Botan  2.19.1
Crypto and TLS for C++11
xmss_signature_operation.cpp
Go to the documentation of this file.
1 /*
2  * XMSS Signature Operation
3  * Signature generation operation for Extended Hash-Based Signatures (XMSS) as
4  * defined in:
5  *
6  * [1] XMSS: Extended Hash-Based Signatures,
7  * Request for Comments: 8391
8  * Release: May 2018.
9  * https://datatracker.ietf.org/doc/rfc8391/
10  *
11  * (C) 2016,2017,2018 Matthias Gierlings
12  *
13  * Botan is released under the Simplified BSD License (see license.txt)
14  **/
15 
16 #include <botan/internal/xmss_signature_operation.h>
17 #include <botan/internal/xmss_tools.h>
18 
19 namespace Botan {
20 
22  const XMSS_PrivateKey& private_key) :
23  m_priv_key(private_key),
24  m_xmss_params(private_key.xmss_oid()),
25  m_hash(private_key.xmss_hash_function()),
26  m_randomness(0),
27  m_leaf_idx(0),
28  m_is_initialized(false)
29  {}
30 
32 XMSS_Signature_Operation::generate_tree_signature(const secure_vector<uint8_t>& msg,
33  XMSS_PrivateKey& xmss_priv_key,
34  XMSS_Address& adrs)
35  {
36 
37  wots_keysig_t auth_path = build_auth_path(xmss_priv_key, adrs);
39  adrs.set_ots_address(m_leaf_idx);
40 
41  wots_keysig_t sig_ots = xmss_priv_key.wots_private_key().sign(msg, adrs);
42  return XMSS_WOTS_PublicKey::TreeSignature(sig_ots, auth_path);
43  }
44 
45 XMSS_Signature
46 XMSS_Signature_Operation::sign(const secure_vector<uint8_t>& msg_hash,
47  XMSS_PrivateKey& xmss_priv_key)
48  {
49  XMSS_Address adrs;
50  XMSS_Signature sig(m_leaf_idx,
51  m_randomness,
52  generate_tree_signature(msg_hash, xmss_priv_key,adrs));
53  return sig;
54  }
55 
57  {
58  return sizeof(uint64_t) + // size of leaf index
59  m_xmss_params.element_size() +
60  m_xmss_params.len() * m_xmss_params.element_size() +
61  m_xmss_params.tree_height() * m_xmss_params.element_size();
62  }
63 
65 XMSS_Signature_Operation::build_auth_path(XMSS_PrivateKey& priv_key,
66  XMSS_Address& adrs)
67  {
68  wots_keysig_t auth_path(m_xmss_params.tree_height());
70 
71  for(size_t j = 0; j < m_xmss_params.tree_height(); j++)
72  {
73  size_t k = (m_leaf_idx / (1ULL << j)) ^ 0x01;
74  auth_path[j] = priv_key.tree_hash(k * (1ULL << j), j, adrs);
75  }
76 
77  return auth_path;
78  }
79 
80 void XMSS_Signature_Operation::update(const uint8_t msg[], size_t msg_len)
81  {
82  initialize();
83  m_hash.h_msg_update(msg, msg_len);
84  }
85 
88  {
89  initialize();
90  secure_vector<uint8_t> signature(sign(m_hash.h_msg_final(),
91  m_priv_key).bytes());
92  m_is_initialized = false;
93  return signature;
94  }
95 
96 void XMSS_Signature_Operation::initialize()
97  {
98  // return if we already initialized and reserved a leaf index for signing.
99  if(m_is_initialized)
100  { return; }
101 
102  secure_vector<uint8_t> index_bytes;
103  // reserve leaf index so it can not be reused in by another signature
104  // operation using the same private key.
105  m_leaf_idx = static_cast<uint32_t>(m_priv_key.reserve_unused_leaf_index());
106 
107  // write prefix for message hashing into buffer.
108  XMSS_Tools::concat(index_bytes, m_leaf_idx, 32);
109  m_randomness = m_hash.prf(m_priv_key.prf(), index_bytes);
110  index_bytes.clear();
111  XMSS_Tools::concat(index_bytes, m_leaf_idx,
112  m_priv_key.xmss_parameters().element_size());
113  m_hash.h_msg_init(m_randomness,
114  m_priv_key.root(),
115  index_bytes);
116  m_is_initialized = true;
117  }
118 
119 }
120 
secure_vector< uint8_t > tree_hash(size_t start_idx, size_t target_node_height, XMSS_Address &adrs)
size_t element_size() const
secure_vector< uint8_t > h_msg_final()
Definition: xmss_hash.cpp:64
void set_ots_address(uint32_t value)
Definition: xmss_address.h:164
XMSS_Signature_Operation(const XMSS_PrivateKey &private_key)
void h_msg_update(const uint8_t data[], size_t size)
Definition: xmss_hash.cpp:59
wots_keysig_t sign(const secure_vector< uint8_t > &msg, XMSS_Address &adrs)
Definition: xmss_wots.h:654
size_t tree_height() const
const XMSS_Parameters & xmss_parameters() const
Definition: xmss.h:108
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:65
void prf(secure_vector< uint8_t > &result, const secure_vector< uint8_t > &key, const secure_vector< uint8_t > &data)
Definition: xmss_hash.h:35
void set_type(Type type)
Definition: xmss_address.h:111
secure_vector< uint8_t > & root()
Definition: xmss.h:146
Definition: alg_id.cpp:13
std::vector< secure_vector< uint8_t > > wots_keysig_t
static void concat(secure_vector< uint8_t > &target, const T &src)
Definition: xmss_tools.h:63
void h_msg_init(const secure_vector< uint8_t > &randomness, const secure_vector< uint8_t > &root, const secure_vector< uint8_t > &index_bytes)
Definition: xmss_hash.cpp:47
const secure_vector< uint8_t > & prf() const
Definition: xmss.h:359
secure_vector< uint8_t > sign(RandomNumberGenerator &) override
void update(const uint8_t msg[], size_t msg_len) override
std::unique_ptr< HashFunction > m_hash
Definition: tpm.cpp:446
const XMSS_WOTS_PrivateKey & wots_private_key() const
Definition: xmss.h:343