doxygen/sp__hypertree_8cpp_source.html

/*

 * SLH-DSA's Hypertree Logic (FIPS 205, Section 7)

 * (C) 2023 Jack Lloyd

 *     2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity

 *

 * Botan is released under the Simplified BSD License (see license.txt)

 */


#include <botan/internal/sp_hypertree.h>


#include <botan/sp_parameters.h>

#include <botan/internal/sp_address.h>

#include <botan/internal/sp_hash.h>

#include <botan/internal/sp_treehash.h>

#include <botan/internal/sp_wots.h>

#include <botan/internal/sp_xmss.h>

#include <botan/internal/stl_util.h>


namespace Botan {


void ht_sign(StrongSpan<SphincsHypertreeSignature> out_sig,

             const SphincsTreeNode& message_to_sign,

             const SphincsSecretSeed& secret_seed,

             XmssTreeIndexInLayer tree_index_in_layer,

             TreeNodeIndex idx_leaf,

             const Sphincs_Parameters& params,

             Sphincs_Hash_Functions& hashes) {

   BOTAN_ASSERT_NOMSG(out_sig.size() == params.ht_signature_bytes());

   BufferStuffer ht_signature(out_sig);


   Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);

   wots_addr.set_tree_address(tree_index_in_layer).set_keypair_address(idx_leaf);


   Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);


   SphincsTreeNode xmss_root;

   for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {

      // The first XMSS tree signs the message, the others their underlying XMSS tree root

      const SphincsTreeNode& node_to_xmss_sign = (layer_idx == 0U) ? message_to_sign : xmss_root;


      tree_addr.set_layer_address(layer_idx).set_tree_address(tree_index_in_layer);

      wots_addr.copy_subtree_from(tree_addr).set_keypair_address(idx_leaf);


      xmss_root = xmss_sign_and_pkgen(ht_signature.next<SphincsXmssSignature>(params.xmss_signature_bytes()),

                                      node_to_xmss_sign,

                                      secret_seed,

                                      wots_addr,

                                      tree_addr,

                                      idx_leaf,

                                      params,

                                      hashes);


      // Update the indices for the next layer.

      idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));

      tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();

   }


   BOTAN_ASSERT_NOMSG(ht_signature.full());

}


bool ht_verify(const SphincsTreeNode& signed_msg,

               StrongSpan<const SphincsHypertreeSignature> ht_sig,

               const SphincsTreeNode& pk_root,

               XmssTreeIndexInLayer tree_index_in_layer,

               TreeNodeIndex idx_leaf,

               const Sphincs_Parameters& params,

               Sphincs_Hash_Functions& hashes) {

   BOTAN_ASSERT_NOMSG(ht_sig.size() == params.ht_signature_bytes());

   BufferSlicer sig_s(ht_sig);


   Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);

   Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);

   Sphincs_Address wots_pk_addr(Sphincs_Address_Type::WotsPublicKeyCompression);


   SphincsTreeNode reconstructed_root(params.n());


   // Each iteration reconstructs the root of one XMSS tree of the hypertree

   for(HypertreeLayerIndex layer_idx(0); layer_idx < params.d(); layer_idx++) {

      // The first XMSS tree signs the message, the others their underlying XMSS tree root

      const SphincsTreeNode& current_root = (layer_idx == 0U) ? signed_msg : reconstructed_root;


      tree_addr.set_layer_address(layer_idx);

      tree_addr.set_tree_address(tree_index_in_layer);


      wots_addr.copy_subtree_from(tree_addr);

      wots_addr.set_keypair_address(idx_leaf);


      wots_pk_addr.copy_keypair_from(wots_addr);


      const auto wots_pk = wots_public_key_from_signature(

         current_root, sig_s.take<WotsSignature>(params.wots_bytes()), wots_addr, params, hashes);


      // Compute the leaf node using the WOTS public key.

      const auto leaf = hashes.T<SphincsTreeNode>(wots_pk_addr, wots_pk);


      // Compute the root node of this subtree.

      compute_root(StrongSpan<SphincsTreeNode>(reconstructed_root),

                   params,

                   hashes,

                   leaf,

                   idx_leaf,

                   0,

                   sig_s.take<SphincsAuthenticationPath>(params.xmss_tree_height() * params.n()),

                   params.xmss_tree_height(),

                   tree_addr);


      // Update the indices for the next layer.

      idx_leaf = TreeNodeIndex(tree_index_in_layer.get() & ((1 << params.xmss_tree_height()) - 1));

      tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();

   }


   BOTAN_ASSERT_NOMSG(sig_s.empty());


   // Check if the root node equals the root node in the public key.

   return reconstructed_root == pk_root;

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59

Botan::BufferSlicer
Definition stl_util.h:84

Botan::BufferSlicer::empty
bool empty() const
Definition stl_util.h:129

Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:98

Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:142

Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:150

Botan::BufferStuffer::full
constexpr bool full() const
Definition stl_util.h:187

Botan::Sphincs_Address
Definition sp_address.h:34

Botan::Sphincs_Address::set_layer_address
Sphincs_Address & set_layer_address(HypertreeLayerIndex layer)
Definition sp_address.h:58

Botan::Sphincs_Address::set_tree_address
Sphincs_Address & set_tree_address(XmssTreeIndexInLayer tree)
Definition sp_address.h:63

Botan::Sphincs_Address::copy_subtree_from
Sphincs_Address & copy_subtree_from(const Sphincs_Address &other)
Definition sp_address.h:106

Botan::Sphincs_Address::set_keypair_address
Sphincs_Address & set_keypair_address(TreeNodeIndex keypair)
Definition sp_address.h:79

Botan::Sphincs_Address::copy_keypair_from
Sphincs_Address & copy_keypair_from(const Sphincs_Address other)
Definition sp_address.h:121

Botan::Sphincs_Hash_Functions
Definition sp_hash.h:23

Botan::Sphincs_Hash_Functions::T
void T(std::span< uint8_t > out, const Sphincs_Address &address, BufferTs &&... in)
Definition sp_hash.h:57

Botan::Sphincs_Parameters
Definition sp_parameters.h:45

Botan::Sphincs_Parameters::wots_bytes
uint32_t wots_bytes() const
Definition sp_parameters.h:170

Botan::Sphincs_Parameters::n
size_t n() const
Definition sp_parameters.h:96

Botan::Sphincs_Parameters::xmss_tree_height
uint32_t xmss_tree_height() const
Definition sp_parameters.h:135

Botan::Sphincs_Parameters::ht_signature_bytes
uint32_t ht_signature_bytes() const
Definition sp_parameters.h:145

Botan::Sphincs_Parameters::xmss_signature_bytes
uint32_t xmss_signature_bytes() const
Definition sp_parameters.h:140

Botan::Sphincs_Parameters::d
uint32_t d() const
Definition sp_parameters.h:106

Botan::StrongSpan
Definition strong_type.h:614

Botan::StrongSpan::size
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:663

Botan::Strong< std::vector< uint8_t >, struct SphincsTreeNode_ >

Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:50

Botan
Definition alg_id.cpp:13

Botan::Sphincs_Address_Type::HashTree
@ HashTree

Botan::Sphincs_Address_Type::WotsPublicKeyCompression
@ WotsPublicKeyCompression

Botan::Sphincs_Address_Type::WotsHash
@ WotsHash

Botan::wots_public_key_from_signature
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 8: wots_pkFromSig.
Definition sp_wots.cpp:103

Botan::ht_sign
void ht_sign(StrongSpan< SphincsHypertreeSignature > out_sig, const SphincsTreeNode &message_to_sign, const SphincsSecretSeed &secret_seed, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 12: ht_sign.
Definition sp_hypertree.cpp:21

Botan::ht_verify
bool ht_verify(const SphincsTreeNode &signed_msg, StrongSpan< const SphincsHypertreeSignature > ht_sig, const SphincsTreeNode &pk_root, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 13: ht_verify.
Definition sp_hypertree.cpp:61

Botan::TreeNodeIndex
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92

Botan::xmss_sign_and_pkgen
SphincsTreeNode xmss_sign_and_pkgen(StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 10: xmss_sign.
Definition sp_xmss.cpp:19

Botan::compute_root
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
Definition sp_treehash.cpp:102