/*
Package wotsp implements WOTSP-SHA2_256 as documented in RFC 8391
(https://datatracker.ietf.org/doc/rfc8391/).
W-OTS+ is a one-time hash-based signature scheme that is most commonly used in
a larger scheme such as XMSS or SPHINCS. As a W-OTS+ private key/private seed
can only be used once securely, W-OTS+ should not be used directly to create
signatures in most situations. This package is thus meant primarily to be used
in larger structures such as SPHINCS.
Since SHA512_256, BLAKE2b_256 and BLAKE2s_256 work out of the box, they can be
used as the internal hash function as well by setting Opts.Hash to their
corresponding crypto.Hash values.
*/
package wotsp
import (
"crypto/subtle"
)
// N is a constant defined as the output length of the used hash function, in
// bytes. Public keys and signatures in this file are sized as params.l*N, so
// every chain element is exactly N bytes wide.
const N = 32
// GenPublicKey computes the W-OTS+ public key that corresponds to the private
// key expanded from seed. pubSeed and opts.Address are handed to the hasher
// that walks the chains; opts.Mode selects the parameter set and
// opts.routines() the number of workers used by computeChains.
//
// Key generation differs from signing only in the chain lengths: here every
// one of the l chains is advanced the full w-1 steps, independent of any
// message. The result is params.l*N bytes.
func GenPublicKey(seed, pubSeed []byte, opts Opts) (pubKey []byte) {
	params := opts.Mode.params()
	workers := opts.routines()
	hasher := newHasher(seed, pubSeed, opts, workers)
	sk := hasher.expandSeed()

	// Every chain runs to its end: the same w-1 step count for all l elements.
	fullLen := uint8(params.w - 1)
	steps := make([]uint8, params.l)
	for idx := 0; idx < len(steps); idx++ {
		steps[idx] = fullLen
	}

	pubKey = make([]byte, params.l*N)
	hasher.computeChains(workers, sk, pubKey, steps, &opts.Address, params, false)
	return pubKey
}
// Sign produces the W-OTS+ signature of msg under the private key expanded
// from seed. msg is first converted to its base-w digits (l1 of them), the
// checksum digits are appended, and each chain is then advanced by the value
// of its digit. The signature is params.l*N bytes.
//
// As the package comment states, a seed must be used to sign at most one
// message: the chain values revealed by a signature are exactly what a
// forger needs, so a second signature under the same seed breaks the scheme.
func Sign(msg, seed, pubSeed []byte, opts Opts) (sig []byte) {
	params := opts.Mode.params()
	workers := opts.routines()
	hasher := newHasher(seed, pubSeed, opts, workers)
	sk := hasher.expandSeed()

	// Message digits first, then the checksum digits derived from them.
	digits := hasher.baseW(msg, params.l1)
	digits = append(digits, hasher.checksum(digits)...)

	sig = make([]byte, params.l*N)
	hasher.computeChains(workers, sk, sig, digits, &opts.Address, params, false)
	return sig
}
// PublicKeyFromSig recomputes the public key implied by sig for msg. The
// hasher is created with a nil seed because no private key material is
// needed: starting from the signature elements, each chain is advanced for
// the remaining steps (computeChains is called with its final flag set to
// true), which lands on the public key when sig is genuine. The caller is
// responsible for comparing the result against the expected key; see Verify.
//
// NOTE(review): sig is not length-checked here; how computeChains behaves on
// a sig shorter than params.l*N is not visible in this file - confirm.
func PublicKeyFromSig(sig, msg, pubSeed []byte, opts Opts) (pubKey []byte) {
	params := opts.Mode.params()
	workers := opts.routines()
	hasher := newHasher(nil, pubSeed, opts, workers)

	// Digits come from the hasher's own parameter copy here, as in the
	// original; presumably identical to params.l1 - verify against newHasher.
	digits := hasher.baseW(msg, hasher.params.l1)
	digits = append(digits, hasher.checksum(digits)...)

	pubKey = make([]byte, params.l*N)
	hasher.computeChains(workers, sig, pubKey, digits, &opts.Address, params, true)
	return pubKey
}
// Verify reports whether sig is a valid W-OTS+ signature of msg under the
// public key pk. It recomputes the public key from the signature via
// PublicKeyFromSig and compares it to pk in constant time.
//
// subtle.ConstantTimeCompare returns 0 when the lengths differ and otherwise
// examines every byte without an early exit, so neither the comparison's
// timing nor a wrong-length pk reveals how far the two keys agree.
func Verify(pk, sig, msg, pubSeed []byte, opts Opts) bool {
	candidate := PublicKeyFromSig(sig, msg, pubSeed, opts)
	match := subtle.ConstantTimeCompare(pk, candidate)
	return match == 1
}