kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
488 KiB
 
 
Tree: 481cc106b6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '481cc106b6'
${ noResults }
xmss-KAT-generator/xmss.c

856 lines
23 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20150811

  3. Andreas Hülsing

  4. Public domain.

  5. */

  6. 

  7. #include "xmss.h"

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. #include <math.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "prg.h"

  17. #include "xmss_commons.h"

  18. 

  19. // For testing

  20. #include "stdio.h"

  21. 

  22. /**

  23.  * Macros used to manipulate the respective fields

  24.  * in the 16byte hash address

  25.  */

  26. #define SET_LAYER_ADDRESS(a, v) {\

  27.   a[6] = (a[6] & 3) | ((v << 2) & 255);\

  28.   a[5] = (a[5] & 252) | ((v >> 6) & 255);}  

  29. 

  30. #define SET_TREE_ADDRESS(a, v) {\

  31.   a[9] = (a[9] & 3) | ((v << 2) & 255);\

  32.   a[8] = (v >> 6) & 255;\

  33.   a[7] = (v >> 14) & 255;\

  34.   a[6] = (a[6] & 252) | ((v >> 22) & 255);}  

  35.   

  36. #define SET_OTS_BIT(a, b) {\

  37.   a[9] = (a[9] & 253) | (b << 1);}

  38. 

  39. #define SET_OTS_ADDRESS(a, v) {\

  40.   a[12] = (a[12] & 1) | ((v << 1) & 255);\

  41.   a[11] = (v >> 7) & 255;\

  42.   a[10] = (v >> 15) & 255;\

  43.   a[9] = (a[9] & 254) | ((v >> 23) & 1);}  

  44.   

  45. #define ZEROISE_OTS_ADDR(a) {\

  46.   a[12] = (a[12] & 254);\

  47.   a[13] = 0;\

  48.   a[14] = 0;\

  49.   a[15] = 0;}

  50.   

  51. #define SET_LTREE_BIT(a, b) {\

  52.   a[9] = (a[9] & 254) | b;}

  53. 

  54. #define SET_LTREE_ADDRESS(a, v) {\

  55.   a[12] = v & 255;\

  56.   a[11] = (v >> 8) & 255;\

  57.   a[10] = (v >> 16) & 255;}

  58. 

  59. #define SET_LTREE_TREE_HEIGHT(a, v) {\

  60.   a[13] = (a[13] & 3) | ((v << 2) & 255);}

  61. 

  62. #define SET_LTREE_TREE_INDEX(a, v) {\

  63.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  64.   a[14] = (v >> 6) & 255;\

  65.   a[13] = (a[13] & 252) | ((v >> 14) & 3);}

  66.   

  67. #define SET_NODE_PADDING(a) {\

  68.   a[10] = 0;\

  69.   a[11] = a[11] & 3;}  

  70. 

  71. #define SET_NODE_TREE_HEIGHT(a, v) {\

  72.   a[12] = (a[12] & 3) | ((v << 2) & 255);\

  73.   a[11] = (a[11] & 252) | ((v >> 6) & 3);}

  74. 

  75. #define SET_NODE_TREE_INDEX(a, v) {\

  76.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  77.   a[14] = (v >> 6) & 255;\

  78.   a[13] = (v >> 14) & 255;\

  79.   a[12] = (a[12] & 252) | ((v >> 22) & 3);}

  80. 

  81. 

  82.   /**

  83.  * Used for pseudorandom keygeneration,

  84.  * generates the seed for the WOTS keypair at address addr

  85.  */

  86. static void get_seed(unsigned char seed[32], const unsigned char *sk_seed, unsigned char addr[16])

  87. {

  88.   // Make sure that chain addr, hash addr, and key bit are 0!

  89.   ZEROISE_OTS_ADDR(addr);

  90.   // Generate pseudorandom value

  91.   prg_with_counter(seed, 32, sk_seed, 32, addr);

  92. }

  93. 

  94. /**

  95.  * Initialize xmss params struct

  96.  * parameter names are the same as in the draft

  97.  */

  98. void xmss_set_params(xmss_params *params, int m, int n, int h, int w)

  99. {

  100.   params->h = h;

  101.   params->m = m;

  102.   params->n = n;

  103.   wots_params wots_par;

  104.   wots_set_params(&wots_par, m, n, w);

  105.   params->wots_par = wots_par;

  106. }

  107. 

  108. /**

  109.  * Initialize xmssmt_params struct

  110.  * parameter names are the same as in the draft

  111.  * 

  112.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  113.  */

  114. void xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w)

  115. {

  116.   if(h % d){

  117.     fprintf(stderr, "d must devide h without remainder!\n");

  118.     return;

  119.   }

  120.   params->h = h;

  121.   params->d = d;

  122.   params->m = m;

  123.   params->n = n;

  124.   params->index_len = ceil(h / 8);

  125.   xmss_params xmss_par;

  126.   xmss_set_params(&xmss_par, m, n, (h/d), w);

  127.   params->xmss_par = xmss_par;

  128. }

  129. 

  130. /**

  131.  * Computes a leaf from a WOTS public key using an L-tree.

  132.  */

  133. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  134. { 

  135.   uint l = params->wots_par.len;

  136.   uint n = params->n;

  137.   unsigned long i = 0;

  138.   uint height = 0;

  139.   

  140.   //ADRS.setTreeHeight(0);

  141.   SET_LTREE_TREE_HEIGHT(addr,height);

  142.   unsigned long bound;

  143.   while ( l > 1 ) 

  144.   {

  145.      bound = l >> 1; //floor(l / 2); 

  146.      for ( i = 0; i < bound; i = i + 1 ) {

  147.        //ADRS.setTreeIndex(i);

  148.        SET_LTREE_TREE_INDEX(addr,i);

  149.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  150.        hash_2n_n(wots_pk+i*n,wots_pk+i*2*n, pub_seed, addr, n);

  151.      }

  152.      //if ( l % 2 == 1 ) {

  153.      if(l&1)

  154.      {

  155.        //pk[floor(l / 2) + 1] = pk[l];

  156.        memcpy(wots_pk+(l>>1)*n,wots_pk+(l-1)*n, n);

  157.        //l = ceil(l / 2);

  158.        l=(l>>1)+1;

  159.      }

  160.      else

  161.      {

  162.        //l = ceil(l / 2);

  163.        l=(l>>1);

  164.      }     

  165.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  166.      height++;

  167.      SET_LTREE_TREE_HEIGHT(addr,height);

  168.    }

  169.    //return pk[0];

  170.    memcpy(leaf,wots_pk,n);

  171. }

  172. 

  173. /**

  174.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  175.  */

  176. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  177. {

  178.   unsigned char seed[32];

  179.   unsigned char pk[params->wots_par.keysize];

  180. 

  181.   get_seed(seed, sk_seed, ots_addr);

  182.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  183. 

  184.   l_tree(leaf, pk, params, pub_seed, ltree_addr); 

  185. }

  186. 

  187. /**

  188.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  189.  * Currently only used for key generation.

  190.  * 

  191.  */

  192. static void treehash(unsigned char *node, int height, int index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  193. {

  194. 

  195.   uint idx = index;

  196.   uint n = params->n;

  197.   // use three different addresses because at this point we use all three formats in parallel

  198.   unsigned char ots_addr[16];

  199.   unsigned char ltree_addr[16];

  200.   unsigned char node_addr[16];

  201.   memcpy(ots_addr, addr, 10);

  202.   SET_OTS_BIT(ots_addr, 1);

  203.   memcpy(ltree_addr, addr, 10);

  204.   SET_OTS_BIT(ltree_addr, 0);

  205.   SET_LTREE_BIT(ltree_addr, 1);

  206.   memcpy(node_addr, ltree_addr, 10);

  207.   SET_LTREE_BIT(node_addr, 0);

  208.   SET_NODE_PADDING(node_addr);

  209.   

  210.   int lastnode,i;

  211.   unsigned char stack[(height+1)*n];

  212.   unsigned int  stacklevels[height+1];

  213.   unsigned int  stackoffset=0;

  214.   

  215.   lastnode = idx+(1<<height);

  216. 

  217.   for(;idx<lastnode;idx++) 

  218.   {

  219.     SET_LTREE_ADDRESS(ltree_addr,idx);

  220.     SET_OTS_ADDRESS(ots_addr,idx);

  221.     gen_leaf_wots(stack+stackoffset*n,sk_seed,params, pub_seed, ltree_addr, ots_addr);

  222.     stacklevels[stackoffset] = 0;

  223.     stackoffset++;

  224.     while(stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  225.     {

  226.       SET_NODE_TREE_HEIGHT(node_addr,stacklevels[stackoffset-1]);

  227.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  228.       hash_2n_n(stack+(stackoffset-2)*n,stack+(stackoffset-2)*n, pub_seed,

  229.           node_addr, n);

  230.       stacklevels[stackoffset-2]++;

  231.       stackoffset--;

  232.     }

  233.   }

  234.   for(i=0;i<n;i++)

  235.     node[i] = stack[i];

  236. }

  237. 

  238. /**

  239.  * Computes a root node given a leaf and an authapth

  240.  */

  241. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  242. {

  243.   uint n = params->n;

  244.   

  245.   int i,j;

  246.   unsigned char buffer[2*n];

  247. 

  248.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  249.   // Otherwise, it is the other way around

  250.   if(leafidx&1)

  251.   {

  252.     for(j=0;j<n;j++)

  253.       buffer[n+j] = leaf[j];

  254.     for(j=0;j<n;j++)

  255.       buffer[j] = authpath[j];

  256.   }

  257.   else

  258.   {

  259.     for(j=0;j<n;j++)

  260.       buffer[j] = leaf[j];

  261.     for(j=0;j<n;j++)

  262.       buffer[n+j] = authpath[j];

  263.   }

  264.   authpath += n;

  265. 

  266.   for(i=0;i<params->h-1;i++)

  267.   {

  268.     SET_NODE_TREE_HEIGHT(addr,i);

  269.     leafidx >>= 1;

  270.     SET_NODE_TREE_INDEX(addr, leafidx);

  271.     if(leafidx&1)

  272.     {

  273.       hash_2n_n(buffer+n,buffer,pub_seed, addr, n);

  274.       for(j=0;j<n;j++)

  275.         buffer[j] = authpath[j];

  276.     }

  277.     else

  278.     {

  279.       hash_2n_n(buffer,buffer,pub_seed, addr, n);

  280.       for(j=0;j<n;j++)

  281.         buffer[j+n] = authpath[j];

  282.     }

  283.     authpath += n;

  284.   }

  285.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  286.   leafidx >>= 1;

  287.   SET_NODE_TREE_INDEX(addr, leafidx);

  288.   hash_2n_n(root,buffer,pub_seed,addr,n);

  289. }

  290. 

  291. /**

  292.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  293.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  294.  * It returns the authpath in "authpath" with the node on level 0 at index 0.  

  295.  */

  296. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  297. {

  298.   uint i, j, level;

  299.   int n = params->n;

  300.   int h = params->h;

  301.   

  302.   unsigned char tree[2*(1<<h)*n];

  303. 

  304.   unsigned char ots_addr[16];

  305.   unsigned char ltree_addr[16];

  306.   unsigned char node_addr[16];

  307.   

  308.   memcpy(ots_addr, addr, 10);

  309.   SET_OTS_BIT(ots_addr, 1);

  310.   memcpy(ltree_addr, addr, 10);

  311.   SET_OTS_BIT(ltree_addr, 0);

  312.   SET_LTREE_BIT(ltree_addr, 1);

  313.   memcpy(node_addr, ltree_addr, 10);

  314.   SET_LTREE_BIT(node_addr, 0);

  315.   SET_NODE_PADDING(node_addr);

  316. 

  317.   

  318.   // Compute all leaves

  319.   for(i = 0; i < (1<<h); i++)

  320.   {

  321.     SET_LTREE_ADDRESS(ltree_addr,i);

  322.     SET_OTS_ADDRESS(ots_addr,i);

  323.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  324.   }

  325.   

  326.   

  327.   level = 0;

  328.   // Compute tree:

  329.   // Outer loop: For each inner layer 

  330.   for (i = (1<<h); i > 0; i>>=1)

  331.   {

  332.     SET_NODE_TREE_HEIGHT(node_addr, level);

  333.     // Inner loop: for each pair of sibling nodes

  334.     for (j = 0; j < i; j+=2)

  335.     {

  336.       SET_NODE_TREE_INDEX(node_addr, j>>1);

  337.       hash_2n_n(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n);

  338.     }

  339.     level++;

  340.   }

  341. 

  342.   // copy authpath

  343.   for(i=0;i<h;i++)

  344.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  345.   

  346.   // copy root

  347.   memcpy(root, tree+n, n);

  348. }

  349. 

  350. 

  351. /*

  352.  * Generates a XMSS key pair for a given parameter set.

  353.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  354.  * Format pk: [root || PUB_SEED] omitting algo oid.

  355.  */

  356. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  357. {

  358.   uint n = params->n;

  359.   uint m = params->m;

  360.   // Set idx = 0

  361.   sk[0] = 0;

  362.   sk[1] = 0;

  363.   sk[2] = 0;

  364.   sk[3] = 0;

  365.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  366.   randombytes(sk+4,2*n+m);

  367.   // Copy PUB_SEED to public key

  368.   memcpy(pk+n, sk+4+n+m,n);

  369. 

  370.   unsigned char addr[16] = {0,0,0,0};

  371.   // Compute root

  372.   treehash(pk, params->h, 0, sk+4, params, sk+4+n+m, addr);

  373.   return 0;

  374. }

  375. 

  376. /**

  377.  * Signs a message.

  378.  * Returns 

  379.  * 1. an array containing the signature followed by the message AND

  380.  * 2. an updated secret key!

  381.  * 

  382.  */

  383. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  384. {

  385.   uint n = params->n;

  386.   uint m = params->m;

  387.   

  388.   // Extract SK

  389.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  390.   unsigned char sk_seed[n];

  391.   memcpy(sk_seed,sk+4,n);

  392.   unsigned char sk_prf[m];

  393.   memcpy(sk_prf,sk+4+n,m);

  394.   unsigned char pub_seed[n];

  395.   memcpy(pub_seed,sk+4+n+m,n);  

  396.   

  397.   // Update SK

  398.   sk[0] = ((idx + 1) >> 24) & 255;

  399.   sk[1] = ((idx + 1) >> 16) & 255;

  400.   sk[2] = ((idx + 1) >> 8) & 255;

  401.   sk[3] = (idx + 1) & 255;

  402.   // -- Secret key for this non-forward-secure version is now updated. 

  403.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point! 

  404.   

  405.   // Init working params

  406.   unsigned long long i;

  407.   unsigned char R[m];

  408.   unsigned char msg_h[m];

  409.   unsigned char root[n];

  410.   unsigned char ots_seed[n];

  411.   unsigned char ots_addr[16] = {0,0,0,0};

  412.   

  413.   // ---------------------------------

  414.   // Message Hashing

  415.   // ---------------------------------

  416.   

  417.   // Message Hash: 

  418.   // First compute pseudorandom key

  419.   prf_m(R, msg, msglen, sk_prf, m); 

  420.   // Then use it for message digest

  421.   hash_m(msg_h, msg, msglen, R, m, m);

  422.   

  423.   // Start collecting signature

  424.   *sig_msg_len = 0;

  425. 

  426.   // Copy index to signature

  427.   sig_msg[0] = (idx >> 24) & 255;

  428.   sig_msg[1] = (idx >> 16) & 255;

  429.   sig_msg[2] = (idx >> 8) & 255;

  430.   sig_msg[3] = idx & 255;

  431.   

  432.   sig_msg += 4;

  433.   *sig_msg_len += 4;

  434.   

  435.   // Copy R to signature

  436.   for(i=0; i<m; i++)

  437.     sig_msg[i] = R[i];

  438. 

  439.   sig_msg += m;

  440.   *sig_msg_len += m;

  441.   

  442.   // ----------------------------------

  443.   // Now we start to "really sign" 

  444.   // ----------------------------------

  445.   

  446.   // Prepare Address

  447.   SET_OTS_BIT(ots_addr,1);

  448.   SET_OTS_ADDRESS(ots_addr,idx);

  449.   

  450.   // Compute seed for OTS key pair

  451.   get_seed(ots_seed, sk_seed, ots_addr);

  452.      

  453.   // Compute WOTS signature

  454.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  455.   

  456.   sig_msg += params->wots_par.keysize;

  457.   *sig_msg_len += params->wots_par.keysize;

  458. 

  459.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  460.   sig_msg += params->h*n;

  461.   *sig_msg_len += params->h*n;

  462.   

  463.   //Whipe secret elements?  

  464.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  465. 

  466.   memcpy(sig_msg,msg,msglen);

  467.   *sig_msg_len += msglen;

  468. 

  469.   return 0;

  470. }

  471. 

  472. /**

  473.  * Verifies a given message signature pair under a given public key.

  474.  */

  475. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  476. {

  477.   uint n = params->n;

  478.   uint m = params->m;

  479.     

  480.   unsigned long long i, m_len;

  481.   unsigned long idx=0;

  482.   unsigned char wots_pk[params->wots_par.keysize];

  483.   unsigned char pkhash[n];

  484.   unsigned char root[n];

  485.   unsigned char msg_h[m];

  486.   

  487.   unsigned char pub_seed[n];

  488.   memcpy(pub_seed,pk+n,n);  

  489.   

  490.   // Init addresses

  491.   unsigned char ots_addr[16] = {0,0,0,0};

  492.   unsigned char ltree_addr[16];

  493.   unsigned char node_addr[16];

  494.   

  495.   SET_OTS_BIT(ots_addr, 1);

  496.   

  497.   memcpy(ltree_addr, ots_addr, 10);

  498.   SET_OTS_BIT(ltree_addr, 0);

  499.   SET_LTREE_BIT(ltree_addr, 1);

  500.   

  501.   memcpy(node_addr, ltree_addr, 10);

  502.   SET_LTREE_BIT(node_addr, 0);

  503.   SET_NODE_PADDING(node_addr);  

  504.   

  505.   // Extract index

  506.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  507.   printf("verify:: idx = %lu\n",idx);

  508.   sig_msg += 4;

  509.   sig_msg_len -= 4;

  510.   

  511.   // hash message (recall, R is now on pole position at sig_msg

  512.   unsigned long long tmp_sig_len = m+params->wots_par.keysize+params->h*n;

  513.   m_len = sig_msg_len - tmp_sig_len;

  514.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  515. 

  516.   sig_msg += m;

  517.   sig_msg_len -= m;

  518.   

  519.   //-----------------------

  520.   // Verify signature

  521.   //-----------------------

  522.   

  523.   // Prepare Address

  524.   SET_OTS_ADDRESS(ots_addr,idx);

  525.   // Check WOTS signature 

  526.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  527. 

  528.   sig_msg += params->wots_par.keysize;

  529.   sig_msg_len -= params->wots_par.keysize;

  530.   

  531.   // Compute Ltree

  532.   SET_LTREE_ADDRESS(ltree_addr, idx); 

  533.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  534.   

  535.   // Compute root

  536.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);  

  537. 

  538.   sig_msg += params->h*n;

  539.   sig_msg_len -= params->h*n;

  540.   

  541.   for(i=0;i<n;i++)

  542.     if(root[i] != pk[i])

  543.       goto fail;

  544.   

  545.   *msglen = sig_msg_len;

  546.   for(i=0;i<*msglen;i++)

  547.     msg[i] = sig_msg[i];

  548. 

  549.   return 0;

  550.   

  551.   

  552. fail:

  553.   *msglen = sig_msg_len;

  554.   for(i=0;i<*msglen;i++)

  555.     msg[i] = 0;

  556.   *msglen = -1;

  557.   return -1;

  558. }

  559. 

  560. /*

  561.  * Generates a XMSSMT key pair for a given parameter set.

  562.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  563.  * Format pk: [root || PUB_SEED] omitting algo oid.

  564.  */

  565. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  566. {

  567.   uint n = params->n;

  568.   uint m = params->m;

  569.   uint i;

  570.   // Set idx = 0

  571.   for (i = 0; i < params->index_len; i++){

  572.     sk[i] = 0;

  573.   }

  574.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  575.   randombytes(sk+params->index_len,2*n+m);

  576.   // Copy PUB_SEED to public key

  577.   memcpy(pk+n, sk+params->index_len+n+m,n);

  578. 

  579.   // Set address to point on the single tree on layer d-1

  580.   unsigned char addr[16] = {0,0,0,0};

  581.   SET_LAYER_ADDRESS(addr, (params->d-1));

  582.   

  583.   // Compute root

  584.   treehash(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  585.   return 0;

  586. }

  587. 

  588. /**

  589.  * Signs a message.

  590.  * Returns 

  591.  * 1. an array containing the signature followed by the message AND

  592.  * 2. an updated secret key!

  593.  * 

  594.  */

  595. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  596. {

  597.   uint n = params->n;

  598.   uint m = params->m;

  599.   uint tree_h = params->xmss_par.h;

  600.   uint idx_len = params->index_len;

  601.   unsigned long long idx_tree;

  602.   unsigned long long idx_leaf;

  603.   unsigned long long i;

  604.   

  605.   unsigned char sk_seed[n];

  606.   unsigned char sk_prf[m];

  607.   unsigned char pub_seed[n];

  608.   // Init working params

  609.   unsigned char R[m];

  610.   unsigned char msg_h[m];

  611.   unsigned char root[n];

  612.   unsigned char ots_seed[n];

  613.   unsigned char ots_addr[16] = {0,0,0,0};

  614.   

  615.   // Extract SK

  616.   unsigned long long idx = 0;

  617.   for(i = 0; i < idx_len; i++){

  618.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  619.   }

  620.   

  621.   memcpy(sk_seed,sk+idx_len,n);

  622.   memcpy(sk_prf,sk+idx_len+n,m);

  623.   memcpy(pub_seed,sk+idx_len+n+m,n);  

  624.   

  625.   // Update SK

  626.   for(i = 0; i < idx_len; i++){

  627.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  628.   }

  629.   // -- Secret key for this non-forward-secure version is now updated. 

  630.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point! 

  631.   

  632.   

  633.   // ---------------------------------

  634.   // Message Hashing

  635.   // ---------------------------------

  636.   

  637.   // Message Hash: 

  638.   // First compute pseudorandom key

  639.   prf_m(R, msg, msglen, sk_prf, m); 

  640.   // Then use it for message digest

  641.   hash_m(msg_h, msg, msglen, R, m, m);

  642.   

  643.   // Start collecting signature

  644.   *sig_msg_len = 0;

  645. 

  646.   // Copy index to signature

  647.   for(i = 0; i < idx_len; i++){

  648.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  649.   }

  650.   

  651.   sig_msg += idx_len;

  652.   *sig_msg_len += idx_len;

  653.   

  654.   // Copy R to signature

  655.   for(i=0; i<m; i++)

  656.     sig_msg[i] = R[i];

  657. 

  658.   sig_msg += m;

  659.   *sig_msg_len += m;

  660.   

  661.   // ----------------------------------

  662.   // Now we start to "really sign" 

  663.   // ----------------------------------

  664.   

  665.   // Handle lowest layer separately as it is slightly different...

  666.   

  667.   // Prepare Address

  668.   SET_OTS_BIT(ots_addr,1);

  669.   idx_tree = idx >> tree_h;

  670.   idx_leaf = (idx & ((1 << tree_h)-1));

  671.   SET_LAYER_ADDRESS(ots_addr,0);

  672.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  673.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  674.   

  675.   // Compute seed for OTS key pair

  676.   get_seed(ots_seed, sk_seed, ots_addr);

  677.      

  678.   // Compute WOTS signature

  679.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  680.   

  681.   sig_msg += params->xmss_par.wots_par.keysize;

  682.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  683. 

  684.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  685.   sig_msg += tree_h*n;

  686.   *sig_msg_len += tree_h*n;

  687.   

  688.   // Now loop over remaining layers...

  689.   uint j;

  690.   for(j = 1; j < params->d; j++){

  691.     // Prepare Address

  692.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  693.     idx_tree = idx_tree >> tree_h;

  694.     SET_LAYER_ADDRESS(ots_addr,j);

  695.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  696.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  697.     

  698.     // Compute seed for OTS key pair

  699.     get_seed(ots_seed, sk_seed, ots_addr);

  700.       

  701.     // Compute WOTS signature

  702.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  703.     

  704.     sig_msg += params->xmss_par.wots_par.keysize;

  705.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  706. 

  707.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  708.     sig_msg += tree_h*n;

  709.     *sig_msg_len += tree_h*n;   

  710.   }

  711.   

  712.   //Whipe secret elements?  

  713.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  714. 

  715.   memcpy(sig_msg,msg,msglen);

  716.   *sig_msg_len += msglen;

  717. 

  718.   return 0;

  719. }

  720. 

  721. /**

  722.  * Verifies a given message signature pair under a given public key.

  723.  */

  724. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  725. {

  726.   uint n = params->n;

  727.   uint m = params->m;

  728.   

  729.   uint tree_h = params->xmss_par.h;

  730.   uint idx_len = params->index_len;

  731.   unsigned long long idx_tree;

  732.   unsigned long long idx_leaf;

  733.   

  734.   unsigned long long i, m_len;

  735.   unsigned long long idx=0;

  736.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  737.   unsigned char pkhash[n];

  738.   unsigned char root[n];

  739.   unsigned char msg_h[m];

  740.   

  741.   unsigned char pub_seed[n];

  742.   memcpy(pub_seed,pk+n,n);  

  743.   

  744.   // Init addresses

  745.   unsigned char ots_addr[16] = {0,0,0,0};

  746.   unsigned char ltree_addr[16];

  747.   unsigned char node_addr[16];

  748.   

  749.   // Extract index

  750.   for(i = 0; i < idx_len; i++){

  751.     idx |= ((unsigned long long)sig_msg[i]) << 8*(idx_len - 1 - i);

  752.   }

  753.   printf("verify:: idx = %llu\n",idx);

  754.   sig_msg += idx_len;

  755.   sig_msg_len -= idx_len;

  756.   

  757.   // hash message (recall, R is now on pole position at sig_msg

  758.   unsigned long long tmp_sig_len = m+ (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  759.   m_len = sig_msg_len - tmp_sig_len;

  760.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  761. 

  762.   sig_msg += m;

  763.   sig_msg_len -= m;

  764.   

  765.   //-----------------------

  766.   // Verify signature

  767.   //-----------------------

  768.   

  769.   // Prepare Address

  770.   idx_tree = idx >> tree_h;

  771.   idx_leaf = (idx & ((1 << tree_h)-1));

  772.   SET_LAYER_ADDRESS(ots_addr,0);

  773.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  774.   SET_OTS_BIT(ots_addr, 1);

  775.   

  776.   memcpy(ltree_addr, ots_addr, 10);

  777.   SET_OTS_BIT(ltree_addr, 0);

  778.   SET_LTREE_BIT(ltree_addr, 1);

  779.   

  780.   memcpy(node_addr, ltree_addr, 10);

  781.   SET_LTREE_BIT(node_addr, 0);

  782.   SET_NODE_PADDING(node_addr);  

  783.   

  784.   SET_OTS_ADDRESS(ots_addr,idx_leaf);

  785.   

  786.   // Check WOTS signature 

  787.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  788. 

  789.   sig_msg += params->xmss_par.wots_par.keysize;

  790.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  791.   

  792.   // Compute Ltree

  793.   SET_LTREE_ADDRESS(ltree_addr, idx_leaf); 

  794.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  795.   

  796.   // Compute root

  797.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);  

  798. 

  799.   sig_msg += tree_h*n;

  800.   sig_msg_len -= tree_h*n;

  801.   

  802.   for(i = 1; i < params->d; i++){

  803.     // Prepare Address

  804.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  805.     idx_tree = idx_tree >> tree_h;

  806.     

  807.     SET_LAYER_ADDRESS(ots_addr,i);

  808.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  809.     SET_OTS_BIT(ots_addr, 1);

  810.     

  811.     memcpy(ltree_addr, ots_addr, 10);

  812.     SET_OTS_BIT(ltree_addr, 0);

  813.     SET_LTREE_BIT(ltree_addr, 1);

  814.     

  815.     memcpy(node_addr, ltree_addr, 10);

  816.     SET_LTREE_BIT(node_addr, 0);

  817.     SET_NODE_PADDING(node_addr);  

  818.     

  819.     SET_OTS_ADDRESS(ots_addr,idx_leaf);

  820.     

  821.     // Check WOTS signature 

  822.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  823. 

  824.     sig_msg += params->xmss_par.wots_par.keysize;

  825.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  826.     

  827.     // Compute Ltree

  828.     SET_LTREE_ADDRESS(ltree_addr, idx_leaf); 

  829.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  830.     

  831.     // Compute root

  832.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);  

  833. 

  834.     sig_msg += tree_h*n;

  835.     sig_msg_len -= tree_h*n;

  836.     

  837.   }

  838.   

  839.   for(i=0;i<n;i++)

  840.     if(root[i] != pk[i])

  841.       goto fail;

  842.   

  843.   *msglen = sig_msg_len;

  844.   for(i=0;i<*msglen;i++)

  845.     msg[i] = sig_msg[i];

  846. 

  847.   return 0;

  848.   

  849.   

  850. fail:

  851.   *msglen = sig_msg_len;

  852.   for(i=0;i<*msglen;i++)

  853.     msg[i] = 0;

  854.   *msglen = -1;

  855.   return -1;

  856. }