kris
/
xmss-KAT-generator
1
0
Förgrening 0
Kod Ärenden 0 Pull-förfrågningar 0 Släpp 0 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
58 Incheckningar
1 Gren
488 KiB
 
 
Träd: 9d5884e120
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '9d5884e120'
${ noResults }
xmss-KAT-generator/xmss_core_fast.c

702 rader
24 KiB
Blame Historik 

  1. /*

  2. xmss_fast.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. 

  12. #include "hash.h"

  13. #include "hash_address.h"

  14. #include "params.h"

  15. #include "randombytes.h"

  16. #include "wots.h"

  17. #include "xmss_commons.h"

  18. #include "xmss_core_fast.h"

  19. 

  20. /**

  21.  * Initialize BDS state struct

  22.  * parameter names are the same as used in the description of the BDS traversal

  23.  */

  24. void xmss_set_bds_state(bds_state *state, unsigned char *stack,

  25.                         int stackoffset, unsigned char *stacklevels,

  26.                         unsigned char *auth, unsigned char *keep,

  27.                         treehash_inst *treehash, unsigned char *retain,

  28.                         int next_leaf)

  29. {

  30.     state->stack = stack;

  31.     state->stackoffset = stackoffset;

  32.     state->stacklevels = stacklevels;

  33.     state->auth = auth;

  34.     state->keep = keep;

  35.     state->treehash = treehash;

  36.     state->retain = retain;

  37.     state->next_leaf = next_leaf;

  38. }

  39. 

  40. static int treehash_minheight_on_stack(bds_state* state,

  41.                                        const treehash_inst *treehash)

  42. {

  43.     unsigned int r = XMSS_TREEHEIGHT, i;

  44. 

  45.     for (i = 0; i < treehash->stackusage; i++) {

  46.         if (state->stacklevels[state->stackoffset - i - 1] < r) {

  47.             r = state->stacklevels[state->stackoffset - i - 1];

  48.         }

  49.     }

  50.     return r;

  51. }

  52. 

  53. /**

  54.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  55.  * Currently only used for key generation.

  56.  *

  57.  */

  58. static void treehash_init(unsigned char *node, int height, int index,

  59.                           bds_state *state, const unsigned char *sk_seed,

  60.                           const unsigned char *pub_seed, const uint32_t addr[8])

  61. {

  62.     unsigned int idx = index;

  63.     // use three different addresses because at this point we use all three formats in parallel

  64.     uint32_t ots_addr[8];

  65.     uint32_t ltree_addr[8];

  66.     uint32_t node_addr[8];

  67.     // only copy layer and tree address parts

  68.     memcpy(ots_addr, addr, 12);

  69.     // type = ots

  70.     set_type(ots_addr, 0);

  71.     memcpy(ltree_addr, addr, 12);

  72.     set_type(ltree_addr, 1);

  73.     memcpy(node_addr, addr, 12);

  74.     set_type(node_addr, 2);

  75. 

  76.     uint32_t lastnode, i;

  77.     unsigned char stack[(height+1)*XMSS_N];

  78.     unsigned int stacklevels[height+1];

  79.     unsigned int stackoffset=0;

  80.     unsigned int nodeh;

  81. 

  82.     lastnode = idx+(1<<height);

  83. 

  84.     for (i = 0; i < XMSS_TREEHEIGHT-XMSS_BDS_K; i++) {

  85.         state->treehash[i].h = i;

  86.         state->treehash[i].completed = 1;

  87.         state->treehash[i].stackusage = 0;

  88.     }

  89. 

  90.     i = 0;

  91.     for (; idx < lastnode; idx++) {

  92.         set_ltree_addr(ltree_addr, idx);

  93.         set_ots_addr(ots_addr, idx);

  94.         gen_leaf_wots(stack+stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);

  95.         stacklevels[stackoffset] = 0;

  96.         stackoffset++;

  97.         if (XMSS_TREEHEIGHT - XMSS_BDS_K > 0 && i == 3) {

  98.             memcpy(state->treehash[0].node, stack+stackoffset*XMSS_N, XMSS_N);

  99.         }

  100.         while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  101.             nodeh = stacklevels[stackoffset-1];

  102.             if (i >> nodeh == 1) {

  103.                 memcpy(state->auth + nodeh*XMSS_N, stack+(stackoffset-1)*XMSS_N, XMSS_N);

  104.             }

  105.             else {

  106.                 if (nodeh < XMSS_TREEHEIGHT - XMSS_BDS_K && i >> nodeh == 3) {

  107.                     memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*XMSS_N, XMSS_N);

  108.                 }

  109.                 else if (nodeh >= XMSS_TREEHEIGHT - XMSS_BDS_K) {

  110.                     memcpy(state->retain + ((1 << (XMSS_TREEHEIGHT - 1 - nodeh)) + nodeh - XMSS_TREEHEIGHT + (((i >> nodeh) - 3) >> 1)) * XMSS_N, stack+(stackoffset-1)*XMSS_N, XMSS_N);

  111.                 }

  112.             }

  113.             set_tree_height(node_addr, stacklevels[stackoffset-1]);

  114.             set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  115.             hash_h(stack+(stackoffset-2)*XMSS_N, stack+(stackoffset-2)*XMSS_N, pub_seed, node_addr);

  116.             stacklevels[stackoffset-2]++;

  117.             stackoffset--;

  118.         }

  119.         i++;

  120.     }

  121. 

  122.     for (i = 0; i < XMSS_N; i++) {

  123.         node[i] = stack[i];

  124.     }

  125. }

  126. 

  127. static void treehash_update(treehash_inst *treehash, bds_state *state,

  128.                             const unsigned char *sk_seed,

  129.                             const unsigned char *pub_seed,

  130.                             const uint32_t addr[8])

  131. {

  132.     uint32_t ots_addr[8];

  133.     uint32_t ltree_addr[8];

  134.     uint32_t node_addr[8];

  135.     // only copy layer and tree address parts

  136.     memcpy(ots_addr, addr, 12);

  137.     // type = ots

  138.     set_type(ots_addr, 0);

  139.     memcpy(ltree_addr, addr, 12);

  140.     set_type(ltree_addr, 1);

  141.     memcpy(node_addr, addr, 12);

  142.     set_type(node_addr, 2);

  143. 

  144.     set_ltree_addr(ltree_addr, treehash->next_idx);

  145.     set_ots_addr(ots_addr, treehash->next_idx);

  146. 

  147.     unsigned char nodebuffer[2 * XMSS_N];

  148.     unsigned int nodeheight = 0;

  149.     gen_leaf_wots(nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);

  150.     while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  151.         memcpy(nodebuffer + XMSS_N, nodebuffer, XMSS_N);

  152.         memcpy(nodebuffer, state->stack + (state->stackoffset-1)*XMSS_N, XMSS_N);

  153.         set_tree_height(node_addr, nodeheight);

  154.         set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));

  155.         hash_h(nodebuffer, nodebuffer, pub_seed, node_addr);

  156.         nodeheight++;

  157.         treehash->stackusage--;

  158.         state->stackoffset--;

  159.     }

  160.     if (nodeheight == treehash->h) { // this also implies stackusage == 0

  161.         memcpy(treehash->node, nodebuffer, XMSS_N);

  162.         treehash->completed = 1;

  163.     }

  164.     else {

  165.         memcpy(state->stack + state->stackoffset*XMSS_N, nodebuffer, XMSS_N);

  166.         treehash->stackusage++;

  167.         state->stacklevels[state->stackoffset] = nodeheight;

  168.         state->stackoffset++;

  169.         treehash->next_idx++;

  170.     }

  171. }

  172. 

  173. /**

  174.  * Performs one treehash update on the instance that needs it the most.

  175.  * Returns 1 if such an instance was not found

  176.  **/

  177. static char bds_treehash_update(bds_state *state, unsigned int updates,

  178.                                 const unsigned char *sk_seed,

  179.                                 unsigned char *pub_seed,

  180.                                 const uint32_t addr[8])

  181. {

  182.     uint32_t i, j;

  183.     unsigned int level, l_min, low;

  184.     unsigned int used = 0;

  185. 

  186.     for (j = 0; j < updates; j++) {

  187.         l_min = XMSS_TREEHEIGHT;

  188.         level = XMSS_TREEHEIGHT - XMSS_BDS_K;

  189.         for (i = 0; i < XMSS_TREEHEIGHT - XMSS_BDS_K; i++) {

  190.             if (state->treehash[i].completed) {

  191.                 low = XMSS_TREEHEIGHT;

  192.             }

  193.             else if (state->treehash[i].stackusage == 0) {

  194.                 low = i;

  195.             }

  196.             else {

  197.                 low = treehash_minheight_on_stack(state, &(state->treehash[i]));

  198.             }

  199.             if (low < l_min) {

  200.                 level = i;

  201.                 l_min = low;

  202.             }

  203.         }

  204.         if (level == XMSS_TREEHEIGHT - XMSS_BDS_K) {

  205.             break;

  206.         }

  207.         treehash_update(&(state->treehash[level]), state, sk_seed, pub_seed, addr);

  208.         used++;

  209.     }

  210.     return updates - used;

  211. }

  212. 

  213. /**

  214.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  215.  * Returns 1 if all leaf nodes have already been processed

  216.  **/

  217. static char bds_state_update(bds_state *state, const unsigned char *sk_seed,

  218.                              const unsigned char *pub_seed,

  219.                              const uint32_t addr[8])

  220. {

  221.     uint32_t ltree_addr[8];

  222.     uint32_t node_addr[8];

  223.     uint32_t ots_addr[8];

  224. 

  225.     int nodeh;

  226.     int idx = state->next_leaf;

  227.     if (idx == 1 << XMSS_TREEHEIGHT) {

  228.         return 1;

  229.     }

  230. 

  231.     // only copy layer and tree address parts

  232.     memcpy(ots_addr, addr, 12);

  233.     // type = ots

  234.     set_type(ots_addr, 0);

  235.     memcpy(ltree_addr, addr, 12);

  236.     set_type(ltree_addr, 1);

  237.     memcpy(node_addr, addr, 12);

  238.     set_type(node_addr, 2);

  239. 

  240.     set_ots_addr(ots_addr, idx);

  241.     set_ltree_addr(ltree_addr, idx);

  242. 

  243.     gen_leaf_wots(state->stack+state->stackoffset*XMSS_N, sk_seed, pub_seed, ltree_addr, ots_addr);

  244. 

  245.     state->stacklevels[state->stackoffset] = 0;

  246.     state->stackoffset++;

  247.     if (XMSS_TREEHEIGHT - XMSS_BDS_K > 0 && idx == 3) {

  248.         memcpy(state->treehash[0].node, state->stack+state->stackoffset*XMSS_N, XMSS_N);

  249.     }

  250.     while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  251.         nodeh = state->stacklevels[state->stackoffset-1];

  252.         if (idx >> nodeh == 1) {

  253.             memcpy(state->auth + nodeh*XMSS_N, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);

  254.         }

  255.         else {

  256.             if (nodeh < XMSS_TREEHEIGHT - XMSS_BDS_K && idx >> nodeh == 3) {

  257.                 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);

  258.             }

  259.             else if (nodeh >= XMSS_TREEHEIGHT - XMSS_BDS_K) {

  260.                 memcpy(state->retain + ((1 << (XMSS_TREEHEIGHT - 1 - nodeh)) + nodeh - XMSS_TREEHEIGHT + (((idx >> nodeh) - 3) >> 1)) * XMSS_N, state->stack+(state->stackoffset-1)*XMSS_N, XMSS_N);

  261.             }

  262.         }

  263.         set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);

  264.         set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  265.         hash_h(state->stack+(state->stackoffset-2)*XMSS_N, state->stack+(state->stackoffset-2)*XMSS_N, pub_seed, node_addr);

  266. 

  267.         state->stacklevels[state->stackoffset-2]++;

  268.         state->stackoffset--;

  269.     }

  270.     state->next_leaf++;

  271.     return 0;

  272. }

  273. 

  274. /**

  275.  * Returns the auth path for node leaf_idx and computes the auth path for the

  276.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  277.  * in "Post Quantum Cryptography", Springer 2009.

  278.  */

  279. static void bds_round(bds_state *state, const unsigned long leaf_idx,

  280.                       const unsigned char *sk_seed,

  281.                       const unsigned char *pub_seed, uint32_t addr[8])

  282. {

  283.     unsigned int i;

  284.     unsigned int tau = XMSS_TREEHEIGHT;

  285.     unsigned int startidx;

  286.     unsigned int offset, rowidx;

  287.     unsigned char buf[2 * XMSS_N];

  288. 

  289.     uint32_t ots_addr[8];

  290.     uint32_t ltree_addr[8];

  291.     uint32_t node_addr[8];

  292.     // only copy layer and tree address parts

  293.     memcpy(ots_addr, addr, 12);

  294.     // type = ots

  295.     set_type(ots_addr, 0);

  296.     memcpy(ltree_addr, addr, 12);

  297.     set_type(ltree_addr, 1);

  298.     memcpy(node_addr, addr, 12);

  299.     set_type(node_addr, 2);

  300. 

  301.     for (i = 0; i < XMSS_TREEHEIGHT; i++) {

  302.         if (! ((leaf_idx >> i) & 1)) {

  303.             tau = i;

  304.             break;

  305.         }

  306.     }

  307. 

  308.     if (tau > 0) {

  309.         memcpy(buf, state->auth + (tau-1) * XMSS_N, XMSS_N);

  310.         // we need to do this before refreshing state->keep to prevent overwriting

  311.         memcpy(buf + XMSS_N, state->keep + ((tau-1) >> 1) * XMSS_N, XMSS_N);

  312.     }

  313.     if (!((leaf_idx >> (tau + 1)) & 1) && (tau < XMSS_TREEHEIGHT - 1)) {

  314.         memcpy(state->keep + (tau >> 1)*XMSS_N, state->auth + tau*XMSS_N, XMSS_N);

  315.     }

  316.     if (tau == 0) {

  317.         set_ltree_addr(ltree_addr, leaf_idx);

  318.         set_ots_addr(ots_addr, leaf_idx);

  319.         gen_leaf_wots(state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);

  320.     }

  321.     else {

  322.         set_tree_height(node_addr, (tau-1));

  323.         set_tree_index(node_addr, leaf_idx >> tau);

  324.         hash_h(state->auth + tau * XMSS_N, buf, pub_seed, node_addr);

  325.         for (i = 0; i < tau; i++) {

  326.             if (i < XMSS_TREEHEIGHT - XMSS_BDS_K) {

  327.                 memcpy(state->auth + i * XMSS_N, state->treehash[i].node, XMSS_N);

  328.             }

  329.             else {

  330.                 offset = (1 << (XMSS_TREEHEIGHT - 1 - i)) + i - XMSS_TREEHEIGHT;

  331.                 rowidx = ((leaf_idx >> i) - 1) >> 1;

  332.                 memcpy(state->auth + i * XMSS_N, state->retain + (offset + rowidx) * XMSS_N, XMSS_N);

  333.             }

  334.         }

  335. 

  336.         for (i = 0; i < ((tau < XMSS_TREEHEIGHT - XMSS_BDS_K) ? tau : (XMSS_TREEHEIGHT - XMSS_BDS_K)); i++) {

  337.             startidx = leaf_idx + 1 + 3 * (1 << i);

  338.             if (startidx < 1U << XMSS_TREEHEIGHT) {

  339.                 state->treehash[i].h = i;

  340.                 state->treehash[i].next_idx = startidx;

  341.                 state->treehash[i].completed = 0;

  342.                 state->treehash[i].stackusage = 0;

  343.             }

  344.         }

  345.     }

  346. }

  347. 

  348. /*

  349.  * Generates a XMSS key pair for a given parameter set.

  350.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  351.  * Format pk: [root || PUB_SEED] omitting algo oid.

  352.  */

  353. int xmss_core_keypair(unsigned char *pk, unsigned char *sk, bds_state *state)

  354. {

  355.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  356. 

  357.     // Set idx = 0

  358.     sk[0] = 0;

  359.     sk[1] = 0;

  360.     sk[2] = 0;

  361.     sk[3] = 0;

  362.     // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  363.     randombytes(sk + XMSS_INDEX_LEN, 3*XMSS_N);

  364.     // Copy PUB_SEED to public key

  365.     memcpy(pk + XMSS_N, sk + XMSS_INDEX_LEN + 2*XMSS_N, XMSS_N);

  366. 

  367.     // Compute root

  368.     treehash_init(pk, XMSS_TREEHEIGHT, 0, state, sk + XMSS_INDEX_LEN, sk + XMSS_INDEX_LEN + 2*XMSS_N, addr);

  369.     // copy root o sk

  370.     memcpy(sk + XMSS_INDEX_LEN + 3*XMSS_N, pk, XMSS_N);

  371.     return 0;

  372. }

  373. 

  374. /**

  375.  * Signs a message.

  376.  * Returns

  377.  * 1. an array containing the signature followed by the message AND

  378.  * 2. an updated secret key!

  379.  *

  380.  */

  381. int xmss_core_sign(unsigned char *sk, bds_state *state,

  382.                    unsigned char *sm, unsigned long long *smlen,

  383.                    const unsigned char *m, unsigned long long mlen)

  384. {

  385.     uint16_t i = 0;

  386. 

  387.     // Extract SK

  388.     unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  389.     unsigned char sk_seed[XMSS_N];

  390.     memcpy(sk_seed, sk + XMSS_INDEX_LEN, XMSS_N);

  391.     unsigned char sk_prf[XMSS_N];

  392.     memcpy(sk_prf, sk + XMSS_INDEX_LEN + XMSS_N, XMSS_N);

  393.     unsigned char pub_seed[XMSS_N];

  394.     memcpy(pub_seed, sk + XMSS_INDEX_LEN + 2*XMSS_N, XMSS_N);

  395. 

  396.     // index as 32 bytes string

  397.     unsigned char idx_bytes_32[32];

  398.     to_byte(idx_bytes_32, idx, 32);

  399. 

  400.     unsigned char hash_key[3*XMSS_N];

  401. 

  402.     // Update SK

  403.     sk[0] = ((idx + 1) >> 24) & 255;

  404.     sk[1] = ((idx + 1) >> 16) & 255;

  405.     sk[2] = ((idx + 1) >> 8) & 255;

  406.     sk[3] = (idx + 1) & 255;

  407.     // -- Secret key for this non-forward-secure version is now updated.

  408.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  409. 

  410.     // Init working params

  411.     unsigned char R[XMSS_N];

  412.     unsigned char msg_h[XMSS_N];

  413.     unsigned char ots_seed[XMSS_N];

  414.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  415. 

  416.     // ---------------------------------

  417.     // Message Hashing

  418.     // ---------------------------------

  419. 

  420.     // Message Hash:

  421.     // First compute pseudorandom value

  422.     prf(R, idx_bytes_32, sk_prf, XMSS_N);

  423.     // Generate hash key (R || root || idx)

  424.     memcpy(hash_key, R, XMSS_N);

  425.     memcpy(hash_key+XMSS_N, sk+4+3*XMSS_N, XMSS_N);

  426.     to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  427.     // Then use it for message digest

  428.     h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);

  429. 

  430.     // Start collecting signature

  431.     *smlen = 0;

  432. 

  433.     // Copy index to signature

  434.     sm[0] = (idx >> 24) & 255;

  435.     sm[1] = (idx >> 16) & 255;

  436.     sm[2] = (idx >> 8) & 255;

  437.     sm[3] = idx & 255;

  438. 

  439.     sm += 4;

  440.     *smlen += 4;

  441. 

  442.     // Copy R to signature

  443.     for (i = 0; i < XMSS_N; i++) {

  444.         sm[i] = R[i];

  445.     }

  446. 

  447.     sm += XMSS_N;

  448.     *smlen += XMSS_N;

  449. 

  450.     // ----------------------------------

  451.     // Now we start to "really sign"

  452.     // ----------------------------------

  453. 

  454.     // Prepare Address

  455.     set_type(ots_addr, 0);

  456.     set_ots_addr(ots_addr, idx);

  457. 

  458.     // Compute seed for OTS key pair

  459.     get_seed(ots_seed, sk_seed, ots_addr);

  460. 

  461.     // Compute WOTS signature

  462.     wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);

  463. 

  464.     sm += XMSS_WOTS_KEYSIZE;

  465.     *smlen += XMSS_WOTS_KEYSIZE;

  466. 

  467.     // the auth path was already computed during the previous round

  468.     memcpy(sm, state->auth, XMSS_TREEHEIGHT*XMSS_N);

  469. 

  470.     if (idx < (1U << XMSS_TREEHEIGHT) - 1) {

  471.         bds_round(state, idx, sk_seed, pub_seed, ots_addr);

  472.         bds_treehash_update(state, (XMSS_TREEHEIGHT - XMSS_BDS_K) >> 1, sk_seed, pub_seed, ots_addr);

  473.     }

  474. 

  475.     sm += XMSS_TREEHEIGHT*XMSS_N;

  476.     *smlen += XMSS_TREEHEIGHT*XMSS_N;

  477. 

  478.     memcpy(sm, m, mlen);

  479.     *smlen += mlen;

  480. 

  481.     return 0;

  482. }

  483. 

  484. /*

  485.  * Generates a XMSSMT key pair for a given parameter set.

  486.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  487.  * Format pk: [root || PUB_SEED] omitting algo oid.

  488.  */

  489. int xmssmt_core_keypair(unsigned char *pk, unsigned char *sk,

  490.                         bds_state *states, unsigned char *wots_sigs)

  491. {

  492.     unsigned char ots_seed[XMSS_N];

  493.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  494.     int i;

  495. 

  496.     // Set idx = 0

  497.     for (i = 0; i < XMSS_INDEX_LEN; i++) {

  498.         sk[i] = 0;

  499.     }

  500.     // Init SK_SEED (XMSS_N byte), SK_PRF (XMSS_N byte), and PUB_SEED (XMSS_N byte)

  501.     randombytes(sk+XMSS_INDEX_LEN, 3*XMSS_N);

  502.     // Copy PUB_SEED to public key

  503.     memcpy(pk+XMSS_N, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  504. 

  505.     // Start with the bottom-most layer

  506.     set_layer_addr(addr, 0);

  507.     // Set up state and compute wots signatures for all but topmost tree root

  508.     for (i = 0; i < XMSS_D - 1; i++) {

  509.         // Compute seed for OTS key pair

  510.         treehash_init(pk, XMSS_TREEHEIGHT, 0, states + i, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);

  511.         set_layer_addr(addr, (i+1));

  512.         get_seed(ots_seed, sk + XMSS_INDEX_LEN, addr);

  513.         wots_sign(wots_sigs + i*XMSS_WOTS_KEYSIZE, pk, ots_seed, pk+XMSS_N, addr);

  514.     }

  515.     // Address now points to the single tree on layer d-1

  516.     treehash_init(pk, XMSS_TREEHEIGHT, 0, states + i, sk+XMSS_INDEX_LEN, pk+XMSS_N, addr);

  517.     memcpy(sk + XMSS_INDEX_LEN + 3*XMSS_N, pk, XMSS_N);

  518.     return 0;

  519. }

  520. 

  521. /**

  522.  * Signs a message.

  523.  * Returns

  524.  * 1. an array containing the signature followed by the message AND

  525.  * 2. an updated secret key!

  526.  *

  527.  */

  528. int xmssmt_core_sign(unsigned char *sk,

  529.                      bds_state *states, unsigned char *wots_sigs,

  530.                      unsigned char *sm, unsigned long long *smlen,

  531.                      const unsigned char *m, unsigned long long mlen)

  532. {

  533.     uint64_t idx_tree;

  534.     uint32_t idx_leaf;

  535.     uint64_t i, j;

  536.     int needswap_upto = -1;

  537.     unsigned int updates;

  538. 

  539.     unsigned char sk_seed[XMSS_N];

  540.     unsigned char sk_prf[XMSS_N];

  541.     unsigned char pub_seed[XMSS_N];

  542.     // Init working params

  543.     unsigned char R[XMSS_N];

  544.     unsigned char msg_h[XMSS_N];

  545.     unsigned char hash_key[3*XMSS_N];

  546.     unsigned char ots_seed[XMSS_N];

  547.     uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  548.     uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  549.     unsigned char idx_bytes_32[32];

  550.     bds_state tmp;

  551. 

  552.     // Extract SK

  553.     unsigned long long idx = 0;

  554.     for (i = 0; i < XMSS_INDEX_LEN; i++) {

  555.         idx |= ((unsigned long long)sk[i]) << 8*(XMSS_INDEX_LEN - 1 - i);

  556.     }

  557. 

  558.     memcpy(sk_seed, sk+XMSS_INDEX_LEN, XMSS_N);

  559.     memcpy(sk_prf, sk+XMSS_INDEX_LEN+XMSS_N, XMSS_N);

  560.     memcpy(pub_seed, sk+XMSS_INDEX_LEN+2*XMSS_N, XMSS_N);

  561. 

  562.     // Update SK

  563.     for (i = 0; i < XMSS_INDEX_LEN; i++) {

  564.         sk[i] = ((idx + 1) >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  565.     }

  566.     // -- Secret key for this non-forward-secure version is now updated.

  567.     // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  568. 

  569. 

  570.     // ---------------------------------

  571.     // Message Hashing

  572.     // ---------------------------------

  573. 

  574.     // Message Hash:

  575.     // First compute pseudorandom value

  576.     to_byte(idx_bytes_32, idx, 32);

  577.     prf(R, idx_bytes_32, sk_prf, XMSS_N);

  578.     // Generate hash key (R || root || idx)

  579.     memcpy(hash_key, R, XMSS_N);

  580.     memcpy(hash_key+XMSS_N, sk+XMSS_INDEX_LEN+3*XMSS_N, XMSS_N);

  581.     to_byte(hash_key+2*XMSS_N, idx, XMSS_N);

  582. 

  583.     // Then use it for message digest

  584.     h_msg(msg_h, m, mlen, hash_key, 3*XMSS_N);

  585. 

  586.     // Start collecting signature

  587.     *smlen = 0;

  588. 

  589.     // Copy index to signature

  590.     for (i = 0; i < XMSS_INDEX_LEN; i++) {

  591.         sm[i] = (idx >> 8*(XMSS_INDEX_LEN - 1 - i)) & 255;

  592.     }

  593. 

  594.     sm += XMSS_INDEX_LEN;

  595.     *smlen += XMSS_INDEX_LEN;

  596. 

  597.     // Copy R to signature

  598.     for (i = 0; i < XMSS_N; i++) {

  599.         sm[i] = R[i];

  600.     }

  601. 

  602.     sm += XMSS_N;

  603.     *smlen += XMSS_N;

  604. 

  605.     // ----------------------------------

  606.     // Now we start to "really sign"

  607.     // ----------------------------------

  608. 

  609.     // Handle lowest layer separately as it is slightly different...

  610. 

  611.     // Prepare Address

  612.     set_type(ots_addr, 0);

  613.     idx_tree = idx >> XMSS_TREEHEIGHT;

  614.     idx_leaf = (idx & ((1 << XMSS_TREEHEIGHT)-1));

  615.     set_layer_addr(ots_addr, 0);

  616.     set_tree_addr(ots_addr, idx_tree);

  617.     set_ots_addr(ots_addr, idx_leaf);

  618. 

  619.     // Compute seed for OTS key pair

  620.     get_seed(ots_seed, sk_seed, ots_addr);

  621. 

  622.     // Compute WOTS signature

  623.     wots_sign(sm, msg_h, ots_seed, pub_seed, ots_addr);

  624. 

  625.     sm += XMSS_WOTS_KEYSIZE;

  626.     *smlen += XMSS_WOTS_KEYSIZE;

  627. 

  628.     memcpy(sm, states[0].auth, XMSS_TREEHEIGHT*XMSS_N);

  629.     sm += XMSS_TREEHEIGHT*XMSS_N;

  630.     *smlen += XMSS_TREEHEIGHT*XMSS_N;

  631. 

  632.     // prepare signature of remaining layers

  633.     for (i = 1; i < XMSS_D; i++) {

  634.         // put WOTS signature in place

  635.         memcpy(sm, wots_sigs + (i-1)*XMSS_WOTS_KEYSIZE, XMSS_WOTS_KEYSIZE);

  636. 

  637.         sm += XMSS_WOTS_KEYSIZE;

  638.         *smlen += XMSS_WOTS_KEYSIZE;

  639. 

  640.         // put AUTH nodes in place

  641.         memcpy(sm, states[i].auth, XMSS_TREEHEIGHT*XMSS_N);

  642.         sm += XMSS_TREEHEIGHT*XMSS_N;

  643.         *smlen += XMSS_TREEHEIGHT*XMSS_N;

  644.     }

  645. 

  646.     updates = (XMSS_TREEHEIGHT - XMSS_BDS_K) >> 1;

  647. 

  648.     set_tree_addr(addr, (idx_tree + 1));

  649.     // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  650.     if ((1 + idx_tree) * (1 << XMSS_TREEHEIGHT) + idx_leaf < (1ULL << XMSS_FULLHEIGHT)) {

  651.         bds_state_update(&states[XMSS_D], sk_seed, pub_seed, addr);

  652.     }

  653. 

  654.     for (i = 0; i < XMSS_D; i++) {

  655.         // check if we're not at the end of a tree

  656.         if (! (((idx + 1) & ((1ULL << ((i+1)*XMSS_TREEHEIGHT)) - 1)) == 0)) {

  657.             idx_leaf = (idx >> (XMSS_TREEHEIGHT * i)) & ((1 << XMSS_TREEHEIGHT)-1);

  658.             idx_tree = (idx >> (XMSS_TREEHEIGHT * (i+1)));

  659.             set_layer_addr(addr, i);

  660.             set_tree_addr(addr, idx_tree);

  661.             if (i == (unsigned int) (needswap_upto + 1)) {

  662.                 bds_round(&states[i], idx_leaf, sk_seed, pub_seed, addr);

  663.             }

  664.             updates = bds_treehash_update(&states[i], updates, sk_seed, pub_seed, addr);

  665.             set_tree_addr(addr, (idx_tree + 1));

  666.             // if a NEXT-tree exists for this level;

  667.             if ((1 + idx_tree) * (1 << XMSS_TREEHEIGHT) + idx_leaf < (1ULL << (XMSS_FULLHEIGHT - XMSS_TREEHEIGHT * i))) {

  668.                 if (i > 0 && updates > 0 && states[XMSS_D + i].next_leaf < (1ULL << XMSS_FULLHEIGHT)) {

  669.                     bds_state_update(&states[XMSS_D + i], sk_seed, pub_seed, addr);

  670.                     updates--;

  671.                 }

  672.             }

  673.         }

  674.         else if (idx < (1ULL << XMSS_FULLHEIGHT) - 1) {

  675.             memcpy(&tmp, states+XMSS_D + i, sizeof(bds_state));

  676.             memcpy(states+XMSS_D + i, states + i, sizeof(bds_state));

  677.             memcpy(states + i, &tmp, sizeof(bds_state));

  678. 

  679.             set_layer_addr(ots_addr, (i+1));

  680.             set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * XMSS_TREEHEIGHT)));

  681.             set_ots_addr(ots_addr, (((idx >> ((i+1) * XMSS_TREEHEIGHT)) + 1) & ((1 << XMSS_TREEHEIGHT)-1)));

  682. 

  683.             get_seed(ots_seed, sk+XMSS_INDEX_LEN, ots_addr);

  684.             wots_sign(wots_sigs + i*XMSS_WOTS_KEYSIZE, states[i].stack, ots_seed, pub_seed, ots_addr);

  685. 

  686.             states[XMSS_D + i].stackoffset = 0;

  687.             states[XMSS_D + i].next_leaf = 0;

  688. 

  689.             updates--; // WOTS-signing counts as one update

  690.             needswap_upto = i;

  691.             for (j = 0; j < XMSS_TREEHEIGHT-XMSS_BDS_K; j++) {

  692.                 states[i].treehash[j].completed = 1;

  693.             }

  694.         }

  695.     }

  696. 

  697.     memcpy(sm, m, mlen);

  698.     *smlen += mlen;

  699. 

  700.     return 0;

  701. }