Apply review suggestions
FAlbertDev committed Oct 22, 2024
1 parent 81535ee commit fade6a9
Showing 1 changed file with 16 additions and 21 deletions.
37 changes: 16 additions & 21 deletions docs/cryptodoc/src/05_07_slh_dsa.rst
Expand Up @@ -7,9 +7,6 @@ Botan's implementation of the Stateless Hash-Based Digital Signature Standard
(SLH-DSA) is found in
:srcref:`src/lib/pubkey/sphincsplus/` and follows [FIPS-205]_.

**Remark:** In the current version of Botan, the classes, file names, and
directory paths adhere to the SPHINCS\ :sup:`+` naming convention. This is
expected to change in the upcoming release.

Algorithm Internals
-------------------
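Review bot: Dropping the SPHINCS+ naming remark leaves the sentence above it pointing at :srcref:`src/lib/pubkey/sphincsplus/` with nothing explaining why an SLH-DSA chapter references sphincsplus paths. Unless the directory and class names change together with this commit, keep a one-line note that the source tree still uses the SPHINCS+ name, or update the srcref targets in the same change.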
Expand Down Expand Up @@ -382,21 +379,19 @@ Algorithm 22 of [FIPS-205]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplu
2. ``internal_msg = 0x00 || 0x00 || m`` (contexts are currently not supported).
3. Create signature ``sig`` using ``slh_sign_internal``

4. ``opt_rand = SK.pub_seed`` if ``addrnd == NULL``. Otherwise, set ``opt_rand`` to ``addrnd``.
5. ``msg_random_s = PRF_msg(m, SK.prf, opt_rand)`` and set ``sig = msg_random_s``.
6. ``(mhash, tree_idx, leaf_idx) = H_msg(msg_random_s, SK.sphincs_root, m)``.
7. Set tree address of ``fors_addr`` to ``tree_idx``, its type to ``ForsTree``, and its keypair address to ``leaf_idx``.
8. ``(fors_sig, fors_root) = fors_sign_and_pkgen(mhash, SK.secret_seed, fors_addr)`` and append ``fors_sig`` to ``sig``.
9. ``ht_sig = ht_sign(fors_root, SK.secret_seed, tree_idx, leaf_idx)`` and append ``ht_sig`` to ``sig``.
1. ``opt_rand = SK.pub_seed`` if ``addrnd == NULL``. Otherwise, set ``opt_rand`` to ``addrnd``.
2. ``msg_random_s = PRF_msg(m, SK.prf, opt_rand)`` and set ``sig = msg_random_s``.
3. ``(mhash, tree_idx, leaf_idx) = H_msg(msg_random_s, SK.root, m)``.
4. Set tree address of ``fors_addr`` to ``tree_idx``, its type to ``ForsTree``, and its keypair address to ``leaf_idx``.
5. ``(fors_sig, fors_root) = fors_sign_and_pkgen(mhash, SK.sk_seed, fors_addr)`` and append ``fors_sig`` to ``sig``.
6. ``ht_sig = ht_sign(fors_root, SK.sk_seed, tree_idx, leaf_idx)`` and append ``ht_sig`` to ``sig``.


**Notes:**

- Steps 1-3 correspond to Algorithm 22 of [FIPS-205]_ and are performed in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:355|sign`.
- Steps 4-9 correspond to Algorithm 19 of [FIPS-205]_ and are performed in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:375|slh_sign_internal`.
- Step 6: ``SK.public_seed`` is omitted as an input because the hash functions are already instantiated with a corresponding member variable.
- When using the deterministic variant, ``slh_sign_internal`` will set its randomness to ``pub_seed``, as
specified in Algorithm 19 of [FIPS-205]_.
- Steps 3.3, 3.5, 3.6: ``SK.pub_seed`` is omitted as an input because the hash functions are already instantiated with a corresponding member variable.
- ``SK`` is passed to ``slh_sign_internal`` via member variables.

Signature Validation
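Review bot: The sub-steps of ``slh_sign_internal`` are renumbered 1-6, but the Notes entry "Steps 4-9 correspond to Algorithm 19" still uses the old flat numbering, while the new entry beside it already cites 3.3, 3.5, 3.6. Change it to "Steps 3.1-3.6" so both notes address the same list. The deterministic-variant note that is dropped here remains covered by sub-step 1 (``opt_rand = SK.pub_seed`` if ``addrnd == NULL``), so removing it is fine.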
Expand Down Expand Up @@ -426,19 +421,19 @@ Algorithm 24 of [FIPS-205]_ (see :srcref:`[src/lib/pubkey/sphincsplus/sphincsplu
1. ``internal_msg = 0x00 || 0x00 || m`` (contexts are currently not supported)
2. The signature is valid iff ``slh_verify_internal(internal_msg, sig, PK) == true``

3. Return ``false`` if the length of ``sig`` is invalid.
4. Take the first ``n`` bytes of ``sig`` as value ``msg_random_s``.
5. ``(mhash, tree_idx, leaf_idx) = H_msg(msg_random_s, PK.root, m)``.
6. Set tree address of ``fors_addr`` to tree_idx, its type to ``ForsTree``, and its keypair address to ``leaf_idx``.
7. Take the FORS signature bytes of ``sig`` as value ``fors_sig_s``.
8. ``fors_root = fors_public_key_from_signature(mhash, fors_sig_s, fors_addr)``.
9. Take the hypertree signature bytes of ``sig`` as value ``ht_sig_s``.
10. The signature is valid iff ``ht_verify(fors_root, ht_sig_s, PK.root, tree_idx, leaf_idx) == true``.
1. Return ``false`` if the length of ``sig`` is invalid.
2. Take the first ``n`` bytes of ``sig`` as value ``msg_random_s``.
3. ``(mhash, tree_idx, leaf_idx) = H_msg(msg_random_s, PK.root, m)``.
4. Set tree address of ``fors_addr`` to tree_idx, its type to ``ForsTree``, and its keypair address to ``leaf_idx``.
5. Take the FORS signature bytes of ``sig`` as value ``fors_sig_s``.
6. ``fors_root = fors_public_key_from_signature(mhash, fors_sig_s, fors_addr)``.
7. Take the hypertree signature bytes of ``sig`` as value ``ht_sig_s``.
8. The signature is valid iff ``ht_verify(fors_root, ht_sig_s, PK.root, tree_idx, leaf_idx) == true``.

**Notes:**

- Steps 1-2 correspond to Algorithm 24 of [FIPS-205]_ and are performed in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:203|is_valid_signature`.
- Steps 3-10 correspond to Algorithm 20 of [FIPS-205]_ and are performed in :srcref:`[src/lib/pubkey/sphincsplus/sphincsplus_common]/sphincsplus.cpp:212|slh_verify_internal`.
- Step 5: ``PK.public_seed`` is omitted as an input because the hash functions are already instantiated with a corresponding member variable.
- Steps 2.3, 2.6, 2.8: ``PK.pub_seed`` is omitted as an input because the hash functions are already instantiated with a corresponding member variable.
- ``PK`` is passed to ``slh_verify_internal`` via member variables.
- The lengths of the FORS and the hypertree signatures are precomputed in the ``Sphincs_Parameters`` object.
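Review bot: The Notes entry "Steps 3-10 correspond to Algorithm 20" still refers to the old flat numbering, but the sub-steps of ``slh_verify_internal`` now run 1-8 and the new entry already cites them as 2.3, 2.6, 2.8; it should read "Steps 2.1-2.8". In renumbered sub-step 4, tree_idx is missing its double backticks, unlike ``leaf_idx`` in the same sentence. Step 2 passes ``internal_msg`` to ``slh_verify_internal`` while sub-step 3 hashes ``m``; a short remark that ``m`` inside the sub-list denotes the internal message would remove the ambiguity.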
