kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44 Commits
1 Branch
488 KiB
 
 
Tree: 3c0f6668ef
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3c0f6668ef'
${ noResults }
xmss-KAT-generator/xmss_fast.c

1099 lines
32 KiB
Raw Blame History 

  1. /*

  2. xmss_fast.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss_fast.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. 

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. // For testing

  21. #include "stdio.h"

  22. 

  23. 

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes n byte sk_seed and returns n byte seed using 32 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8], unsigned char hash_alg)

  32. {

  33.   unsigned char bytes[32];

  34.   // Make sure that chain addr, hash addr, and key bit are 0!

  35.   setChainADRS(addr,0);

  36.   setHashADRS(addr,0);

  37.   setKeyAndMask(addr,0);

  38.   // Generate pseudorandom value

  39.   addr_to_byte(bytes, addr);

  40.   prf(seed, bytes, sk_seed, n, hash_alg);

  41. }

  42. 

  43. /**

  44.  * Initialize xmss params struct

  45.  * parameter names are the same as in the draft

  46.  * parameter k is K as used in the BDS algorithm

  47.  */

  48. int xmss_set_params(xmss_params *params, int n, int h, int w, int k, unsigned char hash_alg)

  49. {

  50.   if (k >= h || k < 2 || (h - k) % 2) {

  51.     fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n");

  52.     return 1;

  53.   }

  54.   params->h = h;

  55.   params->n = n;

  56.   params->k = k;

  57.   wots_params wots_par;

  58.   wots_set_params(&wots_par, n, w, hash_alg);

  59.   params->wots_par = wots_par;

  60.   params->hash_alg = hash_alg;

  61.   return 0;

  62. }

  63. 

  64. /**

  65.  * Initialize BDS state struct

  66.  * parameter names are the same as used in the description of the BDS traversal

  67.  */

  68. void xmss_set_bds_state(bds_state *state, unsigned char *stack, int stackoffset, unsigned char *stacklevels, unsigned char *auth, unsigned char *keep, treehash_inst *treehash, unsigned char *retain, int next_leaf)

  69. {

  70.   state->stack = stack;

  71.   state->stackoffset = stackoffset;

  72.   state->stacklevels = stacklevels;

  73.   state->auth = auth;

  74.   state->keep = keep;

  75.   state->treehash = treehash;

  76.   state->retain = retain;

  77.   state->next_leaf = next_leaf;

  78. }

  79. 

  80. /**

  81.  * Initialize xmssmt_params struct

  82.  * parameter names are the same as in the draft

  83.  *

  84.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  85.  */

  86. int xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w, int k, unsigned char hash_alg)

  87. {

  88.   if (h % d) {

  89.     fprintf(stderr, "d must divide h without remainder!\n");

  90.     return 1;

  91.   }

  92.   params->h = h;

  93.   params->d = d;

  94.   params->n = n;

  95.   params->index_len = (h + 7) / 8;

  96.   xmss_params xmss_par;

  97.   if (xmss_set_params(&xmss_par, n, (h/d), w, k, hash_alg)) {

  98.     return 1;

  99.   }

  100.   params->xmss_par = xmss_par;

  101.   return 0;

  102. }

  103. 

  104. /**

  105.  * Computes a leaf from a WOTS public key using an L-tree.

  106.  */

  107. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  108. {

  109.   unsigned int l = params->wots_par.len;

  110.   unsigned int n = params->n;

  111.   uint32_t i = 0;

  112.   uint32_t height = 0;

  113.   uint32_t bound;

  114. 

  115.   //ADRS.setTreeHeight(0);

  116.   setTreeHeight(addr, height);

  117.   

  118.   while (l > 1) {

  119.      bound = l >> 1; //floor(l / 2);

  120.      for (i = 0; i < bound; i++) {

  121.        //ADRS.setTreeIndex(i);

  122.        setTreeIndex(addr, i);

  123.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  124.        hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n, params->hash_alg);

  125.      }

  126.      //if ( l % 2 == 1 ) {

  127.      if (l & 1) {

  128.        //pk[floor(l / 2) + 1] = pk[l];

  129.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  130.        //l = ceil(l / 2);

  131.        l=(l>>1)+1;

  132.      }

  133.      else {

  134.        //l = ceil(l / 2);

  135.        l=(l>>1);

  136.      }

  137.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  138.      height++;

  139.      setTreeHeight(addr, height);

  140.    }

  141.    //return pk[0];

  142.    memcpy(leaf, wots_pk, n);

  143. }

  144. 

  145. /**

  146.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  147.  */

  148. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, uint32_t ltree_addr[8], uint32_t ots_addr[8])

  149. {

  150.   unsigned char seed[params->n];

  151.   unsigned char pk[params->wots_par.keysize];

  152. 

  153.   get_seed(seed, sk_seed, params->n, ots_addr, params->hash_alg);

  154.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  155. 

  156.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  157. }

  158. 

  159. static int treehash_minheight_on_stack(bds_state* state, const xmss_params *params, const treehash_inst *treehash) {

  160.   unsigned int r = params->h, i;

  161.   for (i = 0; i < treehash->stackusage; i++) {

  162.     if (state->stacklevels[state->stackoffset - i - 1] < r) {

  163.       r = state->stacklevels[state->stackoffset - i - 1];

  164.     }

  165.   }

  166.   return r;

  167. }

  168. 

  169. /**

  170.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  171.  * Currently only used for key generation.

  172.  *

  173.  */

  174. static void treehash_setup(unsigned char *node, int height, int index, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8])

  175. {

  176.   unsigned int idx = index;

  177.   unsigned int n = params->n;

  178.   unsigned int h = params->h;

  179.   unsigned int k = params->k;

  180.   // use three different addresses because at this point we use all three formats in parallel

  181.   uint32_t ots_addr[8];

  182.   uint32_t ltree_addr[8];

  183.   uint32_t  node_addr[8];

  184.   // only copy layer and tree address parts

  185.   memcpy(ots_addr, addr, 12);

  186.   // type = ots

  187.   setType(ots_addr, 0);

  188.   memcpy(ltree_addr, addr, 12);

  189.   setType(ltree_addr, 1);

  190.   memcpy(node_addr, addr, 12);

  191.   setType(node_addr, 2);

  192. 

  193.   uint32_t lastnode, i;

  194.   unsigned char stack[(height+1)*n];

  195.   unsigned int stacklevels[height+1];

  196.   unsigned int stackoffset=0;

  197.   unsigned int nodeh;

  198. 

  199.   lastnode = idx+(1<<height);

  200. 

  201.   for (i = 0; i < h-k; i++) {

  202.     state->treehash[i].h = i;

  203.     state->treehash[i].completed = 1;

  204.     state->treehash[i].stackusage = 0;

  205.   }

  206. 

  207.   i = 0;

  208.   for (; idx < lastnode; idx++) {

  209.     setLtreeADRS(ltree_addr, idx);

  210.     setOTSADRS(ots_addr, idx);

  211.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  212.     stacklevels[stackoffset] = 0;

  213.     stackoffset++;

  214.     if (h - k > 0 && i == 3) {

  215.       memcpy(state->treehash[0].node, stack+stackoffset*n, n);

  216.     }

  217.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  218.     {

  219.       nodeh = stacklevels[stackoffset-1];

  220.       if (i >> nodeh == 1) {

  221.         memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n);

  222.       }

  223.       else {

  224.         if (nodeh < h - k && i >> nodeh == 3) {

  225.           memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n);

  226.         }

  227.         else if (nodeh >= h - k) {

  228.           memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack+(stackoffset-1)*n, n);

  229.         }

  230.       }

  231.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  232.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  233.       hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  234.           node_addr, n, params->hash_alg);

  235.       stacklevels[stackoffset-2]++;

  236.       stackoffset--;

  237.     }

  238.     i++;

  239.   }

  240. 

  241.   for (i = 0; i < n; i++)

  242.     node[i] = stack[i];

  243. }

  244. 

  245. static void treehash_update(treehash_inst *treehash, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8]) {

  246.   int n = params->n;

  247. 

  248.   uint32_t ots_addr[8];

  249.   uint32_t ltree_addr[8];

  250.   uint32_t  node_addr[8];

  251.   // only copy layer and tree address parts

  252.   memcpy(ots_addr, addr, 12);

  253.   // type = ots

  254.   setType(ots_addr, 0);

  255.   memcpy(ltree_addr, addr, 12);

  256.   setType(ltree_addr, 1);

  257.   memcpy(node_addr, addr, 12);

  258.   setType(node_addr, 2);

  259. 

  260.   setLtreeADRS(ltree_addr, treehash->next_idx);

  261.   setOTSADRS(ots_addr, treehash->next_idx);

  262. 

  263.   unsigned char nodebuffer[2 * n];

  264.   unsigned int nodeheight = 0;

  265.   gen_leaf_wots(nodebuffer, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  266.   while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  267.     memcpy(nodebuffer + n, nodebuffer, n);

  268.     memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n);

  269.     setTreeHeight(node_addr, nodeheight);

  270.     setTreeIndex(node_addr, (treehash->next_idx >> (nodeheight+1)));

  271.     hash_h(nodebuffer, nodebuffer, pub_seed, node_addr, n, params->hash_alg);

  272.     nodeheight++;

  273.     treehash->stackusage--;

  274.     state->stackoffset--;

  275.   }

  276.   if (nodeheight == treehash->h) { // this also implies stackusage == 0

  277.     memcpy(treehash->node, nodebuffer, n);

  278.     treehash->completed = 1;

  279.   }

  280.   else {

  281.     memcpy(state->stack + state->stackoffset*n, nodebuffer, n);

  282.     treehash->stackusage++;

  283.     state->stacklevels[state->stackoffset] = nodeheight;

  284.     state->stackoffset++;

  285.     treehash->next_idx++;

  286.   }

  287. }

  288. 

  289. /**

  290.  * Computes a root node given a leaf and an authapth

  291.  */

  292. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  293. {

  294.   unsigned int n = params->n;

  295. 

  296.   uint32_t i, j;

  297.   unsigned char buffer[2*n];

  298. 

  299.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  300.   // Otherwise, it is the other way around

  301.   if (leafidx & 1) {

  302.     for (j = 0; j < n; j++)

  303.       buffer[n+j] = leaf[j];

  304.     for (j = 0; j < n; j++)

  305.       buffer[j] = authpath[j];

  306.   }

  307.   else {

  308.     for (j = 0; j < n; j++)

  309.       buffer[j] = leaf[j];

  310.     for (j = 0; j < n; j++)

  311.       buffer[n+j] = authpath[j];

  312.   }

  313.   authpath += n;

  314. 

  315.   for (i=0; i < params->h-1; i++) {

  316.     setTreeHeight(addr, i);

  317.     leafidx >>= 1;

  318.     setTreeIndex(addr, leafidx);

  319.     if (leafidx&1) {

  320.       hash_h(buffer+n, buffer, pub_seed, addr, n, params->hash_alg);

  321.       for (j = 0; j < n; j++)

  322.         buffer[j] = authpath[j];

  323.     }

  324.     else {

  325.       hash_h(buffer, buffer, pub_seed, addr, n, params->hash_alg);

  326.       for (j = 0; j < n; j++)

  327.         buffer[j+n] = authpath[j];

  328.     }

  329.     authpath += n;

  330.   }

  331.   setTreeHeight(addr, (params->h-1));

  332.   leafidx >>= 1;

  333.   setTreeIndex(addr, leafidx);

  334.   hash_h(root, buffer, pub_seed, addr, n, params->hash_alg);

  335. }

  336. 

  337. /**

  338.  * Performs one treehash update on the instance that needs it the most.

  339.  * Returns 1 if such an instance was not found

  340.  **/

  341. static char bds_treehash_update(bds_state *state, unsigned int updates, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const uint32_t addr[8]) {

  342.   uint32_t i, j;

  343.   unsigned int level, l_min, low;

  344.   unsigned int h = params->h;

  345.   unsigned int k = params->k;

  346.   unsigned int used = 0;

  347. 

  348.   for (j = 0; j < updates; j++) {

  349.     l_min = h;

  350.     level = h - k;

  351.     for (i = 0; i < h - k; i++) {

  352.       if (state->treehash[i].completed) {

  353.         low = h;

  354.       }

  355.       else if (state->treehash[i].stackusage == 0) {

  356.         low = i;

  357.       }

  358.       else {

  359.         low = treehash_minheight_on_stack(state, params, &(state->treehash[i]));

  360.       }

  361.       if (low < l_min) {

  362.         level = i;

  363.         l_min = low;

  364.       }

  365.     }

  366.     if (level == h - k) {

  367.       break;

  368.     }

  369.     treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr);

  370.     used++;

  371.   }

  372.   return updates - used;

  373. }

  374. 

  375. /**

  376.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  377.  * Returns 1 if all leaf nodes have already been processed

  378.  **/

  379. static char bds_state_update(bds_state *state, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const uint32_t addr[8]) {

  380.   uint32_t ltree_addr[8];

  381.   uint32_t node_addr[8];

  382.   uint32_t ots_addr[8];

  383. 

  384.   int n = params->n;

  385.   int h = params->h;

  386.   int k = params->k;

  387. 

  388.   int nodeh;

  389.   int idx = state->next_leaf;

  390.   if (idx == 1 << h) {

  391.     return 1;

  392.   }

  393. 

  394.   // only copy layer and tree address parts

  395.   memcpy(ots_addr, addr, 12);

  396.   // type = ots

  397.   setType(ots_addr, 0);

  398.   memcpy(ltree_addr, addr, 12);

  399.   setType(ltree_addr, 1);

  400.   memcpy(node_addr, addr, 12);

  401.   setType(node_addr, 2);

  402.   

  403.   setOTSADRS(ots_addr, idx);

  404.   setLtreeADRS(ltree_addr, idx);

  405. 

  406.   gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  407. 

  408.   state->stacklevels[state->stackoffset] = 0;

  409.   state->stackoffset++;

  410.   if (h - k > 0 && idx == 3) {

  411.     memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n);

  412.   }

  413.   while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  414.     nodeh = state->stacklevels[state->stackoffset-1];

  415.     if (idx >> nodeh == 1) {

  416.       memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n);

  417.     }

  418.     else {

  419.       if (nodeh < h - k && idx >> nodeh == 3) {

  420.         memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n);

  421.       }

  422.       else if (nodeh >= h - k) {

  423.         memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, state->stack+(state->stackoffset-1)*n, n);

  424.       }

  425.     }

  426.     setTreeHeight(node_addr, state->stacklevels[state->stackoffset-1]);

  427.     setTreeIndex(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  428.     hash_h(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, node_addr, n, params->hash_alg);

  429. 

  430.     state->stacklevels[state->stackoffset-2]++;

  431.     state->stackoffset--;

  432.   }

  433.   state->next_leaf++;

  434.   return 0;

  435. }

  436. 

  437. /**

  438.  * Returns the auth path for node leaf_idx and computes the auth path for the

  439.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  440.  * in "Post Quantum Cryptography", Springer 2009.

  441.  */

  442. static void bds_round(bds_state *state, const unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, uint32_t addr[8])

  443. {

  444.   unsigned int i;

  445.   unsigned int n = params->n;

  446.   unsigned int h = params->h;

  447.   unsigned int k = params->k;

  448. 

  449.   unsigned int tau = h;

  450.   unsigned int startidx;

  451.   unsigned int offset, rowidx;

  452.   unsigned char buf[2 * n];

  453. 

  454.   uint32_t ots_addr[8];

  455.   uint32_t ltree_addr[8];

  456.   uint32_t  node_addr[8];

  457.   // only copy layer and tree address parts

  458.   memcpy(ots_addr, addr, 12);

  459.   // type = ots

  460.   setType(ots_addr, 0);

  461.   memcpy(ltree_addr, addr, 12);

  462.   setType(ltree_addr, 1);

  463.   memcpy(node_addr, addr, 12);

  464.   setType(node_addr, 2);

  465. 

  466.   for (i = 0; i < h; i++) {

  467.     if (! ((leaf_idx >> i) & 1)) {

  468.       tau = i;

  469.       break;

  470.     }

  471.   }

  472. 

  473.   if (tau > 0) {

  474.     memcpy(buf,     state->auth + (tau-1) * n, n);

  475.     // we need to do this before refreshing state->keep to prevent overwriting

  476.     memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n);

  477.   }

  478.   if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) {

  479.     memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n);

  480.   }

  481.   if (tau == 0) {

  482.     setLtreeADRS(ltree_addr, leaf_idx);

  483.     setOTSADRS(ots_addr, leaf_idx);

  484.     gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  485.   }

  486.   else {

  487.     setTreeHeight(node_addr, (tau-1));

  488.     setTreeIndex(node_addr, leaf_idx >> tau);

  489.     hash_h(state->auth + tau * n, buf, pub_seed, node_addr, n, params->hash_alg);

  490.     for (i = 0; i < tau; i++) {

  491.       if (i < h - k) {

  492.         memcpy(state->auth + i * n, state->treehash[i].node, n);

  493.       }

  494.       else {

  495.         offset = (1 << (h - 1 - i)) + i - h;

  496.         rowidx = ((leaf_idx >> i) - 1) >> 1;

  497.         memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n);

  498.       }

  499.     }

  500. 

  501.     for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) {

  502.       startidx = leaf_idx + 1 + 3 * (1 << i);

  503.       if (startidx < 1U << h) {

  504.         state->treehash[i].h = i;

  505.         state->treehash[i].next_idx = startidx;

  506.         state->treehash[i].completed = 0;

  507.         state->treehash[i].stackusage = 0;

  508.       }

  509.     }

  510.   }

  511. }

  512. 

  513. /*

  514.  * Generates a XMSS key pair for a given parameter set.

  515.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  516.  * Format pk: [root || PUB_SEED] omitting algo oid.

  517.  */

  518. int xmss_keypair(unsigned char *pk, unsigned char *sk, bds_state *state, xmss_params *params)

  519. {

  520.   unsigned int n = params->n;

  521.   // Set idx = 0

  522.   sk[0] = 0;

  523.   sk[1] = 0;

  524.   sk[2] = 0;

  525.   sk[3] = 0;

  526.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  527.   randombytes(sk+4, 3*n);

  528.   // Copy PUB_SEED to public key

  529.   memcpy(pk+n, sk+4+2*n, n);

  530. 

  531.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  532. 

  533.   // Compute root

  534.   treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+2*n, addr);

  535.   // copy root to sk

  536.   memcpy(sk+4+3*n, pk, n);

  537.   return 0;

  538. }

  539. 

  540. /**

  541.  * Signs a message.

  542.  * Returns

  543.  * 1. an array containing the signature followed by the message AND

  544.  * 2. an updated secret key!

  545.  *

  546.  */

  547. int xmss_sign(unsigned char *sk, bds_state *state, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  548. {

  549.   unsigned int h = params->h;

  550.   unsigned int n = params->n;

  551.   unsigned int k = params->k;

  552.   uint16_t i = 0;

  553. 

  554.   // Extract SK

  555.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  556.   unsigned char sk_seed[n];

  557.   memcpy(sk_seed, sk+4, n);

  558.   unsigned char sk_prf[n];

  559.   memcpy(sk_prf, sk+4+n, n);

  560.   unsigned char pub_seed[n];

  561.   memcpy(pub_seed, sk+4+2*n, n);

  562.   

  563.   // index as 32 bytes string

  564.   unsigned char idx_bytes_32[32];

  565.   to_byte(idx_bytes_32, idx, 32);

  566.   

  567.   unsigned char hash_key[3*n]; 

  568.   

  569.   // Update SK

  570.   sk[0] = ((idx + 1) >> 24) & 255;

  571.   sk[1] = ((idx + 1) >> 16) & 255;

  572.   sk[2] = ((idx + 1) >> 8) & 255;

  573.   sk[3] = (idx + 1) & 255;

  574.   // -- Secret key for this non-forward-secure version is now updated.

  575.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  576. 

  577.   // Init working params

  578.   unsigned char R[n];

  579.   unsigned char msg_h[n];

  580.   unsigned char ots_seed[n];

  581.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  582. 

  583.   // ---------------------------------

  584.   // Message Hashing

  585.   // ---------------------------------

  586. 

  587.   // Message Hash:

  588.   // First compute pseudorandom value

  589.   prf(R, idx_bytes_32, sk_prf, n, params->hash_alg);

  590.   // Generate hash key (R || root || idx)

  591.   memcpy(hash_key, R, n);

  592.   memcpy(hash_key+n, sk+4+3*n, n);

  593.   to_byte(hash_key+2*n, idx, n);

  594.   // Then use it for message digest

  595.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n, params->hash_alg);

  596. 

  597.   // Start collecting signature

  598.   *sig_msg_len = 0;

  599. 

  600.   // Copy index to signature

  601.   sig_msg[0] = (idx >> 24) & 255;

  602.   sig_msg[1] = (idx >> 16) & 255;

  603.   sig_msg[2] = (idx >> 8) & 255;

  604.   sig_msg[3] = idx & 255;

  605. 

  606.   sig_msg += 4;

  607.   *sig_msg_len += 4;

  608. 

  609.   // Copy R to signature

  610.   for (i = 0; i < n; i++)

  611.     sig_msg[i] = R[i];

  612. 

  613.   sig_msg += n;

  614.   *sig_msg_len += n;

  615. 

  616.   // ----------------------------------

  617.   // Now we start to "really sign"

  618.   // ----------------------------------

  619. 

  620.   // Prepare Address

  621.   setType(ots_addr, 0);

  622.   setOTSADRS(ots_addr, idx);

  623. 

  624.   // Compute seed for OTS key pair

  625.   get_seed(ots_seed, sk_seed, n, ots_addr, params->hash_alg);

  626. 

  627.   // Compute WOTS signature

  628.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  629. 

  630.   sig_msg += params->wots_par.keysize;

  631.   *sig_msg_len += params->wots_par.keysize;

  632. 

  633.   // the auth path was already computed during the previous round

  634.   memcpy(sig_msg, state->auth, h*n);

  635. 

  636.   if (idx < (1U << h) - 1) {

  637.     bds_round(state, idx, sk_seed, params, pub_seed, ots_addr);

  638.     bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr);

  639.   }

  640. 

  641.   sig_msg += params->h*n;

  642.   *sig_msg_len += params->h*n;

  643. 

  644.   //Whipe secret elements?

  645.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  646. 

  647.   memcpy(sig_msg, msg, msglen);

  648.   *sig_msg_len += msglen;

  649. 

  650.   return 0;

  651. }

  652. 

  653. /**

  654.  * Verifies a given message signature pair under a given public key.

  655.  */

  656. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  657. {

  658.   unsigned int n = params->n;

  659. 

  660.   unsigned long long i, m_len;

  661.   unsigned long idx=0;

  662.   unsigned char wots_pk[params->wots_par.keysize];

  663.   unsigned char pkhash[n];

  664.   unsigned char root[n];

  665.   unsigned char msg_h[n];

  666.   unsigned char hash_key[3*n];

  667. 

  668.   unsigned char pub_seed[n];

  669.   memcpy(pub_seed, pk+n, n);

  670. 

  671.   // Init addresses

  672.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  673.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  674.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  675. 

  676.   setType(ots_addr, 0);

  677.   setType(ltree_addr, 1);

  678.   setType(node_addr, 2);

  679. 

  680.   // Extract index

  681.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  682.   printf("verify:: idx = %lu\n", idx);

  683.   

  684.   // Generate hash key (R || root || idx)

  685.   memcpy(hash_key, sig_msg+4,n);

  686.   memcpy(hash_key+n, pk, n);

  687.   to_byte(hash_key+2*n, idx, n);

  688.   

  689.   sig_msg += (n+4);

  690.   sig_msg_len -= (n+4);

  691. 

  692.   // hash message 

  693.   unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n;

  694.   m_len = sig_msg_len - tmp_sig_len;

  695.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n, params->hash_alg);

  696. 

  697.   //-----------------------

  698.   // Verify signature

  699.   //-----------------------

  700. 

  701.   // Prepare Address

  702.   setOTSADRS(ots_addr, idx);

  703.   // Check WOTS signature

  704.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  705. 

  706.   sig_msg += params->wots_par.keysize;

  707.   sig_msg_len -= params->wots_par.keysize;

  708. 

  709.   // Compute Ltree

  710.   setLtreeADRS(ltree_addr, idx);

  711.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  712. 

  713.   // Compute root

  714.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  715. 

  716.   sig_msg += params->h*n;

  717.   sig_msg_len -= params->h*n;

  718. 

  719.   for (i = 0; i < n; i++)

  720.     if (root[i] != pk[i])

  721.       goto fail;

  722. 

  723.   *msglen = sig_msg_len;

  724.   for (i = 0; i < *msglen; i++)

  725.     msg[i] = sig_msg[i];

  726. 

  727.   return 0;

  728. 

  729. 

  730. fail:

  731.   *msglen = sig_msg_len;

  732.   for (i = 0; i < *msglen; i++)

  733.     msg[i] = 0;

  734.   *msglen = -1;

  735.   return -1;

  736. }

  737. 

  738. /*

  739.  * Generates a XMSSMT key pair for a given parameter set.

  740.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  741.  * Format pk: [root || PUB_SEED] omitting algo oid.

  742.  */

  743. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, bds_state *states, unsigned char *wots_sigs, xmssmt_params *params)

  744. {

  745.   unsigned int n = params->n;

  746.   unsigned int i;

  747.   unsigned char ots_seed[params->n];

  748.   // Set idx = 0

  749.   for (i = 0; i < params->index_len; i++) {

  750.     sk[i] = 0;

  751.   }

  752.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  753.   randombytes(sk+params->index_len, 3*n);

  754.   // Copy PUB_SEED to public key

  755.   memcpy(pk+n, sk+params->index_len+2*n, n);

  756. 

  757.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  758.   // Start with the bottom-most layer

  759.   setLayerADRS(addr, 0);

  760.   // Set up state and compute wots signatures for all but topmost tree root

  761.   for (i = 0; i < params->d - 1; i++) {

  762.     // Compute seed for OTS key pair

  763.     treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  764.     setLayerADRS(addr, (i+1));

  765.     get_seed(ots_seed, sk+params->index_len, n, addr, params->xmss_par.hash_alg);

  766.     wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_par), pk+n, addr);

  767.   }

  768.   // Address now points to the single tree on layer d-1

  769.   treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  770.   memcpy(sk+params->index_len+3*n, pk, n);

  771.   return 0;

  772. }

  773. 

  774. /**

  775.  * Signs a message.

  776.  * Returns

  777.  * 1. an array containing the signature followed by the message AND

  778.  * 2. an updated secret key!

  779.  *

  780.  */

  781. int xmssmt_sign(unsigned char *sk, bds_state *states, unsigned char *wots_sigs, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  782. {

  783.   unsigned int n = params->n;

  784.   

  785.   unsigned int tree_h = params->xmss_par.h;

  786.   unsigned int h = params->h;

  787.   unsigned int k = params->xmss_par.k;

  788.   unsigned int idx_len = params->index_len;

  789.   uint64_t idx_tree;

  790.   uint32_t idx_leaf;

  791.   uint64_t i, j;

  792.   int needswap_upto = -1;

  793.   unsigned int updates;

  794. 

  795.   unsigned char sk_seed[n];

  796.   unsigned char sk_prf[n];

  797.   unsigned char pub_seed[n];

  798.   // Init working params

  799.   unsigned char R[n];

  800.   unsigned char msg_h[n];

  801.   unsigned char hash_key[3*n];

  802.   unsigned char ots_seed[n];

  803.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  804.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  805.   unsigned char idx_bytes_32[32];

  806.   bds_state tmp;

  807. 

  808.   // Extract SK 

  809.   unsigned long long idx = 0;

  810.   for (i = 0; i < idx_len; i++) {

  811.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  812.   }

  813. 

  814.   memcpy(sk_seed, sk+idx_len, n);

  815.   memcpy(sk_prf, sk+idx_len+n, n);

  816.   memcpy(pub_seed, sk+idx_len+2*n, n);

  817. 

  818.   // Update SK

  819.   for (i = 0; i < idx_len; i++) {

  820.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  821.   }

  822.   // -- Secret key for this non-forward-secure version is now updated.

  823.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  824. 

  825. 

  826.   // ---------------------------------

  827.   // Message Hashing

  828.   // ---------------------------------

  829. 

  830.   // Message Hash:

  831.   // First compute pseudorandom value

  832.   to_byte(idx_bytes_32, idx, 32);

  833.   prf(R, idx_bytes_32, sk_prf, n, params->xmss_par.hash_alg);

  834.   // Generate hash key (R || root || idx)

  835.   memcpy(hash_key, R, n);

  836.   memcpy(hash_key+n, sk+idx_len+3*n, n);

  837.   to_byte(hash_key+2*n, idx, n);

  838.   

  839.   // Then use it for message digest

  840.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n, params->xmss_par.hash_alg);

  841. 

  842.   // Start collecting signature

  843.   *sig_msg_len = 0;

  844. 

  845.   // Copy index to signature

  846.   for (i = 0; i < idx_len; i++) {

  847.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  848.   }

  849. 

  850.   sig_msg += idx_len;

  851.   *sig_msg_len += idx_len;

  852. 

  853.   // Copy R to signature

  854.   for (i = 0; i < n; i++)

  855.     sig_msg[i] = R[i];

  856. 

  857.   sig_msg += n;

  858.   *sig_msg_len += n;

  859. 

  860.   // ----------------------------------

  861.   // Now we start to "really sign"

  862.   // ----------------------------------

  863. 

  864.   // Handle lowest layer separately as it is slightly different...

  865. 

  866.   // Prepare Address

  867.   setType(ots_addr, 0);

  868.   idx_tree = idx >> tree_h;

  869.   idx_leaf = (idx & ((1 << tree_h)-1));

  870.   setLayerADRS(ots_addr, 0);

  871.   setTreeADRS(ots_addr, idx_tree);

  872.   setOTSADRS(ots_addr, idx_leaf);

  873. 

  874.   // Compute seed for OTS key pair

  875.   get_seed(ots_seed, sk_seed, n, ots_addr, params->xmss_par.hash_alg);

  876. 

  877.   // Compute WOTS signature

  878.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  879. 

  880.   sig_msg += params->xmss_par.wots_par.keysize;

  881.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  882. 

  883.   memcpy(sig_msg, states[0].auth, tree_h*n);

  884.   sig_msg += tree_h*n;

  885.   *sig_msg_len += tree_h*n;

  886. 

  887.   // prepare signature of remaining layers

  888.   for (i = 1; i < params->d; i++) {

  889.     // put WOTS signature in place

  890.     memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.keysize);

  891. 

  892.     sig_msg += params->xmss_par.wots_par.keysize;

  893.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  894. 

  895.     // put AUTH nodes in place

  896.     memcpy(sig_msg, states[i].auth, tree_h*n);

  897.     sig_msg += tree_h*n;

  898.     *sig_msg_len += tree_h*n;

  899.   }

  900. 

  901.   updates = (tree_h - k) >> 1;

  902. 

  903.   setTreeADRS(addr, (idx_tree + 1));

  904.   // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  905.   if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << h)) {

  906.     bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr);

  907.   }

  908. 

  909.   for (i = 0; i < params->d; i++) {

  910.     // check if we're not at the end of a tree

  911.     if (! (((idx + 1) & ((1ULL << ((i+1)*tree_h)) - 1)) == 0)) {

  912.       idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1);

  913.       idx_tree = (idx >> (tree_h * (i+1)));

  914.       setLayerADRS(addr, i);

  915.       setTreeADRS(addr, idx_tree);

  916.       if (i == (unsigned int) (needswap_upto + 1)) {

  917.         bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr);

  918.       }

  919.       updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr);

  920.       setTreeADRS(addr, (idx_tree + 1));

  921.       // if a NEXT-tree exists for this level;

  922.       if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << (h - tree_h * i))) {

  923.         if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << h)) {

  924.           bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr);

  925.           updates--;

  926.         }

  927.       }

  928.     }

  929.     else if (idx < (1ULL << h) - 1) {

  930.       memcpy(&tmp, states+params->d + i, sizeof(bds_state));

  931.       memcpy(states+params->d + i, states + i, sizeof(bds_state));

  932.       memcpy(states + i, &tmp, sizeof(bds_state));

  933. 

  934.       setLayerADRS(ots_addr, (i+1));

  935.       setTreeADRS(ots_addr, ((idx + 1) >> ((i+2) * tree_h)));

  936.       setOTSADRS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1)));

  937. 

  938.       get_seed(ots_seed, sk+params->index_len, n, ots_addr, params->xmss_par.hash_alg);

  939.       wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  940. 

  941.       states[params->d + i].stackoffset = 0;

  942.       states[params->d + i].next_leaf = 0;

  943. 

  944.       updates--; // WOTS-signing counts as one update

  945.       needswap_upto = i;

  946.       for (j = 0; j < tree_h-k; j++) {

  947.         states[i].treehash[j].completed = 1;

  948.       }

  949.     }

  950.   }

  951. 

  952.   //Whipe secret elements?

  953.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  954. 

  955.   memcpy(sig_msg, msg, msglen);

  956.   *sig_msg_len += msglen;

  957. 

  958.   return 0;

  959. }

  960. 

  961. /**

  962.  * Verifies a given message signature pair under a given public key.

  963.  */

  964. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  965. {

  966.   unsigned int n = params->n;

  967. 

  968.   unsigned int tree_h = params->xmss_par.h;

  969.   unsigned int idx_len = params->index_len;

  970.   uint64_t idx_tree;

  971.   uint32_t idx_leaf;

  972. 

  973.   unsigned long long i, m_len;

  974.   unsigned long long idx=0;

  975.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  976.   unsigned char pkhash[n];

  977.   unsigned char root[n];

  978.   unsigned char msg_h[n];

  979.   unsigned char hash_key[3*n];

  980. 

  981.   unsigned char pub_seed[n];

  982.   memcpy(pub_seed, pk+n, n);

  983. 

  984.   // Init addresses

  985.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  986.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  987.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  988. 

  989.   // Extract index

  990.   for (i = 0; i < idx_len; i++) {

  991.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  992.   }

  993.   printf("verify:: idx = %llu\n", idx);

  994.   sig_msg += idx_len;

  995.   sig_msg_len -= idx_len;

  996.   

  997.   // Generate hash key (R || root || idx)

  998.   memcpy(hash_key, sig_msg,n);

  999.   memcpy(hash_key+n, pk, n);

  1000.   to_byte(hash_key+2*n, idx, n);

  1001. 

  1002.   sig_msg += n;

  1003.   sig_msg_len -= n;

  1004.   

  1005. 

  1006.   // hash message (recall, R is now on pole position at sig_msg

  1007.   unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  1008.   m_len = sig_msg_len - tmp_sig_len;

  1009.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n, params->xmss_par.hash_alg);

  1010. 

  1011.   

  1012.   //-----------------------

  1013.   // Verify signature

  1014.   //-----------------------

  1015. 

  1016.   // Prepare Address

  1017.   idx_tree = idx >> tree_h;

  1018.   idx_leaf = (idx & ((1 << tree_h)-1));

  1019.   setLayerADRS(ots_addr, 0);

  1020.   setTreeADRS(ots_addr, idx_tree);

  1021.   setType(ots_addr, 0);

  1022. 

  1023.   memcpy(ltree_addr, ots_addr, 12);

  1024.   setType(ltree_addr, 1);

  1025. 

  1026.   memcpy(node_addr, ltree_addr, 12);

  1027.   setType(node_addr, 2);

  1028.   

  1029.   setOTSADRS(ots_addr, idx_leaf);

  1030. 

  1031.   // Check WOTS signature

  1032.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1033. 

  1034.   sig_msg += params->xmss_par.wots_par.keysize;

  1035.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  1036. 

  1037.   // Compute Ltree

  1038.   setLtreeADRS(ltree_addr, idx_leaf);

  1039.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1040. 

  1041.   // Compute root

  1042.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1043. 

  1044.   sig_msg += tree_h*n;

  1045.   sig_msg_len -= tree_h*n;

  1046. 

  1047.   for (i = 1; i < params->d; i++) {

  1048.     // Prepare Address

  1049.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  1050.     idx_tree = idx_tree >> tree_h;

  1051. 

  1052.     setLayerADRS(ots_addr, i);

  1053.     setTreeADRS(ots_addr, idx_tree);

  1054.     setType(ots_addr, 0);

  1055. 

  1056.     memcpy(ltree_addr, ots_addr, 12);

  1057.     setType(ltree_addr, 1);

  1058. 

  1059.     memcpy(node_addr, ltree_addr, 12);

  1060.     setType(node_addr, 2);

  1061. 

  1062.     setOTSADRS(ots_addr, idx_leaf);

  1063. 

  1064.     // Check WOTS signature

  1065.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1066. 

  1067.     sig_msg += params->xmss_par.wots_par.keysize;

  1068.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  1069. 

  1070.     // Compute Ltree

  1071.     setLtreeADRS(ltree_addr, idx_leaf);

  1072.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1073. 

  1074.     // Compute root

  1075.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1076. 

  1077.     sig_msg += tree_h*n;

  1078.     sig_msg_len -= tree_h*n;

  1079. 

  1080.   }

  1081. 

  1082.   for (i = 0; i < n; i++)

  1083.     if (root[i] != pk[i])

  1084.       goto fail;

  1085. 

  1086.   *msglen = sig_msg_len;

  1087.   for (i = 0; i < *msglen; i++)

  1088.     msg[i] = sig_msg[i];

  1089. 

  1090.   return 0;

  1091. 

  1092. 

  1093. fail:

  1094.   *msglen = sig_msg_len;

  1095.   for (i = 0; i < *msglen; i++)

  1096.     msg[i] = 0;

  1097.   *msglen = -1;

  1098.   return -1;

  1099. }