kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 Commits
1 Branch
488 KiB
 
 
Tree: 9f512fa8dc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '9f512fa8dc'
${ noResults }
xmss-KAT-generator/xmss_fast.c

1097 lines
32 KiB
Raw Blame History 

  1. /*

  2. xmss_fast.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss_fast.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. 

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. // For testing

  21. #include "stdio.h"

  22. 

  23. 

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes n byte sk_seed and returns n byte seed using 32 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8])

  32. {

  33.   unsigned char bytes[32];

  34.   // Make sure that chain addr, hash addr, and key bit are 0!

  35.   setChainADRS(addr,0);

  36.   setHashADRS(addr,0);

  37.   setKeyAndMask(addr,0);

  38.   // Generate pseudorandom value

  39.   addr_to_byte(bytes, addr);

  40.   prf(seed, bytes, sk_seed, n);

  41. }

  42. 

  43. /**

  44.  * Initialize xmss params struct

  45.  * parameter names are the same as in the draft

  46.  * parameter k is K as used in the BDS algorithm

  47.  */

  48. int xmss_set_params(xmss_params *params, int n, int h, int w, int k)

  49. {

  50.   if (k >= h || k < 2 || (h - k) % 2) {

  51.     fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n");

  52.     return 1;

  53.   }

  54.   params->h = h;

  55.   params->n = n;

  56.   params->k = k;

  57.   wots_params wots_par;

  58.   wots_set_params(&wots_par, n, w);

  59.   params->wots_par = wots_par;

  60.   return 0;

  61. }

  62. 

  63. /**

  64.  * Initialize BDS state struct

  65.  * parameter names are the same as used in the description of the BDS traversal

  66.  */

  67. void xmss_set_bds_state(bds_state *state, unsigned char *stack, int stackoffset, unsigned char *stacklevels, unsigned char *auth, unsigned char *keep, treehash_inst *treehash, unsigned char *retain, int next_leaf)

  68. {

  69.   state->stack = stack;

  70.   state->stackoffset = stackoffset;

  71.   state->stacklevels = stacklevels;

  72.   state->auth = auth;

  73.   state->keep = keep;

  74.   state->treehash = treehash;

  75.   state->retain = retain;

  76.   state->next_leaf = next_leaf;

  77. }

  78. 

  79. /**

  80.  * Initialize xmssmt_params struct

  81.  * parameter names are the same as in the draft

  82.  *

  83.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  84.  */

  85. int xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w, int k)

  86. {

  87.   if (h % d) {

  88.     fprintf(stderr, "d must divide h without remainder!\n");

  89.     return 1;

  90.   }

  91.   params->h = h;

  92.   params->d = d;

  93.   params->n = n;

  94.   params->index_len = (h + 7) / 8;

  95.   xmss_params xmss_par;

  96.   if (xmss_set_params(&xmss_par, n, (h/d), w, k)) {

  97.     return 1;

  98.   }

  99.   params->xmss_par = xmss_par;

  100.   return 0;

  101. }

  102. 

  103. /**

  104.  * Computes a leaf from a WOTS public key using an L-tree.

  105.  */

  106. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  107. {

  108.   unsigned int l = params->wots_par.len;

  109.   unsigned int n = params->n;

  110.   uint32_t i = 0;

  111.   uint32_t height = 0;

  112.   uint32_t bound;

  113. 

  114.   //ADRS.setTreeHeight(0);

  115.   setTreeHeight(addr, height);

  116.   

  117.   while (l > 1) {

  118.      bound = l >> 1; //floor(l / 2);

  119.      for (i = 0; i < bound; i++) {

  120.        //ADRS.setTreeIndex(i);

  121.        setTreeIndex(addr, i);

  122.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  123.        hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);

  124.      }

  125.      //if ( l % 2 == 1 ) {

  126.      if (l & 1) {

  127.        //pk[floor(l / 2) + 1] = pk[l];

  128.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  129.        //l = ceil(l / 2);

  130.        l=(l>>1)+1;

  131.      }

  132.      else {

  133.        //l = ceil(l / 2);

  134.        l=(l>>1);

  135.      }

  136.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  137.      height++;

  138.      setTreeHeight(addr, height);

  139.    }

  140.    //return pk[0];

  141.    memcpy(leaf, wots_pk, n);

  142. }

  143. 

  144. /**

  145.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  146.  */

  147. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, uint32_t ltree_addr[8], uint32_t ots_addr[8])

  148. {

  149.   unsigned char seed[params->n];

  150.   unsigned char pk[params->wots_par.keysize];

  151. 

  152.   get_seed(seed, sk_seed, params->n, ots_addr);

  153.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  154. 

  155.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  156. }

  157. 

  158. static int treehash_minheight_on_stack(bds_state* state, const xmss_params *params, const treehash_inst *treehash) {

  159.   unsigned int r = params->h, i;

  160.   for (i = 0; i < treehash->stackusage; i++) {

  161.     if (state->stacklevels[state->stackoffset - i - 1] < r) {

  162.       r = state->stacklevels[state->stackoffset - i - 1];

  163.     }

  164.   }

  165.   return r;

  166. }

  167. 

  168. /**

  169.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  170.  * Currently only used for key generation.

  171.  *

  172.  */

  173. static void treehash_setup(unsigned char *node, int height, int index, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8])

  174. {

  175.   unsigned int idx = index;

  176.   unsigned int n = params->n;

  177.   unsigned int h = params->h;

  178.   unsigned int k = params->k;

  179.   // use three different addresses because at this point we use all three formats in parallel

  180.   uint32_t ots_addr[8];

  181.   uint32_t ltree_addr[8];

  182.   uint32_t  node_addr[8];

  183.   // only copy layer and tree address parts

  184.   memcpy(ots_addr, addr, 12);

  185.   // type = ots

  186.   setType(ots_addr, 0);

  187.   memcpy(ltree_addr, addr, 12);

  188.   setType(ltree_addr, 1);

  189.   memcpy(node_addr, addr, 12);

  190.   setType(node_addr, 2);

  191. 

  192.   uint32_t lastnode, i;

  193.   unsigned char stack[(height+1)*n];

  194.   unsigned int stacklevels[height+1];

  195.   unsigned int stackoffset=0;

  196.   unsigned int nodeh;

  197. 

  198.   lastnode = idx+(1<<height);

  199. 

  200.   for (i = 0; i < h-k; i++) {

  201.     state->treehash[i].h = i;

  202.     state->treehash[i].completed = 1;

  203.     state->treehash[i].stackusage = 0;

  204.   }

  205. 

  206.   i = 0;

  207.   for (; idx < lastnode; idx++) {

  208.     setLtreeADRS(ltree_addr, idx);

  209.     setOTSADRS(ots_addr, idx);

  210.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  211.     stacklevels[stackoffset] = 0;

  212.     stackoffset++;

  213.     if (h - k > 0 && i == 3) {

  214.       memcpy(state->treehash[0].node, stack+stackoffset*n, n);

  215.     }

  216.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  217.     {

  218.       nodeh = stacklevels[stackoffset-1];

  219.       if (i >> nodeh == 1) {

  220.         memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n);

  221.       }

  222.       else {

  223.         if (nodeh < h - k && i >> nodeh == 3) {

  224.           memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n);

  225.         }

  226.         else if (nodeh >= h - k) {

  227.           memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack+(stackoffset-1)*n, n);

  228.         }

  229.       }

  230.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  231.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  232.       hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  233.           node_addr, n);

  234.       stacklevels[stackoffset-2]++;

  235.       stackoffset--;

  236.     }

  237.     i++;

  238.   }

  239. 

  240.   for (i = 0; i < n; i++)

  241.     node[i] = stack[i];

  242. }

  243. 

  244. static void treehash_update(treehash_inst *treehash, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8]) {

  245.   int n = params->n;

  246. 

  247.   uint32_t ots_addr[8];

  248.   uint32_t ltree_addr[8];

  249.   uint32_t  node_addr[8];

  250.   // only copy layer and tree address parts

  251.   memcpy(ots_addr, addr, 12);

  252.   // type = ots

  253.   setType(ots_addr, 0);

  254.   memcpy(ltree_addr, addr, 12);

  255.   setType(ltree_addr, 1);

  256.   memcpy(node_addr, addr, 12);

  257.   setType(node_addr, 2);

  258. 

  259.   setLtreeADRS(ltree_addr, treehash->next_idx);

  260.   setOTSADRS(ots_addr, treehash->next_idx);

  261. 

  262.   unsigned char nodebuffer[2 * n];

  263.   unsigned int nodeheight = 0;

  264.   gen_leaf_wots(nodebuffer, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  265.   while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {

  266.     memcpy(nodebuffer + n, nodebuffer, n);

  267.     memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n);

  268.     setTreeHeight(node_addr, nodeheight);

  269.     setTreeIndex(node_addr, (treehash->next_idx >> (nodeheight+1)));

  270.     hash_h(nodebuffer, nodebuffer, pub_seed, node_addr, n);

  271.     nodeheight++;

  272.     treehash->stackusage--;

  273.     state->stackoffset--;

  274.   }

  275.   if (nodeheight == treehash->h) { // this also implies stackusage == 0

  276.     memcpy(treehash->node, nodebuffer, n);

  277.     treehash->completed = 1;

  278.   }

  279.   else {

  280.     memcpy(state->stack + state->stackoffset*n, nodebuffer, n);

  281.     treehash->stackusage++;

  282.     state->stacklevels[state->stackoffset] = nodeheight;

  283.     state->stackoffset++;

  284.     treehash->next_idx++;

  285.   }

  286. }

  287. 

  288. /**

  289.  * Computes a root node given a leaf and an authapth

  290.  */

  291. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  292. {

  293.   unsigned int n = params->n;

  294. 

  295.   uint32_t i, j;

  296.   unsigned char buffer[2*n];

  297. 

  298.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  299.   // Otherwise, it is the other way around

  300.   if (leafidx & 1) {

  301.     for (j = 0; j < n; j++)

  302.       buffer[n+j] = leaf[j];

  303.     for (j = 0; j < n; j++)

  304.       buffer[j] = authpath[j];

  305.   }

  306.   else {

  307.     for (j = 0; j < n; j++)

  308.       buffer[j] = leaf[j];

  309.     for (j = 0; j < n; j++)

  310.       buffer[n+j] = authpath[j];

  311.   }

  312.   authpath += n;

  313. 

  314.   for (i=0; i < params->h-1; i++) {

  315.     setTreeHeight(addr, i);

  316.     leafidx >>= 1;

  317.     setTreeIndex(addr, leafidx);

  318.     if (leafidx&1) {

  319.       hash_h(buffer+n, buffer, pub_seed, addr, n);

  320.       for (j = 0; j < n; j++)

  321.         buffer[j] = authpath[j];

  322.     }

  323.     else {

  324.       hash_h(buffer, buffer, pub_seed, addr, n);

  325.       for (j = 0; j < n; j++)

  326.         buffer[j+n] = authpath[j];

  327.     }

  328.     authpath += n;

  329.   }

  330.   setTreeHeight(addr, (params->h-1));

  331.   leafidx >>= 1;

  332.   setTreeIndex(addr, leafidx);

  333.   hash_h(root, buffer, pub_seed, addr, n);

  334. }

  335. 

  336. /**

  337.  * Performs one treehash update on the instance that needs it the most.

  338.  * Returns 1 if such an instance was not found

  339.  **/

  340. static char bds_treehash_update(bds_state *state, unsigned int updates, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const uint32_t addr[8]) {

  341.   uint32_t i, j;

  342.   unsigned int level, l_min, low;

  343.   unsigned int h = params->h;

  344.   unsigned int k = params->k;

  345.   unsigned int used = 0;

  346. 

  347.   for (j = 0; j < updates; j++) {

  348.     l_min = h;

  349.     level = h - k;

  350.     for (i = 0; i < h - k; i++) {

  351.       if (state->treehash[i].completed) {

  352.         low = h;

  353.       }

  354.       else if (state->treehash[i].stackusage == 0) {

  355.         low = i;

  356.       }

  357.       else {

  358.         low = treehash_minheight_on_stack(state, params, &(state->treehash[i]));

  359.       }

  360.       if (low < l_min) {

  361.         level = i;

  362.         l_min = low;

  363.       }

  364.     }

  365.     if (level == h - k) {

  366.       break;

  367.     }

  368.     treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr);

  369.     used++;

  370.   }

  371.   return updates - used;

  372. }

  373. 

  374. /**

  375.  * Updates the state (typically NEXT_i) by adding a leaf and updating the stack

  376.  * Returns 1 if all leaf nodes have already been processed

  377.  **/

  378. static char bds_state_update(bds_state *state, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const uint32_t addr[8]) {

  379.   uint32_t ltree_addr[8];

  380.   uint32_t node_addr[8];

  381.   uint32_t ots_addr[8];

  382. 

  383.   int n = params->n;

  384.   int h = params->h;

  385.   int k = params->k;

  386. 

  387.   int nodeh;

  388.   int idx = state->next_leaf;

  389.   if (idx == 1 << h) {

  390.     return 1;

  391.   }

  392. 

  393.   // only copy layer and tree address parts

  394.   memcpy(ots_addr, addr, 12);

  395.   // type = ots

  396.   setType(ots_addr, 0);

  397.   memcpy(ltree_addr, addr, 12);

  398.   setType(ltree_addr, 1);

  399.   memcpy(node_addr, addr, 12);

  400.   setType(node_addr, 2);

  401.   

  402.   setOTSADRS(ots_addr, idx);

  403.   setLtreeADRS(ltree_addr, idx);

  404. 

  405.   gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  406. 

  407.   state->stacklevels[state->stackoffset] = 0;

  408.   state->stackoffset++;

  409.   if (h - k > 0 && idx == 3) {

  410.     memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n);

  411.   }

  412.   while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {

  413.     nodeh = state->stacklevels[state->stackoffset-1];

  414.     if (idx >> nodeh == 1) {

  415.       memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n);

  416.     }

  417.     else {

  418.       if (nodeh < h - k && idx >> nodeh == 3) {

  419.         memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n);

  420.       }

  421.       else if (nodeh >= h - k) {

  422.         memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, state->stack+(state->stackoffset-1)*n, n);

  423.       }

  424.     }

  425.     setTreeHeight(node_addr, state->stacklevels[state->stackoffset-1]);

  426.     setTreeIndex(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));

  427.     hash_h(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, node_addr, n);

  428. 

  429.     state->stacklevels[state->stackoffset-2]++;

  430.     state->stackoffset--;

  431.   }

  432.   state->next_leaf++;

  433.   return 0;

  434. }

  435. 

  436. /**

  437.  * Returns the auth path for node leaf_idx and computes the auth path for the

  438.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  439.  * in "Post Quantum Cryptography", Springer 2009.

  440.  */

  441. static void bds_round(bds_state *state, const unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, uint32_t addr[8])

  442. {

  443.   unsigned int i;

  444.   unsigned int n = params->n;

  445.   unsigned int h = params->h;

  446.   unsigned int k = params->k;

  447. 

  448.   unsigned int tau = h;

  449.   unsigned int startidx;

  450.   unsigned int offset, rowidx;

  451.   unsigned char buf[2 * n];

  452. 

  453.   uint32_t ots_addr[8];

  454.   uint32_t ltree_addr[8];

  455.   uint32_t  node_addr[8];

  456.   // only copy layer and tree address parts

  457.   memcpy(ots_addr, addr, 12);

  458.   // type = ots

  459.   setType(ots_addr, 0);

  460.   memcpy(ltree_addr, addr, 12);

  461.   setType(ltree_addr, 1);

  462.   memcpy(node_addr, addr, 12);

  463.   setType(node_addr, 2);

  464. 

  465.   for (i = 0; i < h; i++) {

  466.     if (! ((leaf_idx >> i) & 1)) {

  467.       tau = i;

  468.       break;

  469.     }

  470.   }

  471. 

  472.   if (tau > 0) {

  473.     memcpy(buf,     state->auth + (tau-1) * n, n);

  474.     // we need to do this before refreshing state->keep to prevent overwriting

  475.     memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n);

  476.   }

  477.   if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) {

  478.     memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n);

  479.   }

  480.   if (tau == 0) {

  481.     setLtreeADRS(ltree_addr, leaf_idx);

  482.     setOTSADRS(ots_addr, leaf_idx);

  483.     gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  484.   }

  485.   else {

  486.     setTreeHeight(node_addr, (tau-1));

  487.     setTreeIndex(node_addr, leaf_idx >> tau);

  488.     hash_h(state->auth + tau * n, buf, pub_seed, node_addr, n);

  489.     for (i = 0; i < tau; i++) {

  490.       if (i < h - k) {

  491.         memcpy(state->auth + i * n, state->treehash[i].node, n);

  492.       }

  493.       else {

  494.         offset = (1 << (h - 1 - i)) + i - h;

  495.         rowidx = ((leaf_idx >> i) - 1) >> 1;

  496.         memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n);

  497.       }

  498.     }

  499. 

  500.     for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) {

  501.       startidx = leaf_idx + 1 + 3 * (1 << i);

  502.       if (startidx < 1U << h) {

  503.         state->treehash[i].h = i;

  504.         state->treehash[i].next_idx = startidx;

  505.         state->treehash[i].completed = 0;

  506.         state->treehash[i].stackusage = 0;

  507.       }

  508.     }

  509.   }

  510. }

  511. 

  512. /*

  513.  * Generates a XMSS key pair for a given parameter set.

  514.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  515.  * Format pk: [root || PUB_SEED] omitting algo oid.

  516.  */

  517. int xmss_keypair(unsigned char *pk, unsigned char *sk, bds_state *state, xmss_params *params)

  518. {

  519.   unsigned int n = params->n;

  520.   // Set idx = 0

  521.   sk[0] = 0;

  522.   sk[1] = 0;

  523.   sk[2] = 0;

  524.   sk[3] = 0;

  525.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  526.   randombytes(sk+4, 3*n);

  527.   // Copy PUB_SEED to public key

  528.   memcpy(pk+n, sk+4+2*n, n);

  529. 

  530.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  531. 

  532.   // Compute root

  533.   treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+2*n, addr);

  534.   // copy root to sk

  535.   memcpy(sk+4+3*n, pk, n);

  536.   return 0;

  537. }

  538. 

  539. /**

  540.  * Signs a message.

  541.  * Returns

  542.  * 1. an array containing the signature followed by the message AND

  543.  * 2. an updated secret key!

  544.  *

  545.  */

  546. int xmss_sign(unsigned char *sk, bds_state *state, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  547. {

  548.   unsigned int h = params->h;

  549.   unsigned int n = params->n;

  550.   unsigned int k = params->k;

  551.   uint16_t i = 0;

  552. 

  553.   // Extract SK

  554.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  555.   unsigned char sk_seed[n];

  556.   memcpy(sk_seed, sk+4, n);

  557.   unsigned char sk_prf[n];

  558.   memcpy(sk_prf, sk+4+n, n);

  559.   unsigned char pub_seed[n];

  560.   memcpy(pub_seed, sk+4+2*n, n);

  561.   

  562.   // index as 32 bytes string

  563.   unsigned char idx_bytes_32[32];

  564.   to_byte(idx_bytes_32, idx, 32);

  565.   

  566.   unsigned char hash_key[3*n]; 

  567.   

  568.   // Update SK

  569.   sk[0] = ((idx + 1) >> 24) & 255;

  570.   sk[1] = ((idx + 1) >> 16) & 255;

  571.   sk[2] = ((idx + 1) >> 8) & 255;

  572.   sk[3] = (idx + 1) & 255;

  573.   // -- Secret key for this non-forward-secure version is now updated.

  574.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  575. 

  576.   // Init working params

  577.   unsigned char R[n];

  578.   unsigned char msg_h[n];

  579.   unsigned char ots_seed[n];

  580.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  581. 

  582.   // ---------------------------------

  583.   // Message Hashing

  584.   // ---------------------------------

  585. 

  586.   // Message Hash:

  587.   // First compute pseudorandom value

  588.   prf(R, idx_bytes_32, sk_prf, n);

  589.   // Generate hash key (R || root || idx)

  590.   memcpy(hash_key, R, n);

  591.   memcpy(hash_key+n, sk+4+3*n, n);

  592.   to_byte(hash_key+2*n, idx, n);

  593.   // Then use it for message digest

  594.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n);

  595. 

  596.   // Start collecting signature

  597.   *sig_msg_len = 0;

  598. 

  599.   // Copy index to signature

  600.   sig_msg[0] = (idx >> 24) & 255;

  601.   sig_msg[1] = (idx >> 16) & 255;

  602.   sig_msg[2] = (idx >> 8) & 255;

  603.   sig_msg[3] = idx & 255;

  604. 

  605.   sig_msg += 4;

  606.   *sig_msg_len += 4;

  607. 

  608.   // Copy R to signature

  609.   for (i = 0; i < n; i++)

  610.     sig_msg[i] = R[i];

  611. 

  612.   sig_msg += n;

  613.   *sig_msg_len += n;

  614. 

  615.   // ----------------------------------

  616.   // Now we start to "really sign"

  617.   // ----------------------------------

  618. 

  619.   // Prepare Address

  620.   setType(ots_addr, 0);

  621.   setOTSADRS(ots_addr, idx);

  622. 

  623.   // Compute seed for OTS key pair

  624.   get_seed(ots_seed, sk_seed, n, ots_addr);

  625. 

  626.   // Compute WOTS signature

  627.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  628. 

  629.   sig_msg += params->wots_par.keysize;

  630.   *sig_msg_len += params->wots_par.keysize;

  631. 

  632.   // the auth path was already computed during the previous round

  633.   memcpy(sig_msg, state->auth, h*n);

  634. 

  635.   if (idx < (1U << h) - 1) {

  636.     bds_round(state, idx, sk_seed, params, pub_seed, ots_addr);

  637.     bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr);

  638.   }

  639. 

  640.   sig_msg += params->h*n;

  641.   *sig_msg_len += params->h*n;

  642. 

  643.   //Whipe secret elements?

  644.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  645. 

  646.   memcpy(sig_msg, msg, msglen);

  647.   *sig_msg_len += msglen;

  648. 

  649.   return 0;

  650. }

  651. 

  652. /**

  653.  * Verifies a given message signature pair under a given public key.

  654.  */

  655. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  656. {

  657.   unsigned int n = params->n;

  658. 

  659.   unsigned long long i, m_len;

  660.   unsigned long idx=0;

  661.   unsigned char wots_pk[params->wots_par.keysize];

  662.   unsigned char pkhash[n];

  663.   unsigned char root[n];

  664.   unsigned char msg_h[n];

  665.   unsigned char hash_key[3*n];

  666. 

  667.   unsigned char pub_seed[n];

  668.   memcpy(pub_seed, pk+n, n);

  669. 

  670.   // Init addresses

  671.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  672.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  673.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  674. 

  675.   setType(ots_addr, 0);

  676.   setType(ltree_addr, 1);

  677.   setType(node_addr, 2);

  678. 

  679.   // Extract index

  680.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  681.   printf("verify:: idx = %lu\n", idx);

  682.   

  683.   // Generate hash key (R || root || idx)

  684.   memcpy(hash_key, sig_msg+4,n);

  685.   memcpy(hash_key+n, pk, n);

  686.   to_byte(hash_key+2*n, idx, n);

  687.   

  688.   sig_msg += (n+4);

  689.   sig_msg_len -= (n+4);

  690. 

  691.   // hash message 

  692.   unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n;

  693.   m_len = sig_msg_len - tmp_sig_len;

  694.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n);

  695. 

  696.   //-----------------------

  697.   // Verify signature

  698.   //-----------------------

  699. 

  700.   // Prepare Address

  701.   setOTSADRS(ots_addr, idx);

  702.   // Check WOTS signature

  703.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  704. 

  705.   sig_msg += params->wots_par.keysize;

  706.   sig_msg_len -= params->wots_par.keysize;

  707. 

  708.   // Compute Ltree

  709.   setLtreeADRS(ltree_addr, idx);

  710.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  711. 

  712.   // Compute root

  713.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  714. 

  715.   sig_msg += params->h*n;

  716.   sig_msg_len -= params->h*n;

  717. 

  718.   for (i = 0; i < n; i++)

  719.     if (root[i] != pk[i])

  720.       goto fail;

  721. 

  722.   *msglen = sig_msg_len;

  723.   for (i = 0; i < *msglen; i++)

  724.     msg[i] = sig_msg[i];

  725. 

  726.   return 0;

  727. 

  728. 

  729. fail:

  730.   *msglen = sig_msg_len;

  731.   for (i = 0; i < *msglen; i++)

  732.     msg[i] = 0;

  733.   *msglen = -1;

  734.   return -1;

  735. }

  736. 

  737. /*

  738.  * Generates a XMSSMT key pair for a given parameter set.

  739.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  740.  * Format pk: [root || PUB_SEED] omitting algo oid.

  741.  */

  742. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, bds_state *states, unsigned char *wots_sigs, xmssmt_params *params)

  743. {

  744.   unsigned int n = params->n;

  745.   unsigned int i;

  746.   unsigned char ots_seed[params->n];

  747.   // Set idx = 0

  748.   for (i = 0; i < params->index_len; i++) {

  749.     sk[i] = 0;

  750.   }

  751.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  752.   randombytes(sk+params->index_len, 3*n);

  753.   // Copy PUB_SEED to public key

  754.   memcpy(pk+n, sk+params->index_len+2*n, n);

  755. 

  756.   // Set address to point on the single tree on layer d-1

  757.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  758.   setLayerADRS(addr, (params->d-1));

  759.   // Set up state and compute wots signatures for all but topmost tree root

  760.   for (i = 0; i < params->d - 1; i++) {

  761.     // Compute seed for OTS key pair

  762.     treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  763.     setLayerADRS(addr, (i+1));

  764.     get_seed(ots_seed, sk+params->index_len, n, addr);

  765.     wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_par), pk+n, addr);

  766.   }

  767.   treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  768.   memcpy(sk+params->index_len+3*n, pk, n);

  769.   return 0;

  770. }

  771. 

  772. /**

  773.  * Signs a message.

  774.  * Returns

  775.  * 1. an array containing the signature followed by the message AND

  776.  * 2. an updated secret key!

  777.  *

  778.  */

  779. int xmssmt_sign(unsigned char *sk, bds_state *states, unsigned char *wots_sigs, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  780. {

  781.   unsigned int n = params->n;

  782.   

  783.   unsigned int tree_h = params->xmss_par.h;

  784.   unsigned int h = params->h;

  785.   unsigned int k = params->xmss_par.k;

  786.   unsigned int idx_len = params->index_len;

  787.   uint64_t idx_tree;

  788.   uint32_t idx_leaf;

  789.   uint64_t i, j;

  790.   int needswap_upto = -1;

  791.   unsigned int updates;

  792. 

  793.   unsigned char sk_seed[n];

  794.   unsigned char sk_prf[n];

  795.   unsigned char pub_seed[n];

  796.   // Init working params

  797.   unsigned char R[n];

  798.   unsigned char msg_h[n];

  799.   unsigned char hash_key[3*n];

  800.   unsigned char ots_seed[n];

  801.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  802.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  803.   unsigned char idx_bytes_32[32];

  804.   bds_state tmp;

  805. 

  806.   // Extract SK 

  807.   unsigned long long idx = 0;

  808.   for (i = 0; i < idx_len; i++) {

  809.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  810.   }

  811. 

  812.   memcpy(sk_seed, sk+idx_len, n);

  813.   memcpy(sk_prf, sk+idx_len+n, n);

  814.   memcpy(pub_seed, sk+idx_len+2*n, n);

  815. 

  816.   // Update SK

  817.   for (i = 0; i < idx_len; i++) {

  818.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  819.   }

  820.   // -- Secret key for this non-forward-secure version is now updated.

  821.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  822. 

  823. 

  824.   // ---------------------------------

  825.   // Message Hashing

  826.   // ---------------------------------

  827. 

  828.   // Message Hash:

  829.   // First compute pseudorandom value

  830.   to_byte(idx_bytes_32, idx, 32);

  831.   prf(R, idx_bytes_32, sk_prf, n);

  832.   // Generate hash key (R || root || idx)

  833.   memcpy(hash_key, R, n);

  834.   memcpy(hash_key+n, sk+idx_len+3*n, n);

  835.   to_byte(hash_key+2*n, idx, n);

  836.   

  837.   // Then use it for message digest

  838.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n);

  839. 

  840.   // Start collecting signature

  841.   *sig_msg_len = 0;

  842. 

  843.   // Copy index to signature

  844.   for (i = 0; i < idx_len; i++) {

  845.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  846.   }

  847. 

  848.   sig_msg += idx_len;

  849.   *sig_msg_len += idx_len;

  850. 

  851.   // Copy R to signature

  852.   for (i = 0; i < n; i++)

  853.     sig_msg[i] = R[i];

  854. 

  855.   sig_msg += n;

  856.   *sig_msg_len += n;

  857. 

  858.   // ----------------------------------

  859.   // Now we start to "really sign"

  860.   // ----------------------------------

  861. 

  862.   // Handle lowest layer separately as it is slightly different...

  863. 

  864.   // Prepare Address

  865.   setType(ots_addr, 0);

  866.   idx_tree = idx >> tree_h;

  867.   idx_leaf = (idx & ((1 << tree_h)-1));

  868.   setLayerADRS(ots_addr, 0);

  869.   setTreeADRS(ots_addr, idx_tree);

  870.   setOTSADRS(ots_addr, idx_leaf);

  871. 

  872.   // Compute seed for OTS key pair

  873.   get_seed(ots_seed, sk_seed, n, ots_addr);

  874. 

  875.   // Compute WOTS signature

  876.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  877. 

  878.   sig_msg += params->xmss_par.wots_par.keysize;

  879.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  880. 

  881.   memcpy(sig_msg, states[0].auth, tree_h*n);

  882.   sig_msg += tree_h*n;

  883.   *sig_msg_len += tree_h*n;

  884. 

  885.   // prepare signature of remaining layers

  886.   for (i = 1; i < params->d; i++) {

  887.     // put WOTS signature in place

  888.     memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.keysize);

  889. 

  890.     sig_msg += params->xmss_par.wots_par.keysize;

  891.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  892. 

  893.     // put AUTH nodes in place

  894.     memcpy(sig_msg, states[i].auth, tree_h*n);

  895.     sig_msg += tree_h*n;

  896.     *sig_msg_len += tree_h*n;

  897.   }

  898. 

  899.   updates = (tree_h - k) >> 1;

  900. 

  901.   setTreeADRS(addr, (idx_tree + 1));

  902.   // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists

  903.   if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << h)) {

  904.     bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr);

  905.   }

  906. 

  907.   for (i = 0; i < params->d; i++) {

  908.     // check if we're not at the end of a tree

  909.     if (! (((idx + 1) & ((1ULL << ((i+1)*tree_h)) - 1)) == 0)) {

  910.       idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1);

  911.       idx_tree = (idx >> (tree_h * (i+1)));

  912.       setLayerADRS(addr, i);

  913.       setTreeADRS(addr, idx_tree);

  914.       if (i == (unsigned int) (needswap_upto + 1)) {

  915.         bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr);

  916.       }

  917.       updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr);

  918.       setTreeADRS(addr, (idx_tree + 1));

  919.       // if a NEXT-tree exists for this level;

  920.       if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << (h - tree_h * i))) {

  921.         if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << h)) {

  922.           bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr);

  923.           updates--;

  924.         }

  925.       }

  926.     }

  927.     else if (idx < (1ULL << h) - 1) {

  928.       memcpy(&tmp, states+params->d + i, sizeof(bds_state));

  929.       memcpy(states+params->d + i, states + i, sizeof(bds_state));

  930.       memcpy(states + i, &tmp, sizeof(bds_state));

  931. 

  932.       setLayerADRS(ots_addr, (i+1));

  933.       setTreeADRS(ots_addr, ((idx + 1) >> ((i+2) * tree_h)));

  934.       setOTSADRS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1)));

  935. 

  936.       get_seed(ots_seed, sk+params->index_len, n, ots_addr);

  937.       wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  938. 

  939.       states[params->d + i].stackoffset = 0;

  940.       states[params->d + i].next_leaf = 0;

  941. 

  942.       updates--; // WOTS-signing counts as one update

  943.       needswap_upto = i;

  944.       for (j = 0; j < tree_h-k; j++) {

  945.         states[i].treehash[j].completed = 1;

  946.       }

  947.     }

  948.   }

  949. 

  950.   //Whipe secret elements?

  951.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  952. 

  953.   memcpy(sig_msg, msg, msglen);

  954.   *sig_msg_len += msglen;

  955. 

  956.   return 0;

  957. }

  958. 

  959. /**

  960.  * Verifies a given message signature pair under a given public key.

  961.  */

  962. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  963. {

  964.   unsigned int n = params->n;

  965. 

  966.   unsigned int tree_h = params->xmss_par.h;

  967.   unsigned int idx_len = params->index_len;

  968.   uint64_t idx_tree;

  969.   uint32_t idx_leaf;

  970. 

  971.   unsigned long long i, m_len;

  972.   unsigned long long idx=0;

  973.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  974.   unsigned char pkhash[n];

  975.   unsigned char root[n];

  976.   unsigned char msg_h[n];

  977.   unsigned char hash_key[3*n];

  978. 

  979.   unsigned char pub_seed[n];

  980.   memcpy(pub_seed, pk+n, n);

  981. 

  982.   // Init addresses

  983.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  984.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  985.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  986. 

  987.   // Extract index

  988.   for (i = 0; i < idx_len; i++) {

  989.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  990.   }

  991.   printf("verify:: idx = %llu\n", idx);

  992.   sig_msg += idx_len;

  993.   sig_msg_len -= idx_len;

  994.   

  995.   // Generate hash key (R || root || idx)

  996.   memcpy(hash_key, sig_msg,n);

  997.   memcpy(hash_key+n, pk, n);

  998.   to_byte(hash_key+2*n, idx, n);

  999. 

  1000.   sig_msg += n;

  1001.   sig_msg_len -= n;

  1002.   

  1003. 

  1004.   // hash message (recall, R is now on pole position at sig_msg

  1005.   unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  1006.   m_len = sig_msg_len - tmp_sig_len;

  1007.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n);

  1008. 

  1009.   

  1010.   //-----------------------

  1011.   // Verify signature

  1012.   //-----------------------

  1013. 

  1014.   // Prepare Address

  1015.   idx_tree = idx >> tree_h;

  1016.   idx_leaf = (idx & ((1 << tree_h)-1));

  1017.   setLayerADRS(ots_addr, 0);

  1018.   setTreeADRS(ots_addr, idx_tree);

  1019.   setType(ots_addr, 0);

  1020. 

  1021.   memcpy(ltree_addr, ots_addr, 12);

  1022.   setType(ltree_addr, 1);

  1023. 

  1024.   memcpy(node_addr, ltree_addr, 12);

  1025.   setType(node_addr, 2);

  1026.   

  1027.   setOTSADRS(ots_addr, idx_leaf);

  1028. 

  1029.   // Check WOTS signature

  1030.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1031. 

  1032.   sig_msg += params->xmss_par.wots_par.keysize;

  1033.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  1034. 

  1035.   // Compute Ltree

  1036.   setLtreeADRS(ltree_addr, idx_leaf);

  1037.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1038. 

  1039.   // Compute root

  1040.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1041. 

  1042.   sig_msg += tree_h*n;

  1043.   sig_msg_len -= tree_h*n;

  1044. 

  1045.   for (i = 1; i < params->d; i++) {

  1046.     // Prepare Address

  1047.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  1048.     idx_tree = idx_tree >> tree_h;

  1049. 

  1050.     setLayerADRS(ots_addr, i);

  1051.     setTreeADRS(ots_addr, idx_tree);

  1052.     setType(ots_addr, 0);

  1053. 

  1054.     memcpy(ltree_addr, ots_addr, 12);

  1055.     setType(ltree_addr, 1);

  1056. 

  1057.     memcpy(node_addr, ltree_addr, 12);

  1058.     setType(node_addr, 2);

  1059. 

  1060.     setOTSADRS(ots_addr, idx_leaf);

  1061. 

  1062.     // Check WOTS signature

  1063.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  1064. 

  1065.     sig_msg += params->xmss_par.wots_par.keysize;

  1066.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  1067. 

  1068.     // Compute Ltree

  1069.     setLtreeADRS(ltree_addr, idx_leaf);

  1070.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  1071. 

  1072.     // Compute root

  1073.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  1074. 

  1075.     sig_msg += tree_h*n;

  1076.     sig_msg_len -= tree_h*n;

  1077. 

  1078.   }

  1079. 

  1080.   for (i = 0; i < n; i++)

  1081.     if (root[i] != pk[i])

  1082.       goto fail;

  1083. 

  1084.   *msglen = sig_msg_len;

  1085.   for (i = 0; i < *msglen; i++)

  1086.     msg[i] = sig_msg[i];

  1087. 

  1088.   return 0;

  1089. 

  1090. 

  1091. fail:

  1092.   *msglen = sig_msg_len;

  1093.   for (i = 0; i < *msglen; i++)

  1094.     msg[i] = 0;

  1095.   *msglen = -1;

  1096.   return -1;

  1097. }