| Raef Coles | 8ff6df5 | 2021-07-21 12:42:15 +0100 | [diff] [blame] | 1 | /** |
| 2 | * \file lmots.h |
| 3 | * |
| 4 | * \brief This file provides an API for the LM-OTS post-quantum-safe one-time |
| 5 | * public-key signature scheme. |
| 6 | */ |
| 7 | /* |
| 8 | * Copyright The Mbed TLS Contributors |
| 9 | * SPDX-License-Identifier: Apache-2.0 |
| 10 | * |
| 11 | * Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 12 | * not use this file except in compliance with the License. |
| 13 | * You may obtain a copy of the License at |
| 14 | * |
| 15 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 16 | * |
| 17 | * Unless required by applicable law or agreed to in writing, software |
| 18 | * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 19 | * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 20 | * See the License for the specific language governing permissions and |
| 21 | * limitations under the License. |
| 22 | */ |
| 23 | |
| 24 | #ifndef MBEDTLS_LMOTS_H |
| 25 | #define MBEDTLS_LMOTS_H |
| 26 | |
| 27 | #include "mbedtls/private_access.h" |
| 28 | |
| 29 | #include <stdint.h> |
| 30 | #include <stddef.h> |
| 31 | |
| 32 | #define MBEDTLS_ERR_LMOTS_BAD_INPUT_DATA -0x0076 /**< Bad data has been input to an LMOTS function */ |
| 33 | #define MBEDTLS_ERR_LMOTS_VERIFY_FAILED -0x0078 /**< LMOTS signature verification failed */ |
| 34 | |
| 35 | #define MBEDTLS_LMOTS_N_HASH_LEN (32) |
| 36 | #define MBEDTLS_LMOTS_P_SIG_SYMBOL_LEN (34) |
| 37 | #define MBEDTLS_LMOTS_TYPE_LEN (4) |
| 38 | #define MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN (MBEDTLS_LMOTS_N_HASH_LEN) |
| 39 | #define MBEDTLS_LMOTS_I_KEY_ID_LEN (16) |
| 40 | #define MBEDTLS_LMOTS_Q_LEAF_ID_LEN (4) |
| 41 | |
| 42 | #define MBEDTLS_LMOTS_SIG_LEN (MBEDTLS_LMOTS_TYPE_LEN + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN + \ |
| 43 | (MBEDTLS_LMOTS_P_SIG_SYMBOL_LEN * MBEDTLS_LMOTS_N_HASH_LEN)) |
| 44 | |
| 45 | #define MBEDTLS_LMOTS_PUBKEY_LEN (MBEDTLS_LMOTS_TYPE_LEN + MBEDTLS_LMOTS_I_KEY_ID_LEN + \ |
| 46 | MBEDTLS_LMOTS_Q_LEAF_ID_LEN + MBEDTLS_LMOTS_N_HASH_LEN) |
| 47 | |
| 48 | #define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0) |
| 49 | #define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) |
| 50 | #define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN) |
| 51 | |
| 52 | #define MBEDTLS_LMOTS_PUBKEY_TYPE_OFFSET (0) |
| 53 | #define MBEDTLS_LMOTS_PUBKEY_I_KEY_ID_OFFSET (MBEDTLS_LMOTS_PUBKEY_TYPE_OFFSET + MBEDTLS_LMOTS_TYPE_LEN) |
| 54 | #define MBEDTLS_LMOTS_PUBKEY_Q_LEAF_ID_OFFSET (MBEDTLS_LMOTS_PUBKEY_I_KEY_ID_OFFSET + MBEDTLS_LMOTS_I_KEY_ID_LEN) |
| 55 | #define MBEDTLS_LMOTS_PUBKEY_KEY_HASH_OFFSET (MBEDTLS_LMOTS_PUBKEY_Q_LEAF_ID_OFFSET + MBEDTLS_LMOTS_Q_LEAF_ID_LEN) |
| 56 | |
| 57 | |
| 58 | #ifdef __cplusplus |
| 59 | extern "C" { |
| 60 | #endif |
| 61 | |
| Raef Coles | c464746 | 2022-06-15 12:17:51 +0100 | [diff] [blame] | 62 | /* https://www.iana.org/assignments/leighton-micali-signatures/leighton-micali-signatures.xhtml |
| 63 | * We are only implementing a subset of the types, particularly n32_w8, for the sake of simplicty. |
| Raef Coles | 8ff6df5 | 2021-07-21 12:42:15 +0100 | [diff] [blame] | 64 | */ |
| 65 | typedef enum { |
| 66 | MBEDTLS_LMOTS_SHA256_N32_W8 = 4 |
| 67 | } mbedtls_lmots_algorithm_type_t; |
| 68 | |
| 69 | |
| 70 | typedef struct { |
| Raef Coles | c464746 | 2022-06-15 12:17:51 +0100 | [diff] [blame] | 71 | unsigned char MBEDTLS_PRIVATE(have_privkey); /*!< Whether the context contains a private key. |
| 72 | Boolean values only. */ |
| 73 | unsigned char MBEDTLS_PRIVATE(have_pubkey); /*!< Whether the context contains a public key. |
| 74 | Boolean values only. */ |
| 75 | unsigned char MBEDTLS_PRIVATE(I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN]); /*!< The key |
| 76 | identifier. */ |
| 77 | unsigned int MBEDTLS_PRIVATE(q_leaf_identifier); /*!< Which leaf of the LMS key this is. |
| 78 | 0 if the key is not part of an LMS key. */ |
| 79 | unsigned char MBEDTLS_PRIVATE(q_leaf_identifier_bytes)[MBEDTLS_LMOTS_Q_LEAF_ID_LEN];/*!< The |
| 80 | leaf identifier in network bytes form. */ |
| 81 | mbedtls_lmots_algorithm_type_t MBEDTLS_PRIVATE(type); /*!< The LM-OTS key type identifier as |
| 82 | per IANA. Only SHA256_N32_W8 is currently |
| 83 | supported. */ |
| 84 | unsigned char MBEDTLS_PRIVATE(priv_key[MBEDTLS_LMOTS_P_SIG_SYMBOL_LEN][32]); /*!< The private |
| 85 | key, one hash output per byte of the encoded |
| 86 | symbol string P (32 bytes of hash output + |
| 87 | 2 bytes of checksum). */ |
| 88 | unsigned char MBEDTLS_PRIVATE(pub_key[32]); /*!< The public key, in the form of a SHA256 |
| 89 | output. */ |
| Raef Coles | 8ff6df5 | 2021-07-21 12:42:15 +0100 | [diff] [blame] | 90 | } mbedtls_lmots_context; |
| 91 | |
| 92 | |
| 93 | /** |
| 94 | * \brief This function initializes an LMOTS context |
| 95 | * |
| 96 | * \param ctx The uninitialized LMOTS context that will then be |
| 97 | * initialized. |
| 98 | */ |
| 99 | void mbedtls_lmots_init( mbedtls_lmots_context *ctx ); |
| 100 | |
| 101 | /** |
| 102 | * \brief This function uninitializes an LMOTS context |
| 103 | * |
| 104 | * \param ctx The initialized LMOTS context that will then be |
| 105 | * uninitialized. |
| 106 | */ |
| 107 | void mbedtls_lmots_free( mbedtls_lmots_context *ctx ); |
| 108 | |
| 109 | /** |
| 110 | * \brief This function sets the type of an LMOTS context |
| 111 | * |
| 112 | * \note The parameter set in the context will then be used |
| 113 | * for keygen operations etc. |
| 114 | * |
| 115 | * \param ctx The initialized LMOTS context. |
| 116 | * \param type The type that will be set in the context. |
| 117 | */ |
| 118 | int mbedtls_lmots_set_algorithm_type( mbedtls_lmots_context *ctx, |
| 119 | mbedtls_lmots_algorithm_type_t type ); |
| 120 | |
| 121 | /** |
| 122 | * \brief This function creates a candidate public key from |
| 123 | * an LMOTS signature. This can then be compared to |
| 124 | * the real public key to determine the validity of |
| 125 | * the signature. |
| 126 | * |
| 127 | * \note This function is exposed publicly to be used in LMS |
| 128 | * signature verification, it is expected that |
| 129 | * mbedtls_lmots_verify will be used for LMOTS |
| 130 | * signature verification. |
| 131 | * |
| 132 | * \param I_key_identifier The key identifier of the key, as a 16 byte |
| 133 | * bytestring. |
| 134 | * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is |
| 135 | * not being used as part of an LMS key, this should |
| 136 | * be set to 0. |
| 137 | * \param msg The buffer from which the message will be read. |
| 138 | * \param msg_len The size of the message that will be read. |
| 139 | * \param sig The buff from which the signature will be read. |
| 140 | * MBEDTLS_LMOTS_SIG_LEN bytes will be read from this. |
| 141 | * \param out The buffer where the candidate public key will be |
| 142 | * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN |
| 143 | * bytes in size. |
| 144 | * |
| 145 | * \return \c 0 on success. |
| 146 | * \return A non-zero error code on failure. |
| 147 | */ |
| 148 | int mbedtls_lmots_generate_pub_key_candidate( const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], |
| 149 | const unsigned char q_leaf_identifier[MBEDTLS_LMOTS_Q_LEAF_ID_LEN], |
| 150 | const unsigned char *msg, |
| 151 | size_t msg_len, |
| 152 | const unsigned char *sig, |
| 153 | unsigned char *out ); |
| 154 | |
| 155 | /** |
| 156 | * \brief This function creates a LMOTS signature, using a |
| 157 | * LMOTS context that contains a private key. |
| 158 | * |
| 159 | * \note Before this function is called, the context must |
| 160 | * have been initialized and must contain a private |
| 161 | * key. |
| 162 | * |
| 163 | * \note LMOTS private keys can only be used once, otherwise |
| 164 | * attackers may be able to create forged signatures. |
| 165 | * If the signing operation is successful, the private |
| 166 | * key in the context will be erased, and no further |
| 167 | * signing will be possible until another private key |
| 168 | * is loaded |
| 169 | * |
| 170 | * \param ctx The initialized LMOTS context from which the |
| 171 | * private key will be read. |
| 172 | * \param f_rng The RNG function to be used for signature |
| 173 | * generation. |
| 174 | * \param p_rng The RNG context to be passed to f_rng |
| 175 | * \param msg The buffer from which the message will be read. |
| 176 | * \param msg_len The size of the message that will be read. |
| 177 | * \param sig The buf into which the signature will be stored. |
| 178 | * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size. |
| 179 | * |
| 180 | * \return \c 0 on success. |
| 181 | * \return A non-zero error code on failure. |
| 182 | */ |
| 183 | int mbedtls_lmots_sign( mbedtls_lmots_context *ctx, |
| 184 | int (*f_rng)(void *, unsigned char *, size_t), |
| 185 | void *p_rng, const unsigned char *msg, size_t msg_len, |
| 186 | unsigned char *sig ); |
| 187 | |
| 188 | /** |
| 189 | * \brief This function verifies a LMOTS signature, using a |
| 190 | * LMOTS context that contains a public key. |
| 191 | * |
| 192 | * \note Before this function is called, the context must |
| 193 | * have been initialized and must contain a public key |
| 194 | * (either by import or generation). |
| 195 | * |
| 196 | * \param ctx The initialized LMOTS context from which the public |
| 197 | * key will be read. |
| 198 | * \param msg The buffer from which the message will be read. |
| 199 | * \param msg_len The size of the message that will be read. |
| 200 | * \param sig The buf from which the signature will be read. |
| 201 | * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from |
| 202 | * this. |
| 203 | * |
| 204 | * \return \c 0 on successful verification. |
| 205 | * \return A non-zero error code on failure. |
| 206 | */ |
| 207 | int mbedtls_lmots_verify( mbedtls_lmots_context *ctx, const unsigned char *msg, |
| 208 | size_t msg_len, const unsigned char *sig ); |
| 209 | |
| 210 | /** |
| 211 | * \brief This function imports an LMOTS public key into a |
| 212 | * LMOTS context. |
| 213 | * |
| 214 | * \note Before this function is called, the context must |
| 215 | * have been initialized. |
| 216 | * |
| 217 | * \note See IETF RFC8554 for details of the encoding of |
| 218 | * this public key. |
| 219 | * |
| 220 | * \param ctx The initialized LMOTS context store the key in. |
| 221 | * \param key The buffer from which the key will be read. |
| 222 | * #MBEDTLS_LMOTS_PUBKEY_LEN bytes will be read from |
| 223 | * this. |
| 224 | * |
| 225 | * \return \c 0 on success. |
| 226 | * \return A non-zero error code on failure. |
| 227 | */ |
| 228 | int mbedtls_lmots_import_pubkey( mbedtls_lmots_context *ctx, |
| 229 | const unsigned char *key ); |
| 230 | |
| 231 | /** |
| 232 | * \brief This function exports an LMOTS public key from a |
| 233 | * LMOTS context that already contains a public key. |
| 234 | * |
| 235 | * \note Before this function is called, the context must |
| 236 | * have been initialized and the context must contain |
| 237 | * a public key. |
| 238 | * |
| 239 | * \note See IETF RFC8554 for details of the encoding of |
| 240 | * this public key. |
| 241 | * |
| 242 | * \param ctx The initialized LMOTS context that contains the |
| 243 | * publc key. |
| 244 | * \param key The buffer into which the key will be output. Must |
| 245 | * be at least #MBEDTLS_LMOTS_PUBKEY_LEN in size. |
| 246 | * |
| 247 | * \return \c 0 on success. |
| 248 | * \return A non-zero error code on failure. |
| 249 | */ |
| 250 | int mbedtls_lmots_export_pubkey( mbedtls_lmots_context *ctx, |
| 251 | unsigned char *key ); |
| 252 | |
| 253 | /** |
| 254 | * \brief This function generates an LMOTS public key from a |
| 255 | * LMOTS context that already contains a private key. |
| 256 | * |
| 257 | * \note Before this function is called, the context must |
| 258 | * have been initialized and the context must contain |
| 259 | * a private key. |
| 260 | * |
| 261 | * \param ctx The initialized LMOTS context to generate the key |
| 262 | * from and store it into. |
| 263 | * |
| 264 | * \return \c 0 on success. |
| 265 | * \return A non-zero error code on failure. |
| 266 | */ |
| 267 | int mbedtls_lmots_gen_pubkey( mbedtls_lmots_context *ctx ); |
| 268 | |
| 269 | /** |
| 270 | * \brief This function generates an LMOTS private key, and |
| 271 | * stores in into an LMOTS context. |
| 272 | * |
| 273 | * \note Before this function is called, the context must |
| 274 | * have been initialized and the type of the LMOTS |
| 275 | * context set using mbedtls_lmots_set_algorithm_type |
| 276 | * |
| 277 | * \note The seed must have at least 256 bits of entropy. |
| 278 | * |
| 279 | * \param ctx The initialized LMOTS context to generate the key |
| 280 | * into. |
| 281 | * \param I_key_identifier The key identifier of the key, as a 16 byte |
| 282 | * bytestring. |
| 283 | * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is |
| 284 | * not being used as part of an LMS key, this should |
| 285 | * be set to 0. |
| 286 | * \param seed The seed used to deterministically generate the |
| 287 | * key. |
| 288 | * \param seed_len The length of the seed. |
| 289 | * |
| 290 | * \return \c 0 on success. |
| 291 | * \return A non-zero error code on failure. |
| 292 | */ |
| 293 | int mbedtls_lmots_gen_privkey( mbedtls_lmots_context *ctx, |
| 294 | const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], |
| 295 | unsigned int q_leaf_identifier, |
| 296 | const unsigned char *seed, |
| 297 | size_t seed_len ); |
| 298 | |
| 299 | #ifdef __cplusplus |
| 300 | } |
| 301 | #endif |
| 302 | |
| 303 | #endif /* MBEDTLS_LMOTS_H */ |