kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
72 Commits
1 Branch
488 KiB
 
 
Tree: 305bd614bb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '305bd614bb'
${ noResults }
xmss-KAT-generator/xmss_core_fast.c

706 lines
25 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "xmss_commons.h"

  11. #include "xmss_core_fast.h"

  12. 

  13. /**

  14.  * Initialize BDS state struct

  15.  * parameter names are the same as used in the description of the BDS traversal

  16.  */

  17. void xmss_set_bds_state(bds_state *state, unsigned char *stack,

  18.                         int stackoffset, unsigned char *stacklevels,

  19.                         unsigned char *auth, unsigned char *keep,

  20.                         treehash_inst *treehash, unsigned char *retain,

  21.                         int next_leaf)

  22. {

  23.     state->stack = stack;

  24.     state->stackoffset = stackoffset;

  25.     state->stacklevels = stacklevels;

  26.     state->auth = auth;

  27.     state->keep = keep;

  28.     state->treehash = treehash;

  29.     state->retain = retain;

  30.     state->next_leaf = next_leaf;

  31. }

  32. 

  33. static int treehash_minheight_on_stack(const xmss_params *params,

  34.                                        bds_state* state,

  35.                                        const treehash_inst *treehash)

  36. {

  37.     unsigned int r = params->tree_height, i;

  38. 

  39.     for (i = 0; i < treehash->stackusage; i++) {

  40.         if (state->stacklevels[state->stackoffset - i - 1] < r) {

  41.             r = state->stacklevels[state->stackoffset - i - 1];

  42.         }

  43.     }

  44.     return r;

  45. }

  46. 

  47. /**

  48.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  49.  * Currently only used for key generation.

  50.  *

  51.  */

  52. static void treehash_init(const xmss_params *params,

  53.                           unsigned char *node, int height, int index,

  54.                           bds_state *state, const unsigned char *sk_seed,

  55.                           const unsigned char *pub_seed, const uint32_t addr[8])

  56. {

  57.     unsigned int idx = index;

  58.     // use three different addresses because at this point we use all three formats in parallel

  59.     uint32_t ots_addr[8];

  60.     uint32_t ltree_addr[8];

  61.     uint32_t node_addr[8];

  62.     // only copy layer and tree address parts

  63.     memcpy(ots_addr, addr, 12);

  64.     // type = ots

  65.     set_type(ots_addr, 0);

  66.     memcpy(ltree_addr, addr, 12);

  67.     set_type(ltree_addr, 1);

  68.     memcpy(node_addr, addr, 12);

  69.     set_type(node_addr, 2);

  70. 

  71.     uint32_t lastnode, i;

  72.     unsigned char stack[(height+1)*params->n];

  73.     unsigned int stacklevels[height+1];

  74.     unsigned int stackoffset=0;

  75.     unsigned int nodeh;

  76. 

  77.     lastnode = idx+(1<<height);

  78. 

  79.     for (i = 0; i < params->tree_height-params->bds_k; i++) {

  80.         state->treehash[i].h = i;

  81.         state->treehash[i].completed = 1;

  82.         state->treehash[i].stackusage = 0;

  83.     }

  84. 

  85.     i = 0;

  86.     for (; idx < lastnode; idx++) {

  87.         set_ltree_addr(ltree_addr, idx);

  88.         set_ots_addr(ots_addr, idx);

  89.         gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  90.         stacklevels[stackoffset] = 0;

  91.         stackoffset++;

  92.         if (params->tree_height - params->bds_k > 0 && i == 3) {

  93.             memcpy(state->treehash[0].node, stack+stackoffset*params->n, params->n);

  94.         }

  95.         while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  96.             nodeh = stacklevels[stackoffset-1];

  97.             if (i >> nodeh == 1) {

  98.                 memcpy(state->auth + nodeh*params->n, stack+(stackoffset-1)*params->n, params->n);

  99.             }

  100.             else {

  101.                 if (nodeh < params->tree_height - params->bds_k && i >> nodeh == 3) {

  102.                     memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*params->n, params->n);

  103.                 }

  104.                 else if (nodeh >= params->tree_height - params->bds_k) {

  105.                     memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((i >> nodeh) - 3) >> 1)) * params->n, stack+(stackoffset-1)*params->n, params->n);

  106.                 }

  107.             }

  108.             set_tree_height(node_addr, stacklevels[stackoffset-1]);

  109.             set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  110.             hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);

  111.             stacklevels[stackoffset-2]++;

  112.             stackoffset--;

  113.         }

  114.         i++;

  115.     }

  116. 

  117.     for (i = 0; i < params->n; i++) {

  118.         node[i] = stack[i];

  119.     }

  120. }

  121. 

  122. static void treehash_update(const xmss_params *params,

  123.                             treehash_inst *treehash, bds_state *state,

  124.                             const unsigned char *sk_seed,

  125.                             const unsigned char *pub_seed,

  126.                             const uint32_t addr[8])

  127. {

  128.     uint32_t ots_addr[8];

  129.     uint32_t ltree_addr[8];

  130.     uint32_t node_addr[8];

  131.     // only copy layer and tree address parts

  132.     memcpy(ots_addr, addr, 12);

  133.     // type = ots

  134.     set_type(ots_addr, 0);

  135.     memcpy(ltree_addr, addr, 12);

  136.     set_type(ltree_addr, 1);

  137.     memcpy(node_addr, addr, 12);

  138.     set_type(node_addr, 2);

  139. 

  140.     set_ltree_addr(ltree_addr, treehash->next_idx);

  141.     set_ots_addr(ots_addr, treehash->next_idx);

  142. 

  143.     unsigned char nodebuffer[2 * params->n];

  144.     unsigned int nodeheight = 0;

  145.     gen_leaf_wots(params, nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);

  146.     while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  147.         memcpy(nodebuffer + params->n, nodebuffer, params->n);

  148.         memcpy(nodebuffer, state->stack + (state->stackoffset-1)*params->n, params->n);

  149.         set_tree_height(node_addr, nodeheight);

  150.         set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));

  151.         hash_h(params, nodebuffer, nodebuffer, pub_seed, node_addr);

  152.         nodeheight++;

  153.         treehash->stackusage--;

  154.         state->stackoffset--;

  155.     }

  156.     if (nodeheight == treehash->h) { // this also implies stackusage == 0

  157.         memcpy(treehash->node, nodebuffer, params->n);

  158.         treehash->completed = 1;

  159.     }

  160.     else {

  161.         memcpy(state->stack + state->stackoffset*params->n, nodebuffer, params->n);

  162.         treehash->stackusage++;

  163.         state->stacklevels[state->stackoffset] = nodeheight;

  164.         state->stackoffset++;

  165.         treehash->next_idx++;

  166.     }

  167. }

  168. 

  169. /**

  170.  * Performs one treehash update on the instance that needs it the most.

  171.  * Returns 1 if such an instance was not found

  172.  **/

  173. static char bds_treehash_update(const xmss_params *params,

  174.                                 bds_state *state, unsigned int updates,

  175.                                 const unsigned char *sk_seed,

  176.                                 unsigned char *pub_seed,

  177.                                 const uint32_t addr[8])

  178. {

  179.     uint32_t i, j;

  180.     unsigned int level, l_min, low;

  181.     unsigned int used = 0;

  182. 

  183.     for (j = 0; j < updates; j++) {

  184.         l_min = params->tree_height;

  185.         level = params->tree_height - params->bds_k;

  186.         for (i = 0; i < params->tree_height - params->bds_k; i++) {

  187.             if (state->treehash[i].completed) {

  188.                 low = params->tree_height;

  189.             }

  190.             else if (state->treehash[i].stackusage == 0) {

  191.                 low = i;

  192.             }

  193.             else {

  194.                 low = treehash_minheight_on_stack(params, state, &(state->treehash[i]));

  195.             }

  196.             if (low < l_min) {

  197.                 level = i;

  198.                 l_min = low;

  199.             }

  200.         }

  201.         if (level == params->tree_height - params->bds_k) {

  202.             break;

  203.         }

  204.         treehash_update(params, &(state->treehash[level]), state, sk_seed, pub_seed, addr);

  205.         used++;

  206.     }

  207.     return updates - used;

  208. }

  209. 

  210. /**

  211.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  212.  * Returns 1 if all leaf nodes have already been processed

  213.  **/

  214. static char bds_state_update(const xmss_params *params,

  215.                              bds_state *state, const unsigned char *sk_seed,

  216.                              const unsigned char *pub_seed,

  217.                              const uint32_t addr[8])

  218. {

  219.     uint32_t ltree_addr[8];

  220.     uint32_t node_addr[8];

  221.     uint32_t ots_addr[8];

  222. 

  223.     unsigned int nodeh;

  224.     int idx = state->next_leaf;

  225.     if (idx == 1 << params->tree_height) {

  226.         return 1;

  227.     }

  228. 

  229.     // only copy layer and tree address parts

  230.     memcpy(ots_addr, addr, 12);

  231.     // type = ots

  232.     set_type(ots_addr, 0);

  233.     memcpy(ltree_addr, addr, 12);

  234.     set_type(ltree_addr, 1);

  235.     memcpy(node_addr, addr, 12);

  236.     set_type(node_addr, 2);

  237. 

  238.     set_ots_addr(ots_addr, idx);

  239.     set_ltree_addr(ltree_addr, idx);

  240. 

  241.     gen_leaf_wots(params, state->stack+state->stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  242. 

  243.     state->stacklevels[state->stackoffset] = 0;

  244.     state->stackoffset++;

  245.     if (params->tree_height - params->bds_k > 0 && idx == 3) {

  246.         memcpy(state->treehash[0].node, state->stack+state->stackoffset*params->n, params->n);

  247.     }

  248.     while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  249.         nodeh = state->stacklevels[state->stackoffset-1];

  250.         if (idx >> nodeh == 1) {

  251.             memcpy(state->auth + nodeh*params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  252.         }

  253.         else {

  254.             if (nodeh < params->tree_height - params->bds_k && idx >> nodeh == 3) {

  255.                 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*params->n, params->n);

  256.             }

  257.             else if (nodeh >= params->tree_height - params->bds_k) {

  258.                 memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((idx >> nodeh) - 3) >> 1)) * params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  259.             }

  260.         }

  261.         set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);

  262.         set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  263.         hash_h(params, state->stack+(state->stackoffset-2)*params->n, state->stack+(state->stackoffset-2)*params->n, pub_seed, node_addr);

  264. 

  265.         state->stacklevels[state->stackoffset-2]++;

  266.         state->stackoffset--;

  267.     }

  268.     state->next_leaf++;

  269.     return 0;

  270. }

  271. 

  272. /**

  273.  * Returns the auth path for node leaf_idx and computes the auth path for the

  274.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  275.  * in "Post Quantum Cryptography", Springer 2009.

  276.  */

  277. static void bds_round(const xmss_params *params,

  278.                       bds_state *state, const unsigned long leaf_idx,

  279.                       const unsigned char *sk_seed,

  280.                       const unsigned char *pub_seed, uint32_t addr[8])

  281. {

  282.     unsigned int i;

  283.     unsigned int tau = params->tree_height;

  284.     unsigned int startidx;

  285.     unsigned int offset, rowidx;

  286.     unsigned char buf[2 * params->n];

  287. 

  288.     uint32_t ots_addr[8];

  289.     uint32_t ltree_addr[8];

  290.     uint32_t node_addr[8];

  291.     // only copy layer and tree address parts

  292.     memcpy(ots_addr, addr, 12);

  293.     // type = ots

  294.     set_type(ots_addr, 0);

  295.     memcpy(ltree_addr, addr, 12);

  296.     set_type(ltree_addr, 1);

  297.     memcpy(node_addr, addr, 12);

  298.     set_type(node_addr, 2);

  299. 

  300.     for (i = 0; i < params->tree_height; i++) {

  301.         if (! ((leaf_idx >> i) & 1)) {

  302.             tau = i;

  303.             break;

  304.         }

  305.     }

  306. 

  307.     if (tau > 0) {

  308.         memcpy(buf, state->auth + (tau-1) * params->n, params->n);

  309.         // we need to do this before refreshing state->keep to prevent overwriting

  310.         memcpy(buf + params->n, state->keep + ((tau-1) >> 1) * params->n, params->n);

  311.     }

  312.     if (!((leaf_idx >> (tau + 1)) & 1) && (tau < params->tree_height - 1)) {

  313.         memcpy(state->keep + (tau >> 1)*params->n, state->auth + tau*params->n, params->n);

  314.     }

  315.     if (tau == 0) {

  316.         set_ltree_addr(ltree_addr, leaf_idx);

  317.         set_ots_addr(ots_addr, leaf_idx);

  318.         gen_leaf_wots(params, state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);

  319.     }

  320.     else {

  321.         set_tree_height(node_addr, (tau-1));

  322.         set_tree_index(node_addr, leaf_idx >> tau);

  323.         hash_h(params, state->auth + tau * params->n, buf, pub_seed, node_addr);

  324.         for (i = 0; i < tau; i++) {

  325.             if (i < params->tree_height - params->bds_k) {

  326.                 memcpy(state->auth + i * params->n, state->treehash[i].node, params->n);

  327.             }

  328.             else {

  329.                 offset = (1 << (params->tree_height - 1 - i)) + i - params->tree_height;

  330.                 rowidx = ((leaf_idx >> i) - 1) >> 1;

  331.                 memcpy(state->auth + i * params->n, state->retain + (offset + rowidx) * params->n, params->n);

  332.             }

  333.         }

  334. 

  335.         for (i = 0; i < ((tau < params->tree_height - params->bds_k) ? tau : (params->tree_height - params->bds_k)); i++) {

  336.             startidx = leaf_idx + 1 + 3 * (1 << i);

  337.             if (startidx < 1U << params->tree_height) {

  338.                 state->treehash[i].h = i;

  339.                 state->treehash[i].next_idx = startidx;

  340.                 state->treehash[i].completed = 0;

  341.                 state->treehash[i].stackusage = 0;

  342.             }

  343.         }

  344.     }

  345. }

  346. 

  347. /*

  348.  * Generates a XMSS key pair for a given parameter set.

  349.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  350.  * Format pk: [root || PUB_SEED] omitting algo oid.

  351.  */

  352. int xmss_core_keypair(const xmss_params *params,

  353.                       unsigned char *pk, unsigned char *sk, bds_state *state)

  354. {

  355.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  356. 

  357.     // Set idx = 0

  358.     sk[0] = 0;

  359.     sk[1] = 0;

  360.     sk[2] = 0;

  361.     sk[3] = 0;

  362.     // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  363.     randombytes(sk + params->index_len, 3*params->n);

  364.     // Copy PUB_SEED to public key

  365.     memcpy(pk + params->n, sk + params->index_len + 2*params->n, params->n);

  366. 

  367.     // Compute root

  368.     treehash_init(params, pk, params->tree_height, 0, state, sk + params->index_len, sk + params->index_len + 2*params->n, addr);

  369.     // copy root o sk

  370.     memcpy(sk + params->index_len + 3*params->n, pk, params->n);

  371.     return 0;

  372. }

  373. 

  374. /**

  375.  * Signs a message.

  376.  * Returns

  377.  * 1. an array containing the signature followed by the message AND

  378.  * 2. an updated secret key!

  379.  *

  380.  */

  381. int xmss_core_sign(const xmss_params *params,

  382.                    unsigned char *sk, bds_state *state,

  383.                    unsigned char *sm, unsigned long long *smlen,

  384.                    const unsigned char *m, unsigned long long mlen)

  385. {

  386.     uint16_t i = 0;

  387. 

  388.     // Extract SK

  389.     unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  390.     unsigned char sk_seed[params->n];

  391.     memcpy(sk_seed, sk + params->index_len, params->n);

  392.     unsigned char sk_prf[params->n];

  393.     memcpy(sk_prf, sk + params->index_len + params->n, params->n);

  394.     unsigned char pub_seed[params->n];

  395.     memcpy(pub_seed, sk + params->index_len + 2*params->n, params->n);

  396. 

  397.     // index as 32 bytes string

  398.     unsigned char idx_bytes_32[32];

  399.     ull_to_bytes(idx_bytes_32, idx, 32);

  400. 

  401.     unsigned char hash_key[3*params->n];

  402. 

  403.     // Update SK

  404.     sk[0] = ((idx + 1) >> 24) & 255;

  405.     sk[1] = ((idx + 1) >> 16) & 255;

  406.     sk[2] = ((idx + 1) >> 8) & 255;

  407.     sk[3] = (idx + 1) & 255;

  408.     // Secret key for this non-forward-secure version is now updated.

  409.     // A production implementation should consider using a file handle instead,

  410.     //  and write the updated secret key at this point!

  411. 

  412.     // Init working params

  413.     unsigned char R[params->n];

  414.     unsigned char msg_h[params->n];

  415.     unsigned char ots_seed[params->n];

  416.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  417. 

  418.     // ---------------------------------

  419.     // Message Hashing

  420.     // ---------------------------------

  421. 

  422.     // Message Hash:

  423.     // First compute pseudorandom value

  424.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  425.     // Generate hash key (R || root || idx)

  426.     memcpy(hash_key, R, params->n);

  427.     memcpy(hash_key+params->n, sk+4+3*params->n, params->n);

  428.     ull_to_bytes(hash_key+2*params->n, idx, params->n);

  429.     // Then use it for message digest

  430.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  431. 

  432.     // Start collecting signature

  433.     *smlen = 0;

  434. 

  435.     // Copy index to signature

  436.     sm[0] = (idx >> 24) & 255;

  437.     sm[1] = (idx >> 16) & 255;

  438.     sm[2] = (idx >> 8) & 255;

  439.     sm[3] = idx & 255;

  440. 

  441.     sm += 4;

  442.     *smlen += 4;

  443. 

  444.     // Copy R to signature

  445.     for (i = 0; i < params->n; i++) {

  446.         sm[i] = R[i];

  447.     }

  448. 

  449.     sm += params->n;

  450.     *smlen += params->n;

  451. 

  452.     // ----------------------------------

  453.     // Now we start to "really sign"

  454.     // ----------------------------------

  455. 

  456.     // Prepare Address

  457.     set_type(ots_addr, 0);

  458.     set_ots_addr(ots_addr, idx);

  459. 

  460.     // Compute seed for OTS key pair

  461.     get_seed(params, ots_seed, sk_seed, ots_addr);

  462. 

  463.     // Compute WOTS signature

  464.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  465. 

  466.     sm += params->wots_keysize;

  467.     *smlen += params->wots_keysize;

  468. 

  469.     // the auth path was already computed during the previous round

  470.     memcpy(sm, state->auth, params->tree_height*params->n);

  471. 

  472.     if (idx < (1U << params->tree_height) - 1) {

  473.         bds_round(params, state, idx, sk_seed, pub_seed, ots_addr);

  474.         bds_treehash_update(params, state, (params->tree_height - params->bds_k) >> 1, sk_seed, pub_seed, ots_addr);

  475.     }

  476. 

  477.     sm += params->tree_height*params->n;

  478.     *smlen += params->tree_height*params->n;

  479. 

  480.     memcpy(sm, m, mlen);

  481.     *smlen += mlen;

  482. 

  483.     return 0;

  484. }

  485. 

  486. /*

  487.  * Generates a XMSSMT key pair for a given parameter set.

  488.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  489.  * Format pk: [root || PUB_SEED] omitting algo oid.

  490.  */

  491. int xmssmt_core_keypair(const xmss_params *params,

  492.                         unsigned char *pk, unsigned char *sk,

  493.                         bds_state *states, unsigned char *wots_sigs)

  494. {

  495.     unsigned char ots_seed[params->n];

  496.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  497.     unsigned int i;

  498. 

  499.     // Set idx = 0

  500.     for (i = 0; i < params->index_len; i++) {

  501.         sk[i] = 0;

  502.     }

  503.     // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)

  504.     randombytes(sk+params->index_len, 3*params->n);

  505.     // Copy PUB_SEED to public key

  506.     memcpy(pk+params->n, sk+params->index_len+2*params->n, params->n);

  507. 

  508.     // Start with the bottom-most layer

  509.     set_layer_addr(addr, 0);

  510.     // Set up state and compute wots signatures for all but topmost tree root

  511.     for (i = 0; i < params->d - 1; i++) {

  512.         // Compute seed for OTS key pair

  513.         treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);

  514.         set_layer_addr(addr, (i+1));

  515.         get_seed(params, ots_seed, sk + params->index_len, addr);

  516.         wots_sign(params, wots_sigs + i*params->wots_keysize, pk, ots_seed, pk+params->n, addr);

  517.     }

  518.     // Address now points to the single tree on layer d-1

  519.     treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);

  520.     memcpy(sk + params->index_len + 3*params->n, pk, params->n);

  521.     return 0;

  522. }

  523. 

  524. /**

  525.  * Signs a message.

  526.  * Returns

  527.  * 1. an array containing the signature followed by the message AND

  528.  * 2. an updated secret key!

  529.  *

  530.  */

  531. int xmssmt_core_sign(const xmss_params *params,

  532.                      unsigned char *sk,

  533.                      bds_state *states, unsigned char *wots_sigs,

  534.                      unsigned char *sm, unsigned long long *smlen,

  535.                      const unsigned char *m, unsigned long long mlen)

  536. {

  537.     uint64_t idx_tree;

  538.     uint32_t idx_leaf;

  539.     uint64_t i, j;

  540.     int needswap_upto = -1;

  541.     unsigned int updates;

  542. 

  543.     unsigned char sk_seed[params->n];

  544.     unsigned char sk_prf[params->n];

  545.     unsigned char pub_seed[params->n];

  546.     // Init working params

  547.     unsigned char R[params->n];

  548.     unsigned char msg_h[params->n];

  549.     unsigned char hash_key[3*params->n];

  550.     unsigned char ots_seed[params->n];

  551.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  552.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  553.     unsigned char idx_bytes_32[32];

  554.     bds_state tmp;

  555. 

  556.     // Extract SK

  557.     unsigned long long idx = 0;

  558.     for (i = 0; i < params->index_len; i++) {

  559.         idx |= ((unsigned long long)sk[i]) << 8*(params->index_len - 1 - i);

  560.     }

  561. 

  562.     memcpy(sk_seed, sk+params->index_len, params->n);

  563.     memcpy(sk_prf, sk+params->index_len+params->n, params->n);

  564.     memcpy(pub_seed, sk+params->index_len+2*params->n, params->n);

  565. 

  566.     // Update SK

  567.     for (i = 0; i < params->index_len; i++) {

  568.         sk[i] = ((idx + 1) >> 8*(params->index_len - 1 - i)) & 255;

  569.     }

  570.     // Secret key for this non-forward-secure version is now updated.

  571.     // A production implementation should consider using a file handle instead,

  572.     //  and write the updated secret key at this point!

  573. 

  574.     // ---------------------------------

  575.     // Message Hashing

  576.     // ---------------------------------

  577. 

  578.     // Message Hash:

  579.     // First compute pseudorandom value

  580.     ull_to_bytes(idx_bytes_32, idx, 32);

  581.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  582.     // Generate hash key (R || root || idx)

  583.     memcpy(hash_key, R, params->n);

  584.     memcpy(hash_key+params->n, sk+params->index_len+3*params->n, params->n);

  585.     ull_to_bytes(hash_key+2*params->n, idx, params->n);

  586. 

  587.     // Then use it for message digest

  588.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  589. 

  590.     // Start collecting signature

  591.     *smlen = 0;

  592. 

  593.     // Copy index to signature

  594.     for (i = 0; i < params->index_len; i++) {

  595.         sm[i] = (idx >> 8*(params->index_len - 1 - i)) & 255;

  596.     }

  597. 

  598.     sm += params->index_len;

  599.     *smlen += params->index_len;

  600. 

  601.     // Copy R to signature

  602.     for (i = 0; i < params->n; i++) {

  603.         sm[i] = R[i];

  604.     }

  605. 

  606.     sm += params->n;

  607.     *smlen += params->n;

  608. 

  609.     // ----------------------------------

  610.     // Now we start to "really sign"

  611.     // ----------------------------------

  612. 

  613.     // Handle lowest layer separately as it is slightly different...

  614. 

  615.     // Prepare Address

  616.     set_type(ots_addr, 0);

  617.     idx_tree = idx >> params->tree_height;

  618.     idx_leaf = (idx & ((1 << params->tree_height)-1));

  619.     set_layer_addr(ots_addr, 0);

  620.     set_tree_addr(ots_addr, idx_tree);

  621.     set_ots_addr(ots_addr, idx_leaf);

  622. 

  623.     // Compute seed for OTS key pair

  624.     get_seed(params, ots_seed, sk_seed, ots_addr);

  625. 

  626.     // Compute WOTS signature

  627.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  628. 

  629.     sm += params->wots_keysize;

  630.     *smlen += params->wots_keysize;

  631. 

  632.     memcpy(sm, states[0].auth, params->tree_height*params->n);

  633.     sm += params->tree_height*params->n;

  634.     *smlen += params->tree_height*params->n;

  635. 

  636.     // prepare signature of remaining layers

  637.     for (i = 1; i < params->d; i++) {

  638.         // put WOTS signature in place

  639.         memcpy(sm, wots_sigs + (i-1)*params->wots_keysize, params->wots_keysize);

  640. 

  641.         sm += params->wots_keysize;

  642.         *smlen += params->wots_keysize;

  643. 

  644.         // put AUTH nodes in place

  645.         memcpy(sm, states[i].auth, params->tree_height*params->n);

  646.         sm += params->tree_height*params->n;

  647.         *smlen += params->tree_height*params->n;

  648.     }

  649. 

  650.     updates = (params->tree_height - params->bds_k) >> 1;

  651. 

  652.     set_tree_addr(addr, (idx_tree + 1));

  653.     // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  654.     if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << params->full_height)) {

  655.         bds_state_update(params, &states[params->d], sk_seed, pub_seed, addr);

  656.     }

  657. 

  658.     for (i = 0; i < params->d; i++) {

  659.         // check if we're not at the end of a tree

  660.         if (! (((idx + 1) & ((1ULL << ((i+1)*params->tree_height)) - 1)) == 0)) {

  661.             idx_leaf = (idx >> (params->tree_height * i)) & ((1 << params->tree_height)-1);

  662.             idx_tree = (idx >> (params->tree_height * (i+1)));

  663.             set_layer_addr(addr, i);

  664.             set_tree_addr(addr, idx_tree);

  665.             if (i == (unsigned int) (needswap_upto + 1)) {

  666.                 bds_round(params, &states[i], idx_leaf, sk_seed, pub_seed, addr);

  667.             }

  668.             updates = bds_treehash_update(params, &states[i], updates, sk_seed, pub_seed, addr);

  669.             set_tree_addr(addr, (idx_tree + 1));

  670.             // if a NEXT-tree exists for this level;

  671.             if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << (params->full_height - params->tree_height * i))) {

  672.                 if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << params->full_height)) {

  673.                     bds_state_update(params, &states[params->d + i], sk_seed, pub_seed, addr);

  674.                     updates--;

  675.                 }

  676.             }

  677.         }

  678.         else if (idx < (1ULL << params->full_height) - 1) {

  679.             memcpy(&tmp, states+params->d + i, sizeof(bds_state));

  680.             memcpy(states+params->d + i, states + i, sizeof(bds_state));

  681.             memcpy(states + i, &tmp, sizeof(bds_state));

  682. 

  683.             set_layer_addr(ots_addr, (i+1));

  684.             set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * params->tree_height)));

  685.             set_ots_addr(ots_addr, (((idx >> ((i+1) * params->tree_height)) + 1) & ((1 << params->tree_height)-1)));

  686. 

  687.             get_seed(params, ots_seed, sk+params->index_len, ots_addr);

  688.             wots_sign(params, wots_sigs + i*params->wots_keysize, states[i].stack, ots_seed, pub_seed, ots_addr);

  689. 

  690.             states[params->d + i].stackoffset = 0;

  691.             states[params->d + i].next_leaf = 0;

  692. 

  693.             updates--; // WOTS-signing counts as one update

  694.             needswap_upto = i;

  695.             for (j = 0; j < params->tree_height-params->bds_k; j++) {

  696.                 states[i].treehash[j].completed = 1;

  697.             }

  698.         }

  699.     }

  700. 

  701.     memcpy(sm, m, mlen);

  702.     *smlen += mlen;

  703. 

  704.     return 0;

  705. }