kris
/
xmss-KAT-generator
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
42 Commits
1 Branch
488 KiB
 
 
Tree: dd067bd23e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'dd067bd23e'
${ noResults }
xmss-KAT-generator/xmss.c

806 lines
22 KiB
Raw Blame History 

  1. /*

  2. xmss.c version 20160722

  3. Andreas Hülsing

  4. Joost Rijneveld

  5. Public domain.

  6. */

  7. 

  8. #include "xmss.h"

  9. #include <stdlib.h>

  10. #include <string.h>

  11. #include <stdint.h>

  12. #include <math.h>

  13. 

  14. #include "randombytes.h"

  15. #include "wots.h"

  16. #include "hash.h"

  17. //#include "prg.h"

  18. #include "xmss_commons.h"

  19. #include "hash_address.h"

  20. 

  21. // For testing

  22. #include "stdio.h"

  23. 

  24. 

  25. /**

  26.  * Used for pseudorandom keygeneration,

  27.  * generates the seed for the WOTS keypair at address addr

  28.  *

  29.  * takes n byte sk_seed and returns n byte seed using 32 byte address addr.

  30.  */

  31. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8])

  32. {

  33.   unsigned char bytes[32];

  34.   // Make sure that chain addr, hash addr, and key bit are 0!

  35.   setChainADRS(addr,0);

  36.   setHashADRS(addr,0);

  37.   setKeyAndMask(addr,0);

  38.   // Generate pseudorandom value

  39.   addr_to_byte(bytes, addr);

  40.   prf(seed, bytes, sk_seed, n);

  41. }

  42. 

  43. /**

  44.  * Initialize xmss params struct

  45.  * parameter names are the same as in the draft

  46.  */

  47. void xmss_set_params(xmss_params *params, int n, int h, int w)

  48. {

  49.   params->h = h;

  50.   params->n = n;

  51.   wots_params wots_par;

  52.   wots_set_params(&wots_par, n, w);

  53.   params->wots_par = wots_par;

  54. }

  55. 

  56. /**

  57.  * Initialize xmssmt_params struct

  58.  * parameter names are the same as in the draft

  59.  *

  60.  * Especially h is the total tree height, i.e. the XMSS trees have height h/d

  61.  */

  62. void xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w)

  63. {

  64.   if (h % d) {

  65.     fprintf(stderr, "d must devide h without remainder!\n");

  66.     return;

  67.   }

  68.   params->h = h;

  69.   params->d = d;

  70.   params->n = n;

  71.   params->index_len = (h + 7) / 8;

  72.   xmss_params xmss_par;

  73.   xmss_set_params(&xmss_par, n, (h/d), w);

  74.   params->xmss_par = xmss_par;

  75. }

  76. 

  77. /**

  78.  * Computes a leaf from a WOTS public key using an L-tree.

  79.  */

  80. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  81. {

  82.   unsigned int l = params->wots_par.len;

  83.   unsigned int n = params->n;

  84.   uint32_t i = 0;

  85.   uint32_t height = 0;

  86.   uint32_t bound;

  87. 

  88.   //ADRS.setTreeHeight(0);

  89.   setTreeHeight(addr, height);

  90.   

  91.   while (l > 1) {

  92.      bound = l >> 1; //floor(l / 2);

  93.      for (i = 0; i < bound; i++) {

  94.        //ADRS.setTreeIndex(i);

  95.        setTreeIndex(addr, i);

  96.        //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);

  97.        hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);

  98.      }

  99.      //if ( l % 2 == 1 ) {

  100.      if (l & 1) {

  101.        //pk[floor(l / 2) + 1] = pk[l];

  102.        memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);

  103.        //l = ceil(l / 2);

  104.        l=(l>>1)+1;

  105.      }

  106.      else {

  107.        //l = ceil(l / 2);

  108.        l=(l>>1);

  109.      }

  110.      //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);

  111.      height++;

  112.      setTreeHeight(addr, height);

  113.    }

  114.    //return pk[0];

  115.    memcpy(leaf, wots_pk, n);

  116. }

  117. 

  118. /**

  119.  * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.

  120.  */

  121. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, uint32_t ltree_addr[8], uint32_t ots_addr[8])

  122. {

  123.   unsigned char seed[params->n];

  124.   unsigned char pk[params->wots_par.keysize];

  125. 

  126.   get_seed(seed, sk_seed, params->n, ots_addr);

  127.   wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);

  128. 

  129.   l_tree(leaf, pk, params, pub_seed, ltree_addr);

  130. }

  131. 

  132. /**

  133.  * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.

  134.  * Currently only used for key generation.

  135.  *

  136.  */

  137. static void treehash(unsigned char *node, uint16_t height, uint32_t index, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const uint32_t addr[8])

  138. {

  139. 

  140.   uint32_t idx = index;

  141.   uint16_t n = params->n;

  142.   // use three different addresses because at this point we use all three formats in parallel

  143.   uint32_t ots_addr[8];

  144.   uint32_t ltree_addr[8];

  145.   uint32_t  node_addr[8];

  146.   // only copy layer and tree address parts

  147.   memcpy(ots_addr, addr, 12);

  148.   // type = ots

  149.   setType(ots_addr, 0);

  150.   memcpy(ltree_addr, addr, 12);

  151.   setType(ltree_addr, 1);

  152.   memcpy(node_addr, addr, 12);

  153.   setType(node_addr, 2);

  154. 

  155.   uint32_t lastnode, i;

  156.   unsigned char stack[(height+1)*n];

  157.   uint16_t stacklevels[height+1];

  158.   unsigned int stackoffset=0;

  159. 

  160.   lastnode = idx+(1 << height);

  161. 

  162.   for (; idx < lastnode; idx++) {

  163.     setLtreeADRS(ltree_addr, idx);

  164.     setOTSADRS(ots_addr, idx);

  165.     gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);

  166.     stacklevels[stackoffset] = 0;

  167.     stackoffset++;

  168.     while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) {

  169.       setTreeHeight(node_addr, stacklevels[stackoffset-1]);

  170.       setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));

  171.       hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,

  172.           node_addr, n);

  173.       stacklevels[stackoffset-2]++;

  174.       stackoffset--;

  175.     }

  176.   }

  177.   for (i=0; i < n; i++)

  178.     node[i] = stack[i];

  179. }

  180. 

  181. /**

  182.  * Computes a root node given a leaf and an authapth

  183.  */

  184. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, uint32_t addr[8])

  185. {

  186.   unsigned int n = params->n;

  187. 

  188.   uint32_t i, j;

  189.   unsigned char buffer[2*n];

  190. 

  191.   // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.

  192.   // Otherwise, it is the other way around

  193.   if (leafidx & 1) {

  194.     for (j = 0; j < n; j++)

  195.       buffer[n+j] = leaf[j];

  196.     for (j = 0; j < n; j++)

  197.       buffer[j] = authpath[j];

  198.   }

  199.   else {

  200.     for (j = 0; j < n; j++)

  201.       buffer[j] = leaf[j];

  202.     for (j = 0; j < n; j++)

  203.       buffer[n+j] = authpath[j];

  204.   }

  205.   authpath += n;

  206. 

  207.   for (i=0; i < params->h-1; i++) {

  208.     setTreeHeight(addr, i);

  209.     leafidx >>= 1;

  210.     setTreeIndex(addr, leafidx);

  211.     if (leafidx&1) {

  212.       hash_h(buffer+n, buffer, pub_seed, addr, n);

  213.       for (j = 0; j < n; j++)

  214.         buffer[j] = authpath[j];

  215.     }

  216.     else {

  217.       hash_h(buffer, buffer, pub_seed, addr, n);

  218.       for (j = 0; j < n; j++)

  219.         buffer[j+n] = authpath[j];

  220.     }

  221.     authpath += n;

  222.   }

  223.   setTreeHeight(addr, (params->h-1));

  224.   leafidx >>= 1;

  225.   setTreeIndex(addr, leafidx);

  226.   hash_h(root, buffer, pub_seed, addr, n);

  227. }

  228. 

  229. /**

  230.  * Computes the authpath and the root. This method is using a lot of space as we build the whole tree and then select the authpath nodes.

  231.  * For more efficient algorithms see e.g. the chapter on hash-based signatures in Bernstein, Buchmann, Dahmen. "Post-quantum Cryptography", Springer 2009.

  232.  * It returns the authpath in "authpath" with the node on level 0 at index 0.

  233.  */

  234. static void compute_authpath_wots(unsigned char *root, unsigned char *authpath, unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, uint32_t addr[8])

  235. {

  236.   uint32_t i, j, level;

  237.   uint32_t n = params->n;

  238.   uint32_t h = params->h;

  239. 

  240.   unsigned char tree[2*(1<<h)*n];

  241. 

  242.   uint32_t ots_addr[8];

  243.   uint32_t ltree_addr[8];

  244.   uint32_t node_addr[8];

  245. 

  246.   memcpy(ots_addr, addr, 12);

  247.   setType(ots_addr, 0);

  248.   memcpy(ltree_addr, addr, 12);

  249.   setType(ltree_addr, 1);

  250.   memcpy(node_addr, addr, 12);

  251.   setType(node_addr, 2);

  252. 

  253.   // Compute all leaves

  254.   for (i = 0; i < (1U << h); i++) {

  255.     setLtreeADRS(ltree_addr, i);

  256.     setOTSADRS(ots_addr, i);

  257.     gen_leaf_wots(tree+((1<<h)*n + i*n), sk_seed, params, pub_seed, ltree_addr, ots_addr);

  258.   }

  259. 

  260. 

  261.   level = 0;

  262.   // Compute tree:

  263.   // Outer loop: For each inner layer

  264.   for (i = (1<<h); i > 1; i>>=1) {

  265.     setTreeHeight(node_addr, level);

  266.     // Inner loop: for each pair of sibling nodes

  267.     for (j = 0; j < i; j+=2) {

  268.       setTreeIndex(node_addr, j>>1);

  269.       hash_h(tree + (i>>1)*n + (j>>1) * n, tree + i*n + j*n, pub_seed, node_addr, n);

  270.     }

  271.     level++;

  272.   }

  273. 

  274.   // copy authpath

  275.   for (i=0; i < h; i++)

  276.     memcpy(authpath + i*n, tree + ((1<<h)>>i)*n + ((leaf_idx >> i) ^ 1) * n, n);

  277. 

  278.   // copy root

  279.   memcpy(root, tree+n, n);

  280. }

  281. 

  282. 

  283. /*

  284.  * Generates a XMSS key pair for a given parameter set.

  285.  * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED || root]

  286.  * Format pk: [root || PUB_SEED] omitting algo oid.

  287.  */

  288. int xmss_keypair(unsigned char *pk, unsigned char *sk, xmss_params *params)

  289. {

  290.   unsigned int n = params->n;

  291.   // Set idx = 0

  292.   sk[0] = 0;

  293.   sk[1] = 0;

  294.   sk[2] = 0;

  295.   sk[3] = 0;

  296.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  297.   randombytes(sk+4, 3*n);

  298.   // Copy PUB_SEED to public key

  299.   memcpy(pk+n, sk+4+2*n, n);

  300. 

  301.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  302.   // Compute root

  303.   treehash(pk, params->h, 0, sk+4, params, sk+4+2*n, addr);

  304.   // copy root to sk

  305.   memcpy(sk+4+3*n, pk, n);

  306.   return 0;

  307. }

  308. 

  309. /**

  310.  * Signs a message.

  311.  * Returns

  312.  * 1. an array containing the signature followed by the message AND

  313.  * 2. an updated secret key!

  314.  *

  315.  */

  316. int xmss_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)

  317. {

  318.   uint16_t n = params->n;

  319.   uint16_t i = 0;

  320. 

  321.   // Extract SK

  322.   uint32_t idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];

  323.   unsigned char sk_seed[n];

  324.   memcpy(sk_seed, sk+4, n);

  325.   unsigned char sk_prf[n];

  326.   memcpy(sk_prf, sk+4+n, n);

  327.   unsigned char pub_seed[n];

  328.   memcpy(pub_seed, sk+4+2*n, n);

  329.   

  330.   // index as 32 bytes string

  331.   unsigned char idx_bytes_32[32];

  332.   to_byte(idx_bytes_32, idx, 32);

  333.   

  334.   

  335.   unsigned char hash_key[3*n];

  336.   

  337.   // Update SK

  338.   sk[0] = ((idx + 1) >> 24) & 255;

  339.   sk[1] = ((idx + 1) >> 16) & 255;

  340.   sk[2] = ((idx + 1) >> 8) & 255;

  341.   sk[3] = (idx + 1) & 255;

  342.   // -- Secret key for this non-forward-secure version is now updated.

  343.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  344. 

  345.   // Init working params

  346.   unsigned char R[n];

  347.   unsigned char msg_h[n];

  348.   unsigned char root[n];

  349.   unsigned char ots_seed[n];

  350.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  351. 

  352.   // ---------------------------------

  353.   // Message Hashing

  354.   // ---------------------------------

  355. 

  356.   // Message Hash:

  357.   // First compute pseudorandom value

  358.   prf(R, idx_bytes_32, sk_prf, n);

  359.   // Generate hash key (R || root || idx)

  360.   memcpy(hash_key, R, n);

  361.   memcpy(hash_key+n, sk+4+3*n, n);

  362.   to_byte(hash_key+2*n, idx, n);

  363.   // Then use it for message digest

  364.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n);

  365.   

  366.   // Start collecting signature

  367.   *sig_msg_len = 0;

  368. 

  369.   // Copy index to signature

  370.   sig_msg[0] = (idx >> 24) & 255;

  371.   sig_msg[1] = (idx >> 16) & 255;

  372.   sig_msg[2] = (idx >> 8) & 255;

  373.   sig_msg[3] = idx & 255;

  374. 

  375.   sig_msg += 4;

  376.   *sig_msg_len += 4;

  377. 

  378.   // Copy R to signature

  379.   for (i = 0; i < n; i++)

  380.     sig_msg[i] = R[i];

  381. 

  382.   sig_msg += n;

  383.   *sig_msg_len += n;

  384. 

  385.   // ----------------------------------

  386.   // Now we start to "really sign"

  387.   // ----------------------------------

  388. 

  389.   // Prepare Address

  390.   setType(ots_addr, 0);

  391.   setOTSADRS(ots_addr, idx);

  392. 

  393.   // Compute seed for OTS key pair

  394.   get_seed(ots_seed, sk_seed, n, ots_addr);

  395. 

  396.   // Compute WOTS signature

  397.   wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);

  398. 

  399.   sig_msg += params->wots_par.keysize;

  400.   *sig_msg_len += params->wots_par.keysize;

  401. 

  402.   compute_authpath_wots(root, sig_msg, idx, sk_seed, params, pub_seed, ots_addr);

  403.   sig_msg += params->h*n;

  404.   *sig_msg_len += params->h*n;

  405. 

  406.   //Whipe secret elements?

  407.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  408. 

  409.   memcpy(sig_msg, msg, msglen);

  410.   *sig_msg_len += msglen;

  411. 

  412.   return 0;

  413. }

  414. 

  415. /**

  416.  * Verifies a given message signature pair under a given public key.

  417.  */

  418. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)

  419. {

  420.   uint16_t n = params->n;

  421.   

  422.   unsigned long long i, m_len;

  423.   unsigned long idx=0;

  424.   unsigned char wots_pk[params->wots_par.keysize];

  425.   unsigned char pkhash[n];

  426.   unsigned char root[n];

  427.   unsigned char msg_h[n];

  428.   unsigned char hash_key[3*n];

  429. 

  430.   unsigned char pub_seed[n];

  431.   memcpy(pub_seed, pk+n, n);

  432. 

  433.   // Init addresses

  434.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  435.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  436.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  437. 

  438.   setType(ots_addr, 0);

  439.   setType(ltree_addr, 1);

  440.   setType(node_addr, 2);

  441.   

  442.   // Extract index

  443.   idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];

  444.   printf("verify:: idx = %lu\n", idx);

  445.   

  446.   // Generate hash key (R || root || idx)

  447.   memcpy(hash_key, sig_msg+4,n);

  448.   memcpy(hash_key+n, pk, n);

  449.   to_byte(hash_key+2*n, idx, n);

  450.   

  451.   sig_msg += (n+4);

  452.   sig_msg_len -= (n+4);

  453.   

  454. 

  455.   // hash message 

  456.   unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n;

  457.   m_len = sig_msg_len - tmp_sig_len;

  458.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n);

  459.   

  460.   //-----------------------

  461.   // Verify signature

  462.   //-----------------------

  463. 

  464.   // Prepare Address

  465.   setOTSADRS(ots_addr, idx);

  466.   // Check WOTS signature

  467.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);

  468. 

  469.   sig_msg += params->wots_par.keysize;

  470.   sig_msg_len -= params->wots_par.keysize;

  471. 

  472.   // Compute Ltree

  473.   setLtreeADRS(ltree_addr, idx);

  474.   l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);

  475. 

  476.   // Compute root

  477.   validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);

  478. 

  479.   sig_msg += params->h*n;

  480.   sig_msg_len -= params->h*n;

  481. 

  482.   for (i=0; i < n; i++)

  483.     if (root[i] != pk[i])

  484.       goto fail;

  485. 

  486.   *msglen = sig_msg_len;

  487.   for (i=0; i < *msglen; i++)

  488.     msg[i] = sig_msg[i];

  489. 

  490.   return 0;

  491. 

  492. 

  493. fail:

  494.   *msglen = sig_msg_len;

  495.   for (i=0; i < *msglen; i++)

  496.     msg[i] = 0;

  497.   *msglen = -1;

  498.   return -1;

  499. }

  500. 

  501. /*

  502.  * Generates a XMSSMT key pair for a given parameter set.

  503.  * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]

  504.  * Format pk: [root || PUB_SEED] omitting algo oid.

  505.  */

  506. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, xmssmt_params *params)

  507. {

  508.   unsigned int n = params->n;

  509.   uint16_t i;

  510.   // Set idx = 0

  511.   for (i = 0; i < params->index_len; i++) {

  512.     sk[i] = 0;

  513.   }

  514.   // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte)

  515.   randombytes(sk+params->index_len, 3*n);

  516.   // Copy PUB_SEED to public key

  517.   memcpy(pk+n, sk+params->index_len+2*n, n);

  518. 

  519.   // Set address to point on the single tree on layer d-1

  520.   uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  521.   setLayerADRS(addr, (params->d-1));

  522. 

  523.   // Compute root

  524.   treehash(pk, params->xmss_par.h, 0, sk+params->index_len, &(params->xmss_par), pk+n, addr);

  525.   memcpy(sk+params->index_len+3*n, pk, n);

  526.   return 0;

  527. }

  528. 

  529. /**

  530.  * Signs a message.

  531.  * Returns

  532.  * 1. an array containing the signature followed by the message AND

  533.  * 2. an updated secret key!

  534.  *

  535.  */

  536. int xmssmt_sign(unsigned char *sk, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)

  537. {

  538.   unsigned int n = params->n;

  539.   unsigned int tree_h = params->xmss_par.h;

  540.   unsigned int idx_len = params->index_len;

  541.   uint64_t idx_tree;

  542.   uint32_t idx_leaf;

  543.   uint64_t i;

  544. 

  545.   unsigned char sk_seed[n];

  546.   unsigned char sk_prf[n];

  547.   unsigned char pub_seed[n];

  548.   // Init working params

  549.   unsigned char R[n];

  550.   unsigned char hash_key[3*n];

  551.   unsigned char msg_h[n];

  552.   unsigned char root[n];

  553.   unsigned char ots_seed[n];

  554.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  555.   unsigned char idx_bytes_32[32];

  556. 

  557.   // Extract SK

  558.   unsigned long long idx = 0;

  559.   for (i = 0; i < idx_len; i++) {

  560.     idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);

  561.   }

  562. 

  563.   memcpy(sk_seed, sk+idx_len, n);

  564.   memcpy(sk_prf, sk+idx_len+n, n);

  565.   memcpy(pub_seed, sk+idx_len+2*n, n);

  566. 

  567.   // Update SK

  568.   for (i = 0; i < idx_len; i++) {

  569.     sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;

  570.   }

  571.   // -- Secret key for this non-forward-secure version is now updated.

  572.   // -- A productive implementation should use a file handle instead and write the updated secret key at this point!

  573. 

  574. 

  575.   // ---------------------------------

  576.   // Message Hashing

  577.   // ---------------------------------

  578. 

  579.   // Message Hash:

  580.   // First compute pseudorandom value

  581.   to_byte(idx_bytes_32, idx, 32);

  582.   prf(R, idx_bytes_32, sk_prf, n);

  583.   // Generate hash key (R || root || idx)

  584.   memcpy(hash_key, R, n);

  585.   memcpy(hash_key+n, sk+idx_len+3*n, n);

  586.   to_byte(hash_key+2*n, idx, n);

  587.   

  588.   // Then use it for message digest

  589.   h_msg(msg_h, msg, msglen, hash_key, 3*n, n);

  590. 

  591.   // Start collecting signature

  592.   *sig_msg_len = 0;

  593. 

  594.   // Copy index to signature

  595.   for (i = 0; i < idx_len; i++) {

  596.     sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;

  597.   }

  598. 

  599.   sig_msg += idx_len;

  600.   *sig_msg_len += idx_len;

  601. 

  602.   // Copy R to signature

  603.   for (i=0; i < n; i++)

  604.     sig_msg[i] = R[i];

  605. 

  606.   sig_msg += n;

  607.   *sig_msg_len += n;

  608. 

  609.   // ----------------------------------

  610.   // Now we start to "really sign"

  611.   // ----------------------------------

  612. 

  613.   // Handle lowest layer separately as it is slightly different...

  614. 

  615.   // Prepare Address

  616.   setType(ots_addr, 0);

  617.   idx_tree = idx >> tree_h;

  618.   idx_leaf = (idx & ((1 << tree_h)-1));

  619.   setLayerADRS(ots_addr, 0);

  620.   setTreeADRS(ots_addr, idx_tree);

  621.   setOTSADRS(ots_addr, idx_leaf);

  622. 

  623.   // Compute seed for OTS key pair

  624.   get_seed(ots_seed, sk_seed, n, ots_addr);

  625. 

  626.   // Compute WOTS signature

  627.   wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  628. 

  629.   sig_msg += params->xmss_par.wots_par.keysize;

  630.   *sig_msg_len += params->xmss_par.wots_par.keysize;

  631. 

  632.   compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  633.   sig_msg += tree_h*n;

  634.   *sig_msg_len += tree_h*n;

  635. 

  636.   // Now loop over remaining layers...

  637.   unsigned int j;

  638.   for (j = 1; j < params->d; j++) {

  639.     // Prepare Address

  640.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  641.     idx_tree = idx_tree >> tree_h;

  642.     setLayerADRS(ots_addr, j);

  643.     setTreeADRS(ots_addr, idx_tree);

  644.     setOTSADRS(ots_addr, idx_leaf);

  645. 

  646.     // Compute seed for OTS key pair

  647.     get_seed(ots_seed, sk_seed, n, ots_addr);

  648. 

  649.     // Compute WOTS signature

  650.     wots_sign(sig_msg, root, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  651. 

  652.     sig_msg += params->xmss_par.wots_par.keysize;

  653.     *sig_msg_len += params->xmss_par.wots_par.keysize;

  654. 

  655.     compute_authpath_wots(root, sig_msg, idx_leaf, sk_seed, &(params->xmss_par), pub_seed, ots_addr);

  656.     sig_msg += tree_h*n;

  657.     *sig_msg_len += tree_h*n;

  658.   }

  659. 

  660.   //Whipe secret elements?

  661.   //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);

  662. 

  663.   memcpy(sig_msg, msg, msglen);

  664.   *sig_msg_len += msglen;

  665. 

  666.   return 0;

  667. }

  668. 

  669. /**

  670.  * Verifies a given message signature pair under a given public key.

  671.  */

  672. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)

  673. {

  674.   unsigned int n = params->n;

  675. 

  676.   unsigned int tree_h = params->xmss_par.h;

  677.   unsigned int idx_len = params->index_len;

  678.   uint64_t idx_tree;

  679.   uint32_t idx_leaf;

  680. 

  681.   unsigned long long i, m_len;

  682.   unsigned long long idx=0;

  683.   unsigned char wots_pk[params->xmss_par.wots_par.keysize];

  684.   unsigned char pkhash[n];

  685.   unsigned char root[n];

  686.   unsigned char msg_h[n];

  687.   unsigned char hash_key[3*n];

  688. 

  689.   unsigned char pub_seed[n];

  690.   memcpy(pub_seed, pk+n, n);

  691. 

  692.   // Init addresses

  693.   uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  694.   uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  695.   uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0};

  696. 

  697.   // Extract index

  698.   for (i = 0; i < idx_len; i++) {

  699.     idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));

  700.   }

  701.   printf("verify:: idx = %llu\n", idx);

  702.   sig_msg += idx_len;

  703.   sig_msg_len -= idx_len;

  704. 

  705.   // Generate hash key (R || root || idx)

  706.   memcpy(hash_key, sig_msg,n);

  707.   memcpy(hash_key+n, pk, n);

  708.   to_byte(hash_key+2*n, idx, n);

  709. 

  710.   sig_msg += n;

  711.   sig_msg_len -= n;

  712.   

  713.   // hash message 

  714.   unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);

  715.   m_len = sig_msg_len - tmp_sig_len;

  716.   h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n);

  717. 

  718. 

  719.   //-----------------------

  720.   // Verify signature

  721.   //-----------------------

  722. 

  723.   // Prepare Address

  724.   idx_tree = idx >> tree_h;

  725.   idx_leaf = (idx & ((1 << tree_h)-1));

  726.   setLayerADRS(ots_addr, 0);

  727.   setTreeADRS(ots_addr, idx_tree);

  728.   setType(ots_addr, 0);

  729. 

  730.   memcpy(ltree_addr, ots_addr, 12);

  731.   setType(ltree_addr, 1);

  732. 

  733.   memcpy(node_addr, ltree_addr, 12);

  734.   setType(node_addr, 2);

  735.   

  736.   setOTSADRS(ots_addr, idx_leaf);

  737. 

  738.   // Check WOTS signature

  739.   wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  740. 

  741.   sig_msg += params->xmss_par.wots_par.keysize;

  742.   sig_msg_len -= params->xmss_par.wots_par.keysize;

  743. 

  744.   // Compute Ltree

  745.   setLtreeADRS(ltree_addr, idx_leaf);

  746.   l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  747. 

  748.   // Compute root

  749.   validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  750. 

  751.   sig_msg += tree_h*n;

  752.   sig_msg_len -= tree_h*n;

  753. 

  754.   for (i = 1; i < params->d; i++) {

  755.     // Prepare Address

  756.     idx_leaf = (idx_tree & ((1 << tree_h)-1));

  757.     idx_tree = idx_tree >> tree_h;

  758. 

  759.     setLayerADRS(ots_addr, i);

  760.     setTreeADRS(ots_addr, idx_tree);

  761.     setType(ots_addr, 0);

  762. 

  763.     memcpy(ltree_addr, ots_addr, 12);

  764.     setType(ltree_addr, 1);

  765. 

  766.     memcpy(node_addr, ltree_addr, 12);

  767.     setType(node_addr, 2);

  768. 

  769.     setOTSADRS(ots_addr, idx_leaf);

  770. 

  771.     // Check WOTS signature

  772.     wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);

  773. 

  774.     sig_msg += params->xmss_par.wots_par.keysize;

  775.     sig_msg_len -= params->xmss_par.wots_par.keysize;

  776. 

  777.     // Compute Ltree

  778.     setLtreeADRS(ltree_addr, idx_leaf);

  779.     l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);

  780. 

  781.     // Compute root

  782.     validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);

  783. 

  784.     sig_msg += tree_h*n;

  785.     sig_msg_len -= tree_h*n;

  786. 

  787.   }

  788. 

  789.   for (i=0; i < n; i++)

  790.     if (root[i] != pk[i])

  791.       goto fail;

  792. 

  793.   *msglen = sig_msg_len;

  794.   for (i=0; i < *msglen; i++)

  795.     msg[i] = sig_msg[i];

  796. 

  797.   return 0;

  798. 

  799. 

  800. fail:

  801.   *msglen = sig_msg_len;

  802.   for (i=0; i < *msglen; i++)

  803.     msg[i] = 0;

  804.   *msglen = -1;

  805.   return -1;

  806. }