kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
35 Commits
1 Branch
488 KiB
 
 
Tree: 59a4846fbd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '59a4846fbd'
${ noResults }
xmss-KAT-generator/xmss_fast.c

1139 lines
34 KiB
Raw Blame History 

  1. /*

  2. xmss_fast.c version 20151120

  3. Andreas Hülsing and Joost Rijneveld

  4. Public domain.

  5. */

  6. 

  7. #include "xmss_fast.h"

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. #include <math.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "prg.h"

  17. #include "xmss_commons.h"

  18. 

  19. // For testing

  20. #include "stdio.h"

  21. 

  22. /**

  23.  * Macros used to manipulate the respective fields

  24.  * in the 16byte hash address

  25.  */

  26. #define SET_LAYER_ADDRESS(a, v) {\

  27.   a[6] = (a[6] & 3) | ((v << 2) & 252);\

  28.   a[5] = (a[5] & 252) | ((v >> 6) & 3);}

  29. 

  30. #define SET_TREE_ADDRESS(a, v) {\

  31.   a[9] = (a[9] & 3) | ((v << 2) & 252);\

  32.   a[8] = (v >> 6) & 255;\

  33.   a[7] = (v >> 14) & 255;\

  34.   a[6] = (a[6] & 252) | ((v >> 22) & 3);}

  35. 

  36. #define SET_OTS_BIT(a, b) {\

  37.   a[9] = (a[9] & 253) | ((b << 1) & 2);}

  38. 

  39. #define SET_OTS_ADDRESS(a, v) {\

  40.   a[12] = (a[12] & 1) | ((v << 1) & 254);\

  41.   a[11] = (v >> 7) & 255;\

  42.   a[10] = (v >> 15) & 255;\

  43.   a[9] = (a[9] & 254) | ((v >> 23) & 1);}

  44. 

  45. #define ZEROISE_OTS_ADDR(a) {\

  46.   a[12] = (a[12] & 254);\

  47.   a[13] = 0;\

  48.   a[14] = 0;\

  49.   a[15] = 0;}

  50. 

  51. #define SET_LTREE_BIT(a, b) {\

  52.   a[9] = (a[9] & 254) | (b & 1);}

  53. 

  54. #define SET_LTREE_ADDRESS(a, v) {\

  55.   a[12] = v & 255;\

  56.   a[11] = (v >> 8) & 255;\

  57.   a[10] = (v >> 16) & 255;}

  58. 

  59. #define SET_LTREE_TREE_HEIGHT(a, v) {\

  60.   a[13] = (a[13] & 3) | ((v << 2) & 252);}

  61. 

  62. #define SET_LTREE_TREE_INDEX(a, v) {\

  63.   a[15] = (a[15] & 3) | ((v << 2) & 252);\

  64.   a[14] = (v >> 6) & 255;\

  65.   a[13] = (a[13] & 252) | ((v >> 14) & 3);}

  66. 

  67. #define SET_NODE_PADDING(a) {\

  68.   a[10] = 0;\

  69.   a[11] = a[11] & 3;}

  70. 

  71. #define SET_NODE_TREE_HEIGHT(a, v) {\

  72.   a[12] = (a[12] & 3) | ((v << 2) & 252);\

  73.   a[11] = (a[11] & 252) | ((v >> 6) & 3);}

  74. 

  75. #define SET_NODE_TREE_INDEX(a, v) {\

  76.   a[15] = (a[15] & 3) | ((v << 2) & 252);\

  77.   a[14] = (v >> 6) & 255;\

  78.   a[13] = (v >> 14) & 255;\

  79.   a[12] = (a[12] & 252) | ((v >> 22) & 3);}

  80. 

  81. /**

  82.  * Used for pseudorandom keygeneration,

  83.  * generates the seed for the WOTS keypair at address addr

  84.  *

  85.  * takes n byte sk_seed and returns n byte seed using 16 byte address addr.

  86.  */

  87. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, unsigned char addr[16])

  88. {

  89.   // Make sure that chain addr, hash addr, and key bit are 0!

  90.   ZEROISE_OTS_ADDR(addr);

  91.   // Generate pseudorandom value

  92.   prg_with_counter(seed, sk_seed, n, addr);

  93. }

  94. 

  95. /**

  96.  * Initialize xmss params struct

  97.  * parameter names are the same as in the draft

  98.  * parameter k is K as used in the BDS algorithm

  99.  */

  100. int xmss_set_params(xmss_params *params, int m, int n, int h, int w, int k)

  101. {

  102.   if (k >= h || k < 2 || (h - k) % 2) {

  103.     fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n");

  104.     return 1;

  105.   }

  106.   params->h = h;

  107.   params->m = m;

  108.   params->n = n;

  109.   params->k = k;

  110.   wots_params wots_par;

  111.   wots_set_params(&wots_par, m, n, w);

  112.   params->wots_par = wots_par;

  113.   return 0;

  114. }

  115. 

  116. /**

  117.  * Initialize BDS state struct

  118.  * parameter names are the same as used in the description of the BDS traversal

  119.  */

  120. void xmss_set_bds_state(bds_state *state, unsigned char *stack, int stackoffset, unsigned char *stacklevels, unsigned char *auth, unsigned char *keep, treehash_inst *treehash, unsigned char *retain, int next_leaf)

  121. {

  122.   state->stack = stack;

  123.   state->stackoffset = stackoffset;

  124.   state->stacklevels = stacklevels;

  125.   state->auth = auth;

  126.   state->keep = keep;

  127.   state->treehash = treehash;

  128.   state->retain = retain;

  129.   state->next_leaf = next_leaf;

  130. }

  131. 

  132. /**

  133.  * Initialize xmssmt_params struct

  134.  * parameter names are the same as in the draft

  135.  *

  136.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  137.  */

  138. int xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w, int k)

  139. {

  140.   if (h % d) {

  141.     fprintf(stderr, "d must divide h without remainder!\n");

  142.     return 1;

  143.   }

  144.   params->h = h;

  145.   params->d = d;

  146.   params->m = m;

  147.   params->n = n;

  148.   params->index_len = (h + 7) / 8;

  149.   xmss_params xmss_par;

  150.   if (xmss_set_params(&xmss_par, m, n, (h/d), w, k)) {

  151.     return 1;

  152.   }

  153.   params->xmss_par = xmss_par;

  154.   return 0;

  155. }

  156. 

  157. /**

  158.  * Computes a leaf from a WOTS public key using an L-tree.

  159.  */

  160. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  161. {

  162.   unsigned int l = params->wots_par.len;

  163.   unsigned int n = params->n;

  164.   unsigned long i = 0;

  165.   unsigned int height = 0;

  166. 

  167.   //ADRS.setTreeHeight(0);

  168.   SET_LTREE_TREE_HEIGHT(addr, height);

  169.   unsigned long bound;

  170.   while (l > 1) {

  171.      bound = l >> 1; //floor(l / 2);

  172.      for (i = 0; i < bound; i = i + 1) {

  173.        //ADRS.setTreeIndex(i);

  174.        SET_LTREE_TREE_INDEX(addr, i);

  175.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  176.        hash_2n_n(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);

  177.      }

  178.      //if ( l % 2 == 1 ) {

  179.      if (l & 1) {

  180.        //pk[floor(l / 2) + 1] = pk[l];

  181.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  182.        //l = ceil(l / 2);

  183.        l=(l>>1)+1;

  184.      }

  185.      else

  186.      {

  187.        //l = ceil(l / 2);

  188.        l=(l>>1);

  189.      }

  190.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  191.      height++;

  192.      SET_LTREE_TREE_HEIGHT(addr, height);

  193.    }

  194.    //return pk[0];

  195.    memcpy(leaf, wots_pk, n);

  196. }

  197. 

  198. /**

  199.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  200.  */

  201. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  202. {

  203.   unsigned char seed[params->n];

  204.   unsigned char pk[params->wots_par.keysize];

  205. 

  206.   get_seed(seed, sk_seed, params->n, ots_addr);

  207.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  208. 

  209.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  210. }

  211. 

  212. static int treehash_minheight_on_stack(bds_state* state, const xmss_params *params, const treehash_inst *treehash) {

  213.   unsigned int r = params->h, i;

  214.   for (i = 0; i < treehash->stackusage; i++) {

  215.     if (state->stacklevels[state->stackoffset - i - 1] < r) {

  216.       r = state->stacklevels[state->stackoffset - i - 1];

  217.     }

  218.   }

  219.   return r;

  220. }

  221. 

  222. /**

  223.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  224.  * Currently only used for key generation.

  225.  *

  226.  */

  227. static void treehash_setup(unsigned char *node, int height, int index, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  228. {

  229.   unsigned int idx = index;

  230.   unsigned int n = params->n;

  231.   unsigned int h = params->h;

  232.   unsigned int k = params->k;

  233.   // use three different addresses because at this point we use all three formats in parallel

  234.   unsigned char ots_addr[16];

  235.   unsigned char ltree_addr[16];

  236.   unsigned char node_addr[16];

  237.   memcpy(ots_addr, addr, 10);

  238.   SET_OTS_BIT(ots_addr, 1);

  239.   memcpy(ltree_addr, addr, 10);

  240.   SET_OTS_BIT(ltree_addr, 0);

  241.   SET_LTREE_BIT(ltree_addr, 1);

  242.   memcpy(node_addr, ltree_addr, 10);

  243.   SET_LTREE_BIT(node_addr, 0);

  244.   SET_NODE_PADDING(node_addr);

  245. 

  246.   unsigned int lastnode, i;

  247.   unsigned char stack[(height+1)*n];

  248.   unsigned int stacklevels[height+1];

  249.   unsigned int stackoffset=0;

  250.   unsigned int nodeh;

  251. 

  252.   lastnode = idx+(1<<height);

  253. 

  254.   for (i = 0; i < h-k; i++) {

  255.     state->treehash[i].h = i;

  256.     state->treehash[i].completed = 1;

  257.     state->treehash[i].stackusage = 0;

  258.   }

  259. 

  260.   i = 0;

  261.   for (; idx < lastnode; idx++) {

  262.     SET_LTREE_ADDRESS(ltree_addr, idx);

  263.     SET_OTS_ADDRESS(ots_addr, idx);

  264.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  265.     stacklevels[stackoffset] = 0;

  266.     stackoffset++;

  267.     if (h - k > 0 && i == 3) {

  268.       memcpy(state->treehash[0].node, stack+stackoffset*n, n);

  269.     }

  270.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  271.     {

  272.       nodeh = stacklevels[stackoffset-1];

  273.       if (i >> nodeh == 1) {

  274.         memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n);

  275.       }

  276.       else {

  277.         if (nodeh < h - k && i >> nodeh == 3) {

  278.           memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n);

  279.         }

  280.         else if (nodeh >= h - k) {

  281.           memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack+(stackoffset-1)*n, n);

  282.         }

  283.       }

  284.       SET_NODE_TREE_HEIGHT(node_addr, stacklevels[stackoffset-1]);

  285.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  286.       hash_2n_n(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  287.           node_addr, n);

  288.       stacklevels[stackoffset-2]++;

  289.       stackoffset--;

  290.     }

  291.     i++;

  292.   }

  293. 

  294.   for (i = 0; i < n; i++)

  295.     node[i] = stack[i];

  296. }

  297. 

  298. static void treehash_update(treehash_inst *treehash, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16]) {

  299.   int n = params->n;

  300. 

  301.   unsigned char ots_addr[16];

  302.   unsigned char ltree_addr[16];

  303.   unsigned char node_addr[16];

  304. 

  305.   memcpy(ots_addr, addr, 10);

  306.   SET_OTS_BIT(ots_addr, 1);

  307.   memcpy(ltree_addr, addr, 10);

  308.   SET_OTS_BIT(ltree_addr, 0);

  309.   SET_LTREE_BIT(ltree_addr, 1);

  310.   memcpy(node_addr, ltree_addr, 10);

  311.   SET_LTREE_BIT(node_addr, 0);

  312.   SET_NODE_PADDING(node_addr);

  313. 

  314.   SET_LTREE_ADDRESS(ltree_addr, treehash->next_idx);

  315.   SET_OTS_ADDRESS(ots_addr, treehash->next_idx);

  316. 

  317.   unsigned char nodebuffer[2 * n];

  318.   unsigned int nodeheight = 0;

  319.   gen_leaf_wots(nodebuffer, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  320.   while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  321.     memcpy(nodebuffer + n, nodebuffer, n);

  322.     memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n);

  323.     SET_NODE_TREE_HEIGHT(node_addr, nodeheight);

  324.     SET_NODE_TREE_INDEX(node_addr, (treehash->next_idx >> (nodeheight+1)));

  325.     hash_2n_n(nodebuffer, nodebuffer, pub_seed, node_addr, n);

  326.     nodeheight++;

  327.     treehash->stackusage--;

  328.     state->stackoffset--;

  329.   }

  330.   if (nodeheight == treehash->h) { // this also implies stackusage == 0

  331.     memcpy(treehash->node, nodebuffer, n);

  332.     treehash->completed = 1;

  333.   }

  334.   else {

  335.     memcpy(state->stack + state->stackoffset*n, nodebuffer, n);

  336.     treehash->stackusage++;

  337.     state->stacklevels[state->stackoffset] = nodeheight;

  338.     state->stackoffset++;

  339.     treehash->next_idx++;

  340.   }

  341. }

  342. 

  343. /**

  344.  * Computes a root node given a leaf and an authapth

  345.  */

  346. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  347. {

  348.   unsigned int n = params->n;

  349. 

  350.   unsigned int i, j;

  351.   unsigned char buffer[2*n];

  352. 

  353.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  354.   // Otherwise, it is the other way around

  355.   if (leafidx & 1) {

  356.     for (j = 0; j < n; j++)

  357.       buffer[n+j] = leaf[j];

  358.     for (j = 0; j < n; j++)

  359.       buffer[j] = authpath[j];

  360.   }

  361.   else {

  362.     for (j = 0; j < n; j++)

  363.       buffer[j] = leaf[j];

  364.     for (j = 0; j < n; j++)

  365.       buffer[n+j] = authpath[j];

  366.   }

  367.   authpath += n;

  368. 

  369.   for (i = 0; i < params->h-1; i++) {

  370.     SET_NODE_TREE_HEIGHT(addr, i);

  371.     leafidx >>= 1;

  372.     SET_NODE_TREE_INDEX(addr, leafidx);

  373.     if (leafidx & 1) {

  374.       hash_2n_n(buffer+n, buffer, pub_seed, addr, n);

  375.       for (j = 0; j < n; j++)

  376.         buffer[j] = authpath[j];

  377.     }

  378.     else {

  379.       hash_2n_n(buffer, buffer, pub_seed, addr, n);

  380.       for (j = 0; j < n; j++)

  381.         buffer[j+n] = authpath[j];

  382.     }

  383.     authpath += n;

  384.   }

  385.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  386.   leafidx >>= 1;

  387.   SET_NODE_TREE_INDEX(addr, leafidx);

  388.   hash_2n_n(root, buffer, pub_seed, addr, n);

  389. }

  390. 

  391. /**

  392.  * Performs one treehash update on the instance that needs it the most.

  393.  * Returns 1 if such an instance was not found

  394.  **/

  395. static char bds_treehash_update(bds_state *state, unsigned int updates, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const unsigned char addr[16]) {

  396.   unsigned int i, j;

  397.   unsigned int level, l_min, low;

  398.   unsigned int h = params->h;

  399.   unsigned int k = params->k;

  400.   unsigned int used = 0;

  401. 

  402.   for (j = 0; j < updates; j++) {

  403.     l_min = h;

  404.     level = h - k;

  405.     for (i = 0; i < h - k; i++) {

  406.       if (state->treehash[i].completed) {

  407.         low = h;

  408.       }

  409.       else if (state->treehash[i].stackusage == 0) {

  410.         low = i;

  411.       }

  412.       else {

  413.         low = treehash_minheight_on_stack(state, params, &(state->treehash[i]));

  414.       }

  415.       if (low < l_min) {

  416.         level = i;

  417.         l_min = low;

  418.       }

  419.     }

  420.     if (level == h - k) {

  421.       break;

  422.     }

  423.     treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr);

  424.     used++;

  425.   }

  426.   return updates - used;

  427. }

  428. 

  429. /**

  430.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  431.  * Returns 1 if all leaf nodes have already been processed

  432.  **/

  433. static char bds_state_update(bds_state *state, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const unsigned char addr[16]) {

  434.   unsigned char ltree_addr[16];

  435.   unsigned char node_addr[16];

  436.   unsigned char ots_addr[16];

  437. 

  438.   int n = params->n;

  439.   int h = params->h;

  440.   int k = params->k;

  441. 

  442.   int nodeh;

  443.   int idx = state->next_leaf;

  444.   if (idx == 1 << h) {

  445.     return 1;

  446.   }

  447. 

  448.   memcpy(ots_addr, addr, 10);

  449.   SET_OTS_BIT(ots_addr, 1);

  450.   SET_OTS_ADDRESS(ots_addr, idx);

  451. 

  452.   memcpy(ltree_addr, addr, 10);

  453.   SET_OTS_BIT(ltree_addr, 0);

  454.   SET_LTREE_BIT(ltree_addr, 1);

  455.   SET_LTREE_ADDRESS(ltree_addr, idx);

  456. 

  457.   memcpy(node_addr, addr, 10);

  458.   SET_LTREE_BIT(node_addr, 0);

  459.   SET_OTS_BIT(node_addr, 0);

  460.   SET_NODE_PADDING(node_addr);

  461. 

  462.   gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  463. 

  464.   state->stacklevels[state->stackoffset] = 0;

  465.   state->stackoffset++;

  466.   if (h - k > 0 && idx == 3) {

  467.     memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n);

  468.   }

  469.   while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  470.     nodeh = state->stacklevels[state->stackoffset-1];

  471.     if (idx >> nodeh == 1) {

  472.       memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n);

  473.     }

  474.     else {

  475.       if (nodeh < h - k && idx >> nodeh == 3) {

  476.         memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n);

  477.       }

  478.       else if (nodeh >= h - k) {

  479.         memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, state->stack+(state->stackoffset-1)*n, n);

  480.       }

  481.     }

  482.     SET_NODE_TREE_HEIGHT(node_addr, state->stacklevels[state->stackoffset-1]);

  483.     SET_NODE_TREE_INDEX(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  484.     hash_2n_n(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, node_addr, n);

  485. 

  486.     state->stacklevels[state->stackoffset-2]++;

  487.     state->stackoffset--;

  488.   }

  489.   state->next_leaf++;

  490.   return 0;

  491. }

  492. 

  493. /**

  494.  * Returns the auth path for node leaf_idx and computes the auth path for the

  495.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  496.  * in "Post Quantum Cryptography", Springer 2009.

  497.  */

  498. static void bds_round(bds_state *state, const unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  499. {

  500.   unsigned int i;

  501.   unsigned int n = params->n;

  502.   unsigned int h = params->h;

  503.   unsigned int k = params->k;

  504. 

  505.   unsigned int tau = h;

  506.   unsigned int startidx;

  507.   unsigned int offset, rowidx;

  508.   unsigned char buf[2 * n];

  509. 

  510.   unsigned char ots_addr[16];

  511.   unsigned char ltree_addr[16];

  512.   unsigned char node_addr[16];

  513. 

  514.   memcpy(ots_addr, addr, 10);

  515.   SET_OTS_BIT(ots_addr, 1);

  516.   memcpy(ltree_addr, addr, 10);

  517.   SET_OTS_BIT(ltree_addr, 0);

  518.   SET_LTREE_BIT(ltree_addr, 1);

  519.   memcpy(node_addr, ltree_addr, 10);

  520.   SET_LTREE_BIT(node_addr, 0);

  521.   SET_NODE_PADDING(node_addr);

  522. 

  523.   for (i = 0; i < h; i++) {

  524.     if (! ((leaf_idx >> i) & 1)) {

  525.       tau = i;

  526.       break;

  527.     }

  528.   }

  529. 

  530.   if (tau > 0) {

  531.     memcpy(buf,     state->auth + (tau-1) * n, n);

  532.     // we need to do this before refreshing state->keep to prevent overwriting

  533.     memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n);

  534.   }

  535.   if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) {

  536.     memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n);

  537.   }

  538.   if (tau == 0) {

  539.     SET_LTREE_ADDRESS(ltree_addr, leaf_idx);

  540.     SET_OTS_ADDRESS(ots_addr, leaf_idx);

  541.     gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  542.   }

  543.   else {

  544.     SET_NODE_TREE_HEIGHT(node_addr, (tau-1));

  545.     SET_NODE_TREE_INDEX(node_addr, leaf_idx >> tau);

  546.     hash_2n_n(state->auth + tau * n, buf, pub_seed, node_addr, n);

  547.     for (i = 0; i < tau; i++) {

  548.       if (i < h - k) {

  549.         memcpy(state->auth + i * n, state->treehash[i].node, n);

  550.       }

  551.       else {

  552.         offset = (1 << (h - 1 - i)) + i - h;

  553.         rowidx = ((leaf_idx >> i) - 1) >> 1;

  554.         memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n);

  555.       }

  556.     }

  557. 

  558.     for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) {

  559.       startidx = leaf_idx + 1 + 3 * (1 << i);

  560.       if (startidx < 1U << h) {

  561.         state->treehash[i].h = i;

  562.         state->treehash[i].next_idx = startidx;

  563.         state->treehash[i].completed = 0;

  564.         state->treehash[i].stackusage = 0;

  565.       }

  566.     }

  567.   }

  568. }

  569. 

  570. /*

  571.  * Generates a XMSS key pair for a given parameter set.

  572.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  573.  * Format pk: [root || PUB_SEED] omitting algo oid.

  574.  */

  575. int xmss_keypair(unsigned char *pk, unsigned char *sk, bds_state *state, xmss_params *params)

  576. {

  577.   unsigned int n = params->n;

  578.   unsigned int m = params->m;

  579.   // Set idx = 0

  580.   sk[0] = 0;

  581.   sk[1] = 0;

  582.   sk[2] = 0;

  583.   sk[3] = 0;

  584.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  585.   randombytes(sk+4, 2*n+m);

  586.   // Copy PUB_SEED to public key

  587.   memcpy(pk+n, sk+4+n+m, n);

  588. 

  589.   unsigned char addr[16] = {0, 0, 0, 0};

  590.   // Compute root

  591.   treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+n+m, addr);

  592.   return 0;

  593. }

  594. 

  595. /**

  596.  * Signs a message.

  597.  * Returns

  598.  * 1. an array containing the signature followed by the message AND

  599.  * 2. an updated secret key!

  600.  *

  601.  */

  602. int xmss_sign(unsigned char *sk, bds_state *state, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  603. {

  604.   unsigned int h = params->h;

  605.   unsigned int n = params->n;

  606.   unsigned int m = params->m;

  607.   unsigned int k = params->k;

  608. 

  609.   // Extract SK

  610.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  611.   unsigned char sk_seed[n];

  612.   memcpy(sk_seed, sk+4, n);

  613.   unsigned char sk_prf[m];

  614.   memcpy(sk_prf, sk+4+n, m);

  615.   unsigned char pub_seed[n];

  616.   memcpy(pub_seed, sk+4+n+m, n);

  617. 

  618.   // Update SK

  619.   sk[0] = ((idx + 1) >> 24) & 255;

  620.   sk[1] = ((idx + 1) >> 16) & 255;

  621.   sk[2] = ((idx + 1) >> 8) & 255;

  622.   sk[3] = (idx + 1) & 255;

  623.   // -- Secret key for this non-forward-secure version is now updated.

  624.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  625. 

  626.   // Init working params

  627.   unsigned long long i;

  628.   unsigned char R[m];

  629.   unsigned char msg_h[m];

  630.   unsigned char ots_seed[n];

  631.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  632. 

  633.   // ---------------------------------

  634.   // Message Hashing

  635.   // ---------------------------------

  636. 

  637.   // Message Hash:

  638.   // First compute pseudorandom key

  639.   prf_m(R, msg, msglen, sk_prf, m);

  640.   // Then use it for message digest

  641.   hash_m(msg_h, msg, msglen, R, m, m);

  642. 

  643.   // Start collecting signature

  644.   *sig_msg_len = 0;

  645. 

  646.   // Copy index to signature

  647.   sig_msg[0] = (idx >> 24) & 255;

  648.   sig_msg[1] = (idx >> 16) & 255;

  649.   sig_msg[2] = (idx >> 8) & 255;

  650.   sig_msg[3] = idx & 255;

  651. 

  652.   sig_msg += 4;

  653.   *sig_msg_len += 4;

  654. 

  655.   // Copy R to signature

  656.   for (i = 0; i < m; i++)

  657.     sig_msg[i] = R[i];

  658. 

  659.   sig_msg += m;

  660.   *sig_msg_len += m;

  661. 

  662.   // ----------------------------------

  663.   // Now we start to "really sign"

  664.   // ----------------------------------

  665. 

  666.   // Prepare Address

  667.   SET_OTS_BIT(ots_addr, 1);

  668.   SET_OTS_ADDRESS(ots_addr, idx);

  669. 

  670.   // Compute seed for OTS key pair

  671.   get_seed(ots_seed, sk_seed, n, ots_addr);

  672. 

  673.   // Compute WOTS signature

  674.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  675. 

  676.   sig_msg += params->wots_par.keysize;

  677.   *sig_msg_len += params->wots_par.keysize;

  678. 

  679.   // the auth path was already computed during the previous round

  680.   memcpy(sig_msg, state->auth, h*n);

  681. 

  682.   if (idx < (1U << h) - 1) {

  683.     bds_round(state, idx, sk_seed, params, pub_seed, ots_addr);

  684.     bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr);

  685.   }

  686. 

  687.   sig_msg += params->h*n;

  688.   *sig_msg_len += params->h*n;

  689. 

  690.   //Whipe secret elements?

  691.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  692. 

  693.   memcpy(sig_msg, msg, msglen);

  694.   *sig_msg_len += msglen;

  695. 

  696.   return 0;

  697. }

  698. 

  699. /**

  700.  * Verifies a given message signature pair under a given public key.

  701.  */

  702. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  703. {

  704.   unsigned int n = params->n;

  705.   unsigned int m = params->m;

  706. 

  707.   unsigned long long i, m_len;

  708.   unsigned long idx=0;

  709.   unsigned char wots_pk[params->wots_par.keysize];

  710.   unsigned char pkhash[n];

  711.   unsigned char root[n];

  712.   unsigned char msg_h[m];

  713. 

  714.   unsigned char pub_seed[n];

  715.   memcpy(pub_seed, pk+n, n);

  716. 

  717.   // Init addresses

  718.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  719.   unsigned char ltree_addr[16];

  720.   unsigned char node_addr[16];

  721. 

  722.   SET_OTS_BIT(ots_addr, 1);

  723. 

  724.   memcpy(ltree_addr, ots_addr, 10);

  725.   SET_OTS_BIT(ltree_addr, 0);

  726.   SET_LTREE_BIT(ltree_addr, 1);

  727. 

  728.   memcpy(node_addr, ltree_addr, 10);

  729.   SET_LTREE_BIT(node_addr, 0);

  730.   SET_NODE_PADDING(node_addr);

  731. 

  732.   // Extract index

  733.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  734.   printf("verify:: idx = %lu\n", idx);

  735.   sig_msg += 4;

  736.   sig_msg_len -= 4;

  737. 

  738.   // hash message (recall, R is now on pole position at sig_msg

  739.   unsigned long long tmp_sig_len = m+params->wots_par.keysize+params->h*n;

  740.   m_len = sig_msg_len - tmp_sig_len;

  741.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  742. 

  743.   sig_msg += m;

  744.   sig_msg_len -= m;

  745. 

  746.   //-----------------------

  747.   // Verify signature

  748.   //-----------------------

  749. 

  750.   // Prepare Address

  751.   SET_OTS_ADDRESS(ots_addr, idx);

  752.   // Check WOTS signature

  753.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  754. 

  755.   sig_msg += params->wots_par.keysize;

  756.   sig_msg_len -= params->wots_par.keysize;

  757. 

  758.   // Compute Ltree

  759.   SET_LTREE_ADDRESS(ltree_addr, idx);

  760.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  761. 

  762.   // Compute root

  763.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  764. 

  765.   sig_msg += params->h*n;

  766.   sig_msg_len -= params->h*n;

  767. 

  768.   for (i = 0; i < n; i++)

  769.     if (root[i] != pk[i])

  770.       goto fail;

  771. 

  772.   *msglen = sig_msg_len;

  773.   for (i = 0; i < *msglen; i++)

  774.     msg[i] = sig_msg[i];

  775. 

  776.   return 0;

  777. 

  778. 

  779. fail:

  780.   *msglen = sig_msg_len;

  781.   for (i = 0; i < *msglen; i++)

  782.     msg[i] = 0;

  783.   *msglen = -1;

  784.   return -1;

  785. }

  786. 

  787. /*

  788.  * Generates a XMSSMT key pair for a given parameter set.

  789.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  790.  * Format pk: [root || PUB_SEED] omitting algo oid.

  791.  */

  792. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, bds_state *states, unsigned char *wots_sigs, xmssmt_params *params)

  793. {

  794.   unsigned int n = params->n;

  795.   unsigned int m = params->m;

  796.   unsigned int i;

  797.   unsigned char ots_seed[params->n];

  798.   // Set idx = 0

  799.   for (i = 0; i < params->index_len; i++) {

  800.     sk[i] = 0;

  801.   }

  802.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  803.   randombytes(sk+params->index_len, 2*n+m);

  804.   // Copy PUB_SEED to public key

  805.   memcpy(pk+n, sk+params->index_len+n+m, n);

  806. 

  807.   // Set address to point on the single tree on layer d-1

  808.   unsigned char addr[16] = {0, 0, 0, 0};

  809.   SET_OTS_BIT(addr, 1);

  810.   SET_TREE_ADDRESS(addr, 0);

  811.   SET_OTS_ADDRESS(addr, 0);

  812.   SET_LAYER_ADDRESS(addr, 0);

  813.   // Set up state and compute wots signatures for all but topmost tree root

  814.   for (i = 0; i < params->d - 1; i++) {

  815.     // Compute seed for OTS key pair

  816.     treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  817.     SET_LAYER_ADDRESS(addr, (i+1));

  818.     get_seed(ots_seed, sk+params->index_len, n, addr);

  819.     wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_par), pk+n, addr);

  820.   }

  821.   treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  822.   return 0;

  823. }

  824. 

  825. /**

  826.  * Signs a message.

  827.  * Returns

  828.  * 1. an array containing the signature followed by the message AND

  829.  * 2. an updated secret key!

  830.  *

  831.  */

  832. int xmssmt_sign(unsigned char *sk, bds_state *states, unsigned char *wots_sigs, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  833. {

  834.   unsigned int n = params->n;

  835.   unsigned int m = params->m;

  836.   unsigned int tree_h = params->xmss_par.h;

  837.   unsigned int h = params->h;

  838.   unsigned int k = params->xmss_par.k;

  839.   unsigned int idx_len = params->index_len;

  840.   unsigned long long idx_tree;

  841.   unsigned long long idx_leaf;

  842.   unsigned long long i, j;

  843.   int needswap_upto = -1;

  844.   unsigned int updates;

  845. 

  846.   unsigned char sk_seed[n];

  847.   unsigned char sk_prf[m];

  848.   unsigned char pub_seed[n];

  849.   // Init working params

  850.   unsigned char R[m];

  851.   unsigned char msg_h[m];

  852.   unsigned char ots_seed[n];

  853.   unsigned char addr[16] = {0, 0, 0, 0};

  854.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  855.   bds_state tmp;

  856. 

  857.   // Extract SK

  858.   unsigned long long idx = 0;

  859.   for (i = 0; i < idx_len; i++) {

  860.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  861.   }

  862. 

  863.   memcpy(sk_seed, sk+idx_len, n);

  864.   memcpy(sk_prf, sk+idx_len+n, m);

  865.   memcpy(pub_seed, sk+idx_len+n+m, n);

  866. 

  867.   // Update SK

  868.   for (i = 0; i < idx_len; i++) {

  869.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  870.   }

  871.   // -- Secret key for this non-forward-secure version is now updated.

  872.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  873. 

  874. 

  875.   // ---------------------------------

  876.   // Message Hashing

  877.   // ---------------------------------

  878. 

  879.   // Message Hash:

  880.   // First compute pseudorandom key

  881.   prf_m(R, msg, msglen, sk_prf, m);

  882.   // Then use it for message digest

  883.   hash_m(msg_h, msg, msglen, R, m, m);

  884. 

  885.   // Start collecting signature

  886.   *sig_msg_len = 0;

  887. 

  888.   // Copy index to signature

  889.   for (i = 0; i < idx_len; i++) {

  890.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  891.   }

  892. 

  893.   sig_msg += idx_len;

  894.   *sig_msg_len += idx_len;

  895. 

  896.   // Copy R to signature

  897.   for (i = 0; i < m; i++)

  898.     sig_msg[i] = R[i];

  899. 

  900.   sig_msg += m;

  901.   *sig_msg_len += m;

  902. 

  903.   // ----------------------------------

  904.   // Now we start to "really sign"

  905.   // ----------------------------------

  906. 

  907.   // Handle lowest layer separately as it is slightly different...

  908. 

  909.   // Prepare Address

  910.   SET_OTS_BIT(ots_addr, 1);

  911.   idx_tree = idx >> tree_h;

  912.   idx_leaf = (idx & ((1 << tree_h)-1));

  913.   SET_LAYER_ADDRESS(ots_addr, 0);

  914.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  915.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  916. 

  917.   // Compute seed for OTS key pair

  918.   get_seed(ots_seed, sk_seed, n, ots_addr);

  919. 

  920.   // Compute WOTS signature

  921.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  922. 

  923.   sig_msg += params->xmss_par.wots_par.keysize;

  924.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  925. 

  926.   memcpy(sig_msg, states[0].auth, tree_h*n);

  927.   sig_msg += tree_h*n;

  928.   *sig_msg_len += tree_h*n;

  929. 

  930.   // prepare signature of remaining layers

  931.   for (i = 1; i < params->d; i++) {

  932.     // put WOTS signature in place

  933.     memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.keysize);

  934. 

  935.     sig_msg += params->xmss_par.wots_par.keysize;

  936.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  937. 

  938.     // put AUTH nodes in place

  939.     memcpy(sig_msg, states[i].auth, tree_h*n);

  940.     sig_msg += tree_h*n;

  941.     *sig_msg_len += tree_h*n;

  942.   }

  943. 

  944.   updates = (tree_h - k) >> 1;

  945. 

  946.   SET_TREE_ADDRESS(addr, (idx_tree + 1));

  947.   // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  948.   if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << h)) {

  949.     bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr);

  950.   }

  951. 

  952.   for (i = 0; i < params->d; i++) {

  953.     // check if we're not at the end of a tree

  954.     if (! (((idx + 1) & ((1ULL << ((i+1)*tree_h)) - 1)) == 0)) {

  955.       idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1);

  956.       idx_tree = (idx >> (tree_h * (i+1)));

  957.       SET_LAYER_ADDRESS(addr, i);

  958.       SET_TREE_ADDRESS(addr, idx_tree);

  959.       if (i == (unsigned int) (needswap_upto + 1)) {

  960.         bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr);

  961.       }

  962.       updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr);

  963.       SET_TREE_ADDRESS(addr, (idx_tree + 1));

  964.       // if a NEXT-tree exists for this level;

  965.       if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << (h - tree_h * i))) {

  966.         if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << h)) {

  967.           bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr);

  968.           updates--;

  969.         }

  970.       }

  971.     }

  972.     else if (idx < (1ULL << h) - 1) {

  973.       memcpy(&tmp, states+params->d + i, sizeof(bds_state));

  974.       memcpy(states+params->d + i, states + i, sizeof(bds_state));

  975.       memcpy(states + i, &tmp, sizeof(bds_state));

  976. 

  977.       SET_LAYER_ADDRESS(ots_addr, (i+1));

  978.       SET_TREE_ADDRESS(ots_addr, ((idx + 1) >> ((i+2) * tree_h)));

  979.       SET_OTS_ADDRESS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1)));

  980. 

  981.       get_seed(ots_seed, sk+params->index_len, n, ots_addr);

  982.       wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  983. 

  984.       states[params->d + i].stackoffset = 0;

  985.       states[params->d + i].next_leaf = 0;

  986. 

  987.       updates--; // WOTS-signing counts as one update

  988.       needswap_upto = i;

  989.       for (j = 0; j < tree_h-k; j++) {

  990.         states[i].treehash[j].completed = 1;

  991.       }

  992.     }

  993.   }

  994. 

  995.   //Whipe secret elements?

  996.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  997. 

  998.   memcpy(sig_msg, msg, msglen);

  999.   *sig_msg_len += msglen;

  1000. 

  1001.   return 0;

  1002. }

  1003. 

  1004. /**

  1005.  * Verifies a given message signature pair under a given public key.

  1006.  */

  1007. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  1008. {

  1009.   unsigned int n = params->n;

  1010.   unsigned int m = params->m;

  1011. 

  1012.   unsigned int tree_h = params->xmss_par.h;

  1013.   unsigned int idx_len = params->index_len;

  1014.   unsigned long long idx_tree;

  1015.   unsigned long long idx_leaf;

  1016. 

  1017.   unsigned long long i, m_len;

  1018.   unsigned long long idx=0;

  1019.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  1020.   unsigned char pkhash[n];

  1021.   unsigned char root[n];

  1022.   unsigned char msg_h[m];

  1023. 

  1024.   unsigned char pub_seed[n];

  1025.   memcpy(pub_seed, pk+n, n);

  1026. 

  1027.   // Init addresses

  1028.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  1029.   unsigned char ltree_addr[16];

  1030.   unsigned char node_addr[16];

  1031. 

  1032.   // Extract index

  1033.   for (i = 0; i < idx_len; i++) {

  1034.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  1035.   }

  1036.   printf("verify:: idx = %llu\n", idx);

  1037.   sig_msg += idx_len;

  1038.   sig_msg_len -= idx_len;

  1039. 

  1040.   // hash message (recall, R is now on pole position at sig_msg

  1041.   unsigned long long tmp_sig_len = m+ (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  1042.   m_len = sig_msg_len - tmp_sig_len;

  1043.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  1044. 

  1045.   sig_msg += m;

  1046.   sig_msg_len -= m;

  1047. 

  1048.   //-----------------------

  1049.   // Verify signature

  1050.   //-----------------------

  1051. 

  1052.   // Prepare Address

  1053.   idx_tree = idx >> tree_h;

  1054.   idx_leaf = (idx & ((1 << tree_h)-1));

  1055.   SET_LAYER_ADDRESS(ots_addr, 0);

  1056.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  1057.   SET_OTS_BIT(ots_addr, 1);

  1058. 

  1059.   memcpy(ltree_addr, ots_addr, 10);

  1060.   SET_OTS_BIT(ltree_addr, 0);

  1061.   SET_LTREE_BIT(ltree_addr, 1);

  1062. 

  1063.   memcpy(node_addr, ltree_addr, 10);

  1064.   SET_LTREE_BIT(node_addr, 0);

  1065.   SET_NODE_PADDING(node_addr);

  1066. 

  1067.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  1068. 

  1069.   // Check WOTS signature

  1070.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1071. 

  1072.   sig_msg += params->xmss_par.wots_par.keysize;

  1073.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  1074. 

  1075.   // Compute Ltree

  1076.   SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  1077.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1078. 

  1079.   // Compute root

  1080.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1081. 

  1082.   sig_msg += tree_h*n;

  1083.   sig_msg_len -= tree_h*n;

  1084. 

  1085.   for (i = 1; i < params->d; i++) {

  1086.     // Prepare Address

  1087.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  1088.     idx_tree = idx_tree >> tree_h;

  1089. 

  1090.     SET_LAYER_ADDRESS(ots_addr, i);

  1091.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  1092.     SET_OTS_BIT(ots_addr, 1);

  1093. 

  1094.     memcpy(ltree_addr, ots_addr, 10);

  1095.     SET_OTS_BIT(ltree_addr, 0);

  1096.     SET_LTREE_BIT(ltree_addr, 1);

  1097. 

  1098.     memcpy(node_addr, ltree_addr, 10);

  1099.     SET_LTREE_BIT(node_addr, 0);

  1100.     SET_NODE_PADDING(node_addr);

  1101. 

  1102.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  1103. 

  1104.     // Check WOTS signature

  1105.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1106. 

  1107.     sig_msg += params->xmss_par.wots_par.keysize;

  1108.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  1109. 

  1110.     // Compute Ltree

  1111.     SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  1112.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1113. 

  1114.     // Compute root

  1115.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1116. 

  1117.     sig_msg += tree_h*n;

  1118.     sig_msg_len -= tree_h*n;

  1119. 

  1120.   }

  1121. 

  1122.   for (i = 0; i < n; i++)

  1123.     if (root[i] != pk[i])

  1124.       goto fail;

  1125. 

  1126.   *msglen = sig_msg_len;

  1127.   for (i = 0; i < *msglen; i++)

  1128.     msg[i] = sig_msg[i];

  1129. 

  1130.   return 0;

  1131. 

  1132. 

  1133. fail:

  1134.   *msglen = sig_msg_len;

  1135.   for (i = 0; i < *msglen; i++)

  1136.     msg[i] = 0;

  1137.   *msglen = -1;

  1138.   return -1;

  1139. }