purecrypto 0.6.2

A pure-Rust cryptography toolkit with no foreign-code dependencies, from constant-time primitives up to keys, X.509 and TLS.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249

//! XMSS / XMSS^MT parameter sets (RFC 8391 §5, NIST SP 800-208).
//!
//! Only the Winternitz `w = 16` sets are provided (every standardized XMSS set
//! uses `w = 16`). The hash family, output length `n`, total tree height, and —
//! for XMSS^MT — the number of layers `d` derive every other quantity.

/// Largest `n` over the supported sets (SHA2-256 / SHAKE = 32 bytes).
pub(crate) const MAX_N: usize = 32;
/// `w = 16` ⇒ `len_2 = 3`; `len_1 = 8n/4 = 2n` ⇒ at most `2·32 + 3 = 67`.
pub(crate) const MAX_WOTS_LEN: usize = 67;

/// The underlying hash family.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub(crate) enum HashFamily {
    /// SHA-256 (output truncated to `n` for `n < 32`).
    Sha2_256,
    /// SHAKE128, squeezed to `n` bytes.
    Shake128,
    /// SHAKE256, squeezed to `n` bytes.
    Shake256,
}

/// A fully resolved XMSS / XMSS^MT parameter set.
#[derive(Clone, Copy)]
pub(crate) struct Params {
    /// Hash output length in bytes.
    pub n: usize,
    /// Length in bytes of the domain-separation prefix `toByte(X, padding_len)`.
    pub padding_len: usize,
    /// Total (hyper)tree height `h`.
    pub full_height: u32,
    /// Number of layers `d` (1 for XMSS, > 1 for XMSS^MT).
    pub d: u32,
    /// Per-subtree height `h / d`.
    pub tree_height: u32,
    /// `log2(w)`; 4 for `w = 16`.
    pub wots_log_w: u32,
    /// `w - 1`, the maximum chain length step.
    pub wots_w: u32,
    /// `len_1 = 8n / log2(w)`.
    pub wots_len1: usize,
    /// `len_2` (always 3 for `w = 16`).
    pub wots_len2: usize,
    /// `len = len_1 + len_2`, the number of WOTS+ chains.
    pub wots_len: usize,
    /// The hash family.
    pub family: HashFamily,
    /// Index bytes in the signature/secret key (`ceil(h/8)`, min 4 for XMSS).
    pub index_bytes: usize,
}

impl Params {
    /// Bytes in a single WOTS+ signature (`len · n`).
    pub(crate) fn wots_sig_bytes(&self) -> usize {
        self.wots_len * self.n
    }

    /// Bytes in a full XMSS / XMSS^MT signature.
    pub(crate) fn sig_bytes(&self) -> usize {
        self.index_bytes
            + self.n
            + self.d as usize * self.wots_sig_bytes()
            + self.full_height as usize * self.n
    }

    /// Bytes in the raw secret key payload: `idx ‖ SK_SEED ‖ SK_PRF ‖ root ‖ PUB_SEED`.
    pub(crate) fn sk_bytes(&self) -> usize {
        self.index_bytes + 4 * self.n
    }

    /// Bytes in the raw public key payload (`root ‖ PUB_SEED`).
    pub(crate) fn pk_bytes(&self) -> usize {
        2 * self.n
    }
}

/// Builds the derived fields from the core inputs.
const fn make(n: usize, full_height: u32, d: u32, family: HashFamily) -> Params {
    // padding_len follows the reference: 4 for n=24, otherwise n.
    let padding_len = if n == 24 { 4 } else { n };
    let wots_log_w = 4; // w = 16
    let wots_len1 = (8 * n) / wots_log_w as usize;
    let wots_len2 = 3;
    let index_bytes = if d == 1 {
        4
    } else {
        (full_height as usize).div_ceil(8)
    };
    Params {
        n,
        padding_len,
        full_height,
        d,
        tree_height: full_height / d,
        wots_log_w,
        wots_w: 16,
        wots_len1,
        wots_len2,
        wots_len: wots_len1 + wots_len2,
        family,
        index_bytes,
    }
}

/// The XMSS parameter sets this crate supports (RFC 8391 §5.3, SP 800-208).
#[allow(non_camel_case_types)]
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
#[repr(u32)]
pub enum XmssParamSet {
    /// XMSS-SHA2_10_256 (OID 0x00000001).
    Sha2_10_256 = 0x0000_0001,
    /// XMSS-SHA2_16_256 (OID 0x00000002).
    Sha2_16_256 = 0x0000_0002,
    /// XMSS-SHA2_20_256 (OID 0x00000003).
    Sha2_20_256 = 0x0000_0003,
    /// XMSS-SHAKE_10_256 (SHAKE128, OID 0x00000007).
    Shake_10_256 = 0x0000_0007,
    /// XMSS-SHAKE_16_256 (SHAKE128, OID 0x00000008).
    Shake_16_256 = 0x0000_0008,
    /// XMSS-SHAKE_20_256 (SHAKE128, OID 0x00000009).
    Shake_20_256 = 0x0000_0009,
    /// XMSS-SHA2_10_192 (OID 0x0000000d).
    Sha2_10_192 = 0x0000_000d,
    /// XMSS-SHA2_16_192 (OID 0x0000000e).
    Sha2_16_192 = 0x0000_000e,
    /// XMSS-SHA2_20_192 (OID 0x0000000f).
    Sha2_20_192 = 0x0000_000f,
    /// XMSS-SHAKE256_10_256 (SHAKE256, OID 0x00000010).
    Shake256_10_256 = 0x0000_0010,
    /// XMSS-SHAKE256_16_256 (SHAKE256, OID 0x00000011).
    Shake256_16_256 = 0x0000_0011,
    /// XMSS-SHAKE256_20_256 (SHAKE256, OID 0x00000012).
    Shake256_20_256 = 0x0000_0012,
}

impl XmssParamSet {
    /// The 32-bit XMSS algorithm OID (RFC 8391 / IANA registry).
    pub fn oid(self) -> u32 {
        self as u32
    }

    /// Looks up a parameter set by its 32-bit OID.
    pub fn from_oid(oid: u32) -> Option<Self> {
        use XmssParamSet::*;
        Some(match oid {
            0x0000_0001 => Sha2_10_256,
            0x0000_0002 => Sha2_16_256,
            0x0000_0003 => Sha2_20_256,
            0x0000_0007 => Shake_10_256,
            0x0000_0008 => Shake_16_256,
            0x0000_0009 => Shake_20_256,
            0x0000_000d => Sha2_10_192,
            0x0000_000e => Sha2_16_192,
            0x0000_000f => Sha2_20_192,
            0x0000_0010 => Shake256_10_256,
            0x0000_0011 => Shake256_16_256,
            0x0000_0012 => Shake256_20_256,
            _ => return None,
        })
    }

    pub(crate) fn params(self) -> Params {
        use HashFamily::*;
        use XmssParamSet::*;
        match self {
            Sha2_10_256 => make(32, 10, 1, Sha2_256),
            Sha2_16_256 => make(32, 16, 1, Sha2_256),
            Sha2_20_256 => make(32, 20, 1, Sha2_256),
            Shake_10_256 => make(32, 10, 1, Shake128),
            Shake_16_256 => make(32, 16, 1, Shake128),
            Shake_20_256 => make(32, 20, 1, Shake128),
            Sha2_10_192 => make(24, 10, 1, Sha2_256),
            Sha2_16_192 => make(24, 16, 1, Sha2_256),
            Sha2_20_192 => make(24, 20, 1, Sha2_256),
            Shake256_10_256 => make(32, 10, 1, Shake256),
            Shake256_16_256 => make(32, 16, 1, Shake256),
            Shake256_20_256 => make(32, 20, 1, Shake256),
        }
    }
}

/// The XMSS^MT parameter sets this crate supports (RFC 8391 §5.4).
#[allow(non_camel_case_types)]
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
#[repr(u32)]
pub enum XmssMtParamSet {
    /// XMSSMT-SHA2_20/2_256 (OID 0x00000001).
    Sha2_20_2_256 = 0x0000_0001,
    /// XMSSMT-SHA2_20/4_256 (OID 0x00000002).
    Sha2_20_4_256 = 0x0000_0002,
    /// XMSSMT-SHA2_40/2_256 (OID 0x00000003).
    Sha2_40_2_256 = 0x0000_0003,
    /// XMSSMT-SHA2_40/4_256 (OID 0x00000004).
    Sha2_40_4_256 = 0x0000_0004,
    /// XMSSMT-SHA2_40/8_256 (OID 0x00000005).
    Sha2_40_8_256 = 0x0000_0005,
    /// XMSSMT-SHA2_60/3_256 (OID 0x00000006).
    Sha2_60_3_256 = 0x0000_0006,
    /// XMSSMT-SHA2_60/6_256 (OID 0x00000007).
    Sha2_60_6_256 = 0x0000_0007,
    /// XMSSMT-SHA2_60/12_256 (OID 0x00000008).
    Sha2_60_12_256 = 0x0000_0008,
    /// XMSSMT-SHAKE_20/2_256 (SHAKE128, OID 0x00000011).
    Shake_20_2_256 = 0x0000_0011,
    /// XMSSMT-SHAKE_20/4_256 (SHAKE128, OID 0x00000012).
    Shake_20_4_256 = 0x0000_0012,
}

impl XmssMtParamSet {
    /// The 32-bit XMSS^MT algorithm OID (RFC 8391 / IANA registry).
    pub fn oid(self) -> u32 {
        self as u32
    }

    /// Looks up a parameter set by its 32-bit OID.
    pub fn from_oid(oid: u32) -> Option<Self> {
        use XmssMtParamSet::*;
        Some(match oid {
            0x0000_0001 => Sha2_20_2_256,
            0x0000_0002 => Sha2_20_4_256,
            0x0000_0003 => Sha2_40_2_256,
            0x0000_0004 => Sha2_40_4_256,
            0x0000_0005 => Sha2_40_8_256,
            0x0000_0006 => Sha2_60_3_256,
            0x0000_0007 => Sha2_60_6_256,
            0x0000_0008 => Sha2_60_12_256,
            0x0000_0011 => Shake_20_2_256,
            0x0000_0012 => Shake_20_4_256,
            _ => return None,
        })
    }

    pub(crate) fn params(self) -> Params {
        use HashFamily::*;
        use XmssMtParamSet::*;
        match self {
            Sha2_20_2_256 => make(32, 20, 2, Sha2_256),
            Sha2_20_4_256 => make(32, 20, 4, Sha2_256),
            Sha2_40_2_256 => make(32, 40, 2, Sha2_256),
            Sha2_40_4_256 => make(32, 40, 4, Sha2_256),
            Sha2_40_8_256 => make(32, 40, 8, Sha2_256),
            Sha2_60_3_256 => make(32, 60, 3, Sha2_256),
            Sha2_60_6_256 => make(32, 60, 6, Sha2_256),
            Sha2_60_12_256 => make(32, 60, 12, Sha2_256),
            Shake_20_2_256 => make(32, 20, 2, Shake128),
            Shake_20_4_256 => make(32, 20, 4, Shake128),
        }
    }
}