Botan 3.11.0
Crypto and TLS for C&
hss.cpp
Go to the documentation of this file.
1/**
2 * HSS - Hierarchical Signatures System (RFC 8554)
3 * (C) 2023,2026 Jack Lloyd
4 * 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9#include <botan/internal/hss.h>
10
11#include <botan/rng.h>
12#include <botan/internal/buffer_slicer.h>
13#include <botan/internal/buffer_stuffer.h>
14#include <botan/internal/concat_util.h>
15#include <botan/internal/fmt.h>
16#include <botan/internal/hss_lms_utils.h>
17#include <botan/internal/int_utils.h>
18#include <botan/internal/scan_name.h>
19#include <botan/internal/stateful_key_index_registry.h>
20#include <limits>
21
22namespace Botan {
23
24namespace {
25
26/**
27 * @brief The maximum number of levels in a HSS-LMS tree.
28 *
29 * RFC 8554 Section 6:
30 * The number of levels is denoted as L and is between one
31 * and eight, inclusive.
32 */
33constexpr HSS_Level HSS_MAX_LEVELS(8);
34
35/**
36 * @brief Domain-separation parameter for generation the seed of a child LMS tree.
37 *
38 * This comes from https://github.com/cisco/hash-sigs.
39 */
40constexpr uint16_t SEED_CHILD_SEED = 0xfffe;
41
42/**
43 * @brief Domain-separation parameter for generation the identifier of a child LMS tree.
44 *
45 * This comes from https://github.com/cisco/hash-sigs.
46 */
47constexpr uint16_t SEED_CHILD_I = 0xffff;
48
49/**
50 * @brief Check that the given @p hash_name is one of the supported hash functions for HSS-LMS.
51 */
52constexpr bool is_supported_hash_function(std::string_view hash_name) {
53 return hash_name == "SHA-256" || hash_name == "Truncated(SHA-256,192)" || hash_name == "SHAKE-256(256)" ||
54 hash_name == "SHAKE-256(192)";
55}
56
57/**
58 * Given an HSS index, i.e. the number of already created HSS signatures, return the lms leaf indices for
59 * the different LMS layers from root layer to bottom layer.
60 */
61std::vector<LMS_Tree_Node_Idx> derive_lms_leaf_indices_from_hss_index(HSS_Sig_Idx hss_idx,
62 const HSS_LMS_Params& hss_params) {
63 std::vector<LMS_Tree_Node_Idx> q(hss_params.L().get());
64 for(int32_t layer_ctr = hss_params.L().get() - 1; layer_ctr >= 0; --layer_ctr) {
65 HSS_Level layer(layer_ctr);
66 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& layer_params = hss_params.params_at_level(layer);
67 const size_t layer_h = layer_params.lms_params().h();
68 q.at(layer.get()) =
69 checked_cast_to<LMS_Tree_Node_Idx>(hss_idx.get() % checked_cast_to<uint64_t>(1ULL << layer_h));
70 hss_idx = hss_idx >> layer_h;
71 }
72 BOTAN_ARG_CHECK(hss_idx == HSS_Sig_Idx(0), "HSS Tree is exhausted");
73
74 return q;
75}
76
77} // namespace
78
79HSS_LMS_Params::HSS_LMS_Params(std::vector<LMS_LMOTS_Params_Pair> lm_lmots_params) :
80 m_lms_lmots_params(std::move(lm_lmots_params)), m_max_sig_count(calc_max_sig_count()) {
81 BOTAN_ARG_CHECK(!m_lms_lmots_params.empty() && m_lms_lmots_params.size() <= HSS_MAX_LEVELS,
82 "Invalid number of levels");
83}
84
85HSS_LMS_Params::HSS_LMS_Params(std::string_view algo_params) : m_max_sig_count(0) {
86 const auto wrap_in_hss_lms = [&]() {
87 if(algo_params.starts_with("HSS-LMS(")) {
88 return std::string(algo_params);
89 } else {
90 return fmt("HSS-LMS({})", algo_params);
91 }
92 }();
93 const SCAN_Name scan(wrap_in_hss_lms);
94
95 BOTAN_ARG_CHECK(scan.arg_count() >= 2 && scan.arg_count() <= HSS_MAX_LEVELS + 1, "Invalid number of arguments");
96 const std::string hash = scan.arg(0);
97 BOTAN_ARG_CHECK(is_supported_hash_function(hash), "Supported HSS-LMS hash function");
98
99 for(size_t i = 1; i < scan.arg_count(); ++i) {
100 const SCAN_Name scan_layer(scan.arg(i));
101 BOTAN_ARG_CHECK(scan_layer.algo_name() == "HW", "Invalid name for layer parameters");
102 BOTAN_ARG_CHECK(scan_layer.arg_count() == 2, "Invalid number of layer parameters");
103 const auto h =
104 checked_cast_to_or_throw<uint8_t, Invalid_Argument>(scan_layer.arg_as_integer(0), "Invalid tree height");
105 const auto w = checked_cast_to_or_throw<uint8_t, Invalid_Argument>(scan_layer.arg_as_integer(1),
106 "Invalid Winternitz parameter");
107 m_lms_lmots_params.push_back({LMS_Params::create_or_throw(hash, h), LMOTS_Params::create_or_throw(hash, w)});
108 }
109 m_max_sig_count = calc_max_sig_count();
110}
111
112HSS_Sig_Idx HSS_LMS_Params::calc_max_sig_count() const {
113 uint32_t total_height_counter = 0;
114 for(HSS_Level level(0); level < L(); level++) {
115 total_height_counter += params_at_level(level).lms_params().h();
116 }
117 if(total_height_counter >= sizeof(HSS_Sig_Idx) * 8) {
118 return HSS_Sig_Idx(std::numeric_limits<HSS_Sig_Idx::wrapped_type>::max());
119 }
120 return HSS_Sig_Idx(1) << total_height_counter;
121}
122
123HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params& hss_params, RandomNumberGenerator& rng) :
124 m_hss_params(hss_params),
125 m_hss_seed(rng.random_vec<LMS_Seed>(m_hss_params.params_at_level(HSS_Level(0)).lms_params().m())),
126 m_identifier(rng.random_vec<LMS_Identifier>(LMS_IDENTIFIER_LEN)),
127 // LMS doesn't have a single unique parameter code that we can easily use,
128 // so algo_params is left as 0
129 m_keyid("HSS-LMS", 0, m_hss_seed, m_identifier),
130 m_sig_size(HSS_Signature::size(m_hss_params)) {}
131
132HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal(HSS_LMS_Params hss_params,
133 LMS_Seed hss_seed,
134 LMS_Identifier identifier) :
135 m_hss_params(std::move(hss_params)),
136 m_hss_seed(std::move(hss_seed)),
137 m_identifier(std::move(identifier)),
138 // LMS doesn't have a single unique parameter code that we can easily use, so algo_params is left as 0
139 m_keyid("HSS-LMS", 0, m_hss_seed, m_identifier),
140 m_sig_size(HSS_Signature::size(m_hss_params)) {
141 BOTAN_ARG_CHECK(m_hss_seed.size() == m_hss_params.params_at_level(HSS_Level(0)).lms_params().m(),
142 "Invalid HSS-LMS seed size");
143 BOTAN_ARG_CHECK(m_identifier.size() == LMS_IDENTIFIER_LEN, "Invalid HSS-LMS identifier size");
144}
145
146std::shared_ptr<HSS_LMS_PrivateKeyInternal> HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(
147 std::span<const uint8_t> key_bytes) {
148 if(key_bytes.size() < sizeof(HSS_Level) + sizeof(HSS_Sig_Idx)) {
149 throw Decoding_Error("Too few private key bytes.");
150 }
151 BufferSlicer slicer(key_bytes);
152
153 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
154 if(L == 0U || L > HSS_MAX_LEVELS) {
155 throw Decoding_Error("Invalid number of HSS layers in private HSS-LMS key.");
156 }
157
158 const auto sig_idx = load_be<HSS_Sig_Idx>(slicer.take<sizeof(HSS_Sig_Idx)>());
159
160 std::vector<HSS_LMS_Params::LMS_LMOTS_Params_Pair> params;
161 for(size_t layer = 1; layer <= L; ++layer) {
162 if(slicer.remaining() < sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type)) {
163 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
164 }
165 const auto lms_type = load_be<LMS_Algorithm_Type>(slicer.take<sizeof(LMS_Algorithm_Type)>());
166 const auto lmots_type = load_be<LMOTS_Algorithm_Type>(slicer.take<sizeof(LMOTS_Algorithm_Type)>());
167 params.push_back({LMS_Params::create_or_throw(lms_type), LMOTS_Params::create_or_throw(lmots_type)});
168 }
169 const auto& hash_name = params.at(0).lms_params().hash_name();
170
171 for(const auto& param : params) {
172 const bool invalid_lmots_hash = param.lmots_params().hash_name() != hash_name;
173 const bool invalid_lms_hash = param.lms_params().hash_name() != hash_name;
174 if(invalid_lmots_hash || invalid_lms_hash) {
175 throw Decoding_Error("Inconsistent hash functions are not allowed.");
176 }
177 }
178
179 if(slicer.remaining() < params.at(0).lms_params().m() + LMS_IDENTIFIER_LEN) {
180 throw Decoding_Error("Out of bytes while parsing private HSS-LMS key.");
181 }
182 auto hss_seed = slicer.copy<LMS_Seed>(params.at(0).lms_params().m());
183 auto identifier = slicer.copy<LMS_Identifier>(LMS_IDENTIFIER_LEN);
184
185 if(!slicer.empty()) {
186 throw Decoding_Error("Private HSS-LMS key contains more bytes than expected.");
187 }
188 auto sk = std::shared_ptr<HSS_LMS_PrivateKeyInternal>(
189 new HSS_LMS_PrivateKeyInternal(HSS_LMS_Params(std::move(params)), std::move(hss_seed), std::move(identifier)));
190
191 sk->set_idx(sig_idx);
192 return sk;
193}
194
195secure_vector<uint8_t> HSS_LMS_PrivateKeyInternal::to_bytes() const {
196 secure_vector<uint8_t> sk_bytes(size());
197 BufferStuffer stuffer(sk_bytes);
198
199 const uint64_t current_index = Stateful_Key_Index_Registry::global().current_index(m_keyid);
200
201 stuffer.append(store_be(hss_params().L()));
202 stuffer.append(store_be(current_index));
203
204 for(HSS_Level layer(1); layer <= hss_params().L(); ++layer) {
205 const auto& params = hss_params().params_at_level(layer - 1);
206 stuffer.append(store_be(params.lms_params().algorithm_type()));
207 stuffer.append(store_be(params.lmots_params().algorithm_type()));
208 }
209 stuffer.append(m_hss_seed);
210 stuffer.append(m_identifier);
211 BOTAN_ASSERT_NOMSG(stuffer.full());
212
213 return sk_bytes;
214}
215
219
223
224HSS_Sig_Idx HSS_LMS_PrivateKeyInternal::reserve_next_idx() {
225 const auto idx = HSS_Sig_Idx(Stateful_Key_Index_Registry::global().reserve_next_index(m_keyid));
226 if(idx >= m_hss_params.max_sig_count()) {
227 throw Decoding_Error("HSS private key is exhausted");
228 }
229 return idx;
230}
231
232size_t HSS_LMS_PrivateKeyInternal::size() const {
233 size_t sk_size = sizeof(HSS_Level) + sizeof(HSS_Sig_Idx);
234 // The concatenated algorithm types for all layers
235 sk_size += hss_params().L().get() * (sizeof(LMS_Algorithm_Type) + sizeof(LMOTS_Algorithm_Type));
236 sk_size += m_hss_seed.size() + m_identifier.size();
237 return sk_size;
238}
239
240std::vector<uint8_t> HSS_LMS_PrivateKeyInternal::sign(std::span<const uint8_t> msg) {
241 std::vector<uint8_t> sig(HSS_Signature::size(hss_params()));
242 BufferStuffer sig_stuffer(sig);
243 sig_stuffer.append(store_be(hss_params().L() - 1));
244
245 std::vector<LMS_Tree_Node_Idx> q = derive_lms_leaf_indices_from_hss_index(reserve_next_idx(), hss_params());
246
247 // Derive LMS private keys and compute buffers
248 std::vector<LMS_PrivateKey> lms_key_at_layer;
249 std::vector<StrongSpan<LMS_Signature_Bytes>> out_lms_sig_buffer_at_layer;
250 std::vector<std::span<uint8_t>> out_child_pk_buffer_at_layer;
251 for(HSS_Level layer(0); layer < hss_params().L(); ++layer) {
252 // Generate key for current layer
253 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& layer_params = hss_params().params_at_level(layer);
254 if(layer == HSS_Level(0)) {
255 lms_key_at_layer.push_back(hss_derive_root_lms_private_key());
256 } else {
257 lms_key_at_layer.push_back(
258 hss_derive_child_lms_private_key(layer_params, lms_key_at_layer.back(), q.at(layer.get() - 1)));
259 out_child_pk_buffer_at_layer.push_back(sig_stuffer.next(LMS_PublicKey::size(layer_params.lms_params())));
260 }
261 out_lms_sig_buffer_at_layer.push_back(sig_stuffer.next<LMS_Signature_Bytes>(
262 LMS_Signature::size(layer_params.lms_params(), layer_params.lmots_params())));
263 }
264 BOTAN_ASSERT_NOMSG(sig_stuffer.full());
265
266 // Sign and write the signature from bottom layer to root layer
267 std::vector<uint8_t> current_pk;
268 for(int32_t layer_it = hss_params().L().get() - 1; layer_it >= 0; --layer_it) {
269 HSS_Level layer(layer_it);
270 if(layer == hss_params().L() - 1) {
271 current_pk =
272 lms_key_at_layer.at(layer.get())
273 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(msg))
274 .to_bytes();
275 } else {
276 copy_mem(out_child_pk_buffer_at_layer.at(layer.get()), current_pk);
277 current_pk =
278 lms_key_at_layer.at(layer.get())
279 .sign_and_get_pk(out_lms_sig_buffer_at_layer.at(layer.get()), q.at(layer.get()), LMS_Message(current_pk))
280 .to_bytes();
281 }
282 }
283
284 return sig;
285}
286
287LMS_PrivateKey HSS_LMS_PrivateKeyInternal::hss_derive_root_lms_private_key() const {
288 const auto& top_params = hss_params().params_at_level(HSS_Level(0));
289 return LMS_PrivateKey(top_params.lms_params(), top_params.lmots_params(), m_identifier, m_hss_seed);
290}
291
292LMS_PrivateKey HSS_LMS_PrivateKeyInternal::hss_derive_child_lms_private_key(
293 const HSS_LMS_Params::LMS_LMOTS_Params_Pair& child_lms_lmots_params,
294 const LMS_PrivateKey& parent_sk,
295 LMS_Tree_Node_Idx parent_q) {
296 const auto hash = HashFunction::create_or_throw(child_lms_lmots_params.lms_params().hash_name());
297
298 // CHILD_SEED = H( PARENT_I || PARENT_Q || SEED_CHILD_SEED || 0xff || PARENT_SEED )
299 PseudorandomKeyGeneration seed_generator(parent_sk.identifier());
300 seed_generator.set_q(parent_q.get());
301 seed_generator.set_i(SEED_CHILD_SEED);
302 seed_generator.set_j(0xff);
303 auto child_seed = seed_generator.gen<LMS_Seed>(*hash, parent_sk.seed());
304
305 // CHILD_I = H( PARENT_I || PARENT_Q || SEED_CHILD_I || 0xff || PARENT_SEED )
306 seed_generator.set_i(SEED_CHILD_I);
307 auto child_identifier = seed_generator.gen<LMS_Identifier>(*hash, parent_sk.seed());
308 child_identifier.resize(LMS_IDENTIFIER_LEN);
309 CT::unpoison(child_identifier); // identifiers are part of the signature
310
311 return LMS_PrivateKey(child_lms_lmots_params.lms_params(),
312 child_lms_lmots_params.lmots_params(),
313 std::move(child_identifier),
314 std::move(child_seed));
315}
316
317HSS_LMS_PublicKeyInternal HSS_LMS_PublicKeyInternal::create(const HSS_LMS_PrivateKeyInternal& hss_sk) {
318 const auto& hss_params = hss_sk.hss_params();
319
320 const auto root_sk = hss_sk.hss_derive_root_lms_private_key();
321 LMS_PublicKey top_pub_key = LMS_PublicKey(root_sk);
322
323 return HSS_LMS_PublicKeyInternal(hss_params.L(), std::move(top_pub_key));
324}
325
326std::shared_ptr<HSS_LMS_PublicKeyInternal> HSS_LMS_PublicKeyInternal::from_bytes_or_throw(
327 std::span<const uint8_t> key_bytes) {
328 if(key_bytes.size() < sizeof(HSS_Level)) {
329 throw Decoding_Error("Too few public key bytes.");
330 }
331 BufferSlicer slicer(key_bytes);
332
333 const auto L = load_be<HSS_Level>(slicer.take<sizeof(HSS_Level)>());
334 if(L > HSS_MAX_LEVELS) {
335 throw Decoding_Error("Invalid number of HSS layers in public HSS-LMS key.");
336 }
337
338 LMS_PublicKey lms_pub_key = LMS_PublicKey::from_bytes_or_throw(slicer);
339
340 if(!slicer.empty()) {
341 throw Decoding_Error("Public HSS-LMS key contains more bytes than expected.");
342 }
343 return std::make_shared<HSS_LMS_PublicKeyInternal>(L, std::move(lms_pub_key));
344}
345
346std::vector<uint8_t> HSS_LMS_PublicKeyInternal::to_bytes() const {
347 return concat<std::vector<uint8_t>>(store_be(m_L), m_top_lms_pub_key.to_bytes());
348}
349
353
357
358size_t HSS_LMS_PublicKeyInternal::size() const {
359 return sizeof(m_L) + LMS_PublicKey::size(m_top_lms_pub_key.lms_params());
360}
361
362bool HSS_LMS_PublicKeyInternal::verify_signature(std::span<const uint8_t> msg, const HSS_Signature& sig) const {
363 if(checked_cast_to<HSS_Level>(sig.Nspk()) + 1 != m_L) {
364 // HSS levels in the public key does not match with the signature's
365 return false;
366 }
367
368 const LMS_PublicKey* lms_pk = &lms_pub_key();
369 const auto hash_name = lms_pk->lms_params().hash_name();
370
371 // Verify the signature by the above layer over the LMS public keys for layer 1 to Nspk.
372 for(HSS_Level layer(0); layer < sig.Nspk(); ++layer) {
373 const HSS_Signature::Signed_Pub_Key& signed_pub_key = sig.signed_pub_key(layer);
374 if(signed_pub_key.public_key().lms_params().hash_name() != hash_name ||
375 signed_pub_key.public_key().lmots_params().hash_name() != hash_name) {
376 // We do not allow HSS-LMS instances with multiple different hash functions.
377 return false;
378 }
379 if(!lms_pk->verify_signature(LMS_Message(signed_pub_key.public_key().to_bytes()), signed_pub_key.signature())) {
380 return false;
381 }
382 lms_pk = &signed_pub_key.public_key();
383 }
384
385 // Verify the signature by the bottom layer over the message.
386 return lms_pk->verify_signature(LMS_Message(msg), sig.bottom_sig());
387}
388
389HSS_Signature::Signed_Pub_Key::Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub) :
390 m_sig(std::move(sig)), m_pub(std::move(pub)) {}
391
392HSS_Signature HSS_Signature::from_bytes_or_throw(std::span<const uint8_t> sig_bytes) {
393 if(sig_bytes.size() < sizeof(uint32_t)) {
394 throw Decoding_Error("Too few HSS signature bytes.");
395 }
396 BufferSlicer slicer(sig_bytes);
397
398 const auto Nspk = load_be(slicer.take<sizeof(uint32_t)>());
399 if(Nspk >= HSS_MAX_LEVELS) {
400 throw Decoding_Error("Invalid number of HSS layers in signature.");
401 }
402
403 std::vector<Signed_Pub_Key> signed_pub_keys;
404 for(size_t i = 0; i < Nspk; ++i) {
405 LMS_Signature sig = LMS_Signature::from_bytes_or_throw(slicer);
406 LMS_PublicKey pub_key = LMS_PublicKey::from_bytes_or_throw(slicer);
407 signed_pub_keys.push_back(Signed_Pub_Key(std::move(sig), std::move(pub_key)));
408 }
409
410 auto sig = LMS_Signature::from_bytes_or_throw(slicer);
411
412 if(!slicer.empty()) {
413 throw Decoding_Error("HSS-LMS signature contains more bytes than expected.");
414 }
415 return HSS_Signature(std::move(signed_pub_keys), std::move(sig));
416}
417
418size_t HSS_Signature::size(const HSS_LMS_Params& params) {
419 size_t size = sizeof(uint32_t);
420 size += LMS_Signature::size(params.params_at_level(HSS_Level(0)).lms_params(),
421 params.params_at_level(HSS_Level(0)).lmots_params());
422 for(HSS_Level layer(1); layer < params.L(); ++layer) {
423 const auto& param = params.params_at_level(layer);
424 size += LMS_PublicKey::size(param.lms_params());
425 size += LMS_Signature::size(param.lms_params(), param.lmots_params());
426 }
427 return size;
428}
429
430} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BufferSlicer::remaining
size_t remaining() const
Definition buffer_slicer.h:66
Botan::BufferSlicer::copy
auto copy(const size_t count)
Definition buffer_slicer.h:28
Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition buffer_slicer.h:37
Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition buffer_stuffer.h:24
Botan::BufferStuffer::append
constexpr void append(std::span< const uint8_t > buffer)
Definition buffer_stuffer.h:59
Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition buffer_stuffer.h:32
Botan::BufferStuffer::full
constexpr bool full() const
Definition buffer_stuffer.h:69
Botan::Decoding_Error
Definition exceptn.h:192
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair
Represents a pair of LMS and LMOTS parameters associated with one LMS tree layer.
Definition hss.h:47
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lms_params
const LMS_Params & lms_params() const
The LMS parameters.
Definition hss.h:52
Botan::HSS_LMS_Params::LMS_LMOTS_Params_Pair::lmots_params
const LMOTS_Params & lmots_params() const
The LMOTS parameters.
Definition hss.h:57
Botan::HSS_LMS_Params
The HSS-LMS parameters.
Definition hss.h:42
Botan::HSS_LMS_Params::params_at_level
const LMS_LMOTS_Params_Pair & params_at_level(HSS_Level level) const
Returns the LMS an LM-OTS parameters at the specified level of the HSS tree.
Definition hss.h:99
Botan::HSS_LMS_Params::L
HSS_Level L() const
Returns the number of layers the HSS tree has.
Definition hss.h:104
Botan::HSS_LMS_Params::max_sig_count
HSS_Sig_Idx max_sig_count() const
The maximal number of signatures allowed for these HSS parameters.
Definition hss.h:109
Botan::HSS_LMS_Params::HSS_LMS_Params
HSS_LMS_Params(std::vector< LMS_LMOTS_Params_Pair > lm_lmots_params)
Construct the HSS-LMS parameters from a vector LMS and LM-OTS parameters.
Definition hss.cpp:79
Botan::HSS_LMS_PrivateKeyInternal
The internal HSS-LMS private key.
Definition hss.h:127
Botan::HSS_LMS_PrivateKeyInternal::set_idx
void set_idx(HSS_Sig_Idx idx)
Set the idx of the next signature to generate.
Definition hss.cpp:220
Botan::HSS_LMS_PrivateKeyInternal::sign
std::vector< uint8_t > sign(std::span< const uint8_t > msg)
Create a HSS-LMS signature.
Definition hss.cpp:240
Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PrivateKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a private HSS-LMS key.
Definition hss.cpp:146
Botan::HSS_LMS_PrivateKeyInternal::hss_params
const HSS_LMS_Params & hss_params() const
Returns the used HSS-LMS parameters.
Definition hss.h:149
Botan::HSS_LMS_PrivateKeyInternal::hss_derive_root_lms_private_key
LMS_PrivateKey hss_derive_root_lms_private_key() const
Create the HSS root LMS tree's LMS_PrivateKey using the HSS-LMS private key.
Definition hss.cpp:287
Botan::HSS_LMS_PrivateKeyInternal::to_bytes
secure_vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:195
Botan::HSS_LMS_PrivateKeyInternal::remaining_operations
HSS_Sig_Idx remaining_operations(HSS_Sig_Idx idx) const
Get the idx of the next signature to generate.
Definition hss.cpp:216
Botan::HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal
HSS_LMS_PrivateKeyInternal(const HSS_LMS_Params &hss_params, RandomNumberGenerator &rng)
Create an internal HSS-LMS private key.
Definition hss.cpp:123
Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw
static std::shared_ptr< HSS_LMS_PublicKeyInternal > from_bytes_or_throw(std::span< const uint8_t > key_bytes)
Parse a public HSS-LMS key.
Definition hss.cpp:326
Botan::HSS_LMS_PublicKeyInternal::verify_signature
bool verify_signature(std::span< const uint8_t > msg, const HSS_Signature &sig) const
Verify a HSS-LMS signature.
Definition hss.cpp:362
Botan::HSS_LMS_PublicKeyInternal::to_bytes
std::vector< uint8_t > to_bytes() const
Returns the key in its encoded format.
Definition hss.cpp:346
Botan::HSS_LMS_PublicKeyInternal::algo_name
std::string algo_name() const
The algorithm name for HSS-LMS.
Definition hss.h:297
Botan::HSS_LMS_PublicKeyInternal::size
size_t size() const
Returns the size in bytes the key would have in its encoded format.
Definition hss.cpp:358
Botan::HSS_LMS_PublicKeyInternal::object_identifier
OID object_identifier() const
The object identifier for HSS-LMS.
Definition hss.cpp:354
Botan::HSS_LMS_PublicKeyInternal::create
static HSS_LMS_PublicKeyInternal create(const HSS_LMS_PrivateKeyInternal &hss_sk)
Create the public HSS-LMS key from its private key.
Definition hss.cpp:317
Botan::HSS_LMS_PublicKeyInternal::HSS_LMS_PublicKeyInternal
HSS_LMS_PublicKeyInternal(HSS_Level L, LMS_PublicKey top_lms_pub_key)
Definition hss.h:266
Botan::HSS_LMS_PublicKeyInternal::algorithm_identifier
AlgorithmIdentifier algorithm_identifier() const
The algorithm identifier for HSS-LMS.
Definition hss.cpp:350
Botan::HSS_LMS_PublicKeyInternal::lms_pub_key
const LMS_PublicKey & lms_pub_key() const
Returns the public LMS key of the top LMS tree.
Definition hss.h:277
Botan::HSS_Signature::Signed_Pub_Key
A LMS public key signed by the HSS layer above it.
Definition hss.h:331
Botan::HSS_Signature::Signed_Pub_Key::Signed_Pub_Key
Signed_Pub_Key(LMS_Signature sig, LMS_PublicKey pub)
Constructor for a new sig-pubkey-pair.
Definition hss.cpp:389
Botan::HSS_Signature::Signed_Pub_Key::signature
const LMS_Signature & signature() const
The signature of the public key.
Definition hss.h:341
Botan::HSS_Signature::Signed_Pub_Key::public_key
const LMS_PublicKey & public_key() const
The signed public key.
Definition hss.h:346
Botan::HSS_Signature
A HSS-LMS signature.
Definition hss.h:323
Botan::HSS_Signature::size
static size_t size(const HSS_LMS_Params &params)
Returns the size a signature would have in its encoded format.
Definition hss.cpp:418
Botan::HSS_Signature::bottom_sig
const LMS_Signature & bottom_sig() const
Returns the LMS signature by the bottom layer of the signed message.
Definition hss.h:386
Botan::HSS_Signature::Nspk
HSS_Level Nspk() const
Returns the number of signed public keys (Nspk = L-1).
Definition hss.h:373
Botan::HSS_Signature::signed_pub_key
const Signed_Pub_Key & signed_pub_key(HSS_Level layer) const
Returns the signed LMS key signed by a specific layer.
Definition hss.h:381
Botan::HSS_Signature::from_bytes_or_throw
static HSS_Signature from_bytes_or_throw(std::span< const uint8_t > sig_bytes)
Parse a HSS-LMS signature.
Definition hss.cpp:392
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:308
Botan::LMOTS_Params::create_or_throw
static LMOTS_Params create_or_throw(LMOTS_Algorithm_Type type)
Create the LM-OTS parameters from a known algorithm type.
Definition lm_ots.cpp:106
Botan::LMOTS_Params::hash_name
const std::string & hash_name() const
Name of the hash function to use.
Definition lm_ots.h:153
Botan::LMS_Instance::lms_params
const LMS_Params & lms_params() const
The LMS parameters for this LMS instance.
Definition lms.h:166
Botan::LMS_Instance::lmots_params
const LMOTS_Params & lmots_params() const
The LMOTS parameters used for OTS instances of this LMS instance.
Definition lms.h:171
Botan::LMS_Instance::identifier
const LMS_Identifier & identifier() const
The identifier of this LMS tree ('I' in RFC 8554).
Definition lms.h:176
Botan::LMS_Params::hash_name
const std::string & hash_name() const
Returns the name of the hash function to use.
Definition lms.h:126
Botan::LMS_Params::h
uint8_t h() const
Returns the height of the LMS tree.
Definition lms.h:116
Botan::LMS_Params::create_or_throw
static LMS_Params create_or_throw(LMS_Algorithm_Type type)
Create the LMS parameters from a known algorithm type.
Definition lms.cpp:120
Botan::LMS_PrivateKey
Representation of an LMS Private key.
Definition lms.h:192
Botan::LMS_PrivateKey::seed
const LMS_Seed & seed() const
The secret seed used for LMOTS' WOTS chain input creation (RFC 8554 Appendix A).
Definition lms.h:203
Botan::LMS_PublicKey
The LMS public key.
Definition lms.h:227
Botan::LMS_PublicKey::size
static size_t size(const LMS_Params &lms_params)
The expected size of an LMS public key for given lms_params.
Definition lms.cpp:321
Botan::LMS_PublicKey::to_bytes
std::vector< uint8_t > to_bytes() const
Bytes of the full lms public key according to 8554 5.3.
Definition lms.cpp:302
Botan::LMS_PublicKey::from_bytes_or_throw
static LMS_PublicKey from_bytes_or_throw(BufferSlicer &slicer)
Parse a public LMS key.
Definition lms.cpp:272
Botan::LMS_PublicKey::verify_signature
bool verify_signature(const LMS_Message &msg, const LMS_Signature &sig) const
Verify a LMS signature.
Definition lms.cpp:361
Botan::LMS_Signature
Container for LMS Signature data.
Definition lms.h:295
Botan::LMS_Signature::from_bytes_or_throw
static LMS_Signature from_bytes_or_throw(BufferSlicer &slicer)
Parse the bytes of a lms signature into a LMS Signature object.
Definition lms.cpp:325
Botan::LMS_Signature::size
static size_t size(const LMS_Params &lms_params, const LMOTS_Params &lmots_params)
Definition lms.cpp:428
Botan::OID::from_string
static OID from_string(std::string_view str)
Definition asn1_oid.cpp:86
Botan::PseudorandomKeyGeneration
Helper class used to derive secret values based in the pseudorandom key generation described in RFC 8...
Definition hss_lms_utils.h:28
Botan::SCAN_Name
Definition scan_name.h:22
Botan::SCAN_Name::arg
std::string arg(size_t i) const
Definition scan_name.cpp:119
Botan::SCAN_Name::arg_count
size_t arg_count() const
Definition scan_name.h:49
Botan::SCAN_Name::algo_name
const std::string & algo_name() const
Definition scan_name.h:44
Botan::SCAN_Name::arg_as_integer
size_t arg_as_integer(size_t i, size_t def_value) const
Definition scan_name.cpp:133
Botan::Stateful_Key_Index_Registry::current_index
uint64_t current_index(const KeyId &key_id)
Definition stateful_key_index_registry.cpp:51
Botan::Stateful_Key_Index_Registry::set_index_lower_bound
void set_index_lower_bound(const KeyId &key_id, uint64_t min)
Definition stateful_key_index_registry.cpp:65
Botan::Stateful_Key_Index_Registry::global
static Stateful_Key_Index_Registry & global()
Definition stateful_key_index_registry.cpp:15
Botan::detail::Container_Strong_Adapter_Base::size
size_type size() const noexcept(noexcept(this->get().size()))
Definition strong_type.h:141
Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:85
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:67
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::LMS_Algorithm_Type
LMS_Algorithm_Type
Enum of available LMS algorithm types.
Definition lms.h:32
Botan::fmt
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
Botan::checked_cast_to_or_throw
constexpr RT checked_cast_to_or_throw(AT i, std::string_view error_msg_on_fail)
Definition int_utils.h:61
Botan::LMS_IDENTIFIER_LEN
constexpr size_t LMS_IDENTIFIER_LEN
The length in bytes of the LMS identifier (I).
Definition lms.h:69
Botan::HSS_Sig_Idx
Strong< uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber > HSS_Sig_Idx
The index of a node within a specific LMS tree layer.
Definition hss.h:30
Botan::checked_cast_to
constexpr RT checked_cast_to(AT i)
Definition int_utils.h:74
Botan::LMS_Signature_Bytes
Strong< std::vector< uint8_t >, struct LMS_Signature_Bytes_ > LMS_Signature_Bytes
Raw bytes of an LMS signature.
Definition lms.h:84
Botan::LMS_Identifier
Strong< std::vector< uint8_t >, struct LMS_Identifier_ > LMS_Identifier
The identifier of an LMS tree (I in RFC 8554).
Definition lm_ots.h:53
Botan::LMOTS_Algorithm_Type
LMOTS_Algorithm_Type
Enum of available LM-OTS algorithm types.
Definition lm_ots.h:68
Botan::LMS_Seed
Strong< secure_vector< uint8_t >, struct LMS_SEED_ > LMS_Seed
Seed of the LMS tree, used to generate the LM-OTS private keys.
Definition lm_ots.h:28
Botan::LMS_Message
Strong< std::vector< uint8_t >, struct LMS_Message_ > LMS_Message
A message that is signed with an LMS tree.
Definition lm_ots.h:58
Botan::concat
constexpr auto concat(Rs &&... ranges)
Definition concat_util.h:90
Botan::HSS_Level
Strong< uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber > HSS_Level
The HSS layer in the HSS multi tree starting at 0 from the root.
Definition hss.h:35
Botan::LMS_Tree_Node_Idx
Strong< uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber > LMS_Tree_Node_Idx
The index of a node within a specific LMS tree layer.
Definition lm_ots.h:48
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504
Generated by doxygen 1.15.0