34 * takes the n-byte sk_seed and returns an n-byte seed using the 32-byte address addr.
36 static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8]) in get_seed() argument
39 // Make sure that chain addr, hash addr, and key bit are 0! in get_seed()
40 setChainADRS(addr,0); in get_seed()
41 setHashADRS(addr,0); in get_seed()
42 setKeyAndMask(addr,0); in get_seed()
45 prf(seed, bytes, sk_seed, n); in get_seed()
53 int xmss_set_params(xmss_params *params, int n, int h, int w, int k) in xmss_set_params() argument
55 if (k >= h || k < 2 || (h - k) % 2) { in xmss_set_params()
56 fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n"); in xmss_set_params()
59 params->h = h; in xmss_set_params()
60 params->n = n; in xmss_set_params()
61 params->k = k; in xmss_set_params()
63 wots_set_params(&wots_par, n, w); in xmss_set_params()
64 params->wots_par = wots_par; in xmss_set_params()
65 return 0; in xmss_set_params()
74 state->stack = stack; in xmss_set_bds_state()
75 state->stackoffset = stackoffset; in xmss_set_bds_state()
76 state->stacklevels = stacklevels; in xmss_set_bds_state()
77 state->auth = auth; in xmss_set_bds_state()
78 state->keep = keep; in xmss_set_bds_state()
79 state->treehash = treehash; in xmss_set_bds_state()
80 state->retain = retain; in xmss_set_bds_state()
81 state->next_leaf = next_leaf; in xmss_set_bds_state()
90 int xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w, int k) in xmssmt_set_params() argument
93 fprintf(stderr, "d must divide h without remainder!\n"); in xmssmt_set_params()
96 params->h = h; in xmssmt_set_params()
97 params->d = d; in xmssmt_set_params()
98 params->n = n; in xmssmt_set_params()
99 params->index_len = (h + 7) / 8; in xmssmt_set_params()
101 if (xmss_set_params(&xmss_par, n, (h/d), w, k)) { in xmssmt_set_params()
104 params->xmss_par = xmss_par; in xmssmt_set_params()
105 return 0; in xmssmt_set_params()
109 * Computes a leaf from a WOTS public key using an L-tree.
113 unsigned int l = params->wots_par.len; in l_tree()
114 unsigned int n = params->n; in l_tree() local
115 uint32_t i = 0; in l_tree()
116 uint32_t height = 0; in l_tree()
119 //ADRS.setTreeHeight(0); in l_tree()
124 for (i = 0; i < bound; i++) { in l_tree()
128 hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n); in l_tree()
133 memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n); in l_tree()
145 //return pk[0]; in l_tree()
146 memcpy(leaf, wots_pk, n); in l_tree()
150 …e. As this happens position independent, we only require that addr encodes the right ltree-address.
154 unsigned char seed[params->n]; in gen_leaf_wots()
155 unsigned char pk[params->wots_par.keysize]; in gen_leaf_wots()
157 get_seed(seed, sk_seed, params->n, ots_addr); in gen_leaf_wots()
158 wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr); in gen_leaf_wots()
164 unsigned int r = params->h, i; in treehash_minheight_on_stack()
165 for (i = 0; i < treehash->stackusage; i++) { in treehash_minheight_on_stack()
166 if (state->stacklevels[state->stackoffset - i - 1] < r) { in treehash_minheight_on_stack()
167 r = state->stacklevels[state->stackoffset - i - 1]; in treehash_minheight_on_stack()
181 unsigned int n = params->n; in treehash_setup() local
182 unsigned int h = params->h; in treehash_setup()
183 unsigned int k = params->k; in treehash_setup()
191 setType(ots_addr, 0); in treehash_setup()
198 unsigned char stack[(height+1)*n]; in treehash_setup()
200 unsigned int stackoffset=0; in treehash_setup()
205 for (i = 0; i < h-k; i++) { in treehash_setup()
206 state->treehash[i].h = i; in treehash_setup()
207 state->treehash[i].completed = 1; in treehash_setup()
208 state->treehash[i].stackusage = 0; in treehash_setup()
211 i = 0; in treehash_setup()
215 gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr); in treehash_setup()
216 stacklevels[stackoffset] = 0; in treehash_setup()
218 if (h - k > 0 && i == 3) { in treehash_setup()
219 memcpy(state->treehash[0].node, stack+stackoffset*n, n); in treehash_setup()
221 while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) in treehash_setup()
223 nodeh = stacklevels[stackoffset-1]; in treehash_setup()
225 memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n); in treehash_setup()
228 if (nodeh < h - k && i >> nodeh == 3) { in treehash_setup()
229 memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n); in treehash_setup()
231 else if (nodeh >= h - k) { in treehash_setup()
232 …memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack… in treehash_setup()
235 setTreeHeight(node_addr, stacklevels[stackoffset-1]); in treehash_setup()
236 setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1))); in treehash_setup()
237 hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed, in treehash_setup()
238 node_addr, n); in treehash_setup()
239 stacklevels[stackoffset-2]++; in treehash_setup()
240 stackoffset--; in treehash_setup()
245 for (i = 0; i < n; i++) in treehash_setup()
250 int n = params->n; in treehash_update() local
258 setType(ots_addr, 0); in treehash_update()
264 setLtreeADRS(ltree_addr, treehash->next_idx); in treehash_update()
265 setOTSADRS(ots_addr, treehash->next_idx); in treehash_update()
267 unsigned char nodebuffer[2 * n]; in treehash_update()
268 unsigned int nodeheight = 0; in treehash_update()
270 while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) { in treehash_update()
271 memcpy(nodebuffer + n, nodebuffer, n); in treehash_update()
272 memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n); in treehash_update()
274 setTreeIndex(node_addr, (treehash->next_idx >> (nodeheight+1))); in treehash_update()
275 hash_h(nodebuffer, nodebuffer, pub_seed, node_addr, n); in treehash_update()
277 treehash->stackusage--; in treehash_update()
278 state->stackoffset--; in treehash_update()
280 if (nodeheight == treehash->h) { // this also implies stackusage == 0 in treehash_update()
281 memcpy(treehash->node, nodebuffer, n); in treehash_update()
282 treehash->completed = 1; in treehash_update()
285 memcpy(state->stack + state->stackoffset*n, nodebuffer, n); in treehash_update()
286 treehash->stackusage++; in treehash_update()
287 state->stacklevels[state->stackoffset] = nodeheight; in treehash_update()
288 state->stackoffset++; in treehash_update()
289 treehash->next_idx++; in treehash_update()
298 unsigned int n = params->n; in validate_authpath() local
301 unsigned char buffer[2*n]; in validate_authpath()
306 for (j = 0; j < n; j++) in validate_authpath()
307 buffer[n+j] = leaf[j]; in validate_authpath()
308 for (j = 0; j < n; j++) in validate_authpath()
312 for (j = 0; j < n; j++) in validate_authpath()
314 for (j = 0; j < n; j++) in validate_authpath()
315 buffer[n+j] = authpath[j]; in validate_authpath()
317 authpath += n; in validate_authpath()
319 for (i=0; i < params->h-1; i++) { in validate_authpath()
324 hash_h(buffer+n, buffer, pub_seed, addr, n); in validate_authpath()
325 for (j = 0; j < n; j++) in validate_authpath()
329 hash_h(buffer, buffer, pub_seed, addr, n); in validate_authpath()
330 for (j = 0; j < n; j++) in validate_authpath()
331 buffer[j+n] = authpath[j]; in validate_authpath()
333 authpath += n; in validate_authpath()
335 setTreeHeight(addr, (params->h-1)); in validate_authpath()
338 hash_h(root, buffer, pub_seed, addr, n); in validate_authpath()
348 unsigned int h = params->h; in bds_treehash_update()
349 unsigned int k = params->k; in bds_treehash_update()
350 unsigned int used = 0; in bds_treehash_update()
352 for (j = 0; j < updates; j++) { in bds_treehash_update()
354 level = h - k; in bds_treehash_update()
355 for (i = 0; i < h - k; i++) { in bds_treehash_update()
356 if (state->treehash[i].completed) { in bds_treehash_update()
359 else if (state->treehash[i].stackusage == 0) { in bds_treehash_update()
363 low = treehash_minheight_on_stack(state, params, &(state->treehash[i])); in bds_treehash_update()
370 if (level == h - k) { in bds_treehash_update()
373 treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr); in bds_treehash_update()
376 return updates - used; in bds_treehash_update()
388 int n = params->n; in bds_state_update() local
389 int h = params->h; in bds_state_update()
390 int k = params->k; in bds_state_update()
393 int idx = state->next_leaf; in bds_state_update()
401 setType(ots_addr, 0); in bds_state_update()
410 gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr); in bds_state_update()
412 state->stacklevels[state->stackoffset] = 0; in bds_state_update()
413 state->stackoffset++; in bds_state_update()
414 if (h - k > 0 && idx == 3) { in bds_state_update()
415 memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n); in bds_state_update()
417 …while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[stat… in bds_state_update()
418 nodeh = state->stacklevels[state->stackoffset-1]; in bds_state_update()
420 memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n); in bds_state_update()
423 if (nodeh < h - k && idx >> nodeh == 3) { in bds_state_update()
424 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n); in bds_state_update()
426 else if (nodeh >= h - k) { in bds_state_update()
427 …memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, sta… in bds_state_update()
430 setTreeHeight(node_addr, state->stacklevels[state->stackoffset-1]); in bds_state_update()
431 setTreeIndex(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1))); in bds_state_update()
432 …hash_h(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, nod… in bds_state_update()
434 state->stacklevels[state->stackoffset-2]++; in bds_state_update()
435 state->stackoffset--; in bds_state_update()
437 state->next_leaf++; in bds_state_update()
438 return 0; in bds_state_update()
449 unsigned int n = params->n; in bds_round() local
450 unsigned int h = params->h; in bds_round()
451 unsigned int k = params->k; in bds_round()
456 unsigned char buf[2 * n]; in bds_round()
464 setType(ots_addr, 0); in bds_round()
470 for (i = 0; i < h; i++) { in bds_round()
477 if (tau > 0) { in bds_round()
478 memcpy(buf, state->auth + (tau-1) * n, n); in bds_round()
479 // we need to do this before refreshing state->keep to prevent overwriting in bds_round()
480 memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n); in bds_round()
482 if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) { in bds_round()
483 memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n); in bds_round()
485 if (tau == 0) { in bds_round()
488 gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr); in bds_round()
491 setTreeHeight(node_addr, (tau-1)); in bds_round()
493 hash_h(state->auth + tau * n, buf, pub_seed, node_addr, n); in bds_round()
494 for (i = 0; i < tau; i++) { in bds_round()
495 if (i < h - k) { in bds_round()
496 memcpy(state->auth + i * n, state->treehash[i].node, n); in bds_round()
499 offset = (1 << (h - 1 - i)) + i - h; in bds_round()
500 rowidx = ((leaf_idx >> i) - 1) >> 1; in bds_round()
501 memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n); in bds_round()
505 for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) { in bds_round()
508 state->treehash[i].h = i; in bds_round()
509 state->treehash[i].next_idx = startidx; in bds_round()
510 state->treehash[i].completed = 0; in bds_round()
511 state->treehash[i].stackusage = 0; in bds_round()
524 unsigned int n = params->n; in xmss_keypair() local
525 // Set idx = 0 in xmss_keypair()
526 sk[0] = 0; in xmss_keypair()
527 sk[1] = 0; in xmss_keypair()
528 sk[2] = 0; in xmss_keypair()
529 sk[3] = 0; in xmss_keypair()
530 // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte) in xmss_keypair()
531 randombytes(sk+4, 3*n); in xmss_keypair()
533 memcpy(pk+n, sk+4+2*n, n); in xmss_keypair()
535 uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmss_keypair()
538 treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+2*n, addr); in xmss_keypair()
540 memcpy(sk+4+3*n, pk, n); in xmss_keypair()
541 return 0; in xmss_keypair()
553 unsigned int h = params->h; in xmss_sign()
554 unsigned int n = params->n; in xmss_sign() local
555 unsigned int k = params->k; in xmss_sign()
556 uint16_t i = 0; in xmss_sign()
559 …unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)… in xmss_sign()
560 unsigned char sk_seed[n]; in xmss_sign()
561 memcpy(sk_seed, sk+4, n); in xmss_sign()
562 unsigned char sk_prf[n]; in xmss_sign()
563 memcpy(sk_prf, sk+4+n, n); in xmss_sign()
564 unsigned char pub_seed[n]; in xmss_sign()
565 memcpy(pub_seed, sk+4+2*n, n); in xmss_sign()
571 unsigned char hash_key[3*n]; in xmss_sign()
574 sk[0] = ((idx + 1) >> 24) & 255; in xmss_sign()
578 // -- Secret key for this non-forward-secure version is now updated. in xmss_sign()
579 …// -- A productive implementation should use a file handle instead and write the updated secret ke… in xmss_sign()
582 unsigned char R[n]; in xmss_sign()
583 unsigned char msg_h[n]; in xmss_sign()
584 unsigned char ots_seed[n]; in xmss_sign()
585 uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmss_sign()
587 // --------------------------------- in xmss_sign()
589 // --------------------------------- in xmss_sign()
593 prf(R, idx_bytes_32, sk_prf, n); in xmss_sign()
595 memcpy(hash_key, R, n); in xmss_sign()
596 memcpy(hash_key+n, sk+4+3*n, n); in xmss_sign()
597 to_byte(hash_key+2*n, idx, n); in xmss_sign()
599 h_msg(msg_h, msg, msglen, hash_key, 3*n, n); in xmss_sign()
602 *sig_msg_len = 0; in xmss_sign()
605 sig_msg[0] = (idx >> 24) & 255; in xmss_sign()
614 for (i = 0; i < n; i++) in xmss_sign()
617 sig_msg += n; in xmss_sign()
618 *sig_msg_len += n; in xmss_sign()
620 // ---------------------------------- in xmss_sign()
622 // ---------------------------------- in xmss_sign()
625 setType(ots_addr, 0); in xmss_sign()
629 get_seed(ots_seed, sk_seed, n, ots_addr); in xmss_sign()
632 wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr); in xmss_sign()
634 sig_msg += params->wots_par.keysize; in xmss_sign()
635 *sig_msg_len += params->wots_par.keysize; in xmss_sign()
638 memcpy(sig_msg, state->auth, h*n); in xmss_sign()
640 if (idx < (1U << h) - 1) { in xmss_sign()
642 bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr); in xmss_sign()
647 sig_msg += params->h*n; in xmss_sign()
648 *sig_msg_len += params->h*n; in xmss_sign()
657 return 0; in xmss_sign()
665 unsigned int n = params->n; in xmss_sign_open() local
668 unsigned long idx=0; in xmss_sign_open()
669 unsigned char wots_pk[params->wots_par.keysize]; in xmss_sign_open()
670 unsigned char pkhash[n]; in xmss_sign_open()
671 unsigned char root[n]; in xmss_sign_open()
672 unsigned char msg_h[n]; in xmss_sign_open()
673 unsigned char hash_key[3*n]; in xmss_sign_open()
675 unsigned char pub_seed[n]; in xmss_sign_open()
676 memcpy(pub_seed, pk+n, n); in xmss_sign_open()
679 uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmss_sign_open()
680 uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmss_sign_open()
681 uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmss_sign_open()
683 setType(ots_addr, 0); in xmss_sign_open()
688 …idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_… in xmss_sign_open()
689 printf("verify:: idx = %lu\n", idx); in xmss_sign_open()
692 memcpy(hash_key, sig_msg+4,n); in xmss_sign_open()
693 memcpy(hash_key+n, pk, n); in xmss_sign_open()
694 to_byte(hash_key+2*n, idx, n); in xmss_sign_open()
696 sig_msg += (n+4); in xmss_sign_open()
697 sig_msg_len -= (n+4); in xmss_sign_open()
700 unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n; in xmss_sign_open()
701 m_len = sig_msg_len - tmp_sig_len; in xmss_sign_open()
702 h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n); in xmss_sign_open()
704 //----------------------- in xmss_sign_open()
706 //----------------------- in xmss_sign_open()
711 wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr); in xmss_sign_open()
713 sig_msg += params->wots_par.keysize; in xmss_sign_open()
714 sig_msg_len -= params->wots_par.keysize; in xmss_sign_open()
723 sig_msg += params->h*n; in xmss_sign_open()
724 sig_msg_len -= params->h*n; in xmss_sign_open()
726 for (i = 0; i < n; i++) in xmss_sign_open()
731 for (i = 0; i < *msglen; i++) in xmss_sign_open()
734 return 0; in xmss_sign_open()
739 for (i = 0; i < *msglen; i++) in xmss_sign_open()
740 msg[i] = 0; in xmss_sign_open()
741 *msglen = -1; in xmss_sign_open()
742 return -1; in xmss_sign_open()
752 unsigned int n = params->n; in xmssmt_keypair() local
754 unsigned char ots_seed[params->n]; in xmssmt_keypair()
755 // Set idx = 0 in xmssmt_keypair()
756 for (i = 0; i < params->index_len; i++) { in xmssmt_keypair()
757 sk[i] = 0; in xmssmt_keypair()
759 // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte) in xmssmt_keypair()
760 randombytes(sk+params->index_len, 3*n); in xmssmt_keypair()
762 memcpy(pk+n, sk+params->index_len+2*n, n); in xmssmt_keypair()
764 // Set the address to point to the single tree on layer d-1 in xmssmt_keypair()
765 uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_keypair()
766 setLayerADRS(addr, (params->d-1)); in xmssmt_keypair()
768 for (i = 0; i < params->d - 1; i++) { in xmssmt_keypair()
770 …treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), p… in xmssmt_keypair()
772 get_seed(ots_seed, sk+params->index_len, n, addr); in xmssmt_keypair()
773 …wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_p… in xmssmt_keypair()
775 …treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), p… in xmssmt_keypair()
776 memcpy(sk+params->index_len+3*n, pk, n); in xmssmt_keypair()
777 return 0; in xmssmt_keypair()
789 unsigned int n = params->n; in xmssmt_sign() local
791 unsigned int tree_h = params->xmss_par.h; in xmssmt_sign()
792 unsigned int h = params->h; in xmssmt_sign()
793 unsigned int k = params->xmss_par.k; in xmssmt_sign()
794 unsigned int idx_len = params->index_len; in xmssmt_sign()
798 int needswap_upto = -1; in xmssmt_sign()
801 unsigned char sk_seed[n]; in xmssmt_sign()
802 unsigned char sk_prf[n]; in xmssmt_sign()
803 unsigned char pub_seed[n]; in xmssmt_sign()
805 unsigned char R[n]; in xmssmt_sign()
806 unsigned char msg_h[n]; in xmssmt_sign()
807 unsigned char hash_key[3*n]; in xmssmt_sign()
808 unsigned char ots_seed[n]; in xmssmt_sign()
809 uint32_t addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_sign()
810 uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_sign()
815 unsigned long long idx = 0; in xmssmt_sign()
816 for (i = 0; i < idx_len; i++) { in xmssmt_sign()
817 idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i); in xmssmt_sign()
820 memcpy(sk_seed, sk+idx_len, n); in xmssmt_sign()
821 memcpy(sk_prf, sk+idx_len+n, n); in xmssmt_sign()
822 memcpy(pub_seed, sk+idx_len+2*n, n); in xmssmt_sign()
825 for (i = 0; i < idx_len; i++) { in xmssmt_sign()
826 sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255; in xmssmt_sign()
828 // -- Secret key for this non-forward-secure version is now updated. in xmssmt_sign()
829 …// -- A productive implementation should use a file handle instead and write the updated secret ke… in xmssmt_sign()
832 // --------------------------------- in xmssmt_sign()
834 // --------------------------------- in xmssmt_sign()
839 prf(R, idx_bytes_32, sk_prf, n); in xmssmt_sign()
841 memcpy(hash_key, R, n); in xmssmt_sign()
842 memcpy(hash_key+n, sk+idx_len+3*n, n); in xmssmt_sign()
843 to_byte(hash_key+2*n, idx, n); in xmssmt_sign()
846 h_msg(msg_h, msg, msglen, hash_key, 3*n, n); in xmssmt_sign()
849 *sig_msg_len = 0; in xmssmt_sign()
852 for (i = 0; i < idx_len; i++) { in xmssmt_sign()
853 sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255; in xmssmt_sign()
860 for (i = 0; i < n; i++) in xmssmt_sign()
863 sig_msg += n; in xmssmt_sign()
864 *sig_msg_len += n; in xmssmt_sign()
866 // ---------------------------------- in xmssmt_sign()
868 // ---------------------------------- in xmssmt_sign()
873 setType(ots_addr, 0); in xmssmt_sign()
875 idx_leaf = (idx & ((1 << tree_h)-1)); in xmssmt_sign()
876 setLayerADRS(ots_addr, 0); in xmssmt_sign()
881 get_seed(ots_seed, sk_seed, n, ots_addr); in xmssmt_sign()
884 wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign()
886 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign()
887 *sig_msg_len += params->xmss_par.wots_par.keysize; in xmssmt_sign()
889 memcpy(sig_msg, states[0].auth, tree_h*n); in xmssmt_sign()
890 sig_msg += tree_h*n; in xmssmt_sign()
891 *sig_msg_len += tree_h*n; in xmssmt_sign()
894 for (i = 1; i < params->d; i++) { in xmssmt_sign()
896 …memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.key… in xmssmt_sign()
898 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign()
899 *sig_msg_len += params->xmss_par.wots_par.keysize; in xmssmt_sign()
902 memcpy(sig_msg, states[i].auth, tree_h*n); in xmssmt_sign()
903 sig_msg += tree_h*n; in xmssmt_sign()
904 *sig_msg_len += tree_h*n; in xmssmt_sign()
907 updates = (tree_h - k) >> 1; in xmssmt_sign()
910 // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists in xmssmt_sign()
912 bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
915 for (i = 0; i < params->d; i++) { in xmssmt_sign()
917 if (! (((idx + 1) & ((1ULL << ((i+1)*tree_h)) - 1)) == 0)) { in xmssmt_sign()
918 idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1); in xmssmt_sign()
923 bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
925 … updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
927 // if a NEXT-tree exists for this level; in xmssmt_sign()
928 if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << (h - tree_h * i))) { in xmssmt_sign()
929 if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << h)) { in xmssmt_sign()
930 bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
931 updates--; in xmssmt_sign()
935 else if (idx < (1ULL << h) - 1) { in xmssmt_sign()
936 memcpy(&tmp, states+params->d + i, sizeof(bds_state)); in xmssmt_sign()
937 memcpy(states+params->d + i, states + i, sizeof(bds_state)); in xmssmt_sign()
942 setOTSADRS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1))); in xmssmt_sign()
944 get_seed(ots_seed, sk+params->index_len, n, ots_addr); in xmssmt_sign()
945 …wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xm… in xmssmt_sign()
947 states[params->d + i].stackoffset = 0; in xmssmt_sign()
948 states[params->d + i].next_leaf = 0; in xmssmt_sign()
950 updates--; // WOTS-signing counts as one update in xmssmt_sign()
952 for (j = 0; j < tree_h-k; j++) { in xmssmt_sign()
964 return 0; in xmssmt_sign()
972 unsigned int n = params->n; in xmssmt_sign_open() local
974 unsigned int tree_h = params->xmss_par.h; in xmssmt_sign_open()
975 unsigned int idx_len = params->index_len; in xmssmt_sign_open()
980 unsigned long long idx=0; in xmssmt_sign_open()
981 unsigned char wots_pk[params->xmss_par.wots_par.keysize]; in xmssmt_sign_open()
982 unsigned char pkhash[n]; in xmssmt_sign_open()
983 unsigned char root[n]; in xmssmt_sign_open()
984 unsigned char msg_h[n]; in xmssmt_sign_open()
985 unsigned char hash_key[3*n]; in xmssmt_sign_open()
987 unsigned char pub_seed[n]; in xmssmt_sign_open()
988 memcpy(pub_seed, pk+n, n); in xmssmt_sign_open()
991 uint32_t ots_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_sign_open()
992 uint32_t ltree_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_sign_open()
993 uint32_t node_addr[8] = {0, 0, 0, 0, 0, 0, 0, 0}; in xmssmt_sign_open()
996 for (i = 0; i < idx_len; i++) { in xmssmt_sign_open()
997 idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i)); in xmssmt_sign_open()
999 printf("verify:: idx = %llu\n", idx); in xmssmt_sign_open()
1001 sig_msg_len -= idx_len; in xmssmt_sign_open()
1004 memcpy(hash_key, sig_msg,n); in xmssmt_sign_open()
1005 memcpy(hash_key+n, pk, n); in xmssmt_sign_open()
1006 to_byte(hash_key+2*n, idx, n); in xmssmt_sign_open()
1008 sig_msg += n; in xmssmt_sign_open()
1009 sig_msg_len -= n; in xmssmt_sign_open()
1013 …unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n); in xmssmt_sign_open()
1014 m_len = sig_msg_len - tmp_sig_len; in xmssmt_sign_open()
1015 h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n); in xmssmt_sign_open()
1018 //----------------------- in xmssmt_sign_open()
1020 //----------------------- in xmssmt_sign_open()
1024 idx_leaf = (idx & ((1 << tree_h)-1)); in xmssmt_sign_open()
1025 setLayerADRS(ots_addr, 0); in xmssmt_sign_open()
1027 setType(ots_addr, 0); in xmssmt_sign_open()
1038 wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign_open()
1040 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1041 sig_msg_len -= params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1045 l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr); in xmssmt_sign_open()
1048 validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr); in xmssmt_sign_open()
1050 sig_msg += tree_h*n; in xmssmt_sign_open()
1051 sig_msg_len -= tree_h*n; in xmssmt_sign_open()
1053 for (i = 1; i < params->d; i++) { in xmssmt_sign_open()
1055 idx_leaf = (idx_tree & ((1 << tree_h)-1)); in xmssmt_sign_open()
1060 setType(ots_addr, 0); in xmssmt_sign_open()
1071 wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign_open()
1073 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1074 sig_msg_len -= params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1078 l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr); in xmssmt_sign_open()
1081 validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr); in xmssmt_sign_open()
1083 sig_msg += tree_h*n; in xmssmt_sign_open()
1084 sig_msg_len -= tree_h*n; in xmssmt_sign_open()
1088 for (i = 0; i < n; i++) in xmssmt_sign_open()
1093 for (i = 0; i < *msglen; i++) in xmssmt_sign_open()
1096 return 0; in xmssmt_sign_open()
1101 for (i = 0; i < *msglen; i++) in xmssmt_sign_open()
1102 msg[i] = 0; in xmssmt_sign_open()
1103 *msglen = -1; in xmssmt_sign_open()
1104 return -1; in xmssmt_sign_open()