Coverage Report

Created: 2021-05-04 09:02

/src/botan/build/include/botan/xmss_wots.h
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * XMSS WOTS
3
 * (C) 2016,2018 Matthias Gierlings
4
 *
5
 * Botan is released under the Simplified BSD License (see license.txt)
6
 **/
7
8
#ifndef BOTAN_XMSS_WOTS_H_
9
#define BOTAN_XMSS_WOTS_H_
10
11
#include <botan/asn1_obj.h>
12
#include <botan/exceptn.h>
13
#include <botan/pk_keys.h>
14
#include <botan/rng.h>
15
#include <botan/secmem.h>
16
#include <botan/xmss_hash.h>
17
#include <map>
18
#include <memory>
19
#include <string>
20
#include <vector>
21
22
namespace Botan {
23
24
/**
25
 * Descibes a signature method for XMSS Winternitz One Time Signatures,
26
 * as defined in:
27
 * [1] XMSS: Extended Hash-Based Signatures,
28
 *     Request for Comments: 8391
29
 *     Release: May 2018.
30
 *     https://datatracker.ietf.org/doc/rfc8391/
31
 **/
32
class XMSS_WOTS_Parameters final
33
   {
34
   public:
35
      enum ots_algorithm_t
36
         {
37
         WOTSP_SHA2_256 = 0x00000001,
38
         WOTSP_SHA2_512 = 0x00000002,
39
         WOTSP_SHAKE_256 = 0x00000003,
40
         WOTSP_SHAKE_512 = 0x00000004
41
         };
42
43
      XMSS_WOTS_Parameters(const std::string& algo_name);
44
      XMSS_WOTS_Parameters(ots_algorithm_t ots_spec);
45
46
      static ots_algorithm_t xmss_wots_id_from_string(const std::string& param_set);
47
48
      /**
49
       * Algorithm 1: convert input string to base.
50
       *
51
       * @param msg Input string (referred to as X in [1]).
52
       * @param out_size size of message in base w.
53
       *
54
       * @return Input string converted to the given base.
55
       **/
56
      secure_vector<uint8_t> base_w(const secure_vector<uint8_t>& msg, size_t out_size) const;
57
58
      secure_vector<uint8_t> base_w(size_t value) const;
59
60
      void append_checksum(secure_vector<uint8_t>& data);
61
62
      /**
63
       * @return XMSS WOTS registry name for the chosen parameter set.
64
       **/
65
      const std::string& name() const
66
0
         {
67
0
         return m_name;
68
0
         }
69
70
      /**
71
       * @return Botan name for the hash function used.
72
       **/
73
      const std::string& hash_function_name() const
74
0
         {
75
0
         return m_hash_name;
76
0
         }
77
78
      /**
79
       * Retrieves the uniform length of a message, and the size of
80
       * each node. This correlates to XMSS parameter "n" defined
81
       * in [1].
82
       *
83
       * @return element length in bytes.
84
       **/
85
0
      size_t element_size() const { return m_element_size; }
86
87
      /**
88
       * The Winternitz parameter.
89
       *
90
       * @return numeric base used for internal representation of
91
       *         data.
92
       **/
93
0
      size_t wots_parameter() const { return m_w; }
94
95
0
      size_t len() const { return m_len; }
96
97
0
      size_t len_1() const { return m_len_1; }
98
99
0
      size_t len_2() const { return m_len_2; }
100
101
0
      size_t lg_w() const { return m_lg_w; }
102
103
0
      ots_algorithm_t oid() const { return m_oid; }
104
105
0
      size_t estimated_strength() const { return m_strength; }
106
107
      bool operator==(const XMSS_WOTS_Parameters& p) const
108
0
         {
109
0
         return m_oid == p.m_oid;
110
0
         }
111
112
   private:
113
      static const std::map<std::string, ots_algorithm_t> m_oid_name_lut;
114
      ots_algorithm_t m_oid;
115
      std::string m_name;
116
      std::string m_hash_name;
117
      size_t m_element_size;
118
      size_t m_w;
119
      size_t m_len_1;
120
      size_t m_len_2;
121
      size_t m_len;
122
      size_t m_strength;
123
      uint8_t m_lg_w;
124
   };
125
126
class XMSS_Address;
127
128
typedef std::vector<secure_vector<uint8_t>> wots_keysig_t;
129
130
/**
131
 * A Winternitz One Time Signature public key for use with Extended Hash-Based
132
 * Signatures.
133
 **/
134
class XMSS_WOTS_PublicKey : virtual public Public_Key
135
   {
136
   public:
137
      class TreeSignature final
138
         {
139
         public:
140
0
            TreeSignature() = default;
141
142
            TreeSignature(const wots_keysig_t& ots_sig,
143
                          const wots_keysig_t& auth_path)
144
               : m_ots_sig(ots_sig), m_auth_path(auth_path)
145
0
               {}
146
147
            TreeSignature(wots_keysig_t&& ots_sig,
148
                          wots_keysig_t&& auth_path)
149
               : m_ots_sig(std::move(ots_sig)),
150
                 m_auth_path(std::move(auth_path))
151
0
               {}
152
153
            const wots_keysig_t& ots_signature() const
154
0
               {
155
0
               return m_ots_sig;
156
0
               }
157
158
            wots_keysig_t& ots_signature()
159
0
               {
160
0
               return m_ots_sig;
161
0
               }
162
163
            const wots_keysig_t& authentication_path() const
164
0
               {
165
0
               return m_auth_path;
166
0
               }
167
168
            wots_keysig_t& authentication_path()
169
0
               {
170
0
               return m_auth_path;
171
0
               }
172
173
         private:
174
            wots_keysig_t m_ots_sig;
175
            wots_keysig_t m_auth_path;
176
         };
177
178
      /**
179
       * Creates a XMSS_WOTS_PublicKey for the signature method identified by
180
       * oid. The public seed for this key will be initialized with a
181
       * uniformly random n-byte value, where "n" is the element size of the
182
       * selected signature method.
183
       *
184
       * @param oid Identifier for the selected signature method.
185
       **/
186
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid)
187
         : m_wots_params(oid),
188
0
           m_hash(m_wots_params.hash_function_name()) {}
189
190
      /**
191
       * Creates a XMSS_WOTS_PublicKey for the signature method identified by
192
       * oid. The public seed for this key will be initialized with a
193
       * uniformly random n-byte value, where "n" is the element size of the
194
       * selected signature method.
195
       *
196
       * @param oid Identifier for the selected signature method.
197
       * @param rng A random number generate used to generate the public seed.
198
       **/
199
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
200
                          RandomNumberGenerator& rng)
201
         : m_wots_params(oid),
202
           m_hash(m_wots_params.hash_function_name()),
203
0
           m_public_seed(rng.random_vec(m_wots_params.element_size())) {}
204
205
      /**
206
       * Creates a XMSS_WOTS_PrivateKey for the signature method identified by
207
       * oid, with a precomputed public seed.
208
       *
209
       * @param oid Identifier for the selected signature method.
210
       * @param public_seed A precomputed public seed of n-bytes length.
211
       **/
212
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
213
                          secure_vector<uint8_t> public_seed)
214
         : m_wots_params(oid),
215
           m_hash(m_wots_params.hash_function_name()),
216
0
           m_public_seed(public_seed) {}
Unexecuted instantiation: Botan::XMSS_WOTS_PublicKey::XMSS_WOTS_PublicKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >)
Unexecuted instantiation: Botan::XMSS_WOTS_PublicKey::XMSS_WOTS_PublicKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >)
217
218
      /**
219
       * Creates a XMSS_WOTS_PublicKey for the signature method identified by
220
       * oid. The public seed will be initialized with a precomputed seed and
221
       * and precomputed key data which should be derived from a
222
       * XMSS_WOTS_PrivateKey.
223
       *
224
       * @param oid Ident:s/ifier for the selected signature methods.
225
       * @param public_seed A precomputed public seed of n-bytes length.
226
       * @param key Precomputed raw key data of the XMSS_WOTS_PublicKey.
227
       **/
228
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
229
                          secure_vector<uint8_t>&& public_seed,
230
                          wots_keysig_t&& key)
231
         : m_wots_params(oid),
232
           m_hash(m_wots_params.hash_function_name()),
233
           m_key(std::move(key)),
234
           m_public_seed(std::move(public_seed))
235
0
         {}
236
237
      /**
238
       * Creates a XMSS_WOTS_PublicKey for the signature method identified by
239
       * oid. The public seed will be initialized with a precomputed seed and
240
       * and precomputed key data which should be derived from a
241
       * XMSS_WOTS_PrivateKey.
242
       *
243
       * @param oid Identifier for the selected signature methods.
244
       * @param public_seed A precomputed public seed of n-bytes length.
245
       * @param key Precomputed raw key data of the XMSS_WOTS_PublicKey.
246
       **/
247
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
248
                          const secure_vector<uint8_t>& public_seed,
249
                          const wots_keysig_t& key)
250
         : m_wots_params(oid),
251
           m_hash(m_wots_params.hash_function_name()),
252
           m_key(key),
253
           m_public_seed(public_seed)
254
0
         {}
255
256
      /**
257
       * Creates a XMSS_WOTS_PublicKey form a message and signature using
258
       * Algorithm 6 WOTS_pkFromSig defined in the XMSS standard. This
259
       * overload is used to verify a message using a public key.
260
       *
261
       * @param oid WOTSP algorithm identifier.
262
       * @param msg A message.
263
       * @param sig A WOTS signature for msg.
264
       * @param adrs An XMSS_Address.
265
       * @param public_seed The public public_seed.
266
       **/
267
      XMSS_WOTS_PublicKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
268
                          const secure_vector<uint8_t>& msg,
269
                          const wots_keysig_t& sig,
270
                          XMSS_Address& adrs,
271
                          const secure_vector<uint8_t>& public_seed)
272
         : m_wots_params(oid),
273
           m_hash(m_wots_params.hash_function_name()),
274
           m_key(pub_key_from_signature(msg,
275
                                        sig,
276
                                        adrs,
277
                                        public_seed)),
278
           m_public_seed(public_seed)
279
0
         {}
Unexecuted instantiation: Botan::XMSS_WOTS_PublicKey::XMSS_WOTS_PublicKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, std::__1::vector<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, std::__1::allocator<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > > > const&, Botan::XMSS_Address&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
Unexecuted instantiation: Botan::XMSS_WOTS_PublicKey::XMSS_WOTS_PublicKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, std::__1::vector<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> >, std::__1::allocator<std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > > > const&, Botan::XMSS_Address&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
280
281
      /**
282
       * Retrieves the i-th element out of the length len chain of
283
       * n-byte elements contained in the public key.
284
       *
285
       * @param i index of the element.
286
       * @returns n-byte element addressed by i.
287
       **/
288
0
      const secure_vector<uint8_t>& operator[](size_t i) const { return m_key[i]; }
289
0
      secure_vector<uint8_t>& operator[](size_t i) { return m_key[i]; }
290
291
      /**
292
       * Convert the key into the raw key data. The key becomes a length
293
       * len vector of n-byte elements.
294
       **/
295
0
      operator const wots_keysig_t& () const { return m_key; }
296
297
      /**
298
       * Convert the key into the raw key data. The key becomes a length
299
       * len vector of n-byte elements.
300
       **/
301
0
      operator wots_keysig_t& () { return m_key; }
302
303
0
      const secure_vector<uint8_t>& public_seed() const { return m_public_seed; }
304
305
0
      secure_vector<uint8_t>& public_seed() { return m_public_seed; }
306
307
      void set_public_seed(const secure_vector<uint8_t>& public_seed)
308
0
         {
309
0
         m_public_seed = public_seed;
310
0
         }
311
312
      void set_public_seed(secure_vector<uint8_t>&& public_seed)
313
0
         {
314
0
         m_public_seed = std::move(public_seed);
315
0
         }
316
317
0
      const wots_keysig_t& key_data() const { return m_key; }
318
319
0
      wots_keysig_t& key_data() { return m_key; }
320
321
      void set_key_data(const wots_keysig_t& key_data)
322
0
         {
323
0
         m_key = key_data;
324
0
         }
325
326
      void set_key_data(wots_keysig_t&& key_data)
327
0
         {
328
0
         m_key = std::move(key_data);
329
0
         }
330
331
      const XMSS_WOTS_Parameters& wots_parameters() const
332
0
         {
333
0
         return m_wots_params;
334
0
         }
335
336
      std::string algo_name() const override
337
0
         {
338
0
         return m_wots_params.name();
339
0
         }
340
341
      AlgorithmIdentifier algorithm_identifier() const override
342
0
         {
343
0
         throw Not_Implemented("No AlgorithmIdentifier available for XMSS-WOTS.");
344
0
         }
345
346
      bool check_key(RandomNumberGenerator&, bool) const override
347
0
         {
348
0
         return true;
349
0
         }
350
351
      size_t estimated_strength() const override
352
0
         {
353
0
         return m_wots_params.estimated_strength();
354
0
         }
355
356
      size_t key_length() const override
357
0
         {
358
0
         return m_wots_params.estimated_strength();
359
0
         }
360
361
      std::vector<uint8_t> public_key_bits() const override
362
0
         {
363
0
         throw Not_Implemented("No key format defined for XMSS-WOTS");
364
0
         }
365
366
      bool operator==(const XMSS_WOTS_PublicKey& key)
367
0
         {
368
0
         return m_key == key.m_key;
369
0
         }
370
371
      bool operator!=(const XMSS_WOTS_PublicKey& key)
372
0
         {
373
0
         return !(*this == key);
374
0
         }
375
376
   protected:
377
      /**
378
       * Algorithm 2: Chaining Function.
379
       *
380
       * Takes an n-byte input string and transforms it into a the function
381
       * result iterating the cryptographic hash function "F" steps times on
382
       * the input x using the outputs of the PRNG "G".
383
       *
384
       * This overload is used in multithreaded scenarios, where it is
385
       * required to provide seperate instances of XMSS_Hash to each
386
       * thread.
387
       *
388
       * @param[out] x An n-byte input string, that will be transformed into
389
       *               the chaining function result.
390
       * @param start_idx The start index.
391
       * @param steps A number of steps.
392
       * @param adrs An OTS Hash Address.
393
       * @param public_seed A public seed.
394
       * @param hash Instance of XMSS_Hash, that may only by the thead
395
       *        executing chain.
396
       **/
397
      void chain(secure_vector<uint8_t>& x,
398
                 size_t start_idx,
399
                 size_t steps,
400
                 XMSS_Address& adrs,
401
                 const secure_vector<uint8_t>& public_seed,
402
                 XMSS_Hash& hash);
403
404
      /**
405
       * Algorithm 2: Chaining Function.
406
       *
407
       * Takes an n-byte input string and transforms it into a the function
408
       * result iterating the cryptographic hash function "F" steps times on
409
       * the input x using the outputs of the PRNG "G".
410
       *
411
       * @param[out] x An n-byte input string, that will be transformed into
412
       *               the chaining function result.
413
       * @param start_idx The start index.
414
       * @param steps A number of steps.
415
       * @param adrs An OTS Hash Address.
416
       * @param public_seed A public seed.
417
       **/
418
      inline void chain(secure_vector<uint8_t>& x,
419
                        size_t start_idx,
420
                        size_t steps,
421
                        XMSS_Address& adrs,
422
                        const secure_vector<uint8_t>& public_seed)
423
0
         {
424
0
         chain(x, start_idx, steps, adrs, public_seed, m_hash);
425
0
         }
426
427
      XMSS_WOTS_Parameters m_wots_params;
428
      XMSS_Hash m_hash;
429
      wots_keysig_t m_key;
430
      secure_vector<uint8_t> m_public_seed;
431
432
   private:
433
      /**
434
       * Algorithm 6: "WOTS_pkFromSig"
435
       * Computes a Winternitz One Time Signature+ public key from a message and
436
       * its signature.
437
       *
438
       * @param msg A message.
439
       * @param sig The signature for msg.
440
       * @param adrs An address.
441
       * @param public_seed A public_seed.
442
       *
443
       * @return Temporary WOTS+ public key.
444
       **/
445
      wots_keysig_t pub_key_from_signature(
446
         const secure_vector<uint8_t>& msg,
447
         const wots_keysig_t& sig,
448
         XMSS_Address& adrs,
449
         const secure_vector<uint8_t>& public_seed);
450
   };
451
452
/** A Winternitz One Time Signature private key for use with Extended Hash-Based
453
 * Signatures.
454
 **/
455
class XMSS_WOTS_PrivateKey final : public virtual XMSS_WOTS_PublicKey,
456
   public virtual Private_Key
457
   {
458
   public:
459
      /**
460
       * Creates a WOTS private key for the chosen XMSS WOTS signature method.
461
       * Members need to be initialized manually.
462
       *
463
       * @param oid Identifier for the selected signature method.
464
       **/
465
      XMSS_WOTS_PrivateKey(XMSS_WOTS_Parameters::ots_algorithm_t oid)
466
         : XMSS_WOTS_PublicKey(oid)
467
0
         {}
468
469
      /**
470
       * Creates a WOTS private key for the chosen XMSS WOTS signature method.
471
       *
472
       * @param oid Identifier for the selected signature method.
473
       * @param rng A random number generator to use for key generation.
474
       **/
475
      XMSS_WOTS_PrivateKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
476
                           RandomNumberGenerator& rng)
477
         : XMSS_WOTS_PublicKey(oid, rng),
478
           m_private_seed(rng.random_vec(m_wots_params.element_size()))
479
0
         {
480
0
         set_key_data(generate(m_private_seed));
481
0
         }
482
483
      /**
484
       * Constructs a WOTS private key. Chains will be generated on demand
485
       * applying a hash function to a unique value generated from a secret
486
       * seed and a counter. The secret seed of length n, will be
487
       * automatically generated using AutoSeeded_RNG(). "n" equals
488
       * the element size of the chosen WOTS security parameter set.
489
       *
490
       * @param oid Identifier for the selected signature method.
491
       * @param public_seed A public seed used for the pseudo random generation
492
       *        of public keys derived from this private key.
493
       * @param rng A random number generator to use for key generation.
494
       **/
495
      XMSS_WOTS_PrivateKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
496
                           const secure_vector<uint8_t>& public_seed,
497
                           RandomNumberGenerator& rng)
498
         : XMSS_WOTS_PublicKey(oid, public_seed),
499
           m_private_seed(rng.random_vec(m_wots_params.element_size()))
500
0
         {
501
0
         set_key_data(generate(m_private_seed));
502
0
         }
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, Botan::RandomNumberGenerator&)
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, Botan::RandomNumberGenerator&)
503
504
      /**
505
       * Constructs a WOTS private key. Chains will be generated on demand
506
       * applying a hash function to a unique value generated from a secret
507
       * seed and a counter. The secret seed of length n, will be
508
       * automatically generated using AutoSeeded_RNG(). "n" equals
509
       * the element size of the chosen WOTS security parameter set.
510
       *
511
       * @param oid Identifier for the selected signature method.
512
       * @param public_seed A public seed used for the pseudo random generation
513
       *        of public keys derived from this private key.
514
       **/
515
      XMSS_WOTS_PrivateKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
516
                           const secure_vector<uint8_t>& public_seed)
517
         : XMSS_WOTS_PublicKey(oid, public_seed)
518
0
         {}
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
519
520
      /**
521
       * Constructs a WOTS private key. Chains will be generated on demand
522
       * applying a hash function to a unique value generated from the
523
       * secret seed and a counter.
524
       *
525
       * @param oid Identifier for the selected signature method.
526
       * @param public_seed A public seed used for the pseudo random generation
527
       *        of public keys derived from this private key.
528
       * @param private_seed A secret uniformly random n-byte value.
529
       **/
530
      XMSS_WOTS_PrivateKey(XMSS_WOTS_Parameters::ots_algorithm_t oid,
531
                           const secure_vector<uint8_t>& public_seed,
532
                           const secure_vector<uint8_t>& private_seed)
533
         : XMSS_WOTS_PublicKey(oid, public_seed),
534
           m_private_seed(private_seed)
535
0
         {
536
0
         set_key_data(generate(private_seed));
537
0
         }
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
Unexecuted instantiation: Botan::XMSS_WOTS_PrivateKey::XMSS_WOTS_PrivateKey(Botan::XMSS_WOTS_Parameters::ots_algorithm_t, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&, std::__1::vector<unsigned char, Botan::secure_allocator<unsigned char> > const&)
538
539
      std::unique_ptr<Public_Key> public_key() const override
540
0
         {
541
0
         throw Not_Implemented("Not possible to derive WOTS public key from private key");
542
0
         }
543
544
      /**
545
       * Retrieves the i-th WOTS private key using pseudo random key
546
       * (re-)generation.
547
       *
548
       * This overload is used in multithreaded scenarios, where it is
549
       * required to provide seperate instances of XMSS_Hash to each
550
       * thread.
551
       *
552
       * @param i Index of the key to retrieve.
553
       * @param hash Instance of XMSS_Hash, that may only be used by the
554
       *        thead executing at.
555
       *
556
       * @return WOTS secret key.
557
       **/
558
      wots_keysig_t at(size_t i, XMSS_Hash& hash);
559
560
      /**
561
       * Retrieves the i-th WOTS private key using pseudo random key
562
       * (re-)generation.
563
       *
564
       * @param i Index of the key to retrieve.
565
       *
566
       * @return WOTS secret key.
567
       **/
568
      inline wots_keysig_t operator[](size_t i)
569
0
         {
570
0
         return this->at(i, m_hash);
571
0
         }
572
573
      /**
574
       * Retrieves the i-th WOTS private key using pseudo random key
575
       * (re-)generation.
576
       *
577
       * This overload is used in multithreaded scenarios, where it is
578
       * required to provide seperate instances of XMSS_Hash to each
579
       * thread.
580
       *
581
       * @param adrs The address of the key to retrieve.
582
       * @param hash Instance of XMSS_Hash, that may only be used by the
583
       *        thead executing at.
584
       *
585
       * @return WOTS secret key.
586
       **/
587
      wots_keysig_t at(const XMSS_Address& adrs, XMSS_Hash& hash);
588
589
      inline wots_keysig_t operator[](const XMSS_Address& adrs)
590
0
         {
591
0
         return this->at(adrs, m_hash);
592
0
         }
593
594
      wots_keysig_t generate_private_key(const secure_vector<uint8_t>& priv_seed);
595
596
      /**
597
       * Algorithm 4: "WOTS_genPK"
598
       * Generates a Winternitz One Time Signature+ (WOTS+) Public Key from a
599
       * given private key.
600
       *
601
       * @param adrs Hash function address encoding the address of the WOTS+
602
       *             key pair within a greater structure.
603
       *
604
       * @return A XMSS_WOTS_PublicKey.
605
       **/
606
      XMSS_WOTS_PublicKey generate_public_key(XMSS_Address& adrs);
607
608
      /**
609
       * Algorithm 4: "WOTS_genPK"
610
       * Initializes a Winternitz One Time Signature+ (WOTS+) Public Key's
611
       * key_data() member, with data derived from in_key_data using the
612
       * WOTS chaining function.
613
       *
614
       * This overload is used in multithreaded scenarios, where it is
615
       * required to provide seperate instances of XMSS_Hash to each
616
       * thread.
617
       *
618
       * @param[out] pub_key Public key to initialize key_data() member on.
619
       * @param in_key_data Input key material from private key used for
620
       *        public key generation.
621
       * @param adrs Hash function address encoding the address of
622
       *        the WOTS+ key pair within a greater structure.
623
       * @param hash Instance of XMSS_Hash, that may only by the thead
624
       *        executing generate_public_key.
625
       **/
626
      void generate_public_key(XMSS_WOTS_PublicKey& pub_key,
627
                               wots_keysig_t&& in_key_data,
628
                               XMSS_Address& adrs,
629
                               XMSS_Hash& hash);
630
      /**
631
       * Algorithm 4: "WOTS_genPK"
632
       * Initializes a Winternitz One Time Signature+ (WOTS+) Public Key's
633
       * key_data() member, with data derived from in_key_data using the
634
       * WOTS chaining function.
635
       *
636
       * @param[out] pub_key Public key to initialize key_data() member on.
637
       * @param in_key_data Input key material from private key used for
638
       *        public key generation.
639
       * @param adrs Hash function address encoding the address of
640
       *        the WOTS+ key pair within a greater structure.
641
       **/
642
      inline void generate_public_key(XMSS_WOTS_PublicKey& pub_key,
643
                                      wots_keysig_t&& in_key_data,
644
                                      XMSS_Address& adrs)
645
0
         {
646
0
         generate_public_key(pub_key, std::forward<wots_keysig_t>(in_key_data), adrs, m_hash);
647
0
         }
648
649
      /**
650
       * Algorithm 5: "WOTS_sign"
651
       * Generates a signature from a private key and a message.
652
       *
653
       * @param msg A message to sign.
654
       * @param adrs An OTS hash address identifying the WOTS+ key pair
655
       *        used for signing.
656
       *
657
       * @return signature for msg.
658
       **/
659
      inline wots_keysig_t sign(const secure_vector<uint8_t>& msg,
660
                                XMSS_Address& adrs)
661
0
         {
662
0
         return sign(msg, adrs, m_hash);
663
0
         }
664
665
      /**
666
       * Algorithm 5: "WOTS_sign"
667
       * Generates a signature from a private key and a message.
668
       *
669
       * This overload is used in multithreaded scenarios, where it is
670
       * required to provide seperate instances of XMSS_Hash to each
671
       * thread.
672
       *
673
       * @param msg A message to sign.
674
       * @param adrs An OTS hash address identifying the WOTS+ key pair
675
       *        used for signing.
676
       * @param hash Instance of XMSS_Hash, that may only be used by the
677
       *        thead executing sign.
678
       *
679
       * @return signature for msg.
680
       **/
681
      wots_keysig_t sign(const secure_vector<uint8_t>& msg,
682
                         XMSS_Address& adrs,
683
                         XMSS_Hash& hash);
684
685
      /**
686
       * Retrieves the secret seed used to generate WOTS+ chains. The seed
687
       * should be a uniformly random n-byte value.
688
       *
689
       * @return secret seed.
690
       **/
691
      const secure_vector<uint8_t>& private_seed() const
692
0
         {
693
0
         return m_private_seed;
694
0
         }
695
696
      /**
697
       * Sets the secret seed used to generate WOTS+ chains. The seed
698
       * should be a uniformly random n-byte value.
699
       *
700
       * @param private_seed Uniformly random n-byte value.
701
       **/
702
      void set_private_seed(const secure_vector<uint8_t>& private_seed)
703
0
         {
704
0
         m_private_seed = private_seed;
705
0
         }
706
707
      /**
708
       * Sets the secret seed used to generate WOTS+ chains. The seed
709
       * should be a uniformly random n-byte value.
710
       *
711
       * @param private_seed Uniformly random n-byte value.
712
       **/
713
      void set_private_seed(secure_vector<uint8_t>&& private_seed)
714
0
         {
715
0
         m_private_seed = std::move(private_seed);
716
0
         }
717
718
      AlgorithmIdentifier
719
      pkcs8_algorithm_identifier() const override
720
0
         {
721
0
         throw Not_Implemented("No AlgorithmIdentifier available for XMSS-WOTS.");
722
0
         }
723
724
      secure_vector<uint8_t> private_key_bits() const override
725
0
         {
726
0
         throw Not_Implemented("No PKCS8 key format defined for XMSS-WOTS.");
727
0
         }
728
729
   private:
730
      /**
731
       * Algorithm 3: "Generating a WOTS+ Private Key".
732
       * Generates a private key.
733
       *
734
       * This overload is used in multithreaded scenarios, where it is
735
       * required to provide seperate instances of XMSS_Hash to each thread.
736
       *
737
       * @param private_seed Uniformly random n-byte value.
738
       * @param[in] hash Instance of XMSS_Hash, that may only be used by the
739
       *            thead executing generate.
740
       *
741
       * @returns a vector of length key_size() of vectors of n bytes length
742
       *          containing uniformly random data.
743
       **/
744
      wots_keysig_t generate(const secure_vector<uint8_t>& private_seed,
745
                             XMSS_Hash& hash);
746
747
      inline wots_keysig_t generate(const secure_vector<uint8_t>& private_seed)
748
0
         {
749
0
         return generate(private_seed, m_hash);
750
0
         }
751
752
      secure_vector<uint8_t> m_private_seed;
753
   };
754
755
}
756
757
#endif