package org.bouncycastle.pqc.crypto.gmss.util;
import org.bouncycastle.crypto.Digest;
This class implements key pair generation and signature generation of the
Winternitz one-time signature scheme (OTSS), described in C.Dods, N.P. Smart,
and M. Stam, "Hash Based Digital Signature Schemes", LNCS 3796, pages
96–115, 2005. The class is used by the GMSS classes.
/**
* This class implements key pair generation and signature generation of the
* Winternitz one-time signature scheme (OTSS), described in C.Dods, N.P. Smart,
* and M. Stam, "Hash Based Digital Signature Schemes", LNCS 3796, pages
* 96–115, 2005. The class is used by the GMSS classes.
*/
public class WinternitzOTSignature
{
The hash function used by the OTS
/**
* The hash function used by the OTS
*/
private Digest messDigestOTS;
The length of the message digest and private key
/**
* The length of the message digest and private key
*/
private int mdsize, keysize;
/**
* An array of strings, containing the name of the used hash function, the
* name of the PRGN and the names of the corresponding providers
*/
// private String[] name = new String[2];
The private key
/**
* The private key
*/
private byte[][] privateKeyOTS;
The Winternitz parameter
/**
* The Winternitz parameter
*/
private int w;
The source of randomness for OTS private key generation
/**
* The source of randomness for OTS private key generation
*/
private GMSSRandom gmssRandom;
Sizes of the message and the checksum, both
/**
* Sizes of the message and the checksum, both
*/
private int messagesize, checksumsize;
The constructor generates an OTS key pair, using seed0
and
the PRNG
Params: - seed0 – the seed for the PRGN
- digest – an array of strings, containing the name of the used hash
function, the name of the PRGN and the names of the
corresponding providers
- w – the Winternitz parameter
/**
* The constructor generates an OTS key pair, using <code>seed0</code> and
* the PRNG
*
* @param seed0 the seed for the PRGN
* @param digest an array of strings, containing the name of the used hash
* function, the name of the PRGN and the names of the
* corresponding providers
* @param w the Winternitz parameter
*/
public WinternitzOTSignature(byte[] seed0, Digest digest, int w)
{
// this.name = name;
this.w = w;
messDigestOTS = digest;
gmssRandom = new GMSSRandom(messDigestOTS);
// calulate keysize for private and public key and also the help
// array
mdsize = messDigestOTS.getDigestSize();
int mdsizeBit = mdsize << 3;
messagesize = (int)Math.ceil((double)(mdsizeBit) / (double)w);
checksumsize = getLog((messagesize << w) + 1);
keysize = messagesize
+ (int)Math.ceil((double)checksumsize / (double)w);
/*
* mdsize = messDigestOTS.getDigestLength(); messagesize =
* ((mdsize<<3)+(w-1))/w;
*
* checksumsize = getlog((messagesize<<w)+1);
*
* keysize = messagesize + (checksumsize+w-1)/w;
*/
// define the private key messagesize
privateKeyOTS = new byte[keysize][mdsize];
// gmssRandom.setSeed(seed0);
byte[] dummy = new byte[mdsize];
System.arraycopy(seed0, 0, dummy, 0, dummy.length);
// generate random bytes and
// assign them to the private key
for (int i = 0; i < keysize; i++)
{
privateKeyOTS[i] = gmssRandom.nextSeed(dummy);
}
}
Returns: The private OTS key
/**
* @return The private OTS key
*/
public byte[][] getPrivateKey()
{
return privateKeyOTS;
}
Returns: The public OTS key
/**
* @return The public OTS key
*/
public byte[] getPublicKey()
{
byte[] helppubKey = new byte[keysize * mdsize];
byte[] help = new byte[mdsize];
int two_power_t = 1 << w;
for (int i = 0; i < keysize; i++)
{
// hash w-1 time the private key and assign it to the public key
messDigestOTS.update(privateKeyOTS[i], 0, privateKeyOTS[i].length);
help = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(help, 0);
for (int j = 2; j < two_power_t; j++)
{
messDigestOTS.update(help, 0, help.length);
help = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(help, 0);
}
System.arraycopy(help, 0, helppubKey, mdsize * i, mdsize);
}
messDigestOTS.update(helppubKey, 0, helppubKey.length);
byte[] tmp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(tmp, 0);
return tmp;
}
Returns: The one-time signature of the message, generated with the private
key
/**
* @return The one-time signature of the message, generated with the private
* key
*/
public byte[] getSignature(byte[] message)
{
byte[] sign = new byte[keysize * mdsize];
// byte [] message; // message m as input
byte[] hash = new byte[mdsize]; // hash of message m
int counter = 0;
int c = 0;
int test = 0;
// create hash of message m
messDigestOTS.update(message, 0, message.length);
hash = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hash, 0);
if (8 % w == 0)
{
int d = 8 / w;
int k = (1 << w) - 1;
byte[] hlp = new byte[mdsize];
// create signature
for (int i = 0; i < hash.length; i++)
{
for (int j = 0; j < d; j++)
{
test = hash[i] & k;
c += test;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
hash[i] = (byte)(hash[i] >>> w);
counter++;
}
}
c = (messagesize << w) - c;
for (int i = 0; i < checksumsize; i += w)
{
test = c & k;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
c >>>= w;
counter++;
}
}
else if (w < 8)
{
int d = mdsize / w;
int k = (1 << w) - 1;
byte[] hlp = new byte[mdsize];
long big8;
int ii = 0;
// create signature
// first d*w bytes of hash
for (int i = 0; i < d; i++)
{
big8 = 0;
for (int j = 0; j < w; j++)
{
big8 ^= (hash[ii] & 0xff) << (j << 3);
ii++;
}
for (int j = 0; j < 8; j++)
{
test = (int)(big8 & k);
c += test;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
big8 >>>= w;
counter++;
}
}
// rest of hash
d = mdsize % w;
big8 = 0;
for (int j = 0; j < d; j++)
{
big8 ^= (hash[ii] & 0xff) << (j << 3);
ii++;
}
d <<= 3;
for (int j = 0; j < d; j += w)
{
test = (int)(big8 & k);
c += test;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
big8 >>>= w;
counter++;
}
// check bytes
c = (messagesize << w) - c;
for (int i = 0; i < checksumsize; i += w)
{
test = c & k;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
c >>>= w;
counter++;
}
}// end if(w<8)
else if (w < 57)
{
int d = (mdsize << 3) - w;
int k = (1 << w) - 1;
byte[] hlp = new byte[mdsize];
long big8, test8;
int r = 0;
int s, f, rest, ii;
// create signature
// first a*w bits of hash where a*w <= 8*mdsize < (a+1)*w
while (r <= d)
{
s = r >>> 3;
rest = r % 8;
r += w;
f = (r + 7) >>> 3;
big8 = 0;
ii = 0;
for (int j = s; j < f; j++)
{
big8 ^= (hash[j] & 0xff) << (ii << 3);
ii++;
}
big8 >>>= rest;
test8 = (big8 & k);
c += test8;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test8 > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test8--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
counter++;
}
// rest of hash
s = r >>> 3;
if (s < mdsize)
{
rest = r % 8;
big8 = 0;
ii = 0;
for (int j = s; j < mdsize; j++)
{
big8 ^= (hash[j] & 0xff) << (ii << 3);
ii++;
}
big8 >>>= rest;
test8 = (big8 & k);
c += test8;
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test8 > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test8--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
counter++;
}
// check bytes
c = (messagesize << w) - c;
for (int i = 0; i < checksumsize; i += w)
{
test8 = (c & k);
System.arraycopy(privateKeyOTS[counter], 0, hlp, 0, mdsize);
while (test8 > 0)
{
messDigestOTS.update(hlp, 0, hlp.length);
hlp = new byte[messDigestOTS.getDigestSize()];
messDigestOTS.doFinal(hlp, 0);
test8--;
}
System.arraycopy(hlp, 0, sign, counter * mdsize, mdsize);
c >>>= w;
counter++;
}
}// end if(w<57)
return sign;
}
This method returns the least integer that is greater or equal to the
logarithm to the base 2 of an integer intValue
.
Params: - intValue – an integer
Returns: The least integer greater or equal to the logarithm to the base 2
of intValue
/**
* This method returns the least integer that is greater or equal to the
* logarithm to the base 2 of an integer <code>intValue</code>.
*
* @param intValue an integer
* @return The least integer greater or equal to the logarithm to the base 2
* of <code>intValue</code>
*/
public int getLog(int intValue)
{
int log = 1;
int i = 2;
while (i < intValue)
{
i <<= 1;
log++;
}
return log;
}
}