You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1143 lines
34 KiB

  1. /*
  2. xmss.c version 20150811
  3. Andreas Hülsing
  4. Public domain.
  5. */
  6. #include "xmss_fast.h"
  7. #include <stdlib.h>
  8. #include <string.h>
  9. #include <stdint.h>
  10. #include <math.h>
  11. #include "randombytes.h"
  12. #include "wots.h"
  13. #include "hash.h"
  14. #include "prg.h"
  15. #include "xmss_commons.h"
  16. // For testing
  17. #include "stdio.h"
  18. /**
  19. * Macros used to manipulate the respective fields
  20. * in the 16byte hash address
  21. */
  22. #define SET_LAYER_ADDRESS(a, v) {\
  23. a[6] = (a[6] & 3) | ((v << 2) & 252);\
  24. a[5] = (a[5] & 252) | ((v >> 6) & 3);}
  25. #define SET_TREE_ADDRESS(a, v) {\
  26. a[9] = (a[9] & 3) | ((v << 2) & 252);\
  27. a[8] = (v >> 6) & 255;\
  28. a[7] = (v >> 14) & 255;\
  29. a[6] = (a[6] & 252) | ((v >> 22) & 3);}
  30. #define SET_OTS_BIT(a, b) {\
  31. a[9] = (a[9] & 253) | ((b << 1) & 2);}
  32. #define SET_OTS_ADDRESS(a, v) {\
  33. a[12] = (a[12] & 1) | ((v << 1) & 254);\
  34. a[11] = (v >> 7) & 255;\
  35. a[10] = (v >> 15) & 255;\
  36. a[9] = (a[9] & 254) | ((v >> 23) & 1);}
  37. #define ZEROISE_OTS_ADDR(a) {\
  38. a[12] = (a[12] & 254);\
  39. a[13] = 0;\
  40. a[14] = 0;\
  41. a[15] = 0;}
  42. #define SET_LTREE_BIT(a, b) {\
  43. a[9] = (a[9] & 254) | (b & 1);}
  44. #define SET_LTREE_ADDRESS(a, v) {\
  45. a[12] = v & 255;\
  46. a[11] = (v >> 8) & 255;\
  47. a[10] = (v >> 16) & 255;}
  48. #define SET_LTREE_TREE_HEIGHT(a, v) {\
  49. a[13] = (a[13] & 3) | ((v << 2) & 252);}
  50. #define SET_LTREE_TREE_INDEX(a, v) {\
  51. a[15] = (a[15] & 3) | ((v << 2) & 252);\
  52. a[14] = (v >> 6) & 255;\
  53. a[13] = (a[13] & 252) | ((v >> 14) & 3);}
  54. #define SET_NODE_PADDING(a) {\
  55. a[10] = 0;\
  56. a[11] = a[11] & 3;}
  57. #define SET_NODE_TREE_HEIGHT(a, v) {\
  58. a[12] = (a[12] & 3) | ((v << 2) & 252);\
  59. a[11] = (a[11] & 252) | ((v >> 6) & 3);}
  60. #define SET_NODE_TREE_INDEX(a, v) {\
  61. a[15] = (a[15] & 3) | ((v << 2) & 252);\
  62. a[14] = (v >> 6) & 255;\
  63. a[13] = (v >> 14) & 255;\
  64. a[12] = (a[12] & 252) | ((v >> 22) & 3);}
  65. /**
  66. * Used for pseudorandom keygeneration,
  67. * generates the seed for the WOTS keypair at address addr
  68. *
  69. * takes n byte sk_seed and returns n byte seed using 16 byte address addr.
  70. */
  71. static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, unsigned char addr[16])
  72. {
  73. // Make sure that chain addr, hash addr, and key bit are 0!
  74. ZEROISE_OTS_ADDR(addr);
  75. // Generate pseudorandom value
  76. prg_with_counter(seed, sk_seed, n, addr);
  77. }
  78. /**
  79. * Initialize xmss params struct
  80. * parameter names are the same as in the draft
  81. * parameter k is K as used in the BDS algorithm
  82. */
  83. int xmss_set_params(xmss_params *params, int m, int n, int h, int w, int k)
  84. {
  85. if (k >= h || k < 2 || (h - k) % 2) {
  86. fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n");
  87. return 1;
  88. }
  89. params->h = h;
  90. params->m = m;
  91. params->n = n;
  92. params->k = k;
  93. wots_params wots_par;
  94. wots_set_params(&wots_par, m, n, w);
  95. params->wots_par = wots_par;
  96. return 0;
  97. }
  98. /**
  99. * Initialize BDS state struct
  100. * parameter names are the same as used in the description of the BDS traversal
  101. */
  102. void xmss_set_bds_state(bds_state *state, unsigned char *stack, int stackoffset, unsigned char *stacklevels, unsigned char *auth, unsigned char *keep, treehash_inst *treehash, unsigned char *retain, int next_leaf)
  103. {
  104. state->stack = stack;
  105. state->stackoffset = stackoffset;
  106. state->stacklevels = stacklevels;
  107. state->auth = auth;
  108. state->keep = keep;
  109. state->treehash = treehash;
  110. state->retain = retain;
  111. state->next_leaf = next_leaf;
  112. }
  113. /**
  114. * Initialize xmssmt_params struct
  115. * parameter names are the same as in the draft
  116. *
  117. * Especially h is the total tree height, i.e. the XMSS trees have height h/d
  118. */
  119. int xmssmt_set_params(xmssmt_params *params, int m, int n, int h, int d, int w, int k)
  120. {
  121. if (h % d) {
  122. fprintf(stderr, "d must divide h without remainder!\n");
  123. return 1;
  124. }
  125. params->h = h;
  126. params->d = d;
  127. params->m = m;
  128. params->n = n;
  129. params->index_len = (h + 7) / 8;
  130. xmss_params xmss_par;
  131. if (xmss_set_params(&xmss_par, m, n, (h/d), w, k)) {
  132. return 1;
  133. }
  134. params->xmss_par = xmss_par;
  135. return 0;
  136. }
  137. /**
  138. * Computes a leaf from a WOTS public key using an L-tree.
  139. */
  140. static void l_tree(unsigned char *leaf, unsigned char *wots_pk, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])
  141. {
  142. unsigned int l = params->wots_par.len;
  143. unsigned int n = params->n;
  144. unsigned long i = 0;
  145. unsigned int height = 0;
  146. //ADRS.setTreeHeight(0);
  147. SET_LTREE_TREE_HEIGHT(addr, height);
  148. unsigned long bound;
  149. while (l > 1) {
  150. bound = l >> 1; //floor(l / 2);
  151. for (i = 0; i < bound; i = i + 1) {
  152. //ADRS.setTreeIndex(i);
  153. SET_LTREE_TREE_INDEX(addr, i);
  154. //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS);
  155. hash_2n_n(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n);
  156. }
  157. //if ( l % 2 == 1 ) {
  158. if (l & 1) {
  159. //pk[floor(l / 2) + 1] = pk[l];
  160. memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n);
  161. //l = ceil(l / 2);
  162. l=(l>>1)+1;
  163. }
  164. else
  165. {
  166. //l = ceil(l / 2);
  167. l=(l>>1);
  168. }
  169. //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1);
  170. height++;
  171. SET_LTREE_TREE_HEIGHT(addr, height);
  172. }
  173. //return pk[0];
  174. memcpy(leaf, wots_pk, n);
  175. }
  176. /**
  177. * Computes the leaf at a given address. First generates the WOTS key pair, then computes leaf using l_tree. As this happens position independent, we only require that addr encodes the right ltree-address.
  178. */
  179. static void gen_leaf_wots(unsigned char *leaf, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, unsigned char ltree_addr[16], unsigned char ots_addr[16])
  180. {
  181. unsigned char seed[params->n];
  182. unsigned char pk[params->wots_par.keysize];
  183. get_seed(seed, sk_seed, params->n, ots_addr);
  184. wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr);
  185. l_tree(leaf, pk, params, pub_seed, ltree_addr);
  186. }
  187. static int treehash_minheight_on_stack(bds_state* state, const xmss_params *params, const treehash_inst *treehash) {
  188. unsigned int r = params->h, i;
  189. for (i = 0; i < treehash->stackusage; i++) {
  190. if (state->stacklevels[state->stackoffset - i - 1] < r) {
  191. r = state->stacklevels[state->stackoffset - i - 1];
  192. }
  193. }
  194. return r;
  195. }
  196. /**
  197. * Merkle's TreeHash algorithm. The address only needs to initialize the first 78 bits of addr. Everything else will be set by treehash.
  198. * Currently only used for key generation.
  199. *
  200. */
  201. static void treehash_setup(unsigned char *node, int height, int index, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16])
  202. {
  203. unsigned int idx = index;
  204. unsigned int n = params->n;
  205. unsigned int h = params->h;
  206. unsigned int k = params->k;
  207. // use three different addresses because at this point we use all three formats in parallel
  208. unsigned char ots_addr[16];
  209. unsigned char ltree_addr[16];
  210. unsigned char node_addr[16];
  211. memcpy(ots_addr, addr, 10);
  212. SET_OTS_BIT(ots_addr, 1);
  213. memcpy(ltree_addr, addr, 10);
  214. SET_OTS_BIT(ltree_addr, 0);
  215. SET_LTREE_BIT(ltree_addr, 1);
  216. memcpy(node_addr, ltree_addr, 10);
  217. SET_LTREE_BIT(node_addr, 0);
  218. SET_NODE_PADDING(node_addr);
  219. unsigned int lastnode, i;
  220. unsigned char stack[(height+1)*n];
  221. unsigned int stacklevels[height+1];
  222. unsigned int stackoffset=0;
  223. unsigned int nodeh;
  224. lastnode = idx+(1<<height);
  225. for (i = 0; i < h-k; i++) {
  226. state->treehash[i].h = i;
  227. state->treehash[i].completed = 1;
  228. state->treehash[i].stackusage = 0;
  229. }
  230. i = 0;
  231. for (; idx < lastnode; idx++) {
  232. SET_LTREE_ADDRESS(ltree_addr, idx);
  233. SET_OTS_ADDRESS(ots_addr, idx);
  234. gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);
  235. stacklevels[stackoffset] = 0;
  236. stackoffset++;
  237. if (h - k > 0 && i == 3) {
  238. memcpy(state->treehash[0].node, stack+stackoffset*n, n);
  239. }
  240. while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2])
  241. {
  242. nodeh = stacklevels[stackoffset-1];
  243. if (i >> nodeh == 1) {
  244. memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n);
  245. }
  246. else {
  247. if (nodeh < h - k && i >> nodeh == 3) {
  248. memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n);
  249. }
  250. else if (nodeh >= h - k) {
  251. memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack+(stackoffset-1)*n, n);
  252. }
  253. }
  254. SET_NODE_TREE_HEIGHT(node_addr, stacklevels[stackoffset-1]);
  255. SET_NODE_TREE_INDEX(node_addr, (idx >> (stacklevels[stackoffset-1]+1)));
  256. hash_2n_n(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed,
  257. node_addr, n);
  258. stacklevels[stackoffset-2]++;
  259. stackoffset--;
  260. }
  261. i++;
  262. }
  263. for (i = 0; i < n; i++)
  264. node[i] = stack[i];
  265. }
  266. static void treehash_update(treehash_inst *treehash, bds_state *state, const unsigned char *sk_seed, const xmss_params *params, const unsigned char *pub_seed, const unsigned char addr[16]) {
  267. int n = params->n;
  268. unsigned char ots_addr[16];
  269. unsigned char ltree_addr[16];
  270. unsigned char node_addr[16];
  271. memcpy(ots_addr, addr, 10);
  272. SET_OTS_BIT(ots_addr, 1);
  273. memcpy(ltree_addr, addr, 10);
  274. SET_OTS_BIT(ltree_addr, 0);
  275. SET_LTREE_BIT(ltree_addr, 1);
  276. memcpy(node_addr, ltree_addr, 10);
  277. SET_LTREE_BIT(node_addr, 0);
  278. SET_NODE_PADDING(node_addr);
  279. SET_LTREE_ADDRESS(ltree_addr, treehash->next_idx);
  280. SET_OTS_ADDRESS(ots_addr, treehash->next_idx);
  281. unsigned char nodebuffer[2 * n];
  282. unsigned int nodeheight = 0;
  283. gen_leaf_wots(nodebuffer, sk_seed, params, pub_seed, ltree_addr, ots_addr);
  284. while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) {
  285. memcpy(nodebuffer + n, nodebuffer, n);
  286. memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n);
  287. SET_NODE_TREE_HEIGHT(node_addr, nodeheight);
  288. SET_NODE_TREE_INDEX(node_addr, (treehash->next_idx >> (nodeheight+1)));
  289. hash_2n_n(nodebuffer, nodebuffer, pub_seed, node_addr, n);
  290. nodeheight++;
  291. treehash->stackusage--;
  292. state->stackoffset--;
  293. }
  294. if (nodeheight == treehash->h) { // this also implies stackusage == 0
  295. memcpy(treehash->node, nodebuffer, n);
  296. treehash->completed = 1;
  297. }
  298. else {
  299. memcpy(state->stack + state->stackoffset*n, nodebuffer, n);
  300. treehash->stackusage++;
  301. state->stacklevels[state->stackoffset] = nodeheight;
  302. state->stackoffset++;
  303. treehash->next_idx++;
  304. }
  305. }
  306. /**
  307. * Computes a root node given a leaf and an authapth
  308. */
  309. static void validate_authpath(unsigned char *root, const unsigned char *leaf, unsigned long leafidx, const unsigned char *authpath, const xmss_params *params, const unsigned char *pub_seed, unsigned char addr[16])
  310. {
  311. unsigned int n = params->n;
  312. unsigned int i, j;
  313. unsigned char buffer[2*n];
  314. // If leafidx is odd (last bit = 1), current path element is a right child and authpath has to go to the left.
  315. // Otherwise, it is the other way around
  316. if (leafidx & 1) {
  317. for (j = 0; j < n; j++)
  318. buffer[n+j] = leaf[j];
  319. for (j = 0; j < n; j++)
  320. buffer[j] = authpath[j];
  321. }
  322. else {
  323. for (j = 0; j < n; j++)
  324. buffer[j] = leaf[j];
  325. for (j = 0; j < n; j++)
  326. buffer[n+j] = authpath[j];
  327. }
  328. authpath += n;
  329. for (i = 0; i < params->h-1; i++) {
  330. SET_NODE_TREE_HEIGHT(addr, i);
  331. leafidx >>= 1;
  332. SET_NODE_TREE_INDEX(addr, leafidx);
  333. if (leafidx & 1) {
  334. hash_2n_n(buffer+n, buffer, pub_seed, addr, n);
  335. for (j = 0; j < n; j++)
  336. buffer[j] = authpath[j];
  337. }
  338. else {
  339. hash_2n_n(buffer, buffer, pub_seed, addr, n);
  340. for (j = 0; j < n; j++)
  341. buffer[j+n] = authpath[j];
  342. }
  343. authpath += n;
  344. }
  345. SET_NODE_TREE_HEIGHT(addr, (params->h-1));
  346. leafidx >>= 1;
  347. SET_NODE_TREE_INDEX(addr, leafidx);
  348. hash_2n_n(root, buffer, pub_seed, addr, n);
  349. }
  350. /**
  351. * Performs one treehash update on the instance that needs it the most.
  352. * Returns 1 if such an instance was not found
  353. **/
  354. static char bds_treehash_update(bds_state *state, unsigned int updates, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const unsigned char addr[16]) {
  355. unsigned int i, j;
  356. unsigned int level, l_min, low;
  357. unsigned int h = params->h;
  358. unsigned int k = params->k;
  359. unsigned int used = 0;
  360. for (j = 0; j < updates; j++) {
  361. l_min = h;
  362. level = h - k;
  363. for (i = 0; i < h - k; i++) {
  364. if (state->treehash[i].completed) {
  365. low = h;
  366. }
  367. else if (state->treehash[i].stackusage == 0) {
  368. low = i;
  369. }
  370. else {
  371. low = treehash_minheight_on_stack(state, params, &(state->treehash[i]));
  372. }
  373. if (low < l_min) {
  374. level = i;
  375. l_min = low;
  376. }
  377. }
  378. if (level == h - k) {
  379. break;
  380. }
  381. treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr);
  382. used++;
  383. }
  384. return updates - used;
  385. }
  386. /**
  387. * Updates the state (typically NEXT_i) by adding a leaf and updating the stack
  388. * Returns 1 if all leaf nodes have already been processed
  389. **/
  390. static char bds_state_update(bds_state *state, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, const unsigned char addr[16]) {
  391. unsigned char ltree_addr[16];
  392. unsigned char node_addr[16];
  393. unsigned char ots_addr[16];
  394. int n = params->n;
  395. int h = params->h;
  396. int k = params->k;
  397. int nodeh;
  398. int idx = state->next_leaf;
  399. if (idx == 1 << h) {
  400. return 1;
  401. }
  402. memcpy(ots_addr, addr, 10);
  403. SET_OTS_BIT(ots_addr, 1);
  404. SET_OTS_ADDRESS(ots_addr, idx);
  405. memcpy(ltree_addr, addr, 10);
  406. SET_OTS_BIT(ltree_addr, 0);
  407. SET_LTREE_BIT(ltree_addr, 1);
  408. SET_LTREE_ADDRESS(ltree_addr, idx);
  409. memcpy(node_addr, addr, 10);
  410. SET_LTREE_BIT(node_addr, 0);
  411. SET_OTS_BIT(node_addr, 0);
  412. SET_NODE_PADDING(node_addr);
  413. gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr);
  414. state->stacklevels[state->stackoffset] = 0;
  415. state->stackoffset++;
  416. if (h - k > 0 && idx == 3) {
  417. memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n);
  418. }
  419. while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[state->stackoffset-2]) {
  420. nodeh = state->stacklevels[state->stackoffset-1];
  421. if (idx >> nodeh == 1) {
  422. memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n);
  423. }
  424. else {
  425. if (nodeh < h - k && idx >> nodeh == 3) {
  426. memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n);
  427. }
  428. else if (nodeh >= h - k) {
  429. memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, state->stack+(state->stackoffset-1)*n, n);
  430. }
  431. }
  432. SET_NODE_TREE_HEIGHT(node_addr, state->stacklevels[state->stackoffset-1]);
  433. SET_NODE_TREE_INDEX(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1)));
  434. hash_2n_n(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, node_addr, n);
  435. state->stacklevels[state->stackoffset-2]++;
  436. state->stackoffset--;
  437. }
  438. state->next_leaf++;
  439. return 0;
  440. }
  441. /**
  442. * Returns the auth path for node leaf_idx and computes the auth path for the
  443. * next leaf node, using the algorithm described by Buchmann, Dahmen and Szydlo
  444. * in "Post Quantum Cryptography", Springer 2009.
  445. */
  446. static void bds_round(bds_state *state, const unsigned long leaf_idx, const unsigned char *sk_seed, const xmss_params *params, unsigned char *pub_seed, unsigned char addr[16])
  447. {
  448. unsigned int i;
  449. unsigned int n = params->n;
  450. unsigned int h = params->h;
  451. unsigned int k = params->k;
  452. unsigned int tau = h;
  453. unsigned int startidx;
  454. unsigned int offset, rowidx;
  455. unsigned char buf[2 * n];
  456. unsigned char ots_addr[16];
  457. unsigned char ltree_addr[16];
  458. unsigned char node_addr[16];
  459. memcpy(ots_addr, addr, 10);
  460. SET_OTS_BIT(ots_addr, 1);
  461. memcpy(ltree_addr, addr, 10);
  462. SET_OTS_BIT(ltree_addr, 0);
  463. SET_LTREE_BIT(ltree_addr, 1);
  464. memcpy(node_addr, ltree_addr, 10);
  465. SET_LTREE_BIT(node_addr, 0);
  466. SET_NODE_PADDING(node_addr);
  467. for (i = 0; i < h; i++) {
  468. if (! ((leaf_idx >> i) & 1)) {
  469. tau = i;
  470. break;
  471. }
  472. }
  473. if (tau > 0) {
  474. memcpy(buf, state->auth + (tau-1) * n, n);
  475. // we need to do this before refreshing state->keep to prevent overwriting
  476. memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n);
  477. }
  478. if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) {
  479. memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n);
  480. }
  481. if (tau == 0) {
  482. SET_LTREE_ADDRESS(ltree_addr, leaf_idx);
  483. SET_OTS_ADDRESS(ots_addr, leaf_idx);
  484. gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr);
  485. }
  486. else {
  487. SET_NODE_TREE_HEIGHT(node_addr, (tau-1));
  488. SET_NODE_TREE_INDEX(node_addr, leaf_idx >> tau);
  489. hash_2n_n(state->auth + tau * n, buf, pub_seed, node_addr, n);
  490. for (i = 0; i < tau; i++) {
  491. if (i < h - k) {
  492. memcpy(state->auth + i * n, state->treehash[i].node, n);
  493. }
  494. else {
  495. offset = (1 << (h - 1 - i)) + i - h;
  496. rowidx = ((leaf_idx >> i) - 1) >> 1;
  497. memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n);
  498. }
  499. }
  500. for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) {
  501. startidx = leaf_idx + 1 + 3 * (1 << i);
  502. if (startidx < 1U << h) {
  503. state->treehash[i].h = i;
  504. state->treehash[i].next_idx = startidx;
  505. state->treehash[i].completed = 0;
  506. state->treehash[i].stackusage = 0;
  507. }
  508. }
  509. }
  510. }
  511. /*
  512. * Generates a XMSS key pair for a given parameter set.
  513. * Format sk: [(32bit) idx || SK_SEED || SK_PRF || PUB_SEED]
  514. * Format pk: [root || PUB_SEED] omitting algo oid.
  515. */
  516. int xmss_keypair(unsigned char *pk, unsigned char *sk, bds_state *state, xmss_params *params)
  517. {
  518. unsigned int n = params->n;
  519. unsigned int m = params->m;
  520. // Set idx = 0
  521. sk[0] = 0;
  522. sk[1] = 0;
  523. sk[2] = 0;
  524. sk[3] = 0;
  525. // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)
  526. randombytes(sk+4, 2*n+m);
  527. // Copy PUB_SEED to public key
  528. memcpy(pk+n, sk+4+n+m, n);
  529. unsigned char addr[16] = {0, 0, 0, 0};
  530. // Compute root
  531. treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+n+m, addr);
  532. return 0;
  533. }
  534. /**
  535. * Signs a message.
  536. * Returns
  537. * 1. an array containing the signature followed by the message AND
  538. * 2. an updated secret key!
  539. *
  540. */
  541. int xmss_sign(unsigned char *sk, bds_state *state, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmss_params *params)
  542. {
  543. unsigned int h = params->h;
  544. unsigned int n = params->n;
  545. unsigned int m = params->m;
  546. unsigned int k = params->k;
  547. // Extract SK
  548. unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)sk[2] << 8) | sk[3];
  549. unsigned char sk_seed[n];
  550. memcpy(sk_seed, sk+4, n);
  551. unsigned char sk_prf[m];
  552. memcpy(sk_prf, sk+4+n, m);
  553. unsigned char pub_seed[n];
  554. memcpy(pub_seed, sk+4+n+m, n);
  555. // Update SK
  556. sk[0] = ((idx + 1) >> 24) & 255;
  557. sk[1] = ((idx + 1) >> 16) & 255;
  558. sk[2] = ((idx + 1) >> 8) & 255;
  559. sk[3] = (idx + 1) & 255;
  560. // -- Secret key for this non-forward-secure version is now updated.
  561. // -- A productive implementation should use a file handle instead and write the updated secret key at this point!
  562. // Init working params
  563. unsigned long long i;
  564. unsigned char R[m];
  565. unsigned char msg_h[m];
  566. unsigned char ots_seed[n];
  567. unsigned char ots_addr[16] = {0, 0, 0, 0};
  568. // ---------------------------------
  569. // Message Hashing
  570. // ---------------------------------
  571. // Message Hash:
  572. // First compute pseudorandom key
  573. prf_m(R, msg, msglen, sk_prf, m);
  574. // Then use it for message digest
  575. hash_m(msg_h, msg, msglen, R, m, m);
  576. // Start collecting signature
  577. *sig_msg_len = 0;
  578. // Copy index to signature
  579. sig_msg[0] = (idx >> 24) & 255;
  580. sig_msg[1] = (idx >> 16) & 255;
  581. sig_msg[2] = (idx >> 8) & 255;
  582. sig_msg[3] = idx & 255;
  583. sig_msg += 4;
  584. *sig_msg_len += 4;
  585. // Copy R to signature
  586. for (i = 0; i < m; i++)
  587. sig_msg[i] = R[i];
  588. sig_msg += m;
  589. *sig_msg_len += m;
  590. // ----------------------------------
  591. // Now we start to "really sign"
  592. // ----------------------------------
  593. // Prepare Address
  594. SET_OTS_BIT(ots_addr, 1);
  595. SET_OTS_ADDRESS(ots_addr, idx);
  596. // Compute seed for OTS key pair
  597. get_seed(ots_seed, sk_seed, n, ots_addr);
  598. // Compute WOTS signature
  599. wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr);
  600. sig_msg += params->wots_par.keysize;
  601. *sig_msg_len += params->wots_par.keysize;
  602. // the auth path was already computed during the previous round
  603. memcpy(sig_msg, state->auth, h*n);
  604. if (idx < (1U << h) - 1) {
  605. bds_round(state, idx, sk_seed, params, pub_seed, ots_addr);
  606. bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr);
  607. }
  608. sig_msg += params->h*n;
  609. *sig_msg_len += params->h*n;
  610. //Whipe secret elements?
  611. //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);
  612. memcpy(sig_msg, msg, msglen);
  613. *sig_msg_len += msglen;
  614. return 0;
  615. }
  616. /**
  617. * Verifies a given message signature pair under a given public key.
  618. */
  619. int xmss_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmss_params *params)
  620. {
  621. unsigned int n = params->n;
  622. unsigned int m = params->m;
  623. unsigned long long i, m_len;
  624. unsigned long idx=0;
  625. unsigned char wots_pk[params->wots_par.keysize];
  626. unsigned char pkhash[n];
  627. unsigned char root[n];
  628. unsigned char msg_h[m];
  629. unsigned char pub_seed[n];
  630. memcpy(pub_seed, pk+n, n);
  631. // Init addresses
  632. unsigned char ots_addr[16] = {0, 0, 0, 0};
  633. unsigned char ltree_addr[16];
  634. unsigned char node_addr[16];
  635. SET_OTS_BIT(ots_addr, 1);
  636. memcpy(ltree_addr, ots_addr, 10);
  637. SET_OTS_BIT(ltree_addr, 0);
  638. SET_LTREE_BIT(ltree_addr, 1);
  639. memcpy(node_addr, ltree_addr, 10);
  640. SET_LTREE_BIT(node_addr, 0);
  641. SET_NODE_PADDING(node_addr);
  642. // Extract index
  643. idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_msg[2] << 8) | sig_msg[3];
  644. printf("verify:: idx = %lu\n", idx);
  645. sig_msg += 4;
  646. sig_msg_len -= 4;
  647. // hash message (recall, R is now on pole position at sig_msg
  648. unsigned long long tmp_sig_len = m+params->wots_par.keysize+params->h*n;
  649. m_len = sig_msg_len - tmp_sig_len;
  650. hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);
  651. sig_msg += m;
  652. sig_msg_len -= m;
  653. //-----------------------
  654. // Verify signature
  655. //-----------------------
  656. // Prepare Address
  657. SET_OTS_ADDRESS(ots_addr, idx);
  658. // Check WOTS signature
  659. wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr);
  660. sig_msg += params->wots_par.keysize;
  661. sig_msg_len -= params->wots_par.keysize;
  662. // Compute Ltree
  663. SET_LTREE_ADDRESS(ltree_addr, idx);
  664. l_tree(pkhash, wots_pk, params, pub_seed, ltree_addr);
  665. // Compute root
  666. validate_authpath(root, pkhash, idx, sig_msg, params, pub_seed, node_addr);
  667. sig_msg += params->h*n;
  668. sig_msg_len -= params->h*n;
  669. for (i = 0; i < n; i++)
  670. if (root[i] != pk[i])
  671. goto fail;
  672. *msglen = sig_msg_len;
  673. for (i = 0; i < *msglen; i++)
  674. msg[i] = sig_msg[i];
  675. return 0;
  676. fail:
  677. *msglen = sig_msg_len;
  678. for (i = 0; i < *msglen; i++)
  679. msg[i] = 0;
  680. *msglen = -1;
  681. return -1;
  682. }
  683. /*
  684. * Generates a XMSSMT key pair for a given parameter set.
  685. * Format sk: [(ceil(h/8) bit) idx || SK_SEED || SK_PRF || PUB_SEED]
  686. * Format pk: [root || PUB_SEED] omitting algo oid.
  687. */
  688. int xmssmt_keypair(unsigned char *pk, unsigned char *sk, bds_state *states, unsigned char *wots_sigs, xmssmt_params *params)
  689. {
  690. unsigned int n = params->n;
  691. unsigned int m = params->m;
  692. unsigned int i;
  693. unsigned char ots_seed[params->n];
  694. // Set idx = 0
  695. for (i = 0; i < params->index_len; i++) {
  696. sk[i] = 0;
  697. }
  698. // Init SK_SEED (n byte), SK_PRF (m byte), and PUB_SEED (n byte)
  699. randombytes(sk+params->index_len, 2*n+m);
  700. // Copy PUB_SEED to public key
  701. memcpy(pk+n, sk+params->index_len+n+m, n);
  702. // Set address to point on the single tree on layer d-1
  703. unsigned char addr[16] = {0, 0, 0, 0};
  704. SET_OTS_BIT(addr, 1);
  705. SET_TREE_ADDRESS(addr, 0);
  706. SET_OTS_ADDRESS(addr, 0);
  707. SET_LAYER_ADDRESS(addr, 0);
  708. // Set up state and compute wots signatures for all but topmost tree root
  709. for (i = 0; i < params->d - 1; i++) {
  710. SET_LAYER_ADDRESS(addr, i);
  711. SET_TREE_ADDRESS(addr, 0);
  712. SET_OTS_ADDRESS(addr, 0);
  713. // Compute seed for OTS key pair
  714. treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);
  715. SET_LAYER_ADDRESS(addr, (i+1));
  716. get_seed(ots_seed, sk+params->index_len, n, addr);
  717. wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_par), pk+n, addr);
  718. }
  719. treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), pk+n, addr);
  720. return 0;
  721. }
  722. /**
  723. * Signs a message.
  724. * Returns
  725. * 1. an array containing the signature followed by the message AND
  726. * 2. an updated secret key!
  727. *
  728. */
  729. int xmssmt_sign(unsigned char *sk, bds_state *states, unsigned char *wots_sigs, unsigned char *sig_msg, unsigned long long *sig_msg_len, const unsigned char *msg, unsigned long long msglen, const xmssmt_params *params)
  730. {
  731. unsigned int n = params->n;
  732. unsigned int m = params->m;
  733. unsigned int tree_h = params->xmss_par.h;
  734. unsigned int h = params->h;
  735. unsigned int k = params->xmss_par.k;
  736. unsigned int idx_len = params->index_len;
  737. unsigned long long idx_tree;
  738. unsigned long long idx_leaf;
  739. unsigned long long i, j;
  740. int needswap_upto = -1;
  741. unsigned int updates;
  742. unsigned char sk_seed[n];
  743. unsigned char sk_prf[m];
  744. unsigned char pub_seed[n];
  745. // Init working params
  746. unsigned char R[m];
  747. unsigned char msg_h[m];
  748. unsigned char ots_seed[n];
  749. unsigned char addr[16] = {0, 0, 0, 0};
  750. unsigned char ots_addr[16] = {0, 0, 0, 0};
  751. bds_state tmp;
  752. // Extract SK
  753. unsigned long long idx = 0;
  754. for (i = 0; i < idx_len; i++) {
  755. idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i);
  756. }
  757. memcpy(sk_seed, sk+idx_len, n);
  758. memcpy(sk_prf, sk+idx_len+n, m);
  759. memcpy(pub_seed, sk+idx_len+n+m, n);
  760. // Update SK
  761. for (i = 0; i < idx_len; i++) {
  762. sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255;
  763. }
  764. // -- Secret key for this non-forward-secure version is now updated.
  765. // -- A productive implementation should use a file handle instead and write the updated secret key at this point!
  766. // ---------------------------------
  767. // Message Hashing
  768. // ---------------------------------
  769. // Message Hash:
  770. // First compute pseudorandom key
  771. prf_m(R, msg, msglen, sk_prf, m);
  772. // Then use it for message digest
  773. hash_m(msg_h, msg, msglen, R, m, m);
  774. // Start collecting signature
  775. *sig_msg_len = 0;
  776. // Copy index to signature
  777. for (i = 0; i < idx_len; i++) {
  778. sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255;
  779. }
  780. sig_msg += idx_len;
  781. *sig_msg_len += idx_len;
  782. // Copy R to signature
  783. for (i = 0; i < m; i++)
  784. sig_msg[i] = R[i];
  785. sig_msg += m;
  786. *sig_msg_len += m;
  787. // ----------------------------------
  788. // Now we start to "really sign"
  789. // ----------------------------------
  790. // Handle lowest layer separately as it is slightly different...
  791. // Prepare Address
  792. SET_OTS_BIT(ots_addr, 1);
  793. idx_tree = idx >> tree_h;
  794. idx_leaf = (idx & ((1 << tree_h)-1));
  795. SET_LAYER_ADDRESS(ots_addr, 0);
  796. SET_TREE_ADDRESS(ots_addr, idx_tree);
  797. SET_OTS_ADDRESS(ots_addr, idx_leaf);
  798. // Compute seed for OTS key pair
  799. get_seed(ots_seed, sk_seed, n, ots_addr);
  800. // Compute WOTS signature
  801. wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);
  802. sig_msg += params->xmss_par.wots_par.keysize;
  803. *sig_msg_len += params->xmss_par.wots_par.keysize;
  804. memcpy(sig_msg, states[0].auth, tree_h*n);
  805. sig_msg += tree_h*n;
  806. *sig_msg_len += tree_h*n;
  807. // prepare signature of remaining layers
  808. for (i = 1; i < params->d; i++) {
  809. // put WOTS signature in place
  810. memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.keysize);
  811. sig_msg += params->xmss_par.wots_par.keysize;
  812. *sig_msg_len += params->xmss_par.wots_par.keysize;
  813. // put AUTH nodes in place
  814. memcpy(sig_msg, states[i].auth, tree_h*n);
  815. sig_msg += tree_h*n;
  816. *sig_msg_len += tree_h*n;
  817. }
  818. updates = (tree_h - k) >> 1;
  819. SET_LAYER_ADDRESS(addr, 0);
  820. SET_TREE_ADDRESS(addr, (idx_tree + 1));
  821. // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists
  822. if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1UL << h)) {
  823. bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr);
  824. }
  825. for (i = 0; i < params->d; i++) {
  826. // check if we're not at the end of a tree
  827. if (! (((idx + 1) & ((1UL << ((i+1)*tree_h)) - 1)) == 0)) {
  828. idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1);
  829. idx_tree = (idx >> (tree_h * (i+1)));
  830. SET_LAYER_ADDRESS(addr, i);
  831. SET_TREE_ADDRESS(addr, idx_tree);
  832. if (i == (unsigned int) (needswap_upto + 1)) {
  833. bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr);
  834. }
  835. updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr);
  836. SET_TREE_ADDRESS(addr, (idx_tree + 1));
  837. // if a NEXT-tree exists for this level;
  838. if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1UL << (h - tree_h * i))) {
  839. if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1UL << h)) {
  840. bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr);
  841. updates--;
  842. }
  843. }
  844. }
  845. else if (idx < (1UL << h) - 1) {
  846. memcpy(&tmp, states+params->d + i, sizeof(bds_state));
  847. memcpy(states+params->d + i, states + i, sizeof(bds_state));
  848. memcpy(states + i, &tmp, sizeof(bds_state));
  849. SET_LAYER_ADDRESS(ots_addr, (i+1));
  850. SET_TREE_ADDRESS(ots_addr, ((idx + 1) >> ((i+2) * tree_h)));
  851. SET_OTS_ADDRESS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1)));
  852. get_seed(ots_seed, sk+params->index_len, n, ots_addr);
  853. wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr);
  854. states[params->d + i].stackoffset = 0;
  855. states[params->d + i].next_leaf = 0;
  856. updates--; // WOTS-signing counts as one update
  857. needswap_upto = i;
  858. for (j = 0; j < tree_h-k; j++) {
  859. states[i].treehash[j].completed = 1;
  860. }
  861. }
  862. }
  863. //Whipe secret elements?
  864. //zerobytes(tsk, CRYPTO_SECRETKEYBYTES);
  865. memcpy(sig_msg, msg, msglen);
  866. *sig_msg_len += msglen;
  867. return 0;
  868. }
  869. /**
  870. * Verifies a given message signature pair under a given public key.
  871. */
  872. int xmssmt_sign_open(unsigned char *msg, unsigned long long *msglen, const unsigned char *sig_msg, unsigned long long sig_msg_len, const unsigned char *pk, const xmssmt_params *params)
  873. {
  874. unsigned int n = params->n;
  875. unsigned int m = params->m;
  876. unsigned int tree_h = params->xmss_par.h;
  877. unsigned int idx_len = params->index_len;
  878. unsigned long long idx_tree;
  879. unsigned long long idx_leaf;
  880. unsigned long long i, m_len;
  881. unsigned long long idx=0;
  882. unsigned char wots_pk[params->xmss_par.wots_par.keysize];
  883. unsigned char pkhash[n];
  884. unsigned char root[n];
  885. unsigned char msg_h[m];
  886. unsigned char pub_seed[n];
  887. memcpy(pub_seed, pk+n, n);
  888. // Init addresses
  889. unsigned char ots_addr[16] = {0, 0, 0, 0};
  890. unsigned char ltree_addr[16];
  891. unsigned char node_addr[16];
  892. // Extract index
  893. for (i = 0; i < idx_len; i++) {
  894. idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i));
  895. }
  896. printf("verify:: idx = %llu\n", idx);
  897. sig_msg += idx_len;
  898. sig_msg_len -= idx_len;
  899. // hash message (recall, R is now on pole position at sig_msg
  900. unsigned long long tmp_sig_len = m+ (params->d * params->xmss_par.wots_par.keysize) + (params->h * n);
  901. m_len = sig_msg_len - tmp_sig_len;
  902. hash_m(msg_h, sig_msg + tmp_sig_len, m_len, sig_msg, m, m);
  903. sig_msg += m;
  904. sig_msg_len -= m;
  905. //-----------------------
  906. // Verify signature
  907. //-----------------------
  908. // Prepare Address
  909. idx_tree = idx >> tree_h;
  910. idx_leaf = (idx & ((1 << tree_h)-1));
  911. SET_LAYER_ADDRESS(ots_addr, 0);
  912. SET_TREE_ADDRESS(ots_addr, idx_tree);
  913. SET_OTS_BIT(ots_addr, 1);
  914. memcpy(ltree_addr, ots_addr, 10);
  915. SET_OTS_BIT(ltree_addr, 0);
  916. SET_LTREE_BIT(ltree_addr, 1);
  917. memcpy(node_addr, ltree_addr, 10);
  918. SET_LTREE_BIT(node_addr, 0);
  919. SET_NODE_PADDING(node_addr);
  920. SET_OTS_ADDRESS(ots_addr, idx_leaf);
  921. // Check WOTS signature
  922. wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr);
  923. sig_msg += params->xmss_par.wots_par.keysize;
  924. sig_msg_len -= params->xmss_par.wots_par.keysize;
  925. // Compute Ltree
  926. SET_LTREE_ADDRESS(ltree_addr, idx_leaf);
  927. l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);
  928. // Compute root
  929. validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);
  930. sig_msg += tree_h*n;
  931. sig_msg_len -= tree_h*n;
  932. for (i = 1; i < params->d; i++) {
  933. // Prepare Address
  934. idx_leaf = (idx_tree & ((1 << tree_h)-1));
  935. idx_tree = idx_tree >> tree_h;
  936. SET_LAYER_ADDRESS(ots_addr, i);
  937. SET_TREE_ADDRESS(ots_addr, idx_tree);
  938. SET_OTS_BIT(ots_addr, 1);
  939. memcpy(ltree_addr, ots_addr, 10);
  940. SET_OTS_BIT(ltree_addr, 0);
  941. SET_LTREE_BIT(ltree_addr, 1);
  942. memcpy(node_addr, ltree_addr, 10);
  943. SET_LTREE_BIT(node_addr, 0);
  944. SET_NODE_PADDING(node_addr);
  945. SET_OTS_ADDRESS(ots_addr, idx_leaf);
  946. // Check WOTS signature
  947. wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr);
  948. sig_msg += params->xmss_par.wots_par.keysize;
  949. sig_msg_len -= params->xmss_par.wots_par.keysize;
  950. // Compute Ltree
  951. SET_LTREE_ADDRESS(ltree_addr, idx_leaf);
  952. l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr);
  953. // Compute root
  954. validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr);
  955. sig_msg += tree_h*n;
  956. sig_msg_len -= tree_h*n;
  957. }
  958. for (i = 0; i < n; i++)
  959. if (root[i] != pk[i])
  960. goto fail;
  961. *msglen = sig_msg_len;
  962. for (i = 0; i < *msglen; i++)
  963. msg[i] = sig_msg[i];
  964. return 0;
  965. fail:
  966. *msglen = sig_msg_len;
  967. for (i = 0; i < *msglen; i++)
  968. msg[i] = 0;
  969. *msglen = -1;
  970. return -1;
  971. }