wots.go
/*
Package wotsp implements WOTSP-SHA2_256 as documented in RFC 8391
(https://datatracker.ietf.org/doc/rfc8391/).
W-OTS+ is a one-time hash-based signature scheme that is most commonly used in
a larger scheme such as XMSS or SPHINCS. As a W-OTS+ private key/private seed
can only be used once securely, W-OTS+ should not be used directly to create
signatures in most situations. This package is thus meant primarily to be used
in larger structures such as SPHINCS.
*/
package wotsp
import (
"crypto/subtle"
)
// N is the block size in bytes used throughout wotsp: public keys and
// signatures produced by this package are allocated as params.l*N bytes.
// The value 32 equals the output size of SHA2-256, the hash named in the
// package documentation (WOTSP-SHA2_256).
const N = 32
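// GenPublicKey computes the W-OTS+ public key that corresponds to the private
// key expanded from seed.
//
// The returned key is params.l*N bytes long. It is obtained by running every
// chain to its full length (params.w - 1 steps), starting from the expanded
// private key. pubSeed and opts are handed to the hasher unchanged.
//
// An error is returned when opts.Mode is not a known mode or when the hasher
// cannot be created; pubKey is nil in both cases.
//
// NOTE(review): the lengths of seed and pubSeed are not checked here;
// presumably newHasher validates them — confirm.
func GenPublicKey(seed, pubSeed []byte, opts Opts) (pubKey []byte, err error) {
	params, err := opts.Mode.params()
	if err != nil {
		return nil, err
	}

	numRoutines := opts.routines()
	h, err := newHasher(seed, pubSeed, opts, numRoutines)
	if err != nil {
		// The hasher must not be used once newHasher reports a failure. Sign
		// and PublicKeyFromSig already bail out here; this function previously
		// carried on and called methods on h regardless.
		return nil, err
	}

	privKey := h.expandSeed()

	// A public key is the end of every chain, so each chain runs the maximum
	// number of steps.
	lengths := make([]uint8, params.l)
	for i := range lengths {
		lengths[i] = params.w - 1
	}

	// Hand computeChains a pointer to a local rather than to opts.Address.
	adrs := opts.Address
	pubKey = make([]byte, params.l*N)
	h.computeChains(numRoutines, privKey, pubKey, lengths, &adrs, params, false)

	return pubKey, nil
}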
// Sign produces the W-OTS+ signature of msg under the private key expanded
// from seed.
//
// The signature is params.l*N bytes long. The number of steps taken on each
// chain is given by the base-w digits of msg followed by the digits of their
// checksum.
//
// A W-OTS+ private key can only be used once securely (see the package
// documentation): callers must never sign two different messages with the
// same private key.
//
// An error is returned when opts.Mode is not a known mode or when the hasher
// cannot be created; sig is nil in both cases.
//
// NOTE(review): the length of msg is not checked here; presumably baseW
// expects an N-byte digest as in RFC 8391 — confirm before passing raw input.
func Sign(msg, seed, pubSeed []byte, opts Opts) (sig []byte, err error) {
	params, err := opts.Mode.params()
	if err != nil {
		return nil, err
	}

	workers := opts.routines()
	h, err := newHasher(seed, pubSeed, opts, workers)
	if err != nil {
		return nil, err
	}
	secret := h.expandSeed()

	// Per-chain step counts: message digits first, checksum digits after.
	steps := h.baseW(msg, params.l1)
	steps = append(steps, h.checksum(steps)...)

	// Hand computeChains a pointer to a local rather than to opts.Address.
	addr := opts.Address
	sig = make([]byte, params.l*N)
	h.computeChains(workers, secret, sig, steps, &addr, params, false)

	return sig, nil
}
// PublicKeyFromSig derives the public key implied by sig for the message msg.
//
// The result is params.l*N bytes long. It equals the signer's public key only
// when sig is a valid signature of msg; comparing the two is the caller's job
// (see Verify). No private seed is needed, so the hasher is created with a
// nil seed.
//
// An error is returned when opts.Mode is not a known mode or when the hasher
// cannot be created; pubKey is nil in both cases.
//
// NOTE(review): sig and msg normally come from an untrusted party, and their
// lengths are not checked in this function. Presumably computeChains reads
// params.l*N bytes from sig and baseW reads an N-byte digest from msg —
// confirm that a short or over-long input is rejected rather than causing a
// panic or being silently truncated.
//
// NOTE(review): the message digit count is taken from h.params.l1 here but
// from params.l1 in Sign — presumably the same value; confirm.
func PublicKeyFromSig(sig, msg, pubSeed []byte, opts Opts) (pubKey []byte, err error) {
	params, err := opts.Mode.params()
	if err != nil {
		return nil, err
	}

	workers := opts.routines()
	h, err := newHasher(nil, pubSeed, opts, workers)
	if err != nil {
		return nil, err
	}

	// Per-chain step counts: message digits first, checksum digits after.
	steps := h.baseW(msg, h.params.l1)
	steps = append(steps, h.checksum(steps)...)

	// Hand computeChains a pointer to a local rather than to opts.Address.
	addr := opts.Address
	pubKey = make([]byte, params.l*N)
	// The final argument is true only in this function, where the chain input
	// is a signature instead of an expanded private key.
	h.computeChains(workers, sig, pubKey, steps, &addr, params, true)

	return pubKey, nil
}
// Verify reports whether sig is a valid W-OTS+ signature of msg under the
// public key pk.
//
// It derives the public key implied by sig and msg with PublicKeyFromSig and
// compares it with pk. valid is false whenever err is non-nil.
//
// NOTE(review): sig and msg are passed on without any length check of their
// own; see PublicKeyFromSig for how they are consumed.
func Verify(pk, sig, msg, pubSeed []byte, opts Opts) (valid bool, err error) {
	derived, err := PublicKeyFromSig(sig, msg, pubSeed, opts)
	if err != nil {
		return false, err
	}

	// subtle.ConstantTimeCompare is used in place of bytes.Equal so that the
	// comparison time does not depend on where the keys differ, which avoids
	// timing attacks. It returns 0 when the lengths differ, so a pk of the
	// wrong size is simply reported as invalid.
	return subtle.ConstantTimeCompare(pk, derived) == 1, nil
}