diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9a160908..e54e253d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -53,15 +53,16 @@ option(ENABLE_SM4_XTS "Enable SM4 XTS mode" ON)
 option(ENABLE_SM4_CBC_MAC "Enable SM4-CBC-MAC" ON)
 option(ENABLE_SM2_EXTS "Enable SM2 Extensions" OFF)
+
 option(ENABLE_LMS_HSS "Enable LMS/HSS signature" ON)
 option(ENABLE_XMSS "Enable XMSS/XMSS^MT signature" ON)
-
+option(ENABLE_SPHINCS "Enable SPHINCS+ signature" OFF)
+option(ENABLE_KYBER "Enable Kyber" OFF)
 option(ENABLE_SHA1 "Enable SHA1" ON)
 option(ENABLE_SHA2 "Enable SHA2" ON)
 option(ENABLE_AES "Enable AES" ON)
 option(ENABLE_CHACHA20 "Enable Chacha20" ON)
-option(ENABLE_KYBER "Enable Kyber" ON)
 option(ENABLE_SKF "Enable SKF module" OFF)
 option(ENABLE_SDF "Enable SDF module" ON)
@@ -449,6 +450,21 @@ if (ENABLE_XMSS)
 endif()
+if (ENABLE_SPHINCS)
+ message(STATUS "ENABLE_SPHINCS is ON")
+ add_definitions(-DENABLE_SPHINCS)
+ list(APPEND src src/sphincs.c)
+ #list(APPEND tools tools/sphincskeygen.c tools/sphincssign.c tools/sphincsverify.c)
+ #list(APPEND tests sphincs)
+
+ option(ENABLE_SPHINCS_CROSSCHECK "Enable SPHINCS SHA-256 cross-check" ON)
+ if (ENABLE_SPHINCS_CROSSCHECK)
+ message(STATUS "ENABLE_SPHINCS_CROSSCHECK is ON")
+ add_definitions(-DENABLE_SPHINCS_CROSSCHECK)
+ endif()
+endif()
+
+
+if (ENABLE_KYBER)
+ message(STATUS "ENABLE_KYBER is ON")
+ add_definitions(-DENABLE_KYBER)
diff --git a/include/gmssl/sphincs.h b/include/gmssl/sphincs.h
new file mode 100644
index 00000000..305f5147
--- /dev/null
+++ b/include/gmssl/sphincs.h
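Review bot: The first hunk flips `option(ENABLE_KYBER "Enable Kyber" ON)` to `OFF` while adding the SPHINCS option, which changes the default feature set of every downstream build and has nothing to do with the new signature scheme. If disabling Kyber by default is intended it deserves its own commit, or at least a sentence in the message saying why; otherwise the line should stay `option(ENABLE_KYBER "Enable Kyber" ON)` in its original position.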
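Review bot: `option(ENABLE_SPHINCS_CROSSCHECK "Enable SPHINCS SHA-256 cross-check" ON)` defaults to ON, and the header it gates (include/gmssl/sphincs.h in this same patch) routes every SPHINCS hash through SHA-256 instead of SM3 whenever ENABLE_SHA2 is also ON, which is the default, so a plain `-DENABLE_SPHINCS=ON` build silently produces the SHA-256 construction rather than the SM3 one. A cross-check knob should default OFF, `option(ENABLE_SPHINCS_CROSSCHECK "Enable SPHINCS SHA-256 cross-check" OFF)`, and the status message should name the hash actually selected so the build log shows which primitive was compiled in. The tools and tests for the new module are left commented out in the same hunk, so neither hash path is exercised by the test target; that is worth stating in the commit message as a known gap.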
@@ -0,0 +1,184 @@
+/*
+ * Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the License); you may
+ * not use this file except in compliance with the License.
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+#ifndef GMSSL_SPHINCS_H
+#define GMSSL_SPHINCS_H
+
+
+#include
+#include
+#include
+#include
+#include
+#ifdef ENABLE_SHA2
+#include
+#endif
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#if defined(ENABLE_SPHINCS_CROSSCHECK) && defined(ENABLE_SHA2)
+# define HASH256_CTX SHA256_CTX
+# define hash256_init sha256_init
+# define hash256_update sha256_update
+# define hash256_finish sha256_finish
+# define HASH256_BLOCK_SIZE SHA256_BLOCK_SIZE
+#else
+# define HASH256_CTX SM3_CTX
+# define hash256_init sm3_init
+# define hash256_update sm3_update
+# define hash256_finish sm3_finish
+# define HASH256_BLOCK_SIZE SM3_BLOCK_SIZE
+#endif
+
+/*
+In order to make keeping track of the types easier throughout the pseudo-code in the rest of
+this document, we refer to them respectively using the constants WOTS_HASH, WOTS_PK, TREE,
+FORS_TREE, FORS_ROOTS, WOTS_PRF, and FORS_PRF.
+*/ + +enum { + SPHINCS_ADRS_TYPE_WOTS_PRF = 0, + SPHINCS_ADRS_TYPE_WOTS_PK = 1, + SPHINCS_ADRS_TYPE_HASHTREE = 2, + SPHINCS_ADRS_TYPE_FORS_TREE = 3, + SPHINCS_ADRS_TYPE_FORS_ROOT = 4, + SPHINCS_ADRS_TYPE_WOTS_KEYGEN = 5, + SPHINCS_ADRS_TYPE_FORS_KEYGEN = 6, +}; + +typedef uint8_t sphincs_adrs_t[32]; + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 0 + uint32_t keypair_address; + uint32_t chain_address; + uint32_t hash_address; +} SPHINCS_ADRS_WOTS_HASH; + +void sphincs_adrs_copy_layer_address(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_tree_address(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_type(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_keypair_address(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_chain_address(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_hash_address(sphincs_adrs_t dst, const sphincs_adrs_t src); + +void sphincs_adrs_set_layer_address(sphincs_adrs_t adrs, const uint32_t address); +void sphincs_adrs_set_tree_address(sphincs_adrs_t adrs, const uint64_t address); +void sphincs_adrs_set_type(sphincs_adrs_t adrs, const uint32_t type); +void sphincs_adrs_set_keypair_address(sphincs_adrs_t adrs, const uint32_t address); +void sphincs_adrs_set_chain_address(sphincs_adrs_t adrs, const uint32_t address); +void sphincs_adrs_set_hash_address(sphincs_adrs_t adrs, const uint32_t address); + +// 所有的padding都在最后,是否意味着可以不用padding? 
+typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 1 + uint32_t keypair_address; + uint32_t padding[3]; // = {0,0,0} +} SPHINCS_ADRS_WOTS_PK_COMP; + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 2 + uint32_t padding; // = 0 + uint32_t tree_height; + uint32_t tree_index; +} SPHINCS_ADRS_HASHTREE; + +void sphincs_adrs_copy_tree_height(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_copy_tree_index(sphincs_adrs_t dst, const sphincs_adrs_t src); +void sphincs_adrs_set_tree_height(sphincs_adrs_t adrs, uint32_t height); +void sphincs_adrs_set_tree_index(sphincs_adrs_t adrs, uint32_t index); + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 3 + uint32_t keypair_address; + uint32_t tree_height; + uint32_t tree_index; +} SPHINCS_ADRS_FORS_TREE; + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 4 + uint32_t keypair_address; + uint32_t padding[2]; // = {0,0} +} SPHINCS_ADRS_FORS_ROOT; + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 5 + uint32_t keypair_address; + uint32_t chain_address; + uint32_t hash_address; // = 0 +} SPHINCS_ADRS_WOTS_KEYGEN; + +typedef struct { + uint32_t layer_address; + uint32_t tree_address[3]; + uint32_t type; // = 6 + uint32_t keypair_address; + uint32_t tree_height; // = 0 + uint32_t tree_index; +} SPHINCS_ADRS_FORS_KEYGEN; + +typedef uint8_t sphincs_adrsc_t[22]; + +void sphincs_adrs_compress(const sphincs_adrs_t adrs, sphincs_adrsc_t adrsc); + +// 这里比较奇怪的是,fors的参数以及哈希值是多少? 
+// 哈希值被分成两部分,一部分用来从hypertree上找到树的地址,一个是用于fors的输入 +typedef struct { + char *name; + size_t secret_size; // 这个是n,当sm3/sha256时n==16 + size_t height; + size_t layers; + size_t fors_height; + size_t fors_trees; + int winternitz_w; + int bitsec; + int sec_level; + size_t siglen; +} SPHINCS_PARAMS; + +// sizeof(sphincs_secret_t) == n, when sm3/sha256, n == 16 +typedef uint8_t sphincs_secret_t[16]; + + + +void sphincs_wots_chain(const sphincs_secret_t x, + const sphincs_secret_t seed, const sphincs_adrs_t ots_adrs, + int start, int steps, sphincs_secret_t y); + + +typedef sphincs_secret_t sphincs_wots_key_t[35]; +typedef sphincs_secret_t sphincs_wots_sig_t[35]; + + +void sphincs_wots_derive_sk(const sphincs_secret_t secret, + const sphincs_secret_t seed, const sphincs_adrs_t adrs, + sphincs_wots_key_t sk); + + +#ifdef __cplusplus +} +#endif +#endif + diff --git a/src/sphincs.c b/src/sphincs.c new file mode 100644 index 00000000..d432486e --- /dev/null +++ b/src/sphincs.c 
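Review bot: The `HASH256_CTX`/`hash256_*`/`HASH256_BLOCK_SIZE` macros are chosen in this public header by `ENABLE_SPHINCS_CROSSCHECK` and `ENABLE_SHA2`, which the CMake hunk only sets as compile definitions of the library build, so anyone including the installed header gets the SM3 branch regardless of how the library was compiled, and the unprefixed names can collide with any other definition of `hash256_*` a consumer already has. Within this patch they are consumed only by src/sphincs.c, so they belong in that file (or need a `SPHINCS_` prefix if they must stay public). The comment on `sphincs_secret_t` ("when sm3/sha256, n == 16") misattributes what fixes n: n is the parameter-set security parameter (the `sphincs_params` table in sphincs.c lists 16/24/32), not a property of the hash, and every prototype here is hard-wired to the 128-bit sets through `[16]` and `[35]`, so I would write `// n = 16: this API is hard-wired to the SPHINCS+-128 parameter sets (w = 16, len = 35); the 192/256 rows of SPHINCS_PARAMS are not representable with these types`. The remaining Chinese comments (padding question, FORS hash-split note) should be rewritten in English to match the rest of the header.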
@@ -0,0 +1,489 @@ +/* + * Copyright 2014-2026 The GmSSL Project. All Rights Reserved. + * + * Licensed under the Apache License, Version 2.0 (the License); you may + * not use this file except in compliance with the License. + * + * http://www.apache.org/licenses/LICENSE-2.0 + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +static const SPHINCS_PARAMS sphincs_params[] = { + // n h d lg(t) k w siglen + { "SPHINCS+_128s", 16, 63, 7, 12, 14, 16, 133, 1, 7856 }, + { "SPHINCS+_128f", 16, 66, 22, 6, 33, 16, 128, 1, 17088 }, + { "SPHINCS+_192s", 24, 64, 7, 14, 17, 16, 193, 3, 16244 }, + { "SPHINCS+_192f", 24, 66, 22, 8, 33, 16, 194, 3, 35644 }, + { "SPHINCS+_256s", 32, 64, 8, 14, 22, 16, 255, 5, 29792 }, + { "SPHINCS+_256f", 32, 68, 17, 9, 35, 16, 255, 5, 49856 }, +}; + + + +void sphincs_adrs_copy_layer_address(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst, src, 4); +} + +void sphincs_adrs_copy_tree_address(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 4, src + 4, 12); +} + +void sphincs_adrs_copy_type(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 16, src + 16, 4); +} + +void sphincs_adrs_copy_keypair_address(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 20, src + 20, 4); +} + +void sphincs_adrs_copy_chain_address(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 24, src + 24, 4); +} + +void sphincs_adrs_copy_hash_address(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 28, src + 28, 4); +} + +void sphincs_adrs_set_layer_address(sphincs_adrs_t adrs, const uint32_t address) { + PUTU32(adrs, address); +} + +void sphincs_adrs_set_tree_address(sphincs_adrs_t adrs, const uint64_t address) { + PUTU32(adrs + 4, 0); + PUTU64(adrs + 8, address); +} + +void sphincs_adrs_set_type(sphincs_adrs_t adrs, const uint32_t type) { + PUTU32(adrs + 16, type); +} + +void 
sphincs_adrs_set_keypair_address(sphincs_adrs_t adrs, const uint32_t address) { + PUTU32(adrs + 20, address); +} + +void sphincs_adrs_set_chain_address(sphincs_adrs_t adrs, const uint32_t address) { + PUTU32(adrs + 24, address); +} + +void sphincs_adrs_set_hash_address(sphincs_adrs_t adrs, const uint32_t address) { + PUTU32(adrs + 28, address); +} + +void sphincs_adrs_copy_tree_height(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 24, src + 24, 4); +} + +void sphincs_adrs_copy_tree_index(sphincs_adrs_t dst, const sphincs_adrs_t src) { + memcpy(dst + 28, src + 28, 4); +} + +void sphincs_adrs_set_tree_height(sphincs_adrs_t adrs, uint32_t height) { + PUTU32(adrs + 24, height); +} + +void sphincs_adrs_set_tree_index(sphincs_adrs_t adrs, uint32_t index) { + PUTU32(adrs + 28, index); +} + + +void sphincs_adrs_compress(const sphincs_adrs_t adrs, sphincs_adrsc_t adrsc) +{ + memcpy(adrsc, adrs, 22); +} + + +void sphincs_wots_chain(const sphincs_secret_t x, + const sphincs_secret_t seed, const sphincs_adrs_t ots_adrs, + int start, int steps, sphincs_secret_t y) +{ + const uint8_t uint32_zero[4] = {0}; + uint8_t block[HASH256_BLOCK_SIZE] = {0}; + sphincs_adrs_t adrs; + sphincs_adrsc_t adrsc; + HASH256_CTX ctx; + hash256_t dgst; + int i; + + memcpy(block, seed, sizeof(sphincs_secret_t)); + + sphincs_adrs_copy_layer_address(adrs, ots_adrs); + sphincs_adrs_copy_tree_address(adrs, ots_adrs); + sphincs_adrs_copy_type(adrs, ots_adrs); + sphincs_adrs_copy_keypair_address(adrs, ots_adrs); + sphincs_adrs_copy_chain_address(adrs, ots_adrs); + + memcpy(y, x, sizeof(sphincs_secret_t)); + + for (i = 0; i < steps; i++) { + sphincs_adrs_set_hash_address(adrs, start + i); + sphincs_adrs_compress(adrs, adrsc); + + // tmp = tmp xor mgf1(seed||ardsc) + hash256_init(&ctx); + hash256_update(&ctx, seed, sizeof(sphincs_secret_t)); + hash256_update(&ctx, adrsc, sizeof(sphincs_adrsc_t)); + hash256_update(&ctx, uint32_zero, sizeof(uint32_zero)); + hash256_finish(&ctx, dgst); + + 
gmssl_memxor(y, y, dgst, sizeof(sphincs_secret_t)); + + // y = hash256(blockpad(seed) || adrsc || y) + hash256_init(&ctx); + hash256_update(&ctx, block, sizeof(block)); + hash256_update(&ctx, adrsc, sizeof(sphincs_adrsc_t)); + hash256_update(&ctx, y, sizeof(sphincs_secret_t)); + hash256_finish(&ctx, dgst); + + memcpy(y, dgst, sizeof(sphincs_secret_t)); + } +} + +void sphincs_wots_derive_sk(const sphincs_secret_t secret, + const sphincs_secret_t seed, const sphincs_adrs_t in_adrs, + sphincs_wots_key_t sk) +{ + uint8_t block[HASH256_BLOCK_SIZE] = {0}; + sphincs_adrs_t adrs; + sphincs_adrsc_t adrsc; + HASH256_CTX ctx; + hash256_t dgst; + int i; + + memcpy(block, seed, sizeof(sphincs_secret_t)); + + sphincs_adrs_copy_layer_address(adrs, in_adrs); + sphincs_adrs_copy_tree_address(adrs, in_adrs); + sphincs_adrs_set_type(adrs, SPHINCS_ADRS_TYPE_WOTS_PRF); + + for (i = 0; i < 35; i++) { + sphincs_adrs_set_chain_address(adrs, i); + sphincs_adrs_set_hash_address(adrs, 0); + sphincs_adrs_compress(adrs, adrsc); + + // sk[i] + hash256_init(&ctx); + hash256_update(&ctx, block, sizeof(block)); + hash256_update(&ctx, adrsc, sizeof(adrsc)); + hash256_update(&ctx, secret, sizeof(sphincs_secret_t)); + hash256_finish(&ctx, dgst); + memcpy(sk, dgst, sizeof(sphincs_secret_t)); + } +} + +void sphincs_wots_sk_to_pk(const sphincs_wots_key_t sk, + const sphincs_secret_t seed, const sphincs_adrs_t ots_adrs, + sphincs_wots_key_t pk) +{ + const int start = 0; + const int steps = 16 - 1; + sphincs_adrs_t adrs; + int chain; + + sphincs_adrs_copy_layer_address(adrs, ots_adrs); + sphincs_adrs_copy_tree_address(adrs, ots_adrs); + sphincs_adrs_copy_type(adrs, ots_adrs); + sphincs_adrs_copy_keypair_address(adrs, ots_adrs); + + for (chain = 0; chain < 35; chain++) { + sphincs_adrs_set_chain_address(adrs, chain); + sphincs_adrs_set_hash_address(adrs, 0); + sphincs_wots_chain(sk[chain], seed, adrs, start, steps, pk[chain]); + } +} + +void sphincs_wots_pk_to_root(const sphincs_wots_key_t pk, + const 
sphincs_secret_t seed, const sphincs_adrs_t in_adrs, + sphincs_secret_t root) +{ + uint8_t block[HASH256_BLOCK_SIZE] = {0}; + sphincs_adrs_t adrs; + sphincs_adrsc_t adrsc; + HASH256_CTX ctx; + hash256_t dgst; + int i; + + memcpy(block, seed, sizeof(sphincs_secret_t)); + + sphincs_adrs_copy_layer_address(adrs, in_adrs); + sphincs_adrs_copy_tree_address(adrs, in_adrs); + sphincs_adrs_set_type(adrs, SPHINCS_ADRS_TYPE_WOTS_PK); + sphincs_adrs_copy_keypair_address(adrs, in_adrs); + sphincs_adrs_compress(adrs, adrsc); + + hash256_init(&ctx); + hash256_update(&ctx, block, sizeof(block)); + hash256_update(&ctx, adrsc, sizeof(adrsc)); + for (i = 0; i < 35; i++) { + hash256_update(&ctx, pk[i], sizeof(sphincs_secret_t)); + } + hash256_finish(&ctx, dgst); + + memcpy(root, dgst, sizeof(sphincs_secret_t)); +} + +void sphincs_base_w_and_checksum(const sphincs_secret_t dgst, int steps[35]) +{ + int csum = 0; + int sbits; + int i; + + for (i = 0; i < 16; i++) { + steps[2 * i] = dgst[i] >> 4; + steps[2 * i + 1] = dgst[i] & 0xf; + } + for (i = 0; i < 32; i++) { + csum += 15 - steps[i]; + } + // csum = csum << (8 - ((len_2 * lg(w)) %8)) = (8 - (3*4)%8) = 8 - 4 = 4 + sbits = (8 - ((3 * 4) % 8)); + csum <<= sbits; + + // len_2_bytes = ceil((len_2 * lg(w)) / 8) = ceil(12/8) = 2 + uint8_t csum_bytes[2]; + csum_bytes[0] = (csum >> 8) & 0xff; + csum_bytes[1] = csum & 0xff; + + steps[32] = csum_bytes[0] >> 4; + steps[33] = csum_bytes[0] & 0xf; + steps[34] = csum_bytes[1] >> 4; +} + +void sphincs_wots_sign(const sphincs_wots_key_t sk, + const sphincs_secret_t seed, const sphincs_adrs_t ots_adrs, + const sphincs_secret_t dgst, sphincs_wots_sig_t sig) +{ + sphincs_adrs_t adrs; + const int start = 0; + int steps[35]; + uint32_t i; + + sphincs_adrs_copy_layer_address(adrs, ots_adrs); + sphincs_adrs_copy_tree_address(adrs, ots_adrs); + sphincs_adrs_copy_type(adrs, ots_adrs); + sphincs_adrs_copy_keypair_address(adrs, ots_adrs); + + sphincs_base_w_and_checksum(dgst, steps); + + for (i = 0; i < 35; 
i++) { + sphincs_adrs_set_chain_address(adrs, i); + sphincs_adrs_set_hash_address(adrs, 0); + sphincs_wots_chain(sk[i], seed, adrs, start, steps[i], sig[i]); + } +} + +void sphincs_wots_sig_to_pk(const sphincs_wots_sig_t sig, + const sphincs_secret_t seed, const sphincs_adrs_t ots_adrs, + const sphincs_secret_t dgst, sphincs_wots_key_t pk) +{ + sphincs_adrs_t adrs; + int steps[35]; + int i; + + sphincs_adrs_copy_layer_address(adrs, ots_adrs); + sphincs_adrs_copy_tree_address(adrs, ots_adrs); + sphincs_adrs_copy_type(adrs, ots_adrs); + sphincs_adrs_copy_keypair_address(adrs, ots_adrs); + + sphincs_base_w_and_checksum(dgst, steps); + + for (i = 0; i < 35; i++) { + sphincs_adrs_set_chain_address(adrs, i); + sphincs_wots_chain(sig[i], seed, adrs, steps[i], 15 - steps[i], pk[i]); + } +} + +void sphincs_xmss_tree_hash(const sphincs_secret_t left_child, const sphincs_secret_t right_child, + const sphincs_secret_t seed, const sphincs_adrs_t in_adrs, + hash256_t parent) +{ +} + +void sphincs_xmss_build_tree(const sphincs_secret_t secret, + const sphincs_secret_t seed, const sphincs_adrs_t in_adrs, + size_t height, sphincs_secret_t *tree) +{ + sphincs_adrs_t adrs; + sphincs_secret_t *children; + sphincs_secret_t *parents; + size_t n = 1 << height; + uint32_t h; // as tree_height + uint32_t i; // as tree_index + + sphincs_adrs_copy_layer_address(adrs, in_adrs); + sphincs_adrs_copy_tree_address(adrs, in_adrs); + + // derive 2^h wots+ roots as leaves of xmss tree + sphincs_adrs_set_type(adrs, SPHINCS_ADRS_TYPE_WOTS_PRF); + for (i = 0; i < n; i++) { + sphincs_adrs_set_keypair_address(adrs, i); + //sphincs_wots_derive_root(secret, seed, adrs, tree[i]); + } + + // build xmss tree + sphincs_adrs_set_type(adrs, SPHINCS_ADRS_TYPE_HASHTREE); + //sphincs_adrs_set_padding(adrs, 0); + + children = tree; + parents = tree + n; + for (h = 0; h < height; h++) { + sphincs_adrs_set_tree_height(adrs, h + 1); + n >>= 1; + for (i = 0; i < n; i++) { + sphincs_adrs_set_tree_index(adrs, i); + 
sphincs_xmss_tree_hash(children[2*i], children[2*i + 1], seed, adrs, parents[i]); + } + children = parents; + parents += n; + } +} + + + +void fors_tree_hash(const sphincs_secret_t seed, const sphincs_secret_t secret, + int start, int height, const sphincs_adrs_t adrs) +{ +} + + + + +void fors_derive_secret(const sphincs_secret_t seed, const sphincs_secret_t secret, + const sphincs_adrs_t in_adrs, uint32_t fors_index, sphincs_secret_t sk) +{ + uint8_t block[HASH256_BLOCK_SIZE] = {0}; + sphincs_adrs_t adrs; + sphincs_adrsc_t adrsc; + HASH256_CTX ctx; + hash256_t dgst; + + // blockpad(seed) + memcpy(block, seed, sizeof(sphincs_secret_t)); + + sphincs_adrs_copy_layer_address(adrs, in_adrs); + sphincs_adrs_copy_tree_address(adrs, in_adrs); + sphincs_adrs_set_type(adrs, SPHINCS_ADRS_TYPE_FORS_KEYGEN); + sphincs_adrs_copy_keypair_address(adrs, in_adrs); + sphincs_adrs_set_tree_height(adrs, 0); + sphincs_adrs_set_tree_index(adrs, fors_index); + + // compress adrs + sphincs_adrs_compress(adrs, adrsc); + + // sk = prf(seed, secret, adrs) = hash256(blockpad(seed)||adrsc||secret) + hash256_init(&ctx); + hash256_update(&ctx, block, sizeof(block)); + hash256_update(&ctx, adrsc, sizeof(adrsc)); + hash256_update(&ctx, secret, sizeof(sphincs_secret_t)); + hash256_finish(&ctx, dgst); + + memcpy(sk, dgst, sizeof(sphincs_secret_t)); + gmssl_secure_clear(dgst, sizeof(dgst)); +} + + + + + + +/* +int fors_derive_merkle_tree(const sphincs_hash_t sk_seed, const sphincs_adrs_t adrs, sphincs_hash_t *tree) +{ + int r; + + int a = 12; + int t = (1 << a); + + + uint8_t rbytes[4]; + HASH256_CTX ctx; + hash256_t x[34]; + hash256_t pub; + hash256_t *T = tree - 1; + + for (r = 2*t - 1; r >= 1; r--) { + + PUTU32(rbytes, r); + + if (r >= t) { + int q = r - n; + + + sm3_lmots_derive_secrets(seed, I, q, x); + sm3_lmots_secrets_to_public_hash(I, q, x, pub); + + + + // H(I||u32str(r)||u16str(D_LEAF)||OTS_PUB_HASH[r-2^h]) + hash256_init(&ctx); + hash256_update(&ctx, I, 16); + hash256_update(&ctx, rbytes, 
4); + hash256_update(&ctx, D_LEAF, 2); + hash256_update(&ctx, pub, 32); + hash256_finish(&ctx, T[r]); + + } else { + // H(I||u32str(r)||u16str(D_INTR)||T[2*r]||T[2*r+1]) + hash256_init(&ctx); + hash256_update(&ctx, I, 16); + hash256_update(&ctx, rbytes, 4); + hash256_update(&ctx, D_INTR, 2); + hash256_update(&ctx, T[2*r], 32); + hash256_update(&ctx, T[2*r + 1], 32); + hash256_finish(&ctx, T[r]); + } + } +} + + + +int fors_derive_secrets(const sphincs_hash_t sk_seed, const sphincs_adrs_t adrs, uint32_t index, sphincs_hash_t sk[14 * 4096]) +{ + sphincs_adrs_t sk_adrs; + uint32_t i; + + memcpy(sk_adrs, adrs, sizeof(sphincs_adrs_t)); + sphincs_adrs_set_type(sk_adrs, SPHINCSX_ADRS_TYPE_FORS_KEYGEN); + sphincs_adrs_set_tree_height(sk_adrs, 0); + sphincs_adrs_set_tree_index(sk_adrs, index); + + for (i = 0; i < SPHINCSX_FORS_NUM_SK; i++) { + sphincs_adrs_set_keypair_addrss(sk_adrs, i); + sphincs_prf(sk_seed, sk_adrs, sk[i]); + } + + return 1; +} + + +void fors_treehash(const sphincs_hash_t sk_seed, const sphincs_hash_t pk_seed) +{ +} + +void fors_secrets_to_public_root(const sphincs_hash_t sk[SPHINCSX_FORS_NUM_SK], + const sphincs_adrs_t pk_seed, const sphincs_adrs_t adrs, + sphincs_hash_t pub) +{ + +} + +int fors_treehash(const sphincs_adrs_t sk_seed, cosnt sphincs_adrs_t pk_seed, + unsigned int s, unsigned int z, const sphincs_adrs_t fors_adrs, + uint8_t out[16]) +{ +} +*/ +
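Review bot: `sphincs_adrs_compress` copies the first 22 bytes of ADRS (`memcpy(adrsc, adrs, 22)`), but the SPHINCS+ compressed address is the low byte of the layer, the low 8 bytes of the tree address, the low byte of the type and the last 12 bytes (keypair/chain/hash or height/index); as written the chain and hash addresses and the low two bytes of the keypair address never reach the hash, so every chain in `sphincs_wots_derive_sk` is derived from the same PRF input and successive steps in `sphincs_wots_chain` reuse the same MGF1 mask, removing the per-position domain separation WOTS+ depends on. `sphincs_wots_derive_sk` has two further defects: it stores every digest with `memcpy(sk, dgst, sizeof(sphincs_secret_t))` instead of `memcpy(sk[i], dgst, sizeof(sphincs_secret_t))`, leaving sk[1..34] uninitialised, and it never copies the keypair address from `in_adrs`, so bytes 20-23 of `adrs` are uninitialised stack that feed the PRF. `sphincs_xmss_build_tree` computes `size_t n = 1 << height;` with an int shift on a size_t height; `(size_t)1 << height` avoids the overflow for height >= 31. The derive function also leaves `dgst` and `ctx` holding secret-derived material where `fors_derive_secret` clears `dgst`, and the commented-out LMS-era block at the end of the file should be dropped rather than shipped.
```c
void sphincs_adrs_compress(const sphincs_adrs_t adrs, sphincs_adrsc_t adrsc)
{
	adrsc[0] = adrs[3];                 /* layer address, low byte */
	memcpy(adrsc + 1, adrs + 8, 8);     /* tree address, low 8 bytes */
	adrsc[9] = adrs[19];                /* type, low byte */
	memcpy(adrsc + 10, adrs + 20, 12);  /* keypair/chain/hash or height/index words */
}
```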