Botan  2.15.0
Crypto and TLS for C++11
xmss_verification_operation.cpp
Go to the documentation of this file.
1 /*
2  * XMSS Verification Operation
3  * Provides signature verification capabilities for Extended Hash-Based
4  * Signatures (XMSS).
5  *
6  * (C) 2016,2017 Matthias Gierlings
7  *
8  * Botan is released under the Simplified BSD License (see license.txt)
9  **/
10 
11 #include <botan/internal/xmss_verification_operation.h>
12 #include <botan/xmss_common_ops.h>
13 
14 namespace Botan {
15 
17  const XMSS_PublicKey& public_key) :
18  m_pub_key(public_key),
19  m_hash(public_key.xmss_hash_function()),
20  m_msg_buf(0)
21  {
22  }
23 
25 XMSS_Verification_Operation::root_from_signature(const XMSS_Signature& sig,
26  const secure_vector<uint8_t>& msg,
27  XMSS_Address& adrs,
28  const secure_vector<uint8_t>& seed)
29  {
30  const auto params = m_pub_key.xmss_parameters();
31 
32  const uint32_t next_index = static_cast<uint32_t>(sig.unused_leaf_index());
34  adrs.set_ots_address(next_index);
35 
36  XMSS_WOTS_PublicKey pub_key_ots(m_pub_key.wots_parameters().oid(),
37  msg,
38  sig.tree().ots_signature(),
39  adrs,
40  seed);
41 
43  adrs.set_ltree_address(next_index);
44 
45  std::array<secure_vector<uint8_t>, 2> node;
46  XMSS_Common_Ops::create_l_tree(node[0], pub_key_ots, adrs, seed, m_hash, params);
47 
49  adrs.set_tree_index(next_index);
50 
51  for(size_t k = 0; k < params.tree_height(); k++)
52  {
53  adrs.set_tree_height(static_cast<uint32_t>(k));
54  if(((next_index / (static_cast<size_t>(1) << k)) & 0x01) == 0)
55  {
56  adrs.set_tree_index(adrs.get_tree_index() >> 1);
58  node[0],
59  sig.tree().authentication_path()[k],
60  adrs,
61  seed,
62  m_hash,
63  params);
64  }
65  else
66  {
67  adrs.set_tree_index((adrs.get_tree_index() - 1) >> 1);
69  sig.tree().authentication_path()[k],
70  node[0],
71  adrs,
72  seed,
73  m_hash,
74  params);
75  }
76  node[0] = node[1];
77  }
78  return node[0];
79  }
80 
81 bool
82 XMSS_Verification_Operation::verify(const XMSS_Signature& sig,
83  const secure_vector<uint8_t>& msg,
84  const XMSS_PublicKey& public_key)
85  {
86  XMSS_Address adrs;
87  secure_vector<uint8_t> index_bytes;
88  XMSS_Tools::concat(index_bytes,
89  sig.unused_leaf_index(),
90  m_pub_key.xmss_parameters().element_size());
91  secure_vector<uint8_t> msg_digest =
92  m_hash.h_msg(sig.randomness(),
93  public_key.root(),
94  index_bytes,
95  msg);
96 
97  secure_vector<uint8_t> node = root_from_signature(sig,
98  msg_digest,
99  adrs,
100  public_key.public_seed());
101 
102  return (node == public_key.root());
103  }
104 
105 // FIXME: XMSS signature verification requires the "randomness" parameter out
106 // of the XMSS signature, which is part of the prefix that is hashed before
107 // msg. Since the signature is unknown till sign() is called all message
108 // content has to be buffered. For large messages this can be inconvenient or
109 // impossible.
110 // Possible solution: Change PK_Ops::Verification interface to take the
111 // signature as constructor argument, make sign a parameterless member call.
112 void XMSS_Verification_Operation::update(const uint8_t msg[], size_t msg_len)
113  {
114  std::copy(msg, msg + msg_len, std::back_inserter(m_msg_buf));
115  }
116 
118  size_t sig_len)
119  {
120  try
121  {
122  XMSS_Signature signature(m_pub_key.xmss_parameters().oid(),
123  secure_vector<uint8_t>(sig, sig + sig_len));
124  bool result = verify(signature, m_msg_buf, m_pub_key);
125  m_msg_buf.clear();
126  return result;
127  }
128  catch(...)
129  {
130  m_msg_buf.clear();
131  return false;
132  }
133  }
134 
135 }
136 
uint32_t get_tree_index() const
Definition: xmss_address.h:297
void set_ots_address(uint32_t value)
Definition: xmss_address.h:164
void set_tree_height(uint32_t value)
Definition: xmss_address.h:251
static void create_l_tree(secure_vector< uint8_t > &result, wots_keysig_t pk, XMSS_Address &adrs, const secure_vector< uint8_t > &seed, XMSS_Hash &hash, const XMSS_Parameters &params)
void set_ltree_address(uint32_t value)
Definition: xmss_address.h:194
const XMSS_WOTS_PublicKey::TreeSignature & tree() const
const wots_keysig_t & authentication_path() const
bool is_valid_signature(const uint8_t sig[], size_t sig_len) override
secure_vector< uint8_t > h_msg(const secure_vector< uint8_t > &randomness, const secure_vector< uint8_t > &root, const secure_vector< uint8_t > &index_bytes, const secure_vector< uint8_t > &data)
Definition: xmss_hash.cpp:70
void update(const uint8_t msg[], size_t msg_len) override
const XMSS_WOTS_Parameters & wots_parameters() const
const XMSS_Parameters & xmss_parameters() const
void set_type(Type type)
Definition: xmss_address.h:111
Definition: alg_id.cpp:13
XMSS_Verification_Operation(const XMSS_PublicKey &public_key)
static void concat(secure_vector< uint8_t > &target, const T &src)
Definition: xmss_tools.h:63
static void randomize_tree_hash(secure_vector< uint8_t > &result, const secure_vector< uint8_t > &left, const secure_vector< uint8_t > &right, XMSS_Address &adrs, const secure_vector< uint8_t > &seed, XMSS_Hash &hash, const XMSS_Parameters &params)
const wots_keysig_t & ots_signature() const
size_t element_size() const
size_t unused_leaf_index() const
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
void set_tree_index(uint32_t value)
Definition: xmss_address.h:313
xmss_algorithm_t oid() const
ots_algorithm_t oid() const