kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 Commits
1 Branch
488 KiB
 
 
Tree: a33aef699c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a33aef699c'
${ noResults }
xmss-KAT-generator/xmss_fast.c

1005 lines
28 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20150811

  3. Andreas Hülsing

  4. Public domain.

  5. */

  6. 

  7. #include "xmss.h"

  8. #include <stdlib.h>

  9. #include <string.h>

  10. #include <stdint.h>

  11. #include <math.h>

  12. 

  13. #include "randombytes.h"

  14. #include "wots.h"

  15. #include "hash.h"

  16. #include "prg.h"

  17. #include "xmss_commons.h"

  18. 

  19. // For testing

  20. #include "stdio.h"

  21. 

  22. /**

  23.  * Macros used to manipulate the respective fields

  24.  * in the 16byte hash address

  25.  */

  26. #define SET_LAYER_ADDRESS(a, v) {\

  27.   a[6] = (a[6] & 3) | ((v << 2) & 255);\

  28.   a[5] = (a[5] & 252) | ((v >> 6) & 255);}  

  29. 

  30. #define SET_TREE_ADDRESS(a, v) {\

  31.   a[9] = (a[9] & 3) | ((v << 2) & 255);\

  32.   a[8] = (v >> 6) & 255;\

  33.   a[7] = (v >> 14) & 255;\

  34.   a[6] = (a[6] & 252) | ((v >> 22) & 255);}  

  35.   

  36. #define SET_OTS_BIT(a, b) {\

  37.   a[9] = (a[9] & 253) | (b << 1);}

  38. 

  39. #define SET_OTS_ADDRESS(a, v) {\

  40.   a[12] = (a[12] & 1) | ((v << 1) & 255);\

  41.   a[11] = (v >> 7) & 255;\

  42.   a[10] = (v >> 15) & 255;\

  43.   a[9] = (a[9] & 254) | ((v >> 23) & 1);}  

  44.   

  45. #define ZEROISE_OTS_ADDR(a) {\

  46.   a[12] = (a[12] & 254);\

  47.   a[13] = 0;\

  48.   a[14] = 0;\

  49.   a[15] = 0;}

  50.   

  51. #define SET_LTREE_BIT(a, b) {\

  52.   a[9] = (a[9] & 254) | b;}

  53. 

  54. #define SET_LTREE_ADDRESS(a, v) {\

  55.   a[12] = v & 255;\

  56.   a[11] = (v >> 8) & 255;\

  57.   a[10] = (v >> 16) & 255;}

  58. 

  59. #define SET_LTREE_TREE_HEIGHT(a, v) {\

  60.   a[13] = (a[13] & 3) | ((v << 2) & 255);}

  61. 

  62. #define SET_LTREE_TREE_INDEX(a, v) {\

  63.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  64.   a[14] = (v >> 6) & 255;\

  65.   a[13] = (a[13] & 252) | ((v >> 14) & 3);}

  66.   

  67. #define SET_NODE_PADDING(a) {\

  68.   a[10] = 0;\

  69.   a[11] = a[11] & 3;}  

  70. 

  71. #define SET_NODE_TREE_HEIGHT(a, v) {\

  72.   a[12] = (a[12] & 3) | ((v << 2) & 255);\

  73.   a[11] = (a[11] & 252) | ((v >> 6) & 3);}

  74. 

  75. #define SET_NODE_TREE_INDEX(a, v) {\

  76.   a[15] = (a[15] & 3) | ((v << 2) & 255);\

  77.   a[14] = (v >> 6) & 255;\

  78.   a[13] = (v >> 14) & 255;\

  79.   a[12] = (a[12] & 252) | ((v >> 22) & 3);}

  80. 

  81. 

  82. // TODO these defines still need to be merged into the parameter selection

  83. #define H 8

  84. #define K 2

  85. #define N 32

  86. 

  87. typedef struct{

  88.   int h;

  89.   int next_idx;

  90.   unsigned int stackusage;

  91.   unsigned char completed;

  92.   unsigned char node[N];

  93. } treehash_inst;

  94. 

  95. // TODO these data structures need to be non-global (especially for xmss_mt)

  96. unsigned char STACK[(H-K-1)*N];

  97. unsigned int STACKOFFSET = 0;

  98. unsigned char STACKLEVELS[H-K-1];

  99. 

  100. unsigned char AUTH[H*N];

  101. unsigned char KEEP[(H >> 1)*N];

  102. treehash_inst TREEHASH[H-K];

  103. unsigned char RETAIN[((1 << K) - K - 1) * N];

  104. 

  105.   /**

  106.  * Used for pseudorandom keygeneration,

  107.  * generates the seed for the WOTS keypair at address addr

  108.  */

  109. static void get_seed(unsigned char seed[32], const unsigned char *sk_seed, unsigned char addr[16])

  110. {

  111.   // Make sure that chain addr, hash addr, and key bit are 0!

  112.   ZEROISE_OTS_ADDR(addr);

  113.   // Generate pseudorandom value

  114.   prg_with_counter(seed, 32, sk_seed, 32, addr);

  115. }

  116. 

  117. /**

  118.  * Initialize xmss params struct

  119.  * parameter names are the same as in the draft

  120.  */

  121. void xmss_set_params(xmss_params *params, int m, int n, int h, int w)

  122. {

  123.   params->h = h;

  124.   params->m = m;

  125.   params->n = n;

  126.   wots_params wots_par;

  127.   wots_set_params(&wots_par, m, n, w);

  128.   params->wots_par = wots_par;

  129. }

  130. 

  131. /**

  132.  * Initialize xmssmt_params struct

  133.  * parameter names are the same as in the draft

  134.  * 

  135.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  136.  */

  137. void xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w)

  138. {

  139.   if(h % d){

  140.     fprintf(stderr, "d must devide h without remainder!\n");

  141.     return;

  142.   }

  143.   params->h = h;

  144.   params->d = d;

  145.   params->m = m;

  146.   params->n = n;

  147.   params->index_len = (h + 7) / 8;

  148.   xmss_params xmss_par;

  149.   xmss_set_params(&xmss_par, m, n, (h/d), w);

  150.   params->xmss_par = xmss_par;

  151. }

  152. 

  153. /**

  154.  * Computes a leaf from a WOTS public key using an L-tree.

  155.  */

  156. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  157. { 

  158.   unsigned int l = params->wots_par.len;

  159.   unsigned int n = params->n;

  160.   unsigned long i = 0;

  161.   unsigned int height = 0;

  162.   

  163.   //ADRS.setTreeHeight(0);

  164.   SET_LTREE_TREE_HEIGHT(addr,height);

  165.   unsigned long bound;

  166.   while ( l > 1 ) 

  167.   {

  168.      bound = l >> 1; //floor(l / 2); 

  169.      for ( i = 0; i < bound; i = i + 1 ) {

  170.        //ADRS.setTreeIndex(i);

  171.        SET_LTREE_TREE_INDEX(addr,i);

  172.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  173.        hash_2n_n(wots_pk+i*n,wots_pk+i*2*n, pub_seed, addr, n);

  174.      }

  175.      //if ( l % 2 == 1 ) {

  176.      if(l&1)

  177.      {

  178.        //pk[floor(l / 2) + 1] = pk[l];

  179.        memcpy(wots_pk+(l>>1)*n,wots_pk+(l-1)*n, n);

  180.        //l = ceil(l / 2);

  181.        l=(l>>1)+1;

  182.      }

  183.      else

  184.      {

  185.        //l = ceil(l / 2);

  186.        l=(l>>1);

  187.      }     

  188.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  189.      height++;

  190.      SET_LTREE_TREE_HEIGHT(addr,height);

  191.    }

  192.    //return pk[0];

  193.    memcpy(leaf,wots_pk,n);

  194. }

  195. 

  196. /**

  197.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  198.  */

  199. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  200. {

  201.   unsigned char seed[32];

  202.   unsigned char pk[params->wots_par.keysize];

  203. 

  204.   get_seed(seed, sk_seed, ots_addr);

  205.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  206. 

  207.   l_tree(leaf, pk, params, pub_seed, ltree_addr); 

  208. }

  209. 

  210. static int treehash_minheight_on_stack(const xmss_params *params, const treehash_inst *treehash) {

  211.   int r = params->h, i;

  212.   for (i = 0; i < treehash->stackusage; i++) {

  213.     if (STACKLEVELS[STACKOFFSET - i - 1] < r) {

  214.       r = STACKLEVELS[STACKOFFSET - i - 1];

  215.     }

  216.   }

  217.   return r;

  218. }

  219. 

  220. /**

  221.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  222.  * Currently only used for key generation.

  223.  * 

  224.  */

  225. static void treehash_setup(unsigned char *node, int height, int index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  226. {

  227. 

  228.   unsigned int idx = index;

  229.   unsigned int n = params->n;

  230.   // use three different addresses because at this point we use all three formats in parallel

  231.   unsigned char ots_addr[16];

  232.   unsigned char ltree_addr[16];

  233.   unsigned char node_addr[16];

  234.   memcpy(ots_addr, addr, 10);

  235.   SET_OTS_BIT(ots_addr, 1);

  236.   memcpy(ltree_addr, addr, 10);

  237.   SET_OTS_BIT(ltree_addr, 0);

  238.   SET_LTREE_BIT(ltree_addr, 1);

  239.   memcpy(node_addr, ltree_addr, 10);

  240.   SET_LTREE_BIT(node_addr, 0);

  241.   SET_NODE_PADDING(node_addr);

  242.   

  243.   int lastnode,i;

  244.   unsigned char stack[(height+1)*n];

  245.   unsigned int  stacklevels[height+1];

  246.   unsigned int  stackoffset=0;

  247.   

  248.   int nodeh;

  249. 

  250.   lastnode = idx+(1<<height);

  251. 

  252.   for(i = 0; i < H-K; i++) {

  253.     TREEHASH[i].h = i;

  254.     TREEHASH[i].completed = 1;

  255.     TREEHASH[i].stackusage = 0;

  256.   }

  257. 

  258.   i = 0;

  259.   for(;idx<lastnode;idx++) 

  260.   {

  261.     SET_LTREE_ADDRESS(ltree_addr,idx);

  262.     SET_OTS_ADDRESS(ots_addr,idx);

  263.     gen_leaf_wots(stack+stackoffset*n,sk_seed,params, pub_seed, ltree_addr, ots_addr);

  264.     stacklevels[stackoffset] = 0;

  265.     stackoffset++;

  266.     if (H - K > 0 && i == 3) {

  267.       memcpy(TREEHASH[0].node, stack+stackoffset*n, n);

  268.     }

  269.     while(stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])

  270.     {

  271.       nodeh = stacklevels[stackoffset-1];

  272.       if (i >> nodeh == 1) {

  273.         memcpy(AUTH + nodeh*n, stack+(stackoffset-1)*n, n);

  274.       }

  275.       else {

  276.         if (nodeh < H - K && i >> nodeh == 3) {

  277.           memcpy(TREEHASH[nodeh].node, stack+(stackoffset-1)*n, n);

  278.         }

  279.         else if (nodeh >= H - K) {

  280.           memcpy(RETAIN + ((1 << (H - 1 - nodeh)) + nodeh - H + (((i >> nodeh) - 3) >> 1)) * n, stack+(stackoffset-1)*n, n);

  281.         }

  282.       }

  283.       SET_NODE_TREE_HEIGHT(node_addr,stacklevels[stackoffset-1]);

  284.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  285.       hash_2n_n(stack+(stackoffset-2)*n,stack+(stackoffset-2)*n, pub_seed,

  286.           node_addr, n);

  287.       stacklevels[stackoffset-2]++;

  288.       stackoffset--;

  289.     }

  290.     i++;

  291.   }

  292. 

  293.   for(i=0;i<n;i++)

  294.     node[i] = stack[i];

  295. }

  296. 

  297. static void treehash_update(treehash_inst *treehash, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16]) {

  298.   int n = params->n;

  299. 

  300.   unsigned char ots_addr[16];

  301.   unsigned char ltree_addr[16];

  302.   unsigned char node_addr[16];

  303. 

  304.   memcpy(ots_addr, addr, 10);

  305.   SET_OTS_BIT(ots_addr, 1);

  306.   memcpy(ltree_addr, addr, 10);

  307.   SET_OTS_BIT(ltree_addr, 0);

  308.   SET_LTREE_BIT(ltree_addr, 1);

  309.   memcpy(node_addr, ltree_addr, 10);

  310.   SET_LTREE_BIT(node_addr, 0);

  311.   SET_NODE_PADDING(node_addr);

  312. 

  313.   SET_LTREE_ADDRESS(ltree_addr, treehash->next_idx);

  314.   SET_OTS_ADDRESS(ots_addr, treehash->next_idx);

  315. 

  316.   unsigned char nodebuffer[2 * n];

  317.   unsigned int nodeheight = 0;

  318.   gen_leaf_wots(nodebuffer, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  319.   while (treehash->stackusage > 0 && STACKLEVELS[STACKOFFSET-1] == nodeheight) {

  320.     memcpy(nodebuffer + n, nodebuffer, n);

  321.     memcpy(nodebuffer, STACK + (STACKOFFSET-1)*n, n);

  322.     SET_NODE_TREE_HEIGHT(node_addr, nodeheight);

  323.     SET_NODE_TREE_INDEX(node_addr, (treehash->next_idx >> (nodeheight+1)));

  324.     hash_2n_n(nodebuffer, nodebuffer, pub_seed, node_addr, n);

  325.     nodeheight++;

  326.     treehash->stackusage--;

  327.     STACKOFFSET--;

  328.   }

  329.   if (nodeheight == treehash->h) { // this also implies stackusage == 0

  330.     memcpy(treehash->node, nodebuffer, n);

  331.     treehash->completed = 1;

  332.   }

  333.   else {

  334.     memcpy(STACK + STACKOFFSET*n, nodebuffer, n);

  335.     treehash->stackusage++;

  336.     STACKLEVELS[STACKOFFSET] = nodeheight;

  337.     STACKOFFSET++;

  338.     treehash->next_idx++;

  339.   }

  340. }

  341. 

  342. /**

  343.  * Computes a root node given a leaf and an authapth

  344.  */

  345. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  346. {

  347.   unsigned int n = params->n;

  348.   

  349.   int i,j;

  350.   unsigned char buffer[2*n];

  351. 

  352.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  353.   // Otherwise, it is the other way around

  354.   if(leafidx&1)

  355.   {

  356.     for(j=0;j<n;j++)

  357.       buffer[n+j] = leaf[j];

  358.     for(j=0;j<n;j++)

  359.       buffer[j] = authpath[j];

  360.   }

  361.   else

  362.   {

  363.     for(j=0;j<n;j++)

  364.       buffer[j] = leaf[j];

  365.     for(j=0;j<n;j++)

  366.       buffer[n+j] = authpath[j];

  367.   }

  368.   authpath += n;

  369. 

  370.   for(i=0;i<params->h-1;i++)

  371.   {

  372.     SET_NODE_TREE_HEIGHT(addr,i);

  373.     leafidx >>= 1;

  374.     SET_NODE_TREE_INDEX(addr, leafidx);

  375.     if(leafidx&1)

  376.     {

  377.       hash_2n_n(buffer+n,buffer,pub_seed, addr, n);

  378.       for(j=0;j<n;j++)

  379.         buffer[j] = authpath[j];

  380.     }

  381.     else

  382.     {

  383.       hash_2n_n(buffer,buffer,pub_seed, addr, n);

  384.       for(j=0;j<n;j++)

  385.         buffer[j+n] = authpath[j];

  386.     }

  387.     authpath += n;

  388.   }

  389.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  390.   leafidx >>= 1;

  391.   SET_NODE_TREE_INDEX(addr, leafidx);

  392.   hash_2n_n(root,buffer,pub_seed,addr,n);

  393. }

  394. 

  395. /**

  396.  * Returns the auth path for node leaf_idx and computes the auth path for the

  397.  * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo

  398.  * in "Post Quantum Cryptography", Springer 2009.

  399.  */

  400. static void compute_authpath_wots_fast(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  401. {

  402.   unsigned int i, j;

  403.   int n = params->n;

  404.   int h = params->h;

  405.   int k = K; // TODO retrieve this from params instead

  406. 

  407.   // the auth path was already computed during the previous round

  408.   memcpy(authpath, AUTH, h*n);

  409.   // TODO but we don't have the root handy yet.

  410.   // memcpy(root, ???, n);

  411. 

  412.   int tau = h;

  413.   int startidx;

  414.   int offset, rowidx;

  415.   int level, l_min, low;

  416.   unsigned char buf[2 * n];

  417. 

  418.   unsigned char ots_addr[16];

  419.   unsigned char ltree_addr[16];

  420.   unsigned char node_addr[16];

  421.   

  422.   memcpy(ots_addr, addr, 10);

  423.   SET_OTS_BIT(ots_addr, 1);

  424.   memcpy(ltree_addr, addr, 10);

  425.   SET_OTS_BIT(ltree_addr, 0);

  426.   SET_LTREE_BIT(ltree_addr, 1);

  427.   memcpy(node_addr, ltree_addr, 10);

  428.   SET_LTREE_BIT(node_addr, 0);

  429.   SET_NODE_PADDING(node_addr);

  430. 

  431.   for (i = 0; i < h; i++) {

  432.     if (! ((leaf_idx >> i) & 1)) {

  433.       tau = i;

  434.       break;

  435.     }

  436.   }

  437. 

  438.   if (tau > 0) {

  439.     memcpy(buf,     AUTH + (tau-1) * n, n);

  440.     // we need to do this before refreshing KEEP to prevent overwriting

  441.     memcpy(buf + n, KEEP + ((tau-1) >> 1) * n, n);

  442.   }

  443.   if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) {

  444.     memcpy(KEEP + (tau >> 1)*n, AUTH + tau*n, n);

  445.   }

  446.   if (tau == 0) {

  447.     SET_LTREE_ADDRESS(ltree_addr,leaf_idx);

  448.     SET_OTS_ADDRESS(ots_addr,leaf_idx);

  449.     gen_leaf_wots(AUTH, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  450.   }

  451.   else {

  452.     SET_NODE_TREE_HEIGHT(node_addr, (tau-1));

  453.     SET_NODE_TREE_INDEX(node_addr, leaf_idx >> tau);

  454.     hash_2n_n(AUTH + tau * n, buf, pub_seed, node_addr, n);

  455.     for (i = 0; i < tau; i++) {

  456.       if (i < h - k) {

  457.         memcpy(AUTH + i * n, TREEHASH[i].node, n);

  458.       }

  459.       else {

  460.         offset = (1 << (h - 1 - i)) + i - h;

  461.         rowidx = ((leaf_idx >> i) - 1) >> 1;

  462.         memcpy(AUTH + i * n, RETAIN + (offset + rowidx) * n, n);

  463.       }

  464.     }

  465. 

  466.     for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) {

  467.       startidx = leaf_idx + 1 + 3 * (1 << i);

  468.       if (startidx < 1 << h) {

  469.         TREEHASH[i].h = i;

  470.         TREEHASH[i].next_idx = startidx;

  471.         TREEHASH[i].completed = 0;

  472.       }

  473.     }

  474.   }

  475. 

  476.   for (i = 0; i < (h - k) >> 1; i++) {

  477.     l_min = h;

  478.     level = h - k;

  479.     for (j = 0; j < h - k; j++) {

  480.       if (TREEHASH[j].completed) {

  481.         low = h;

  482.       }

  483.       else if (TREEHASH[j].stackusage == 0) {

  484.         low = j;

  485.       }

  486.       else {

  487.         low = treehash_minheight_on_stack(params, &TREEHASH[j]);

  488.       }

  489.       if (low < l_min) {

  490.         level = j;

  491.         l_min = low;

  492.       }

  493.     }

  494.     if (level != h - k) {

  495.       treehash_update(&TREEHASH[level], sk_seed, params, pub_seed, addr);

  496.     }

  497.   }

  498. }

  499. 

  500. /*

  501.  * Generates a XMSS key pair for a given parameter set.

  502.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  503.  * Format pk: [root || PUB_SEED] omitting algo oid.

  504.  */

  505. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  506. {

  507.   unsigned int n = params->n;

  508.   unsigned int m = params->m;

  509.   // Set idx = 0

  510.   sk[0] = 0;

  511.   sk[1] = 0;

  512.   sk[2] = 0;

  513.   sk[3] = 0;

  514.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  515.   randombytes(sk+4,2*n+m);

  516.   // Copy PUB_SEED to public key

  517.   memcpy(pk+n, sk+4+n+m,n);

  518. 

  519.   unsigned char addr[16] = {0,0,0,0};

  520.   // Compute root

  521.   treehash_setup(pk, params->h, 0, sk+4, params, sk+4+n+m, addr);

  522.   return 0;

  523. }

  524. 

  525. /**

  526.  * Signs a message.

  527.  * Returns 

  528.  * 1. an array containing the signature followed by the message AND

  529.  * 2. an updated secret key!

  530.  * 

  531.  */

  532. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  533. {

  534.   unsigned int n = params->n;

  535.   unsigned int m = params->m;

  536.   

  537.   // Extract SK

  538.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  539.   unsigned char sk_seed[n];

  540.   memcpy(sk_seed,sk+4,n);

  541.   unsigned char sk_prf[m];

  542.   memcpy(sk_prf,sk+4+n,m);

  543.   unsigned char pub_seed[n];

  544.   memcpy(pub_seed,sk+4+n+m,n);  

  545.   

  546.   // Update SK

  547.   sk[0] = ((idx + 1) >> 24) & 255;

  548.   sk[1] = ((idx + 1) >> 16) & 255;

  549.   sk[2] = ((idx + 1) >> 8) & 255;

  550.   sk[3] = (idx + 1) & 255;

  551.   // -- Secret key for this non-forward-secure version is now updated. 

  552.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point! 

  553.   

  554.   // Init working params

  555.   unsigned long long i;

  556.   unsigned char R[m];

  557.   unsigned char msg_h[m];

  558.   unsigned char root[n];

  559.   unsigned char ots_seed[n];

  560.   unsigned char ots_addr[16] = {0,0,0,0};

  561.   

  562.   // ---------------------------------

  563.   // Message Hashing

  564.   // ---------------------------------

  565.   

  566.   // Message Hash: 

  567.   // First compute pseudorandom key

  568.   prf_m(R, msg, msglen, sk_prf, m); 

  569.   // Then use it for message digest

  570.   hash_m(msg_h, msg, msglen, R, m, m);

  571.   

  572.   // Start collecting signature

  573.   *sig_msg_len = 0;

  574. 

  575.   // Copy index to signature

  576.   sig_msg[0] = (idx >> 24) & 255;

  577.   sig_msg[1] = (idx >> 16) & 255;

  578.   sig_msg[2] = (idx >> 8) & 255;

  579.   sig_msg[3] = idx & 255;

  580.   

  581.   sig_msg += 4;

  582.   *sig_msg_len += 4;

  583.   

  584.   // Copy R to signature

  585.   for(i=0; i<m; i++)

  586.     sig_msg[i] = R[i];

  587. 

  588.   sig_msg += m;

  589.   *sig_msg_len += m;

  590.   

  591.   // ----------------------------------

  592.   // Now we start to "really sign" 

  593.   // ----------------------------------

  594.   

  595.   // Prepare Address

  596.   SET_OTS_BIT(ots_addr,1);

  597.   SET_OTS_ADDRESS(ots_addr,idx);

  598.   

  599.   // Compute seed for OTS key pair

  600.   get_seed(ots_seed, sk_seed, ots_addr);

  601.      

  602.   // Compute WOTS signature

  603.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  604.   

  605.   sig_msg += params->wots_par.keysize;

  606.   *sig_msg_len += params->wots_par.keysize;

  607. 

  608.   compute_authpath_wots_fast(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  609.   sig_msg += params->h*n;

  610.   *sig_msg_len += params->h*n;

  611.   

  612.   //Whipe secret elements?  

  613.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  614. 

  615.   memcpy(sig_msg,msg,msglen);

  616.   *sig_msg_len += msglen;

  617. 

  618.   return 0;

  619. }

  620. 

  621. /**

  622.  * Verifies a given message signature pair under a given public key.

  623.  */

  624. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  625. {

  626.   unsigned int n = params->n;

  627.   unsigned int m = params->m;

  628.     

  629.   unsigned long long i, m_len;

  630.   unsigned long idx=0;

  631.   unsigned char wots_pk[params->wots_par.keysize];

  632.   unsigned char pkhash[n];

  633.   unsigned char root[n];

  634.   unsigned char msg_h[m];

  635.   

  636.   unsigned char pub_seed[n];

  637.   memcpy(pub_seed,pk+n,n);  

  638.   

  639.   // Init addresses

  640.   unsigned char ots_addr[16] = {0,0,0,0};

  641.   unsigned char ltree_addr[16];

  642.   unsigned char node_addr[16];

  643.   

  644.   SET_OTS_BIT(ots_addr, 1);

  645.   

  646.   memcpy(ltree_addr, ots_addr, 10);

  647.   SET_OTS_BIT(ltree_addr, 0);

  648.   SET_LTREE_BIT(ltree_addr, 1);

  649.   

  650.   memcpy(node_addr, ltree_addr, 10);

  651.   SET_LTREE_BIT(node_addr, 0);

  652.   SET_NODE_PADDING(node_addr);  

  653.   

  654.   // Extract index

  655.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  656.   printf("verify:: idx = %lu\n",idx);

  657.   sig_msg += 4;

  658.   sig_msg_len -= 4;

  659.   

  660.   // hash message (recall, R is now on pole position at sig_msg

  661.   unsigned long long tmp_sig_len = m+params->wots_par.keysize+params->h*n;

  662.   m_len = sig_msg_len - tmp_sig_len;

  663.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  664. 

  665.   sig_msg += m;

  666.   sig_msg_len -= m;

  667.   

  668.   //-----------------------

  669.   // Verify signature

  670.   //-----------------------

  671.   

  672.   // Prepare Address

  673.   SET_OTS_ADDRESS(ots_addr,idx);

  674.   // Check WOTS signature 

  675.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  676. 

  677.   sig_msg += params->wots_par.keysize;

  678.   sig_msg_len -= params->wots_par.keysize;

  679.   

  680.   // Compute Ltree

  681.   SET_LTREE_ADDRESS(ltree_addr, idx); 

  682.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  683.   

  684.   // Compute root

  685.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);  

  686. 

  687.   sig_msg += params->h*n;

  688.   sig_msg_len -= params->h*n;

  689.   

  690.   for(i=0;i<n;i++)

  691.     if(root[i] != pk[i])

  692.       goto fail;

  693.   

  694.   *msglen = sig_msg_len;

  695.   for(i=0;i<*msglen;i++)

  696.     msg[i] = sig_msg[i];

  697. 

  698.   return 0;

  699.   

  700.   

  701. fail:

  702.   *msglen = sig_msg_len;

  703.   for(i=0;i<*msglen;i++)

  704.     msg[i] = 0;

  705.   *msglen = -1;

  706.   return -1;

  707. }

  708. 

  709. /*

  710.  * Generates a XMSSMT key pair for a given parameter set.

  711.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  712.  * Format pk: [root || PUB_SEED] omitting algo oid.

  713.  */

  714. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  715. {

  716.   unsigned int n = params->n;

  717.   unsigned int m = params->m;

  718.   unsigned int i;

  719.   // Set idx = 0

  720.   for (i = 0; i < params->index_len; i++){

  721.     sk[i] = 0;

  722.   }

  723.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  724.   randombytes(sk+params->index_len,2*n+m);

  725.   // Copy PUB_SEED to public key

  726.   memcpy(pk+n, sk+params->index_len+n+m,n);

  727. 

  728.   // Set address to point on the single tree on layer d-1

  729.   unsigned char addr[16] = {0,0,0,0};

  730.   SET_LAYER_ADDRESS(addr, (params->d-1));

  731.   

  732.   // Compute root

  733.   treehash_setup(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  734.   return 0;

  735. }

  736. 

  737. /**

  738.  * Signs a message.

  739.  * Returns 

  740.  * 1. an array containing the signature followed by the message AND

  741.  * 2. an updated secret key!

  742.  * 

  743.  */

  744. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  745. {

  746.   unsigned int n = params->n;

  747.   unsigned int m = params->m;

  748.   unsigned int tree_h = params->xmss_par.h;

  749.   unsigned int idx_len = params->index_len;

  750.   unsigned long long idx_tree;

  751.   unsigned long long idx_leaf;

  752.   unsigned long long i;

  753.   

  754.   unsigned char sk_seed[n];

  755.   unsigned char sk_prf[m];

  756.   unsigned char pub_seed[n];

  757.   // Init working params

  758.   unsigned char R[m];

  759.   unsigned char msg_h[m];

  760.   unsigned char root[n];

  761.   unsigned char ots_seed[n];

  762.   unsigned char ots_addr[16] = {0,0,0,0};

  763.   

  764.   // Extract SK

  765.   unsigned long long idx = 0;

  766.   for(i = 0; i < idx_len; i++){

  767.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  768.   }

  769.   

  770.   memcpy(sk_seed,sk+idx_len,n);

  771.   memcpy(sk_prf,sk+idx_len+n,m);

  772.   memcpy(pub_seed,sk+idx_len+n+m,n);  

  773.   

  774.   // Update SK

  775.   for(i = 0; i < idx_len; i++){

  776.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  777.   }

  778.   // -- Secret key for this non-forward-secure version is now updated. 

  779.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point! 

  780.   

  781.   

  782.   // ---------------------------------

  783.   // Message Hashing

  784.   // ---------------------------------

  785.   

  786.   // Message Hash: 

  787.   // First compute pseudorandom key

  788.   prf_m(R, msg, msglen, sk_prf, m); 

  789.   // Then use it for message digest

  790.   hash_m(msg_h, msg, msglen, R, m, m);

  791.   

  792.   // Start collecting signature

  793.   *sig_msg_len = 0;

  794. 

  795.   // Copy index to signature

  796.   for(i = 0; i < idx_len; i++){

  797.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  798.   }

  799.   

  800.   sig_msg += idx_len;

  801.   *sig_msg_len += idx_len;

  802.   

  803.   // Copy R to signature

  804.   for(i=0; i<m; i++)

  805.     sig_msg[i] = R[i];

  806. 

  807.   sig_msg += m;

  808.   *sig_msg_len += m;

  809.   

  810.   // ----------------------------------

  811.   // Now we start to "really sign" 

  812.   // ----------------------------------

  813.   

  814.   // Handle lowest layer separately as it is slightly different...

  815.   

  816.   // Prepare Address

  817.   SET_OTS_BIT(ots_addr,1);

  818.   idx_tree = idx >> tree_h;

  819.   idx_leaf = (idx & ((1 << tree_h)-1));

  820.   SET_LAYER_ADDRESS(ots_addr,0);

  821.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  822.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  823.   

  824.   // Compute seed for OTS key pair

  825.   get_seed(ots_seed, sk_seed, ots_addr);

  826.      

  827.   // Compute WOTS signature

  828.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  829.   

  830.   sig_msg += params->xmss_par.wots_par.keysize;

  831.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  832. 

  833.   compute_authpath_wots_fast(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  834.   sig_msg += tree_h*n;

  835.   *sig_msg_len += tree_h*n;

  836.   

  837.   // Now loop over remaining layers...

  838.   unsigned int j;

  839.   for(j = 1; j < params->d; j++){

  840.     // Prepare Address

  841.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  842.     idx_tree = idx_tree >> tree_h;

  843.     SET_LAYER_ADDRESS(ots_addr,j);

  844.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  845.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  846.     

  847.     // Compute seed for OTS key pair

  848.     get_seed(ots_seed, sk_seed, ots_addr);

  849.       

  850.     // Compute WOTS signature

  851.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  852.     

  853.     sig_msg += params->xmss_par.wots_par.keysize;

  854.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  855. 

  856.     compute_authpath_wots_fast(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  857.     sig_msg += tree_h*n;

  858.     *sig_msg_len += tree_h*n;   

  859.   }

  860.   

  861.   //Whipe secret elements?  

  862.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  863. 

  864.   memcpy(sig_msg,msg,msglen);

  865.   *sig_msg_len += msglen;

  866. 

  867.   return 0;

  868. }

  869. 

  870. /**

  871.  * Verifies a given message signature pair under a given public key.

  872.  */

  873. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  874. {

  875.   unsigned int n = params->n;

  876.   unsigned int m = params->m;

  877.   

  878.   unsigned int tree_h = params->xmss_par.h;

  879.   unsigned int idx_len = params->index_len;

  880.   unsigned long long idx_tree;

  881.   unsigned long long idx_leaf;

  882.   

  883.   unsigned long long i, m_len;

  884.   unsigned long long idx=0;

  885.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  886.   unsigned char pkhash[n];

  887.   unsigned char root[n];

  888.   unsigned char msg_h[m];

  889.   

  890.   unsigned char pub_seed[n];

  891.   memcpy(pub_seed,pk+n,n);  

  892.   

  893.   // Init addresses

  894.   unsigned char ots_addr[16] = {0,0,0,0};

  895.   unsigned char ltree_addr[16];

  896.   unsigned char node_addr[16];

  897.   

  898.   // Extract index

  899.   for(i = 0; i < idx_len; i++){

  900.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  901.   }

  902.   printf("verify:: idx = %llu\n",idx);

  903.   sig_msg += idx_len;

  904.   sig_msg_len -= idx_len;

  905.   

  906.   // hash message (recall, R is now on pole position at sig_msg

  907.   unsigned long long tmp_sig_len = m+ (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  908.   m_len = sig_msg_len - tmp_sig_len;

  909.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);

  910. 

  911.   sig_msg += m;

  912.   sig_msg_len -= m;

  913.   

  914.   //-----------------------

  915.   // Verify signature

  916.   //-----------------------

  917.   

  918.   // Prepare Address

  919.   idx_tree = idx >> tree_h;

  920.   idx_leaf = (idx & ((1 << tree_h)-1));

  921.   SET_LAYER_ADDRESS(ots_addr,0);

  922.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  923.   SET_OTS_BIT(ots_addr, 1);

  924.   

  925.   memcpy(ltree_addr, ots_addr, 10);

  926.   SET_OTS_BIT(ltree_addr, 0);

  927.   SET_LTREE_BIT(ltree_addr, 1);

  928.   

  929.   memcpy(node_addr, ltree_addr, 10);

  930.   SET_LTREE_BIT(node_addr, 0);

  931.   SET_NODE_PADDING(node_addr);  

  932.   

  933.   SET_OTS_ADDRESS(ots_addr,idx_leaf);

  934.   

  935.   // Check WOTS signature 

  936.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  937. 

  938.   sig_msg += params->xmss_par.wots_par.keysize;

  939.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  940.   

  941.   // Compute Ltree

  942.   SET_LTREE_ADDRESS(ltree_addr, idx_leaf); 

  943.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  944.   

  945.   // Compute root

  946.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);  

  947. 

  948.   sig_msg += tree_h*n;

  949.   sig_msg_len -= tree_h*n;

  950.   

  951.   for(i = 1; i < params->d; i++){

  952.     // Prepare Address

  953.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  954.     idx_tree = idx_tree >> tree_h;

  955.     

  956.     SET_LAYER_ADDRESS(ots_addr,i);

  957.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  958.     SET_OTS_BIT(ots_addr, 1);

  959.     

  960.     memcpy(ltree_addr, ots_addr, 10);

  961.     SET_OTS_BIT(ltree_addr, 0);

  962.     SET_LTREE_BIT(ltree_addr, 1);

  963.     

  964.     memcpy(node_addr, ltree_addr, 10);

  965.     SET_LTREE_BIT(node_addr, 0);

  966.     SET_NODE_PADDING(node_addr);  

  967.     

  968.     SET_OTS_ADDRESS(ots_addr,idx_leaf);

  969.     

  970.     // Check WOTS signature 

  971.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  972. 

  973.     sig_msg += params->xmss_par.wots_par.keysize;

  974.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  975.     

  976.     // Compute Ltree

  977.     SET_LTREE_ADDRESS(ltree_addr, idx_leaf); 

  978.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  979.     

  980.     // Compute root

  981.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);  

  982. 

  983.     sig_msg += tree_h*n;

  984.     sig_msg_len -= tree_h*n;

  985.     

  986.   }

  987.   

  988.   for(i=0;i<n;i++)

  989.     if(root[i] != pk[i])

  990.       goto fail;

  991.   

  992.   *msglen = sig_msg_len;

  993.   for(i=0;i<*msglen;i++)

  994.     msg[i] = sig_msg[i];

  995. 

  996.   return 0;

  997.   

  998.   

  999. fail:

  1000.   *msglen = sig_msg_len;

  1001.   for(i=0;i<*msglen;i++)

  1002.     msg[i] = 0;

  1003.   *msglen = -1;

  1004.   return -1;

  1005. }