Botan 3.6.1
Crypto and TLS for C&
hss.cpp
Go to the documentation of this file.
1/**
2 * HSS - Hierarchical Signatures System (RFC 8554)
3 * (C) 2023 Jack Lloyd
4 * 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#include <botan/internal/hss.h>
10
11#include <botan/internal/fmt.h>
12#include <botan/internal/hss_lms_utils.h>
13#include <botan/internal/int_utils.h>
14#include <botan/internal/scan_name.h>
15#include <botan/internal/stl_util.h>
16
17#include <algorithm>
18#include <limits>
19
20namespace Botan {
21
22namespace {
23
24/**
25 * @brief The maximum number of levels in a HSS-LMS tree.
26 *
27 * RFC 8554 Section 6:
28 * The number of levels is denoted as L and is between one
29 * and eight, inclusive.
30 */
31constexpr HSS_Level HSS_MAX_LEVELS(8);
32
33/**
34 * @brief Domain-separation parameter for generation the seed of a child LMS tree.
35 *
36 * This comes from https://github.com/cisco/hash-sigs.
37 */
38constexpr uint16_t SEED_CHILD_SEED = 0xfffe;
39
40/**
41 * @brief Domain-separation parameter for generation the identifier of a child LMS tree.
42 *
43 * This comes from https://github.com/cisco/hash-sigs.
44 */
45constexpr uint16_t SEED_CHILD_I = 0xffff;
46
47/**
48 * @brief Check that the given @p hash_name is one of the supported hash functions for HSS-LMS.
49 */
50constexpr bool is_supported_hash_function(std::string_view hash_name) {
51 return hash_name == "SHA-256" || hash_name == "Truncated(SHA-256,192)" || hash_name == "SHAKE-256(256)" ||
52 hash_name == "SHAKE-256(192)";
53}
54
55/**
56 * Given an HSS index, i.e. the number of already created HSS signatures, return the lms leaf indices for
57 * the different LMS layers from root layer to bottom layer.
58 */
59std::vector<LMS_Tree_Node_Idx> derive_lms_leaf_indices_from_hss_index(HSS_Sig_Idx hss_idx,
60 const HSS_LMS_Params& hss_params) {
61 std::vector<LMS_Tree_Node_Idx> q(hss_params.L().get());
62 for(int32_t layer_ctr = hss_params.L().get() - 1; layer_ctr >= 0; --layer_ctr) {
63 HSS_Level layer(layer_ctr);
64 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& layer_params = hss_params.params_at_level(layer);
65 size_t layer_h = layer_params.lms_params().h();
66 q.at(layer.get()) =
67 checked_cast_to<LMS_Tree_Node_Idx>(hss_idx.get() % checked_cast_to<uint64_t>(1ULL << layer_h));
68 hss_idx = hss_idx >> layer_h;
69 }
70 BOTAN_ARG_CHECK(hss_idx == HSS_Sig_Idx(0), "HSS Tree is exhausted");
71
72 return q;
73}
74
75} // namespace
76
77HSS_LMS_Params::HSS_LMS_Params(std::vector<LMS_LMOTS_Params_Pair> lm_lmots_params) :
78 m_lms_lmots_params(std::move(lm_lmots_params)), m_max_sig_count(calc_max_sig_count()) {
79 BOTAN_ARG_CHECK(!m_lms_lmots_params.empty() && m_lms_lmots_params.size() <= HSS_MAX_LEVELS,
80 "Invalid number of levels");
81}
82
83HSS_LMS_Params::HSS_LMS_Params(std::string_view algo_params) {
84 SCAN_Name scan(fmt("HSS-LMS({})", algo_params));
85
86 BOTAN_ARG_CHECK(scan.arg_count() >= 2 && scan.arg_count() <= HSS_MAX_LEVELS + 1, "Invalid number of arguments");
87 std::string hash = scan.arg(0);
88 BOTAN_ARG_CHECK(is_supported_hash_function(hash), "Supported HSS-LMS hash function");
89
90 for(size_t i = 1; i < scan.arg_count(); ++i) {
91 SCAN_Name scan_layer(scan.arg(i));
92 BOTAN_ARG_CHECK(scan_layer.algo_name() == "HW", "Invalid name for layer parameters");
93 BOTAN_ARG_CHECK(scan_layer.arg_count() == 2, "Invalid number of layer parameters");
94 const auto h =
95 checked_cast_to_or_throw<uint8_t, Invalid_Argument>(scan_layer.arg_as_integer(0), "Invalid tree height");
96 const auto w = checked_cast_to_or_throw<uint8_t, Invalid_Argument>(scan_layer.arg_as_integer(1),
97 "Invalid Winternitz parameter");
98 m_lms_lmots_params.push_back({LMS_Params::create_or_throw(hash, h), LMOTS_Params::create_or_throw(hash, w)});
99 }
100 m_max_sig_count = calc_max_sig_count();
101}
102
103HSS_Sig_Idx HSS_LMS_Params::calc_max_sig_count() const {
104 uint32_t total_height_counter = 0;
105 for(HSS_Level level(0); level < L(); level++) {
106 total_height_counter += params_at_level(level).lms_params().h();
107 }
108 if(total_height_counter >= sizeof(HSS_Sig_Idx) * 8) {
109 return HSS_Sig_Idx(std::numeric_limits<HSS_Sig_Idx::wrapped_type>::max());
110 }
111 return HSS_Sig_Idx(1) << total_height_counter;
112}
113
114HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params& hss_params, RandomNumberGenerator& rng) :
115 m_hss_params(hss_params), m_current_idx(0), m_sig_size(HSS_Signature::size(m_hss_params)) {
116 m_hss_seed = rng.random_vec<LMS_Seed>(m_hss_params.params_at_level(HSS_Level(0)).lms_params().m());
117 m_identifier = rng.random_vec<LMS_Identifier>(LMS_IDENTIFIER_LEN);
118}
119
120std::shared_ptr<HSS_LMS_PrivateKeyInternal> HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(
121 std::span<const uint8_t> key_bytes) {
122 if(key_bytes.size() < sizeof(HSS_Level) + sizeof(HSS_Sig_Idx)) {
123 throw Decoding_Error("Too few private key bytes.");
124 }
125 BufferSlicer slicer(key_bytes);
126
127 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
128 if(L == 0U || L > HSS_MAX_LEVELS) {
129 throw Decoding_Error("Invalid number of HSS layers in private HSS-LMS key.");
130 }
131
132 const auto sig_idx = load_be<HSS_Sig_Idx>(slicer.take<sizeof(HSS_Sig_Idx)>());
133
134 std::vector<HSS_LMS_Params::LMS_LMOTS_Params_Pair> params;
135 for(size_t layer = 1; layer <= L; ++layer) {
136 if(slicer.remaining() < sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type)) {
137 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
138 }
139 const auto lms_type = load_be<LMS_Algorithm_Type>(slicer.take<sizeof(LMS_Algorithm_Type)>());
140 const auto lmots_type = load_be<LMOTS_Algorithm_Type>(slicer.take<sizeof(LMOTS_Algorithm_Type)>());
141 params.push_back({LMS_Params::create_or_throw(lms_type), LMOTS_Params::create_or_throw(lmots_type)});
142 }
143 std::string hash_name = params.at(0).lms_params().hash_name();
144 if(std::any_of(params.begin(), params.end(), [&hash_name](HSS_LMS_Params::LMS_LMOTS_Params_Pair& lms_lmots_params) {
145 bool invalid_lmots_hash = lms_lmots_params.lmots_params().hash_name() != hash_name;
146 bool invalid_lms_hash = lms_lmots_params.lms_params().hash_name() != hash_name;
147 return invalid_lmots_hash || invalid_lms_hash;
148 })) {
149 throw Decoding_Error("Inconsistent hash functions are not allowed.");
150 }
151
152 if(slicer.remaining() < params.at(0).lms_params().m() + LMS_IDENTIFIER_LEN) {
153 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
154 }
155 auto hss_seed = slicer.copy<LMS_Seed>(params.at(0).lms_params().m());
156 auto identifier = slicer.copy<LMS_Identifier>(LMS_IDENTIFIER_LEN);
157
158 if(!slicer.empty()) {
159 throw Decoding_Error("Private HSS-LMS key contains more bytes than expected.");
160 }
161 auto sk = std::shared_ptr<HSS_LMS_PrivateKeyInternal>(
162 new HSS_LMS_PrivateKeyInternal(HSS_LMS_Params(std::move(params)), std::move(hss_seed), std::move(identifier)));
163
164 sk->set_idx(sig_idx);
165 return sk;
166}
167
168secure_vector<uint8_t> HSS_LMS_PrivateKeyInternal::to_bytes() const {
169 secure_vector<uint8_t> sk_bytes(size());
170 BufferStuffer stuffer(sk_bytes);
171
172 stuffer.append(store_be(hss_params().L()));
173 stuffer.append(store_be(get_idx()));
174
175 for(HSS_Level layer(1); layer <= hss_params().L(); ++layer) {
176 const auto& params = hss_params().params_at_level(layer - 1);
177 stuffer.append(store_be(params.lms_params().algorithm_type()));
178 stuffer.append(store_be(params.lmots_params().algorithm_type()));
179 }
180 stuffer.append(m_hss_seed);
181 stuffer.append(m_identifier);
182 BOTAN_ASSERT_NOMSG(stuffer.full());
183
184 return sk_bytes;
185}
186
187void HSS_LMS_PrivateKeyInternal::set_idx(HSS_Sig_Idx idx) {
188 m_current_idx = idx;
189}
190
191HSS_Sig_Idx HSS_LMS_PrivateKeyInternal::reserve_next_idx() {
192 HSS_Sig_Idx next_idx = m_current_idx;
193 if(next_idx >= m_hss_params.max_sig_count()) {
194 throw Decoding_Error("HSS private key is exhausted");
195 }
196 set_idx(m_current_idx + 1);
197 return next_idx;
198}
199
200size_t HSS_LMS_PrivateKeyInternal::size() const {
201 size_t sk_size = sizeof(HSS_Level) + sizeof(HSS_Sig_Idx);
202 // The concatenated algorithm types for all layers
203 sk_size += hss_params().L().get() * (sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type));
204 sk_size += m_hss_seed.size() + m_identifier.size();
205 return sk_size;
206}
207
208HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal(HSS_LMS_Params hss_params,
209 LMS_Seed hss_seed,
210 LMS_Identifier identifier) :
211 m_hss_params(std::move(hss_params)),
212 m_hss_seed(std::move(hss_seed)),
213 m_identifier(std::move(identifier)),
214 m_current_idx(0),
215 m_sig_size(HSS_Signature::size(m_hss_params)) {
216 BOTAN_ARG_CHECK(m_hss_seed.size() == m_hss_params.params_at_level(HSS_Level(0)).lms_params().m(),
217 "Invalid seed size");
218 BOTAN_ARG_CHECK(m_identifier.size() == LMS_IDENTIFIER_LEN, "Invalid identifier size");
219}
220
221std::vector<uint8_t> HSS_LMS_PrivateKeyInternal::sign(std::span<const uint8_t> msg) {
222 std::vector<uint8_t> sig(HSS_Signature::size(hss_params()));
223 BufferStuffer sig_stuffer(sig);
224 sig_stuffer.append(store_be(hss_params().L() - 1));
225
226 std::vector<LMS_Tree_Node_Idx> q = derive_lms_leaf_indices_from_hss_index(reserve_next_idx(), hss_params());
227
228 // Derive LMS private keys and compute buffers
229 std::vector<LMS_PrivateKey> lms_key_at_layer;
230 std::vector<StrongSpan<LMS_Signature_Bytes>> out_lms_sig_buffer_at_layer;
231 std::vector<std::span<uint8_t>> out_child_pk_buffer_at_layer;
232 for(HSS_Level layer(0); layer < hss_params().L(); ++layer) {
233 // Generate key for current layer
234 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& layer_params = hss_params().params_at_level(layer);
235 if(layer == HSS_Level(0)) {
236 lms_key_at_layer.push_back(hss_derive_root_lms_private_key());
237 } else {
238 lms_key_at_layer.push_back(
239 hss_derive_child_lms_private_key(layer_params, lms_key_at_layer.back(), q.at(layer.get() - 1)));
240 out_child_pk_buffer_at_layer.push_back(sig_stuffer.next(LMS_PublicKey::size(layer_params.lms_params())));
241 }
242 out_lms_sig_buffer_at_layer.push_back(sig_stuffer.next<LMS_Signature_Bytes>(
243 LMS_Signature::size(layer_params.lms_params(), layer_params.lmots_params())));
244 }
245 BOTAN_ASSERT_NOMSG(sig_stuffer.full());
246
247 // Sign and write the signature from bottom layer to root layer
248 std::vector<uint8_t> current_pk;
249 for(int32_t layer_it = hss_params().L().get() - 1; layer_it >= 0; --layer_it) {
250 HSS_Level layer(layer_it);
251 if(layer == hss_params().L() - 1) {
252 current_pk =
253 lms_key_at_layer.at(layer.get())
254 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(msg))
255 .to_bytes();
256 } else {
257 copy_mem(out_child_pk_buffer_at_layer.at(layer.get()), current_pk);
258 current_pk =
259 lms_key_at_layer.at(layer.get())
260 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(current_pk))
261 .to_bytes();
262 }
263 }
264
265 return sig;
266}
267
268LMS_PrivateKey HSS_LMS_PrivateKeyInternal::hss_derive_root_lms_private_key() const {
269 auto& top_params = hss_params().params_at_level(HSS_Level(0));
270 return LMS_PrivateKey(top_params.lms_params(), top_params.lmots_params(), m_identifier, m_hss_seed);
271}
272
273LMS_PrivateKey HSS_LMS_PrivateKeyInternal::hss_derive_child_lms_private_key(
274 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& child_lms_lmots_params,
275 const LMS_PrivateKey& parent_sk,
276 LMS_Tree_Node_Idx parent_q) {
277 const auto hash = HashFunction::create_or_throw(child_lms_lmots_params.lms_params().hash_name());
278
279 // CHILD_SEED = H( PARENT_I || PARENT_Q || SEED_CHILD_SEED || 0xff || PARENT_SEED )
280 PseudorandomKeyGeneration seed_generator(parent_sk.identifier());
281 seed_generator.set_q(parent_q.get());
282 seed_generator.set_i(SEED_CHILD_SEED);
283 seed_generator.set_j(0xff);
284 auto child_seed = seed_generator.gen<LMS_Seed>(*hash, parent_sk.seed());
285
286 // CHILD_I = H( PARENT_I || PARENT_Q || SEED_CHILD_I || 0xff || PARENT_SEED )
287 seed_generator.set_i(SEED_CHILD_I);
288 auto child_identifier = seed_generator.gen<LMS_Identifier>(*hash, parent_sk.seed());
289 child_identifier.resize(LMS_IDENTIFIER_LEN);
290 CT::unpoison(child_identifier); // identifiers are part of the signature
291
292 return LMS_PrivateKey(child_lms_lmots_params.lms_params(),
293 child_lms_lmots_params.lmots_params(),
294 std::move(child_identifier),
295 std::move(child_seed));
296}
297
298HSS_LMS_PublicKeyInternal HSS_LMS_PublicKeyInternal::create(const HSS_LMS_PrivateKeyInternal& hss_sk) {
299 auto& hss_params = hss_sk.hss_params();
300
301 const auto root_sk = hss_sk.hss_derive_root_lms_private_key();
302 LMS_PublicKey top_pub_key = LMS_PublicKey(root_sk);
303
304 return HSS_LMS_PublicKeyInternal(hss_params.L(), std::move(top_pub_key));
305}
306
307std::shared_ptr<HSS_LMS_PublicKeyInternal> HSS_LMS_PublicKeyInternal::from_bytes_or_throw(
308 std::span<const uint8_t> key_bytes) {
309 if(key_bytes.size() < sizeof(HSS_Level)) {
310 throw Decoding_Error("Too few public key bytes.");
311 }
312 BufferSlicer slicer(key_bytes);
313
314 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
315 if(L > HSS_MAX_LEVELS) {
316 throw Decoding_Error("Invalid number of HSS layers in public HSS-LMS key.");
317 }
318
319 LMS_PublicKey lms_pub_key = LMS_PublicKey::from_bytes_or_throw(slicer);
320
321 if(!slicer.empty()) {
322 throw Decoding_Error("Public HSS-LMS key contains more bytes than expected.");
323 }
324 return std::make_shared<HSS_LMS_PublicKeyInternal>(L, std::move(lms_pub_key));
325}
326
327std::vector<uint8_t> HSS_LMS_PublicKeyInternal::to_bytes() const {
328 return concat<std::vector<uint8_t>>(store_be(m_L), m_top_lms_pub_key.to_bytes());
329}
330
334
338
339size_t HSS_LMS_PublicKeyInternal::size() const {
340 return sizeof(m_L) + LMS_PublicKey::size(m_top_lms_pub_key.lms_params());
341}
342
343bool HSS_LMS_PublicKeyInternal::verify_signature(std::span<const uint8_t> msg, const HSS_Signature& sig) const {
344 if(checked_cast_to<HSS_Level>(sig.Nspk()) + 1 != m_L) {
345 // HSS levels in the public key does not match with the signature's
346 return false;
347 }
348
349 const LMS_PublicKey* lms_pk = &lms_pub_key();
350 const auto hash_name = lms_pk->lms_params().hash_name();
351
352 // Verify the signature by the above layer over the LMS public keys for layer 1 to Nspk.
353 for(HSS_Level layer(0); layer < sig.Nspk(); ++layer) {
354 const HSS_Signature::Signed_Pub_Key& signed_pub_key = sig.signed_pub_key(layer);
355 if(signed_pub_key.public_key().lms_params().hash_name() != hash_name ||
356 signed_pub_key.public_key().lmots_params().hash_name() != hash_name) {
357 // We do not allow HSS-LMS instances with multiple different hash functions.
358 return false;
359 }
360 if(!lms_pk->verify_signature(LMS_Message(signed_pub_key.public_key().to_bytes()), signed_pub_key.signature())) {
361 return false;
362 }
363 lms_pk = &signed_pub_key.public_key();
364 }
365
366 // Verify the signature by the bottom layer over the message.
367 return lms_pk->verify_signature(LMS_Message(msg), sig.bottom_sig());
368}
369
370HSS_Signature::Signed_Pub_Key::Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub) :
371 m_sig(std::move(sig)), m_pub(std::move(pub)) {}
372
373HSS_Signature HSS_Signature::from_bytes_or_throw(std::span<const uint8_t> sig_bytes) {
374 if(sig_bytes.size() < sizeof(uint32_t)) {
375 throw Decoding_Error("Too few HSS signature bytes.");
376 }
377 BufferSlicer slicer(sig_bytes);
378
379 const auto Nspk = load_be(slicer.take<sizeof(uint32_t)>());
380 if(Nspk >= HSS_MAX_LEVELS) {
381 throw Decoding_Error("Invalid number of HSS layers in signature.");
382 }
383
384 std::vector<Signed_Pub_Key> signed_pub_keys;
385 for(size_t i = 0; i < Nspk; ++i) {
386 LMS_Signature sig = LMS_Signature::from_bytes_or_throw(slicer);
387 LMS_PublicKey pub_key = LMS_PublicKey::from_bytes_or_throw(slicer);
388 signed_pub_keys.push_back(Signed_Pub_Key(std::move(sig), std::move(pub_key)));
389 }
390
391 auto sig = LMS_Signature::from_bytes_or_throw(slicer);
392
393 if(!slicer.empty()) {
394 throw Decoding_Error("HSS-LMS signature contains more bytes than expected.");
395 }
396 return HSS_Signature(std::move(signed_pub_keys), std::move(sig));
397}
398
399size_t HSS_Signature::size(const HSS_LMS_Params& params) {
400 size_t size = sizeof(uint32_t);
401 size += LMS_Signature::size(params.params_at_level(HSS_Level(0)).lms_params(),
402 params.params_at_level(HSS_Level(0)).lmots_params());
403 for(HSS_Level layer(1); layer < params.L(); ++layer) {
404 const auto& param = params.params_at_level(layer);
405 size += LMS_PublicKey::size(param.lms_params());
406 size += LMS_Signature::size(param.lms_params(), param.lmots_params());
407 }
408 return size;
409}
410
411} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::BufferSlicer::remaining
size_t remaining() const
Definition stl_util.h:127
Botan::BufferSlicer::copy
auto copy(const size_t count)
Definition stl_util.h:89
Botan::BufferSlicer::empty
bool empty() const
Definition stl_util.h:129
Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:98
Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:142
Botan::BufferStuffer::append
constexpr void append(std::span< const uint8_t > buffer)
Definition stl_util.h:177
Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:150
Botan::BufferStuffer::full
constexpr bool full() const
Definition stl_util.h:187
Botan::Decoding_Error
Definition exceptn.h:191
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair
Represents a pair of LMS and LMOTS parameters associated with one LMS tree layer.
Definition hss.h:46
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lms_params
const LMS_Params & lms_params() const
The LMS parameters.
Definition hss.h:51
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lmots_params
const LMOTS_Params & lmots_params() const
The LMOTS parameters.
Definition hss.h:56
Botan::HSS_LMS_Params
The HSS-LMS parameters.
Definition hss.h:41
Botan::HSS_LMS_Params::params_at_level
const LMS_LMOTS_Params_Pair & params_at_level(HSS_Level level) const
Returns the LMS an LM-OTS parameters at the specified level of the HSS tree.
Definition hss.h:98
Botan::HSS_LMS_Params::L
HSS_Level L() const
Returns the number of layers the HSS tree has.
Definition hss.h:103
Botan::HSS_LMS_Params::max_sig_count
HSS_Sig_Idx max_sig_count() const
The maximal number of signatures allowed for these HSS parameters.
Definition hss.h:108
Botan::HSS_LMS_Params::HSS_LMS_Params
HSS_LMS_Params(std::vector< LMS_LMOTS_Params_Pair > lm_lmots_params)
Construct the HSS-LMS parameters from a vector LMS and LM-OTS parameters.
Definition hss.cpp:77
Botan::HSS_LMS_PrivateKeyInternal
The internal HSS-LMS private key.
Definition hss.h:126
Botan::HSS_LMS_PrivateKeyInternal::get_idx
HSS_Sig_Idx get_idx() const
Get the idx of the next signature to generate.
Definition hss.h:158
Botan::HSS_LMS_PrivateKeyInternal::set_idx
void set_idx(HSS_Sig_Idx idx)
Set the idx of the next signature to generate.
Definition hss.cpp:187
Botan::HSS_LMS_PrivateKeyInternal::sign
std::vector< uint8_t > sign(std::span< const uint8_t > msg)
Create a HSS-LMS signature.
Definition hss.cpp:221
Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PrivateKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a private HSS-LMS key.
Definition hss.cpp:120
Botan::HSS_LMS_PrivateKeyInternal::hss_params
const HSS_LMS_Params & hss_params() const
Returns the used HSS-LMS parameters.
Definition hss.h:148
Botan::HSS_LMS_PrivateKeyInternal::hss_derive_root_lms_private_key
LMS_PrivateKey hss_derive_root_lms_private_key() const
Create the HSS root LMS tree's LMS_PrivateKey using the HSS-LMS private key.
Definition hss.cpp:268
Botan::HSS_LMS_PrivateKeyInternal::to_bytes
secure_vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:168
Botan::HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal
HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params &hss_params, RandomNumberGenerator &rng)
Create an internal HSS-LMS private key.
Definition hss.cpp:114
Botan::HSS_LMS_PublicKeyInternal
The internal HSS-LMS public key.
Definition hss.h:245
Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PublicKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a public HSS-LMS key.
Definition hss.cpp:307
Botan::HSS_LMS_PublicKeyInternal::verify_signature
bool verify_signature(std::span< const uint8_t > msg, const HSS_Signature &sig) const
Verify a HSS-LMS signature.
Definition hss.cpp:343
Botan::HSS_LMS_PublicKeyInternal::to_bytes
std::vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:327
Botan::HSS_LMS_PublicKeyInternal::algo_name
std::string algo_name() const
The algorithm name for HSS-LMS.
Definition hss.h:295
Botan::HSS_LMS_PublicKeyInternal::size
size_t size() const
Returns the size in bytes the key would have in its encoded format.
Definition hss.cpp:339
Botan::HSS_LMS_PublicKeyInternal::object_identifier
OID object_identifier() const
The object identifier for HSS-LMS.
Definition hss.cpp:335
Botan::HSS_LMS_PublicKeyInternal::create
static HSS_LMS_PublicKeyInternal create(const HSS_LMS_PrivateKeyInternal &hss_sk)
Create the public HSS-LMS key from its private key.
Definition hss.cpp:298
Botan::HSS_LMS_PublicKeyInternal::HSS_LMS_PublicKeyInternal
HSS_LMS_PublicKeyInternal(HSS_Level L, LMS_PublicKey top_lms_pub_key)
Definition hss.h:264
Botan::HSS_LMS_PublicKeyInternal::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const
The algorithm identifier for HSS-LMS.
Definition hss.cpp:331
Botan::HSS_LMS_PublicKeyInternal::lms_pub_key
const LMS_PublicKey & lms_pub_key() const
Returns the public LMS key of the top LMS tree.
Definition hss.h:275
Botan::HSS_Signature::Signed_Pub_Key
A LMS public key signed by the HSS layer above it.
Definition hss.h:329
Botan::HSS_Signature::Signed_Pub_Key::Signed_Pub_Key
Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub)
Constructor for a new sig-pubkey-pair.
Definition hss.cpp:370
Botan::HSS_Signature::Signed_Pub_Key::signature
const LMS_Signature & signature() const
The signature of the public key.
Definition hss.h:339
Botan::HSS_Signature::Signed_Pub_Key::public_key
const LMS_PublicKey & public_key() const
The signed public key.
Definition hss.h:344
Botan::HSS_Signature
A HSS-LMS signature.
Definition hss.h:321
Botan::HSS_Signature::size
static size_t size(const HSS_LMS_Params &params)
Returns the size a signature would have in its encoded format.
Definition hss.cpp:399
Botan::HSS_Signature::bottom_sig
const LMS_Signature & bottom_sig() const
Returns the LMS signature by the bottom layer of the signed message.
Definition hss.h:384
Botan::HSS_Signature::Nspk
HSS_Level Nspk() const
Returns the number of signed public keys (Nspk = L-1).
Definition hss.h:371
Botan::HSS_Signature::signed_pub_key
const Signed_Pub_Key & signed_pub_key(HSS_Level layer) const
Returns the signed LMS key signed by a specific layer.
Definition hss.h:379
Botan::HSS_Signature::from_bytes_or_throw
static HSS_Signature from_bytes_or_throw(std::span< const uint8_t > sig_bytes)
Parse a HSS-LMS signature.
Definition hss.cpp:373
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
Botan::LMOTS_Params::create_or_throw
static LMOTS_Params create_or_throw(LMOTS_Algorithm_Type type)
Create the LM-OTS parameters from a known algorithm type.
Definition lm_ots.cpp:100
Botan::LMOTS_Params::hash_name
const std::string & hash_name() const
Name of the hash function to use.
Definition lm_ots.h:150
Botan::LMS_Instance::lms_params
const LMS_Params & lms_params() const
The LMS parameters for this LMS instance.
Definition lms.h:164
Botan::LMS_Instance::lmots_params
const LMOTS_Params & lmots_params() const
The LMOTS parameters used for OTS instances of this LMS instance.
Definition lms.h:169
Botan::LMS_Instance::identifier
const LMS_Identifier & identifier() const
The identifier of this LMS tree ('I' in RFC 8554)
Definition lms.h:174
Botan::LMS_Params::hash_name
const std::string & hash_name() const
Returns the name of the hash function to use.
Definition lms.h:124
Botan::LMS_Params::h
uint8_t h() const
Returns the height of the LMS tree.
Definition lms.h:114
Botan::LMS_Params::create_or_throw
static LMS_Params create_or_throw(LMS_Algorithm_Type type)
Create the LMS parameters from a known algorithm type.
Definition lms.cpp:112
Botan::LMS_PrivateKey
Representation of an LMS Private key.
Definition lms.h:190
Botan::LMS_PrivateKey::seed
const LMS_Seed & seed() const
The secret seed used for LMOTS' WOTS chain input creation (RFC 8554 Appendix A)
Definition lms.h:201
Botan::LMS_PublicKey
The LMS public key.
Definition lms.h:225
Botan::LMS_PublicKey::size
static size_t size(const LMS_Params &lms_params)
The expected size of an LMS public key for given lms_params.
Definition lms.cpp:313
Botan::LMS_PublicKey::to_bytes
std::vector< uint8_t > to_bytes() const
Bytes of the full lms public key according to 8554 5.3.
Definition lms.cpp:294
Botan::LMS_PublicKey::from_bytes_or_throw
static LMS_PublicKey from_bytes_or_throw(BufferSlicer &slicer)
Parse a public LMS key.
Definition lms.cpp:264
Botan::LMS_PublicKey::verify_signature
bool verify_signature(const LMS_Message &msg, const LMS_Signature &sig) const
Verify a LMS signature.
Definition lms.cpp:352
Botan::LMS_Signature
Container for LMS Signature data.
Definition lms.h:293
Botan::LMS_Signature::from_bytes_or_throw
static LMS_Signature from_bytes_or_throw(BufferSlicer &slicer)
Parse the bytes of a lms signature into a LMS Signature object.
Definition lms.cpp:317
Botan::LMS_Signature::size
static size_t size(const LMS_Params &lms_params, const LMOTS_Params &lmots_params)
Definition lms.cpp:419
Botan::OID::from_string
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
Botan::PseudorandomKeyGeneration
Helper class used to derive secret values based in the pseudorandom key generation described in RFC 8...
Definition hss_lms_utils.h:28
Botan::RandomNumberGenerator::random_vec
void random_vec(std::span< uint8_t > v)
Definition rng.h:180
Botan::SCAN_Name
Definition scan_name.h:22
Botan::SCAN_Name::arg
std::string arg(size_t i) const
Definition scan_name.cpp:119
Botan::SCAN_Name::arg_count
size_t arg_count() const
Definition scan_name.h:49
Botan::SCAN_Name::algo_name
const std::string & algo_name() const
Definition scan_name.h:44
Botan::SCAN_Name::arg_as_integer
size_t arg_as_integer(size_t i, size_t def_value) const
Definition scan_name.cpp:133
Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:50
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64
Botan::LMS_Algorithm_Type
LMS_Algorithm_Type
Enum of available LMS algorithm types.
Definition lms.h:30
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::checked_cast_to_or_throw
constexpr RT checked_cast_to_or_throw(AT i, std::string_view error_msg_on_fail)
Definition int_utils.h:61
Botan::LMS_IDENTIFIER_LEN
constexpr size_t LMS_IDENTIFIER_LEN
The length in bytes of the LMS identifier (I).
Definition lms.h:67
Botan::HSS_Sig_Idx
Strong< uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber > HSS_Sig_Idx
The index of a node within a specific LMS tree layer.
Definition hss.h:29
Botan::checked_cast_to
constexpr RT checked_cast_to(AT i)
Definition int_utils.h:74
Botan::LMS_Identifier
Strong< std::vector< uint8_t >, struct LMS_Identifier_ > LMS_Identifier
The identifier of an LMS tree (I in RFC 8554)
Definition lm_ots.h:50
Botan::LMOTS_Algorithm_Type
LMOTS_Algorithm_Type
Enum of available LM-OTS algorithm types.
Definition lm_ots.h:65
Botan::LMS_Seed
Strong< secure_vector< uint8_t >, struct LMS_SEED_ > LMS_Seed
Seed of the LMS tree, used to generate the LM-OTS private keys.
Definition lm_ots.h:25
Botan::LMS_Message
Strong< std::vector< uint8_t >, struct LMS_Message_ > LMS_Message
A message that is signed with an LMS tree.
Definition lm_ots.h:55
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition stl_util.h:263
Botan::HSS_Level
Strong< uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber > HSS_Level
The HSS layer in the HSS multi tree starting at 0 from the root.
Definition hss.h:34
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:773
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:530
Generated by doxygen 1.12.0