diff --git a/include/gmssl/xmss.h b/include/gmssl/xmss.h index 13c80d70..216f5596 100644 --- a/include/gmssl/xmss.h +++ b/include/gmssl/xmss.h @@ -15,7 +15,6 @@ #include #include #include -#include #ifdef ENABLE_SHA2 #include #endif @@ -25,18 +24,22 @@ extern "C" { #endif +typedef uint8_t xmss_hash256_t[32]; + // Crosscheck with data from xmss-reference (SHA-256), except the XMSS signature. -#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) -# define HASH256_CTX SHA256_CTX -# define hash256_init sha256_init -# define hash256_update sha256_update -# define hash256_finish sha256_finish +#if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) && !defined(HASH256_CTX) +# define XMSS_HASH256_CTX SHA256_CTX +# define xmss_hash256_init sha256_init +# define xmss_hash256_update sha256_update +# define xmss_hash256_finish sha256_finish +# define XMSS_HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE #else -# define HASH256_CTX SM3_CTX -# define hash256_init sm3_init -# define hash256_update sm3_update -# define hash256_finish sm3_finish +# define XMSS_HASH256_CTX SM3_CTX +# define xmss_hash256_init sm3_init +# define xmss_hash256_update sm3_update +# define xmss_hash256_finish sm3_finish +# define XMSS_HASH256_BLOCK_SIZE SM3_BLOCK_SIZE #endif @@ -85,65 +88,65 @@ typedef struct { typedef uint8_t xmss_adrs_t[32]; -void adrs_copy_layer_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_tree_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_type(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_ots_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_ltree_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_padding(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_chain_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_tree_height(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_hash_address(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_tree_index(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_copy_key_and_mask(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_layer_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_tree_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_type(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_ots_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_ltree_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_padding(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_chain_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_tree_height(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_hash_address(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_tree_index(xmss_adrs_t dst, const xmss_adrs_t src); +void xmss_adrs_copy_key_and_mask(xmss_adrs_t dst, const xmss_adrs_t src); -void adrs_set_layer_address(xmss_adrs_t adrs, uint32_t layer); -void adrs_set_tree_address(xmss_adrs_t adrs, uint64_t tree_addr); -void adrs_set_type(xmss_adrs_t adrs, uint32_t type); -void adrs_set_ots_address(xmss_adrs_t adrs, uint32_t address); -void adrs_set_ltree_address(xmss_adrs_t adrs, uint32_t address); -void adrs_set_padding(xmss_adrs_t adrs, uint32_t padding); -void adrs_set_chain_address(xmss_adrs_t adrs, uint32_t address); -void adrs_set_tree_height(xmss_adrs_t adrs, uint32_t height); -void adrs_set_hash_address(xmss_adrs_t adrs, uint32_t address); -void adrs_set_tree_index(xmss_adrs_t adrs, uint32_t index); -void adrs_set_key_and_mask(xmss_adrs_t adrs, uint32_t key_and_mask); +void xmss_adrs_set_layer_address(xmss_adrs_t adrs, uint32_t layer); +void xmss_adrs_set_tree_address(xmss_adrs_t adrs, uint64_t tree_addr); +void xmss_adrs_set_type(xmss_adrs_t adrs, uint32_t type); +void xmss_adrs_set_ots_address(xmss_adrs_t adrs, uint32_t address); +void xmss_adrs_set_ltree_address(xmss_adrs_t adrs, uint32_t address); +void xmss_adrs_set_padding(xmss_adrs_t adrs, uint32_t padding); +void xmss_adrs_set_chain_address(xmss_adrs_t adrs, uint32_t address); +void xmss_adrs_set_tree_height(xmss_adrs_t adrs, uint32_t height); +void xmss_adrs_set_hash_address(xmss_adrs_t adrs, uint32_t address); +void xmss_adrs_set_tree_index(xmss_adrs_t adrs, uint32_t index); +void xmss_adrs_set_key_and_mask(xmss_adrs_t adrs, uint32_t key_and_mask); -int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const hash256_t adrs); +int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_hash256_t adrs); // WOTS+ with SM3/SHA256 -#define WOTS_WINTERNITZ_W 16 // rfc 8391 named algors only support w = 2^4 = 16 -#define WOTS_NUM_CHAINS 67 +#define XMSS_WOTS_WINTERNITZ_W 16 // rfc 8391 named algors only support w = 2^4 = 16 +#define XMSS_WOTS_NUM_CHAINS 67 -typedef hash256_t wots_key_t[WOTS_NUM_CHAINS]; -typedef hash256_t wots_sig_t[WOTS_NUM_CHAINS]; +typedef xmss_hash256_t xmss_wots_key_t[XMSS_WOTS_NUM_CHAINS]; +typedef xmss_hash256_t xmss_wots_sig_t[XMSS_WOTS_NUM_CHAINS]; -void wots_derive_sk(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t adrs, - wots_key_t sk); -void wots_chain(const hash256_t x, - const hash256_t seed, const xmss_adrs_t adrs, - int start, int steps, hash256_t y); -void wots_sk_to_pk(const wots_key_t sk, - const hash256_t seed, const xmss_adrs_t adrs, - wots_key_t pk); -void wots_sign(const wots_key_t sk, - const hash256_t seed, const xmss_adrs_t adrs, - const hash256_t dgst, wots_sig_t sig); -void wots_sig_to_pk(const wots_sig_t sig, - const hash256_t seed, const xmss_adrs_t adrs, - const hash256_t dgst, wots_key_t pk); -void wots_pk_to_root(const wots_key_t pk, - const hash256_t seed, const xmss_adrs_t adrs, - hash256_t wots_root); -void wots_derive_root(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t adrs, - hash256_t wots_root); -int wots_verify(const hash256_t wots_root, - const hash256_t seed, const xmss_adrs_t adrs, - const hash256_t dgst, const wots_sig_t sig); +void xmss_wots_derive_sk(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + xmss_wots_key_t sk); +void xmss_wots_chain(const xmss_hash256_t x, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + int start, int steps, xmss_hash256_t y); +void xmss_wots_sk_to_pk(const xmss_wots_key_t sk, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + xmss_wots_key_t pk); +void xmss_wots_sign(const xmss_wots_key_t sk, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + const xmss_hash256_t dgst, xmss_wots_sig_t sig); +void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + const xmss_hash256_t dgst, xmss_wots_key_t pk); +void xmss_wots_pk_to_root(const xmss_wots_key_t pk, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + xmss_hash256_t wots_root); +void xmss_wots_derive_root(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + xmss_hash256_t wots_root); +int xmss_wots_verify(const xmss_hash256_t wots_root, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + const xmss_hash256_t dgst, const xmss_wots_sig_t sig); @@ -185,21 +188,21 @@ uint32_t xmss_type_from_name(const char *name); int xmss_type_to_height(uint32_t xmss_type, size_t *height); size_t xmss_num_tree_nodes(size_t height); -void xmss_build_tree(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t adrs, - size_t height, hash256_t *tree); // tree[xmss_num_tree_nodes(height)] -void xmss_build_auth_path(const hash256_t *tree, size_t height, - uint32_t index, hash256_t *auth_path); // auth_path[height] -void xmss_build_root(const hash256_t wots_root, uint32_t index, - const hash256_t seed, const xmss_adrs_t adrs, - const hash256_t *auth_path, size_t height, - hash256_t xmss_root); +void xmss_build_tree(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + size_t height, xmss_hash256_t *tree); // tree[xmss_num_tree_nodes(height)] +void xmss_build_auth_path(const xmss_hash256_t *tree, size_t height, + uint32_t index, xmss_hash256_t *auth_path); // auth_path[height] +void xmss_build_root(const xmss_hash256_t wots_root, uint32_t index, + const xmss_hash256_t seed, const xmss_adrs_t adrs, + const xmss_hash256_t *auth_path, size_t height, + xmss_hash256_t xmss_root); typedef struct { uint32_t xmss_type; - hash256_t seed; - hash256_t root; + xmss_hash256_t seed; + xmss_hash256_t root; } XMSS_PUBLIC_KEY; #define XMSS_PUBLIC_KEY_SIZE (4 + 32 + 32) // = 68 @@ -207,9 +210,9 @@ typedef struct { typedef struct { XMSS_PUBLIC_KEY public_key; uint32_t index; - hash256_t secret; - hash256_t sk_prf; - hash256_t *tree; // hash256_t[2^(h + 1) - 1] + xmss_hash256_t secret; + xmss_hash256_t sk_prf; + xmss_hash256_t *tree; // xmss_hash256_t[2^(h + 1) - 1] } XMSS_KEY; // XMSS_SHA2_10_256: 65,640 @@ -232,9 +235,9 @@ void xmss_key_cleanup(XMSS_KEY *key); typedef struct { uint32_t index; // < 2^(XMSS_MAX_HEIGHT) = 2^20, always encode to 4 bytes - hash256_t random; - wots_sig_t wots_sig; - hash256_t auth_path[XMSS_MAX_HEIGHT]; + xmss_hash256_t random; + xmss_wots_sig_t wots_sig; + xmss_hash256_t auth_path[XMSS_MAX_HEIGHT]; } XMSS_SIGNATURE; // XMSS_SM3_10_256 2500 bytes @@ -243,6 +246,7 @@ typedef struct { #define XMSS_SIGNATURE_MIN_SIZE (4 + 32 + 32*67 + 32 * XMSS_MIN_HEIGHT) // = 2500 bytes #define XMSS_SIGNATURE_MAX_SIZE (4 + 32 + 32*67 + 32 * XMSS_MAX_HEIGHT) // = 2820 bytes int xmss_signature_size(uint32_t xmss_type, size_t *siglen); +int xmss_key_get_signature_size(const XMSS_KEY *key, size_t *siglen); int xmss_signature_to_bytes(const XMSS_SIGNATURE *sig, uint32_t xmss_type, uint8_t **out, size_t *outlen); int xmss_signature_from_bytes(XMSS_SIGNATURE *sig, uint32_t xmss_type, const uint8_t **in, size_t *inlen); int xmss_signature_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *in, size_t inlen); @@ -251,7 +255,7 @@ int xmss_signature_print_ex(FILE *fp, int fmt, int ind, const char *label, const typedef struct { XMSS_PUBLIC_KEY xmss_public_key; XMSS_SIGNATURE xmss_sig; - HASH256_CTX hash256_ctx; + XMSS_HASH256_CTX hash256_ctx; } XMSS_SIGN_CTX; int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key); @@ -335,19 +339,19 @@ size_t xmssmt_num_trees_nodes(size_t height, size_t layers); typedef struct { uint32_t xmssmt_type; - hash256_t seed; - hash256_t root; + xmss_hash256_t seed; + xmss_hash256_t root; } XMSSMT_PUBLIC_KEY; -#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(hash256_t) + sizeof(hash256_t)) // = 68 bytes +#define XMSSMT_PUBLIC_KEY_SIZE (4 + sizeof(xmss_hash256_t) + sizeof(xmss_hash256_t)) // = 68 bytes typedef struct { XMSSMT_PUBLIC_KEY public_key; uint64_t index; // in [0, 2^60 - 1] - hash256_t secret; - hash256_t sk_prf; - hash256_t *trees; - wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS - 1]; + xmss_hash256_t secret; + xmss_hash256_t sk_prf; + xmss_hash256_t *trees; + xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS - 1]; } XMSSMT_KEY; /* @@ -361,7 +365,7 @@ typedef struct { XMSSMT_SM3_60_12_256: 47,916 bytes */ int xmssmt_private_key_size(uint32_t xmssmt_type, size_t *len); -int xmssmt_build_auth_path(const hash256_t *tree, size_t height, size_t layers, uint64_t index, hash256_t *auth_path); +int xmssmt_build_auth_path(const xmss_hash256_t *tree, size_t height, size_t layers, uint64_t index, xmss_hash256_t *auth_path); int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type); int xmssmt_key_update(XMSSMT_KEY *key); @@ -376,17 +380,18 @@ void xmssmt_key_cleanup(XMSSMT_KEY *key); typedef struct { uint64_t index; - hash256_t random; - wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS]; - hash256_t auth_path[XMSSMT_MAX_HEIGHT]; + xmss_hash256_t random; + xmss_wots_sig_t wots_sigs[XMSSMT_MAX_LAYERS]; + xmss_hash256_t auth_path[XMSSMT_MAX_HEIGHT]; } XMSSMT_SIGNATURE; int xmssmt_index_to_bytes(uint64_t index, uint32_t xmssmt_type, uint8_t **out, size_t *outlen); int xmssmt_index_from_bytes(uint64_t *index, uint32_t xmssmt_type, const uint8_t **in, size_t *inlen); #define XMSSMT_SIGNATURE_MAX_SIZE \ - (sizeof(uint64_t) + sizeof(hash256_t) + sizeof(wots_sig_t)*XMSSMT_MAX_LAYERS + sizeof(hash256_t)*XMSSMT_MAX_HEIGHT) // = 27688 bytes + (sizeof(uint64_t) + sizeof(xmss_hash256_t) + sizeof(xmss_wots_sig_t)*XMSSMT_MAX_LAYERS + sizeof(xmss_hash256_t)*XMSSMT_MAX_HEIGHT) // = 27688 bytes +int xmssmt_key_get_signature_size(const XMSSMT_KEY *key, size_t *siglen); int xmssmt_signature_size(uint32_t xmssmt_type, size_t *siglen); int xmssmt_signature_to_bytes(const XMSSMT_SIGNATURE *sig, uint32_t xmssmt_type, uint8_t **out, size_t *outlen); int xmssmt_signature_from_bytes(XMSSMT_SIGNATURE *sig, uint32_t xmssmt_type, const uint8_t **in, size_t *inlen); @@ -397,7 +402,7 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const typedef struct { XMSSMT_PUBLIC_KEY xmssmt_public_key; XMSSMT_SIGNATURE xmssmt_sig; - HASH256_CTX hash256_ctx; + XMSS_HASH256_CTX hash256_ctx; } XMSSMT_SIGN_CTX; int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key); diff --git a/src/xmss.c b/src/xmss.c index 286ec3e6..9cd131b4 100644 --- a/src/xmss.c +++ b/src/xmss.c @@ -22,14 +22,14 @@ #include -static const uint8_t hash256_two[] = { +static const uint8_t xmss_hash256_two[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, }; -static const uint8_t hash256_three[] = { +static const uint8_t xmss_hash256_three[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -53,7 +53,7 @@ static void uint32_from_bytes(uint32_t *a, const uint8_t **in, size_t *inlen) *inlen -= 4; } -static void hash256_to_bytes(const hash256_t hash, uint8_t **out, size_t *outlen) +static void xmss_hash256_to_bytes(const xmss_hash256_t hash, uint8_t **out, size_t *outlen) { if (out && *out) { memcpy(*out, hash, 32); @@ -62,7 +62,7 @@ static void hash256_to_bytes(const hash256_t hash, uint8_t **out, size_t *outlen *outlen += 32; } -static void hash256_from_bytes(hash256_t hash, const uint8_t **in, size_t *inlen) +static void hash256_from_bytes(xmss_hash256_t hash, const uint8_t **in, size_t *inlen) { memcpy(hash, *in, 32); *in += 32; @@ -70,92 +70,92 @@ static void hash256_from_bytes(hash256_t hash, const uint8_t **in, size_t *inlen } -void adrs_copy_layer_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_layer_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst, src, 4); } -void adrs_copy_tree_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_tree_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 4, src + 4, 8); } -void adrs_copy_type(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_type(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 12, src + 12, 4); } -void adrs_copy_ots_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_ots_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 16, src + 16, 4); } -void adrs_copy_chain_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_chain_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 20, src + 20, 4); } -void adrs_copy_hash_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_hash_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 24, src + 24, 4); } -void adrs_copy_key_and_mask(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_key_and_mask(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 28, src + 28, 4); } -void adrs_copy_ltree_address(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_ltree_address(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 16, src + 16, 4); } -void adrs_copy_tree_height(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_tree_height(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 20, src + 20, 4); } -void adrs_copy_tree_index(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_tree_index(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 24, src + 24, 4); } -void adrs_copy_padding(xmss_adrs_t dst, const xmss_adrs_t src) { +void xmss_adrs_copy_padding(xmss_adrs_t dst, const xmss_adrs_t src) { memcpy(dst + 16, src + 16, 4); } -void adrs_set_layer_address(uint8_t adrs[32], uint32_t layer) { +void xmss_adrs_set_layer_address(uint8_t adrs[32], uint32_t layer) { PUTU32(adrs, layer); } -void adrs_set_tree_address(uint8_t adrs[32], uint64_t tree_addr) { +void xmss_adrs_set_tree_address(uint8_t adrs[32], uint64_t tree_addr) { PUTU64(adrs + 4, tree_addr); } -void adrs_set_type(uint8_t adrs[32], uint32_t type) { +void xmss_adrs_set_type(uint8_t adrs[32], uint32_t type) { PUTU32(adrs + 4*3, type); memset(adrs + 16, 0, 16); } -void adrs_set_ots_address(uint8_t adrs[32], uint32_t address) { +void xmss_adrs_set_ots_address(uint8_t adrs[32], uint32_t address) { PUTU32(adrs + 4*4, address); } -void adrs_set_chain_address(uint8_t adrs[32], uint32_t address) { +void xmss_adrs_set_chain_address(uint8_t adrs[32], uint32_t address) { PUTU32(adrs + 4*5, address); } -void adrs_set_hash_address(uint8_t adrs[32], uint32_t address) { +void xmss_adrs_set_hash_address(uint8_t adrs[32], uint32_t address) { PUTU32(adrs + 4*6, address); } -void adrs_set_ltree_address(uint8_t adrs[32], uint32_t address) { +void xmss_adrs_set_ltree_address(uint8_t adrs[32], uint32_t address) { PUTU32(adrs + 4*4, address); } -void adrs_set_padding(uint8_t adrs[32], uint32_t padding) { +void xmss_adrs_set_padding(uint8_t adrs[32], uint32_t padding) { PUTU32(adrs + 4*4, padding); } -void adrs_set_tree_height(uint8_t adrs[32], uint32_t height) { +void xmss_adrs_set_tree_height(uint8_t adrs[32], uint32_t height) { PUTU32(adrs + 4*5, height); } -void adrs_set_tree_index(uint8_t adrs[32], uint32_t index) { +void xmss_adrs_set_tree_index(uint8_t adrs[32], uint32_t index) { PUTU32(adrs + 4*6, index); } -void adrs_set_key_and_mask(uint8_t adrs[32], uint32_t key_and_mask) { +void xmss_adrs_set_key_and_mask(uint8_t adrs[32], uint32_t key_and_mask) { PUTU32(adrs + 4*7, key_and_mask); } @@ -234,9 +234,9 @@ int xmss_adrs_print(FILE *fp, int fmt, int ind, const char *label, const xmss_ad return 1; } -void wots_derive_sk(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t ots_adrs, - wots_key_t sk) +void xmss_wots_derive_sk(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + xmss_wots_key_t sk) { static const uint8_t hash256_four[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -244,103 +244,103 @@ void wots_derive_sk(const hash256_t secret, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, }; - HASH256_CTX ctx; + XMSS_HASH256_CTX ctx; xmss_adrs_t adrs; int chain; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); - for (chain = 0; chain < WOTS_NUM_CHAINS; chain++) { - adrs_set_chain_address(adrs, chain); - adrs_set_hash_address(adrs, 0); - adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); + for (chain = 0; chain < XMSS_WOTS_NUM_CHAINS; chain++) { + xmss_adrs_set_chain_address(adrs, chain); + xmss_adrs_set_hash_address(adrs, 0); + xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); - hash256_init(&ctx); - hash256_update(&ctx, hash256_four, sizeof(hash256_t)); - hash256_update(&ctx, secret, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, sk[chain]); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, hash256_four, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, secret, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, sk[chain]); } } -void wots_chain(const hash256_t x, - const hash256_t seed, const xmss_adrs_t ots_adrs, - int start, int steps, hash256_t y) +void xmss_wots_chain(const xmss_hash256_t x, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + int start, int steps, xmss_hash256_t y) { - const hash256_t hash256_zero = {0}; - HASH256_CTX ctx; + const xmss_hash256_t hash256_zero = {0}; + XMSS_HASH256_CTX ctx; xmss_adrs_t adrs; - hash256_t key; - hash256_t bitmask; + xmss_hash256_t key; + xmss_hash256_t bitmask; int i; // tmp = x - memcpy(y, x, sizeof(hash256_t)); + memcpy(y, x, sizeof(xmss_hash256_t)); - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); - adrs_copy_chain_address(adrs, ots_adrs); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); + xmss_adrs_copy_chain_address(adrs, ots_adrs); for (i = 0; i < steps; i++) { - adrs_set_hash_address(adrs, start + i); + xmss_adrs_set_hash_address(adrs, start + i); // key = prf(seed, adrs) - adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); - hash256_init(&ctx); - hash256_update(&ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, key); + xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_KEY); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, key); // bitmask = prf(seed, adrs) - adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_BITMASK); - hash256_init(&ctx); - hash256_update(&ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, bitmask); + xmss_adrs_set_key_and_mask(adrs, XMSS_ADRS_GENERATE_BITMASK); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, bitmask); // tmp = f(key, tmp xor bitmask) - gmssl_memxor(y, y, bitmask, sizeof(hash256_t)); - hash256_init(&ctx); - hash256_update(&ctx, hash256_zero, sizeof(hash256_t)); - hash256_update(&ctx, key, sizeof(hash256_t)); - hash256_update(&ctx, y, sizeof(hash256_t)); - hash256_finish(&ctx, y); + gmssl_memxor(y, y, bitmask, sizeof(xmss_hash256_t)); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, hash256_zero, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, key, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, y, sizeof(xmss_hash256_t)); + xmss_hash256_finish(&ctx, y); } } -void wots_sk_to_pk(const wots_key_t sk, - const hash256_t seed, const xmss_adrs_t ots_adrs, - wots_key_t pk) +void xmss_wots_sk_to_pk(const xmss_wots_key_t sk, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + xmss_wots_key_t pk) { const int start = 0; - const int steps = WOTS_WINTERNITZ_W - 1; + const int steps = XMSS_WOTS_WINTERNITZ_W - 1; xmss_adrs_t adrs; int chain; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); - for (chain = 0; chain < WOTS_NUM_CHAINS; chain++) { - adrs_set_chain_address(adrs, chain); - wots_chain(sk[chain], seed, adrs, start, steps, pk[chain]); + for (chain = 0; chain < XMSS_WOTS_NUM_CHAINS; chain++) { + xmss_adrs_set_chain_address(adrs, chain); + xmss_wots_chain(sk[chain], seed, adrs, start, steps, pk[chain]); } } // seperate 256 bit digest into 256/4 = 64 step values, generate 3 checksum step values // output steps[i] in [0, w-1] = [0, 16-1] // this implementation is for hash256 and w=16 only! -static void base_w_and_checksum(const hash256_t dgst, int steps[67]) +static void base_w_and_checksum(const xmss_hash256_t dgst, int steps[67]) { int csum = 0; int sbits; @@ -367,53 +367,53 @@ static void base_w_and_checksum(const hash256_t dgst, int steps[67]) steps[66] = csum_bytes[1] >> 4; } -void wots_sign(const wots_key_t sk, - const hash256_t seed, const xmss_adrs_t ots_adrs, - const hash256_t dgst, wots_key_t sig) +void xmss_wots_sign(const xmss_wots_key_t sk, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + const xmss_hash256_t dgst, xmss_wots_key_t sig) { xmss_adrs_t adrs; const int start = 0; - int steps[WOTS_NUM_CHAINS]; + int steps[XMSS_WOTS_NUM_CHAINS]; int chain; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); base_w_and_checksum(dgst, steps); - for (chain = 0; chain < WOTS_NUM_CHAINS; chain++) { - adrs_set_chain_address(adrs, chain); - wots_chain(sk[chain], seed, adrs, start, steps[chain], sig[chain]); + for (chain = 0; chain < XMSS_WOTS_NUM_CHAINS; chain++) { + xmss_adrs_set_chain_address(adrs, chain); + xmss_wots_chain(sk[chain], seed, adrs, start, steps[chain], sig[chain]); } } -void wots_sig_to_pk(const wots_sig_t sig, - const hash256_t seed, const xmss_adrs_t ots_adrs, - const hash256_t dgst, wots_key_t pk) +void xmss_wots_sig_to_pk(const xmss_wots_sig_t sig, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + const xmss_hash256_t dgst, xmss_wots_key_t pk) { - hash256_t adrs; + xmss_hash256_t adrs; int steps[67]; int chain; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); base_w_and_checksum(dgst, steps); - for (chain = 0; chain < WOTS_NUM_CHAINS; chain++) { - adrs_set_chain_address(adrs, chain); - wots_chain(sig[chain], seed, adrs, steps[chain], 15 - steps[chain], pk[chain]); + for (chain = 0; chain < XMSS_WOTS_NUM_CHAINS; chain++) { + xmss_adrs_set_chain_address(adrs, chain); + xmss_wots_chain(sig[chain], seed, adrs, steps[chain], 15 - steps[chain], pk[chain]); } } // TODO: need test and test vector -static void randomized_tree_hash(const hash256_t left_child, const hash256_t right_child, - const hash256_t seed, const xmss_adrs_t tree_adrs, - hash256_t parent) +static void xmss_tree_hash(const xmss_hash256_t left_child, const xmss_hash256_t right_child, + const xmss_hash256_t seed, const xmss_adrs_t tree_adrs, + xmss_hash256_t parent) { static const uint8_t hash256_one[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -421,134 +421,134 @@ static void randomized_tree_hash(const hash256_t left_child, const hash256_t rig 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, }; - HASH256_CTX ctx; + XMSS_HASH256_CTX ctx; xmss_adrs_t adrs; - hash256_t key; - hash256_t bm0; - hash256_t bm1; + xmss_hash256_t key; + xmss_hash256_t bm0; + xmss_hash256_t bm1; // copy adrs (and set the last key_and_mask) - adrs_copy_layer_address(adrs, tree_adrs); - adrs_copy_tree_address(adrs, tree_adrs); - adrs_copy_type(adrs, tree_adrs); - adrs_copy_ltree_address(adrs, tree_adrs); - adrs_copy_tree_height(adrs, tree_adrs); - adrs_copy_tree_index(adrs, tree_adrs); + xmss_adrs_copy_layer_address(adrs, tree_adrs); + xmss_adrs_copy_tree_address(adrs, tree_adrs); + xmss_adrs_copy_type(adrs, tree_adrs); + xmss_adrs_copy_ltree_address(adrs, tree_adrs); + xmss_adrs_copy_tree_height(adrs, tree_adrs); + xmss_adrs_copy_tree_index(adrs, tree_adrs); // key = prf(seed, adrs) - adrs_set_key_and_mask(adrs, 0); - hash256_init(&ctx); - hash256_update(&ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, key); + xmss_adrs_set_key_and_mask(adrs, 0); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, key); // bm_0 = prf(seed, adrs) - adrs_set_key_and_mask(adrs, 1); - hash256_init(&ctx); - hash256_update(&ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, bm0); + xmss_adrs_set_key_and_mask(adrs, 1); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, bm0); // bm_1 = prf(seed, adrs) - adrs_set_key_and_mask(adrs, 2); - hash256_init(&ctx); - hash256_update(&ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx, seed, sizeof(hash256_t)); - hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); - hash256_finish(&ctx, bm1); + xmss_adrs_set_key_and_mask(adrs, 2); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, seed, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, adrs, sizeof(xmss_adrs_t)); + xmss_hash256_finish(&ctx, bm1); // parent = Hash( tobyte(1, 32) || key || (left xor bm_0) || (right xor bm_1) ) - gmssl_memxor(bm0, bm0, left_child, sizeof(hash256_t)); - gmssl_memxor(bm1, bm1, right_child, sizeof(hash256_t)); - hash256_init(&ctx); - hash256_update(&ctx, hash256_one, sizeof(hash256_t)); - hash256_update(&ctx, key, sizeof(hash256_t)); - hash256_update(&ctx, bm0, sizeof(hash256_t)); - hash256_update(&ctx, bm1, sizeof(hash256_t)); - hash256_finish(&ctx, parent); + gmssl_memxor(bm0, bm0, left_child, sizeof(xmss_hash256_t)); + gmssl_memxor(bm1, bm1, right_child, sizeof(xmss_hash256_t)); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, hash256_one, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, key, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, bm0, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, bm1, sizeof(xmss_hash256_t)); + xmss_hash256_finish(&ctx, parent); } // ltree is wots+ leaf tree, (un-balanced) merkle tree from the 67 wots+ hashs -void wots_pk_to_root(const wots_key_t in_pk, - const hash256_t seed, const xmss_adrs_t in_adrs, - hash256_t wots_root) +void xmss_wots_pk_to_root(const xmss_wots_key_t in_pk, + const xmss_hash256_t seed, const xmss_adrs_t in_adrs, + xmss_hash256_t wots_root) { - wots_key_t pk; + xmss_wots_key_t pk; xmss_adrs_t adrs; uint32_t tree_height = 0; - int len = WOTS_NUM_CHAINS; + int len = XMSS_WOTS_NUM_CHAINS; uint32_t i; - memcpy(pk, in_pk, sizeof(wots_key_t)); + memcpy(pk, in_pk, sizeof(xmss_wots_key_t)); - adrs_copy_layer_address(adrs, in_adrs); - adrs_copy_tree_address(adrs, in_adrs); - adrs_copy_type(adrs, in_adrs); - adrs_copy_ltree_address(adrs, in_adrs); + xmss_adrs_copy_layer_address(adrs, in_adrs); + xmss_adrs_copy_tree_address(adrs, in_adrs); + xmss_adrs_copy_type(adrs, in_adrs); + xmss_adrs_copy_ltree_address(adrs, in_adrs); - adrs_set_tree_height(adrs, tree_height++); + xmss_adrs_set_tree_height(adrs, tree_height++); while (len > 1) { for (i = 0; i < len/2; i++) { - adrs_set_tree_index(adrs, i); - randomized_tree_hash(pk[2 * i], pk[2 * i + 1], seed, adrs, pk[i]); + xmss_adrs_set_tree_index(adrs, i); + xmss_tree_hash(pk[2 * i], pk[2 * i + 1], seed, adrs, pk[i]); } if (len % 2) { memcpy(pk[len/2], pk[len-1], 32); //pk[len/2] = pk[len - 1]; } len = (len + 1)/2; - adrs_set_tree_height(adrs, tree_height++); + xmss_adrs_set_tree_height(adrs, tree_height++); } memcpy(wots_root, pk[0], 32); } -int wots_verify(const hash256_t wots_root, - const hash256_t seed, const xmss_adrs_t ots_adrs, - const hash256_t dgst, const wots_sig_t sig) +int xmss_wots_verify(const xmss_hash256_t wots_root, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + const xmss_hash256_t dgst, const xmss_wots_sig_t sig) { xmss_adrs_t adrs; - wots_key_t pk; - hash256_t root; + xmss_wots_key_t pk; + xmss_hash256_t root; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); - wots_sig_to_pk(sig, seed, adrs, dgst, pk); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); + xmss_wots_sig_to_pk(sig, seed, adrs, dgst, pk); - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_copy_ltree_address(adrs, ots_adrs); // ltree_address offset is same as ots_address - wots_pk_to_root(pk, seed, adrs, root); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_copy_ltree_address(adrs, ots_adrs); // ltree_address offset is same as ots_address + xmss_wots_pk_to_root(pk, seed, adrs, root); - if (memcmp(root, wots_root, sizeof(hash256_t)) != 0) { + if (memcmp(root, wots_root, sizeof(xmss_hash256_t)) != 0) { //error_print(); return 0; } return 1; } -void wots_derive_root(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t ots_adrs, - hash256_t wots_root) +void xmss_wots_derive_root(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t ots_adrs, + xmss_hash256_t wots_root) { xmss_adrs_t adrs; - wots_key_t wots_key; + xmss_wots_key_t wots_key; - adrs_copy_layer_address(adrs, ots_adrs); - adrs_copy_tree_address(adrs, ots_adrs); - adrs_copy_type(adrs, ots_adrs); - adrs_copy_ots_address(adrs, ots_adrs); - wots_derive_sk(secret, seed, adrs, wots_key); - wots_sk_to_pk(wots_key, seed, adrs, wots_key); + xmss_adrs_copy_layer_address(adrs, ots_adrs); + xmss_adrs_copy_tree_address(adrs, ots_adrs); + xmss_adrs_copy_type(adrs, ots_adrs); + xmss_adrs_copy_ots_address(adrs, ots_adrs); + xmss_wots_derive_sk(secret, seed, adrs, wots_key); + xmss_wots_sk_to_pk(wots_key, seed, adrs, wots_key); - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_copy_ltree_address(adrs, ots_adrs); // ltree_address offset is same as ots_address - wots_pk_to_root(wots_key, seed, adrs, wots_root); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_copy_ltree_address(adrs, ots_adrs); // ltree_address offset is same as ots_address + xmss_wots_pk_to_root(wots_key, seed, adrs, wots_root); } @@ -561,79 +561,79 @@ size_t xmss_num_tree_nodes(size_t height) { return (1 << (height + 1)) - 1; } -void xmss_build_tree(const hash256_t secret, - const hash256_t seed, const xmss_adrs_t xmss_adrs, - size_t height, hash256_t *tree) +void xmss_build_tree(const xmss_hash256_t secret, + const xmss_hash256_t seed, const xmss_adrs_t xmss_adrs, + size_t height, xmss_hash256_t *tree) { xmss_adrs_t adrs; - hash256_t *children; - hash256_t *parents; + xmss_hash256_t *children; + xmss_hash256_t *parents; size_t n = 1 << height; uint32_t h; // as tree_height uint32_t i; // as tree_index - adrs_copy_layer_address(adrs, xmss_adrs); - adrs_copy_tree_address(adrs, xmss_adrs); + xmss_adrs_copy_layer_address(adrs, xmss_adrs); + xmss_adrs_copy_tree_address(adrs, xmss_adrs); // derive 2^h wots+ roots as leaves of xmss tree - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); for (i = 0; i < n; i++) { - adrs_set_ots_address(adrs, i); - wots_derive_root(secret, seed, adrs, tree[i]); + xmss_adrs_set_ots_address(adrs, i); + xmss_wots_derive_root(secret, seed, adrs, tree[i]); } // build xmss tree - adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); - adrs_set_padding(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); + xmss_adrs_set_padding(adrs, 0); children = tree; parents = tree + n; for (h = 0; h < height; h++) { - adrs_set_tree_height(adrs, h + 1); + xmss_adrs_set_tree_height(adrs, h + 1); n >>= 1; for (i = 0; i < n; i++) { - adrs_set_tree_index(adrs, i); - randomized_tree_hash(children[2*i], children[2*i + 1], seed, adrs, parents[i]); + xmss_adrs_set_tree_index(adrs, i); + xmss_tree_hash(children[2*i], children[2*i + 1], seed, adrs, parents[i]); } children = parents; parents += n; } } -void xmss_build_auth_path(const hash256_t *tree, size_t height, uint32_t tree_index, hash256_t *auth_path) +void xmss_build_auth_path(const xmss_hash256_t *tree, size_t height, uint32_t tree_index, xmss_hash256_t *auth_path) { size_t h; for (h = 0; h < height; h++) { - memcpy(auth_path[h], tree[tree_index ^ 1], sizeof(hash256_t)); + memcpy(auth_path[h], tree[tree_index ^ 1], sizeof(xmss_hash256_t)); tree += (1 << (height - h)); tree_index >>= 1; } } -void xmss_build_root(const hash256_t wots_root, uint32_t tree_index, - const hash256_t seed, const xmss_adrs_t xmss_adrs, - const hash256_t *auth_path, size_t height, - hash256_t root) +void xmss_build_root(const xmss_hash256_t wots_root, uint32_t tree_index, + const xmss_hash256_t seed, const xmss_adrs_t xmss_adrs, + const xmss_hash256_t *auth_path, size_t height, + xmss_hash256_t root) { xmss_adrs_t adrs; uint32_t h; - adrs_copy_layer_address(adrs, xmss_adrs); - adrs_copy_tree_address(adrs, xmss_adrs); - adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); - adrs_set_padding(adrs, 0); + xmss_adrs_copy_layer_address(adrs, xmss_adrs); + xmss_adrs_copy_tree_address(adrs, xmss_adrs); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); + xmss_adrs_set_padding(adrs, 0); - memcpy(root, wots_root, sizeof(hash256_t)); + memcpy(root, wots_root, sizeof(xmss_hash256_t)); for (h = 0; h < height; h++) { int right_child = tree_index & 1; tree_index >>= 1; - adrs_set_tree_height(adrs, h + 1); - adrs_set_tree_index(adrs, tree_index); + xmss_adrs_set_tree_height(adrs, h + 1); + xmss_adrs_set_tree_index(adrs, tree_index); if (right_child) - randomized_tree_hash(auth_path[h], root, seed, adrs, root); - else randomized_tree_hash(root, auth_path[h], seed, adrs, root); + xmss_tree_hash(auth_path[h], root, seed, adrs, root); + else xmss_tree_hash(root, auth_path[h], seed, adrs, root); } } @@ -685,15 +685,15 @@ int xmss_private_key_size(uint32_t xmss_type, size_t *keysize) return -1; } *keysize = XMSS_PUBLIC_KEY_SIZE - + sizeof(hash256_t) - + sizeof(hash256_t) + + sizeof(xmss_hash256_t) + + sizeof(xmss_hash256_t) + sizeof(uint32_t) - + sizeof(hash256_t) * xmss_num_tree_nodes(height); + + sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height); return 1; } int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type, - const hash256_t seed, const hash256_t secret, const hash256_t sk_prf) + const xmss_hash256_t seed, const xmss_hash256_t secret, const xmss_hash256_t sk_prf) { size_t height; xmss_adrs_t adrs; @@ -707,20 +707,20 @@ int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type, return -1; } memset(key, 0, sizeof(*key)); - if (!(key->tree = malloc(sizeof(hash256_t) * xmss_num_tree_nodes(height)))) { + if (!(key->tree = malloc(sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height)))) { error_print(); return -1; } key->public_key.xmss_type = xmss_type; - memcpy(key->public_key.seed, seed, sizeof(hash256_t)); - memcpy(key->secret, secret, sizeof(hash256_t)); - memcpy(key->sk_prf, sk_prf, sizeof(hash256_t)); + memcpy(key->public_key.seed, seed, sizeof(xmss_hash256_t)); + memcpy(key->secret, secret, sizeof(xmss_hash256_t)); + memcpy(key->sk_prf, sk_prf, sizeof(xmss_hash256_t)); - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); xmss_build_tree(key->secret, key->public_key.seed, adrs, height, key->tree); - memcpy(key->public_key.root, key->tree[xmss_tree_root_offset(height)], sizeof(hash256_t)); + memcpy(key->public_key.root, key->tree[xmss_tree_root_offset(height)], sizeof(xmss_hash256_t)); key->index = 0; return 1; } @@ -728,17 +728,17 @@ int xmss_key_generate_ex(XMSS_KEY *key, uint32_t xmss_type, int xmss_key_generate(XMSS_KEY *key, uint32_t xmss_type) { int ret = -1; - hash256_t seed; - hash256_t secret; - hash256_t sk_prf; + xmss_hash256_t seed; + xmss_hash256_t secret; + xmss_hash256_t sk_prf; if (!key) { error_print(); return -1; } - if (rand_bytes(seed, sizeof(hash256_t)) != 1 - || rand_bytes(secret, sizeof(hash256_t)) != 1 - || rand_bytes(sk_prf, sizeof(hash256_t)) != 1) { + if (rand_bytes(seed, sizeof(xmss_hash256_t)) != 1 + || rand_bytes(secret, sizeof(xmss_hash256_t)) != 1 + || rand_bytes(sk_prf, sizeof(xmss_hash256_t)) != 1) { error_print(); goto end; } @@ -802,9 +802,9 @@ int xmss_key_remaining_signs(const XMSS_KEY *key, size_t *count) void xmss_key_cleanup(XMSS_KEY *key) { if (key) { - gmssl_secure_clear(key->public_key.seed, sizeof(hash256_t)); // clear all RNG outputs - gmssl_secure_clear(key->secret, sizeof(hash256_t)); - gmssl_secure_clear(key->sk_prf, sizeof(hash256_t)); + gmssl_secure_clear(key->public_key.seed, sizeof(xmss_hash256_t)); // clear all RNG outputs + gmssl_secure_clear(key->secret, sizeof(xmss_hash256_t)); + gmssl_secure_clear(key->sk_prf, sizeof(xmss_hash256_t)); if (key->tree) { free(key->tree); key->tree = NULL; @@ -819,8 +819,8 @@ int xmss_public_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen) return -1; } uint32_to_bytes(key->public_key.xmss_type, out, outlen); - hash256_to_bytes(key->public_key.root, out, outlen); - hash256_to_bytes(key->public_key.seed, out, outlen); + xmss_hash256_to_bytes(key->public_key.root, out, outlen); + xmss_hash256_to_bytes(key->public_key.seed, out, outlen); return 1; } @@ -851,8 +851,8 @@ int xmss_public_key_print(FILE *fp, int fmt, int ind, const char *label, const X format_print(fp, fmt, ind, "%s\n", label); ind += 4; format_print(fp, fmt, ind, "type: %s\n", xmss_type_name(key->public_key.xmss_type)); - format_bytes(fp, fmt, ind, "seed", key->public_key.seed, sizeof(hash256_t)); - format_bytes(fp, fmt, ind, "root", key->public_key.root, sizeof(hash256_t)); + format_bytes(fp, fmt, ind, "seed", key->public_key.seed, sizeof(xmss_hash256_t)); + format_bytes(fp, fmt, ind, "root", key->public_key.root, sizeof(xmss_hash256_t)); return 1; } @@ -870,8 +870,8 @@ int xmss_private_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen return -1; } uint32_to_bytes(key->index, out, outlen); - hash256_to_bytes(key->secret, out, outlen); - hash256_to_bytes(key->sk_prf, out, outlen); + xmss_hash256_to_bytes(key->secret, out, outlen); + xmss_hash256_to_bytes(key->sk_prf, out, outlen); if (key->tree == NULL) { error_print(); @@ -881,7 +881,7 @@ int xmss_private_key_to_bytes(const XMSS_KEY *key, uint8_t **out, size_t *outlen error_print(); return -1; } - tree_size = sizeof(hash256_t) * xmss_num_tree_nodes(height); + tree_size = sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height); if (out && *out) { memcpy(*out, key->tree, tree_size); *out += tree_size; @@ -905,7 +905,7 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen return -1; } // check inlen without tree - if (*inlen < sizeof(uint32_t) + sizeof(hash256_t)*2) { + if (*inlen < sizeof(uint32_t) + sizeof(xmss_hash256_t)*2) { error_print(); return -1; } @@ -914,7 +914,7 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen error_print(); return -1; } - tree_size = sizeof(hash256_t) * xmss_num_tree_nodes(height); + tree_size = sizeof(xmss_hash256_t) * xmss_num_tree_nodes(height); // prepare buffer (might failure ops) before load secrets if (!(key->tree = malloc(tree_size))) { @@ -942,14 +942,14 @@ int xmss_private_key_from_bytes(XMSS_KEY *key, const uint8_t **in, size_t *inlen *inlen -= tree_size; } else { // build_tree - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); xmss_build_tree(key->secret, key->public_key.seed, adrs, height, key->tree); } // check if (memcmp(key->tree[xmss_tree_root_offset(height)], - key->public_key.root, sizeof(hash256_t)) != 0) { + key->public_key.root, sizeof(xmss_hash256_t)) != 0) { xmss_key_cleanup(key); error_print(); return -1; @@ -962,8 +962,8 @@ int xmss_private_key_print(FILE *fp, int fmt, int ind, const char *label, const format_print(fp, fmt, ind, "%s\n", label); ind += 4; xmss_public_key_print(fp, fmt, ind, "public_key", key); - format_bytes(fp, fmt, ind, "secret", key->secret, sizeof(hash256_t)); - format_bytes(fp, fmt, ind, "sk_prf", key->sk_prf, sizeof(hash256_t)); + format_bytes(fp, fmt, ind, "secret", key->secret, sizeof(xmss_hash256_t)); + format_bytes(fp, fmt, ind, "sk_prf", key->sk_prf, sizeof(xmss_hash256_t)); format_print(fp, fmt, ind, "index: %"PRIu32"\n", key->index); return 1; } @@ -984,7 +984,20 @@ int xmss_signature_size(uint32_t xmss_type, size_t *siglen) *siglen = sizeof(sig.index) + sizeof(sig.random) + sizeof(sig.wots_sig) - + sizeof(hash256_t) * height; + + sizeof(xmss_hash256_t) * height; + return 1; +} + +int xmss_key_get_signature_size(const XMSS_KEY *key, size_t *siglen) +{ + if (!key || !siglen) { + error_print(); + return -1; + } + if (xmss_signature_size(key->public_key.xmss_type, siglen) != 1) { + error_print(); + return -1; + } return 1; } @@ -1009,7 +1022,7 @@ int xmss_signature_from_bytes(XMSS_SIGNATURE *sig, uint32_t xmss_type, const uin uint32_from_bytes(&sig->index, in, inlen); hash256_from_bytes(sig->random, in, inlen); - for (i = 0; i < WOTS_NUM_CHAINS; i++) { + for (i = 0; i < XMSS_WOTS_NUM_CHAINS; i++) { hash256_from_bytes(sig->wots_sig[i], in, inlen); } for (i = 0; i < height; i++) { @@ -1032,12 +1045,12 @@ int xmss_signature_to_bytes(const XMSS_SIGNATURE *sig, uint32_t xmss_type, uint8 return -1; } uint32_to_bytes(sig->index, out, outlen); - hash256_to_bytes(sig->random, out, outlen); - for (i = 0; i < WOTS_NUM_CHAINS; i++) { - hash256_to_bytes(sig->wots_sig[i], out, outlen); + xmss_hash256_to_bytes(sig->random, out, outlen); + for (i = 0; i < XMSS_WOTS_NUM_CHAINS; i++) { + xmss_hash256_to_bytes(sig->wots_sig[i], out, outlen); } for (i = 0; i < height; i++) { - hash256_to_bytes(sig->auth_path[i], out, outlen); + xmss_hash256_to_bytes(sig->auth_path[i], out, outlen); } return 1; } @@ -1125,14 +1138,14 @@ int xmss_signature_print(FILE *fp, int fmt, int ind, const char *label, const ui void xmss_sign_ctx_cleanup(XMSS_SIGN_CTX *ctx) { if (ctx) { - gmssl_secure_clear(ctx->xmss_sig.random, sizeof(hash256_t)); - gmssl_secure_clear(ctx->xmss_sig.wots_sig, sizeof(wots_sig_t)); // might cache wots_sk + gmssl_secure_clear(ctx->xmss_sig.random, sizeof(xmss_hash256_t)); + gmssl_secure_clear(ctx->xmss_sig.wots_sig, sizeof(xmss_wots_sig_t)); // might cache wots_sk } } int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) { - hash256_t hash256_index = {0}; + xmss_hash256_t hash256_index = {0}; xmss_adrs_t adrs; size_t height; @@ -1160,18 +1173,18 @@ int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) // derive ctx->xmss_sig.random PUTU32(hash256_index + 28, key->index); // r = PRF(SK_PRF, toByte(idx_sig, 32)); - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); - hash256_finish(&ctx->hash256_ctx, ctx->xmss_sig.random); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmss_sig.random); // wots_sk => ctx->xmss_sig.wots_sig - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, key->index); - wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmss_sig.wots_sig); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, key->index); + xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmss_sig.wots_sig); // xmss_sig.auth_path xmss_build_auth_path(key->tree, height, key->index, ctx->xmss_sig.auth_path); @@ -1180,11 +1193,11 @@ int xmss_sign_init(XMSS_SIGN_CTX *ctx, XMSS_KEY *key) key->index++; // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); return 1; } @@ -1196,7 +1209,7 @@ int xmss_sign_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } if (data && datalen) { - hash256_update(&ctx->hash256_ctx, data, datalen); + xmss_hash256_update(&ctx->hash256_ctx, data, datalen); } return 1; } @@ -1205,21 +1218,21 @@ int xmss_sign_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) int xmss_sign_finish(XMSS_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) { xmss_adrs_t adrs; - hash256_t dgst; + xmss_hash256_t dgst; if (!ctx || !sig || !siglen) { error_print(); return -1; } - hash256_finish(&ctx->hash256_ctx, dgst); + xmss_hash256_finish(&ctx->hash256_ctx, dgst); - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, ctx->xmss_sig.index); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, ctx->xmss_sig.index); - wots_sign(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, dgst, + xmss_wots_sign(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, dgst, ctx->xmss_sig.wots_sig); *siglen = 0; @@ -1232,7 +1245,7 @@ int xmss_sign_finish(XMSS_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) int xmss_verify_init_ex(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const XMSS_SIGNATURE *sig) { - hash256_t hash256_index = {0}; + xmss_hash256_t hash256_index = {0}; if (!ctx || !key || !sig) { error_print(); @@ -1244,19 +1257,19 @@ int xmss_verify_init_ex(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const XMSS_SIGN // cache xmss_sig ctx->xmss_sig = *sig; - // hash256_init + // xmss_hash256_init PUTU32(hash256_index + 28, ctx->xmss_sig.index); - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); return 1; } int xmss_verify_init(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const uint8_t *sig, size_t siglen) { - hash256_t hash256_index = {0}; + xmss_hash256_t hash256_index = {0}; if (!ctx || !key || !sig || !siglen) { error_print(); @@ -1271,13 +1284,13 @@ int xmss_verify_init(XMSS_SIGN_CTX *ctx, const XMSS_KEY *key, const uint8_t *sig return -1; } - // hash256_init + // xmss_hash256_init PUTU32(hash256_index + 28, ctx->xmss_sig.index); - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmss_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); return 1; } @@ -1288,7 +1301,7 @@ int xmss_verify_update(XMSS_SIGN_CTX *ctx, const uint8_t *data, size_t datalen) return -1; } if (data && datalen) { - hash256_update(&ctx->hash256_ctx, data, datalen); + xmss_hash256_update(&ctx->hash256_ctx, data, datalen); } return 1; } @@ -1297,9 +1310,9 @@ int xmss_verify_finish(XMSS_SIGN_CTX *ctx) { size_t height, h; uint32_t index; - hash256_t dgst; + xmss_hash256_t dgst; xmss_adrs_t adrs; - hash256_t root; + xmss_hash256_t root; if (!ctx) { error_print(); @@ -1316,31 +1329,31 @@ int xmss_verify_finish(XMSS_SIGN_CTX *ctx) index = ctx->xmss_sig.index; // dgst - hash256_finish(&ctx->hash256_ctx, dgst); + xmss_hash256_finish(&ctx->hash256_ctx, dgst); // wots_sig => wots_pk - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, ctx->xmss_sig.index); - wots_sig_to_pk(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, dgst, ctx->xmss_sig.wots_sig); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, ctx->xmss_sig.index); + xmss_wots_sig_to_pk(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, dgst, ctx->xmss_sig.wots_sig); // wots_pk => wots_root - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_set_ltree_address(adrs, ctx->xmss_sig.index); - wots_pk_to_root(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, root); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_set_ltree_address(adrs, ctx->xmss_sig.index); + xmss_wots_pk_to_root(ctx->xmss_sig.wots_sig, ctx->xmss_public_key.seed, adrs, root); // wots_root (index), auth_path => xmss_root - adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); - adrs_set_padding(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); + xmss_adrs_set_padding(adrs, 0); for (h = 0; h < height; h++) { int right_child = index & 1; index >>= 1; - adrs_set_tree_height(adrs, h + 1); - adrs_set_tree_index(adrs, index); + xmss_adrs_set_tree_height(adrs, h + 1); + xmss_adrs_set_tree_index(adrs, index); if (right_child) - randomized_tree_hash(ctx->xmss_sig.auth_path[h], root, ctx->xmss_public_key.seed, adrs, root); - else randomized_tree_hash(root, ctx->xmss_sig.auth_path[h], ctx->xmss_public_key.seed, adrs, root); + xmss_tree_hash(ctx->xmss_sig.auth_path[h], root, ctx->xmss_public_key.seed, adrs, root); + else xmss_tree_hash(root, ctx->xmss_sig.auth_path[h], ctx->xmss_public_key.seed, adrs, root); } if (memcmp(root, ctx->xmss_public_key.root, 32) != 0) { @@ -1429,8 +1442,8 @@ int xmssmt_public_key_to_bytes(const XMSSMT_KEY *key, uint8_t **out, size_t *out return -1; } uint32_to_bytes(key->public_key.xmssmt_type, out, outlen); - hash256_to_bytes(key->public_key.root, out, outlen); - hash256_to_bytes(key->public_key.seed, out, outlen); + xmss_hash256_to_bytes(key->public_key.root, out, outlen); + xmss_hash256_to_bytes(key->public_key.seed, out, outlen); return 1; } @@ -1467,11 +1480,11 @@ int xmssmt_private_key_size(uint32_t xmssmt_type, size_t *len) return -1; } *len = XMSSMT_PUBLIC_KEY_SIZE; - *len += sizeof(hash256_t); - *len += sizeof(hash256_t); + *len += sizeof(xmss_hash256_t); + *len += sizeof(xmss_hash256_t); xmssmt_index_to_bytes(index, xmssmt_type, NULL, len); - *len += sizeof(hash256_t) * xmssmt_num_trees_nodes(height, layers); - *len += sizeof(wots_sig_t) * (layers - 1); + *len += sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); + *len += sizeof(xmss_wots_sig_t) * (layers - 1); return 1; } @@ -1495,18 +1508,18 @@ int xmssmt_private_key_to_bytes(const XMSSMT_KEY *key, uint8_t **out, size_t *ou return -1; } xmssmt_index_to_bytes(key->index, key->public_key.xmssmt_type, out, outlen); - hash256_to_bytes(key->secret, out, outlen); - hash256_to_bytes(key->sk_prf, out, outlen); + xmss_hash256_to_bytes(key->secret, out, outlen); + xmss_hash256_to_bytes(key->sk_prf, out, outlen); - treeslen = sizeof(hash256_t) * xmssmt_num_trees_nodes(height, layers); + treeslen = sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); if (out && *out) { memcpy(*out, key->trees, treeslen); *out += treeslen; - memcpy(*out, key->wots_sigs, sizeof(wots_sig_t) * (layers - 1)); - *out += sizeof(wots_sig_t) * (layers - 1); + memcpy(*out, key->wots_sigs, sizeof(xmss_wots_sig_t) * (layers - 1)); + *out += sizeof(xmss_wots_sig_t) * (layers - 1); } *outlen += treeslen; - *outlen += sizeof(wots_sig_t) * (layers - 1); + *outlen += sizeof(xmss_wots_sig_t) * (layers - 1); return 1; } @@ -1547,7 +1560,7 @@ int xmssmt_private_key_from_bytes(XMSSMT_KEY *key, const uint8_t **in, size_t *i error_print(); return -1; } - treeslen = sizeof(hash256_t) * xmssmt_num_trees_nodes(height, layers); + treeslen = sizeof(xmss_hash256_t) * xmssmt_num_trees_nodes(height, layers); if (!(key->trees = malloc(treeslen))) { error_print(); return -1; @@ -1555,9 +1568,9 @@ int xmssmt_private_key_from_bytes(XMSSMT_KEY *key, const uint8_t **in, size_t *i memcpy(key->trees, *in, treeslen); *in += treeslen; *inlen -= treeslen; - memcpy(key->wots_sigs, *in, sizeof(wots_sig_t) * (layers - 1)); - *in += sizeof(wots_sig_t) * (layers - 1); - *inlen -= sizeof(wots_sig_t) * (layers - 1); + memcpy(key->wots_sigs, *in, sizeof(xmss_wots_sig_t) * (layers - 1)); + *in += sizeof(xmss_wots_sig_t) * (layers - 1); + *inlen -= sizeof(xmss_wots_sig_t) * (layers - 1); return 1; } @@ -1567,10 +1580,10 @@ int xmssmt_key_update(XMSSMT_KEY *key) size_t height; size_t layers; size_t layer; - hash256_t *tree; + xmss_hash256_t *tree; uint64_t next_index; xmss_adrs_t adrs; - uint8_t *xmss_root; // FIXME: use hash256_t* + uint8_t *xmss_root; // FIXME: use xmss_hash256_t* if (!key) { error_print(); @@ -1598,18 +1611,18 @@ int xmssmt_key_update(XMSSMT_KEY *key) } // generate tree of the layer - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, xmssmt_tree_address(next_index, height, layers, layer)); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, xmssmt_tree_address(next_index, height, layers, layer)); xmss_build_tree(key->secret, key->public_key.seed, adrs, height/layers, tree); // sign the new xmss_root - adrs_set_layer_address(adrs, layer + 1); - adrs_set_tree_address(adrs, xmssmt_tree_address(next_index, height, layers, layer + 1)); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, xmssmt_tree_index(next_index, height, layers, layer + 1)); - wots_derive_sk(key->secret, key->public_key.seed, adrs, key->wots_sigs[layer]); + xmss_adrs_set_layer_address(adrs, layer + 1); + xmss_adrs_set_tree_address(adrs, xmssmt_tree_address(next_index, height, layers, layer + 1)); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, xmssmt_tree_index(next_index, height, layers, layer + 1)); + xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, key->wots_sigs[layer]); xmss_root = tree[xmss_tree_root_offset(height/layers)]; - wots_sign(key->wots_sigs[layer], key->public_key.seed, adrs, xmss_root, key->wots_sigs[layer]); + xmss_wots_sign(key->wots_sigs[layer], key->public_key.seed, adrs, xmss_root, key->wots_sigs[layer]); tree += xmss_num_tree_nodes(height/layers); } @@ -1621,9 +1634,9 @@ int xmssmt_key_update(XMSSMT_KEY *key) void xmssmt_key_cleanup(XMSSMT_KEY *key) { if (key) { - gmssl_secure_clear(key->public_key.seed, sizeof(hash256_t)); // clear all RNG outputs - gmssl_secure_clear(key->secret, sizeof(hash256_t)); - gmssl_secure_clear(key->sk_prf, sizeof(hash256_t)); + gmssl_secure_clear(key->public_key.seed, sizeof(xmss_hash256_t)); // clear all RNG outputs + gmssl_secure_clear(key->secret, sizeof(xmss_hash256_t)); + gmssl_secure_clear(key->sk_prf, sizeof(xmss_hash256_t)); if (key->trees) { free(key->trees); } @@ -1632,13 +1645,13 @@ void xmssmt_key_cleanup(XMSSMT_KEY *key) } int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, - const hash256_t seed, const hash256_t secret, const hash256_t sk_prf) + const xmss_hash256_t seed, const xmss_hash256_t secret, const xmss_hash256_t sk_prf) { size_t height; size_t layers; uint32_t layer; xmss_adrs_t adrs; - hash256_t *tree; + xmss_hash256_t *tree; uint8_t *xmss_root; @@ -1662,9 +1675,9 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, key->public_key.xmssmt_type = xmssmt_type; - memcpy(key->public_key.seed, seed, sizeof(hash256_t)); - memcpy(key->secret, secret, sizeof(hash256_t)); - memcpy(key->sk_prf, sk_prf, sizeof(hash256_t)); + memcpy(key->public_key.seed, seed, sizeof(xmss_hash256_t)); + memcpy(key->secret, secret, sizeof(xmss_hash256_t)); + memcpy(key->sk_prf, sk_prf, sizeof(xmss_hash256_t)); @@ -1672,7 +1685,7 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, key->index = 0; // malloc tress - if (!(key->trees = malloc(xmssmt_num_trees_nodes(height, layers) * sizeof(hash256_t)))) { + if (!(key->trees = malloc(xmssmt_num_trees_nodes(height, layers) * sizeof(xmss_hash256_t)))) { error_print(); return -1; } @@ -1683,8 +1696,8 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, for (layer = 0; layer < layers; layer++) { // generate tree of the layer - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, xmssmt_tree_address(index, height, layers, layer)); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, xmssmt_tree_address(index, height, layers, layer)); xmss_build_tree(key->secret, key->public_key.seed, adrs, height/layers, tree); @@ -1693,16 +1706,16 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, // sign xmss_root with higher layer if (layer < layers - 1) { - adrs_set_layer_address(adrs, layer + 1); - adrs_set_tree_address(adrs, xmssmt_tree_address(index, height, layers, layer + 1)); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, xmssmt_tree_index(index, height, layers, layer + 1)); - wots_derive_sk(key->secret, key->public_key.seed, adrs, key->wots_sigs[layer]); + xmss_adrs_set_layer_address(adrs, layer + 1); + xmss_adrs_set_tree_address(adrs, xmssmt_tree_address(index, height, layers, layer + 1)); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, xmssmt_tree_index(index, height, layers, layer + 1)); + xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, key->wots_sigs[layer]); /* - hash256_t *tree2 = key->trees + xmss_num_tree_nodes(height/layers) * layer; - hash256_t xmss_root2 = tree2[xmss_tree_root_offset(height/layers)]; + xmss_hash256_t *tree2 = key->trees + xmss_num_tree_nodes(height/layers) * layer; + xmss_hash256_t xmss_root2 = tree2[xmss_tree_root_offset(height/layers)]; fprintf(stderr, "%p %p\n", tree, tree2); @@ -1710,19 +1723,19 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, */ - wots_sign(key->wots_sigs[layer], key->public_key.seed, adrs, xmss_root, key->wots_sigs[layer]); + xmss_wots_sign(key->wots_sigs[layer], key->public_key.seed, adrs, xmss_root, key->wots_sigs[layer]); } } // copy the top-level root - memcpy(key->public_key.root, xmss_root, sizeof(hash256_t)); + memcpy(key->public_key.root, xmss_root, sizeof(xmss_hash256_t)); tree = key->trees; - hash256_t root; + xmss_hash256_t root; - wots_key_t wots_pk; + xmss_wots_key_t wots_pk; // extra check @@ -1732,17 +1745,17 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, tree_address = xmssmt_tree_address(index, height, layers, layer + 1); tree_index = xmssmt_tree_index(index, height, layers, layer + 1); - adrs_set_layer_address(adrs, layer + 1); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); + xmss_adrs_set_layer_address(adrs, layer + 1); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); - wots_sig_to_pk(key->wots_sigs[layer], key->public_key.seed, adrs, dgst, wots_pk); + xmss_wots_sig_to_pk(key->wots_sigs[layer], key->public_key.seed, adrs, dgst, wots_pk); - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_set_tree_index(adrs, tree_index); - wots_pk_to_root(wots_pk, key->public_key.seed, adrs, root); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_set_tree_index(adrs, tree_index); + xmss_wots_pk_to_root(wots_pk, key->public_key.seed, adrs, root); tree += xmss_num_tree_nodes(height/layers); @@ -1758,21 +1771,21 @@ int xmssmt_key_generate_ex(XMSSMT_KEY *key, uint32_t xmssmt_type, int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type) { - hash256_t seed; - hash256_t secret; - hash256_t sk_prf; + xmss_hash256_t seed; + xmss_hash256_t secret; + xmss_hash256_t sk_prf; - if (rand_bytes(seed, sizeof(hash256_t)) != 1) { + if (rand_bytes(seed, sizeof(xmss_hash256_t)) != 1) { error_print(); return -1; } - if (rand_bytes(secret, sizeof(hash256_t)) != 1) { + if (rand_bytes(secret, sizeof(xmss_hash256_t)) != 1) { error_print(); return -1; } - if (rand_bytes(sk_prf, sizeof(hash256_t)) != 1) { + if (rand_bytes(sk_prf, sizeof(xmss_hash256_t)) != 1) { error_print(); return -1; } @@ -1786,7 +1799,7 @@ int xmssmt_key_generate(XMSSMT_KEY *key, uint32_t xmssmt_type) } // not checked -int xmssmt_build_auth_path(const hash256_t *tree, size_t height, size_t layers, uint64_t index, hash256_t *auth_path) +int xmssmt_build_auth_path(const xmss_hash256_t *tree, size_t height, size_t layers, uint64_t index, xmss_hash256_t *auth_path) { size_t i; @@ -1820,7 +1833,7 @@ int xmssmt_private_key_print(FILE *fp, int fmt, int ind, const char *label, cons { size_t height; size_t layers; - hash256_t *tree; + xmss_hash256_t *tree; size_t i; format_print(fp, fmt, ind, "%s\n", label); @@ -1839,7 +1852,7 @@ int xmssmt_private_key_print(FILE *fp, int fmt, int ind, const char *label, cons size_t j; format_print(fp, fmt, ind, "wots_sig\n"); for (j = 0; j < 67; j++) { - format_bytes(stderr, 0, ind+4, "", key->wots_sigs[i][j], sizeof(hash256_t)); + format_bytes(stderr, 0, ind+4, "", key->wots_sigs[i][j], sizeof(xmss_hash256_t)); } } */ @@ -1939,9 +1952,22 @@ int xmssmt_signature_size(uint32_t xmssmt_type, size_t *siglen) error_print(); return -1; } - *siglen += sizeof(hash256_t); - *siglen += sizeof(wots_sig_t) * layers; - *siglen += sizeof(hash256_t) * height; + *siglen += sizeof(xmss_hash256_t); + *siglen += sizeof(xmss_wots_sig_t) * layers; + *siglen += sizeof(xmss_hash256_t) * height; + return 1; +} + +int xmssmt_key_get_signature_size(const XMSSMT_KEY *key, size_t *siglen) +{ + if (!key || !siglen) { + error_print(); + return -1; + } + if (xmssmt_signature_size(key->public_key.xmssmt_type, siglen) != 1) { + error_print(); + return -1; + } return 1; } @@ -1965,15 +1991,15 @@ int xmssmt_signature_to_bytes(const XMSSMT_SIGNATURE *sig, uint32_t xmssmt_type, error_print(); return -1; } - hash256_to_bytes(sig->random, out, outlen); + xmss_hash256_to_bytes(sig->random, out, outlen); size_t layer; for (layer = 0; layer < layers; layer++) { for (i = 0; i < 67; i++) { - hash256_to_bytes(sig->wots_sigs[layer][i], out, outlen); + xmss_hash256_to_bytes(sig->wots_sigs[layer][i], out, outlen); } for (i = 0; i < height/layers; i++) { - hash256_to_bytes(sig->auth_path[(height/layers) * layer + i], out, outlen); + xmss_hash256_to_bytes(sig->auth_path[(height/layers) * layer + i], out, outlen); } } } @@ -2089,37 +2115,37 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const //format_print(fp, fmt, ind, "index: %u"PRIu64"\n", index); format_print(fp, fmt, ind, "index: %llu\n", (unsigned long long)index); - if (siglen < sizeof(hash256_t)) { + if (siglen < sizeof(xmss_hash256_t)) { error_print(); return -1; } - format_bytes(fp, fmt, ind, "random", sig, sizeof(hash256_t)); - sig += sizeof(hash256_t); - siglen -= sizeof(hash256_t); + format_bytes(fp, fmt, ind, "random", sig, sizeof(xmss_hash256_t)); + sig += sizeof(xmss_hash256_t); + siglen -= sizeof(xmss_hash256_t); for (layer = 0; layer < layers; layer++) { format_print(fp, fmt, ind, "redurced_xmss_signature[%zu]\n", layer); format_print(fp, fmt, ind+4, "wots_sig\n"); for (i = 0; i < 67; i++) { format_print(fp, fmt, ind+4, "%d ", i); - if (siglen < sizeof(hash256_t)) { + if (siglen < sizeof(xmss_hash256_t)) { error_print(); return -1; } - format_bytes(fp, fmt, 0, "", sig, sizeof(hash256_t)); - sig += sizeof(hash256_t); - siglen -= sizeof(hash256_t); + format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_hash256_t)); + sig += sizeof(xmss_hash256_t); + siglen -= sizeof(xmss_hash256_t); } format_print(fp, fmt, ind+4, "auth_path\n"); for (i = 0; i < height/layers; i++) { format_print(fp, fmt, ind+8, "%d ", i); - if (siglen < sizeof(hash256_t)) { + if (siglen < sizeof(xmss_hash256_t)) { error_print(); return -1; } - format_bytes(fp, fmt, 0, "", sig, sizeof(hash256_t)); - sig += sizeof(hash256_t); - siglen -= sizeof(hash256_t); + format_bytes(fp, fmt, 0, "", sig, sizeof(xmss_hash256_t)); + sig += sizeof(xmss_hash256_t); + siglen -= sizeof(xmss_hash256_t); } } if (siglen) { @@ -2132,8 +2158,8 @@ int xmssmt_signature_print(FILE *fp, int fmt, int ind, const char *label, const void xmssmt_sign_ctx_cleanup(XMSSMT_SIGN_CTX *ctx) { if (ctx) { - gmssl_secure_clear(ctx->xmssmt_sig.random, sizeof(hash256_t)); - gmssl_secure_clear(ctx->xmssmt_sig.wots_sigs[0], sizeof(wots_sig_t)); + gmssl_secure_clear(ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); + gmssl_secure_clear(ctx->xmssmt_sig.wots_sigs[0], sizeof(xmss_wots_sig_t)); } } @@ -2144,7 +2170,7 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) size_t layer; uint64_t tree_address; uint32_t tree_index; - hash256_t hash256_index; + xmss_hash256_t hash256_index; xmss_adrs_t adrs; if (!ctx || !key) { @@ -2172,13 +2198,13 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) // copy wots_sigs[1] to wots_sig[layers - 1] from key for (layer = 1; layer < layers; layer++) { - memcpy(ctx->xmssmt_sig.wots_sigs[layer], key->wots_sigs[layer - 1], sizeof(wots_sig_t)); + memcpy(ctx->xmssmt_sig.wots_sigs[layer], key->wots_sigs[layer - 1], sizeof(xmss_wots_sig_t)); } // build auth_path for (layer = 0; layer < layers; layer++) { - hash256_t *tree; - hash256_t *auth_path; + xmss_hash256_t *tree; + xmss_hash256_t *auth_path; tree = key->trees + xmss_num_tree_nodes(height/layers) * layer; tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer; @@ -2188,28 +2214,28 @@ int xmssmt_sign_init(XMSSMT_SIGN_CTX *ctx, XMSSMT_KEY *key) // derive ctx->xmssmt_sig.random memset(hash256_index, 0, 24); PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); - hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random); // derive wots_sk and save to wots_sigs[0] layer = 0; tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]); // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); xmssmt_key_update(key); @@ -2224,7 +2250,7 @@ int xmssmt_sign_update(XMSSMT_SIGN_CTX *ctx, const uint8_t *data, size_t datalen return -1; } if (data && datalen) { - hash256_update(&ctx->hash256_ctx, data, datalen); + xmss_hash256_update(&ctx->hash256_ctx, data, datalen); } return 1; } @@ -2238,14 +2264,14 @@ int xmssmt_sign_finish_ex(XMSSMT_SIGN_CTX *ctx, XMSSMT_SIGNATURE *sig) uint64_t tree_address; uint32_t tree_index; xmss_adrs_t adrs; - hash256_t dgst; + xmss_hash256_t dgst; if (!ctx || !sig) { error_print(); return -1; } - hash256_finish(&ctx->hash256_ctx, dgst); + xmss_hash256_finish(&ctx->hash256_ctx, dgst); if (xmssmt_type_to_height_and_layers(ctx->xmssmt_public_key.xmssmt_type, &height, &layers) != 1) { error_print(); @@ -2254,11 +2280,11 @@ int xmssmt_sign_finish_ex(XMSSMT_SIGN_CTX *ctx, XMSSMT_SIGNATURE *sig) tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_sign(ctx->xmssmt_sig.wots_sigs[0], ctx->xmssmt_public_key.seed, adrs, dgst, + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_sign(ctx->xmssmt_sig.wots_sigs[0], ctx->xmssmt_public_key.seed, adrs, dgst, ctx->xmssmt_sig.wots_sigs[0]); @@ -2290,7 +2316,7 @@ int xmssmt_sign_finish(XMSSMT_SIGN_CTX *ctx, uint8_t *sig, size_t *siglen) int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMSSMT_SIGNATURE *sig) { - hash256_t hash256_index; + xmss_hash256_t hash256_index; xmss_adrs_t adrs; if (!ctx || !key || !sig) { @@ -2311,11 +2337,11 @@ int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMS PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); return 1; } @@ -2323,7 +2349,7 @@ int xmssmt_verify_init_ex(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const XMS // check compatible publickey and sig int xmssmt_verify_init(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const uint8_t *sig, size_t siglen) { - hash256_t hash256_index; + xmss_hash256_t hash256_index; xmss_adrs_t adrs; if (!ctx || !key || !sig) { error_print(); @@ -2351,11 +2377,11 @@ int xmssmt_verify_init(XMSSMT_SIGN_CTX *ctx, const XMSSMT_KEY *key, const uint8_ PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); return 1; } @@ -2367,7 +2393,7 @@ int xmssmt_verify_update(XMSSMT_SIGN_CTX *ctx, const uint8_t *data, size_t datal return -1; } if (data && datalen) { - hash256_update(&ctx->hash256_ctx, data, datalen); + xmss_hash256_update(&ctx->hash256_ctx, data, datalen); } return 1; } @@ -2378,9 +2404,9 @@ int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx) size_t layers; size_t layer; xmss_adrs_t adrs; - hash256_t dgst; + xmss_hash256_t dgst; - hash256_finish(&ctx->hash256_ctx, dgst); + xmss_hash256_finish(&ctx->hash256_ctx, dgst); if (xmssmt_type_to_height_and_layers(ctx->xmssmt_public_key.xmssmt_type, &height, &layers) != 1) { error_print(); @@ -2390,23 +2416,23 @@ int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx) for (layer = 0; layer < layers; layer++) { uint64_t tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); uint32_t tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - wots_key_t wots_pk; + xmss_wots_key_t wots_pk; // wots_sig, dgst => wots_pk - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_sig_to_pk(ctx->xmssmt_sig.wots_sigs[layer], ctx->xmssmt_public_key.seed, adrs, dgst, wots_pk); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_sig_to_pk(ctx->xmssmt_sig.wots_sigs[layer], ctx->xmssmt_public_key.seed, adrs, dgst, wots_pk); // wots_pk => wots_root - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_set_ltree_address(adrs, tree_index); - wots_pk_to_root(wots_pk, ctx->xmssmt_public_key.seed, adrs, dgst); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_set_ltree_address(adrs, tree_index); + xmss_wots_pk_to_root(wots_pk, ctx->xmssmt_public_key.seed, adrs, dgst); // wots_root, auth_path => xmss_root (as dgst) - adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); - adrs_set_padding(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); + xmss_adrs_set_padding(adrs, 0); xmss_build_root(dgst, tree_index, ctx->xmssmt_public_key.seed, adrs, ctx->xmssmt_sig.auth_path + (height/layers) * layer, height/layers, @@ -2414,7 +2440,7 @@ int xmssmt_verify_finish(XMSSMT_SIGN_CTX *ctx) } // verify xmssmt_root (save in dgst) - if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(hash256_t)) != 0) { + if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_hash256_t)) != 0) { error_print(); return -1; } diff --git a/tests/xmsstest.c b/tests/xmsstest.c index 38c15d8f..6a9e5bad 100644 --- a/tests/xmsstest.c +++ b/tests/xmsstest.c @@ -23,13 +23,13 @@ static int test_xmss_adrs(void) xmss_adrs_t adrs; - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 1); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, 0); - adrs_set_chain_address(adrs, 1); - adrs_set_hash_address(adrs, 12); - adrs_set_key_and_mask(adrs, 0); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 1); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, 0); + xmss_adrs_set_chain_address(adrs, 1); + xmss_adrs_set_hash_address(adrs, 12); + xmss_adrs_set_key_and_mask(adrs, 0); xmss_adrs_print(stderr, 0, 4, "ADRS", adrs); @@ -41,11 +41,11 @@ static int test_xmss_adrs(void) #if defined(ENABLE_XMSS_CROSSCHECK) && defined(ENABLE_SHA2) static int test_wots_derive_sk(void) { - hash256_t secret = {0}; - hash256_t seed = {0}; + xmss_hash256_t secret = {0}; + xmss_hash256_t seed = {0}; xmss_adrs_t adrs = {0}; - wots_key_t wots_sk; - wots_key_t test_sk; + xmss_wots_key_t wots_sk; + xmss_wots_key_t test_sk; size_t len; // sha256 test 1 @@ -56,7 +56,7 @@ static int test_wots_derive_sk(void) hex_to_bytes("382c16f94b77905d4a6f78e1f38faf5ef914ac42324e356aeede056d356a5eeb", 64, test_sk[1], &len); hex_to_bytes("ab08e768529903e533c9bf8b3ea8c69d36aedcee5ac78801f92d23ef758cfe03", 64, test_sk[66], &len); - wots_derive_sk(secret, seed, adrs, wots_sk); + xmss_wots_derive_sk(secret, seed, adrs, wots_sk); if (memcmp(wots_sk[0], test_sk[0], 32) || memcmp(wots_sk[1], test_sk[1], 32) @@ -73,7 +73,7 @@ static int test_wots_derive_sk(void) hex_to_bytes("e45dad76c1b23975e898a365b8c73d13695a887ba2ba2377f840d3a3b7bf806c", 64, test_sk[1], &len); hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sk[66], &len); - wots_derive_sk(secret, seed, adrs, wots_sk); + xmss_wots_derive_sk(secret, seed, adrs, wots_sk); if (memcmp(wots_sk[0], test_sk[0], 32) || memcmp(wots_sk[1], test_sk[1], 32) @@ -88,12 +88,12 @@ static int test_wots_derive_sk(void) static int test_wots_sk_to_pk(void) { - hash256_t secret = {0}; - hash256_t seed = {0}; + xmss_hash256_t secret = {0}; + xmss_hash256_t seed = {0}; xmss_adrs_t adrs = {0}; - wots_key_t wots_sk; - wots_key_t wots_pk; - wots_key_t test_pk; + xmss_wots_key_t wots_sk; + xmss_wots_key_t wots_pk; + xmss_wots_key_t test_pk; size_t len; // sha256 test 2 @@ -104,9 +104,9 @@ static int test_wots_sk_to_pk(void) hex_to_bytes("acf6be724d4b074d67330559ec24b3d42c9b9d87fa103e7f6be402ec3a2d41c1", 64, test_pk[1], &len); hex_to_bytes("98691d83a657840d4b6f410e25fcd9a6480670ac9c090d3b79bc904ba7e131aa", 64, test_pk[66], &len); - wots_derive_sk(secret, seed, adrs, wots_sk); + xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); + xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); if (memcmp(wots_pk[0], test_pk[0], 32) || memcmp(wots_pk[1], test_pk[1], 32) @@ -121,15 +121,15 @@ static int test_wots_sk_to_pk(void) static int test_wots_sign(void) { - hash256_t secret = {0}; - hash256_t seed = {0}; + xmss_hash256_t secret = {0}; + xmss_hash256_t seed = {0}; xmss_adrs_t adrs = {0}; - hash256_t dgst = {0}; - wots_key_t wots_sk; - wots_key_t wots_pk; - wots_sig_t wots_sig; - wots_sig_t test_sig; - wots_key_t sig_pk; + xmss_hash256_t dgst = {0}; + xmss_wots_key_t wots_sk; + xmss_wots_key_t wots_pk; + xmss_wots_sig_t wots_sig; + xmss_wots_sig_t test_sig; + xmss_wots_key_t sig_pk; size_t len; int i; @@ -144,23 +144,23 @@ static int test_wots_sign(void) hex_to_bytes("75d2cfddd6ca9773fb9d0d17efe5c731c1a44f4b31352e26767623abf52911f9", 64, test_sig[15], &len); hex_to_bytes("aaad735aa51662b8a48258561fb857b3f2b12a5802593522145b3b68355abf3b", 64, test_sig[66], &len); - wots_derive_sk(secret, seed, adrs, wots_sk); + xmss_wots_derive_sk(secret, seed, adrs, wots_sk); - wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); + xmss_wots_sk_to_pk(wots_sk, seed, adrs, wots_pk); - wots_sign(wots_sk, seed, adrs, dgst, wots_sig); + xmss_wots_sign(wots_sk, seed, adrs, dgst, wots_sig); - if (memcmp(wots_sig[0], test_sig[0], sizeof(hash256_t)) - || memcmp(wots_sig[1], test_sig[1], sizeof(hash256_t)) - || memcmp(wots_sig[15], test_sig[15], sizeof(hash256_t)) - || memcmp(wots_sig[66], test_sig[66], sizeof(hash256_t))) { + if (memcmp(wots_sig[0], test_sig[0], sizeof(xmss_hash256_t)) + || memcmp(wots_sig[1], test_sig[1], sizeof(xmss_hash256_t)) + || memcmp(wots_sig[15], test_sig[15], sizeof(xmss_hash256_t)) + || memcmp(wots_sig[66], test_sig[66], sizeof(xmss_hash256_t))) { error_print(); return -1; } - wots_sig_to_pk(wots_sig, seed, adrs, dgst, sig_pk); + xmss_wots_sig_to_pk(wots_sig, seed, adrs, dgst, sig_pk); - if (memcmp(sig_pk ,wots_pk, sizeof(wots_key_t))) { + if (memcmp(sig_pk ,wots_pk, sizeof(xmss_wots_key_t))) { error_print(); return -1; } @@ -171,39 +171,39 @@ static int test_wots_sign(void) static int test_wots_derive_root(void) { - hash256_t secret; - hash256_t seed; + xmss_hash256_t secret; + xmss_hash256_t seed; xmss_adrs_t adrs; - hash256_t root; - hash256_t wots_0_root; - hash256_t wots_1023_root; + xmss_hash256_t root; + xmss_hash256_t wots_0_root; + xmss_hash256_t wots_1023_root; size_t len; - memset(secret, 0x12, sizeof(hash256_t)); - memset(seed, 0xab, sizeof(hash256_t)); + memset(secret, 0x12, sizeof(xmss_hash256_t)); + memset(seed, 0xab, sizeof(xmss_hash256_t)); hex_to_bytes("7A968C5F9AE4D2B781872B4E6EE851D55CC02F0AB9196701580D6F503D35DB68", 64, wots_0_root, &len); hex_to_bytes("939E10CD44769D4D9853F7CF5612D6D83B3AA140A8867CCF34A1DBCC66FC4333", 64, wots_1023_root, &len); // wots index is 0 - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_ots_address(adrs, 0); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_ots_address(adrs, 0); - wots_derive_root(secret, seed, adrs, root); + xmss_wots_derive_root(secret, seed, adrs, root); - if (memcmp(root, wots_0_root, sizeof(hash256_t)) != 0) { + if (memcmp(root, wots_0_root, sizeof(xmss_hash256_t)) != 0) { error_print(); return -1; } // wots index is 1023 - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_ots_address(adrs, 1023); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_ots_address(adrs, 1023); - wots_derive_root(secret, seed, adrs, root); + xmss_wots_derive_root(secret, seed, adrs, root); - if (memcmp(root, wots_1023_root, sizeof(hash256_t)) != 0) { + if (memcmp(root, wots_1023_root, sizeof(xmss_hash256_t)) != 0) { error_print(); return -1; } @@ -215,25 +215,25 @@ static int test_wots_derive_root(void) static int test_wots_verify(void) { uint32_t index = 0; - hash256_t secret; - hash256_t seed; + xmss_hash256_t secret; + xmss_hash256_t seed; xmss_adrs_t adrs; - wots_key_t sk; - hash256_t dgst; - wots_sig_t sig; - hash256_t root; + xmss_wots_key_t sk; + xmss_hash256_t dgst; + xmss_wots_sig_t sig; + xmss_hash256_t root; - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, index); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, index); - wots_derive_sk(secret, seed, adrs, sk); - wots_sign(sk, seed, adrs, dgst, sig); - wots_derive_root(secret, seed, adrs, root); + xmss_wots_derive_sk(secret, seed, adrs, sk); + xmss_wots_sign(sk, seed, adrs, dgst, sig); + xmss_wots_derive_root(secret, seed, adrs, root); - if (wots_verify(root, seed, adrs, dgst, sig) != 1) { + if (xmss_wots_verify(root, seed, adrs, dgst, sig) != 1) { error_print(); return -1; } @@ -247,26 +247,26 @@ static int test_wots_verify(void) static int test_xmss_build_tree(void) { - hash256_t xmss_secret; - hash256_t seed; + xmss_hash256_t xmss_secret; + xmss_hash256_t seed; xmss_adrs_t adrs; int height = 10; - hash256_t *tree = malloc(32 * (1< sig.wots_sig - adrs_set_layer_address(adrs, 0); - adrs_set_tree_address(adrs, 0); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, index); - wots_derive_sk(key.secret, key.public_key.seed, adrs, sig.wots_sig); + xmss_adrs_set_layer_address(adrs, 0); + xmss_adrs_set_tree_address(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, index); + xmss_wots_derive_sk(key.secret, key.public_key.seed, adrs, sig.wots_sig); // check wots_root - wots_derive_root(key.secret, key.public_key.seed, adrs, root); - if (memcmp(root, key.tree[index], sizeof(hash256_t)) != 0) { + xmss_wots_derive_root(key.secret, key.public_key.seed, adrs, root); + if (memcmp(root, key.tree[index], sizeof(xmss_hash256_t)) != 0) { xmss_key_cleanup(&key); error_print(); return -1; @@ -500,24 +500,24 @@ static int test_xmss_sign(void) PUTU32(hash256_index + 28, index); - hash256_init(&ctx); - hash256_update(&ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx, sig.random, sizeof(hash256_t)); - hash256_update(&ctx, key.public_key.root, sizeof(hash256_t)); - hash256_update(&ctx, hash256_index, sizeof(hash256_t)); - hash256_update(&ctx, msg, sizeof(msg)); - hash256_finish(&ctx, dgst); + xmss_hash256_init(&ctx); + xmss_hash256_update(&ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, key.public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, hash256_index, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx, msg, sizeof(msg)); + xmss_hash256_finish(&ctx, dgst); - wots_sign(sig.wots_sig, key.public_key.seed, adrs, dgst, sig.wots_sig); + xmss_wots_sign(sig.wots_sig, key.public_key.seed, adrs, dgst, sig.wots_sig); // verify // wots_sig => wots_root - wots_sig_to_pk(sig.wots_sig, key.public_key.seed, adrs, dgst, sig.wots_sig); + xmss_wots_sig_to_pk(sig.wots_sig, key.public_key.seed, adrs, dgst, sig.wots_sig); - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_set_ltree_address(adrs, index); - wots_pk_to_root(sig.wots_sig, key.public_key.seed, adrs, root); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_set_ltree_address(adrs, index); + xmss_wots_pk_to_root(sig.wots_sig, key.public_key.seed, adrs, root); @@ -539,7 +539,7 @@ static int test_xmss_sign(void) xmss_build_root(root, index, key.public_key.seed, adrs, sig.auth_path, height, root); - if (memcmp(root, key.public_key.root, sizeof(hash256_t)) != 0) { + if (memcmp(root, key.public_key.root, sizeof(xmss_hash256_t)) != 0) { error_print(); return -1; } @@ -893,13 +893,13 @@ static uint64_t xmssmt_tree_index(uint64_t index, size_t height, size_t layers, // reference implementation of xmss^mt sign/verify static int test_xmssmt_sign(void) { - static const uint8_t hash256_two[] = { + static const uint8_t xmss_hash256_two[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, }; - static const uint8_t hash256_three[] = { + static const uint8_t xmss_hash256_three[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -917,9 +917,9 @@ static int test_xmssmt_sign(void) XMSSMT_KEY *key = &xmssmt_key; XMSSMT_SIGN_CTX xmssmt_ctx; XMSSMT_SIGN_CTX *ctx = &xmssmt_ctx; - hash256_t dgst; + xmss_hash256_t dgst; - hash256_t hash256_index; + xmss_hash256_t hash256_index; xmss_adrs_t adrs; uint64_t tree_address; @@ -951,63 +951,63 @@ static int test_xmssmt_sign(void) // XMSSMT_SIGNATURE: // uint64_t index - // hash256_t random + // xmss_hash256_t random // wots_sig_t wots_sigs[layers]; - // hash256_t auth_path[height/layers] + // xmss_hash256_t auth_path[height/layers] // copy index ctx->xmssmt_sig.index = key->index; // copy wots_sigs[1] to wots_sig[layers - 1] from key for (layer = 1; layer < layers; layer++) { - memcpy(ctx->xmssmt_sig.wots_sigs[layer], key->wots_sigs[layer - 1], sizeof(wots_sig_t)); + memcpy(ctx->xmssmt_sig.wots_sigs[layer], key->wots_sigs[layer - 1], sizeof(xmss_wots_sig_t)); } // build auth_path for (layer = 0; layer < layers; layer++) { uint32_t tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - hash256_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer; - hash256_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer; + xmss_hash256_t *tree = key->trees + xmss_num_tree_nodes(height/layers) * layer; + xmss_hash256_t *auth_path = ctx->xmssmt_sig.auth_path + (height/layers) * layer; xmss_build_auth_path(tree, height/layers, tree_index, auth_path); } // derive ctx->xmssmt_sig.random memset(hash256_index, 0, 24); PUTU64(hash256_index + 24, ctx->xmssmt_sig.index); - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_three, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); - hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_three, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->sk_prf, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + xmss_hash256_finish(&ctx->hash256_ctx, ctx->xmssmt_sig.random); // derive wots_sk and save to wots_sigs[0] layer = 0; tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_derive_sk(key->secret, key->public_key.seed, adrs, ctx->xmssmt_sig.wots_sigs[0]); // H_msg(M) := HASH256(toByte(2, 32) || r || XMSS_ROOT || toByte(idx_sig, 32) || M) - hash256_init(&ctx->hash256_ctx); - hash256_update(&ctx->hash256_ctx, hash256_two, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(hash256_t)); - hash256_update(&ctx->hash256_ctx, msg, sizeof(msg)); - hash256_finish(&ctx->hash256_ctx, dgst); + xmss_hash256_init(&ctx->hash256_ctx); + xmss_hash256_update(&ctx->hash256_ctx, xmss_hash256_two, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, ctx->xmssmt_sig.random, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, key->public_key.root, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, hash256_index, sizeof(xmss_hash256_t)); + xmss_hash256_update(&ctx->hash256_ctx, msg, sizeof(msg)); + xmss_hash256_finish(&ctx->hash256_ctx, dgst); // generate message wots_sig as wots_sigs[0] layer = 0; tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_sign(ctx->xmssmt_sig.wots_sigs[0], ctx->xmssmt_public_key.seed, adrs, dgst, + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_sign(ctx->xmssmt_sig.wots_sigs[0], ctx->xmssmt_public_key.seed, adrs, dgst, ctx->xmssmt_sig.wots_sigs[0]); xmssmt_signature_print_ex(stderr, 0, 4, "xmssmt_signature", &ctx->xmssmt_sig, xmssmt_type); @@ -1017,23 +1017,23 @@ static int test_xmssmt_sign(void) for (layer = 0; layer < layers; layer++) { uint64_t tree_address = xmssmt_tree_address(ctx->xmssmt_sig.index, height, layers, layer); uint32_t tree_index = xmssmt_tree_index(ctx->xmssmt_sig.index, height, layers, layer); - wots_key_t wots_pk; + xmss_wots_key_t wots_pk; // wots_sig, dgst => wots_pk - adrs_set_layer_address(adrs, layer); - adrs_set_tree_address(adrs, tree_address); - adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); - adrs_set_ots_address(adrs, tree_index); - wots_sig_to_pk(ctx->xmssmt_sig.wots_sigs[layer], ctx->xmssmt_public_key.seed, adrs, dgst, wots_pk); + xmss_adrs_set_layer_address(adrs, layer); + xmss_adrs_set_tree_address(adrs, tree_address); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_OTS); + xmss_adrs_set_ots_address(adrs, tree_index); + xmss_wots_sig_to_pk(ctx->xmssmt_sig.wots_sigs[layer], ctx->xmssmt_public_key.seed, adrs, dgst, wots_pk); // wots_pk => wots_root - adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); - adrs_set_ltree_address(adrs, tree_index); - wots_pk_to_root(wots_pk, ctx->xmssmt_public_key.seed, adrs, dgst); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_LTREE); + xmss_adrs_set_ltree_address(adrs, tree_index); + xmss_wots_pk_to_root(wots_pk, ctx->xmssmt_public_key.seed, adrs, dgst); // wots_root, auth_path => xmss_root (as dgst) - adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); - adrs_set_padding(adrs, 0); + xmss_adrs_set_type(adrs, XMSS_ADRS_TYPE_HASHTREE); + xmss_adrs_set_padding(adrs, 0); xmss_build_root(dgst, tree_index, ctx->xmssmt_public_key.seed, adrs, ctx->xmssmt_sig.auth_path + (height/layers) * layer, height/layers, @@ -1041,7 +1041,7 @@ static int test_xmssmt_sign(void) } // verify xmssmt_root (save in dgst) - if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(hash256_t)) != 0) { + if (memcmp(dgst, ctx->xmssmt_public_key.root, sizeof(xmss_hash256_t)) != 0) { error_print(); return -1; }