doxygen/sp__wots_8cpp_source.html

/*

* WOTS+ - Winternitz One Time Signature Plus Scheme (FIPS 205, Section 5)

* (C) 2023 Jack Lloyd

*     2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity

*

* Botan is released under the Simplified BSD License (see license.txt)

**/


#include <botan/internal/sp_wots.h>


#include <botan/internal/sp_hash.h>

#include <botan/internal/stl_util.h>


namespace Botan {

namespace {


/**

 * @brief FIPS 205, Algorithm 5: chain

 *

 * Computes a WOTS+ hash chain for @p steps steps beginning with value

 * @p wots_chain_key at index @p start.

 */

void chain(StrongSpan<WotsPublicKeyNode> out,

           StrongSpan<const WotsNode> wots_chain_key,

           WotsHashIndex start,

           uint8_t steps,

           Sphincs_Address& addr,

           Sphincs_Hash_Functions& hashes,

           const Sphincs_Parameters& params) {

   // Initialize out with the value at position 'start'.

   std::copy(wots_chain_key.begin(), wots_chain_key.end(), out.begin());


   // Iterate 'steps' calls to the hash function.

   for(WotsHashIndex i = start; i < (start + steps) && i < params.w(); i++) {

      addr.set_hash_address(i);

      hashes.T(out, addr, out);

   }

}


/**

 * FIPS 205, Algorithm 4: base_2^b for WOTS+

 *

 * Interprets an array of bytes as integers in base w = 2^b.

 * This only works when lg_w is a divisor of 8.

 */

void base_2_b(std::span<WotsHashIndex> output, std::span<const uint8_t> input, const Sphincs_Parameters& params) {

   BOTAN_ASSERT_NOMSG(output.size() <= 8 * input.size() / params.log_w());


   size_t input_offset = 0;

   uint8_t current_byte = 0;

   uint32_t remaining_bits_in_current_byte = 0;


   for(auto& out : output) {

      if(remaining_bits_in_current_byte == 0) {

         current_byte = input[input_offset];

         ++input_offset;

         remaining_bits_in_current_byte = 8;

      }

      remaining_bits_in_current_byte -= params.log_w();

      out = WotsHashIndex((current_byte >> remaining_bits_in_current_byte) & (params.w() - 1));

   }

}


/**

 * Computes the WOTS+ checksum over a message (in base_2^b).

 * Corresponds to FIPS 205, Algorithm 7 or 8, Step 7.

 */

void wots_checksum(std::span<WotsHashIndex> output,

                   std::span<const WotsHashIndex> msg_base_w,

                   const Sphincs_Parameters& params) {

   uint32_t csum = 0;


   // Compute checksum.

   for(auto wots_hash_index : msg_base_w) {

      csum += params.w() - 1 - wots_hash_index.get();

   }


   // Convert checksum to base_w.

   csum = csum << ((8 - ((params.wots_len_2() * params.log_w()) % 8)) % 8);


   std::array<uint8_t, 4> csum_bytes{};

   store_be(csum, csum_bytes.data());


   const size_t csum_bytes_size = params.wots_checksum_bytes();

   BOTAN_ASSERT_NOMSG(csum_bytes.size() >= csum_bytes_size);

   base_2_b(output, std::span(csum_bytes).last(csum_bytes_size), params);

}


}  // namespace


std::vector<WotsHashIndex> chain_lengths(const SphincsTreeNode& msg, const Sphincs_Parameters& params) {

   std::vector<WotsHashIndex> result(params.wots_len_1() + params.wots_len_2());


   auto msg_base_w = std::span(result).first(params.wots_len_1());

   auto checksum_base_w = std::span(result).last(params.wots_len_2());


   base_2_b(msg_base_w, msg.get(), params);

   wots_checksum(checksum_base_w, msg_base_w, params);


   return result;

}


WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode& hashed_message,

                                             StrongSpan<const WotsSignature> signature,

                                             Sphincs_Address& address,

                                             const Sphincs_Parameters& params,

                                             Sphincs_Hash_Functions& hashes) {

   const std::vector<WotsHashIndex> lengths = chain_lengths(hashed_message, params);

   WotsPublicKey pk_buffer(params.wots_len() * params.n());

   BufferSlicer sig(signature);

   BufferStuffer pk(pk_buffer);


   for(WotsChainIndex i(0); i < params.wots_len(); i++) {

      address.set_chain_address(i);


      // params.w() can be one of {4, 8, 256}

      const WotsHashIndex start_index = lengths[i.get()];

      const uint8_t steps_to_take = static_cast<uint8_t>(params.w() - 1) - start_index.get();


      chain(pk.next<WotsPublicKeyNode>(params.n()),

            sig.take<WotsNode>(params.n()),

            start_index,

            steps_to_take,

            address,

            hashes,

            params);

   }


   return pk_buffer;

}


void wots_sign_and_pkgen(StrongSpan<WotsSignature> sig_out,

                         StrongSpan<SphincsTreeNode> leaf_out,

                         const SphincsSecretSeed& secret_seed,

                         TreeNodeIndex leaf_idx,

                         std::optional<TreeNodeIndex> sign_leaf_idx,

                         const std::vector<WotsHashIndex>& wots_steps,

                         Sphincs_Address& leaf_addr,

                         Sphincs_Address& pk_addr,

                         const Sphincs_Parameters& params,

                         Sphincs_Hash_Functions& hashes) {

   // `wots_steps` are needed only if `sign_leaf_idx` is set

   BOTAN_ASSERT_NOMSG(!sign_leaf_idx.has_value() || wots_steps.size() == params.wots_len());

   BOTAN_ASSERT_NOMSG(pk_addr.get_type() == Sphincs_Address_Type::WotsPublicKeyCompression);


   secure_vector<uint8_t> wots_sig;

   WotsPublicKey wots_pk_buffer(params.wots_bytes());


   BufferStuffer wots_pk(wots_pk_buffer);

   BufferStuffer sig(sig_out);


   leaf_addr.set_keypair_address(leaf_idx);

   pk_addr.set_keypair_address(leaf_idx);


   for(WotsChainIndex i(0); i < params.wots_len(); i++) {

      // If the current leaf is part of the signature wots_k stores the chain index

      //   of the value neccessary for the signature. Otherwise: nullopt (no signature)

      const auto wots_k = [&]() -> std::optional<WotsHashIndex> {

         if(sign_leaf_idx.has_value() && leaf_idx == sign_leaf_idx.value()) {

            return wots_steps[i.get()];

         } else {

            return std::nullopt;

         }

      }();


      // Start with the secret seed

      leaf_addr.set_chain_address(i);

      leaf_addr.set_hash_address(WotsHashIndex(0));

      leaf_addr.set_type(Sphincs_Address_Type::WotsKeyGeneration);


      auto buffer_s = wots_pk.next<WotsNode>(params.n());


      hashes.PRF(buffer_s, secret_seed, leaf_addr);


      leaf_addr.set_type(Sphincs_Address_Type::WotsHash);


      // Iterates down the WOTS chain

      for(WotsHashIndex k(0);; k++) {

         // Check if this is the value that needs to be saved as a part of the WOTS signature

         if(wots_k.has_value() && k == wots_k.value()) {

            std::copy(buffer_s.begin(), buffer_s.end(), sig.next<WotsNode>(params.n()).begin());

         }


         // Check if the top of the chain was hit

         if(k == params.w() - 1) {

            break;

         }


         // Iterate one step on the chain

         leaf_addr.set_hash_address(k);


         hashes.T(buffer_s, leaf_addr, buffer_s);

      }

   }


   // Do the final thash to generate the public keys

   hashes.T(leaf_out, pk_addr, wots_pk_buffer);

}


}  // namespace Botan

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::BufferSlicer
Definition stl_util.h:76

Botan::BufferSlicer::take
std::span< const uint8_t > take(const size_t count)
Definition stl_util.h:90

Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:134

Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:142

Botan::Sphincs_Address
Definition sp_address.h:34

Botan::Sphincs_Address::get_type
Sphincs_Address_Type get_type() const
Definition sp_address.h:136

Botan::Sphincs_Address::set_chain_address
Sphincs_Address & set_chain_address(WotsChainIndex chain)
Definition sp_address.h:83

Botan::Sphincs_Address::set_hash_address
Sphincs_Address & set_hash_address(WotsHashIndex hash)
Definition sp_address.h:93

Botan::Sphincs_Address::set_keypair_address
Sphincs_Address & set_keypair_address(TreeNodeIndex keypair)
Definition sp_address.h:78

Botan::Sphincs_Address::set_type
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:73

Botan::Sphincs_Hash_Functions
Definition sp_hash.h:23

Botan::Sphincs_Hash_Functions::T
void T(std::span< uint8_t > out, const Sphincs_Address &address, const BufferTs &... in)
Definition sp_hash.h:57

Botan::Sphincs_Hash_Functions::PRF
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:70

Botan::Sphincs_Parameters
Definition sp_parameters.h:45

Botan::Sphincs_Parameters::wots_bytes
uint32_t wots_bytes() const
Definition sp_parameters.h:170

Botan::Sphincs_Parameters::n
size_t n() const
Definition sp_parameters.h:96

Botan::Sphincs_Parameters::wots_len_2
uint32_t wots_len_2() const
Definition sp_parameters.h:160

Botan::Sphincs_Parameters::wots_len_1
uint32_t wots_len_1() const
Definition sp_parameters.h:155

Botan::Sphincs_Parameters::wots_len
uint32_t wots_len() const
Definition sp_parameters.h:165

Botan::Sphincs_Parameters::w
uint32_t w() const
Definition sp_parameters.h:124

Botan::StrongSpan
Definition strong_type.h:640

Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:52

Botan
Definition alg_id.cpp:13

Botan::SphincsTreeNode
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:70

Botan::Sphincs_Address_Type::WotsKeyGeneration
@ WotsKeyGeneration
Definition sp_address.h:26

Botan::Sphincs_Address_Type::WotsPublicKeyCompression
@ WotsPublicKeyCompression
Definition sp_address.h:22

Botan::Sphincs_Address_Type::WotsHash
@ WotsHash
Definition sp_address.h:21

Botan::wots_public_key_from_signature
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 8: wots_pkFromSig.
Definition sp_wots.cpp:103

Botan::wots_sign_and_pkgen
void wots_sign_and_pkgen(StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters &params, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
Definition sp_wots.cpp:132

Botan::WotsHashIndex
Strong< uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber > WotsHashIndex
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition sp_types.h:98

Botan::WotsNode
Strong< secure_vector< uint8_t >, struct WotsNode_ > WotsNode
Start (or intermediate) node of a WOTS+ chain.
Definition sp_types.h:79

Botan::WotsPublicKey
Strong< std::vector< uint8_t >, struct WotsPublicKey_ > WotsPublicKey
Definition sp_types.h:73

Botan::WotsChainIndex
Strong< uint32_t, struct WotsChainIndex_ > WotsChainIndex
Index of a WOTS chain within a single usage of WOTS.
Definition sp_types.h:95

Botan::SphincsSecretSeed
Strong< secure_vector< uint8_t >, struct SphincsSecretSeed_ > SphincsSecretSeed
Definition sp_types.h:61

Botan::WotsPublicKeyNode
Strong< std::vector< uint8_t >, struct WotsPublicKeyNode_ > WotsPublicKeyNode
End node of a WOTS+ chain (part of the WOTS+ public key)
Definition sp_types.h:76

Botan::TreeNodeIndex
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69

Botan::chain_lengths
std::vector< WotsHashIndex > chain_lengths(const SphincsTreeNode &msg, const Sphincs_Parameters &params)
Definition sp_wots.cpp:91

Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745