1 /** 2 * \file lmots.h 3 * 4 * \brief This file provides an API for the LM-OTS post-quantum-safe one-time 5 * public-key signature scheme as defined in RFC8554 and NIST.SP.200-208. 6 * This implementation currently only supports a single parameter set 7 * MBEDTLS_LMOTS_SHA256_N32_W8 in order to reduce complexity. 8 */ 9 /* 10 * Copyright The Mbed TLS Contributors 11 * SPDX-License-Identifier: Apache-2.0 12 * 13 * Licensed under the Apache License, Version 2.0 (the "License"); you may 14 * not use this file except in compliance with the License. 15 * You may obtain a copy of the License at 16 * 17 * http://www.apache.org/licenses/LICENSE-2.0 18 * 19 * Unless required by applicable law or agreed to in writing, software 20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 22 * See the License for the specific language governing permissions and 23 * limitations under the License. 24 */ 25 26 #ifndef MBEDTLS_LMOTS_H 27 #define MBEDTLS_LMOTS_H 28 29 #include "mbedtls/build_info.h" 30 31 #include "psa/crypto.h" 32 33 #include "mbedtls/lms.h" 34 35 #include <stdint.h> 36 #include <stddef.h> 37 38 39 #define MBEDTLS_LMOTS_PUBLIC_KEY_LEN(type) (MBEDTLS_LMOTS_TYPE_LEN + \ 40 MBEDTLS_LMOTS_I_KEY_ID_LEN + \ 41 MBEDTLS_LMOTS_Q_LEAF_ID_LEN + \ 42 MBEDTLS_LMOTS_N_HASH_LEN(type)) 43 44 #define MBEDTLS_LMOTS_SIG_TYPE_OFFSET (0) 45 #define MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET (MBEDTLS_LMOTS_SIG_TYPE_OFFSET + \ 46 MBEDTLS_LMOTS_TYPE_LEN) 47 #define MBEDTLS_LMOTS_SIG_SIGNATURE_OFFSET(type) (MBEDTLS_LMOTS_SIG_C_RANDOM_OFFSET + \ 48 MBEDTLS_LMOTS_C_RANDOM_VALUE_LEN(type)) 49 50 #ifdef __cplusplus 51 extern "C" { 52 #endif 53 54 55 #if defined(MBEDTLS_TEST_HOOKS) 56 extern int (*mbedtls_lmots_sign_private_key_invalidated_hook)(unsigned char *); 57 #endif /* defined(MBEDTLS_TEST_HOOKS) */ 58 59 /** 60 * \brief This function converts an unsigned int into a 61 * network-byte-order (big endian) string. 62 * 63 * \param val The unsigned integer value 64 * \param len The length of the string. 65 * \param bytes The string to output into. 66 */ 67 void mbedtls_lms_unsigned_int_to_network_bytes(unsigned int val, size_t len, 68 unsigned char *bytes); 69 70 /** 71 * \brief This function converts a network-byte-order 72 * (big endian) string into an unsigned integer. 73 * 74 * \param len The length of the string. 75 * \param bytes The string. 76 * 77 * \return The corresponding LMS error code. 78 */ 79 unsigned int mbedtls_lms_network_bytes_to_unsigned_int(size_t len, 80 const unsigned char *bytes); 81 82 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 83 /** 84 * \brief This function converts a \ref psa_status_t to a 85 * low-level LMS error code. 86 * 87 * \param status The psa_status_t to convert 88 * 89 * \return The corresponding LMS error code. 90 */ 91 int MBEDTLS_DEPRECATED mbedtls_lms_error_from_psa(psa_status_t status); 92 #endif 93 94 /** 95 * \brief This function initializes a public LMOTS context 96 * 97 * \param ctx The uninitialized LMOTS context that will then be 98 * initialized. 99 */ 100 void mbedtls_lmots_public_init(mbedtls_lmots_public_t *ctx); 101 102 /** 103 * \brief This function uninitializes a public LMOTS context 104 * 105 * \param ctx The initialized LMOTS context that will then be 106 * uninitialized. 107 */ 108 void mbedtls_lmots_public_free(mbedtls_lmots_public_t *ctx); 109 110 /** 111 * \brief This function imports an LMOTS public key into a 112 * LMOTS context. 113 * 114 * \note Before this function is called, the context must 115 * have been initialized. 116 * 117 * \note See IETF RFC8554 for details of the encoding of 118 * this public key. 119 * 120 * \param ctx The initialized LMOTS context store the key in. 121 * \param key The buffer from which the key will be read. 122 * #MBEDTLS_LMOTS_PUBLIC_KEY_LEN bytes will be read 123 * from this. 124 * 125 * \return \c 0 on success. 126 * \return A non-zero error code on failure. 127 */ 128 int mbedtls_lmots_import_public_key(mbedtls_lmots_public_t *ctx, 129 const unsigned char *key, size_t key_size); 130 131 /** 132 * \brief This function exports an LMOTS public key from a 133 * LMOTS context that already contains a public key. 134 * 135 * \note Before this function is called, the context must 136 * have been initialized and the context must contain 137 * a public key. 138 * 139 * \note See IETF RFC8554 for details of the encoding of 140 * this public key. 141 * 142 * \param ctx The initialized LMOTS context that contains the 143 * public key. 144 * \param key The buffer into which the key will be output. Must 145 * be at least #MBEDTLS_LMOTS_PUBLIC_KEY_LEN in size. 146 * 147 * \return \c 0 on success. 148 * \return A non-zero error code on failure. 149 */ 150 int mbedtls_lmots_export_public_key(const mbedtls_lmots_public_t *ctx, 151 unsigned char *key, size_t key_size, 152 size_t *key_len); 153 154 /** 155 * \brief This function creates a candidate public key from 156 * an LMOTS signature. This can then be compared to 157 * the real public key to determine the validity of 158 * the signature. 159 * 160 * \note This function is exposed publicly to be used in LMS 161 * signature verification, it is expected that 162 * mbedtls_lmots_verify will be used for LMOTS 163 * signature verification. 164 * 165 * \param params The LMOTS parameter set, q and I values as an 166 * mbedtls_lmots_parameters_t struct. 167 * \param msg The buffer from which the message will be read. 168 * \param msg_size The size of the message that will be read. 169 * \param sig The buffer from which the signature will be read. 170 * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from 171 * this. 172 * \param out The buffer where the candidate public key will be 173 * stored. Must be at least #MBEDTLS_LMOTS_N_HASH_LEN 174 * bytes in size. 175 * 176 * \return \c 0 on success. 177 * \return A non-zero error code on failure. 178 */ 179 int mbedtls_lmots_calculate_public_key_candidate(const mbedtls_lmots_parameters_t *params, 180 const unsigned char *msg, 181 size_t msg_size, 182 const unsigned char *sig, 183 size_t sig_size, 184 unsigned char *out, 185 size_t out_size, 186 size_t *out_len); 187 188 /** 189 * \brief This function verifies a LMOTS signature, using a 190 * LMOTS context that contains a public key. 191 * 192 * \warning This function is **not intended for use in 193 * production**, due to as-yet unsolved problems with 194 * handling stateful keys. The API for this function 195 * may change considerably in future versions. 196 * 197 * \note Before this function is called, the context must 198 * have been initialized and must contain a public key 199 * (either by import or calculation from a private 200 * key). 201 * 202 * \param ctx The initialized LMOTS context from which the public 203 * key will be read. 204 * \param msg The buffer from which the message will be read. 205 * \param msg_size The size of the message that will be read. 206 * \param sig The buf from which the signature will be read. 207 * #MBEDTLS_LMOTS_SIG_LEN bytes will be read from 208 * this. 209 * 210 * \return \c 0 on successful verification. 211 * \return A non-zero error code on failure. 212 */ 213 int mbedtls_lmots_verify(const mbedtls_lmots_public_t *ctx, 214 const unsigned char *msg, 215 size_t msg_size, const unsigned char *sig, 216 size_t sig_size); 217 218 #if defined(MBEDTLS_LMS_PRIVATE) 219 220 /** 221 * \brief This function initializes a private LMOTS context 222 * 223 * \param ctx The uninitialized LMOTS context that will then be 224 * initialized. 225 */ 226 void mbedtls_lmots_private_init(mbedtls_lmots_private_t *ctx); 227 228 /** 229 * \brief This function uninitializes a private LMOTS context 230 * 231 * \param ctx The initialized LMOTS context that will then be 232 * uninitialized. 233 */ 234 void mbedtls_lmots_private_free(mbedtls_lmots_private_t *ctx); 235 236 /** 237 * \brief This function calculates an LMOTS private key, and 238 * stores in into an LMOTS context. 239 * 240 * \warning This function is **not intended for use in 241 * production**, due to as-yet unsolved problems with 242 * handling stateful keys. The API for this function 243 * may change considerably in future versions. 244 * 245 * \note The seed must have at least 256 bits of entropy. 246 * 247 * \param ctx The initialized LMOTS context to generate the key 248 * into. 249 * \param I_key_identifier The key identifier of the key, as a 16-byte string. 250 * \param q_leaf_identifier The leaf identifier of key. If this LMOTS key is 251 * not being used as part of an LMS key, this should 252 * be set to 0. 253 * \param seed The seed used to deterministically generate the 254 * key. 255 * \param seed_size The length of the seed. 256 * 257 * \return \c 0 on success. 258 * \return A non-zero error code on failure. 259 */ 260 int mbedtls_lmots_generate_private_key(mbedtls_lmots_private_t *ctx, 261 mbedtls_lmots_algorithm_type_t type, 262 const unsigned char I_key_identifier[MBEDTLS_LMOTS_I_KEY_ID_LEN], 263 uint32_t q_leaf_identifier, 264 const unsigned char *seed, 265 size_t seed_size); 266 267 /** 268 * \brief This function generates an LMOTS public key from a 269 * LMOTS context that already contains a private key. 270 * 271 * \note Before this function is called, the context must 272 * have been initialized and the context must contain 273 * a private key. 274 * 275 * \param ctx The initialized LMOTS context to generate the key 276 * from and store it into. 277 * 278 * \return \c 0 on success. 279 * \return A non-zero error code on failure. 280 */ 281 int mbedtls_lmots_calculate_public_key(mbedtls_lmots_public_t *ctx, 282 const mbedtls_lmots_private_t *priv_ctx); 283 284 /** 285 * \brief This function creates a LMOTS signature, using a 286 * LMOTS context that contains a private key. 287 * 288 * \note Before this function is called, the context must 289 * have been initialized and must contain a private 290 * key. 291 * 292 * \note LMOTS private keys can only be used once, otherwise 293 * attackers may be able to create forged signatures. 294 * If the signing operation is successful, the private 295 * key in the context will be erased, and no further 296 * signing will be possible until another private key 297 * is loaded 298 * 299 * \param ctx The initialized LMOTS context from which the 300 * private key will be read. 301 * \param f_rng The RNG function to be used for signature 302 * generation. 303 * \param p_rng The RNG context to be passed to f_rng 304 * \param msg The buffer from which the message will be read. 305 * \param msg_size The size of the message that will be read. 306 * \param sig The buf into which the signature will be stored. 307 * Must be at least #MBEDTLS_LMOTS_SIG_LEN in size. 308 * 309 * \return \c 0 on success. 310 * \return A non-zero error code on failure. 311 */ 312 int mbedtls_lmots_sign(mbedtls_lmots_private_t *ctx, 313 int (*f_rng)(void *, unsigned char *, size_t), 314 void *p_rng, const unsigned char *msg, size_t msg_size, 315 unsigned char *sig, size_t sig_size, size_t *sig_len); 316 317 #endif /* defined(MBEDTLS_LMS_PRIVATE) */ 318 319 #ifdef __cplusplus 320 } 321 #endif 322 323 #endif /* MBEDTLS_LMOTS_H */ 324
