doxygen/sp__fors_8cpp_source.html

/*

 * FORS - Forest of Random Subsets (FIPS 205, Section 8)

 * (C) 2023 Jack Lloyd

 *     2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity

 *

 * Parts of this file have been adapted from https://github.com/sphincs/sphincsplus

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/sp_fors.h>


#include <botan/assert.h>

#include <botan/hash.h>

#include <botan/sp_parameters.h>


#include <botan/internal/sp_address.h>

#include <botan/internal/sp_hash.h>

#include <botan/internal/sp_treehash.h>

#include <botan/internal/sp_types.h>

#include <botan/internal/stl_util.h>


namespace Botan {


namespace {


/// FIPS 205, Algorithm 4: base_2^b(X,b,out_len) with b = a and out_len = k (for usage in FORS)

std::vector<TreeNodeIndex> fors_message_to_indices(std::span<const uint8_t> message, const Sphincs_Parameters& params) {

   BOTAN_ASSERT_NOMSG((message.size() * 8) >= (params.k() * params.a()));


   std::vector<TreeNodeIndex> indices(params.k());


   uint32_t offset = 0;


   // This is one of the few places where the logic of SPHINCS+ round 3.1 and SLH-DSA differs

   auto update_idx = [&]() -> std::function<void(TreeNodeIndex&, uint32_t)> {

#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)

      if(params.is_slh_dsa()) {

         return [&](TreeNodeIndex& idx, uint32_t i) {

            idx ^= (((message[offset >> 3] >> (~offset & 0x7)) & 0x1) << (params.a() - 1 - i));

         };

      }

#endif

#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)

      if(!params.is_slh_dsa()) {

         return [&](TreeNodeIndex& idx, uint32_t i) { idx ^= (((message[offset >> 3] >> (offset & 0x7)) & 0x1) << i); };

      }

#endif

      throw Internal_Error("Missing FORS index update logic for SPHINCS+ or SLH-DSA");

   }();


   for(auto& idx : indices) {

      for(uint32_t i = 0; i < params.a(); ++i, ++offset) {

         update_idx(idx, i);

      }

   }


   return indices;

}


}  // namespace


SphincsTreeNode fors_sign_and_pkgen(StrongSpan<ForsSignature> sig_out,

                                    const SphincsHashedMessage& hashed_message,

                                    const SphincsSecretSeed& secret_seed,

                                    const Sphincs_Address& address,

                                    const Sphincs_Parameters& params,

                                    Sphincs_Hash_Functions& hashes) {

   BOTAN_ASSERT_NOMSG(sig_out.size() == params.fors_signature_bytes());


   const auto indices = fors_message_to_indices(hashed_message, params);


   auto fors_tree_addr = Sphincs_Address::as_keypair_from(address);


   auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);


   std::vector<uint8_t> roots_buffer(params.k() * params.n());

   BufferStuffer roots(roots_buffer);

   BufferStuffer sig(sig_out);


   // Buffer to hold the FORS leafs during tree traversal

   // (Avoids a secure_vector allocation/deallocation in the hot path)

   ForsLeafSecret fors_leaf_secret(params.n());


   // For each of the k FORS subtrees: Compute the secret leaf, the authentication path

   // and the trees' root and append the signature respectively

   BOTAN_ASSERT_NOMSG(indices.size() == params.k());

   for(uint32_t i = 0; i < params.k(); ++i) {

      uint32_t idx_offset = i * (1 << params.a());


      // Compute the secret leaf given by the chunk of the message and append it to the signature

      fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration)

         .set_tree_height(TreeLayerIndex(0))

         .set_tree_index(indices[i] + idx_offset);


      hashes.PRF(sig.next<ForsLeafSecret>(params.n()), secret_seed, fors_tree_addr);


      // Compute the authentication path and root for this leaf node

      fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);


      GenerateLeafFunction fors_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {

         fors_tree_addr.set_tree_index(address_index);

         fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration);


         hashes.PRF(fors_leaf_secret, secret_seed, fors_tree_addr);


         fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);

         hashes.T(out_root, fors_tree_addr, fors_leaf_secret);

      };


      treehash(roots.next<SphincsTreeNode>(params.n()),

               sig.next<SphincsAuthenticationPath>(params.a() * params.n()),

               params,

               hashes,

               indices[i],

               idx_offset,

               params.a(),

               fors_gen_leaf,

               fors_tree_addr);

   }


   BOTAN_ASSERT_NOMSG(sig.full());

   BOTAN_ASSERT_NOMSG(roots.full());


   // Compute the public key by the hash of the concatenation of all roots

   return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);

}


SphincsTreeNode fors_public_key_from_signature(const SphincsHashedMessage& hashed_message,

                                               StrongSpan<const ForsSignature> signature,

                                               const Sphincs_Address& address,

                                               const Sphincs_Parameters& params,

                                               Sphincs_Hash_Functions& hashes) {

   const auto indices = fors_message_to_indices(hashed_message, params);


   auto fors_tree_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTree);


   auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);


   BufferSlicer s(signature);

   std::vector<uint8_t> roots_buffer(params.k() * params.n());

   BufferStuffer roots(roots_buffer);


   // For each of the k FORS subtrees: Reconstruct the subtree's root node by using the

   // leaf and the authentication path offered in the FORS signature.

   BOTAN_ASSERT_NOMSG(indices.size() == params.k());

   for(uint32_t i = 0; i < params.k(); ++i) {

      uint32_t idx_offset = i * (1 << params.a());


      // Compute the FORS leaf by using the secret leaf contained in the signature

      fors_tree_addr.set_tree_height(TreeLayerIndex(0)).set_tree_index(indices[i] + idx_offset);

      auto fors_leaf_secret = s.take<ForsLeafSecret>(params.n());

      auto auth_path = s.take<SphincsAuthenticationPath>(params.n() * params.a());

      auto leaf = hashes.T<SphincsTreeNode>(fors_tree_addr, fors_leaf_secret);


      // Reconstruct the subtree's root using the authentication path

      compute_root(roots.next<SphincsTreeNode>(params.n()),

                   params,

                   hashes,

                   leaf,

                   indices[i],

                   idx_offset,

                   auth_path,

                   params.a(),

                   fors_tree_addr);

   }


   BOTAN_ASSERT_NOMSG(roots.full());


   // Reconstruct the public key the signature creates with the hash of the concatenation of all roots

   // Only if the signature is valid, the pk is the correct FORS pk.

   return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::BufferSlicer
Definition stl_util.h:76

Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:90

Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:134

Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:142

Botan::BufferStuffer::full
constexpr bool full() const
Definition stl_util.h:179

Botan::Internal_Error
Definition exceptn.h:321

Botan::Sphincs_Address
Definition sp_address.h:34

Botan::Sphincs_Address::set_type
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:73

Botan::Sphincs_Address::as_keypair_from
static Sphincs_Address as_keypair_from(const Sphincs_Address &other)
Definition sp_address.h:130

Botan::Sphincs_Hash_Functions
Definition sp_hash.h:23

Botan::Sphincs_Hash_Functions::T
void T(std::span< uint8_t > out, const Sphincs_Address &address, const BufferTs &... in)
Definition sp_hash.h:57

Botan::Sphincs_Hash_Functions::PRF
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:70

Botan::Sphincs_Parameters
Definition sp_parameters.h:45

Botan::Sphincs_Parameters::n
size_t n() const
Definition sp_parameters.h:96

Botan::Sphincs_Parameters::k
uint32_t k() const
Definition sp_parameters.h:119

Botan::Sphincs_Parameters::a
uint32_t a() const
Definition sp_parameters.h:114

Botan::Sphincs_Parameters::fors_signature_bytes
uint32_t fors_signature_bytes() const
Definition sp_parameters.h:180

Botan::StrongSpan
Definition strong_type.h:640

Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:695

Botan
Definition alg_id.cpp:13

Botan::SphincsTreeNode
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:70

Botan::Sphincs_Address_Type::ForsTree
@ ForsTree
Definition sp_address.h:24

Botan::Sphincs_Address_Type::ForsKeyGeneration
@ ForsKeyGeneration
Definition sp_address.h:27

Botan::fors_sign_and_pkgen
SphincsTreeNode fors_sign_and_pkgen(StrongSpan< ForsSignature > sig_out, const SphincsHashedMessage &hashed_message, const SphincsSecretSeed &secret_seed, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)
Definition sp_fors.cpp:63

Botan::ForsLeafSecret
Strong< secure_vector< uint8_t >, struct ForsLeafSecret_ > ForsLeafSecret
Definition sp_types.h:71

Botan::SphincsSecretSeed
Strong< secure_vector< uint8_t >, struct SphincsSecretSeed_ > SphincsSecretSeed
Definition sp_types.h:61

Botan::SphincsHashedMessage
Strong< std::vector< uint8_t >, struct SphincsHashedMessage_ > SphincsHashedMessage
Definition sp_types.h:59

Botan::GenerateLeafFunction
std::function< void(StrongSpan< SphincsTreeNode >, TreeNodeIndex)> GenerateLeafFunction
Definition sp_treehash.h:25

Botan::TreeNodeIndex
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92

Botan::fors_public_key_from_signature
SphincsTreeNode fors_public_key_from_signature(const SphincsHashedMessage &hashed_message, StrongSpan< const ForsSignature > signature, const Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 17: fors_pkFromSig.
Definition sp_fors.cpp:129

Botan::SphincsAuthenticationPath
Strong< std::vector< uint8_t >, struct SphincsAuthenticationPath_ > SphincsAuthenticationPath
Definition sp_types.h:67

Botan::TreeLayerIndex
Strong< uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber > TreeLayerIndex
Index of the layer within a FORS/XMSS tree.
Definition sp_types.h:83

Botan::treehash
void treehash(StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)
Definition sp_treehash.cpp:17

Botan::compute_root
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
Definition sp_treehash.cpp:102