xmss_parameters.h
1/*
2 * XMSS Parameters
3 * (C) 2016,2018 Matthias Gierlings
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 **/
7
8#ifndef BOTAN_XMSS_PARAMETERS_H_
9#define BOTAN_XMSS_PARAMETERS_H_
10
11#include <map>
12#include <string>
13
14#include <botan/secmem.h>
15#include <botan/types.h>
16
17namespace Botan {
18
19/**
20 * Describes a signature method for XMSS Winternitz One Time Signatures,
21 * as defined in:
22 * [1] XMSS: Extended Hash-Based Signatures,
23 * Request for Comments: 8391
24 * Release: May 2018.
25 * https://datatracker.ietf.org/doc/rfc8391/
26 * [2] Recommendation for Stateful Hash-Based Signature Schemes
27 * NIST Special Publication 800-208
28 * Release: October 2020.
29 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
30 **/
32 public:
/**
 * Numeric identifiers for the WOTS+ parameter sets, held in a uint32_t.
 * The groups below record which document defines each set. The middle
 * group is marked as not approved by NIST SP.800-208, which matters when
 * a deployment has to stay within the NIST-approved sets.
 **/
33 enum ots_algorithm_t : uint32_t /* NOLINT(*-enum-size) */ {
34 // from RFC 8391
35 WOTSP_SHA2_256 = 0x00000001,
36
37 // from RFC 8391 but not approved by NIST SP.800-208
38 // (see footnote on page 16)
39 WOTSP_SHA2_512 = 0x00000002,
40 WOTSP_SHAKE_256 = 0x00000003,
41 WOTSP_SHAKE_512 = 0x00000004,
42
43 // from NIST SP.800-208
44 WOTSP_SHA2_192 = 0x00000005,
45 WOTSP_SHAKE_256_256 = 0x00000006,
46 WOTSP_SHAKE_256_192 = 0x00000007,
47 };
48
/**
 * Construct the WOTS+ parameter set identified by its name.
 *
 * NOTE(review): presumably resolved through xmss_wots_id_from_string().
 * How an unknown name is reported is not visible in this header;
 * confirm before passing externally supplied names.
 *
 * @param algo_name name of the parameter set.
 **/
49 explicit XMSS_WOTS_Parameters(std::string_view algo_name);
50
/**
 * Construct the WOTS+ parameter set for the given identifier.
 *
 * NOTE(review): the BOTAN_FUTURE_EXPLICIT marker suggests this
 * constructor is not yet explicit, so an ots_algorithm_t value may
 * convert implicitly to XMSS_WOTS_Parameters; confirm against api.h.
 * Handling of a value outside the enumerators is defined in the
 * implementation, not here.
 *
 * @param ots_spec identifier of the parameter set.
 **/
51 BOTAN_FUTURE_EXPLICIT XMSS_WOTS_Parameters(ots_algorithm_t ots_spec);
52
/**
 * Map a parameter-set name to its ots_algorithm_t identifier.
 *
 * NOTE(review): presumably backed by m_oid_name_lut. How an unknown
 * name is reported (exception or otherwise) is decided in the
 * implementation; confirm.
 *
 * @param param_set name of the parameter set.
 * @return identifier of the named parameter set.
 **/
53 static ots_algorithm_t xmss_wots_id_from_string(std::string_view param_set);
54
55 /**
56 * Algorithm 1: convert input string to base.
57 *
58 * @param msg Input string (referred to as X in [1]).
59 * @param out_size size of message in base w.
60 *
61 * @return Input string converted to the given base.
62 **/
63 secure_vector<uint8_t> base_w(const secure_vector<uint8_t>& msg, size_t out_size) const;
64
/**
 * Overload of base_w() that takes an integer instead of a byte string.
 *
 * NOTE(review): presumably used to encode the checksum value as
 * len_2() base-w digits; confirm against the implementation.
 *
 * @param value integer to convert.
 * @return the converted digits, held in a secure_vector.
 **/
65 secure_vector<uint8_t> base_w(size_t value) const;
66
/**
 * Takes data by non-const reference, so the caller's vector is
 * modified in place.
 *
 * NOTE(review): presumably appends the WOTS+ checksum of the base-w
 * message digits as described in [1]; confirm.
 *
 * @param data vector that is extended by this call.
 **/
67 void append_checksum(secure_vector<uint8_t>& data) const;
68
69 /**
70 * @return XMSS WOTS registry name for the chosen parameter set.
71 **/
72 const std::string& name() const { return m_name; }
73
74 /**
75 * Retrieves the uniform length of a message, and the size of
76 * each node. This correlates to XMSS parameter "n" defined
77 * in [1].
78 *
79 * @return element length in bytes.
80 **/
81 size_t element_size() const { return m_element_size; }
82
83 /**
84 * The Winternitz parameter.
85 *
86 * @return numeric base used for internal representation of
87 * data.
88 **/
89 size_t wots_parameter() const { return m_w; }
90
/**
 * NOTE(review): presumably the parameter "len" of [1], the number of
 * n-byte elements in a WOTS+ key or signature (len_1 + len_2); confirm.
 *
 * @return the stored value m_len.
 **/
91 size_t len() const { return m_len; }
92
/**
 * NOTE(review): presumably the number of base-w digits that encode the
 * message ("len_1" in [1]); confirm.
 *
 * @return the stored value m_len_1.
 **/
93 size_t len_1() const { return m_len_1; }
94
/**
 * NOTE(review): presumably the number of base-w digits that encode the
 * checksum ("len_2" in [1]); confirm.
 *
 * @return the stored value m_len_2.
 **/
95 size_t len_2() const { return m_len_2; }
96
/**
 * m_lg_w is stored as uint8_t and widened to size_t on return.
 *
 * NOTE(review): presumably log2 of the Winternitz parameter; confirm.
 *
 * @return the stored value m_lg_w.
 **/
97 size_t lg_w() const { return m_lg_w; }
98
/**
 * @return the ots_algorithm_t identifier of this parameter set.
 **/
99 ots_algorithm_t oid() const { return m_oid; }
100
/**
 * NOTE(review): the unit is not stated here. The matching accessor on
 * XMSS_Parameters is documented as the estimated pre-quantum security
 * level; presumably this has the same meaning, in bits. Confirm.
 *
 * @return the stored value m_strength.
 **/
101 size_t estimated_strength() const { return m_strength; }
102
/**
 * Equality is decided by the identifier alone. The derived fields
 * (name, sizes, strength) are not compared.
 **/
103 bool operator==(const XMSS_WOTS_Parameters& p) const { return m_oid == p.m_oid; }
104
105 private:
// Name-to-identifier table shared by all instances.
106 static const std::map<std::string, ots_algorithm_t> m_oid_name_lut;
// None of the fields below has an in-class initializer, so each one relies
// on the constructors (declared above, defined outside this header) to set it.
107 ots_algorithm_t m_oid;
108 std::string m_name;
// No accessor for m_hash_name is declared in this class's interface above.
109 std::string m_hash_name;
110 size_t m_element_size;
111 size_t m_w;
112 size_t m_len_1;
113 size_t m_len_2;
114 size_t m_len;
115 size_t m_strength;
// Stored as uint8_t; lg_w() returns it as size_t.
116 uint8_t m_lg_w;
117};
118
119/**
120 * Describes a signature method for XMSS, as defined in:
121 * [1] XMSS: Extended Hash-Based Signatures,
122 * Request for Comments: 8391
123 * Release: May 2018.
124 * https://datatracker.ietf.org/doc/rfc8391/
125 * [2] Recommendation for Stateful Hash-Based Signature Schemes
126 * NIST Special Publication 800-208
127 * Release: October 2020.
128 * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-208.pdf
129 **/
131 public:
132 enum xmss_algorithm_t : uint32_t /* NOLINT(*-enum-size) */ {
133 // from RFC 8391
134 XMSS_SHA2_10_256 = 0x00000001,
135 XMSS_SHA2_16_256 = 0x00000002,
136 XMSS_SHA2_20_256 = 0x00000003,
137
138 // from RFC 8391 but not approved by NIST SP.800-208
139 // (see footnote on page 16)
140 XMSS_SHA2_10_512 = 0x00000004,
141 XMSS_SHA2_16_512 = 0x00000005,
142 XMSS_SHA2_20_512 = 0x00000006,
143 XMSS_SHAKE_10_256 = 0x00000007,
144 XMSS_SHAKE_16_256 = 0x00000008,
145 XMSS_SHAKE_20_256 = 0x00000009,
146 XMSS_SHAKE_10_512 = 0x0000000a,
147 XMSS_SHAKE_16_512 = 0x0000000b,
148 XMSS_SHAKE_20_512 = 0x0000000c,
149
150 // from NIST SP.800-208
151 XMSS_SHA2_10_192 = 0x0000000d,
152 XMSS_SHA2_16_192 = 0x0000000e,
153 XMSS_SHA2_20_192 = 0x0000000f,
160 };
161
/**
 * Map a parameter-set name to its xmss_algorithm_t identifier.
 *
 * NOTE(review): how an unknown name is reported is decided in the
 * implementation; confirm before passing externally supplied names.
 *
 * @param algo_name name of the parameter set.
 * @return identifier of the named parameter set.
 **/
162 static xmss_algorithm_t xmss_id_from_string(std::string_view algo_name);
163
/**
 * Construct the XMSS parameter set identified by its name.
 *
 * NOTE(review): presumably resolved through xmss_id_from_string();
 * confirm.
 *
 * @param algo_name name of the parameter set.
 **/
164 explicit XMSS_Parameters(std::string_view algo_name);
/**
 * Construct the XMSS parameter set for the given identifier.
 *
 * NOTE(review): an identifier read from a serialized key is external
 * input. Handling of a value outside the enumerators is decided in
 * the implementation; confirm.
 *
 * @param oid identifier of the parameter set.
 **/
165 explicit XMSS_Parameters(xmss_algorithm_t oid);
166
167 /**
168 * @return XMSS registry name for the chosen parameter set.
169 **/
170 const std::string& name() const { return m_name; }
171
/**
 * The reference stays valid only while this object is alive.
 *
 * @return reference to the stored hash function name m_hash_name.
 **/
172 const std::string& hash_function_name() const { return m_hash_name; }
173
174 /**
175 * Retrieves the uniform length of a message, and the size of
176 * each node. This correlates to XMSS parameter "n" defined
177 * in [1].
178 *
179 * @return element length in bytes.
180 **/
181 size_t element_size() const { return m_element_size; }
182
183 /**
184 * Retrieves the length of the hash identifier (domain separator)
185 * in bytes. See definition of `toByte()` in RFC 8391 Section 2.4
186 * and the concrete definitions of hash functions in Section 5.1
187 * where this parameter is always equal to the output length of the
188 * underlying hash primitive. Also see NIST SP.800-208 where
189 * instantiations utilizing truncated hashes use shorter hash IDs.
190 */
191 size_t hash_id_size() const { return m_hash_id_size; }
192
193 /**
194 * @returns The height (number of levels - 1) of the tree
195 **/
196 size_t tree_height() const { return m_tree_height; }
197
198 /**
199 * @returns total number of signatures allowed for this XMSS instance
 *
 * Computed as 2^tree_height(). XMSS is one of the stateful schemes
 * covered by [2], so this is the upper bound on signatures for a key.
 *
 * NOTE(review): the shift is only well defined while tree_height() is
 * smaller than the bit width of size_t. The parameter-set names visible
 * in this file suggest heights of 10, 16 and 20; confirm that
 * m_tree_height is only ever set from those.
200 */
201 size_t total_number_of_signatures() const { return size_t(1) << tree_height(); }
202
203 /**
204 * The Winternitz parameter.
205 *
206 * @return numeric base used for internal representation of
207 * data.
208 **/
209 size_t wots_parameter() const { return m_w; }
210
/**
 * NOTE(review): presumably the WOTS+ parameter "len" of [1] for the
 * one-time signature scheme used by this parameter set; confirm.
 *
 * @return the stored value m_len.
 **/
211 size_t len() const { return m_len; }
212
/**
 * @return the xmss_algorithm_t identifier of this parameter set.
 **/
213 xmss_algorithm_t oid() const { return m_oid; }
214
/**
 * @return the stored WOTS+ identifier m_wots_oid associated with this
 * XMSS parameter set.
 **/
215 XMSS_WOTS_Parameters::ots_algorithm_t ots_oid() const { return m_wots_oid; }
216
217 /**
218 * Returns the estimated pre-quantum security level of
219 * the chosen algorithm.
220 **/
221 size_t estimated_strength() const { return m_strength; }
222
/**
 * NOTE(review): presumably the 4-byte identifier followed by the root
 * node and the public seed, each element_size() bytes, as in the
 * public key format of [1]; confirm.
 *
 * @return sizeof(uint32_t) + 2 * element_size(), in bytes.
 **/
223 size_t raw_public_key_size() const { return sizeof(uint32_t) + 2 * element_size(); }
224
226 return raw_public_key_size() + sizeof(uint32_t) + 2 * element_size();
227 }
228
/**
 * NOTE(review): the naming suggests the legacy encoding lacks the
 * identifier byte, so the key-loading code presumably tells the two
 * encodings apart by length. Confirm that any other length is rejected.
 *
 * @return raw_legacy_private_key_size() plus one byte that identifies
 * the WOTS+ key derivation method.
 **/
229 size_t raw_private_key_size() const {
230 return raw_legacy_private_key_size() + 1 /* identifier for WOTS+ key derivation method */;
231 }
232
/**
 * Equality is decided by the identifier alone. The derived fields
 * (names, sizes, tree height, strength) are not compared.
 **/
233 bool operator==(const XMSS_Parameters& p) const { return m_oid == p.m_oid; }
234
235 private:
236 xmss_algorithm_t m_oid;
238 std::string m_name;
239 std::string m_hash_name;
240 size_t m_element_size;
241 size_t m_hash_id_size;
242 size_t m_tree_height;
243 size_t m_w;
244 size_t m_len;
245 size_t m_strength;
246};
247
248} // namespace Botan
249
250#endif