You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

706 lines
25 KiB

  1. #include <stdlib.h>
  2. #include <string.h>
  3. #include <stdint.h>
  4. #include "hash.h"
  5. #include "hash_address.h"
  6. #include "params.h"
  7. #include "randombytes.h"
  8. #include "wots.h"
  9. #include "xmss_commons.h"
  10. #include "xmss_core_fast.h"
  11. /**
  12. * Initialize BDS state struct
  13. * parameter names are the same as used in the description of the BDS traversal
  14. */
  15. void xmss_set_bds_state(bds_state *state, unsigned char *stack,
  16. int stackoffset, unsigned char *stacklevels,
  17. unsigned char *auth, unsigned char *keep,
  18. treehash_inst *treehash, unsigned char *retain,
  19. int next_leaf)
  20. {
  21. state->stack = stack;
  22. state->stackoffset = stackoffset;
  23. state->stacklevels = stacklevels;
  24. state->auth = auth;
  25. state->keep = keep;
  26. state->treehash = treehash;
  27. state->retain = retain;
  28. state->next_leaf = next_leaf;
  29. }
  30. static int treehash_minheight_on_stack(const xmss_params *params,
  31. bds_state* state,
  32. const treehash_inst *treehash)
  33. {
  34. unsigned int r = params->tree_height, i;
  35. for (i = 0; i < treehash->stackusage; i++) {
  36. if (state->stacklevels[state->stackoffset - i - 1] < r) {
  37. r = state->stacklevels[state->stackoffset - i - 1];
  38. }
  39. }
  40. return r;
  41. }
  42. /**
  43. * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.
  44. * Currently only used for key generation.
  45. *
  46. */
  47. static void treehash_init(const xmss_params *params,
  48. unsigned char *node, int height, int index,
  49. bds_state *state, const unsigned char *sk_seed,
  50. const unsigned char *pub_seed, const uint32_t addr[8])
  51. {
  52. unsigned int idx = index;
  53. // use three different addresses because at this point we use all three formats in parallel
  54. uint32_t ots_addr[8];
  55. uint32_t ltree_addr[8];
  56. uint32_t node_addr[8];
  57. // only copy layer and tree address parts
  58. memcpy(ots_addr, addr, 12);
  59. // type = ots
  60. set_type(ots_addr, 0);
  61. memcpy(ltree_addr, addr, 12);
  62. set_type(ltree_addr, 1);
  63. memcpy(node_addr, addr, 12);
  64. set_type(node_addr, 2);
  65. uint32_t lastnode, i;
  66. unsigned char stack[(height+1)*params->n];
  67. unsigned int stacklevels[height+1];
  68. unsigned int stackoffset=0;
  69. unsigned int nodeh;
  70. lastnode = idx+(1<<height);
  71. for (i = 0; i < params->tree_height-params->bds_k; i++) {
  72. state->treehash[i].h = i;
  73. state->treehash[i].completed = 1;
  74. state->treehash[i].stackusage = 0;
  75. }
  76. i = 0;
  77. for (; idx < lastnode; idx++) {
  78. set_ltree_addr(ltree_addr, idx);
  79. set_ots_addr(ots_addr, idx);
  80. gen_leaf_wots(params, stack+stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);
  81. stacklevels[stackoffset] = 0;
  82. stackoffset++;
  83. if (params->tree_height - params->bds_k > 0 && i == 3) {
  84. memcpy(state->treehash[0].node, stack+stackoffset*params->n, params->n);
  85. }
  86. while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {
  87. nodeh = stacklevels[stackoffset-1];
  88. if (i >> nodeh == 1) {
  89. memcpy(state->auth + nodeh*params->n, stack+(stackoffset-1)*params->n, params->n);
  90. }
  91. else {
  92. if (nodeh < params->tree_height - params->bds_k && i >> nodeh == 3) {
  93. memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*params->n, params->n);
  94. }
  95. else if (nodeh >= params->tree_height - params->bds_k) {
  96. memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((i >> nodeh) - 3) >> 1)) * params->n, stack+(stackoffset-1)*params->n, params->n);
  97. }
  98. }
  99. set_tree_height(node_addr, stacklevels[stackoffset-1]);
  100. set_tree_index(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));
  101. hash_h(params, stack+(stackoffset-2)*params->n, stack+(stackoffset-2)*params->n, pub_seed, node_addr);
  102. stacklevels[stackoffset-2]++;
  103. stackoffset--;
  104. }
  105. i++;
  106. }
  107. for (i = 0; i < params->n; i++) {
  108. node[i] = stack[i];
  109. }
  110. }
  111. static void treehash_update(const xmss_params *params,
  112. treehash_inst *treehash, bds_state *state,
  113. const unsigned char *sk_seed,
  114. const unsigned char *pub_seed,
  115. const uint32_t addr[8])
  116. {
  117. uint32_t ots_addr[8];
  118. uint32_t ltree_addr[8];
  119. uint32_t node_addr[8];
  120. // only copy layer and tree address parts
  121. memcpy(ots_addr, addr, 12);
  122. // type = ots
  123. set_type(ots_addr, 0);
  124. memcpy(ltree_addr, addr, 12);
  125. set_type(ltree_addr, 1);
  126. memcpy(node_addr, addr, 12);
  127. set_type(node_addr, 2);
  128. set_ltree_addr(ltree_addr, treehash->next_idx);
  129. set_ots_addr(ots_addr, treehash->next_idx);
  130. unsigned char nodebuffer[2 * params->n];
  131. unsigned int nodeheight = 0;
  132. gen_leaf_wots(params, nodebuffer, sk_seed, pub_seed, ltree_addr, ots_addr);
  133. while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {
  134. memcpy(nodebuffer + params->n, nodebuffer, params->n);
  135. memcpy(nodebuffer, state->stack + (state->stackoffset-1)*params->n, params->n);
  136. set_tree_height(node_addr, nodeheight);
  137. set_tree_index(node_addr, (treehash->next_idx >> (nodeheight+1)));
  138. hash_h(params, nodebuffer, nodebuffer, pub_seed, node_addr);
  139. nodeheight++;
  140. treehash->stackusage--;
  141. state->stackoffset--;
  142. }
  143. if (nodeheight == treehash->h) { // this also implies stackusage == 0
  144. memcpy(treehash->node, nodebuffer, params->n);
  145. treehash->completed = 1;
  146. }
  147. else {
  148. memcpy(state->stack + state->stackoffset*params->n, nodebuffer, params->n);
  149. treehash->stackusage++;
  150. state->stacklevels[state->stackoffset] = nodeheight;
  151. state->stackoffset++;
  152. treehash->next_idx++;
  153. }
  154. }
  155. /**
  156. * Performs one treehash update on the instance that needs it the most.
  157. * Returns 1 if such an instance was not found
  158. **/
  159. static char bds_treehash_update(const xmss_params *params,
  160. bds_state *state, unsigned int updates,
  161. const unsigned char *sk_seed,
  162. unsigned char *pub_seed,
  163. const uint32_t addr[8])
  164. {
  165. uint32_t i, j;
  166. unsigned int level, l_min, low;
  167. unsigned int used = 0;
  168. for (j = 0; j < updates; j++) {
  169. l_min = params->tree_height;
  170. level = params->tree_height - params->bds_k;
  171. for (i = 0; i < params->tree_height - params->bds_k; i++) {
  172. if (state->treehash[i].completed) {
  173. low = params->tree_height;
  174. }
  175. else if (state->treehash[i].stackusage == 0) {
  176. low = i;
  177. }
  178. else {
  179. low = treehash_minheight_on_stack(params, state, &(state->treehash[i]));
  180. }
  181. if (low < l_min) {
  182. level = i;
  183. l_min = low;
  184. }
  185. }
  186. if (level == params->tree_height - params->bds_k) {
  187. break;
  188. }
  189. treehash_update(params, &(state->treehash[level]), state, sk_seed, pub_seed, addr);
  190. used++;
  191. }
  192. return updates - used;
  193. }
  194. /**
  195. * Updates the state (typically NEXT_i) by adding a leaf and updating the stack
  196. * Returns 1 if all leaf nodes have already been processed
  197. **/
  198. static char bds_state_update(const xmss_params *params,
  199. bds_state *state, const unsigned char *sk_seed,
  200. const unsigned char *pub_seed,
  201. const uint32_t addr[8])
  202. {
  203. uint32_t ltree_addr[8];
  204. uint32_t node_addr[8];
  205. uint32_t ots_addr[8];
  206. unsigned int nodeh;
  207. int idx = state->next_leaf;
  208. if (idx == 1 << params->tree_height) {
  209. return 1;
  210. }
  211. // only copy layer and tree address parts
  212. memcpy(ots_addr, addr, 12);
  213. // type = ots
  214. set_type(ots_addr, 0);
  215. memcpy(ltree_addr, addr, 12);
  216. set_type(ltree_addr, 1);
  217. memcpy(node_addr, addr, 12);
  218. set_type(node_addr, 2);
  219. set_ots_addr(ots_addr, idx);
  220. set_ltree_addr(ltree_addr, idx);
  221. gen_leaf_wots(params, state->stack+state->stackoffset*params->n, sk_seed, pub_seed, ltree_addr, ots_addr);
  222. state->stacklevels[state->stackoffset] = 0;
  223. state->stackoffset++;
  224. if (params->tree_height - params->bds_k > 0 && idx == 3) {
  225. memcpy(state->treehash[0].node, state->stack+state->stackoffset*params->n, params->n);
  226. }
  227. while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {
  228. nodeh = state->stacklevels[state->stackoffset-1];
  229. if (idx >> nodeh == 1) {
  230. memcpy(state->auth + nodeh*params->n, state->stack+(state->stackoffset-1)*params->n, params->n);
  231. }
  232. else {
  233. if (nodeh < params->tree_height - params->bds_k && idx >> nodeh == 3) {
  234. memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*params->n, params->n);
  235. }
  236. else if (nodeh >= params->tree_height - params->bds_k) {
  237. memcpy(state->retain + ((1 << (params->tree_height - 1 - nodeh)) + nodeh - params->tree_height + (((idx >> nodeh) - 3) >> 1)) * params->n, state->stack+(state->stackoffset-1)*params->n, params->n);
  238. }
  239. }
  240. set_tree_height(node_addr, state->stacklevels[state->stackoffset-1]);
  241. set_tree_index(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));
  242. hash_h(params, state->stack+(state->stackoffset-2)*params->n, state->stack+(state->stackoffset-2)*params->n, pub_seed, node_addr);
  243. state->stacklevels[state->stackoffset-2]++;
  244. state->stackoffset--;
  245. }
  246. state->next_leaf++;
  247. return 0;
  248. }
  249. /**
  250. * Returns the auth path for node leaf_idx and computes the auth path for the
  251. * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo
  252. * in "Post Quantum Cryptography", Springer 2009.
  253. */
  254. static void bds_round(const xmss_params *params,
  255. bds_state *state, const unsigned long leaf_idx,
  256. const unsigned char *sk_seed,
  257. const unsigned char *pub_seed, uint32_t addr[8])
  258. {
  259. unsigned int i;
  260. unsigned int tau = params->tree_height;
  261. unsigned int startidx;
  262. unsigned int offset, rowidx;
  263. unsigned char buf[2 * params->n];
  264. uint32_t ots_addr[8];
  265. uint32_t ltree_addr[8];
  266. uint32_t node_addr[8];
  267. // only copy layer and tree address parts
  268. memcpy(ots_addr, addr, 12);
  269. // type = ots
  270. set_type(ots_addr, 0);
  271. memcpy(ltree_addr, addr, 12);
  272. set_type(ltree_addr, 1);
  273. memcpy(node_addr, addr, 12);
  274. set_type(node_addr, 2);
  275. for (i = 0; i < params->tree_height; i++) {
  276. if (! ((leaf_idx >> i) & 1)) {
  277. tau = i;
  278. break;
  279. }
  280. }
  281. if (tau > 0) {
  282. memcpy(buf, state->auth + (tau-1) * params->n, params->n);
  283. // we need to do this before refreshing state->keep to prevent overwriting
  284. memcpy(buf + params->n, state->keep + ((tau-1) >> 1) * params->n, params->n);
  285. }
  286. if (!((leaf_idx >> (tau + 1)) & 1) && (tau < params->tree_height - 1)) {
  287. memcpy(state->keep + (tau >> 1)*params->n, state->auth + tau*params->n, params->n);
  288. }
  289. if (tau == 0) {
  290. set_ltree_addr(ltree_addr, leaf_idx);
  291. set_ots_addr(ots_addr, leaf_idx);
  292. gen_leaf_wots(params, state->auth, sk_seed, pub_seed, ltree_addr, ots_addr);
  293. }
  294. else {
  295. set_tree_height(node_addr, (tau-1));
  296. set_tree_index(node_addr, leaf_idx >> tau);
  297. hash_h(params, state->auth + tau * params->n, buf, pub_seed, node_addr);
  298. for (i = 0; i < tau; i++) {
  299. if (i < params->tree_height - params->bds_k) {
  300. memcpy(state->auth + i * params->n, state->treehash[i].node, params->n);
  301. }
  302. else {
  303. offset = (1 << (params->tree_height - 1 - i)) + i - params->tree_height;
  304. rowidx = ((leaf_idx >> i) - 1) >> 1;
  305. memcpy(state->auth + i * params->n, state->retain + (offset + rowidx) * params->n, params->n);
  306. }
  307. }
  308. for (i = 0; i < ((tau < params->tree_height - params->bds_k) ? tau : (params->tree_height - params->bds_k)); i++) {
  309. startidx = leaf_idx + 1 + 3 * (1 << i);
  310. if (startidx < 1U << params->tree_height) {
  311. state->treehash[i].h = i;
  312. state->treehash[i].next_idx = startidx;
  313. state->treehash[i].completed = 0;
  314. state->treehash[i].stackusage = 0;
  315. }
  316. }
  317. }
  318. }
  319. /*
  320. * Generates a XMSS key pair for a given parameter set.
  321. * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
  322. * Format pk: [root || PUB_SEED] omitting algo oid.
  323. */
  324. int xmss_core_keypair(const xmss_params *params,
  325. unsigned char *pk, unsigned char *sk, bds_state *state)
  326. {
  327. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  328. // Set idx = 0
  329. sk[0] = 0;
  330. sk[1] = 0;
  331. sk[2] = 0;
  332. sk[3] = 0;
  333. // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)
  334. randombytes(sk + params->index_len, 3*params->n);
  335. // Copy PUB_SEED to public key
  336. memcpy(pk + params->n, sk + params->index_len + 2*params->n, params->n);
  337. // Compute root
  338. treehash_init(params, pk, params->tree_height, 0, state, sk + params->index_len, sk + params->index_len + 2*params->n, addr);
  339. // copy root o sk
  340. memcpy(sk + params->index_len + 3*params->n, pk, params->n);
  341. return 0;
  342. }
  343. /**
  344. * Signs a message.
  345. * Returns
  346. * 1. an array containing the signature followed by the message AND
  347. * 2. an updated secret key!
  348. *
  349. */
  350. int xmss_core_sign(const xmss_params *params,
  351. unsigned char *sk, bds_state *state,
  352. unsigned char *sm, unsigned long long *smlen,
  353. const unsigned char *m, unsigned long long mlen)
  354. {
  355. uint16_t i = 0;
  356. // Extract SK
  357. unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];
  358. unsigned char sk_seed[params->n];
  359. memcpy(sk_seed, sk + params->index_len, params->n);
  360. unsigned char sk_prf[params->n];
  361. memcpy(sk_prf, sk + params->index_len + params->n, params->n);
  362. unsigned char pub_seed[params->n];
  363. memcpy(pub_seed, sk + params->index_len + 2*params->n, params->n);
  364. // index as 32 bytes string
  365. unsigned char idx_bytes_32[32];
  366. ull_to_bytes(idx_bytes_32, 32, idx);
  367. unsigned char hash_key[3*params->n];
  368. // Update SK
  369. sk[0] = ((idx + 1) >> 24) & 255;
  370. sk[1] = ((idx + 1) >> 16) & 255;
  371. sk[2] = ((idx + 1) >> 8) & 255;
  372. sk[3] = (idx + 1) & 255;
  373. // Secret key for this non-forward-secure version is now updated.
  374. // A production implementation should consider using a file handle instead,
  375. // and write the updated secret key at this point!
  376. // Init working params
  377. unsigned char R[params->n];
  378. unsigned char msg_h[params->n];
  379. unsigned char ots_seed[params->n];
  380. uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  381. // ---------------------------------
  382. // Message Hashing
  383. // ---------------------------------
  384. // Message Hash:
  385. // First compute pseudorandom value
  386. prf(params, R, idx_bytes_32, sk_prf, params->n);
  387. // Generate hash key (R || root || idx)
  388. memcpy(hash_key, R, params->n);
  389. memcpy(hash_key+params->n, sk+4+3*params->n, params->n);
  390. ull_to_bytes(hash_key+2*params->n, params->n, idx);
  391. // Then use it for message digest
  392. h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);
  393. // Start collecting signature
  394. *smlen = 0;
  395. // Copy index to signature
  396. sm[0] = (idx >> 24) & 255;
  397. sm[1] = (idx >> 16) & 255;
  398. sm[2] = (idx >> 8) & 255;
  399. sm[3] = idx & 255;
  400. sm += 4;
  401. *smlen += 4;
  402. // Copy R to signature
  403. for (i = 0; i < params->n; i++) {
  404. sm[i] = R[i];
  405. }
  406. sm += params->n;
  407. *smlen += params->n;
  408. // ----------------------------------
  409. // Now we start to "really sign"
  410. // ----------------------------------
  411. // Prepare Address
  412. set_type(ots_addr, 0);
  413. set_ots_addr(ots_addr, idx);
  414. // Compute seed for OTS key pair
  415. get_seed(params, ots_seed, sk_seed, ots_addr);
  416. // Compute WOTS signature
  417. wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);
  418. sm += params->wots_keysize;
  419. *smlen += params->wots_keysize;
  420. // the auth path was already computed during the previous round
  421. memcpy(sm, state->auth, params->tree_height*params->n);
  422. if (idx < (1U << params->tree_height) - 1) {
  423. bds_round(params, state, idx, sk_seed, pub_seed, ots_addr);
  424. bds_treehash_update(params, state, (params->tree_height - params->bds_k) >> 1, sk_seed, pub_seed, ots_addr);
  425. }
  426. sm += params->tree_height*params->n;
  427. *smlen += params->tree_height*params->n;
  428. memcpy(sm, m, mlen);
  429. *smlen += mlen;
  430. return 0;
  431. }
  432. /*
  433. * Generates a XMSSMT key pair for a given parameter set.
  434. * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]
  435. * Format pk: [root || PUB_SEED] omitting algo oid.
  436. */
  437. int xmssmt_core_keypair(const xmss_params *params,
  438. unsigned char *pk, unsigned char *sk,
  439. bds_state *states, unsigned char *wots_sigs)
  440. {
  441. unsigned char ots_seed[params->n];
  442. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  443. unsigned int i;
  444. // Set idx = 0
  445. for (i = 0; i < params->index_len; i++) {
  446. sk[i] = 0;
  447. }
  448. // Init SK_SEED (params->n byte), SK_PRF (params->n byte), and PUB_SEED (params->n byte)
  449. randombytes(sk+params->index_len, 3*params->n);
  450. // Copy PUB_SEED to public key
  451. memcpy(pk+params->n, sk+params->index_len+2*params->n, params->n);
  452. // Start with the bottom-most layer
  453. set_layer_addr(addr, 0);
  454. // Set up state and compute wots signatures for all but topmost tree root
  455. for (i = 0; i < params->d - 1; i++) {
  456. // Compute seed for OTS key pair
  457. treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);
  458. set_layer_addr(addr, (i+1));
  459. get_seed(params, ots_seed, sk + params->index_len, addr);
  460. wots_sign(params, wots_sigs + i*params->wots_keysize, pk, ots_seed, pk+params->n, addr);
  461. }
  462. // Address now points to the single tree on layer d-1
  463. treehash_init(params, pk, params->tree_height, 0, states + i, sk+params->index_len, pk+params->n, addr);
  464. memcpy(sk + params->index_len + 3*params->n, pk, params->n);
  465. return 0;
  466. }
  467. /**
  468. * Signs a message.
  469. * Returns
  470. * 1. an array containing the signature followed by the message AND
  471. * 2. an updated secret key!
  472. *
  473. */
  474. int xmssmt_core_sign(const xmss_params *params,
  475. unsigned char *sk,
  476. bds_state *states, unsigned char *wots_sigs,
  477. unsigned char *sm, unsigned long long *smlen,
  478. const unsigned char *m, unsigned long long mlen)
  479. {
  480. uint64_t idx_tree;
  481. uint32_t idx_leaf;
  482. uint64_t i, j;
  483. int needswap_upto = -1;
  484. unsigned int updates;
  485. unsigned char sk_seed[params->n];
  486. unsigned char sk_prf[params->n];
  487. unsigned char pub_seed[params->n];
  488. // Init working params
  489. unsigned char R[params->n];
  490. unsigned char msg_h[params->n];
  491. unsigned char hash_key[3*params->n];
  492. unsigned char ots_seed[params->n];
  493. uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  494. uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};
  495. unsigned char idx_bytes_32[32];
  496. bds_state tmp;
  497. // Extract SK
  498. unsigned long long idx = 0;
  499. for (i = 0; i < params->index_len; i++) {
  500. idx |= ((unsigned long long)sk[i]) << 8*(params->index_len - 1 - i);
  501. }
  502. memcpy(sk_seed, sk+params->index_len, params->n);
  503. memcpy(sk_prf, sk+params->index_len+params->n, params->n);
  504. memcpy(pub_seed, sk+params->index_len+2*params->n, params->n);
  505. // Update SK
  506. for (i = 0; i < params->index_len; i++) {
  507. sk[i] = ((idx + 1) >> 8*(params->index_len - 1 - i)) & 255;
  508. }
  509. // Secret key for this non-forward-secure version is now updated.
  510. // A production implementation should consider using a file handle instead,
  511. // and write the updated secret key at this point!
  512. // ---------------------------------
  513. // Message Hashing
  514. // ---------------------------------
  515. // Message Hash:
  516. // First compute pseudorandom value
  517. ull_to_bytes(idx_bytes_32, 32, idx);
  518. prf(params, R, idx_bytes_32, sk_prf, params->n);
  519. // Generate hash key (R || root || idx)
  520. memcpy(hash_key, R, params->n);
  521. memcpy(hash_key+params->n, sk+params->index_len+3*params->n, params->n);
  522. ull_to_bytes(hash_key+2*params->n, params->n, idx);
  523. // Then use it for message digest
  524. h_msg(params, msg_h, m, mlen, hash_key, 3*params->n);
  525. // Start collecting signature
  526. *smlen = 0;
  527. // Copy index to signature
  528. for (i = 0; i < params->index_len; i++) {
  529. sm[i] = (idx >> 8*(params->index_len - 1 - i)) & 255;
  530. }
  531. sm += params->index_len;
  532. *smlen += params->index_len;
  533. // Copy R to signature
  534. for (i = 0; i < params->n; i++) {
  535. sm[i] = R[i];
  536. }
  537. sm += params->n;
  538. *smlen += params->n;
  539. // ----------------------------------
  540. // Now we start to "really sign"
  541. // ----------------------------------
  542. // Handle lowest layer separately as it is slightly different...
  543. // Prepare Address
  544. set_type(ots_addr, 0);
  545. idx_tree = idx >> params->tree_height;
  546. idx_leaf = (idx & ((1 << params->tree_height)-1));
  547. set_layer_addr(ots_addr, 0);
  548. set_tree_addr(ots_addr, idx_tree);
  549. set_ots_addr(ots_addr, idx_leaf);
  550. // Compute seed for OTS key pair
  551. get_seed(params, ots_seed, sk_seed, ots_addr);
  552. // Compute WOTS signature
  553. wots_sign(params, sm, msg_h, ots_seed, pub_seed, ots_addr);
  554. sm += params->wots_keysize;
  555. *smlen += params->wots_keysize;
  556. memcpy(sm, states[0].auth, params->tree_height*params->n);
  557. sm += params->tree_height*params->n;
  558. *smlen += params->tree_height*params->n;
  559. // prepare signature of remaining layers
  560. for (i = 1; i < params->d; i++) {
  561. // put WOTS signature in place
  562. memcpy(sm, wots_sigs + (i-1)*params->wots_keysize, params->wots_keysize);
  563. sm += params->wots_keysize;
  564. *smlen += params->wots_keysize;
  565. // put AUTH nodes in place
  566. memcpy(sm, states[i].auth, params->tree_height*params->n);
  567. sm += params->tree_height*params->n;
  568. *smlen += params->tree_height*params->n;
  569. }
  570. updates = (params->tree_height - params->bds_k) >> 1;
  571. set_tree_addr(addr, (idx_tree + 1));
  572. // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists
  573. if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << params->full_height)) {
  574. bds_state_update(params, &states[params->d], sk_seed, pub_seed, addr);
  575. }
  576. for (i = 0; i < params->d; i++) {
  577. // check if we're not at the end of a tree
  578. if (! (((idx + 1) & ((1ULL << ((i+1)*params->tree_height)) - 1)) == 0)) {
  579. idx_leaf = (idx >> (params->tree_height * i)) & ((1 << params->tree_height)-1);
  580. idx_tree = (idx >> (params->tree_height * (i+1)));
  581. set_layer_addr(addr, i);
  582. set_tree_addr(addr, idx_tree);
  583. if (i == (unsigned int) (needswap_upto + 1)) {
  584. bds_round(params, &states[i], idx_leaf, sk_seed, pub_seed, addr);
  585. }
  586. updates = bds_treehash_update(params, &states[i], updates, sk_seed, pub_seed, addr);
  587. set_tree_addr(addr, (idx_tree + 1));
  588. // if a NEXT-tree exists for this level;
  589. if ((1 + idx_tree) * (1 << params->tree_height) + idx_leaf < (1ULL << (params->full_height - params->tree_height * i))) {
  590. if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << params->full_height)) {
  591. bds_state_update(params, &states[params->d + i], sk_seed, pub_seed, addr);
  592. updates--;
  593. }
  594. }
  595. }
  596. else if (idx < (1ULL << params->full_height) - 1) {
  597. memcpy(&tmp, states+params->d + i, sizeof(bds_state));
  598. memcpy(states+params->d + i, states + i, sizeof(bds_state));
  599. memcpy(states + i, &tmp, sizeof(bds_state));
  600. set_layer_addr(ots_addr, (i+1));
  601. set_tree_addr(ots_addr, ((idx + 1) >> ((i+2) * params->tree_height)));
  602. set_ots_addr(ots_addr, (((idx >> ((i+1) * params->tree_height)) + 1) & ((1 << params->tree_height)-1)));
  603. get_seed(params, ots_seed, sk+params->index_len, ots_addr);
  604. wots_sign(params, wots_sigs + i*params->wots_keysize, states[i].stack, ots_seed, pub_seed, ots_addr);
  605. states[params->d + i].stackoffset = 0;
  606. states[params->d + i].next_leaf = 0;
  607. updates--; // WOTS-signing counts as one update
  608. needswap_upto = i;
  609. for (j = 0; j < params->tree_height-params->bds_k; j++) {
  610. states[i].treehash[j].completed = 1;
  611. }
  612. }
  613. }
  614. memcpy(sm, m, mlen);
  615. *smlen += mlen;
  616. return 0;
  617. }