WIP rework aux

Fraunhofer-AISEC · Sep 6, 2024 · a541b7c · a541b7c
1 parent ffa2dac
commit a541b7c
Showing 1 changed file with 17 additions and 34 deletions.
diff --git a/src/hss/aux.rs b/src/hss/aux.rs
@@ -33,56 +33,39 @@ pub struct MutableExpandedAuxData<'a> {
     pub hmac: &'a mut [u8],
 }
 
-// TODO/Rework:
-//   Improve: for SST with e.g. 8 signing entities, each level below intermediate nodes
-//   would need only ~1/8 of space that's needed w/o SST
-//   (obviously it doesn't make sense to save lower-level nodes of other signing entities)
+// Rework:
+// In case of SST, use aux_data for nodes lower than the SST root nodes
 pub fn hss_optimal_aux_level<H: HashChain>(
     mut max_length: usize,
     lms_parameter: LmsParameter<H>,
     actual_len: Option<&mut usize>,
-    l0_top_div: Option<u8>,
+    opt_l0_top_div: Option<u8>,
 ) -> AuxLevel {
     let mut aux_level = AuxLevel::default();
 
-    // HMAC has size of hash
     let size_hash = lms_parameter.get_hash_function_output_size();
     let orig_max_length = max_length;
 
-    let mut min_top_level = 1;
-
-    // if SST is used, leave space for signing entity node values depending on their level!
-    let mut size_for_signing_entity_nodes: usize = 0;
-    if let Some(l0_top_div) = l0_top_div {
-        size_for_signing_entity_nodes = 2usize.pow(l0_top_div as u32) * size_hash;
-
-        // don't populate levels above the "intermediate node" values in first keygen step (those would be wrong)
-        // TODO/Rework: maybe populate the levels above intermed. node values in the second keygen step
-        //   -> given the max. of 256 signing entities, that should result in a minor performance improvement
-        min_top_level = l0_top_div + 1;
-        // add level to level bit, later abort if max_length too small
+    // If SST is used, reserve space for SST root nodes
+    if let Some(l0_top_div) = opt_l0_top_div {
         aux_level |= 0x80000000 | (1 << l0_top_div);
+
+        let sst_nodes_size = 2usize.pow(l0_top_div as u32) * size_hash;
+        // Saturated sub to avoid underflow, safe to use because leftovers for markers needed!
+        max_length = max_length.saturating_sub(sst_nodes_size);
     }
 
-    let min_length = AUX_DATA_HASHES + size_hash + size_for_signing_entity_nodes;
-
-    if max_length < min_length {
-        if let Some(l0_top_div) = l0_top_div {
-            panic!("AUX data size = {} too small to store intermediate node values for dist. state mgmt with l0_top_div {} requires at least {} bytes.",
-                orig_max_length, l0_top_div, min_length);
-        } else {
-            if let Some(actual_len) = actual_len {
-                *actual_len = 1; // ??
-            }
-            return 0; // no AUX data used, but w/o SST we can live with that
+    if max_length < AUX_DATA_HASHES + size_hash {
+        if let Some(actual_len) = actual_len {
+            *actual_len = 1;
         }
+        return 0;
     }
+    max_length -= AUX_DATA_HASHES + size_hash;
 
-    max_length -= min_length;
-
-    let h0 = lms_parameter.get_tree_height();
-
-    for level in (min_top_level..=h0).rev().step_by(MIN_SUBTREE) {
+    // If SST is used, exclude SST root node layer, else include leaf node layer, i.e. height + 1
+    let h0 = opt_l0_top_div.unwrap_or(lms_parameter.get_tree_height() + 1);
+    for level in (1..h0).rev().step_by(MIN_SUBTREE) {
         let len_this_level = size_hash << level;
 
         if max_length >= len_this_level {