Botan 3.7.1
Crypto and TLS for C&
hss.cpp
Go to the documentation of this file.
1/**
2 * HSS - Hierarchical Signatures System (RFC 8554)
3 * (C) 2023 Jack Lloyd
4 * 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#include <botan/internal/hss.h>
10
11#include <botan/internal/fmt.h>
12#include <botan/internal/hss_lms_utils.h>
13#include <botan/internal/int_utils.h>
14#include <botan/internal/scan_name.h>
15#include <botan/internal/stl_util.h>
16
17#include <algorithm>
18#include <limits>
19
20namespace Botan {
21
22namespace {
23
24/**
25 * @brief The maximum number of levels in a HSS-LMS tree.
26 *
27 * RFC 8554 Section 6:
28 * The number of levels is denoted as L and is between one
29 * and eight, inclusive.
30 */
31constexpr HSS_Level HSS_MAX_LEVELS(8);
32
33/**
34 * @brief Domain-separation parameter for generation the seed of a child LMS tree.
35 *
36 * This comes from https://github.com/cisco/hash-sigs.
37 */
38constexpr uint16_t SEED_CHILD_SEED = 0xfffe;
39
40/**
41 * @brief Domain-separation parameter for generation the identifier of a child LMS tree.
42 *
43 * This comes from https://github.com/cisco/hash-sigs.
44 */
45constexpr uint16_t SEED_CHILD_I = 0xffff;
46
47/**
48 * @brief Check that the given @p hash_name is one of the supported hash functions for HSS-LMS.
49 */
50constexpr bool is_supported_hash_function(std::string_view hash_name) {
51 return hash_name == "SHA-256" || hash_name == "Truncated(SHA-256,192)" || hash_name == "SHAKE-256(256)" ||
52 hash_name == "SHAKE-256(192)";
53}
54
55/**
56 * Given an HSS index, i.e. the number of already created HSS signatures, return the lms leaf indices for
57 * the different LMS layers from root layer to bottom layer.
58 */
59std::vector<LMS_Tree_Node_Idx> derive_lms_leaf_indices_from_hss_index(HSS_Sig_Idx hss_idx,
60 const HSS_LMS_Params& hss_params) {
61 std::vector<LMS_Tree_Node_Idx> q(hss_params.L().get());
62 for(int32_t layer_ctr = hss_params.L().get() - 1; layer_ctr >= 0; --layer_ctr) {
63 HSS_Level layer(layer_ctr);
64 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& layer_params = hss_params.params_at_level(layer);
65 size_t layer_h = layer_params.lms_params().h();
66 q.at(layer.get()) =
67 checked_cast_to<LMS_Tree_Node_Idx>(hss_idx.get() % checked_cast_to<uint64_t>(1ULL << layer_h));
68 hss_idx = hss_idx >> layer_h;
69 }
70 BOTAN_ARG_CHECK(hss_idx == HSS_Sig_Idx(0), "HSS Tree is exhausted");
71
72 return q;
73}
74
75} // namespace
76
77HSS_LMS_Params::HSS_LMS_Params(std::vector<LMS_LMOTS_Params_Pair> lm_lmots_params) :
78 m_lms_lmots_params(std::move(lm_lmots_params)), m_max_sig_count(calc_max_sig_count()) {
79 BOTAN_ARG_CHECK(!m_lms_lmots_params.empty() && m_lms_lmots_params.size() <= HSS_MAX_LEVELS,
80 "Invalid number of levels");
81}
82
83HSS_LMS_Params::HSS_LMS_Params(std::string_view algo_params) {
84 const auto wrap_in_hss_lms = [&]() {
85 if(algo_params.starts_with("HSS-LMS(")) {
86 return std::string(algo_params);
87 } else {
88 return fmt("HSS-LMS({})", algo_params);
89 }
90 }();
91 SCAN_Name scan(wrap_in_hss_lms);
92
93 BOTAN_ARG_CHECK(scan.arg_count() >= 2 && scan.arg_count() <= HSS_MAX_LEVELS + 1, "Invalid number of arguments");
94 std::string hash = scan.arg(0);
95 BOTAN_ARG_CHECK(is_supported_hash_function(hash), "Supported HSS-LMS hash function");
96
97 for(size_t i = 1; i < scan.arg_count(); ++i) {
98 SCAN_Name scan_layer(scan.arg(i));
99 BOTAN_ARG_CHECK(scan_layer.algo_name() == "HW", "Invalid name for layer parameters");
100 BOTAN_ARG_CHECK(scan_layer.arg_count() == 2, "Invalid number of layer parameters");
101 const auto h =
102 checked_cast_to_or_throw<uint8_t, Invalid_Argument>(scan_layer.arg_as_integer(0), "Invalid tree height");
104 "Invalid Winternitz parameter");
105 m_lms_lmots_params.push_back({LMS_Params::create_or_throw(hash, h), LMOTS_Params::create_or_throw(hash, w)});
106 }
107 m_max_sig_count = calc_max_sig_count();
108}
109
110HSS_Sig_Idx HSS_LMS_Params::calc_max_sig_count() const {
111 uint32_t total_height_counter = 0;
112 for(HSS_Level level(0); level < L(); level++) {
113 total_height_counter += params_at_level(level).lms_params().h();
114 }
115 if(total_height_counter >= sizeof(HSS_Sig_Idx) * 8) {
116 return HSS_Sig_Idx(std::numeric_limits<HSS_Sig_Idx::wrapped_type>::max());
117 }
118 return HSS_Sig_Idx(1) << total_height_counter;
119}
120
122 m_hss_params(hss_params), m_current_idx(0), m_sig_size(HSS_Signature::size(m_hss_params)) {
123 m_hss_seed = rng.random_vec<LMS_Seed>(m_hss_params.params_at_level(HSS_Level(0)).lms_params().m());
124 m_identifier = rng.random_vec<LMS_Identifier>(LMS_IDENTIFIER_LEN);
125}
126
127std::shared_ptr<HSS_LMS_PrivateKeyInternal> HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(
128 std::span<const uint8_t> key_bytes) {
129 if(key_bytes.size() < sizeof(HSS_Level) + sizeof(HSS_Sig_Idx)) {
130 throw Decoding_Error("Too few private key bytes.");
131 }
132 BufferSlicer slicer(key_bytes);
133
134 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
135 if(L == 0U || L > HSS_MAX_LEVELS) {
136 throw Decoding_Error("Invalid number of HSS layers in private HSS-LMS key.");
137 }
138
139 const auto sig_idx = load_be<HSS_Sig_Idx>(slicer.take<sizeof(HSS_Sig_Idx)>());
140
141 std::vector<HSS_LMS_Params::LMS_LMOTS_Params_Pair> params;
142 for(size_t layer = 1; layer <= L; ++layer) {
143 if(slicer.remaining() < sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type)) {
144 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
145 }
146 const auto lms_type = load_be<LMS_Algorithm_Type>(slicer.take<sizeof(LMS_Algorithm_Type)>());
147 const auto lmots_type = load_be<LMOTS_Algorithm_Type>(slicer.take<sizeof(LMOTS_Algorithm_Type)>());
148 params.push_back({LMS_Params::create_or_throw(lms_type), LMOTS_Params::create_or_throw(lmots_type)});
149 }
150 std::string hash_name = params.at(0).lms_params().hash_name();
151 if(std::any_of(params.begin(), params.end(), [&hash_name](HSS_LMS_Params::LMS_LMOTS_Params_Pair& lms_lmots_params) {
152 bool invalid_lmots_hash = lms_lmots_params.lmots_params().hash_name() != hash_name;
153 bool invalid_lms_hash = lms_lmots_params.lms_params().hash_name() != hash_name;
154 return invalid_lmots_hash || invalid_lms_hash;
155 })) {
156 throw Decoding_Error("Inconsistent hash functions are not allowed.");
157 }
158
159 if(slicer.remaining() < params.at(0).lms_params().m() + LMS_IDENTIFIER_LEN) {
160 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
161 }
162 auto hss_seed = slicer.copy<LMS_Seed>(params.at(0).lms_params().m());
163 auto identifier = slicer.copy<LMS_Identifier>(LMS_IDENTIFIER_LEN);
164
165 if(!slicer.empty()) {
166 throw Decoding_Error("Private HSS-LMS key contains more bytes than expected.");
167 }
168 auto sk = std::shared_ptr<HSS_LMS_PrivateKeyInternal>(
169 new HSS_LMS_PrivateKeyInternal(HSS_LMS_Params(std::move(params)), std::move(hss_seed), std::move(identifier)));
170
171 sk->set_idx(sig_idx);
172 return sk;
173}
174
176 secure_vector<uint8_t> sk_bytes(size());
177 BufferStuffer stuffer(sk_bytes);
178
179 stuffer.append(store_be(hss_params().L()));
180 stuffer.append(store_be(get_idx()));
181
182 for(HSS_Level layer(1); layer <= hss_params().L(); ++layer) {
183 const auto& params = hss_params().params_at_level(layer - 1);
184 stuffer.append(store_be(params.lms_params().algorithm_type()));
185 stuffer.append(store_be(params.lmots_params().algorithm_type()));
186 }
187 stuffer.append(m_hss_seed);
188 stuffer.append(m_identifier);
189 BOTAN_ASSERT_NOMSG(stuffer.full());
190
191 return sk_bytes;
192}
193
195 m_current_idx = idx;
196}
197
198HSS_Sig_Idx HSS_LMS_PrivateKeyInternal::reserve_next_idx() {
199 HSS_Sig_Idx next_idx = m_current_idx;
200 if(next_idx >= m_hss_params.max_sig_count()) {
201 throw Decoding_Error("HSS private key is exhausted");
202 }
203 set_idx(m_current_idx + 1);
204 return next_idx;
205}
206
207size_t HSS_LMS_PrivateKeyInternal::size() const {
208 size_t sk_size = sizeof(HSS_Level) + sizeof(HSS_Sig_Idx);
209 // The concatenated algorithm types for all layers
210 sk_size += hss_params().L().get() * (sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type));
211 sk_size += m_hss_seed.size() + m_identifier.size();
212 return sk_size;
213}
214
216 LMS_Seed hss_seed,
217 LMS_Identifier identifier) :
218 m_hss_params(std::move(hss_params)),
219 m_hss_seed(std::move(hss_seed)),
220 m_identifier(std::move(identifier)),
221 m_current_idx(0),
222 m_sig_size(HSS_Signature::size(m_hss_params)) {
223 BOTAN_ARG_CHECK(m_hss_seed.size() == m_hss_params.params_at_level(HSS_Level(0)).lms_params().m(),
224 "Invalid seed size");
225 BOTAN_ARG_CHECK(m_identifier.size() == LMS_IDENTIFIER_LEN, "Invalid identifier size");
226}
227
228std::vector<uint8_t> HSS_LMS_PrivateKeyInternal::sign(std::span<const uint8_t> msg) {
229 std::vector<uint8_t> sig(HSS_Signature::size(hss_params()));
230 BufferStuffer sig_stuffer(sig);
231 sig_stuffer.append(store_be(hss_params().L() - 1));
232
233 std::vector<LMS_Tree_Node_Idx> q = derive_lms_leaf_indices_from_hss_index(reserve_next_idx(), hss_params());
234
235 // Derive LMS private keys and compute buffers
236 std::vector<LMS_PrivateKey> lms_key_at_layer;
237 std::vector<StrongSpan<LMS_Signature_Bytes>> out_lms_sig_buffer_at_layer;
238 std::vector<std::span<uint8_t>> out_child_pk_buffer_at_layer;
239 for(HSS_Level layer(0); layer < hss_params().L(); ++layer) {
240 // Generate key for current layer
242 if(layer == HSS_Level(0)) {
243 lms_key_at_layer.push_back(hss_derive_root_lms_private_key());
244 } else {
245 lms_key_at_layer.push_back(
246 hss_derive_child_lms_private_key(layer_params, lms_key_at_layer.back(), q.at(layer.get() - 1)));
247 out_child_pk_buffer_at_layer.push_back(sig_stuffer.next(LMS_PublicKey::size(layer_params.lms_params())));
248 }
249 out_lms_sig_buffer_at_layer.push_back(sig_stuffer.next<LMS_Signature_Bytes>(
250 LMS_Signature::size(layer_params.lms_params(), layer_params.lmots_params())));
251 }
252 BOTAN_ASSERT_NOMSG(sig_stuffer.full());
253
254 // Sign and write the signature from bottom layer to root layer
255 std::vector<uint8_t> current_pk;
256 for(int32_t layer_it = hss_params().L().get() - 1; layer_it >= 0; --layer_it) {
257 HSS_Level layer(layer_it);
258 if(layer == hss_params().L() - 1) {
259 current_pk =
260 lms_key_at_layer.at(layer.get())
261 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(msg))
262 .to_bytes();
263 } else {
264 copy_mem(out_child_pk_buffer_at_layer.at(layer.get()), current_pk);
265 current_pk =
266 lms_key_at_layer.at(layer.get())
267 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(current_pk))
268 .to_bytes();
269 }
270 }
271
272 return sig;
273}
274
276 auto& top_params = hss_params().params_at_level(HSS_Level(0));
277 return LMS_PrivateKey(top_params.lms_params(), top_params.lmots_params(), m_identifier, m_hss_seed);
278}
279
280LMS_PrivateKey HSS_LMS_PrivateKeyInternal::hss_derive_child_lms_private_key(
281 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& child_lms_lmots_params,
282 const LMS_PrivateKey& parent_sk,
283 LMS_Tree_Node_Idx parent_q) {
284 const auto hash = HashFunction::create_or_throw(child_lms_lmots_params.lms_params().hash_name());
285
286 // CHILD_SEED = H( PARENT_I || PARENT_Q || SEED_CHILD_SEED || 0xff || PARENT_SEED )
287 PseudorandomKeyGeneration seed_generator(parent_sk.identifier());
288 seed_generator.set_q(parent_q.get());
289 seed_generator.set_i(SEED_CHILD_SEED);
290 seed_generator.set_j(0xff);
291 auto child_seed = seed_generator.gen<LMS_Seed>(*hash, parent_sk.seed());
292
293 // CHILD_I = H( PARENT_I || PARENT_Q || SEED_CHILD_I || 0xff || PARENT_SEED )
294 seed_generator.set_i(SEED_CHILD_I);
295 auto child_identifier = seed_generator.gen<LMS_Identifier>(*hash, parent_sk.seed());
296 child_identifier.resize(LMS_IDENTIFIER_LEN);
297 CT::unpoison(child_identifier); // identifiers are part of the signature
298
299 return LMS_PrivateKey(child_lms_lmots_params.lms_params(),
300 child_lms_lmots_params.lmots_params(),
301 std::move(child_identifier),
302 std::move(child_seed));
303}
304
306 auto& hss_params = hss_sk.hss_params();
307
308 const auto root_sk = hss_sk.hss_derive_root_lms_private_key();
309 LMS_PublicKey top_pub_key = LMS_PublicKey(root_sk);
310
311 return HSS_LMS_PublicKeyInternal(hss_params.L(), std::move(top_pub_key));
312}
313
314std::shared_ptr<HSS_LMS_PublicKeyInternal> HSS_LMS_PublicKeyInternal::from_bytes_or_throw(
315 std::span<const uint8_t> key_bytes) {
316 if(key_bytes.size() < sizeof(HSS_Level)) {
317 throw Decoding_Error("Too few public key bytes.");
318 }
319 BufferSlicer slicer(key_bytes);
320
321 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
322 if(L > HSS_MAX_LEVELS) {
323 throw Decoding_Error("Invalid number of HSS layers in public HSS-LMS key.");
324 }
325
327
328 if(!slicer.empty()) {
329 throw Decoding_Error("Public HSS-LMS key contains more bytes than expected.");
330 }
331 return std::make_shared<HSS_LMS_PublicKeyInternal>(L, std::move(lms_pub_key));
332}
333
334std::vector<uint8_t> HSS_LMS_PublicKeyInternal::to_bytes() const {
335 return concat<std::vector<uint8_t>>(store_be(m_L), m_top_lms_pub_key.to_bytes());
336}
337
341
345
347 return sizeof(m_L) + LMS_PublicKey::size(m_top_lms_pub_key.lms_params());
348}
349
350bool HSS_LMS_PublicKeyInternal::verify_signature(std::span<const uint8_t> msg, const HSS_Signature& sig) const {
351 if(checked_cast_to<HSS_Level>(sig.Nspk()) + 1 != m_L) {
352 // HSS levels in the public key does not match with the signature's
353 return false;
354 }
355
356 const LMS_PublicKey* lms_pk = &lms_pub_key();
357 const auto hash_name = lms_pk->lms_params().hash_name();
358
359 // Verify the signature by the above layer over the LMS public keys for layer 1 to Nspk.
360 for(HSS_Level layer(0); layer < sig.Nspk(); ++layer) {
361 const HSS_Signature::Signed_Pub_Key& signed_pub_key = sig.signed_pub_key(layer);
362 if(signed_pub_key.public_key().lms_params().hash_name() != hash_name ||
363 signed_pub_key.public_key().lmots_params().hash_name() != hash_name) {
364 // We do not allow HSS-LMS instances with multiple different hash functions.
365 return false;
366 }
367 if(!lms_pk->verify_signature(LMS_Message(signed_pub_key.public_key().to_bytes()), signed_pub_key.signature())) {
368 return false;
369 }
370 lms_pk = &signed_pub_key.public_key();
371 }
372
373 // Verify the signature by the bottom layer over the message.
374 return lms_pk->verify_signature(LMS_Message(msg), sig.bottom_sig());
375}
376
378 m_sig(std::move(sig)), m_pub(std::move(pub)) {}
379
380HSS_Signature HSS_Signature::from_bytes_or_throw(std::span<const uint8_t> sig_bytes) {
381 if(sig_bytes.size() < sizeof(uint32_t)) {
382 throw Decoding_Error("Too few HSS signature bytes.");
383 }
384 BufferSlicer slicer(sig_bytes);
385
386 const auto Nspk = load_be(slicer.take<sizeof(uint32_t)>());
387 if(Nspk >= HSS_MAX_LEVELS) {
388 throw Decoding_Error("Invalid number of HSS layers in signature.");
389 }
390
391 std::vector<Signed_Pub_Key> signed_pub_keys;
392 for(size_t i = 0; i < Nspk; ++i) {
395 signed_pub_keys.push_back(Signed_Pub_Key(std::move(sig), std::move(pub_key)));
396 }
397
398 auto sig = LMS_Signature::from_bytes_or_throw(slicer);
399
400 if(!slicer.empty()) {
401 throw Decoding_Error("HSS-LMS signature contains more bytes than expected.");
402 }
403 return HSS_Signature(std::move(signed_pub_keys), std::move(sig));
404}
405
406size_t HSS_Signature::size(const HSS_LMS_Params& params) {
407 size_t size = sizeof(uint32_t);
408 size += LMS_Signature::size(params.params_at_level(HSS_Level(0)).lms_params(),
409 params.params_at_level(HSS_Level(0)).lmots_params());
410 for(HSS_Level layer(1); layer < params.L(); ++layer) {
411 const auto& param = params.params_at_level(layer);
412 size += LMS_PublicKey::size(param.lms_params());
413 size += LMS_Signature::size(param.lms_params(), param.lmots_params());
414 }
415 return size;
416}
417
418} // namespace Botan
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
size_t remaining() const
Definition stl_util.h:127
auto copy(const size_t count)
Definition stl_util.h:89
bool empty() const
Definition stl_util.h:129
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:98
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:142
constexpr void append(std::span< const uint8_t > buffer)
Definition stl_util.h:177
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:150
constexpr bool full() const
Definition stl_util.h:187
Represents a pair of LMS and LMOTS parameters associated with one LMS tree layer.
Definition hss.h:46
const LMS_Params & lms_params() const
The LMS parameters.
Definition hss.h:51
const LMOTS_Params & lmots_params() const
The LMOTS parameters.
Definition hss.h:56
The HSS-LMS parameters.
Definition hss.h:41
const LMS_LMOTS_Params_Pair & params_at_level(HSS_Level level) const
Returns the LMS an LM-OTS parameters at the specified level of the HSS tree.
Definition hss.h:98
HSS_Level L() const
Returns the number of layers the HSS tree has.
Definition hss.h:103
HSS_Sig_Idx max_sig_count() const
The maximal number of signatures allowed for these HSS parameters.
Definition hss.h:108
HSS_LMS_Params(std::vector< LMS_LMOTS_Params_Pair > lm_lmots_params)
Construct the HSS-LMS parameters from a vector LMS and LM-OTS parameters.
Definition hss.cpp:77
The internal HSS-LMS private key.
Definition hss.h:126
HSS_Sig_Idx get_idx() const
Get the idx of the next signature to generate.
Definition hss.h:158
void set_idx(HSS_Sig_Idx idx)
Set the idx of the next signature to generate.
Definition hss.cpp:194
std::vector< uint8_t > sign(std::span< const uint8_t > msg)
Create a HSS-LMS signature.
Definition hss.cpp:228
static std::shared_ptr< HSS_LMS_PrivateKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a private HSS-LMS key.
Definition hss.cpp:127
const HSS_LMS_Params & hss_params() const
Returns the used HSS-LMS parameters.
Definition hss.h:148
LMS_PrivateKey hss_derive_root_lms_private_key() const
Create the HSS root LMS tree's LMS_PrivateKey using the HSS-LMS private key.
Definition hss.cpp:275
secure_vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:175
HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params &hss_params, RandomNumberGenerator &rng)
Create an internal HSS-LMS private key.
Definition hss.cpp:121
The internal HSS-LMS public key.
Definition hss.h:245
static std::shared_ptr< HSS_LMS_PublicKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a public HSS-LMS key.
Definition hss.cpp:314
bool verify_signature(std::span< const uint8_t > msg, const HSS_Signature &sig) const
Verify a HSS-LMS signature.
Definition hss.cpp:350
std::vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:334
std::string algo_name() const
The algorithm name for HSS-LMS.
Definition hss.h:295
size_t size() const
Returns the size in bytes the key would have in its encoded format.
Definition hss.cpp:346
OID object_identifier() const
The object identifier for HSS-LMS.
Definition hss.cpp:342
static HSS_LMS_PublicKeyInternal create(const HSS_LMS_PrivateKeyInternal &hss_sk)
Create the public HSS-LMS key from its private key.
Definition hss.cpp:305
HSS_LMS_PublicKeyInternal(HSS_Level L, LMS_PublicKey top_lms_pub_key)
Definition hss.h:264
AlgorithmIdentifier algorithm_identifier() const
The algorithm identifier for HSS-LMS.
Definition hss.cpp:338
const LMS_PublicKey & lms_pub_key() const
Returns the public LMS key of the top LMS tree.
Definition hss.h:275
A LMS public key signed by the HSS layer above it.
Definition hss.h:329
Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub)
Constructor for a new sig-pubkey-pair.
Definition hss.cpp:377
const LMS_Signature & signature() const
The signature of the public key.
Definition hss.h:339
const LMS_PublicKey & public_key() const
The signed public key.
Definition hss.h:344
A HSS-LMS signature.
Definition hss.h:321
static size_t size(const HSS_LMS_Params &params)
Returns the size a signature would have in its encoded format.
Definition hss.cpp:406
const LMS_Signature & bottom_sig() const
Returns the LMS signature by the bottom layer of the signed message.
Definition hss.h:384
HSS_Level Nspk() const
Returns the number of signed public keys (Nspk = L-1).
Definition hss.h:371
const Signed_Pub_Key & signed_pub_key(HSS_Level layer) const
Returns the signed LMS key signed by a specific layer.
Definition hss.h:379
static HSS_Signature from_bytes_or_throw(std::span< const uint8_t > sig_bytes)
Parse a HSS-LMS signature.
Definition hss.cpp:380
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
static LMOTS_Params create_or_throw(LMOTS_Algorithm_Type type)
Create the LM-OTS parameters from a known algorithm type.
Definition lm_ots.cpp:100
const std::string & hash_name() const
Name of the hash function to use.
Definition lm_ots.h:150
const LMS_Params & lms_params() const
The LMS parameters for this LMS instance.
Definition lms.h:164
const LMOTS_Params & lmots_params() const
The LMOTS parameters used for OTS instances of this LMS instance.
Definition lms.h:169
const LMS_Identifier & identifier() const
The identifier of this LMS tree ('I' in RFC 8554)
Definition lms.h:174
const std::string & hash_name() const
Returns the name of the hash function to use.
Definition lms.h:124
uint8_t h() const
Returns the height of the LMS tree.
Definition lms.h:114
static LMS_Params create_or_throw(LMS_Algorithm_Type type)
Create the LMS parameters from a known algorithm type.
Definition lms.cpp:112
Representation of an LMS Private key.
Definition lms.h:190
const LMS_Seed & seed() const
The secret seed used for LMOTS' WOTS chain input creation (RFC 8554 Appendix A)
Definition lms.h:201
The LMS public key.
Definition lms.h:225
static size_t size(const LMS_Params &lms_params)
The expected size of an LMS public key for given lms_params.
Definition lms.cpp:313
std::vector< uint8_t > to_bytes() const
Bytes of the full lms public key according to 8554 5.3.
Definition lms.cpp:294
static LMS_PublicKey from_bytes_or_throw(BufferSlicer &slicer)
Parse a public LMS key.
Definition lms.cpp:264
bool verify_signature(const LMS_Message &msg, const LMS_Signature &sig) const
Verify a LMS signature.
Definition lms.cpp:352
Container for LMS Signature data.
Definition lms.h:293
static LMS_Signature from_bytes_or_throw(BufferSlicer &slicer)
Parse the bytes of a lms signature into a LMS Signature object.
Definition lms.cpp:317
static size_t size(const LMS_Params &lms_params, const LMOTS_Params &lmots_params)
Definition lms.cpp:419
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
Helper class used to derive secret values based in the pseudorandom key generation described in RFC 8...
void random_vec(std::span< uint8_t > v)
Definition rng.h:180
std::string arg(size_t i) const
size_t arg_count() const
Definition scan_name.h:49
const std::string & algo_name() const
Definition scan_name.h:44
size_t arg_as_integer(size_t i, size_t def_value) const
constexpr T & get() &
Definition strong_type.h:50
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64
LMS_Algorithm_Type
Enum of available LMS algorithm types.
Definition lms.h:30
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
constexpr RT checked_cast_to_or_throw(AT i, std::string_view error_msg_on_fail)
Definition int_utils.h:61
constexpr size_t LMS_IDENTIFIER_LEN
The length in bytes of the LMS identifier (I).
Definition lms.h:67
Strong< uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber > HSS_Sig_Idx
The index of a node within a specific LMS tree layer.
Definition hss.h:29
constexpr RT checked_cast_to(AT i)
Definition int_utils.h:74
Strong< std::vector< uint8_t >, struct LMS_Identifier_ > LMS_Identifier
The identifier of an LMS tree (I in RFC 8554)
Definition lm_ots.h:50
LMOTS_Algorithm_Type
Enum of available LM-OTS algorithm types.
Definition lm_ots.h:65
Strong< secure_vector< uint8_t >, struct LMS_SEED_ > LMS_Seed
Seed of the LMS tree, used to generate the LM-OTS private keys.
Definition lm_ots.h:25
Strong< std::vector< uint8_t >, struct LMS_Message_ > LMS_Message
A message that is signed with an LMS tree.
Definition lm_ots.h:55
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263
Strong< uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber > HSS_Level
The HSS layer in the HSS multi tree starting at 0 from the root.
Definition hss.h:34
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:147
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:773
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:530