kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
71 Commits
1 Branch
488 KiB
 
 
Tree: 998137622a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '998137622a'
${ noResults }
xmss-KAT-generator/xmss_core_fast.c

705 lines
25 KiB
Raw Blame History 

  1. #include <stdlib.h>

  2. #include <string.h>

  3. #include <stdint.h>

  4. 

  5. #include "hash.h"

  6. #include "hash_address.h"

  7. #include "params.h"

  8. #include "randombytes.h"

  9. #include "wots.h"

  10. #include "xmss_commons.h"

  11. #include "xmss_core_fast.h"

  12. 

  13. /**

  14.  * Initialize BDS state struct

  15.  * parameter names are the same as used in the description of the BDS traversal

  16.  */

  17. void xmss_set_bds_state(bds_state *state, unsigned char *stack,

  18.                         int stackoffset, unsigned char *stacklevels,

  19.                         unsigned char *auth, unsigned char *keep,

  20.                         treehash_inst *treehash, unsigned char *retain,

  21.                         int next_leaf)

  22. {

  23.     state->stack = stack;

  24.     state->stackoffset = stackoffset;

  25.     state->stacklevels = stacklevels;

  26.     state->auth = auth;

  27.     state->keep = keep;

  28.     state->treehash = treehash;

  29.     state->retain = retain;

  30.     state->next_leaf = next_leaf;

  31. }

  32. 

  33. static int treehash_minheight_on_stack(const xmss_params *params,

  34.                                        bds_state* state,

  35.                                        const treehash_inst *treehash)

  36. {

  37.     unsigned int r = params->tree_height, i;

  38. 

  39.     for (i = 0; i < treehash->stackusage; i++) {

  40.         if (state->stacklevels[state->stackoffset - i - 1] < r) {

  41.             r = state->stacklevels[state->stackoffset - i - 1];

  42.         }

  43.     }

  44.     return r;

  45. }

  46. 

  47. /**

  48.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  49.  * Currently only used for key generation.

  50.  *

  51.  */

  52. static void treehash_init(const xmss_params *params,

  53.                           unsigned char *node, int height, int index,

  54.                           bds_state *state, const unsigned char *sk_seed,

  55.                           const unsigned char *pub_seed, const uint32_t addr[8])

  56. {

  57.     unsigned int idx = index;

  58.     // use three different addresses because at this point we use all three formats in parallel

  59.     uint32_t ots_addr[8];

  60.     uint32_t ltree_addr[8];

  61.     uint32_t node_addr[8];

  62.     // only copy layer and tree address parts

  63.     memcpy(ots_addr, addr, 12);

  64.     // type = ots

  65.     set_type(ots_addr, 0);

  66.     memcpy(ltree_addr, addr, 12);

  67.     set_type(ltree_addr, 1);

  68.     memcpy(node_addr, addr, 12);

  69.     set_type(node_addr, 2);

  70. 

  71.     uint32_t lastnode, i;

  72.     unsigned char stack[(height+1)*params->n];

  73.     unsigned int stacklevels[height+1];

  74.     unsigned int stackoffset=0;

  75.     unsigned int nodeh;

  76. 

  77.     lastnode = idx+(1<<height);

  78. 

  79.     for (i = 0; i < params->tree_height-params->bds_k; i++) {

  80.         state->treehash[i].h = i;

  81.         state->treehash[i].completed = 1;

  82.         state->treehash[i].stackusage = 0;

  83.     }

  84. 

  85.     i = 0;

  86.     for (; idx < lastnode; idx++) {

  87.         set_ltree_addr(ltree_addr, idx);

  88.         set_ots_addr(ots_addr, idx);

  89.         gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  90.         stacklevels[stackoffset] = 0;

  91.         stackoffset++;

  92.         if (params->tree_height - params->bds_k > 0 && i == 3) {

  93.             memcpy(state->treehash[0].node, stack+stackoffset*params->n, params->n);

  94.         }

  95.         while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  96.             nodeh = stacklevels[stackoffset-1];

  97.             if (i >> nodeh == 1) {

  98.                 memcpy(state->auth + nodeh*params->n, stack+(stackoffset-1)*params->n, params->n);

  99.             }

  100.             else {

  101.                 if (nodeh < params->tree_height - params->bds_k && i >> nodeh == 3) {

  102.                     memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*params->n, params->n);

  103.                 }

  104.                 else if (nodeh >= params->tree_height - params->bds_k) {

  105.                     memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((i >> nodeh) - 3) >> 1)) * params->n, stack+(stackoffset-1)*params->n, params->n);

  106.                 }

  107.             }

  108.             set_tree_height(node_addr, stacklevels[stackoffset-1]);

  109.             set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  110.             hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);

  111.             stacklevels[stackoffset-2]++;

  112.             stackoffset--;

  113.         }

  114.         i++;

  115.     }

  116. 

  117.     for (i = 0; i < params->n; i++) {

  118.         node[i] = stack[i];

  119.     }

  120. }

  121. 

  122. static void treehash_update(const xmss_params *params,

  123.                             treehash_inst *treehash, bds_state *state,

  124.                             const unsigned char *sk_seed,

  125.                             const unsigned char *pub_seed,

  126.                             const uint32_t addr[8])

  127. {

  128.     uint32_t ots_addr[8];

  129.     uint32_t ltree_addr[8];

  130.     uint32_t node_addr[8];

  131.     // only copy layer and tree address parts

  132.     memcpy(ots_addr, addr, 12);

  133.     // type = ots

  134.     set_type(ots_addr, 0);

  135.     memcpy(ltree_addr, addr, 12);

  136.     set_type(ltree_addr, 1);

  137.     memcpy(node_addr, addr, 12);

  138.     set_type(node_addr, 2);

  139. 

  140.     set_ltree_addr(ltree_addr, treehash->next_idx);

  141.     set_ots_addr(ots_addr, treehash->next_idx);

  142. 

  143.     unsigned char nodebuffer[2 * params->n];

  144.     unsigned int nodeheight = 0;

  145.     gen_leaf_wots(params, nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);

  146.     while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  147.         memcpy(nodebuffer + params->n, nodebuffer, params->n);

  148.         memcpy(nodebuffer, state->stack + (state->stackoffset-1)*params->n, params->n);

  149.         set_tree_height(node_addr, nodeheight);

  150.         set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));

  151.         hash_h(params, nodebuffer, nodebuffer, pub_seed, node_addr);

  152.         nodeheight++;

  153.         treehash->stackusage--;

  154.         state->stackoffset--;

  155.     }

  156.     if (nodeheight == treehash->h) { // this also implies stackusage == 0

  157.         memcpy(treehash->node, nodebuffer, params->n);

  158.         treehash->completed = 1;

  159.     }

  160.     else {

  161.         memcpy(state->stack + state->stackoffset*params->n, nodebuffer, params->n);

  162.         treehash->stackusage++;

  163.         state->stacklevels[state->stackoffset] = nodeheight;

  164.         state->stackoffset++;

  165.         treehash->next_idx++;

  166.     }

  167. }

  168. 

  169. /**

  170.  * Performs one treehash update on the instance that needs it the most.

  171.  * Returns 1 if such an instance was not found

  172.  **/

  173. static char bds_treehash_update(const xmss_params *params,

  174.                                 bds_state *state, unsigned int updates,

  175.                                 const unsigned char *sk_seed,

  176.                                 unsigned char *pub_seed,

  177.                                 const uint32_t addr[8])

  178. {

  179.     uint32_t i, j;

  180.     unsigned int level, l_min, low;

  181.     unsigned int used = 0;

  182. 

  183.     for (j = 0; j < updates; j++) {

  184.         l_min = params->tree_height;

  185.         level = params->tree_height - params->bds_k;

  186.         for (i = 0; i < params->tree_height - params->bds_k; i++) {

  187.             if (state->treehash[i].completed) {

  188.                 low = params->tree_height;

  189.             }

  190.             else if (state->treehash[i].stackusage == 0) {

  191.                 low = i;

  192.             }

  193.             else {

  194.                 low = treehash_minheight_on_stack(params, state, &(state->treehash[i]));

  195.             }

  196.             if (low < l_min) {

  197.                 level = i;

  198.                 l_min = low;

  199.             }

  200.         }

  201.         if (level == params->tree_height - params->bds_k) {

  202.             break;

  203.         }

  204.         treehash_update(params, &(state->treehash[level]), state, sk_seed, pub_seed, addr);

  205.         used++;

  206.     }

  207.     return updates - used;

  208. }

  209. 

  210. /**

  211.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  212.  * Returns 1 if all leaf nodes have already been processed

  213.  **/

  214. static char bds_state_update(const xmss_params *params,

  215.                              bds_state *state, const unsigned char *sk_seed,

  216.                              const unsigned char *pub_seed,

  217.                              const uint32_t addr[8])

  218. {

  219.     uint32_t ltree_addr[8];

  220.     uint32_t node_addr[8];

  221.     uint32_t ots_addr[8];

  222. 

  223.     unsigned int nodeh;

  224.     int idx = state->next_leaf;

  225.     if (idx == 1 << params->tree_height) {

  226.         return 1;

  227.     }

  228. 

  229.     // only copy layer and tree address parts

  230.     memcpy(ots_addr, addr, 12);

  231.     // type = ots

  232.     set_type(ots_addr, 0);

  233.     memcpy(ltree_addr, addr, 12);

  234.     set_type(ltree_addr, 1);

  235.     memcpy(node_addr, addr, 12);

  236.     set_type(node_addr, 2);

  237. 

  238.     set_ots_addr(ots_addr, idx);

  239.     set_ltree_addr(ltree_addr, idx);

  240. 

  241.     gen_leaf_wots(params, state->stack+state->stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);

  242. 

  243.     state->stacklevels[state->stackoffset] = 0;

  244.     state->stackoffset++;

  245.     if (params->tree_height - params->bds_k > 0 && idx == 3) {

  246.         memcpy(state->treehash[0].node, state->stack+state->stackoffset*params->n, params->n);

  247.     }

  248.     while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  249.         nodeh = state->stacklevels[state->stackoffset-1];

  250.         if (idx >> nodeh == 1) {

  251.             memcpy(state->auth + nodeh*params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  252.         }

  253.         else {

  254.             if (nodeh < params->tree_height - params->bds_k && idx >> nodeh == 3) {

  255.                 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*params->n, params->n);

  256.             }

  257.             else if (nodeh >= params->tree_height - params->bds_k) {

  258.                 memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((idx >> nodeh) - 3) >> 1)) * params->n, state->stack+(state->stackoffset-1)*params->n, params->n);

  259.             }

  260.         }

  261.         set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);

  262.         set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  263.         hash_h(params, state->stack+(state->stackoffset-2)*params->n, state->stack+(state->stackoffset-2)*params->n, pub_seed, node_addr);

  264. 

  265.         state->stacklevels[state->stackoffset-2]++;

  266.         state->stackoffset--;

  267.     }

  268.     state->next_leaf++;

  269.     return 0;

  270. }

  271. 

  272. /**

  273.  * Returns the auth path for node leaf_idx and computes the auth path for the

  274.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  275.  * in "Post Quantum Cryptography", Springer 2009.

  276.  */

  277. static void bds_round(const xmss_params *params,

  278.                       bds_state *state, const unsigned long leaf_idx,

  279.                       const unsigned char *sk_seed,

  280.                       const unsigned char *pub_seed, uint32_t addr[8])

  281. {

  282.     unsigned int i;

  283.     unsigned int tau = params->tree_height;

  284.     unsigned int startidx;

  285.     unsigned int offset, rowidx;

  286.     unsigned char buf[2 * params->n];

  287. 

  288.     uint32_t ots_addr[8];

  289.     uint32_t ltree_addr[8];

  290.     uint32_t node_addr[8];

  291.     // only copy layer and tree address parts

  292.     memcpy(ots_addr, addr, 12);

  293.     // type = ots

  294.     set_type(ots_addr, 0);

  295.     memcpy(ltree_addr, addr, 12);

  296.     set_type(ltree_addr, 1);

  297.     memcpy(node_addr, addr, 12);

  298.     set_type(node_addr, 2);

  299. 

  300.     for (i = 0; i < params->tree_height; i++) {

  301.         if (! ((leaf_idx >> i) & 1)) {

  302.             tau = i;

  303.             break;

  304.         }

  305.     }

  306. 

  307.     if (tau > 0) {

  308.         memcpy(buf, state->auth + (tau-1) * params->n, params->n);

  309.         // we need to do this before refreshing state->keep to prevent overwriting

  310.         memcpy(buf + params->n, state->keep + ((tau-1) >> 1) * params->n, params->n);

  311.     }

  312.     if (!((leaf_idx >> (tau + 1)) & 1) && (tau < params->tree_height - 1)) {

  313.         memcpy(state->keep + (tau >> 1)*params->n, state->auth + tau*params->n, params->n);

  314.     }

  315.     if (tau == 0) {

  316.         set_ltree_addr(ltree_addr, leaf_idx);

  317.         set_ots_addr(ots_addr, leaf_idx);

  318.         gen_leaf_wots(params, state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);

  319.     }

  320.     else {

  321.         set_tree_height(node_addr, (tau-1));

  322.         set_tree_index(node_addr, leaf_idx >> tau);

  323.         hash_h(params, state->auth + tau * params->n, buf, pub_seed, node_addr);

  324.         for (i = 0; i < tau; i++) {

  325.             if (i < params->tree_height - params->bds_k) {

  326.                 memcpy(state->auth + i * params->n, state->treehash[i].node, params->n);

  327.             }

  328.             else {

  329.                 offset = (1 << (params->tree_height - 1 - i)) + i - params->tree_height;

  330.                 rowidx = ((leaf_idx >> i) - 1) >> 1;

  331.                 memcpy(state->auth + i * params->n, state->retain + (offset + rowidx) * params->n, params->n);

  332.             }

  333.         }

  334. 

  335.         for (i = 0; i < ((tau < params->tree_height - params->bds_k) ? tau : (params->tree_height - params->bds_k)); i++) {

  336.             startidx = leaf_idx + 1 + 3 * (1 << i);

  337.             if (startidx < 1U << params->tree_height) {

  338.                 state->treehash[i].h = i;

  339.                 state->treehash[i].next_idx = startidx;

  340.                 state->treehash[i].completed = 0;

  341.                 state->treehash[i].stackusage = 0;

  342.             }

  343.         }

  344.     }

  345. }

  346. 

  347. /*

  348.  * Generates a XMSS key pair for a given parameter set.

  349.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  350.  * Format pk: [root || PUB_SEED] omitting algo oid.

  351.  */

  352. int xmss_core_keypair(const xmss_params *params,

  353.                       unsigned char *pk, unsigned char *sk, bds_state *state)

  354. {

  355.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  356. 

  357.     // Set idx = 0

  358.     sk[0] = 0;

  359.     sk[1] = 0;

  360.     sk[2] = 0;

  361.     sk[3] = 0;

  362.     // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  363.     randombytes(sk + params->index_len, 3*params->n);

  364.     // Copy PUB_SEED to public key

  365.     memcpy(pk + params->n, sk + params->index_len + 2*params->n, params->n);

  366. 

  367.     // Compute root

  368.     treehash_init(params, pk, params->tree_height, 0, state, sk + params->index_len, sk + params->index_len + 2*params->n, addr);

  369.     // copy root o sk

  370.     memcpy(sk + params->index_len + 3*params->n, pk, params->n);

  371.     return 0;

  372. }

  373. 

  374. /**

  375.  * Signs a message.

  376.  * Returns

  377.  * 1. an array containing the signature followed by the message AND

  378.  * 2. an updated secret key!

  379.  *

  380.  */

  381. int xmss_core_sign(const xmss_params *params,

  382.                    unsigned char *sk, bds_state *state,

  383.                    unsigned char *sm, unsigned long long *smlen,

  384.                    const unsigned char *m, unsigned long long mlen)

  385. {

  386.     uint16_t i = 0;

  387. 

  388.     // Extract SK

  389.     unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  390.     unsigned char sk_seed[params->n];

  391.     memcpy(sk_seed, sk + params->index_len, params->n);

  392.     unsigned char sk_prf[params->n];

  393.     memcpy(sk_prf, sk + params->index_len + params->n, params->n);

  394.     unsigned char pub_seed[params->n];

  395.     memcpy(pub_seed, sk + params->index_len + 2*params->n, params->n);

  396. 

  397.     // index as 32 bytes string

  398.     unsigned char idx_bytes_32[32];

  399.     to_byte(idx_bytes_32, idx, 32);

  400. 

  401.     unsigned char hash_key[3*params->n];

  402. 

  403.     // Update SK

  404.     sk[0] = ((idx + 1) >> 24) & 255;

  405.     sk[1] = ((idx + 1) >> 16) & 255;

  406.     sk[2] = ((idx + 1) >> 8) & 255;

  407.     sk[3] = (idx + 1) & 255;

  408.     // -- Secret key for this non-forward-secure version is now updated.

  409.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  410. 

  411.     // Init working params

  412.     unsigned char R[params->n];

  413.     unsigned char msg_h[params->n];

  414.     unsigned char ots_seed[params->n];

  415.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  416. 

  417.     // ---------------------------------

  418.     // Message Hashing

  419.     // ---------------------------------

  420. 

  421.     // Message Hash:

  422.     // First compute pseudorandom value

  423.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  424.     // Generate hash key (R || root || idx)

  425.     memcpy(hash_key, R, params->n);

  426.     memcpy(hash_key+params->n, sk+4+3*params->n, params->n);

  427.     to_byte(hash_key+2*params->n, idx, params->n);

  428.     // Then use it for message digest

  429.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  430. 

  431.     // Start collecting signature

  432.     *smlen = 0;

  433. 

  434.     // Copy index to signature

  435.     sm[0] = (idx >> 24) & 255;

  436.     sm[1] = (idx >> 16) & 255;

  437.     sm[2] = (idx >> 8) & 255;

  438.     sm[3] = idx & 255;

  439. 

  440.     sm += 4;

  441.     *smlen += 4;

  442. 

  443.     // Copy R to signature

  444.     for (i = 0; i < params->n; i++) {

  445.         sm[i] = R[i];

  446.     }

  447. 

  448.     sm += params->n;

  449.     *smlen += params->n;

  450. 

  451.     // ----------------------------------

  452.     // Now we start to "really sign"

  453.     // ----------------------------------

  454. 

  455.     // Prepare Address

  456.     set_type(ots_addr, 0);

  457.     set_ots_addr(ots_addr, idx);

  458. 

  459.     // Compute seed for OTS key pair

  460.     get_seed(params, ots_seed, sk_seed, ots_addr);

  461. 

  462.     // Compute WOTS signature

  463.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  464. 

  465.     sm += params->wots_keysize;

  466.     *smlen += params->wots_keysize;

  467. 

  468.     // the auth path was already computed during the previous round

  469.     memcpy(sm, state->auth, params->tree_height*params->n);

  470. 

  471.     if (idx < (1U << params->tree_height) - 1) {

  472.         bds_round(params, state, idx, sk_seed, pub_seed, ots_addr);

  473.         bds_treehash_update(params, state, (params->tree_height - params->bds_k) >> 1, sk_seed, pub_seed, ots_addr);

  474.     }

  475. 

  476.     sm += params->tree_height*params->n;

  477.     *smlen += params->tree_height*params->n;

  478. 

  479.     memcpy(sm, m, mlen);

  480.     *smlen += mlen;

  481. 

  482.     return 0;

  483. }

  484. 

  485. /*

  486.  * Generates a XMSSMT key pair for a given parameter set.

  487.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  488.  * Format pk: [root || PUB_SEED] omitting algo oid.

  489.  */

  490. int xmssmt_core_keypair(const xmss_params *params,

  491.                         unsigned char *pk, unsigned char *sk,

  492.                         bds_state *states, unsigned char *wots_sigs)

  493. {

  494.     unsigned char ots_seed[params->n];

  495.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  496.     unsigned int i;

  497. 

  498.     // Set idx = 0

  499.     for (i = 0; i < params->index_len; i++) {

  500.         sk[i] = 0;

  501.     }

  502.     // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)

  503.     randombytes(sk+params->index_len, 3*params->n);

  504.     // Copy PUB_SEED to public key

  505.     memcpy(pk+params->n, sk+params->index_len+2*params->n, params->n);

  506. 

  507.     // Start with the bottom-most layer

  508.     set_layer_addr(addr, 0);

  509.     // Set up state and compute wots signatures for all but topmost tree root

  510.     for (i = 0; i < params->d - 1; i++) {

  511.         // Compute seed for OTS key pair

  512.         treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);

  513.         set_layer_addr(addr, (i+1));

  514.         get_seed(params, ots_seed, sk + params->index_len, addr);

  515.         wots_sign(params, wots_sigs + i*params->wots_keysize, pk, ots_seed, pk+params->n, addr);

  516.     }

  517.     // Address now points to the single tree on layer d-1

  518.     treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);

  519.     memcpy(sk + params->index_len + 3*params->n, pk, params->n);

  520.     return 0;

  521. }

  522. 

  523. /**

  524.  * Signs a message.

  525.  * Returns

  526.  * 1. an array containing the signature followed by the message AND

  527.  * 2. an updated secret key!

  528.  *

  529.  */

  530. int xmssmt_core_sign(const xmss_params *params,

  531.                      unsigned char *sk,

  532.                      bds_state *states, unsigned char *wots_sigs,

  533.                      unsigned char *sm, unsigned long long *smlen,

  534.                      const unsigned char *m, unsigned long long mlen)

  535. {

  536.     uint64_t idx_tree;

  537.     uint32_t idx_leaf;

  538.     uint64_t i, j;

  539.     int needswap_upto = -1;

  540.     unsigned int updates;

  541. 

  542.     unsigned char sk_seed[params->n];

  543.     unsigned char sk_prf[params->n];

  544.     unsigned char pub_seed[params->n];

  545.     // Init working params

  546.     unsigned char R[params->n];

  547.     unsigned char msg_h[params->n];

  548.     unsigned char hash_key[3*params->n];

  549.     unsigned char ots_seed[params->n];

  550.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  551.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  552.     unsigned char idx_bytes_32[32];

  553.     bds_state tmp;

  554. 

  555.     // Extract SK

  556.     unsigned long long idx = 0;

  557.     for (i = 0; i < params->index_len; i++) {

  558.         idx |= ((unsigned long long)sk[i]) << 8*(params->index_len - 1 - i);

  559.     }

  560. 

  561.     memcpy(sk_seed, sk+params->index_len, params->n);

  562.     memcpy(sk_prf, sk+params->index_len+params->n, params->n);

  563.     memcpy(pub_seed, sk+params->index_len+2*params->n, params->n);

  564. 

  565.     // Update SK

  566.     for (i = 0; i < params->index_len; i++) {

  567.         sk[i] = ((idx + 1) >> 8*(params->index_len - 1 - i)) & 255;

  568.     }

  569.     // -- Secret key for this non-forward-secure version is now updated.

  570.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  571. 

  572. 

  573.     // ---------------------------------

  574.     // Message Hashing

  575.     // ---------------------------------

  576. 

  577.     // Message Hash:

  578.     // First compute pseudorandom value

  579.     to_byte(idx_bytes_32, idx, 32);

  580.     prf(params, R, idx_bytes_32, sk_prf, params->n);

  581.     // Generate hash key (R || root || idx)

  582.     memcpy(hash_key, R, params->n);

  583.     memcpy(hash_key+params->n, sk+params->index_len+3*params->n, params->n);

  584.     to_byte(hash_key+2*params->n, idx, params->n);

  585. 

  586.     // Then use it for message digest

  587.     h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);

  588. 

  589.     // Start collecting signature

  590.     *smlen = 0;

  591. 

  592.     // Copy index to signature

  593.     for (i = 0; i < params->index_len; i++) {

  594.         sm[i] = (idx >> 8*(params->index_len - 1 - i)) & 255;

  595.     }

  596. 

  597.     sm += params->index_len;

  598.     *smlen += params->index_len;

  599. 

  600.     // Copy R to signature

  601.     for (i = 0; i < params->n; i++) {

  602.         sm[i] = R[i];

  603.     }

  604. 

  605.     sm += params->n;

  606.     *smlen += params->n;

  607. 

  608.     // ----------------------------------

  609.     // Now we start to "really sign"

  610.     // ----------------------------------

  611. 

  612.     // Handle lowest layer separately as it is slightly different...

  613. 

  614.     // Prepare Address

  615.     set_type(ots_addr, 0);

  616.     idx_tree = idx >> params->tree_height;

  617.     idx_leaf = (idx & ((1 << params->tree_height)-1));

  618.     set_layer_addr(ots_addr, 0);

  619.     set_tree_addr(ots_addr, idx_tree);

  620.     set_ots_addr(ots_addr, idx_leaf);

  621. 

  622.     // Compute seed for OTS key pair

  623.     get_seed(params, ots_seed, sk_seed, ots_addr);

  624. 

  625.     // Compute WOTS signature

  626.     wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);

  627. 

  628.     sm += params->wots_keysize;

  629.     *smlen += params->wots_keysize;

  630. 

  631.     memcpy(sm, states[0].auth, params->tree_height*params->n);

  632.     sm += params->tree_height*params->n;

  633.     *smlen += params->tree_height*params->n;

  634. 

  635.     // prepare signature of remaining layers

  636.     for (i = 1; i < params->d; i++) {

  637.         // put WOTS signature in place

  638.         memcpy(sm, wots_sigs + (i-1)*params->wots_keysize, params->wots_keysize);

  639. 

  640.         sm += params->wots_keysize;

  641.         *smlen += params->wots_keysize;

  642. 

  643.         // put AUTH nodes in place

  644.         memcpy(sm, states[i].auth, params->tree_height*params->n);

  645.         sm += params->tree_height*params->n;

  646.         *smlen += params->tree_height*params->n;

  647.     }

  648. 

  649.     updates = (params->tree_height - params->bds_k) >> 1;

  650. 

  651.     set_tree_addr(addr, (idx_tree + 1));

  652.     // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  653.     if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << params->full_height)) {

  654.         bds_state_update(params, &states[params->d], sk_seed, pub_seed, addr);

  655.     }

  656. 

  657.     for (i = 0; i < params->d; i++) {

  658.         // check if we're not at the end of a tree

  659.         if (! (((idx + 1) & ((1ULL << ((i+1)*params->tree_height)) - 1)) == 0)) {

  660.             idx_leaf = (idx >> (params->tree_height * i)) & ((1 << params->tree_height)-1);

  661.             idx_tree = (idx >> (params->tree_height * (i+1)));

  662.             set_layer_addr(addr, i);

  663.             set_tree_addr(addr, idx_tree);

  664.             if (i == (unsigned int) (needswap_upto + 1)) {

  665.                 bds_round(params, &states[i], idx_leaf, sk_seed, pub_seed, addr);

  666.             }

  667.             updates = bds_treehash_update(params, &states[i], updates, sk_seed, pub_seed, addr);

  668.             set_tree_addr(addr, (idx_tree + 1));

  669.             // if a NEXT-tree exists for this level;

  670.             if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << (params->full_height - params->tree_height * i))) {

  671.                 if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << params->full_height)) {

  672.                     bds_state_update(params, &states[params->d + i], sk_seed, pub_seed, addr);

  673.                     updates--;

  674.                 }

  675.             }

  676.         }

  677.         else if (idx < (1ULL << params->full_height) - 1) {

  678.             memcpy(&tmp, states+params->d + i, sizeof(bds_state));

  679.             memcpy(states+params->d + i, states + i, sizeof(bds_state));

  680.             memcpy(states + i, &tmp, sizeof(bds_state));

  681. 

  682.             set_layer_addr(ots_addr, (i+1));

  683.             set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * params->tree_height)));

  684.             set_ots_addr(ots_addr, (((idx >> ((i+1) * params->tree_height)) + 1) & ((1 << params->tree_height)-1)));

  685. 

  686.             get_seed(params, ots_seed, sk+params->index_len, ots_addr);

  687.             wots_sign(params, wots_sigs + i*params->wots_keysize, states[i].stack, ots_seed, pub_seed, ots_addr);

  688. 

  689.             states[params->d + i].stackoffset = 0;

  690.             states[params->d + i].next_leaf = 0;

  691. 

  692.             updates--; // WOTS-signing counts as one update

  693.             needswap_upto = i;

  694.             for (j = 0; j < params->tree_height-params->bds_k; j++) {

  695.                 states[i].treehash[j].completed = 1;

  696.             }

  697.         }

  698.     }

  699. 

  700.     memcpy(sm, m, mlen);

  701.     *smlen += mlen;

  702. 

  703.     return 0;

  704. }