/* * Copyright 2024-2025 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include #include #include "slh_dsa_local.h" #include "slh_dsa_key.h" /* For the parameter sets defined there is only one w value */ #define SLH_WOTS_LOGW 4 #define SLH_WOTS_W 16 #define SLH_WOTS_LEN1(n) (2 * (n)) #define SLH_WOTS_LEN2 3 #define SLH_WOTS_CHECKSUM_LEN ((SLH_WOTS_LEN2 + SLH_WOTS_LOGW + 7) / 8) #define SLH_WOTS_LEN_MAX SLH_WOTS_LEN(SLH_MAX_N) #define NIBBLE_MASK 15 #define NIBBLE_SHIFT 4 /* * @brief Convert a byte array to a byte array of (4 bit) nibbles * This is a Variant of the FIPS 205 Algorithm 4 base_2^b function. * * @param in A byte message to convert * @param in_len The size of |in|. * @param out The returned array of nibbles, with a size of 2*|in_len| */ static ossl_inline void slh_bytes_to_nibbles(const uint8_t *in, size_t in_len, uint8_t *out) { size_t consumed = 0; for (consumed = 0; consumed < in_len; consumed++) { *out++ = (*in >> NIBBLE_SHIFT); *out++ = (*in++ & NIBBLE_MASK); } } /* * With w = 16 the maximum checksum is 0xF * n which fits into 12 bits * which is 3 nibbles. * * This is effectively a cutdown version of Algorithm 7: steps 3 to 6 * which does a complicated base2^b(tobyte()) operation. */ static ossl_inline void compute_checksum_nibbles(const uint8_t *in, size_t in_len, uint8_t *out) { size_t i; uint16_t csum = 0; /* Compute checksum */ for (i = 0; i < in_len; ++i) csum += in[i]; /* * This line is effectively the same as doing csum += NIBBLE_MASK - in[i] * in the loop above. */ csum = (uint16_t)(NIBBLE_MASK * in_len) - csum; /* output checksum as 3 nibbles */ out[0] = (csum >> (2 * NIBBLE_SHIFT)) & NIBBLE_MASK; out[1] = (csum >> NIBBLE_SHIFT) & NIBBLE_MASK; out[2] = csum & NIBBLE_MASK; } /** * @brief WOTS+ Chaining function * See FIPS 205 Section 5 Algorithm 5 * * Iterates using a hash function on the input |steps| times starting at index * |start|. (Internally the |adrs| hash address is used to update the chaining * index). * * @param ctx Contains SLH_DSA algorithm functions and constants. * @param in An input string of |n| bytes * @param start_index The chaining start index * @param steps The number of iterations starting from |start_index| * Note |start_index| + |steps| < w * (where w = 16 indicates the length of the hash chains) * @param pk_seed A public key seed (which is added to the hash) * @param adrs An ADRS object which has a type of WOTS_HASH, and has a layer * address, tree address, key pair address and chain address * @params wpkt A WPACKET object to write the hash chain to (n bytes are written) * @returns 1 on success, or 0 on error. */ static int slh_wots_chain(SLH_DSA_HASH_CTX *ctx, const uint8_t *in, uint8_t start_index, uint8_t steps, const uint8_t *pk_seed, uint8_t *adrs, WPACKET *wpkt) { const SLH_DSA_KEY *key = ctx->key; SLH_HASH_FUNC_DECLARE(key, hashf); SLH_ADRS_FUNC_DECLARE(key, adrsf); SLH_HASH_FN_DECLARE(hashf, F); SLH_ADRS_FN_DECLARE(adrsf, set_hash_address); size_t j = start_index, end_index; size_t n = key->params->n; uint8_t *tmp; /* Pointer into the |wpkt| buffer */ size_t tmp_len = n; if (steps == 0) return WPACKET_memcpy(wpkt, in, n); if (!WPACKET_allocate_bytes(wpkt, tmp_len, &tmp)) return 0; set_hash_address(adrs, (uint32_t)(j++)); if (!F(ctx, pk_seed, adrs, in, n, tmp, tmp_len)) return 0; end_index = start_index + steps; for (; j < end_index; ++j) { set_hash_address(adrs, (uint32_t)j); if (!F(ctx, pk_seed, adrs, tmp, n, tmp, tmp_len)) return 0; } return 1; } /** * @brief WOTS+ Public key generation. * See FIPS 205 Section 5.1 Algorithm 6 * * @param ctx Contains SLH_DSA algorithm functions and constants. * @param sk_seed A private key seed of size |n| * @param pk_seed A public key seed of size |n| * @param adrs An ADRS object containing the layer address, tree address and * keypair address of the WOTS+ public key to generate. * @param pk_out The generated public key of size |n| * @param pk_out_len The maximum size of |pk_out| * @returns 1 on success, or 0 on error. */ int ossl_slh_wots_pk_gen(SLH_DSA_HASH_CTX *ctx, const uint8_t *sk_seed, const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { int ret = 0; const SLH_DSA_KEY *key = ctx->key; size_t n = key->params->n; size_t i, len = SLH_WOTS_LEN(n); /* 2 * n + 3 */ uint8_t sk[SLH_MAX_N]; uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N]; WPACKET pkt, *tmp_wpkt = &pkt; /* Points to the |tmp| buffer */ size_t tmp_len = 0; SLH_HASH_FUNC_DECLARE(key, hashf); SLH_ADRS_FUNC_DECLARE(key, adrsf); SLH_HASH_FN_DECLARE(hashf, PRF); SLH_ADRS_FN_DECLARE(adrsf, set_chain_address); SLH_ADRS_DECLARE(sk_adrs); SLH_ADRS_DECLARE(wots_pk_adrs); if (!WPACKET_init_static_len(tmp_wpkt, tmp, sizeof(tmp), 0)) return 0; adrsf->copy(sk_adrs, adrs); adrsf->set_type_and_clear(sk_adrs, SLH_ADRS_TYPE_WOTS_PRF); adrsf->copy_keypair_address(sk_adrs, adrs); for (i = 0; i < len; ++i) { /* len = 2n + 3 */ set_chain_address(sk_adrs, (uint32_t)i); if (!PRF(ctx, pk_seed, sk_seed, sk_adrs, sk, sizeof(sk))) goto end; set_chain_address(adrs, (uint32_t)i); if (!slh_wots_chain(ctx, sk, 0, NIBBLE_MASK, pk_seed, adrs, tmp_wpkt)) goto end; } if (!WPACKET_get_total_written(tmp_wpkt, &tmp_len)) /* should be n * (2 * n + 3) */ goto end; adrsf->copy(wots_pk_adrs, adrs); adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK); adrsf->copy_keypair_address(wots_pk_adrs, adrs); ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len, pk_out, pk_out_len); end: WPACKET_finish(tmp_wpkt); OPENSSL_cleanse(tmp, sizeof(tmp)); OPENSSL_cleanse(sk, n); return ret; } /** * @brief WOTS+ Signature generation * See FIPS 205 Section 5.2 Algorithm 7 * * The returned signature size is len * |n| bytes (where len = 2 * |n| + 3). * * @param ctx Contains SLH_DSA algorithm functions and constants. * @param msg An input message of size |n| bytes. * The message is either an XMSS or FORS public key * @param sk_seed The private key seed of size |n| bytes * @param pk_seed The public key seed of size |n| bytes * @param adrs An address containing the layer address, tree address and key * pair address. The size is either 32 or 22 bytes. * @param sig_wpkt A WPACKET object to write the signature to. * @returns 1 on success, or 0 on error. */ int ossl_slh_wots_sign(SLH_DSA_HASH_CTX *ctx, const uint8_t *msg, const uint8_t *sk_seed, const uint8_t *pk_seed, uint8_t *adrs, WPACKET *sig_wpkt) { int ret = 0; const SLH_DSA_KEY *key = ctx->key; uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX]; /* size is >= 2 * n + 3 */ uint8_t sk[SLH_MAX_N]; size_t i; size_t n = key->params->n; size_t len1 = SLH_WOTS_LEN1(n); /* 2 * n = the msg length in nibbles */ size_t len = len1 + SLH_WOTS_LEN2; /* 2 * n + 3 (3 checksum nibbles) */ SLH_ADRS_DECLARE(sk_adrs); SLH_HASH_FUNC_DECLARE(key, hashf); SLH_ADRS_FUNC_DECLARE(key, adrsf); SLH_HASH_FN_DECLARE(hashf, PRF); SLH_ADRS_FN_DECLARE(adrsf, set_chain_address); /* * Convert n message bytes to 2*n base w=16 integers * i.e. Convert message to an array of 2*n nibbles. */ slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles); /* Compute a 12 bit checksum and add it to the end */ compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1); adrsf->copy(sk_adrs, adrs); adrsf->set_type_and_clear(sk_adrs, SLH_ADRS_TYPE_WOTS_PRF); adrsf->copy_keypair_address(sk_adrs, adrs); for (i = 0; i < len; ++i) { set_chain_address(sk_adrs, (uint32_t)i); /* compute chain i secret */ if (!PRF(ctx, pk_seed, sk_seed, sk_adrs, sk, sizeof(sk))) goto err; set_chain_address(adrs, (uint32_t)i); /* compute chain i signature */ if (!slh_wots_chain(ctx, sk, 0, msg_and_csum_nibbles[i], pk_seed, adrs, sig_wpkt)) goto err; } ret = 1; err: return ret; } /** * @brief Compute a candidate WOTS+ public key from a message and signature * See FIPS 205 Section 5.3 Algorithm 8 * * The size of the signature is len * |n| bytes (where len = 2 * |n| + 3). * * @param ctx Contains SLH_DSA algorithm functions and constants. * @param sig_rpkt A PACKET object to read a WOTS+ signature from * @param msg A message of size |n| bytes. * @param pk_seed The public key seed of size |n|. * @param adrs An ADRS object containing the layer address, tree address and * key pair address that of the WOTS+ key used to sign the message. * @param pk_out The returned public key candidate of size |n| * @param pk_out_len The maximum size of |pk_out| * @returns 1 on success, or 0 on error. */ int ossl_slh_wots_pk_from_sig(SLH_DSA_HASH_CTX *ctx, PACKET *sig_rpkt, const uint8_t *msg, const uint8_t *pk_seed, uint8_t *adrs, uint8_t *pk_out, size_t pk_out_len) { int ret = 0; const SLH_DSA_KEY *key = ctx->key; uint8_t msg_and_csum_nibbles[SLH_WOTS_LEN_MAX]; size_t i; size_t n = key->params->n; size_t len1 = SLH_WOTS_LEN1(n); size_t len = len1 + SLH_WOTS_LEN2; /* 2n + 3 */ const uint8_t *sig_i; /* Pointer into |sig_rpkt| buffer */ uint8_t tmp[SLH_WOTS_LEN_MAX * SLH_MAX_N]; WPACKET pkt, *tmp_pkt = &pkt; size_t tmp_len = 0; SLH_HASH_FUNC_DECLARE(key, hashf); SLH_ADRS_FUNC_DECLARE(key, adrsf); SLH_ADRS_FN_DECLARE(adrsf, set_chain_address); SLH_ADRS_DECLARE(wots_pk_adrs); if (!WPACKET_init_static_len(tmp_pkt, tmp, sizeof(tmp), 0)) return 0; slh_bytes_to_nibbles(msg, n, msg_and_csum_nibbles); compute_checksum_nibbles(msg_and_csum_nibbles, len1, msg_and_csum_nibbles + len1); /* Compute the end nodes for each of the chains */ for (i = 0; i < len; ++i) { set_chain_address(adrs, (uint32_t)i); if (!PACKET_get_bytes(sig_rpkt, &sig_i, n) || !slh_wots_chain(ctx, sig_i, msg_and_csum_nibbles[i], NIBBLE_MASK - msg_and_csum_nibbles[i], pk_seed, adrs, tmp_pkt)) goto err; } /* compress the computed public key value */ adrsf->copy(wots_pk_adrs, adrs); adrsf->set_type_and_clear(wots_pk_adrs, SLH_ADRS_TYPE_WOTS_PK); adrsf->copy_keypair_address(wots_pk_adrs, adrs); if (!WPACKET_get_total_written(tmp_pkt, &tmp_len)) goto err; ret = hashf->T(ctx, pk_seed, wots_pk_adrs, tmp, tmp_len, pk_out, pk_out_len); err: if (!WPACKET_finish(tmp_pkt)) ret = 0; return ret; }