- #include <stdlib.h>
- #include <string.h>
- #include <stdint.h>
-
- #include "hash.h"
- #include "hash_address.h"
- #include "params.h"
- #include "wots.h"
- #include "xmss_commons.h"
-
- /**
- * Converts the value of 'in' to 'outlen' bytes in big-endian byte order.
- */
- void ull_to_bytes(unsigned char *out, unsigned int outlen,
- unsigned long long in)
- {
- int i;
-
- /* Iterate over out in decreasing order, for big-endianness. */
- for (i = outlen - 1; i >= 0; i--) {
- out[i] = in & 0xff;
- in = in >> 8;
- }
- }
-
- /**
- * Converts the inlen bytes in 'in' from big-endian byte order to an integer.
- */
- unsigned long long bytes_to_ull(const unsigned char *in, unsigned int inlen)
- {
- unsigned long long retval = 0;
- unsigned int i;
-
- for (i = 0; i < inlen; i++) {
- retval |= ((unsigned long long)in[i]) << (8*(inlen - 1 - i));
- }
- return retval;
- }
-
- /**
- * Computes the leaf at a given address. First generates the WOTS key pair,
- * then computes leaf using l_tree. As this happens position independent, we
- * only require that addr encodes the right ltree-address.
- */
- void gen_leaf_wots(const xmss_params *params, unsigned char *leaf,
- const unsigned char *sk_seed, const unsigned char *pub_seed,
- uint32_t ltree_addr[8], uint32_t ots_addr[8])
- {
- unsigned char seed[params->n];
- unsigned char pk[params->wots_keysize];
-
- get_seed(params, seed, sk_seed, ots_addr);
- wots_pkgen(params, pk, seed, pub_seed, ots_addr);
-
- l_tree(params, leaf, pk, pub_seed, ltree_addr);
- }
-
- /**
- * Used for pseudo-random key generation.
- * Generates the seed for the WOTS key pair at address 'addr'.
- *
- * Takes n-byte sk_seed and returns n-byte seed using 32 byte address 'addr'.
- */
- void get_seed(const xmss_params *params, unsigned char *seed,
- const unsigned char *sk_seed, uint32_t addr[8])
- {
- unsigned char bytes[32];
-
- /* Make sure that chain addr, hash addr, and key bit are zeroed. */
- set_chain_addr(addr, 0);
- set_hash_addr(addr, 0);
- set_key_and_mask(addr, 0);
-
- /* Generate seed. */
- addr_to_bytes(bytes, addr);
- prf(params, seed, bytes, sk_seed, params->n);
- }
-
- /**
- * Computes a leaf node from a WOTS public key using an L-tree.
- * Note that this destroys the used WOTS public key.
- */
- void l_tree(const xmss_params *params,
- unsigned char *leaf, unsigned char *wots_pk,
- const unsigned char *pub_seed, uint32_t addr[8])
- {
- unsigned int l = params->wots_len;
- unsigned int parent_nodes;
- uint32_t i;
- uint32_t height = 0;
-
- set_tree_height(addr, height);
-
- while (l > 1) {
- parent_nodes = l >> 1;
- for (i = 0; i < parent_nodes; i++) {
- set_tree_index(addr, i);
- /* Hashes the nodes at (i*2)*params->n and (i*2)*params->n + 1 */
- hash_h(params, wots_pk + i*params->n,
- wots_pk + (i*2)*params->n, pub_seed, addr);
- }
- /* If the row contained an odd number of nodes, the last node was not
- hashed. Instead, we pull it up to the next layer. */
- if (l & 1) {
- memcpy(wots_pk + (l >> 1)*params->n,
- wots_pk + (l - 1)*params->n, params->n);
- l = (l >> 1) + 1;
- }
- else {
- l = l >> 1;
- }
- height++;
- set_tree_height(addr, height);
- }
- memcpy(leaf, wots_pk, params->n);
- }
-
- /**
- * Computes the randomized message hash.
- */
- void hash_message(const xmss_params *params, unsigned char *mhash,
- const unsigned char *R, const unsigned char *root,
- unsigned long long idx,
- const unsigned char *m, unsigned long long mlen)
- {
- unsigned char hash_key[3*params->n];
-
- /* Compute hash key. */
- memcpy(hash_key, R, params->n);
- memcpy(hash_key + params->n, root, params->n);
- ull_to_bytes(hash_key + 2*params->n, params->n, idx);
-
- /* Hash the message using the randomized hash key. */
- h_msg(params, mhash, m, mlen, hash_key, 3*params->n);
- }
-
- /**
- * Computes a root node given a leaf and an auth path
- */
- static void compute_root(const xmss_params *params, unsigned char *root,
- const unsigned char *leaf, unsigned long leafidx,
- const unsigned char *auth_path,
- const unsigned char *pub_seed, uint32_t addr[8])
- {
- uint32_t i;
- unsigned char buffer[2*params->n];
-
- /* If leafidx is odd (last bit = 1), current path element is a right child
- and auth_path has to go left. Otherwise it is the other way around. */
- if (leafidx & 1) {
- memcpy(buffer + params->n, leaf, params->n);
- memcpy(buffer, auth_path, params->n);
- }
- else {
- memcpy(buffer, leaf, params->n);
- memcpy(buffer + params->n, auth_path, params->n);
- }
- auth_path += params->n;
-
- for (i = 0; i < params->tree_height - 1; i++) {
- set_tree_height(addr, i);
- leafidx >>= 1;
- set_tree_index(addr, leafidx);
-
- /* Pick the right or left neighbor, depending on parity of the node. */
- if (leafidx & 1) {
- hash_h(params, buffer + params->n, buffer, pub_seed, addr);
- memcpy(buffer, auth_path, params->n);
- }
- else {
- hash_h(params, buffer, buffer, pub_seed, addr);
- memcpy(buffer + params->n, auth_path, params->n);
- }
- auth_path += params->n;
- }
-
- /* The last iteration is exceptional; we do not copy an auth)path node. */
- set_tree_height(addr, params->tree_height - 1);
- leafidx >>= 1;
- set_tree_index(addr, leafidx);
- hash_h(params, root, buffer, pub_seed, addr);
- }
-
- /**
- * Verifies a given message signature pair under a given public key.
- * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]
- */
- int xmss_core_sign_open(const xmss_params *params,
- unsigned char *m, unsigned long long *mlen,
- const unsigned char *sm, unsigned long long smlen,
- const unsigned char *pk)
- {
- const unsigned char *pub_seed = pk + params->n;
- unsigned char wots_pk[params->wots_keysize];
- unsigned char leaf[params->n];
- unsigned char root[params->n];
- unsigned char mhash[params->n];
- unsigned long idx;
-
- uint32_t ots_addr[8] = {0};
- uint32_t ltree_addr[8] = {0};
- uint32_t node_addr[8] = {0};
-
- set_type(ots_addr, XMSS_ADDR_TYPE_OTS);
- set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);
- set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);
-
- *mlen = smlen - params->bytes;
-
- /* Convert the index bytes from the signature to an integer. */
- idx = (unsigned long)bytes_to_ull(sm, params->index_len);
-
- /* Compute the message hash. */
- hash_message(params, mhash, sm + params->index_len, pk, idx,
- sm + params->bytes, *mlen);
- sm += params->index_len + params->n;
-
- /* The WOTS public key is only correct if the signature was correct. */
- set_ots_addr(ots_addr, idx);
- wots_pk_from_sig(params, wots_pk, sm, mhash, pub_seed, ots_addr);
- sm += params->wots_keysize;
-
- /* Compute the leaf node using the WOTS public key. */
- set_ltree_addr(ltree_addr, idx);
- l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);
-
- /* Compute the root node. */
- compute_root(params, root, leaf, idx, sm, pub_seed, node_addr);
- sm += params->tree_height*params->n;
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pk, params->n)) {
- /* If not, zero the message */
- memset(m, 0, *mlen);
- *mlen = -1;
- return -1;
- }
-
- /* If verification was successful, copy the message from the signature. */
- memcpy(m, sm, *mlen);
-
- return 0;
- }
-
- /**
- * Verifies a given message signature pair under a given public key.
- * Note that this assumes a pk without an OID, i.e. [root || PUB_SEED]
- */
- int xmssmt_core_sign_open(const xmss_params *params,
- unsigned char *m, unsigned long long *mlen,
- const unsigned char *sm, unsigned long long smlen,
- const unsigned char *pk)
- {
- const unsigned char *pub_seed = pk + params->n;
- unsigned char wots_pk[params->wots_keysize];
- unsigned char leaf[params->n];
- unsigned char root[params->n];
- unsigned char *mhash = root;
- unsigned long long idx = 0;
- unsigned int i;
- uint32_t idx_leaf;
-
- uint32_t ots_addr[8] = {0};
- uint32_t ltree_addr[8] = {0};
- uint32_t node_addr[8] = {0};
-
- set_type(ots_addr, XMSS_ADDR_TYPE_OTS);
- set_type(ltree_addr, XMSS_ADDR_TYPE_LTREE);
- set_type(node_addr, XMSS_ADDR_TYPE_HASHTREE);
-
- *mlen = smlen - params->bytes;
-
- /* Convert the index bytes from the signature to an integer. */
- idx = bytes_to_ull(sm, params->index_len);
-
- /* Compute the message hash. */
- hash_message(params, mhash, sm + params->index_len, pk, idx,
- sm + params->bytes, *mlen);
- sm += params->index_len + params->n;
-
- /* For each subtree.. */
- for (i = 0; i < params->d; i++) {
- idx_leaf = (idx & ((1 << params->tree_height)-1));
- idx = idx >> params->tree_height;
-
- set_layer_addr(ots_addr, i);
- set_layer_addr(ltree_addr, i);
- set_layer_addr(node_addr, i);
-
- set_tree_addr(ltree_addr, idx);
- set_tree_addr(ots_addr, idx);
- set_tree_addr(node_addr, idx);
-
- /* The WOTS public key is only correct if the signature was correct. */
- set_ots_addr(ots_addr, idx_leaf);
- /* Initially, root = mhash, but on subsequent iterations it is the root
- of the subtree below the currently processed subtree. */
- wots_pk_from_sig(params, wots_pk, sm, root, pub_seed, ots_addr);
- sm += params->wots_keysize;
-
- /* Compute the leaf node using the WOTS public key. */
- set_ltree_addr(ltree_addr, idx_leaf);
- l_tree(params, leaf, wots_pk, pub_seed, ltree_addr);
-
- /* Compute the root node of this subtree. */
- compute_root(params, root, leaf, idx_leaf, sm, pub_seed, node_addr);
- sm += params->tree_height*params->n;
- }
-
- /* Check if the root node equals the root node in the public key. */
- if (memcmp(root, pk, params->n)) {
- /* If not, zero the message */
- memset(m, 0, *mlen);
- *mlen = -1;
- return -1;
- }
-
- /* If verification was successful, copy the message from the signature. */
- memcpy(m, sm, *mlen);
-
- return 0;
- }