/src/botan/src/lib/pubkey/xmss/xmss_common_ops.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * XMSS Common Ops |
3 | | * Operations shared by XMSS signature generation and verification operations. |
4 | | * (C) 2016,2017 Matthias Gierlings |
5 | | * |
6 | | * Botan is released under the Simplified BSD License (see license.txt) |
7 | | **/ |
8 | | |
9 | | #include <botan/xmss_common_ops.h> |
10 | | |
11 | | namespace Botan { |
12 | | |
13 | | void |
14 | | XMSS_Common_Ops::randomize_tree_hash(secure_vector<uint8_t>& result, |
15 | | const secure_vector<uint8_t>& left, |
16 | | const secure_vector<uint8_t>& right, |
17 | | XMSS_Address& adrs, |
18 | | const secure_vector<uint8_t>& seed, |
19 | | XMSS_Hash& hash) |
20 | 0 | { |
21 | 0 | adrs.set_key_mask_mode(XMSS_Address::Key_Mask::Key_Mode); |
22 | 0 | secure_vector<uint8_t> key { hash.prf(seed, adrs.bytes()) }; |
23 | 0 |
|
24 | 0 | adrs.set_key_mask_mode(XMSS_Address::Key_Mask::Mask_MSB_Mode); |
25 | 0 | secure_vector<uint8_t> bitmask_l { hash.prf(seed, adrs.bytes()) }; |
26 | 0 |
|
27 | 0 | adrs.set_key_mask_mode(XMSS_Address::Key_Mask::Mask_LSB_Mode); |
28 | 0 | secure_vector<uint8_t> bitmask_r { hash.prf(seed, adrs.bytes()) }; |
29 | 0 |
|
30 | 0 | BOTAN_ASSERT(bitmask_l.size() == left.size() && |
31 | 0 | bitmask_r.size() == right.size(), |
32 | 0 | "Bitmask size doesn't match node size."); |
33 | 0 |
|
34 | 0 | secure_vector<uint8_t> concat_xor(m_xmss_params.element_size() * 2); |
35 | 0 | for(size_t i = 0; i < left.size(); i++) |
36 | 0 | { |
37 | 0 | concat_xor[i] = left[i] ^ bitmask_l[i]; |
38 | 0 | concat_xor[i + left.size()] = right[i] ^ bitmask_r[i]; |
39 | 0 | } |
40 | 0 |
|
41 | 0 | hash.h(result, key, concat_xor); |
42 | 0 | } |
43 | | |
44 | | |
45 | | void |
46 | | XMSS_Common_Ops::create_l_tree(secure_vector<uint8_t>& result, |
47 | | wots_keysig_t pk, |
48 | | XMSS_Address& adrs, |
49 | | const secure_vector<uint8_t>& seed, |
50 | | XMSS_Hash& hash) |
51 | 0 | { |
52 | 0 | size_t l = m_xmss_params.len(); |
53 | 0 | adrs.set_tree_height(0); |
54 | 0 |
|
55 | 0 | while(l > 1) |
56 | 0 | { |
57 | 0 | for(size_t i = 0; i < l >> 1; i++) |
58 | 0 | { |
59 | 0 | adrs.set_tree_index(static_cast<uint32_t>(i)); |
60 | 0 | randomize_tree_hash(pk[i], pk[2 * i], pk[2 * i + 1], adrs, seed, hash); |
61 | 0 | } |
62 | 0 | if(l & 0x01) |
63 | 0 | { |
64 | 0 | pk[l >> 1] = pk[l - 1]; |
65 | 0 | } |
66 | 0 | l = (l >> 1) + (l & 0x01); |
67 | 0 | adrs.set_tree_height(adrs.get_tree_height() + 1); |
68 | 0 | } |
69 | 0 | result = pk[0]; |
70 | 0 | } |
71 | | |
72 | | } |