34 * Derives the n-byte seed for one OTS key pair via prf from the n-byte sk_seed and the 32-byte (8 x uint32_t) address addr; distinct addresses yield distinct seeds.
36 static void get_seed(unsigned char *seed, const unsigned char *sk_seed, int n, uint32_t addr[8]) in get_seed() argument
45 prf(seed, bytes, sk_seed, n); in get_seed()
53 int xmss_set_params(xmss_params *params, int n, int h, int w, int k) in xmss_set_params() argument
55 if (k >= h || k < 2 || (h - k) % 2) { in xmss_set_params()
56 fprintf(stderr, "For BDS traversal, H - K must be even, with H > K >= 2!\n"); in xmss_set_params()
57 return 1; in xmss_set_params()
59 params->h = h; in xmss_set_params()
60 params->n = n; in xmss_set_params()
61 params->k = k; in xmss_set_params()
63 wots_set_params(&wots_par, n, w); in xmss_set_params()
64 params->wots_par = wots_par; in xmss_set_params()
74 state->stack = stack; in xmss_set_bds_state()
75 state->stackoffset = stackoffset; in xmss_set_bds_state()
76 state->stacklevels = stacklevels; in xmss_set_bds_state()
77 state->auth = auth; in xmss_set_bds_state()
78 state->keep = keep; in xmss_set_bds_state()
79 state->treehash = treehash; in xmss_set_bds_state()
80 state->retain = retain; in xmss_set_bds_state()
81 state->next_leaf = next_leaf; in xmss_set_bds_state()
90 int xmssmt_set_params(xmssmt_params *params, int n, int h, int d, int w, int k) in xmssmt_set_params() argument
93 fprintf(stderr, "d must divide h without remainder!\n"); in xmssmt_set_params()
94 return 1; in xmssmt_set_params()
96 params->h = h; in xmssmt_set_params()
97 params->d = d; in xmssmt_set_params()
98 params->n = n; in xmssmt_set_params()
99 params->index_len = (h + 7) / 8; in xmssmt_set_params()
101 if (xmss_set_params(&xmss_par, n, (h/d), w, k)) { in xmssmt_set_params()
102 return 1; in xmssmt_set_params()
104 params->xmss_par = xmss_par; in xmssmt_set_params()
109 * Computes a leaf from a WOTS public key using an L-tree.
113 unsigned int l = params->wots_par.len; in l_tree()
114 unsigned int n = params->n; in l_tree() local
122 while (l > 1) { in l_tree()
123 bound = l >> 1; //floor(l / 2); in l_tree()
127 //wots_pk[i] = RAND_HASH(pk[2i], pk[2i + 1], SEED, ADRS); in l_tree()
128 hash_h(wots_pk+i*n, wots_pk+i*2*n, pub_seed, addr, n); in l_tree()
130 //if ( l % 2 == 1 ) { in l_tree()
131 if (l & 1) { in l_tree()
132 //pk[floor(l / 2) + 1] = pk[l]; in l_tree()
133 memcpy(wots_pk+(l>>1)*n, wots_pk+(l-1)*n, n); in l_tree()
135 l=(l>>1)+1; in l_tree()
139 l=(l>>1); in l_tree()
141 //ADRS.setTreeHeight(ADRS.getTreeHeight() + 1); in l_tree()
146 memcpy(leaf, wots_pk, n); in l_tree()
150 …e. As this happens position independent, we only require that addr encodes the right ltree-address.
154 unsigned char seed[params->n]; in gen_leaf_wots()
155 unsigned char pk[params->wots_par.keysize]; in gen_leaf_wots()
157 get_seed(seed, sk_seed, params->n, ots_addr); in gen_leaf_wots()
158 wots_pkgen(pk, seed, &(params->wots_par), pub_seed, ots_addr); in gen_leaf_wots()
164 unsigned int r = params->h, i; in treehash_minheight_on_stack()
165 for (i = 0; i < treehash->stackusage; i++) { in treehash_minheight_on_stack()
166 if (state->stacklevels[state->stackoffset - i - 1] < r) { in treehash_minheight_on_stack()
167 r = state->stacklevels[state->stackoffset - i - 1]; in treehash_minheight_on_stack()
181 unsigned int n = params->n; in treehash_setup() local
182 unsigned int h = params->h; in treehash_setup()
183 unsigned int k = params->k; in treehash_setup()
193 setType(ltree_addr, 1); in treehash_setup()
198 unsigned char stack[(height+1)*n]; in treehash_setup()
199 unsigned int stacklevels[height+1]; in treehash_setup()
203 lastnode = idx+(1<<height); in treehash_setup()
205 for (i = 0; i < h-k; i++) { in treehash_setup()
206 state->treehash[i].h = i; in treehash_setup()
207 state->treehash[i].completed = 1; in treehash_setup()
208 state->treehash[i].stackusage = 0; in treehash_setup()
215 gen_leaf_wots(stack+stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr); in treehash_setup()
218 if (h - k > 0 && i == 3) { in treehash_setup()
219 memcpy(state->treehash[0].node, stack+stackoffset*n, n); in treehash_setup()
221 while (stackoffset>1 && stacklevels[stackoffset-1] == stacklevels[stackoffset-2]) in treehash_setup()
223 nodeh = stacklevels[stackoffset-1]; in treehash_setup()
224 if (i >> nodeh == 1) { in treehash_setup()
225 memcpy(state->auth + nodeh*n, stack+(stackoffset-1)*n, n); in treehash_setup()
228 if (nodeh < h - k && i >> nodeh == 3) { in treehash_setup()
229 memcpy(state->treehash[nodeh].node, stack+(stackoffset-1)*n, n); in treehash_setup()
231 else if (nodeh >= h - k) { in treehash_setup()
232 …memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((i >> nodeh) - 3) >> 1)) * n, stack… in treehash_setup()
235 setTreeHeight(node_addr, stacklevels[stackoffset-1]); in treehash_setup()
236 setTreeIndex(node_addr, (idx >> (stacklevels[stackoffset-1]+1))); in treehash_setup()
237 hash_h(stack+(stackoffset-2)*n, stack+(stackoffset-2)*n, pub_seed, in treehash_setup()
238 node_addr, n); in treehash_setup()
239 stacklevels[stackoffset-2]++; in treehash_setup()
240 stackoffset--; in treehash_setup()
245 for (i = 0; i < n; i++) in treehash_setup()
250 int n = params->n; in treehash_update() local
260 setType(ltree_addr, 1); in treehash_update()
264 setLtreeADRS(ltree_addr, treehash->next_idx); in treehash_update()
265 setOTSADRS(ots_addr, treehash->next_idx); in treehash_update()
267 unsigned char nodebuffer[2 * n]; in treehash_update()
270 while (treehash->stackusage > 0 && state->stacklevels[state->stackoffset-1] == nodeheight) { in treehash_update()
271 memcpy(nodebuffer + n, nodebuffer, n); in treehash_update()
272 memcpy(nodebuffer, state->stack + (state->stackoffset-1)*n, n); in treehash_update()
274 setTreeIndex(node_addr, (treehash->next_idx >> (nodeheight+1))); in treehash_update()
275 hash_h(nodebuffer, nodebuffer, pub_seed, node_addr, n); in treehash_update()
277 treehash->stackusage--; in treehash_update()
278 state->stackoffset--; in treehash_update()
280 if (nodeheight == treehash->h) { // this also implies stackusage == 0 in treehash_update()
281 memcpy(treehash->node, nodebuffer, n); in treehash_update()
282 treehash->completed = 1; in treehash_update()
285 memcpy(state->stack + state->stackoffset*n, nodebuffer, n); in treehash_update()
286 treehash->stackusage++; in treehash_update()
287 state->stacklevels[state->stackoffset] = nodeheight; in treehash_update()
288 state->stackoffset++; in treehash_update()
289 treehash->next_idx++; in treehash_update()
298 unsigned int n = params->n; in validate_authpath() local
301 unsigned char buffer[2*n]; in validate_authpath()
303 // If leafidx is odd (last bit = 1), the current node is a right child: it goes in the upper half of buffer and the authpath element fills the lower (left) half. in validate_authpath()
305 if (leafidx & 1) { in validate_authpath()
306 for (j = 0; j < n; j++) in validate_authpath()
307 buffer[n+j] = leaf[j]; in validate_authpath()
308 for (j = 0; j < n; j++) in validate_authpath()
312 for (j = 0; j < n; j++) in validate_authpath()
314 for (j = 0; j < n; j++) in validate_authpath()
315 buffer[n+j] = authpath[j]; in validate_authpath()
317 authpath += n; in validate_authpath()
319 for (i=0; i < params->h-1; i++) { in validate_authpath()
321 leafidx >>= 1; in validate_authpath()
323 if (leafidx&1) { in validate_authpath()
324 hash_h(buffer+n, buffer, pub_seed, addr, n); in validate_authpath()
325 for (j = 0; j < n; j++) in validate_authpath()
329 hash_h(buffer, buffer, pub_seed, addr, n); in validate_authpath()
330 for (j = 0; j < n; j++) in validate_authpath()
331 buffer[j+n] = authpath[j]; in validate_authpath()
333 authpath += n; in validate_authpath()
335 setTreeHeight(addr, (params->h-1)); in validate_authpath()
336 leafidx >>= 1; in validate_authpath()
338 hash_h(root, buffer, pub_seed, addr, n); in validate_authpath()
343 * Returns updates - used, i.e. how many of the requested updates were not consumed (0 when every update was applied; equals updates when no instance needed work).
348 unsigned int h = params->h; in bds_treehash_update()
349 unsigned int k = params->k; in bds_treehash_update()
354 level = h - k; in bds_treehash_update()
355 for (i = 0; i < h - k; i++) { in bds_treehash_update()
356 if (state->treehash[i].completed) { in bds_treehash_update()
359 else if (state->treehash[i].stackusage == 0) { in bds_treehash_update()
363 low = treehash_minheight_on_stack(state, params, &(state->treehash[i])); in bds_treehash_update()
370 if (level == h - k) { in bds_treehash_update()
373 treehash_update(&(state->treehash[level]), state, sk_seed, params, pub_seed, addr); in bds_treehash_update()
376 return updates - used; in bds_treehash_update()
381 * Returns 1 if all leaf nodes have already been processed
388 int n = params->n; in bds_state_update() local
389 int h = params->h; in bds_state_update()
390 int k = params->k; in bds_state_update()
393 int idx = state->next_leaf; in bds_state_update()
394 if (idx == 1 << h) { in bds_state_update()
395 return 1; in bds_state_update()
403 setType(ltree_addr, 1); in bds_state_update()
410 gen_leaf_wots(state->stack+state->stackoffset*n, sk_seed, params, pub_seed, ltree_addr, ots_addr); in bds_state_update()
412 state->stacklevels[state->stackoffset] = 0; in bds_state_update()
413 state->stackoffset++; in bds_state_update()
414 if (h - k > 0 && idx == 3) { in bds_state_update()
415 memcpy(state->treehash[0].node, state->stack+state->stackoffset*n, n); in bds_state_update()
417 …while (state->stackoffset>1 && state->stacklevels[state->stackoffset-1] == state->stacklevels[stat… in bds_state_update()
418 nodeh = state->stacklevels[state->stackoffset-1]; in bds_state_update()
419 if (idx >> nodeh == 1) { in bds_state_update()
420 memcpy(state->auth + nodeh*n, state->stack+(state->stackoffset-1)*n, n); in bds_state_update()
423 if (nodeh < h - k && idx >> nodeh == 3) { in bds_state_update()
424 memcpy(state->treehash[nodeh].node, state->stack+(state->stackoffset-1)*n, n); in bds_state_update()
426 else if (nodeh >= h - k) { in bds_state_update()
427 …memcpy(state->retain + ((1 << (h - 1 - nodeh)) + nodeh - h + (((idx >> nodeh) - 3) >> 1)) * n, sta… in bds_state_update()
430 setTreeHeight(node_addr, state->stacklevels[state->stackoffset-1]); in bds_state_update()
431 setTreeIndex(node_addr, (idx >> (state->stacklevels[state->stackoffset-1]+1))); in bds_state_update()
432 …hash_h(state->stack+(state->stackoffset-2)*n, state->stack+(state->stackoffset-2)*n, pub_seed, nod… in bds_state_update()
434 state->stacklevels[state->stackoffset-2]++; in bds_state_update()
435 state->stackoffset--; in bds_state_update()
437 state->next_leaf++; in bds_state_update()
449 unsigned int n = params->n; in bds_round() local
450 unsigned int h = params->h; in bds_round()
451 unsigned int k = params->k; in bds_round()
456 unsigned char buf[2 * n]; in bds_round()
466 setType(ltree_addr, 1); in bds_round()
471 if (! ((leaf_idx >> i) & 1)) { in bds_round()
478 memcpy(buf, state->auth + (tau-1) * n, n); in bds_round()
479 // we need to do this before refreshing state->keep to prevent overwriting in bds_round()
480 memcpy(buf + n, state->keep + ((tau-1) >> 1) * n, n); in bds_round()
482 if (!((leaf_idx >> (tau + 1)) & 1) && (tau < h - 1)) { in bds_round()
483 memcpy(state->keep + (tau >> 1)*n, state->auth + tau*n, n); in bds_round()
488 gen_leaf_wots(state->auth, sk_seed, params, pub_seed, ltree_addr, ots_addr); in bds_round()
491 setTreeHeight(node_addr, (tau-1)); in bds_round()
493 hash_h(state->auth + tau * n, buf, pub_seed, node_addr, n); in bds_round()
495 if (i < h - k) { in bds_round()
496 memcpy(state->auth + i * n, state->treehash[i].node, n); in bds_round()
499 offset = (1 << (h - 1 - i)) + i - h; in bds_round()
500 rowidx = ((leaf_idx >> i) - 1) >> 1; in bds_round()
501 memcpy(state->auth + i * n, state->retain + (offset + rowidx) * n, n); in bds_round()
505 for (i = 0; i < ((tau < h - k) ? tau : (h - k)); i++) { in bds_round()
506 startidx = leaf_idx + 1 + 3 * (1 << i); in bds_round()
507 if (startidx < 1U << h) { in bds_round()
508 state->treehash[i].h = i; in bds_round()
509 state->treehash[i].next_idx = startidx; in bds_round()
510 state->treehash[i].completed = 0; in bds_round()
511 state->treehash[i].stackusage = 0; in bds_round()
524 unsigned int n = params->n; in xmss_keypair() local
527 sk[1] = 0; in xmss_keypair()
530 // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte) in xmss_keypair()
531 randombytes(sk+4, 3*n); in xmss_keypair()
533 memcpy(pk+n, sk+4+2*n, n); in xmss_keypair()
538 treehash_setup(pk, params->h, 0, state, sk+4, params, sk+4+2*n, addr); in xmss_keypair()
540 memcpy(sk+4+3*n, pk, n); in xmss_keypair()
547 * 1. an array containing the signature followed by the message AND
553 unsigned int h = params->h; in xmss_sign()
554 unsigned int n = params->n; in xmss_sign() local
555 unsigned int k = params->k; in xmss_sign()
559 …unsigned long idx = ((unsigned long)sk[0] << 24) | ((unsigned long)sk[1] << 16) | ((unsigned long)… in xmss_sign()
560 unsigned char sk_seed[n]; in xmss_sign()
561 memcpy(sk_seed, sk+4, n); in xmss_sign()
562 unsigned char sk_prf[n]; in xmss_sign()
563 memcpy(sk_prf, sk+4+n, n); in xmss_sign()
564 unsigned char pub_seed[n]; in xmss_sign()
565 memcpy(pub_seed, sk+4+2*n, n); in xmss_sign()
571 unsigned char hash_key[3*n]; in xmss_sign()
574 sk[0] = ((idx + 1) >> 24) & 255; in xmss_sign()
575 sk[1] = ((idx + 1) >> 16) & 255; in xmss_sign()
576 sk[2] = ((idx + 1) >> 8) & 255; in xmss_sign()
577 sk[3] = (idx + 1) & 255; in xmss_sign()
578 // -- Secret key for this non-forward-secure version is now updated in memory only (sk[0..3] now hold idx + 1). in xmss_sign()
579 // -- A production implementation must persist the updated secret key (the new idx) to durable storage BEFORE the signature is returned: the same idx must never be used to sign twice. in xmss_sign()
582 unsigned char R[n]; in xmss_sign()
583 unsigned char msg_h[n]; in xmss_sign()
584 unsigned char ots_seed[n]; in xmss_sign()
587 // --------------------------------- in xmss_sign()
589 // --------------------------------- in xmss_sign()
593 prf(R, idx_bytes_32, sk_prf, n); in xmss_sign()
595 memcpy(hash_key, R, n); in xmss_sign()
596 memcpy(hash_key+n, sk+4+3*n, n); in xmss_sign()
597 to_byte(hash_key+2*n, idx, n); in xmss_sign()
599 h_msg(msg_h, msg, msglen, hash_key, 3*n, n); in xmss_sign()
606 sig_msg[1] = (idx >> 16) & 255; in xmss_sign()
614 for (i = 0; i < n; i++) in xmss_sign()
617 sig_msg += n; in xmss_sign()
618 *sig_msg_len += n; in xmss_sign()
620 // ---------------------------------- in xmss_sign()
622 // ---------------------------------- in xmss_sign()
629 get_seed(ots_seed, sk_seed, n, ots_addr); in xmss_sign()
632 wots_sign(sig_msg, msg_h, ots_seed, &(params->wots_par), pub_seed, ots_addr); in xmss_sign()
634 sig_msg += params->wots_par.keysize; in xmss_sign()
635 *sig_msg_len += params->wots_par.keysize; in xmss_sign()
638 memcpy(sig_msg, state->auth, h*n); in xmss_sign()
640 if (idx < (1U << h) - 1) { in xmss_sign()
642 bds_treehash_update(state, (h - k) >> 1, sk_seed, params, pub_seed, ots_addr); in xmss_sign()
647 sig_msg += params->h*n; in xmss_sign()
648 *sig_msg_len += params->h*n; in xmss_sign()
665 unsigned int n = params->n; in xmss_sign_open() local
669 unsigned char wots_pk[params->wots_par.keysize]; in xmss_sign_open()
670 unsigned char pkhash[n]; in xmss_sign_open()
671 unsigned char root[n]; in xmss_sign_open()
672 unsigned char msg_h[n]; in xmss_sign_open()
673 unsigned char hash_key[3*n]; in xmss_sign_open()
675 unsigned char pub_seed[n]; in xmss_sign_open()
676 memcpy(pub_seed, pk+n, n); in xmss_sign_open()
684 setType(ltree_addr, 1); in xmss_sign_open()
688 …idx = ((unsigned long)sig_msg[0] << 24) | ((unsigned long)sig_msg[1] << 16) | ((unsigned long)sig_… in xmss_sign_open()
689 printf("verify:: idx = %lu\n", idx); in xmss_sign_open()
692 memcpy(hash_key, sig_msg+4,n); in xmss_sign_open()
693 memcpy(hash_key+n, pk, n); in xmss_sign_open()
694 to_byte(hash_key+2*n, idx, n); in xmss_sign_open()
696 sig_msg += (n+4); in xmss_sign_open()
697 sig_msg_len -= (n+4); in xmss_sign_open()
700 unsigned long long tmp_sig_len = params->wots_par.keysize+params->h*n; in xmss_sign_open()
701 m_len = sig_msg_len - tmp_sig_len; in xmss_sign_open()
702 h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n); in xmss_sign_open()
704 //----------------------- in xmss_sign_open()
706 //----------------------- in xmss_sign_open()
711 wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->wots_par), pub_seed, ots_addr); in xmss_sign_open()
713 sig_msg += params->wots_par.keysize; in xmss_sign_open()
714 sig_msg_len -= params->wots_par.keysize; in xmss_sign_open()
723 sig_msg += params->h*n; in xmss_sign_open()
724 sig_msg_len -= params->h*n; in xmss_sign_open()
726 for (i = 0; i < n; i++) in xmss_sign_open()
741 *msglen = -1; in xmss_sign_open()
742 return -1; in xmss_sign_open()
752 unsigned int n = params->n; in xmssmt_keypair() local
754 unsigned char ots_seed[params->n]; in xmssmt_keypair()
756 for (i = 0; i < params->index_len; i++) { in xmssmt_keypair()
759 // Init SK_SEED (n byte), SK_PRF (n byte), and PUB_SEED (n byte) in xmssmt_keypair()
760 randombytes(sk+params->index_len, 3*n); in xmssmt_keypair()
762 memcpy(pk+n, sk+params->index_len+2*n, n); in xmssmt_keypair()
764 // Point the address at the single tree on the top layer (layer d-1). in xmssmt_keypair()
766 setLayerADRS(addr, (params->d-1)); in xmssmt_keypair()
768 for (i = 0; i < params->d - 1; i++) { in xmssmt_keypair()
770 …treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), p… in xmssmt_keypair()
771 setLayerADRS(addr, (i+1)); in xmssmt_keypair()
772 get_seed(ots_seed, sk+params->index_len, n, addr); in xmssmt_keypair()
773 …wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, pk, ots_seed, &(params->xmss_par.wots_p… in xmssmt_keypair()
775 …treehash_setup(pk, params->xmss_par.h, 0, states + i, sk+params->index_len, &(params->xmss_par), p… in xmssmt_keypair()
776 memcpy(sk+params->index_len+3*n, pk, n); in xmssmt_keypair()
783 * 1. an array containing the signature followed by the message AND
789 unsigned int n = params->n; in xmssmt_sign() local
791 unsigned int tree_h = params->xmss_par.h; in xmssmt_sign()
792 unsigned int h = params->h; in xmssmt_sign()
793 unsigned int k = params->xmss_par.k; in xmssmt_sign()
794 unsigned int idx_len = params->index_len; in xmssmt_sign()
798 int needswap_upto = -1; in xmssmt_sign()
801 unsigned char sk_seed[n]; in xmssmt_sign()
802 unsigned char sk_prf[n]; in xmssmt_sign()
803 unsigned char pub_seed[n]; in xmssmt_sign()
805 unsigned char R[n]; in xmssmt_sign()
806 unsigned char msg_h[n]; in xmssmt_sign()
807 unsigned char hash_key[3*n]; in xmssmt_sign()
808 unsigned char ots_seed[n]; in xmssmt_sign()
817 idx |= ((unsigned long long)sk[i]) << 8*(idx_len - 1 - i); in xmssmt_sign()
820 memcpy(sk_seed, sk+idx_len, n); in xmssmt_sign()
821 memcpy(sk_prf, sk+idx_len+n, n); in xmssmt_sign()
822 memcpy(pub_seed, sk+idx_len+2*n, n); in xmssmt_sign()
826 sk[i] = ((idx + 1) >> 8*(idx_len - 1 - i)) & 255; in xmssmt_sign()
828 // -- Secret key for this non-forward-secure version is now updated in memory only (sk[0..idx_len-1] now hold idx + 1). in xmssmt_sign()
829 // -- A production implementation must persist the updated secret key (the new idx) to durable storage BEFORE the signature is returned: the same idx must never be used to sign twice. in xmssmt_sign()
832 // --------------------------------- in xmssmt_sign()
834 // --------------------------------- in xmssmt_sign()
839 prf(R, idx_bytes_32, sk_prf, n); in xmssmt_sign()
841 memcpy(hash_key, R, n); in xmssmt_sign()
842 memcpy(hash_key+n, sk+idx_len+3*n, n); in xmssmt_sign()
843 to_byte(hash_key+2*n, idx, n); in xmssmt_sign()
846 h_msg(msg_h, msg, msglen, hash_key, 3*n, n); in xmssmt_sign()
853 sig_msg[i] = (idx >> 8*(idx_len - 1 - i)) & 255; in xmssmt_sign()
860 for (i = 0; i < n; i++) in xmssmt_sign()
863 sig_msg += n; in xmssmt_sign()
864 *sig_msg_len += n; in xmssmt_sign()
866 // ---------------------------------- in xmssmt_sign()
868 // ---------------------------------- in xmssmt_sign()
875 idx_leaf = (idx & ((1 << tree_h)-1)); in xmssmt_sign()
881 get_seed(ots_seed, sk_seed, n, ots_addr); in xmssmt_sign()
884 wots_sign(sig_msg, msg_h, ots_seed, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign()
886 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign()
887 *sig_msg_len += params->xmss_par.wots_par.keysize; in xmssmt_sign()
889 memcpy(sig_msg, states[0].auth, tree_h*n); in xmssmt_sign()
890 sig_msg += tree_h*n; in xmssmt_sign()
891 *sig_msg_len += tree_h*n; in xmssmt_sign()
894 for (i = 1; i < params->d; i++) { in xmssmt_sign()
896 …memcpy(sig_msg, wots_sigs + (i-1)*params->xmss_par.wots_par.keysize, params->xmss_par.wots_par.key… in xmssmt_sign()
898 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign()
899 *sig_msg_len += params->xmss_par.wots_par.keysize; in xmssmt_sign()
902 memcpy(sig_msg, states[i].auth, tree_h*n); in xmssmt_sign()
903 sig_msg += tree_h*n; in xmssmt_sign()
904 *sig_msg_len += tree_h*n; in xmssmt_sign()
907 updates = (tree_h - k) >> 1; in xmssmt_sign()
909 setTreeADRS(addr, (idx_tree + 1)); in xmssmt_sign()
910 // mandatory update for NEXT_0 (does not count towards h-k/2) if NEXT_0 exists in xmssmt_sign()
911 if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << h)) { in xmssmt_sign()
912 bds_state_update(&states[params->d], sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
915 for (i = 0; i < params->d; i++) { in xmssmt_sign()
917 if (! (((idx + 1) & ((1ULL << ((i+1)*tree_h)) - 1)) == 0)) { in xmssmt_sign()
918 idx_leaf = (idx >> (tree_h * i)) & ((1 << tree_h)-1); in xmssmt_sign()
919 idx_tree = (idx >> (tree_h * (i+1))); in xmssmt_sign()
922 if (i == (unsigned int) (needswap_upto + 1)) { in xmssmt_sign()
923 bds_round(&states[i], idx_leaf, sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
925 … updates = bds_treehash_update(&states[i], updates, sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
926 setTreeADRS(addr, (idx_tree + 1)); in xmssmt_sign()
927 // if a NEXT-tree exists for this level; in xmssmt_sign()
928 if ((1 + idx_tree) * (1 << tree_h) + idx_leaf < (1ULL << (h - tree_h * i))) { in xmssmt_sign()
929 if (i > 0 && updates > 0 && states[params->d + i].next_leaf < (1ULL << h)) { in xmssmt_sign()
930 bds_state_update(&states[params->d + i], sk_seed, &(params->xmss_par), pub_seed, addr); in xmssmt_sign()
931 updates--; in xmssmt_sign()
935 else if (idx < (1ULL << h) - 1) { in xmssmt_sign()
936 memcpy(&tmp, states+params->d + i, sizeof(bds_state)); in xmssmt_sign()
937 memcpy(states+params->d + i, states + i, sizeof(bds_state)); in xmssmt_sign()
940 setLayerADRS(ots_addr, (i+1)); in xmssmt_sign()
941 setTreeADRS(ots_addr, ((idx + 1) >> ((i+2) * tree_h))); in xmssmt_sign()
942 setOTSADRS(ots_addr, (((idx >> ((i+1) * tree_h)) + 1) & ((1 << tree_h)-1))); in xmssmt_sign()
944 get_seed(ots_seed, sk+params->index_len, n, ots_addr); in xmssmt_sign()
945 …wots_sign(wots_sigs + i*params->xmss_par.wots_par.keysize, states[i].stack, ots_seed, &(params->xm… in xmssmt_sign()
947 states[params->d + i].stackoffset = 0; in xmssmt_sign()
948 states[params->d + i].next_leaf = 0; in xmssmt_sign()
950 updates--; // WOTS-signing counts as one update in xmssmt_sign()
952 for (j = 0; j < tree_h-k; j++) { in xmssmt_sign()
953 states[i].treehash[j].completed = 1; in xmssmt_sign()
972 unsigned int n = params->n; in xmssmt_sign_open() local
974 unsigned int tree_h = params->xmss_par.h; in xmssmt_sign_open()
975 unsigned int idx_len = params->index_len; in xmssmt_sign_open()
981 unsigned char wots_pk[params->xmss_par.wots_par.keysize]; in xmssmt_sign_open()
982 unsigned char pkhash[n]; in xmssmt_sign_open()
983 unsigned char root[n]; in xmssmt_sign_open()
984 unsigned char msg_h[n]; in xmssmt_sign_open()
985 unsigned char hash_key[3*n]; in xmssmt_sign_open()
987 unsigned char pub_seed[n]; in xmssmt_sign_open()
988 memcpy(pub_seed, pk+n, n); in xmssmt_sign_open()
997 idx |= ((unsigned long long)sig_msg[i]) << (8*(idx_len - 1 - i)); in xmssmt_sign_open()
999 printf("verify:: idx = %llu\n", idx); in xmssmt_sign_open()
1001 sig_msg_len -= idx_len; in xmssmt_sign_open()
1004 memcpy(hash_key, sig_msg,n); in xmssmt_sign_open()
1005 memcpy(hash_key+n, pk, n); in xmssmt_sign_open()
1006 to_byte(hash_key+2*n, idx, n); in xmssmt_sign_open()
1008 sig_msg += n; in xmssmt_sign_open()
1009 sig_msg_len -= n; in xmssmt_sign_open()
1013 …unsigned long long tmp_sig_len = (params->d * params->xmss_par.wots_par.keysize) + (params->h * n); in xmssmt_sign_open()
1014 m_len = sig_msg_len - tmp_sig_len; in xmssmt_sign_open()
1015 h_msg(msg_h, sig_msg + tmp_sig_len, m_len, hash_key, 3*n, n); in xmssmt_sign_open()
1018 //----------------------- in xmssmt_sign_open()
1020 //----------------------- in xmssmt_sign_open()
1024 idx_leaf = (idx & ((1 << tree_h)-1)); in xmssmt_sign_open()
1030 setType(ltree_addr, 1); in xmssmt_sign_open()
1038 wots_pkFromSig(wots_pk, sig_msg, msg_h, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign_open()
1040 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1041 sig_msg_len -= params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1045 l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr); in xmssmt_sign_open()
1048 validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr); in xmssmt_sign_open()
1050 sig_msg += tree_h*n; in xmssmt_sign_open()
1051 sig_msg_len -= tree_h*n; in xmssmt_sign_open()
1053 for (i = 1; i < params->d; i++) { in xmssmt_sign_open()
1055 idx_leaf = (idx_tree & ((1 << tree_h)-1)); in xmssmt_sign_open()
1063 setType(ltree_addr, 1); in xmssmt_sign_open()
1071 wots_pkFromSig(wots_pk, sig_msg, root, &(params->xmss_par.wots_par), pub_seed, ots_addr); in xmssmt_sign_open()
1073 sig_msg += params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1074 sig_msg_len -= params->xmss_par.wots_par.keysize; in xmssmt_sign_open()
1078 l_tree(pkhash, wots_pk, &(params->xmss_par), pub_seed, ltree_addr); in xmssmt_sign_open()
1081 validate_authpath(root, pkhash, idx_leaf, sig_msg, &(params->xmss_par), pub_seed, node_addr); in xmssmt_sign_open()
1083 sig_msg += tree_h*n; in xmssmt_sign_open()
1084 sig_msg_len -= tree_h*n; in xmssmt_sign_open()
1088 for (i = 0; i < n; i++) in xmssmt_sign_open()
1103 *msglen = -1; in xmssmt_sign_open()
1104 return -1; in xmssmt_sign_open()