kris
/
xmss-KAT-generator
1
0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Версии 0 Уики Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36 Ревизии
1 Клон
488 KiB
 
 
ИН на ревизия: c37b9dcfca
Клонове Маркери
${ item.name }
Create branch ${ searchTerm }
от 'c37b9dcfca'
${ noResults }
xmss-KAT-generator/xmss.c

821 lines
22 KiB
Директен файл Blame История 

  1. /*

  2. xmss.c version 20160210

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. #include "prg.h"

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. 

  21. // For testing

  22. #include "stdio.h"

  23. 

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes n byte sk_seed and returns n byte seed using 16 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, unsigned char addr[16])

  32. {

  33.   // Make sure that chain addr, hash addr, and key bit are 0!

  34.   ZEROISE_OTS_ADDR(addr);

  35.   // Generate pseudorandom value

  36.   prg_with_counter(seed, sk_seed, n, addr);

  37. }

  38. 

  39. /**

  40.  * Initialize xmss params struct

  41.  * parameter names are the same as in the draft

  42.  */

  43. void xmss_set_params(xmss_params *params, int m, int n, int h, int w)

  44. {

  45.   params->h = h;

  46.   params->m = m;

  47.   params->n = n;

  48.   wots_params wots_par;

  49.   wots_set_params(&wots_par, m, n, w);

  50.   params->wots_par = wots_par;

  51. }

  52. 

  53. /**

  54.  * Initialize xmssmt_params struct

  55.  * parameter names are the same as in the draft

  56.  *

  57.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  58.  */

  59. void xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w)

  60. {

  61.   if (h % d) {

  62.     fprintf(stderr, "d must devide h without remainder!\n");

  63.     return;

  64.   }

  65.   params->h = h;

  66.   params->d = d;

  67.   params->m = m;

  68.   params->n = n;

  69.   params->index_len = (h + 7) / 8;

  70.   xmss_params xmss_par;

  71.   xmss_set_params(&xmss_par, m, n, (h/d), w);

  72.   params->xmss_par = xmss_par;

  73. }

  74. 

  75. /**

  76.  * Computes a leaf from a WOTS public key using an L-tree.

  77.  */

  78. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  79. {

  80.   unsigned int l = params->wots_par.len;

  81.   unsigned int n = params->n;

  82.   unsigned long i = 0;

  83.   unsigned int height = 0;

  84. 

  85.   //ADRS.setTreeHeight(0);

  86.   SET_LTREE_TREE_HEIGHT(addr, height);

  87.   unsigned long bound;

  88.   while (l > 1) {

  89.      bound = l >> 1; //floor(l / 2);

  90.      for (i = 0; i < bound; i++) {

  91.        //ADRS.setTreeIndex(i);

  92.        SET_LTREE_TREE_INDEX(addr, i);

  93.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  94.        hash_2n_n(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);

  95.      }

  96.      //if ( l % 2 == 1 ) {

  97.      if (l & 1) {

  98.        //pk[floor(l / 2) + 1] = pk[l];

  99.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  100.        //l = ceil(l / 2);

  101.        l=(l>>1)+1;

  102.      }

  103.      else {

  104.        //l = ceil(l / 2);

  105.        l=(l>>1);

  106.      }

  107.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  108.      height++;

  109.      SET_LTREE_TREE_HEIGHT(addr, height);

  110.    }

  111.    //return pk[0];

  112.    memcpy(leaf, wots_pk, n);

  113. }

  114. 

  115. /**

  116.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  117.  */

  118. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])

  119. {

  120.   unsigned char seed[params->n];

  121.   unsigned char pk[params->wots_par.keysize];

  122. 

  123.   get_seed(seed, sk_seed, params->n, ots_addr);

  124.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  125. 

  126.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  127. }

  128. 

  129. /**

  130.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  131.  * Currently only used for key generation.

  132.  *

  133.  */

  134. static void treehash(unsigned char *node, int height, int index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])

  135. {

  136. 

  137.   unsigned int idx = index;

  138.   unsigned int n = params->n;

  139.   // use three different addresses because at this point we use all three formats in parallel

  140.   unsigned char ots_addr[16];

  141.   unsigned char ltree_addr[16];

  142.   unsigned char node_addr[16];

  143.   memcpy(ots_addr, addr, 10);

  144.   SET_OTS_BIT(ots_addr, 1);

  145.   memcpy(ltree_addr, addr, 10);

  146.   SET_OTS_BIT(ltree_addr, 0);

  147.   SET_LTREE_BIT(ltree_addr, 1);

  148.   memcpy(node_addr, ltree_addr, 10);

  149.   SET_LTREE_BIT(node_addr, 0);

  150.   SET_NODE_PADDING(node_addr);

  151. 

  152.   unsigned int lastnode, i;

  153.   unsigned char stack[(height+1)*n];

  154.   unsigned int stacklevels[height+1];

  155.   unsigned int stackoffset=0;

  156. 

  157.   lastnode = idx+(1 << height);

  158. 

  159.   for (; idx < lastnode; idx++) {

  160.     SET_LTREE_ADDRESS(ltree_addr, idx);

  161.     SET_OTS_ADDRESS(ots_addr, idx);

  162.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  163.     stacklevels[stackoffset] = 0;

  164.     stackoffset++;

  165.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  166.       SET_NODE_TREE_HEIGHT(node_addr, stacklevels[stackoffset-1]);

  167.       SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  168.       hash_2n_n(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  169.           node_addr, n);

  170.       stacklevels[stackoffset-2]++;

  171.       stackoffset--;

  172.     }

  173.   }

  174.   for (i=0; i < n; i++)

  175.     node[i] = stack[i];

  176. }

  177. 

  178. /**

  179.  * Computes a root node given a leaf and an authapth

  180.  */

  181. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])

  182. {

  183.   unsigned int n = params->n;

  184. 

  185.   unsigned int i, j;

  186.   unsigned char buffer[2*n];

  187. 

  188.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  189.   // Otherwise, it is the other way around

  190.   if (leafidx & 1) {

  191.     for (j = 0; j < n; j++)

  192.       buffer[n+j] = leaf[j];

  193.     for (j = 0; j < n; j++)

  194.       buffer[j] = authpath[j];

  195.   }

  196.   else {

  197.     for (j = 0; j < n; j++)

  198.       buffer[j] = leaf[j];

  199.     for (j = 0; j < n; j++)

  200.       buffer[n+j] = authpath[j];

  201.   }

  202.   authpath += n;

  203. 

  204.   for (i=0; i < params->h-1; i++) {

  205.     SET_NODE_TREE_HEIGHT(addr, i);

  206.     leafidx >>= 1;

  207.     SET_NODE_TREE_INDEX(addr, leafidx);

  208.     if (leafidx&1) {

  209.       hash_2n_n(buffer+n, buffer, pub_seed, addr, n);

  210.       for (j = 0; j < n; j++)

  211.         buffer[j] = authpath[j];

  212.     }

  213.     else {

  214.       hash_2n_n(buffer, buffer, pub_seed, addr, n);

  215.       for (j = 0; j < n; j++)

  216.         buffer[j+n] = authpath[j];

  217.     }

  218.     authpath += n;

  219.   }

  220.   SET_NODE_TREE_HEIGHT(addr, (params->h-1));

  221.   leafidx >>= 1;

  222.   SET_NODE_TREE_INDEX(addr, leafidx);

  223.   hash_2n_n(root, buffer, pub_seed, addr, n);

  224. }

  225. 

  226. /**

  227.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  228.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  229.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  230.  */

  231. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])

  232. {

  233.   unsigned int i, j, level;

  234.   unsigned int n = params->n;

  235.   unsigned int h = params->h;

  236. 

  237.   unsigned char tree[2*(1<<h)*n];

  238. 

  239.   unsigned char ots_addr[16];

  240.   unsigned char ltree_addr[16];

  241.   unsigned char node_addr[16];

  242. 

  243.   memcpy(ots_addr, addr, 10);

  244.   SET_OTS_BIT(ots_addr, 1);

  245.   memcpy(ltree_addr, addr, 10);

  246.   SET_OTS_BIT(ltree_addr, 0);

  247.   SET_LTREE_BIT(ltree_addr, 1);

  248.   memcpy(node_addr, ltree_addr, 10);

  249.   SET_LTREE_BIT(node_addr, 0);

  250.   SET_NODE_PADDING(node_addr);

  251. 

  252. 

  253.   // Compute all leaves

  254.   for (i = 0; i < (1U << h); i++) {

  255.     SET_LTREE_ADDRESS(ltree_addr, i);

  256.     SET_OTS_ADDRESS(ots_addr, i);

  257.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  258.   }

  259. 

  260. 

  261.   level = 0;

  262.   // Compute tree:

  263.   // Outer loop: For each inner layer

  264.   for (i = (1<<h); i > 1; i>>=1) {

  265.     SET_NODE_TREE_HEIGHT(node_addr, level);

  266.     // Inner loop: for each pair of sibling nodes

  267.     for (j = 0; j < i; j+=2) {

  268.       SET_NODE_TREE_INDEX(node_addr, j>>1);

  269.       hash_2n_n(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n);

  270.     }

  271.     level++;

  272.   }

  273. 

  274.   // copy authpath

  275.   for (i=0; i < h; i++)

  276.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  277. 

  278.   // copy root

  279.   memcpy(root, tree+n, n);

  280. }

  281. 

  282. 

  283. /*

  284.  * Generates a XMSS key pair for a given parameter set.

  285.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  286.  * Format pk: [root || PUB_SEED] omitting algo oid.

  287.  */

  288. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  289. {

  290.   unsigned int n = params->n;

  291.   unsigned int m = params->m;

  292.   // Set idx = 0

  293.   sk[0] = 0;

  294.   sk[1] = 0;

  295.   sk[2] = 0;

  296.   sk[3] = 0;

  297.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  298.   randombytes(sk+4, 2*n+m);

  299.   // Copy PUB_SEED to public key

  300.   memcpy(pk+n, sk+4+n+m, n);

  301. 

  302.   unsigned char addr[16] = {0, 0, 0, 0};

  303.   // Compute root

  304.   treehash(pk, params->h, 0, sk+4, params, sk+4+n+m, addr);

  305.   return 0;

  306. }

  307. 

  308. /**

  309.  * Signs a message.

  310.  * Returns

  311.  * 1. an array containing the signature followed by the message AND

  312.  * 2. an updated secret key!

  313.  *

  314.  */

  315. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  316. {

  317.   unsigned int n = params->n;

  318.   unsigned int m = params->m;

  319. 

  320.   // Extract SK

  321.   unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  322.   unsigned char sk_seed[n];

  323.   memcpy(sk_seed, sk+4, n);

  324.   unsigned char sk_prf[m];

  325.   memcpy(sk_prf, sk+4+n, m);

  326.   unsigned char pub_seed[n];

  327.   memcpy(pub_seed, sk+4+n+m, n);

  328.   

  329.   unsigned char hash_key[2*m];

  330.   unsigned long long i; 

  331.   for(i = 0; i < m-4; i++){

  332.     hash_key[i] = 0;

  333.   }

  334.   for(i = 0; i < 4; i++){

  335.     hash_key[i+m-4] = sk[i];

  336.   }

  337.   

  338.   // Update SK

  339.   sk[0] = ((idx + 1) >> 24) & 255;

  340.   sk[1] = ((idx + 1) >> 16) & 255;

  341.   sk[2] = ((idx + 1) >> 8) & 255;

  342.   sk[3] = (idx + 1) & 255;

  343.   // -- Secret key for this non-forward-secure version is now updated.

  344.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  345. 

  346.   // Init working params

  347.   unsigned char R[m];

  348.   unsigned char msg_h[m];

  349.   unsigned char root[n];

  350.   unsigned char ots_seed[n];

  351.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  352. 

  353.   // ---------------------------------

  354.   // Message Hashing

  355.   // ---------------------------------

  356. 

  357.   // Message Hash:

  358.   // First compute pseudorandom value

  359.   prf_m(R, msg, msglen, sk_prf, m);

  360.   // Generate hash key (idx || R)

  361.   memcpy(hash_key+m, R, m);

  362.   // Then use it for message digest

  363.   hash_m(msg_h, msg, msglen, hash_key, 2*m, m);

  364. 

  365.   // Start collecting signature

  366.   *sig_msg_len = 0;

  367. 

  368.   // Copy index to signature

  369.   sig_msg[0] = (idx >> 24) & 255;

  370.   sig_msg[1] = (idx >> 16) & 255;

  371.   sig_msg[2] = (idx >> 8) & 255;

  372.   sig_msg[3] = idx & 255;

  373. 

  374.   sig_msg += 4;

  375.   *sig_msg_len += 4;

  376. 

  377.   // Copy R to signature

  378.   for (i = 0; i < m; i++)

  379.     sig_msg[i] = R[i];

  380. 

  381.   sig_msg += m;

  382.   *sig_msg_len += m;

  383. 

  384.   // ----------------------------------

  385.   // Now we start to "really sign"

  386.   // ----------------------------------

  387. 

  388.   // Prepare Address

  389.   SET_OTS_BIT(ots_addr, 1);

  390.   SET_OTS_ADDRESS(ots_addr, idx);

  391. 

  392.   // Compute seed for OTS key pair

  393.   get_seed(ots_seed, sk_seed, n, ots_addr);

  394. 

  395.   // Compute WOTS signature

  396.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  397. 

  398.   sig_msg += params->wots_par.keysize;

  399.   *sig_msg_len += params->wots_par.keysize;

  400. 

  401.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  402.   sig_msg += params->h*n;

  403.   *sig_msg_len += params->h*n;

  404. 

  405.   //Whipe secret elements?

  406.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  407. 

  408.   memcpy(sig_msg, msg, msglen);

  409.   *sig_msg_len += msglen;

  410. 

  411.   return 0;

  412. }

  413. 

  414. /**

  415.  * Verifies a given message signature pair under a given public key.

  416.  */

  417. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  418. {

  419.   unsigned int n = params->n;

  420.   unsigned int m = params->m;

  421. 

  422.   unsigned long long i, m_len;

  423.   unsigned long idx=0;

  424.   unsigned char wots_pk[params->wots_par.keysize];

  425.   unsigned char pkhash[n];

  426.   unsigned char root[n];

  427.   unsigned char msg_h[m];

  428.   unsigned char hash_key[2*m];

  429. 

  430.   unsigned char pub_seed[n];

  431.   memcpy(pub_seed, pk+n, n);

  432. 

  433.   // Init addresses

  434.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  435.   unsigned char ltree_addr[16];

  436.   unsigned char node_addr[16];

  437. 

  438.   SET_OTS_BIT(ots_addr, 1);

  439. 

  440.   memcpy(ltree_addr, ots_addr, 10);

  441.   SET_OTS_BIT(ltree_addr, 0);

  442.   SET_LTREE_BIT(ltree_addr, 1);

  443. 

  444.   memcpy(node_addr, ltree_addr, 10);

  445.   SET_LTREE_BIT(node_addr, 0);

  446.   SET_NODE_PADDING(node_addr);

  447. 

  448.   // Extract index

  449.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  450.   printf("verify:: idx = %lu\n", idx);

  451.   for(i = 0; i < m-4; i++){

  452.     hash_key[i] = 0;

  453.   }

  454.   for(i = 0; i < m+4; i++){

  455.     hash_key[i+m-4] = sig_msg[i];

  456.   }

  457.   sig_msg += (m+4);

  458.   sig_msg_len -= (m+4);

  459. 

  460.   // hash message 

  461.   unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n;

  462.   m_len = sig_msg_len - tmp_sig_len;

  463.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 2*m, m);

  464. 

  465.   //-----------------------

  466.   // Verify signature

  467.   //-----------------------

  468. 

  469.   // Prepare Address

  470.   SET_OTS_ADDRESS(ots_addr, idx);

  471.   // Check WOTS signature

  472.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  473. 

  474.   sig_msg += params->wots_par.keysize;

  475.   sig_msg_len -= params->wots_par.keysize;

  476. 

  477.   // Compute Ltree

  478.   SET_LTREE_ADDRESS(ltree_addr, idx);

  479.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  480. 

  481.   // Compute root

  482.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  483. 

  484.   sig_msg += params->h*n;

  485.   sig_msg_len -= params->h*n;

  486. 

  487.   for (i=0; i < n; i++)

  488.     if (root[i] != pk[i])

  489.       goto fail;

  490. 

  491.   *msglen = sig_msg_len;

  492.   for (i=0; i < *msglen; i++)

  493.     msg[i] = sig_msg[i];

  494. 

  495.   return 0;

  496. 

  497. 

  498. fail:

  499.   *msglen = sig_msg_len;

  500.   for (i=0; i < *msglen; i++)

  501.     msg[i] = 0;

  502.   *msglen = -1;

  503.   return -1;

  504. }

  505. 

  506. /*

  507.  * Generates a XMSSMT key pair for a given parameter set.

  508.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  509.  * Format pk: [root || PUB_SEED] omitting algo oid.

  510.  */

  511. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  512. {

  513.   unsigned int n = params->n;

  514.   unsigned int m = params->m;

  515.   unsigned int i;

  516.   // Set idx = 0

  517.   for (i = 0; i < params->index_len; i++) {

  518.     sk[i] = 0;

  519.   }

  520.   // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)

  521.   randombytes(sk+params->index_len, 2*n+m);

  522.   // Copy PUB_SEED to public key

  523.   memcpy(pk+n, sk+params->index_len+n+m, n);

  524. 

  525.   // Set address to point on the single tree on layer d-1

  526.   unsigned char addr[16] = {0, 0, 0, 0};

  527.   SET_LAYER_ADDRESS(addr, (params->d-1));

  528. 

  529.   // Compute root

  530.   treehash(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  531.   return 0;

  532. }

  533. 

  534. /**

  535.  * Signs a message.

  536.  * Returns

  537.  * 1. an array containing the signature followed by the message AND

  538.  * 2. an updated secret key!

  539.  *

  540.  */

  541. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  542. {

  543.   unsigned int n = params->n;

  544.   unsigned int m = params->m;

  545.   unsigned int tree_h = params->xmss_par.h;

  546.   unsigned int idx_len = params->index_len;

  547.   unsigned long long idx_tree;

  548.   unsigned long long idx_leaf;

  549.   unsigned long long i;

  550. 

  551.   unsigned char sk_seed[n];

  552.   unsigned char sk_prf[m];

  553.   unsigned char pub_seed[n];

  554.   // Init working params

  555.   unsigned char R[m];

  556.   unsigned char hash_key[2*m];

  557.   unsigned char msg_h[m];

  558.   unsigned char root[n];

  559.   unsigned char ots_seed[n];

  560.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  561. 

  562.   // Extract SK

  563.   for(i = 0; i < m-idx_len; i++){

  564.     hash_key[i] = 0;

  565.   }

  566.   unsigned long long idx = 0;

  567.   for (i = 0; i < idx_len; i++) {

  568.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  569.     hash_key[m-idx_len+i] = sk[i];

  570.   }

  571. 

  572.   memcpy(sk_seed, sk+idx_len, n);

  573.   memcpy(sk_prf, sk+idx_len+n, m);

  574.   memcpy(pub_seed, sk+idx_len+n+m, n);

  575. 

  576.   // Update SK

  577.   for (i = 0; i < idx_len; i++) {

  578.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  579.   }

  580.   // -- Secret key for this non-forward-secure version is now updated.

  581.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  582. 

  583. 

  584.   // ---------------------------------

  585.   // Message Hashing

  586.   // ---------------------------------

  587. 

  588.   // Message Hash:

  589.   // First compute pseudorandom key

  590.   prf_m(R, msg, msglen, sk_prf, m);

  591.   

  592.   // Generate hash key (idx || R)

  593.   memcpy(hash_key+m, R, m);

  594.   

  595.   // Then use it for message digest

  596.   hash_m(msg_h, msg, msglen, hash_key, 2*m, m);

  597. 

  598.   // Start collecting signature

  599.   *sig_msg_len = 0;

  600. 

  601.   // Copy index to signature

  602.   for (i = 0; i < idx_len; i++) {

  603.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  604.   }

  605. 

  606.   sig_msg += idx_len;

  607.   *sig_msg_len += idx_len;

  608. 

  609.   // Copy R to signature

  610.   for (i=0; i < m; i++)

  611.     sig_msg[i] = R[i];

  612. 

  613.   sig_msg += m;

  614.   *sig_msg_len += m;

  615. 

  616.   // ----------------------------------

  617.   // Now we start to "really sign"

  618.   // ----------------------------------

  619. 

  620.   // Handle lowest layer separately as it is slightly different...

  621. 

  622.   // Prepare Address

  623.   SET_OTS_BIT(ots_addr, 1);

  624.   idx_tree = idx >> tree_h;

  625.   idx_leaf = (idx & ((1 << tree_h)-1));

  626.   SET_LAYER_ADDRESS(ots_addr, 0);

  627.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  628.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  629. 

  630.   // Compute seed for OTS key pair

  631.   get_seed(ots_seed, sk_seed, n, ots_addr);

  632. 

  633.   // Compute WOTS signature

  634.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  635. 

  636.   sig_msg += params->xmss_par.wots_par.keysize;

  637.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  638. 

  639.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  640.   sig_msg += tree_h*n;

  641.   *sig_msg_len += tree_h*n;

  642. 

  643.   // Now loop over remaining layers...

  644.   unsigned int j;

  645.   for (j = 1; j < params->d; j++) {

  646.     // Prepare Address

  647.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  648.     idx_tree = idx_tree >> tree_h;

  649.     SET_LAYER_ADDRESS(ots_addr, j);

  650.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  651.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  652. 

  653.     // Compute seed for OTS key pair

  654.     get_seed(ots_seed, sk_seed, n, ots_addr);

  655. 

  656.     // Compute WOTS signature

  657.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  658. 

  659.     sig_msg += params->xmss_par.wots_par.keysize;

  660.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  661. 

  662.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  663.     sig_msg += tree_h*n;

  664.     *sig_msg_len += tree_h*n;

  665.   }

  666. 

  667.   //Whipe secret elements?

  668.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  669. 

  670.   memcpy(sig_msg, msg, msglen);

  671.   *sig_msg_len += msglen;

  672. 

  673.   return 0;

  674. }

  675. 

  676. /**

  677.  * Verifies a given message signature pair under a given public key.

  678.  */

  679. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  680. {

  681.   unsigned int n = params->n;

  682.   unsigned int m = params->m;

  683. 

  684.   unsigned int tree_h = params->xmss_par.h;

  685.   unsigned int idx_len = params->index_len;

  686.   unsigned long long idx_tree;

  687.   unsigned long long idx_leaf;

  688. 

  689.   unsigned long long i, m_len;

  690.   unsigned long long idx=0;

  691.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  692.   unsigned char pkhash[n];

  693.   unsigned char root[n];

  694.   unsigned char msg_h[m];

  695.   unsigned char hash_key[2*m];

  696. 

  697.   unsigned char pub_seed[n];

  698.   memcpy(pub_seed, pk+n, n);

  699. 

  700.   // Init addresses

  701.   unsigned char ots_addr[16] = {0, 0, 0, 0};

  702.   unsigned char ltree_addr[16];

  703.   unsigned char node_addr[16];

  704. 

  705.   // Extract index

  706.   for(i = 0; i < m-idx_len; i++){

  707.     hash_key[i] = 0;

  708.   }

  709.   for (i = 0; i < idx_len; i++) {

  710.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  711.     hash_key[m-idx_len+i] = sig_msg[i];

  712.   }

  713.   printf("verify:: idx = %llu\n", idx);

  714.   sig_msg += idx_len;

  715.   sig_msg_len -= idx_len;

  716. 

  717.   for(i = 0; i < m; i++){

  718.     hash_key[m+i] = sig_msg[i];

  719.   }

  720. 

  721.   sig_msg += m;

  722.   sig_msg_len -= m;

  723.   

  724.   // hash message (recall, R is now on pole position at sig_msg

  725.   unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  726.   m_len = sig_msg_len - tmp_sig_len;

  727.   hash_m(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 2*m, m);

  728. 

  729. 

  730.   //-----------------------

  731.   // Verify signature

  732.   //-----------------------

  733. 

  734.   // Prepare Address

  735.   idx_tree = idx >> tree_h;

  736.   idx_leaf = (idx & ((1 << tree_h)-1));

  737.   SET_LAYER_ADDRESS(ots_addr, 0);

  738.   SET_TREE_ADDRESS(ots_addr, idx_tree);

  739.   SET_OTS_BIT(ots_addr, 1);

  740. 

  741.   memcpy(ltree_addr, ots_addr, 10);

  742.   SET_OTS_BIT(ltree_addr, 0);

  743.   SET_LTREE_BIT(ltree_addr, 1);

  744. 

  745.   memcpy(node_addr, ltree_addr, 10);

  746.   SET_LTREE_BIT(node_addr, 0);

  747.   SET_NODE_PADDING(node_addr);

  748. 

  749.   SET_OTS_ADDRESS(ots_addr, idx_leaf);

  750. 

  751.   // Check WOTS signature

  752.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  753. 

  754.   sig_msg += params->xmss_par.wots_par.keysize;

  755.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  756. 

  757.   // Compute Ltree

  758.   SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  759.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  760. 

  761.   // Compute root

  762.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  763. 

  764.   sig_msg += tree_h*n;

  765.   sig_msg_len -= tree_h*n;

  766. 

  767.   for (i = 1; i < params->d; i++) {

  768.     // Prepare Address

  769.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  770.     idx_tree = idx_tree >> tree_h;

  771. 

  772.     SET_LAYER_ADDRESS(ots_addr, i);

  773.     SET_TREE_ADDRESS(ots_addr, idx_tree);

  774.     SET_OTS_BIT(ots_addr, 1);

  775. 

  776.     memcpy(ltree_addr, ots_addr, 10);

  777.     SET_OTS_BIT(ltree_addr, 0);

  778.     SET_LTREE_BIT(ltree_addr, 1);

  779. 

  780.     memcpy(node_addr, ltree_addr, 10);

  781.     SET_LTREE_BIT(node_addr, 0);

  782.     SET_NODE_PADDING(node_addr);

  783. 

  784.     SET_OTS_ADDRESS(ots_addr, idx_leaf);

  785. 

  786.     // Check WOTS signature

  787.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  788. 

  789.     sig_msg += params->xmss_par.wots_par.keysize;

  790.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  791. 

  792.     // Compute Ltree

  793.     SET_LTREE_ADDRESS(ltree_addr, idx_leaf);

  794.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  795. 

  796.     // Compute root

  797.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  798. 

  799.     sig_msg += tree_h*n;

  800.     sig_msg_len -= tree_h*n;

  801. 

  802.   }

  803. 

  804.   for (i=0; i < n; i++)

  805.     if (root[i] != pk[i])

  806.       goto fail;

  807. 

  808.   *msglen = sig_msg_len;

  809.   for (i=0; i < *msglen; i++)

  810.     msg[i] = sig_msg[i];

  811. 

  812.   return 0;

  813. 

  814. 

  815. fail:

  816.   *msglen = sig_msg_len;

  817.   for (i=0; i < *msglen; i++)

  818.     msg[i] = 0;

  819.   *msglen = -1;

  820.   return -1;

  821. }