

  395.   unsigned long long i;

  396.   unsigned char R[m];

  397.   unsigned char msg_h[m];

  398.   unsigned char root[n];

  399.   unsigned char ots_seed[n];

  400.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  401. 

  402.   // ---------------------------------

  403.   // Message Hashing

  404.   // ---------------------------------

  405. 

  406.   // Message Hash:

  407.   // First compute pseudorandom key

  408.   prf_m(R, msg, msglen, sk_prf, m);

  409.   // Then use it for message digest

  410.   hash_m(msg_h, msg, msglen, R, m, m);

  411. 

  412.   // Start collecting signature

  413.   *sig_msg_len = 0;

  414. 

  415.   // Copy index to signature

  416.   sig_msg[0] = (idx >> 24) & 255;

  417.   sig_msg[1] = (idx >> 16) & 255;

  418.   sig_msg[2] = (idx >> 8) & 255;

  419.   sig_msg[3] = idx & 255;

  420. 

  421.   sig_msg += 4;

  422.   *sig_msg_len += 4;

  423. 

  424.   // Copy R to signature

  425.   for (i = 0; i < m; i++)

  426.     sig_msg[i] = R[i];

  427. 

  428.   sig_msg += m;

  429.   *sig_msg_len += m;

  430. 

  431.   // ----------------------------------

  432.   // Now we start to "really sign"

  433.   // ----------------------------------

  434. 

  435.   // Prepare Address

  436.   SET_OTS_BIT(ots_addr, 1);

  437.   SET_OTS_ADDRESS(ots_addr, idx);

  438. 

  439.   // Compute seed for OTS key pair

  440.   get_seed(ots_seed, sk_seed, n, ots_addr);

  441. 

  442.   // Compute WOTS signature

  443.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  444. 

  445.   sig_msg += params->wots_par.keysize;

  446.   *sig_msg_len += params->wots_par.keysize;

  447. 

  448.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  449.   sig_msg += params->h*n;

  450.   *sig_msg_len += params->h*n;

  451. 

  452.   //Whipe secret elements?

  453.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  454. 

  455.   memcpy(sig_msg, msg, msglen);

  456.   *sig_msg_len += msglen;

  457. 

  458.   return 0;

  459. }

  460. 

  461. /**

  462.  * Verifies a given message signature pair under a given public key.

  463.  */

  464. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  465. {

  466.   unsigned int n = params->n;

  467.   unsigned int m = params->m;

  468. 

  469.   unsigned long long i, m_len;

  470.   unsigned long idx=0;

  471.   unsigned char wots_pk[params->wots_par.keysize];

  472.   unsigned char pkhash[n];

  473.   unsigned char root[n];

  474.   unsigned char msg_h[m];

  475. 

  476.   unsigned char pub_seed[n];

  477.   memcpy(pub_seed, pk+n, n);

  478. 

  479.   // Init addresses

  480.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  481.   unsigned char ltree_addr[16];

  482.   unsigned char node_addr[16];

  483. 

  484.   SET_OTS_BIT(ots_addr, 1);

  485. 

  486.   memcpy(ltree_addr, ots_addr, 10);

  487.   SET_OTS_BIT(ltree_addr, 0);

  488.   SET_LTREE_BIT(ltree_addr, 1);

  489. 

  490.   memcpy(node_addr, ltree_addr, 10);

  491.   SET_LTREE_BIT(node_addr, 0);

  492.   SET_NODE_PADDING(node_addr);

  493. 

  494.   // Extract index

  495.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  496.   printf("verify:: idx = %lu\n", idx);

  497.   sig_msg += 4;

  498.   sig_msg_len -= 4;

  499. 

  500.   // hash message (recall, R is now on pole position at sig_msg

  501.   unsigned long long tmp_sig_len = m+params->wots_par.keysize+params->h*n;

  502.   m_len = sig_msg_len - tmp_sig_len;

  503.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  504. 

  505.   sig_msg += m;

  506.   sig_msg_len -= m;

  507. 

  508.   //-----------------------

  509.   // Verify signature

  510.   //-----------------------

  511. 

  512.   // Prepare Address

  513.   SET_OTS_ADDRESS(ots_addr, idx);

  514.   // Check WOTS signature

  515.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  516. 

  517.   sig_msg += params->wots_par.keysize;

  518.   sig_msg_len -= params->wots_par.keysize;

  519. 

  520.   // Compute Ltree

  521.   SET_LTREE_ADDRESS(ltree_addr, idx);

  522.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  523. 

  524.   // Compute root

  525.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  526. 

  527.   sig_msg += params->h*n;

  528.   sig_msg_len -= params->h*n;

  529. 

  530.   for (i=0; i < n; i++)

  531.     if (root[i] != pk[i])

  532.       goto fail;

  533. 

  534.   *msglen = sig_msg_len;

  535.   for (i=0; i < *msglen; i++)

  536.     msg[i] = sig_msg[i];

  537. 

  538.   return 0;

  539. 

  540. 

  541. fail:

  542.   *msglen = sig_msg_len;

  543.   for (i=0; i < *msglen; i++)

  544.     msg[i] = 0;

  545.   *msglen = -1;

  546.   return -1;

  547. }

  548. 

  549. /*

  550.  * Generates a XMSSMT key pair for a given parameter set.

  551.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  552.  * Format pk: [root || PUB_SEED] omitting algo oid.

  553.  */

  554. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  555. {

  556.   unsigned int n = params->n;

  557.   unsigned int m = params->m;

  558.   unsigned int i;

  559.   // Set idx = 0

  560.   for (i = 0; i < params->index_len; i++) {

  561.     sk[i] = 0;

  562.   }

  563.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  564.   randombytes(sk+params->index_len, 2*n+m);

  565.   // Copy PUB_SEED to public key

  566.   memcpy(pk+n, sk+params->index_len+n+m, n);

  567. 

  568.   // Set address to point on the single tree on layer d-1

  569.   unsigned char addr[16] = {0, 0, 0, 0};

  570.   SET_LAYER_ADDRESS(addr, (params->d-1));

  571. 

  572.   // Compute root

  573.   treehash(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  574.   return 0;

  575. }

  576. 

  577. /**

  578.  * Signs a message.

  579.  * Returns

  580.  * 1. an array containing the signature followed by the message AND

  581.  * 2. an updated secret key!

  582.  *

  583.  */

  584. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  585. {

  586.   unsigned int n = params->n;

  587.   unsigned int m = params->m;

  588.   unsigned int tree_h = params->xmss_par.h;

  589.   unsigned int idx_len = params->index_len;

  590.   unsigned long long idx_tree;

  591.   unsigned long long idx_leaf;

  592.   unsigned long long i;

  593. 

  594.   unsigned char sk_seed[n];

  595.   unsigned char sk_prf[m];

  596.   unsigned char pub_seed[n];

  597.   // Init working params

  598.   unsigned char R[m];

  599.   unsigned char msg_h[m];

  600.   unsigned char root[n];

  601.   unsigned char ots_seed[n];

  602.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  603. 

  604.   // Extract SK

  605.   unsigned long long idx = 0;

  606.   for (i = 0; i < idx_len; i++) {

  607.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  608.   }

  609. 

  610.   memcpy(sk_seed, sk+idx_len, n);

  611.   memcpy(sk_prf, sk+idx_len+n, m);

  612.   memcpy(pub_seed, sk+idx_len+n+m, n);

  613. 

  614.   // Update SK

  615.   for (i = 0; i < idx_len; i++) {

  616.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  617.   }

  618.   // -- Secret key for this non-forward-secure version is now updated.

  619.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  620. 

  621. 

  622.   // ---------------------------------

  623.   // Message Hashing

  624.   // ---------------------------------

  625. 

  626.   // Message Hash:

  627.   // First compute pseudorandom key

  628.   prf_m(R, msg, msglen, sk_prf, m);

  629.   // Then use it for message digest

  630.   hash_m(msg_h, msg, msglen, R, m, m);

  631. 

  632.   // Start collecting signature

  633.   *sig_msg_len = 0;

  634. 

  635.   // Copy index to signature

  636.   for (i = 0; i < idx_len; i++) {

  637.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  638.   }

  639. 

  640.   sig_msg += idx_len;

  641.   *sig_msg_len += idx_len;

  642. 

  643.   // Copy R to signature

  644.   for (i=0; i < m; i++)

  645.     sig_msg[i] = R[i];

  646. 

  647.   sig_msg += m;

  648.   *sig_msg_len += m;

  649. 

  650.   // ----------------------------------

  651.   // Now we start to "really sign"

  652.   // ----------------------------------

  653. 

  654.   // Handle lowest layer separately as it is slightly different...

  655. 

  656.   // Prepare Address

  657.   SET_OTS_BIT(ots_addr, 1);

  658.   idx_tree = idx >> tree_h;

  659.   idx_leaf = (idx & ((1 << tree_h)-1));

  660.   SET_LAYER_ADDRESS(ots_addr, 0);

  661.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  662.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  663. 

  664.   // Compute seed for OTS key pair

  665.   get_seed(ots_seed, sk_seed, n, ots_addr);

  666. 

  667.   // Compute WOTS signature

  668.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  669. 

  670.   sig_msg += params->xmss_par.wots_par.keysize;

  671.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  672. 

  673.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  674.   sig_msg += tree_h*n;

  675.   *sig_msg_len += tree_h*n;

  676. 

  677.   // Now loop over remaining layers...

  678.   unsigned int j;

  679.   for (j = 1; j < params->d; j++) {

  680.     // Prepare Address

  681.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  682.     idx_tree = idx_tree >> tree_h;

  683.     SET_LAYER_ADDRESS(ots_addr, j);

  684.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  685.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  686. 

  687.     // Compute seed for OTS key pair

  688.     get_seed(ots_seed, sk_seed, n, ots_addr);

  689. 

  690.     // Compute WOTS signature

  691.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  692. 

  693.     sig_msg += params->xmss_par.wots_par.keysize;

  694.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  695. 

  696.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  697.     sig_msg += tree_h*n;

  698.     *sig_msg_len += tree_h*n;

  699.   }

  700. 

  701.   //Whipe secret elements?

  702.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  703. 

  704.   memcpy(sig_msg, msg, msglen);

  705.   *sig_msg_len += msglen;

  706. 

  707.   return 0;

  708. }

  709. 

  710. /**

  711.  * Verifies a given message signature pair under a given public key.

  712.  */

  713. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  714. {

  715.   unsigned int n = params->n;

  716.   unsigned int m = params->m;

  717. 

  718.   unsigned int tree_h = params->xmss_par.h;

  719.   unsigned int idx_len = params->index_len;

  720.   unsigned long long idx_tree;

  721.   unsigned long long idx_leaf;

  722. 

  723.   unsigned long long i, m_len;

  724.   unsigned long long idx=0;

  725.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  726.   unsigned char pkhash[n];

  727.   unsigned char root[n];

  728.   unsigned char msg_h[m];

  729. 

  730.   unsigned char pub_seed[n];

  731.   memcpy(pub_seed, pk+n, n);

  732. 

  733.   // Init addresses

  734.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  735.   unsigned char ltree_addr[16];

  736.   unsigned char node_addr[16];

  737. 

  738.   // Extract index

  739.   for (i = 0; i < idx_len; i++) {

  740.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  741.   }

  742.   printf("verify:: idx = %llu\n", idx);

  743.   sig_msg += idx_len;

  744.   sig_msg_len -= idx_len;

  745. 

  746.   // hash message (recall, R is now on pole position at sig_msg

  747.   unsigned long long tmp_sig_len = m+ (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  748.   m_len = sig_msg_len - tmp_sig_len;

  749.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  750. 

  751.   sig_msg += m;

  752.   sig_msg_len -= m;

  753. 

  754.   //-----------------------

  755.   // Verify signature

  756.   //-----------------------

  757. 

  758.   // Prepare Address

  759.   idx_tree = idx >> tree_h;

  760.   idx_leaf = (idx & ((1 << tree_h)-1));

  761.   SET_LAYER_ADDRESS(ots_addr, 0);

  762.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  763.   SET_OTS_BIT(ots_addr, 1);

  764. 

  765.   memcpy(ltree_addr, ots_addr, 10);

  766.   SET_OTS_BIT(ltree_addr, 0);

  767.   SET_LTREE_BIT(ltree_addr, 1);

  768. 

  769.   memcpy(node_addr, ltree_addr, 10);

  770.   SET_LTREE_BIT(node_addr, 0);

  771.   SET_NODE_PADDING(node_addr);

  772. 

  773.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  774. 

  775.   // Check WOTS signature

  776.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  777. 

  778.   sig_msg += params->xmss_par.wots_par.keysize;

  779.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  780. 

  781.   // Compute Ltree

  782.   SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  783.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  784. 

  785.   // Compute root

  786.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  787. 

  788.   sig_msg += tree_h*n;

  789.   sig_msg_len -= tree_h*n;

  790. 

  791.   for (i = 1; i < params->d; i++) {

  792.     // Prepare Address

  793.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  794.     idx_tree = idx_tree >> tree_h;

  795. 

  796.     SET_LAYER_ADDRESS(ots_addr, i);

  797.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  798.     SET_OTS_BIT(ots_addr, 1);

  799. 

  800.     memcpy(ltree_addr, ots_addr, 10);

  801.     SET_OTS_BIT(ltree_addr, 0);

  802.     SET_LTREE_BIT(ltree_addr, 1);

  803. 

  804.     memcpy(node_addr, ltree_addr, 10);

  805.     SET_LTREE_BIT(node_addr, 0);

  806.     SET_NODE_PADDING(node_addr);

  807. 

  808.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  809. 

  810.     // Check WOTS signature

  811.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  812. 

  813.     sig_msg += params->xmss_par.wots_par.keysize;

  814.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  815. 

  816.     // Compute Ltree

  817.     SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  818.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  819. 

  820.     // Compute root

  821.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  822. 

  823.     sig_msg += tree_h*n;

  824.     sig_msg_len -= tree_h*n;

  825. 

  826.   }

  827. 

  828.   for (i=0; i < n; i++)

  829.     if (root[i] != pk[i])

  830.       goto fail;

  831. 

  832.   *msglen = sig_msg_len;

  833.   for (i=0; i < *msglen; i++)

  834.     msg[i] = sig_msg[i];

  835. 

  836.   return 0;

  837. 

  838. 

  839. fail:

  840.   *msglen = sig_msg_len;

  841.   for (i=0; i < *msglen; i++)

  842.     msg[i] = 0;

  843.   *msglen = -1;

  844.   return -1;

  845. }